在Firestore通话期间无法使用firebase-admin模仿用户 [英] Cannot impersonate user with firebase-admin during firestore calls
问题描述
基于此处的文字,他们冒充用户".使用新的Firebase管理员应用程序实例,这样当他们执行写/读操作时,将为该用户触发安全规则.
Based on what is written here, they are "impersonating a user" with a new Firebase admin app instance, so that when they do a write/read the security rules will be triggered for that user.
https://firebase.google.com/docs/database/extend-with-functions
除了Firestore,我正在尝试做同样的事情,但这似乎不起作用.
I'm trying to do the same thing but for Firestore, but it doesn't seem to work.
我对Firestore进行读/写操作是通过作为云功能托管的快速后端进行的.我不想在该后端实施手动安全规则.
I have reading/writing to firestore go through an express backend hosted as cloud function. I do not want to implement manual security rules in that backend.
我想让firebase-admin应用实例表现为作为用户"因此Firestore安全规则会被适当触发,因此我可以在安全规则中统一我的安全性.
I want to have the firebase-admin app instance to behave "as a user" so the firestore security rules are triggered appropriately, and I can unify my security in the security rules.
这是我正在使用的代码:
Here is the code I'm using:
export function getLocalAdminAppOptions(): admin.AppOptions {
// we are running locally
const serviceAccount: admin.ServiceAccount = {
clientEmail: CLIENT_EMAIL,
projectId: PROJECT_ID,
privateKey: (PRIVATE_KEY || "").replace(/\\n/g, "\n")
}
return {
credential: admin.credential.cert(serviceAccount),
databaseURL: DATABASE_URL
}
}
2.添加模拟选项&实例化管理应用
import * as Admin from "firebase-admin"
import * as Functions from "firebase-functions"
const appOptions = getLocalAdminAppOptions()
const token: Admin.auth.DecodedIdToken = await Admin.auth().verifyIdToken(req.idToken)
const authOverwrite: Functions.EventContext["auth"] = {
token,
uid: req.authUser.uid
}
appOptions.databaseAuthVariableOverride = authOverwrite
const uniqueAppName = "adminAppAsUser:" + req.authUser.uid
const adminAppAsUser = Admin.initializeApp(appOptions, uniqueAppName)
3.使用模拟应用程序实例进行Firestore调用
const snap = await adminAppAsUser
.firestore()
.collection(`test`)
.doc("test")
.get()
return snap.data()
问题:
adminAppAsUser似乎仍然是具有完全访问权限的管理应用程序,而忽略了安全规则.
The Problem:
The adminAppAsUser seems to still be a admin app with full access rights, ignoring the security rules.
我确实设法找到了一个骇客".解决方法:在后端内部为Web创建一个新的Firebase实例,并使用自定义令牌进行签名,然后使用该实例访问Firestore.
I did manage to find a "hacky" workaround: Create a new instance of Firebase for the web inside my backend, and signing with custom token, and use that to access firestore.
此变通办法的问题:每次我运行云功能时,signInWithCustomToken需要800毫秒!
Problems with this workaround: signInWithCustomToken takes 800ms every time I run the cloud function!
解决方法的代码
const uniqueAppName = "adminAppAsUser:" + req.authUser.uid
const adminAppAsUser = Firebase.initializeApp(configs.dev, uniqueAppName)
const token = await Admin.auth().createCustomToken(req.authUser.uid)
await adminAppAsUser.auth().signInWithCustomToken(token)
推荐答案
除了Firestore,我正在尝试做同样的事情,但这似乎不起作用.
I'm trying to do the same thing but for Firestore, but it doesn't seem to work.
完全不支持.使用RTDB可获得的模拟不适用于Firestore.
It's not supported at all. The impersonation you can get with RTDB does not work for Firestore.
在将任何后端SDK用于Firestore时,用于对其进行初始化的服务帐户的特权将始终绕过安全规则,而取决于Google Cloud IAM权限.
When using any of the backend SDKs for Firestore, the privileges of the service account used to initialize it will always bypass security rules and depend on Google Cloud IAM permissions instead.
另请参阅:
这篇关于在Firestore通话期间无法使用firebase-admin模仿用户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
