Firebase admin on backend for verifyIdToken and use Firestore


Question

I'm trying to use Firebase Admin on my backend for "faking" client authentication by verifying the ID token in order to use Firestore from the backend.

The idea is to use my server as a middleware between my client and firestore.

I can initialize FirebaseAdmin on the backend and verifyIdToken() from client properly, but I don't have an idea for using firestore after that. Can you guys show me a way for doing it?

import * as firebaseAdmin from 'firebase-admin';
import firebaseServiceAccountKey from './firebaseServiceAccountKey.json';

if (!firebaseAdmin.apps.length) {
  firebaseAdmin.initializeApp({
    credential: firebaseAdmin.credential.cert(
      firebaseServiceAccountKey
    ),
    databaseURL: '##########################', // redacted in the original post
  });
}

// This is working 
function getUser(token) {
  return firebaseAdmin
    .auth()
    .verifyIdToken(token)
    .then((decodedToken) => {
      return decodedToken;
    })
    .catch((error) => {
      // rethrow so callers see a rejected promise instead of an
      // error object resolved as if it were a decoded token
      throw error;
    });
}

/* 
Now I want to use Firestore authenticated with this token, should I 
import firebase from "firebase" 
and then try auth() with token?
*/

Answer

Access to Firestore through the Admin SDK always happens with full administrative privileges. There is no way to access Firestore as the user whose token you verified.

If you want to use this middleware approach, you will have to ensure it only accesses data the user is authorized for in the code itself.

If the goal is to have tighter control over who can sign in to your app, consider using custom authentication instead - where the server mints a custom token for each user, that the client-side SDK then uses to sign in.
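An added example (not part of the original question or answer) of what "ensure it only accesses data the user is authorized for in the code itself" looks like: the server verifies the ID token, then reads a Firestore document only if the decoded `uid` owns it. The `auth` and `db` objects are injected so the file runs offline with the constructed stand-ins at the bottom; in production you would pass `firebaseAdmin.auth()` and `firebaseAdmin.firestore()`. The collection name `notes` and the `ownerUid` field are assumptions.

```javascript
class AuthError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Verify the caller's ID token, then return the note only if the decoded
// uid owns it. The Admin SDK bypasses Firestore security rules, so this
// ownership check is the only thing stopping user A from reading user B's note.
async function readOwnedNote(auth, db, idToken, noteId) {
  let decoded;
  try {
    // second argument (checkRevoked) also rejects tokens whose session
    // was revoked server-side, at the cost of one extra lookup
    decoded = await auth.verifyIdToken(idToken, true);
  } catch (err) {
    throw new AuthError(401, 'invalid or revoked ID token');
  }
  const snap = await db.collection('notes').doc(noteId).get();
  // Same 404 for "missing" and "not yours", so the endpoint does not
  // reveal which note ids exist to users who do not own them.
  if (!snap.exists || snap.data().ownerUid !== decoded.uid) {
    throw new AuthError(404, 'note not found');
  }
  return snap.data();
}

// Constructed in-memory stand-ins for firebaseAdmin.auth() and
// firebaseAdmin.firestore(), used only so this file runs without credentials.
const fakeAuth = {
  async verifyIdToken(token) {
    const users = { 'token-alice': 'uid-alice', 'token-bob': 'uid-bob' };
    if (!(token in users)) throw new Error('auth/argument-error');
    return { uid: users[token] };
  },
};
const fakeDb = (() => {
  const docs = { n1: { ownerUid: 'uid-alice', text: 'hello' } };
  return {
    collection: () => ({
      doc: (id) => ({
        async get() {
          const d = docs[id];
          return { exists: !!d, data: () => (d ? { ...d } : undefined) };
        },
      }),
    }),
  };
})();
```

Wire `readOwnedNote` into the route handler that receives the client's ID token, and map `AuthError.status` to the HTTP response code.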
