
I have a Firebase project, where I have a NestJS application deployed to Firebase functions. In this very same project I have an Angular application deployed to Firebase hosting, and finally I have a Firebase Realtime Database in the same Firebase project.

I’d like to make the latter be only readable/writeable from my NestJS application (so no direct access from the Angular app, or from anywhere else). What kind of Realtime Database rules should I set up?

Currently I have the following rules (which are obviously not good):

{
  "rules": {
    ".read": true,
    ".write": true
  }
}

My ideal approach would be to allow everything from the following domain + path:
https://us-central1-my-firebase-function.cloudfunctions.net/api/ or allow everything from my Firebase function only.

Is there an easy, clean and secure way to do this?

Thanks for the tips in advance!

2 Answers


  1. {
       "rules": {
         ".read": true,
         ".write": "auth.uid != null && root.child('users').child(auth.uid).child('isAdmin').val() === true"
       }
     }


    First, for your NestJS application user, add them as admin and then check the following.

  2. When you access Firebase services from within Cloud Functions you’re using the Admin SDK. And this SDK bypasses any security rules you’ve set.

    So to disallow all client-side access, you can set your security rules to:

    {
      "rules": {
        ".read": false,
        ".write": false
      }
    }
    

    And then your code in Cloud Functions will still be able to access the data, as it bypasses these rules due to using the Admin SDK.
