I'm quite a new JavaScript developer, coming from the Embedded Systems area, i.e., algorithms and programming basic concepts are not an issue for me, but some concepts of web development (front/back end) are still new to me, and many doubts often come up.
Going directly to my question, I'm currently developing a basic HTML/JS application where the user must log in to get access to a "private" area; once logged in, it is possible to perform many service requests and see other users' requests, being more or less an "intranet" system.
I'm using Firebase Firestore as the database, and adopting two approaches to communicate with the database:
- For user authentication management (log-in and sign-up processes), I'm taking advantage of the "front-end" JS modules provided by Firebase, using the login/password method with the e-mail link confirmation feature activated. Once an auth request is sent, the firebase app returns a token, and based on this token a session cookie is generated, granting access to the private area. This way, I don't need to manage most of the auth / account validation steps in my back-end part.
- For any other database operations (firestore read & write), I'm using the 'firebase-admin' SDK in conjunction with my back-end implementation, in a way that all the requests are validated with the session cookie before being actually performed. The back-end has access to a service account JSON "key", which gives it total read & write access to the whole database.
Finally, the questions are:
- Is it acceptable or conventional to use both approaches, front-end and back-end, to manage the firebase application?
- Once all the firestore data is being managed on the back-end side, and all the read/write/privilege rules are managed there, is it the correct approach to set the security rules to block everything, as follows? (considering that firebase-admin bypasses everything from the back-end side, not being affected)

    service cloud.firestore {
      match /databases/{database}/documents {
        match /{document=**} {
          allow read, write: if false;
        }
      }
    }
Best regards, and please let me know if I was clear in my doubts :)
CodePudding user response:
Combining front-end and back-end code when using Firestore (or other Firebase modules) is quite normal. Performing all data access through the Admin SDK (while not necessary) is a completely acceptable approach too. Setting the rules to not allow any direct access from client-side SDKs (or with ID tokens through the REST APIs) is indeed a logical step in this scenario.
One thing to realize is that your code is now responsible for ensuring all data is authorized, while in cases where you use client-side Firebase SDKs it is the security rules that perform access control.
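To make that last point concrete, here is an added example (not code from the question or the answer) of a back-end handler that verifies the session cookie and then enforces ownership itself, since the Admin SDK is not stopped by the deny-all rules. The `auth` and `db` arguments stand in for `admin.auth()` and `admin.firestore()`; the `serviceRequests` collection, the `ownerUid` field and the `role` custom claim are assumptions, and the in-memory stand-ins at the bottom are constructed so it runs without the firebase-admin package.

```javascript
async function getServiceRequest(req, { auth, db }) {
  const cookie = req.cookies && req.cookies.session;
  if (!cookie) return { status: 401, body: { error: 'missing session cookie' } };
  let claims;
  try {
    // Second argument true: also reject cookies whose user was revoked/disabled.
    claims = await auth.verifySessionCookie(cookie, true);
  } catch (err) {
    return { status: 401, body: { error: 'invalid or expired session' } };
  }
  if (!claims.email_verified) {
    return { status: 403, body: { error: 'e-mail address not verified' } };
  }
  // The Admin SDK bypasses security rules, so ownership is enforced here.
  const snap = await db.collection('serviceRequests').doc(req.params.id).get();
  if (!snap.exists) return { status: 404, body: { error: 'not found' } };
  const data = snap.data();
  // 'role' is an assumed custom claim (e.g. set with setCustomUserClaims).
  if (data.ownerUid !== claims.uid && claims.role !== 'staff') {
    return { status: 403, body: { error: 'not your request' } };
  }
  return { status: 200, body: data };
}

// Constructed in-memory stand-ins for admin.auth() and admin.firestore().
const sessions = {
  'cookie-alice': { uid: 'alice', email_verified: true, role: 'user' },
  'cookie-bob': { uid: 'bob', email_verified: false, role: 'user' },
  'cookie-staff': { uid: 'carol', email_verified: true, role: 'staff' },
};
const fakeAuth = {
  async verifySessionCookie(cookie) {
    if (!sessions[cookie]) throw new Error('auth/session-cookie-revoked');
    return sessions[cookie];
  },
};
const docs = {
  r1: { ownerUid: 'alice', title: 'Replace badge reader' },
  r2: { ownerUid: 'bob', title: 'New desk lamp' },
};
const fakeDb = {
  collection: () => ({
    doc: (id) => ({ async get() { return { exists: !!docs[id], data: () => docs[id] }; } }),
  }),
};

// Returns only the HTTP status, for quick checks of each path.
async function demo(cookie, id) {
  const req = { cookies: cookie ? { session: cookie } : {}, params: { id } };
  return (await getServiceRequest(req, { auth: fakeAuth, db: fakeDb })).status;
}
```

In a real deployment the cookie would be created with `admin.auth().createSessionCookie()` from the ID token the front-end obtains after login, and every Firestore access would go through a check like this one.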