Unable to access Firestore in Dart Frog on behalf of user logged in to the frontend with FirebaseAuth #148

Open
alex-georgiou opened this issue Mar 14, 2025 · 0 comments

alex-georgiou commented Mar 14, 2025

Hello and sorry in advance if this is a dumb question.

My requirement

I am building a Flutter app, where the user authenticates on the app using FirebaseAuth, using a number of methods, including not just Google sign-in, but also email/password or Facebook sign-in.

I am trying to access the Firestore DB of a Flutter app from Dart Frog. The code should do some work on the DB on behalf of the user.

Here's what I tried so far:

First attempt - Passing the user credentials to firedart

My first attempt was to pass a Firebase ID JWT (FirebaseAuth.instance.currentUser?.getIdToken()) from the frontend to an API endpoint in the backend, and I was able to extract the user_id claim from the JWT, but I couldn't figure out how to use these credentials with firedart auth. Maybe there is a way to exchange this for an OAuth2 token using Google's APIs?

Second attempt - Using firedart with a service account

I then learned about service accounts, and I was hoping that I could then write access rules with conditions such as:

request.resource.data.userId == request.auth.uid || request.auth.token.admin == true

Or something similar. Then I could use the validated uid I got from the JWT string, to perform queries that run with the service account credentials.

I was able to load the service account credentials with:

FirebaseAdmin.instance.initializeApp(
  AppOptions(
    credential: FirebaseAdmin.instance.certFromPath(serviceAccountJsonFilename),
  ),
);

Firestore.initialize(projectId);

This kinda works: It works with VERY permissive DB access rules, but I can't filter requests for request.auth.token.admin, because I think service accounts do not have request.auth.token. So I don't have any security on my DB with this approach.

Third attempt - Google Application Default Credentials

I saw this issue that appears to be similar: #124

The solution to this issue points to the adc.dart example: https://github.com/cachapa/firedart/blob/master/example/adc.dart

When I implement this solution (i.e. when I set useApplicationDefaultAuth: true), the code tries to contact the host metadata.google.internal, which I'm guessing is available only from Google Cloud.

My question: Is my approach entirely wrong?

  • Is there any way to use a Firebase ID token with firedart?
  • Alternatively, is there a way to load the credentials of a service account from a JSON file into firedart, and access the Firestore DB with those credentials, from outside Google Cloud?

I am not finding any help on Stack Overflow, and the LLMs are hallucinating wildly when it comes to firedart code.

Thanks in advance for any insight you can provide.
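
An added example, not part of the original post or the firedart project: the header and claim checks Firebase documents for ID tokens, followed by the ownership test from the rule in the second attempt, enforced in backend code before any query runs with the backend's own credentials. It assumes the RS256 signature is verified separately against Google's published keys by a JWT library; `checkedClaims`, `mayWrite`, `demo-project` and the sample token are hypothetical names and constructed values.

```dart
import 'dart:convert';

/// Decodes one base64url JWT segment into a JSON map.
Map<String, dynamic> _segment(String s) =>
    jsonDecode(utf8.decode(base64Url.decode(base64Url.normalize(s))))
        as Map<String, dynamic>;

/// Returns the claims if header and payload meet Firebase's ID-token
/// constraints for [projectId]; throws otherwise.
/// ASSUMPTION: signature verification is done elsewhere and is not shown.
Map<String, dynamic> checkedClaims(String jwt, String projectId, DateTime now) {
  final parts = jwt.split('.');
  if (parts.length != 3) throw FormatException('not a compact JWT');
  final header = _segment(parts[0]);
  final claims = _segment(parts[1]);
  final t = now.millisecondsSinceEpoch ~/ 1000;
  final exp = claims['exp'], iat = claims['iat'], sub = claims['sub'];
  final ok = header['alg'] == 'RS256' &&
      header['kid'] is String &&
      claims['iss'] == 'https://securetoken.google.com/$projectId' &&
      claims['aud'] == projectId &&
      exp is int && exp > t && // not expired
      iat is int && iat <= t && // not issued in the future
      sub is String && sub.isNotEmpty; // sub carries the uid
  if (!ok) throw StateError('ID token claims rejected');
  return claims;
}

/// Backend-side mirror of the rule from the post:
/// request.resource.data.userId == request.auth.uid || admin == true
bool mayWrite(Map<String, dynamic> doc, Map<String, dynamic> claims) =>
    claims['admin'] == true || doc['userId'] == claims['sub'];

void main() {
  // Constructed sample token; the third segment is a placeholder signature.
  String enc(Map<String, Object> m) =>
      base64Url.encode(utf8.encode(jsonEncode(m))).replaceAll('=', '');
  final now = DateTime.utc(2025, 3, 14, 12);
  final t = now.millisecondsSinceEpoch ~/ 1000;
  final jwt = [
    enc({'alg': 'RS256', 'kid': 'constructed-kid'}),
    enc({'iss': 'https://securetoken.google.com/demo-project',
      'aud': 'demo-project', 'sub': 'uid-123', 'iat': t - 60, 'exp': t + 3540}),
    'c2ln',
  ].join('.');
  final claims = checkedClaims(jwt, 'demo-project', now);
  print(mayWrite({'userId': 'uid-123'}, claims));
  print(mayWrite({'userId': 'someone-else'}, claims));
}
```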
