Issue
I want to connect to Firestore and perform queries from a Java client. The client gets run by somebody who is a user of the Firebase application, not an admin. I have the user's JWT in a string. What I do not know is how -- and using which libraries -- I can connect to Firestore.
What I tried:
- Package from Maven: implementation group: 'com.google.cloud', name: 'google-cloud-firestore', version: '2.6.1'
  - This package seems to be intended for usage on a secured server that has admin permissions, e.g. using a service account. I could not find a way to use it with a user account.
- Package from Maven: implementation group: 'com.google.firebase', name: 'firebase-firestore', version: '23.0.3'
  - This package is intended for Android and pulls in a load of Android-specific dependencies.
Why I think this is possible:
- JavaScript code running in the browser can use the corresponding JavaScript library to do exactly what I want (except being a Java library), using the "firebase" NPM package
- The Android-specific library is described as what I want (except the Android part) -- though I did not know how to test this assumption
Why I want to do this:
- giving a user admin permissions instead is a violation of the principle of least privilege
- setting up a server between the client application and Firebase that runs on admin privileges does not serve any obvious purpose; it is not needed for a JavaScript-based client either and would introduce a whole layer of potential security issues since any bug in that layer runs with admin privileges.
Solution
There is no client-side Java SDK for Firebase/Firestore. The only SDK Firebase provides for such access is an Admin SDK, which (as you say) provides privileged, administrative access.
If you want to access Firestore with client credentials from non-Android Java code, you will have to access Firestore through its REST API passing the user's ID token (as opposed to an OAuth2 token) to ensure the security rules are enforced.
Answered By - Frank van Puffelen Answer Checked By - Terry (PHPFixing Volunteer)
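The REST approach from the answer, sketched as an added example (not code from the original answer or from Firebase): a plain Java 11+ client that reads one document with the user's ID token as a bearer token, so Firestore security rules are evaluated for that user. The class name, the `YOUR_PROJECT_ID` placeholder, the `FIREBASE_ID_TOKEN` environment variable and the `users/alice` path are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;

public class FirestoreUserClient {
    private static final String BASE = "https://firestore.googleapis.com/v1";
    private final HttpClient http = HttpClient.newBuilder()
            .connectTimeout(Duration.ofSeconds(10)).build();
    private final String projectId, idToken;

    public FirestoreUserClient(String projectId, String idToken) {
        if (idToken == null || idToken.isBlank()) throw new IllegalArgumentException("missing ID token");
        this.projectId = projectId;
        this.idToken = idToken;
    }

    /** Builds the document URL, percent-encoding every path segment. */
    static String documentUrl(String projectId, String... segments) {
        StringBuilder sb = new StringBuilder(BASE).append("/projects/")
                .append(enc(projectId)).append("/databases/(default)/documents");
        for (String s : segments) sb.append('/').append(enc(s));
        return sb.toString();
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8).replace("+", "%20");
    }

    /** GETs one document as the signed-in user; security rules decide the outcome. */
    public String getDocument(String... segments) throws IOException, InterruptedException {
        HttpRequest req = HttpRequest.newBuilder(URI.create(documentUrl(projectId, segments)))
                .header("Authorization", "Bearer " + idToken) // user's ID token, no admin credential
                .GET().build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        int code = resp.statusCode();
        if (code == 401 || code == 403) // invalid/expired token, or rules denied the read
            throw new SecurityException("Firestore refused the request: HTTP " + code);
        if (code != 200) throw new IOException("Firestore HTTP " + code);
        return resp.body(); // JSON with "name" and typed "fields"
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: supply your own project ID, token source and document path.
        String token = System.getenv("FIREBASE_ID_TOKEN");
        System.out.println(new FirestoreUserClient("YOUR_PROJECT_ID", token).getDocument("users", "alice"));
    }
}
```

The ID token is short-lived, so a long-running client has to obtain a fresh one when requests start returning 401.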