PHPFixing

Wednesday, October 19, 2022

[FIXED] How can I access Google Firestore from a Java client as a user (not admin)?

 October 19, 2022     admin, firebase, google-cloud-firestore, java, security     No comments   

Issue

I want to connect to Firestore and perform queries from a Java client. The client gets run by somebody who is a user of the Firebase application, not an admin. I have the user's JWT in a string. What I do not know is how -- and using which libraries -- I can connect to Firestore.

What I tried:

  • Package from Maven: implementation group: 'com.google.cloud', name: 'google-cloud-firestore', version: '2.6.1'
    • This package seems to be intended for usage on a secured server that has admin permissions, e.g. using a service account. I could not find a way to use it with a user account.
  • Package from Maven: implementation group: 'com.google.firebase', name: 'firebase-firestore', version: '23.0.3'
    • This package is intended for Android and pulls in a load of Android-specific dependencies.

Why I think this is possible:

  • JavaScript code running in the browser can use the corresponding JavaScript library to do exactly what I want (except being a Java library), using the "firebase" NPM package
  • The Android-specific library is described as what I want (except the Android part) -- though I did not know how to test this assumption

Why I want to do this:

  • giving a user admin permissions instead is a violation of the principle of least privilege
  • setting up a server between the client application and Firebase that runs with admin privileges does not serve any obvious purpose; it is not needed for a JavaScript-based client either and would introduce a whole layer of potential security issues, since any bug in that layer runs with admin privileges.

Solution

There is no client-side Java SDK for Firebase/Firestore. The only SDK Firebase provides for such access is an Admin SDK, which (as you say) provides privileged, administrative access.

If you want to access Firestore with client credentials from non-Android Java code, you will have to access Firestore through its REST API passing the user's ID token (as opposed to an OAuth2 token) to ensure the security rules are enforced.



Answered By - Frank van Puffelen
Answer Checked By - Terry (PHPFixing Volunteer)
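The REST exchange the answer describes, as an added example that is not part of the original question or answer and is not Firebase's own client code: a structured query is POSTed to the Firestore `documents:runQuery` endpoint with the user's Firebase ID token in the `Authorization: Bearer` header, so the request is evaluated against the project's security rules rather than with admin privileges. The project id `demo-project`, the collection `notes`, the `owner` field, the uid `uid-123` and the sample response are assumptions made for the example. The same HTTP request can be issued from Java with `java.net.http.HttpClient`; Python is used here only to keep the example self-contained.

```python
"""Query Firestore via REST with a Firebase user ID token (added example;
assumes project "demo-project", collection "notes" with an "owner" field)."""
import json
import urllib.request

FIRESTORE_BASE = "https://firestore.googleapis.com/v1"


def run_query_url(project_id: str, database: str = "(default)") -> str:
    """Endpoint for structured queries. With a user ID token as Bearer token the
    request is checked against security rules; Admin SDK access bypasses them."""
    return f"{FIRESTORE_BASE}/projects/{project_id}/databases/{database}/documents:runQuery"


def encode_value(value):
    """Encode a Python value in Firestore's typed JSON 'Value' format."""
    if value is None:
        return {"nullValue": None}
    if isinstance(value, bool):  # bool before int: bool is an int subclass
        return {"booleanValue": value}
    if isinstance(value, int):
        return {"integerValue": str(value)}  # int64 is carried as a string
    if isinstance(value, float):
        return {"doubleValue": value}
    if isinstance(value, str):
        return {"stringValue": value}
    if isinstance(value, list):
        return {"arrayValue": {"values": [encode_value(v) for v in value]}}
    if isinstance(value, dict):
        return {"mapValue": {"fields": {k: encode_value(v) for k, v in value.items()}}}
    raise TypeError(f"unsupported value type: {type(value).__name__}")


def decode_value(value):
    """Inverse of encode_value for the types the REST API returns."""
    (kind, inner), = value.items()
    if kind == "integerValue":
        return int(inner)
    if kind == "arrayValue":
        return [decode_value(v) for v in inner.get("values", [])]
    if kind == "mapValue":
        return {k: decode_value(v) for k, v in inner.get("fields", {}).items()}
    # stringValue, doubleValue, booleanValue, nullValue, timestampValue,
    # referenceValue, bytesValue, geoPointValue are already plain JSON values
    return inner


def build_query_request(project_id, id_token, collection, field, op, value, limit=20):
    """Build (but do not send) the runQuery request. The ID token is the only
    credential; no API key, service-account key or OAuth2 access token is
    involved, so the client never holds anything that could bypass rules."""
    body = {
        "structuredQuery": {
            "from": [{"collectionId": collection}],
            "where": {"fieldFilter": {
                "field": {"fieldPath": field},
                "op": op,  # e.g. "EQUAL", "GREATER_THAN", "ARRAY_CONTAINS"
                "value": encode_value(value),
            }},
            "limit": limit,
        }
    }
    return urllib.request.Request(
        run_query_url(project_id),
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {id_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def parse_run_query_response(body: bytes):
    """runQuery returns a JSON array; entries without 'document' are read-time
    markers (e.g. an empty result set) and carry no data."""
    results = []
    for entry in json.loads(body):
        doc = entry.get("document")
        if doc is None:
            continue
        fields = {k: decode_value(v) for k, v in doc.get("fields", {}).items()}
        results.append({"id": doc["name"].rsplit("/", 1)[-1], **fields})
    return results


def query(project_id, id_token, collection, field, op, value):
    """Send the request over the network and decode the returned documents.
    A rules denial surfaces as urllib.error.HTTPError with status 403."""
    req = build_query_request(project_id, id_token, collection, field, op, value)
    with urllib.request.urlopen(req) as resp:
        return parse_run_query_response(resp.read())


# Constructed sample of a runQuery response; not captured from a real project.
SAMPLE_RESPONSE = json.dumps([
    {"document": {
        "name": "projects/demo-project/databases/(default)/documents/notes/n1",
        "fields": {
            "owner": {"stringValue": "uid-123"},
            "title": {"stringValue": "first"},
            "views": {"integerValue": "42"},
            "tags": {"arrayValue": {"values": [{"stringValue": "a"}, {"stringValue": "b"}]}},
            "meta": {"mapValue": {"fields": {"pinned": {"booleanValue": True}}}},
        },
        "createTime": "2022-10-19T10:00:00.000000Z",
        "updateTime": "2022-10-19T10:00:00.000000Z",
    }, "readTime": "2022-10-19T10:05:00.000000Z"},
    {"readTime": "2022-10-19T10:05:00.000000Z"},
]).encode()


if __name__ == "__main__":
    req = build_query_request("demo-project", "<user ID token>", "notes", "owner", "EQUAL", "uid-123")
    print(req.full_url)
    print(parse_run_query_response(SAMPLE_RESPONSE))
```

For this to be meaningfully safer than an admin connection, the project's rules have to scope reads to the caller, for instance (assumed rule, not from the page) `allow read: if request.auth != null && request.auth.uid == resource.data.owner;` on `/notes/{id}`; the query above filters on `owner` precisely so that it satisfies such a rule, and a query for another user's documents is rejected with 403 before any data leaves Firestore.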