Restrict firestore access to admin-sdk

Posted on

Restrict firestore access to admin-sdk

I am designing an application (let’s call it a TodoList app) based on VueJs (for the UI) + NodeJs (for the backend, which will run in Google Cloud Platform) + Firestore (for the auth + database).

I have wandered through the huge documentation of Google (sometimes redundant!) to achieve something that should work but I am not sure it’s production-proof.


  • A user has signed-in on my VueJs app thanks to the password-based authentication of Firebase (and the user’s credentials, including his accessToken, are stored in my Vuex store).
  • The Firebase Admin SDK is running on my backend.
  • My VueJs app is requesting my backend.
  • The backend verifies the accessToken sent in the client-side request
  • It is my backend that request my Firestore database thanks to the Admin SDK

I have set some security rules on my Firestore database:

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId}/{document=**} {
      allow read, write: if request.auth.uid == userId;

so that I don’t want any logged users to access data from another user.


As the Firebase Admin SDK has full privilege on my Firestore database, how can I make sure there won’t be any security issues. For now, I am just verifying the accessToken sent in the request to my backend, but … something makes me feel wrong with this!


On client-side:

auth.onAuthStateChanged((user) => {
  if (user) {
    // Save the user credentials

On server-side:

// idToken comes from the client app (shown above)
// ...
  .then(function(decodedToken) {
    var uid = decodedToken.uid;
    // Retrieve or add some data in /users/{userId}/{document=**}
  }).catch(function(error) {
    // Handle error

As you can see, once I validate the accessToken and retrieve the uid, I can do anything on my database.


Thanks for your help!

Solution :

The admin SDK will always have full access to the database.

Since the client is never accessing Firebase directly, you should totally disable access to all documents. Your API will still have access

match /{document=**} {
  allow read, write: if false;

I think after verify access token from client-side, you can send uid in resource of firestore-admin, and firestore rules would like this:

allow read, write: if == userId;

Leave a Reply

Your email address will not be published. Required fields are marked *