问题
My client app is accessing to Firestore through API created by Firebase Functions. However, the Firebase Functions imports firebase-admin which bypass all the defined security rule. Is there any way I can make my HTTP triggers Function to act as a specific user (for example, by passing an access token from client to server), so that the Functions works under influence of Firebase Functions as well.
回答1:
There is currently no way to do this. The Firestore SDK for node doesn't have a way of scoping its access to the database as a particular authenticated user.
Note that this is different than the Realtime Database SDK, which does allow you to scope to a uid.
回答2:
I think it is possible to access Firestore via an admin-sdk but scope it to the logged-in user if you are use REST APIs to access Firestore.
For authentication, the Cloud Firestore REST API accepts either a Firebase Authentication ID token or a Google Identity OAuth 2.0 token. The token you provide affects your request's authorization:
Use Firebase ID tokens to authenticate requests from your application's users. For these requests, Cloud Firestore uses Cloud Firestore Security Rules to determine if a request is authorized.
来源:https://stackoverflow.com/questions/52176402/how-to-make-firebase-functions-act-as-a-user-instead-of-being-an-admin