Firebase Auth with Typesense Extension for Firestore.
TLDR DomijKu seeks ways to handle Firebase Auth with Typesense for Firestore, aiming to restrict search based on user roles and log-in status. Jason provides guidance, suggesting the use of scoped API keys, Google Cloud functions for verifying Firebase Auth, and storing user-specific information in each record.
Nov 03, 2022 (10 months ago)
DomijKu
12:28 PM
Jason
02:37 PMNov 04, 2022 (10 months ago)
DomijKu
03:32 PMI was thinking though, would reading currentUserData from Firebase (e.g. their roles) and then send the role to TS and filter the results by that would be an option? Conditional rendering is of course an option, but security wise I guess it's not.
In other words, is there a way to not let user search on TS collection is the user does not have certain role or is not logged in?
Again, seems like an obvious question, but just trying to figure out the balance between data security and accessibility versus maybe unecessary completion.
Jason
04:31 PMYou would have to do this on the backend (say in a Google Cloud function) - get the current role for the user (say RoleX), then generate a scoped API key on the fly which has an embedded filter in it, which has something like
filter_by:=roles:RoleX, send that key to the frontend and have the FE use it to make API calls to Typesense.DomijKu
05:42 PMIf it changes anything, I am on NextJS / Firebase Auth setup.
DomijKu
05:51 PMJason
06:00 PMThen when a user logs in, you’d create a similar scoped search api key, but instead of a role filter, you’d use an embedded filter like userid:=123 where 123 is the logged in user’s ID
DomijKu
06:12 PMBy not using roles, I literally mean just give access to TS collection if user is simply logged via Firebase Auth to the system (that's an internal company system with 30+ users). Because right now the user can only fetch Firestore collections if they are logged in (and have certain roles) via read/write rules. I am just trying to figure out how to get the same result with TS, because essentially TS collection is a clone of FS, just with no read rules.
It's easily doable on the front end, but security is a concern.
I was even thinking of add a search key attribute to each user (or the ones which have access) and once they log in, along with other user data, they get the search key which is then used for TS as well.
I understand that the key is exposed to logged user, but that's not a concern.
Also, your very prompt support and help is extremely appreciated, thank you for that. The product is great, love the speed of it and a lot of ideas in the future!
Jason
07:07 PMThen you could set a short expires_at on that key and repeat the above process of you notice the API key has expired.
Finally when the user logs out, you want to delete the API key from Typesense using a similar Google cloud function.
The important thing here that ensures security is that you’re verifying that the user is logged in to Firebase auth in the Google cloud function, before generating the api key
Typesense
Indexed 2764 threads (79% resolved)
Similar Threads
Filtering User Access in Typesense with Firebase
Mateus queries about using Typesense to restrict user view by company ID. Jason suggests using scoped API keys, and generating these keys with Firebase functions. However, Mateus faces challenges with user authorization and Firebase functionality. The issue remains unresolved.
Resolving Issues with Scoped API Keys in Typesense with Golang
Suvarna had problems with generating and using scoped API keys in Typesense with Golang. Several bugs misleading the user were found and fixed by Kishore Nallan.
6Understanding and Implementing Typesense Dart Library with Flutter
Alexandro sought help with the Typesense Dart library. Jason explained that the library is in progress, discussed utilizing other HTTP libraries, and provided detailed instructions on utilizing Typesense with Flutter. Alexandro provided feedback on the Typesense UI and expressed interest in creating a tutorial video.
10User Queries About TypeSense Cloud and Firebase Integration
Loic had various queries about TypeSense Cloud and Firebase integration including modifying schema, existing documents, and geopoint and timestamp indexing. Kishore Nallan, Jason, and Harpreet provided clarifications and solutions.
1Discussion on Firebase Extension for Typesense
Jason announced the release of a Firebase Extension for Typesense, leading to a discussion with Gabe about capabilities and scalability concerns. Other users, John and A, simply expressed their admiration.
16