boardgameio / boardgame.io

State Management and Multiplayer Networking for Turn-Based Games
https://boardgame.io
MIT License
10k stars 706 forks

FR: Support firebase-admin storage connector #384

Closed: p00ya closed 5 years ago

p00ya commented 5 years ago

The current Firebase implementation from https://github.com/nicolodavis/boardgame.io/blob/master/src/server/db/firebase.js uses the plain 'firebase' client:

```js
this.client = require('firebase');
// ... then later:
this.client.initializeApp(this.config);
this.db =
  this.engine === ENGINE_FIRESTORE
    ? this.client.firestore()
    : this.client.database().ref();
```

The documented way to access a Firestore database from the server seems to be via the Firebase Admin SDK. From the Firebase docs:

> If you are interested in using Node.js in privileged environments such as servers or serverless backends like Cloud Functions (as opposed to clients for end-user access like a Node.js desktop or IoT device), you should instead follow the instructions for setting up the Admin SDK.

The Admin SDK docs show that this can be used similarly to the firestore module, i.e.

```js
import * as admin from 'firebase-admin';
admin.initializeApp({...config});
const db = admin.firestore();
```

I've tested that it all works with something like:

```js
import firebase from 'firebase-admin';
import { Firebase, Server } from 'boardgame.io/server';

// `config` (the Firebase app options) and `Game` (the game definition) are
// defined elsewhere.
const db = new Firebase({ config });

// Replace the boardgame.io client with an admin client, in order to use
// service accounts.
db.client = firebase;

const server = Server({
  db,
  games: [Game],
});
```

So I think we should at least support using firebase-admin instead of the plain firebase client as an opt-in. Happy to send a PR for an extra property in the Firebase ctor to enable this, similar to the "engine" property if it SGTY.

However, all this begs the question: what are the current users of the Firebase connector doing with their Firestore security? Given they're not using firebase-admin, they're not using a service role account, so either they've got open read/write ACLs on their Firebase database, or they're somehow pushing EUCs through their server. Or maybe I'm completely missing something? @jorbascrumps who seems to be an active user
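
The open-ACL concern raised in the comment above, as an added example that is not part of the thread or of boardgame.io's code: a small check that flags Firestore security rules granting unconditional access. It relies on Admin SDK (service account) access not being subject to security rules; `findOpenAllows`, `sampleRules` and both rule sets are constructed for illustration.

```javascript
// Added example (not boardgame.io code). Flags Firestore security rules that
// grant access unconditionally: "allow <methods>;" or "allow <methods>: if true;".
// It matches these literal forms only and does not evaluate other conditions.
function findOpenAllows(rulesText) {
  // Strip // comments line by line so line numbers stay stable.
  const text = rulesText
    .split('\n')
    .map((line) => line.replace(/\/\/.*$/, ''))
    .join('\n');
  const allowRe = /\ballow\s+([a-z,\s]+?)\s*(?::\s*if\s+([^;]+?))?\s*;/g;
  const findings = [];
  let m;
  while ((m = allowRe.exec(text)) !== null) {
    const condition = m[2] === undefined ? null : m[2].trim();
    if (condition === null || condition === 'true') {
      findings.push({
        line: text.slice(0, m.index).split('\n').length,
        methods: m[1].split(',').map((s) => s.trim()).filter(Boolean),
        condition,
      });
    }
  }
  return findings;
}

// Constructed sample rules; only the allow statement differs between the two.
function sampleRules(allowStatement) {
  return [
    "rules_version = '2';",
    'service cloud.firestore {',
    '  match /databases/{database}/documents {',
    '    match /{document=**} {',
    `      ${allowStatement}`,
    '    }',
    '  }',
    '}',
  ].join('\n');
}

// Open ACL: any client that knows the project's Firebase config can read and
// write game state.
const OPEN_RULES = sampleRules('allow read, write: if true; // wide open');
// Locked down: client SDK access is denied; a firebase-admin server is unaffected.
const LOCKED_RULES = sampleRules('allow read, write: if false;');

console.log(findOpenAllows(OPEN_RULES));
console.log(findOpenAllows(LOCKED_RULES));
```

Conditions such as `if request.auth != null` are not flagged, so a clean result means only that no rule is literally unconditional.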

nicolodavis commented 5 years ago

Happy to approve a PR adding an option to use firebase-admin. We'll also need to update the docs as well.