flamelink / flamelink-js-sdk

🦊 Official Flamelink JavaScript SDK for both the Firebase Realtime database and Cloud Firestore
https://flamelink.github.io/flamelink-js-sdk
MIT License

populate: true fails for media when using the firebase client sdk #127

Closed wollowizard closed 4 years ago

wollowizard commented 4 years ago

I create the flamelink app from a non-admin firebase instance. If I request content which contains a reference to a media file, with populate: true, it fails saying that I need the firebase admin sdk. I think that flamelink should recognize that the firebase client sdk is used, and avoid populating media fields. Or, as an alternative, in addition to populate: true, content.get should accept a populateMedia parameter, which the sdk user will set to false if he's using the client sdk.

```js
const firebase = require('firebase') // Firebase client SDK, not firebase-admin
const flamelink = require('flamelink')
const firebaseConfig = { /* ... */ }
const firebaseApp = firebase.initializeApp(firebaseConfig)

const app = flamelink({
  firebaseApp,
  dbType: 'cf',
  env: 't01',
  locale: 'de',
})

// "page" contains a media field. The content assigns an image to that field.
app.content.get({
  schemaKey: 'page',
  env: 't01',
  locale: 'de',
  populate: true // If this is false, it works. If true, it tries to resolve the media,
  // which will surely fail because here we are not using the admin sdk.
})
  .then(res => console.log(res))
  .catch(e => console.error(e))

// will print: The Firebase client-side SDK cannot access the Storage Bucket server-side.
// Please use the admin SDK instead
```

jperasmus commented 4 years ago

Hi there, thanks for opening the issue. What is the reason that you are using the Firebase client SDK server-side instead of the admin SDK? It is generally recommended by the Firebase team to only use the admin SDK server-side. Especially with newer versions of the Firebase SDKs, I've personally run into issues trying to use the client SDK in a server environment.

wollowizard commented 4 years ago

Hi, for my project I am indeed using the admin sdk. This is just an issue I observed when I tried to migrate to the client sdk. The reason was that I am ultimately returning content to the client (I built a middleware in which I implement some logic) and I was surprised to see that I need to manually strip away stuff like private key and sensitive metadata. I am afraid of not cleaning up some sensitive data that then might be exposed to the client.

jperasmus commented 4 years ago

The sensitive data you are referring to is what Firebase stores inside the Document References, which is only available when used with the firebase-admin SDK on a trusted (server) environment. If you are passing the data back to a non-trusted environment like the browser, you can either exclude the document reference fields or you can populate them into their document entries, which doesn't include the private key, etc.

From what we've seen in the past when someone used the Flamelink SDK server-side and used the Firebase client SDK, it was by mistake and they couldn't understand why the Storage fields didn't populate correctly. This is a limitation with the Firebase client SDK and the reason why we show that error in our SDK when we detect that you are using the client SDK on the server.
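
One way to exclude or flatten document reference fields before a response leaves the server, as suggested in the comment above. This is an added example, not code from this thread or from the Flamelink SDK: `isDocumentReference`, `toClientSafe` and the `FakeDocumentReference` sample are hypothetical, and references are detected by the `firestore`, `path` and `id` properties that the admin SDK's `DocumentReference` exposes.

```javascript
// Duck-type a Firestore DocumentReference by the `firestore`, `path` and `id`
// properties the admin SDK class exposes (no firebase-admin import needed here).
function isDocumentReference(value) {
  return (
    value !== null &&
    typeof value === 'object' &&
    typeof value.path === 'string' &&
    typeof value.id === 'string' &&
    typeof value.firestore === 'object' &&
    value.firestore !== null
  )
}

// Deep-copy `value` for the browser. mode 'omit' drops reference fields,
// mode 'path' replaces each reference with its document path string.
function toClientSafe(value, mode = 'omit') {
  if (isDocumentReference(value)) return mode === 'path' ? value.path : undefined
  if (Array.isArray(value)) {
    return value.map(item => toClientSafe(item, mode)).filter(item => item !== undefined)
  }
  if (value instanceof Date) return value.toISOString()
  if (value !== null && typeof value === 'object') {
    const out = {}
    for (const [key, child] of Object.entries(value)) {
      const safe = toClientSafe(child, mode)
      if (safe !== undefined) out[key] = safe
    }
    return out
  }
  return value
}

// Constructed stand-in for a reference whose internals carry credentials.
class FakeDocumentReference {
  constructor(path) {
    this._firestore = { credentials: { private_key: 'CONSTRUCTED-NOT-A-KEY' } }
    this._path = path
  }
  get firestore() { return this._firestore }
  get path() { return this._path }
  get id() { return this._path.split('/').pop() }
}
// Constructed sample entry with a media field and a nested reference.
const page = {
  title: 'Startseite',
  image: [new FakeDocumentReference('fl_files/abc123')],
  seo: { ogImage: new FakeDocumentReference('fl_files/def456'), description: 'Demo' },
}
console.log(JSON.stringify(toClientSafe(page)))
```

Running the sanitizer as the last step of the middleware, on every response body, means a newly added reference field in a schema is dropped by default instead of being serialized with its internals.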

wollowizard commented 4 years ago

Ok, again I am not reporting this as an issue but as an improvement to a potentially misleading situation of someone requesting content and getting an exception because of their chosen client sdk. If the media population will ALWAYS fail with a client sdk, probably this situation could be handled explicitly.