Tech stack: Google Cloud, Apigee, Node.js, Terraform
I want to create an Apigee proxy policy that would decode a Firebase auth token (I can currently achieve that with VerifyJWT), but in addition I want to query a document by the decoded ID, and based on that data I want to compare the request with that data's settings to confirm or deny the query. In a way, creating custom (for another purpose) Firestore rules.
Currently, I am stuck on JS. I cannot import any package like firebase-admin.
So, ideally I would like to learn how to use packages for proxy policies.
But I am open to suggestions. But I wouldn't like for my target service to do permission check.
Thanks in advance.
VerifyJWT will verify the Firebase-provided token. After that succeeds, your proxy can rely on the claims in the token, like the ... ID, or whatever, of the user or the app, etc. At that point, it sounds like you want to perform a lookup in Firebase.
"ideally I would like to learn how to use packages for proxy policies."
Your first thought, a reasonable one, is to write some JS code to query Firebase, and somehow add that or embed that into the Apigee proxy. But Apigee is not a general-purpose application platform; while there is a JavaScript extension policy, it is not modern ES9 JavaScript, and you cannot run arbitrary code within it. It is not possible to import firebase-admin or, really, any substantial module or library, into the JS policy.
I'm not a Firebase expert, but I am aware that Firebase Realtime DB DOES have a REST API. And Firestore also has a REST API. Apigee is good at invoking APIs; you can use the ServiceCallout policy for that purpose. If you can sort out the authentication required by Firebase, then you should be able to retrieve the data you seek. At that point you could use a JS policy to parse the data, and compare the request with the data settings.
The authentication should be pretty easy. Create a Service Account in GCP that has the right permissions (whatever they are). [You do not need to create a Service Account key.] Then set yourself up to deploy your Apigee proxy with that SA. Finally, configure your ServiceCallout policy to use the Authentication tag, and to perform the right query against Firebase.
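As an added example (not part of the original answer), here is what the "parse the data, and compare the request with the data settings" step could look like in plain ES5 for the JS policy. It decodes the typed-value JSON that the Firestore REST API returns and denies on anything missing or malformed. The document schema (`enabled`, `allowedMethods`, `allowedPathPrefixes`) and the variable names `firestoreResponse` and `authz.allowed` are assumptions made for illustration.

```javascript
// Decode one Firestore REST "Value" object into a plain JS value (ES5 only).
function decodeValue(v) {
  if (!v || typeof v !== 'object') return undefined;
  if ('stringValue' in v) return v.stringValue;
  if ('booleanValue' in v) return v.booleanValue;
  if ('integerValue' in v) return parseInt(v.integerValue, 10); // sent as a string
  if ('doubleValue' in v) return v.doubleValue;
  if ('nullValue' in v) return null;
  if ('arrayValue' in v) return (v.arrayValue.values || []).map(decodeValue);
  if ('mapValue' in v) return decodeFields(v.mapValue.fields);
  return undefined; // other value types are not needed for this check
}

function decodeFields(fields) {
  var out = {};
  Object.keys(fields || {}).forEach(function (k) { out[k] = decodeValue(fields[k]); });
  return out;
}

// Fails closed: an error body, a missing document or a wrong type is a deny.
function authorize(docJson, verb, path) {
  var settings;
  try { settings = decodeFields(JSON.parse(docJson).fields); } catch (e) { return false; }
  verb = String(verb || ''); path = String(path || '');
  if (settings.enabled !== true) return false;
  var methods = settings.allowedMethods, prefixes = settings.allowedPathPrefixes;
  if (!Array.isArray(methods) || !Array.isArray(prefixes)) return false;
  if (methods.indexOf(verb) === -1) return false;
  return prefixes.some(function (p) {
    if (typeof p !== 'string' || p.length === 0) return false;
    var base = p.replace(/\/+$/, ''); // "/orders/" and "/orders" behave alike
    return path === base || path.indexOf(base + '/') === 0; // whole segments only
  });
}

// Constructed sample of a Firestore REST document body (hypothetical schema).
var SAMPLE_DOC = JSON.stringify({ fields: {
  enabled: { booleanValue: true },
  allowedMethods: { arrayValue: { values: [{ stringValue: 'GET' }, { stringValue: 'POST' }] } },
  allowedPathPrefixes: { arrayValue: { values: [{ stringValue: '/orders' }] } }
} });

// Apigee glue: `context` exists only inside the JavaScript policy.
// 'firestoreResponse' is the assumed ServiceCallout response variable name.
if (typeof context !== 'undefined') {
  context.setVariable('authz.allowed', authorize(
    context.getVariable('firestoreResponse.content'),
    context.getVariable('request.verb'),
    context.getVariable('proxy.pathsuffix')));
}
```

A later conditional step in the flow can then reject the request whenever `authz.allowed` is not true.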