Complex Firebase Security [closed]

How complex can Firebase security rules be?

I.e., I have multiple roles of people in multiple projects meaning that the data that a user should be able to receive should be dependent on their role, their team but also whether their superiors have granted them access to a specific file / files.

At this point I think it would be better to create an API with something like Express, which then sits in between the client and Firebase. So the client requests things from the API server, which in turn checks their permissions from the database and, if true, relays the data from Firebase they requested.

But doing this seems inefficient.

Because every CRUD query to the API server will lead to a lot of reads on my Firebase server, since it will:

  1. Check if the person requesting is logged in (and what their role is
    for a project).
  2. For the “Team Folder”, request the list of authorized people (and
    check if this user is on it)
  3. Request the list of people in the team who should have access to a
    resource (and check if the user is on it)
  4. Then request the resource from the database and return it to the
    user.

And this will be unique for every type of file and happen for every Create, Read, Update and Delete, which basically means that the Reads will skyrocket and I will basically lose all Google’s Security and Optimizations.

So my question is, how do apps like Google Drive (which does resource sharing) and ERP software do it?

Is there a certain type of database schema which does this type of permission based sharing?

Or am I looking at it wrong? Because most of the articles online only show small things like 2 or 3 role types and not multiple types of permissions working together.

  • 3

    I think you can expect that enterprise scale products like Google Drive are staffed by hundreds of engineers, cost hundreds of millions of dollars to operate annually, and are far more complicated than could be implemented with something like Firebase. A full discussion of how they work is way beyond the scope of a Stack Overflow question.


  • 2

    If you want a deeper understanding of Google’s authorization system, read this white paper: research.google/pubs/…

  • 3

    Firebase’s security rules can be quite complex, but they definitely do have a limit. That said, the basic flow you have described sounds feasible – although I recommend changing your thinking from “request a list and check if the value is in there” to “check if the value exists in a certain list/path”. That will improve scalability and lead to much better cost control (the two usually go hand in hand). For some basics of attribute and role based access control, see firebase.google.com/docs/rules/….

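The "check if the value exists at a path" approach from the last comment, as an added example that is not part of the original question or comments. It assumes Cloud Firestore (the thread does not say which Firebase database is in use); the collection layout, the `manager` role value and the helper function names are hypothetical.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Hypothetical layout: memberships and grants are documents keyed by uid,
    // so each check is one lookup on a known path, not a list download.
    //   projects/{p}/members/{uid}                     -> { role: "manager" | ... }
    //   projects/{p}/teams/{t}/members/{uid}
    //   projects/{p}/teams/{t}/files/{f}/grants/{uid}

    function signedIn() {
      return request.auth != null;
    }
    function inProject(p) {
      return exists(/databases/$(database)/documents/projects/$(p)/members/$(request.auth.uid));
    }
    function isManager(p) {
      return inProject(p)
        && get(/databases/$(database)/documents/projects/$(p)/members/$(request.auth.uid)).data.role == 'manager';
    }
    function inTeam(p, t) {
      return exists(/databases/$(database)/documents/projects/$(p)/teams/$(t)/members/$(request.auth.uid));
    }
    function granted(p, t, f) {
      return exists(/databases/$(database)/documents/projects/$(p)/teams/$(t)/files/$(f)/grants/$(request.auth.uid));
    }

    // Membership documents: readable by their owner, written only from a
    // trusted backend (the Admin SDK bypasses these rules).
    match /projects/{p}/members/{uid} {
      allow read: if signedIn() && request.auth.uid == uid;
      allow write: if false;
    }

    match /projects/{p}/teams/{t}/files/{f} {
      // Team membership is required; then either the manager role or a
      // per-file grant from a superior.
      allow read: if signedIn() && inTeam(p, t) && (isManager(p) || granted(p, t, f));
      allow create, update, delete: if signedIn() && isManager(p);

      // Only a manager can hand out or revoke a grant on a file.
      match /grants/{uid} {
        allow read: if signedIn() && (request.auth.uid == uid || isManager(p));
        allow write: if signedIn() && isManager(p);
      }
    }
  }
}
```

Each `exists()` or `get()` call in a rule is billed as a document read, so the file read rule costs a fixed handful of reads per request no matter how many members or grants exist.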