Upstream Firebase User Auth

This policy adds a Firebase Admin token to the outgoing Authentication header, allowing requests to Firebase using Service Account admin permissions. This can be useful for calling Firebase services such as Firestore through a Zuplo endpoint that is secured with other means of authentication, such as API keys. Additionally, this policy can be useful for serving content to all API users (for example, serving a specific Firestore document containing configuration data).

We recommend reading the serviceAccountJson from environment variables (so it is not checked in to source control) using the $env(ENV_VAR) syntax.

Configuration

{
  "name": "my-upstream-firebase-user-auth-inbound-policy",
  "policyType": "upstream-firebase-user-auth-inbound",
  "handler": {
    "export": "UpstreamFirebaseUserAuthInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "serviceAccountJson": "$env(SERVICE_ACCOUNT_JSON)",
      "webApiKey": "$env(WEB_API_KEY)",
      "userId": "1234",
      "developerClaims": {
        "premium": true
      }
    }
  }
}

Options

  • name: The name of your policy instance. This is used as a reference in your routes.
  • policyType: The identifier of the policy. This is used by the Zuplo UI. Value should be upstream-firebase-user-auth-inbound.
  • handler/export: The name of the exported type. Value should be UpstreamFirebaseUserAuthInboundPolicy.
  • handler/module: The module containing the policy. Value should be $import(@zuplo/runtime).
  • handler/options: The options for this policy:
    • serviceAccountJson

      The Google Service Account key in JSON format. Note you can load this from environment variables using the $env(ENV_VAR) syntax.

    • userId

      The userId to use as the custom token's subject.

    • userIdPropertyPath

      The property on the incoming request.user object from which to retrieve the userId.

    • developerClaims

      Optional additional claims to include in the custom token's payload.

    • webApiKey

      The Firebase Web API Key (found in project settings).

    • tokenRetries

      The number of times to retry fetching the token in the event of a failure. Defaults to 3.

    • expirationOffsetSeconds

      The number of seconds to subtract from the token's expiration when caching the token. Defaults to 300 seconds.
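
The recommendation to load serviceAccountJson through $env(ENV_VAR) can be enforced before a policy file is committed. The following check is an added example, not part of Zuplo's documentation or runtime: lintFirebaseUserAuthPolicy is a hypothetical helper, applying the same rule to webApiKey follows the sample configuration above, requiring one of userId or userIdPropertyPath is an assumption, and the reserved claim names are those the Firebase Admin SDK refuses in custom tokens.

```javascript
// Added example (not Zuplo code): lint one policy entry before it is committed.
const ENV_REF = /^\$env\([A-Za-z_][A-Za-z0-9_]*\)$/;
// Claim names the Firebase Admin SDK refuses as developer claims in custom tokens.
const RESERVED_CLAIMS = new Set(["acr", "amr", "at_hash", "aud", "auth_time", "azp",
  "cnf", "c_hash", "exp", "iat", "iss", "jti", "nbf", "nonce"]);

function lintFirebaseUserAuthPolicy(policy) {
  const findings = [];
  if (policy.policyType !== "upstream-firebase-user-auth-inbound") return findings;
  const opts = (policy.handler && policy.handler.options) || {};
  for (const key of ["serviceAccountJson", "webApiKey"]) {
    const value = opts[key];
    if (value === undefined) {
      findings.push(`${key}: missing`);
    } else if (typeof value !== "string" || !ENV_REF.test(value)) {
      // Anything other than a bare $env(...) reference means the value lives in the file.
      findings.push(`${key}: inline value, load it with $env(ENV_VAR)`);
    }
  }
  // Assumption: the custom token needs a subject from one of these two options.
  if (opts.userId === undefined && opts.userIdPropertyPath === undefined) {
    findings.push("userId/userIdPropertyPath: no token subject configured");
  }
  for (const claim of Object.keys(opts.developerClaims || {})) {
    if (RESERVED_CLAIMS.has(claim)) findings.push(`developerClaims.${claim}: reserved claim name`);
  }
  return findings;
}

// The handler options from the configuration shown on this page.
const PAGE_POLICY = {
  policyType: "upstream-firebase-user-auth-inbound",
  handler: { options: { serviceAccountJson: "$env(SERVICE_ACCOUNT_JSON)",
    webApiKey: "$env(WEB_API_KEY)", userId: "1234", developerClaims: { premium: true } } },
};
// Constructed bad entry; the key material is a placeholder, not a real key.
const BAD_POLICY = {
  policyType: "upstream-firebase-user-auth-inbound",
  handler: { options: {
    serviceAccountJson: '{"type":"service_account","private_key":"PLACEHOLDER"}',
    webApiKey: "$env(WEB_API_KEY)", developerClaims: { aud: "other", premium: true } } },
};

console.log(lintFirebaseUserAuthPolicy(PAGE_POLICY));
console.log(lintFirebaseUserAuthPolicy(BAD_POLICY));
```
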
