node.jsfirebasegoogle-cloud-platformgoogle-cloud-functionsgoogle-admin-sdk

Can One Gmail Account Has Access to Two Apps with different Custom Claims in Firebase Admin SDK


I want to ask about Firebase Admin SDK in case for using Custom Claim between two related apps: Server App and Client App. Each of them has different features. They are all placed inside the same Firebase project, but using different collection. Both apps are using Cloud Function which have different file of Node.js. I put all the Cloud Function codes in different project of Visual Studio Code.

For example in this code for Server App:

claims = {
  serverFeatureA: true,
  serverFeatureB: false,
};

admin.auth().setCustomUserClaims(uid, claims);

And this is for Client App:

claims = {
   clientFeatureA: true,
   clientFeatureB: false,
};

admin.auth().setCustomUserClaims(uid, claims);

What I am worrying is if the same Gmail account uses these both apps and Cloud Function assigns its claims for different features? Will this overwrite the old claims written in Client App and only exist in Server App if user subscribed to Client first, then Server? Any help will be great. Thanks.


Solution

  • Since you have only ONE Firebase project (which means one set of users declared in the authentication service of this Firebase project), when one of your Cloud Functions updates the Custom Claims assigned to a user of this project it overwrites the Custom Claims previously set for this user (independently of the Cloud Function that previously set the Claims).

    What you can do to avoid that is to check, in each of your Cloud Functions, that the user that is going to be updated does not hold the Claims of the other profile. In other words, prior to assign a Server App claim to a specific user you check that this user does not have the Client App claim, and vice-versa.

    The code to do so depends on your Cloud Function trigger type and code.