I recently migrated my Firebase project to use Eventarc triggers for Realtime Database, transitioning to Node.js 20 and the v2 architecture. While I've managed to find workarounds for tracking user actions on set() and update() operations, I'm struggling with the remove() method due to the absence of user context in the event payload.
The Issue
In Firebase Functions v1, the context.auth object provided details about the user performing an action, which was essential for logging and tracking deletions. With the switch to Eventarc in v2, the event payload for deletions no longer includes this information, making it difficult to determine who deleted a data node.
Here's an example of a deletion event payload:
{
  "subject": "refs/test/12",
  "time": "2025-01-11T21:18:45.028Z",
  "id": "0Us3XfpOOxpU3pYguzbfUYlymTw=",
  "type": "google.firebase.database.ref.v1.deleted",
  "ref": "test/12",
  "location": "us-central1",
  "specversion": "1.0",
  "instance": "my-qa",
  "source": "//firebasedatabase.googleapis.com/projects/_/locations/us-central1/instances/my-qa",
  "traceparent": "00-fca58d21a6d39b231146499920c172c2-3af3d60a32c1b974-01",
  "firebaseDatabaseHost": "firebaseio.com",
  "params": {
    "id": "12"
  }
}
The Challenge
Since remove() does not allow adding metadata, there's no clear way to track who performed a deletion. This presents a significant challenge for applications where multiple users or systems can interact with the same data, as it compromises the ability to maintain accurate audit logs and enforce security protocols.
My Question
How can I track the user or system responsible for deletions in Firebase Realtime Database when using Eventarc triggers? Is there a workaround for this scenario in the Eventarc v2 architecture?
On Cloud Functions for Firebase gen1 the implicit auth context is available for the Realtime Database, but not for any other Firebase products.
On Cloud Functions for Firebase gen2 the implicit auth context is available for Firestore, but not for any other Firebase products.
The underlying architecture in Eventarc does allow adding it to other products too; the work "just" hasn't been done for that. While none of us can say what the engineers' plans are, I was at Firebase until July 2024 and nobody was working on this for the Realtime Database until then, nor were there any concrete planning timelines for that.
While I of course hope Firebase adds this feature, if you need to know the auth context today you'll have to do it without the implicit auth context. I'd typically pick the same approach that was recommended for Firestore in gen1, and:
That should also work for your case of removing data, as the path is available for deletes too. For more on this, see the docs on wildcarding and capturing. From there:
Path capturing. You can capture path matches into named variables to be used in your function code (e.g. /user/{uid}, /user/{uid=*-us}). The values of the capture variables are available within the database.DatabaseEvent.params object of your function.
If a data modeling solution isn't feasible, according to the support matrix, gen1 of Cloud Functions continues to work - so that could also be a solution.
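An added example, not code from the question, the answer or Firebase: one way to turn the captured path variable into an audit record for deletions, including the case where the path carries no user (as in the payload in the question). The /user/{uid}/items/{itemId} layout, the security rule in the comment, the function name buildDeletionAudit and the sample events are assumptions made for illustration.

```javascript
// Added example: attribute a Realtime Database deletion via path capture.
// Assumed layout (hypothetical): /user/{uid}/items/{itemId}, protected by a rule like
//   { "rules": { "user": { "$uid": { ".write": "auth != null && auth.uid === $uid" } } } }

const DELETED_TYPE = "google.firebase.database.ref.v1.deleted"; // type from the payload above

// Build an audit record from a v2 deletion event. event.params holds the
// captured path variables; the event itself carries no auth context.
function buildDeletionAudit(event) {
  if (!event || event.type !== DELETED_TYPE) {
    throw new TypeError(`not a deletion event: ${event && event.type}`);
  }
  const uid = event.params && event.params.uid;
  const attributed = typeof uid === "string" && uid.length > 0;
  return {
    eventId: event.id, // usable as a de-duplication key if the event is redelivered
    deletedAt: event.time,
    instance: event.instance,
    ref: event.ref,
    actor: attributed ? uid : null,
    // "path-capture" names the owner of the subtree. It equals the caller only
    // when rules enforce auth.uid === $uid; Admin SDK writes bypass rules.
    actorSource: attributed ? "path-capture" : "unattributed",
  };
}

// Wiring inside a deployed function (needs the firebase-functions package):
//   const { onValueDeleted } = require("firebase-functions/v2/database");
//   exports.auditItemDelete = onValueDeleted("/user/{uid}/items/{itemId}",
//     (event) => console.log(JSON.stringify(buildDeletionAudit(event))));

// Constructed sample events (not real data).
const ownedDelete = {
  id: "constructed-event-1",
  time: "2025-01-11T21:18:45.028Z",
  type: DELETED_TYPE,
  ref: "user/alice-uid/items/12",
  instance: "my-qa",
  params: { uid: "alice-uid", itemId: "12" },
};
// Same shape as the payload in the question: no uid segment in the path.
const flatDelete = { ...ownedDelete, id: "constructed-event-2", ref: "test/12", params: { id: "12" } };

console.log(buildDeletionAudit(ownedDelete));
console.log(buildDeletionAudit(flatDelete));
```

Records with actorSource "unattributed" mark paths where the data model does not carry the user, which is where audit coverage is missing.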