Fred Zhang commented: Yep, you can sign up for early access here: https://firebase.google.com/products/data-connect
View documentation here: https://firebase.google.com/docs/data-connect
Add feature requests here: https://firebase.uservoice.com/forums/948424-general?category_id=501596
Fred Zhang commented: Interesting idea. Data Connect took a slightly different approach. Authorization is done at the query / mutation level with `@auth` directives.
Two camps:
A) Resource-level auth policy.
e.g. Postgres's RLS, Security Rules in Firestore / Firebase Storage and RTDB
B) Operation-level auth policy.
Cloud Functions, Cloud Run. Any backend API usually comes with an auth check.
We considered existing feedback on Firestore and RTDB Security Rules. Open, insecure rules are a huge concern because they're "too easy" for early development.
When a resource is accessed by different means, it's repetitive and often bug-prone to include every case. This gave birth to the Emulator Suite and Security Rules testing.
When we designed Data Connect, we debated those two security models heavily. We chose B) operation-level security, so that it's
- secure by default: no way to access a row without a query defined.
- easy to write: the operation auth policy has the relevant context. It reduces the risk of an outage due to misconfigured rules on a shared row.
On the other side, you may use the same Cloud SQL database via Data Connect and other servers. It's a great callout that Data Connect shall be compatible with Postgres's security best practices.
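As an added illustration of the B) operation-level model described in the comment above (this is example code written for this page, not code from Fred Zhang, the Firebase docs, or the Data Connect project): a small Data Connect schema plus the only operations clients are allowed to call. The `Order` type, its fields and the operation names are assumed for illustration; the `@auth`, `eq_expr` and `_expr` argument syntax follows the public Data Connect documentation as I understand it, so check it against the current reference before relying on it.

```graphql
# Added example, not from the original page. Type, field and operation
# names are assumed; directive syntax follows the Data Connect docs as
# understood by the editor.

# Schema: every order row belongs to a user (assumed shape).
type Order @table {
  id: UUID! @default(expr: "uuidV4()")
  userId: String!
  total: Int!
}

# Camp B in practice: there is no generic "read any row" endpoint. A client
# can only invoke operations defined in this file, so an access path that
# was never written is rejected by construction instead of silently allowed.

# Signed-in users may list only their own rows. The auth requirement and
# the row filter sit next to each other, so a reviewer sees both at once.
query ListMyOrders @auth(level: USER) {
  orders(where: { userId: { eq_expr: "auth.uid" } }) {
    id
    total
  }
}

# The owner is bound from the verified token, never from client input,
# so a caller cannot create an order on behalf of another user.
mutation CreateOrder($total: Int!) @auth(level: USER) {
  order_insert(data: { userId_expr: "auth.uid", total: $total })
}

# A public, unauthenticated operation has to say so explicitly; there is
# no way to get this behaviour by forgetting a rule.
query CountOrders @auth(level: PUBLIC) {
  orders {
    id
  }
}

# An operation with no @auth directive is not callable by clients at all
# (NO_ACCESS is the default as I understand the docs), which is the
# "secure by default" property the comment describes. Uncomment to see
# the deploy-time behaviour:
# query ListAllOrders {
#   orders { id userId total }
# }
```

The contrast with camp A: with Postgres RLS the policy is attached to the table and applies to every SQL path, including those that bypass Data Connect. That is exactly why the comment ends on compatibility with Postgres's own best practices; the two models compose rather than replace each other when the same Cloud SQL instance is reached by other servers.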