I148 create admin role using firebase functions and restriction rules to firestore security rules

.eslintrc.js

@@ -15,7 +15,7 @@ module.exports = {
   ],
   rules: {
     'no-unused-vars': 'off',
-    'no-console': 'warn',
+    'no-console': 'off',
     '@typescript-eslint/explicit-module-boundary-types': 'off',
 
     'react/jsx-curly-brace-presence': [
@@ -25,7 +25,7 @@ module.exports = {
 
     //#region  //*=========== Unused Import ===========
     '@typescript-eslint/no-unused-vars': 'off',
-    'unused-imports/no-unused-imports': 'warn',
+    'unused-imports/no-unused-imports': 'off',
     'unused-imports/no-unused-vars': [
       'warn',
       {

.gitignore

@@ -51,4 +51,4 @@ sitemap-*.xml
 **/public/worker-*.js
 **/public/sw.js.map
 **/public/workbox-*.js.map
-**/public/worker-*.js.map
+**/public/worker-*.js.map

firebase/firestore.rules

@@ -1,20 +1,33 @@
 rules_version = '2';
 service cloud.firestore {
   match /databases/{database}/documents {
-    match /users/{userId}/{document=**} {
-      function isSignIn(){
+    function isSignIn(){
         return request.auth != null;
       }
 
-      function isOwner(){
-        return request.auth.uid == userId;
-      }
+    // function hasVerifiedEmail(){
+    //   return request.auth.token.email_verified;
+    // }
 
-      function hasVerifiedEmail(){
-        return request.auth.token.email_verified;
-      }
+    function isOwner(uid){
+      return request.auth.uid == uid;
+    }
+
+    function isAdmin(){
+      return request.auth.token.admin;
+    }
+
+    match /users/{userId}/{document=**} {
+
+      allow read, write: if isSignIn() && isOwner(userId);
+    }
 
-      allow read, write: if isSignIn() && isOwner();
+    match /roles/{userId} {
+      // function checkEmail(){
+      //   return request.auth.token.email == email;
+      // }
+      allow read: if isSignIn() && isAdmin() && isOwner(userId);
+      allow write: if false;
     }
   }
 }

firebase/functions/callable/createAdmin.ts

@@ -0,0 +1,23 @@
+import { functions, auth, firestore } from '../main'
+
+export const createAdmin = functions
+  .region('australia-southeast1')
+  .https.onRequest(async (req, res) => {
+    const userId = '<USER_ID>'
+    const role = 'admin'
+
+    const claims: Record<string, boolean> = {}
+    claims[role] = true
+
+    await auth.setCustomUserClaims(userId, claims)
+
+    const userRecord = await auth.getUser(userId)
+    const data = { role: 'admin', by: 'none' }
+    await firestore
+      .collection('roles')
+      .doc(userRecord.email || userId)
+      .set(data)
+
+    res.setHeader('Content-Type', 'application/json')
+    res.send(JSON.stringify({ status: 'success' }))
+  })

firebase/functions/pubsubWriter.ts → firebase/functions/callable/pubsubWriter.ts

@@ -1,10 +1,11 @@
 import { PubSub } from '@google-cloud/pubsub'
-import { region } from './main'
+import { functions } from '../main'
 
 const pubsub = new PubSub()
 
-export const pubsubWriter = region('australia-southeast1').https.onRequest(
-  async (req, res) => {
+export const pubsubWriter = functions
+  .region('australia-southeast1')
+  .https.onRequest(async (req, res) => {
     console.log('Pubsub Emulator:', process.env.PUBSUB_EMULATOR_HOST)
 
     const msg = await pubsub.topic('billing').publishJSON(
@@ -23,5 +24,4 @@ export const pubsubWriter = region('australia-southeast1').https.onRequest(
     res.json({
       published: msg
     })
-  }
-)
+  })

firebase/functions/index.ts

@@ -1,5 +1,4 @@
-export * from './main'
-export * from './helloWorld'
-export * from './pubsubWriter'
-export * from './billingKillswitch'
-export * from './visitTrigger'
+export * from './callable/pubsubWriter'
+export * from './trigger/billingKillswitch'
+export * from './trigger/visitTrigger'
+export * from './callable/createAdmin'

firebase/functions/main.ts

@@ -1,6 +1,10 @@
 import { config } from 'firebase-functions/v1'
 import { initializeApp } from 'firebase-admin/app'
+import { getAuth } from 'firebase-admin/auth'
+import { getFirestore } from 'firebase-admin/firestore'
 
 initializeApp(config().firebase)
 
-export * from 'firebase-functions/v1'
+export * as functions from 'firebase-functions/v1'
+export const auth = getAuth()
+export const firestore = getFirestore()

firebase/functions/billingKillswitch.ts → firebase/functions/trigger/billingKillswitch.ts

@@ -1,5 +1,5 @@
 import { CloudBillingClient } from '@google-cloud/billing'
-import { region } from './main'
+import { functions } from '../main'
 
 const billing = new CloudBillingClient()
 
@@ -42,7 +42,8 @@ const _disableBillingForProject = async (projectName: string) => {
   return `Billing disabled: ${JSON.stringify(res)}`
 }
 
-export const stopBilling = region('australia-southeast1')
+export const stopBilling = functions
+  .region('australia-southeast1')
   .pubsub.topic('billing')
   .onPublish(async (pubsubEvent) => {
     const pubsubData = JSON.parse(

firebase/functions/visitTrigger.ts → firebase/functions/trigger/visitTrigger.ts

@@ -1,6 +1,6 @@
-import { firestore } from './main'
-import { getFirestore, DocumentData } from 'firebase-admin/firestore'
-const db = getFirestore()
+import { functions, firestore } from '../main'
+import { DocumentData } from 'firebase-admin/firestore'
+
 interface UserStat {
   numVisits: number
   numHours: number
@@ -13,7 +13,7 @@ interface UserStat {
  * Automatically updates the user stats when a visit is added,
  * deleted or updated.
  */
-export const updateVisitTrigger = firestore
+export const updateVisitTrigger = functions.firestore
   .document('users/{userId}/visits/{visitId}')
   .onWrite(async (change, context) => {
     const userId = context.params.userId
@@ -26,7 +26,7 @@ export const updateVisitTrigger = firestore
     }
 
     // require oldStats to append to newStats
-    const userRef = db.collection('users').doc(userId)
+    const userRef = firestore.collection('users').doc(userId)
     const userDoc = await userRef.get()
     const oldStats: UserStat = userDoc.data()?.stats
 

firebase/package.json

@@ -25,7 +25,7 @@
     "@google-cloud/billing": "^3.1.3",
     "@google-cloud/pubsub": "^3.2.1",
     "firebase-admin": "^11.3.0",
-    "firebase-functions": "^4.1.0"
+    "firebase-functions": "^4.1.1"
   },
   "devDependencies": {
     "@types/node": "^16.18.3",

firebase/yarn.lock

@@ -1326,10 +1326,10 @@ firebase-functions-test@^3.0.0:
     lodash "^4.17.5"
     ts-deepmerge "^2.0.1"
 
-firebase-functions@^4.1.0:
-  version "4.1.0"
-  resolved "https://registry.yarnpkg.com/firebase-functions/-/firebase-functions-4.1.0.tgz#4d8780a2c0aee6f362b3a632af293911427ec597"
-  integrity sha512-brbww5lGQVm8+d4KFmHF+O8wJBthws1NGXgphy7UDguMbUoW0fq6bL0NI442w+3nDE8IYUbnR4p3U8/cLAhnOA==
+firebase-functions@^4.1.1:
+  version "4.1.1"
+  resolved "https://registry.yarnpkg.com/firebase-functions/-/firebase-functions-4.1.1.tgz#47c39a40d6cdaad9a46cb7ee3b9ffbb9bcaa7f2c"
+  integrity sha512-D0fhHO7m3OfZp5TpbO+ClsEo6vmr8uaR4kt7sePhQgcF1OCRI6YT5dEa9szaQekGKoao/YeZ+C5HVxEGsLxD9Q==
   dependencies:
     "@types/cors" "^2.8.5"
     "@types/express" "4.17.3"

package.json

@@ -36,6 +36,7 @@
     "class-variance-authority": "0.3.0",
     "firebase": "9.14.0",
     "jotai": "^1.12.0",
+    "firebase-admin": "^11.4.1",
     "next": "12.3.4",
     "next-pwa": "5.6.0",
     "react": "18.2.0",

src/components/TopNav/index.tsx

@@ -1,6 +1,11 @@
 import Image from 'next/image'
+import Link from 'next/link'
+
+import Button from '@/components/UI/button'
+import { useAuth } from '@/context/Firebase/Auth/context'
 
 function TopNav() {
+  const { isAdmin } = useAuth()
   return (
     <div className='h-16 w-full'>
       <nav
@@ -9,6 +14,15 @@ function TopNav() {
       >
         <div className='flex justify-between'>
           <Image alt='logo' src='/images/logo.png' width={100} height={64} />
+          {isAdmin && (
+            <Link href='admin/'>
+              <a className='flex justify-center'>
+                <Button size='small' intent='secondary'>
+                  Admin Page
+                </Button>
+              </a>
+            </Link>
+          )}
         </div>
         <hr className='mb-3 h-0.5 border-primary-dark bg-primary-dark text-primary-dark' />
       </nav>

src/context/Firebase/Auth/context.tsx

@@ -10,11 +10,15 @@ export interface FirebaseContextProps {
   externalAuthSignIn?: (auth: Auth, provider: AuthProvider) => void
   logOut?: () => void
   currentUser: User | null
+  isAdmin: boolean
+  refreshUserToken: () => Promise<void>
 }
 //set auth and current user as a context api to be called by other funcs
 export const AuthContext = createContext<FirebaseContextProps>({
   auth: auth,
-  currentUser: null
+  currentUser: null,
+  isAdmin: false,
+  refreshUserToken: async () => undefined
 })
 
 export const useAuth = () => useContext(AuthContext)