Do you need firebase admin sdk when creating admin web?

I'm currently working on a small project using firebase. My team member is working on iOS and Android while I'm trying to build a custom admin page using React.

In the app, users can sign up with their phone and send a request for permission by attaching a few documents.

I have to build an admin page to approve or deny these documents. For that I need to get a list of all users from the User collection, view all the documents that were submitted, and be able to update the user field 'isApproved' to true or false.

I was thinking of simply creating a new admin account directly in firebase and using that account to sign in to the admin page and perform the following actions (manipulate normal user info fields). But I found out about the firebase admin SDK. Do I need to use this in my case?

I may need to send push notifications to all signed-up users and create, update and delete user accounts later on.

Given the situation, should I use the firebase admin SDK?

Can someone give me advice on how to set up the overall structure?

First things first, you should not use the Admin SDK on the frontend. The Admin SDK has privileged access to all Firebase resources and does not follow any security rules either. You should always use the Admin SDK in a secure environment like Firebase Cloud Functions or your own server.

I am not entirely sure what actions you need to perform while accepting/rejecting the documents. If you need to read/write a specific part of a database (which only an admin can access) then you can use Firebase security rules. You would have to add a Custom Claim to the admin user or store their UID in a database.

But if you need to do multiple things (maybe sending an email to the user, doing some actions using a 3rd party API), I'll recommend using a Cloud Function with the Admin SDK.

How will that work?

  1. You will have to create a Cloud Function to accept/reject the documents.
  2. When the admin accepts/rejects a document, you can pass details of that user (userID, document info and whether the docs were accepted) to the Cloud Function and process it over there.

The callable function may look like:

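const functions = require("firebase-functions");

exports.verifyDocs = functions.https.onCall((data, context) => {
  // context.auth is undefined when the caller is not signed in,
  // so check it before destructuring
  if (!context.auth) return "Unauthorized"
  const {uid, token} = context.auth
  if (!token.admin) return "Forbidden"
  // The user is an admin
  // Do database updates
  // Any third party APIs
});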

If you use callable functions, Firebase will automatically add auth info of the user calling that function. In the example above, I've assumed the user will have an admin custom claim but if you want to keep things simple based on UIDs you can do so by:

const adminUIDs = ["uid1", "uid2"]
if (!adminUIDs.includes(context.auth.uid)) return "Forbidden"

To call the function from your React app:

const verifyDocs = firebase.functions().httpsCallable('verifyDocs');
verifyDocs({ userID: "userID", text: messageText })
  .then((result) => {
    // Read result of the Cloud Function.
  });

Anything you pass in the function above will be available in your Cloud Function in the 'data' parameter.
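
The following is an added example, not part of the original answer: one way to write the authorization and input checks for the `verifyDocs` callable, since the Admin SDK bypasses security rules and the function itself is the only gate. The `User` collection and `isApproved` field come from the question; `checkRequest`, `makeVerifyDocs`, `CallableError` and the `reviewedBy` field are hypothetical names chosen for illustration.

```javascript
// Added example: authorization and input checks for the verifyDocs callable.
// CallableError stands in for functions.https.HttpsError so this runs offline.
class CallableError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}

// Returns the validated request or throws. Nothing in `data` is trusted:
// it comes straight from the browser.
function checkRequest(data, context, HttpsError = CallableError) {
  // context.auth is undefined when the caller is not signed in.
  if (!context || !context.auth) {
    throw new HttpsError("unauthenticated", "Sign in first.");
  }
  // Custom claims arrive inside the verified ID token.
  const claims = context.auth.token || {};
  if (claims.admin !== true) {
    throw new HttpsError("permission-denied", "Admins only.");
  }
  const { userID, isApproved } = data || {};
  // Firestore document IDs must be non-empty and cannot contain "/".
  if (typeof userID !== "string" || userID === "" || userID.includes("/")) {
    throw new HttpsError("invalid-argument", "userID must be a document ID.");
  }
  // Reject "true"/1/null so a loose client value never flips approval.
  if (typeof isApproved !== "boolean") {
    throw new HttpsError("invalid-argument", "isApproved must be a boolean.");
  }
  return { userID, isApproved, reviewedBy: context.auth.uid };
}

// Builds the handler around a Firestore handle (admin.firestore() in production).
function makeVerifyDocs(db, HttpsError = CallableError) {
  return async (data, context) => {
    const req = checkRequest(data, context, HttpsError);
    // Write only the named fields and record which admin made the decision
    // (reviewedBy is an assumed field, not one from the question).
    await db.collection("User").doc(req.userID)
      .update({ isApproved: req.isApproved, reviewedBy: req.reviewedBy });
    return { userID: req.userID, isApproved: req.isApproved };
  };
}

// Wiring inside a Cloud Functions project (not executed here):
//   exports.verifyDocs = functions.https.onCall(
//     makeVerifyDocs(admin.firestore(), functions.https.HttpsError));
```

Throwing an `HttpsError` instead of returning a string makes the client promise reject, so a denied call cannot be mistaken for a successful result.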
