Implement Firestore security rules and add user authentication functions

Novapool · Novapool · commit 4fc1bb77a21e · 2025-03-16T22:10:23.000-04:00
diff --git a/firestore.rules b/firestore.rules
@@ -2,18 +2,37 @@ rules_version = '2';
 
 service cloud.firestore {
   match /databases/{database}/documents {
-
-    // This rule allows anyone with your Firestore database reference to view, edit,
-    // and delete all data in your Firestore database. It is useful for getting
-    // started, but it is configured to expire after 30 days because it
-    // leaves your app open to attackers. At that time, all client
-    // requests to your Firestore database will be denied.
-    //
-    // Make sure to write security rules for your app before that time, or else
-    // all client requests to your Firestore database will be denied until you Update
-    // your rules
+    // Helper functions
+    function isAuthenticated() {
+      return request.auth != null;
+    }
+    
+    function isOwner(userId) {
+      return isAuthenticated() && request.auth.uid == userId;
+    }
+    
+    // Users collection
+    match /users/{userId} {
+      // Users can read and update their own profiles
+      allow read, update: if isOwner(userId);
+      // Only allow creation through Cloud Functions (triggered by Auth)
+      allow create: if false;
+      // Only allow deletion through Cloud Functions
+      allow delete: if false;
+    }
+    
+    // Courses collection - will be implemented later
+    match /courses/{courseId} {
+      // Users can read courses they're enrolled in
+      allow read: if isAuthenticated() && 
+        exists(/databases/$(database)/documents/users/$(request.auth.uid)/courses/$(courseId));
+      // Write operations will be handled by Cloud Functions
+      allow write: if false;
+    }
+    
+    // Default deny all
     match /{document=**} {
-      allow read, write: if request.time < timestamp.date(2025, 3, 19);
+      allow read, write: if false;
     }
   }
-}
+}
diff --git a/functions/auth.py b/functions/auth.py
@@ -0,0 +1,175 @@
+from firebase_functions import https_fn
+from firebase_admin import firestore, auth
+import google.cloud.firestore
+import json
+
+@https_fn.on_call()
+def create_user_profile(req: https_fn.CallableRequest) -> dict:
+    """
+    Callable function to create a user profile.
+    Called after user registration.
+    """
+    if not req.auth:
+        raise https_fn.HttpsError(
+            code=https_fn.FunctionsErrorCode.UNAUTHENTICATED,
+            message="User must be authenticated"
+        )
+    
+    try:
+        # Get user data from Firebase Auth
+        user = auth.get_user(req.auth.uid)
+        
+        # Create user profile in Firestore
+        firestore_client: google.cloud.firestore.Client = firestore.client()
+        user_ref = firestore_client.collection('users').document(user.uid)
+        
+        user_data = {
+            'displayName': user.display_name or '',
+            'email': user.email,
+            'photoURL': user.photo_url or '',
+            'createdAt': firestore.SERVER_TIMESTAMP,
+            'lastLogin': firestore.SERVER_TIMESTAMP,
+            'role': 'student',  # Default role
+            'courses': []  # Empty list of courses initially
+        }
+        
+        user_ref.set(user_data)
+        
+        return {"success": True, "message": "User profile created successfully"}
+        
+    except Exception as e:
+        raise https_fn.HttpsError(
+            code=https_fn.FunctionsErrorCode.INTERNAL,
+            message=f"Error creating user profile: {str(e)}"
+        )
+
+@https_fn.on_call()
+def delete_user_data(req: https_fn.CallableRequest) -> dict:
+    """
+    Callable function to delete a user's data.
+    Called before deleting a user account.
+    """
+    if not req.auth:
+        raise https_fn.HttpsError(
+            code=https_fn.FunctionsErrorCode.UNAUTHENTICATED,
+            message="User must be authenticated"
+        )
+    
+    try:
+        # Delete user profile from Firestore
+        firestore_client: google.cloud.firestore.Client = firestore.client()
+        user_ref = firestore_client.collection('users').document(req.auth.uid)
+        
+        # Delete the user document
+        user_ref.delete()
+        
+        return {"success": True, "message": "User data deleted successfully"}
+        
+    except Exception as e:
+        raise https_fn.HttpsError(
+            code=https_fn.FunctionsErrorCode.INTERNAL,
+            message=f"Error deleting user data: {str(e)}"
+        )
+
+@https_fn.on_request()
+def get_user_profile(req: https_fn.Request) -> https_fn.Response:
+    """
+    Get a user's profile data from Firestore.
+    Requires authentication token in Authorization header.
+    """
+    # Check if request has authorization header
+    if not req.headers.get('Authorization'):
+        return https_fn.Response(
+            json.dumps({'error': 'No authorization token provided'}),
+            status=401,
+            headers={'Content-Type': 'application/json'}
+        )
+    
+    try:
+        # Verify the Firebase ID token
+        id_token = req.headers['Authorization'].split('Bearer ')[1]
+        decoded_token = auth.verify_id_token(id_token)
+        uid = decoded_token['uid']
+        
+        # Get user profile from Firestore
+        firestore_client: google.cloud.firestore.Client = firestore.client()
+        user_doc = firestore_client.collection('users').document(uid).get()
+        
+        if not user_doc.exists:
+            return https_fn.Response(
+                json.dumps({'error': 'User profile not found'}),
+                status=404,
+                headers={'Content-Type': 'application/json'}
+            )
+        
+        # Update last login time
+        user_doc.reference.update({
+            'lastLogin': firestore.SERVER_TIMESTAMP
+        })
+        
+        # Return user profile data
+        return https_fn.Response(
+            json.dumps(user_doc.to_dict(), default=str),
+            headers={'Content-Type': 'application/json'}
+        )
+        
+    except Exception as e:
+        return https_fn.Response(
+            json.dumps({'error': str(e)}),
+            status=400,
+            headers={'Content-Type': 'application/json'}
+        )
+
+@https_fn.on_request()
+def update_user_profile(req: https_fn.Request) -> https_fn.Response:
+    """
+    Update a user's profile data in Firestore.
+    Requires authentication token in Authorization header.
+    """
+    # Check if request has authorization header
+    if not req.headers.get('Authorization'):
+        return https_fn.Response(
+            json.dumps({'error': 'No authorization token provided'}),
+            status=401,
+            headers={'Content-Type': 'application/json'}
+        )
+    
+    try:
+        # Verify the Firebase ID token
+        id_token = req.headers['Authorization'].split('Bearer ')[1]
+        decoded_token = auth.verify_id_token(id_token)
+        uid = decoded_token['uid']
+        
+        # Get update data from request body
+        try:
+            update_data = json.loads(req.data.decode())
+        except json.JSONDecodeError:
+            return https_fn.Response(
+                json.dumps({'error': 'Invalid JSON in request body'}),
+                status=400,
+                headers={'Content-Type': 'application/json'}
+            )
+        
+        # Remove any fields that shouldn't be updated by users
+        protected_fields = ['email', 'createdAt', 'role']
+        for field in protected_fields:
+            update_data.pop(field, None)
+        
+        # Update user profile in Firestore
+        firestore_client: google.cloud.firestore.Client = firestore.client()
+        user_ref = firestore_client.collection('users').document(uid)
+        user_ref.update(update_data)
+        
+        # Get and return updated profile
+        updated_profile = user_ref.get()
+        return https_fn.Response(
+            json.dumps(updated_profile.to_dict(), default=str),
+            headers={'Content-Type': 'application/json'}
+        )
+        
+    except Exception as e:
+        return https_fn.Response(
+            json.dumps({'error': str(e)}),
+            status=400,
+            headers={'Content-Type': 'application/json'}
+        )
diff --git a/functions/main.py b/functions/main.py
@@ -1,62 +1,19 @@
-from firebase_functions import https_fn, firestore_fn
-from firebase_admin import initialize_app, firestore
-import google.cloud.firestore
+from firebase_functions import https_fn
+from firebase_admin import initialize_app
+from auth import (
+    create_user_profile,
+    delete_user_data,
+    get_user_profile,
+    update_user_profile
+)
 
+# Initialize Firebase app
 initialize_app()
 
-@https_fn.on_request()
-def store_numbers(req: https_fn.Request) -> https_fn.Response:
-    """Store two numbers in Firestore"""
-    # Get the numbers from query parameters
-    num1 = req.args.get("num1")
-    num2 = req.args.get("num2")
-    
-    # Validate input
-    if not num1 or not num2:
-        return https_fn.Response("Please provide both num1 and num2 as query parameters", status=400)
-    
-    try:
-        num1 = float(num1)
-        num2 = float(num2)
-    except ValueError:
-        return https_fn.Response("Numbers must be valid numeric values", status=400)
-    
-    # Store in Firestore
-    firestore_client: google.cloud.firestore.Client = firestore.client()
-    _, doc_ref = firestore_client.collection("number_pairs").add({
-        "num1": num1,
-        "num2": num2,
-        "timestamp": firestore.SERVER_TIMESTAMP
-    })
-    
-    return https_fn.Response(f"Numbers stored with ID: {doc_ref.id}")
-
-@https_fn.on_request()
-def add_latest(req: https_fn.Request) -> https_fn.Response:
-    """Add the most recently stored number pair"""
-    firestore_client: google.cloud.firestore.Client = firestore.client()
-    
-    # Get the most recent number pair
-    docs = firestore_client.collection("number_pairs")\
-        .order_by("timestamp", direction=firestore.Query.DESCENDING)\
-        .limit(1)\
-        .get()
-    
-    # Check if we have any documents
-    if not docs:
-        return https_fn.Response("No numbers found in database", status=404)
-    
-    # Get the first (most recent) document
-    doc = docs[0]
-    num1 = doc.get("num1")
-    num2 = doc.get("num2")
-    
-    # Calculate sum
-    sum_result = num1 + num2
-    
-    # Store the result
-    doc.reference.update({
-        "sum": sum_result
-    })
-    
-    return https_fn.Response(f"Sum of {num1} and {num2} is {sum_result}")
+# Re-export authentication functions
+__all__ = [
+    'create_user_profile',
+    'delete_user_data',
+    'get_user_profile',
+    'update_user_profile'
+]
