Issue
I’ve come across this library that I am using on my Node.js web server as a NoSQL database, as an alternative to MongoDB.
I’ve seen this quote:
Applications that use Google’s Server SDKs should not be used in end-user environments, such as on phones or on publicly hosted websites. If you are developing a Web or Node.js application that accesses Cloud Firestore on behalf of end users, use the firebase Client SDK.
Does this mean I shouldn’t use it on my Node.js Express server app to access the database, or does it only apply to served content such as web browser scripts?
Solution
If the code that uses the Admin SDK runs on the server, then that in itself doesn’t introduce a risk of leaking the credentials to an untrusted environment. It of course still depends on what your code does, but there’s not much we can say about that based on what you shared.
That still leaves the concern of what the code actually does. The Admin SDKs access Firebase with administrative privileges and are not affected by any security rules you may have set on your database. So while client-side SDKs can only access data that the security rules allow, Admin SDKs can access all data, no matter the security rules.
So if you load data through the Admin SDK that you present to the user, it is up to your code to ensure you only share data that the user is authorized for.
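The point of the answer above in working code, as an added example that is not part of the original question or answer and not Firebase's own code: a request handler that loads documents with administrative privileges and then re-applies, in application code, the ownership check that a Firestore security rule would have enforced for a client SDK. The rule being mirrored (`allow read: if request.auth.uid == resource.data.ownerId`), the `orders` collection, the `ownerId` field and the sample documents are all assumed for illustration. The token verifier and the query are injected so the block runs offline; the comments name the real `firebase-admin` calls they stand in for.

```javascript
// Added example, not from the original post. Assumed Firestore rule being mirrored:
//   match /orders/{id} {
//     allow read: if request.auth != null && request.auth.uid == resource.data.ownerId;
//   }
// With the Admin SDK that rule is never consulted, so the server must enforce it itself.

// Authorization predicate. The explicit null check matters: a missing ownerId field and an
// unauthenticated request would otherwise compare undefined === undefined and allow the read.
function canRead(uid, doc) {
  return uid != null && doc.ownerId === uid;
}

// Drop anything the caller is not allowed to see before it leaves the server.
function filterForUser(uid, docs) {
  return docs.filter((d) => canRead(uid, d));
}

// Express-style handler, kept framework-free so it is testable. `deps` carries the two
// privileged operations; in a real server they would be
//   verifyIdToken: (t) => admin.auth().verifyIdToken(t)
//   fetchOrdersFor: (uid) => admin.firestore().collection("orders").where("ownerId", "==", uid).get()
// Narrowing the query by uid is the primary control; filterForUser is the last line of defence
// in case a query is ever written too broadly.
async function handleListOrders(req, deps) {
  const header = req.headers.authorization || "";
  const m = /^Bearer (.+)$/.exec(header);
  if (!m) return { status: 401, body: { error: "missing bearer token" } };

  let decoded;
  try {
    decoded = await deps.verifyIdToken(m[1]); // throws on bad signature / expiry
  } catch (e) {
    return { status: 401, body: { error: "invalid token" } };
  }

  const docs = await deps.fetchOrdersFor(decoded.uid); // runs with admin privileges
  return { status: 200, body: { orders: filterForUser(decoded.uid, docs) } };
}

// Constructed sample data and stubs so the example runs without a Firebase project.
const SAMPLE_ORDERS = [
  { id: "o1", ownerId: "alice", total: 10 },
  { id: "o2", ownerId: "bob", total: 25 },
  { id: "o3", ownerId: "alice", total: 7 },
  { id: "o4", total: 99 }, // malformed document with no owner: nobody may read it
];

const stubDeps = {
  verifyIdToken: async (token) => {
    const uid = { "tok-alice": "alice", "tok-bob": "bob" }[token];
    if (!uid) throw new Error("bad token");
    return { uid };
  },
  // Deliberately over-broad stub query (returns everything), to show the filter catching it.
  fetchOrdersFor: async () => SAMPLE_ORDERS,
};

async function demo() {
  const alice = await handleListOrders({ headers: { authorization: "Bearer tok-alice" } }, stubDeps);
  const forged = await handleListOrders({ headers: { authorization: "Bearer tok-nobody" } }, stubDeps);
  const anon = await handleListOrders({ headers: {} }, stubDeps);
  return { alice, forged, anon };
}

// Wiring into Express would be:
//   app.get("/orders", async (req, res) => {
//     const r = await handleListOrders(req, realDeps);
//     res.status(r.status).json(r.body);
//   });
```

The Admin SDK credential never leaves the server here; what the client holds is only its own Firebase ID token, which the handler verifies before any privileged read happens. Filtering after the query is cheap insurance, but the query itself should already be scoped to the caller so that an over-broad read is never issued in the first place.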