Hiranya is a tech lead on the Firebase team. He oversees the development of Firebase Admin SDKs that enable server-side and backend integrations of Firebase. Prior to joining Google, Hiranya worked as a software engineer at WSO2, where he developed open source enterprise integration and API management technologies. He is a committer and a project management committee member for several Apache projects including Apache Synapse and Axis2. Hiranya earned a bachelor’s degree in engineering from University of Mo…
Jen is a developer advocate for Firebase at Google. She is a training expert, loves building iOS apps, and recently has been teaching developers how to integrate Cloud Functions into their Firebase apps. Jen graduated Magna Cum Laude with a Bachelor's Degree in Mathematics from Central Connecticut State University.
About the talk
Firebase is best known for its wealth of client-side solutions. But did you know that Firebase also has a server-side SDK? This session will cover how you can use the Admin SDK to access Firebase from within your existing server/serverless infrastructure or from within Cloud Functions.
Everybody, thanks so much for coming to our talk about integrating Firebase into your existing back-end services. I know that this is kind of dinner time right now, so we know you're the die-hard Firebase fans, and we're really glad to have you. I'm Jen Person. I'm a developer advocate for Firebase. So to talk about integrating Firebase into your existing back-end infrastructure, we are going to be examining a made-up company called Fireflex, and we are currently collaborating with the team at Fireflex, which is an up-and-coming movie streaming service.
The Fireflex team is on a mission: they want to develop an app that enables their users to browse their growing collection of streaming movies. That way, when you're on the go, on your phone or on your computer, you can check out everything that they have to offer, save movies you want to check out later, write reviews of movies you've already seen, and maybe even get some recommendations. Right now they're off to a really great start. They have a few key core features in their app, but don't take my word for it. Go ahead and check it out yourself. So I have a short
link as well as a long one. I won't be ashamed, you know, I won't be embarrassed if you take out your phone or your computer right now and check it out. I will say that there will be something that'll pop up asking if you want to get notifications. If you choose to do that, we promise we won't spam you; we're just going to send you a couple that you'll see as part of our talk. So I'll give everyone just another second to get to the link. This is your opportunity to be on your computer during the talk, and it's perfectly okay. So let's check out what it looks like for
everybody. If we go over to the demo machine, everyone can see it even if they don't pull it up on their device, and you'll see it looks something like this. We have this extended list of movies. You can load more, then you can add one to your library. Let's say you want to keep track of everything you've seen, or maybe keep track of something that you want to see in the future. You can also add a review for a movie. Give that one four stars: you can give it a rating and then you can give it a review. The text will be just for you, so you can remember what you thought of it. But the
rating will actually be factored into the overall rating that people made for the movie. I put in my review. You can filter by genre if you're really interested in the specifics of a genre, check out your saved movies and your reviews, and there's a tab called My Recommended, which we'll get into later, and feel free to keep playing with that. I especially recommend that you start making some ratings: rate some movies that you really love, and also rate something that you are not a fan of. The more ratings you do, the more interesting one of our later demos
will be. So again, it's okay to play with your phone during our talk. This is the time. Let's switch back to the slides. While everyone's playing: we have some great features, but we want to make the app even more sophisticated and engaging. We want to be able to add a moderator role so that some members of the Fireflex team are able to add new movies as they're added to their growing collection. We wouldn't want just anybody to be able to add them, right? So it has to be designated admin users. We want to be able to implement secure back-end services for managing
all sorts of different app resources. And we want to leverage the company's existing search infrastructure to index app data and enable full-text search. That way people can quickly look for the movies they want. You wouldn't want to just have to scroll through, I think, 10,000 movies. You want to be able to search for the one you're looking for. We want to make movie recommendations to really pull users in and give them something that fits their specific interests, and keep users engaged by sending them notifications. And these are the examples that we're going to be examining today using the
Admin SDK. So we're faced with a challenge that many app developers are familiar with: successful apps do not exist in isolated silos. They look a lot more like this. They often collaborate and share data with various back-end systems, cloud services, machine learning models, administrative tools and legacy systems. So rather than just a little app in the middle, there's a lot more going on. Fortunately, Firebase has got you covered, and to tell you more about it, I'm going to pass over to Hiranya.
… need to access Firebase services and Firebase app data from their own back-end systems. This is especially true in the case of enterprise app developers, who typically have various in-house systems that should become part of their mobile and web ecosystems, but it could also apply to small-time app developers who may require some form of back-end integration as their apps grow and evolve over time. This is where the Admin SDKs come into the picture. Admin SDKs enable you to develop
back-end software that interacts with Firebase, and you can deploy it in an environment or on a server that you own or manage, like a server sitting in your company data center. Or if you're running some services on a cloud platform like Google App Engine or Google Compute Engine, you can use Admin SDKs to integrate those services with Firebase as well. Since serverless architecture is now going mainstream, you can use Admin SDKs to implement various serverless event triggers and deploy them in an environment like Google Cloud Functions. To make a long story short, Admin
SDKs are available in four server-side programming languages, and you can deploy them in any environment that you control as the app developer and that supports one of these languages. Now, let's move past the intro and really dig into some serious Admin SDK use cases, starting with the custom permissions model that Fireflex is trying to implement. Fireflex wants to define two classes of users: moderators and regular users. Moderators will have the authorization to perform certain privileged operations in the app, like adding new
movies to the database. Typically, when a user signs into a Firebase app, Firebase Auth issues that user something called an ID token. This ID token is then sent along with all the service requests made by the app. Firebase back-end services authorize incoming requests if they are accompanied by a valid ID token. The ID token itself is a short-lived JSON Web Token, or JWT, with some metadata about the user encoded into it. These are signed by Firebase Auth, so they cannot be spoofed. So one
simple way to implement roles in a Firebase app is by instructing Firebase Auth to add the role information to the same ID token issued at sign-in. For example, since there are only two roles in the Fireflex app, we can tell Firebase Auth to add a special moderator claim to the ID tokens issued to Fireflex moderators. In the back-end service, we can check if the claim is present on the JWT to see if it came from an actual moderator. Now the question is, how do we tell Firebase Auth to add additional claims to the ID tokens issued at user login
straightforward? Let's go to the demo machine and look at an example. This is code for a Go web service that we have implemented to grant the moderator role to selected users. We start by calling the firebase.NewApp function, which initializes the SDK. This function takes a context and an optional set of Firebase settings, like the authorization credentials and project ID. Not specifying any of those settings, we simply pass nil and let the SDK automatically discover all the required
settings from the environment. Then we obtain an Auth client and a Firestore client, which we will use later. We store these client instances inside a struct called admin client that we have defined in our code. Now we can go ahead and implement the function to grant the moderator role to a selected user. The grant moderator role function takes the email address of the target user as the input and passes it to the GetUserByEmail function of the SDK. This function returns a record of all the metadata that Firebase Auth currently knows about the target
user. We can inspect the user account to see if it already contains the moderator claim. If so, then there's nothing else to do, so we can return early. Otherwise we use the SetCustomUserClaims function provided by the Admin SDK. This function takes the unique user ID of the target user, which we can also get from the same user account that we retrieved earlier, and a map of claims to be added to that user account. Once this function has been invoked on a user, the next time that user logs into Firebase, Firebase Auth will automatically issue an ID token
containing those custom claims. Now, another thing to note is that in this example we are using the Go programming language to connect all the claims and user IDs together, but it doesn't necessarily have to be that way. If you have your own external user store, like an LDAP server or an Active Directory server, you can actually query that server from this code and use the results to decide how to set claims on different accounts. Let's go back to the slides. Having implemented the grant moderator role functionality, suppose we
decided to expose it as an HTTP service so that client applications can call it remotely and manage permissions. But in that case we want to make sure that only authorized users are able to call it. We certainly don't want anybody to be able to just call into that service and potentially gain moderator privileges. That would be bad. Let's say, for the sake of argument, that only an existing Fireflex moderator should be able to grant another user moderator privileges. The same can be true for other critical back-end functionality like adding movies: only moderators should be able to do it. So,
how do we go about implementing a back-end service that requires authorization from the caller? To meet this requirement, we need to guard all the critical back-end functionality in our web service with a permission check. Let's go back to… So we implement a new function called check auth. This function takes the ID token of a Firebase user as the input. This implies that whoever calls this service will have to send the ID token along with the request. Once we have received an ID token, we can pass it to the VerifyIDToken function of the Admin SDK. This function
performs a series of checks. It checks whether the ID token is a well-formed JWT, that it is not expired, and that it is correctly signed by Firebase Auth. If any of these checks fail, then you get an error, which we can return back to the user. Otherwise, you'll get a decoded representation of the ID token, and we inspect this representation to see if it contains the moderator claim. If not… We signal success by returning nil. Once you have this check auth function, it's just a matter of wiring your web service so that all incoming requests first go
to the check auth function before hitting any of the other critical back-end functionality, like the add movie function or the grant moderator role function that we looked at earlier. Now, we already have this web service up and running in the cloud as a Google App Engine service. Let's go to the demo machine, send it a request, and see how this permission check works out in practice. I'm using this Chrome extension called Advanced REST Client to send requests, and this is to the
function that we looked at earlier. This endpoint accepts a small JSON payload containing the email address of the target user… First, let's just send a request without any HTTP header and see what happens. So you can see we get a 401 Unauthorized error response, and the error detail indicating ID token not specified. If we go back to our code, you can see ID token unspecified is the error returned by our check auth function when there's no ID token available on the request. Let's also send it some random value and see what happens. So X
Firebase ID token is the custom HTTP header that our back-end service expects, and I'm going to put in a random JWT value. In this case we still get a 401 Unauthorized response, but it's a different error detail this time. This time it says failed to verify token signature, which is from the VerifyIDToken function. So you can see how the check auth function and the Admin SDK prevent different types of unauthorized access attempts to our back-end service. To call it as a valid moderator with the correct permissions
account with a moderator. As a result, if I log in to my app, I'm shown an additional moderator tab that you probably don't see on your screen. And in the other window you can see Jen's account; you can see that she doesn't have moderator privileges at the moment either. The controls in this tab allow me to call the same back-end service endpoint we've been trying, and these controls will take care of sending my ID token along with the request. The user experience you
see here is implemented by parsing the ID token in the client app and checking the result to see if it contains the moderator claim. It's a client-side check, so it's possible to get around it. But that's okay because, as you saw earlier, our server-side implementation has its own and much more robust permission checks. So I'm going to use the moderator form to give Jen moderator privileges in the system. I enter her email, and this time I get a successful response, and hopefully Jen can log back in and show off. My newfound privileges! I promise not to get drunk on power
and add too many movies. But if you see some silly movies later on, it was probably me. So now you can see that the moderator tab shows up for me as well, and I have the ability to add new movies as well as additional moderators. Let's talk a little bit about what these custom claims can do for you. We've looked at two examples of where you can use these custom claims: in your server environment, where we had the check auth function, and also on the client, where we had sort of a silly check that hides something from
developers. Of course, again, if you're a developer you can probably expose that tab, but you won't be able to make any sort of request with it because you are not authorized to do so. The other place, which we did not examine, where you can use these custom claims is within the Firebase server. So if you are using Cloud Firestore or the Realtime Database or Cloud Storage, you can use custom claims in the rules that you set up in your database to manage what people can read and write. This very simple example that we have here is how you can set up your Firestore rules. If I have a movies collection, I
can allow anyone who is authenticated to read. Because we have anonymous auth set up, that would be anyone who has accessed the app. But in terms of writing, we can set it up so that if the auth token has the moderator claim set to true, then they are able to write. Otherwise, it will return an error saying that you do not have permission. Let's take a look at another example of integrating Firebase into your existing services. Currently Fireflex has an Elasticsearch cluster that they're using. They use it to power a number of their search applications that they have, and they want to use the same
infrastructure to index Firebase app data and to support new keyword search, so you can look for movies by genre or by title. In this use case, you already have some things in place, and it may be a little difficult to sell folks on starting something new. You can in fact incorporate Firebase into this. So currently the app needs to update Elasticsearch's indexes just when movies are added, but in order to prepare for future changes… tracking all of these can be very difficult. If only there were a way to trigger some back-end code in
response to Firestore update events. Of course, there is: Cloud Functions for Firebase, which I'm a huge fan of. You can deploy some Node.js code to automatically trigger when certain events occur in your Firebase project. These could be something auth-related, like adding a new user. These could be writes to the Realtime Database or Cloud Firestore. There are a lot of different options, but the ones we're going to examine today are going to be based around Cloud Firestore, because that's what we're using in our app.
So the first example we're going to look at is updating those indexes. What we want to do is, whenever a new movie is added by one of us to Cloud Firestore, we want to trigger the indexes to update. So we have a proxy that talks to Elasticsearch using its internal IP address, because they are both on the same private network; in this case we're talking about App Engine. The proxy is exposed using custom HTTP auth. Now, this is just one way that you can do it. There are certainly other options, but we'll show you what this looks like. So let's dive into that Firestore trigger on
our computer. So you'll see here that we import the Admin SDK as well as functions, and when we initialize the app we can do so by calling just admin.initializeApp(), just like we did with our Go code. Normally we may need to pass in some credentials, but because we are in a Google-managed environment, we can just call initializeApp and Google does all the work for us, which I just love. Let's take a look at our update search index function. This is a format that you'll see for most Cloud Functions. We have functions.
Some feature, in this case firestore, and then the specific document on which we want it to trigger. So we have a collection of movies, and inside that are a series of documents, each with a unique ID. The brackets indicate a wildcard: whatever that movie ID is, we want this to trigger. This triggers onWrite, and onWrite means that any time something is changed or written to that location, this is going to fire. When you first write, when you make a change, or when you delete, then this code is going to run. Our parameters are change and context, and we have a couple of examples of how you use each of
these. For instance, if we want to get the data after a change occurred, we do that using change.after.data(), and that'll pull all the information inside of the document, in this case all the details about the movie: its title, its genres, etc. We also have previous, which, if there's any previous data, say it's not the first time we write to that location, we can get the data that way. Otherwise, we're just going to have an empty object. We do a couple of quick checks before we go update our indexes, because there are some situations where we won't need to do that. So for instance, if the type of
data is undefined, as in the movie was just deleted, we're going to return a promise that is resolved with null, and we return that as a means to clean up the function. It doesn't need to do any more work. Otherwise, we check if the title or the genres were changed. If they weren't changed, we don't need to update the indexes, because currently that is what we are indexing. If it passes those checks, then we have our secure proxy service. This is our endpoint. And we have some options. This is where that context parameter comes into play, to access that movie ID. So we want to get
that unique key. This is how you can access it from within the function. And we get the title and the genres. Then we have this really sophisticated-looking authorization header that says functions.config().fireflex.token. It sounds like something maybe sophisticated from within Firebase, but it is just an environment variable that you can set up from the command-line interface. So when you deploy your functions and all of this code is available, there may be some information that you don't want to deploy with it. Like if you have some sort of password, or in this case some
key that we want to hide, you can hide it inside of your environment variable, setting it up in the command-line interface. You can call it whatever you want. We called it fireflex.token; you can call it banana, and you can give it whatever value you want and then access it from within functions.config(). What the token is doesn't really matter. We just made it something arbitrary that the server-side code knows to check for. Finally, we make a POST request and we update that index. If there's an error we catch it, and then we always end by returning, to clean up the function and
tear it down. We go back to the slides. On the client side, when a search is made, it also goes through this Elasticsearch proxy, and then the results are streamed back to the client. So either way we're keeping that information secure and not accessible to the client. We can also use Cloud Functions to automate other tasks. I have so many ideas about what we can do, but we'll just look at a couple. So for instance, we can notify users about new movie additions to try to
engage them with what we're adding to our collection, and we can use Cloud Functions to automatically keep movie statistics up to date as ratings trickle in. This is a very common use case, where you might have some number that you need to keep track of, a total or an average. Cloud Functions are great for that because they can trigger and run automatically any time something else is written to the database. So let's go back to the demo machine to look at those examples. Switch to the demo.
So we have the send new release function, which looks very similar in format. Again, it's functions.firestore.document. It's going to be triggered any time a movie of any ID is added to that movies collection. But in this case, we're looking at an onCreate trigger, which means it's only going to run the first time something is written to that location. We don't need to notify people if we change something in the spelling of the title or a different genre. We just want it to run the first time and notify users of our new movies. The parameters are slightly different as a result. We don't
have change, we have snapshot, because there is no change that occurred; there's just the original write. But again, we use .data() to access what was inside of the write. We use the Admin SDK to access Firebase Cloud Messaging, and Firebase Cloud Messaging enables you to send data messages and notifications to iOS, Android and web. So this way we can send our messages to our users no matter what platform they're on. We have just a simple topic and notification. We get the title of the movie from that snapshot data, and then we use the Admin SDK to send that
message. Then we just log that we sent it. We finally have one more example we're going to look at, which is updating those ratings. This time, instead of the movies collection, we're looking at the ratings collection, and inside of that we have a movie ID. Under the movie ID we have just a whole bunch of user IDs of anyone who has written a rating of that movie, and then the value is the rating that they gave that movie. So boom, whenever a new rating occurs, we want this to run, so again we have an onWrite trigger. It's going to get the change after.
We get all of the keys so we can basically count up how many reviews there were, so we can get an average. Then we compute the average rating and use the Admin SDK to write it back to the database. Notice we use doc.set to set those key-value pairs, but we also use merge: true. That means instead of replacing the entire document, we're just merging, adding these keys rather than replacing everything else that's there. We don't want to replace the ratings that are already there. So that's a lot of code to look at;
it'd be kind of cool to look at an example. Let's add a new movie. I think it's going to be a best-seller: Incorporating Firebase into Existing Back-end Infrastructure. I'd say this is an action, corporate, comedy, drama. I submit my movie and it says it was successfully added. So now I should be able to search for it. Notice the function was triggered to index my movie, so I'm immediately able to search for it, and I can add a review of it. I know it's under your account; I hope you don't mind. I think it's five stars, would watch
again. Review submitted, and then if I take a look, my average has been updated. And if you give it a rating as well, you'll see that the average will be updated. You might not see it on other movies because we have so many ratings for other movies that are in there. But again, just a reminder to put up some ratings, because you're going to really want them for this next part. Let's head back to the slides. Fireflex would also like to unleash some of the machine learning tools developed by the data science team on the ratings collected by the app, specifically to
make movie recommendations. This model needs to be trained periodically, and Fireflex would like to do so using their own servers. The movie recommendations that result from this computation should be fed back to the app so that users can see the results on screen. The TensorFlow code is written in Python, so in this case we can use the Python Admin SDK to directly interface Firebase with the machine learning code. We can use the Firestore API available in the Admin SDK to query the app database. The movie ratings obtained in this manner can be directly passed
to TensorFlow or any other Python number-crunching tool that you want to use. The same way, the results of the machine learning tools can be written back to Cloud Firestore directly, notifying the Fireflex client apps through FCM if the machine learning tools uncovered something noteworthy that the users should be notified about. Now, this is going to take a minute to run, so let's go to the demo machine and get that going first, and then do a quick code walk-through.
Yeah, we're doing a lot of live demos; we're very brave. Hopefully it will be running in the background, and let's go to the code. The Python code is organized into three high-level steps. In step one, we initialize the Admin SDK as usual and then query the app database for all the information we need. As you can see, again we're not passing any arguments to the initialize_app call. If executed in an environment like Google Compute Engine, this will pick up Application Default Credentials and automatically connect to the Firebase resources associated with
your GCP project. As you can see, you can get this kind of parameterless initialization to work on your own machines too. Currently this is running on my machine, and you do that by installing a service account to the environment. To query the app database, we import the firestore module from firebase_admin. If we go to the very top, yes, we import the firestore module from firebase_admin, and then use it to get hold of a Firestore client instance, and then we can use it to retrieve all
the ratings accumulated in the ratings collection: a hundred thousand ratings in the demo data set, plus whatever ratings you were nice enough to give during this session. So this query can take around four to five seconds depending on the network. In addition to the ratings collection, we also query the users collection, where we have stored user FCM registration tokens. We will use those tokens later to send notifications. Next, in step two, we run this data through the TensorFlow model and make movie recommendations. Now, I'm not going to go into the details of that, but if anybody's curious, just
come find me after the talk, or tomorrow at the office hours or the sandbox, and I'll be happy to walk you through how we did that, the singular value decomposition model, for you. Finally, in step three, we write the movie recommendations made by TensorFlow back to the app database. Now, this can potentially result in a large number of small Firestore writes. So to make it a little more efficient on the wire, we split our recommendations into chunks and then use the batch write support available in the Firestore API to write 500 recommendations at a time.
Having written all the recommendations to the database, we also use the FCM messaging support available in the Admin SDK to send notifications targeting individual users. Now, hopefully the script has run to its completion by now. Let's see how that went. Yep, and that means we have some recommendations to look at. Let's go to the dual-screen setup. Let's see both of our screens so we can check it out. "We have found some new movies you might like": that's the Python code notifying my app
instance. It just takes a minute. Let's see if there's anything that I would actually want to see here. It looks like I'm getting a lot of sci-fi, action-type movies, and I actually do watch a lot of sci-fi and action-packed movies, so it got that pretty accurate. Hopefully you got some sensible recommendations too. It uses not just the high ratings but the low ratings as well. Let's go back to the slides. We've made a lot of progress at this point, so it's a good time to take a step back and
look at what we managed to deliver. We started with a fairly straightforward app that supports user authentication and some database interactions. We overlaid a custom permission model on this app using Firebase Auth. We used the Go Admin SDK to set custom claims on selected user accounts, which we can validate using the Admin SDK itself or security rules, to implement a back-end service that only Fireflex moderators can access. Moderators are able to use the service to add new movies to the database. Then we
used Cloud Functions for Firebase to integrate the in-house search platform at Fireflex with the app database to support full-text search within the app. We used a Cloud Function for Firebase which tracks the updates that go to the app database and then indexes them in the private Elasticsearch server. We exposed the Elasticsearch server to the function as well as the client apps through a proxy service that we deployed in App Engine. We also used the Node.js Admin SDK to keep the movie statistics up to date and send notifications about new movies. And
finally, we used the Python Admin SDK to harvest all the ratings collected in the app, run them through a TensorFlow model, and feed the resulting recommendations back through Cloud Firestore and Cloud Messaging. So this is what the final enhanced Fireflex app architecture looks like. You can see it's no longer a simple, straightforward app, but it has become a fairly sophisticated system where several in-house services and several Firebase services work side by side. And chances are, enterprise developers, your architecture already kind of looks like this. And for small
time app developers, don't feel left out: over time, yours might begin to look a little bit like this. And as far as the Admin SDK capabilities go, we just scratched the surface today. There are a lot of other examples of ways that you can integrate the Admin SDK into your app. So here are some good examples that we did not touch on today. GDPR is a big topic right now. You need to be able to delete your users' data, and the Admin SDK gives you the opportunity to delete instance IDs and other private data from your users when needed. You're also able to use it to access Google Cloud Storage, the
Firebase Realtime Database. You can manage your FCM topic subscriptions, so you can add people to specific topics that they want to get notifications about, and remove them, etc. You can also use it for custom auth. So again, if you have some sort of system that is required to be used at your company, you can still integrate Firebase using that custom authentication in the Admin SDK. You could also use it for bulk user import and export when you need to make those big changes. If you have a traditional web app that's using web session management with cookies, you can do that. Yeah,
there's so much more, more than we can even fit on the slide. Yeah, and also, incidentally, Admin SDKs are one area where we'd like to welcome your input and help as well. Firebase Admin SDKs are developed in the open, so feel free to file bug reports, suggest new features, and just point out areas of improvement in general. And also, if you have the time, please keep those pull requests coming in as well. We love working with our community and are always looking to get more developers involved in the process. All right, then.
… movies. You can also rate our session on the Google I/O schedule. And also you can reach out to us and tell us what you think. We will be in the Firebase area of the tents tomorrow morning, probably all morning, a good chunk of the day. And then you can contact Hiranya, you can see his handle here, and you can find me on Twitter at @ThatJenPerson. Thanks so much for coming. It was great to have you. Thank you.