feat(admin): make options optional

Author: posva

packages/nuxt/playground/nuxt.config.ts

@@ -47,7 +47,7 @@ export default defineNuxtConfig({
         },
 
         admin: {
-          config: {},
+          // config: {},
           serviceAccount: resolve(
             fileURLToPath(new URL('./service-account.json', import.meta.url))
           ),

packages/nuxt/src/module.ts

@@ -37,16 +37,18 @@ export interface VueFireNuxtModuleOptions {
    * Firebase Admin Options.
    */
   admin?: {
+    // TODO: rename to options
     /**
      * Firebase Admin Options passed to `firebase-admin`'s `initializeApp()`. Required if you are using the auth, or the
      * app-check module.
      */
-    config: Omit<AppOptions, 'credential'>
+    config?: Omit<AppOptions, 'credential'>
 
+    // TODO: remove, use env variables instead
     /**
      * Firebase Admin Service Account passed to `firebase-admin`'s `initializeApp()`. Required if you are adding an adminConfig.
      */
-    serviceAccount: string | ServiceAccount
+    serviceAccount?: string | ServiceAccount
   }
 
   /**
@@ -104,18 +106,6 @@ const VueFire: NuxtModule<VueFireNuxtModuleOptions> =
       nuxt.options.build.transpile.push('vuefire')
       nuxt.options.build.transpile.push('vuefire/server')
 
-      if (nuxt.options.ssr && options.admin) {
-        // check the provided config is valid
-        if (options.auth || options.appCheck) {
-          if (!options.admin.config || !options.admin.serviceAccount) {
-            throw new Error(
-              '[VueFire]: Missing firebase "admin" config. Provide an "admin" option to the VueFire module options. This is necessary to use the auth or app-check module.'
-            )
-          }
-          nuxt.options.appConfig.firebaseAdmin = markRaw(options.admin)
-        }
-      }
-
       if (nuxt.options.ssr) {
         addServerHandler({
           route: '/api/_vuefire/auth',
@@ -168,12 +158,25 @@ const VueFire: NuxtModule<VueFireNuxtModuleOptions> =
       addPlugin(resolve(runtimeDir, 'app/plugin.server'))
 
       // we start the admin app first so we can have access to the user uid everywhere
-      if (options.admin) {
+      // TODO: if options.admin
+      if (options.admin || nuxt.options.ssr) {
         if (!nuxt.options.ssr) {
           console.warn(
             '[VueFire]: The "admin" option is only used during SSR. You should reenable ssr to use it.'
           )
         }
+        // TODO: check env variables are present
+
+        // This one is set by servers, we set the GOOGLE_APPLICATION_CREDENTIALS env variable instead that has a lower priority and can be both a path or a JSON string
+        // process.env.FIREBASE_CONFIG ||= JSON.stringify(options.config)
+        if (typeof options.admin?.serviceAccount === 'string') {
+          process.env.GOOGLE_APPLICATION_CREDENTIALS ||=
+            options.admin.serviceAccount
+        }
+        // TODO: remove this runtime config if it's not needed as it could include sensitive data
+        if (options.admin) {
+          nuxt.options.appConfig.firebaseAdmin = markRaw(options.admin)
+        }
         // this plugin adds the user so it's accessible directly in the app as well
         if (options.auth) {
           addPlugin(resolve(runtimeDir, 'admin/plugin-auth-user.server'))
@@ -268,10 +271,7 @@ declare module '@nuxt/schema' {
      * Firebase Admin options passed to VueFire module. Only available on the server.
      * @internal
      */
-    firebaseAdmin?: {
-      config: Omit<AppOptions, 'credential'>
-      serviceAccount: string | ServiceAccount
-    }
+    firebaseAdmin?: VueFireNuxtModuleOptions['admin']
   }
 }
 

packages/nuxt/src/runtime/admin/plugin-auth-user.server.ts

@@ -1,5 +1,4 @@
 import type { App as AdminApp } from 'firebase-admin/app'
-import type { User } from 'firebase/auth'
 import { getAuth as getAdminAuth, UserRecord } from 'firebase-admin/auth'
 import { createServerUser } from 'vuefire/server'
 import { getCookie } from 'h3'
@@ -9,7 +8,7 @@ import { AUTH_COOKIE_NAME } from '../auth/api.session'
 import { defineNuxtPlugin, useRequestEvent } from '#app'
 
 /**
- * Check if there is a cookie and if it is valid, extracts the user from it.
+ * Check if there is a cookie and if it is valid, extracts the user from it. This only requires the admin app.
  */
 export default defineNuxtPlugin(async (nuxtApp) => {
   const event = useRequestEvent()
@@ -31,7 +30,7 @@ export default defineNuxtPlugin(async (nuxtApp) => {
         // the error is fine, the user is not logged in
       } else {
         // ignore the error and consider the user as not logged in
-        console.error(err)
+        console.error('[VueFire]:', err)
       }
     }
   }

packages/nuxt/src/runtime/admin/plugin.server.ts

@@ -3,7 +3,9 @@ import {
   cert,
   getApp,
   getApps,
-  ServiceAccount,
+  applicationDefault,
+  // renamed because there seems to be a global Credential type in vscode
+  Credential as FirebaseAdminCredential,
 } from 'firebase-admin/app'
 import { defineNuxtPlugin, useAppConfig } from '#app'
 
@@ -19,32 +21,50 @@ export default defineNuxtPlugin((nuxtApp) => {
 
   // only initialize the admin sdk once
   if (!getApps().length) {
-    const { FIREBASE_PROJECT_ID, FIREBASE_CLIENT_EMAIL, FIREBASE_PRIVATE_KEY } =
-      process.env
-    // we need either a serviceAccount or the env variables
-    let serviceAccountOrProject: string | ServiceAccount
+    const {
+      // these can be set by the user on other platforms
+      FIREBASE_PROJECT_ID,
+      FIREBASE_CLIENT_EMAIL,
+      FIREBASE_PRIVATE_KEY,
+      // set on firebase cloud functions
+      FIREBASE_CONFIG,
+    } = process.env
 
-    if (FIREBASE_CLIENT_EMAIL && FIREBASE_PRIVATE_KEY && FIREBASE_PROJECT_ID) {
+    if (FIREBASE_CONFIG) {
+      console.log('[VueFire]: using FIREBASE_CONFIG env variable')
+      initializeApp()
+    } else {
+      let credential: FirebaseAdminCredential
       // This version should work in Firebase Functions and other providers while applicationDefault() only works on
-      serviceAccountOrProject = {
-        projectId: FIREBASE_PROJECT_ID,
-        clientEmail: FIREBASE_CLIENT_EMAIL,
-        // replace `\` and `n` character pairs w/ single `\n` character
-        privateKey: FIREBASE_PRIVATE_KEY.replace(/\\n/g, '\n'),
+      if (FIREBASE_PRIVATE_KEY) {
+        console.log('[VueFire]: using FIREBASE_PRIVATE_KEY env variable')
+        credential = cert({
+          projectId: FIREBASE_PROJECT_ID,
+          clientEmail: FIREBASE_CLIENT_EMAIL,
+          // replace `\` and `n` character pairs w/ single `\n` character
+          privateKey: FIREBASE_PRIVATE_KEY.replace(/\\n/g, '\n'),
+        })
+      } else if (process.env.GOOGLE_APPLICATION_CREDENTIALS) {
+        console.log(
+          '[VueFire]: using GOOGLE_APPLICATION_CREDENTIALS env variable'
+        )
+        // automatically picks up the service account file path from the env variable
+        credential = applicationDefault()
+      } else {
+        // TODO: add link to docs
+        console.warn(`\
+[VueFire]: You must provide an "admin.serviceAccount" path to your json so it's picked up during development. See https://firebase.google.com/docs/admin/setup#initialize-sdk for more information. Note that you can also set the GOOGLE_APPLICATION_CREDENTIALS env variable to a full resolved path or a JSON string.
+You can also set the FIREBASE_CLIENT_EMAIL, FIREBASE_PRIVATE_KEY and FIREBASE_PROJECT_ID env variables in production if you are deploying to something else than Firebase Cloud Functions.
+`)
+        throw new Error('admin-app/missing-credentials')
       }
-    } else if (firebaseAdmin.serviceAccount) {
-      serviceAccountOrProject = firebaseAdmin.serviceAccount
-    } else {
-      throw new Error(
-        '[VueFire]: You must provide a "serviceAccount" (dev) or set the FIREBASE_CLIENT_EMAIL, FIREBASE_PRIVATE_KEY and FIREBASE_PROJECT_ID env variables production.'
-      )
-    }
 
-    initializeApp({
-      // TODO: is this really going to be used?
-      ...firebaseAdmin.config,
-      credential: cert(serviceAccountOrProject),
-    })
+      initializeApp({
+        // TODO: is this really going to be used?
+        ...firebaseAdmin.config,
+        credential,
+      })
+    }
   }
 
   const firebaseAdminApp = getApp()

packages/nuxt/src/runtime/app/plugin.server.ts

@@ -5,7 +5,8 @@ import { UserSymbol } from '../admin/plugin-auth-user.server'
 import { defineNuxtPlugin, useAppConfig } from '#app'
 
 // TODO: allow customizing
-// TODO: find sensible defaults
+// TODO: find sensible defaults. Should they change depending on the platform?
+// copied from https://github.com/FirebaseExtended/firebase-framework-tools/blob/e69f5bdd44695274ad88dbb4e21aac778ba60cc8/src/constants.ts
 export const LRU_MAX_INSTANCES = 100
 export const LRU_TTL = 1_000 * 60 * 5
 const appCache = new LRU<string, FirebaseApp>({
@@ -21,7 +22,7 @@ const appCache = new LRU<string, FirebaseApp>({
 /**
  * Initializes the app and provides it to others.
  */
-export default defineNuxtPlugin(async (nuxtApp) => {
+export default defineNuxtPlugin((nuxtApp) => {
   const appConfig = useAppConfig()
 
   // @ts-expect-error: this is a private symbol