@edgedev/create-edge-app 0.0.1

package/firestore.rules

@@ -0,0 +1,294 @@
+rules_version = '2';
+// #EDGE FIREBASE RULES START
+service cloud.firestore {
+
+  match /databases/{database}/documents/events/{event} {
+    allow read: if false;
+    allow create: if false;  
+    allow update: if false; 
+    allow delete: if false; 
+  }
+  
+  match /databases/{database}/documents/rule-helpers/{helper} {
+    allow read: if false;
+    allow create: if request.auth.uid == request.resource.data.uid;  
+    allow update: if request.auth.uid == request.resource.data.uid;
+    allow delete: if false; 
+  }
+
+  match /databases/{database}/documents/users/{user} {
+      function readSelf() {
+        return  resource == null ||
+                (
+                  "userId" in resource.data && 
+                  resource.data.userId == request.auth.uid
+                );
+      }
+    
+    allow read: if readSelf();
+    allow create: if false;
+    allow update: if false;
+    allow delete: if false;
+  }
+
+  match /databases/{database}/documents/collection-data/{collectionPath} {
+    // TODO: these rules need tested.
+    function getRolePermission(role, collection, permissionCheck) {
+        let pathCollectionPermissions = get(/databases/$(database)/documents/collection-data/$(collection)).data;
+        let defaultPermissions = get(/databases/$(database)/documents/collection-data/-default-).data;
+        return (role in pathCollectionPermissions && pathCollectionPermissions[role][permissionCheck]) ||
+              (role in defaultPermissions && defaultPermissions[role][permissionCheck]);
+    }
+    function canAssign() {
+      let user = get(/databases/$(database)/documents/users/$(request.auth.uid)).data;
+      let ruleHelper = get(/databases/$(database)/documents/rule-helpers/$(request.auth.uid)).data['edge-assignment-helper'];
+      return collectionPath.matches("^" + ruleHelper[collectionPath].permissionCheckPath + ".*$") &&
+      (
+        "specialPermissions" in user &&
+        ruleHelper[collectionPath].permissionCheckPath in user.specialPermissions &&
+        "assign" in user.specialPermissions[ruleHelper[collectionPath].permissionCheckPath] &&
+         user.specialPermissions[ruleHelper[collectionPath].permissionCheckPath]["assign"]
+      ) ||
+      (
+        "roles" in user && 
+        ruleHelper[collectionPath].permissionCheckPath in user.roles &&
+        "role" in user.roles[ruleHelper[collectionPath].permissionCheckPath] &&
+         getRolePermission(user.roles[ruleHelper[collectionPath].permissionCheckPath].role, collectionPath, "assign")
+      );
+    }
+    allow read: if request.auth != null; // All signed in users can read collection-data
+    allow create: if canAssign();
+    allow update: if canAssign();
+    allow delete: if canAssign();
+  }
+
+  match /databases/{database}/documents/staged-users/{user} {
+
+    function canUpdate() {
+      let user = get(/databases/$(database)/documents/users/$(request.auth.uid)).data;
+      let ruleHelper = get(/databases/$(database)/documents/rule-helpers/$(request.auth.uid)).data;
+      
+      return (
+              request.auth.uid == request.resource.data.uid &&
+              (
+                (
+                  (
+                     request.resource.data.userId == resource.data.userId ||
+                     resource.data.userId == ""
+                   ) &&
+                  (
+                    request.resource.data.userId == request.auth.uid ||
+                    request.resource.data.templateUserId == request.auth.uid
+                  )
+                ) ||
+                (
+                  request.resource.data.userId == resource.data.userId &&
+                  "edge-assignment-helper" in ruleHelper &&
+                  permissionUpdatesCheck(user, ruleHelper, "roles") && 
+                  permissionUpdatesCheck(user, ruleHelper, "specialPermssions")
+                )
+              )
+             );
+             
+    }
+
+
+    function permissionUpdatesCheck(user, ruleHelper, permissionType) {
+      return !(permissionType in request.resource.data) ||
+              (
+                resource.data.userId == request.auth.uid && 
+                request.resource.data[permissionType].keys().hasOnly(resource.data[permissionType].keys())
+              ) ||
+              (
+                resource.data.userId != request.auth.uid &&
+                 permissionCheck(permissionType, user, ruleHelper)
+              );
+    }
+    function permissionCheck(permissionType, user, ruleHelper) {
+        let lastPathUpdated = ruleHelper["edge-assignment-helper"].fullPath;
+        let permissionCheckPath = ruleHelper["edge-assignment-helper"].permissionCheckPath;
+        return request.resource.data[permissionType].diff(resource.data[permissionType]).affectedKeys().size() == 0 || 
+            (
+              request.resource.data[permissionType].diff(resource.data[permissionType]).affectedKeys().size() == 1 && 
+              request.resource.data[permissionType].diff(resource.data[permissionType]).affectedKeys() == [lastPathUpdated].toSet() &&
+              (
+                 permissionCheckPath == "-" || 
+                 lastPathUpdated.matches("^" + permissionCheckPath + ".*$")
+              ) &&
+              (
+                (
+                  "roles" in user &&
+                  getRolePermission(user.roles[permissionCheckPath].role, permissionCheckPath, "assign")
+                ) ||
+                (
+                  "specialPermissions" in user &&
+                  permissionCheckPath in user.specialPermissions &&
+                  "assign" in user.specialPermissions[permissionCheckPath] &&
+                  user.specialPermissions[permissionCheckPath]["assign"]
+                )
+              )
+            );
+    }
+
+    function canAssign(user, ruleHelper) {
+      return request.auth != null &&
+             "edge-assignment-helper" in ruleHelper &&
+             (
+              (
+                "roles" in user &&
+                ruleHelper["edge-assignment-helper"].permissionCheckPath in user.roles &&
+                getRolePermission(user.roles[ruleHelper["edge-assignment-helper"].permissionCheckPath].role, ruleHelper["edge-assignment-helper"].permissionCheckPath, 'assign')
+              ) ||
+              (
+                "specialPermissions" in user &&
+                ruleHelper["edge-assignment-helper"].permissionCheckPath in user.specialPermissions &&
+                "assign" in user.specialPermissions[ruleHelper["edge-assignment-helper"].permissionCheckPath] &&
+                user.specialPermissions[ruleHelper["edge-assignment-helper"].permissionCheckPath]["assign"]
+              )
+             )
+    }
+
+    function canAssignSubCreatePath(user, ruleHelper) {
+      let permissionCheckPath = ruleHelper["edge-assignment-helper"].permissionCheckPath;
+      return  (
+                !("subCreate" in request.resource.data) ||
+                (
+                  "subCreate" in request.resource.data &&
+                  request.resource.data.subCreate.keys().size() == 0 
+                )
+              )||
+              (
+                 permissionCheckPath == "-" || 
+                 request.resource.data.subCreate.rootPath.matches("^" + permissionCheckPath + ".*$")
+              ) &&
+              (
+                (
+                  "roles" in user &&
+                  permissionCheckPath in user.roles &&
+                  getRolePermission(user.roles[permissionCheckPath].role, permissionCheckPath, "assign")
+                ) ||
+                (
+                  "specialPermissions" in user &&
+                  permissionCheckPath in user.specialPermissions &&
+                  "assign" in user.specialPermissions[permissionCheckPath] &&
+                  user.specialPermissions[permissionCheckPath]["assign"]
+                )
+              )
+
+    }
+
+    function canList() {
+      let user = get(/databases/$(database)/documents/users/$(request.auth.uid)).data;
+      let ruleHelper = get(/databases/$(database)/documents/rule-helpers/$(request.auth.uid)).data;
+      return canAssign(user, ruleHelper);
+    }
+
+    function canCreate() {
+      let user = get(/databases/$(database)/documents/users/$(request.auth.uid)).data;
+      let ruleHelper = get(/databases/$(database)/documents/rule-helpers/$(request.auth.uid)).data;
+      return noPermissionData() && canAssign(user, ruleHelper) && canAssignSubCreatePath(user, ruleHelper);
+    }
+
+    function noPermissionData() {
+      return request.resource.data.roles.size() == 0 && request.resource.data.specialPermissions.size() == 0;
+    }
+
+    function getRolePermission(role, collection, permissionCheck) {
+        let pathCollectionPermissions = get(/databases/$(database)/documents/collection-data/$(collection)).data;
+        let defaultPermissions = get(/databases/$(database)/documents/collection-data/-default-).data;
+        return (role in pathCollectionPermissions && pathCollectionPermissions[role][permissionCheck]) ||
+              (role in defaultPermissions && defaultPermissions[role][permissionCheck]);
+      }
+
+     function canGet () {
+       return resource == null || 
+             ("userId" in resource.data && resource.data.userId == "") || 
+             ("userId" in resource.data && resource.data.userId == request.auth.uid) ||
+             canAssign(get(/databases/$(database)/documents/users/$(request.auth.uid)).data, get(/databases/$(database)/documents/rule-helpers/$(request.auth.uid)).data);
+     }
+    allow get: if canGet();
+    allow list: if canList();
+    allow create: if canCreate();
+    allow update: if canUpdate();
+    allow delete: if false // TODO if isTemplate is true... can delete... otherwise users never deleted just removed from collection paths
+  }
+
+  match /databases/{database}/documents/{seg1} {
+      function getRolePermission(role, collection, permissionCheck) {
+        let pathCollectionPermissions = get(/databases/$(database)/documents/collection-data/$(collection)).data;
+        let defaultPermissions = get(/databases/$(database)/documents/collection-data/-default-).data;
+        return (role in pathCollectionPermissions && pathCollectionPermissions[role][permissionCheck]) ||
+              (role in defaultPermissions && defaultPermissions[role][permissionCheck]);
+      }
+      function checkPermission(collectionPath, permissionCheck) {
+          let user = get(/databases/$(database)/documents/users/$(request.auth.uid)).data;
+          let skipPaths = ["collection-data", "users", "staged-users", "events", "rule-helpers"];
+          let ruleHelper = get(/databases/$(database)/documents/rule-helpers/$(request.auth.uid)).data;
+          return !(collectionPath in skipPaths) &&
+                  request.auth != null &&
+                  collectionPath in ruleHelper &&
+                  "permissionCheckPath" in ruleHelper[collectionPath] &&
+                  (
+                    ruleHelper[collectionPath].permissionCheckPath == "-" ||
+                    collectionPath.matches("^" + ruleHelper[collectionPath].permissionCheckPath + ".*$")
+                  ) &&
+                  (
+                    (
+                      "roles" in user &&
+                      ruleHelper[collectionPath].permissionCheckPath in user.roles &&
+                      getRolePermission(user.roles[ruleHelper[collectionPath].permissionCheckPath].role, ruleHelper[collectionPath].permissionCheckPath, permissionCheck)
+                    ) ||
+                    (
+                      "specialPermissions" in user &&
+                      ruleHelper[collectionPath].permissionCheckPath in user.specialPermissions &&
+                      permissionCheck in user.specialPermissions[ruleHelper[collectionPath].permissionCheckPath] &&
+                      user.specialPermissions[ruleHelper[collectionPath].permissionCheckPath][permissionCheck]
+                    )
+                  );
+        }
+      match /{seg2} {
+        allow get: if checkPermission(seg1 + "-" + seg2, "read");
+        allow list: if checkPermission(seg1, "read");
+        allow create: if request.auth.uid == request.resource.data.uid && checkPermission(seg1, "write");
+        allow update: if request.auth.uid == request.resource.data.uid && checkPermission(seg1 + "-" + seg2, "write");
+        allow delete: if checkPermission(seg1, "delete");
+        match /{seg3} {
+          allow get: if checkPermission(seg1 + "-" + seg2 + "-" + seg3, "read");
+          allow list: if checkPermission(seg1 + "-" + seg2, "read");
+          allow create: if request.auth.uid == request.resource.data.uid && checkPermission(seg1 + "-" + seg2, "write");
+          allow update: if request.auth.uid == request.resource.data.uid && checkPermission(seg1 + "-" + seg2 + "-" + seg3, "write");
+          allow delete: if checkPermission(seg1 + "-" + seg2, "delete");
+          match /{seg4} {
+            allow get: if checkPermission(seg1 + "-" + seg2 + "-" + seg3 + "-" + seg4, "read");
+            allow list: if checkPermission(seg1 + "-" + seg2 + "-" + seg3, "read");
+            allow create: if request.auth.uid == request.resource.data.uid && checkPermission(seg1 + "-" + seg2 + "-" + seg3, "write");
+            allow update: if request.auth.uid == request.resource.data.uid && checkPermission(seg1 + "-" + seg2 + "-" + seg3 + "-" + seg4, "write");
+            allow delete: if checkPermission(seg1 + "-" + seg2 + "-" + seg3, "delete");
+
+            match /{seg5} {
+              allow get: if checkPermission(seg1 + "-" + seg2 + "-" + seg3 + "-" + seg4 + "-" + seg5, "read");
+              allow list: if checkPermission(seg1 + "-" + seg2 + "-" + seg3 + "-" + seg4, "read");
+              allow create: if request.auth.uid == request.resource.data.uid && checkPermission(seg1 + "-" + seg2 + "-" + seg3 + "-" + seg4, "write");
+              allow update: if request.auth.uid == request.resource.data.uid && checkPermission(seg1 + "-" + seg2 + "-" + seg3 + "-" + seg4 + "-" + seg5, "write");
+              allow delete: if checkPermission(seg1 + "-" + seg2 + "-" + seg3 + "-" + seg4, "delete");
+              match /{seg6} {
+                allow get: if checkPermission(seg1 + "-" + seg2 + "-" + seg3 + "-" + seg4 + "-" + seg5 + "-" + seg6, "read");
+                allow list: if checkPermission(seg1 + "-" + seg2 + "-" + seg3 + "-" + seg4 + "-" + seg5, "read");
+                allow create: if request.auth.uid == request.resource.data.uid && checkPermission(seg1 + "-" + seg2 + "-" + seg3 + "-" + seg4 + "-" + seg5, "write");
+                allow update: if request.auth.uid == request.resource.data.uid && checkPermission(seg1 + "-" + seg2 + "-" + seg3 + "-" + seg4 + "-" + seg5 + "-" + seg6, "write");
+                allow delete: if checkPermission(seg1 + "-" + seg2 + "-" + seg3 + "-" + seg4 + "-" + seg5, "delete");
+                match /{seg7} {
+                  allow get: if checkPermission(seg1 + "-" + seg2 + "-" + seg3 + "-" + seg4 + "-" + seg5 + "-" + seg6 + "-" + seg7, "read");
+                  allow list: if checkPermission(seg1 + "-" + seg2 + "-" + seg3 + "-" + seg4 + "-" + seg5 + "-" + seg6, "read");
+                  allow create: if request.auth.uid == request.resource.data.uid && checkPermission(seg1 + "-" + seg2 + "-" + seg3 + "-" + seg4 + "-" + seg5 + "-" + seg6, "write");
+                  allow update: if request.auth.uid == request.resource.data.uid && checkPermission(seg1 + "-" + seg2 + "-" + seg3 + "-" + seg4 + "-" + seg5 + "-" + seg6 + "-" + seg7, "write");
+                  allow delete: if checkPermission(seg1 + "-" + seg2 + "-" + seg3 + "-" + seg4 + "-" + seg5 + "-" + seg6, "delete");
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+// #EDGE FIREBASE RULES END

package/firestore.rules.backup

@@ -0,0 +1 @@
+rules_version = '2';

package/functions/.runtimeconfig.json

@@ -0,0 +1,5 @@
+{
+    "openai": {
+        "api_key": "some-key-here"
+    }
+}

package/functions/index.js

@@ -0,0 +1,226 @@
+const functions = require('firebase-functions')
+const admin = require('firebase-admin')
+admin.initializeApp()
+const db = admin.firestore()
+// START @edge/firebase functions
+
+exports.initFirestore = functions.https.onCall(async (data, context) => {
+  // checks to see of the collections 'collection-data' and 'staged-users' exist if not will seed them with data
+  const collectionData = await db.collection('collection-data').get()
+  const stagedUsers = await db.collection('staged-users').get()
+  if (collectionData.empty) {
+    // create a document with the id of '-' and one called '-default-':
+    const admin = { assign: true, delete: true, read: true, write: true }
+    const editor = { assign: false, delete: true, read: true, write: true }
+    const writer = { assign: false, delete: false, read: true, write: true }
+    const user = { assign: false, delete: false, read: true, write: false }
+    await db.collection('collection-data').doc('-').set({ admin, editor, writer, user })
+    await db.collection('collection-data').doc('-default-').set({ admin, editor, writer, user })
+  }
+  if (stagedUsers.empty) {
+    const templateUser = {
+      docId: 'organization-registration-template',
+      isTemplate: true,
+      meta: {
+        name: 'Organization Registration Template',
+      },
+      subCreate: {
+        documentStructure: {
+          name: '',
+        },
+        dynamicDocumentField: 'name',
+        role: 'admin',
+        rootPath: 'organizations',
+      },
+      userId: '',
+    }
+    await db.collection('staged-users').doc('organization-registration-template').set(templateUser)
+  }
+})
+
+exports.removeNonRegisteredUser = functions.https.onCall(async (data, context) => {
+  if (data.uid === context.auth.uid) {
+    const stagedUser = await db.collection('staged-users').doc(data.docId).get()
+    if (stagedUser.exists) {
+      const stagedUserData = stagedUser.data()
+
+      const rolesExist = stagedUserData.roles && Object.keys(stagedUserData.roles).length !== 0
+      const specialPermissionsExist = stagedUserData.specialPermissions && Object.keys(stagedUserData.specialPermissions).length !== 0
+      const userIdExistsAndNotBlank = stagedUserData.userId && stagedUserData.userId !== ''
+
+      if (!rolesExist && !specialPermissionsExist && !userIdExistsAndNotBlank) {
+        await db.collection('staged-users').doc(data.docId).delete()
+        return { success: true, message: '' }
+      }
+      else {
+        let message = ''
+        if (rolesExist && specialPermissionsExist) {
+          message = 'Cannot delete because the non-registered user still has roles and special permissions assigned.'
+        }
+        else if (rolesExist) {
+          message = 'Cannot delete because the non-registered user still has roles assigned.'
+        }
+        else if (specialPermissionsExist) {
+          message = 'Cannot delete because the non-registered user still has special permissions assigned.'
+        }
+        else if (userIdExistsAndNotBlank) {
+          message = 'Cannot delete because the user is registered.'
+        }
+        return { success: false, message }
+      }
+    }
+  }
+  return { success: false, message: 'Non-registered user not found.' }
+})
+
+exports.currentUserRegister = functions.https.onCall(async (data, context) => {
+  if (data.uid === context.auth.uid) {
+    const stagedUser = await db.collection('staged-users').doc(data.registrationCode).get()
+    if (!stagedUser.exists) {
+      return { success: false, message: 'Registration code not found.' }
+    }
+    else {
+      const stagedUserData = await stagedUser.data()
+      let process = false
+      if (stagedUserData.isTemplate) {
+        process = true
+      }
+      if (!stagedUserData.isTemplate && stagedUserData.userId === '') {
+        process = true
+      }
+      if (!process) {
+        return { success: false, message: 'Registration code not valid.' }
+      }
+      const newRoles = stagedUserData.roles || {}
+      const currentUser = await db.collection('users').doc(data.uid).get()
+      const currentUserData = await currentUser.data()
+      const currentRoles = currentUserData.roles || {}
+      const currentUserCollectionPaths = currentUserData.collectionPaths || []
+      let newRole = {}
+      if (stagedUserData.subCreate && Object.keys(stagedUserData.subCreate).length !== 0 && stagedUserData.isTemplate) {
+        if (!data.dynamicDocumentFieldValue) {
+          return { success: false, message: 'Dynamic document field value is required.' }
+        }
+        const rootPath = stagedUserData.subCreate.rootPath
+        const newDoc = stagedUserData.subCreate.documentStructure
+        newDoc[stagedUserData.subCreate.dynamicDocumentField] = data.dynamicDocumentFieldValue
+        const addedDoc = await db.collection(rootPath).add(newDoc)
+        await db.collection(rootPath).doc(addedDoc.id).update({ docId: addedDoc.id })
+        newRole = { [`${rootPath}-${addedDoc.id}`]: { collectionPath: `${rootPath}-${addedDoc.id}`, role: stagedUserData.subCreate.role } }
+      }
+      const combinedRoles = { ...currentRoles, ...newRoles, ...newRole }
+      Object.values(combinedRoles).forEach((role) => {
+        if (!currentUserCollectionPaths.includes(role.collectionPath)) {
+          currentUserCollectionPaths.push(role.collectionPath)
+        }
+      })
+      await db.collection('staged-users').doc(currentUserData.stagedDocId).update({ roles: combinedRoles, collectionPaths: currentUserCollectionPaths })
+      if (!stagedUserData.isTemplate) {
+        await db.collection('staged-users').doc(data.registrationCode).delete()
+      }
+      return { success: true, message: '' }
+    }
+  }
+})
+
+exports.updateUser = functions.firestore.document('staged-users/{docId}').onUpdate((change, context) => {
+  const eventId = context.eventId
+  const eventRef = db.collection('events').doc(eventId)
+  const stagedDocId = context.params.docId
+  let newData = change.after.data()
+  const oldData = change.before.data()
+  return shouldProcess(eventRef).then((process) => {
+    if (process) {
+      // Note: we can trust on newData.uid because we are checking in rules that it matches the auth.uid
+      if (newData.userId) {
+        const userRef = db.collection('users').doc(newData.userId)
+        setUser(userRef, newData, oldData, stagedDocId).then(() => {
+          return markProcessed(eventRef)
+        })
+      }
+      else {
+        if (newData.templateUserId !== oldData.templateUserId) {
+          newData.isTemplate = false
+          const templateUserId = newData.templateUserId
+          newData.meta = newData.templateMeta
+          delete newData.templateMeta
+          delete newData.templateUserId
+          if (Object.prototype.hasOwnProperty.call(newData, 'subCreate') && Object.values(newData.subCreate).length > 0) {
+            const subCreate = newData.subCreate
+            delete newData.subCreate
+            db.collection(subCreate.rootPath).add({ [subCreate.dynamicDocumentField]: newData.dynamicDocumentFieldValue }).then((addedDoc) => {
+              db.collection(subCreate.rootPath).doc(addedDoc.id).update({ docId: addedDoc.id }).then(() => {
+                delete newData.dynamicDocumentFieldValue
+                const newRole = { [`${subCreate.rootPath}-${addedDoc.id}`]: { collectionPath: `${subCreate.rootPath}-${addedDoc.id}`, role: subCreate.role } }
+                if (Object.prototype.hasOwnProperty.call(newData, 'collectionPaths')) {
+                  newData.collectionPaths.push(`${subCreate.rootPath}-${addedDoc.id}`)
+                }
+                else {
+                  newData.collectionPaths = [`${subCreate.rootPath}-${addedDoc.id}`]
+                }
+                const newRoles = { ...newData.roles, ...newRole }
+                newData = { ...newData, roles: newRoles }
+                const stagedUserRef = db.collection('staged-users').doc(templateUserId)
+                return stagedUserRef.set({ ...newData, userId: templateUserId }).then(() => {
+                  const userRef = db.collection('users').doc(templateUserId)
+                  setUser(userRef, newData, oldData, templateUserId).then(() => {
+                    return markProcessed(eventRef)
+                  })
+                })
+              })
+            })
+          }
+          else {
+            const stagedUserRef = db.collection('staged-users').doc(templateUserId)
+            return stagedUserRef.set({ ...newData, userId: templateUserId }).then(() => {
+              const userRef = db.collection('users').doc(templateUserId)
+              setUser(userRef, newData, oldData, templateUserId).then(() => {
+                return markProcessed(eventRef)
+              })
+            })
+          }
+        }
+      }
+      return markProcessed(eventRef)
+    }
+  })
+})
+
+function setUser(userRef, newData, oldData, stagedDocId) {
+// IT's OK If "users" doesn't match exactly matched "staged-users" because this is only preventing
+// writing from outside the @edgdev/firebase functions, so discrepancies will be rare since
+// the package will prevent before it gets this far.
+  return userRef.get().then((user) => {
+    let userUpdate = { meta: newData.meta, stagedDocId }
+
+    if (Object.prototype.hasOwnProperty.call(newData, 'roles')) {
+      userUpdate = { ...userUpdate, roles: newData.roles }
+    }
+    if (Object.prototype.hasOwnProperty.call(newData, 'specialPermissions')) {
+      userUpdate = { ...userUpdate, specialPermissions: newData.specialPermissions }
+    }
+
+    if (!oldData.userId) {
+      userUpdate = { ...userUpdate, userId: newData.uid }
+    }
+    if (!user.exists) {
+      return userRef.set(userUpdate)
+    }
+    else {
+      return userRef.update(userUpdate)
+    }
+  })
+}
+
+function shouldProcess(eventRef) {
+  return eventRef.get().then((eventDoc) => {
+    return !eventDoc.exists || !eventDoc.data().processed
+  })
+}
+
+function markProcessed(eventRef) {
+  return eventRef.set({ processed: true }).then(() => {
+    return null
+  })
+}
+// END @edge/firebase functions

package/functions/index.js.backup

@@ -0,0 +1,4 @@
+const functions = require('firebase-functions')
+const admin = require('firebase-admin')
+admin.initializeApp()
+const db = admin.firestore()