I want to link my game to a database that stores username and high scores, in order to create a leaderboard. A lot of tutorials I watched uses Firebase Authentication, but I want to store only the username without any email signup. Is it possible to only use Firebase Firestore to store user data? It would also be helpful if there is any guide I can use to do so.
A lot of tutorials I watched uses Firebase Authentication
The tutorials you have watched are using Firebase Authentication because it provides a really useful feature, which is securing the database using Cloud Firestore Security. These rules are enforced on the server, so can't be bypassed by malicious users.
Is it possible to only use Firebase Firestore to store user data?
Yes, it is. If you are not interested to secure your database, you can create a structure that looks like this:
Firestore-root
|
--- users (collection)
|
--- $username (document)
|
--- age: 20
|
--- gender: male
Having the username as the document ID will ensure that you will have no duplicates because in a collection you cannot have two documents with the same ID.
If you reconsider your approach to using Security Rules, please check the following article before:
How to fix Firestore Error: PERMISSION_DENIED: Missing or insufficient permissions
Yes you can do that. You need to implement also SharedPreference. SharedPreference will use as to check whether user already logged in or not.
Assume your json look like this:
-user
-userUid
-username = USERNAME
-psw = PSW
-otherData = ...
-userUid
-username = USERNAME2
-psw = PSW2
-otherData = ...
From here, you can do a loop and compare each of them if username and psw are correct. Once it is, exit the loop and make it as logged in.
Related
I have a collection of "Users" in Cloud Firestore and I am using Firebase Auth to authenticate my app users as follows:
The user authenticates within the mobile app (for example with Google).
I verify that there is no document within the "Users" collection that corresponds to the UID of the authenticated user.
If the document does not exist in "Users" I use the user's UID to create a new document.
It is my question: Is there a security problem with this model or some other type?
I am confused by Google documentation because it says that the user's UID is unique to the Firebase project but should not be used to authenticate my user to the backend server. It also says that in that case, I should use FirebaseUser.getToken () but that token can change, so it will create a new user in my DB.
So, my second question is: When should you use that token? Give me an example, please.
Thanks for the help.
USER_ID
You can use the google generated user_id for future reference. That will never change for a given user email or authentication type as long as the user is already in the database.
Example:
If the user Signed In with google federated login with user1#example.com then the user record is maintained in the Firebase and USER_ID(Say ABFDe12cdaa2...) will be assigned(You can use this id in URLs to see the user profile etc it is kind of 32 chars long(I am not sure exactly here). Now, If a user tries to sign up again with the same email(user1#example.com) then it pulls the previous record ABFDe12cdaa2.... If you delete a user1#example.com from the firebase database(Firebase maintains its own database of the user for your project, With has a limited number of user properties). Then the user tries to sign in again then the new USER_ID is generated.
Now the TOKEN:
As you USER_ID is public, it can be seen by everyone. It is not used for authentication.
So you need to generate the token( This is longer the user id) to authenticate programmatically with the Firebase. It token is temporary and specific to the user. It will expire in some time ( you can define that time while creating the token). a refresh token is used to get a new token.
I don't have any code examples while writing this answer. I will update with code example,If, I find any.
Hope I clarified some of your questions.
I wanna ask about the concept and logically ways to give another user the privilege to access other's users' data. What I want to do exactly is like this :
Basically, collection 1 contains several Users ID (UID) from authentication, then the user will have their own data collected in collection 2 which contain the data ID.
So, it's like giving access to another user to collaborate with the data like Google Docs Apps where we can add another user to edit our documents. I've been thinking of how to do this, but still, I got stuck.
My question is, how can I possibly do this? cause from what I've read, cloud firestore don't use such a foreign key like MySQL. Thank You
haven't tried something like this but i think this approch overcomes your problem.
modify your structure according to above image. userID collection will contain userIds which are allowed to edit their parent collection.and create firestore rules according to your use to check weather the userId is allowed to edit the Collection or not.
in your case when 'user 2' will have reference to 'collection 2', he/she will try to change data. firebase rule will check if auth.userId is inside the 'collection2.UserIDs' or not and will allow according that.
I am making an app, and in that app, users login and I am storing their information; however, I have noticed that I don't have a users' password information after they register. Is it a good idea to store users' password when they register through Firebase? And is there a point where I will need their passwords? I want to make sure before I proceed further. Thanks!
You do not do that.
Use the (awesome, amazing) Firebase authentication system.
Click right here:
on the left, to see all the users - click "Authentication".
You never see / you cannot see their passwords.
You don't handle or touch the passwords at all.
In the Android or iOS app, you get the userid - and that's it.
The answer by #PeterHaddad shows perfectly how to do that.
That's the first and most basic step in any Firebase ios/droid app.
In your data you'll have a "table" called probably "userData/" and that's where you keep all data about the user. (For example, you may store their address, real name, shoe size .. whatever is relevant in your app.)
Note - FBase is so amazing, your users can also connect with other methods (phone, etc). For your reference in the future, that is explained here
You don't need to store the password in the firebase database, after you authenticate the user using createUserWithEmailAndPassword the email and other info will be stored in the authentication console. So you do not need the password in the database, all you need is the userid to connect auth with database.
FirebaseUser user=FirebaseAuth.getInstance().getCurrentUser();
String useruid=user.getUid();
I'm trying to build android application uses firebase server, I would like to add an authentication to the application, I have searched a lot in the internet, all firebase authentication examples are using google/email/..
But none is using own authentication, what I want to do is:
I will initialize all users data in firebase with unique "id" for each user (no sign up/registration from user)
I will give each user his private unique "id" I initialized for him
User will enter in the application the "id" I gave him - app should check if there is any user with this "id" or not and behave accordingly.
I did the first 2 steps, I have no idea of how to do the third one.
I know how to initialize firebase and iterate over user, but this will be enough ?
How can I gain such an authentication ?
Any help is appreciated
Please forgive my lack of knowledge.
Thanks a lot
I am currently writing an android app. In my app users can rate some objects. The data (the objects as well as the ratings) shall be stored in Google Firebase, especially Firestore.
I already linked my app to Firebase and implemented the com.google.android.gms.auth.api.signin to get the GoogleSignInAccount of the current user.
I want to save the data to the database like:
SomeObject: | objectId | name |
ObjectRating: | ratingId | objectId | userId | rating |
What I am not sure about is, what to save as userId. The documentation of GoogleSignInAccount.getId() says:
Important: Do not use this returned Google ID to communicate the currently signed in user to your backend server. Instead, send an ID token (requestIdToken(String)), which can be securely validated on the server; or send a server auth code (requestServerAuthCode(String)) which can be in turn exchanged for id token.
So I probably should not use this. But the recommended IdToken is signed, so I think it will be different everytime the method is called.
What most people do, is create a users directory in the database. But from the app I want to get the users rating as well as the overall mean rating of all users for the given object. So I think splitting the ratings in multiple user tables complicates the computation of the overall mean rating.
My question is: How can I link the ObjectRating to the user, without using the unsafe getId() while still be able to select all ObjectRatings by objectId to compute the mean rating?
To obtain the user's unique identifier you can use FirebaseAuth to get the FirebaseUser object:
FirebaseAuth.getInstance().getCurrentUser().getUid();
The getUid() method:
Returns a string used to uniquely identify your user in your Firebase
project's user database. Use it when storing information in Firebase
Database or Storage, or even in your own backend.
You'll need to ensure that you've used the GoogleSignInAccount to authenticate with Firebase before calling getCurrentUser(), otherwise it will return null.