So I'm trying to understand how Firebase works. I'm using Firebase cloud for the Database. I have created a collection like this:
'groups': {
'some_group_name': { ... data ... }
'other_group_name': { ... data ... }
}
Also each user enters email and password when entered to the app. On the sign up, he chooses the group name. For example in the sign up he will set username, password and some_group_name. But How do I connect between the currently login user and it's group in the database? The only data that Firebase authentication saves is email and password.
Do I need to create another collection users like so?
"users": {
"some_user_name": "some_group_name"
}
You'll need to store the group membership/association of the user somewhere. How to do this, depends on the exact requirements of your app.
If a user can be a member of only one group, you can store their group as a field in a user profile doc. You'd typically have a top-level collection users for this, and a document for each user under that with the user's UID as the document ID (so that you can easily look up the user profile by their UID).
If a user can be a member of multiple groups, you can store that in an array field in the same user profile document. In that case, use arrayUnion and arrayRemove to manipulate the array, so that you can easily query for array membership when needed.
Related
I have a collection of "Users" in Cloud Firestore and I am using Firebase Auth to authenticate my app users as follows:
The user authenticates within the mobile app (for example with Google).
I verify that there is no document within the "Users" collection that corresponds to the UID of the authenticated user.
If the document does not exist in "Users" I use the user's UID to create a new document.
It is my question: Is there a security problem with this model or some other type?
I am confused by Google documentation because it says that the user's UID is unique to the Firebase project but should not be used to authenticate my user to the backend server. It also says that in that case, I should use FirebaseUser.getToken () but that token can change, so it will create a new user in my DB.
So, my second question is: When should you use that token? Give me an example, please.
Thanks for the help.
USER_ID
You can use the google generated user_id for future reference. That will never change for a given user email or authentication type as long as the user is already in the database.
Example:
If the user Signed In with google federated login with user1#example.com then the user record is maintained in the Firebase and USER_ID(Say ABFDe12cdaa2...) will be assigned(You can use this id in URLs to see the user profile etc it is kind of 32 chars long(I am not sure exactly here). Now, If a user tries to sign up again with the same email(user1#example.com) then it pulls the previous record ABFDe12cdaa2.... If you delete a user1#example.com from the firebase database(Firebase maintains its own database of the user for your project, With has a limited number of user properties). Then the user tries to sign in again then the new USER_ID is generated.
Now the TOKEN:
As you USER_ID is public, it can be seen by everyone. It is not used for authentication.
So you need to generate the token( This is longer the user id) to authenticate programmatically with the Firebase. It token is temporary and specific to the user. It will expire in some time ( you can define that time while creating the token). a refresh token is used to get a new token.
I don't have any code examples while writing this answer. I will update with code example,If, I find any.
Hope I clarified some of your questions.
I am working on one the Android APP & want to integrate it with the Firebase & it's Realtime Database. I have a list of 1000 users(Excel) with details like EmpId, EmpName, Team, Mobile Number, etc.
I want to restrict my APP only to the users from this list & also want to authenticate them using the mobile number present in the list against there name.
Can I use Firebase Auth for the above requirement & if yes, how to do that?
If with FireBase Auth, this is not possible what is the alternative solution?
Please help.
Firebase Authentication only allows the users to identify themselves. What you're describing is limiting what users are allowed to use your app, which is known as authorization, and Firebase Authentication doesn't handle that.
Luckily you tagged with firebase-realtime-database too, and authorization is definitely built into that. What I'd usually do is create a top-level node in the database that contains the UID of users that are allowed to use the app:
"allowedUsers": {
"uidOfUser1": true,
"uidOfUser2": true
...
}
Then in other security rules you'll check if the user's UID is in this list before allowing them access to data, with something like:
{
"rules": {
"employees": {
".read": "root.child('allowedUsers').child(auth.uid).exists()",
"$uid": {
".read": "auth.uid === $uid && root.child('allowedUsers').child(auth.uid).exists()"
}
}
}
}
With these rules:
Allowed users that are signed in can read all employee data.
But they can only modify their own employee data.
Of course you'll want to modify these rules to fit your own requirements, but hopefully this allows you to get started.
A few things to keep in mind:
The UID is only created once the users sign up in Firebase Authentication. This means you may have to map from the email addresses you have to the corresponding UIDs. You can either do this by precreating all users, do it in batches, or use a Cloud Function that triggers on user creation to add the known users to the allowedUsers list.
Alternative you can store the list of email addresses in the database. Just keep in mind that somebody could sign in with somebody else's email address, unless you require email address verification. Oh, and you can't store the email address as a key in the database as-is, since . characters are not allowed, so you'll have to do some form of encoding on that.
Also see:
How do I lock down Firebase Database to any user from a specific (email) domain? (also shows how to check for email verification)
Restrict Firebase users by email (shows using encoded email addresses)
firebase realtime db security rule to allow specific users
How to disable Signup in Firebase 3.x
Firebase - Prevent user authentication
I know it's late but for anyone who may be referencing this question, my recommendation is blocking functions. You essentially create a Firebase Cloud Function that can accept or deny requests to make an account. Here's what it could look like:
const functions = require('firebase-functions');
exports.beforeCreate = functions.auth.user().beforeCreate((user, context) => {
var allowedUsers = ['johndoe#stackoverflow.com'];
// if they are not in the list, they cannot make an account
// throwing this error will prevent account creation
if(allowUsers.indexOf(user.email) == -1) throw new functions.auth.HttpsError('permission-denied');
});
This way is better in my opinion because the security rules doesn't have to reference the database. Instead, the security rules can allow requests from any authenticated user, because the only authenticated users are ones allowed by this function.
I am creating an application that would allow users to access data on their phones. Examples would be progress scores/test results.
I can upload the data to Firebase with an email address as the user link.
Is there a way that I can link this already loaded data to a user (with the same email address) once they have registered? Ideally using the email address in a rule to search up that data and use that reference point in the app.
Ideally I would like to pre-upload the users in bulk, but I know that Firebase only allows one user to be added at a time.
Any help would be appreciated.
After a user sign in to the app through the Firebase auth you can get its email through this call:
FirebaseAuth.getInstance().getCurrentUser().getEmail()
If you want to import data into your database, you should first make a json out of your data (list of users by email) and then use Firebase-Import to put it in your datastore.
I am new to the Firebase database.I have learned that push methods generate a unique key in Firebase database.My question is After the authentication, how to set the user_id as the key? so every time User logged in. User can manipulate its own data .. I have searched a lot but didn't find help. Thanks.
You usually save the user specific data under a node with the $user_id as key. You set write permissions to only that user. When the user first signs up, you create that node on the client side where the user just signed in and then populate with that user's data. So you first define the rule in the Firebase Console for that node ahead of time, create the user db node after first time authentication. From there, the user can only manipulate its own data. Check this doc for more on this: https://firebase.google.com/docs/database/security/user-security
I am currently making an Android app that allows Facebook sign-in and for each user, stores their email address (from Facebook) along with a couple integer variables in my database.
Upon login, I want my app to check if my database contains the email address of the logged on user. If it does, I proceed with the app functionality, if not, I create a new entry in my database for that user, with an email address and the associated integers.
How can I formulate a query or request that searches my database for a given email string? I am not very experienced with Firebase.
Using FirebaseAuth for your Facebook sign-in would give every user a unique id generated by Firebase.
This id is returned to you in the code when login is successful. You could then retrieve the user's email from the returned object.
Assuming you're using Firebase's real time database to store your info, you could check out their official docs here on how to use your DatabaseReference DataSnapshot to query the database