I was wondering if getAuth().uid is sensitive/private in anyway? I am planning to use it on a user post something like: post.created_by: getAuth().uid. This makes writing rules/logic a lot easier.
The other way is to use the push id when the user is added to the database, which I'm trying to avoid.
No its safe to use the uid and recommended, firebase uses auth to authenticate the user and the assign the uid to identify the user across firebase.
You will be using uid in your security rules and as well as to identify user info in your db records.
Manually creating another id will render the efficiency of firebase useless.
Related
I am using theFirebaseAuth Flutter plugin in order to manage the authentication process of users in my app. So far, I have been able to retrieve data from the current user with no trouble. However, I would like to retrieve user information data such as the profile picture using the UID of that user. This is quite easy when the user I want to get the data from is the current user, but I can't see the way of doing that when the user is different.
Is it possible, in some way, to build an instance of FirebaseUser specifying the UID? Or am I forced to store that information in some external storage platform? I prefer
For security reasons, getting user info from any user besides the current one has to be done in a managed environment like a server or Cloud Functions. You can use the Admin SDK to handle this.
I have been exploring Firebase and from my first impressions it looks really good.
I will use Auth for authentication because it's simple and I do not want to write yet another sign in/up system.
I have been looking at firestore for saving data, because it's simple and I do not have to manage a server.
And here comes the problem; Many of the examples I have seen put rules to show only the current rows with "ID" the Auth UID which they pass from the client.
But can the user can decompile my app, change the UID to other user's UID and read/write to their data?
Is this true or am I missing something?
UIDs are handled by Firebase on the server side. There is no way to reverse engineer an app and change the UID.
If for some reason a user does that or anything similar, he won't be able to login to the app thus won't have access to the data stored on Cloud Firestore.
I'm trying to use firebase cloud messaging service for my android application and I'm trying to find the best way to manage registration ID in database server.
I was thinking to create new table with userID,registrationId (where userID is unique for each user) in my database and insert new record once the user logs in successfully and remove that record when the user logs out. but there are some situation that the registration Id will be refreshed, I can get the new registration Id to save it in the database. but how can I get the old registration Id to remove it?
Are there better way to manage the registration Id in database?
note: a device can access one account but there are might be many devices that use the same account.
Depending on the user, you might want to also have an identifier for each device they use. But for a simpler explanation, I'll go with the scenario where each user only has a single device.
If you're using Firebase Database, then the simplest way to structure the nodes would be something like this:
pushTokens/
$userId: <registration_token_here>
Simple as that. You just pair the userId that you use in your app (possibly for authentication) and place the token there. On sign out, log the user out. When the user is currently signed-in and the token refreshes, handle it in onTokenRefresh(), send the new token to the DB, and replace the older one. Deciding to keep the old one for logging purposes is your call.
Possibly helpful posts:
Firebase Cloud Messaging - Managing Registration Tokens
Managing FCM device groups
I'd like to know the best approach/pattern to implement for the following use case.
I'm using Firebase Auth to sign up/in users and it's working fine.
As soon as the auth is performed I need to fetch from a Cloud Firestore collection, say user_profile, the data related to the logged user.
The problem is that the collection has its id which is not related to the user, since it's automatically generated by Firestore. So I don't know what to put in <user>
db.collection("user_profile").doc(<user>).get()
A possible solution I came up with is to store the user id inside user_profile and then query the whole collection like this
db.collection("user_profile").where("id", "==", id_from_auth).get()
Making the id field index of the collection.
Is this a good approach?
Is there a better/smarter/automatic way of doing this?
It's customary to store per-user data in a document keyed by the uid of the user authenticated by Firebase Authentication.
I am new to Firebase Database and I am not planning to use the Firebase Authentication.
Is it possibile to set Firebase Database rules based on the Firebase Instance ID, rather than on the authenticated User ID ?
This is the structure I am thinking to implement:
/instanceIDs
/iid1
/somedata
/someotherdata
/iid2
...
/iid3
...
and I would like to restrict read/write permission only to that specific instance ID
anyone can show how to set such rule?
Otherwise, if I set read/write to true for all users, what is the security risk?
If my native mobile app code only reads/writes on the specific instance ID branch, can I expect some security issues?
The Instance ID in an app that uses Firebase Cloud Messaging identifies the installation of that specific app on that specific device. This value is not available in Firebase security rules.
While it sounds like an interesting idea to secure based on this instance ID, it would in longer term not work. The Instance ID can change over time, and every time that happens, the device would lose access to its data.
Access to Firebase (database and storage) is typically based on the user of the app. Unlike the Instance ID, the user's ID is stable over time: meaning that the same user will always have the same UID and thus have access to the same resources. If you don't want to ask your users to sign in, you can use Firebase's anonymous authentication.
PS: if you feel like experimenting with using the Instance ID to secure access, you can easily pass the Instance ID to a server, mint a Firebase Authentication token from it (you could use Cloud Functions for this), and then use that custom token to sign in.