I am working on an app using Firebase Auth and Firestore where we store user information in the /users collection. Some users login and have a Firebase Auth record. Other users don't login, their /users documents are just used as reference data.
For Firestore documents in the /users Collection that link to Admin records, I am setting the Document ID to the Firebase Auth UUID (28 character ID generated by Firebase Auth). This lets me easily fetch the user information after the user logs in.
For the others, I am creating the user records with the auto-generated 20 character ID Firestore creates via .doc() or .add(newData).
Is there any documented risk to this or has Firebase stated anything that makes this unwise? I have found nothing in their Guide/Reference documentation that says one way or the other. Their documentation states you can set the ID or let it be generated for you, but it never says you can mix the two methods in the same collection. Has Firebase stated any guarantees for the length of their IDs (currently Auth uses 28 characters and Firestore uses 20 which guarantees they'd never overlap). Will Firestore auto-create a new ID if the auto-generated ID already exists?
The biggest risk I see is if the implementation changed in the future and both had the same length IDs but I have been unable to find any guarantees one way or the other.
Related
Using R, I am trying to read the Firebase authentication records created by users for our project, projectID. To be clear, I do not wish to read, nor can I read, the user pswd, just the Firebase authentication ID, known as the User UID.
Firebase creates a unique UID when a user record is created. This in turn populates a collection, call it collectionID, where the key to collectionID is the Firebase authentication User UID. Other information about the user's use of our application is stored within this collection.
I can read the collectionID using the Firestore library created by Luis Rodriguez - github("luizmirodriguez/FireStore") - as follows:
fireStore.download(projectID,collectionID,auth$credentials$access_token).
I cannot download the authentication records shown in Firebase Console with R today. Does anyone know how to do this?
It may be as simple as knowing the name of the collection (authentication, authentication/users, authentication/users_uid all produce errors).
Any help appreciated
I have the file stored in firebase cloud storage. This file will only available for the paid user download.
How to set up security rules to allow the paid user to have read access to that file?
[Updated]
I use the cloud firestore to store user collection
Each user doc contain
uid
email
name
photoUrl
provider
status
stripeCustomerId
purchasedProducts << this is the array of product name
I can verify paid user by looking if the product exist in purchasedProducts array.
However, inside the security rule from Firebase storage, it seem I can't access resource (user collection) in there. Or am I missing something?
Thanks
There is no way to access Cloud Firestore from within the security rules for Firebase Storage.
That means the only ways to currently implement your use-case is to:
include the necessary information in the ID token of the user, as a custom claim, which is then also available in security rules.
include the necessary information about the user (probably their UID) in your security rules
Since the second approach requires that you update your rules for every paying user, it's not very common.
Setting a custom claim can be done through the Firebase Admin SDK, for example from a Cloud Function that triggers when you write their payment information to Cloud Firestore.
Once you set the custom claim it may take up to an hour before it's available on the client, and from there in the security rules. The reason for that is that the claims are included in the ID token, which only auth-refreshes once an hour. If you want to get the updated claims sooner, you can force a refresh of the user's profile on the client.
Another approach you can try is to delete a file right after it was uploaded using the functions.storage.object().onFinalize webhook - this is wehere you can access the database and check if the user was allowed to upload the file.
Even though it may look a bit 'hacky' at the first glance, this is really a precaution measure in the first place - the UI itself would restrict the upload for the "good" users. And for those who messes up with the source code and tries to circumvent the system, onFinalize would do the job.
You can access cloud firestore through the firestorage service security rules:
https://firebase.google.com/docs/storage/security/rules-conditions#enhance_with_firestore
I have my backend hosted in firebase. Whenever a new user registers I create a new account in my firestore collection. Each user will be identified by a unique uid generated by firebase. Is it possible with enough users to generate the same uid and hence write over another user's data when registering? Or does firestore have any built-in measures to prevent this from happening? Thanks in advance.
Firebase Auth guarantees that each user will have a truly unique ID within your project. There is nothing you have to do. Just accept the UID it generates.
Is it possible to reference user objects in Firestore like a regular document from collection ? I've created a sample of fake users for test in the Authentication section, and I'd like to reference them in a collection.
Their is the reference field :
The id seems correct, however calling a db.doc() with this reference as a parameter returns an empty document (snapshot.exists returns false).
The database 'users' isn't present in my collections since it is handled by Firestore authentication system, but I was wondering if their was a way to access it, similar to regular documents.
You seem to be mixing up two products in the Firebase platform:
Firebase Authentication handles user sign-in.
All information about these users is stored in an internal database,
that you can only access through the Firebase Authentication APIs.
Cloud Firestore stores data that you put in it.
Firebase Authentication does not automatically create any user data in Firestore when a user is created. If you want such data in Firestore, you'll have to create it yourself, either in your application code, or in Cloud Functions in response to the user-created event.
Within Cloud Firestore there is no type that is a "reference to a Firebase Authentication user". But if you store user-specific documents in Firestore, you can use its Document Reference type to reference those user-specific documents.
I'd like to know the best approach/pattern to implement for the following use case.
I'm using Firebase Auth to sign up/in users and it's working fine.
As soon as the auth is performed I need to fetch from a Cloud Firestore collection, say user_profile, the data related to the logged user.
The problem is that the collection has its id which is not related to the user, since it's automatically generated by Firestore. So I don't know what to put in <user>
db.collection("user_profile").doc(<user>).get()
A possible solution I came up with is to store the user id inside user_profile and then query the whole collection like this
db.collection("user_profile").where("id", "==", id_from_auth).get()
Making the id field index of the collection.
Is this a good approach?
Is there a better/smarter/automatic way of doing this?
It's customary to store per-user data in a document keyed by the uid of the user authenticated by Firebase Authentication.