PermissionOffer for Non-Registered User - realm

I have a use case where I would like to share a realm with a user that has not yet registered with Realm Object Server. The registered user would share a realm with a non-registered user by entering their email address. When the unregistered user registers using the app, they will be granted permission to the realm the first user owns.
How do PermissionOffers work if the user id doesn't yet exist? If the user id is an email address, can the PermissionOffer just hang until a user with the email address is created? What is the suggested workflow for handling something like this?

Permission offers are not bound to user ID. Instead, when you create a permission offer, a random token is generated that the first user sends via any medium (e.g. email/iMessage) to the second user. The second user then accepts the offer by consuming the token and receives permissions to the Realm.
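The token flow described in this answer, modelled in memory as an added example (not Realm's API and not code from the original post). OfferStore, createOffer, acceptOffer and accessFor are hypothetical names; storing only the token hash, expiring offers and making them single-use are assumptions of this example, not statements about Realm's behaviour.

```javascript
// Added example: in-memory model of a token-based permission offer.
// All names here are hypothetical, not Realm Object Server APIs.
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

class OfferStore {
  constructor() {
    this.offers = new Map();      // sha256(token) -> offer record
    this.permissions = new Map(); // realmPath -> Map(userId -> accessLevel)
  }

  // Called by the realm owner. The offer names a realm, not a recipient,
  // so it can be created before the invitee has any user ID.
  createOffer(realmPath, accessLevel, ttlMs, now = Date.now()) {
    const token = crypto.randomBytes(32).toString('hex');
    // Only the hash is stored, so a leaked offer table cannot be replayed.
    this.offers.set(sha256(token), {
      realmPath, accessLevel, expiresAt: now + ttlMs, usedBy: null,
    });
    return token; // delivered out of band (e-mail, chat, ...)
  }

  // Called by whoever holds the token, after they have registered.
  acceptOffer(token, userId, now = Date.now()) {
    const offer = this.offers.get(sha256(String(token)));
    if (!offer) return { ok: false, reason: 'unknown-token' };
    if (now > offer.expiresAt) return { ok: false, reason: 'expired' };
    if (offer.usedBy !== null) return { ok: false, reason: 'already-used' };
    offer.usedBy = userId; // assumption: the first registered holder wins
    if (!this.permissions.has(offer.realmPath)) {
      this.permissions.set(offer.realmPath, new Map());
    }
    this.permissions.get(offer.realmPath).set(userId, offer.accessLevel);
    return { ok: true, realmPath: offer.realmPath, accessLevel: offer.accessLevel };
  }

  // Access level a user holds on a realm, or null if none was granted.
  accessFor(realmPath, userId) {
    return this.permissions.get(realmPath)?.get(userId) ?? null;
  }
}
```

Because the token is a bearer credential, anyone who obtains it before the intended recipient can accept the offer, which is why the example bounds its lifetime and use count.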

Related

Firebase subaccounts

I'm currently building a POS/Store admin app, when a user gets into my app, the Owner of the store will then be asked to login only once for setup purpose (e.g. a new machine), the app will then display a list of staffsName that has already been added by this owner, and then every time a staff wants to start a new transaction, he/she will only need to click on his/her name, then enter his/her 4-digit pincode to 'login' and process the transaction.
How do I go about achieving this?
I was thinking of using firebase auth for the 'login' of the staff, but then when I log in using the staff credential, I will lose access to the uid of the owner, which is needed to access the owner's store data such as his/her products.
I'm also thinking of using firestore to store the 4-digit pincode, but then I'm also concerned about security.
There are multiple ways you can approach this, one where you utilize the email login by simply appending a fake domain to the username to create a valid email domain. This user account could be the designated 'user' in question, or utilize credentials inside custom claims or hidden in a database that allows the client or server (depending on your preference) to then log in as the user.
Moreover, if you want the manager to login once you can add Authentication State Persistence to specify whether a signed in user should be indefinitely persisted until explicit sign out, page reload etc.
Another approach requires the user also to have a valid auth that is not an email password and you link your pin auth to that main account with Firebase Auth Linking per the documentation: https://firebase.google.com/docs/auth/web/account-linking.
This does however require that the user be registered from an auth provider such as Google, Twitter, Apple, etc. then the user will have to activate this link by logging in for authentication purposes. This can in theory be automatically generated and processed without the user knowing.
It is a long way around it since this is essentially a custom solution but it does create the flow you are looking for without having to use a custom auth provider.

Firebase linking anon UID to email verification if verified on a different device

Has anyone managed to associate an authorised email to an anon UID that was created earlier on another device?
Here is the workflow:
1. User comes to the site for the first time, anon UID is created, they enter email as part of signup, which is added to their details in the db.
2. An email is sent to them to verify the email.
3. However, user misses it for whatever reason.
4. Instead, they come again with a different device and try to log in using a password-less login by entering their email and receiving a link.
5. They get the link and click on it. The email gets verified, but gets assigned to a NEW UID created on the 2nd visit.
The question is how can the email be linked to the 1st UID instead of the 2nd one on a new device?
Under 2, before the email is sent, I am calling firebase.auth().currentUser.updateEmail(email), but it doesn't seem to associate the email with the UID in the firebase for some reason. I can see that in the Firebase Authentication tab -- the UID is still showing as Identifier (anonymous). This is probably the root cause of the issue as otherwise the email would be there, just unauthenticated.
Any ideas would be welcome!
Setting an email address to an anonymous account doesn't change its provider to suddenly become email+password. It remains an anonymous account, it now just also has an email address associated with it. To associate the user with an email+password account, you'll have to sign them in with email+password credentials and then link those credentials to the existing anonymous account.
To link accounts/providers, you must create credentials for both providers on the same device and call the relevant API to link them.
Since you only have a UID from anonymous sign-in on the first device, that UID can't be recreated on the second device. And that means there is no way to link the email-link UID account on the second device to the anonymous UID on the first device.

Firebase - create a temporary user until the user signs up

I have a use case where User A can say that User B borrowed from User A some amount of money, similar to apps like Splitwise.
I'm using firestore to store the data. In this particular case, I'll store it as a document in the "Transactions" collection which will have the following fields:
amount: 20
fromUser: uid for User A
toUser: uid for User B
The issue here is that the User B doesn't exist yet and so there is no uid for the user B. What I want to do is to create a temporary user for User B with the email address which will generate a uid. And later when the User B signs up on the app, the same user is upgraded to a permanent user with whatever auth provider the User B has used.
While searching, I came across - https://www.freecodecamp.org/news/heres-what-i-wish-i-knew-before-i-started-using-firebase-9110d393e193/
Which mentions that this was possible with the firebase invites which is now deprecated. So, is there any other way to achieve this behavior now?
Firebase supports creating anonymous user accounts for just such scenarios.
Authenticate with Firebase Anonymously
You can use Firebase Authentication to create and use temporary anonymous accounts to authenticate with Firebase. These temporary anonymous accounts can be used to allow users who haven't yet signed up to your app to work with data protected by security rules. If an anonymous user decides to sign up to your app, you can link their sign-in credentials to the anonymous account so that they can continue to work with their protected data in future sessions.
Email Address of 2nd User Known
If you already have the email address for a user (User B) that has not yet signed up, then you can create their account using the Firebase Admin SDK.
See Create a user
The new User B email address could then be configured for Email Link Authentication by calling firebase.auth().sendSignInLinkToEmail(email, actionCodeSettings).
Since the User B account creation was initiated by User A, you would not be able to use Local Storage to save the email of User B to complete sign-in with the email link. However, this is not a problem, since as the documentation example shows, you may prompt the user for their email address.
if (firebase.auth().isSignInWithEmailLink(window.location.href)) {
  // Additional state parameters can also be passed via URL.
  // This can be used to continue the user's intended action before triggering
  // the sign-in operation.
  const email = window.prompt('Please provide your email for confirmation');
  // The client SDK will parse the code from the link for you.
  firebase.auth().signInWithEmailLink(email, window.location.href)
    .then((result) => {
      // Signed in; result.user is the account for this email.
    })
    .catch((error) => {
      // Wrong email, or an expired or already-used link; inspect error.code.
    });
}
Now that User B has successfully signed in using the email link, the standard process may be followed to Link Multiple Auth Providers.
The server side (aka Node.js) Admin SDK allows you to create users programmatically. You would need some way to pin/stick the newly created user UID to userB. Email address would seem the easiest way. So UserA would need to specify the email address of userB, then you process that server side Admin SDK.
When user B signs in with their email address, Firebase Authentication will detect an existing account with userB's email address and throw an error which you can use to merge userB's account data.

Symfony 2 track anonymous user actions in database

I would like to track anonymous user actions as if the user were authenticated. The goal is to let users perform actions (normally reserved to authenticated users) and save them in the database with a special status (not visible until the user logs into the application).
For example,
An anonymous user replies to a comment.
The system detects that the user is not logged in and saves the comment with special status 'waiting for authentication'.
The system asks the user to log in, in order to complete the registration of the comment.
The user logs into the application.
The system checks for 'waiting for authentication' status and updates/associates entries to the authenticated user.
Have you any suggestions / experiences to implement this type of functionality? Maybe Symfony already has a feature/bundle for that?
What you are trying to do is similar to Lazy Registration, which is a proven concept. It is well implemented here at stackoverflow. It allows you to post messages after providing an email address. It works similar to this one:
http://www.90percentofeverything.com/2009/03/16/signup-forms-must-die-heres-how-we-killed-ours/
However, if you really want to go your way, without asking user for an email address, I would recommend storing data at browser local storage. It would save you a lot of work on backend side. Data would be transferred to the backend only when user registers. This way you will also prevent database pollution with users who never registered. http://blog.teamtreehouse.com/storing-data-on-the-client-with-localstorage
You could use ip address but it won't be very effective because one user can access your website from many ip addresses (wifi, 3g/4g connection ...).
You can rely on cookies but once he logs in from another device you can't do anything about it.
IMO, you should save actions and link them to a unique token that you send to the anonymous user, once he's authenticated he can provide the generated token and then you save actions for that user. Be careful to not forget removing saved anonymous-actions once they are "identified".

How to login a new user by default after mail Invite in Meteor?

I have a requirement where I need to log in a new user to a Meteor application by default, and take the user to the reset password route after that.
I looked into this documentation, but I don't think it would apply here, because the password is not known. Here's my use case in detail :-
A user invites another new user by providing the invited user's email ID. The application sends email invite to the user, asking them to be taken to a route which normally requires logging into the application.
The new user who receives the email invite, is not yet signed up with the application. So, they need to pick a password to log in to the invited area of the application.
Currently, I am using the meteor-useraccounts:core package; to trigger the resetPasswd route for FlowRouter. Using the onSubmitHook, one can redirect the user to the proper location after successful reset of the password.
However, I am not able to figure out how to first log in the user automatically. Because if the user is not logged in, the reset password page won't open. Instead, it would show some error, indicating unauthorized action.
How could a link be sent via mail to the invited user, which would automatically log in the user?
> I looked into this documentation, but I don't think it would apply here, because the password is not known.
That is right, and because of that, in order to achieve that you have to create an account for that e-mail at the time the user enters a link sent by e-mail. Or create the account at time of invitation.
So possible solutions:
1) create an account for an e-mail provided in query (http://app/login?email=blabla#google.com) for a route, random password, reset password e-mail sent immediately after the login. (create login automatically login the user). That would also require some security key, so that no-one could create lots of accounts on different e-mail addresses.
2) create account at time of invitation, take random password and send it as a query parameter of the link sent to the invited user. When user enters the site, you take that password (and e-mail) and login him with that, and immediately send reset password for that e-mail
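One way to realise the "security key" mentioned in option 1, as an added example that is not part of the original answer and does not use Meteor's API: the server signs the invited address and an expiry with an HMAC, and refuses to create an account for any link whose signature does not verify. signInvite, verifyInvite, the app.example URL and the secret are hypothetical, constructed values.

```javascript
// Added example: HMAC-signed invite links (plain Node.js, not Meteor code).
const crypto = require('node:crypto');

// Constructed demo secret; a real one would come from server configuration.
const SECRET = Buffer.from('constructed-demo-secret-do-not-reuse');

function mac(email, expires) {
  // Length-prefix the e-mail so field boundaries cannot be shifted.
  return crypto.createHmac('sha256', SECRET)
    .update(`${email.length}:${email}|${expires}`).digest();
}

// Server side, when an existing user invites `email`.
function signInvite(email, ttlMs, now = Date.now()) {
  const expires = now + ttlMs;
  const params = new URLSearchParams({
    email, expires: String(expires), sig: mac(email, expires).toString('hex'),
  });
  return `https://app.example/invite?${params}`;
}

// Server side, before creating or logging in the account named in the link.
function verifyInvite(url, now = Date.now()) {
  const q = new URL(url).searchParams;
  const email = q.get('email') ?? '';
  const expires = Number(q.get('expires'));
  const given = Buffer.from(q.get('sig') ?? '', 'hex');
  const expected = mac(email, expires);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (!Number.isFinite(expires) || now > expires) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, email };
}
```

A signed link stays valid for every request until it expires, so the account-creation step behind it should be idempotent or record that the invite was already used.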
