There is a good article on merging multiple user accounts with Meteor: http://www.meteorpedia.com/read/Merging_OAuth_accounts
I have an already logged in user. I want to the currently logged in user to login to Facebook and Linkedin and merge all the service objects. For this, I have created an Account.onCreateUser() function
Within the onCreateUser() function, I require to retrieve the following information:
current UserId: I tried this.userId, it is not working
current SessionId: in client, Meteor.data_connection._lastSessionId. Not sure how to get this in the server.
Any help is very useful.
I'm using package meteor-accounts-meld
The best way to merge multiple accounts is writing custom code in Accounts.onCreateUser. Within this method, retrieving session Id does not work. Migration of user data based on session Id should happen after accounts are migrated. Also, for this.userId to work within Accounts.onCreateUser, do not create new users in Meteor.startup.
Related
We're using our auth backend for multiple customers. The idea would be to create a tenant for every customer account. For user management purposes, I need to display a list of all available users in the front end.
As I can't just display all available users, I'm looking for a way on how to retrieve a specific group of users.
getUsers() (https://firebase.google.com/docs/auth/admin/manage-users#bulk_retrieve_user_data) doesn't help, as there is no UserIdentifier for custom claims (which would be a way to differentiate between accounts).
Another idea (as mentioned) would be to create a tenant for every account, and map the users that belong to this account. But it seems like there's no method to get all users for a tenant as well.
Of course I could just store user data in firestore as well, but I'm curious if there's a different way.
Thanks in advance for your help!
The documentation for Google Cloud Identity Platform seems to indicate that it is possible to get a list of the users for a specific tenant by calling listUsers on an auth instance that is initialized for that specific tenant with:
const tenantAuth = admin admin.auth().tenantManager().authForTenant('TENANT-ID');
tenantAuth.listUsers(1000, nextPageToken)
.then((listUsersResult) => {
...
})
I have this security concern with Firestore. The issue is could a malicious user for example inject data in to his document? Or even Worst having access to different collections? I know rules play a major part in here, but since I am creating docs/updating docs/deleting docs from front end could an abuse for crud happen in the context of the single user?
Also there is another part; I want to create a userSub collection (from front end) it will have a subscription info.
UserSub/uid
Premium: true
Enddate: 2 days form now
Could a malicious user get the uid from authContext and make crud ops to modify the mention doc in the collection to let’s say 10 days from now extending his sub? Since he knows what doc I am creating for those values (from source code in chrome)?
You must not allow users to update their subscription information from client. This should be done from backend only for example, if you use Stripe for payment, you should use their webhooks which would send subscription information to your backend/Cloud function that would update users subscription in your database or Firebase Auth custom claims.
You must ensure that this data is read only from users side using security rules if using database.
1. The Context of the Problem
In my app, I'm creating a screen where the user could see other people's ranks. For that, inevitably, I'm going to need other users' names, profile pictures, etc. So, is there a way of querying that info through Firebase's authentication API? Or, for example, would I have to save that kind of data in a separate collection when the user logs in for the first time — doesn't sound like a good security practice to me.
2. How I think it would look like
I imagine the workflow would look a bit like this:
// ...
for (String userEmail in listOfUserEmailsInRanking){
UserInfo userData = FirebaseAuth.instance.getUserData(
email: userEmail
);
userDisplayName = userData.displayName;
userPhoto = userData.photoUrl;
// ...
}
My idea is that there should be some API following the example of displayName and photoUrl, which are both properties available from the FirebaseAuth.instance.currentUser() method.
It is not possible to use the Firebase Authentication client API to allow a user to query for other users. If you want to expose user account data to other users, you should write some code to write the required user data to a database, and query the database instead.
If you have concerns about security, and you're using a Firebase data (Realtime Database or Firestore) then look into using security rules to determine who can read and write its data.
Your second option can be implemented without compromising security. If you really intend to share some user data (which I suppose is not sensitive) you can create a shared separate collection of just that data and link it to the owner through some ID which you also keep in a private collection of that owner's properties.
I'm building an app in javascript using react + redux that talks to firebase. Different users with different permissions (based on user roles) will use this app, and so I'd like to render different components depending on the user's permissions.
Now, since I already have all the permissions as rules in firebase, I don't want to duplicate that data in the client as well. I'd rather ask firebase what the current logged in user can and cannot do.
This seems impossible to do in firebase. What I'd like to be able to do is something like this:
var canReadBars = firebase.database().ref('foo/bar').hasPermission('read');
if (canReadBars){
// render the component
}
A (rather ugly) workaround is to simply fetch the data itself and determining what to render based on whether I get PERMISSION_DENIED or not, but that doesn't really work for writes.
I've googled this for hours trying to find an answer. Does anyone have any ideas?
Firebase intentionally exposes a generic error message to the client when the user doesn't have access permission to the data.
There is no way for a client to get a list of the permissions it has in the database. Nor is there a way to expose user-friendly error messages.
In Meteor, how can I proceed with LoginWithService (or LinkWithService) and get the service data without actually creating an account?
In my app, I use the service API keys to do certain tasks, to do that I use LinkWithService()
But I also allow users to login/create accounts with LoginWithService() function. But these two functions conflict with each other because if an account already exists with password + service, it will force a log out followed by another log-in.
I'm not sure if that made sense, anyhow I would like to just get the login service data without actually creating an account. How can I do this?