Home Firebase Rules with facebook Authentication and Unique IDs
Reply: 1

Firebase Rules with facebook Authentication and Unique IDs

Noel McKeown
1#
Noel McKeown Published in 2017-11-14 16:11:46Z

I'm looking for some advice or a possible solution with tightening up my firebase rules.

This is my user tree in Firebase:

users
    |_male
         |_uid

    |_female
         |_uid

The UID will be an epoch timestamp when the account is created which will be a signed integer.

These are the firebase rules which basically ensures the user has logged in and authenticated with Facebook before they can read or write to users:

"users": {
       "male":{
          ".indexOn": ["uid"]
       },
       "female":{
         ".indexOn": ["uid"]
       },
       ".read": "auth != null  && auth.provider === 'facebook'",
       ".write": "auth != null && auth.provider === 'facebook'"
},

I only want users to read/write to their tree, for example:

users->male->uid->1233254...

I'm afraid with my rules above, they could potentially read and write from/to another users tree.

It would be great if I could compare the app UID with the Facebook UID. I do capture this detail in another tree on the database e.g:

user_fbuid
         |_fbuid
               |_facebook:a1244dxs
                                 |_uid

I do have better rules here that check against auth.uid:

"user_fbuid": {
      "fbuid":{
        "$fbuid": {
          ".indexOn": ["fbuid"],
          ".read": "$fbuid === auth.uid && auth.provider === 'facebook'",
          ".write": "$fbuid === auth.uid && auth.provider === 'facebook'"
       }
   },
},

If anyone has any ideas, I'd love to hear. Thanks

Noel McKeown
2#
Noel McKeown Reply to 2017-12-08 17:31:24Z

I ended up using the facebook id attribute as my own uid and the rules below:

"$uid": {
          // only the user can read and write to their tree
          ".read": "auth != null  && auth.provider === 'facebook' && auth.token.firebase.identities['facebook.com'][0] === $uid",
            ".write": "auth != null  && auth.provider === 'facebook' && auth.token.firebase.identities['facebook.com'][0] === $uid"
        },
You need to login account before you can post.

About| Privacy statement| Terms of Service| Advertising| Contact us| Help| Sitemap|
Processed in 0.30669 second(s) , Gzip On .

© 2016 Powered by mzan.com design MATCHINFO