4

This post describes how to tie multiple accounts to a single $uid in a users collection.

Here's those security rules:

"rules": {
  "users": {
    "$uid": {
      ".write": "auth != null && 
        (data.val() === null || 
        (auth.provider === 'facebook' && auth.id === data.child('facebookUid').val()) || 
        (auth.provider === 'twitter' && auth.id === data.child('twitterUid').val()))"
    }
  },
  "usersMap": {
    "facebook": {
      "$fuid": {
        ".read": "auth != null && auth.provider === 'facebook' && auth.id === $fuid",
        ".write": "auth != null && 
          (data.val() === null || 
          root.child('users').child(data.val()).child('facebookUid').val() == auth.id)"
      }
    },
    "twitter": {
      "$tuid": {
        ".read": "auth != null && auth.provider === 'twitter' && auth.id === $tuid",
        ".write": "auth != null && 
          (data.val() === null || 
          root.child('users').child(data.val()).child('twitterUid').val() == auth.id)"
      }
    }
  }
}

Here is how I imagine a practical way to put these rules to use:

  1. A user "Logs in" with their Facebook account.

  2. Does the $fuid exist? If not add a new $uid to users. In the success callback create a $fuid under userMap/facebook with a property value of $fuid.uid equal too $uid.

  3. If it does exist just ignore the request and return a message like "User already exists".

But what if a user wants to tie another account to the same master $uid?

Let's say the user is still logged in with their Facebook account and wants to add their Twitter account. Let's roll through that workflow again...

  1. User logs in with another account.

  2. Does the $tuid exist? No but if the auth object is holding both the Facebook and the Twitter sessions then we don't want to create another $uid - instead we want to map the $tuid to the same $uid the $fuid is mapped too.

    • Does the auth object have support for accessing properties of simultaneous authentication objects? For example if we were logged in with both Facebook and Twitter auth.id would be different for both right?

    • Am I thinking about this the wrong way? How is it possible to map additional accounts to $uid using the security rules above?

Community
  • 1
  • 1
Dan Kanze
  • 18,485
  • 28
  • 81
  • 134

1 Answers1

4

If you want to tie multiple accounts to a single uid, you'll need to generate your own tokens.

You could, for example, use Firebase.push to generate unique ids for each user, and use those in your tokens. This is no simple matter as it requires that you have:

  • a way to store the user's ID independent of authentication method (a cookie?)
  • a way to link auth accounts together when using a diff computer

In many use cases, this could even counter-productive; users will log in with a single auth method in most cases and may even wish to use diff auth methods to create separate accounts. So it may not be worth the trouble unless you have an app that depends on sharing data between providers.

Kato
  • 40,352
  • 6
  • 119
  • 149
  • But consider the scenario where a user logged in with both a Facebook and Twitter account. What would the `auth` object look like? Which authentication type object properties would you see? If I hit "Log Out" whcih account would I be logging out of? – Dan Kanze Apr 10 '14 at 15:26
  • You can't authenticate to Firebase with two tokens simultaneously. I'm not sure why the interface would display a login button for Twitter if I've already logged in with Facebook, but this is the UI's problem to solve, not Firebase's. If the goal is to link accounts, then generating auth tokens on your own and using a provider-agnostic ID is the answer. – Kato Apr 11 '14 at 00:29