
I'm struggling with a basic Firebase security concept. Suppose I have, for example, two (eventual) Google-authenticated (using OAuth) users of my web app which uses Firebase as its data store; the users are alice@gmail.com and bob@gmail.com. I know they will eventually log in, and when they do, I will authenticate them to Firebase using the Google OAuth facility. Neither has yet used my Firebase app. Furthermore, when they do log in, I trust that Google's OAuth service is verifying that the person who claims to be bob@gmail.com is in fact Bob, at least insofar as he knows Bob's password for Google's identity service.

Suppose that I want to create a firebase document collection with three nodes such that both alice and bob can read documents in node 1 (but other authenticated or unauthenticated users cannot); all users, including unauthenticated ones, can read documents in node 2 but cannot write them; but only bob@gmail.com can write any document in any node (Bob is a "superuser".)

But here's where I get stuck, when looking at various examples on Firebase and elsewhere: I want to set up these Firebase rules before either Alice or Bob has ever logged in to my Firebase-backed application for the first time. So while I initially know their Gmail addresses, I do not (yet) know their unique user IDs. All the examples I have come across seem to depend on the fact that I know in advance the value of their UID (such as the example in the answer here, where John's and Mary's Twitter UIDs are specified, e.g. John's is twitter:2544215).

How do I define the security rules for Firebase in advance of these users ever having initially logged in; that is, what if I don't (yet) know that bob@gmail.com has a UID of 2544215?

I'm hoping someone can show a snippet of a security rule example.

  • Use [anonymous authentication](https://www.firebase.com/docs/web/guide/login/anonymous.html) and associate their email address with it? But anything you do before they actually authenticate with their email+password will be inherently less secure. – Frank van Puffelen Nov 13 '15 at 05:04
  • To be more clear, it seems like I have to say "hey, bob@gmail.com: I want to grant you rights to be a super user in my firebase database; but I can't set up the rules for that until you have logged in for the first time, so that I can snag your magic UID number and enter it into my rule set." What concept am I missing? – CognitiveCarbon Nov 13 '15 at 05:26
  • User based security is based on knowing the user's identity. Before they log in, how do you know that "bob@gmail.com" is really "bob@gmail.com"? Did they just type their email address into an input box in your app? – Frank van Puffelen Nov 13 '15 at 15:31
  • You've misunderstood my question. Let me explain it this way: if I use the 'Registered Users' method of authentication to Firebase (email/password) I can create a new user, say samson@gmail.com. Firebase generates a User UID for me at this point. I can use that UID in a security rule, even though samson has never used my app yet. However, if I intend to authenticate using OAUTH and Google, I can't know the User UID until the person has signed in at least once. So how can I make a security rule in this second case? – CognitiveCarbon Nov 15 '15 at 01:21
  • So "How can I write a security rule for a specific user, if that user hasn't logged in to my app yet and I only know their email address?" I'd update your question to something shorter in that case and add some information on what you've already done. For example: do you have a data structure? – Frank van Puffelen Nov 15 '15 at 01:33
  • Some folks I have talked to say "let the users sign in first, then once they have authenticated, go find their UIDs and 'promote' those users to power users after the fact". I acknowledge that this would serve as a workaround, but it doesn't seem elegant--it requires either manual intervention, or extra server-side code. I want to say "samson@gmail will soon sign in; when he finally does, there will be a UID generated; that UID, whatever it is, should drop into this placeholder in my security rule" – CognitiveCarbon Nov 15 '15 at 01:36
  • I think the answer to my question might be buried in this post: [link](http://stackoverflow.com/questions/19350486/how-to-authenticate-escaped-email-based-user-accounts-in-firebase?rq=1). It seems to imply that if I first create a registered user, e.g. samson@gmail.com using the email/password auth method, and Firebase generates a UID for samson, that same UID will later still apply, if samson uses Google OAUTH instead. – CognitiveCarbon Nov 15 '15 at 01:46
  • The UIDs will *not* be the same across authentication methods. But you can use the approach in that answer to "link" the two UIDs based on some known property (such as the mail address). – Frank van Puffelen Nov 15 '15 at 01:50
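The following is an added example, not code from the question, its commenters, or Firebase. It models the approach the comments point to: instead of hard-coding a UID that does not exist yet, the administrator seeds an allowlist keyed by the e-mail addresses that are known in advance, and the rules look the signed-in user's e-mail up in that list. It assumes the current Firebase Realtime Database rule language, in which a Google sign-in token exposes `auth.token.email` and `auth.token.email_verified`; the `acl`, `node1Readers` and `superusers` node names and the placeholder `uid` values are assumptions of this example. The JavaScript functions are a local model of what such rules evaluate, so the policy can be checked offline; they are not Firebase's rule engine.

```javascript
// Added example: not code from the question, its commenters, or Firebase.
// Assumption: current Firebase Realtime Database rules, where a Google
// sign-in token exposes auth.token.email and auth.token.email_verified.
// The functions below model what such rules evaluate; they are not the
// Firebase rule engine.

// Firebase keys may not contain ".", so e-mails are stored with "." -> ","
// (the escaping convention used in the question linked from the comments).
function escapeEmail(email) {
  return email.toLowerCase().replace(/\./g, ",");
}

// Rule text for the policy in the question (assumed syntax; reference only).
// The lookup is by e-mail in an allowlist rather than by UID, which is what
// lets these rules be deployed before Alice or Bob has signed in even once.
const IS_SUPERUSER =
  "auth != null && auth.token.email_verified == true && " +
  "root.child('acl').child('superusers')" +
  ".child(auth.token.email.replace('.', ',')).val() == true";
const IS_NODE1_READER =
  "auth != null && auth.token.email_verified == true && " +
  "root.child('acl').child('node1Readers')" +
  ".child(auth.token.email.replace('.', ',')).val() == true";
const RULES = {
  rules: {
    acl:   { ".read": IS_SUPERUSER,    ".write": IS_SUPERUSER },
    node1: { ".read": IS_NODE1_READER, ".write": IS_SUPERUSER },
    node2: { ".read": "true",          ".write": IS_SUPERUSER },
    node3: { ".read": IS_SUPERUSER,    ".write": IS_SUPERUSER },
  },
};

// Constructed seed data the administrator writes once (through the console or
// a privileged server credential, which bypasses rules). No UIDs appear in it.
const seedData = {
  acl: {
    node1Readers: { [escapeEmail("alice@gmail.com")]: true,
                    [escapeEmail("bob@gmail.com")]: true },
    superusers:   { [escapeEmail("bob@gmail.com")]: true },
  },
};

// Mirrors the rule lookup root.child('acl').child(list).child(<escaped e-mail>).
// A missing or unverified e-mail never matches: an e-mail/password account that
// someone registers with Bob's address must not inherit Bob's rights, which is
// the concern raised in the comments.
function inList(data, listName, auth) {
  if (!auth || !auth.token || typeof auth.token.email !== "string") return false;
  if (auth.token.email_verified !== true) return false;
  const list = (data.acl && data.acl[listName]) || {};
  return list[escapeEmail(auth.token.email)] === true;
}

function canRead(data, auth, node) {
  if (node === "node2") return true;                   // public, read-only
  if (node === "node1") return inList(data, "node1Readers", auth);
  return inList(data, "superusers", auth);            // anything else: Bob only
}

function canWrite(data, auth, node) {
  return inList(data, "superusers", auth);            // Bob only, on any node
}

// Constructed tokens: the uid values are placeholders, because the real ones
// are assigned at Google sign-in and are unknown when the rules are written.
const alice    = { uid: "google:UID-NOT-YET-KNOWN", token: { email: "alice@gmail.com", email_verified: true } };
const bob      = { uid: "google:UID-NOT-YET-KNOWN", token: { email: "bob@gmail.com",   email_verified: true } };
const impostor = { uid: "password:UID-PLACEHOLDER", token: { email: "bob@gmail.com",   email_verified: false } };
const anon     = null;

console.log(canRead(seedData, alice, "node1"), canWrite(seedData, alice, "node1")); // true false
console.log(canRead(seedData, anon, "node2"),  canWrite(seedData, bob, "node3"));   // true true
console.log(canWrite(seedData, impostor, "node1"));                                 // false
```

The `acl` node is itself readable and writable only by superusers, so Bob can promote further users after the fact, while the initial seeding is done with a credential that bypasses rules. The `email_verified` check is the part that matters for Frank's objection: a Google-issued token carries a verified address, whereas a password account created with someone else's address does not, and so never matches the allowlist.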

0 Answers