
I'm working on an iOS app with FirebaseAuth and FirebaseDatabase. To identify the correct node in the database where the logged-in user saves his data, I use the uid key of the User object from FirebaseAuth. The problem I'm facing now is that I want to allow users to share their databases with other team members. So the idea in general is: one user signs up and creates the virtual database, meaning a new node in the whole database. Then other users can sign up with some sort of key or anything and join the virtual database, where they have the same rights, meaning they can read and edit the data. The easiest way would be to create a node where I store the new user's uid and the database uid, but I'm a bit concerned about the security of that. Can I just share the UID of the owning user? Is there any general approach?

Another idea I had was that the "main user" can invite other users, either by just entering their email or by creating a new user object on Firebase for which the users can then reset the password.

Thank you!

Stephan Boner
  • You could have a cloud function configured to do the database handling so you're not sharing user IDs in the application. When user A decides to share with user B, the cloud function will update/create a different table that specifies what is shared. Then when the user goes to access it, a cloud function can check for permissions and respond accordingly – Jake Feb 21 '18 at 17:30
  • "Can I just share the UID of the owning user?" Sharing UIDs is **not** a security risk. See https://stackoverflow.com/a/37222341/209103, https://stackoverflow.com/a/33347706/209103 – Frank van Puffelen Feb 21 '18 at 18:18
  • Ok, I'm just worried about the possibility of accessing the data of another customer. Isn't it possible for somebody to abuse the key and access the database over e.g. a REST client or something like this? – Stephan Boner Feb 21 '18 at 18:26
  • @Steeve If they can't authenticate with the corresponding user, then they still won't be able to access the data they are allowed to read/write – AL. Feb 22 '18 at 11:53
  • In your virtual database I would just create a new property with an array of user IDs. These user accounts are allowed to access the database. As other people said, no need to worry about security, since the user has to be logged in in order to do anything, so knowing the UID won't help him in any way. – ZassX Feb 22 '18 at 12:03
  • Yeah, he has to be logged in, but everybody can sign up for my app at Firebase, right? @ZassX: And how would you control that? Is it possible to set a constraint or something like that? – Stephan Boner Feb 22 '18 at 14:34
  • We have an app that uses "similar" functionality: forums. The user is allowed to create posts or read them only in selected forums. This is handled like I said above: each forum has a property (array of strings) that represents the user IDs that are allowed into that forum. So when the application is loaded we know which forums he has access to, and based on that we can display the right forum content inside his feed list. – ZassX Feb 22 '18 at 17:04
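The "constraint" asked about in the comments is Firebase Realtime Database Security Rules. Rules are evaluated on the server for every request, whether it comes from the iOS SDK or from a plain REST client, and `auth` is `null` for any request that does not carry a valid ID token, so being able to sign up or knowing someone's UID does not by itself grant access to their node. The following rules file is an added example written for this thread, not code from the question or the commenters; the node names `databases`, `owner`, `members` and `data` are assumptions, and `$dbId` can be the owner's UID or a push key, whichever the app chooses:

```json
{
  "rules": {
    // Anything not matched by a rule below is denied (the Realtime Database default).
    "databases": {
      "$dbId": {
        // The creator writes their own uid here exactly once; nobody can change it later.
        "owner": {
          ".read": "auth != null && root.child('databases/' + $dbId + '/members/' + auth.uid).exists()",
          ".write": "auth != null && !data.exists() && newData.val() === auth.uid"
        },
        // Membership list: /databases/$dbId/members/<uid>: true
        "members": {
          // Only members can see who else is in the virtual database.
          ".read": "auth != null && data.child(auth.uid).exists()",
          "$uid": {
            // Only the owner may add or remove members. newData.parent() sees the owner
            // value written in the same multi-location update, so the creator can add
            // themselves as the first member atomically with setting 'owner'.
            ".write": "auth != null && newData.parent().parent().child('owner').val() === auth.uid",
            ".validate": "newData.val() === true"
          }
        },
        // The shared content: every member has the same read/write rights, as the question asks.
        "data": {
          ".read": "auth != null && root.child('databases/' + $dbId + '/members/' + auth.uid).exists()",
          ".write": "auth != null && root.child('databases/' + $dbId + '/members/' + auth.uid).exists()"
        }
      }
    }
  }
}
```

With these rules in place, a new team database is created with a single multi-location update that sets `databases/<id>/owner` to the creator's uid and `databases/<id>/members/<creator uid>` to `true`; a REST request such as `GET /databases/<id>/data.json` without an `auth` token (or with a token for a uid not listed under `members`) is rejected with a permission error, which addresses the concern raised about REST clients in the comments. The invite flow in the question then reduces to the owner writing `members/<invitee uid>: true`; how the owner learns the invitee's uid (for example by email lookup in a cloud function, as suggested above) is an application design choice that these rules do not constrain.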

0 Answers