
I am working on a mobile app where users will be able to log in with their phone and invite other people to groups if they have their phone number. I set up the following in Firestore.

I am planning on writing rules that make it so that users can only edit their own documents. And they can invite each other via invitations so a user can join a group himself. And they will only be able to look up users that are in their phone by number.

But what I would like to know is whether I am playing with fire here. What are the risks of using a phone number as a document id? I am new to this and I would like to keep the user's data as safe as possible. But also I don't want to have too many lookups/queries for documents. Any tips on how I could improve my design?

anonymous-dev

1 Answer


What are the risks of using a phone number as the users documentID?

There is nothing wrong with that as long as the users will not change their phone numbers. But if they do change, you'll probably have a hard time with that. I'm saying that because there is no way you can "rename" a document id. You can copy the same document and change the document id, but this implies a new document read as well as a new write operation.

What you can do instead would be to use as a document id the uid that comes from the Firebase authentication process. This uid will always be the same no matter what the phone number is.

I am planning on writing rules that make it so that users can only edit their own document.

You can achieve this even if you are using the uid.


Edit:

"What you can do instead would be to use as a document id" I want to check the users phone book against the users collection to find the users with the corresponding phone numbers.

You probably thought initially to use:

db.collection("users").document(phoneNumber).get();

But you can achieve the exact same thing using a query:

db.collection("users").whereEqualTo("phoneNumber", phoneNumber).get();

Will this be a costly query when doing it this way?

No, you'll be charged with only one document read.

And does that query count as document reads?

Yes, it counts. Please also note that there is also a cost of one document read, even if the query yields no documents.

Alex Mamo
  • "What you can do instead would be to use as a document id" I want to check the users phone book against the users collection to find the users with the corresponding phone numbers. Will this be a costly query when doing it this way? And does that query count as document reads? By query I mean the where() function. – anonymous-dev Mar 13 '20 at 12:31
  • Thanks this answer brought me some clarity! Gave it an upvote. – anonymous-dev Mar 13 '20 at 13:02
  • Good to hear that ;) – Alex Mamo Mar 13 '20 at 13:03
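
The "users can only edit their own document" rule mentioned in the answer, written out as Firestore security rules. This is an added example, not code from the question or the answer. It assumes documents live at users/{uid}, keyed by the Firebase Authentication uid, that each document stores the number in a field named phoneNumber, and that users sign in with phone authentication so the verified number is present in the auth token.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed layout: users/{uid} with a "phoneNumber" field.
    match /users/{userId} {

      function signedIn() {
        return request.auth != null;
      }

      // The document id is the caller's own uid.
      function isOwner() {
        return signedIn() && request.auth.uid == userId;
      }

      // The number being written must be the verified number in the
      // caller's token, so nobody can claim someone else's number.
      function writesOwnNumber() {
        return request.resource.data.phoneNumber
               == request.auth.token.phone_number;
      }

      // Fetching a single document by uid requires sign-in.
      allow get: if signedIn();

      // Queries (such as the whereEqualTo lookup) must ask for at most
      // one result, so the collection cannot be read in bulk.
      // The client query has to add .limit(1) to satisfy this.
      allow list: if signedIn() && request.query.limit <= 1;

      // Only the owner can create or change the document, and only
      // with their own verified phone number.
      allow create, update: if isOwner() && writesOwnNumber();

      allow delete: if isOwner();
    }
  }
}
```

With these rules the phone-number query from the answer is rejected unless it carries .limit(1), and a write that sets phoneNumber to a number other than the signed-in user's verified one is denied.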