1

Context

I am trying to use Firebase with my own MongodDB database on my own backend server. I currently store user data on MongoDB, so each user has their own unique ObjectId, which conveniently serves as a UID for the users.

Thus, I planned to store files, like display pictures, using the user's ObjectId on Firebase Storage:

Firebase Storage
 |
 +-- display-pictures
 |     |
 |     +-- userObjectId1.png
 |     |
 |     +-- userObjectId2.png
 |
 +-- videos
 |     |
 |     +-- postObjectId1.mp4
 |     |
 |     +-- postObjectId2.mp4
 |
 +-- thumbnails

However, this means that users can delete or overwrite other users' content as long as they know their ObjectId. From what I know, typically, one would structure the content using the users' IDs so that Firebase Security Rules can be applied to prevent modification of other users' content:

Firebase Storage
 |
 +-- userObjectId1
 |     |
 |     +-- display-picture.png
 |     |
 |     +-- posts
 |           |
 |           +-- postObjectId1
 |                       |
 |                       +-- video.mp4
 |                       |
 |                       +-- thumbnail.png
 |
 +-- userObjectId2
       |
       +-- display-picture.png
       |
       +-- posts
             |
             +-- postObjectId2
                         |
                         +-- video.mp4
                         |
                         +-- thumbnail.png

This would then allow Security Rules like:

service firebase.storage {
  // Only a user can upload their file, but anyone can view it
  match /{userId}/{fileName} {
    allow read;
    allow write: if request.auth != null && request.auth.uid == userId;
  }
}

However, for my case, as Firebase does not know about the ObjectIds in MongoDB on my server, I can't actually do this.

The question

What's the best practice here? Should I create Firebase Auth users from my backend server, using the Firebase Admin SDK, and set a custom UID (with the MongoDB document's ObjectId)? Are there any downsides to setting custom UIDs like that?

Or is it better to route all Firebase Storage interactions with potential for damage (such as deleting things or actions that can overwrite data) to my backend server instead?

Or should I use the Firebase Auth UID as the main, and only, ID for users, instead of the MongoDB ObjectId (the problem being that, as I am migrating from my own auth and storage system to Firebase, current users do not have a Firebase UID yet; I can't create Firebase profile on their behalf as I do not store their raw passwords, so a complete migration cannot be made...)?

The first option seems like it would be the easiest, but I'm not sure what other considerations I should make.

Thanks.

Nathan Tew
  • 432
  • 1
  • 5
  • 21

1 Answers1

2

As Firebase does not know about the ObjectIds in MongoDB on my server

Firebase let's you set a custom user ID when creating user with Admin SDK. You can add an API endpoint /register that adds user document in MongoDB and creates a user with newly generated _id in Firebase. For example:

const { insertedId } = await collection.insertOne(doc);

await getAuth().createUser({ uid: insertedId })

This way, you can still use all features of security rules with ease as request.auth.uid will be same as _id in MongoDB.

What's the best practice here? Should I create Firebase Auth users from my backend server, using the Firebase Admin SDK, and set a custom UID (with the MongoDB document's ObjectId)? Are there any downsides to setting custom UIDs like that?

I would prefer using same UID in all places and there are no downsides of using custom UIDs. That feature is very useful when you are importing users from legacy servers to Firebase but want to retain old UIDs.

You can always store Firebase Auth's UID as a separate field in your MongoDB document if you don't want to use ObjectIDs as Firebase UIDs. You can't store that UID in _id (ObjectID) as it's not a 24 character hexadecimal string.

Additionally (but not required), you can disable sign ups from client side to prevent anyone from creating user accounts directly using Client SDK (that'll generate a random UID). Checkout How to disable sign ups in Firebase? (requires Identity Platform).

Dharmaraj
  • 47,845
  • 8
  • 52
  • 84
  • Is it possible to use custom UIDs when creating a firebase user from the client device (i.e. from the mobile app itself, rather than from my backend server)? I'd much rather deal with the errors (like weak password and invalid email) using the Firebase library on my mobile app platform... (I'm using Flutter, and and from what I can tell there doesn't seem to be a way, but maybe you know something I don't) – Nathan Tew Oct 09 '22 at 13:05
  • @NathanTew no, only Admin SDK can create users with custom UIDs. You can still add form validation on client end before calling the API. – Dharmaraj Oct 09 '22 at 13:09