Reputation: 25
Flutter store users data with Cloud Firestore and Firebase Auth
I have a collection of "Users" in Cloud Firestore and I am using Firebase Auth to authenticate my app users as follows:
- The user authenticates within the mobile app (for example with Google).
- I verify that there is no document within the "Users" collection that corresponds to the UID of the authenticated user.
- If the document does not exist in "Users" I use the user's UID to create a new document.
It is my question: Is there a security problem with this model or some other type?
I am confused by Google documentation because it says that the user's UID is unique to the Firebase project but should not be used to authenticate my user to the backend server. It also says that in that case, I should use FirebaseUser.getToken () but that token can change, so it will create a new user in my DB.
So, my second question is: When should you use that token? Give me an example, please.
Thanks for the help.
Upvotes: 1
Views: 696
Answers (1)
Reputation: 645
USER_ID
You can use the google generated user_id for future reference. That will never change for a given user email or authentication type as long as the user is already in the database.
Example:
If the user Signed In with google federated login with [email protected] then the user record is maintained in the Firebase and USER_ID(Say ABFDe12cdaa2...) will be assigned(You can use this id in URLs to see the user profile etc it is kind of 32 chars long(I am not sure exactly here). Now, If a user tries to sign up again with the same email([email protected]) then it pulls the previous record ABFDe12cdaa2.... If you delete a [email protected] from the firebase database(Firebase maintains its own database of the user for your project, With has a limited number of user properties). Then the user tries to sign in again then the new USER_ID is generated.
Now the TOKEN:
As you USER_ID is public, it can be seen by everyone. It is not used for authentication.
So you need to generate the token( This is longer the user id) to authenticate programmatically with the Firebase. It token is temporary and specific to the user. It will expire in some time ( you can define that time while creating the token). a refresh token is used to get a new token.
I don't have any code examples while writing this answer. I will update with code example,If, I find any.
Hope I clarified some of your questions.
Upvotes: 1
Related Questions
- Flutter: Creating a user in Firestore using the account created from Firebase Authentication
- FirebaseUser and User
- Store logged in users to cloud Firestore in flutter
- How to save user data in cloud fire store in flutter
- Reading and displaying userData from Firestore - Flutter
- How To use Firebase Auth with Firestore in flutter
- Flutter: Add Authenticated Users to Firestore
- Saving user data to Firestore
- Flutter user registration storing data
- Getting and storing user data after logging/sign up