9

I am working on something where I have two apps - one for a 'Requester' user and one for a 'Responder' user, and I am currently using Firebase for Auth. The users sign in with email/password combinations and this is the root of the problem:

The problem is with user collisions - because the auth module is hooked up into a single project in the Firebase console, a responder can technically log into the requester app, and vice versa, which results in issues because well, the back end conks out - the API doesnt allow them access because the DB doesnt find their data in the tables, and the apps behave erratically (read: crash).

I understand there are similar sounding questions (Android - Firebase - Different types of Users Login) but what I would really like to ask is if there can be some way I can avoid this nasty situation. Some options that come to mind are:

  1. do a manual check in the db and log the user out if they are not of the right type - can be done but is tedious and costs data/time.
  2. create different projects in Firebase just for each user type - this is inefficient - while I use Firebase for auth, I use Mongo for storage so this doesnt really matter but if/when I switch to Firebase for storage, then my server code will get complicated, slow and messy from having to access a different DB each to access requester and responder data
  3. roll my own auth - feels like a bad idea, but it helps solve the immediate problem while opening a different can of worms as I also need to implement Firebase Cloud Messaging down the line
  4. switch to another auth provider - I'm open to suggestions here

I also anticipate a scenario where a responder could create an account and use the requester app as well, in which case the collision occurs and needs to be addressed - I could ban responders from using the same email ID to sign in as a requester but that may not hold up to real world scenarios where users could (and will) want to use one email ID for everything.

Can anyone help me with the right approach to take and/or with any hints/solutions to this problem?

----- EDIT ON 14 DEC 2017 --------

I also have two apps listed under the same project (screenshot attached), so my next question is, will there even be a clash when a requester user tries to sign in/sign up as a responder or vice versa?

Screenshot of two apps in one Firebase Project

kilokahn
  • 1,136
  • 2
  • 18
  • 38

1 Answers1

4

Consider using custom user claims and enforcing access via the Database rules or if you are using your own endpoints, by parsing the ID token and checking its claims. The Firebase admin SDK provides tools to do that: https://firebase.google.com/docs/auth/admin/custom-claims

Firebase Auth team is also working on exposing these claims to the client too to simplify UI changes needed there.

bojeil
  • 29,642
  • 4
  • 69
  • 76
  • Thanks for responding! I looked into the custom token claims, however as my storage and tables arent on Firebase, i'm not sure if this step will help me with much more than my option #1 (logout on incorrect user type) - unless I'm missing out on something. I know I'm missing the serverless bus here but I prefer having a middle tier between the DB and apps - this keeps things simple and scalable. – kilokahn Dec 14 '17 at 09:10
  • 1
    This solution works completely independent of other Firebase services. You can host your own backend server logic and still use this. – bojeil Dec 15 '17 at 07:59