I know this is slightly off-topic but I’m hoping someone can help.
I want users to be able to read/write data from Firebase without having to sign in using an email address. For my meal planning app, I’d like to generate a random User ID (I’ve already done that) and then have the app sync to the Firebase node with that value. That’s working fine with the test rules that Firebase sets by default (which are wide open). How do I change them to protect users more?
I’m saving the User ID (e.g. 3362-6163-7471-6933-91) in a Stored variable on the device. So when the app loads, it uses that same User ID every time. But how do I ensure that that particular user has access to only that node, in this case /Users/3362-6163-7471-6933-91/ and not all of /Users/?
It looks like this might be a good place for me to start… not sure:
I know there is a way to:
Use the login function the same, but you need some settings.
Device variable of an ID: Randomly generated for the first use. (You also need to register, by the way: “you have a Gmail account+ID@gmail.com” will become a non-fake email.)
Password device variable.
For example: if you have a Gmail: “abcdapp@gmail.com” and userID is “AHGK1133”
Then the user email is “abcdapp+AHGK1133@gmail.com”
The password is randomly generated and stored for the first time.
Register and log in to this account.
Do not judge on the login output block, but it is still recommended to use a valid email: YOURGmail+ID@gmail.com
You don’t need to use the uid it gives.
I’m getting an error about the Identity Toolkit API. So I went and enabled that but now it’s asking me to set up credentials for authenticating to that API. Is that required?
Using the uid would generally allow you more security as the uid is only ever returned to the logged in user.
When does this happen?
Which block requires verification? You should still be able to log a user in without verifying their email. How else can the app tell you if they have verified or not without logging in that person anyways, right? Typically, a developer may just limit what a logged in user can do if they haven’t verified their email yet. In some cases, you may not allow them to pass the login portal at all without verification first. Just depends on your use case.
That’s what I was thinking. Do you think it’s fairly safe to use the “only authenticated users…” rules I posted right above since the user will never know their own random username and password and since there is no way to access anyone else’s data from within the app?
Not to mention, there’s nothing confidential about the data… it’s really just a list of food items.
I believe this is a workable solution without compromising the data security. The email and password are something that you will choose yourself, and for me, I set verification to false and use a dummy email to use it as an app login. All other functions I control by the app itself.
Again, you can choose to use the API calls to log in or use the Sign In component and provide the email and password in the code without any GUI components.
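
As an added example (not part of the original thread or any poster's code), here are rules that limit each signed-in account to its own node under /Users/, next to the weaker authenticated-only form discussed above. It assumes the Firebase Realtime Database and that each node key is the Firebase Auth uid returned at sign-in, not the app-generated ID.

```json
{
  "rules": {
    // Weaker alternative discussed in the thread: putting
    //   ".read": "auth != null", ".write": "auth != null"
    // at this level lets ANY signed-in account read and write every
    // child of /Users, because a grant at a parent cascades to children.
    "Users": {
      "$uid": {
        // $uid captures the child key (assumed to be the Firebase Auth uid).
        // Access is granted only when the caller's auth.uid equals that key.
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
    // No other rules are listed, so every other path is denied by default,
    // including a read of /Users as a whole.
  }
}
```

With these rules, a client-chosen ID such as the stored random value cannot serve as the node key by itself, because the rule compares the key with the uid that Firebase Auth issued to the signed-in account.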