0

Before I go into the issue I am having, I'd like to provide you with some context. Currently I have users and sessions. Users are what you would normally think of when you think of users; however, sessions can be thought of as meetings. These meetings can be marked as private, in which case I have Firebase Database security rules in place which prevent users from reading and writing to the meeting unless they are a part of it. In-app invites are the only way to get invited (originating from the organizer).

Until now, here's the problem: I would like to use Dynamic Links to invite users to sessions by linking straight to the session; however, I don't know how I would model this in database security rules.

Does anyone have any idea how I would say: "Anyone that was invited here from a dynamic link has access to invite themselves to a session"? In this case I guess the issue is that I don't know who the user will invite.

orrett3
The current proposed solution to this issue is to generate a random push key that I will store in the session and also embed in the dynamic link as a query parameter. When the user clicks on the link, the app opens and it will proceed to extract the random key and push it into a prefix in the database (ex. linkInvites/{userId}/{pushKey}). The Firebase rule will check for this key to decide if the user should have access to the session. I'll post this as an answer if this works. – orrett3 Mar 18 '17 at 05:30

1 Answer

0

Looks like I solved my own problem using my previous comment. I decided to generate a new push key and distribute the key using dynamic links.

What does this look like in the DB?
I created a path in Firebase to hold the session's random key:

dynamicInvites/sessions/{sessionId}
"somerandomkey"

and a path to hold the key distributed to users:

dynamicInvites/users/{userId}
{
  "somerandomkey": {timestamp}
}

In addition, there are security rules that say that session X and the random key for session X cannot be read unless user A has the random push key for session X or they are a member of the session.

How did you distribute the key?
Since users of the session have access to the random key, they can generate a dynamic link with the random key and sessionId as query strings.

When the user clicks the link, they are redirected to the app, which pulls the random key and session id from the link, puts the random key under their dynamicinvites user path along with the current time, and then opens the session using the session id. The current time is used in the event that I want to perform some type of periodic cleanup of these keys.

Why use a separate push key and not the one from the session?
The push key for the session is in multiple places in the DB and is not considered private as it may be loaded to the client.

Performing a DB update at app startup is not user friendly though
I masked this time using a splash screen when the user clicks the link. Since I have a splash screen at normal startup time, this is the normal behavior that users will expect.

orrett3
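One way the rules described in the answer could be written for the Realtime Database, as an added example that is not orrett3's actual rule set. The `dynamicInvites` paths are the ones from the answer; the `sessions/{sessionId}/members/{uid}` membership path and the self-join rule are assumptions made for illustration.

```json
{
  "rules": {
    "dynamicInvites": {
      "sessions": {
        "$sessionId": {
          // The session's random key. Readable by a member (assumed path)
          // or by a user who has already stored the same key under their own path.
          ".read": "auth != null && (root.child('sessions').child($sessionId).child('members').child(auth.uid).exists() || root.child('dynamicInvites').child('users').child(auth.uid).child(data.val()).exists())",
          // Only existing members may set or replace the key.
          ".write": "auth != null && root.child('sessions').child($sessionId).child('members').child(auth.uid).exists()",
          ".validate": "newData.isString()"
        }
      },
      "users": {
        "$userId": {
          // Each user can read and write only their own list of received keys.
          ".read": "auth != null && auth.uid === $userId",
          ".write": "auth != null && auth.uid === $userId",
          "$inviteKey": {
            // The value is the time the link was opened, kept for periodic cleanup.
            ".validate": "newData.isNumber()"
          }
        }
      }
    },
    "sessions": {
      "$sessionId": {
        // Members can read; so can a user holding this session's current random key.
        // If no key is set, val() is null, child(null) fails and the rule denies.
        ".read": "auth != null && (data.child('members').child(auth.uid).exists() || root.child('dynamicInvites').child('users').child(auth.uid).child(root.child('dynamicInvites').child('sessions').child($sessionId).val()).exists())",
        "members": {
          "$uid": {
            // Assumed self-join rule: a key holder may add only their own uid.
            // The organizer's existing in-app invite rule is not shown here.
            ".write": "auth != null && auth.uid === $uid && root.child('dynamicInvites').child('users').child(auth.uid).child(root.child('dynamicInvites').child('sessions').child($sessionId).val()).exists()"
          }
        }
      }
    }
  }
}
```

The random key works as a bearer secret: anyone who obtains the link can pass these rules until a member replaces the value at `dynamicInvites/sessions/{sessionId}`, after which previously stored keys no longer match.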