1

In a quick search I realized that my problem with Firebase Authentication is a common problem for many users who have complained for over 2 years! Maybe the complaints weren't clear so I'll try to be detailed in explaining the problem.

I would like to have the same firestore data for the same user regardless of the authentication method used by him. For example email and password, Facebook, Google or GitHub. The only information that is common to all these services is the email address.

I can't use the UserID because firebase creates one for each authentication method.

When creating a security rule so that a user cannot see the data of another, the sentence "request.auth.token.email" is only fed when the "email and password" method is used, generating most of the problems.

Example of rule that doesn't work with google, facebook, etc:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /user/{email}/{documents=**} {
      allow read, write, get: if request.auth != null && request.auth.token.email == email;
    }
  }
}

Could someone from the Firebase team help us?

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Maickel Bourscheid
  • 13
  • 3
  • "I can't use the UserID because firebase creates one for each authentication method." If these are all the same user, you should probably link all of the accounts so they end up with a single UID: https://firebase.google.com/docs/auth/android/account-linking – Frank van Puffelen Mar 09 '22 at 21:25

1 Answers1

1

I just tested this on a project of my own and whether the user.email property gets populated (and thus is available in your security rules) depends on the One account per email address setting:

  • Prevent creation of multiple accounts with the same email address: this prevents the user from creating multiple accounts with the same email address, and will populate the user.email property. If you want to allow a single user to be able to sign in from multiple providers with the same email address, you'll want to look at the documentation on linking accounts in this case. That will also then allow you to base your security rules on UIDs, as the linked accounts will all have the same UID.
  • Allow creation of multiple accounts with the same email address: the user.email property won't be populated, and thus also won't be available in security rules.

With a HT to this old question/answer:

Not getting the email using Google Authentication in Firebase

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • Thank you very much with this I solve my problems. But I really think it would be easier to require "email scope" and always feed "request.auth.token.email" to end all questions and problems! – Maickel Bourscheid Mar 10 '22 at 15:54
  • Agreed that it'd be easier for your use-case, so I'm checking with the engineering team - as I'm quite sure they had a reason for not doing that. – Frank van Puffelen Mar 10 '22 at 16:00
  • Even linking several providers to a single userID still has the problem of changing the email password, which removes the "request.auth.token.email" possibility! – Maickel Bourscheid Mar 10 '22 at 17:54