Firebase real-time database authentication for multiple users

0
votes

I was looking for simple authentication mechanism for multiple users in Firebase real-time database. For ex: I don't want all millions of users to login using email and password to access Firebase real-time.

I came across creating custom token from the below documentation.

https://firebase.google.com/docs/auth/admin/create-custom-tokens

I want to understand clearly about that. Is this something that helps to authenticate multiple users (grouped as one) programmatically via custom token instead of each user has to authenticate using email address and password? or This is different from what I thought?

Please advise.

3
firebasefirebase-realtime-databasefirebase-authentication

3 Answers

0
votes

No, custom tokens are used when you have your own database of users that have already signed into your existing service with some other form of credentials that you provide.

If you don't have your own database of users, custom tokens won't help.

Also, there is no such thing as "grouping" users for the purpose of authentication using Firebase Authentication. Each user has their own distinct identity with their own credentials that are dealt with independently of each other.

0
votes

Custom tokens are used when you have your own authentication service but want to allow your users to access Firebase services. If you want your users to be able to use the database without an email and password, you can use a provider such as Google or use Anonymous authentication, which is when the user is logged in and can access the database, but don't have to prove that they're themselves. You can always add them as an actual user later.

To allow authenticated users to access the database, you can use these rules: 

// These rules require authentication
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

Database Rules Docs

0
votes

There is a difference between when a user signs in (authentication) and when they gain access to your database (authorization).

There is no way to prevent users from authenticating with Firebase Authentication's built-in providers that you've enabled in the Firebase console. But it's quite easy to only allow specific users access to the data in your database with Firebase's server-side security rules.

For example, if you only want specific users access, you can set up a whitelist of their UIDs:

allowedUsers
  uid1: true,
  uid2: true,
  uid3: true

Now you can write a simple security rule that only allows users in this list to read your database:

{
  "rules": {
    ".read": "root.child('allowedUsers').child(auth.uid).exists()"
  }
}