
I am developing an app for my college, and there are different types of users: students, teachers, HODs, etc. When they log in, how do I know whether a teacher logged in or a student logged in? Is there any function in Firestore for role-based sign-ups and sign-ins?

I was thinking that when a teacher signs up, I will add a tag at the end of her uid.username, so that if the username is 'DANIEL' at sign-up, I will add 'tea' for teachers and 'stu' for students at the end of the name they provided.

So when they log in I will get the uid, do the string manipulation and get the last three letters, so that I can know who logged in and show a different UI to different types of users.

Is there any better way to do this?

While signing up, the user enters his username, for example "daniel"; I will store that username in uid.username like this: "daniel-stu" (if a student signed up), "daniel-tea" if a teacher signs up.

Renaud Tarnec



Storing this information in the user's display name can work. You can read it back from there next time, and take action in your application's client-side code. But note that this means that any user can change their role, since they can also call the same code to update their profile. If that is not a concern for your app, then this approach sounds like it would work.

If malicious users should not be able to change their role, then you shouldn't set that role from the client-side application code. In that case, you can set the role from a server (or your development machine, or Cloud Functions) using the Admin SDK. Since the Admin SDK runs in a trusted environment, it has expanded privileges and can update the profile of any user. So the Admin SDK could update the display name of the user in the same way you have in mind.

But this still isn't secure, since you're still setting a property that anyone can modify for their own profile. Again... if that is no problem for your app that is fine, but if the use-case requires that you can rely on the property to be correct, we have to keep looking elsewhere.

The Admin SDK can set additional so-called claims on a user profile that client-side code can't modify. Such claims are for things that affect the permissions of the user, such as whether the user is an admin, or what role/group your users belong to. This sounds quite close to what you are describing, so it can also be used. And this time, only your code that runs in a trusted environment will be able to set it.

Finally, you could store the additional information about a user in the database. It's quite common to have a collection (Users or Profiles) in the database, where you store a document for each user (with the document name being User.uid). You create the document when the user first signs in, and update whenever you need to. You can do this from the client-side code (if there is no need to control what gets written), or from code that runs in a trusted environment (such as your development machine, a server you control, or Cloud Functions) if you do need to keep control. A big advantage of this approach is that all users can potentially see the information in this collection, where the client-side Authentication SDK only allows a user to read their own user profile.

For more on this, see:

Frank van Puffelen

  • When the user tries to change their username, I will again be adding the role of the user at the end of the username, so that makes no difference, right? I think this is a better way than reading many documents to search for the role of the user... other than this I didn't find anything – Saikumarreddy atluri Jan 31 '19 at 14:45
  • If you must ensure the information is correct, you can't do it in client-side code. If you do it in client-side code, you can't be sure the information is correct. None of the approaches I gave would require reading many documents to get the role for a specific user. – Frank van Puffelen Jan 31 '19 at 15:04
  • Allow me to add a link to the official video on Custom Claims that Frank mentioned in his answer https://www.youtube.com/watch?v=3hj_r_N0qMs – Renaud Tarnec Jan 31 '19 at 15:14
  • Good one Renaud. I keep forgetting that we have Firecasts on topics. Added, and thanks for flagging! – Frank van Puffelen Jan 31 '19 at 15:23
  • There are a few ways of doing that. For example: when a user signs up, that can trigger a Cloud Function. And in that you can then set the correct role. See https://firebase.google.com/docs/functions/auth-events. The main thing there is to figure out how you determine their role. Keep in mind: you can't trust any data that comes from the client, since that can be easily spoofed by malicious users. So you can't securely send an "I am an admin" along from the client. – Frank van Puffelen Feb 01 '19 at 00:48
  • One more: I am using Firebase Auth in Flutter. When I sign out while there is no connectivity and then try to log in without connectivity, it logs me in. I don't know why it's logging in; I thought it would throw an exception, but it just logs in without connectivity. How do I stop that? Should I check for a connection before logging in? – Saikumarreddy atluri Feb 01 '19 at 19:44
  • Firebase Authentication automatically restores the user's authentication state when they restart the app. In many cases developers want their users to be able to continue using the app, even when they're offline, and this is the most transparent approach to allow that. – Frank van Puffelen Feb 01 '19 at 20:49
  • Thanks for that. If I want to make a chat application, should I store each message in a separate document? – Saikumarreddy atluri Feb 02 '19 at 02:00
  • That seems completely unrelated to this question. See: https://stackoverflow.com/questions/54008366/how-to-structure-firestore-database-in-chat-app – Frank van Puffelen Feb 02 '19 at 03:34
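
The custom-claims approach from the answer, and the "set the role from a Cloud Function when the user signs up" suggestion in Frank's Feb 01 comment, as an added example in Node.js (this is editorial example code, not code from the answer, the asker, or Firebase's documentation). It assumes a hypothetical source of truth for who is staff: a COLLEGE_DOMAIN that every legitimate account must use and a STAFF_EMAILS allowlist, both constructed here. The Admin SDK instance is injected into the handler so the logic runs without a Firebase project; fakeAdmin() is a stand-in that only records the claims it is asked to set.

```javascript
// Added example: assign a role as a custom claim from trusted server-side
// code when a user is created, and read it back from the verified ID token.
// COLLEGE_DOMAIN and STAFF_EMAILS are assumed/constructed stand-ins for
// whatever trusted record of staff the college really has.

const COLLEGE_DOMAIN = 'college.example';                   // assumed
const STAFF_EMAILS = new Set(['daniel@college.example']);   // constructed allowlist
const KNOWN_ROLES = new Set(['student', 'teacher', 'hod']);

// Decide the role of a freshly created user from data the client cannot
// forge: the user record handed to the Auth trigger, not anything the app sent.
// Returns the claims object to set, or null if no role can be granted.
function roleForNewUser(user, staffEmails = STAFF_EMAILS) {
  const email = String(user.email || '').toLowerCase();
  const at = email.lastIndexOf('@');
  if (at < 0) return null;
  const domain = email.slice(at + 1);
  if (domain !== COLLEGE_DOMAIN) return null;   // outsiders get no role at all
  if (staffEmails.has(email)) return { role: 'teacher' };
  return { role: 'student' };
}

// The trusted half: an onCreate handler built around the Admin SDK.
// `admin` is injected; in production pass the real firebase-admin module.
function makeOnCreateHandler(admin, staffEmails = STAFF_EMAILS) {
  return async function onUserCreated(user) {
    const claims = roleForNewUser(user, staffEmails);
    if (claims === null) return null;
    // Custom claims can only be written with the Admin SDK; a client-side
    // updateProfile() call cannot touch them.
    await admin.auth().setCustomUserClaims(user.uid, claims);
    return claims;
  };
}

// Deploy-time wiring (firebase-functions v1 API), not executed in this file:
//   const functions = require('firebase-functions');
//   const admin = require('firebase-admin');
//   admin.initializeApp();
//   exports.assignRole = functions.auth.user().onCreate(makeOnCreateHandler(admin));

// Reading the role back. `decoded` is what admin.auth().verifyIdToken() returns
// on a server, or the `claims` of getIdTokenResult() on the client. Either way
// the value was signed by Firebase, so it is trustworthy once the signature has
// been verified. Missing or unknown roles fall through to null (least privilege).
function roleFromToken(decoded) {
  const role = decoded && decoded.role;
  return KNOWN_ROLES.has(role) ? role : null;
}

// The scheme from the question, kept only to show the failure mode: the suffix
// lives in displayName, which every user can rewrite for themselves.
function insecureRoleFromDisplayName(displayName) {
  const name = String(displayName || '');
  if (name.endsWith('-tea')) return 'teacher';
  if (name.endsWith('-stu')) return 'student';
  return null;
}

// In-memory stand-in for the Admin SDK that records the claims it is asked to set.
function fakeAdmin() {
  const claimsByUid = new Map();
  return {
    claimsByUid,
    auth: () => ({
      setCustomUserClaims: async (uid, claims) => { claimsByUid.set(uid, claims); },
    }),
  };
}

// A student who renamed herself "mallory-tea" fools the suffix check but not
// the role claim carried in her ID token (constructed token payload).
const spoofedToken = { uid: 'u2', role: 'student', name: 'mallory-tea' };
console.log('suffix says:', insecureRoleFromDisplayName(spoofedToken.name)); // teacher
console.log('claim says: ', roleFromToken(spoofedToken));                    // student
```

Two caveats a practitioner should keep in mind: a claim set with setCustomUserClaims only shows up in the ID token after the client refreshes it (getIdToken(true) or the next hourly refresh), so the UI should not assume the role is visible immediately after sign-up; and once the claim exists, Firestore security rules can enforce it server-side via request.auth.token.role, which is what makes the role reliable rather than merely displayed.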