Menu
In Firebase Database; If user_a has data they can access and they want to share this data with user_b, what is the best practice and database structure for securely sharing this data between specific users?
Important: user_a doesn't have any information about user_b account, e.g. uid.
Detailed Example:
1) user_a has a list of clientele.
"users": {
"user_a": {
"clients": [
"clientUid",
"clientUid2"
]
}
},
"clients": {
"clientUid": {
"firstName": "John",
"lastName": "Doe"
},
"clientUid2": {
"firstName": "Joe",
"lastName": "Bloggs"
}
}
2) user_b signs up. user_a now wants to share user_b data in clients with the user_b account that signed up.
Put another way: user_a has a list of clients, one of them creates an account and needs to link to the information user_a has already entered for them.
An important element here is that there is no list of users or accounts that a 'friend request' can be made from for more data. I have experimented with creating a short unique id a user can enter when they sign up to access their data, but am unsure if this is a good way forward and have encountered issues.
This is different to previously asked 'shared data' questions as it focuses on, how is the link between the two users made? Not just the before and after.
369
I know if two ways:
A shared secret can be easily modeled in the database as a location that you can read once you know it. Your short unique id is an example of such a shared secret, where user_a "determines" the secret, and then sends it to user_b out of band.
A simple flow:
user_a clicks a Get secret button in the appThe app determines a secret code, e.g. correct-horse-battery-staple and:
2a. Writes the secret code to the database in a non-queryable-but-readable location, together with the actual information to share, in your case the UID of user_a.
2b. Shows the secret code to user_a.
user_a copies the code and sends it to user_b via some other communication mechanism, e.g. text, email, chat.
user_b clicks Enter secret button in the app, and pastes the secret.user_a.The data structure for this could be something like:
"secrets": {
"correct-horse-battery-staple": "uidOfUserA"
}
Which you secure with these rules:
{
"rules": {
"secrets": {
"$secret": {
".read": true
}
}
}
}
So the above rules don't allow anyone to read /secrets, hence they can't get a list of all secrets. But once they know a secret, they can look up the associated data under it.
The alternative is to have a list of users in your database, and allow user_b to search on some property that they know from user_a. A common property might be their email address, or their display name, which you could store in the database like:
users: {
"uidOfUserA": {
email: "[email protected]",
displayName: "user A"
},
"uidOfUserB": {
email: "[email protected]",
displayName: "user B"
}
}
To allow users to search each other is a bit more involved, as in: it will require server-side code. The reason for this is that being able to search over a dataset requires that you can read that dataset. And in Firebase, if you can read a dataset, you can get all data under it. In other words, to allow search a user you need to be able to read all of /users and allowing this would disclose too much information.
So to implement a search securely, you'll need to have rules like this:
{
"rules": {
"users": {
"$uid": {
".read": true,
".write": "auth.uid === $uid"
}
}
}
}
In words: anyone can read the profile for a user for whom they know the UID, but each individual user can only modify their own profile.
With this, you can implement a Cloud Function that then takes the email or display name as input, and searches across all /users. Since Cloud Functions access the database with administrative privileges, they are not restricted by the above security rules.
108
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
