2

I'm trying to create a multi-level role system for my website (which is a type of blog).

I've already implemented classic Firebase Auth authentication system, with email/password combo only. By now, every user can post/edit articles because I do't have any granularity. I'd like to change that and make a separation between several roles - starting by Admins/Moderators/Users, but roles don't seem to be available as the default Firebase User model.

How can I possibly migrate my logic to this, and which tool should I use withotu having to redo everything? I've seen people using Firestore (but this was a long time ago, Firebase must've changed since then), and some others tend to prefer the Firebase Auth SDK. By now, new things are even available with this Identity Platform thing, which I don't really understand yet.

Note that I'm using:

  • NextJS 13 (Javascript only) with integrated Next API (SSR)
  • Deployment on Vercel
  • Database split between some Firebase Storage assets (mostly images) and MongoDB (everything else)
Improve this question

2 Answers 2

Reset to default
2

Firebase Authentication only handles authentication (validating the user's identity). It does not have any built-in mechanism for authorization (determining what the user is allowed to do).

That said, you can build an authorization model on top of Firebase in a multitude of ways. Some topics to consider:

  • There are two common places to store the authorization information (the roles in your use-case): either as a custom claim in the user's profile, or as separate records in a database.

  • For securing access to the files in Cloud Storage, you can use Firebase security rules. For an example of this, see the Firebase documentation on implementing custom-claim attributes and roles. A few things to note here:

    • Security rules are applied to access to Cloud Storage through the Firebase client-side SDKs, but not when you access the file through a download URL or through a Google Cloud (server-side) SDKs.
    • The example shows the user's role being stored as a custom claim in their user profile. While this is still possible today, you can nowadays also access Firestore from Storage security rules which gives you a second option on where to store the user's role information.

  • For MongoDB, you will have to implement authorization within your own code. If you stored the authorization information as custom claims in the user profile, you can decode the token and get the information from there. If you stored it in a database, you can read it from there and apply it.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thanks a lot! So basically, if I chose to use MongoDB to store everything, even the role, I can, for example, create a new entry in a users collection when a new user is created, and then fetch it or modify it as I see fit? Given that the frontend first checks for permissions, of course...
1

You can create your own user table or collection which holds user's role against the email or userId.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.