Flutter 使用 Cloud Firestore 和 Firebase Auth 存储用户数据
[英]Flutter store users data with Cloud Firestore and Firebase Auth
问题描述
I have a collection of "Users" in Cloud Firestore and I am using Firebase Auth to authenticate my app users as follows:
我在Cloud Firestore中有一组“用户”,我正在使用Firebase Auth对我的应用用户进行身份验证,如下所示:
- The user authenticates within the mobile app (for example with Google).用户在移动应用程序中进行身份验证(例如使用 Google)。
- I verify that there is no document within the "Users" collection that corresponds to the UID of the authenticated user.我验证“用户”集合中没有与经过身份验证的用户的 UID 相对应的文档。
- If the document does not exist in "Users" I use the user's UID to create a new document.如果“用户”中不存在该文档,我将使用用户的 UID 创建一个新文档。
It is my question: Is there a security problem with this model or some other type?这是我的问题:这个 model 或其他类型是否存在安全问题?
I am confused by Google documentation because it says that the user's UID is unique to the Firebase project but should not be used to authenticate my user to the backend server.我对 Google 文档感到困惑,因为它说用户的 UID 对 Firebase 项目是唯一的,但不应用于向后端服务器验证我的用户。 It also says that in that case, I should use FirebaseUser.getToken () but that token can change, so it will create a new user in my DB.它还说,在这种情况下,我应该使用 FirebaseUser.getToken () 但该令牌可以更改,因此它将在我的数据库中创建一个新用户。
So, my second question is: When should you use that token?所以,我的第二个问题是:你应该什么时候使用那个令牌? Give me an example, please.请给我一个例子。
Thanks for the help.谢谢您的帮助。
1 个解决方案
解决方案1
1 2021-06-10 05:45:21
USER_ID用户身份
You can use the google generated user_id for future reference.您可以使用 google 生成的 user_id 以供将来参考。 That will never change for a given user email or authentication type as long as the user is already in the database.只要用户已经在数据库中,对于给定的用户 email 或身份验证类型,这将永远不会改变。
Example: If the user Signed In with google federated login with user1@example.com then the user record is maintained in the Firebase and USER_ID(Say ABFDe12cdaa2... ) will be assigned(You can use this id in URLs to see the user profile etc it is kind of 32 chars long(I am not sure exactly here). Now, If a user tries to sign up again with the same email(user1@example.com) then it pulls the previous record ABFDe12cdaa2... . If you delete a user1@example.com from the firebase database(Firebase maintains its own database of the user for your project, With has a limited number of user properties). Then the user tries to sign in again then the new USER_ID is generated.示例:如果用户使用 google federated login 使用 user1@example.com 登录,则用户记录将保存在 Firebase 和 USER_ID( ABFDe12cdaa2... )将被分配(您可以在 URL 中使用此 id 来查看用户profile 等它有 32 个字符长(我不确定这里到底是什么)。现在,如果用户尝试使用相同的电子邮件(user1@example.com)再次注册,那么它会拉取之前的记录ABFDe12cdaa2...如果您从 firebase 数据库中删除 user1@example.com(Firebase 为您的项目维护自己的用户数据库,With 具有有限数量的用户属性)。然后用户尝试再次登录,然后生成新的 USER_ID .
Now the TOKEN :现在令牌:
As you USER_ID is public, it can be seen by everyone.由于您的 USER_ID 是公开的,因此每个人都可以看到。 It is not used for authentication.它不用于身份验证。
So you need to generate the token( This is longer the user id) to authenticate programmatically with the Firebase.因此,您需要生成令牌(这是更长的用户 ID)以通过 Firebase 以编程方式进行身份验证。 It token is temporary and specific to the user.它的令牌是临时的并且特定于用户。 It will expire in some time ( you can define that time while creating the token).它将在一段时间后过期(您可以在创建令牌时定义该时间)。 a refresh token is used to get a new token.刷新令牌用于获取新令牌。
I don't have any code examples while writing this answer.编写此答案时,我没有任何代码示例。 I will update with code example,If, I find any.我将使用代码示例进行更新,如果我找到任何。
Hope I clarified some of your questions.希望我澄清了你的一些问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.