
How to handle user roles in Flutter with a Firebase backend? Client & admin app, or both in one app?

I am working on a project that has 2 user roles, which are customer and seller.

Currently, I'm using the same app for both user roles. Let me explain quickly: there is a LoginScreen for both users, and if they log in with their email and password (also, I'm using Firebase) with Firebase's signInWithEmailAndPassword method, there is a function for detecting the user's role.

MY GOAL

There will be some different features and properties for Seller (add, update, delete some products). And I don't know which is better: separate them into 2 apps, or both in one app?

Here is some part of that function's code:

    // user is the signed-in FirebaseAuth user (null when nobody is signed in);
    // isSeller is the role flag read from the user's document in Firebase.
    if (user != null) {
      // Only an explicit `true` routes to the seller UI. The original
      // `isSeller != false` also matched null (a missing field), which would
      // have shown SellerHome to a user with no role set at all.
      if (isSeller == true) {
        return const SellerHome();
      } else {
        return const CustomerHome();
      }
    } else {
      return const LoginView();
    }

As you can see, if the user has an isSeller = true field in Firebase Cloud Storage, it returns SellerHome. But if it has not, it returns CustomerHome.

But is this a safe or good way to handle user role-based auth or not? Should I use a Cloud Function for this?

Should I separate CustomerHome and SellerHome?

And I took a little look at Firebase Custom Claims, and I actually don't get it well. Clearly, I can say I am not a professional at Firebase and Flutter.

Whether you implement the end-user and app-admin functionality in separate apps or in a single app is a purely personal choice. But either way, it should not be a security risk.

With the code you shared, the worst that a malicious non-admin user can do is to show the SellerHome widget. This is typically not a security concern on its own, because the widget is harmless unless it also allows the user to perform seller functionality. And since this functionality will require calls to some backend functionality, that is where you'll want to ensure that the user is authorized to perform the operation they are trying to perform.

For example, if you use one of Firebase's databases (Firestore or Realtime Database) as the backend of your app, you can use its server-side security rules to ensure all data access is authorized. A common usage pattern here is so-called content-owner only access, which can be easily accomplished in these rules. There are many more ways to secure data access in these rules, and they can (and at times will) be as complex as your front-end code.

If you're not using a Firebase database as your backend, you'll typically want to pass the ID token from the front-end code to your backend, verify the ID token there, and then determine (with your own logic) whether the now identified user is authorized to perform the action they requested.
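To make the "content-owner only access" pattern from the answer concrete, and to show where the custom claims the question asks about fit in, here is an added Firestore security rules example. It is not code from the answer, the asker, or Firebase's documentation. It assumes a `users/{uid}` collection holding the `isSeller` flag from the question, a `products/{productId}` collection whose documents carry an `ownerId` field, and (for the claim-based variant) a custom claim named `seller`; all of those names are assumptions. The weak rule that a client-side-only role check effectively relies on is shown commented out next to the hardened version, and both ways of establishing the role (custom claim, or a lookup of the user's document) are included so the two can be compared.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper: is the caller signed in at all?
    function signedIn() {
      return request.auth != null;
    }

    // Variant A (assumed layout): the role is a custom claim named "seller",
    // set by trusted server-side code (e.g. a Cloud Function using the Admin
    // SDK). It arrives inside the verified ID token, so the client cannot
    // forge it and no extra document read is needed.
    function isSellerByClaim() {
      return signedIn() && request.auth.token.seller == true;
    }

    // Variant B (assumed layout): the role is the isSeller field on
    // /users/{uid}, as in the question. Costs one document read per
    // evaluation, and only works if that field is not client-writable.
    function isSellerByDoc() {
      return signedIn()
        && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.isSeller == true;
    }

    // Users may read their own profile, but can never set or change the
    // role flag themselves; otherwise anyone could promote themselves.
    match /users/{uid} {
      allow read: if signedIn() && request.auth.uid == uid;
      allow create: if signedIn() && request.auth.uid == uid
                    && !("isSeller" in request.resource.data);
      allow update: if signedIn() && request.auth.uid == uid
                    && !request.resource.data.diff(resource.data).affectedKeys().hasAny(["isSeller"]);
      allow delete: if false;
    }

    // WEAK: this is all that a client-only role check really enforces.
    // Any signed-in customer could add, update or delete any product by
    // calling the Firestore SDK directly, bypassing the Flutter UI.
    //   match /products/{productId} {
    //     allow read, write: if request.auth != null;
    //   }

    // HARDENED: content-owner only access for sellers.
    match /products/{productId} {
      allow read: if true;                                      // catalogue is public
      allow create: if isSellerByClaim()
                    && request.resource.data.ownerId == request.auth.uid;
      allow update: if isSellerByClaim()
                    && resource.data.ownerId == request.auth.uid          // owns it now
                    && request.resource.data.ownerId == request.auth.uid; // cannot hand it off
      allow delete: if isSellerByClaim()
                    && resource.data.ownerId == request.auth.uid;
    }
  }
}
```

The `products` rules use the claim-based check; swapping `isSellerByClaim()` for `isSellerByDoc()` gives the document-lookup variant with no other changes. With either variant the Flutter `isSeller` branch becomes purely a UI decision: a customer who somehow reaches `SellerHome` still cannot write a product, because the rule is evaluated on Firebase's servers for every request. Setting the claim is done once per user from trusted code with the Admin SDK's `setCustomUserClaims(uid, { seller: true })`; the client then sees it after refreshing its ID token (`getIdTokenResult(true)` in the Flutter firebase_auth plugin), which is the usual place for the app to decide which home screen to show.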
