undefined | Better HN

0 pointsowaislone8y ago0 comments

JWT claims are strictly meant for JWT. I don't know how or why they would work with Facebook login, but if you need to support Facebook/Google login for users in addition to JWT, you can still implement claims/roles. You just need to create a collection for users in firebase that stores claims for all users. Protect it with security rules and then this collection to power security rules for other collections. Something like:

``` ".read": "auth != null && (root.child('users').child(auth.uid).child('claims').child('isAdmin').val() == true)", ```

This security rule will lets users read data only if their account is present in `users` collection and has `claims.isAdmin == true`. I did not test the above snippet but I have something very similar working in a project already.

0 comments

1 comments · 1 top-level

mluggy8y ago

my database.rules file is over 2000 LOC, and I have lots of these: root.child('users/' + auth.uid + '/roles/admin').exists(). that's my point really, you need a supplemental user record in a second database, even if all you wanted is a bit of information attached to a user login. see this guy's question: https://stackoverflow.com/questions/43329143/access-firebase...

j / k navigate · click thread line to collapse