I'd like to create this simple model:
user registers and Firebase stores email & password
user pays with PayPal to access protected content
Firebase gets notified by PayPal the user has paid & logs this
paying user logs in with his credentials & Firebase authorizes access to the protected content; non-paying users are denied access
What is the bare minimum amount of functionality needed to leverage Firebase's backend and make this work?
Depends on your exact requirements (ie, are 5 or 15 minute delays acceptable) but you can get started super quickly using Zapier
https://zapier.com/zapbook/firebase/paypal/
You would setup the zap using your secret firebase and paypal keys, setting the zap to update a property on the user's profile (be sure to use Firebase security rules to limit write access to that property) which says they have paid.
Related
I want only people whom I register or with specified email should be able to use google sign in, rest are not allow to sign in.
example:- I run a institution and I have separate id for my fellow students and I want them to only be able to sign in using that id and otherwise they should not be allowed to use any other Id(email to be more precise).
in my flutter application using firebase-> google_sign_in.
hope I am clear!
bro add some g mails in your firestore those people you want they can access my app if this emails exist in your db then they can google signin otherwise show toast your account is not regirsted by admin
try{
FirbaseFirestore.instance.collection("alloweduser).doc().where("emial",isequalto:123#gmail.com).then(){
Goolglesinin()
{
google signcode
}
}.catch(e)
{
showToast("ask admin to app permission")
}
You are talking about authentication vs. authorization.
Authentication: Since google is your authentication provider... anyone with a valid google account is authenticated.
Authorization: Who has access to what parts of the application?
You need to implement an authorization system / flow to determine if an authenticated user has access to the app. By default... all users will have NO ACCESS.
How you implement authorization - depends on your backend and how you store user data. If you are using firebase, something like this will help: https://firebase.google.com/docs/firestore/solutions/role-based-access
While using Unity 2020.3.9f1 and Unity IAP 3.2.1 I can send the initial subscription via a regular https request to my Spring backend and receive the user information from backend auth + purchase token via the request. I can then insert the expiry date (which I query from Google API using AndroidPublisher and the token) to my database and give premium features to the given user for that time period.
When the subscription is about to renew, I need to update the users premium feature expiry date in the database accordingly.
I already found out, that I can receive this renewal information, even if the client is not active, via Google Cloud Pub/Sub by linking it with the apps monetization. The backend then receives a purchase token, but this time there is no more user information since the request was not issued through a client/server request.
I also figured out that there is/was a developer payload to use for that purpose. My question is how I can add this to the subscription to link renewal subscription notifications to a certain user on receiving renewal subscription notifications. I do not really want to add a new index on a (at least in test mode always unique) purchase token to my database if I do not have to.
I use Firebase Auth in my app - can I make use of that in any way?
Actually i want do it in this way when user sign up with fake email. user can't verify this email.So the email should automatically deleted from firebase authentication after fixed time.
There is nothing built into Firebase Authentication to auto-delete accounts like that. I'd also consider what you actually gain by such functionality, as the user can just recreate their Firebase Authentication account by calling the same API again.
You'll typically either want to:
disable their account, which prevents them from signing in/signing up with it. This can be done through the Firebase Admin SDK, by first getting a list of all users, and then disabling the relevant ones.
only grant them access to your back-end services if they've verified their email address (within a certain amount of time). How to do this depends on your backend services though.
Iam working on a flutter mobile application where i use Google SignIn for Auth, is there a way to authorize users with existing account only?
Prevent users from creating new accounts? I've looked for the same thing without finding a way to do this with any Firebase project setting.
The solution, I believe, is consider the difference between authentication and authorization. Firebase's Authentication service is aptly named. It does authentication
- validates that a user is actually who they claim to be. It does not do authorization - control what actions authenticated users are allowed to perform or what data they can access within an application. App developers have to be responsible for managing user authorization.
One way to do this is to maintain a collection of "authorized users" in Firestore, for example. When a user authenticates, your app would perform a lookup to see if the current user is actually authorized or not. Security rules can be written for Firestore and Firebase Cloud Storage to also validate that the current user is in the "authorized users" collection before allowing access to data. But this requires extra data queries to obtain this authorization info.
The authorization method I prefer is to use Custom Claims which can be assigned using the Firebase Admin library. A custom claim can be added to an existing user account that can act as a flag indicating what type of authorization they're granted. Front-end code can check the authentication token they've been issued for the custom claim to determine the authorization they've been granted. Server-side code and security rules can also check for those required custom claims within submitted requests.
Realistically, any application you build where different users might have different levels of access will require you to deal with authorization. I believe that assigning carefully thought-out custom claims is the best solution.
Many mobile apps require user login. That's why Ionic launched their Auth service (https://docs.ionic.io/services/auth/). I can create users via the Auth service itself or via the Ionic API. I also can save custom data for each user. Very nice is also that I can sen targeted push notifications to my users. Seems like a nice out-of-the-box solution.
But most of the time apps have more complex logic (user can post something, user can order something, make a payment, ...). The simple user with some atributes from Ionic does not help much in those cases.
So I need to authorize the users not only inside the app but also against some custom API. And this is where my questions come up...what's the best way to do this?
Some things that came to my mind:
When creating the user in Ionic, also create the same user with the same email and password in my API. So I can make authorized requests. But this does not user any token and I would have to pass my password in every request, also I am worried about data consistency. What if the user changes its password?
Use the internal Ionic user ID, create one global token and use user ID and global token to authenticate the user in my API. But is this secure?
Another worry in my mind: If I save user name, email etc in the Ionic Auth system I would have to access it via their API every time I need it in my own system. For example: A user orders a product in the app. Then my system needs to send out a confirmation to the user. I would have to access the Ionic API to know that users email...and so own.
I think this is all confusing.
Is Ionic Auth not made for those situation? Then, I don't see what it's made for at all...
Is ionic Auth just not there yet...?
Am I just not getting it?