Context. In my iOS game, I would like to allow users to play without logging in (anonymously anonymous in Firebase to save user data), but also give them the opportunity to log in with Facebook to unlock additional gameplay.
I am trying to change this post by replacing Twitter login with anonymous login:
"users": { "$userid": { // Require the user to be logged in, and make sure their current credentials // match at least one of the credentials listed below, unless we're creating // a new account from scratch. ".write": "auth != null && (data.val() === null || (auth.provider === 'facebook' && auth.uid === data.child('facebook/id').val() || (auth.provider === 'anonymous' && auth.uid === data.child('anonymous/id').val()))" } }
I am confused how the transition will work with these rules. In particular, let's say:
The user authenticates anonymously and can create a canonical user record with their anonymous uid stored in users/"$userid"/anonymous/id . This is allowed because the user is authenticated and the user object is set for the first time ( auth != null && data.val() === null ).
Any subsequent entries in users/"$userid"/ allowed, since the identity of the anonymous user with authentication is stored in the user tree ( auth != null && (auth.provider === 'anonymous' && auth.uid === data.child('anonymous/id').val()) ).
The user is logged in to facebook. Now authData contains a facebook uid that has not yet been written to users/"$userid"/facebook/id . Writes this place a crash because security rules do not allow it.
Thus, an anonymous user does not have access to facebook uid until facebook authentication is complete. At this point, it is too late to write to users/"$userid"/facebook/id , because the authenticated user is now a facebook user and does not have write permission there.
Am I missing something? Any ideas on how to fix this?
source share