0

Firebase real-time database has Character Set Limitations that prevent these characters 

. (period)
$ (dollar sign)
[ (left square bracket)
] (right square bracket)
# (hash or pound sign)
/ (forward slash)

from being present in a primary key.

But this library for firebase real-time database on google apps script uses escaped email as auth.uid

Therefore, I structured my FB real-time DB as below:

{  
   users={  
      auth.uid={  //auth.uid == escaped email
         phone_no=+123456789012,
         email=foo@bar.com
      },
      ... //rest of the array
   }
}

My concern is that, the possibility for two different users to have the same escaped email.

For example:

User1 email: johndoe@foobar.com

User1 escaped email: johndoefoobarcom

User2 email: j.o.h.ndo.e@foobar.com

User2 escaped email: johndoefoobarcom

Do email services especially Gmail allow users to register emails that are similar as shown above?

Here's what my rules look like

{
  "rules": {
    "users": {
      "$user_id": {
        ".write": "$user_id === auth.uid",
        ".read": "$user_id === auth.uid"
      }
    }
  }
}

So, you can see why i am using the escaped email (the auth.uid) as rootkey (because the auth.uid is already the escaped email address)

Here is Apps Script Code -> https://codepen.io/edge-developer/pen/JVPNOY

EdgeDev
  • 2,376
  • 2
  • 20
  • 37
  • 1
    In that page you linked to - it doesn't say anything about using email address as the unique ID. You're supposed to use the unique id assigned to the user by Firebase Authentication. This is the standard thing to do. (Also, that page refers to a VERY old version of Firebase. I'm not sure it's giving you modern advice.) – Doug Stevenson Mar 29 '19 at 18:38
  • my google email has several periods (`.`) in it, so yes. Hashes, periods and dollar signs are all legal in an email addresses. – ZombieTfk Mar 29 '19 at 18:39
  • @DougStevenson i have tested the code, that's what it uses (escaped email address). Got any Firebase Auth/Realtime DB Library you may want me to try out? – EdgeDev Mar 29 '19 at 18:40
  • Why-oh-why would you use something the user can freely expect to change as your primary key for them? Email addresses, phone numbers, and names are terrible IDs. – tehhowch Mar 29 '19 at 18:47
  • i know, but that's what the library uses. It's beyond me – EdgeDev Mar 29 '19 at 18:48
  • please check the update – EdgeDev Mar 29 '19 at 18:54
  • Your security rules are indicating that $user_id should be the unique id of the user as assigned by Firebase Authentication. This is the only way to really secure per-user data in Realtime Database. This is what I was suggesting in my first comment. – Doug Stevenson Mar 29 '19 at 18:56
  • yes and okay. check out my apps script code https://codepen.io/edge-developer/pen/JVPNOY – EdgeDev Mar 29 '19 at 19:15
  • @DougStevenson it seems i am using an outdated Firebase JS Library, let me check out the latest one and give a feedback – EdgeDev Mar 29 '19 at 19:19

1 Answers1

3

You are using a very old version of firebase, you need to upgrade to firebase js 5.8.5.

Also no it is better to use the userId that you obtain are you authenticate a specific user. The main reason to use the uid is because it is unique for each user.

Check here :

Why use UID in Firebase? Should I use it

Peter Haddad
  • 78,874
  • 25
  • 140
  • 134
  • thanks. could you help me look into this https://stackoverflow.com/questions/55427213/firebase-authentication-redirecting-to-a-blank-page-after-sign-in – EdgeDev Mar 30 '19 at 01:47