Firebase firestore get user document without authenticated
It's not clear how your database is set up or how you're passing the phone number, but here's a simpler approach that may help guide you.
Set your database up where the phone number is the customer's ID. If that's not possible, create a phoneToCustomers
collection that is used to match phone numbers to customers.
Example 1: Phone Numbers as Customer IDs
Let's assume your customer IDs are their phone numbers:
{
"customers": {
"7878445778": {...},
"1231231234": {...}
}
}
With this simple rule you can accomplish what you want:
match /customers/{phone} {
// Allow anyone with the phone number to access this document
allow get: if true;
// Can't list all customers
allow list: if false;
}
Example 2: Customer ID Lookup Table
Let's assume your database looks like this:
{
"customers": {
"abc123": {...},
"xyz987": {...}
},
"phoneToCustomers": {
"7878445778": "abc123",
"1231231234": "xyz987"
}
}
These rules prevent users from querying your customers or phone numbers but allows retrieving documents if the user knows the ID.
match /customers/{customerId} {
// Allow anyone with the customer ID to access this document
allow get: if true;
// Can't list all customers
allow list: if false;
}
match /phoneToCustomers/{phone} {
// Allow anyone with the phone number to access this document
allow get: if true;
// Can't list all customers
allow list: if false;
}
You would then need to get() /phoneToCustomers/7878445778
to get the customer ID then a second get() to retrieve the customer data at /customers/<customerId>
.
EngineSense
Updated on December 28, 2022Comments
-
EngineSense over 1 year
I was trying to build an application in flutter with firebase. I don't want to User to authenticate him/her to firebase authentication.
All I want them to use their phone number as a secret code. Meaning he/she can enter the phone number to view their data without authentication. Without phone number, they cannot read the data.(without OTP too).
Now I have this in firestore rule, so anybody holds the phone number can view the data.
function isUserRef(field) { return field in resource.data && resource.data.mobile == /customers/document/$(request.resource.data.mobile) } match /customers/{document=**} { allow read : if isUserRef(request.resource.data.mobile); }
request resource data contain as below.
User{ "id" : null, "mobile" : "7878445778" }
But the above rule still doesn't match the document based on his/her mobile number. I don't want to user to authenticate at all. It's simple application were data is not a concern.
Any help appreciated!!. Thanks.