本文介绍了Cloud Firestore:强制执行唯一的用户名的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!




I have seen this question several times (also in the context of the Firebase Real-Time Database), but I haven't seen a convincing answer to it. The problem statement is fairly simple:


First of all, the why: After a user authenticates, they have a unique user ID. Many web-apps, however, let the user choose a "display name" (how the user wants to appear on the website), in order to protect the users personal data (like real name).



Given a data structure like the following it is possible to store a username along with other data for each user:

/users  (collection)
    /{uid}  (document)
        - name: "<the username>"
        - foo: "<other data>"


However, nothing prevents another user (with a different {uid}) to store the same name in their record. As far as I know, there is no "security rule" that allows us to check if the name has already been by another user.


Note: A client side check is possible, but unsafe as a malicious client could omit the check.



Popular solutions are creating a collection with a reverse mapping:

/usernames  (collection)
    /{name}  (document)
       - uid: "<the auth {uid} field>"


Given this reverse mapping, it is possible to write a security rule to enforce that a username is not already taken:

match /users/{userId} {
  allow read: if true;
  allow create, update: if
      request.auth.uid == userId &&
      request.resource.data.name is string &&
      request.resource.data.name.size() >= 3 &&
      get(/PATH/usernames/$(request.resource.data.name)).data.uid == userId;


and to force a user to create a usernames document first:

match /usernames/{name} {
  allow read: if true;
  allow create: if
      request.resource.data.size() == 1 &&
      request.resource.data.uid is string &&
      request.resource.data.uid == request.auth.uid;


I believe the solution is half-way there. However, there are still a few unsolved issues.



This implementation is quite involved already but it doesn't even solve the problem of users that want to change their user name (requires record deletion or update rules, etc.)


Another issue is, nothing prevents a user from adding multiple records in the usernames collection, effectively snatching all good usernames to sabotage the system.


  • 是否有一种更简单的解决方案来强制使用唯一的用户名?
  • 如何防止垃圾邮件usernames收集?
  • 如何使用户名检查不区分大小写?
  • Is there a simpler solution to enforce unique usernames?
  • How can spamming the usernames collection be prevented?
  • How can the username checks be made case-insensitive?


I tried also enforcing existence of the users, with another exists() rule for the /usernames collection and then committing a batch write operation, however, this doesn't seem to work ("Missing or insufficient permissions" error).

另一个注意事项:我已经看到了客户端检查的解决方案. 但这些都不安全.任何恶意客户端都可以修改代码,并省略检查.

Another note: I have seen solutions with client-side checks. BUT THESE ARE UNSAFE. Any malicious client can modify the code, and omit checks.


@asciimike是Firebase安全规则开发人员.他说,目前尚无办法对文档的密钥实施唯一性. https://twitter.com/asciimike/status/937032291511025664

@asciimike on twitter is a firebase security rules developer.He says there is currently no way to enforce uniqueness on a key on a document. https://twitter.com/asciimike/status/937032291511025664

由于firestore基于Google Cloud datastore,因此它继承了此问题.自2008年以来,这是一个长期存在的要求. https://issuetracker.google.com/issues/35875869#c14

Since firestore is based on Google Cloud datastore it inherits this issue. It's been a long standing request since 2008.https://issuetracker.google.com/issues/35875869#c14

但是,您可以使用firebase functions和一些严格的security rules来实现自己的目标.

However, you can achieve your goal by using firebase functions and some strict security rules.

您可以在介质上查看我的整个建议解决方案. https://medium.com/@jqualls/firebase-firestore-unique-constraints -d0673b7a4952

You can view my entire proposed solution on medium.https://medium.com/@jqualls/firebase-firestore-unique-constraints-d0673b7a4952

这篇关于Cloud Firestore:强制执行唯一的用户名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

09-15 07:25