Read and write data without authentication?

[pndalal]

First of all, a big thank you to the devs for this very helpful project!

I'm new to Firebase. I was hoping on letting players read and write data without logging in. The nature of my game is such that a login would be an unnecessary barrier to entry. I figured I'd be able to use cloud functions to sanitize submitted data for security.

The thing is, this SDK seems to require authentication in order to access the Firestore. At first, I figured that logging in users anonymously would be an acceptable workaround. However, this approach creates a new user every time the app is opened. I don't believe that's a sustainable long-term solution as my app scales.

Do you have any suggestions for how I should use this SDK to support my use case? Perhaps there is something I missed.

---

EDIT: After a little more digging, it seems I might be able to use the email and password method to authenticate users. Instead of using an actual email, I could use a string derived from their device id. This would create one unique user per device without requiring players to make an account. I believe this approach will work for my needs, but feel free to critique it or let me know if there's a better way. Thanks!

[BearDooks]

@pndalal I apologize it took so long to get back to you. I know some of the team was getting ready for Godotcon and the talk that they gave there.

Long story short Google and Firebase don't recommend allowing access without Auth. This can allow someone to write or remove data. Remove is obviously bad, but if they write massive amounts of data, you can find yourself with a huge bill from Google.

I think your solution would work fine, the security rules are going to be the most important thing to look at.

Chuck

[WolfgangSenff]

It is actually a little easier even than proposed - you can just use anonymous authentication. Google will create an identifier for you and use that, and it's unique per device. :)

The above is a well-tested method, and is being done at current in https://wolfgangsenff.itch.io/hero-babysitters-club, which I introduced in my talk at GodotCon.

And yes, so sorry it took so long to get back to you, @pndalal!

[pndalal]

No worries at all. Thank you both for your replies!

@BearDooks That makes sense, especially when it comes to direct access. I feel that when it comes to Cloud Functions, however, I wouldn't expect an authentication requirement, since I could be using functions to update data in a secure and controlled way. But that's probably a different topic, since the Cloud Function API hasn't been included yet (I see that it might be included soon).

@WolfgangSenff I did explore that possibility briefly, but it seems that anonymous authentication creates a new user every time my app is opened. So it's not just unique per device, but it's unique per session, and it never gets deleted. I feel like that's not ideal as my app scales, which is why I opted for the email and password system. But perhaps I misunderstood :P

[WolfgangSenff]

Ah, hm. I didn't know it created a new one each time. You can use Godot's built in device-ID I believe, which should work as long as you aren't exporting for HTML. It's definitely something to look into, and should give you a good head start, @pndalal .