Notes

In this section, we’re going to cover role-based authorization using custom claims.

Custom claims are useful when giving users different access levels or roles that can be enforced using security rules.

Common use cases:

• Unlock certain features in your app only for users that have paid for them.
• Tutoring app with different roles for teachers and students
• Ride-sharing app with drivers and passengers
• eCommerce marketplace with sellers and buyers

Our eCommerce app is also a good example of this because we have:

• regular users → can purchase items, leave reviews, review their orders
• admin users → can create, edit, and delete products

So we’ll use it as a real-world example of how to implement role-based authorization.

What’s inside

Here is what we will cover:

• A high-level overview of custom claims (how they work and how to use them)
• Using the Firebase CLI to configure our eCommerce app so we can use it with the Firebase local emulator
• Write a cloud function trigger that we’ll use to set the custom claims securely on the server
• How to enforce some security rules so that only authorized users can perform certain operations with Cloud Firestore
• Ensure that only admin users have access to certain pages in the app (as part of this, we will update our GoRouter redirect logic as well)
• How to combine custom claims and realtime listeners so we can deliver the best user experience
• Deploy our cloud function so that we can run and test the new logic with the real Firebase backend

By the end, you should understand when and how to use custom claims to enable role-based authorization so that you can enable multiple user roles in your Flutter apps.