How to manage Cloud platform users?


(Aurelio Petrone) #1

Hi everyone, we are setting up the launch of our app but I have some questions:

  1. How I register them to Cloud Platform? Is there any way to do it via node.js? I can add one user at a time via Realm Studio but clearly I need a way to do it programmatically

  2. How I manage those users? I need some way to get all users, edit a user (reset the password, change the username if possible) and delete it.

Thanks in advance.


(Zsolt Jandzso) #2

There is no such thing Cloud ROS.
ROS is self hosted, you are managing the server that host it.

ROS is the same as the cloud, so you can use it in your app like any synced realm. That means you can register users programmatically - see the documentation.


(Aurelio Petrone) #3

Thanks for the answer.

The only thing I found in the documentation for creating a user is:

Realm.Sync.Credentials.usernamePassword(username, password, createUser)

But my question is:

  • If username/password auth is on, everyone can create a user? How I prevent the registration of new users?
  • Once created, I can’t find any way to list/manage those

I’m a bit confused about the cloud/ROS difference…I thought the cloud was just an instance of ROS that I couldn’t manage by myself.


(Zsolt Jandzso) #4
  • I don’t know any way to prevent the registration globally, on the realm cloud instance level - but you can do it with your own logic easily - as you need to build a registration form anyway.
  • registering a user to a realm instance is not the same as registering to an app or a website. You need to save your own user data, and you can manage those.
    If you are using the Realm Studio then connect it to the cloud instance - you can see the registered users there, change password, delete it etc. However its not a full user management tool, you should build your own.

Realm cloud is indeed a ROS instance, which are managed by realm.


(Aurelio Petrone) #5

@freeubi

I understand how to manage data on the realm but not how to manage directly the “users” ( I know that users data is in a custom collection but I’m talking about the credentials to login).

The registration form I build is on the client side. If someone could find my cloud istance url he can make users from a script and access to data. I see a big issue.


(Zsolt Jandzso) #6

Is this not enough?
There is the button for delete user, change password, some basic role management etc.


(Zsolt Jandzso) #7

The registration form I build is on the client side. If someone could find my cloud istance url he can make users from a script and access to data. I see a big issue.

There is this question time to time on this forum, but that is not valid issue. Yes, we can write a script to do that, but what purpose? They can spam your db with users, but not with data. It’s not a realm world issue.


(Aurelio Petrone) #8

It’s not enought if I have 10K (my client has ~30K ) users or if I have to build a custom management tool for a client.

For example If I need to delete them all, how can I do without delete the entire istance?


(Aurelio Petrone) #9

If they can get access to the database they can also create and see data and it’s something I don’t want. And I need they have the ability to do that because at first connection they create some data.


(Zsolt Jandzso) #10

Then you write a script for that.
Realm is a database, not a user management tool.


(Zsolt Jandzso) #11

You cant do that right now.
If you find an another database that has solution for this, please tell me.


(Aurelio Petrone) #12

Maybe it’s not clear.

First I use Query-BAsed sync.

  1. I have an empty database on cloud
  2. I register a user to the cloud
  3. The user login in the APP
    3a) If the use exist the user get access to the database
    3b) If the user can’t log in it says user doesn’t exist
  4. If the user is logged in it create an object in the USER_DATA class and can read the database data

Now, if I enable the username/password auth, someone could create the user and get access to all my data on cloud (read/create)

So as I understood, given a cloud istance url, everybody could connect to it as a registered user and make what he wants. It sounds very strange to me, so maybe something isn’t clear to me.

What’s the point of have username/password if everyone can get one? Only to register identities?


(Zsolt Jandzso) #13

This is true, but only if you don’t use permissions. In the realm world the user only has access their own data - if you have shared data then yes, it will be available.
But that will be available if i create a simple account for your app too…

So as I understood, given a cloud istance url, everybody could connect to it as a registered user and make what he wants. It sounds very strange to me, so maybe something isn’t clear to me.

Thats true for every database. Why is it a problem, that everyone can register? Doest it matter that they do it in your app or vie script?

What’s the point of have username/password if everyone can get one? Only to register identities?

This is the goal of everbody-s application, to reach out users that can create an account an use the services. Why would you make limitations?
Do you want to have paid tiers in your app? Then have a free one with limitation and make your own logic to have premium features.


(Aurelio Petrone) #14

This is true, but only if you don’t use permissions. In the realm world the user only has access their own data - if you have shared data then yes, it will be available.

Yes, I have shared data that’s the problem. But I want this shared data to be available only to registered users.

But that will be available if i create a simple account for your app too…

That’s the reason why I don’t want the user to be able to register by itself.

In my case the client will send to me a list of users, and I will register them before launching the app.

It would be very easy if I just had the possibility to prevent user registration.


(Aurelio Petrone) #15

I think I found a solution using Firebase Auth and JWT.

I create all the users on Firebase, then I login on Firebase, create a JWT with a cloud function and use the token to connect to Realm Cloud.

I just can disable the username/password auth and so the user registration (available as I understood only with that option enabled)