Is it legit in firestore security rules using $(request.auth.token.email) to verify accessing users' own data?

Question

I'm developing an app with two kinds of permission roles (admin and member). Every time an admin adds a member or another admin, he just needs to add them using their specific email address. In this situation, those emails are not required whether registered or not, and also those users can be added offline.

The problem is when an admin tries to add a member with an email, I can't add that member user id (probably a new member) to the 'users' collection but can add using his/her email address.

So, to be accessed their own data, I'm wondering whether it is recommended to use $(request.auth.token.email) instead of $(request.auth.uid) recommended in firebase security documentation. And also, if you have any suggestions, please let me know. I am very new to firebase security rules.

match /shops/{shop} {
  allow read, write: 
  if get(/databases/$(database)/documents/shops/$(shop)/users/$(request.auth.token.email))
  .data.admin == true;
}

.

Answer 1

If you want to prepopulate roles before the user's are registered, going by their email address is common.

You'll probably want to add a check if the email address is verified in that case, as otherwise anyone can register with one of the email addresses you have listen and gain administrative privileges.

Personally I'd see the mapping from email address to role as a temporary step in this scenario, and store the permanent user record under their UID as is more common. You can even do that client-side, by allowing the user to write the role to their own profile as long as it matches what you have in the email-to-role mapping collection.