Implement user roles with Firebase Auth (NextJS)

I'm trying to create a multi-level role system for my website (which is a type of blog).

I've already implemented classic Firebase Auth authentication system, with email/password combo only. By now, every user can post/edit articles because I do't have any granularity. I'd like to change that and make a separation between several roles - starting by Admins/Moderators/Users, but roles don't seem to be available as the default Firebase User model.

How can I possibly migrate my logic to this, and which tool should I use withotu having to redo everything? I've seen people using Firestore (but this was a long time ago, Firebase must've changed since then), and some others tend to prefer the Firebase Auth SDK. By now, new things are even available with this Identity Platform thing, which I don't really understand yet.

Note that I'm using:

• NextJS 13 (Javascript only) with integrated Next API (SSR)
• Deployment on Vercel
• Database split between some Firebase Storage assets (mostly images) and MongoDB (everything else)

You can create your own user table or collection which holds user's role against the email or userId.

Firebase Authentication only handles authentication (validating the user's identity). It does not have any built-in mechanism for authorization (determining what the user is allowed to do).

That said, you can build an authorization model on top of Firebase in a multitude of ways. Some topics to consider:

• There are two common places to store the authorization information (the roles in your use-case): either as a custom claim in the user's profile, or as separate records in a database.

• For securing access to the files in Cloud Storage, you can use Firebase security rules. For an example of this, see the Firebase documentation on implementing custom-claim attributes and roles. A few things to note here:

  • Security rules are applied to access to Cloud Storage through the Firebase client-side SDKs, but not when you access the file through a download URL or through a Google Cloud (server-side) SDKs.
  • The example shows the user's role being stored as a custom claim in their user profile. While this is still possible today, you can nowadays also access Firestore from Storage security rules which gives you a second option on where to store the user's role information.

• For MongoDB, you will have to implement authorization within your own code. If you stored the authorization information as custom claims in the user profile, you can decode the token and get the information from there. If you stored it in a database, you can read it from there and apply it.