What is the difference of Firebase authentication custom claims and Firestore document with no write access?

Question

I'm looking for the difference between Firebase authentication with custom claims and a private Firestore document for each user with no write permissions.

The use case I am facing is a SaaS solution with 3 stripe plans. Each stripe plans has different properties. A user should be restricted to the plan they are subscribe to.

The only difference I see is that custom claims only require on call to Firebase while a document in Firestore would require 2 (auth + get user private data).

Are there any other differences I'm missing?

Answer 1

It sounds like you're trying to compare two security models:

1. Store the payment plan information in a custom claim in the user's token.
2. Store the payment plan in a non-writeable document in Firestore.

Some changes that come to mind:

1. As you say the second option will require an extra read operation whenever the security rules need to be validated.
2. Storing the information in the token makes each request from the user bigger, since the claim is in their token. So it uses more bandwidth.

But probably the most important one for making up you mind:

3. A custom claim may not be immediately available on the client, since it depends on the token being refreshed, which may take up to an hour. The information in the database on the other hands is up to date as soon as you write it.

For more good tips around this, have a look at the video Five tips to secure your app.