DEV Community: VINCENT PHIRI The latest articles on DEV Community by VINCENT PHIRI (@vincent_phiri_fc220a95092). https://dev.to/vincent_phiri_fc220a95092 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2887535%2F4416edc5-060f-46c6-8afd-891a34455544.jpg DEV Community: VINCENT PHIRI https://dev.to/vincent_phiri_fc220a95092 en How I Lost a Six-Figure SaaS Contract to a "Vibe Coder" (Even Though I Used AI Too) VINCENT PHIRI Sun, 07 Jun 2026 18:45:18 +0000 https://dev.to/vincent_phiri_fc220a95092/how-i-lost-a-six-figure-saas-contract-to-a-vibe-coder-even-though-i-used-ai-too-1411 https://dev.to/vincent_phiri_fc220a95092/how-i-lost-a-six-figure-saas-contract-to-a-vibe-coder-even-though-i-used-ai-too-1411 <p><em>Have you seen the think-pieces. "AI is coming for your jobs." "English is the new programming language." As a seasoned software developer based in South Africa, I used to think I was ahead of the curve. I wasn't an AI denier; in fact, I actively use Agentic AI assistants to cut down my development time, spin up boilerplates, and ship features faster than ever.</em></p> <p>I thought leveraging AI inside my IDE made me very competitive.</p> <p>Oh boy was i wrong by huge margin. Recently, I didn't just lose a lucrative, six-figure administrative SaaS contract to AI—I lost it to a human who didn't write a single line of code. I lost it to an Operations Manager who decided to "vibe code" an entire alternative system.</p> <p>Here is the wake-up call of how it happened, the sobering conversation we had, and why merely using AI as a coding assistant does not put us(software developers) head and shoulders above the rest.</p> <h2> The Setup: Fast Shipping, False Security </h2> <p>In early 2025, I landed a highly competitive contract to build a comprehensive administrative SaaS solution for a prominent local company in South Africa which does high end corporate events and venue management services. There was no single source of truth, operations and admin very disjointed. </p> <p>They need a solution to streamline operations and have one source of truth to make operations as efficient and effective as possible.I did my workflows audits and came up with a workable system that the owners loved, well eventually. There were feedback meetings we held after my presentation and made adjustments from the suggestions I got from management and lower staff. After a month or so my solution was adopted and went live. It was a bespoke SaaS.</p> <p>Using Claude Code helped me code components, generate APIs, and I rapidly deployed both a web portal and mobile application. Thanks to AI assistance, I built it in record time. The client was thrilled, and the project naturally transitioned into a highly lucrative monthly maintenance contract.</p> <p>I felt completely secure. I was the "10x engineer" who knew how to prompt, how to code, and how to architect. I held the keys to the repository.</p> <p>Then came the Operations Manager.</p> <h2> The Plot Twist: "Please don't be angry with me..." </h2> <p>The company’s Operations Manager is brilliant at his job, but he has zero software development background. He couldn't write a loop if his life depended on it. What he did have, however, was a 100% granular view of the company's daily operational bottlenecks—angles I hadn't fully captured because I didn't live in their day-to-day chaos.<br> Instead of waiting for me to build custom features on my retainer, he signed up to Claude Max5 began vibe coding. He just fed the AI business logic, real-world data structures, and company pain points.</p> <p>Within two months, he didn't just build a prototype. He built a comprehensive, highly practical, fully functioning alternative SaaS solution.<br> When he finally revealed what he had done, he asked to sit down with me. I'll never forget how the conversation started. He looked at me nervously and said:</p> <blockquote> <p>Please don’t be angry with me. What I’m about to tell you might make you furiously angry with me...<br> He then laid out his alternative system and explained his reasoning plainly: </p> <p>I didn’t want the company to keep spending massive amounts of money on a maintenance retainer when I could just build what we needed myself. It took me two months, spent about $700 on the build.</p> </blockquote> <p>His solution was vastly cheaper than my contract, completely tailored to their exact workflows, and it worked. He successfully beat me out of my own contract.</p> <h2> The Realization: AI-Assisted Coding vs. Pure Vibe Coding </h2> <p>This was a massive slice of humble pie. My immediate defense mechanism was to think, </p> <blockquote> <p>But I used AI to build my system too! My code is cleaner, safer, and better architected!</p> </blockquote> <p>But here is the brutal reality we have to face as professional developers:<strong>Knowing how to code using AI didn't protect me from the guy who doesn't know how to code at all.</strong></p> <p>Why? Because I was using AI to write code. He was using AI to write solutions.</p> <p>I was focused on syntax efficiency, database optimization, and deployment pipelines. He was focused 100% on the organizational problems because he understood the business inside and out. <br> To management, a $700 system built by an insider that solves 95% of their immediate operational problems today will always win over a beautifully architected, expensive system built by an external dev, who is me and you.</p> <p>By being dismissive or elitist about "vibe coders," we are actively pushing ourselves out of business. Our direct competition is no longer just other software agencies; it’s the ambitious, frustrated employee inside our client's office.</p> <h2> The Blueprint: How We Take the Lead </h2> <p>If someone with zero coding knowledge can build a super-alternative SaaS system in two months for a few hundred dollars, imagine what we can do if we combine actual engineering fundamentals with that same level of business-centric execution.</p> <p><em>We need to shift our focus immediately:</em><br> <strong>1. Stop Hiding Behind the Code</strong><br> Having our hands 100% under the hood isn't the flex it used to be. We need to spend less time worrying about the lines of code and more time understanding the business domain. If we don’t have a 100% view of the organization’s actual day-to-day problems, a vibe coder who does will replace us.</p> <p><strong>2. Move from Developers to "Super-Architects"</strong><br> Vibe-coded applications are amazing for immediate business logic, but they eventually hit walls regarding complex security, data compliance (like POPIA here in South Africa), and massive scaling. Our value is no longer in typing the code faster than them; it's in being the guardrails. We should be the ones helping them architect, secure, and scale these systems safely.</p> <p><strong>3. Build at 100x Speed, Not 10x</strong><br> If non-technical builders are using AI to disrupt us, we must use our technical knowledge to out-pace them. We know how databases should handle edge cases. We know how APIs should be secured. By combining deep engineering logic with high-speed AI generation, a single professional developer should be able to ship entire enterprise ecosystems over a weekend.</p> <h2> The Silverlining </h2> <p>Losing that contract was a painful lesson, but it forced me to see where the tech landscape is heading. The gatekeeping era of software development is officially dead.</p> <p>Have you ever been bypassed by a non-technical stakeholder building their own tools? If you are a developer who uses AI, how are you changing your strategy to ensure you're delivering unique value that a "vibe coder" can't replicate?</p> ai vibecoding softwaredevelopment I Was Tired of Writing the Same Firebase Auth Boilerplate in Every React Native App — So I Built FireGuard VINCENT PHIRI Thu, 14 May 2026 19:10:56 +0000 https://dev.to/vincent_phiri_fc220a95092/i-was-tired-of-writing-the-same-firebase-auth-boilerplate-in-every-react-native-app-so-i-built-1m86 https://dev.to/vincent_phiri_fc220a95092/i-was-tired-of-writing-the-same-firebase-auth-boilerplate-in-every-react-native-app-so-i-built-1m86 <h2> How I went from copying and pasting 300 lines of auth code across projects to a single npm package that handles everything — protected routes, role-based access, and security best practices out of the box. </h2> <p>The Problem I Kept Running Into<br> Every time I started a new React Native project with Firebase, I found myself writing the same code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// The same listener. Every. Single. Project.</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">unsubscribe</span> <span class="o">=</span> <span class="nf">onAuthStateChanged</span><span class="p">(</span><span class="nx">auth</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">doc</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getDoc</span><span class="p">(</span><span class="nf">doc</span><span class="p">(</span><span class="nx">db</span><span class="p">,</span> <span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">uid</span><span class="p">));</span> <span class="nf">setRole</span><span class="p">(</span><span class="nx">doc</span><span class="p">.</span><span class="nf">data</span><span class="p">()?.</span><span class="nx">role</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">);</span> <span class="nf">setUser</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nf">setUser</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nf">setRole</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="p">}</span> <span class="nf">setIsLoaded</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">unsubscribe</span><span class="p">;</span> <span class="p">},</span> <span class="p">[]);</span> </code></pre> </div> <p>Then the route guard logic. Then the redirect logic. Then the "show this only for admins" logic. Then the error messages. Then realizing I'm storing the raw Firebase User object in state — which contains your ID token, refresh token, and all kinds of internals — and that React DevTools can expose it to anyone inspecting the app.<br> It was boilerplate on top of boilerplate, and I kept making the same security mistakes every time.<br> If you've used Clerk with Expo, you know how different it feels:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// Clerk makes this effortless</span> <span class="p">&lt;</span><span class="nc">SignedIn</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">ProtectedScreen</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">SignedIn</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">SignedOut</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">LoginScreen</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">SignedOut</span><span class="p">&gt;</span> </code></pre> </div> <p>That declarative, component-based approach is exactly what Firebase developers deserve too. So I built it.</p> <p><strong>Introducing FireGuard</strong> 🔥🛡️<br> FireGuard is a security-first authentication wrapper for Firebase + Expo React Native apps. It gives you the Clerk-like developer experience on top of Firebase Auth.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>react-native-fireguard </code></pre> </div> <p><strong>364 downloads in its first 4 days on npm.</strong> Clearly, I'm not the only one who felt this pain.<br> Here's what it gives you in under 5 minutes of setup.</p> <p><strong>From This... To This</strong><br> Before FireGuard<br> Here's what a typical Firebase auth setup looks like in a real Expo app:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// _layout.jsx — the typical Firebase boilerplate nightmare</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useEffect</span><span class="p">,</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useRouter</span><span class="p">,</span> <span class="nx">useSegments</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">expo-router</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">onAuthStateChanged</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">firebase/auth</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getDoc</span><span class="p">,</span> <span class="nx">doc</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">firebase/firestore</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">auth</span><span class="p">,</span> <span class="nx">db</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./firebase</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">RootLayout</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">user</span><span class="p">,</span> <span class="nx">setUser</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">role</span><span class="p">,</span> <span class="nx">setRole</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">isLoaded</span><span class="p">,</span> <span class="nx">setIsLoaded</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nf">useRouter</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">segments</span> <span class="o">=</span> <span class="nf">useSegments</span><span class="p">();</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">unsubscribe</span> <span class="o">=</span> <span class="nf">onAuthStateChanged</span><span class="p">(</span><span class="nx">auth</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">firebaseUser</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">firebaseUser</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">snap</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getDoc</span><span class="p">(</span><span class="nf">doc</span><span class="p">(</span><span class="nx">db</span><span class="p">,</span> <span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">firebaseUser</span><span class="p">.</span><span class="nx">uid</span><span class="p">));</span> <span class="nf">setRole</span><span class="p">(</span><span class="nx">snap</span><span class="p">.</span><span class="nf">exists</span><span class="p">()</span> <span class="p">?</span> <span class="nx">snap</span><span class="p">.</span><span class="nf">data</span><span class="p">().</span><span class="nx">role</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="nf">setRole</span><span class="p">(</span><span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="nf">setUser</span><span class="p">(</span><span class="nx">firebaseUser</span><span class="p">);</span> <span class="c1">// ⚠️ raw User object in state — security risk</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nf">setUser</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nf">setRole</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="p">}</span> <span class="nf">setIsLoaded</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">unsubscribe</span><span class="p">;</span> <span class="p">},</span> <span class="p">[]);</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isLoaded</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">inAuthGroup</span> <span class="o">=</span> <span class="nx">segments</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">(auth)</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">inAuthGroup</span><span class="p">)</span> <span class="nx">router</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="dl">'</span><span class="s1">/(auth)/login</span><span class="dl">'</span><span class="p">);</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span> <span class="o">&amp;&amp;</span> <span class="nx">inAuthGroup</span><span class="p">)</span> <span class="nx">router</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="dl">'</span><span class="s1">/(tabs)</span><span class="dl">'</span><span class="p">);</span> <span class="p">},</span> <span class="p">[</span><span class="nx">user</span><span class="p">,</span> <span class="nx">isLoaded</span><span class="p">,</span> <span class="nx">segments</span><span class="p">]);</span> <span class="c1">// Now pass user/role through context... more boilerplate</span> <span class="c1">// Then protect individual screens... more boilerplate</span> <span class="c1">// Then handle admin-only content... even more boilerplate</span> <span class="p">}</span> </code></pre> </div> <p>That's just the root layout. You haven't even touched the individual screens yet.<br> <strong>After FireGuard</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// _layout.jsx — the entire auth setup, done</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Slot</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">expo-router</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">FirebaseAuthProvider</span><span class="p">,</span> <span class="nx">RouteGuard</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-native-fireguard</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">firebaseConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_API_KEY</span><span class="p">,</span> <span class="na">authDomain</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_AUTH_DOMAIN</span><span class="p">,</span> <span class="na">projectId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_PROJECT_ID</span><span class="p">,</span> <span class="na">storageBucket</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_STORAGE_BUCKET</span><span class="p">,</span> <span class="na">messagingSenderId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_MESSAGING_SENDER_ID</span><span class="p">,</span> <span class="na">appId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_APP_ID</span><span class="p">,</span> <span class="p">};</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">RootLayout</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">FirebaseAuthProvider</span> <span class="nx">config</span><span class="o">=</span><span class="p">{</span><span class="nx">firebaseConfig</span><span class="p">}</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">RouteGuard</span> <span class="nx">loginRoute</span><span class="o">=</span><span class="dl">"</span><span class="s2">/(auth)/login</span><span class="dl">"</span> <span class="nx">homeRoute</span><span class="o">=</span><span class="dl">"</span><span class="s2">/(tabs)</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">Slot</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="sr">/RouteGuard</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/FirebaseAuthProvider</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>That's it. Route protection, Firestore role fetching, token management — all handled.</p> <p><strong>The Full Feature Set</strong></p> <ol> <li>Declarative Auth Components Show and hide content based on auth state — no if statements scattered across your components: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">SignedIn</span><span class="p">,</span> <span class="nx">SignedOut</span><span class="p">,</span> <span class="nx">useAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-native-fireguard</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">HomeScreen</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">role</span><span class="p">,</span> <span class="nx">signOut</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useAuth</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nc">View</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">SignedIn</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Text</span><span class="p">&gt;</span>Welcome, <span class="si">{</span><span class="nx">user</span><span class="p">?.</span><span class="nx">email</span><span class="si">}</span>!<span class="p">&lt;/</span><span class="nc">Text</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Role-based access control */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nc">Protect</span> <span class="na">role</span><span class="p">=</span><span class="s">"admin"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">AdminDashboard</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Protect</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Protect</span> <span class="na">role</span><span class="p">=</span><span class="si">{</span><span class="p">[</span><span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">moderator</span><span class="dl">"</span><span class="p">]</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">ModerationTools</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Protect</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Button</span> <span class="na">title</span><span class="p">=</span><span class="s">"Sign Out"</span> <span class="na">onPress</span><span class="p">=</span><span class="si">{</span><span class="nx">signOut</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">SignedIn</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">SignedOut</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Text</span><span class="p">&gt;</span>Please sign in to continue<span class="p">&lt;/</span><span class="nc">Text</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">SignedOut</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">View</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>2. Pre-Built Auth Screens</strong><br> Stop building login forms from scratch:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// app/(auth)/login.jsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SignIn</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-native-fireguard</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">LoginScreen</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nc">SignIn</span> <span class="p">/&gt;;</span> <span class="c1">// Full form with validation, loading states, error handling</span> <span class="p">}</span> </code></pre> </div> <p><strong>3. Role-Based Tab Visibility</strong><br> Hide entire tabs from users who don't have permission — not just the content inside them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app/(tabs)/_layout.jsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Tabs</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">expo-router</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-native-fireguard</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">TabsLayout</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useAuth</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">isAdmin</span> <span class="o">=</span> <span class="nx">role</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">;</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">Tabs</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">Tabs</span><span class="p">.</span><span class="nx">Screen</span> <span class="nx">name</span><span class="o">=</span><span class="dl">"</span><span class="s2">home</span><span class="dl">"</span> <span class="nx">options</span><span class="o">=</span><span class="p">{{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Home</span><span class="dl">'</span> <span class="p">}}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">Tabs</span><span class="p">.</span><span class="nx">Screen</span> <span class="nx">name</span><span class="o">=</span><span class="dl">"</span><span class="s2">profile</span><span class="dl">"</span> <span class="nx">options</span><span class="o">=</span><span class="p">{{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Profile</span><span class="dl">'</span> <span class="p">}}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">Tabs</span><span class="p">.</span><span class="nx">Screen</span> <span class="nx">name</span><span class="o">=</span><span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span> <span class="nx">options</span><span class="o">=</span><span class="p">{{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Admin</span><span class="dl">'</span><span class="p">,</span> <span class="na">href</span><span class="p">:</span> <span class="nx">isAdmin</span> <span class="p">?</span> <span class="kc">undefined</span> <span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="c1">// completely invisible to non-admins</span> <span class="p">}}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/Tabs</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>4. Secure API Calls</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">getIdToken</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useAuth</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">fetchSensitiveData</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Force-refresh the token before a payment or sensitive operation</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getIdToken</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.yourapp.com/payment</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">100</span> <span class="p">}),</span> <span class="p">});</span> <span class="p">};</span> </code></pre> </div> <p><strong>The Security Decisions That Matter</strong><br> This isn't just a convenience wrapper. FireGuard was built with specific security problems in mind that most Firebase implementations get wrong.</p> <p><strong>Problem 1: Raw Firebase User in React State</strong><br> Most tutorials tell you to do this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">[</span><span class="nx">user</span><span class="p">,</span> <span class="nx">setUser</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nf">onAuthStateChanged</span><span class="p">(</span><span class="nx">auth</span><span class="p">,</span> <span class="p">(</span><span class="nx">firebaseUser</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setUser</span><span class="p">(</span><span class="nx">firebaseUser</span><span class="p">);</span> <span class="c1">// ❌ This puts your ID token in React state</span> <span class="p">});</span> </code></pre> </div> <p>The Firebase User object contains stsTokenManager — your raw ID token and refresh token. When you put it in React state, it becomes visible in React DevTools to anyone with access to your development environment, and it can be accidentally logged or serialized.<br> FireGuard's fix: The raw User is stored in a useRef — completely invisible to React DevTools — and only a sanitized SafeUser object is exposed through context:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// What FireGuard exposes — no tokens, no internals</span> <span class="kr">interface</span> <span class="nx">SafeUser</span> <span class="p">{</span> <span class="nl">uid</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">email</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span><span class="p">;</span> <span class="nl">displayName</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span><span class="p">;</span> <span class="nl">emailVerified</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">isAnonymous</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="c1">// ... safe properties only</span> <span class="p">}</span> </code></pre> </div> <p><strong>Problem 2: onAuthStateChanged Misses Token Revocations</strong><br> If you disable a user in the Firebase Console or revoke their token via the Admin SDK, onAuthStateChanged <strong>never fires</strong>. The user stays signed in indefinitely on the client.</p> <p><strong>FireGuard's fix:</strong> Uses onIdTokenChanged instead, which fires on every token refresh cycle (~every hour) and catches server-side revocations immediately.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// FireGuard uses this instead of onAuthStateChanged</span> <span class="nf">onIdTokenChanged</span><span class="p">(</span><span class="nx">auth</span><span class="p">,</span> <span class="p">(</span><span class="nx">firebaseUser</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Fires on: sign in, sign out, token refresh, AND token revocation</span> <span class="p">});</span> </code></pre> </div> <p><strong>Problem 3: Email Enumeration</strong><br> Most auth error handlers do this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="dl">'</span><span class="s1">auth/user-not-found</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">No account found with this email.</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// ❌</span> <span class="dl">'</span><span class="s1">auth/wrong-password</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Incorrect password.</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// ❌</span> </code></pre> </div> <p>An attacker can use different error messages to test which emails are registered in your app. This is a well-documented attack called email enumeration — and it's trivially easy to automate.</p> <p><strong>FireGuard's fix:</strong> Both codes return the same message:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="dl">'</span><span class="s1">auth/user-not-found</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid email or password.</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// ✅</span> <span class="dl">'</span><span class="s1">auth/wrong-password</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid email or password.</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// ✅</span> </code></pre> </div> <p><strong>Problem 4: Route Guard Race Conditions</strong><br> Expo Router's navigation is async. If you call router.replace() before the navigator is mounted, it silently fails — leaving an unauthenticated user on a protected screen with no redirect.</p> <p><strong>FireGuard's fix:</strong> Checks useRootNavigationState before any redirect:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">navigationState</span> <span class="o">=</span> <span class="nf">useRootNavigationState</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">isNavigatorReady</span> <span class="o">=</span> <span class="o">!!</span><span class="nx">navigationState</span><span class="p">?.</span><span class="nx">key</span><span class="p">;</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isLoaded</span> <span class="o">||</span> <span class="o">!</span><span class="nx">isNavigatorReady</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="c1">// wait for navigator</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="nx">router</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="nx">loginRoute</span><span class="p">);</span> <span class="p">},</span> <span class="p">[</span><span class="nx">isLoaded</span><span class="p">,</span> <span class="nx">isNavigatorReady</span><span class="p">,</span> <span class="nx">user</span><span class="p">]);</span> </code></pre> </div> <p><strong>Setting Up Role-Based Access Control</strong><br> Roles are stored in Firestore. The structure is simple:<br> Collection: users<br> └── Document: {firebase_auth_uid} ← must be the user's UID<br> ├── role: "admin"<br> └── email: "<a href="mailto:user@example.com">user@example.com</a>"<br> To make a user an admin:</p> <p>Go to <strong>Firebase Console **→ Authentication → Users<br> Copy the user's UID<br> Go to **Firestore → users collection</strong> → Add document<br> Set Document ID = the UID<br> Add field: role (string) = "admin"</p> <p>That's it. Next time they sign in, FireGuard fetches their role and it's available everywhere via useAuth().<br> FireGuard defaults any user without a Firestore document to role: "user" — so your app works even before you set up roles.</p> <p><strong>Getting Started in 5 Minutes</strong><br> Install:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>react-native-fireguard npx expo <span class="nb">install </span>firebase @react-native-async-storage/async-storage expo-router </code></pre> </div> <p><strong>Set up your .env:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">EXPO_PUBLIC_FIREBASE_API_KEY</span><span class="p">=</span><span class="s">your_key</span> <span class="py">EXPO_PUBLIC_FIREBASE_AUTH_DOMAIN</span><span class="p">=</span><span class="s">your_project.firebaseapp.com</span> <span class="py">EXPO_PUBLIC_FIREBASE_PROJECT_ID</span><span class="p">=</span><span class="s">your_project_id</span> <span class="py">EXPO_PUBLIC_FIREBASE_STORAGE_BUCKET</span><span class="p">=</span><span class="s">your_project.appspot.com</span> <span class="py">EXPO_PUBLIC_FIREBASE_MESSAGING_SENDER_ID</span><span class="p">=</span><span class="s">your_sender_id</span> <span class="py">EXPO_PUBLIC_FIREBASE_APP_ID</span><span class="p">=</span><span class="s">your_app_id</span> </code></pre> </div> <p><strong>Root layout:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app/_layout.jsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Slot</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">expo-router</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">FirebaseAuthProvider</span><span class="p">,</span> <span class="nx">RouteGuard</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-native-fireguard</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">RootLayout</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">FirebaseAuthProvider</span> <span class="nx">config</span><span class="o">=</span><span class="p">{{</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_API_KEY</span><span class="p">,</span> <span class="na">authDomain</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_AUTH_DOMAIN</span><span class="p">,</span> <span class="na">projectId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_PROJECT_ID</span><span class="p">,</span> <span class="na">storageBucket</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_STORAGE_BUCKET</span><span class="p">,</span> <span class="na">messagingSenderId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_MESSAGING_SENDER_ID</span><span class="p">,</span> <span class="na">appId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_APP_ID</span><span class="p">,</span> <span class="p">}}</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">RouteGuard</span> <span class="nx">loginRoute</span><span class="o">=</span><span class="dl">"</span><span class="s2">/(auth)/login</span><span class="dl">"</span> <span class="nx">homeRoute</span><span class="o">=</span><span class="dl">"</span><span class="s2">/(tabs)</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">Slot</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="sr">/RouteGuard</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/FirebaseAuthProvider</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>Login Screen</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// app/(auth)/login.jsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SignIn</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-native-fireguard</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">LoginScreen</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nc">SignIn</span> <span class="p">/&gt;;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Protected Screen</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// app/(tabs)/home.jsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SignedIn</span><span class="p">,</span> <span class="nx">Protect</span><span class="p">,</span> <span class="nx">useAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-native-fireguard</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">HomeScreen</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">role</span><span class="p">,</span> <span class="nx">signOut</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useAuth</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nc">SignedIn</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Text</span><span class="p">&gt;</span>Welcome <span class="si">{</span><span class="nx">user</span><span class="p">?.</span><span class="nx">email</span><span class="si">}</span> — Role: <span class="si">{</span><span class="nx">role</span><span class="si">}</span><span class="p">&lt;/</span><span class="nc">Text</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Protect</span> <span class="na">role</span><span class="p">=</span><span class="s">"admin"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Text</span><span class="p">&gt;</span>🔐 Admin only<span class="p">&lt;/</span><span class="nc">Text</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">Protect</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">SignedIn</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>That's the whole setup. Auth, routing, and RBAC — done.</p> <p><strong>API Quick Reference</strong><br> Component / HookWhat it doesRoot provider — wraps your entire appAuto-redirects unauthenticated usersShows children only when signed inShows children only when signed outShows children only for specified roleShows children while auth is loadingPre-built sign in formPre-built sign up formuseAuth()Returns user, role, isLoaded, signOut, getIdToken</p> <p><strong>What's Next</strong><br> <strong>FireGuard</strong> is actively maintained. Coming in future versions:</p> <ul> <li>TypeScript types — full .d.ts declarations</li> <li>Biometric auth support — Face ID / fingerprint integration</li> <li>Session timeout — auto sign-out after inactivity</li> <li>Social login helpers — Google, Apple, GitHub sign-in components</li> <li>Firestore helper hooks — useDocument, useCollection with built-in auth</li> </ul> <p><strong>Links</strong><br> <strong>npm:</strong><a href="//npmjs.com/package/react-native-fireguard">npmjs.com/package/react-native-fireguard</a><br> <strong>GitHub:</strong><a href="//github.com/Inspire00/react-native-fireguard">npmjs.com/package/react-native-fireguard<br> </a><br> <strong>Issues:</strong><a href="//github.com/Inspire00/react-native-fireguard/issues">github.com/Inspire00/react-native-fireguard/issues</a><br> If this saves you time on your next Firebase project, drop a ⭐ on GitHub and share it with your team. And if you run into any issues or have feature ideas — open an issue, I'm actively reading them.</p> <p>Built by <a href="https://vincentapps.xyz/profile" rel="noopener noreferrer">Vincent</a> — a developer who got tired of writing the same Firebase boilerplate one too many times.</p> <p>react-native firebase expo authentication open-source javascript mobile-development rbac</p> javascript productivity reactnative showdev