DEV Community: VINCENT PHIRI The latest articles on DEV Community by VINCENT PHIRI (@vincent_phiri_fc220a95092). https://dev.to/vincent_phiri_fc220a95092 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2887535%2F4416edc5-060f-46c6-8afd-891a34455544.jpg DEV Community: VINCENT PHIRI https://dev.to/vincent_phiri_fc220a95092 en I Was Tired of Writing the Same Firebase Auth Boilerplate in Every React Native App — So I Built FireGuard VINCENT PHIRI Thu, 14 May 2026 19:10:56 +0000 https://dev.to/vincent_phiri_fc220a95092/i-was-tired-of-writing-the-same-firebase-auth-boilerplate-in-every-react-native-app-so-i-built-1m86 https://dev.to/vincent_phiri_fc220a95092/i-was-tired-of-writing-the-same-firebase-auth-boilerplate-in-every-react-native-app-so-i-built-1m86 <h2> How I went from copying and pasting 300 lines of auth code across projects to a single npm package that handles everything — protected routes, role-based access, and security best practices out of the box. </h2> <p>The Problem I Kept Running Into<br> Every time I started a new React Native project with Firebase, I found myself writing the same code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// The same listener. Every. Single. Project.</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">unsubscribe</span> <span class="o">=</span> <span class="nf">onAuthStateChanged</span><span class="p">(</span><span class="nx">auth</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">doc</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getDoc</span><span class="p">(</span><span class="nf">doc</span><span class="p">(</span><span class="nx">db</span><span class="p">,</span> <span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">uid</span><span class="p">));</span> <span class="nf">setRole</span><span class="p">(</span><span class="nx">doc</span><span class="p">.</span><span class="nf">data</span><span class="p">()?.</span><span class="nx">role</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">);</span> <span class="nf">setUser</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nf">setUser</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nf">setRole</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="p">}</span> <span class="nf">setIsLoaded</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">unsubscribe</span><span class="p">;</span> <span class="p">},</span> <span class="p">[]);</span> </code></pre> </div> <p>Then the route guard logic. Then the redirect logic. Then the "show this only for admins" logic. Then the error messages. Then realizing I'm storing the raw Firebase User object in state — which contains your ID token, refresh token, and all kinds of internals — and that React DevTools can expose it to anyone inspecting the app.<br> It was boilerplate on top of boilerplate, and I kept making the same security mistakes every time.<br> If you've used Clerk with Expo, you know how different it feels:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// Clerk makes this effortless</span> <span class="p">&lt;</span><span class="nc">SignedIn</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">ProtectedScreen</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">SignedIn</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">SignedOut</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">LoginScreen</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">SignedOut</span><span class="p">&gt;</span> </code></pre> </div> <p>That declarative, component-based approach is exactly what Firebase developers deserve too. So I built it.</p> <p><strong>Introducing FireGuard</strong> 🔥🛡️<br> FireGuard is a security-first authentication wrapper for Firebase + Expo React Native apps. It gives you the Clerk-like developer experience on top of Firebase Auth.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>react-native-fireguard </code></pre> </div> <p><strong>364 downloads in its first 4 days on npm.</strong> Clearly, I'm not the only one who felt this pain.<br> Here's what it gives you in under 5 minutes of setup.</p> <p><strong>From This... To This</strong><br> Before FireGuard<br> Here's what a typical Firebase auth setup looks like in a real Expo app:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// _layout.jsx — the typical Firebase boilerplate nightmare</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useEffect</span><span class="p">,</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useRouter</span><span class="p">,</span> <span class="nx">useSegments</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">expo-router</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">onAuthStateChanged</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">firebase/auth</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getDoc</span><span class="p">,</span> <span class="nx">doc</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">firebase/firestore</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">auth</span><span class="p">,</span> <span class="nx">db</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./firebase</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">RootLayout</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">user</span><span class="p">,</span> <span class="nx">setUser</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">role</span><span class="p">,</span> <span class="nx">setRole</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">isLoaded</span><span class="p">,</span> <span class="nx">setIsLoaded</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nf">useRouter</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">segments</span> <span class="o">=</span> <span class="nf">useSegments</span><span class="p">();</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">unsubscribe</span> <span class="o">=</span> <span class="nf">onAuthStateChanged</span><span class="p">(</span><span class="nx">auth</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">firebaseUser</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">firebaseUser</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">snap</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getDoc</span><span class="p">(</span><span class="nf">doc</span><span class="p">(</span><span class="nx">db</span><span class="p">,</span> <span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">,</span> <span class="nx">firebaseUser</span><span class="p">.</span><span class="nx">uid</span><span class="p">));</span> <span class="nf">setRole</span><span class="p">(</span><span class="nx">snap</span><span class="p">.</span><span class="nf">exists</span><span class="p">()</span> <span class="p">?</span> <span class="nx">snap</span><span class="p">.</span><span class="nf">data</span><span class="p">().</span><span class="nx">role</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="nf">setRole</span><span class="p">(</span><span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="nf">setUser</span><span class="p">(</span><span class="nx">firebaseUser</span><span class="p">);</span> <span class="c1">// ⚠️ raw User object in state — security risk</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nf">setUser</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nf">setRole</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="p">}</span> <span class="nf">setIsLoaded</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">unsubscribe</span><span class="p">;</span> <span class="p">},</span> <span class="p">[]);</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isLoaded</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">inAuthGroup</span> <span class="o">=</span> <span class="nx">segments</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">(auth)</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">inAuthGroup</span><span class="p">)</span> <span class="nx">router</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="dl">'</span><span class="s1">/(auth)/login</span><span class="dl">'</span><span class="p">);</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span> <span class="o">&amp;&amp;</span> <span class="nx">inAuthGroup</span><span class="p">)</span> <span class="nx">router</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="dl">'</span><span class="s1">/(tabs)</span><span class="dl">'</span><span class="p">);</span> <span class="p">},</span> <span class="p">[</span><span class="nx">user</span><span class="p">,</span> <span class="nx">isLoaded</span><span class="p">,</span> <span class="nx">segments</span><span class="p">]);</span> <span class="c1">// Now pass user/role through context... more boilerplate</span> <span class="c1">// Then protect individual screens... more boilerplate</span> <span class="c1">// Then handle admin-only content... even more boilerplate</span> <span class="p">}</span> </code></pre> </div> <p>That's just the root layout. You haven't even touched the individual screens yet.<br> <strong>After FireGuard</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// _layout.jsx — the entire auth setup, done</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Slot</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">expo-router</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">FirebaseAuthProvider</span><span class="p">,</span> <span class="nx">RouteGuard</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-native-fireguard</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">firebaseConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_API_KEY</span><span class="p">,</span> <span class="na">authDomain</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_AUTH_DOMAIN</span><span class="p">,</span> <span class="na">projectId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_PROJECT_ID</span><span class="p">,</span> <span class="na">storageBucket</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_STORAGE_BUCKET</span><span class="p">,</span> <span class="na">messagingSenderId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_MESSAGING_SENDER_ID</span><span class="p">,</span> <span class="na">appId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_APP_ID</span><span class="p">,</span> <span class="p">};</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">RootLayout</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">FirebaseAuthProvider</span> <span class="nx">config</span><span class="o">=</span><span class="p">{</span><span class="nx">firebaseConfig</span><span class="p">}</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">RouteGuard</span> <span class="nx">loginRoute</span><span class="o">=</span><span class="dl">"</span><span class="s2">/(auth)/login</span><span class="dl">"</span> <span class="nx">homeRoute</span><span class="o">=</span><span class="dl">"</span><span class="s2">/(tabs)</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">Slot</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="sr">/RouteGuard</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/FirebaseAuthProvider</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>That's it. Route protection, Firestore role fetching, token management — all handled.</p> <p><strong>The Full Feature Set</strong></p> <ol> <li>Declarative Auth Components Show and hide content based on auth state — no if statements scattered across your components: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">SignedIn</span><span class="p">,</span> <span class="nx">SignedOut</span><span class="p">,</span> <span class="nx">useAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-native-fireguard</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">HomeScreen</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">role</span><span class="p">,</span> <span class="nx">signOut</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useAuth</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nc">View</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">SignedIn</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Text</span><span class="p">&gt;</span>Welcome, <span class="si">{</span><span class="nx">user</span><span class="p">?.</span><span class="nx">email</span><span class="si">}</span>!<span class="p">&lt;/</span><span class="nc">Text</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Role-based access control */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nc">Protect</span> <span class="na">role</span><span class="p">=</span><span class="s">"admin"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">AdminDashboard</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Protect</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Protect</span> <span class="na">role</span><span class="p">=</span><span class="si">{</span><span class="p">[</span><span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">moderator</span><span class="dl">"</span><span class="p">]</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">ModerationTools</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Protect</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Button</span> <span class="na">title</span><span class="p">=</span><span class="s">"Sign Out"</span> <span class="na">onPress</span><span class="p">=</span><span class="si">{</span><span class="nx">signOut</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">SignedIn</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">SignedOut</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Text</span><span class="p">&gt;</span>Please sign in to continue<span class="p">&lt;/</span><span class="nc">Text</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">SignedOut</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">View</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>2. Pre-Built Auth Screens</strong><br> Stop building login forms from scratch:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// app/(auth)/login.jsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SignIn</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-native-fireguard</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">LoginScreen</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nc">SignIn</span> <span class="p">/&gt;;</span> <span class="c1">// Full form with validation, loading states, error handling</span> <span class="p">}</span> </code></pre> </div> <p><strong>3. Role-Based Tab Visibility</strong><br> Hide entire tabs from users who don't have permission — not just the content inside them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app/(tabs)/_layout.jsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Tabs</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">expo-router</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-native-fireguard</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">TabsLayout</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useAuth</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">isAdmin</span> <span class="o">=</span> <span class="nx">role</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">;</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">Tabs</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">Tabs</span><span class="p">.</span><span class="nx">Screen</span> <span class="nx">name</span><span class="o">=</span><span class="dl">"</span><span class="s2">home</span><span class="dl">"</span> <span class="nx">options</span><span class="o">=</span><span class="p">{{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Home</span><span class="dl">'</span> <span class="p">}}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">Tabs</span><span class="p">.</span><span class="nx">Screen</span> <span class="nx">name</span><span class="o">=</span><span class="dl">"</span><span class="s2">profile</span><span class="dl">"</span> <span class="nx">options</span><span class="o">=</span><span class="p">{{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Profile</span><span class="dl">'</span> <span class="p">}}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">Tabs</span><span class="p">.</span><span class="nx">Screen</span> <span class="nx">name</span><span class="o">=</span><span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span> <span class="nx">options</span><span class="o">=</span><span class="p">{{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Admin</span><span class="dl">'</span><span class="p">,</span> <span class="na">href</span><span class="p">:</span> <span class="nx">isAdmin</span> <span class="p">?</span> <span class="kc">undefined</span> <span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="c1">// completely invisible to non-admins</span> <span class="p">}}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/Tabs</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>4. Secure API Calls</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">getIdToken</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useAuth</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">fetchSensitiveData</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Force-refresh the token before a payment or sensitive operation</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getIdToken</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.yourapp.com/payment</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">100</span> <span class="p">}),</span> <span class="p">});</span> <span class="p">};</span> </code></pre> </div> <p><strong>The Security Decisions That Matter</strong><br> This isn't just a convenience wrapper. FireGuard was built with specific security problems in mind that most Firebase implementations get wrong.</p> <p><strong>Problem 1: Raw Firebase User in React State</strong><br> Most tutorials tell you to do this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">[</span><span class="nx">user</span><span class="p">,</span> <span class="nx">setUser</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nf">onAuthStateChanged</span><span class="p">(</span><span class="nx">auth</span><span class="p">,</span> <span class="p">(</span><span class="nx">firebaseUser</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setUser</span><span class="p">(</span><span class="nx">firebaseUser</span><span class="p">);</span> <span class="c1">// ❌ This puts your ID token in React state</span> <span class="p">});</span> </code></pre> </div> <p>The Firebase User object contains stsTokenManager — your raw ID token and refresh token. When you put it in React state, it becomes visible in React DevTools to anyone with access to your development environment, and it can be accidentally logged or serialized.<br> FireGuard's fix: The raw User is stored in a useRef — completely invisible to React DevTools — and only a sanitized SafeUser object is exposed through context:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// What FireGuard exposes — no tokens, no internals</span> <span class="kr">interface</span> <span class="nx">SafeUser</span> <span class="p">{</span> <span class="nl">uid</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">email</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span><span class="p">;</span> <span class="nl">displayName</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span><span class="p">;</span> <span class="nl">emailVerified</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">isAnonymous</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="c1">// ... safe properties only</span> <span class="p">}</span> </code></pre> </div> <p><strong>Problem 2: onAuthStateChanged Misses Token Revocations</strong><br> If you disable a user in the Firebase Console or revoke their token via the Admin SDK, onAuthStateChanged <strong>never fires</strong>. The user stays signed in indefinitely on the client.</p> <p><strong>FireGuard's fix:</strong> Uses onIdTokenChanged instead, which fires on every token refresh cycle (~every hour) and catches server-side revocations immediately.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// FireGuard uses this instead of onAuthStateChanged</span> <span class="nf">onIdTokenChanged</span><span class="p">(</span><span class="nx">auth</span><span class="p">,</span> <span class="p">(</span><span class="nx">firebaseUser</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Fires on: sign in, sign out, token refresh, AND token revocation</span> <span class="p">});</span> </code></pre> </div> <p><strong>Problem 3: Email Enumeration</strong><br> Most auth error handlers do this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="dl">'</span><span class="s1">auth/user-not-found</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">No account found with this email.</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// ❌</span> <span class="dl">'</span><span class="s1">auth/wrong-password</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Incorrect password.</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// ❌</span> </code></pre> </div> <p>An attacker can use different error messages to test which emails are registered in your app. This is a well-documented attack called email enumeration — and it's trivially easy to automate.</p> <p><strong>FireGuard's fix:</strong> Both codes return the same message:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="dl">'</span><span class="s1">auth/user-not-found</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid email or password.</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// ✅</span> <span class="dl">'</span><span class="s1">auth/wrong-password</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid email or password.</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// ✅</span> </code></pre> </div> <p><strong>Problem 4: Route Guard Race Conditions</strong><br> Expo Router's navigation is async. If you call router.replace() before the navigator is mounted, it silently fails — leaving an unauthenticated user on a protected screen with no redirect.</p> <p><strong>FireGuard's fix:</strong> Checks useRootNavigationState before any redirect:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">navigationState</span> <span class="o">=</span> <span class="nf">useRootNavigationState</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">isNavigatorReady</span> <span class="o">=</span> <span class="o">!!</span><span class="nx">navigationState</span><span class="p">?.</span><span class="nx">key</span><span class="p">;</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isLoaded</span> <span class="o">||</span> <span class="o">!</span><span class="nx">isNavigatorReady</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="c1">// wait for navigator</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="nx">router</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="nx">loginRoute</span><span class="p">);</span> <span class="p">},</span> <span class="p">[</span><span class="nx">isLoaded</span><span class="p">,</span> <span class="nx">isNavigatorReady</span><span class="p">,</span> <span class="nx">user</span><span class="p">]);</span> </code></pre> </div> <p><strong>Setting Up Role-Based Access Control</strong><br> Roles are stored in Firestore. The structure is simple:<br> Collection: users<br> └── Document: {firebase_auth_uid} ← must be the user's UID<br> ├── role: "admin"<br> └── email: "<a href="mailto:user@example.com">user@example.com</a>"<br> To make a user an admin:</p> <p>Go to <strong>Firebase Console **→ Authentication → Users<br> Copy the user's UID<br> Go to **Firestore → users collection</strong> → Add document<br> Set Document ID = the UID<br> Add field: role (string) = "admin"</p> <p>That's it. Next time they sign in, FireGuard fetches their role and it's available everywhere via useAuth().<br> FireGuard defaults any user without a Firestore document to role: "user" — so your app works even before you set up roles.</p> <p><strong>Getting Started in 5 Minutes</strong><br> Install:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>react-native-fireguard npx expo <span class="nb">install </span>firebase @react-native-async-storage/async-storage expo-router </code></pre> </div> <p><strong>Set up your .env:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">EXPO_PUBLIC_FIREBASE_API_KEY</span><span class="p">=</span><span class="s">your_key</span> <span class="py">EXPO_PUBLIC_FIREBASE_AUTH_DOMAIN</span><span class="p">=</span><span class="s">your_project.firebaseapp.com</span> <span class="py">EXPO_PUBLIC_FIREBASE_PROJECT_ID</span><span class="p">=</span><span class="s">your_project_id</span> <span class="py">EXPO_PUBLIC_FIREBASE_STORAGE_BUCKET</span><span class="p">=</span><span class="s">your_project.appspot.com</span> <span class="py">EXPO_PUBLIC_FIREBASE_MESSAGING_SENDER_ID</span><span class="p">=</span><span class="s">your_sender_id</span> <span class="py">EXPO_PUBLIC_FIREBASE_APP_ID</span><span class="p">=</span><span class="s">your_app_id</span> </code></pre> </div> <p><strong>Root layout:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app/_layout.jsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Slot</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">expo-router</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">FirebaseAuthProvider</span><span class="p">,</span> <span class="nx">RouteGuard</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-native-fireguard</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">RootLayout</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">FirebaseAuthProvider</span> <span class="nx">config</span><span class="o">=</span><span class="p">{{</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_API_KEY</span><span class="p">,</span> <span class="na">authDomain</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_AUTH_DOMAIN</span><span class="p">,</span> <span class="na">projectId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_PROJECT_ID</span><span class="p">,</span> <span class="na">storageBucket</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_STORAGE_BUCKET</span><span class="p">,</span> <span class="na">messagingSenderId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_MESSAGING_SENDER_ID</span><span class="p">,</span> <span class="na">appId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EXPO_PUBLIC_FIREBASE_APP_ID</span><span class="p">,</span> <span class="p">}}</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">RouteGuard</span> <span class="nx">loginRoute</span><span class="o">=</span><span class="dl">"</span><span class="s2">/(auth)/login</span><span class="dl">"</span> <span class="nx">homeRoute</span><span class="o">=</span><span class="dl">"</span><span class="s2">/(tabs)</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">Slot</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="sr">/RouteGuard</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/FirebaseAuthProvider</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>Login Screen</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// app/(auth)/login.jsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SignIn</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-native-fireguard</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">LoginScreen</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nc">SignIn</span> <span class="p">/&gt;;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Protected Screen</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// app/(tabs)/home.jsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SignedIn</span><span class="p">,</span> <span class="nx">Protect</span><span class="p">,</span> <span class="nx">useAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-native-fireguard</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">HomeScreen</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">role</span><span class="p">,</span> <span class="nx">signOut</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useAuth</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nc">SignedIn</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Text</span><span class="p">&gt;</span>Welcome <span class="si">{</span><span class="nx">user</span><span class="p">?.</span><span class="nx">email</span><span class="si">}</span> — Role: <span class="si">{</span><span class="nx">role</span><span class="si">}</span><span class="p">&lt;/</span><span class="nc">Text</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Protect</span> <span class="na">role</span><span class="p">=</span><span class="s">"admin"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Text</span><span class="p">&gt;</span>🔐 Admin only<span class="p">&lt;/</span><span class="nc">Text</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">Protect</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">SignedIn</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>That's the whole setup. Auth, routing, and RBAC — done.</p> <p><strong>API Quick Reference</strong><br> Component / HookWhat it doesRoot provider — wraps your entire appAuto-redirects unauthenticated usersShows children only when signed inShows children only when signed outShows children only for specified roleShows children while auth is loadingPre-built sign in formPre-built sign up formuseAuth()Returns user, role, isLoaded, signOut, getIdToken</p> <p><strong>What's Next</strong><br> <strong>FireGuard</strong> is actively maintained. Coming in future versions:</p> <ul> <li>TypeScript types — full .d.ts declarations</li> <li>Biometric auth support — Face ID / fingerprint integration</li> <li>Session timeout — auto sign-out after inactivity</li> <li>Social login helpers — Google, Apple, GitHub sign-in components</li> <li>Firestore helper hooks — useDocument, useCollection with built-in auth</li> </ul> <p><strong>Links</strong><br> <strong>npm:</strong><a href="//npmjs.com/package/react-native-fireguard">npmjs.com/package/react-native-fireguard</a><br> <strong>GitHub:</strong><a href="//github.com/Inspire00/react-native-fireguard">npmjs.com/package/react-native-fireguard<br> </a><br> <strong>Issues:</strong><a href="//github.com/Inspire00/react-native-fireguard/issues">github.com/Inspire00/react-native-fireguard/issues</a><br> If this saves you time on your next Firebase project, drop a ⭐ on GitHub and share it with your team. And if you run into any issues or have feature ideas — open an issue, I'm actively reading them.</p> <p>Built by <a href="https://vincentapps.xyz/profile" rel="noopener noreferrer">Vincent</a> — a developer who got tired of writing the same Firebase boilerplate one too many times.</p> <p>react-native firebase expo authentication open-source javascript mobile-development rbac</p> javascript productivity reactnative showdev