XML documents

XML provides a syntax for expressing structured information in the form of an XML document with nested elements and their attributes. The specific elements and attributes used in an XML document can come from any vocabulary, such as public standards or (private) user-defined XML formats. XML is used for specifying

• document formats, such as XHTML5, the Scalable Vector Graphics (SVG) format or the DocBook format,

• data interchange file formats, such as the Mathematical Markup Language (MathML) or the Universal Business Language (UBL),

• message formats, such as the web service message format SOAP

Unicode and UTF-8

XML is based on Unicode, which is a platform-independent character set that includes almost all characters from most of the world's script languages including Hindi, Burmese and Gaelic. Each character is assigned a unique integer code in the range between 0 and 1,114,111. For example, the Greek letter π has the code 960, so it can be inserted in an XML document as π using the XML entity syntax.

Unicode includes legacy character sets like ASCII and ISO-8859-1 (Latin-1) as subsets.

The default encoding of an XML document is UTF-8, which uses only a single byte for ASCII characters, but three bytes for less common characters.

Almost all Unicode characters are legal in a well-formed XML document. Illegal characters are the control characters with code 0 through 31, except for the carriage return, line feed and tab. It is therefore dangerous to copy text from another (non-XML) text to an XML document (often, the form feed character creates a problem).

XML namespaces

Generally, namespaces help to avoid name conflicts. They allow to reuse the same (local) name in different namespace contexts. Many computational languages have some form of namespace concept, for instance, Java and PHP.

XML namespaces are identified with the help of a namespace URI, such as the SVG namespace URI "http://www.w3.org/2000/svg", which is associated with a namespace prefix, such as svg. Such a namespace represents a collection of names, both for elements and attributes, and allows namespace-qualified names of the form prefix:name, such as svg:circle as a namespace-qualified name for SVG circle elements.

A default namespace is declared in the start tag of an element in the following way:

<html xmlns="http://www.w3.org/1999/xhtml">

This example shows the start tag of the HTML root element, in which the XHTML namespace is declared as the default namespace.

The following example shows an SVG namespace declaration for an svg element embedded in an HTML document:

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
   ...
  </head>
  <body>
    <figure>
      <figcaption>Figure 1: A blue circle</figcaption>
      <svg:svg xmlns: svgb>="http://www.w3.org/2000/svg">
        <svg:circle cx="100" cy="100" r="50" fill="blue"/>
      </svg:svg>
    </figure>
  </body>
</html>

Correct XML documents

XML defines two syntactic correctness criteria. An XML document must be well-formed, and if it is based on a grammar (or schema), then it must also be valid with respect to that grammar, or, in other words, satisfy all rules of the grammar.

An XML document is called well-formed, if it satisfies the following syntactic conditions:

1. There must be exactly one root element.

2. Each element has a start tag and an end tag; however, empty elements can be closed as <phone/> instead of <phone></phone>.

3. Tags don't overlap. For instance, we cannot have

   <author><name>Lee Hong</author></name>

4. Attribute names are unique within the scope of an element. For instance, the following code is not correct:

   <attachment file="lecture2.html" file="lecture3.html"/>

An XML document is called valid against a particular grammar (such as a DTD or an XML Schema), if

1. it is well-formed,

2. and it respects the grammar.

The evolution of HTML

The World-Wide Web Committee (W3C) has developed the following important versions of HTML:

• 1997: HTML 4 as an SGML-based language,

• 2000: XHTML 1 as an XML-based clean-up of HTML 4,

• 2014: (X)HTML 5 in cooperation (and competition) with the WHAT working group supported by browser vendors.

HTML was originally designed as a structure description language, and not as a presentation description language. But HTML4 has a lot of purely presentational elements such as font. XHTML has been taking HTML back to its roots, dropping presentational elements and defining a simple and clear syntax, in support of the goals of

• device independence,

• accessibility, and

• usability.

We adopt the symbolic equation

HTML = HTML5 = XHTML5

stating that when we say "HTML" or "HTML5", we actually mean XHTML5

because we prefer the clear syntax of XML documents over the liberal and confusing HTML4-style syntax that is also allowed by HTML5.

The following simple example shows the basic code template to be used for any HTML document:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <meta charset="UTF-8" />
  <title>XHTML5 Template Example</title>
  <meta name="viewport" content="width=device-width, initial-scale=1"/>
</head>
<body>
  <h1>XHTML5 Template Example</h1>
  <section><h2>First Section Title</h2>
   ...
  </section>
</body>
</html>

Notice that in line 1, the HTML5 document type is declared, such that browsers are instructed to use the HTML5 document object model (DOM). In the html start tag in line 2, using the default namespace declaration attribute xmlns, the XHTML namespace URI http://www.w3.org/1999/xhtml is declared as the default namespace for making sure that browsers, and other tools, understand that all non-qualified element names like html, head, body, etc. are from the XHTML namespace.

Also in the html start tag, we set the (default) language for the text content of all elements (here to "en" standing for English) using both the xml:lang attribute and the HTML lang attribute. This attribute duplication is a small price to pay for having a hybrid document that can be processed both by HTML and by XML tools.

Finally, in line 4, using an (empty) meta element with a charset attribute, we set the HTML document's character encoding to UTF-8, which is also the default for XML documents.

HTML forms

For user-interactive web applications, the web browser needs to render a user interface (UI). The traditional metaphor for a software application's UI is that of a form. The special elements for data input, data output and user actions are called form controls or UI widgets. In HTML, a form element is a section of a web page consisting of block elements that contain form controls and labels on those controls.

Users complete a form by entering text into input fields and by selecting items from choice controls, including dropdown selection lists, radio button groups and checkbox groups. A completed form is submitted with the help of a submit button. When a user submits a form, it is normally sent to a web server either with the HTTP GET method or with the HTTP POST method. The standard encoding for the submission is called URL-encoded. It is represented by the Internet media type application/x-www-form-urlencoded. In this encoding, spaces become plus signs, and any other reserved characters become encoded as a percent sign and hexadecimal digits, as defined in RFC 1738.

Each form control has both an initial value and a current value, both of which are strings. The initial value is specified with the control element's value attribute, except for the initial value of a textarea element, which is given by its initial contents. The control's current value is first set to the initial value. Thereafter, the control's current value may be modified through user interaction or scripts. When a form is submitted for processing, some controls have their name paired with their current value and these pairs are submitted with the form.

Labels are associated with a control by including the control as a child element within a label element (implicit labels), or by giving the control an id value and referencing this ID in the for attribute of the label element (explicit labels).

In the simple user interfaces of our "Getting Started" applications, we only need four types of form controls:

1. single line input fields created with an <input name="..." /> element,

2. single line output fields created with an <output name="..." /> element,

3. push buttons created with a <button type="button">...</button> element, and

4. dropdown selection lists created with a select element of the following form:

   <select name="...">
     <option value="value1"> option1 </option>
     <option value="value2"> option2 </option>
     ...
   </select>

An example of an HTML form with implicit labels for creating such a user interface is

<form id="Book">
  <p><label>ISBN: <output name="isbn" /></label></p>
  <p><label>Title: <input name="title" /></label></p>
  <p><label>Year: <input name="year" /></label></p>
  <p><button type="button">Save</button></p>
</form>

In an HTML-form-based data management user interface, we have a correspondence between the different kinds of properties defined in the model classes of an app and the form controls used for the input and output of their values. We have to distinguish between various kinds of model class attributes, which are mapped to various kinds of form fields. This mapping is also called data binding.

In general, an attribute of a model class can always be represented in the user interface by a plain input control (with the default setting type="text"), no matter which datatype has been defined as the range of the attribute in the model class. However, in special cases, other types of input controls (for instance, type="date"), or other widgets, may be used. For instance, if the attribute's range is an enumeration, a select control or, if the number of possible choices is small enough (say, less than 8), a radio button group can be used.

JavaScript as an object-oriented language

JavaScript is object-oriented, but in a different way than classical OO programming languages such as Java and C++. In JavaScript, classes, unlike objects and functions, have not been first-class citizens until ES2015 has introduced a class syntax. Before ES2015, classes had to be defined by following a code pattern in the form of special JS objects: either as constructor functions or as factory objects. Notice that when using (the syntactic sugar of) ES2015 class declarations, what is really defined internally, is still a constructor function.

However, objects can also be created without instantiating a class, in which case they are untyped, and properties as well as methods can be defined for specific objects independently of any class definition. At run time, properties and methods can be added to, or removed from, any object and class. This dynamism of JavaScript allows powerful forms of meta-programming, such as defining your own concepts of classes and enumerations (and other special datatypes).

Further reading about JavaScript

Good open access books about JavaScript are

• Speaking JavaScript, by Dr. Axel Rauschmayer.

• Eloquent JavaScript, by Marijn Haverbeke.

• Building Front-End Web Apps with Plain JavaScript, by Gerd Wagner

Question 1: Well-formed XML documents

Which of the following statements represent a requirement for a well-formed XML document? Select one or more:

1. The root element must have a namespace attribute.
2. There must be one and only one top level element.
3. All non-empty elements must have a start-tag and an end-tag with matching names.
4. Element names must be lower case.

Question 2: Well-formed XML

Which of the following fragments are well-formed XML? Select one or more:

1. <strong>This text is bold. <em> and this is italicized and bold.</EM></strong><em> and this is just italics.</em>
2. <STRONGER>This text is bold. <emph>And this is italicized and bold.</STRONGER> And this is just italics.</emph>
3. <stronger>This text is bold. <emph>And this is italicized and bold.</emph></stronger><emph>And this is just italics.</emph>
4. <emph><STRONGER>This is some text <bold>and this is more text. Here is even more</bold> text.</STRONGER></emph>

Question 3: Valid XHTML

Which of the following fragments are valid XHTML? Select one or more:

1. <html xmlns="http://www.w3.org/1999/xhtml">
     <head><title>My Title</title></head>
     <body><a href="http://www.examples.org"/>Jump!</a></body>
   </html>

2. <html xmlns="http://www.w3.org/1999/xhtml">
     <head><title>My Title</title></head>
     <body><p>Lorem ipsum...</p></body>
   </html>

3. <h:html xmlns:h="http://www.w3.org/1999/xhtml">
     <h:head><h:meta charset="utf-8"></h:head>
     <h:body><h:p>Lorem ipsum...</h:p></h:body>
   </h:html>

4. <h:html xmlns:h="http://www.w3.org/1999/xhtml">
     <h:head><h:title>My Title</h:title></h:head>
     <h:body><h:div>Lorem ipsum...</h:div></h:body>
   </h:html>

5. <h:html xmlns:h="http://www.w3.org/1999/xhtml">
     <head><title>My Title</title></head>
     <body><p>Lorem ipsum...</p></body>
   </h:html>

Question 4: Valid XHTML5

Which of the following are correct statements about an XHTML5 document? Select one or more:

1. The root element must be <xhtml>.
2. The document must be well-formed.
3. The root element and all its descendant elements must be in the namespace "http://www.w3.org/1999/xhtml".
4. Case does not matter for element names, so both H1 and h1 can be used.

Question 5: HTML forms

Recall that an HTML form is a section of a document consisting of block elements that contain controls and labels on those controls. Which of the following form elements represent correct forms? Select one or more:

1. <form>
     <div><label>ISBN: <input name="isbn" /></label></div>
     <div><label>Title: <input name="title" /></label></div>
   </form>

2. <form>
     <div>
       <label for="isbn">ISBN: </label><input id="isbn" name="isbn" />
       <label for="title">title: </label><input id="title" name="title" />
     </div>
   </form>

3. <form>
     <div><label>ISBN: </label><input name="isbn" /></div>
     <div><label>title: </label><input name="title" /></div>
   </form>

4. <form>
     <label>ISBN: <input name="isbn" /></label><br/>
     <label>Title: <input name="title" /></label>
   </form>

5. <form>
     <div><label for="isbn">ISBN: </label><input name="isbn" /></div>
     <div><label for="title">title: </label><input name="title" /></div>
   </form>

Callbacks

A simple asynchronous programming approach consists of defining a procedure that is to be executed as soon as the asynchronous operation completes. This allows to continue the program execution after the invocation of the asynchronous operation, however, without assuming that the operation result is available. But how does the execution environment know, which procedure to call after completing the asynchronous operation?

In JS, we can pass a JS function as an argument in the invocation of the asynchronous operation. A callback is such a JS function.

Consider the following example. An external JS file can be dynamically loaded (in the context of an already loaded webpage with associated JS code) by (1) programmatically creating an HTML script element DOM object with the file's URL as the value of the script's src attribute, and (2) inserting the newly created script element after the last child node of the document's head element:

function loadJsFile( fileURL) {
  const scriptEl = document.createElement("script");
  script.src = fileURL;
  document.head.append( scriptEl);
}

When the new script element is inserted into the document's DOM, e.g., with the help of the asynchronous DOM operation append (at the end of the loadJsFile procedure), the browser will load the JS file and then parse and execute it, which will take some time. Let's assume that we have a JS code file containing the definition of a function addTwoNumbers that does what its name says and we first load the file and then invoke the function in the following way:

loadJsFile("addTwoNumbers.js");
console.log( addTwoNumbers( 1, 2));

This wouldn't work. We would get an error message instead of the sum of 1 and 2, since the intended result of the first statement, the availability of the addTwoNumbers function, is not (yet) obtained when the second statement is executed.

We can fix this by adding a callback procedure as a second parameter to the loadJsFile procedure and assign it as an event handler of the JS file load event :

function loadJsFile( fileURL, callback) {
  const scriptEl = document.createElement("script");
  script.src = fileURL;
  script.onload = callback;
  document.head.append( scriptEl);
}

Now when calling loadJsFile we can provide the code to be executed after loading the "addTwoNumbers.js" file in an anonymous callback function:

loadJsFile("addTwoNumbers.js", function () {
  console.log( addTwoNumbers( 1, 2));  // results in 3
]);

Since the loading of the JS file can fail, we should better add some error handling for this case by defining an event handler for the error event. We can handle possible errors within the callback procedure by calling it with an error argument:

function loadJsFile( fileURL, callback) {
  const scriptEl = document.createElement("script");
  script.src = fileURL;
  script.onload = callback;
  script.onerror = function () {
      callback( new Error(`Script load error for ${fileURL}`));
  };
  document.head.append( scriptEl);
}

Now we call loadJsFile with an anonymous callback function having an error parameter:

loadJsFile("addTwoNumbers.js", function (error) {
  if (!error) console.log( addTwoNumbers(1,2));  // results in 3
  else console.log( error);
]);

Callbacks work well as an asynchronous programming approach in simple cases. But when it is necessary to perform several asynchronous operations in a sequence, one quickly ends up in a "callback hell", a term that refers to the resulting deeply nested code structures that are hard to read and maintain.

Promises

A promise (also called future in some programming languages, like in Python) is a special object that provides the deferred result of an asynchronous operation to the code that waits for this result. A promise object is initially in the state pending. If the asynchronous operation succeeds (in the case when the resolve function is called with an argument providing the result value), the promise state is changed from pending to fulfilled. If it fails (in the case when the reject function is called with an argument providing the error), the promise state is changed from pending to rejected.

An example of a built-in asynchronous operation that returns a promise is import for dynamically loading JS code files (and ES6 modules). We can use it instead of the user-defined loadJsFile procedure discussed in the previous section for loading the addTwoNumbers.js file and subsequently executing code that uses the addTwoNumbers function (or reporting an error if the loading failed):

import("addTwoNumbers.js")
.then( function () {
  console.log( addTwoNumbers( 1, 2));
})
.catch( function (error) {
  console.log( error);
});

This example code shows that on the promise object returned by import we can call the predefined functions then and catch:

then

for continuing the execution only when the import operation is completed with a fulfilled promise, and

catch

for processing the error result of a rejected promise.

The general approach of asynchronous programming with promises requires each asynchronous operation to return a promise object that typically provides either a result value, when the promise is fulfilled, or an error value, when the promise is rejected. For user-defined asynchronous procedures, this means that they have to create a promise as their return value, as shown in the promise-valued loadJsFile function presented below.

A promise object can be created with the help of the Promise constructor by providing an anonymous function expression as the argument of the Promise constructor invocation (with two parameters resolve and reject representing JS functions). We do this in the following example of a promise-valued loadJsFile function, which is a variant of the previously discussed callback-based loadJsFile procedure:

function loadJsFile( fileURL) {
  return new Promise( function (resolve, reject) {
    const scriptEl = document.createElement("script");
    scriptEl.src = fileURL;
    scriptEl.onload = resolve;
    scriptEl.onerror = function () {
        reject( new Error(`Script load error for ${fileURL}`));
    };
    document.head.append( scriptEl);
  });
}

This new version of the asynchronous loadJsFile operation is used in the following way:

loadJsFile("addTwoNumbers.js")
.then( function () {
  console.log( addTwoNumbers( 1, 2));
})
.catch( function (error) {
  console.log( error);
});

We can see that even the syntax of a simple promise-valued function call with then and catch is more clear than the syntax of a callback-based asynchronous procedure call. This advantage is even more significant when it comes to chaining asynchronous procedure calls, as in the following example where we first sequentially load three JS files and then invoke their functions:

loadJsFile("addTwoNumbers.js")
.then( function () {
  return loadJsFile("multiplyBy3.js");})
.then( function () {
  return loadJsFile("decrementBy2.js");})
.then( function () {
  console.log( decrementBy2( multiplyBy3( addTwoNumbers(1,2))));})
.catch( function (error) {
  console.log( error);
});

Notice that for executing a sequence of asynchronous operations with then, we need to make sure that each then-function returns a promise.

As an alternative to the sequential execution of asynchronous operations, we may also execute them in parallel with Promise.all:

Promise.all([ loadJsFile("addTwoNumbers.js"),
  loadJsFile("multiplyBy3.js"),
  loadJsFile("decrementBy2.js")
])
.then( function () {
  console.log( decrementBy2( multiplyBy3( addTwoNumbers(1,2))));
})
.catch( function (error) {console.log( error);});

Unlike loadJsFile, which simply completes with a side effect (the loading of JS code), but without a result value being returned, a typical asynchronous operation returns a promise object that provides either a result value, when the promise is fulfilled, or an error value, when the promise is rejected.

Let's consider another example, where we have asynchronous operations with result values. The JS built-in fetch operation allows retrieving the contents of a remote resource file via sending HTTP request messages in two steps:

1. In the first step, it returns a promise that resolves with a response object as its result value containing the HTTP header information retrieved.
2. Then, invoking the text() or the json() function on the previously retrieved response object returns a promise that resolves to the HTTP response message's body (in the form of a string or a JSON object) when it is retrieved from the remote server.

In such a case, when we chain two or more asynchronous operation calls with result values, each successor call can be expressed as a transformation from the previous result to a new result using arrow functions as shown in line 2 of the following example:

fetch("user1.json")
.then( response => response.json())
.then( function (user1) {alert( user1.name);})
.catch( function (error) {console.log( error);});

Notice that the text file "user1.json" is assumed to contain a JSON object describing a particular user with a name field. This JSON object is retrieved with the arrow function expression in line 2.

Calling asynchronous operations with await

When a program with a statement containing an asynchronous procedure call (with await) is executed, the program will run up to that statement, call the procedure, and suspend execution until the asynchronous procedure execution completes, which means that if it returns a Promise, it is settled. That suspension of execution means that control is returned to the event loop, such that other asynchronous procedures also get a chance to run. If the Promise of the asynchronous procedure execution is fulfilled, the execution of the program is resumed and the value of the await expression is that of the fulfilled Promise. If it is rejected, the await expression throws the value of the rejected Promise (its error).

When we use await for invoking a Promise-valued JS function, we typically do not use Promise chaining with .then, because await handles the waiting for us. And we can use a regular try-catch block instead of a Promise chaining .catch clause, as shown in the following example code:

try {
  await loadJsFile("addTwoNumbers.js");
  console.log( addTwoNumbers(2,3));
} catch (error) {
  console.log( error);
}

Notice that this is the code of an ES6 module. In a normal JS file, await can only be used within async functions.

When we call several asynchronous procedures in succession with await, the code reads in a natural way, similar to the code for calling synchronous procedures:

try {
  await loadJsFile("addTwoNumbers.js");
  await loadJsFile("multiplyBy3.js");
  await loadJsFile("decrementBy2.js");
  console.log( decrementBy2( multiplyBy3( addTwoNumbers(2,3))));
} catch (error) {
  console.log( error);
}

In an async function, we can invoke Promise-valued functions in await expressions. Since an async function returns a Promise, it can itself be invoked with await.

async function load3JsFiles() {
  await loadJsFile("addTwoNumbers.js");
  await loadJsFile("multiplyBy3.js");
  await loadJsFile("decrementBy2.js");
}
try {
  await load3JsFiles();
  console.log( decrementBy2( multiplyBy3( addTwoNumbers(2,3))));
} catch (error) {
  console.log( error);
}

In the more typical case of asynchronous operation calls with result values, we obtain code like the following await-based version of the above promise-based example of using fetch:

try {
  const response = await fetch("user1.json");
  const user1 = await response.json();
  alert( user1.name);
} catch (error) {
  console.log( error);
}

For more about asynchronous programming techniques, see Promises, async/await and Demystifying Async Programming in Javascript.

Question 1: Data values and objects

Which of the following statements about data values and objects in JS are true? Select one or more:

1. true is an object.
2. A JS array is a JS object.
3. false is a data value.
4. A JS function is a JS object.
5. 1 is a data value.
6. Infinity is an object.

Question 2: Evaluating a Boolean expression

What is the value of the Boolean expression null || !0 ? Select one:

1. true
2. false

Question 3: JavaScript datatypes

Which of the following denote primitive datatypes in JavaScript? Select one or more:

1. double
2. string
3. float
4. int
5. boolean
6. byte
7. number

Question 4: Constructor-based class definition

Which of the following JavaScript fragments correctly defines the constructor-based class City shown in the class diagram (either using a constructor function definition or an ES6 class definition)? Hint: notice that setName is an instance-level method while checkName is a class-level ("static") method. Select one or more:

1. function City( n) {
     this.name = n;
     this.setName = function (n) {this.name = n;};
     checkName = function (n) {...}; // returns true or false
   }

2. class City {
     constructor (n) {
       this.setName( n);
     }
     setName( n) {if (City.checkName( n)) this.name = n;}
     static checkName( n) {...}  // returns true or false
   }

3. function City( n) {
     this.setName( n);
     function checkName( n) {...} // returns true or false
   } 
   City.prototype.setName = function (n) {this.name = n;};

4. function City( n) {
     this.setName( n);
   }
   City.prototype.setName = function (n) {
     if (City.checkName( n)) this.name = n;
   };
   City.checkName = function (n) {...};  // returns true or false

Question 5: Type coercion

Consider the following JavaScript code:

var a = 5;
var b = "7";
var c = a + b;

What is the value of the variable c? Select one:

1. The string "57"
2. The number 12
3. undefined
4. The code will result in an error since you can't use the + operator between two operands of different types.

Question 6: Variable scope

What is the output of the following program?

function foo() {
  var i=7;
  for (var i=0; i < 10; i++) {
    ...  // do something
  }
  console.log( i);
};
foo();

Answer: _____

Firestore: a Cloud Database Management System

Firebase provides two database management systems (DBMS): Realtime Database and Firestore. Both offer a NoSQL DBMS as a Service for mobile and web apps. Unlike the older Realtime Database technology, which essentially manages a large JSON tree, Firestore aims at facilitating scalability, mainly through:

• complex data models, based on

  1. Firestore documents correspond to unique JS objects, representing entity records with possibly complex-valued fields;
  2. Firestore collections of documents correspond to object stores or entity tables;

• better querying options, allow chain and/or combine filters and sorting in a single query.

Firestore SDKs are for server-side programming code in Java, Python, Node.js, Ruby, PHP, Golang, .NET, and C# for both DBMSs.

Firebase Hosting

Firebase Hosting is a static web hosting solution for websites and applications built with HTML, CSS, and JavaScript: single-page applications and progressive web apps. Firebase Hosting includes a free Content Delivery Network (CDN), and free SSL/HTTPS, part of Google Cloud Platform. Paired with Cloud Functions and Firestore, we can build microservices and APIs. Firebase Hosting behaviour is highly configurable, allowing URL redirections, URL rewriting, direct HTTP requests to functions or Cloud Run containers (virtualized applications), customization of dynamic links, header configuration, and more.

Firebase Authentication

Firebase Authentication is a user-authentication solution for mobile and web apps. It allows us to use pre-built user interfaces (FirebaseUI) or create custom user interfaces for login management and authentication. It handles the most common authentication methods, such as using custom credentials, emails, or federated social media accounts, such as Google, Apple, Facebook, Microsoft, Yahoo, Twitter, GitHub, and more.

Pricing and Billing Concerns

Firebase provides a free plan with limited resources (see the free quota of the Spark Plan). However, these resource limits are sufficient for our tutorials and for creating real-world applications. The paid ('Blaze') plan offers a "Pay as you go" billing model under which we pay what we get, not more and not less. Nevertheless, the Spark Plan includes all Firebase cloud services, such as Authentication, Firestore, Cloud Functions, Hosting, Firebase Machine Learning, Real-Time Database, Storage, and many other features that enable web developers to create web apps, websites, games, mobile apps, etc.

In a real-world development project with Firebase, we should make design decisions only after understanding how billing works; otherwise, we may turn a technically successful project into a financially unsustainable business. In this tutorial, this issue is taken very seriously. We will never get an undesirable outcome in the monthly bill if we use it with the small sample of records presented in this app. Therefore, some portions of code aim to exemplify concepts presented in this educational scenario but never be used in an actual situation.

For instance, consider this snippet to retrieve all documents in a collection:

const booksQrySns = await getDocs( collection( db, "books"));

If the collection "books" contains just a few records, we will never get close to the limits of the free plan. Still, if the same statement is repeated several times, querying a database with many thousands of records, we should expect a hefty bill from Google at the end of the month.

One way to control the number of Firestore read operations is by setting up limits in our queries. When used with pagination, this will provide complete control of our Firestore resource consumption. Additionally, setting daily or monthly spending limits is always a good practice.

Read more about Firebase billing plans and how Firestore is billed.

As we can see, the design of Firebase JS/Web SDK version 9 aims to optimize the performance of web apps and increase understandability in our code. When we code using this version, our code will be organized around the functions imported from the SDK libraries. Let's see an example of the use of the "modular" version of the Firebase SDKs for adding Firebase and Firestore to a project:

1. Import the initializeApp() function using the ES6 modules specifiers of the core Firebase SDK library and the getFirestore() function from the Firestore Web SDK, both installed locally using npm.

   import { initializeApp } from "firebase/app";
   import { getFirestore } from "firebase/firestore";

2. Initialize a Firebase App object using the initializeApp() function and firebaseConfig, an object created with the project configuration.

   const firebaseConfig = {
     // TODO: Replace the following with your web app's Firebase project configuration
   };
   // Initialize a Firebase App object
   initializeApp( firebaseConfig);

3. Initialize Firestore using the getFirestore() function. From now on, the object "db" represents the interface to access our Firestore DB instance on the cloud.

   // Initialize Firestore interface
   const db = getFirestore();

Notice that the "modular" version of the Firebase JS SDK has been optimized for using module bundlers, such as Webpack or Rollup. There are two reasons for loading the Firestore Web SDK libraries from the local version installed using npm: if we use module bundlers or Node.js. Otherwise, we must import the SDKs from the Content Delivery Network (CDN) located on the cloud, like:

import { initializeApp } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-app.js";
import { getFirestore, doc, collection, query, setDoc, getDoc } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore.js";

Database Tables and Records

In the Firestore jargon, a DB table is called a "collection" (of records), and a DB record is called a "document". The table's name is called "collection ID", and each record has a "Document ID", which is typically the primary key value of the record (if the table has a non-composite primary key).

Since, unlike relational and object-relational DBs, a Firestore DB is schema-free, one may add any type of Firestore document to a Firestore collection. However, this liberty is hardly used in practice. So, in most cases, a Firestore collection is used as a DB table with a specific (implicit) schema.

Firestore collections are created on the fly, simply by adding a Firestore document to a not yet existing collection, like so:

import { doc, setDoc } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore.js";
const record = {isbn: "006251587X", title: "Weaving the Web", year: 2000};
await setDoc( doc( db, "books", "006251587X"), record);

In this example, the expression doc( db, "books", "006251587X") creates a document reference to a Firestore document with ID "006251587X" in the collection books. If the books collection does not yet exist, it will be created on the fly.

Data Types

The following data types are supported by Firestore:

A Firestore collection is similar to a JSON array, while a Firestore document is similar to a JSON object. For instance, the following JSON object represents a Firestore document:

{
  "isbn": "006251587X",
  "title": "NoSQL Databases",
  "languages": ["en","de","es"],
  "author": {"name":"Peter Hanks", 
             "birthDate":"1993-06-17"},
  "reviews": [{title:"Easy and fun to read!", nmrOfStars: 5},
              {title:"Disappointing", nmrOfStars: 1}]
}

Notice that the value of the languages attribute is an array (list), the value of the author attribute is a map (representing a record), and the value of the reviews attribute is a record set called subcollection in the Firebase jargon.

There are two special Firestore data types: document references, like books/006251587X, and geographical points like [51.5074, 0.1278] representing latitude and longitude values. Both data types are not yet well-supported currently.

const chapterDocRef = db.collection("books").document("006251587X")
                      .collection("chapters").document( 1);
chapterDocRef.set({ data })

References

References are objects that represent the location of a record/document or table/collection in a Firestore database.

• A document reference object (DocumentReference), represents the location of a record/document, and is created using the doc() method.

  import { doc } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore.js";
  
  const bookDocRef = doc( db, "books", "006251587X");

  We can also create document references specifying the path to the record/document as a string for convenience.

  const bookDocRef = doc( db, "books/006251587X");

• A collection reference object (CollectionReference) represents the location of a table and is created using the collection() method.

  import { collection } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore.js";
  
  const booksCollRef = collection( db, "books");

Whether a Firestore record/document or table/collection already exists in a database or not, they can be "referenced" and be used anytime later to retrieve, save or listen to the location in a Firestore database. Notice that creating a reference does not execute any network operation and consequently does not impact your billing due the database has not been queried up to that point.

Although similar, document references and collection references are two different types of references; hence they have their own properties and methods.

Queries

import { query, where } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore.js";

const q = query( collection(db, "books"), where("edition", "==", "1"));

Snapshots

Snapshots are objects that contain data from either a reference object or a query object. We may see a snapshot as a picture of the data we receive when retrieving it from the database. The term snapshot reminds us that the retrieved values of the queried properties are from when the query has been processed, but these properties' values may have been changed soon after.

Additionally to the record data inside, a snapshot provides several properties and methods that are convenient for knowing how the data or the record change. A snapshot is always invoked asynchronously using async/await, and always returns a promise.

• Document snapshot, in the following example, the getDoc() method is used to retrieve a document snapshot (DocumentSnapshot) containing data from a single record/document located in a Firestore database.

  import { doc, getDoc } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore.js";
  
  const bookDocRef = doc( db, "books", "006251587X"); // document reference
  const bookDocSn = await getDoc( bookDocRef); // document snapshot

  An attempt to retrieve an inexistent document snapshot will return undefined.
• Query snapshot, the getDocs() method is used to retrieve a query snapshot (QuerySnapshot) representing the result of a query, and it may contain none, one or many snapshot objects (QueryDocumentSnapshot) that may constitute either an entire table/collection in a Firestore database,

  import { collection, getDocs } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore.js";
  
  const booksCollRef = collection( db, "books"); // collection reference
  const booksQrySn = await getDocs( booksCollRef); // query snapshot

  or none, one or many snapshot objects (QueryDocumentSnapshot) resulting from a query.

  import { collection, query, getDocs, where } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore.js";
  
  const q = query( collection(db, "books"), where("edition", "==", "1")); // query
  const booksQrySn = await getDocs( q); // query snapshot

  When a query snapshot contains none query snapshot document objects returns an empty array, and when it has only one query snapshot document object returns an array with one element.
• Query document snapshot, each snapshot object inside a QuerySnapshot is a query document snapshot (QueryDocumentSnapshot) containing data retrieved from a table/document in a Firestore database, returned within an array whether it contains one or many. To access each query document snapshot, we must iterate the query snapshot object using the docs property.

  for (const bookDocSn of booksQrySn.docs) {
    console.log(bookDocSn.id) // query document snapshot
  }

  Since query document snapshots come from a query snapshot, they are always guaranteed to exist.

Document snapshot and query document snapshot objects share the same properties and methods, being both the same in practice. This tutorial treat them similarly, calling them indistinctively document snapshots for convenience.

It may happen that after retrieving any of the previously mentioned snapshots, the referenced original record(s)/document(s) may be deleted by another user however, each individual snapshot will continue existing, although it will be impossible to retrieve data from it.

Later we will know and see the most important methods and properties of every snapshot object working in context, but here there are a few of them very useful:

• id, a property that returns the Document ID in a table/collection. Very useful when we need to know the foreign key without accessing the record data.
• data(), a method that extracts the data enclosed in any of the snapshot objects described lines above. It returns undefined if the data does not exist.
• get(field), a method that extracts the data from a specific field inside a snapshot object.
• exists(), a method that verifies, through a document snapshot, a record, existence in a Firestore database.
• empty(), a method that verifies if a result from a query snapshot is empty, containing no result.

Accessing record data

Finally, the chosen ways to access record data in this tutorial. We present a straightforward way to access every data object and also a simplified form:

• From a single record/document, or document snapshot, using the method data().

  import { doc, getDoc } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore.js";
  
  const bookDocRef = doc( db, "books", "006251587X"); // document reference
  const bookDocSn = await getDoc( bookDocRef); // document snapshot
  const bookRec = bookDocSn.data(); // record data

  Here is a simplified way to achieve the same.

  import { doc, getDoc } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore.js";
  
  const bookRec = (await getDoc( doc(db, "books", "006251587X"))).data();

• From a query containing multiple records/documents, or a query snapshot, using the Firestore property docs, the JS method map() and the Firestore method data(). In specific circumstances, in this tutorial, we access multiple records/documents data using a for/of loop.

  import { collection, getDocs } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore.js";
  
  const booksCollRef = collection( db, "books"); // collection reference
  const booksQrySn = await getDocs( booksCollRef); // query snapshot
  const bookDocSns = booksQrySn.docs; // multiple document snapshots in an array
  const bookRecs = bookDocSns.map( d => d.data()); // records in an array

  Here is a simplified way to achieve the same.

  import { collection, getDocs } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore.js";
  
  const bookRecs = (await getDocs( collection( db, "books")))docs.map( d => d.data());

Naming convention of Firestore objects

This tutorial proposes the following convention for naming types of Firestore objects to keep consistency and readability in the code provided. The examples are based on a "books" table/collection.

Create a record with the setDoc() method

There are two different ways to use the setDoc() method,

• one with automatically generated Document ID,

  import { doc, setDoc } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore.js";
  
  const bookDocRef = doc( db, "books");
  await setDoc( bookDocRef, data);

• and another with a specified Document ID.

  const bookDocRef = doc( db, "books", "006251587X");
  await setDoc( bookDocRef, data);

In both cases, if the record/document does not exist, a new record/document will be created. If, on the other hand, the record/document already exists, the setDoc() method with the merge option "true" will merge the provided property-value data with the existing record/document, as an update operation.

const bookDocRef = doc( db, "books", "006251587X");
await setDoc( bookDocRef, { edition: "2" }, { merge: true });

Finally, If the record/document exists, the setDoc() method without the merge option will overwrite all data.

Create record with the addDoc() method

The addDoc() method creates a new record/document with an automatically generated Document ID, without chance of specifying it.

import { collection, addDoc } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore.js";

const booksCollRef = collection( db, "books");
await addDoc( booksCollRef, {
  isbn: "006251587X",
  title: "Weaving the Web",
  year: 2000
});

Update record with the updateDoc() method

The simple way of the updateDoc() method allows to update some fields of an existing record/document,

import { doc, updateDoc } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore.js";

const bookDocRef = doc( db, "books", "006251587X");
await updateDoc( bookDocRef, { year:2000 }); // update a specific attribute

while it can also be used to update record-valued attributes and (array-) list-valued attributes.

// update a record-valued attribute
await updateDoc( bookDocRef, {
  "author.name": "Peter Hanks"
});
// add a new language to the list-valued field "languages"
await updateDoc( bookDocRef, {
  languages: arrayUnion("fr")
});
// remove a language from the "languages" array field
await updateDoc( bookDocRef, {
  languages: arrayRemove("fr")
});

Read a record with the getDoc() method

We show the detailed way to get data from a single record/document,

import { doc, collection, getDoc } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore.js";

const booksCollRef = collection( db, "books");
const bookDocRef = doc( booksCollRef, "006251587X");
const bookDocSn = await getDoc( bookDocRef);
const bookRec = bookDocSn.data();

and a simplified way to achieve the same.

const bookDocSn = await getDoc( db, "books", "006251587X");
const bookRec = bookDocSn.data();

Read all records in a table with the getDocs() method

Notice how the getDocs() method relies on the property docs to extract all document snapshots in the query snapshot object.

import { doc, collection, getDoc } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore.js";

const booksCollRef = collection( db, "books");
const booksQrySn = await getDocs( booksCollRef);
const bookDocSns = booksQrySn.docs;
const bookRecs = bookDocSns.map( d => d.data());

Now a simplified way to achieve the same.

const booksQrySn = await getDocs( collection( db, "books"));
const bookRecs = bookDocSns.docs.map( d => d.data());

Query a table with the query(), where() and getDocs() methods

Retrieve specific records/documents based on attribute filters.

import { collection, query, where, getDoc } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore.js";

const booksCollRef = collection( db, "books");
const q = query( booksCollRef, where("title", "==", "Weaving the Web"));
const booksQrySn = await getDocs( q); // query snapshot

Standard query operators: <, <=, ==, >, >=, !=.

• array-contains

• array-contains-any

• in

• not-in

Data management principles in this tutorial

In the data management approach that we adopt in this tutorial, we are going to use the following principles:

1. We always use entity IDs as Document IDs, and no Firebase auto-IDs.
2. Records/documents are preferably retrieved by their Document IDs (= entity ID) with the getDoc() method.
3. For creating a new entity record as a Firestore record/document (with its entity ID as Document ID), we use the Firestore setDoc() method.
4. For updating an existing Firestore record/document (representing an entity record), we use the Firestore updateDoc() method.

Question 1: Conversion with map

What is the purpose of the arrow function as the argument of the map function in the following expression? (await db.collection("books").get()).docs.map( d => d.data())

For converting a ______________ to a ______________.

1. Collection object.
2. Document Object
3. QuerySnapshot object
4. Record
5. DocumentSnapshot object

Question 2: Characteristics of Firestore

Which of the following statements apply to Firestore? Select one or more:

1. A Firestore collection has a certain schema (i.e., a list of attributes), implying that only documents that comply with its schema (having values for the given attributes) can be stored in a particular collection.
2. A Firestore database table (representing a set of records) is called a collection.
3. A Firestore collection does not have a schema, implying that any document can be stored in a particular collection. For instance, the document {name:"X", age:13} can be stored in the collection "books".
4. A Firestore database record is called a collection.
5. A Firestore database record is called a document.
6. Firestore supports certain forms of non-elementary attributes with composite data values (lists, records, record lists).
7. A Firestore database table (representing a set of records) is called a document.

Question 3: Document snapshots

What kind of JS object is returned by invoking the Firestore function db.collection(x).doc(y).get()? Select one:

1. A QuerySnapshot object.
2. A Query object.
3. A Document object.
4. A DocumentSnapshot object.

Question 4: Firebase JS SDK version 9

What is true about the following import expression? Select one or more:

import { initializeApp } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-app.js";

1. It is a side-effect import.
2. It is a no side-effect import.
3. Its specifier invokes a function from a CDN origin.
4. Its specifier invokes a function from the locally installed SDK using npm.
5. it is optimized for its use with module bundlers.

Question 5: Use of the setDoc() method

What happens when we invoke these two expressions when the detailed record ("006251587X") already exists? Select one:

const bookDocRef = doc( db, "books", "006251587X");
await setDoc( bookDocRef, data);

1. A new record is created with an automatically generated Document ID.
2. The provided property-value data is merged with the existing record/document.
3. The provided property-value data is overwritten with the existing record/document.

Create a Firestore database instance

6. Click on "Build" in the main menu and then on "Firestore Database".

7. Click on "Create database".

8. Security rules are a vital component for setting up security mechanisms for our database. In the Firebase documentation, you can read more about Firebase Security Rules. For the moment, choose "Start in test mode", and you will have 30 days for defining suitable rules for your app's database, which we will do later in Part 2. Now choose the corresponding "Cloud server location" and click on "Done".

   

9. We will now see the Firestore database console. In the jargon of Firestore, tables are called "collections", and records (table rows) are called "documents". We use the platform-independent terminology (records and tables) along with the Firestore jargon ("documents" and "collections"). For creating your first Firestore collection (database table), click on "Start collection", enter the collection name books, and then click on "Next".

10. Click on "Add document" to create your first Firestore document (record). Fill out the Document ID and the other three fields: isbn (string), title (string), year (number), as in Figure 4-3. Creating the first Firestore document/record. Notice that we are assigning the same ISBN code to the Document ID. After clicking on "Save" we see the first Firestore document on the database console.

    

Set up a Firebase web app and hosting URL

11. Go to the Project Overview and click on the "web" icon "</>", next to the icons of iOS, Android and Unity.

12. Give your web app a meaningful name, and then make sure to check "Also set up Firebase Hosting for this app". An auto-generated name will be given to the website hosting, but you can change it, needing only to make sure it is unique. Remember that here is where you define the free and public URL of your Firebase web app, which always ends with ".web.app". Click on "Register App".

13. After waiting while the app is initialized, you will see the Firebase SDK configuration. Save it for later since you need it to initialize the access to your Firebase application. Notice that you can always find it on the Firebase project configuration page.

You have just created your Firebase web app and the production environment where it resides.

Set up the local environment

Now you need to set up your local environment to run and test the web app while you develop, from which you will deploy to your production environment located on your Firebase Hosting instance.

14. Download the code of the Minimal App on your computer, and after uncompressing the ZIP file 1-MinimalApp.zip you will find a folder named 1-MinimalApp. This folder is the repository of every document of the web app, and it is also used as your local Git repo folder.

15. Create or open a new project on your editor, the 1-MinimalApp folder the root of your project. Inside, the subfolder public is accompanied by files related to the Firebase web app: firebase.json, firebase.indexes.json, firebase.rules, and package.json. The subfolder js in the public folder for our JavaScript source code files, and along with two subfolders m, and v, follow the Model-View-Controller paradigm for software application architectures. In the subfolder js there is a file named initFirebase.mjs, an ES6 module file in charge of initializing the web app interface with the Firebase APIs. And finally, there are many HTML files, among them the index.html file, the app's start page. Thus, we end up with the following folder structure:

    1-MinimalApp
      public
        js
          m
          v
          initFirebase.mjs
        index.html

    Notice that the js folder only contains two subfolders m and v (for model and view), not including a c folder since the minimal app doesn't include any controller code.

16. Open a terminal (e.g., the Windows Power Shell) when you are located in the folder 1-MinimalApp. On WebStorm you can open a terminal window if you click on the tab "Terminal" at the bottom of the editor view. Run the following NPM command to install the latest version of the core Firebase SDK:

    npm install firebase

    Finally, click on "Next" on the Firebase Console to continue the set-up process.

17. Logging in your Google account by executing the following command:

    firebase login

    You can find out which Google account is logged in with the command "firebase login".

    [Tip] You can log out your Firebase session by executing:

    firebase logout

18. Install the Firebase CLI running:

    npm install -g firebase-tools

    Notice that you keep your Firebase CLI up-to-date every time you run this command.

19. And then initialize Firebase on your local environment by executing:

    firebase init

20. Now you will go through the Firebase initialization process of your project in your local environment by following a sequence of questions. When you are prompted with the question "Which Firebase CLI features do you want to set up for this directory?" make sure to select the following two options by using the space bar (Figure 4-4. Through the Firebase project initialization process):

    • Firestore: Deploy rules and create indexes for Firestore
    • Hosting: Configure and deploy Firebase Hosting sites

    Press Enter to continue to the next question.

    

21. When prompted for choosing the Firebase project to initialize "First, let's associate this project directory with a Firebase project", use the arrow keys and select “Use an existing project” and then select the previously created Firebase project: i.e. "my awesomeweb-xxxxx".

    [Tip] If you are not prompted for choosing any Firebase project, delete the hidden file .fireserc located in your project folder and start over initializing the project. Optionally, you could run the following command to be prompted to select a Firebase project and assign an alias:

    firebase use --add

22. Press Enter to name the Firestore Security Rules file with the default name firestore.rules.

23. Press Enter to name the Firestore Indexes file with the default name firestore.indexes.json.

24. Press Enter to name the public directory with the default name public.

25. Press N when you are asked if you want to turn your web-based app into a single-page app.

26. Optionally, you can link your project to your GitHub repository to automate deployments to Firebase Hosting every time you push changes to your repo. When asked "Set up automatic builds and deploys with GitHub? (y/N)" answer accordingly and follow these directions in the official Firebase documentation.

27. Finally you will see the message “Firebase initialization complete!”. An index.html and a 404.html files have been created.

28. Go back to the Firebase Console on your web browser, and click on "Continue to Console". We now know that Firebase has been initialized and running on our computer.

Running your Firebase web app locally

28. For testing your app locally, run on terminal:

    firebase serve

    By default, the local server runs using the port 5000: http://localhost:5000.

    If you need to stop your local server, you can press Ctrl + C on Windows, Linux or Mac.

Firebase Local Emulator Suite (optional)

When we work on web development and run our app on our local environment, we are using the Hosting Emulator in the background, mimicking the actual behaviour of our Firebase Hosting, but on local. The Hosting Emulator is part of the Firebase Local Emulator Suite, allowing developers to build and test apps locally using almost every Firebase service available on the cloud. Firebase Local Emulator includes Cloud Firestore, Realtime Database, Cloud Storage, Authentication, Cloud Functions, and Firebase Hosting.

Start the Local Emulator Suite in your project by executing

firebase emulators:start

Once running, Firebase Emulator emulates every Firebase service initialized in your project locally. If we start Firebase Emulator, we would see two emulators running, one for Firestore and another for Firebase Hosting, with links to access their Emulator UIs.

Learn more about the Firebase Local Emulator Suite in the Firebase documentation.

Deploy your app on the production environment

29. For making our app public, we can deploy it to Firebase Hosting by running:

    firebase deploy

    Visit the public web app by clicking on the URL provided on the terminal. You might want to know more about testing locally and deploying your app on Firebase.

Defining and testing your first Security Rules

Previously, in the Firestore database setup process, we chose to "Start in test Mode" to get started with your database quickly, but now we need to define better Security Rules.

Security Rules in test mode leaves the database open to anyone on the Internet to read and write/change without restrictions. That is why Firestore forces us to update the Security Rules after 30 days from the day we created the database. To make our web app work beyond that 30-day limitation, you can set up a more advanced Firebase Security Rules configuration.

Notice that the following Security Rules are just meant to continue running our app beyond the 30-day limitation in this educational context, but they do not provide a significaant database security measure in a real-world situation. Hence, remember to strengthen these basic rules to protect an actual web application accordingly. We encourage you to deepen into the Firestore Security Rules by reading more on the subject in the Firebase Documentation.

1. On your IDE (maybe WebStorm), open the file firestore.rules.

2. Replace the content of the file with this snippet:

   rules_version = '2';
   service cloud.firestore {
     match /databases/{database}/documents {
       // Allow anyone
       match /{document=**} {
         allow read, write; // or allow read, write: if true;
       }
     }
   }

3. Deploy the project by running:

   firebase deploy

   Notice that the correct workflow for updating Security Rules is first editing the rules on your local version (firestore.rules) using your editor and then deploying the project to the cloud in such a way that you are updating both your local rules and the rules on the Firebase Console at the same time. If you edit the rules on the Firebase Console, your local version will be outdated, and you will overwrite the new ones with the outdated version.

4. To ensure the Security Rules have been deployed correctly, you can go to the Firebase Console, go to the Firestore database console, and click on the horizontal tab “Rules”. You must see the same snippet recently deployed.

5. For testing the rules, click on the “Rules playground” tab.

6. On “Location” enter "/books/Auto-ID".

7. Click on “Run”, and you should see a message in green color saying “Simulated read allowed”.

8. Finally, click on "Publish" to deploy the new Security Rules:

   

This may be a good time to try out our "Hello World" web app before continuing towards the next step.

Set up Node.js Dependencies

As we discussed before, a plain JavaScript application using the Firebase Web SDK relies totally on Node.js behind the scenes, so we need to know about the Node.js dependencies that Firebase needs in your local development environment and how to keep them updated and healthy.

In this second step, we locate the package.json file, which contains essential metadata that configures and describes a Node.js project, as a Firebase project is, defining attributes that NPM uses to install dependencies, run scripts, identify the application's entry point, and others that determine how our application interacts and runs. It is thus of crucial importance to understand the role of package.json in the JavaScript ecosystem.

On your editor, open the package.json file, and pay attention to the attribute "dependencies" in the JSON object located inside:

{
  "name": "js-firebase-minimal-app",
  "version": "1.1.0",
  "description": "Part 1: Learn how to build a Minimal Web App using JS and Firebase",
  "homepage": "https://minimalapp-ea662.web.app/tutorial",
  "keywords": [
    "javascript",
    "firebase",
    "firestore",
    "crud",
    "firebase SDK version 9",
    "minimal"
  ],
  ...
  "dependencies": {
    "firebase": "^X.X.X",
    "firebase-firestore-lite": "^X.X.X",
    "firebase-auth": "^X.X.X"
  },
  ...
}

We see three Firebase SDK libraries and their corresponding versions. That means we need those libraries installed in our local environment to run the Minimal App. Run the following command to install the defined dependencies. WebStorm highlights the dependencies not found in the local environment, facilitating to know that we still need to fix something.

npm install

Then the folder "node_modules" is generated with all the dependencies.

Whenever you want to reset all the dependencies and ensure a healthy local environment, you can safely delete the node_modules directory and run npm install again.

Firebase is permanently updated; therefore, sometimes, we need to update our package.json file with the latest versions of the defined dependencies. Use the following command to update the package.json file along with your dependencies.

npm i firebase

Learn about all the package.json attributes with the official npm guide.

Initialize Firebase

In the second step, we initialize an interface for our Firestore instance. We start by creating an ES6 module file named initFirebase.mjs located in the root of the js folder, which first statements import the functions we need from the JavaScript versions of the Firebase SDK libraries. We always initialize Firestore through Firebase, so we import the initializeApp() function from the core Firebase SDK library (firebase-app.js), and the getFirestore() function from the Firestore Lite Web SDK (firebase-firestore-lite.js), introduced from Firebase Web SDK version 9, and designed to improve performance of the most basic read/write operations.

import { initializeApp } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-app.js";
import { getFirestore } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore-lite.js";

To start using Firestore we initialize a Firebase App instance for our app, using the values taken from the web app's Firebase project configuration page and pass them as a parameter in a variable named firebaseConfig to invoke the initializeApp() function. The Firebase App instance object is from now on available in our session, containing configuration information that is consumed across other Firebase services, such as Firestore or Firebase Authentication.

// TODO: Replace the following with your web app's Firebase project configuration
const firebaseConfig = {
  apiKey: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  authDomain: "minimalapp-XXXX.firebaseapp.com",
  projectId: "minimalapp-XXXX",
  appId: "1:XXXXXXXXXXXX:web:XXXXXXXXXXXXXXXXXXXXXXX"
};
// Initialize a Firebase App object
initializeApp( firebaseConfig);

Once the Firebase App instance has been initialized, we can initialize Cloud Firestore using the getFirestore() function to create the fsDb object that works now as an interface to our Firestore DB instance.

// Initialize Firestore interface
const fsDb = getFirestore();

Finally, the fsDb object is exported and becomes available to other procedures in the minimal app.

export { fsDb };

Changing names of Firestore SDK's functions

You may have noticed that formerly we named the Firebase database instance object as "db", but now we have named it "fsDb" since we find this name more meaningful and straightforward once we use it in our code. Additionally, we find three names of the original Firestore SDK JS version 9 functions are too generic, violating good practice conventions, and may turn our code confusing, so we propose to rename them like:

The name changes happen when the functions are imported from the Firestore SDK library.

import { collection as fsColl, doc as fsDoc, query as fsQuery } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore.js";

Creating a new Book record

Since database access operations can fail, we always call them in a try-catch block to follow up with an error message whenever the input operation fails.

The following Book.add procedure takes care of creating a new book record/document and adding it to the Firebase table/collection "books":

Book.add = async function (slots) {
  const booksCollRef = fsColl( fsDb, "books"),
    bookDocRef = fsDoc (booksCollRef, slots.isbn);
  slots.year = parseInt( slots.year);  // convert from string to integer
  try {
    await setDoc( bookDocRef, slots);
    console.log(`Book record ${slots.isbn} created.`);
  } catch( e) {
    console.error(`Error when adding book record: ${e}`);
  }
};

Retrieving a Book record

For retrieving a book record/document we use the Book.retrieve() procedure that is called with a parameter isbn:

Book.retrieve = async function (isbn) {
  let bookDocSn = null;
  try {
    const bookDocRef = fsDoc( fsDb, "books", isbn);
    bookDocSn = await getDoc( bookDocRef);
  } catch( e) {
    console.error(`Error when retrieving book record: ${e}`);
    return null;
  }
  const bookRec = bookDocSn.data();
  return bookRec;
};

Retrieving all Book records

For retrieving the book records/documents from the Firestore "books" table collection, we use the Book.retrieveAll procedure:

Book.retrieveAll = async function () {
  let booksQrySn = null;
  try {
    const booksCollRef = fsColl( fsDb, "books");
    booksQrySn = await getDocs( booksCollRef);
  } catch( e) {
    console.error(`Error when retrieving book records: ${e}`);
    return null;
  }
  const bookDocs = booksQrySn.docs,
    bookRecs = bookDocs.map( d => d.data());
  console.log(`${bookRecs.length} book records retrieved.`);
  return bookRecs;
};

Updating a Book record

For updating an existing book record/document, we first retrieve it from the Firestore "books" table/collection, and then re-assign those attributes the value of which has changed. Here is the full code of the procedure:

Book.update = async function (slots) {
  const updSlots = {};
  // retrieve up-to-date book record
  const bookRec = await Book.retrieve( slots.isbn);
  // convert from string to integer
  if (slots.year) slots.year = parseInt( slots.year);
  // update only those slots that have changed
  if (bookRec.title !== slots.title) updSlots.title = slots.title;
  if (bookRec.year !== slots.year) updSlots.year = slots.year;
  if (Object.keys( updSlots).length > 0) {
    try {
      const bookDocRef = fsDoc( fsDb, "books", slots.isbn);
      await updateDoc( bookDocRef, updSlots);
      console.log(`Book record ${slots.isbn} modified.`);
    } catch( e) {
      console.error(`Error when updating book record: ${e}`);
    }
  }
};

Deleting a Book record

A book record/document is deleted from the Firestore "books" table/collection using the Book.destroy procedure:

Book.destroy = async function (isbn) {
  try {
    await deleteDoc( fsDoc( fsDb, "books", isbn));
    console.log(`Book record ${isbn} deleted.`);
  } catch( e) {
    console.error(`Error when deleting book record: ${e}`);
  }
};

Creating test data

To test our code, we may create some test data and save it in our Firestore DB. We first create an array of book records. Then, to use the Promise.all function, we map each book record, "bookRec", to an Book.add() procedure invocation expression of the following form:

await Promise.all( bookRecs.map( d => Book.add( d)));

Notice that Promise.all allows invoking a list of asynchronous operations, which are not executed sequentially but simultaneously.

Book.generateTestData = async function () {
  let bookRecs = [
    {
      isbn: "006251587X",
      title: "Weaving the Web",
      year: 2000},
    {
      isbn: "0465026567",
      title: "Gödel, Escher, Bach",
      year: 1999
    },
    {
      isbn: "0465030793",
      title: "I Am A Strange Loop",
      year: 2008
    }
  ];
  // save all book records
  await Promise.all( bookRecs.map( d => Book.add( d)));
  console.log(`${Object.keys( bookRecs).length} books saved.`);
};

Clearing all data

The following two-part procedure clears all data from our Firestore "books" table/collection:

1. First, a JS array (list) of all book records is retrieved from the Firestore DB using the Book.retrieveAll() procedure:

   const bookRecords = await Book.retrieveAll();

2. All records/documents in the books table/collection are then deleted individually, invoking asynchronously the Book.destroy() procedure:

   await Promise.all( bookRecs.map( b => Book.destroy( b.isbn)));

Here is the full code of the procedure:

Book.clearData = async function () {
  if (confirm("Do you really want to delete all book records?")) {
    // retrieve all book documents from Firestore
    const bookRecs = await Book.retrieveAll();
    // delete all documents
    await Promise.all( bookRecs.map( b => Book.destroy( b.isbn)));
    // ... and then report that they have been deleted
    console.log(`${Object.values( bookRecs).length} books deleted.`);
  }
};

Styling the User Interface

For simplicity, we have used raw HTML with minimal CSS styling. But a user interface (UI) should be appealing. So, the code of this app should be extended by adding suitable CSS style rules.

Today, the UI pages of a web app have to be adaptive (frequently called "responsive") for being rendered on different devices with different screen sizes and resolutions. The main issue of an adaptive UI is to have a fluid layout, in addition to proper viewport settings. Whenever images are used in a UI, we also need an approach for adaptive bitmap images: serving images in smaller/larger sizes for smaller/large screens (and in higher resolutions for high-resolution screens), while preferring scalable SVG images for diagrams and artwork. In addition, we may decrease the font-size of headings and suppress unimportant content items on smaller screens.

For our purposes and keeping things simple, we have customized the adaptive web page design defined by the HTML5 Boilerplate project (more precisely, the minimal "responsive" configuration available on www.initializr.com). It consists of an HTML template file and two CSS files: the browser style normalization file normalize.css and a main.css, which contains the HTML5 Boilerplate style and our customizations. Consequently, we use a new css subfolder containing these two CSS files:

1-MinimalApp-with-CSS
  public
    css
      main.css
      normalize.css
    js
      m
      v
    index.html

We define our own styles for <table>, <menu> and <form> elements, in main.css. Concerning the styling of HTML forms, we define a simple style for implicitly labeled form control elements.

The start page index.html now must take care of loading the CSS files with the help of the following two link elements:

<link rel="stylesheet" href="css/normalize.css">
<link rel="stylesheet" href="css/main.css">

Since the styling of user interfaces is not our primary concern, we do not discuss its details and leave it to our readers to take a closer look. You can run the CSS-styled minimal app from our code or download its code as a ZIP archive file.

Catching invalid data

The app discussed in this chapter is limited to support the minimum functionality of a data management app, and it does not prevent users from entering invalid data into the app's database. In Part 2 of this tutorial, we show how to express integrity constraints in a model class and how to perform data validation both in the model/storage code of the app and in the user interface code.

Boilerplate code

Another issue with the do-it-yourself code of this example app is the boilerplate code needed per model class for the data storage management methods add, retrieve, update, and destroy. While it is good to write this code a few times for learning app development, you don't want to write it again and again later when you work on real projects. In our mODELcLASSjs tutorial, we present an approach to putting these methods in a generic form in a meta-class, such that they can be reused in all model classes of an app.

Serialization and de-serialization

Serializing a property's value means converting it to a suitable string value. For standard data types, such as numbers, a standard serialization is provided by the predefined conversion function String, which doesn't have to be used in many cases since the JS engine performs the serialization automatically.

When a string value, like "13" or "yes", represents the value of a non-string-valued attribute, it has to be de-serialized, that is, converted to the range type of the attribute, before it is assigned to the attribute. This is the situation, for instance, when a user has entered a value in a form input field for an integer-valued attribute. The values of form fields are always of type string. Consequently, the value of a form input field for an integer-valued attribute has to be converted (de-serialized) to an integer using the predefined conversion function parseInt.

For instance, in our example app, we have the integer-valued attribute year. When the user has entered a value for this attribute in a corresponding form field, in the Create or Update user interface, the form field holds a string value, which has to be converted to an integer in an assignment like the following:

this.year = parseInt( formEl.year.value);

One important question is: where should we take care of de-serialization: in the "view" (before the value is passed to the "model" layer), or in the "model"? Since attribute range types are a business concern, and the business logic of an app is supposed to be encapsulated in the "model", de-serialization should be performed in the "model" layer, and not in the "view".

Synchronizing views with the model

When more than one user uses an app at the same time, we have to take care of somehow synchronizing the possibly concurrent read/write actions of users such that users always have current data in their "views" and are prevented from interfering with each other. This is a complicated problem, which is attacked differently by different approaches. It has been mainly investigated for multi-user database management systems and large enterprise applications built on top of them.

The original MVC proposal included a data binding mechanism for automated one-way model-to-view synchronization (updating the model's views whenever a change in the model data occurs). We didn't take care of this in our minimal app because a front-end app with local storage doesn't have multiple concurrent users. However, we can create a (somewhat artificial) situation that illustrates the issue:

1. Open the Update UI page of the minimal app twice (for instance, by opening updateLearningUnit.html twice), such that you get two browser tabs rendering the same page.

2. Select the same learning unit on both tabs, such that you see its data in the Update view.

3. Change one data item of this learning unit on one of the tabs and save your change.

4. When you go to the other tab, you still see the old data value, while you may have expected it to be automatically updated.

A mechanism for automatically updating all views of a model object whenever a change in its property values occurs is provided by the observer pattern that treats any view as an observer of its model object. Applying the observer pattern requires that

• model objects can have a multi-valued reference property like observers, which holds a set of references to view objects;
• a notify method can be invoked on view objects by the model object whenever one of its property values is changed; and
• the notify method defined for view objects refreshes the user interface.

Notice, however, that the general model-view synchronization problem is not solved by automatically updating all (other users') views of a model object whenever a change in its data occurs because this would only help if the users of these views didn't make themselves any modification of the data item concerned, meanwhile. Otherwise, their changed data value would be overwritten by the automated refresh, and they may not even notice this, which is not acceptable in terms of usability.

Architectural separation of concerns

From an architectural point of view, it is important to keep the app's model classes independent of

1. the user interface (UI) code because it should be possible to reuse the same model classes with different UI technologies;

2. the storage management code because it should be possible to reuse the same model classes with different storage technologies.

In this tutorial, we have kept the model class Book independent of the UI code since it does not contain any references to UI elements, nor does it invoke any view method. However, for simplicity, we didn't keep it independent of storage management code since we have included the method definitions for add, update, destroy, etc., which invoke the storage management methods of JavaScrpt's localStorage API. Therefore, the separation of concerns is incomplete in our minimal example app.

We show in our mODELcLASSjs tutorial how to achieve a complete separation of concerns by defining abstract storage management methods in a special storage manager class, which is complemented by libraries of concrete storage management methods for specific storage technologies, called storage adapters.

404 Pages

Whenever a Firebase project is set up, a 404.html document is generated in the root folder, generally named "public". The primary purpose of this web page is to attend to a crucial -but often unattended- issue of the user experience on web apps and sites: address errors when a web page is not found within a web server. This may happen for several reasons, like a web page being renamed, moved to another folder, or simply because it doesn't exist anymore. Nevertheless, the consequence will always be that the user will be unable to find specific content or resource that previously existed. Web apps and sites are dynamic entities that change along with their life, so handling this issue is a good practice. Another goal of 404 pages is to turn a potential negative user experience into a positive one by providing the necessary information that guides the user to find the new location of the seek resource. 404 pages contain links to help users exit successfully from the error page.

Question 1: Properties/methods of a model class

Which of the following are properties or methods of a model class Book? Select one or more:

1. Book.retrieveAll
2. Book.update
3. Book.destroy
4. Book.save
5. Book.retrieve
6. Book.load
7. Book.instances
8. Book.add

Question 2: Using the output element

In which CRUD use case does the user interface include an HTML output element? Select one or more:

1. Retrieve/list all
2. Update
3. Delete
4. Create

Question 3: Entity tables

Which of the following tables represent entity tables for a model class Book? Select one or more:

1. Key	Value
   1	[ "006251587X", "Weaving the Web", 2000 ]
   2	[ "0465026567", "Gödel, Escher, Bach", 1999 ]
   3	[ "0465030793", "I Am A Strange Loop", 2008 ]

2. Key	Value
   1	{ isbn:"006251587X", title:"Weaving the Web", year:2000 }
   2	{ isbn:"0465026567", title:"Gödel, Escher, Bach", year:1999 }
   3	{ isbn:"0465030793", title:"I Am A Strange Loop", year:2008 }

3. Key	Value
   006251587X	{ isbn:"006251587X", title:"Weaving the Web", year:2000 }
   0465026567	{ isbn:"0465026567", title:"Gödel, Escher, Bach", year:1999 }
   0465030793	{ isbn:"0465030793", title:"I Am A Strange Loop", year:2008 }

4. Key	Value
   006251587X	[ "006251587X", "Weaving the Web", 2000 ]
   0465026567	[ "0465026567", "Gödel, Escher, Bach", 1999 ]
   0465030793	[ "0465030793", "I Am A Strange Loop", 2008 ]

Managing information about movies

The purpose of the app to be developed is managing information about movies. Like in the book data management app discussed in the tutorial, you will use Firestore as the cloud database management system.

The app deals with just one object type: Movie, as depicted in the Figure 4-7. The object type Movie. In the subsequent parts of the tutorial, you will extend this simple app by adding integrity constraints, enumeration attributes, further model classes for actors and directors, and the associations between them.

Notice that releaseDate is an attribute with range Date, so you need to find out how to display, and support user input of, calendar dates.

For developing the app, simply follow the sequence of seven steps described in the tutorial:

1. Step 1 - Set up the Firebase Project

2. Step 2 - Write the Model Code

3. Step 3 - Initialize the Application

4. Step 4 - Implement the List Objects Use Case

5. Step 5 - Implement the Create Object Use Case

6. Step 6 - Implement the Update Object Use Case

7. Step 7 - Implement the Delete Object Use Case

You can use the following sample data for testing:

Make sure that

1. your HTML pages comply with the XML syntax of HTML5,

2. international characters are supported by using UTF-8 encoding for all HTML files,

3. your JavaScript code complies with our Coding Guidelines and is checked with JSHint (for instance, instead of the unsafe equality test with "==", always the strict equality test with "===" has to be used).

Authentication

A user account establishes a relationship between a user identity and an app, device, or network, and Authentication is the process of validating that users are whom they say to be, their user identity, for granting them access control. Authentication aims to prove user identity.

According to Schneider, user authentication solutions can be categorized by:

1. Something you know: a password, personal identification number (PIN), challenge-response, etc.
2. Something you have: security token device/app, certificate, ID card, etc.
3. Something you are: DNA sequence, face/voice/retinal pattern, fingerprint, etc.

Credential

A credential is a digital document, object, or data structure that associates a user identity to a proof of authenticity. An example of a credential may be an email and password combination.

Authorization

Authorization is the process of verifying what specific data/resources/features a particular user has access to. Authorization aims to provide correct access.

User roles

User Roles are permissions defined that control access to data/resources/features according to authorization policies.

User Authentication Status

There are different types of authentication status the user has while using any app with Firebase Authentication:

• Anonymous: a visitor who is "signed in" as anonymous in the background (unnoticeable) by the app. It is the opposite to registered, having the user not provided (yet) email and password. The status before being upgraded to anonymous is "visitor", and the upgrade happens programmatically when the visitor uses the app for the first time.
• Registered: a user who has provided email and password, is already registered in the app, and can be:
  • With non-verified email.
  • With verified email.

Design of our Access Control Handling Solution

The design of our access control handling solution with Firebase Authentication includes the following features:

• Use of the Firebase's email and password authentication method.

• The access control policies grant access to user with authenticated status registered with a verified email to change/write/read operations and restrict access to registered with non-verified email and anonymous users to read-only operations.

• Rather than relying on role-based access control, the solution will use the different user authentication statuses to perform DOM operations on the main menu to implement access control policies to grant/restrict access to the database management operations.
• Protect the database with Firestore Security Rules that correspond with the defined access control policies, limiting hence bypassing the front-end layer to get access directly to the database maliciously.

• Individual pages allow users to sign up and sign in to the app using email and password.

• Registered user must verify email for granting full access to change/write operations. A verification link should be sent after the sign-up process, and once clicked on it, the user is upgraded to full access.

• User's password can be changed if it is forgotten it. An email address must be submitted, and the app sends an email with a link that the requested change is confirmed once clicked on it.
• A sign out solution to handle when a registered user leaves the session, returning to the user authentication status anonymous.

• A UI that adapts to changes of the different user authentication statuses, allows users to sign up/in/out of the app. The UI design should respond to user interactions with redirections, messages or restrictions.

Set up the Folder Structure and add access control files

The MVC folder structure of our minimal app with access control extends the structure of the minimal app by adding five ES6 module files and four HTML files:

• five ES6 module files: accessControl.mjs, actionHandler.mjs, resetPassword.mjs, signIn.mjs, signUp.mjs, initFirebase.mjs, and
• four HTML files: actionHandler.html, resetPassword.html, signIn.html, signUp.html.

Thus, we get the following folder structure:

1-MinimalApp-with-access-control
  public
    js
      m
        Book.mjs
      v
        accessControl.mjs
        actionHandler.mjs
        createBook.mjs
        deleteBook.mjs
        resetPassword.mjs
        retrieveAndListAllBooks.mjs
        signIn.mjs
        signUp.mjs
        update.mjs
      initFirebase.mjs
    404.html
    actionHandler.html
    createBook.html
    credits.html
    deleteBook.html
    favicon.ico
    index.html
    machine-build.svg
    resetPassword.html
    retrieveAndListAllBooks.html
    signIn.html
    signUp.html
    update.html

We discuss the contents of the added files in the following sub-sections.

Enable Firebase Authentication

Go to the Firebase Console and click on the "Authentication" option in the main menu. Select the tab Sign-in Method and enable the option "Email/Password" and the option "Anonymous".

Initialize Firebase Authentication

In the file initFirebase.mjs we add the Firebase user authentication interface, creating an interface to our authentication instance in the "auth" object, which later is exported to be consumed by other ES6 modules that are part of the access control handling solution:

import { initializeApp, getApp, getApps } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-app.js";
import { getFirestore } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-firestore-lite.js";
import { getAuth } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-auth.js";

// TODO: Replace the following with your web app's Firebase project configuration
const config = {
  apiKey: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  authDomain: "minimalapp-XXXX.firebaseapp.com",
  projectId: "minimalapp-XXXX",
  appId: "1:XXXXXXXXXXXX:web:XXXXXXXXXXXXXXXXXXXXXXX"
};
// Initialize a Firebase App object only if not already initialized
const app = (!getApps().length) ? initializeApp( config ) : getApp();
// Initialize Firebase Authentication
const auth = getAuth( app);
// Initialize Firestore interface
const fsDb = getFirestore();

export { auth, fsDb };

Notice that this time we initialize the Firebase App instance differently, storing it as an object in a variable named "app" and later being given as a parameter to the getAuth() function to create the authentication instance in the "auth" object. Contrary to how we initialize Firestore, we cannot initialize Firebase Authentication without using the Firebase App instance object. For such purpose, we evaluate first whether there is already an initialized Firebase app instance using the getApps() function, and, if not, initialize it with the initializeApp() function. If there is already an initialized Firebase app instance, we use the getApp() function to get it and store it in the variable "app".

const app = (!getApps().length) ? initializeApp( config ) : getApp();
...
const auth = getAuth( app);

Prepare the Main Menu for Granting or Restricting Access

The menu items (links and buttons) on the start page may have any of the following three states:

1. Disabled, for menu items to access change/write operations if the user status is anonymous.

2. Enabled, for menu items to access either

   • change/write/read operations if a logged-in user is registered with a verified email,
   • or read operations if a user is anonymous.

3. Enabled but unavailabe, for menu items to access change/write operations if the user is registered with non-verified email. The menu item is enabled, but a redirection back to the start page is triggered after clicking on it.

For setting up the default state of the menu items we perform different DOM operations on UI elements. For instance, the <a> elements are disabled using CSS rules, using the "disabled" class, and the <button> elements are disabled adding the disabled attribute. The whole setup can be seen on the resulting in this HTML code:

<ul role="menubar">
  <li role="menuitem">
    <a href="createBook.html" class="disabled">Create</a> a new book record
  </li>
  <li role="menuitem">
    <a href="retrieveAndListAllBooks.html">Retrieve</a> and list all book records
  </li>
  <li role="menuitem">
    <a href="updateBook.html" class="disabled">Update</a> a book record
  </li>
  <li role="menuitem">
    <a href="deleteBook.html" class="disabled">Delete</a> a book record
  </li>
  <li role="menuitem">
    <button class="generateTestData" type="button" disabled="disabled">Generate test data</button>
  </li>
  <li role="menuitem">
    <button id="clearData" type="button" disabled="disabled">Clear test data</button>
  </li>
</ul>

Notice that the only "non-disabled" menu item by default is "Retrieve and list all book records" since we want to allow unlimited access to the only read operation, whether the user status is anonymous or not.

We also use CSS rules: the "disabled" class, removes click events from the <a> elements using the property pointer-events set to none and changes their appearance by reducing its opacity and setting the cursor to default, which removes the "hand" icon when hovering "clickable" UI elements:

a.disabled {
  opacity: 0.4;
  pointer-events: none;
  cursor: default;
}

Login Management Area

The main UI element that accompanies the four pages of the CRUD use cases in our app is a login management area that adapts its behavior and appearance according to changes in the user authentication status. This area, located in the header section of each page, gives access to links and buttons that allow users to sign up (page signUp.html), sign in (page signIn.html), and sign out. User messages are also shown in this area, sometimes inviting to do something, others providing information about the current authentication status.

<header>
  <div id="login-management"></div>
  <h1>Minimal App with Authentication — Public Library</h1>
</header>

Error messages are meant to provide feedback to users about what they did wrong and how to fix mistakes. The design of our access control handling solution relies very much on user interaction elements. Since many things may go wrong while interacting with such forms, buttons, verification emails/links, etc., we need to handle error messages returned from our Firebase Authentication instance accordingly. To show error messages, every page view related to our access control handling solution includes a div element exclusively for displaying error messages.

<header>
  <div id="message" hidden="hidden"></div>
  <h1>...</h1>
  ...
</header>

Handle Authentication

In the handleAuthentication() procedure resides the logic that encompasses the authentication capabilities of the Firebase Authentication SDK library with the access control policies to authorize access to the CRUD use case pages. For handling authentication we evaluate the different user authentication statuses for invoking accordingly the handleAuthorization() procedure, which grants and restricts access to the CRUD use case pages.

It starts by evaluating the user authentication status using the onAuthStateChanged() function, which returns a user instance object examined by its isAnonymous property. We know if the user is signed in as anonymous or registered throughout this property. However, if the user instance object returns null, there is no active user session, and we use the signInAnonymously() method to upgrade the user from visitor to anonymous, signing in an anonymous user session in the app.

For each evaluated user authentication status we invoke the handleAuthorization() procedure with different parameters for handling authorization. The first parameter is a string value that describes the user authentication status.

function handleAuthentication() {
  // get current page value
  const currentPage = window.location.pathname;
  try {
    // evaluate user authentication status
    onAuthStateChanged( auth, async function (user) {
      // if status is "anonymous" or "registered"
      if (user) {
        if (user.isAnonymous) { // if user is "anonymous"
          handleAuthorization( "Anonymous", currentPage);
        } else { // if status is "registered"
          if (!user.emailVerified) { // if email address is not verified
            handleAuthorization( "Registered with non-verified email", currentPage, user.email);
          } else { // if email address is verified
            handleAuthorization( "Registered with verified email", currentPage, user.email);
          }
        }
      }
      else signInAnonymously( auth); // otherwise, upgrade to "anonymous"
    });
  } catch (e) {
    console.error(`Error with user authentication: ${e}`);
  }
}

The second parameter used with the handleAuthentication() procedure is the "current page" in which the user is located, using the location interface and its property pathname,

const currentPage = window.location.pathname;

Handle authorization

The handleAuthorization() procedure coordinates every UI behaviour orchestrating DOM operations either in the login management area or main menu items, using a switch/case statement based on the three possible passed user authentication statuses. We present the basic structure of this procedure:

function handleAuthorization( userStatus, currentPage, email) {
  ...
  switch (userStatus) {
    case "Anonymous":
      ...
    case "Registered with non-verified email":
      ...
    case "Registered with verified email":
      ...
  }
}

Before handling any possible case of user authentication status, we declare variables for accessing the login management area, a list of "authorized pages" that anonymous users can access without authentication, and another list containing the two forms of how the property pathname of the location interface recognizes the "start page". Notice that the authorizedPages variable concatenates both lists:

function handleAuthorization( userStatus, currentPage, email) {
  // declare variables for current page and for accessing UI elements
  const divLoginMgmtEl = document.getElementById("login-management"),
    startPage = ["/","/index.html"],
    authorizedPages = startPage.concat(["/retrieveAndListAllBooks.html", "/credits.html"]);
  switch (userStatus) {
    ...

If case is "Anonymous"

First, we check if the current page is in the list of authorized pages, and if not, the user is redirected to the sign-up page (signUp.html), or else we show in the login management area the links to the signUp.html and signIn.html pages, using the createSignInAndSignUpUI() helper function:

...
case "Anonymous":
  // if user is not authorized to current page, restrict access & redirect to sign up page
  if (!authorizedPages.includes( currentPage)) window.location.pathname = "/signUp.html";
  else divLoginMgmtEl.appendChild( createSignInAndSignUpUI());
  console.log(`Authenticated as "${userStatus}"`);
  break;
...

If case is "Registered with non-verified email"

First, we check if the current page is in the list of authorized pages, and if not, the user is redirected to the start page (index.html), or else we invoke the createSignOutUI() helper function that creates a "Sign out" button element in the login management area. This time two parameters are passed to the function, the user's email address and a boolean that, if present with the value true, renders a message inviting the user to verify the registered email address:

...
case "Registered with non-verified email":
  // if user is not authorized to current page, restrict access & redirect to start page
  if (!authorizedPages.includes( currentPage)) window.location.pathname = "/index.html";
  else divLoginMgmtEl.appendChild( createSignOutUI( email, true));
  console.log(`Authenticated as "${userStatus}" (${email})`);
  break;
...

If case is "Registered with verified email"

First, we declare variables for accessing UI elements on the main menu located on the start page (index.html). After checking if we are located on it, we enable links by removing the CSS class "disabled" and buttons by setting to false the "disabled" attribute, authorizing as a result full access to create/write operations in the pages of the four database access operations. Then we invoke the createSignOutUI() helper function that creates a "Sign out" button element in the login management area. This time only one parameter is passed to the function, the user's email address:

...
case "Registered with verified email":
  // if current page is start page grant access to the four database operations
  if (startPage.includes( currentPage)) {
    // declare variables for accessing UI elements
    const clearDataBtn = document.getElementById("clearData"),
      generateDataBtns = document.querySelectorAll(".generateTestData"),
      disabledEls = document.querySelectorAll(".disabled");
    // perform DOM operations to enable menu items
    for (const el of disabledEls) el.classList.remove("disabled");
    clearDataBtn.disabled = false;
    for (const btn of generateDataBtns) btn.disabled = false;
  }
  divLoginMgmtEl.appendChild( createSignOutUI( email));
  console.log(`Authenticated as "${userStatus}" (${email})`);
  break;
...

Helper Functions for Rendering the UI

The two functions in charge of manipulating UI elements related to authentication and authorization are createSignInAndSignUpUI() and createSignOutUI().

Notice the use of the JavaScript method createDocumentFragment(), that creates a DOM node object separated from the main DOM tree, over which we perform DOM operations without affecting it, being consequently more computationally efficient. When the fragment is appended to the main DOM tree, it disappears in just one operation:

function createSignInAndSignUpUI() {
  const fragment = document.createDocumentFragment(),
    linkSignUpEl = document.createElement("a"),
    linkSignInEl = document.createElement("a"),
    text = document.createTextNode(" or ");
  linkSignUpEl.href = "signUp.html";
  linkSignInEl.href = "signIn.html";
  linkSignUpEl.textContent = "Sign up";
  linkSignInEl.textContent = "Sign in";
  fragment.appendChild( linkSignUpEl);
  fragment.appendChild( text);
  fragment.appendChild( linkSignInEl);
  return fragment;
}

The createSignOutUI() helper function receives two parameters, one is the user's email address as string, and an optional boolean that, if true, it renders a message inviting the user to verify the registered email address. Notice the event listener added to the button that invokes the handleSignOut() function while the DOM operations happen:

function createSignOutUI( email, invitation) {
  const fragment = document.createDocumentFragment(),
    divEl = document.createElement("div"),
    buttonEl = document.createElement("button");
  if (invitation) {
    const divEl = document.createElement("div");
    divEl.textContent = "Check your email for instructions to verify your account " + 
      "and authorize access to operations";
    fragment.appendChild( divEl);
  }
  buttonEl.type = "button";
  buttonEl.innerText = "Sign Out";
  buttonEl.addEventListener("click", handleSignOut);
  divEl.innerText = `${email} `;
  divEl.appendChild( buttonEl);
  fragment.appendChild( divEl);
  return fragment;
}

async function handleSignOut() {
  try {
    signOut( auth);
    window.location.pathname = "/index.html";
  } catch (e) {
    console.error(`${e.constructor.name}: ${e.message}`);
  }
}

Sign up View Code

In simple, the sign-up view code upgrades an anonymous user to registered, using the email and password passed from the HTML form, in four steps:

1. We generate an authentication credential object using the createUserWithEmailAndPassword() method, providing it as parameters the Firebase Athentication interface object auth, and the entered email and password.

2. We create a user reference in our project's instance of Firebase Authentication using the user method of the authentication credential object.

3. At this point, the user account has been created in our project's instance of Firebase Authentication, being the current status of the user registered with non-verified email. However, to complete the sign up process, we send a verification email that contains a link including a unique activation code. The verification email is generated and sent from our Firebase's project instance, using the sendEmailVerification() method and the user reference described in step 2.

4. We display an alert dialog with a reminder message encouraging us to verify the provided email to complete the sign up process.

Notice that we do all this in a try/catch block, and if Firebase Authentication API returns an error message, we "catch it" and display it accordingly on the div element created for such purpose.

import { auth } from "../initFirebase.mjs";
import { createUserWithEmailAndPassword, sendEmailVerification } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-auth.js";

const formEl = document.forms["Auth"],
  signUpBtn = formEl["signUp"];

// manage sign up event
signUpBtn.addEventListener("click", async function () {
  const email = formEl["email"].value,
    password = formEl["password"].value;
  if (email && password) {
    try {
      // create account and get credential by providing email and password
      // user is signed in automatically if the account is created successfully
      const userCredential = await createUserWithEmailAndPassword( auth, email, password);
      // get user reference from Firebase
      const userRef = userCredential.user;
      // send verification email
      await sendEmailVerification( userRef);
      console.log (`User ${email} became "Registered"`);
      alert (`Account created ${email}. Check your email for instructions to verify this account.`);
      window.location.pathname = "/index.html"; // redirect user to start page
    } catch (e) {
      const divMsgEl = document.getElementById("message");
      divMsgEl.textContent = e.message;
      divMsgEl.hidden = false;
    }
  }
});

Sign in View Code

This procedure uses the signInWithEmailAndPassword() method to sign in to the app with email and password. If the sign-in process is successful, the user is redirected to the start page. Likewise, the sign-up process error messages are handled accordingly in this view code:

import { auth } from "../initFirebase.mjs";
import { signInWithEmailAndPassword } from "https://www.gstatic.com/firebasejs/9.X.X/firebase-auth.js";

const formEl = document.forms["Auth"],
  signInBtn = formEl["signIn"];

signInBtn.addEventListener("click", async function () {
  const email = formEl["email"].value,
    password = formEl["password"].value;
  if (email && password) {
    try {
      // sign in user using email + password
      await signInWithEmailAndPassword( auth, email, password);
      window.location.pathname = "/index.html"; // redirect user to start page
    } catch (e) {
      const divMsgEl = document.getElementById("message");
      divMsgEl.textContent = e.message;
      divMsgEl.hidden = false;
    }
  }
});

Email Action Handler Templates

1. edit the fields that have been filled out automatically by Firebase, such as Sender name, From, Reply to, and Subject, with the content of your choice. Notice that Firebase prevents customizing the field Message to evade abusive behaviour, such as spam; if you want to customize the email message, you need to handle the flow outside Firebase cloud services. In this same screen, you can make individual changes in the templates for "Email address verification" and "Password reset", and afterwards,
2. being on edit mode in any template, click on "Customize action URL", below the "Action URL" field, and refactor the URL by replacing the ending part "__/auth/action" with the file name of the action handler page, resulting into something similar to "https://xxxxx.firebaseapp.com/actionHandler.html". Notice that the Action URL value is shared across all templates, so if you change it in one action handler/template, the same value is updated in all the other action handlers/templates.

Email Action Handler Page

The email action handler page is common for each user management action handler, so we create an HTML file named actionHandler.html, and within we allocate a <section> element for each planned action; the first <section> element deals with email address verification, and the second with password reset. Both <section> elements are hidden by default, and contain a basic structure that defines the page's layout, and after being filled out with content by the view code it is "unhidden". Notice that the heading element <h1> is also present empty and "hidden" by default:

<header>
  <div id="message" hidden="hidden"></div>
  <div>
    <div><h1></h1></div>
  </div>
</header>
<main>
  <div>
    <section hidden="hidden">
      <p></p>
    </section>
    <section hidden="hidden">
      <p></p>
      ...
    </section>
  </div>
</main>

When Firebase generates the link attached in the confirmation email to complete the action, several query parameters are added to the action handler URL, so the first step is parsing from the URL the two parameters needed to complete the user authentication actions: 1) "mode" (stored in a variable mode), and 2) "oobCode" (stored in the variable actionCode). Notice that the oobCode has a self generated unique code, invalidated by Firebase once it is used.

The following is an example of an action handler URL with parameters generated by Firebase and attached to confirmation emails:

https://xxxxx.firebaseapp.com/actionHandler.html?mode=verifyEmail&oobCode=sxMPvK72F3gNuEd4E1xkNiWaCZ6aQgP6GljIP_9LOTsAAAF8unlZmA&apiKey=AIzaSyCEH9UX_qF1KDVWEhjBfZJPvGLwnKcKLv8&lang=en

Notice the optional query parameters present in the action handler URL, such as apiKey and lang, included for convenience if you need your Firebase project's API Key and/or plan to provide localized email action handler pages.

In the view code module file actionHandler.mjs we initialize individual variables for accessing each section in the page, sectionVeriEmailEl and sectionRstPswEl, the first section element for the action handler for email address verification, and the second for the action handler for password reset.

To handle the required actions we use a switch/case statement using the "mode" variable value, to invoke either the procedures handleVerifyEmail() or handleResetPassword() with the section element and the unique action code as parameters:

const mode = getParameterByName("mode");
const actionCode = getParameterByName("oobCode");
const [sectionVeriEmailEl, sectionRstPswEl]
  = document.querySelectorAll("main>div>section");

switch (mode) {
  case "verifyEmail":
    sectionVeriEmailEl.hidden = false;
    await handleVerifyEmail( sectionVeriEmailEl, actionCode);
    break;
  case "resetPassword":
    sectionRstPswEl.hidden = false;
    await handleResetPassword( sectionRstPswEl, actionCode);
    break;
}

For getting parameter values from the URL we use the getParameterByName() function.

function getParameterByName( parameter) {
  const urlParams = new URLSearchParams( location.search);
  return urlParams.get( parameter);
}

Verify Email Address

The view code for handling email address verification is centralized in the handleVerifyEmail() procedure within the actionHandler.html file. We start by declaring variables for accessing the heading element h1 and the p element (h1El and pEL), in which we add text content to communicate the result of this action handler. Later, in a try/catch statement we use the actionCode variable value to verify if the action code is valid using the verifyPasswordResetCode() function. Although this Firebase Authentication SDK's function is not documented for use beyond validating action codes for password resetting, its use is safe in this context. Afterwards, ensuring the action code is valid, we use the applyActionCode() function with confidence. The remaining code deals with DOM operations for embedding text in the web page ,whether the email address verification is successful or failed. Notice that if the verification process fails, the error message coming from our Firebase Authentication instance is displayed in the div element reserved for handling user messages.

async function handleVerifyEmail( sectionVeriEmailEl, actionCode) {
  const h1El = document.querySelector("h1"),
    pEl = sectionVeriEmailEl.querySelector("p");
  let email = null;
  try {
    email = await verifyPasswordResetCode( auth, actionCode);
    await applyActionCode( auth, actionCode);
    h1El.textContent = "Your email address has been verified";
    const bEl = document.createElement("b");
    bEl.textContent = email;
    pEl.innerText = "Now this account can use any data management operation: ";
    pEl.appendChild( bEl);
  } catch (e) {
    h1El.textContent = "Invalid or expired link.";
    pEl.textContent = "Your email address has not been verified.";
    const divMsgEl = document.getElementById("message");
    divMsgEl.textContent = e.message;
    divMsgEl.hidden = false;
  }
}

Reset Password

Use of FirebaseUI and Firebase UI Auth

Described as a set of open-source UI libraries for Firebase, FirebaseUI is built over the Firebase SDK libraries and provides a simple way to connect UI components to Firebase databases, allowing frontend views to update in real-time as data changes on the backend. On the other hand, FirebaseUI Auth, built over of the Firebase Authentication SDK library, provides complete "drop-in" authentication patterns for mobile apps and websites that allow developers to customize easily (usually) complex UI workflows for different sign in and sign up methods, such as email and password, phone numbers, and the most popular federated identity providers like Google, Facebook, Twitter, GitHub, Apple, Microsoft, Yahoo, and others under industry standards like OAuth 2.0 and OpenID Connect.

Separating model and view in our access control handling solution

Although access control components (user accounts, roles, credentials, policies, etc.) should be defined on the model layer of an app, we have chosen to keep it on the view layer for simplicity. However, separating view code from model code in our access control handling solution is totally possible. For instance, Firebase Authentication allows to manage user accounts on the cloud, and it is feasible to add a "user" model class to instantiate "user" objects.

Extending to a role-based access control

Authentication can be extended with role based

Adding action handler for changing the accounts' primary email

Firebase also uses user authentication action handlers for changing the accounts' primary email, but we won't cover such due it is quite similar to the others covered in this tutorial.

Question 1: Access Control definition

Chose the correct options in the following statement:

Access Control consists of two components: authentication and authorization. And while _______________ aims to prove user identity in _______________ aims to provide correct access data/resources/features to _______________.

1. Authentication.
2. Authorization.
3. An authenticated user.
4. An authenticated app, device or network.

Question 2: Email Action Handlers

Which of the following statements apply to Email Action Handlers in Firestore? Select two:

1. The email action handlers provided by Firebase Authentication are email address verification, password reset, and email address change.
2. The email action handlers provided by Firebase Authentication are email address verification and password reset.
3. The templates of email action handlers are good starting points for customizing users' confirmation actions through emails but are not flexible enough for customizing the whole email message within Firebase infrastructure. This design responds to the need of evading abusive behavior, therefore full customization may be achieved using your own infrastructure.
4. The templates of email action handlers provide complete customization of users' confirmation actions through emails, with no need for your own infrastructure. This design responds to the capabilities that Firestore provides to prevent abusive behavior, therefore full customization may be achieved using only Firebase infrastructure.

Question 3: Access Control Handling Solution

According to the Access Control Handling Solution proposed in the tutorial, which features in conjunction grant or restrict access to the database management operations. Select three:

1. Firebase Authentication statuses.
2. DOM operations on the main menu.
3. Firebase Security Rules.
4. Email Action Handlers.
5. Firestore.