List Realm users

I would like to query the Realm server for users, similar to what Realm Studio shows after you connect to the server and press the “Users” button at the top.

How can I get the same data?
ProviderID
User ID
Role
Realms
Status

Regards

Which version of the SDK are you using? And which server are you talking about - is this the legacy cloud (cloud.realm.io) or MongoDB Realm (realm.mongodb.com)?

This is the legacy, cloud.realm.io.
I’m using the .NET NuGet package:
Realm 5.0.1

Studio reads the /__admin Realm to extract that information. It is a system Realm, so you’ll need an admin user to inspect it. It’s also highly recommended that you don’t make any modifications to it, or you can prevent the server from starting. To inspect the schema and/or export model classes, you can open it in Studio by unchecking the “Hide system Realms” option.

How would I query the list of Users using the new MongoDB Realm solution?

This is not possible with MongoDB Realm. If you do need to expose a list of users, what you can do is register an authentication trigger and create a document representing the user.

@Daniel_Smith There is an admin API you can leverage to list all the users -
https://docs.mongodb.com/realm/admin/api/v3#users-apis

But depending on what you want to do with it, i.e. if you want to display users to another user, then you should create a collection in MongoDB for your client SDKs to query, as Nikola described.

We let our Realm users register with a phone number and password.
So the phone number would be stored in “providerid” in Account in __admin.
And the id of the realm would be “userid” in User in __admin?
If the above is the correct way to do it, I’m not sure how the relationships are in realm __admin.

We would simply like to query Realm somehow to find out which realm a specific user has as his/her personal realm.

So input would be: 004627292023
output would be:
239h282-2d232323-d23d2… (uuid for the user)
With the uuid we can find the correct realm to open and look for more data related to the user.

I have a couple of use cases:

  1. When a user attempts to log in, the SDK response does not seem to distinguish between User not found and Invalid password, so ideally, if my app knows the user does not exist, I can navigate to the Sign Up flow or Incorrect password flow.

  2. I want to use an SMS code for Forgot Password functionality, so the user supplies an email address during registration, so they also supply the email to initiate the forgot password flow… I need to look up the user and get the phone number to send the SMS code for reset.

I have stored the phone number and, redundantly, the email address as User Custom Data to solve #2, and it is working. I solve #1 by calling a function if login fails and looking up the user by email address against User Custom Data; if I find a match, then I assume it was an invalid password.

So I have workarounds, but it does not “feel” very clean.

The reason 1. behaves as it does is to avoid leaking user registration data to potential attackers. Differentiating between “account does not exist” and “account exists, but password is incorrect” is valuable information for a hacker who can try to enumerate registered accounts using data dumps, then try to brute force well-known passwords against these accounts. It’s not a major roadblock by any means, but it’s making their job a little bit harder.

The workarounds are reasonable, although you have to weigh the risks vs the benefits of the UX you choose for sign up.

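The enumeration concern in the last reply applies equally to the forgot-password lookup from use case 2. As an added example (not from any poster in this thread and not Realm SDK code), here is a server-side reset flow that answers identically for registered and unregistered addresses, next to the leaky lookup it replaces. The in-memory stores, function names and sample user are assumptions constructed for illustration.

```javascript
// Added example: constructed data and hypothetical names, not Realm SDK code.
const nodeCrypto = require("node:crypto");

// Constructed stand-in for the "User Custom Data" collection in the thread.
const customData = new Map([["alice@example.com", { phone: "+15550100" }]]);
const smsOutbox = [];          // stand-in for an SMS gateway
const resetCodes = new Map();  // email -> { hash, expires }

const GENERIC = Object.freeze({
  ok: true,
  message: "If that account exists, a reset code has been sent.",
});
const norm = (email) => email.trim().toLowerCase();
const sha256 = (s) => nodeCrypto.createHash("sha256").update(String(s)).digest();

// Leaky pattern: a client-callable lookup tells any caller whether an
// address is registered, which undoes the uniform login error.
function userExistsLeaky(email) {
  return customData.has(norm(email));
}

// Uniform pattern: lookup and SMS happen server-side; the caller gets the
// same response whether or not the account exists.
function requestPasswordReset(email, now = Date.now()) {
  const user = customData.get(norm(email));
  if (user) {
    const code = String(nodeCrypto.randomInt(0, 1000000)).padStart(6, "0");
    // Store only a hash of the code, with a 10-minute lifetime.
    resetCodes.set(norm(email), { hash: sha256(code), expires: now + 600000 });
    smsOutbox.push({ to: user.phone, body: `Your reset code is ${code}` });
  }
  return GENERIC;
}

// Unknown account, wrong code and expired code all fail the same way.
function confirmReset(email, code, now = Date.now()) {
  const entry = resetCodes.get(norm(email));
  const want = entry ? entry.hash : Buffer.alloc(32); // dummy keeps work equal
  const match = nodeCrypto.timingSafeEqual(sha256(code), want);
  const valid = Boolean(entry) && match && now <= entry.expires;
  if (valid) resetCodes.delete(norm(email)); // codes are single-use
  return valid;
}
```

A real deployment would also rate-limit both calls and cap the number of attempts per code, since a six-digit code is short.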