Auth providers
StarrBase uses Firebase Authentication with email/password and OAuth providers. Phone and social auth are routed through the same profile-consent write path.
Token verification
Server endpoints that perform privileged operations verify Firebase ID tokens server-side before writes. Client role assumptions are never accepted without verification.
Authorization: Bearer <firebase-id-token>
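The guard described above, as an added example (Node/Express style; not StarrBase's own code): it parses the `Authorization: Bearer <firebase-id-token>` header, verifies the token server-side before the privileged handler runs, and then takes the role from the persisted profile document, ignoring anything the client asserts in the request body. The verifier and profile loader are injected so the file runs offline; the firebase-admin wiring shown in the comments (`admin.auth().verifyIdToken`, a `profiles` collection) is an assumption about deployment, and the sample tokens and profiles are constructed.

```javascript
// Added example, not StarrBase's own code. verifyIdToken and loadProfile are
// injected so this runs without Firebase credentials. Assumed production wiring
// with firebase-admin:
//   (token) => admin.auth().verifyIdToken(token, true)   // checkRevoked = true
//   (uid)   => db.collection('profiles').doc(uid).get().then(s => s.data())

// Parse "Authorization: Bearer <firebase-id-token>"; returns the token or null.
function extractBearerToken(authorizationHeader) {
  if (typeof authorizationHeader !== 'string') return null;
  // Firebase ID tokens are JWTs: base64url segments joined by dots.
  const match = /^Bearer\s+([A-Za-z0-9\-_.]+)$/i.exec(authorizationHeader.trim());
  return match ? match[1] : null;
}

// Middleware: reject unless the token verifies; attaches req.user on success.
function requireVerifiedUser(verifyIdToken) {
  return async (req, res, next) => {
    const token = extractBearerToken(req.headers.authorization);
    if (!token) {
      res.status(401).json({ error: 'missing bearer token' });
      return;
    }
    try {
      const decoded = await verifyIdToken(token);
      req.user = { uid: decoded.uid, claims: decoded };
      next();
    } catch (_err) {
      // Expired, malformed, revoked or forged tokens all land here.
      res.status(401).json({ error: 'invalid or expired token' });
    }
  };
}

// Middleware: require a role from the persisted profile document (the source
// of truth). A role claimed in req.body or the query string is never consulted.
function requireRole(loadProfile, role) {
  return async (req, res, next) => {
    const profile = await loadProfile(req.user.uid);
    if (!profile || profile.role !== role) {
      res.status(403).json({ error: `role ${role} required` });
      return;
    }
    req.profile = profile;
    next();
  };
}

// Minimal response stand-in so the chain can be exercised without Express.
function fakeResponse() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Run middlewares in order; resolves to true if the handler would be reached.
async function runChain(middlewares, req, res) {
  for (const mw of middlewares) {
    let passed = false;
    await mw(req, res, () => { passed = true; });
    if (!passed) return false; // middleware already ended the response
  }
  return true;
}

// Decide whether a privileged request with these headers reaches the handler.
async function guardedRequest(verifyIdToken, loadProfile, headers, role) {
  // The body claims "artist"; the guard must ignore it.
  const req = { headers, user: null, body: { role: 'artist' } };
  const res = fakeResponse();
  const chain = [requireVerifiedUser(verifyIdToken), requireRole(loadProfile, role)];
  const reached = await runChain(chain, req, res);
  return { reached, status: reached ? 200 : res.statusCode };
}

// Constructed stand-ins for the injected dependencies (not real Firebase data).
const fakeVerifyIdToken = async (token) => {
  if (token === 'valid-artist') return { uid: 'u-artist', firebase: { sign_in_provider: 'password' } };
  if (token === 'valid-fan') return { uid: 'u-fan', firebase: { sign_in_provider: 'google.com' } };
  throw new Error('auth/argument-error');
};
const fakeProfiles = { 'u-artist': { role: 'artist' }, 'u-fan': { role: 'fan' } };
const fakeLoadProfile = async (uid) => fakeProfiles[uid] || null;
```

With the fakes, a `valid-artist` token reaches an artist-only handler, a `valid-fan` token is refused with 403, and a forged or missing token is refused with 401 before any profile lookup happens. Passing `checkRevoked = true` to `verifyIdToken` costs one extra lookup per request but makes sign-out and credential revocation take effect immediately for privileged writes.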
Role model
- fan: default profile role.
- artist: artist dashboard and payout flows.
Role and profile documents are persisted in Firestore and should be treated as the source of truth for route-level behavior.
Anonymous EPK draft flow
- Anonymous users are draft containers only.
- Drafts are stored under drafts/{uid}.
- Migration runs only after non-anonymous auth with confirmed artist role.
Profile provisioning contract
Post-auth provisioning must merge profile fields and never overwrite existing role ownership. Consent writes use merge semantics.
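The draft-migration gate and the provisioning contract from the two sections above, as one added example (not StarrBase's own code). The helpers are pure so the rules can be unit-tested; the Firestore write itself (`set(fields, { merge: true })`) is left out. The `firebase.sign_in_provider` claim is what firebase-admin exposes on a decoded ID token; the profile field names (`role`, `consent`, `displayName`) and the `fan` default are taken from this page or assumed for illustration.

```javascript
// Added example, not StarrBase's own code. Firestore I/O is omitted; the
// intended write for the returned fields is profileRef.set(fields, { merge: true }).
// Field names other than role/consent are assumptions for illustration.

// firebase-admin reports the sign-in method at decoded.firebase.sign_in_provider;
// anonymous sessions report 'anonymous'. Treat a missing claim as anonymous.
function isAnonymousSession(decoded) {
  return !decoded || !decoded.firebase || decoded.firebase.sign_in_provider === 'anonymous';
}

// Firestore path of an anonymous user's draft container: drafts/{uid}.
function draftPath(uid) {
  if (typeof uid !== 'string' || uid.length === 0 || uid.includes('/')) {
    throw new Error('invalid uid for draft path');
  }
  return `drafts/${uid}`;
}

// Migration out of drafts/{uid} runs only when the session is non-anonymous
// AND the persisted profile document (source of truth) confirms the artist role.
function canMigrateDraft(decoded, profileDoc) {
  if (isAnonymousSession(decoded)) return false;
  return !!profileDoc && profileDoc.role === 'artist';
}

// Post-auth provisioning: compute the merge payload against an existing profile.
// - ordinary fields are added or updated;
// - consent is merged key by key, never replaced wholesale;
// - role is never taken from the incoming payload: an existing role is kept,
//   and a brand-new profile gets the default role 'fan'.
function buildProvisioningMerge(existing, incoming) {
  const current = existing || {};
  const fields = {};
  for (const [key, value] of Object.entries(incoming || {})) {
    if (key === 'role') continue; // client-side role assumptions are not accepted
    if (key === 'consent') {
      fields.consent = { ...(current.consent || {}), ...(value || {}) };
      continue;
    }
    fields[key] = value;
  }
  if (current.role === undefined) fields.role = 'fan'; // first provisioning only
  return fields;
}

// What the profile looks like after the merge write (top-level merge; consent
// was already merged above).
function applyMerge(existing, fields) {
  return { ...(existing || {}), ...fields };
}
```

Running `buildProvisioningMerge` on an existing artist profile with a payload that claims `role: 'fan'` yields fields without a `role` key, so the merge write cannot demote (or promote) the account; only the ordinary fields and the consent map are touched.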