Restrict Firebase Auth to only existing users
2,119 views
Skip to first unread message
Lexi Viripaeff
Jun 26, 2018, 12:03:46 AM6/26/18
to Firebase Google Group
Hi all,
Apologies if this has been asked before, but I haven't found a clear answer.
I only want Firebase to authenticate if the user already exists in the authentication table.
Use case is this: I want to be able to manage my users from the firebase command line, and prevent anyone that I don't add from logging in. I also want to use Google OAuth.
I know I can disable a user once they've logged in and prevent Google OAuth from logging in, so it seems like I should be able to make this the default. Having to make a callback to check a database table, or rolling a custom auth seems way overkill, (and makes unwanted requests).
Thanks!
Kato Richardson
Jun 26, 2018, 12:50:30 PM6/26/18
to Firebase Google Group
Hi Lexi,
Firebase Authentication doesn't grant access to anything and isn't an account management tool. It just converts verified credentials (unique OAuth, email/password, phone number, et al) into a unique user id for Firebase. So if you want to restrict this to "existing users" then you should define those somewhere (e.g. Realtime Database or Firestore) and then restrict access in your security rules based on those settings.
☼, Kato
--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/42a7d112-2553-453b-b59a-6f16f1e5a5b5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Samuel Stern
Jun 26, 2018, 5:04:42 PM6/26/18
to fireba...@googlegroups.com
Hi Lexi,
If you're building a mobile app, consider using FirebaseUI:
There is an option to restrict email/password accounts to existing users only. Note that this is a UI feature only and it would not prevent a determined attacker from getting around this restriction, but it may be good enough for your situation!
- Sam
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/CADypTEap_oR88xRH1J2ya9hJgW0txrf%3DOkuGgtOnb4Zp18A_7Q%40mail.gmail.com.
Lexi Viripaeff
Jun 26, 2018, 9:01:42 PM6/26/18
to Firebase Google Group
Thanks for answering!
I can disable a user in the Firebase Authentication UI that will prevent the user from being able to log in regardless of what is in my Realtime Database (which I have no need for currently). Since I can manage users this way, as well as the ability to add custom claims for permissions, I would say that Firebase Auth does provide user management. In fact, the docs even have a section in Firebase Auth called "Manage Users" https://firebase.google.com/docs/auth/web/manage-users, all I want is the "disable" user option to be the default and selectively enable users. Just the inverse of the current functionality.
Is there a roadmap item for this or is there a place to file a ticket against this?
Reply all
Reply to author
Forward
0 new messages