Firebase Authorization control, block signup based on rules


Luca Faggianelli

Feb 26, 2019, 2:24:26 PM
to Firebase Google Group
Hi,

Is it possible to control Firebase Auth and deny signup while allowing signin? My use cases are:
  • invite-only beta programs, so only invited users can participate
  • limit number of registered users per organization/tenant, as each organization pays a fee per user
  • limit signup based on email address domain, that is, allow only company's emails and avoid generic gmail, yahoo, etc. emails
Currently my workaround is to act on Firestore, setting a "validUser" flag, or to disable the user via the Admin SDK. Any idea? Basically I want to avoid that accounts are created, rather than letting the account be created and then blocking it. Is there a mechanism like Firestore rules, or the possibility to block a signup by triggering a cloud function and "return false", or to delete the account immediately?

Thanks
Luca

Kiana McNellis

Feb 26, 2019, 6:04:36 PM
to fireba...@googlegroups.com
Unfortunately there isn't currently a way to deny signup while allowing signin. One common approach is to use a system like yours (custom claims set through the Admin SDK) for security, and couple that with removing any UI links to signup.

You can also set up an HTTP Cloud Function running the Admin SDK to screen incoming users. If they meet your criteria, use the Admin SDK to create an account for them (and set the custom claims token).

The alternative, though slightly more involved, approach is to use custom auth.  If you have a database of users, you can use the admin SDK to mint tokens that the user can exchange for a firebase auth token.

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/eb7ff526-bd35-4ebf-aa1a-a56c5ce06db5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Luca Faggianelli

Feb 27, 2019, 10:59:31 AM
to fireba...@googlegroups.com
Thank you Kiana, currently custom auth is not a viable option for me. I saw that the disabled field exists in the user object; is it meant to disable login entirely, that is, if the user tries to log in he can't, and he also appears as not logged in in Firestore rules, etc.?


Kato Richardson

Feb 27, 2019, 11:39:29 AM
to Firebase Google Group
It's worth noting that creating an Auth account just assigns a unique UID to a user. It doesn't authorize any access on their behalf and is not a "registration" process. Registration is a highly proprietary workflow and not something Firebase can really simplify on your behalf, so you'll have to decide how to go about whitelisting accounts.

You probably just want to store a whitelist of registered users in your database or add a boolean to their database profiles, and then reference that in your security rules. Or alternately, add a custom claim onto the auth token itself.

☼, Kato

--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398
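The two approaches above (Kiana's HTTP Cloud Function that screens users and creates the account through the Admin SDK, and Kato's allowlist-plus-custom-claim) share the same screening logic, so here is one added example covering both. It is not code from the thread, from Firebase or from any of the posters. The policy (allowed domains, an invite map, per-tenant seat limits), the tenant names, the sample e-mails and the in-memory stand-ins for Firestore and for `admin.auth()` are all constructed for the example so that it runs offline; the deployed wiring to `firebase-functions` is shown in a comment and is assumed, not executed.

```javascript
// Added example, not code from the thread or from Firebase. Screening logic for
// an HTTP signup endpoint (create only after checks pass) and for an Auth
// onCreate trigger (re-screen accounts created some other way, then stamp a
// custom claim or delete at once). policy, tenants, e-mails, MemoryStore and
// FakeAuth are constructed stand-ins so the code runs offline.

const policy = {
  allowedDomains: ["example.com", "example.org"],              // company domains only
  invites: new Map([["contractor@gmail.com", "example.com"]]), // invite-only exceptions: email -> tenant
  seatLimits: { "example.com": 2 },                            // paid seats per tenant; absent = unlimited
};

function normaliseEmail(email) {
  return String(email || "").trim().toLowerCase();
}

// Pure decision, no SDK calls. Returns {ok: true, tenant} or {ok: false, reason}.
function screenSignup(rawEmail, policy, store) {
  const email = normaliseEmail(rawEmail);
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) return { ok: false, reason: "malformed-email" };
  const domain = email.slice(email.lastIndexOf("@") + 1);
  const tenant = policy.invites.get(email) || (policy.allowedDomains.includes(domain) ? domain : null);
  if (!tenant) return { ok: false, reason: "domain-not-allowed" };
  const limit = policy.seatLimits[tenant];
  if (limit !== undefined && store.seatCount(tenant) >= limit) return { ok: false, reason: "tenant-full" };
  return { ok: true, tenant };
}

// Body of the HTTP Cloud Function: the account is created only after screening.
// The endpoint itself still needs protection (App Check, a shared secret, rate
// limiting), because anything reachable over HTTP can be called by anyone.
async function createScreenedUser(body, policy, store, auth) {
  const verdict = screenSignup(body.email, policy, store);
  if (!verdict.ok) return { status: 403, reason: verdict.reason };
  const user = await auth.createUser({ email: normaliseEmail(body.email), password: body.password });
  // Custom claims ride inside the ID token, so rules can require
  // request.auth.token.approved == true instead of trusting that a UID exists.
  await auth.setCustomUserClaims(user.uid, { approved: true, tenant: verdict.tenant });
  store.addSeat(user.uid, verdict.tenant);
  return { status: 201, uid: user.uid, tenant: verdict.tenant };
}

// Body of the Auth onCreate trigger. It also fires for accounts the HTTP path
// created, so a uid that already holds a seat is left alone.
async function onUserCreated(user, policy, store, auth) {
  if (store.hasSeat(user.uid)) return { deleted: false, tenant: store.tenantOf(user.uid) };
  const verdict = screenSignup(user.email, policy, store);
  if (!verdict.ok) {
    await auth.deleteUser(user.uid); // not invited, wrong domain or tenant full: remove immediately
    return { deleted: true, reason: verdict.reason };
  }
  await auth.setCustomUserClaims(user.uid, { approved: true, tenant: verdict.tenant });
  store.addSeat(user.uid, verdict.tenant);
  return { deleted: false, tenant: verdict.tenant };
}

// Constructed stand-in for a Firestore "seats" collection (uid -> tenant).
class MemoryStore {
  constructor() { this.seats = new Map(); }
  seatCount(tenant) { return [...this.seats.values()].filter((t) => t === tenant).length; }
  hasSeat(uid) { return this.seats.has(uid); }
  tenantOf(uid) { return this.seats.get(uid); }
  addSeat(uid, tenant) { this.seats.set(uid, tenant); }
}

// Constructed stand-in for admin.auth(): only the three calls used above.
class FakeAuth {
  constructor() { this.users = new Map(); this.claims = new Map(); this.nextId = 1; }
  async createUser({ email }) {
    const uid = `uid${this.nextId++}`;
    this.users.set(uid, { uid, email });
    return { uid, email };
  }
  async setCustomUserClaims(uid, claims) { this.claims.set(uid, claims); }
  async deleteUser(uid) { this.users.delete(uid); this.claims.delete(uid); }
}

// Deployed wiring (assumed, not executed here):
//   const admin = require("firebase-admin"); admin.initializeApp();
//   const functions = require("firebase-functions");
//   exports.signup = functions.https.onRequest(async (req, res) => {
//     const r = await createScreenedUser(req.body, policy, firestoreStore, admin.auth());
//     res.status(r.status).json(r);
//   });
//   exports.vetNewUser = functions.auth.user().onCreate(
//     (user) => onUserCreated(user, policy, firestoreStore, admin.auth()));

// Walk-through on constructed input: two seats fill up, the third and the
// yahoo address are refused, and a Google sign-in that bypassed the HTTP path
// is deleted by the trigger.
async function demo() {
  const store = new MemoryStore(), auth = new FakeAuth();
  const results = [];
  for (const email of ["alice@example.com", "bob@example.com", "carol@example.com", "mallory@yahoo.com"]) {
    results.push(await createScreenedUser({ email, password: "pw" }, policy, store, auth));
  }
  results.push(await onUserCreated({ uid: "google-1", email: "eve@gmail.com" }, policy, store, auth));
  return results;
}
```

Two caveats a practitioner should keep in mind with the trigger path: `onCreate` runs asynchronously after the client has already signed in, so the client holds an ID token without the `approved` claim until it refreshes (`getIdToken(true)` on the client forces that), and rules must deny until the claim is present; and deleting or disabling an account does not revoke an ID token the client already obtained, which stays valid until it expires (Firebase ID tokens live one hour). This is exactly Kato's point: gate access on the claim or the allowlist, never on the mere existence of a UID.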
