Invite only scenario with multiple auth providers


Naresh Bhatia

Jul 17, 2016, 1:02:57 PM
to Firebase Google Group
I have a Firebase authentication + Realtime Database use case where I would like to register people by invitation only. The initial user creation will be by Email & Password. The users will be invited by sending them an email which includes their password. At this point users can log in using their email & password. However, I would like to give them an option to log in using a provider and link this account to their email/password account. Firebase makes this very easy. However, my issue is that as soon as I open up provider authentication, anyone can register themselves using their provider credentials and access data that is visible to invite-only users. How can this be prevented? Is there a better workflow for this scenario?

Jacob Wenger

Jul 17, 2016, 9:51:01 PM
to fireba...@googlegroups.com
Hey Naresh,

You cannot prevent user creation, but you can prevent a created user from accessing resources like the Realtime Database or Storage using Security Rules. For example, you could have /invites and /redeemed nodes in your Realtime Database keyed by email addresses and then write a rule which prevents accessing another node unless the currently signed-in user has redeemed their invite and is in the /redeemed list. You can read more about Security Rules here: Realtime Database and Storage.

Cheers,
Jacob
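
One way to write the rules described in the reply above, as an added example that is not part of the original post or of Firebase's documentation. The `members` node, the key encoding (lowercased email with "." replaced by ",") and the server-side writing of `/invites` are assumptions; the comments rely on the Realtime Database rules file accepting `//` comments.

```json
{
  "rules": {
    // Constructed layout: keys under /invites and /redeemed are the lowercased
    // email with "." replaced by ",", because database keys cannot contain ".".
    "invites": {
      // Assumption: invites are written only by a privileged server process
      // that bypasses these rules; clients can neither list nor edit them.
      ".read": false,
      ".write": false
    },
    "redeemed": {
      "$emailKey": {
        // A signed-in user may read only the entry for their own verified email.
        ".read": "auth != null && auth.token.email_verified == true && $emailKey == auth.token.email.toLowerCase().replace('.', ',')",
        // Redeem once: an invite must exist for this email and no entry may exist yet.
        ".write": "auth != null && auth.token.email_verified == true && $emailKey == auth.token.email.toLowerCase().replace('.', ',') && root.child('invites').child($emailKey).exists() && !data.exists()",
        // The stored value binds the redeemed invite to the redeeming account's uid.
        ".validate": "newData.val() == auth.uid"
      }
    },
    // "members" is a hypothetical name for the invite-only data.
    "members": {
      // Any account can be created, but only one whose verified email has a
      // redeemed invite bound to its own uid gets through.
      ".read": "auth != null && auth.token.email_verified == true && root.child('redeemed').child(auth.token.email.toLowerCase().replace('.', ',')).val() == auth.uid",
      ".write": "auth != null && auth.token.email_verified == true && root.child('redeemed').child(auth.token.email.toLowerCase().replace('.', ',')).val() == auth.uid"
    }
  }
}
```

Because a linked provider shares the uid of the email/password account, the uid stored at redemption keeps matching whichever sign-in method is used afterwards. Without the `email_verified` condition, an account holding an unverified address would be matched by email alone.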

Naresh Bhatia

Jul 18, 2016, 11:03:17 AM
to Firebase Google Group
This is perfect, Jacob! Thanks for taking the time to answer my question.

Naresh