Firebase Auth Inivite Only Scheme : How to communicate the credentials to user?

Question

Here's my question. To access our app, the users must be invited.

This means, we use an admin web app to create the user account in Firebase and we send him an invite to download the app and use it.

Now the next phase, how can we send to the newly created user his credentials?

Our first idea was to use a temporary password. We could send the password by email to the user and ask him to redefine his password at his first logging.

His this a good idea? I guess it's not

Is there a better way?

Thanks for the help. T

Answer 1

There is no way to prevent users from authenticating with Firebase Authentication. So instead of depending on pre-creating of the accounts, you should ensure that only authorized users have access to the data.

For example, when using the Firebase Database, you could keep a list of authorized users in the database:

/authorizedEmails
  t4ncr3d3@hisdomain,com: true
  puf@hisdomain,com: true

And then you'd check the auth.email variable against this list in the database's security rules.

Instead of pre-creating the account, you could then simply email the user an invite to the app. E.g. an email with a link like http://myapp.mydomain.com/[email protected]

Then when they click the link, pre-populate the sign-up form with the email address you sent the message to and call createUserWithEmailAndPassword().