How to restrict email domains in Firebase Authentication

I have a question regarding Firebase Authentication. Actually, I am making a dashboard for my company, and I will host it in Firebase. I want to restrict the email authentication to my company domain only (ex: cat.com). I went through the Stack Overflow answers and found that I can impose a rule in the database. But the issue is that I will be calling external databases to fetch data using a Firebase Function and serving it to the website (dashboard), so no domain-specific rule will apply there. Below is the outline of my dashboard architecture:

[image: outline of the dashboard architecture]

How can I achieve this? I want people with a "[email protected]" address to be able to authenticate and view the dashboard data.

Void95 asked Jul 19 '20 07:07


3 Answers

If your company uses GSuite & logins via 'Login With Google'

Firebase's Google Login is built on top of normal Google Logins + a lot of automation. Among these is the part where they create a new OAuth 2.0 Client in GCP. This would be named Web client (auto created by Google Service).

Web Client

This client is auto-linked to OAuth Consent Screen where you can mention your App's Display Name and limit it to users in your organization with a Google account

[image: OAuth consent screen settings]

If your company uses Email & Password login

The easiest method is to immediately check for the organization email via the Firebase background auth trigger onCreate, as mentioned in Ben's answer. If the account does not belong to your organization, delete it immediately.

This would, though, for a brief moment give the malicious user access to your system. To further protect it, you can set a custom claim for your organization's users (when they register, in a Firebase function) & make sure every request to Firestore/Realtime Database has that custom claim checked. Similarly, you can check for the custom claim in the Firebase function before making the call to your database.

frunkad answered Jan 03 '23 15:01


Case 1: The user has already created their account, and you want to restrict one cloud function to specific email addresses.

You can get the user info associated with the cloud function call, and check their email. You can then call the external database if they have the correct email domain. You should also do some UI changes so the user doesn't just get errors if they don't have @cat.com.


Case 2: Restrict all users in your Firebase project to emails containing @cat.com?

If so, you can't restrict the emails directly in firebase authentication, so you'd have to stick user registration code behind a cloud function, creating user accounts there. You can then check their email when they try to register.

You can do this with the Firebase Admin SDK in a cloud function. docs

// Firebase Admin SDK, running server-side inside a Cloud Function.
const admin = require('firebase-admin');
admin.initializeApp();

// Create the account with the Admin SDK; the email check happens before this call.
admin.auth().createUser({
  email: '[email protected]',
  emailVerified: false,
  phoneNumber: '+11234567890',
  password: 'secretPassword',
  displayName: 'John Doe',
  photoURL: 'http://www.example.com/12345678/photo.png',
  disabled: false
})
  .then(function(userRecord) {
    // See the UserRecord reference doc for the contents of userRecord.
    console.log('Successfully created new user:', userRecord.uid);
  })
  .catch(function(error) {
    console.log('Error creating new user:', error);
  });

The client will call the cloud function with their desired email and password, and before calling .createUser you can check for the correct email with "[email protected]".toLowerCase().endsWith("cat.com").


Alternatively, you can set a custom claim for users as mentioned by @frunkad: Give extra permissions to users who register with "@cat.com" emails, and this is shown here: Defining roles via Firebase Functions on user creation. However, in OP's case, only users with "@cat.com" should be able to register, so custom claims are over-complicating the issue.

Also, using email domain as a form of access control doesn't sound like a good idea. During the account creation process, you manually add access to the user's document based on the email. What happens when you want to give someone an email but don't want to give them access to the database?

Ben Butterworth answered Jan 03 '23 14:01
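The checks described in frunkad's and Ben Butterworth's answers, as an added example that is not code from either answer or from Firebase: an exact-domain test (rather than endsWith), the registration-side refusal, and the onCreate clean-up that sets a custom claim. The org domain cat.com comes from the question; the `auth` argument stands in for admin.auth(), and fakeAuth is an assumed in-memory stand-in so the code runs without firebase-admin (in a deployed function you would wrap onUserCreated in functions.auth.user().onCreate and pass admin.auth()).

```javascript
// Added example, not from the answers: domain gate for Firebase sign-up.
// ALLOWED_DOMAINS uses the org domain from the question (assumption).
const ALLOWED_DOMAINS = new Set(['cat.com']);

// Exact-domain check. endsWith('cat.com') would also accept
// 'alice@notcat.com'; comparing the part after the last '@' does not.
function isOrgEmail(email) {
  if (typeof email !== 'string') return false;
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return false;
  return ALLOWED_DOMAINS.has(email.slice(at + 1).trim().toLowerCase());
}

// Case 2 (Ben's answer): registration runs through a callable function
// that refuses non-org addresses before createUser and tags the rest.
async function registerUser(auth, { email, password }) {
  if (!isOrgEmail(email)) {
    throw new Error('registration is limited to organisation addresses');
  }
  const record = await auth.createUser({ email, password, emailVerified: false });
  await auth.setCustomUserClaims(record.uid, { org: true }); // read by rules later
  return record;
}

// frunkad's answer: auth onCreate trigger body. Deletes accounts that arrived
// via another provider (e.g. Google sign-in) and sets the claim on org users.
async function onUserCreated(auth, user) {
  if (!isOrgEmail(user.email)) {
    await auth.deleteUser(user.uid);
    return { deleted: true };
  }
  await auth.setCustomUserClaims(user.uid, { org: true });
  return { deleted: false };
}

// Assumed in-memory stand-in for admin.auth() so this runs offline.
function fakeAuth() {
  const users = new Map();
  let next = 1;
  return {
    users,
    async createUser(props) {
      const uid = `uid${next++}`;
      users.set(uid, { uid, ...props, customClaims: {} });
      return users.get(uid);
    },
    async setCustomUserClaims(uid, claims) { users.get(uid).customClaims = claims; },
    async deleteUser(uid) { users.delete(uid); },
  };
}
```

Firestore rules can then require `request.auth.token.org == true` instead of matching the email string, and the function serving the external database can check the same claim on the verified ID token.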


In your Firebase security rules, just paste this:

This works for me, and I am able to restrict the logged-in Google user to my org domain.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth.token.email.matches('.*@domain[.]com');
    }
  }
}

HimalayanCoder answered Jan 03 '23 15:01