Menu
I have a question regarding firebase authentication. Actully I am making a dashboard for my company, and I will host it in firebase. I want to restrict the email authentication only to my comany domain (ex: cat.com). But I went through the stackoverflow answers and I found I can impose rule in database. But the issue is that I will be calling external databases to fetcj data using Firebase Function and serve it to website(dashboard). So no domain specific rule will apply there. Below is the outline of my dashboard architecture
How can I achieve this? I want people having "[email protected]" will be able to autheticate and view dashboard data
531
To customize your Firebase project's email action handler, you must create and host a web page that uses the Firebase JavaScript SDK to verify the request's validity and complete the request. Then, you must customize your Firebase project's email templates to link to your custom action handler.
If you haven't yet connected your app to your Firebase project, do so from the Firebase console. Enable Email/Password sign-in: In the Firebase console, open the Auth section. On the Sign in method tab, enable the Email/password sign-in method and click Save.
Firebase's Google Login is built on top normal Google Logins + a lot of automation.A Among these is when the part when they create a new OAuth 2.0 Client in GCP. This would be named Web client (auto created by Google Service)
This client is auto-linked to OAuth Consent Screen where you can mention your App's Display Name and limit it to users in your organization with a Google account
The easiest method is to immediately immediately check for organization email via firebase background auth trigger onCreate as mentioned in Ben's answer. If the account does not belong to your organization - delete it immediately.
This would tho for a brief moment give access to your system to the malicious user. To further protect, you can set custom claim to your organization user (when they register - in firebase function) & make sure every request to firestore/real time database has those custom claim checked. Similarly you can check for custom claim in firebase function before making call to your database
152
Case 1: The user has already created their account, and you want to restrict one cloud function to specific email addresses.
You can get the user info associated with the cloud function call, and check their email. You can then call the external database if they have the correct email domain. You should also do some UI changes so the user doesn't just get errors if they don't have @cat.com.
Case 2: Restrict all users in your Firebase project to emails containing @cat.com?
If so, you can't restrict the emails directly in firebase authentication, so you'd have to stick user registration code behind a cloud function, creating user accounts there. You can then check their email when they try to register.
You can do this with the Firebase Admin SDK in a cloud function. docs
admin.auth().createUser({
email: '[email protected]',
emailVerified: false,
phoneNumber: '+11234567890',
password: 'secretPassword',
displayName: 'John Doe',
photoURL: 'http://www.example.com/12345678/photo.png',
disabled: false
})
.then(function(userRecord) {
// See the UserRecord reference doc for the contents of userRecord.
console.log('Successfully created new user:', userRecord.uid);
})
.catch(function(error) {
console.log('Error creating new user:', error);
});
The client will call the cloud function with their desired email and password, and before calling this .createUser, and you can check for the correct email before creating the user with "[email protected]".toLowerCase().endsWith("cat.com").
Alternatively, you can set a custom claim for users as mentioned by @frunkad: Give extra permissions to users who register with "@cat.com" emails, and this is shown here: Defining roles via Firebase Functions on user creation. However, in OP's case, only users with "@cat.com" should be able to register, so custom claims are over-complicating the issue.
Also, using email domain as a form of access control doesn't sound like a good idea. During the account creation process, you manually add access to the user's document based on the email. What happens when you want to give someone an email but don't want to give them access to the database?
29
In your firebase security rules just paste this
this works for me and I am able to restrict logged in Google user to my org domain
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth.token.email.matches('.*@domain[.]com');
}
}
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
