Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is there a way to restrict registrations in firebase

Tags:

Is there a way to restrict users from registering firebase email/password accounts so that new users can't sign up? I have a small app that only a few admins need to have access to(which I've manually created in the Firebase admin) and the way it's setup right now it seems like anybody could inject a little javascript and register an account.

like image 776
binaryorganic Avatar asked Feb 16 '14 18:02

binaryorganic


People also ask

How do I block someone on Firebase authentication?

If you want to build a list of "blocked users" that will be able to authenticate but will have restricted access, you can store the blocked ids in a node on your firebase database like /databaseRoot/blockedUsers and then work with the security and rules .

Can I use Firebase for authentication only?

You can use Firebase Authentication to allow users to sign in to your app using one or more sign-in methods, including email address and password sign-in, and federated identity providers such as Google Sign-in and Facebook Login.


1 Answers

Firebase Simple Login is an abstraction built on top of Firebase Custom Login for convenience. When using the email / password authentication, it's worth keeping in mind that this is just creating a mapping between that email and password, and automatically generating authentication tokens for use in your security rules.

In your specific case, if all of the "admin" users have already been created, you can achieve the behavior you're looking for through security rules. For example, if you want to only allow read / write access to your Firebase data tree to authenticated users in that list, try writing top-level read / write security rules that require that user to be in the "admins" list:

{   ".read"  : "auth != null && root.child('admins').hasChild(auth.uid)",   ".write" : "auth != null && root.child('admins').hasChild(auth.uid)" } 

Those rules above ensure that the user is authenticated (via auth != null) and require that the authenticated user's id is in the list of admins (root.child('admins').hasChild(auth.uid)).

The last step is to actually make those users admins, by writing them to the admins subtree. Let's say you have users 1, 4, and 7 to make admins, update your data tree to reflect the following:

{   ...   "admins": {     "1": true,     "4": true,     "7": true   } } 

As a result of this, even if other users are able to generate new email / password mappings using Firebase Simple Login, those mappings will have no impact on your application as it is restricted using security rules.

like image 96
Rob DiMarco Avatar answered Oct 12 '22 19:10

Rob DiMarco