24

Is there a way to restrict users from registering firebase email/password accounts so that new users can't sign up? I have a small app that only a few admins need to have access to (which I've manually created in the Firebase admin) and the way it's set up right now it seems like anybody could inject a little javascript and register an account.

binaryorganic
  • This has been [asked and answered previously](http://stackoverflow.com/questions/17719703/how-do-i-restrict-signup-to-a-product-in-firebase). In short: use custom login or simply prevent read/write to accounts you don't authorize. – Kato Feb 17 '14 at 16:50

3 Answers

38

Firebase Simple Login is an abstraction built on top of Firebase Custom Login for convenience. When using the email / password authentication, it's worth keeping in mind that this is just creating a mapping between that email and password, and automatically generating authentication tokens for use in your security rules.

In your specific case, if all of the "admin" users have already been created, you can achieve the behavior you're looking for through security rules. For example, if you want to only allow read / write access to your Firebase data tree to authenticated users in that list, try writing top-level read / write security rules that require that user to be in the "admins" list:

{
  ".read"  : "auth != null && root.child('admins').hasChild(auth.uid)",
  ".write" : "auth != null && root.child('admins').hasChild(auth.uid)"
}

Those rules above ensure that the user is authenticated (via auth != null) and require that the authenticated user's id is in the list of admins (root.child('admins').hasChild(auth.uid)).

The last step is to actually make those users admins, by writing them to the admins subtree. Let's say you want to make users 1, 4, and 7 admins; update your data tree to reflect the following:

{
  ...
  "admins": {
    "1": true,
    "4": true,
    "7": true
  }
}

As a result of this, even if other users are able to generate new email / password mappings using Firebase Simple Login, those mappings will have no impact on your application as it is restricted using security rules.

Rob DiMarco
  • I'm trying to write "root.child('admins').hasChild(auth.uid)" in Bolt. I would assume it would be "root.admins.uid != null" but it gets transformed into "root.child('admins').child('uid').val() != null" and then it does not work =( – Anders Jan 31 '16 at 00:22
  • root.admins[auth.uid] != null – mckoss Feb 01 '16 at 02:59
  • While this would work in that new users are not allowed to read/write, it still doesn't prevent someone from creating dummy accounts on your system, right? – A Paracha May 29 '16 at 16:54
  • This does not answer the question. You NEED to DISABLE registration, similar to disabling registration in auth0 – polRk Apr 29 '20 at 07:46
  • Yes, this is a great workaround for disabling user registration. – Anurag Nov 25 '20 at 01:26
16

@RobDiMarco provided a great answer, but it has a flaw.

The rule root.child('admins').hasChild(auth.uid) will pass in case auth.uid is an empty string.

You can test this in the Firebase Database Security Simulator by clearing out the uid field ({ "provider": "anonymous", "uid": ""}).

[Screenshot: Simulation results]

This rule root.child('admins').child(auth.uid).val() === true will not pass with an empty uid.

ioi0
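The two rule expressions above (Rob DiMarco's `hasChild(auth.uid)` and ioi0's `child(auth.uid).val() === true`) differ only on one input, so it is worth seeing both evaluated over the same data tree and the same set of auth contexts. The block below is an added example, not code from either answer or from Firebase: it models the `RuleDataSnapshot` methods used by the rules (`child`, `hasChild`, `val`, `exists`) in plain JavaScript, under the assumption that an empty path resolves to the node itself, which is what the simulator result described in the answer implies. The data tree, the `secrets` node and the four auth contexts are constructed sample input.

```javascript
// Added example: evaluate the two admin-check rules from this thread against a
// constructed data tree. This is a plain-JS model of the rules snapshot API, not
// Firebase's own evaluator.

// Constructed data tree, same shape as the accepted answer's "admins" list.
const ROOT_DATA = {
  admins: { "1": true, "4": true, "7": true },
  secrets: { plan: "constructed sample data" },
};

class Snapshot {
  constructor(value) { this.value = value; }

  // Assumption: an empty path ('') resolves to the node itself. That is the
  // behaviour that lets hasChild('') succeed, as the simulator test shows.
  child(path) {
    let node = this.value;
    for (const segment of String(path).split('/').filter(Boolean)) {
      node = (node !== null && typeof node === 'object') ? node[segment] : undefined;
      if (node === undefined) return new Snapshot(null);
    }
    return new Snapshot(node === undefined ? null : node);
  }
  exists() { return this.value !== null; }
  hasChild(path) { return this.child(path).exists(); }
  val() { return this.value; }
}

const root = new Snapshot(ROOT_DATA);

// Rule from the accepted answer: only checks that some node exists at admins/<uid>.
function ruleHasChild(auth) {
  return auth != null && root.child('admins').hasChild(auth.uid);
}

// Hardened rule from this answer: requires the literal value true at admins/<uid>,
// so resolving '' to the admins object itself no longer satisfies the check.
function ruleValIsTrue(auth) {
  return auth != null && root.child('admins').child(auth.uid).val() === true;
}

// Evaluate both rules for each auth context and report the outcome side by side.
function evaluate(auths) {
  return auths.map(({ label, auth }) => ({
    label,
    hasChild: ruleHasChild(auth),
    valIsTrue: ruleValIsTrue(auth),
  }));
}

// Constructed auth contexts, including the empty-uid case from the simulator.
const CASES = [
  { label: 'unauthenticated', auth: null },
  { label: 'admin uid 4', auth: { provider: 'password', uid: '4' } },
  { label: 'non-admin uid 9', auth: { provider: 'password', uid: '9' } },
  { label: 'empty uid', auth: { provider: 'anonymous', uid: '' } },
];

for (const result of evaluate(CASES)) {
  console.log(result);
}
```

Only the empty-uid row differs between the two columns: `hasChild` grants access, `valIsTrue` denies it. A related caveat when adopting either rule as the top-level `.write` rule: it also lets any admin write to the `admins` node and promote further accounts, so in a real deployment the `admins` subtree should additionally get its own `".write": false` so membership can only be changed server-side.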
0

You can also turn off new user registration by adding a cloud function that deletes new users upon registration. See this answer:

How to prevent new user registration on Firebase?

Gabriel Garrett