Without Cloud Functions, it appeared that it required an app server to securely limit signups for a Firebase app by email domain, according to this old question: How do I lock down Firebase Database to any user from a specific (email) domain?

The goal is to allow only signups from a specific domain or set of domains using Google authentication and/or other auth providers.

Now that we have Firebase Cloud Functions, how can this be accomplished without an app server?

Mike
  • Frank's answer on the question that you linked to shows how to achieve this without the need for any app server, just by using the database security rules. – Josep Sayol Mar 19 '17 at 17:27
  • Other answers suggested that technique was not secure. I tried implementing it without success but didn't pursue it further when I saw the suggestion that it wasn't secure against tampering. Was I mistaken? – Mike Mar 19 '17 at 18:46

1 Answer

From the Introduction section of the Firebase Functions page:

Firebase SDK for Cloud Functions integrates the Firebase platform by letting you write code that responds to events and invokes functionality exposed by other Firebase features.

The keyword being responds. The Firebase functions are only meant to react, not prevent, so to speak.

If you picture the scenario of a user signing up, your functions would only fire after a user has been created (functions.auth.user().onCreate). By that measure, if you were to do this with Firebase Functions then you would have to delete the user after it was created, making your client side logic really messy.

The rules that Josep directed you towards are the correct solution. They will actively prevent any signups from a given domain.

I hope this clarifies a bit, even though it might not have been the answer you were looking for. :)

Chris
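
An added example (not part of the original answer, and not Firebase's own code) of the domain check that a rules-based restriction depends on, written as plain JavaScript so it runs offline. The `email` and `email_verified` fields are the ones Firebase exposes on `auth.token`; the allowed domains and the sample claims are constructed for illustration.

```javascript
// Constructed allow-list; replace with the domains you actually trust.
const ALLOWED_DOMAINS = ['example.com', 'corp.example.org'];

// Returns the lower-cased domain of an address, or null if it is malformed.
function emailDomain(email) {
  if (typeof email !== 'string' || /\s/.test(email)) return null;
  const at = email.lastIndexOf('@');
  // Require a non-empty local part and a non-empty domain.
  if (at < 1 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// claims: an object shaped like auth.token ({ email, email_verified }).
function isAllowedAccount(claims, allowed = ALLOWED_DOMAINS) {
  // An unverified address proves nothing: with email/password sign-in the
  // caller chooses the address, so only trust it once it is verified.
  if (!claims || claims.email_verified !== true) return false;
  const domain = emailDomain(claims.email);
  // Compare the whole domain. A substring or loose suffix test would accept
  // "evilexample.com" or "example.com.attacker.test".
  return domain !== null && allowed.includes(domain);
}

// Splits a batch of claims into accepted and rejected addresses.
function partitionAccounts(claimsList, allowed = ALLOWED_DOMAINS) {
  const result = { accepted: [], rejected: [] };
  for (const claims of claimsList) {
    const bucket = isAllowedAccount(claims, allowed) ? 'accepted' : 'rejected';
    result[bucket].push(claims.email);
  }
  return result;
}

// Constructed sample claims covering the cases that usually go wrong.
const SAMPLE_CLAIMS = [
  { email: 'alice@example.com', email_verified: true },
  { email: 'Bob@EXAMPLE.COM', email_verified: true },
  { email: 'carol@example.com', email_verified: false },
  { email: 'dave@evilexample.com', email_verified: true },
  { email: 'erin@example.com.attacker.test', email_verified: true },
  { email: 'example.com', email_verified: true },
];

console.log(partitionAccounts(SAMPLE_CLAIMS));
```

The same two conditions, a verified address and an exact domain match, are what a security rule on `auth.token` has to express for the restriction to hold.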