Restrict Firebase users by email

Question

I have a client that would like to be able to make a list of restricted emails that can access the data. So anyone else coming to the app can't read/write any data at all ( ideally can't even log in but I don't think that's possible with Firebase? ). Any ideas on how to go about this? I had thought of having an array of accepted emails and checking whether their email existed in the security rules but that didn't seem to work. I had the following in the database:

"validEmails": ["test@test.com"]

and then in the security rules:

".read": "root.child('validEmails').val().indexOf(auth.token.email) > -1"

But it looks like you can't use indexOf in those security rules.

Maybe I need to have a list of acceptable emails, and then when a user signs up it checks whether they're in that list and adds their UID to an accepted list? I guess I could do this through a cloud function or something?

Any help would be much appreciated.

Cheers

"but that didn't seem to work" It sounds like you've tried something that should've worked. Please edit your question to include the [minimal code that reproduces what you tried](http://stackoverflow.com/help/mcve). Also see this answer for a more generic "lock down database by domain" https://stackoverflow.com/questions/36943350/how-do-i-lock-down-firebase-database-to-any-user-from-a-specific-email-domain — Frank van Puffelen, Sep 04 '17 at 13:38
Sorry Frank, I've updated the question to reflect the code that I tried that didn't work. — Matt Sanders, Sep 05 '17 at 03:25

score 12 · Answer 1 · answered Sep 26 '17 at 21:30

Have the list of allowed user's emails in the database:

"whitelist": {
   "fred@gmail%2Ecom": true,
   "barney@aol%2Ecom": true
 }

Since periods are not allowed in keys, you need to escape strings with periods before storing them.

Then in the database rules:

{
    "rules": {
        "whitelist": {
            ".read": false,
            ".write": false
        },
        ".read": "root.child('whitelist').child(auth.token.email.replace('.', '%2E')).exists()",
        ".write": "root.child('whitelist').child(auth.token.email.replace('.', '%2E')).exists()"
    }
}

User's email is accessible via auth.token.email. You need to escape the dots (. -> %2E) and check if the key exists on the whitelist.

These rules don't allow anyone read or write access to the /whitelist section of the database. Modification is only possible via firebase console.

can confirm this is still a working solution 3 years later – Eli Albért Jul 17 '20 at 20:36 — Eli Albért, Jul 17 '20 at 20:36

score 5 · Accepted Answer · answered Sep 26 '17 at 22:20

5

Thanks guys, what I ended up doing was having a list of acceptable emails:

{
    "validEmails": ["test@test.com"],
    "validUsers": {}
}

and then have a cloud function run to check when a user signed up if their email was in the valid email list. If it was then it added them to the valid users list and if not it deleted the newly created user. I also set up data rules so that only users within validUsers could access the data.

The front-end then handled the redirection etc for invalid users.

answered Sep 26 '17 at 22:20

Matt Sanders

370
2
12

Would you please elaborate how do you "have a cloud function run to check when a user signed up if their email was in the valid email list"? Thanks! – Aníbal Rivero Dec 01 '17 at 14:16
3

@AníbalRivero Firebase allows you to write [cloud functions](https://firebase.google.com/docs/functions/) which is basically just javascript that runs on a node.js server. They hook into specific actions and allow you to run code in response to something. In my example above, I'm using `functions.auth.user().onCreate()` to check whether the user that just signed up has an email in the list of valid emails. If not it removes them. – Matt Sanders Dec 03 '17 at 18:09

score 4 · Answer 3 · answered Sep 04 '17 at 11:08

Once you enable the authentication module of Firebase I believe you can't restrict it to email addresses or domains. However you could secure your database another way. If your users are already registered and you know their uid, then you can restrict read and write access based on these.

Lets pretend you have an acl object in the database, you can list the users and their uid with their read/write permissions.

These rules will check each request and only allow authorised users to access the data.

{
  "acl": {
    [
      {
        "uid: "abc123"
        "canRead": true,
        "canWrite": true
      },
      {
        "uid": "def456",
        "canRead": true,
        "canWrite": false
      }
  },
  "secure": {
    ".read": { root.child('acl').child(auth.uid).child('canRead').val() == true }
    ".write": { root.child('acl').child(auth.uid).child('canWrite').val() == true }
  }
}

Thanks, I wondered if this was the case. I'll have to re-think the clients approach to the situation and build it around this. — Matt Sanders, Sep 05 '17 at 03:13

Restrict Firebase users by email

3 Answers3

Linked