
Using Firestore, I'm trying to figure out how to restrict new user accounts to those matching a whitelist of emails. The problem is, I don't even know if it's even possible to use security rules to prevent the creation of new user accounts. I've attempted a lot of combinations. This was my best attempt:

service cloud.firestore {
  match /users/{userId} {
    allow read: if true;
    allow create, update: if
      request.resource.data.email == "bbbbb@asdfljflsaj.com";
  }
}

I've also tried:

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read: if true;
      allow create, update: if
        request.resource.data.email == "bbbbb@asdfljflsaj.com";
    }
  }
}

And:

service cloud.firestore {
  match /users/{userId} {
    allow read: if true;
    allow create, update: if
      request.auth.email == "bbbbb@asdfljflsaj.com";
  }
}

I'm calling 'createUserWithEmailAndPassword' to create the user and keep hoping one of the variations I try is successful, but to no avail at this point in time. I'm starting to wonder if it's even possible. Any help would be greatly appreciated!

Frank van Puffelen
flycrum
  • There is no way to prevent creation of Firebase Authentication accounts, beyond disabling the email provider in your Firebase console. What operation are you trying to prevent with your security rules? – Frank van Puffelen Dec 11 '17 at 04:28
  • Alternatively, you can write a Firebase Functions API endpoint that validates your sign up form details. On success of the API call, you can proceed on the client with creating an account for the user. – Joel Fernandes Dec 11 '17 at 06:00
  • Thanks @JoelFernandes, that's exactly what I'll do then! I was originally hoping to find something comparable to some of the whitelist solutions I had seen with respect to the Firebase Realtime Database, but it looks like it's likely a low priority item for Firestore especially given the introduction of the Functions API which can clearly solve my problem. – flycrum Dec 12 '17 at 00:08
  • Thanks for the information @FrankvanPuffelen. I just wanted to make sure this was in fact impossible before moving on to a different solution. Originally I was trying to prevent the creation of a user unless their email is on a whitelist. I had assumed it was unlikely that I was going to find a clean solution as others had tried to do something similar with avoiding duplicate Twitter handlers but with no success. No problem for me, however, as I can send the request off to a Function. – flycrum Dec 12 '17 at 00:09
  • This question has been asked a few times before. It always comes down to the fact that having a registered account doesn't necessarily mean the user has access to resources. I recommend focusing your energy on the latter, instead of on preventing account creation. E.g. this question shows how to only allow access to the database to users from a specific domain: https://stackoverflow.com/questions/36943350/how-do-i-lock-down-firebase-database-to-any-user-from-a-specific-email-domain – Frank van Puffelen Dec 12 '17 at 00:24
  • Possible duplicate of [Security rules for Firestore DB](https://stackoverflow.com/questions/49884331/security-rules-for-firestore-db) – aglassman May 21 '18 at 15:08

0 Answers
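
Added example, not part of the original thread: the approach from Frank van Puffelen's last comment, restricting access to data rather than account creation, written as Firestore rules. The `allowlist` collection keyed by email address and the `email_verified` requirement are assumptions of this example, not something the question specifies.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // True only for a signed-in user whose verified email has a document
    // in the (assumed) /allowlist collection. The document ID must match
    // the email string in the auth token exactly.
    function isAllowlisted() {
      return request.auth != null
        // Email/password sign-up does not prove ownership of the address,
        // so an unverified email claim is not trusted here.
        && request.auth.token.email_verified == true
        && exists(/databases/$(database)/documents/allowlist/$(request.auth.token.email));
    }

    // Clients can neither read nor modify the allowlist. Entries are
    // managed from the Firebase console or the Admin SDK, which are not
    // subject to these rules.
    match /allowlist/{email} {
      allow read, write: if false;
    }

    match /users/{userId} {
      // Anyone can still create an Authentication account, but an
      // account that is not allowlisted gets no access to this data.
      allow read: if isAllowlisted();

      // A user may write only their own profile document, and the stored
      // email must be the one in their auth token, not a client-supplied
      // value.
      allow create, update: if isAllowlisted()
        && request.auth.uid == userId
        && request.resource.data.email == request.auth.token.email;
    }
  }
}
```

Compared with the attempts in the question, the check reads the email from `request.auth.token` instead of from the submitted document or `request.auth.email`, and all matches sit under `/databases/{database}/documents`.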