0

I developed a website from Firebase Hosting. I have a problem when users do not allow access to their emails from Facebook Authentication, because the email was blanked '-'.

My code:

var facebookAuthProvider = new firebase.auth.FacebookAuthProvider();
facebookAuthProvider.addScope('email');
firebase.auth().signInWithPopup(facebookAuthProvider);

Although I added the email to the scope, user can disallow it. How can I check, before the login, if user allowed or disallowed the email ?

Thank you.

KENdi
  • 7,576
  • 2
  • 16
  • 31
Erasmo Neto
  • 17
  • 2
  • "before" the login? you can check AFTER login, not before. there is a permissions endpoint, check out the api reference. – andyrandy Dec 22 '17 at 11:05
  • @luschn but after login, user account will already be created in Firebase without email, that's the problem. Thanks. – Erasmo Neto Dec 22 '17 at 11:28
  • @luschn For example: there is a cordova plugin called CordovaFacebook where I can check before the command signInWithCredential if the variable result.declined.length is bigger than 0. Thanks. – Erasmo Neto Dec 22 '17 at 11:36
  • 1
    I think there is no option something like: signup but but don't allow to share email. There are only signup or deny with facebook. And list of scopes that the app will access. So, this user probably signed up with facebook but email not shared because this may cause from facebook its own user settings. ( I have read something before but could not find now) – Cappittall Dec 22 '17 at 11:45
  • But in case add `public_profile` to scope like: `facebookAuthProvider.addScope('public_profile email');` in case you can get the name etc. basic info. – Cappittall Dec 22 '17 at 11:49
  • 1
    be aware that some users even do not have any email so do not expect it. for identification, you only need the id anyway. let users enter their email on their own. – andyrandy Dec 22 '17 at 12:26

1 Answers1

0

There is no way to prevent the user from creating an account.

But what you can do is disallow access to other products based on the fact that they haven't provided an email address.

For example: if you use the Firebase Database, you'd secure that through its server-side security rules. For an example of this, see How do I lock down Firebase Database to any user from a specific (email) domain?

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807