4

Is there any way to turn off more users from signing up on Firebase after I've signed up specific users? For instance, if I only want 10 particular users to be signed up and no more, is there a way to turn off future signups?

Gabriel Garrett
  • 2,087
  • 6
  • 27
  • 45
  • You might want to consider simply manually disabling all forms of auth, after your threshold is met, so there's no chance of an account being created for even a small amount of time. – Doug Stevenson Mar 07 '18 at 22:41
  • @DougStevenson Once auth is disabled, doesn’t that also get rid of all the available accounts though? – Gabriel Garrett Mar 08 '18 at 00:47
  • I don't think it would be so rash as to delete everything without prompting you. It might disable their logins, though. You might want to just give it a try. – Doug Stevenson Mar 08 '18 at 02:14

2 Answers2

9

After some digging, even though this method isn't officially listed in the documentation, I found that you can automatically delete any new user that's created once they have signed up using Cloud Functions and the admin SDK. Here's the code I used to delete any new user the moment they have tried signing up:

  exports.deleteNewUser = functions.auth.user().onCreate((event) => {
  const uid = event.data.uid; // The Firebase user.
  admin.auth().deleteUser(uid)
    .then(function() {
      console.log("Successfully deleted user");
    })
    .catch(function(error) {
      console.log("Error deleting user:", error);
    });
  });

Update: Firebase has introduced a revoke token API as well. The reason this is important is because when a user registers, even if they are immediately deleted, they are issued a valid token that remains authenticated for at least several minutes, if not longer. Consider revoking the user's token immediately after deletion by utilizing:

admin.auth().revokeRefreshTokens(uid)
  .then(() => {
    return admin.auth().getUser(uid);
})
Gabriel Garrett
  • 2,087
  • 6
  • 27
  • 45
  • 3
    However don't forget to prevent read/write from accounts you don't authorize through setting-up some database security rules. – Renaud Tarnec Mar 07 '18 at 22:29
  • 3
    This is not ideal. Once a user is created using the SDK method, they are automatically signed-in. Please see: https://firebase.google.com/docs/auth/web/password-auth#create_a_password-based_account. So, I do not know how reliable is the proposed solution above. – Bilger Yahov Feb 08 '19 at 15:07
  • Does someone know a use case that this solution may be a problem? For me it looks awesome to restrict registration based on another firebase info and I don't know why google does not mention that – Leonardo Rick Aug 30 '20 at 00:37
  • @LeonardoRick There's a fraction of a second where a token would be issued and security vulnerability could exist. That token would remain active until the user left. Consider revoking the token simultaneously and adding DB security rules that only permit users existing within the DB as well to use it. – Gabriel Garrett Aug 31 '20 at 01:29
  • 1
    @GabrielGarrett Thank's for answering. I decided to call `https.onCall()` of cloud functions after user registration. This way I can pass all user info to be stored on firestore via this http request and I only create the user based on my conditions. If user is not allowed I revoke the token and delete him from `auth()` on this request. – Leonardo Rick Aug 31 '20 at 17:12
6

For anyone stumbling upon this post as of 3/21/21, Firebase has implemented a feature to disable user creation/deletion on the Identity platform page.

Please reference, https://github.com/firebase/firebaseui-web/issues/99#issuecomment-794537000

You no longer need to create an API to handle user authentication just to disable user creation/deletion now.

lemonpledge
  • 1,018
  • 2
  • 10
  • 14