Firebase: Check for domain of verified email address

Question

I am making a tool for other people to use and they all have the same domain for their email addresses (Ex: john.james@company.com, jack.mason@company.com). I want them to be able to auth without me having to do any work, but to disallow anyone else to be able to auth if they don't have the domain of @company.com. So far my ruleset is the following

service cloud.firestore {
  match /databases/{database}/documents {
    match /booths/{id} {
        allow read, write: if request.auth.uid == 'censored uid'
      allow read, update: if request.auth.token.email_verified
    }
  }
}

If anyone has any information on the matter please respond. Thanks in advance.

Firestore security rules can't be used to prevent who can authenticate. They can only be used to determine who may read and write parts of the database *after* they authenticate with Firebase Authentication. You could certainly lock down the database using the user's verified email address, but again, that requires that the user has previously authenticated. — Doug Stevenson, Jan 26 '19 at 22:24
Please be mindful of tags: you're asking about Firebase Authentication, you're showing security rules for Cloud Firestore, and tagged with Realtime Database. While all three are part of Firebase, all these products work differently and have their own APIs. With the tagging and question now, I honestly have no idea what you're asking; Doug's comment is definitely one of the options, and here is a great example of how to do just that: https://stackoverflow.com/questions/36943350/how-do-i-lock-down-firebase-database-to-any-user-from-a-specific-email-domain. — Frank van Puffelen, Jan 27 '19 at 00:04

Firebase: Check for domain of verified email address

0 Answers0