0

I am developing website using firebase services. It is a website for a club. This website is not for everyone. Only club members should have access to the files and other members' data. So if a user has signed up in this website and requested the verification email, I need to send that email to Admin panel email not to the user. Then they can review the request by contacting the user and forward the email after confirmation. Is there any way I can do this?

Creating user account for all the members and giving access is not very easy and practical (But possible) in this situation because this club is 50+ years old and there are more than 5000 members are available also they all are working in different countries. So we can't create every single user account and we can't let unauthorized people accessing the data.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Gimhana Jayasekara
  • 17
  • 6

1 Answers1

0

It's important to keep the individual actions/steps separate in your use-case:

  1. authentication

    The user signs-in to Firebase Authentication to your app. This validates that the credentials the user enters, are what Firebase Authentication (or the social identity provider) has stored for that user. This does nothing more than allowing me to prove that I am Frank, and makes it "impossible" for any other user of your app to prove that.

  2. email verification

    Since many authentication mechanisms are based on a combination of email address and a password, it can be crucial to know that the email address was entered correctly. Through Firebase Authentication's email verification mechanism, you can ensure that the user has access to the email address they entered.

  3. authorization

    Based on an authenticated user, you can grant access to other resources within your app. This is beyond the scope of Firebase Authentication though, and depends on those other resources.

    For example, if you use the Firebase Realtime Database or Cloud Firestore, you'd use the security rules of those databases to ensure all data access is authorized. A simple example of only allowing gmail users access to data in the Realtime Database, can be found in my answer to this question: How do I lock down Firebase Database to any user from a specific (email) domain?. If you have a custom domain for all users that you want to allow, this approach would be it unnecessary to validate all of them by hand: you can just allow all verified email addresses from your custom domain.

    If your specific scenario allows users to enter any domain, you'll typically have a predefined list of email addresses. In that case, consider storing that list in the database, and verifying against that in your security rules. An example of that for Cloud Firestore can be found in my answer to this question: Prevent user account creation with sign in by email in firestore

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • I'm using real time database and have set the read and write access only for authorized accounts. Can maintain allowed user email list and check every time when user enters an email to signup. But I like to give flexibility to use any email address that ain't provided to the club members database. In my case I think user should provide an application in signup state. A form with only application submission. After admin panel reviewed the application they will create an account with only email and password and send password info to the member and he or she can change that password later. – Gimhana Jayasekara May 26 '19 at 04:25
  • That is all possible with the approaches I outlined, but it is something you'll have to build yourself. Apply the solution I linked for Firestore to RTDB, creating a list of allowed UIDs in the database. Then create an Admin site that allows you (and only you) to add UIDs to that part of the database. You can also do that in the Firebase console of the RTDB, which is what I usually do, and save yourself from writing an admin interface (initially). – Frank van Puffelen May 26 '19 at 04:31