I'm using Firebase to authenticate the users on my application but, since the app is very early stage, I would like to restrict the login (or registration) to only users that have a specific code.

It looks like there's no option like this and I was wondering if there's any solution that doesn't involve a back-end.

Right now I'm using a specific code in the database that the user has to enter while logging in. If that code is not correct you can't log in. The problem is that the function (obviously) is executed on the front-end, so a person with the right knowledge could easily modify the code and still access the app without a token.

Is there a more robust solution?

Frank van Puffelen
ste
  • How about the Firebase security rules? – Ticherhaz FreePalestine Feb 11 '20 at 12:42
  • There is no way to control who can authenticate, as all that does is prove that their credentials are correct. But (if you use Firebase Realtime Database or Firestore) you can keep them from accessing application data with Firebase's server-side security rules. For an example of this, see: https://stackoverflow.com/a/42788746, https://stackoverflow.com/a/38357717, https://stackoverflow.com/a/45789720 – Frank van Puffelen Feb 11 '20 at 14:30
  • Does this answer your question? [How to disable Signup in Firebase 3.x](https://stackoverflow.com/questions/38357554/how-to-disable-signup-in-firebase-3-x) – Frank van Puffelen Feb 11 '20 at 14:30

1 Answer

If you truly want no back end, you can see my answer at the bottom of "How to protect firebase Cloud Function HTTP endpoint to allow only Firebase authenticated users?", which involves taking advantage of the fact that every Firebase project is also a Google Cloud Platform project, and GCP allows for private functions.

However, there is an easier way: just wrap your Cloud Function logic with an if clause that checks for any of a number of things before actually executing the function.

Assuming, for instance, you're on the web platform, when someone invokes an HTTPS callable function from the front end, it will be sent with `data` and `context` objects.

You could check for `context.auth.email` to restrict to specific users, or you could check for `data.mySecretKey`, and since the check is occurring in your Cloud Function, no one could inspect your code to find the key.

ultraGentle