I've been working on a small application, using Firestore. I also implemented basic auth using email/password (from the Firebase UI kit).

Now existing users (which I made manually) can log in, but if the e-mail is not found, the auth lets you sign up. Can this be disabled? Because I want to somehow restrict the access at least a little bit.

__

What I've done for now is write a db-rule so that only a user in my 'users' collection (where document uid = userid) who has a boolean field 'admin' gets write access.

The rule itself goes as follows:

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if request.auth.uid != null;
      allow write: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.admin == true;
    }
  }
}

is this 'safe' and 'ok' to be implemented like this?

NickVH

1 Answer

As you can see on this community question, in Firebase you cannot disable sign-up without disabling sign-in for all users, so in order to create this control you would have to either:

  • Set that on your provider, since you are using FirebaseUI, when you build the class doing something like this:
List<AuthUI.IdpConfig> providers = new ArrayList<>();
providers.add(new AuthUI.IdpConfig.EmailBuilder()
    .setAllowNewAccounts(false)
    .build());
  • Control it using Cloud Functions by doing something like this:
const functions = require('firebase-functions');
const admin = require('firebase-admin');
admin.initializeApp();

// Runs after every new Auth user is created and immediately disables the account.
exports.blockSignup = functions.auth.user().onCreate(user => {
  return admin.auth()
    .updateUser(user.uid, {disabled: true})
    .then(blockedUser => console.log(`The user ${blockedUser.uid} has been blocked from SignIn`))
    .catch(error => console.error(`${error}`));
});
  • The solution you already implemented, which has a list of authorized users and blocks out all users that are not on it; this is a good choice if you have a limited number of users. Also, to your security point, this would only be visible to the Firebase rules themselves and the users would still need to sign in so the rules can get the uids to compare with the list, so I would say that this would be secure enough.

Hope this helps.

Ralemos
  • Thanks for the reply. Your 3rd solution seems similar to what I've already created so far it seems? (with a user-collection where uid's have an admin-field). Is this considered 'safe'? – NickVH Apr 14 '20 at 14:47
  • I would say that it is, since users would still need to be authenticated for you to get their uids, and this would only be handled by your rules themselves. – Ralemos Apr 14 '20 at 14:55
  • I edited the answer as I did not see you already had implemented it and added my comment on the security. – Ralemos Apr 14 '20 at 15:06
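The following is an added example, not code from the question or the answer: it combines the answer's Cloud Function approach with the asker's pre-provisioned 'users' collection, disabling any newly created Auth user whose uid has no document there, so unknown sign-ups never end up with a usable account. The Firestore and Auth clients are injected so the decision logic runs offline against the constructed fakes at the bottom; the function name `screenNewUser` and the fake clients are assumptions of this example.

```javascript
// Screen one newly created Auth user against the 'users' collection
// (document id == uid). `db` and `auth` are Firebase Admin Firestore/Auth
// clients, or fakes exposing the same methods (as in the demo below).
async function screenNewUser(user, db, auth) {
  const snap = await db.collection('users').doc(user.uid).get();
  if (snap.exists) {
    return { uid: user.uid, action: 'allowed' };
  }
  // Not pre-provisioned: disable rather than delete, so the attempt stays
  // visible in the Auth console for review.
  await auth.updateUser(user.uid, { disabled: true });
  return { uid: user.uid, action: 'disabled' };
}

// Deployment wiring (assumes firebase-functions v1 and firebase-admin):
//   const functions = require('firebase-functions');
//   const admin = require('firebase-admin');
//   admin.initializeApp();
//   exports.screenSignup = functions.auth.user().onCreate((user) =>
//     screenNewUser(user, admin.firestore(), admin.auth()));

// Constructed fakes so the logic can be exercised without a Firebase project.
function makeFakeClients(allowedUids) {
  const disabled = []; // uids the fake Auth client was asked to disable
  const db = {
    collection: () => ({
      doc: (uid) => ({
        get: async () => ({ exists: allowedUids.includes(uid) }),
      }),
    }),
  };
  const auth = {
    updateUser: async (uid, props) => {
      if (props.disabled) disabled.push(uid);
      return { uid, ...props };
    },
  };
  return { db, auth, disabled };
}

// Demo: one pre-provisioned admin, one stranger who self-registered.
(async () => {
  const fx = makeFakeClients(['admin-uid-1']);
  console.log(await screenNewUser({ uid: 'admin-uid-1' }, fx.db, fx.auth));
  console.log(await screenNewUser({ uid: 'stranger-uid' }, fx.db, fx.auth));
  console.log('disabled:', fx.disabled);
})();
```

Note that onCreate runs shortly after the account exists, so a self-registered user is briefly authenticated before being disabled; the rule above still grants `read` to any signed-in uid during that window, which is why the write check against the 'users' collection remains the real access control.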