Firebase - Predefined User list & Phone Number Authentication

Question

I am working on one the Android APP & want to integrate it with the Firebase & it's Realtime Database. I have a list of 1000 users(Excel) with details like EmpId, EmpName, Team, Mobile Number, etc.

I want to restrict my APP only to the users from this list & also want to authenticate them using the mobile number present in the list against there name.

Can I use Firebase Auth for the above requirement & if yes, how to do that?

If with FireBase Auth, this is not possible what is the alternative solution?

Please help.

Answer 1

Firebase Authentication only allows the users to identify themselves. What you're describing is limiting what users are allowed to use your app, which is known as authorization, and Firebase Authentication doesn't handle that.

Luckily you tagged with firebase-realtime-database too, and authorization is definitely built into that. What I'd usually do is create a top-level node in the database that contains the UID of users that are allowed to use the app:

"allowedUsers": {
  "uidOfUser1": true,
  "uidOfUser2": true
  ...
}

Then in other security rules you'll check if the user's UID is in this list before allowing them access to data, with something like:

{
  "rules": {
    "employees": {
      ".read": "root.child('allowedUsers').child(auth.uid).exists()",
      "$uid": {
        ".read": "auth.uid === $uid && root.child('allowedUsers').child(auth.uid).exists()"
      }
    }
  }
}

With these rules:

• Allowed users that are signed in can read all employee data.
• But they can only modify their own employee data.

Of course you'll want to modify these rules to fit your own requirements, but hopefully this allows you to get started.

A few things to keep in mind:

• The UID is only created once the users sign up in Firebase Authentication. This means you may have to map from the email addresses you have to the corresponding UIDs. You can either do this by precreating all users, do it in batches, or use a Cloud Function that triggers on user creation to add the known users to the allowedUsers list.
• Alternative you can store the list of email addresses in the database. Just keep in mind that somebody could sign in with somebody else's email address, unless you require email address verification. Oh, and you can't store the email address as a key in the database as-is, since . characters are not allowed, so you'll have to do some form of encoding on that.

Also see:

• How do I lock down Firebase Database to any user from a specific (email) domain? (also shows how to check for email verification)
• Restrict Firebase users by email (shows using encoded email addresses)
• firebase realtime db security rule to allow specific users
• How to disable Signup in Firebase 3.x
• Firebase - Prevent user authentication

Answer 2

I know it's late but for anyone who may be referencing this question, my recommendation is blocking functions. You essentially create a Firebase Cloud Function that can accept or deny requests to make an account. Here's what it could look like:

const functions = require('firebase-functions');

exports.beforeCreate = functions.auth.user().beforeCreate((user, context) => {
  var allowedUsers = ['johndoe@stackoverflow.com'];

  // if they are not in the list, they cannot make an account
  // throwing this error will prevent account creation
  if(allowUsers.indexOf(user.email) == -1) throw new functions.auth.HttpsError('permission-denied');

});

This way is better in my opinion because the security rules doesn't have to reference the database. Instead, the security rules can allow requests from any authenticated user, because the only authenticated users are ones allowed by this function.