Is there a way to default disable users in a firebase authencation on signup?

Question

I am currently developing an iOS appplication using xcode and Swift. My application works well with firebase including the function of email verification. Due to the nature of my application, I want users to be able to sign up, verify their email and then await further verification on the side of my client using firebase.

In an ideal world, firebase would have a setting that supports user being automatically disabled on signup, and you would just tick a box and the user would be enabled in the authencation page of the console.

Seeming as I am looking for my client to be able to do this, I need a way that is simple to them, so they can enable and disable accounts. There is a property in the firebase authencation page but no way to default it.

So.. My idea was to create a cloud function in firebase that automatically disables users on signup, and once my client has verified who they are they will enable them. Any ideas on what this function would look like? Disabled is a nice and easy boolean value so.

I am new to firebase, so wondering if anyone had came across this kind of issue? The link below shows the function on user creation.

https://firebase.google.com/docs/functions/auth-events#trigger_a_function_on_user_creation

Answer 1

You can add an Admin SDK function in the user creation event you have. See this for an example: https://firebase.google.com/docs/auth/admin/manage-users#update_a_user

Answer 2

The easiest way to automatically disable new user accounts is through Cloud Functions. See for an example the answer to this question about How to prevent new user registration on Firebase?.

But note that the user will already be signed in by the time the Cloud Function runs, so they'll have access until their current/initial ID token expired (up to an hour).

The proper solution is to check whether the user is verified before enabling any backend functionality. For Cloud Firestore, Cloud Storage, and Firebase Realtime Database, you can do this in their server-side security rules. See for some examples of this:

• (Firebase) Firestore security rules - allow if email verified without custom tokens?
• Security rule to only allow write for users with verified emails
• How do I lock down Firebase Database to any user from a specific (email) domain?