
Before adding a new user to Firebase Authentication, the name should be qualified first:

  • The name must not be null
  • The name must not be empty
  • The name must contain at least one D character

Examples:

  • "Frank van Puffelen" => It is unacceptable because there is no D character

  • "Doug Stevenson" => It is acceptable

  • "Alex Mamo" => It is unacceptable because there is no D character

  • "Renaud Tarnec" => It is acceptable

  • "" => It is unacceptable because it is an empty value

  • NULL => It is unacceptable because it is a null value

On the client side, before adding a new user, I check whether the name follows the above qualifiers or not, but the problem is if someone modifies the code.

The client side is not safe, and I should check again on the server side whether the name follows the rules or not.

So the question is: why is there no Rules tab inside Firebase Authentication?

Taha Sami

2 Answers


Since you want to check that the user name (the displayName, I guess) follows the set of constraints listed at the top of your question, you can take advantage of the new blocking Cloud Functions that "let you execute custom code that modifies the result of a user signing in to your app".

For example:

const functions = require('firebase-functions');

// Blocking function: runs on the server before the account is created, so a
// client that skips its own validation is still rejected.
exports.checkDisplayName = functions.auth.user().beforeCreate((user, context) => {
  if (!user.displayName || !user.displayName.toUpperCase().includes('D')) {
    throw new functions.auth.HttpsError(
      'invalid-argument', `displayName is invalid`); // adapt the message as needed
  }
});

More details are in the specific section of the doc, in particular on how to catch and handle the error in your front-end.

Renaud Tarnec
  • How to pass the `displayName` to the blocking function when using `createUserWithEmailAndPassword`? – Dharmaraj Sep 06 '22 at 08:35
  • As you know, passing a `displayName` to the `createUserWithEmailAndPassword` method is not possible, while it is possible with federated identity providers like Google, Facebook, etc. – Renaud Tarnec Sep 06 '22 at 11:16

The security rules concept is used to prevent unauthorized access to your Firebase resources, such as the database and storage. The displayName property is optional irrespective of which authentication method you choose.

If you require users to have a displayName then you can:

  1. Check if the user has a displayName set every time they log in. If not, redirect them to a screen where they can set a name.

  2. Disable sign-ups directly from the Firebase client SDKs and use Firebase Cloud Functions with the Admin SDK to create the user. No one else can reverse engineer the functions code, so the validation on the server side will ensure a user has a displayName.

const functions = require('firebase-functions');
const admin = require('firebase-admin');
admin.initializeApp();

exports.createUser = functions.https.onCall(async (data, context) => {
  const { displayName, email, password } = data;

  // check if displayName is valid; if not, return an error to the caller
  if (typeof displayName !== 'string' || displayName.trim() === '' ||
      !displayName.toUpperCase().includes('D')) {
    throw new functions.https.HttpsError('invalid-argument', 'displayName is invalid');
  }

  // create user using Admin SDK if all data provided is valid
  await admin.auth().createUser({ displayName, email, password });

  return { message: "User created" };
});

Then you can log in your user with the Client SDK using signInWithEmailAndPassword().

In case you are using any Auth providers, e.g. Google, Facebook, and the display name is unavailable for some reason, then you'll need some custom logic as explained in method 1 above.

Neither of the solutions prevents users from using the updateProfile() APIs, so make sure you have some validation on the client end as well and report such events somewhere in the database where you can monitor them.

Dharmaraj
  • Then I should call the function that exists inside Cloud Functions and pass the data to it? I'm using this with Android – Taha Sami Sep 06 '22 at 07:20
  • @TahaSami yes, you can use callable functions as in my answer above. You can easily call it and pass data from your client app using the Firebase client SDK (check the linked documentation). And then use the Admin SDK (that should be used on the server side only, like in CFs) to create the user. The Admin SDK can create users even if you disable sign-ups from the client SDK. – Dharmaraj Sep 06 '22 at 07:23
  • Okay, everything is clear for me now, Do you mind if you tell me if I disabled [this option (Enable delete)](https://i.stack.imgur.com/VBTw2.png) what will happen? Thank you so much. – Taha Sami Sep 06 '22 at 07:28
  • @TahaSami users will be able to delete their account using the [`deleteUser()`](https://firebase.google.com/docs/auth/web/manage-users#delete_a_user) function of the client SDK. If you don't want users to delete their account themselves, then don't enable it. The Admin SDK can still be used to delete users. – Dharmaraj Sep 06 '22 at 07:30
  • Could you see Frank van Puffelen's [answer here](https://stackoverflow.com/a/39437376/7474282)? He said `"There is no way to prevent a user from deleting their Firebase Authentication account."` Does that mean his answer is not valid anymore? Among the terms of use of my app, the user cannot delete his account after signing in, but maybe a specific user modifies the app code and adds the user.delete() code to delete his account. Will this option help me to prevent the user from deleting his account? Thank you again, and sorry because I talked about something outside of the topic. – Taha Sami Sep 06 '22 at 07:44
  • @TahaSami that's an answer from 2016. The option to disable sign-ups and deletion was added recently to the Firebase console (though it was in the Cloud Identity Toolkit console for a while). Yes, users won't be able to delete their account with the `deleteUser()` function (or `.delete()` in older SDKs). It'll throw an error _"Firebase: Error (auth/admin-restricted-operation)."_ Also, as in my updated answer, users can still use `updateProfile()`, so make sure you keep an eye on incorrect user names and report such events in case someone tries to bypass it. – Dharmaraj Sep 06 '22 at 07:51