问题
I have a question regarding firebase authentication. Actully I am making a dashboard for my company, and I will host it in firebase. I want to restrict the email authentication only to my comany domain (ex: cat.com). But I went through the stackoverflow answers and I found I can impose rule in database. But the issue is that I will be calling external databases to fetcj data using Firebase Function and serve it to website(dashboard). So no domain specific rule will apply there. Below is the outline of my dashboard architecture
How can I achieve this? I want people having "xxxx@cat.com" will be able to autheticate and view dashboard data
回答1:
Case 1: The user has already created their account, and you want to restrict one cloud function to specific email addresses.
You can get the user info associated with the cloud function call, and check their email. You can then call the external database if they have the correct email domain. You should also do some UI changes so the user doesn't just get errors if they don't have @cat.com.
Case 2: Restrict all users in your Firebase project to emails containing @cat.com?
If so, you can't restrict the emails directly in firebase authentication, so you'd have to stick user registration code behind a cloud function, creating user accounts there. You can then check their email when they try to register.
You can do this with the Firebase Admin SDK in a cloud function. docs
admin.auth().createUser({
email: 'user@example.com',
emailVerified: false,
phoneNumber: '+11234567890',
password: 'secretPassword',
displayName: 'John Doe',
photoURL: 'http://www.example.com/12345678/photo.png',
disabled: false
})
.then(function(userRecord) {
// See the UserRecord reference doc for the contents of userRecord.
console.log('Successfully created new user:', userRecord.uid);
})
.catch(function(error) {
console.log('Error creating new user:', error);
});
The client will call the cloud function with their desired email and password, and before calling this .createUser, and you can check for the correct email before creating the user with "dog@cat.com".toLowerCase().endsWith("cat.com").
Also, using email domain as a form of access control doesn't sound like a good idea. During the account creation process, you manually add access to the user's document based on the email. What happens when you want to give someone an email but don't want to give them access to the database?
回答2:
If your company uses GSuite & logins via 'Login With Google'
Firebase's Google Login is built on top normal Google Logins + a lot of automation.A Among these is when the part when they create a new OAuth 2.0 Client in GCP. This would be named Web client (auto created by Google Service)
This client is auto-linked to OAuth Consent Screen where you can mention your App's Display Name and limit it to users in your organization with a Google account
If your company uses Email & Password login
The easiest method is to immediately immediately check for organization email via firebase background auth trigger onCreate as mentioned in Ben's answer. If the account does not belong to your organization - delete it immediately.
This would tho for a brief moment give access to your system to the malicious user. To further protect, you can set custom claim to your organization user (when they register - in firebase function) & make sure every request to firestore/real time database has those custom claim checked. Similarly you can check for custom claim in firebase function before making call to your database
来源:https://stackoverflow.com/questions/62977597/how-to-restrict-email-domains-in-firebase-authentication