发表新帖
发表新帖

Prevent user account creation with sign in by email in firestore

后端 未结
关注
1 1442
执笔经年
执笔经年 2020-12-11 12:08

I have setup a passwordless login using firebase sign in with email link. Everything is working as expected, however when the user receives the email and clicks the link to

1条回答
  • 醉话见心
    醉话见心 (楼主)
    2020-12-11 12:39

    Passwordless email sign in allows the user to prove they have access to a certain mail box. It does inherently do nothing more than that. Once the user clicks the link, they are authenticated. Beyond enabling/disabling the entire sign-in provider, you cannot control who can sign-in/authenticate.

    After that it is up to your application to determine what this user is allowed to do. This is a separate step, typically called authorization.

    Firebase Authentication takes (as its name implies) care of authentication only. You will have to handle authorization elsewhere, depending on what services you provide the users access to.

    What makes an email "registered" in your app? I.e. where does the admin create those users? For example, if you store the users in the Cloud Firestore in a collection allowed_users, with documents like this:

    allowed_users: // collection
  "arkade@domain,com": { ... } // document
  "puf@domain,com": { ... } // document

    Now you can limit that only allowed users can access other data with Firestore's server-side security rules. Say you have a collection of posts, you can allow only these users to read posts with:

    service cloud.firestore {
  match /databases/{database}/documents {
    match /posts/{post} {
      // Make sure a 'allowed_users' document exists for the requesting user before
      // allowing any reads from the 'posts' collection
      allow read: if exists(/databases/$(database)/documents/allowed_users/$(request.auth.email))
  }
}

    The syntax is a bit long, but your can see that is only allows the reading of a post if the current user's email address (request.auth.email) exists as a document in allowed_users.

    In rules version 2 of the Firestore rules, you access the current user's email address a little differently. You can do it via request.auth.token.email. The example below also shows how you can get a boolean property in the current user's document, if you identify that user by email:

    allow write: if get(/databases/$(database)/documents/users/$(request.auth.token.email)).data.admin == true;

    0 讨论(0)
 看不清?
提交回复
热议问题