0
votes

I currently have a website that uses Firebase Auth as my authentication. My problem is that I don't want to open registration to everyone, only a selected few people that are supposed to use the website. I read about .htaccess and .htpasswd, but since I'm hosting on Firebase Hosting I don't think it's possible.

My question is: how can I secure the account creation? I don't want to create the accounts manually at the Firebase console but have the users create them on a page. Is it possible to have the account work only after someone "accepts" it at the Firebase console, or to add an extra step after creation? Can I somehow protect the registration page if using Firebase Hosting?

1

1 Answer

2
votes

There is no way to prevent any user from creating an account after you enable Firebase Authentication. But the fact that they can create an account does not necessarily mean that they can then use your application.

The typical approach for your use-case is to store a list of approved users somewhere. Since you're using Firebase Authentication, this would take the form of a list of UIDs.

So to be authorized to use your application a user needs to be authenticated, and approved. Firebase Authentication takes care of them being authenticated, and your back-end functionality should take care of checking their approval status.

For example, if you're using Cloud Firestore as your database, you'd store the approved user UIDs in a collection:

approvedUsers <collection>
  UID1 <document>
  UID2 <document>

And then you can check in the server-side security rules of your database that the user is authorized (authenticated and approved) before allowing them to (for example) read any data.

service cloud.firestore {
  match /databases/{database}/documents {

    match /myCollection/{document} {

      // True when a document named after the caller's UID exists in approvedUsers
      function isApproved() {
        return exists(/databases/$(database)/documents/approvedUsers/$(request.auth.uid));
      }

      // Only approved users may read or write
      allow read, write: if isApproved();
    }
  }
}
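
The same "authenticated and approved" check for a custom back end, as an added example that is not part of the original answer. The `authorize` function, its `deps` parameter and the sample tokens are hypothetical; the comments show how the two callbacks would map onto the Firebase Admin SDK.

```javascript
// Server-side gate: the caller must hold a valid Firebase ID token (authenticated)
// AND have their UID on the allow-list (approved).
// `deps` is a hypothetical injection point so the logic runs without network access.
// With firebase-admin the two callbacks would be wired as:
//   verifyIdToken: (t) => admin.auth().verifyIdToken(t)
//   isApproved: async (uid) =>
//     (await admin.firestore().collection('approvedUsers').doc(uid).get()).exists
async function authorize(authorizationHeader, deps) {
  const match = /^Bearer (\S+)$/.exec(authorizationHeader || '');
  if (!match) return { status: 401, reason: 'missing bearer token' };

  let uid;
  try {
    ({ uid } = await deps.verifyIdToken(match[1]));
  } catch (err) {
    return { status: 401, reason: 'invalid ID token' };
  }
  if (typeof uid !== 'string' || uid.length === 0) {
    return { status: 401, reason: 'invalid ID token' };
  }

  try {
    // Authenticated but not on the list: account exists, access is still denied.
    if ((await deps.isApproved(uid)) !== true) {
      return { status: 403, reason: 'account not approved' };
    }
  } catch (err) {
    // Fail closed: a broken allow-list lookup never grants access.
    return { status: 503, reason: 'approval lookup failed' };
  }
  return { status: 200, uid };
}

// Constructed stand-ins for Firebase Auth and the approvedUsers collection.
const sampleTokens = new Map([['token-alice', 'UID1'], ['token-mallory', 'UID9']]);
const sampleApproved = new Set(['UID1', 'UID2']);
const sampleDeps = {
  verifyIdToken: async (t) => {
    if (!sampleTokens.has(t)) throw new Error('bad token');
    return { uid: sampleTokens.get(t) };
  },
  isApproved: async (uid) => sampleApproved.has(uid),
};

(async () => {
  for (const h of ['Bearer token-alice', 'Bearer token-mallory', 'Bearer forged', undefined]) {
    console.log(h, '->', await authorize(h, sampleDeps));
  }
})();
```

The 403 case is the self-registered account that nobody has approved yet: sign-up succeeded, but the request is still refused.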