Firestore rules for creating a user

0
votes

I am new to firebase and trying to use firebase authentication, along with firestore database. It looks like all the security lies in rules we set, however I want to know the following:

  1. Is it possible to apply rules based on user authentication without using firebase authentication system ?
  2. How can I make sure that the users are only created through my application ? Would anyone with my firebase credentials (Which are easily exposed in browser) be able to add users to the database ? I understand that there is no domain based locking on firestore, but is user creation atleast domain based ?

Thanks!

1
firebasegoogle-cloud-firestorefirebase-authentication

1 Answers

1
votes

Firebase Authentication is the only way to populate the request.auth variable in security rules. So if you want to secure based on a user, you'll need to create that user in Firebase Authentication.

You can however:

  • Use anonymous authentication to generate a UID for users, without requiring them to enter credentials.
  • If you have an existing sign-in system, you can hook that up to Firebase Authentication as a custom provider. This would then make your user details available in request.auth in the security rules.

To lock access to your Firestore database down to users from a specific domain, you'd use something like this in your security rules:

request.auth.token.email_verified && 
  request.auth.token.email.matches(".*@google.com")

So this only allows access once a user has verified the email address in their profile, and if that email address is from he given domain.