How to disable Signup in Firebase 3.x
I have created some users using firebase.auth().signInWithEmailAndPassword and would like to stop signUp now, but keep signIn working. I tried some rules on users and even to stop writing to firebase at all. However registration was still possible. Disabling Email/Password within console disables login too.
{
"rules": {
".read": true,
".write": false,
}
}
Any ideas how to apply security rules to users in Firebase 3?
Firebase explicitly separates authentication (signing in to the app) from authorization (accessing database or storage resources from the app).
You cannot disable sign-up without disabling sign-in for all users, which is not what you want.
In a typical scenario, developer will start securing database/file access based on the authenticated user. See the relevant section in the docs for database security and storage security.
If your use-case is that you only want specific users to have access, you'll probably want to implement a whitelist: a list of users that are allowed to access the data.
You can do that in your security rules:
{
"rules": {
".read": "auth.uid == '123abc' || auth.uid == 'def456'",
".write": false,
}
}
Or (better) by putting the list of allowed uids in your database and referring to that from your security rules:
"allowedUids": {
"123abc": true,
"def456": true
}
And then:
{
"rules": {
".read": "root.child('allowedUids').child(auth.uid).exists()",
".write": false,
}
}
Well it's been days since the question was asked but maybe this could help for those who are still wondering for the answer, we still can't simply disable the new account creation but we can do using Firebase functions:
Here is the workaround for auto-disable new users using cloud functions.
const functions = require('firebase-functions');
const admin = require('firebase-admin');
exports.blockSignup = functions.auth.user().onCreate(event => {
return admin.auth()
.updateUser(event.uid, {disabled: true})
.then(userRecord => console.log(`Auto blocked user: ${userRecord.toJSON()}`))
.catch(error => console.log(`Error auto blocking: ${error}`));
});
Remembering that this function is fired when you create users using the Firebase web console, or by 3rd parties. So you have to create, await the function, then enable the user.
If you want to remove the signup option from FirebaseUI in Android app than you have to add the following provider:
new AuthUI.IdpConfig.EmailBuilder().setAllowNewAccounts(false).build());
and the function will look like the following:
private void FireBaseLoginUI() {
List<AuthUI.IdpConfig> providers = Collections.singletonList(
new AuthUI.IdpConfig.EmailBuilder().setAllowNewAccounts(false).build());
startActivityForResult(
AuthUI.getInstance()
.createSignInIntentBuilder()
.setAvailableProviders(providers)
.setLogo(R.drawable.app_logo)
.setTheme(R.style.AuthUITheme)
.build(),
RC_SIGN_IN);
}
If you enable the Cloud Identity API then you can disable sign up and delete account actions for users and limit them to the Admin SDK.
You can visit https://console.cloud.google.com/customer-identity/settings to disable them.
You might get this notice while enabling the API on an existing project:
Once disabled, using the createUserWithEmailAndPassword method returned a 400 error:
{
"error": {
"code": 400,
"message": "ADMIN_ONLY_OPERATION",
"errors": [
{
"message": "ADMIN_ONLY_OPERATION",
"domain": "global",
"reason": "invalid"
}
]
}
}
Do note that you can still use Admin SDK to create new users.
The documentation for the same can be found here