Is there a way to restrict registrations in firebase

Is there a way to restrict users from registering firebase email/password accounts so that new users can't sign up? I have a small app that only a few admins need to have access to(which I've manually created in the Firebase admin) and the way it's setup right now it seems like anybody could inject a little javascript and register an account.


Firebase Simple Login is an abstraction built on top of Firebase Custom Login for convenience. When using the email / password authentication, it's worth keeping in mind that this is just creating a mapping between that email and password, and automatically generating authentication tokens for use in your security rules.

In your specific case, if all of the "admin" users have already been created, you can achieve the behavior you're looking for through security rules. For example, if you want to only allow read / write access to your Firebase data tree to authenticated users in that list, try writing top-level read / write security rules that require that user to be in the "admins" list:

{
  ".read"  : "auth != null && root.child('admins').hasChild(auth.uid)",
  ".write" : "auth != null && root.child('admins').hasChild(auth.uid)"
}

Those rules above ensure that the user is authenticated (via auth != null ) and require that the authenticated user's id is in the list of admins ( root.child('admins').hasChild(auth.uid) ).

The last step is to actually make those users admins, by writing them to the admins subtree. Let's say you have users 1, 4, and 7 to make admins, update your data tree to reflect the following:

{
  ...
  "admins": {
    "1": true,
    "4": true,
    "7": true
  }
}

As a result of this, even if other users are able to generate new email / password mappings using Firebase Simple Login, those mappings will have no impact on your application as it is restricted using security rules.


@RobDiMarco provided a great answer, but it has a flaw.

The rule root.child('admins').hasChild(auth.uid) will pass, in case auth.uid will be an empty string.

You can test this in Firebase Database Security Simulator, clearing out uid field ( { "provider": "anonymous", "uid": ""} ).

仿真结果

This rule root.child('admins').child(auth.uid).val() === true will not pass with an empty uid .

链接地址: http://www.djcxy.com/p/84208.html

上一篇: Firebase是否为所有认证类型创建帐户?

下一篇: 有没有办法限制Firebase中的注册