10

If I create a new product, use simple auth, there is a "create user" API. How do I restrict it so that only invited emails (either by the email or via a one-time key) can sign up? Doesn't seem to fit easily into the rules, but I am probably missing something.

deitch

1 Answer

4

First, I should point out that the core Firebase API uses JSON Web Tokens for auth, which you can generate yourself, so you have full control over the creation of user accounts and can restrict it however you like:

https://www.firebase.com/docs/security/custom-login.html

I'm guessing you're referring to our Simple Login service.

Simple Login is a service that provides some common login options. It has no way to restrict creation of new accounts. However, you can restrict what those accounts can do with Firebase. For example, you could set your security rules up so that only user accounts in some authorized list (in Firebase) are actually able to read or write data.

Andrew Lee
  • 1
    Hmm, can you elaborate a bit further? Sounds like you're saying, "let them sign up at will, but restrict what they can do unless they are part of the private beta." Not ideal, but might be workable. [I hate how I cannot enter linebreaks here!] Yes, I meant the Simple Login service. After all, if I have to build another service for user auth, and then another for Stripe payments interaction, and another for sending emails, very quickly I lose the benefit of Firebase and might as well just use my server for everything. – deitch Jul 18 '13 at 17:36
  • 1
    Yes, that's what I'm suggesting. Many of our customers already have their own user account databases so that's why we make Custom Login a first-class citizen and Simple Login a layer on top of that. – Andrew Lee Jul 18 '13 at 21:39
  • Would it be possible to store a list of invite tokens as a document in a firebase and set up a security rule that any new user created must have an invite code which is in the table? That would allow an invite system without a separate server. – max Nov 09 '13 at 07:10
  • The page https://www.firebase.com/docs/security/custom-login.html is expired – WcW Sep 23 '22 at 11:37
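
The custom-login route from the answer (you mint the auth token yourself, so sign-up is gated by your own invite check), as an added Node.js example that is not part of the original answer or Firebase's own code. The store, the function names, the `uid`/`invited` fields and the claim layout (`v`, `iat`, `d`) are assumptions for illustration.

```javascript
const crypto = require("crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest();
const b64url = (data) => Buffer.from(data).toString("base64url");

// Hypothetical in-memory invite store: email -> { keyHash, used }. Only a hash of the key is kept.
function createInviteStore() {
  const invites = new Map();
  return {
    invite(email) {
      const key = crypto.randomBytes(16).toString("hex"); // one-time key sent to the invitee
      invites.set(email.toLowerCase(), { keyHash: sha256(key), used: false });
      return key;
    },
    redeem(email, key) { // true exactly once, and only for the matching email + key pair
      const entry = invites.get(String(email).toLowerCase());
      if (!entry || entry.used) return false;
      if (!crypto.timingSafeEqual(entry.keyHash, sha256(String(key)))) return false;
      entry.used = true;
      return true;
    },
  };
}

// HS256 JSON Web Token signed with the app secret (claim names v/iat/d are assumed here).
function mintToken(secret, authData, nowSeconds) {
  const header = b64url(JSON.stringify({ typ: "JWT", alg: "HS256" }));
  const claims = b64url(JSON.stringify({ v: 0, iat: nowSeconds, d: authData }));
  const sig = crypto.createHmac("sha256", secret).update(`${header}.${claims}`).digest();
  return `${header}.${claims}.${b64url(sig)}`;
}

// Sign-up endpoint logic: no token unless the invite is valid and still unused.
function signUp(store, secret, email, key, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!store.redeem(email, key)) return null;
  return mintToken(secret, { uid: email.toLowerCase(), invited: true }, nowSeconds);
}

// Receiving side: accept the claims only if the signature matches the shared secret.
function verifyToken(secret, token) {
  const [header, claims, sig] = token.split(".");
  const expected = crypto.createHmac("sha256", secret).update(`${header}.${claims}`).digest();
  const given = Buffer.from(sig || "", "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  return JSON.parse(Buffer.from(claims, "base64url").toString());
}
```

The secret never leaves the server, so a client that was not invited has no way to obtain a token that verifies.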