How to disable Signup in Firebase 3.x
I have created some users using firebase.auth().signInWithEmailAndPassword and would like to stop signUp now, but keep signIn working. I tried some rules on users and even to stop writing to firebase at all. However registration was still possible. Disabling Email/Password within console disables login too.
{
"rules": {
".read": true,
".write": false,
}
}
Any ideas how to apply security rules to users in Firebase 3?
Answer
Firebase explicitly separates authentication (signing in to the app) from authorization (accessing database or storage resources from the app).
You cannot disable sign-up without disabling sign-in for all users, which is not what you want.
In a typical scenario, developer will start securing database/file access based on the authenticated user. See the relevant section in the docs for database security and storage security.
If your use-case is that you only want specific users to have access, you'll probably want to implement a whitelist: a list of users that are allowed to access the data.
You can do that in your security rules:
{
"rules": {
".read": "auth.uid == '123abc' || auth.uid == 'def456'",
".write": false,
}
}
Or (better) by putting the list of allowed uids in your database and referring to that from your security rules:
"allowedUids": {
"123abc": true,
"def456": true
}
And then:
{
"rules": {
".read": "root.child('allowedUids').child(auth.uid).exists()",
".write": false,
}
}