How to disable Signup in Firebase 3.x

Question

I have created some users using firebase.auth().signInWithEmailAndPassword and would like to stop signUp now, but keep signIn working. I tried some rules on users and even to stop writing to firebase at all. However registration was still possible. Disabling Email/Password within console disables login too.

{
  "rules": {
        ".read": true,
        ".write": false,
      }
}

Any ideas how to apply security rules to users in Firebase 3?

Answer 1

Firebase explicitly separates authentication (signing in to the app) from authorization (accessing database or storage resources from the app).

You cannot disable sign-up without disabling sign-in for all users, which is not what you want.

In a typical scenario, developer will start securing database/file access based on the authenticated user. See the relevant section in the docs for database security and storage security.

If your use-case is that you only want specific users to have access, you'll probably want to implement a whitelist: a list of users that are allowed to access the data.

You can do that in your security rules:

{
  "rules": {
        ".read": "auth.uid == '123abc' || auth.uid == 'def456'",
        ".write": false,
      }
}

Or (better) by putting the list of allowed uids in your database and referring to that from your security rules:

"allowedUids": {
    "123abc": true,
    "def456": true
}

And then:

{
  "rules": {
        ".read": "root.child('allowedUids').child(auth.uid).exists()",
        ".write": false,
      }
}

Answer 2

Well it's been days since the question was asked but maybe this could help for those who are still wondering for the answer, we still can't simply disable the new account creation but we can do using Firebase functions:

Here is the workaround for auto-disable new users using cloud functions.

const functions = require('firebase-functions');
const admin = require('firebase-admin');
    
exports.blockSignup = functions.auth.user().onCreate(event => {
  return admin.auth()
    .updateUser(event.uid, {disabled: true})
    .then(userRecord => console.log(`Auto blocked user: ${userRecord.toJSON()}`))
    .catch(error => console.log(`Error auto blocking: ${error}`));
});

Remembering that this function is fired when you create users using the Firebase web console, or by 3rd parties. So you have to create, await the function, then enable the user.

Answer 3

If you want to remove the signup option from FirebaseUI in Android app than you have to add the following provider:

new AuthUI.IdpConfig.EmailBuilder().setAllowNewAccounts(false).build());

and the function will look like the following:

private void FireBaseLoginUI() {
        List<AuthUI.IdpConfig> providers = Collections.singletonList(
                new AuthUI.IdpConfig.EmailBuilder().setAllowNewAccounts(false).build());

        startActivityForResult(
                AuthUI.getInstance()
                        .createSignInIntentBuilder()
                        .setAvailableProviders(providers)
                        .setLogo(R.drawable.app_logo)
                        .setTheme(R.style.AuthUITheme)
                        .build(),
                RC_SIGN_IN);
}

Answer 4

If you enable the Cloud Identity API then you can disable sign up and delete account actions for users and limit them to the Admin SDK.

You can visit https://console.cloud.google.com/customer-identity/settings to disable them.

You might get this notice while enabling the API on an existing project:

Once disabled, using the createUserWithEmailAndPassword method returned a 400 error:

{
  "error": {
    "code": 400,
    "message": "ADMIN_ONLY_OPERATION",
    "errors": [
      {
        "message": "ADMIN_ONLY_OPERATION",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

Do note that you can still use Admin SDK to create new users.

The documentation for the same can be found here

Answer 5

I use this:

// The Cloud Functions for Firebase SDK to create Cloud Functions and setup triggers.
const functions = require('firebase-functions');
const admin = require("firebase-admin");

admin.initializeApp();

exports.blockSignup = functions.auth.user().onCreate(event => {
    if (process.env['allowCreation'] === "false")
        return admin.auth().deleteUser(event.uid);
    else return Promise.resolve("letUserCreate");
});

After creating the users I want, go to https://console.cloud.google.com/functions and change the environment variable to false, redeploy, done.

Alternatively you could add the user to firestore and only allow to sign up if the user exists on firestore. Like so:

// The Cloud Functions for Firebase SDK to create Cloud Functions and setup triggers.
const functions = require('firebase-functions');
const admin = require("firebase-admin");

admin.initializeApp();

exports.blockSignup = functions.auth.user().onCreate(user => {
    return new Promise((resolve, reject) => {
        admin.firestore().collection('users').doc(user.email).get().then(doc => {
            if (doc.exists) {
                resolve("letUserCreate");
            }
            else {
                reject(admin.auth().deleteUser(user.uid))
            }
        }).catch(reason => {
            console.error(reason)
            reject(admin.auth().deleteUser(user.uid))
        })
    });
});

Answer 6

As mentioned above, it's important to differentiate between authentication and authorization. Therefore, this can also be done slightly off of Firebase. If you are building a web app for example and you want to allow access to a given page to a specific list of users then you can handle it within your web app.

This example is for executing an onCall firebase function. It only executes if the user UID is 12345

exports.ILoveConsole = functions.https.onCall((message, context) => {

//message is just a text
//context hold the user auth information

    'use strict';
        if (context && context.auth && context.auth.uid) {
            if(context.auth.uid === "12345"){
                console.log("I love security");
            }
            else{
                console.log("You are authenticated but not authorized");
            }
        }
        else {
            console.log("You are neither authenticated nor authorized");
        }
});

Note: If you want to do a list of users, you can do a for loop function to check the array of your authorized users in browser or call a firebase function. They both should run before loading the page

Answer 7

I don't know if Google added this option since the other answers were posted, or if it's just so buried in the documentation that most people don't know about it, but there is a disableSignup option for FirebaseUI Auth. https://github.com/firebase/firebaseui-web/blob/master/README.md#configure-email-provider

The usage looks something like this:

var uiConfig = {
    callbacks: {
        signInSuccessWithAuthResult: (authResult, redirectUrl) => {
            // User successfully signed in.
            // Call your success handler.
            handleLoginSuccess(authResult.user)
            .then( () => {
                return true;
            })
            .catch( err => {
                return false;
            });
        },
        signInFailure: (err) => {
            console.error(`[signInFailure] ERROR: ${err.message}`);
        },
        uiShown: () => {
            // The widget is rendered.
            // Hide the loader.
            document.getElementById('loader').style.display = 'none';
        }
    },
    signInSuccessUrl: "/",
    signInOptions: [
        {
            provider: firebase.auth.EmailAuthProvider.PROVIDER_ID,
            requireDisplayName: true,
            disableSignUp: {
                status: true,
                adminEmail: '[email protected]',
                helpLink: 'https://example.com/login-help'
            }
        }
    ]
};

ui.start("#firebaseui-auth-container", uiConfig);

Hope this helps future searchers who end up here.