
I have a working web application with Firebase authentication. I want it to be such that only I (via the Firebase console) can set up accounts and anybody can sign into the accounts that I’ve set up. Every account in this app can access the same data, no matter the account, and I have set up Firestore rules to only accept requests that are authenticated.

The root of the problem is that I do not know much about the best practices of Firebase, but to get to the point, what is preventing someone from running auth.createUserWithEmailAndPassword("email", "password") in the browser console, logging into that account, and gaining access to the data?

2 Answers


  1. Chosen as BEST ANSWER

    I have found that the simplest solution to my specific problem is to disable the "Enable Create (sign-up)" setting under Firebase Console > Authentication > User Actions. [Image of User Actions settings]

    With this done, attempting to run auth.createUserWithEmailAndPassword("email", "password"); fails and returns this error: Uncaught FirebaseError: Firebase: This operation is restricted to administrators only. (auth/admin-restricted-operation).


  2. what is preventing someone from running auth.createUserWithEmailAndPassword("email", "password") in the browser console, logging into that account, and gaining access to the data?

    Nothing, as long as you have enabled email authentication for your project.

    You might want to look into validating new accounts with email links as well as blocking registration with Cloud Functions.

    Also look into Firebase App Check for additional protection (but it is not guaranteed to ensure that no one can abuse your system).
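    The "blocking registration with Cloud Functions" route from the answer above, as an added example that is not code from the thread or from Firebase: a server-side allowlist policy that a beforeCreate blocking function can enforce, so a call to createUserWithEmailAndPassword from a browser console is rejected even if client sign-up is still enabled. The allowlist addresses, the UserRecord shape, and the wiring comment at the end are assumptions.

```javascript
// Added example: allowlist policy for a Firebase Auth "beforeCreate" blocking
// function. The policy runs stand-alone; the firebase-functions wiring at the
// bottom is an assumed API shape and is left as a comment.

// Hypothetical allowlist: the accounts the owner has created in the console.
const ALLOWLIST = ["owner@example.com", "Staff@Example.com"];

// Normalise so that case or whitespace tricks cannot bypass the comparison.
function normalizeEmail(email) {
  return typeof email === "string" ? email.trim().toLowerCase() : "";
}

// Decide whether a new user may be created. `user` mirrors the fields of the
// UserRecord handed to beforeCreate that this policy needs: { email }.
function evaluateSignup(user, allowlist) {
  const allowed = new Set(allowlist.map(normalizeEmail));
  const email = normalizeEmail(user && user.email);
  if (!email) {
    return { allow: false, reason: "sign-up without an email address is not permitted" };
  }
  if (!allowed.has(email)) {
    return { allow: false, reason: `${email} is not on the account allowlist` };
  }
  return { allow: true, reason: "allowlisted" };
}

// Build the handler. HttpsError is injected so the policy can be exercised
// without the firebase-functions package installed.
function makeBeforeCreateHandler(allowlist, HttpsError) {
  return (user, _context) => {
    const decision = evaluateSignup(user, allowlist);
    if (!decision.allow) {
      // Throwing here aborts account creation; the client sees the reason.
      throw new HttpsError("permission-denied", decision.reason);
    }
    // Returning undefined lets the creation proceed unchanged.
  };
}

// Assumed wiring (firebase-functions v1 identity blocking API), not run here:
// const functions = require("firebase-functions");
// exports.beforeCreate = functions.auth.user()
//   .beforeCreate(makeBeforeCreateHandler(ALLOWLIST, functions.auth.HttpsError));
```

    Disabling "Enable Create (sign-up)" in the console, as in the accepted answer, remains the simpler control; this policy is useful when sign-up must stay on for some addresses but not others.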
