Before adding a new user to Firebase Authentication, the name should be qualified first:
- The name must not be null
- The name must not be empty
- The name must contain at least one D character
Examples:
- "Frank van Puffelen" => It is unacceptable because there is no D character
- "Doug Stevenson" => It is acceptable
- "Alex Mamo" => It is unacceptable because there is no D character
- "Renaud Tarnec" => It is acceptable
- "" => It is unacceptable because it is an empty value
- NULL => It is unacceptable because it is a null value
On the client side, before adding a new user, I check whether the name follows the above qualifiers or not, but the problem is if someone modifies the code.
The client side is not safe and I should check again on the server side whether the name follows the rules or not.
So the question is: why is there no Rules tab inside Firebase Authentication?
2 Answers
The security rules concept is used to prevent unauthorized access to your Firebase resources such as database and storage. The `displayName` property is optional irrespective of which authentication method you chose. If you require users to have a `displayName` then you can:
1. Check if the user has `displayName` set every time they log in. If not, then redirect them to a screen where they can set a name.
2. Disable sign-ups directly from Firebase client SDKs and use Firebase Cloud Functions with the Admin SDK to create the user. No one else can reverse engineer the functions code, so the validation on the server side will ensure a user has a `displayName`. Then you can log your user in with the Client SDK using `signInWithEmailAndPassword()`. In case you are using any Auth providers, e.g. Google, Facebook, and the display name is unavailable for some reason, then you'll need some custom logic as explained in method 1 above.
Neither solution prevents users from using the `updateProfile()` APIs, so make sure to have some validation on the client end as well and report such events somewhere in the database where you can monitor it.

Since you want to check that the user name (the `displayName` I guess) follows the set of constraints listed at the top of your question, you can take advantage of the new blocking Cloud Functions that "let you execute custom code that modifies the result of a user signing in to your app". For example:
More details in the specific section of the doc, and in particular on how to catch and handle the error in your front-end.