如何在 Firebase 身份验证中限制电子邮件域 [英] How to restrict email domains in Firebase Authentication
问题描述
我有一个关于 Firebase 身份验证的问题.实际上,我正在为我的公司制作一个仪表板,并将其托管在 firebase 中.我想将电子邮件身份验证仅限于我的公司域(例如:cat.com).但是我浏览了 stackoverflow 的答案,发现我可以在数据库中强加规则.但问题是我将使用 Firebase 函数调用外部数据库来获取数据并将其提供给网站(仪表板).所以没有特定于域的规则适用于那里.下面是我的仪表板架构大纲
I have a question regarding firebase authentication. Actully I am making a dashboard for my company, and I will host it in firebase. I want to restrict the email authentication only to my comany domain (ex: cat.com). But I went through the stackoverflow answers and I found I can impose rule in database. But the issue is that I will be calling external databases to fetcj data using Firebase Function and serve it to website(dashboard). So no domain specific rule will apply there. Below is the outline of my dashboard architecture
我怎样才能做到这一点?我希望人们拥有xxxx@cat.com"将能够验证和查看仪表板数据
How can I achieve this? I want people having "xxxx@cat.com" will be able to autheticate and view dashboard data
推荐答案
案例 1: 用户已经创建了他们的帐户,并且您希望将一项云功能限制为特定的电子邮件地址.
Case 1: The user has already created their account, and you want to restrict one cloud function to specific email addresses.
您可以获取与云函数调用关联的用户信息,并查看他们的电子邮件.如果外部数据库具有正确的电子邮件域,则您可以调用它们.您还应该进行一些 UI 更改,这样用户就不会在没有 @cat.com 的情况下收到错误.
You can get the user info associated with the cloud function call, and check their email. You can then call the external database if they have the correct email domain. You should also do some UI changes so the user doesn't just get errors if they don't have @cat.com.
案例 2: 限制 Firebase 项目中的所有用户使用包含 @cat.com 的电子邮件?
Case 2: Restrict all users in your Firebase project to emails containing @cat.com?
如果是这样,您不能直接在 firebase 身份验证中限制电子邮件,因此您必须将用户注册代码粘贴在云功能后面,在那里创建用户帐户.然后,您可以在他们尝试注册时查看他们的电子邮件.
If so, you can't restrict the emails directly in firebase authentication, so you'd have to stick user registration code behind a cloud function, creating user accounts there. You can then check their email when they try to register.
您可以在云函数中使用 Firebase Admin SDK 执行此操作.文档
You can do this with the Firebase Admin SDK in a cloud function. docs
admin.auth().createUser({
email: 'user@example.com',
emailVerified: false,
phoneNumber: '+11234567890',
password: 'secretPassword',
displayName: 'John Doe',
photoURL: 'http://www.example.com/12345678/photo.png',
disabled: false
})
.then(function(userRecord) {
// See the UserRecord reference doc for the contents of userRecord.
console.log('Successfully created new user:', userRecord.uid);
})
.catch(function(error) {
console.log('Error creating new user:', error);
});
客户端会用自己想要的邮箱和密码调用云函数,在调用这个.createUser之前,你可以在创建用户之前用"dog检查邮箱是否正确@cat.com".toLowerCase().endsWith("cat.com").
The client will call the cloud function with their desired email and password, and before calling this .createUser, and you can check for the correct email before creating the user with "dog@cat.com".toLowerCase().endsWith("cat.com").
或者,您可以为@frunkad 提到的用户设置自定义声明:向在@cat.com"注册的用户授予额外权限;电子邮件,此处显示:在用户创建时通过 Firebase 函数定义角色.但是,在 OP 的情况下,只有具有@cat.com"的用户才能访问.应该能够注册,因此自定义声明使问题过于复杂.
Alternatively, you can set a custom claim for users as mentioned by @frunkad: Give extra permissions to users who register with "@cat.com" emails, and this is shown here: Defining roles via Firebase Functions on user creation. However, in OP's case, only users with "@cat.com" should be able to register, so custom claims are over-complicating the issue.
此外,使用电子邮件域作为访问控制的一种形式听起来也不是一个好主意.在帐户创建过程中,您可以根据电子邮件手动添加对用户文档的访问权限.当您想给某人发送电子邮件但不想让他们访问数据库时会发生什么?
Also, using email domain as a form of access control doesn't sound like a good idea. During the account creation process, you manually add access to the user's document based on the email. What happens when you want to give someone an email but don't want to give them access to the database?
这篇关于如何在 Firebase 身份验证中限制电子邮件域的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
