Prevent user account creation with sign in by email in firestore


Problem description

I have set up a passwordless login using Firebase sign-in with email link. Everything is working as expected; however, when the user receives the email and clicks the link to log in, they are automatically created as a registered user.

https://firebase.google.com/docs/auth/web/email-link-auth

After a user signs in for the first time, a new user account is created and linked to the credentials...

This means anyone who makes a request in the login screen will get an email and get access to the site.

I am not sure if there is any configuration or setup that I need to complete in order to require that the user requesting the sign-up link is only checked against the users that are registered.

Something like:

 // Note: the v8 SDK method is named sendSignInLinkToEmail (the original
 // snippet called it sendLoginLinkToEmail); the elided parts are as posted.
 firebase.auth().sendSignInLinkToEmail(email, { url: ..., handleCodeInApp: true }).then(() => {
    ....
  }, error => {
     // return if not an authenticated user
  })

And if the email is not registered then it returns an error.

The idea is to have an administrator that creates users, and then those created users just log in with an email link (no password).

Is this possible? To prevent Firebase from creating an account with .signInWithEmailLink()?

Recommended answer

Passwordless email sign-in allows the user to prove they have access to a certain mailbox. It inherently does nothing more than that. Once the user clicks the link, they are authenticated. Beyond enabling/disabling the entire sign-in provider, you cannot control who can sign in/authenticate.

After that it is up to your application to determine what this user is allowed to do. This is a separate step, typically called authorization.

Firebase Authentication takes (as its name implies) care of authentication only. You will have to handle authorization elsewhere, depending on what services you provide the users access to.

What makes an email "registered" in your app? I.e. where does the admin create those users? For example, if you store the users in Cloud Firestore in a collection allowed_users, with documents like this:

allowed_users: // collection
  "arkade@domain.com": { ... } // document
  "puf@domain.com": { ... } // document

Now you can limit that only allowed users can access other data with Firestore's server-side security rules. Say you have a collection of posts; you can allow only these users to read posts with:

service cloud.firestore {
  match /databases/{database}/documents {
    match /posts/{post} {
      // Make sure an 'allowed_users' document exists for the requesting user before
      // allowing any reads from the 'posts' collection
      allow read: if exists(/databases/$(database)/documents/allowed_users/$(request.auth.email))
    }
  }
}

The syntax is a bit long, but you can see that it only allows the reading of a post if the current user's email address (request.auth.email) exists as a document in allowed_users.

In rules version 2 of the Firestore rules, you access the current user's email address a little differently. You can do it via request.auth.token.email. The example below also shows how you can get a boolean property in the current user's document, if you identify that user by email:

allow write: if get(/databases/$(database)/documents/users/$(request.auth.token.email)).data.admin == true;
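As an added example (not code from the answer above), here is a complete rules-version-2 file that combines both checks from the answer into helper functions and also locks down the allowed_users collection itself, so that a freshly auto-created account cannot simply add its own email to the allow list. Storing the admin flag on the allowed_users document (rather than a separate users collection) and the email_verified check are assumptions of this example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Document IDs in allowed_users are the email strings exactly as they
    // appear in the ID token; the lookup is an exact string match.
    function allowedUserPath() {
      return /databases/$(database)/documents/allowed_users/$(request.auth.token.email);
    }

    // Authenticated AND on the allow list. Email-link sign-in yields a verified
    // email, so email_verified also rejects providers that hand out unverified ones.
    // '&&' short-circuits, so request.auth.token is never touched when auth is null.
    function isAllowed() {
      return request.auth != null
        && request.auth.token.email_verified == true
        && exists(allowedUserPath());
    }

    // Admins are allowed users whose document carries admin: true (assumed field).
    function isAdmin() {
      return isAllowed() && get(allowedUserPath()).data.admin == true;
    }

    // The allow list is the authorization boundary: only admins may change it.
    // A user may read their own entry (e.g. to show "you are not registered").
    match /allowed_users/{email} {
      allow read: if isAllowed() && email == request.auth.token.email;
      allow write: if isAdmin();
    }

    // Any other account that signed in via the email link is authenticated,
    // but it is denied here because no allowed_users document exists for it.
    match /posts/{post} {
      allow read: if isAllowed();
      allow write: if isAdmin();
    }
  }
}
```

Everything not matched above stays denied by default, so accounts that Firebase Authentication creates on first sign-in get no data access until an admin adds their email.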
