Restrict Firestore gmail sign in to specific domain

Question

I want to restrict the users to be able to sign in to my Firestore application using the specific Gmail domain. I found a similar question here, but that is totally different from Firestore. So let me explain my requirement.

Suppose a company called abc.com is using the Gmail services and they have integrated all their email accounts with Gmail. So they can use Gmail email services using that account. So I want to restrict sign-in to users that only use the username@abc.com Gmail account to log in to my Firestore app.

I have searched a lot but didn't find any documentation about this.

Recommended answer

There doesn't seem to be a solid Firestore solution for this but I have a compound solution:

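  • A security rule on the first data collection accessed, where I check the email domain
  • A catchError on the data retrieval, where I check for the error code "permission-denied"
  • An error handler that calls the authentication service and logs out with a redirect to an unauthorized page.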

Sorry about pasting snippets, but I couldn't get the formatter to format all the code.

My component code:

  ngOnInit(): void {
    // Subscribe to the leads collection; a rules denial surfaces here as an error.
    this.leadsDataSubscription = this.leadService.getLeadsSnapshot()
      .pipe(
        catchError((e: any) => Observable.throw(this.errorHandler(e)))
      )
      .subscribe(data => {
        this.leadsDataSource.data = data;
        this.leadsDataSource.paginator = this.paginator;
        this.leadsDataSource.sort = this.sort;
      });
    this.currentUser = this.authSvc.getCurrentUser();
  }

  // On 'permission-denied' from Firestore, stop listening and sign the user out.
  private errorHandler(error: any) {
    if (error.name === 'FirebaseError' && error.code === 'permission-denied') {
      this.leadsDataSubscription.unsubscribe();
      this.authSvc.logout('/unauthorized');
    }
  }

My service code:

  // Sign out of Firebase Auth, then navigate to redirectURL (defaults to '/').
  logout(redirectURL?: string) {
    this.unsubscribe();
    this.afAuth.auth.signOut()
      .then(response => {
        this.snackBar.open('Signed out');
        this.router.navigate([redirectURL || '/']);
      })
      .catch(error => this.snackBar.open('Error signing out: ' + error));
  }

And the Firestore rules:

match /leads/{document=**} {
  allow read: if isAllowedDomain() && isSignedIn();
  allow update: if isAllowedDomain() && isSignedIn() && canUpdate();
  // && binds tighter than ||, so isGod() on its own permits delete.
  allow delete: if isAllowedDomain() && isSignedIn() && isCreator() && canWrite() || isGod();
  allow create: if isAllowedDomain() && isSignedIn() && userExists();
}
function isAllowedDomain() {
  // Parentheses make email_verified apply to both domains; [.] matches a literal dot.
  return request.auth.token.email_verified == true &&
         (request.auth.token.email.matches(".*@workdomain[.]se") ||
          request.auth.token.email.matches(".*@privatedomain[.]org"));
}
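
The following JavaScript model of an isAllowedDomain()-style check is an added example, not part of the original answer. It compares an ungrouped `verified && A || B` condition with the grouped `verified && (A || B)` form on constructed token claims; `fullMatch` is a hypothetical helper standing in for the rules `matches()` method, which matches the whole string.

```javascript
// Stand-in for Firestore rules string.matches(): the regex must match the whole string.
function fullMatch(value, pattern) {
  return new RegExp('^(?:' + pattern + ')$').test(value);
}

// Ungrouped form: `verified && A || B` parses as `(verified && A) || B`,
// so the second domain is accepted even when the email is not verified.
// The unescaped dot also matches any character, not just '.'.
function isAllowedDomainUngrouped(token) {
  return token.email_verified === true &&
    fullMatch(token.email, '.*@workdomain.se') ||
    fullMatch(token.email, '.*@privatedomain.org');
}

// Grouped form with literal dots: verification is required for both domains.
function isAllowedDomainGrouped(token) {
  return token.email_verified === true &&
    (fullMatch(token.email, '.*@workdomain[.]se') ||
     fullMatch(token.email, '.*@privatedomain[.]org'));
}

// Constructed token claims (sample data, not from the original post).
const samples = [
  { email: 'alice@workdomain.se', email_verified: true },
  { email: 'bob@privatedomain.org', email_verified: false },
  { email: 'carol@workdomainxse', email_verified: true },
  { email: 'dave@example.com', email_verified: true },
];

// Evaluate both forms for every sample so the differences are visible side by side.
function evaluate(tokens) {
  return tokens.map(t => ({
    email: t.email,
    ungrouped: isAllowedDomainUngrouped(t),
    grouped: isAllowedDomainGrouped(t),
  }));
}

console.table(evaluate(samples));
```

The two forms disagree only on the unverified privatedomain.org account and on the address where a non-dot character sits in the dot's position; those rows show what the parentheses and `[.]` change.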
