Question

I'm experimenting with Firebase security and auth configurations and noticed the Simple Login Web tutorial. I can create users by running the auth.createUser() through the JavaScript console but wanted to know if I can restrict user creation to be done server side.

I tried adding a host to Authorized Request Origins and tried removing localhost and 127.0.0.1 (without success) but was still able to create users from client side.

Ideally, I'd like the users to only be able to authenticate from client side. Am I missing something? (assuming this can be done without falling back to fb, twitter, etc. integration)

Thanks

Solution

Simple Login is designed to work entirely without a server. If you want to prevent clients from creating accounts, you'll need to utilize custom login and roll your own.

However, in most cases, you probably don't need to prevent accounts from being created in Simple Login. You can achieve the same result by simply preventing users from creating a user record in Firebase, and base your security rules on this.

For example, when a new user account is created on the server, I could create the user profile as:

/user/$user_id/...

I can allow users to write to their own profile, but not create a profile, with this rule:

".write": "data.exists() && auth.uid === $user_id"

Then, to control access to any path on the server, I can write a rule as follows:

".read": "root.child('user/'+auth.uid).exists()"

Since only the server can create the profile in the first place, the user has effectively been prevented from creating an account.
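
The effect of the two rules in the answer above, as an added example that is not part of the original answer: a small in-memory JavaScript model that does not use the Firebase SDK. The function names, the `profiles` map and the uids are constructed for illustration, and the server is assumed to write with credentials that bypass security rules.

```javascript
// Added illustration: in-memory model of the answer's two rules (no Firebase SDK).
// All function names, profile data and uids below are constructed for this example.

// Models ".write": "data.exists() && auth.uid === $user_id" on /user/$user_id
function profileWriteAllowed(profiles, auth, userId) {
  return profiles.has(userId) && auth !== null && auth.uid === userId;
}

// Models ".read": "root.child('user/'+auth.uid).exists()" on a protected path
function protectedReadAllowed(profiles, auth) {
  return auth !== null && profiles.has(auth.uid);
}

// A client write is applied only if the rule allows it.
function clientWriteProfile(profiles, auth, userId, profile) {
  if (!profileWriteAllowed(profiles, auth, userId)) return false;
  profiles.set(userId, profile);
  return true;
}

// Assumption: the server writes with credentials that bypass security rules.
function serverCreateProfile(profiles, userId, profile) {
  profiles.set(userId, profile);
}

function runScenario() {
  const profiles = new Map();
  const selfRegistered = { uid: "simplelogin:7" }; // account created from the browser console
  const provisioned = { uid: "simplelogin:3" };    // account the server set up
  const r = {};

  // The self-registered account is authenticated but has no profile record.
  r.selfCreateProfile = clientWriteProfile(profiles, selfRegistered, selfRegistered.uid, { name: "Mallory" });
  r.selfRead = protectedReadAllowed(profiles, selfRegistered);

  // The server creates the profile; that user can then read and update it.
  serverCreateProfile(profiles, provisioned.uid, { name: "Ada" });
  r.provisionedRead = protectedReadAllowed(profiles, provisioned);
  r.provisionedUpdate = clientWriteProfile(profiles, provisioned, provisioned.uid, { name: "Ada L." });

  // Writing someone else's profile and unauthenticated reads are both denied.
  r.crossWrite = clientWriteProfile(profiles, selfRegistered, provisioned.uid, { name: "Mallory" });
  r.anonymousRead = protectedReadAllowed(profiles, null);
  return r;
}

console.log(runScenario());
```

The self-registered account still exists in Simple Login, but because it has no record under /user it can neither create one nor read any path guarded by the second rule.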

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow