Reputation: 60
I'm using Ionic with Firebase Authentication (Google sign-in method) to authenticate users. I've got the authentication working. The problem is I want to only allow access to my application (login --- rather than authentication) if the user is from my company's domain (jimmy@neutron.ca).
I only want my employees logging into the app and gaining access to the interface beyond the login page. I only want my employees to be able to submit their hours (that's the scope of the application after login).
My question is, what is a secure way of authenticating a user and logging them in?
Is it secure to calculate on the client-side Ionic app whether or not the user is of a particular domain after we get the authentication object back from the Firebase Google sign-in method?
login() {
  this.afAuth.auth.signInWithPopup(new firebase.auth.GoogleAuthProvider())
    .then(res => {
      // example email object = '[email protected]'
      // get the email, split('@')[1] on it
      const domain = res.user.email.split('@')[1];
      // if the result of the split is equal to my domain (neutron.ca), which it is, then log the user in
      if (domain === 'neutron.ca') {
        this.navCtrl.setRoot(AuthenticatedPage);
      } else {
        // if not, unauthenticate and present an unauthorized message to the user
        this.afAuth.auth.signOut();
        // show the "unauthorized" message here (e.g. with Ionic's AlertController)
      }
    });
}
If this isn't secure to do in Ionic on the client side, then how can we calculate it? Can Firebase calculate it?
Upvotes: 0
Views: 241
Reputation: 30858
If I understand this correctly, you need to pass the hd custom OAuth parameter to the Google provider:

  const provider = new firebase.auth.GoogleAuthProvider();
  provider.setCustomParameters({hd: 'neutron.ca'});
  this.afAuth.auth.signInWithPopup(provider);
However, users could still bypass that as Google doesn't enforce it (check the email domain). You need to also enforce that via your security rules (if you are using Firebase Rules) or when you parse the ID token and verify it via Firebase Admin SDK.
Upvotes: 0
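The server-side enforcement the answer recommends, as an added example that is not part of the question or the answer: a Node.js backend verifies the Firebase ID token with the Admin SDK and then applies the email-domain policy itself, so a client that skipped the hd parameter (or edited the Ionic code) still cannot submit hours. The Express-style wiring, the ALLOWED_DOMAIN value and the sample token claims are assumptions for this example; `admin.auth().verifyIdToken()` is the real Admin SDK call and is injected so the logic runs offline.

```javascript
const ALLOWED_DOMAIN = 'neutron.ca'; // assumed company domain, taken from the question

// Returns true only when a verified Firebase ID token belongs to the company domain.
// `claims` is the decoded token returned by admin.auth().verifyIdToken(). Google's `hd`
// hint is not carried into the Firebase token, so the decision rests on `email`, and
// `email_verified` must be true so a self-registered account cannot claim a company address.
function isAllowedClaims(claims) {
  if (!claims || typeof claims.email !== 'string' || claims.email_verified !== true) {
    return false;
  }
  const at = claims.email.lastIndexOf('@');
  if (at < 0) return false;
  const domain = claims.email.slice(at + 1).toLowerCase();
  // Exact comparison: "neutron.ca.example.net" or "notneutron.ca" must not match.
  return domain === ALLOWED_DOMAIN;
}

// Verifies the token, then applies the domain policy. `verifyIdToken` is injected so the
// function can be exercised without network access; in production pass
//   (t) => admin.auth().verifyIdToken(t, true)
// which rejects on a bad signature, wrong project, expiry or revocation.
async function authorize(idToken, verifyIdToken) {
  let claims;
  try {
    claims = await verifyIdToken(idToken);
  } catch (err) {
    return { ok: false, status: 401, reason: 'invalid or expired ID token' };
  }
  if (!isAllowedClaims(claims)) {
    // Authenticated with Google, but not an employee account: refuse the request
    // instead of merely hiding the UI on the client.
    return { ok: false, status: 403, reason: 'account is not in ' + ALLOWED_DOMAIN };
  }
  return { ok: true, status: 200, uid: claims.uid, email: claims.email };
}

// Express-style guard (assumed wiring) for the hours-submission endpoint, e.g.
//   app.post('/hours', requireCompanyUser(t => admin.auth().verifyIdToken(t, true)), handler)
function requireCompanyUser(verifyIdToken) {
  return async (req, res, next) => {
    const header = req.headers.authorization || '';
    const idToken = header.startsWith('Bearer ') ? header.slice(7) : '';
    const result = await authorize(idToken, verifyIdToken);
    if (!result.ok) return res.status(result.status).json({ error: result.reason });
    req.user = { uid: result.uid, email: result.email };
    next();
  };
}
```

If the data lives in Firestore instead of behind your own endpoint, the same policy can be expressed in security rules with `request.auth.token.email_verified && request.auth.token.email.matches('.*@neutron[.]ca$')`.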