2

Right now, I only want users who have already registered and been verified with our software to log in, and I have saved the list of emails of users (stripped of special characters) inside Firebase. Currently, when the user logs in, I use the following function to check if their email is in this list:

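function isEmailValid(userEmail, trueCallback, falseCallback) {
  // Allowlist key: the email with every non-alphanumeric character removed.
  var emailHash = userEmail.replace(/[^a-zA-Z0-9]/g, "");
  firebase
    .database()
    .ref("validEmails/" + emailHash)
    // once() reads the value a single time; on() would keep the listener
    // attached and re-run the callbacks on every later change.
    .once("value", snapshot => {
      if (snapshot.val()) {
        trueCallback(snapshot.val());
      } else {
        falseCallback();
      }
    });
}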

Although this method works, it is quite unwieldy, as the user is still able to log in initially before the function callback is called, and their email is still shown in the "Authentication" tab in Firebase.

Is there a better way to only allow pre-verified users to log into Firebase?

Doug Stevenson
Alex
  • If you're signing them in with email/password verification, you could simply write some code using Firebase Auth to create their accounts, give them initial passwords, then make sure they each have the initial password. Then they don't have to create a new account at all. – Doug Stevenson Aug 04 '19 at 00:51
  • @DougStevenson that's what I'm doing yeah, but we are also allowing users to sign in using Gmail and Outlook too. – Alex Aug 04 '19 at 05:54

1 Answer

1

I'm pretty sure this has been covered before: there currently is no way to prevent users from signing in with Firebase Authentication. But if you want to prevent them from accessing backend resources, you can check whether their email address is verified either in the server-side security rules (for Realtime Database, Storage, or Firestore), or in your own server-side code.

At I/O a demo was given of upcoming functionality in Cloud Functions that would allow you to prevent signing in users without a verified email address. But I don't know when this functionality will be available in a public API.

Also see:

Frank van Puffelen
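The server-side check the answer describes, combined with the question's `validEmails` allowlist, as an added example that is not part of the original question or answer. It assumes `validEmails/<key>` stores the full lowercased email address; `decideAccess`, `authorizeRequest`, `verifyIdToken` and `readAllowlist` are hypothetical names, with the last two injected as wrappers around the Admin SDK calls named in the comments.

```javascript
// Added example: server-side gate for the allowlist described in the question.
// Assumption: validEmails/<key> stores the full, lowercased email address.

// Same key derivation as the question's isEmailValid().
function allowlistKey(email) {
  return email.replace(/[^a-zA-Z0-9]/g, "");
}

// Pure decision over decoded ID token claims and the allowlist entry.
// `claims` has the shape returned by the Admin SDK's verifyIdToken():
// { uid, email, email_verified, ... }.
function decideAccess(claims, allowlistEntry) {
  if (!claims || typeof claims.email !== "string") {
    return { allowed: false, reason: "no-email-claim" };
  }
  if (claims.email_verified !== true) {
    return { allowed: false, reason: "email-not-verified" };
  }
  // Stripping punctuation maps distinct addresses to one key
  // (a.b@example.com and ab@example.com both become "abexamplecom"),
  // so compare the stored full address instead of trusting key existence.
  if (typeof allowlistEntry !== "string" ||
      allowlistEntry !== claims.email.toLowerCase()) {
    return { allowed: false, reason: "not-on-allowlist" };
  }
  return { allowed: true, reason: "ok" };
}

// Wiring for a request handler. In production the injected functions would
// wrap admin.auth().verifyIdToken(token) and
// admin.database().ref("validEmails/" + key).once("value") (returning .val()).
async function authorizeRequest(idToken, { verifyIdToken, readAllowlist }) {
  let claims;
  try {
    claims = await verifyIdToken(idToken);
  } catch (err) {
    return { allowed: false, reason: "invalid-token" };
  }
  if (!claims || typeof claims.email !== "string") {
    return decideAccess(claims, null);
  }
  const entry = await readAllowlist(allowlistKey(claims.email));
  return decideAccess(claims, entry);
}
```

Because the decision runs on the server against the verified token, it holds even though the account still appears in the "Authentication" tab after sign-in.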