# Firebase createAccount and other methods' security

signal nest

Hello everyone,

I noticed that some methods such as createUserWithEmailAndPassword are public. Anyone with access to the frontend can use this method and create accounts, for example.

Is there a way to prevent this? (other than creating the accounts via a backend service)

livid umbra

Even if the method is private, anyone could access it or just rewrite a copy. Also, anyone could just call the API directly.
You need to define roles, i.e. only admins can create new users.
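
One way to implement the role check described in the reply above, as an added example that is not part of the original thread: a server-side function that creates an account only when the caller's verified ID token carries an admin role. It assumes `auth` is a Firebase Admin SDK Auth instance (`verifyIdToken`, `createUser`); the custom claim name `admin`, the function names and the offline stub are assumptions made for illustration.

```javascript
// Added example: enforce "only admins can create new users" on the server.
// `auth` is assumed to be a Firebase Admin SDK Auth instance. The custom
// claim name `admin` is an assumption; the thread does not name one.

// Pure authorization decision on an already verified ID token payload.
function isAdmin(decodedToken) {
  // Custom claims appear as top-level fields of the decoded token.
  // Require the boolean true so a string like "true" is not accepted.
  return Boolean(decodedToken) && decodedToken.admin === true;
}

// Verify the caller's ID token, check the role, then create the account.
async function createUserAsAdmin(auth, callerIdToken, newUser) {
  let decoded;
  try {
    decoded = await auth.verifyIdToken(callerIdToken);
  } catch (err) {
    throw new Error("unauthenticated");
  }
  if (!isAdmin(decoded)) {
    throw new Error("permission-denied");
  }
  if (!newUser || typeof newUser.email !== "string" ||
      typeof newUser.password !== "string") {
    throw new Error("invalid-argument");
  }
  const record = await auth.createUser({
    email: newUser.email,
    password: newUser.password,
  });
  return { uid: record.uid, createdBy: decoded.uid };
}

// Constructed stub exposing the same two methods, so the example runs offline.
function makeStubAuth() {
  const tokens = {
    "token-admin": { uid: "u-admin", admin: true },
    "token-user": { uid: "u-user" },
  };
  const created = [];
  return {
    created,
    async verifyIdToken(t) {
      if (!tokens[t]) throw new Error("invalid token");
      return tokens[t];
    },
    async createUser(props) {
      created.push(props.email);
      return { uid: "new-" + created.length, email: props.email };
    },
  };
}
```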