Blocking authentication with Firebase Auth Functions

Firebase has introduced functions that allow us to write server logic before or after authenticating. Let's see how to use them.

·2 min read
Cover Image for Blocking authentication with Firebase Auth Functions

Firebase Auth Functions are blocking functions that allow us to write server-side logic when the user creates an account or when signs in. This has been one of the most requested features, which is why we're so excited about it.

The two blocking functions are:

  1. beforeCreate: use this function before signing the user up to your Auth Database

  2. beforeSignIn: use this function when the user is verified upon signing in (i.e. when the sign-in process is successful). This function is also called when the user is signing up.

Firebase Authentication Blocking Functions: Use-Cases

These functions can be used for various use-cases, such as:

  • only allow users signing up with an allowed email or domain
  • prevent users from accessing using certain IP addresses
  • modifying user's data upon signing in (for example, set certain custom claims)
  • ... and many others!

Requirements: Update to Firebase Authentication with Identity Platform

To use this new functionality you have to upgrade your Firebase project to Firebase Authentication with Identity Platform using the Firebase Console.

Preventing users from creating an account with Firebase Auth

One common scenario is to prevent the user from signing up based on certain criteria, such as: email domain, IP address, and so on.

To do so, we can use the beforeCreate Firebase Auth function so that we can check if the details provided meet the criteria for signing up to your Firebase application.

In the example below, we have a list of allowed domain names, and we check if the user's email is among the list:

import functions from 'firebase-functions';
 
const ALLOWED_DOMAINS: string[] = [
  '@yourapp.com'
];
 
export const beforeCreate = functions.auth.user()
  .beforeCreate((user) => {
    const canAccess = ALLOWED_DOMAINS.some(domain => {
      return user.email.includes(domain);
    });
 
    if (!canAccess) {
      throw new functions.auth.HttpsError(
        'invalid-argument',
        `Unauthorized email "${user.email}"`
      );
    }
  });

Preventing users from signing in with Firebase Auth

We can also prevent user from signing in after they've created a profile. For example, let's assume an IP is acting suspiciously and we have banned it from the application:

export const beforeSignIn = functions.auth.user()
  .beforeSignIn((user) => {
    const ip = context.ipAddress;
 
    if (isSuspiciousIpAddress(ip)) {
      throw new functions.auth.HttpsError(
        'permission-denied',
        'Unauthorized access!'
      );
    }
  });

Another common scenario can be blocking access to your application from mobile or unsupported devices:

export const beforeSignIn = functions.auth.user()
  .beforeSignIn((user) => {
    const userAgent = context.userAgent;
 
    if (isMobile(userAgent)) {
      throw new functions.auth.HttpsError(
        'permission-denied',
        'Unauthorized access!'
      );
    }
  });

Deploy Firebase Auth Blocking Functions

Finally, remember to deploy your functions:

firebase deploy --only functions

To know more about Firebase's blocking functions and the detailed API, visit the Firebase documentation.

👋 Hi! Would you like to learn how to build an AI SaaS with Next.js, Supabase and Stripe including a fully working SaaS template? Check out our new course!

Read more about Tutorials

Cover Image for Building an AI Writer SaaS with Next.js and Supabase

Building an AI Writer SaaS with Next.js and Supabase

·57 min read
Learn how to build an AI Writer SaaS with Next.js and Supabase - from writing SEO optimized blog posts to managing subscriptions and billing.
Cover Image for Announcing the Data Loader SDK for Supabase

Announcing the Data Loader SDK for Supabase

·8 min read
We're excited to announce the Data Loader SDK for Supabase. It's a declarative, type-safe set of utilities to load data into your Supabase database that you can use in your Next.js or Remix apps.
Cover Image for Adding AI capabilities to your Next.js SaaS with Supabase and HuggingFace

Adding AI capabilities to your Next.js SaaS with Supabase and HuggingFace

·20 min read
In this tutorial, we will learn how to use add AI capabilities to your SaaS using Supabase Vector, HuggingFace models and Next.js Server Components.
Cover Image for Building an AI-powered Blog with Next.js and WordPress

Building an AI-powered Blog with Next.js and WordPress

·17 min read
Learn how to build a blog with Next.js 13 and WordPress and how to leverage AI to generate content.
Cover Image for Using Supabase Vault to store secrets

Using Supabase Vault to store secrets

·6 min read
Supabase Vault is a Postgres extension that allows you to store secrets in your database. This is a great way to store API keys, tokens, and other sensitive information. In this tutorial, we'll use Supabase Vault to store our API keys
Cover Image for Introduction to Next.js Server Actions

Introduction to Next.js Server Actions

·9 min read
Next.js Server Actions are a new feature introduced in Next.js 13 that allows you to run server code without having to create an API endpoint. In this article, we'll learn how to use them.