benwinding / react-admin-firebase

A firebase data provider for the react-admin framework
https://benwinding.github.io/react-admin-firebase/
MIT License

FB oAuth allows anyone to register<>login (rather than a whitelist opt) #192

Open dylanh724 opened 3 years ago

dylanh724 commented 3 years ago

How to whitelist for FB oAuth?

benwinding commented 3 years ago

Hi @dylanh724,

In the README example for u/p, user/pass is whitelisted.

What are you referring to here? Can you share the link to what you mean?

Anyway, what you're saying is a good point, but not easily fixed; if anyone has any ideas, let me know. I've never personally seen a system which whitelists Facebook or Github or any OAuth signups for that matter. Plus any whitelist would be built into the client-side code and easily circumvented by an attacker.

Other Solutions

In my opinion, registration pages are a bad idea for a private admin-panel and better solutions are more secure, for example:

Let me know how you go, cheers.

dylanh724 commented 3 years ago

In my opinion, registration pages are a bad idea for a private admin-panel and better solutions are more secure, for example:

I agree: The default react-admin-firebase Facebook ("FB") oAuth self-registers users.

What are you referring to here? Can you share the link to what you mean?

On the firebase auth section (where you set up FB login or email<>pass), for user+pass (by default) there's no registration page. You simply ADD an admin as shown:

[image]

This is the opposite of what happens with username/pass login, where you need to first whitelist them by adding a user in the backend.

Just for brainstorming: what we have to work with for FB login (well, registration) actually stores an email and a userId.

I noticed you can disable or delete credentials in firebase. I'm new to firebase, but perhaps there's a way to auto-disable on create. Then you can see "pending" accounts that an admin can approve (or use a firebase API).

[image]

EDIT: I found out how to do this, but it requires premium plans (probably not the most graceful solution): https://firebase.google.com/docs/functions/auth-events#trigger_a_function_on_user_creation

EDIT 2: Is there a spot to withhold approving the client and make an async/await call to disable their account?
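The "auto-disable on create, then let an admin approve" idea from the edits above can be enforced server-side, which also answers the earlier concern that a client-side whitelist is trivially bypassed: a Cloud Function bound to the Firebase Auth user-creation trigger linked in the comment runs on Google's side, where the OAuth-registering user cannot interfere with it. The following is an added example, not code from react-admin-firebase or from the issue participants. The allowlist, the sample users and the in-memory stand-in for `admin.auth()` are constructed so the decision logic runs offline; the `functions.auth.user().onCreate` and `admin.auth().updateUser` / `setCustomUserClaims` calls named in the wiring comment are the real firebase-functions and firebase-admin APIs.

```javascript
// Added example (not part of react-admin-firebase): gate OAuth self-registration
// from the Firebase Auth "user created" trigger by disabling every account that
// an admin has not pre-approved, then re-enabling it on approval.

// Constructed allowlist of identities an admin approved in advance. Emails are
// compared case-insensitively because OAuth providers return them in mixed case.
const APPROVED_EMAILS = new Set(['admin@example.com', 'ops@example.com']);

function normalizeEmail(email) {
  return typeof email === 'string' ? email.trim().toLowerCase() : null;
}

// Decide what to do with a freshly created Auth user record (uid, email,
// emailVerified are fields firebase-admin's UserRecord carries).
function decideNewUser(user, approved = APPROVED_EMAILS) {
  const email = normalizeEmail(user.email);
  // An email the provider did not verify is not proof of identity, so it
  // cannot match the allowlist on its own.
  if (!email || !user.emailVerified) {
    return { disable: true, reason: 'no verified email on record' };
  }
  if (!approved.has(email)) {
    return { disable: true, reason: 'not on the approved list' };
  }
  return { disable: false, reason: 'pre-approved' };
}

// Trigger body. `auth` is injected (admin.auth() in production) so the flow
// can be exercised with a fake client. Returns the action taken, for auditing.
async function handleNewUser(user, auth, approved = APPROVED_EMAILS) {
  const decision = decideNewUser(user, approved);
  if (decision.disable) {
    // Disabled users cannot sign in and cannot mint ID tokens.
    await auth.updateUser(user.uid, { disabled: true });
    // Flag the account so admins can list "pending" approvals later.
    await auth.setCustomUserClaims(user.uid, { pendingApproval: true });
  }
  return { uid: user.uid, ...decision };
}

// Admin approval step: re-enable the account and clear the pending flag.
async function approveUser(uid, auth) {
  await auth.updateUser(uid, { disabled: false });
  await auth.setCustomUserClaims(uid, { pendingApproval: false });
  return { uid, approved: true };
}

// Minimal in-memory stand-in for firebase-admin's Auth client, constructed
// here so the example runs without a Firebase project.
function makeFakeAuth() {
  const users = new Map();
  return {
    users,
    async updateUser(uid, props) {
      users.set(uid, { ...(users.get(uid) || {}), ...props });
      return users.get(uid);
    },
    async setCustomUserClaims(uid, claims) {
      users.set(uid, { ...(users.get(uid) || {}), customClaims: claims });
    },
  };
}

// Constructed scenario: one pre-approved admin and one stranger who completed
// the Facebook OAuth flow. Returns the audit records and the stranger's state.
async function demo() {
  const auth = makeFakeAuth();
  const admin = await handleNewUser(
    { uid: 'u1', email: 'Admin@Example.com', emailVerified: true }, auth);
  const stranger = await handleNewUser(
    { uid: 'u2', email: 'stranger@example.org', emailVerified: true }, auth);
  const afterApproval = await approveUser('u2', auth);
  return { admin, stranger, strangerRecord: auth.users.get('u2'), afterApproval };
}

// Production wiring (Cloud Functions for Firebase, 1st-gen API), shown as a
// comment because the SDKs are not needed to run the logic above:
//   const functions = require('firebase-functions');
//   const admin = require('firebase-admin');
//   admin.initializeApp();
//   exports.gateNewUsers = functions.auth.user()
//     .onCreate((user) => handleNewUser(user, admin.auth()));

demo().then((out) => console.log(JSON.stringify(out, null, 2)));
```

One caveat for the "withhold approving the client" question: `onCreate` is a background trigger, so it fires after the account already exists and there is a short window before `updateUser` lands. Blocking the creation itself requires a `beforeCreate` blocking function, which is only available once the project is upgraded to Firebase Authentication with Identity Platform, so this approach fits the "disable first, approve later" model rather than a hard pre-registration gate.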