Open dylanh724 opened 3 years ago
Hi @dylanh724,
> In the README example for u/p, user/pass is whitelisted.
What are you referring to here? Can you share the link to what you mean?
Anyway, what you're saying is a good point, but not easily fixed; if anyone has any ideas, let me know. I've never personally seen a system which whitelists Facebook or GitHub or any OAuth signups for that matter. Plus any whitelist would be built into the client-side code and easily circumvented by an attacker.
In my opinion, registration pages are a bad idea for a private admin-panel and better solutions are more secure, for example:
Let me know how you go, cheers.
> In my opinion, registration pages are a bad idea for a private admin-panel and better solutions are more secure, for example:
I agree: The default react-admin-firebase
Facebook ("FB") oAuth self-registers users.
> What are you referring to here? Can you share the link to what you mean?
On the Firebase auth section (where you set up FB login or email<>pass), for user+pass (by default) there's no registration page. You simply ADD an admin as shown:
This is the opposite of what happens with username/pass login, where you need to first whitelist them by adding a user in the backend.
Just to brainstorm: what we have to work with for FB login (well, registration) actually stores an email and a userId.
I noticed you can disable or delete credentials in Firebase. I'm new to Firebase, but perhaps there's a way to auto-disable on create. Then you can see "pending" accounts that an admin can approve (or use a Firebase API).
EDIT: I found out how to do this, but it requires premium plans (probably not the most graceful solution): https://firebase.google.com/docs/functions/auth-events#trigger_a_function_on_user_creation
EDIT 2: Is there a spot to withhold approving the client and async/await make a call to disable their account?
How to whitelist for FB oAuth?
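The "auto-disable on create, then approve" idea from the thread, sketched as a server-side user-creation handler so the allowlist never ships in client code. This is an added example, not code from react-admin-firebase or from anyone in the thread; `ALLOWED_EMAILS`, `decideNewUser`, `enforceOnCreate`, `gateSignup` and the `approved` claim are hypothetical names, and `auth` is assumed to be `admin.auth()` from the Firebase Admin SDK.

```javascript
// Added example. ALLOWED_EMAILS and the helper names below are hypothetical.
const ALLOWED_EMAILS = ["owner@example.com"]; // constructed sample allowlist

// Compare addresses case-insensitively and ignore stray whitespace.
const normalize = (email) => String(email || "").trim().toLowerCase();

// Pure decision: may a freshly created account stay enabled?
function decideNewUser(user, allowlist = ALLOWED_EMAILS) {
  const email = normalize(user.email);
  // A Facebook sign-up can arrive without an email: never auto-approve it.
  if (!email) return { enable: false, reason: "no-email" };
  if (!allowlist.map(normalize).includes(email)) {
    return { enable: false, reason: "not-allowlisted" };
  }
  return { enable: true, reason: "allowlisted" };
}

// Apply the decision through the Admin SDK auth object passed in as `auth`.
async function enforceOnCreate(user, auth, allowlist = ALLOWED_EMAILS) {
  const decision = decideNewUser(user, allowlist);
  if (!decision.enable) {
    // Disabled accounts stay listed in the console as "pending" until an
    // admin re-enables them.
    await auth.updateUser(user.uid, { disabled: true });
    // Invalidate the refresh token issued at sign-up.
    await auth.revokeRefreshTokens(user.uid);
  }
  // Record the outcome as a custom claim that security rules can check.
  await auth.setCustomUserClaims(user.uid, { approved: decision.enable });
  return decision;
}

// Wiring in functions/index.js (needs firebase-functions and firebase-admin):
//   exports.gateSignup = functions.auth.user().onCreate(
//     (user) => enforceOnCreate(user, admin.auth()));
```

The creation trigger runs after the account already exists, so a new sign-up holds a valid session for a short time before it is disabled; database and storage rules should also require the `approved` claim rather than relying on the disable step alone.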