Menu
I want to use the authenticated user's email domain to restrict access to information in firestore.
The only way I could work out how to do it was like this:
match /organization-secrets/{org} {
allow read: if request.auth.email.split('@')[1] == org
}
Since email adresses can have multiple @, this could easily be spoofed with an email that is something like:
[email protected]@h4xxor.net
Is there another way to restrict access based on domain?
982
You could restrict the last domain (and make sure that the email is verified). Use String.matches and make sure to include the '$' at the end of the regular expression.
match /organization-secrets/{org} {
allow read: if (request.auth.token.email.matches('.*@yourdomainhere[.]com$') &&
request.auth.token.email_verified)
}
answered Oct 29 '25 03:10
One way to go about it could be creating a cloud function that triggers on user create. This cloud function could grant the user a custom claim token
then you could use this in your rules
https://firebase.google.com/docs/auth/admin/create-custom-tokens https://firebase.google.com/docs/auth/admin/custom-claims
22
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
