Firebase Authentication with whitelisted email addresses

Question

Assuming a teacher/student scenario what would be a good way to handle \'email invitations\'?

Using a CSV upload I would like to create users or a whitelist of emails th

Answer 1

What I'd recommend is to separate the auth from the access by using Custom Claims. Allow any one to create a user, but attach a Cloud Function to the user create event. If the user matches one on the white list, set a custom user claim (this just launched recently!)

Finally, in your rules, check for that use property before giving access to the data:

{
  "rules": {
    "adminContent": {
      ".read": "auth.token.admin === true",
      ".write": "auth.token.admin === true",
    }
  }
}

Answer 2

FirebaseAuth is only meant to verify that a person is who he/she say they are. It does not restrict usage.

See FirebaseAuth documentation

After a successful sign in, you can access the user's basic profile information, and you can control the user's access to data stored in other Firebase products. You can also use the provided authentication token to verify the identity of users in your own backend services

I.e. you can use Firebase Authentication to verify a user is who they say they are, but restricting them from your services is then up to you based on the information in their user profile information

You can however combine FirebaseAuth with other Firebase services like Database or Storage which are integrated with auth. But for your scenario you still need to create the logic to restrict authenticated users from accessing data they shouldn't be able to access using Rules in the database or in storage. You haven't specified much else in your question so I can't give a better answer for now