HTTPS Callable cloud function auth check email address domain

cloud function auth email domain check

Sometimes you want to add an extra layer of security in case the firebase client side auth is compromised.

context.auth would tell you if the user is authenticated. But if you have a setup where you want to restrict auth to a specific email domain, malicious attackers might be able to circumvent this on the client side.

For instance if you set up auth with Google sign in custom domain (using G Suite) there is the possibility that on the client the attacker could remove the custom domain restriction and sign in with any regular gmail. The following code can help you further mitigate that with server side validation in a cloud function and check the auth email against a specific domain.

// Get email address from auth and check is @example.com email
const email = context.auth.token.email;
if(!email.endsWith('@example.com')){
throw new functions.https.HttpsError(
"failed-precondition",
"The function must be called " + "while authenticated with @example.com email address."
);
}

Modified from stackoverflow Get user phone number in firebase cloud functions

For more background on endsWith it's exactly what you'd expect from its name

The endsWith() method determines whether a string ends with the characters of a specified string, returning true or false as appropriate.