Allow new auth user accounts from a specific email address domain. #1057
Comments
|
This is my first day playing around with supabase, but maybe you can do this using a RLS rule similar to the one described here? https://supabase.com/docs/guides/auth/row-level-security#verifying-email-domains |
|
@kiwicopple I received this reply from 'silentworks' on Discord about this question. "Similar question was asked in the #ideas-and-suggestions channel. You can do so using a trigger but there is currently a pending issue that stops this from working fully as EXCEPTIONS inside of triggers on signUp don't bubble all the way up to the API level, so your user would be stopped but you wouldn't get an error message explaining why." I then went to the channel mentioned and found this information. |
|
I raised the question on Discord and was directed to this thread in Ideas/Suggestions there...
|
|
Ah yes, that sounds accurate - you won't be able to bubble up the error so you will need to "guess" that it's failing at the trigger. We definitely want to improve this (in the Auth server, which will require some work to make it work better with Postgres) Is this a blocker for you @bwklein? Or is it a reasonable workaround for now? |
|
I'v used the same method to limit signups to a specific e-mail domain and i'm getting an error as expected:
create function check_user()
returns trigger
language plpgsql
as $$
begin
if right(new.email, 11) = '@domain.com' then
return new;
else
return null;
end if;
end;
$$;
-- Triggers
--
-- trigger the function every time before a user is created - if a email is legal create user, otherwise returns an error
create trigger on_before_user_created
before insert on auth.users
for each row execute procedure check_user();
// gmail is not a whitelisted domain
await supabase.auth.signUp({email: "blabla@gmail.com", password: "..."})
{
"code": 500,
"error_id": "e6044037-cb3d-4a82-a784-34b32d112146",
"msg": "Error creating identity"
}if that helps anyone |
|
I'll have to give it a try myself, but from this it looks like @rotemrevivo91 solution would do the trick. |
|
@rotemrevivo91 does the user receive an email like silentworks mentioned in the reply or does that failure in your trigger stop the process before the email is sent? |
I'v disabled the need for users to verify their registration via e-mails, so no e-mail is being sent. I'v faced a few issues with the SMTP service of supabase. But, i'v set up a nodemailer service to do the same, at least temporarily. |
|
This should be in the docs #1057 versus https://supabase.com/docs/guides/auth/row-level-security#verifying-email-domains |
|
RLS would seem like a heavy solution for something like this if you can do it on the client side.:(( |
|
I'd like to add that the raising of an exception issue I mentioned in chat with the OP from almost a year ago was fixed. @gregpalaci we would have to create a triggers/trigger functions section in the docs for this. The section you mentioned in the docs only covers RLS examples. |
|
I'll transfer this issue to github.com/supabase/gotrue as we've been discussing implementing some form of allowlist / denylist behavior. Still no timeline on it, but best this is tracked there. |
Hey no worries, it came up in my search, I'm glad the original issue was resolved around exceptions 🎉 . I reckon the best course of action is the close the issue as solved. Sorry if I miss commented I just wanted to eloborate on my findings to help new comers doing the same search as me and landing in the same result with some acltionable intel. Thanks @hf for creating an issue in the correct place, sorry again for polluting your notifications y'all |
@silentworks, are you referring to the email issue or exceptions not being bubbled from signUp function call? I'm on the latest Supabase cli, and exceptions get only bubbled when the account exists, but not upon signup. |
How would I alter this for a list of emails? I'm making an app where I only want certain domains to have access to different types of accounts (only engineering firms can make one account (store an array of whitelisted emails somewhere?) and manufacturers can make other types of accounts (any email can pass through)) |
|
Here's my solution: Step 1 make a table for your domains you want to verify against (Run these in sql editor)
Add the domain names you want to be valid as rows in the allowed_domains table. DO NOT INCLUDE THE '@' symbol. example: domain_nameexample.com Then add a trigger on auth.users insert Then give your supabase admin permission to select from your domain table
|
|
For all the people who have created a table with whitelists/blacklists, it only works if you disable the RLS (Row-Level Security) or enable at least the select for anonymous users. |
The anon role doesn't require any access to the table and would be a poor practice, as it could give free access to your customer list to anyone. Either the |
I wanted to do same logic but with a small difference which is (checking email if it's existed in allowed_emails) desipte that email is found in the table it gives the following error: also I tried to disable RLS on the allowed_emails table, and tried to grant supabase_auth_admin select permission but it didn't work, any help? |
|
Try this: CREATE OR REPLACE FUNCTION check_user() RETURNS TRIGGER AS $$ and check in which schema the allowed_emails table is. Its import to prefix it with public. (if its is in public) |
Feature request
Is your feature request related to a problem? Please describe.
I am building an application where the authenticated users are all from a specific domain. I want a way to only allow accounts to be created for email addresses from a specific domain.
Describe the solution you'd like
A way to specify a list of allowed domains for new account creation, or an example for how to use the existing system to check for the email address domain and allow/reject with an error, based on that check.
Describe alternatives you've considered
Handling the email validation on the registration form, but this can be bypassed on the client side.
The text was updated successfully, but these errors were encountered: