mongodb/docs-realm

Allowing only login, not creating account

Closed this issue · 8 comments

I don't see in documentation how to disable creating accounts in MongoDB Atlas through Realm and using it only for login to existing accounts.

It is important for security reasons that developers can restrict creation of accounts to the server side only, not enable it in Realm JavaScript.

Hi @step135 - which authentication method are you trying to use to log in from the SDKs? The only authentication method where you can control whether the SDK creates new accounts is email/password authentication. For more information, see: Create and Delete Users in our SDK documentation, or Create an App User in our Atlas App Services documentation.

For other authentication methods, we rely on the authentication provider to validate whether or not a user should be able to log in. You can see more details about the authentication providers on the Authentication Providers page in the App Services documentation.

Yes, it is email/password and it is not possible to do what I wrote as you state in documentation "which requires registering and confirming a user before the user can authenticate". So according to the documentation there is no control whether the JavaScript Realm creates new accounts.

So with Email/Password users, there are actually two different methods involved:

You could potentially implement a client that just doesn't contain the registerUser() method so the client is incapable of creating new user accounts. You or a trusted member of your team could manually create the user accounts, so there is no automatic creation - the Create an App User page in the App Services documentation has details about how to manually create email/password users.

Does this solve your use case?

You are not answering at all. How to disable 'registerUser' in Realm?

If you don't use the registerUser() method in your client application, then users can't register new accounts. You can omit the method call entirely from your client code. If that doesn't solve your use case, can you share a little more about what you're trying to do?

@dacharyc It is a completely irrelevant comment and totally unhelpful to read. Your recommendation will not disable registerUser in any way. It is again completely not tackling the issue I reported.

Is your use case that other developers will be writing code using the SDK and you want to prevent other developers from implementing registerUser() in app code?

Hey there - since I haven't gotten more information about your use case, I can't make recommendations about the best way to proceed. So I'll just summarize a few points, and then close this issue. Feel free to re-open if you need additional help.

  • You're correct - you cannot "disable" creating new accounts from the server side. The product does not have a mechanism to do this. If this is an important feature to you, we encourage you to make a feature request. You can find more details about how to do that in our documentation's Get Help page.

There are two reasons most apps don't need this feature:

  • Creating new accounts requires you to implement the registerUser() method in a client application. If you omit this method from your client code, there is no way in the app client for a user to create a new account. For more details, refer to the Register a New User section of the Manage Email/Password Users documentation page.
  • Even after a new account is created, the user account must be confirmed before they can log in and use the app. We provide two programmatic account confirmation methods - via email, or via a confirmation function. You can also manually confirm users. If you want to require a manual approval process - i.e. new users can't log in and use the app unless someone with access to the server approves them - that is totally possible with the current functionality. For more details about user confirmation, refer to Complete a User Confirmation in the SDK documentation, or the User Confirmation section in the App Services documentation.

If you have an additional use case that this functionality doesn't support, I encourage you to provide details about your use case in a feature request.

If there's anything else we can do to help from a documentation perspective - if any of the resources I've linked are unclear, for example - please don't hesitate to re-open this issue.
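The server-side control the thread lands on is the email/password confirmation function, not the absence of `registerUser()` in a client (a client you do not ship can still be written by anyone holding the app ID). The following is an added example, not code from this thread or from the Realm/App Services documentation: a confirmation function written so that every self-registered account stays unconfirmed until someone with server access approves it. The function name `confirmUser`, the `PRE_APPROVED` allowlist and the e-mail syntax check are constructed for this example; in a deployed App Services function the same body would be assigned to `exports`.

```javascript
// Added example (not from the thread or the Realm docs): an Atlas App Services
// email/password confirmation function that forces a manual-approval flow.
// In App Services the function body is assigned to `exports`; it is given a
// plain name here so it can be exercised offline.
//
// Statuses the confirmation function can return:
//   'success' -> the user is confirmed and can log in
//   'pending' -> the user stays "Pending Confirmation" until confirmed manually
//   'fail'    -> the registration is rejected
//
// The allowlist and the e-mail syntax check below are constructed policy
// choices for this example, not App Services features.
const PRE_APPROVED = new Set(["alice@example.com"]); // constructed sample data

// Deliberately loose: App Services has already accepted the username as the
// e-mail/password identity; this only rejects obviously malformed input.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function confirmUser({ token, tokenId, username }) {
  // token and tokenId are only needed when the function sends its own
  // confirmation link to the user; the manual-approval flow does not use them.
  if (typeof username !== "string" || !EMAIL_RE.test(username)) {
    return { status: "fail" };
  }

  if (PRE_APPROVED.has(username.toLowerCase())) {
    // Pre-approved identities are confirmed immediately.
    return { status: "success" };
  }

  // Default outcome: the account record exists, but the user cannot log in
  // until someone with access to the server confirms them manually.
  return { status: "pending" };
}
```

With this policy in place, a `registerUser()` call from any client, including one you did not write, creates at most a pending account that cannot authenticate; the approval decision lives on the server, which is what the original question was asking for.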