
Preventing user account creation through email sign-in in Firestore

Updated: 2023-12-04 10:52:16

Passwordless email sign in allows the user to prove they have access to a certain mail box. It inherently does nothing more than that. Once the user clicks the link, they are authenticated. Beyond enabling/disabling the entire sign-in provider, you cannot control who can sign-in/authenticate.

After that it is up to your application to determine what this user is allowed to do. This is a separate step, typically called authorization.

Firebase Authentication takes (as its name implies) care of authentication only. You will have to handle authorization elsewhere, depending on what services you provide the users access to.

What makes an email "registered" in your app? I.e. where does the admin create those users? For example, if you store the users in Cloud Firestore in a collection allowed_users, with documents like this:

allowed_users: // collection
  "arkade@domain,com": { ... } // document
  "puf@domain,com": { ... } // document

Now you can limit that only allowed users can access other data with Firestore's server-side security rules. Say you have a collection of posts, you can allow only these users to read posts with:

service cloud.firestore {
  match /databases/{database}/documents {
    match /posts/{post} {
      // Make sure an 'allowed_users' document exists for the requesting user before
      // allowing any reads from the 'posts' collection
      allow read: if exists(/databases/$(database)/documents/allowed_users/$(request.auth.email));
    }
  }
}

The syntax is a bit long, but you can see that it only allows the reading of a post if the current user's email address (request.auth.email) exists as a document in allowed_users.

In rules version 2 of the Firestore rules, you access the current user's email address a little differently. You can do it via request.auth.token.email. The example below also shows how you can get a boolean property in the current user's document, if you identify that user by email:

allow write: if get(/databases/$(database)/documents/users/$(request.auth.token.email)).data.admin == true;
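A complete rules file in the version 2 syntax the answer mentions, added here as an example and not part of the original answer. It combines the allowed_users check and the admin flag, guards against unauthenticated requests (request.auth is null for those), and locks the allowed_users collection itself so a signed-in user cannot add their own email to the allowlist. The collection names allowed_users and users and the admin field come from the answer; the helper function names are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // request.auth is null for unauthenticated requests; check it before
    // touching request.auth.token so the rule denies cleanly instead of erroring
    function isSignedIn() {
      return request.auth != null
        && request.auth.token.email != null
        && request.auth.token.email_verified == true;
    }

    // Allowlist check: a document keyed by the user's email must exist
    function isAllowed() {
      return isSignedIn()
        && exists(/databases/$(database)/documents/allowed_users/$(request.auth.token.email));
    }

    // Admin check: the user's own document carries admin == true
    function isAdmin() {
      return isSignedIn()
        && get(/databases/$(database)/documents/users/$(request.auth.token.email)).data.admin == true;
    }

    // The allowlist is the authorization source of truth: clients may only read
    // their own entry and never write, so nobody can self-register.
    // Admins add entries through the console or a privileged server SDK.
    match /allowed_users/{email} {
      allow read: if isSignedIn() && email == request.auth.token.email;
      allow write: if false;
    }

    // Only allowlisted users read posts; only admins write them
    match /posts/{post} {
      allow read: if isAllowed();
      allow write: if isAdmin();
    }
  }
}
```

Each exists()/get() call counts toward the per-request document access limit, so keep the helper chain short on hot paths.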