Whenever I use the email/password authentication provider in Firebase, the provider sends a bearer token upon successful sign-up even though the emailVerified is false. Is there a way, out of the box, to configure the email/password auth provider to not send a bearer token (and return a 403 error) until the user has verified their email address?
Note that I'm aware of how to create a user, sign in a user, send a verification email, etc. using firebase v9.x via the methods createUserWithEmailAndPassword, signInWithEmailAndPassword, signOut, sendEmailVerification from firebase/auth. I'm just asking if there is a way to set the behavior of the provider without having to write my own handler function for this. I'd like this to behave like Cognito does whenever the email verification is required.
CodePudding user response:
There is no way to require the user's email address to be verified before they can sign in to Firebase Authentication. This is something you'll want to implement in your application code:
- User enters their credentials
- You sign them in to Firebase with those credentials
- You check whether their email address is verified
- If not, you stop them from further using the app - and (optionally) send them a verification email.
Same with data access: if you have custom backend code, you can check whether the email address is verified in the ID token there too, as well as in Firebase's server-side security rules.
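The four steps above as an added example (not code from the answer or from Firebase): a sign-in wrapper that lets Firebase issue its session, checks emailVerified, and for an unverified user sends the verification mail and signs out again, surfacing a 403-style error. The Firebase functions are passed in as authApi (in an app, simply the exports of firebase/auth) so the gate can be exercised offline with the constructed fake at the bottom.

```javascript
// Added example, not code from the answer above. `authApi` is any object
// exposing signInWithEmailAndPassword / sendEmailVerification / signOut;
// in a real app: `import * as authApi from "firebase/auth"`. It is injected
// so the policy can be tested offline with the fake below.

class EmailNotVerifiedError extends Error {
  constructor(email) {
    super(`Email address ${email} is not verified`);
    this.name = "EmailNotVerifiedError";
    this.status = 403; // the status the question wanted for unverified users
  }
}

// Pure policy check: a session is acceptable only when Firebase reports
// emailVerified === true. Kept separate so it is trivially testable.
function isSessionAllowed(user) {
  return Boolean(user && user.emailVerified === true);
}

// Sign in, then enforce the policy. Firebase issues the session regardless,
// so an unverified user gets a verification mail (which needs the current
// user, hence before signOut) and is then signed out again.
async function signInRequiringVerifiedEmail(auth, email, password, authApi) {
  const { user } = await authApi.signInWithEmailAndPassword(auth, email, password);
  if (isSessionAllowed(user)) return user;
  try {
    await authApi.sendEmailVerification(user);
  } finally {
    await authApi.signOut(auth); // never leave an unverified session behind
  }
  throw new EmailNotVerifiedError(email);
}

// Constructed stand-in for firebase/auth so the example runs without network;
// it records which calls were made so the enforced sequence can be checked.
function makeFakeAuthApi(emailVerified) {
  const calls = [];
  return {
    calls,
    async signInWithEmailAndPassword(auth, email) {
      calls.push("signIn");
      return { user: { uid: "fake-uid", email, emailVerified } };
    },
    async sendEmailVerification() { calls.push("sendVerification"); },
    async signOut() { calls.push("signOut"); },
  };
}
```

The Firestore rule from the other answer (request.auth.token.email_verified == true) remains the server-side backstop; this wrapper only closes the client-side gap.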
CodePudding user response:
The createUserWithEmailAndPassword() will sign in the user right after the account is created. Also there isn't any way to prevent users from logging in even if their email is not verified, but you can actually check if the email is verified in security rules or using the Admin SDK to prevent users with unverified email from accessing your resources. You can use this rule in Firestore:
allow read, write: if request.auth.token.email_verified == true;
One workaround would be creating users using a Cloud function and Admin SDK which won't sign in users but do note that users can sign in.
If you want to prevent login unless the email is verified strictly, then you can disable the account right after it is created. Now you may not be able to use sendEmailVerification(), which requires the user to be signed in in the first place, but you can always create your own solution for verifying email. The process might look something like:
- Create a user and disable the account in a Cloud function
- Generate some token or identifier for verifying email and send an email to user from same cloud function
- Once the user visits that link and verifies the email you can enable it
Additionally, users can still create accounts by using REST API but you can disable sign ups so users can be created via Cloud function only which disables the user immediately.