15

Ok so im making a blog which requires users to login through firebase. To post comments, their email has to be verified

I know how to verify the email, and i did so with my test account. When i typed into the console

firebase.auth().currentUser.emailVerified

it returned true, so yes my email was verified.

But the comment .validate rule requires the user to be validated, like so:

auth.token.email_verified === true

However it wasn't working, so i removed it and it began to work again

After a bit of reading, I realized that i had to

const credentials = firebase.auth.EmailAuthProvider.credential(
  user.email, password);

user.reauthenticateWithCredential(credentials)
  .then(() => { /* ... */ });

And that makes it work perfectly. The explanation was it apparantly takes the firebase server some time to update its backend validation, but reauthenticating forces the update immediately.

However, I am stumped on how to ask the user to reauthenticate themselves, as i have the following problem

How do I know when the users is validated (firebase.auth().currentUser.emailValidated), and at the same time the firebase backend is not updated (auth.token.email_verified === true is false) so that i can update my UI and prompt the user to reauthenticate

Basically how can i know when auth.token.email_verified === true is not updated yet on the client side

edit also is there a client side solution without reauthentication that updates the backend validation?

edit I tried user.reload().then(() => window.location.replace('/')) but it didnt work

notrota
  • 1,048
  • 10
  • 21

1 Answers1

22

This is what is likely happening:

firebase.auth().currentUser.emailVerified is updated when firebase.auth().currentUser.reload() is called after verification. However auth.token.email_verified gets its value from the ID token which will not get updated until it gets expired or you force refresh. So you may have to call firebase.auth().currentUser.getIdToken(true) to force refresh to update the token claim which is sent to the Firebase Database backend.

bojeil
  • 29,642
  • 4
  • 69
  • 76
  • 6
    Yikes...more messy code, brought to you by Firebase. – Ross Barbish Nov 08 '18 at 17:16
  • Why can't Firebase do the update automatically when the user click the Verification link? This has caused me a few days just to figure out what went wrong with both my code and security rules. After so many trials and error then only I realised that it is the F*@+-~ email not verified, even though it was verified long before that!!! – sam byte Dec 24 '20 at 07:54
  • 1
    I'm using these lines of code for some time in my app, only recently this stopped being reliable. Most of the times I'l get a permission error. Even if I wait 10s between the force refresh and a firestore update, I get 90% of the time a permission error on the auth.token.email_verified rule (as it isnot updated yet) . Anyone else having this problem? – Ben Feb 12 '21 at 10:53