8

I've got a question about how Firebase email verification works.

Case:

  1. My user signs in to my site (using device A).
  2. They create another account using another browser or device (device B), but they open the email verification link with the browser and device on which they are already signed in (device A).

What happens to the already signed-in user (on device A)? Does Firebase sign them out, or does it just verify the new email while they stay signed in as the current user?

Neeraj Sewani

1 Answer

11

The email verification occurs out of band and would not affect any existing Firebase state until it is reloaded. If a user verifies their email, you have to call `firebase.auth().currentUser.reload()` to update the `emailVerified` property. If you are using Firebase rules with the `emailVerified` field, you need to force a token refresh (`firebase.auth().currentUser.getToken(true)`) after verification. You can use the Firebase Realtime Database to set some flag on email verification and detect it in the existing session to force a user to reload. This would require you to build your own custom email verification handler: https://firebase.google.com/docs/auth/custom-email-handler

Kick Buttowski
bojeil
  • I think you didn't get my question. I've updated my question to make it clear. Sorry and thank you. – Christoforus Surjoputro Dec 27 '16 at 11:44
  • I answered it. Email verification has no effect on existing sessions. Existing signed-in users will remain signed in even if they are different users and regardless of the device they are on. – bojeil Dec 28 '16 at 19:13
  • Oh I got it, @bojeil. Sorry and thanks for the answer. How about the same case, but instead of verifying an email, it processes a password reset? Does a password reset also have no effect on existing sessions? – Christoforus Surjoputro Dec 28 '16 at 20:27
  • Password reset will expire the token of any existing session for the same account. Reauthentication will be required. – bojeil Dec 29 '16 at 22:02
  • So if it is processed through a different account, the user is still authenticated? – Christoforus Surjoputro Dec 30 '16 at 05:39
  • 1
    Yeah if you reset the password on a different account, the other user would remain authenticated. – bojeil Dec 31 '16 at 18:50
  • currentUser.reload() does not update the emailVerified property. See https://stackoverflow.com/a/37902082/679553 – Gazihan Alankus Aug 07 '17 at 11:19
  • It should update it. Did you test it yourself? After you sign in, the same endpoint as `reload()` is called to populate the user content. – bojeil Aug 07 '17 at 18:19
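
The refresh sequence described in the answer, as an added example that is not part of the original post or Firebase's own code. `syncEmailVerified`, `readClaims` and the stub user are hypothetical names, the tokens are constructed sample data, `getIdToken(true)` is the current SDK name for the `getToken(true)` call in the answer, and the block runs in Node (it uses `Buffer`).

```javascript
// Read (not verify) the claims of an ID token. Servers and security rules
// verify the signature; the client only inspects what it was issued.
function readClaims(idToken) {
  const seg = idToken.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(seg, 'base64').toString('utf8'));
}

// Bring a long-lived session up to date after an out-of-band verification.
// reload() updates user.emailVerified; only a forced token refresh updates
// the email_verified claim that security rules evaluate.
async function syncEmailVerified(user) {
  const before = readClaims(await user.getIdToken(false)).email_verified;
  await user.reload();
  if (!user.emailVerified) {
    // Nothing changed for this account: keep the cached token.
    return { verified: false, claimBefore: before, claimAfter: before };
  }
  const fresh = await user.getIdToken(true); // page-era SDK: getToken(true)
  return { verified: true, claimBefore: before,
           claimAfter: readClaims(fresh).email_verified };
}

// Constructed stub (assumption) standing in for firebase.auth().currentUser:
// a session opened before verification, holding a cached unverified token.
function makeStubUser(serverVerified) {
  const mint = (v) => ['e30', Buffer.from(JSON.stringify(
    { sub: 'uid-constructed', email_verified: v })).toString('base64'),
    'sig'].join('.');
  let cached = mint(false);
  return {
    emailVerified: false,
    async reload() { this.emailVerified = serverVerified; },
    async getIdToken(force) {
      if (force) cached = mint(serverVerified);
      return cached;
    },
  };
}

async function demo() {
  return {
    // This session's own account was verified elsewhere.
    sameAccount: await syncEmailVerified(makeStubUser(true)),
    // A different account was verified; this session's account was not.
    otherAccount: await syncEmailVerified(makeStubUser(false)),
  };
}
```
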