
Firebase email/password account creation and email verification seems broken. It appears you are automatically logged in after creating a new account (on Android at least), and it seems you have to log in in order to call user.SendEmailVerification(). After the user clicks the link in the email, a web page says

You can now log in to your account

That's neat - but the user is already logged in. Is it possible to create a new email/password account without automatically logging in and to request email verification without first logging into the unverified account?

Currently it's possible to use a Cloud Function to create the account, solving the first problem, but it does not seem possible to request email verification that way.

1 Answer


A user's email address does not have to be verified for that user to sign in. In fact, all they need to know is the credentials: so email address + password for email/password authentication, whatever credentials the social provider (Facebook, Twitter, GitHub, Google) requires, or even just the phone number on which to receive a verification text message.

If you want to limit what a user without a verified email address can do, you should check in the token of that user whether they have a verified email address. For example, to limit access to the database to users with a verified email address:

".read": "auth.token.email_verified === true"

For Cloud Storage the syntax is slightly different, but the logic is the same. If you have other back-end services that you want to integrate with Firebase Authentication, you can decode the token and check if email_verified is true.

If there is a bug, it is in the message of the email that seems to hint that you can now log in - as if you couldn't log in before. The correct message should say that the user may have to reauthenticate in order for the app to know that they've verified their email address (the token in the app doesn't immediately pick that fact up, since it's a so-called out-of-bounds verification).

Frank van Puffelen
  • Hmm, seems like that is inviting identity fraud. But, it seems other mainstream apps (twitter, snapchat, and others) are doing the same so I guess so be it. Apparently, the answer to people using your identity by making an account using your email, is to request a forgotten password and retake control. Wow. The fact that the incorrect email is hardcoded by Firebase is also a serious problem that can't be corrected. – Christopher Oliver Aug 21 '17 at 15:17