Is there a way to check if the request user email is verified in the Firestore security rules?
something like:
function isEmailVerified() {
return request.auth.emailVerified == true;
}
Asked
Active
Viewed 3,989 times
10
MTK90
- 123
- 1
- 9
-
That should be `request.auth.token.email_verified` as far as I can tell. – Frank van Puffelen May 08 '18 at 00:38
-
is there a reference of the token data? or a way to inspect the token? – MTK90 May 08 '18 at 08:58
-
1To inspect you can decode the JWT in your app or through jwt.io. The documentation is definitely sparse, but I dug it up from https://firebase.google.com/docs/reference/rules/rules.firestore.Request#auth and https://firebase.google.com/docs/reference/security/database/#authtoken – Frank van Puffelen May 08 '18 at 13:47
-
sharp eye, i looked for something like this for over an hour. Thanks a lot. – MTK90 May 08 '18 at 15:59
1 Answers
21
The correct syntax is:
request.auth.token.email_verified
If you want to know all claims available in your token, you can decode the JWT in your app or through jwt.io.
Some relevant documentation:
- https://firebase.google.com/docs/reference/rules/rules.firestore.Request#auth
- https://firebase.google.com/docs/reference/security/database/#authtoken (for a list of the claims in there by default)
Frank van Puffelen
- 565,676
- 79
- 828
- 807