I made the following login function:

    @objc func handleSignIn() {
        guard let email = emailField.text else { return }
        guard let pass = passwordField.text else { return }
        Auth.auth().signIn(withEmail: email, password: pass) { user, error in
            if let error = error {
                // Sign-in failed (wrong password, unknown account, network, ...)
                self.lblStatus.text = "Error logging in: \(error.localizedDescription)"
                self.resetForm()
            } else if user?.user.isEmailVerified == true {
                // Signed in and the address is verified: close the login screen
                self.dismiss(animated: false, completion: nil)
            } else {
                // Signed in but not verified: only the label changes, the session stays active
                self.lblStatus.text = "Please Verify Your Email"
            }
        }
    }

Yet the user can still log in without verifying their email despite my attempts to prevent this with the && (user!.user.isEmailVerified) stipulation. What am I missing here?

EverythingEnds

1 Answer

The completion of a sign in just means that the user identified themselves, and you know which account represents their chosen identity. A sign-in does not imply authorization to do anything with that account, other than to update its profile information.

You'll notice there's a bit of a chicken and egg problem here. A sign-in has to complete successfully in order to get a User object, and that user object has the property which indicates if their email has been verified. So you have to allow a sign-in if you want to read that property.

You could, in theory, sign the user out immediately if they haven't verified, but all that does is prevent them from requesting another email verification, in case they deleted the first one, or it wasn't able to be delivered. So now you just have an upset user who can't take any action to resolve the issue.

If you want to prevent the user from doing anything in other Firebase products until they're verified, you should use security rules to prevent whatever read and write access shouldn't be allowed. You can check the email verification flag in your rules. Look into using auth.token.emailVerified. Example for Realtime Database here.

Doug Stevenson
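An added example (not part of the answer above) of Realtime Database security rules that gate data access on the verified-email flag, so an unverified account can sign in but cannot read or write application data. The `users/$uid` and `posts` paths are assumed for illustration; in the rules language the ID-token claim is spelled `auth.token.email_verified`.

```json
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid && auth.token.email_verified == true",
        ".write": "auth != null && auth.uid == $uid && auth.token.email_verified == true"
      }
    },
    "posts": {
      ".read": "auth != null && auth.token.email_verified == true",
      "$postId": {
        ".write": "auth != null && auth.token.email_verified == true && newData.child('author').val() == auth.uid"
      }
    }
  }
}
```

The flag is evaluated from the client's ID token, so a user who verifies their address after signing in is still seen as unverified until the token is refreshed (reload the user and force an ID-token refresh, or sign in again).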