I want to keep an account disabled until it passes email verification.

The problem is that when a user registers via `createUserWithEmailAndPassword`, the newly created account is ready to be used. The only way I can avoid authentication is to check the email verification flag via JS in the client app and deny login, but I don't want to rely on client controls; I'd prefer that Firebase itself deny authentication until the email is verified.

Is there a way to accomplish this?

Nemus

1 Answer

You can (and should) also check if the email is verified in the back-end, either:

  • in security rules, if you're using Firestore, Realtime Database, or Storage
  • in your own backend code, using a Firebase Admin SDK

When you do this, the client-side check is nothing more than a way to show the correct UI for the current state ("hey there, your email isn't verified yet. Check your inbox, or click here to resend the email"). It's the server-side check that controls access to the data, which is precisely how you want it to be.

This has been covered quite regularly before, so also see:

Frank van Puffelen
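
The backend option from the answer above, sketched as an added example (not code from the original answer or from Firebase): an Express-style middleware that rejects requests whose verified ID token lacks `email_verified: true`. The names `accessDecision`, `requireVerifiedEmail`, `stubVerifyIdToken` and `simulate` are hypothetical, and the sample tokens are constructed.

```javascript
// Added example. The verifier is injected so this runs offline; in a real backend
// pass (t) => admin.auth().verifyIdToken(t) from firebase-admin instead of the stub.
// Decide on claims that have ALREADY been cryptographically verified.
function accessDecision(claims) {
  if (!claims || typeof claims.uid !== 'string') return 401; // no valid identity
  if (claims.email_verified !== true) return 403;            // signed in, unverified
  return 200;
}

// Express-style middleware factory (hypothetical name).
function requireVerifiedEmail(verifyIdToken) {
  return async function (req, res, next) {
    const match = /^Bearer (\S+)$/.exec((req.headers || {}).authorization || '');
    let claims = null;
    if (match) {
      try {
        claims = await verifyIdToken(match[1]);
      } catch (err) {
        claims = null; // bad signature, expired, wrong project: unauthenticated
      }
    }
    const status = accessDecision(claims);
    if (status !== 200) {
      const error = status === 403 ? 'email-not-verified' : 'unauthenticated';
      return res.status(status).json({ error });
    }
    req.user = claims; // downstream handlers can trust these claims
    return next();
  };
}

// Constructed sample tokens and stub verifier (stand-ins, not real ID tokens).
const SAMPLE_TOKENS = new Map([
  ['tok-verified', { uid: 'u1', email_verified: true }],
  ['tok-unverified', { uid: 'u2', email_verified: false }],
]);
async function stubVerifyIdToken(token) {
  if (!SAMPLE_TOKENS.has(token)) throw new Error('invalid token');
  return SAMPLE_TOKENS.get(token);
}

// Run the middleware against a fake request; resolves to the HTTP status.
async function simulate(authorization) {
  let status = null;
  const res = { status(c) { status = c; return this; }, json() { return this; } };
  const req = { headers: authorization ? { authorization } : {} };
  await requireVerifiedEmail(stubVerifyIdToken)(req, res, () => { status = 200; });
  return status;
}
```

The `email_verified` claim is fixed when the ID token is issued, so the client has to refresh its token after the user completes verification before this check will pass.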