
My plan is to ONLY sign in a user if the email has been verified. I am using an if-statement to check if the email is verified using the built-in "emailVerified" function, but it is crashing.

function login(email, password) {
  if (email.emailVerified) {
    console.log("trying to log user");
    return auth.signInWithEmailAndPassword(email, password);
  } else {
    console.log("failed to log user");
    alert("Please verify your email");
    return false;
  }
}
Frank van Puffelen
CodingBoy

1 Answer


There is no way to determine whether a profile's emailVerified property is set in the client-side SDK without signing in. So with only the client-side SDK, you won't be able to do what your pseudo-code does.

What you can do is create a custom API in a trusted environment (for example on Cloud Functions) where you use the Admin SDK to get a user profile by its email address and then check if its emailVerified property is set to true. You can then call this custom API from within your application code. But this still won't prevent a malicious user from calling the signInWithEmailAndPassword method themselves.

Alternatively, and much simpler, is to sign in first, then check if the email is verified, and only allow the user to continue using the app (and accessing data) if the email is verified.

Note that this topic comes up quite regularly, so I recommend also reading:

Frank van Puffelen
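
The sign-in-first approach described in the answer above, as an added example that is not part of the original answer. It assumes the namespaced (v8-style) `auth` object used in the question; `loginVerifiedOnly`, `makeStubAuth`, `sampleAccounts` and `demo` are hypothetical names, and the stub and accounts are constructed so the code runs offline.

```javascript
// Added example: sign in first, then gate on user.emailVerified.
// `auth` is any object exposing the Firebase Auth calls used on this page.
async function loginVerifiedOnly(auth, email, password) {
  // emailVerified lives on the signed-in user, not on the email string.
  const credential = await auth.signInWithEmailAndPassword(email, password);
  const user = credential.user;
  if (user.emailVerified) {
    return { ok: true, user };
  }
  // Unverified: drop the session so the app never continues with this user.
  await auth.signOut();
  return { ok: false, reason: "email-not-verified" };
}

// Constructed stand-in for firebase.auth() (assumption: only these two calls).
function makeStubAuth(accounts) {
  const stub = {
    currentUser: null,
    async signInWithEmailAndPassword(email, password) {
      const account = accounts[email];
      if (!account || account.password !== password) {
        const err = new Error("wrong credentials");
        err.code = "auth/wrong-password";
        throw err;
      }
      stub.currentUser = { email, emailVerified: account.emailVerified };
      return { user: stub.currentUser };
    },
    async signOut() {
      stub.currentUser = null;
    },
  };
  return stub;
}

// Constructed sample accounts.
const sampleAccounts = {
  "verified@example.com": { password: "pw-1", emailVerified: true },
  "pending@example.com": { password: "pw-2", emailVerified: false },
};

async function demo() {
  const auth = makeStubAuth(sampleAccounts);
  const a = await loginVerifiedOnly(auth, "verified@example.com", "pw-1");
  const b = await loginVerifiedOnly(auth, "pending@example.com", "pw-2");
  return { a, b, signedInAfterB: auth.currentUser !== null };
}
```

This client-side gate only controls what the app shows; data access still has to be restricted on the backend, for example with security rules that check `request.auth.token.email_verified`.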