
I am trying to prevent users with an unverified email from executing a cloud function. My function looks like this:

```typescript
import * as functions from "firebase-functions";

export const myFunction = functions.https.onCall(async (data, context) => {
  // context.auth.token holds the claims of the ID token sent with the call
  if (context.auth && context.auth.token.email_verified) {
    // my actual function code
  } else {
    if (!context.auth) {
      functions.logger.log("unauthenticated call to myFunction");
    } else if (!context.auth.token.email_verified) {
      functions.logger.log("unverified email call to myFunction with token", context.auth.token);
    }
  }
});
```

I'm calling this function from my react-native frontend app this way:

```javascript
const myFunction = firebase.functions().httpsCallable("myFunction");
myFunction(payload);
```

I went through the email verification process by clicking the link I received, and everything seemed to work fine. If I log my current user from my frontend app, the `emailVerified` prop is true:

```javascript
console.log(firebase.auth().currentUser)
```

However, when calling the cloud function, it logs `unverified email call to myFunction with token`, and the `email_verified` prop is false inside the token.

Am I missing something? How can the two be different?

jeannot789

1 Answer


Problem comes from token refreshing and is similar to https://stackoverflow.com/a/47281903/6353365

Jean-Baptiste Martin
  • Hello and thanks for answering! I tried to log the current user the way you suggested, and the emailVerified prop is true there too. Since the email is verified before the call to `myFunction`, the result should be the same even if I check my current user before the promise resolves, no? – jeannot789 Nov 17 '21 at 17:51
  • Yes, you are right, the logging inside `then` is irrelevant. Have you checked [this](https://stackoverflow.com/a/47281903/6353365) answer? – Jean-Baptiste Martin Nov 17 '21 at 18:11
  • I just checked this answer and tried it, and it is working after refreshing! I also tried calling the function before refreshing with the account I verified yesterday, and it was working, which means it was indeed the outdated token which was causing the issue. Thank you for linking this answer, I did not find it by myself. Can I mark this question as duplicate? – jeannot789 Nov 18 '21 at 10:13
  • Sure! I've edited my answer to avoid misleading future readers – Jean-Baptiste Martin Nov 18 '21 at 13:32
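
The stale-token behaviour confirmed in the comments above, as an added example that is not part of the original question or answer: the `email_verified` claim is fixed when the ID token is minted, so the client reloads the profile and forces a token refresh before invoking the callable. `ensureVerifiedClaim`, `callWhenVerified` and the two `makeFake…` helpers are hypothetical names; the fakes are constructed stand-ins for a Firebase user and the server-side check, so the code runs without a Firebase project.

```javascript
// Added example, not code from the original post.
// `user` is any object with the Firebase User methods reload() and
// getIdTokenResult(forceRefresh); `callable` is the httpsCallable wrapper.

// Make sure the ID token (what the function sees as context.auth.token)
// carries email_verified: true before the callable is invoked.
async function ensureVerifiedClaim(user) {
  // Claims in the cached token were fixed when that token was minted.
  const cached = await user.getIdTokenResult(false);
  if (cached.claims.email_verified === true) return true;

  // Re-read the profile so emailVerified reflects the server-side state.
  await user.reload();
  if (!user.emailVerified) return false; // genuinely unverified: stop here

  // Profile is verified but the token is stale: force a new token.
  const fresh = await user.getIdTokenResult(true);
  return fresh.claims.email_verified === true;
}

async function callWhenVerified(user, callable, payload) {
  if (!(await ensureVerifiedClaim(user))) {
    throw new Error("email-not-verified");
  }
  return callable(payload);
}

// Constructed stand-in for a Firebase user whose token predates verification.
function makeFakeUser(verifiedOnServer) {
  return {
    emailVerified: false,
    tokenClaims: { email_verified: false }, // stale cached token
    forcedRefreshes: 0,
    async reload() { this.emailVerified = verifiedOnServer; },
    async getIdTokenResult(forceRefresh) {
      if (forceRefresh) {
        this.forcedRefreshes += 1;
        this.tokenClaims = { email_verified: verifiedOnServer };
      }
      return { claims: { ...this.tokenClaims } };
    },
  };
}

// Constructed stand-in for the server-side check in the question.
function makeFakeCallable(user) {
  return async (payload) => {
    if (!user.tokenClaims.email_verified) throw new Error("permission-denied");
    return { ok: true, payload };
  };
}
```

The server-side `context.auth.token.email_verified` check from the question stays the enforcement point; the client-side refresh only makes sure the token it inspects is current.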