
I have been searching in this forum, which has helped me a lot to develop my entire project in Firebase, but I have not been able to find the answer to my question.

I have created a small voting app where users register and can only vote if they have verified their email. Every time a user registers, a verification email is sent with the sendEmailVerification() method. Obviously I can (and I will) hide/show the UI based on user.emailVerified value (true or false) but for more security, I have configured the following rules:

{
  "rules": {
    //only users can write, no one can read
    ".read": false,
    ".write": "auth.uid != null",
    "users": {
      "$uid": {
        //Inside /users, users can read/write in child /$uid only if the $uid of the user matches with the /$uid that is the branch name for each user
        ".read": "$uid === auth.uid",
        ".validate": "$uid === auth.uid",
        "votos": {
          //only users that verified the email can read/write in this child object
          ".validate": "auth.token.email_verified === true",
        }
      }
    },

    "lists": {
      //only users that verified the email can read/write here
      //read is public because you dont need to be logged in to see the votes of the lists
      ".read": true,
      ".validate": "auth.token.email_verified == true",
    }
  }
}

I have done tests in the console simulator and everything seems to work correctly but when I go to the web it does not let me vote even though I have verified my email.

Basically I can only think of:

  • I have not configured the rules correctly (but the console simulator gives me the results I expect)
  • I have not configured the validations correctly
  • It is not enough to send the verification email. Could it be that when the user verifies the mail, a token or something should be included in the URL or in the user's data? I believe that ".validate": "auth.token.email_verified === true", is done with the true or false value of user.emailVerified of the user, but I am not an expert in this...

The only thing I've seen similar is problems related to user.emailVerified not being updated after clicking the verification link and this made the value always false. But again, I have no idea.

If anyone can help me, I really appreciate it. This is my first question on the forum, sorry if I did something wrong.

  • Check if this can help you in email verification: https://stackoverflow.com/questions/37900447/user-emailverified-doesnt-change-after-clicking-email-verification-link-firebas – Tanay Apr 19 '22 at 01:45
  • Rules don't do anything on their own, but only become meaningful when exercised by code. Can you edit your question to show the minimal code with which you get a problem, and in that code prove that it meets the conditions set out by your security rules (e.g. log the current user, and their `email_verified` value right before accessing the database). – Frank van Puffelen Apr 19 '22 at 04:04
  • I checked the link Tanay passed and yes, you need to do a firebaseUser.reload() in order for the change to the firebaseUser's authentication status to be updated. I tried signing out and signing in again and after this I was able to vote. – Design Must Apr 19 '22 at 10:03
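
Added example, not part of the original question or comments: a client-side check that the `email_verified` claim the rules evaluate as `auth.token.email_verified` is present in the ID token before a write is attempted, refreshing the profile and token when the claim is stale. It assumes the Firebase web SDK `User` members `emailVerified`, `reload()` and `getIdToken(forceRefresh)`; `readClaims`, `ensureVerifiedClaim`, `enc` and `fakeUser` are hypothetical names, and the fake user and its tokens are constructed so the block runs offline.

```javascript
// Decode an ID token's payload WITHOUT verifying the signature.
// Good enough for client-side debugging; never a substitute for the rules.
function readClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4); // restore base64 padding
  return JSON.parse(atob(b64));
}

// `user` is duck-typed: emailVerified, reload(), getIdToken(forceRefresh).
async function ensureVerifiedClaim(user) {
  // The cached token carries the claims the database rules will see.
  let claims = readClaims(await user.getIdToken(false));
  if (claims.email_verified === true) return { ok: true, refreshed: false };

  // Pull the current profile; emailVerified flips once the link was clicked.
  await user.reload();
  if (!user.emailVerified) return { ok: false, refreshed: false };

  // Profile is verified but the token predates it: force a new token.
  claims = readClaims(await user.getIdToken(true));
  return { ok: claims.email_verified === true, refreshed: true };
}

// --- Constructed stand-in for a signed-in user (sample data, not real tokens) ---
const enc = (o) =>
  btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

function fakeUser(verifiedOnServer) {
  const mint = (v) => `${enc({ alg: "none" })}.${enc({ email_verified: v })}.sig`;
  let token = mint(false); // issued at sign-in, before the link was clicked
  return {
    emailVerified: false,
    async reload() { this.emailVerified = verifiedOnServer; },
    async getIdToken(force) {
      if (force) token = mint(verifiedOnServer);
      return token;
    },
  };
}

ensureVerifiedClaim(fakeUser(true)).then((r) => console.log(r));
```

Logging `readClaims(await user.getIdToken(false)).email_verified` right before the database write also gives the evidence Frank van Puffelen's comment asks for.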

0 Answers