How can we guarantee that the email stored by the Firebase user is indeed his own email?

In other words, is there a way to verify that the user (when he installs, let's say that the user / email address) is really the email id of the user who registered?

We are creating a Firebase application where some aspects of the service are delivered via email notifications. We do not want to send emails to the wrong user. There seems to be no way to ensure that the email information written in the users / email path really matches the email address used to log in (directly or via Google or Facebook, etc.).

In my opinion, if auth (rules) had an auth.email field in addition to auth.uid, this would solve the problem, and the rules could be written to handle a use case.

+5
1 answer

The latest version of Firebase Authentication supports email verification.

If the identity provider (email address + password, Google) supports additional verification of the email address, this information is provided in the API and in the security rules. (**)

For example, the JavaScript API has an emailVerified property, which you can check in your code:

 firebase.auth().currentUser.emailVerified 

True

In the security rules, you can access both the email address and the check, which makes some use cases possible. With these rules, for example, only an authenticated, verified Gmail user can write his profile:

    {
      "rules": {
        ".read": "auth != null",
        "gmailUsers": {
          "$uid": {
            ".write": "auth.token.email_verified == true && auth.token.email.matches(/.*@gmail.com$/)"
          }
        }
      }
    }

(**) This applies to your Google Account and email + password. As far as I know, Facebook will only show the email address if it is verified, so you can rely on it.

+9
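
An added example, not part of the original question or answer: a server-side check that decides whether a notification email may be sent, using the `email` and `email_verified` claims mentioned above instead of trusting the client-written value under the users path. It assumes the backend has already verified the user's ID token and holds its claims; `resolveRecipient`, `normalizeEmail` and the sample records are hypothetical names and constructed data.

```javascript
// Added example. `claims` is assumed to be the payload of an ID token the
// server has already verified; `profile` is the client-written record
// stored under the users path for that uid.
function normalizeEmail(value) {
  return typeof value === "string" ? value.trim().toLowerCase() : null;
}

function resolveRecipient(claims, profile) {
  if (!claims || typeof claims.uid !== "string") {
    return { send: false, reason: "no-verified-token" };
  }
  if (!profile || profile.uid !== claims.uid) {
    return { send: false, reason: "uid-mismatch" };
  }
  const tokenEmail = normalizeEmail(claims.email);
  if (!tokenEmail) {
    return { send: false, reason: "no-email-claim" };
  }
  // Strict comparison: a missing claim or the string "true" must not pass.
  if (claims.email_verified !== true) {
    return { send: false, reason: "email-not-verified" };
  }
  // A stored address that differs from the sign-in address is rejected.
  if (normalizeEmail(profile.email) !== tokenEmail) {
    return { send: false, reason: "stored-email-differs" };
  }
  // Address the mail to the token's email, never the client-written copy.
  return { send: true, to: claims.email };
}

// Constructed sample data.
const verified = { uid: "u1", email: "alice@example.com", email_verified: true };
const unverified = { uid: "u2", email: "bob@example.com", email_verified: false };

console.log(resolveRecipient(verified, { uid: "u1", email: "Alice@Example.com " }));
console.log(resolveRecipient(verified, { uid: "u1", email: "victim@example.com" }));
console.log(resolveRecipient(unverified, { uid: "u2", email: "bob@example.com" }));
```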