Firebase - Auth - discover users who signed up but not verified email

Question

I've set-up a Firebase project which I am using for it's user authentication module. I am also using the firebaseui-web project from Github.

My redirect on sign-on is working fine per this code:

// FirebaseUI config.
var uiConfig = {
  'signInSuccessUrl': 'MY_REDIRECT.html',
  'signInOptions': [
    firebase.auth.EmailAuthProvider.PROVIDER_ID
  ],
  // Terms of service url.
  'tosUrl': '<your-tos-url>',
};

When the page loads (i.e. MY_REDIRECT.html) I'm checking the status of the user to see if they have verified their e-mail, and if not then invoke the sendEmailVerification method:

checkLoggedInUser = function() {
  auth.onAuthStateChanged(function(user) {
    if (user) {
      // is email verified
      if(user.emailVerified) {
        // show logged in user in UI
        $('#loggedinUserLink').html('Logged in:' + user.email + '<span class="caret"></span>');        
      } else {
        // user e-mail is not verified - send verification mail and redirect
        alert('Please check your inbox for a verification e-mail and follow the instructions');
        // handle firebase promise and don't redirect until complete i.e. .then
        user.sendEmailVerification().then(function() {
          window.location.replace('index.html');
        });
      }
    } else {
      // no user object - go back to index
      window.location.replace("index.html");
    }
  }, function(error) {
    console.log(error);
  });
};

window.onload = function() {
  checkLoggedInUser()
};

All good so far - Firebase is doing what I want! Thanks guys :)

However, in the Firebase Console UI there doesn't appear to be a way of seeing if a user actually went to their inbox and clicked on the link to perform the verification. The UI looks like this:

I've run basic tests and the User UID doesn't change before and after verification has taken place.

So, here's my question - did I go about the e-mail verification correctly? If so (and therefore the UI doesn't show me verified vs unverified) is there an accepted method of accessing these two sets of users in the Auth module? I can't see the way to access the underlying table of UIDs and their properties (including the emailVerified property). I don't mind having to write more code if the functionality isn't in the Console - just looking to get nudged in the correct direction for my next step.

Answer 1

There is currently no way in the Firebase Console to see whether a specific user's email address has been verified. There is an API to get a list of users, but you can't filter on whether they're verified or not.

You can check whether the currently authenticated user's email address is verified with:

firebase.auth().currentUser.emailVerified

You cannot prevent who signs up. But you can easily ensure that only users with a verified email address can access (certain) data. For example:

{
  "rules": {
    ".read": "auth != null && auth.token.email_verified",
    "gmailUsers": {
      "$uid": {
        ".write": "auth.token.email_verified == true && 
                   auth.token.email.matches(/.*@gmail.com$/)"
      }
    }
  }
}

The above rules ensure that only users with a verified email address can read any data and only users with a verified gmail address can write under gmailUsers.