Firebase email verification behavior

Question

I've got a question about how firebase email verification work.

Case:

1. My user signed in my site (using device A).
2. They create another account using other browser or device (device B), but they open email verification link with browser and device which he is already signed in (which is device A).

What happened to the already signed in user (in device A)? Is firebase signed them out or just verify new email, but still signed in with the current user?

Answer 1

The email verification occurs out of band and would not affect any existing firebase states until it is reloaded. If a user verifies their email, you have to call firebase.auth().currentUser.reload() to update the emailVerified property. If you are using firebase rules with emailVerified field, you need to force a token refresh (firebase.auth().currentUser.getToken(true)) after verification. You can use the Firebase realtime database to set some flag on email verification and detect it in the existing session to force a user to reload. This would require you build your own custom email verification handler: https://firebase.google.com/docs/auth/custom-email-handler