Menu
I have my security rules setup like so (in firestore console).
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if request.auth.uid != null && request.auth.token.email_verified;
allow write: if false;
}
}
}
Firebase auto logs-in new users. Therefore, a recent user will have a non verified email address.
When the user verifies their email, I'm getting these results in my app.
Auth.auth().currentUser?.isEmailVerified // This is true
But when I make a request to the firestore I'm getting an error back that says that the user doesn't have enough permission to access that data.
When I sign the user out and then sign them back in, everything works fine.
My initial thoughts are that maybe there is a token that is not refreshed ? But this seems extremely confusing because I already refreshed the current user before attempting to make the request to firestore.
Auth.auth().currentUser?.reload()
I feel like I'm missing something.
Why are user's forced logged-in after they signup but then their email verification status isn't updated accordingly ?
Do we have to request-reauthentication ?
If so, what was the point of force log-in ?
This is getting extremely frustrating because I don't know how I'm suppose to manage my users.
Is signing in unverified user's something that we should do ? Wouldn't this lead to security concerns like user's making fake accounts and spamming your application.
Update
I read this non swift response which re-enforces my suspicion.
I'm going to test this solution tomorrow, the swift version of it is:
Auth.auth().currentUser?.getIDTokenForcingRefresh(forceRefresh: , completion: )
Docs for the method:
Retrieves the Firebase authentication token, possibly refreshing it if it has expired. Remark
The authentication token will be refreshed (by making a network request) if it has expired, or if
forceRefreshis YES.
I'm guessing that in my case I have to force refresh because the token will not be expired.
778
It turns out that the token has to be refreshed as mentioned in the update above.
Here is how I solved my issue.
First I refresh the auth token
Auth.auth().currentUser?.getIDTokenForcingRefresh(true)
If that was successful, I then refresh the user.
Auth.auth().currentUser?.reload()
My issue was that I thought that reloading the user will refresh the token, I didn't imagine that things could be out of sync.
When I checked if the email was verified I got true but the firestore database needs a refreshed token for it to know that the email was verified.
76
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With