(Firebase) Firestore security rules - allow if email verified without custom tokens?

Question

Is there a way to check if the request user email is verified in the Firestore security rules?

something like:

function isEmailVerified() {
  return request.auth.emailVerified == true;
}

Answer 1

The correct syntax is:

request.auth.token.email_verified

If you want to know all claims available in your token, you can decode the JWT in your app or through jwt.io.

Some relevant documentation:

• https://firebase.google.com/docs/reference/rules/rules.firestore.Request#auth
• https://firebase.google.com/docs/reference/security/database/#authtoken (for a list of the claims in there by default)