
Firebase token.email_verified going weird

OK, so I'm making a blog which requires users to log in through Firebase. To post comments, their email has to be verified.

I know how to verify the email, and I did so with my test account. When I typed into the console

firebase.auth().currentUser.emailVerified

it returned true, so yes my email was verified.

But the comment .validate rule requires the user to be validated, like so:

auth.token.email_verified === true

However, it wasn't working, so I removed it and it began to work again.

After a bit of reading, I realized that I had to

const credentials = firebase.auth.EmailAuthProvider.credential(
  user.email, password);

user.reauthenticateWithCredential(credentials)
  .then(() => { /* ... */ });

And that makes it work perfectly. The explanation was that it apparently takes the Firebase server some time to update its backend validation, but reauthenticating forces the update immediately.

However, I am stumped on how to ask the user to reauthenticate themselves, as I have the following problem:

How do I know when the user is validated (firebase.auth().currentUser.emailVerified), and at the same time the Firebase backend is not updated (auth.token.email_verified === true is false), so that I can update my UI and prompt the user to reauthenticate?

Basically, how can I know when auth.token.email_verified === true is not updated yet on the client side?

Edit: also, is there a client-side solution without reauthentication that updates the backend validation?

Edit: I tried user.reload().then(() => window.location.replace('/')) but it didn't work.

notrota asked Nov 11 '17 22:11



1 Answer

This is what is likely happening:

firebase.auth().currentUser.emailVerified is updated when firebase.auth().currentUser.reload() is called after verification. However auth.token.email_verified gets its value from the ID token which will not get updated until it gets expired or you force refresh. So you may have to call firebase.auth().currentUser.getIdToken(true) to force refresh to update the token claim which is sent to the Firebase Database backend.

bojeil answered Oct 19 '22 03:10
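
The check described in the answer, as an added example that is not part of the original question or answer: it compares the reloaded profile flag with the `email_verified` claim inside the cached ID token and force-refreshes only when the two disagree. The helper names `tokenEmailVerified`, `syncEmailVerifiedClaim` and `makeFakeUser` are hypothetical, and the fake user is a constructed stand-in exposing only `emailVerified`, `reload()` and `getIdToken()`.

```javascript
// Read the email_verified claim from an ID token (JWT) WITHOUT verifying it.
// This is only a client-side UI hint; the database rule
// auth.token.email_verified === true remains the actual enforcement point.
function tokenEmailVerified(idToken) {
  const part = idToken.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = part + '='.repeat((4 - (part.length % 4)) % 4);
  return JSON.parse(atob(padded)).email_verified === true;
}

// Returns 'unverified', 'in-sync', 'refreshed' or 'stale'.
async function syncEmailVerifiedClaim(user) {
  await user.reload();                        // updates user.emailVerified
  if (!user.emailVerified) return 'unverified';
  const cached = await user.getIdToken();     // may predate the verification
  if (tokenEmailVerified(cached)) return 'in-sync';
  const fresh = await user.getIdToken(true);  // force refresh, per the answer
  return tokenEmailVerified(fresh) ? 'refreshed' : 'stale';
}

// Constructed stand-in for firebase.auth().currentUser (assumption, for demo).
// Its cached token was issued before the verification link was clicked.
function makeFakeUser(verifiedOnServer) {
  const mint = (v) =>
    'hdr.' + btoa(JSON.stringify({ email_verified: v })) + '.sig';
  let cached = mint(false);
  return {
    emailVerified: false,
    async reload() { this.emailVerified = verifiedOnServer; },
    async getIdToken(force) {
      if (force) cached = mint(verifiedOnServer);
      return cached;
    },
  };
}

// Demo: profile says verified, cached token does not, so a refresh is forced.
syncEmailVerifiedClaim(makeFakeUser(true)).then((state) => console.log(state));
```

In the app, pass `firebase.auth().currentUser` instead of the fake user and prompt for reauthentication only if the result is `'stale'`.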