Ok so im making a blog which requires users to login through firebase. To post comments, their email has to be verified
I know how to verify the email, and i did so with my test account. When i typed into the console
firebase.auth().currentUser.emailVerified
it returned true, so yes my email was verified.
But the comment .validate
rule requires the user to be validated, like so:
auth.token.email_verified === true
However it wasn't working, so i removed it and it began to work again
After a bit of reading, I realized that i had to
const credentials = firebase.auth.EmailAuthProvider.credential(
user.email, password);
user.reauthenticateWithCredential(credentials)
.then(() => { /* ... */ });
And that makes it work perfectly. The explanation was it apparantly takes the firebase server some time to update its backend validation, but reauthenticating forces the update immediately.
However, I am stumped on how to ask the user to reauthenticate themselves, as i have the following problem
How do I know when the users is validated (firebase.auth().currentUser.emailValidated
), and at the same time the firebase backend is not updated (auth.token.email_verified === true
is false) so that i can update my UI and prompt the user to reauthenticate
Basically how can i know when auth.token.email_verified === true
is not updated yet on the client side
edit also is there a client side solution without reauthentication that updates the backend validation?
edit I tried user.reload().then(() => window.location.replace('/'))
but it didnt work
The Firebase Admin SDK has a built-in method for creating custom tokens. At a minimum, you need to provide a uid , which can be any string but should uniquely identify the user or device you are authenticating. These tokens expire after one hour.
Because Firebase ID tokens are stateless JWTs, you can determine a token has been revoked only by requesting the token's status from the Firebase Authentication backend. For this reason, performing this check on your server is an expensive operation, requiring an extra network round trip.
To do so securely, after a successful sign-in, send the user's ID token to your server using HTTPS. Then, on the server, verify the integrity and authenticity of the ID token and retrieve the uid from it. You can use the uid transmitted in this way to securely identify the currently signed-in user on your server.
The token should be saved inside your systems data-store and should be easily accessible when required. The examples below use a Cloud Firestore database to store and manage the tokens, and Firebase Authentication to manage the users identity. You can however use any datastore or authentication method of your choice.
However auth.token.email_verified gets its value from the ID token which will not get updated until it gets expired or you force refresh. So you may have to call firebase.auth ().currentUser.getIdToken (true) to force refresh to update the token claim which is sent to the Firebase Database backend.
ID token verification requires a project ID. The Firebase Admin SDK attempts to obtain a project ID via one of the following methods: If the SDK was initialized with an explicit projectId app option, the SDK uses the value of that option.
// ... Once you have an ID token, you can send that JWT to your backend and validate it using the Firebase Admin SDK, or using a third-party JWT library if your server is written in a language which Firebase does not natively support. The Firebase Admin SDK has a built-in method for verifying and decoding ID tokens.
firebase.auth ().currentUser.emailVerified is updated when firebase.auth ().currentUser.reload () is called after verification. However auth.token.email_verified gets its value from the ID token which will not get updated until it gets expired or you force refresh.
This is what is likely happening:
firebase.auth().currentUser.emailVerified
is updated when firebase.auth().currentUser.reload()
is called after verification. However auth.token.email_verified
gets its value from the ID token which will not get updated until it gets expired or you force refresh. So you may have to call firebase.auth().currentUser.getIdToken(true)
to force refresh to update the token claim which is sent to the Firebase Database backend.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With