In other words, is there a way to verify that when the user sets, let's say, a users//email, it is indeed the email id of the user who is logged in?
We are building a Firebase application, where certain aspects of the service are delivered via email notifications. We do not want to be sending emails to the wrong user. There seems to be no way to guarantee that the email info written to the users//email path is indeed the same as the email used to log in (directly or via Google or Facebook etc.).
In my opinion, if auth (rules) had in addition to auth.uid an auth.email field it would solve the problem and rules could be written to handle the use case.
The latest release of Firebase Authentication supports email verification.
If an identity provider (email+password, Google) supports optional email address verification, that information is made available in the API and in the security rules. (**)
For example, the JavaScript API has an emailVerified property that you can check in your code:
firebase.auth().currentUser.emailVerified  // true
In the security rules you can access both the email address and whether it is verified, which makes some great use-cases possible. With these rules for example only an authenticated, verified gmail user can write their profile:
{
  "rules": {
    ".read": "auth != null",
    "gmailUsers": {
      "$uid": {
        ".write": "$uid === auth.uid && auth.token.email_verified == true && auth.token.email.matches(/.*@gmail\\.com$/)"
      }
    }
  }
}
(**) This applies to Google sign-in and email+password for sure. As far as I know, Facebook will only expose the email address if it's been verified, so you could rely on that.
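The decision the rule above makes, as an added example that is not part of the original answer: a small local stand-in for the rules engine, so the three conditions (signed in, email verified, gmail.com address, plus the write being to the caller's own node) can be exercised against constructed tokens without a Firebase project. The `auth.uid` / `auth.token.email` / `auth.token.email_verified` shape is taken from the rule on the page; the sample tokens are made up.

```javascript
// Same pattern as the rule, with the dot escaped so it matches only a literal ".".
const GMAIL_RE = /.*@gmail\.com$/;

// Decide whether `auth` may write /gmailUsers/$uid, mirroring the rule:
// auth != null, email_verified == true, gmail.com address, and $uid === auth.uid.
function canWriteGmailProfile(auth, uid) {
  if (auth === null || auth === undefined) return false;       // auth != null
  const token = auth.token || {};
  if (token.email_verified !== true) return false;              // email_verified == true
  if (typeof token.email !== "string" || !GMAIL_RE.test(token.email)) return false;
  return auth.uid === uid;                                      // own profile node only
}

// Constructed sample tokens (not real Firebase data).
const verifiedGmail   = { uid: "u1", token: { email: "alice@gmail.com",   email_verified: true  } };
const unverifiedGmail = { uid: "u2", token: { email: "bob@gmail.com",     email_verified: false } };
const verifiedOther   = { uid: "u3", token: { email: "carol@example.org", email_verified: true  } };
// Would slip past an unescaped "gmail.com" pattern, because "." matches any character.
const lookalike       = { uid: "u4", token: { email: "dave@gmailXcom",    email_verified: true  } };

function demo() {
  return {
    ownProfile:      canWriteGmailProfile(verifiedGmail, "u1"),   // true
    someoneElses:    canWriteGmailProfile(verifiedGmail, "u2"),   // false
    unverified:      canWriteGmailProfile(unverifiedGmail, "u2"), // false
    nonGmail:        canWriteGmailProfile(verifiedOther, "u3"),   // false
    lookalikeDomain: canWriteGmailProfile(lookalike, "u4"),       // false
    signedOut:       canWriteGmailProfile(null, "u1"),            // false
  };
}

console.log(demo());
```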