How can we guarantee that the email saved by the Firebase user is indeed his own email?

In other words, is there a way to verify that when the user sets, let's say, a users//email, it is indeed the email id of the user who is logged in?

We are building a Firebase application, where certain aspects of the service are delivered via email notifications. We do not want to be sending emails to the wrong user. There seems to be no way to guarantee that the email info written to the users//email path is indeed the same as the email used to log in (directly or via Google or Facebook etc.).

In my opinion, if auth (rules) had in addition to auth.uid an auth.email field it would solve the problem and rules could be written to handle the use case.

kvs asked Jun 23 '16 08:06

1 Answer

The latest release of Firebase Authentication supports email verification.

If an identity provider (email+password, Google) supports optional email address verification, that information is made available in the API and in the security rules. (**)

For example, the JavaScript API has an emailVerified property that you can check in your code:

firebase.auth().currentUser.emailVerified

true

In the security rules you can access both the email address and whether it is verified, which makes some great use-cases possible. With these rules for example only an authenticated, verified gmail user can write their profile:

{
  "rules": {
    ".read": "auth != null",
    "gmailUsers": {
      "$uid": {
        ".write": "auth.token.email_verified == true && 
                   auth.token.email.matches(/.*@gmail.com$/)"
      }
    }
  }
}

(**) This applies to Google sign-in and email+password for sure. As far as I know, Facebook will only expose the email address if it's been verified, so you could rely on that.

Frank van Puffelen answered Sep 27 '22 19:09
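An added example, not part of the answer above or of the Firebase SDK: an offline JavaScript model of the gmailUsers/$uid write rule, run against constructed tokens so the rule's behaviour can be checked before it is deployed. It also shows two adjustments a practitioner would want: the unescaped dot in /.*@gmail.com$/ matches any character, and the rule as written has no $uid == auth.uid check, so any verified gmail account could write any node under gmailUsers. The auth objects, uids and addresses are constructed fixtures.

```javascript
// Offline model of the ".write" rule on gmailUsers/$uid from the answer above.
// This is an added example, not Firebase SDK or rules code: the auth objects are
// constructed fixtures shaped like the decoded auth.token the rules engine sees.

// Pattern as written in the answer: "." is unescaped, so it matches any character.
const ANSWER_RE = /.*@gmail.com$/;
// Hardened pattern: escaped dot, anchored, non-empty local part without a second "@".
const GMAIL_RE = /^[^@]+@gmail\.com$/;

// Mirrors the rule's condition (email_verified == true && email matches the
// pattern) and adds the ownership check ($uid == auth.uid) that the rule omits.
function canWriteGmailProfile(auth, uid, pattern = GMAIL_RE) {
  if (auth === null || typeof auth !== "object") return false; // auth != null
  const token = auth.token || {};
  if (token.email_verified !== true) return false;             // auth.token.email_verified
  if (typeof token.email !== "string") return false;           // email can be absent
  if (!pattern.test(token.email)) return false;                // auth.token.email.matches(...)
  return auth.uid === uid;                                     // only the owner's own node
}

// Address the app may notify: only the verified address of the signed-in account,
// never a value the client wrote into the database itself.
function notificationAddress(auth) {
  const token = (auth && auth.token) || {};
  return token.email_verified === true && typeof token.email === "string"
    ? token.email
    : null;
}

// Constructed fixtures covering the cases the rule must distinguish.
const FIXTURES = {
  verifiedGmail:   { uid: "u1", token: { email: "alice@gmail.com", email_verified: true } },
  unverifiedGmail: { uid: "u2", token: { email: "bob@gmail.com", email_verified: false } },
  verifiedOther:   { uid: "u3", token: { email: "carol@example.org", email_verified: true } },
  lookalike:       { uid: "u4", token: { email: "dave@gmailXcom", email_verified: true } },
  noEmail:         { uid: "u5", token: { email_verified: true } },
};

for (const [name, auth] of Object.entries(FIXTURES)) {
  console.log(name, "own node:", canWriteGmailProfile(auth, auth.uid),
              "answer pattern:", canWriteGmailProfile(auth, auth.uid, ANSWER_RE),
              "notify:", notificationAddress(auth));
}
```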