What will happen, if a user doesn't verify the email?

Question

I am trying to add Email and password verification using Firebase, and I saw on their snippet that you can choose whether to send a verification email or not. What happens if a user doesn't verify? Will his account be automatically deleted by Firebase?

Answer 1

When a user verifies their email address with Firebase Authentication, the isEmailVerified property in their profile will be marked as true. This is the only change that Firebase makes. It does not make any other changes based on whether the user verifies or does not verify their account.

Typically you'll use the value of isEmailVerified in other parts of your app. Some examples:

1. The first activity of your app may prompt the user to verify their email address, if isEmailVerified returns false.

2. You can authorize only users with a verified email address to write to your database, using Firebase's server-side security rules.

   For the Realtime Database this would look like:

   ".write": "auth.token. email_verified === true"
   

   And for Cloud Firestore this would be the equivalent:

   allow write: if request.auth.token.email_verified;
   

3. You can periodically clean up unverified accounts with the Firebase Admin SDK. Check out this example of deleting inactive users. You'll want to change the code to capture unverified users, instead of inactive ones.

Also see:

• Email Verification in Firebase Auth
• Security rule to only allow write for users with verified emails