How to check if email is verified in Firebase using a parameter? - javascript

My plan is to ONLY sign in a user if the email has been verified. I am using an if-statement to check if the email is verified using the built-in "emailVerified" function, but it is crashing.
function login(email, password) {
  if (email.emailVerified) {
    console.log("trying to log user");
    return auth.signInWithEmailAndPassword(email, password);
  } else {
    console.log("failed to log user");
    alert("Please verify your email");
    return false;
  }
}

There is no way to determine whether a profile's emailVerified property is set in the client-side SDK without signing in. So with only the client-side SDK, you won't be able to do what your pseudo-code does.
What you can do is create a custom API in a trusted environment (for example on Cloud Functions) where you use the Admin SDK to get a user profile by its email address and then check if its emailVerified property is set to true. You can then call this custom API from within your application code. But this still won't prevent a malicious user from calling the signInWithEmailAndPassword method themselves.
Alternatively, and much simpler, is to sign in first, then check if the email is verified, and only allow the user to continue using the app (and accessing data) if the email is verified.
Note that this topic comes up quite regularly, so I recommend also reading:
Only let pre-verified users log into Firebase
Firebase - Auth - discover users who signed up but not verified email
Firebase Auth - createUserWithEmailAndPassword() - prevent login until email is verified
Can I get updated emailVerified without logging out?
and more from these search results
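
The "sign in first, then check" approach from the answer above, as an added example that is not part of the original answer. It assumes `auth` is a Firebase Auth instance from the namespaced SDK used in the question; the function name and return shape are hypothetical.

```javascript
// Added example, not code from the original answer. `auth` is a Firebase Auth
// instance from the namespaced (v8-style) SDK that the question uses.
async function loginVerifiedOnly(auth, email, password) {
  // Sign-in itself cannot be refused, so authenticate first...
  const { user } = await auth.signInWithEmailAndPassword(email, password);
  if (user.emailVerified) {
    return { ok: true, user };
  }
  // ...then drop the session again if the address is unverified.
  let resent = true;
  try {
    await user.sendEmailVerification(); // must run while still signed in
  } catch (err) {
    resent = false; // e.g. rate limited; still sign out below
  } finally {
    await auth.signOut();
  }
  return { ok: false, reason: "email-not-verified", resent };
}
```

This gate only shapes the user experience: a modified client can skip it, so access to data still has to be checked on the server side.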

Related

How can I check an email address has been registered or not on the firebase auth, like as the firebaseui does it?

The login sequence of the firebaseui.
The login sequence starts with only an email address.
In case the address has been registered to the firebase, login will continue.
If not added, a new account will be created.
My Question
How can I check an email address that has been registered or not on the firebase auth, as the firebaseui does it?
I'm looking for the appropriate API to check if the email address has been added or not. I've searched the firebase.auth.Auth documentation, but I can't find it.
I've tried firebase.auth().signInWithEmailAndPassword(this.email, "") expecting to get the error auth/user-not-found, but I got auth/wrong-password.
You can use the following method, from the docs:
fetchSignInMethodsForEmail
fetchSignInMethodsForEmail(email: string): Promise<Array<string>>
Gets the list of possible sign in methods for the given email address. This is useful to differentiate methods of sign-in for the same provider, eg. EmailAuthProvider which has 2 methods of sign-in, email/password and email/link.
Error Codes
auth/invalid-email
Thrown if the email address is not valid.
Parameters
email: string
Returns Promise<Array<string>>
This will return an error if the email is not registered.

Only let pre-verified users log into Firebase

Right now, I only want users who have already registered and been verified with our software to login, and I have saved the list of emails of users (stripped of special characters) inside Firebase. Currently, when the user logs in, I use the following function to check if their email is in this list:
function isEmailValid(userEmail, trueCallback, falseCallback) {
  var emailHash = userEmail.replace(/[^a-zA-Z0-9]/g, "");
  firebase
    .database()
    .ref("validEmails/" + emailHash)
    .on("value", snapshot => {
      if (snapshot.val()) {
        trueCallback(snapshot.val());
      } else {
        falseCallback();
      }
    });
}
Although this method works, it is quite unwieldy, as the user is still able to log in initially before the function callback is called, and their email is still shown in the "Authentication" tab in Firebase.
Is there a better way to only allow pre-verified users to log into Firebase?
I'm pretty sure this has been covered before: there currently is no way to prevent users from signing in with Firebase Authentication. But if you want to prevent them from accessing backend resources, you can check whether their email address is verified either in the server-side security rules (for Realtime Database, Storage, or Firestore), or in your own server-side code.
At I/O a demo was given of upcoming functionality in Cloud Function that would allow you to prevent signing in users without a verified email address. But I don't know when this functionality will be available in a public API.
Also see:
Firebase Prevent Creating Account Before Email Verification
How to prevent user authentication in Firebase/Vue.js BEFORE email is verified
How do I lock down Firebase Database to any user from a specific (email) domain?
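
One way to do the "own server-side code" check from the answer above, as an added example that is not part of the original answer. It assumes an Express-style `req`/`res`/`next` interface, and `verifyIdToken` is an injected stand-in for the Admin SDK's `admin.auth().verifyIdToken`; the middleware name and error strings are hypothetical.

```javascript
// Added example, not code from the original answer. `verifyIdToken` stands in
// for admin.auth().verifyIdToken and is injected so the check runs offline.
function requireVerifiedEmail(verifyIdToken) {
  return async function (req, res, next) {
    const header = req.headers.authorization || "";
    const match = /^Bearer (.+)$/.exec(header);
    if (!match) {
      return res.status(401).json({ error: "missing-token" });
    }
    let claims;
    try {
      // Checks signature, expiry and audience; rejects forged tokens.
      claims = await verifyIdToken(match[1]);
    } catch (err) {
      return res.status(401).json({ error: "invalid-token" });
    }
    // Being signed in is not enough: the token must carry
    // email_verified === true (a missing claim is treated as unverified).
    if (claims.email_verified !== true) {
      return res.status(403).json({ error: "email-not-verified" });
    }
    req.user = { uid: claims.uid, email: claims.email };
    return next();
  };
}
```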

Send firebase auth verification email using javascript and getuser [duplicate]

This question already has answers here:
Is there a way to send the verification email with the Firebase Admin SDK from my Node.js server?
I'm trying to send an email verification to users using firebase auth admin. All examples seem to use firebase.auth().currentUser;, however, in my case I am logged in as an admin user viewing a custom dashboard list of users to take action on rather than being logged in as an individual user.
I can successfully change a user record using this approach by passing in the UID to the updateUser method and the changes... e.g.
let userRecord = await fbAuth.updateUser(blogUID, {
  email: req.body.BloggerEmail
})
and can retrieve the user details of the user I want using:
var userA = await fbAuth.getUser(blogUID)
However, the user object returned by this method doesn't allow me to call the sendEmailVerification method (it appears getUser doesn't return the same object type as getCurrentUser).
try {
  var userA = await fbAuth.getUser(blogUID).sendEmailVerification()
  console.log("Sent new verification email");
} catch(error) {
  console.log("Error sending verification email " + error);
}
[this fails, sendEmailVerification is not a method]
Official Reference Doc I've tried to use:
https://firebase.google.com/docs/auth/web/manage-users#send_a_user_a_verification_email
Appreciate your help.
Since your code uses the Admin SDK to look up a user by their UID, it can only call methods from the Admin SDK. You can't simply match methods from the Admin SDK and the client-side SDKs.
Since the Admin SDK doesn't have a method to send a verification email (see this), you will either have to let the client do this, or implement your own email verification flow. See firebase admin SDK create user and send verification email

How to detect in a React app if a user within Firebase has confirmed their account via email link? [duplicate]

I have following flow for my sign up process:
User fills out details and signs up (gets sent a verification email)
After this user is logged in, but sees a screen asking for email verification
User verifies their email and goes back to app
At this stage how can I get new user data that will have emailVerified field without logging user out?
I expected auth().onAuthStateChanged to be fired once emailVerified changes to true, but that does not happen, nor can I find any refresh function in firebase docs to get this data manually.
Only way I can get that new value for emailVerified is by logging out and logging back in, but ideally would like to avoid this.
update: this is using JavaScript SDK
Based on Android, I did:
firebase.auth().currentUser.reload().then(() => {
  console.log(firebase.auth().currentUser)
})
this returns updated information about the user, I couldn't find this anywhere in the docs for some reason
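
Building on the reload() call above, an added example (not from the original answer) that polls for verification and then forces an ID token refresh, because the cached token keeps its old email_verified claim until it is refreshed. The function name and the `attempts`/`delayMs` defaults are assumptions.

```javascript
// Added example, not code from the original answer. `user` is
// firebase.auth().currentUser; attempts and delayMs are assumed defaults.
async function waitForEmailVerified(user, { attempts = 10, delayMs = 3000 } = {}) {
  for (let i = 0; i < attempts; i++) {
    await user.reload(); // re-fetch the profile from the Auth backend
    if (user.emailVerified) {
      // The cached ID token still carries email_verified: false. Force a
      // refresh so security rules and server-side checks see the new claim.
      await user.getIdToken(true);
      return true;
    }
    if (i < attempts - 1) {
      await new Promise((resolve) => setTimeout(resolve, delayMs));
    }
  }
  return false; // still unverified after the last attempt
}
```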

How to confirm user in Cognito User Pools without verifying email or phone?

I am using Amazon Cognito Identity SDK for JavaScript (deprecated).
I created a new pool without verifying email and phone_number.
By default, users aren't confirmed in Cognito User Pools, so I need to do this manually.
How to confirm user in Cognito User Pools without verifying email or phone?
I hope this will help someone else.
To do this you can add this Lambda function:
exports.handler = (event, context, callback) => {
  event.response.autoConfirmUser = true;
  event.response.autoVerifyEmail = true; // this is NOT needed if e-mail is not in attributeList
  event.response.autoVerifyPhone = true; // this is NOT needed if phone # is not in attributeList
  // Return the modified event to Cognito through the handler callback.
  callback(null, event);
};
Then navigate to AWS Cognito's General settings >> Triggers and add this Lambda function to 'Pre sign-up' - click the drop down list and select Lambda function with above code.
If you only use 'preferred_username' (if no e-mail or phone # is used) setting event.response.autoConfirmUser to true is sufficient.
Actually, AWS has recently added the ability to verify email and verify phone number in the pre-signup lambda as well. You basically need to set autoVerifyEmail and autoVerifyPhone in the lambda and they will get verified.
More info in the official documentation.
"response": {
  "autoConfirmUser": boolean,
  "autoVerifyEmail": boolean,
  "autoVerifyPhone": boolean
}
I think the accepted answer is problematic. OP's question is how to confirm a user without verifying their email. But the solution will verify the user's email.
If you want to confirm a user with an unverified email (or phone), you can use AdminConfirmSignUpCommand. It is the intended way to confirm a user without having them do it, as per official docs:
Unlike ConfirmSignUpCommand, AdminConfirmSignUpCommand doesn't need a code. You can implement this command after signup in your API or as a Custom Message Trigger (effectively confirming the user when the email is sent).
Now, the user can log in, but the email must be confirmed still.
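
A Pre sign-up trigger that confirms the account while leaving the email unverified, which is the distinction the last answer draws. This is an added example, not code from the answers above; the `ALLOWED_DOMAINS` allowlist and the `applyPreSignUpPolicy` name are assumptions chosen so that not every self-registration is auto-confirmed.

```javascript
// Added example, not code from the original answers. ALLOWED_DOMAINS is a
// constructed allowlist; replace it with your own policy.
const ALLOWED_DOMAINS = new Set(["example.com"]);

function applyPreSignUpPolicy(event) {
  const email = (event.request.userAttributes.email || "").toLowerCase();
  const domain = email.slice(email.lastIndexOf("@") + 1);
  // Only self-service sign-ups are auto-confirmed here; admin-created and
  // federated users keep their normal flow.
  const selfSignUp = event.triggerSource === "PreSignUp_SignUp";
  // Confirm the account so the user can sign in, but do not mark the address
  // as verified: nobody has proven control of it, so email_verified stays false.
  event.response.autoConfirmUser = selfSignUp && ALLOWED_DOMAINS.has(domain);
  event.response.autoVerifyEmail = false;
  event.response.autoVerifyPhone = false;
  return event;
}

// Lambda entry point (CommonJS); Cognito expects the event back.
const handler = async (event) => applyPreSignUpPolicy(event);
if (typeof module !== "undefined") {
  module.exports = { handler };
}
```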
