Firebase firestore not updating email verification

2019-06-25 10:54发布

问题:

I have my security rules setup like so (in firestore console).

    service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {

      allow read: if request.auth.uid != null && request.auth.token.email_verified;
      allow write: if false; 
    }
  }
}

Firebase auto logs-in new users. Therefore, a recent user will have a non verified email address.

When the user verifies their email, I'm getting these results in my app.

Auth.auth().currentUser?.isEmailVerified // This is true

But when I make a request to the firestore I'm getting an error back that says that the user doesn't have enough permission to access that data.

When I sign the user out and then sign them back in, everything works fine.

My initial thoughts are that maybe there is a token that is not refreshed ? But this seems extremely confusing because I already refreshed the current user before attempting to make the request to firestore.

Auth.auth().currentUser?.reload()

I feel like I'm missing something.

Why are user's forced logged-in after they signup but then their email verification status isn't updated accordingly ?

Do we have to request-reauthentication ?

If so, what was the point of force log-in ?


This is getting extremely frustrating because I don't know how I'm suppose to manage my users.

Is signing in unverified user's something that we should do ? Wouldn't this lead to security concerns like user's making fake accounts and spamming your application.


Update

I read this non swift response which re-enforces my suspicion.

I'm going to test this solution tomorrow, the swift version of it is:

Auth.auth().currentUser?.getIDTokenForcingRefresh(forceRefresh: , completion: )

Docs for the method:

Retrieves the Firebase authentication token, possibly refreshing it if it has expired. Remark

The authentication token will be refreshed (by making a network request) if it has expired, or if forceRefresh is YES.

I'm guessing that in my case I have to force refresh because the token will not be expired.

回答1:

It turns out that the token has to be refreshed as mentioned in the update above.

Here is how I solved my issue.

First I refresh the auth token

Auth.auth().currentUser?.getIDTokenForcingRefresh(true)

If that was successful, I then refresh the user.

Auth.auth().currentUser?.reload()

My issue was that I thought that reloading the user will refresh the token, I didn't imagine that things could be out of sync.

When I checked if the email was verified I got true but the firestore database needs a refreshed token for it to know that the email was verified.