Firebase: Email verification and user login to be

I have created a form "main.html#!/register" to allow users to enter their: firstname, lastname, email and login. Once all those entered an email verification is sent, so that they cannot get to the page "main.html#!/success" before verifying the email.

The good news is: If they try to get to the access page from the login page without confirming the Email, they will not be able to access. The bad news is: Right after the registration, if they enter the "main.html#!/success" they will be able to open this page !!

Use case: The user is not able to access to "main.html#!/success" without any registration The user is not able to access the "main.html#!/success" from the login page "main.html#!/login", if he has not verified his email The problem is : The user is able to access the "main.html#!/success" right after the registration without email confirmation.

Question: How can I use the email verification condition user.emailVerified and the user auth $requireSignIn() to allow the access to the page "main.html#!/success" ? I had put a resolve function to prevent any access without the registration.

Here is my codes 1-resolve function: Authentication is a service I have created

 when('/success', {
  templateUrl: 'views/success.html',
  controller: 'SuccessController',
  resolve: {
    currentAuth: function(Authentication) {
    return Authentication.requireAuth();
    } //currentAuth
  }//resolve
}).

2-code in the Authentication service

requireAuth: function() {
    return auth.$requireSignIn();
}, //require Authentication

3- the register function (it is in the service)

register: function(user) {   
  auth.$createUserWithEmailAndPassword(
    user.email,
    user.password
  ).then(function(regUser) {
    var regRef = ref.child('users')
      .child(regUser.uid).set({
        date: firebase.database.ServerValue.TIMESTAMP,
        regUser: regUser.uid,
        firstname: user.firstname,
        lastname: user.lastname,
        email: user.email 
      }); //userinfo
    regUser.sendEmailVerification().then(function() {
      // Email sent.
        alert("your Email is verified: " + regUser.emailVerified) ;
    }).catch(function(error) {
      // An error happened.
        alert(error);
    });
  }).catch(function(error) {
    $rootScope.message = error.message;
  }); //createUserWithEmailAndPassword
} //register

3- login function

login: function(user) {
            auth.$signInWithEmailAndPassword(
            user.email,
            user.password
          ).then(function(user) {
                if(user.emailVerified){
                  $location.path('/success');
                }
                else{
                $rootScope.message= "Please validate your registration first : "+user.emailVerified;
                }
          }).catch(function(error) {
            $rootScope.message = error.message;
          }); //signInWithEmailAndPassword
}, //login

You are trying to enforce this on the client side. Instead you should enforce access for verified signed in users from your Firebase rules. For example:

".write": "$user_id === auth.uid && auth.token.email_verified == true"