I have my security rules set up like so (in the Firestore console).
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if request.auth.uid != null && request.auth.token.email_verified;
      allow write: if false;
    }
  }
}
Firebase auto logs in new users. Therefore, a recent user will have a non-verified email address.
When the user verifies their email, I'm getting these results in my app.
Auth.auth().currentUser?.isEmailVerified // This is true
But when I make a request to Firestore I'm getting an error back that says that the user doesn't have enough permission to access that data.
When I sign the user out and then sign them back in, everything works fine.
My initial thoughts are that maybe there is a token that is not refreshed? But this seems extremely confusing because I already refreshed the current user before attempting to make the request to Firestore.
Auth.auth().currentUser?.reload()
I feel like I'm missing something.
Why are users forcibly logged in after they sign up, but then their email verification status isn't updated accordingly?
Do we have to request re-authentication?
If so, what was the point of the forced log-in?
This is getting extremely frustrating because I don't know how I'm supposed to manage my users.
Is signing in unverified users something that we should do? Wouldn't this lead to security concerns like users making fake accounts and spamming your application?
Update
I read this non-Swift response which reinforces my suspicion.
I'm going to test this solution tomorrow; the Swift version of it is:
Auth.auth().currentUser?.getIDTokenForcingRefresh(forceRefresh: , completion: )
Docs for the method:
Retrieves the Firebase authentication token, possibly refreshing it if it has expired.
Remark: The authentication token will be refreshed (by making a network request) if it has expired, or if forceRefresh is YES.
I'm guessing that in my case I have to force refresh because the token will not be expired.
It turns out that the token has to be refreshed as mentioned in the update above.
Here is how I solved my issue.
First I refresh the auth token.
If that was successful, I then refresh the user.
My issue was that I thought that reloading the user would refresh the token; I didn't imagine that things could be out of sync.
When I checked if the email was verified I got true, but the Firestore database needs a refreshed token for it to know that the email was verified.
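The two-step sequence from the answer (force-refresh the ID token, then reload the user, then read), written out as an added Swift example that is not the poster's own code. It assumes the Firebase iOS SDK (FirebaseAuth, FirebaseFirestore) and a caller-supplied document path; the `email_verified` claim the rules check is carried in the cached ID token, which is why `reload()` alone is not enough.

```swift
import FirebaseAuth
import FirebaseFirestore

enum VerifiedReadError: Error {
    case notSignedIn
    case emailNotVerified
}

/// Refresh the ID token first, then reload the user, then read Firestore.
/// Security rules evaluate request.auth.token.email_verified from the ID
/// token, which the SDK caches until it expires; reloading the user record
/// updates isEmailVerified locally but does not mint a new token.
func readAfterVerification(
    documentPath: String,   // assumed, e.g. "profiles/<uid>"
    completion: @escaping (Result<[String: Any]?, Error>) -> Void
) {
    guard let user = Auth.auth().currentUser else {
        completion(.failure(VerifiedReadError.notSignedIn))
        return
    }
    // Step 1: force a fresh ID token so the email_verified claim is current.
    user.getIDTokenForcingRefresh(true) { _, tokenError in
        if let tokenError = tokenError {
            completion(.failure(tokenError))
            return
        }
        // Step 2: reload the local user record so isEmailVerified matches.
        user.reload { reloadError in
            if let reloadError = reloadError {
                completion(.failure(reloadError))
                return
            }
            guard user.isEmailVerified else {
                // Client-side gate only; the rules still enforce it server-side.
                completion(.failure(VerifiedReadError.emailNotVerified))
                return
            }
            // Step 3: this read now carries a token whose claim satisfies the rule.
            Firestore.firestore().document(documentPath).getDocument { snapshot, readError in
                if let readError = readError {
                    completion(.failure(readError))
                } else {
                    completion(.success(snapshot?.data()))
                }
            }
        }
    }
}
```

Calling `readAfterVerification` immediately after the verification link is confirmed avoids the sign-out/sign-in workaround; a permission-denied error that still appears afterwards means the token refresh itself failed, not the rules.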