Julius Möller

Reputation: 11

Firebase Auth API email verification JavaScript

I use Nuxt (Vue) for my application and Firebase to authenticate my users. For that, I send a POST request with axios. So far so good. I get a response with some credentials. Then I'm sending another POST request with axios to send the user a verification email. This is working as well. But I don't get where the information that the user verified the email address by clicking on the link is saved. So I cannot make that a condition for my authentication process.

I also don't get an error if I'm logging in with my email and password without verifying the email.

https://firebase.google.com/docs/reference/rest/auth/#section-create-email-password

https://firebase.google.com/docs/reference/rest/auth/#section-send-email-verification

Thanks so much for your help in advance.

Upvotes: 1

Views: 1169

Answers (1)

bojeil

Reputation: 30798

Firebase does not block access if you don't verify your email since many applications do not require that. It is up to you to enforce that via your security rules. Example:

"$uid": {
  ".write": "auth.token.email_verified === true && auth.uid === $uid",
  ".read": "auth.token.email_verified === true && auth.uid === $uid"
}

The ID token of a verified user will contain email_verified set to true. Firebase Auth will store that value when the user clicks the email verification link. To detect that on the user, you need to call user.reload(), which will set user.emailVerified to true. To force the ID token to pick up these changes, you can force a token refresh with user.getIdToken(true).

Upvotes: 1
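For the REST/axios flow in the question, the check described in the answer could look like this on Node.js (an added example, not part of the original answer): read the email_verified claim from the ID token and, if it is still false, exchange the refresh token for a new ID token before deciding. The function names, the injected post helper and the API key placeholder are assumptions; the sample tokens are constructed and unsigned.

```javascript
// Added example. decodeClaims, isEmailVerified, requireVerifiedEmail and fakeToken
// are hypothetical names; API_KEY is a placeholder.
const API_KEY = "YOUR_WEB_API_KEY";

// Decode the payload of an ID token (a JWT). The signature is NOT checked here,
// so use the result only to steer the client flow; enforcement stays in the
// security rules or in a backend that verifies the token.
function decodeClaims(idToken) {
  const parts = String(idToken).split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Strict check: only the boolean true counts, malformed tokens count as unverified.
function isEmailVerified(idToken) {
  try {
    return decodeClaims(idToken).email_verified === true;
  } catch {
    return false;
  }
}

// session = { idToken, refreshToken } from the sign-in response.
// post(url, body) is injected (e.g. axios.post) so the flow can be tested offline.
async function requireVerifiedEmail(session, post) {
  if (isEmailVerified(session.idToken)) return { ok: true, idToken: session.idToken };
  // The token was minted before the link was clicked: exchange the refresh
  // token for a new ID token and look at the claim again.
  const body = "grant_type=refresh_token&refresh_token=" +
    encodeURIComponent(session.refreshToken);
  const res = await post(`https://securetoken.googleapis.com/v1/token?key=${API_KEY}`, body);
  const fresh = res.data.id_token;
  return { ok: isEmailVerified(fresh), idToken: fresh };
}

// Constructed, unsigned sample tokens for the offline demo below.
function fakeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none" })}.${enc(claims)}.sig`;
}

const stubPost = async () => ({ data: { id_token: fakeToken({ email_verified: true }) } });
requireVerifiedEmail({ idToken: fakeToken({ email_verified: false }), refreshToken: "r" }, stubPost)
  .then((r) => console.log("verified after refresh:", r.ok));
```

Because the payload is decoded without signature verification, this only decides what the client shows; access control still has to come from the security rules above or from a backend that verifies the token.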
