Firebase email/password authentication - how to require email verification?

Question

Whenever I use the email/password authentication provider in Firebase, the provider sends a bearer token upon successful sign-up even though the emailVerified is false. Is there a way, out of the box, to configure the email/password auth provider to not send a bearer token (and return a 403 error) until the user has verified their email address?

Note that I'm aware of how to create a user, sign in a user, send a verification email, etc... using firebase v9.x via the methods createUserWithEmailAndPassword, signInWithEmailAndPassword, signOut, sendEmailVerification from firebase/auth. I'm just asking if there is a way to set the behavior of the provider without having to write my own handler function for this. I'd like this to behave like Cognito does whenever the email verification is required.

Answer 1

As per the documentation, you can use blocking functions to require email verification for registration (only that it doesn't work):

exports.beforeCreate = functions.auth.user().beforeCreate((user, context) => {
  const locale = context.locale;
  if (user.email && !user.emailVerified) {
    // Send custom email verification on sign-up.
    return admin.auth().generateEmailVerificationLink(user.email).then((link) => {
      return sendCustomVerificationEmail(user.email, link, locale);
    });
  }
});

exports.beforeSignIn = functions.auth.user().beforeSignIn((user, context) => {
 if (user.email && !user.emailVerified) {
   throw new functions.auth.HttpsError(
     'invalid-argument', `"${user.email}" needs to be verified before access is granted.`);
  }
});

generateEmailVerificationLink always returns the following error:

"err": {
  "message": "There is no user record corresponding to the provided identifier.",
  "code": "auth/user-not-found"
},

but the user is created anyway given that beforeCreate don't return an exception.

If you want to check by yourself just log the error:

return admin.auth().generateEmailVerificationLink(user.email)
    .then((link) => {
      functions.logger.info("link", {user: user, context: context, link: link})
    })
    .catch((err) => {
      functions.logger.info("error", {user: user, context: context, err: err});
    });                                           

Answer 2

There is no way to require the user's email address to be verified before they can sign in to Firebase Authentication.

The closest you can get is by using email-link sign-in, which combines signing in and verifying the user's email address in one action.

But this is how you'll typically want to implement this in your application code:

1. User enters their credentials
2. You sign them in to Firebase with those credentials
3. You check whether their email address is verified
4. If not, you stop them from further using the app - and (optionally) send them a verification email.

Same with data access: if you have a custom backend code, you can check whether the email address is verified in the ID token there too, as well as in Firebase's server-side security rules.

Answer 3

The createUserWithEmailAndPassword() will sign in user right after the account is created. Also there isn't any way to prevent users from logging in even if their email is not verified but you can actually check if email is verified in security rules or using Admin SDK to prevent users with unverified email from accessing your resources. You can use this rule in Firestore:

allow read, write: if request.auth.token.email_verified == true;

One workaround would be creating users using a Cloud function and Admin SDK which won't sign in users but do note that users can sign in.

---

If you want to prevent login unless the email is verified strictly, then you can disable account right after it is created. Now you may not be able to use sendEmailVerification() which requires user to be signed in at first place, you can always create your own solution for verifying email. The process might look something like:

1. Create a user and disable the account in a Cloud function
2. Generate some token or identifier for verifying email and send an email to user from same cloud function
3. Once the user visits that link and verifies the email you can enable it

---

Additionally, users can still create accounts by using REST API but you can disable sign ups so users can be created via Cloud function only which disables the user immediately.