bertenvdb

Reputation: 97

Set password and verify email in one step

Lots of questions about email verification here on SO, but none seem to cover my scenario.

We would like to add users ourselves after an intake meeting. Our representative has a form to enter some details like company name, VAT number, contact data (which contains an email field), ... This data is saved in Firestore.

After this, an email is sent to the supplied email address which contains a link that takes the user to a form where his/her email address is displayed with a password and a password confirmation input field. When submitting this field, the user is created. But now the user receives an email asking to confirm their email address. I assume, for security and privacy reasons, there's no way I can set the user's email address as verified.

I've looked at customizing the verification email, but that doesn't seem to solve my problem.

Creating the user with a random password after the intake meeting also doesn't seem to be a solution, as the user still has to verify and then reset the password in 2 steps. Or can I somehow redirect after the email verification to the 'set password' page? That would be an acceptable solution.

Is there any way to achieve the desired flow described above?

Upvotes: 0

Views: 632

Answers (1)

samthecodingman

Reputation: 26171

As a general workflow, you could achieve this using a Cloud Function along with either database system. You can also make use of App Check to further secure this process.

  1. Representative adds base user information in their portal. Store the data securely in the database of your choice.
  2. Send the user an invite email containing a short-lived verification token linked with the email added by the representative (this could be generated and fired off using an onCreate Cloud Function once the invitee's data is added to the database). This token should follow some standard like JWT so you can deserialize the contained email address or be exchangeable for the underlying email address.
  3. When the user clicks the link or copies it into their browser, present them with an input form asking for the desired email and password. Note: the email field should be editable! The rep may have used an email the new user doesn't want to use with your platform.
  • If the token is still valid and not consumed, continue with the next steps.
  • If the token has expired and not consumed, send another email to reconfirm their email and restart this step.
  • If the token is already consumed, show an error and don't continue.
  4. Submit the email, password and emailed token to your backend via a Callable Cloud Function.
  5. Sign the user in using the authentication token returned by the function on success. Show an error otherwise.

In the callable function for creating the user:

  1. Confirm the request comes from your app (if using App Check)
  2. Confirm the validity of the emailed token
  3. Pull the data the representative entered from the database linked with the emailed token's original email address.
  4. Using that data, the updated email, the new password, and emailVerified=true, call the createUser API.
  5. Using the User ID from the returned UserRecord, create the user's profile data in the database and also create a Custom Authentication Token.
  6. Once their data has been created and the token generated, return the authentication token as the result of the request.

Upvotes: 1
