Firebase email verification not working as expected, without verification the user is able to login

I'm having an issue with Firebase and its email verification flow. I'm able to create a new user, email with a link to verify email address is delivered with no issues. Now, just for testing purposes I'm not clicking on the link to verify the email, but, if I open the app, I'm able to access and do anything. I'm not sure what I'm missing or what I'm doing wrong. I've been stuck with this for the past couple days. Any help is greatly appreciated.

my code

@IBAction func loginBtnTapped(_ sender: Any) {

    SVProgressHUD.show()
    guard let email = emailTxt.text,
        let password = passwordTxt.text else { return }

    Auth.auth().signIn(withEmail: email, password: password) { (user, error) in
        if error != nil {
            let alert = UIAlertController(title: "Login Error", message: "Incorrect Email and/or Password", preferredStyle: .alert)
            alert.addAction(UIAlertAction(title: "OK", style: .default) { _ in })
            self.present(alert, animated: true){}
            if let error = error {
                print("error: \(error.localizedDescription)")
            }
            // This check sits inside the error branch, so it never runs after a successful sign-in.
            if Auth.auth().currentUser?.isEmailVerified == false {
                let alert = UIAlertController(title: "Unable to login", message: "Pending: email verification", preferredStyle: .alert)
                alert.addAction(UIAlertAction(title: "OK", style: .default) { _ in })
                self.present(alert, animated: true){}
                print("")
                SVProgressHUD.dismiss()
            }
        }
        // Runs on every outcome: the login screen is dismissed whether or not the email is verified.
        self.dismiss(animated: true, completion: nil)
        SVProgressHUD.dismiss()
    }
}

Expected results

Newly created user should not be able to login and open the app unless email is verified.

You need to check on the Firebase database for the field that says "is email verified" and then if that BOOL value is TRUE, then let them in the app. The bool value will turn to TRUE automatically after they click the link in their email. So instead of doing it like you're doing, query the user table for that user and check the boolean value for whether they are verified; if they are not, then don't let them in. Good luck and have a fabulous day.

You should keep the user account disabled until the email address is verified. That seems to be the only way to securely forbid login.

Typically, you may use sendSignInLinkToEmail() to send an email address validation message with a specific URL. The user will be automatically redirected to this URL after the email validation process.

In our case, we invite the user to create a password and then activate their account before redirecting them to the login screen.

I was able to get this working as expected. The user needs to verify the email, if not, they cannot access the app. I did not have to modify the rules in Firebase. Hope this helps anyone.

loginVC

private var authUser : User? {
    return Auth.auth().currentUser
}

public func verifyEmail() {
    // Reload first so isEmailVerified reflects the server's state, not the cached user.
    authUser?.reload(completion: { (err) in
        if err == nil {
            if self.authUser?.isEmailVerified == true {
                self.dismiss(animated: true, completion: nil)
            } else {
                let alert = UIAlertController(title: "Confirm your email address.", message: "A confirmation email has been sent to" + "  " + (self.emailTxt.text ?? "") + " . " + "Click on the confirmation link to activate your account. ", preferredStyle: .alert)
                let actionTaken = UIAlertAction(title: "OK", style: .default, handler: nil)
                alert.addAction(actionTaken)
                self.present(alert, animated: true, completion: nil)
            }
        }
    })
}


@IBAction func loginBtnTapped(_ sender: Any) {
    SVProgressHUD.show()
    guard let email = emailTxt.text,
        let password = passwordTxt.text else { return }

    Auth.auth().signIn(withEmail: email, password: password) { (user, error) in
        if let error = error {
            let alert = UIAlertController(title: "Login Error", message: "Error: \(error.localizedDescription)", preferredStyle: .alert)
            alert.addAction(UIAlertAction(title: "OK", style: .default) { _ in })
            self.present(alert, animated: true){}
            print("error: \(error.localizedDescription)")
        } else {
            // Check verification only after sign-in succeeded; on failure currentUser
            // may still be a previously signed-in account.
            self.verifyEmail()
        }
        SVProgressHUD.dismiss()
    }

}

Comments
  • Firebase Authentication allows users who enter the right credentials to sign in, regardless of their email verification status. Are you saying you don't get the Unable to login alert?
  • Hi Frank, I thought that the purpose of the email verification is to avoid unauthorized users. I don't want a random user to create an account and just access the info. I'm able to access without "verification of my email address", thus, the Unable to login alert does not come up. Thank you
  • Firebase Authentication is about authenticating users. If you type (say) the correct email address and password, we trust that you are you. If you only want to allow data access to users who have verified their email address, that is possible (and known as authorization). You'll check this in the backend that you're trying to protect though, for example in security rules of your Firestore database, as shown here stackoverflow.com/a/50239804.
  • Thank you, I'll check these links and hopefully I can come up with a solution.
  • Do you create the account and keep them disabled until the email is verified? Or is there a way that when the user creates the account from the app it is disabled until the verification? If yes, is there a post I can take a look at?
  • Accounts are created disabled with basic information (email, preferred language) and an email invite is sent. After some time we can delete accounts which are disabled with an unverified email address.
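
Frank's comment above puts the check in the backend being protected rather than in the login screen. For a custom HTTP backend, that check can look like the following added example (not code from the thread or from Firebase): it assumes the client sends its ID token in an `Authorization: Bearer` header, and `requireVerifiedEmail`, `fakeVerifyIdToken` and the sample tokens are hypothetical names and constructed data standing in for the Admin SDK's `verifyIdToken`.

```javascript
// Added example: server-side gate on the ID token's email_verified claim.
// verifyIdToken is injected; with the Firebase Admin SDK it would be
// (t) => getAuth().verifyIdToken(t). Every other name is hypothetical.
function requireVerifiedEmail(verifyIdToken) {
  return async function gate(req) {
    const header = (req.headers && req.headers.authorization) || "";
    const match = /^Bearer (\S+)$/.exec(header);
    if (!match) return { status: 401, reason: "missing bearer token" };

    let claims;
    try {
      claims = await verifyIdToken(match[1]); // signature, expiry, audience
    } catch (err) {
      return { status: 401, reason: "invalid token" };
    }
    // A password account can sign in before the link is clicked, so a valid
    // token alone proves nothing about the mailbox. Fail closed if the claim
    // is absent (for example a sign-in method with no email).
    if (claims.email_verified !== true) {
      return { status: 403, reason: "email not verified", uid: claims.uid };
    }
    return { status: 200, uid: claims.uid, email: claims.email };
  };
}

// Constructed stand-in for the Admin SDK: opaque test tokens mapped to claims.
const SAMPLE_TOKENS = new Map([
  ["tok-verified", { uid: "u1", email: "a@example.com", email_verified: true }],
  ["tok-unverified", { uid: "u2", email: "b@example.com", email_verified: false }],
  ["tok-no-claim", { uid: "u3" }],
]);
async function fakeVerifyIdToken(token) {
  if (!SAMPLE_TOKENS.has(token)) throw new Error("bad signature");
  return SAMPLE_TOKENS.get(token);
}

// Runs the gate over each constructed request and returns the status codes.
async function demo() {
  const gate = requireVerifiedEmail(fakeVerifyIdToken);
  const out = {};
  for (const t of ["tok-verified", "tok-unverified", "tok-no-claim", "tok-forged"]) {
    out[t] = (await gate({ headers: { authorization: "Bearer " + t } })).status;
  }
  out.none = (await gate({ headers: {} })).status;
  return out;
}

demo().then((statuses) => console.log(statuses));
```

The claim is read from the token the client presents, so after the user clicks the link the app has to refresh its ID token before this gate lets it through.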