How to prevent user verification email abuse?


harry_sb

May 20, 2017, 11:17:46 AM
to Firebase Google Group
I'm currently using Google Identity Toolkit for my web application using Google App Engine backend. 

With Identity Toolkit my backend app used to send the verification email. User could click on "Resend Verification Email" on the UI to resend the email to their email address. To prevent abuse, the backend had a limit of 3 verification emails to be sent to an address.

With Firebase, the client JavaScript SDK sends the verification email. Is there any built-in feature to prevent abuse? Otherwise, is there a recommended way to prevent abuse (what if a user registers with email / password using someone else's email address and starts to abuse the "Resend Verification Email" option), or do I still need to build my own mechanism to track the number of verification emails sent to an email address?

Thanks.


Kato Richardson

May 23, 2017, 4:55:16 PM
to Firebase Google Group
Hi Harry,

Firebase Authentication does enforce abuse prevention. For example, only a certain number of requests can be sent from any given IP address over a rolling time period. There are others, but I'm not really familiar with what I can say publicly about them. 

I haven't heard of a limit based on the destination email address either, but there could be one. That should be easy to find out : )

☼, Kato

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/4ba5aabb-b383-4e5b-9a98-0645f688544b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398

Kato Richardson

May 27, 2017, 12:28:16 PM
to Firebase Google Group
Harry, 

Thanks for this. I've been talking this over with the Auth gurus over the course of the past week. There is a lot to unpack here, so I'm just going to give you a few highlights.

There are instructions in the email that it can be ignored if the recipient didn't request an account.

As a workaround, the user can verify the account, which would stop any email from being sent. Obviously less than ideal since the recipient of the emails may not trust your app enough to find this a happy answer.

A couple of solutions we will look at for feasibility are 1) a link to report spam in the email, or 2) throttling the number of requests similar to GitKit.

Thanks so much for the feedback. It led to some great internal discussion and ultimately I filed a feature request on your behalf. Great stuff. I don't have any idea when this might get implemented, but it's now on the radar. 

☼, Kato



Kato Richardson

May 27, 2017, 12:33:25 PM
to Firebase Google Group
I should add that all of these thoughts (directly addressing the verification email process) are in addition to the existing prevention mechanisms (a bit more broad) that I already mentioned in the previous thread.
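The per-address cap that the original question describes (the GitKit-era backend refusing after 3 verification emails to one address) and the request throttling Kato lists as a candidate fix can both be implemented on your own server rather than waiting for a platform feature. Below is an added example in Node.js, not code from Firebase, GitKit or either poster. It assumes the client calls your backend endpoint instead of the client SDK's send method, and that the backend does the actual delivery (for instance a mailer fed by the Admin SDK's generateEmailVerificationLink); that delivery is injected as a `sendFn` stub so the module runs offline. The per-IP window size and limit are assumptions, the 3-per-address value comes from the thread, and the `demo` scenario is constructed.

```javascript
'use strict';
// Added example (not Firebase's, GitKit's or the poster's code): a server-side throttle
// for "resend verification email" requests. It enforces the 3-per-address cap from the
// thread plus an assumed rolling per-IP window, and stops sending once an address is
// verified (Kato's workaround). Delivery is injected as `sendFn` so this runs offline.

const DEFAULTS = {
  maxPerAddress: 3,          // lifetime cap per address (value from the thread)
  maxPerIpPerWindow: 10,     // assumption: sends allowed per client IP per window
  windowMs: 60 * 60 * 1000,  // assumption: one-hour rolling window
};

// Same reply whether or not mail went out, so the endpoint does not reveal which
// addresses are registered or how close an address is to its cap.
const GENERIC_REPLY = 'If that address is registered and unverified, a message has been sent.';

// Treat case and whitespace variants as the same mailbox so the cap cannot be sidestepped.
function normalizeEmail(email) {
  return String(email).trim().toLowerCase();
}

class VerificationMailThrottle {
  constructor({ sendFn, now = () => Date.now(), ...limits } = {}) {
    this.sendFn = sendFn;
    this.now = now;
    this.limits = { ...DEFAULTS, ...limits };
    this.perAddress = new Map(); // normalized email -> { count, verified }
    this.perIp = new Map();      // ip -> timestamps of sends inside the window
  }

  // Once an address is verified, no further verification mail is sent to it.
  markVerified(email) {
    const key = normalizeEmail(email);
    const rec = this.perAddress.get(key) || { count: 0, verified: false };
    rec.verified = true;
    this.perAddress.set(key, rec);
  }

  requestVerification(email, ip) {
    const key = normalizeEmail(email);
    const t = this.now();
    const rec = this.perAddress.get(key) || { count: 0, verified: false };

    // Rolling per-IP window: forget timestamps older than the window, then count the rest.
    const recent = (this.perIp.get(ip) || []).filter((ts) => t - ts < this.limits.windowMs);
    this.perIp.set(ip, recent);

    let reason = null;
    if (rec.verified) reason = 'already_verified';
    else if (rec.count >= this.limits.maxPerAddress) reason = 'address_limit';
    else if (recent.length >= this.limits.maxPerIpPerWindow) reason = 'ip_limit';

    if (reason) {
      // Keep the precise reason for server-side logs; the client only sees GENERIC_REPLY.
      return { sent: false, reason, clientMessage: GENERIC_REPLY };
    }

    rec.count += 1;
    this.perAddress.set(key, rec);
    recent.push(t);
    this.sendFn(key);
    return { sent: true, reason: null, clientMessage: GENERIC_REPLY };
  }
}

// Constructed scenario: one client repeatedly hits "resend" for an address it does not own.
function demo() {
  const delivered = [];
  const clock = { t: 0 };
  const throttle = new VerificationMailThrottle({
    sendFn: (addr) => delivered.push(addr),
    now: () => clock.t,
  });

  const outcomes = [];
  for (let i = 0; i < 5; i++) {
    clock.t += 1000;
    const r = throttle.requestVerification(' Victim@Example.com ', '203.0.113.7');
    outcomes.push(r.sent ? 'sent' : r.reason);
  }

  // A different address from the same IP is still allowed until the IP window fills.
  clock.t += 1000;
  const other = throttle.requestVerification('other@example.com', '203.0.113.7');
  outcomes.push(other.sent ? 'sent' : other.reason);

  // After the victim verifies, the endpoint refuses regardless of the remaining cap.
  throttle.markVerified('victim@example.com');
  const afterVerify = throttle.requestVerification('victim@example.com', '198.51.100.2');
  outcomes.push(afterVerify.sent ? 'sent' : afterVerify.reason);

  return { outcomes, delivered };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Wire `requestVerification` behind the route your "Resend Verification Email" button calls, persist `perAddress` and `perIp` in whatever store your backend already uses rather than in-process maps if you run more than one instance, and keep the reason codes in server logs only: the uniform client reply is what keeps the endpoint from doubling as an account-enumeration oracle.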