auth.token.email_verified is not true after verification.


Anton Struzhkin

Oct 28, 2016, 1:06:00 AM
to Firebase Google Group
I tried to base my Firebase Realtime Database rules on auth.token.email_verified for auth.provider == 'password' but got stuck on a problem. My algorithm is as follows:
1.) I register a new user with email and password.
2.) With Firebase.reload() the app waits until Userinfo.isEmailVerified becomes true while I go to my mailbox to click the verification link.
3.) I try to read some data and get 'permission denied'.

For testing's sake I have already simplified my rules to:

{
  "rules": {
    "record_limits": {
      ".read": "auth.token.email_verified == true"
    }
  }
}


My data is:
{
  "record_limits": {
    "max": 170,
    "min": 100
  }
}

If I change auth.token.email_verified to false, everything works fine. Again, I want to emphasize that Userinfo.isEmailVerified returns true.

Kato Richardson

Oct 28, 2016, 11:01:34 AM
to Firebase Google Group

Hi Anton,

Can you create a minimal repro (less than 100 lines of code that runs and reproduces the error, version info, sample data, security rules, and steps to reproduce) we can use to verify and troubleshoot? My initial guess would be that it’s a timing issue and the data is accessed before auth takes place.

You may also get some interesting clues by turning on debug logging:

JS:  firebase.database().enableLogging(true);
iOS:  [FIRDatabase setLoggingEnabled:YES];
Android:  FirebaseDatabase.getInstance().setLogLevel(Logger.Level.DEBUG);

Also, in this case, it would be good to see the output from the simulator to prove that's the only rule being evaluated.

☼, Kato


--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398

Jacob Wenger

Oct 28, 2016, 8:56:27 PM
to fireba...@googlegroups.com
Hey Anton,

This is because the underlying Firebase ID token is not automatically updated when a user verifies their email. The token will eventually refresh after at most one hour and it will have the correct value for email_verified. However, you should be able to force this ID token refresh to happen by calling reauthenticate().

Cheers,
Jacob
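
Added example, not part of any post in this thread: a Node.js diagnostic that decodes an ID token's payload to show the email_verified claim the rule evaluates, next to the profile flag the SDK reports after reload. The tokens, timestamps and function names are constructed for illustration.

```javascript
// Decode the payload (second segment) of a JWT without verifying it.
// Diagnostic use only: never base an access decision on an unverified token.
function decodeClaims(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected 3 segments');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Compare what the rule sees (token claim) with what the client profile says.
function diagnose(idToken, profileEmailVerified, nowSeconds) {
  const claims = decodeClaims(idToken);
  const claimVerified = claims.email_verified === true;
  return {
    // Outcome of ".read": "auth.token.email_verified == true"
    rulePasses: claimVerified,
    // Profile was reloaded, but the token was minted before verification
    stale: profileEmailVerified !== claimVerified,
    // Worst-case wait before the token is replaced by a fresh one
    secondsUntilExpiry: Math.max(0, claims.exp - nowSeconds),
  };
}

// Build a constructed, unsigned sample token (placeholder signature).
function makeSampleToken(claims) {
  const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const header = { alg: 'RS256', typ: 'JWT' };
  return [b64url(header), b64url(claims), 'constructed-signature'].join('.');
}

const ISSUED_AT = 1477630000; // constructed timestamp (seconds)
const baseClaims = {
  email: 'user@example.com', // constructed address
  iat: ISSUED_AT,
  exp: ISSUED_AT + 3600, // ID tokens live for one hour
  firebase: { sign_in_provider: 'password' },
};
// Token minted at sign-up, before the verification link was clicked.
const STALE_TOKEN = makeSampleToken({ ...baseClaims, email_verified: false });
// Token minted after the refresh, carrying the updated claim.
const FRESH_TOKEN = makeSampleToken({ ...baseClaims, email_verified: true });

// Ten minutes after sign-up: profile says verified, token still says false.
console.log(diagnose(STALE_TOKEN, true, ISSUED_AT + 600));
console.log(diagnose(FRESH_TOKEN, true, ISSUED_AT + 600));
```

With the stale token the rule is denied even though the reloaded profile reports a verified email, which matches the 'permission denied' in the first post.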

Jam Hsu

Nov 3, 2016, 9:56:49 AM
to Firebase Google Group
I remember that in previous versions of the Android SDK before 9.8, we could get the isEmailVerified flag to refresh if we only called reload on the user. But now we need to call reauthenticate(); is this your modification?

Thanks

On Friday, October 28, 2016 at 1:06:00 PM UTC+8, Anton Struzhkin wrote:

Bassam

Nov 3, 2016, 5:27:36 PM
to Firebase Google Group
Hey Anton,
Calling reload on the user should refresh the isEmailVerified flag to the latest value.

Bassam