8

In other words, is there a way to verify that when the user sets, let's say, a users//email value, it is indeed the email id of the user who is logged in?

We are building a firebase application, where certain aspects of the service are delivered via email notifications. We do not want to be sending emails to the wrong user. There seems to be no way to guarantee that the email info written to the users//email path is indeed the same as the email used to login (directly or via google or facebook etc.)

In my opinion, if auth (rules) had in addition to auth.uid an auth.email field it would solve the problem and rules could be written to handle the use case.

Frank van Puffelen
kvs
  • Why would you want to? The email address reported by my google account is not the same as the address at which I prefer to receive email. As long as you have verified ownership of an address by sending an email to it with a confirmation link, then it shouldn't matter exactly what address it is. – Ian Roberts Jun 23 '16 at 08:32
  • The reason is if we are providing service to an email, and there is inconsistency it becomes a future security risk. A malicious user can potentially spoof emails of other people and can potentially avail service/credits etc. – kvs Jun 24 '16 at 06:39

1 Answer

13

The latest release of Firebase Authentication supports email verification.

If an identity provider (email+password, google) supports optional email address verification, that information is made available in the API and in the security rules. (**)

For example, the JavaScript API has an emailVerified property that you can check in your code:

firebase.auth().currentUser.emailVerified

true

In the security rules you can access both the email address and whether it is verified, which makes some great use-cases possible. With these rules for example only an authenticated, verified gmail user can write their profile:

{
  "rules": {
    ".read": "auth != null",
    "gmailUsers": {
      "$uid": {
        ".write": "auth.token.email_verified == true && auth.token.email.matches(/.*@gmail\\.com$/)"
      }
    }
  }
}

(**) This applies to Google sign-in and email+password for sure. As far as I know, Facebook will only expose the email address if it's been verified, so you could rely on that.

Frank van Puffelen
  • I do not find auth.token in any documentation of security rules. Could you please post a link? This seems like it could work. – kvs Jun 24 '16 at 06:48
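As an added illustration (not code from the answer above or from Firebase), the JavaScript below mirrors how that `.write` rule would be evaluated against a decoded auth token, so the policy can be unit-tested offline before it is deployed. It goes one step further than the posted rule by also requiring the `$uid` being written to equal `auth.uid`, and it escapes the dot in `gmail\.com`; the `canWriteProfile` function and the sample tokens are constructed for this example.

```javascript
// Stand-in for the Realtime Database rule engine: evaluates the policy
//   auth.token.email_verified == true &&
//   auth.token.email.matches(/.*@gmail\.com$/) &&
//   $uid == auth.uid
// against an `auth` object shaped like what rules see:
//   { uid, token: { email, email_verified } }.

// Allowed sender domain; the dot is escaped so a lookalike such as
// "x@gmailXcom" does not pass the check.
const ALLOWED_EMAIL = /.*@gmail\.com$/;

function canWriteProfile(auth, uid) {
  if (!auth || !auth.token) return false;                  // unauthenticated request
  if (auth.token.email_verified !== true) return false;    // provider did not verify the address
  if (typeof auth.token.email !== 'string') return false;  // provider exposed no email at all
  if (!ALLOWED_EMAIL.test(auth.token.email)) return false; // wrong domain
  return auth.uid === uid;                                 // only the owner's own node
}

// Constructed sample tokens of the kind a provider would mint (not real users).
const SAMPLES = {
  verifiedGmail:   { uid: 'u1', token: { email: 'alice@gmail.com',   email_verified: true } },
  unverifiedGmail: { uid: 'u2', token: { email: 'bob@gmail.com',     email_verified: false } },
  otherDomain:     { uid: 'u3', token: { email: 'carol@example.org', email_verified: true } },
  lookalike:       { uid: 'u4', token: { email: 'dave@gmailXcom',    email_verified: true } },
  noEmail:         { uid: 'u5', token: { email_verified: true } },
};

// Evaluate every sample writing to its own node; returns { name: allowed }.
function summarize() {
  const out = {};
  for (const [name, auth] of Object.entries(SAMPLES)) {
    out[name] = canWriteProfile(auth, auth.uid);
  }
  return out;
}

console.log(summarize());
```

Only `verifiedGmail` is allowed; every other sample, and a verified user writing to someone else's `$uid`, is rejected.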