I've been facing a weird behaviour while implementing the email verification through Firebase. After creating an account through an Android app, I send an email verification for the user.

The email is being sent properly but it gets verified automatically even before clicking on the link (as in firebaseAuth.currentUser.isEmailVerified will return true after that). If the user presses on the link afterwards, it will say:

Your request to verify your email has expired or the link has already been used

This only happens with custom domains though. For example, if the user uses a Gmail account, everything goes normally.

Some more info

The credentials responsible for the email verification are restricted for HTTP referrers with https://{APP-ID}.firebaseapp.com for the APIs Firebase Dynamic Links API and Identity Toolkit API.

Any ideas on what might be happening?

Odin

1 Answer

Did you previously make an account with that email, verify the email, then delete the account? I had this same issue; it seems like Firebase remembers email verification by email address, not by account.

This is likely an issue with Firebase (albeit a rarer edge case in practical use), but if you're just doing testing, try using another email.

UPDATE: See comment below; it appears to be domain-related.

Reid Moffat
  • Oh, that actually might be the issue! Yeah, I deleted the account and used the same email that I had already verified before. It's going to be tricky to test that again since I don't have another email with the same domain, but I will let you know what happens. Thanks a lot! – Odin Oct 24 '22 at 12:36
  • I made a bug report with Firebase, and (at least in my case) it appears to be the domain that's causing the issue. Here's the MVCE: https://github.com/reid-moffat/firebase-auth-bug-report. I could replicate the issue on my university domain but not with Gmail, for example. The Firebase representative said this in the support ticket: "My conclusion is that the domain @queensu.ca is what is causing the strange behavior which implies that the troubleshooting should be carried out on the configuration of the domain. If you have further questions, feel free to write back." – Reid Moffat Nov 23 '22 at 19:49
  • Thank you so much for the follow-up and update! I contacted Firebase before but didn't really put in the time to do an MVCE. That's exactly my issue; Gmail behaves as expected but not the custom domain, so it could be the same issue. I'll try to contact devops and see if we can figure out what's going on with the domain. Thanks again and I'll update you if I have new information! – Odin Nov 24 '22 at 08:26