
I need to implement a standard user registration/activation workflow with Firebase. There doesn't seem to be an obvious way to implement this. When I say "standard", I mean how most email/password accounts work - not necessarily specific to Firebase. I'm sure you're familiar with this. This is the workflow:

  • User enters their username/password on a form with some validation and submits details
  • The back-end creates the user record in the database, but the account remains deactivated (i.e. user cannot authenticate - the activated flag is set to false)
  • The back-end sends an email to the user with a link to activate the account
  • The user clicks the link in their email which triggers activation. This is probably a Web API of some description.
  • At this point, the user record's activated flag ticks over to true, and the user can now authenticate
  • The link probably also has a deep link that opens the app or navigates to a web page
  • The user can now log into the app

How do I configure Firebase to do all this?

Currently, the app allows the user to register. I am using the Flutterfire SDK. I call createUserWithEmailAndPassword, which successfully creates the user in Firebase. But the user is already activated. The user should have a state of "disabled" in Firebase until the account becomes activated. I can't find any settings to default the user to disabled when the account is first created.

I also managed to get Firebase to send out an activation email by calling sendSignInLinkToEmail, but this call is really designed for email authentication - not email activation. Opening the link should activate the account, but I have not figured out how to do this. This documentation makes it sound like it is possible. Perhaps the Flutterfire SDK is missing this? I don't want to allow people to log in without a password. I only want to use this call to send out an email.

What am I missing here? Is this non-standard behavior for Firebase? If so, why? If the user is allowed to use an app with an email address that is not activated, they can impersonate someone else. We need to confirm at least that they are custodians of the email address that they are claiming to have.

Do other Firebase people just not worry about this?

Lastly, I know I can achieve this by creating a collection for users in Firebase and putting an "activated" flag there. But, if I do that, I've got to write a cloud function that accepts the link and then updates the user in the collection based on the received link. But I thought this would be automatic in Firebase. If Firebase doesn't have this built-in, I have to put all the security over the top to stop users from authenticating when they have not yet activated their account.

1 Answer

This is a pretty valid concern. I suppose the way around this is to check whether the signed-in user is verified whenever the app is launched. The User object that is returned from Firebase Auth has an emailVerified flag. Check this page for more details.

Using this flag you can choose to show a different screen or pop-up that has a button to send a verification link to the registered email address. Until the user verifies this address, you can limit access to some of the app's screens if you want.

Please note that I have not checked if this emailVerified flag is true for sign ups using Federated login providers like Google Sign-in and Apple Sign In. You might want to check that out.


Comments

Ok, this is a great tip. I think it points me in the right direction. Are you saying that if the user opens the link they receive by email, the email should be verified? And, this flag will become true?
Yes, it should work. You can send a verification email using the method sendEmailVerification(). This will send a link that allows the user to verify their email. Check out this link for details --- firebase.google.com/docs/auth/flutter/…
The Flutterfire SDK doesn't have a sendEmailVerification method. It only has sendSignInLinkToEmail. Is it missing in Flutter?
Actually, I found it. It's on the user instead of the auth object itself...
"Please note that I have not checked if this emailVerified flag is true for sign ups using Federated login providers like Google Sign-in and Apple Sign In." That depends on the specific email address and the provider. Most common example: the Google provider will set isVerified to true for @gmail.com addresses, and the Facebook provider will do so for @facebook.com addresses. Outside of those, you indeed have to send an email from Firebase to verify them.
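The answer above gates screens on the client-side User.emailVerified flag, and the comments note that the flag is also set by some federated providers. That check is a UX gate, not a security boundary: a modified client simply skips it. What actually stops an unverified account from using backend resources is the email_verified claim inside the signed Firebase ID token, checked by whatever the client calls (a Cloud Function, an Express API, or Firestore/Storage security rules). The following is an added example, not code from the question, the answer, or the Firebase/FlutterFire projects. It assumes an Express- or Cloud-Functions-style request object with a headers map; the verifyIdToken argument is injected so the file runs offline, and the fakeVerifyIdToken lookup table is a constructed stand-in. In production you pass admin.auth().verifyIdToken from firebase-admin, which validates signature, issuer, audience and expiry and resolves to the decoded claims.

```javascript
'use strict';

// Added example (not the question's or answer's code): server-side enforcement
// of "email verified" for a Firebase-authenticated request. The client-side
// emailVerified check is bypassable; the signed email_verified claim is not.

// Parse "Authorization: Bearer <idToken>"; return the token string or null.
function extractBearerToken(headers) {
  const value = headers ? (headers.authorization || headers.Authorization) : undefined;
  if (typeof value !== 'string') return null;
  const match = /^Bearer\s+(\S+)$/i.exec(value.trim());
  return match ? match[1] : null;
}

// Build the guard. verifyIdToken is injected so this file runs offline; in a
// real backend pass admin.auth().verifyIdToken from firebase-admin, which
// checks signature, issuer, audience and expiry and resolves to the decoded
// claims (uid, email, email_verified, ...).
function makeRequireVerifiedEmail(verifyIdToken) {
  return async function requireVerifiedEmail(req) {
    const token = extractBearerToken(req.headers);
    if (token === null) {
      return { status: 401, error: 'missing bearer token' };
    }
    let claims;
    try {
      claims = await verifyIdToken(token);
    } catch (err) {
      // Forged, expired or revoked token: treat as unauthenticated.
      return { status: 401, error: 'invalid ID token' };
    }
    // Strict boolean comparison: a missing claim (e.g. a phone-only account
    // with no email at all) must not be treated as verified.
    if (claims.email_verified !== true) {
      return { status: 403, error: 'email address not verified', uid: claims.uid };
    }
    return { status: 200, uid: claims.uid, email: claims.email };
  };
}

// Constructed stand-in for admin.auth().verifyIdToken, for offline use only:
// a table of opaque token strings to decoded claims. Never do this in
// production; the real verifier's job is to check the token signature.
const FAKE_TOKENS = {
  'tok-alice': { uid: 'uid-alice', email: 'alice@example.com', email_verified: true },
  'tok-bob': { uid: 'uid-bob', email: 'bob@example.com', email_verified: false },
  'tok-carol': { uid: 'uid-carol', phone_number: '+15555550100' },
};
async function fakeVerifyIdToken(token) {
  const claims = FAKE_TOKENS[token];
  if (!claims) throw new Error('auth/argument-error: cannot decode token');
  return claims;
}

// Run the guard over a few constructed requests and return the outcomes:
// 200 for a verified email, 403 for an unverified or absent email,
// 401 for a forged token or no token at all.
async function demo() {
  const guard = makeRequireVerifiedEmail(fakeVerifyIdToken);
  const requests = {
    verified: { headers: { authorization: 'Bearer tok-alice' } },
    unverified: { headers: { authorization: 'Bearer tok-bob' } },
    noEmail: { headers: { authorization: 'Bearer tok-carol' } },
    forged: { headers: { authorization: 'Bearer tok-mallory' } },
    anonymous: { headers: {} },
  };
  const results = {};
  for (const [name, req] of Object.entries(requests)) {
    results[name] = await guard(req);
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

The same claim is what Firestore and Storage security rules expose as request.auth.token.email_verified, so a rule such as `allow read, write: if request.auth != null && request.auth.token.email_verified == true;` enforces the policy for direct SDK access without any Cloud Function. Two practical caveats: the claim is baked into the ID token, so after the user clicks the verification link the client must refresh the token (in FlutterFire, user.reload() followed by getIdToken(true)) before the backend sees email_verified as true; and, as the last comment says, some providers assert a verified email at sign-in, so the check behaves consistently for those accounts without a separate verification email.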
