Firebase email verification at SignUp - swift

How should I go about verifying an email address prior to the user signing up with Firebase?
I know that an email address is verified with .sendEmailVerification, however this only works on the current user. Hence a user must be already created before sending a verification email. This would not be of much help since you obviously have to verify an email before adding it to your database. Therefore, what is a good workaround?

You can't verify the email prior to sign up with Firebase Auth. Email verification is not always required. This is why Firebase Auth provides it as a method on the user. Some applications do not require email verification on sign-up, others may make it optional, others may offer limited access to unverified users, etc.
If you want to require users to be verified before accessing your app content, you can either:
enforce that via Firebase rules, e.g.:
    ".read": "auth.token.email_verified === true"
Or, if you are using your own backend, use the Firebase Admin SDK,
https://firebase.google.com/docs/auth/admin/verify-id-tokens:
    admin.auth().verifyIdToken(idToken).then(decodedToken => {
      if (decodedToken.email_verified) {
        // Email verified. Grant access.
      } else {
        // Email not verified. Ask user to verify email.
      }
    });

Related

Different emails for different firebase users Flutter

I have 2 kinds of users.
Admin.
User.
And there are 2 registrations.
After registration, you will receive a confirmation email. How to make a different email structure for different users?
For example:
Hello Admin, please confirm your email.
and for the user:
Hi User, please verify your email.
The built-in email verification feature of Firebase Authentication uses a single email template for all users and doesn't allow customization of the content of the email.
If you want to send different emails to different types of users, you'll have to take control of the entire verification process. Once you've verified the email address, you can use the Admin SDK to set the emailVerified flag of the user.
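One way to take control of the verification step described above, as an added example that is not code from the original answers or from Firebase: an HMAC-signed, expiring, single-use token carried in a role-specific email. The names SECRET, TTL_MS, usedNonces, TEMPLATES and the app.example URL are assumptions, and the in-memory Set stands in for a database table.

```javascript
const crypto = require('crypto');

// Assumptions for this sketch: a server-side secret, a 30 minute lifetime,
// and an in-memory Set standing in for a database table of redeemed nonces.
const SECRET = crypto.randomBytes(32);
const TTL_MS = 30 * 60 * 1000;
const usedNonces = new Set();

// Hypothetical per-role templates, using the wording from the question.
const TEMPLATES = new Map([
  ['admin', (link) => `Hello Admin, please confirm your email.\n${link}`],
  ['user', (link) => `Hi User, please verify your email.\n${link}`],
]);

const sign = (payload) =>
  crypto.createHmac('sha256', SECRET).update(payload).digest('hex');

// The token binds uid and email, so it cannot confirm a different address.
function issueToken(uid, email, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const claims = JSON.stringify({ uid, email, nonce, exp: now + TTL_MS });
  const payload = Buffer.from(claims).toString('hex');
  return `${payload}.${sign(payload)}`;
}

function buildEmail(role, uid, email, baseUrl = 'https://app.example/verify') {
  const template = TEMPLATES.get(role);
  if (!template) throw new Error(`unknown role: ${role}`);
  return template(`${baseUrl}?token=${issueToken(uid, email)}`);
}

// Returns { uid, email }, or null for a forged, expired or reused token.
function redeemToken(token, now = Date.now()) {
  const [payload, mac] = String(token).split('.');
  if (!payload || !mac) return null;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(payload, 'hex').toString());
  if (now > claims.exp || usedNonces.has(claims.nonce)) return null;
  usedNonces.add(claims.nonce); // single use
  // A real backend would now call:
  //   admin.auth().updateUser(claims.uid, { emailVerified: true })
  return { uid: claims.uid, email: claims.email };
}
```

The MAC is checked before the payload is parsed, so unauthenticated input never reaches JSON.parse.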

In Cognito, how can I rollback my old email after the request of changing a new wrong email

I am using Cognito in my service and I want to enable my service to change email address.
In my frontend, I added code like this.
const email = 'foo@example.com'; // input
const user = await Auth.currentAuthenticatedUser();
await Auth.updateUserAttributes(user, { email });
I found this updateUserAttributes not only sends a verification email, but also changes the email address and sets Email verified to false before verification succeeds.
When a user sends a wrong email address, I think the user will no longer be able to log in, because the user cannot access the verification code or log in with the old email.
Is there a function like rolling back to the old email address in Cognito?
After some digging, I found the related issue
I found this updateUserAttributes not only sends a verification email, but also changes the email address and sets Email verified to false before verification succeeds.
Unfortunately, this is a Cognito-side problem, and now there is no way to solve it fundamentally.
In the issue, Can-Sahin's approach may help you.

Should I verify email addresses of Google Sign In users?

I am implementing an email verification service, with the purpose of confirming that the person registering is indeed the owner of that email address (specifically, that they work at the organisation that the email domain belongs to).
I will send an email post-registration with a single-use link in it that will set their status to verified = 1.
Users can choose to register and log-in using either a simple email/password combination, or by using the Google Sign In service.
My question is: do I need to verify the ones that have registered with Google Sign In? In order to provide their email address to me, they had to sign in with Google, who then confirmed the address. Is there anything I've missed here, or can I immediately consider these users to be the verified owners of these addresses?
If you are using google sign in there is no need to verify the user.
Whereas if you have your own login system, then you must verify the email because
if the email is not verified then you cannot have forgotten password feature through email
and also the user might not have actually had the email so anyone else could create the same email and if you have forgotten password through email someone else could easily access others data.

Register with Facebook sometimes doesn't provide email

I'm using Register with Facebook as one of the ways to log in to my web app, and expressly ask for the "email" permission.
On login, some of the user data ($facebook->api('/me')) is stored into the users database, however, sometimes the email field just doesn't exist - is this a common problem?
Just a guess...
The facebook documentation says:
note: this field will not be returned if no valid email address is available for the user
Source: https://developers.facebook.com/docs/reference/api/user/
So when an email address becomes invalid (users who haven't used facebook in years and have destroyed/changed their email address since, for example), facebook may stop returning this field.
5% of invalid addresses may sound big, but if I check my facebook friends, I think more than 5% of them never use their account, and I wouldn't be surprised if the address they used when they signed in is now invalid.
Users don't always have to provide an email address in order to use Facebook. They can also sign up via SMS, though it's far less common.
In short, FB won't always have an email address, so can't serve it to your app.
Try:
// Just to make sure email are permitted
//$facebook->getLoginUrl(array('req_perms' => 'email'))
// Request email
FB.api('/me?scope=email', function(response) { /*...*/ });
Or:
$email = $facebook->api('user_id?fields=email');
PROBLEMS:
The user changed the visibility of its email address to "only me" and thus you have no way to get it.
The user registered with SMS instead of email as mentioned in the previous answer.
ALTERNATIVE:
If you absolutely need to contact the user but you cannot get its email address, you can still get its Facebook email (everybody has this email): "user_name@facebook.com".
If the user uses a POP server he will directly receive the email in GMail or others, if not he will receive your email as a private message. The only drawback of this method is that your email must be "plain/text" and not "HTML".
One thing is that users don't always have to provide an email address in order to use Facebook (they could have registered through mobile), as mentioned by Colm. Apart from this:
Please check that if the user has definitely granted you the email extended permission or it hasn't subsequently been revoked. To have a check on this you could use the permissions api-
/USER/permissions
I had a similar problem & I found the cause for this. This problem occurs for users who have not set their Primary Email Address (they have many email addresses but they haven't pointed out which is their primary email address) under the General Account setting tab.
I tried using such accounts on various famous sites which have Facebook login & even they couldn't retrieve the email address from such accounts.
So, it's not a problem with the code (assuming you have asked for permissions). We just have to handle such scenarios & let users know that we didn't receive their email address. Like Klout does.
Thanks
In addition to what @Jigar Jain wrote above, users can actually uncheck the email permission during the sign-in flow. If that's the case, his/her email address will not be returned by Facebook.
It's up to you to implement a logic that makes login unsuccessful if the user unchecks the email permission, to force your users to choose another login method that will guarantee the return of the user's email address.
It is not mandatory for someone to give their email address while signing up with Facebook. An alternate approach would be to ask the user to link their email id in the Facebook account settings. That way you can fetch the email id, if that's a mandatory field in your DB. Otherwise you can continue with the id provided by FB which is unique.

Intermittent missing email address in facebook API

My application uses the "https://graph.facebook.com/me" request with an OAuth token to obtain properties about the user. Email address is one of the properties we need, and we do explicitly request that permission when we request access.
It's working fine 99% of the time, but on a few occasions the response comes back without any object in the JSON data named "email".
Is there an explanation as to why this might happen, such as a way a user could grant us permission but still block their email address? Or could it be found under another key?
Thanks.
Short answer: Not all users have an email address available and those who do may not have a valid, reachable email address
The documentation for the email field of the user object ( https://developers.facebook.com/docs/reference/api/user/ ) clarifies the expected behaviour here, which is:
"this field will not be returned if no valid email address is available"
There are a number of circumstances in which you may think a user should have an email address returned but they will not. Some common reasons:
No Email address on account
No confirmed, verified email address on account
User entered a security checkpoint which required them to reconfirm their email address and they have not yet done so
User's email address is unreachable
You also need the email extended permission (which users can choose not to allow), even for users who have a valid, confirmed, reachable email address on file.
The mobile signup form at http://touch.facebook.com/r.php allows you to signup with an email address or phone number. So I don't think all Facebook users have an email address stored with them.
The user can revoke the email address permission on the app privacy settings page without revoking the full application. You could first call /me/permissions to make sure the email permission is still granted.
If you are using facebook SDK 2.4 or higher you need to add "fields" in the strategy
Below is an example for oAuth library.
FacebookStrategy.php line 131
BEFORE:
$me = $this->serverGet('https://graph.facebook.com/me', array('access_token' => $access_token), null, $headers);
AFTER:
$me = $this->serverGet('https://graph.facebook.com/me', array('access_token' => $access_token,'fields'=>'email,name,first_name,last_name,age_range,gender'), null, $headers);
Regardless of the field list, if you want to get more information that is not by default provided by Facebook, the permissions need to be in the "scope" array.
Default data provided by SDK includes: email, public profile, user_friends
Had the same problem and discovered that in the rare cases where this happens the user did not have a primary e-mail address defined (although 2 addresses were registered). We're not able to reproduce such a constellation, since normally it is not possible not to have a primary e-mail address.
Can anyone confirm something similar?
A missing email field happens when the user doesn't confirm his primary address by clicking the link in the activation message.
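The handling suggested across the two Facebook threads above (check /me/permissions, treat a missing email as a normal case, key the account on the Facebook id), as an added example that is not code from any of the answers. The function names, the action labels and the response shapes are assumptions; the shapes follow the Graph API v2+ style and the sample objects are constructed.

```javascript
// Response shapes assumed here (constructed samples, Graph API v2+ style):
//   GET /me?fields=id,name,email -> { id, name, email? }
//   GET /me/permissions          -> { data: [{ permission, status }] }

function emailPermissionStatus(permissions) {
  const rows = permissions && Array.isArray(permissions.data)
    ? permissions.data
    : [];
  const row = rows.find((p) => p && p.permission === 'email');
  return row ? row.status : 'not_requested';
}

// Decide what to do after login. The account is always keyed by the
// Facebook user id, which is present even when the email field is not.
function resolveFacebookLogin(me, permissions) {
  if (!me || !me.id) throw new Error('profile response has no id');
  const base = { accountKey: `facebook:${me.id}`, email: null };
  const email = typeof me.email === 'string' ? me.email.trim() : '';
  if (email) return { ...base, email, action: 'continue' };

  const status = emailPermissionStatus(permissions);
  if (status === 'granted') {
    // Permission is fine, so the account has no valid email to return
    // (phone signup, unconfirmed or unreachable address, no primary set).
    return { ...base, action: 'ask_user_for_email' };
  }
  // Declined at the dialog, revoked later, or never requested.
  return { ...base, action: 'reprompt_email_permission', status };
}

// Constructed sample responses.
const SAMPLE_GRANTED = { data: [
  { permission: 'public_profile', status: 'granted' },
  { permission: 'email', status: 'granted' },
] };
const SAMPLE_DECLINED = { data: [
  { permission: 'public_profile', status: 'granted' },
  { permission: 'email', status: 'declined' },
] };
```

An address collected through the 'ask_user_for_email' path comes from the user, not from Facebook, so it needs its own verification before it is used for account recovery.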