
I am currently implementing an MFA system with Firebase Authentication & Google Authenticator.

Since my users are not allowed to authenticate with a non-verified email address, I'd like to prevent them from signing in if their Firebase Authentication `email_verified` is set to false. To do that, I am using Google Cloud Identity Provider blocking functions, and this works perfectly. However, when it comes to the registration `beforeCreate` blocking function hook, I can't find a way to generate an email verification link for the user currently being created. The documentation says:

Requiring email verification on registration

The following example shows how to require a user to verify their email after registering:

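```js
const gcipCloudFunctions = require('gcip-cloud-functions');
const admin = require('firebase-admin');

admin.initializeApp();
const authClient = new gcipCloudFunctions.Auth();

// Runs before the user record is created.
exports.beforeCreate = authClient.functions().beforeCreateHandler((user, context) => {
  const locale = context.locale;
  if (user.email && !user.emailVerified) {
    // Send custom email verification on sign-up.
    // sendCustomVerificationEmail is an application-defined helper (not shown).
    return admin.auth()
      .generateEmailVerificationLink(user.email)
      .then((link) => {
        return sendCustomVerificationEmail(user.email, link, locale);
      });
  }
});

// Runs on every sign-in attempt; throwing rejects the sign-in.
exports.beforeSignIn = authClient.functions().beforeSignInHandler((user, context) => {
  if (user.email && !user.emailVerified) {
    throw new gcipCloudFunctions.https.HttpsError(
      'invalid-argument', `"${user.email}" needs to be verified before access is granted.`);
  }
});
```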

However, as far as I understand, generateEmailVerificationLink() can only be called to generate email verification link of an existing Firebase Authentication user. At this stage (while running beforeCreate blocking function), the user is not created yet.

Now I am wondering: am I missing something, or is the Google documentation wrong?

Liyali

1 Answer


No.

User data is created upon registration in the database.

Then, you may send an Email-Verification with a link automatically.

This Email-Verification just updates the field emailVerified of said user data.

If you want to prevent users with unverified Emails from logging in, you need to adjust your Login page and check whether emailVerified is true.

Important: Google will sign in a user right upon registration whether the email is verified or not, as this is the expected behavior from the perspective of a user. Email verification is ensured on the second, manual login.

(Also, please do not screenshot code.)

Dabbel
  • Thanks for your explanation, I just replaced my screenshot accordingly, however this does not answer my question: is the documentation wrong or am I missing something? – Liyali May 17 '22 at 07:23
  • Also, note that it is possible to prevent users from logging in upon registration if their email is not verified by checking the email verified status in the `beforeSignin` hook, that's the whole point of these blocking functions AFAIU. – Liyali May 17 '22 at 07:25
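
The thread discusses enforcing email verification in the login page and in the `beforeSignIn` hook; a backend that receives Firebase ID tokens can apply the same rule to the decoded token's `email_verified` claim. The following is an added example, not code from the posts or from Google's documentation. `evaluateClaims`, its options and the sample payloads are assumptions made for illustration, and the code assumes `firebase.sign_in_second_factor` is set only when the sign-in completed a second factor.

```javascript
// Input: the decoded ID token payload, e.g. what the Admin SDK's
// admin.auth().verifyIdToken(idToken) resolves to after signature checks.
function evaluateClaims(claims, options = {}) {
  const { allowNoEmail = false, requireSecondFactor = false } = options;
  if (claims === null || typeof claims !== 'object') {
    return { allow: false, reason: 'no-claims' };
  }
  const hasEmail = typeof claims.email === 'string' && claims.email.length > 0;
  if (!hasEmail) {
    // The page's beforeSignIn test (user.email && !user.emailVerified) lets
    // accounts without an email through; here that is an explicit policy choice.
    if (!allowNoEmail) return { allow: false, reason: 'no-email' };
  } else if (claims.email_verified !== true) {
    // Strict comparison: "true", 1 or a missing claim all count as unverified.
    return { allow: false, reason: 'email-not-verified' };
  }
  if (requireSecondFactor) {
    const fb = claims.firebase;
    const factor = fb && typeof fb === 'object' ? fb.sign_in_second_factor : undefined;
    if (typeof factor !== 'string' || factor.length === 0) {
      return { allow: false, reason: 'second-factor-missing' };
    }
  }
  return { allow: true, reason: 'ok' };
}

// Constructed sample payloads (not real tokens).
const SAMPLES = {
  justRegistered: { uid: 'u1', email: 'new@example.com', email_verified: false,
                    firebase: { sign_in_provider: 'password' } },
  verifiedNoMfa: { uid: 'u2', email: 'a@example.com', email_verified: true,
                   firebase: { sign_in_provider: 'password' } },
  verifiedTotp: { uid: 'u3', email: 'b@example.com', email_verified: true,
                  firebase: { sign_in_provider: 'password', sign_in_second_factor: 'totp' } },
  stringFlag: { uid: 'u4', email: 'c@example.com', email_verified: 'true' },
  anonymous: { uid: 'u5', firebase: { sign_in_provider: 'anonymous' } },
};

// Returns { sampleName: reason } for every constructed payload.
function decideAll(options) {
  const out = {};
  for (const [name, claims] of Object.entries(SAMPLES)) {
    out[name] = evaluateClaims(claims, options).reason;
  }
  return out;
}

console.log(decideAll({ requireSecondFactor: true }));
```
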