Let user know when email verified - firebase

When the user wants to update the email, I'm using verifyBeforeUpdateEmail to verify before updating it.
    await FirebaseAuth.instance.currentUser.verifyBeforeUpdateEmail(
      email,
      ActionCodeSettings(
        androidInstallApp: true,
        androidPackageName: 'com.example',
        iOSBundleId: 'com.example',
        handleCodeInApp: true,
        url: 'https://example.page.link/emailVerify',
      ));
Can I let the user know if the email has been verified and updated? I've tried dynamic_links but it does not pick up the email verification.

The verifyBeforeUpdateEmail() method sends a verification email to a new email address. So the user needs to execute an action in order to verify the email (click on the link provided in the email). So normally the user will know he/she has verified the new email.
If you want to add an extra mechanism to "let the user know if the email has been verified and updated" you could adopt one of the following approaches:
#1 Implement a custom email action handler
As explained in the doc, "by default, user management emails link to the default action handler, which is a web page hosted at a URL in your project's Firebase Hosting domain. You can instead create and host a custom email action handler to do custom processing and to integrate the email action handler with your website".
This way, you could implement any business logic in parallel with the email verification, like sending a confirmation email or updating a flag, etc.
#2 Use a Cloud Function
There is no Authentication Cloud Functions trigger in response to the verification of an email, unfortunately. We can only trigger a Cloud Function upon the creation and deletion of Firebase user accounts. But you could implement a scheduled Cloud Function which checks if the email has been verified.
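One way the scheduled check could work, as an added example that is not part of the original answer: the job looks up only the accounts with an outstanding change and reports those whose address now matches the requested one and is verified. `auth` stands for `admin.auth()`; the `pending` map (uid to requested new email) and the function names are assumptions.

```javascript
// Added example. `auth` stands for admin.auth(); `pending` is an assumed
// Map of uid -> new email, written when verifyBeforeUpdateEmail is called.
const BATCH = 100; // getUsers() accepts at most 100 identifiers per call

async function findCompletedEmailChanges(auth, pending) {
  const uids = [...pending.keys()];
  const completed = [];
  for (let i = 0; i < uids.length; i += BATCH) {
    const ids = uids.slice(i, i + BATCH).map((uid) => ({ uid }));
    const { users } = await auth.getUsers(ids);
    for (const user of users) {
      const wanted = pending.get(user.uid).trim().toLowerCase();
      const current = (user.email || '').toLowerCase();
      // The account only carries the new address after the link was used.
      if (user.emailVerified === true && current === wanted) {
        completed.push({ uid: user.uid, email: current });
      }
    }
  }
  return completed;
}

// Constructed stand-in for admin.auth(), so the example runs offline.
function fakeAuth(records) {
  return {
    calls: 0,
    async getUsers(ids) {
      this.calls += 1;
      const users = ids.map(({ uid }) => records[uid]).filter(Boolean);
      return { users, notFound: [] };
    },
  };
}
```

Each returned entry can then drive the notification (push message, confirmation email) and be removed from the pending store.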

Related

Custom Firebase Email Verification Template and Action Handler

I would like to customize the email template (using the Trigger Email extension templates) to send verification links to users.
I understand it is not possible to change the template from the Firebase console as it prevents spam.
I am aware of the ability to customize action email handlers (The page that the user lands on when the link in verification email is clicked), as well as the ability to update the auth user's emailVerified property manually.
Is there also a way to generate the verification link that firebase would have used? One with the following properties:
mode
oobCode
apiKey
continueUrl
lang
My ideal solution is to send a custom template to the user upon registration with the generated verification link. Direct users to a custom handler page, and use the applyActionCode() function as shown in The Docs to verify the email (I hope this implicitly updates the emailVerified property on the Auth.User record.)
I have achieved this by creating the user and generating the link on the backend with the admin SDK.
So your frontend would call a callable function or bespoke API endpoint for instance for the registration instead of using the SDK directly.
The callable would go about this:
Creating the user in Auth: auth.createUser()
Creating the user in your DB (Firestore, Mongo etc.)
Assigning custom claims if required: auth.setCustomUserClaims
Building the link for signin: auth.generateSignInWithEmailLink()
Sending the email to an email transactional API
You will need an ESP, e.g. Sendgrid, MailChimp, MailGun etc., for the last step. There you will have all the freedom to build your own templates.
Please note that the generateSignInWithEmailLink will take care of verifying an email address and signing-in. It could therefore be used for login and registration.
Cheers

Update email with a custom email template in Firebase

I have a Flutter mobile application and I am using Firebase authentication. I have decided to use an email template for verifying the user's email. In the backend, I call generateEmailVerificationLink(email, actionCode) to create an email verification link, then I pass the link to a good-looking email template and send it to the user.
I would like to do the same thing for updating the user's email. But I am not sure which function to call in the backend to create the proper link that I need to pass to the email template. The mode in the action code should be "verifyAndChangeEmail".
Does anyone know?
I found this link https://firebase.google.com/docs/auth/admin/email-action-links
but it does not say how to generate a link for updating user email. Does that mean that I can't have a custom email for updating user email??
Please help.
You can use the same generateEmailVerificationLink() method, and, in the page opened via the link, you need to trigger, in the back-end, the updateUser() method of the Admin SDK.
More concretely:
In a Cloud Function (or a server you own), generate an email verification link for the new email (as explained in the doc you mention in your question) and build and send an email containing this link (for example by calling a microservice like Sendgrid).
The user receives the email in his mailbox. When he clicks on the link, the user is redirected to a web page you host somewhere (for example with Firebase hosting): the email is then verified, with applyActionCode(), as shown in the code found in this page in the Firebase doc (see "4. Handle email address verification by calling applyActionCode.").
Then, in the .then((resp) => {...}) block of this page, implement a call to a callable Cloud Function in which you use the updateUser() method to update the user's email. In the callable cloud function you must check that the uid (User ID) that you pass to the updateUser() method is the uid of the caller (with const uid = context.auth.uid; see the doc).

firebase emails verified by link checker bots

I have implemented email verification in my app but I've noticed that email providers have bots that open the link before the user gets to see it (thus verifying the email).
Is there a way to prevent such behavior? Or email verification by code, or an action on the screen the user would need to click to verify?
Rather than providing a direct link to Firebase (the default), you can customize your email verification template to direct the user to another location, such as your application, where they must press a button to complete the verification process. Then you can use the Auth.applyActionCode() method with the oobCode that was supplied in the query parameters.
You'll have to process the verifications yourself if you wish to customize it. You can try it by generating the email verification link using the Admin SDK in a Cloud Function/Server:
    // Admin SDK API to generate the email verification link.
    const useremail = 'user@example.com';
    admin
      .auth()
      .generateEmailVerificationLink(useremail, actionCodeSettings)
      .then((link) => {
        // Construct email verification template, embed the link and send
        // using custom SMTP server.
        return sendCustomVerificationEmail(useremail, displayName, link);
      })
      .catch((error) => {
        // Some error occurred.
      });
Now that you've sent the email, you'll have to self-host a page that opens after opening that link.
You can find a detailed explanation in the documentation.
That being said, you can implement reCaptcha or any verification service you want to use to make sure the user is not a bot and verify it in your custom handler.
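A sketch of that split, added here as an example and not taken from the answer or the Firebase docs: a GET only renders a confirmation button, and the oobCode is released for applyActionCode() only after a POST. The function name, the `/verify` path and the oobCode pattern are assumptions.

```javascript
// Added example: routing for a self-hosted email action handler.
// The oobCode is only consumed on an explicit POST (button press);
// a GET, which is all a mail link scanner issues, just renders the page.

const CODE_PATTERN = /^[A-Za-z0-9_-]{10,512}$/; // assumed shape of an oobCode

// Returns what the HTTP layer should do; it never touches Firebase itself.
function planVerifyRequest(method, rawUrl, formBody = '') {
  const url = new URL(rawUrl, 'https://handler.invalid'); // base only for parsing
  if (method === 'GET' || method === 'HEAD') {
    const mode = url.searchParams.get('mode');
    const code = url.searchParams.get('oobCode') || '';
    if (mode !== 'verifyEmail' || !CODE_PATTERN.test(code)) {
      return { status: 400, apply: null, html: 'Invalid verification link.' };
    }
    // No state change here: only show a form that carries the code forward.
    // The pattern above guarantees the code needs no HTML escaping.
    const html =
      '<form method="POST" action="/verify">' +
      `<input type="hidden" name="oobCode" value="${code}">` +
      '<button type="submit">Verify my email</button></form>';
    return { status: 200, apply: null, html };
  }
  if (method === 'POST') {
    const code = new URLSearchParams(formBody).get('oobCode') || '';
    if (!CODE_PATTERN.test(code)) {
      return { status: 400, apply: null, html: 'Missing or malformed code.' };
    }
    // The caller may now run applyActionCode() with this code.
    return { status: 202, apply: code, html: 'Verifying...' };
  }
  return { status: 405, apply: null, html: 'Method not allowed.' };
}
```

When `apply` is non-null the HTTP layer passes it to applyActionCode(); a reCAPTCHA check, if used, belongs before that call.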

Is there a way to send a verification email to a custom email id (say to an admin) instead of the user's email id using Firebase Auth?

I am using Flutter for this project. My goal is to send a verification email to the admin once the user has registered his/her account. The profile will be registered once the admin verifies it through email.
I am aware that we can send a verification email to the user itself to verify the email id by using Firebase Auth. I was wondering whether there is a way to change the receiver's address from the user to an admin's email id (custom email id). If not, is there any other way to perform this task?
Thank you in advance for the help.
I am using Cloud Firestore as a database service.
You can use Cloud Functions to know when a user was created or deleted.
But if you want to get an email only after the email was confirmed, then you would have to do it inside your app, triggering some logic that sends you a message from inside your app once you detect the email is verified.
You can't change the destination of the verification email. It will always go to the email address that was used at the time of signup.
If your goal is to prevent the user from doing anything with some backend resource until after an admin authorizes them, what you can do is use custom claims to add a flag to the account that can be checked by security rules or your backend endpoint. The presence of that flag can be used to tell if an admin has authorized them. You will have to build out some amount of backend infrastructure to make all that work.
As far as I remember there are Firebase Authentication triggers that you can use to listen to new user creations. You need to setup a Firebase function that listens for user creation events.
    functions.auth.user().onCreate((user) => {
      // send email to admin
    });
Another step that you can take is to disable the newly created account and also send email to the user as well telling him that his account is disabled until admin approves it. You can achieve this using Firebase Admin SDK. And maybe create another cloud function that admin activates to enable the account back. So maybe something like this:
    functions.auth.user().onCreate((user) => {
      // disable this account
      // send user email to let him know that his account is disabled until approval
      // send email to admin to ask for his approval for the account
    });
    functions.https.onCall((data, context) => {
      // another cloud function that enables the user account, called by admin
    });
This may not be the best solution but it will work.

When do I verify the email before creating a subscription with stripe?

I know stripe doesn't have anything to do with verifying emails.
I have a form on my website where I collect a new user's email, password and cc info.
As of now I do not verify the user's email. I simply create the user in my system and create the Stripe user and subscription after I get the card token with stripe.js.
I want to verify the email address, but I am not sure at what point in the process to do it. I don't think it makes sense to charge the customer and start the subscription and then verify the email address.
Should I wait and start the Stripe subscription when the customer verifies the email address? It seems like this is one of the most common scenarios online. Is there a best practice for this scenario?
Again, I am not asking technically how to verify the email address (I use firebase auth), I just want to know when I should and how it should fit into my onboarding flow.
After Firebase Auth account creation, you can check if emailVerified is true. If not, send an email verification and pass a continueUrl to continue the subscription process, instructing the user to check their email to continue the subscription process. This is a common process for many subscriptions that require email verification.
You can learn more about passing continueUrl via email verifications:
https://firebase.google.com/docs/auth/web/passing-state-in-email-actions
You can build your own custom landing page where you continue the subscription using the following instructions: https://firebase.google.com/docs/auth/custom-email-handler
Make sure you check email_verified in the idToken after ID token verification to confirm verification, server side.
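The server-side check described above, together with the custom-claims approval flag from the admin-approval answer earlier on this page, written as one added example (not code from either answer). `claims` is the object `admin.auth().verifyIdToken()` resolves to; the claim name `adminApproved`, the `billingEmail` comparison and the function name are assumptions.

```javascript
// Added example: authorization decision on an already-verified ID token.
// `claims` is what admin.auth().verifyIdToken(idToken) resolves to; the
// custom claim name `adminApproved` is an assumption of this example.

function normalizeEmail(value) {
  return String(value || '').trim().toLowerCase();
}

function authorizeOnboarding(claims, { billingEmail, requireAdminApproval = false }) {
  if (!claims || typeof claims.uid !== 'string') {
    return { allow: false, reason: 'unauthenticated' };
  }
  // Strict comparison: a missing claim or the string "true" must not pass.
  if (claims.email_verified !== true) {
    // A token issued before the user used the link still says false;
    // the client has to refresh its ID token and retry.
    return { allow: false, reason: 'email_not_verified' };
  }
  // Bill only the address the token actually vouches for.
  const verified = normalizeEmail(claims.email);
  if (!verified || verified !== normalizeEmail(billingEmail)) {
    return { allow: false, reason: 'email_mismatch' };
  }
  // Custom claims set with setCustomUserClaims() appear as top-level fields.
  if (requireAdminApproval && claims.adminApproved !== true) {
    return { allow: false, reason: 'pending_admin_approval' };
  }
  return { allow: true, reason: 'ok', uid: claims.uid };
}
```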
