Firebase handle reset password emails for not verified users

0
votes

When a new user registers the web application a verification email is sent to him. I prevent new users to log in before verification.

Meanwhile if the verification link expires and the user forgets the password he will click the reset password link and will receive an email.

So I think that I should handle reset password action together with verification at once. Otherwise user will not be able to login even after changing the password.

function handleResetPassword(auth, actionCode) {
    auth.verifyPasswordResetCode(actionCode)
       .then(function (email) {
          // Showing the reset screen and ask the user for
          // the new password.
       }).catch(function (error) {
         //
       });
};

When user saves the new password:

function saveNewPassword() {
    auth.confirmPasswordReset(actionCode, vm.form.password).then(function (resp) {
        // Password reset has been confirmed and new password updated.
        // Now auto sign in user
        auth.signInWithEmailAndPassword(vm.email, vm.form.password).catch(function (error) {
            // Handle Errors here.
        });

        firebase.auth().onAuthStateChanged(function (user) {
            if (user) {
                // user signed in. 
                // check whether the user is verified
                // if not set true
                user.updateProfile({ emailVerified: true })
            }
        });

    }).catch(function (error) {
        // 

    });
}

But the code below doesn't work as I expected as it has no affect. I can change other user data (e.g. displayName) but not (emailVerified). It only works with firebase email verification.

user.updateProfile({ emailVerified: true })

What is the recommended approach for this type of user scenario ?

1
angularjsfirebasefirebase-authentication

1 Answers

2
votes

You can't update emailVerified from the client, otherwise any unverified user would be able to do that without enforcing actual ownership of the email. You would need to do it with the Admin SDK using an HTTP endpoint (you can use Firebase Functions for that too). However, you need to ensure that the password reset code succeeded. So in this case you need to run your code on the server. Here is how it would work:

var firebase = require('firebase');
var admin = require('firebase-admin');
// Initialize the client and admin instances.
// firebase.initializeApp(clientConfig);
// admin.initializeApp(adminConfig);
// Send the reset code and the new password to your backend. 
var email = null;
// Get email corresponding to code.
firebase.auth().checkActionCode(actionCode)
  .then(function(info) {
    email = info.email;
    // Confirm password reset.
    firebase.auth().confirmPasswordReset(actionCode, password)
  });
  .then(function() {
    // Get uid of user with corresponding email.
    return admin.auth().getUserByEmail(email);
  }).then(function(userRecord) {
    // Password reset succeeded. Email can be verified as the user
    // must have received the code via their email confirming
    // ownership.
    return admin.auth().updateUser(userRecord.uid, {emailVerified: true});
  });