
I have a simple form to register and sign in, using Firebase for storage and for authentication. A registered user can receive a confirmation mail through Firebase. But unverified users are also able to log in. What am I doing wrong here?

login-page.component.ts

import { Component, OnInit } from '@angular/core';
import { FormBuilder, FormGroup, Validators, AbstractControl } from '@angular/forms';
import * as firebase from 'firebase';

@Component({
  selector: 'app-login-page',
  templateUrl: './login-page.component.html',
  styleUrls: ['./login-page.component.css']
})
export class LoginPageComponent implements OnInit {
  signin:FormGroup;
  constructor(private fb: FormBuilder) {
    this.signin = fb.group({
      email : [null, Validators.compose([Validators.required, this.nospaceValidator])],
      password : [null, Validators.required]
    });
  }

  ngOnInit() {
  }

  signUp() {
    let values = this.signin.value;
    console.log(values.email, values.password);
    firebase.auth().createUserWithEmailAndPassword(values.email, values.password)
      .then(function(user) {
        if (user && user.emailVerified === false) {
          user.sendEmailVerification()
            .then(function() {
              console.log("email verification sent to user");
            });
        }
      })
      .catch(function(error) {
        var errorCode = error.code;
        var errorMessage = error.message;
        console.log(errorMessage);
      });
  }

  signIn() {
    firebase.auth().onAuthStateChanged(function(user) {
      if (user.emailVerified) {
        console.log('Email is verified');
      }
      else {
        console.log('Email is not verified');
      }
    });
  }
}
codedamn

2 Answers


You're not doing anything wrong. While Firebase Authentication allows you to send messages to verify a user's email address, there is nothing to prevent a user with a non-verified email address from signing in.

If you want certain resources to only be visible to users with a verified email address, you'd protect those resources. For example, if you use the Firebase Database to store data, you could make data in there accessible only to users with a verified email address with:

{
  "rules": {
    ".read": "auth.token.email_verified == true"
  }
}

For more on this, see my answer here: How do I lock down Firebase Database to any user from a specific (email) domain?

Frank van Puffelen

Adding to Frank's answer, you can also use this code to prevent users who have not verified their email from signing in to your app.

if (user.emailVerified) {
    // sign the user into your app
}
else {
    // alert the user that they cannot sign in until they verify their email
    // You probably want to offer to send another email verification here too
}
DoesData
  • What have you modified? – codedamn Dec 27 '17 at 17:14
  • Nothing. I am saying you can use that if check right there to prevent user sign in if their email isn't verified. Post your current sign in function and I can show you exactly what I mean. – DoesData Dec 27 '17 at 20:30
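
An added example, not part of the question or of either answer: the `emailVerified` check from the second answer placed inside a sign-in function. Firebase has already created a session by the time the check runs, so the unverified branch signs the user out again. The names `signInVerifiedOnly`, `userFrom` and `makeStubAuth` are hypothetical, and the stub is a constructed stand-in for `firebase.auth()` so the code runs offline.

```javascript
// Older SDK versions resolve sign-in with a User, newer ones with { user }.
function userFrom(result) {
  return result && result.user ? result.user : result;
}

// `auth` is the object returned by firebase.auth(); it is passed in as a
// parameter (an assumption of this example) so a stub can replace it.
async function signInVerifiedOnly(auth, email, password) {
  const user = userFrom(await auth.signInWithEmailAndPassword(email, password));
  if (user.emailVerified) {
    return { signedIn: true, uid: user.uid };
  }
  // Firebase accepted the credentials and opened a session even though the
  // address is unverified: resend the verification mail, then drop the session.
  await user.sendEmailVerification();
  await auth.signOut();
  return { signedIn: false, reason: 'email-not-verified' };
}

// Constructed stand-in for firebase.auth(); records the calls made on it.
function makeStubAuth(emailVerified) {
  const log = [];
  const user = {
    uid: 'uid-123', // constructed sample value
    emailVerified,
    sendEmailVerification: async () => { log.push('sendEmailVerification'); },
  };
  return {
    log,
    signInWithEmailAndPassword: async () => { log.push('signIn'); return { user }; },
    signOut: async () => { log.push('signOut'); },
  };
}

// Demo run against the stub with an unverified account.
signInVerifiedOnly(makeStubAuth(false), 'user@example.com', 'pw')
  .then((result) => console.log(result));
```

This check runs in the client, so it only shapes the sign-in flow; access to data still has to be restricted with the `auth.token.email_verified` rule shown in the first answer.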