本文介绍了Firebase Firestore 未更新电子邮件验证状态的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我的安全规则设置如下(在 Firestore 控制台中).

 service cloud.firestore {匹配/databases/{database}/documents {匹配/{document=**} {允许读取:如果 request.auth.uid != null &&request.auth.token.email_verified;允许写入:如果为假;}}}

Firebase 自动登录新用户.因此,最近的用户将拥有一个未经验证的电子邮件地址.

当用户验证他们的电子邮件时,我会在我的应用中得到这些结果.

Auth.auth().currentUser?.isEmailVerified//这是真的

但是当我向 firestore 发出请求时,我收到一条错误消息,指出用户没有足够的权限访问该数据.

当我注销用户然后重新登录时,一切正常.

我最初的想法是,也许有一个令牌没有刷新?但这似乎非常令人困惑,因为在尝试向 firestore 发出请求之前,我已经刷新了当前用户.

Auth.auth().currentUser?.reload()

我觉得我错过了一些东西.

为什么用户在注册后被强制登录,但他们的电子邮件验证状态没有相应更新?

我们必须请求重新认证吗?

如果是这样,强制登录的意义何在?

这让我非常沮丧,因为我不知道应该如何管理我的用户.

登录未经验证的用户是我们应该做的事情吗?这会不会导致安全问题,例如用户创建虚假帐户和向您的应用发送垃圾邮件.

更新

我阅读了这个不迅速的回复,这再次加深了我的怀疑.

明天我要测试这个解决方案,它的快速版本是:

Auth.auth().currentUser?.getIDTokenForcingRefresh(forceRefresh: , completion: )

该方法的文档:

检索 Firebase 身份验证令牌,如果出现以下情况可能会刷新它它已过期.备注

认证令牌将被刷新(通过建立网络request) 如果它已经过期,或者 forceRefresh 是 YES.

我猜在我的情况下我必须强制刷新,因为令牌不会过期.

解决方案

事实证明,必须按照上面更新中提到的方式刷新令牌.

这是我解决问题的方法.

首先我刷新身份验证令牌

Auth.auth().currentUser?.getIDTokenForcingRefresh(true)

如果成功,我会刷新用户.

Auth.auth().currentUser?.reload()

我的问题是我认为重新加载用户会刷新令牌,我没想到事情会不同步.

当我检查电子邮件是否已通过验证时,我得到了 true,但 Firestore 数据库需要刷新令牌才能知道电子邮件已通过验证.

I have my security rules setup like so (in firestore console).

    service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {

      allow read: if request.auth.uid != null && request.auth.token.email_verified;
      allow write: if false;
    }
  }
}

Firebase auto logs-in new users.Therefore, a recent user will have a non verified email address.

When the user verifies their email, I'm getting these results in my app.

Auth.auth().currentUser?.isEmailVerified // This is true

But when I make a request to the firestore I'm getting an error back that says that the user doesn't have enough permission to access that data.

When I sign the user out and then sign them back in, everything works fine.

My initial thoughts are that maybe there is a token that is not refreshed ?But this seems extremely confusing because I already refreshed the current user before attempting to make the request to firestore.

Auth.auth().currentUser?.reload()


I feel like I'm missing something.

Why are user's forced logged-in after they signup but then their email verification status isn't updated accordingly ?

Do we have to request-reauthentication ?

If so, what was the point of force log-in ?


This is getting extremely frustrating because I don't know how I'm suppose to manage my users.

Is signing in unverified user's something that we should do ?Wouldn't this lead to security concerns like user's making fake accounts and spamming your application.


Update

I read this non swift response which re-enforces my suspicion.

I'm going to test this solution tomorrow, the swift version of it is:

Auth.auth().currentUser?.getIDTokenForcingRefresh(forceRefresh: , completion: )

I'm guessing that in my case I have to force refresh because the token will not be expired.

解决方案

It turns out that the token has to be refreshed as mentioned in the update above.

Here is how I solved my issue.

First I refresh the auth token

Auth.auth().currentUser?.getIDTokenForcingRefresh(true)

If that was successful, I then refresh the user.

Auth.auth().currentUser?.reload()

My issue was that I thought that reloading the user will refresh the token, I didn't imagine that things could be out of sync.

When I checked if the email was verified I got true but the firestore database needs a refreshed token for it to know that the email was verified.

这篇关于Firebase Firestore 未更新电子邮件验证状态的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-03 22:59
查看更多