0

I have created a form "main.html#!/register" to allow users to enter their: firstname, lastname, email and login. Once all those entered an email verification is sent, so that they cannot get to the page "main.html#!/success" before verifying the email.

The good news is: If they try to get to the access page from the login page without confirming the Email, they will not be able to access. The bad news is: Right after the registration, if they enter the "main.html#!/success" they will be able to open this page !!

Use case: The user is not able to access to "main.html#!/success" without any registration The user is not able to access the "main.html#!/success" from the login page "main.html#!/login", if he has not verified his email The problem is : The user is able to access the "main.html#!/success" right after the registration without email confirmation.

Question: How can I use the email verification condition user.emailVerified and the user auth $requireSignIn() to allow the access to the page "main.html#!/success" ? I had put a resolve function to prevent any access without the registration.

Here is my codes 1-resolve function: Authentication is a service I have created

 when('/success', {
  templateUrl: 'views/success.html',
  controller: 'SuccessController',
  resolve: {
    currentAuth: function(Authentication) {
    return Authentication.requireAuth();
    } //currentAuth
  }//resolve
}).

2-code in the Authentication service 

requireAuth: function() {
    return auth.$requireSignIn();
}, //require Authentication

3- the register function (it is in the service)

register: function(user) {   
  auth.$createUserWithEmailAndPassword(
    user.email,
    user.password
  ).then(function(regUser) {
    var regRef = ref.child('users')
      .child(regUser.uid).set({
        date: firebase.database.ServerValue.TIMESTAMP,
        regUser: regUser.uid,
        firstname: user.firstname,
        lastname: user.lastname,
        email: user.email 
      }); //userinfo
    regUser.sendEmailVerification().then(function() {
      // Email sent.
        alert("your Email is verified: " + regUser.emailVerified) ;
    }).catch(function(error) {
      // An error happened.
        alert(error);
    });
  }).catch(function(error) {
    $rootScope.message = error.message;
  }); //createUserWithEmailAndPassword
} //register

3- login function

login: function(user) {
            auth.$signInWithEmailAndPassword(
            user.email,
            user.password
          ).then(function(user) {
                if(user.emailVerified){
                  $location.path('/success');
                }
                else{
                $rootScope.message= "Please validate your registration first : "+user.emailVerified;
                }
          }).catch(function(error) {
            $rootScope.message = error.message;
          }); //signInWithEmailAndPassword
}, //login
Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Alexandre Asj
  • 21
  • 3

1 Answers1

1

You are trying to enforce this on the client side. Instead you should enforce access for verified signed in users from your Firebase rules. For example:

".write": "$user_id === auth.uid && auth.token.email_verified == true"

bojeil
  • 29,642
  • 4
  • 69
  • 76
  • Thank you bojeil, but since I added this rules, no user data is getting added into the db..!! weird – Alexandre Asj Jan 25 '18 at 23:21
  • Another question: once I set up this rule, what should I put in the login() in the client side ? for the moment the validations is done in the client side. – Alexandre Asj Jan 26 '18 at 00:34
  • Well, I just noiticed that because of the rule : ".write": "$user_id === auth.uid && auth.token.email_verified == true" the user's data is not created into the DB – Alexandre Asj Jan 26 '18 at 02:29
  • Ah yeah, they won't get added because the user is not verified at that time you populate the db node. You could relax that node rule to allow the logged in user but you would need to apply the additional restrictive rule for data that only verified can access. – bojeil Jan 27 '18 at 02:02