In other words, is there a way to verify that when the user sets, let's say, a users//email, it is indeed the email id of the user who is logged in?
We are buildi
The latest release of Firebase Authentication supports email verification.
If an identity provider (email+password, Google) supports optional email address verification, that information is made available in the API and in the security rules. (**)
For example, the JavaScript API has an emailVerified property that you can check in your code:
```javascript
firebase.auth().currentUser.emailVerified
// true
```
In the security rules you can access both the email address and whether it is verified, which makes some great use-cases possible. With these rules, for example, only an authenticated, verified Gmail user can write their profile:
```json
{
  "rules": {
    ".read": "auth != null",
    "gmailUsers": {
      "$uid": {
        ".write": "auth.token.email_verified == true && auth.token.email.matches(/.*@gmail\\.com$/)"
      }
    }
  }
}
```
(**) This applies to Google sign-in and email+password for sure. As far as I know, Facebook will only expose the email address if it's been verified, so you could rely on that.
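Added example, not part of the original answer: a plain-JavaScript model of the rule's conditions, next to a hypothetical stricter variant that also ties the write to the caller's own `$uid` and to the email in their token, which is what the question asks for. The function names, the sample users and the `email` child name are assumptions; nothing here calls Firebase.

```javascript
// Model of the rules `auth` variable: { uid, token: { email, email_verified } }.
// Domain check with the dot escaped and both ends anchored.
const GMAIL = /^[^@\s]+@gmail\.com$/;

// The two conditions the rule on this page checks (it does not look at $uid).
function pageRuleAllows(auth) {
  return auth != null &&
    auth.token.email_verified === true &&
    GMAIL.test(auth.token.email || "");
}

// Hypothetical stricter variant. As a rule expression it would read:
//   $uid === auth.uid && auth.token.email_verified == true &&
//   newData.child('email').val() === auth.token.email
function boundRuleAllows(auth, pathUid, newEmail) {
  return pageRuleAllows(auth) &&
    auth.uid === pathUid &&
    newEmail === auth.token.email;
}

// Constructed sample callers (not real accounts).
const alice = { uid: "uidA", token: { email: "alice@gmail.com", email_verified: true } };
const unverified = { uid: "uidB", token: { email: "bob@gmail.com", email_verified: false } };
const lookalike = { uid: "uidC", token: { email: "eve@gmailxcom", email_verified: true } };

function evaluate() {
  return {
    // Own path, own verified email: allowed.
    aliceOwn: boundRuleAllows(alice, "uidA", "alice@gmail.com"),
    // Verified user writing under someone else's $uid: denied by the uid check.
    aliceOtherPath: boundRuleAllows(alice, "uidB", "alice@gmail.com"),
    // Verified user storing an email that is not the one in the token: denied.
    aliceOtherEmail: boundRuleAllows(alice, "uidA", "bob@gmail.com"),
    // Correct path and email, but the address was never verified: denied.
    unverified: boundRuleAllows(unverified, "uidB", "bob@gmail.com"),
    // An unescaped dot in the pattern would accept this address; the escaped one does not.
    lookalike: pageRuleAllows(lookalike),
    // The two-condition rule alone passes for any path, since $uid is never compared.
    pageRuleAnyPath: pageRuleAllows(alice),
    // No signed-in user at all: denied.
    anonymous: boundRuleAllows(null, "uidA", "alice@gmail.com"),
  };
}

console.log(evaluate());
```
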