Is it possible in Realtime Database rules to validate if an email exists in Authentication?

I log in at https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=[API_KEY] and get an idToken to log in to the Realtime Database, but I would like to know if there is a way to validate that auth.token.email = authentication email and that the email is enabled. This is the result of an idToken base64 decode:

I need to know if "email": "[email protected]" exists in Authentication user

{
 "iss": "https://securetoken.google.com/xaxaxaxa",
 "aud": "xaxaxaxa",
 "auth_time": 1567541399,
 "user_id": "xxxxaxxaxaxaxaxaxax",
 "sub": "xaxaxaxaxaxaxaxa",
 "iat": 1567541399,
 "exp": 1567544999,
 "email": "[email protected]",
 "email_verified": false,
 "firebase": {
  "identities": {
   "email": ["[email protected]"]
  },
  "sign_in_provider": "password"
 }
}

1 Answer

Security rules can't check whether a certain email address exists. All they can do is read the claims in the token and act on that. But usually there's an "email_verified" claim in the token that you can use to ensure that the email address was verified:

"someNode": {
  ".write": "auth.token.email_verified === true"
}

Verification can happen either by the provider (such as in the case of the Google and Facebook providers), or by your own code through the Admin SDK.
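The lookup that rules cannot perform can be done on a trusted server with the Admin SDK. The following is an added example, not part of the original answer: it assumes `auth` is the Admin SDK Auth instance (for example `getAuth()` from `firebase-admin/auth`), and `checkTokenAccount`, `makeStubAuth` and the sample users are hypothetical names constructed so the block runs offline.

```javascript
// Added example. `auth` is assumed to be the Admin SDK Auth instance,
// e.g. getAuth() from "firebase-admin/auth"; function names are hypothetical.
async function checkTokenAccount(auth, idToken) {
  // verifyIdToken checks signature, issuer, audience and expiry.
  const claims = await auth.verifyIdToken(idToken);
  if (!claims.email) return { ok: false, reason: "no-email-claim" };

  let user;
  try {
    // Look up the live account record; the token alone only reflects
    // the account state at the time it was issued.
    user = await auth.getUserByEmail(claims.email);
  } catch (err) {
    if (err && err.code === "auth/user-not-found") {
      return { ok: false, reason: "email-not-registered" };
    }
    throw err; // network or permission errors must not read as "missing"
  }
  if (user.uid !== claims.uid) return { ok: false, reason: "uid-mismatch" };
  if (user.disabled) return { ok: false, reason: "account-disabled" };
  if (!user.emailVerified) return { ok: false, reason: "email-not-verified" };
  return { ok: true, reason: "ok", uid: user.uid };
}

// Constructed stand-in for the two Admin SDK calls used above, so the
// example runs offline. "Tokens" here are plain JSON strings, not JWTs.
function makeStubAuth(users) {
  return {
    async verifyIdToken(idToken) {
      return JSON.parse(idToken);
    },
    async getUserByEmail(email) {
      const user = users.find((u) => u.email === email);
      if (!user) {
        const err = new Error("no user record for " + email);
        err.code = "auth/user-not-found";
        throw err;
      }
      return user;
    },
  };
}

// Constructed sample data.
const sampleUsers = [
  { uid: "u1", email: "alice@example.test", emailVerified: true, disabled: false },
  { uid: "u2", email: "bob@example.test", emailVerified: false, disabled: false },
  { uid: "u3", email: "carol@example.test", emailVerified: true, disabled: true },
];
```

With the real SDK, pass the `Auth` instance in place of the stub and the raw ID token string from the client.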
