How can we guarantee that the email saved by the Firebase user is indeed his own email?


Problem description


In other words, is there a way to verify that when the user sets, let's say, users//email, it is indeed the email ID of the user who is logged in?

We are building a Firebase application where certain aspects of the service are delivered via email notifications. We do not want to be sending emails to the wrong user. There seems to be no way to guarantee that the email info written to the users//email path is indeed the same as the email used to log in (directly or via Google, Facebook, etc.).

In my opinion, if auth (in rules) had an auth.email field in addition to auth.uid, it would solve the problem, and rules could be written to handle the use case.

Solution

The latest release of Firebase Authentication supports email verification.

If an identity provider (email+password, Google) supports optional email address verification, that information is made available in the API and in the security rules. (**)

For example, the JavaScript API has an emailVerified property that you can check in your code:

firebase.auth().currentUser.emailVerified

true

In the security rules you can access both the email address and whether it is verified, which makes some great use cases possible. With these rules, for example, only an authenticated, verified Gmail user can write their profile:

{
  "rules": {
    ".read": "auth != null",
    "gmailUsers": {
      "$uid": {
        ".write": "auth.token.email_verified == true && 
                   auth.token.email.matches(/.*@gmail.com$/)"
      }
    }
  }
}

(**) This applies to Google sign-in and email+password for sure. As far as I know, Facebook will only expose the email address if it's been verified, so you could rely on that.
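The following is an added example, not code from the question or the answer above. It models offline how a Realtime Database rule sees the caller's ID token (`auth.uid`, `auth.token.email`, `auth.token.email_verified`), evaluates the answer's Gmail rule against constructed sample tokens, and adds a third rule, written to answer the question as asked, that only accepts a write to users/$uid/email when the value equals the verified address in the caller's own token. The uids and addresses are hypothetical fixtures. One thing the model makes visible: in the answer's regex `/.*@gmail.com$/` the dot before `com` is unescaped, so it matches any character, and an address like `mallory@gmailXcom` passes; the escaped variant does not.

```javascript
// Added example (not from the original question or answer): an offline
// model of how Firebase Realtime Database security rules see an ID token,
// used to check three rule variants against constructed sample requests.
// The `auth` objects below are test fixtures, not real Firebase tokens.

// Rule from the answer: verified Gmail users may write their profile.
// The unescaped dot in /.*@gmail.com$/ matches any character, so an
// address such as "mallory@gmailXcom" also satisfies this rule.
function gmailProfileRule(auth) {
  return auth !== null
    && auth.token.email_verified === true
    && /.*@gmail.com$/.test(auth.token.email);
}

// Same intent with the dot escaped: only the literal gmail.com domain matches.
function gmailProfileRuleStrict(auth) {
  return auth !== null
    && auth.token.email_verified === true
    && /.*@gmail\.com$/.test(auth.token.email);
}

// Rule for the question as asked: the value written to users/$uid/email
// must equal the verified email in the caller's own token, and the caller
// may only write under their own uid. In the rules language this is roughly:
//   ".write": "auth != null && auth.uid == $uid &&
//              auth.token.email_verified == true &&
//              newData.val() == auth.token.email"
function userEmailRule(auth, uid, newData) {
  return auth !== null
    && auth.uid === uid
    && auth.token.email_verified === true
    && newData === auth.token.email;
}

// Constructed sample identities (hypothetical uids and addresses).
const VERIFIED_GMAIL   = { uid: "u1", token: { email: "alice@gmail.com",   email_verified: true  } };
const UNVERIFIED_GMAIL = { uid: "u2", token: { email: "bob@gmail.com",     email_verified: false } };
const VERIFIED_OTHER   = { uid: "u3", token: { email: "carol@example.org", email_verified: true  } };
const LOOKALIKE        = { uid: "u4", token: { email: "mallory@gmailXcom", email_verified: true  } };

// Evaluate all three rules for one write request and return the verdicts.
function evaluate(auth, uid, newEmail) {
  return {
    gmailProfile: gmailProfileRule(auth),
    gmailProfileStrict: gmailProfileRuleStrict(auth),
    userEmail: userEmailRule(auth, uid, newEmail),
  };
}

// Each identity writing its own token email under its own uid.
const fixtures = { VERIFIED_GMAIL, UNVERIFIED_GMAIL, VERIFIED_OTHER, LOOKALIKE };
for (const [name, auth] of Object.entries(fixtures)) {
  console.log(name, evaluate(auth, auth.uid, auth.token.email));
}
// Spoof attempt: a verified user tries to store someone else's address.
console.log("spoof", evaluate(VERIFIED_GMAIL, "u1", "victim@example.com"));
// Unauthenticated request.
console.log("anonymous", evaluate(null, "u1", "alice@gmail.com"));
```

The three rule functions are plain JavaScript stand-ins for rule expressions; the real check must live in the deployed rules, since a client-side `emailVerified` test can be bypassed by anyone talking to the database directly.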
