我有一个简单的表单来注册和登录,使用firebase存储和进行身份验证。注册用户可以通过firebase接收确认邮件。但是未经验证的用户也可以登录,这里有什么问题。?
登录-page.component.ts
import { Component, OnInit } from '@angular/core';
import { FormBuilder, FormGroup, Validators, AbstractControl } from '@angular/forms';
import * as firebase from 'firebase';
@Component({
selector: 'app-login-page',
templateUrl: './login-page.component.html',
styleUrls: ['./login-page.component.css']
})
export class LoginPageComponent implements OnInit {
signin:FormGroup;
constructor(private fb: FormBuilder) {
this.signin = fb.group({
email : [null, Validators.compose([Validators.required, this.nospaceValidator])],
password : [null, Validators.required]
});
}
ngOnInit() {
}
signUp(){
let values = this.signin.value;
console.log(values.email,values.password)
firebase.auth().createUserWithEmailAndPassword(values.email,values.password)
.then(
function(user){
if(user && user.emailVerified === false){
user.sendEmailVerification()
.then(function(){
console.log("email verification sent to user");
});
}
}
)
.catch(
function(error) {
var errorCode = error.code;
var errorMessage = error.message;
console.log(errorMessage)
});
}
signIn(){
firebase.auth().onAuthStateChanged(
function(user) {
if (user.emailVerified) {
console.log('Email is verified');
}
else {
console.log('Email is not verified');
}
});
}
}
答案 0 :(得分:0)
你没有做错任何事。虽然Firebase身份验证允许您发送邮件以验证用户的电子邮件地址,但没有任何内容可以阻止使用未经验证的电子邮件地址的用户登录。
如果您希望只有拥有经过验证的电子邮件地址的用户才能看到某些资源,您就可以保护这些资源。例如,如果您使用Firebase数据库存储数据,则可以使用经过验证的电子邮件地址的用户访问其中的数据:
{
"rules": {
".read": "auth.token.email_verified == true"
}
}
有关详情,请参阅我的回答:How do I lock down Firebase Database to any user from a specific (email) domain?
答案 1 :(得分:0)
添加到Franks回答您还可以使用此代码阻止未验证其电子邮件的用户登录您的应用。
if (user.emailVerified) {
// sign the user into your app
}
else {
// alert the user that the cannot sign in until they verify their email
// You probably want to offer to send another email verification here too
}