Firestore check if the logged in user verified his email

So I have a collection in firestore that should only be accessible to logged in and verified users.

This is how I secure it:

rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {
    function userIsAdmin() {
      return request.auth.token.accessLevel >= 200;
    }
    function emailVerified() {
      return request.auth.token.firebase.sign_in_provider != 'password'
            || request.auth.token.email_verified == true;
    }
    function isAuthed() {
      return request.auth.uid != null && emailVerified(); // If I remove the && emailVerified() part, it works again in the frontend
    }
    function userIsSameAsResource(userId) {
      return request.auth.uid == userId && emailVerified();
    }

    match /users/{userId} {

      allow get: if isAuthed();
      allow list: if userIsAdmin();

      allow create, delete: if userIsAdmin();
      allow update: if userIsAdmin()
                      || userIsSameAsResource(userId);
    }
  }
}

Using the rules emulator this works as expected:

  • Google Auth provider, email not verified: read allowed
  • Google Auth provider, email verified: read allowed (but not really needed, as we dont send verifications for providers other than email)
  • Email Auth provider, email not verified: read not allowed
  • Email Auth provider, email verified: read allowed

But using the frontend this happens:

  • Google Auth provider, email not verified: read allowed
  • Google Auth provider, email verified: read allowed
  • Email Auth provider, email not verified: read not allowed
  • Email Auth provider, email verified: read not allowed → fails with a Missing or insufficient permissions

Here are the relevant snippets from my frontend code:

// currentAuthUserObs() is the current auth user from firebase  (that part works)
// isEmailVerified() is described further down (works too)
// afStorage is AngularFire2's Firestore module

// 'HERE' and 'HERE2' are both printed, so that works as expected. The problem really is the query

this.auth.currentAuthUserObs().subscribe(async (authUser) => {
    console.log('HERE');
    if (authUser != null && await this.auth.emailAuth.isEmailVerified()) {
        console.log('HERE2');
        this.afStorage.doc(`${FirestoreCollections.USERS}/${authUser.uid}`).valueChanges()
            .subscribe(user => {
                console.log(user);
            });
    }
});


// In my case isEmailVerified gets called before and refreshes the currentUser, so it is ok to not call it with `refresh = true` in the subscription above.
public async isEmailVerified(refresh = false): Promise<boolean> {
    if (refresh) {
        await firebase.auth().currentUser.reload();
    }

    const isEmail = () => firebase.auth().currentUser.providerData.some(provider => provider.providerId == 'password');
    return isEmail() ? firebase.auth().currentUser.emailVerified : true;
}

Does someone have any clue what the problem could possibly be?

Answer

As the user @Kato pointed out, the ID token of the user needs a refresh. You can do that using firebase.auth().currentUser.getIdToken(true) – which looks like that in my example:

public async isEmailVerified(refresh = false): Promise<boolean> {
    if (refresh) {
        await firebase.auth().currentUser.reload();
        await firebase.auth().currentUser.getIdToken(true); // <-- here
    }

    const isEmail = () => firebase.auth().currentUser.providerData.some(provider => provider.providerId == 'password');
    return isEmail() ? firebase.auth().currentUser.emailVerified : true;
}