Resetting password automagically sets emailVerified to true #5327
I'm developing an application that has a verification wall, i.e. if emailVerified is false, no other UI is shown. I'm handling the logic by implementing Email action links + Custom email action handlers, and on email verification I have a Firebase function that sets emailVerified to true. All works great.

But I have one issue. Steps to reproduce: User signs up > Function sends verification email > For some reason user does not click it, deletes it, etc. and forgets the password > User requests password reset > Function sends password reset link > User resets password and my verification wall is broken!

Successfully resetting the password automagically sets emailVerified to true. Which perfectly makes sense now that I read what I wrote, as the email is kind of verified. But! I believe it should be explicit, not implicit, because I have a couple of different user roles through Custom claims, and some of them don't require verification and some do.

The best workaround I can think of is to write another cloud function to set emailVerified to false if the user does not have the required role. Please advise.
Replies: 1 comment 2 replies
Hi @abhi-dasgupta, thanks for reaching out! This is expected behavior, because by resetting the password via an email action, the user has demonstrated that the email is valid and belongs to the account in question. If you wish to avoid this behavior, I would recommend setting your own custom claim for email verification instead of editing/relying on the `email_verified` field directly.
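One way to implement the custom-claim approach suggested in the reply above, as an added example that is not part of the thread and is not Firebase's own code. The claim name `appEmailVerified`, the `role` claim, and the exempt role list are hypothetical; `auth` is assumed to be an Admin SDK Auth instance, and only its `getUser`, `setCustomUserClaims` and `verifyIdToken` results are used.

```javascript
// Added example. Names marked "hypothetical" are assumptions, not from the thread.
const VERIFIED_CLAIM = "appEmailVerified"; // hypothetical custom claim name
const ROLES_EXEMPT_FROM_VERIFICATION = ["guest"]; // hypothetical role list

// Build the claims object to store. setCustomUserClaims() replaces the whole
// claims object, so existing claims (such as the role) must be carried over.
function withVerifiedClaim(existingClaims) {
  return { ...(existingClaims || {}), [VERIFIED_CLAIM]: true };
}

// Call this only from the verifyEmail action handler, never from the
// resetPassword handler, so a password reset cannot flip the flag.
async function markEmailVerified(auth, uid) {
  const user = await auth.getUser(uid);
  const claims = withVerifiedClaim(user.customClaims);
  await auth.setCustomUserClaims(uid, claims);
  return claims;
}

// Verification wall. `decoded` is the object returned by
// auth.verifyIdToken(idToken); custom claims appear as top-level fields.
// The built-in email_verified field is deliberately not consulted.
function passesVerificationWall(decoded) {
  const role = decoded.role; // hypothetical "role" custom claim
  if (ROLES_EXEMPT_FROM_VERIFICATION.includes(role)) {
    return true;
  }
  // Unknown or missing roles fail closed: they need the explicit claim.
  return decoded[VERIFIED_CLAIM] === true;
}
```

A newly set claim reaches the client only once the user's ID token is refreshed, so the client should refresh the token after the verification handler completes.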