capawesome-team / capacitor-firebase

⚡️ Firebase plugins for Capacitor. Supports Android, iOS and the Web.
https://capawesome.io/plugins/firebase/
Apache License 2.0
395 stars 102 forks

feat: Add verifyBeforeUpdateEmail Functionality To Authentication #739

Closed ewwwgiddings closed 3 minutes ago

ewwwgiddings commented 2 days ago

Plugin(s)

Current problem

When selecting email enumeration protection, it is said that we should not be using updateEmail() and instead use verifyBeforeUpdateEmail(): Firebase Doc Reference

Here is some more information about it: Email Enumeration Docs

As said in the above document:

Users cannot change their email address without first verifying the new address. For example, you can no longer change a user's email address with the update REST API, the setAccountInfo REST API, or the updateEmail client SDK method on all platforms. You can use verifyBeforeUpdateEmail for Web and Android or sendEmailVerification(beforeUpdatingEmail:) for iOS instead.

This is a part of the same documentation for the deprecation of fetchsigninmethodsforemail() so it has been considered for other methods.

While we can use the JS SDK for this, it is not available for the Android and iOS implementations of this plugin as far as I can tell.

Preferred solution

Add the ability to use verifyBeforeUpdateEmail() and sendEmailVerification(beforeUpdatingEmail:) depending on the environment, or have one method that will do it as it differs with iOS under-the-hood.

Alternative options

I think I can only easily achieve this on web by using JS SDK as noted in some other workarounds.

If there is a way I can achieve this without adding this method to this plugin I would love to hear how.

Additional context

When attempting to use the fetchsigninmethodsforemail() method, I noticed it was deprecated and followed the links to find out I should also not be using updateEmail() if I want to turn off email enumeration protection (which imo should be turned on).

robingenz commented 1 day ago

Yes, this is currently missing. Would you be willing to create a PR?

ewwwgiddings commented 1 day ago

Willing to try my hand at it: https://github.com/capawesome-team/capacitor-firebase/pull/741

I haven't had any experience til now working on Capacitor plugins, but I created this PR just now.

I used the sendEmailVerification and updateEmail methods as a guide and did a bunch of copy/paste/rename from those.

Didn't click any of the buttons on the PR checklist cause I'm not sure how it's tested.

Maybe someone else who has more knowledge on the subject can review, suggest, or edit the PR if it's not far off?

robingenz commented 3 minutes ago

Closed by #741