I've recently switched Firebase authentication from the namespaced API to the modular API, and while rebuilding my code I'm finding an issue with email verification.
When a user signs up to the site I use the sendEmailVerification function to send an email to the address they've entered, as per the code below.
Under the previous API, if they then try to access the site, the user object returned by Firebase would have a emailVerified value of false until they click on the link in the verification email. However, under the new API, once they user has been sent that verfication email, the user object returned has an emailVerified value of true, without them having to confirm.
The exception to the above is if the email address entered doesn't exist, in which case firebase still returns false, but if the email is a valid address it seems to automatically return true, enabling me to use someone else's email address to create an account.
What am I missing?
const auth = getAuth();
doSendEmailVerification = () =>
sendEmailVerification(auth.currentUser, {
url: "https://example-64072.web.app",
});
User object returned:
accessToken: "bigLongDeletedString"
auth: AuthImpl {app: FirebaseAppImpl, heartbeatServiceProvider: Provider, appCheckServiceProvider: Provider, config: {…}, currentUser: _UserImpl, …}
displayName: null
email: "[email protected]"
***emailVerified: true***
isAnonymous: false
metadata: UserMetadata {createdAt: '1755609618755', lastLoginAt: '1755611635445', lastSignInTime: 'Tue, 19 Aug 2025 13:53:55 GMT', creationTime: 'Tue, 19 Aug 2025 13:20:18 GMT'}
phoneNumber: null
photoURL: null
proactiveRefresh: ProactiveRefresh {user: _UserImpl, isRunning: true, timerId: 8, errorBackoff: 30000}
providerData: [{…}]
providerId: "firebase"
reloadListener: null
reloadUserInfo: {localId: 'shorterString', email: '[email protected]', passwordHash: 'hashValue', emailVerified: true, passwordUpdatedAt: 1755609618755, …}
stsTokenManager: _StsTokenManager {…}
tenantId: null
uid: "abcdefghijklmn"
