Hi everyone,
I’ve noticed a behavior I wanted to clarify.
If a user signs up using email/password but does not verify their email, and later clicks “Forgot password”, Firebase sends them a password reset email as expected.
However, once the user completes the password reset process using that link, their emailVerified flag becomes true — even though they never clicked an actual email verification link (sendEmailVerification).
My questions:
- Is this intended behavior?
- Does Firebase treat a successful password reset as implicit email verification?
- Is it safe to rely on this behavior for access control?
Thanks in advance for the clarification!
– Nico