You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The existing admin callable and legacy membership-sync endpoint grant Firebase custom claims by matching an email address, but neither checks the authoritative Firebase Auth userRecord.emailVerified value. An attacker can pre-register a known member address and receive membership access when that address is imported.
Security invariant
Promotion to member or admin is allowed only when Firebase Auth reports userRecord.emailVerified === true. Request fields and Firestore profile mirrors never prove verification. Demotion to unverified remains allowed so operators can remove access safely.
Atomic scope
Add one small pure role-grant policy helper.
Apply it immediately after authoritative Auth lookup and before any claim or Firestore write in setMemberRole.
Apply it before any claim or Firestore write in each updateMemberRole batch item.
Problem
The existing admin callable and legacy membership-sync endpoint grant Firebase custom claims by matching an email address, but neither checks the authoritative Firebase Auth
userRecord.emailVerifiedvalue. An attacker can pre-register a known member address and receive membership access when that address is imported.Security invariant
Promotion to
memberoradminis allowed only when Firebase Auth reportsuserRecord.emailVerified === true. Request fields and Firestore profile mirrors never prove verification. Demotion tounverifiedremains allowed so operators can remove access safely.Atomic scope
setMemberRole.updateMemberRolebatch item.Explicitly out of scope
Acceptance criteria
memberthrough either endpoint.adminthrough the admin callable.emailVerifiedvalue is ignored.setCustomUserClaimsand before Firestore profile writes.unverifiedstill succeeds for an unverified target.admin.Dependencies and file ownership
GITHUB_ISSUES.md; coordination epic: COMMUNITY-EPIC — Unified member access and community integrations #79.functions/setMemberRole.js,functions/updatemembers.js, newfunctions/roleGrantPolicy.js, newfunctions/roleGrantPolicy.test.js.Claim protocol
Do not edit until this issue is assigned and a timestamped
CLAIMEDcomment names the agent and branch. Earliest valid claim wins.