I'm developing a NextJS with React Server Components application, meaning I do a lot of rendering (or at least data fetching) on the server side, instead of the client side.
To do this, I'm using Firebase Authentication with Session Cookies instead of Token IDs, mainly because of the refresh time (max 14 days instead of 1 hour). Followed this to implement it: https://firebase.google.com/docs/auth/admin/manage-cookies. Also, used firebase.auth.Auth.Persistence.NONE to make sure the client-side is logged out immediately after I generate the session cookie.
Generally, after the user signs up for the first time, or logs in in general, I take their token ID, mint a session cookie from it, and save that as an HttpOnly cookie, which I can verify on any subsequent interaction.
The problem I'm facing is that after the initial sign-up, if it's by email and password, I send a verification email through Firebase's SDK. When the user clicks the link, they are verified and redirected to my website. Problem is - the email_verified field in the decoded token from the session cookie I have stored (after doing verifySessionCookie(sessionCookie)) is still false, because I never updated the cookie. However - I can't find a way I can update the cookie at this stage, given that I deleted the TokenId immediately after sign up (remember the firebase.auth.Auth.Persistence.NONE persistence). Am I doomed to keep the client-side token ID until email verification?
Thanks!
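An added example, not part of the original post: a server-side check that treats the `email_verified` claim in the session cookie as a snapshot from mint time and, when it is still false, reads the live user record through the Admin SDK's `getUser()`. The function names, the stub `auth` object and the sample cookie and user data are constructed for illustration; in a real server `auth` would be the Admin SDK auth instance.

```javascript
// Added example. `auth` is any object exposing the Admin SDK methods
// verifySessionCookie() and getUser(); a constructed stub stands in below.

// Decide verification status from the cookie's claims plus, when the cookie
// still says "unverified", the live user record.
function mergeVerification(claims, userRecord) {
  if (claims.email_verified === true) {
    return { uid: claims.uid, verified: true, source: 'cookie' };
  }
  const verified = Boolean(userRecord && userRecord.emailVerified === true);
  return { uid: claims.uid, verified, source: 'user-record' };
}

async function resolveEmailVerified(auth, sessionCookie) {
  // Throws if the cookie is invalid or expired; checkRevoked=true also
  // rejects cookies whose sessions were revoked.
  const claims = await auth.verifySessionCookie(sessionCookie, true);
  if (claims.email_verified === true) return mergeVerification(claims, null);
  // The claims are a snapshot from mint time, so ask for the current record.
  const userRecord = await auth.getUser(claims.uid);
  return mergeVerification(claims, userRecord);
}

// Constructed stand-in for the Admin SDK (hypothetical data, no network).
function makeStubAuth({ cookies, users }) {
  return {
    async verifySessionCookie(cookie) {
      if (!(cookie in cookies)) throw new Error('invalid session cookie');
      return cookies[cookie];
    },
    async getUser(uid) {
      if (!(uid in users)) throw new Error('user not found');
      return users[uid];
    },
  };
}

// Constructed scenario: cookie minted at sign-up, link clicked afterwards.
const stubAuth = makeStubAuth({
  cookies: { 'cookie-from-signup': { uid: 'u1', email_verified: false } },
  users: { u1: { uid: 'u1', emailVerified: true } },
});

resolveEmailVerified(stubAuth, 'cookie-from-signup').then((result) => {
  console.log(result);
});
```

This check does not change the cookie: its `email_verified` claim stays false until a new session cookie is minted from a fresh ID token.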