Login with facebook when another account with same email is already created. #489
Replies: 3 comments
-
Hey @WNeuteboom, and thank you for the detailed description! In the context of Firebase, these are two different users from different identity providers (IdPs): the password provider manages users within Firebase's Auth database and is able to prevent users with the same email address (if enabled in the project settings). Users coming from Facebook, Google, or one of the other third-party providers are considered separate users, even if they have the same email address on the other platform - here, uniqueness is ensured by e.g. Facebook (no two Facebook users can have the same email address). So, in the context of the Admin SDK, you can't check "just so" whether a user that authenticated via the Facebook IdP (identified by their Facebook ID) already has a corresponding user provided by the Password IdP (identified by their email).

What you can do on the client side is to link both accounts together, for example with the Firebase JS Client SDK: https://firebase.google.com/docs/auth/web/account-linking With this, you can let a user that's already authenticated with email and password link their Facebook ID with their existing account, and vice versa.

However, it is possible to link two existing accounts together via the Firebase Auth REST API (https://firebase.google.com/docs/reference/rest/auth?hl=en#section-link-with-oauth-credential and https://firebase.google.com/docs/reference/rest/auth?hl=en#section-link-with-email-password), and I can/could implement this in this Admin SDK as well, but I'm afraid this would enable bad players to non-transparently do things on behalf of users that didn't know that their accounts got linked. For example, a user could authenticate via Facebook with an application, and with the provided token, the backend could create a "shadow login" by linking it to an email/password combination out of the control of the user, allowing a login to the user's account with these secondary credentials without the user ever knowing it.

That's why I feel (at the moment) that account linking should remain on the client side. I say "at the moment" because I'm aware that I could have gotten something wrong - if I have, please let me know 🙏 On the other hand (I should perhaps have started with this 😅), if you can show me that this functionality has been implemented in one of the official SDKs, that would show me that Google/Firebase is okay with providing this as a backend/admin functionality, and I will see to it that it gets implemented here as well 💪😊
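The client-side linking flow the reply above points to, written out as an added example that is not from this thread or from the Firebase SDK. It assumes the Firebase modular JS SDK function names (signInWithPopup, fetchSignInMethodsForEmail, signInWithEmailAndPassword, linkWithCredential, FacebookAuthProvider.credentialFromError) and the error code auth/account-exists-with-different-credential; the SDK functions are injected as `sdk` so the flow can run offline against a constructed stub, and the email, uid and password in the stub are made up.

```javascript
// Added example, not code from the thread or the SDK. The Firebase modular JS
// SDK functions are injected as `sdk` so the flow runs offline against the
// constructed stub below; in a browser you would pass the real ones from "firebase/auth".
const ACCOUNT_EXISTS = "auth/account-exists-with-different-credential";

// Sign in with Facebook. If Firebase reports that another provider already owns
// this email, require the user to prove ownership with their password before
// the Facebook credential is linked; nothing is linked without that step.
async function signInWithFacebookAndLink(sdk, auth, askPassword) {
  try {
    const res = await sdk.signInWithPopup(auth, new sdk.FacebookAuthProvider());
    return { user: res.user, linked: false };
  } catch (err) {
    if (err.code !== ACCOUNT_EXISTS) throw err;
    const pendingCred = sdk.FacebookAuthProvider.credentialFromError(err);
    const email = err.customData && err.customData.email;
    if (!pendingCred || !email) throw err;
    const methods = await sdk.fetchSignInMethodsForEmail(auth, email);
    if (!methods.includes("password")) {
      throw new Error(`sign in with ${methods.join(", ")} first, then link`);
    }
    const password = await askPassword(email); // the user's own consent step
    const { user } = await sdk.signInWithEmailAndPassword(auth, email, password);
    const linked = await sdk.linkWithCredential(user, pendingCred);
    return { user: linked.user, linked: true };
  }
}

// Constructed stub of the SDK calls above: one existing password user whose
// email a Facebook login now claims (the situation described in the thread).
function makeStubSdk() {
  const users = { "wouter@example.com": { uid: "pw-1", pw: "s3cret", providers: ["password"] } };
  class FacebookAuthProvider { static credentialFromError(e) { return e.pendingCred; } }
  const fail = (code) => Object.assign(new Error(code), { code });
  return {
    FacebookAuthProvider,
    async signInWithPopup() {
      throw Object.assign(fail(ACCOUNT_EXISTS), {
        customData: { email: "wouter@example.com" },
        pendingCred: { providerId: "facebook.com" },
      });
    },
    async fetchSignInMethodsForEmail(_a, email) { return users[email] ? users[email].providers : []; },
    async signInWithEmailAndPassword(_a, email, pw) {
      const u = users[email];
      if (!u || u.pw !== pw) throw fail("auth/wrong-password");
      return { user: { uid: u.uid, email, providers: u.providers } };
    },
    async linkWithCredential(user, cred) { user.providers.push(cred.providerId); return { user }; },
  };
}
```

With the stub, a correct password ends with the existing password user carrying both the `password` and `facebook.com` providers; a wrong password rejects with `auth/wrong-password` and nothing is linked.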
-
Thanks for the great explanation. Makes a lot of sense about the security issue. Haven't thought about it that way. But isn't that the responsibility of the programmer developing the website? I understand that the default setting would be "don't merge". The reason I thought it was a bug was that it didn't throw any errors. I received a response with the object, but it was empty. What I expected was a "Duplicate Email" error or something like that. But maybe I'm testing something that might not occur, ever. When I see it in the official SDK I will let you know 😊. Again, great work! Keep it up
-
You're right, it is the responsibility of the programmer - I'm just afraid of irresponsible developers 😅 I don't have an application with 3rd-party authentication at the moment (or any, for that matter 😂), but I will try to set something up in order to be able to reproduce this. I haven't looked into the code, but I do believe that I just fill the object with what's returned by the Firebase API, so if the object is empty, then the Firebase API returned an empty object - but I haven't touched this part of the SDK in quite some time, so I will look into it in more detail as soon as I can and let you know!
-
Describe the bug
When a user is already created in Firebase Authentication with email / password, and I log in with Facebook using this same email address, I get an empty Login result. Only the data object is filled with the Facebook user. This same behaviour works fine when I log in with Google. Then the user can log in with user/password and Gmail.
Expected behavior
Either the user can log in with both email / password and Facebook, or an exception with duplicate email should be returned.
Thanks in advance! And thank you for the great SDK
Wouter