reauthenticateWithPopup() method is adding a new user entry in the Firebase Authentication.

[arunraj6]

Describe your environment

• Operating System version: macOS Big Sur 11.2.3
• Browser version: 89.0.4389.90
• Firebase SDK version: 8.2.10
• Firebase Product: auth

Describe the problem

When we reauthenticate a user using Google auth provider, a user is being added to the Firebase Authentication if we use another account to sign in instead of the previously signed-in user.

Steps to reproduce:

1. Sign in a user with Google auth provider by using signInWithPopup() method (example user: myid1@gmail.com).
2. Try to delete this user from a web application.
3. Need to reauthenticate the user myid1@gmail.com by using reauthenticateWithPopup() method.
4. In the sign-in popup try to give some different google account (example: myid2@gmail.com).
5. A new user entry will be added in the Firebase Authentication for the usermyid2@gmail.com.

Relevant Code:

import * as firebase from 'firebase/app';
            
        const user = firebase.default.auth().currentUser;   
        user.reauthenticateWithPopup(new firebase.default.auth.GoogleAuthProvider())
            .then(() => {
                // Success
            }).catch((error) => {
                //Error: The supplied credentials do not correspond to the previously signed in user.
            });

The proper error message (The supplied credentials do not correspond to the previously signed in user.) is coming in the catch block and also a new user is created which can be avoided.

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[looptheloop88]

Hi @arunraj6, I can't replicate this issue. When you delete the user in step 2, you can't do reauthenticateWithPopup() anymore in step 3, because it requires a currently signed-in user.

[arunraj6]

Hi @arunraj6, I can't replicate this issue. When you delete the user in step 2, you can do reauthenticateWithPopup() anymore in step 3, because it requires a currently signed-in user.

You meant to say, can't do the reauthenticateWithPopup() ?

[arunraj6]

Hi @looptheloop88 ,
Actually, in step-2 I am trying to do the deletion operation. For that, we have to reauthenticate the currently logged-in user (step-3).

Here in my case, the currently logged-in user is 'myid1@gmail.com'. But in the reauthentication popup, if I tried to use some other account (example: 'myid2@gmail.com') to reauthenticate the user, a new user entry is adding in the Firebase Authentication for the user 'myid2@gmail.com'.

[looptheloop88]

Hi @arunraj6, I can't replicate this issue. When you delete the user in step 2, you can do reauthenticateWithPopup() anymore in step 3, because it requires a currently signed-in user.

You meant to say, can't do the reauthenticateWithPopup() ?

Yes, sorry about the typo error. I have updated by comment.

[looptheloop88]

I'm trying to figure out the steps that I need to do to replicate the issue, so please do correct me if I'm wrong here.

1. Sign-in user A using signInWithPopup()
2. Re-authenticate user A using reauthenticateWithPopup(), but use another account - user B

Here, I am getting the error below:

code: "auth/user-mismatch"
message: "The supplied credentials do not correspond to the previously signed in user."

Upon checking the Firebase Authentication console, I was able to verify that user B got successfully registered. This should not happen, because there is an error thrown and actually catched by the code implementation. Is this the bug you're referring to?

[arunraj6]

I'm trying to figure out the steps that I need to do to replicate the issue, so please do correct me if I'm wrong here.

1. Sign-in user A using signInWithPopup()
2. Re-authenticate user A using reauthenticateWithPopup(), but use another account - user B

Here, I am getting the error below:

code: "auth/user-mismatch"
message: "The supplied credentials do not correspond to the previously signed in user."

Upon checking the Firebase Authentication console, I was able to verify that user B got successfully registered. This should not happen, because there is an error thrown and actually catched by the code implementation. Is this the bug you're referring to?

Yes exactly, this is the issue I am referring to.

Here the error (user-mismatch) I am getting is expected. But the registration of User B is unexpected or there is a chance of accidental user creations like this.