reauthenticateWithPopup() method is adding a new user entry in the Firebase Authentication.

[arunraj6]

Describe your environment

• Operating System version: macOS Big Sur 11.2.3
• Browser version: 89.0.4389.90
• Firebase SDK version: 8.2.10
• Firebase Product: auth

Describe the problem

When we reauthenticate a user using Google auth provider, a user is being added to the Firebase Authentication if we use another account to sign in instead of the previously signed-in user.

Steps to reproduce:

1. Sign in a user with Google auth provider by using signInWithPopup() method (example user: myid1@gmail.com).
2. Try to delete this user from a web application.
3. Need to reauthenticate the user myid1@gmail.com by using reauthenticateWithPopup() method.
4. In the sign-in popup try to give some different google account (example: myid2@gmail.com).
5. A new user entry will be added in the Firebase Authentication for the usermyid2@gmail.com.

Relevant Code:

import * as firebase from 'firebase/app';
            
        const user = firebase.default.auth().currentUser;   
        user.reauthenticateWithPopup(new firebase.default.auth.GoogleAuthProvider())
            .then(() => {
                // Success
            }).catch((error) => {
                //Error: The supplied credentials do not correspond to the previously signed in user.
            });

The proper error message (The supplied credentials do not correspond to the previously signed in user.) is coming in the catch block and also a new user is created which can be avoided.

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[looptheloop88]

Hi @arunraj6, I can't replicate this issue. When you delete the user in step 2, you can't do reauthenticateWithPopup() anymore in step 3, because it requires a currently signed-in user.

[arunraj6]

Hi @arunraj6, I can't replicate this issue. When you delete the user in step 2, you can do reauthenticateWithPopup() anymore in step 3, because it requires a currently signed-in user.

You meant to say, can't do the reauthenticateWithPopup() ?

[arunraj6]

Hi @looptheloop88 ,
Actually, in step-2 I am trying to do the deletion operation. For that, we have to reauthenticate the currently logged-in user (step-3).

Here in my case, the currently logged-in user is 'myid1@gmail.com'. But in the reauthentication popup, if I tried to use some other account (example: 'myid2@gmail.com') to reauthenticate the user, a new user entry is adding in the Firebase Authentication for the user 'myid2@gmail.com'.

[looptheloop88]

Hi @arunraj6, I can't replicate this issue. When you delete the user in step 2, you can do reauthenticateWithPopup() anymore in step 3, because it requires a currently signed-in user.

You meant to say, can't do the reauthenticateWithPopup() ?

Yes, sorry about the typo error. I have updated by comment.

[looptheloop88]

I'm trying to figure out the steps that I need to do to replicate the issue, so please do correct me if I'm wrong here.

1. Sign-in user A using signInWithPopup()
2. Re-authenticate user A using reauthenticateWithPopup(), but use another account - user B

Here, I am getting the error below:

code: "auth/user-mismatch"
message: "The supplied credentials do not correspond to the previously signed in user."

Upon checking the Firebase Authentication console, I was able to verify that user B got successfully registered. This should not happen, because there is an error thrown and actually catched by the code implementation. Is this the bug you're referring to?

[arunraj6]

I'm trying to figure out the steps that I need to do to replicate the issue, so please do correct me if I'm wrong here.

1. Sign-in user A using signInWithPopup()
2. Re-authenticate user A using reauthenticateWithPopup(), but use another account - user B

Here, I am getting the error below:

code: "auth/user-mismatch"
message: "The supplied credentials do not correspond to the previously signed in user."

Upon checking the Firebase Authentication console, I was able to verify that user B got successfully registered. This should not happen, because there is an error thrown and actually catched by the code implementation. Is this the bug you're referring to?

Yes exactly, this is the issue I am referring to.

Here the error (user-mismatch) I am getting is expected. But the registration of User B is unexpected or there is a chance of accidental user creations like this.

[arunraj6]

Hi @arunraj6, I can't replicate this issue. When you delete the user in step 2, you can do reauthenticateWithPopup() anymore in step 3, because it requires a currently signed-in user.

You meant to say, can't do the reauthenticateWithPopup() ?

Yes, sorry about the typo error. I have updated by comment.

No problem, Thank you.

[looptheloop88]

Hi @arunraj6, thanks for the confirmation. I've filed an internal bug for this issue. I will keep this thread posted for any updates. Thanks!

[arunraj6]

Hi @arunraj6, thanks for the confirmation. I've filed an internal bug for this issue. I will keep this thread posted for any updates. Thanks!

You are welcome :)
will wait for the fix.

[looptheloop88]

To give an update, this behavior is a known issue. This is tracked internally and added to our roadmap, however we can't provide definite timelines or details for when it will be fixed.

Please keep an eye out on this issue thread or the Firebase release notes to get more updates in the future.

[arunraj6]

@looptheloop88 Any updates on this Issue?

[looptheloop88]

This issue has already been raised and discussed internally, however we won't be able to get to it immediately.

For reference, the internal bug is b/184046641.

[nth-child]

@looptheloop88 Please give us an update. I am facing this issue now. I have not seen any mentions in Firebase release notes.

Thank you.

[brainwithE]

I do hope this will be fixed soon.