FirebaseUI always try to create a new account also if email exists in Firebase Auth #1040

Open
ralf00 opened this issue Sep 15, 2023 · 46 comments


@ralf00

ralf00 commented Sep 15, 2023

Hello,

I'm using firebase ui 10 on my nodejs project, implementing it in react (supported by this video: https://www.youtube.com/watch?v=eTuJ47RvEdQ).

Everything seems to work well but with one big problem: if I insert the email address of an already existent user, it goes forward asking me to "Create a new account" and "Choose a new password", which is not what is expected.

If I put in a password, it goes to an error telling me that the email address already exists and asking me to reset the password.

Has anyone encountered this issue? Any advice?

@anisabboud

anisabboud commented Sep 15, 2023

I'm encountering the same issue on a new project with AngularFire + FirebaseUI (cannot Sign in with Email):

  1. Sign up with some [email protected]
  2. Check Firebase console - everything is fine.
  3. Sign out
  4. Try to sign in again using same [email protected]
  5. It shows the Create account UI again instead of the Sign in UI even though the account exists for this email!
  6. If you try to Sign up again, you get an error:
    This email already exists without any means of sign-in. Please reset the password to recover.

I compared the network tab in this project compared to an older project:

  • Old project (works fine), network tab after inputting the email and clicking Next (correctly identifies that the user exists):
  • New project (cannot sign in), network tab after inputting the email and clicking Next (response indicates user doesn't exist):

Versions:

    "@angular/fire": "^7.6.1",
    "firebase": "^9.23.0",
    "firebaseui": "^6.1.0",
    "firebaseui-angular": "^6.1.3",

@ralf00
Author

ralf00 commented Sep 16, 2023

> I'm encountering the same issue on a new project with AngularFire + FirebaseUI (cannot Sign in with Email):
>
>   1. Sign up with some [email protected]
>   2. Check Firebase console - everything is fine.
>   3. Sign out
>   4. Try to sign in again using same [email protected]
>   5. It shows the Create account UI again instead of the Sign in UI even though the account exists for this email!
>   6. If you try to Sign up again, you get an error:
>     This email already exists without any means of sign-in. Please reset the password to recover.
>
> I compared the network tab in this project compared to an older project:
>
>   • Old project (works fine), network tab after inputting the email and clicking Next (correctly identifies that the user exists)
>   • New project (cannot sign in), network tab after inputting the email and clicking Next (response indicates user doesn't exist)
>
> Versions:
>
>     "@angular/fire": "^7.6.1",
>     "firebase": "^9.23.0",
>     "firebaseui": "^6.1.0",
>     "firebaseui-angular": "^6.1.3",

Exactly like me... I did the same things using Network, looking at the Console, but found nothing.

Do you suggest doing a downgrade? Which version is a working version?

@anisabboud

anisabboud commented Sep 16, 2023

Tried downgrading from 6.1.0 to 6.0.0, but it didn't help.
The culprit seems to be in fetchSignInMethodsForEmail used by FirebaseUI to determine whether to show Sign in / Create account flow:

p = this.getAuth().fetchSignInMethodsForEmail(email)

For some reason, it's returning [] instead of ['password'] on the new project, but it works fine on an old project!

import { getAuth, fetchSignInMethodsForEmail } from 'firebase/auth';  // or from '@angular/fire/auth';

  constructor() {
    fetchSignInMethodsForEmail(getAuth(), '[email protected]').then(console.log);  // prints [] instead of ['password']
  }

Related iOS issue: firebase/firebase-ios-sdk#11810

@anisabboud

Related: https://stackoverflow.com/questions/77115477/reactjs-and-firebase-ui-authentication-problems
(same issue posted 11 hours ago). Quoting from Stack Overflow:

> When I use email/password to log in, I enter my email, it prompts me to create an account by entering a password, I do that and get logged in. I also receive a verification email, which works. The problem is that if I log out and then try to log back in with the same credentials, it essentially prompts me to create a new user by entering a new password. If I try to proceed, it says the email already exists, and I can reset the password.

@gdutleung

I got the same issue!!!
my version is

 "firebase": "^10.3.1",
  "firebaseui": "^6.1.0",

Is there any way to fix this issue or any old version I can use to avoid this issue? Thank you very much!

@donaldr

donaldr commented Sep 22, 2023

Is there no resolution for this? Or should I just not use Firebase? Seems like a pretty egregious bug.

@ralf00
Author

ralf00 commented Sep 22, 2023

For now I solved it without using Firebase UI for authentication, just using Firebase with custom email and password fields, which works. The problem is just with Firebase UI... waiting for resolution...

@arupnayak

I am facing the same issue with a new Firebase project. Works fine on an old project.

@sgb-io

sgb-io commented Oct 4, 2023

Also facing this.

FYI: this appears to be a Google issue (see comments from @paulb777): firebase/firebase-ios-sdk#11810 (comment)

No apparent fix available yet.

@robmr88

robmr88 commented Oct 4, 2023

I am having the same problem, I am having it on Firebase Ui Android native, and Firebase UI Flutter

@sgb-io

sgb-io commented Oct 5, 2023

It looks like this is a breaking change for email/password sign-in due to the Email Enumeration Protection changes in Firebase. This feature is enabled by default as of 15 September 2023.

Unfortunately, it seems this project (Firebase UI) is seemingly abandoned by Google, so you either need to roll your own email/password sign-in solution against the Firebase SDKs or look at alternative projects.

It's not the best developer experience: you follow the Firebase docs to get started, Firebase UI is prominently recommended, then you later find out that it doesn't fully work and they've stopped maintaining it (with no obvious alternative available). Maybe they will swap to giving examples of how to roll your own; that would be better than starting your project then later realising you need to take multiple steps backward.

@victorcastro89

It is a backend issue, you can just disable email-enumeration-protection as a workaround:
https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection#disable

@naturedamends

naturedamends commented Oct 22, 2023

> It is a backend issue, you can just disable email-enumeration-protection as a workaround: https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection#disable

How can I run this? When adding it to the top-level module of my Firebase functions, it won't analyse.

EDIT: figured it out - you can run the command in the GCP terminal to get the access token.

@jhuleatt jhuleatt pinned this issue Oct 23, 2023
@jhuleatt
Collaborator

jhuleatt commented Oct 23, 2023

As @sgb-io and @victorcastro89 noted, this is due to a change in defaults for Firebase Authentication. On September 15, 2023 email enumeration protection was enabled by default for all new Firebase projects created after that date to boost security. When this setting is enabled, it limits the ability to check for what existing sign in methods exist for an email address through the fetchSignInMethodsForEmail JavaScript API, which FirebaseUI uses to decide whether to show the "Sign In" screen or "Create Account" screen.

We're going to update FirebaseUI to take away this conditional behavior. Until we do that, unfortunately the only workaround is to disable email enumeration protection on your Firebase project's underlying Cloud project. Related issue: firebase/firebase-js-sdk#7644 (comment)
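
An added example (not FirebaseUI's or the Firebase SDK's code) of an email/password form with the conditional step described above removed: it never looks up the address first, attempts sign-in directly, and collapses every credential failure into one message. The `signIn` parameter stands in for `signInWithEmailAndPassword` from `firebase/auth`; the names `signInWithoutLookup`, `makeFakeSignIn` and `demo`, and the fake backend with its sample users, are assumptions made so the block runs offline.

```javascript
// Added example: sign-in that does not depend on fetchSignInMethodsForEmail.
// `signIn` stands in for (email, pw) => signInWithEmailAndPassword(auth, email, pw).

// Codes that must look identical to the user; otherwise the form itself
// tells a visitor whether an address has an account.
const CREDENTIAL_ERRORS = new Set([
  'auth/invalid-credential',        // enumeration protection enabled
  'auth/invalid-login-credentials', // same condition in some SDK releases
  'auth/user-not-found',            // older projects, protection disabled
  'auth/wrong-password',            // older projects, protection disabled
]);

async function signInWithoutLookup(signIn, email, password) {
  try {
    const cred = await signIn(email, password);
    return { ok: true, uid: cred.user.uid };
  } catch (err) {
    if (CREDENTIAL_ERRORS.has(err.code)) {
      return { ok: false, message: 'Incorrect email or password.' };
    }
    throw err; // network, quota and similar errors are not credential errors
  }
}

// Constructed fake backend (hypothetical): mimics the error codes a project
// returns with the protection setting on or off.
function makeFakeSignIn(users, protectionEnabled) {
  return async (email, password) => {
    const user = users[email];
    if (user && user.password === password) return { user: { uid: user.uid } };
    const code = protectionEnabled
      ? 'auth/invalid-credential'
      : (user ? 'auth/wrong-password' : 'auth/user-not-found');
    throw Object.assign(new Error(code), { code });
  };
}

// Runs the same three attempts against both project configurations.
async function demo() {
  const users = { 'alice@example.test': { uid: 'u1', password: 'correct horse' } };
  const attempts = [['alice@example.test', 'correct horse'],
                    ['alice@example.test', 'wrong'],
                    ['nobody@example.test', 'wrong']];
  const results = [];
  for (const protectionEnabled of [true, false]) {
    const signIn = makeFakeSignIn(users, protectionEnabled);
    for (const [email, pw] of attempts) {
      results.push(await signInWithoutLookup(signIn, email, pw));
    }
  }
  return results;
}
```

Account creation stays a separate, explicit action in this design; as the reports above show, the create path still answers with an "email already exists" error.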

@capodisseny

Also could fix it with the curl command from the terminal.
PROJECT_ID = Firebase project ID

First get the ACCESS_TOKEN:

    $ gcloud auth print-access-token --project=PROJECT_ID

Now replace ACCESS_TOKEN and PROJECT_ID:

    $ curl -X PATCH -d '{"email_privacy_config":{"enable_improved_email_privacy":false}}' \
        -H 'Authorization: Bearer ACCESS_TOKEN' \
        -H 'Content-Type: application/json' -H 'X-Goog-User-Project: PROJECT_ID' \
        "https://identitytoolkit.googleapis.com/admin/v2/projects/PROJECT_ID/config?updateMask=email_privacy_config"

@blalmal10a

> As @sgb-io and @victorcastro89 noted, this is due to a change in defaults for Firebase Authentication. On September 15, 2023 email enumeration protection was enabled by default for all new Firebase projects created after that date to boost security. When this setting is enabled, it limits the ability to check for what existing sign in methods exist for an email address through the fetchSignInMethodsForEmail JavaScript API, which FirebaseUI uses to decide whether to show the "Sign In" screen or "Create Account" screen.
>
> We're going to update FirebaseUI to take away this conditional behavior. Until we do that, unfortunately the only workaround is to disable email enumeration protection on your Firebase project's underlying Cloud project. Related issue: firebase/firebase-js-sdk#7644 (comment)

Please mark this as the answer so others can easily find the temporary solution @ralf00

@UtkarshSaxenautk

@ralf00 Try turning off email enumerations from auth-setting in your account.

@danielramdometic

> It is a backend issue, you can just disable email-enumeration-protection as a workaround: https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection#disable

I don't know how you figured this out, but thank you a lot.

@coleridge72

> We're going to update FirebaseUI to take away this conditional behavior. Until we do that, unfortunately the only workaround is to disable email enumeration protection on your Firebase project's underlying Cloud project. Related issue: firebase/firebase-js-sdk#7644 (comment)

Hi @jhuleatt, thanks for the workaround - any word on when the official fix will be up?

@Boardtale

Adding my +1 here. Would love to see insta sign-in (not checking if the account exists on first try).

@vkmel

vkmel commented Feb 29, 2024

+1 .. no fix yet.

@benlabbeus

+1

@patricebender

+1

@theangrydev

+1

@sharafeddeen

Disabling email enumeration protection on the firebase console worked for me.

Not cool having to patch up my project with workarounds, but at least it's something until they release an official fix.

@kodejuice

> Disabling email enumeration protection on the firebase console worked for me.
>
> Not cool having to patch up my project with workarounds, but at least it's something until they release an official fix.

This also fixed it for me

@jacobakkerboom

> As @sgb-io and @victorcastro89 noted, this is due to a change in defaults for Firebase Authentication. On September 15, 2023 email enumeration protection was enabled by default for all new Firebase projects created after that date to boost security. When this setting is enabled, it limits the ability to check for what existing sign in methods exist for an email address through the fetchSignInMethodsForEmail JavaScript API, which FirebaseUI uses to decide whether to show the "Sign In" screen or "Create Account" screen.
>
> We're going to update FirebaseUI to take away this conditional behavior. Until we do that, unfortunately the only workaround is to disable email enumeration protection on your Firebase project's underlying Cloud project. Related issue: firebase/firebase-js-sdk#7644 (comment)

A little comment about this in the README would go a long way I think (until it's fixed). I wanted to try out firebase (and nextjs) and I made a test app using nextjs, then another one using node/express just to make sure I didn't mess up the nextjs stuff, then I looked in the FirebaseUI README to see if maybe I'm supposed to change the configuration, all to no avail. It's hard to guess that such an official resource like FirebaseUI would have an issue in what is basically its "hello world", and without guessing that there's something wrong with it it's hard to find answers pointing to the new setting.

@mdemund-scpr

+1

@JosefJezek

any progress?

@g-stone7

g-stone7 commented May 2, 2024

+1

@any626

any626 commented May 10, 2024

Any updates?

@VektorTech

+1

@sanjulaonline

+1

@mbimbij

mbimbij commented May 18, 2024

"egregious bug", couldn't agree more. A "drop-in solution" should at least allow you to set up a working proof of concept out of the box with default config. And it is still not fixed 8 months after the issue was opened, what a shame.

@kyrylo-drlg

kyrylo-drlg commented May 31, 2024

+1, disabling email protection works for me

@leknesh

leknesh commented Jul 10, 2024

Disabling email protection in the Firebase project does NOT work for me. Any more workaround suggestions?

@joe-brutto-66degrees

+1, still not fixed even with the GIP+IAP "Use an existing hosted sign-in page".
However, the workaround for the Firebase project did work for me.

@hnphi

hnphi commented Aug 23, 2024

+1
Does not work when email protection is enabled. But if protection is disabled, we then face the issue that users use the same email that they already logged in with via Google/Microsoft.

@KateGoncharik

KateGoncharik commented Sep 21, 2024

@RobinsonMichael-FS
Copy link

+1
It's been over a year now.

@kelvinkoko

kelvinkoko commented Oct 10, 2024

The disable email protection workaround works, thanks for sharing. But as others mentioned, it is supposed to be a drop-in solution and I don't see that it is deprecated, so I would like to +1 this issue. I still love the convenience of Firebase, but having this bug in this common flow for a year really hurts the developer experience.

@bigminions

Still had

@szymonkadas

+1

@agent3bood

One year later

@naturedamends

naturedamends commented Nov 24, 2024

> One year later

Literally using this product is a data protection issue in Europe. It has caused millions of people's emails to be exposed. And it's literally the front end of the product.

Can you just send us all our payout now? Or are you just going to continue to purposely ignore it? Can't you just write code with AI? Isn't 25 percent of your code AI written now?

@lehuyhungcyberagent

Disabling email enumeration protection solves the problems.
