Firebase Allowing Multiple Accounts from Same Email Address

18
votes

Within the Firebase console I have specifically set it to only allow "One account per email address". This is found on the sign-in method tab under "advanced".

I have an account created using the Google login method that has an address like "[email protected]". If I then choose to sign-in via Facebook using an account that also uses "[email protected]", Firebase is allowing it with the exception that the email address in the Users entity is null.

The Firebase documentation states:

if you don't allow multiple accounts with the same email address, a user cannot create a new account that signs in using a Google Account with the email address [email protected] if there already is an account that signs in using the email address [email protected] and a password.

Does this only count if you are trying to create a Firebase login directly with a username/password vs creating an account from two providers like Facebook and Google? I would be under the impression that if it finds a duplicate email address it should reject the registration/login. I do realize the quote states "and a password" which makes me wonder.

3
firebasefirebase-authentication
could you provide the source for your quote. i dont find documentation in firebase about this yet online. do you have a link ? - j2emanue
@j2emanue here is the link: support.google.com/firebase/answer/6400716 - C6Silver
@C6Silver how did you solve this? - cbdeveloper
@cbdev420 - With each sign-up I check if the email exists before creating an account on Firebase. - C6Silver
@C6Silver this email check you mentioned is on your Firebase database? so you are allowing multiple accounts per email on Firebase Auth? And are you using the email as a "userID" in your database (Firestore/RealTimeDB)? Thanks! - cbdeveloper

3 Answers

2
votes

Step 1 : Go to Firebase Console > Authentication > Sign in method. Check the option preventing multiple account creation with single email id.

Step 2 :The following documentation explains how to connect multiple providers to a single account using custom method.

https://firebase.google.com/docs/auth/web/account-linking

1
votes

Go to Firebase Console

In the Authentication -> SIGN-IN METHOD

Scroll Down to Advanced Section Click on CHANGE and then SAVE

enter image description here

1
votes

Expanding Kathir's answer, Firebase documentation does provide solution.

The following are code snippets copied from the documentation. 

// Step 1.
// User tries to sign in to Google.
auth.signInWithPopup(new firebase.auth.GoogleAuthProvider()).catch(function(error) {
  // An error happened.
  if (error.code === 'auth/account-exists-with-different-credential') {
    // Step 2.
    // User's email already exists.
    // The pending Google credential.
    var pendingCred = error.credential;

    // The provider account's email address.
    var email = error.email;

    // Get sign-in methods for this email.
    auth.fetchSignInMethodsForEmail(email).then(function(methods) {

      // Step 3.
      // If the user has several sign-in methods,
      // the first method in the list will be the "recommended" method to use.
      if (methods[0] === 'password') {

        // Asks the user their password.
        // In real scenario, you should handle this asynchronously.
        var password = promptUserForPassword(); // TODO: implement promptUserForPassword.

        auth.signInWithEmailAndPassword(email, password).then(function(user) {
          // Step 4a.
          return user.linkWithCredential(pendingCred);
        }).then(function() {
          // Google account successfully linked to the existing Firebase user.
          goToApp();
        });
        return;
      }

      // All the other cases are external providers.
      // Construct provider object for that provider.
      // TODO: implement getProviderForProviderId.
      var provider = getProviderForProviderId(methods[0]);

      // At this point, you should let the user know that he already has an account
      // but with a different provider, and let him validate the fact he wants to
      // sign in with this provider.
      // Sign in to provider. Note: browsers usually block popup triggered asynchronously,
      // so in real scenario you should ask the user to click on a "continue" button
      // that will trigger the signInWithPopup.
      auth.signInWithPopup(provider).then(function(result) {
        // Remember that the user may have signed in with an account that has a different email
        // address than the first one. This can happen as Firebase doesn't control the provider's
        // sign in flow and the user is free to login using whichever account he owns.
        // Step 4b.
        // Link to Google credential.
        // As we have access to the pending credential, we can directly call the link method.
        result.user.linkAndRetrieveDataWithCredential(pendingCred).then(function(usercred) {
          // Google account successfully linked to the existing Firebase user.
          goToApp();
        });
      });
    });
  }
});