firebase-admin-node icon indicating copy to clipboard operation
firebase-admin-node copied to clipboard

Published 20 hours ago verified publisher icon firebase

Concurrent calls to auth.createUser() may create multiple user accounts with the same email address

Open th0rgall opened this issue 5 months ago • 0 comments

[REQUIRED] Step 2: Describe your environment

  • Operating System version: macOS 14.6.1 (23G93)
  • Firebase SDK version: [email protected]
  • Firebase Product: auth
  • Node.js version: 20.18
  • NPM version: 10.8.2

[REQUIRED] Step 3: Describe the problem

Firebase does not guarantee user email uniqueness in users in case duplicate & concurrent calls are made to auth.createUser(), despite the "User account linking" setting in the Console being set to "Link accounts that use the same email". The API is not idempotent.

This issue breaks the promise found in the following support documentation:

Users can never create multiple accounts with the same email address and sign-in method.

If calls to auth.createUser with the same email are separated enough in time (some tens of milliseconds?), the last call will raise a auth/email-already-exists error, which is the expected behavior.

Steps to reproduce:

  1. Run this Firebase Admin JS script against a production Firebase environment, using node v20
// `auth` is a Firebase Admin auth instance
import { auth } from "../src/admin.js";

const c = () =>
    auth.createUser({
        email: "[email protected]",
        displayName: "Test",
    });

await Promise.all([c(), c()]);

  1. Observe that two users were created with the same details, with different UIDs

    Screenshot of the Firebase Console Auth dashboard

Workaround

Avoid concurrent calls to auth.createUser() with the same email address.

We were likely getting this issue because our front-end registration form would be submitted two times if double-clicked, which in turn lead to two concurrent auth.createUser calls in the back-end. Now we've debounced this call, which should avoid the issue in most circumstances.

More context

  • We are not using "Firebase Auth with Identity Platform"
  • I believe this is exactly the same issue as the following issue reported for the Python Admin SDK https://github.com/firebase/firebase-admin-python/issues/809
  • We saw an increase in the frequency of this issue since we started using the Firebase Admin SDK for Firebase Auth account creation (5 cases over 2 months). In the years before, when we were still using front-end Firebase JS clients for Firebase Auth account creation, we only had 1 similar case. I assume the frontend client implements some kind of debouncing internally already?

th0rgall avatar Jul 08 '25 15:07 th0rgall