firebase-android-sdk
Reauthenticating with wrong credentials creates a new user
Environment
- Android Studio version: Chipmunk 2021.2.1
- Firebase Component: Authentication
- Component version: 21.0.1
Steps to reproduce:
When using login providers to retrieve credentials for reauthentication, if the user reauthenticates with the wrong Facebook/Google account, the reauthentication fails; however, a new account is created on the server with the wrong credentials.
Relevant Code:
For Facebook we pass the retrieved credentials to reauthenticate:

```kotlin
suspend fun reAuthenticateUser(credentials: AuthCredential) {
    firebaseAuth.currentUser!!.reauthenticate(credentials).await()
}
```

For Google we let the function handle the reauthentication:

```kotlin
suspend fun reAuthenticateUserGoogle(activity: Activity) {
    val provider = OAuthProvider.newBuilder(AUTH_PROVIDER_GOOGLE)
    firebaseAuth.currentUser!!.startActivityForReauthenticateWithProvider(activity, provider.build()).await()
}
```
I found a few problems with this issue:
- I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
- This issue does not seem to follow the issue template. Make sure you provide all the required information.
Thanks for reporting, @linas77. I was able to reproduce the same behavior. I'll notify an engineer and see what we can do here.
Hi, thanks for filing this issue! We are unable to promise any timeline for this, but if others also have this issue, adding a +1 on this issue can help us prioritize adding this to the roadmap.
(Googler-only internal tracking bug: b/234154236)
Hi @linas77, thanks for filing this issue!
At the present moment, this is the intended behavior -- reauthenticating essentially behaves the same as a sign-in, with an additional check on the client to verify that the user is the same as before.
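Since reauthentication behaves like a sign-in, an app that obtains the provider credential itself (the Facebook path above) can compare the provider-side user ID with the identities already linked to the current user and refuse to call `reauthenticate` on a mismatch. The Kotlin below is an added example, not code from this thread or from the Firebase SDK; `isLinkedProviderAccount`, `reAuthenticateWithFacebook` and `ProviderAccountMismatchException` are hypothetical names, and it assumes the Facebook `AccessToken.userId` is the same value Firebase reports as `uid` for the `facebook.com` entry in `providerData`.

```kotlin
import com.facebook.AccessToken
import com.google.firebase.auth.FacebookAuthProvider
import com.google.firebase.auth.FirebaseAuth
import com.google.firebase.auth.FirebaseUser
import kotlinx.coroutines.tasks.await

/** Hypothetical exception: the account chosen at the provider is not linked to the signed-in user. */
class ProviderAccountMismatchException(providerId: String) :
    IllegalStateException("Selected $providerId account is not linked to the current user")

/**
 * Returns true only if the current user has a linked identity for [providerId]
 * whose provider-side UID equals [providerUid]. The "firebase" entry in
 * providerData is ignored automatically because its providerId never matches.
 */
fun isLinkedProviderAccount(user: FirebaseUser, providerId: String, providerUid: String): Boolean =
    user.providerData.any { it.providerId == providerId && it.uid == providerUid }

/**
 * Hypothetical wrapper around reauthenticate(): the credential is sent to the
 * backend only after the local identity check passes, so a wrong Facebook
 * account never reaches the sign-in call.
 */
suspend fun reAuthenticateWithFacebook(firebaseAuth: FirebaseAuth, token: AccessToken) {
    val user = firebaseAuth.currentUser
        ?: throw IllegalStateException("No signed-in user to reauthenticate")

    // Assumption: AccessToken.userId equals the uid stored for "facebook.com".
    if (!isLinkedProviderAccount(user, FacebookAuthProvider.PROVIDER_ID, token.userId)) {
        throw ProviderAccountMismatchException(FacebookAuthProvider.PROVIDER_ID)
    }

    user.reauthenticate(FacebookAuthProvider.getCredential(token.token)).await()
}
```

This check does not apply to `startActivityForReauthenticateWithProvider`, where the SDK runs the provider flow itself and the app never sees the chosen account before the sign-in call.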