
recoverEmail - mail is sent to the wrong email address when changing it two times

Open lukfel opened this issue 4 years ago • 4 comments

[REQUIRED] Describe your environment

  • Operating System version: Windows 10
  • Browser version: Chrome 87.0.4280.88
  • Firebase SDK version: 8.1.2
  • Firebase Product: auth

[REQUIRED] Describe the problem

Steps to reproduce:

I tested my email action handlers and noticed that if you change your authentication email two times, the recoverEmail notification is sent to the wrong email address.

Reproduce:

  1. Change email1 to email2
  2. Verify email2 with verifyEmail notification - email1 receives recoverEmail notification as expected
  3. Change email2 to email3 - email1 receives recoverEmail notification again

I'm not sure if this is intentional, but in my opinion, since email2 was already validated and verified by Firebase, email2 should be handled as the new primary email address.

Relevant Code:

firebase.auth().currentUser.updateEmail(newEmail); // v8 API: updateEmail is a method of the signed-in User, not of Auth

lukfel · Jan 06 '21 22:01

Hi @RegniBlef, thanks for filing this issue! Yes, this behavior is intentional -- the recoverEmail notification is currently designed to always go to the email used at account creation. However, I filed this as an internal feature request at b/177938422.

rosalyntan · Jan 29 '21 17:01

My team and I just encountered this issue whilst testing a new 'change email address' feature in the app we're developing and we assumed it was a bug. Agree with lukfel above - expected behaviour is that the email is sent to the previously-verified email address not the originally-verified email address.

karinvanh47 · Jul 24 '23 05:07

Noticed this just now as well. I think users expect the previously-verified email address to be the "recovery" address. I tried to switch to a new email inbox in a Firebase project I'm working on, and all seemed well, but the next time I changed the email (to test our change-email flow), a recovery email unexpectedly went to the old defunct inbox.

AverageHelper · Sep 14 '23 02:09

I encountered this issue as well and agree with the other comments. It would make more sense for the recovery email to be sent to the last verified email address.

sohenze · Sep 05 '24 16:09

Encountering this right now too. Say we change email from A->B and then B->C; during the latter operation the recoverEmail is sent to A, even though B has been verified as well. One of the major cases where this is an issue is if the user's original email address was hacked. In that case, even if they managed to change their account to a new email, the hacked email will still be getting the recoverEmail message.

@rosalyntan sorry for pinging, but could you shed any light on this matter or discuss internally to change this behavior?

baibhavbista · Feb 24 '25 03:02
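To make the two routing policies discussed in this thread concrete, here is an added model (not Firebase SDK code, and not from any commenter) that replays the A->B->C sequence under the current policy rosalyntan describes (recoverEmail always goes to the account-creation address) and under the policy the commenters expect (last verified address). The account object, policy names and example addresses are all constructed for this illustration; it assumes the creation address counts as verified.

```javascript
// Added example: a model of where the recoverEmail notification is routed.
// Policies: "creation" = current behaviour described in this issue,
// "lastVerified" = behaviour the commenters expect. Not SDK code.

function createAccount(email) {
  return {
    creationEmail: email,
    currentEmail: email,
    lastVerifiedEmail: email, // assumption: creation address is verified
    notifications: [],        // constructed audit trail of sent mails
  };
}

// Inbox that receives recoverEmail under the given policy.
function recoveryTarget(account, policy) {
  if (policy === "creation") return account.creationEmail;
  if (policy === "lastVerified") return account.lastVerifiedEmail;
  throw new Error(`unknown policy: ${policy}`);
}

// Model of updateEmail: recoverEmail to the policy target, verifyEmail to the new address.
function changeEmail(account, newEmail, policy) {
  const target = recoveryTarget(account, policy);
  account.notifications.push({ type: "recoverEmail", to: target });
  account.notifications.push({ type: "verifyEmail", to: newEmail });
  account.currentEmail = newEmail;
  return target;
}

// Model of the user completing verifyEmail for the current address.
function verifyEmail(account, email) {
  if (email !== account.currentEmail) throw new Error("verifying stale address");
  account.lastVerifiedEmail = email;
}

// Replays the exact sequence from the issue: A -> B, verify B, then B -> C.
function runScenario(policy) {
  const acct = createAccount("a@example.com");
  const firstRecovery = changeEmail(acct, "b@example.com", policy);
  verifyEmail(acct, "b@example.com");
  const secondRecovery = changeEmail(acct, "c@example.com", policy);
  return {
    firstRecovery,
    secondRecovery,
    // Risk highlighted by baibhavbista: the creation inbox keeps receiving recovery mail.
    creationInboxStillGetsRecovery: secondRecovery === acct.creationEmail,
  };
}
```

Under "creation" both recovery mails go to a@example.com; under "lastVerified" the second one goes to b@example.com, which is what the thread asks for.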