
FirebaseUI always tries to create a new account even if the email exists in Firebase Auth

Open ralf00 opened this issue 11 months ago • 36 comments

Hello,

I'm using firebase ui 10 on my nodejs project, implementing it in react (supported by this video https://www.youtube.com/watch?v=eTuJ47RvEdQ)

Everything seems to work well but with one big problem: if I insert the email address of an already existing user, it goes forward asking me to "Create a new account" and "Choose a new password", which is not what is expected.

If I enter a password, it gives an error telling me that the email address already exists and asking me to reset the password.

Has anyone encountered this issue? Any advice?

ralf00 avatar Sep 15 '23 16:09 ralf00

I'm encountering the same issue on a new project with AngularFire + FirebaseUI (cannot Sign in with Email):

  1. Sign up with some [email protected]
  2. Check Firebase console - everything is fine.
  3. Sign out
  4. Try to sign in again using same [email protected]
  5. It shows the Create account UI again instead of the Sign in UI even though the account exists for this email!
  6. If you try to Sign up again, you get an error: This email already exists without any means of sign-in. Please reset the password to recover.

I compared the network tab in this project compared to an older project:

  • Old project (works fine), network tab after inputting the email and clicking Next (correctly identifies that the user exists)
  • New project (cannot sign in), network tab after inputting the email and clicking Next (response indicates user doesn't exist)

Versions:

    "@angular/fire": "^7.6.1",
    "firebase": "^9.23.0",
    "firebaseui": "^6.1.0",
    "firebaseui-angular": "^6.1.3",

anisabboud avatar Sep 15 '23 22:09 anisabboud

Exactly like me... I did the same things using Network, looking at the Console, but found nothing.

Do you suggest doing a downgrade? Which version is a working version?

ralf00 avatar Sep 16 '23 07:09 ralf00

Tried downgrading from 6.1.0 to 6.0.0, but it didn't help. The culprit seems to be in fetchSignInMethodsForEmail used by FirebaseUI to determine whether to show Sign in / Create account flow: https://github.com/firebase/firebaseui-web/blob/85fbdd46847dff45afe76d9341e8c001a3394e2d/javascript/widgets/authui.js#L1174

For some reason, it's returning [] instead of ['password'] on the new project, but it works fine on an old project!

    import { getAuth, fetchSignInMethodsForEmail } from 'firebase/auth';  // or from '@angular/fire/auth';

    constructor() {
      fetchSignInMethodsForEmail(getAuth(), '[email protected]').then(console.log);  // prints [] instead of ['password']
    }

Related iOS issue: https://github.com/firebase/firebase-ios-sdk/issues/11810

anisabboud avatar Sep 16 '23 08:09 anisabboud

Related: https://stackoverflow.com/questions/77115477/reactjs-and-firebase-ui-authentication-problems (same issue posted 11 hours ago). Quoting from Stack Overflow:

When I use email/password to log in, I enter my email, it prompts me to create an account by entering a password, I do that and get logged in. I also receive a verification email, which works. The problem is that if I log out and then try to log back in with the same credentials, it essentially prompts me to create a new user by entering a new password. If I try to proceed, it says the email already exists, and I can reset the password.

anisabboud avatar Sep 16 '23 08:09 anisabboud

I got the same issue!!! My version is

    "firebase": "^10.3.1",
    "firebaseui": "^6.1.0",

Is there any way to fix this issue or any old version I can use to avoid this issue? Thank you very much!

gdutleung avatar Sep 16 '23 15:09 gdutleung

Is there no resolution for this? Or should I just not use Firebase? Seems like a pretty egregious bug.

donaldr avatar Sep 22 '23 20:09 donaldr

For now I solved it without using Firebase UI for authentication, just using Firebase with custom email and password fields, which works. The problem is just with Firebase UI... waiting for resolution...

ralf00 avatar Sep 22 '23 20:09 ralf00

I am facing the same issue with a new firebase project. Works fine on an old project.

arupnayak avatar Sep 26 '23 14:09 arupnayak

Also facing this.

FYI: this appears to be a Google issue (see comments from @paulb777): https://github.com/firebase/firebase-ios-sdk/issues/11810#issuecomment-1726320394

No apparent fix available yet.

sgb-io avatar Oct 04 '23 14:10 sgb-io

I am having the same problem. I am having it on Firebase UI Android native and Firebase UI Flutter.

robmr88 avatar Oct 04 '23 20:10 robmr88

It looks like this is a breaking change for email/password sign-in due to the Email Enumeration Protection changes in Firebase. This feature is enabled by default as of 15 September 2023.

Unfortunately, it seems this project (Firebase UI) is seemingly abandoned by Google, so you either need to roll your own email/password sign-in solution against the Firebase SDKs or look at alternative projects.

It's not the best developer experience: you follow the Firebase docs to get started, Firebase UI is prominently recommended, then you later find out that it doesn't fully work and they've stopped maintaining it (with no obvious alternative available). Maybe they will swap to giving examples of how to roll your own; that would be better than starting your project then later realising you need to take multiple steps backward.

sgb-io avatar Oct 05 '23 18:10 sgb-io

It is a backend issue, you can just disable email-enumeration-protection as a workaround: https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection#disable

victorcastro89 avatar Oct 20 '23 04:10 victorcastro89

It is a backend issue, you can just disable email-enumeration-protection as a workaround: https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection#disable

How can I run this? When adding it to the top level module of my firebase functions it won't analyse.

EDIT: figured it out - you can run the command in the GCP terminal to get the access token.

naturedamends avatar Oct 22 '23 08:10 naturedamends

As @sgb-io and @victorcastro89 noted, this is due to a change in defaults for Firebase Authentication. On September 15, 2023 email enumeration protection was enabled by default for all new Firebase projects created after that date to boost security. When this setting is enabled, it limits the ability to check for what existing sign in methods exist for an email address through the fetchSignInMethodsForEmail JavaScript API, which FirebaseUI uses to decide whether to show the "Sign In" screen or "Create Account" screen.

We're going to update FirebaseUI to take away this conditional behavior. Until we do that, unfortunately the only workaround is to disable email enumeration protection on your Firebase project's underlying Cloud project. Related issue: https://github.com/firebase/firebase-js-sdk/issues/7644#issuecomment-1751301783

jhuleatt avatar Oct 23 '23 18:10 jhuleatt
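
The direct sign-in flow that the comments above point to, as an added example that is not part of the thread or of FirebaseUI's code: instead of branching on fetchSignInMethodsForEmail, attempt the sign-in and map every credential rejection to one message, so email enumeration protection can stay enabled. `authApi`, `signIn`, `fakeAuth`, `demo` and the sample accounts are hypothetical names and constructed data.

```javascript
// Added example, not FirebaseUI code. `authApi` is a hypothetical wrapper whose
// signInWithEmailAndPassword(email, password) would call the function of the
// same name from 'firebase/auth' with getAuth() in a real app.

// Codes that all mean "this email/password pair was rejected". Handling them
// identically keeps the UI from revealing whether an address is registered.
const REJECTED = new Set([
  'auth/invalid-credential',        // enumeration protection enabled
  'auth/invalid-login-credentials', // same condition as named by some SDK releases
  'auth/user-not-found',            // protection disabled
  'auth/wrong-password',            // protection disabled
]);

async function signIn(authApi, email, password) {
  try {
    return { ok: true, user: await authApi.signInWithEmailAndPassword(email, password) };
  } catch (err) {
    if (REJECTED.has(err.code)) return { ok: false, message: 'Incorrect email or password.' };
    throw err; // network errors, throttling, etc. are not credential failures
  }
}

// Constructed in-memory stand-in for the Auth backend so the example runs offline.
function fakeAuth(users, enumerationProtection) {
  const fail = (code) => Promise.reject(Object.assign(new Error(code), { code }));
  return {
    // With protection on, the lookup is empty for every address (the [] seen in this thread).
    fetchSignInMethodsForEmail: async (email) =>
      !enumerationProtection && users.has(email) ? ['password'] : [],
    signInWithEmailAndPassword: (email, password) => {
      if (users.has(email) && users.get(email) === password) return Promise.resolve({ email });
      if (enumerationProtection) return fail('auth/invalid-credential');
      return fail(users.has(email) ? 'auth/wrong-password' : 'auth/user-not-found');
    },
  };
}

async function demo() {
  const users = new Map([['alice@example.test', 'correct horse']]); // constructed account
  const auth = fakeAuth(users, true);
  return {
    lookupExisting: await auth.fetchSignInMethodsForEmail('alice@example.test'),
    good: await signIn(auth, 'alice@example.test', 'correct horse'),
    wrongPassword: await signIn(auth, 'alice@example.test', 'nope'),
    unknownUser: await signIn(auth, 'bob@example.test', 'nope'),
  };
}
demo().then(console.log);
```

A sign-up form built the same way would call createUserWithEmailAndPassword and handle `auth/email-already-in-use` on submit rather than looking the address up first.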

Also could fix it with the curl command from the terminal. PROJECT_ID = firebase project id

First get the ACCESS_TOKEN:

    $ gcloud auth print-access-token --project=PROJECT_ID

Now replace ACCESS_TOKEN and PROJECT_ID:

    $ curl -X PATCH -d "{'email_privacy_config':{'enable_improved_email_privacy':false}}" \
        -H 'Authorization: Bearer ACCESS_TOKEN' \
        -H 'Content-Type: application/json' -H 'X-Goog-User-Project: PROJECT_ID' \
        "https://identitytoolkit.googleapis.com/admin/v2/projects/PROJECT_ID/config?updateMask=email_privacy_config"

capodisseny avatar Nov 14 '23 11:11 capodisseny

As @sgb-io and @victorcastro89 noted, this is due to a change in defaults for Firebase Authentication. On September 15, 2023 email enumeration protection was enabled by default for all new Firebase projects created after that date to boost security. When this setting is enabled, it limits the ability to check for what existing sign in methods exist for an email address through the fetchSignInMethodsForEmail JavaScript API, which FirebaseUI uses to decide whether to show the "Sign In" screen or "Create Account" screen.

We're going to update FirebaseUI to take away this conditional behavior. Until we do that, unfortunately the only workaround is to disable email enumeration protection on your Firebase project's underlying Cloud project. Related issue: firebase/firebase-js-sdk#7644 (comment)

Please mark this as the answer so others can easily find the temporary solution @ralf00

blalmal10a avatar Jan 12 '24 15:01 blalmal10a

@ralf00 Try turning off email enumerations from auth-setting in your account.

UtkarshSaxenautk avatar Jan 29 '24 08:01 UtkarshSaxenautk

It is a backend issue, you can just disable email-enumeration-protection as a workaround: https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection#disable

I don't know how you figured this out, but thank you a lot.

danielramdometic avatar Feb 04 '24 22:02 danielramdometic

We're going to update FirebaseUI to take away this conditional behavior. Until we do that, unfortunately the only workaround is to disable email enumeration protection on your Firebase project's underlying Cloud project. Related issue: https://github.com/firebase/firebase-js-sdk/issues/7644#issuecomment-1751301783

Hi @jhuleatt, thanks for the workaround - any word on when the official fix will be up?

coleridge72 avatar Feb 07 '24 20:02 coleridge72

Adding my +1 here. Would love to see insta sign in (not checking if account exists on first try).

Boardtale avatar Feb 10 '24 12:02 Boardtale

+1 .. no fix yet.

vkmel avatar Feb 29 '24 20:02 vkmel

+1

benlabbeus avatar Mar 07 '24 00:03 benlabbeus

+1

patricebender avatar Mar 07 '24 11:03 patricebender

+1

theangrydev avatar Mar 10 '24 03:03 theangrydev

Disabling email enumeration protection on the firebase console worked for me.

Not cool having to patch up my project with workarounds, but at least it's something until they release an official fix.

sharafeddeen avatar Mar 11 '24 17:03 sharafeddeen

Disabling email enumeration protection on the firebase console worked for me.

Not cool having to patch up my project with workarounds, but at least it's something until they release an official fix.

This also fixed it for me

kodejuice avatar Mar 12 '24 14:03 kodejuice

As @sgb-io and @victorcastro89 noted, this is due to a change in defaults for Firebase Authentication. On September 15, 2023 email enumeration protection was enabled by default for all new Firebase projects created after that date to boost security. When this setting is enabled, it limits the ability to check for what existing sign in methods exist for an email address through the fetchSignInMethodsForEmail JavaScript API, which FirebaseUI uses to decide whether to show the "Sign In" screen or "Create Account" screen.

We're going to update FirebaseUI to take away this conditional behavior. Until we do that, unfortunately the only workaround is to disable email enumeration protection on your Firebase project's underlying Cloud project. Related issue: firebase/firebase-js-sdk#7644 (comment)

A little comment about this in the README would go a long way I think (until it's fixed). I wanted to try out firebase (and nextjs) and I made a test app using nextjs, then another one using node/express just to make sure I didn't mess up the nextjs stuff, then I looked in the FirebaseUI README to see if maybe I'm supposed to change the configuration, all to no avail. It's hard to guess that such an official resource like FirebaseUI would have an issue in what is basically its "hello world", and without guessing that there's something wrong with it it's hard to find answers pointing to the new setting.

jacobakkerboom avatar Apr 03 '24 10:04 jacobakkerboom

+1

mdemund-scpr avatar Apr 12 '24 19:04 mdemund-scpr

Any progress?

JosefJezek avatar Apr 29 '24 07:04 JosefJezek

+1

g-stone7 avatar May 02 '24 20:05 g-stone7