Signing in with Google deletes the user's password
While digging into #118, I discovered that signing in with Google appears to delete the user’s existing password, or in any case removes the email/password provider, without any warning.

I don’t recall reading this in the docs, and I think we should either not destroy this information, or we should provide a visible warning to the user, as well as to developers who use Google sign-in + email/password auth.
We recently went to great lengths to import a large number of user accounts from a legacy auth system using the `auth:import` tool, preserving each user’s password from the old database to provide a seamless transition. In fact, for this purpose I requested pbkdf2-sha256 hash support on the Firebase google group, and it was added a couple of months later (which was fantastic, btw!).
I would prefer (and expect) users to be able to sign in with Google while also maintaining a password for their account on my site. The UX and docs led me to believe that we could use the same email address account with multiple auth providers, and AFAIK does not mention that adding an additional auth provider can remove an existing provider.
Steps to reproduce on https://fir-ui-demo-84a6c.firebaseapp.com/?mode=select:

- Click “Sign in with Email” and create a new account using email+password of a Gmail account
- Sign out
- Click ‘sign in with Google’ and select the same email as above
- Sign out
- In the console, run `firebase.auth().fetchProvidersForEmail("YOUR_EMAIL").then(console.log)`. This should log `["google"]` to the console.
- You can also try running `firebase.auth().signInWithEmailAndPassword("YOUR_EMAIL", "YOUR_PASSWORD").catch(console.log)`, which will log the error `{code: "auth/wrong-password", message: "The password is invalid or the user does not have a password."}`
Created 6 years ago · Comments: 7 (3 by maintainers)
Top GitHub Comments
Hi @TMSCH,

Thanks for the explanation. Even after hearing you say that, I can read and re-read the linked passage and not come away with the same understanding. Maybe the implications could be described more clearly…

> Google serves as both an email and social identity provider. Email IDPs are authoritative for all email addresses related to their hosted email domain while social IDPs assert email identities based having done a one time confirmation of the email address. A user logging in with Google will never cause this error when their account is hosted at Google even if they signed up for their account with a password or a social IDP.

Is a developer reading that text supposed to come away with the understanding that “the password for an account without a verified email address will be deleted upon sign-in with Google”? Or maybe I am still looking at the wrong place.

In any case, the bit about `emailVerified` is a big help, because it means (a) this won’t affect email/password accounts under normal circumstances, and (b) I know how to fix this for my users (it looks like I should have set that field during import). I do agree that the verified owner of a Gmail account should be able to ‘take back’ control of an account created previously or by someone else.
If you use all of the recommended parameters for user import, but exclude the salt-separator option, on login Firebase Auth for web responds with:
Should I create a new issue for this?