Firebase-js-sdk: unable to prevent `The email is already in use as another user initial email` using fetchSignInMethodsForEmail due to false data

Created on 22 Jun 2019 · 14 Comments · Source: firebase/firebase-js-sdk


Describe your environment

  • Operating System version: Win10
  • Browser version: Chrome 75.0.3770.100 (Official Build) (64-bit)
  • Firebase SDK version: 6.2.2
  • Firebase Product: Auth

Describe the problem

When checking if the email is used by calling `fetchSignInMethodsForEmail`, it returns an empty array, confirming that the email is available to use by a new user.

However, when I call `auth.createUserWithEmailAndPassword(email, password)` I get the following error: The email is already in use as another user initial email

NOTE: the email used here was previously used by another user, but I want to prevent this error during signup by telling new users that the email is already used. Unfortunately, `fetchSignInMethodsForEmail` is returning false data, making it hard to catch the error.

Repro Needed auth internal-bug-filed needs-attention discussion

All 14 comments

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

This is quite an edge case. It would be incorrect to return anything in fetchSignInMethodsForEmail as returning a provider ID/signInMethod means that the user can actually sign-in with that email but the user can't. The original owner of the account has to revert back to it before being able to sign-in. The email is reserved in case the original owner wants to revert back to it, but technically, the account can't be signed in with.

Hey @bojeil-google & team,

We've been experiencing the same issue that @hamedbaatour reported for months and I finally got a chance to dig deep enough to confirm there is in fact a bug and error that's not being handled correctly.

This is actually a fairly common scenario and not much of an edge-case, let me explain:

  • Let's say there are 2 users who work together: Bob & Sally
  • Bob signs up for trial of app using [email protected]. Then tells Sally to sign up and purchase a plan under [email protected]
  • Then they want to change Sally's account email to Bob's but receive an error that [email protected] is already taken.
  • So Bob changes his email to something else like [email protected]
  • When Sally tries to change her email again, she now receives the error: The email is already in use as another user's initial email
  • To make matters worse, if Bob deletes his account and then Sally tries to change her email again, the Firebase Auth service completely breaks and responds with a 500:

    {
      "error": {
        "code": 500,
        "message": "Internal error encountered.",
        "errors": [
          {
            "message": "Internal error encountered.",
            "domain": "global",
            "reason": "backendError"
          }
        ],
        "status": "INTERNAL"
      }
    }
    
  • So by Bob creating an account once, he's prevented the possibility of all future accounts from changing their email to his, even if he wants to do that.

It seems like Firebase is storing an internal database of "initial emails" that the developer has no access to or knowledge of. The `initialEmail` property is almost never shown to the dev and not mentioned at all in the docs. The only time I see this property is when the Firebase JS client hits the endpoint at https://www.googleapis.com/identitytoolkit/v3/relyingparty/getAccountInfo or when we use the REST API to get account info with https://identitytoolkit.googleapis.com/v1/accounts:lookup.

Even the Firebase Admin SDK doesn't include the initialEmail property in its results for getting user info.

So there are two issues here:

  1. There's an internal server error when a user's email is changed to an email that belonged to a deleted user.
  2. The initialEmail property is not accessible by the developer. Ideally we could control if the property gets set at all or we could tell firebase to remove that property.

Would love to find a solution here. Let me know if there is another path that I missed. Unfortunately, if we can't find a solution we'll have to migrate millions of users to another auth system to give us full control of auth.

I have filed an internal bug for this. I would suggest you follow up with Firebase support on this. This is the recommended process to get updates for this as this is a backend behavior issue and not SDK related.

We were unable to recreate this issue. We tried to create a user, update their email, delete it and then create a new user with the first user's initial email without any issue.
There must be something specific to your project. I recommend you file a bug with Firebase support and provide more details on your project and the user that is experiencing these issues.

We had the same situation with one of our users today. Should we contact support?

A user created an account with an email, then later changed it. When we try to create a user with this previous email (using the admin backend), we are getting the error The email is already in use as another user initial email.
This email cannot be found in the Firebase auth dashboard.

@bojeil-google in which situations does Firebase prevent the use of an email previously used by another user?

Any updates?

I also need a solution for this. Our situation is exactly the same as @bojeil-google described.

We were trying to update the user's email to the one taken by another person. We have many paid users requesting this, so I wish this is to be fixed.

There's not any way to fix this even by manually going into the Firebase admin panel. The use case described by @saidurh above is exactly what our users have done. Are we really completely stuck on this issue until Google implements a fix?

And to clarify @bojeil-google, I think the reason you did not see this issue when trying to recreate it is that you deleted the first account. In the situation we're describing, the user does not delete their first account, they simply change the email associated with it. At that point, the second user tries to create an account using the first email, but they cannot do so because the first user has still "claimed" the initial user.

@bojeil-google Can you post the internal bug for this?

@scottcrossen We are seeing this as well. This is not an edge case, and it is also not a problem with the way the product is being used, nor is it specific to a particular environment. This situation comes up all the time: someone in a company creates an account, then they want to use that email on a different account. Virtually every commercial product I've used allows this, and it is accepted that it should work (I do it all the time, including with various Google services). This is causing pain to our users. Can anyone provide an update on when this will be resolved?

@johndunderhill If you could provide us repro steps (or file a Support ticket with repro steps if there's anything sensitive in those steps), that could really help us investigate further. Thanks!

Thanks, Megha.

Steps to reproduce:

Using an app that uses Firebase Auth:

  1. Create a new account using an email address and password.
  2. Confirm the original email address.
  3. Change the email address to a different email address.
  4. Confirm the new email address.
  5. Try to create a new account with the first email address.

What happens: The attempt to create the new account is blocked with a message similar to:

"This email address is already in use as another user's initial email address."

Expected behavior: The system allows a new account to be created with the now-abandoned email address, as in most other login systems on the planet.

John
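
The repro steps above, run against a toy in-memory model of the reservation behaviour described in this thread. This is an added example, not code from the thread or from Firebase: `ToyAuth`, `signUp`, `reproduce` and the `example.test` addresses are assumptions, and the email confirmation steps are omitted. It shows why an empty pre-check result cannot be treated as "email available", so the signup flow has to handle the failure at creation time.

```javascript
// Toy model only: NOT the Firebase SDK or backend. It reserves each account's
// first email, as described in the thread.
const RESERVED_MSG = "The email is already in use as another user initial email"; // text quoted in the thread

class ToyAuth {
  constructor() {
    this.current = new Map(); // email -> uid, emails that can sign in
    this.initial = new Map(); // email -> uid, first email of each account (stays reserved)
    this.nextUid = 1;
  }
  fetchSignInMethodsForEmail(email) {
    // Only emails that can actually sign in report a method.
    return this.current.has(email) ? ["password"] : [];
  }
  createUser(email) {
    if (this.current.has(email)) throw new Error("email already in use"); // constructed message
    if (this.initial.has(email)) throw new Error(RESERVED_MSG);
    const uid = `u${this.nextUid++}`;
    this.current.set(email, uid);
    this.initial.set(email, uid);
    return uid;
  }
  updateEmail(oldEmail, newEmail) {
    const uid = this.current.get(oldEmail);
    if (this.current.has(newEmail)) throw new Error("email already in use");
    // The original owner may revert to their own initial email; nobody else may take it.
    if (this.initial.has(newEmail) && this.initial.get(newEmail) !== uid) throw new Error(RESERVED_MSG);
    this.current.delete(oldEmail);
    this.current.set(newEmail, uid);
  }
}

// The pre-check is advisory; the create call is the authoritative answer.
function signUp(auth, email) {
  if (auth.fetchSignInMethodsForEmail(email).length > 0) return { ok: false, reason: "in-use" };
  try {
    return { ok: true, uid: auth.createUser(email) };
  } catch (err) {
    // Matching on message text is only acceptable in this toy model.
    return { ok: false, reason: err.message === RESERVED_MSG ? "reserved" : "in-use" };
  }
}

function reproduce() {
  const auth = new ToyAuth();
  auth.createUser("first@example.test");                          // step 1
  auth.updateEmail("first@example.test", "second@example.test");  // step 3
  const methods = auth.fetchSignInMethodsForEmail("first@example.test");
  return { methods, result: signUp(auth, "first@example.test") }; // step 5
}
```
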

