Automatic auth linking

On our app we are using "One account per email address". We want users to sign up using a specific authentication provider, which we keep track of, and stick with it.

What I've noticed today is that if I log in using a Google or Facebook provider I can then send myself a password reset link to the associated email address, which allows me to use the email/password provider instead. There is a slight difference in behaviour depending on the first provider:

  • If I use Google first, after I use the password reset link I can now use either provider to log in, and both are linked to the same Firebase uid. If I debug, I can see both in the providerDetails array on the authData object I get back from Firebase.
  • If I use Facebook first, after I use the password reset link the password provider replaces the Facebook one completely, although it retains the old Firebase uid. At this point I can no longer use the Facebook login.

My questions are: is this behaviour intended, and, is there any way to switch it off?

This can cause confusion if say a user logs in using Facebook (which we track) and then later forgets and sends a password reset. It isn't the end of the world because they can carry on using the password login, but it certainly muddies the water.

Thanks

John asked Oct 29 '22 12:10


1 Answer

The behavior is intentional.

For end users, if they had signed into the app using Google or Facebook, and later they want to recover the password, the most likely reason is that they (or an attacker) cannot log in with that identity provider.

After the user clicks the password reset link, Firebase removes the non-email identity providers to prevent other people from accessing the account silently. If the user still wants to add Facebook/Twitter login, they can do that via manual account linking (if the app supports it).

In case the user's email service is the same as the identity provider (e.g. @gmail.com users log into the app using Google), Firebase has an optimization to keep the identity provider since there is no security risk.

Jin Liu answered Nov 11 '22 16:11
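As an added example (not from the question or the answer, and not Firebase's own code), the JavaScript below models the two outcomes the answer describes and shows the reconciliation check an app that tracks one sign-up provider per user can run after each sign-in, so that a silently dropped Facebook link is noticed and the user can be prompted to re-link or the app's record updated. The provider ids `google.com`, `facebook.com` and `password` are the real Firebase provider ids; the user records are constructed samples shaped like the `providerData` array on a signed-in Firebase user, `providersAfterPasswordReset` is a deliberately simplified model of the behaviour the answer describes (it treats only `@gmail.com` as a Google-hosted mailbox, an assumption), and `reconcileProvider` is a hypothetical app-side helper.

```javascript
// Real Firebase provider ids; everything else in this file is a constructed sample.
const PROVIDER_IDS = { google: "google.com", facebook: "facebook.com", password: "password" };

// Model of the behaviour the answer describes: after a password reset, Firebase keeps
// a non-email provider only when that provider also hosts the user's mailbox (the
// answer's @gmail.com + Google case); every other non-email provider is unlinked and
// the password provider is present afterwards. Assumption: only @gmail.com counts as
// a Google-hosted mailbox here, which is a simplification for illustration.
function providersAfterPasswordReset(email, providerData) {
  const domain = email.split("@")[1].toLowerCase();
  const keptByEmailService = domain === "gmail.com" ? PROVIDER_IDS.google : null;
  const kept = providerData.filter(
    (p) => p.providerId === keptByEmailService || p.providerId === PROVIDER_IDS.password
  );
  if (!kept.some((p) => p.providerId === PROVIDER_IDS.password)) {
    kept.push({ providerId: PROVIDER_IDS.password, email });
  }
  return kept;
}

// Hypothetical app-side check: compare the provider recorded at sign-up with what is
// currently linked on the Firebase user. Returns a status the app can log and act on
// rather than silently trusting its own record.
function reconcileProvider(trackedProviderId, providerData) {
  const linked = providerData.map((p) => p.providerId);
  if (!linked.includes(trackedProviderId)) {
    // The provider the app thinks the user signed up with is gone (the Facebook case).
    return {
      status: "tracked-provider-unlinked",
      linked,
      action: "offer manual re-link or update the stored provider",
    };
  }
  if (linked.length > 1) {
    // The tracked provider survived but another one was added (the Google case).
    return { status: "extra-providers", linked, action: "review and update record" };
  }
  return { status: "ok", linked, action: "none" };
}

// Constructed sample accounts walking through both scenarios from the question.
function demo() {
  const googleUser = { email: "alice@gmail.com", providerData: [{ providerId: PROVIDER_IDS.google }] };
  const facebookUser = { email: "bob@example.com", providerData: [{ providerId: PROVIDER_IDS.facebook }] };

  const googleAfter = providersAfterPasswordReset(googleUser.email, googleUser.providerData);
  const facebookAfter = providersAfterPasswordReset(facebookUser.email, facebookUser.providerData);

  return {
    google: reconcileProvider(PROVIDER_IDS.google, googleAfter),
    facebook: reconcileProvider(PROVIDER_IDS.facebook, facebookAfter),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the file prints `extra-providers` for the Google account (both `google.com` and `password` remain linked) and `tracked-provider-unlinked` for the Facebook account (only `password` remains), which is exactly the mismatch the question found confusing; the app can use the returned `action` to drive a re-link prompt or to correct its stored provider.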