Firebase, prevent user sign up by email password and google - firebase

I'm using Flutter and Firebase.
I allow new users to sign up using Email and Password, and also Apple and Google sign in.
Now I need to prevent the same user from creating an account with Email and Password, and a different account with Apple/Google sign in. As it is currently, they can create two accounts, and I see two different accounts in the Firebase console. Is there a way to make sure that once a user signed up with one method, he cannot sign up with another method? For example, check if that email already has a user associated with it?
Thanks

Related

Flutter account security using multiple auth verification

I want to make an application that checks if the user is a real user. I want to create a double/multiple auth like some apps do.
Something like an e-commerce app: the user creates an account using login/signup with Firebase on Flutter. When the user is already signed in, how can I check/ask the user to do more verification? Something like: one user account will need phone number and email verification to be able to do something like upload a product or buy a product.
I have already made it so the user can log in using email, Google sign-in, and anonymous login.
And once again, how can I check if the user is anonymous?
You can make use of the isAnonymous property of the user to know if the user is an anonymous user or a real authenticated user.
From your question it seems you want to re-authenticate the user before buying or uploading a product. For that you can use any of the following methods.
reauthenticateWithCredential
reauthenticateWithPhoneNumber
reauthenticateWithRedirect
reauthenticateWithPopup

how to get the user ID without firebase authentication?

I'm working on a Flutter app that doesn't require an email or password to sign in; it only requires the user to enter his name.
My question is, how can I deal with the user data and use his user ID without Firebase authentication?
Is that possible?
If you want to be able to identify a user without requiring them to enter credentials, consider using Firebase's anonymous authentication. You can then store data in your database associated with that anonymous user's UID.

Make sure a user verified their email before signing them in

I'm in the middle of adding firebase email/password sign in inside a React app. Specifically, it's an e-commerce site, and users will be signed in anonymously before they create an account (for things like cart data).
Here's the ideal user flow:
1. User registers by providing an email and password
2. User is not signed in immediately and instead gets a verification email
3. If a user tries signing in before verifying their email, they cannot sign in
4. User then clicks on the verification link and can sign in
I'm having issues with #3 because it appears like the only way to check if an email is verified is by calling:
    const { user } = await firebase
      .auth()
      .signInWithEmailAndPassword(email, password)
    if (user?.emailVerified) {
      // let them enter the dashboard
    }
However, this process signs in the user even if the email is not verified. That destroys the data on the anonymous account. And merging the two accounts isn't possible because the user thinks they are not signed in (hence it could cause UX issues if the accounts are already merged).
Any ideas?
If you're using the email+password provider, there is no way to prevent the user from signing in without a verified email address. You can of course keep them from using your app and accessing data, but you can't keep them from signing in.
If you want to ensure the user can only sign in after their email address has been verified, consider using the email link provider. You can then later allow them to set a password on the same account, either through the Admin SDK, or by creating an email+password account and linking that with the email link account. Also see the documentation on differentiating email/password from email link for some of the nuances here.
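The answer's point that a signed-in but unverified user can still be kept away from data, as an added example that is not code from the original posts: a server-side check on the claims of a verified Firebase ID token. `POLICY`, `decide` and `authorize` are hypothetical names; `email_verified` and `firebase.sign_in_provider` are claims carried in a decoded ID token, and the verifier is injected so the block runs offline.

```javascript
// Added example (not from the original answers): enforce sign-in assurance
// on the server from Firebase ID token claims.

// Hypothetical policy table: what each action requires.
const POLICY = {
  viewCart: { allowAnonymous: true, requireVerifiedEmail: false },
  checkout: { allowAnonymous: false, requireVerifiedEmail: true },
  uploadProduct: { allowAnonymous: false, requireVerifiedEmail: true },
};

// Pure decision on already-verified claims (shape of a decoded ID token).
function decide(claims, action) {
  // Own-property lookup so names like "constructor" do not match; fail closed.
  if (!Object.prototype.hasOwnProperty.call(POLICY, action)) {
    return { allowed: false, reason: 'unknown-action' };
  }
  const rule = POLICY[action];
  const provider = claims.firebase && claims.firebase.sign_in_provider;
  if (provider === 'anonymous') {
    return rule.allowAnonymous
      ? { allowed: true, reason: 'ok' }
      : { allowed: false, reason: 'anonymous-user' };
  }
  if (rule.requireVerifiedEmail && claims.email_verified !== true) {
    return { allowed: false, reason: 'email-not-verified' };
  }
  return { allowed: true, reason: 'ok' };
}

// verifyIdToken is injected; with firebase-admin it would be
// (token) => admin.auth().verifyIdToken(token).
async function authorize(verifyIdToken, idToken, action) {
  let claims;
  try {
    claims = await verifyIdToken(idToken);
  } catch (err) {
    return { allowed: false, reason: 'invalid-token' };
  }
  return decide(claims, action);
}
```

Because the decision is made from the token on each request, the client can stay signed in (keeping the anonymous cart) while checkout remains closed until the address is verified.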

Firebase recover password transforms account type

We are building an Angular 5 app with Firebase.
We allow users to log in with email+password or a Google account, and we don't allow multiple accounts related to the same email address.
We built a form to allow users to ask for a Password Reset Email if they forgot their email password credentials, and it works perfectly if the user has an email+password account.
The problem arises when the reset email is asked for a Google account. We'd expect Firebase to throw an error, not allowing the email to be sent, but the email is sent, and if the user proceeds with resetting the email the account is transformed from a Google type to an email+password one.
Is there a way to prevent this behaviour?
There is no way to prevent this. When a user resets their password, they are making a conscious decision to do so. Firebase is providing a way to recover an email account, in case it was hijacked. In the process all providers are unlinked and a password is set on the account.
You have a way to check if the email is associated with the Google provider or not. Check out the fetchSignInMethodsForEmail and fetchProvidersForEmail APIs. These APIs would return the array of sign-in methods or providers associated with an email.
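The check suggested above, as an added example that is not code from the original posts: a reset form that looks up the sign-in methods first and only requests a reset mail when the account already has a password. `requestPasswordReset`, `RESET_NOTICE` and `fakeAuth` are hypothetical names; `fetchSignInMethodsForEmail` and `sendPasswordResetEmail` are the Firebase JS SDK methods, and the block assumes email enumeration protection is disabled for the project.

```javascript
// Added example (not from the original answers): a reset-form guard.
// `auth` must expose fetchSignInMethodsForEmail() and sendPasswordResetEmail(),
// as firebase.auth() does in the namespaced Firebase JS SDK.
// Assumption: email enumeration protection is disabled for the project; with
// it enabled the lookup returns an empty list and nothing would be sent.

// Same text for every outcome, so the form does not disclose which addresses
// are registered or which provider they use.
const RESET_NOTICE =
  'If this address signs in with a password, a reset email has been sent.';

async function requestPasswordReset(auth, rawEmail) {
  const email = String(rawEmail).trim();
  const methods = await auth.fetchSignInMethodsForEmail(email);
  // Send only when a password already exists. A federated-only account
  // (for example ['google.com']) or an unknown address gets no mail, so this
  // form never issues a reset link for it.
  const sent = methods.includes('password');
  if (sent) await auth.sendPasswordResetEmail(email);
  return { sent, methods, notice: RESET_NOTICE };
}

// Constructed in-memory stand-in for firebase.auth(), for running offline.
function fakeAuth(directory) {
  const sentTo = [];
  return {
    sentTo,
    fetchSignInMethodsForEmail: async (email) => directory.get(email) || [],
    sendPasswordResetEmail: async (email) => { sentTo.push(email); },
  };
}
```

This guards the form only; as the answer says, a reset requested directly against Firebase is not prevented.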

Lose password after sign in using Google provider

I have an Android app which uses Firebase authentication with email and password. I recently added the Google provider, so now my users can sign in with their Google account. The problem is the following:
There's an existing user example@gmail.com registered on my app. Later the user signs in with his Google account and Firebase automatically changes the provider of the account from email to Google. The problem is that the user signs out, tries to log in with his email/password, and gets the message
The password is invalid or the user does not have a password
I understand why this happens, but users (you know they are users) get frustrated because they can't log in with their email/password.
Is there some way to tell Firebase to keep the user's password, or to know when a user logs in with Google and this conversion happens, in order to notify the user?
Note: My app only allows one account per email.
I found there's a method fetchProvidersForEmail. I assume I can build a flow over that method that checks which provider the user has and allows the user to choose whether to keep his old password by asking and linking the account, or just continue.
