Trying to log in with Email+Password when already logged in with OAuth previously only shows "Incorrect password"

[bezysoftware]

"Link accounts that use the same email" is turned on.

In v7:

1. Users logs in for the first time with OAuth provider (e.g. Google)
2. They sign out and next time they mistakenly try to log in with Email+Password
3. They get "Password Incorrect"

This is a different behavior than in v6, where they would get this dialog:

This helps users a lot to identify how they previously logged in when they forget. Looking at the network calls:

v6 calls https://identitytoolkit.googleapis.com/v1/accounts:createAuthUri (without password in payload, only email) which replies with

{
  "kind": "identitytoolkit#CreateAuthUriResponse",
  "allProviders": [ "google.com"  ],
  "signinMethods": [ "google.com"  ]
}

v7 calls https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword (with password & email in payload) and receives

{
  "error": {
    "code": 400,
    "message": "INVALID_PASSWORD",
    "errors": [
      {
        "message": "INVALID_PASSWORD",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

Can we bring back the previous behavior to help users identify how they previously logged in?

[russellwheatley]

Hey @bezysoftware - Those API calls are internal to the firebase-js-sdk. As mentioned in this issue: #1308 (comment), getting providers associated with an email relies on a deprecated firebase auth API, namely fetchSignInMethodsForEmail(). We can't use that anymore, as it'll likely return an empty array in the future.

The best we can aim for is something like -a pop-up with option of trying different provider or attempt another password again?

[ashishyk018-byte]

This makes sense. If an account was originally created via OAuth and has no
password set, attempting Email+Password login should first check the available
sign-in methods for the email and surface a helpful message (as v6 did),
instead of directly returning “Incorrect password”. Happy to explore a fix.

[bezysoftware]

Yes, a more user friendly message is certainly an improvement. It will reduce the number of support tickets from users 🙂

[ashishyk018-byte]

Great, thanks! I’ll look into implementing this and follow up with a PR.

[ashishyk018-byte]

If it makes sense to discuss this live, do you have a preferred Discord or
other channel for contributor discussions? Happy to keep everything here if
you prefer.

[russellwheatley]

@bezysoftware - yes, at a minimum, there should be better feedback to the user in this scenario. I'll see what is possible for this issue 🙏

[MichaelVerdon]

Hello @bezysoftware after some digging around, the only way this can be truly done is by disabling email enumeration protection (not generally recommended) and using fetchSignInMethodsForEmail(); method. We will add an example in the example app for React on how this can be done. These kind of errors are likely omitted for security reasons.

[bezysoftware]

I was actually expecting this outcome. Still I think it's worth tweaking the error message saying "are you sure you didn't previously sign in with..." or something along those lines

[ashishyk018-byte]

That sounds reasonable to me.

If adjusting the error message wording is a better balance between usability and security, I'd be happy to explore that approach instead.

For example, we could keep the error generic but slightly more helpful, something along the lines of:
"Incorrect email or password. If you previously signed in with a different provider, try using that method instead."

Let me know if you'd like me to propose a small PR focused purely on refining the wording without altering the authentication logic.