Firebase Blocking Auth Functions Run Incorrectly on Failed Signup

[lox]

[REQUIRED] Version info

node: n/a

firebase-functions: n/a

firebase-tools: n/a

firebase-admin: n/a

[REQUIRED] Test case

Firebase Blocking Auth functions beforeUserCreated and beforeUserSignedIn fire incorrectly when the a user that already exists in Firebase Auth attempts to register.

Function:

import { initializeApp } from "firebase-admin/app"
import {
  beforeUserCreated,
  beforeUserSignedIn,
} from "firebase-functions/v2/identity";

export const beforecreated = beforeUserCreated((event) => {
  console.log('befoerUserCreated', event)
  return;
});

export const beforesignedin = beforeUserSignedIn((event) => {
  console.log('beforeUserSignedIn', event)
});

initializeApp();

registerUser.js:

import { initializeApp } from "firebase/app";
import { createUserWithEmailAndPassword } from 'firebase/auth'
import { getAuth } from 'firebase/auth'

const firebaseConfig = {
  apiKey: "xxx",
  authDomain: "xxx.firebaseapp.com",
  projectId: "xxx",
  storageBucket: "xxx.appspot.com",
  messagingSenderId: "xxx",
  appId: "xxx"
};

// Initialize Firebase
const app = initializeApp(firebaseConfig);
const auth = getAuth(app)
const testEmail = `[email protected]`

const userCredential = await createUserWithEmailAndPassword(auth, testEmail, 'testPassword')
console.log(`ℹ️  Created test user ${userCredential.user.uid} with email ${testEmail}`)

When registerUser.js is called multiple times, the beforeSignedIn and beforeUserCreated functions will fire. After the first time for the correct user creation, they will STILL FIRE, and provide random / nonexistent uid's.

This means any code that makes the assumption that these functions will only fire on authenticated sign-ins or post user-creation can potentially be exploited.

[REQUIRED] Steps to reproduce

1. Deploy functions
2. Run script multiple times, observe Firebase: Error (auth/email-already-in-use).
3. Check logs

[REQUIRED] Expected behavior

I'd expect the functions fire as described in the documentation:

• Before the user is created: Triggers before a new user is saved to the Firebase Authentication database, and before a token is returned to your client app.

• Before the user is signed in: Triggers after a user's credentials are verified, but before Firebase Authentication returns an ID token to your client app. If your app uses multi-factor authentication, the function triggers after the user verifies their second factor. Note that creating a new user also triggers both these events.

[REQUIRED] Actual behavior

Blocking functions fire despite the error Firebase: Error (auth/email-already-in-use).

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[lox]

I reported this to Google Support, Firebase Support and our Account Management In Feb 2024. The issue was passed on to a product team and we didn't hear back.

[CorieW]

Hi @lox,

Thanks for reporting this issue! We’ve received it and are reviewing it. We’ll provide updates as soon as possible.

[CorieW]

I'm able to reproduce this using the latest versions of things.

It looks like if you spam fast enough, you can actually create several users:

When signing in, it seems to use the most recently created user with that email: