firebase / FirebaseUI-Flutter

Apache License 2.0

🐛 User can get locked out of the account using the ProfileScreen #14

Closed guplem closed 9 months ago

guplem commented 1 year ago

This was discussed initially here and here, but it doesn't seem that those comments/discussion have started any progress on the topic.

Bug report

Describe the bug

In the default profile screen (ProfileScreen from firebase_ui_auth), the user can unlink the sign-in methods they desire. However, no confirmation is asked before unlinking them. A misclick might unlink a user from a sign-in method.

Making things worse, you can remove all the sign in methods and not be able to log in again. Even if the user tries to re-enable it, they are asked to log in again to re-enable a sign in method.

Steps to reproduce

Steps to reproduce the behavior:

  1. Login
  2. Go to the screen where you can see the ProfileScreen
  3. Add any auth methods (Google, ...)
  4. Remove them (No warning appears and you can remove them all, locking you out of the account)

Expected behavior

The ProfileScreen should ask for confirmation before unlinking a "sign in method" and the user shouldn't be able to remove them all!

Sample project

Simply use the ProfileScreen in any app.


Flutter doctor

```
[√] Flutter (Channel stable, 3.7.10, on Microsoft Windows [Version 10.0.22621.1702], locale en-150)
[√] Windows Version (Installed version of Windows is version 10 or higher)
[√] Android toolchain - develop for Android devices (Android SDK version 33.0.1)
[√] Chrome - develop for the web
[√] Visual Studio - develop for Windows (Visual Studio Build Tools 2019 16.11.19)
[√] Android Studio (version 2022.1)
[√] VS Code (version 1.78.2)
[√] Connected device (3 available)
[√] HTTP Host Availability

• No issues found!
```

Flutter dependencies


danagbemava-nc commented 1 year ago

Reproducible using the plugin example code.

https://github.com/firebase/flutterfire/assets/88313112/5a4713e5-6578-4152-9a43-6a365c58b49f

guplem commented 1 year ago

> Reproducible using the plugin example code.
>
> Screen.Recording.2023-06-02.at.11.19.59.mov

This is not exactly what I meant, but a warning or something should be displayed before deleting the account.

The focus of the issue that I raised is with the "sign in methods". If you tap on the Apple, Google, ... logos in the ProfileScreen, the sign in method is removed without a warning, and you could even remove them all and then not be able to log in again even when the user account still exists.
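
One way an app could guard the unlink action described in this issue, shown as an added example that is not part of the thread or of firebase_ui_auth. `checkUnlink`, `confirmAndUnlink` and `UnlinkResult` are hypothetical names; the only library calls assumed are `User.providerData` and `User.unlink` from firebase_auth and Flutter's `showDialog`.

```dart
import 'package:firebase_auth/firebase_auth.dart';
import 'package:flutter/material.dart';

/// Outcome of an unlink request, so the caller can show a suitable message.
enum UnlinkResult { unlinked, cancelled, refusedLastMethod, notLinked }

/// Pure decision step: returns a refusal reason, or null when removing
/// [providerId] would still leave at least one sign-in method in [linked].
UnlinkResult? checkUnlink(List<String> linked, String providerId) {
  if (!linked.contains(providerId)) return UnlinkResult.notLinked;
  if (linked.length <= 1) return UnlinkResult.refusedLastMethod;
  return null; // allowed, pending user confirmation
}

/// Hypothetical helper (not part of firebase_ui_auth): refuse to remove the
/// last sign-in method, ask for confirmation, and only then unlink.
Future<UnlinkResult> confirmAndUnlink(
    BuildContext context, User user, String providerId) async {
  // Provider ids currently linked to the account, e.g. 'password', 'google.com'.
  final linked = user.providerData.map((p) => p.providerId).toList();
  final refusal = checkUnlink(linked, providerId);
  if (refusal != null) return refusal;

  final confirmed = await showDialog<bool>(
    context: context,
    builder: (ctx) => AlertDialog(
      title: const Text('Remove sign-in method?'),
      content: Text('You will no longer be able to sign in with $providerId. '
          '${linked.length - 1} other method(s) will remain.'),
      actions: [
        TextButton(
            onPressed: () => Navigator.pop(ctx, false),
            child: const Text('Cancel')),
        TextButton(
            onPressed: () => Navigator.pop(ctx, true),
            child: const Text('Remove')),
      ],
    ),
  );
  // Dismissing the dialog (null) counts as a cancel, so a stray tap is harmless.
  if (confirmed != true) return UnlinkResult.cancelled;

  await user.unlink(providerId);
  return UnlinkResult.unlinked;
}
```

This check runs on the client only, so it prevents accidental lockout through the UI; it does not stop another client of the same account from unlinking the remaining method.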