Closed jkomoros closed 2 years ago
The documentation is extremely unclear, but it looks like if you just use GoogleAuthProvider, email etc. are already set.
But we do anonymous account linking with anonymous accounts first.
This has likely been broken for a long time, actually--it's just all of the prod and dev accounts have been created before (they don't get wiped on gulp reset-dev) so the flow to updateProfile hasn't been hit for a while.
That was likely why, in #472, we added 6012072a93d5bb827a8d1919990e28e13a585605 to disable anonymous login--because if you do, and the first login a user has is via GoogleAuthProvider, then email, displayName, photoURL are all set automatically, not triggering the broken flow.
Note for how to test the typical flow for this:
Sign out of Chrome.
Delete the account in dev-complexity-compendium.
Sign out of the webapp.
Delete cookies in the webapp (our webapp only uses anonymous login if there's no previous login).
Detected when working on #601.
First of all, ensureRichestDataForUser is broken as of #528 because it uses user.updateProfile, but has to change to updateProfile(user).
But also, updateProfile passes photoUrl, displayName, and email... but email isn't a supported field, and it's not clear it ever was.
updateEmail seems like it sends an email to confirm a user, which doesn't feel right.
firestore.rules uses request.auth.token.email in userMatchesDomain. And I haven't yet traced where and how the .email is used (is it just extracted from _userInfo(firebaseUser) in the rest of the machinery?). Fixing this will be delicate and error prone.