I faced a strange behaviour of Firebase Auth Linking that is not possible to catch, and I would like to ask your opinion about possible solutions to detect it.
Problem is next:
Users can bypass linking the API and sign up by bypassing the server during using the linking API.
Description of the problem:
Using the Firebase Auth linking API of iOS/Android for Google/Facebook/Apple providers our users can bypass linking to the users created by the our server and create users manually(Sign Up), we also have the code that detect issue during the linking process and allow continue sign up only if the type of linking issue was FIRAuthErrorCodeProviderAlreadyLinked or FIRAuthErrorCodeCredentialAlreadyInUse but I still see that users able to bypass linking with our server users, and we haven’t another options to do that except the linking flow.
This problem leads to a problem where our users can omit linking with the server users and are unable to use server APIs, because if an issue happens, all users with this issue will be invisible to us. Issues occur for a small % of users during this linking flow, and for each.
Where is the potential issue with the Firebase Linking API?
Flows logic:
Registration:
We do registration of the user one time programmatically, the server creates users, and we sign in with a token to the firebase api(Firebase Admin SDK).
Linking:
Users can use Google/Facebook/Apple providers to sign in using native mobile SDK, generate OAuth tokens, and then use the Firebase Linking API to link their profile to their own server users created during registration flow.
If during linking flow issue exists, we check the type of error, and if the error is FIRAuthErrorCodeProviderAlreadyLinked or FIRAuthErrorCodeCredentialAlreadyInUse means that users are on our DB, and in this case, users will be signed in to the system. If this is not the case, the case flow will be canceled.
Registration flow cannot be skipped.
