
Flow steps:

  1. Sign in with Twitter, mail@gmail.com (successful)
  2. Sign in with Google, mail@gmail.com (successful, provider rewritten to Google)
  3. Sign in with Twitter again, mail@gmail.com (failed, account already exists with a different provider)

I'm so confused by step 2, because Firebase does not block the sign-in with the Google provider and rewrites the provider.

```dart
Future<Either<Failure, Unit>> signInWithTwitter() async {
  try {
    // Web uses a popup; other platforms use the native provider flow.
    if (kIsWeb) {
      await _firebaseAuth.signInWithPopup(_twitterAuthProvider);
    } else {
      await _firebaseAuth.signInWithProvider(_twitterAuthProvider);
    }

    return right(unit);
  } on FirebaseAuthException catch (e) {
    return left(
      Failure.authFailure(
        message: e.toString(),
      ),
    );
  }
}

Future<Either<Failure, Unit>> signInWithGoogle() async {
  try {
    // A null result means the user cancelled the Google account picker.
    final googleUser = await _googleSignIn.signIn();
    if (googleUser == null) {
      return left(const Failure.authFailure());
    }

    final googleAuthentication = await googleUser.authentication;

    // Exchange the Google tokens for a Firebase credential.
    final authCredential = GoogleAuthProvider.credential(
      idToken: googleAuthentication.idToken,
      accessToken: googleAuthentication.accessToken,
    );

    await _firebaseAuth.signInWithCredential(authCredential);

    return right(unit);
  } on FirebaseAuthException catch (e) {
    return left(
      Failure.authFailure(
        message: e.toString(),
      ),
    );
  }
}
```

So, how do I block a user from signing in if an account already exists with another provider (like Twitter, GitHub, Facebook, etc.)?

Afdal

1 Answer

Firebase Authentication has the concept of preferred providers for certain email addresses, in the case where a provider is the known source of a certain email address. In your example, the Google sign-in provider is preferred for mail@gmail.com, as Google is the entity guaranteed to have created that mail address.

In other words: anyone can claim to be mail@gmail.com when signing in with Twitter, but when someone signs in with mail@gmail.com through Google, you are guaranteed that they are who they claim to be. That's why Firebase Authentication lets the Google provider take over the account in your step 2.

For more on this, also see:

If you don't want this to happen for your app, call fetchSignInMethodsForEmail after the user enters their email address to check if an account already exists for that email address.

Frank van Puffelen
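
A sketch of the check this answer suggests, applied to the question's Google flow (an added example, not code from the question or the answer): the Google account's email is looked up with fetchSignInMethodsForEmail before the credential is handed to Firebase, and the sign-in is aborted when the address is registered only under other providers. `ProviderConflict`, `googleMethod` and `signInWithGoogleGuarded` are hypothetical names, and the google_sign_in calls assume the same API version the question uses.

```dart
import 'package:firebase_auth/firebase_auth.dart';
import 'package:google_sign_in/google_sign_in.dart';

/// Hypothetical exception for this example: the email is already
/// registered with sign-in methods other than the one being attempted.
class ProviderConflict implements Exception {
  ProviderConflict(this.email, this.existingMethods);
  final String email;
  final List<String> existingMethods;

  @override
  String toString() =>
      'ProviderConflict($email already uses ${existingMethods.join(", ")})';
}

/// Sign-in method string Firebase reports for Google accounts.
const googleMethod = 'google.com';

/// Hypothetical guarded variant of the question's signInWithGoogle().
/// Returns null if the user cancels the Google account picker.
Future<UserCredential?> signInWithGoogleGuarded(
  FirebaseAuth auth,
  GoogleSignIn googleSignIn,
) async {
  final googleUser = await googleSignIn.signIn();
  if (googleUser == null) return null;

  // Check BEFORE signInWithCredential: once Firebase receives the Google
  // credential, the takeover described in the answer has already happened.
  final methods = await auth.fetchSignInMethodsForEmail(googleUser.email);
  if (methods.isNotEmpty && !methods.contains(googleMethod)) {
    // Drop the Google session so the next attempt shows the picker again.
    await googleSignIn.signOut();
    throw ProviderConflict(googleUser.email, methods);
  }

  final tokens = await googleUser.authentication;
  final credential = GoogleAuthProvider.credential(
    idToken: tokens.idToken,
    accessToken: tokens.accessToken,
  );
  return auth.signInWithCredential(credential);
}
```

If email enumeration protection is enabled for the Firebase project, fetchSignInMethodsForEmail returns an empty list, so this client-side check will not see existing accounts.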