Feature regression: `linkWithCredential` no longer works when linking a credential with the same email address

[Miodec]

Operating System

Sonoma 14.0

Browser Version

Chrome 122.0.6261.57

Firebase SDK Version

10.8.0

Firebase SDK Product:

Auth

Describe your project's tooling

vite, vanilla js

Describe the problem

This is a duplicate of #7959. I feel like it was closed too quickly because this makes the user experience worse.

If a user has signed up with gmail auth, but no longer wishes to use that for their authentication, they cannot use that email to add password authentication.

• Sign up with abc@gmail.com gmail authentication
• Try to add password authentication with the same email
• An error is encountered

This creates a lot of friction - now the user needs to add password authentication with a different email, then remove gmail auth, then change their password auth email back to the original one:

• Sign up with abc@gmail.com gmail auth
• Add password auth with zxc@gmail.com
• Remove gmail auth
• Change password auth to abc@gmail.com

This was NOT an issue in 10.0.0 (which is the only version i tested).

As the original issue described, the linkWithCredential function calls the signUp which doesnt make much sense in the context of adding a second authentication method.

Steps and code to reproduce issue

I will more-or-less copy paste the steps from the original issues as they are the same:

Scenario

Sign up through Google using the account abc@gmail.com.
Use linkWithCredential function to link email and password credentials to a user account.
Linking fails.

Code snippet

const googleProvider = new GoogleAuthProvider({});

const credential = await signInWithPopup(auth, googleProvider);

const emailCredential = EmailAuthProvider.credential(
    'abc@gmail.com',
    '123qwe!!',
);

const result = await linkWithCredential(credential.user, emailCredential);

Running the linkWithCredential function sends a request to the "https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=[API_KEY]" endpoint, which is used to create accounts. (not expected)

It sholud sends a request to "https://identitytoolkit.googleapis.com/v1/accounts:update?key=[API_KEY]" (expected)
[rest api doc]

This problem occurs in firebase sdk v10.8.0

I found that sdk v10.0.0 doesn't have this problem.

[GriffinJohnston]

I just did some testing, and it looks like this issue was introduced in 10.6.0. The problem is not present in 10.5.2.

Same issue in the Android and iOS SDKs:
firebase/firebase-android-sdk#5659
firebase/firebase-ios-sdk#12313

[Miodec]

Seems to be resolved on the backend side. Thank you Firebase team.

[GriffinJohnston]

I can confirm this is working now. I'm seeing some new undesirable behavior though, which is that if you've signed up with Google and then use linkWithCredential to add the same email address, auth.currentUser.emailVerified is marked as false. Obviously the email should be verified, since they already logged in using OAuth.