Concurrent calls to auth.createUser() may create multiple user accounts with the same email address #2949

@th0rgall


[REQUIRED] Step 2: Describe your environment

  • Operating System version: macOS 14.6.1 (23G93)
  • Firebase SDK version: firebase-admin@13.2.0
  • Firebase Product: auth
  • Node.js version: 20.18
  • NPM version: 10.8.2

[REQUIRED] Step 3: Describe the problem

Firebase does not guarantee email uniqueness across users if duplicate, concurrent calls are made to auth.createUser(), despite the "User account linking" setting in the Console being set to "Link accounts that use the same email". The API is not idempotent.

This issue breaks the promise found in the following support documentation:

"Users can never create multiple accounts with the same email address and sign-in method."

If calls to auth.createUser with the same email are separated enough in time (some tens of milliseconds?), the last call will raise an auth/email-already-exists error, which is the expected behavior.

Steps to reproduce:

  1. Run this Firebase Admin JS script against a production Firebase environment, using node v20:

     // `auth` is a Firebase Admin auth instance
     import { auth } from "../src/admin.js";

     const c = () =>
         auth.createUser({
             email: "thor+duplicatetest@slowby.travel",
             displayName: "Test",
         });

     await Promise.all([c(), c()]);

  2. Observe that two users were created with the same details, with different UIDs

    Screenshot of the Firebase Console Auth dashboard

Workaround

Avoid concurrent calls to auth.createUser() with the same email address.

We were likely getting this issue because our front-end registration form would be submitted two times if double-clicked, which in turn led to two concurrent auth.createUser calls in the back-end. Now we've debounced this call, which should avoid the issue in most circumstances.

More context

  • We are not using "Firebase Auth with Identity Platform"
  • I believe this is exactly the same issue as the following issue reported for the Python Admin SDK: "Concurrently creating firebase users of the same email succeeds" (firebase-admin-python#809)
  • We saw an increase in the frequency of this issue since we started using the Firebase Admin SDK for Firebase Auth account creation (5 cases over 2 months). In the years before, when we were still using front-end Firebase JS clients for Firebase Auth account creation, we only had 1 similar case. I assume the frontend client implements some kind of debouncing internally already?
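
The workaround above (never let two auth.createUser() calls for the same email overlap) can also be enforced in the back-end instead of relying on front-end debouncing. The sketch below is an added example, not part of the original issue or the Firebase SDK: `makeFakeAuth` is a constructed stand-in that reproduces the reported race, and `makeSerializedCreateUser` is a hypothetical wrapper. It assumes a single Node.js process; several server instances would need a shared lock instead.

```javascript
// Constructed stand-in for the Admin auth instance: it checks for an existing
// email, waits, then inserts, so two overlapping calls both pass the check
// (the behaviour the issue reports). Not Firebase code.
function makeFakeAuth() {
  const users = [];
  return {
    users,
    async createUser({ email, displayName }) {
      const taken = users.some((u) => u.email === email);
      await new Promise((r) => setTimeout(r, 5)); // simulated network latency
      if (taken) {
        throw Object.assign(new Error("email in use"), { code: "auth/email-already-exists" });
      }
      const user = { uid: `uid-${users.length + 1}`, email, displayName };
      users.push(user);
      return user;
    },
  };
}

// Hypothetical helper: serialises createUser calls per normalised email inside
// this process. Calls for different emails still run in parallel.
function makeSerializedCreateUser(auth) {
  const tails = new Map(); // email -> promise that settles when the last queued call ends
  return function createUserOnce(props) {
    const key = props.email.trim().toLowerCase();
    const prev = tails.get(key) ?? Promise.resolve();
    const run = prev.then(() => auth.createUser(props));
    const tail = run.catch(() => {}); // the queue must survive a failed call
    tails.set(key, tail);
    tail.then(() => { if (tails.get(key) === tail) tails.delete(key); });
    return run;
  };
}

// Runs the issue's Promise.all reproduction against the fake, with and
// without the wrapper, and reports how many accounts each run created.
async function demo() {
  const props = { email: "dup@example.test", displayName: "Test" }; // constructed
  const raw = makeFakeAuth();
  await Promise.allSettled([raw.createUser(props), raw.createUser(props)]);
  const guarded = makeFakeAuth();
  const create = makeSerializedCreateUser(guarded);
  const results = await Promise.allSettled([create(props), create(props)]);
  return { unguarded: raw.users.length, guarded: guarded.users.length,
           secondError: results[1].reason?.code };
}
```

With the wrapper, the second call starts only after the first has finished, so it reaches the duplicate check late enough to get auth/email-already-exists, the outcome the issue describes for calls separated in time.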
