[Bug] User object unexpectedly updates UID when logging in

[triplef]

[REQUIRED] Please fill in the following fields:

• Pre-built SDK from the website or open-source from this repo: open-source (self built)
• Firebase C++ SDK version: 11.0.1
• Main Firebase Components in concern: Auth
• Other Firebase Components in use: -
• Platform you are using the C++ SDK on: Windows
• Platform you are targeting: Windows

[REQUIRED] Please describe the question here:

We noticed that a User object obtained from current_user() dynamically updates its UID and other user properties to match the current user’s properties when logging in or out.

This prevents keeping a reference to a previously logged in user, e.g. to delete a previously logged in anonymous user after logging in with user credentials.

This behavior does not match the iOS or Android SDK‘s behavior, where an object obtained from the equivalent current_user() method will not change when logging or out, and as far as we could tell it is also not documented.

I‘d appreciate feedback to know whether this is intended behavior or a bug, and whether there is a way to work around this behavior. I'm probably just missing something here.

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[triplef]

According to this documentation it sounds like this might be a bug:

User instances are independent from Firebase Authentication instances, so you can have several references to different users within the same context and still call any of their methods.

And:

When the user signs out, the Auth instance stops keeping a reference to the user object and no longer persists its state; there is no current user. However, the user instance continues to be completely functional: if you keep a reference to it, you can still access and update the user's data.

[AlmostMatt]

Huh. Just to confirm, you are definitely using version 11.0.1 of the SDK?

In 10.7.0 and previous versions, current_user would return a pointer to a single internal current user object. This made it difficult to perform operations on the old current user after you have logged into a different user.

With 11.0.1, current_user should return a User object, and if you sign into a different user then current_user will return a different User object, but you should still be able to interact with the old User object.

Which specific fields of User were unexpectedly updated? Is it just uid?

Did you previously have any similar functionality using an older version of Firebase Auth?

[triplef]

Yes I can confirm I’m on 11.0.1, and I’m using the new User object on the stack (not pointers as in pre-v11).

Here’s a comparison of the same User object before and after logging in with a new user (in this case the old user was an anonymous user). You can see that the auth_data_ object referenced by User gets updated with new information, and I guess this is where the uid() and other methods get their data. It affects all properties of a user (uid, email, display name, etc.).

The new User object we get in the auth state change listener references the same auth_data_ object (0x1bfa8a91440).

Before

After

(Somehow the debugger is showing the user variable as a pointer, but it’s defined as a User& reference.)

We didn’t use older versions of Firebase Auth, so I can’t say whether they are affected as well.

[AlmostMatt]

Ok, so I was mistaken about the current expected behaviour.

It is indeed the case that the User returned from current_user is dynamically linked to the internal current user, and so if you sign out or sign into a different account, the User's uid and other properties will all update accordingly.

This behaviour is consistent with both 11.0 and 10.7 and previous versions. The change to 11.0 just changed the API but did not change this underlying functionality.

As you point out, this is inconvenient if you want to perform operations on the old user object after you have signed out.
This is something that we would like to change in a future version of Firebase Auth.
For now, you can try storing the result of functions like uid() in variables to keep track of the old value.

[triplef]

Ok thanks for the clarification.

As mentioned above this behavior is inconsistent with the documentation and SDKs on other platforms, so it would be great to see it fixed. 🙏

[triplef]

Also could you please clarify this:

As you point out, this is inconvenient if you want to perform operations on the old user object after you have signed out.

Is there still a way to perform operations on the old user with the current behavior of user objects, or is it impossible?