1. The user sees an email input
2. onCall to Functions: it checks users/{userEmailInput}:secretPushKey
2.a If the node doesn't exist, it is a sign-up, and onCall replies with the same email
2.b If the node exists, onCall checks registrations/{secretPushKey}/{userEmailInput}. The object on secretPushKey looks like this:
{
email1:true,
email2:false,
email3:false
}
Every email there is a user email, either the original (true) or an associated one.
At this point onCall replies with the email: if it is the original, it is the same as the user's input; if it is not the original but an associated email, onCall replies with the original.
3. Since onCall replies with an email in every case, we have an email
4. Screen 2: the user sees a password input
5. We grab the email from onCall and the password, and pass them to auth
- User signs up with email1
- User links email2 to their own account
- User writes any email
- User writes the original password
- Everything done by onCall is completely private because only onCall can check for it. This is not a security concern because it would be the equivalent of someone trying to brute-force an email/password combination.
- It doesn't matter what the user sees; under the hood onCall always replies with an email. If it was a sign-up, the email was not in the database, so the replied email was the same. If it was an associated email, the replied email was the original. If it was the original email, the original email was replied.
- The user always submits their password to firebase-auth; no passwords are stored in the database, only mappings for emails
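The lookup that onCall performs in steps 2, 2.a and 2.b, as an added example that is not part of the original post. The in-memory `db`, the helper names, the `{ secretPushKey }` child under users, and storing `.` as `,` in keys (Realtime Database keys cannot contain `.`) are assumptions.

```javascript
// Constructed in-memory stand-in for the two database paths described above.
// Assumption: '.' is stored as ',' because Realtime Database keys cannot contain '.'.
const encodeKey = (email) => email.trim().toLowerCase().replace(/\./g, ',');
const decodeKey = (key) => key.replace(/,/g, '.');
const has = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);

const db = {
  users: {
    'email1@example,com': { secretPushKey: '-NconstructedKey1' },
    'email2@example,com': { secretPushKey: '-NconstructedKey1' },
  },
  registrations: {
    '-NconstructedKey1': {
      'email1@example,com': true,  // original (sign-up) email
      'email2@example,com': false, // associated email
    },
  },
};

// Hypothetical helper: returns the email that is handed to auth with the password.
function resolveLoginEmail(database, userEmailInput) {
  if (typeof userEmailInput !== 'string' || !userEmailInput.includes('@')) {
    throw new TypeError('email must be a string containing "@"');
  }
  const key = encodeKey(userEmailInput);

  // 2.a: users/{email} does not exist, so this is a sign-up; reply with the
  // same (normalized) email.
  if (!has(database.users, key)) return decodeKey(key);

  // 2.b: users/{email} exists; read registrations/{secretPushKey}.
  const pushKey = database.users[key].secretPushKey;
  const group = has(database.registrations, pushKey)
    ? database.registrations[pushKey]
    : {};
  const originals = Object.keys(group).filter((k) => group[k] === true);

  // Fail closed if the mapping is inconsistent: the input must be listed in
  // the group and exactly one entry may be flagged as the original.
  if (!has(group, key) || originals.length !== 1) {
    throw new Error('inconsistent registration data');
  }
  return decodeKey(originals[0]);
}
```

Because the reply maps any associated address to the original one before a password is supplied, the callable is a natural place to apply rate limiting.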