
feat: implement legacyFetchSignInWithEmail behaviour for Angular and React #1343

Open: russellwheatley wants to merge 16 commits into main from fetchsigninwithemail

@russellwheatley
Member

@russellwheatley russellwheatley commented Mar 23, 2026

  • Adds a new legacyFetchSignInWithEmail behavior in packages/core to handle auth/account-exists-with-different-credential and related email/password recovery cases.
  • Fetches sign-in methods for the conflicting email and stores recovery state on the FirebaseUI instance.
  • Persists pending OAuth credentials so they can be linked after the user signs in with the existing provider.
  • Adds legacySignInRecovery state plus setter/clear helpers to the core config/store.
  • Updates core auth/error handling so email context is available when building recovery state.
  • Adds default legacy recovery UI for React.
  • Adds default legacy recovery UI for Angular.
  • Adds React APIs to consume or suppress the built-in recovery flow.
  • Adds Angular APIs to consume or suppress the built-in recovery flow.
  • Updates docs/examples/translations for the new recovery flow.
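
The recovery flow listed above, reduced to its state transitions as an added TypeScript example (not code from this pull request; every type and function name is hypothetical, and the sign-in-method lookup result is passed in rather than fetched from Firebase):

```typescript
// Added illustration: all names are hypothetical, not the PR's API.
const MISMATCH = "auth/account-exists-with-different-credential";
type PendingCredential = { providerId: string };
type RecoveryState = { email: string; signInMethods: string[] };
type RecoveryStore = { legacySignInRecovery: RecoveryState | null; pending: PendingCredential | null };
type MismatchError = { code: string; customData?: { email?: string } };

function createStore(): RecoveryStore {
  return { legacySignInRecovery: null, pending: null };
}

// `methods` is the sign-in-method lookup result for the conflicting email.
// Returns true when recovery state was stored for the UI to render.
function handleAuthError(store: RecoveryStore, error: MismatchError, methods: string[],
                         credential: PendingCredential, enabled: boolean): boolean {
  // A new failure always invalidates earlier recovery state.
  store.legacySignInRecovery = null;
  store.pending = null;
  if (!enabled || error.code !== MISMATCH) return false;
  const email = error.customData ? error.customData.email : undefined;
  // An empty lookup (as on projects with email enumeration protection
  // enabled) leaves nothing to suggest, so no state is stored.
  if (!email || methods.length === 0) return false;
  store.legacySignInRecovery = { email: email, signInMethods: methods.slice() };
  store.pending = credential;
  return true;
}

// After a successful sign-in: the provider id to link, or null.
function credentialToLink(store: RecoveryStore, email: string, method: string): string | null {
  const recovery = store.legacySignInRecovery;
  const pending = store.pending;
  store.legacySignInRecovery = null; // one-shot: never reuse a pending credential
  store.pending = null;
  if (!recovery || !pending) return null;
  // Link only into the account recovery was offered for, reached through
  // one of the suggested methods.
  const suggested = recovery.signInMethods.indexOf(method) !== -1;
  return email === recovery.email && suggested ? pending.providerId : null;
}

// Constructed sample: account created with a password, user now tries GitHub.
function demo(methods: string[], signedInEmail: string) {
  const store = createStore();
  const error = { code: MISMATCH, customData: { email: "user@example.test" } };
  const offered = handleAuthError(store, error, methods, { providerId: "github.com" }, true);
  return { offered: offered, link: credentialToLink(store, signedInEmail, "password") };
}
```

The email and method checks in `credentialToLink` are an assumption of this sketch: they keep a pending credential from being linked into an account other than the one the recovery prompt was shown for.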

@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a robust mechanism for handling authentication errors where a user attempts to sign in with a different provider than previously used for the same email. It provides a new behavior that fetches and presents alternative sign-in methods, along with corresponding UI components for React and Angular, to guide users through the recovery process. This significantly improves the user experience by preventing dead ends during sign-in and offering clear paths to resolve credential conflicts.

Highlights

  • New Legacy Sign-In Recovery Behavior: Introduced a new legacyFetchSignInWithEmail behavior in @firebase-oss/ui-core to augment OAuth auth/account-exists-with-different-credential flows. This behavior fetches and stores available sign-in methods for a user's email, enabling recovery from mismatched credentials.
  • Cross-Platform UI Components for Recovery: Added dedicated UI components (LegacySignInRecoveryComponent for Angular and LegacySignInRecovery for React) to automatically render the recovery state as a modal on SignInAuthScreen and OAuthScreen. These components guide users to sign in with their previously used method.
  • Granular UI Control: Provided showLegacySignInRecovery props for SignInAuthScreen and OAuthScreen in both React and Angular, allowing developers to hide the built-in recovery UI and implement custom recovery flows using new hooks/injectors (useLegacySignInRecovery for React, injectLegacySignInRecovery/injectClearLegacySignInRecovery for Angular).
  • Enhanced Error Handling: Modified the core error handling logic to clear legacy sign-in recovery state and attach email information to errors, improving the context provided during authentication failures.
  • Documentation and Examples: Updated the README.md with comprehensive documentation for the new legacyFetchSignInWithEmail behavior and its associated UI components and hooks. A new demo screen was added to the React example application to showcase the recovery flow.


@gemini-code-assist
Contributor

Warning

Gemini encountered an error creating the review. You can try again by commenting /gemini review.

@russellwheatley
Member Author

/gemini review

Contributor

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a new legacyFetchSignInWithEmail behavior to handle OAuth account mismatch flows, allowing users to recover their accounts by suggesting previously used sign-in methods. The changes include core logic for error handling and state management, new UI components for React and Angular to display recovery options, and updated translations. My feedback suggests a minor improvement to the attachEmailToError function to ensure safer cloning of the customData object.

Comment thread packages/core/src/auth.ts
@russellwheatley russellwheatley changed the title from "feat: initial implementation for setting up fetchsigninwithemail behaviour" to "feat: implement legacyFetchSignInWithEmail behaviour for Angular and React" on Apr 2, 2026
@russellwheatley russellwheatley marked this pull request as ready for review April 2, 2026 14:55
Comment thread examples/react/src/screens/legacy-recovery-demo.tsx Outdated
Comment on lines +190 to +194
/**
* Fetches previous sign-in methods for OAuth account mismatch flows.
*
* @returns A behavior that populates legacy sign-in recovery state.
*/
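
Review bot: the JSDoc on lines +190 to +194 covers only the success path ("populates legacy sign-in recovery state") and says nothing about what the behavior does when the lookup returns no sign-in methods. Please document that case, including whether recovery state is left unset, so integrators know what to expect when there is nothing to suggest.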
Collaborator

@jhuleatt jhuleatt May 27, 2026


Can you please add a bit more context here? Something like:

Adds support for deprecated methods and behavior (like fetchSignInMethodsForEmail()) when email enumeration protection is disabled.

If your web app relies on these legacy behaviors, we recommend that you begin migrating away from doing so, and enable email enumeration protection as soon as you can.

Collaborator

@jhuleatt jhuleatt left a comment


Overall LGTM, I just want to confirm that all defaults and demos have this legacy behavior disabled (except for the demo that explicitly shows this flow). This won't work by default on any Firebase project created after 2023.

},
{
name: "Legacy Recovery Demo",
description: "Use this screen to test wrong-provider recovery for email/password and OAuth attempts.",
Collaborator


Suggested change
description: "Use this screen to test wrong-provider recovery for email/password and OAuth attempts.",
description: "Use this screen to test wrong-provider recovery for email/password and OAuth attempts in a project that has email enumeration protection disabled.",

expect(redirectErrorElement).toBeInTheDocument();
});

it("renders legacy recovery by default", async () => {
Collaborator


What does "by default" mean here? legacyFetchSignInWithEmail should be an optional behavior, not the default. From what I can tell, I think that's the case, but just making sure.

export class SignInAuthScreenComponent {
private ui = injectUI();
/** Whether to show the default legacy sign-in recovery UI. */
showLegacySignInRecovery = input(true);
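
Review bot: `showLegacySignInRecovery = input(true)` makes the built-in recovery UI opt-out on this screen, and the doc comment above it states neither the default nor the conditions under which the UI actually renders. Either default the input to `false` so the legacy path is opt-in, or extend the comment to spell out the default and when the recovery UI appears.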
Collaborator


Let's make sure all the defaults have legacy recovery disabled
