firebase / firebase-tools

The Firebase Command Line Tools
MIT License

Firebase auth emulator does not respect Email Enumeration Protection when enabled. #6687

Open JulioGrajales opened 8 months ago

JulioGrajales commented 8 months ago

[REQUIRED] Environment info

firebase-tools: 13.0.3

Platform: Windows

[REQUIRED] Test case

When enabling Email Enumeration Protection through the Firebase console, it is not reflected in the authentication emulator when running the emulator with the project ID of my Firebase project and executing functions like sendPasswordResetEmail.

[REQUIRED] Steps to reproduce

init the emulators:

firebase login
firebase use $YOUR_PROJECT_ID
firebase emulators:start --only auth

Boilerplate HTML:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Document</title>
  </head>
  <body>
    <button type="button" id="reset-btn">reset</button>

    <script type="module">
      import { initializeApp } from "https://www.gstatic.com/firebasejs/10.7.1/firebase-app.js";
      import {
        getAuth,
        connectAuthEmulator,
        sendPasswordResetEmail,
      } from "https://www.gstatic.com/firebasejs/10.7.1/firebase-auth.js";

      // Config of the real Firebase project; its projectId must match the one
      // selected with `firebase use`.
      const app = initializeApp({
        // ...
      });

      // Route all Auth traffic to the local emulator instead of production.
      const auth = getAuth(app);
      connectAuthEmulator(auth, "http://127.0.0.1:9099");

      // Request a reset for an address that is not in the emulator's user list.
      const btn = document.getElementById("reset-btn");
      btn.addEventListener("click", async () => {
        try {
          await sendPasswordResetEmail(auth, "fake@fake.fake");
          console.log("reset request accepted (no hint whether the address exists)");
        } catch (err) {
          // Without enumeration protection the emulator answers 400 EMAIL_NOT_FOUND,
          // which the SDK surfaces as a rejected promise.
          console.error("reset request rejected:", err.code);
        }
      });
    </script>
  </body>
</html>

Click the button to execute the sendPasswordResetEmail function with a fake email address not registered in the list of users.

[REQUIRED] Expected behavior

Return a 200 status code and the following JSON object:

{
  "kind": "identitytoolkit#GetOobConfirmationCodeResponse",
  "email": "fake@fake.fake"
}

[REQUIRED] Actual behavior

It returns a 400 status code and the following JSON object:

{
  "error": {
    "code": 400,
    "message": "EMAIL_NOT_FOUND",
    "errors": [
      {
        "message": "EMAIL_NOT_FOUND",
        "reason": "invalid",
        "domain": "global"
      }
    ]
  }
}

joehan commented 8 months ago

Hey @JulioGrajales, in general, the emulators will not reflect changes made via the Firebase console. In this case, however, unfortunately, we have not gotten a chance to implement emulator support for email enumeration protection yet.

Keeping this open to track the feature request - however, I can't make any promises as to when this may be supported.

Kasra-G commented 5 months ago

I have only tested it with the signInWithEmailAndPassword authentication method, but at least some support for email enumeration protection seems to now be possible:

Do an export of the firebase emulators after adding some users:

firebase emulators:export exports

Edit the file exports/auth_export/config.json and set enableImprovedEmailPrivacy in the JSON file to true.

Import the firebase emulators from the modified config:

firebase emulators:start --import=exports

At this point, the JSON returned from invalid logins changes from EMAIL_NOT_FOUND or INVALID_PASSWORD to just INVALID_CREDENTIALS. Tested on version 13.7.3 of firebase-tools.

After some searching, it seems that this has been added since v13.2.0 (#6702).
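The following is an added example, not code from firebase-tools or from anyone in this thread. It covers both the reproduction in the issue (the password-reset request that returns EMAIL_NOT_FOUND) and the export/edit/import workaround in the comment above: `classifyAuthResponse()` decides whether an Identity Toolkit response discloses account existence, `enableEmailPrivacy()` performs the config.json edit without hard-coding where the key is nested (the nesting in `SAMPLE_CONFIG` is an assumption), and `probePasswordReset()` sends the same request as the page's button straight to the emulator's REST endpoint. The sample bodies are constructed from the JSON shown on this page; the `INVALID_LOGIN_CREDENTIALS` code, the `AUTH_EMULATOR_HOST` variable and the claim that the emulator ignores the API key value are assumptions.

```javascript
// Added example (not from firebase-tools or the issue participants).

// Error codes that distinguish "address is registered" from "it is not".
// EMAIL_NOT_FOUND and INVALID_PASSWORD are the two named in the thread;
// EMAIL_EXISTS (from accounts:signUp) is added here as the sign-up counterpart.
const ENUMERATING_CODES = new Set(["EMAIL_NOT_FOUND", "INVALID_PASSWORD", "EMAIL_EXISTS"]);

// Body as captured in the issue above (unprotected emulator).
const SAMPLE_NOT_FOUND = {
  error: {
    code: 400,
    message: "EMAIL_NOT_FOUND",
    errors: [{ message: "EMAIL_NOT_FOUND", reason: "invalid", domain: "global" }],
  },
};
// Constructed body for a protected backend; the exact generic code reported
// varies by version, which is why the classifier works by exclusion.
const SAMPLE_PROTECTED = { error: { code: 400, message: "INVALID_LOGIN_CREDENTIALS" } };

// Constructed config.json text; the key nesting is an assumption, which is why
// enableEmailPrivacy() searches for the key instead of hard-coding its path.
const SAMPLE_CONFIG = JSON.stringify({
  signIn: { allowDuplicateEmails: false },
  emailPrivacyConfig: { enableImprovedEmailPrivacy: false },
});

// Classify one Identity Toolkit / Auth emulator response.
// Returns { leaks: boolean, code: string }.
function classifyAuthResponse(status, body) {
  if (status === 200) return { leaks: false, code: "OK" };
  const message = body && body.error && body.error.message;
  if (typeof message !== "string") return { leaks: false, code: "UNKNOWN" };
  // Identity Toolkit sometimes appends detail after the code ("CODE : detail");
  // keep only the code token.
  const code = message.split(":")[0].trim();
  return { leaks: ENUMERATING_CODES.has(code), code };
}

// Set every `enableImprovedEmailPrivacy` key found in an exported
// auth_export/config.json to true. Takes the file text and returns the
// rewritten text; throws if the key is absent so the caller does not
// silently start an unprotected emulator.
function enableEmailPrivacy(configText) {
  const config = JSON.parse(configText);
  let hits = 0;
  const walk = (node) => {
    if (node === null || typeof node !== "object") return;
    for (const key of Object.keys(node)) {
      if (key === "enableImprovedEmailPrivacy") {
        node[key] = true;
        hits += 1;
      } else {
        walk(node[key]);
      }
    }
  };
  walk(config);
  if (hits === 0) throw new Error("enableImprovedEmailPrivacy not found in config.json");
  return JSON.stringify(config, null, 2) + "\n";
}

// Send the request the page's button sends, straight to the emulator REST API.
// `host` is the emulator address, e.g. "http://127.0.0.1:9099". The API key
// value is ignored by the emulator (assumption), so a placeholder is used.
async function probePasswordReset(host, email) {
  const url = `${host}/identitytoolkit.googleapis.com/v1/accounts:sendOobCode?key=fake-api-key`;
  const res = await fetch(url, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ requestType: "PASSWORD_RESET", email }),
  });
  return classifyAuthResponse(res.status, await res.json());
}

// Usage: AUTH_EMULATOR_HOST=http://127.0.0.1:9099 node probe.js
// (file name and variable name are hypothetical). Without the variable set,
// only the offline classification of the sample bodies runs.
if (process.env.AUTH_EMULATOR_HOST) {
  probePasswordReset(process.env.AUTH_EMULATOR_HOST, "fake@fake.fake")
    .then((r) => console.log(r.leaks ? `LEAK: ${r.code}` : `opaque: ${r.code}`))
    .catch((e) => console.error("probe failed:", e.message));
} else {
  console.log(classifyAuthResponse(400, SAMPLE_NOT_FOUND)); // { leaks: true, code: "EMAIL_NOT_FOUND" }
  console.log(classifyAuthResponse(400, SAMPLE_PROTECTED)); // { leaks: false, code: "INVALID_LOGIN_CREDENTIALS" }
}
```

Run `enableEmailPrivacy()` over the exported config.json before `firebase emulators:start --import=exports`, then run the probe against the imported emulator; the probe's result is the check that the workaround actually took effect, because a 200 from the password-reset request tells the client nothing about whether the address exists, while EMAIL_NOT_FOUND does.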