firebase / firebaseui-web

FirebaseUI is an open-source JavaScript library for Web that provides simple, customizable UI bindings on top of Firebase SDKs to eliminate boilerplate code and promote best practices.
https://firebase.google.com/
Apache License 2.0
4.59k stars 1.06k forks

Unable to login with email + password if "email enumeration protection" is enabled #1041

Open studiomomo-bss opened 1 year ago

studiomomo-bss commented 1 year ago

[REQUIRED] Describe your environment

[REQUIRED] Describe the problem

I've been going through the official Firebase Security Checklist (https://firebase.google.com/support/guides/security-checklist), and since I use email-password auth I followed the instructions to enable email enumeration protection. After enabling enumeration protection, all login attempts result in the message "Not Authorized: [email] is not authorized to view the requested page" immediately after inputting the user email and pressing the "NEXT" button — no password input field is presented. Disabling enumeration protection returns normal login functionality.

Steps to reproduce:

  1. Enable email enumeration protection
  2. Try to login

Relevant Code:

N/A — I expect that any app configured for email-password auth will encounter the issue

Expected behavior:

FirebaseUI can be used to authenticate with firebase instances that have enabled email enumeration protection, as suggested by the official Firebase Security Checklist

Hivemind9000 commented 9 months ago

@jhuleatt Can someone label this correctly (bug) and escalate it for a fix? Firebase is strongly recommending we take action on implementing email enumeration protection (via an email I received today), yet Firebase UI users can't - leaving our apps unprotected. From the wording in the email they are expecting a fix sometime, but I can't see any evidence of anyone working on it (no PRs, no confirmation as a bug etc.). Is Firebase UI still actively supported and maintained?

Casey10110 commented 9 months ago

I also am having issues with my app. Users now get stuck on the screen that you enter the email. I can't get my app to pass the Play Store because I can't get it to do it myself, but I have seen it on my devices and on others as well. This is the image that the team at Google that approves apps sent me, this is where it now suddenly gets stuck after working for several years: [image: IN_APP_EXPERIENCE-1592]

TheRealMikeD commented 9 months ago

I am getting the same issue on my web app. I just recently enabled email enumeration protection, since Google sent me an email strongly encouraging it. Now, no one can log in using FirebaseUI auth.

JosefJezek commented 6 months ago

any progress?

Casey10110 commented 6 months ago

I ended up just writing a custom log-in with e-mail and ditching that premade stuff altogether ... kinda lame they pretend it is still supported.


shane-js commented 3 months ago

As someone setting up firebase for the first time in 2024 I gotta say this whole thing was super confusing. Finally came across this issue and it makes a lot more sense that I am just messing around with something that is potentially broken?

I have a pretty straightforward brand new react app trying to drop firebaseui-web in to test and every user I enter the email for I get: "is not authorized to view the requested page.".

I agree with others - if this is not actively maintained time to just say so and remove it from the firebase docs.

Casey10110 commented 3 months ago

Definitely ... this needs to be removed it is wasting a ton of people's time.
