Adds rudimentary email enumeration protection for auth emulator #6702
Conversation
Codecov report (bot comment), coverage diff for #6702 against master:

| | master | #6702 | +/- |
|---|---|---|---|
| Coverage | 54.15% | 54.19% | +0.03% |
| Files | 347 | 347 | |
| Lines | 24136 | 24153 | +17 |
| Branches | 4986 | 4992 | +6 |
| Hits | 13072 | 13089 | +17 |
| Misses | 9865 | 9865 | |
| Partials | 1199 | 1199 | |
This looks great to me! Gonna find someone from auth to take a quick pass too
Thanks, LGTM with a comment on a test case.
Review comment on src/test/emulators/auth/oob.spec.ts (outdated):

```ts
it("should return email when sending a password reset to non-existent user with improved email privacy enabled", async () => {
```
This email should be sent only when the user exists. See https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection#overview
Just to verify: are you referring to this line, "When you make a password reset request, a verification email is sent only if the email address exists"? If so, I think the name of the test case I wrote may be a little bit misleading.
In this case I'm referring to the email address returned in the API response. When an email does not exist, a password reset email would not be sent; it is just that the API response would look like

```json
{
  "kind": "identitytoolkit#GetOobConfirmationCodeResponse",
  "email": "non_existent_email@fake.fake"
}
```

Should I leave a comment in the test case describing this? Or just change the test name to "should return email address..."?
LMK in case I misunderstood anything.
Thanks for the clarification. I think "should return email address.." sounds more accurate.
Thanks, updated the test title.
Description
Added rudimentary support for email enumeration protection on the Auth emulator.
Mainly covers these endpoints:
Reference
Auth Methods: https://firebase.google.com/docs/reference/js/auth.md#fetchsigninmethodsforemail
Email Enumeration Protection: https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection#overview
Scenarios Tested
Manual Testing
Tried to match Auth emulator results with the results from manual testing in https://github.com/aalej/auth-eep-testing
Sample Commands

```sh
firebase emulators:start
```
Caveats
The public docs for Email enumeration protection use this endpoint, which currently does not exist in the auth emulator from what I can tell (apiSpec.ts).
The emulator, however, does have this endpoint (the admin is not included in the path). See firebase-tools/src/emulator/auth/apiSpec.ts, line 2325 in 5f6c816.
The emailPrivacyConfig can be enabled by this curl command:
Alternatively, the endpoint specific to the emulator can be used to set the configs: