Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adds rudimentary email enumeration protection for auth emulator #6702

Merged
merged 12 commits into from
Jan 29, 2024

Conversation

aalej
Copy link
Contributor

@aalej aalej commented Jan 19, 2024

Description

Added rudimentary support for email enumeration protection on the Auth emulator.
Mainly covers these endpoints:

  • identitytoolkit.googleapis.com/v1/accounts:signInWithPassword
  • identitytoolkit.googleapis.com/v1/accounts:createAuthUri
  • identitytoolkit.googleapis.com/v1/accounts:sendOobCode

Reference

Auth Methods: https://firebase.google.com/docs/reference/js/auth.md#fetchsigninmethodsforemail
Email Enumeration Protection: https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection#overview

Scenarios Tested

Manual Testing

Tried to match Auth emulator results with the results from manual testing in https://github.com/aalej/auth-eep-testing

Sample Commands

firebase emulators:start

Caveats

The public docs for Email enumeration protection uses this endpoint which currently does not exist in the auth emulator from what I can tell(apiSpec.ts)

https://identitytoolkit.googleapis.com/admin/v2/projects/PROJECT_ID/config?updateMask=emailPrivacyConfig

The emulator however does has this endpoint(the admin is not included in the path). See

"/v2/projects/{targetProjectId}/config": {

https://identitytoolkit.googleapis.com/v2/projects/PROJECT_ID/config?updateMask=emailPrivacyConfig

The emailPrivacyConfig can be enabled by this curl command

curl -X PATCH -d '{"emailPrivacyConfig":{"enableImprovedEmailPrivacy":true}}' \
    -H 'Authorization: Bearer owner' \
    -H 'Content-Type: application/json' -H 'X-Goog-User-Project: <PROJECT_ID>' \
    "http://127.0.0.1:9099/identitytoolkit.googleapis.com/v2/projects/<PROJECT_ID>/config?updateMask=emailPrivacyConfig"

Alternatively, the endpoint specific to the emulator can be used to set the configs:

http://127.0.0.1:9099/emulator/v1/projects/<project_id>/config

src/test/emulators/auth/oob.spec.ts Dismissed Show dismissed Hide dismissed
src/test/emulators/auth/oob.spec.ts Dismissed Show dismissed Hide dismissed
@codecov-commenter
Copy link

codecov-commenter commented Jan 19, 2024

Codecov Report

Attention: 1 lines in your changes are missing coverage. Please review.

Comparison is base (3182a1b) 54.15% compared to head (8c0d2e9) 54.19%.

Files Patch % Lines
src/emulator/auth/state.ts 80.00% 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #6702      +/-   ##
==========================================
+ Coverage   54.15%   54.19%   +0.03%     
==========================================
  Files         347      347              
  Lines       24136    24153      +17     
  Branches     4986     4992       +6     
==========================================
+ Hits        13072    13089      +17     
  Misses       9865     9865              
  Partials     1199     1199              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Copy link
Contributor

@joehan joehan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great to me! Gonna find someone from auth to take a quick pass too

Copy link

@renkelvin renkelvin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, LGTM with a comment on a test case.

});
});

it("should return email when sending a password reset to non-existent user with improved email privacy enabled", async () => {

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to verify. Are you referring to this line “When you make a password reset request, a verification email is sent only if the email address exists”. If so, I think the name of the test case I wrote may be a little bit misleading.

In this case I’m referring to the email address to be returned in the api response. When an email does not exists, a password reset email would not be sent, just that the api response would look like

{
    "kind": "identitytoolkit#GetOobConfirmationCodeResponse",
    "email": "non_existent_email@fake.fake"
}

Should I leave a comment in the test case describing this? Or just change the test name to “should return email address...”

LMK in case I misunderstood anything.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the clarification. I think "should return email address.." sounds more accurate.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, updated the test title.

@aalej aalej merged commit 02e711e into master Jan 29, 2024
35 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy