Commit 476ba53

docs(auth): add documentation about errors code when Email Enumeration Protection is activated (#18084)
1 parent 531ceeb commit 476ba53

3 files changed: +49 / -15 lines

docs/auth/password-auth.md

Lines changed: 15 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -73,14 +73,28 @@ try {
7373
password: password
7474
);
7575
} on FirebaseAuthException catch (e) {
76-
if (e.code == 'user-not-found') {
76+
if (e.code == 'invalid-credential') {
77+
// Email or password is incorrect. Projects with email enumeration
78+
// protection enabled (the default since September 2023) return this
79+
// code instead of 'user-not-found' or 'wrong-password'.
80+
print('Invalid email or password.');
81+
} else if (e.code == 'user-not-found') {
82+
// Only returned when email enumeration protection is disabled.
7783
print('No user found for that email.');
7884
} else if (e.code == 'wrong-password') {
85+
// Only returned when email enumeration protection is disabled.
7986
print('Wrong password provided for that user.');
8087
}
8188
}
8289
```
8390

91+
Note: Since September 2023, Firebase enables
92+
[email enumeration protection](https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection)
93+
by default on new projects. With this feature enabled, `user-not-found` and
94+
`wrong-password` error codes are replaced by `invalid-credential` to prevent
95+
revealing whether an email address is registered. You can manage this setting in
96+
the Firebase console under **Authentication > Settings**.
97+
8498
Caution: When a user uninstalls your app on iOS or macOS, the user's authentication
8599
state can persist between app re-installs, as the Firebase iOS SDK persists
86100
authentication state to the system keychain.
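Review bot: the retained `user-not-found` and `wrong-password` branches still print distinct messages ("No user found for that email." versus "Wrong password provided for that user."), which is exactly the account-existence oracle the new Note says email enumeration protection exists to close; on projects that have the setting disabled, this sample teaches readers to leak it from their own UI. Suggest printing one generic message in all three branches (reuse `print('Invalid email or password.');`) and keeping the per-code distinction in the comments only, or adding a sentence to the Note that the distinct messages are for debugging and must not be shown to end users. Also, the inline comment says the protection is "the default since September 2023" while the Note says "by default on new projects"; align the comment with the Note so owners of older projects do not assume it is enabled for them.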

packages/firebase_auth/firebase_auth/lib/src/firebase_auth.dart

Lines changed: 17 additions & 7 deletions
Original file line number | Diff line number | Diff line change
@@ -535,11 +535,19 @@ class FirebaseAuth extends FirebasePluginPlatform {
535535
/// - Thrown if the email address is not valid.
536536
/// - **user-disabled**:
537537
/// - Thrown if the user corresponding to the given email has been disabled.
538-
/// - **user-not-found**:
538+
/// - **user-not-found** _(deprecated)_:
539539
/// - Thrown if there is no user corresponding to the given email.
540-
/// - **wrong-password**:
540+
/// **Note:** This code is no longer returned on projects that have
541+
/// [email enumeration protection](https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection)
542+
/// enabled (the default for new projects since September 2023).
543+
/// Use **invalid-credential** instead.
544+
/// - **wrong-password** _(deprecated)_:
541545
/// - Thrown if the password is invalid for the given email, or the account
542546
/// corresponding to the email does not have a password set.
547+
/// **Note:** This code is no longer returned on projects that have
548+
/// [email enumeration protection](https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection)
549+
/// enabled (the default for new projects since September 2023).
550+
/// Use **invalid-credential** instead.
543551
/// - **too-many-requests**:
544552
/// - Thrown if the user sent too many requests at the same time, for security
545553
/// the api will not allow too many attempts at the same time, user will have
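Review bot: labelling `user-not-found` and `wrong-password` as _(deprecated)_ is misleading, because the added Note under each of them says they are still thrown whenever email enumeration protection is disabled, which is the state of every project that predates the September 2023 default; nothing here is deprecated in the API sense, and "Use **invalid-credential** instead" reads as if callers may drop the old branches. Suggest replacing the label with wording such as "only returned when email enumeration protection is disabled" and changing the last sentence to say that callers should handle `invalid-credential` in addition to these codes. The three-line **Note:** is also repeated verbatim under both codes; one shared sentence after the list would be easier to keep accurate.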
@@ -550,11 +558,13 @@ class FirebaseAuth extends FirebasePluginPlatform {
550558
/// - **network-request-failed**:
551559
/// - Thrown if there was a network request error, for example the user
552560
/// doesn't have internet connection
553-
/// - **INVALID_LOGIN_CREDENTIALS** or **invalid-credential**:
554-
/// - Thrown if the password is invalid for the given email, or the account
555-
/// corresponding to the email does not have a password set.
556-
/// Depending on if you are using firebase emulator or not the code is
557-
/// different
561+
/// - **invalid-credential**:
562+
/// - Thrown if the email or password is incorrect. On projects with
563+
/// [email enumeration protection](https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection)
564+
/// enabled (the default since September 2023), this replaces
565+
/// **user-not-found** and **wrong-password** to prevent revealing
566+
/// whether an account exists. On the Firebase emulator, the code may
567+
/// appear as **INVALID_LOGIN_CREDENTIALS**.
558568
/// - **operation-not-allowed**:
559569
/// - Thrown if email/password accounts are not enabled. Enable
560570
/// email/password accounts in the Firebase Console, under the Auth tab.
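Review bot: the rewritten `invalid-credential` entry drops a case the removed lines documented, "or the account corresponding to the email does not have a password set"; unless that case now maps to a different code, restore it, since a developer who relied on the old text will no longer find it. The emulator sentence is also vaguer than what it replaces: "the code may appear as **INVALID_LOGIN_CREDENTIALS**" does not say whether the plugin normalises the emulator's code to `invalid-credential` or whether callers must match both strings; state which it is so the condition can be written correctly.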

packages/firebase_auth/firebase_auth_platform_interface/lib/src/platform_interface/platform_interface_firebase_auth.dart

Lines changed: 17 additions & 7 deletions
Original file line number | Diff line number | Diff line change
@@ -514,11 +514,19 @@ abstract class FirebaseAuthPlatform extends PlatformInterface {
514514
/// - Thrown if the email address is not valid.
515515
/// - **user-disabled**:
516516
/// - Thrown if the user corresponding to the given email has been disabled.
517-
/// - **user-not-found**:
517+
/// - **user-not-found** _(deprecated)_:
518518
/// - Thrown if there is no user corresponding to the given email.
519-
/// - **wrong-password**:
519+
/// **Note:** This code is no longer returned on projects that have
520+
/// [email enumeration protection](https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection)
521+
/// enabled (the default for new projects since September 2023).
522+
/// Use **invalid-credential** instead.
523+
/// - **wrong-password** _(deprecated)_:
520524
/// - Thrown if the password is invalid for the given email, or the account
521525
/// corresponding to the email does not have a password set.
526+
/// **Note:** This code is no longer returned on projects that have
527+
/// [email enumeration protection](https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection)
528+
/// enabled (the default for new projects since September 2023).
529+
/// Use **invalid-credential** instead.
522530
/// - **too-many-requests**:
523531
/// - Thrown if the user sent too many requests at the same time, for security
524532
/// the api will not allow too many attempts at the same time, user will have
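Review bot: this block is a verbatim copy of the doc comment changed in `packages/firebase_auth/firebase_auth/lib/src/firebase_auth.dart` in the same commit, including the _(deprecated)_ label that contradicts the Note beneath it (the codes are still returned when email enumeration protection is disabled) and the twice-repeated three-line Note. Whatever wording is settled on for the public class should be applied here as well, or the platform-interface comment should be shortened to a pointer to the public class so the two copies cannot drift apart.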
@@ -529,11 +537,13 @@ abstract class FirebaseAuthPlatform extends PlatformInterface {
529537
/// - **network-request-failed**:
530538
/// - Thrown if there was a network request error, for example the user
531539
/// doesn't have internet connection
532-
/// - **INVALID_LOGIN_CREDENTIALS** or **invalid-credential**:
533-
/// - Thrown if the password is invalid for the given email, or the account
534-
/// corresponding to the email does not have a password set.
535-
/// Depending on if you are using firebase emulator or not the code is
536-
/// different
540+
/// - **invalid-credential**:
541+
/// - Thrown if the email or password is incorrect. On projects with
542+
/// [email enumeration protection](https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection)
543+
/// enabled (the default since September 2023), this replaces
544+
/// **user-not-found** and **wrong-password** to prevent revealing
545+
/// whether an account exists. On the Firebase emulator, the code may
546+
/// appear as **INVALID_LOGIN_CREDENTIALS**.
537547
/// - **operation-not-allowed**:
538548
/// - Thrown if email/password accounts are not enabled. Enable
539549
/// email/password accounts in the Firebase Console, under the Auth tab.
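Review bot: same issue as the matching hunk in `firebase_auth.dart`: the "does not have a password set" case from the removed lines is missing from the new `invalid-credential` description, and "may appear as **INVALID_LOGIN_CREDENTIALS**" leaves open whether callers must match both `invalid-credential` and `INVALID_LOGIN_CREDENTIALS` when running against the emulator. Since the platform-interface and public-class comments are kept identical, fix both in the same way.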
