aalej/auth-eep-testing

Manual Testing for Email Enumeration Protection

These are the results of manually testing endpoints against a real Firebase project, comparing their responses with Email Enumeration Protection enabled and disabled.


createUserWithEmailAndPassword (no difference)

User Exists

Enabled

{
  "error": {
    "code": 400,
    "message": "EMAIL_EXISTS",
    "errors": [
      {
        "message": "EMAIL_EXISTS",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

Disabled

{
  "error": {
    "code": 400,
    "message": "EMAIL_EXISTS",
    "errors": [
      {
        "message": "EMAIL_EXISTS",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

signInWithEmailAndPassword

No User

Enabled

{
  "error": {
    "code": 400,
    "message": "INVALID_LOGIN_CREDENTIALS",
    "errors": [
      {
        "message": "INVALID_LOGIN_CREDENTIALS",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

Disabled

{
  "error": {
    "code": 400,
    "message": "EMAIL_NOT_FOUND",
    "errors": [
      {
        "message": "EMAIL_NOT_FOUND",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

Wrong password

Enabled

{
  "error": {
    "code": 400,
    "message": "INVALID_LOGIN_CREDENTIALS",
    "errors": [
      {
        "message": "INVALID_LOGIN_CREDENTIALS",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

Disabled

{
  "error": {
    "code": 400,
    "message": "INVALID_PASSWORD",
    "errors": [
      {
        "message": "INVALID_PASSWORD",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

User Disabled

Enabled

{
  "error": {
    "code": 400,
    "message": "USER_DISABLED",
    "errors": [
      {
        "message": "USER_DISABLED",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

Disabled

{
  "error": {
    "code": 400,
    "message": "USER_DISABLED",
    "errors": [
      {
        "message": "USER_DISABLED",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

User Disabled + wrong Password

Enabled

{
  "error": {
    "code": 400,
    "message": "USER_DISABLED",
    "errors": [
      {
        "message": "USER_DISABLED",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

Disabled

{
  "error": {
    "code": 400,
    "message": "USER_DISABLED",
    "errors": [
      {
        "message": "USER_DISABLED",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

fetchSignInMethodsForEmail

No User

Enabled

{
  "kind": "identitytoolkit#CreateAuthUriResponse",
  "sessionId": "ehpfdpyNv2J0jH3bOmw2auF4PrM"
}

Disabled

{
  "kind": "identitytoolkit#CreateAuthUriResponse",
  "registered": false,
  "sessionId": "OqMNF-1Tp8s-pUJhkuvIMVy4_6A"
}

User exists

Enabled

{
  "kind": "identitytoolkit#CreateAuthUriResponse",
  "sessionId": "yDuvwZcbeauTSZPScXCkcTCNvWk"
}

Disabled

{
  "kind": "identitytoolkit#CreateAuthUriResponse",
  "allProviders": [
    "password"
  ],
  "registered": true,
  "sessionId": "5jcQNCwU4T7cA_VAocfrHaSWNME",
  "signinMethods": [
    "password"
  ]
}

User Disabled

Enabled

{
  "kind": "identitytoolkit#CreateAuthUriResponse",
  "sessionId": "ZqNinTT2DiVEMxJdc_sgJv617Sw"
}

Disabled

{
  "kind": "identitytoolkit#CreateAuthUriResponse",
  "allProviders": [
    "password"
  ],
  "registered": true,
  "sessionId": "fT9UUkEhOqQ4d-MJ5me6RulFX9E",
  "signinMethods": [
    "password"
  ]
}
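The check below is an added example, not part of this repository: it replays the responses recorded above for signInWithEmailAndPassword and fetchSignInMethodsForEmail and reports whether the account states can be told apart once the per-request sessionId is ignored. The function names (`fingerprint`, `distinguishable_states`, `report`) and the state labels are hypothetical; the response bodies are copied from this page.

```python
import json

# Fields that change on every request and say nothing about the account.
VOLATILE_FIELDS = {"sessionId"}

def fingerprint(response: dict) -> str:
    """Reduce a response to the parts a client could use to tell accounts apart."""
    if "error" in response:
        return "error:" + response["error"]["message"]
    stable = {k: v for k, v in response.items() if k not in VOLATILE_FIELDS}
    return "ok:" + json.dumps(stable, sort_keys=True)

def distinguishable_states(by_state: dict) -> bool:
    """True when the account states do not all produce the same fingerprint."""
    return len({fingerprint(r) for r in by_state.values()}) > 1

def err(message: str) -> dict:  # same error envelope as the captures above
    return {"error": {"code": 400, "message": message, "errors": [
        {"message": message, "domain": "global", "reason": "invalid"}]}}

KIND = "identitytoolkit#CreateAuthUriResponse"
REGISTERED = {"kind": KIND, "allProviders": ["password"], "registered": True,
              "sessionId": "5jcQNCwU4T7cA_VAocfrHaSWNME", "signinMethods": ["password"]}

# Responses copied from this page: endpoint -> protection setting -> account state.
RECORDED = {
    "signInWithEmailAndPassword": {
        "enabled": {"no_user": err("INVALID_LOGIN_CREDENTIALS"),
                    "wrong_password": err("INVALID_LOGIN_CREDENTIALS")},
        "disabled": {"no_user": err("EMAIL_NOT_FOUND"),
                     "wrong_password": err("INVALID_PASSWORD")},
    },
    "fetchSignInMethodsForEmail": {
        "enabled": {"no_user": {"kind": KIND, "sessionId": "ehpfdpyNv2J0jH3bOmw2auF4PrM"},
                    "user_exists": {"kind": KIND, "sessionId": "yDuvwZcbeauTSZPScXCkcTCNvWk"}},
        "disabled": {"no_user": {"kind": KIND, "registered": False,
                                 "sessionId": "OqMNF-1Tp8s-pUJhkuvIMVy4_6A"},
                     "user_exists": REGISTERED},
    },
}

def report(recorded: dict) -> dict:
    """Map (endpoint, setting) -> True if the responses differ by account state."""
    return {(ep, setting): distinguishable_states(states)
            for ep, settings in recorded.items()
            for setting, states in settings.items()}

if __name__ == "__main__":
    for (ep, setting), leaks in report(RECORDED).items():
        print(f"{ep:30} {setting:8} {'distinguishable' if leaks else 'uniform'}")
```

Adding the USER_DISABLED capture from this page as a third sign-in state makes signInWithEmailAndPassword distinguishable even with protection enabled, since that response is the same in both settings.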

sendPasswordResetEmail

No User

Enabled

{
  "error": {
    "code": 400,
    "message": "EMAIL_NOT_FOUND",
    "errors": [
      {
        "message": "EMAIL_NOT_FOUND",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

Disabled

{
  "kind": "identitytoolkit#GetOobConfirmationCodeResponse",
  "email": "fake@fake.fake"
}

User exists

Enabled

{
  "kind": "identitytoolkit#GetOobConfirmationCodeResponse",
  "email": "fake@fake.fake"
}

Disabled

{
  "kind": "identitytoolkit#GetOobConfirmationCodeResponse",
  "email": "fake@fake.fake"
}

User Disabled

Enabled

{
  "kind": "identitytoolkit#GetOobConfirmationCodeResponse",
  "email": "fake@fake.fake"
}

Disabled

{
  "kind": "identitytoolkit#GetOobConfirmationCodeResponse",
  "email": "fake@fake.fake"
}
