Firebase Auth: Can we have a sign up button without leaking emails?


Alex

Jun 20, 2023, 5:15:12 PM
to Firebase Google Group
1. User enters no email or password
  - User can sign in as a guest

2. User enters an email
  - User can send a magic link

3. User enters an email and a password
  - User can sign up or sign in

If the user signs up with an email we haven't seen before, an account is created.
If the user signs up with an email we have seen before, what should we do?

I was thinking when a user clicks sign up we could send them a magic link regardless of whether or not they've created an account already. That way the sign-up button behaves the same whether the email is associated with an account or not.

However if we do that, their password is deleted because Firebase Auth isn't sure whether or not the user receiving the magic link is the same user who created an account with a password. This is reasonable.

But now I'm not sure what to do with my sign up button, if you have an account it does one thing, if you don't have an account it does another thing, effectively leaking the fact you have an email with us.

Laurent Payot

Jun 22, 2023, 8:23:45 AM
to Firebase Google Group
I raised a similar issue in 2020: https://github.com/firebase/firebase-js-sdk/issues/4164 
The issue was closed because it is "intended behavior". I’m glad I’m not the only one to be worried by this privacy/security leak.

Michael Gane (Ganey)

Jun 23, 2023, 1:33:32 PM
to Firebase Google Group
This isn't ideal, but you could catch the error codes and display the exact same error message to the user?

switch (error.code) {
  case 'auth/user-not-found':
  case 'auth/user-disabled':
  case 'auth/wrong-password':
    data.error = 'Incorrect email/password';
    break;
}

Laurent Payot

Jun 26, 2023, 7:31:56 AM
to Firebase Google Group
That’s what I’m doing already. But anyone can see the Firebase auth response in the dev console. It makes scripts trivial to write to check lots of emails.

Alex

Jul 1, 2023, 1:18:57 AM
to Firebase Google Group
Thank you for the input, unfortunately even if the messaging is the same, the difference in behaviour reveals whether or not the email has been registered.

i.e. If the user signs up with an email we haven't seen before, an account is created, but if the user signs up with an email we have seen before, we can't create an account.
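Added example, not code from any post in this thread and not part of the Firebase SDK. It puts the two ideas discussed above side by side: the client-side message collapsing Michael suggested (which, as Laurent notes, hides nothing from the network tab), and a server-mediated sign-up start that answers the browser identically whether or not the email is already registered, so the create-vs-cannot-create difference Alex describes never reaches the client. `createInMemoryUsers`, `createMailer`, `startSignUp` and `SAFE_RESPONSE` are constructed stand-ins; a real deployment would put the user store behind the Admin SDK on a trusted server, which is not shown here.

```javascript
// Added example (not from the thread). Nothing here calls the Firebase client
// or Admin SDK; the store and mailer are in-memory stand-ins so it runs offline.

// --- (1) Client side: one message for every credential failure ---------------
// Collapsing these codes keeps the UI from saying "no such user", but the raw
// error code is still visible in DevTools, so this only stops casual leakage.
const CREDENTIAL_ERROR_CODES = new Set([
  'auth/user-not-found',
  'auth/user-disabled',
  'auth/wrong-password',
]);

function describeAuthError(code) {
  return CREDENTIAL_ERROR_CODES.has(code)
    ? 'Incorrect email/password'
    : 'Something went wrong. Please try again.';
}

// --- (2) Server side: the browser never learns whether the email existed ------
// Whichever branch runs, the client receives this exact frozen object.
const SAFE_RESPONSE = Object.freeze({
  status: 200,
  message: 'Check your inbox to finish setting up or signing in.',
});

// Constructed stand-in for a user store. Password handling is delegated to the
// store (as the Admin SDK would do); this stand-in just records what it was given.
function createInMemoryUsers(seedEmails = []) {
  const byEmail = new Map(seedEmails.map((e) => [e, { email: e, credential: 'seeded' }]));
  return {
    getByEmail: (email) => byEmail.get(email) || null,
    create: (email, password) => {
      const user = { email, credential: password };
      byEmail.set(email, user);
      return user;
    },
    size: () => byEmail.size,
  };
}

// Constructed stand-in for an outbound mailer; it records what would be sent.
function createMailer() {
  const sent = [];
  return {
    send: (to, template) => { sent.push({ to, template }); },
    sent,
  };
}

function normalizeEmail(email) {
  return String(email).trim().toLowerCase();
}

// Returns the same response whether or not `email` is already registered.
// The branches differ only in side effects that are delivered out of band
// (to the mailbox owner), never in what the HTTP client sees. Note that the
// two branches may still differ in latency; a production service should
// measure that and pad if the difference is observable.
function startSignUp({ email, password }, { users, mailer }) {
  const normalized = normalizeEmail(email);
  const existing = users.getByEmail(normalized);
  if (existing) {
    // Leave the existing credential untouched (no password wipe, no reset);
    // tell the address owner that a sign-up was attempted.
    mailer.send(normalized, 'existing-account-notice');
  } else {
    users.create(normalized, password);
    mailer.send(normalized, 'verify-new-account');
  }
  return SAFE_RESPONSE;
}
```

The design point is that the sign-up button calls only `startSignUp`; the client never issues a Firebase call whose success or failure depends on whether the address is known, so there is no differing response for a script to harvest from the dev console.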
