Firebase auth emulator does not respect Email Enumeration Protection when enabled. #6687
Description
[REQUIRED] Environment info
firebase-tools: 13.0.3
Platform: Windows
[REQUIRED] Test case
When enabling Email Enumeration Protection through the firebase console it does not reflect on the authentication emulator when running the emulator with the project id of my firebase project and executing functions like sendPasswordResetEmail.
[REQUIRED] Steps to reproduce
init the emulators:
firebase login
firebase use $YOUR_PROJECT_ID
firebase emulators:start --only authboiler plate html:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Document</title>
</head>
<body>
<button type="button" id="reset-btn">reset</button>
</body>
</html>
<script type="module">
import { initializeApp } from "https://www.gstatic.com/firebasejs/10.7.1/firebase-app.js";
const app = initializeApp({
// ...
});
import {
getAuth,
connectAuthEmulator,
sendPasswordResetEmail,
} from "https://www.gstatic.com/firebasejs/10.7.1/firebase-auth.js";
const auth = getAuth(app);
connectAuthEmulator(auth, "http://127.0.0.1:9099");
const btn = document.getElementById("reset-btn");
btn.addEventListener("click", () => {
sendPasswordResetEmail(auth, "[email protected]");
});
</script>
Click the button to execute the sendPasswordResetEmail function with a fake email address not registered in the list of users.
[REQUIRED] Expected behavior
Return a 200 status code and the following JSON object:
{
"kind": "identitytoolkit#GetOobConfirmationCodeResponse",
"email": "[email protected]"
}
[REQUIRED] Actual behavior
It returns a 400 status code and the following JSON object:
{
"error": {
"code": 400,
"message": "EMAIL_NOT_FOUND",
"errors": [
{
"message": "EMAIL_NOT_FOUND",
"reason": "invalid",
"domain": "global"
}
]
}
}