Prevent Invalid Email/password Hinting

I'm building a login page with Angular 7 and I'm using angularfire2. Everything works fine but there is something that is bugging me which I really dislike. This is the form I'm using:

[screenshot of the login form]

However, if I enter a wrong password, the network tab of the developer console registers the following:

[screenshot of the network tab response for a wrong password]

If I enter a wrong email address, the network tab shows this:

    {
      "error": {
        "code": 400,
        "message": "EMAIL_NOT_FOUND",
        "errors": [
          { "message": "EMAIL_NOT_FOUND", "domain": "global", "reason": "invalid" }
        ]
      }
    }

The reason I really dislike this is because when an email or password is not valid, I'm showing the user the message:

You enter an invalid email or password

But this is clearly hinting at what is wrong, hence if someone tries to hack, they will get a hint on whether the password or the email specifically is valid or not.

This is the logic I'm using when the user clicks on the Sign In button:

    onSignIn(form: NgForm) {
      const email = form.value.email;
      const password = form.value.password;
      this.afAuth.auth.signInWithEmailAndPassword(email, password)
        .then(firebaseUser => {
          console.log(firebaseUser);
        })
        .catch(error => {
          // Both "user not found" and "wrong password" are collapsed into one
          // generic message in the UI, but the raw Firebase response is still
          // visible in the browser's network tab.
          if (error.code === "auth/user-not-found" || error.code === "auth/wrong-password") {
            this.wrongAuthCreds = true;
            setTimeout(() => { this.wrongAuthCreds = false; }, 3000);
          } else {
            this.unknownErr = true;
            setTimeout(() => { this.unknownErr = false; }, 3000);
            console.log(error);
          }
        });
    }

Is there a way to prevent that response being sent? Is there something I should configure, or is it simply not possible? I've looked in the documentation to no avail. Thanks in advance!

Answer

As David said in his comment, those messages come from Firebase's back-end itself, and unfortunately there's no option to customize that default behavior... BUT... Firebase does give you the ability to customize the authentication process using custom auth tokens.

It'll be a lot of work, but if you really want to go down this road, then you'll need to create a cloud function that accepts a username and password, validates it, generates a custom JWT, and returns it to the end-user... and have your login page POST the credentials to that cloud function instead of afAuth.auth.signInWithEmailAndPassword. Inside of your new function, if you can't validate the username & password, you can send back whatever kind of generic error message you want.

source: stackoverflow.com