Prevent Invalid Email/password Hinting


I'm building a login page with Angular 7 and I'm using angularfire2. Everything works fine but there is something that is bugging me which I really dislike. This is the form I'm using:

(screenshot of the login form)

However, if I enter a wrong password, the network tab of the developer console registers the following:

(screenshot of the network tab response for the wrong-password attempt)

If I enter a wrong email address, the network tab shows this:

  {
    "error": {
      "code": 400,
      "message": "EMAIL_NOT_FOUND",
      "errors": [
        { "message": "EMAIL_NOT_FOUND", "domain": "global", "reason": "invalid" }
      ]
    }
  }

The reason I really dislike this is because when an email or password is not valid, I'm showing the user the message:

You enter an invalid email or password

But this clearly hints at what is wrong, so if someone tries to hack, they will get a hint on whether the email or the password specifically is valid.

This is the logic I'm using when the user clicks on the Sign In button:

  onSignIn(form: NgForm) {
    const email = form.value.email; // field name assumed; the original line was cut off
    const password = form.value.password;
    this.afAuth.auth.signInWithEmailAndPassword(email, password)
      .then(() => {
        // signed in; navigate away or clear the form here
      })
      .catch(error => {
        // both codes are shown to the user as one "invalid email or password" message,
        // but the distinct code (and the raw HTTP response) is still visible in the network tab
        if (error.code === "auth/user-not-found" || error.code === "auth/wrong-password") {
          this.wrongAuthCreds = true;
          setTimeout(() => {
            this.wrongAuthCreds = false;
          }, 3000);
        } else {
          this.unknownErr = true;
          setTimeout(() => {
            this.unknownErr = false;
          }, 3000);
        }
      });
  }

Is there a way to prevent that response from being sent? Is there something I should configure, or is it simply not possible? I've looked in the documentation to no avail. Thanks in advance!



As David said in his comment, those messages come from Firebase's back-end itself, and unfortunately there's no option to customize that default behavior... BUT... Firebase does give you the ability to customize the authentication process using custom auth tokens.

It'll be a lot of work, but if you really want to go down this road, then you'll need to create a cloud function that accepts a username and password, validates it, generates a custom JWT, and returns it to the end-user... and have your login page POST the credentials to that cloud function instead of afAuth.auth.signInWithEmailAndPassword. Inside of your new function, if you can't validate the username & password, you can send back whatever kind of generic error message you want.