flutter firebase dart google-cloud-platform firebase-authentication

Firebase Auth ONLY gives INVALID_LOGIN_CREDENTIALS error and no other error codes


I use FirebaseAuth.instance.signInWithEmailAndPassword() in my Flutter/Dart code. To test scenarios where users, for example, enter a wrong password or wrong email, etc., I check the error codes, like: 'user-not-found', 'invalid-email', 'user-disabled', or 'wrong-password'. The problem is that the only error code that I get is 'INVALID_LOGIN_CREDENTIALS' and none of the others.

This is my code:

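  import 'package:firebase_auth/firebase_auth.dart';

  // Result values used by signIn() below.
  enum AuthResult {
    success, userNotFound, invalidEmail, userDisabled, wrongPassword, failure, aborted
  }

  Future<AuthResult> signIn(String email, String password) async {
    try {
      await FirebaseAuth.instance.signInWithEmailAndPassword(
        email: email,
        password: password,
      );

      return AuthResult.success;
    } on FirebaseAuthException catch (e) {
      // Log the raw code returned by Firebase Auth.
      print(e.code);

      // Map the specific error codes to results; anything else is a failure.
      switch (e.code) {
        case 'user-not-found':
          return AuthResult.userNotFound;
        case 'invalid-email':
          return AuthResult.invalidEmail;
        case 'user-disabled':
          return AuthResult.userDisabled;
        case 'wrong-password':
          return AuthResult.wrongPassword;
        default:
          return AuthResult.failure;
      }
    } catch (_) {
      // Any non-Firebase error.
      return AuthResult.aborted;
    }
  }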

I also looked on Stack Overflow and GitHub to see if other people had this problem. It looks like it has to do with email enumeration protection. I looked into the Google Cloud docs to see how to disable this, but this didn't solve my problem when following the instructions.

Link on how to disable it: https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection#disable

This is the error I get in the Google Cloud console when following the instructions:

curl: (3) URL using bad/illegal format or missing URL
curl: (6) Could not resolve host: Bearer
curl: (3) URL using bad/illegal format or missing URL
curl: (3) URL using bad/illegal format or missing URL
curl: (6) Could not resolve host: application
curl: (3) URL using bad/illegal format or missing URL
curl: (3) URL using bad/illegal format or missing URL
{
  "error": {
    "code": 401,
    "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "CREDENTIALS_MISSING",
        "domain": "googleapis.com",
        "metadata": {
          "service": "identitytoolkit.googleapis.com",
          "method": "google.cloud.identitytoolkit.admin.v2.ProjectConfigService.UpdateConfig"
        }
      }
    ]
  }
}

Solution

  • For Firebase projects created since September 15, 2023, the setting to protect against email enumeration is enabled by default. This setting makes it harder for malicious users to find out what users are in your project by changing the responses of some APIs, and disabling other APIs completely.

    What you're seeing is the result of this setting, which is documented on this page on email enumeration protection.

    That page also shows how to disable email enumeration protection so that the API reverts to its previous behavior. Note that doing so will make your project/users susceptible to the risks of an email enumeration attack.
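
An added example (not from the original question or answer, and not FlutterFire's own code): one way to handle sign-in errors with email enumeration protection left enabled, folding every credential failure into a single outcome so the app never reveals which field was wrong. `SignInOutcome`, `outcomeForCode` and `messageFor` are hypothetical names, the `invalid-credential` case is an assumption about other plugin versions, and the switch expression assumes Dart 3.

```dart
import 'package:firebase_auth/firebase_auth.dart';

// Hypothetical outcome type for this example.
enum SignInOutcome { success, invalidCredentials, invalidEmail, userDisabled, throttled, failure }

/// Maps a FirebaseAuthException code to an outcome. Kept free of Firebase
/// calls so it can be unit-tested on its own.
SignInOutcome outcomeForCode(String code) {
  switch (code) {
    // Protection enabled: the backend does not say whether the email or the
    // password was wrong.
    case 'INVALID_LOGIN_CREDENTIALS': // code reported in the question
    case 'invalid-credential': // assumption: form used by other plugin versions
    // Protection disabled (legacy codes): folded into the same outcome so the
    // app itself never discloses whether an account exists.
    case 'user-not-found':
    case 'wrong-password':
      return SignInOutcome.invalidCredentials;
    case 'invalid-email': // malformed address, says nothing about accounts
      return SignInOutcome.invalidEmail;
    case 'user-disabled':
      return SignInOutcome.userDisabled;
    case 'too-many-requests':
      return SignInOutcome.throttled;
    default:
      return SignInOutcome.failure;
  }
}

Future<SignInOutcome> signIn(String email, String password) async {
  try {
    await FirebaseAuth.instance
        .signInWithEmailAndPassword(email: email, password: password);
    return SignInOutcome.success;
  } on FirebaseAuthException catch (e) {
    return outcomeForCode(e.code);
  }
}

/// One message for every credential failure, whichever code produced it.
String messageFor(SignInOutcome outcome) => switch (outcome) {
      SignInOutcome.success => 'Signed in.',
      SignInOutcome.invalidCredentials => 'Incorrect email or password.',
      SignInOutcome.invalidEmail => 'Enter a valid email address.',
      SignInOutcome.userDisabled => 'This account has been disabled.',
      SignInOutcome.throttled => 'Too many attempts. Try again later.',
      SignInOutcome.failure => 'Sign-in failed. Try again.',
    };
```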