Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adds rudimentary email enumeration protection for auth emulator #6702

Merged
merged 12 commits into from
Jan 29, 2024
Merged

Adds rudimentary email enumeration protection for auth emulator #6702

merged 12 commits into from
Jan 29, 2024

Conversation

aalej
Copy link
Contributor

@aalej aalej commented Jan 19, 2024
edited
Loading

Description

Added rudimentary support for email enumeration protection on the Auth emulator.
Mainly covers these endpoints:

  • identitytoolkit.googleapis.com/v1/accounts:signInWithPassword
  • identitytoolkit.googleapis.com/v1/accounts:createAuthUri
  • identitytoolkit.googleapis.com/v1/accounts:sendOobCode

Reference

Auth Methods: https://firebase.google.com/docs/reference/js/auth.md#fetchsigninmethodsforemail
Email Enumeration Protection: https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection#overview

Scenarios Tested

Manual Testing

Tried to match Auth emulator results with the results from manual testing in https://github.com/aalej/auth-eep-testing

Sample Commands

firebase emulators:start

Caveats

The public docs for Email enumeration protection uses this endpoint which currently does not exist in the auth emulator from what I can tell(apiSpec.ts)

https://identitytoolkit.googleapis.com/admin/v2/projects/PROJECT_ID/config?updateMask=emailPrivacyConfig

The emulator however does has this endpoint(the admin is not included in the path). See

firebase-tools/src/emulator/auth/apiSpec.ts

Line 2325 in 5f6c816

"/v2/projects/{targetProjectId}/config": { 

https://identitytoolkit.googleapis.com/v2/projects/PROJECT_ID/config?updateMask=emailPrivacyConfig

The emailPrivacyConfig can be enabled by this curl command

curl -X PATCH -d '{"emailPrivacyConfig":{"enableImprovedEmailPrivacy":true}}' \
    -H 'Authorization: Bearer owner' \
    -H 'Content-Type: application/json' -H 'X-Goog-User-Project: <PROJECT_ID>' \
    "http://127.0.0.1:9099/identitytoolkit.googleapis.com/v2/projects/<PROJECT_ID>/config?updateMask=emailPrivacyConfig"

Alternatively, the endpoint specific to the emulator can be used to set the configs:

http://127.0.0.1:9099/emulator/v1/projects/<project_id>/config

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 19, 2024
View reviewed changes
src/test/emulators/auth/oob.spec.ts Dismissed Show dismissed Hide dismissed
src/test/emulators/auth/oob.spec.ts Dismissed Show dismissed Hide dismissed
@codecov-commenter
Copy link

codecov-commenter commented Jan 19, 2024
edited
Loading

Codecov Report

Attention: 1 lines in your changes are missing coverage. Please review.

Comparison is base (3182a1b) 54.15% compared to head (8c0d2e9) 54.19%.

Files Patch % Lines
src/emulator/auth/state.ts 80.00% 0 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #6702      +/-   ##
==========================================
+ Coverage   54.15%   54.19%   +0.03%     
==========================================
  Files         347      347              
  Lines       24136    24153      +17     
  Branches     4986     4992       +6     
==========================================
+ Hits        13072    13089      +17     
  Misses       9865     9865              
  Partials     1199     1199

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

joehan
joehan approved these changes Jan 23, 2024
View reviewed changes
Copy link
Contributor

@joehan joehan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great to me! Gonna find someone from auth to take a quick pass too

renkelvin
renkelvin approved these changes Jan 23, 2024
View reviewed changes
Copy link

@renkelvin renkelvin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, LGTM with a comment on a test case.

src/test/emulators/auth/oob.spec.ts Outdated
});
});

it("should return email when sending a password reset to non-existent user with improved email privacy enabled", async () => {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This email should be sent only when the user exists. See https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection#overview

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to verify. Are you referring to this line “When you make a password reset request, a verification email is sent only if the email address exists”. If so, I think the name of the test case I wrote may be a little bit misleading.

In this case I’m referring to the email address to be returned in the api response. When an email does not exists, a password reset email would not be sent, just that the api response would look like

{
    "kind": "identitytoolkit#GetOobConfirmationCodeResponse",
    "email": "[email protected]"
}

Should I leave a comment in the test case describing this? Or just change the test name to “should return email address...”

LMK in case I misunderstood anything.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the clarification. I think "should return email address.." sounds more accurate.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, updated the test title.

@aalej aalej merged commit 02e711e into master Jan 29, 2024
35 checks passed
@Kasra-G Kasra-G mentioned this pull request Apr 26, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@renkelvin renkelvin renkelvin approved these changes

@joehan joehan joehan approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@aalej @codecov-commenter @renkelvin @joehan