
Firebase auth emulator does not respect Email Enumeration Protection when enabled. #6687

Open
JulioGrajales opened this issue Jan 14, 2024 · 2 comments

Comments

@JulioGrajales

[REQUIRED] Environment info

firebase-tools: 13.0.3

Platform: Windows

[REQUIRED] Test case

When enabling Email Enumeration Protection through the Firebase console, it is not reflected in the Authentication emulator when running the emulator with the project ID of my Firebase project and executing functions like sendPasswordResetEmail.

[REQUIRED] Steps to reproduce

Init the emulators:

firebase login
firebase use $YOUR_PROJECT_ID
firebase emulators:start --only auth

Boilerplate HTML:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Document</title>
  </head>
  <body>
    <button type="button" id="reset-btn">reset</button>

    <script type="module">
      import { initializeApp } from "https://www.gstatic.com/firebasejs/10.7.1/firebase-app.js";
      import {
        getAuth,
        connectAuthEmulator,
        sendPasswordResetEmail,
      } from "https://www.gstatic.com/firebasejs/10.7.1/firebase-auth.js";

      // Web app config of the project the emulator was started with (firebase use $YOUR_PROJECT_ID).
      const app = initializeApp({
        // ...
      });

      // Point the Auth SDK at the local emulator instead of production.
      const auth = getAuth(app);
      connectAuthEmulator(auth, "http://127.0.0.1:9099");

      // Request a password reset for an address that is not in the emulator's user list;
      // the response is visible in the browser's network tab (see Expected/Actual behavior below).
      const btn = document.getElementById("reset-btn");
      btn.addEventListener("click", () => {
        sendPasswordResetEmail(auth, "fake@fake.fake").catch((err) => console.error(err.code));
      });
    </script>
  </body>
</html>

Click the button to execute the sendPasswordResetEmail function with a fake email address not registered in the list of users.

[REQUIRED] Expected behavior

Return a 200 status code and the following JSON object:

{
  "kind": "identitytoolkit#GetOobConfirmationCodeResponse",
  "email": "fake@fake.fake"
}

[REQUIRED] Actual behavior

It returns a 400 status code and the following JSON object:

{
  "error": {
    "code": 400,
    "message": "EMAIL_NOT_FOUND",
    "errors": [
      {
        "message": "EMAIL_NOT_FOUND",
        "reason": "invalid",
        "domain": "global"
      }
    ]
  }
}

@joehan
Contributor

joehan commented Jan 16, 2024

Hey @JulioGrajales, in general, the emulators will not reflect changes made via the Firebase console. In this case, however, unfortunately, we have not gotten a chance to implement emulator support for email enumeration protection yet.

Keeping this open to track the feature request - however, I can't make any promises as to when this may be supported.

@Kasra-G

Kasra-G commented Apr 26, 2024

I have only tested it with the signInWithEmailAndPassword authentication method, but at least some support for email enumeration protection seems to now be possible:

Do an export of the firebase emulators after adding some users:

firebase emulators:export exports

Edit the file exports/auth_export/config.json and set enableImprovedEmailPrivacy in the JSON file to true.

Import the firebase emulators from the modified config:

firebase emulators:start --import=exports

At this point, the JSON returned from invalid logins changes from EMAIL_NOT_FOUND or INVALID_PASSWORD to just INVALID_CREDENTIALS.
Tested on version 13.7.3 of firebase-tools.

After some searching, it seems that this has been added since v13.2.0 (#6702).
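An added example (not code from the issue or from firebase-tools) that turns the two points above into a repeatable check: one helper applies the config.json workaround to an exported emulator config, the other classifies an Identity Toolkit response as leaking account existence or not, using the responses quoted in the issue as constructed samples. It assumes the exported config nests the flag as emailPrivacyConfig.enableImprovedEmailPrivacy; the hypothetical function names are mine.

```javascript
// Error codes that tell an unauthenticated caller whether an address is registered
// (the codes the issue and the comment above report seeing without protection).
const LEAKY_CODES = new Set(["EMAIL_NOT_FOUND", "INVALID_PASSWORD"]);
// Generic codes returned once protection is on: INVALID_LOGIN_CREDENTIALS is the
// code Firebase documents; INVALID_CREDENTIALS is how the comment above writes it.
const GENERIC_CODES = new Set(["INVALID_LOGIN_CREDENTIALS", "INVALID_CREDENTIALS"]);

// Return a deep copy of an exported auth_export/config.json object with improved
// email privacy switched on. Assumption: the flag lives under emailPrivacyConfig.
function enableEmailPrivacy(config) {
  const patched = JSON.parse(JSON.stringify(config));
  patched.emailPrivacyConfig = {
    ...(patched.emailPrivacyConfig || {}),
    enableImprovedEmailPrivacy: true,
  };
  return patched;
}

// Classify one sendOobCode / signInWithPassword response.
// "leaks": the caller can tell whether the email exists; "generic": it cannot.
function classifyAuthResponse(status, body) {
  if (status === 200 && body && body.kind === "identitytoolkit#GetOobConfirmationCodeResponse") {
    // With protection on, a reset request for an unknown address still "succeeds",
    // so the response is identical for registered and unregistered emails.
    return "generic";
  }
  const code = body && body.error && body.error.message;
  if (LEAKY_CODES.has(code)) return "leaks";
  if (GENERIC_CODES.has(code)) return "generic";
  return "unknown";
}

// Constructed samples: the "Actual" and "Expected" responses from the issue above.
const SAMPLES = {
  unprotected: { status: 400, body: { error: { code: 400, message: "EMAIL_NOT_FOUND", errors: [] } } },
  protected: { status: 200, body: { kind: "identitytoolkit#GetOobConfirmationCodeResponse", email: "fake@fake.fake" } },
};

// Run the classifier over the samples; returns { unprotected: "leaks", protected: "generic" }.
function checkSamples() {
  const out = {};
  for (const [name, s] of Object.entries(SAMPLES)) out[name] = classifyAuthResponse(s.status, s.body);
  return out;
}
```

Feed real emulator responses to classifyAuthResponse after starting with --import to confirm the patched config took effect.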
