Adds rudimentary email enumeration protection for auth emulator

[aalej]

Description

Added rudimentary support for email enumeration protection on the Auth emulator.
Mainly covers these endpoints:

• identitytoolkit.googleapis.com/v1/accounts:signInWithPassword
• identitytoolkit.googleapis.com/v1/accounts:createAuthUri
• identitytoolkit.googleapis.com/v1/accounts:sendOobCode

Reference

Auth Methods: https://firebase.google.com/docs/reference/js/auth.md#fetchsigninmethodsforemail
Email Enumeration Protection: https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection#overview

Scenarios Tested

Manual Testing

Tried to match Auth emulator results with the results from manual testing in https://github.com/aalej/auth-eep-testing

Sample Commands

firebase emulators:start

Caveats

The public docs for Email enumeration protection uses this endpoint which currently does not exist in the auth emulator from what I can tell(apiSpec.ts)

https://identitytoolkit.googleapis.com/admin/v2/projects/PROJECT_ID/config?updateMask=emailPrivacyConfig

The emulator however does has this endpoint(the admin is not included in the path). See

firebase-tools/src/emulator/auth/apiSpec.ts

Line 2325 in 5f6c816

"/v2/projects/{targetProjectId}/config": {

https://identitytoolkit.googleapis.com/v2/projects/PROJECT_ID/config?updateMask=emailPrivacyConfig

The emailPrivacyConfig can be enabled by this curl command

curl -X PATCH -d '{"emailPrivacyConfig":{"enableImprovedEmailPrivacy":true}}' \
    -H 'Authorization: Bearer owner' \
    -H 'Content-Type: application/json' -H 'X-Goog-User-Project: <PROJECT_ID>' \
    "http://127.0.0.1:9099/identitytoolkit.googleapis.com/v2/projects/<PROJECT_ID>/config?updateMask=emailPrivacyConfig"

Alternatively, the endpoint specific to the emulator can be used to set the configs:

http://127.0.0.1:9099/emulator/v1/projects/<project_id>/config

[codecov-commenter]

Codecov Report

Attention: 1 lines in your changes are missing coverage. Please review.

Comparison is base (3182a1b) 54.15% compared to head (8c0d2e9) 54.19%.

Files	Patch %	Lines
src/emulator/auth/state.ts	80.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #6702      +/-   ##
==========================================
+ Coverage   54.15%   54.19%   +0.03%     
==========================================
  Files         347      347              
  Lines       24136    24153      +17     
  Branches     4986     4992       +6     
==========================================
+ Hits        13072    13089      +17     
  Misses       9865     9865              
  Partials     1199     1199              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[joehan]

This looks great to me! Gonna find someone from auth to take a quick pass too

[renkelvin]

Thanks, LGTM with a comment on a test case.

[renkelvin]

This email should be sent only when the user exists. See https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection#overview

[aalej]

Just to verify. Are you referring to this line “When you make a password reset request, a verification email is sent only if the email address exists”. If so, I think the name of the test case I wrote may be a little bit misleading.

In this case I’m referring to the email address to be returned in the api response. When an email does not exists, a password reset email would not be sent, just that the api response would look like

{
    "kind": "identitytoolkit#GetOobConfirmationCodeResponse",
    "email": "non_existent_email@fake.fake"
}

Should I leave a comment in the test case describing this? Or just change the test name to “should return email address...”

LMK in case I misunderstood anything.

[renkelvin]

Thanks for the clarification. I think "should return email address.." sounds more accurate.

[aalej]

Thanks, updated the test title.