Reputation: 5253
I'm building a login page with Angular 7 and I'm using angularfire2. Everything works fine but there is something that is bugging me which I really dislike. This is the form I'm using:
However, if I enter a wrong password, the network tab of the developer console registers the following:
If I enter a wrong email address, the network tab shows this:
{error: {code: 400, message: "EMAIL_NOT_FOUND",…}}
  error: {code: 400, message: "EMAIL_NOT_FOUND",…}
    code: 400
    errors: [{message: "EMAIL_NOT_FOUND", domain: "global", reason: "invalid"}]
    message: "EMAIL_NOT_FOUND"
The reason I really dislike this is because when an email or password is not valid, I'm showing the user the message:
You entered an invalid email or password
But the response clearly hints at what is wrong, so if someone tries to hack in, they get a hint on whether the email or the password specifically is valid.
This is the logic I'm using when the user clicks on the Sign In button:
onSignIn(form: NgForm) {
  const email = form.value.email;
  const password = form.value.password;

  this.afAuth.auth.signInWithEmailAndPassword(email, password)
    .then(firebaseUser => {
      console.log(firebaseUser);
    })
    .catch(error => {
      // Both credential errors are collapsed into one generic UI message,
      // but the distinct error code is still visible in the network tab.
      if (error.code === "auth/user-not-found" || error.code === "auth/wrong-password") {
        this.wrongAuthCreds = true;
        setTimeout(() => {
          this.wrongAuthCreds = false;
        }, 3000);
      } else {
        this.unknownErr = true;
        setTimeout(() => {
          this.unknownErr = false;
        }, 3000);
        console.log(error);
      }
    });
}
Is there a way to prevent that response being sent? Is there something I should configure, or is it simply not possible? I've looked in the documentation to no avail. Thanks in advance!
Upvotes: 2
Views: 582
Reputation: 5272
As David said in his comment, those messages come from Firebase's back-end itself, and unfortunately there's no option to customize that default behavior... BUT... Firebase does give you the ability to customize the authentication process using custom auth tokens.
It'll be a lot of work, but if you really want to go down this road, then you'll need to create a cloud function that accepts a username and password, validates it, generates a custom JWT, and returns it to the end user... and have your login page POST the credentials to that cloud function instead of afAuth.auth.signInWithEmailAndPassword. Inside of your new function, if you can't validate the username and password, you can send back whatever kind of generic error message you want.
Upvotes: 1