Reputation: 2422
On a website using firebase that contains auth I'm implementing a "forgot password" feature.
The return status of sendPasswordResetEmail() is 400 if the user supplies an email that doesn't have an account associated with it. It returns 200 if the email does have an account.
That means that an attacker can keep guessing emails until they get a 200. Then they know of a valid email. Then they can start guessing passwords for it.
Is there a way to get sendPasswordResetEmail() to always return 200? I'd like the only response, whether a good or bad email is entered, to be "Check your email for a reset link". If the email is invalid then firebase should quietly not send an email.
Or is there some other mechanism that would increase security?
Upvotes: 2
Views: 563
Reputation: 599631
firebaser here
API calls from client-side SDKs to Firebase Authentication are rate-limited to reduce the risk of such dictionary attacks. We also just launched new configuration options that allow you to enable email enumeration protection, for example by always returning INVALID_LOGIN_CREDENTIALS regardless of the type of error.
If you suspect your project is actively seeing such an attack, reach out to Firebase support so they can investigate and adjust quota if needed.
Upvotes: 9
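As an added example (not code from the question, the answer, or Firebase itself), this is the uniform-response wrapper the question asks for: whatever the underlying call does, the caller gets one fixed message. `sendResetEmail` is assumed to be a function with the shape of the Firebase JS SDK's `sendPasswordResetEmail(auth, email)` already bound to `auth` (returns a Promise, rejects with an Error carrying a `code` property); the `fakeSendPasswordResetEmail` stand-in and its account list are constructed so the block runs offline. One caveat a practitioner should keep in mind: this only shapes what your own UI shows. The client-side SDK talks to Firebase directly with the public web API key, so anyone calling the API themselves still sees the original error code; the project-level email enumeration protection the answer describes is the control that actually closes the oracle, and the wrapper is the matching UI behaviour.

```javascript
// Added example (not from the question or answer): a "forgot password" wrapper
// that returns one fixed message whether or not the address has an account,
// so the 400/200 difference from sendPasswordResetEmail() never reaches the UI.
// `sendResetEmail` is assumed to be a function with the shape of the Firebase
// JS SDK call sendPasswordResetEmail(auth, email) already bound to `auth`:
// it returns a Promise and rejects with an Error carrying a `code` property.

const UNIFORM_MESSAGE = "Check your email for a reset link";

// 'auth/user-not-found' is the code the Firebase JS SDK uses when no account
// matches the address; surfacing it is what turns the endpoint into an oracle.
const ENUMERATION_CODES = new Set(["auth/user-not-found"]);

function isEnumerationError(err) {
  return Boolean(err) && ENUMERATION_CODES.has(err.code);
}

// Returns the same object for every outcome. Errors that would reveal whether
// the account exists are swallowed; other failures are logged for operators
// but still produce the uniform message, so the response shape never varies.
async function requestPasswordReset(email, sendResetEmail, log = () => {}) {
  try {
    await sendResetEmail(email);
    log("reset email sent");
  } catch (err) {
    if (isEnumerationError(err)) {
      log("reset requested for unknown address; nothing sent");
    } else {
      log(`reset failed: ${err.code || err.message}`);
    }
  }
  return { ok: true, message: UNIFORM_MESSAGE };
}

// Constructed stand-in for the Firebase call, used only so the example runs
// offline. It mimics the SDK's error shape; the account list is made up.
const KNOWN_ACCOUNTS = new Set(["alice@example.com"]);
function fakeSendPasswordResetEmail(email) {
  if (!KNOWN_ACCOUNTS.has(email)) {
    const err = new Error("There is no user record corresponding to this identifier.");
    err.code = "auth/user-not-found";
    return Promise.reject(err);
  }
  return Promise.resolve();
}

// Usage: both calls resolve to { ok: true, message: "Check your email for a reset link" }.
async function demo() {
  const known = await requestPasswordReset("alice@example.com", fakeSendPasswordResetEmail, console.log);
  const unknown = await requestPasswordReset("nobody@example.com", fakeSendPasswordResetEmail, console.log);
  return known.message === unknown.message;
}
demo().then((same) => console.log("responses identical:", same));
```

In a real app, replace `fakeSendPasswordResetEmail` with `(email) => sendPasswordResetEmail(auth, email)` from the Firebase SDK and route `log` to whatever your front end uses for diagnostics, not to something the user sees. Response timing is a separate side channel the wrapper does not equalise, which is another reason to rely on the project-level setting rather than on client code alone.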