Email enumeration fails for existing users in Next.js App Router #1201

@leeprobert

Description

FirebaseUI Bug Report: Email enumeration fails for existing users in Next.js App Router

Summary

FirebaseUI's email sign-in flow incorrectly directs existing users to the "Create Account" panel. The internal mechanism for checking if a user exists appears to fail, even when the Firebase project is configured correctly and the user is confirmed to exist.

Environment

  • firebase: ^10.12.2
  • firebaseui: ^6.1.0
  • next: ^15.5.4
  • react: ^19.0.0
  • Framework: Next.js (App Router)
  • Deployment Environment: localhost

Steps to Reproduce

  1. Set up a new Next.js project using the App Router.
  2. Configure Firebase and FirebaseUI for email authentication using the redirect flow.
  3. Ensure there is an existing user in the Firebase Authentication database.
  4. Use the FirebaseUI widget to attempt to sign in with the existing user's email address.

Expected Behavior

After entering a valid, existing email address, FirebaseUI should recognize the user and present the password entry screen.

Actual Behavior

After entering a valid, existing email address, FirebaseUI proceeds to the "Create Account" screen, as if the user does not exist.

Debugging Steps Taken

This issue was subject to an extensive debugging session. Here are the key findings:

  1. Configuration Verified: The firebaseConfig object used to initialize the Firebase app was verified to be correct. The projectId and other credentials were confirmed to match the target Firebase project. The API key was confirmed to be working for other Firebase services like Firestore and for creating new user accounts through the UI.

  2. User Status Verified: The user account was confirmed to be enabled in the Firebase Authentication console.

  3. fetchSignInMethodsForEmail Fails: Using the (now deprecated) fetchSignInMethodsForEmail function for the existing user's email consistently returned an empty array ([]). This is the likely root cause of the UI's behavior.

  4. signInWithEmailAndPassword with dummy password Fails as expected: Using signInWithEmailAndPassword with a dummy password resulted in an auth/invalid-credential error, which is the expected behavior in recent SDK versions and doesn't allow one to distinguish between "user not found" and "wrong password".

  5. signInWithEmailAndPassword with real password SUCCEEDS: This is the key finding. When signInWithEmailAndPassword was called directly with the correct email and password for the user, it succeeded, and a valid token was returned.

Conclusion

The fact that signInWithEmailAndPassword succeeds proves that the Firebase project configuration, API keys, and connection to the Firebase backend are all working correctly.

The issue appears to be a bug within the FirebaseUI library's specific logic for checking for the existence of an email address before presenting the password prompt. This logic seems to be failing where the core Firebase Auth SDK succeeds.

As a workaround, we have implemented a custom login UI using the core Firebase Auth SDK, which works perfectly.
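The shape of such a single-step workaround, as an added example (not code from the issue or from the FirebaseUI project): the handler never calls fetchSignInMethodsForEmail and, like the SDK itself, reports an unknown address and a wrong password identically. `fakeSignIn` and its account table are a constructed stand-in for the real signInWithEmailAndPassword so the example runs offline; the error codes are Firebase Auth's own, the message strings are ours.

```javascript
// Pure mapping from a Firebase Auth error code to what the login form shows.
// Error codes are Firebase Auth SDK codes; the UI messages are our own.
function mapSignInError(code) {
  switch (code) {
    case 'auth/invalid-credential':
    case 'auth/user-not-found':   // older SDK versions still emit these two
    case 'auth/wrong-password':
      // Deliberately identical for all three: the form must not reveal
      // whether the address belongs to an existing account.
      return { ok: false, retry: true, message: 'Incorrect email or password.' };
    case 'auth/too-many-requests':
      return { ok: false, retry: false, message: 'Too many attempts. Try again later.' };
    case 'auth/invalid-email':
      return { ok: false, retry: true, message: 'Enter a valid email address.' };
    default:
      return { ok: false, retry: false, message: 'Sign-in failed. Please try again.' };
  }
}

// signIn has the (auth, email, password) => Promise<UserCredential> shape of the
// SDK's signInWithEmailAndPassword; passing it in keeps the handler testable.
async function loginWithPassword(signIn, auth, email, password) {
  try {
    const cred = await signIn(auth, email, password);
    return { ok: true, uid: cred.user.uid };
  } catch (err) {
    return mapSignInError(err && err.code);
  }
}

// Constructed test double reproducing the behaviour observed in the report:
// a wrong password and an unknown address both fail with auth/invalid-credential.
function fakeSignIn(accounts) {
  return async (_auth, email, password) => {
    if (accounts[email] === password) return { user: { uid: 'uid-' + email } };
    const err = new Error('Firebase: Error (auth/invalid-credential).');
    err.code = 'auth/invalid-credential';
    throw err;
  };
}

// Demo: the two failures below are indistinguishable to the caller.
const demoSignIn = fakeSignIn({ 'alice@example.com': 'correct-horse' }); // constructed account
Promise.all([
  loginWithPassword(demoSignIn, {}, 'alice@example.com', 'wrong-password'),
  loginWithPassword(demoSignIn, {}, 'nobody@example.com', 'wrong-password'),
]).then(([a, b]) => console.log(a.message === b.message)); // true
```

In a real page the first argument to `loginWithPassword` is `signInWithEmailAndPassword` from `firebase/auth` and `auth` is the `getAuth()` instance.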
