Commit b0535f4

docs(auth): clarify signInWithEmailAndPassword error behavior under email enumeration protection (#8519)
1 parent 0729030 commit b0535f4

1 file changed

+15
-5
lines changed

packages/auth/lib/index.d.ts

Lines changed: 15 additions & 5 deletions
@@ -1806,17 +1806,27 @@ export namespace FirebaseAuthTypes {
18061806
/**
18071807
* Signs a user in with an email and password.
18081808
*
1809+
* ⚠️ Note:
1810+
* If "Email Enumeration Protection" is enabled in your Firebase Authentication settings (enabled by default),
1811+
* Firebase may return a generic `auth/invalid-login-credentials` error instead of more specific ones like
1812+
* `auth/user-not-found` or `auth/wrong-password`. This behavior is intended to prevent leaking information
1813+
* about whether an account with the given email exists.
1814+
*
1815+
* To receive detailed error codes, you must disable "Email Enumeration Protection", which may increase
1816+
* security risks if not properly handled on the frontend.
1817+
*
18091818
* #### Example
18101819
*
18111820
* ```js
18121821
* const userCredential = await firebase.auth().signInWithEmailAndPassword('[email protected]', '123456');
1813-
* ````
1822+
* ```
1823+
*
18141824
* @error auth/invalid-email Thrown if the email address is not valid.
18151825
* @error auth/user-disabled Thrown if the user corresponding to the given email has been disabled.
1816-
* @error auth/user-not-found Thrown if there is no user corresponding to the given email.
1817-
* @error auth/wrong-password Thrown if the password is invalid for the given email, or the account corresponding to the email does not have a password set.
1818-
* @param email The users email address.
1819-
* @param password The users password.
1826+
* @error auth/user-not-found Thrown if there is no user corresponding to the given email. (May be suppressed if email enumeration protection is enabled.)
1827+
* @error auth/wrong-password Thrown if the password is invalid or missing. (May be suppressed if email enumeration protection is enabled.)
1828+
* @param email The user's email address.
1829+
* @param password The user's password.
18201830
*/
18211831
signInWithEmailAndPassword(email: string, password: string): Promise<UserCredential>;
18221832
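Review bot: The `@error` list still names only `auth/user-not-found` and `auth/wrong-password`, while the new note says that with "Email Enumeration Protection" enabled (the default, per the note) callers may receive `auth/invalid-login-credentials` instead. Add an `@error auth/invalid-login-credentials` entry so the code returned under the default setting appears in the tag list and not only in the prose note. In the rewritten `auth/wrong-password` line, "invalid or missing" drops the earlier case "the account corresponding to the email does not have a password set"; keep that wording if it still applies. The sentence "which may increase security risks if not properly handled on the frontend" is vague: the note itself says the generic error exists to avoid revealing whether an account exists, so say directly that disabling the protection lets the specific codes reveal that again, and that app code should show users one generic sign-in failure message whichever code is returned.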
