From 5be78c38ad964339569e649bfcf3545e4426723d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Dinh?= <82420070+No898@users.noreply.github.com>
Date: Wed, 7 May 2025 15:10:11 +0200
Subject: [PATCH 1/2] docs(auth): clarify fetchSignInMethodsForEmail behavior with email enumeration protection

This update enhances the JSDoc comment for fetchSignInMethodsForEmail by explaining its behavior when "Email Enumeration Protection" is enabled in Firebase Authentication settings (which is the default). It notes that the method may return an empty array even for existing accounts when called from an unauthenticated context. This clarification aims to prevent confusion and potential misuse that could lead to security vulnerabilities.
---
packages/auth/lib/index.d.ts | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/packages/auth/lib/index.d.ts b/packages/auth/lib/index.d.ts
index cf2cad3ecc..fb00551de2 100644
--- a/packages/auth/lib/index.d.ts
+++ b/packages/auth/lib/index.d.ts
@@ -2096,19 +2096,28 @@ export namespace FirebaseAuthTypes {
 /**
 * Returns a list of authentication methods that can be used to sign in a given user (identified by its main email address).
 *
+ * ⚠️ Note:
+ * If "Email Enumeration Protection" is enabled in your Firebase Authentication settings (which is the default),
+ * this method may return an empty array even if the email is registered, especially when called from an unauthenticated context.
+ *
+ * This is a security measure to prevent leaking account existence via email enumeration attacks.
+ * Do not use the result of this method to directly inform the user whether an email is registered.
+ *
+ * #### Example
 *
 * ```js
 * const methods = await firebase.auth().fetchSignInMethodsForEmail('joe.bloggs@example.com');
 *
- * methods.forEach((method) => {
- * console.log(method);
- * });
+ * if (methods.length > 0) {
+ * // Likely a registered user — offer sign-in
+ * } else {
+ * // Could be unregistered OR email enumeration protection is active — offer registration
+ * }
 * ```
 *
 * @error auth/invalid-email Thrown if the email address is not valid.
- * @param email The users email address.
- */
+ * @param email The user's email address.
+ */
 fetchSignInMethodsForEmail(email: string): Promise;
 
 /**
From 05174792a27afcb7bd322123e6a3b6c383931fce Mon Sep 17 00:00:00 2001
From: Mike Hardy
Date: Mon, 12 May 2025 14:46:05 -0500
Subject: [PATCH 2/2] Update packages/auth/lib/index.d.ts

---
packages/auth/lib/index.d.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/auth/lib/index.d.ts b/packages/auth/lib/index.d.ts
index fb00551de2..20f36ad3ef 100644
--- a/packages/auth/lib/index.d.ts
+++ b/packages/auth/lib/index.d.ts
@@ -2117,7 +2117,7 @@ export namespace FirebaseAuthTypes {
 *
 * @error auth/invalid-email Thrown if the email address is not valid.
 * @param email The user's email address.
- */
+ */
 fetchSignInMethodsForEmail(email: string): Promise;
 
 /**
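Review bot: In the first patch's hunk at @@ -2096, the rewritten example still branches the UI on `methods.length` and tells the developer to "offer registration" in the else branch, which contradicts the sentence added two paragraphs above it ("Do not use the result of this method to directly inform the user whether an email is registered") and, when enumeration protection is on, routes already-registered users into a sign-up path. I would replace the two branch comments with a single note that the value cannot separate "unregistered" from "protected", e.g. `// An empty array does not prove the account is absent: with enumeration protection on, use one combined sign-in/sign-up flow rather than branching on this value`. The parenthetical "(which is the default)" is, as far as I know, only true for projects created after the protection was introduced; phrasing it as "enabled by default on newer projects — check your project's Authentication settings" would avoid a false sense of safety on older projects. The `⚠️ Note:` line is the only emoji heading in a block that otherwise uses `####` markdown headings, so `#### Note` may fit the file's convention better, though that is a style preference.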