Missing INVALID_LOGIN_CREDENTIALS in the AuthErrorCodes of the firebase auth library

[delphinegesse]

Operating System

MacOs ventura

Browser Version

Chrome 117.0.5938.88

Firebase SDK Version

^10.4.0

Firebase SDK Product:

Auth

Describe your project's tooling

I am using the firebase auth service for a login page. I enabled the "email enumeration protection" and I want to display a specific message when the error INVALID_LOGIN_CREDENTIALS (the code is auth/invalid-login-credentials) occurs.

For this I need to check if the received error is indeed INVALID_LOGIN_CREDENTIALS. Consequently, I am looking for the official error in the firebase repository.

Describe the problem

My problem is that I cannot find the error INVALID_LOGIN_CREDENTIALS in the AuthErrorCodes (in the file auth-public.d.ts ) enumeration that should contain all auth errors. This enumeration is described as:

a map of potential Auth error codes, for easier comparison with errors thrown by the SDK

But this error is not in it. It seems that it was not included in the official documentation of errors either.

This is the error that my browser receives which proves that it is sent by firebase:

FirebaseError: Firebase: Error (auth/invalid-login-credentials).
    at createErrorInternal (assert.ts:136:55)
    at _fail (assert.ts:65:9)
    at _performFetchWithErrorHandling (index.ts:196:9)
    at async _performSignInRequest (index.ts:217:27)
    at async _signInWithCredential (credential.ts:37:20)

In my opinion the missing line in AuthErrorCodes is this one:
readonly INVALID_LOGIN_CREDENTIALS = "auth/invalid-login-credentials";

Since I cannot find the error I am currently putting it in a constant:
export const INVALID_LOGIN_CREDENTIALS = 'auth/invalid-login-credentials';

Am I looking in the wrong place? Or is the error really not available in the library? If it is option 2, then it should definitely be added!

Steps and code to reproduce issue

What I'm doing

Set up a project that uses the firebase auth service for a login page.
Enable the email enumeration protection.
Try to display a message specific to the INVALID_LOGIN_CREDENTIALS error (with the error code auth/invalid-login-credentials).

What I actually need

Find a reference to the INVALID_LOGIN_CREDENTIALS error (with the error code auth/invalid-login-credentials) in the repository that can be used in any app.

Basically, make this work:

import { AuthErrorCodes } from 'firebase/auth';
const iNeedThisErrorSomewhere = AuthErrorCodes.INVALID_LOGIN_CREDENTIALS;

[vimevili]

I'm facing the same issue and I wasn't able to figure it out

[JGarrido]

From what I can gather, the errors "auth/user-not-found" and "auth/wrong-password" (possibly others) have been collapsed into a new entry of "auth/invalid-login-credentials". This impacts version 10.4.0 of the client SDK for Web/JavaScript (though possibly others). What's interesting though is that it is only impacting 1 of 3 Firebase projects (the one we use for Production); the other two retain the original messaging.

I'm assuming this was made as a security enhancement (to obscure somewhat the actual issue, thereby discouraging brute force attacks) – but as @delphinegesse pointed out, the documentation has not yet been updated with this change. It's also somewhat of a breaking change, since existing error handling will be potentially rendered ineffective, and so probably should have been part of a major release instead.

[Xiaoshouzi-gh]

This behavior change is due to the Email Enumeration protection feature that is enabled by default on new projects (created on or after Sep 15). There is an option to disable the feature, in case your app relies on this functionality. In an upcoming release, the INVALID_LOGIN_CREDENTIAL error code will be exposed. This github issue will be used to track the fix. Thanks!

[NickFoden]

Thanks for the information. I hit this issue in my projects that are long running and created before 2023.

Edited to add -> (oh wait I maybe clicked the "enable google identity" banner or such recently yeah . . . )

[andrea19920611]

Thanks for the information. But how can be possible this change without changing the documentation or a changelog elsewhere?!

[Kaidtarek]

same error i was try to type a wrong email here :try { final credential = await FirebaseAuth.instance.signInWithEmailAndPassword(email: email.text, password: password.text); FirebaseAuth.instance.fetchSignInMethodsForEmail(email.text); } on FirebaseAuthException catch (e) { print('the catch here fix me!!!'); print("e_code is : << ${e.code} >>"); if (e.code == 'user-not-found') { print('No user found for that email.'); } else if (e.code == 'wrong-password') { print('Wrong password provided for that user.'); } } and i get INVALID_LOGIN_CREDENTIALS

[prameshj]

This error should now be thrown as "auth/invalid-credential" with the latest SDK - 10.7.0