Firebase-js-sdk: firebase.auth().confirmPasswordReset() is throwing the wrong error

Created on 9 Feb 2019 · 12 Comments · Source: firebase/firebase-js-sdk

[REQUIRED] Describe your environment

  • Operating System version: Windows 10
  • Browser version: Firefox 65.0
  • Firebase SDK version: 5.8.2
  • Firebase Product: auth

[REQUIRED] Describe the problem

firebase.auth().confirmPasswordReset() is throwing the wrong error. Instead of auth/user-disabled, it throws auth/invalid-action-code.

Steps to reproduce:

  1. Create an email-password user.
  2. Disable user.
  3. Send password reset email to user.
  4. Run the following code:
const actionCode = "abc"; // Replace this with the action code from the email
const newPassword = "qwerty123"; // New password for user

firebase.auth().confirmPasswordReset(actionCode, newPassword).then(() => {
  // Reset was successful
  console.log("Success");

}).catch(error => { console.error(error) });

In Firefox 65, this error is thrown:

{ code: "auth/invalid-action-code", message: "The action code is invalid. This can happen if the code is malformed, expired, or has already been used.", stack: "" }

instead of this more relevant error that is thrown in Chrome 72.0.3626.96:

{ code: "auth/user-disabled", message: "The user account has been disabled by an administrator." }

The latter error is more relevant because the action code is valid, current, and unused; the problem is that the user is disabled, and it would be nice if this was reflected in the error message.

Also, if it's helpful, both firebase.auth().verifyPasswordResetCode() and firebase.auth().checkActionCode() work fine in both browsers.

auth closed-by-bot needs-info no-recent-activity
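
An added example, not part of the original issue or the Firebase SDK: a wrapper that uses the reporter's observation that verifyPasswordResetCode() still succeeds to flag a confirmPasswordReset() rejection whose auth/invalid-action-code contradicts it. The names diagnosePasswordReset, makeStubAuth and demo, and the stub's email address, are constructed for illustration.

```javascript
// Added example, not firebase-js-sdk code. `auth` is anything exposing the two
// methods named in the issue, e.g. firebase.auth().
async function diagnosePasswordReset(auth, actionCode, newPassword) {
  let email;
  try {
    // Resolves with the account's email address when the code is accepted.
    email = await auth.verifyPasswordResetCode(actionCode);
  } catch (error) {
    // The code itself was rejected, so an invalid/expired error is credible.
    return { ok: false, stage: "verify", code: error.code, inconsistent: false };
  }
  try {
    await auth.confirmPasswordReset(actionCode, newPassword);
    return { ok: true, email };
  } catch (error) {
    // The code was just accepted, so "invalid-action-code" here contradicts
    // the verify step: the case reported in this issue.
    const inconsistent = error.code === "auth/invalid-action-code";
    return { ok: false, stage: "confirm", code: error.code, inconsistent, email };
  }
}

// Constructed stub reproducing the reported behaviour for a disabled user:
// verify succeeds, confirm rejects with the error code passed in.
function makeStubAuth(confirmErrorCode) {
  return {
    verifyPasswordResetCode: async () => "disabled.user@example.com",
    confirmPasswordReset: async () => {
      throw Object.assign(new Error("constructed"), { code: confirmErrorCode });
    },
  };
}

// Runs both variants seen in the thread and returns the two diagnoses.
async function demo() {
  const firefox = await diagnosePasswordReset(
    makeStubAuth("auth/invalid-action-code"), "abc", "qwerty123");
  const chrome = await diagnosePasswordReset(
    makeStubAuth("auth/user-disabled"), "abc", "qwerty123");
  return { firefox, chrome };
}

demo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

With a real project, pass firebase.auth() as `auth`; an `inconsistent: true` result is worth logging together with the raw server response from the network console.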

All 12 comments

Hey @CamWass, are you saying that you are getting a different error depending on the browser? Our backend errors should be agnostic of user agent. Can you inspect the underlying server response (via browser network console) for both and provide the full response?

Yeah, that seems to be the case, here are the server responses.
Firefox:

{
  "error": {
    "code": 400,
    "message": "INVALID_OOB_CODE",
    "errors": [
      {
        "message": "INVALID_OOB_CODE",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

Chrome:

{
  "error": {
    "code": 400,
    "message": "USER_DISABLED",
    "errors": [
      {
        "message": "USER_DISABLED",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

I speculate this is due to some gradual experiment rollout on our backend. I don't think it is specific to browser. Will need to confirm.

I'm having this issue too.

It seems that we can't catch the rejection of confirmPasswordReset..

Still an issue? I'm still having this problem in the usual way of resetting my user's password (without deactivating the user).

I've been trying to reproduce this issue (demo app), running on different browsers using the mentioned JS SDK version (5.8.2), but can't seem to replicate it.

I'm a bit curious, though, whether it's in the implementation or whether the reset might somehow be triggered twice, which would make the code invalid.

I'm finding it quite difficult to replicate the issue without a detailed MCVE. Could you provide a minimal runnable repro of your app so I can also test this locally? Thanks.


Hey @CamWass. We need more information to resolve this issue but there hasn't been an update in 7 days. I'm marking the issue as stale and if there are no new updates in the next 3 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

I can confirm this is still an issue with v7.5.0 of the SDK on Firefox 70.0.1 and Chrome 78.0.3904.108. I have created a demo app. Here is a live demo, and here is the repo. The demo should explain and guide you through reproduction, and the repo contains basic instructions for using your own Firebase project, should you wish to do so. Thanks.

I've done some more digging and I think the issue is being caused by browser extensions (oops, probably should have checked that first) modifying HTTP headers. I'll do some more research to confirm this isn't an issue with the JS SDK or auth backend. Does firebase auth require/rely on any headers, like for example "referer" or "origin"?

I don't believe our service checks these specific headers. It may be that the extension is modifying the request content causing this issue to manifest, possibly modifying the code itself. You will need to investigate what changes this extension is making.


Hey @CamWass. We need more information to resolve this issue but there hasn't been an update in 7 days. I'm marking the issue as stale and if there are no new updates in the next 3 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!


Since there haven't been any recent updates here, I am going to close this issue.

@CamWass if you're still experiencing this problem and want to continue the discussion just leave a comment here and we are happy to re-open this.
