Firebase-js-sdk: `signInWithEmailAndPassword` requires 'reCaptcha' but missing an API support

Created on 4 Dec 2019  ·  6 Comments  ·  Source: firebase/firebase-js-sdk

[REQUIRED] Describe your environment

  • Operating System version: OSX 10.15.1
  • Browser version: Chrome 78.0.3904.108
  • Firebase SDK version: 7.4.0
  • Firebase Product: auth

[REQUIRED] Describe the problem

Firebase auth has a built-in protection against too many frequent login attempts. When failing to login multiple times, the server returns a wrong error that requires the developer to implement a reCaptcha though it is not supported by the API.

Steps to reproduce:

When using a simple authentication using the signInWithEmailAndPassword API, it sends a request to: https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword

After multiple failed logins, the returned result is:

{
  "error": {
    "code": 400,
    "message": "TOO_MANY_ATTEMPTS_TRY_LATER : Too many unsuccessful login attempts.  Please include reCaptcha verification or try again later",
    "errors": [
      {
        "message": "TOO_MANY_ATTEMPTS_TRY_LATER : Too many unsuccessful login attempts.  Please include reCaptcha verification or try again later",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

And to be more specific, it returns the following text in the error:
"Please include reCaptcha verification or try again later".

The problem? The signInWithEmailAndPassword API does not accept an ApplicationVerifier, meaning it cannot be used with firebase.auth.RecaptchaVerifier.

Also, this is not a good error message since it should not be displayed to the user (this is an implementation guideline).


All 6 comments

Thanks for reporting the issue, @eyalben. We have an existing internal report (b/144943694) for this and our Auth folks have confirmed that it shouldn't be mentioned in the error message as we don't support reCAPTCHA yet for email/password. This shall be added to future releases; however, I may not be able to provide you with any specifics as to when the fix will be released in production. You may keep an eye out on our release notes for any updates.

Appreciate all the feedback. Thanks

Got feedback from the backend team that the fix is already released in prod. Thanks!

@rommelpe If I want to try the maximum number of unsuccessful attempts (minus one) before displaying a captcha for signInWithEmailAndPassword then how many attempts on what duration is exactly "too many attempts"? Is there a way to customize that number/duration?

I didn't try reCaptcha yet, will the reCaptcha widget be displayed automagically when there were too many unsuccessful attempts and be hidden before that? That would be great.

@rommelpe Please provide more information regarding the released fix.

Looking at the release notes, nothing was released regarding this.

This is a server side fix. It is applicable to all versions of the client SDK.

@laurentpayot For password login requests, it is 20 QPS per IP address. Usually after some time, maybe a minute, the restriction will be lifted for that email. Also, you may reduce the frequency of attempts to avoid triggering the anti-abuse system.

If you have a valid use-case specific to increase this quota, you may contact Firebase support so they can properly assist you.

Currently, the reCaptcha feature needs to be set up manually on your app, it doesn't come after reaching the quota.
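The following is an added example written for this page, not code from the firebase-js-sdk project or from any of the commenters. It ties together two points made above: the issue body's note that the server's error text should not be displayed to the user, and the comment that clients should reduce the frequency of attempts so they do not keep triggering the anti-abuse system. It classifies either the raw identitytoolkit error body quoted in the issue or an SDK error object carrying a `code` (the SDK maps `TOO_MANY_ATTEMPTS_TRY_LATER` to `auth/too-many-requests`), returns a neutral user-facing message, and gates retries with a capped exponential backoff. The sample error body is reconstructed from the issue, the `auth/unclassified` fallback code and the `SignInGate` helper are assumptions of this example, and the injected `now` timestamps stand in for a real clock.

```javascript
// Added example (not firebase-js-sdk code): handle TOO_MANY_ATTEMPTS_TRY_LATER on the client
// without echoing the server's developer-facing text, and back off before retrying.

// Constructed sample: the REST error body quoted in the issue (not a live response).
const SAMPLE_ERROR_BODY = {
  error: {
    code: 400,
    message: "TOO_MANY_ATTEMPTS_TRY_LATER : Too many unsuccessful login attempts.  Please include reCaptcha verification or try again later",
    errors: [
      {
        message: "TOO_MANY_ATTEMPTS_TRY_LATER : Too many unsuccessful login attempts.  Please include reCaptcha verification or try again later",
        domain: "global",
        reason: "invalid",
      },
    ],
  },
};

// Normalize either an SDK error ({ code: 'auth/...' }) or a raw REST body to a stable code.
// Only the machine-readable prefix before the first ':' is stable; the free text after it is
// for developers and must never reach the UI.
function normalizeSignInError(err) {
  if (err && typeof err.code === 'string' && err.code.startsWith('auth/')) {
    return err.code; // the SDK already mapped the server code for us
  }
  const raw = err && err.error && typeof err.error.message === 'string' ? err.error.message : '';
  const prefix = raw.split(':')[0].trim();
  // 'auth/unclassified' is a placeholder chosen for this example, not an SDK code.
  return prefix === 'TOO_MANY_ATTEMPTS_TRY_LATER' ? 'auth/too-many-requests' : 'auth/unclassified';
}

// Turn a normalized code into what the UI may show and whether a retry makes sense.
// The raw server message is deliberately not part of the result.
function describeForUser(code) {
  if (code === 'auth/too-many-requests') {
    return { retryable: true, userMessage: 'Too many sign-in attempts. Please wait a moment and try again.' };
  }
  // Generic wording for everything else so the UI does not leak server internals.
  return { retryable: false, userMessage: 'Sign-in failed. Please check your details and try again.' };
}

// Capped exponential backoff from the number of consecutive throttled responses:
// 2s, 4s, 8s, ... up to 60s.
function backoffDelayMs(throttledCount, baseMs = 2000, maxMs = 60000) {
  if (throttledCount <= 0) return 0;
  return Math.min(maxMs, baseMs * 2 ** (throttledCount - 1));
}

// Client-side gate (assumed helper): remembers throttled responses and tells the caller
// when the next attempt is allowed. `now` is a millisecond timestamp injected by the caller.
class SignInGate {
  constructor() {
    this.throttledCount = 0;
    this.notBefore = 0;
  }
  canAttempt(now) {
    return now >= this.notBefore;
  }
  // Record a failed attempt; returns the earliest time the next attempt is allowed.
  recordFailure(described, now) {
    if (described.retryable) {
      this.throttledCount += 1;
      this.notBefore = now + backoffDelayMs(this.throttledCount);
    }
    // Non-throttled failures (e.g. wrong credentials) do not extend an active backoff.
    return this.notBefore;
  }
  recordSuccess() {
    this.throttledCount = 0;
    this.notBefore = 0;
  }
}

// Usage sketch against the v7 SDK used in the issue (assumption: `firebase` is loaded):
//   const gate = new SignInGate();
//   if (!gate.canAttempt(Date.now())) { /* tell the user to wait */ }
//   try {
//     await firebase.auth().signInWithEmailAndPassword(email, password);
//     gate.recordSuccess();
//   } catch (e) {
//     const described = describeForUser(normalizeSignInError(e));
//     gate.recordFailure(described, Date.now());
//     showMessage(described.userMessage); // never e.message
//   }
```

The gate only slows down a well-behaved client; the server-side limit described in the comments still applies regardless of what the client does, and the backoff simply keeps an unlucky user (or a buggy retry loop) from hammering the endpoint once the limit has been hit.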
