Fix issue where a user is created when empty email and password is pa…

…ssed (#5906) * Fix issue where a user is created when passing an empty email and password * Fix issue where a user is created when passing an empty email and password --------- Co-authored-by: joehan <[email protected]>
firebase · Jun 1, 2023 · ac21ab3 · ac21ab3
1 parent 708efef
commit ac21ab3
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,6 @@
 - Fix a bug preventing web framework's dev-mode from working out-of-box with Firebase Authentication. (#5894)
 - Address additional cases where we were attempting to deploy a framework's development bundle (#5895)
+- Fixes issue where Authentication emulator creates a user if empty email and empty password is provided. (#5639)
 - Improve error message raised when `--import` flag directory does not exist. (#5851)
 - Switch `ext:dev:init` to default 'billingRequired' to true in `extension.yaml`
 - Remove `LOCATION` param from the `extensions.yaml` template for `ext:dev:init`

diff --git a/src/emulator/auth/operations.ts b/src/emulator/auth/operations.ts
@@ -198,13 +198,13 @@ async function signUp(
     }
   }
 
-  if (reqBody.email) {
+  if (typeof reqBody.email === "string") {
     assert(isValidEmailAddress(reqBody.email), "INVALID_EMAIL");
     const email = canonicalizeEmailAddress(reqBody.email);
     assert(!state.getUserByEmail(email), "EMAIL_EXISTS");
     updates.email = email;
   }
-  if (reqBody.password) {
+  if (typeof reqBody.password === "string") {
     assert(
       reqBody.password.length >= PASSWORD_MIN_LENGTH,
       `WEAK_PASSWORD : Password should be at least ${PASSWORD_MIN_LENGTH} characters`

diff --git a/src/test/emulators/auth/signUp.spec.ts b/src/test/emulators/auth/signUp.spec.ts
@@ -40,6 +40,17 @@ describeAuthEmulator("accounts:signUp", ({ authApi }) => {
       });
   });
 
+  it("should throw error if empty email and password is provided", async () => {
+    await authApi()
+      .post("/identitytoolkit.googleapis.com/v1/accounts:signUp")
+      .send({ email: "", password: "" })
+      .query({ key: "fake-api-key" })
+      .then((res) => {
+        expectStatusCode(400, res);
+        expect(res.body.error).to.have.property("message").equals("INVALID_EMAIL");
+      });
+  });
+
   it("should issue idToken and refreshToken on anon signUp", async () => {
     await authApi()
       .post("/identitytoolkit.googleapis.com/v1/accounts:signUp")