Improve error message for email/password sign-in on OAuth accounts#1316

Closed
ashishyk018-byte wants to merge 9 commits into firebase:main from ashishyk018-byte:improve-email-password-error

@ashishyk018-byte

Fixes #1313

Improves the error message shown when Email/Password sign-in is attempted
for accounts originally created via OAuth, without relying on deprecated
auth APIs.

Manually verified the updated error handling logic.

@google-cla

google-cla bot commented Jan 28, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@ashishyk018-byte
Author

Thanks! Happy to make any changes if needed 🙂

@russellwheatley
Member

Hi @ashishyk018-byte - Thank you for the PR. We haven't made a decision on the best approach to this particular issue at this moment in time, but I'll let you know when a decision has been made 🙏

@ashishyk018-byte
Author

Thanks for the update! 👍
Happy to adjust the approach or make changes once a direction is decided.

@ashishyk018-byte
Author

The relevant change for this PR is the commit "Clear form validation errors when input is corrected".

@MichaelVerdon
Contributor

MichaelVerdon commented Feb 26, 2026

Hi there, after some experimenting we won't be able to accept this PR, as the only way we can catch out by provider is using the fetchSignInMethodsForEmail() method and checking against that, which also requires email enumeration protection disabled, which is generally not recommended. Errors were likely naturally kept vague to prevent bad actors from finding out why sign in failed, but instead we will add to the React example app on how it can be done for those who want it in their application. Proposed solution would overwrite other errors.
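
An added example, not code from this PR or from the project: a constructed, synchronous stub backend that shows the trade-off described in the comment above, namely that a provider-aware failure message only works with email enumeration protection disabled and then lets an unauthenticated caller tell account states apart. The account data and the helpers makeBackend, providerAwareMessage and distinctFailureMessages are assumptions made for illustration; the stub only models the SDK calls it is named after.

```javascript
// Constructed sample accounts; this is a stub, not the Firebase SDK.
const ACCOUNTS = {
  "oauth@example.test": { providers: ["google.com"] },
  "pw@example.test": { providers: ["password"], password: "correct-horse" },
};

// Models the behaviour discussed in the thread: with enumeration protection on,
// the provider lookup returns nothing and sign-in failures share one error code.
function makeBackend({ enumerationProtection }) {
  return {
    fetchSignInMethodsForEmail(email) {
      if (enumerationProtection) return [];
      return (ACCOUNTS[email] || { providers: [] }).providers;
    },
    signInWithEmailAndPassword(email, password) {
      const acct = ACCOUNTS[email];
      if (acct && acct.password === password) return { ok: true };
      if (enumerationProtection) return { code: "auth/invalid-credential" };
      return { code: acct ? "auth/wrong-password" : "auth/user-not-found" };
    },
  };
}

// Provider-aware failure message in the spirit of the proposal (hypothetical helper).
function providerAwareMessage(backend, email, password) {
  const res = backend.signInWithEmailAndPassword(email, password);
  if (res.ok) return "signed in";
  const methods = backend.fetchSignInMethodsForEmail(email);
  if (methods.length && !methods.includes("password")) {
    return `This account uses ${methods.join(", ")} sign-in.`;
  }
  return "Incorrect email or password.";
}

// Reviewer's check: how many distinct failure messages can a caller without
// valid credentials observe across the three account states?
function distinctFailureMessages(backend) {
  const probes = ["nobody@example.test", "oauth@example.test", "pw@example.test"];
  const seen = probes.map((e) => providerAwareMessage(backend, e, "wrong-guess"));
  return new Set(seen).size;
}
```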

@ashishyk018-byte
Author

Thanks for looking into this and for the detailed explanation.

That makes sense regarding email enumeration protection and keeping errors intentionally vague for security reasons. I understand why this shouldn't be part of the core library.

I appreciate the clarification and the plan to demonstrate it in the React example app instead. Thanks again for reviewing and experimenting with the approach.

Development

Successfully merging this pull request may close these issues.

Trying to log in with Email+Password when already logged in with OAuth previously only shows "Incorrect password"
