Firebase Auth signs out user when it receives error 429 - too many requests #9259

@thomasdao

Description

Operating System

Mac Sequoia 15.6.1

Environment (if applicable)

Latest Chrome

Firebase SDK Version

12.2.1

Firebase SDK Product(s)

Auth

Project Tooling

Webpack

Detailed Problem Description

Issue

When Firebase Auth refreshes the user token via https://identitytoolkit.googleapis.com/v1/accounts:lookup, if the server responds with status 429 (Too Many Requests), the Firebase JS SDK automatically deletes the locally cached token and signs out the current user. This does not happen with the Firebase iOS and Android SDKs.

Impact

This behavior can be exploited by an attacker: by spamming authentication services (e.g., sign-up or password reset), they can trigger 429 responses and force sign-outs for all valid users of the project.

Steps and code to reproduce issue

Please mock the 429 (Too Many Requests) response from the Firebase endpoint https://identitytoolkit.googleapis.com/v1/accounts:lookup. After receiving the 429 error response, the token is removed from IndexedDB and localStorage and the current user is signed out.
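As an added example (not the reporter's code and not the Firebase SDK's implementation), the following JavaScript models the decision the issue is about: a naive refresh handler that clears the cached session on any non-OK response from the lookup endpoint, beside a hardened one that treats 429 and 5xx as transient, keeps the cached token, and schedules a retry. The in-memory store, the `fakeLookup` mock, the backoff policy and the list of fatal error codes are assumptions made for illustration, not the SDK's actual internals.

```javascript
// Added example: models the "sign out on any error" failure mode from the
// issue beside a hardened handler. NOT the Firebase SDK's code; storage
// shape, error codes and retry policy are assumptions.

// In-memory stand-in for the persistence layer (IndexedDB / localStorage).
function makeStore(initialToken) {
  const data = new Map(initialToken ? [["idToken", initialToken]] : []);
  return {
    get: (k) => data.get(k),
    set: (k, v) => data.set(k, v),
    clear: () => data.clear(),
  };
}

// Constructed mock of the accounts:lookup call. `status` is the HTTP status
// to return; `errorMessage`, when given, mimics an {error: {message}} body.
function fakeLookup(status, errorMessage) {
  return async () => ({
    status,
    ok: status >= 200 && status < 300,
    json: async () =>
      errorMessage
        ? { error: { message: errorMessage } }
        : { users: [{ localId: "u1" }] }, // constructed success body
  });
}

// Behaviour described in the issue: any non-OK response wipes the cached
// token and signs the user out, including a transient 429.
async function naiveRefresh(store, lookup) {
  const res = await lookup();
  if (!res.ok) {
    store.clear(); // the user is signed out by a rate limit
    return { signedOut: true, status: res.status };
  }
  return { signedOut: false, status: res.status };
}

// Hardened version: only a response that proves the credential itself is
// invalid ends the session. Rate limiting and server errors keep the token
// and return a backoff delay (exponential, capped). The error codes below
// are assumed examples for the demo, not an authoritative list.
const FATAL_ERRORS = new Set(["INVALID_ID_TOKEN", "USER_NOT_FOUND", "USER_DISABLED"]);

function isTransient(status) {
  return status === 429 || status >= 500;
}

async function hardenedRefresh(store, lookup, attempt = 0) {
  const res = await lookup();
  if (res.ok) return { signedOut: false, status: res.status, retryInMs: 0 };

  if (isTransient(res.status)) {
    // Keep the session; a real client would also honor Retry-After.
    const retryInMs = Math.min(1000 * 2 ** attempt, 60_000);
    return { signedOut: false, status: res.status, retryInMs };
  }

  const body = await res.json().catch(() => ({}));
  const code = (body?.error?.message ?? "").split(" ")[0];
  if (res.status === 401 || FATAL_ERRORS.has(code)) {
    store.clear(); // credential is genuinely invalid: sign out
    return { signedOut: true, status: res.status, retryInMs: 0 };
  }
  // Unknown 4xx: do not destroy the session on ambiguity; retry later.
  return { signedOut: false, status: res.status, retryInMs: 5000 };
}
```

Calling `naiveRefresh(makeStore("tok"), fakeLookup(429))` empties the store, which is the reported behaviour; `hardenedRefresh` with the same mock leaves the token in place and returns a backoff delay, and only clears the store for a 401 or one of the assumed fatal error codes. The same idea applies to the reproduction step above: intercepting the lookup request to return 429 is enough to exercise the sign-out path without any real rate limiting.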
