firebase-ios-sdk
firebase-ios-sdk copied to clipboard
firebase
MFA_ENROLLMENT_NOT_FOUND on MFA when using Firebase Auth Emulator
Description
We're trying to automate E2E with Firebase Emulators.
On the project we use Sign in with email/password, email verification & MFA with phone number.
When we create a user with email/password, email verification & MFA through Firebase Auth Emulator Suite we are able to login with email/password. But then when we try to proceed with an OTP code we're getting error - MFA_ENROLLMENT_NOT_FOUND.
Reproducing the issue
- Create a project on
Firebaseand addiOSproject. - Enable Authentication with
email/password&MFA. - Simple project that does login with email/password and then goes to the screen to enter OTP code for MFA.
- Setup Firebase Auth Emulator.
- Create new user through
Firebase Auth Emulatorwith email/password, email verified, MFA enabled with some phone number. - Run the app. Proceed with email/password.
- Then call API
http://0.0.0.0:9099/emulator/v1/projects/{firebase_project_id}/verificationCodeswhere thefirebase_project_idis the id of the firebase project. - Inside the app enter the OTP code from the previous step. Expected behaviour
- Function
FIRMultiFactorResolver.resolveSignInWithAssertionshould return success. Actual behaviour - Function
FIRMultiFactorResolver.resolveSignInWithAssertionreturns error -MFA_ENROLLMENT_NOT_FOUND.
Firebase SDK Version
10.7.0
Xcode Version
14.2
Installation Method
Carthage
Firebase Product(s)
Authentication
Targeted Platforms
iOS
Relevant Log Output
Error Domain=FIRAuthErrorDomain Code=17084 "MFA_ENROLLMENT_NOT_FOUND" UserInfo={NSLocalizedDescription=MFA_ENROLLMENT_NOT_FOUND, FIRAuthErrorUserInfoNameKey=ERROR_MULTI_FACTOR_INFO_NOT_FOUND}
If using Swift Package Manager, the project's Package.resolved
Expand Package.resolved snippet
Replace this line with the contents of your Package.resolved.
If using CocoaPods, the project's Podfile.lock
Expand Podfile.lock snippet
Replace this line with the contents of your Podfile.lock!
I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
Same issue occurs with react-native-firebase with google-sign-in as first factor:
Error: [auth/unknown] MFA_ENROLLMENT_NOT_FOUND
NativeFirebaseError: [auth/unknown] MFA_ENROLLMENT_NOT_FOUND
at resolveMultiFactorSignIn (http://192.168.50.163:8081/index.bundle?platform=ios&dev=true&hot=false:126322:52)
at resolveSignIn (http://192.168.50.163:8081/index.bundle?platform=ios&dev=true&hot=false:128803:51)
at eval (JavaScript:1:23)
at ?anon_0_ (http://192.168.50.163:8081/index.bundle?platform=ios&dev=true&hot=false:160337:37)
at next (native)
at asyncGeneratorStep (http://192.168.50.163:8081/index.bundle?platform=ios&dev=true&hot=false:4630:26)
at _next (http://192.168.50.163:8081/index.bundle?platform=ios&dev=true&hot=false:4649:29)
at anonymous (http://192.168.50.163:8081/index.bundle?platform=ios&dev=true&hot=false:4654:14)
at tryCallTwo (/Users/distiller/react-native/sdks/hermes/build_iphonesimulator/lib/InternalBytecode/InternalBytecode.js:61:9)
at doResolve (/Users/distiller/react-native/sdks/hermes/build_iphonesimulator/lib/InternalBytecode/InternalBytecode.js:216:25)
at Promise (/Users/distiller/react-native/sdks/hermes/build_iphonesimulator/lib/InternalBytecode/InternalBytecode.js:82:14)
@romansorochak Thanks for the report and reproduction instructions. Would you share a project that demonstrates the issue to help us prioritize it?
I'm not able to reproduce it using the friendly chat app codelab: https://firebase.google.com/codelabs/auth-mfa-blocking-functions
curl http://127.0.0.1:9199/emulator/v1/projects/demo-example/verificationCodes
{"verificationCodes":[{"code":"339404","phoneNumber":"+14081111111","sessionInfo":"PgzXxZvNnbzJ9U1u4i5L9jGTbSLwzc-A_KTUJ1g36Zimf-88UlU0yGUfRX57aJbl8jcL2_NTP-1-ZgKnljZ3qxPsymMnsdzyU6Ns5sADQK3EwcLylD2XF2t5vXJhApdbg2erPD5b-sb1RYyMIp1m__5rR-B_ijGt547CB5cgtyKvUkf7lraFBEdUOsfNXgFcWJvWDyhzSS10WxfopY8c5LtRRhN4DyoOsk"}]}
If I were to guess, the line throwing the error in the emulator is here: https://github.com/firebase/firebase-tools/blob/a1287dd55b284c3463f3e216db86b0b46260e237/src/emulator/auth/operations.ts#L2102
@romansorochak Thanks for the report and reproduction instructions. Would you share a project that demonstrates the issue to help us prioritize it?
Hi @paulb777
Here is a test project with the issue.
It is missing GoogleService-Info.plist file.
Please use your own.
Thanks for you help !
Hi @paulb777 Just wondering if you were able to reproduce the issue ?
@romansorochak Sorry, we haven't been able to get to it yet. I hope to in the next few days.
@romansorochak We've been able to reproduce the issue and it looks like a bug in the emulator. We will investigate a fix and report back when we have more details.
@romansorochak We've been able to reproduce the issue and it looks like a bug in the emulator. We will investigate a fix and report back when we have more details.
Thank you a lot for your help !
I also got the repro app running with a real Firebase console project and was able to see a difference in SDK behavior between the emulator and console project.
The execution paths diverge at https://github.com/firebase/firebase-ios-sdk/blob/master/FirebaseAuth/Sources/AuthProvider/Phone/FIRPhoneAuthProvider.m#L452: isAppVerificationDisabledForTesting is YES for the emulator and it sends a SendVerificationCodeRequest with:
(lldb) po postBody
{
phoneNumber = "+*******1234";
}
The console project falls through to the StartMFAEnrollmentRequest and sends:
(lldb) po postBody
{
mfaEnrollmentId = "6e11e8de-bbd3-4afa-b379-8cfba337d640";
mfaPendingCredential = "AMzJoSkTTSYRvlAy74VToXPODKkQfzRNjNacGAWRF8B-K77KX2WroX45hQamZKBsPT8b4hjYNg0A_4Ix_paLyLqkv2xj9CLl4oA7dfD8NbSCcbFEK5e5Yl94FSaS33Rk9uQVoGzZbZ6lB_MvjQcMDXrv5w2Qn11Dj4ePwz0Ovcbvo0_uEyGIMoU";
phoneSignInInfo = {
phoneNumber = "+*******7074";
recaptchaToken = "03AKH6MRFaH21R6oi2chCjxPIZ972tbeM6xwG57SxO3jfWsZkrdjZ98yylOHL_uSFQTV6Z7riGNLW56Ne_i6kn0x6YD1udf3tCSoZj0BWdGr9r11k9Bb2JSAVvEP4BIjw4Kg4xfmVjA7IjTwbG_H-0wJgj1iUpySG6bDCDbshEsgREqkJed38tjmDzydd5UK8G3WvsA0NC9xBJoPv-FiDJ3JCFnDkspXhTLvHqNxDzLkFuO1aFcNpTnK-_Ba6weVDXySZcEJZwLaZVQhRr18eCHxxbquXeauFYnohOHuk7SNTu9aaW0X1cWfYpNxOVLXR7s2Yvd3I5R5uNJOmW0jjI_TeCzsK56oBIfJ-2pDBCWZoMibikjmph9ZTlaIppgnoN987IhvFyu7um5uE9Mq0SrbbzFKqG6q7DjE542sC9C8_pLiHxFxMM2-h40dHBR775_PaG3KLs7GAuXkyoXGBbx_oInANTitBer86zG2jBIRmspE3J7Ovzs7CzvAiMSGOz-9Vwdhiv_eiFAAz_hsK25x9t2GKdGTCE2R3SlKRrCbVg9woxP2mIJrSbrTM-JGhF-vUwgkShUofvuNnbCw_PxA5VbbmzuVu98A";
};
}
Is there a fix planned for this issue? We'd love to be able to test authentication with the emulators but this is blocking us from doing so, even with SDK version 10.24.0. I looked at #12223 and it didn't seem like it fixed this particular bug but perhaps I missed something.
@dantheli Sorry we haven't been able to prioritize this. In the meantime, please add a thumbs-up to the report above to indicate interest.
Thanks Paul! I just did some digging myself following your April 20, 2023 findings and I think the underlying issue is this:
Emulator throws the error because the client SDK sends the phone number obfuscated, but emulator expects to have a full phone number (obviously). This occurs because if it's connected to the emulator, FIRPhoneAuthProvider as mentioned above will request a verification code using the phone number that the MFA resolver returns in the auth error. The number the MFA resolver returns is obfuscated, which should be expected because the client doesn't need to know the number.
I wrote a patch that fixes this by changing the FIRPhoneAuthProvider method to use the same path during emulator as with production, but skipping the app verification call of course. This seems to work. And as far as I can tell, this is what the JS SDK does, where phone MFA verification works fine with the emulator. I've pushed it to a fork.
I just put up PR #12874. If I have some more time I'll write some tests, but would love to know if I missed something silly.
Thanks @dantheli! Please sign the CLA and address other CI issues and we can review.