react-native-firebase icon indicating copy to clipboard operation
react-native-firebase copied to clipboard

Published 20 hours ago • verified publisher icon invertase

[📚] Does this module support MFA with Firebase?

Open thertzelle opened this issue 3 years ago • 9 comments

Documentation Feedback

Firebase support MFA with any login type, I was wondering if this module supports it, its not in the documentation?

thertzelle avatar Aug 28 '20 13:08 thertzelle

MFA is a strategy, not an API. So, sure?

You can do email/password (or social auth) and then also an SMS verification. That would be MFA, yes?

mikehardy avatar Aug 28 '20 14:08 mikehardy

Just a couple months ago an update was made to Firebase to support MFA via Google Cloud Identity.

https://cloud.google.com/identity-platform/docs/web/mfa

I doubt we support that though, so you'll have to improvise

andersonaddo avatar Aug 28 '20 15:08 andersonaddo

That is - I think - basically the SMS verification, which the native SDKs and react-native-firebase handle fine

mikehardy avatar Aug 28 '20 16:08 mikehardy

Is there a way to access the multifactor object within the native SDK from react-native-firebase module ? According to the documentation it's on the user object, without it, it's not possible to enroll an device as MFA

thertzelle avatar Aug 31 '20 15:08 thertzelle

You will have to instrument the code to inspect that object and log out contents to see, it likely does if you are on up to date SDKs

I just read the doc more carefully and it looks like this is an API extension that needs wrapping here in order to expose it:

https://cloud.google.com/identity-platform/docs/web/mfa#enrolling_a_second_factor

Steps 9

Initialize a MultiFactorAssertion object with the PhoneAuthCredential:

var multiFactorAssertion = firebase.auth.PhoneMultiFactorGenerator.assertion(cred);

and 10

Complete the enrollment. Optionally, you can specify a display name for the second factor. This is useful for users with multiple second factors, since the phone number is masked during the authentication flow (for example, +1******1234).

// Complete enrollment. This will update the underlying tokens
// and trigger ID token change listener.
user.multiFactor.enroll(multiFactorAssertion, 'My personal phone number');

It exists at least on android: https://firebase.google.com/docs/reference/android/com/google/firebase/auth/MultiFactor

iOS it appears to be there as of pod version 6.20.0 https://firebase.google.com/support/release-notes/ios#version_6200_-_march_12_2020

PRs welcome!

mikehardy avatar Aug 31 '20 16:08 mikehardy

I'll see what I can do about doing a PR, thank you for your guidance!

thertzelle avatar Aug 31 '20 16:08 thertzelle

Hello 👋, to help manage issues we automatically close stale issues. This issue has been automatically marked as stale because it has not had activity for quite some time. Has this issue been fixed, or does it still require the community's attention?

This issue will be closed in 15 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Oct 04 '20 02:10 stale[bot]

Closing this issue after a prolonged period of inactivity. If this is still present in the latest release, please feel free to create a new issue with up-to-date information.

stale[bot] avatar Nov 01 '20 07:11 stale[bot]

Worth reopening I think - there is MFA information to expose on the user object I believe, an easy for PR for someone, similar to the #5019 PR

mikehardy avatar Mar 17 '21 15:03 mikehardy

Released in v11.3.0 here!

mikehardy avatar Oct 26 '22 17:10 mikehardy

Thanks @mikehardy, but if thats ok I need a clarification. I would like to do MFA and Im not holding my users data in Firebase (currently not using "@react-native-firebase/auth").
Is there a way to access the MultiFactor object via react-native-firebase and send sms to a user not signed in with Firebase?

chenop avatar Mar 07 '23 11:03 chenop

I'm not clear on whether React Native Firebase supports TOTP for second factor. Can anyone clarify?

Nantris avatar Nov 28 '23 00:11 Nantris

@Slapbox with apologies this isn't a use case of mine so I haven't explored it. I think this may be a "try it and see" 😬 - if it doesn't work, it can't be far off from working with all the multi-factor stuff in place now

mikehardy avatar Nov 29 '23 00:11 mikehardy

At least one of the necessary methods, TotpMultiFactorGenerator doesn't appear to be included in React Native Firebase, not even as a dummy function that logs a "Not implemented" warning.

The other required method, getMultiFactorResolver does appear to be implemented.

I wonder about the potential feasibility of adding that required method.

  • JS SDK: https://firebase.google.com/docs/auth/web/totp-mfa#sign_in_users_with_a_second_factor
  • Android SDK: https://firebase.google.com/docs/auth/android/totp-mfa#sign_in_users_with_a_second_factor

Edit: Added to list in #7483

Nantris avatar Dec 09 '23 20:12 Nantris