feat(auth): support TOTP enroll and unenroll

Author: James Bateman

packages/auth/android/src/main/java/io/invertase/firebase/auth/ReactNativeFirebaseAuthModule.java

@@ -66,6 +66,9 @@
 import com.google.firebase.auth.PhoneMultiFactorAssertion;
 import com.google.firebase.auth.PhoneMultiFactorGenerator;
 import com.google.firebase.auth.PhoneMultiFactorInfo;
+import com.google.firebase.auth.TotpMultiFactorAssertion;
+import com.google.firebase.auth.TotpMultiFactorGenerator;
+import com.google.firebase.auth.TotpSecret;
 import com.google.firebase.auth.TwitterAuthProvider;
 import com.google.firebase.auth.UserInfo;
 import com.google.firebase.auth.UserProfileChangeRequest;
@@ -107,6 +110,7 @@ class ReactNativeFirebaseAuthModule extends ReactNativeFirebaseModule {
 
   private final HashMap<String, MultiFactorResolver> mCachedResolvers = new HashMap<>();
   private final HashMap<String, MultiFactorSession> mMultiFactorSessions = new HashMap<>();
+  private final HashMap<String, TotpSecret> mTotpSecrets = new HashMap<>();
 
   // storage for anonymous phone auth credentials, used for linkWithCredentials
   // https://github.com/invertase/react-native-firebase/issues/4911
@@ -154,6 +158,7 @@ public void invalidate() {
 
     mCachedResolvers.clear();
     mMultiFactorSessions.clear();
+    mTotpSecrets.clear();
   }
 
   @ReactMethod
@@ -1130,6 +1135,26 @@ public void getSession(final String appName, final Promise promise) {
             });
   }
 
+  @ReactMethod
+  public void unenrollMultiFactor(
+      final String appName, final String factorUID, final Promise promise) {
+    FirebaseApp firebaseApp = FirebaseApp.getInstance(appName);
+    FirebaseAuth firebaseAuth = FirebaseAuth.getInstance(firebaseApp);
+    firebaseAuth
+        .getCurrentUser()
+        .getMultiFactor()
+        .unenroll(factorUID)
+        .addOnCompleteListener(
+            task -> {
+              if (!task.isSuccessful()) {
+                rejectPromiseWithExceptionMap(promise, task.getException());
+                return;
+              }
+
+              promise.resolve(null);
+            });
+  }
+
   @ReactMethod
   public void verifyPhoneNumberWithMultiFactorInfo(
       final String appName, final String hintUid, final String sessionKey, final Promise promise) {
@@ -1280,6 +1305,42 @@ public void finalizeMultiFactorEnrollment(
             });
   }
 
+  @ReactMethod
+  public void finalizeTotpEnrollment(
+      final String appName,
+      final String totpSecret,
+      final String verificationCode,
+      @Nullable final String displayName,
+      final Promise promise) {
+
+    TotpSecret secret = mTotpSecrets.get(totpSecret);
+    if (secret == null) {
+      rejectPromiseWithCodeAndMessage(
+          promise, "invalid-multi-factor-secret", "can't find secret for provided key");
+      return;
+    }
+
+    TotpMultiFactorAssertion assertion =
+        TotpMultiFactorGenerator.getAssertionForEnrollment(secret, verificationCode);
+
+    FirebaseApp firebaseApp = FirebaseApp.getInstance(appName);
+    FirebaseAuth firebaseAuth = FirebaseAuth.getInstance(firebaseApp);
+
+    firebaseAuth
+        .getCurrentUser()
+        .getMultiFactor()
+        .enroll(assertion, displayName)
+        .addOnCompleteListener(
+            task -> {
+              if (!task.isSuccessful()) {
+                rejectPromiseWithExceptionMap(promise, task.getException());
+                return;
+              }
+
+              promise.resolve(null);
+            });
+  }
+
   /**
    * This method is intended to resolve a {@link PhoneAuthCredential} obtained through a
    * multi-factor authentication flow. A credential can either be obtained using:
@@ -1335,6 +1396,70 @@ public void resolveMultiFactorSignIn(
     resolveMultiFactorCredential(credential, session, promise);
   }
 
+  @ReactMethod
+  public void resolveTotpSignIn(
+      final String appName,
+      final String sessionKey,
+      final String uid,
+      final String oneTimePassword,
+      final Promise promise) {
+
+    final MultiFactorAssertion assertion =
+        TotpMultiFactorGenerator.getAssertionForSignIn(uid, oneTimePassword);
+
+    final MultiFactorResolver resolver = mCachedResolvers.get(sessionKey);
+    if (resolver == null) {
+      // See https://firebase.google.com/docs/reference/node/firebase.auth.multifactorresolver for
+      // the error code
+      rejectPromiseWithCodeAndMessage(
+          promise,
+          "invalid-multi-factor-session",
+          "No resolver for session found. Is the session id correct?");
+      return;
+    }
+
+    resolver
+        .resolveSignIn(assertion)
+        .addOnCompleteListener(
+            task -> {
+              if (task.isSuccessful()) {
+                AuthResult authResult = task.getResult();
+                promiseWithAuthResult(authResult, promise);
+              } else {
+                promiseRejectAuthException(promise, task.getException());
+              }
+            });
+  }
+
+  @ReactMethod
+  public void generateTotpSecret(
+      final String appName, final String sessionKey, final Promise promise) {
+
+    final MultiFactorSession session = mMultiFactorSessions.get(sessionKey);
+    if (session == null) {
+      rejectPromiseWithCodeAndMessage(
+          promise,
+          "invalid-multi-factor-session",
+          "No resolver for session found. Is the session id correct?");
+      return;
+    }
+
+    TotpMultiFactorGenerator.generateSecret(session)
+        .addOnCompleteListener(
+            task -> {
+              if (task.isSuccessful()) {
+                TotpSecret totpSecret = task.getResult();
+                String totpSecretKey = totpSecret.getSharedSecretKey();
+                mTotpSecrets.put(totpSecretKey, totpSecret);
+                WritableMap result = Arguments.createMap();
+                result.putString("secretKey", totpSecretKey);
+                promise.resolve(result);
+              } else {
+                promiseRejectAuthException(promise, task.getException());
+              }
+            });
+  }
+
   @ReactMethod
   public void confirmationResultConfirm(
       String appName, final String verificationCode, final Promise promise) {

packages/auth/ios/RNFBAuth/RNFBAuthModule.m

@@ -58,6 +58,7 @@
 #if TARGET_OS_IOS
 static __strong NSMutableDictionary<NSString *, FIRMultiFactorResolver *> *cachedResolver;
 static __strong NSMutableDictionary<NSString *, FIRMultiFactorSession *> *cachedSessions;
+static __strong NSMutableDictionary<NSString *, FIRTOTPSecret *> *cachedTotpSecrets;
 #endif
 
 @implementation RNFBAuthModule
@@ -81,6 +82,7 @@ - (id)init {
 #if TARGET_OS_IOS
     cachedResolver = [[NSMutableDictionary alloc] init];
     cachedSessions = [[NSMutableDictionary alloc] init];
+    cachedTotpSecrets = [[NSMutableDictionary alloc] init];
 #endif
   });
   return self;
@@ -110,6 +112,7 @@ - (void)invalidate {
 #if TARGET_OS_IOS
   [cachedResolver removeAllObjects];
   [cachedSessions removeAllObjects];
+  [cachedTotpSecrets removeAllObjects];
 #endif
 }
 
@@ -967,6 +970,62 @@ - (void)invalidate {
                                               }];
 }
 
+RCT_EXPORT_METHOD(resolveTotpSignIn
+                  : (FIRApp *)firebaseApp
+                  : (NSString *)sessionKey
+                  : (NSString *)uid
+                  : (NSString *)oneTimePassword
+                  : (RCTPromiseResolveBlock)resolve
+                  : (RCTPromiseRejectBlock)reject) {
+  DLog(@"using instance resolve TotpSignIn: %@", firebaseApp.name);
+
+  FIRMultiFactorAssertion *assertion =
+      [FIRTOTPMultiFactorGenerator assertionForSignInWithEnrollmentID:uid
+                                                      oneTimePassword:oneTimePassword];
+  [cachedResolver[sessionKey] resolveSignInWithAssertion:assertion
+                                              completion:^(FIRAuthDataResult *_Nullable authResult,
+                                                           NSError *_Nullable error) {
+                                                DLog(@"authError: %@", error) if (error) {
+                                                  [self promiseRejectAuthException:reject
+                                                                             error:error];
+                                                }
+                                                else {
+                                                  [self promiseWithAuthResult:resolve
+                                                                     rejecter:reject
+                                                                   authResult:authResult];
+                                                }
+                                              }];
+}
+
+RCT_EXPORT_METHOD(generateTotpSecret
+                  : (FIRApp *)firebaseApp
+                  : (NSString *)sessionKey
+                  : (RCTPromiseResolveBlock)resolve
+                  : (RCTPromiseRejectBlock)reject) {
+  DLog(@"using instance resolve generateTotpSecret: %@", firebaseApp.name);
+
+  FIRMultiFactorSession *session = cachedSessions[sessionKey];
+  DLog(@"using sessionKey: %@", sessionKey);
+  DLog(@"using session: %@", session);
+  [FIRTOTPMultiFactorGenerator
+      generateSecretWithMultiFactorSession:session
+                                completion:^(FIRTOTPSecret *_Nullable totpSecret,
+                                             NSError *_Nullable error) {
+                                  DLog(@"authError: %@", error) if (error) {
+                                    [self promiseRejectAuthException:reject error:error];
+                                  }
+                                  else {
+                                    NSString *secretKey = totpSecret.sharedSecretKey;
+                                    DLog(@"secretKey generated: %@", secretKey);
+                                    cachedTotpSecrets[secretKey] = totpSecret;
+                                    DLog(@"cachedSecret: %@", cachedTotpSecrets[secretKey]);
+                                    resolve(@{
+                                      @"secretKey" : secretKey,
+                                    });
+                                  }
+                                }];
+}
+
 RCT_EXPORT_METHOD(getSession
                   : (FIRApp *)firebaseApp
                   : (RCTPromiseResolveBlock)resolve
@@ -985,6 +1044,26 @@ - (void)invalidate {
   }];
 }
 
+RCT_EXPORT_METHOD(unenrollMultiFactor
+                  : (FIRApp *)firebaseApp
+                  : (NSString *)factorUID
+                  : (RCTPromiseResolveBlock)resolve
+                  : (RCTPromiseRejectBlock)reject) {
+  DLog(@"using instance unenrollMultiFactor: %@", firebaseApp.name);
+
+  FIRUser *user = [FIRAuth authWithApp:firebaseApp].currentUser;
+  [user.multiFactor unenrollWithFactorUID:factorUID
+                               completion:^(NSError *_Nullable error) {
+                                 if (error != nil) {
+                                   [self promiseRejectAuthException:reject error:error];
+                                   return;
+                                 }
+
+                                 resolve(nil);
+                                 return;
+                               }];
+}
+
 RCT_EXPORT_METHOD(finalizeMultiFactorEnrollment
                   : (FIRApp *)firebaseApp
                   : (NSString *)verificationId
@@ -1014,6 +1093,37 @@ - (void)invalidate {
                              }];
 }
 
+RCT_EXPORT_METHOD(finalizeTotpEnrollment
+                  : (FIRApp *)firebaseApp
+                  : (NSString *)totpSecret
+                  : (NSString *)verificationCode
+                  : (NSString *_Nullable)displayName
+                  : (RCTPromiseResolveBlock)resolve
+                  : (RCTPromiseRejectBlock)reject) {
+  DLog(@"using instance finalizeTotpEnrollment: %@", firebaseApp.name);
+
+  FIRTOTPSecret *cachedTotpSecret = cachedTotpSecrets[totpSecret];
+  DLog(@"using totpSecretKey: %@", totpSecret);
+  DLog(@"using cachedSecret: %@", cachedTotpSecret);
+  FIRTOTPMultiFactorAssertion *assertion =
+      [FIRTOTPMultiFactorGenerator assertionForEnrollmentWithSecret:cachedTotpSecret
+                                                    oneTimePassword:verificationCode];
+
+  FIRUser *user = [FIRAuth authWithApp:firebaseApp].currentUser;
+
+  [user.multiFactor enrollWithAssertion:assertion
+                            displayName:displayName
+                             completion:^(NSError *_Nullable error) {
+                               if (error != nil) {
+                                 [self promiseRejectAuthException:reject error:error];
+                                 return;
+                               }
+
+                               resolve(nil);
+                               return;
+                             }];
+}
+
 RCT_EXPORT_METHOD(verifyPhoneNumber
                   : (FIRApp *)firebaseApp
                   : (NSString *)phoneNumber
@@ -1741,12 +1851,12 @@ - (NSDictionary *)firebaseUserToDict:(FIRUser *)user {
       @"enrollmentDate" : enrollmentTime,
     } mutableCopy];
 
-    // only support phone mutli factor
     if ([hint isKindOfClass:[FIRPhoneMultiFactorInfo class]]) {
       FIRPhoneMultiFactorInfo *phoneHint = (FIRPhoneMultiFactorInfo *)hint;
       factorDict[@"phoneNumber"] = phoneHint.phoneNumber;
-      [enrolledFactors addObject:factorDict];
     }
+
+    [enrolledFactors addObject:factorDict];
   }
   return enrolledFactors;
 }

packages/auth/lib/MultiFactorResolver.js

@@ -9,7 +9,12 @@ export default class MultiFactorResolver {
   }
 
   resolveSignIn(assertion) {
-    const { token, secret } = assertion;
-    return this._auth.resolveMultiFactorSignIn(this.session, token, secret);
+    const { token, secret, uid, verificationCode } = assertion;
+
+    if (token && secret) {
+      return this._auth.resolveMultiFactorSignIn(this.session, token, secret);
+    }
+
+    return this._auth.resolveTotpSignIn(this.session, uid, verificationCode);
   }
 }

packages/auth/lib/TotpMultiFactorGenerator.js

@@ -0,0 +1,49 @@
+import { TotpSecret } from './TotpSecret';
+
+/*
+ * Copyright (c) 2016-present Invertase Limited & Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this library except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+export default class TotpMultiFactorGenerator {
+  static FACTOR_ID = 'totp';
+
+  constructor() {
+    throw new Error(
+      '`new TotpMultiFactorGenerator()` is not supported on the native Firebase SDKs.',
+    );
+  }
+
+  static assertionForSignIn(uid, verificationCode) {
+    return { uid, verificationCode };
+  }
+
+  static assertionForEnrollment(totpSecret, verificationCode) {
+    return { totpSecret: totpSecret.secretKey, verificationCode };
+  }
+
+  static async generateSecret(session, auth) {
+    if (!session) {
+      throw new Error('Session is required to generate a TOTP secret.');
+    }
+    const {
+      secretKey,
+      // Other properties are not publicly exposed in native APIs
+      // hashingAlgorithm, codeLength, codeIntervalSeconds, enrollmentCompletionDeadline
+    } = await auth.native.generateTotpSecret(session);
+
+    return new TotpSecret(secretKey);
+  }
+}