feat(other): implement TOTP auth for Other platform

mikehardy · mikehardy · commit 3fbc43a1f1cc · 2025-08-28T21:45:40.000-05:00
diff --git a/packages/app/lib/internal/NativeFirebaseError.js b/packages/app/lib/internal/NativeFirebaseError.js
@@ -49,6 +49,18 @@ export default class NativeFirebaseError extends Error {
       value: userInfo,
     });
 
+    // Needed for MFA processing of errors on web
+    Object.defineProperty(this, 'customData', {
+      enumerable: false,
+      value: nativeError.customData || null,
+    });
+
+    // Needed for MFA processing of errors on web
+    Object.defineProperty(this, 'operationType', {
+      enumerable: false,
+      value: nativeError.operationType || null,
+    });
+
     Object.defineProperty(this, 'nativeErrorCode', {
       enumerable: false,
       value: userInfo.nativeErrorCode || null,
diff --git a/packages/auth/lib/TotpMultiFactorGenerator.js b/packages/auth/lib/TotpMultiFactorGenerator.js
@@ -15,7 +15,9 @@
  *
  */
 
+import { isOther } from '@react-native-firebase/app/lib/common';
 import { TotpSecret } from './TotpSecret';
+import { getAuth } from './modular';
 
 export default class TotpMultiFactorGenerator {
   static FACTOR_ID = 'totp';
@@ -27,6 +29,11 @@ export default class TotpMultiFactorGenerator {
   }
 
   static assertionForSignIn(uid, verificationCode) {
+    if (isOther) {
+      // we require the web native assertion when using firebase-js-sdk
+      // as it has functions used by the SDK, a shim won't do
+      return getAuth().native.assertionForSignIn(uid, verificationCode);
+    }
     return { uid, verificationCode };
   }
 
diff --git a/packages/auth/lib/getMultiFactorResolver.js b/packages/auth/lib/getMultiFactorResolver.js
@@ -1,3 +1,4 @@
+import { isOther } from '@react-native-firebase/app/lib/common';
 import MultiFactorResolver from './MultiFactorResolver.js';
 
 /**
@@ -7,6 +8,9 @@ import MultiFactorResolver from './MultiFactorResolver.js';
  * Returns null if no resolver object can be found on the error.
  */
 export function getMultiFactorResolver(auth, error) {
+  if (isOther) {
+    return auth.native.getMultiFactorResolver(error);
+  }
   if (
     error.hasOwnProperty('userInfo') &&
     error.userInfo.hasOwnProperty('resolver') &&
diff --git a/packages/auth/lib/multiFactor.js b/packages/auth/lib/multiFactor.js
@@ -36,6 +36,7 @@ export class MultiFactorUser {
     }
 
     // We need to reload the user otherwise the changes are not visible
+    // TODO reload not working on Other platform
     return reload(this._auth.currentUser);
   }
 
diff --git a/packages/auth/lib/web/RNFBAuthModule.js b/packages/auth/lib/web/RNFBAuthModule.js
@@ -8,6 +8,8 @@ import {
   sendSignInLinkToEmail,
   getAdditionalUserInfo,
   multiFactor,
+  getMultiFactorResolver,
+  TotpMultiFactorGenerator,
   createUserWithEmailAndPassword,
   signInWithEmailAndPassword,
   isSignInWithEmailLink,
@@ -70,6 +72,15 @@ function rejectPromiseWithCodeAndMessage(code, message) {
   return rejectPromise(getWebError({ code: `auth/${code}`, message }));
 }
 
+function rejectWithCodeAndMessage(code, message) {
+  return Promise.reject(
+    getWebError({
+      code,
+      message,
+    }),
+  );
+}
+
 /**
  * Returns a structured error object.
  * @param {error} error The error object.
@@ -102,7 +113,9 @@ function userToObject(user) {
     tenantId: user.tenantId !== null && user.tenantId !== '' ? user.tenantId : null,
     providerData: user.providerData.map(userInfoToObject),
     metadata: userMetadataToObject(user.metadata),
-    multiFactor: multiFactor(user).enrolledFactors.map(multiFactorInfoToObject),
+    multiFactor: {
+      enrolledFactors: multiFactor(user).enrolledFactors.map(multiFactorInfoToObject),
+    },
   };
 }
 
@@ -222,6 +235,7 @@ const instances = {};
 const authStateListeners = {};
 const idTokenListeners = {};
 const sessionMap = new Map();
+const totpSecretMap = new Map();
 let sessionId = 0;
 
 // Returns a cached Firestore instance.
@@ -441,11 +455,28 @@ export default {
    * @returns {Promise<object>} - The result of the sign in.
    */
   async signInWithEmailAndPassword(appName, email, password) {
-    return guard(async () => {
-      const auth = getCachedAuthInstance(appName);
-      const credential = await signInWithEmailAndPassword(auth, email, password);
+    // The default guard / getWebError process doesn't work well here,
+    // since it creates a new error object that is then passed through
+    // a native module proxy and gets processed again.
+    // We need lots of information from the error so that MFA will work
+    // later if needed. So we handle the error custom here.
+    // return guard(async () => {
+    try {
+      const credential = await signInWithEmailAndPassword(
+        getCachedAuthInstance(appName),
+        email,
+        password,
+      );
       return authResultToObject(credential);
-    });
+    } catch (e) {
+      e.userInfo = {
+        code: e.code.split('/')[1],
+        message: e.message,
+        customData: e.customData,
+      };
+      throw e;
+    }
+    // });
   },
 
   /**
@@ -991,6 +1022,104 @@ export default {
     });
   },
 
+  /**
+   * Get a MultiFactorResolver from the underlying SDK
+   * @param {*} _appName the name of the app to get the auth instance for
+   * @param {*} uid the uid of the TOTP MFA attempt
+   * @param {*} code the code from the user TOTP app
+   * @return TotpMultiFactorAssertion to use for resolving
+   */
+  assertionForSignIn(_appName, uid, code) {
+    return TotpMultiFactorGenerator.assertionForSignIn(uid, code);
+  },
+
+  /**
+   * Get a MultiFactorResolver from the underlying SDK
+   * @param {*} appName the name of the app to get the auth instance for
+   * @param {*} error the MFA error returned from initial factor login attempt
+   * @return MultiFactorResolver to use for verifying the second factor
+   */
+  getMultiFactorResolver(appName, error) {
+    return getMultiFactorResolver(getCachedAuthInstance(appName), error);
+  },
+
+  /**
+   * generate a TOTP secret
+   * @param {*} _appName - The name of the app to get the auth instance for.
+   * @param {*} session - The MultiFactorSession to associate with the secret
+   * @returns object with secretKey to associate with TotpSecret
+   */
+  async generateTotpSecret(_appName, session) {
+    return guard(async () => {
+      const totpSecret = await TotpMultiFactorGenerator.generateSecret(sessionMap.get(session));
+      totpSecretMap.set(totpSecret.secretKey, totpSecret);
+      return { secretKey: totpSecret.secretKey };
+    });
+  },
+
+  /**
+   * unenroll from TOTP
+   * @param {*} appName - The name of the app to get the auth instance for.
+   * @param {*} enrollmentId - The ID to associate with the enrollment
+   * @returns
+   */
+  async unenrollMultiFactor(appName, enrollmentId) {
+    return guard(async () => {
+      const auth = getCachedAuthInstance(appName);
+      if (auth.currentUser === null) {
+        return promiseNoUser(true);
+      }
+      await multiFactor(auth.currentUser).unenroll(enrollmentId);
+    });
+  },
+
+  /**
+   * finalize a TOTP enrollment
+   * @param {*} appName - The name of the app to get the auth instance for.
+   * @param {*} secretKey - The secretKey to associate native TotpSecret
+   * @param {*} verificationCode - The TOTP to verify
+   * @param {*} displayName - The name to associate as a hint
+   * @returns
+   */
+  async finalizeTotpEnrollment(appName, secretKey, verificationCode, displayName) {
+    return guard(async () => {
+      const auth = getCachedAuthInstance(appName);
+      if (auth.currentUser === null) {
+        return promiseNoUser(true);
+      }
+      const multiFactorAssertion = TotpMultiFactorGenerator.assertionForEnrollment(
+        totpSecretMap.get(secretKey),
+        verificationCode,
+      );
+      await multiFactor(auth.currentUser).enroll(multiFactorAssertion, displayName);
+    });
+  },
+
+  /**
+   * generate a TOTP QR Code URL
+   * @param {*} _appName - The name of the app to get the auth instance for.
+   * @param {*} secretKey - The secretKey to associate with the TotpSecret
+   * @param {*} accountName - The account name to use in auth app
+   * @param {*} issuer - The issuer to use in auth app
+   * @returns QR Code URL
+   */
+  generateQrCodeUrl(_appName, secretKey, accountName, issuer) {
+    return totpSecretMap.get(secretKey).generateQrCodeUrl(accountName, issuer);
+  },
+
+  /**
+   * open a QR Code URL in an app directly
+   * @param {*} appName - The name of the app to get the auth instance for.
+   * @param {*} qrCodeUrl the URL to open in the app, from generateQrCodeUrl
+   * @throws Error not supported in this environment
+   */
+  openInOtpApp() {
+    return rejectWithCodeAndMessage(
+      'unsupported',
+      'This operation is not supported in this environment.',
+    );
+  },
+
   /* ----------------------
    *  other methods
    * ---------------------- */

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,9 @@`
`15`	`15`	`*`
`16`	`16`	`*/`
`17`	`17`
	`18`	`+import { isOther } from '@react-native-firebase/app/lib/common';`
`18`	`19`	`import { TotpSecret } from './TotpSecret';`
	`20`	`+import { getAuth } from './modular';`
`19`	`21`
`20`	`22`	`export default class TotpMultiFactorGenerator {`
`21`	`23`	`static FACTOR_ID = 'totp';`
`@@ -27,6 +29,11 @@ export default class TotpMultiFactorGenerator {`
`27`	`29`	`}`
`28`	`30`
`29`	`31`	`static assertionForSignIn(uid, verificationCode) {`
	`32`	`+ if (isOther) {`
	`33`	`+ // we require the web native assertion when using firebase-js-sdk`
	`34`	`+ // as it has functions used by the SDK, a shim won't do`
	`35`	`+ return getAuth().native.assertionForSignIn(uid, verificationCode);`
	`36`	`+ }`
`30`	`37`	`return { uid, verificationCode };`
`31`	`38`	`}`
`32`	`39`
Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ export class MultiFactorUser {`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`// We need to reload the user otherwise the changes are not visible`
	`39`	`+ // TODO reload not working on Other platform`
`39`	`40`	`return reload(this._auth.currentUser);`
`40`	`41`	`}`
`41`	`42`