[FirebaseAuth] signIn(withEmail:link:completion:) doesn't work with MFA

[ir77]

[REQUIRED] Step 1: Describe your environment

• Xcode version: Version 12.4 (12D4e)
• Firebase SDK version: 7.8.1
• Installation method: CocoaPods
• Firebase Component: Auth

[REQUIRED] Step 2: Describe the problem

Steps to reproduce:

Hello. I'm an iOS developer.
We are using Firebase Auth for new app development. We use the email link authentication method. We are trying to register for multi-factor authentication by phone number after the email link authentication.

The signIn(withEmail:link:completion:) used in this email link login returns the following error when re-logging in after multi-factor registration. (It is expected that the secondFactorRequired error will be returned.)

Error Domain=FIRAuthErrorDomain Code=17999 "An internal error has occurred, print and inspect the error details for more information." UserInfo={FIRAuthErrorUserInfoNameKey=ERROR_INTERNAL_ERROR, NSLocalizedDescription=An internal error has occurred, print and inspect the error details for more information., NSUnderlyingError=0x283de8d80 {Error Domain=FIRAuthInternalErrorDomain Code=3 "(null)" UserInfo={FIRAuthErrorUserInfoDeserializedResponseKey={
    code = 400;
    message = "INVALID_GRANT_TYPE";
    status = "INVALID_ARGUMENT";
}}}}

I would like to know how to avoid this error.

I have tested it several times and found out a few things. If I disable multifactor registration in the user console of the ID platform, I can log in again. I have also confirmed that I can log in after multifactor registration using methods other than email link log-in (ex. signIn(withEmail:password:completion:) ). I have confirmed that this problem does not occur in web SDK.

reference

• https://firebase.google.com/docs/auth/ios/email-link-auth?authuser=0#completing_sign-in_in_an_ios_mobile_app
• https://cloud.google.com/identity-platform/docs/ios/mfa
• https://firebase.google.com/docs/reference/swift/firebaseauth/api/reference/Classes/Auth#signinwithemail🔗completion:

Relevant Code:

    func signIn(email: String, link: SignInLink) -> AnyPublisher<SignInResult, RepositoryError> {
        return Future<SignInResult, RepositoryError> { (promise) in
            auth.signIn(withEmail: email, link: link.rawValue) { result, error in
                if let error = error as NSError? {
                    if error.code == AuthErrorCode.secondFactorRequired.rawValue,
                       let resolver = error.userInfo[AuthErrorUserInfoMultiFactorResolverKey] as? MultiFactorResolver,
                       let multiFactorInfo = resolver.hints.first as? PhoneMultiFactorInfo {
                        promise(.success(.needVerifyingMFA(resolver: resolver, phoneMultiFactorInfo: multiFactorInfo))) // I'm expecting to get into this line.
                    } else {
                        promise(.failure(.init(firebaseAuthCommonError: error))) // But it actually goes in a line here.
                        return
                    }
                }

                guard let user = result?.user else {
                    promise(.failure(.init(SignInError.noUser)))
                    return
                }

                guard user.multiFactor.enrolledFactors.isEmpty else {
                    promise(.failure(.init(SignInError.mfaError)))
                    return
                }

                promise(.success(.needEnrollingMFA))
            }
        }
        .eraseToAnyPublisher()
    }

[rizafran]

Hi @ir77 let me check this, and I'll let you know of my findings.

[rizafran]

Hi @ir77, based on my understanding, MFA is working fine when using the other auth method, but it's not working when using the email link. Is it correct? Also, is it possible for you to share an MCVE so I could try to reproduce it on my end?

[ir77]

@rizafran

MFA is working fine when using the other auth method, but it's not working when using the email link. Is it correct?

Yes, your understanding is correct. More specific, it won't work if a user who is already connected to MFA uses the email link. If you remove the MFA setting for that user from the project settings, the email link will work.

Also, is it possible to share the MCVE so that I can reproduce it on my end?

I'm sorry, but I'm not going to be able to share the MCVE for a while. If I am ready, please let me know.

[0x0c]

I got a same issue. I added phone number as MFA and it is +1-650-555-3434 which is suggested in Firebase document (https://firebase.google.com/docs/auth/ios/phone-auth). Of course I've already tried adding my own phone number, but still not work.

My environment is as follows

• Xcode version: Version 12.5.1 (12E507)
• Firebase SDK version: 8.7.0
• Installation method: CocoaPods
• Firebase Component: Auth

[0x0c]

Here is MCVE. https://github.com/0x0c/FirebaseAuthMFASamplePublic
Please check codes in view controllers.

Notes: I removed my GoogleService-Info.plist, .entitlement file for using Associated Domain feature or Dynamic Links, and some files that contains sensitive information such as REVERSED_CLIENT_ID, AppID, and team ID of Apple Developer Program. To try this MCVE, please make new Xcode project, add files under FirebaseAuthMFASample/, R.generated.swift, and Podfile, then init CocoaPods. If someone needs help to setup the MCVE, please let me know.

[0x0c]

I found the reason of this issue.

Unfortunately, firebase-ios-sdk does not support MFA with email link sing in even if the doc mentioned it is supported (https://cloud.google.com/identity-platform/docs/ios/mfa).

If we have to use MFA, we can not get ID token when call Auth.auth().signIn(withEmail: link:). In this case, as implemented in FIRVerifyPasswordResponse, we got mfaInfo and handle an error that is generated from [FIRAuthErrorUtilssecondFactorRequiredErrorWithPendingCredential:hints:]. After handle the error, we ask verification code for user and continue MFA. However, FIREmailLinkSignInResponse doesn't store mfaInfo and also FIRAuthBackend doesn't handle the error.

This issue may solved by adding same code in [FIRVerifyPasswordResponse setWithDictionary:error:] and handle an error like [FIRAuthBackend verifyPassword:callback:] (here).

[rosalyntan]

This has been addressed in #8705 -- thanks, @0x0c!