On every call to login type phone, Firebase generates a verification id. If this function is called several times before submitting an SMS code, at the time this happens, Firebase returns all the verification ids accumulated to the onCodeSent->requestPhoneAuthVerificationCode (android) or credentialWithVerificationIDVerificationCode (iOS) one by one.
Use Case
A user enters a phone number and clicks on login. Then the user realizes the phone number is wrong, resets the form, sets a proper number, clicks on login, gets an SMS code and submit this code to verify the login.
Steps to reproduce
Enter wrong number, trigger login but do not verify it by entering SMS code.
Enter correct number, trigger login and enter SMS code.
Firebase returns a user
Either queries to Firestore return permission denied or edge where 1st user logs in (more details in Observed results).
Observed Results
It generates 2 different callbacks to requestPhoneAuthVerificationCode(android)/credentialWithVerificationIDVerificationCode(iOS). I found out 2 different outcomes so far.
After the user is logged in, Firestore rules return permission denied.
Only possible to reproduce by setting in the Firebase console 2 test phone numbers, which have the same SMS code. If phone number A and phone number B have the same SMS code, after following the steps to reproduce, phone number A will be logged in instead of B.
Expected Results
The last phone number sent to the login function should be the only one logging in.
Solution proposed
Keep track of the 'current' verificationId to verify, in a variable.
As soon as onCodeSent receives the verificationId, save the 'current' verificationId in a the variable. Each callback can now reference a snapshot of the verificationId that is being verified.
In the requestPhoneAuthVerificationCode(android)/credentialWithVerificationIDVerificationCode(iOS) function of the OnVerificationStateChangedCallbacks object that is passed to verifyPhoneNumber, check if the actual 'current' verificationId to verify is equal to the verificationId that was captured/enclosed by the callback object -- if the verificationId don't match, stop execution.
Prerequisite
Disable android timeout by setting it to 0
Context
On every call to
logintype phone, Firebase generates a verification id. If this function is called several times before submitting an SMS code, at the time this happens, Firebase returns all the verification ids accumulated to theonCodeSent->requestPhoneAuthVerificationCode(android) orcredentialWithVerificationIDVerificationCode(iOS) one by one.Use Case
A user enters a phone number and clicks on login. Then the user realizes the phone number is wrong, resets the form, sets a proper number, clicks on login, gets an SMS code and submit this code to verify the login.
Steps to reproduce
Observed Results
It generates 2 different callbacks to
requestPhoneAuthVerificationCode(android)/credentialWithVerificationIDVerificationCode(iOS). I found out 2 different outcomes so far.Expected Results
The last phone number sent to the login function should be the only one logging in.
Solution proposed
verificationIdto verify, in a variable.onCodeSentreceives theverificationId, save the 'current'verificationIdin a the variable. Each callback can now reference a snapshot of theverificationIdthat is being verified.requestPhoneAuthVerificationCode(android)/credentialWithVerificationIDVerificationCode(iOS)function of the OnVerificationStateChangedCallbacks object that is passed to verifyPhoneNumber, check if the actual 'current'verificationIdto verify is equal to theverificationIdthat was captured/enclosed by the callback object -- if theverificationIddon't match, stop execution.