Open Durisvk opened 1 year ago
I found a few problems with this issue:
I'm looking for this method too. I don't want to implement 2 separate reCAPTCHA challenges for 2 purposes (phone authentication and my own purpose). Instead, the ability to validate the Firebase reCAPTCHA on my server side would be ideal.
Is your feature request related to a problem? Please describe.
Firebase Phone Authentication, according to what's currently available, supports the following flow:
This doesn't allow splitting the Login and Signup flows, and that is very frustrating. Our current solution is the following:
This is prone to a brute-force discovery attack. An attacker might be able to brute-force guess the phone numbers and invoke our API endpoint which checks for existing users to get all the phone numbers in our system.
To solve this we need to secure this endpoint with a reCAPTCHA.
The problem: Firebase already uses reCAPTCHA, but it's not available to us developers. We can call RecaptchaVerifier.verify(), but we cannot validate the token on the backend because the reCAPTCHA secret (required here: https://developers.google.com/recaptcha/docs/verify) is not provided to us.
Describe the solution you'd like
Either expose Firebase's internal reCAPTCHA secret to us in some way through the Firebase Dashboard or the GCP dashboard so that we can reuse it for our validation.
Or expose a method in Firebase Auth such that:
Describe alternatives you've considered
Set up a separate reCAPTCHA application at https://www.google.com/recaptcha/admin
Use a rate limiter on the endpoint that is responsible for verifying whether the user already exists.
I was also looking through the Firebase Admin dashboard and the GCP dashboard for a secret key that I could use to validate the reCAPTCHA token, but I just couldn't find it.
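What the two alternatives above look like in practice, as an added example that is not code from the issue author, from Firebase, or from this thread: the reCAPTCHA token is verified on the server against Google's siteverify endpoint (https://developers.google.com/recaptcha/docs/verify) using the secret of a reCAPTCHA site registered separately at https://www.google.com/recaptcha/admin, and the user-exists endpoint is additionally rate limited per client. Everything other than the siteverify URL and its documented request/response fields (secret, response, remoteip, success, hostname, challenge_ts, error-codes) is this example's own: the function names, the RateLimiter class, the userExistsHandler shape, the lookupUser callback, and the Node.js 18+ assumption for a global fetch.

```javascript
// Added example, not from the issue or from Firebase. Assumes Node.js 18+
// (global fetch). Names other than the documented siteverify fields are
// hypothetical.

const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// Decide whether a parsed siteverify response should be trusted. Kept pure so
// it can be exercised without network access.
function evaluateSiteverify(data, { expectedHostname, maxAgeSeconds = 120, now = Date.now } = {}) {
  if (!data || data.success !== true) {
    return { ok: false, reason: "rejected", errorCodes: (data && data["error-codes"]) || [] };
  }
  // success=true only proves a challenge was solved with your site key; check
  // it was solved on your own page rather than on a lookalike domain.
  if (expectedHostname && data.hostname !== expectedHostname) {
    return { ok: false, reason: "hostname-mismatch", hostname: data.hostname };
  }
  // Google expires tokens after two minutes, but an explicit age check keeps
  // the replay window under your control (tolerating small clock skew).
  const ageSeconds = (now() - Date.parse(data.challenge_ts)) / 1000;
  if (!Number.isFinite(ageSeconds) || ageSeconds < -30 || ageSeconds > maxAgeSeconds) {
    return { ok: false, reason: "stale-token", ageSeconds };
  }
  return { ok: true, hostname: data.hostname, ageSeconds };
}

// Submit the client-supplied token to siteverify with your own site's secret.
// fetchImpl is injectable so the call can be stubbed in tests.
async function verifyRecaptcha(token, { secret, remoteIp, fetchImpl = fetch, ...policy }) {
  if (typeof token !== "string" || token.length === 0 || token.length > 4096) {
    return { ok: false, reason: "missing-or-malformed-token" };
  }
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);
  const res = await fetchImpl(SITEVERIFY_URL, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  });
  if (!res.ok) return { ok: false, reason: `siteverify-http-${res.status}` };
  return evaluateSiteverify(await res.json(), policy);
}

// Fixed-window rate limiter keyed by a client identifier (IP, phone number, ...).
class RateLimiter {
  constructor({ limit, windowMs, now = Date.now }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.buckets = new Map(); // key -> { windowStart, count }
  }
  allow(key) {
    const t = this.now();
    const b = this.buckets.get(key);
    if (!b || t - b.windowStart >= this.windowMs) {
      this.buckets.set(key, { windowStart: t, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= this.limit;
  }
}

// Hypothetical handler for the user-exists endpoint: rate limit first (cheap,
// no outbound call), then require a fresh reCAPTCHA token, then answer.
async function userExistsHandler(
  { phone, token, remoteIp },
  { limiter, secret, expectedHostname, lookupUser, fetchImpl }
) {
  if (!limiter.allow(remoteIp)) return { status: 429, body: { error: "too-many-requests" } };
  const captcha = await verifyRecaptcha(token, { secret, remoteIp, expectedHostname, fetchImpl });
  if (!captcha.ok) return { status: 403, body: { error: "captcha-failed", reason: captcha.reason } };
  return { status: 200, body: { exists: Boolean(await lookupUser(phone)) } };
}
```

The limiter runs before the siteverify call so that an enumeration attempt is refused without spending an outbound request per guess, and the hostname and challenge_ts checks reject tokens minted on another domain or replayed after the window, which a bare success flag does not catch.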