Open Albertbol opened 4 years ago
Hey @Albertbol,
I can't reproduce the first issue. verifyBeforeUpdateEmail is working after recent login.
Regarding the second issue, you cannot sign in with a phone number when a user is enrolled with 2FA. The phone number set on user.phoneNumber is used for first factor sign-in. We don't allow sign in with a phone as a first factor (if the user is a 2FA user). So there are 2 options:
The team preference is to go with option #1. There is a good case where a user no longer owns the first factor phone number and they want to remove it. You should still be able to unlink it in that case.
I will relay this to the right folks.
Hi, thanks for the response, @bojeil-google!
Regarding the second issue, it would actually be nice to separate sign in with phone from just update + verify the phone.
I agree that sign in with phone makes no sense if a person has the same (or basically any) number as the MFA enrollment, and that's really the problem here. I actually don't allow phone "Sign in" in the application; I just basically want to update user data and add a phone number, verifying it at the same time.
In the users object we have providers, and all sign-in methods are there, as well as phone sign-in. It would be nice to separate providers from the level above, which has displayName, photoUrl and phoneNumber, and just be able to update the user's phone without touching "phone sign in". So basically, from a user perspective option #2 is better, because I get the verifying mechanism out of the box and the user body coming from Firebase that I can use. (No need to integrate other third-party solutions for phone verification SMS.)
Otherwise we are kind of wasting resources that are already in place in Firebase, limiting it to only sign-in. What do you and the community think about it?
Thanks in advance!
Basically, now if I enable MFA in my project, nobody can update their phone number anymore, even if the user does not have MFA enrolled. I think separating sign-in as a provider from just updating + verifying the phone would be a great solution for this.
@bojeil-google Hey, just wanted to ask if this will be fixed in the future?
@bojeil-google friendly reminder
Describe your environment
Operating System version: macOS Catalina v.10.15.4
Browser version: Chrome Version 83.0.4103.106 (Official Build) (64-bit)
Firebase SDK version: "firebase": "^7.15.1"
Firebase Product: auth mfa
Describe the problem
1) If the user has MFA enrolled, verifyBeforeUpdateEmail will throw: https://www.googleapis.com/identitytoolkit/v3/relyingparty/getOobConfirmationCode?key=***
But the user was just re-logged in, because the previous step throws the error 'auth/requires-recent-login', and that logic is in place.
2) updatePhoneNumber will throw this error on an MFA-enrolled user: https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPhoneNumber?key=***
3) If you have no factors enrolled and use updatePhoneNumber on number XXXXX, MFA enrollment won't let you use this factor to add MFA
Everything works perfectly fine in same project with user who has zero MFA factors enrolled.
Steps to reproduce:
Basically, create a user with an MFA factor enrolled and try the 2 methods as documented in Firebase, updatePhoneNumber and verifyBeforeUpdateEmail. Then you can try to update the phone of a user who has no MFA enrollment and try to use the same number to add MFA, to get issue number 3.