firebase / flutterfire

πŸ”₯ A collection of Firebase plugins for Flutter apps.
https://firebase.google.com/docs/flutter/setup
BSD 3-Clause "New" or "Revised" License
8.73k stars 3.98k forks source link

πŸ› [firebase_auth: ^4.15.3] Android ERROR_REQUIRES_RECENT_LOGIN always thrown regardless of recent sign in (TotpMultiFactorGenerator) #12087

Open kNoAPP opened 11 months ago

kNoAPP commented 11 months ago

Bug report

Describe the bug When generating a TotpMultiFactor secret, Firebase on Android throws an ERROR_REQUIRES_RECENT_LOGIN regardless of how recent the last sign in was. Web and iOS are NOT impacted by this bug and both behave correctly.

final user = FirebaseAuth.instance.currentUser!;
final session = await user.multiFactor.getSession();

// Platform exception ERROR_REQUIRES_RECENT_LOGIN thrown regardless of recent login.
TotpSecret secret = await TotpMultiFactorGenerator.generateSecret(session);

Utilizing the alternative reauthenticateWithCredential produces the same unwanted behavior:

final user = _firebaseAuth.currentUser!;
final credential = await user.reauthenticateWithCredential(EmailAuthProvider.credential(
        email: 'test@example.com', password: 'password123'));
final session = await credential.user!.multiFactor.getSession();

// Platform exception ERROR_REQUIRES_RECENT_LOGIN thrown regardless of recent login.
TotpSecret secret = await TotpMultiFactorGenerator.generateSecret(session);

Steps to reproduce

Steps to reproduce the behavior:

  1. On Android, use the sample code above.
  2. Sign into an account on your Firebase Auth instance.
  3. Wait a short period of time (maybe ~5m?). ERROR_REQUIRES_RECENT_LOGIN is not thrown initially when TotpMultiFactorGenerator.generateSecret on FIRST sign-in. Subsequent sign-ins without closing the Android app produce this bug.
  4. Notice ERROR_REQUIRES_RECENT_LOGIN is thrown. Reauthenticate either with FirebaseAuth.instance.signInWithEmailAndPassword or user.reauthenticateWithCredential.
  5. Retry TotpMultiFactorGenerator.generateSecret. Notice ERROR_REQUIRES_RECENT_LOGIN is still thrown.

Expected behavior

After the user freshly authenticates, ERROR_REQUIRES_RECENT_LOGIN should not be thrown on TotpMultiFactorGenerator.generateSecret for a short period of time. This enables sensitive operations to complete.

Sample project

Unavailable


Additional context

This issue only impacts Android. Both iOS and Web are not impacted and are functioning as expected.


Flutter doctor

Run flutter doctor and paste the output below:

Click To Expand ``` Doctor summary (to see all details, run flutter doctor -v): [√] Flutter (Channel stable, 3.16.0, on Microsoft Windows [Version 10.0.22621.2861], locale en-US) [√] Windows Version (Installed version of Windows is version 10 or higher) [√] Android toolchain - develop for Android devices (Android SDK version 34.0.0) [√] Chrome - develop for the web [√] Visual Studio - develop Windows apps (Visual Studio Build Tools 2019 16.11.29) [√] Android Studio (version 2022.3) [√] VS Code (version 1.85.1) [√] Connected device (4 available) [√] Network resources β€’ No issues found! ```

Flutter dependencies

Run flutter pub deps -- --style=compact and paste the output below:

Click To Expand ``` Dart SDK 3.2.0 Flutter SDK 3.16.0 hylist 1.0.12 dependencies: - built_value 8.8.1 [built_collection collection fixnum meta] - cloud_firestore 4.13.6 [cloud_firestore_platform_interface cloud_firestore_web collection firebase_core firebase_core_platform_interface flutter meta] - collection 1.18.0 - cupertino_icons 1.0.6 - dio 5.4.0 [async http_parser meta path] - dio_smart_retry 5.0.0 [dio http_parser path] - dotted_border 2.1.0 [flutter path_drawing] - firebase_analytics 10.7.4 [firebase_analytics_platform_interface firebase_analytics_web firebase_core firebase_core_platform_interface flutter] - firebase_app_check 0.2.1+8 [firebase_app_check_platform_interface firebase_app_check_web firebase_core firebase_core_platform_interface flutter] - firebase_auth 4.15.3 [firebase_auth_platform_interface firebase_auth_web firebase_core firebase_core_platform_interface flutter meta] - firebase_core 2.24.2 [firebase_core_platform_interface firebase_core_web flutter meta] - firebase_crashlytics 3.4.8 [firebase_core firebase_core_platform_interface firebase_crashlytics_platform_interface flutter stack_trace] - firebase_performance 0.9.3+8 [firebase_core firebase_core_platform_interface firebase_performance_platform_interface firebase_performance_web flutter] - flutter 0.0.0 [characters collection material_color_utilities meta vector_math web sky_engine] - flutter_background 1.2.0 [flutter plugin_platform_interface] - flutter_form_builder 9.1.1 [flutter intl] - flutter_hooks 0.20.3 [flutter] - flutter_localizations 0.0.0 [flutter intl characters clock collection material_color_utilities meta path vector_math web] - flutter_web_plugins 0.0.0 [flutter characters collection material_color_utilities meta vector_math web] - form_builder_validators 9.1.0 [flutter flutter_localizations intl] - freezed_annotation 2.4.1 [collection json_annotation meta] - go_router 12.1.3 [collection flutter flutter_web_plugins logging meta] - google_fonts 6.1.0 [flutter http path_provider crypto] - hooks_riverpod 2.4.9 [collection flutter flutter_hooks flutter_riverpod riverpod state_notifier] - hylist_api 1.0.0 [dio one_of one_of_serializer built_value built_collection] - intl 0.18.1 [clock meta path] - json_annotation 4.8.1 [meta] - livekit_client 1.5.3 [flutter_web_plugins flutter async collection connectivity_plus cryptography fixnum meta http logging uuid synchronized protobuf flutter_webrtc device_info_plus js platform_detect dart_webrtc sdp_transform] - permission_handler 11.1.0 [flutter meta permission_handler_android permission_handler_apple permission_handler_html permission_handler_windows permission_handler_platform_interface] - platform_detect 2.0.11 [meta pub_semver] - qr_flutter 4.1.0 [flutter qr] - reorderable_grid_view 2.2.8 [flutter] - riverpod_annotation 2.3.3 [meta riverpod] - rxdart 0.27.7 - shared_preferences 2.2.2 [flutter shared_preferences_android shared_preferences_foundation shared_preferences_linux shared_preferences_platform_interface shared_preferences_web shared_preferences_windows] - theme_tailor_annotation 2.0.2 [collection json_annotation meta] dev dependencies: - build_runner 2.4.7 [analyzer args async build build_config build_daemon build_resolvers build_runner_core code_builder collection crypto dart_style frontend_server_client glob graphs http_multi_server io js logging meta mime package_config path pool pub_semver pubspec_parse shelf shelf_web_socket stack_trace stream_transform timing watcher web_socket_channel yaml] - custom_lint 0.5.7 [analyzer analyzer_plugin args async ci cli_util collection freezed_annotation json_annotation meta package_config path pub_semver pubspec_parse rxdart uuid yaml] - flutter_launcher_icons 0.13.1 [args checked_yaml cli_util image json_annotation path yaml] - flutter_lints 2.0.3 [lints] - flutter_test 0.0.0 [flutter test_api matcher path fake_async clock stack_trace vector_math async boolean_selector characters collection material_color_utilities meta source_span stream_channel string_scanner term_glyph web] - freezed 2.4.6 [analyzer build build_config collection meta source_gen freezed_annotation json_annotation] - json_serializable 6.7.1 [analyzer async build build_config collection json_annotation meta path pub_semver pubspec_parse source_gen source_helper] - riverpod_generator 2.3.9 [analyzer build build_config collection crypto meta path riverpod_analyzer_utils riverpod_annotation source_gen] - riverpod_lint 2.3.7 [analyzer analyzer_plugin collection custom_lint_builder meta path riverpod riverpod_analyzer_utils source_span yaml] - theme_tailor 2.0.2 [analyzer build_config build collection json_annotation meta source_gen_test source_gen source_helper theme_tailor_annotation] transitive dependencies: - _fe_analyzer_shared 64.0.0 [meta] - _flutterfire_internals 1.3.16 [collection firebase_core firebase_core_platform_interface flutter meta] - analyzer 6.2.0 [_fe_analyzer_shared collection convert crypto glob meta package_config path pub_semver source_span watcher yaml] - analyzer_plugin 0.11.3 [analyzer collection dart_style pub_semver yaml] - archive 3.4.9 [crypto path pointycastle] - args 2.4.2 - async 2.11.0 [collection meta] - boolean_selector 2.1.1 [source_span string_scanner] - build 2.4.1 [analyzer async convert crypto glob logging meta package_config path] - build_config 1.1.1 [checked_yaml json_annotation path pubspec_parse yaml] - build_daemon 4.0.1 [built_collection built_value crypto http_multi_server logging path pool shelf shelf_web_socket stream_transform watcher web_socket_channel] - build_resolvers 2.4.2 [analyzer async build collection convert crypto graphs logging package_config path pool pub_semver stream_transform yaml] - build_runner_core 7.2.11 [async build build_config build_resolvers collection convert crypto glob graphs json_annotation logging meta package_config path pool timing watcher yaml] - build_test 2.2.2 [async build build_config build_resolvers crypto glob html logging matcher package_config path stream_transform test test_core watcher] - built_collection 5.1.1 - characters 1.3.0 - checked_yaml 2.0.3 [json_annotation source_span yaml] - ci 0.1.0 - cli_util 0.4.1 [meta path] - clock 1.1.1 - cloud_firestore_platform_interface 6.0.10 [_flutterfire_internals collection firebase_core flutter meta plugin_platform_interface] - cloud_firestore_web 3.8.10 [_flutterfire_internals cloud_firestore_platform_interface collection firebase_core firebase_core_web flutter flutter_web_plugins js] - code_builder 4.9.0 [built_collection built_value collection matcher meta] - connectivity_plus 5.0.2 [flutter flutter_web_plugins connectivity_plus_platform_interface js meta nm] - connectivity_plus_platform_interface 1.2.4 [flutter meta plugin_platform_interface] - convert 3.1.1 [typed_data] - coverage 1.7.2 [args logging package_config path source_maps stack_trace vm_service] - crypto 3.0.3 [typed_data] - cryptography 2.7.0 [collection crypto ffi js meta typed_data] - csslib 1.0.0 [source_span] - custom_lint_builder 0.5.7 [analyzer analyzer_plugin collection custom_lint custom_lint_core glob hotreloader meta path pubspec_parse rxdart] - custom_lint_core 0.5.7 [analyzer analyzer_plugin collection custom_lint matcher meta path pubspec_parse source_span yaml] - dart_style 2.3.4 [analyzer args collection path pub_semver source_span] - dart_webrtc 1.1.3 [collection js platform_detect webrtc_interface] - dbus 0.7.10 [args ffi meta xml] - device_info_plus 9.1.1 [device_info_plus_platform_interface ffi file flutter flutter_web_plugins meta win32 win32_registry] - device_info_plus_platform_interface 7.0.0 [flutter meta plugin_platform_interface] - fake_async 1.3.1 [clock collection] - ffi 2.1.0 - file 7.0.0 [meta path] - firebase_analytics_platform_interface 3.8.4 [_flutterfire_internals firebase_core flutter meta plugin_platform_interface] - firebase_analytics_web 0.5.5+11 [_flutterfire_internals firebase_analytics_platform_interface firebase_core firebase_core_web flutter flutter_web_plugins js] - firebase_app_check_platform_interface 0.1.0+10 [_flutterfire_internals firebase_core flutter meta plugin_platform_interface] - firebase_app_check_web 0.1.0+10 [_flutterfire_internals firebase_app_check_platform_interface firebase_core firebase_core_web flutter flutter_web_plugins js] - firebase_auth_platform_interface 7.0.9 [_flutterfire_internals collection firebase_core flutter meta plugin_platform_interface] - firebase_auth_web 5.8.12 [firebase_auth_platform_interface firebase_core firebase_core_web flutter flutter_web_plugins http_parser js meta] - firebase_core_platform_interface 5.0.0 [collection flutter flutter_test meta plugin_platform_interface] - firebase_core_web 2.10.0 [firebase_core_platform_interface flutter flutter_web_plugins js meta] - firebase_crashlytics_platform_interface 3.6.16 [_flutterfire_internals collection firebase_core flutter meta plugin_platform_interface] - firebase_performance_platform_interface 0.1.4+16 [_flutterfire_internals firebase_core flutter plugin_platform_interface] - firebase_performance_web 0.1.4+16 [_flutterfire_internals firebase_core firebase_core_web firebase_performance_platform_interface flutter flutter_web_plugins js] - fixnum 1.1.0 - flutter_riverpod 2.4.9 [collection flutter meta riverpod state_notifier] - flutter_webrtc 0.9.47 [collection dart_webrtc flutter path_provider webrtc_interface] - frontend_server_client 3.2.0 [async path] - glob 2.1.2 [async collection file path string_scanner] - graphs 2.3.1 [collection] - hotreloader 4.1.0 [collection logging path stream_transform vm_service watcher] - html 0.15.4 [csslib source_span] - http 1.1.2 [async http_parser meta web] - http_multi_server 3.2.1 [async] - http_parser 4.0.2 [collection source_span string_scanner typed_data] - image 4.1.3 [archive meta xml] - io 1.0.4 [meta path string_scanner] - js 0.6.7 [meta] - lints 2.1.1 - logging 1.2.0 - matcher 0.12.16 [async meta stack_trace term_glyph test_api] - material_color_utilities 0.5.0 [collection] - meta 1.10.0 - mime 1.0.4 - nm 0.5.0 [dbus] - node_preamble 2.0.2 - one_of 1.5.0 [collection quiver] - one_of_serializer 1.5.0 [one_of built_value] - package_config 2.1.0 [path] - path 1.8.3 - path_drawing 1.0.1 [vector_math meta path_parsing flutter] - path_parsing 1.0.1 [vector_math meta] - path_provider 2.1.1 [flutter path_provider_android path_provider_foundation path_provider_linux path_provider_platform_interface path_provider_windows] - path_provider_android 2.2.2 [flutter path_provider_platform_interface] - path_provider_foundation 2.3.1 [flutter path_provider_platform_interface] - path_provider_linux 2.2.1 [ffi flutter path path_provider_platform_interface xdg_directories] - path_provider_platform_interface 2.1.1 [flutter platform plugin_platform_interface] - path_provider_windows 2.2.1 [ffi flutter path path_provider_platform_interface win32] - permission_handler_android 12.0.1 [flutter permission_handler_platform_interface] - permission_handler_apple 9.2.0 [flutter permission_handler_platform_interface] - permission_handler_html 0.1.0+2 [flutter flutter_web_plugins permission_handler_platform_interface] - permission_handler_platform_interface 4.0.2 [flutter meta plugin_platform_interface] - permission_handler_windows 0.2.0 [flutter permission_handler_platform_interface] - petitparser 6.0.2 [meta] - platform 3.1.3 - plugin_platform_interface 2.1.7 [meta] - pointycastle 3.7.3 [collection convert js] - pool 1.5.1 [async stack_trace] - protobuf 3.1.0 [collection fixnum meta] - pub_semver 2.1.4 [collection meta] - pubspec_parse 1.2.3 [checked_yaml collection json_annotation pub_semver yaml] - qr 3.0.1 [meta] - quiver 3.2.1 [matcher] - riverpod 2.4.9 [meta stack_trace state_notifier] - riverpod_analyzer_utils 0.5.0 [analyzer collection crypto custom_lint_core freezed_annotation meta path source_span] - sdp_transform 0.3.2 - shared_preferences_android 2.2.1 [flutter shared_preferences_platform_interface] - shared_preferences_foundation 2.3.4 [flutter shared_preferences_platform_interface] - shared_preferences_linux 2.3.2 [file flutter path path_provider_linux path_provider_platform_interface shared_preferences_platform_interface] - shared_preferences_platform_interface 2.3.1 [flutter plugin_platform_interface] - shared_preferences_web 2.2.2 [flutter flutter_web_plugins shared_preferences_platform_interface web] - shared_preferences_windows 2.3.2 [file flutter path path_provider_platform_interface path_provider_windows shared_preferences_platform_interface] - shelf 1.4.1 [async collection http_parser path stack_trace stream_channel] - shelf_packages_handler 3.0.2 [path shelf shelf_static] - shelf_static 1.1.2 [convert http_parser mime path shelf] - shelf_web_socket 1.0.4 [shelf stream_channel web_socket_channel] - sky_engine 0.0.99 - source_gen 1.5.0 [analyzer async build dart_style glob path source_span yaml] - source_gen_test 1.0.6 [analyzer build build_test dart_style meta path source_gen test] - source_helper 1.3.4 [analyzer collection source_gen] - source_map_stack_trace 2.1.1 [path source_maps stack_trace] - source_maps 0.10.12 [source_span] - source_span 1.10.0 [collection path term_glyph] - sprintf 7.0.0 - stack_trace 1.11.1 [path] - state_notifier 1.0.0 [meta] - stream_channel 2.1.2 [async] - stream_transform 2.1.0 - string_scanner 1.2.0 [source_span] - synchronized 3.1.0+1 - term_glyph 1.2.1 - test 1.24.9 [analyzer async boolean_selector collection coverage http_multi_server io js matcher node_preamble package_config path pool shelf shelf_packages_handler shelf_static shelf_web_socket source_span stack_trace stream_channel test_api test_core typed_data web_socket_channel webkit_inspection_protocol yaml] - test_api 0.6.1 [async boolean_selector collection meta source_span stack_trace stream_channel string_scanner term_glyph] - test_core 0.5.9 [analyzer args async boolean_selector collection coverage frontend_server_client glob io meta package_config path pool source_map_stack_trace source_maps source_span stack_trace stream_channel test_api vm_service yaml] - timing 1.0.1 [json_annotation] - typed_data 1.3.2 [collection] - uuid 4.2.2 [crypto sprintf meta] - vector_math 2.1.4 - vm_service 13.0.0 - watcher 1.1.0 [async path] - web 0.3.0 - web_socket_channel 2.4.0 [async crypto stream_channel] - webkit_inspection_protocol 1.2.1 [logging] - webrtc_interface 1.1.2 - win32 5.1.1 [ffi] - win32_registry 1.1.2 [ffi win32] - xdg_directories 1.0.3 [meta path] - xml 6.5.0 [collection meta petitparser] - yaml 3.1.2 [collection source_span string_scanner] ```

darshankawar commented 11 months ago

Thanks for the report @kNoAPP

  • On Android, use the sample code above.
  • Sign into an account on your Firebase Auth instance.
  • Wait a short period of time (maybe ~5m?). ERROR_REQUIRES_RECENT_LOGIN is not thrown initially when TotpMultiFactorGenerator.generateSecret on FIRST sign-in. Subsequent sign-ins without closing the Android app produce this bug.
  • Notice ERROR_REQUIRES_RECENT_LOGIN is thrown. Reauthenticate either with FirebaseAuth.instance.signInWithEmailAndPassword or user.reauthenticateWithCredential

I tried following these steps using the plugin example but was unable to see the reported error.

Have you already enrolled the user with TOTP ? or without enrolling it, you get the reported error ? Can you also try the plugin example and check if using it, you get same error or not ?

kNoAPP commented 11 months ago

I will certainly give this a go and report back. Give me a few minutes.

kNoAPP commented 11 months ago

@darshankawar

Have you already enrolled the user with TOTP?

No, the user is not enrolled with TOTP. This issue occurs when enrolling on a non-recent login on Android. You must wait 5-10m, logged-in, with the app open before attempting to enroll to trigger the bug.

or without enrolling it, you get the reported error ?

The problem occurs during enrollment.

Can you also try the plugin example and check if using it, you get same error or not ?

Line 275-278 in the example app profile.dart are throwing an uncaught ERROR_REQUIRES_RECENT_LOGIN exception when waiting 5-10m on the profile page screen before clicking "Enroll TOTP." The example app does not handle the recent-login scenario, and you have to restart the app to clear the error-- which is consistent with what I'm reporting in this ticket.

https://github.com/firebase/flutterfire/blob/master/packages/firebase_auth/firebase_auth/example/lib/profile.dart#L275-L278

Demo (Full uncut, look at end of 10m video ~10:16):

https://github.com/firebase/flutterfire/assets/23529044/e1aa1687-11f1-4e17-8f20-789bfb1d5960

darshankawar commented 11 months ago

Thanks for the update @kNoAPP I tried again using the plugin example and kept it on profile screen for ~ 10 mins, tried signing out and re-signing, but was unable to replicate the error.

Based on the report and error received though, keeping it open for team's tracking.

/cc @Lyokone

kNoAPP commented 11 months ago

@darshankawar In the video, I am not signing out. I don't click on a sign out button. I am clicking "Enroll TOTP" which should display a QR code after clicking. However, it signs me out instead.

Signing back in and and trying to hit the button produces the same result. However, this shouldn't happen. A QR Code should be displayed. The reason why this happens in the demo app is because ERROR_REQUIRES_RECENT_LOGIN is thrown regardless of how recent the sign in was (on Android only). And it continues to throw through multiple recent signs ins.

Thanks for keeping this open!

Lyokone commented 10 months ago

@kNoAPP Are you using by any chance a VPN or something that could alter the IP or the identity of the device while trying this?

kNoAPP commented 10 months ago

@Lyokone Unfortunately not. I am on a regular home Fiber network. No firewall or anything either. You can verify this by checking the video above for the Android system VPN icon in the notifications bar (it looks like a key), which is not present.

Here is the same device, but with a VPN turned on. Notice that key icon appears. The same icon is not present in the prior video. https://github.com/firebase/flutterfire/assets/23529044/564896a2-af91-4b02-838a-a0c3bcf94345

liuzs0666 commented 8 months ago

+1 to this and we are using SMS multi factor. Cannot be resolved by sign out then sign in again, or reauthenticate. Seems to be Android only tho.

kNoAPP commented 3 months ago

@Lyokone Any update or progress on this bug?