Skip to content
This repository has been archived by the owner on Apr 4, 2023. It is now read-only.

Ignore callbacks for previous phone number auth entered #1765

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

erodriguezh
Copy link

Prerequisite

Disable android timeout by setting it to 0

Context

On every call to login type phone, Firebase generates a verification id. If this function is called several times before submitting an SMS code, at the time this happens, Firebase returns all the verification ids accumulated to the onCodeSent->requestPhoneAuthVerificationCode (android) or credentialWithVerificationIDVerificationCode (iOS) one by one.

Use Case

A user enters a phone number and clicks on login. Then the user realizes the phone number is wrong, resets the form, sets a proper number, clicks on login, gets an SMS code and submit this code to verify the login.

Steps to reproduce

  1. Enter wrong number, trigger login but do not verify it by entering SMS code.
  2. Enter correct number, trigger login and enter SMS code.
  3. Firebase returns a user
  4. Either queries to Firestore return permission denied or edge where 1st user logs in (more details in Observed results).

Observed Results

It generates 2 different callbacks to requestPhoneAuthVerificationCode(android)/credentialWithVerificationIDVerificationCode(iOS). I found out 2 different outcomes so far.

  1. After the user is logged in, Firestore rules return permission denied.
  2. Only possible to reproduce by setting in the Firebase console 2 test phone numbers, which have the same SMS code. If phone number A and phone number B have the same SMS code, after following the steps to reproduce, phone number A will be logged in instead of B.

Expected Results

The last phone number sent to the login function should be the only one logging in.

Solution proposed

  1. Keep track of the 'current' verificationId to verify, in a variable.
  2. As soon as onCodeSent receives the verificationId, save the 'current' verificationId in a the variable. Each callback can now reference a snapshot of the verificationId that is being verified.
  3. In the requestPhoneAuthVerificationCode(android)/credentialWithVerificationIDVerificationCode(iOS) function of the OnVerificationStateChangedCallbacks object that is passed to verifyPhoneNumber, check if the actual 'current' verificationId to verify is equal to the verificationId that was captured/enclosed by the callback object -- if the verificationId don't match, stop execution.

Ignore all the callbacks that are associated with old verificationIds
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant