Adds event ID validation to verify phone number (#263)

protocol86 · web-flow · commit b8f70da4ee43 · 2017-09-13T23:45:07.000-07:00
* Adds event ID validation to verify phone number
diff --git a/Firebase/Auth/Source/AuthProviders/Phone/FIRPhoneAuthProvider.m b/Firebase/Auth/Source/AuthProviders/Phone/FIRPhoneAuthProvider.m
@@ -153,14 +153,19 @@ - (void)verifyPhoneNumber:(NSString *)phoneNumber
         completion(nil, error);
         return;
       }
-      [self reCAPTCHAURLWithCompletion:^(NSURL *_Nullable reCAPTCHAURL,
-                                         NSError *_Nullable error) {
+      NSMutableString *eventID = [[NSMutableString alloc] init];
+      for(int i=0; i<10; i++) {
+        [eventID appendString:
+            [NSString stringWithFormat:@"%c", 'a' + arc4random_uniform('z' - 'a' + 1)]];
+      }
+      [self reCAPTCHAURLWithEventID:eventID completion:^(NSURL *_Nullable reCAPTCHAURL,
+                                                         NSError *_Nullable error) {
         if (error) {
           callBackOnMainThread(nil, error);
           return;
         }
         FIRAuthURLCallbackMatcher callbackMatcher = ^BOOL(NSURL *_Nullable callbackURL) {
-          return [self isVerifyAppURL:callbackURL];
+          return [self isVerifyAppURL:callbackURL eventID:eventID];
         };
         [_auth.authURLPresenter presentURL:reCAPTCHAURL
                                 UIDelegate:UIDelegate
@@ -275,7 +280,7 @@ - (NSString *)reCAPTCHATokenForURL:(NSURL *)URL error:(NSError **)error {
     @param URL The url to be checked against the authType string.
     @return Whether or not the URL matches authType.
  */
-- (BOOL)isVerifyAppURL:(nullable NSURL *)URL {
+- (BOOL)isVerifyAppURL:(nullable NSURL *)URL eventID:(NSString *)eventID {
   if (!URL) {
     return NO;
   }
@@ -297,7 +302,8 @@ - (BOOL)isVerifyAppURL:(nullable NSURL *)URL {
   NSURL *deeplinkURL = [NSURL URLWithString:URLQueryItems[@"deep_link_id"]];
   NSDictionary<NSString *, NSString *> *deeplinkQueryItems =
       [NSDictionary gtm_dictionaryWithHttpArgumentsString:deeplinkURL.query];
-  if ([deeplinkQueryItems[@"authType"] isEqualToString:kAuthTypeVerifyApp]) {
+  if ([deeplinkQueryItems[@"authType"] isEqualToString:kAuthTypeVerifyApp] &&
+      [deeplinkQueryItems[@"eventId"] isEqualToString:eventID]) {
     return YES;
   }
   return NO;
@@ -423,7 +429,7 @@ - (void)verifyClientWithCompletion:(FIRVerifyClientCallback)completion {
   }];
 }
 
-- (void)reCAPTCHAURLWithCompletion:(FIRReCAPTCHAURLCallBack)completion {
+- (void)reCAPTCHAURLWithEventID:(NSString *)eventID completion:(FIRReCAPTCHAURLCallBack)completion {
   [self fetchAuthDomainWithCompletion:^(NSString *_Nullable authDomain,
                                         NSError *_Nullable error) {
     if (error) {
@@ -438,7 +444,8 @@ - (void)reCAPTCHAURLWithCompletion:(FIRReCAPTCHAURLCallBack)completion {
       @"authType" : kAuthTypeVerifyApp,
       @"ibi" : bundleID ?: @"",
       @"clientId" : clienID,
-      @"v" : [FIRAuthBackend authUserAgent]
+      @"v" : [FIRAuthBackend authUserAgent],
+      @"eventId" : eventID,
     }];
     if (_auth.requestConfiguration.languageCode) {
       urlArguments[@"hl"] = _auth.requestConfiguration.languageCode;
