move all TOTP implementation into core/mfa/assertions.

We do not need to restrict this to platform_browser. SMS mfa is in platform_browser since it requires a recaptcha step.

Author: prameshj

packages/auth/src/mfa/assertions/totp.test.ts

@@ -19,15 +19,24 @@ import { expect, use } from 'chai';
 import chaiAsPromised from 'chai-as-promised';
 
 import { mockEndpoint } from '../../../test/helpers/api/helper';
-import { testAuth, TestAuth } from '../../../test/helpers/mock_auth';
+import { testAuth, TestAuth, testUser } from '../../../test/helpers/mock_auth';
 import * as mockFetch from '../../../test/helpers/mock_fetch';
 import { Endpoint } from '../../api';
 import { MultiFactorSessionImpl } from '../../mfa/mfa_session';
 import { StartTotpMfaEnrollmentResponse } from '../../api/account_management/mfa';
-import { TotpSecret } from '../../platform_browser/mfa/assertions/totp';
-import { TotpMultiFactorGenerator } from './totp';
-import { FactorId } from '../../model/public_types';
+import { FinalizeMfaResponse } from '../../api/authentication/mfa';
+import {
+  TotpMultiFactorAssertionImpl,
+  TotpMultiFactorGenerator,
+  TotpSecret
+} from './totp';
+import { Auth, FactorId } from '../../model/public_types';
 import { AuthErrorCode } from '../../core/errors';
+import { FirebaseApp, initializeApp } from '@firebase/app';
+import { AppName } from '../../model/auth';
+import { getAuth } from '../../platform_browser';
+import { initializeAuth } from '../../core';
+import { _castAuth } from '../../core/auth/auth_impl';
 
 use(chaiAsPromised);
 
@@ -119,3 +128,168 @@ describe('core/mfa/assertions/totp/TotpMultiFactorGenerator', () => {
     });
   });
 });
+
+describe('core/mfa/totp/assertions/TotpMultiFactorAssertionImpl', () => {
+  let auth: TestAuth;
+  let assertion: TotpMultiFactorAssertionImpl;
+  let session: MultiFactorSessionImpl;
+  let secret: TotpSecret;
+
+  const serverResponse: FinalizeMfaResponse = {
+    idToken: 'final-id-token',
+    refreshToken: 'refresh-token'
+  };
+
+  const startEnrollmentResponse: StartTotpMfaEnrollmentResponse = {
+    totpSessionInfo: {
+      sharedSecretKey: 'key123',
+      verificationCodeLength: 6,
+      hashingAlgorithm: 'SHA1',
+      periodSec: 30,
+      sessionInfo: 'verification-id',
+      finalizeEnrollmentTime: 1662586196
+    }
+  };
+
+  beforeEach(async () => {
+    mockFetch.setUp();
+    auth = await testAuth();
+    secret = TotpSecret.fromStartTotpMfaEnrollmentResponse(
+      startEnrollmentResponse,
+      auth.name
+    );
+    assertion = TotpMultiFactorAssertionImpl._fromSecret(secret, '123456');
+  });
+  afterEach(mockFetch.tearDown);
+
+  describe('enroll', () => {
+    beforeEach(() => {
+      session = MultiFactorSessionImpl._fromIdtoken(
+        'enrollment-id-token',
+        auth
+      );
+    });
+
+    it('should finalize the MFA enrollment', async () => {
+      const mock = mockEndpoint(
+        Endpoint.FINALIZE_MFA_ENROLLMENT,
+        serverResponse
+      );
+      const response = await assertion._process(auth, session);
+      expect(response).to.eql(serverResponse);
+      expect(mock.calls[0].request).to.eql({
+        idToken: 'enrollment-id-token',
+        totpVerificationInfo: {
+          verificationCode: '123456',
+          sessionInfo: 'verification-id'
+        }
+      });
+      expect(session.auth).to.eql(auth);
+    });
+
+    context('with display name', () => {
+      it('should set the display name', async () => {
+        const mock = mockEndpoint(
+          Endpoint.FINALIZE_MFA_ENROLLMENT,
+          serverResponse
+        );
+        const response = await assertion._process(
+          auth,
+          session,
+          'display-name'
+        );
+        expect(response).to.eql(serverResponse);
+        expect(mock.calls[0].request).to.eql({
+          idToken: 'enrollment-id-token',
+          displayName: 'display-name',
+          totpVerificationInfo: {
+            verificationCode: '123456',
+            sessionInfo: 'verification-id'
+          }
+        });
+        expect(session.auth).to.eql(auth);
+      });
+    });
+  });
+});
+
+describe('core/mfa/assertions/totp/TotpSecret', () => {
+  const serverResponse: StartTotpMfaEnrollmentResponse = {
+    totpSessionInfo: {
+      sharedSecretKey: 'key123',
+      verificationCodeLength: 6,
+      hashingAlgorithm: 'SHA1',
+      periodSec: 30,
+      sessionInfo: 'verification-id',
+      finalizeEnrollmentTime: 1662586196
+    }
+  };
+  const fakeAppName: AppName = 'test-app';
+  const fakeEmail: string = 'user@email';
+  const secret = TotpSecret.fromStartTotpMfaEnrollmentResponse(
+    serverResponse,
+    fakeAppName
+  );
+
+  describe('fromStartTotpMfaEnrollmentResponse', () => {
+    it('fields from the response are parsed correctly', () => {
+      expect(secret.secretKey).to.eq('key123');
+      expect(secret.codeIntervalSeconds).to.eq(30);
+      expect(secret.codeLength).to.eq(6);
+      expect(secret.hashingAlgorithm).to.eq('SHA1');
+    });
+  });
+  describe('generateQrCodeUrl', () => {
+    let app: FirebaseApp;
+    let auth: Auth;
+
+    beforeEach(async () => {
+      app = initializeApp(
+        {
+          apiKey: 'fake-key',
+          appId: 'fake-app-id',
+          authDomain: 'fake-auth-domain'
+        },
+        fakeAppName
+      );
+      auth = initializeAuth(app);
+      await auth.updateCurrentUser(
+        testUser(_castAuth(auth), 'uid', fakeEmail, true)
+      );
+    });
+
+    it('with account name and issuer provided', () => {
+      const url = secret.generateQrCodeUrl('user@myawesomeapp', 'myawesomeapp');
+      expect(url).to.eq(
+        'otpauth://totp/myawesomeapp:user@myawesomeapp?secret=key123&issuer=myawesomeapp&algorithm=SHA1&digits=6'
+      );
+    });
+    it('only accountName provided', () => {
+      const url = secret.generateQrCodeUrl('user@myawesomeapp', '');
+      const auth2 = getAuth(app);
+      console.log('Current user is ' + auth2);
+      expect(url).to.eq(
+        `otpauth://totp/${fakeAppName}:user@myawesomeapp?secret=key123&issuer=${fakeAppName}&algorithm=SHA1&digits=6`
+      );
+    });
+    it('only issuer provided', () => {
+      const url = secret.generateQrCodeUrl('', 'myawesomeapp');
+      expect(url).to.eq(
+        `otpauth://totp/myawesomeapp:${fakeEmail}?secret=key123&issuer=myawesomeapp&algorithm=SHA1&digits=6`
+      );
+    });
+    it('with defaults', () => {
+      const url = secret.generateQrCodeUrl();
+      expect(url).to.eq(
+        `otpauth://totp/${fakeAppName}:${fakeEmail}?secret=key123&issuer=${fakeAppName}&algorithm=SHA1&digits=6`
+      );
+    });
+    it('with defaults, without currentUser', async () => {
+      await auth.updateCurrentUser(null);
+      const url = secret.generateQrCodeUrl();
+      expect(url).to.eq(
+        `otpauth://totp/${fakeAppName}:unknownuser?secret=key123&issuer=${fakeAppName}&algorithm=SHA1&digits=6`
+      );
+    });
+  });
+});

packages/auth/src/mfa/assertions/totp.ts

@@ -14,19 +14,26 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-import {
-  TotpSecret,
-  TotpMultiFactorAssertionImpl
-} from '../../platform_browser/mfa/assertions/totp';
 import {
   TotpMultiFactorAssertion,
   MultiFactorSession,
   FactorId
 } from '../../model/public_types';
-import { startEnrollTotpMfa } from '../../api/account_management/mfa';
+import { AppName, AuthInternal } from '../../model/auth';
+import {
+  finalizeEnrollTotpMfa,
+  startEnrollTotpMfa,
+  StartTotpMfaEnrollmentResponse,
+  TotpVerificationInfo
+} from '../../api/account_management/mfa';
+import { FinalizeMfaResponse } from '../../api/authentication/mfa';
+import { MultiFactorAssertionImpl } from '../../mfa/mfa_assertion';
 import { MultiFactorSessionImpl } from '../mfa_session';
 import { AuthErrorCode } from '../../core/errors';
 import { _assert } from '../../core/util/assert';
+import { getApp } from '@firebase/app';
+import { getAuth } from '../../platform_browser';
+
 /**
  * Provider for generating a {@link TotpMultiFactorAssertion}.
  *
@@ -49,6 +56,7 @@ export class TotpMultiFactorGenerator {
   ): TotpMultiFactorAssertion {
     return TotpMultiFactorAssertionImpl._fromSecret(secret, oneTimePassword);
   }
+
   /**
    * Provides a {@link TotpMultiFactorAssertion} to confirm ownership of the totp second factor.
    * This assertion is used to complete signIn with TOTP as the second factor.
@@ -67,6 +75,7 @@ export class TotpMultiFactorGenerator {
       oneTimePassword
     );
   }
+
   /**
    * Returns a promise to {@link TOTPSecret} which contains the TOTP shared secret key and other parameters.
    * Creates a TOTP secret as part of enrolling a TOTP second factor.
@@ -93,8 +102,148 @@ export class TotpMultiFactorGenerator {
       mfaSession.auth!.name
     );
   }
+
   /**
    * The identifier of the TOTP second factor: `totp`.
    */
   static FACTOR_ID = FactorId.TOTP;
 }
+
+export class TotpMultiFactorAssertionImpl
+  extends MultiFactorAssertionImpl
+  implements TotpMultiFactorAssertion
+{
+  constructor(
+    readonly otp: string,
+    readonly enrollmentId?: string,
+    readonly secret?: TotpSecret
+  ) {
+    super(FactorId.TOTP);
+  }
+
+  static _fromSecret(
+    secret: TotpSecret,
+    otp: string
+  ): TotpMultiFactorAssertionImpl {
+    return new TotpMultiFactorAssertionImpl(
+      (otp = otp),
+      undefined,
+      (secret = secret)
+    );
+  }
+
+  static _fromEnrollmentId(
+    enrollmentId: string,
+    otp: string
+  ): TotpMultiFactorAssertionImpl {
+    return new TotpMultiFactorAssertionImpl(
+      (otp = otp),
+      (enrollmentId = enrollmentId)
+    );
+  }
+
+  /** @internal */
+  _finalizeEnroll(
+    auth: AuthInternal,
+    idToken: string,
+    displayName?: string | null
+  ): Promise<FinalizeMfaResponse> {
+    _assert(
+      typeof this.secret !== 'undefined',
+      auth,
+      AuthErrorCode.ARGUMENT_ERROR
+    );
+    return finalizeEnrollTotpMfa(auth, {
+      idToken,
+      displayName,
+      totpVerificationInfo: this.secret.makeTotpVerificationInfo(this.otp)
+    });
+  }
+
+  /** @internal */
+  _finalizeSignIn(
+    _auth: AuthInternal,
+    _mfaPendingCredential: string
+  ): Promise<FinalizeMfaResponse> {
+    throw new Error('method not implemented');
+  }
+}
+
+/**
+ * Provider for generating a {@link TotpMultiFactorAssertion}.
+ *
+ * Stores the shared secret key and other parameters to generate time-based OTPs.
+ * Implements methods to retrieve the shared secret key, generate a QRCode URL.
+ * @public
+ */
+export class TotpSecret {
+  /**
+   * Constructor for TotpSecret.
+   * @param secretKey - Shared secret key/seed used for enrolling in TOTP MFA and generating otps.
+   * @param hashingAlgorithm - Hashing algorithm used.
+   * @param codeLength - Length of the one-time passwords to be generated.
+   * @param codeIntervalSeconds - The interval (in seconds) when the OTP codes should change.
+   */
+  private constructor(
+    readonly secretKey: string,
+    readonly hashingAlgorithm: string,
+    readonly codeLength: number,
+    readonly codeIntervalSeconds: number,
+    // TODO(prameshj) - make this public after API review.
+    // This can be used by callers to show a countdown of when to enter OTP code by.
+    private readonly finalizeEnrollmentBy: string,
+    private readonly sessionInfo: string,
+    private readonly appName: AppName
+  ) {}
+
+  static fromStartTotpMfaEnrollmentResponse(
+    response: StartTotpMfaEnrollmentResponse,
+    appName: AppName
+  ): TotpSecret {
+    return new TotpSecret(
+      response.totpSessionInfo.sharedSecretKey,
+      response.totpSessionInfo.hashingAlgorithm,
+      response.totpSessionInfo.verificationCodeLength,
+      response.totpSessionInfo.periodSec,
+      new Date(response.totpSessionInfo.finalizeEnrollmentTime).toUTCString(),
+      response.totpSessionInfo.sessionInfo,
+      appName
+    );
+  }
+
+  makeTotpVerificationInfo(otp: string): TotpVerificationInfo {
+    return { sessionInfo: this.sessionInfo, verificationCode: otp };
+  }
+
+  /**
+   * Returns a QRCode URL as described in
+   * https://github.com/google/google-authenticator/wiki/Key-Uri-Format
+   * This can be displayed to the user as a QRCode to be scanned into a TOTP App like Google Authenticator.
+   * If the optional parameters are unspecified, an accountName of <userEmail> and issuer of <firebaseAppName> are used.
+   *
+   * @param accountName the name of the account/app along with a user identifier.
+   * @param issuer issuer of the TOTP(likely the app name).
+   * @returns A QRCode URL string.
+   */
+  generateQrCodeUrl(accountName?: string, issuer?: string): string {
+    let useDefaults = false;
+    if (_isEmptyString(accountName) || _isEmptyString(issuer)) {
+      useDefaults = true;
+    }
+    if (useDefaults) {
+      const app = getApp(this.appName);
+      const auth = getAuth(app);
+      if (_isEmptyString(accountName)) {
+        accountName = auth.currentUser?.email || 'unknownuser';
+      }
+      if (_isEmptyString(issuer)) {
+        issuer = app.name;
+      }
+    }
+    return `otpauth://totp/${issuer}:${accountName}?secret=${this.secretKey}&issuer=${issuer}&algorithm=${this.hashingAlgorithm}&digits=${this.codeLength}`;
+  }
+}
+
+function _isEmptyString(input?: string): boolean {
+  return typeof input === 'undefined' || input?.length === 0;
+}