MFA bug on unenrolling last factor when you have more than one factor enrolled.

[Albertbol]

• Operating System version: macOS Catalina v.10.15.4
• Browser version: Chrome Version 83.0.4103.106 (Official Build) (64-bit)
• Firebase SDK version: "firebase": "^7.15.1"
• Firebase Product: auth mfa

[REQUIRED] Describe the problem

When you add 1st mfa phone number, then 2nd if you try to unenroll 2nd factor, factor will be removed but you will get this error in query: https://www.googleapis.com/identitytoolkit/v3/relyingparty/getAccountInfo?key=***

{
  "error": {
    "code": 400,
    "message": "TOKEN_EXPIRED",
    "errors": [
      {
        "message": "TOKEN_EXPIRED",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

Which will log out user, what is strange is if you delete it in another sequence: add 1st factor, 2nd factor and unenroll 1st, everything will work fine...

This is very important as in production environment user cannot delete factors safely, it works only in reverse sequence delete the one you added first, if you delete the least MFA you added and you have more than 1 you will get this error.
Please help maybe i'm doing some kind of easy mistake there, pretty sure MFA is heavily tested and this sounds as a thing you couldn't miss, thanks!

Steps to reproduce:

I setted up rough project where you can reproduce this, follow through readme :
https://github.com/Albertbol/bug-mfa

[sam-gc]

Thanks for reaching out. I am able to reproduce this. Tracking internally at b/159455224

[bojeil-google]

Hey @Albertbol, currently this works as intended. Here is a simplified reason of what is going on:

1. User signs up with 2nd factor A, the token has factor A encoded.
2. User add second factor B, the token has factor B encoded.
3. User unenrolls factor B. However, the token has factor B encoded and this user has 2 factors. The user has to prove ownership of second factor A which means sign in again is required.

You can file a feature request for an improved session management solution which is something we are interested in exploring down the road. We do understand the UX downside here. However, for security reasons, we are required to follow the above behavior.

[Albertbol]

Hi @bojeil-google,

Thanks for answer,

When i follow your link i get: Component ID 458130 does not exist or you do not have access.
But basically i just want method which removes MFA to throw 'auth/requires-recent-login' error so it would be possible to relogin person with right token A.

[bbonds007]

Experiencing the exact same issue. Also hoping this gets improved, hopefully by throwing err "auth/requires-recent-login" so it can be caught and handled.

[prameshj]

Thanks for following up. I have pinged the internal tracking bug to evaluate if we can throw the "requires-recent-login" error here.

[prameshj]

Marked as closed, since the PR - #6973 exposes "auth/user-token-expired" error in mfa unenroll. This can be caught and handled with a reauthenticate.