diff --git a/.changeset/hot-experts-talk.md b/.changeset/hot-experts-talk.md new file mode 100644 index 00000000000..2903ce42919 --- /dev/null +++ b/.changeset/hot-experts-talk.md @@ -0,0 +1,5 @@ +--- +'@firebase/auth': patch +--- + +Support TOTP as a multi-factor option in Firebase Auth/GCIP. diff --git a/common/api-review/auth.api.md b/common/api-review/auth.api.md index 045b64bcf19..5b147491212 100644 --- a/common/api-review/auth.api.md +++ b/common/api-review/auth.api.md @@ -361,6 +361,7 @@ export class FacebookAuthProvider extends BaseOAuthProvider { // @public export const FactorId: { readonly PHONE: "phone"; + readonly TOTP: "totp"; }; // @public @@ -745,6 +746,41 @@ export function signInWithRedirect(auth: Auth, provider: AuthProvider, resolver? // @public export function signOut(auth: Auth): Promise; +// @public +export interface TotpMultiFactorAssertion extends MultiFactorAssertion { +} + +// @public +export class TotpMultiFactorGenerator { + static assertionForEnrollment(secret: TotpSecret, oneTimePassword: string): TotpMultiFactorAssertion; + static assertionForSignIn(enrollmentId: string, oneTimePassword: string): TotpMultiFactorAssertion; + // Warning: (ae-forgotten-export) The symbol "FactorId" needs to be exported by the entry point index.d.ts + static FACTOR_ID: FactorId_2; + static generateSecret(session: MultiFactorSession): Promise; +} + +// @public +export interface TotpMultiFactorInfo extends MultiFactorInfo { +} + +// @public +export class TotpSecret { + readonly codeIntervalSeconds: number; + readonly codeLength: number; + readonly enrollmentCompletionDeadline: string; + // Warning: (ae-forgotten-export) The symbol "StartTotpMfaEnrollmentResponse" needs to be exported by the entry point index.d.ts + // + // @internal (undocumented) + static _fromStartTotpMfaEnrollmentResponse(response: StartTotpMfaEnrollmentResponse, auth: AuthInternal): TotpSecret; + generateQrCodeUrl(accountName?: string, issuer?: string): string; + readonly hashingAlgorithm: string; + // Warning: (ae-forgotten-export) The symbol "TotpVerificationInfo" needs to be exported by the entry point index.d.ts + // + // @internal (undocumented) + _makeTotpVerificationInfo(otp: string): TotpVerificationInfo; + readonly secretKey: string; + } + // @public export class TwitterAuthProvider extends BaseOAuthProvider { constructor(); diff --git a/docs-devsite/auth.md b/docs-devsite/auth.md index f0f9029c225..d3b3572df51 100644 --- a/docs-devsite/auth.md +++ b/docs-devsite/auth.md @@ -93,6 +93,8 @@ Firebase Authentication | [PhoneMultiFactorGenerator](./auth.phonemultifactorgenerator.md#phonemultifactorgenerator_class) | Provider for generating a [PhoneMultiFactorAssertion](./auth.phonemultifactorassertion.md#phonemultifactorassertion_interface). | | [RecaptchaVerifier](./auth.recaptchaverifier.md#recaptchaverifier_class) | An [reCAPTCHA](https://www.google.com/recaptcha/)-based application verifier. | | [SAMLAuthProvider](./auth.samlauthprovider.md#samlauthprovider_class) | An [AuthProvider](./auth.authprovider.md#authprovider_interface) for SAML. | +| [TotpMultiFactorGenerator](./auth.totpmultifactorgenerator.md#totpmultifactorgenerator_class) | Provider for generating a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface). | +| [TotpSecret](./auth.totpsecret.md#totpsecret_class) | Provider for generating a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface).Stores the shared secret key and other parameters to generate time-based OTPs. Implements methods to retrieve the shared secret key and generate a QR code URL. | | [TwitterAuthProvider](./auth.twitterauthprovider.md#twitterauthprovider_class) | Provider for generating an [OAuthCredential](./auth.oauthcredential.md#oauthcredential_class) for [ProviderId](./auth.md#providerid).TWITTER. | ## Interfaces @@ -130,6 +132,8 @@ Firebase Authentication | [PopupRedirectResolver](./auth.popupredirectresolver.md#popupredirectresolver_interface) | A resolver used for handling DOM specific operations like [signInWithPopup()](./auth.md#signinwithpopup) or [signInWithRedirect()](./auth.md#signinwithredirect). | | [ReactNativeAsyncStorage](./auth.reactnativeasyncstorage.md#reactnativeasyncstorage_interface) | Interface for a supplied AsyncStorage. | | [RecaptchaParameters](./auth.recaptchaparameters.md#recaptchaparameters_interface) | Interface representing reCAPTCHA parameters.See the \[reCAPTCHA docs\](https://developers.google.com/recaptcha/docs/display\#render\_param) for the list of accepted parameters. All parameters are accepted except for sitekey: Firebase Auth provisions a reCAPTCHA for each project and will configure the site key upon rendering.For an invisible reCAPTCHA, set the size key to invisible. | +| [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) | The class for asserting ownership of a TOTP second factor. Provided by [TotpMultiFactorGenerator.assertionForEnrollment()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforenrollment) and [TotpMultiFactorGenerator.assertionForSignIn()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforsignin). | +| [TotpMultiFactorInfo](./auth.totpmultifactorinfo.md#totpmultifactorinfo_interface) | The subclass of the [MultiFactorInfo](./auth.multifactorinfo.md#multifactorinfo_interface) interface for TOTP second factors. The factorId of this second factor is [FactorId](./auth.md#factorid).TOTP. | | [User](./auth.user.md#user_interface) | A user account. | | [UserCredential](./auth.usercredential.md#usercredential_interface) | A structure containing a [User](./auth.user.md#user_interface), the [OperationType](./auth.md#operationtype), and the provider ID. | | [UserInfo](./auth.userinfo.md#userinfo_interface) | User profile information, visible only to the Firebase project's apps. | @@ -1855,6 +1859,7 @@ An enum of factors that may be used for multifactor authentication. ```typescript FactorId: { readonly PHONE: "phone"; + readonly TOTP: "totp"; } ``` diff --git a/docs-devsite/auth.totpmultifactorassertion.md b/docs-devsite/auth.totpmultifactorassertion.md new file mode 100644 index 00000000000..ef4f6f34fd5 --- /dev/null +++ b/docs-devsite/auth.totpmultifactorassertion.md @@ -0,0 +1,21 @@ +Project: /docs/reference/js/_project.yaml +Book: /docs/reference/_book.yaml +page_type: reference + +{% comment %} +DO NOT EDIT THIS FILE! +This is generated by the JS SDK team, and any local changes will be +overwritten. Changes should be made in the source code at +https://github.com/firebase/firebase-js-sdk +{% endcomment %} + +# TotpMultiFactorAssertion interface +The class for asserting ownership of a TOTP second factor. Provided by [TotpMultiFactorGenerator.assertionForEnrollment()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforenrollment) and [TotpMultiFactorGenerator.assertionForSignIn()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforsignin). + +Signature: + +```typescript +export interface TotpMultiFactorAssertion extends MultiFactorAssertion +``` +Extends: [MultiFactorAssertion](./auth.multifactorassertion.md#multifactorassertion_interface) + diff --git a/docs-devsite/auth.totpmultifactorgenerator.md b/docs-devsite/auth.totpmultifactorgenerator.md new file mode 100644 index 00000000000..93b7c485f40 --- /dev/null +++ b/docs-devsite/auth.totpmultifactorgenerator.md @@ -0,0 +1,112 @@ +Project: /docs/reference/js/_project.yaml +Book: /docs/reference/_book.yaml +page_type: reference + +{% comment %} +DO NOT EDIT THIS FILE! +This is generated by the JS SDK team, and any local changes will be +overwritten. Changes should be made in the source code at +https://github.com/firebase/firebase-js-sdk +{% endcomment %} + +# TotpMultiFactorGenerator class +Provider for generating a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface). + +Signature: + +```typescript +export declare class TotpMultiFactorGenerator +``` + +## Properties + +| Property | Modifiers | Type | Description | +| --- | --- | --- | --- | +| [FACTOR\_ID](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorfactor_id) | static | FactorId | The identifier of the TOTP second factor: totp. | + +## Methods + +| Method | Modifiers | Description | +| --- | --- | --- | +| [assertionForEnrollment(secret, oneTimePassword)](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforenrollment) | static | Provides a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) to confirm ownership of the TOTP (time-based one-time password) second factor. This assertion is used to complete enrollment in TOTP second factor. | +| [assertionForSignIn(enrollmentId, oneTimePassword)](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforsignin) | static | Provides a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) to confirm ownership of the TOTP second factor. This assertion is used to complete signIn with TOTP as the second factor. | +| [generateSecret(session)](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorgeneratesecret) | static | Returns a promise to [TotpSecret](./auth.totpsecret.md#totpsecret_class) which contains the TOTP shared secret key and other parameters. Creates a TOTP secret as part of enrolling a TOTP second factor. Used for generating a QR code URL or inputting into a TOTP app. This method uses the auth instance corresponding to the user in the multiFactorSession. | + +## TotpMultiFactorGenerator.FACTOR\_ID + +The identifier of the TOTP second factor: `totp`. + +Signature: + +```typescript +static FACTOR_ID: FactorId; +``` + +## TotpMultiFactorGenerator.assertionForEnrollment() + +Provides a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) to confirm ownership of the TOTP (time-based one-time password) second factor. This assertion is used to complete enrollment in TOTP second factor. + +Signature: + +```typescript +static assertionForEnrollment(secret: TotpSecret, oneTimePassword: string): TotpMultiFactorAssertion; +``` + +### Parameters + +| Parameter | Type | Description | +| --- | --- | --- | +| secret | [TotpSecret](./auth.totpsecret.md#totpsecret_class) | A [TotpSecret](./auth.totpsecret.md#totpsecret_class) containing the shared secret key and other TOTP parameters. | +| oneTimePassword | string | One-time password from TOTP App. | + +Returns: + +[TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) + +A [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) which can be used with [MultiFactorUser.enroll()](./auth.multifactoruser.md#multifactoruserenroll). + +## TotpMultiFactorGenerator.assertionForSignIn() + +Provides a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) to confirm ownership of the TOTP second factor. This assertion is used to complete signIn with TOTP as the second factor. + +Signature: + +```typescript +static assertionForSignIn(enrollmentId: string, oneTimePassword: string): TotpMultiFactorAssertion; +``` + +### Parameters + +| Parameter | Type | Description | +| --- | --- | --- | +| enrollmentId | string | identifies the enrolled TOTP second factor. | +| oneTimePassword | string | One-time password from TOTP App. | + +Returns: + +[TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) + +A [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) which can be used with [MultiFactorResolver.resolveSignIn()](./auth.multifactorresolver.md#multifactorresolverresolvesignin). + +## TotpMultiFactorGenerator.generateSecret() + +Returns a promise to [TotpSecret](./auth.totpsecret.md#totpsecret_class) which contains the TOTP shared secret key and other parameters. Creates a TOTP secret as part of enrolling a TOTP second factor. Used for generating a QR code URL or inputting into a TOTP app. This method uses the auth instance corresponding to the user in the multiFactorSession. + +Signature: + +```typescript +static generateSecret(session: MultiFactorSession): Promise; +``` + +### Parameters + +| Parameter | Type | Description | +| --- | --- | --- | +| session | [MultiFactorSession](./auth.multifactorsession.md#multifactorsession_interface) | The [MultiFactorSession](./auth.multifactorsession.md#multifactorsession_interface) that the user is part of. | + +Returns: + +Promise<[TotpSecret](./auth.totpsecret.md#totpsecret_class)> + +A promise to [TotpSecret](./auth.totpsecret.md#totpsecret_class). + diff --git a/docs-devsite/auth.totpmultifactorinfo.md b/docs-devsite/auth.totpmultifactorinfo.md new file mode 100644 index 00000000000..116474ec850 --- /dev/null +++ b/docs-devsite/auth.totpmultifactorinfo.md @@ -0,0 +1,21 @@ +Project: /docs/reference/js/_project.yaml +Book: /docs/reference/_book.yaml +page_type: reference + +{% comment %} +DO NOT EDIT THIS FILE! +This is generated by the JS SDK team, and any local changes will be +overwritten. Changes should be made in the source code at +https://github.com/firebase/firebase-js-sdk +{% endcomment %} + +# TotpMultiFactorInfo interface +The subclass of the [MultiFactorInfo](./auth.multifactorinfo.md#multifactorinfo_interface) interface for TOTP second factors. The `factorId` of this second factor is [FactorId](./auth.md#factorid).TOTP. + +Signature: + +```typescript +export interface TotpMultiFactorInfo extends MultiFactorInfo +``` +Extends: [MultiFactorInfo](./auth.multifactorinfo.md#multifactorinfo_interface) + diff --git a/docs-devsite/auth.totpsecret.md b/docs-devsite/auth.totpsecret.md new file mode 100644 index 00000000000..8e040735b2d --- /dev/null +++ b/docs-devsite/auth.totpsecret.md @@ -0,0 +1,111 @@ +Project: /docs/reference/js/_project.yaml +Book: /docs/reference/_book.yaml +page_type: reference + +{% comment %} +DO NOT EDIT THIS FILE! +This is generated by the JS SDK team, and any local changes will be +overwritten. Changes should be made in the source code at +https://github.com/firebase/firebase-js-sdk +{% endcomment %} + +# TotpSecret class +Provider for generating a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface). + +Stores the shared secret key and other parameters to generate time-based OTPs. Implements methods to retrieve the shared secret key and generate a QR code URL. + +Signature: + +```typescript +export declare class TotpSecret +``` + +## Properties + +| Property | Modifiers | Type | Description | +| --- | --- | --- | --- | +| [codeIntervalSeconds](./auth.totpsecret.md#totpsecretcodeintervalseconds) | | number | The interval (in seconds) when the OTP codes should change. | +| [codeLength](./auth.totpsecret.md#totpsecretcodelength) | | number | Length of the one-time passwords to be generated. | +| [enrollmentCompletionDeadline](./auth.totpsecret.md#totpsecretenrollmentcompletiondeadline) | | string | The timestamp (UTC string) by which TOTP enrollment should be completed. | +| [hashingAlgorithm](./auth.totpsecret.md#totpsecrethashingalgorithm) | | string | Hashing algorithm used. | +| [secretKey](./auth.totpsecret.md#totpsecretsecretkey) | | string | Shared secret key/seed used for enrolling in TOTP MFA and generating OTPs. | + +## Methods + +| Method | Modifiers | Description | +| --- | --- | --- | +| [generateQrCodeUrl(accountName, issuer)](./auth.totpsecret.md#totpsecretgenerateqrcodeurl) | | Returns a QR code URL as described in https://github.com/google/google-authenticator/wiki/Key-Uri-Format This can be displayed to the user as a QR code to be scanned into a TOTP app like Google Authenticator. If the optional parameters are unspecified, an accountName of and issuer of are used. | + +## TotpSecret.codeIntervalSeconds + +The interval (in seconds) when the OTP codes should change. + +Signature: + +```typescript +readonly codeIntervalSeconds: number; +``` + +## TotpSecret.codeLength + +Length of the one-time passwords to be generated. + +Signature: + +```typescript +readonly codeLength: number; +``` + +## TotpSecret.enrollmentCompletionDeadline + +The timestamp (UTC string) by which TOTP enrollment should be completed. + +Signature: + +```typescript +readonly enrollmentCompletionDeadline: string; +``` + +## TotpSecret.hashingAlgorithm + +Hashing algorithm used. + +Signature: + +```typescript +readonly hashingAlgorithm: string; +``` + +## TotpSecret.secretKey + +Shared secret key/seed used for enrolling in TOTP MFA and generating OTPs. + +Signature: + +```typescript +readonly secretKey: string; +``` + +## TotpSecret.generateQrCodeUrl() + +Returns a QR code URL as described in https://github.com/google/google-authenticator/wiki/Key-Uri-Format This can be displayed to the user as a QR code to be scanned into a TOTP app like Google Authenticator. If the optional parameters are unspecified, an accountName of and issuer of are used. + +Signature: + +```typescript +generateQrCodeUrl(accountName?: string, issuer?: string): string; +``` + +### Parameters + +| Parameter | Type | Description | +| --- | --- | --- | +| accountName | string | the name of the account/app along with a user identifier. | +| issuer | string | issuer of the TOTP (likely the app name). | + +Returns: + +string + +A QR code URL string. + diff --git a/packages/auth/README.md b/packages/auth/README.md index 0592fa595a7..ad8ca35d5eb 100644 --- a/packages/auth/README.md +++ b/packages/auth/README.md @@ -17,6 +17,7 @@ host of npm scripts to run these tests. The most important commands are: | `yarn test::unit:debug` | Runs \ unit tests, auto-watching for file system changes | | `yarn test::integration` | Runs only integration tests against the live environment | | `yarn test::integration:local` | Runs all headless \ integration tests against the emulator (more below) | +| `yarn test:browser:integration:prodbackend` | Runs TOTP MFA integration tests against the backend (more below) | Where \ is "browser" or "node". There are also cordova tests, but they are not broken into such granular details. Check out `package.json` for more. @@ -46,6 +47,25 @@ you would simply execute the following command: firebase emulators:exec --project foo-bar --only auth "yarn test:integration:local" ``` +### Integration testing with the production backend + +Currently, MFA TOTP tests only run against the production backend (since they are not supported on the emulator yet). +Running against the backend also makes it a more reliable end-to-end test. + +The TOTP tests require the following email/password combination to exist in the project, so if you are running this test against your test project, please create this user: + +'totpuser-donotdelete@test.com', 'password' + +You also need to verify this email address, in order to use MFA. This can be done with a curl command like this: + +``` +curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" -H "X-Goog-User-Project: ${PROJECT_ID}" -X POST https://identitytoolkit.googleapis.com/v1/accounts:sendOobCode -d '{ + "email": "totpuser-donotdelete@test.com", + "requestType": "VERIFY_EMAIL", + "returnOobLink": true, + }' +``` + ### Selenium Webdriver tests These tests assume that you have both Firefox and Chrome installed on your diff --git a/packages/auth/demo/README.md b/packages/auth/demo/README.md index beb5a800bc5..f29127ab074 100644 --- a/packages/auth/demo/README.md +++ b/packages/auth/demo/README.md @@ -45,12 +45,21 @@ in the `config.js` file. Before deploying, you may need to build the auth package: ```bash +cd auth/demo yarn yarn build:deps ``` This can take some time, and you only need to do it if you've modified the auth package. +You can optionally clear the cache and rebuild using: + +```bash +cd auth/demo +rm -rf node_modules yarn.lock +yarn build:deps +``` + To run the app locally, simply issue the following command in the `auth/demo` directory: ```bash diff --git a/packages/auth/demo/public/index.html b/packages/auth/demo/public/index.html index 624b6e3c0e7..d098860f216 100644 --- a/packages/auth/demo/public/index.html +++ b/packages/auth/demo/public/index.html @@ -229,6 +229,18 @@ + +
Set Tenant
+
+ + +
+
Sign Up
@@ -487,6 +499,12 @@ Phone +
  • + + TOTP + +
    • @@ -504,7 +522,27 @@ class="form-control" placeholder="Display Name" /> + + +
    +
    +
    + +
    + + + +
    + + +
    @@ -733,6 +771,17 @@

    Select a second factor to sign in with

    + +
    diff --git a/packages/auth/demo/public/style.css b/packages/auth/demo/public/style.css index cdd999f8e8b..1a7554ae618 100644 --- a/packages/auth/demo/public/style.css +++ b/packages/auth/demo/public/style.css @@ -177,6 +177,23 @@ input + .form, margin-right: 10px; } +.totp-text { + font-family: 'Courier New', Courier; +} + +.totp-deadline { + font-family: 'Courier New', Courier; + color: #d9534f; +} + +.totp-qr-image { + height: 120px; + margin-right: 10px; + border: 1px solid #ddd; + border-radius: 4px; + width: 120px; +} + .profile-email-not-verified { color: #d9534f; } diff --git a/packages/auth/demo/src/index.js b/packages/auth/demo/src/index.js index 8b924a57079..5159d1169d7 100644 --- a/packages/auth/demo/src/index.js +++ b/packages/auth/demo/src/index.js @@ -49,6 +49,8 @@ import { signInWithCredential, signInWithCustomToken, signInWithEmailAndPassword, + TotpMultiFactorGenerator, + TotpSecret, unlink, updateEmail, updatePassword, @@ -97,6 +99,8 @@ let multiFactorErrorResolver = null; let selectedMultiFactorHint = null; let recaptchaSize = 'normal'; let webWorker = null; +let totpSecret = null; +let totpDeadlineId = null; // The corresponding Font Awesome icons for each provider. const providersIcons = { @@ -318,7 +322,14 @@ function onUseDeviceLanguage() { $('#language-code').val(auth.languageCode); alertSuccess('Using device language "' + auth.languageCode + '".'); } - +/** + * Set tenant id for the firebase project. + */ +function onSetTenantIdClick(_event) { + const tenantId = $('#set-tenant').val(); + auth.tenantId = tenantId === '' ? null : tenantId; + alertSuccess('Tenant Id : ' + auth.tenantId); +} /** * Changes the Auth state persistence to the specified one. */ @@ -687,6 +698,80 @@ function onFinalizeEnrollWithPhoneMultiFactor() { }, onAuthError); } +async function onStartEnrollWithTotpMultiFactor() { + console.log('Starting TOTP enrollment!'); + if (!activeUser()) { + alertError('No active user found.'); + return; + } + try { + multiFactorSession = await multiFactor(activeUser()).getSession(); + totpSecret = await TotpMultiFactorGenerator.generateSecret( + multiFactorSession + ); + const url = totpSecret.generateQrCodeUrl('test', 'testissuer'); + console.log('TOTP URL is ' + url); + console.log( + 'Finalize sign in by ' + totpSecret.enrollmentCompletionDeadline + ); + // display the numbr of seconds left to enroll. + $('p.totp-deadline').show(); + totpDeadlineId = setInterval(function () { + var deadline = new Date(totpSecret.enrollmentCompletionDeadline); + var t = deadline - new Date().getTime(); + if (t < 0) { + clearInterval(totpDeadlineId); + document.getElementById('totp-deadline').innerText = + 'TOTP enrollment expired!'; + } else { + var minutes = Math.floor(t / (1000 * 60)); + var seconds = Math.floor((t % (60 * 1000)) / 1000); + // accessing the field using $ does not work here. + document.getElementById( + 'totp-deadline' + ).innerText = `Time left - ${minutes} minutes, ${seconds} seconds.`; + } + }, 1000); + // Use the QRServer API documented at https://goqr.me/api/doc/ + const qrCodeUrl = `https://api.qrserver.com/v1/create-qr-code/?data=${url}&size=30x30`; + $('img.totp-qr-image').attr('src', qrCodeUrl).show(); + $('p.totp-text').show(); + } catch (e) { + onAuthError(e); + } +} + +async function onFinalizeEnrollWithTotpMultiFactor() { + const verificationCode = $('#enroll-mfa-totp-verification-code').val(); + if (!activeUser() || !totpSecret || !verificationCode) { + alertError(' Missing active user OR TOTP secret OR verification code.'); + return; + } + + const multiFactorAssertion = TotpMultiFactorGenerator.assertionForEnrollment( + totpSecret, + verificationCode + ); + const displayName = $('#enroll-mfa-totp-display-name').val() || undefined; + + try { + await multiFactor(activeUser()).enroll(multiFactorAssertion, displayName); + refreshUserData(); + clearTOTPUIState(); + alertSuccess('TOTP MFA enrolled!'); + } catch (e) { + onAuthError(e); + } +} + +function clearTOTPUIState() { + $('p.totp-deadline').hide(); + $('img.totp-qr-image').hide(); + $('p.totp-text').hide(); + $('enroll-mfa-totp-verification-code').hide(); + $('enroll-mfa-totp-display-name').hide(); + clearInterval(totpDeadlineId); +} /** * Signs in or links a provider's credential, based on current tab opened. * @param {!AuthCredential} credential The provider's credential. @@ -1056,6 +1141,7 @@ function handleMultiFactorSignIn(resolver) { ); // Hide phone form (other second factor types could be supported). $('#multi-factor-phone').addClass('hidden'); + $('#multi-factor-totp').addClass('hidden'); // Show second factor recovery dialog. $('#multiFactorModal').modal(); } @@ -1122,6 +1208,7 @@ function onSelectMultiFactorHint(index) { // Hide all forms for handling each type of second factors. // Currently only phone is supported. $('#multi-factor-phone').addClass('hidden'); + $('#multi-factor-totp').addClass('hidden'); if ( !multiFactorErrorResolver || typeof multiFactorErrorResolver.hints[index] === 'undefined' @@ -1141,6 +1228,14 @@ function onSelectMultiFactorHint(index) { // Clear all input. $('#multi-factor-sign-in-verification-id').val(''); $('#multi-factor-sign-in-verification-code').val(''); + } else if (multiFactorErrorResolver.hints[index].factorId === 'totp') { + // Save selected second factor. + selectedMultiFactorHint = multiFactorErrorResolver.hints[index]; + + // Show sign-in with totp second factor menu. + $('#multi-factor-totp').removeClass('hidden'); + // Clear all input. + $('#multi-factor-totp-sign-in-verification-code').val(''); } else { // 2nd factor not found or not supported by app. alertError('Selected 2nd factor is not supported!'); @@ -1195,6 +1290,28 @@ function onFinalizeSignInWithPhoneMultiFactor(event) { }, onAuthError); } +/** + * Completes sign-in with the 2nd factor totp assertion. + * @param {!jQuery.Event} event The jQuery event object. + */ +function onFinalizeSignInWithTotpMultiFactor(event) { + event.preventDefault(); + // Make sure a second factor is selected. + const otp = $('#multi-factor-totp-sign-in-verification-code').val(); + if (!otp || !selectedMultiFactorHint || !multiFactorErrorResolver) { + return; + } + + const assertion = TotpMultiFactorGenerator.assertionForSignIn( + selectedMultiFactorHint.uid, + otp + ); + multiFactorErrorResolver.resolveSignIn(assertion).then(userCredential => { + onAuthUserCredentialSuccess(userCredential); + $('#multiFactorModal').modal('hide'); + }, onAuthError); +} + /** * Adds a new row to insert an OAuth custom parameter key/value pair. * @param {!jQuery.Event} _event The jQuery event object. @@ -1326,7 +1443,6 @@ function signInWithPopupRedirect(provider) { customParameters[key] = value; } }); - console.log('customParameters: ', customParameters); // For older jscore versions that do not support this. if (provider.setCustomParameters) { // Set custom parameters on current provider. @@ -1999,12 +2115,24 @@ function initApp() { $('#sign-in-with-phone-multi-factor').click( onFinalizeSignInWithPhoneMultiFactor ); + + // Completes multi-factor sign-in with supplied OTP(One-Time Password). + $('#sign-in-with-totp-multi-factor').click( + onFinalizeSignInWithTotpMultiFactor + ); + // Starts multi-factor enrollment with phone number. $('#enroll-mfa-verify-phone-number').click(onStartEnrollWithPhoneMultiFactor); // Completes multi-factor enrollment with supplied SMS code. $('#enroll-mfa-confirm-phone-verification').click( onFinalizeEnrollWithPhoneMultiFactor ); + // Starts multi-factor enrollment with TOTP. + $('#enroll-mfa-totp-start').click(onStartEnrollWithTotpMultiFactor); + // Completes multi-factor enrollment with supplied OTP(One-Time Password). + $('#enroll-mfa-totp-finalize').click(onFinalizeEnrollWithTotpMultiFactor); + // Sets tenant for the current auth instance + $('#set-tenant-btn').click(onSetTenantIdClick); } $(initApp); diff --git a/packages/auth/index.ts b/packages/auth/index.ts index 6e0338435d1..6ed92b361ac 100644 --- a/packages/auth/index.ts +++ b/packages/auth/index.ts @@ -73,6 +73,10 @@ import { browserPopupRedirectResolver } from './src/platform_browser/popup_redir // MFA import { PhoneMultiFactorGenerator } from './src/platform_browser/mfa/assertions/phone'; +import { + TotpMultiFactorGenerator, + TotpSecret +} from './src/mfa/assertions/totp'; // Initialization and registration of Auth import { getAuth } from './src/platform_browser'; @@ -96,5 +100,7 @@ export { RecaptchaVerifier, browserPopupRedirectResolver, PhoneMultiFactorGenerator, + TotpMultiFactorGenerator, + TotpSecret, getAuth }; diff --git a/packages/auth/karma.conf.js b/packages/auth/karma.conf.js index 8c4bcba24d2..4f82e4ab5a7 100644 --- a/packages/auth/karma.conf.js +++ b/packages/auth/karma.conf.js @@ -37,6 +37,9 @@ function getTestFiles(argv) { if (argv.unit) { return ['src/**/*.test.ts', 'test/helpers/**/*.test.ts']; } else if (argv.integration) { + if (argv.prodbackend) { + return ['test/integration/flows/totp.test.ts']; + } return argv.local ? ['test/integration/flows/*.test.ts'] : ['test/integration/flows/*!(local).test.ts']; diff --git a/packages/auth/package.json b/packages/auth/package.json index 9eac3e524b4..fd02e002634 100644 --- a/packages/auth/package.json +++ b/packages/auth/package.json @@ -84,7 +84,7 @@ "build:scripts": "tsc -moduleResolution node --module commonjs scripts/*.ts && ls scripts/*.js | xargs -I % sh -c 'terser % -o %'", "dev": "rollup -c -w", "test": "run-p lint test:all", - "test:all": "run-p test:browser:unit test:node:unit test:integration", + "test:all": "run-p test:browser:unit test:node:unit test:integration test:browser:integration:prodbackend", "test:integration": "firebase emulators:exec --project emulatedproject --only auth \"run-s test:browser:integration:local test:node:integration:local test:webdriver\"", "test:ci": "node ../../scripts/run_tests_in_ci.js -s test:all", "test:integration:local": "run-s test:node:integration:local test:browser:integration:local test:webdriver", @@ -92,6 +92,7 @@ "test:browser:unit": "karma start --single-run --unit", "test:browser:integration": "karma start --single-run --integration", "test:browser:integration:local": "karma start --single-run --integration --local", + "test:browser:integration:prodbackend": "karma start --single-run --integration --prodbackend", "test:browser:debug": "karma start --auto-watch", "test:browser:unit:debug": "karma start --auto-watch --unit", "test:cordova": "karma start --single-run --cordova", @@ -127,7 +128,8 @@ "rollup-plugin-typescript2": "0.31.2", "selenium-webdriver": "4.8.0", "typescript": "4.7.4", - "@types/express": "4.17.17" + "@types/express": "4.17.17", + "totp-generator": "0.0.14" }, "repository": { "directory": "packages/auth", diff --git a/packages/auth/src/api/account_management/mfa.test.ts b/packages/auth/src/api/account_management/mfa.test.ts index 83eda69416a..9f036471087 100644 --- a/packages/auth/src/api/account_management/mfa.test.ts +++ b/packages/auth/src/api/account_management/mfa.test.ts @@ -27,7 +27,9 @@ import * as mockFetch from '../../../test/helpers/mock_fetch'; import { ServerError } from '../errors'; import { finalizeEnrollPhoneMfa, + finalizeEnrollTotpMfa, startEnrollPhoneMfa, + startEnrollTotpMfa, withdrawMfa } from './mfa'; @@ -89,7 +91,7 @@ describe('api/account_management/startEnrollPhoneMfa', () => { await expect(startEnrollPhoneMfa(auth, request)).to.be.rejectedWith( FirebaseError, - "Firebase: This user's credential isn't valid for this project. This can happen if the user's token has been tampered with, or if the user isn't for the project associated with this API key. (auth/invalid-user-token)." + 'auth/invalid-user-token' ); expect(mock.calls[0].request).to.eql(request); }); @@ -152,6 +154,139 @@ describe('api/account_management/finalizeEnrollPhoneMfa', () => { ); await expect(finalizeEnrollPhoneMfa(auth, request)).to.be.rejectedWith( + FirebaseError, + 'auth/invalid-verification-id' + ); + expect(mock.calls[0].request).to.eql(request); + }); +}); + +describe('api/account_management/startEnrollTotpMfa', () => { + const request = { + idToken: 'id-token', + totpEnrollmentInfo: {} + }; + + let auth: TestAuth; + + beforeEach(async () => { + auth = await testAuth(); + mockFetch.setUp(); + }); + + afterEach(mockFetch.tearDown); + + it('should POST to the correct endpoint', async () => { + const currentTime = new Date().toISOString(); + const mock = mockEndpoint(Endpoint.START_MFA_ENROLLMENT, { + totpSessionInfo: { + sharedSecretKey: 'key123', + verificationCodeLength: 6, + hashingAlgorithm: 'SHA256', + periodSec: 30, + sessionInfo: 'session-info', + finalizeEnrollmentTime: currentTime + } + }); + + const response = await startEnrollTotpMfa(auth, request); + expect(response.totpSessionInfo.sharedSecretKey).to.eq('key123'); + expect(response.totpSessionInfo.verificationCodeLength).to.eq(6); + expect(response.totpSessionInfo.hashingAlgorithm).to.eq('SHA256'); + expect(response.totpSessionInfo.periodSec).to.eq(30); + expect(response.totpSessionInfo.sessionInfo).to.eq('session-info'); + expect(response.totpSessionInfo.finalizeEnrollmentTime).to.eq(currentTime); + expect(mock.calls[0].request).to.eql(request); + expect(mock.calls[0].method).to.eq('POST'); + expect(mock.calls[0].headers!.get(HttpHeader.CONTENT_TYPE)).to.eq( + 'application/json' + ); + expect(mock.calls[0].headers!.get(HttpHeader.X_CLIENT_VERSION)).to.eq( + 'testSDK/0.0.0' + ); + }); + + it('should handle errors', async () => { + const mock = mockEndpoint( + Endpoint.START_MFA_ENROLLMENT, + { + error: { + code: 400, + message: ServerError.INVALID_ID_TOKEN, + errors: [ + { + message: ServerError.INVALID_ID_TOKEN + } + ] + } + }, + 400 + ); + + await expect(startEnrollTotpMfa(auth, request)).to.be.rejectedWith( + FirebaseError, + 'auth/invalid-user-token' + ); + expect(mock.calls[0].request).to.eql(request); + }); +}); + +describe('api/account_management/finalizeEnrollTotpMfa', () => { + const request = { + idToken: 'id-token', + displayName: 'my-otp-app', + totpVerificationInfo: { + sessionInfo: 'session-info', + verificationCode: 'code' + } + }; + + let auth: TestAuth; + + beforeEach(async () => { + auth = await testAuth(); + mockFetch.setUp(); + }); + + afterEach(mockFetch.tearDown); + + it('should POST to the correct endpoint', async () => { + const mock = mockEndpoint(Endpoint.FINALIZE_MFA_ENROLLMENT, { + idToken: 'id-token', + refreshToken: 'refresh-token' + }); + + const response = await finalizeEnrollTotpMfa(auth, request); + expect(response.idToken).to.eq('id-token'); + expect(response.refreshToken).to.eq('refresh-token'); + expect(mock.calls[0].request).to.eql(request); + expect(mock.calls[0].method).to.eq('POST'); + expect(mock.calls[0].headers!.get(HttpHeader.CONTENT_TYPE)).to.eq( + 'application/json' + ); + expect(mock.calls[0].headers!.get(HttpHeader.X_CLIENT_VERSION)).to.eq( + 'testSDK/0.0.0' + ); + }); + + it('should handle errors', async () => { + const mock = mockEndpoint( + Endpoint.FINALIZE_MFA_ENROLLMENT, + { + error: { + code: 400, + message: ServerError.INVALID_SESSION_INFO, + errors: [ + { + message: ServerError.INVALID_SESSION_INFO + } + ] + } + }, + 400 + ); + + await expect(finalizeEnrollTotpMfa(auth, request)).to.be.rejectedWith( FirebaseError, 'Firebase: The verification ID used to create the phone auth credential is invalid. (auth/invalid-verification-id).' ); diff --git a/packages/auth/src/api/account_management/mfa.ts b/packages/auth/src/api/account_management/mfa.ts index a30a363a832..db9a4120d3d 100644 --- a/packages/auth/src/api/account_management/mfa.ts +++ b/packages/auth/src/api/account_management/mfa.ts @@ -26,7 +26,7 @@ import { FinalizeMfaResponse } from '../authentication/mfa'; import { AuthInternal } from '../../model/auth'; /** - * MFA Info as returned by the API + * MFA Info as returned by the API. */ interface BaseMfaEnrollment { mfaEnrollmentId: string; @@ -35,16 +35,21 @@ interface BaseMfaEnrollment { } /** - * An MFA provided by SMS verification + * An MFA provided by SMS verification. */ export interface PhoneMfaEnrollment extends BaseMfaEnrollment { phoneInfo: string; } /** - * MfaEnrollment can be any subtype of BaseMfaEnrollment, currently only PhoneMfaEnrollment is supported + * An MFA provided by TOTP (Time-based One Time Password). */ -export type MfaEnrollment = PhoneMfaEnrollment; +export interface TotpMfaEnrollment extends BaseMfaEnrollment {} + +/** + * MfaEnrollment can be any subtype of BaseMfaEnrollment, currently only PhoneMfaEnrollment and TotpMfaEnrollment are supported. + */ +export type MfaEnrollment = PhoneMfaEnrollment | TotpMfaEnrollment; export interface StartPhoneMfaEnrollmentRequest { idToken: string; @@ -100,6 +105,66 @@ export function finalizeEnrollPhoneMfa( _addTidIfNecessary(auth, request) ); } +export interface StartTotpMfaEnrollmentRequest { + idToken: string; + totpEnrollmentInfo: {}; + tenantId?: string; +} + +export interface StartTotpMfaEnrollmentResponse { + totpSessionInfo: { + sharedSecretKey: string; + verificationCodeLength: number; + hashingAlgorithm: string; + periodSec: number; + sessionInfo: string; + finalizeEnrollmentTime: number; + }; +} + +export function startEnrollTotpMfa( + auth: AuthInternal, + request: StartTotpMfaEnrollmentRequest +): Promise { + return _performApiRequest< + StartTotpMfaEnrollmentRequest, + StartTotpMfaEnrollmentResponse + >( + auth, + HttpMethod.POST, + Endpoint.START_MFA_ENROLLMENT, + _addTidIfNecessary(auth, request) + ); +} + +export interface TotpVerificationInfo { + sessionInfo: string; + verificationCode: string; +} +export interface FinalizeTotpMfaEnrollmentRequest { + idToken: string; + totpVerificationInfo: TotpVerificationInfo; + displayName?: string | null; + tenantId?: string; +} + +export interface FinalizeTotpMfaEnrollmentResponse + extends FinalizeMfaResponse {} + +export function finalizeEnrollTotpMfa( + auth: AuthInternal, + request: FinalizeTotpMfaEnrollmentRequest +): Promise { + return _performApiRequest< + FinalizeTotpMfaEnrollmentRequest, + FinalizeTotpMfaEnrollmentResponse + >( + auth, + HttpMethod.POST, + Endpoint.FINALIZE_MFA_ENROLLMENT, + _addTidIfNecessary(auth, request) + ); +} export interface WithdrawMfaRequest { idToken: string; diff --git a/packages/auth/src/api/authentication/mfa.ts b/packages/auth/src/api/authentication/mfa.ts index 81d9d91d67a..0ad85a7ef82 100644 --- a/packages/auth/src/api/authentication/mfa.ts +++ b/packages/auth/src/api/authentication/mfa.ts @@ -79,8 +79,20 @@ export interface FinalizePhoneMfaSignInRequest { tenantId?: string; } +// TOTP MFA Sign in only has a finalize phase. Phone MFA has a start phase to initiate sending an +// SMS and a finalize phase to complete sign in. With TOTP, the user already has the OTP in the +// TOTP/Authenticator app. +export interface FinalizeTotpMfaSignInRequest { + mfaPendingCredential: string; + totpVerificationInfo: { verificationCode: string }; + tenantId?: string; + mfaEnrollmentId: string; +} + export interface FinalizePhoneMfaSignInResponse extends FinalizeMfaResponse {} +export interface FinalizeTotpMfaSignInResponse extends FinalizeMfaResponse {} + export function finalizeSignInPhoneMfa( auth: Auth, request: FinalizePhoneMfaSignInRequest @@ -96,6 +108,21 @@ export function finalizeSignInPhoneMfa( ); } +export function finalizeSignInTotpMfa( + auth: Auth, + request: FinalizeTotpMfaSignInRequest +): Promise { + return _performApiRequest< + FinalizeTotpMfaSignInRequest, + FinalizeTotpMfaSignInResponse + >( + auth, + HttpMethod.POST, + Endpoint.FINALIZE_MFA_SIGN_IN, + _addTidIfNecessary(auth, request) + ); +} + /** * @internal */ diff --git a/packages/auth/src/mfa/assertions/totp.test.ts b/packages/auth/src/mfa/assertions/totp.test.ts new file mode 100644 index 00000000000..2bdced46b93 --- /dev/null +++ b/packages/auth/src/mfa/assertions/totp.test.ts @@ -0,0 +1,338 @@ +/** + * @license + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import { expect, use } from 'chai'; +import chaiAsPromised from 'chai-as-promised'; + +import { mockEndpoint } from '../../../test/helpers/api/helper'; +import { testAuth, TestAuth, testUser } from '../../../test/helpers/mock_auth'; +import * as mockFetch from '../../../test/helpers/mock_fetch'; +import { Endpoint } from '../../api'; +import { MultiFactorSessionImpl } from '../../mfa/mfa_session'; +import { StartTotpMfaEnrollmentResponse } from '../../api/account_management/mfa'; +import { FinalizeMfaResponse } from '../../api/authentication/mfa'; +import { + TotpMultiFactorAssertionImpl, + TotpMultiFactorGenerator, + TotpSecret +} from './totp'; +import { FactorId } from '../../model/public_types'; +import { AuthErrorCode } from '../../core/errors'; +import { AppName } from '../../model/auth'; +import { _castAuth } from '../../core/auth/auth_impl'; +import { MultiFactorAssertionImpl } from '../mfa_assertion'; + +use(chaiAsPromised); + +describe('core/mfa/assertions/totp/TotpMultiFactorGenerator', () => { + let auth: TestAuth; + let session: MultiFactorSessionImpl; + const startEnrollmentResponse: StartTotpMfaEnrollmentResponse = { + totpSessionInfo: { + sharedSecretKey: 'key123', + verificationCodeLength: 6, + hashingAlgorithm: 'SHA1', + periodSec: 30, + sessionInfo: 'verification-id', + finalizeEnrollmentTime: 1662586196 + } + }; + describe('assertionForEnrollment', () => { + it('should generate a valid TOTP assertion for enrollment', async () => { + auth = await testAuth(); + const secret = TotpSecret._fromStartTotpMfaEnrollmentResponse( + startEnrollmentResponse, + auth + ); + const assertion = TotpMultiFactorGenerator.assertionForEnrollment( + secret, + '123456' + ); + expect(assertion.factorId).to.eql(FactorId.TOTP); + }); + }); + + describe('assertionForSignIn', () => { + it('should generate a valid TOTP assertion for sign in', () => { + const assertion = TotpMultiFactorGenerator.assertionForSignIn( + 'enrollmentId', + '123456' + ); + expect(assertion.factorId).to.eql(FactorId.TOTP); + }); + }); + + describe('generateSecret', () => { + beforeEach(async () => { + mockFetch.setUp(); + }); + afterEach(mockFetch.tearDown); + + it('should throw error if auth instance is not found in mfaSession', async () => { + try { + session = MultiFactorSessionImpl._fromIdtoken( + 'enrollment-id-token', + undefined + ); + await TotpMultiFactorGenerator.generateSecret(session); + } catch (e) { + expect((e as any).code).to.eql(`auth/${AuthErrorCode.INTERNAL_ERROR}`); + } + }); + it('generateSecret should generate a valid secret by starting enrollment', async () => { + const mock = mockEndpoint( + Endpoint.START_MFA_ENROLLMENT, + startEnrollmentResponse + ); + + auth = await testAuth(); + session = MultiFactorSessionImpl._fromIdtoken( + 'enrollment-id-token', + auth + ); + const secret = await TotpMultiFactorGenerator.generateSecret(session); + expect(mock.calls[0].request).to.eql({ + idToken: 'enrollment-id-token', + totpEnrollmentInfo: {} + }); + expect(secret.secretKey).to.eql( + startEnrollmentResponse.totpSessionInfo.sharedSecretKey + ); + expect(secret.codeIntervalSeconds).to.eq( + startEnrollmentResponse.totpSessionInfo.periodSec + ); + expect(secret.codeLength).to.eq( + startEnrollmentResponse.totpSessionInfo.verificationCodeLength + ); + expect(secret.hashingAlgorithm).to.eq( + startEnrollmentResponse.totpSessionInfo.hashingAlgorithm + ); + }); + }); +}); + +describe('core/mfa/totp/assertions/TotpMultiFactorAssertionImpl', () => { + let auth: TestAuth; + let assertion: TotpMultiFactorAssertionImpl; + let session: MultiFactorSessionImpl; + let secret: TotpSecret; + + const serverResponse: FinalizeMfaResponse = { + idToken: 'final-id-token', + refreshToken: 'refresh-token' + }; + + const startEnrollmentResponse: StartTotpMfaEnrollmentResponse = { + totpSessionInfo: { + sharedSecretKey: 'key123', + verificationCodeLength: 6, + hashingAlgorithm: 'SHA1', + periodSec: 30, + sessionInfo: 'verification-id', + finalizeEnrollmentTime: 1662586196 + } + }; + + beforeEach(async () => { + mockFetch.setUp(); + auth = await testAuth(); + secret = TotpSecret._fromStartTotpMfaEnrollmentResponse( + startEnrollmentResponse, + auth + ); + assertion = TotpMultiFactorAssertionImpl._fromSecret(secret, '123456'); + }); + afterEach(mockFetch.tearDown); + + describe('enroll', () => { + beforeEach(() => { + session = MultiFactorSessionImpl._fromIdtoken( + 'enrollment-id-token', + auth + ); + }); + + it('should finalize the MFA enrollment', async () => { + const mock = mockEndpoint( + Endpoint.FINALIZE_MFA_ENROLLMENT, + serverResponse + ); + const response = await assertion._process(auth, session); + expect(response).to.eql(serverResponse); + expect(mock.calls[0].request).to.eql({ + idToken: 'enrollment-id-token', + totpVerificationInfo: { + verificationCode: '123456', + sessionInfo: 'verification-id' + } + }); + expect(session.auth).to.eql(auth); + }); + + context('with display name', () => { + it('should set the display name', async () => { + const mock = mockEndpoint( + Endpoint.FINALIZE_MFA_ENROLLMENT, + serverResponse + ); + const response = await assertion._process( + auth, + session, + 'display-name' + ); + expect(response).to.eql(serverResponse); + expect(mock.calls[0].request).to.eql({ + idToken: 'enrollment-id-token', + displayName: 'display-name', + totpVerificationInfo: { + verificationCode: '123456', + sessionInfo: 'verification-id' + } + }); + expect(session.auth).to.eql(auth); + }); + }); + }); +}); + +describe('Testing signin Flow', () => { + let auth: TestAuth; + let assertion: MultiFactorAssertionImpl; + let session: MultiFactorSessionImpl; + beforeEach(async () => { + mockFetch.setUp(); + auth = await testAuth(); + session = MultiFactorSessionImpl._fromMfaPendingCredential( + 'mfa-pending-credential' + ); + }); + afterEach(mockFetch.tearDown); + + it('should finalize mfa signin for totp', async () => { + const mockResponse: FinalizeMfaResponse = { + idToken: 'final-id-token', + refreshToken: 'refresh-token' + }; + const mock = mockEndpoint(Endpoint.FINALIZE_MFA_SIGN_IN, mockResponse); + assertion = TotpMultiFactorGenerator.assertionForSignIn( + 'enrollment-id', + '123456' + ) as any; + const response = await assertion._process(auth, session); + + expect(response).to.eql(mockResponse); + + expect(mock.calls[0].request).to.eql({ + mfaPendingCredential: 'mfa-pending-credential', + mfaEnrollmentId: 'enrollment-id', + totpVerificationInfo: { + verificationCode: '123456' + } + }); + }); + + it('should throw Firebase Error if enrollment-id is undefined', async () => { + assertion = TotpMultiFactorGenerator.assertionForSignIn( + undefined as any, + '123456' + ) as any; + + await expect(assertion._process(auth, session)).to.be.rejectedWith( + 'auth/argument-error' + ); + }); + + it('should throw Firebase Error if otp is undefined', async () => { + assertion = TotpMultiFactorGenerator.assertionForSignIn( + 'enrollment-id', + undefined as any + ) as any; + + await expect(assertion._process(auth, session)).to.be.rejectedWith( + 'auth/argument-error' + ); + }); +}); + +describe('core/mfa/assertions/totp/TotpSecret', async () => { + const serverResponse: StartTotpMfaEnrollmentResponse = { + totpSessionInfo: { + sharedSecretKey: 'key123', + verificationCodeLength: 6, + hashingAlgorithm: 'SHA1', + periodSec: 30, + sessionInfo: 'verification-id', + finalizeEnrollmentTime: 1662586196 + } + }; + // this is the name used by the fake app in testAuth(). + const fakeAppName: AppName = 'test-app'; + const fakeEmail: string = 'user@email'; + const auth = await testAuth(); + const secret = TotpSecret._fromStartTotpMfaEnrollmentResponse( + serverResponse, + auth + ); + + describe('fromStartTotpMfaEnrollmentResponse', () => { + it('fields from the response are parsed correctly', () => { + expect(secret.secretKey).to.eq('key123'); + expect(secret.codeIntervalSeconds).to.eq(30); + expect(secret.codeLength).to.eq(6); + expect(secret.hashingAlgorithm).to.eq('SHA1'); + }); + }); + describe('generateQrCodeUrl', () => { + beforeEach(async () => { + await auth.updateCurrentUser( + testUser(_castAuth(auth), 'uid', fakeEmail, true) + ); + }); + + it('with account name and issuer provided', () => { + const url = secret.generateQrCodeUrl('user@myawesomeapp', 'myawesomeapp'); + expect(url).to.eq( + 'otpauth://totp/myawesomeapp:user@myawesomeapp?secret=key123&issuer=myawesomeapp&algorithm=SHA1&digits=6' + ); + }); + it('only accountName provided', () => { + const url = secret.generateQrCodeUrl('user@myawesomeapp', ''); + expect(url).to.eq( + `otpauth://totp/${fakeAppName}:user@myawesomeapp?secret=key123&issuer=${fakeAppName}&algorithm=SHA1&digits=6` + ); + }); + it('only issuer provided', () => { + const url = secret.generateQrCodeUrl('', 'myawesomeapp'); + expect(url).to.eq( + `otpauth://totp/myawesomeapp:${fakeEmail}?secret=key123&issuer=myawesomeapp&algorithm=SHA1&digits=6` + ); + }); + it('with defaults', () => { + const url = secret.generateQrCodeUrl(); + expect(url).to.eq( + `otpauth://totp/${fakeAppName}:${fakeEmail}?secret=key123&issuer=${fakeAppName}&algorithm=SHA1&digits=6` + ); + }); + it('with defaults, without currentUser', async () => { + await auth.updateCurrentUser(null); + const url = secret.generateQrCodeUrl(); + expect(url).to.eq( + `otpauth://totp/${fakeAppName}:unknownuser?secret=key123&issuer=${fakeAppName}&algorithm=SHA1&digits=6` + ); + }); + }); +}); diff --git a/packages/auth/src/mfa/assertions/totp.ts b/packages/auth/src/mfa/assertions/totp.ts new file mode 100644 index 00000000000..35694ed39eb --- /dev/null +++ b/packages/auth/src/mfa/assertions/totp.ts @@ -0,0 +1,276 @@ +/** + * @license + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +import { + TotpMultiFactorAssertion, + MultiFactorSession, + FactorId +} from '../../model/public_types'; +import { AuthInternal } from '../../model/auth'; +import { + finalizeEnrollTotpMfa, + startEnrollTotpMfa, + StartTotpMfaEnrollmentResponse, + TotpVerificationInfo +} from '../../api/account_management/mfa'; +import { + FinalizeMfaResponse, + finalizeSignInTotpMfa +} from '../../api/authentication/mfa'; +import { MultiFactorAssertionImpl } from '../../mfa/mfa_assertion'; +import { MultiFactorSessionImpl } from '../mfa_session'; +import { AuthErrorCode } from '../../core/errors'; +import { _assert } from '../../core/util/assert'; + +/** + * Provider for generating a {@link TotpMultiFactorAssertion}. + * + * @public + */ +export class TotpMultiFactorGenerator { + /** + * Provides a {@link TotpMultiFactorAssertion} to confirm ownership of + * the TOTP (time-based one-time password) second factor. + * This assertion is used to complete enrollment in TOTP second factor. + * + * @param secret A {@link TotpSecret} containing the shared secret key and other TOTP parameters. + * @param oneTimePassword One-time password from TOTP App. + * @returns A {@link TotpMultiFactorAssertion} which can be used with + * {@link MultiFactorUser.enroll}. + */ + static assertionForEnrollment( + secret: TotpSecret, + oneTimePassword: string + ): TotpMultiFactorAssertion { + return TotpMultiFactorAssertionImpl._fromSecret(secret, oneTimePassword); + } + + /** + * Provides a {@link TotpMultiFactorAssertion} to confirm ownership of the TOTP second factor. + * This assertion is used to complete signIn with TOTP as the second factor. + * + * @param enrollmentId identifies the enrolled TOTP second factor. + * @param oneTimePassword One-time password from TOTP App. + * @returns A {@link TotpMultiFactorAssertion} which can be used with + * {@link MultiFactorResolver.resolveSignIn}. + */ + static assertionForSignIn( + enrollmentId: string, + oneTimePassword: string + ): TotpMultiFactorAssertion { + return TotpMultiFactorAssertionImpl._fromEnrollmentId( + enrollmentId, + oneTimePassword + ); + } + + /** + * Returns a promise to {@link TotpSecret} which contains the TOTP shared secret key and other parameters. + * Creates a TOTP secret as part of enrolling a TOTP second factor. + * Used for generating a QR code URL or inputting into a TOTP app. + * This method uses the auth instance corresponding to the user in the multiFactorSession. + * + * @param session The {@link MultiFactorSession} that the user is part of. + * @returns A promise to {@link TotpSecret}. + */ + static async generateSecret( + session: MultiFactorSession + ): Promise { + const mfaSession = session as MultiFactorSessionImpl; + _assert( + typeof mfaSession.auth !== 'undefined', + AuthErrorCode.INTERNAL_ERROR + ); + const response = await startEnrollTotpMfa(mfaSession.auth, { + idToken: mfaSession.credential, + totpEnrollmentInfo: {} + }); + return TotpSecret._fromStartTotpMfaEnrollmentResponse( + response, + mfaSession.auth + ); + } + + /** + * The identifier of the TOTP second factor: `totp`. + */ + static FACTOR_ID = FactorId.TOTP; +} + +export class TotpMultiFactorAssertionImpl + extends MultiFactorAssertionImpl + implements TotpMultiFactorAssertion +{ + constructor( + readonly otp: string, + readonly enrollmentId?: string, + readonly secret?: TotpSecret + ) { + super(FactorId.TOTP); + } + + /** @internal */ + static _fromSecret( + secret: TotpSecret, + otp: string + ): TotpMultiFactorAssertionImpl { + return new TotpMultiFactorAssertionImpl(otp, undefined, secret); + } + + /** @internal */ + static _fromEnrollmentId( + enrollmentId: string, + otp: string + ): TotpMultiFactorAssertionImpl { + return new TotpMultiFactorAssertionImpl(otp, enrollmentId); + } + + /** @internal */ + async _finalizeEnroll( + auth: AuthInternal, + idToken: string, + displayName?: string | null + ): Promise { + _assert( + typeof this.secret !== 'undefined', + auth, + AuthErrorCode.ARGUMENT_ERROR + ); + return finalizeEnrollTotpMfa(auth, { + idToken, + displayName, + totpVerificationInfo: this.secret._makeTotpVerificationInfo(this.otp) + }); + } + + /** @internal */ + async _finalizeSignIn( + auth: AuthInternal, + mfaPendingCredential: string + ): Promise { + _assert( + this.enrollmentId !== undefined && this.otp !== undefined, + auth, + AuthErrorCode.ARGUMENT_ERROR + ); + const totpVerificationInfo = { verificationCode: this.otp }; + return finalizeSignInTotpMfa(auth, { + mfaPendingCredential, + mfaEnrollmentId: this.enrollmentId, + totpVerificationInfo + }); + } +} + +/** + * Provider for generating a {@link TotpMultiFactorAssertion}. + * + * Stores the shared secret key and other parameters to generate time-based OTPs. + * Implements methods to retrieve the shared secret key and generate a QR code URL. + * @public + */ +export class TotpSecret { + /** + * Shared secret key/seed used for enrolling in TOTP MFA and generating OTPs. + */ + readonly secretKey: string; + /** + * Hashing algorithm used. + */ + readonly hashingAlgorithm: string; + /** + * Length of the one-time passwords to be generated. + */ + readonly codeLength: number; + /** + * The interval (in seconds) when the OTP codes should change. + */ + readonly codeIntervalSeconds: number; + /** + * The timestamp (UTC string) by which TOTP enrollment should be completed. + */ + // This can be used by callers to show a countdown of when to enter OTP code by. + readonly enrollmentCompletionDeadline: string; + + // The public members are declared outside the constructor so the docs can be generated. + private constructor( + secretKey: string, + hashingAlgorithm: string, + codeLength: number, + codeIntervalSeconds: number, + enrollmentCompletionDeadline: string, + private readonly sessionInfo: string, + private readonly auth: AuthInternal + ) { + this.secretKey = secretKey; + this.hashingAlgorithm = hashingAlgorithm; + this.codeLength = codeLength; + this.codeIntervalSeconds = codeIntervalSeconds; + this.enrollmentCompletionDeadline = enrollmentCompletionDeadline; + } + + /** @internal */ + static _fromStartTotpMfaEnrollmentResponse( + response: StartTotpMfaEnrollmentResponse, + auth: AuthInternal + ): TotpSecret { + return new TotpSecret( + response.totpSessionInfo.sharedSecretKey, + response.totpSessionInfo.hashingAlgorithm, + response.totpSessionInfo.verificationCodeLength, + response.totpSessionInfo.periodSec, + new Date(response.totpSessionInfo.finalizeEnrollmentTime).toUTCString(), + response.totpSessionInfo.sessionInfo, + auth + ); + } + + /** @internal */ + _makeTotpVerificationInfo(otp: string): TotpVerificationInfo { + return { sessionInfo: this.sessionInfo, verificationCode: otp }; + } + + /** + * Returns a QR code URL as described in + * https://github.com/google/google-authenticator/wiki/Key-Uri-Format + * This can be displayed to the user as a QR code to be scanned into a TOTP app like Google Authenticator. + * If the optional parameters are unspecified, an accountName of and issuer of are used. + * + * @param accountName the name of the account/app along with a user identifier. + * @param issuer issuer of the TOTP (likely the app name). + * @returns A QR code URL string. + */ + generateQrCodeUrl(accountName?: string, issuer?: string): string { + let useDefaults = false; + if (_isEmptyString(accountName) || _isEmptyString(issuer)) { + useDefaults = true; + } + if (useDefaults) { + if (_isEmptyString(accountName)) { + accountName = this.auth.currentUser?.email || 'unknownuser'; + } + if (_isEmptyString(issuer)) { + issuer = this.auth.name; + } + } + return `otpauth://totp/${issuer}:${accountName}?secret=${this.secretKey}&issuer=${issuer}&algorithm=${this.hashingAlgorithm}&digits=${this.codeLength}`; + } +} + +/** @internal */ +function _isEmptyString(input?: string): boolean { + return typeof input === 'undefined' || input?.length === 0; +} diff --git a/packages/auth/src/mfa/mfa_info.test.ts b/packages/auth/src/mfa/mfa_info.test.ts index 91f0c6175e0..47df7f53a0f 100644 --- a/packages/auth/src/mfa/mfa_info.test.ts +++ b/packages/auth/src/mfa/mfa_info.test.ts @@ -18,7 +18,7 @@ import { expect, use } from 'chai'; import chaiAsPromised from 'chai-as-promised'; -import { ProviderId } from '../model/enums'; +import { FactorId } from '../model/public_types'; import { FirebaseError } from '@firebase/util'; import { testAuth, TestAuth } from '../../test/helpers/mock_auth'; @@ -27,7 +27,7 @@ import { MultiFactorInfoImpl } from './mfa_info'; use(chaiAsPromised); -describe('core/mfa/mfa_info/MultiFactorInfo', () => { +describe('core/mfa/mfa_info/MultiFactorInfo for Phone MFA', () => { let auth: TestAuth; beforeEach(async () => { @@ -49,7 +49,7 @@ describe('core/mfa/mfa_info/MultiFactorInfo', () => { auth, enrollmentInfo ); - expect(mfaInfo.factorId).to.eq(ProviderId.PHONE); + expect(mfaInfo.factorId).to.eq(FactorId.PHONE); expect(mfaInfo.uid).to.eq('uid'); expect(mfaInfo.enrollmentTime).to.eq(new Date(date).toUTCString()); expect(mfaInfo.displayName).to.eq('display-name'); @@ -74,3 +74,48 @@ describe('core/mfa/mfa_info/MultiFactorInfo', () => { }); }); }); + +describe('core/mfa/mfa_info/MultiFactorInfo for TOTP MFA', () => { + let auth: TestAuth; + + beforeEach(async () => { + auth = await testAuth(); + }); + + describe('_fromServerResponse', () => { + context('TOTP enrollment', () => { + const date = Date.now(); + const enrollmentInfo = { + mfaEnrollmentId: 'uid', + enrolledAt: date, + displayName: 'display-name', + totpInfo: {} + }; + + it('should create a valid MfaInfo', () => { + const mfaInfo = MultiFactorInfoImpl._fromServerResponse( + auth, + enrollmentInfo + ); + expect(mfaInfo.factorId).to.eq(FactorId.TOTP); + expect(mfaInfo.uid).to.eq('uid'); + expect(mfaInfo.enrollmentTime).to.eq(new Date(date).toUTCString()); + expect(mfaInfo.displayName).to.eq('display-name'); + }); + }); + + context('Invalid enrollment, no totp or phone info found', () => { + const enrollmentInfo = { + mfaEnrollmentId: 'uid', + enrolledAt: Date.now(), + displayName: 'display-name' + }; + + it('should throw an error', () => { + expect(() => + MultiFactorInfoImpl._fromServerResponse(auth, enrollmentInfo) + ).to.throw(FirebaseError, 'auth/internal-error'); + }); + }); + }); +}); diff --git a/packages/auth/src/mfa/mfa_info.ts b/packages/auth/src/mfa/mfa_info.ts index a1cb41b12af..0e749ff816e 100644 --- a/packages/auth/src/mfa/mfa_info.ts +++ b/packages/auth/src/mfa/mfa_info.ts @@ -18,11 +18,13 @@ import { FactorId, MultiFactorInfo, - PhoneMultiFactorInfo + PhoneMultiFactorInfo, + TotpMultiFactorInfo } from '../model/public_types'; import { PhoneMfaEnrollment, - MfaEnrollment + MfaEnrollment, + TotpMfaEnrollment } from '../api/account_management/mfa'; import { AuthErrorCode } from '../core/errors'; import { _fail } from '../core/util/assert'; @@ -45,6 +47,8 @@ export abstract class MultiFactorInfoImpl implements MultiFactorInfo { ): MultiFactorInfoImpl { if ('phoneInfo' in enrollment) { return PhoneMultiFactorInfoImpl._fromServerResponse(auth, enrollment); + } else if ('totpInfo' in enrollment) { + return TotpMultiFactorInfoImpl._fromServerResponse(auth, enrollment); } return _fail(auth, AuthErrorCode.INTERNAL_ERROR); } @@ -65,6 +69,21 @@ export class PhoneMultiFactorInfoImpl _auth: AuthInternal, enrollment: MfaEnrollment ): PhoneMultiFactorInfoImpl { - return new PhoneMultiFactorInfoImpl(enrollment); + return new PhoneMultiFactorInfoImpl(enrollment as PhoneMfaEnrollment); + } +} +export class TotpMultiFactorInfoImpl + extends MultiFactorInfoImpl + implements TotpMultiFactorInfo +{ + private constructor(response: TotpMfaEnrollment) { + super(FactorId.TOTP, response); + } + + static _fromServerResponse( + _auth: AuthInternal, + enrollment: MfaEnrollment + ): TotpMultiFactorInfoImpl { + return new TotpMultiFactorInfoImpl(enrollment as TotpMfaEnrollment); } } diff --git a/packages/auth/src/model/enum_maps.ts b/packages/auth/src/model/enum_maps.ts index 4d3e3f4a59c..e0ffec60b7e 100644 --- a/packages/auth/src/model/enum_maps.ts +++ b/packages/auth/src/model/enum_maps.ts @@ -22,7 +22,8 @@ */ export const FactorId = { /** Phone as second factor */ - PHONE: 'phone' + PHONE: 'phone', + TOTP: 'totp' } as const; /** diff --git a/packages/auth/src/model/public_types.ts b/packages/auth/src/model/public_types.ts index fdef53e6850..0b872ec9297 100644 --- a/packages/auth/src/model/public_types.ts +++ b/packages/auth/src/model/public_types.ts @@ -545,7 +545,8 @@ export interface AuthProvider { */ export const enum FactorId { /** Phone as second factor */ - PHONE = 'phone' + PHONE = 'phone', + TOTP = 'totp' } /** @@ -658,6 +659,13 @@ export interface PhoneMultiFactorInfo extends MultiFactorInfo { readonly phoneNumber: string; } +/** + * The subclass of the {@link MultiFactorInfo} interface for TOTP + * second factors. The `factorId` of this second factor is {@link FactorId}.TOTP. + * @public + */ +export interface TotpMultiFactorInfo extends MultiFactorInfo {} + /** * The class used to facilitate recovery from {@link MultiFactorError} when a user needs to * provide a second factor to sign in. @@ -1229,3 +1237,13 @@ export interface Dependencies { */ errorMap?: AuthErrorMap; } + +/** + * The class for asserting ownership of a TOTP second factor. Provided by + * {@link TotpMultiFactorGenerator.assertionForEnrollment} and + * {@link TotpMultiFactorGenerator.assertionForSignIn}. + * + * @public + */ + +export interface TotpMultiFactorAssertion extends MultiFactorAssertion {} diff --git a/packages/auth/test/helpers/integration/helpers.ts b/packages/auth/test/helpers/integration/helpers.ts index 4f9518a6717..b03a49d8678 100644 --- a/packages/auth/test/helpers/integration/helpers.ts +++ b/packages/auth/test/helpers/integration/helpers.ts @@ -23,7 +23,8 @@ import { getAuth, connectAuthEmulator } from '../../../'; // Use browser OR node import { _generateEventId } from '../../../src/core/util/event_id'; import { getAppConfig, getEmulatorUrl } from './settings'; import { resetEmulator } from './emulator_rest_helpers'; - +// @ts-ignore - ignore types since this is only used in tests. +import totp from 'totp-generator'; interface IntegrationTestAuth extends Auth { cleanUp(): Promise; } @@ -62,10 +63,12 @@ export function getTestInstance(requireEmulator = false): Auth { } else { // Clear out any new users that were created in the course of the test for (const user of createdUsers) { - try { - await user.delete(); - } catch { - // Best effort. Maybe the test already deleted the user ¯\_(ツ)_/¯ + if (!user.email?.includes('donotdelete')) { + try { + await user.delete(); + } catch { + // Best effort. Maybe the test already deleted the user ¯\_(ツ)_/¯ + } } } } @@ -93,3 +96,22 @@ function stubConsoleToSilenceEmulatorWarnings(): sinon.SinonStub { } }); } + +export function getTotpCode( + sharedSecretKey: string, + periodSec: number, + verificationCodeLength: number, + timestamp: Date +): string { + const token = totp(sharedSecretKey, { + period: periodSec, + digits: verificationCodeLength, + algorithm: 'SHA-1', + timestamp + }); + + return token; +} +export const email = 'totpuser-donotdelete@test.com'; +//1000000 is always incorrect since it has 7 digits and we expect 6. +export const incorrectTotpCode = '1000000'; diff --git a/packages/auth/test/integration/flows/totp.test.ts b/packages/auth/test/integration/flows/totp.test.ts new file mode 100644 index 00000000000..7eb9033deff --- /dev/null +++ b/packages/auth/test/integration/flows/totp.test.ts @@ -0,0 +1,180 @@ +/** + * @license + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import { expect, use } from 'chai'; +import chaiAsPromised from 'chai-as-promised'; +import sinonChai from 'sinon-chai'; +import { + Auth, + multiFactor, + signInWithEmailAndPassword, + getMultiFactorResolver +} from '@firebase/auth'; +import { FirebaseError } from '@firebase/app'; +import { + cleanUpTestInstance, + getTestInstance, + getTotpCode, + email, + incorrectTotpCode +} from '../../helpers/integration/helpers'; + +import { + TotpMultiFactorGenerator, + TotpSecret +} from '../../../src/mfa/assertions/totp'; +import { getEmulatorUrl } from '../../helpers/integration/settings'; + +use(chaiAsPromised); +use(sinonChai); + +describe(' Integration tests: Mfa TOTP', () => { + let auth: Auth; + let totpSecret: TotpSecret; + let displayName: string; + let totpTimestamp: Date; + let emulatorUrl: string | null; + beforeEach(async () => { + emulatorUrl = getEmulatorUrl(); + if (!emulatorUrl) { + auth = getTestInstance(); + displayName = 'totp-integration-test'; + } + }); + + afterEach(async () => { + if (!emulatorUrl) { + await cleanUpTestInstance(auth); + } + }); + + it('should not enroll if incorrect totp supplied', async function () { + if (emulatorUrl) { + this.skip(); + } + const cr = await signInWithEmailAndPassword(auth, email, 'password'); + const mfaUser = multiFactor(cr.user); + const session = await mfaUser.getSession(); + totpSecret = await TotpMultiFactorGenerator.generateSecret(session); + const multiFactorAssertion = + TotpMultiFactorGenerator.assertionForEnrollment( + totpSecret, + incorrectTotpCode + ); + + await expect( + mfaUser.enroll(multiFactorAssertion, displayName) + ).to.be.rejectedWith('auth/invalid-verification-code'); + }); + + it('should enroll using correct otp', async function () { + if (emulatorUrl) { + this.skip(); + } + const cr = await signInWithEmailAndPassword(auth, email, 'password'); + + const mfaUser = multiFactor(cr.user); + + const session = await mfaUser.getSession(); + + totpSecret = await TotpMultiFactorGenerator.generateSecret(session); + + totpTimestamp = new Date(); + + const totpVerificationCode = getTotpCode( + totpSecret.secretKey, + totpSecret.codeIntervalSeconds, + totpSecret.codeLength, + totpTimestamp + ); + + const multiFactorAssertion = + TotpMultiFactorGenerator.assertionForEnrollment( + totpSecret, + totpVerificationCode + ); + await expect(mfaUser.enroll(multiFactorAssertion, displayName)).to.be + .fulfilled; + }); + + it('should not allow sign-in with incorrect totp', async function () { + let resolver: any; + + if (emulatorUrl) { + this.skip(); + } + try { + await signInWithEmailAndPassword(auth, email, 'password'); + + throw new Error('Signin should not have been successful'); + } catch (error) { + expect(error).to.be.an.instanceOf(FirebaseError); + expect((error as any).code).to.eql('auth/multi-factor-auth-required'); + + resolver = getMultiFactorResolver(auth, error as any); + expect(resolver.hints).to.have.length(1); + + const assertion = TotpMultiFactorGenerator.assertionForSignIn( + resolver.hints[0].uid, + incorrectTotpCode + ); + + await expect(resolver.resolveSignIn(assertion)).to.be.rejectedWith( + 'auth/invalid-verification-code' + ); + } + }); + + it('should allow sign-in with for correct totp and unenroll successfully', async function () { + let resolver: any; + if (emulatorUrl) { + this.skip(); + } + try { + await signInWithEmailAndPassword(auth, email, 'password'); + + throw new Error('Signin should not have been successful'); + } catch (error) { + expect(error).to.be.an.instanceOf(FirebaseError); + expect((error as any).code).to.eql('auth/multi-factor-auth-required'); + + resolver = getMultiFactorResolver(auth, error as any); + expect(resolver.hints).to.have.length(1); + + totpTimestamp.setSeconds(totpTimestamp.getSeconds() + 30); + + const totpVerificationCode = getTotpCode( + totpSecret.secretKey, + totpSecret.codeIntervalSeconds, + totpSecret.codeLength, + totpTimestamp + ); + + const assertion = TotpMultiFactorGenerator.assertionForSignIn( + resolver.hints[0].uid, + totpVerificationCode + ); + const userCredential = await resolver.resolveSignIn(assertion); + + const mfaUser = multiFactor(userCredential.user); + + await expect(mfaUser.unenroll(resolver.hints[0].uid)).to.be.fulfilled; + await expect(signInWithEmailAndPassword(auth, email, 'password')).to.be + .fulfilled; + } + }); +}); diff --git a/yarn.lock b/yarn.lock index 4b38969007c..216e47bb895 100644 --- a/yarn.lock +++ b/yarn.lock @@ -11112,6 +11112,11 @@ jsprim@^1.2.2: json-schema "0.2.3" verror "1.10.0" +jssha@^3.1.2: + version "3.3.0" + resolved "https://registry.npmjs.org/jssha/-/jssha-3.3.0.tgz#44b5531bcf55a12f4a388476c647a9a1cca92839" + integrity sha512-w9OtT4ALL+fbbwG3gw7erAO0jvS5nfvrukGPMWIAoea359B26ALXGpzy4YJSp9yGnpUvuvOw1nSjSoHDfWSr1w== + jszip@^3.1.3, jszip@^3.6.0: version "3.7.1" resolved "https://registry.npmjs.org/jszip/-/jszip-3.7.1.tgz#bd63401221c15625a1228c556ca8a68da6fda3d9" @@ -16806,6 +16811,13 @@ toidentifier@1.0.1: resolved "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz#3be34321a88a820ed1bd80dfaa33e479fbb8dd35" integrity sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA== +totp-generator@0.0.14: + version "0.0.14" + resolved "https://registry.npmjs.org/totp-generator/-/totp-generator-0.0.14.tgz#c136bcb4030f9cab5b10ecd82d15cd2d5518234a" + integrity sha512-vFZ8N2TdF4mCj8bUW460jI73LqS+JKccsZ8cttQSuXa3dkTmZo8q81Pq2yAuiPxCI5fPfUrfaKuU+7adjx5s4w== + dependencies: + jssha "^3.1.2" + tough-cookie@~2.5.0: version "2.5.0" resolved "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz#cd9fb2a0aa1d5a12b473bd9fb96fa3dcff65ade2"