From ebbf3975d48c693ed1d97f27e196852a4b8e816a Mon Sep 17 00:00:00 2001 From: bhparijat Date: Wed, 31 Aug 2022 13:14:06 -0700 Subject: [PATCH 01/26] adding support TOTP MFA (#6547) Co-authored-by: Parijat Bhatt --- common/api-review/auth.api.md | 5 ++ packages/auth/src/mfa/assertions/totp.ts | 78 +++++++++++++++++++ packages/auth/src/model/enum_maps.ts | 3 +- packages/auth/src/model/public_types.ts | 12 ++- .../platform_browser/mfa/assertions/totp.ts | 50 ++++++++++++ 5 files changed, 146 insertions(+), 2 deletions(-) create mode 100644 packages/auth/src/mfa/assertions/totp.ts create mode 100644 packages/auth/src/platform_browser/mfa/assertions/totp.ts diff --git a/common/api-review/auth.api.md b/common/api-review/auth.api.md index 045b64bcf19..553feb40f20 100644 --- a/common/api-review/auth.api.md +++ b/common/api-review/auth.api.md @@ -361,6 +361,7 @@ export class FacebookAuthProvider extends BaseOAuthProvider { // @public export const FactorId: { readonly PHONE: "phone"; + readonly TOTP: "totp"; }; // @public @@ -745,6 +746,10 @@ export function signInWithRedirect(auth: Auth, provider: AuthProvider, resolver? // @public export function signOut(auth: Auth): Promise; +// @public +export interface TotpMultiFactorAssertion extends MultiFactorAssertion { +} + // @public export class TwitterAuthProvider extends BaseOAuthProvider { constructor(); diff --git a/packages/auth/src/mfa/assertions/totp.ts b/packages/auth/src/mfa/assertions/totp.ts new file mode 100644 index 00000000000..8fb437cef35 --- /dev/null +++ b/packages/auth/src/mfa/assertions/totp.ts @@ -0,0 +1,78 @@ +/** + * @license + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +import { TotpSecret } from '../../platform_browser/mfa/assertions/totp'; +import { + TotpMultiFactorAssertion, + MultiFactorSession, + FactorId +} from '../../model/public_types'; +/** + * Provider for generating a {@link TotpMultiFactorAssertion}. + * + * @public + */ +export class TotpMultiFactorGenerator { + /** + * Provides a {@link TotpMultiFactorAssertion} to confirm ownership of + * the totp(Time-based One Time Password) second factor. + * This assertion is used to complete enrollment in TOTP second factor. + * + * @param secret {@link TotpSecret}. + * @param oneTimePassword One-time password from TOTP App. + * @returns A {@link TotpMultiFactorAssertion} which can be used with + * {@link MultiFactorUser.enroll}. + */ + static assertionForEnrollment( + _secret: TotpSecret, + _oneTimePassword: string + ): TotpMultiFactorAssertion { + throw new Error('Unimplemented'); + } + /** + * Provides a {@link TotpMultiFactorAssertion} to confirm ownership of the totp second factor. + * This assertion is used to complete signIn with TOTP as the second factor. + * + * @param enrollmentId identifies the enrolled TOTP second factor. + * @param otp One-time password from TOTP App. + * @returns A {@link TotpMultiFactorAssertion} which can be used with + * {@link MultiFactorResolver.resolveSignIn}. + */ + static assertionForSignIn( + _enrollmentId: string, + _otp: string + ): TotpMultiFactorAssertion { + throw new Error('Unimplemented'); + } + /** + * Returns a promise to {@link TOTPSecret} which contains the TOTP shared secret key and other parameters. + * Creates a TOTP secret as part of enrolling a TOTP second factor. + * Used for generating a QRCode URL or inputting into a TOTP App. + * This method uses the auth instance corresponding to the user in the multiFactorSession. + * + * @param session A link to {@MultiFactorSession}. + * @returns A promise to {@link TotpSecret}. + */ + static async generateSecret( + _session: MultiFactorSession + ): Promise { + throw new Error('Unimplemented'); + } + /** + * The identifier of the TOTP second factor: `totp`. + */ + static FACTOR_ID = FactorId.TOTP; +} diff --git a/packages/auth/src/model/enum_maps.ts b/packages/auth/src/model/enum_maps.ts index 4d3e3f4a59c..e0ffec60b7e 100644 --- a/packages/auth/src/model/enum_maps.ts +++ b/packages/auth/src/model/enum_maps.ts @@ -22,7 +22,8 @@ */ export const FactorId = { /** Phone as second factor */ - PHONE: 'phone' + PHONE: 'phone', + TOTP: 'totp' } as const; /** diff --git a/packages/auth/src/model/public_types.ts b/packages/auth/src/model/public_types.ts index fdef53e6850..31437ec5dea 100644 --- a/packages/auth/src/model/public_types.ts +++ b/packages/auth/src/model/public_types.ts @@ -545,7 +545,8 @@ export interface AuthProvider { */ export const enum FactorId { /** Phone as second factor */ - PHONE = 'phone' + PHONE = 'phone', + TOTP = 'totp' } /** @@ -1229,3 +1230,12 @@ export interface Dependencies { */ errorMap?: AuthErrorMap; } + +/** + * The class for asserting ownership of a totp second factor. Provided by + * {@link TotpMultiFactorGenerator.assertion}. + * + * @public + */ + +export interface TotpMultiFactorAssertion extends MultiFactorAssertion {} diff --git a/packages/auth/src/platform_browser/mfa/assertions/totp.ts b/packages/auth/src/platform_browser/mfa/assertions/totp.ts new file mode 100644 index 00000000000..d62813d8d44 --- /dev/null +++ b/packages/auth/src/platform_browser/mfa/assertions/totp.ts @@ -0,0 +1,50 @@ +/** + * @license + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * Stores the shared secret key and other parameters to generate time-based OTPs. + * Implements methods to retrieve the shared secret key, generate a QRCode URL. + * @public + */ +export class TotpSecret { + /** + * Constructor for TotpSecret. + * @param secretKey - Shared secret key/seed used for enrolling in TOTP MFA and generating otps. + * @param hashingAlgorithm - Hashing algorithm used. + * @param codeLength - Length of the one-time passwords to be generated. + * @param codeIntervalSeconds - The interval (in seconds) when the OTP codes should change. + */ + constructor( + readonly secretKey: string, + readonly hashingAlgorithm: string, + readonly codeLength: number, + readonly codeIntervalSeconds: number + ) {} + /** + * Returns a QRCode URL as described in + * https://github.com/google/google-authenticator/wiki/Key-Uri-Format + * This can be displayed to the user as a QRCode to be scanned into a TOTP App like Google Authenticator. + * If the optional parameters are unspecified, an accountName of ": and issuer of are used. + * + * @param accountName the name of the account/app along with a user identifier. + * @param issuer issuer of the TOTP(likely the app name). + * @returns A QRCode URL string. + */ + generateQrCodeUrl(_accountName?: string, _issuer?: string): string { + throw new Error('Unimplemented'); + } +} From c79e7fb4139f3770db80a35facbd29dbe12382c5 Mon Sep 17 00:00:00 2001 From: prameshj Date: Wed, 14 Sep 2022 15:33:31 -0700 Subject: [PATCH 02/26] Implement TOTP MFA enrollment flows (#6598) * Implement TOTP MFA enrollment. This includes changes to mfa_info, addition of TotpMultiFactorImpl and unit tests. * move all TOTP implementation into core/mfa/assertions. We do not need to restrict this to platform_browser. SMS mfa is in platform_browser since it requires a recaptcha step. * Include a reference to Auth in TotpSecret This is cleaner than looking up the app and auth instance with getApp and getAuth. * addressed review comments, added totp subdirectory. --- common/api-review/auth.api.md | 4 + .../src/api/account_management/mfa.test.ts | 137 ++++++++- .../auth/src/api/account_management/mfa.ts | 73 ++++- packages/auth/src/mfa/assertions/totp.ts | 78 ----- .../auth/src/mfa/assertions/totp/totp.test.ts | 282 ++++++++++++++++++ packages/auth/src/mfa/assertions/totp/totp.ts | 243 +++++++++++++++ packages/auth/src/mfa/mfa_info.test.ts | 51 +++- packages/auth/src/mfa/mfa_info.ts | 26 +- packages/auth/src/model/public_types.ts | 7 + .../platform_browser/mfa/assertions/totp.ts | 50 ---- 10 files changed, 812 insertions(+), 139 deletions(-) delete mode 100644 packages/auth/src/mfa/assertions/totp.ts create mode 100644 packages/auth/src/mfa/assertions/totp/totp.test.ts create mode 100644 packages/auth/src/mfa/assertions/totp/totp.ts delete mode 100644 packages/auth/src/platform_browser/mfa/assertions/totp.ts diff --git a/common/api-review/auth.api.md b/common/api-review/auth.api.md index 553feb40f20..b9d192e01cb 100644 --- a/common/api-review/auth.api.md +++ b/common/api-review/auth.api.md @@ -750,6 +750,10 @@ export function signOut(auth: Auth): Promise; export interface TotpMultiFactorAssertion extends MultiFactorAssertion { } +// @public +export interface TotpMultiFactorInfo extends MultiFactorInfo { +} + // @public export class TwitterAuthProvider extends BaseOAuthProvider { constructor(); diff --git a/packages/auth/src/api/account_management/mfa.test.ts b/packages/auth/src/api/account_management/mfa.test.ts index 83eda69416a..9f036471087 100644 --- a/packages/auth/src/api/account_management/mfa.test.ts +++ b/packages/auth/src/api/account_management/mfa.test.ts @@ -27,7 +27,9 @@ import * as mockFetch from '../../../test/helpers/mock_fetch'; import { ServerError } from '../errors'; import { finalizeEnrollPhoneMfa, + finalizeEnrollTotpMfa, startEnrollPhoneMfa, + startEnrollTotpMfa, withdrawMfa } from './mfa'; @@ -89,7 +91,7 @@ describe('api/account_management/startEnrollPhoneMfa', () => { await expect(startEnrollPhoneMfa(auth, request)).to.be.rejectedWith( FirebaseError, - "Firebase: This user's credential isn't valid for this project. This can happen if the user's token has been tampered with, or if the user isn't for the project associated with this API key. (auth/invalid-user-token)." + 'auth/invalid-user-token' ); expect(mock.calls[0].request).to.eql(request); }); @@ -152,6 +154,139 @@ describe('api/account_management/finalizeEnrollPhoneMfa', () => { ); await expect(finalizeEnrollPhoneMfa(auth, request)).to.be.rejectedWith( + FirebaseError, + 'auth/invalid-verification-id' + ); + expect(mock.calls[0].request).to.eql(request); + }); +}); + +describe('api/account_management/startEnrollTotpMfa', () => { + const request = { + idToken: 'id-token', + totpEnrollmentInfo: {} + }; + + let auth: TestAuth; + + beforeEach(async () => { + auth = await testAuth(); + mockFetch.setUp(); + }); + + afterEach(mockFetch.tearDown); + + it('should POST to the correct endpoint', async () => { + const currentTime = new Date().toISOString(); + const mock = mockEndpoint(Endpoint.START_MFA_ENROLLMENT, { + totpSessionInfo: { + sharedSecretKey: 'key123', + verificationCodeLength: 6, + hashingAlgorithm: 'SHA256', + periodSec: 30, + sessionInfo: 'session-info', + finalizeEnrollmentTime: currentTime + } + }); + + const response = await startEnrollTotpMfa(auth, request); + expect(response.totpSessionInfo.sharedSecretKey).to.eq('key123'); + expect(response.totpSessionInfo.verificationCodeLength).to.eq(6); + expect(response.totpSessionInfo.hashingAlgorithm).to.eq('SHA256'); + expect(response.totpSessionInfo.periodSec).to.eq(30); + expect(response.totpSessionInfo.sessionInfo).to.eq('session-info'); + expect(response.totpSessionInfo.finalizeEnrollmentTime).to.eq(currentTime); + expect(mock.calls[0].request).to.eql(request); + expect(mock.calls[0].method).to.eq('POST'); + expect(mock.calls[0].headers!.get(HttpHeader.CONTENT_TYPE)).to.eq( + 'application/json' + ); + expect(mock.calls[0].headers!.get(HttpHeader.X_CLIENT_VERSION)).to.eq( + 'testSDK/0.0.0' + ); + }); + + it('should handle errors', async () => { + const mock = mockEndpoint( + Endpoint.START_MFA_ENROLLMENT, + { + error: { + code: 400, + message: ServerError.INVALID_ID_TOKEN, + errors: [ + { + message: ServerError.INVALID_ID_TOKEN + } + ] + } + }, + 400 + ); + + await expect(startEnrollTotpMfa(auth, request)).to.be.rejectedWith( + FirebaseError, + 'auth/invalid-user-token' + ); + expect(mock.calls[0].request).to.eql(request); + }); +}); + +describe('api/account_management/finalizeEnrollTotpMfa', () => { + const request = { + idToken: 'id-token', + displayName: 'my-otp-app', + totpVerificationInfo: { + sessionInfo: 'session-info', + verificationCode: 'code' + } + }; + + let auth: TestAuth; + + beforeEach(async () => { + auth = await testAuth(); + mockFetch.setUp(); + }); + + afterEach(mockFetch.tearDown); + + it('should POST to the correct endpoint', async () => { + const mock = mockEndpoint(Endpoint.FINALIZE_MFA_ENROLLMENT, { + idToken: 'id-token', + refreshToken: 'refresh-token' + }); + + const response = await finalizeEnrollTotpMfa(auth, request); + expect(response.idToken).to.eq('id-token'); + expect(response.refreshToken).to.eq('refresh-token'); + expect(mock.calls[0].request).to.eql(request); + expect(mock.calls[0].method).to.eq('POST'); + expect(mock.calls[0].headers!.get(HttpHeader.CONTENT_TYPE)).to.eq( + 'application/json' + ); + expect(mock.calls[0].headers!.get(HttpHeader.X_CLIENT_VERSION)).to.eq( + 'testSDK/0.0.0' + ); + }); + + it('should handle errors', async () => { + const mock = mockEndpoint( + Endpoint.FINALIZE_MFA_ENROLLMENT, + { + error: { + code: 400, + message: ServerError.INVALID_SESSION_INFO, + errors: [ + { + message: ServerError.INVALID_SESSION_INFO + } + ] + } + }, + 400 + ); + + await expect(finalizeEnrollTotpMfa(auth, request)).to.be.rejectedWith( FirebaseError, 'Firebase: The verification ID used to create the phone auth credential is invalid. (auth/invalid-verification-id).' ); diff --git a/packages/auth/src/api/account_management/mfa.ts b/packages/auth/src/api/account_management/mfa.ts index a30a363a832..db9a4120d3d 100644 --- a/packages/auth/src/api/account_management/mfa.ts +++ b/packages/auth/src/api/account_management/mfa.ts @@ -26,7 +26,7 @@ import { FinalizeMfaResponse } from '../authentication/mfa'; import { AuthInternal } from '../../model/auth'; /** - * MFA Info as returned by the API + * MFA Info as returned by the API. */ interface BaseMfaEnrollment { mfaEnrollmentId: string; @@ -35,16 +35,21 @@ interface BaseMfaEnrollment { } /** - * An MFA provided by SMS verification + * An MFA provided by SMS verification. */ export interface PhoneMfaEnrollment extends BaseMfaEnrollment { phoneInfo: string; } /** - * MfaEnrollment can be any subtype of BaseMfaEnrollment, currently only PhoneMfaEnrollment is supported + * An MFA provided by TOTP (Time-based One Time Password). */ -export type MfaEnrollment = PhoneMfaEnrollment; +export interface TotpMfaEnrollment extends BaseMfaEnrollment {} + +/** + * MfaEnrollment can be any subtype of BaseMfaEnrollment, currently only PhoneMfaEnrollment and TotpMfaEnrollment are supported. + */ +export type MfaEnrollment = PhoneMfaEnrollment | TotpMfaEnrollment; export interface StartPhoneMfaEnrollmentRequest { idToken: string; @@ -100,6 +105,66 @@ export function finalizeEnrollPhoneMfa( _addTidIfNecessary(auth, request) ); } +export interface StartTotpMfaEnrollmentRequest { + idToken: string; + totpEnrollmentInfo: {}; + tenantId?: string; +} + +export interface StartTotpMfaEnrollmentResponse { + totpSessionInfo: { + sharedSecretKey: string; + verificationCodeLength: number; + hashingAlgorithm: string; + periodSec: number; + sessionInfo: string; + finalizeEnrollmentTime: number; + }; +} + +export function startEnrollTotpMfa( + auth: AuthInternal, + request: StartTotpMfaEnrollmentRequest +): Promise { + return _performApiRequest< + StartTotpMfaEnrollmentRequest, + StartTotpMfaEnrollmentResponse + >( + auth, + HttpMethod.POST, + Endpoint.START_MFA_ENROLLMENT, + _addTidIfNecessary(auth, request) + ); +} + +export interface TotpVerificationInfo { + sessionInfo: string; + verificationCode: string; +} +export interface FinalizeTotpMfaEnrollmentRequest { + idToken: string; + totpVerificationInfo: TotpVerificationInfo; + displayName?: string | null; + tenantId?: string; +} + +export interface FinalizeTotpMfaEnrollmentResponse + extends FinalizeMfaResponse {} + +export function finalizeEnrollTotpMfa( + auth: AuthInternal, + request: FinalizeTotpMfaEnrollmentRequest +): Promise { + return _performApiRequest< + FinalizeTotpMfaEnrollmentRequest, + FinalizeTotpMfaEnrollmentResponse + >( + auth, + HttpMethod.POST, + Endpoint.FINALIZE_MFA_ENROLLMENT, + _addTidIfNecessary(auth, request) + ); +} export interface WithdrawMfaRequest { idToken: string; diff --git a/packages/auth/src/mfa/assertions/totp.ts b/packages/auth/src/mfa/assertions/totp.ts deleted file mode 100644 index 8fb437cef35..00000000000 --- a/packages/auth/src/mfa/assertions/totp.ts +++ /dev/null @@ -1,78 +0,0 @@ -/** - * @license - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -import { TotpSecret } from '../../platform_browser/mfa/assertions/totp'; -import { - TotpMultiFactorAssertion, - MultiFactorSession, - FactorId -} from '../../model/public_types'; -/** - * Provider for generating a {@link TotpMultiFactorAssertion}. - * - * @public - */ -export class TotpMultiFactorGenerator { - /** - * Provides a {@link TotpMultiFactorAssertion} to confirm ownership of - * the totp(Time-based One Time Password) second factor. - * This assertion is used to complete enrollment in TOTP second factor. - * - * @param secret {@link TotpSecret}. - * @param oneTimePassword One-time password from TOTP App. - * @returns A {@link TotpMultiFactorAssertion} which can be used with - * {@link MultiFactorUser.enroll}. - */ - static assertionForEnrollment( - _secret: TotpSecret, - _oneTimePassword: string - ): TotpMultiFactorAssertion { - throw new Error('Unimplemented'); - } - /** - * Provides a {@link TotpMultiFactorAssertion} to confirm ownership of the totp second factor. - * This assertion is used to complete signIn with TOTP as the second factor. - * - * @param enrollmentId identifies the enrolled TOTP second factor. - * @param otp One-time password from TOTP App. - * @returns A {@link TotpMultiFactorAssertion} which can be used with - * {@link MultiFactorResolver.resolveSignIn}. - */ - static assertionForSignIn( - _enrollmentId: string, - _otp: string - ): TotpMultiFactorAssertion { - throw new Error('Unimplemented'); - } - /** - * Returns a promise to {@link TOTPSecret} which contains the TOTP shared secret key and other parameters. - * Creates a TOTP secret as part of enrolling a TOTP second factor. - * Used for generating a QRCode URL or inputting into a TOTP App. - * This method uses the auth instance corresponding to the user in the multiFactorSession. - * - * @param session A link to {@MultiFactorSession}. - * @returns A promise to {@link TotpSecret}. - */ - static async generateSecret( - _session: MultiFactorSession - ): Promise { - throw new Error('Unimplemented'); - } - /** - * The identifier of the TOTP second factor: `totp`. - */ - static FACTOR_ID = FactorId.TOTP; -} diff --git a/packages/auth/src/mfa/assertions/totp/totp.test.ts b/packages/auth/src/mfa/assertions/totp/totp.test.ts new file mode 100644 index 00000000000..c67a091a957 --- /dev/null +++ b/packages/auth/src/mfa/assertions/totp/totp.test.ts @@ -0,0 +1,282 @@ +/** + * @license + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import { expect, use } from 'chai'; +import chaiAsPromised from 'chai-as-promised'; + +import { mockEndpoint } from '../../../../test/helpers/api/helper'; +import { + testAuth, + TestAuth, + testUser +} from '../../../../test/helpers/mock_auth'; +import * as mockFetch from '../../../../test/helpers/mock_fetch'; +import { Endpoint } from '../../../api'; +import { MultiFactorSessionImpl } from '../../../mfa/mfa_session'; +import { StartTotpMfaEnrollmentResponse } from '../../../api/account_management/mfa'; +import { FinalizeMfaResponse } from '../../../api/authentication/mfa'; +import { + TotpMultiFactorAssertionImpl, + TotpMultiFactorGenerator, + TotpSecret +} from './totp'; +import { FactorId } from '../../../model/public_types'; +import { AuthErrorCode } from '../../../core/errors'; +import { AppName } from '../../../model/auth'; +import { _castAuth } from '../../../core/auth/auth_impl'; + +use(chaiAsPromised); + +describe('core/mfa/assertions/totp/TotpMultiFactorGenerator', () => { + let auth: TestAuth; + let session: MultiFactorSessionImpl; + const startEnrollmentResponse: StartTotpMfaEnrollmentResponse = { + totpSessionInfo: { + sharedSecretKey: 'key123', + verificationCodeLength: 6, + hashingAlgorithm: 'SHA1', + periodSec: 30, + sessionInfo: 'verification-id', + finalizeEnrollmentTime: 1662586196 + } + }; + describe('assertionForEnrollment', () => { + it('should generate a valid TOTP assertion for enrollment', async () => { + auth = await testAuth(); + const secret = TotpSecret._fromStartTotpMfaEnrollmentResponse( + startEnrollmentResponse, + auth + ); + const assertion = TotpMultiFactorGenerator.assertionForEnrollment( + secret, + '123456' + ); + expect(assertion.factorId).to.eql(FactorId.TOTP); + }); + }); + + describe('assertionForSignIn', () => { + it('should generate a valid TOTP assertion for sign in', () => { + const assertion = TotpMultiFactorGenerator.assertionForSignIn( + 'enrollmentId', + '123456' + ); + expect(assertion.factorId).to.eql(FactorId.TOTP); + }); + }); + + describe('generateSecret', () => { + beforeEach(async () => { + mockFetch.setUp(); + }); + afterEach(mockFetch.tearDown); + + it('should throw error if auth instance is not found in mfaSession', async () => { + try { + session = MultiFactorSessionImpl._fromIdtoken( + 'enrollment-id-token', + undefined + ); + await TotpMultiFactorGenerator.generateSecret(session); + } catch (e) { + expect(e.code).to.eql(`auth/${AuthErrorCode.INTERNAL_ERROR}`); + } + }); + it('generateSecret should generate a valid secret by starting enrollment', async () => { + const mock = mockEndpoint( + Endpoint.START_MFA_ENROLLMENT, + startEnrollmentResponse + ); + + auth = await testAuth(); + session = MultiFactorSessionImpl._fromIdtoken( + 'enrollment-id-token', + auth + ); + const secret = await TotpMultiFactorGenerator.generateSecret(session); + expect(mock.calls[0].request).to.eql({ + idToken: 'enrollment-id-token', + totpEnrollmentInfo: {} + }); + expect(secret.secretKey).to.eql( + startEnrollmentResponse.totpSessionInfo.sharedSecretKey + ); + expect(secret.codeIntervalSeconds).to.eq( + startEnrollmentResponse.totpSessionInfo.periodSec + ); + expect(secret.codeLength).to.eq( + startEnrollmentResponse.totpSessionInfo.verificationCodeLength + ); + expect(secret.hashingAlgorithm).to.eq( + startEnrollmentResponse.totpSessionInfo.hashingAlgorithm + ); + }); + }); +}); + +describe('core/mfa/totp/assertions/TotpMultiFactorAssertionImpl', () => { + let auth: TestAuth; + let assertion: TotpMultiFactorAssertionImpl; + let session: MultiFactorSessionImpl; + let secret: TotpSecret; + + const serverResponse: FinalizeMfaResponse = { + idToken: 'final-id-token', + refreshToken: 'refresh-token' + }; + + const startEnrollmentResponse: StartTotpMfaEnrollmentResponse = { + totpSessionInfo: { + sharedSecretKey: 'key123', + verificationCodeLength: 6, + hashingAlgorithm: 'SHA1', + periodSec: 30, + sessionInfo: 'verification-id', + finalizeEnrollmentTime: 1662586196 + } + }; + + beforeEach(async () => { + mockFetch.setUp(); + auth = await testAuth(); + secret = TotpSecret._fromStartTotpMfaEnrollmentResponse( + startEnrollmentResponse, + auth + ); + assertion = TotpMultiFactorAssertionImpl._fromSecret(secret, '123456'); + }); + afterEach(mockFetch.tearDown); + + describe('enroll', () => { + beforeEach(() => { + session = MultiFactorSessionImpl._fromIdtoken( + 'enrollment-id-token', + auth + ); + }); + + it('should finalize the MFA enrollment', async () => { + const mock = mockEndpoint( + Endpoint.FINALIZE_MFA_ENROLLMENT, + serverResponse + ); + const response = await assertion._process(auth, session); + expect(response).to.eql(serverResponse); + expect(mock.calls[0].request).to.eql({ + idToken: 'enrollment-id-token', + totpVerificationInfo: { + verificationCode: '123456', + sessionInfo: 'verification-id' + } + }); + expect(session.auth).to.eql(auth); + }); + + context('with display name', () => { + it('should set the display name', async () => { + const mock = mockEndpoint( + Endpoint.FINALIZE_MFA_ENROLLMENT, + serverResponse + ); + const response = await assertion._process( + auth, + session, + 'display-name' + ); + expect(response).to.eql(serverResponse); + expect(mock.calls[0].request).to.eql({ + idToken: 'enrollment-id-token', + displayName: 'display-name', + totpVerificationInfo: { + verificationCode: '123456', + sessionInfo: 'verification-id' + } + }); + expect(session.auth).to.eql(auth); + }); + }); + }); +}); + +describe('core/mfa/assertions/totp/TotpSecret', async () => { + const serverResponse: StartTotpMfaEnrollmentResponse = { + totpSessionInfo: { + sharedSecretKey: 'key123', + verificationCodeLength: 6, + hashingAlgorithm: 'SHA1', + periodSec: 30, + sessionInfo: 'verification-id', + finalizeEnrollmentTime: 1662586196 + } + }; + // this is the name used by the fake app in testAuth(). + const fakeAppName: AppName = 'test-app'; + const fakeEmail: string = 'user@email'; + const auth = await testAuth(); + const secret = TotpSecret._fromStartTotpMfaEnrollmentResponse( + serverResponse, + auth + ); + + describe('fromStartTotpMfaEnrollmentResponse', () => { + it('fields from the response are parsed correctly', () => { + expect(secret.secretKey).to.eq('key123'); + expect(secret.codeIntervalSeconds).to.eq(30); + expect(secret.codeLength).to.eq(6); + expect(secret.hashingAlgorithm).to.eq('SHA1'); + }); + }); + describe('generateQrCodeUrl', () => { + beforeEach(async () => { + await auth.updateCurrentUser( + testUser(_castAuth(auth), 'uid', fakeEmail, true) + ); + }); + + it('with account name and issuer provided', () => { + const url = secret.generateQrCodeUrl('user@myawesomeapp', 'myawesomeapp'); + expect(url).to.eq( + 'otpauth://totp/myawesomeapp:user@myawesomeapp?secret=key123&issuer=myawesomeapp&algorithm=SHA1&digits=6' + ); + }); + it('only accountName provided', () => { + const url = secret.generateQrCodeUrl('user@myawesomeapp', ''); + expect(url).to.eq( + `otpauth://totp/${fakeAppName}:user@myawesomeapp?secret=key123&issuer=${fakeAppName}&algorithm=SHA1&digits=6` + ); + }); + it('only issuer provided', () => { + const url = secret.generateQrCodeUrl('', 'myawesomeapp'); + expect(url).to.eq( + `otpauth://totp/myawesomeapp:${fakeEmail}?secret=key123&issuer=myawesomeapp&algorithm=SHA1&digits=6` + ); + }); + it('with defaults', () => { + const url = secret.generateQrCodeUrl(); + expect(url).to.eq( + `otpauth://totp/${fakeAppName}:${fakeEmail}?secret=key123&issuer=${fakeAppName}&algorithm=SHA1&digits=6` + ); + }); + it('with defaults, without currentUser', async () => { + await auth.updateCurrentUser(null); + const url = secret.generateQrCodeUrl(); + expect(url).to.eq( + `otpauth://totp/${fakeAppName}:unknownuser?secret=key123&issuer=${fakeAppName}&algorithm=SHA1&digits=6` + ); + }); + }); +}); diff --git a/packages/auth/src/mfa/assertions/totp/totp.ts b/packages/auth/src/mfa/assertions/totp/totp.ts new file mode 100644 index 00000000000..ec04908b058 --- /dev/null +++ b/packages/auth/src/mfa/assertions/totp/totp.ts @@ -0,0 +1,243 @@ +/** + * @license + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +import { + TotpMultiFactorAssertion, + MultiFactorSession, + FactorId +} from '../../../model/public_types'; +import { AuthInternal } from '../../../model/auth'; +import { + finalizeEnrollTotpMfa, + startEnrollTotpMfa, + StartTotpMfaEnrollmentResponse, + TotpVerificationInfo +} from '../../../api/account_management/mfa'; +import { FinalizeMfaResponse } from '../../../api/authentication/mfa'; +import { MultiFactorAssertionImpl } from '../../../mfa/mfa_assertion'; +import { MultiFactorSessionImpl } from '../../mfa_session'; +import { AuthErrorCode } from '../../../core/errors'; +import { _assert } from '../../../core/util/assert'; + +/** + * Provider for generating a {@link TotpMultiFactorAssertion}. + * + * @public + */ +export class TotpMultiFactorGenerator { + /** + * Provides a {@link TotpMultiFactorAssertion} to confirm ownership of + * the totp(Time-based One Time Password) second factor. + * This assertion is used to complete enrollment in TOTP second factor. + * + * @param secret {@link TotpSecret}. + * @param oneTimePassword One-time password from TOTP App. + * @returns A {@link TotpMultiFactorAssertion} which can be used with + * {@link MultiFactorUser.enroll}. + */ + static assertionForEnrollment( + secret: TotpSecret, + oneTimePassword: string + ): TotpMultiFactorAssertion { + return TotpMultiFactorAssertionImpl._fromSecret(secret, oneTimePassword); + } + + /** + * Provides a {@link TotpMultiFactorAssertion} to confirm ownership of the totp second factor. + * This assertion is used to complete signIn with TOTP as the second factor. + * + * @param enrollmentId identifies the enrolled TOTP second factor. + * @param oneTimePassword One-time password from TOTP App. + * @returns A {@link TotpMultiFactorAssertion} which can be used with + * {@link MultiFactorResolver.resolveSignIn}. + */ + static assertionForSignIn( + enrollmentId: string, + oneTimePassword: string + ): TotpMultiFactorAssertion { + return TotpMultiFactorAssertionImpl._fromEnrollmentId( + enrollmentId, + oneTimePassword + ); + } + + /** + * Returns a promise to {@link TOTPSecret} which contains the TOTP shared secret key and other parameters. + * Creates a TOTP secret as part of enrolling a TOTP second factor. + * Used for generating a QRCode URL or inputting into a TOTP App. + * This method uses the auth instance corresponding to the user in the multiFactorSession. + * + * @param session A link to {@MultiFactorSession}. + * @returns A promise to {@link TotpSecret}. + */ + static async generateSecret( + session: MultiFactorSession + ): Promise { + const mfaSession = session as MultiFactorSessionImpl; + _assert( + typeof mfaSession.auth !== 'undefined', + AuthErrorCode.INTERNAL_ERROR + ); + const response = await startEnrollTotpMfa(mfaSession.auth, { + idToken: mfaSession.credential, + totpEnrollmentInfo: {} + }); + return TotpSecret._fromStartTotpMfaEnrollmentResponse( + response, + mfaSession.auth + ); + } + + /** + * The identifier of the TOTP second factor: `totp`. + */ + static FACTOR_ID = FactorId.TOTP; +} + +export class TotpMultiFactorAssertionImpl + extends MultiFactorAssertionImpl + implements TotpMultiFactorAssertion +{ + constructor( + readonly otp: string, + readonly enrollmentId?: string, + readonly secret?: TotpSecret + ) { + super(FactorId.TOTP); + } + + /** @internal */ + static _fromSecret( + secret: TotpSecret, + otp: string + ): TotpMultiFactorAssertionImpl { + return new TotpMultiFactorAssertionImpl(otp, undefined, secret); + } + + /** @internal */ + static _fromEnrollmentId( + enrollmentId: string, + otp: string + ): TotpMultiFactorAssertionImpl { + return new TotpMultiFactorAssertionImpl(otp, enrollmentId); + } + + /** @internal */ + _finalizeEnroll( + auth: AuthInternal, + idToken: string, + displayName?: string | null + ): Promise { + _assert( + typeof this.secret !== 'undefined', + auth, + AuthErrorCode.ARGUMENT_ERROR + ); + return finalizeEnrollTotpMfa(auth, { + idToken, + displayName, + totpVerificationInfo: this.secret._makeTotpVerificationInfo(this.otp) + }); + } + + /** @internal */ + _finalizeSignIn( + _auth: AuthInternal, + _mfaPendingCredential: string + ): Promise { + throw new Error('method not implemented'); + } +} + +/** + * Provider for generating a {@link TotpMultiFactorAssertion}. + * + * Stores the shared secret key and other parameters to generate time-based OTPs. + * Implements methods to retrieve the shared secret key, generate a QRCode URL. + * @public + */ +export class TotpSecret { + /** + * Constructor for TotpSecret. + * @param secretKey - Shared secret key/seed used for enrolling in TOTP MFA and generating otps. + * @param hashingAlgorithm - Hashing algorithm used. + * @param codeLength - Length of the one-time passwords to be generated. + * @param codeIntervalSeconds - The interval (in seconds) when the OTP codes should change. + */ + private constructor( + readonly secretKey: string, + readonly hashingAlgorithm: string, + readonly codeLength: number, + readonly codeIntervalSeconds: number, + // TODO(prameshj) - make this public after API review. + // This can be used by callers to show a countdown of when to enter OTP code by. + private readonly finalizeEnrollmentBy: string, + private readonly sessionInfo: string, + private readonly auth: AuthInternal + ) {} + + /** @internal */ + static _fromStartTotpMfaEnrollmentResponse( + response: StartTotpMfaEnrollmentResponse, + auth: AuthInternal + ): TotpSecret { + return new TotpSecret( + response.totpSessionInfo.sharedSecretKey, + response.totpSessionInfo.hashingAlgorithm, + response.totpSessionInfo.verificationCodeLength, + response.totpSessionInfo.periodSec, + new Date(response.totpSessionInfo.finalizeEnrollmentTime).toUTCString(), + response.totpSessionInfo.sessionInfo, + auth + ); + } + + /** @internal */ + _makeTotpVerificationInfo(otp: string): TotpVerificationInfo { + return { sessionInfo: this.sessionInfo, verificationCode: otp }; + } + + /** + * Returns a QRCode URL as described in + * https://github.com/google/google-authenticator/wiki/Key-Uri-Format + * This can be displayed to the user as a QRCode to be scanned into a TOTP App like Google Authenticator. + * If the optional parameters are unspecified, an accountName of and issuer of are used. + * + * @param accountName the name of the account/app along with a user identifier. + * @param issuer issuer of the TOTP(likely the app name). + * @returns A QRCode URL string. + */ + generateQrCodeUrl(accountName?: string, issuer?: string): string { + let useDefaults = false; + if (_isEmptyString(accountName) || _isEmptyString(issuer)) { + useDefaults = true; + } + if (useDefaults) { + if (_isEmptyString(accountName)) { + accountName = this.auth.currentUser?.email || 'unknownuser'; + } + if (_isEmptyString(issuer)) { + issuer = this.auth.name; + } + } + return `otpauth://totp/${issuer}:${accountName}?secret=${this.secretKey}&issuer=${issuer}&algorithm=${this.hashingAlgorithm}&digits=${this.codeLength}`; + } +} + +/** @internal */ +function _isEmptyString(input?: string): boolean { + return typeof input === 'undefined' || input?.length === 0; +} diff --git a/packages/auth/src/mfa/mfa_info.test.ts b/packages/auth/src/mfa/mfa_info.test.ts index 91f0c6175e0..47df7f53a0f 100644 --- a/packages/auth/src/mfa/mfa_info.test.ts +++ b/packages/auth/src/mfa/mfa_info.test.ts @@ -18,7 +18,7 @@ import { expect, use } from 'chai'; import chaiAsPromised from 'chai-as-promised'; -import { ProviderId } from '../model/enums'; +import { FactorId } from '../model/public_types'; import { FirebaseError } from '@firebase/util'; import { testAuth, TestAuth } from '../../test/helpers/mock_auth'; @@ -27,7 +27,7 @@ import { MultiFactorInfoImpl } from './mfa_info'; use(chaiAsPromised); -describe('core/mfa/mfa_info/MultiFactorInfo', () => { +describe('core/mfa/mfa_info/MultiFactorInfo for Phone MFA', () => { let auth: TestAuth; beforeEach(async () => { @@ -49,7 +49,7 @@ describe('core/mfa/mfa_info/MultiFactorInfo', () => { auth, enrollmentInfo ); - expect(mfaInfo.factorId).to.eq(ProviderId.PHONE); + expect(mfaInfo.factorId).to.eq(FactorId.PHONE); expect(mfaInfo.uid).to.eq('uid'); expect(mfaInfo.enrollmentTime).to.eq(new Date(date).toUTCString()); expect(mfaInfo.displayName).to.eq('display-name'); @@ -74,3 +74,48 @@ describe('core/mfa/mfa_info/MultiFactorInfo', () => { }); }); }); + +describe('core/mfa/mfa_info/MultiFactorInfo for TOTP MFA', () => { + let auth: TestAuth; + + beforeEach(async () => { + auth = await testAuth(); + }); + + describe('_fromServerResponse', () => { + context('TOTP enrollment', () => { + const date = Date.now(); + const enrollmentInfo = { + mfaEnrollmentId: 'uid', + enrolledAt: date, + displayName: 'display-name', + totpInfo: {} + }; + + it('should create a valid MfaInfo', () => { + const mfaInfo = MultiFactorInfoImpl._fromServerResponse( + auth, + enrollmentInfo + ); + expect(mfaInfo.factorId).to.eq(FactorId.TOTP); + expect(mfaInfo.uid).to.eq('uid'); + expect(mfaInfo.enrollmentTime).to.eq(new Date(date).toUTCString()); + expect(mfaInfo.displayName).to.eq('display-name'); + }); + }); + + context('Invalid enrollment, no totp or phone info found', () => { + const enrollmentInfo = { + mfaEnrollmentId: 'uid', + enrolledAt: Date.now(), + displayName: 'display-name' + }; + + it('should throw an error', () => { + expect(() => + MultiFactorInfoImpl._fromServerResponse(auth, enrollmentInfo) + ).to.throw(FirebaseError, 'auth/internal-error'); + }); + }); + }); +}); diff --git a/packages/auth/src/mfa/mfa_info.ts b/packages/auth/src/mfa/mfa_info.ts index a1cb41b12af..4059a234be4 100644 --- a/packages/auth/src/mfa/mfa_info.ts +++ b/packages/auth/src/mfa/mfa_info.ts @@ -18,11 +18,13 @@ import { FactorId, MultiFactorInfo, - PhoneMultiFactorInfo + PhoneMultiFactorInfo, + TotpMultiFactorInfo } from '../model/public_types'; import { PhoneMfaEnrollment, - MfaEnrollment + MfaEnrollment, + TotpMfaEnrollment } from '../api/account_management/mfa'; import { AuthErrorCode } from '../core/errors'; import { _fail } from '../core/util/assert'; @@ -45,6 +47,9 @@ export abstract class MultiFactorInfoImpl implements MultiFactorInfo { ): MultiFactorInfoImpl { if ('phoneInfo' in enrollment) { return PhoneMultiFactorInfoImpl._fromServerResponse(auth, enrollment); + } else if ('totpInfo' in enrollment) { + // TODO(prameshj) ensure that this field is set by the backend once the tracking bug is fixed. + return TotpMultiFactorInfoImpl._fromServerResponse(auth, enrollment); } return _fail(auth, AuthErrorCode.INTERNAL_ERROR); } @@ -65,6 +70,21 @@ export class PhoneMultiFactorInfoImpl _auth: AuthInternal, enrollment: MfaEnrollment ): PhoneMultiFactorInfoImpl { - return new PhoneMultiFactorInfoImpl(enrollment); + return new PhoneMultiFactorInfoImpl(enrollment as PhoneMfaEnrollment); + } +} +export class TotpMultiFactorInfoImpl + extends MultiFactorInfoImpl + implements TotpMultiFactorInfo +{ + private constructor(response: TotpMfaEnrollment) { + super(FactorId.TOTP, response); + } + + static _fromServerResponse( + _auth: AuthInternal, + enrollment: MfaEnrollment + ): TotpMultiFactorInfoImpl { + return new TotpMultiFactorInfoImpl(enrollment as TotpMfaEnrollment); } } diff --git a/packages/auth/src/model/public_types.ts b/packages/auth/src/model/public_types.ts index 31437ec5dea..d65fcf840bb 100644 --- a/packages/auth/src/model/public_types.ts +++ b/packages/auth/src/model/public_types.ts @@ -659,6 +659,13 @@ export interface PhoneMultiFactorInfo extends MultiFactorInfo { readonly phoneNumber: string; } +/** + * The subclass of the {@link MultiFactorInfo} interface for TOTP + * second factors. The `factorId` of this second factor is {@link FactorId}.TOTP. + * @public + */ +export interface TotpMultiFactorInfo extends MultiFactorInfo {} + /** * The class used to facilitate recovery from {@link MultiFactorError} when a user needs to * provide a second factor to sign in. diff --git a/packages/auth/src/platform_browser/mfa/assertions/totp.ts b/packages/auth/src/platform_browser/mfa/assertions/totp.ts deleted file mode 100644 index d62813d8d44..00000000000 --- a/packages/auth/src/platform_browser/mfa/assertions/totp.ts +++ /dev/null @@ -1,50 +0,0 @@ -/** - * @license - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/** - * Stores the shared secret key and other parameters to generate time-based OTPs. - * Implements methods to retrieve the shared secret key, generate a QRCode URL. - * @public - */ -export class TotpSecret { - /** - * Constructor for TotpSecret. - * @param secretKey - Shared secret key/seed used for enrolling in TOTP MFA and generating otps. - * @param hashingAlgorithm - Hashing algorithm used. - * @param codeLength - Length of the one-time passwords to be generated. - * @param codeIntervalSeconds - The interval (in seconds) when the OTP codes should change. - */ - constructor( - readonly secretKey: string, - readonly hashingAlgorithm: string, - readonly codeLength: number, - readonly codeIntervalSeconds: number - ) {} - /** - * Returns a QRCode URL as described in - * https://github.com/google/google-authenticator/wiki/Key-Uri-Format - * This can be displayed to the user as a QRCode to be scanned into a TOTP App like Google Authenticator. - * If the optional parameters are unspecified, an accountName of ": and issuer of are used. - * - * @param accountName the name of the account/app along with a user identifier. - * @param issuer issuer of the TOTP(likely the app name). - * @returns A QRCode URL string. - */ - generateQrCodeUrl(_accountName?: string, _issuer?: string): string { - throw new Error('Unimplemented'); - } -} From e11ed0b6bea14fe15d42a9a32acfe3e66d616c8a Mon Sep 17 00:00:00 2001 From: prameshj Date: Fri, 16 Sep 2022 14:16:41 -0700 Subject: [PATCH 03/26] restore totp*.ts into mfa/assertions directory. (#6602) The same pattern is followed in rest of the auth codebase. (ex- src/platform_browser/mfa/assertions/) --- .../mfa/assertions/{totp => }/totp.test.ts | 26 ++++++++----------- .../src/mfa/assertions/{totp => }/totp.ts | 16 ++++++------ 2 files changed, 19 insertions(+), 23 deletions(-) rename packages/auth/src/mfa/assertions/{totp => }/totp.test.ts (92%) rename packages/auth/src/mfa/assertions/{totp => }/totp.ts (94%) diff --git a/packages/auth/src/mfa/assertions/totp/totp.test.ts b/packages/auth/src/mfa/assertions/totp.test.ts similarity index 92% rename from packages/auth/src/mfa/assertions/totp/totp.test.ts rename to packages/auth/src/mfa/assertions/totp.test.ts index c67a091a957..17c8f323f08 100644 --- a/packages/auth/src/mfa/assertions/totp/totp.test.ts +++ b/packages/auth/src/mfa/assertions/totp.test.ts @@ -18,26 +18,22 @@ import { expect, use } from 'chai'; import chaiAsPromised from 'chai-as-promised'; -import { mockEndpoint } from '../../../../test/helpers/api/helper'; -import { - testAuth, - TestAuth, - testUser -} from '../../../../test/helpers/mock_auth'; -import * as mockFetch from '../../../../test/helpers/mock_fetch'; -import { Endpoint } from '../../../api'; -import { MultiFactorSessionImpl } from '../../../mfa/mfa_session'; -import { StartTotpMfaEnrollmentResponse } from '../../../api/account_management/mfa'; -import { FinalizeMfaResponse } from '../../../api/authentication/mfa'; +import { mockEndpoint } from '../../../test/helpers/api/helper'; +import { testAuth, TestAuth, testUser } from '../../../test/helpers/mock_auth'; +import * as mockFetch from '../../../test/helpers/mock_fetch'; +import { Endpoint } from '../../api'; +import { MultiFactorSessionImpl } from '../../mfa/mfa_session'; +import { StartTotpMfaEnrollmentResponse } from '../../api/account_management/mfa'; +import { FinalizeMfaResponse } from '../../api/authentication/mfa'; import { TotpMultiFactorAssertionImpl, TotpMultiFactorGenerator, TotpSecret } from './totp'; -import { FactorId } from '../../../model/public_types'; -import { AuthErrorCode } from '../../../core/errors'; -import { AppName } from '../../../model/auth'; -import { _castAuth } from '../../../core/auth/auth_impl'; +import { FactorId } from '../../model/public_types'; +import { AuthErrorCode } from '../../core/errors'; +import { AppName } from '../../model/auth'; +import { _castAuth } from '../../core/auth/auth_impl'; use(chaiAsPromised); diff --git a/packages/auth/src/mfa/assertions/totp/totp.ts b/packages/auth/src/mfa/assertions/totp.ts similarity index 94% rename from packages/auth/src/mfa/assertions/totp/totp.ts rename to packages/auth/src/mfa/assertions/totp.ts index ec04908b058..39cc18376e5 100644 --- a/packages/auth/src/mfa/assertions/totp/totp.ts +++ b/packages/auth/src/mfa/assertions/totp.ts @@ -18,19 +18,19 @@ import { TotpMultiFactorAssertion, MultiFactorSession, FactorId -} from '../../../model/public_types'; -import { AuthInternal } from '../../../model/auth'; +} from '../../model/public_types'; +import { AuthInternal } from '../../model/auth'; import { finalizeEnrollTotpMfa, startEnrollTotpMfa, StartTotpMfaEnrollmentResponse, TotpVerificationInfo -} from '../../../api/account_management/mfa'; -import { FinalizeMfaResponse } from '../../../api/authentication/mfa'; -import { MultiFactorAssertionImpl } from '../../../mfa/mfa_assertion'; -import { MultiFactorSessionImpl } from '../../mfa_session'; -import { AuthErrorCode } from '../../../core/errors'; -import { _assert } from '../../../core/util/assert'; +} from '../../api/account_management/mfa'; +import { FinalizeMfaResponse } from '../../api/authentication/mfa'; +import { MultiFactorAssertionImpl } from '../../mfa/mfa_assertion'; +import { MultiFactorSessionImpl } from '../mfa_session'; +import { AuthErrorCode } from '../../core/errors'; +import { _assert } from '../../core/util/assert'; /** * Provider for generating a {@link TotpMultiFactorAssertion}. From 524f1d129ec1da61bebe85b8c36c4be14886abef Mon Sep 17 00:00:00 2001 From: bhparijat Date: Wed, 28 Sep 2022 16:06:52 -0700 Subject: [PATCH 04/26] Demo-app readme fix (#6630) * updated readme --- packages/auth/demo/README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/packages/auth/demo/README.md b/packages/auth/demo/README.md index beb5a800bc5..f29127ab074 100644 --- a/packages/auth/demo/README.md +++ b/packages/auth/demo/README.md @@ -45,12 +45,21 @@ in the `config.js` file. Before deploying, you may need to build the auth package: ```bash +cd auth/demo yarn yarn build:deps ``` This can take some time, and you only need to do it if you've modified the auth package. +You can optionally clear the cache and rebuild using: + +```bash +cd auth/demo +rm -rf node_modules yarn.lock +yarn build:deps +``` + To run the app locally, simply issue the following command in the `auth/demo` directory: ```bash From b6c736f1a8db3137d04e245d3ff04122034d1ca3 Mon Sep 17 00:00:00 2001 From: prameshj Date: Wed, 5 Oct 2022 13:38:56 -0700 Subject: [PATCH 05/26] Mfa totp demoapp (#6629) * Export TOTP symbols to be picked up by demo app. * Update the demo app to support TOTP enrollment, use local firebase auth version. The QR code image is generated using the qrserver api at https://goqr.me/api/doc/ --- common/api-review/auth.api.md | 26 ++++++++++++ packages/auth/demo/public/index.html | 28 ++++++++++++- packages/auth/demo/public/style.css | 11 +++++ packages/auth/demo/src/index.js | 51 ++++++++++++++++++++++++ packages/auth/index.ts | 6 +++ packages/auth/src/mfa/assertions/totp.ts | 44 ++++++++++++++------ 6 files changed, 152 insertions(+), 14 deletions(-) diff --git a/common/api-review/auth.api.md b/common/api-review/auth.api.md index b9d192e01cb..738c72048bb 100644 --- a/common/api-review/auth.api.md +++ b/common/api-review/auth.api.md @@ -750,10 +750,36 @@ export function signOut(auth: Auth): Promise; export interface TotpMultiFactorAssertion extends MultiFactorAssertion { } +// @public +export class TotpMultiFactorGenerator { + static assertionForEnrollment(secret: TotpSecret, oneTimePassword: string): TotpMultiFactorAssertion; + static assertionForSignIn(enrollmentId: string, oneTimePassword: string): TotpMultiFactorAssertion; + // Warning: (ae-forgotten-export) The symbol "FactorId" needs to be exported by the entry point index.d.ts + static FACTOR_ID: FactorId_2; + static generateSecret(session: MultiFactorSession): Promise; +} + // @public export interface TotpMultiFactorInfo extends MultiFactorInfo { } +// @public +export class TotpSecret { + readonly codeIntervalSeconds: number; + readonly codeLength: number; + // Warning: (ae-forgotten-export) The symbol "StartTotpMfaEnrollmentResponse" needs to be exported by the entry point index.d.ts + // + // @internal (undocumented) + static _fromStartTotpMfaEnrollmentResponse(response: StartTotpMfaEnrollmentResponse, auth: AuthInternal): TotpSecret; + generateQrCodeUrl(accountName?: string, issuer?: string): string; + readonly hashingAlgorithm: string; + // Warning: (ae-forgotten-export) The symbol "TotpVerificationInfo" needs to be exported by the entry point index.d.ts + // + // @internal (undocumented) + _makeTotpVerificationInfo(otp: string): TotpVerificationInfo; + readonly secretKey: string; + } + // @public export class TwitterAuthProvider extends BaseOAuthProvider { constructor(); diff --git a/packages/auth/demo/public/index.html b/packages/auth/demo/public/index.html index 624b6e3c0e7..86290860583 100644 --- a/packages/auth/demo/public/index.html +++ b/packages/auth/demo/public/index.html @@ -487,6 +487,12 @@ Phone +
  • + + TOTP + +
    • @@ -504,7 +510,27 @@ class="form-control" placeholder="Display Name" /> + + +
    +
    +
    + +
    + +
    + +
    + + +
    diff --git a/packages/auth/demo/public/style.css b/packages/auth/demo/public/style.css index cdd999f8e8b..84750c29ea1 100644 --- a/packages/auth/demo/public/style.css +++ b/packages/auth/demo/public/style.css @@ -177,6 +177,17 @@ input + .form, margin-right: 10px; } +.totp-text { + font-family: 'Courier New', Courier; +} +.totp-qr-image { + height: 120px; + margin-right: 10px; + border: 1px solid #ddd; + border-radius: 4px; + width: 120px; +} + .profile-email-not-verified { color: #d9534f; } diff --git a/packages/auth/demo/src/index.js b/packages/auth/demo/src/index.js index 8b924a57079..40701616293 100644 --- a/packages/auth/demo/src/index.js +++ b/packages/auth/demo/src/index.js @@ -49,6 +49,8 @@ import { signInWithCredential, signInWithCustomToken, signInWithEmailAndPassword, + TotpMultiFactorGenerator, + TotpSecret, unlink, updateEmail, updatePassword, @@ -97,6 +99,7 @@ let multiFactorErrorResolver = null; let selectedMultiFactorHint = null; let recaptchaSize = 'normal'; let webWorker = null; +let totpSecret = null; // The corresponding Font Awesome icons for each provider. const providersIcons = { @@ -687,6 +690,50 @@ function onFinalizeEnrollWithPhoneMultiFactor() { }, onAuthError); } +async function onStartEnrollWithTotpMultiFactor() { + console.log('Starting TOTP enrollment!'); + if (!activeUser()) { + alertError('No active user found.'); + return; + } + try { + multiFactorSession = await multiFactor(activeUser()).getSession(); + totpSecret = await TotpMultiFactorGenerator.generateSecret( + multiFactorSession + ); + const url = totpSecret.generateQrCodeUrl('test', 'testissuer'); + console.log('TOTP URL is ' + url); + // Use the QRServer API documented at https://goqr.me/api/doc/ + const qrCodeUrl = `https://api.qrserver.com/v1/create-qr-code/?data=${url}&size=30x30`; + $('img.totp-qr-image').attr('src', qrCodeUrl).show(); + $('p.totp-text').show(); + } catch (e) { + onAuthError(e); + } +} + +async function onFinalizeEnrollWithTotpMultiFactor() { + const verificationCode = $('#enroll-mfa-totp-verification-code').val(); + if (!activeUser() || !totpSecret || !verificationCode) { + alertError(' Missing active user OR TOTP secret OR verification code.'); + return; + } + + const multiFactorAssertion = TotpMultiFactorGenerator.assertionForEnrollment( + totpSecret, + verificationCode + ); + const displayName = $('#enroll-mfa-totp-display-name').val() || undefined; + + try { + await multiFactor(activeUser()).enroll(multiFactorAssertion, displayName); + refreshUserData(); + alertSuccess('TOTP MFA enrolled!'); + } catch (e) { + onAuthError(e); + } +} + /** * Signs in or links a provider's credential, based on current tab opened. * @param {!AuthCredential} credential The provider's credential. @@ -2005,6 +2052,10 @@ function initApp() { $('#enroll-mfa-confirm-phone-verification').click( onFinalizeEnrollWithPhoneMultiFactor ); + // Starts multi-factor enrollment with TOTP. + $('#enroll-mfa-totp-start').click(onStartEnrollWithTotpMultiFactor); + // Completes multi-factor enrollment with supplied OTP(One-Time Password). + $('#enroll-mfa-totp-finalize').click(onFinalizeEnrollWithTotpMultiFactor); } $(initApp); diff --git a/packages/auth/index.ts b/packages/auth/index.ts index 6e0338435d1..6ed92b361ac 100644 --- a/packages/auth/index.ts +++ b/packages/auth/index.ts @@ -73,6 +73,10 @@ import { browserPopupRedirectResolver } from './src/platform_browser/popup_redir // MFA import { PhoneMultiFactorGenerator } from './src/platform_browser/mfa/assertions/phone'; +import { + TotpMultiFactorGenerator, + TotpSecret +} from './src/mfa/assertions/totp'; // Initialization and registration of Auth import { getAuth } from './src/platform_browser'; @@ -96,5 +100,7 @@ export { RecaptchaVerifier, browserPopupRedirectResolver, PhoneMultiFactorGenerator, + TotpMultiFactorGenerator, + TotpSecret, getAuth }; diff --git a/packages/auth/src/mfa/assertions/totp.ts b/packages/auth/src/mfa/assertions/totp.ts index 39cc18376e5..8ab819c4c62 100644 --- a/packages/auth/src/mfa/assertions/totp.ts +++ b/packages/auth/src/mfa/assertions/totp.ts @@ -171,23 +171,41 @@ export class TotpMultiFactorAssertionImpl */ export class TotpSecret { /** - * Constructor for TotpSecret. - * @param secretKey - Shared secret key/seed used for enrolling in TOTP MFA and generating otps. - * @param hashingAlgorithm - Hashing algorithm used. - * @param codeLength - Length of the one-time passwords to be generated. - * @param codeIntervalSeconds - The interval (in seconds) when the OTP codes should change. + * Shared secret key/seed used for enrolling in TOTP MFA and generating otps. */ + readonly secretKey: string; + /** + * Hashing algorithm used. + */ + readonly hashingAlgorithm: string; + /** + * Length of the one-time passwords to be generated. + */ + readonly codeLength: number; + /** + * The interval (in seconds) when the OTP codes should change. + */ + readonly codeIntervalSeconds: number; + // TODO(prameshj) - make this public after API review. + // This can be used by callers to show a countdown of when to enter OTP code by. + private readonly finalizeEnrollmentBy: string; + + // The public members are declared outside the constructor so the docs can be generated. private constructor( - readonly secretKey: string, - readonly hashingAlgorithm: string, - readonly codeLength: number, - readonly codeIntervalSeconds: number, - // TODO(prameshj) - make this public after API review. - // This can be used by callers to show a countdown of when to enter OTP code by. - private readonly finalizeEnrollmentBy: string, + secretKey: string, + hashingAlgorithm: string, + codeLength: number, + codeIntervalSeconds: number, + finalizeEnrollmentBy: string, private readonly sessionInfo: string, private readonly auth: AuthInternal - ) {} + ) { + this.secretKey = secretKey; + this.hashingAlgorithm = hashingAlgorithm; + this.codeLength = codeLength; + this.codeIntervalSeconds = codeIntervalSeconds; + this.finalizeEnrollmentBy = finalizeEnrollmentBy; + } /** @internal */ static _fromStartTotpMfaEnrollmentResponse( From e3f2bea36d9e698c607ad1253e85f2322b6797ba Mon Sep 17 00:00:00 2001 From: bhparijat Date: Thu, 13 Oct 2022 12:05:03 -0700 Subject: [PATCH 06/26] sign-in flow for totp (#6626) * Export TOTP symbols to be picked up by demo app. * adding sign-in flow for totp * using only verification code for sign-in * added startSignInTotp method * modified verification code usage in object signin * added mfa enrollment id to finalize signin method: * adding singin for totp in demoapp * made enrollmentId to not be optional * reverting changes in authapi.md * removed unnecessary check and fixed spelling * added back otp check * made _finalizeEnroll && and _finalizeSignin to be async Co-authored-by: Pavithra Ramesh --- packages/auth/demo/public/index.html | 11 +++++ packages/auth/demo/src/index.js | 39 ++++++++++++++- packages/auth/src/api/authentication/mfa.ts | 53 +++++++++++++++++++++ packages/auth/src/mfa/assertions/totp.ts | 25 +++++++--- 4 files changed, 121 insertions(+), 7 deletions(-) diff --git a/packages/auth/demo/public/index.html b/packages/auth/demo/public/index.html index 86290860583..0492d810ab5 100644 --- a/packages/auth/demo/public/index.html +++ b/packages/auth/demo/public/index.html @@ -759,6 +759,17 @@

    Select a second factor to sign in with

    + +
    diff --git a/packages/auth/demo/src/index.js b/packages/auth/demo/src/index.js index 40701616293..45316512056 100644 --- a/packages/auth/demo/src/index.js +++ b/packages/auth/demo/src/index.js @@ -1103,6 +1103,7 @@ function handleMultiFactorSignIn(resolver) { ); // Hide phone form (other second factor types could be supported). $('#multi-factor-phone').addClass('hidden'); + $('#multi-factor-totp').addClass('hidden'); // Show second factor recovery dialog. $('#multiFactorModal').modal(); } @@ -1169,6 +1170,7 @@ function onSelectMultiFactorHint(index) { // Hide all forms for handling each type of second factors. // Currently only phone is supported. $('#multi-factor-phone').addClass('hidden'); + $('#multi-factor-totp').addClass('hidden'); if ( !multiFactorErrorResolver || typeof multiFactorErrorResolver.hints[index] === 'undefined' @@ -1188,6 +1190,14 @@ function onSelectMultiFactorHint(index) { // Clear all input. $('#multi-factor-sign-in-verification-id').val(''); $('#multi-factor-sign-in-verification-code').val(''); + } else if (multiFactorErrorResolver.hints[index].factorId === 'totp') { + // Save selected second factor. + selectedMultiFactorHint = multiFactorErrorResolver.hints[index]; + + // Show sign-in with totp second factor menu. + $('#multi-factor-totp').removeClass('hidden'); + // Clear all input. + $('#multi-factor-totp-sign-in-verification-code').val(''); } else { // 2nd factor not found or not supported by app. alertError('Selected 2nd factor is not supported!'); @@ -1242,6 +1252,28 @@ function onFinalizeSignInWithPhoneMultiFactor(event) { }, onAuthError); } +/** + * Completes sign-in with the 2nd factor totp assertion. + * @param {!jQuery.Event} event The jQuery event object. + */ +function onFinalizeSignInWithTotpMultiFactor(event) { + event.preventDefault(); + // Make sure a second factor is selected. + const otp = $('#multi-factor-totp-sign-in-verification-code').val(); + if (!otp || !selectedMultiFactorHint || !multiFactorErrorResolver) { + return; + } + + const assertion = TotpMultiFactorGenerator.assertionForSignIn( + selectedMultiFactorHint.uid, + otp + ); + multiFactorErrorResolver.resolveSignIn(assertion).then(userCredential => { + onAuthUserCredentialSuccess(userCredential); + $('#multiFactorModal').modal('hide'); + }, onAuthError); +} + /** * Adds a new row to insert an OAuth custom parameter key/value pair. * @param {!jQuery.Event} _event The jQuery event object. @@ -1373,7 +1405,6 @@ function signInWithPopupRedirect(provider) { customParameters[key] = value; } }); - console.log('customParameters: ', customParameters); // For older jscore versions that do not support this. if (provider.setCustomParameters) { // Set custom parameters on current provider. @@ -2046,6 +2077,12 @@ function initApp() { $('#sign-in-with-phone-multi-factor').click( onFinalizeSignInWithPhoneMultiFactor ); + + // Completes multi-factor sign-in with supplied OTP(One-Time Password). + $('#sign-in-with-totp-multi-factor').click( + onFinalizeSignInWithTotpMultiFactor + ); + // Starts multi-factor enrollment with phone number. $('#enroll-mfa-verify-phone-number').click(onStartEnrollWithPhoneMultiFactor); // Completes multi-factor enrollment with supplied SMS code. diff --git a/packages/auth/src/api/authentication/mfa.ts b/packages/auth/src/api/authentication/mfa.ts index 81d9d91d67a..f593a4efd60 100644 --- a/packages/auth/src/api/authentication/mfa.ts +++ b/packages/auth/src/api/authentication/mfa.ts @@ -51,6 +51,14 @@ export interface StartPhoneMfaSignInRequest { }; tenantId?: string; } +export interface StartTotpMfaSignInRequest { + mfaPendingCredential: string; + mfaEnrollmentId: string; + totpSignInInfo: { + verificationCode: string; + }; + tenantId?: string; +} export interface StartPhoneMfaSignInResponse { phoneResponseInfo: { @@ -58,6 +66,12 @@ export interface StartPhoneMfaSignInResponse { }; } +export interface StartTotpMfaSignInResponse { + totpSignInInfo: { + verificationCode: string; + }; +} + export function startSignInPhoneMfa( auth: Auth, request: StartPhoneMfaSignInRequest @@ -73,14 +87,38 @@ export function startSignInPhoneMfa( ); } +export function startSignInTotpMfa( + auth: Auth, + request: StartTotpMfaSignInRequest +): Promise { + return _performApiRequest< + StartTotpMfaSignInRequest, + StartTotpMfaSignInResponse + >( + auth, + HttpMethod.POST, + Endpoint.START_MFA_SIGN_IN, + _addTidIfNecessary(auth, request) + ); +} + export interface FinalizePhoneMfaSignInRequest { mfaPendingCredential: string; phoneVerificationInfo: SignInWithPhoneNumberRequest; tenantId?: string; } +export interface FinalizeTotpMfaSignInRequest { + mfaPendingCredential: string; + totpVerificationInfo: { verificationCode: string }; + tenantId?: string; + mfaEnrollmentId: string; +} + export interface FinalizePhoneMfaSignInResponse extends FinalizeMfaResponse {} +export interface FinalizeTotpMfaSignInResponse extends FinalizeMfaResponse {} + export function finalizeSignInPhoneMfa( auth: Auth, request: FinalizePhoneMfaSignInRequest @@ -96,6 +134,21 @@ export function finalizeSignInPhoneMfa( ); } +export function finalizeSignInTotpMfa( + auth: Auth, + request: FinalizeTotpMfaSignInRequest +): Promise { + return _performApiRequest< + FinalizeTotpMfaSignInRequest, + FinalizeTotpMfaSignInResponse + >( + auth, + HttpMethod.POST, + Endpoint.FINALIZE_MFA_SIGN_IN, + _addTidIfNecessary(auth, request) + ); +} + /** * @internal */ diff --git a/packages/auth/src/mfa/assertions/totp.ts b/packages/auth/src/mfa/assertions/totp.ts index 8ab819c4c62..00c80a94fd2 100644 --- a/packages/auth/src/mfa/assertions/totp.ts +++ b/packages/auth/src/mfa/assertions/totp.ts @@ -26,7 +26,10 @@ import { StartTotpMfaEnrollmentResponse, TotpVerificationInfo } from '../../api/account_management/mfa'; -import { FinalizeMfaResponse } from '../../api/authentication/mfa'; +import { + FinalizeMfaResponse, + finalizeSignInTotpMfa +} from '../../api/authentication/mfa'; import { MultiFactorAssertionImpl } from '../../mfa/mfa_assertion'; import { MultiFactorSessionImpl } from '../mfa_session'; import { AuthErrorCode } from '../../core/errors'; @@ -136,7 +139,7 @@ export class TotpMultiFactorAssertionImpl } /** @internal */ - _finalizeEnroll( + async _finalizeEnroll( auth: AuthInternal, idToken: string, displayName?: string | null @@ -154,11 +157,21 @@ export class TotpMultiFactorAssertionImpl } /** @internal */ - _finalizeSignIn( - _auth: AuthInternal, - _mfaPendingCredential: string + async _finalizeSignIn( + auth: AuthInternal, + mfaPendingCredential: string ): Promise { - throw new Error('method not implemented'); + _assert( + this.enrollmentId !== undefined && this.otp !== undefined, + auth, + AuthErrorCode.ARGUMENT_ERROR + ); + const totpVerificationInfo = { verificationCode: this.otp }; + return finalizeSignInTotpMfa(auth, { + mfaPendingCredential, + mfaEnrollmentId: this.enrollmentId, + totpVerificationInfo + }); } } From 59e6da3f0316bce04a67726bdfd09516afa59f6b Mon Sep 17 00:00:00 2001 From: bhparijat Date: Fri, 14 Oct 2022 10:35:55 -0700 Subject: [PATCH 07/26] Unit test cases for sign-in flow (#6640) * adding test cases for signing in * fixed test cases to handle async signin --- packages/auth/src/mfa/assertions/totp.test.ts | 84 ++++++++++++++++++- 1 file changed, 83 insertions(+), 1 deletion(-) diff --git a/packages/auth/src/mfa/assertions/totp.test.ts b/packages/auth/src/mfa/assertions/totp.test.ts index 17c8f323f08..e30e85ad5e2 100644 --- a/packages/auth/src/mfa/assertions/totp.test.ts +++ b/packages/auth/src/mfa/assertions/totp.test.ts @@ -24,7 +24,10 @@ import * as mockFetch from '../../../test/helpers/mock_fetch'; import { Endpoint } from '../../api'; import { MultiFactorSessionImpl } from '../../mfa/mfa_session'; import { StartTotpMfaEnrollmentResponse } from '../../api/account_management/mfa'; -import { FinalizeMfaResponse } from '../../api/authentication/mfa'; +import { + FinalizeMfaResponse, + StartTotpMfaSignInResponse +} from '../../api/authentication/mfa'; import { TotpMultiFactorAssertionImpl, TotpMultiFactorGenerator, @@ -34,6 +37,7 @@ import { FactorId } from '../../model/public_types'; import { AuthErrorCode } from '../../core/errors'; import { AppName } from '../../model/auth'; import { _castAuth } from '../../core/auth/auth_impl'; +import { MultiFactorAssertionImpl } from '../mfa_assertion'; use(chaiAsPromised); @@ -208,6 +212,84 @@ describe('core/mfa/totp/assertions/TotpMultiFactorAssertionImpl', () => { }); }); +describe('Testing signin Flow', () => { + let auth: TestAuth; + let assertion: MultiFactorAssertionImpl; + let totpSignInResponse: StartTotpMfaSignInResponse; + let session: MultiFactorSessionImpl; + beforeEach(async () => { + mockFetch.setUp(); + auth = await testAuth(); + session = MultiFactorSessionImpl._fromMfaPendingCredential( + 'mfa-pending-credential' + ); + }); + afterEach(mockFetch.tearDown); + + it('should finalize mfa signin for totp', async () => { + totpSignInResponse = { + verificationCode: '123456', + idToken: 'final-id-token', + refreshToken: 'refresh-token' + } as any; + assertion = TotpMultiFactorGenerator.assertionForSignIn( + 'enrollment-id', + '123456' + ) as any; + + const mock = mockEndpoint( + Endpoint.FINALIZE_MFA_SIGN_IN, + totpSignInResponse + ); + + const response = await assertion._process(auth, session); + + expect(response).to.eql(totpSignInResponse); + + expect(mock.calls[0].request).to.eql({ + mfaPendingCredential: 'mfa-pending-credential', + mfaEnrollmentId: 'enrollment-id', + totpVerificationInfo: { + verificationCode: '123456' + } + }); + }); + + it('should throw Firebase Error if enrollment-id is undefined', async () => { + let _response: FinalizeMfaResponse; + totpSignInResponse = { + verificationCode: '123456', + idToken: 'final-id-token', + refreshToken: 'refresh-token' + } as any; + assertion = TotpMultiFactorGenerator.assertionForSignIn( + undefined as any, + '123456' + ) as any; + + await expect(assertion._process(auth, session)).to.be.rejectedWith( + 'auth/argument-error' + ); + }); + + it('should throw Firebase Error if otp is undefined', async () => { + let _response: FinalizeMfaResponse; + totpSignInResponse = { + verificationCode: '123456', + idToken: 'final-id-token', + refreshToken: 'refresh-token' + } as any; + assertion = TotpMultiFactorGenerator.assertionForSignIn( + 'enrollment-id', + undefined as any + ) as any; + + await expect(assertion._process(auth, session)).to.be.rejectedWith( + 'auth/argument-error' + ); + }); +}); + describe('core/mfa/assertions/totp/TotpSecret', async () => { const serverResponse: StartTotpMfaEnrollmentResponse = { totpSessionInfo: { From 731082281dc2a3a0a1802be5d4cbc6a9d5624b7b Mon Sep 17 00:00:00 2001 From: bhparijat Date: Tue, 22 Nov 2022 10:15:46 -0800 Subject: [PATCH 08/26] integration tests for totp (#6784) * totp integration test * test cases working with verified email * removing debug logs * changed test email and fixed handling of user delete for totp * reverting unwanted changes in helper.ts * modified comments --- packages/auth/package.json | 1 + .../auth/test/helpers/integration/helpers.ts | 34 +++- .../auth/test/integration/flows/totp.test.ts | 157 ++++++++++++++++++ packages/auth/totp-generator.d.ts | 18 ++ 4 files changed, 205 insertions(+), 5 deletions(-) create mode 100644 packages/auth/test/integration/flows/totp.test.ts create mode 100644 packages/auth/totp-generator.d.ts diff --git a/packages/auth/package.json b/packages/auth/package.json index 9eac3e524b4..23cf03deb3a 100644 --- a/packages/auth/package.json +++ b/packages/auth/package.json @@ -127,6 +127,7 @@ "rollup-plugin-typescript2": "0.31.2", "selenium-webdriver": "4.8.0", "typescript": "4.7.4", + "totp-generator": "0.0.14", "@types/express": "4.17.17" }, "repository": { diff --git a/packages/auth/test/helpers/integration/helpers.ts b/packages/auth/test/helpers/integration/helpers.ts index 4f9518a6717..a7ca9120344 100644 --- a/packages/auth/test/helpers/integration/helpers.ts +++ b/packages/auth/test/helpers/integration/helpers.ts @@ -23,7 +23,7 @@ import { getAuth, connectAuthEmulator } from '../../../'; // Use browser OR node import { _generateEventId } from '../../../src/core/util/event_id'; import { getAppConfig, getEmulatorUrl } from './settings'; import { resetEmulator } from './emulator_rest_helpers'; - +import totp from 'totp-generator'; interface IntegrationTestAuth extends Auth { cleanUp(): Promise; } @@ -62,10 +62,12 @@ export function getTestInstance(requireEmulator = false): Auth { } else { // Clear out any new users that were created in the course of the test for (const user of createdUsers) { - try { - await user.delete(); - } catch { - // Best effort. Maybe the test already deleted the user ¯\_(ツ)_/¯ + if (!user.email?.includes('donotdelete')) { + try { + await user.delete(); + } catch { + // Best effort. Maybe the test already deleted the user ¯\_(ツ)_/¯ + } } } } @@ -93,3 +95,25 @@ function stubConsoleToSilenceEmulatorWarnings(): sinon.SinonStub { } }); } + +export function getTotpCode( + sharedSecretKey: string, + periodSec: number, + verificationCodeLength: number +): string { + const token = totp(sharedSecretKey, { + period: periodSec, + digits: verificationCodeLength, + algorithm: 'SHA-1' + }); + + return token; +} + +export function delay(dt: number): Promise { + return new Promise(resolve => setTimeout(resolve, dt)); +} + +export const email = 'totpuser-donotdelete@test.com'; +//1000000 is always incorrect since it has 7 digits and we expect 6. +export const incorrectTotpCode = '1000000'; diff --git a/packages/auth/test/integration/flows/totp.test.ts b/packages/auth/test/integration/flows/totp.test.ts new file mode 100644 index 00000000000..dd2b2846055 --- /dev/null +++ b/packages/auth/test/integration/flows/totp.test.ts @@ -0,0 +1,157 @@ +/** + * @license + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import { expect, use } from 'chai'; +import chaiAsPromised from 'chai-as-promised'; +import sinonChai from 'sinon-chai'; +import { + Auth, + multiFactor, + signInWithEmailAndPassword, + getMultiFactorResolver +} from '@firebase/auth'; +import { FirebaseError } from '@firebase/app'; +import { + cleanUpTestInstance, + getTestInstance, + getTotpCode, + delay, + email, + incorrectTotpCode +} from '../../helpers/integration/helpers'; + +import { + TotpMultiFactorGenerator, + TotpSecret +} from '../../../src/mfa/assertions/totp'; + +use(chaiAsPromised); +use(sinonChai); + +describe(' Integration tests: Mfa TOTP', () => { + let auth: Auth; + let totpSecret: TotpSecret; + let displayName: string; + beforeEach(async () => { + auth = getTestInstance(); + displayName = 'totp-integration-test'; + }); + + afterEach(async () => { + await cleanUpTestInstance(auth); + }); + + it('should not enroll if incorrect totp supplied', async () => { + const cr = await signInWithEmailAndPassword(auth, email, 'password'); + const mfaUser = multiFactor(cr.user); + const session = await mfaUser.getSession(); + totpSecret = await TotpMultiFactorGenerator.generateSecret(session); + const multiFactorAssertion = + TotpMultiFactorGenerator.assertionForEnrollment( + totpSecret, + incorrectTotpCode + ); + + await expect( + mfaUser.enroll(multiFactorAssertion, displayName) + ).to.be.rejectedWith('auth/invalid-verification-code'); + }); + + it('should enroll using correct otp', async () => { + const cr = await signInWithEmailAndPassword(auth, email, 'password'); + + const mfaUser = multiFactor(cr.user); + + const session = await mfaUser.getSession(); + + totpSecret = await TotpMultiFactorGenerator.generateSecret(session); + + const totpVerificationCode = getTotpCode( + totpSecret.secretKey, + totpSecret.codeIntervalSeconds, + totpSecret.codeLength + ); + + const multiFactorAssertion = + TotpMultiFactorGenerator.assertionForEnrollment( + totpSecret, + totpVerificationCode + ); + await expect(mfaUser.enroll(multiFactorAssertion, displayName)).to.be + .fulfilled; + }); + + it('should not allow sign-in with incorrect totp', async () => { + let resolver; + + try { + await signInWithEmailAndPassword(auth, email, 'password'); + + throw new Error('Signin should not have been successful'); + } catch (error) { + expect(error).to.be.an.instanceOf(FirebaseError); + expect((error as any).code).to.eql('auth/multi-factor-auth-required'); + + resolver = getMultiFactorResolver(auth, error as any); + expect(resolver.hints).to.have.length(1); + + const assertion = TotpMultiFactorGenerator.assertionForSignIn( + resolver.hints[0].uid, + incorrectTotpCode + ); + + await expect(resolver.resolveSignIn(assertion)).to.be.rejectedWith( + 'auth/invalid-verification-code' + ); + } + }); + + it('should allow sign-in with for correct totp and unenroll successfully', async () => { + let resolver; + + await delay(30 * 1000); + //TODO(bhparijat) generate the otp code for the next time window by passing the appropriate + //timestamp to avoid the 30s delay. The delay is needed because the otp code used for enrollment + //cannot be reused for signing in. + try { + await signInWithEmailAndPassword(auth, email, 'password'); + + throw new Error('Signin should not have been successful'); + } catch (error) { + expect(error).to.be.an.instanceOf(FirebaseError); + expect((error as any).code).to.eql('auth/multi-factor-auth-required'); + + resolver = getMultiFactorResolver(auth, error as any); + expect(resolver.hints).to.have.length(1); + + const totpVerificationCode = getTotpCode( + totpSecret.secretKey, + totpSecret.codeIntervalSeconds, + totpSecret.codeLength + ); + const assertion = TotpMultiFactorGenerator.assertionForSignIn( + resolver.hints[0].uid, + totpVerificationCode + ); + const userCredential = await resolver.resolveSignIn(assertion); + + const mfaUser = multiFactor(userCredential.user); + + await expect(mfaUser.unenroll(resolver.hints[0].uid)).to.be.fulfilled; + } + }).timeout(32000); +}); diff --git a/packages/auth/totp-generator.d.ts b/packages/auth/totp-generator.d.ts new file mode 100644 index 00000000000..01defa03c6a --- /dev/null +++ b/packages/auth/totp-generator.d.ts @@ -0,0 +1,18 @@ +/** + * @license + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +declare module 'totp-generator'; From 07eacac3c3f3cda93abe7167010acbc2ad70bb5f Mon Sep 17 00:00:00 2001 From: bhparijat Date: Fri, 2 Dec 2022 21:26:05 -0800 Subject: [PATCH 09/26] Totp integration test fix (#6814) * removed delay function and used timestamp for totp generator * updated yarn.lock to show totp-generator * added check for signin after unenroll * adding skippig of totp tests if emulator is being used * using this.skip to skip tests --- .../auth/test/helpers/integration/helpers.ts | 11 ++-- .../auth/test/integration/flows/totp.test.ts | 59 +++++++++++++------ yarn.lock | 12 ++++ 3 files changed, 57 insertions(+), 25 deletions(-) diff --git a/packages/auth/test/helpers/integration/helpers.ts b/packages/auth/test/helpers/integration/helpers.ts index a7ca9120344..836de2af62f 100644 --- a/packages/auth/test/helpers/integration/helpers.ts +++ b/packages/auth/test/helpers/integration/helpers.ts @@ -99,21 +99,18 @@ function stubConsoleToSilenceEmulatorWarnings(): sinon.SinonStub { export function getTotpCode( sharedSecretKey: string, periodSec: number, - verificationCodeLength: number + verificationCodeLength: number, + timestamp: Date ): string { const token = totp(sharedSecretKey, { period: periodSec, digits: verificationCodeLength, - algorithm: 'SHA-1' + algorithm: 'SHA-1', + timestamp }); return token; } - -export function delay(dt: number): Promise { - return new Promise(resolve => setTimeout(resolve, dt)); -} - export const email = 'totpuser-donotdelete@test.com'; //1000000 is always incorrect since it has 7 digits and we expect 6. export const incorrectTotpCode = '1000000'; diff --git a/packages/auth/test/integration/flows/totp.test.ts b/packages/auth/test/integration/flows/totp.test.ts index dd2b2846055..7eb9033deff 100644 --- a/packages/auth/test/integration/flows/totp.test.ts +++ b/packages/auth/test/integration/flows/totp.test.ts @@ -29,7 +29,6 @@ import { cleanUpTestInstance, getTestInstance, getTotpCode, - delay, email, incorrectTotpCode } from '../../helpers/integration/helpers'; @@ -38,6 +37,7 @@ import { TotpMultiFactorGenerator, TotpSecret } from '../../../src/mfa/assertions/totp'; +import { getEmulatorUrl } from '../../helpers/integration/settings'; use(chaiAsPromised); use(sinonChai); @@ -46,16 +46,26 @@ describe(' Integration tests: Mfa TOTP', () => { let auth: Auth; let totpSecret: TotpSecret; let displayName: string; + let totpTimestamp: Date; + let emulatorUrl: string | null; beforeEach(async () => { - auth = getTestInstance(); - displayName = 'totp-integration-test'; + emulatorUrl = getEmulatorUrl(); + if (!emulatorUrl) { + auth = getTestInstance(); + displayName = 'totp-integration-test'; + } }); afterEach(async () => { - await cleanUpTestInstance(auth); + if (!emulatorUrl) { + await cleanUpTestInstance(auth); + } }); - it('should not enroll if incorrect totp supplied', async () => { + it('should not enroll if incorrect totp supplied', async function () { + if (emulatorUrl) { + this.skip(); + } const cr = await signInWithEmailAndPassword(auth, email, 'password'); const mfaUser = multiFactor(cr.user); const session = await mfaUser.getSession(); @@ -71,7 +81,10 @@ describe(' Integration tests: Mfa TOTP', () => { ).to.be.rejectedWith('auth/invalid-verification-code'); }); - it('should enroll using correct otp', async () => { + it('should enroll using correct otp', async function () { + if (emulatorUrl) { + this.skip(); + } const cr = await signInWithEmailAndPassword(auth, email, 'password'); const mfaUser = multiFactor(cr.user); @@ -80,10 +93,13 @@ describe(' Integration tests: Mfa TOTP', () => { totpSecret = await TotpMultiFactorGenerator.generateSecret(session); + totpTimestamp = new Date(); + const totpVerificationCode = getTotpCode( totpSecret.secretKey, totpSecret.codeIntervalSeconds, - totpSecret.codeLength + totpSecret.codeLength, + totpTimestamp ); const multiFactorAssertion = @@ -95,9 +111,12 @@ describe(' Integration tests: Mfa TOTP', () => { .fulfilled; }); - it('should not allow sign-in with incorrect totp', async () => { - let resolver; + it('should not allow sign-in with incorrect totp', async function () { + let resolver: any; + if (emulatorUrl) { + this.skip(); + } try { await signInWithEmailAndPassword(auth, email, 'password'); @@ -120,13 +139,11 @@ describe(' Integration tests: Mfa TOTP', () => { } }); - it('should allow sign-in with for correct totp and unenroll successfully', async () => { - let resolver; - - await delay(30 * 1000); - //TODO(bhparijat) generate the otp code for the next time window by passing the appropriate - //timestamp to avoid the 30s delay. The delay is needed because the otp code used for enrollment - //cannot be reused for signing in. + it('should allow sign-in with for correct totp and unenroll successfully', async function () { + let resolver: any; + if (emulatorUrl) { + this.skip(); + } try { await signInWithEmailAndPassword(auth, email, 'password'); @@ -138,11 +155,15 @@ describe(' Integration tests: Mfa TOTP', () => { resolver = getMultiFactorResolver(auth, error as any); expect(resolver.hints).to.have.length(1); + totpTimestamp.setSeconds(totpTimestamp.getSeconds() + 30); + const totpVerificationCode = getTotpCode( totpSecret.secretKey, totpSecret.codeIntervalSeconds, - totpSecret.codeLength + totpSecret.codeLength, + totpTimestamp ); + const assertion = TotpMultiFactorGenerator.assertionForSignIn( resolver.hints[0].uid, totpVerificationCode @@ -152,6 +173,8 @@ describe(' Integration tests: Mfa TOTP', () => { const mfaUser = multiFactor(userCredential.user); await expect(mfaUser.unenroll(resolver.hints[0].uid)).to.be.fulfilled; + await expect(signInWithEmailAndPassword(auth, email, 'password')).to.be + .fulfilled; } - }).timeout(32000); + }); }); diff --git a/yarn.lock b/yarn.lock index 4b38969007c..216e47bb895 100644 --- a/yarn.lock +++ b/yarn.lock @@ -11112,6 +11112,11 @@ jsprim@^1.2.2: json-schema "0.2.3" verror "1.10.0" +jssha@^3.1.2: + version "3.3.0" + resolved "https://registry.npmjs.org/jssha/-/jssha-3.3.0.tgz#44b5531bcf55a12f4a388476c647a9a1cca92839" + integrity sha512-w9OtT4ALL+fbbwG3gw7erAO0jvS5nfvrukGPMWIAoea359B26ALXGpzy4YJSp9yGnpUvuvOw1nSjSoHDfWSr1w== + jszip@^3.1.3, jszip@^3.6.0: version "3.7.1" resolved "https://registry.npmjs.org/jszip/-/jszip-3.7.1.tgz#bd63401221c15625a1228c556ca8a68da6fda3d9" @@ -16806,6 +16811,13 @@ toidentifier@1.0.1: resolved "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz#3be34321a88a820ed1bd80dfaa33e479fbb8dd35" integrity sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA== +totp-generator@0.0.14: + version "0.0.14" + resolved "https://registry.npmjs.org/totp-generator/-/totp-generator-0.0.14.tgz#c136bcb4030f9cab5b10ecd82d15cd2d5518234a" + integrity sha512-vFZ8N2TdF4mCj8bUW460jI73LqS+JKccsZ8cttQSuXa3dkTmZo8q81Pq2yAuiPxCI5fPfUrfaKuU+7adjx5s4w== + dependencies: + jssha "^3.1.2" + tough-cookie@~2.5.0: version "2.5.0" resolved "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz#cd9fb2a0aa1d5a12b473bd9fb96fa3dcff65ade2" From 36fc7c76f3ee8371feaca4da246063d186edf7bd Mon Sep 17 00:00:00 2001 From: bhparijat Date: Mon, 5 Dec 2022 15:12:37 -0800 Subject: [PATCH 10/26] fixing conflict in package.json (#6855) --- packages/auth/package.json | 1 - 1 file changed, 1 deletion(-) diff --git a/packages/auth/package.json b/packages/auth/package.json index 23cf03deb3a..9eac3e524b4 100644 --- a/packages/auth/package.json +++ b/packages/auth/package.json @@ -127,7 +127,6 @@ "rollup-plugin-typescript2": "0.31.2", "selenium-webdriver": "4.8.0", "typescript": "4.7.4", - "totp-generator": "0.0.14", "@types/express": "4.17.17" }, "repository": { From 3c64cc7f29eba0f52a0f7065954b7c74086e7405 Mon Sep 17 00:00:00 2001 From: prameshj Date: Wed, 7 Dec 2022 10:43:54 -0800 Subject: [PATCH 11/26] Fix mfa totp unit test (#6858) * Fix type error in totp unit test. * add ts-ignore for totp-generator. --- packages/auth/src/mfa/assertions/totp.test.ts | 2 +- .../auth/test/helpers/integration/helpers.ts | 1 + packages/auth/totp-generator.d.ts | 18 ------------------ 3 files changed, 2 insertions(+), 19 deletions(-) delete mode 100644 packages/auth/totp-generator.d.ts diff --git a/packages/auth/src/mfa/assertions/totp.test.ts b/packages/auth/src/mfa/assertions/totp.test.ts index e30e85ad5e2..69b9b79667e 100644 --- a/packages/auth/src/mfa/assertions/totp.test.ts +++ b/packages/auth/src/mfa/assertions/totp.test.ts @@ -93,7 +93,7 @@ describe('core/mfa/assertions/totp/TotpMultiFactorGenerator', () => { ); await TotpMultiFactorGenerator.generateSecret(session); } catch (e) { - expect(e.code).to.eql(`auth/${AuthErrorCode.INTERNAL_ERROR}`); + expect((e as any).code).to.eql(`auth/${AuthErrorCode.INTERNAL_ERROR}`); } }); it('generateSecret should generate a valid secret by starting enrollment', async () => { diff --git a/packages/auth/test/helpers/integration/helpers.ts b/packages/auth/test/helpers/integration/helpers.ts index 836de2af62f..b03a49d8678 100644 --- a/packages/auth/test/helpers/integration/helpers.ts +++ b/packages/auth/test/helpers/integration/helpers.ts @@ -23,6 +23,7 @@ import { getAuth, connectAuthEmulator } from '../../../'; // Use browser OR node import { _generateEventId } from '../../../src/core/util/event_id'; import { getAppConfig, getEmulatorUrl } from './settings'; import { resetEmulator } from './emulator_rest_helpers'; +// @ts-ignore - ignore types since this is only used in tests. import totp from 'totp-generator'; interface IntegrationTestAuth extends Auth { cleanUp(): Promise; diff --git a/packages/auth/totp-generator.d.ts b/packages/auth/totp-generator.d.ts deleted file mode 100644 index 01defa03c6a..00000000000 --- a/packages/auth/totp-generator.d.ts +++ /dev/null @@ -1,18 +0,0 @@ -/** - * @license - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -declare module 'totp-generator'; From 1fcf4e1c25e7673481146021ab74291b39c35708 Mon Sep 17 00:00:00 2001 From: bhparijat Date: Wed, 7 Dec 2022 14:24:18 -0800 Subject: [PATCH 12/26] Added ui for setting tenant-id (#6850) --- packages/auth/demo/public/index.html | 12 ++++++++++++ packages/auth/demo/src/index.js | 11 ++++++++++- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/packages/auth/demo/public/index.html b/packages/auth/demo/public/index.html index 0492d810ab5..6e90dca738f 100644 --- a/packages/auth/demo/public/index.html +++ b/packages/auth/demo/public/index.html @@ -229,6 +229,18 @@ + +
    Set Tenant
    +
    + + +
    +
    Sign Up
    diff --git a/packages/auth/demo/src/index.js b/packages/auth/demo/src/index.js index 45316512056..7c09d79bf65 100644 --- a/packages/auth/demo/src/index.js +++ b/packages/auth/demo/src/index.js @@ -321,7 +321,14 @@ function onUseDeviceLanguage() { $('#language-code').val(auth.languageCode); alertSuccess('Using device language "' + auth.languageCode + '".'); } - +/** + * Set tenant id for the firebase project. + */ +function onSetTenantIdClick(_event) { + const tenantId = $('#set-tenant').val(); + auth.tenantId = tenantId === '' ? null : tenantId; + alertSuccess('Tenant Id : ' + auth.tenantId); +} /** * Changes the Auth state persistence to the specified one. */ @@ -2093,6 +2100,8 @@ function initApp() { $('#enroll-mfa-totp-start').click(onStartEnrollWithTotpMultiFactor); // Completes multi-factor enrollment with supplied OTP(One-Time Password). $('#enroll-mfa-totp-finalize').click(onFinalizeEnrollWithTotpMultiFactor); + // Sets tenant for the current auth instance + $('#set-tenant-btn').click(onSetTenantIdClick); } $(initApp); From 5ff2929c7a4dc496c1e820edaa77690e7f7ac116 Mon Sep 17 00:00:00 2001 From: prameshj Date: Tue, 27 Dec 2022 14:51:16 -0800 Subject: [PATCH 13/26] Expose enrollmentCompletionDeadline field in TotpSecret. (#6870) Also changed the demo app to display this field as a countdown. --- common/api-review/auth.api.md | 1 + packages/auth/demo/public/index.html | 2 +- packages/auth/demo/public/style.css | 6 ++++++ packages/auth/demo/src/index.js | 21 +++++++++++++++++++++ packages/auth/src/mfa/assertions/totp.ts | 10 ++++++---- 5 files changed, 35 insertions(+), 5 deletions(-) diff --git a/common/api-review/auth.api.md b/common/api-review/auth.api.md index 738c72048bb..5b147491212 100644 --- a/common/api-review/auth.api.md +++ b/common/api-review/auth.api.md @@ -767,6 +767,7 @@ export interface TotpMultiFactorInfo extends MultiFactorInfo { export class TotpSecret { readonly codeIntervalSeconds: number; readonly codeLength: number; + readonly enrollmentCompletionDeadline: string; // Warning: (ae-forgotten-export) The symbol "StartTotpMfaEnrollmentResponse" needs to be exported by the entry point index.d.ts // // @internal (undocumented) diff --git a/packages/auth/demo/public/index.html b/packages/auth/demo/public/index.html index 6e90dca738f..d098860f216 100644 --- a/packages/auth/demo/public/index.html +++ b/packages/auth/demo/public/index.html @@ -534,7 +534,7 @@
    -
    +
    Date: Fri, 27 Jan 2023 17:42:20 -0800 Subject: [PATCH 14/26] clear TOTP QR code display in the demo app once enrollment is complete. (#6984) --- packages/auth/demo/src/index.js | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/packages/auth/demo/src/index.js b/packages/auth/demo/src/index.js index 72c783d293f..5159d1169d7 100644 --- a/packages/auth/demo/src/index.js +++ b/packages/auth/demo/src/index.js @@ -100,6 +100,7 @@ let selectedMultiFactorHint = null; let recaptchaSize = 'normal'; let webWorker = null; let totpSecret = null; +let totpDeadlineId = null; // The corresponding Font Awesome icons for each provider. const providersIcons = { @@ -715,11 +716,11 @@ async function onStartEnrollWithTotpMultiFactor() { ); // display the numbr of seconds left to enroll. $('p.totp-deadline').show(); - var id = setInterval(function () { + totpDeadlineId = setInterval(function () { var deadline = new Date(totpSecret.enrollmentCompletionDeadline); var t = deadline - new Date().getTime(); if (t < 0) { - clearInterval(id); + clearInterval(totpDeadlineId); document.getElementById('totp-deadline').innerText = 'TOTP enrollment expired!'; } else { @@ -756,12 +757,21 @@ async function onFinalizeEnrollWithTotpMultiFactor() { try { await multiFactor(activeUser()).enroll(multiFactorAssertion, displayName); refreshUserData(); + clearTOTPUIState(); alertSuccess('TOTP MFA enrolled!'); } catch (e) { onAuthError(e); } } +function clearTOTPUIState() { + $('p.totp-deadline').hide(); + $('img.totp-qr-image').hide(); + $('p.totp-text').hide(); + $('enroll-mfa-totp-verification-code').hide(); + $('enroll-mfa-totp-display-name').hide(); + clearInterval(totpDeadlineId); +} /** * Signs in or links a provider's credential, based on current tab opened. * @param {!AuthCredential} credential The provider's credential. From 119cb1c7da569b06066d05e186f745e400d168a6 Mon Sep 17 00:00:00 2001 From: prameshj Date: Tue, 14 Feb 2023 16:11:09 -0800 Subject: [PATCH 15/26] Add a command to run totp integration tests. (#6998) --- packages/auth/README.md | 20 ++++++++++++++++++++ packages/auth/karma.conf.js | 3 +++ packages/auth/package.json | 3 ++- 3 files changed, 25 insertions(+), 1 deletion(-) diff --git a/packages/auth/README.md b/packages/auth/README.md index 0592fa595a7..ad8ca35d5eb 100644 --- a/packages/auth/README.md +++ b/packages/auth/README.md @@ -17,6 +17,7 @@ host of npm scripts to run these tests. The most important commands are: | `yarn test::unit:debug` | Runs \ unit tests, auto-watching for file system changes | | `yarn test::integration` | Runs only integration tests against the live environment | | `yarn test::integration:local` | Runs all headless \ integration tests against the emulator (more below) | +| `yarn test:browser:integration:prodbackend` | Runs TOTP MFA integration tests against the backend (more below) | Where \ is "browser" or "node". There are also cordova tests, but they are not broken into such granular details. Check out `package.json` for more. @@ -46,6 +47,25 @@ you would simply execute the following command: firebase emulators:exec --project foo-bar --only auth "yarn test:integration:local" ``` +### Integration testing with the production backend + +Currently, MFA TOTP tests only run against the production backend (since they are not supported on the emulator yet). +Running against the backend also makes it a more reliable end-to-end test. + +The TOTP tests require the following email/password combination to exist in the project, so if you are running this test against your test project, please create this user: + +'totpuser-donotdelete@test.com', 'password' + +You also need to verify this email address, in order to use MFA. This can be done with a curl command like this: + +``` +curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" -H "X-Goog-User-Project: ${PROJECT_ID}" -X POST https://identitytoolkit.googleapis.com/v1/accounts:sendOobCode -d '{ + "email": "totpuser-donotdelete@test.com", + "requestType": "VERIFY_EMAIL", + "returnOobLink": true, + }' +``` + ### Selenium Webdriver tests These tests assume that you have both Firefox and Chrome installed on your diff --git a/packages/auth/karma.conf.js b/packages/auth/karma.conf.js index 8c4bcba24d2..4f82e4ab5a7 100644 --- a/packages/auth/karma.conf.js +++ b/packages/auth/karma.conf.js @@ -37,6 +37,9 @@ function getTestFiles(argv) { if (argv.unit) { return ['src/**/*.test.ts', 'test/helpers/**/*.test.ts']; } else if (argv.integration) { + if (argv.prodbackend) { + return ['test/integration/flows/totp.test.ts']; + } return argv.local ? ['test/integration/flows/*.test.ts'] : ['test/integration/flows/*!(local).test.ts']; diff --git a/packages/auth/package.json b/packages/auth/package.json index 9eac3e524b4..0aee237edb3 100644 --- a/packages/auth/package.json +++ b/packages/auth/package.json @@ -84,7 +84,7 @@ "build:scripts": "tsc -moduleResolution node --module commonjs scripts/*.ts && ls scripts/*.js | xargs -I % sh -c 'terser % -o %'", "dev": "rollup -c -w", "test": "run-p lint test:all", - "test:all": "run-p test:browser:unit test:node:unit test:integration", + "test:all": "run-p test:browser:unit test:node:unit test:integration test:browser:integration:prodbackend", "test:integration": "firebase emulators:exec --project emulatedproject --only auth \"run-s test:browser:integration:local test:node:integration:local test:webdriver\"", "test:ci": "node ../../scripts/run_tests_in_ci.js -s test:all", "test:integration:local": "run-s test:node:integration:local test:browser:integration:local test:webdriver", @@ -92,6 +92,7 @@ "test:browser:unit": "karma start --single-run --unit", "test:browser:integration": "karma start --single-run --integration", "test:browser:integration:local": "karma start --single-run --integration --local", + "test:browser:integration:prodbackend": "karma start --single-run --integration --prodbackend", "test:browser:debug": "karma start --auto-watch", "test:browser:unit:debug": "karma start --auto-watch --unit", "test:cordova": "karma start --single-run --cordova", From 522392a8afd32c6d14bbb1122ef0de0ddee7166f Mon Sep 17 00:00:00 2001 From: prameshj Date: Wed, 22 Feb 2023 14:20:31 -0800 Subject: [PATCH 16/26] remove startMfaSignIn step for TOTP. (#7047) TOTP only needs a finalize step. --- packages/auth/src/api/authentication/mfa.ts | 32 ++----------------- packages/auth/src/mfa/assertions/totp.test.ts | 32 +++---------------- packages/auth/src/mfa/mfa_info.ts | 1 - 3 files changed, 8 insertions(+), 57 deletions(-) diff --git a/packages/auth/src/api/authentication/mfa.ts b/packages/auth/src/api/authentication/mfa.ts index f593a4efd60..0ad85a7ef82 100644 --- a/packages/auth/src/api/authentication/mfa.ts +++ b/packages/auth/src/api/authentication/mfa.ts @@ -51,14 +51,6 @@ export interface StartPhoneMfaSignInRequest { }; tenantId?: string; } -export interface StartTotpMfaSignInRequest { - mfaPendingCredential: string; - mfaEnrollmentId: string; - totpSignInInfo: { - verificationCode: string; - }; - tenantId?: string; -} export interface StartPhoneMfaSignInResponse { phoneResponseInfo: { @@ -66,12 +58,6 @@ export interface StartPhoneMfaSignInResponse { }; } -export interface StartTotpMfaSignInResponse { - totpSignInInfo: { - verificationCode: string; - }; -} - export function startSignInPhoneMfa( auth: Auth, request: StartPhoneMfaSignInRequest @@ -87,27 +73,15 @@ export function startSignInPhoneMfa( ); } -export function startSignInTotpMfa( - auth: Auth, - request: StartTotpMfaSignInRequest -): Promise { - return _performApiRequest< - StartTotpMfaSignInRequest, - StartTotpMfaSignInResponse - >( - auth, - HttpMethod.POST, - Endpoint.START_MFA_SIGN_IN, - _addTidIfNecessary(auth, request) - ); -} - export interface FinalizePhoneMfaSignInRequest { mfaPendingCredential: string; phoneVerificationInfo: SignInWithPhoneNumberRequest; tenantId?: string; } +// TOTP MFA Sign in only has a finalize phase. Phone MFA has a start phase to initiate sending an +// SMS and a finalize phase to complete sign in. With TOTP, the user already has the OTP in the +// TOTP/Authenticator app. export interface FinalizeTotpMfaSignInRequest { mfaPendingCredential: string; totpVerificationInfo: { verificationCode: string }; diff --git a/packages/auth/src/mfa/assertions/totp.test.ts b/packages/auth/src/mfa/assertions/totp.test.ts index 69b9b79667e..2bdced46b93 100644 --- a/packages/auth/src/mfa/assertions/totp.test.ts +++ b/packages/auth/src/mfa/assertions/totp.test.ts @@ -24,10 +24,7 @@ import * as mockFetch from '../../../test/helpers/mock_fetch'; import { Endpoint } from '../../api'; import { MultiFactorSessionImpl } from '../../mfa/mfa_session'; import { StartTotpMfaEnrollmentResponse } from '../../api/account_management/mfa'; -import { - FinalizeMfaResponse, - StartTotpMfaSignInResponse -} from '../../api/authentication/mfa'; +import { FinalizeMfaResponse } from '../../api/authentication/mfa'; import { TotpMultiFactorAssertionImpl, TotpMultiFactorGenerator, @@ -215,7 +212,6 @@ describe('core/mfa/totp/assertions/TotpMultiFactorAssertionImpl', () => { describe('Testing signin Flow', () => { let auth: TestAuth; let assertion: MultiFactorAssertionImpl; - let totpSignInResponse: StartTotpMfaSignInResponse; let session: MultiFactorSessionImpl; beforeEach(async () => { mockFetch.setUp(); @@ -227,24 +223,18 @@ describe('Testing signin Flow', () => { afterEach(mockFetch.tearDown); it('should finalize mfa signin for totp', async () => { - totpSignInResponse = { - verificationCode: '123456', + const mockResponse: FinalizeMfaResponse = { idToken: 'final-id-token', refreshToken: 'refresh-token' - } as any; + }; + const mock = mockEndpoint(Endpoint.FINALIZE_MFA_SIGN_IN, mockResponse); assertion = TotpMultiFactorGenerator.assertionForSignIn( 'enrollment-id', '123456' ) as any; - - const mock = mockEndpoint( - Endpoint.FINALIZE_MFA_SIGN_IN, - totpSignInResponse - ); - const response = await assertion._process(auth, session); - expect(response).to.eql(totpSignInResponse); + expect(response).to.eql(mockResponse); expect(mock.calls[0].request).to.eql({ mfaPendingCredential: 'mfa-pending-credential', @@ -256,12 +246,6 @@ describe('Testing signin Flow', () => { }); it('should throw Firebase Error if enrollment-id is undefined', async () => { - let _response: FinalizeMfaResponse; - totpSignInResponse = { - verificationCode: '123456', - idToken: 'final-id-token', - refreshToken: 'refresh-token' - } as any; assertion = TotpMultiFactorGenerator.assertionForSignIn( undefined as any, '123456' @@ -273,12 +257,6 @@ describe('Testing signin Flow', () => { }); it('should throw Firebase Error if otp is undefined', async () => { - let _response: FinalizeMfaResponse; - totpSignInResponse = { - verificationCode: '123456', - idToken: 'final-id-token', - refreshToken: 'refresh-token' - } as any; assertion = TotpMultiFactorGenerator.assertionForSignIn( 'enrollment-id', undefined as any diff --git a/packages/auth/src/mfa/mfa_info.ts b/packages/auth/src/mfa/mfa_info.ts index 4059a234be4..0e749ff816e 100644 --- a/packages/auth/src/mfa/mfa_info.ts +++ b/packages/auth/src/mfa/mfa_info.ts @@ -48,7 +48,6 @@ export abstract class MultiFactorInfoImpl implements MultiFactorInfo { if ('phoneInfo' in enrollment) { return PhoneMultiFactorInfoImpl._fromServerResponse(auth, enrollment); } else if ('totpInfo' in enrollment) { - // TODO(prameshj) ensure that this field is set by the backend once the tracking bug is fixed. return TotpMultiFactorInfoImpl._fromServerResponse(auth, enrollment); } return _fail(auth, AuthErrorCode.INTERNAL_ERROR); From 2ab3198e9f46d24b50010be9f44a984b8359c896 Mon Sep 17 00:00:00 2001 From: Pavithra Ramesh Date: Wed, 22 Mar 2023 12:45:05 -0700 Subject: [PATCH 17/26] Add back totp-generator dep (removed during merge conflict) --- packages/auth/package.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/packages/auth/package.json b/packages/auth/package.json index 0aee237edb3..fd02e002634 100644 --- a/packages/auth/package.json +++ b/packages/auth/package.json @@ -128,7 +128,8 @@ "rollup-plugin-typescript2": "0.31.2", "selenium-webdriver": "4.8.0", "typescript": "4.7.4", - "@types/express": "4.17.17" + "@types/express": "4.17.17", + "totp-generator": "0.0.14" }, "repository": { "directory": "packages/auth", From df20c0a5b0d79727a0a55c64dcec3d25630b6601 Mon Sep 17 00:00:00 2001 From: Pavithra Ramesh Date: Mon, 27 Mar 2023 23:32:20 -0700 Subject: [PATCH 18/26] Fix doc comments in TOTP files --- packages/auth/src/mfa/assertions/totp.ts | 8 ++++---- packages/auth/src/model/public_types.ts | 3 ++- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/packages/auth/src/mfa/assertions/totp.ts b/packages/auth/src/mfa/assertions/totp.ts index 5bbc7febe07..1277d3c1a32 100644 --- a/packages/auth/src/mfa/assertions/totp.ts +++ b/packages/auth/src/mfa/assertions/totp.ts @@ -46,7 +46,7 @@ export class TotpMultiFactorGenerator { * the totp(Time-based One Time Password) second factor. * This assertion is used to complete enrollment in TOTP second factor. * - * @param secret {@link TotpSecret}. + * @param secret A {@link TotpSecret} containing the shared secret key and other TOTP parameters. * @param oneTimePassword One-time password from TOTP App. * @returns A {@link TotpMultiFactorAssertion} which can be used with * {@link MultiFactorUser.enroll}. @@ -78,12 +78,12 @@ export class TotpMultiFactorGenerator { } /** - * Returns a promise to {@link TOTPSecret} which contains the TOTP shared secret key and other parameters. + * Returns a promise to {@link TotpSecret} which contains the TOTP shared secret key and other parameters. * Creates a TOTP secret as part of enrolling a TOTP second factor. * Used for generating a QRCode URL or inputting into a TOTP App. * This method uses the auth instance corresponding to the user in the multiFactorSession. * - * @param session A link to {@MultiFactorSession}. + * @param session The {@link MultiFactorSession} that the user is part of. * @returns A promise to {@link TotpSecret}. */ static async generateSecret( @@ -184,7 +184,7 @@ export class TotpMultiFactorAssertionImpl */ export class TotpSecret { /** - * Shared secret key/seed used for enrolling in TOTP MFA and generating otps. + * Shared secret key/seed used for enrolling in TOTP MFA and generating OTPs. */ readonly secretKey: string; /** diff --git a/packages/auth/src/model/public_types.ts b/packages/auth/src/model/public_types.ts index d65fcf840bb..026079f0858 100644 --- a/packages/auth/src/model/public_types.ts +++ b/packages/auth/src/model/public_types.ts @@ -1240,7 +1240,8 @@ export interface Dependencies { /** * The class for asserting ownership of a totp second factor. Provided by - * {@link TotpMultiFactorGenerator.assertion}. + * {@link TotpMultiFactorGenerator.assertionForEnrollment} and + * {@link TotpMultiFactorGenerator.assertionForSignIn}. * * @public */ From 0972c844209997f265b22c55cdc6161e32a1b729 Mon Sep 17 00:00:00 2001 From: Pavithra Ramesh Date: Mon, 27 Mar 2023 23:48:26 -0700 Subject: [PATCH 19/26] Generate docs for TOTP --- docs-devsite/auth.md | 5 + docs-devsite/auth.totpmultifactorassertion.md | 21 ++++ docs-devsite/auth.totpmultifactorgenerator.md | 112 ++++++++++++++++++ docs-devsite/auth.totpmultifactorinfo.md | 21 ++++ docs-devsite/auth.totpsecret.md | 111 +++++++++++++++++ 5 files changed, 270 insertions(+) create mode 100644 docs-devsite/auth.totpmultifactorassertion.md create mode 100644 docs-devsite/auth.totpmultifactorgenerator.md create mode 100644 docs-devsite/auth.totpmultifactorinfo.md create mode 100644 docs-devsite/auth.totpsecret.md diff --git a/docs-devsite/auth.md b/docs-devsite/auth.md index f0f9029c225..03caef2c43a 100644 --- a/docs-devsite/auth.md +++ b/docs-devsite/auth.md @@ -93,6 +93,8 @@ Firebase Authentication | [PhoneMultiFactorGenerator](./auth.phonemultifactorgenerator.md#phonemultifactorgenerator_class) | Provider for generating a [PhoneMultiFactorAssertion](./auth.phonemultifactorassertion.md#phonemultifactorassertion_interface). | | [RecaptchaVerifier](./auth.recaptchaverifier.md#recaptchaverifier_class) | An [reCAPTCHA](https://www.google.com/recaptcha/)-based application verifier. | | [SAMLAuthProvider](./auth.samlauthprovider.md#samlauthprovider_class) | An [AuthProvider](./auth.authprovider.md#authprovider_interface) for SAML. | +| [TotpMultiFactorGenerator](./auth.totpmultifactorgenerator.md#totpmultifactorgenerator_class) | Provider for generating a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface). | +| [TotpSecret](./auth.totpsecret.md#totpsecret_class) | Provider for generating a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface).Stores the shared secret key and other parameters to generate time-based OTPs. Implements methods to retrieve the shared secret key, generate a QRCode URL. | | [TwitterAuthProvider](./auth.twitterauthprovider.md#twitterauthprovider_class) | Provider for generating an [OAuthCredential](./auth.oauthcredential.md#oauthcredential_class) for [ProviderId](./auth.md#providerid).TWITTER. | ## Interfaces @@ -130,6 +132,8 @@ Firebase Authentication | [PopupRedirectResolver](./auth.popupredirectresolver.md#popupredirectresolver_interface) | A resolver used for handling DOM specific operations like [signInWithPopup()](./auth.md#signinwithpopup) or [signInWithRedirect()](./auth.md#signinwithredirect). | | [ReactNativeAsyncStorage](./auth.reactnativeasyncstorage.md#reactnativeasyncstorage_interface) | Interface for a supplied AsyncStorage. | | [RecaptchaParameters](./auth.recaptchaparameters.md#recaptchaparameters_interface) | Interface representing reCAPTCHA parameters.See the \[reCAPTCHA docs\](https://developers.google.com/recaptcha/docs/display\#render\_param) for the list of accepted parameters. All parameters are accepted except for sitekey: Firebase Auth provisions a reCAPTCHA for each project and will configure the site key upon rendering.For an invisible reCAPTCHA, set the size key to invisible. | +| [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) | The class for asserting ownership of a totp second factor. Provided by [TotpMultiFactorGenerator.assertionForEnrollment()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforenrollment) and [TotpMultiFactorGenerator.assertionForSignIn()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforsignin). | +| [TotpMultiFactorInfo](./auth.totpmultifactorinfo.md#totpmultifactorinfo_interface) | The subclass of the [MultiFactorInfo](./auth.multifactorinfo.md#multifactorinfo_interface) interface for TOTP second factors. The factorId of this second factor is [FactorId](./auth.md#factorid).TOTP. | | [User](./auth.user.md#user_interface) | A user account. | | [UserCredential](./auth.usercredential.md#usercredential_interface) | A structure containing a [User](./auth.user.md#user_interface), the [OperationType](./auth.md#operationtype), and the provider ID. | | [UserInfo](./auth.userinfo.md#userinfo_interface) | User profile information, visible only to the Firebase project's apps. | @@ -1855,6 +1859,7 @@ An enum of factors that may be used for multifactor authentication. ```typescript FactorId: { readonly PHONE: "phone"; + readonly TOTP: "totp"; } ``` diff --git a/docs-devsite/auth.totpmultifactorassertion.md b/docs-devsite/auth.totpmultifactorassertion.md new file mode 100644 index 00000000000..0aada477dd5 --- /dev/null +++ b/docs-devsite/auth.totpmultifactorassertion.md @@ -0,0 +1,21 @@ +Project: /docs/reference/js/_project.yaml +Book: /docs/reference/_book.yaml +page_type: reference + +{% comment %} +DO NOT EDIT THIS FILE! +This is generated by the JS SDK team, and any local changes will be +overwritten. Changes should be made in the source code at +https://github.com/firebase/firebase-js-sdk +{% endcomment %} + +# TotpMultiFactorAssertion interface +The class for asserting ownership of a totp second factor. Provided by [TotpMultiFactorGenerator.assertionForEnrollment()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforenrollment) and [TotpMultiFactorGenerator.assertionForSignIn()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforsignin). + +Signature: + +```typescript +export interface TotpMultiFactorAssertion extends MultiFactorAssertion +``` +Extends: [MultiFactorAssertion](./auth.multifactorassertion.md#multifactorassertion_interface) + diff --git a/docs-devsite/auth.totpmultifactorgenerator.md b/docs-devsite/auth.totpmultifactorgenerator.md new file mode 100644 index 00000000000..5e8a83a9d19 --- /dev/null +++ b/docs-devsite/auth.totpmultifactorgenerator.md @@ -0,0 +1,112 @@ +Project: /docs/reference/js/_project.yaml +Book: /docs/reference/_book.yaml +page_type: reference + +{% comment %} +DO NOT EDIT THIS FILE! +This is generated by the JS SDK team, and any local changes will be +overwritten. Changes should be made in the source code at +https://github.com/firebase/firebase-js-sdk +{% endcomment %} + +# TotpMultiFactorGenerator class +Provider for generating a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface). + +Signature: + +```typescript +export declare class TotpMultiFactorGenerator +``` + +## Properties + +| Property | Modifiers | Type | Description | +| --- | --- | --- | --- | +| [FACTOR\_ID](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorfactor_id) | static | FactorId | The identifier of the TOTP second factor: totp. | + +## Methods + +| Method | Modifiers | Description | +| --- | --- | --- | +| [assertionForEnrollment(secret, oneTimePassword)](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforenrollment) | static | Provides a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) to confirm ownership of the totp(Time-based One Time Password) second factor. This assertion is used to complete enrollment in TOTP second factor. | +| [assertionForSignIn(enrollmentId, oneTimePassword)](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforsignin) | static | Provides a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) to confirm ownership of the totp second factor. This assertion is used to complete signIn with TOTP as the second factor. | +| [generateSecret(session)](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorgeneratesecret) | static | Returns a promise to [TotpSecret](./auth.totpsecret.md#totpsecret_class) which contains the TOTP shared secret key and other parameters. Creates a TOTP secret as part of enrolling a TOTP second factor. Used for generating a QRCode URL or inputting into a TOTP App. This method uses the auth instance corresponding to the user in the multiFactorSession. | + +## TotpMultiFactorGenerator.FACTOR\_ID + +The identifier of the TOTP second factor: `totp`. + +Signature: + +```typescript +static FACTOR_ID: FactorId; +``` + +## TotpMultiFactorGenerator.assertionForEnrollment() + +Provides a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) to confirm ownership of the totp(Time-based One Time Password) second factor. This assertion is used to complete enrollment in TOTP second factor. + +Signature: + +```typescript +static assertionForEnrollment(secret: TotpSecret, oneTimePassword: string): TotpMultiFactorAssertion; +``` + +### Parameters + +| Parameter | Type | Description | +| --- | --- | --- | +| secret | [TotpSecret](./auth.totpsecret.md#totpsecret_class) | A [TotpSecret](./auth.totpsecret.md#totpsecret_class) containing the shared secret key and other TOTP parameters. | +| oneTimePassword | string | One-time password from TOTP App. | + +Returns: + +[TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) + +A [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) which can be used with [MultiFactorUser.enroll()](./auth.multifactoruser.md#multifactoruserenroll). + +## TotpMultiFactorGenerator.assertionForSignIn() + +Provides a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) to confirm ownership of the totp second factor. This assertion is used to complete signIn with TOTP as the second factor. + +Signature: + +```typescript +static assertionForSignIn(enrollmentId: string, oneTimePassword: string): TotpMultiFactorAssertion; +``` + +### Parameters + +| Parameter | Type | Description | +| --- | --- | --- | +| enrollmentId | string | identifies the enrolled TOTP second factor. | +| oneTimePassword | string | One-time password from TOTP App. | + +Returns: + +[TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) + +A [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) which can be used with [MultiFactorResolver.resolveSignIn()](./auth.multifactorresolver.md#multifactorresolverresolvesignin). + +## TotpMultiFactorGenerator.generateSecret() + +Returns a promise to [TotpSecret](./auth.totpsecret.md#totpsecret_class) which contains the TOTP shared secret key and other parameters. Creates a TOTP secret as part of enrolling a TOTP second factor. Used for generating a QRCode URL or inputting into a TOTP App. This method uses the auth instance corresponding to the user in the multiFactorSession. + +Signature: + +```typescript +static generateSecret(session: MultiFactorSession): Promise; +``` + +### Parameters + +| Parameter | Type | Description | +| --- | --- | --- | +| session | [MultiFactorSession](./auth.multifactorsession.md#multifactorsession_interface) | The [MultiFactorSession](./auth.multifactorsession.md#multifactorsession_interface) that the user is part of. | + +Returns: + +Promise<[TotpSecret](./auth.totpsecret.md#totpsecret_class)> + +A promise to [TotpSecret](./auth.totpsecret.md#totpsecret_class). + diff --git a/docs-devsite/auth.totpmultifactorinfo.md b/docs-devsite/auth.totpmultifactorinfo.md new file mode 100644 index 00000000000..116474ec850 --- /dev/null +++ b/docs-devsite/auth.totpmultifactorinfo.md @@ -0,0 +1,21 @@ +Project: /docs/reference/js/_project.yaml +Book: /docs/reference/_book.yaml +page_type: reference + +{% comment %} +DO NOT EDIT THIS FILE! +This is generated by the JS SDK team, and any local changes will be +overwritten. Changes should be made in the source code at +https://github.com/firebase/firebase-js-sdk +{% endcomment %} + +# TotpMultiFactorInfo interface +The subclass of the [MultiFactorInfo](./auth.multifactorinfo.md#multifactorinfo_interface) interface for TOTP second factors. The `factorId` of this second factor is [FactorId](./auth.md#factorid).TOTP. + +Signature: + +```typescript +export interface TotpMultiFactorInfo extends MultiFactorInfo +``` +Extends: [MultiFactorInfo](./auth.multifactorinfo.md#multifactorinfo_interface) + diff --git a/docs-devsite/auth.totpsecret.md b/docs-devsite/auth.totpsecret.md new file mode 100644 index 00000000000..a4f313b0bd4 --- /dev/null +++ b/docs-devsite/auth.totpsecret.md @@ -0,0 +1,111 @@ +Project: /docs/reference/js/_project.yaml +Book: /docs/reference/_book.yaml +page_type: reference + +{% comment %} +DO NOT EDIT THIS FILE! +This is generated by the JS SDK team, and any local changes will be +overwritten. Changes should be made in the source code at +https://github.com/firebase/firebase-js-sdk +{% endcomment %} + +# TotpSecret class +Provider for generating a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface). + +Stores the shared secret key and other parameters to generate time-based OTPs. Implements methods to retrieve the shared secret key, generate a QRCode URL. + +Signature: + +```typescript +export declare class TotpSecret +``` + +## Properties + +| Property | Modifiers | Type | Description | +| --- | --- | --- | --- | +| [codeIntervalSeconds](./auth.totpsecret.md#totpsecretcodeintervalseconds) | | number | The interval (in seconds) when the OTP codes should change. | +| [codeLength](./auth.totpsecret.md#totpsecretcodelength) | | number | Length of the one-time passwords to be generated. | +| [enrollmentCompletionDeadline](./auth.totpsecret.md#totpsecretenrollmentcompletiondeadline) | | string | The timestamp(UTC string) by which TOTP enrollment should be completed. | +| [hashingAlgorithm](./auth.totpsecret.md#totpsecrethashingalgorithm) | | string | Hashing algorithm used. | +| [secretKey](./auth.totpsecret.md#totpsecretsecretkey) | | string | Shared secret key/seed used for enrolling in TOTP MFA and generating OTPs. | + +## Methods + +| Method | Modifiers | Description | +| --- | --- | --- | +| [generateQrCodeUrl(accountName, issuer)](./auth.totpsecret.md#totpsecretgenerateqrcodeurl) | | Returns a QRCode URL as described in https://github.com/google/google-authenticator/wiki/Key-Uri-Format This can be displayed to the user as a QRCode to be scanned into a TOTP App like Google Authenticator. If the optional parameters are unspecified, an accountName of and issuer of are used. | + +## TotpSecret.codeIntervalSeconds + +The interval (in seconds) when the OTP codes should change. + +Signature: + +```typescript +readonly codeIntervalSeconds: number; +``` + +## TotpSecret.codeLength + +Length of the one-time passwords to be generated. + +Signature: + +```typescript +readonly codeLength: number; +``` + +## TotpSecret.enrollmentCompletionDeadline + +The timestamp(UTC string) by which TOTP enrollment should be completed. + +Signature: + +```typescript +readonly enrollmentCompletionDeadline: string; +``` + +## TotpSecret.hashingAlgorithm + +Hashing algorithm used. + +Signature: + +```typescript +readonly hashingAlgorithm: string; +``` + +## TotpSecret.secretKey + +Shared secret key/seed used for enrolling in TOTP MFA and generating OTPs. + +Signature: + +```typescript +readonly secretKey: string; +``` + +## TotpSecret.generateQrCodeUrl() + +Returns a QRCode URL as described in https://github.com/google/google-authenticator/wiki/Key-Uri-Format This can be displayed to the user as a QRCode to be scanned into a TOTP App like Google Authenticator. If the optional parameters are unspecified, an accountName of and issuer of are used. + +Signature: + +```typescript +generateQrCodeUrl(accountName?: string, issuer?: string): string; +``` + +### Parameters + +| Parameter | Type | Description | +| --- | --- | --- | +| accountName | string | the name of the account/app along with a user identifier. | +| issuer | string | issuer of the TOTP(likely the app name). | + +Returns: + +string + +A QRCode URL string. + From b13870cdb0596dd9dd114690b8d5d37d99e55288 Mon Sep 17 00:00:00 2001 From: Pavithra Ramesh Date: Tue, 28 Mar 2023 09:22:56 -0700 Subject: [PATCH 20/26] Add changeset --- .changeset/hot-experts-talk.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .changeset/hot-experts-talk.md diff --git a/.changeset/hot-experts-talk.md b/.changeset/hot-experts-talk.md new file mode 100644 index 00000000000..2903ce42919 --- /dev/null +++ b/.changeset/hot-experts-talk.md @@ -0,0 +1,5 @@ +--- +'@firebase/auth': patch +--- + +Support TOTP as a multi-factor option in Firebase Auth/GCIP. From 8c158e8efabc6a267b2184b9487cd54e63939a50 Mon Sep 17 00:00:00 2001 From: prameshj Date: Tue, 28 Mar 2023 13:38:09 -0700 Subject: [PATCH 21/26] Update packages/auth/src/mfa/assertions/totp.ts Co-authored-by: Kevin Cheung --- packages/auth/src/mfa/assertions/totp.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/auth/src/mfa/assertions/totp.ts b/packages/auth/src/mfa/assertions/totp.ts index 1277d3c1a32..01c15462f29 100644 --- a/packages/auth/src/mfa/assertions/totp.ts +++ b/packages/auth/src/mfa/assertions/totp.ts @@ -43,7 +43,7 @@ import { _assert } from '../../core/util/assert'; export class TotpMultiFactorGenerator { /** * Provides a {@link TotpMultiFactorAssertion} to confirm ownership of - * the totp(Time-based One Time Password) second factor. + * the TOTP (time-based one-time password) second factor. * This assertion is used to complete enrollment in TOTP second factor. * * @param secret A {@link TotpSecret} containing the shared secret key and other TOTP parameters. From 5e73e410ffb84bdf0bc41da68169ecd77be0a639 Mon Sep 17 00:00:00 2001 From: prameshj Date: Tue, 28 Mar 2023 13:38:52 -0700 Subject: [PATCH 22/26] Update packages/auth/src/model/public_types.ts Co-authored-by: Kevin Cheung --- packages/auth/src/model/public_types.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/auth/src/model/public_types.ts b/packages/auth/src/model/public_types.ts index 026079f0858..0b872ec9297 100644 --- a/packages/auth/src/model/public_types.ts +++ b/packages/auth/src/model/public_types.ts @@ -1239,7 +1239,7 @@ export interface Dependencies { } /** - * The class for asserting ownership of a totp second factor. Provided by + * The class for asserting ownership of a TOTP second factor. Provided by * {@link TotpMultiFactorGenerator.assertionForEnrollment} and * {@link TotpMultiFactorGenerator.assertionForSignIn}. * From be27f0bd062ca6f937cc3d61beff8a4942e368d3 Mon Sep 17 00:00:00 2001 From: prameshj Date: Tue, 28 Mar 2023 13:39:06 -0700 Subject: [PATCH 23/26] Update packages/auth/src/mfa/assertions/totp.ts Co-authored-by: Kevin Cheung --- packages/auth/src/mfa/assertions/totp.ts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/packages/auth/src/mfa/assertions/totp.ts b/packages/auth/src/mfa/assertions/totp.ts index 01c15462f29..c8b350c4eaa 100644 --- a/packages/auth/src/mfa/assertions/totp.ts +++ b/packages/auth/src/mfa/assertions/totp.ts @@ -244,14 +244,14 @@ export class TotpSecret { } /** - * Returns a QRCode URL as described in + * Returns a QR code URL as described in * https://github.com/google/google-authenticator/wiki/Key-Uri-Format - * This can be displayed to the user as a QRCode to be scanned into a TOTP App like Google Authenticator. + * This can be displayed to the user as a QR code to be scanned into a TOTP app like Google Authenticator. * If the optional parameters are unspecified, an accountName of and issuer of are used. * * @param accountName the name of the account/app along with a user identifier. - * @param issuer issuer of the TOTP(likely the app name). - * @returns A QRCode URL string. + * @param issuer issuer of the TOTP (likely the app name). + * @returns A QR code URL string. */ generateQrCodeUrl(accountName?: string, issuer?: string): string { let useDefaults = false; From 81c317783863c3d1372a0c504420599d8a845c59 Mon Sep 17 00:00:00 2001 From: prameshj Date: Tue, 28 Mar 2023 13:39:20 -0700 Subject: [PATCH 24/26] Update packages/auth/src/mfa/assertions/totp.ts Co-authored-by: Kevin Cheung --- packages/auth/src/mfa/assertions/totp.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/auth/src/mfa/assertions/totp.ts b/packages/auth/src/mfa/assertions/totp.ts index c8b350c4eaa..aefcd1218a9 100644 --- a/packages/auth/src/mfa/assertions/totp.ts +++ b/packages/auth/src/mfa/assertions/totp.ts @@ -179,7 +179,7 @@ export class TotpMultiFactorAssertionImpl * Provider for generating a {@link TotpMultiFactorAssertion}. * * Stores the shared secret key and other parameters to generate time-based OTPs. - * Implements methods to retrieve the shared secret key, generate a QRCode URL. + * Implements methods to retrieve the shared secret key and generate a QR code URL. * @public */ export class TotpSecret { From a507d9359a36b52caa960024d12e370d906efe0a Mon Sep 17 00:00:00 2001 From: prameshj Date: Tue, 28 Mar 2023 13:41:03 -0700 Subject: [PATCH 25/26] Apply suggestions from code review Co-authored-by: Kevin Cheung --- packages/auth/src/mfa/assertions/totp.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/auth/src/mfa/assertions/totp.ts b/packages/auth/src/mfa/assertions/totp.ts index aefcd1218a9..35694ed39eb 100644 --- a/packages/auth/src/mfa/assertions/totp.ts +++ b/packages/auth/src/mfa/assertions/totp.ts @@ -59,7 +59,7 @@ export class TotpMultiFactorGenerator { } /** - * Provides a {@link TotpMultiFactorAssertion} to confirm ownership of the totp second factor. + * Provides a {@link TotpMultiFactorAssertion} to confirm ownership of the TOTP second factor. * This assertion is used to complete signIn with TOTP as the second factor. * * @param enrollmentId identifies the enrolled TOTP second factor. @@ -80,7 +80,7 @@ export class TotpMultiFactorGenerator { /** * Returns a promise to {@link TotpSecret} which contains the TOTP shared secret key and other parameters. * Creates a TOTP secret as part of enrolling a TOTP second factor. - * Used for generating a QRCode URL or inputting into a TOTP App. + * Used for generating a QR code URL or inputting into a TOTP app. * This method uses the auth instance corresponding to the user in the multiFactorSession. * * @param session The {@link MultiFactorSession} that the user is part of. @@ -200,7 +200,7 @@ export class TotpSecret { */ readonly codeIntervalSeconds: number; /** - * The timestamp(UTC string) by which TOTP enrollment should be completed. + * The timestamp (UTC string) by which TOTP enrollment should be completed. */ // This can be used by callers to show a countdown of when to enter OTP code by. readonly enrollmentCompletionDeadline: string; From 7c2af1806a8fc5c7eda497b45294026b1809a884 Mon Sep 17 00:00:00 2001 From: Pavithra Ramesh Date: Tue, 28 Mar 2023 13:51:02 -0700 Subject: [PATCH 26/26] re-generate docs --- docs-devsite/auth.md | 4 ++-- docs-devsite/auth.totpmultifactorassertion.md | 2 +- docs-devsite/auth.totpmultifactorgenerator.md | 12 ++++++------ docs-devsite/auth.totpsecret.md | 14 +++++++------- 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/docs-devsite/auth.md b/docs-devsite/auth.md index 03caef2c43a..d3b3572df51 100644 --- a/docs-devsite/auth.md +++ b/docs-devsite/auth.md @@ -94,7 +94,7 @@ Firebase Authentication | [RecaptchaVerifier](./auth.recaptchaverifier.md#recaptchaverifier_class) | An [reCAPTCHA](https://www.google.com/recaptcha/)-based application verifier. | | [SAMLAuthProvider](./auth.samlauthprovider.md#samlauthprovider_class) | An [AuthProvider](./auth.authprovider.md#authprovider_interface) for SAML. | | [TotpMultiFactorGenerator](./auth.totpmultifactorgenerator.md#totpmultifactorgenerator_class) | Provider for generating a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface). | -| [TotpSecret](./auth.totpsecret.md#totpsecret_class) | Provider for generating a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface).Stores the shared secret key and other parameters to generate time-based OTPs. Implements methods to retrieve the shared secret key, generate a QRCode URL. | +| [TotpSecret](./auth.totpsecret.md#totpsecret_class) | Provider for generating a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface).Stores the shared secret key and other parameters to generate time-based OTPs. Implements methods to retrieve the shared secret key and generate a QR code URL. | | [TwitterAuthProvider](./auth.twitterauthprovider.md#twitterauthprovider_class) | Provider for generating an [OAuthCredential](./auth.oauthcredential.md#oauthcredential_class) for [ProviderId](./auth.md#providerid).TWITTER. | ## Interfaces @@ -132,7 +132,7 @@ Firebase Authentication | [PopupRedirectResolver](./auth.popupredirectresolver.md#popupredirectresolver_interface) | A resolver used for handling DOM specific operations like [signInWithPopup()](./auth.md#signinwithpopup) or [signInWithRedirect()](./auth.md#signinwithredirect). | | [ReactNativeAsyncStorage](./auth.reactnativeasyncstorage.md#reactnativeasyncstorage_interface) | Interface for a supplied AsyncStorage. | | [RecaptchaParameters](./auth.recaptchaparameters.md#recaptchaparameters_interface) | Interface representing reCAPTCHA parameters.See the \[reCAPTCHA docs\](https://developers.google.com/recaptcha/docs/display\#render\_param) for the list of accepted parameters. All parameters are accepted except for sitekey: Firebase Auth provisions a reCAPTCHA for each project and will configure the site key upon rendering.For an invisible reCAPTCHA, set the size key to invisible. | -| [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) | The class for asserting ownership of a totp second factor. Provided by [TotpMultiFactorGenerator.assertionForEnrollment()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforenrollment) and [TotpMultiFactorGenerator.assertionForSignIn()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforsignin). | +| [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) | The class for asserting ownership of a TOTP second factor. Provided by [TotpMultiFactorGenerator.assertionForEnrollment()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforenrollment) and [TotpMultiFactorGenerator.assertionForSignIn()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforsignin). | | [TotpMultiFactorInfo](./auth.totpmultifactorinfo.md#totpmultifactorinfo_interface) | The subclass of the [MultiFactorInfo](./auth.multifactorinfo.md#multifactorinfo_interface) interface for TOTP second factors. The factorId of this second factor is [FactorId](./auth.md#factorid).TOTP. | | [User](./auth.user.md#user_interface) | A user account. | | [UserCredential](./auth.usercredential.md#usercredential_interface) | A structure containing a [User](./auth.user.md#user_interface), the [OperationType](./auth.md#operationtype), and the provider ID. | diff --git a/docs-devsite/auth.totpmultifactorassertion.md b/docs-devsite/auth.totpmultifactorassertion.md index 0aada477dd5..ef4f6f34fd5 100644 --- a/docs-devsite/auth.totpmultifactorassertion.md +++ b/docs-devsite/auth.totpmultifactorassertion.md @@ -10,7 +10,7 @@ https://github.com/firebase/firebase-js-sdk {% endcomment %} # TotpMultiFactorAssertion interface -The class for asserting ownership of a totp second factor. Provided by [TotpMultiFactorGenerator.assertionForEnrollment()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforenrollment) and [TotpMultiFactorGenerator.assertionForSignIn()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforsignin). +The class for asserting ownership of a TOTP second factor. Provided by [TotpMultiFactorGenerator.assertionForEnrollment()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforenrollment) and [TotpMultiFactorGenerator.assertionForSignIn()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforsignin). Signature: diff --git a/docs-devsite/auth.totpmultifactorgenerator.md b/docs-devsite/auth.totpmultifactorgenerator.md index 5e8a83a9d19..93b7c485f40 100644 --- a/docs-devsite/auth.totpmultifactorgenerator.md +++ b/docs-devsite/auth.totpmultifactorgenerator.md @@ -28,9 +28,9 @@ export declare class TotpMultiFactorGenerator | Method | Modifiers | Description | | --- | --- | --- | -| [assertionForEnrollment(secret, oneTimePassword)](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforenrollment) | static | Provides a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) to confirm ownership of the totp(Time-based One Time Password) second factor. This assertion is used to complete enrollment in TOTP second factor. | -| [assertionForSignIn(enrollmentId, oneTimePassword)](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforsignin) | static | Provides a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) to confirm ownership of the totp second factor. This assertion is used to complete signIn with TOTP as the second factor. | -| [generateSecret(session)](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorgeneratesecret) | static | Returns a promise to [TotpSecret](./auth.totpsecret.md#totpsecret_class) which contains the TOTP shared secret key and other parameters. Creates a TOTP secret as part of enrolling a TOTP second factor. Used for generating a QRCode URL or inputting into a TOTP App. This method uses the auth instance corresponding to the user in the multiFactorSession. | +| [assertionForEnrollment(secret, oneTimePassword)](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforenrollment) | static | Provides a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) to confirm ownership of the TOTP (time-based one-time password) second factor. This assertion is used to complete enrollment in TOTP second factor. | +| [assertionForSignIn(enrollmentId, oneTimePassword)](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforsignin) | static | Provides a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) to confirm ownership of the TOTP second factor. This assertion is used to complete signIn with TOTP as the second factor. | +| [generateSecret(session)](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorgeneratesecret) | static | Returns a promise to [TotpSecret](./auth.totpsecret.md#totpsecret_class) which contains the TOTP shared secret key and other parameters. Creates a TOTP secret as part of enrolling a TOTP second factor. Used for generating a QR code URL or inputting into a TOTP app. This method uses the auth instance corresponding to the user in the multiFactorSession. | ## TotpMultiFactorGenerator.FACTOR\_ID @@ -44,7 +44,7 @@ static FACTOR_ID: FactorId; ## TotpMultiFactorGenerator.assertionForEnrollment() -Provides a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) to confirm ownership of the totp(Time-based One Time Password) second factor. This assertion is used to complete enrollment in TOTP second factor. +Provides a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) to confirm ownership of the TOTP (time-based one-time password) second factor. This assertion is used to complete enrollment in TOTP second factor. Signature: @@ -67,7 +67,7 @@ A [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactora ## TotpMultiFactorGenerator.assertionForSignIn() -Provides a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) to confirm ownership of the totp second factor. This assertion is used to complete signIn with TOTP as the second factor. +Provides a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) to confirm ownership of the TOTP second factor. This assertion is used to complete signIn with TOTP as the second factor. Signature: @@ -90,7 +90,7 @@ A [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactora ## TotpMultiFactorGenerator.generateSecret() -Returns a promise to [TotpSecret](./auth.totpsecret.md#totpsecret_class) which contains the TOTP shared secret key and other parameters. Creates a TOTP secret as part of enrolling a TOTP second factor. Used for generating a QRCode URL or inputting into a TOTP App. This method uses the auth instance corresponding to the user in the multiFactorSession. +Returns a promise to [TotpSecret](./auth.totpsecret.md#totpsecret_class) which contains the TOTP shared secret key and other parameters. Creates a TOTP secret as part of enrolling a TOTP second factor. Used for generating a QR code URL or inputting into a TOTP app. This method uses the auth instance corresponding to the user in the multiFactorSession. Signature: diff --git a/docs-devsite/auth.totpsecret.md b/docs-devsite/auth.totpsecret.md index a4f313b0bd4..8e040735b2d 100644 --- a/docs-devsite/auth.totpsecret.md +++ b/docs-devsite/auth.totpsecret.md @@ -12,7 +12,7 @@ https://github.com/firebase/firebase-js-sdk # TotpSecret class Provider for generating a [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface). -Stores the shared secret key and other parameters to generate time-based OTPs. Implements methods to retrieve the shared secret key, generate a QRCode URL. +Stores the shared secret key and other parameters to generate time-based OTPs. Implements methods to retrieve the shared secret key and generate a QR code URL. Signature: @@ -26,7 +26,7 @@ export declare class TotpSecret | --- | --- | --- | --- | | [codeIntervalSeconds](./auth.totpsecret.md#totpsecretcodeintervalseconds) | | number | The interval (in seconds) when the OTP codes should change. | | [codeLength](./auth.totpsecret.md#totpsecretcodelength) | | number | Length of the one-time passwords to be generated. | -| [enrollmentCompletionDeadline](./auth.totpsecret.md#totpsecretenrollmentcompletiondeadline) | | string | The timestamp(UTC string) by which TOTP enrollment should be completed. | +| [enrollmentCompletionDeadline](./auth.totpsecret.md#totpsecretenrollmentcompletiondeadline) | | string | The timestamp (UTC string) by which TOTP enrollment should be completed. | | [hashingAlgorithm](./auth.totpsecret.md#totpsecrethashingalgorithm) | | string | Hashing algorithm used. | | [secretKey](./auth.totpsecret.md#totpsecretsecretkey) | | string | Shared secret key/seed used for enrolling in TOTP MFA and generating OTPs. | @@ -34,7 +34,7 @@ export declare class TotpSecret | Method | Modifiers | Description | | --- | --- | --- | -| [generateQrCodeUrl(accountName, issuer)](./auth.totpsecret.md#totpsecretgenerateqrcodeurl) | | Returns a QRCode URL as described in https://github.com/google/google-authenticator/wiki/Key-Uri-Format This can be displayed to the user as a QRCode to be scanned into a TOTP App like Google Authenticator. If the optional parameters are unspecified, an accountName of and issuer of are used. | +| [generateQrCodeUrl(accountName, issuer)](./auth.totpsecret.md#totpsecretgenerateqrcodeurl) | | Returns a QR code URL as described in https://github.com/google/google-authenticator/wiki/Key-Uri-Format This can be displayed to the user as a QR code to be scanned into a TOTP app like Google Authenticator. If the optional parameters are unspecified, an accountName of and issuer of are used. | ## TotpSecret.codeIntervalSeconds @@ -58,7 +58,7 @@ readonly codeLength: number; ## TotpSecret.enrollmentCompletionDeadline -The timestamp(UTC string) by which TOTP enrollment should be completed. +The timestamp (UTC string) by which TOTP enrollment should be completed. Signature: @@ -88,7 +88,7 @@ readonly secretKey: string; ## TotpSecret.generateQrCodeUrl() -Returns a QRCode URL as described in https://github.com/google/google-authenticator/wiki/Key-Uri-Format This can be displayed to the user as a QRCode to be scanned into a TOTP App like Google Authenticator. If the optional parameters are unspecified, an accountName of and issuer of are used. +Returns a QR code URL as described in https://github.com/google/google-authenticator/wiki/Key-Uri-Format This can be displayed to the user as a QR code to be scanned into a TOTP app like Google Authenticator. If the optional parameters are unspecified, an accountName of and issuer of are used. Signature: @@ -101,11 +101,11 @@ generateQrCodeUrl(accountName?: string, issuer?: string): string; | Parameter | Type | Description | | --- | --- | --- | | accountName | string | the name of the account/app along with a user identifier. | -| issuer | string | issuer of the TOTP(likely the app name). | +| issuer | string | issuer of the TOTP (likely the app name). | Returns: string -A QRCode URL string. +A QR code URL string.