The readme states that I have to call my endpoint to get a custom token and sign in. I implemented it according to the guide provided and am able to sign in now.
From my understanding, when Firebase auth returns instant verification as true, shouldn't I get signed in directly instead of requesting a custom token from my endpoint to sign in with a custom token?
Is the method stated in the readme a temporary workaround or a permanent fix?
I am facing the same dilemma, and while going through the Firebase Docs, I found some points that can be used to reach a permanent fix.
Link to Firebase Docs: Authenticate with Firebase on Android using a Phone Number
Quoting the docs:
onVerificationCompleted(PhoneAuthCredential)
This method is called in two situations:
- Instant verification: in some cases the phone number can be instantly verified without needing to send or enter a verification code.
- Auto-retrieval: on some devices, Google Play services can automatically detect the incoming verification SMS and perform verification without user action. (This capability might be unavailable with some carriers.)
In either case, _the user's phone number has been verified successfully, and you can use the PhoneAuthCredential object that's passed to the callback to sign in the user._
onCodeSent(String verificationId, PhoneAuthProvider.ForceResendingToken)
Optional. This method is called after the verification code has been sent by SMS to the provided phone number.
When this method is called, most apps display a UI that prompts the user to type the verification code from the SMS message. (At the same time, auto-verification might be proceeding in the background.) _Then, after the user types the verification code, you can use the verification code and the verification ID that was passed to the method to create a PhoneAuthCredential object, which you can in turn use to sign in the user_. However, some apps might wait until onCodeAutoRetrievalTimeOut is called before displaying the verification code UI (not recommended).
If you focus on the italicized text, the `PhoneAuthCredential` can be used to sign in the user.
In the `onCodeSent()` case, we create the `PhoneAuthCredential` ourselves and then sign in using the following code:

```ts
signInWithOTP(verificationId: string, otpCode: string): Promise<firebase.User> {
  return firebase.auth().signInWithCredential(
    firebase.auth.PhoneAuthProvider.credential(verificationId, otpCode)
  );
}
```
But in the `onVerificationCompleted()` case, the `PhoneAuthCredential` is passed to the callback...
The implementation of this in the plugin is as follows, where `PhoneAuthCredential` is passed to the callback:
https://github.com/arnesson/cordova-plugin-firebase/blob/c53bd4aa04e83e37009ecfb1fd4342ac2cc78618/src/android/FirebasePlugin.java#L937-L962
So, if we could expose this `PhoneAuthCredential` outside the plugin, returned along with the `pluginResult`, or maybe implement a `signIn()` function within the plugin as quoted from the Firebase docs:
Sign in the user
After you get a PhoneAuthCredential object, whether in the onVerificationCompleted callback or by calling PhoneAuthProvider.getCredential, complete the sign-in flow by passing the PhoneAuthCredential object to FirebaseAuth.signInWithCredential:
```java
private void signInWithPhoneAuthCredential(PhoneAuthCredential credential) {
    mAuth.signInWithCredential(credential)
            .addOnCompleteListener(this, new OnCompleteListener<AuthResult>() {
                @Override
                public void onComplete(@NonNull Task<AuthResult> task) {
                    if (task.isSuccessful()) {
                        // Sign in success, update UI with the signed-in user's information
                        Log.d(TAG, "signInWithCredential:success");

                        FirebaseUser user = task.getResult().getUser();
                        // ...
                    } else {
                        // Sign in failed, display a message and update the UI
                        Log.w(TAG, "signInWithCredential:failure", task.getException());
                        if (task.getException() instanceof FirebaseAuthInvalidCredentialsException) {
                            // The verification code entered was invalid
                        }
                    }
                }
            });
}
```
By adding `returnResults.put("credential", credential);` to these lines, we may return the `PhoneAuthCredential` to be used further, as is being done in `onCodeSent()`:
https://github.com/arnesson/cordova-plugin-firebase/blob/c53bd4aa04e83e37009ecfb1fd4342ac2cc78618/src/android/FirebasePlugin.java#L948-L951
Maybe the Instant Verification could also be handled using the plugin this way.
I am no expert in this and am just making some deductions from the available information. Kind of brainstorming, but if someone could take it forward from here, it would be great.
@YaMo97 : Your solution is correct 👍. I will try to implement it.
I think it's a bad idea to call the backend server with phone number to get the token. It's a big security breach. Anyone can access this URL, pass any phone number as parameter and get a token to get access on the app.
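The endpoint described in the comment above, modelled offline as an added example (not code from the plugin, its README or the Firebase SDK): a handler that mints a token from a phone number alone, beside one that issues it only after proof of possession. `mintToken`, the handler names, the OTP store and the phone numbers are hypothetical stand-ins, and the hardened handler illustrates the missing check rather than the fix shipped in the plugin.

```javascript
// Added example; every name here is hypothetical. mintToken stands in for a
// real custom-token issuer so that the example runs offline.
const crypto = require('crypto');

const SERVER_KEY = crypto.randomBytes(32);  // server-side signing key (constructed)
const pendingOtps = new Map();              // phone -> { code, expires, tries }

function mintToken(uid) {
  const body = Buffer.from(JSON.stringify({ uid, iat: Date.now() })).toString('base64');
  const sig = crypto.createHmac('sha256', SERVER_KEY).update(body).digest('hex');
  return `${body}.${sig}`;
}

// Weak: the phone number is the only input, so the caller proves nothing
// about owning it and still receives a valid token for that identity.
function issueTokenByPhoneOnly(phone) {
  return mintToken(`phone:${phone}`);
}

// The server would deliver the code out of band (SMS). It is returned here
// only so the example can run without a network.
function startVerification(phone, now = Date.now()) {
  const code = crypto.randomInt(0, 1000000).toString().padStart(6, '0');
  pendingOtps.set(phone, { code, expires: now + 5 * 60 * 1000, tries: 0 });
  return code;
}

// Hardened: a token is issued only for a matching, unexpired, single-use
// code, and the challenge is dropped after three attempts.
function issueTokenWithProof(phone, code, now = Date.now()) {
  const entry = pendingOtps.get(phone);
  if (!entry || now > entry.expires || entry.tries >= 3) {
    pendingOtps.delete(phone);
    return null;
  }
  entry.tries += 1;
  const expected = Buffer.from(entry.code);
  const supplied = Buffer.from(String(code));
  if (expected.length !== supplied.length ||
      !crypto.timingSafeEqual(expected, supplied)) {
    return null;
  }
  pendingOtps.delete(phone);  // one-time use
  return mintToken(`phone:${phone}`);
}
```
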
You are right @placha433 - I never thought about this hack while I was trying to fix this issue. So this is on me and the readme should be changed. We stopped using Firebase at this project, as it didn't do the job right like we wanted.
Love to see you guys push out a fix for this
This has been fixed in v2.0.3 via https://github.com/arnesson/cordova-plugin-firebase/pull/861