From c4e1ed3601e030d360d785779cf44cd167ec95ce Mon Sep 17 00:00:00 2001 From: nhienlam Date: Tue, 14 Nov 2023 23:37:14 -0800 Subject: [PATCH 1/4] Update injectRecaptchaFields to inject recaptcha fields into phone API requests --- .../src/api/account_management/mfa.test.ts | 12 +- .../auth/src/api/account_management/mfa.ts | 7 +- .../auth/src/api/authentication/mfa.test.ts | 12 +- packages/auth/src/api/authentication/mfa.ts | 7 +- .../auth/src/api/authentication/sms.test.ts | 12 +- packages/auth/src/api/authentication/sms.ts | 7 +- packages/auth/src/api/index.ts | 8 +- .../recaptcha/recaptcha.test.ts | 60 +++++- .../platform_browser/recaptcha/recaptcha.ts | 19 +- .../recaptcha_enterprise_verifier.test.ts | 191 ++++++++++++++++-- .../recaptcha_enterprise_verifier.ts | 60 +++++- 11 files changed, 350 insertions(+), 45 deletions(-) diff --git a/packages/auth/src/api/account_management/mfa.test.ts b/packages/auth/src/api/account_management/mfa.test.ts index 9f036471087..152f1fb53d3 100644 --- a/packages/auth/src/api/account_management/mfa.test.ts +++ b/packages/auth/src/api/account_management/mfa.test.ts @@ -20,7 +20,12 @@ import chaiAsPromised from 'chai-as-promised'; import { FirebaseError } from '@firebase/util'; -import { Endpoint, HttpHeader } from '../'; +import { + Endpoint, + HttpHeader, + RecaptchaClientType, + RecaptchaVersion +} from '../'; import { mockEndpoint } from '../../../test/helpers/api/helper'; import { testAuth, TestAuth } from '../../../test/helpers/mock_auth'; import * as mockFetch from '../../../test/helpers/mock_fetch'; @@ -40,7 +45,10 @@ describe('api/account_management/startEnrollPhoneMfa', () => { idToken: 'id-token', phoneEnrollmentInfo: { phoneNumber: 'phone-number', - recaptchaToken: 'captcha-token' + recaptchaToken: 'captcha-token', + captchaResponse: 'captcha-response', + clientType: RecaptchaClientType.WEB, + recaptchaVersion: RecaptchaVersion.ENTERPRISE } }; diff --git a/packages/auth/src/api/account_management/mfa.ts b/packages/auth/src/api/account_management/mfa.ts index db9a4120d3d..4a2b43d3d1a 100644 --- a/packages/auth/src/api/account_management/mfa.ts +++ b/packages/auth/src/api/account_management/mfa.ts @@ -18,6 +18,8 @@ import { Endpoint, HttpMethod, + RecaptchaClientType, + RecaptchaVersion, _addTidIfNecessary, _performApiRequest } from '../index'; @@ -55,7 +57,10 @@ export interface StartPhoneMfaEnrollmentRequest { idToken: string; phoneEnrollmentInfo: { phoneNumber: string; - recaptchaToken: string; + recaptchaToken?: string; + captchaResponse?: string; + clientType?: RecaptchaClientType; + recaptchaVersion?: RecaptchaVersion; }; tenantId?: string; } diff --git a/packages/auth/src/api/authentication/mfa.test.ts b/packages/auth/src/api/authentication/mfa.test.ts index 2289f49ca0c..b732a3e83b8 100644 --- a/packages/auth/src/api/authentication/mfa.test.ts +++ b/packages/auth/src/api/authentication/mfa.test.ts @@ -20,7 +20,12 @@ import chaiAsPromised from 'chai-as-promised'; import { FirebaseError } from '@firebase/util'; -import { Endpoint, HttpHeader } from '../'; +import { + Endpoint, + HttpHeader, + RecaptchaClientType, + RecaptchaVersion +} from '../'; import { mockEndpoint } from '../../../test/helpers/api/helper'; import { testAuth, TestAuth } from '../../../test/helpers/mock_auth'; import * as mockFetch from '../../../test/helpers/mock_fetch'; @@ -34,7 +39,10 @@ describe('api/authentication/startSignInPhoneMfa', () => { mfaPendingCredential: 'my-creds', mfaEnrollmentId: 'my-enrollment-id', phoneSignInInfo: { - recaptchaToken: 'catpcha-token' + recaptchaToken: 'catpcha-token', + captchaResponse: 'captcha-response', + clientType: RecaptchaClientType.WEB, + recaptchaVersion: RecaptchaVersion.ENTERPRISE } }; diff --git a/packages/auth/src/api/authentication/mfa.ts b/packages/auth/src/api/authentication/mfa.ts index 0ad85a7ef82..d8f54dedb44 100644 --- a/packages/auth/src/api/authentication/mfa.ts +++ b/packages/auth/src/api/authentication/mfa.ts @@ -19,6 +19,8 @@ import { _performApiRequest, Endpoint, HttpMethod, + RecaptchaClientType, + RecaptchaVersion, _addTidIfNecessary } from '../index'; import { Auth } from '../../model/public_types'; @@ -47,7 +49,10 @@ export interface StartPhoneMfaSignInRequest { mfaPendingCredential: string; mfaEnrollmentId: string; phoneSignInInfo: { - recaptchaToken: string; + recaptchaToken?: string; + captchaResponse?: string; + clientType?: RecaptchaClientType; + recaptchaVersion?: RecaptchaVersion; }; tenantId?: string; } diff --git a/packages/auth/src/api/authentication/sms.test.ts b/packages/auth/src/api/authentication/sms.test.ts index 420797b1c97..d72e7973077 100644 --- a/packages/auth/src/api/authentication/sms.test.ts +++ b/packages/auth/src/api/authentication/sms.test.ts @@ -21,7 +21,12 @@ import chaiAsPromised from 'chai-as-promised'; import { ProviderId } from '../../model/enums'; import { FirebaseError } from '@firebase/util'; -import { Endpoint, HttpHeader } from '../'; +import { + Endpoint, + HttpHeader, + RecaptchaClientType, + RecaptchaVersion +} from '../'; import { mockEndpoint } from '../../../test/helpers/api/helper'; import { testAuth, TestAuth } from '../../../test/helpers/mock_auth'; import * as mockFetch from '../../../test/helpers/mock_fetch'; @@ -38,7 +43,10 @@ use(chaiAsPromised); describe('api/authentication/sendPhoneVerificationCode', () => { const request = { phoneNumber: '123456789', - recaptchaToken: 'captchad' + recaptchaToken: 'captchad', + captchaResponse: 'captcha-response', + clientType: RecaptchaClientType.WEB, + recaptchaVersion: RecaptchaVersion.ENTERPRISE }; let auth: TestAuth; diff --git a/packages/auth/src/api/authentication/sms.ts b/packages/auth/src/api/authentication/sms.ts index 93a8a2e5abf..970fcbcc0e0 100644 --- a/packages/auth/src/api/authentication/sms.ts +++ b/packages/auth/src/api/authentication/sms.ts @@ -18,6 +18,8 @@ import { Endpoint, HttpMethod, + RecaptchaClientType, + RecaptchaVersion, _addTidIfNecessary, _makeTaggedError, _performApiRequest, @@ -30,8 +32,11 @@ import { Auth } from '../../model/public_types'; export interface SendPhoneVerificationCodeRequest { phoneNumber: string; - recaptchaToken: string; + recaptchaToken?: string; tenantId?: string; + captchaResponse?: string; + clientType?: RecaptchaClientType; + recaptchaVersion?: RecaptchaVersion; } export interface SendPhoneVerificationCodeResponse { diff --git a/packages/auth/src/api/index.ts b/packages/auth/src/api/index.ts index 81ecf5a356a..f61ba74d1c6 100644 --- a/packages/auth/src/api/index.ts +++ b/packages/auth/src/api/index.ts @@ -86,7 +86,10 @@ export const enum RecaptchaVersion { export const enum RecaptchaActionName { SIGN_IN_WITH_PASSWORD = 'signInWithPassword', GET_OOB_CODE = 'getOobCode', - SIGN_UP_PASSWORD = 'signUpPassword' + SIGN_UP_PASSWORD = 'signUpPassword', + SEND_VERIFICATION_CODE = 'sendVerificationCode', + MFA_SMS_ENROLLMENT = 'mfaSmsEnrollment', + MFA_SMS_SIGNIN = 'mfaSmsSignin' } export const enum EnforcementState { @@ -98,7 +101,8 @@ export const enum EnforcementState { // Providers that have reCAPTCHA Enterprise support. export const enum RecaptchaProvider { - EMAIL_PASSWORD_PROVIDER = 'EMAIL_PASSWORD_PROVIDER' + EMAIL_PASSWORD_PROVIDER = 'EMAIL_PASSWORD_PROVIDER', + PHONE_PROVIDER = 'PHONE_PROVIDER' } export const DEFAULT_API_TIMEOUT_MS = new Delay(30_000, 60_000); diff --git a/packages/auth/src/platform_browser/recaptcha/recaptcha.test.ts b/packages/auth/src/platform_browser/recaptcha/recaptcha.test.ts index 42a758840f6..03705e15cae 100644 --- a/packages/auth/src/platform_browser/recaptcha/recaptcha.test.ts +++ b/packages/auth/src/platform_browser/recaptcha/recaptcha.test.ts @@ -29,7 +29,7 @@ import { import { isV2, isEnterprise, RecaptchaConfig } from './recaptcha'; import { GetRecaptchaConfigResponse } from '../../api/authentication/recaptcha'; -import { EnforcementState } from '../../api/index'; +import { EnforcementState, RecaptchaProvider } from '../../api/index'; use(chaiAsPromised); use(sinonChai); @@ -46,7 +46,14 @@ describe('platform_browser/recaptcha/recaptcha', () => { const GET_RECAPTCHA_CONFIG_RESPONSE: GetRecaptchaConfigResponse = { recaptchaKey: 'projects/testproj/keys/' + TEST_SITE_KEY, recaptchaEnforcementState: [ - { provider: 'EMAIL_PASSWORD_PROVIDER', enforcementState: 'ENFORCE' } + { + provider: RecaptchaProvider.EMAIL_PASSWORD_PROVIDER, + enforcementState: EnforcementState.ENFORCE + }, + { + provider: RecaptchaProvider.PHONE_PROVIDER, + enforcementState: EnforcementState.AUDIT + } ] }; @@ -81,23 +88,62 @@ describe('platform_browser/recaptcha/recaptcha', () => { it('should construct the recaptcha config from the backend response', () => { expect(recaptchaConfig.siteKey).to.eq(TEST_SITE_KEY); expect(recaptchaConfig.recaptchaEnforcementState[0]).to.eql({ - provider: 'EMAIL_PASSWORD_PROVIDER', - enforcementState: 'ENFORCE' + provider: RecaptchaProvider.EMAIL_PASSWORD_PROVIDER, + enforcementState: EnforcementState.ENFORCE + }); + expect(recaptchaConfig.recaptchaEnforcementState[1]).to.eql({ + provider: RecaptchaProvider.PHONE_PROVIDER, + enforcementState: EnforcementState.AUDIT }); }); it('#getProviderEnforcementState should return the correct enforcement state of the provider', () => { expect( - recaptchaConfig.getProviderEnforcementState('EMAIL_PASSWORD_PROVIDER') + recaptchaConfig.getProviderEnforcementState( + RecaptchaProvider.EMAIL_PASSWORD_PROVIDER + ) ).to.eq(EnforcementState.ENFORCE); + expect( + recaptchaConfig.getProviderEnforcementState( + RecaptchaProvider.PHONE_PROVIDER + ) + ).to.eq(EnforcementState.AUDIT); expect(recaptchaConfig.getProviderEnforcementState('invalid-provider')).to .be.null; }); it('#isProviderEnabled should return the enablement state of the provider', () => { - expect(recaptchaConfig.isProviderEnabled('EMAIL_PASSWORD_PROVIDER')).to.be - .true; + expect( + recaptchaConfig.isProviderEnabled( + RecaptchaProvider.EMAIL_PASSWORD_PROVIDER + ) + ).to.be.true; + expect( + recaptchaConfig.isProviderEnabled(RecaptchaProvider.PHONE_PROVIDER) + ).to.be.true; expect(recaptchaConfig.isProviderEnabled('invalid-provider')).to.be.false; }); + + it('#isAnyProviderEnabled should return true if at least one provider is enabled', () => { + expect(recaptchaConfig.isAnyProviderEnabled()).to.be.true; + + const getRecaptchaConfigResponse: GetRecaptchaConfigResponse = { + recaptchaKey: 'projects/testproj/keys/' + TEST_SITE_KEY, + recaptchaEnforcementState: [ + { + provider: RecaptchaProvider.EMAIL_PASSWORD_PROVIDER, + enforcementState: EnforcementState.OFF + }, + { + provider: RecaptchaProvider.PHONE_PROVIDER, + enforcementState: EnforcementState.OFF + } + ] + }; + const configNoProviderEnabled = new RecaptchaConfig( + getRecaptchaConfigResponse + ); + expect(configNoProviderEnabled.isAnyProviderEnabled()).to.be.false; + }); }); }); diff --git a/packages/auth/src/platform_browser/recaptcha/recaptcha.ts b/packages/auth/src/platform_browser/recaptcha/recaptcha.ts index bb1b79895c0..2cc47f8a0cd 100644 --- a/packages/auth/src/platform_browser/recaptcha/recaptcha.ts +++ b/packages/auth/src/platform_browser/recaptcha/recaptcha.ts @@ -20,7 +20,11 @@ import { GetRecaptchaConfigResponse, RecaptchaEnforcementProviderState } from '../../api/authentication/recaptcha'; -import { EnforcementState, _parseEnforcementState } from '../../api/index'; +import { + EnforcementState, + RecaptchaProvider, + _parseEnforcementState +} from '../../api/index'; // reCAPTCHA v2 interface export interface Recaptcha { @@ -135,4 +139,17 @@ export class RecaptchaConfig { this.getProviderEnforcementState(providerStr) === EnforcementState.AUDIT ); } + + /** + * Returns true if reCAPTCHA Enterprise protection is enabled in at least one provider, otherwise + * returns false. + * + * @returns Whether or not reCAPTCHA Enterprise protection is enabled for at least one provider. + */ + isAnyProviderEnabled(): boolean { + return ( + this.isProviderEnabled(RecaptchaProvider.EMAIL_PASSWORD_PROVIDER) || + this.isProviderEnabled(RecaptchaProvider.PHONE_PROVIDER) + ); + } } diff --git a/packages/auth/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.test.ts b/packages/auth/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.test.ts index ecbe6c0232d..3b351a8fac7 100644 --- a/packages/auth/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.test.ts +++ b/packages/auth/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.test.ts @@ -24,7 +24,9 @@ import { Endpoint, RecaptchaClientType, RecaptchaVersion, - RecaptchaActionName + RecaptchaActionName, + RecaptchaProvider, + EnforcementState } from '../../api'; import { mockEndpointWithParams } from '../../../test/helpers/api/helper'; import { testAuth, TestAuth } from '../../../test/helpers/mock_auth'; @@ -36,7 +38,8 @@ import { MockGreCAPTCHATopLevel } from './recaptcha_mock'; import { RecaptchaEnterpriseVerifier, FAKE_TOKEN, - handleRecaptchaFlow + handleRecaptchaFlow, + injectRecaptchaFields } from './recaptcha_enterprise_verifier'; import { RecaptchaConfig } from './recaptcha'; import { AuthErrorCode } from '../../core/errors'; @@ -53,8 +56,12 @@ describe('platform_browser/recaptcha/recaptcha_enterprise_verifier', () => { recaptchaKey: 'foo/bar/to/site-key', recaptchaEnforcementState: [ { - provider: 'EMAIL_PASSWORD_PROVIDER', - enforcementState: 'ENFORCE' + provider: RecaptchaProvider.EMAIL_PASSWORD_PROVIDER, + enforcementState: EnforcementState.ENFORCE + }, + { + provider: RecaptchaProvider.PHONE_PROVIDER, + enforcementState: EnforcementState.ENFORCE } ] }; @@ -65,17 +72,30 @@ describe('platform_browser/recaptcha/recaptcha_enterprise_verifier', () => { recaptchaKey: 'foo/bar/to/site-key', recaptchaEnforcementState: [ { - provider: 'EMAIL_PASSWORD_PROVIDER', - enforcementState: 'OFF' + provider: RecaptchaProvider.EMAIL_PASSWORD_PROVIDER, + enforcementState: EnforcementState.OFF + }, + { + provider: RecaptchaProvider.PHONE_PROVIDER, + enforcementState: EnforcementState.OFF } ] }; const recaptchaConfigOff = new RecaptchaConfig(recaptchaConfigResponseOff); + const getRecaptchaConfigRequest = { + clientType: RecaptchaClientType.WEB, + version: RecaptchaVersion.ENTERPRISE + }; + + let recaptcha: MockGreCAPTCHATopLevel; + beforeEach(async () => { auth = await testAuth(); mockFetch.setUp(); verifier = new RecaptchaEnterpriseVerifier(auth); + recaptcha = new MockGreCAPTCHATopLevel(); + window.grecaptcha = recaptcha; }); afterEach(() => { @@ -84,21 +104,10 @@ describe('platform_browser/recaptcha/recaptcha_enterprise_verifier', () => { }); context('#verify', () => { - const request = { - clientType: RecaptchaClientType.WEB, - version: RecaptchaVersion.ENTERPRISE - }; - - let recaptcha: MockGreCAPTCHATopLevel; - beforeEach(() => { - recaptcha = new MockGreCAPTCHATopLevel(); - window.grecaptcha = recaptcha; - }); - it('returns if response is available', async () => { mockEndpointWithParams( Endpoint.GET_RECAPTCHA_CONFIG, - request, + getRecaptchaConfigRequest, recaptchaConfigResponseEnforce ); sinon @@ -110,7 +119,7 @@ describe('platform_browser/recaptcha/recaptcha_enterprise_verifier', () => { it('reject if error is thrown when retrieve site key', async () => { mockEndpointWithParams( Endpoint.GET_RECAPTCHA_CONFIG, - request, + getRecaptchaConfigRequest, { error: { code: 400, @@ -131,7 +140,7 @@ describe('platform_browser/recaptcha/recaptcha_enterprise_verifier', () => { it('return fake recaptcha token if error is thrown when retrieve recaptcha token', async () => { mockEndpointWithParams( Endpoint.GET_RECAPTCHA_CONFIG, - request, + getRecaptchaConfigRequest, recaptchaConfigResponseEnforce ); sinon @@ -246,4 +255,146 @@ describe('platform_browser/recaptcha/recaptcha_enterprise_verifier', () => { expect(mockActionMethod).to.have.been.calledOnce; }); }); + + context('#injectRecaptchaFields', () => { + it('injects recaptcha enterprise fields into SignInWithPassword request', async () => { + mockEndpointWithParams( + Endpoint.GET_RECAPTCHA_CONFIG, + getRecaptchaConfigRequest, + recaptchaConfigResponseEnforce + ); + sinon + .stub(recaptcha.enterprise, 'execute') + .returns(Promise.resolve('recaptcha-response')); + + const request = { + returnSecureToken: true, + email: 'email', + password: 'password', + clientType: RecaptchaClientType.WEB + }; + const requestWithRecaptcha = await injectRecaptchaFields( + auth, + request, + RecaptchaActionName.SIGN_IN_WITH_PASSWORD, + false + ); + const expectedRequest = { + returnSecureToken: true, + email: 'email', + password: 'password', + clientType: RecaptchaClientType.WEB, + captchaResponse: 'recaptcha-response', + recaptchaVersion: RecaptchaVersion.ENTERPRISE + }; + + expect(requestWithRecaptcha).to.eql(expectedRequest); + }); + + it('injects recaptcha enterprise fields when captchaResp is true', async () => { + mockEndpointWithParams( + Endpoint.GET_RECAPTCHA_CONFIG, + getRecaptchaConfigRequest, + recaptchaConfigResponseEnforce + ); + sinon + .stub(recaptcha.enterprise, 'execute') + .returns(Promise.resolve('recaptcha-response')); + + const request = { + requestType: 'requestType', + email: 'email', + clientType: RecaptchaClientType.WEB + }; + const requestWithRecaptcha = await injectRecaptchaFields( + auth, + request, + RecaptchaActionName.GET_OOB_CODE, + true + ); + const expectedRequest = { + requestType: 'requestType', + email: 'email', + clientType: RecaptchaClientType.WEB, + captchaResp: 'recaptcha-response', + recaptchaVersion: RecaptchaVersion.ENTERPRISE + }; + + expect(requestWithRecaptcha).to.eql(expectedRequest); + }); + + it('injects recaptcha enterprise fields into StartPhoneMfaEnrollment request', async () => { + mockEndpointWithParams( + Endpoint.GET_RECAPTCHA_CONFIG, + getRecaptchaConfigRequest, + recaptchaConfigResponseEnforce + ); + sinon + .stub(recaptcha.enterprise, 'execute') + .returns(Promise.resolve('recaptcha-response')); + + const request = { + idToken: 'idToken', + phoneEnrollmentInfo: { + phoneNumber: '123456', + recaptchaToken: 'recaptchaToken' + } + }; + const requestWithRecaptcha = await injectRecaptchaFields( + auth, + request, + RecaptchaActionName.MFA_SMS_ENROLLMENT, + false + ); + const expectedRequest = { + idToken: 'idToken', + phoneEnrollmentInfo: { + phoneNumber: '123456', + recaptchaToken: 'recaptchaToken', + captchaResponse: 'recaptcha-response', + clientType: RecaptchaClientType.WEB, + recaptchaVersion: RecaptchaVersion.ENTERPRISE + } + }; + + expect(requestWithRecaptcha).to.eql(expectedRequest); + }); + + it('injects recaptcha enterprise fields into StartPhoneMfaSignInRequest request', async () => { + mockEndpointWithParams( + Endpoint.GET_RECAPTCHA_CONFIG, + getRecaptchaConfigRequest, + recaptchaConfigResponseEnforce + ); + sinon + .stub(recaptcha.enterprise, 'execute') + .returns(Promise.resolve('recaptcha-response')); + + const request = { + mfaPendingCredential: 'mfaPendingCredential', + mfaEnrollmentId: 'mfaEnrollmentId', + phoneSignInInfo: { + recaptchaToken: 'recaptchaToken' + } + }; + const requestWithRecaptcha = await injectRecaptchaFields( + auth, + request, + RecaptchaActionName.MFA_SMS_SIGNIN, + false + ); + const expectedRequest = { + mfaPendingCredential: 'mfaPendingCredential', + mfaEnrollmentId: 'mfaEnrollmentId', + phoneSignInInfo: { + recaptchaToken: 'recaptchaToken', + captchaResponse: 'recaptcha-response', + clientType: RecaptchaClientType.WEB, + recaptchaVersion: RecaptchaVersion.ENTERPRISE + } + }; + + expect(requestWithRecaptcha).to.eql(expectedRequest); + }); + }); }); diff --git a/packages/auth/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.ts b/packages/auth/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.ts index 8d188032e36..22d62a89543 100644 --- a/packages/auth/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.ts +++ b/packages/auth/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.ts @@ -30,6 +30,9 @@ import { AuthInternal } from '../../model/auth'; import { _castAuth } from '../../core/auth/auth_impl'; import * as jsHelpers from '../load_js'; import { AuthErrorCode } from '../../core/errors'; +import { StartPhoneMfaEnrollmentRequest } from '../../api/account_management/mfa'; +import { StartPhoneMfaSignInRequest } from '../../api/authentication/mfa'; +import { _assert } from '../../core/util/assert'; const RECAPTCHA_ENTERPRISE_URL = 'https://www.google.com/recaptcha/enterprise.js?render='; @@ -155,16 +158,61 @@ export async function injectRecaptchaFields( auth: AuthInternal, request: T, action: RecaptchaActionName, - captchaResp = false + captchaResp = false, + fakeToken = false ): Promise { const verifier = new RecaptchaEnterpriseVerifier(auth); let captchaResponse; - try { - captchaResponse = await verifier.verify(action); - } catch (error) { - captchaResponse = await verifier.verify(action, true); + + if (fakeToken) { + captchaResponse = FAKE_TOKEN; + } else { + try { + captchaResponse = await verifier.verify(action); + } catch (error) { + captchaResponse = await verifier.verify(action, true); + } } + const newRequest = { ...request }; + if ( + action === RecaptchaActionName.MFA_SMS_ENROLLMENT || + action === RecaptchaActionName.MFA_SMS_SIGNIN + ) { + if ('phoneEnrollmentInfo' in newRequest) { + const phoneNumber = ( + newRequest as unknown as StartPhoneMfaEnrollmentRequest + ).phoneEnrollmentInfo.phoneNumber; + const recaptchaToken = ( + newRequest as unknown as StartPhoneMfaEnrollmentRequest + ).phoneEnrollmentInfo.recaptchaToken; + + Object.assign(newRequest, { + 'phoneEnrollmentInfo': { + phoneNumber, + recaptchaToken, + captchaResponse, + 'clientType': RecaptchaClientType.WEB, + 'recaptchaVersion': RecaptchaVersion.ENTERPRISE + } + }); + } else if ('phoneSignInInfo' in newRequest) { + const recaptchaToken = ( + newRequest as unknown as StartPhoneMfaSignInRequest + ).phoneSignInInfo.recaptchaToken; + + Object.assign(newRequest, { + 'phoneSignInInfo': { + recaptchaToken, + captchaResponse, + 'clientType': RecaptchaClientType.WEB, + 'recaptchaVersion': RecaptchaVersion.ENTERPRISE + } + }); + } + return newRequest; + } + if (!captchaResp) { Object.assign(newRequest, { captchaResponse }); } else { @@ -235,7 +283,7 @@ export async function _initializeRecaptchaConfig(auth: Auth): Promise { authInternal._tenantRecaptchaConfigs[authInternal.tenantId] = config; } - if (config.isProviderEnabled(RecaptchaProvider.EMAIL_PASSWORD_PROVIDER)) { + if (config.isAnyProviderEnabled()) { const verifier = new RecaptchaEnterpriseVerifier(authInternal); void verifier.verify(); } From 8189fe95ce9f1fbaf98d7327c9857030a35a03b6 Mon Sep 17 00:00:00 2001 From: nhienlam Date: Wed, 15 Nov 2023 10:02:07 -0800 Subject: [PATCH 2/4] Fix lint --- .../platform_browser/recaptcha/recaptcha_enterprise_verifier.ts | 1 - 1 file changed, 1 deletion(-) diff --git a/packages/auth/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.ts b/packages/auth/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.ts index 22d62a89543..40e96057c7d 100644 --- a/packages/auth/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.ts +++ b/packages/auth/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.ts @@ -32,7 +32,6 @@ import * as jsHelpers from '../load_js'; import { AuthErrorCode } from '../../core/errors'; import { StartPhoneMfaEnrollmentRequest } from '../../api/account_management/mfa'; import { StartPhoneMfaSignInRequest } from '../../api/authentication/mfa'; -import { _assert } from '../../core/util/assert'; const RECAPTCHA_ENTERPRISE_URL = 'https://www.google.com/recaptcha/enterprise.js?render='; From 194eab0249d04f468189f13ddc92a3b42cc94fe4 Mon Sep 17 00:00:00 2001 From: nhienlam Date: Wed, 15 Nov 2023 14:04:55 -0800 Subject: [PATCH 3/4] Rename captchaResp and fakeToken params --- .../auth/src/api/account_management/mfa.ts | 2 + packages/auth/src/api/authentication/mfa.ts | 2 + packages/auth/src/api/authentication/sms.ts | 2 + .../recaptcha/recaptcha.test.ts | 74 +++++++++++++------ .../recaptcha_enterprise_verifier.ts | 8 +- 5 files changed, 61 insertions(+), 27 deletions(-) diff --git a/packages/auth/src/api/account_management/mfa.ts b/packages/auth/src/api/account_management/mfa.ts index 4a2b43d3d1a..f43217e8abf 100644 --- a/packages/auth/src/api/account_management/mfa.ts +++ b/packages/auth/src/api/account_management/mfa.ts @@ -57,7 +57,9 @@ export interface StartPhoneMfaEnrollmentRequest { idToken: string; phoneEnrollmentInfo: { phoneNumber: string; + // reCAPTCHA v2 token recaptchaToken?: string; + // reCAPTCHA Enterprise token captchaResponse?: string; clientType?: RecaptchaClientType; recaptchaVersion?: RecaptchaVersion; diff --git a/packages/auth/src/api/authentication/mfa.ts b/packages/auth/src/api/authentication/mfa.ts index d8f54dedb44..c6dc6854e98 100644 --- a/packages/auth/src/api/authentication/mfa.ts +++ b/packages/auth/src/api/authentication/mfa.ts @@ -49,7 +49,9 @@ export interface StartPhoneMfaSignInRequest { mfaPendingCredential: string; mfaEnrollmentId: string; phoneSignInInfo: { + // reCAPTCHA v2 token recaptchaToken?: string; + // reCAPTCHA Enterprise token captchaResponse?: string; clientType?: RecaptchaClientType; recaptchaVersion?: RecaptchaVersion; diff --git a/packages/auth/src/api/authentication/sms.ts b/packages/auth/src/api/authentication/sms.ts index 970fcbcc0e0..26db0634288 100644 --- a/packages/auth/src/api/authentication/sms.ts +++ b/packages/auth/src/api/authentication/sms.ts @@ -32,8 +32,10 @@ import { Auth } from '../../model/public_types'; export interface SendPhoneVerificationCodeRequest { phoneNumber: string; + // reCAPTCHA v2 token recaptchaToken?: string; tenantId?: string; + // reCAPTCHA Enterprise token captchaResponse?: string; clientType?: RecaptchaClientType; recaptchaVersion?: RecaptchaVersion; diff --git a/packages/auth/src/platform_browser/recaptcha/recaptcha.test.ts b/packages/auth/src/platform_browser/recaptcha/recaptcha.test.ts index 03705e15cae..721930729fb 100644 --- a/packages/auth/src/platform_browser/recaptcha/recaptcha.test.ts +++ b/packages/auth/src/platform_browser/recaptcha/recaptcha.test.ts @@ -39,7 +39,6 @@ describe('platform_browser/recaptcha/recaptcha', () => { let recaptchaV2: MockReCaptcha; let recaptchaV3: MockGreCAPTCHA; let recaptchaEnterprise: MockGreCAPTCHATopLevel; - let recaptchaConfig: RecaptchaConfig; const TEST_SITE_KEY = 'test-site-key'; @@ -57,6 +56,41 @@ describe('platform_browser/recaptcha/recaptcha', () => { ] }; + const GET_RECAPTCHA_CONFIG_RESPONSE_OFF: GetRecaptchaConfigResponse = { + recaptchaKey: 'projects/testproj/keys/' + TEST_SITE_KEY, + recaptchaEnforcementState: [ + { + provider: RecaptchaProvider.EMAIL_PASSWORD_PROVIDER, + enforcementState: EnforcementState.OFF + }, + { + provider: RecaptchaProvider.PHONE_PROVIDER, + enforcementState: EnforcementState.OFF + } + ] + }; + + const GET_RECAPTCHA_CONFIG_RESPONSE_ENFORCE_AND_OFF: GetRecaptchaConfigResponse = + { + recaptchaKey: 'projects/testproj/keys/' + TEST_SITE_KEY, + recaptchaEnforcementState: [ + { + provider: RecaptchaProvider.EMAIL_PASSWORD_PROVIDER, + enforcementState: EnforcementState.ENFORCE + }, + { + provider: RecaptchaProvider.PHONE_PROVIDER, + enforcementState: EnforcementState.OFF + } + ] + }; + + const recaptchaConfig = new RecaptchaConfig(GET_RECAPTCHA_CONFIG_RESPONSE); + const recaptchaConfigOff = new RecaptchaConfig(GET_RECAPTCHA_CONFIG_RESPONSE_OFF); + const recaptchaConfigEnforceAndOff = new RecaptchaConfig( + GET_RECAPTCHA_CONFIG_RESPONSE_ENFORCE_AND_OFF + ); + context('#verify', () => { beforeEach(async () => { auth = await testAuth(); @@ -81,10 +115,6 @@ describe('platform_browser/recaptcha/recaptcha', () => { }); context('#RecaptchaConfig', () => { - beforeEach(async () => { - recaptchaConfig = new RecaptchaConfig(GET_RECAPTCHA_CONFIG_RESPONSE); - }); - it('should construct the recaptcha config from the backend response', () => { expect(recaptchaConfig.siteKey).to.eq(TEST_SITE_KEY); expect(recaptchaConfig.recaptchaEnforcementState[0]).to.eql({ @@ -95,6 +125,10 @@ describe('platform_browser/recaptcha/recaptcha', () => { provider: RecaptchaProvider.PHONE_PROVIDER, enforcementState: EnforcementState.AUDIT }); + expect(recaptchaConfigEnforceAndOff.recaptchaEnforcementState[1]).to.eql({ + provider: RecaptchaProvider.PHONE_PROVIDER, + enforcementState: EnforcementState.OFF + }); }); it('#getProviderEnforcementState should return the correct enforcement state of the provider', () => { @@ -108,6 +142,11 @@ describe('platform_browser/recaptcha/recaptcha', () => { RecaptchaProvider.PHONE_PROVIDER ) ).to.eq(EnforcementState.AUDIT); + expect( + recaptchaConfigEnforceAndOff.getProviderEnforcementState( + RecaptchaProvider.PHONE_PROVIDER + ) + ).to.eq(EnforcementState.OFF); expect(recaptchaConfig.getProviderEnforcementState('invalid-provider')).to .be.null; }); @@ -121,29 +160,18 @@ describe('platform_browser/recaptcha/recaptcha', () => { expect( recaptchaConfig.isProviderEnabled(RecaptchaProvider.PHONE_PROVIDER) ).to.be.true; + expect( + recaptchaConfigEnforceAndOff.isProviderEnabled( + RecaptchaProvider.PHONE_PROVIDER + ) + ).to.be.false; expect(recaptchaConfig.isProviderEnabled('invalid-provider')).to.be.false; }); it('#isAnyProviderEnabled should return true if at least one provider is enabled', () => { expect(recaptchaConfig.isAnyProviderEnabled()).to.be.true; - - const getRecaptchaConfigResponse: GetRecaptchaConfigResponse = { - recaptchaKey: 'projects/testproj/keys/' + TEST_SITE_KEY, - recaptchaEnforcementState: [ - { - provider: RecaptchaProvider.EMAIL_PASSWORD_PROVIDER, - enforcementState: EnforcementState.OFF - }, - { - provider: RecaptchaProvider.PHONE_PROVIDER, - enforcementState: EnforcementState.OFF - } - ] - }; - const configNoProviderEnabled = new RecaptchaConfig( - getRecaptchaConfigResponse - ); - expect(configNoProviderEnabled.isAnyProviderEnabled()).to.be.false; + expect(recaptchaConfigEnforceAndOff.isAnyProviderEnabled()).to.be.true; + expect(recaptchaConfigOff.isAnyProviderEnabled()).to.be.false; }); }); }); diff --git a/packages/auth/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.ts b/packages/auth/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.ts index 40e96057c7d..b3b8f97bae8 100644 --- a/packages/auth/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.ts +++ b/packages/auth/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.ts @@ -157,13 +157,13 @@ export async function injectRecaptchaFields( auth: AuthInternal, request: T, action: RecaptchaActionName, - captchaResp = false, - fakeToken = false + isCaptchaResp = false, + isFakeToken = false ): Promise { const verifier = new RecaptchaEnterpriseVerifier(auth); let captchaResponse; - if (fakeToken) { + if (isFakeToken) { captchaResponse = FAKE_TOKEN; } else { try { @@ -212,7 +212,7 @@ export async function injectRecaptchaFields( return newRequest; } - if (!captchaResp) { + if (!isCaptchaResp) { Object.assign(newRequest, { captchaResponse }); } else { Object.assign(newRequest, { 'captchaResp': captchaResponse }); From 3d70b230295136e30de7e56c655bec12a0903d87 Mon Sep 17 00:00:00 2001 From: nhienlam Date: Wed, 15 Nov 2023 14:08:52 -0800 Subject: [PATCH 4/4] Format --- .../auth/src/platform_browser/recaptcha/recaptcha.test.ts | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/packages/auth/src/platform_browser/recaptcha/recaptcha.test.ts b/packages/auth/src/platform_browser/recaptcha/recaptcha.test.ts index 721930729fb..b3c97d0716f 100644 --- a/packages/auth/src/platform_browser/recaptcha/recaptcha.test.ts +++ b/packages/auth/src/platform_browser/recaptcha/recaptcha.test.ts @@ -86,7 +86,9 @@ describe('platform_browser/recaptcha/recaptcha', () => { }; const recaptchaConfig = new RecaptchaConfig(GET_RECAPTCHA_CONFIG_RESPONSE); - const recaptchaConfigOff = new RecaptchaConfig(GET_RECAPTCHA_CONFIG_RESPONSE_OFF); + const recaptchaConfigOff = new RecaptchaConfig( + GET_RECAPTCHA_CONFIG_RESPONSE_OFF + ); const recaptchaConfigEnforceAndOff = new RecaptchaConfig( GET_RECAPTCHA_CONFIG_RESPONSE_ENFORCE_AND_OFF );