Phone authentication with reCAPTCHA & api key restriction issue #7653

Closed
antoninbiret opened this issue Mar 4, 2021 · 5 comments
antoninbiret commented Mar 4, 2021

[REQUIRED] Step 1: Describe your environment

  • Xcode version: 12.4
  • Firebase SDK version: 7.7.0
  • Installation method: CocoaPods
  • Firebase Component: Auth

[REQUIRED] Step 2: Describe the problem

I recently discovered that the reCAPTCHA phone authentication flow did not work as expected in my project but was working well before. The silent push authentication flow works fine though.

I get the following error:

{
   "error":{
      "code":403,
      "message":"Requests from this iOS client application <empty> are blocked.",
      "errors":[
         {
            "message":"Requests from this iOS client application <empty> are blocked.",
            "domain":"global",
            "reason":"forbidden"
         }
      ],
      "status":"PERMISSION_DENIED"
   }
}

My Firebase API key is restricted to be used by both my development & staging app's bundle identifier. If I remove the restriction the reCAPTCHA flow is working fine.

Did some debugging and found out that the ibi parameter in the reCAPTCHA URL request is set and equal to my application's bundle identifier.

Am I the only one seeing this issue?

Steps to reproduce:

Restrict the Firebase API key in the Google Cloud console to the app's bundle identifier and try the reCAPTCHA authentication flow.

Thanks in advance for any feedback.

@rizafran
Contributor

Hi Antonin, based on my understanding, the reCAPTCHA flow is not working when the API key is restricted. I found this from the docs and it seems that:

Note: If you apply restrictions to an API key that's used for accessing Firebase services, and you're getting errors, you may need to include the Firebase Management API in the list of allowed APIs. This is especially true if you use Google Analytics with a web app.

I'll also try to reproduce this on my end and I'll let you know of my findings.

@rizafran
Contributor

I've tried to reproduce the issue, and I was able to get the same behavior. Looks like you have to remove the API key restrictions if you want the reCAPTCHA fallback to work. We need to make an API call to our server from a web view in order to render the reCAPTCHA.

@morganchen12
Contributor

@rosalyntan can you confirm if this is intended behavior (looks like it is), and whether or not we should add something to our docs about it?

@rosalyntan
Member

Hi @antoninbiret, thanks for filing this issue! As @rizafran said, this is WAI because reCAPTCHA is a web-based flow and our web widget doesn't (and shouldn't) impersonate your iOS app.

@antoninbiret
Author

Thanks for your feedback

@firebase firebase locked and limited conversation to collaborators Apr 17, 2021
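
The diagnosis reached in this thread, as an added example that is not part of the original issue or of the Firebase SDK: a small triage helper that separates a 403 caused by a request carrying no iOS app identity (the `<empty>` case above, which the maintainers attribute to the web-based reCAPTCHA widget) from one where a bundle identifier was sent but is not on the key's allow list. The function name, the verdict labels and the non-empty variant of the message (assumed to follow the same template, with the placeholder `com.example.other`) are assumptions.

```python
import json
import re

# Constructed sample: the 403 body quoted in the issue, plus a variant with a
# non-empty bundle ID (com.example.other is a placeholder, not from the thread).
BLOCKED_EMPTY = '''{"error": {"code": 403,
  "message": "Requests from this iOS client application <empty> are blocked.",
  "errors": [{"message": "Requests from this iOS client application <empty> are blocked.",
              "domain": "global", "reason": "forbidden"}],
  "status": "PERMISSION_DENIED"}}'''
BLOCKED_OTHER = BLOCKED_EMPTY.replace("<empty>", "com.example.other")

# Message template taken from the error quoted in the issue.
_IOS_BLOCK = re.compile(r"Requests from this iOS client application (\S+) are blocked\.")


def classify_key_restriction_error(body: str) -> dict:
    """Return a verdict and the client identity named in an API error body."""
    try:
        err = json.loads(body).get("error", {})
    except (ValueError, AttributeError):
        return {"verdict": "unparseable", "client": None}
    if (not isinstance(err, dict) or err.get("code") != 403
            or err.get("status") != "PERMISSION_DENIED"):
        return {"verdict": "not_a_key_restriction_block", "client": None}
    # Look at the top-level message and at every nested error entry.
    nested = [e for e in err.get("errors", []) if isinstance(e, dict)]
    messages = [str(err.get("message", ""))] + [str(e.get("message", "")) for e in nested]
    for msg in messages:
        match = _IOS_BLOCK.search(msg)
        if not match:
            continue
        client = match.group(1)
        if client == "<empty>":
            # No iOS app identity reached the key check: per the thread, the
            # reCAPTCHA widget runs in a web view and does not send one.
            return {"verdict": "no_app_identity", "client": None}
        # An identity was sent but the key's iOS restriction does not list it.
        return {"verdict": "bundle_id_not_allowed", "client": client}
    return {"verdict": "other_permission_denied", "client": None}


if __name__ == "__main__":
    for sample in (BLOCKED_EMPTY, BLOCKED_OTHER):
        print(classify_key_restriction_error(sample))
```

A `no_app_identity` verdict points at the flow described by the maintainers rather than at a wrong bundle identifier in the key's restriction list.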