implement MFA

Author: lesnitsky

packages/firebase_ui_auth/example/lib/main.dart

@@ -116,6 +116,16 @@ class FirebaseAuthUIExample extends StatelessWidget {
                   Navigator.pushReplacementNamed(context, '/profile');
                 }
               }),
+              AuthStateChangeAction<MFARequired>((context, state) async {
+                final nav = Navigator.of(context);
+
+                await startMFAVerification(
+                  resolver: state.resolver,
+                  context: context,
+                );
+
+                nav.pushReplacementNamed('/profile');
+              }),
               EmailLinkSignInAction((context) {
                 Navigator.pushReplacementNamed(context, '/email-link-sign-in');
               }),
@@ -232,6 +242,7 @@ class FirebaseAuthUIExample extends StatelessWidget {
               }),
             ],
             actionCodeSettings: actionCodeSettings,
+            showMFATile: true,
           );
         },
       },

packages/firebase_ui_auth/lib/firebase_ui_auth.dart

@@ -15,7 +15,8 @@ export 'src/auth_state.dart'
         SignedIn,
         SigningIn,
         AuthFailed,
-        DifferentSignInMethodsFound;
+        DifferentSignInMethodsFound,
+        MFARequired;
 
 export 'src/providers/auth_provider.dart';
 export 'src/providers/email_auth_provider.dart';
@@ -92,6 +93,8 @@ export 'src/styling/theme.dart' show FirebaseUITheme;
 export 'src/styling/style.dart' show FirebaseUIStyle;
 export 'src/widgets/internal/universal_button.dart' show ButtonVariant;
 
+export 'src/mfa.dart' show startMFAVerification;
+
 import 'package:firebase_auth/firebase_auth.dart' hide OAuthProvider;
 import 'package:firebase_core/firebase_core.dart';
 import 'package:flutter/widgets.dart';

packages/firebase_ui_auth/lib/src/actions.dart

@@ -101,11 +101,17 @@ class FirebaseUIActions extends InheritedWidget {
 
     /// A [Widget] to wrap with [FirebaseUIActions].
     required Widget child,
+
+    /// A list of [FirebaseUIAction]s to provide to the [child].
+    List<FirebaseUIAction> actions = const [],
   }) {
     final w = maybeOf(from);
 
     if (w != null) {
-      return FirebaseUIActions(actions: w.actions, child: child);
+      return FirebaseUIActions(
+        actions: [...w.actions, ...actions],
+        child: child,
+      );
     }
 
     return child;

packages/firebase_ui_auth/lib/src/auth_controller.dart

@@ -13,6 +13,10 @@ enum AuthAction {
 
   /// Links a provided credential with currently signed in user account
   link,
+
+  /// Disables automatic credential handling.
+  /// It's up to the user to decide what to do with the obtained credential.
+  none,
 }
 
 /// An abstract class that should be implemented by auth controllers of

packages/firebase_ui_auth/lib/src/auth_flow.dart

@@ -6,6 +6,8 @@ import 'package:flutter/widgets.dart';
 import 'package:firebase_auth/firebase_auth.dart';
 import 'package:firebase_ui_auth/firebase_ui_auth.dart';
 
+import 'auth_state.dart';
+
 /// An exception that is being thrown when user cancels the authentication
 /// process.
 class AuthCancelledException implements Exception {
@@ -106,7 +108,7 @@ class AuthFlow<T extends AuthProvider> extends ValueNotifier<AuthState>
   }
 
   @override
-  void onBeforeCredentialLinked(AuthCredential credential) {
+  void onCredentialReceived(AuthCredential credential) {
     value = CredentialReceived(credential);
   }
 
@@ -164,4 +166,9 @@ class AuthFlow<T extends AuthProvider> extends ValueNotifier<AuthState>
   void onCanceled() {
     value = initialState;
   }
+
+  @override
+  void onMFARequired(MultiFactorResolver resolver) {
+    value = MFARequired(resolver);
+  }
 }

packages/firebase_ui_auth/lib/src/auth_state.dart

@@ -1,6 +1,7 @@
 import 'package:firebase_ui_auth/firebase_ui_auth.dart';
 import 'package:flutter/widgets.dart';
-import 'package:firebase_auth/firebase_auth.dart' show AuthCredential, User;
+import 'package:firebase_auth/firebase_auth.dart'
+    show AuthCredential, MultiFactorResolver, User;
 
 /// An abstract class for all auth states.
 /// [AuthState] transitions could be captured with an [AuthStateChangeAction]:
@@ -171,6 +172,16 @@ class FetchingProvidersForEmail extends AuthState {
   const FetchingProvidersForEmail();
 }
 
+/// {@template ui.auth.auth_state.mfa_required}
+/// An [AuthState] that indicates that multi-factor authentication is required.
+/// {@endtemplate}
+class MFARequired extends AuthState {
+  /// A multi-factor resolver that should be used to complete MFA.
+  final MultiFactorResolver resolver;
+
+  const MFARequired(this.resolver);
+}
+
 class AuthStateProvider extends InheritedWidget {
   final AuthState state;
 

packages/firebase_ui_auth/lib/src/flows/phone_auth_flow.dart

@@ -73,7 +73,10 @@ class AutoresolutionFailedException implements Exception {
 abstract class PhoneAuthController extends AuthController {
   /// Initializes the flow with a phone number. This method should be called
   /// after user submits a phone number.
-  void acceptPhoneNumber(String phoneNumber);
+  void acceptPhoneNumber(
+    String phoneNumber, [
+    fba.MultiFactorSession? multiFactorSession,
+  ]);
 
   /// Triggers an SMS code verification.
   void verifySMSCode(
@@ -113,15 +116,23 @@ class PhoneAuthFlow extends AuthFlow<PhoneAuthProvider>
         );
 
   @override
-  void acceptPhoneNumber(String phoneNumber) {
-    provider.sendVerificationCode(phoneNumber, action);
+  void acceptPhoneNumber(
+    String phoneNumber, [
+    fba.MultiFactorSession? multiFactorSession,
+  ]) {
+    provider.sendVerificationCode(
+      phoneNumber: phoneNumber,
+      action: action,
+      multiFactorSession: multiFactorSession,
+    );
   }
 
   @override
   void verifySMSCode(
     String code, {
     String? verificationId,
     fba.ConfirmationResult? confirmationResult,
+    fba.MultiFactorSession? multiFactorSession,
   }) {
     provider.verifySMSCode(
       action: action,

packages/firebase_ui_auth/lib/src/mfa.dart

@@ -0,0 +1,87 @@
+import 'dart:async';
+
+import 'package:firebase_auth/firebase_auth.dart' hide PhoneAuthProvider;
+import 'package:firebase_ui_auth/firebase_ui_auth.dart';
+import 'package:firebase_ui_auth/src/widgets/internal/universal_page_route.dart';
+import 'package:flutter/scheduler.dart';
+import 'package:flutter/widgets.dart';
+
+Future<UserCredential> startMFAVerification({
+  required BuildContext context,
+  required MultiFactorResolver resolver,
+}) async {
+  if (resolver.hints.first is PhoneMultiFactorInfo) {
+    return startPhoneMFAVerification(
+      context: context,
+      resolver: resolver,
+    );
+  } else {
+    throw Exception('Unsupported MFA type');
+  }
+}
+
+Future<UserCredential> startPhoneMFAVerification({
+  required BuildContext context,
+  required MultiFactorResolver resolver,
+  FirebaseAuth? auth,
+}) async {
+  final session = resolver.session;
+  final hint = resolver.hints.first;
+  final completer = Completer<UserCredential>();
+  final navigator = Navigator.of(context);
+
+  final provider = PhoneAuthProvider();
+  provider.auth = auth ?? FirebaseAuth.instance;
+
+  final flow = PhoneAuthFlow(
+    auth: auth ?? FirebaseAuth.instance,
+    action: AuthAction.none,
+    provider: PhoneAuthProvider(),
+  );
+
+  provider.authListener = flow;
+
+  final flowKey = Object();
+
+  SchedulerBinding.instance.addPostFrameCallback((timeStamp) {
+    provider.sendVerificationCode(
+      hint: hint as PhoneMultiFactorInfo,
+      multiFactorSession: session,
+      action: AuthAction.none,
+    );
+  });
+
+  navigator.push(
+    createPageRoute(
+      context: context,
+      builder: (context) {
+        return AuthFlowBuilder<PhoneAuthController>(
+          flow: flow,
+          flowKey: flowKey,
+          child: SMSCodeInputScreen(
+            flowKey: flowKey,
+            action: AuthAction.none,
+            auth: auth,
+            actions: [
+              AuthStateChangeAction<CredentialReceived>((context, inner) {
+                final cred = inner.credential as PhoneAuthCredential;
+                final assertion = PhoneMultiFactorGenerator.getAssertion(cred);
+                try {
+                  final cred = resolver.resolveSignIn(assertion);
+                  completer.complete(cred);
+                } catch (e) {
+                  completer.completeError(e);
+                }
+              }),
+            ],
+          ),
+        );
+      },
+    ),
+  );
+
+  final cred = await completer.future;
+
+  navigator.pop();
+  return cred;
+}

packages/firebase_ui_auth/lib/src/navigation/phone_verification.dart

@@ -1,4 +1,9 @@
-import 'package:firebase_auth/firebase_auth.dart' show FirebaseAuth;
+import 'package:firebase_auth/firebase_auth.dart'
+    show
+        FirebaseAuth,
+        MultiFactorInfo,
+        MultiFactorSession,
+        PhoneMultiFactorInfo;
 import 'package:firebase_ui_auth/firebase_ui_auth.dart';
 import 'package:flutter/material.dart';
 
@@ -13,15 +18,27 @@ Future<void> startPhoneVerification({
 
   /// {@macro ui.auth.auth_controller.auth}
   FirebaseAuth? auth,
+
+  /// {@macro ui.auth.providers.phone_auth_provider.mfa_session}
+  MultiFactorSession? multiFactorSession,
+
+  /// {@macro ui.auth.providers.phone_auth_provider.mfa_hint}
+  PhoneMultiFactorInfo? hint,
+
+  /// Additional actions to pass down to the [PhoneInputScreen].
+  List<FirebaseUIAction> actions = const [],
 }) async {
   await Navigator.of(context).push(
     createPageRoute(
       context: context,
       builder: (_) => FirebaseUIActions.inherit(
         from: context,
+        actions: actions,
         child: PhoneInputScreen(
           auth: auth,
           action: action,
+          multiFactorSession: multiFactorSession,
+          mfaHint: hint,
         ),
       ),
     ),

packages/firebase_ui_auth/lib/src/providers/auth_provider.dart

@@ -12,6 +12,11 @@ void defaultOnAuthError(AuthProvider provider, Object error) {
     throw error;
   }
 
+  if (error is FirebaseAuthMultiFactorException) {
+    provider.authListener.onMFARequired(error.resolver);
+    return;
+  }
+
   if (error.code == 'account-exists-with-different-credential') {
     final email = error.email;
     if (email == null) {
@@ -49,7 +54,7 @@ abstract class AuthListener {
 
   /// Called before an attempt to link the credential with currently signed in
   /// user account.
-  void onBeforeCredentialLinked(AuthCredential credential);
+  void onCredentialReceived(AuthCredential credential);
 
   /// Called if the credential was successfully linked with the user account.
   void onCredentialLinked(AuthCredential credential);
@@ -66,6 +71,9 @@ abstract class AuthListener {
 
   /// Called when the user cancells the sign in process.
   void onCanceled();
+
+  /// Called when the user has to complete MFA.
+  void onMFARequired(MultiFactorResolver resolver);
 }
 
 /// {@template ui.auth.auth_provider}
@@ -109,7 +117,7 @@ abstract class AuthProvider<T extends AuthListener, K extends AuthCredential> {
   /// Links a provided [AuthCredential] with the currently signed in user
   /// account.
   void linkWithCredential(AuthCredential credential) {
-    authListener.onBeforeCredentialLinked(credential);
+    authListener.onCredentialReceived(credential);
     try {
       final user = auth.currentUser!;
       user
@@ -155,10 +163,18 @@ abstract class AuthProvider<T extends AuthListener, K extends AuthCredential> {
   /// hooks are called if action is [AuthAction.signUp].
   /// {@endtemplate}
   void onCredentialReceived(K credential, AuthAction action) {
-    if (action == AuthAction.link) {
-      linkWithCredential(credential);
-    } else {
-      signInWithCredential(credential);
+    switch (action) {
+      case AuthAction.link:
+        linkWithCredential(credential);
+        break;
+      case AuthAction.signIn:
+        signInWithCredential(credential);
+        break;
+      case AuthAction.none:
+        authListener.onCredentialReceived(credential);
+        break;
+      default:
+        throw Exception('$runtimeType should handle $action');
     }
   }
 }