Only fetch reCAPTCHA v2 token when FAKE_TOKEN #8493

Merged
merged 1 commit into from
Sep 10, 2024
24 changes: 6 additions & 18 deletions packages/auth/src/platform_browser/strategies/phone.ts
Expand Up @@ -267,12 +267,8 @@ export async function _verifyPhoneNumber(
authInstance: AuthInternal,
request: StartPhoneMfaEnrollmentRequest
) => {
// If reCAPTCHA Enterprise token is empty or "NO_RECAPTCHA", fetch reCAPTCHA v2 token and inject into request.
if (
!request.phoneEnrollmentInfo.captchaResponse ||
request.phoneEnrollmentInfo.captchaResponse.length === 0 ||
request.phoneEnrollmentInfo.captchaResponse === FAKE_TOKEN
) {
// If reCAPTCHA Enterprise token is FAKE_TOKEN, fetch reCAPTCHA v2 token and inject into request.
if (request.phoneEnrollmentInfo.captchaResponse === FAKE_TOKEN) {
What is the case in which we need to use a fake token?
Contributor Author
We use the fake token when the rCE token is missing (MISSING_RECAPTCHA_TOKEN) or the reCAPTCHA Enterprise token check fails (INVALID_APP_CREDENTIAL). In audit mode, if the first request fails for one of the above reasons, we try again with FAKE_TOKEN and an rcv2 token.

https://github.com/firebase/firebase-js-sdk/blob/nhienlam-rce/packages/auth/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.ts#L308-L310

_assert(
verifier?.type === RECAPTCHA_VERIFIER_TYPE,
authInstance,
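Review bot: narrowing the guard from "falsy, empty, or FAKE_TOKEN" to the strict `request.phoneEnrollmentInfo.captchaResponse === FAKE_TOKEN` check means an undefined or empty `captchaResponse` now bypasses both the v2 token fetch and the `_assert(verifier?.type === RECAPTCHA_VERIFIER_TYPE, ...)` guard, so the enrollment request can be sent with no captcha token at all. Please confirm the caller guarantees that `captchaResponse` is either a real Enterprise token or FAKE_TOKEN on the audit-mode retry path (the MISSING_RECAPTCHA_TOKEN / INVALID_APP_CREDENTIAL explanation given in this thread), and record that invariant in the updated comment rather than only in the review discussion, since the new comment no longer says what happens for the empty case.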
Expand Down Expand Up @@ -329,12 +325,8 @@ export async function _verifyPhoneNumber(
authInstance: AuthInternal,
request: StartPhoneMfaSignInRequest
) => {
// If reCAPTCHA Enterprise token is empty or "NO_RECAPTCHA", fetch reCAPTCHA v2 token and inject into request.
if (
!request.phoneSignInInfo.captchaResponse ||
request.phoneSignInInfo.captchaResponse.length === 0 ||
request.phoneSignInInfo.captchaResponse === FAKE_TOKEN
) {
// If reCAPTCHA Enterprise token is FAKE_TOKEN, fetch reCAPTCHA v2 token and inject into request.
if (request.phoneSignInInfo.captchaResponse === FAKE_TOKEN) {
_assert(
verifier?.type === RECAPTCHA_VERIFIER_TYPE,
authInstance,
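Review bot: the same predicate is now copied into three call sites (here on `request.phoneSignInInfo.captchaResponse`, and on `request.phoneEnrollmentInfo.captchaResponse` and `request.captchaResponse` in the neighbouring hunks), each with its own copy of the explanatory comment. Consider a single small helper that answers "should we fall back to the reCAPTCHA v2 verifier for this token?" and call it from all three paths, so a future change to the fallback rule (for example re-adding the empty-token case) cannot drift between the enrollment, sign-in and verification-code flows.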
Expand Down Expand Up @@ -380,12 +372,8 @@ export async function _verifyPhoneNumber(
authInstance: AuthInternal,
request: SendPhoneVerificationCodeRequest
) => {
// If reCAPTCHA Enterprise token is empty or "NO_RECAPTCHA", fetch reCAPTCHA v2 token and inject into request.
if (
!request.captchaResponse ||
request.captchaResponse.length === 0 ||
request.captchaResponse === FAKE_TOKEN
) {
// If reCAPTCHA Enterprise token is FAKE_TOKEN, fetch reCAPTCHA v2 token and inject into request.
if (request.captchaResponse === FAKE_TOKEN) {
_assert(
verifier?.type === RECAPTCHA_VERIFIER_TYPE,
authInstance,
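Review bot: this hunk changes observable behaviour on the SendPhoneVerificationCodeRequest path for requests whose `captchaResponse` is undefined or an empty string (they previously triggered the v2 fallback and now do not), but the PR shows no accompanying test change. Suggest adding or updating unit tests that exercise `_verifyPhoneNumber` with `captchaResponse` set to undefined, `''` and FAKE_TOKEN respectively, asserting that only the FAKE_TOKEN case reaches the `_assert(verifier?.type === RECAPTCHA_VERIFIER_TYPE, ...)` guard and the v2 token fetch.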