
Action: - signInWithPhoneNumber(NUMBER NOT IN DB, recaptchaVerifier)

Expected Behavior: - Since the number is not in the DB, it should not log me in.

Current Behavior: - If the number does not exist in the DB, it CREATES a new user after going through recaptcha + SMS verification. WHY?

Code:

function loginWithSMS(phoneNumber) {
  firebase.auth().useDeviceLanguage();
  // The reCAPTCHA verifier must exist before the SMS is requested.
  // @ts-ignore
  window.recaptchaVerifier = new firebase.auth.RecaptchaVerifier("recaptcha-container");

  // @ts-ignore
  window.recaptchaVerifier.render().then(function (widgetId) {
    // @ts-ignore
    window.recaptchaWidgetId = widgetId;
  });

  // signInWithPhoneNumber is a method of the Auth instance (firebase.auth()),
  // not of the firebase namespace. The promise is returned so callers can await it.
  // @ts-ignore
  return firebase
    .auth()
    .signInWithPhoneNumber(phoneNumber, window.recaptchaVerifier)
    .then((confirmationResult) => {
      console.log("SMS sent, awaiting code", confirmationResult);
      window.recaptchaVerifier.clear();
      // SMS sent. Prompt the user to type the code from the message, then sign the
      // user in with confirmationResult.confirm(code).
      const verificationCode = window.prompt(
        "Please enter the verification code that was sent to your mobile device."
      );
      return confirmationResult.confirm(verificationCode);
    })
    .catch((error) => {
      console.error(error);
      // Error: SMS not sent, or the code was rejected.
      // Handle errors here.
      window.recaptchaVerifier.clear();
      return Promise.reject(error);
    });
}
Doug Stevenson
Azmain Amin

1 Answer


This is just how the API is defined: by sending a text to the number, Firebase allows the user to verify that they have access to that phone number. If they do, they're allowed to sign in.

This is the same for the email+password provider in Firebase Authentication. Calling firebase.auth().createUserWithEmailAndPassword(email, password) creates the user, even if they didn't exist yet. And while your code may not call this API, any developer can take the Firebase configuration data from your app and call the API themselves.

Most often when developers are asking about this they're confusing authentication with authorization.

When you authenticate, you are proving that you are you. So in the examples above, that you have access to a certain phone number, or that you know the email+password combination of the account.

Based on knowing who the user is, the application then authorizes that user to perform certain actions or to access certain data.

For example, if you're using Realtime Database, Cloud Storage, or Cloud Firestore, you can control access with Firebase's server-side security rules.

If you have a different back-end, you'd control it there by checking the information in the ID token of the user (which you get from Firebase Authentication) against some set of authorization rules for your application.

Also see:

Frank van Puffelen
  • Thanks! This was a much needed clear explanation! I was very confused by the function name: signInWithPhone, as I assumed SignIN meant authorization! – Azmain Amin Mar 29 '20 at 01:01
  • I have a follow up question: Right now, I am using phone auth for my app. I do not have a Login functionality yet and I am confused HOW I will implement that, because the user is signing in using their number and not saving a password. Any help is greatly appreciated! – Azmain Amin Mar 29 '20 at 05:18
  • If you want the user to (also) be able to sign in with an email+password, you'll want to link their phone credentials with that. See https://firebase.google.com/docs/auth/web/account-linking – Frank van Puffelen Mar 29 '20 at 14:35
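The authentication/authorization split the answer describes, as an added example that is not code from the post or from Firebase: the back end accepts a verified ID token (who the caller is) and then separately checks the caller's phone_number claim against a list of provisioned numbers (what they may do). The allowlist values and the helper names are assumptions; the injected verifyIdToken stands in for firebase-admin's admin.auth().verifyIdToken.

```javascript
// Constructed sample allowlist of phone numbers the application provisioned
// (assumption: in a real app this would come from your own user DB).
const ALLOWLISTED_PHONES = new Set(["+15551230001", "+15551230002"]);

// Extract the token from "Authorization: Bearer <token>"; null if malformed.
function parseBearer(header) {
  const m = /^Bearer\s+(\S+)$/i.exec(header || "");
  return m ? m[1] : null;
}

// Authorization decision over already-verified token claims. Firebase sets
// `phone_number` on phone-auth users; an account Firebase auto-created for an
// unknown number is authenticated but NOT provisioned, so it is denied here.
function authorize(decoded, allowlist = ALLOWLISTED_PHONES) {
  const phone = decoded && decoded.phone_number;
  if (typeof phone !== "string" || !allowlist.has(phone)) {
    return { ok: false, status: 403, error: "phone number not provisioned" };
  }
  return { ok: true, user: { uid: decoded.uid, phone } };
}

// Express-style middleware. `verifyIdToken` is injected: in production pass
// (t) => admin.auth().verifyIdToken(t) from firebase-admin; tests pass a stub.
function makeRequireProvisionedUser(verifyIdToken, allowlist = ALLOWLISTED_PHONES) {
  return async function requireProvisionedUser(req, res, next) {
    const token = parseBearer(req.headers && req.headers.authorization);
    if (!token) return res.status(401).json({ error: "missing bearer token" });
    let decoded;
    try {
      // Authentication: signature, expiry and audience are checked by Firebase.
      decoded = await verifyIdToken(token);
    } catch (err) {
      return res.status(401).json({ error: "invalid ID token" });
    }
    // Authorization: is this verified identity one we allow in?
    const decision = authorize(decoded, allowlist);
    if (!decision.ok) return res.status(decision.status).json({ error: decision.error });
    req.user = decision.user;
    return next();
  };
}
```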