10
votes

I am using PAW to try and test different cloud functions deployed with Firebase. The app uses phone authentication, however currently there is little to no documentation on how to accomplish phone number authentication via REST API.

I have whitelisted a phone number for testing as per instructions here.

It appears that what I need to do is call the verifyPhoneNumber method. I have pieced together that the REST API endpoint I need is in the format:

https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPhoneNumber?key={WEB_API_KEY}

Now where I get stuck is in trying to pass the data that is expected. It looks like this endpoint expects a phoneNumber and an applicationVerifier object. I've pieced this together from the corresponding documentation here.

I try to make a request that looks like:

POST /identitytoolkit/v3/relyingparty/verifyPhoneNumber?key={WEB_API_KEY}
Content-Type: application/json; charset=utf-8
Host: www.googleapis.com
Connection: close
User-Agent: Paw/3.1.7 (Macintosh; OS X/10.13.6) GCDHTTPRequest
Content-Length: 73

{"phoneNumber":"+18035551111","applicationVerifier":{"type":"recaptcha"}}

The response I receive is:

HTTP/1.1 400 Bad Request
Vary: X-Origin
Vary: Referer
Content-Type: application/json; charset=UTF-8
Date: Thu, 13 Sep 2018 16:35:33 GMT
Server: ESF
Cache-Control: private
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: quic=":443"; ma=2592000; v="44,43,39,35"
Accept-Ranges: none
Vary: Origin,Accept-Encoding
Connection: close

{
  "error": {
    "code": 400,
    "message": "MISSING_SESSION_INFO",
    "errors": [
      {
        "message": "MISSING_SESSION_INFO",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

I'm not sure what I'm doing wrong at this point as I'm running out of documentation and sort of just blindly guessing parameters now. How can I authenticate via white-listed phone number via REST API for testing?

3
Did you find any solution for this? – mosid
No, I did not. Sorry. – DjH
Why are you sending "applicationVerifier":{"type":"recaptcha"} as the request value? Where did you find it? I found JavaScript requests and found only a recaptchaToken: parameter there, but can't get it by a script request. – koa73

3 Answers

5
votes
  1. Create your verification code request (the key is an environment variable)

[Screenshots: send verification code, part 1 and part 2]

  2. (but this is optional) make the session info a Body Response Dynamic Value

  3. Create your verify phone number request

  4. (again, optional) make the idToken also a Body Response Dynamic Value

  5. Use the idToken dynamic value in any other subsequent requests you perform to Firebase

The best part about adding the variables as Body Response Dynamic Values is you can chain them and call them in a sequence.

2
votes

After a lot of research (I'm struggling to create automated tests for my "login with phone" flow), I finally found a solution for this, based on @Danut Pralea's answer. Hopefully it will help people in future :)

Considering that your phone number is already whitelisted (as mentioned in the question), the first step would be a call to Firebase to send the verification code:

POST /v1/accounts:sendVerificationCode?key={WEB_API_KEY} HTTP/1.1
Host: identitytoolkit.googleapis.com:443
Content-Type: application/json
Content-Length: 39

{
    "phoneNumber": "{PHONE_NUMBER}"
}

The response will be the sessionInfo, like this:

{
    "sessionInfo": "ALiwoWJhYJgtFav1DKc0yBoTwcjjiyQNu240eDJ76GmlH-2i3RmHAYamaPkx3rjEmOBcgrua5QfLw8Nrn_QwjVPO6N09fYsiWQha0-5o2Jb5Hwqxkw7qwsl6YK0gotZ16HmiwqJkyd-stAXTVU1ZIBUwfrFqZmFY7g"
}

Then, the next step is to log in to Firebase with the code (the same one used in the whitelisting) and the session info:

POST /v1/accounts:signInWithPhoneNumber?key={WEB_API_KEY} HTTP/1.1
Host: identitytoolkit.googleapis.com:443
Content-Type: application/json
Content-Length: 207

{
    "sessionInfo": "ALiwoWJhYJgtFav1DKc0yBoTwcjjiyQNu240eDJ76GmlH-2i3RmHAYamaPkx3rjEmOBcgrua5QfLw8Nrn_QwjVPO6N09fYsiWQha0-5o2Jb5Hwqxkw7qwsl6YK0gotZ16HmiwqJkyd-stAXTVU1ZIBUwfrFqZmFY7g",
    "code": 123456
}

And that's it! Response will be something like:

{
    "idToken": "idToken",
    "refreshToken": "refreshToken",
    "expiresIn": "3600",
    "localId": "localId",
    "isNewUser": false,
    "phoneNumber": "{PHONE_NUMBER}"
}

More info in the official documentation: https://cloud.google.com/identity-platform/docs/reference/rest/v1/accounts

1
votes

For the REST API POST, you have to pass the reCAPTCHA token instead of the captcha object you are passing. You can obtain the token in the callback function when you create RecaptchaVerifier:

        window.recaptchaVerifier = new firebase.auth.RecaptchaVerifier('my_btn', {
            'size': 'invisible',
            'callback': function(response) {
                // reCAPTCHA solved, allow signInWithPhoneNumber.
                // `response` is the reCAPTCHA token to send in the REST request.
                recaptchaToken = response;
                // ...
            }
        });

This article helped me - https://medium.com/@shangyilim/verifying-phone-numbers-with-firebase-phone-authentication-on-your-backend-for-free-7a9bef326d02