feature: implement reauth for email link in Views and updating method in auth service

Author: russellwheatley

FirebaseSwiftUI/FirebaseAuthSwiftUI/Sources/Services/AuthService.swift

@@ -122,6 +122,10 @@ public final class AuthService {
   // Needed because provider data sign-in doesn't distinguish between email link and password
   // sign-in needed for reauthentication
   @ObservationIgnored @AppStorage("is-email-link") private var isEmailLinkSignIn: Bool = false
+  // Storage for email link reauthentication (separate from sign-in)
+  @ObservationIgnored @AppStorage("email-link-reauth") private var emailLinkReauth: String?
+  @ObservationIgnored @AppStorage("is-reauthenticating") private var isReauthenticating: Bool =
+    false
 
   private var currentMFAResolver: MultiFactorResolver?
   private var listenerManager: AuthListenerManager?
@@ -181,6 +185,9 @@ public final class AuthService {
     currentUser = nil
     // Clear email link sign-in flag
     isEmailLinkSignIn = false
+    // Clear email link reauth state
+    emailLinkReauth = nil
+    isReauthenticating = false
     updateAuthenticationState()
   }
 
@@ -385,20 +392,44 @@ public extension AuthService {
 // MARK: - Email Link Sign In
 
 public extension AuthService {
-  func sendEmailSignInLink(email: String) async throws {
+  /// Send email link for sign-in or reauthentication
+  /// - Parameters:
+  ///   - email: Email address to send link to
+  ///   - isReauth: Whether this is for reauthentication (default: false)
+  func sendEmailSignInLink(email: String, isReauth: Bool = false) async throws {
     let actionCodeSettings = try updateActionCodeSettings()
     try await auth.sendSignInLink(
       toEmail: email,
       actionCodeSettings: actionCodeSettings
     )
+
+    // Store email based on context
+    if isReauth {
+      emailLinkReauth = email
+      isReauthenticating = true
+    }
   }
 
   func handleSignInLink(url url: URL) async throws {
     do {
-      guard let email = emailLink else {
-        throw AuthServiceError
-          .invalidEmailLink("email address is missing from app storage. Is this the same device?")
+      // Check which flow we're in based on the flag
+      let email: String
+      let isReauth = isReauthenticating
+
+      if isReauth {
+        guard let reauthEmail = emailLinkReauth else {
+          throw AuthServiceError
+            .invalidEmailLink("Email address is missing for reauthentication")
+        }
+        email = reauthEmail
+      } else {
+        guard let signInEmail = emailLink else {
+          throw AuthServiceError
+            .invalidEmailLink("email address is missing from app storage. Is this the same device?")
+        }
+        email = signInEmail
       }
+
       let urlString = url.absoluteString
 
       guard let originalLink = CommonUtils.getQueryParamValue(from: urlString, paramName: "link")
@@ -412,41 +443,62 @@ public extension AuthService {
           .invalidEmailLink("Failed to decode Link URL")
       }
 
-      guard let continueUrl = CommonUtils.getQueryParamValue(from: link, paramName: "continueUrl")
-      else {
-        throw AuthServiceError
-          .invalidEmailLink("`continueUrl` parameter is missing from the email link URL")
-      }
-
       if auth.isSignIn(withEmailLink: link) {
-        let anonymousUserID = CommonUtils.getQueryParamValue(
-          from: continueUrl,
-          paramName: "ui_auid"
-        )
-        if shouldHandleAnonymousUpgrade, anonymousUserID == currentUser?.uid {
-          let credential = EmailAuthProvider.credential(withEmail: email, link: link)
-          try await handleAutoUpgradeAnonymousUser(credentials: credential)
+        let credential = EmailAuthProvider.credential(withEmail: email, link: link)
+
+        if isReauth {
+          // Reauthentication flow
+          try await reauthenticate(with: credential)
+          // Clean up reauth state
+          emailLinkReauth = nil
+          isReauthenticating = false
         } else {
-          let result = try await auth.signIn(withEmail: email, link: link)
+          // Sign-in flow
+          guard let continueUrl = CommonUtils.getQueryParamValue(
+            from: link,
+            paramName: "continueUrl"
+          )
+          else {
+            throw AuthServiceError
+              .invalidEmailLink("`continueUrl` parameter is missing from the email link URL")
+          }
+
+          let anonymousUserID = CommonUtils.getQueryParamValue(
+            from: continueUrl,
+            paramName: "ui_auid"
+          )
+          if shouldHandleAnonymousUpgrade, anonymousUserID == currentUser?.uid {
+            try await handleAutoUpgradeAnonymousUser(credentials: credential)
+          } else {
+            let result = try await auth.signIn(withEmail: email, link: link)
+          }
+          updateAuthenticationState()
+          // Track that user signed in with email link
+          isEmailLinkSignIn = true
+          emailLink = nil
         }
-        updateAuthenticationState()
-        // Track that user signed in with email link
-        isEmailLinkSignIn = true
-        emailLink = nil
       }
     } catch {
-      // Reconstruct credential for conflict handling
+      // Determine which email to use for error handling
+      let email = isReauthenticating ? emailLinkReauth : emailLink
       let link = url.absoluteString
-      guard let email = emailLink else {
+
+      guard let email = email else {
         throw AuthServiceError
-          .invalidEmailLink("email address is missing from app storage. Is this the same device?")
+          .invalidEmailLink("email address is missing from app storage")
       }
       let credential = EmailAuthProvider.credential(withEmail: email, link: link)
 
-      // Possible conflicts from auth.signIn(withEmail:link:):
-      // - accountExistsWithDifferentCredential: account exists with different provider
-      // - credentialAlreadyInUse: credential is already linked to another account
-      try handleErrorWithConflictCheck(error: error, credential: credential)
+      // Only handle conflicts for sign-in flow, not reauth
+      if !isReauthenticating {
+        // Possible conflicts from auth.signIn(withEmail:link:):
+        // - accountExistsWithDifferentCredential: account exists with different provider
+        // - credentialAlreadyInUse: credential is already linked to another account
+        try handleErrorWithConflictCheck(error: error, credential: credential)
+      } else {
+        // For reauth, just rethrow
+        throw error
+      }
     }
   }
 }

FirebaseSwiftUI/FirebaseAuthSwiftUI/Sources/Views/EmailLinkReauthView.swift

@@ -0,0 +1,160 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import FirebaseAuth
+import FirebaseCore
+import SwiftUI
+
+@MainActor
+public struct EmailLinkReauthView {
+  @Environment(AuthService.self) private var authService
+  @Environment(\.reportError) private var reportError
+
+  let email: String
+  let coordinator: ReauthenticationCoordinator
+
+  @State private var emailSent = false
+  @State private var isLoading = false
+  @State private var error: AlertError?
+
+  private func sendEmailLink() async {
+    isLoading = true
+    do {
+      try await authService.sendEmailSignInLink(email: email, isReauth: true)
+      emailSent = true
+      isLoading = false
+    } catch {
+      if let reportError = reportError {
+        reportError(error)
+      } else {
+        self.error = AlertError(
+          title: "Error",
+          message: error.localizedDescription,
+          underlyingError: error
+        )
+      }
+      isLoading = false
+    }
+  }
+
+  private func handleReauthURL(_ url: URL) {
+    Task { @MainActor in
+      do {
+        try await authService.handleSignInLink(url: url)
+        coordinator.reauthCompleted()
+      } catch {
+        if let reportError = reportError {
+          reportError(error)
+        } else {
+          self.error = AlertError(
+            title: "Error",
+            message: error.localizedDescription,
+            underlyingError: error
+          )
+        }
+      }
+    }
+  }
+}
+
+extension EmailLinkReauthView: View {
+  public var body: some View {
+    NavigationStack {
+      VStack(spacing: 24) {
+        if emailSent {
+          // "Check your email" state
+          VStack(spacing: 16) {
+            Image(systemName: "envelope.open.fill")
+              .font(.system(size: 60))
+              .foregroundColor(.accentColor)
+              .padding(.top, 32)
+
+            Text("Check Your Email")
+              .font(.title)
+              .fontWeight(.bold)
+
+            Text("We've sent a verification link to:")
+              .font(.body)
+              .foregroundStyle(.secondary)
+
+            Text(email)
+              .font(.body)
+              .fontWeight(.medium)
+              .padding(.horizontal)
+
+            Text("Tap the link in the email to complete reauthentication.")
+              .font(.body)
+              .multilineTextAlignment(.center)
+              .foregroundStyle(.secondary)
+              .padding(.horizontal, 32)
+              .padding(.top, 8)
+
+            Button {
+              Task {
+                await sendEmailLink()
+              }
+            } label: {
+              if isLoading {
+                ProgressView()
+                  .frame(height: 32)
+              } else {
+                Text("Resend Email")
+                  .frame(height: 32)
+              }
+            }
+            .buttonStyle(.bordered)
+            .disabled(isLoading)
+            .padding(.top, 16)
+          }
+        } else {
+          // Loading/sending state
+          VStack(spacing: 16) {
+            ProgressView()
+              .padding(.top, 32)
+            Text("Sending verification email...")
+              .foregroundStyle(.secondary)
+          }
+        }
+
+        Spacer()
+      }
+      .frame(maxWidth: .infinity, maxHeight: .infinity, alignment: .top)
+      .navigationTitle("Verify Your Identity")
+      .navigationBarTitleDisplayMode(.inline)
+      .toolbar {
+        ToolbarItem(placement: .cancellationAction) {
+          Button("Cancel") {
+            coordinator.reauthCancelled()
+          }
+        }
+      }
+      .onOpenURL { url in
+        handleReauthURL(url)
+      }
+      .task {
+        await sendEmailLink()
+      }
+    }
+    .errorAlert(error: $error, okButtonLabel: authService.string.okButtonLabel)
+  }
+}
+
+#Preview {
+  FirebaseOptions.dummyConfigurationForPreview()
+  return EmailLinkReauthView(
+    email: "[email protected]",
+    coordinator: ReauthenticationCoordinator()
+  )
+  .environment(AuthService())
+}

FirebaseSwiftUI/FirebaseAuthSwiftUI/Sources/Views/ReauthenticationCoordinator.swift

@@ -24,6 +24,8 @@ public final class ReauthenticationCoordinator {
   public var showingPhoneReauth = false
   public var showingPhoneReauthAlert = false
   public var showingEmailPasswordPrompt = false
+  public var showingEmailLinkReauth = false
+  public var showingEmailLinkReauthAlert = false
 
   private var continuation: CheckedContinuation<Void, Error>?
 
@@ -41,6 +43,8 @@ public final class ReauthenticationCoordinator {
         self.showingPhoneReauthAlert = true
       case .email:
         self.showingEmailPasswordPrompt = true
+      case .emailLink:
+        self.showingEmailLinkReauthAlert = true
       case .oauth:
         // For OAuth providers (Google, Apple, etc.)
         self.isReauthenticating = true
@@ -54,6 +58,12 @@ public final class ReauthenticationCoordinator {
     showingPhoneReauth = true
   }
 
+  /// Called when user confirms email link reauth alert
+  public func confirmEmailLinkReauth() {
+    showingEmailLinkReauthAlert = false
+    showingEmailLinkReauth = true
+  }
+
   /// Called when reauthentication completes successfully
   public func reauthCompleted() {
     continuation?.resume()
@@ -72,6 +82,8 @@ public final class ReauthenticationCoordinator {
     showingPhoneReauth = false
     showingPhoneReauthAlert = false
     showingEmailPasswordPrompt = false
+    showingEmailLinkReauth = false
+    showingEmailLinkReauthAlert = false
     reauthContext = nil
   }
 }

FirebaseSwiftUI/FirebaseAuthSwiftUI/Sources/Views/ReauthenticationModifier.swift

@@ -72,6 +72,31 @@ struct ReauthenticationModifier: ViewModifier {
           )
         }
       }
+      // Alert for email link reauthentication
+      .alert(
+        "Email Verification Required",
+        isPresented: $coordinator.showingEmailLinkReauthAlert
+      ) {
+        Button("Send Verification Email") {
+          coordinator.confirmEmailLinkReauth()
+        }
+        Button("Cancel", role: .cancel) {
+          coordinator.reauthCancelled()
+        }
+      } message: {
+        if case let .emailLink(context) = coordinator.reauthContext {
+          Text("We'll send a verification link to \(context.email). Tap the link to continue.")
+        }
+      }
+      // Sheet for email link reauthentication
+      .sheet(isPresented: $coordinator.showingEmailLinkReauth) {
+        if case let .emailLink(context) = coordinator.reauthContext {
+          EmailLinkReauthView(
+            email: context.email,
+            coordinator: coordinator
+          )
+        }
+      }
   }
 
   private func performReauth() {