feat: MFA enrolment flow

Author: russellwheatley

FirebaseSwiftUI/FirebaseAuthSwiftUI/Sources/Auth/MultiFactor.swift

@@ -0,0 +1,101 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+@preconcurrency import FirebaseAuth
+import SwiftUI
+
+public enum SecondFactorType {
+  case sms
+  case totp
+}
+
+public struct TOTPEnrollmentInfo {
+  public let sharedSecretKey: String
+  public let qrCodeURL: URL?
+  public let accountName: String?
+  public let issuer: String?
+  public let verificationStatus: VerificationStatus
+
+  public enum VerificationStatus {
+    case pending
+    case verified
+    case failed
+  }
+
+  public init(sharedSecretKey: String,
+              qrCodeURL: URL? = nil,
+              accountName: String? = nil,
+              issuer: String? = nil,
+              verificationStatus: VerificationStatus = .pending) {
+    self.sharedSecretKey = sharedSecretKey
+    self.qrCodeURL = qrCodeURL
+    self.accountName = accountName
+    self.issuer = issuer
+    self.verificationStatus = verificationStatus
+  }
+}
+
+public struct EnrollmentSession {
+  public let id: String
+  public let type: SecondFactorType
+  public let session: MultiFactorSession
+  public let totpInfo: TOTPEnrollmentInfo?
+  public let phoneNumber: String?
+  public let verificationId: String?
+  public let status: EnrollmentStatus
+  public let createdAt: Date
+  public let expiresAt: Date
+
+  // Internal handle to finish TOTP
+  fileprivate let _totpSecret: AnyObject?
+
+  public enum EnrollmentStatus {
+    case initiated
+    case verificationSent
+    case verificationPending
+    case completed
+    case failed
+    case expired
+  }
+
+  public init(id: String = UUID().uuidString,
+              type: SecondFactorType,
+              session: MultiFactorSession,
+              totpInfo: TOTPEnrollmentInfo? = nil,
+              phoneNumber: String? = nil,
+              verificationId: String? = nil,
+              status: EnrollmentStatus = .initiated,
+              createdAt: Date = Date(),
+              expiresAt: Date = Date().addingTimeInterval(600), // 10 minutes default
+              _totpSecret: AnyObject? = nil) {
+    self.id = id
+    self.type = type
+    self.session = session
+    self.totpInfo = totpInfo
+    self.phoneNumber = phoneNumber
+    self.verificationId = verificationId
+    self.status = status
+    self.createdAt = createdAt
+    self.expiresAt = expiresAt
+    self._totpSecret = _totpSecret
+  }
+
+  public var isExpired: Bool {
+    return Date() > expiresAt
+  }
+
+  public var canProceed: Bool {
+    return !isExpired &&
+      (status == .initiated || status == .verificationSent || status == .verificationPending)
+  }
+}

FirebaseSwiftUI/FirebaseAuthSwiftUI/Sources/AuthServiceError.swift

@@ -38,6 +38,8 @@ public enum AuthServiceError: LocalizedError {
   case accountMergeConflict(context: AccountMergeConflictContext)
   case invalidPhoneAuthenticationArguments(String)
   case providerNotFound(String)
+  case multiFactorAuth(String)
+  
 
   public var errorDescription: String? {
     switch self {
@@ -61,6 +63,8 @@ public enum AuthServiceError: LocalizedError {
       return description
     case let .invalidPhoneAuthenticationArguments(description):
         return description
+    case let .multiFactorAuth(description):
+      return description
     }
   }
 }

FirebaseSwiftUI/FirebaseAuthSwiftUI/Sources/Services/AuthConfiguration.swift

@@ -25,14 +25,23 @@ public struct AuthConfiguration {
   public let emailLinkSignInActionCodeSettings: ActionCodeSettings?
   public let verifyEmailActionCodeSettings: ActionCodeSettings?
 
+    // MARK: - MFA Configuration
+
+  public let mfaEnabled: Bool
+  public let allowedSecondFactors: Set<SecondFactorType>
+  public let mfaIssuer: String
+
   public init(shouldHideCancelButton: Bool = false,
               interactiveDismissEnabled: Bool = true,
               shouldAutoUpgradeAnonymousUsers: Bool = false,
               customStringsBundle: Bundle? = nil,
               tosUrl: URL? = nil,
               privacyPolicyUrl: URL? = nil,
               emailLinkSignInActionCodeSettings: ActionCodeSettings? = nil,
-              verifyEmailActionCodeSettings: ActionCodeSettings? = nil) {
+              verifyEmailActionCodeSettings: ActionCodeSettings? = nil,
+              mfaEnabled: Bool = false,
+              allowedSecondFactors: Set<SecondFactorType> = [.sms, .totp],
+              mfaIssuer: String = "Firebase Auth") {
     self.shouldHideCancelButton = shouldHideCancelButton
     self.interactiveDismissEnabled = interactiveDismissEnabled
     self.shouldAutoUpgradeAnonymousUsers = shouldAutoUpgradeAnonymousUsers
@@ -41,5 +50,8 @@ public struct AuthConfiguration {
     self.privacyPolicyUrl = privacyPolicyUrl
     self.emailLinkSignInActionCodeSettings = emailLinkSignInActionCodeSettings
     self.verifyEmailActionCodeSettings = verifyEmailActionCodeSettings
+    self.mfaEnabled = mfaEnabled
+    self.allowedSecondFactors = allowedSecondFactors
+    self.mfaIssuer = mfaIssuer
   }
 }

FirebaseSwiftUI/FirebaseAuthSwiftUI/Sources/Services/AuthService.swift

@@ -49,12 +49,15 @@ public enum AuthView {
   case passwordRecovery
   case emailLink
   case updatePassword
+  case mfaEnrollment
 }
 
 public enum SignInOutcome: @unchecked Sendable {
   case signedIn(AuthDataResult?)
 }
 
+
+
 @MainActor
 private final class AuthListenerManager {
   private var authStateHandle: AuthStateDidChangeListenerHandle?
@@ -517,4 +520,203 @@ public extension AuthService {
       throw error
     }
   }
-}
+}
+
+// MARK: - MFA Methods (Placeholder implementations)
+
+public extension AuthService {
+  func startMfaEnrollment(type: SecondFactorType, accountName: String? = nil,
+                          issuer: String? = nil) async throws -> EnrollmentSession {
+    guard let user = auth.currentUser else {
+      throw AuthServiceError.noCurrentUser
+    }
+
+    // Check if MFA is enabled in configuration
+    guard configuration.mfaEnabled else {
+      throw AuthServiceError.multiFactorAuth("MFA is not enabled in configuration, please enable `AuthConfiguration.mfaEnabled`")
+    }
+
+    // Check if the requested factor type is allowed
+    guard configuration.allowedSecondFactors.contains(type) else {
+      throw AuthServiceError
+        .multiFactorAuth(
+          "The requested MFA factor type '\(type)' is not allowed in AuthConfiguration.allowedSecondFactors"
+        )
+    }
+
+    let multiFactorUser = user.multiFactor
+
+    // Get the multi-factor session
+    let session = try await withCheckedThrowingContinuation { (continuation: CheckedContinuation<
+      MultiFactorSession,
+      Error
+    >) in
+      multiFactorUser.getSessionWithCompletion { session, error in
+        if let error = error {
+          continuation.resume(throwing: error)
+        } else if let session = session {
+          continuation.resume(returning: session)
+        } else {
+          continuation.resume(throwing: AuthServiceError.multiFactorAuth("Failed to get MFA session for '\(type)'"))
+        }
+      }
+    }
+
+    switch type {
+    case .sms:
+      // For SMS, we just return the session - phone number will be provided in
+      // sendSmsVerificationForEnrollment
+      return EnrollmentSession(
+        type: .sms,
+        session: session,
+        status: .initiated
+      )
+
+    case .totp:
+      // For TOTP, generate the secret and QR code
+      let totpSecret = try await TOTPMultiFactorGenerator.generateSecret(with: session)
+
+      // Generate QR code URL
+      let resolvedAccountName = accountName ?? user.email ?? "User"
+      let resolvedIssuer = issuer ?? configuration.mfaIssuer
+
+      let qrCodeURL = totpSecret.generateQRCodeURL(
+        withAccountName: resolvedAccountName,
+        issuer: resolvedIssuer
+      )
+
+      let totpInfo = TOTPEnrollmentInfo(
+        sharedSecretKey: totpSecret.sharedSecretKey(),
+        qrCodeURL: URL(string: qrCodeURL),
+        accountName: resolvedAccountName,
+        issuer: resolvedIssuer,
+        verificationStatus: .pending
+      )
+
+      return EnrollmentSession(
+        type: .totp,
+        session: session,
+        totpInfo: totpInfo,
+        status: .initiated,
+        _totpSecret: totpSecret
+      )
+    }
+  }
+
+  func sendSmsVerificationForEnrollment(session: EnrollmentSession,
+                                        phoneNumber: String) async throws -> String {
+    // Validate session
+    guard session.type == .sms else {
+      throw AuthServiceError.multiFactorAuth("Session is not configured for SMS enrollment")
+    }
+
+    guard session.canProceed else {
+      if session.isExpired {
+        throw AuthServiceError.multiFactorAuth("Enrollment session has expired")
+      } else {
+        throw AuthServiceError
+          .multiFactorAuth("Session is not in a valid state for SMS verification")
+      }
+    }
+
+    // Validate phone number format
+    guard !phoneNumber.isEmpty else {
+      throw AuthServiceError.multiFactorAuth("Phone number cannot be empty for SMS enrollment")
+    }
+
+    // Send SMS verification using Firebase Auth PhoneAuthProvider
+    let verificationID =
+      try await withCheckedThrowingContinuation { (continuation: CheckedContinuation<
+        String,
+        Error
+      >) in
+        PhoneAuthProvider.provider().verifyPhoneNumber(
+          phoneNumber,
+          uiDelegate: nil,
+          multiFactorSession: session.session
+        ) { verificationID, error in
+          if let error = error {
+            continuation.resume(throwing: error)
+          } else if let verificationID = verificationID {
+            continuation.resume(returning: verificationID)
+          } else {
+            continuation
+              .resume(throwing: AuthServiceError
+                .multiFactorAuth("Failed to send SMS verification code to verify phone number"))
+          }
+        }
+      }
+
+    return verificationID
+  }
+
+  func completeEnrollment(session: EnrollmentSession, verificationId: String?,
+                          verificationCode: String, displayName: String) async throws {
+    // Validate session state
+    guard session.canProceed else {
+      if session.isExpired {
+        throw AuthServiceError.multiFactorAuth("Enrollment session has expired, cannot complete enrollment")
+      } else {
+        throw AuthServiceError.multiFactorAuth("Enrollment session is not in a valid state for completion")
+      }
+    }
+
+    // Validate verification code
+    guard !verificationCode.isEmpty else {
+      throw AuthServiceError.multiFactorAuth("Verification code cannot be empty")
+    }
+
+    guard let user = auth.currentUser else {
+      throw AuthServiceError.noCurrentUser
+    }
+
+    let multiFactorUser = user.multiFactor
+
+    // Create the appropriate assertion based on factor type
+    let assertion: MultiFactorAssertion
+
+    switch session.type {
+    case .sms:
+      // For SMS, we need the verification ID
+      guard let verificationId = verificationId else {
+        throw AuthServiceError
+          .multiFactorAuth("Verification ID is required for SMS enrollment")
+      }
+
+      // Create phone credential and assertion
+      let credential = PhoneAuthProvider.provider().credential(
+        withVerificationID: verificationId,
+        verificationCode: verificationCode
+      )
+      assertion = PhoneMultiFactorGenerator.assertion(with: credential)
+
+    case .totp:
+      // For TOTP, we need the secret from the session
+      guard let totpInfo = session.totpInfo else {
+        throw AuthServiceError
+          .multiFactorAuth("TOTP info is missing from enrollment session")
+      }
+
+      // Use the stored TOTP secret from the enrollment session
+      guard let secret = session._totpSecret else {
+        throw AuthServiceError
+          .multiFactorAuth("TOTP secret is missing from enrollment session")
+      }
+
+      // The concrete type is FirebaseAuth.TOTPSecret (kept as AnyObject to avoid exposing it)
+      guard let totpSecret = secret as? TOTPSecret else {
+        throw AuthServiceError
+          .multiFactorAuth("Invalid TOTP secret type in enrollment session")
+      }
+
+      assertion = TOTPMultiFactorGenerator.assertionForEnrollment(
+        with: totpSecret,
+        oneTimePassword: verificationCode
+      )
+    }
+
+    // Complete the enrollment
+    try await user.multiFactor.enroll(with: assertion, displayName: displayName)
+    currentUser = auth.currentUser
+  }
+}