feat: MFA management and resolution logic

Author: russellwheatley

FirebaseSwiftUI/FirebaseAuthSwiftUI/Sources/Auth/MultiFactor.swift

@@ -98,4 +98,17 @@ public struct EnrollmentSession {
     return !isExpired &&
       (status == .initiated || status == .verificationSent || status == .verificationPending)
   }
+}
+
+public enum MFAHint {
+  case phone(displayName: String?, uid: String, phoneNumber: String?)
+  case totp(displayName: String?, uid: String)
+}
+
+public struct MFARequired {
+  public let hints: [MFAHint]
+
+  public init(hints: [MFAHint]) {
+    self.hints = hints
+  }
 }

FirebaseSwiftUI/FirebaseAuthSwiftUI/Sources/Services/AuthService.swift

@@ -50,9 +50,12 @@ public enum AuthView {
   case emailLink
   case updatePassword
   case mfaEnrollment
+  case mfaManagement
+  case mfaResolution
 }
 
 public enum SignInOutcome: @unchecked Sendable {
+  case mfaRequired(MFARequired)
   case signedIn(AuthDataResult?)
 }
 
@@ -104,6 +107,8 @@ public final class AuthService {
   public var authenticationFlow: AuthenticationFlow = .signIn
   public var errorMessage = ""
   public let passwordPrompt: PasswordPromptCoordinator = .init()
+  public var currentMFARequired: MFARequired?
+  private var currentMFAResolver: MultiFactorResolver?
 
   // MARK: - AuthPickerView Modal APIs
 
@@ -719,4 +724,169 @@ public extension AuthService {
     try await user.multiFactor.enroll(with: assertion, displayName: displayName)
     currentUser = auth.currentUser
   }
+
+  func reauthenticateCurrentUser(on user: User) async throws {
+    if let providerId = signedInCredential?.provider {
+      if providerId == EmailAuthProviderID {
+        guard let email = user.email else {
+          throw AuthServiceError.invalidCredentials("User does not have an email address")
+        }
+        let password = try await passwordPrompt.confirmPassword()
+        let credential = EmailAuthProvider.credential(withEmail: email, password: password)
+        try await user.reauthenticate(with: credential)
+      } else if let matchingProvider = providers.first(where: { $0.id == providerId }) {
+        let credential = try await matchingProvider.provider.createAuthCredential()
+        try await user.reauthenticate(with: credential)
+      } else {
+        throw AuthServiceError.providerNotFound("No provider found for \(providerId)")
+      }
+    } else {
+      throw AuthServiceError
+        .reauthenticationRequired("Recent login required to perform this operation.")
+    }
+  }
+
+  func unenrollMFA(_ factorUid: String) async throws -> [MultiFactorInfo] {
+    guard let user = auth.currentUser else {
+      throw AuthServiceError.noCurrentUser
+    }
+
+    let multiFactorUser = user.multiFactor
+
+    do {
+      try await multiFactorUser.unenroll(withFactorUID: factorUid)
+    } catch let error as NSError {
+      if error.domain == AuthErrorDomain,
+         error.code == AuthErrorCode.requiresRecentLogin.rawValue || error.code == AuthErrorCode
+         .userTokenExpired.rawValue {
+        try await reauthenticateCurrentUser(on: user)
+        try await multiFactorUser.unenroll(withFactorUID: factorUid)
+      } else {
+        throw AuthServiceError
+          .multiFactorAuth(
+            "Invalid second factor: \(error.localizedDescription)"
+          )
+      }
+    }
+
+    // This is the only we to get the actual latest enrolledFactors
+    currentUser = Auth.auth().currentUser
+    let freshFactors = currentUser?.multiFactor.enrolledFactors ?? []
+
+    return freshFactors
+  }
+
+  // MARK: - MFA Helper Methods
+
+  private func extractMFAHints(from resolver: MultiFactorResolver) -> [MFAHint] {
+    return resolver.hints.map { hint -> MFAHint in
+      if hint.factorID == PhoneMultiFactorID {
+        let phoneHint = hint as! PhoneMultiFactorInfo
+        return .phone(
+          displayName: phoneHint.displayName,
+          uid: phoneHint.uid,
+          phoneNumber: phoneHint.phoneNumber
+        )
+      } else if hint.factorID == TOTPMultiFactorID {
+        return .totp(
+          displayName: hint.displayName,
+          uid: hint.uid
+        )
+      } else {
+        // Fallback for unknown hint types
+        return .totp(displayName: hint.displayName, uid: hint.uid)
+      }
+    }
+  }
+
+  private func handleMFARequiredError(resolver: MultiFactorResolver) -> SignInOutcome {
+    let hints = extractMFAHints(from: resolver)
+    currentMFARequired = MFARequired(hints: hints)
+    currentMFAResolver = resolver
+    authView = .mfaResolution
+    return .mfaRequired(MFARequired(hints: hints))
+  }
+
+  func resolveSmsChallenge(hintIndex: Int) async throws -> String {
+    guard let resolver = currentMFAResolver else {
+      throw AuthServiceError.multiFactorAuth("No MFA resolver available")
+    }
+
+    guard hintIndex < resolver.hints.count else {
+      throw AuthServiceError.multiFactorAuth("Invalid hint index")
+    }
+
+    let hint = resolver.hints[hintIndex]
+    guard hint.factorID == PhoneMultiFactorID else {
+      throw AuthServiceError.multiFactorAuth("Selected hint is not a phone hint")
+    }
+    let phoneHint = hint as! PhoneMultiFactorInfo
+
+    return try await withCheckedThrowingContinuation { continuation in
+      PhoneAuthProvider.provider().verifyPhoneNumber(
+        with: phoneHint,
+        uiDelegate: nil,
+        multiFactorSession: resolver.session
+      ) { verificationId, error in
+        if let error = error {
+          continuation
+            .resume(throwing: AuthServiceError.multiFactorAuth(error.localizedDescription))
+        } else if let verificationId = verificationId {
+          continuation.resume(returning: verificationId)
+        } else {
+          continuation
+            .resume(throwing: AuthServiceError.multiFactorAuth("Unknown error occurred"))
+        }
+      }
+    }
+  }
+
+  func resolveSignIn(code: String, hintIndex: Int, verificationId: String? = nil) async throws {
+    guard let resolver = currentMFAResolver else {
+      throw AuthServiceError.multiFactorAuth("No MFA resolver available")
+    }
+
+    guard hintIndex < resolver.hints.count else {
+      throw AuthServiceError.multiFactorAuth("Invalid hint index")
+    }
+
+    let hint = resolver.hints[hintIndex]
+    let assertion: MultiFactorAssertion
+
+    // Create the appropriate assertion based on the hint type
+    if hint.factorID == PhoneMultiFactorID {
+      guard let verificationId = verificationId else {
+        throw AuthServiceError.multiFactorAuth("Verification ID is required for SMS MFA")
+      }
+
+      let credential = PhoneAuthProvider.provider().credential(
+        withVerificationID: verificationId,
+        verificationCode: code
+      )
+      assertion = PhoneMultiFactorGenerator.assertion(with: credential)
+
+    } else if hint.factorID == TOTPMultiFactorID {
+      assertion = TOTPMultiFactorGenerator.assertionForSignIn(
+        withEnrollmentID: hint.uid,
+        oneTimePassword: code
+      )
+
+    } else {
+      throw AuthServiceError.multiFactorAuth("Unsupported MFA hint type")
+    }
+
+    do {
+      let result = try await resolver.resolveSignIn(with: assertion)
+      signedInCredential = result.credential
+      updateAuthenticationState()
+
+      // Clear MFA resolution state
+      currentMFARequired = nil
+      currentMFAResolver = nil
+
+    } catch {
+      throw AuthServiceError
+        .multiFactorAuth("Failed to resolve MFA challenge: \(error.localizedDescription)")
+    }
+  }
 }

FirebaseSwiftUI/FirebaseAuthSwiftUI/Sources/Views/AuthPickerView.swift

@@ -53,6 +53,8 @@ extension AuthPickerView: View {
           switch authService.authView {
           case .mfaEnrollment:
             MFAEnrolmentView()
+          case .mfaManagement:
+            MFAManagementView()
           default:
             SignedInView()
           }
@@ -64,6 +66,8 @@ extension AuthPickerView: View {
             EmailLinkView()
           case .mfaEnrollment:
             MFAEnrolmentView()
+          case .mfaResolution:
+            MFAResolutionView()  
           case .authPicker:
             if authService.emailSignInEnabled {
               Text(authService.authenticationFlow == .signIn ? authService.string