Description
Is there an existing issue for this?
- I have searched the existing issues.
Which plugins are affected?
Auth
Which platforms are affected?
Web
Description
#3817.
Title: [firebase_auth/web] Persistent auth/error-code:-39 (503 Service Unavailable) with Phone Auth on Blaze Plan (Real Numbers Only)
Description:
We are encountering a persistent issue with Firebase Phone Authentication (`signInWithPhoneNumber`) in our Nuxt.js web application hosted on Firebase Hosting (`rdmercana.web.app`).
Expected behavior:
Successfully send SMS verification codes to real phone numbers using `signInWithPhoneNumber`.
Actual behavior:
When attempting to send a verification code to any real phone number, the process fails immediately. We observe the following errors:
- In the web application UI/console: `FirebaseError: Error (auth/error-code:-39)`
- In the browser's network tab: A `POST` request to `https://identitytoolkit.googleapis.com/v1/accounts:sendVerificationCode?key=...` fails with a `503 (Service Unavailable)` status code.
Importantly, this issue does not occur when using the test phone numbers configured within the Firebase Authentication settings. Test numbers work correctly.
Our Firebase project is on the Blaze (Pay-as-you-go) plan.
Troubleshooting Steps Taken:
- Verified that the Identity Platform API is enabled in the linked Google Cloud project.
- Verified that the web app's domain (`rdmercana.web.app`) and `localhost` are included in the Authorized Domains list in Firebase Auth settings.
- Verified the API Key restrictions in Google Cloud Console:
  - HTTP referrers include `rdmercana.web.app/*` and relevant `localhost` entries.
  - API restrictions allow the Identity Platform API (or keys are unrestricted).
- Verified the Firebase configuration details (`apiKey`, `authDomain`, `projectId`) in our Nuxt.js application are correct.
- Disabled reCAPTCHA Account Defender in the Google Cloud Console (the issue persisted).
- Confirmed test phone numbers work correctly.
- Waited over 24 hours to allow potential temporary anti-abuse blocks or rate limits to expire, but the issue persists for real numbers.
Hypothesis:
Given that test numbers function correctly and we are on the Blaze plan, the issue seems related to Firebase's anti-abuse or security mechanisms specifically affecting SMS delivery to real numbers for our project. It might be a persistent block or limit that hasn't cleared automatically, as suggested in similar issues like #3817.
We require assistance in diagnosing why real numbers are consistently failing with `auth/error-code:-39` / `503` despite the correct configuration and Blaze plan status. Is there a way to investigate potential blocks or gain more insight into the specific reason for the failure?
Environment:
- Platform: Web
- Framework: Nuxt.js
- Firebase SDK Version: [Please add your firebase JS SDK version here,firebase": "^10.13.1"]
Reproducing the issue
Steps to reproduce:
- Set up Firebase Phone Authentication in a web project (using Firebase JS SDK v[Your Firebase JS SDK Version]).
- Ensure the project is on the Blaze plan, Identity Platform API is enabled, the domain is authorized, and API key restrictions are correctly configured (allow Identity Platform and HTTP referrers). Ensure Account Defender is disabled.
- Use a component similar to the one described below to implement the phone sign-in flow using `signInWithPhoneNumber` and an invisible `RecaptchaVerifier`.
- Deploy the application (e.g., to Firebase Hosting).
- Attempt to sign in using a configured test phone number: Enter the test number and trigger the `signInWithPhoneNumber` function.
  - Expected: The invisible reCAPTCHA should pass, and the function should resolve successfully, proceeding to the code verification step.
  - Actual: This works correctly as expected.
- Attempt to sign in using a real phone number (e.g., +1829xxxxxxx): Enter a valid, real phone number and trigger the `signInWithPhoneNumber` function.
  - Expected: The invisible reCAPTCHA should pass, the SMS code should be sent, and the function should resolve successfully.
  - Actual: The `signInWithPhoneNumber` function fails almost immediately. The browser console shows `FirebaseError: Error (auth/error-code:-39)`, and the network request to `identitytoolkit.googleapis.com/.../accounts:sendVerificationCode` shows a `503 Service Unavailable` error. This happens consistently for real numbers despite waiting periods.
Relevant Code Snippet (Simplified Logic from our `LoginPhone.vue`):

```javascript
import { getAuth, RecaptchaVerifier, signInWithPhoneNumber } from 'firebase/auth';
import { ref, onMounted } from 'vue'; // auto-imported in Nuxt 3; explicit here for clarity
// ... other imports and setup ...

const auth = getAuth(); // Assuming $auth is initialized getAuth() result
const phoneNumber = ref('+1...'); // User input for real phone number
const recaptchaVerifier = ref(null);
const confirmationResult = ref(null);
const loading = ref(false);
const errorMessage = ref('');

onMounted(() => {
  // Invisible reCAPTCHA bound to <div id="recaptcha-container"></div>
  recaptchaVerifier.value = new RecaptchaVerifier(auth, 'recaptcha-container', {
    size: 'invisible',
    callback: (response) => { console.log('reCAPTCHA verified'); },
    'expired-callback': () => { errorMessage.value = 'reCAPTCHA expired'; }
  });
  recaptchaVerifier.value.render().catch(err => console.error("Recaptcha render error:", err));
});

async function sendVerificationCode() {
  loading.value = true;
  errorMessage.value = '';
  try {
    // This is the call that fails for REAL numbers with error -39 / 503
    confirmationResult.value = await signInWithPhoneNumber(auth, phoneNumber.value, recaptchaVerifier.value);
    // Proceeds to verification step (only reached for test numbers)
    console.log('Confirmation result received:', confirmationResult.value);
  } catch (error) {
    console.error('Error sending verification code:', error); // Logs the auth/error-code:-39
    errorMessage.value = `Error: ${error.message}`;
  } finally {
    loading.value = false;
  }
}

// Template would include an input for phoneNumber, a button calling sendVerificationCode,
// and the <div id="recaptcha-container"></div>
```
**Note:** Replace `[Your Firebase JS SDK Version]` with the version you found in your `package.json`. This text describes the steps and gives context about the code, which should be useful for the Firebase team.
### Firebase Core version
10.13.1
### Flutter Version
000
### Relevant Log Output
```shell
Enviando código de verificación SMS... HjfGGP5v.js:6
POST https://identitytoolkit.googleapis.com/v1/accounts:sendVerificationCode?key=[YOUR_API_KEY] 503 (Service Unavailable) QvmcPS5y.js:522
Error durante el proceso de envío de código: FirebaseError: Firebase: Error (auth/error-code:-39). HjfGGP5v.js:6
at hd (QvmcPS5y.js:417:758)
at wn (QvmcPS5y.js:417:30)
at Tw (QvmcPS5y.js:522:1233)
at async kO (QvmcPS5y.js:1467:1046)
at async jU (QvmcPS5y.js:1467:251)
at async E (HjfGGP5v.js:6:7808)
reCAPTCHA v2 (Firebase Auth) reseteado. HjfGGP5v.js:6
```
Flutter dependencies
Replace this line with the contents of your `flutter pub deps -- --style=compact`.
Additional context and comments
- The application is built using Nuxt.js (v3) and deployed to Firebase Hosting.
- The issue appears similar to reports in "[firebase auth] Error code 39 (QuotaExceeded) message is too vague, shows on blaze plan" (#3817), where `auth/error-code:-39` relates to anti-abuse limits rather than billing quotas, even on the Blaze plan.
- The core problem is the discrepancy: test numbers work flawlessly, while all real numbers consistently fail with the 503 / error -39, suggesting a specific block or issue with the real number SMS verification path for this project.
- All standard configuration checks (API enablement, authorized domains, API key restrictions, Firebase config object) have been performed multiple times and appear correct. reCAPTCHA Account Defender was temporarily disabled with no change in behavior. A waiting period of over 24 hours did not resolve the issue.
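
One way to stop the sign-in UI from re-sending while the backend is refusing real numbers, as an added example that is not part of the original issue or of the Firebase SDK. It assumes `error.code` carries the `auth/error-code:-39` string shown in the log above; `parseAuthErrorCode`, `createGuardedSender` and the 60-second starting cooldown are hypothetical.

```javascript
// Added example: all names and the cooldown value are assumptions, not SDK API.
const COOLDOWN_MS = 60_000; // assumed starting cooldown, doubled per consecutive -39

// Extract the numeric code from strings such as "auth/error-code:-39".
// Returns null for named codes (e.g. "auth/invalid-phone-number") or missing input.
function parseAuthErrorCode(error) {
  const m = /^auth\/error-code:(-?\d+)$/.exec(String(error && error.code));
  return m ? Number(m[1]) : null;
}

// Wrap a send function (for instance a closure over signInWithPhoneNumber) so
// that after a -39 failure further attempts are refused locally, without a
// network request, until the cooldown has elapsed.
function createGuardedSender(send, now = Date.now) {
  let blockedUntil = 0;
  let strikes = 0;
  return async function guardedSend(phoneNumber) {
    const t = now();
    if (t < blockedUntil) {
      return { ok: false, reason: 'cooldown', retryInMs: blockedUntil - t };
    }
    try {
      const result = await send(phoneNumber);
      strikes = 0; // a success clears the backoff
      return { ok: true, result };
    } catch (error) {
      if (parseAuthErrorCode(error) === -39) {
        strikes += 1;
        const wait = COOLDOWN_MS * 2 ** (strikes - 1);
        blockedUntil = now() + wait;
        return { ok: false, reason: 'backend-refused', retryInMs: wait };
      }
      throw error; // every other error is left to the caller's existing handling
    }
  };
}
```

In the component above, `send` would be `(n) => signInWithPhoneNumber(auth, n, recaptchaVerifier.value)`, and the `retryInMs` value can drive a disabled state on the send button.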