🐛 [firebase_auth] MFA enabled user calls reauthenticateWithCredential method throws FirebaseAuthException. #9402

Closed
htsuruo opened this issue Aug 23, 2022 · 4 comments · Fixed by #9700
Labels
platform: android Issues / PRs which are specifically for Android. plugin: auth resolution: fixed A fix has been merged or is pending merge from a PR. type: bug Something isn't working

htsuruo commented Aug 23, 2022

Bug report

Describe the bug
When an MFA-enabled user calls the reauthenticateWithCredential method, it throws FirebaseAuthException with the error code second-factor-required.

Steps to reproduce

Steps to reproduce the behavior:

  1. Enroll MFA with enroll method
  2. Try a sensitive operation that requires recent authentication.
    • example: try to unenroll MFA, change the password, etc.
  3. If you then try to reauthenticate with the reauthenticateWithCredential method because recent authentication is required, it throws FirebaseException.

Expected behavior

It should throw FirebaseAuthMultiFactorException.
We need MultiFactorResolver for verifying the phone number, but FirebaseException does not have it.
Also, if you try to sign in (not reauthenticate) as an MFA user by calling the enroll method in the MultiFactor class, it throws FirebaseAuthMultiFactorException.
Therefore, reauthentication should behave the same as enroll.



Flutter doctor

Run flutter doctor and paste the output below:

Doctor summary (to see all details, run flutter doctor -v):
[✓] Flutter (Channel stable, 3.0.5, on macOS 12.5 21G72 darwin-arm, locale ja-JP)
[✓] Android toolchain - develop for Android devices (Android SDK version 31.0.0)
[✓] Xcode - develop for iOS and macOS (Xcode 13.4.1)
[✓] Chrome - develop for the web
[✓] Android Studio (version 2021.2)
[✓] VS Code (version 1.70.0)
[✓] Connected device (4 available)
    ! Error: iPhone has recently restarted. Xcode will continue when iPhone is unlocked. (code -14)
[✓] HTTP Host Availability

• No issues found!

Flutter dependencies

Run flutter pub deps -- --style=compact and paste the output below:

Dart SDK 2.17.6
Flutter SDK 3.0.5
flutter_firebase_mfa 1.0.0+1

dependencies:
- adaptive_dialog 1.8.0 [animations collection dynamic_color flutter intersperse macos_ui meta]
- collection 1.16.0
- cupertino_icons 1.0.5
- firebase_auth 3.6.3 [firebase_auth_platform_interface firebase_auth_web firebase_core firebase_core_platform_interface flutter meta]
- firebase_core 1.20.1 [firebase_core_platform_interface firebase_core_web flutter meta]
- flutter 0.0.0 [characters collection material_color_utilities meta vector_math sky_engine]
- flutter_dotenv 5.0.2 [flutter]
- flutter_riverpod 2.0.0-dev.9 [collection flutter meta riverpod state_notifier]
- flutter_signin_button 2.0.0 [flutter font_awesome_flutter]
- gap 2.0.0 [flutter]
- go_router 4.2.7 [collection flutter flutter_web_plugins logging meta]
- google_sign_in 5.4.1 [flutter google_sign_in_android google_sign_in_ios google_sign_in_platform_interface google_sign_in_web]
- simple_logger 1.9.0 [logging stack_trace]
- touch_indicator 2.0.0 [flutter]
- tsuruo_kit 0.0.10 [cloud_firestore collection flutter flutter_riverpod flutter_web_plugins rxdart]

dev dependencies:
- flutter_test 0.0.0 [flutter test_api path fake_async clock stack_trace vector_math async boolean_selector characters charcode collection matcher material_color_utilities meta source_span stream_channel string_scanner term_glyph]
- pedantic_mono 1.19.2 [flutter_lints]

transitive dependencies:
- animations 2.0.3 [flutter]
- async 2.8.2 [collection meta]
- boolean_selector 2.1.0 [source_span string_scanner]
- characters 1.2.0
- charcode 1.3.1
- clock 1.1.0
- cloud_firestore 3.4.4 [cloud_firestore_platform_interface cloud_firestore_web collection firebase_core firebase_core_platform_interface flutter meta]
- cloud_firestore_platform_interface 5.7.1 [collection firebase_core flutter meta plugin_platform_interface]
- cloud_firestore_web 2.8.4 [cloud_firestore_platform_interface collection firebase_core firebase_core_web flutter flutter_web_plugins js]
- dynamic_color 1.4.0 [flutter flutter_test material_color_utilities]
- fake_async 1.3.0 [clock collection]
- firebase_auth_platform_interface 6.5.3 [collection firebase_core flutter meta plugin_platform_interface]
- firebase_auth_web 4.2.3 [firebase_auth_platform_interface firebase_core firebase_core_web flutter flutter_web_plugins http_parser intl js meta]
- firebase_core_platform_interface 4.5.0 [collection flutter flutter_test meta plugin_platform_interface]
- firebase_core_web 1.7.1 [firebase_core_platform_interface flutter flutter_web_plugins js meta]
- flutter_lints 2.0.1 [lints]
- flutter_web_plugins 0.0.0 [flutter js characters collection material_color_utilities meta vector_math]
- font_awesome_flutter 9.2.0 [flutter]
- google_sign_in_android 6.0.1 [flutter google_sign_in_platform_interface]
- google_sign_in_ios 5.4.0 [flutter google_sign_in_platform_interface]
- google_sign_in_platform_interface 2.2.0 [flutter quiver]
- google_sign_in_web 0.10.2 [flutter flutter_web_plugins google_sign_in_platform_interface js]
- http_parser 4.0.1 [collection source_span string_scanner typed_data]
- intersperse 2.0.0
- intl 0.17.0 [clock path]
- js 0.6.4
- lints 2.0.0
- logging 1.0.2
- macos_ui 1.7.1 [flutter]
- matcher 0.12.11 [stack_trace]
- material_color_utilities 0.1.4
- meta 1.7.0
- path 1.8.1
- plugin_platform_interface 2.1.2 [meta]
- quiver 3.1.0 [matcher]
- riverpod 2.0.0-dev.9 [collection meta stack_trace state_notifier]
- rxdart 0.27.5
- sky_engine 0.0.99
- source_span 1.8.2 [collection path term_glyph]
- stack_trace 1.10.0 [path]
- state_notifier 0.7.2+1 [meta]
- stream_channel 2.1.0 [async]
- string_scanner 1.1.0 [charcode source_span]
- term_glyph 1.2.0
- test_api 0.4.9 [async boolean_selector collection meta source_span stack_trace stream_channel string_scanner term_glyph matcher]
- typed_data 1.3.1 [collection]
- vector_math 2.1.2

@htsuruo htsuruo added Needs Attention This issue needs maintainer attention. type: bug Something isn't working labels Aug 23, 2022
@darshankawar darshankawar added the triage Issue is currently being triaged. label Aug 23, 2022
@darshankawar

Thanks for the report. I am seeing the same behavior as reported, i.e., getting a FirebaseAuthException with code second-factor-required.

@darshankawar darshankawar added plugin: auth platform: android Issues / PRs which are specifically for Android. and removed Needs Attention This issue needs maintainer attention. triage Issue is currently being triaged. labels Aug 23, 2022
@davidmigloz

Any updates? This bug basically prevents any user with 2FA enabled from changing his password, updating his email, modifying 2FA factors, etc.

@davidmigloz

The bug also affects iOS and web, not only Android (I haven't tested desktop).

@Lyokone
Contributor

Lyokone commented Oct 10, 2022

Hello, thanks for the report, I'm looking into this.

@Lyokone Lyokone self-assigned this Oct 10, 2022
@darshankawar darshankawar added the resolution: fixed A fix has been merged or is pending merge from a PR. label Oct 31, 2022
@firebase firebase locked and limited conversation to collaborators Nov 24, 2022
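
Added example, not code from the issue or from the firebase_auth project: how a caller would complete the second factor during reauthentication once the exception carries a MultiFactorResolver, as the report requests, and how it fails closed on the behaviour reported here. The function name reauthenticateWithMfa and the askSmsCode callback are hypothetical, and it assumes the resolver completes a reauthentication the same way it completes a sign-in.

```dart
import 'dart:async';
import 'package:firebase_auth/firebase_auth.dart';

// askSmsCode is a hypothetical app-supplied prompt (null means cancelled).
Future<void> reauthenticateWithMfa(
  AuthCredential firstFactor,
  Future<String?> Function(String phoneNumber) askSmsCode,
) async {
  final user = FirebaseAuth.instance.currentUser!;
  try {
    await user.reauthenticateWithCredential(firstFactor);
  } on FirebaseAuthMultiFactorException catch (e) {
    // Requested behaviour: the exception carries a MultiFactorResolver.
    final hint = e.resolver.hints.first;
    if (hint is! PhoneMultiFactorInfo) rethrow;
    final done = Completer<void>(); // bridges the callbacks back to the caller
    await FirebaseAuth.instance.verifyPhoneNumber(
      multiFactorSession: e.resolver.session,
      multiFactorInfo: hint,
      verificationCompleted: (_) {},
      verificationFailed: (error) => done.completeError(error),
      codeSent: (verificationId, _) async {
        try {
          final code = await askSmsCode(hint.phoneNumber);
          if (code == null) throw StateError('second factor cancelled');
          final assertion = PhoneMultiFactorGenerator.getAssertion(
            PhoneAuthProvider.credential(
                verificationId: verificationId, smsCode: code),
          );
          // Assumption: resolveSignIn also completes a reauthentication.
          await e.resolver.resolveSignIn(assertion);
          done.complete();
        } catch (err, st) {
          done.completeError(err, st);
        }
      },
      codeAutoRetrievalTimeout: (_) {},
    );
    await done.future;
  } on FirebaseAuthException catch (e) {
    // Reported behaviour: second-factor-required with no resolver. Fail closed.
    if (e.code == 'second-factor-required') {
      throw StateError('second factor required but no resolver was provided');
    }
    rethrow;
  }
}
```

The multi-factor catch clause comes first because FirebaseAuthMultiFactorException is a subtype of FirebaseAuthException; in the opposite order the resolver branch would never run.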