Recaptcha Enterprise integration with phone auth flows

FirebaseAuth/Sources/Swift/Auth/Auth.swift

@@ -2289,7 +2289,7 @@ extension Auth: AuthInterop {
                                             action: AuthRecaptchaAction) async throws -> T
       .Response {
       let recaptchaVerifier = AuthRecaptchaVerifier.shared(auth: self)
-      if recaptchaVerifier.enablementStatus(forProvider: AuthRecaptchaProvider.password) {
+      if recaptchaVerifier.enablementStatus(forProvider: AuthRecaptchaProvider.password) != .off {
         try await recaptchaVerifier.injectRecaptchaFields(request: request,
                                                           provider: AuthRecaptchaProvider.password,
                                                           action: action)

FirebaseAuth/Sources/Swift/AuthProvider/PhoneAuthProvider.swift

@@ -185,7 +185,7 @@ import Foundation
                                 uiDelegate: AuthUIDelegate?,
                                 multiFactorSession: MultiFactorSession? = nil) async throws
       -> String? {
-      guard phoneNumber.count > 0 else {
+      guard !phoneNumber.isEmpty else {
         throw AuthErrorUtils.missingPhoneNumberError(message: nil)
       }
       guard let manager = auth.notificationManager else {
@@ -194,29 +194,63 @@ import Foundation
       guard await manager.checkNotificationForwarding() else {
         throw AuthErrorUtils.notificationNotForwardedError()
       }
-      return try await verifyClAndSendVerificationCode(toPhoneNumber: phoneNumber,
-                                                       retryOnInvalidAppCredential: true,
-                                                       multiFactorSession: multiFactorSession,
-                                                       uiDelegate: uiDelegate)
+
+      let recaptchaVerifier = AuthRecaptchaVerifier.shared(auth: auth)
+      try await recaptchaVerifier.retrieveRecaptchaConfig(forceRefresh: false)
+
+      switch recaptchaVerifier.enablementStatus(forProvider: .phone) {
+      case .off:
+        return try await verifyClAndSendVerificationCode(
+          toPhoneNumber: phoneNumber,
+          retryOnInvalidAppCredential: true,
+          multiFactorSession: multiFactorSession,
+          uiDelegate: uiDelegate
+        )
+      case .audit:
+        return try await verifyClAndSendVerificationCodeWithRecaptcha(
+          toPhoneNumber: phoneNumber,
+          retryOnInvalidAppCredential: true,
+          multiFactorSession: multiFactorSession,
+          uiDelegate: uiDelegate,
+          recaptchaVerifier: recaptchaVerifier
+        )
+      case .enforce:
+        return try await verifyClAndSendVerificationCodeWithRecaptcha(
+          toPhoneNumber: phoneNumber,
+          retryOnInvalidAppCredential: false,
+          multiFactorSession: multiFactorSession,
+          uiDelegate: uiDelegate,
+          recaptchaVerifier: recaptchaVerifier
+        )
+      }
     }
 
-    /// Starts the flow to verify the client via silent push notification.
-    /// - Parameter retryOnInvalidAppCredential: Whether of not the flow should be retried if an
-    ///  AuthErrorCodeInvalidAppCredential error is returned from the backend.
-    /// - Parameter phoneNumber: The phone number to be verified.
-    /// - Parameter callback: The callback to be invoked on the global work queue when the flow is
-    /// finished.
-    private func verifyClAndSendVerificationCode(toPhoneNumber phoneNumber: String,
-                                                 retryOnInvalidAppCredential: Bool,
-                                                 uiDelegate: AuthUIDelegate?) async throws
+    /// Initiates the verification flow by sending a verification code with reCAPTCHA protection to
+    /// the provided phone number.
+    /// - Parameters:
+    ///   - phoneNumber: The phone number to which the verification code should be sent.
+    ///   - retryOnInvalidAppCredential: A boolean indicating whether to retry the flow if an
+    /// AuthErrorCodeInvalidAppCredential error occurs.
+    ///   - uiDelegate: An optional delegate for handling UI events during the verification process.
+    ///   - recaptchaVerifier: An instance of `AuthRecaptchaVerifier` to inject reCAPTCHA fields
+    /// into the request.
+    /// - Returns: A string containing the verification ID if the request is successful; otherwise,
+    /// handles the error and returns nil.
+    private func verifyClAndSendVerificationCodeWithRecaptcha(toPhoneNumber phoneNumber: String,
+                                                              retryOnInvalidAppCredential: Bool,
+                                                              uiDelegate: AuthUIDelegate?,
+                                                              recaptchaVerifier: AuthRecaptchaVerifier) async throws
       -> String? {
-      let codeIdentity = try await verifyClient(withUIDelegate: uiDelegate)
       let request = SendVerificationCodeRequest(phoneNumber: phoneNumber,
-                                                codeIdentity: codeIdentity,
+                                                codeIdentity: CodeIdentity.empty,
                                                 requestConfiguration: auth
                                                   .requestConfiguration)
-
       do {
+        try await recaptchaVerifier.injectRecaptchaFields(
+          request: request,
+          provider: .phone,
+          action: .sendVerificationCode
+        )
         let response = try await AuthBackend.call(with: request)
         return response.verificationID
       } catch {
@@ -228,23 +262,136 @@ import Foundation
       }
     }
 
-    /// Starts the flow to verify the client via silent push notification.
-    /// - Parameter retryOnInvalidAppCredential: Whether of not the flow should be retried if an
-    /// AuthErrorCodeInvalidAppCredential error is returned from the backend.
-    /// - Parameter phoneNumber: The phone number to be verified.
+    /// Initiates the verification flow by sending a verification code to the provided phone number
+    /// using a silent push notification.
+    /// - Parameters:
+    ///   - phoneNumber: The phone number to which the verification code should be sent.
+    ///   - retryOnInvalidAppCredential: A boolean indicating whether to retry the flow if an
+    /// AuthErrorCodeInvalidAppCredential error occurs.
+    ///   - uiDelegate: An optional delegate for handling UI events during the verification process.
+    /// - Returns: A string containing the verification ID if the request is successful; otherwise,
+    /// handles the error and returns nil.
     private func verifyClAndSendVerificationCode(toPhoneNumber phoneNumber: String,
                                                  retryOnInvalidAppCredential: Bool,
-                                                 multiFactorSession session: MultiFactorSession?,
                                                  uiDelegate: AuthUIDelegate?) async throws
       -> String? {
+      let codeIdentity = try await verifyClient(withUIDelegate: uiDelegate)
+      let request = SendVerificationCodeRequest(phoneNumber: phoneNumber,
+                                                codeIdentity: codeIdentity,
+                                                requestConfiguration: auth
+                                                  .requestConfiguration)
+      do {
+        let response = try await AuthBackend.call(with: request)
+        return response.verificationID
+      } catch {
+        return try await handleVerifyErrorWithRetry(
+          error: error,
+          phoneNumber: phoneNumber,
+          retryOnInvalidAppCredential: retryOnInvalidAppCredential,
+          multiFactorSession: nil,
+          uiDelegate: uiDelegate
+        )
+      }
+    }
+
+    /// Initiates the verification flow by sending a verification code with reCAPTCHA protection,
+    /// optionally considering a multi-factor session.
+    /// - Parameters:
+    ///   - phoneNumber: The phone number to which the verification code should be sent.
+    ///   - retryOnInvalidAppCredential: A boolean indicating whether to retry the flow if an
+    /// AuthErrorCodeInvalidAppCredential error occurs.
+    ///   - session: An optional `MultiFactorSession` instance to include in the verification flow
+    /// for multi-factor authentication.
+    ///   - uiDelegate: An optional delegate for handling UI events during the verification process.
+    ///   - recaptchaVerifier: An instance of `AuthRecaptchaVerifier` to inject reCAPTCHA fields
+    /// into the request.
+    /// - Returns: A string containing the verification ID or session info if the request is
+    /// successful; otherwise, handles the error and returns nil.
+    private func verifyClAndSendVerificationCodeWithRecaptcha(toPhoneNumber phoneNumber: String,
+                                                              retryOnInvalidAppCredential: Bool,
+                                                              multiFactorSession session: MultiFactorSession?,
+                                                              uiDelegate: AuthUIDelegate?,
+                                                              recaptchaVerifier: AuthRecaptchaVerifier) async throws
+      -> String? {
       if let settings = auth.settings,
          settings.isAppVerificationDisabledForTesting {
         let request = SendVerificationCodeRequest(
           phoneNumber: phoneNumber,
           codeIdentity: CodeIdentity.empty,
           requestConfiguration: auth.requestConfiguration
         )
+        let response = try await AuthBackend.call(with: request)
+        return response.verificationID
+      }
+      guard let session else {
+        return try await verifyClAndSendVerificationCodeWithRecaptcha(
+          toPhoneNumber: phoneNumber,
+          retryOnInvalidAppCredential: retryOnInvalidAppCredential,
+          uiDelegate: uiDelegate,
+          recaptchaVerifier: recaptchaVerifier
+        )
+      }
+      let startMFARequestInfo = AuthProtoStartMFAPhoneRequestInfo(phoneNumber: phoneNumber,
+                                                                  codeIdentity: CodeIdentity.empty)
+      do {
+        if let idToken = session.idToken {
+          let request = StartMFAEnrollmentRequest(idToken: idToken,
+                                                  enrollmentInfo: startMFARequestInfo,
+                                                  requestConfiguration: auth.requestConfiguration)
+          try await recaptchaVerifier.injectRecaptchaFields(
+            request: request,
+            provider: .phone,
+            action: .startMfaEnrollment
+          )
+          let response = try await AuthBackend.call(with: request)
+          return response.phoneSessionInfo?.sessionInfo
+        } else {
+          let request = StartMFASignInRequest(MFAPendingCredential: session.mfaPendingCredential,
+                                              MFAEnrollmentID: session.multiFactorInfo?.uid,
+                                              signInInfo: startMFARequestInfo,
+                                              requestConfiguration: auth.requestConfiguration)
+          try await recaptchaVerifier.injectRecaptchaFields(
+            request: request,
+            provider: .phone,
+            action: .startMfaSignin
+          )
+          let response = try await AuthBackend.call(with: request)
+          return response.responseInfo?.sessionInfo
+        }
+      } catch {
+        return try await handleVerifyErrorWithRetry(
+          error: error,
+          phoneNumber: phoneNumber,
+          retryOnInvalidAppCredential: retryOnInvalidAppCredential,
+          multiFactorSession: session,
+          uiDelegate: uiDelegate
+        )
+      }
+    }
 
+    /// Initiates the verification flow by sending a verification code, optionally considering a
+    /// multi-factor session using silent push notification.
+    /// - Parameters:
+    ///   - phoneNumber: The phone number to which the verification code should be sent.
+    ///   - retryOnInvalidAppCredential: A boolean indicating whether to retry the flow if an
+    /// AuthErrorCodeInvalidAppCredential error occurs.
+    ///   - session: An optional `MultiFactorSession` instance to include in the verification flow
+    /// for multi-factor authentication.
+    ///   - uiDelegate: An optional delegate for handling UI events during the verification process.
+    /// - Returns: A string containing the verification ID or session info if the request is
+    /// successful; otherwise, handles the error and returns nil.
+    private func verifyClAndSendVerificationCode(toPhoneNumber phoneNumber: String,
+                                                 retryOnInvalidAppCredential: Bool,
+                                                 multiFactorSession session: MultiFactorSession?,
+                                                 uiDelegate: AuthUIDelegate?) async throws
+      -> String? {
+      if let settings = auth.settings,
+         settings.isAppVerificationDisabledForTesting {
+        let request = SendVerificationCodeRequest(
+          phoneNumber: phoneNumber,
+          codeIdentity: CodeIdentity.empty,
+          requestConfiguration: auth.requestConfiguration
+        )
         let response = try await AuthBackend.call(with: request)
         return response.verificationID
       }
@@ -477,8 +624,9 @@ import Foundation
     private let auth: Auth
     private let callbackScheme: String
     private let usingClientIDScheme: Bool
+    private var recaptchaVerifier: AuthRecaptchaVerifier?
 
-    init(auth: Auth) {
+    init(auth: Auth, recaptchaVerifier: AuthRecaptchaVerifier? = nil) {
       self.auth = auth
       if let clientID = auth.app?.options.clientID {
         let reverseClientIDScheme = clientID.components(separatedBy: ".").reversed()
@@ -497,6 +645,7 @@ import Foundation
         return
       }
       callbackScheme = ""
+      self.recaptchaVerifier = AuthRecaptchaVerifier.shared(auth: auth)
     }
 
     private let kAuthTypeVerifyApp = "verifyApp"

FirebaseAuth/Sources/Swift/Backend/RPC/SendVerificationTokenRequest.swift

@@ -29,6 +29,15 @@ private let kSecretKey = "iosSecret"
 /// The key for the reCAPTCHAToken parameter in the request.
 private let kreCAPTCHATokenKey = "recaptchaToken"
 
+/// The key for the "clientType" value in the request.
+private let kClientType = "clientType"
+
+/// The key for the "captchaResponse" value in the request.
+private let kCaptchaResponseKey = "captchaResponse"
+
+/// The key for the "recaptchaVersion" value in the request.
+private let kRecaptchaVersion = "recaptchaVersion"
+
 /// The key for the tenant id value in the request.
 private let kTenantIDKey = "tenantId"
 
@@ -50,6 +59,12 @@ class SendVerificationCodeRequest: IdentityToolkitRequest, AuthRPCRequest {
   /// verification code.
   let codeIdentity: CodeIdentity
 
+  /// Response to the captcha.
+  var captchaResponse: String?
+
+  /// The reCAPTCHA version.
+  var recaptchaVersion: String?
+
   init(phoneNumber: String, codeIdentity: CodeIdentity,
        requestConfiguration: AuthRequestConfiguration) {
     self.phoneNumber = phoneNumber
@@ -71,10 +86,21 @@ class SendVerificationCodeRequest: IdentityToolkitRequest, AuthRPCRequest {
       postBody[kreCAPTCHATokenKey] = reCAPTCHAToken
     case .empty: break
     }
-
+    if let captchaResponse {
+      postBody[kCaptchaResponseKey] = captchaResponse
+    }
+    if let recaptchaVersion {
+      postBody[kRecaptchaVersion] = recaptchaVersion
+    }
     if let tenantID {
       postBody[kTenantIDKey] = tenantID
     }
+    postBody[kClientType] = clientType
     return postBody
   }
+
+  func injectRecaptchaFields(recaptchaResponse: String?, recaptchaVersion: String) {
+    captchaResponse = recaptchaResponse
+    self.recaptchaVersion = recaptchaVersion
+  }
 }