20

I am using PAW to try and test different cloud functions deployed with Firebase. The app uses phone authentication; however, there is currently little to no documentation on how to accomplish phone number authentication via REST API.

I have whitelisted a phone number for testing as per instructions here.

It appears that what I need to do is call the verifyPhoneNumber method, and I have pieced together that the REST API endpoint I need is in the format:

https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPhoneNumber?key={WEB_API_KEY}

Now where I get stuck is in trying to pass the data that is expected. It looks like this endpoint expects a phoneNumber and an applicationVerifier object. I've pieced this together from the corresponding documentation here.

I try to make a request that looks like:

POST /identitytoolkit/v3/relyingparty/verifyPhoneNumber?key={WEB_API_KEY}
Content-Type: application/json; charset=utf-8
Host: www.googleapis.com
Connection: close
User-Agent: Paw/3.1.7 (Macintosh; OS X/10.13.6) GCDHTTPRequest
Content-Length: 73

{"phoneNumber":"+18035551111","applicationVerifier":{"type":"recaptcha"}}

The response I receive is:

HTTP/1.1 400 Bad Request
Vary: X-Origin
Vary: Referer
Content-Type: application/json; charset=UTF-8
Date: Thu, 13 Sep 2018 16:35:33 GMT
Server: ESF
Cache-Control: private
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: quic=":443"; ma=2592000; v="44,43,39,35"
Accept-Ranges: none
Vary: Origin,Accept-Encoding
Connection: close

{
  "error": {
    "code": 400,
    "message": "MISSING_SESSION_INFO",
    "errors": [
      {
        "message": "MISSING_SESSION_INFO",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}

I'm not sure what I'm doing wrong at this point as I'm running out of documentation and sort of just blindly guessing parameters now. How can I authenticate via white-listed phone number via REST API for testing?

3
  • Did you find any solution for this? Commented May 5, 2019 at 7:28
  • No, I did not. Sorry. Commented May 5, 2019 at 10:53
  • Why do you send "applicationVerifier":{"type":"recaptcha"} as a request value? Where did you find it? I found JavaScript requests and found only the recaptchaToken: parameter there, but can't get it by a script request. Commented Jul 4, 2019 at 15:24

3 Answers

20

After a lot of research (I'm struggling to create automated tests for my "login with phone" flow), I finally found a solution for this, based on @Danut Pralea's answer. Hopefully it will help people in future :)

Considering that your phone number is already whitelisted (as mentioned in the question), the first step would be a call to Firebase to send the verification code:

POST /v1/accounts:sendVerificationCode?key={WEB_API_KEY} HTTP/1.1
Host: identitytoolkit.googleapis.com:443
Content-Type: application/json
Content-Length: 39

{
    "phoneNumber": "{PHONE_NUMBER}"
}

The response will be the sessionInfo, like this:

{
    "sessionInfo": "ALiwoWJhYJgtFav1DKc0yBoTwcjjiyQNu240eDJ76GmlH-2i3RmHAYamaPkx3rjEmOBcgrua5QfLw8Nrn_QwjVPO6N09fYsiWQha0-5o2Jb5Hwqxkw7qwsl6YK0gotZ16HmiwqJkyd-stAXTVU1ZIBUwfrFqZmFY7g"
}

Then, the next step is to log in to Firebase with the code (the same one used in the whitelisting) and the session info:

POST /v1/accounts:signInWithPhoneNumber?key={WEB_API_KEY} HTTP/1.1
Host: identitytoolkit.googleapis.com:443
Content-Type: application/json
Content-Length: 207

{
    "sessionInfo": "ALiwoWJhYJgtFav1DKc0yBoTwcjjiyQNu240eDJ76GmlH-2i3RmHAYamaPkx3rjEmOBcgrua5QfLw8Nrn_QwjVPO6N09fYsiWQha0-5o2Jb5Hwqxkw7qwsl6YK0gotZ16HmiwqJkyd-stAXTVU1ZIBUwfrFqZmFY7g",
    "code": 123456
}

And that's it! Response will be something like:

{
    "idToken": "idToken",
    "refreshToken": "refreshToken",
    "expiresIn": "3600",
    "localId": "localId",
    "isNewUser": false,
    "phoneNumber": "{PHONE_NUMBER}"
}

More info in the official documentation: https://cloud.google.com/identity-platform/docs/reference/rest/v1/accounts
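
The two calls from this answer chained into one test helper, as an added example that is not part of the original answer. The function names, the injectable `post` transport and the environment variable names are assumptions made for illustration; the endpoints and field names are the ones shown above.

```python
import json
import os
import urllib.error
import urllib.request

BASE = "https://identitytoolkit.googleapis.com/v1/accounts"


class FirebaseAuthError(Exception):
    """Carries the server's error message, e.g. MISSING_SESSION_INFO."""


def http_post(url, payload):
    """Default transport: POST JSON, return (status, parsed JSON body)."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 4xx responses still carry a JSON body
        return err.code, json.load(err)


def call(method, api_key, payload, post):
    """Call one accounts:<method> endpoint and surface its error message."""
    status, body = post(f"{BASE}:{method}?key={api_key}", payload)
    if status != 200:
        raise FirebaseAuthError(body.get("error", {}).get("message", str(status)))
    return body


def phone_sign_in(api_key, phone_number, code, post=http_post):
    """Two-step flow for a whitelisted test number; returns the sign-in response."""
    session = call("sendVerificationCode", api_key,
                   {"phoneNumber": phone_number}, post)["sessionInfo"]
    # Sent as a JSON string so a code with a leading zero is not altered.
    return call("signInWithPhoneNumber", api_key,
                {"sessionInfo": session, "code": str(code)}, post)


if __name__ == "__main__":
    # Assumed variable names; keep the key and test credentials out of the source.
    result = phone_sign_in(os.environ["WEB_API_KEY"], os.environ["TEST_PHONE"],
                           os.environ["TEST_CODE"])
    # idToken and refreshToken are bearer credentials: log the user id only.
    print("signed in as", result["localId"])
```

Passing a fake `post` callable lets a test suite exercise the flow, including the `MISSING_SESSION_INFO` error path from the question, without any network access.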


4 Comments

Does Firebase provide an official API for sending a verification code (sendVerificationCode) to mobile?
I want to get the "unobfuscatedPhoneInfo" value in the "signInWithPassword" API in Firebase. Can you help me? Two Factor is enabled for the user.
hmmm I don't think we can bypass the two factor authentication. Anyway I think you should create another question for your issue @ManishVadher adding more details, that way we can help you in a better way :)
5
  1. Create your verification code request (the key is an environment variable)

[Screenshots: send verification code, part 1 and part 2]

  2. (but this is optional) make the session info a Body Response Dynamic Value

  3. Create your verify phone number request

  4. (again, optional) make the idToken also a Body Response Dynamic Value

  5. Use the idToken dynamic value in any other subsequent requests you perform to Firebase

The best part about adding the variables as Body Response Dynamic Values is you can chain them and call them in a sequence.

2 Comments

I still did not understand what the value of sessionInfo is and how do I get it? Also, what tool are you using to generate this?
I'm using PAW, a macOS REST client. The same one the OP uses and also indicated he uses in his question description. sessionInfo is the name of the parameter that Firebase expects for the verifyPhoneNumber call.
2

For the REST API POST, you have to pass the reCAPTCHA token instead of the captcha object you are passing. You can obtain the token in the callback function when you create RecaptchaVerifier:

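        window.recaptchaVerifier = new firebase.auth.RecaptchaVerifier('my_btn', {
            'size': 'invisible',
            'callback': function(response) {
                // reCAPTCHA solved, allow signInWithPhoneNumber.
                // `response` is the reCAPTCHA token to pass in the REST call.
                recaptchaToken = response;
                // ... (rest of the callback elided in the original)
            }
        });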

This article helped me - https://medium.com/@shangyilim/verifying-phone-numbers-with-firebase-phone-authentication-on-your-backend-for-free-7a9bef326d02
