fix(emulator, auth): allow SMS MFA finalization with obfuscated number (#9062)

mikehardy · joehan · web-flow · commit e183833292ca · 2025-09-03T14:31:29.000-07:00
* fix(emulator, auth): allow SMS MFA finalization with obfuscated number

This works in practice against cloud auth but fails on the emulator. The emulator should succeed if cloud auth succeeds

* Update src/emulator/auth/operations.ts

Co-authored-by: Mike Hardy &lt;github@mikehardy.net&gt;

* Fix buggy merge

* Changelog

* format

---------

Co-authored-by: Joe Hanley &lt;joehanley@google.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,5 @@
-- Support auth token JSON in `dataconnect_execute` MPC tool. (#9046)
+- Added support for auth token JSON in `dataconnect_execute` MPC tool. (#9046)
+- Fixed issue where `firebase-ios-sdk` could not finalize MFA with auth emulator. (#9062)
 - Fixed the bugs when MCP tools cannot connect to emulator due to CLI version mis-matched. (#9068)
-- Fix bug when `firebase dataconnect:sdk:generate --watch` swallow all logs. (#9055)
-- Add GA4 agent user property to tag CLI usage by coding agents. (#9070)
+- Fixed a bug where `firebase dataconnect:sdk:generate --watch` swallowed all logs. (#9055)
+- Added GA4 agent user property to tag CLI usage by coding agents. (#9070)
diff --git a/src/emulator/auth/operations.ts b/src/emulator/auth/operations.ts
@@ -2220,9 +2220,23 @@ async function mfaSignInFinalize(
   const phoneNumber = verifyPhoneNumber(state, sessionInfo, code);
 
   let { user, signInProvider } = parsePendingCredential(state, reqBody.mfaPendingCredential);
-  const enrollment = user.mfaInfo?.find(
-    (enrollment) => enrollment.unobfuscatedPhoneInfo === phoneNumber,
-  );
+  const enrollment = user.mfaInfo?.find((enrollment) => {
+    // All but firebase-ios-sdk finalize with unobfuscated phone number.
+    if (enrollment.unobfuscatedPhoneInfo === phoneNumber) {
+      return true;
+    }
+
+    // But firebase-ios-sdk finalizes with an obfuscated number. This works against
+    // cloud auth, so emulator should attempt to find enrollment obfuscated as well.
+    if (
+      !!enrollment.unobfuscatedPhoneInfo &&
+      obfuscatePhoneNumber(enrollment.unobfuscatedPhoneInfo) === phoneNumber
+    ) {
+      return true;
+    }
+
+    return false;
+  });
 
   const { updates, extraClaims } = await fetchBlockingFunction(
     state,
