admin/auth/updateUser for MFA not working

Question

admin/auth/updateUser for MFA not working

zabakala opened this issue 10 months ago · comments

Hello. Discovered the following issue using firebase admin v10. I can successfully enroll a user for the MFA process by calling admin.auth().updateUser(...) with multiFactor/enrolledFactors provided. But removing enrolled factors is not successful (https://firebase.google.com/docs/auth/admin/manage-mfa-users):

admin.auth().updateUser({
  uid: '123456789',
  multiFactor: {
    enrolledFactors: null,
  },
})
.then((userRecord) => {
  console.log(userRecord.multiFactor);
})
.catch((error) => {
  console.log(error);
});

The factors remain in DB. I can see the same discussed for Golang as well here https://github.com/firebase/firebase-admin-go/pull/530/files.

Google Open Source Bot · Answer 1 · Fri Aug 18 2023 13:20:27 GMT+0800 (China Standard Time)

I found a few problems with this issue:

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
This issue does not seem to follow the issue template. Make sure you provide all the required information.

pragatimodi · Answer 2 · Wed Aug 23 2023 05:19:34 GMT+0800 (China Standard Time)

Hi, thanks for reporting this issue. Please use an empty array to update the MFA config for now while we fix this.

admin.auth().updateUser(uid: '123456789', {
  multiFactor: {
    enrolledFactors: [],
  },
})
.then((userRecord) => {
  console.log(userRecord.multiFactor);
})
.catch((error) => {
  console.log(error);
});

MrGrenouille · Answer 3 · Wed Aug 23 2023 14:58:27 GMT+0800 (China Standard Time)

I tried with an empty array, but without success as well.

pragatimodi · Answer 4 · Thu Aug 24 2023 00:32:50 GMT+0800 (China Standard Time)

Is UID being entered as a method param in your code? I think the documentation needs to be amended.

MrGrenouille · Answer 5 · Thu Aug 24 2023 03:32:17 GMT+0800 (China Standard Time)

Yes, it is shaped like this #2285 (comment) , but be it null or an empty array [] for the enrolledFactors body part, it keeps having the previously assigned payload, i.e it does not get reset. The request linked above works as it successfully updates enrolledFactors but any attempt to reset them retains previous data.

pragatimodi · Answer 6 · Tue Aug 29 2023 01:07:20 GMT+0800 (China Standard Time)

Is uid entered as a method param rather than the UpdateRequest body?

MrGrenouille · Answer 7 · Tue Aug 29 2023 21:23:12 GMT+0800 (China Standard Time)

yes , there is also an attempt to enter it as a param.

pragatimodi · Answer 8 · Thu Sep 07 2023 01:49:25 GMT+0800 (China Standard Time)

@zabakala I am unable to reproduce this issue, please feel free to provide more details you think may be useful to repro this.
Also consider filing a bug report through https://firebase.google.com/support so we can track this issue internally.