refactor: add phone auth reauth and move reauth out of authservice

Author: russellwheatley

FirebaseSwiftUI/FirebaseAuthSwiftUI/Sources/AuthServiceError.swift

@@ -73,6 +73,7 @@ public enum AuthServiceError: LocalizedError {
   case clientIdNotFound(String)
   case notConfiguredActionCodeSettings(String)
   case reauthenticationRequired(String)
+  case phoneReauthenticationRequired(phoneNumber: String)
   case invalidCredentials(String)
   case signInFailed(underlying: Error)
   case accountConflict(AccountConflictContext)
@@ -94,6 +95,8 @@ public enum AuthServiceError: LocalizedError {
       return description
     case let .reauthenticationRequired(description):
       return description
+    case let .phoneReauthenticationRequired(phoneNumber):
+      return "Phone reauthentication required for \(phoneNumber)"
     case let .invalidCredentials(description):
       return description
     // Use when failed to sign-in with Firebase

FirebaseSwiftUI/FirebaseAuthSwiftUI/Sources/Services/AuthService.swift

@@ -301,19 +301,15 @@ public extension AuthService {
       throw AuthServiceError.noCurrentUser
     }
 
-    try await withReauthenticationIfNeeded(on: user) {
-      try await user.delete()
-    }
+    try await user.delete()
   }
 
   func updatePassword(to password: String) async throws {
     guard let user = auth.currentUser else {
       throw AuthServiceError.noCurrentUser
     }
 
-    try await withReauthenticationIfNeeded(on: user) {
-      try await user.updatePassword(to: password)
-    }
+    try await user.updatePassword(to: password)
   }
 }
 
@@ -708,44 +704,18 @@ public extension AuthService {
     }
 
     // Complete the enrollment
-    try await withReauthenticationIfNeeded(on: user) {
-      try await user.multiFactor.enroll(with: assertion, displayName: displayName)
-    }
+    try await user.multiFactor.enroll(with: assertion, displayName: displayName)
     currentUser = auth.currentUser
   }
 
-  /// Gets the provider ID that was used for the current sign-in session
-  private func getCurrentSignInProvider() async throws -> String {
+  /// Reauthenticates the current user with their sign-in provider
+  /// - Throws: `AuthServiceError.phoneReauthenticationRequired` for phone auth users
+  /// - Throws: `AuthServiceError.providerNotFound` if provider is not configured
+  func reauthenticate() async throws {
     guard let user = currentUser else {
       throw AuthServiceError.noCurrentUser
     }
 
-    // Get the ID token result which contains the signInProvider claim
-    let tokenResult = try await user.getIDTokenResult(forcingRefresh: false)
-
-    // The signInProvider property tells us which provider was used for this session
-    let signInProvider = tokenResult.signInProvider
-
-    // If signInProvider is not empty, use it
-    if !signInProvider.isEmpty {
-      return signInProvider
-    }
-
-    // Fallback: if signInProvider is empty, try to infer from providerData
-    // Prefer non-password providers as they're more specific
-    let providerId = user.providerData.first(where: { $0.providerID != "password" })?.providerID
-      ?? user.providerData.first?.providerID
-
-    guard let providerId = providerId else {
-      throw AuthServiceError.reauthenticationRequired(
-        "Unable to determine sign-in provider for reauthentication"
-      )
-    }
-
-    return providerId
-  }
-
-  func reauthenticateCurrentUser(on user: User) async throws {
     // Get the provider from the token instead of stored credential
     let providerId = try await getCurrentSignInProvider()
 
@@ -761,36 +731,52 @@ public extension AuthService {
       }
 
       let credential = try await emailProvider.createReauthCredential(email: email)
-      _ = try await user.reauthenticate(with: credential)
+      try await user.reauthenticate(with: credential)
     } else if providerId == PhoneAuthProviderID {
-      // Phone auth requires manual reauthentication via sign out and sign in otherwise it will take
-      // the user out of the existing flow
-      throw AuthServiceError.reauthenticationRequired(
-        "Phone authentication requires you to sign out and sign in again to continue"
-      )
+      guard let phoneNumber = user.phoneNumber else {
+        throw AuthServiceError.invalidCredentials("User does not have a phone number")
+      }
+
+      // Throw error with context for phone reauthentication
+      throw AuthServiceError.phoneReauthenticationRequired(phoneNumber: phoneNumber)
     } else if let matchingProvider = providers.first(where: { $0.id == providerId }),
               let credentialProvider = matchingProvider.provider as? CredentialAuthProviderSwift {
       let credential = try await credentialProvider.createAuthCredential()
-      _ = try await user.reauthenticate(with: credential)
+      try await user.reauthenticate(with: credential)
     } else {
       throw AuthServiceError.providerNotFound("No provider found for \(providerId)")
     }
   }
 
-  private func withReauthenticationIfNeeded(on user: User,
-                                            operation: () async throws -> Void) async throws {
-    do {
-      try await operation()
-    } catch let error as NSError {
-      if error.domain == AuthErrorDomain,
-         error.code == AuthErrorCode.requiresRecentLogin.rawValue || error.code == AuthErrorCode
-         .userTokenExpired.rawValue {
-        try await reauthenticateCurrentUser(on: user)
-        try await operation()
-      } else {
-        throw error
-      }
+  /// Gets the provider ID that was used for the current sign-in session
+  func getCurrentSignInProvider() async throws -> String {
+    guard let user = currentUser else {
+      throw AuthServiceError.noCurrentUser
+    }
+
+    // Get the ID token result which contains the signInProvider claim
+    let tokenResult = try await user.getIDTokenResult(forcingRefresh: false)
+
+    // The signInProvider property tells us which provider was used for this session
+    let signInProvider = tokenResult.signInProvider
+
+    // If signInProvider is not empty, use it
+    if !signInProvider.isEmpty {
+      return signInProvider
+    }
+
+    // Fallback: if signInProvider is empty, try to infer from providerData
+    // Prefer non-password providers as they're more specific
+    let providerId = user.providerData.first(where: { $0.providerID != "password" })?.providerID
+      ?? user.providerData.first?.providerID
+
+    guard let providerId = providerId else {
+      throw AuthServiceError.reauthenticationRequired(
+        "Unable to determine sign-in provider for reauthentication"
+      )
     }
+
+    return providerId
   }
 
   func unenrollMFA(_ factorUid: String) async throws -> [MultiFactorInfo] {
@@ -800,9 +786,7 @@ public extension AuthService {
 
     let multiFactorUser = user.multiFactor
 
-    try await withReauthenticationIfNeeded(on: user) {
-      try await multiFactorUser.unenroll(withFactorUID: factorUid)
-    }
+    try await multiFactorUser.unenroll(withFactorUID: factorUid)
 
     // This is the only we to get the actual latest enrolledFactors
     currentUser = Auth.auth().currentUser

FirebaseSwiftUI/FirebaseAuthSwiftUI/Sources/Services/ReauthenticationCoordinator.swift

@@ -0,0 +1,89 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import FirebaseAuth
+import Observation
+
+/// Context information for reauthentication UI
+public struct ReauthContext {
+  public let providerId: String
+  public let providerName: String
+  public let phoneNumber: String?
+  public let email: String?
+
+  public init(providerId: String, providerName: String, phoneNumber: String?, email: String?) {
+    self.providerId = providerId
+    self.providerName = providerName
+    self.phoneNumber = phoneNumber
+    self.email = email
+  }
+
+  public var displayMessage: String {
+    switch providerId {
+    case EmailAuthProviderID:
+      return "Please enter your password to continue"
+    case PhoneAuthProviderID:
+      return "Please verify your phone number to continue"
+    default:
+      return "Please sign in with \(providerName) to continue"
+    }
+  }
+}
+
+/// Coordinator for handling reauthentication flows
+@MainActor
+@Observable
+public final class ReauthenticationCoordinator {
+  public var isReauthenticating = false
+  public var reauthContext: ReauthContext?
+  public var showingPhoneReauth = false
+
+  private var continuation: CheckedContinuation<Void, Error>?
+
+  public init() {}
+
+  /// Request reauthentication from the user
+  public func requestReauth(context: ReauthContext) async throws {
+    return try await withCheckedThrowingContinuation { continuation in
+      self.continuation = continuation
+      self.reauthContext = context
+
+      // Show different UI based on provider
+      if context.providerId == PhoneAuthProviderID {
+        self.showingPhoneReauth = true
+      } else {
+        self.isReauthenticating = true
+      }
+    }
+  }
+
+  /// Called when reauthentication completes successfully
+  public func reauthCompleted() {
+    continuation?.resume()
+    cleanup()
+  }
+
+  /// Called when reauthentication is cancelled
+  public func reauthCancelled() {
+    continuation?.resume(throwing: AuthServiceError.signInCancelled("Reauthentication cancelled"))
+    cleanup()
+  }
+
+  private func cleanup() {
+    continuation = nil
+    isReauthenticating = false
+    showingPhoneReauth = false
+    reauthContext = nil
+  }
+}

FirebaseSwiftUI/FirebaseAuthSwiftUI/Sources/Services/ReauthenticationHelpers.swift

@@ -0,0 +1,75 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import FirebaseAuth
+
+/// Execute an operation that may require reauthentication
+/// - Parameters:
+///   - authService: The auth service managing authentication
+///   - coordinator: The coordinator managing reauthentication UI
+///   - operation: The operation to execute
+/// - Throws: Rethrows errors from the operation or reauthentication process
+@MainActor
+public func withReauthenticationIfNeeded(authService: AuthService,
+                                         coordinator: ReauthenticationCoordinator,
+                                         operation: @escaping () async throws
+                                           -> Void) async throws {
+  do {
+    try await operation()
+  } catch let error as NSError {
+    // Check if reauthentication is needed
+    if error.domain == AuthErrorDomain,
+       error.code == AuthErrorCode.requiresRecentLogin.rawValue ||
+       error.code == AuthErrorCode.userTokenExpired.rawValue {
+      // Determine the provider context
+      let providerId = try await authService.getCurrentSignInProvider()
+      let context = ReauthContext(
+        providerId: providerId,
+        providerName: getProviderDisplayName(providerId),
+        phoneNumber: authService.currentUser?.phoneNumber,
+        email: authService.currentUser?.email
+      )
+
+      // Request reauthentication from user with context
+      try await coordinator.requestReauth(context: context)
+
+      // Retry the operation after successful reauth
+      try await operation()
+    } else {
+      throw error
+    }
+  }
+}
+
+/// Get a user-friendly display name for a provider ID
+/// - Parameter providerId: The provider ID from Firebase Auth
+/// - Returns: A user-friendly name for the provider
+public func getProviderDisplayName(_ providerId: String) -> String {
+  switch providerId {
+  case EmailAuthProviderID:
+    return "Email"
+  case PhoneAuthProviderID:
+    return "Phone"
+  case "google.com":
+    return "Google"
+  case "apple.com":
+    return "Apple"
+  case "facebook.com":
+    return "Facebook"
+  case "twitter.com":
+    return "Twitter"
+  default:
+    return providerId
+  }
+}

FirebaseSwiftUI/FirebaseAuthSwiftUI/Sources/Views/MFAEnrolmentView.swift

@@ -37,6 +37,7 @@ public struct MFAEnrolmentView {
   @State private var isLoading = false
   @State private var displayName = ""
   @State private var showCopiedFeedback = false
+  @State private var reauthCoordinator = ReauthenticationCoordinator()
 
   @FocusState private var focus: FocusableField?
 
@@ -135,12 +136,17 @@ public struct MFAEnrolmentView {
 
       do {
         let code = session.type == .sms ? verificationCode : totpCode
-        try await authService.completeEnrollment(
-          session: session,
-          verificationId: session.verificationId,
-          verificationCode: code,
-          displayName: displayName
-        )
+        try await withReauthenticationIfNeeded(
+          authService: authService,
+          coordinator: reauthCoordinator
+        ) {
+          try await authService.completeEnrollment(
+            session: session,
+            verificationId: session.verificationId,
+            verificationCode: code,
+            displayName: displayName
+          )
+        }
 
         // Reset form state on success
         resetForm()
@@ -281,6 +287,7 @@ extension MFAEnrolmentView: View {
     }
     .frame(maxWidth: .infinity, maxHeight: .infinity, alignment: .top)
     .safeAreaPadding()
+    .withReauthentication(coordinator: reauthCoordinator)
     .navigationTitle("Two-Factor Authentication")
     .onAppear {
       // Initialize selected factor type to first allowed type