bring validation into operations layer and extend MFA related support…

… to the `updateUser` path + add test cases for validation of `signUp` MFA flows

src/emulator/auth/operations.ts

@@ -167,7 +167,29 @@ function signUp(
     updates.validSince = toUnixTimestamp(new Date()).toString();
   }
   if (reqBody.mfaInfo) {
-    updates.mfaInfo = reqBody.mfaInfo;
+    const mfaInfo = [];
+    for (const factor of reqBody.mfaInfo) {
+      // the node SDK validation asserts the absence of a uid on create requests prior to submitting any API requests.
+      // e.g., `Error: "uid" is not supported when adding second factors via "createUser()"`
+      assert(
+        !Object.prototype.hasOwnProperty.call(factor, "mfaEnrollmentId"),
+        "UNEXPECTED_PARAMETER : mfaEnrollmentId"
+      );
+      assert(
+        factor.phoneInfo && isValidPhoneNumber(factor.phoneInfo),
+        "INVALID_MFA_PHONE_NUMBER : Invalid format."
+      );
+      const mfaEnrollmentId = randomId(28);
+      assert(
+        state.validateMfaEnrollmentIdForCreate(mfaEnrollmentId),
+        "INVALID_MFA_ID : enrollment ID was not unique."
+      );
+      mfaInfo.push({
+        ...factor,
+        mfaEnrollmentId,
+      });
+    }
+    updates.mfaInfo = mfaInfo;
   }
   let user: UserInfo | undefined;
   if (reqBody.idToken) {
@@ -977,6 +999,31 @@ export function setAccountInfoImpl(
       updates.validSince = toUnixTimestamp(new Date()).toString();
     }
 
+    // if the user has MFA info, update it, otherwise if specified but empty, delete it...
+    if (reqBody.mfa) {
+      if (reqBody.mfa.enrollments && reqBody.mfa.enrollments.length > 0) {
+        const mfaInfo = [];
+        for (const enrolledFactor of reqBody.mfa.enrollments) {
+          assert(
+            enrolledFactor.phoneInfo && isValidPhoneNumber(enrolledFactor.phoneInfo),
+            "INVALID_MFA_PHONE_NUMBER : Invalid format."
+          );
+          assert(
+            enrolledFactor.mfaEnrollmentId,
+            "INVALID_MFA_ID : Must specify non-null mfaEnrollmentId on update."
+          );
+          assert(
+            state.validateMfaEnrollmentIdForUpdate(enrolledFactor.mfaEnrollmentId, user),
+            "INVALID_MFA_ID : enrollment ID was not unique."
+          );
+          mfaInfo.push({ ...enrolledFactor });
+        }
+        updates.mfaInfo = mfaInfo;
+      } else {
+        updates.mfaInfo = undefined;
+      }
+    }
+
     // Copy profile properties to updates, if they're specified.
     const fieldsToCopy: (keyof typeof reqBody & keyof typeof updates)[] = [
       "displayName",

src/emulator/auth/state.ts

@@ -174,25 +174,53 @@ export class ProjectState {
       deleteProviders.push(PROVIDER_PHONE);
     }
     if (user.mfaInfo) {
-      this.updateMfaEnrollments(user);
+      this.updateMfaEnrollments(user, user.mfaInfo);
     } else {
       this.mfaEnrollmentIdsForLocalId.delete(user.localId);
     }
 
     return this.updateUserProviderInfo(user, upsertProviders, deleteProviders);
   }
 
-  private updateMfaEnrollments(user: UserInfo): UserInfo {
-    for (const factor of user.mfaInfo ?? []) {
-      const allowUpdate = !!factor.mfaEnrollmentId;
-      const mfaEnrollmentId = factor.mfaEnrollmentId ?? randomId(28);
-      const enrollments = this.mfaEnrollmentIdsForLocalId.get(user.localId) ?? new Set();
-      if (!(enrollments.add(mfaEnrollmentId) || allowUpdate)) {
-        throw new Error("New MfaEnrollmentId wasn't unique.");
+  /**
+   * Validates a new MFA enrollment ID, checking that the enrollment
+   * ID is not already in use for a different user.
+   *
+   * @param mfaEnrollmentId the proposed MFA enrollment ID
+   */
+  validateMfaEnrollmentIdForCreate(mfaEnrollmentId: string): boolean {
+    const localId = this.localIdForMfaEnrollmentId.get(mfaEnrollmentId);
+    return !localId;
+  }
+
+  /**
+   * Validates an MFA enrollment ID being updated, checking either that
+   * the ID does not already exist, or that the ID exists and is being
+   * used by the current user.
+   *
+   * @param mfaEnrollmentId the proposed MFA enrollment ID
+   * @param user the user being updated
+   */
+  validateMfaEnrollmentIdForUpdate(mfaEnrollmentId: string, user: UserInfo): boolean {
+    const localId = this.localIdForMfaEnrollmentId.get(mfaEnrollmentId);
+    // if the ID is in use for another user, it is invalid. otherwise, we'll allow an update
+    // even if the user is doing something sketchy like swapping the ID's on various
+    // existing enrolled factors.
+    return !localId || localId === user.localId;
+  }
+
+  private updateMfaEnrollments(
+    user: UserInfo,
+    mfaInfo: Schemas["GoogleCloudIdentitytoolkitV1MfaEnrollment"][]
+  ): UserInfo {
+    for (const factor of mfaInfo) {
+      if (!factor.mfaEnrollmentId) {
+        throw new Error("MFA Factor Must Have an Enrollment ID");
       }
+      const enrollments = this.mfaEnrollmentIdsForLocalId.get(user.localId) ?? new Set();
+      enrollments.add(factor.mfaEnrollmentId);
       this.mfaEnrollmentIdsForLocalId.set(user.localId, enrollments);
-      this.localIdForMfaEnrollmentId.set(mfaEnrollmentId, user.localId);
-      factor.mfaEnrollmentId = mfaEnrollmentId;
+      this.localIdForMfaEnrollmentId.set(factor.mfaEnrollmentId, user.localId);
     }
     return user;
   }