Phone authentication with reCAPTCHA & api key restriction issue

[antoninbiret]

[REQUIRED] Step 1: Describe your environment

• Xcode version: 12.4
• Firebase SDK version: 7.7.0
• Installation method: CocoaPods
• Firebase Component: Auth

[REQUIRED] Step 2: Describe the problem

I recently discovered that the reCAPTCHA phone authentication flow did not work as expected in my project but was working well before. The silent push authentication flow works fine tho.

I get the following error:

{
   "error":{
      "code":403,
      "message":"Requests from this iOS client application <empty> are blocked.",
      "errors":[
         {
            "message":"Requests from this iOS client application <empty> are blocked.",
            "domain":"global",
            "reason":"forbidden"
         }
      ],
      "status":"PERMISSION_DENIED"
   }
}

My firebase API key is restricted to be used by both my development & staging app's bundle identifier. If I remove the restriction the reCAPTCHA flow is working fine.

Did some debugging and find out the ibi parameter in the reCAPTCHA URL request is set and equal to my application's bundle identifier.

Am I the only one seeing this issue ?

Steps to reproduce:

Restricting firebase API key on the google cloud console for the app's bundle identifier and try the reCAPTCHA authentication flow.

Thanks in advance for any feedback.

[rizafran]

Hi Antonin, based on my understanding, the reCAPTCHA flow is not working when the API key is restricted. I found this from the docs and it seems that:

Note: If you apply restrictions to an API key that's used for accessing Firebase services, and you're getting errors, you may need to include the Firebase Management API in the list of allowed APIs. This is especially true if you use Google Analytics with a web app.

I'll also try to reproduce this on my end and I'll let you know of my findings.

[rizafran]

I've tried to reproduce the issue, and I was able to get the same behavior. Looks like you have to remove the API key restrictions if you want the reCAPTCHA fallback to work. We need to make an API call to our server from a web view in order to render the reCAPTCHA.

[morganchen12]

@rosalyntan can you confirm if this is intended behavior (looks like it is), and whether or not we should add something to our docs about it?

[rosalyntan]

Hi @antoninbiret, thanks for filing this issue! As @rizafran said, this is WAI because reCAPTCHA is a web-based flow and our web widget doesn't (and shouldn't) impersonate your iOS app.

[antoninbiret]

Thanks for your feedback