Description
What feature would you like to see?
Follow-up of #1757: Please change the reCAPTCHA phone verification web workflow to work with a restricted key. Obviously a restricted Firebase Android API key cannot work with the reCAPTCHA workflow, because it opens a browser and is in a different context. My Android key has proper fingerprints and the Android Device Verification and Identity Toolkit APIs activated. On a regular Android phone the OTP succeeds using the SafetyNet API; however, on some phones it does not (e.g. older phones or phones with alternate ROMs like GrapheneOS). In those cases the reCAPTCHA fallback gets triggered and it always returns:
E/zzf: Failed to get reCAPTCHA token with error [There was an internal error in the web widget. [ {"code":"auth/internal-error","message":"{"error":{"code":403,"message":"Requests from this Android client application are blocked.","errors":[{"message":"Requests from this Android client application are blocked.","domain":"global","reason":"forbidden"}],"status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"API_KEY_ANDROID_APP_BLOCKED","domain":"googleapis.com","metadata":{"service":"identitytoolkit.googleapis.com","consumer":"projects/<PROJECT_ID>"}}]}}"} ]]- calling backend without app verification
It now forces me to remove the Android key restrictions, which should never be the case in my opinion, since it makes abuse so much easier. Why is the reCAPTCHA fallback not using the Firebase Browser API key instead?
In my browser key, I could whitelist <PROJECT_ID>.firebaseapp.com/* as a valid HTTP referrer and things could work out. This is not working: the reCAPTCHA workflow tries to pass through the Android API key restrictions, which is impossible.
How would you use it?
I would ensure that any Android device is able to verify a phone number via SMS. Right now I have to decide either to support only devices that are part of the Android Compatibility Test Suite (CTS) or to use an insecure API key.
cc @malcolmdeck
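As an added example (not code from this issue, the reporter, or the Firebase SDK): a small triage helper that pulls the google.rpc.ErrorInfo fields out of a logcat line like the one quoted above, so that an API key restriction block (reason API_KEY_ANDROID_APP_BLOCKED, the one the post shows) can be told apart from other reCAPTCHA failures before anyone loosens a key restriction. The inner JSON in that log line is embedded as a string with unescaped quotes, so it is not parseable as JSON; the helper uses targeted regexes instead. The second sample line, the other reason strings in the hint table (taken from Google's general API key error reasons, not from this post), the project name example-project and all function and class names are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The logcat line from the report above, used here as a constructed sample
# (the reporter already redacted the project id as <PROJECT_ID>).
SAMPLE_LOG = r'''E/zzf: Failed to get reCAPTCHA token with error [There was an internal error in the web widget. [ {"code":"auth/internal-error","message":"{"error":{"code":403,"message":"Requests from this Android client application are blocked.","errors":[{"message":"Requests from this Android client application are blocked.","domain":"global","reason":"forbidden"}],"status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"API_KEY_ANDROID_APP_BLOCKED","domain":"googleapis.com","metadata":{"service":"identitytoolkit.googleapis.com","consumer":"projects/<PROJECT_ID>"}}]}}"} ]]- calling backend without app verification'''

# Constructed counterpart (invented for illustration, not from the post): the same
# error shape for a key whose HTTP referrer restriction rejected the call.
SAMPLE_LOG_REFERRER = (
    'E/zzf: Failed to get reCAPTCHA token with error [ {"code":"auth/internal-error",'
    '"message":"{"error":{"code":403,"status":"PERMISSION_DENIED","details":[{"@type":'
    '"type.googleapis.com/google.rpc.ErrorInfo","reason":"API_KEY_HTTP_REFERRER_BLOCKED",'
    '"domain":"googleapis.com","metadata":{"service":"identitytoolkit.googleapis.com",'
    '"consumer":"projects/example-project"}}]}}"} ]'
)

# ErrorInfo reasons Google APIs return when an API key restriction rejects a call.
# Only API_KEY_ANDROID_APP_BLOCKED appears in the post; the others are assumed from
# Google's documented API key error reasons.
KEY_RESTRICTION_HINTS = {
    "API_KEY_ANDROID_APP_BLOCKED": "key is restricted to Android apps by package/SHA-1, but the caller (here the reCAPTCHA web widget) does not present as that app",
    "API_KEY_HTTP_REFERRER_BLOCKED": "key is restricted by HTTP referrer and the calling page's referrer is not on the allow-list",
    "API_KEY_IOS_APP_BLOCKED": "key is restricted to iOS bundle IDs and the caller is not one of them",
    "API_KEY_IP_ADDRESS_BLOCKED": "key is restricted by IP address and the caller's address is not allowed",
    "API_KEY_SERVICE_BLOCKED": "key's API restriction does not include the service being called",
    "API_KEY_INVALID": "key is unknown, deleted or malformed",
}


@dataclass
class Triage:
    http_code: int
    status: str
    reason: str
    service: str
    consumer: str
    unverified_fallback: bool  # the line ends with the SDK's "calling backend without app verification"

    def key_restriction_blocked(self) -> bool:
        # All key-restriction rejections carry an API_KEY_* reason.
        return self.reason.startswith("API_KEY_")

    def diagnosis(self) -> str:
        hint = KEY_RESTRICTION_HINTS.get(self.reason, "not a key-restriction error; read the message text")
        return f"{self.service} returned {self.http_code} {self.status} ({self.reason}): {hint}"


def triage(line: str) -> Optional[Triage]:
    """Extract the google.rpc.ErrorInfo fields from one logcat line, or None if absent.

    The nested JSON is not valid JSON as logged (unescaped quotes), so json.loads()
    is not an option; each field is picked out with its own regex instead.
    """
    reason = re.search(r'google\.rpc\.ErrorInfo","reason":"([A-Z_]+)"', line)
    if not reason:
        return None  # no googleapis ErrorInfo in this line
    # The first "code" is the string "auth/internal-error"; \d{3} skips it and
    # lands on the numeric HTTP code.
    code = re.search(r'"code":(\d{3})', line)
    status = re.search(r'"status":"([A-Z_]+)"', line)
    service = re.search(r'"service":"([^"]+)"', line)
    consumer = re.search(r'"consumer":"([^"]+)"', line)
    return Triage(
        http_code=int(code.group(1)) if code else 0,
        status=status.group(1) if status else "",
        reason=reason.group(1),
        service=service.group(1) if service else "",
        consumer=consumer.group(1) if consumer else "",
        unverified_fallback="calling backend without app verification" in line,
    )


if __name__ == "__main__":
    for sample in (SAMPLE_LOG, SAMPLE_LOG_REFERRER):
        t = triage(sample)
        print(t.diagnosis(), "| fell back unverified:", t.unverified_fallback)
```

Run it over a captured logcat excerpt and the `consumer` field tells you which project's key was rejected and `service` which API enforced the restriction; a `reason` of API_KEY_ANDROID_APP_BLOCKED with `service` identitytoolkit.googleapis.com is exactly the situation the post describes, and is a key-restriction configuration issue rather than a SafetyNet or reCAPTCHA failure on the device.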