Firebase authorized subdomains allow login but does not allow captcha #585

@ogulcan-north

Operating System
All

Environment (if applicable)
All

Firebase SDK Version
12.6.0

Firebase SDK Product(s)
Auth

Project Tooling
SvelteKit app with Vite

Detailed Problem Description
Since Vercel auto-generates the preview branch deployment URLs, we have added a custom domain to allow logins. We'll call it preview.test.com here.

In the authorized domain list of Firebase Auth, we've added preview.test.com, which allows us to log in to any subdomain of it (e.g. test-feature.preview.test.com).

However, when the MFA is enabled, we are getting the following error:

Hostname match not found (auth/captcha-check-failed).

And in the MFA enrollment request, we are getting the following error:

URL: https://identitytoolkit.googleapis.com/v2/accounts/mfaEnrollment:start?key=X

{
  "error": {
    "code": 400,
    "message": "CAPTCHA_CHECK_FAILED : Hostname match not found",
    "status": "INVALID_ARGUMENT"
  }
}

Because of this issue, we are able to log in but are not able to enable MFA in the preview URLs.

Steps and code to reproduce issue
1 - Deploy the application into a subdomain (branch.preview.test.com).
2 - Allow the root domain in the Firebase Auth allowed domains list (preview.test.com).
3 - Try to set up the MFA, or try to log in to an account with MFA already set up.

It seems like the reCAPTCHA library is doing a full domain match, causing the subdomains to give an error. It's not aligned with Firebase, which also allows the subdomains.
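Added example, not part of the original issue and not Firebase or reCAPTCHA code: a sketch of the two hostname-matching policies the report contrasts, run over the report's placeholder domain to show where they diverge. The function names and both policies are assumptions modelling the reporter's hypothesis; the sample hosts are constructed.

```javascript
// Added illustration: models the two matching policies the report contrasts.
// Neither function is Firebase or reCAPTCHA code; both are assumptions.

// Normalise a hostname for comparison: lowercase, strip one trailing dot.
function normalizeHost(host) {
  return String(host).trim().toLowerCase().replace(/\.$/, "");
}

// Policy A (assumed, per the report's hypothesis): full-hostname equality.
function exactMatch(host, allowed) {
  const h = normalizeHost(host);
  return allowed.some((d) => normalizeHost(d) === h);
}

// Policy B (assumed, matching the login behaviour the report describes):
// the host equals an entry or is a subdomain of it. The leading "." keeps
// "evilpreview.test.com" from matching "preview.test.com".
function subdomainMatch(host, allowed) {
  const h = normalizeHost(host);
  return allowed.some((d) => {
    const a = normalizeHost(d);
    return a.length > 0 && (h === a || h.endsWith("." + a));
  });
}

// Report which policy accepts each host, to show where the two diverge.
function compareHosts(hosts, allowed) {
  return hosts.map((host) => ({
    host,
    exact: exactMatch(host, allowed),
    subdomain: subdomainMatch(host, allowed),
  }));
}

// Constructed sample input using the placeholder domain from the report.
const allowed = ["preview.test.com"];
const hosts = [
  "preview.test.com",
  "test-feature.preview.test.com",
  "evilpreview.test.com",
  "preview.test.com.example.net",
];
console.table(compareHosts(hosts, allowed));
```

A host accepted by the subdomain policy but rejected by the exact policy reproduces the symptom described above: login passes while the captcha hostname check fails.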
