npm - @firebase/auth - Versions diffs - 1.13.2 → 1.13.3-20260615181107 - Mend

@firebase/auth 1.13.2 → 1.13.3-20260615181107

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (61) hide show

package/dist/web-extension-cjs/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.d.ts CHANGED Viewed

@@ -19,12 +19,30 @@ import { Auth } from '../../model/public_types';
 import { AuthInternal } from '../../model/auth';
 export declare const RECAPTCHA_ENTERPRISE_VERIFIER_TYPE = "recaptcha-enterprise";
 export declare const FAKE_TOKEN = "NO_RECAPTCHA";
+export declare const RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME = "onFirebaseAuthREInstanceReady";
+declare global {
+    interface Window {
+        [RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME]: () => void;
+    }
+}
 export declare class RecaptchaEnterpriseVerifier {
     /**
      * Identifies the type of application verifier (e.g. "recaptcha-enterprise").
      */
     readonly type = "recaptcha-enterprise";
     private readonly auth;
+    /**
+     * Deferred that resolves when script tag has been injected onto the page
+     * and the script is ready (grecaptcha.ready() and script.onload are not
+     * reliable indicators, so this resolves when the global
+     * `window[RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME]()` callback provided to the recaptcha url param "onload"
+     * is triggered).
+     * As a static variable this is applied to all instances of the class.
+     * This will cause an error if users try to create multiple RecaptchaVerifiers
+     * with different Recaptcha Enterprise sitekeys, which should be an
+     * unuspported use case.
+     */
+    private static scriptInjectionDeferred;
     /**
      *
      * @param authExtern - The corresponding Firebase {@link Auth} instance.

package/dist/web-extension-cjs/test/helpers/mock_loadjs.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+export declare const mockLoadJS: () => Promise<Event>;

package/dist/web-extension-esm/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
-import { r as registerAuth, i as initializeAuth, a as indexedDBLocalPersistence, c as connectAuthEmulator } from './register-01796967.js';
-export { Y as ActionCodeURL, m as AuthCredential, A as AuthErrorCodes, E as EmailAuthCredential, q as EmailAuthProvider, F as FacebookAuthProvider, t as GithubAuthProvider, G as GoogleAuthProvider, O as OAuthCredential, w as OAuthProvider, P as PhoneAuthCredential, S as SAMLAuthProvider, T as TotpMultiFactorGenerator, b as TotpSecret, x as TwitterAuthProvider, J as applyActionCode, e as beforeAuthStateChanged, K as checkActionCode, I as confirmPasswordReset, c as connectAuthEmulator, M as createUserWithEmailAndPassword, l as debugErrorMap, k as deleteUser, V as fetchSignInMethodsForEmail, a4 as getAdditionalUserInfo, a1 as getIdToken, a2 as getIdTokenResult, a6 as getMultiFactorResolver, n as inMemoryPersistence, a as indexedDBLocalPersistence, i as initializeAuth, d as initializeRecaptchaConfig, R as isSignInWithEmailLink, B as linkWithCredential, a7 as multiFactor, f as onAuthStateChanged, o as onIdTokenChanged, Z as parseActionCodeURL, p as prodErrorMap, C as reauthenticateWithCredential, a5 as reload, j as revokeAccessToken, W as sendEmailVerification, H as sendPasswordResetEmail, Q as sendSignInLinkToEmail, s as setPersistence, y as signInAnonymously, z as signInWithCredential, D as signInWithCustomToken, N as signInWithEmailAndPassword, U as signInWithEmailLink, h as signOut, a3 as unlink, g as updateCurrentUser, $ as updateEmail, a0 as updatePassword, _ as updateProfile, u as useDeviceLanguage, v as validatePassword, X as verifyBeforeUpdateEmail, L as verifyPasswordResetCode } from './register-01796967.js';
+import { r as registerAuth, i as initializeAuth, a as indexedDBLocalPersistence, c as connectAuthEmulator } from './register-afae00a4.js';
+export { Y as ActionCodeURL, m as AuthCredential, A as AuthErrorCodes, E as EmailAuthCredential, q as EmailAuthProvider, F as FacebookAuthProvider, t as GithubAuthProvider, G as GoogleAuthProvider, O as OAuthCredential, w as OAuthProvider, P as PhoneAuthCredential, S as SAMLAuthProvider, T as TotpMultiFactorGenerator, b as TotpSecret, x as TwitterAuthProvider, J as applyActionCode, e as beforeAuthStateChanged, K as checkActionCode, I as confirmPasswordReset, c as connectAuthEmulator, M as createUserWithEmailAndPassword, l as debugErrorMap, k as deleteUser, V as fetchSignInMethodsForEmail, a4 as getAdditionalUserInfo, a1 as getIdToken, a2 as getIdTokenResult, a6 as getMultiFactorResolver, n as inMemoryPersistence, a as indexedDBLocalPersistence, i as initializeAuth, d as initializeRecaptchaConfig, R as isSignInWithEmailLink, B as linkWithCredential, a7 as multiFactor, f as onAuthStateChanged, o as onIdTokenChanged, Z as parseActionCodeURL, p as prodErrorMap, C as reauthenticateWithCredential, a5 as reload, j as revokeAccessToken, W as sendEmailVerification, H as sendPasswordResetEmail, Q as sendSignInLinkToEmail, s as setPersistence, y as signInAnonymously, z as signInWithCredential, D as signInWithCustomToken, N as signInWithEmailAndPassword, U as signInWithEmailLink, h as signOut, a3 as unlink, g as updateCurrentUser, $ as updateEmail, a0 as updatePassword, _ as updateProfile, u as useDeviceLanguage, v as validatePassword, X as verifyBeforeUpdateEmail, L as verifyPasswordResetCode } from './register-afae00a4.js';
 import { _getProvider, getApp } from '@firebase/app';
 import { getDefaultEmulatorHost } from '@firebase/util';
 import '@firebase/component';

package/dist/web-extension-esm/internal.js CHANGED Viewed

@@ -1,5 +1,5 @@
-import { a8 as STORAGE_AVAILABLE_KEY, a9 as _isMobileBrowser, aa as _isIE10, ab as Delay, ac as _window, ad as _assert, ae as isV2, af as _createError, ag as _recaptchaV2ScriptUrl, ah as _loadJS, ai as MockReCaptcha, aj as _generateCallbackName, ak as _castAuth, al as _isHttpOrHttps, am as _isWorker, an as getRecaptchaParams, ao as _serverAppCurrentUserOperationNotSupportedError, z as signInWithCredential, ap as _assertLinkedStatus, B as linkWithCredential, C as reauthenticateWithCredential, aq as _initializeRecaptchaConfig, ar as FAKE_TOKEN, as as startEnrollPhoneMfa, at as handleRecaptchaFlow, au as startSignInPhoneMfa, av as sendPhoneVerificationCode, aw as _link$1, P as PhoneAuthCredential, ax as _getInstance, ay as _signInWithCredential, az as _reauthenticate, m as AuthCredential, aA as signInWithIdp, aB as _fail, aC as debugAssert, aD as _assertInstanceOf, aE as _generateEventId, aF as FederatedAuthProvider, aG as _persistenceKeyName, aH as _performApiRequest, aI as _getCurrentUrl, aJ as _gapiScriptUrl, aK as _emulatorUrl, aL as _isChromeIOS, aM as _isFirefox, aN as _isIOSStandalone, aO as BaseOAuthProvider, aP as _setWindowLocation, aQ as _isSafari, aR as _isIOS, aS as MultiFactorAssertionImpl, aT as finalizeEnrollPhoneMfa, aU as finalizeSignInPhoneMfa, r as registerAuth, i as initializeAuth, a as indexedDBLocalPersistence, e as beforeAuthStateChanged, o as onIdTokenChanged, c as connectAuthEmulator, aV as _setExternalJSProvider, aW as _isAndroid, aX as _isIOS7Or8 } from './register-01796967.js';
-export { Y as ActionCodeURL, m as AuthCredential, A as AuthErrorCodes, aZ as AuthImpl, E as EmailAuthCredential, q as EmailAuthProvider, F as FacebookAuthProvider, a$ as FetchProvider, t as GithubAuthProvider, G as GoogleAuthProvider, O as OAuthCredential, w as OAuthProvider, P as PhoneAuthCredential, b0 as SAMLAuthCredential, S as SAMLAuthProvider, T as TotpMultiFactorGenerator, b as TotpSecret, x as TwitterAuthProvider, aY as UserImpl, ad as _assert, ak as _castAuth, aB as _fail, aE as _generateEventId, a_ as _getClientVersion, ax as _getInstance, aG as _persistenceKeyName, J as applyActionCode, e as beforeAuthStateChanged, K as checkActionCode, I as confirmPasswordReset, c as connectAuthEmulator, M as createUserWithEmailAndPassword, l as debugErrorMap, k as deleteUser, V as fetchSignInMethodsForEmail, a4 as getAdditionalUserInfo, a1 as getIdToken, a2 as getIdTokenResult, a6 as getMultiFactorResolver, n as inMemoryPersistence, a as indexedDBLocalPersistence, i as initializeAuth, d as initializeRecaptchaConfig, R as isSignInWithEmailLink, B as linkWithCredential, a7 as multiFactor, f as onAuthStateChanged, o as onIdTokenChanged, Z as parseActionCodeURL, p as prodErrorMap, C as reauthenticateWithCredential, a5 as reload, j as revokeAccessToken, W as sendEmailVerification, H as sendPasswordResetEmail, Q as sendSignInLinkToEmail, s as setPersistence, y as signInAnonymously, z as signInWithCredential, D as signInWithCustomToken, N as signInWithEmailAndPassword, U as signInWithEmailLink, h as signOut, a3 as unlink, g as updateCurrentUser, $ as updateEmail, a0 as updatePassword, _ as updateProfile, u as useDeviceLanguage, v as validatePassword, X as verifyBeforeUpdateEmail, L as verifyPasswordResetCode } from './register-01796967.js';
+import { a8 as STORAGE_AVAILABLE_KEY, a9 as _isMobileBrowser, aa as _isIE10, ab as Delay, ac as _window, ad as _assert, ae as isV2, af as _createError, ag as _recaptchaV2ScriptUrl, ah as _loadJS, ai as MockReCaptcha, aj as _generateCallbackName, ak as _castAuth, al as _isHttpOrHttps, am as _isWorker, an as getRecaptchaParams, ao as _serverAppCurrentUserOperationNotSupportedError, z as signInWithCredential, ap as _assertLinkedStatus, B as linkWithCredential, C as reauthenticateWithCredential, aq as _initializeRecaptchaConfig, ar as FAKE_TOKEN, as as startEnrollPhoneMfa, at as handleRecaptchaFlow, au as startSignInPhoneMfa, av as sendPhoneVerificationCode, aw as _link$1, P as PhoneAuthCredential, ax as _getInstance, ay as _signInWithCredential, az as _reauthenticate, m as AuthCredential, aA as signInWithIdp, aB as _fail, aC as debugAssert, aD as _assertInstanceOf, aE as _generateEventId, aF as FederatedAuthProvider, aG as _persistenceKeyName, aH as _performApiRequest, aI as _getCurrentUrl, aJ as _gapiScriptUrl, aK as _emulatorUrl, aL as _isChromeIOS, aM as _isFirefox, aN as _isIOSStandalone, aO as BaseOAuthProvider, aP as _setWindowLocation, aQ as _isSafari, aR as _isIOS, aS as MultiFactorAssertionImpl, aT as finalizeEnrollPhoneMfa, aU as finalizeSignInPhoneMfa, r as registerAuth, i as initializeAuth, a as indexedDBLocalPersistence, e as beforeAuthStateChanged, o as onIdTokenChanged, c as connectAuthEmulator, aV as _setExternalJSProvider, aW as _isAndroid, aX as _isIOS7Or8 } from './register-afae00a4.js';
+export { Y as ActionCodeURL, m as AuthCredential, A as AuthErrorCodes, aZ as AuthImpl, E as EmailAuthCredential, q as EmailAuthProvider, F as FacebookAuthProvider, a$ as FetchProvider, t as GithubAuthProvider, G as GoogleAuthProvider, O as OAuthCredential, w as OAuthProvider, P as PhoneAuthCredential, b0 as SAMLAuthCredential, S as SAMLAuthProvider, T as TotpMultiFactorGenerator, b as TotpSecret, x as TwitterAuthProvider, aY as UserImpl, ad as _assert, ak as _castAuth, aB as _fail, aE as _generateEventId, a_ as _getClientVersion, ax as _getInstance, aG as _persistenceKeyName, J as applyActionCode, e as beforeAuthStateChanged, K as checkActionCode, I as confirmPasswordReset, c as connectAuthEmulator, M as createUserWithEmailAndPassword, l as debugErrorMap, k as deleteUser, V as fetchSignInMethodsForEmail, a4 as getAdditionalUserInfo, a1 as getIdToken, a2 as getIdTokenResult, a6 as getMultiFactorResolver, n as inMemoryPersistence, a as indexedDBLocalPersistence, i as initializeAuth, d as initializeRecaptchaConfig, R as isSignInWithEmailLink, B as linkWithCredential, a7 as multiFactor, f as onAuthStateChanged, o as onIdTokenChanged, Z as parseActionCodeURL, p as prodErrorMap, C as reauthenticateWithCredential, a5 as reload, j as revokeAccessToken, W as sendEmailVerification, H as sendPasswordResetEmail, Q as sendSignInLinkToEmail, s as setPersistence, y as signInAnonymously, z as signInWithCredential, D as signInWithCustomToken, N as signInWithEmailAndPassword, U as signInWithEmailLink, h as signOut, a3 as unlink, g as updateCurrentUser, $ as updateEmail, a0 as updatePassword, _ as updateProfile, u as useDeviceLanguage, v as validatePassword, X as verifyBeforeUpdateEmail, L as verifyPasswordResetCode } from './register-afae00a4.js';
 import { querystring, getModularInstance, getUA, isEmpty, getExperimentalSetting, getDefaultEmulatorHost, querystringDecode } from '@firebase/util';
 import { _isFirebaseServerApp, SDK_VERSION, _getProvider, getApp } from '@firebase/app';
 import '@firebase/component';

package/dist/web-extension-esm/{register-01796967.js → register-afae00a4.js} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { ErrorFactory, isBrowserExtension, isMobileCordova, isReactNative, FirebaseError, querystring, isCloudflareWorker, isCloudWorkstation, getModularInstance, base64Decode, getUA, isIE, createSubscribe, deepEqual, pingServer, querystringDecode, extractQuerystring } from '@firebase/util';
+import { ErrorFactory, isBrowserExtension, isMobileCordova, isReactNative, FirebaseError, querystring, isCloudflareWorker, isCloudWorkstation, getModularInstance, base64Decode, getUA, isIE, createSubscribe, Deferred, deepEqual, pingServer, querystringDecode, extractQuerystring } from '@firebase/util';
 import { SDK_VERSION, _isFirebaseServerApp, _getProvider, _registerComponent, registerVersion } from '@firebase/app';
 import { Component } from '@firebase/component';
 import { Logger, LogLevel } from '@firebase/logger';
@@ -804,8 +804,8 @@ async function _performApiRequest(auth, method, path, request, customErrorMap =
             }
         }
         const query = querystring({
-            key: auth.config.apiKey,
-            ...params
+            ...params,
+            key: auth.config.apiKey
         }).slice(1);
         const headers = await auth._getAdditionalHeaders();
         headers["Content-Type" /* HttpHeader.CONTENT_TYPE */] = 'application/json';
@@ -822,7 +822,7 @@ async function _performApiRequest(auth, method, path, request, customErrorMap =
            'RequestInitializerDict' is not implemented."
            https://github.com/cloudflare/next-on-pages/issues/487 */
         if (!isCloudflareWorker()) {
-            fetchArgs.referrerPolicy = 'no-referrer';
+            fetchArgs.referrerPolicy = 'strict-origin-when-cross-origin';
         }
         if (auth.emulatorConfig && isCloudWorkstation(auth.emulatorConfig.host)) {
             fetchArgs.credentials = 'include';
@@ -3330,6 +3330,7 @@ function generateRandomAlphaNumericString(len) {
 /* eslint-disable @typescript-eslint/no-require-imports */
 const RECAPTCHA_ENTERPRISE_VERIFIER_TYPE = 'recaptcha-enterprise';
 const FAKE_TOKEN = 'NO_RECAPTCHA';
+const RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME = 'onFirebaseAuthREInstanceReady';
 class RecaptchaEnterpriseVerifier {
     /**
      *
@@ -3409,8 +3410,13 @@ class RecaptchaEnterpriseVerifier {
         }
         return new Promise((resolve, reject) => {
             retrieveSiteKey(this.auth)
-                .then(siteKey => {
-                if (!forceRefresh && isEnterprise(window.grecaptcha)) {
+                .then(async (siteKey) => {
+                if (!forceRefresh &&
+                    isEnterprise(window.grecaptcha) &&
+                    // If download has already been initiated, do not trigger another
+                    // download, await the promise here.
+                    RecaptchaEnterpriseVerifier.scriptInjectionDeferred) {
+                    await RecaptchaEnterpriseVerifier.scriptInjectionDeferred.promise;
                     retrieveRecaptchaToken(siteKey, resolve, reject);
                 }
                 else {
@@ -3420,9 +3426,25 @@ class RecaptchaEnterpriseVerifier {
                     }
                     let url = _recaptchaEnterpriseScriptUrl();
                     if (url.length !== 0) {
-                        url += siteKey;
+                        url +=
+                            siteKey +
+                                `&onload=${RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME}`;
                     }
+                    // Existence of deferred indicates download has been initiated.
+                    RecaptchaEnterpriseVerifier.scriptInjectionDeferred =
+                        new Deferred();
+                    /**
+                     * Script attached to global window object that will be called
+                     * when the ReCAPTCHA Enterprise instance is ready.
+                     * grecaptcha.ready() is not reliable when there are multiple
+                     * scripts on the page, and script.onload only indicates the
+                     * script has downloaded, not that it has initialized.
+                     */
+                    window[RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME] = () => {
+                        RecaptchaEnterpriseVerifier.scriptInjectionDeferred?.resolve();
+                    };
                     _loadJS(url)
+                        .then(() => RecaptchaEnterpriseVerifier.scriptInjectionDeferred?.promise)
                         .then(() => {
                         retrieveRecaptchaToken(siteKey, resolve, reject);
                     })
@@ -3437,6 +3459,18 @@ class RecaptchaEnterpriseVerifier {
         });
     }
 }
+/**
+ * Deferred that resolves when script tag has been injected onto the page
+ * and the script is ready (grecaptcha.ready() and script.onload are not
+ * reliable indicators, so this resolves when the global
+ * `window[RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME]()` callback provided to the recaptcha url param "onload"
+ * is triggered).
+ * As a static variable this is applied to all instances of the class.
+ * This will cause an error if users try to create multiple RecaptchaVerifiers
+ * with different Recaptcha Enterprise sitekeys, which should be an
+ * unuspported use case.
+ */
+RecaptchaEnterpriseVerifier.scriptInjectionDeferred = null;
 async function injectRecaptchaFields(auth, request, action, isCaptchaResp = false, isFakeToken = false) {
     const verifier = new RecaptchaEnterpriseVerifier(auth);
     let captchaResponse;
@@ -8111,7 +8145,7 @@ function _isEmptyString(input) {
 }
 var name = "@firebase/auth";
-var version = "1.13.2";
+var version = "1.13.3-20260615181107";
 /**
  * @license
@@ -8257,4 +8291,4 @@ function registerAuth(clientPlatform) {
 }
 export { updateEmail as $, AUTH_ERROR_CODES_MAP_DO_NOT_USE_INTERNALLY as A, linkWithCredential as B, reauthenticateWithCredential as C, signInWithCustomToken as D, EmailAuthCredential as E, FacebookAuthProvider as F, GoogleAuthProvider as G, sendPasswordResetEmail as H, confirmPasswordReset as I, applyActionCode as J, checkActionCode as K, verifyPasswordResetCode as L, createUserWithEmailAndPassword as M, signInWithEmailAndPassword as N, OAuthCredential as O, PhoneAuthCredential as P, sendSignInLinkToEmail as Q, isSignInWithEmailLink as R, SAMLAuthProvider as S, TotpMultiFactorGenerator as T, signInWithEmailLink as U, fetchSignInMethodsForEmail as V, sendEmailVerification as W, verifyBeforeUpdateEmail as X, ActionCodeURL as Y, parseActionCodeURL as Z, updateProfile as _, indexedDBLocalPersistence as a, FetchProvider as a$, updatePassword as a0, getIdToken as a1, getIdTokenResult as a2, unlink as a3, getAdditionalUserInfo as a4, reload as a5, getMultiFactorResolver as a6, multiFactor as a7, STORAGE_AVAILABLE_KEY as a8, _isMobileBrowser as a9, signInWithIdp as aA, _fail as aB, debugAssert as aC, _assertInstanceOf as aD, _generateEventId as aE, FederatedAuthProvider as aF, _persistenceKeyName as aG, _performApiRequest as aH, _getCurrentUrl as aI, _gapiScriptUrl as aJ, _emulatorUrl as aK, _isChromeIOS as aL, _isFirefox as aM, _isIOSStandalone as aN, BaseOAuthProvider as aO, _setWindowLocation as aP, _isSafari as aQ, _isIOS as aR, MultiFactorAssertionImpl as aS, finalizeEnrollPhoneMfa as aT, finalizeSignInPhoneMfa as aU, _setExternalJSProvider as aV, _isAndroid as aW, _isIOS7Or8 as aX, UserImpl as aY, AuthImpl as aZ, _getClientVersion as a_, _isIE10 as aa, Delay as ab, _window as ac, _assert as ad, isV2 as ae, _createError as af, _recaptchaV2ScriptUrl as ag, _loadJS as ah, MockReCaptcha as ai, _generateCallbackName as aj, _castAuth as ak, _isHttpOrHttps as al, _isWorker as am, getRecaptchaParams as an, _serverAppCurrentUserOperationNotSupportedError as ao, _assertLinkedStatus as ap, _initializeRecaptchaConfig as aq, FAKE_TOKEN as ar, startEnrollPhoneMfa as as, handleRecaptchaFlow as at, startSignInPhoneMfa as au, sendPhoneVerificationCode as av, _link as aw, _getInstance as ax, _signInWithCredential as ay, _reauthenticate as az, TotpSecret as b, SAMLAuthCredential as b0, connectAuthEmulator as c, initializeRecaptchaConfig as d, beforeAuthStateChanged as e, onAuthStateChanged as f, updateCurrentUser as g, signOut as h, initializeAuth as i, revokeAccessToken as j, deleteUser as k, debugErrorMap as l, AuthCredential as m, inMemoryPersistence as n, onIdTokenChanged as o, prodErrorMap as p, EmailAuthProvider as q, registerAuth as r, setPersistence as s, GithubAuthProvider as t, useDeviceLanguage as u, validatePassword as v, OAuthProvider as w, TwitterAuthProvider as x, signInAnonymously as y, signInWithCredential as z };
-//# sourceMappingURL=register-01796967.js.map
+//# sourceMappingURL=register-afae00a4.js.map