@firebase/auth 1.13.2 → 1.13.3-20260616165109

package/dist/node-esm/index.js

@@ -1,4 +1,4 @@
-export { A as ActionCodeOperation, aj as ActionCodeURL, M as AuthCredential, J as AuthErrorCodes, N as EmailAuthCredential, W as EmailAuthProvider, X as FacebookAuthProvider, F as FactorId, Z as GithubAuthProvider, Y as GoogleAuthProvider, Q as OAuthCredential, _ as OAuthProvider, O as OperationType, U as PhoneAuthCredential, P as PhoneAuthProvider, n as PhoneMultiFactorGenerator, q as ProviderId, R as RecaptchaVerifier, $ as SAMLAuthProvider, S as SignInMethod, T as TotpMultiFactorGenerator, o as TotpSecret, a0 as TwitterAuthProvider, a8 as applyActionCode, y as beforeAuthStateChanged, a as browserCookiePersistence, b as browserLocalPersistence, m as browserPopupRedirectResolver, c as browserSessionPersistence, a9 as checkActionCode, a7 as confirmPasswordReset, L as connectAuthEmulator, ab as createUserWithEmailAndPassword, H as debugErrorMap, G as deleteUser, ag as fetchSignInMethodsForEmail, ar as getAdditionalUserInfo, p as getAuth, ao as getIdToken, ap as getIdTokenResult, at as getMultiFactorResolver, k as getRedirectResult, V as inMemoryPersistence, i as indexedDBLocalPersistence, K as initializeAuth, v as initializeRecaptchaConfig, ae as isSignInWithEmailLink, a3 as linkWithCredential, l as linkWithPhoneNumber, e as linkWithPopup, h as linkWithRedirect, au as multiFactor, z as onAuthStateChanged, x as onIdTokenChanged, ak as parseActionCodeURL, I as prodErrorMap, a4 as reauthenticateWithCredential, r as reauthenticateWithPhoneNumber, f as reauthenticateWithPopup, j as reauthenticateWithRedirect, as as reload, E as revokeAccessToken, ah as sendEmailVerification, a6 as sendPasswordResetEmail, ad as sendSignInLinkToEmail, t as setPersistence, a1 as signInAnonymously, a2 as signInWithCredential, a5 as signInWithCustomToken, ac as signInWithEmailAndPassword, af as signInWithEmailLink, s as signInWithPhoneNumber, d as signInWithPopup, g as signInWithRedirect, D as signOut, aq as unlink, C as updateCurrentUser, am as updateEmail, an as updatePassword, u as updatePhoneNumber, al as updateProfile, B as useDeviceLanguage, w as validatePassword, ai as verifyBeforeUpdateEmail, aa as verifyPasswordResetCode } from './totp-5d40279f.js';
+export { A as ActionCodeOperation, aj as ActionCodeURL, M as AuthCredential, J as AuthErrorCodes, N as EmailAuthCredential, W as EmailAuthProvider, X as FacebookAuthProvider, F as FactorId, Z as GithubAuthProvider, Y as GoogleAuthProvider, Q as OAuthCredential, _ as OAuthProvider, O as OperationType, U as PhoneAuthCredential, P as PhoneAuthProvider, n as PhoneMultiFactorGenerator, q as ProviderId, R as RecaptchaVerifier, $ as SAMLAuthProvider, S as SignInMethod, T as TotpMultiFactorGenerator, o as TotpSecret, a0 as TwitterAuthProvider, a8 as applyActionCode, y as beforeAuthStateChanged, a as browserCookiePersistence, b as browserLocalPersistence, m as browserPopupRedirectResolver, c as browserSessionPersistence, a9 as checkActionCode, a7 as confirmPasswordReset, L as connectAuthEmulator, ab as createUserWithEmailAndPassword, H as debugErrorMap, G as deleteUser, ag as fetchSignInMethodsForEmail, ar as getAdditionalUserInfo, p as getAuth, ao as getIdToken, ap as getIdTokenResult, at as getMultiFactorResolver, k as getRedirectResult, V as inMemoryPersistence, i as indexedDBLocalPersistence, K as initializeAuth, v as initializeRecaptchaConfig, ae as isSignInWithEmailLink, a3 as linkWithCredential, l as linkWithPhoneNumber, e as linkWithPopup, h as linkWithRedirect, au as multiFactor, z as onAuthStateChanged, x as onIdTokenChanged, ak as parseActionCodeURL, I as prodErrorMap, a4 as reauthenticateWithCredential, r as reauthenticateWithPhoneNumber, f as reauthenticateWithPopup, j as reauthenticateWithRedirect, as as reload, E as revokeAccessToken, ah as sendEmailVerification, a6 as sendPasswordResetEmail, ad as sendSignInLinkToEmail, t as setPersistence, a1 as signInAnonymously, a2 as signInWithCredential, a5 as signInWithCustomToken, ac as signInWithEmailAndPassword, af as signInWithEmailLink, s as signInWithPhoneNumber, d as signInWithPopup, g as signInWithRedirect, D as signOut, aq as unlink, C as updateCurrentUser, am as updateEmail, an as updatePassword, u as updatePhoneNumber, al as updateProfile, B as useDeviceLanguage, w as validatePassword, ai as verifyBeforeUpdateEmail, aa as verifyPasswordResetCode } from './totp-5eeabfcc.js';
 import '@firebase/app';
 import '@firebase/util';
 import '@firebase/component';

package/dist/node-esm/internal.js

@@ -1,5 +1,5 @@
-import { av as _getInstance, aw as _assert, ax as _signInWithCredential, ay as _reauthenticate, az as _link$1, M as AuthCredential, aA as signInWithIdp, aB as _fail, aC as debugAssert, aD as _persistenceKeyName, aE as _serverAppCurrentUserOperationNotSupportedError, aF as _castAuth, aG as FederatedAuthProvider, aH as BaseOAuthProvider, aI as _emulatorUrl, aJ as _performApiRequest, aK as _isIOS, aL as _isAndroid, aM as _isIOS7Or8, aN as _createError, aO as _isMobileBrowser, aP as _isIE10 } from './totp-5d40279f.js';
-export { A as ActionCodeOperation, aj as ActionCodeURL, M as AuthCredential, J as AuthErrorCodes, aR as AuthImpl, N as EmailAuthCredential, W as EmailAuthProvider, X as FacebookAuthProvider, F as FactorId, aT as FetchProvider, Z as GithubAuthProvider, Y as GoogleAuthProvider, Q as OAuthCredential, _ as OAuthProvider, O as OperationType, U as PhoneAuthCredential, P as PhoneAuthProvider, n as PhoneMultiFactorGenerator, q as ProviderId, R as RecaptchaVerifier, aU as SAMLAuthCredential, $ as SAMLAuthProvider, S as SignInMethod, T as TotpMultiFactorGenerator, o as TotpSecret, a0 as TwitterAuthProvider, aQ as UserImpl, aw as _assert, aF as _castAuth, aB as _fail, aS as _getClientVersion, av as _getInstance, aD as _persistenceKeyName, a8 as applyActionCode, y as beforeAuthStateChanged, a as browserCookiePersistence, b as browserLocalPersistence, m as browserPopupRedirectResolver, c as browserSessionPersistence, a9 as checkActionCode, a7 as confirmPasswordReset, L as connectAuthEmulator, ab as createUserWithEmailAndPassword, H as debugErrorMap, G as deleteUser, ag as fetchSignInMethodsForEmail, ar as getAdditionalUserInfo, p as getAuth, ao as getIdToken, ap as getIdTokenResult, at as getMultiFactorResolver, k as getRedirectResult, V as inMemoryPersistence, i as indexedDBLocalPersistence, K as initializeAuth, v as initializeRecaptchaConfig, ae as isSignInWithEmailLink, a3 as linkWithCredential, l as linkWithPhoneNumber, e as linkWithPopup, h as linkWithRedirect, au as multiFactor, z as onAuthStateChanged, x as onIdTokenChanged, ak as parseActionCodeURL, I as prodErrorMap, a4 as reauthenticateWithCredential, r as reauthenticateWithPhoneNumber, f as reauthenticateWithPopup, j as reauthenticateWithRedirect, as as reload, E as revokeAccessToken, ah as sendEmailVerification, a6 as sendPasswordResetEmail, ad as sendSignInLinkToEmail, t as setPersistence, a1 as signInAnonymously, a2 as signInWithCredential, a5 as signInWithCustomToken, ac as signInWithEmailAndPassword, af as signInWithEmailLink, s as signInWithPhoneNumber, d as signInWithPopup, g as signInWithRedirect, D as signOut, aq as unlink, C as updateCurrentUser, am as updateEmail, an as updatePassword, u as updatePhoneNumber, al as updateProfile, B as useDeviceLanguage, w as validatePassword, ai as verifyBeforeUpdateEmail, aa as verifyPasswordResetCode } from './totp-5d40279f.js';
+import { av as _getInstance, aw as _assert, ax as _signInWithCredential, ay as _reauthenticate, az as _link$1, M as AuthCredential, aA as signInWithIdp, aB as _fail, aC as debugAssert, aD as _persistenceKeyName, aE as _serverAppCurrentUserOperationNotSupportedError, aF as _castAuth, aG as FederatedAuthProvider, aH as BaseOAuthProvider, aI as _emulatorUrl, aJ as _performApiRequest, aK as _isIOS, aL as _isAndroid, aM as _isIOS7Or8, aN as _createError, aO as _isMobileBrowser, aP as _isIE10 } from './totp-5eeabfcc.js';
+export { A as ActionCodeOperation, aj as ActionCodeURL, M as AuthCredential, J as AuthErrorCodes, aR as AuthImpl, N as EmailAuthCredential, W as EmailAuthProvider, X as FacebookAuthProvider, F as FactorId, aT as FetchProvider, Z as GithubAuthProvider, Y as GoogleAuthProvider, Q as OAuthCredential, _ as OAuthProvider, O as OperationType, U as PhoneAuthCredential, P as PhoneAuthProvider, n as PhoneMultiFactorGenerator, q as ProviderId, R as RecaptchaVerifier, aU as SAMLAuthCredential, $ as SAMLAuthProvider, S as SignInMethod, T as TotpMultiFactorGenerator, o as TotpSecret, a0 as TwitterAuthProvider, aQ as UserImpl, aw as _assert, aF as _castAuth, aB as _fail, aS as _getClientVersion, av as _getInstance, aD as _persistenceKeyName, a8 as applyActionCode, y as beforeAuthStateChanged, a as browserCookiePersistence, b as browserLocalPersistence, m as browserPopupRedirectResolver, c as browserSessionPersistence, a9 as checkActionCode, a7 as confirmPasswordReset, L as connectAuthEmulator, ab as createUserWithEmailAndPassword, H as debugErrorMap, G as deleteUser, ag as fetchSignInMethodsForEmail, ar as getAdditionalUserInfo, p as getAuth, ao as getIdToken, ap as getIdTokenResult, at as getMultiFactorResolver, k as getRedirectResult, V as inMemoryPersistence, i as indexedDBLocalPersistence, K as initializeAuth, v as initializeRecaptchaConfig, ae as isSignInWithEmailLink, a3 as linkWithCredential, l as linkWithPhoneNumber, e as linkWithPopup, h as linkWithRedirect, au as multiFactor, z as onAuthStateChanged, x as onIdTokenChanged, ak as parseActionCodeURL, I as prodErrorMap, a4 as reauthenticateWithCredential, r as reauthenticateWithPhoneNumber, f as reauthenticateWithPopup, j as reauthenticateWithRedirect, as as reload, E as revokeAccessToken, ah as sendEmailVerification, a6 as sendPasswordResetEmail, ad as sendSignInLinkToEmail, t as setPersistence, a1 as signInAnonymously, a2 as signInWithCredential, a5 as signInWithCustomToken, ac as signInWithEmailAndPassword, af as signInWithEmailLink, s as signInWithPhoneNumber, d as signInWithPopup, g as signInWithRedirect, D as signOut, aq as unlink, C as updateCurrentUser, am as updateEmail, an as updatePassword, u as updatePhoneNumber, al as updateProfile, B as useDeviceLanguage, w as validatePassword, ai as verifyBeforeUpdateEmail, aa as verifyPasswordResetCode } from './totp-5eeabfcc.js';
 import { isEmpty, querystring, querystringDecode } from '@firebase/util';
 import { _isFirebaseServerApp, SDK_VERSION } from '@firebase/app';
 import '@firebase/component';

package/dist/node-esm/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.d.ts

@@ -19,12 +19,30 @@ import { Auth } from '../../model/public_types';
 import { AuthInternal } from '../../model/auth';
 export declare const RECAPTCHA_ENTERPRISE_VERIFIER_TYPE = "recaptcha-enterprise";
 export declare const FAKE_TOKEN = "NO_RECAPTCHA";
+export declare const RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME = "onFirebaseAuthREInstanceReady";
+declare global {
+    interface Window {
+        [RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME]: () => void;
+    }
+}
 export declare class RecaptchaEnterpriseVerifier {
     /**
      * Identifies the type of application verifier (e.g. "recaptcha-enterprise").
      */
     readonly type = "recaptcha-enterprise";
     private readonly auth;
+    /**
+     * Deferred that resolves when script tag has been injected onto the page
+     * and the script is ready (grecaptcha.ready() and script.onload are not
+     * reliable indicators, so this resolves when the global
+     * `window[RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME]()` callback provided to the recaptcha url param "onload"
+     * is triggered).
+     * As a static variable this is applied to all instances of the class.
+     * This will cause an error if users try to create multiple RecaptchaVerifiers
+     * with different Recaptcha Enterprise sitekeys, which should be an
+     * unuspported use case.
+     */
+    private static scriptInjectionDeferred;
     /**
      *
      * @param authExtern - The corresponding Firebase {@link Auth} instance.

package/dist/node-esm/test/helpers/mock_loadjs.d.ts

@@ -0,0 +1,17 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+export declare const mockLoadJS: () => Promise<Event>;

package/dist/node-esm/{totp-5d40279f.js → totp-5eeabfcc.js}

@@ -1,5 +1,5 @@
 import { SDK_VERSION, _isFirebaseServerApp, _getProvider, _registerComponent, registerVersion, getApp } from '@firebase/app';
-import { ErrorFactory, isBrowserExtension, isMobileCordova, isReactNative, FirebaseError, querystring, isCloudflareWorker, isCloudWorkstation, getModularInstance, base64Decode, getUA, isIE, createSubscribe, deepEqual, pingServer, querystringDecode, extractQuerystring, getDefaultEmulatorHost } from '@firebase/util';
+import { ErrorFactory, isBrowserExtension, isMobileCordova, isReactNative, FirebaseError, querystring, isCloudflareWorker, isCloudWorkstation, getModularInstance, base64Decode, getUA, isIE, createSubscribe, Deferred, deepEqual, pingServer, querystringDecode, extractQuerystring, getDefaultEmulatorHost } from '@firebase/util';
 import { Component } from '@firebase/component';
 import { Logger, LogLevel } from '@firebase/logger';
 
@@ -893,8 +893,8 @@ async function _performApiRequest(auth, method, path, request, customErrorMap =
             }
         }
         const query = querystring({
-            key: auth.config.apiKey,
-            ...params
+            ...params,
+            key: auth.config.apiKey
         }).slice(1);
         const headers = await auth._getAdditionalHeaders();
         headers["Content-Type" /* HttpHeader.CONTENT_TYPE */] = 'application/json';
@@ -911,7 +911,7 @@ async function _performApiRequest(auth, method, path, request, customErrorMap =
            'RequestInitializerDict' is not implemented."
            https://github.com/cloudflare/next-on-pages/issues/487 */
         if (!isCloudflareWorker()) {
-            fetchArgs.referrerPolicy = 'no-referrer';
+            fetchArgs.referrerPolicy = 'strict-origin-when-cross-origin';
         }
         if (auth.emulatorConfig && isCloudWorkstation(auth.emulatorConfig.host)) {
             fetchArgs.credentials = 'include';
@@ -3289,6 +3289,7 @@ class MockGreCAPTCHA {
 /* eslint-disable @typescript-eslint/no-require-imports */
 const RECAPTCHA_ENTERPRISE_VERIFIER_TYPE = 'recaptcha-enterprise';
 const FAKE_TOKEN = 'NO_RECAPTCHA';
+const RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME = 'onFirebaseAuthREInstanceReady';
 class RecaptchaEnterpriseVerifier {
     /**
      *
@@ -3368,8 +3369,13 @@ class RecaptchaEnterpriseVerifier {
         }
         return new Promise((resolve, reject) => {
             retrieveSiteKey(this.auth)
-                .then(siteKey => {
-                if (!forceRefresh && isEnterprise(window.grecaptcha)) {
+                .then(async (siteKey) => {
+                if (!forceRefresh &&
+                    isEnterprise(window.grecaptcha) &&
+                    // If download has already been initiated, do not trigger another
+                    // download, await the promise here.
+                    RecaptchaEnterpriseVerifier.scriptInjectionDeferred) {
+                    await RecaptchaEnterpriseVerifier.scriptInjectionDeferred.promise;
                     retrieveRecaptchaToken(siteKey, resolve, reject);
                 }
                 else {
@@ -3379,9 +3385,25 @@ class RecaptchaEnterpriseVerifier {
                     }
                     let url = _recaptchaEnterpriseScriptUrl();
                     if (url.length !== 0) {
-                        url += siteKey;
+                        url +=
+                            siteKey +
+                                `&onload=${RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME}`;
                     }
+                    // Existence of deferred indicates download has been initiated.
+                    RecaptchaEnterpriseVerifier.scriptInjectionDeferred =
+                        new Deferred();
+                    /**
+                     * Script attached to global window object that will be called
+                     * when the ReCAPTCHA Enterprise instance is ready.
+                     * grecaptcha.ready() is not reliable when there are multiple
+                     * scripts on the page, and script.onload only indicates the
+                     * script has downloaded, not that it has initialized.
+                     */
+                    window[RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME] = () => {
+                        RecaptchaEnterpriseVerifier.scriptInjectionDeferred?.resolve();
+                    };
                     _loadJS(url)
+                        .then(() => RecaptchaEnterpriseVerifier.scriptInjectionDeferred?.promise)
                         .then(() => {
                         retrieveRecaptchaToken(siteKey, resolve, reject);
                     })
@@ -3396,6 +3418,18 @@ class RecaptchaEnterpriseVerifier {
         });
     }
 }
+/**
+ * Deferred that resolves when script tag has been injected onto the page
+ * and the script is ready (grecaptcha.ready() and script.onload are not
+ * reliable indicators, so this resolves when the global
+ * `window[RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME]()` callback provided to the recaptcha url param "onload"
+ * is triggered).
+ * As a static variable this is applied to all instances of the class.
+ * This will cause an error if users try to create multiple RecaptchaVerifiers
+ * with different Recaptcha Enterprise sitekeys, which should be an
+ * unuspported use case.
+ */
+RecaptchaEnterpriseVerifier.scriptInjectionDeferred = null;
 async function injectRecaptchaFields(auth, request, action, isCaptchaResp = false, isFakeToken = false) {
     const verifier = new RecaptchaEnterpriseVerifier(auth);
     let captchaResponse;
@@ -7167,7 +7201,7 @@ function multiFactor(user) {
 }
 
 var name = "@firebase/auth";
-var version = "1.13.2";
+var version = "1.13.3-20260616165109";
 
 /**
  * @license
@@ -7577,4 +7611,4 @@ function _isEmptyString(input) {
 }
 
 export { SAMLAuthProvider as $, ActionCodeOperation as A, useDeviceLanguage as B, updateCurrentUser as C, signOut as D, revokeAccessToken as E, FactorId as F, deleteUser as G, debugErrorMap as H, prodErrorMap as I, AUTH_ERROR_CODES_MAP_DO_NOT_USE_INTERNALLY as J, initializeAuth as K, connectAuthEmulator as L, AuthCredential as M, EmailAuthCredential as N, OperationType as O, PhoneAuthProvider as P, OAuthCredential as Q, RecaptchaVerifier as R, SignInMethod as S, TotpMultiFactorGenerator as T, PhoneAuthCredential as U, inMemoryPersistence as V, EmailAuthProvider as W, FacebookAuthProvider as X, GoogleAuthProvider as Y, GithubAuthProvider as Z, OAuthProvider as _, browserCookiePersistence as a, TwitterAuthProvider as a0, signInAnonymously as a1, signInWithCredential as a2, linkWithCredential as a3, reauthenticateWithCredential as a4, signInWithCustomToken as a5, sendPasswordResetEmail as a6, confirmPasswordReset as a7, applyActionCode as a8, checkActionCode as a9, signInWithIdp as aA, _fail as aB, debugAssert as aC, _persistenceKeyName as aD, _serverAppCurrentUserOperationNotSupportedError as aE, _castAuth as aF, FederatedAuthProvider as aG, BaseOAuthProvider as aH, _emulatorUrl as aI, _performApiRequest as aJ, _isIOS as aK, _isAndroid as aL, _isIOS7Or8 as aM, _createError as aN, _isMobileBrowser as aO, _isIE10 as aP, UserImpl as aQ, AuthImpl as aR, _getClientVersion as aS, FetchProvider as aT, SAMLAuthCredential as aU, verifyPasswordResetCode as aa, createUserWithEmailAndPassword as ab, signInWithEmailAndPassword as ac, sendSignInLinkToEmail as ad, isSignInWithEmailLink as ae, signInWithEmailLink as af, fetchSignInMethodsForEmail as ag, sendEmailVerification as ah, verifyBeforeUpdateEmail as ai, ActionCodeURL as aj, parseActionCodeURL as ak, updateProfile as al, updateEmail as am, updatePassword as an, getIdToken as ao, getIdTokenResult as ap, unlink as aq, getAdditionalUserInfo as ar, reload as as, getMultiFactorResolver as at, multiFactor as au, _getInstance as av, _assert as aw, _signInWithCredential as ax, _reauthenticate as ay, _link as az, browserLocalPersistence as b, browserSessionPersistence as c, signInWithPopup as d, linkWithPopup as e, reauthenticateWithPopup as f, signInWithRedirect as g, linkWithRedirect as h, indexedDBLocalPersistence as i, reauthenticateWithRedirect as j, getRedirectResult as k, linkWithPhoneNumber as l, browserPopupRedirectResolver as m, PhoneMultiFactorGenerator as n, TotpSecret as o, getAuth as p, ProviderId as q, reauthenticateWithPhoneNumber as r, signInWithPhoneNumber as s, setPersistence as t, updatePhoneNumber as u, initializeRecaptchaConfig as v, validatePassword as w, onIdTokenChanged as x, beforeAuthStateChanged as y, onAuthStateChanged as z };
-//# sourceMappingURL=totp-5d40279f.js.map
+//# sourceMappingURL=totp-5eeabfcc.js.map