npm - @firebase/auth - Versions diffs - 1.13.2 → 1.13.3-20260616165109 - Mend

@firebase/auth 1.13.2 → 1.13.3-20260616165109

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (61) hide show

package/dist/cordova/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.d.ts CHANGED Viewed

@@ -19,12 +19,30 @@ import { Auth } from '../../model/public_types';
 import { AuthInternal } from '../../model/auth';
 export declare const RECAPTCHA_ENTERPRISE_VERIFIER_TYPE = "recaptcha-enterprise";
 export declare const FAKE_TOKEN = "NO_RECAPTCHA";
+export declare const RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME = "onFirebaseAuthREInstanceReady";
+declare global {
+    interface Window {
+        [RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME]: () => void;
+    }
+}
 export declare class RecaptchaEnterpriseVerifier {
     /**
      * Identifies the type of application verifier (e.g. "recaptcha-enterprise").
      */
     readonly type = "recaptcha-enterprise";
     private readonly auth;
+    /**
+     * Deferred that resolves when script tag has been injected onto the page
+     * and the script is ready (grecaptcha.ready() and script.onload are not
+     * reliable indicators, so this resolves when the global
+     * `window[RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME]()` callback provided to the recaptcha url param "onload"
+     * is triggered).
+     * As a static variable this is applied to all instances of the class.
+     * This will cause an error if users try to create multiple RecaptchaVerifiers
+     * with different Recaptcha Enterprise sitekeys, which should be an
+     * unuspported use case.
+     */
+    private static scriptInjectionDeferred;
     /**
      *
      * @param authExtern - The corresponding Firebase {@link Auth} instance.

package/dist/cordova/test/helpers/mock_loadjs.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+export declare const mockLoadJS: () => Promise<Event>;

package/dist/esm/{index-9d184c40.js → index-627e45d8.js} RENAMED Viewed

@@ -1,5 +1,5 @@
 import { SDK_VERSION, _isFirebaseServerApp, _getProvider, _registerComponent, registerVersion, getApp } from '@firebase/app';
-import { ErrorFactory, isBrowserExtension, isMobileCordova, isReactNative, FirebaseError, querystring, isCloudflareWorker, isCloudWorkstation, getModularInstance, base64Decode, getUA, isIE, createSubscribe, deepEqual, pingServer, querystringDecode, extractQuerystring, isEmpty, getExperimentalSetting, getDefaultEmulatorHost } from '@firebase/util';
+import { ErrorFactory, isBrowserExtension, isMobileCordova, isReactNative, FirebaseError, querystring, isCloudflareWorker, isCloudWorkstation, getModularInstance, base64Decode, getUA, isIE, createSubscribe, Deferred, deepEqual, pingServer, querystringDecode, extractQuerystring, isEmpty, getExperimentalSetting, getDefaultEmulatorHost } from '@firebase/util';
 import { Logger, LogLevel } from '@firebase/logger';
 import { Component } from '@firebase/component';
@@ -903,8 +903,8 @@ async function _performApiRequest(auth, method, path, request, customErrorMap =
             }
         }
         const query = querystring({
-            key: auth.config.apiKey,
-            ...params
+            ...params,
+            key: auth.config.apiKey
         }).slice(1);
         const headers = await auth._getAdditionalHeaders();
         headers["Content-Type" /* HttpHeader.CONTENT_TYPE */] = 'application/json';
@@ -921,7 +921,7 @@ async function _performApiRequest(auth, method, path, request, customErrorMap =
            'RequestInitializerDict' is not implemented."
            https://github.com/cloudflare/next-on-pages/issues/487 */
         if (!isCloudflareWorker()) {
-            fetchArgs.referrerPolicy = 'no-referrer';
+            fetchArgs.referrerPolicy = 'strict-origin-when-cross-origin';
         }
         if (auth.emulatorConfig && isCloudWorkstation(auth.emulatorConfig.host)) {
             fetchArgs.credentials = 'include';
@@ -3429,6 +3429,7 @@ function generateRandomAlphaNumericString(len) {
 /* eslint-disable @typescript-eslint/no-require-imports */
 const RECAPTCHA_ENTERPRISE_VERIFIER_TYPE = 'recaptcha-enterprise';
 const FAKE_TOKEN = 'NO_RECAPTCHA';
+const RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME = 'onFirebaseAuthREInstanceReady';
 class RecaptchaEnterpriseVerifier {
     /**
      *
@@ -3508,8 +3509,13 @@ class RecaptchaEnterpriseVerifier {
         }
         return new Promise((resolve, reject) => {
             retrieveSiteKey(this.auth)
-                .then(siteKey => {
-                if (!forceRefresh && isEnterprise(window.grecaptcha)) {
+                .then(async (siteKey) => {
+                if (!forceRefresh &&
+                    isEnterprise(window.grecaptcha) &&
+                    // If download has already been initiated, do not trigger another
+                    // download, await the promise here.
+                    RecaptchaEnterpriseVerifier.scriptInjectionDeferred) {
+                    await RecaptchaEnterpriseVerifier.scriptInjectionDeferred.promise;
                     retrieveRecaptchaToken(siteKey, resolve, reject);
                 }
                 else {
@@ -3519,9 +3525,25 @@ class RecaptchaEnterpriseVerifier {
                     }
                     let url = _recaptchaEnterpriseScriptUrl();
                     if (url.length !== 0) {
-                        url += siteKey;
+                        url +=
+                            siteKey +
+                                `&onload=${RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME}`;
                     }
+                    // Existence of deferred indicates download has been initiated.
+                    RecaptchaEnterpriseVerifier.scriptInjectionDeferred =
+                        new Deferred();
+                    /**
+                     * Script attached to global window object that will be called
+                     * when the ReCAPTCHA Enterprise instance is ready.
+                     * grecaptcha.ready() is not reliable when there are multiple
+                     * scripts on the page, and script.onload only indicates the
+                     * script has downloaded, not that it has initialized.
+                     */
+                    window[RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME] = () => {
+                        RecaptchaEnterpriseVerifier.scriptInjectionDeferred?.resolve();
+                    };
                     _loadJS(url)
+                        .then(() => RecaptchaEnterpriseVerifier.scriptInjectionDeferred?.promise)
                         .then(() => {
                         retrieveRecaptchaToken(siteKey, resolve, reject);
                     })
@@ -3536,6 +3558,18 @@ class RecaptchaEnterpriseVerifier {
         });
     }
 }
+/**
+ * Deferred that resolves when script tag has been injected onto the page
+ * and the script is ready (grecaptcha.ready() and script.onload are not
+ * reliable indicators, so this resolves when the global
+ * `window[RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME]()` callback provided to the recaptcha url param "onload"
+ * is triggered).
+ * As a static variable this is applied to all instances of the class.
+ * This will cause an error if users try to create multiple RecaptchaVerifiers
+ * with different Recaptcha Enterprise sitekeys, which should be an
+ * unuspported use case.
+ */
+RecaptchaEnterpriseVerifier.scriptInjectionDeferred = null;
 async function injectRecaptchaFields(auth, request, action, isCaptchaResp = false, isFakeToken = false) {
     const verifier = new RecaptchaEnterpriseVerifier(auth);
     let captchaResponse;
@@ -10905,7 +10939,7 @@ function _isEmptyString(input) {
 }
 var name = "@firebase/auth";
-var version = "1.13.2";
+var version = "1.13.3-20260616165109";
 /**
  * @license
@@ -11158,4 +11192,4 @@ _setExternalJSProvider({
 registerAuth("Browser" /* ClientPlatform.BROWSER */);
 export { SAMLAuthProvider as $, ActionCodeOperation as A, useDeviceLanguage as B, updateCurrentUser as C, signOut as D, revokeAccessToken as E, FactorId as F, deleteUser as G, debugErrorMap as H, prodErrorMap as I, AUTH_ERROR_CODES_MAP_DO_NOT_USE_INTERNALLY as J, initializeAuth as K, connectAuthEmulator as L, AuthCredential as M, EmailAuthCredential as N, OperationType as O, PhoneAuthProvider as P, OAuthCredential as Q, RecaptchaVerifier as R, SignInMethod as S, TotpMultiFactorGenerator as T, PhoneAuthCredential as U, inMemoryPersistence as V, EmailAuthProvider as W, FacebookAuthProvider as X, GoogleAuthProvider as Y, GithubAuthProvider as Z, OAuthProvider as _, browserCookiePersistence as a, TwitterAuthProvider as a0, signInAnonymously as a1, signInWithCredential as a2, linkWithCredential as a3, reauthenticateWithCredential as a4, signInWithCustomToken as a5, sendPasswordResetEmail as a6, confirmPasswordReset as a7, applyActionCode as a8, checkActionCode as a9, _getProjectConfig as aA, _isIOS7Or8 as aB, _createError as aC, _assert as aD, AuthEventManager as aE, _getInstance as aF, _persistenceKeyName as aG, _getRedirectResult as aH, _overrideRedirectResult as aI, _clearRedirectOutcomes as aJ, _castAuth as aK, UserImpl as aL, AuthImpl as aM, _getClientVersion as aN, _generateEventId as aO, AuthPopup as aP, FetchProvider as aQ, SAMLAuthCredential as aR, verifyPasswordResetCode as aa, createUserWithEmailAndPassword as ab, signInWithEmailAndPassword as ac, sendSignInLinkToEmail as ad, isSignInWithEmailLink as ae, signInWithEmailLink as af, fetchSignInMethodsForEmail as ag, sendEmailVerification as ah, verifyBeforeUpdateEmail as ai, ActionCodeURL as aj, parseActionCodeURL as ak, updateProfile as al, updateEmail as am, updatePassword as an, getIdToken as ao, getIdTokenResult as ap, unlink as aq, getAdditionalUserInfo as ar, reload as as, getMultiFactorResolver as at, multiFactor as au, debugAssert as av, _isIOS as aw, _isAndroid as ax, _fail as ay, _getRedirectUrl as az, browserLocalPersistence as b, browserSessionPersistence as c, signInWithPopup as d, linkWithPopup as e, reauthenticateWithPopup as f, signInWithRedirect as g, linkWithRedirect as h, indexedDBLocalPersistence as i, reauthenticateWithRedirect as j, getRedirectResult as k, linkWithPhoneNumber as l, browserPopupRedirectResolver as m, PhoneMultiFactorGenerator as n, TotpSecret as o, getAuth as p, ProviderId as q, reauthenticateWithPhoneNumber as r, signInWithPhoneNumber as s, setPersistence as t, updatePhoneNumber as u, initializeRecaptchaConfig as v, validatePassword as w, onIdTokenChanged as x, beforeAuthStateChanged as y, onAuthStateChanged as z };
-//# sourceMappingURL=index-9d184c40.js.map
+//# sourceMappingURL=index-627e45d8.js.map