@firebase/auth 1.13.2 → 1.13.3-20260616165109

package/dist/node/index.js

@@ -2,7 +2,7 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-var totp = require('./totp-90def736.js');
+var totp = require('./totp-65d9d0d1.js');
 require('@firebase/app');
 require('@firebase/util');
 require('@firebase/component');

package/dist/node/internal.js

@@ -2,7 +2,7 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-var totp = require('./totp-90def736.js');
+var totp = require('./totp-65d9d0d1.js');
 var util = require('@firebase/util');
 var app = require('@firebase/app');
 require('@firebase/component');

package/dist/node/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.d.ts

@@ -19,12 +19,30 @@ import { Auth } from '../../model/public_types';
 import { AuthInternal } from '../../model/auth';
 export declare const RECAPTCHA_ENTERPRISE_VERIFIER_TYPE = "recaptcha-enterprise";
 export declare const FAKE_TOKEN = "NO_RECAPTCHA";
+export declare const RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME = "onFirebaseAuthREInstanceReady";
+declare global {
+    interface Window {
+        [RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME]: () => void;
+    }
+}
 export declare class RecaptchaEnterpriseVerifier {
     /**
      * Identifies the type of application verifier (e.g. "recaptcha-enterprise").
      */
     readonly type = "recaptcha-enterprise";
     private readonly auth;
+    /**
+     * Deferred that resolves when script tag has been injected onto the page
+     * and the script is ready (grecaptcha.ready() and script.onload are not
+     * reliable indicators, so this resolves when the global
+     * `window[RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME]()` callback provided to the recaptcha url param "onload"
+     * is triggered).
+     * As a static variable this is applied to all instances of the class.
+     * This will cause an error if users try to create multiple RecaptchaVerifiers
+     * with different Recaptcha Enterprise sitekeys, which should be an
+     * unuspported use case.
+     */
+    private static scriptInjectionDeferred;
     /**
      *
      * @param authExtern - The corresponding Firebase {@link Auth} instance.

package/dist/node/test/helpers/mock_loadjs.d.ts

@@ -0,0 +1,17 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+export declare const mockLoadJS: () => Promise<Event>;

package/dist/node/{totp-90def736.js → totp-65d9d0d1.js}

@@ -895,8 +895,8 @@ async function _performApiRequest(auth, method, path, request, customErrorMap =
             }
         }
         const query = util.querystring({
-            key: auth.config.apiKey,
-            ...params
+            ...params,
+            key: auth.config.apiKey
         }).slice(1);
         const headers = await auth._getAdditionalHeaders();
         headers["Content-Type" /* HttpHeader.CONTENT_TYPE */] = 'application/json';
@@ -913,7 +913,7 @@ async function _performApiRequest(auth, method, path, request, customErrorMap =
            'RequestInitializerDict' is not implemented."
            https://github.com/cloudflare/next-on-pages/issues/487 */
         if (!util.isCloudflareWorker()) {
-            fetchArgs.referrerPolicy = 'no-referrer';
+            fetchArgs.referrerPolicy = 'strict-origin-when-cross-origin';
         }
         if (auth.emulatorConfig && util.isCloudWorkstation(auth.emulatorConfig.host)) {
             fetchArgs.credentials = 'include';
@@ -3291,6 +3291,7 @@ class MockGreCAPTCHA {
 /* eslint-disable @typescript-eslint/no-require-imports */
 const RECAPTCHA_ENTERPRISE_VERIFIER_TYPE = 'recaptcha-enterprise';
 const FAKE_TOKEN = 'NO_RECAPTCHA';
+const RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME = 'onFirebaseAuthREInstanceReady';
 class RecaptchaEnterpriseVerifier {
     /**
      *
@@ -3370,8 +3371,13 @@ class RecaptchaEnterpriseVerifier {
         }
         return new Promise((resolve, reject) => {
             retrieveSiteKey(this.auth)
-                .then(siteKey => {
-                if (!forceRefresh && isEnterprise(window.grecaptcha)) {
+                .then(async (siteKey) => {
+                if (!forceRefresh &&
+                    isEnterprise(window.grecaptcha) &&
+                    // If download has already been initiated, do not trigger another
+                    // download, await the promise here.
+                    RecaptchaEnterpriseVerifier.scriptInjectionDeferred) {
+                    await RecaptchaEnterpriseVerifier.scriptInjectionDeferred.promise;
                     retrieveRecaptchaToken(siteKey, resolve, reject);
                 }
                 else {
@@ -3381,9 +3387,25 @@ class RecaptchaEnterpriseVerifier {
                     }
                     let url = _recaptchaEnterpriseScriptUrl();
                     if (url.length !== 0) {
-                        url += siteKey;
+                        url +=
+                            siteKey +
+                                `&onload=${RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME}`;
                     }
+                    // Existence of deferred indicates download has been initiated.
+                    RecaptchaEnterpriseVerifier.scriptInjectionDeferred =
+                        new util.Deferred();
+                    /**
+                     * Script attached to global window object that will be called
+                     * when the ReCAPTCHA Enterprise instance is ready.
+                     * grecaptcha.ready() is not reliable when there are multiple
+                     * scripts on the page, and script.onload only indicates the
+                     * script has downloaded, not that it has initialized.
+                     */
+                    window[RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME] = () => {
+                        RecaptchaEnterpriseVerifier.scriptInjectionDeferred?.resolve();
+                    };
                     _loadJS(url)
+                        .then(() => RecaptchaEnterpriseVerifier.scriptInjectionDeferred?.promise)
                         .then(() => {
                         retrieveRecaptchaToken(siteKey, resolve, reject);
                     })
@@ -3398,6 +3420,18 @@ class RecaptchaEnterpriseVerifier {
         });
     }
 }
+/**
+ * Deferred that resolves when script tag has been injected onto the page
+ * and the script is ready (grecaptcha.ready() and script.onload are not
+ * reliable indicators, so this resolves when the global
+ * `window[RECAPTCHA_ENTERPRISE_ONLOAD_CALLBACK_NAME]()` callback provided to the recaptcha url param "onload"
+ * is triggered).
+ * As a static variable this is applied to all instances of the class.
+ * This will cause an error if users try to create multiple RecaptchaVerifiers
+ * with different Recaptcha Enterprise sitekeys, which should be an
+ * unuspported use case.
+ */
+RecaptchaEnterpriseVerifier.scriptInjectionDeferred = null;
 async function injectRecaptchaFields(auth, request, action, isCaptchaResp = false, isFakeToken = false) {
     const verifier = new RecaptchaEnterpriseVerifier(auth);
     let captchaResponse;
@@ -7169,7 +7203,7 @@ function multiFactor(user) {
 }
 
 var name = "@firebase/auth";
-var version = "1.13.2";
+var version = "1.13.3-20260616165109";
 
 /**
  * @license
@@ -7689,4 +7723,4 @@ exports.useDeviceLanguage = useDeviceLanguage;
 exports.validatePassword = validatePassword;
 exports.verifyBeforeUpdateEmail = verifyBeforeUpdateEmail;
 exports.verifyPasswordResetCode = verifyPasswordResetCode;
-//# sourceMappingURL=totp-90def736.js.map
+//# sourceMappingURL=totp-65d9d0d1.js.map