@firebase/auth 1.6.2 → 1.7.0-canary.42fcdfe4c

package/dist/esm5/{index-3bd54529.js → index-dcfb76ea.js}

@@ -1,6 +1,6 @@
 import { __spreadArray, __assign, __awaiter, __generator, __rest, __extends } from 'tslib';
+import { SDK_VERSION, _isFirebaseServerApp, _getProvider, _registerComponent, registerVersion, getApp } from '@firebase/app';
 import { ErrorFactory, isBrowserExtension, isMobileCordova, isReactNative, FirebaseError, querystring, getModularInstance, base64Decode, isIE, getUA, createSubscribe, deepEqual, querystringDecode, extractQuerystring, isEmpty, getExperimentalSetting, getDefaultEmulatorHost } from '@firebase/util';
-import { SDK_VERSION, _getProvider, _registerComponent, registerVersion, getApp } from '@firebase/app';
 import { Logger, LogLevel } from '@firebase/logger';
 import { Component } from '@firebase/component';
 
@@ -499,6 +499,9 @@ function _errorWithCustomMessage(auth, code, message) {
         appName: auth.name
     });
 }
+function _serverAppCurrentUserOperationNotSupportedError(auth) {
+    return _errorWithCustomMessage(auth, "operation-not-supported-in-this-environment" /* AuthErrorCode.OPERATION_NOT_SUPPORTED */, 'Operations that alter the current user are not supported in conjunction with FirebaseServerApp');
+}
 function _assertInstanceOf(auth, object, instance) {
     var constructorInstance = instance;
     if (!(object instanceof constructorInstance)) {
@@ -1786,16 +1789,21 @@ var StsTokenManager = /** @class */ (function () {
             : _tokenExpiresIn(response.idToken);
         this.updateTokensAndExpiration(response.idToken, response.refreshToken, expiresIn);
     };
+    StsTokenManager.prototype.updateFromIdToken = function (idToken) {
+        _assert(idToken.length !== 0, "internal-error" /* AuthErrorCode.INTERNAL_ERROR */);
+        var expiresIn = _tokenExpiresIn(idToken);
+        this.updateTokensAndExpiration(idToken, null, expiresIn);
+    };
     StsTokenManager.prototype.getToken = function (auth, forceRefresh) {
         if (forceRefresh === void 0) { forceRefresh = false; }
         return __awaiter(this, void 0, void 0, function () {
             return __generator(this, function (_a) {
                 switch (_a.label) {
                     case 0:
-                        _assert(!this.accessToken || this.refreshToken, auth, "user-token-expired" /* AuthErrorCode.TOKEN_EXPIRED */);
                         if (!forceRefresh && this.accessToken && !this.isExpired) {
                             return [2 /*return*/, this.accessToken];
                         }
+                        _assert(this.refreshToken, auth, "user-token-expired" /* AuthErrorCode.TOKEN_EXPIRED */);
                         if (!this.refreshToken) return [3 /*break*/, 2];
                         return [4 /*yield*/, this.refresh(auth, this.refreshToken)];
                     case 1:
@@ -2019,7 +2027,11 @@ var UserImpl = /** @class */ (function () {
             var idToken;
             return __generator(this, function (_a) {
                 switch (_a.label) {
-                    case 0: return [4 /*yield*/, this.getIdToken()];
+                    case 0:
+                        if (_isFirebaseServerApp(this.auth.app)) {
+                            return [2 /*return*/, Promise.reject(_serverAppCurrentUserOperationNotSupportedError(this.auth))];
+                        }
+                        return [4 /*yield*/, this.getIdToken()];
                     case 1:
                         idToken = _a.sent();
                         return [4 /*yield*/, _logoutIfInvalidated(this, deleteAccount(this.auth, { idToken: idToken }))];
@@ -2124,6 +2136,47 @@ var UserImpl = /** @class */ (function () {
             });
         });
     };
+    /**
+     * Initialize a User from an idToken server response
+     * @param auth
+     * @param idTokenResponse
+     */
+    UserImpl._fromGetAccountInfoResponse = function (auth, response, idToken) {
+        return __awaiter(this, void 0, void 0, function () {
+            var coreAccount, providerData, isAnonymous, stsTokenManager, user, updates;
+            return __generator(this, function (_a) {
+                coreAccount = response.users[0];
+                _assert(coreAccount.localId !== undefined, "internal-error" /* AuthErrorCode.INTERNAL_ERROR */);
+                providerData = coreAccount.providerUserInfo !== undefined
+                    ? extractProviderData(coreAccount.providerUserInfo)
+                    : [];
+                isAnonymous = !(coreAccount.email && coreAccount.passwordHash) && !(providerData === null || providerData === void 0 ? void 0 : providerData.length);
+                stsTokenManager = new StsTokenManager();
+                stsTokenManager.updateFromIdToken(idToken);
+                user = new UserImpl({
+                    uid: coreAccount.localId,
+                    auth: auth,
+                    stsTokenManager: stsTokenManager,
+                    isAnonymous: isAnonymous
+                });
+                updates = {
+                    uid: coreAccount.localId,
+                    displayName: coreAccount.displayName || null,
+                    photoURL: coreAccount.photoUrl || null,
+                    email: coreAccount.email || null,
+                    emailVerified: coreAccount.emailVerified || false,
+                    phoneNumber: coreAccount.phoneNumber || null,
+                    tenantId: coreAccount.tenantId || null,
+                    providerData: providerData,
+                    metadata: new UserMetadata(coreAccount.createdAt, coreAccount.lastLoginAt),
+                    isAnonymous: !(coreAccount.email && coreAccount.passwordHash) &&
+                        !(providerData === null || providerData === void 0 ? void 0 : providerData.length)
+                };
+                Object.assign(user, updates);
+                return [2 /*return*/, user];
+            });
+        });
+    };
     return UserImpl;
 }());
 
@@ -3025,13 +3078,59 @@ var AuthImpl = /** @class */ (function () {
             });
         });
     };
+    AuthImpl.prototype.initializeCurrentUserFromIdToken = function (idToken) {
+        return __awaiter(this, void 0, void 0, function () {
+            var response, user, err_1;
+            return __generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0:
+                        _a.trys.push([0, 4, , 6]);
+                        return [4 /*yield*/, getAccountInfo(this, { idToken: idToken })];
+                    case 1:
+                        response = _a.sent();
+                        return [4 /*yield*/, UserImpl._fromGetAccountInfoResponse(this, response, idToken)];
+                    case 2:
+                        user = _a.sent();
+                        return [4 /*yield*/, this.directlySetCurrentUser(user)];
+                    case 3:
+                        _a.sent();
+                        return [3 /*break*/, 6];
+                    case 4:
+                        err_1 = _a.sent();
+                        console.warn('FirebaseServerApp could not login user with provided authIdToken: ', err_1);
+                        return [4 /*yield*/, this.directlySetCurrentUser(null)];
+                    case 5:
+                        _a.sent();
+                        return [3 /*break*/, 6];
+                    case 6: return [2 /*return*/];
+                }
+            });
+        });
+    };
     AuthImpl.prototype.initializeCurrentUser = function (popupRedirectResolver) {
         var _a;
         return __awaiter(this, void 0, void 0, function () {
-            var previouslyStoredUser, futureCurrentUser, needsTocheckMiddleware, redirectUserEventId, storedUserEventId, result, e_2;
+            var idToken_1, previouslyStoredUser, futureCurrentUser, needsTocheckMiddleware, redirectUserEventId, storedUserEventId, result, e_2;
+            var _this = this;
             return __generator(this, function (_b) {
                 switch (_b.label) {
-                    case 0: return [4 /*yield*/, this.assertedPersistence.getCurrentUser()];
+                    case 0:
+                        if (_isFirebaseServerApp(this.app)) {
+                            idToken_1 = this.app.settings.authIdToken;
+                            if (idToken_1) {
+                                // Start the auth operation in the next tick to allow a moment for the customer's app to
+                                // attach an emulator, if desired.
+                                return [2 /*return*/, new Promise(function (resolve) {
+                                        setTimeout(function () {
+                                            return _this.initializeCurrentUserFromIdToken(idToken_1).then(resolve, resolve);
+                                        });
+                                    })];
+                            }
+                            else {
+                                return [2 /*return*/, this.directlySetCurrentUser(null)];
+                            }
+                        }
+                        return [4 /*yield*/, this.assertedPersistence.getCurrentUser()];
                     case 1:
                         previouslyStoredUser = (_b.sent());
                         futureCurrentUser = previouslyStoredUser;
@@ -3173,6 +3272,9 @@ var AuthImpl = /** @class */ (function () {
         return __awaiter(this, void 0, void 0, function () {
             var user;
             return __generator(this, function (_a) {
+                if (_isFirebaseServerApp(this.app)) {
+                    return [2 /*return*/, Promise.reject(_serverAppCurrentUserOperationNotSupportedError(this))];
+                }
                 user = userExtern
                     ? getModularInstance(userExtern)
                     : null;
@@ -3220,9 +3322,12 @@ var AuthImpl = /** @class */ (function () {
         return __awaiter(this, void 0, void 0, function () {
             return __generator(this, function (_a) {
                 switch (_a.label) {
-                    case 0: 
-                    // Run first, to block _setRedirectUser() if any callbacks fail.
-                    return [4 /*yield*/, this.beforeStateQueue.runMiddleware(null)];
+                    case 0:
+                        if (_isFirebaseServerApp(this.app)) {
+                            return [2 /*return*/, Promise.reject(_serverAppCurrentUserOperationNotSupportedError(this))];
+                        }
+                        // Run first, to block _setRedirectUser() if any callbacks fail.
+                        return [4 /*yield*/, this.beforeStateQueue.runMiddleware(null)];
                     case 1:
                         // Run first, to block _setRedirectUser() if any callbacks fail.
                         _a.sent();
@@ -3241,6 +3346,9 @@ var AuthImpl = /** @class */ (function () {
     };
     AuthImpl.prototype.setPersistence = function (persistence) {
         var _this = this;
+        if (_isFirebaseServerApp(this.app)) {
+            return Promise.reject(_serverAppCurrentUserOperationNotSupportedError(this));
+        }
         return this.queue(function () { return __awaiter(_this, void 0, void 0, function () {
             return __generator(this, function (_a) {
                 switch (_a.label) {
@@ -6028,6 +6136,9 @@ function providerIdForResponse(response) {
  * If there is already an anonymous user signed in, that user will be returned; otherwise, a
  * new anonymous user identity will be created and returned.
  *
+ * This method is not supported by {@link Auth} instances created with a
+ * {@link @firebase/app#FirebaseServerApp}.
+ *
  * @param auth - The {@link Auth} instance.
  *
  * @public
@@ -6039,6 +6150,9 @@ function signInAnonymously(auth) {
         return __generator(this, function (_b) {
             switch (_b.label) {
                 case 0:
+                    if (_isFirebaseServerApp(auth.app)) {
+                        return [2 /*return*/, Promise.reject(_serverAppCurrentUserOperationNotSupportedError(auth))];
+                    }
                     authInternal = _castAuth(auth);
                     return [4 /*yield*/, authInternal._initializationPromise];
                 case 1:
@@ -6270,6 +6384,9 @@ function _reauthenticate(user, credential, bypassAuthState) {
             switch (_a.label) {
                 case 0:
                     auth = user.auth;
+                    if (_isFirebaseServerApp(auth.app)) {
+                        return [2 /*return*/, Promise.reject(_serverAppCurrentUserOperationNotSupportedError(auth))];
+                    }
                     operationType = "reauthenticate" /* OperationType.REAUTHENTICATE */;
                     _a.label = 1;
                 case 1:
@@ -6319,6 +6436,9 @@ function _signInWithCredential(auth, credential, bypassAuthState) {
         return __generator(this, function (_a) {
             switch (_a.label) {
                 case 0:
+                    if (_isFirebaseServerApp(auth.app)) {
+                        return [2 /*return*/, Promise.reject(_serverAppCurrentUserOperationNotSupportedError(auth))];
+                    }
                     operationType = "signIn" /* OperationType.SIGN_IN */;
                     return [4 /*yield*/, _processCredentialSavingMfaContextIfNecessary(auth, operationType, credential)];
                 case 1:
@@ -6342,6 +6462,9 @@ function _signInWithCredential(auth, credential, bypassAuthState) {
  * @remarks
  * An {@link AuthProvider} can be used to generate the credential.
  *
+ * This method is not supported by {@link Auth} instances created with a
+ * {@link @firebase/app#FirebaseServerApp}.
+ *
  * @param auth - The {@link Auth} instance.
  * @param credential - The auth credential.
  *
@@ -6388,6 +6511,9 @@ function linkWithCredential(user, credential) {
  * attempts. This method can be used to recover from a `CREDENTIAL_TOO_OLD_LOGIN_AGAIN` error
  * or a `TOKEN_EXPIRED` error.
  *
+ * This method is not supported on any {@link User} signed in by {@link Auth} instances
+ * created with a {@link @firebase/app#FirebaseServerApp}.
+ *
  * @param user - The user.
  * @param credential - The auth credential.
  *
@@ -6452,6 +6578,9 @@ function signInWithCustomToken$1(auth, request) {
  *
  * Fails with an error if the token is invalid, expired, or not accepted by the Firebase Auth service.
  *
+ * This method is not supported by {@link Auth} instances created with a
+ * {@link @firebase/app#FirebaseServerApp}.
+ *
  * @param auth - The {@link Auth} instance.
  * @param customToken - The custom token to sign in with.
  *
@@ -6463,6 +6592,9 @@ function signInWithCustomToken(auth, customToken) {
         return __generator(this, function (_a) {
             switch (_a.label) {
                 case 0:
+                    if (_isFirebaseServerApp(auth.app)) {
+                        return [2 /*return*/, Promise.reject(_serverAppCurrentUserOperationNotSupportedError(auth))];
+                    }
                     authInternal = _castAuth(auth);
                     return [4 /*yield*/, signInWithCustomToken$1(authInternal, {
                             token: customToken,
@@ -6819,6 +6951,9 @@ function verifyPasswordResetCode(auth, code) {
  *
  * User account creation can fail if the account already exists or the password is invalid.
  *
+ * This method is not supported on {@link Auth} instances created with a
+ * {@link @firebase/app#FirebaseServerApp}.
+ *
  * Note: The email address acts as a unique identifier for the user and enables an email-based
  * password reset. This function will create a new user account and set the initial user password.
  *
@@ -6834,6 +6969,9 @@ function createUserWithEmailAndPassword(auth, email, password) {
         return __generator(this, function (_a) {
             switch (_a.label) {
                 case 0:
+                    if (_isFirebaseServerApp(auth.app)) {
+                        return [2 /*return*/, Promise.reject(_serverAppCurrentUserOperationNotSupportedError(auth))];
+                    }
                     authInternal = _castAuth(auth);
                     request = {
                         returnSecureToken: true,
@@ -6869,10 +7007,14 @@ function createUserWithEmailAndPassword(auth, email, password) {
  * When [Email Enumeration Protection](https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection) is enabled,
  * this method fails with "auth/invalid-credential" in case of an invalid email/password.
  *
+ * This method is not supported on {@link Auth} instances created with a
+ * {@link @firebase/app#FirebaseServerApp}.
+ *
  * Note: The user's password is NOT the password used to access the user's email account. The
  * email address serves as a unique identifier for the user, and the password is used to access
  * the user's account in your Firebase project. See also: {@link createUserWithEmailAndPassword}.
  *
+ *
  * @param auth - The {@link Auth} instance.
  * @param email - The users email address.
  * @param password - The users password.
@@ -6881,6 +7023,9 @@ function createUserWithEmailAndPassword(auth, email, password) {
  */
 function signInWithEmailAndPassword(auth, email, password) {
     var _this = this;
+    if (_isFirebaseServerApp(auth.app)) {
+        return Promise.reject(_serverAppCurrentUserOperationNotSupportedError(auth));
+    }
     return signInWithCredential(getModularInstance(auth), EmailAuthProvider.credential(email, password)).catch(function (error) { return __awaiter(_this, void 0, void 0, function () {
         return __generator(this, function (_a) {
             if (error.code === "auth/".concat("password-does-not-meet-requirements" /* AuthErrorCode.PASSWORD_DOES_NOT_MEET_REQUIREMENTS */)) {
@@ -6992,6 +7137,9 @@ function isSignInWithEmailLink(auth, emailLink) {
  *
  * Fails with an error if the email address is invalid or OTP in email link expires.
  *
+ * This method is not supported by {@link Auth} instances created with a
+ * {@link @firebase/app#FirebaseServerApp}.
+ *
  * Note: Confirm the link is a sign-in email link before calling this method firebase.auth.Auth.isSignInWithEmailLink.
  *
  * @example
@@ -7015,6 +7163,7 @@ function isSignInWithEmailLink(auth, emailLink) {
  * }
  * ```
  *
+ *
  * @param auth - The {@link Auth} instance.
  * @param email - The user's email address.
  * @param emailLink - The link sent to the user's email address.
@@ -7025,6 +7174,9 @@ function signInWithEmailLink(auth, email, emailLink) {
     return __awaiter(this, void 0, void 0, function () {
         var authModular, credential;
         return __generator(this, function (_a) {
+            if (_isFirebaseServerApp(auth.app)) {
+                return [2 /*return*/, Promise.reject(_serverAppCurrentUserOperationNotSupportedError(auth))];
+            }
             authModular = getModularInstance(auth);
             credential = EmailAuthProvider.credentialWithLink(email, emailLink || _getCurrentUrl());
             // Check if the tenant ID in the email link matches the tenant ID on Auth
@@ -7338,6 +7490,9 @@ function updateProfile(user, _a) {
  * An email will be sent to the original email address (if it was set) that allows to revoke the
  * email address change, in order to protect them from account hijacking.
  *
+ * This method is not supported on any {@link User} signed in by {@link Auth} instances
+ * created with a {@link @firebase/app#FirebaseServerApp}.
+ *
  * Important: this is a security sensitive operation that requires the user to have recently signed
  * in. If this requirement isn't met, ask the user to authenticate again and then call
  * {@link reauthenticateWithCredential}.
@@ -7351,7 +7506,11 @@ function updateProfile(user, _a) {
  * @public
  */
 function updateEmail(user, newEmail) {
-    return updateEmailOrPassword(getModularInstance(user), newEmail, null);
+    var userInternal = getModularInstance(user);
+    if (_isFirebaseServerApp(userInternal.auth.app)) {
+        return Promise.reject(_serverAppCurrentUserOperationNotSupportedError(userInternal.auth));
+    }
+    return updateEmailOrPassword(userInternal, newEmail, null);
 }
 /**
  * Updates the user's password.
@@ -7556,7 +7715,8 @@ function getAdditionalUserInfo(userCredential) {
  * remembered or not. It also makes it easier to never persist the `Auth` state for applications
  * that are shared by other users or have sensitive data.
  *
- * This method does not work in a Node.js environment.
+ * This method does not work in a Node.js environment or with {@link Auth} instances created with a
+ * {@link @firebase/app#FirebaseServerApp}.
  *
  * @example
  * ```javascript
@@ -7707,6 +7867,9 @@ function useDeviceLanguage(auth) {
  * The operation fails with an error if the user to be updated belongs to a different Firebase
  * project.
  *
+ * This method is not supported by {@link Auth} instances created with a
+ * {@link @firebase/app#FirebaseServerApp}.
+ *
  * @param auth - The {@link Auth} instance.
  * @param user - The new {@link User}.
  *
@@ -7718,6 +7881,10 @@ function updateCurrentUser(auth, user) {
 /**
  * Signs out the current user.
  *
+ * @remarks
+ * This method is not supported by {@link Auth} instances created with a
+ * {@link @firebase/app#FirebaseServerApp}.
+ *
  * @param auth - The {@link Auth} instance.
  *
  * @public
@@ -9899,7 +10066,8 @@ var ConfirmationResultImpl = /** @class */ (function () {
  * {@link RecaptchaVerifier} (like React Native), but you need to use a
  * third-party {@link ApplicationVerifier} implementation.
  *
- * This method does not work in a Node.js environment.
+ * This method does not work in a Node.js environment or with {@link Auth} instances created with a
+ * {@link @firebase/app#FirebaseServerApp}.
  *
  * @example
  * ```javascript
@@ -9922,6 +10090,9 @@ function signInWithPhoneNumber(auth, phoneNumber, appVerifier) {
         return __generator(this, function (_a) {
             switch (_a.label) {
                 case 0:
+                    if (_isFirebaseServerApp(auth.app)) {
+                        return [2 /*return*/, Promise.reject(_serverAppCurrentUserOperationNotSupportedError(auth))];
+                    }
                     authInternal = _castAuth(auth);
                     return [4 /*yield*/, _verifyPhoneNumber(authInternal, phoneNumber, getModularInstance(appVerifier))];
                 case 1:
@@ -9971,7 +10142,8 @@ function linkWithPhoneNumber(user, phoneNumber, appVerifier) {
  * @remarks
  * Use before operations such as {@link updatePassword} that require tokens from recent sign-in attempts.
  *
- * This method does not work in a Node.js environment.
+ * This method does not work in a Node.js environment or on any {@link User} signed in by
+ * {@link Auth} instances created with a {@link @firebase/app#FirebaseServerApp}.
  *
  * @param user - The user.
  * @param phoneNumber - The user's phone number in E.164 format (e.g. +16505550101).
@@ -9986,6 +10158,9 @@ function reauthenticateWithPhoneNumber(user, phoneNumber, appVerifier) {
             switch (_a.label) {
                 case 0:
                     userInternal = getModularInstance(user);
+                    if (_isFirebaseServerApp(userInternal.auth.app)) {
+                        return [2 /*return*/, Promise.reject(_serverAppCurrentUserOperationNotSupportedError(userInternal.auth))];
+                    }
                     return [4 /*yield*/, _verifyPhoneNumber(userInternal.auth, phoneNumber, getModularInstance(appVerifier))];
                 case 1:
                     verificationId = _a.sent();
@@ -10073,7 +10248,8 @@ function _verifyPhoneNumber(auth, options, verifier) {
  * Updates the user's phone number.
  *
  * @remarks
- * This method does not work in a Node.js environment.
+ * This method does not work in a Node.js environment or on any {@link User} signed in by
+ * {@link Auth} instances created with a {@link @firebase/app#FirebaseServerApp}.
  *
  * @example
  * ```
@@ -10093,9 +10269,15 @@ function _verifyPhoneNumber(auth, options, verifier) {
  */
 function updatePhoneNumber(user, credential) {
     return __awaiter(this, void 0, void 0, function () {
+        var userInternal;
         return __generator(this, function (_a) {
             switch (_a.label) {
-                case 0: return [4 /*yield*/, _link$1(getModularInstance(user), credential)];
+                case 0:
+                    userInternal = getModularInstance(user);
+                    if (_isFirebaseServerApp(userInternal.auth.app)) {
+                        return [2 /*return*/, Promise.reject(_serverAppCurrentUserOperationNotSupportedError(userInternal.auth))];
+                    }
+                    return [4 /*yield*/, _link$1(userInternal, credential)];
                 case 1:
                     _a.sent();
                     return [2 /*return*/];
@@ -10530,7 +10712,8 @@ var _POLL_WINDOW_CLOSE_TIMEOUT = new Delay(2000, 10000);
  * If succeeds, returns the signed in user along with the provider's credential. If sign in was
  * unsuccessful, returns an error object containing additional information about the error.
  *
- * This method does not work in a Node.js environment.
+ * This method does not work in a Node.js environment or with {@link Auth} instances created with a
+ * {@link @firebase/app#FirebaseServerApp}.
  *
  * @example
  * ```javascript
@@ -10557,6 +10740,9 @@ function signInWithPopup(auth, provider, resolver) {
     return __awaiter(this, void 0, void 0, function () {
         var authInternal, resolverInternal, action;
         return __generator(this, function (_a) {
+            if (_isFirebaseServerApp(auth.app)) {
+                return [2 /*return*/, Promise.reject(_createError(auth, "operation-not-supported-in-this-environment" /* AuthErrorCode.OPERATION_NOT_SUPPORTED */))];
+            }
             authInternal = _castAuth(auth);
             _assertInstanceOf(auth, provider, FederatedAuthProvider);
             resolverInternal = _withDefaultResolver(authInternal, resolver);
@@ -10573,7 +10759,8 @@ function signInWithPopup(auth, provider, resolver) {
  * If the reauthentication is successful, the returned result will contain the user and the
  * provider's credential.
  *
- * This method does not work in a Node.js environment.
+ * This method does not work in a Node.js environment or on any {@link User} signed in by
+ * {@link Auth} instances created with a {@link @firebase/app#FirebaseServerApp}.
  *
  * @example
  * ```javascript
@@ -10597,6 +10784,9 @@ function reauthenticateWithPopup(user, provider, resolver) {
         var userInternal, resolverInternal, action;
         return __generator(this, function (_a) {
             userInternal = getModularInstance(user);
+            if (_isFirebaseServerApp(userInternal.auth.app)) {
+                return [2 /*return*/, Promise.reject(_createError(userInternal.auth, "operation-not-supported-in-this-environment" /* AuthErrorCode.OPERATION_NOT_SUPPORTED */))];
+            }
             _assertInstanceOf(userInternal.auth, provider, FederatedAuthProvider);
             resolverInternal = _withDefaultResolver(userInternal.auth, resolver);
             action = new PopupOperation(userInternal.auth, "reauthViaPopup" /* AuthEventType.REAUTH_VIA_POPUP */, provider, resolverInternal, userInternal);
@@ -10946,7 +11136,8 @@ function pendingRedirectKey(auth) {
  * Follow the {@link https://firebase.google.com/docs/auth/web/redirect-best-practices
  * | best practices} when using {@link signInWithRedirect}.
  *
- * This method does not work in a Node.js environment.
+ * This method does not work in a Node.js environment or with {@link Auth} instances created with a
+ * {@link @firebase/app#FirebaseServerApp}.
  *
  * @example
  * ```javascript
@@ -10990,6 +11181,9 @@ function _signInWithRedirect(auth, provider, resolver) {
         return __generator(this, function (_a) {
             switch (_a.label) {
                 case 0:
+                    if (_isFirebaseServerApp(auth.app)) {
+                        return [2 /*return*/, Promise.reject(_serverAppCurrentUserOperationNotSupportedError(auth))];
+                    }
                     authInternal = _castAuth(auth);
                     _assertInstanceOf(auth, provider, FederatedAuthProvider);
                     // Wait for auth initialization to complete, this will process pending redirects and clear the
@@ -11017,7 +11211,8 @@ function _signInWithRedirect(auth, provider, resolver) {
  * Follow the {@link https://firebase.google.com/docs/auth/web/redirect-best-practices
  * | best practices} when using {@link reauthenticateWithRedirect}.
  *
- * This method does not work in a Node.js environment.
+ * This method does not work in a Node.js environment or with {@link Auth} instances
+ * created with a {@link @firebase/app#FirebaseServerApp}.
  *
  * @example
  * ```javascript
@@ -11055,6 +11250,9 @@ function _reauthenticateWithRedirect(user, provider, resolver) {
                 case 0:
                     userInternal = getModularInstance(user);
                     _assertInstanceOf(userInternal.auth, provider, FederatedAuthProvider);
+                    if (_isFirebaseServerApp(userInternal.auth.app)) {
+                        return [2 /*return*/, Promise.reject(_serverAppCurrentUserOperationNotSupportedError(userInternal.auth))];
+                    }
                     // Wait for auth initialization to complete, this will process pending redirects and clear the
                     // PENDING_REDIRECT_KEY in persistence. This should be completed before starting a new
                     // redirect and creating a PENDING_REDIRECT_KEY entry.
@@ -11083,7 +11281,8 @@ function _reauthenticateWithRedirect(user, provider, resolver) {
  * Follow the {@link https://firebase.google.com/docs/auth/web/redirect-best-practices
  * | best practices} when using {@link linkWithRedirect}.
  *
- * This method does not work in a Node.js environment.
+ * This method does not work in a Node.js environment or with {@link Auth} instances
+ * created with a {@link @firebase/app#FirebaseServerApp}.
  *
  * @example
  * ```javascript
@@ -11148,7 +11347,8 @@ function _linkWithRedirect(user, provider, resolver) {
  * If sign-in succeeded, returns the signed in user. If sign-in was unsuccessful, fails with an
  * error. If no redirect operation was called, returns `null`.
  *
- * This method does not work in a Node.js environment.
+ * This method does not work in a Node.js environment or with {@link Auth} instances created with a
+ * {@link @firebase/app#FirebaseServerApp}.
  *
  * @example
  * ```javascript
@@ -11200,6 +11400,9 @@ function _getRedirectResult(auth, resolverExtern, bypassAuthState) {
         return __generator(this, function (_a) {
             switch (_a.label) {
                 case 0:
+                    if (_isFirebaseServerApp(auth.app)) {
+                        return [2 /*return*/, Promise.reject(_serverAppCurrentUserOperationNotSupportedError(auth))];
+                    }
                     authInternal = _castAuth(auth);
                     resolver = _withDefaultResolver(authInternal, resolverExtern);
                     action = new RedirectAction(authInternal, resolver, bypassAuthState);
@@ -12271,7 +12474,7 @@ function _isEmptyString(input) {
 }
 
 var name = "@firebase/auth";
-var version = "1.6.2";
+var version = "1.7.0-canary.42fcdfe4c";
 
 /**
  * @license
@@ -12510,14 +12713,19 @@ function getAuth(app) {
         ]
     });
     var authTokenSyncPath = getExperimentalSetting('authTokenSyncURL');
-    // Don't allow urls (XSS possibility), only paths on the same domain
-    // (starting with a single '/')
-    if (authTokenSyncPath && authTokenSyncPath.match(/^\/[^\/].*/)) {
-        var mintCookie_1 = mintCookieFactory(authTokenSyncPath);
-        beforeAuthStateChanged(auth, mintCookie_1, function () {
-            return mintCookie_1(auth.currentUser);
-        });
-        onIdTokenChanged(auth, function (user) { return mintCookie_1(user); });
+    // Only do the Cookie exchange in a secure context
+    if (authTokenSyncPath &&
+        typeof isSecureContext === 'boolean' &&
+        isSecureContext) {
+        // Don't allow urls (XSS possibility), only paths on the same domain
+        var authTokenSyncUrl = new URL(authTokenSyncPath, location.origin);
+        if (location.origin === authTokenSyncUrl.origin) {
+            var mintCookie_1 = mintCookieFactory(authTokenSyncUrl.toString());
+            beforeAuthStateChanged(auth, mintCookie_1, function () {
+                return mintCookie_1(auth.currentUser);
+            });
+            onIdTokenChanged(auth, function (user) { return mintCookie_1(user); });
+        }
     }
     var authEmulatorHost = getDefaultEmulatorHost('auth');
     if (authEmulatorHost) {
@@ -12553,4 +12761,4 @@ _setExternalJSProvider({
 registerAuth("Browser" /* ClientPlatform.BROWSER */);
 
 export { TwitterAuthProvider as $, ActionCodeOperation as A, updateCurrentUser as B, signOut as C, revokeAccessToken as D, deleteUser as E, FactorId as F, debugErrorMap as G, prodErrorMap as H, AUTH_ERROR_CODES_MAP_DO_NOT_USE_INTERNALLY as I, initializeAuth as J, connectAuthEmulator as K, AuthCredential as L, EmailAuthCredential as M, OAuthCredential as N, OperationType as O, PhoneAuthProvider as P, PhoneAuthCredential as Q, RecaptchaVerifier as R, SignInMethod as S, TotpMultiFactorGenerator as T, inMemoryPersistence as U, EmailAuthProvider as V, FacebookAuthProvider as W, GoogleAuthProvider as X, GithubAuthProvider as Y, OAuthProvider as Z, SAMLAuthProvider as _, browserSessionPersistence as a, signInAnonymously as a0, signInWithCredential as a1, linkWithCredential as a2, reauthenticateWithCredential as a3, signInWithCustomToken as a4, sendPasswordResetEmail as a5, confirmPasswordReset as a6, applyActionCode as a7, checkActionCode as a8, verifyPasswordResetCode as a9, _isIOS7Or8 as aA, _assert as aB, _createError as aC, AuthEventManager as aD, _getInstance as aE, _persistenceKeyName as aF, _clearRedirectOutcomes as aG, _getRedirectResult as aH, _overrideRedirectResult as aI, _castAuth as aJ, UserImpl as aK, AuthImpl as aL, _getClientVersion as aM, _generateEventId as aN, AuthPopup as aO, FetchProvider as aP, SAMLAuthCredential as aQ, createUserWithEmailAndPassword as aa, signInWithEmailAndPassword as ab, sendSignInLinkToEmail as ac, isSignInWithEmailLink as ad, signInWithEmailLink as ae, fetchSignInMethodsForEmail as af, sendEmailVerification as ag, verifyBeforeUpdateEmail as ah, ActionCodeURL as ai, parseActionCodeURL as aj, updateProfile as ak, updateEmail as al, updatePassword as am, getIdToken as an, getIdTokenResult as ao, unlink as ap, getAdditionalUserInfo as aq, reload as ar, getMultiFactorResolver as as, multiFactor as at, _isIOS as au, _isAndroid as av, _fail as aw, _getRedirectUrl as ax, debugAssert as ay, _getProjectConfig as az, browserLocalPersistence as b, signInWithPopup as c, linkWithPopup as d, reauthenticateWithPopup as e, signInWithRedirect as f, linkWithRedirect as g, reauthenticateWithRedirect as h, indexedDBLocalPersistence as i, getRedirectResult as j, browserPopupRedirectResolver as k, linkWithPhoneNumber as l, PhoneMultiFactorGenerator as m, TotpSecret as n, getAuth as o, ProviderId as p, setPersistence as q, reauthenticateWithPhoneNumber as r, signInWithPhoneNumber as s, initializeRecaptchaConfig as t, updatePhoneNumber as u, validatePassword as v, onIdTokenChanged as w, beforeAuthStateChanged as x, onAuthStateChanged as y, useDeviceLanguage as z };
-//# sourceMappingURL=index-3bd54529.js.map
+//# sourceMappingURL=index-dcfb76ea.js.map