@firebase/auth 1.9.1 → 1.10.0

package/dist/auth-public.d.ts

@@ -737,6 +737,8 @@ declare abstract class BaseOAuthProvider extends FederatedAuthProvider implement
  */
 export declare function beforeAuthStateChanged(auth: Auth, callback: (user: User | null) => void | Promise<void>, onAbort?: () => void): Unsubscribe;
 
+/* Excluded from this release type: browserCookiePersistence */
+
 /**
  * An implementation of {@link Persistence} of type `LOCAL` using `localStorage`
  * for the underlying storage.
@@ -2390,10 +2392,31 @@ export declare interface Persistence {
      * - 'SESSION' is used for temporary persistence such as `sessionStorage`.
      * - 'LOCAL' is used for long term persistence such as `localStorage` or `IndexedDB`.
      * - 'NONE' is used for in-memory, or no persistence.
+     * - 'COOKIE' is used for cookie persistence, useful for server-side rendering.
      */
-    readonly type: 'SESSION' | 'LOCAL' | 'NONE';
+    readonly type: 'SESSION' | 'LOCAL' | 'NONE' | 'COOKIE';
+}
+
+declare interface PersistenceInternal extends Persistence {
+    type: PersistenceType;
+    _isAvailable(): Promise<boolean>;
+    _set(key: string, value: PersistenceValue): Promise<void>;
+    _get<T extends PersistenceValue>(key: string): Promise<T | null>;
+    _remove(key: string): Promise<void>;
+    _addListener(key: string, listener: StorageEventListener): void;
+    _removeListener(key: string, listener: StorageEventListener): void;
+    _shouldAllowMigration?: boolean;
+}
+
+declare const enum PersistenceType {
+    SESSION = "SESSION",
+    LOCAL = "LOCAL",
+    NONE = "NONE",
+    COOKIE = "COOKIE"
 }
 
+declare type PersistenceValue = PersistedBlob | string;
+
 /**
  * Represents the credentials returned by {@link PhoneAuthProvider}.
  *
@@ -3456,6 +3479,10 @@ declare interface StartTotpMfaEnrollmentResponse {
     };
 }
 
+declare interface StorageEventListener {
+    (value: PersistenceValue | null): void;
+}
+
 /* Excluded from this release type: StsTokenManager */
 
 /* Excluded from this release type: TaggedWithTokenResponse */

package/dist/auth.d.ts

@@ -873,6 +873,7 @@ declare interface AuthInternal extends Auth {
     _canInitEmulator: boolean;
     _isInitialized: boolean;
     _initializationPromise: Promise<void> | null;
+    _persistenceManagerAvailable: Promise<void>;
     _updateCurrentUser(user: UserInternal | null): Promise<void>;
     _onStorageEvent(): void;
     _notifyListenersIfCurrent(user: UserInternal): void;
@@ -883,7 +884,8 @@ declare interface AuthInternal extends Auth {
     _key(): string;
     _startProactiveRefresh(): void;
     _stopProactiveRefresh(): void;
-    _getPersistence(): string;
+    _getPersistenceType(): string;
+    _getPersistence(): PersistenceInternal;
     _getRecaptchaConfig(): RecaptchaConfig | null;
     _getPasswordPolicyInternal(): PasswordPolicyInternal | null;
     _updatePasswordPolicy(): Promise<void>;
@@ -987,6 +989,17 @@ declare abstract class BaseOAuthProvider extends FederatedAuthProvider implement
  */
 export declare function beforeAuthStateChanged(auth: Auth, callback: (user: User | null) => void | Promise<void>, onAbort?: () => void): Unsubscribe;
 
+/**
+ * An implementation of {@link Persistence} of type `COOKIE`, for use on the client side in
+ * applications leveraging hybrid rendering and middleware.
+ *
+ * @remarks This persistence method requires companion middleware to function, such as that provided
+ * by {@link https://firebaseopensource.com/projects/firebaseextended/reactfire/ | ReactFire} for
+ * NextJS.
+ * @beta
+ */
+export declare const browserCookiePersistence: Persistence;
+
 /**
  * An implementation of {@link Persistence} of type `LOCAL` using `localStorage`
  * for the underlying storage.
@@ -2790,10 +2803,31 @@ export declare interface Persistence {
      * - 'SESSION' is used for temporary persistence such as `sessionStorage`.
      * - 'LOCAL' is used for long term persistence such as `localStorage` or `IndexedDB`.
      * - 'NONE' is used for in-memory, or no persistence.
+     * - 'COOKIE' is used for cookie persistence, useful for server-side rendering.
      */
-    readonly type: 'SESSION' | 'LOCAL' | 'NONE';
+    readonly type: 'SESSION' | 'LOCAL' | 'NONE' | 'COOKIE';
+}
+
+declare interface PersistenceInternal extends Persistence {
+    type: PersistenceType;
+    _isAvailable(): Promise<boolean>;
+    _set(key: string, value: PersistenceValue): Promise<void>;
+    _get<T extends PersistenceValue>(key: string): Promise<T | null>;
+    _remove(key: string): Promise<void>;
+    _addListener(key: string, listener: StorageEventListener): void;
+    _removeListener(key: string, listener: StorageEventListener): void;
+    _shouldAllowMigration?: boolean;
 }
 
+declare const enum PersistenceType {
+    SESSION = "SESSION",
+    LOCAL = "LOCAL",
+    NONE = "NONE",
+    COOKIE = "COOKIE"
+}
+
+declare type PersistenceValue = PersistedBlob | string;
+
 /**
  * Represents the credentials returned by {@link PhoneAuthProvider}.
  *
@@ -3955,6 +3989,10 @@ declare interface StartTotpMfaEnrollmentResponse {
     };
 }
 
+declare interface StorageEventListener {
+    (value: PersistenceValue | null): void;
+}
+
 /**
  * We need to mark this class as internal explicitly to exclude it in the public typings, because
  * it references AuthInternal which has a circular dependency with UserInternal.

package/dist/browser-cjs/{index-018c7ebd.js → index-eddc1dc3.js}

@@ -871,6 +871,14 @@ const SERVER_ERROR_MAP = {
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+const CookieAuthProxiedEndpoints = [
+    "/v1/accounts:signInWithCustomToken" /* Endpoint.SIGN_IN_WITH_CUSTOM_TOKEN */,
+    "/v1/accounts:signInWithEmailLink" /* Endpoint.SIGN_IN_WITH_EMAIL_LINK */,
+    "/v1/accounts:signInWithIdp" /* Endpoint.SIGN_IN_WITH_IDP */,
+    "/v1/accounts:signInWithPassword" /* Endpoint.SIGN_IN_WITH_PASSWORD */,
+    "/v1/accounts:signInWithPhoneNumber" /* Endpoint.SIGN_IN_WITH_PHONE_NUMBER */,
+    "/v1/token" /* Endpoint.TOKEN */
+];
 const DEFAULT_API_TIMEOUT_MS = new Delay(30000, 60000);
 function _addTidIfNecessary(auth, request) {
     if (auth.tenantId && !request.tenantId) {
@@ -907,7 +915,7 @@ async function _performApiRequest(auth, method, path, request, customErrorMap =
         if (!util.isCloudflareWorker()) {
             fetchArgs.referrerPolicy = 'no-referrer';
         }
-        return FetchProvider.fetch()(_getFinalTarget(auth, auth.config.apiHost, path, query), fetchArgs);
+        return FetchProvider.fetch()(await _getFinalTarget(auth, auth.config.apiHost, path, query), fetchArgs);
     });
 }
 async function _performFetchWithErrorHandling(auth, customErrorMap, fetchFn) {
@@ -972,12 +980,25 @@ async function _performSignInRequest(auth, method, path, request, customErrorMap
     }
     return serverResponse;
 }
-function _getFinalTarget(auth, host, path, query) {
+async function _getFinalTarget(auth, host, path, query) {
     const base = `${host}${path}?${query}`;
-    if (!auth.config.emulator) {
-        return `${auth.config.apiScheme}://${base}`;
-    }
-    return _emulatorUrl(auth.config, base);
+    const authInternal = auth;
+    const finalTarget = authInternal.config.emulator
+        ? _emulatorUrl(auth.config, base)
+        : `${auth.config.apiScheme}://${base}`;
+    // Cookie auth works by MiTMing the signIn and token endpoints from the developer's backend,
+    // saving the idToken and refreshToken into cookies, and then redacting the refreshToken
+    // from the response
+    if (CookieAuthProxiedEndpoints.includes(path)) {
+        // Persistence manager is async, we need to await it. We can't just wait for auth initialized
+        // here since auth initialization calls this function.
+        await authInternal._persistenceManagerAvailable;
+        if (authInternal._getPersistenceType() === "COOKIE" /* PersistenceType.COOKIE */) {
+            const cookiePersistence = authInternal._getPersistence();
+            return cookiePersistence._getFinalTarget(finalTarget).toString();
+        }
+    }
+    return finalTarget;
 }
 function _parseEnforcementState(enforcementStateStr) {
     switch (enforcementStateStr) {
@@ -1553,7 +1574,7 @@ async function requestStsToken(auth, refreshToken) {
             'refresh_token': refreshToken
         }).slice(1);
         const { tokenApiHost, apiKey } = auth.config;
-        const url = _getFinalTarget(auth, tokenApiHost, "/v1/token" /* Endpoint.TOKEN */, `key=${apiKey}`);
+        const url = await _getFinalTarget(auth, tokenApiHost, "/v1/token" /* Endpoint.TOKEN */, `key=${apiKey}`);
         const headers = await auth._getAdditionalHeaders();
         headers["Content-Type" /* HttpHeader.CONTENT_TYPE */] = 'application/x-www-form-urlencoded';
         return FetchProvider.fetch()(url, {
@@ -2044,7 +2065,17 @@ class PersistenceUserManager {
     }
     async getCurrentUser() {
         const blob = await this.persistence._get(this.fullUserKey);
-        return blob ? UserImpl._fromJSON(this.auth, blob) : null;
+        if (!blob) {
+            return null;
+        }
+        if (typeof blob === 'string') {
+            const response = await getAccountInfo(this.auth, { idToken: blob }).catch(() => undefined);
+            if (!response) {
+                return null;
+            }
+            return UserImpl._fromGetAccountInfoResponse(this.auth, response, blob);
+        }
+        return UserImpl._fromJSON(this.auth, blob);
     }
     removeCurrentUser() {
         return this.persistence._remove(this.fullUserKey);
@@ -2091,7 +2122,19 @@ class PersistenceUserManager {
             try {
                 const blob = await persistence._get(key);
                 if (blob) {
-                    const user = UserImpl._fromJSON(auth, blob); // throws for unparsable blob (wrong format)
+                    let user;
+                    if (typeof blob === 'string') {
+                        const response = await getAccountInfo(auth, {
+                            idToken: blob
+                        }).catch(() => undefined);
+                        if (!response) {
+                            break;
+                        }
+                        user = await UserImpl._fromGetAccountInfoResponse(auth, response, blob);
+                    }
+                    else {
+                        user = UserImpl._fromJSON(auth, blob); // throws for unparsable blob (wrong format)
+                    }
                     if (persistence !== selectedPersistence) {
                         userToMigrate = user;
                     }
@@ -2589,6 +2632,7 @@ class AuthImpl {
         this._tenantRecaptchaConfigs = {};
         this._projectPasswordPolicy = null;
         this._tenantPasswordPolicies = {};
+        this._resolvePersistenceManagerAvailable = undefined;
         // Tracks the last notified UID for state change listeners to prevent
         // repeated calls to the callbacks. Undefined means it's never been
         // called, whereas null means it's been called with a signed out user
@@ -2599,6 +2643,9 @@ class AuthImpl {
         this.frameworks = [];
         this.name = app.name;
         this.clientVersion = config.sdkClientVersion;
+        // TODO(jamesdaniels) explore less hacky way to do this, cookie authentication needs
+        // persistenceMananger to be available. see _getFinalTarget for more context
+        this._persistenceManagerAvailable = new Promise(resolve => (this._resolvePersistenceManagerAvailable = resolve));
     }
     _initializeWithPersistence(persistenceHierarchy, popupRedirectResolver) {
         if (popupRedirectResolver) {
@@ -2607,17 +2654,18 @@ class AuthImpl {
         // Have to check for app deletion throughout initialization (after each
         // promise resolution)
         this._initializationPromise = this.queue(async () => {
-            var _a, _b;
+            var _a, _b, _c;
             if (this._deleted) {
                 return;
             }
             this.persistenceManager = await PersistenceUserManager.create(this, persistenceHierarchy);
+            (_a = this._resolvePersistenceManagerAvailable) === null || _a === void 0 ? void 0 : _a.call(this);
             if (this._deleted) {
                 return;
             }
             // Initialize the resolver early if necessary (only applicable to web:
             // this will cause the iframe to load immediately in certain cases)
-            if ((_a = this._popupRedirectResolver) === null || _a === void 0 ? void 0 : _a._shouldInitProactively) {
+            if ((_b = this._popupRedirectResolver) === null || _b === void 0 ? void 0 : _b._shouldInitProactively) {
                 // If this fails, don't halt auth loading
                 try {
                     await this._popupRedirectResolver._initialize(this);
@@ -2627,7 +2675,7 @@ class AuthImpl {
                 }
             }
             await this.initializeCurrentUser(popupRedirectResolver);
-            this.lastNotifiedUid = ((_b = this.currentUser) === null || _b === void 0 ? void 0 : _b.uid) || null;
+            this.lastNotifiedUid = ((_c = this.currentUser) === null || _c === void 0 ? void 0 : _c.uid) || null;
             if (this._deleted) {
                 return;
             }
@@ -2881,9 +2929,12 @@ class AuthImpl {
             this._tenantPasswordPolicies[this.tenantId] = passwordPolicy;
         }
     }
-    _getPersistence() {
+    _getPersistenceType() {
         return this.assertedPersistence.persistence.type;
     }
+    _getPersistence() {
+        return this.assertedPersistence.persistence;
+    }
     _updateErrorMap(errorMap) {
         this._errorFactory = new util.ErrorFactory('auth', 'Firebase', errorMap());
     }
@@ -7471,6 +7522,150 @@ BrowserLocalPersistence.type = 'LOCAL';
  */
 const browserLocalPersistence = BrowserLocalPersistence;
 
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const POLLING_INTERVAL_MS = 1000;
+// Pull a cookie value from document.cookie
+function getDocumentCookie(name) {
+    var _a, _b;
+    const escapedName = name.replace(/[\\^$.*+?()[\]{}|]/g, '\\$&');
+    const matcher = RegExp(`${escapedName}=([^;]+)`);
+    return (_b = (_a = document.cookie.match(matcher)) === null || _a === void 0 ? void 0 : _a[1]) !== null && _b !== void 0 ? _b : null;
+}
+// Produce a sanitized cookie name from the persistence key
+function getCookieName(key) {
+    // __HOST- doesn't work in localhost https://issues.chromium.org/issues/40196122 but it has
+    // desirable security properties, so lets use a different cookie name while in dev-mode.
+    // Already checked isSecureContext in _isAvailable, so if it's http we're hitting local.
+    const isDevMode = window.location.protocol === 'http:';
+    return `${isDevMode ? '__dev_' : '__HOST-'}FIREBASE_${key.split(':')[3]}`;
+}
+class CookiePersistence {
+    constructor() {
+        this.type = "COOKIE" /* PersistenceType.COOKIE */;
+        this.listenerUnsubscribes = new Map();
+    }
+    // used to get the URL to the backend to proxy to
+    _getFinalTarget(originalUrl) {
+        if (typeof window === undefined) {
+            return originalUrl;
+        }
+        const url = new URL(`${window.location.origin}/__cookies__`);
+        url.searchParams.set('finalTarget', originalUrl);
+        return url;
+    }
+    // To be a usable persistence method in a chain browserCookiePersistence ensures that
+    // prerequisites have been met, namely that we're in a secureContext, navigator and document are
+    // available and cookies are enabled. Not all UAs support these method, so fallback accordingly.
+    async _isAvailable() {
+        var _a;
+        if (typeof isSecureContext === 'boolean' && !isSecureContext) {
+            return false;
+        }
+        if (typeof navigator === 'undefined' || typeof document === 'undefined') {
+            return false;
+        }
+        return (_a = navigator.cookieEnabled) !== null && _a !== void 0 ? _a : true;
+    }
+    // Set should be a noop as we expect middleware to handle this
+    async _set(_key, _value) {
+        return;
+    }
+    // Attempt to get the cookie from cookieStore, fallback to document.cookie
+    async _get(key) {
+        if (!this._isAvailable()) {
+            return null;
+        }
+        const name = getCookieName(key);
+        if (window.cookieStore) {
+            const cookie = await window.cookieStore.get(name);
+            return cookie === null || cookie === void 0 ? void 0 : cookie.value;
+        }
+        return getDocumentCookie(name);
+    }
+    // Log out by overriding the idToken with a sentinel value of ""
+    async _remove(key) {
+        if (!this._isAvailable()) {
+            return;
+        }
+        // To make sure we don't hit signout over and over again, only do this operation if we need to
+        // with the logout sentinel value of "" this can cause race conditions. Unnecessary set-cookie
+        // headers will reduce CDN hit rates too.
+        const existingValue = await this._get(key);
+        if (!existingValue) {
+            return;
+        }
+        const name = getCookieName(key);
+        document.cookie = `${name}=;Max-Age=34560000;Partitioned;Secure;SameSite=Strict;Path=/;Priority=High`;
+        await fetch(`/__cookies__`, { method: 'DELETE' }).catch(() => undefined);
+    }
+    // Listen for cookie changes, both cookieStore and fallback to polling document.cookie
+    _addListener(key, listener) {
+        if (!this._isAvailable()) {
+            return;
+        }
+        const name = getCookieName(key);
+        if (window.cookieStore) {
+            const cb = ((event) => {
+                const changedCookie = event.changed.find(change => change.name === name);
+                if (changedCookie) {
+                    listener(changedCookie.value);
+                }
+                const deletedCookie = event.deleted.find(change => change.name === name);
+                if (deletedCookie) {
+                    listener(null);
+                }
+            });
+            const unsubscribe = () => window.cookieStore.removeEventListener('change', cb);
+            this.listenerUnsubscribes.set(listener, unsubscribe);
+            return window.cookieStore.addEventListener('change', cb);
+        }
+        let lastValue = getDocumentCookie(name);
+        const interval = setInterval(() => {
+            const currentValue = getDocumentCookie(name);
+            if (currentValue !== lastValue) {
+                listener(currentValue);
+                lastValue = currentValue;
+            }
+        }, POLLING_INTERVAL_MS);
+        const unsubscribe = () => clearInterval(interval);
+        this.listenerUnsubscribes.set(listener, unsubscribe);
+    }
+    _removeListener(_key, listener) {
+        const unsubscribe = this.listenerUnsubscribes.get(listener);
+        if (!unsubscribe) {
+            return;
+        }
+        unsubscribe();
+        this.listenerUnsubscribes.delete(listener);
+    }
+}
+CookiePersistence.type = 'COOKIE';
+/**
+ * An implementation of {@link Persistence} of type `COOKIE`, for use on the client side in
+ * applications leveraging hybrid rendering and middleware.
+ *
+ * @remarks This persistence method requires companion middleware to function, such as that provided
+ * by {@link https://firebaseopensource.com/projects/firebaseextended/reactfire/ | ReactFire} for
+ * NextJS.
+ * @beta
+ */
+const browserCookiePersistence = CookiePersistence;
+
 /**
  * @license
  * Copyright 2020 Google LLC
@@ -10681,7 +10876,7 @@ function _isEmptyString(input) {
 }
 
 var name = "@firebase/auth";
-var version = "1.9.1";
+var version = "1.10.0";
 
 /**
  * @license
@@ -10982,6 +11177,7 @@ exports._overrideRedirectResult = _overrideRedirectResult;
 exports._persistenceKeyName = _persistenceKeyName;
 exports.applyActionCode = applyActionCode;
 exports.beforeAuthStateChanged = beforeAuthStateChanged;
+exports.browserCookiePersistence = browserCookiePersistence;
 exports.browserLocalPersistence = browserLocalPersistence;
 exports.browserPopupRedirectResolver = browserPopupRedirectResolver;
 exports.browserSessionPersistence = browserSessionPersistence;
@@ -11042,4 +11238,4 @@ exports.useDeviceLanguage = useDeviceLanguage;
 exports.validatePassword = validatePassword;
 exports.verifyBeforeUpdateEmail = verifyBeforeUpdateEmail;
 exports.verifyPasswordResetCode = verifyPasswordResetCode;
-//# sourceMappingURL=index-018c7ebd.js.map
+//# sourceMappingURL=index-eddc1dc3.js.map