@firebase/auth 1.9.1 → 1.10.0

package/dist/node-esm/src/core/auth/auth_impl.d.ts

@@ -57,6 +57,8 @@ export declare class AuthImpl implements AuthInternal, _FirebaseService {
     _tenantRecaptchaConfigs: Record<string, RecaptchaConfig>;
     _projectPasswordPolicy: PasswordPolicyInternal | null;
     _tenantPasswordPolicies: Record<string, PasswordPolicyInternal>;
+    _resolvePersistenceManagerAvailable: ((value: void | PromiseLike<void>) => void) | undefined;
+    _persistenceManagerAvailable: Promise<void>;
     readonly name: string;
     private lastNotifiedUid;
     languageCode: string | null;
@@ -82,7 +84,8 @@ export declare class AuthImpl implements AuthInternal, _FirebaseService {
     validatePassword(password: string): Promise<PasswordValidationStatus>;
     _getPasswordPolicyInternal(): PasswordPolicyInternal | null;
     _updatePasswordPolicy(): Promise<void>;
-    _getPersistence(): string;
+    _getPersistenceType(): string;
+    _getPersistence(): PersistenceInternal;
     _updateErrorMap(errorMap: AuthErrorMap): void;
     onAuthStateChanged(nextOrObserver: NextOrObserver<User>, error?: ErrorFn, completed?: CompleteFn): Unsubscribe;
     beforeAuthStateChanged(callback: (user: User | null) => void | Promise<void>, onAbort?: () => void): Unsubscribe;

package/dist/node-esm/src/core/persistence/index.d.ts

@@ -18,7 +18,8 @@ import { Persistence } from '../../model/public_types';
 export declare const enum PersistenceType {
     SESSION = "SESSION",
     LOCAL = "LOCAL",
-    NONE = "NONE"
+    NONE = "NONE",
+    COOKIE = "COOKIE"
 }
 export type PersistedBlob = Record<string, unknown>;
 export interface Instantiator<T> {

package/dist/node-esm/src/model/auth.d.ts

@@ -22,6 +22,7 @@ import { UserInternal } from './user';
 import { ClientPlatform } from '../core/util/version';
 import { RecaptchaConfig } from '../platform_browser/recaptcha/recaptcha';
 import { PasswordPolicyInternal } from './password_policy';
+import { PersistenceInternal } from '../core/persistence';
 export type AppName = string;
 export type ApiKey = string;
 export type AuthDomain = string;
@@ -56,6 +57,7 @@ export interface AuthInternal extends Auth {
     _canInitEmulator: boolean;
     _isInitialized: boolean;
     _initializationPromise: Promise<void> | null;
+    _persistenceManagerAvailable: Promise<void>;
     _updateCurrentUser(user: UserInternal | null): Promise<void>;
     _onStorageEvent(): void;
     _notifyListenersIfCurrent(user: UserInternal): void;
@@ -66,7 +68,8 @@ export interface AuthInternal extends Auth {
     _key(): string;
     _startProactiveRefresh(): void;
     _stopProactiveRefresh(): void;
-    _getPersistence(): string;
+    _getPersistenceType(): string;
+    _getPersistence(): PersistenceInternal;
     _getRecaptchaConfig(): RecaptchaConfig | null;
     _getPasswordPolicyInternal(): PasswordPolicyInternal | null;
     _updatePasswordPolicy(): Promise<void>;

package/dist/node-esm/src/model/public_types.d.ts

@@ -305,8 +305,9 @@ export interface Persistence {
      * - 'SESSION' is used for temporary persistence such as `sessionStorage`.
      * - 'LOCAL' is used for long term persistence such as `localStorage` or `IndexedDB`.
      * - 'NONE' is used for in-memory, or no persistence.
+     * - 'COOKIE' is used for cookie persistence, useful for server-side rendering.
      */
-    readonly type: 'SESSION' | 'LOCAL' | 'NONE';
+    readonly type: 'SESSION' | 'LOCAL' | 'NONE' | 'COOKIE';
 }
 /**
  * Interface representing ID token result obtained from {@link User.getIdTokenResult}.

package/dist/node-esm/src/platform_browser/persistence/cookie_storage.d.ts

@@ -0,0 +1,40 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { Persistence } from '../../model/public_types';
+import { PersistenceInternal, PersistenceType, PersistenceValue, StorageEventListener } from '../../core/persistence';
+export declare class CookiePersistence implements PersistenceInternal {
+    static type: 'COOKIE';
+    readonly type = PersistenceType.COOKIE;
+    listenerUnsubscribes: Map<StorageEventListener, () => void>;
+    _getFinalTarget(originalUrl: string): URL | string;
+    _isAvailable(): Promise<boolean>;
+    _set(_key: string, _value: PersistenceValue): Promise<void>;
+    _get<T extends PersistenceValue>(key: string): Promise<T | null>;
+    _remove(key: string): Promise<void>;
+    _addListener(key: string, listener: StorageEventListener): void;
+    _removeListener(_key: string, listener: StorageEventListener): void;
+}
+/**
+ * An implementation of {@link Persistence} of type `COOKIE`, for use on the client side in
+ * applications leveraging hybrid rendering and middleware.
+ *
+ * @remarks This persistence method requires companion middleware to function, such as that provided
+ * by {@link https://firebaseopensource.com/projects/firebaseextended/reactfire/ | ReactFire} for
+ * NextJS.
+ * @beta
+ */
+export declare const browserCookiePersistence: Persistence;

package/dist/node-esm/src/platform_node/index.d.ts

@@ -28,6 +28,7 @@ declare class FailClass {
 }
 export declare const browserLocalPersistence: import("../model/public_types").Persistence;
 export declare const browserSessionPersistence: import("../model/public_types").Persistence;
+export declare const browserCookiePersistence: import("../model/public_types").Persistence;
 export declare const indexedDBLocalPersistence: import("../model/public_types").Persistence;
 export declare const browserPopupRedirectResolver: import("@firebase/app").FirebaseError;
 export declare const PhoneAuthProvider: typeof FailClass;

package/dist/node-esm/{totp-d5ff2369.js → totp-7829abf2.js}

@@ -859,6 +859,14 @@ const SERVER_ERROR_MAP = {
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+const CookieAuthProxiedEndpoints = [
+    "/v1/accounts:signInWithCustomToken" /* Endpoint.SIGN_IN_WITH_CUSTOM_TOKEN */,
+    "/v1/accounts:signInWithEmailLink" /* Endpoint.SIGN_IN_WITH_EMAIL_LINK */,
+    "/v1/accounts:signInWithIdp" /* Endpoint.SIGN_IN_WITH_IDP */,
+    "/v1/accounts:signInWithPassword" /* Endpoint.SIGN_IN_WITH_PASSWORD */,
+    "/v1/accounts:signInWithPhoneNumber" /* Endpoint.SIGN_IN_WITH_PHONE_NUMBER */,
+    "/v1/token" /* Endpoint.TOKEN */
+];
 const DEFAULT_API_TIMEOUT_MS = new Delay(30000, 60000);
 function _addTidIfNecessary(auth, request) {
     if (auth.tenantId && !request.tenantId) {
@@ -895,7 +903,7 @@ async function _performApiRequest(auth, method, path, request, customErrorMap =
         if (!isCloudflareWorker()) {
             fetchArgs.referrerPolicy = 'no-referrer';
         }
-        return FetchProvider.fetch()(_getFinalTarget(auth, auth.config.apiHost, path, query), fetchArgs);
+        return FetchProvider.fetch()(await _getFinalTarget(auth, auth.config.apiHost, path, query), fetchArgs);
     });
 }
 async function _performFetchWithErrorHandling(auth, customErrorMap, fetchFn) {
@@ -960,12 +968,25 @@ async function _performSignInRequest(auth, method, path, request, customErrorMap
     }
     return serverResponse;
 }
-function _getFinalTarget(auth, host, path, query) {
+async function _getFinalTarget(auth, host, path, query) {
     const base = `${host}${path}?${query}`;
-    if (!auth.config.emulator) {
-        return `${auth.config.apiScheme}://${base}`;
-    }
-    return _emulatorUrl(auth.config, base);
+    const authInternal = auth;
+    const finalTarget = authInternal.config.emulator
+        ? _emulatorUrl(auth.config, base)
+        : `${auth.config.apiScheme}://${base}`;
+    // Cookie auth works by MiTMing the signIn and token endpoints from the developer's backend,
+    // saving the idToken and refreshToken into cookies, and then redacting the refreshToken
+    // from the response
+    if (CookieAuthProxiedEndpoints.includes(path)) {
+        // Persistence manager is async, we need to await it. We can't just wait for auth initialized
+        // here since auth initialization calls this function.
+        await authInternal._persistenceManagerAvailable;
+        if (authInternal._getPersistenceType() === "COOKIE" /* PersistenceType.COOKIE */) {
+            const cookiePersistence = authInternal._getPersistence();
+            return cookiePersistence._getFinalTarget(finalTarget).toString();
+        }
+    }
+    return finalTarget;
 }
 function _parseEnforcementState(enforcementStateStr) {
     switch (enforcementStateStr) {
@@ -1534,7 +1555,7 @@ async function requestStsToken(auth, refreshToken) {
             'refresh_token': refreshToken
         }).slice(1);
         const { tokenApiHost, apiKey } = auth.config;
-        const url = _getFinalTarget(auth, tokenApiHost, "/v1/token" /* Endpoint.TOKEN */, `key=${apiKey}`);
+        const url = await _getFinalTarget(auth, tokenApiHost, "/v1/token" /* Endpoint.TOKEN */, `key=${apiKey}`);
         const headers = await auth._getAdditionalHeaders();
         headers["Content-Type" /* HttpHeader.CONTENT_TYPE */] = 'application/x-www-form-urlencoded';
         return FetchProvider.fetch()(url, {
@@ -2025,7 +2046,17 @@ class PersistenceUserManager {
     }
     async getCurrentUser() {
         const blob = await this.persistence._get(this.fullUserKey);
-        return blob ? UserImpl._fromJSON(this.auth, blob) : null;
+        if (!blob) {
+            return null;
+        }
+        if (typeof blob === 'string') {
+            const response = await getAccountInfo(this.auth, { idToken: blob }).catch(() => undefined);
+            if (!response) {
+                return null;
+            }
+            return UserImpl._fromGetAccountInfoResponse(this.auth, response, blob);
+        }
+        return UserImpl._fromJSON(this.auth, blob);
     }
     removeCurrentUser() {
         return this.persistence._remove(this.fullUserKey);
@@ -2072,7 +2103,19 @@ class PersistenceUserManager {
             try {
                 const blob = await persistence._get(key);
                 if (blob) {
-                    const user = UserImpl._fromJSON(auth, blob); // throws for unparsable blob (wrong format)
+                    let user;
+                    if (typeof blob === 'string') {
+                        const response = await getAccountInfo(auth, {
+                            idToken: blob
+                        }).catch(() => undefined);
+                        if (!response) {
+                            break;
+                        }
+                        user = await UserImpl._fromGetAccountInfoResponse(auth, response, blob);
+                    }
+                    else {
+                        user = UserImpl._fromJSON(auth, blob); // throws for unparsable blob (wrong format)
+                    }
                     if (persistence !== selectedPersistence) {
                         userToMigrate = user;
                     }
@@ -2566,6 +2609,7 @@ class AuthImpl {
         this._tenantRecaptchaConfigs = {};
         this._projectPasswordPolicy = null;
         this._tenantPasswordPolicies = {};
+        this._resolvePersistenceManagerAvailable = undefined;
         // Tracks the last notified UID for state change listeners to prevent
         // repeated calls to the callbacks. Undefined means it's never been
         // called, whereas null means it's been called with a signed out user
@@ -2576,6 +2620,9 @@ class AuthImpl {
         this.frameworks = [];
         this.name = app.name;
         this.clientVersion = config.sdkClientVersion;
+        // TODO(jamesdaniels) explore less hacky way to do this, cookie authentication needs
+        // persistenceMananger to be available. see _getFinalTarget for more context
+        this._persistenceManagerAvailable = new Promise(resolve => (this._resolvePersistenceManagerAvailable = resolve));
     }
     _initializeWithPersistence(persistenceHierarchy, popupRedirectResolver) {
         if (popupRedirectResolver) {
@@ -2584,17 +2631,18 @@ class AuthImpl {
         // Have to check for app deletion throughout initialization (after each
         // promise resolution)
         this._initializationPromise = this.queue(async () => {
-            var _a, _b;
+            var _a, _b, _c;
             if (this._deleted) {
                 return;
             }
             this.persistenceManager = await PersistenceUserManager.create(this, persistenceHierarchy);
+            (_a = this._resolvePersistenceManagerAvailable) === null || _a === void 0 ? void 0 : _a.call(this);
             if (this._deleted) {
                 return;
             }
             // Initialize the resolver early if necessary (only applicable to web:
             // this will cause the iframe to load immediately in certain cases)
-            if ((_a = this._popupRedirectResolver) === null || _a === void 0 ? void 0 : _a._shouldInitProactively) {
+            if ((_b = this._popupRedirectResolver) === null || _b === void 0 ? void 0 : _b._shouldInitProactively) {
                 // If this fails, don't halt auth loading
                 try {
                     await this._popupRedirectResolver._initialize(this);
@@ -2604,7 +2652,7 @@ class AuthImpl {
                 }
             }
             await this.initializeCurrentUser(popupRedirectResolver);
-            this.lastNotifiedUid = ((_b = this.currentUser) === null || _b === void 0 ? void 0 : _b.uid) || null;
+            this.lastNotifiedUid = ((_c = this.currentUser) === null || _c === void 0 ? void 0 : _c.uid) || null;
             if (this._deleted) {
                 return;
             }
@@ -2858,9 +2906,12 @@ class AuthImpl {
             this._tenantPasswordPolicies[this.tenantId] = passwordPolicy;
         }
     }
-    _getPersistence() {
+    _getPersistenceType() {
         return this.assertedPersistence.persistence.type;
     }
+    _getPersistence() {
+        return this.assertedPersistence.persistence;
+    }
     _updateErrorMap(errorMap) {
         this._errorFactory = new ErrorFactory('auth', 'Firebase', errorMap());
     }
@@ -7079,7 +7130,7 @@ function multiFactor(user) {
 }
 
 var name = "@firebase/auth";
-var version = "1.9.1";
+var version = "1.10.0";
 
 /**
  * @license
@@ -7281,6 +7332,7 @@ class FailClass {
 }
 const browserLocalPersistence = inMemoryPersistence;
 const browserSessionPersistence = inMemoryPersistence;
+const browserCookiePersistence = inMemoryPersistence;
 const indexedDBLocalPersistence = inMemoryPersistence;
 const browserPopupRedirectResolver = NOT_AVAILABLE_ERROR;
 const PhoneAuthProvider = FailClass;
@@ -7490,5 +7542,5 @@ function _isEmptyString(input) {
     return typeof input === 'undefined' || (input === null || input === void 0 ? void 0 : input.length) === 0;
 }
 
-export { TwitterAuthProvider as $, ActionCodeOperation as A, updateCurrentUser as B, signOut as C, revokeAccessToken as D, deleteUser as E, FactorId as F, debugErrorMap as G, prodErrorMap as H, AUTH_ERROR_CODES_MAP_DO_NOT_USE_INTERNALLY as I, initializeAuth as J, connectAuthEmulator as K, AuthCredential as L, EmailAuthCredential as M, OAuthCredential as N, OperationType as O, PhoneAuthProvider as P, PhoneAuthCredential as Q, RecaptchaVerifier as R, SignInMethod as S, TotpMultiFactorGenerator as T, inMemoryPersistence as U, EmailAuthProvider as V, FacebookAuthProvider as W, GoogleAuthProvider as X, GithubAuthProvider as Y, OAuthProvider as Z, SAMLAuthProvider as _, browserSessionPersistence as a, signInAnonymously as a0, signInWithCredential as a1, linkWithCredential as a2, reauthenticateWithCredential as a3, signInWithCustomToken as a4, sendPasswordResetEmail as a5, confirmPasswordReset as a6, applyActionCode as a7, checkActionCode as a8, verifyPasswordResetCode as a9, _fail as aA, debugAssert as aB, _persistenceKeyName as aC, _serverAppCurrentUserOperationNotSupportedError as aD, _castAuth as aE, FederatedAuthProvider as aF, BaseOAuthProvider as aG, _emulatorUrl as aH, _performApiRequest as aI, _isIOS as aJ, _isAndroid as aK, _isIOS7Or8 as aL, _createError as aM, _isMobileBrowser as aN, _isIE10 as aO, UserImpl as aP, AuthImpl as aQ, _getClientVersion as aR, FetchProvider as aS, SAMLAuthCredential as aT, createUserWithEmailAndPassword as aa, signInWithEmailAndPassword as ab, sendSignInLinkToEmail as ac, isSignInWithEmailLink as ad, signInWithEmailLink as ae, fetchSignInMethodsForEmail as af, sendEmailVerification as ag, verifyBeforeUpdateEmail as ah, ActionCodeURL as ai, parseActionCodeURL as aj, updateProfile as ak, updateEmail as al, updatePassword as am, getIdToken as an, getIdTokenResult as ao, unlink as ap, getAdditionalUserInfo as aq, reload as ar, getMultiFactorResolver as as, multiFactor as at, _getInstance as au, _assert as av, _signInWithCredential as aw, _reauthenticate as ax, _link as ay, signInWithIdp as az, browserLocalPersistence as b, signInWithPopup as c, linkWithPopup as d, reauthenticateWithPopup as e, signInWithRedirect as f, linkWithRedirect as g, reauthenticateWithRedirect as h, indexedDBLocalPersistence as i, getRedirectResult as j, browserPopupRedirectResolver as k, linkWithPhoneNumber as l, PhoneMultiFactorGenerator as m, TotpSecret as n, getAuth as o, ProviderId as p, setPersistence as q, reauthenticateWithPhoneNumber as r, signInWithPhoneNumber as s, initializeRecaptchaConfig as t, updatePhoneNumber as u, validatePassword as v, onIdTokenChanged as w, beforeAuthStateChanged as x, onAuthStateChanged as y, useDeviceLanguage as z };
-//# sourceMappingURL=totp-d5ff2369.js.map
+export { SAMLAuthProvider as $, ActionCodeOperation as A, useDeviceLanguage as B, updateCurrentUser as C, signOut as D, revokeAccessToken as E, FactorId as F, deleteUser as G, debugErrorMap as H, prodErrorMap as I, AUTH_ERROR_CODES_MAP_DO_NOT_USE_INTERNALLY as J, initializeAuth as K, connectAuthEmulator as L, AuthCredential as M, EmailAuthCredential as N, OperationType as O, PhoneAuthProvider as P, OAuthCredential as Q, RecaptchaVerifier as R, SignInMethod as S, TotpMultiFactorGenerator as T, PhoneAuthCredential as U, inMemoryPersistence as V, EmailAuthProvider as W, FacebookAuthProvider as X, GoogleAuthProvider as Y, GithubAuthProvider as Z, OAuthProvider as _, browserCookiePersistence as a, TwitterAuthProvider as a0, signInAnonymously as a1, signInWithCredential as a2, linkWithCredential as a3, reauthenticateWithCredential as a4, signInWithCustomToken as a5, sendPasswordResetEmail as a6, confirmPasswordReset as a7, applyActionCode as a8, checkActionCode as a9, signInWithIdp as aA, _fail as aB, debugAssert as aC, _persistenceKeyName as aD, _serverAppCurrentUserOperationNotSupportedError as aE, _castAuth as aF, FederatedAuthProvider as aG, BaseOAuthProvider as aH, _emulatorUrl as aI, _performApiRequest as aJ, _isIOS as aK, _isAndroid as aL, _isIOS7Or8 as aM, _createError as aN, _isMobileBrowser as aO, _isIE10 as aP, UserImpl as aQ, AuthImpl as aR, _getClientVersion as aS, FetchProvider as aT, SAMLAuthCredential as aU, verifyPasswordResetCode as aa, createUserWithEmailAndPassword as ab, signInWithEmailAndPassword as ac, sendSignInLinkToEmail as ad, isSignInWithEmailLink as ae, signInWithEmailLink as af, fetchSignInMethodsForEmail as ag, sendEmailVerification as ah, verifyBeforeUpdateEmail as ai, ActionCodeURL as aj, parseActionCodeURL as ak, updateProfile as al, updateEmail as am, updatePassword as an, getIdToken as ao, getIdTokenResult as ap, unlink as aq, getAdditionalUserInfo as ar, reload as as, getMultiFactorResolver as at, multiFactor as au, _getInstance as av, _assert as aw, _signInWithCredential as ax, _reauthenticate as ay, _link as az, browserLocalPersistence as b, browserSessionPersistence as c, signInWithPopup as d, linkWithPopup as e, reauthenticateWithPopup as f, signInWithRedirect as g, linkWithRedirect as h, indexedDBLocalPersistence as i, reauthenticateWithRedirect as j, getRedirectResult as k, linkWithPhoneNumber as l, browserPopupRedirectResolver as m, PhoneMultiFactorGenerator as n, TotpSecret as o, getAuth as p, ProviderId as q, reauthenticateWithPhoneNumber as r, signInWithPhoneNumber as s, setPersistence as t, updatePhoneNumber as u, initializeRecaptchaConfig as v, validatePassword as w, onIdTokenChanged as x, beforeAuthStateChanged as y, onAuthStateChanged as z };
+//# sourceMappingURL=totp-7829abf2.js.map