@thefittingroom/sdk 1.5.0 → 1.5.2

package/dist/esm/index.js

@@ -1,5 +1,5 @@
 /*!
-* thefittingroom v1.5.0 (2024-09-01T16:52:25.366Z)
+* thefittingroom v1.5.2 (2024-09-03T15:43:56.403Z)
 * Copyright 2022-present, TheFittingRoom, Inc. All rights reserved.
 */
 // Code generated by tygo. DO NOT EDIT.
@@ -1947,8 +1947,8 @@ function isVersionServiceProvider(provider) {
     return (component === null || component === void 0 ? void 0 : component.type) === "VERSION" /* ComponentType.VERSION */;
 }
 
-const name$o = "@firebase/app";
-const version$1$1 = "0.9.13";
+const name$p = "@firebase/app";
+const version$1$1 = "0.10.9";
 
 /**
  * @license
@@ -1968,54 +1968,56 @@ const version$1$1 = "0.9.13";
  */
 const logger = new Logger$1('@firebase/app');
 
-const name$n = "@firebase/app-compat";
+const name$o = "@firebase/app-compat";
 
-const name$m = "@firebase/analytics-compat";
+const name$n = "@firebase/analytics-compat";
 
-const name$l = "@firebase/analytics";
+const name$m = "@firebase/analytics";
 
-const name$k = "@firebase/app-check-compat";
+const name$l = "@firebase/app-check-compat";
 
-const name$j = "@firebase/app-check";
+const name$k = "@firebase/app-check";
 
-const name$i = "@firebase/auth";
+const name$j = "@firebase/auth";
 
-const name$h = "@firebase/auth-compat";
+const name$i = "@firebase/auth-compat";
 
-const name$g = "@firebase/database";
+const name$h = "@firebase/database";
 
-const name$f = "@firebase/database-compat";
+const name$g = "@firebase/database-compat";
 
-const name$e = "@firebase/functions";
+const name$f = "@firebase/functions";
 
-const name$d = "@firebase/functions-compat";
+const name$e = "@firebase/functions-compat";
 
-const name$c = "@firebase/installations";
+const name$d = "@firebase/installations";
 
-const name$b = "@firebase/installations-compat";
+const name$c = "@firebase/installations-compat";
 
-const name$a = "@firebase/messaging";
+const name$b = "@firebase/messaging";
 
-const name$9 = "@firebase/messaging-compat";
+const name$a = "@firebase/messaging-compat";
 
-const name$8 = "@firebase/performance";
+const name$9 = "@firebase/performance";
 
-const name$7 = "@firebase/performance-compat";
+const name$8 = "@firebase/performance-compat";
 
-const name$6 = "@firebase/remote-config";
+const name$7 = "@firebase/remote-config";
 
-const name$5 = "@firebase/remote-config-compat";
+const name$6 = "@firebase/remote-config-compat";
 
-const name$4 = "@firebase/storage";
+const name$5 = "@firebase/storage";
 
-const name$3 = "@firebase/storage-compat";
+const name$4 = "@firebase/storage-compat";
 
-const name$2 = "@firebase/firestore";
+const name$3 = "@firebase/firestore";
+
+const name$2 = "@firebase/vertexai-preview";
 
 const name$1$1 = "@firebase/firestore-compat";
 
-const name$p = "firebase";
-const version$2 = "9.23.0";
+const name$q = "firebase";
+const version$2 = "10.13.0";
 
 /**
  * @license
@@ -2040,32 +2042,33 @@ const version$2 = "9.23.0";
  */
 const DEFAULT_ENTRY_NAME = '[DEFAULT]';
 const PLATFORM_LOG_STRING = {
-    [name$o]: 'fire-core',
-    [name$n]: 'fire-core-compat',
-    [name$l]: 'fire-analytics',
-    [name$m]: 'fire-analytics-compat',
-    [name$j]: 'fire-app-check',
-    [name$k]: 'fire-app-check-compat',
-    [name$i]: 'fire-auth',
-    [name$h]: 'fire-auth-compat',
-    [name$g]: 'fire-rtdb',
-    [name$f]: 'fire-rtdb-compat',
-    [name$e]: 'fire-fn',
-    [name$d]: 'fire-fn-compat',
-    [name$c]: 'fire-iid',
-    [name$b]: 'fire-iid-compat',
-    [name$a]: 'fire-fcm',
-    [name$9]: 'fire-fcm-compat',
-    [name$8]: 'fire-perf',
-    [name$7]: 'fire-perf-compat',
-    [name$6]: 'fire-rc',
-    [name$5]: 'fire-rc-compat',
-    [name$4]: 'fire-gcs',
-    [name$3]: 'fire-gcs-compat',
-    [name$2]: 'fire-fst',
+    [name$p]: 'fire-core',
+    [name$o]: 'fire-core-compat',
+    [name$m]: 'fire-analytics',
+    [name$n]: 'fire-analytics-compat',
+    [name$k]: 'fire-app-check',
+    [name$l]: 'fire-app-check-compat',
+    [name$j]: 'fire-auth',
+    [name$i]: 'fire-auth-compat',
+    [name$h]: 'fire-rtdb',
+    [name$g]: 'fire-rtdb-compat',
+    [name$f]: 'fire-fn',
+    [name$e]: 'fire-fn-compat',
+    [name$d]: 'fire-iid',
+    [name$c]: 'fire-iid-compat',
+    [name$b]: 'fire-fcm',
+    [name$a]: 'fire-fcm-compat',
+    [name$9]: 'fire-perf',
+    [name$8]: 'fire-perf-compat',
+    [name$7]: 'fire-rc',
+    [name$6]: 'fire-rc-compat',
+    [name$5]: 'fire-gcs',
+    [name$4]: 'fire-gcs-compat',
+    [name$3]: 'fire-fst',
     [name$1$1]: 'fire-fst-compat',
+    [name$2]: 'fire-vertex',
     'fire-js': 'fire-js',
-    [name$p]: 'fire-js-all'
+    [name$q]: 'fire-js-all'
 };
 
 /**
@@ -2088,6 +2091,10 @@ const PLATFORM_LOG_STRING = {
  * @internal
  */
 const _apps = new Map();
+/**
+ * @internal
+ */
+const _serverApps = new Map();
 /**
  * Registered components.
  *
@@ -2126,6 +2133,9 @@ function _registerComponent(component) {
     for (const app of _apps.values()) {
         _addComponent(app, component);
     }
+    for (const serverApp of _serverApps.values()) {
+        _addComponent(serverApp, component);
+    }
     return true;
 }
 /**
@@ -2146,6 +2156,17 @@ function _getProvider(app, name) {
     }
     return app.container.getProvider(name);
 }
+/**
+ *
+ * @param obj - an object of type FirebaseApp.
+ *
+ * @returns true if the provided object is of type FirebaseServerAppImpl.
+ *
+ * @internal
+ */
+function _isFirebaseServerApp(obj) {
+    return obj.settings !== undefined;
+}
 
 /**
  * @license
@@ -2166,9 +2187,10 @@ function _getProvider(app, name) {
 const ERRORS = {
     ["no-app" /* AppError.NO_APP */]: "No Firebase App '{$appName}' has been created - " +
         'call initializeApp() first',
-    ["bad-app-name" /* AppError.BAD_APP_NAME */]: "Illegal App name: '{$appName}",
+    ["bad-app-name" /* AppError.BAD_APP_NAME */]: "Illegal App name: '{$appName}'",
     ["duplicate-app" /* AppError.DUPLICATE_APP */]: "Firebase App named '{$appName}' already exists with different options or config",
     ["app-deleted" /* AppError.APP_DELETED */]: "Firebase App named '{$appName}' already deleted",
+    ["server-app-deleted" /* AppError.SERVER_APP_DELETED */]: 'Firebase Server App has been deleted',
     ["no-options" /* AppError.NO_OPTIONS */]: 'Need to provide options, when not being deployed to hosting via source.',
     ["invalid-app-argument" /* AppError.INVALID_APP_ARGUMENT */]: 'firebase.{$appName}() takes either no argument or a ' +
         'Firebase App instance.',
@@ -2176,7 +2198,9 @@ const ERRORS = {
     ["idb-open" /* AppError.IDB_OPEN */]: 'Error thrown when opening IndexedDB. Original error: {$originalErrorMessage}.',
     ["idb-get" /* AppError.IDB_GET */]: 'Error thrown when reading from IndexedDB. Original error: {$originalErrorMessage}.',
     ["idb-set" /* AppError.IDB_WRITE */]: 'Error thrown when writing to IndexedDB. Original error: {$originalErrorMessage}.',
-    ["idb-delete" /* AppError.IDB_DELETE */]: 'Error thrown when deleting from IndexedDB. Original error: {$originalErrorMessage}.'
+    ["idb-delete" /* AppError.IDB_DELETE */]: 'Error thrown when deleting from IndexedDB. Original error: {$originalErrorMessage}.',
+    ["finalization-registry-not-supported" /* AppError.FINALIZATION_REGISTRY_NOT_SUPPORTED */]: 'FirebaseServerApp deleteOnDeref field defined but the JS runtime does not support FinalizationRegistry.',
+    ["invalid-server-app-environment" /* AppError.INVALID_SERVER_APP_ENVIRONMENT */]: 'FirebaseServerApp is not for use in browser environments.'
 };
 const ERROR_FACTORY = new ErrorFactory$1('app', 'Firebase', ERRORS);
 
@@ -2412,7 +2436,15 @@ function getDbPromise() {
                 // eslint-disable-next-line default-case
                 switch (oldVersion) {
                     case 0:
-                        db.createObjectStore(STORE_NAME);
+                        try {
+                            db.createObjectStore(STORE_NAME);
+                        }
+                        catch (e) {
+                            // Safari/iOS browsers throw occasional exceptions on
+                            // db.createObjectStore() that may be a bug. Avoid blocking
+                            // the rest of the app functionality.
+                            console.warn(e);
+                        }
                 }
             }
         }).catch(e => {
@@ -2426,10 +2458,11 @@ function getDbPromise() {
 async function readHeartbeatsFromIndexedDB(app) {
     try {
         const db = await getDbPromise();
-        const result = await db
-            .transaction(STORE_NAME)
-            .objectStore(STORE_NAME)
-            .get(computeKey(app));
+        const tx = db.transaction(STORE_NAME);
+        const result = await tx.objectStore(STORE_NAME).get(computeKey(app));
+        // We already have the value but tx.done can throw,
+        // so we need to await it here to catch errors
+        await tx.done;
         return result;
     }
     catch (e) {
@@ -2515,33 +2548,45 @@ class HeartbeatServiceImpl {
      * already logged, subsequent calls to this function in the same day will be ignored.
      */
     async triggerHeartbeat() {
-        const platformLogger = this.container
-            .getProvider('platform-logger')
-            .getImmediate();
-        // This is the "Firebase user agent" string from the platform logger
-        // service, not the browser user agent.
-        const agent = platformLogger.getPlatformInfoString();
-        const date = getUTCDateString();
-        if (this._heartbeatsCache === null) {
-            this._heartbeatsCache = await this._heartbeatsCachePromise;
-        }
-        // Do not store a heartbeat if one is already stored for this day
-        // or if a header has already been sent today.
-        if (this._heartbeatsCache.lastSentHeartbeatDate === date ||
-            this._heartbeatsCache.heartbeats.some(singleDateHeartbeat => singleDateHeartbeat.date === date)) {
-            return;
+        var _a, _b, _c;
+        try {
+            const platformLogger = this.container
+                .getProvider('platform-logger')
+                .getImmediate();
+            // This is the "Firebase user agent" string from the platform logger
+            // service, not the browser user agent.
+            const agent = platformLogger.getPlatformInfoString();
+            const date = getUTCDateString();
+            console.log('heartbeats', (_a = this._heartbeatsCache) === null || _a === void 0 ? void 0 : _a.heartbeats);
+            if (((_b = this._heartbeatsCache) === null || _b === void 0 ? void 0 : _b.heartbeats) == null) {
+                this._heartbeatsCache = await this._heartbeatsCachePromise;
+                // If we failed to construct a heartbeats cache, then return immediately.
+                if (((_c = this._heartbeatsCache) === null || _c === void 0 ? void 0 : _c.heartbeats) == null) {
+                    return;
+                }
+            }
+            // Do not store a heartbeat if one is already stored for this day
+            // or if a header has already been sent today.
+            if (this._heartbeatsCache.lastSentHeartbeatDate === date ||
+                this._heartbeatsCache.heartbeats.some(singleDateHeartbeat => singleDateHeartbeat.date === date)) {
+                return;
+            }
+            else {
+                // There is no entry for this date. Create one.
+                this._heartbeatsCache.heartbeats.push({ date, agent });
+            }
+            // Remove entries older than 30 days.
+            this._heartbeatsCache.heartbeats =
+                this._heartbeatsCache.heartbeats.filter(singleDateHeartbeat => {
+                    const hbTimestamp = new Date(singleDateHeartbeat.date).valueOf();
+                    const now = Date.now();
+                    return now - hbTimestamp <= STORED_HEARTBEAT_RETENTION_MAX_MILLIS;
+                });
+            return this._storage.overwrite(this._heartbeatsCache);
+        }
+        catch (e) {
+            logger.warn(e);
         }
-        else {
-            // There is no entry for this date. Create one.
-            this._heartbeatsCache.heartbeats.push({ date, agent });
-        }
-        // Remove entries older than 30 days.
-        this._heartbeatsCache.heartbeats = this._heartbeatsCache.heartbeats.filter(singleDateHeartbeat => {
-            const hbTimestamp = new Date(singleDateHeartbeat.date).valueOf();
-            const now = Date.now();
-            return now - hbTimestamp <= STORED_HEARTBEAT_RETENTION_MAX_MILLIS;
-        });
-        return this._storage.overwrite(this._heartbeatsCache);
     }
     /**
      * Returns a base64 encoded string which can be attached to the heartbeat-specific header directly.
@@ -2551,34 +2596,41 @@ class HeartbeatServiceImpl {
      * returns an empty string.
      */
     async getHeartbeatsHeader() {
-        if (this._heartbeatsCache === null) {
-            await this._heartbeatsCachePromise;
+        var _a;
+        try {
+            if (this._heartbeatsCache === null) {
+                await this._heartbeatsCachePromise;
+            }
+            // If it's still null or the array is empty, there is no data to send.
+            if (((_a = this._heartbeatsCache) === null || _a === void 0 ? void 0 : _a.heartbeats) == null ||
+                this._heartbeatsCache.heartbeats.length === 0) {
+                return '';
+            }
+            const date = getUTCDateString();
+            // Extract as many heartbeats from the cache as will fit under the size limit.
+            const { heartbeatsToSend, unsentEntries } = extractHeartbeatsForHeader(this._heartbeatsCache.heartbeats);
+            const headerString = base64urlEncodeWithoutPadding$1(JSON.stringify({ version: 2, heartbeats: heartbeatsToSend }));
+            // Store last sent date to prevent another being logged/sent for the same day.
+            this._heartbeatsCache.lastSentHeartbeatDate = date;
+            if (unsentEntries.length > 0) {
+                // Store any unsent entries if they exist.
+                this._heartbeatsCache.heartbeats = unsentEntries;
+                // This seems more likely than emptying the array (below) to lead to some odd state
+                // since the cache isn't empty and this will be called again on the next request,
+                // and is probably safest if we await it.
+                await this._storage.overwrite(this._heartbeatsCache);
+            }
+            else {
+                this._heartbeatsCache.heartbeats = [];
+                // Do not wait for this, to reduce latency.
+                void this._storage.overwrite(this._heartbeatsCache);
+            }
+            return headerString;
         }
-        // If it's still null or the array is empty, there is no data to send.
-        if (this._heartbeatsCache === null ||
-            this._heartbeatsCache.heartbeats.length === 0) {
+        catch (e) {
+            logger.warn(e);
             return '';
         }
-        const date = getUTCDateString();
-        // Extract as many heartbeats from the cache as will fit under the size limit.
-        const { heartbeatsToSend, unsentEntries } = extractHeartbeatsForHeader(this._heartbeatsCache.heartbeats);
-        const headerString = base64urlEncodeWithoutPadding$1(JSON.stringify({ version: 2, heartbeats: heartbeatsToSend }));
-        // Store last sent date to prevent another being logged/sent for the same day.
-        this._heartbeatsCache.lastSentHeartbeatDate = date;
-        if (unsentEntries.length > 0) {
-            // Store any unsent entries if they exist.
-            this._heartbeatsCache.heartbeats = unsentEntries;
-            // This seems more likely than emptying the array (below) to lead to some odd state
-            // since the cache isn't empty and this will be called again on the next request,
-            // and is probably safest if we await it.
-            await this._storage.overwrite(this._heartbeatsCache);
-        }
-        else {
-            this._heartbeatsCache.heartbeats = [];
-            // Do not wait for this, to reduce latency.
-            void this._storage.overwrite(this._heartbeatsCache);
-        }
-        return headerString;
     }
 }
 function getUTCDateString() {
@@ -2651,7 +2703,12 @@ class HeartbeatStorageImpl {
         }
         else {
             const idbHeartbeatObject = await readHeartbeatsFromIndexedDB(this.app);
-            return idbHeartbeatObject || { heartbeats: [] };
+            if (idbHeartbeatObject === null || idbHeartbeatObject === void 0 ? void 0 : idbHeartbeatObject.heartbeats) {
+                return idbHeartbeatObject;
+            }
+            else {
+                return { heartbeats: [] };
+            }
         }
     }
     // overwrite the storage with the provided heartbeats
@@ -2720,9 +2777,9 @@ function registerCoreComponents(variant) {
     _registerComponent(new Component$1('platform-logger', container => new PlatformLoggerServiceImpl(container), "PRIVATE" /* ComponentType.PRIVATE */));
     _registerComponent(new Component$1('heartbeat', container => new HeartbeatServiceImpl(container), "PRIVATE" /* ComponentType.PRIVATE */));
     // Register `app` package.
-    registerVersion(name$o, version$1$1, variant);
+    registerVersion(name$p, version$1$1, variant);
     // BUILD_TARGET will be replaced by values like esm5, esm2017, cjs5, etc during the compilation
-    registerVersion(name$o, version$1$1, 'esm2017');
+    registerVersion(name$p, version$1$1, 'esm2017');
     // Register platform SDK identifier (no version).
     registerVersion('fire-js', '');
 }
@@ -17789,7 +17846,7 @@ function jl(t, ...e) {
 }();
 
 var name$1 = "firebase";
-var version$1 = "9.23.0";
+var version$1 = "10.13.0";
 
 /**
  * @license
@@ -18605,6 +18662,7 @@ const AUTH_ERROR_CODES_MAP_DO_NOT_USE_INTERNALLY = {
     INVALID_EMAIL: 'auth/invalid-email',
     INVALID_EMULATOR_SCHEME: 'auth/invalid-emulator-scheme',
     INVALID_IDP_RESPONSE: 'auth/invalid-credential',
+    INVALID_LOGIN_CREDENTIALS: 'auth/invalid-credential',
     INVALID_MESSAGE_PAYLOAD: 'auth/invalid-message-payload',
     INVALID_MFA_SESSION: 'auth/invalid-multi-factor-session',
     INVALID_OAUTH_CLIENT_ID: 'auth/invalid-oauth-client-id',
@@ -18734,6 +18792,9 @@ function _errorWithCustomMessage(auth, code, message) {
         appName: auth.name
     });
 }
+function _serverAppCurrentUserOperationNotSupportedError(auth) {
+    return _errorWithCustomMessage(auth, "operation-not-supported-in-this-environment" /* AuthErrorCode.OPERATION_NOT_SUPPORTED */, 'Operations that alter the current user are not supported in conjunction with FirebaseServerApp');
+}
 function createErrorInternal(authOrCode, ...rest) {
     if (typeof authOrCode !== 'string') {
         const code = rest[0];
@@ -18957,6 +19018,12 @@ class FetchProvider {
         if (typeof self !== 'undefined' && 'fetch' in self) {
             return self.fetch;
         }
+        if (typeof globalThis !== 'undefined' && globalThis.fetch) {
+            return globalThis.fetch;
+        }
+        if (typeof fetch !== 'undefined') {
+            return fetch;
+        }
         debugFail('Could not find fetch implementation, make sure you call FetchProvider.initialize() with an appropriate polyfill');
     }
     static headers() {
@@ -18966,6 +19033,12 @@ class FetchProvider {
         if (typeof self !== 'undefined' && 'Headers' in self) {
             return self.Headers;
         }
+        if (typeof globalThis !== 'undefined' && globalThis.Headers) {
+            return globalThis.Headers;
+        }
+        if (typeof Headers !== 'undefined') {
+            return Headers;
+        }
         debugFail('Could not find Headers implementation, make sure you call FetchProvider.initialize() with an appropriate polyfill');
     }
     static response() {
@@ -18975,6 +19048,12 @@ class FetchProvider {
         if (typeof self !== 'undefined' && 'Response' in self) {
             return self.Response;
         }
+        if (typeof globalThis !== 'undefined' && globalThis.Response) {
+            return globalThis.Response;
+        }
+        if (typeof Response !== 'undefined') {
+            return Response;
+        }
         debugFail('Could not find Response implementation, make sure you call FetchProvider.initialize() with an appropriate polyfill');
     }
 }
@@ -19011,12 +19090,15 @@ const SERVER_ERROR_MAP = {
     ["INVALID_PASSWORD" /* ServerError.INVALID_PASSWORD */]: "wrong-password" /* AuthErrorCode.INVALID_PASSWORD */,
     // This can only happen if the SDK sends a bad request.
     ["MISSING_PASSWORD" /* ServerError.MISSING_PASSWORD */]: "missing-password" /* AuthErrorCode.MISSING_PASSWORD */,
+    // Thrown if Email Enumeration Protection is enabled in the project and the email or password is
+    // invalid.
+    ["INVALID_LOGIN_CREDENTIALS" /* ServerError.INVALID_LOGIN_CREDENTIALS */]: "invalid-credential" /* AuthErrorCode.INVALID_CREDENTIAL */,
     // Sign up with email and password errors.
     ["EMAIL_EXISTS" /* ServerError.EMAIL_EXISTS */]: "email-already-in-use" /* AuthErrorCode.EMAIL_EXISTS */,
     ["PASSWORD_LOGIN_DISABLED" /* ServerError.PASSWORD_LOGIN_DISABLED */]: "operation-not-allowed" /* AuthErrorCode.OPERATION_NOT_ALLOWED */,
     // Verify assertion for sign in with credential errors:
-    ["INVALID_IDP_RESPONSE" /* ServerError.INVALID_IDP_RESPONSE */]: "invalid-credential" /* AuthErrorCode.INVALID_IDP_RESPONSE */,
-    ["INVALID_PENDING_TOKEN" /* ServerError.INVALID_PENDING_TOKEN */]: "invalid-credential" /* AuthErrorCode.INVALID_IDP_RESPONSE */,
+    ["INVALID_IDP_RESPONSE" /* ServerError.INVALID_IDP_RESPONSE */]: "invalid-credential" /* AuthErrorCode.INVALID_CREDENTIAL */,
+    ["INVALID_PENDING_TOKEN" /* ServerError.INVALID_PENDING_TOKEN */]: "invalid-credential" /* AuthErrorCode.INVALID_CREDENTIAL */,
     ["FEDERATED_USER_ID_ALREADY_LINKED" /* ServerError.FEDERATED_USER_ID_ALREADY_LINKED */]: "credential-already-in-use" /* AuthErrorCode.CREDENTIAL_ALREADY_IN_USE */,
     // This can only happen if the SDK sends a bad request.
     ["MISSING_REQ_TYPE" /* ServerError.MISSING_REQ_TYPE */]: "internal-error" /* AuthErrorCode.INTERNAL_ERROR */,
@@ -19034,10 +19116,11 @@ const SERVER_ERROR_MAP = {
     ["USER_NOT_FOUND" /* ServerError.USER_NOT_FOUND */]: "user-token-expired" /* AuthErrorCode.TOKEN_EXPIRED */,
     // Other errors.
     ["TOO_MANY_ATTEMPTS_TRY_LATER" /* ServerError.TOO_MANY_ATTEMPTS_TRY_LATER */]: "too-many-requests" /* AuthErrorCode.TOO_MANY_ATTEMPTS_TRY_LATER */,
+    ["PASSWORD_DOES_NOT_MEET_REQUIREMENTS" /* ServerError.PASSWORD_DOES_NOT_MEET_REQUIREMENTS */]: "password-does-not-meet-requirements" /* AuthErrorCode.PASSWORD_DOES_NOT_MEET_REQUIREMENTS */,
     // Phone Auth related errors.
     ["INVALID_CODE" /* ServerError.INVALID_CODE */]: "invalid-verification-code" /* AuthErrorCode.INVALID_CODE */,
     ["INVALID_SESSION_INFO" /* ServerError.INVALID_SESSION_INFO */]: "invalid-verification-id" /* AuthErrorCode.INVALID_SESSION_INFO */,
-    ["INVALID_TEMPORARY_PROOF" /* ServerError.INVALID_TEMPORARY_PROOF */]: "invalid-credential" /* AuthErrorCode.INVALID_IDP_RESPONSE */,
+    ["INVALID_TEMPORARY_PROOF" /* ServerError.INVALID_TEMPORARY_PROOF */]: "invalid-credential" /* AuthErrorCode.INVALID_CREDENTIAL */,
     ["MISSING_SESSION_INFO" /* ServerError.MISSING_SESSION_INFO */]: "missing-verification-id" /* AuthErrorCode.MISSING_SESSION_INFO */,
     ["SESSION_EXPIRED" /* ServerError.SESSION_EXPIRED */]: "code-expired" /* AuthErrorCode.CODE_EXPIRED */,
     // Other action code errors when additional settings passed.
@@ -19185,6 +19268,18 @@ function _getFinalTarget(auth, host, path, query) {
     }
     return _emulatorUrl(auth.config, base);
 }
+function _parseEnforcementState(enforcementStateStr) {
+    switch (enforcementStateStr) {
+        case 'ENFORCE':
+            return "ENFORCE" /* EnforcementState.ENFORCE */;
+        case 'AUDIT':
+            return "AUDIT" /* EnforcementState.AUDIT */;
+        case 'OFF':
+            return "OFF" /* EnforcementState.OFF */;
+        default:
+            return "ENFORCEMENT_STATE_UNSPECIFIED" /* EnforcementState.ENFORCEMENT_STATE_UNSPECIFIED */;
+    }
+}
 class NetworkTimeout {
     constructor(auth) {
         this.auth = auth;
@@ -19217,6 +19312,61 @@ function _makeTaggedError(auth, code, response) {
     error.customData._tokenResponse = response;
     return error;
 }
+function isEnterprise(grecaptcha) {
+    return (grecaptcha !== undefined &&
+        grecaptcha.enterprise !== undefined);
+}
+class RecaptchaConfig {
+    constructor(response) {
+        /**
+         * The reCAPTCHA site key.
+         */
+        this.siteKey = '';
+        /**
+         * The list of providers and their enablement status for reCAPTCHA Enterprise.
+         */
+        this.recaptchaEnforcementState = [];
+        if (response.recaptchaKey === undefined) {
+            throw new Error('recaptchaKey undefined');
+        }
+        // Example response.recaptchaKey: "projects/proj123/keys/sitekey123"
+        this.siteKey = response.recaptchaKey.split('/')[3];
+        this.recaptchaEnforcementState = response.recaptchaEnforcementState;
+    }
+    /**
+     * Returns the reCAPTCHA Enterprise enforcement state for the given provider.
+     *
+     * @param providerStr - The provider whose enforcement state is to be returned.
+     * @returns The reCAPTCHA Enterprise enforcement state for the given provider.
+     */
+    getProviderEnforcementState(providerStr) {
+        if (!this.recaptchaEnforcementState ||
+            this.recaptchaEnforcementState.length === 0) {
+            return null;
+        }
+        for (const recaptchaEnforcementState of this.recaptchaEnforcementState) {
+            if (recaptchaEnforcementState.provider &&
+                recaptchaEnforcementState.provider === providerStr) {
+                return _parseEnforcementState(recaptchaEnforcementState.enforcementState);
+            }
+        }
+        return null;
+    }
+    /**
+     * Returns true if the reCAPTCHA Enterprise enforcement state for the provider is set to ENFORCE or AUDIT.
+     *
+     * @param providerStr - The provider whose enablement state is to be returned.
+     * @returns Whether or not reCAPTCHA Enterprise protection is enabled for the given provider.
+     */
+    isProviderEnabled(providerStr) {
+        return (this.getProviderEnforcementState(providerStr) ===
+            "ENFORCE" /* EnforcementState.ENFORCE */ ||
+            this.getProviderEnforcementState(providerStr) === "AUDIT" /* EnforcementState.AUDIT */);
+    }
+}
+async function getRecaptchaConfig(auth, request) {
+    return _performApiRequest(auth, "GET" /* HttpMethod.GET */, "/v2/recaptchaConfig" /* Endpoint.GET_RECAPTCHA_CONFIG */, _addTidIfNecessary(auth, request));
+}
 
 /**
  * @license
@@ -19621,6 +19771,9 @@ async function requestStsToken(auth, refreshToken) {
         expiresIn: response.expires_in,
         refreshToken: response.refresh_token
     };
+}
+async function revokeToken(auth, request) {
+    return _performApiRequest(auth, "POST" /* HttpMethod.POST */, "/v2/accounts:revokeToken" /* Endpoint.REVOKE_TOKEN */, _addTidIfNecessary(auth, request));
 }
 
 /**
@@ -19664,11 +19817,16 @@ class StsTokenManager {
             : _tokenExpiresIn(response.idToken);
         this.updateTokensAndExpiration(response.idToken, response.refreshToken, expiresIn);
     }
+    updateFromIdToken(idToken) {
+        _assert(idToken.length !== 0, "internal-error" /* AuthErrorCode.INTERNAL_ERROR */);
+        const expiresIn = _tokenExpiresIn(idToken);
+        this.updateTokensAndExpiration(idToken, null, expiresIn);
+    }
     async getToken(auth, forceRefresh = false) {
-        _assert(!this.accessToken || this.refreshToken, auth, "user-token-expired" /* AuthErrorCode.TOKEN_EXPIRED */);
         if (!forceRefresh && this.accessToken && !this.isExpired) {
             return this.accessToken;
         }
+        _assert(this.refreshToken, auth, "user-token-expired" /* AuthErrorCode.TOKEN_EXPIRED */);
         if (this.refreshToken) {
             await this.refresh(auth, this.refreshToken);
             return this.accessToken;
@@ -19848,6 +20006,9 @@ class UserImpl {
         }
     }
     async delete() {
+        if (_isFirebaseServerApp(this.auth.app)) {
+            return Promise.reject(_serverAppCurrentUserOperationNotSupportedError(this.auth));
+        }
         const idToken = await this.getIdToken();
         await _logoutIfInvalidated(this, deleteAccount(this.auth, { idToken }));
         this.stsTokenManager.clearRefreshToken();
@@ -19931,6 +20092,44 @@ class UserImpl {
         await _reloadWithoutSaving(user);
         return user;
     }
+    /**
+     * Initialize a User from an idToken server response
+     * @param auth
+     * @param idTokenResponse
+     */
+    static async _fromGetAccountInfoResponse(auth, response, idToken) {
+        const coreAccount = response.users[0];
+        _assert(coreAccount.localId !== undefined, "internal-error" /* AuthErrorCode.INTERNAL_ERROR */);
+        const providerData = coreAccount.providerUserInfo !== undefined
+            ? extractProviderData(coreAccount.providerUserInfo)
+            : [];
+        const isAnonymous = !(coreAccount.email && coreAccount.passwordHash) && !(providerData === null || providerData === void 0 ? void 0 : providerData.length);
+        const stsTokenManager = new StsTokenManager();
+        stsTokenManager.updateFromIdToken(idToken);
+        // Initialize the Firebase Auth user.
+        const user = new UserImpl({
+            uid: coreAccount.localId,
+            auth,
+            stsTokenManager,
+            isAnonymous
+        });
+        // update the user with data from the GetAccountInfo response.
+        const updates = {
+            uid: coreAccount.localId,
+            displayName: coreAccount.displayName || null,
+            photoURL: coreAccount.photoUrl || null,
+            email: coreAccount.email || null,
+            emailVerified: coreAccount.emailVerified || false,
+            phoneNumber: coreAccount.phoneNumber || null,
+            tenantId: coreAccount.tenantId || null,
+            providerData,
+            metadata: new UserMetadata(coreAccount.createdAt, coreAccount.lastLoginAt),
+            isAnonymous: !(coreAccount.email && coreAccount.passwordHash) &&
+                !(providerData === null || providerData === void 0 ? void 0 : providerData.length)
+        };
+        Object.assign(user, updates);
+        return user;
+    }
 }
 
 /**
@@ -20246,16 +20445,6 @@ function _isMobileBrowser(ua = getUA()) {
         _isBlackBerry(ua) ||
         /windows phone/i.test(ua) ||
         _isIEMobile(ua));
-}
-function _isIframe() {
-    try {
-        // Check that the current window is not the top window.
-        // If so, return true.
-        return !!(window && window !== window.top);
-    }
-    catch (e) {
-        return false;
-    }
 }
 
 /**
@@ -20298,36 +20487,91 @@ function _getClientVersion(clientPlatform, frameworks = []) {
         : 'FirebaseCore-web'; /* default value if no other framework is used */
     return `${reportedPlatform}/${"JsCore" /* ClientImplementation.CORE */}/${SDK_VERSION}/${reportedFrameworks}`;
 }
-async function getRecaptchaConfig(auth, request) {
-    return _performApiRequest(auth, "GET" /* HttpMethod.GET */, "/v2/recaptchaConfig" /* Endpoint.GET_RECAPTCHA_CONFIG */, _addTidIfNecessary(auth, request));
-}
-function isEnterprise(grecaptcha) {
-    return (grecaptcha !== undefined &&
-        grecaptcha.enterprise !== undefined);
-}
-class RecaptchaConfig {
-    constructor(response) {
-        /**
-         * The reCAPTCHA site key.
-         */
-        this.siteKey = '';
-        /**
-         * The reCAPTCHA enablement status of the {@link EmailAuthProvider} for the current tenant.
-         */
-        this.emailPasswordEnabled = false;
-        if (response.recaptchaKey === undefined) {
-            throw new Error('recaptchaKey undefined');
+
+/**
+ * @license
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+class AuthMiddlewareQueue {
+    constructor(auth) {
+        this.auth = auth;
+        this.queue = [];
+    }
+    pushCallback(callback, onAbort) {
+        // The callback could be sync or async. Wrap it into a
+        // function that is always async.
+        const wrappedCallback = (user) => new Promise((resolve, reject) => {
+            try {
+                const result = callback(user);
+                // Either resolve with existing promise or wrap a non-promise
+                // return value into a promise.
+                resolve(result);
+            }
+            catch (e) {
+                // Sync callback throws.
+                reject(e);
+            }
+        });
+        // Attach the onAbort if present
+        wrappedCallback.onAbort = onAbort;
+        this.queue.push(wrappedCallback);
+        const index = this.queue.length - 1;
+        return () => {
+            // Unsubscribe. Replace with no-op. Do not remove from array, or it will disturb
+            // indexing of other elements.
+            this.queue[index] = () => Promise.resolve();
+        };
+    }
+    async runMiddleware(nextUser) {
+        if (this.auth.currentUser === nextUser) {
+            return;
+        }
+        // While running the middleware, build a temporary stack of onAbort
+        // callbacks to call if one middleware callback rejects.
+        const onAbortStack = [];
+        try {
+            for (const beforeStateCallback of this.queue) {
+                await beforeStateCallback(nextUser);
+                // Only push the onAbort if the callback succeeds
+                if (beforeStateCallback.onAbort) {
+                    onAbortStack.push(beforeStateCallback.onAbort);
+                }
+            }
+        }
+        catch (e) {
+            // Run all onAbort, with separate try/catch to ignore any errors and
+            // continue
+            onAbortStack.reverse();
+            for (const onAbort of onAbortStack) {
+                try {
+                    onAbort();
+                }
+                catch (_) {
+                    /* swallow error */
+                }
+            }
+            throw this.auth._errorFactory.create("login-blocked" /* AuthErrorCode.LOGIN_BLOCKED */, {
+                originalMessage: e === null || e === void 0 ? void 0 : e.message
+            });
         }
-        // Example response.recaptchaKey: "projects/proj123/keys/sitekey123"
-        this.siteKey = response.recaptchaKey.split('/')[3];
-        this.emailPasswordEnabled = response.recaptchaEnforcementState.some(enforcementState => enforcementState.provider === 'EMAIL_PASSWORD_PROVIDER' &&
-            enforcementState.enforcementState !== 'OFF');
     }
 }
 
 /**
  * @license
- * Copyright 2020 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20341,232 +20585,162 @@ class RecaptchaConfig {
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-function getScriptParentElement() {
-    var _a, _b;
-    return (_b = (_a = document.getElementsByTagName('head')) === null || _a === void 0 ? void 0 : _a[0]) !== null && _b !== void 0 ? _b : document;
-}
-function _loadJS(url) {
-    // TODO: consider adding timeout support & cancellation
-    return new Promise((resolve, reject) => {
-        const el = document.createElement('script');
-        el.setAttribute('src', url);
-        el.onload = resolve;
-        el.onerror = e => {
-            const error = _createError("internal-error" /* AuthErrorCode.INTERNAL_ERROR */);
-            error.customData = e;
-            reject(error);
-        };
-        el.type = 'text/javascript';
-        el.charset = 'UTF-8';
-        getScriptParentElement().appendChild(el);
-    });
-}
-function _generateCallbackName(prefix) {
-    return `__${prefix}${Math.floor(Math.random() * 1000000)}`;
+/**
+ * Fetches the password policy for the currently set tenant or the project if no tenant is set.
+ *
+ * @param auth Auth object.
+ * @param request Password policy request.
+ * @returns Password policy response.
+ */
+async function _getPasswordPolicy(auth, request = {}) {
+    return _performApiRequest(auth, "GET" /* HttpMethod.GET */, "/v2/passwordPolicy" /* Endpoint.GET_PASSWORD_POLICY */, _addTidIfNecessary(auth, request));
 }
 
-/* eslint-disable @typescript-eslint/no-require-imports */
-const RECAPTCHA_ENTERPRISE_URL = 'https://www.google.com/recaptcha/enterprise.js?render=';
-const RECAPTCHA_ENTERPRISE_VERIFIER_TYPE = 'recaptcha-enterprise';
-const FAKE_TOKEN = 'NO_RECAPTCHA';
-class RecaptchaEnterpriseVerifier {
+/**
+ * @license
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+// Minimum min password length enforced by the backend, even if no minimum length is set.
+const MINIMUM_MIN_PASSWORD_LENGTH = 6;
+/**
+ * Stores password policy requirements and provides password validation against the policy.
+ *
+ * @internal
+ */
+class PasswordPolicyImpl {
+    constructor(response) {
+        var _a, _b, _c, _d;
+        // Only include custom strength options defined in the response.
+        const responseOptions = response.customStrengthOptions;
+        this.customStrengthOptions = {};
+        // TODO: Remove once the backend is updated to include the minimum min password length instead of undefined when there is no minimum length set.
+        this.customStrengthOptions.minPasswordLength =
+            (_a = responseOptions.minPasswordLength) !== null && _a !== void 0 ? _a : MINIMUM_MIN_PASSWORD_LENGTH;
+        if (responseOptions.maxPasswordLength) {
+            this.customStrengthOptions.maxPasswordLength =
+                responseOptions.maxPasswordLength;
+        }
+        if (responseOptions.containsLowercaseCharacter !== undefined) {
+            this.customStrengthOptions.containsLowercaseLetter =
+                responseOptions.containsLowercaseCharacter;
+        }
+        if (responseOptions.containsUppercaseCharacter !== undefined) {
+            this.customStrengthOptions.containsUppercaseLetter =
+                responseOptions.containsUppercaseCharacter;
+        }
+        if (responseOptions.containsNumericCharacter !== undefined) {
+            this.customStrengthOptions.containsNumericCharacter =
+                responseOptions.containsNumericCharacter;
+        }
+        if (responseOptions.containsNonAlphanumericCharacter !== undefined) {
+            this.customStrengthOptions.containsNonAlphanumericCharacter =
+                responseOptions.containsNonAlphanumericCharacter;
+        }
+        this.enforcementState = response.enforcementState;
+        if (this.enforcementState === 'ENFORCEMENT_STATE_UNSPECIFIED') {
+            this.enforcementState = 'OFF';
+        }
+        // Use an empty string if no non-alphanumeric characters are specified in the response.
+        this.allowedNonAlphanumericCharacters =
+            (_c = (_b = response.allowedNonAlphanumericCharacters) === null || _b === void 0 ? void 0 : _b.join('')) !== null && _c !== void 0 ? _c : '';
+        this.forceUpgradeOnSignin = (_d = response.forceUpgradeOnSignin) !== null && _d !== void 0 ? _d : false;
+        this.schemaVersion = response.schemaVersion;
+    }
+    validatePassword(password) {
+        var _a, _b, _c, _d, _e, _f;
+        const status = {
+            isValid: true,
+            passwordPolicy: this
+        };
+        // Check the password length and character options.
+        this.validatePasswordLengthOptions(password, status);
+        this.validatePasswordCharacterOptions(password, status);
+        // Combine the status into single isValid property.
+        status.isValid && (status.isValid = (_a = status.meetsMinPasswordLength) !== null && _a !== void 0 ? _a : true);
+        status.isValid && (status.isValid = (_b = status.meetsMaxPasswordLength) !== null && _b !== void 0 ? _b : true);
+        status.isValid && (status.isValid = (_c = status.containsLowercaseLetter) !== null && _c !== void 0 ? _c : true);
+        status.isValid && (status.isValid = (_d = status.containsUppercaseLetter) !== null && _d !== void 0 ? _d : true);
+        status.isValid && (status.isValid = (_e = status.containsNumericCharacter) !== null && _e !== void 0 ? _e : true);
+        status.isValid && (status.isValid = (_f = status.containsNonAlphanumericCharacter) !== null && _f !== void 0 ? _f : true);
+        return status;
+    }
     /**
+     * Validates that the password meets the length options for the policy.
      *
-     * @param authExtern - The corresponding Firebase {@link Auth} instance.
-     *
+     * @param password Password to validate.
+     * @param status Validation status.
      */
-    constructor(authExtern) {
-        /**
-         * Identifies the type of application verifier (e.g. "recaptcha-enterprise").
-         */
-        this.type = RECAPTCHA_ENTERPRISE_VERIFIER_TYPE;
-        this.auth = _castAuth(authExtern);
+    validatePasswordLengthOptions(password, status) {
+        const minPasswordLength = this.customStrengthOptions.minPasswordLength;
+        const maxPasswordLength = this.customStrengthOptions.maxPasswordLength;
+        if (minPasswordLength) {
+            status.meetsMinPasswordLength = password.length >= minPasswordLength;
+        }
+        if (maxPasswordLength) {
+            status.meetsMaxPasswordLength = password.length <= maxPasswordLength;
+        }
     }
     /**
-     * Executes the verification process.
+     * Validates that the password meets the character options for the policy.
      *
-     * @returns A Promise for a token that can be used to assert the validity of a request.
+     * @param password Password to validate.
+     * @param status Validation status.
      */
-    async verify(action = 'verify', forceRefresh = false) {
-        async function retrieveSiteKey(auth) {
-            if (!forceRefresh) {
-                if (auth.tenantId == null && auth._agentRecaptchaConfig != null) {
-                    return auth._agentRecaptchaConfig.siteKey;
-                }
-                if (auth.tenantId != null &&
-                    auth._tenantRecaptchaConfigs[auth.tenantId] !== undefined) {
-                    return auth._tenantRecaptchaConfigs[auth.tenantId].siteKey;
-                }
-            }
-            return new Promise(async (resolve, reject) => {
-                getRecaptchaConfig(auth, {
-                    clientType: "CLIENT_TYPE_WEB" /* RecaptchaClientType.WEB */,
-                    version: "RECAPTCHA_ENTERPRISE" /* RecaptchaVersion.ENTERPRISE */
-                })
-                    .then(response => {
-                    if (response.recaptchaKey === undefined) {
-                        reject(new Error('recaptcha Enterprise site key undefined'));
-                    }
-                    else {
-                        const config = new RecaptchaConfig(response);
-                        if (auth.tenantId == null) {
-                            auth._agentRecaptchaConfig = config;
-                        }
-                        else {
-                            auth._tenantRecaptchaConfigs[auth.tenantId] = config;
-                        }
-                        return resolve(config.siteKey);
-                    }
-                })
-                    .catch(error => {
-                    reject(error);
-                });
-            });
+    validatePasswordCharacterOptions(password, status) {
+        // Assign statuses for requirements even if the password is an empty string.
+        this.updatePasswordCharacterOptionsStatuses(status, 
+        /* containsLowercaseCharacter= */ false, 
+        /* containsUppercaseCharacter= */ false, 
+        /* containsNumericCharacter= */ false, 
+        /* containsNonAlphanumericCharacter= */ false);
+        let passwordChar;
+        for (let i = 0; i < password.length; i++) {
+            passwordChar = password.charAt(i);
+            this.updatePasswordCharacterOptionsStatuses(status, 
+            /* containsLowercaseCharacter= */ passwordChar >= 'a' &&
+                passwordChar <= 'z', 
+            /* containsUppercaseCharacter= */ passwordChar >= 'A' &&
+                passwordChar <= 'Z', 
+            /* containsNumericCharacter= */ passwordChar >= '0' &&
+                passwordChar <= '9', 
+            /* containsNonAlphanumericCharacter= */ this.allowedNonAlphanumericCharacters.includes(passwordChar));
         }
-        function retrieveRecaptchaToken(siteKey, resolve, reject) {
-            const grecaptcha = window.grecaptcha;
-            if (isEnterprise(grecaptcha)) {
-                grecaptcha.enterprise.ready(() => {
-                    grecaptcha.enterprise
-                        .execute(siteKey, { action })
-                        .then(token => {
-                        resolve(token);
-                    })
-                        .catch(() => {
-                        resolve(FAKE_TOKEN);
-                    });
-                });
-            }
-            else {
-                reject(Error('No reCAPTCHA enterprise script loaded.'));
-            }
-        }
-        return new Promise((resolve, reject) => {
-            retrieveSiteKey(this.auth)
-                .then(siteKey => {
-                if (!forceRefresh && isEnterprise(window.grecaptcha)) {
-                    retrieveRecaptchaToken(siteKey, resolve, reject);
-                }
-                else {
-                    if (typeof window === 'undefined') {
-                        reject(new Error('RecaptchaVerifier is only supported in browser'));
-                        return;
-                    }
-                    _loadJS(RECAPTCHA_ENTERPRISE_URL + siteKey)
-                        .then(() => {
-                        retrieveRecaptchaToken(siteKey, resolve, reject);
-                    })
-                        .catch(error => {
-                        reject(error);
-                    });
-                }
-            })
-                .catch(error => {
-                reject(error);
-            });
-        });
-    }
-}
-async function injectRecaptchaFields(auth, request, action, captchaResp = false) {
-    const verifier = new RecaptchaEnterpriseVerifier(auth);
-    let captchaResponse;
-    try {
-        captchaResponse = await verifier.verify(action);
-    }
-    catch (error) {
-        captchaResponse = await verifier.verify(action, true);
-    }
-    const newRequest = Object.assign({}, request);
-    if (!captchaResp) {
-        Object.assign(newRequest, { captchaResponse });
-    }
-    else {
-        Object.assign(newRequest, { 'captchaResp': captchaResponse });
-    }
-    Object.assign(newRequest, { 'clientType': "CLIENT_TYPE_WEB" /* RecaptchaClientType.WEB */ });
-    Object.assign(newRequest, {
-        'recaptchaVersion': "RECAPTCHA_ENTERPRISE" /* RecaptchaVersion.ENTERPRISE */
-    });
-    return newRequest;
-}
-
-/**
- * @license
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-class AuthMiddlewareQueue {
-    constructor(auth) {
-        this.auth = auth;
-        this.queue = [];
     }
-    pushCallback(callback, onAbort) {
-        // The callback could be sync or async. Wrap it into a
-        // function that is always async.
-        const wrappedCallback = (user) => new Promise((resolve, reject) => {
-            try {
-                const result = callback(user);
-                // Either resolve with existing promise or wrap a non-promise
-                // return value into a promise.
-                resolve(result);
-            }
-            catch (e) {
-                // Sync callback throws.
-                reject(e);
-            }
-        });
-        // Attach the onAbort if present
-        wrappedCallback.onAbort = onAbort;
-        this.queue.push(wrappedCallback);
-        const index = this.queue.length - 1;
-        return () => {
-            // Unsubscribe. Replace with no-op. Do not remove from array, or it will disturb
-            // indexing of other elements.
-            this.queue[index] = () => Promise.resolve();
-        };
-    }
-    async runMiddleware(nextUser) {
-        if (this.auth.currentUser === nextUser) {
-            return;
+    /**
+     * Updates the running validation status with the statuses for the character options.
+     * Expected to be called each time a character is processed to update each option status
+     * based on the current character.
+     *
+     * @param status Validation status.
+     * @param containsLowercaseCharacter Whether the character is a lowercase letter.
+     * @param containsUppercaseCharacter Whether the character is an uppercase letter.
+     * @param containsNumericCharacter Whether the character is a numeric character.
+     * @param containsNonAlphanumericCharacter Whether the character is a non-alphanumeric character.
+     */
+    updatePasswordCharacterOptionsStatuses(status, containsLowercaseCharacter, containsUppercaseCharacter, containsNumericCharacter, containsNonAlphanumericCharacter) {
+        if (this.customStrengthOptions.containsLowercaseLetter) {
+            status.containsLowercaseLetter || (status.containsLowercaseLetter = containsLowercaseCharacter);
         }
-        // While running the middleware, build a temporary stack of onAbort
-        // callbacks to call if one middleware callback rejects.
-        const onAbortStack = [];
-        try {
-            for (const beforeStateCallback of this.queue) {
-                await beforeStateCallback(nextUser);
-                // Only push the onAbort if the callback succeeds
-                if (beforeStateCallback.onAbort) {
-                    onAbortStack.push(beforeStateCallback.onAbort);
-                }
-            }
+        if (this.customStrengthOptions.containsUppercaseLetter) {
+            status.containsUppercaseLetter || (status.containsUppercaseLetter = containsUppercaseCharacter);
         }
-        catch (e) {
-            // Run all onAbort, with separate try/catch to ignore any errors and
-            // continue
-            onAbortStack.reverse();
-            for (const onAbort of onAbortStack) {
-                try {
-                    onAbort();
-                }
-                catch (_) {
-                    /* swallow error */
-                }
-            }
-            throw this.auth._errorFactory.create("login-blocked" /* AuthErrorCode.LOGIN_BLOCKED */, {
-                originalMessage: e === null || e === void 0 ? void 0 : e.message
-            });
+        if (this.customStrengthOptions.containsNumericCharacter) {
+            status.containsNumericCharacter || (status.containsNumericCharacter = containsNumericCharacter);
+        }
+        if (this.customStrengthOptions.containsNonAlphanumericCharacter) {
+            status.containsNonAlphanumericCharacter || (status.containsNonAlphanumericCharacter = containsNonAlphanumericCharacter);
         }
     }
 }
@@ -20601,6 +20775,7 @@ class AuthImpl {
         this.beforeStateQueue = new AuthMiddlewareQueue(this);
         this.redirectUser = null;
         this.isProactiveRefreshEnabled = false;
+        this.EXPECTED_PASSWORD_POLICY_SCHEMA_VERSION = 1;
         // Any network calls will set this to true and prevent subsequent emulator
         // initialization
         this._canInitEmulator = true;
@@ -20611,6 +20786,8 @@ class AuthImpl {
         this._errorFactory = _DEFAULT_AUTH_ERROR_FACTORY;
         this._agentRecaptchaConfig = null;
         this._tenantRecaptchaConfigs = {};
+        this._projectPasswordPolicy = null;
+        this._tenantPasswordPolicies = {};
         // Tracks the last notified UID for state change listeners to prevent
         // repeated calls to the callbacks. Undefined means it's never been
         // called, whereas null means it's been called with a signed out user
@@ -20682,8 +20859,32 @@ class AuthImpl {
         // Skip blocking callbacks, they should not apply to a change in another tab.
         await this._updateCurrentUser(user, /* skipBeforeStateCallbacks */ true);
     }
+    async initializeCurrentUserFromIdToken(idToken) {
+        try {
+            const response = await getAccountInfo(this, { idToken });
+            const user = await UserImpl._fromGetAccountInfoResponse(this, response, idToken);
+            await this.directlySetCurrentUser(user);
+        }
+        catch (err) {
+            console.warn('FirebaseServerApp could not login user with provided authIdToken: ', err);
+            await this.directlySetCurrentUser(null);
+        }
+    }
     async initializeCurrentUser(popupRedirectResolver) {
         var _a;
+        if (_isFirebaseServerApp(this.app)) {
+            const idToken = this.app.settings.authIdToken;
+            if (idToken) {
+                // Start the auth operation in the next tick to allow a moment for the customer's app to
+                // attach an emulator, if desired.
+                return new Promise(resolve => {
+                    setTimeout(() => this.initializeCurrentUserFromIdToken(idToken).then(resolve, resolve));
+                });
+            }
+            else {
+                return this.directlySetCurrentUser(null);
+            }
+        }
         // First check to see if we have a pending redirect event.
         const previouslyStoredUser = (await this.assertedPersistence.getCurrentUser());
         let futureCurrentUser = previouslyStoredUser;
@@ -20789,6 +20990,9 @@ class AuthImpl {
         this._deleted = true;
     }
     async updateCurrentUser(userExtern) {
+        if (_isFirebaseServerApp(this.app)) {
+            return Promise.reject(_serverAppCurrentUserOperationNotSupportedError(this));
+        }
         // The public updateCurrentUser method needs to make a copy of the user,
         // and also check that the project matches
         const user = userExtern
@@ -20815,6 +21019,9 @@ class AuthImpl {
         });
     }
     async signOut() {
+        if (_isFirebaseServerApp(this.app)) {
+            return Promise.reject(_serverAppCurrentUserOperationNotSupportedError(this));
+        }
         // Run first, to block _setRedirectUser() if any callbacks fail.
         await this.beforeStateQueue.runMiddleware(null);
         // Clear the redirect user when signOut is called
@@ -20826,33 +21033,51 @@ class AuthImpl {
         return this._updateCurrentUser(null, /* skipBeforeStateCallbacks */ true);
     }
     setPersistence(persistence) {
+        if (_isFirebaseServerApp(this.app)) {
+            return Promise.reject(_serverAppCurrentUserOperationNotSupportedError(this));
+        }
         return this.queue(async () => {
             await this.assertedPersistence.setPersistence(_getInstance(persistence));
         });
     }
-    async initializeRecaptchaConfig() {
-        const response = await getRecaptchaConfig(this, {
-            clientType: "CLIENT_TYPE_WEB" /* RecaptchaClientType.WEB */,
-            version: "RECAPTCHA_ENTERPRISE" /* RecaptchaVersion.ENTERPRISE */
-        });
-        const config = new RecaptchaConfig(response);
+    _getRecaptchaConfig() {
         if (this.tenantId == null) {
-            this._agentRecaptchaConfig = config;
+            return this._agentRecaptchaConfig;
         }
         else {
-            this._tenantRecaptchaConfigs[this.tenantId] = config;
+            return this._tenantRecaptchaConfigs[this.tenantId];
+        }
+    }
+    async validatePassword(password) {
+        if (!this._getPasswordPolicyInternal()) {
+            await this._updatePasswordPolicy();
         }
-        if (config.emailPasswordEnabled) {
-            const verifier = new RecaptchaEnterpriseVerifier(this);
-            void verifier.verify();
+        // Password policy will be defined after fetching.
+        const passwordPolicy = this._getPasswordPolicyInternal();
+        // Check that the policy schema version is supported by the SDK.
+        // TODO: Update this logic to use a max supported policy schema version once we have multiple schema versions.
+        if (passwordPolicy.schemaVersion !==
+            this.EXPECTED_PASSWORD_POLICY_SCHEMA_VERSION) {
+            return Promise.reject(this._errorFactory.create("unsupported-password-policy-schema-version" /* AuthErrorCode.UNSUPPORTED_PASSWORD_POLICY_SCHEMA_VERSION */, {}));
         }
+        return passwordPolicy.validatePassword(password);
     }
-    _getRecaptchaConfig() {
-        if (this.tenantId == null) {
-            return this._agentRecaptchaConfig;
+    _getPasswordPolicyInternal() {
+        if (this.tenantId === null) {
+            return this._projectPasswordPolicy;
         }
         else {
-            return this._tenantRecaptchaConfigs[this.tenantId];
+            return this._tenantPasswordPolicies[this.tenantId];
+        }
+    }
+    async _updatePasswordPolicy() {
+        const response = await _getPasswordPolicy(this);
+        const passwordPolicy = new PasswordPolicyImpl(response);
+        if (this.tenantId === null) {
+            this._projectPasswordPolicy = passwordPolicy;
+        }
+        else {
+            this._tenantPasswordPolicies[this.tenantId] = passwordPolicy;
         }
     }
     _getPersistence() {
@@ -20870,6 +21095,38 @@ class AuthImpl {
     onIdTokenChanged(nextOrObserver, error, completed) {
         return this.registerStateListener(this.idTokenSubscription, nextOrObserver, error, completed);
     }
+    authStateReady() {
+        return new Promise((resolve, reject) => {
+            if (this.currentUser) {
+                resolve();
+            }
+            else {
+                const unsubscribe = this.onAuthStateChanged(() => {
+                    unsubscribe();
+                    resolve();
+                }, reject);
+            }
+        });
+    }
+    /**
+     * Revokes the given access token. Currently only supports Apple OAuth access tokens.
+     */
+    async revokeAccessToken(token) {
+        if (this.currentUser) {
+            const idToken = await this.currentUser.getIdToken();
+            // Generalize this to accept other providers once supported.
+            const request = {
+                providerId: 'apple.com',
+                tokenType: "ACCESS_TOKEN" /* TokenType.ACCESS_TOKEN */,
+                token,
+                idToken
+            };
+            if (this.tenantId != null) {
+                request.tenantId = this.tenantId;
+            }
+            await revokeToken(this, request);
+        }
+    }
     toJSON() {
         var _a;
         return {
@@ -20960,18 +21217,32 @@ class AuthImpl {
         const cb = typeof nextOrObserver === 'function'
             ? nextOrObserver
             : nextOrObserver.next.bind(nextOrObserver);
+        let isUnsubscribed = false;
         const promise = this._isInitialized
             ? Promise.resolve()
             : this._initializationPromise;
         _assert(promise, this, "internal-error" /* AuthErrorCode.INTERNAL_ERROR */);
         // The callback needs to be called asynchronously per the spec.
         // eslint-disable-next-line @typescript-eslint/no-floating-promises
-        promise.then(() => cb(this.currentUser));
+        promise.then(() => {
+            if (isUnsubscribed) {
+                return;
+            }
+            cb(this.currentUser);
+        });
         if (typeof nextOrObserver === 'function') {
-            return subscription.addObserver(nextOrObserver, error, completed);
+            const unsubscribe = subscription.addObserver(nextOrObserver, error, completed);
+            return () => {
+                isUnsubscribed = true;
+                unsubscribe();
+            };
         }
         else {
-            return subscription.addObserver(nextOrObserver);
+            const unsubscribe = subscription.addObserver(nextOrObserver);
+            return () => {
+                isUnsubscribed = true;
+                unsubscribe();
+            };
         }
     }
     /**
@@ -21056,7 +21327,7 @@ class AuthImpl {
     }
 }
 /**
- * Method to be used to cast down to our private implmentation of Auth.
+ * Method to be used to cast down to our private implementation of Auth.
  * It will also handle unwrapping from the compat type if necessary
  *
  * @param auth Auth object passed in from developer
@@ -21077,6 +21348,194 @@ class Subscription {
     }
 }
 
+/**
+ * @license
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+let externalJSProvider = {
+    async loadJS() {
+        throw new Error('Unable to load external scripts');
+    },
+    recaptchaV2Script: '',
+    recaptchaEnterpriseScript: '',
+    gapiScript: ''
+};
+function _setExternalJSProvider(p) {
+    externalJSProvider = p;
+}
+function _loadJS(url) {
+    return externalJSProvider.loadJS(url);
+}
+function _recaptchaEnterpriseScriptUrl() {
+    return externalJSProvider.recaptchaEnterpriseScript;
+}
+function _gapiScriptUrl() {
+    return externalJSProvider.gapiScript;
+}
+function _generateCallbackName(prefix) {
+    return `__${prefix}${Math.floor(Math.random() * 1000000)}`;
+}
+
+/* eslint-disable @typescript-eslint/no-require-imports */
+const RECAPTCHA_ENTERPRISE_VERIFIER_TYPE = 'recaptcha-enterprise';
+const FAKE_TOKEN = 'NO_RECAPTCHA';
+class RecaptchaEnterpriseVerifier {
+    /**
+     *
+     * @param authExtern - The corresponding Firebase {@link Auth} instance.
+     *
+     */
+    constructor(authExtern) {
+        /**
+         * Identifies the type of application verifier (e.g. "recaptcha-enterprise").
+         */
+        this.type = RECAPTCHA_ENTERPRISE_VERIFIER_TYPE;
+        this.auth = _castAuth(authExtern);
+    }
+    /**
+     * Executes the verification process.
+     *
+     * @returns A Promise for a token that can be used to assert the validity of a request.
+     */
+    async verify(action = 'verify', forceRefresh = false) {
+        async function retrieveSiteKey(auth) {
+            if (!forceRefresh) {
+                if (auth.tenantId == null && auth._agentRecaptchaConfig != null) {
+                    return auth._agentRecaptchaConfig.siteKey;
+                }
+                if (auth.tenantId != null &&
+                    auth._tenantRecaptchaConfigs[auth.tenantId] !== undefined) {
+                    return auth._tenantRecaptchaConfigs[auth.tenantId].siteKey;
+                }
+            }
+            return new Promise(async (resolve, reject) => {
+                getRecaptchaConfig(auth, {
+                    clientType: "CLIENT_TYPE_WEB" /* RecaptchaClientType.WEB */,
+                    version: "RECAPTCHA_ENTERPRISE" /* RecaptchaVersion.ENTERPRISE */
+                })
+                    .then(response => {
+                    if (response.recaptchaKey === undefined) {
+                        reject(new Error('recaptcha Enterprise site key undefined'));
+                    }
+                    else {
+                        const config = new RecaptchaConfig(response);
+                        if (auth.tenantId == null) {
+                            auth._agentRecaptchaConfig = config;
+                        }
+                        else {
+                            auth._tenantRecaptchaConfigs[auth.tenantId] = config;
+                        }
+                        return resolve(config.siteKey);
+                    }
+                })
+                    .catch(error => {
+                    reject(error);
+                });
+            });
+        }
+        function retrieveRecaptchaToken(siteKey, resolve, reject) {
+            const grecaptcha = window.grecaptcha;
+            if (isEnterprise(grecaptcha)) {
+                grecaptcha.enterprise.ready(() => {
+                    grecaptcha.enterprise
+                        .execute(siteKey, { action })
+                        .then(token => {
+                        resolve(token);
+                    })
+                        .catch(() => {
+                        resolve(FAKE_TOKEN);
+                    });
+                });
+            }
+            else {
+                reject(Error('No reCAPTCHA enterprise script loaded.'));
+            }
+        }
+        return new Promise((resolve, reject) => {
+            retrieveSiteKey(this.auth)
+                .then(siteKey => {
+                if (!forceRefresh && isEnterprise(window.grecaptcha)) {
+                    retrieveRecaptchaToken(siteKey, resolve, reject);
+                }
+                else {
+                    if (typeof window === 'undefined') {
+                        reject(new Error('RecaptchaVerifier is only supported in browser'));
+                        return;
+                    }
+                    let url = _recaptchaEnterpriseScriptUrl();
+                    if (url.length !== 0) {
+                        url += siteKey;
+                    }
+                    _loadJS(url)
+                        .then(() => {
+                        retrieveRecaptchaToken(siteKey, resolve, reject);
+                    })
+                        .catch(error => {
+                        reject(error);
+                    });
+                }
+            })
+                .catch(error => {
+                reject(error);
+            });
+        });
+    }
+}
+async function injectRecaptchaFields(auth, request, action, captchaResp = false) {
+    const verifier = new RecaptchaEnterpriseVerifier(auth);
+    let captchaResponse;
+    try {
+        captchaResponse = await verifier.verify(action);
+    }
+    catch (error) {
+        captchaResponse = await verifier.verify(action, true);
+    }
+    const newRequest = Object.assign({}, request);
+    if (!captchaResp) {
+        Object.assign(newRequest, { captchaResponse });
+    }
+    else {
+        Object.assign(newRequest, { 'captchaResp': captchaResponse });
+    }
+    Object.assign(newRequest, { 'clientType': "CLIENT_TYPE_WEB" /* RecaptchaClientType.WEB */ });
+    Object.assign(newRequest, {
+        'recaptchaVersion': "RECAPTCHA_ENTERPRISE" /* RecaptchaVersion.ENTERPRISE */
+    });
+    return newRequest;
+}
+async function handleRecaptchaFlow(authInstance, request, actionName, actionMethod) {
+    var _a;
+    if ((_a = authInstance
+        ._getRecaptchaConfig()) === null || _a === void 0 ? void 0 : _a.isProviderEnabled("EMAIL_PASSWORD_PROVIDER" /* RecaptchaProvider.EMAIL_PASSWORD_PROVIDER */)) {
+        const requestWithRecaptcha = await injectRecaptchaFields(authInstance, request, actionName, actionName === "getOobCode" /* RecaptchaActionName.GET_OOB_CODE */);
+        return actionMethod(authInstance, requestWithRecaptcha);
+    }
+    else {
+        return actionMethod(authInstance, request).catch(async (error) => {
+            if (error.code === `auth/${"missing-recaptcha-token" /* AuthErrorCode.MISSING_RECAPTCHA_TOKEN */}`) {
+                console.log(`${actionName} is protected by reCAPTCHA Enterprise for this project. Automatically triggering the reCAPTCHA flow and restarting the flow.`);
+                const requestWithRecaptcha = await injectRecaptchaFields(authInstance, request, actionName, actionName === "getOobCode" /* RecaptchaActionName.GET_OOB_CODE */);
+                return actionMethod(authInstance, requestWithRecaptcha);
+            }
+            else {
+                return Promise.reject(error);
+            }
+        });
+    }
+}
+
 /**
  * @license
  * Copyright 2020 Google LLC
@@ -21340,8 +21799,10 @@ class AuthCredential {
 async function resetPassword(auth, request) {
     return _performApiRequest(auth, "POST" /* HttpMethod.POST */, "/v1/accounts:resetPassword" /* Endpoint.RESET_PASSWORD */, _addTidIfNecessary(auth, request));
 }
-async function updateEmailPassword(auth, request) {
-    return _performApiRequest(auth, "POST" /* HttpMethod.POST */, "/v1/accounts:update" /* Endpoint.SET_ACCOUNT_INFO */, request);
+// Used for linking an email/password account to an existing idToken. Uses the same request/response
+// format as updateEmailPassword.
+async function linkEmailPassword(auth, request) {
+    return _performApiRequest(auth, "POST" /* HttpMethod.POST */, "/v1/accounts:signUp" /* Endpoint.SIGN_UP */, request);
 }
 
 /**
@@ -21472,7 +21933,6 @@ class EmailAuthCredential extends AuthCredential {
     }
     /** @internal */
     async _getIdTokenResponse(auth) {
-        var _a;
         switch (this.signInMethod) {
             case "password" /* SignInMethod.EMAIL_PASSWORD */:
                 const request = {
@@ -21481,22 +21941,7 @@ class EmailAuthCredential extends AuthCredential {
                     password: this._password,
                     clientType: "CLIENT_TYPE_WEB" /* RecaptchaClientType.WEB */
                 };
-                if ((_a = auth._getRecaptchaConfig()) === null || _a === void 0 ? void 0 : _a.emailPasswordEnabled) {
-                    const requestWithRecaptcha = await injectRecaptchaFields(auth, request, "signInWithPassword" /* RecaptchaActionName.SIGN_IN_WITH_PASSWORD */);
-                    return signInWithPassword(auth, requestWithRecaptcha);
-                }
-                else {
-                    return signInWithPassword(auth, request).catch(async (error) => {
-                        if (error.code === `auth/${"missing-recaptcha-token" /* AuthErrorCode.MISSING_RECAPTCHA_TOKEN */}`) {
-                            console.log('Sign-in with email address and password is protected by reCAPTCHA for this project. Automatically triggering the reCAPTCHA flow and restarting the sign-in flow.');
-                            const requestWithRecaptcha = await injectRecaptchaFields(auth, request, "signInWithPassword" /* RecaptchaActionName.SIGN_IN_WITH_PASSWORD */);
-                            return signInWithPassword(auth, requestWithRecaptcha);
-                        }
-                        else {
-                            return Promise.reject(error);
-                        }
-                    });
-                }
+                return handleRecaptchaFlow(auth, request, "signInWithPassword" /* RecaptchaActionName.SIGN_IN_WITH_PASSWORD */, signInWithPassword);
             case "emailLink" /* SignInMethod.EMAIL_LINK */:
                 return signInWithEmailLink$1(auth, {
                     email: this._email,
@@ -21510,12 +21955,14 @@ class EmailAuthCredential extends AuthCredential {
     async _linkToIdToken(auth, idToken) {
         switch (this.signInMethod) {
             case "password" /* SignInMethod.EMAIL_PASSWORD */:
-                return updateEmailPassword(auth, {
+                const request = {
                     idToken,
                     returnSecureToken: true,
                     email: this._email,
-                    password: this._password
-                });
+                    password: this._password,
+                    clientType: "CLIENT_TYPE_WEB" /* RecaptchaClientType.WEB */
+                };
+                return handleRecaptchaFlow(auth, request, "signUpPassword" /* RecaptchaActionName.SIGN_UP_PASSWORD */, linkEmailPassword);
             case "emailLink" /* SignInMethod.EMAIL_LINK */:
                 return signInWithEmailLinkForLinking(auth, {
                     idToken,
@@ -22133,7 +22580,7 @@ FacebookAuthProvider.PROVIDER_ID = "facebook.com" /* ProviderId.FACEBOOK */;
  * limitations under the License.
  */
 /**
- * Provider for generating an an {@link OAuthCredential} for {@link ProviderId}.GOOGLE.
+ * Provider for generating an {@link OAuthCredential} for {@link ProviderId}.GOOGLE.
  *
  * @example
  * ```javascript
@@ -22275,7 +22722,7 @@ GoogleAuthProvider.PROVIDER_ID = "google.com" /* ProviderId.GOOGLE */;
  * if (result) {
  *   // This is the signed-in user
  *   const user = result.user;
- *   // This gives you a Github Access Token.
+ *   // This gives you a GitHub Access Token.
  *   const credential = GithubAuthProvider.credentialFromResult(result);
  *   const token = credential.accessToken;
  * }
@@ -22290,7 +22737,7 @@ GoogleAuthProvider.PROVIDER_ID = "google.com" /* ProviderId.GOOGLE */;
  *
  * // The signed-in user info.
  * const user = result.user;
- * // This gives you a Github Access Token.
+ * // This gives you a GitHub Access Token.
  * const credential = GithubAuthProvider.credentialFromResult(result);
  * const token = credential.accessToken;
  * ```
@@ -22301,9 +22748,9 @@ class GithubAuthProvider extends BaseOAuthProvider {
         super("github.com" /* ProviderId.GITHUB */);
     }
     /**
-     * Creates a credential for Github.
+     * Creates a credential for GitHub.
      *
-     * @param accessToken - Github access token.
+     * @param accessToken - GitHub access token.
      */
     static credential(accessToken) {
         return OAuthCredential._fromParams({
@@ -22584,6 +23031,9 @@ async function _link$1(user, credential, bypassAuthState = false) {
  */
 async function _reauthenticate(user, credential, bypassAuthState = false) {
     const { auth } = user;
+    if (_isFirebaseServerApp(auth.app)) {
+        return Promise.reject(_serverAppCurrentUserOperationNotSupportedError(auth));
+    }
     const operationType = "reauthenticate" /* OperationType.REAUTHENTICATE */;
     try {
         const response = await _logoutIfInvalidated(user, _processCredentialSavingMfaContextIfNecessary(auth, operationType, credential, user), bypassAuthState);
@@ -22620,6 +23070,9 @@ async function _reauthenticate(user, credential, bypassAuthState = false) {
  * limitations under the License.
  */
 async function _signInWithCredential(auth, credential, bypassAuthState = false) {
+    if (_isFirebaseServerApp(auth.app)) {
+        return Promise.reject(_serverAppCurrentUserOperationNotSupportedError(auth));
+    }
     const operationType = "signIn" /* OperationType.SIGN_IN */;
     const response = await _processCredentialSavingMfaContextIfNecessary(auth, operationType, credential);
     const userCredential = await UserCredentialImpl._fromIdTokenResponse(auth, operationType, response);
@@ -22634,6 +23087,9 @@ async function _signInWithCredential(auth, credential, bypassAuthState = false)
  * @remarks
  * An {@link AuthProvider} can be used to generate the credential.
  *
+ * This method is not supported by {@link Auth} instances created with a
+ * {@link @firebase/app#FirebaseServerApp}.
+ *
  * @param auth - The {@link Auth} instance.
  * @param credential - The auth credential.
  *
@@ -22697,7 +23153,29 @@ function _setActionCodeSettingsOnRequest(auth, request, actionCodeSettings) {
  * limitations under the License.
  */
 /**
- * Sends a password reset email to the given email address.
+ * Updates the password policy cached in the {@link Auth} instance if a policy is already
+ * cached for the project or tenant.
+ *
+ * @remarks
+ * We only fetch the password policy if the password did not meet policy requirements and
+ * there is an existing policy cached. A developer must call validatePassword at least
+ * once for the cache to be automatically updated.
+ *
+ * @param auth - The {@link Auth} instance.
+ *
+ * @private
+ */
+async function recachePasswordPolicy(auth) {
+    const authInternal = _castAuth(auth);
+    if (authInternal._getPasswordPolicyInternal()) {
+        await authInternal._updatePasswordPolicy();
+    }
+}
+/**
+ * Sends a password reset email to the given email address. This method does not throw an error when
+ * there's no user account with the given email address and
+ * {@link https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection | Email Enumeration Protection}
+ * is enabled.
  *
  * @remarks
  * To complete the password reset, call {@link confirmPasswordReset} with the code supplied in
@@ -22729,39 +23207,16 @@ function _setActionCodeSettingsOnRequest(auth, request, actionCodeSettings) {
  * @public
  */
 async function sendPasswordResetEmail(auth, email, actionCodeSettings) {
-    var _a;
     const authInternal = _castAuth(auth);
     const request = {
         requestType: "PASSWORD_RESET" /* ActionCodeOperation.PASSWORD_RESET */,
         email,
         clientType: "CLIENT_TYPE_WEB" /* RecaptchaClientType.WEB */
     };
-    if ((_a = authInternal._getRecaptchaConfig()) === null || _a === void 0 ? void 0 : _a.emailPasswordEnabled) {
-        const requestWithRecaptcha = await injectRecaptchaFields(authInternal, request, "getOobCode" /* RecaptchaActionName.GET_OOB_CODE */, true);
-        if (actionCodeSettings) {
-            _setActionCodeSettingsOnRequest(authInternal, requestWithRecaptcha, actionCodeSettings);
-        }
-        await sendPasswordResetEmail$1(authInternal, requestWithRecaptcha);
-    }
-    else {
-        if (actionCodeSettings) {
-            _setActionCodeSettingsOnRequest(authInternal, request, actionCodeSettings);
-        }
-        await sendPasswordResetEmail$1(authInternal, request)
-            .catch(async (error) => {
-            if (error.code === `auth/${"missing-recaptcha-token" /* AuthErrorCode.MISSING_RECAPTCHA_TOKEN */}`) {
-                console.log('Password resets are protected by reCAPTCHA for this project. Automatically triggering the reCAPTCHA flow and restarting the password reset flow.');
-                const requestWithRecaptcha = await injectRecaptchaFields(authInternal, request, "getOobCode" /* RecaptchaActionName.GET_OOB_CODE */, true);
-                if (actionCodeSettings) {
-                    _setActionCodeSettingsOnRequest(authInternal, requestWithRecaptcha, actionCodeSettings);
-                }
-                await sendPasswordResetEmail$1(authInternal, requestWithRecaptcha);
-            }
-            else {
-                return Promise.reject(error);
-            }
-        });
+    if (actionCodeSettings) {
+        _setActionCodeSettingsOnRequest(authInternal, request, actionCodeSettings);
     }
+    await handleRecaptchaFlow(authInternal, request, "getOobCode" /* RecaptchaActionName.GET_OOB_CODE */, sendPasswordResetEmail$1);
 }
 /**
  * Completes the password reset process, given a confirmation code and new password.
@@ -22776,6 +23231,13 @@ async function confirmPasswordReset(auth, oobCode, newPassword) {
     await resetPassword(getModularInstance$1(auth), {
         oobCode,
         newPassword
+    })
+        .catch(async (error) => {
+        if (error.code ===
+            `auth/${"password-does-not-meet-requirements" /* AuthErrorCode.PASSWORD_DOES_NOT_MEET_REQUIREMENTS */}`) {
+            void recachePasswordPolicy(auth);
+        }
+        throw error;
     });
     // Do not return the email.
 }
@@ -22783,12 +23245,19 @@ async function confirmPasswordReset(auth, oobCode, newPassword) {
  * Asynchronously signs in using an email and password.
  *
  * @remarks
- * Fails with an error if the email address and password do not match.
+ * Fails with an error if the email address and password do not match. When
+ * {@link https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection | Email Enumeration Protection}
+ * is enabled, this method fails with "auth/invalid-credential" in case of an invalid
+ * email/password.
+ *
+ * This method is not supported on {@link Auth} instances created with a
+ * {@link @firebase/app#FirebaseServerApp}.
  *
  * Note: The user's password is NOT the password used to access the user's email account. The
  * email address serves as a unique identifier for the user, and the password is used to access
  * the user's account in your Firebase project. See also: {@link createUserWithEmailAndPassword}.
  *
+ *
  * @param auth - The {@link Auth} instance.
  * @param email - The users email address.
  * @param password - The users password.
@@ -22796,7 +23265,15 @@ async function confirmPasswordReset(auth, oobCode, newPassword) {
  * @public
  */
 function signInWithEmailAndPassword(auth, email, password) {
-    return signInWithCredential(getModularInstance$1(auth), EmailAuthProvider.credential(email, password));
+    if (_isFirebaseServerApp(auth.app)) {
+        return Promise.reject(_serverAppCurrentUserOperationNotSupportedError(auth));
+    }
+    return signInWithCredential(getModularInstance$1(auth), EmailAuthProvider.credential(email, password)).catch(async (error) => {
+        if (error.code === `auth/${"password-does-not-meet-requirements" /* AuthErrorCode.PASSWORD_DOES_NOT_MEET_REQUIREMENTS */}`) {
+            void recachePasswordPolicy(auth);
+        }
+        throw error;
+    });
 }
 /**
  * Adds an observer for changes to the signed-in user's ID token.
@@ -22903,10 +23380,6 @@ class BrowserPersistenceClass {
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-function _iframeCannotSyncWebStorage() {
-    const ua = getUA();
-    return _isSafari(ua) || _isIOS(ua);
-}
 // The polling period in case events are not supported
 const _POLLING_INTERVAL_MS$1 = 1000;
 // The IE 10 localStorage cross tab synchronization delay in milliseconds
@@ -22920,8 +23393,6 @@ class BrowserLocalPersistence extends BrowserPersistenceClass {
         // setTimeout return value is platform specific
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         this.pollTimer = null;
-        // Safari or iOS browser and embedded in an iframe.
-        this.safariLocalStorageNotSynced = _iframeCannotSyncWebStorage() && _isIframe();
         // Whether to use polling instead of depending on window events
         this.fallbackToPolling = _isMobileBrowser();
         this._shouldAllowMigration = true;
@@ -22960,27 +23431,6 @@ class BrowserLocalPersistence extends BrowserPersistenceClass {
             // Remove polling listener to prevent possible event duplication.
             this.stopPolling();
         }
-        // Safari embedded iframe. Storage event will trigger with the delta
-        // changes but no changes will be applied to the iframe localStorage.
-        if (this.safariLocalStorageNotSynced) {
-            // Get current iframe page value.
-            const storedValue = this.storage.getItem(key);
-            // Value not synchronized, synchronize manually.
-            if (event.newValue !== storedValue) {
-                if (event.newValue !== null) {
-                    // Value changed from current value.
-                    this.storage.setItem(key, event.newValue);
-                }
-                else {
-                    // Current value deleted.
-                    this.storage.removeItem(key);
-                }
-            }
-            else if (this.localCache[key] === event.newValue && !poll) {
-                // Already detected and processed, do not trigger listeners again.
-                return;
-            }
-        }
         const triggerListeners = () => {
             // Keep local map up to date in case storage event is triggered before
             // poll.
@@ -23271,7 +23721,7 @@ class Receiver {
      * Unsubscribe an event handler from a particular event.
      *
      * @param eventType - Event name to unsubscribe from.
-     * @param eventHandler - Optinoal event handler, if none provided, unsubscribe all handlers on this event.
+     * @param eventHandler - Optional event handler, if none provided, unsubscribe all handlers on this event.
      *
      */
     _unsubscribe(eventType, eventHandler) {
@@ -23765,11 +24215,13 @@ class IndexedDBLocalPersistence {
         }
         const keys = [];
         const keysInResult = new Set();
-        for (const { fbase_key: key, value } of result) {
-            keysInResult.add(key);
-            if (JSON.stringify(this.localCache[key]) !== JSON.stringify(value)) {
-                this.notifyListeners(key, value);
-                keys.push(key);
+        if (result.length !== 0) {
+            for (const { fbase_key: key, value } of result) {
+                keysInResult.add(key);
+                if (JSON.stringify(this.localCache[key]) !== JSON.stringify(value)) {
+                    this.notifyListeners(key, value);
+                    keys.push(key);
+                }
             }
         }
         for (const localKey of Object.keys(this.localCache)) {
@@ -24225,6 +24677,9 @@ function pendingRedirectKey(auth) {
     return _persistenceKeyName(PENDING_REDIRECT_KEY, auth.config.apiKey, auth.name);
 }
 async function _getRedirectResult(auth, resolverExtern, bypassAuthState = false) {
+    if (_isFirebaseServerApp(auth.app)) {
+        return Promise.reject(_serverAppCurrentUserOperationNotSupportedError(auth));
+    }
     const authInternal = _castAuth(auth);
     const resolver = _withDefaultResolver(authInternal, resolverExtern);
     const action = new RedirectAction(authInternal, resolver, bypassAuthState);
@@ -24455,7 +24910,7 @@ function matchDomain(expected) {
  */
 const NETWORK_TIMEOUT = new Delay(30000, 60000);
 /**
- * Reset unlaoded GApi modules. If gapi.load fails due to a network error,
+ * Reset unloaded GApi modules. If gapi.load fails due to a network error,
  * it will stop working after a retrial. This is a hack to fix this issue.
  */
 function resetUnloadedGapiModules() {
@@ -24535,7 +24990,7 @@ function loadGapi(auth) {
                 }
             };
             // Load GApi loader.
-            return _loadJS(`https://apis.google.com/js/api.js?onload=${cbName}`)
+            return _loadJS(`${_gapiScriptUrl()}?onload=${cbName}`)
                 .catch(e => reject(e));
         }
     }).catch(error => {
@@ -24790,7 +25245,7 @@ async function _getRedirectUrl(auth, provider, authType, redirectUrl, eventId, a
     if (auth.tenantId) {
         params.tid = auth.tenantId;
     }
-    // TODO: maybe set eid as endipointId
+    // TODO: maybe set eid as endpointId
     // TODO: maybe set fw as Frameworks.join(",")
     const paramsDict = params;
     for (const key of Object.keys(paramsDict)) {
@@ -24918,12 +25373,15 @@ class BrowserPopupRedirectResolver {
  * An implementation of {@link PopupRedirectResolver} suitable for browser
  * based applications.
  *
+ * @remarks
+ * This method does not work in a Node.js environment.
+ *
  * @public
  */
 const browserPopupRedirectResolver = BrowserPopupRedirectResolver;
 
 var name = "@firebase/auth";
-var version = "0.23.2";
+var version = "1.7.7";
 
 /**
  * @license
@@ -25020,6 +25478,8 @@ function getVersionForPlatform(clientPlatform) {
             return 'webworker';
         case "Cordova" /* ClientPlatform.CORDOVA */:
             return 'cordova';
+        case "WebExtension" /* ClientPlatform.WEB_EXTENSION */:
+            return 'web-extension';
         default:
             return undefined;
     }
@@ -25129,11 +25589,18 @@ function getAuth(app = getApp()) {
             browserSessionPersistence
         ]
     });
-    const authTokenSyncUrl = getExperimentalSetting('authTokenSyncURL');
-    if (authTokenSyncUrl) {
-        const mintCookie = mintCookieFactory(authTokenSyncUrl);
-        beforeAuthStateChanged(auth, mintCookie, () => mintCookie(auth.currentUser));
-        onIdTokenChanged(auth, user => mintCookie(user));
+    const authTokenSyncPath = getExperimentalSetting('authTokenSyncURL');
+    // Only do the Cookie exchange in a secure context
+    if (authTokenSyncPath &&
+        typeof isSecureContext === 'boolean' &&
+        isSecureContext) {
+        // Don't allow urls (XSS possibility), only paths on the same domain
+        const authTokenSyncUrl = new URL(authTokenSyncPath, location.origin);
+        if (location.origin === authTokenSyncUrl.origin) {
+            const mintCookie = mintCookieFactory(authTokenSyncUrl.toString());
+            beforeAuthStateChanged(auth, mintCookie, () => mintCookie(auth.currentUser));
+            onIdTokenChanged(auth, user => mintCookie(user));
+        }
     }
     const authEmulatorHost = getDefaultEmulatorHost$1('auth');
     if (authEmulatorHost) {
@@ -25141,6 +25608,31 @@ function getAuth(app = getApp()) {
     }
     return auth;
 }
+function getScriptParentElement() {
+    var _a, _b;
+    return (_b = (_a = document.getElementsByTagName('head')) === null || _a === void 0 ? void 0 : _a[0]) !== null && _b !== void 0 ? _b : document;
+}
+_setExternalJSProvider({
+    loadJS(url) {
+        // TODO: consider adding timeout support & cancellation
+        return new Promise((resolve, reject) => {
+            const el = document.createElement('script');
+            el.setAttribute('src', url);
+            el.onload = resolve;
+            el.onerror = e => {
+                const error = _createError("internal-error" /* AuthErrorCode.INTERNAL_ERROR */);
+                error.customData = e;
+                reject(error);
+            };
+            el.type = 'text/javascript';
+            el.charset = 'UTF-8';
+            getScriptParentElement().appendChild(el);
+        });
+    },
+    gapiScript: 'https://apis.google.com/js/api.js',
+    recaptchaV2Script: 'https://www.google.com/recaptcha/api.js',
+    recaptchaEnterpriseScript: 'https://www.google.com/recaptcha/enterprise.js?render='
+});
 registerAuth("Browser" /* ClientPlatform.BROWSER */);
 
 const fromFirebaseDate = (date) => {
@@ -25187,16 +25679,16 @@ class FirebaseUser {
         var _a;
         return (_a = this.user) === null || _a === void 0 ? void 0 : _a.uid;
     }
-    onInit(brandId) {
-        return new Promise((resolve) => {
-            const unsub = this.auth.onAuthStateChanged((user) => {
-                this.setUser(user);
-                resolve(Boolean(user));
-                unsub();
-                if (user)
-                    this.logUserLogin(brandId, user);
-            });
+    async onInit(brandId) {
+        this.auth.onAuthStateChanged((user) => {
+            this.setUser(user);
+            if (user)
+                this.logUserLogin(brandId, user);
         });
+        await this.auth.authStateReady();
+        const user = this.auth.currentUser;
+        this.setUser(user);
+        return Boolean(user);
     }
     setUser(user) {
         this.user = user;