@umituz/react-native-firebase 2.4.9 → 2.4.11

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@umituz/react-native-firebase",
-  "version": "2.4.9",
+  "version": "2.4.11",
   "description": "Unified Firebase package for React Native apps - Auth and Firestore services using Firebase JS SDK (no native modules).",
   "main": "./src/index.ts",
   "types": "./src/index.ts",

package/src/domains/account-deletion/infrastructure/services/account-deletion.service.ts

@@ -22,6 +22,9 @@ export interface AccountDeletionResult extends Result<void> {
 
 export type { AccountDeletionOptions } from "../../application/ports/reauthentication.types";
 
+// Operation lock to prevent concurrent deletion attempts
+let deletionInProgress = false;
+
 export async function deleteCurrentUser(
   options: AccountDeletionOptions = { autoReauthenticate: true }
 ): Promise<AccountDeletionResult> {
@@ -29,93 +32,144 @@ export async function deleteCurrentUser(
     console.log("[deleteCurrentUser] Called with options:", options);
   }
 
-  const auth = getFirebaseAuth();
-  const user = auth?.currentUser;
-
-  if (!auth || !user) {
+  // FIX: Check if deletion already in progress
+  if (deletionInProgress) {
     if (typeof __DEV__ !== "undefined" && __DEV__) {
-      console.log("[deleteCurrentUser] Auth not ready");
+      console.log("[deleteCurrentUser] Deletion already in progress");
     }
     return {
       success: false,
-      error: { code: "auth/not-ready", message: "Auth not ready" },
+      error: { code: "auth/operation-in-progress", message: "Account deletion already in progress" },
       requiresReauth: false
     };
   }
 
-  if (user.isAnonymous) {
-    if (typeof __DEV__ !== "undefined" && __DEV__) {
-      console.log("[deleteCurrentUser] Cannot delete anonymous user");
-    }
-    return {
-      success: false,
-      error: { code: "auth/anonymous", message: "Cannot delete anonymous" },
-      requiresReauth: false
-    };
-  }
+  deletionInProgress = true;
 
-  const provider = getUserAuthProvider(user);
-  if (typeof __DEV__ !== "undefined" && __DEV__) {
-    console.log("[deleteCurrentUser] User provider:", provider);
-  }
+  try {
+    const auth = getFirebaseAuth();
+    const user = auth?.currentUser;
 
-  if (provider === "password" && options.autoReauthenticate && options.onPasswordRequired) {
-    if (typeof __DEV__ !== "undefined" && __DEV__) {
-      console.log("[deleteCurrentUser] Password provider, calling attemptReauth");
-    }
-    const reauth = await attemptReauth(user, options);
-    if (typeof __DEV__ !== "undefined" && __DEV__) {
-      console.log("[deleteCurrentUser] attemptReauth result:", reauth);
-    }
-    if (reauth) {
+    if (!auth || !user) {
       if (typeof __DEV__ !== "undefined" && __DEV__) {
-        console.log("[deleteCurrentUser] Reauth returned result, returning:", reauth);
+        console.log("[deleteCurrentUser] Auth not ready");
       }
-      return reauth;
-    }
-    if (typeof __DEV__ !== "undefined" && __DEV__) {
-      console.log("[deleteCurrentUser] Reauth returned null, continuing to deleteUser");
+      return {
+        success: false,
+        error: { code: "auth/not-ready", message: "Auth not ready" },
+        requiresReauth: false
+      };
     }
-  }
 
-  try {
-    if (typeof __DEV__ !== "undefined" && __DEV__) {
-      console.log("[deleteCurrentUser] Calling deleteUser");
+    // FIX: Capture user ID early to detect if user changes during operation
+    const originalUserId = user.uid;
+
+    if (user.isAnonymous) {
+      if (typeof __DEV__ !== "undefined" && __DEV__) {
+        console.log("[deleteCurrentUser] Cannot delete anonymous user");
+      }
+      return {
+        success: false,
+        error: { code: "auth/anonymous", message: "Cannot delete anonymous" },
+        requiresReauth: false
+      };
     }
-    await deleteUser(user);
+
+    const provider = getUserAuthProvider(user);
     if (typeof __DEV__ !== "undefined" && __DEV__) {
-      console.log("[deleteCurrentUser] deleteUser successful");
+      console.log("[deleteCurrentUser] User provider:", provider);
     }
-    return successResult();
-  } catch (error: unknown) {
-    if (typeof __DEV__ !== "undefined" && __DEV__) {
-      console.error("[deleteCurrentUser] deleteUser failed:", error);
+
+    if (provider === "password" && options.autoReauthenticate && options.onPasswordRequired) {
+      if (typeof __DEV__ !== "undefined" && __DEV__) {
+        console.log("[deleteCurrentUser] Password provider, calling attemptReauth");
+      }
+      const reauth = await attemptReauth(user, options, originalUserId);
+      if (typeof __DEV__ !== "undefined" && __DEV__) {
+        console.log("[deleteCurrentUser] attemptReauth result:", reauth);
+      }
+      if (reauth) {
+        if (typeof __DEV__ !== "undefined" && __DEV__) {
+          console.log("[deleteCurrentUser] Reauth returned result, returning:", reauth);
+        }
+        return reauth;
+      }
+      if (typeof __DEV__ !== "undefined" && __DEV__) {
+        console.log("[deleteCurrentUser] Reauth returned null, continuing to deleteUser");
+      }
     }
-    const errorInfo = toAuthErrorInfo(error);
-    const code = errorInfo.code;
-    const message = errorInfo.message;
 
-    const hasCredentials = !!(options.password || options.googleIdToken);
-    const shouldReauth = options.autoReauthenticate === true || hasCredentials;
+    try {
+      // FIX: Verify user hasn't changed before deletion
+      const currentUserId = auth.currentUser?.uid;
+      if (currentUserId !== originalUserId) {
+        if (typeof __DEV__ !== "undefined" && __DEV__) {
+          console.log("[deleteCurrentUser] User changed during operation");
+        }
+        return {
+          success: false,
+          error: { code: "auth/user-changed", message: "User changed during operation" },
+          requiresReauth: false
+        };
+      }
 
-    if (code === "auth/requires-recent-login" && shouldReauth) {
-      const reauth = await attemptReauth(user, options);
-      if (reauth) return reauth;
-    }
+      if (typeof __DEV__ !== "undefined" && __DEV__) {
+        console.log("[deleteCurrentUser] Calling deleteUser");
+      }
+      await deleteUser(user);
+      if (typeof __DEV__ !== "undefined" && __DEV__) {
+        console.log("[deleteCurrentUser] deleteUser successful");
+      }
+      return successResult();
+    } catch (error: unknown) {
+      if (typeof __DEV__ !== "undefined" && __DEV__) {
+        console.error("[deleteCurrentUser] deleteUser failed:", error);
+      }
+      const errorInfo = toAuthErrorInfo(error);
+      const code = errorInfo.code;
+      const message = errorInfo.message;
 
-    return {
-      success: false,
-      error: { code, message },
-      requiresReauth: code === "auth/requires-recent-login"
-    };
+      const hasCredentials = !!(options.password || options.googleIdToken);
+      const shouldReauth = options.autoReauthenticate === true || hasCredentials;
+
+      if (code === "auth/requires-recent-login" && shouldReauth) {
+        const reauth = await attemptReauth(user, options, originalUserId);
+        if (reauth) return reauth;
+      }
+
+      return {
+        success: false,
+        error: { code, message },
+        requiresReauth: code === "auth/requires-recent-login"
+      };
+    }
+  } finally {
+    // FIX: Always release lock when done
+    deletionInProgress = false;
   }
 }
 
-async function attemptReauth(user: User, options: AccountDeletionOptions): Promise<AccountDeletionResult | null> {
+async function attemptReauth(user: User, options: AccountDeletionOptions, originalUserId?: string): Promise<AccountDeletionResult | null> {
   if (typeof __DEV__ !== "undefined" && __DEV__) {
     console.log("[attemptReauth] Called");
   }
 
+  // FIX: Verify user hasn't changed if originalUserId provided
+  if (originalUserId) {
+    const auth = getFirebaseAuth();
+    const currentUserId = auth?.currentUser?.uid;
+    if (currentUserId && currentUserId !== originalUserId) {
+      if (typeof __DEV__ !== "undefined" && __DEV__) {
+        console.log("[attemptReauth] User changed during reauthentication");
+      }
+      return {
+        success: false,
+        error: { code: "auth/user-changed", message: "User changed during operation" },
+        requiresReauth: false
+      };
+    }
+  }
+
   const provider = getUserAuthProvider(user);
   if (typeof __DEV__ !== "undefined" && __DEV__) {
     console.log("[attemptReauth] Provider:", provider);
@@ -208,6 +262,19 @@ async function attemptReauth(user: User, options: AccountDeletionOptions): Promi
     try {
       const auth = getFirebaseAuth();
       const currentUser = auth?.currentUser || user;
+
+      // FIX: Final verification before deletion
+      if (originalUserId && currentUser.uid !== originalUserId) {
+        if (typeof __DEV__ !== "undefined" && __DEV__) {
+          console.log("[attemptReauth] User changed after reauthentication");
+        }
+        return {
+          success: false,
+          error: { code: "auth/user-changed", message: "User changed during operation" },
+          requiresReauth: false
+        };
+      }
+
       await deleteUser(currentUser);
       if (typeof __DEV__ !== "undefined" && __DEV__) {
         console.log("[attemptReauth] deleteUser successful after reauth");

package/src/domains/account-deletion/infrastructure/services/reauthentication.service.ts

@@ -13,7 +13,7 @@ import {
 import * as AppleAuthentication from "expo-apple-authentication";
 import { Platform } from "react-native";
 import { generateNonce, hashNonce } from "../../../auth/infrastructure/services/crypto.util";
-import { executeOperation, failureResultFrom, toAuthErrorInfo } from "../../../../shared/domain/utils";
+import { executeOperation, failureResultFrom, toAuthErrorInfo, ERROR_MESSAGES } from "../../../../shared/domain/utils";
 import { isCancelledError } from "../../../../shared/domain/utils/error-handler.util";
 import type {
   ReauthenticationResult,
@@ -27,6 +27,21 @@ export type {
   ReauthCredentialResult
 } from "../../application/ports/reauthentication.types";
 
+/**
+ * Validates email format
+ */
+function isValidEmail(email: string): boolean {
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+  return emailRegex.test(email);
+}
+
+/**
+ * Validates password (Firebase minimum is 6 characters)
+ */
+function isValidPassword(password: string): boolean {
+  return password.length >= 6;
+}
+
 export function getUserAuthProvider(user: User): AuthProviderType {
   if (user.isAnonymous) return "anonymous";
   const data = user.providerData;
@@ -46,7 +61,17 @@ export async function reauthenticateWithGoogle(user: User, idToken: string): Pro
 export async function reauthenticateWithPassword(user: User, pass: string): Promise<ReauthenticationResult> {
   const email = user.email;
   if (!email) {
-    return failureResultFrom("auth/no-email", "User has no email");
+    return failureResultFrom("auth/no-email", ERROR_MESSAGES.AUTH.NO_USER);
+  }
+
+  // FIX: Add email validation
+  if (!isValidEmail(email)) {
+    return failureResultFrom("auth/invalid-email", ERROR_MESSAGES.AUTH.INVALID_EMAIL);
+  }
+
+  // FIX: Add password validation
+  if (!isValidPassword(pass)) {
+    return failureResultFrom("auth/invalid-password", ERROR_MESSAGES.AUTH.INVALID_PASSWORD);
   }
 
   return executeOperation(async () => {

package/src/domains/auth/infrastructure/services/apple-auth.service.ts

@@ -15,7 +15,7 @@ import type { AppleAuthResult } from "./apple-auth.types";
 import {
   isCancellationError,
 } from "./base/base-auth.service";
-import { executeAuthOperation, type Result } from "../../../../shared/domain/utils";
+import { executeAuthOperation, isSuccess, type Result } from "../../../../shared/domain/utils";
 
 // Conditional import - expo-apple-authentication is optional
 let AppleAuthentication: any = null;
@@ -42,7 +42,8 @@ export class AppleAuthService {
   }
 
   private convertToAppleAuthResult(result: Result<{ userCredential: any; isNewUser: boolean }>): AppleAuthResult {
-    if (result.success && result.data) {
+    // FIX: Use isSuccess() type guard instead of manual check
+    if (isSuccess(result) && result.data) {
       return {
         success: true,
         userCredential: result.data.userCredential,
@@ -102,9 +103,15 @@ export class AppleAuthService {
       // Convert to timestamps for reliable comparison (string comparison can be unreliable)
       const creationTime = userCredential.user.metadata.creationTime;
       const lastSignInTime = userCredential.user.metadata.lastSignInTime;
-      const isNewUser = creationTime && lastSignInTime
-        ? new Date(creationTime).getTime() === new Date(lastSignInTime).getTime()
-        : false;
+
+      // FIX: Add typeof validation for metadata timestamps
+      const isNewUser =
+        creationTime &&
+        lastSignInTime &&
+        typeof creationTime === 'string' &&
+        typeof lastSignInTime === 'string'
+          ? new Date(creationTime).getTime() === new Date(lastSignInTime).getTime()
+          : false;
 
       return {
         userCredential,

package/src/domains/auth/infrastructure/services/auth-listener.service.ts

@@ -6,7 +6,7 @@
 import { onIdTokenChanged, type User } from "firebase/auth";
 import { getFirebaseAuth } from "../config/FirebaseAuthClient";
 import type { Result } from "../../../../shared/domain/utils";
-import { failureResultFrom } from "../../../../shared/domain/utils";
+import { failureResultFrom, ERROR_MESSAGES } from "../../../../shared/domain/utils";
 
 export interface AuthListenerConfig {
   /**
@@ -36,7 +36,7 @@ export function setupAuthListener(
 ): AuthListenerResult {
   const auth = getFirebaseAuth();
   if (!auth) {
-    return failureResultFrom("auth/not-ready", "Firebase Auth not initialized");
+    return failureResultFrom("auth/not-ready", ERROR_MESSAGES.AUTH.NOT_INITIALIZED);
   }
 
   const {

package/src/domains/auth/infrastructure/services/email-auth.service.ts

@@ -13,7 +13,7 @@ import {
   type User,
 } from "firebase/auth";
 import { getFirebaseAuth } from "../config/FirebaseAuthClient";
-import { executeOperation, failureResultFrom, successResult, type Result } from "../../../../shared/domain/utils";
+import { executeOperation, failureResultFrom, successResult, toAuthErrorInfo, type Result, ERROR_MESSAGES } from "../../../../shared/domain/utils";
 
 export interface EmailCredentials {
   email: string;
@@ -32,7 +32,7 @@ export async function signInWithEmail(
 ): Promise<EmailAuthResult> {
   const auth = getFirebaseAuth();
   if (!auth) {
-    return failureResultFrom("auth/not-ready", "Firebase Auth not initialized");
+    return failureResultFrom("auth/not-ready", ERROR_MESSAGES.AUTH.NOT_INITIALIZED);
   }
 
   try {
@@ -43,9 +43,8 @@ export async function signInWithEmail(
     );
     return { success: true, data: userCredential.user };
   } catch (error) {
-    const err = error instanceof Error ? error : new Error(String(error));
-    const code = (err as any).code || "auth/unknown";
-    return { success: false, error: { code, message: err.message } };
+    // FIX: Use toAuthErrorInfo() instead of unsafe cast
+    return { success: false, error: toAuthErrorInfo(error) };
   }
 }
 
@@ -58,7 +57,7 @@ export async function signUpWithEmail(
 ): Promise<EmailAuthResult> {
   const auth = getFirebaseAuth();
   if (!auth) {
-    return failureResultFrom("auth/not-ready", "Firebase Auth not initialized");
+    return failureResultFrom("auth/not-ready", ERROR_MESSAGES.AUTH.NOT_INITIALIZED);
   }
 
   try {
@@ -84,22 +83,25 @@ export async function signUpWithEmail(
 
     // Update display name if provided (non-critical operation)
     if (credentials.displayName && userCredential.user) {
-      try {
-        await updateProfile(userCredential.user, {
-          displayName: credentials.displayName.trim(),
-        });
-      } catch (profileError) {
-        // Profile update failed but account was created successfully
-        // Log the error but don't fail the signup
-        console.warn("Profile update failed after account creation:", profileError);
+      const trimmedName = credentials.displayName.trim();
+      // FIX: Only update if non-empty after trim
+      if (trimmedName.length > 0) {
+        try {
+          await updateProfile(userCredential.user, {
+            displayName: trimmedName,
+          });
+        } catch (profileError) {
+          // Profile update failed but account was created successfully
+          // Log the error but don't fail the signup
+          console.warn("Profile update failed after account creation:", profileError);
+        }
       }
     }
 
     return { success: true, data: userCredential.user };
   } catch (error) {
-    const err = error instanceof Error ? error : new Error(String(error));
-    const code = (err as any).code || "auth/unknown";
-    return { success: false, error: { code, message: err.message } };
+    // FIX: Use toAuthErrorInfo() instead of unsafe cast
+    return { success: false, error: toAuthErrorInfo(error) };
   }
 }
 
@@ -126,12 +128,12 @@ export async function linkAnonymousWithEmail(
 ): Promise<EmailAuthResult> {
   const auth = getFirebaseAuth();
   if (!auth || !auth.currentUser) {
-    return failureResultFrom("auth/not-ready", "No current user");
+    return failureResultFrom("auth/not-ready", ERROR_MESSAGES.AUTH.NO_USER);
   }
 
   const currentUser = auth.currentUser;
   if (!currentUser.isAnonymous) {
-    return failureResultFrom("auth/invalid-action", "User is not anonymous");
+    return failureResultFrom("auth/invalid-action", ERROR_MESSAGES.AUTH.INVALID_USER);
   }
 
   try {
@@ -139,8 +141,7 @@ export async function linkAnonymousWithEmail(
     const userCredential = await linkWithCredential(currentUser, credential);
     return { success: true, data: userCredential.user };
   } catch (error) {
-    const err = error instanceof Error ? error : new Error(String(error));
-    const code = (err as any).code || "auth/unknown";
-    return { success: false, error: { code, message: err.message } };
+    // FIX: Use toAuthErrorInfo() instead of unsafe cast
+    return { success: false, error: toAuthErrorInfo(error) };
   }
 }

package/src/domains/auth/infrastructure/services/google-auth.service.ts

@@ -9,7 +9,7 @@ import {
   type Auth,
 } from "firebase/auth";
 import type { GoogleAuthConfig, GoogleAuthResult } from "./google-auth.types";
-import { executeAuthOperation, type Result } from "../../../../shared/domain/utils";
+import { executeAuthOperation, isSuccess, type Result } from "../../../../shared/domain/utils";
 import { ConfigurableService } from "../../../../shared/domain/utils/service-config.util";
 
 /**
@@ -25,7 +25,8 @@ export class GoogleAuthService extends ConfigurableService<GoogleAuthConfig> {
   }
 
   private convertToGoogleAuthResult(result: Result<{ userCredential: any; isNewUser: boolean }>): GoogleAuthResult {
-    if (result.success && result.data) {
+    // FIX: Use isSuccess() type guard instead of manual check
+    if (isSuccess(result) && result.data) {
       return {
         success: true,
         userCredential: result.data.userCredential,
@@ -51,9 +52,15 @@ export class GoogleAuthService extends ConfigurableService<GoogleAuthConfig> {
       // Convert to timestamps for reliable comparison (string comparison can be unreliable)
       const creationTime = userCredential.user.metadata.creationTime;
       const lastSignInTime = userCredential.user.metadata.lastSignInTime;
-      const isNewUser = creationTime && lastSignInTime
-        ? new Date(creationTime).getTime() === new Date(lastSignInTime).getTime()
-        : false;
+
+      // FIX: Add typeof validation for metadata timestamps
+      const isNewUser =
+        creationTime &&
+        lastSignInTime &&
+        typeof creationTime === 'string' &&
+        typeof lastSignInTime === 'string'
+          ? new Date(creationTime).getTime() === new Date(lastSignInTime).getTime()
+          : false;
 
       return {
         userCredential,

package/src/domains/auth/infrastructure/services/user-document-builder.util.ts

@@ -9,17 +9,27 @@ import type {
   UserDocumentExtras,
 } from "./user-document.types";
 
+/**
+ * Type guard to check if user has provider data
+ */
+function hasProviderData(user: unknown): user is { providerData: { providerId: string }[] } {
+  return (
+    typeof user === 'object' &&
+    user !== null &&
+    'providerData' in user &&
+    Array.isArray((user as any).providerData)
+  );
+}
+
 /**
  * Gets the sign-up method from user provider data
  */
 export function getSignUpMethod(user: UserDocumentUser): string | undefined {
   if (user.isAnonymous) return "anonymous";
   if (user.email) {
-    const providerData = (
-      user as unknown as { providerData?: { providerId: string }[] }
-    ).providerData;
-    if (providerData && providerData.length > 0) {
-      const providerId = providerData[0]?.providerId;
+    // FIX: Use type guard instead of unsafe cast
+    if (hasProviderData(user) && user.providerData.length > 0) {
+      const providerId = user.providerData[0]?.providerId;
       if (providerId === "google.com") return "google";
       if (providerId === "apple.com") return "apple";
       if (providerId === "password") return "email";

package/src/domains/auth/presentation/hooks/useAnonymousAuth.ts

@@ -72,7 +72,13 @@ export function useAnonymousAuth(auth: Auth | null): UseAnonymousAuthResult {
       setAuthState(userToAuthCheckResult(null));
       setLoading(false);
       setError(null);
-      return;
+      // FIX: Always return cleanup function to prevent memory leaks
+      return () => {
+        if (unsubscribeRef.current) {
+          unsubscribeRef.current();
+          unsubscribeRef.current = null;
+        }
+      };
     }
 
     // Keep loading true until onAuthStateChanged fires
@@ -87,6 +93,8 @@ export function useAnonymousAuth(auth: Auth | null): UseAnonymousAuthResult {
       const authError = err instanceof Error ? err : new Error('Auth listener setup failed');
       setError(authError);
       setLoading(false);
+      // FIX: Reset auth state on error to prevent stale data
+      setAuthState(userToAuthCheckResult(null));
     }
 
     // Cleanup function

package/src/domains/auth/presentation/hooks/useGoogleOAuth.ts

@@ -71,6 +71,7 @@ export function useGoogleOAuth(config?: GoogleOAuthConfig): UseGoogleOAuthResult
           const auth = getFirebaseAuth();
           if (!auth) {
             setGoogleError("Firebase Auth not initialized");
+            setIsLoading(false); // FIX: Reset loading state before early return
             return;
           }
 

package/src/domains/firestore/index.ts

@@ -122,6 +122,20 @@ export {
 } from './utils/firestore-helper';
 export type { FirestoreResult, NoDbResult } from './utils/firestore-helper';
 
+// Validation Utilities
+export {
+  isValidCursor,
+  validateCursorOrThrow,
+  CursorValidationError,
+} from './utils/validation/cursor-validator.util';
+export {
+  isValidFieldName,
+} from './utils/validation/field-validator.util';
+export {
+  isValidDateRange,
+  validateDateRangeOrThrow,
+} from './utils/validation/date-validator.util';
+
 export { Timestamp } from 'firebase/firestore';
 export type {
   CollectionReference,

package/src/domains/firestore/infrastructure/config/FirestoreClient.ts

@@ -38,12 +38,25 @@ class FirestoreClientSingleton extends ServiceClientSingleton<Firestore> {
   }
 
   private static instance: FirestoreClientSingleton | null = null;
+  private static initInProgress = false;
 
   static getInstance(): FirestoreClientSingleton {
-    if (!FirestoreClientSingleton.instance) {
-      FirestoreClientSingleton.instance = new FirestoreClientSingleton();
+    if (!FirestoreClientSingleton.instance && !FirestoreClientSingleton.initInProgress) {
+      FirestoreClientSingleton.initInProgress = true;
+      try {
+        FirestoreClientSingleton.instance = new FirestoreClientSingleton();
+      } finally {
+        FirestoreClientSingleton.initInProgress = false;
+      }
     }
-    return FirestoreClientSingleton.instance;
+
+    // Wait for initialization to complete if in progress
+    while (FirestoreClientSingleton.initInProgress && !FirestoreClientSingleton.instance) {
+      // Busy wait - in practice this should be very brief
+      // Consider using a Promise-based approach for better async handling
+    }
+
+    return FirestoreClientSingleton.instance!;
   }
 
   /**

package/src/domains/firestore/infrastructure/middleware/QueryDeduplicationMiddleware.ts

@@ -30,16 +30,23 @@ export class QueryDeduplicationMiddleware {
   ): Promise<T> {
     const key = generateQueryKey(queryKey);
 
-    // Check if query is already pending
-    if (this.queryManager.isPending(key)) {
-      const pendingPromise = this.queryManager.get(key);
-      if (pendingPromise) {
-        // Return the existing pending promise instead of executing again
-        return pendingPromise as Promise<T>;
-      }
+    // FIX: Atomic get-or-create pattern to prevent race conditions
+    const existingPromise = this.queryManager.get(key);
+    if (existingPromise) {
+      return existingPromise as Promise<T>;
     }
 
-    const promise = queryFn();
+    // Create promise with cleanup on completion
+    const promise = (async () => {
+      try {
+        return await queryFn();
+      } finally {
+        // Cleanup after completion (success or error)
+        this.queryManager.remove(key);
+      }
+    })();
+
+    // Add before any await - this prevents race between check and add
     this.queryManager.add(key, promise);
 
     return promise;

package/src/domains/firestore/infrastructure/repositories/BasePaginatedRepository.ts

@@ -10,20 +10,9 @@ import { collection, query, orderBy, limit, startAfter, getDoc, doc, getDocs } f
 import { PaginationHelper } from "../../utils/pagination.helper";
 import type { PaginatedResult, PaginationParams } from "../../types/pagination.types";
 import { BaseQueryRepository } from "./BaseQueryRepository";
+import { validateCursorOrThrow, CursorValidationError } from "../../utils/validation/cursor-validator.util";
 
 export abstract class BasePaginatedRepository extends BaseQueryRepository {
-  /**
-   * Validate cursor format
-   * Cursors must be non-empty strings without path separators
-   */
-  private isValidCursor(cursor: string): boolean {
-    if (!cursor || typeof cursor !== 'string') return false;
-    // Check for invalid characters (path separators, null bytes)
-    if (cursor.includes('/') || cursor.includes('\\') || cursor.includes('\0')) return false;
-    // Check length (Firestore document IDs can't be longer than 1500 bytes)
-    if (cursor.length > 1500) return false;
-    return true;
-  }
 
   /**
    * Execute paginated query with cursor support
@@ -60,19 +49,16 @@ export abstract class BasePaginatedRepository extends BaseQueryRepository {
     if (helper.hasCursor(params) && params?.cursor) {
       cursorKey = params.cursor;
 
-      // Validate cursor format to prevent Firestore errors
-      if (!this.isValidCursor(params.cursor)) {
-        // Invalid cursor format - return empty result
-        return [];
-      }
+      // FIX: Validate cursor and throw error instead of silent failure
+      validateCursorOrThrow(params.cursor);
 
       // Fetch cursor document first
       const cursorDocRef = doc(db, collectionName, params.cursor);
       const cursorDoc = await getDoc(cursorDocRef);
 
       if (!cursorDoc.exists()) {
-        // Cursor document doesn't exist - return empty result
-        return [];
+        // FIX: Throw error instead of silent failure
+        throw new CursorValidationError('Cursor document does not exist');
       }
 
       // Build query with startAfter using the cursor document

package/src/domains/firestore/infrastructure/services/RequestLoggerService.ts

@@ -93,6 +93,22 @@ export class RequestLoggerService {
     };
   }
 
+  /**
+   * Remove all listeners
+   * Prevents memory leaks when service is destroyed
+   */
+  removeAllListeners(): void {
+    this.listeners.clear();
+  }
+
+  /**
+   * Destroy service and cleanup resources
+   */
+  destroy(): void {
+    this.removeAllListeners();
+    this.clearLogs();
+  }
+
   /**
    * Notify all listeners
    */

package/src/domains/firestore/utils/deduplication/pending-query-manager.util.ts

@@ -54,6 +54,13 @@ export class PendingQueryManager {
     });
   }
 
+  /**
+   * Remove a specific query from pending list
+   */
+  remove(key: string): void {
+    this.pendingQueries.delete(key);
+  }
+
   /**
    * Clean up expired queries
    */

package/src/domains/firestore/utils/mapper/enrichment-mapper.util.ts

@@ -8,6 +8,10 @@ import type { QueryDocumentSnapshot, DocumentData } from 'firebase/firestore';
 /**
  * Map documents with enrichment from related data
  *
+ * @deprecated Use mapWithBatchEnrichment for better performance with large datasets.
+ * This function fetches enrichments in parallel but doesn't deduplicate keys,
+ * and uses sequential async operations which can be slower than batch fetching.
+ *
  * Process flow:
  * 1. Extract source data from document
  * 2. Skip if extraction fails or source is invalid
@@ -65,8 +69,11 @@ export async function mapWithBatchEnrichment<TSource, TEnrichment, TResult>(
     return [];
   }
 
-  // Fetch all enrichments in batch
-  const enrichmentMap = await fetchBatchEnrichments(keys);
+  // FIX: Deduplicate keys before batch fetch to reduce redundant fetches
+  const uniqueKeys = [...new Set(keys)];
+
+  // Fetch all enrichments in batch (deduplicated)
+  const enrichmentMap = await fetchBatchEnrichments(uniqueKeys);
 
   // Combine sources with enrichments
   const results: TResult[] = [];

package/src/domains/firestore/utils/query/modifiers.util.ts

@@ -12,6 +12,7 @@ import {
   type Query,
   Timestamp,
 } from "firebase/firestore";
+import { validateDateRangeOrThrow } from "../validation/date-validator.util";
 
 export interface SortOptions {
   field: string;
@@ -30,6 +31,11 @@ export interface DateRangeOptions {
 export function applyDateRange(q: Query, dateRange: DateRangeOptions | undefined): Query {
   if (!dateRange) return q;
 
+  // FIX: Validate date range if both dates are provided
+  if (dateRange.startDate !== undefined && dateRange.endDate !== undefined) {
+    validateDateRangeOrThrow(dateRange.startDate, dateRange.endDate);
+  }
+
   if (dateRange.startDate) {
     q = query(q, where(dateRange.field, ">=", Timestamp.fromMillis(dateRange.startDate)));
   }

package/src/domains/firestore/utils/transaction/transaction.util.ts

@@ -10,6 +10,7 @@ import {
 } from "firebase/firestore";
 import { getFirestore } from "../../infrastructure/config/FirestoreClient";
 import { hasCodeProperty } from "../../../../shared/domain/utils/type-guards.util";
+import { ERROR_MESSAGES } from "../../../../shared/domain/utils/error-handlers/error-messages";
 
 /**
  * Execute a transaction with automatic DB instance check.
@@ -20,7 +21,7 @@ export async function runTransaction<T>(
 ): Promise<T> {
   const db = getFirestore();
   if (!db) {
-    throw new Error("[runTransaction] Firestore database is not initialized. Please ensure Firebase is properly initialized before running transactions.");
+    throw new Error(`[runTransaction] ${ERROR_MESSAGES.FIRESTORE.NOT_INITIALIZED}`);
   }
   try {
     return await fbRunTransaction(db, updateFunction);

package/src/domains/firestore/utils/validation/cursor-validator.util.ts

@@ -0,0 +1,73 @@
+/**
+ * Cursor Validation Utility
+ * Validates pagination cursors for Firestore queries
+ */
+
+import { ERROR_MESSAGES } from '../../../../shared/domain/utils/error-handlers/error-messages';
+
+const MAX_CURSOR_LENGTH = 1500; // Firestore document ID max length
+
+/**
+ * Validates a pagination cursor
+ * @param cursor - The cursor to validate
+ * @returns true if cursor is valid, false otherwise
+ */
+export function isValidCursor(cursor: string | undefined | null): boolean {
+  // undefined/null is valid (first page)
+  if (cursor === undefined || cursor === null) {
+    return true;
+  }
+
+  // Must be string
+  if (typeof cursor !== 'string') {
+    return false;
+  }
+
+  // Empty string invalid
+  if (cursor.length === 0) {
+    return false;
+  }
+
+  // No leading/trailing whitespace
+  if (cursor.trim() !== cursor) {
+    return false;
+  }
+
+  // Length check (Firestore doc ID max)
+  if (cursor.length > MAX_CURSOR_LENGTH) {
+    return false;
+  }
+
+  // No null bytes (Firestore forbidden)
+  if (cursor.includes('\0')) {
+    return false;
+  }
+
+  // No path separators (invalid in cursor)
+  if (cursor.includes('/')) {
+    return false;
+  }
+
+  return true;
+}
+
+/**
+ * Cursor validation error class
+ */
+export class CursorValidationError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = 'CursorValidationError';
+  }
+}
+
+/**
+ * Validates cursor or throws an error
+ * @param cursor - The cursor to validate
+ * @throws {CursorValidationError} If cursor is invalid
+ */
+export function validateCursorOrThrow(cursor: string | undefined | null): void {
+  if (!isValidCursor(cursor)) {
+    throw new CursorValidationError(ERROR_MESSAGES.FIRESTORE.INVALID_CURSOR);
+  }
+}

package/src/domains/firestore/utils/validation/date-validator.util.ts

@@ -0,0 +1,35 @@
+/**
+ * Date Range Validation Utility
+ * Validates date ranges for Firestore queries
+ */
+
+import { ERROR_MESSAGES } from '../../../../shared/domain/utils/error-handlers/error-messages';
+
+/**
+ * Validates a date range
+ * @param start - Start date (Date object or timestamp)
+ * @param end - End date (Date object or timestamp)
+ * @returns true if range is valid (start <= end), false otherwise
+ */
+export function isValidDateRange(start: Date | number, end: Date | number): boolean {
+  const startTime = start instanceof Date ? start.getTime() : start;
+  const endTime = end instanceof Date ? end.getTime() : end;
+
+  if (isNaN(startTime) || isNaN(endTime)) {
+    return false;
+  }
+
+  return startTime <= endTime;
+}
+
+/**
+ * Validates date range or throws an error
+ * @param start - Start date (Date object or timestamp)
+ * @param end - End date (Date object or timestamp)
+ * @throws {Error} If range is invalid
+ */
+export function validateDateRangeOrThrow(start: Date | number, end: Date | number): void {
+  if (!isValidDateRange(start, end)) {
+    throw new Error(ERROR_MESSAGES.FIRESTORE.INVALID_DATE_RANGE);
+  }
+}

package/src/domains/firestore/utils/validation/field-validator.util.ts

@@ -0,0 +1,29 @@
+/**
+ * Field Name Validation Utility
+ * Validates Firestore field names
+ */
+
+const RESERVED_FIELDS = ['__name__', '__id__'];
+
+/**
+ * Validates a Firestore field name
+ * @param field - The field name to validate
+ * @returns true if field name is valid, false otherwise
+ */
+export function isValidFieldName(field: string): boolean {
+  if (typeof field !== 'string' || field.length === 0) {
+    return false;
+  }
+
+  // Reserved fields
+  if (RESERVED_FIELDS.includes(field)) {
+    return false;
+  }
+
+  // Reserved prefix
+  if (field.startsWith('__')) {
+    return false;
+  }
+
+  return true;
+}

package/src/shared/domain/guards/firebase-error.guard.ts

@@ -26,7 +26,10 @@ export function isFirestoreError(error: unknown): error is FirestoreError {
     typeof error === 'object' &&
     error !== null &&
     'code' in error &&
-    'message' in error
+    'message' in error &&
+    // FIX: Also check that properties are strings
+    typeof (error as any).code === 'string' &&
+    typeof (error as any).message === 'string'
   );
 }
 
@@ -38,7 +41,10 @@ export function isAuthError(error: unknown): error is AuthError {
     typeof error === 'object' &&
     error !== null &&
     'code' in error &&
-    'message' in error
+    'message' in error &&
+    // FIX: Also check that properties are strings
+    typeof (error as any).code === 'string' &&
+    typeof (error as any).message === 'string'
   );
 }
 

package/src/shared/domain/utils/error-handlers/error-messages.ts

@@ -7,10 +7,24 @@ export const ERROR_MESSAGES = {
     SIGN_OUT_REQUIRED: 'Sign out first before performing this action',
     NO_USER: 'No user is currently signed in',
     INVALID_USER: 'Invalid user',
+    INVALID_EMAIL: 'Invalid email address',
+    INVALID_PASSWORD: 'Invalid password',
+    WEAK_PASSWORD: 'Password is too weak',
+    INVALID_CREDENTIALS: 'Invalid credentials provided',
+    USER_CHANGED: 'User changed during operation',
+    OPERATION_IN_PROGRESS: 'Operation already in progress',
   },
   FIRESTORE: {
     NOT_INITIALIZED: 'Firestore is not initialized',
     QUOTA_EXCEEDED: 'Daily quota exceeded. Please try again tomorrow or upgrade your plan.',
+    INVALID_CURSOR: 'Invalid pagination cursor',
+    INVALID_FIELD_NAME: 'Invalid field name',
+    INVALID_DATE_RANGE: 'Start date must be before end date',
+    BATCH_TOO_LARGE: 'Batch operation exceeds maximum size',
+    DOCUMENT_NOT_FOUND: 'Document not found',
+    PERMISSION_DENIED: 'Permission denied',
+    TRANSACTION_FAILED: 'Transaction failed',
+    NETWORK_ERROR: 'Network error occurred',
   },
   REPOSITORY: {
     DESTROYED: 'Repository has been destroyed',
@@ -18,6 +32,11 @@ export const ERROR_MESSAGES = {
   SERVICE: {
     NOT_CONFIGURED: 'Service is not configured',
   },
+  VALIDATION: {
+    INVALID_INPUT: 'Invalid input provided',
+    REQUIRED_FIELD: 'Required field is missing',
+    INVALID_FORMAT: 'Invalid format',
+  },
   GENERAL: {
     RETRYABLE: 'Temporary error occurred. Please try again.',
     UNKNOWN: 'Unknown error occurred',

package/src/shared/domain/utils/executors/batch-executors.util.ts

@@ -1,5 +1,5 @@
 import type { Result, FailureResult } from '../result.util';
-import { failureResultFromError, successResult, isSuccess } from '../result.util';
+import { failureResultFromError, successResult, isSuccess, isFailure } from '../result.util';
 
 export async function executeAll<T>(
   ...operations: (() => Promise<Result<T>>)[]
@@ -7,9 +7,10 @@ export async function executeAll<T>(
   try {
     const results = await Promise.all(operations.map((op) => op()));
 
+    // FIX: Use isFailure() type guard instead of manual check
     for (const result of results) {
-      if (!result.success && result.error !== undefined) {
-        return result as FailureResult;
+      if (isFailure(result)) {
+        return result;
       }
     }
 
@@ -31,7 +32,8 @@ export async function executeSequence<T>(
 ): Promise<Result<void>> {
   for (const operation of operations) {
     const result = await operation();
-    if (!result.success && result.error !== undefined) {
+    // FIX: Use isFailure() type guard instead of manual check
+    if (isFailure(result)) {
       return { success: false, error: result.error };
     }
   }

package/src/shared/domain/utils/index.ts

@@ -70,6 +70,11 @@ export {
   type ErrorInfo as ErrorHandlerErrorInfo,
 } from './error-handler.util';
 
+// Error messages
+export {
+  ERROR_MESSAGES,
+} from './error-handlers/error-messages';
+
 // Type guards
 export {
   hasCodeProperty,

package/src/shared/infrastructure/config/clients/FirebaseClientSingleton.ts

@@ -16,7 +16,6 @@ import { FirebaseInitializationOrchestrator } from '../orchestrators/FirebaseIni
 export class FirebaseClientSingleton implements IFirebaseClient {
   private static instance: FirebaseClientSingleton | null = null;
   private state: FirebaseClientState;
-  private lastError: string | null = null;
 
   private constructor() {
     this.state = new FirebaseClientState();
@@ -34,11 +33,9 @@ export class FirebaseClientSingleton implements IFirebaseClient {
       const result = FirebaseInitializationOrchestrator.initialize(config);
       // Sync state with orchestrator result
       this.state.setInstance(result);
-      this.lastError = null;
       return result;
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : 'Unknown error';
-      this.lastError = errorMessage;
       this.state.setInitializationError(errorMessage);
       return null;
     }
@@ -66,17 +63,12 @@ export class FirebaseClientSingleton implements IFirebaseClient {
   }
 
   getInitializationError(): string | null {
-    // Check local state first
-    const localError = this.state.getInitializationError();
-    if (localError) return localError;
-    // Return last error
-    return this.lastError;
+    return this.state.getInitializationError();
   }
 
   reset(): void {
     // Reset local state
     this.state.reset();
-    this.lastError = null;
     // Note: We don't reset Firebase apps as they might be in use
   }
 }