firebase-admin 11.6.0 → 11.8.0

package/lib/app/core.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 /*!
  * @license
  * Copyright 2021 Google Inc.

package/lib/app/core.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 "use strict";
 /*!
  * @license

package/lib/app/credential-factory.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 /*!
  * @license
  * Copyright 2021 Google Inc.

package/lib/app/credential-factory.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 "use strict";
 /*!
  * @license

package/lib/app/credential-internal.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 /*!
  * @license
  * Copyright 2020 Google Inc.

package/lib/app/credential-internal.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 "use strict";
 /*!
  * @license
@@ -115,6 +115,15 @@ exports.ServiceAccountCredential = ServiceAccountCredential;
  * A struct containing the properties necessary to use service account JSON credentials.
  */
 class ServiceAccount {
+    static fromPath(filePath) {
+        try {
+            return new ServiceAccount(JSON.parse(fs.readFileSync(filePath, 'utf8')));
+        }
+        catch (error) {
+            // Throw a nicely formed error message if the file contents cannot be parsed
+            throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, 'Failed to parse service account json file: ' + error);
+        }
+    }
     constructor(json) {
         if (!util.isNonNullObject(json)) {
             throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, 'Service account must be an object.');
@@ -144,15 +153,6 @@ class ServiceAccount {
             throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, 'Failed to parse private key: ' + error);
         }
     }
-    static fromPath(filePath) {
-        try {
-            return new ServiceAccount(JSON.parse(fs.readFileSync(filePath, 'utf8')));
-        }
-        catch (error) {
-            // Throw a nicely formed error message if the file contents cannot be parsed
-            throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, 'Failed to parse service account json file: ' + error);
-        }
-    }
 }
 /**
  * Implementation of Credential that gets access tokens from the metadata service available
@@ -261,6 +261,19 @@ class RefreshTokenCredential {
 }
 exports.RefreshTokenCredential = RefreshTokenCredential;
 class RefreshToken {
+    /*
+     * Tries to load a RefreshToken from a path. Throws if the path doesn't exist or the
+     * data at the path is invalid.
+     */
+    static fromPath(filePath) {
+        try {
+            return new RefreshToken(JSON.parse(fs.readFileSync(filePath, 'utf8')));
+        }
+        catch (error) {
+            // Throw a nicely formed error message if the file contents cannot be parsed
+            throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, 'Failed to parse refresh token file: ' + error);
+        }
+    }
     constructor(json) {
         copyAttr(this, json, 'clientId', 'client_id');
         copyAttr(this, json, 'clientSecret', 'client_secret');
@@ -283,19 +296,6 @@ class RefreshToken {
             throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, errorMessage);
         }
     }
-    /*
-     * Tries to load a RefreshToken from a path. Throws if the path doesn't exist or the
-     * data at the path is invalid.
-     */
-    static fromPath(filePath) {
-        try {
-            return new RefreshToken(JSON.parse(fs.readFileSync(filePath, 'utf8')));
-        }
-        catch (error) {
-            // Throw a nicely formed error message if the file contents cannot be parsed
-            throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, 'Failed to parse refresh token file: ' + error);
-        }
-    }
 }
 /**
  * Implementation of Credential that uses impersonated service account.
@@ -342,6 +342,19 @@ exports.ImpersonatedServiceAccountCredential = ImpersonatedServiceAccountCredent
  * A struct containing the properties necessary to use impersonated service account JSON credentials.
  */
 class ImpersonatedServiceAccount {
+    /*
+     * Tries to load a ImpersonatedServiceAccount from a path. Throws if the path doesn't exist or the
+     * data at the path is invalid.
+     */
+    static fromPath(filePath) {
+        try {
+            return new ImpersonatedServiceAccount(JSON.parse(fs.readFileSync(filePath, 'utf8')));
+        }
+        catch (error) {
+            // Throw a nicely formed error message if the file contents cannot be parsed
+            throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, 'Failed to parse impersonated service account file: ' + error);
+        }
+    }
     constructor(json) {
         const sourceCredentials = json['source_credentials'];
         if (sourceCredentials) {
@@ -367,19 +380,6 @@ class ImpersonatedServiceAccount {
             throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, errorMessage);
         }
     }
-    /*
-     * Tries to load a ImpersonatedServiceAccount from a path. Throws if the path doesn't exist or the
-     * data at the path is invalid.
-     */
-    static fromPath(filePath) {
-        try {
-            return new ImpersonatedServiceAccount(JSON.parse(fs.readFileSync(filePath, 'utf8')));
-        }
-        catch (error) {
-            // Throw a nicely formed error message if the file contents cannot be parsed
-            throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, 'Failed to parse impersonated service account file: ' + error);
-        }
-    }
 }
 /**
  * Checks if the given credential was loaded via the application default credentials mechanism. This

package/lib/app/credential.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 /*!
  * @license
  * Copyright 2021 Google Inc.

package/lib/app/credential.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 "use strict";
 /*!
  * @license

package/lib/app/firebase-app.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 /*!
  * @license
  * Copyright 2017 Google Inc.

package/lib/app/firebase-app.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 "use strict";
 /*!
  * @license

package/lib/app/firebase-namespace.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 /*!
  * @license
  * Copyright 2017 Google Inc.

package/lib/app/firebase-namespace.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 "use strict";
 /*!
  * @license

package/lib/app/index.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 /*!
  * @license
  * Copyright 2021 Google Inc.

package/lib/app/index.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 "use strict";
 /*!
  * @license

package/lib/app/lifecycle.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 /*!
  * @license
  * Copyright 2021 Google Inc.

package/lib/app/lifecycle.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 "use strict";
 /*!
  * @license

package/lib/app-check/app-check-api-client-internal.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 /*!
  * @license
  * Copyright 2021 Google Inc.
@@ -19,7 +19,7 @@ import { PrefixedFirebaseError } from '../utils/error';
 export declare const APP_CHECK_ERROR_CODE_MAPPING: {
     [key: string]: AppCheckErrorCode;
 };
-export declare type AppCheckErrorCode = 'aborted' | 'invalid-argument' | 'invalid-credential' | 'internal-error' | 'permission-denied' | 'unauthenticated' | 'not-found' | 'app-check-token-expired' | 'unknown-error';
+export type AppCheckErrorCode = 'aborted' | 'invalid-argument' | 'invalid-credential' | 'internal-error' | 'permission-denied' | 'unauthenticated' | 'not-found' | 'app-check-token-expired' | 'unknown-error';
 /**
  * Firebase App Check error code structure. This extends PrefixedFirebaseError.
  *

package/lib/app-check/app-check-api-client-internal.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 "use strict";
 /*!
  * @license
@@ -24,6 +24,7 @@ const utils = require("../utils/index");
 const validator = require("../utils/validator");
 // App Check backend constants
 const FIREBASE_APP_CHECK_V1_API_URL_FORMAT = 'https://firebaseappcheck.googleapis.com/v1/projects/{projectId}/apps/{appId}:exchangeCustomToken';
+const ONE_TIME_USE_TOKEN_VERIFICATION_URL_FORMAT = 'https://firebaseappcheck.googleapis.com/v1beta/projects/{projectId}:verifyAppCheckToken';
 const FIREBASE_APP_CHECK_CONFIG_HEADERS = {
     'X-Firebase-Client': `fire-admin-node/${utils.getSdkVersion()}`
 };
@@ -71,6 +72,31 @@ class AppCheckApiClient {
             throw this.toFirebaseError(err);
         });
     }
+    verifyReplayProtection(token) {
+        if (!validator.isNonEmptyString(token)) {
+            throw new FirebaseAppCheckError('invalid-argument', '`token` must be a non-empty string.');
+        }
+        return this.getVerifyTokenUrl()
+            .then((url) => {
+            const request = {
+                method: 'POST',
+                url,
+                headers: FIREBASE_APP_CHECK_CONFIG_HEADERS,
+                data: { app_check_token: token }
+            };
+            return this.httpClient.send(request);
+        })
+            .then((resp) => {
+            if (typeof resp.data.alreadyConsumed !== 'undefined'
+                && !validator.isBoolean(resp.data?.alreadyConsumed)) {
+                throw new FirebaseAppCheckError('invalid-argument', '`alreadyConsumed` must be a boolean value.');
+            }
+            return resp.data.alreadyConsumed || false;
+        })
+            .catch((err) => {
+            throw this.toFirebaseError(err);
+        });
+    }
     getUrl(appId) {
         return this.getProjectId()
             .then((projectId) => {
@@ -82,6 +108,16 @@ class AppCheckApiClient {
             return utils.formatString(baseUrl);
         });
     }
+    getVerifyTokenUrl() {
+        return this.getProjectId()
+            .then((projectId) => {
+            const urlParams = {
+                projectId
+            };
+            const baseUrl = utils.formatString(ONE_TIME_USE_TOKEN_VERIFICATION_URL_FORMAT, urlParams);
+            return utils.formatString(baseUrl);
+        });
+    }
     getProjectId() {
         if (this.projectId) {
             return Promise.resolve(this.projectId);

package/lib/app-check/app-check-api.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 /*!
  * @license
  * Copyright 2021 Google Inc.
@@ -38,6 +38,28 @@ export interface AppCheckTokenOptions {
      */
     ttlMillis?: number;
 }
+/**
+ * Interface representing options for the {@link AppCheck.verifyToken} method.
+ */
+export interface VerifyAppCheckTokenOptions {
+    /**
+     * To use the replay protection feature, set this to `true`. The {@link AppCheck.verifyToken}
+     * method will mark the token as consumed after verifying it.
+     *
+     * Tokens that are found to be already consumed will be marked as such in the response.
+     *
+     * Tokens are only considered to be consumed if it is sent to App Check backend by calling the
+     * {@link AppCheck.verifyToken} method with this field set to `true`; other uses of the token
+     * do not consume it.
+     *
+     * This replay protection feature requires an additional network call to the App Check backend
+     * and forces your clients to obtain a fresh attestation from your chosen attestation providers.
+     * This can therefore negatively impact performance and can potentially deplete your attestation
+     * providers' quotas faster. We recommend that you use this feature only for protecting
+     * low volume, security critical, or expensive operations.
+     */
+    consume?: boolean;
+}
 /**
  * Interface representing a decoded Firebase App Check token, returned from the
  * {@link AppCheck.verifyToken} method.
@@ -92,4 +114,16 @@ export interface VerifyAppCheckTokenResponse {
      * The decoded Firebase App Check token.
      */
     token: DecodedAppCheckToken;
+    /**
+     * Indicates weather this token was already consumed.
+     * If this is the first time {@link AppCheck.verifyToken} method has seen this token,
+     * this field will contain the value `false`. The given token will then be
+     * marked as `already_consumed` for all future invocations of this {@link AppCheck.verifyToken}
+     * method for this token.
+     *
+     * When this field is `true`, the caller is attempting to reuse a previously consumed token.
+     * You should take precautions against such a caller; for example, you can take actions such as
+     * rejecting the request or ask the caller to pass additional layers of security checks.
+     */
+    alreadyConsumed?: boolean;
 }

package/lib/app-check/app-check-api.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 "use strict";
 /*!
  * @license

package/lib/app-check/app-check-namespace.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 /*!
  * Copyright 2021 Google Inc.
  *
@@ -15,7 +15,7 @@
  * limitations under the License.
  */
 import { App } from '../app';
-import { AppCheckToken as TAppCheckToken, AppCheckTokenOptions as TAppCheckTokenOptions, DecodedAppCheckToken as TDecodedAppCheckToken, VerifyAppCheckTokenResponse as TVerifyAppCheckTokenResponse } from './app-check-api';
+import { AppCheckToken as TAppCheckToken, AppCheckTokenOptions as TAppCheckTokenOptions, DecodedAppCheckToken as TDecodedAppCheckToken, VerifyAppCheckTokenOptions as TVerifyAppCheckTokenOptions, VerifyAppCheckTokenResponse as TVerifyAppCheckTokenResponse } from './app-check-api';
 import { AppCheck as TAppCheck } from './app-check';
 /**
  * Gets the {@link firebase-admin.app-check#AppCheck} service for the default app or a given app.
@@ -61,5 +61,12 @@ export declare namespace appCheck {
      * Type alias to {@link firebase-admin.app-check#VerifyAppCheckTokenResponse}.
      */
     type VerifyAppCheckTokenResponse = TVerifyAppCheckTokenResponse;
+    /**
+     * Type alias to {@link firebase-admin.app-check#AppCheckTokenOptions}.
+     */
     type AppCheckTokenOptions = TAppCheckTokenOptions;
+    /**
+     * Type alias to {@link firebase-admin.app-check#VerifyAppCheckTokenOptions}.
+     */
+    type VerifyAppCheckTokenOptions = TVerifyAppCheckTokenOptions;
 }

package/lib/app-check/app-check-namespace.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 "use strict";
 /*!
  * Copyright 2021 Google Inc.

package/lib/app-check/app-check.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 /*!
  * @license
  * Copyright 2021 Google Inc.
@@ -16,7 +16,7 @@
  * limitations under the License.
  */
 import { App } from '../app';
-import { AppCheckToken, AppCheckTokenOptions, VerifyAppCheckTokenResponse } from './app-check-api';
+import { AppCheckToken, AppCheckTokenOptions, VerifyAppCheckTokenOptions, VerifyAppCheckTokenResponse } from './app-check-api';
 /**
  * The Firebase `AppCheck` service interface.
  */
@@ -41,9 +41,11 @@ export declare class AppCheck {
      * rejected.
      *
      * @param appCheckToken - The App Check token to verify.
+     * @param options - Optional {@link VerifyAppCheckTokenOptions} object when verifying an App Check Token.
      *
      * @returns A promise fulfilled with the token's decoded claims
      *   if the App Check token is valid; otherwise, a rejected promise.
      */
-    verifyToken(appCheckToken: string): Promise<VerifyAppCheckTokenResponse>;
+    verifyToken(appCheckToken: string, options?: VerifyAppCheckTokenOptions): Promise<VerifyAppCheckTokenResponse>;
+    private validateVerifyAppCheckTokenOptions;
 }

package/lib/app-check/app-check.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 "use strict";
 /*!
  * @license
@@ -18,6 +18,7 @@
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AppCheck = void 0;
+const validator = require("../utils/validator");
 const app_check_api_client_internal_1 = require("./app-check-api-client-internal");
 const token_generator_1 = require("./token-generator");
 const token_verifier_1 = require("./token-verifier");
@@ -63,18 +64,38 @@ class AppCheck {
      * rejected.
      *
      * @param appCheckToken - The App Check token to verify.
+     * @param options - Optional {@link VerifyAppCheckTokenOptions} object when verifying an App Check Token.
      *
      * @returns A promise fulfilled with the token's decoded claims
      *   if the App Check token is valid; otherwise, a rejected promise.
      */
-    verifyToken(appCheckToken) {
+    verifyToken(appCheckToken, options) {
+        this.validateVerifyAppCheckTokenOptions(options);
         return this.appCheckTokenVerifier.verifyToken(appCheckToken)
             .then((decodedToken) => {
+            if (options?.consume) {
+                return this.client.verifyReplayProtection(appCheckToken)
+                    .then((alreadyConsumed) => {
+                    return {
+                        alreadyConsumed,
+                        appId: decodedToken.app_id,
+                        token: decodedToken,
+                    };
+                });
+            }
             return {
                 appId: decodedToken.app_id,
                 token: decodedToken,
             };
         });
     }
+    validateVerifyAppCheckTokenOptions(options) {
+        if (typeof options === 'undefined') {
+            return;
+        }
+        if (!validator.isNonNullObject(options)) {
+            throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', 'VerifyAppCheckTokenOptions must be a non-null object.');
+        }
+    }
 }
 exports.AppCheck = AppCheck;

package/lib/app-check/index.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 /*!
  * @license
  * Copyright 2021 Google Inc.
@@ -22,7 +22,7 @@
  */
 import { App } from '../app';
 import { AppCheck } from './app-check';
-export { AppCheckToken, AppCheckTokenOptions, DecodedAppCheckToken, VerifyAppCheckTokenResponse, } from './app-check-api';
+export { AppCheckToken, AppCheckTokenOptions, DecodedAppCheckToken, VerifyAppCheckTokenOptions, VerifyAppCheckTokenResponse, } from './app-check-api';
 export { AppCheck } from './app-check';
 /**
  * Gets the {@link AppCheck} service for the default app or a given app.

package/lib/app-check/index.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 "use strict";
 /*!
  * @license

package/lib/app-check/token-generator.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 /*!
  * @license
  * Copyright 2021 Google Inc.

package/lib/app-check/token-generator.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 "use strict";
 /*!
  * @license

package/lib/app-check/token-verifier.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 /*!
  * Copyright 2021 Google Inc.
  *

package/lib/app-check/token-verifier.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 "use strict";
 /*!
  * Copyright 2021 Google Inc.

package/lib/auth/action-code-settings-builder.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 /*!
  * Copyright 2018 Google Inc.
  *

package/lib/auth/action-code-settings-builder.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 "use strict";
 /*!
  * Copyright 2018 Google Inc.

package/lib/auth/auth-api-request.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 /*!
  * @license
  * Copyright 2017 Google Inc.

package/lib/auth/auth-api-request.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v11.6.0 */
+/*! firebase-admin v11.8.0 */
 "use strict";
 /*!
  * @license
@@ -813,17 +813,6 @@ const LIST_INBOUND_SAML_CONFIGS = new api_request_1.ApiSettings('/inboundSamlCon
  * @internal
  */
 class AbstractAuthRequestHandler {
-    /**
-     * @param app - The app used to fetch access tokens to sign API requests.
-     * @constructor
-     */
-    constructor(app) {
-        this.app = app;
-        if (typeof app !== 'object' || app === null || !('options' in app)) {
-            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'First argument passed to admin.auth() must be a valid Firebase app instance.');
-        }
-        this.httpClient = new AuthHttpClient(app);
-    }
     /**
      * @param response - The response to check for errors.
      * @returns The error code if present; null otherwise.
@@ -868,6 +857,17 @@ class AbstractAuthRequestHandler {
             : request.federatedUserId = [federatedUserId];
         return request;
     }
+    /**
+     * @param app - The app used to fetch access tokens to sign API requests.
+     * @constructor
+     */
+    constructor(app) {
+        this.app = app;
+        if (typeof app !== 'object' || app === null || !('options' in app)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'First argument passed to admin.auth() must be a valid Firebase app instance.');
+        }
+        this.httpClient = new AuthHttpClient(app);
+    }
     /**
      * Creates a new Firebase session cookie with the specified duration that can be used for
      * session management (set as a server side session cookie with custom cookie policy).