firebase-admin 13.10.0 → 14.0.0

package/lib/auth/error.js

@@ -0,0 +1,690 @@
+/*! firebase-admin v14.0.0 */
+"use strict";
+/*!
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FirebaseAuthError = exports.authClientErrorCode = exports.AuthErrorCode = void 0;
+const error_1 = require("../utils/error");
+const deep_copy_1 = require("../utils/deep-copy");
+/**
+ * The constant mapping for valid Auth client error codes.
+ */
+exports.AuthErrorCode = {
+    AUTH_BLOCKING_TOKEN_EXPIRED: 'auth-blocking-token-expired',
+    BILLING_NOT_ENABLED: 'billing-not-enabled',
+    CLAIMS_TOO_LARGE: 'claims-too-large',
+    CONFIGURATION_EXISTS: 'configuration-exists',
+    CONFIGURATION_NOT_FOUND: 'configuration-not-found',
+    ID_TOKEN_EXPIRED: 'id-token-expired',
+    INVALID_ARGUMENT: 'argument-error',
+    INVALID_CONFIG: 'invalid-config',
+    EMAIL_ALREADY_EXISTS: 'email-already-exists',
+    EMAIL_NOT_FOUND: 'email-not-found',
+    FORBIDDEN_CLAIM: 'reserved-claim',
+    INVALID_ID_TOKEN: 'invalid-id-token',
+    ID_TOKEN_REVOKED: 'id-token-revoked',
+    INTERNAL_ERROR: 'internal-error',
+    INVALID_CLAIMS: 'invalid-claims',
+    INVALID_CONTINUE_URI: 'invalid-continue-uri',
+    INVALID_CREATION_TIME: 'invalid-creation-time',
+    INVALID_CREDENTIAL: 'invalid-credential',
+    INVALID_DISABLED_FIELD: 'invalid-disabled-field',
+    INVALID_DISPLAY_NAME: 'invalid-display-name',
+    INVALID_DYNAMIC_LINK_DOMAIN: 'invalid-dynamic-link-domain',
+    INVALID_HOSTING_LINK_DOMAIN: 'invalid-hosting-link-domain',
+    INVALID_EMAIL_VERIFIED: 'invalid-email-verified',
+    INVALID_EMAIL: 'invalid-email',
+    INVALID_NEW_EMAIL: 'invalid-new-email',
+    INVALID_ENROLLED_FACTORS: 'invalid-enrolled-factors',
+    INVALID_ENROLLMENT_TIME: 'invalid-enrollment-time',
+    INVALID_HASH_ALGORITHM: 'invalid-hash-algorithm',
+    INVALID_HASH_BLOCK_SIZE: 'invalid-hash-block-size',
+    INVALID_HASH_DERIVED_KEY_LENGTH: 'invalid-hash-derived-key-length',
+    INVALID_HASH_KEY: 'invalid-hash-key',
+    INVALID_HASH_MEMORY_COST: 'invalid-hash-memory-cost',
+    INVALID_HASH_PARALLELIZATION: 'invalid-hash-parallelization',
+    INVALID_HASH_ROUNDS: 'invalid-hash-rounds',
+    INVALID_HASH_SALT_SEPARATOR: 'invalid-hash-salt-separator',
+    INVALID_LAST_SIGN_IN_TIME: 'invalid-last-sign-in-time',
+    INVALID_NAME: 'invalid-name',
+    INVALID_OAUTH_CLIENT_ID: 'invalid-oauth-client-id',
+    INVALID_PAGE_TOKEN: 'invalid-page-token',
+    INVALID_PASSWORD: 'invalid-password',
+    INVALID_PASSWORD_HASH: 'invalid-password-hash',
+    INVALID_PASSWORD_SALT: 'invalid-password-salt',
+    INVALID_PHONE_NUMBER: 'invalid-phone-number',
+    INVALID_PHOTO_URL: 'invalid-photo-url',
+    INVALID_PROJECT_ID: 'invalid-project-id',
+    INVALID_PROVIDER_DATA: 'invalid-provider-data',
+    INVALID_PROVIDER_ID: 'invalid-provider-id',
+    INVALID_PROVIDER_UID: 'invalid-provider-uid',
+    INVALID_OAUTH_RESPONSETYPE: 'invalid-oauth-responsetype',
+    INVALID_SESSION_COOKIE_DURATION: 'invalid-session-cookie-duration',
+    INVALID_TENANT_ID: 'invalid-tenant-id',
+    INVALID_TENANT_TYPE: 'invalid-tenant-type',
+    INVALID_TESTING_PHONE_NUMBER: 'invalid-testing-phone-number',
+    INVALID_UID: 'invalid-uid',
+    INVALID_USER_IMPORT: 'invalid-user-import',
+    INVALID_TOKENS_VALID_AFTER_TIME: 'invalid-tokens-valid-after-time',
+    MISMATCHING_TENANT_ID: 'mismatching-tenant-id',
+    MISSING_ANDROID_PACKAGE_NAME: 'missing-android-package-name',
+    MISSING_CONFIG: 'missing-config',
+    MISSING_CONTINUE_URI: 'missing-continue-uri',
+    MISSING_DISPLAY_NAME: 'missing-display-name',
+    MISSING_EMAIL: 'missing-email',
+    MISSING_IOS_BUNDLE_ID: 'missing-ios-bundle-id',
+    MISSING_ISSUER: 'missing-issuer',
+    MISSING_HASH_ALGORITHM: 'missing-hash-algorithm',
+    MISSING_OAUTH_CLIENT_ID: 'missing-oauth-client-id',
+    MISSING_OAUTH_CLIENT_SECRET: 'missing-oauth-client-secret',
+    MISSING_PROVIDER_ID: 'missing-provider-id',
+    MISSING_SAML_RELYING_PARTY_CONFIG: 'missing-saml-relying-party-config',
+    MAXIMUM_TEST_PHONE_NUMBER_EXCEEDED: 'test-phone-number-limit-exceeded',
+    MAXIMUM_USER_COUNT_EXCEEDED: 'maximum-user-count-exceeded',
+    MISSING_UID: 'missing-uid',
+    OPERATION_NOT_ALLOWED: 'operation-not-allowed',
+    PHONE_NUMBER_ALREADY_EXISTS: 'phone-number-already-exists',
+    PROJECT_NOT_FOUND: 'project-not-found',
+    INSUFFICIENT_PERMISSION: 'insufficient-permission',
+    QUOTA_EXCEEDED: 'quota-exceeded',
+    SECOND_FACTOR_LIMIT_EXCEEDED: 'second-factor-limit-exceeded',
+    SECOND_FACTOR_UID_ALREADY_EXISTS: 'second-factor-uid-already-exists',
+    SESSION_COOKIE_EXPIRED: 'session-cookie-expired',
+    SESSION_COOKIE_REVOKED: 'session-cookie-revoked',
+    TENANT_NOT_FOUND: 'tenant-not-found',
+    UID_ALREADY_EXISTS: 'uid-already-exists',
+    UNAUTHORIZED_DOMAIN: 'unauthorized-continue-uri',
+    UNSUPPORTED_FIRST_FACTOR: 'unsupported-first-factor',
+    UNSUPPORTED_SECOND_FACTOR: 'unsupported-second-factor',
+    UNSUPPORTED_TENANT_OPERATION: 'unsupported-tenant-operation',
+    UNVERIFIED_EMAIL: 'unverified-email',
+    USER_NOT_FOUND: 'user-not-found',
+    NOT_FOUND: 'not-found',
+    USER_DISABLED: 'user-disabled',
+    USER_NOT_DISABLED: 'user-not-disabled',
+    INVALID_RECAPTCHA_ACTION: 'invalid-recaptcha-action',
+    INVALID_RECAPTCHA_ENFORCEMENT_STATE: 'invalid-recaptcha-enforcement-state',
+    RECAPTCHA_NOT_ENABLED: 'recaptcha-not-enabled',
+};
+/**
+ * Internal Auth client error code mapping used to construct ErrorInfo.
+ */
+exports.authClientErrorCode = {
+    AUTH_BLOCKING_TOKEN_EXPIRED: {
+        code: exports.AuthErrorCode.AUTH_BLOCKING_TOKEN_EXPIRED,
+        message: 'The provided Firebase Auth Blocking token is expired.',
+    },
+    BILLING_NOT_ENABLED: {
+        code: exports.AuthErrorCode.BILLING_NOT_ENABLED,
+        message: 'Feature requires billing to be enabled.',
+    },
+    CLAIMS_TOO_LARGE: {
+        code: exports.AuthErrorCode.CLAIMS_TOO_LARGE,
+        message: 'Developer claims maximum payload size exceeded.',
+    },
+    CONFIGURATION_EXISTS: {
+        code: exports.AuthErrorCode.CONFIGURATION_EXISTS,
+        message: 'A configuration already exists with the provided identifier.',
+    },
+    CONFIGURATION_NOT_FOUND: {
+        code: exports.AuthErrorCode.CONFIGURATION_NOT_FOUND,
+        message: 'There is no configuration corresponding to the provided identifier.',
+    },
+    ID_TOKEN_EXPIRED: {
+        code: exports.AuthErrorCode.ID_TOKEN_EXPIRED,
+        message: 'The provided Firebase ID token is expired.',
+    },
+    INVALID_ARGUMENT: {
+        code: exports.AuthErrorCode.INVALID_ARGUMENT,
+        message: 'Invalid argument provided.',
+    },
+    INVALID_CONFIG: {
+        code: exports.AuthErrorCode.INVALID_CONFIG,
+        message: 'The provided configuration is invalid.',
+    },
+    EMAIL_ALREADY_EXISTS: {
+        code: exports.AuthErrorCode.EMAIL_ALREADY_EXISTS,
+        message: 'The email address is already in use by another account.',
+    },
+    EMAIL_NOT_FOUND: {
+        code: exports.AuthErrorCode.EMAIL_NOT_FOUND,
+        message: 'There is no user record corresponding to the provided email.',
+    },
+    FORBIDDEN_CLAIM: {
+        code: exports.AuthErrorCode.FORBIDDEN_CLAIM,
+        message: 'The specified developer claim is reserved and cannot be specified.',
+    },
+    INVALID_ID_TOKEN: {
+        code: exports.AuthErrorCode.INVALID_ID_TOKEN,
+        message: 'The provided ID token is not a valid Firebase ID token.',
+    },
+    ID_TOKEN_REVOKED: {
+        code: exports.AuthErrorCode.ID_TOKEN_REVOKED,
+        message: 'The Firebase ID token has been revoked.',
+    },
+    INTERNAL_ERROR: {
+        code: exports.AuthErrorCode.INTERNAL_ERROR,
+        message: 'An internal error has occurred.',
+    },
+    INVALID_CLAIMS: {
+        code: exports.AuthErrorCode.INVALID_CLAIMS,
+        message: 'The provided custom claim attributes are invalid.',
+    },
+    INVALID_CONTINUE_URI: {
+        code: exports.AuthErrorCode.INVALID_CONTINUE_URI,
+        message: 'The continue URL must be a valid URL string.',
+    },
+    INVALID_CREATION_TIME: {
+        code: exports.AuthErrorCode.INVALID_CREATION_TIME,
+        message: 'The creation time must be a valid UTC date string.',
+    },
+    INVALID_CREDENTIAL: {
+        code: exports.AuthErrorCode.INVALID_CREDENTIAL,
+        message: 'Invalid credential object provided.',
+    },
+    INVALID_DISABLED_FIELD: {
+        code: exports.AuthErrorCode.INVALID_DISABLED_FIELD,
+        message: 'The disabled field must be a boolean.',
+    },
+    INVALID_DISPLAY_NAME: {
+        code: exports.AuthErrorCode.INVALID_DISPLAY_NAME,
+        message: 'The displayName field must be a valid string.',
+    },
+    INVALID_DYNAMIC_LINK_DOMAIN: {
+        code: exports.AuthErrorCode.INVALID_DYNAMIC_LINK_DOMAIN,
+        message: 'The provided dynamic link domain is not configured or authorized for the current project.',
+    },
+    INVALID_HOSTING_LINK_DOMAIN: {
+        code: exports.AuthErrorCode.INVALID_HOSTING_LINK_DOMAIN,
+        message: 'The provided hosting link domain is not configured in Firebase Hosting or ' +
+            'is not owned by the current project.',
+    },
+    INVALID_EMAIL_VERIFIED: {
+        code: exports.AuthErrorCode.INVALID_EMAIL_VERIFIED,
+        message: 'The emailVerified field must be a boolean.',
+    },
+    INVALID_EMAIL: {
+        code: exports.AuthErrorCode.INVALID_EMAIL,
+        message: 'The email address is improperly formatted.',
+    },
+    INVALID_NEW_EMAIL: {
+        code: exports.AuthErrorCode.INVALID_NEW_EMAIL,
+        message: 'The new email address is improperly formatted.',
+    },
+    INVALID_ENROLLED_FACTORS: {
+        code: exports.AuthErrorCode.INVALID_ENROLLED_FACTORS,
+        message: 'The enrolled factors must be a valid array of MultiFactorInfo objects.',
+    },
+    INVALID_ENROLLMENT_TIME: {
+        code: exports.AuthErrorCode.INVALID_ENROLLMENT_TIME,
+        message: 'The second factor enrollment time must be a valid UTC date string.',
+    },
+    INVALID_HASH_ALGORITHM: {
+        code: exports.AuthErrorCode.INVALID_HASH_ALGORITHM,
+        message: 'The hash algorithm must match one of the strings in the list of supported algorithms.',
+    },
+    INVALID_HASH_BLOCK_SIZE: {
+        code: exports.AuthErrorCode.INVALID_HASH_BLOCK_SIZE,
+        message: 'The hash block size must be a valid number.',
+    },
+    INVALID_HASH_DERIVED_KEY_LENGTH: {
+        code: exports.AuthErrorCode.INVALID_HASH_DERIVED_KEY_LENGTH,
+        message: 'The hash derived key length must be a valid number.',
+    },
+    INVALID_HASH_KEY: {
+        code: exports.AuthErrorCode.INVALID_HASH_KEY,
+        message: 'The hash key must a valid byte buffer.',
+    },
+    INVALID_HASH_MEMORY_COST: {
+        code: exports.AuthErrorCode.INVALID_HASH_MEMORY_COST,
+        message: 'The hash memory cost must be a valid number.',
+    },
+    INVALID_HASH_PARALLELIZATION: {
+        code: exports.AuthErrorCode.INVALID_HASH_PARALLELIZATION,
+        message: 'The hash parallelization must be a valid number.',
+    },
+    INVALID_HASH_ROUNDS: {
+        code: exports.AuthErrorCode.INVALID_HASH_ROUNDS,
+        message: 'The hash rounds must be a valid number.',
+    },
+    INVALID_HASH_SALT_SEPARATOR: {
+        code: exports.AuthErrorCode.INVALID_HASH_SALT_SEPARATOR,
+        message: 'The hashing algorithm salt separator field must be a valid byte buffer.',
+    },
+    INVALID_LAST_SIGN_IN_TIME: {
+        code: exports.AuthErrorCode.INVALID_LAST_SIGN_IN_TIME,
+        message: 'The last sign-in time must be a valid UTC date string.',
+    },
+    INVALID_NAME: {
+        code: exports.AuthErrorCode.INVALID_NAME,
+        message: 'The resource name provided is invalid.',
+    },
+    INVALID_OAUTH_CLIENT_ID: {
+        code: exports.AuthErrorCode.INVALID_OAUTH_CLIENT_ID,
+        message: 'The provided OAuth client ID is invalid.',
+    },
+    INVALID_PAGE_TOKEN: {
+        code: exports.AuthErrorCode.INVALID_PAGE_TOKEN,
+        message: 'The page token must be a valid non-empty string.',
+    },
+    INVALID_PASSWORD: {
+        code: exports.AuthErrorCode.INVALID_PASSWORD,
+        message: 'The password must be a string with at least 6 characters.',
+    },
+    INVALID_PASSWORD_HASH: {
+        code: exports.AuthErrorCode.INVALID_PASSWORD_HASH,
+        message: 'The password hash must be a valid byte buffer.',
+    },
+    INVALID_PASSWORD_SALT: {
+        code: exports.AuthErrorCode.INVALID_PASSWORD_SALT,
+        message: 'The password salt must be a valid byte buffer.',
+    },
+    INVALID_PHONE_NUMBER: {
+        code: exports.AuthErrorCode.INVALID_PHONE_NUMBER,
+        message: 'The phone number must be a non-empty E.164 standard compliant identifier string.',
+    },
+    INVALID_PHOTO_URL: {
+        code: exports.AuthErrorCode.INVALID_PHOTO_URL,
+        message: 'The photoURL field must be a valid URL.',
+    },
+    INVALID_PROJECT_ID: {
+        code: exports.AuthErrorCode.INVALID_PROJECT_ID,
+        message: 'Invalid parent project. Either parent project doesn\'t exist or didn\'t enable multi-tenancy.',
+    },
+    INVALID_PROVIDER_DATA: {
+        code: exports.AuthErrorCode.INVALID_PROVIDER_DATA,
+        message: 'The providerData must be a valid array of UserInfo objects.',
+    },
+    INVALID_PROVIDER_ID: {
+        code: exports.AuthErrorCode.INVALID_PROVIDER_ID,
+        message: 'The providerId must be a valid supported provider identifier string.',
+    },
+    INVALID_PROVIDER_UID: {
+        code: exports.AuthErrorCode.INVALID_PROVIDER_UID,
+        message: 'The providerUid must be a valid provider uid string.',
+    },
+    INVALID_OAUTH_RESPONSETYPE: {
+        code: exports.AuthErrorCode.INVALID_OAUTH_RESPONSETYPE,
+        message: 'Only exactly one OAuth responseType should be set to true.',
+    },
+    INVALID_SESSION_COOKIE_DURATION: {
+        code: exports.AuthErrorCode.INVALID_SESSION_COOKIE_DURATION,
+        message: 'The session cookie duration must be a valid number in milliseconds between 5 minutes and 2 weeks.',
+    },
+    INVALID_TENANT_ID: {
+        code: exports.AuthErrorCode.INVALID_TENANT_ID,
+        message: 'The tenant ID must be a valid non-empty string.',
+    },
+    INVALID_TENANT_TYPE: {
+        code: exports.AuthErrorCode.INVALID_TENANT_TYPE,
+        message: 'Tenant type must be either "full_service" or "lightweight".',
+    },
+    INVALID_TESTING_PHONE_NUMBER: {
+        code: exports.AuthErrorCode.INVALID_TESTING_PHONE_NUMBER,
+        message: 'Invalid testing phone number or invalid test code provided.',
+    },
+    INVALID_UID: {
+        code: exports.AuthErrorCode.INVALID_UID,
+        message: 'The uid must be a non-empty string with at most 128 characters.',
+    },
+    INVALID_USER_IMPORT: {
+        code: exports.AuthErrorCode.INVALID_USER_IMPORT,
+        message: 'The user record to import is invalid.',
+    },
+    INVALID_TOKENS_VALID_AFTER_TIME: {
+        code: exports.AuthErrorCode.INVALID_TOKENS_VALID_AFTER_TIME,
+        message: 'The tokensValidAfterTime must be a valid UTC number in seconds.',
+    },
+    MISMATCHING_TENANT_ID: {
+        code: exports.AuthErrorCode.MISMATCHING_TENANT_ID,
+        message: 'User tenant ID does not match with the current TenantAwareAuth tenant ID.',
+    },
+    MISSING_ANDROID_PACKAGE_NAME: {
+        code: exports.AuthErrorCode.MISSING_ANDROID_PACKAGE_NAME,
+        message: 'An Android Package Name must be provided if the Android App is required to be installed.',
+    },
+    MISSING_CONFIG: {
+        code: exports.AuthErrorCode.MISSING_CONFIG,
+        message: 'The provided configuration is missing required attributes.',
+    },
+    MISSING_CONTINUE_URI: {
+        code: exports.AuthErrorCode.MISSING_CONTINUE_URI,
+        message: 'A valid continue URL must be provided in the request.',
+    },
+    MISSING_DISPLAY_NAME: {
+        code: exports.AuthErrorCode.MISSING_DISPLAY_NAME,
+        message: 'The resource being created or edited is missing a valid display name.',
+    },
+    MISSING_EMAIL: {
+        code: exports.AuthErrorCode.MISSING_EMAIL,
+        message: 'The email is required for the specified action. For example, a multi-factor ' +
+            'user requires a verified email.',
+    },
+    MISSING_IOS_BUNDLE_ID: {
+        code: exports.AuthErrorCode.MISSING_IOS_BUNDLE_ID,
+        message: 'The request is missing an iOS Bundle ID.',
+    },
+    MISSING_ISSUER: {
+        code: exports.AuthErrorCode.MISSING_ISSUER,
+        message: 'The OAuth/OIDC configuration issuer must not be empty.',
+    },
+    MISSING_HASH_ALGORITHM: {
+        code: exports.AuthErrorCode.MISSING_HASH_ALGORITHM,
+        message: 'Importing users with password hashes requires that the hashing algorithm and its parameters be provided.',
+    },
+    MISSING_OAUTH_CLIENT_ID: {
+        code: exports.AuthErrorCode.MISSING_OAUTH_CLIENT_ID,
+        message: 'The OAuth/OIDC configuration client ID must not be empty.',
+    },
+    MISSING_OAUTH_CLIENT_SECRET: {
+        code: exports.AuthErrorCode.MISSING_OAUTH_CLIENT_SECRET,
+        message: 'The OAuth configuration client secret is required to enable OIDC code flow.',
+    },
+    MISSING_PROVIDER_ID: {
+        code: exports.AuthErrorCode.MISSING_PROVIDER_ID,
+        message: 'A valid provider ID must be provided in the request.',
+    },
+    MISSING_SAML_RELYING_PARTY_CONFIG: {
+        code: exports.AuthErrorCode.MISSING_SAML_RELYING_PARTY_CONFIG,
+        message: 'The SAML configuration provided is missing a relying party configuration.',
+    },
+    MAXIMUM_TEST_PHONE_NUMBER_EXCEEDED: {
+        code: exports.AuthErrorCode.MAXIMUM_TEST_PHONE_NUMBER_EXCEEDED,
+        message: 'The maximum allowed number of test phone number / code pairs has been exceeded.',
+    },
+    MAXIMUM_USER_COUNT_EXCEEDED: {
+        code: exports.AuthErrorCode.MAXIMUM_USER_COUNT_EXCEEDED,
+        message: 'The maximum allowed number of users to import has been exceeded.',
+    },
+    MISSING_UID: {
+        code: exports.AuthErrorCode.MISSING_UID,
+        message: 'A uid identifier is required for the current operation.',
+    },
+    OPERATION_NOT_ALLOWED: {
+        code: exports.AuthErrorCode.OPERATION_NOT_ALLOWED,
+        message: 'The given sign-in provider is disabled for this Firebase project. Enable it in the ' +
+            'Firebase console, under the sign-in method tab of the Auth section.',
+    },
+    PHONE_NUMBER_ALREADY_EXISTS: {
+        code: exports.AuthErrorCode.PHONE_NUMBER_ALREADY_EXISTS,
+        message: 'The user with the provided phone number already exists.',
+    },
+    PROJECT_NOT_FOUND: {
+        code: exports.AuthErrorCode.PROJECT_NOT_FOUND,
+        message: 'No Firebase project was found for the provided credential.',
+    },
+    INSUFFICIENT_PERMISSION: {
+        code: exports.AuthErrorCode.INSUFFICIENT_PERMISSION,
+        message: 'Credential implementation provided to initializeApp() via the "credential" property has insufficient permission to access the requested resource. See https://firebase.google.com/docs/admin/setup for details on how to authenticate this SDK with appropriate permissions.',
+    },
+    QUOTA_EXCEEDED: {
+        code: exports.AuthErrorCode.QUOTA_EXCEEDED,
+        message: 'The project quota for the specified operation has been exceeded.',
+    },
+    SECOND_FACTOR_LIMIT_EXCEEDED: {
+        code: exports.AuthErrorCode.SECOND_FACTOR_LIMIT_EXCEEDED,
+        message: 'The maximum number of allowed second factors on a user has been exceeded.',
+    },
+    SECOND_FACTOR_UID_ALREADY_EXISTS: {
+        code: exports.AuthErrorCode.SECOND_FACTOR_UID_ALREADY_EXISTS,
+        message: 'The specified second factor "uid" already exists.',
+    },
+    SESSION_COOKIE_EXPIRED: {
+        code: exports.AuthErrorCode.SESSION_COOKIE_EXPIRED,
+        message: 'The Firebase session cookie is expired.',
+    },
+    SESSION_COOKIE_REVOKED: {
+        code: exports.AuthErrorCode.SESSION_COOKIE_REVOKED,
+        message: 'The Firebase session cookie has been revoked.',
+    },
+    TENANT_NOT_FOUND: {
+        code: exports.AuthErrorCode.TENANT_NOT_FOUND,
+        message: 'There is no tenant corresponding to the provided identifier.',
+    },
+    UID_ALREADY_EXISTS: {
+        code: exports.AuthErrorCode.UID_ALREADY_EXISTS,
+        message: 'The user with the provided uid already exists.',
+    },
+    UNAUTHORIZED_DOMAIN: {
+        code: exports.AuthErrorCode.UNAUTHORIZED_DOMAIN,
+        message: 'The domain of the continue URL is not whitelisted. Whitelist the domain in the Firebase console.',
+    },
+    UNSUPPORTED_FIRST_FACTOR: {
+        code: exports.AuthErrorCode.UNSUPPORTED_FIRST_FACTOR,
+        message: 'A multi-factor user requires a supported first factor.',
+    },
+    UNSUPPORTED_SECOND_FACTOR: {
+        code: exports.AuthErrorCode.UNSUPPORTED_SECOND_FACTOR,
+        message: 'The request specified an unsupported type of second factor.',
+    },
+    UNSUPPORTED_TENANT_OPERATION: {
+        code: exports.AuthErrorCode.UNSUPPORTED_TENANT_OPERATION,
+        message: 'This operation is not supported in a multi-tenant context.',
+    },
+    UNVERIFIED_EMAIL: {
+        code: exports.AuthErrorCode.UNVERIFIED_EMAIL,
+        message: 'A verified email is required for the specified action. For example, a ' +
+            'multi-factor user requires a verified email.',
+    },
+    USER_NOT_FOUND: {
+        code: exports.AuthErrorCode.USER_NOT_FOUND,
+        message: 'There is no user record corresponding to the provided identifier.',
+    },
+    NOT_FOUND: {
+        code: exports.AuthErrorCode.NOT_FOUND,
+        message: 'The requested resource was not found.',
+    },
+    USER_DISABLED: {
+        code: exports.AuthErrorCode.USER_DISABLED,
+        message: 'The user record is disabled.',
+    },
+    USER_NOT_DISABLED: {
+        code: exports.AuthErrorCode.USER_NOT_DISABLED,
+        message: 'The user must be disabled in order to bulk delete it (or you must pass force=true).',
+    },
+    INVALID_RECAPTCHA_ACTION: {
+        code: exports.AuthErrorCode.INVALID_RECAPTCHA_ACTION,
+        message: 'reCAPTCHA action must be "BLOCK".',
+    },
+    INVALID_RECAPTCHA_ENFORCEMENT_STATE: {
+        code: exports.AuthErrorCode.INVALID_RECAPTCHA_ENFORCEMENT_STATE,
+        message: 'reCAPTCHA enforcement state must be either "OFF", "AUDIT" or "ENFORCE".',
+    },
+    RECAPTCHA_NOT_ENABLED: {
+        code: exports.AuthErrorCode.RECAPTCHA_NOT_ENABLED,
+        message: 'reCAPTCHA enterprise is not enabled.',
+    },
+};
+/** @const {Record<string, keyof typeof AuthErrorCode>} Auth server to client enum error codes. */
+const AUTH_SERVER_TO_CLIENT_CODE = {
+    // Feature being configured or used requires a billing account.
+    BILLING_NOT_ENABLED: 'BILLING_NOT_ENABLED',
+    // Claims payload is too large.
+    CLAIMS_TOO_LARGE: 'CLAIMS_TOO_LARGE',
+    // Configuration being added already exists.
+    CONFIGURATION_EXISTS: 'CONFIGURATION_EXISTS',
+    // Configuration not found.
+    CONFIGURATION_NOT_FOUND: 'CONFIGURATION_NOT_FOUND',
+    // Provided credential has insufficient permissions.
+    INSUFFICIENT_PERMISSION: 'INSUFFICIENT_PERMISSION',
+    // Provided configuration has invalid fields.
+    INVALID_CONFIG: 'INVALID_CONFIG',
+    // Provided configuration identifier is invalid.
+    INVALID_CONFIG_ID: 'INVALID_PROVIDER_ID',
+    // ActionCodeSettings missing continue URL.
+    INVALID_CONTINUE_URI: 'INVALID_CONTINUE_URI',
+    // Dynamic link domain in provided ActionCodeSettings is not authorized.
+    INVALID_DYNAMIC_LINK_DOMAIN: 'INVALID_DYNAMIC_LINK_DOMAIN',
+    // Hosting link domain in provided ActionCodeSettings is not owned by the current project.
+    INVALID_HOSTING_LINK_DOMAIN: 'INVALID_HOSTING_LINK_DOMAIN',
+    // uploadAccount provides an email that already exists.
+    DUPLICATE_EMAIL: 'EMAIL_ALREADY_EXISTS',
+    // uploadAccount provides a localId that already exists.
+    DUPLICATE_LOCAL_ID: 'UID_ALREADY_EXISTS',
+    // Request specified a multi-factor enrollment ID that already exists.
+    DUPLICATE_MFA_ENROLLMENT_ID: 'SECOND_FACTOR_UID_ALREADY_EXISTS',
+    // setAccountInfo email already exists.
+    EMAIL_EXISTS: 'EMAIL_ALREADY_EXISTS',
+    // /accounts:sendOobCode for password reset when user is not found.
+    EMAIL_NOT_FOUND: 'EMAIL_NOT_FOUND',
+    // Reserved claim name.
+    FORBIDDEN_CLAIM: 'FORBIDDEN_CLAIM',
+    // Invalid claims provided.
+    INVALID_CLAIMS: 'INVALID_CLAIMS',
+    // Invalid session cookie duration.
+    INVALID_DURATION: 'INVALID_SESSION_COOKIE_DURATION',
+    // Invalid email provided.
+    INVALID_EMAIL: 'INVALID_EMAIL',
+    // Invalid new email provided.
+    INVALID_NEW_EMAIL: 'INVALID_NEW_EMAIL',
+    // Invalid tenant display name. This can be thrown on CreateTenant and UpdateTenant.
+    INVALID_DISPLAY_NAME: 'INVALID_DISPLAY_NAME',
+    // Invalid ID token provided.
+    INVALID_ID_TOKEN: 'INVALID_ID_TOKEN',
+    // Invalid tenant/parent resource name.
+    INVALID_NAME: 'INVALID_NAME',
+    // OIDC configuration has an invalid OAuth client ID.
+    INVALID_OAUTH_CLIENT_ID: 'INVALID_OAUTH_CLIENT_ID',
+    // Invalid page token.
+    INVALID_PAGE_SELECTION: 'INVALID_PAGE_TOKEN',
+    // Invalid phone number.
+    INVALID_PHONE_NUMBER: 'INVALID_PHONE_NUMBER',
+    // Invalid agent project. Either agent project doesn't exist or didn't enable multi-tenancy.
+    INVALID_PROJECT_ID: 'INVALID_PROJECT_ID',
+    // Invalid provider ID.
+    INVALID_PROVIDER_ID: 'INVALID_PROVIDER_ID',
+    // Invalid service account.
+    INVALID_SERVICE_ACCOUNT: 'INVALID_CREDENTIAL',
+    // Invalid testing phone number.
+    INVALID_TESTING_PHONE_NUMBER: 'INVALID_TESTING_PHONE_NUMBER',
+    // Invalid tenant type.
+    INVALID_TENANT_TYPE: 'INVALID_TENANT_TYPE',
+    // Missing Android package name.
+    MISSING_ANDROID_PACKAGE_NAME: 'MISSING_ANDROID_PACKAGE_NAME',
+    // Missing configuration.
+    MISSING_CONFIG: 'MISSING_CONFIG',
+    // Missing configuration identifier.
+    MISSING_CONFIG_ID: 'MISSING_PROVIDER_ID',
+    // Missing tenant display name: This can be thrown on CreateTenant and UpdateTenant.
+    MISSING_DISPLAY_NAME: 'MISSING_DISPLAY_NAME',
+    // Email is required for the specified action. For example a multi-factor user requires
+    // a verified email.
+    MISSING_EMAIL: 'MISSING_EMAIL',
+    // Missing iOS bundle ID.
+    MISSING_IOS_BUNDLE_ID: 'MISSING_IOS_BUNDLE_ID',
+    // Missing OIDC issuer.
+    MISSING_ISSUER: 'MISSING_ISSUER',
+    // No localId provided (deleteAccount missing localId).
+    MISSING_LOCAL_ID: 'MISSING_UID',
+    // OIDC configuration is missing an OAuth client ID.
+    MISSING_OAUTH_CLIENT_ID: 'MISSING_OAUTH_CLIENT_ID',
+    // Missing provider ID.
+    MISSING_PROVIDER_ID: 'MISSING_PROVIDER_ID',
+    // Missing SAML RP config.
+    MISSING_SAML_RELYING_PARTY_CONFIG: 'MISSING_SAML_RELYING_PARTY_CONFIG',
+    // Empty user list in uploadAccount.
+    MISSING_USER_ACCOUNT: 'MISSING_UID',
+    // Password auth disabled in console.
+    OPERATION_NOT_ALLOWED: 'OPERATION_NOT_ALLOWED',
+    // Provided credential has insufficient permissions.
+    PERMISSION_DENIED: 'INSUFFICIENT_PERMISSION',
+    // Phone number already exists.
+    PHONE_NUMBER_EXISTS: 'PHONE_NUMBER_ALREADY_EXISTS',
+    // Project not found.
+    PROJECT_NOT_FOUND: 'PROJECT_NOT_FOUND',
+    // In multi-tenancy context: project creation quota exceeded.
+    QUOTA_EXCEEDED: 'QUOTA_EXCEEDED',
+    // Currently only 5 second factors can be set on the same user.
+    SECOND_FACTOR_LIMIT_EXCEEDED: 'SECOND_FACTOR_LIMIT_EXCEEDED',
+    // Tenant not found.
+    TENANT_NOT_FOUND: 'TENANT_NOT_FOUND',
+    // Tenant ID mismatch.
+    TENANT_ID_MISMATCH: 'MISMATCHING_TENANT_ID',
+    // Token expired error.
+    TOKEN_EXPIRED: 'ID_TOKEN_EXPIRED',
+    // Continue URL provided in ActionCodeSettings has a domain that is not whitelisted.
+    UNAUTHORIZED_DOMAIN: 'UNAUTHORIZED_DOMAIN',
+    // A multi-factor user requires a supported first factor.
+    UNSUPPORTED_FIRST_FACTOR: 'UNSUPPORTED_FIRST_FACTOR',
+    // The request specified an unsupported type of second factor.
+    UNSUPPORTED_SECOND_FACTOR: 'UNSUPPORTED_SECOND_FACTOR',
+    // Operation is not supported in a multi-tenant context.
+    UNSUPPORTED_TENANT_OPERATION: 'UNSUPPORTED_TENANT_OPERATION',
+    // A verified email is required for the specified action. For example a multi-factor user
+    // requires a verified email.
+    UNVERIFIED_EMAIL: 'UNVERIFIED_EMAIL',
+    // User on which action is to be performed is not found.
+    USER_NOT_FOUND: 'USER_NOT_FOUND',
+    // User record is disabled.
+    USER_DISABLED: 'USER_DISABLED',
+    // Password provided is too weak.
+    WEAK_PASSWORD: 'INVALID_PASSWORD',
+    // Unrecognized reCAPTCHA action.
+    INVALID_RECAPTCHA_ACTION: 'INVALID_RECAPTCHA_ACTION',
+    // Unrecognized reCAPTCHA enforcement state.
+    INVALID_RECAPTCHA_ENFORCEMENT_STATE: 'INVALID_RECAPTCHA_ENFORCEMENT_STATE',
+    // reCAPTCHA is not enabled for account defender.
+    RECAPTCHA_NOT_ENABLED: 'RECAPTCHA_NOT_ENABLED'
+};
+/**
+ * Firebase Auth error code structure. This extends `FirebaseError`.
+ */
+class FirebaseAuthError extends error_1.FirebaseError {
+    /**
+     * Creates the developer-facing error corresponding to the backend error code.
+     *
+     * @param serverErrorCode - The server error code.
+     * @param [message] The error message. The default message is used
+     *     if not provided.
+     * @param [serverError] The error's raw server response.
+     * @returns The corresponding developer-facing error.
+     * @internal
+     */
+    static fromServerError(serverErrorCode, message, serverError) {
+        // serverErrorCode could contain additional details:
+        // ERROR_CODE : Detailed message which can also contain colons
+        const colonSeparator = (serverErrorCode || '').indexOf(':');
+        let customMessage = null;
+        if (colonSeparator !== -1) {
+            customMessage = serverErrorCode.substring(colonSeparator + 1).trim();
+            serverErrorCode = serverErrorCode.substring(0, colonSeparator).trim();
+        }
+        // If not found, default to internal error.
+        const clientCodeKey = AUTH_SERVER_TO_CLIENT_CODE[serverErrorCode] || 'INTERNAL_ERROR';
+        const error = (0, deep_copy_1.deepCopy)(exports.authClientErrorCode[clientCodeKey]);
+        // Server detailed message should have highest priority.
+        error.message = customMessage || message || error.message;
+        error.cause = serverError;
+        error.httpResponse = serverError?.response ? (0, error_1.toHttpResponse)(serverError.response) : undefined;
+        return new FirebaseAuthError(error);
+    }
+    /**
+     * @param info - The error code info.
+     * @param message - The error message. This will override the default message if provided.
+     */
+    constructor(info, message) {
+        // Override default message if custom message provided.
+        super({
+            code: `auth/${info.code}`,
+            message: message || info.message,
+            httpResponse: info.httpResponse,
+            cause: info.cause,
+        });
+        /** @internal */
+        this.codePrefix = 'auth';
+    }
+}
+exports.FirebaseAuthError = FirebaseAuthError;