firebase-admin 9.100.0-alpha.0 → 10.0.2

package/lib/auth/base-auth.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.100.0-alpha.0 */
+/*! firebase-admin v10.0.2 */
 "use strict";
 /*!
  * Copyright 2021 Google Inc.
@@ -16,8 +16,9 @@
  * limitations under the License.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.BaseAuth = void 0;
+exports.BaseAuth = exports.createFirebaseTokenGenerator = void 0;
 var error_1 = require("../utils/error");
+var deep_copy_1 = require("../utils/deep-copy");
 var validator = require("../utils/validator");
 var auth_api_request_1 = require("./auth-api-request");
 var token_generator_1 = require("./token-generator");
@@ -25,6 +26,20 @@ var token_verifier_1 = require("./token-verifier");
 var auth_config_1 = require("./auth-config");
 var user_record_1 = require("./user-record");
 var identifier_1 = require("./identifier");
+var crypto_signer_1 = require("../utils/crypto-signer");
+/**
+ * @internal
+ */
+function createFirebaseTokenGenerator(app, tenantId) {
+    try {
+        var signer = auth_api_request_1.useEmulator() ? new token_generator_1.EmulatedSigner() : crypto_signer_1.cryptoSignerFromApp(app);
+        return new token_generator_1.FirebaseTokenGenerator(signer, tenantId);
+    }
+    catch (err) {
+        throw token_generator_1.handleCryptoSignerError(err);
+    }
+}
+exports.createFirebaseTokenGenerator = createFirebaseTokenGenerator;
 /**
  * Common parent interface for both `Auth` and `TenantAwareAuth` APIs.
  */
@@ -32,9 +47,9 @@ var BaseAuth = /** @class */ (function () {
     /**
      * The BaseAuth class constructor.
      *
-     * @param app The FirebaseApp to associate with this Auth instance.
-     * @param authRequestHandler The RPC request handler for this instance.
-     * @param tokenGenerator Optional token generator. If not specified, a
+     * @param app - The FirebaseApp to associate with this Auth instance.
+     * @param authRequestHandler - The RPC request handler for this instance.
+     * @param tokenGenerator - Optional token generator. If not specified, a
      *     (non-tenant-aware) instance will be created. Use this paramter to
      *     specify a tenant-aware tokenGenerator.
      * @constructor
@@ -47,8 +62,7 @@ var BaseAuth = /** @class */ (function () {
             this.tokenGenerator = tokenGenerator;
         }
         else {
-            var cryptoSigner = auth_api_request_1.useEmulator() ? new token_generator_1.EmulatedSigner() : token_generator_1.cryptoSignerFromApp(app);
-            this.tokenGenerator = new token_generator_1.FirebaseTokenGenerator(cryptoSigner);
+            this.tokenGenerator = createFirebaseTokenGenerator(app);
         }
         this.sessionCookieVerifier = token_verifier_1.createSessionCookieVerifier(app);
         this.idTokenVerifier = token_verifier_1.createIdTokenVerifier(app);
@@ -59,14 +73,14 @@ var BaseAuth = /** @class */ (function () {
      * methods. (Tenant-aware instances will also embed the tenant ID in the
      * token.)
      *
-     * See [Create Custom Tokens](/docs/auth/admin/create-custom-tokens) for code
-     * samples and detailed documentation.
+     * See {@link https://firebase.google.com/docs/auth/admin/create-custom-tokens | Create Custom Tokens}
+     * for code samples and detailed documentation.
      *
-     * @param uid The `uid` to use as the custom token's subject.
-     * @param developerClaims Optional additional claims to include
+     * @param uid - The `uid` to use as the custom token's subject.
+     * @param developerClaims - Optional additional claims to include
      *   in the custom token's payload.
      *
-     * @return A promise fulfilled with a custom token for the
+     * @returns A promise fulfilled with a custom token for the
      *   provided `uid` and payload.
      */
     BaseAuth.prototype.createCustomToken = function (uid, developerClaims) {
@@ -76,43 +90,48 @@ var BaseAuth = /** @class */ (function () {
      * Verifies a Firebase ID token (JWT). If the token is valid, the promise is
      * fulfilled with the token's decoded claims; otherwise, the promise is
      * rejected.
-     * An optional flag can be passed to additionally check whether the ID token
-     * was revoked.
      *
-     * See [Verify ID Tokens](/docs/auth/admin/verify-id-tokens) for code samples
-     * and detailed documentation.
+     * If `checkRevoked` is set to true, first verifies whether the corresponding
+     * user is disabled. If yes, an `auth/user-disabled` error is thrown. If no,
+     * verifies if the session corresponding to the ID token was revoked. If the
+     * corresponding user's session was invalidated, an `auth/id-token-revoked`
+     * error is thrown. If not specified the check is not applied.
      *
-     * @param idToken The ID token to verify.
-     * @param checkRevoked Whether to check if the ID token was revoked.
+     * See {@link https://firebase.google.com/docs/auth/admin/verify-id-tokens | Verify ID Tokens}
+     * for code samples and detailed documentation.
+     *
+     * @param idToken - The ID token to verify.
+     * @param checkRevoked - Whether to check if the ID token was revoked.
      *   This requires an extra request to the Firebase Auth backend to check
      *   the `tokensValidAfterTime` time for the corresponding user.
      *   When not specified, this additional check is not applied.
      *
-     * @return A promise fulfilled with the
+     * @returns A promise fulfilled with the
      *   token's decoded claims if the ID token is valid; otherwise, a rejected
      *   promise.
      */
     BaseAuth.prototype.verifyIdToken = function (idToken, checkRevoked) {
         var _this = this;
         if (checkRevoked === void 0) { checkRevoked = false; }
-        return this.idTokenVerifier.verifyJWT(idToken)
+        var isEmulator = auth_api_request_1.useEmulator();
+        return this.idTokenVerifier.verifyJWT(idToken, isEmulator)
             .then(function (decodedIdToken) {
             // Whether to check if the token was revoked.
-            if (!checkRevoked) {
-                return decodedIdToken;
+            if (checkRevoked || isEmulator) {
+                return _this.verifyDecodedJWTNotRevokedOrDisabled(decodedIdToken, error_1.AuthClientErrorCode.ID_TOKEN_REVOKED);
             }
-            return _this.verifyDecodedJWTNotRevoked(decodedIdToken, error_1.AuthClientErrorCode.ID_TOKEN_REVOKED);
+            return decodedIdToken;
         });
     };
     /**
      * Gets the user data for the user corresponding to a given `uid`.
      *
-     * See [Retrieve user data](/docs/auth/admin/manage-users#retrieve_user_data)
+     * See {@link https://firebase.google.com/docs/auth/admin/manage-users#retrieve_user_data | Retrieve user data}
      * for code samples and detailed documentation.
      *
-     * @param uid The `uid` corresponding to the user whose data to fetch.
+     * @param uid - The `uid` corresponding to the user whose data to fetch.
      *
-     * @return A promise fulfilled with the user
+     * @returns A promise fulfilled with the user
      *   data corresponding to the provided `uid`.
      */
     BaseAuth.prototype.getUser = function (uid) {
@@ -125,13 +144,13 @@ var BaseAuth = /** @class */ (function () {
     /**
      * Gets the user data for the user corresponding to a given email.
      *
-     * See [Retrieve user data](/docs/auth/admin/manage-users#retrieve_user_data)
+     * See {@link https://firebase.google.com/docs/auth/admin/manage-users#retrieve_user_data | Retrieve user data}
      * for code samples and detailed documentation.
      *
-     * @param email The email corresponding to the user whose data to
+     * @param email - The email corresponding to the user whose data to
      *   fetch.
      *
-     * @return A promise fulfilled with the user
+     * @returns A promise fulfilled with the user
      *   data corresponding to the provided email.
      */
     BaseAuth.prototype.getUserByEmail = function (email) {
@@ -145,13 +164,13 @@ var BaseAuth = /** @class */ (function () {
      * Gets the user data for the user corresponding to a given phone number. The
      * phone number has to conform to the E.164 specification.
      *
-     * See [Retrieve user data](/docs/auth/admin/manage-users#retrieve_user_data)
+     * See {@link https://firebase.google.com/docs/auth/admin/manage-users#retrieve_user_data | Retrieve user data}
      * for code samples and detailed documentation.
      *
-     * @param phoneNumber The phone number corresponding to the user whose
+     * @param phoneNumber - The phone number corresponding to the user whose
      *   data to fetch.
      *
-     * @return A promise fulfilled with the user
+     * @returns A promise fulfilled with the user
      *   data corresponding to the provided phone number.
      */
     BaseAuth.prototype.getUserByPhoneNumber = function (phoneNumber) {
@@ -161,6 +180,35 @@ var BaseAuth = /** @class */ (function () {
             return new user_record_1.UserRecord(response.users[0]);
         });
     };
+    /**
+     * Gets the user data for the user corresponding to a given provider id.
+     *
+     * See {@link https://firebase.google.com/docs/auth/admin/manage-users#retrieve_user_data | Retrieve user data}
+     * for code samples and detailed documentation.
+     *
+     * @param providerId - The provider ID, for example, "google.com" for the
+     *   Google provider.
+     * @param uid - The user identifier for the given provider.
+     *
+     * @returns A promise fulfilled with the user data corresponding to the
+     *   given provider id.
+     */
+    BaseAuth.prototype.getUserByProviderUid = function (providerId, uid) {
+        // Although we don't really advertise it, we want to also handle
+        // non-federated idps with this call. So if we detect one of them, we'll
+        // reroute this request appropriately.
+        if (providerId === 'phone') {
+            return this.getUserByPhoneNumber(uid);
+        }
+        else if (providerId === 'email') {
+            return this.getUserByEmail(uid);
+        }
+        return this.authRequestHandler.getAccountInfoByFederatedUid(providerId, uid)
+            .then(function (response) {
+            // Returns the user record populated with server response.
+            return new user_record_1.UserRecord(response.users[0]);
+        });
+    };
     /**
      * Gets the user data corresponding to the specified identifiers.
      *
@@ -170,9 +218,9 @@ var BaseAuth = /** @class */ (function () {
      * Only a maximum of 100 identifiers may be supplied. If more than 100 identifiers are supplied,
      * this method throws a FirebaseAuthError.
      *
-     * @param identifiers The identifiers used to indicate which user records should be returned.
-     *     Must have <= 100 entries.
-     * @return {Promise<GetUsersResult>} A promise that resolves to the corresponding user records.
+     * @param identifiers - The identifiers used to indicate which user records should be returned.
+     *     Must not have more than 100 entries.
+     * @returns A promise that resolves to the corresponding user records.
      * @throws FirebaseAuthError If any of the identifiers are invalid or if more than 100
      *     identifiers are specified.
      */
@@ -219,14 +267,14 @@ var BaseAuth = /** @class */ (function () {
      * starting from the offset as specified by `pageToken`. This is used to
      * retrieve all the users of a specified project in batches.
      *
-     * See [List all users](/docs/auth/admin/manage-users#list_all_users)
+     * See {@link https://firebase.google.com/docs/auth/admin/manage-users#list_all_users | List all users}
      * for code samples and detailed documentation.
      *
-     * @param maxResults The page size, 1000 if undefined. This is also
+     * @param maxResults - The page size, 1000 if undefined. This is also
      *   the maximum allowed limit.
-     * @param pageToken The next page token. If not specified, returns
+     * @param pageToken - The next page token. If not specified, returns
      *   users starting without any offset.
-     * @return A promise that resolves with
+     * @returns A promise that resolves with
      *   the current batch of downloaded users and the next page token.
      */
     BaseAuth.prototype.listUsers = function (maxResults, pageToken) {
@@ -253,13 +301,13 @@ var BaseAuth = /** @class */ (function () {
     /**
      * Creates a new user.
      *
-     * See [Create a user](/docs/auth/admin/manage-users#create_a_user) for code
-     * samples and detailed documentation.
+     * See {@link https://firebase.google.com/docs/auth/admin/manage-users#create_a_user | Create a user}
+     * for code samples and detailed documentation.
      *
-     * @param properties The properties to set on the
+     * @param properties - The properties to set on the
      *   new user record to be created.
      *
-     * @return A promise fulfilled with the user
+     * @returns A promise fulfilled with the user
      *   data corresponding to the newly created user.
      */
     BaseAuth.prototype.createUser = function (properties) {
@@ -280,12 +328,12 @@ var BaseAuth = /** @class */ (function () {
     /**
      * Deletes an existing user.
      *
-     * See [Delete a user](/docs/auth/admin/manage-users#delete_a_user) for code
-     * samples and detailed documentation.
+     * See {@link https://firebase.google.com/docs/auth/admin/manage-users#delete_a_user | Delete a user}
+     * for code samples and detailed documentation.
      *
-     * @param uid The `uid` corresponding to the user to delete.
+     * @param uid - The `uid` corresponding to the user to delete.
      *
-     * @return An empty promise fulfilled once the user has been
+     * @returns An empty promise fulfilled once the user has been
      *   deleted.
      */
     BaseAuth.prototype.deleteUser = function (uid) {
@@ -310,9 +358,9 @@ var BaseAuth = /** @class */ (function () {
      * delete more than 1000 users, you may need to add a delay to ensure you
      * don't go over this limit.
      *
-     * @param uids The `uids` corresponding to the users to delete.
+     * @param uids - The `uids` corresponding to the users to delete.
      *
-     * @return A Promise that resolves to the total number of successful/failed
+     * @returns A Promise that resolves to the total number of successful/failed
      *     deletions, as well as the array of errors that corresponds to the
      *     failed deletions.
      */
@@ -354,18 +402,55 @@ var BaseAuth = /** @class */ (function () {
     /**
      * Updates an existing user.
      *
-     * See [Update a user](/docs/auth/admin/manage-users#update_a_user) for code
-     * samples and detailed documentation.
+     * See {@link https://firebase.google.com/docs/auth/admin/manage-users#update_a_user | Update a user}
+     * for code samples and detailed documentation.
      *
-     * @param uid The `uid` corresponding to the user to update.
-     * @param properties The properties to update on
+     * @param uid - The `uid` corresponding to the user to update.
+     * @param properties - The properties to update on
      *   the provided user.
      *
-     * @return A promise fulfilled with the
+     * @returns A promise fulfilled with the
      *   updated user data.
      */
     BaseAuth.prototype.updateUser = function (uid, properties) {
         var _this = this;
+        // Although we don't really advertise it, we want to also handle linking of
+        // non-federated idps with this call. So if we detect one of them, we'll
+        // adjust the properties parameter appropriately. This *does* imply that a
+        // conflict could arise, e.g. if the user provides a phoneNumber property,
+        // but also provides a providerToLink with a 'phone' provider id. In that
+        // case, we'll throw an error.
+        properties = deep_copy_1.deepCopy(properties);
+        if (properties === null || properties === void 0 ? void 0 : properties.providerToLink) {
+            if (properties.providerToLink.providerId === 'email') {
+                if (typeof properties.email !== 'undefined') {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "Both UpdateRequest.email and UpdateRequest.providerToLink.providerId='email' were set. To "
+                        + 'link to the email/password provider, only specify the UpdateRequest.email field.');
+                }
+                properties.email = properties.providerToLink.uid;
+                delete properties.providerToLink;
+            }
+            else if (properties.providerToLink.providerId === 'phone') {
+                if (typeof properties.phoneNumber !== 'undefined') {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "Both UpdateRequest.phoneNumber and UpdateRequest.providerToLink.providerId='phone' were set. To "
+                        + 'link to a phone provider, only specify the UpdateRequest.phoneNumber field.');
+                }
+                properties.phoneNumber = properties.providerToLink.uid;
+                delete properties.providerToLink;
+            }
+        }
+        if (properties === null || properties === void 0 ? void 0 : properties.providersToUnlink) {
+            if (properties.providersToUnlink.indexOf('phone') !== -1) {
+                // If we've been told to unlink the phone provider both via setting
+                // phoneNumber to null *and* by setting providersToUnlink to include
+                // 'phone', then we'll reject that. Though it might also be reasonable
+                // to relax this restriction and just unlink it.
+                if (properties.phoneNumber === null) {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "Both UpdateRequest.phoneNumber=null and UpdateRequest.providersToUnlink=['phone'] were set. To "
+                        + 'unlink from a phone provider, only specify the UpdateRequest.phoneNumber=null field.');
+                }
+            }
+        }
         return this.authRequestHandler.updateExistingAccount(uid, properties)
             .then(function (existingUid) {
             // Return the corresponding user record.
@@ -381,18 +466,18 @@ var BaseAuth = /** @class */ (function () {
      * is used (sub, iat, iss, etc), an error is thrown. They are set on the
      * authenticated user's ID token JWT.
      *
-     * See
-     * [Defining user roles and access levels](/docs/auth/admin/custom-claims)
+     * See {@link https://firebase.google.com/docs/auth/admin/custom-claims |
+     * Defining user roles and access levels}
      * for code samples and detailed documentation.
      *
-     * @param uid The `uid` of the user to edit.
-     * @param customUserClaims The developer claims to set. If null is
+     * @param uid - The `uid` of the user to edit.
+     * @param customUserClaims - The developer claims to set. If null is
      *   passed, existing custom claims are deleted. Passing a custom claims payload
      *   larger than 1000 bytes will throw an error. Custom claims are added to the
      *   user's ID token which is transmitted on every authenticated request.
      *   For profile non-access related user attributes, use database or other
      *   separate storage systems.
-     * @return A promise that resolves when the operation completes
+     * @returns A promise that resolves when the operation completes
      *   successfully.
      */
     BaseAuth.prototype.setCustomUserClaims = function (uid, customUserClaims) {
@@ -404,22 +489,20 @@ var BaseAuth = /** @class */ (function () {
     /**
      * Revokes all refresh tokens for an existing user.
      *
-     * This API will update the user's
-     * {@link auth.UserRecord.tokensValidAfterTime `tokensValidAfterTime`} to
+     * This API will update the user's {@link UserRecord.tokensValidAfterTime} to
      * the current UTC. It is important that the server on which this is called has
      * its clock set correctly and synchronized.
      *
      * While this will revoke all sessions for a specified user and disable any
      * new ID tokens for existing sessions from getting minted, existing ID tokens
      * may remain active until their natural expiration (one hour). To verify that
-     * ID tokens are revoked, use
-     * {@link auth.Auth.verifyIdToken `verifyIdToken(idToken, true)`}
+     * ID tokens are revoked, use {@link BaseAuth.verifyIdToken}
      * where `checkRevoked` is set to true.
      *
-     * @param uid The `uid` corresponding to the user whose refresh tokens
+     * @param uid - The `uid` corresponding to the user whose refresh tokens
      *   are to be revoked.
      *
-     * @return An empty promise fulfilled once the user's refresh
+     * @returns An empty promise fulfilled once the user's refresh
      *   tokens have been revoked.
      */
     BaseAuth.prototype.revokeRefreshTokens = function (uid) {
@@ -432,15 +515,15 @@ var BaseAuth = /** @class */ (function () {
      * Imports the provided list of users into Firebase Auth.
      * A maximum of 1000 users are allowed to be imported one at a time.
      * When importing users with passwords,
-     * {@link auth.UserImportOptions `UserImportOptions`} are required to be
+     * {@link UserImportOptions} are required to be
      * specified.
      * This operation is optimized for bulk imports and will ignore checks on `uid`,
      * `email` and other identifier uniqueness which could result in duplications.
      *
-     * @param users The list of user records to import to Firebase Auth.
-     * @param options The user import options, required when the users provided include
+     * @param users - The list of user records to import to Firebase Auth.
+     * @param options - The user import options, required when the users provided include
      *   password credentials.
-     * @return A promise that resolves when
+     * @returns A promise that resolves when
      *   the operation completes with the result of the import. This includes the
      *   number of successful imports, the number of failed imports and their
      *   corresponding errors.
@@ -454,15 +537,15 @@ var BaseAuth = /** @class */ (function () {
      * policy, and be used for session management. The session cookie JWT will have
      * the same payload claims as the provided ID token.
      *
-     * See [Manage Session Cookies](/docs/auth/admin/manage-cookies) for code
-     * samples and detailed documentation.
+     * See {@link https://firebase.google.com/docs/auth/admin/manage-cookies | Manage Session Cookies}
+     * for code samples and detailed documentation.
      *
-     * @param idToken The Firebase ID token to exchange for a session
+     * @param idToken - The Firebase ID token to exchange for a session
      *   cookie.
-     * @param sessionCookieOptions The session
+     * @param sessionCookieOptions - The session
      *   cookie options which includes custom session duration.
      *
-     * @return A promise that resolves on success with the
+     * @returns A promise that resolves on success with the
      *   created session cookie.
      */
     BaseAuth.prototype.createSessionCookie = function (idToken, sessionCookieOptions) {
@@ -475,41 +558,46 @@ var BaseAuth = /** @class */ (function () {
     };
     /**
      * Verifies a Firebase session cookie. Returns a Promise with the cookie claims.
-     * Rejects the promise if the cookie could not be verified. If `checkRevoked` is
-     * set to true, verifies if the session corresponding to the session cookie was
-     * revoked. If the corresponding user's session was revoked, an
-     * `auth/session-cookie-revoked` error is thrown. If not specified the check is
-     * not performed.
+     * Rejects the promise if the cookie could not be verified.
      *
-     * See [Verify Session Cookies](/docs/auth/admin/manage-cookies#verify_session_cookie_and_check_permissions)
+     * If `checkRevoked` is set to true, first verifies whether the corresponding
+     * user is disabled: If yes, an `auth/user-disabled` error is thrown. If no,
+     * verifies if the session corresponding to the session cookie was revoked.
+     * If the corresponding user's session was invalidated, an
+     * `auth/session-cookie-revoked` error is thrown. If not specified the check
+     * is not performed.
+     *
+     * See {@link https://firebase.google.com/docs/auth/admin/manage-cookies#verify_session_cookie_and_check_permissions |
+     * Verify Session Cookies}
      * for code samples and detailed documentation
      *
-     * @param sessionCookie The session cookie to verify.
-     * @param checkForRevocation  Whether to check if the session cookie was
+     * @param sessionCookie - The session cookie to verify.
+     * @param checkForRevocation -  Whether to check if the session cookie was
      *   revoked. This requires an extra request to the Firebase Auth backend to
      *   check the `tokensValidAfterTime` time for the corresponding user.
      *   When not specified, this additional check is not performed.
      *
-     * @return A promise fulfilled with the
+     * @returns A promise fulfilled with the
      *   session cookie's decoded claims if the session cookie is valid; otherwise,
      *   a rejected promise.
      */
     BaseAuth.prototype.verifySessionCookie = function (sessionCookie, checkRevoked) {
         var _this = this;
         if (checkRevoked === void 0) { checkRevoked = false; }
-        return this.sessionCookieVerifier.verifyJWT(sessionCookie)
+        var isEmulator = auth_api_request_1.useEmulator();
+        return this.sessionCookieVerifier.verifyJWT(sessionCookie, isEmulator)
             .then(function (decodedIdToken) {
             // Whether to check if the token was revoked.
-            if (!checkRevoked) {
-                return decodedIdToken;
+            if (checkRevoked || isEmulator) {
+                return _this.verifyDecodedJWTNotRevokedOrDisabled(decodedIdToken, error_1.AuthClientErrorCode.SESSION_COOKIE_REVOKED);
             }
-            return _this.verifyDecodedJWTNotRevoked(decodedIdToken, error_1.AuthClientErrorCode.SESSION_COOKIE_REVOKED);
+            return decodedIdToken;
         });
     };
     /**
      * Generates the out of band email action link to reset a user's password.
      * The link is generated for the user with the specified email address. The
-     * optional  {@link auth.ActionCodeSettings `ActionCodeSettings`} object
+     * optional  {@link ActionCodeSettings} object
      * defines whether the link is to be handled by a mobile app or browser and the
      * additional state information to be passed in the deep link, etc.
      *
@@ -538,9 +626,9 @@ var BaseAuth = /** @class */ (function () {
      *     });
      * ```
      *
-     * @param email The email address of the user whose password is to be
+     * @param email - The email address of the user whose password is to be
      *   reset.
-     * @param actionCodeSettings The action
+     * @param actionCodeSettings - The action
      *     code settings. If specified, the state/continue URL is set as the
      *     "continueUrl" parameter in the password reset link. The default password
      *     reset landing page will use this to display a link to go back to the app
@@ -553,15 +641,14 @@ var BaseAuth = /** @class */ (function () {
      *     and accepts the Firebase Dynamic Links terms of service.
      *     The Android package name and iOS bundle ID are respected only if they
      *     are configured in the same Firebase Auth project.
-     * @return A promise that resolves with the generated link.
+     * @returns A promise that resolves with the generated link.
      */
     BaseAuth.prototype.generatePasswordResetLink = function (email, actionCodeSettings) {
         return this.authRequestHandler.getEmailActionLink('PASSWORD_RESET', email, actionCodeSettings);
     };
     /**
      * Generates the out of band email action link to verify the user's ownership
-     * of the specified email. The
-     * {@link auth.ActionCodeSettings `ActionCodeSettings`} object provided
+     * of the specified email. The {@link ActionCodeSettings} object provided
      * as an argument to this method defines whether the link is to be handled by a
      * mobile app or browser along with additional state information to be passed in
      * the deep link, etc.
@@ -591,8 +678,8 @@ var BaseAuth = /** @class */ (function () {
      *     });
      * ```
      *
-     * @param email The email account to verify.
-     * @param actionCodeSettings The action
+     * @param email - The email account to verify.
+     * @param actionCodeSettings - The action
      *     code settings. If specified, the state/continue URL is set as the
      *     "continueUrl" parameter in the email verification link. The default email
      *     verification landing page will use this to display a link to go back to
@@ -605,15 +692,14 @@ var BaseAuth = /** @class */ (function () {
      *     and accepts the Firebase Dynamic Links terms of service.
      *     The Android package name and iOS bundle ID are respected only if they
      *     are configured in the same Firebase Auth project.
-     * @return A promise that resolves with the generated link.
+     * @returns A promise that resolves with the generated link.
      */
     BaseAuth.prototype.generateEmailVerificationLink = function (email, actionCodeSettings) {
         return this.authRequestHandler.getEmailActionLink('VERIFY_EMAIL', email, actionCodeSettings);
     };
     /**
      * Generates the out of band email action link to verify the user's ownership
-     * of the specified email. The
-     * {@link auth.ActionCodeSettings `ActionCodeSettings`} object provided
+     * of the specified email. The {@link ActionCodeSettings} object provided
      * as an argument to this method defines whether the link is to be handled by a
      * mobile app or browser along with additional state information to be passed in
      * the deep link, etc.
@@ -643,8 +729,8 @@ var BaseAuth = /** @class */ (function () {
      *     });
      * ```
      *
-     * @param email The email account to verify.
-     * @param actionCodeSettings The action
+     * @param email - The email account to verify.
+     * @param actionCodeSettings - The action
      *     code settings. If specified, the state/continue URL is set as the
      *     "continueUrl" parameter in the email verification link. The default email
      *     verification landing page will use this to display a link to go back to
@@ -657,7 +743,7 @@ var BaseAuth = /** @class */ (function () {
      *     and accepts the Firebase Dynamic Links terms of service.
      *     The Android package name and iOS bundle ID are respected only if they
      *     are configured in the same Firebase Auth project.
-     * @return A promise that resolves with the generated link.
+     * @returns A promise that resolves with the generated link.
      */
     BaseAuth.prototype.generateSignInWithEmailLink = function (email, actionCodeSettings) {
         return this.authRequestHandler.getEmailActionLink('EMAIL_SIGNIN', email, actionCodeSettings);
@@ -668,10 +754,10 @@ var BaseAuth = /** @class */ (function () {
      *
      * SAML and OIDC provider support requires Google Cloud's Identity Platform
      * (GCIP). To learn more about GCIP, including pricing and features,
-     * see the [GCIP documentation](https://cloud.google.com/identity-platform).
+     * see the {@link https://cloud.google.com/identity-platform | GCIP documentation}.
      *
-     * @param options The provider config filter to apply.
-     * @return A promise that resolves with the list of provider configs meeting the
+     * @param options - The provider config filter to apply.
+     * @returns A promise that resolves with the list of provider configs meeting the
      *   filter requirements.
      */
     BaseAuth.prototype.listProviderConfigs = function (options) {
@@ -722,11 +808,11 @@ var BaseAuth = /** @class */ (function () {
      *
      * SAML and OIDC provider support requires Google Cloud's Identity Platform
      * (GCIP). To learn more about GCIP, including pricing and features,
-     * see the [GCIP documentation](https://cloud.google.com/identity-platform).
+     * see the {@link https://cloud.google.com/identity-platform | GCIP documentation}.
      *
-     * @param providerId The provider ID corresponding to the provider
+     * @param providerId - The provider ID corresponding to the provider
      *     config to return.
-     * @return A promise that resolves
+     * @returns A promise that resolves
      *     with the configuration corresponding to the provided ID.
      */
     BaseAuth.prototype.getProviderConfig = function (providerId) {
@@ -751,11 +837,11 @@ var BaseAuth = /** @class */ (function () {
      *
      * SAML and OIDC provider support requires Google Cloud's Identity Platform
      * (GCIP). To learn more about GCIP, including pricing and features,
-     * see the [GCIP documentation](https://cloud.google.com/identity-platform).
+     * see the {@link https://cloud.google.com/identity-platform | GCIP documentation}.
      *
-     * @param providerId The provider ID corresponding to the provider
+     * @param providerId - The provider ID corresponding to the provider
      *     config to delete.
-     * @return A promise that resolves on completion.
+     * @returns A promise that resolves on completion.
      */
     BaseAuth.prototype.deleteProviderConfig = function (providerId) {
         if (auth_config_1.OIDCConfig.isProviderId(providerId)) {
@@ -774,12 +860,12 @@ var BaseAuth = /** @class */ (function () {
      *
      * SAML and OIDC provider support requires Google Cloud's Identity Platform
      * (GCIP). To learn more about GCIP, including pricing and features,
-     * see the [GCIP documentation](https://cloud.google.com/identity-platform).
+     * see the {@link https://cloud.google.com/identity-platform | GCIP documentation}.
      *
-     * @param providerId The provider ID corresponding to the provider
+     * @param providerId - The provider ID corresponding to the provider
      *     config to update.
-     * @param updatedConfig The updated configuration.
-     * @return A promise that resolves with the updated provider configuration.
+     * @param updatedConfig - The updated configuration.
+     * @returns A promise that resolves with the updated provider configuration.
      */
     BaseAuth.prototype.updateProviderConfig = function (providerId, updatedConfig) {
         if (!validator.isNonNullObject(updatedConfig)) {
@@ -805,10 +891,10 @@ var BaseAuth = /** @class */ (function () {
      *
      * SAML and OIDC provider support requires Google Cloud's Identity Platform
      * (GCIP). To learn more about GCIP, including pricing and features,
-     * see the [GCIP documentation](https://cloud.google.com/identity-platform).
+     * see the {@link https://cloud.google.com/identity-platform | GCIP documentation}.
      *
-     * @param config The provider configuration to create.
-     * @return A promise that resolves with the created provider configuration.
+     * @param config - The provider configuration to create.
+     * @returns A promise that resolves with the created provider configuration.
      */
     BaseAuth.prototype.createProviderConfig = function (config) {
         if (!validator.isNonNullObject(config)) {
@@ -829,18 +915,22 @@ var BaseAuth = /** @class */ (function () {
         return Promise.reject(new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_PROVIDER_ID));
     };
     /**
-     * Verifies the decoded Firebase issued JWT is not revoked. Returns a promise that resolves
-     * with the decoded claims on success. Rejects the promise with revocation error if revoked.
+     * Verifies the decoded Firebase issued JWT is not revoked or disabled. Returns a promise that
+     * resolves with the decoded claims on success. Rejects the promise with revocation error if revoked
+     * or user disabled.
      *
-     * @param decodedIdToken The JWT's decoded claims.
-     * @param revocationErrorInfo The revocation error info to throw on revocation
+     * @param decodedIdToken - The JWT's decoded claims.
+     * @param revocationErrorInfo - The revocation error info to throw on revocation
      *     detection.
-     * @return A Promise that will be fulfilled after a successful verification.
+     * @returns A promise that will be fulfilled after a successful verification.
      */
-    BaseAuth.prototype.verifyDecodedJWTNotRevoked = function (decodedIdToken, revocationErrorInfo) {
+    BaseAuth.prototype.verifyDecodedJWTNotRevokedOrDisabled = function (decodedIdToken, revocationErrorInfo) {
         // Get tokens valid after time for the corresponding user.
         return this.getUser(decodedIdToken.sub)
             .then(function (user) {
+            if (user.disabled) {
+                throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.USER_DISABLED, 'The user record is disabled.');
+            }
             // If no tokens valid after time available, token is not revoked.
             if (user.tokensValidAfterTime) {
                 // Get the ID token authentication time and convert to milliseconds UTC.
@@ -856,26 +946,6 @@ var BaseAuth = /** @class */ (function () {
             return decodedIdToken;
         });
     };
-    /**
-     * Enable or disable ID token verification. This is used to safely short-circuit token verification with the
-     * Auth emulator. When disabled ONLY unsigned tokens will pass verification, production tokens will not pass.
-     *
-     * WARNING: This is a dangerous method that will compromise your app's security and break your app in
-     * production. Developers should never call this method, it is for internal testing use only.
-     *
-     * @internal
-     */
-    // @ts-expect-error: this method appears unused but is used privately.
-    BaseAuth.prototype.setJwtVerificationEnabled = function (enabled) {
-        if (!enabled && !auth_api_request_1.useEmulator()) {
-            // We only allow verification to be disabled in conjunction with
-            // the emulator environment variable.
-            throw new Error('This method is only available when connected to the Authentication emulator.');
-        }
-        var algorithm = enabled ? token_verifier_1.ALGORITHM_RS256 : 'none';
-        this.idTokenVerifier.setAlgorithm(algorithm);
-        this.sessionCookieVerifier.setAlgorithm(algorithm);
-    };
     return BaseAuth;
 }());
 exports.BaseAuth = BaseAuth;