firebase-admin 9.100.0-alpha.0 → 10.0.2

package/lib/app-check/token-generator.js

@@ -0,0 +1,159 @@
+/*! firebase-admin v10.0.2 */
+"use strict";
+/*!
+ * @license
+ * Copyright 2021 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+var __assign = (this && this.__assign) || function () {
+    __assign = Object.assign || function(t) {
+        for (var s, i = 1, n = arguments.length; i < n; i++) {
+            s = arguments[i];
+            for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p))
+                t[p] = s[p];
+        }
+        return t;
+    };
+    return __assign.apply(this, arguments);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.appCheckErrorFromCryptoSignerError = exports.AppCheckTokenGenerator = void 0;
+var validator = require("../utils/validator");
+var utils_1 = require("../utils");
+var crypto_signer_1 = require("../utils/crypto-signer");
+var app_check_api_client_internal_1 = require("./app-check-api-client-internal");
+var ONE_MINUTE_IN_SECONDS = 60;
+var ONE_MINUTE_IN_MILLIS = ONE_MINUTE_IN_SECONDS * 1000;
+var ONE_DAY_IN_MILLIS = 24 * 60 * 60 * 1000;
+// Audience to use for Firebase App Check Custom tokens
+var FIREBASE_APP_CHECK_AUDIENCE = 'https://firebaseappcheck.googleapis.com/google.firebase.appcheck.v1beta.TokenExchangeService';
+/**
+ * Class for generating Firebase App Check tokens.
+ *
+ * @internal
+ */
+var AppCheckTokenGenerator = /** @class */ (function () {
+    /**
+     * The AppCheckTokenGenerator class constructor.
+     *
+     * @param signer - The CryptoSigner instance for this token generator.
+     * @constructor
+     */
+    function AppCheckTokenGenerator(signer) {
+        if (!validator.isNonNullObject(signer)) {
+            throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', 'INTERNAL ASSERT: Must provide a CryptoSigner to use AppCheckTokenGenerator.');
+        }
+        this.signer = signer;
+    }
+    /**
+     * Creates a new custom token that can be exchanged to an App Check token.
+     *
+     * @param appId - The Application ID to use for the generated token.
+     *
+     * @returns A Promise fulfilled with a custom token signed with a service account key
+     * that can be exchanged to an App Check token.
+     */
+    AppCheckTokenGenerator.prototype.createCustomToken = function (appId, options) {
+        var _this = this;
+        if (!validator.isNonEmptyString(appId)) {
+            throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', '`appId` must be a non-empty string.');
+        }
+        var customOptions = {};
+        if (typeof options !== 'undefined') {
+            customOptions = this.validateTokenOptions(options);
+        }
+        return this.signer.getAccountId().then(function (account) {
+            var header = {
+                alg: _this.signer.algorithm,
+                typ: 'JWT',
+            };
+            var iat = Math.floor(Date.now() / 1000);
+            var body = __assign({ iss: account, sub: account, app_id: appId, aud: FIREBASE_APP_CHECK_AUDIENCE, exp: iat + (ONE_MINUTE_IN_SECONDS * 5), iat: iat }, customOptions);
+            var token = _this.encodeSegment(header) + "." + _this.encodeSegment(body);
+            return _this.signer.sign(Buffer.from(token))
+                .then(function (signature) {
+                return token + "." + _this.encodeSegment(signature);
+            });
+        }).catch(function (err) {
+            throw appCheckErrorFromCryptoSignerError(err);
+        });
+    };
+    AppCheckTokenGenerator.prototype.encodeSegment = function (segment) {
+        var buffer = (segment instanceof Buffer) ? segment : Buffer.from(JSON.stringify(segment));
+        return utils_1.toWebSafeBase64(buffer).replace(/=+$/, '');
+    };
+    /**
+     * Checks if a given `AppCheckTokenOptions` object is valid. If successful, returns an object with
+     * custom properties.
+     *
+     * @param options - An options object to be validated.
+     * @returns A custom object with ttl converted to protobuf Duration string format.
+     */
+    AppCheckTokenGenerator.prototype.validateTokenOptions = function (options) {
+        if (!validator.isNonNullObject(options)) {
+            throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', 'AppCheckTokenOptions must be a non-null object.');
+        }
+        if (typeof options.ttlMillis !== 'undefined') {
+            if (!validator.isNumber(options.ttlMillis)) {
+                throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', 'ttlMillis must be a duration in milliseconds.');
+            }
+            // ttlMillis must be between 30 minutes and 7 days (inclusive)
+            if (options.ttlMillis < (ONE_MINUTE_IN_MILLIS * 30) || options.ttlMillis > (ONE_DAY_IN_MILLIS * 7)) {
+                throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', 'ttlMillis must be a duration in milliseconds between 30 minutes and 7 days (inclusive).');
+            }
+            return { ttl: utils_1.transformMillisecondsToSecondsString(options.ttlMillis) };
+        }
+        return {};
+    };
+    return AppCheckTokenGenerator;
+}());
+exports.AppCheckTokenGenerator = AppCheckTokenGenerator;
+/**
+ * Creates a new `FirebaseAppCheckError` by extracting the error code, message and other relevant
+ * details from a `CryptoSignerError`.
+ *
+ * @param err - The Error to convert into a `FirebaseAppCheckError` error
+ * @returns A Firebase App Check error that can be returned to the user.
+ */
+function appCheckErrorFromCryptoSignerError(err) {
+    if (!(err instanceof crypto_signer_1.CryptoSignerError)) {
+        return err;
+    }
+    if (err.code === crypto_signer_1.CryptoSignerErrorCode.SERVER_ERROR && validator.isNonNullObject(err.cause)) {
+        var httpError = err.cause;
+        var errorResponse = httpError.response.data;
+        if (errorResponse === null || errorResponse === void 0 ? void 0 : errorResponse.error) {
+            var status = errorResponse.error.status;
+            var description = errorResponse.error.message || JSON.stringify(httpError.response);
+            var code = 'unknown-error';
+            if (status && status in app_check_api_client_internal_1.APP_CHECK_ERROR_CODE_MAPPING) {
+                code = app_check_api_client_internal_1.APP_CHECK_ERROR_CODE_MAPPING[status];
+            }
+            return new app_check_api_client_internal_1.FirebaseAppCheckError(code, "Error returned from server while signing a custom token: " + description);
+        }
+        return new app_check_api_client_internal_1.FirebaseAppCheckError('internal-error', 'Error returned from server: ' + JSON.stringify(errorResponse) + '.');
+    }
+    return new app_check_api_client_internal_1.FirebaseAppCheckError(mapToAppCheckErrorCode(err.code), err.message);
+}
+exports.appCheckErrorFromCryptoSignerError = appCheckErrorFromCryptoSignerError;
+function mapToAppCheckErrorCode(code) {
+    switch (code) {
+        case crypto_signer_1.CryptoSignerErrorCode.INVALID_CREDENTIAL:
+            return 'invalid-credential';
+        case crypto_signer_1.CryptoSignerErrorCode.INVALID_ARGUMENT:
+            return 'invalid-argument';
+        default:
+            return 'internal-error';
+    }
+}

package/lib/app-check/token-verifier.d.ts

@@ -0,0 +1,17 @@
+/*! firebase-admin v10.0.2 */
+/*!
+ * Copyright 2021 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+export {};

package/lib/app-check/token-verifier.js

@@ -0,0 +1,151 @@
+/*! firebase-admin v10.0.2 */
+"use strict";
+/*!
+ * Copyright 2021 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AppCheckTokenVerifier = void 0;
+var validator = require("../utils/validator");
+var util = require("../utils/index");
+var app_check_api_client_internal_1 = require("./app-check-api-client-internal");
+var jwt_1 = require("../utils/jwt");
+var APP_CHECK_ISSUER = 'https://firebaseappcheck.googleapis.com/';
+var JWKS_URL = 'https://firebaseappcheck.googleapis.com/v1beta/jwks';
+/**
+ * Class for verifying Firebase App Check tokens.
+ *
+ * @internal
+ */
+var AppCheckTokenVerifier = /** @class */ (function () {
+    function AppCheckTokenVerifier(app) {
+        this.app = app;
+        this.signatureVerifier = jwt_1.PublicKeySignatureVerifier.withJwksUrl(JWKS_URL);
+    }
+    /**
+     * Verifies the format and signature of a Firebase App Check token.
+     *
+     * @param token - The Firebase Auth JWT token to verify.
+     * @returns A promise fulfilled with the decoded claims of the Firebase App Check token.
+     */
+    AppCheckTokenVerifier.prototype.verifyToken = function (token) {
+        var _this = this;
+        if (!validator.isString(token)) {
+            throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', 'App check token must be a non-null string.');
+        }
+        return this.ensureProjectId()
+            .then(function (projectId) {
+            return _this.decodeAndVerify(token, projectId);
+        })
+            .then(function (decoded) {
+            var decodedAppCheckToken = decoded.payload;
+            decodedAppCheckToken.app_id = decodedAppCheckToken.sub;
+            return decodedAppCheckToken;
+        });
+    };
+    AppCheckTokenVerifier.prototype.ensureProjectId = function () {
+        return util.findProjectId(this.app)
+            .then(function (projectId) {
+            if (!validator.isNonEmptyString(projectId)) {
+                throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-credential', 'Must initialize app with a cert credential or set your Firebase project ID as the ' +
+                    'GOOGLE_CLOUD_PROJECT environment variable to verify an App Check token.');
+            }
+            return projectId;
+        });
+    };
+    AppCheckTokenVerifier.prototype.decodeAndVerify = function (token, projectId) {
+        var _this = this;
+        return this.safeDecode(token)
+            .then(function (decodedToken) {
+            _this.verifyContent(decodedToken, projectId);
+            return _this.verifySignature(token)
+                .then(function () { return decodedToken; });
+        });
+    };
+    AppCheckTokenVerifier.prototype.safeDecode = function (jwtToken) {
+        return jwt_1.decodeJwt(jwtToken)
+            .catch(function () {
+            var errorMessage = 'Decoding App Check token failed. Make sure you passed ' +
+                'the entire string JWT which represents the Firebase App Check token.';
+            throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', errorMessage);
+        });
+    };
+    /**
+     * Verifies the content of a Firebase App Check JWT.
+     *
+     * @param fullDecodedToken - The decoded JWT.
+     * @param projectId - The Firebase Project Id.
+     */
+    AppCheckTokenVerifier.prototype.verifyContent = function (fullDecodedToken, projectId) {
+        var header = fullDecodedToken.header;
+        var payload = fullDecodedToken.payload;
+        var projectIdMatchMessage = ' Make sure the App Check token comes from the same ' +
+            'Firebase project as the service account used to authenticate this SDK.';
+        var scopedProjectId = "projects/" + projectId;
+        var errorMessage;
+        if (header.alg !== jwt_1.ALGORITHM_RS256) {
+            errorMessage = 'The provided App Check token has incorrect algorithm. Expected "' +
+                jwt_1.ALGORITHM_RS256 + '" but got ' + '"' + header.alg + '".';
+        }
+        else if (!validator.isNonEmptyArray(payload.aud) || !payload.aud.includes(scopedProjectId)) {
+            errorMessage = 'The provided App Check token has incorrect "aud" (audience) claim. Expected "' +
+                scopedProjectId + '" but got "' + payload.aud + '".' + projectIdMatchMessage;
+        }
+        else if (typeof payload.iss !== 'string' || !payload.iss.startsWith(APP_CHECK_ISSUER)) {
+            errorMessage = 'The provided App Check token has incorrect "iss" (issuer) claim.';
+        }
+        else if (typeof payload.sub !== 'string') {
+            errorMessage = 'The provided App Check token has no "sub" (subject) claim.';
+        }
+        else if (payload.sub === '') {
+            errorMessage = 'The provided App Check token has an empty string "sub" (subject) claim.';
+        }
+        if (errorMessage) {
+            throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', errorMessage);
+        }
+    };
+    AppCheckTokenVerifier.prototype.verifySignature = function (jwtToken) {
+        var _this = this;
+        return this.signatureVerifier.verify(jwtToken)
+            .catch(function (error) {
+            throw _this.mapJwtErrorToAppCheckError(error);
+        });
+    };
+    /**
+     * Maps JwtError to FirebaseAppCheckError
+     *
+     * @param error - JwtError to be mapped.
+     * @returns FirebaseAppCheckError instance.
+     */
+    AppCheckTokenVerifier.prototype.mapJwtErrorToAppCheckError = function (error) {
+        if (error.code === jwt_1.JwtErrorCode.TOKEN_EXPIRED) {
+            var errorMessage = 'The provided App Check token has expired. Get a fresh App Check token' +
+                ' from your client app and try again.';
+            return new app_check_api_client_internal_1.FirebaseAppCheckError('app-check-token-expired', errorMessage);
+        }
+        else if (error.code === jwt_1.JwtErrorCode.INVALID_SIGNATURE) {
+            var errorMessage = 'The provided App Check token has invalid signature.';
+            return new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', errorMessage);
+        }
+        else if (error.code === jwt_1.JwtErrorCode.NO_MATCHING_KID) {
+            var errorMessage = 'The provided App Check token has "kid" claim which does not ' +
+                'correspond to a known public key. Most likely the provided App Check token ' +
+                'is expired, so get a fresh token from your client app and try again.';
+            return new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', errorMessage);
+        }
+        return new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', error.message);
+    };
+    return AppCheckTokenVerifier;
+}());
+exports.AppCheckTokenVerifier = AppCheckTokenVerifier;

package/lib/auth/action-code-settings-builder.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.100.0-alpha.0 */
+/*! firebase-admin v10.0.2 */
 /*!
  * Copyright 2018 Google Inc.
  *

package/lib/auth/action-code-settings-builder.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.100.0-alpha.0 */
+/*! firebase-admin v10.0.2 */
 "use strict";
 /*!
  * Copyright 2018 Google Inc.
@@ -93,7 +93,7 @@ var ActionCodeSettingsBuilder = /** @class */ (function () {
      * Returns the corresponding constructed server request corresponding to the
      * current ActionCodeSettings.
      *
-     * @return {EmailActionCodeRequest} The constructed EmailActionCodeRequest request.
+     * @returns The constructed EmailActionCodeRequest request.
      */
     ActionCodeSettingsBuilder.prototype.buildRequest = function () {
         var request = {

package/lib/auth/auth-api-request.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.100.0-alpha.0 */
+/*! firebase-admin v10.0.2 */
 /*!
  * @license
  * Copyright 2017 Google Inc.
@@ -31,18 +31,18 @@ declare class AuthResourceUrlBuilder {
     /**
      * The resource URL builder constructor.
      *
-     * @param {string} projectId The resource project ID.
-     * @param {string} version The endpoint API version.
+     * @param projectId - The resource project ID.
+     * @param version - The endpoint API version.
      * @constructor
      */
     constructor(app: App, version?: string);
     /**
      * Returns the resource URL corresponding to the provided parameters.
      *
-     * @param {string=} api The backend API name.
-     * @param {object=} params The optional additional parameters to substitute in the
+     * @param api - The backend API name.
+     * @param params - The optional additional parameters to substitute in the
      *     URL path.
-     * @return {Promise<string>} The corresponding resource URL.
+     * @returns The corresponding resource URL.
      */
     getUrl(api?: string, params?: object): Promise<string>;
     private getProjectId;
@@ -65,35 +65,35 @@ export declare class AuthRequestHandler extends AbstractAuthRequestHandler {
     /**
      * The FirebaseAuthRequestHandler constructor used to initialize an instance using a FirebaseApp.
      *
-     * @param {FirebaseApp} app The app used to fetch access tokens to sign API requests.
+     * @param app - The app used to fetch access tokens to sign API requests.
      * @constructor.
      */
     constructor(app: App);
     /**
-     * @return {AuthResourceUrlBuilder} A new Auth user management resource URL builder instance.
+     * @returns A new Auth user management resource URL builder instance.
      */
     protected newAuthUrlBuilder(): AuthResourceUrlBuilder;
     /**
-     * @return {AuthResourceUrlBuilder} A new project config resource URL builder instance.
+     * @returns A new project config resource URL builder instance.
      */
     protected newProjectConfigUrlBuilder(): AuthResourceUrlBuilder;
     /**
      * Looks up a tenant by tenant ID.
      *
-     * @param {string} tenantId The tenant identifier of the tenant to lookup.
-     * @return {Promise<TenantServerResponse>} A promise that resolves with the tenant information.
+     * @param tenantId - The tenant identifier of the tenant to lookup.
+     * @returns A promise that resolves with the tenant information.
      */
     getTenant(tenantId: string): Promise<TenantServerResponse>;
     /**
      * Exports the tenants (single batch only) with a size of maxResults and starting from
      * the offset as specified by pageToken.
      *
-     * @param {number=} maxResults The page size, 1000 if undefined. This is also the maximum
+     * @param maxResults - The page size, 1000 if undefined. This is also the maximum
      *     allowed limit.
-     * @param {string=} pageToken The next page token. If not specified, returns tenants starting
+     * @param pageToken - The next page token. If not specified, returns tenants starting
      *     without any offset. Tenants are returned in the order they were created from oldest to
      *     newest, relative to the page token offset.
-     * @return {Promise<object>} A promise that resolves with the current batch of downloaded
+     * @returns A promise that resolves with the current batch of downloaded
      *     tenants and the next page token if available. For the last page, an empty list of tenants
      *     and no page token are returned.
      */
@@ -104,23 +104,23 @@ export declare class AuthRequestHandler extends AbstractAuthRequestHandler {
     /**
      * Deletes a tenant identified by a tenantId.
      *
-     * @param {string} tenantId The identifier of the tenant to delete.
-     * @return {Promise<void>} A promise that resolves when the tenant is deleted.
+     * @param tenantId - The identifier of the tenant to delete.
+     * @returns A promise that resolves when the tenant is deleted.
      */
     deleteTenant(tenantId: string): Promise<void>;
     /**
      * Creates a new tenant with the properties provided.
      *
-     * @param {TenantOptions} tenantOptions The properties to set on the new tenant to be created.
-     * @return {Promise<TenantServerResponse>} A promise that resolves with the newly created tenant object.
+     * @param tenantOptions - The properties to set on the new tenant to be created.
+     * @returns A promise that resolves with the newly created tenant object.
      */
     createTenant(tenantOptions: CreateTenantRequest): Promise<TenantServerResponse>;
     /**
      * Updates an existing tenant with the properties provided.
      *
-     * @param {string} tenantId The tenant identifier of the tenant to update.
-     * @param {TenantOptions} tenantOptions The properties to update on the existing tenant.
-     * @return {Promise<TenantServerResponse>} A promise that resolves with the modified tenant object.
+     * @param tenantId - The tenant identifier of the tenant to update.
+     * @param tenantOptions - The properties to update on the existing tenant.
+     * @returns A promise that resolves with the modified tenant object.
      */
     updateTenant(tenantId: string, tenantOptions: UpdateTenantRequest): Promise<TenantServerResponse>;
 }
@@ -135,17 +135,17 @@ export declare class TenantAwareAuthRequestHandler extends AbstractAuthRequestHa
      * The FirebaseTenantRequestHandler constructor used to initialize an instance using a
      * FirebaseApp and a tenant ID.
      *
-     * @param {FirebaseApp} app The app used to fetch access tokens to sign API requests.
-     * @param {string} tenantId The request handler's tenant ID.
+     * @param app - The app used to fetch access tokens to sign API requests.
+     * @param tenantId - The request handler's tenant ID.
      * @constructor
      */
     constructor(app: App, tenantId: string);
     /**
-     * @return {AuthResourceUrlBuilder} A new Auth user management resource URL builder instance.
+     * @returns A new Auth user management resource URL builder instance.
      */
     protected newAuthUrlBuilder(): AuthResourceUrlBuilder;
     /**
-     * @return {AuthResourceUrlBuilder} A new project config resource URL builder instance.
+     * @returns A new project config resource URL builder instance.
      */
     protected newProjectConfigUrlBuilder(): AuthResourceUrlBuilder;
     /**
@@ -157,10 +157,10 @@ export declare class TenantAwareAuthRequestHandler extends AbstractAuthRequestHa
      * Overrides the superclass methods by adding an additional check to match tenant IDs of
      * imported user records if present.
      *
-     * @param {UserImportRecord[]} users The list of user records to import to Firebase Auth.
-     * @param {UserImportOptions=} options The user import options, required when the users provided
+     * @param users - The list of user records to import to Firebase Auth.
+     * @param options - The user import options, required when the users provided
      *     include password credentials.
-     * @return {Promise<UserImportResult>} A promise that resolves when the operation completes
+     * @returns A promise that resolves when the operation completes
      *     with the result of the import. This includes the number of successful imports, the number
      *     of failed uploads and their corresponding errors.
      */
@@ -169,10 +169,6 @@ export declare class TenantAwareAuthRequestHandler extends AbstractAuthRequestHa
 /**
  * When true the SDK should communicate with the Auth Emulator for all API
  * calls and also produce unsigned tokens.
- *
- * This alone does <b>NOT<b> short-circuit ID Token verification.
- * For security reasons that must be explicitly disabled through
- * setJwtVerificationEnabled(false);
  */
 export declare function useEmulator(): boolean;
 export {};