firebase-admin 9.12.0

package/lib/auth/index.js

@@ -0,0 +1,18 @@
+/*! firebase-admin v9.12.0 */
+"use strict";
+/*!
+ * Copyright 2020 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/auth/tenant-manager.js

@@ -0,0 +1,140 @@
+/*! firebase-admin v9.12.0 */
+"use strict";
+/*!
+ * Copyright 2019 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TenantManager = void 0;
+var auth_api_request_1 = require("./auth-api-request");
+var auth_1 = require("./auth");
+var tenant_1 = require("./tenant");
+var error_1 = require("../utils/error");
+var validator = require("../utils/validator");
+/**
+ * Data structure used to help manage tenant related operations.
+ * This includes:
+ * - The ability to create, update, list, get and delete tenants for the underlying project.
+ * - Getting a TenantAwareAuth instance for running Auth related operations (user mgmt, provider config mgmt, etc)
+ *   in the context of a specified tenant.
+ */
+var TenantManager = /** @class */ (function () {
+    /**
+     * Initializes a TenantManager instance for a specified FirebaseApp.
+     * @param app The app for this TenantManager instance.
+     */
+    function TenantManager(app) {
+        this.app = app;
+        this.authRequestHandler = new auth_api_request_1.AuthRequestHandler(app);
+        this.tenantsMap = {};
+    }
+    /**
+     * Returns a TenantAwareAuth instance for the corresponding tenant ID.
+     *
+     * @param tenantId The tenant ID whose TenantAwareAuth is to be returned.
+     * @return The corresponding TenantAwareAuth instance.
+     */
+    TenantManager.prototype.authForTenant = function (tenantId) {
+        if (!validator.isNonEmptyString(tenantId)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_TENANT_ID);
+        }
+        if (typeof this.tenantsMap[tenantId] === 'undefined') {
+            this.tenantsMap[tenantId] = new auth_1.TenantAwareAuth(this.app, tenantId);
+        }
+        return this.tenantsMap[tenantId];
+    };
+    /**
+     * Looks up the tenant identified by the provided tenant ID and returns a promise that is
+     * fulfilled with the corresponding tenant if it is found.
+     *
+     * @param tenantId The tenant ID of the tenant to look up.
+     * @return A promise that resolves with the corresponding tenant.
+     */
+    TenantManager.prototype.getTenant = function (tenantId) {
+        return this.authRequestHandler.getTenant(tenantId)
+            .then(function (response) {
+            return new tenant_1.Tenant(response);
+        });
+    };
+    /**
+     * Exports a batch of tenant accounts. Batch size is determined by the maxResults argument.
+     * Starting point of the batch is determined by the pageToken argument.
+     *
+     * @param maxResults The page size, 1000 if undefined. This is also the maximum
+     *     allowed limit.
+     * @param pageToken The next page token. If not specified, returns users starting
+     *     without any offset.
+     * @return A promise that resolves with
+     *     the current batch of downloaded tenants and the next page token. For the last page, an
+     *     empty list of tenants and no page token are returned.
+     */
+    TenantManager.prototype.listTenants = function (maxResults, pageToken) {
+        return this.authRequestHandler.listTenants(maxResults, pageToken)
+            .then(function (response) {
+            // List of tenants to return.
+            var tenants = [];
+            // Convert each user response to a Tenant.
+            response.tenants.forEach(function (tenantResponse) {
+                tenants.push(new tenant_1.Tenant(tenantResponse));
+            });
+            // Return list of tenants and the next page token if available.
+            var result = {
+                tenants: tenants,
+                pageToken: response.nextPageToken,
+            };
+            // Delete result.pageToken if undefined.
+            if (typeof result.pageToken === 'undefined') {
+                delete result.pageToken;
+            }
+            return result;
+        });
+    };
+    /**
+     * Deletes the tenant identified by the provided tenant ID and returns a promise that is
+     * fulfilled when the tenant is found and successfully deleted.
+     *
+     * @param tenantId The tenant ID of the tenant to delete.
+     * @return A promise that resolves when the tenant is successfully deleted.
+     */
+    TenantManager.prototype.deleteTenant = function (tenantId) {
+        return this.authRequestHandler.deleteTenant(tenantId);
+    };
+    /**
+     * Creates a new tenant with the properties provided.
+     *
+     * @param tenantOptions The properties to set on the new tenant to be created.
+     * @return A promise that resolves with the newly created tenant.
+     */
+    TenantManager.prototype.createTenant = function (tenantOptions) {
+        return this.authRequestHandler.createTenant(tenantOptions)
+            .then(function (response) {
+            return new tenant_1.Tenant(response);
+        });
+    };
+    /**
+     * Updates an existing tenant identified by the tenant ID with the properties provided.
+     *
+     * @param tenantId The tenant identifier of the tenant to update.
+     * @param tenantOptions The properties to update on the existing tenant.
+     * @return A promise that resolves with the modified tenant.
+     */
+    TenantManager.prototype.updateTenant = function (tenantId, tenantOptions) {
+        return this.authRequestHandler.updateTenant(tenantId, tenantOptions)
+            .then(function (response) {
+            return new tenant_1.Tenant(response);
+        });
+    };
+    return TenantManager;
+}());
+exports.TenantManager = TenantManager;

package/lib/auth/tenant.js

@@ -0,0 +1,171 @@
+/*! firebase-admin v9.12.0 */
+"use strict";
+/*!
+ * Copyright 2019 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Tenant = void 0;
+var validator = require("../utils/validator");
+var deep_copy_1 = require("../utils/deep-copy");
+var error_1 = require("../utils/error");
+var auth_config_1 = require("./auth-config");
+/**
+ * Tenant class that defines a Firebase Auth tenant.
+ */
+var Tenant = /** @class */ (function () {
+    /**
+     * The Tenant object constructor.
+     *
+     * @param response The server side response used to initialize the Tenant object.
+     * @constructor
+     */
+    function Tenant(response) {
+        var tenantId = Tenant.getTenantIdFromResourceName(response.name);
+        if (!tenantId) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INTERNAL_ERROR, 'INTERNAL ASSERT FAILED: Invalid tenant response');
+        }
+        this.tenantId = tenantId;
+        this.displayName = response.displayName;
+        try {
+            this.emailSignInConfig = new auth_config_1.EmailSignInConfig(response);
+        }
+        catch (e) {
+            // If allowPasswordSignup is undefined, it is disabled by default.
+            this.emailSignInConfig = new auth_config_1.EmailSignInConfig({
+                allowPasswordSignup: false,
+            });
+        }
+        this.anonymousSignInEnabled = !!response.enableAnonymousUser;
+        if (typeof response.mfaConfig !== 'undefined') {
+            this.multiFactorConfig = new auth_config_1.MultiFactorAuthConfig(response.mfaConfig);
+        }
+        if (typeof response.testPhoneNumbers !== 'undefined') {
+            this.testPhoneNumbers = deep_copy_1.deepCopy(response.testPhoneNumbers || {});
+        }
+    }
+    /**
+     * Builds the corresponding server request for a TenantOptions object.
+     *
+     * @param {TenantOptions} tenantOptions The properties to convert to a server request.
+     * @param {boolean} createRequest Whether this is a create request.
+     * @return {object} The equivalent server request.
+     */
+    Tenant.buildServerRequest = function (tenantOptions, createRequest) {
+        var _a;
+        Tenant.validate(tenantOptions, createRequest);
+        var request = {};
+        if (typeof tenantOptions.emailSignInConfig !== 'undefined') {
+            request = auth_config_1.EmailSignInConfig.buildServerRequest(tenantOptions.emailSignInConfig);
+        }
+        if (typeof tenantOptions.displayName !== 'undefined') {
+            request.displayName = tenantOptions.displayName;
+        }
+        if (typeof tenantOptions.anonymousSignInEnabled !== 'undefined') {
+            request.enableAnonymousUser = tenantOptions.anonymousSignInEnabled;
+        }
+        if (typeof tenantOptions.multiFactorConfig !== 'undefined') {
+            request.mfaConfig = auth_config_1.MultiFactorAuthConfig.buildServerRequest(tenantOptions.multiFactorConfig);
+        }
+        if (typeof tenantOptions.testPhoneNumbers !== 'undefined') {
+            // null will clear existing test phone numbers. Translate to empty object.
+            request.testPhoneNumbers = (_a = tenantOptions.testPhoneNumbers) !== null && _a !== void 0 ? _a : {};
+        }
+        return request;
+    };
+    /**
+     * Returns the tenant ID corresponding to the resource name if available.
+     *
+     * @param {string} resourceName The server side resource name
+     * @return {?string} The tenant ID corresponding to the resource, null otherwise.
+     */
+    Tenant.getTenantIdFromResourceName = function (resourceName) {
+        // name is of form projects/project1/tenants/tenant1
+        var matchTenantRes = resourceName.match(/\/tenants\/(.*)$/);
+        if (!matchTenantRes || matchTenantRes.length < 2) {
+            return null;
+        }
+        return matchTenantRes[1];
+    };
+    /**
+     * Validates a tenant options object. Throws an error on failure.
+     *
+     * @param {any} request The tenant options object to validate.
+     * @param {boolean} createRequest Whether this is a create request.
+     */
+    Tenant.validate = function (request, createRequest) {
+        var validKeys = {
+            displayName: true,
+            emailSignInConfig: true,
+            anonymousSignInEnabled: true,
+            multiFactorConfig: true,
+            testPhoneNumbers: true,
+        };
+        var label = createRequest ? 'CreateTenantRequest' : 'UpdateTenantRequest';
+        if (!validator.isNonNullObject(request)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "\"" + label + "\" must be a valid non-null object.");
+        }
+        // Check for unsupported top level attributes.
+        for (var key in request) {
+            if (!(key in validKeys)) {
+                throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "\"" + key + "\" is not a valid " + label + " parameter.");
+            }
+        }
+        // Validate displayName type if provided.
+        if (typeof request.displayName !== 'undefined' &&
+            !validator.isNonEmptyString(request.displayName)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "\"" + label + ".displayName\" must be a valid non-empty string.");
+        }
+        // Validate emailSignInConfig type if provided.
+        if (typeof request.emailSignInConfig !== 'undefined') {
+            // This will throw an error if invalid.
+            auth_config_1.EmailSignInConfig.buildServerRequest(request.emailSignInConfig);
+        }
+        // Validate test phone numbers if provided.
+        if (typeof request.testPhoneNumbers !== 'undefined' &&
+            request.testPhoneNumbers !== null) {
+            auth_config_1.validateTestPhoneNumbers(request.testPhoneNumbers);
+        }
+        else if (request.testPhoneNumbers === null && createRequest) {
+            // null allowed only for update operations.
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "\"" + label + ".testPhoneNumbers\" must be a non-null object.");
+        }
+        // Validate multiFactorConfig type if provided.
+        if (typeof request.multiFactorConfig !== 'undefined') {
+            // This will throw an error if invalid.
+            auth_config_1.MultiFactorAuthConfig.buildServerRequest(request.multiFactorConfig);
+        }
+    };
+    /** @return {object} The plain object representation of the tenant. */
+    Tenant.prototype.toJSON = function () {
+        var _a, _b;
+        var json = {
+            tenantId: this.tenantId,
+            displayName: this.displayName,
+            emailSignInConfig: (_a = this.emailSignInConfig) === null || _a === void 0 ? void 0 : _a.toJSON(),
+            anonymousSignInEnabled: this.anonymousSignInEnabled,
+            multiFactorConfig: (_b = this.multiFactorConfig) === null || _b === void 0 ? void 0 : _b.toJSON(),
+            testPhoneNumbers: this.testPhoneNumbers,
+        };
+        if (typeof json.multiFactorConfig === 'undefined') {
+            delete json.multiFactorConfig;
+        }
+        if (typeof json.testPhoneNumbers === 'undefined') {
+            delete json.testPhoneNumbers;
+        }
+        return json;
+    };
+    return Tenant;
+}());
+exports.Tenant = Tenant;

package/lib/auth/token-generator.js

@@ -0,0 +1,200 @@
+/*! firebase-admin v9.12.0 */
+"use strict";
+/*!
+ * @license
+ * Copyright 2017 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleCryptoSignerError = exports.FirebaseTokenGenerator = exports.EmulatedSigner = exports.BLACKLISTED_CLAIMS = void 0;
+var error_1 = require("../utils/error");
+var crypto_signer_1 = require("../utils/crypto-signer");
+var validator = require("../utils/validator");
+var utils_1 = require("../utils");
+var ALGORITHM_NONE = 'none';
+var ONE_HOUR_IN_SECONDS = 60 * 60;
+// List of blacklisted claims which cannot be provided when creating a custom token
+exports.BLACKLISTED_CLAIMS = [
+    'acr', 'amr', 'at_hash', 'aud', 'auth_time', 'azp', 'cnf', 'c_hash', 'exp', 'iat', 'iss', 'jti',
+    'nbf', 'nonce',
+];
+// Audience to use for Firebase Auth Custom tokens
+var FIREBASE_AUDIENCE = 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';
+/**
+ * A CryptoSigner implementation that is used when communicating with the Auth emulator.
+ * It produces unsigned tokens.
+ */
+var EmulatedSigner = /** @class */ (function () {
+    function EmulatedSigner() {
+        this.algorithm = ALGORITHM_NONE;
+    }
+    /**
+     * @inheritDoc
+     */
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    EmulatedSigner.prototype.sign = function (buffer) {
+        return Promise.resolve(Buffer.from(''));
+    };
+    /**
+     * @inheritDoc
+     */
+    EmulatedSigner.prototype.getAccountId = function () {
+        return Promise.resolve('firebase-auth-emulator@example.com');
+    };
+    return EmulatedSigner;
+}());
+exports.EmulatedSigner = EmulatedSigner;
+/**
+ * Class for generating different types of Firebase Auth tokens (JWTs).
+ */
+var FirebaseTokenGenerator = /** @class */ (function () {
+    /**
+     * @param tenantId The tenant ID to use for the generated Firebase Auth
+     *     Custom token. If absent, then no tenant ID claim will be set in the
+     *     resulting JWT.
+     */
+    function FirebaseTokenGenerator(signer, tenantId) {
+        this.tenantId = tenantId;
+        if (!validator.isNonNullObject(signer)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CREDENTIAL, 'INTERNAL ASSERT: Must provide a CryptoSigner to use FirebaseTokenGenerator.');
+        }
+        if (typeof this.tenantId !== 'undefined' && !validator.isNonEmptyString(this.tenantId)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, '`tenantId` argument must be a non-empty string.');
+        }
+        this.signer = signer;
+    }
+    /**
+     * Creates a new Firebase Auth Custom token.
+     *
+     * @param uid The user ID to use for the generated Firebase Auth Custom token.
+     * @param developerClaims Optional developer claims to include in the generated Firebase
+     *     Auth Custom token.
+     * @return A Promise fulfilled with a Firebase Auth Custom token signed with a
+     *     service account key and containing the provided payload.
+     */
+    FirebaseTokenGenerator.prototype.createCustomToken = function (uid, developerClaims) {
+        var _this = this;
+        var errorMessage;
+        if (!validator.isNonEmptyString(uid)) {
+            errorMessage = '`uid` argument must be a non-empty string uid.';
+        }
+        else if (uid.length > 128) {
+            errorMessage = '`uid` argument must a uid with less than or equal to 128 characters.';
+        }
+        else if (!this.isDeveloperClaimsValid_(developerClaims)) {
+            errorMessage = '`developerClaims` argument must be a valid, non-null object containing the developer claims.';
+        }
+        if (errorMessage) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, errorMessage);
+        }
+        var claims = {};
+        if (typeof developerClaims !== 'undefined') {
+            for (var key in developerClaims) {
+                /* istanbul ignore else */
+                if (Object.prototype.hasOwnProperty.call(developerClaims, key)) {
+                    if (exports.BLACKLISTED_CLAIMS.indexOf(key) !== -1) {
+                        throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "Developer claim \"" + key + "\" is reserved and cannot be specified.");
+                    }
+                    claims[key] = developerClaims[key];
+                }
+            }
+        }
+        return this.signer.getAccountId().then(function (account) {
+            var header = {
+                alg: _this.signer.algorithm,
+                typ: 'JWT',
+            };
+            var iat = Math.floor(Date.now() / 1000);
+            var body = {
+                aud: FIREBASE_AUDIENCE,
+                iat: iat,
+                exp: iat + ONE_HOUR_IN_SECONDS,
+                iss: account,
+                sub: account,
+                uid: uid,
+            };
+            if (_this.tenantId) {
+                // eslint-disable-next-line @typescript-eslint/camelcase
+                body.tenant_id = _this.tenantId;
+            }
+            if (Object.keys(claims).length > 0) {
+                body.claims = claims;
+            }
+            var token = _this.encodeSegment(header) + "." + _this.encodeSegment(body);
+            var signPromise = _this.signer.sign(Buffer.from(token));
+            return Promise.all([token, signPromise]);
+        }).then(function (_a) {
+            var token = _a[0], signature = _a[1];
+            return token + "." + _this.encodeSegment(signature);
+        }).catch(function (err) {
+            throw handleCryptoSignerError(err);
+        });
+    };
+    FirebaseTokenGenerator.prototype.encodeSegment = function (segment) {
+        var buffer = (segment instanceof Buffer) ? segment : Buffer.from(JSON.stringify(segment));
+        return utils_1.toWebSafeBase64(buffer).replace(/=+$/, '');
+    };
+    /**
+     * Returns whether or not the provided developer claims are valid.
+     *
+     * @param {object} [developerClaims] Optional developer claims to validate.
+     * @return {boolean} True if the provided claims are valid; otherwise, false.
+     */
+    FirebaseTokenGenerator.prototype.isDeveloperClaimsValid_ = function (developerClaims) {
+        if (typeof developerClaims === 'undefined') {
+            return true;
+        }
+        return validator.isNonNullObject(developerClaims);
+    };
+    return FirebaseTokenGenerator;
+}());
+exports.FirebaseTokenGenerator = FirebaseTokenGenerator;
+/**
+ * Creates a new FirebaseAuthError by extracting the error code, message and other relevant
+ * details from a CryptoSignerError.
+ *
+ * @param {Error} err The Error to convert into a FirebaseAuthError error
+ * @return {FirebaseAuthError} A Firebase Auth error that can be returned to the user.
+ */
+function handleCryptoSignerError(err) {
+    if (!(err instanceof crypto_signer_1.CryptoSignerError)) {
+        return err;
+    }
+    if (err.code === crypto_signer_1.CryptoSignerErrorCode.SERVER_ERROR && validator.isNonNullObject(err.cause)) {
+        var httpError = err.cause;
+        var errorResponse = httpError.response.data;
+        if (validator.isNonNullObject(errorResponse) && errorResponse.error) {
+            var errorCode = errorResponse.error.status;
+            var description = 'Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens ' +
+                'for more details on how to use and troubleshoot this feature.';
+            var errorMsg = errorResponse.error.message + "; " + description;
+            return error_1.FirebaseAuthError.fromServerError(errorCode, errorMsg, errorResponse);
+        }
+        return new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INTERNAL_ERROR, 'Error returned from server: ' + errorResponse + '. Additionally, an ' +
+            'internal error occurred while attempting to extract the ' +
+            'errorcode from the error.');
+    }
+    return new error_1.FirebaseAuthError(mapToAuthClientErrorCode(err.code), err.message);
+}
+exports.handleCryptoSignerError = handleCryptoSignerError;
+function mapToAuthClientErrorCode(code) {
+    switch (code) {
+        case crypto_signer_1.CryptoSignerErrorCode.INVALID_CREDENTIAL:
+            return error_1.AuthClientErrorCode.INVALID_CREDENTIAL;
+        case crypto_signer_1.CryptoSignerErrorCode.INVALID_ARGUMENT:
+            return error_1.AuthClientErrorCode.INVALID_ARGUMENT;
+        default:
+            return error_1.AuthClientErrorCode.INTERNAL_ERROR;
+    }
+}