firebase-admin 9.12.0

package/lib/auth/token-verifier.js

@@ -0,0 +1,259 @@
+/*! firebase-admin v9.12.0 */
+"use strict";
+/*!
+ * Copyright 2018 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createSessionCookieVerifier = exports.createIdTokenVerifier = exports.FirebaseTokenVerifier = exports.SESSION_COOKIE_INFO = exports.ID_TOKEN_INFO = void 0;
+var error_1 = require("../utils/error");
+var util = require("../utils/index");
+var validator = require("../utils/validator");
+var jwt_1 = require("../utils/jwt");
+// Audience to use for Firebase Auth Custom tokens
+var FIREBASE_AUDIENCE = 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';
+// URL containing the public keys for the Google certs (whose private keys are used to sign Firebase
+// Auth ID tokens)
+var CLIENT_CERT_URL = 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com';
+// URL containing the public keys for Firebase session cookies. This will be updated to a different URL soon.
+var SESSION_COOKIE_CERT_URL = 'https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys';
+var EMULATOR_VERIFIER = new jwt_1.EmulatorSignatureVerifier();
+/** User facing token information related to the Firebase ID token. */
+exports.ID_TOKEN_INFO = {
+    url: 'https://firebase.google.com/docs/auth/admin/verify-id-tokens',
+    verifyApiName: 'verifyIdToken()',
+    jwtName: 'Firebase ID token',
+    shortName: 'ID token',
+    expiredErrorCode: error_1.AuthClientErrorCode.ID_TOKEN_EXPIRED,
+};
+/** User facing token information related to the Firebase session cookie. */
+exports.SESSION_COOKIE_INFO = {
+    url: 'https://firebase.google.com/docs/auth/admin/manage-cookies',
+    verifyApiName: 'verifySessionCookie()',
+    jwtName: 'Firebase session cookie',
+    shortName: 'session cookie',
+    expiredErrorCode: error_1.AuthClientErrorCode.SESSION_COOKIE_EXPIRED,
+};
+/**
+ * Class for verifying ID tokens and session cookies.
+ */
+var FirebaseTokenVerifier = /** @class */ (function () {
+    function FirebaseTokenVerifier(clientCertUrl, issuer, tokenInfo, app) {
+        this.issuer = issuer;
+        this.tokenInfo = tokenInfo;
+        this.app = app;
+        if (!validator.isURL(clientCertUrl)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'The provided public client certificate URL is an invalid URL.');
+        }
+        else if (!validator.isURL(issuer)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'The provided JWT issuer is an invalid URL.');
+        }
+        else if (!validator.isNonNullObject(tokenInfo)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'The provided JWT information is not an object or null.');
+        }
+        else if (!validator.isURL(tokenInfo.url)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'The provided JWT verification documentation URL is invalid.');
+        }
+        else if (!validator.isNonEmptyString(tokenInfo.verifyApiName)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'The JWT verify API name must be a non-empty string.');
+        }
+        else if (!validator.isNonEmptyString(tokenInfo.jwtName)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'The JWT public full name must be a non-empty string.');
+        }
+        else if (!validator.isNonEmptyString(tokenInfo.shortName)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'The JWT public short name must be a non-empty string.');
+        }
+        else if (!validator.isNonNullObject(tokenInfo.expiredErrorCode) || !('code' in tokenInfo.expiredErrorCode)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'The JWT expiration error code must be a non-null ErrorInfo object.');
+        }
+        this.shortNameArticle = tokenInfo.shortName.charAt(0).match(/[aeiou]/i) ? 'an' : 'a';
+        this.signatureVerifier =
+            jwt_1.PublicKeySignatureVerifier.withCertificateUrl(clientCertUrl, app.options.httpAgent);
+        // For backward compatibility, the project ID is validated in the verification call.
+    }
+    /**
+     * Verifies the format and signature of a Firebase Auth JWT token.
+     *
+     * @param jwtToken The Firebase Auth JWT token to verify.
+     * @param isEmulator Whether to accept Auth Emulator tokens.
+     * @return A promise fulfilled with the decoded claims of the Firebase Auth ID token.
+     */
+    FirebaseTokenVerifier.prototype.verifyJWT = function (jwtToken, isEmulator) {
+        var _this = this;
+        if (isEmulator === void 0) { isEmulator = false; }
+        if (!validator.isString(jwtToken)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "First argument to " + this.tokenInfo.verifyApiName + " must be a " + this.tokenInfo.jwtName + " string.");
+        }
+        return this.ensureProjectId()
+            .then(function (projectId) {
+            return _this.decodeAndVerify(jwtToken, projectId, isEmulator);
+        })
+            .then(function (decoded) {
+            var decodedIdToken = decoded.payload;
+            decodedIdToken.uid = decodedIdToken.sub;
+            return decodedIdToken;
+        });
+    };
+    FirebaseTokenVerifier.prototype.ensureProjectId = function () {
+        var _this = this;
+        return util.findProjectId(this.app)
+            .then(function (projectId) {
+            if (!validator.isNonEmptyString(projectId)) {
+                throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CREDENTIAL, 'Must initialize app with a cert credential or set your Firebase project ID as the ' +
+                    ("GOOGLE_CLOUD_PROJECT environment variable to call " + _this.tokenInfo.verifyApiName + "."));
+            }
+            return Promise.resolve(projectId);
+        });
+    };
+    FirebaseTokenVerifier.prototype.decodeAndVerify = function (token, projectId, isEmulator) {
+        var _this = this;
+        return this.safeDecode(token)
+            .then(function (decodedToken) {
+            _this.verifyContent(decodedToken, projectId, isEmulator);
+            return _this.verifySignature(token, isEmulator)
+                .then(function () { return decodedToken; });
+        });
+    };
+    FirebaseTokenVerifier.prototype.safeDecode = function (jwtToken) {
+        var _this = this;
+        return jwt_1.decodeJwt(jwtToken)
+            .catch(function (err) {
+            if (err.code == jwt_1.JwtErrorCode.INVALID_ARGUMENT) {
+                var verifyJwtTokenDocsMessage = " See " + _this.tokenInfo.url + " " +
+                    ("for details on how to retrieve " + _this.shortNameArticle + " " + _this.tokenInfo.shortName + ".");
+                var errorMessage = "Decoding " + _this.tokenInfo.jwtName + " failed. Make sure you passed " +
+                    ("the entire string JWT which represents " + _this.shortNameArticle + " ") +
+                    (_this.tokenInfo.shortName + ".") + verifyJwtTokenDocsMessage;
+                throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, errorMessage);
+            }
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INTERNAL_ERROR, err.message);
+        });
+    };
+    /**
+     * Verifies the content of a Firebase Auth JWT.
+     *
+     * @param fullDecodedToken The decoded JWT.
+     * @param projectId The Firebase Project Id.
+     * @param isEmulator Whether the token is an Emulator token.
+     */
+    FirebaseTokenVerifier.prototype.verifyContent = function (fullDecodedToken, projectId, isEmulator) {
+        var header = fullDecodedToken && fullDecodedToken.header;
+        var payload = fullDecodedToken && fullDecodedToken.payload;
+        var projectIdMatchMessage = " Make sure the " + this.tokenInfo.shortName + " comes from the same " +
+            'Firebase project as the service account used to authenticate this SDK.';
+        var verifyJwtTokenDocsMessage = " See " + this.tokenInfo.url + " " +
+            ("for details on how to retrieve " + this.shortNameArticle + " " + this.tokenInfo.shortName + ".");
+        var errorMessage;
+        if (!isEmulator && typeof header.kid === 'undefined') {
+            var isCustomToken = (payload.aud === FIREBASE_AUDIENCE);
+            var isLegacyCustomToken = (header.alg === 'HS256' && payload.v === 0 && 'd' in payload && 'uid' in payload.d);
+            if (isCustomToken) {
+                errorMessage = this.tokenInfo.verifyApiName + " expects " + this.shortNameArticle + " " +
+                    (this.tokenInfo.shortName + ", but was given a custom token.");
+            }
+            else if (isLegacyCustomToken) {
+                errorMessage = this.tokenInfo.verifyApiName + " expects " + this.shortNameArticle + " " +
+                    (this.tokenInfo.shortName + ", but was given a legacy custom token.");
+            }
+            else {
+                errorMessage = 'Firebase ID token has no "kid" claim.';
+            }
+            errorMessage += verifyJwtTokenDocsMessage;
+        }
+        else if (!isEmulator && header.alg !== jwt_1.ALGORITHM_RS256) {
+            errorMessage = this.tokenInfo.jwtName + " has incorrect algorithm. Expected \"" + jwt_1.ALGORITHM_RS256 + '" but got ' +
+                '"' + header.alg + '".' + verifyJwtTokenDocsMessage;
+        }
+        else if (payload.aud !== projectId) {
+            errorMessage = this.tokenInfo.jwtName + " has incorrect \"aud\" (audience) claim. Expected \"" +
+                projectId + '" but got "' + payload.aud + '".' + projectIdMatchMessage +
+                verifyJwtTokenDocsMessage;
+        }
+        else if (payload.iss !== this.issuer + projectId) {
+            errorMessage = this.tokenInfo.jwtName + " has incorrect \"iss\" (issuer) claim. Expected " +
+                ("\"" + this.issuer) + projectId + '" but got "' +
+                payload.iss + '".' + projectIdMatchMessage + verifyJwtTokenDocsMessage;
+        }
+        else if (typeof payload.sub !== 'string') {
+            errorMessage = this.tokenInfo.jwtName + " has no \"sub\" (subject) claim." + verifyJwtTokenDocsMessage;
+        }
+        else if (payload.sub === '') {
+            errorMessage = this.tokenInfo.jwtName + " has an empty string \"sub\" (subject) claim." + verifyJwtTokenDocsMessage;
+        }
+        else if (payload.sub.length > 128) {
+            errorMessage = this.tokenInfo.jwtName + " has \"sub\" (subject) claim longer than 128 characters." +
+                verifyJwtTokenDocsMessage;
+        }
+        if (errorMessage) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, errorMessage);
+        }
+    };
+    FirebaseTokenVerifier.prototype.verifySignature = function (jwtToken, isEmulator) {
+        var _this = this;
+        var verifier = isEmulator ? EMULATOR_VERIFIER : this.signatureVerifier;
+        return verifier.verify(jwtToken)
+            .catch(function (error) {
+            throw _this.mapJwtErrorToAuthError(error);
+        });
+    };
+    /**
+     * Maps JwtError to FirebaseAuthError
+     *
+     * @param error JwtError to be mapped.
+     * @returns FirebaseAuthError or Error instance.
+     */
+    FirebaseTokenVerifier.prototype.mapJwtErrorToAuthError = function (error) {
+        var verifyJwtTokenDocsMessage = " See " + this.tokenInfo.url + " " +
+            ("for details on how to retrieve " + this.shortNameArticle + " " + this.tokenInfo.shortName + ".");
+        if (error.code === jwt_1.JwtErrorCode.TOKEN_EXPIRED) {
+            var errorMessage = this.tokenInfo.jwtName + " has expired. Get a fresh " + this.tokenInfo.shortName +
+                (" from your client app and try again (auth/" + this.tokenInfo.expiredErrorCode.code + ").") +
+                verifyJwtTokenDocsMessage;
+            return new error_1.FirebaseAuthError(this.tokenInfo.expiredErrorCode, errorMessage);
+        }
+        else if (error.code === jwt_1.JwtErrorCode.INVALID_SIGNATURE) {
+            var errorMessage = this.tokenInfo.jwtName + " has invalid signature." + verifyJwtTokenDocsMessage;
+            return new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, errorMessage);
+        }
+        else if (error.code === jwt_1.JwtErrorCode.NO_MATCHING_KID) {
+            var errorMessage = this.tokenInfo.jwtName + " has \"kid\" claim which does not " +
+                ("correspond to a known public key. Most likely the " + this.tokenInfo.shortName + " ") +
+                'is expired, so get a fresh token from your client app and try again.';
+            return new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, errorMessage);
+        }
+        return new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, error.message);
+    };
+    return FirebaseTokenVerifier;
+}());
+exports.FirebaseTokenVerifier = FirebaseTokenVerifier;
+/**
+ * Creates a new FirebaseTokenVerifier to verify Firebase ID tokens.
+ *
+ * @param app Firebase app instance.
+ * @return FirebaseTokenVerifier
+ */
+function createIdTokenVerifier(app) {
+    return new FirebaseTokenVerifier(CLIENT_CERT_URL, 'https://securetoken.google.com/', exports.ID_TOKEN_INFO, app);
+}
+exports.createIdTokenVerifier = createIdTokenVerifier;
+/**
+ * Creates a new FirebaseTokenVerifier to verify Firebase session cookies.
+ *
+ * @param app Firebase app instance.
+ * @return FirebaseTokenVerifier
+ */
+function createSessionCookieVerifier(app) {
+    return new FirebaseTokenVerifier(SESSION_COOKIE_CERT_URL, 'https://session.firebase.google.com/', exports.SESSION_COOKIE_INFO, app);
+}
+exports.createSessionCookieVerifier = createSessionCookieVerifier;

package/lib/auth/user-import-builder.js

@@ -0,0 +1,387 @@
+/*! firebase-admin v9.12.0 */
+"use strict";
+/*!
+ * Copyright 2018 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UserImportBuilder = exports.convertMultiFactorInfoToServerFormat = void 0;
+var deep_copy_1 = require("../utils/deep-copy");
+var utils = require("../utils");
+var validator = require("../utils/validator");
+var error_1 = require("../utils/error");
+/**
+ * Converts a client format second factor object to server format.
+ * @param multiFactorInfo The client format second factor.
+ * @return The corresponding AuthFactorInfo server request format.
+ */
+function convertMultiFactorInfoToServerFormat(multiFactorInfo) {
+    var enrolledAt;
+    if (typeof multiFactorInfo.enrollmentTime !== 'undefined') {
+        if (validator.isUTCDateString(multiFactorInfo.enrollmentTime)) {
+            // Convert from UTC date string (client side format) to ISO date string (server side format).
+            enrolledAt = new Date(multiFactorInfo.enrollmentTime).toISOString();
+        }
+        else {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ENROLLMENT_TIME, "The second factor \"enrollmentTime\" for \"" + multiFactorInfo.uid + "\" must be a valid " +
+                'UTC date string.');
+        }
+    }
+    // Currently only phone second factors are supported.
+    if (isPhoneFactor(multiFactorInfo)) {
+        // If any required field is missing or invalid, validation will still fail later.
+        var authFactorInfo = {
+            mfaEnrollmentId: multiFactorInfo.uid,
+            displayName: multiFactorInfo.displayName,
+            // Required for all phone second factors.
+            phoneInfo: multiFactorInfo.phoneNumber,
+            enrolledAt: enrolledAt,
+        };
+        for (var objKey in authFactorInfo) {
+            if (typeof authFactorInfo[objKey] === 'undefined') {
+                delete authFactorInfo[objKey];
+            }
+        }
+        return authFactorInfo;
+    }
+    else {
+        // Unsupported second factor.
+        throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.UNSUPPORTED_SECOND_FACTOR, "Unsupported second factor \"" + JSON.stringify(multiFactorInfo) + "\" provided.");
+    }
+}
+exports.convertMultiFactorInfoToServerFormat = convertMultiFactorInfoToServerFormat;
+function isPhoneFactor(multiFactorInfo) {
+    return multiFactorInfo.factorId === 'phone';
+}
+/**
+ * @param {any} obj The object to check for number field within.
+ * @param {string} key The entry key.
+ * @return {number} The corresponding number if available. Otherwise, NaN.
+ */
+function getNumberField(obj, key) {
+    if (typeof obj[key] !== 'undefined' && obj[key] !== null) {
+        return parseInt(obj[key].toString(), 10);
+    }
+    return NaN;
+}
+/**
+ * Converts a UserImportRecord to a UploadAccountUser object. Throws an error when invalid
+ * fields are provided.
+ * @param {UserImportRecord} user The UserImportRecord to conver to UploadAccountUser.
+ * @param {ValidatorFunction=} userValidator The user validator function.
+ * @return {UploadAccountUser} The corresponding UploadAccountUser to return.
+ */
+function populateUploadAccountUser(user, userValidator) {
+    var result = {
+        localId: user.uid,
+        email: user.email,
+        emailVerified: user.emailVerified,
+        displayName: user.displayName,
+        disabled: user.disabled,
+        photoUrl: user.photoURL,
+        phoneNumber: user.phoneNumber,
+        providerUserInfo: [],
+        mfaInfo: [],
+        tenantId: user.tenantId,
+        customAttributes: user.customClaims && JSON.stringify(user.customClaims),
+    };
+    if (typeof user.passwordHash !== 'undefined') {
+        if (!validator.isBuffer(user.passwordHash)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_PASSWORD_HASH);
+        }
+        result.passwordHash = utils.toWebSafeBase64(user.passwordHash);
+    }
+    if (typeof user.passwordSalt !== 'undefined') {
+        if (!validator.isBuffer(user.passwordSalt)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_PASSWORD_SALT);
+        }
+        result.salt = utils.toWebSafeBase64(user.passwordSalt);
+    }
+    if (validator.isNonNullObject(user.metadata)) {
+        if (validator.isNonEmptyString(user.metadata.creationTime)) {
+            result.createdAt = new Date(user.metadata.creationTime).getTime();
+        }
+        if (validator.isNonEmptyString(user.metadata.lastSignInTime)) {
+            result.lastLoginAt = new Date(user.metadata.lastSignInTime).getTime();
+        }
+    }
+    if (validator.isArray(user.providerData)) {
+        user.providerData.forEach(function (providerData) {
+            result.providerUserInfo.push({
+                providerId: providerData.providerId,
+                rawId: providerData.uid,
+                email: providerData.email,
+                displayName: providerData.displayName,
+                photoUrl: providerData.photoURL,
+            });
+        });
+    }
+    // Convert user.multiFactor.enrolledFactors to server format.
+    if (validator.isNonNullObject(user.multiFactor) &&
+        validator.isNonEmptyArray(user.multiFactor.enrolledFactors)) {
+        user.multiFactor.enrolledFactors.forEach(function (multiFactorInfo) {
+            result.mfaInfo.push(convertMultiFactorInfoToServerFormat(multiFactorInfo));
+        });
+    }
+    // Remove blank fields.
+    var key;
+    for (key in result) {
+        if (typeof result[key] === 'undefined') {
+            delete result[key];
+        }
+    }
+    if (result.providerUserInfo.length === 0) {
+        delete result.providerUserInfo;
+    }
+    if (result.mfaInfo.length === 0) {
+        delete result.mfaInfo;
+    }
+    // Validate the constructured user individual request. This will throw if an error
+    // is detected.
+    if (typeof userValidator === 'function') {
+        userValidator(result);
+    }
+    return result;
+}
+/**
+ * Class that provides a helper for building/validating uploadAccount requests and
+ * UserImportResult responses.
+ */
+var UserImportBuilder = /** @class */ (function () {
+    /**
+     * @param {UserImportRecord[]} users The list of user records to import.
+     * @param {UserImportOptions=} options The import options which includes hashing
+     *     algorithm details.
+     * @param {ValidatorFunction=} userRequestValidator The user request validator function.
+     * @constructor
+     */
+    function UserImportBuilder(users, options, userRequestValidator) {
+        this.requiresHashOptions = false;
+        this.validatedUsers = [];
+        this.userImportResultErrors = [];
+        this.indexMap = {};
+        this.validatedUsers = this.populateUsers(users, userRequestValidator);
+        this.validatedOptions = this.populateOptions(options, this.requiresHashOptions);
+    }
+    /**
+     * Returns the corresponding constructed uploadAccount request.
+     * @return {UploadAccountRequest} The constructed uploadAccount request.
+     */
+    UserImportBuilder.prototype.buildRequest = function () {
+        var users = this.validatedUsers.map(function (user) {
+            return deep_copy_1.deepCopy(user);
+        });
+        return deep_copy_1.deepExtend({ users: users }, deep_copy_1.deepCopy(this.validatedOptions));
+    };
+    /**
+     * Populates the UserImportResult using the client side detected errors and the server
+     * side returned errors.
+     * @return {UserImportResult} The user import result based on the returned failed
+     *     uploadAccount response.
+     */
+    UserImportBuilder.prototype.buildResponse = function (failedUploads) {
+        var _this = this;
+        // Initialize user import result.
+        var importResult = {
+            successCount: this.validatedUsers.length,
+            failureCount: this.userImportResultErrors.length,
+            errors: deep_copy_1.deepCopy(this.userImportResultErrors),
+        };
+        importResult.failureCount += failedUploads.length;
+        importResult.successCount -= failedUploads.length;
+        failedUploads.forEach(function (failedUpload) {
+            importResult.errors.push({
+                // Map backend request index to original developer provided array index.
+                index: _this.indexMap[failedUpload.index],
+                error: new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_USER_IMPORT, failedUpload.message),
+            });
+        });
+        // Sort errors by index.
+        importResult.errors.sort(function (a, b) {
+            return a.index - b.index;
+        });
+        // Return sorted result.
+        return importResult;
+    };
+    /**
+     * Validates and returns the hashing options of the uploadAccount request.
+     * Throws an error whenever an invalid or missing options is detected.
+     * @param {UserImportOptions} options The UserImportOptions.
+     * @param {boolean} requiresHashOptions Whether to require hash options.
+     * @return {UploadAccountOptions} The populated UploadAccount options.
+     */
+    UserImportBuilder.prototype.populateOptions = function (options, requiresHashOptions) {
+        var populatedOptions;
+        if (!requiresHashOptions) {
+            return {};
+        }
+        if (!validator.isNonNullObject(options)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, '"UserImportOptions" are required when importing users with passwords.');
+        }
+        if (!validator.isNonNullObject(options.hash)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.MISSING_HASH_ALGORITHM, '"hash.algorithm" is missing from the provided "UserImportOptions".');
+        }
+        if (typeof options.hash.algorithm === 'undefined' ||
+            !validator.isNonEmptyString(options.hash.algorithm)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_HASH_ALGORITHM, '"hash.algorithm" must be a string matching the list of supported algorithms.');
+        }
+        var rounds;
+        switch (options.hash.algorithm) {
+            case 'HMAC_SHA512':
+            case 'HMAC_SHA256':
+            case 'HMAC_SHA1':
+            case 'HMAC_MD5':
+                if (!validator.isBuffer(options.hash.key)) {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_HASH_KEY, 'A non-empty "hash.key" byte buffer must be provided for ' +
+                        ("hash algorithm " + options.hash.algorithm + "."));
+                }
+                populatedOptions = {
+                    hashAlgorithm: options.hash.algorithm,
+                    signerKey: utils.toWebSafeBase64(options.hash.key),
+                };
+                break;
+            case 'MD5':
+            case 'SHA1':
+            case 'SHA256':
+            case 'SHA512': {
+                // MD5 is [0,8192] but SHA1, SHA256, and SHA512 are [1,8192]
+                rounds = getNumberField(options.hash, 'rounds');
+                var minRounds = options.hash.algorithm === 'MD5' ? 0 : 1;
+                if (isNaN(rounds) || rounds < minRounds || rounds > 8192) {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_HASH_ROUNDS, "A valid \"hash.rounds\" number between " + minRounds + " and 8192 must be provided for " +
+                        ("hash algorithm " + options.hash.algorithm + "."));
+                }
+                populatedOptions = {
+                    hashAlgorithm: options.hash.algorithm,
+                    rounds: rounds,
+                };
+                break;
+            }
+            case 'PBKDF_SHA1':
+            case 'PBKDF2_SHA256':
+                rounds = getNumberField(options.hash, 'rounds');
+                if (isNaN(rounds) || rounds < 0 || rounds > 120000) {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_HASH_ROUNDS, 'A valid "hash.rounds" number between 0 and 120000 must be provided for ' +
+                        ("hash algorithm " + options.hash.algorithm + "."));
+                }
+                populatedOptions = {
+                    hashAlgorithm: options.hash.algorithm,
+                    rounds: rounds,
+                };
+                break;
+            case 'SCRYPT': {
+                if (!validator.isBuffer(options.hash.key)) {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_HASH_KEY, 'A "hash.key" byte buffer must be provided for ' +
+                        ("hash algorithm " + options.hash.algorithm + "."));
+                }
+                rounds = getNumberField(options.hash, 'rounds');
+                if (isNaN(rounds) || rounds <= 0 || rounds > 8) {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_HASH_ROUNDS, 'A valid "hash.rounds" number between 1 and 8 must be provided for ' +
+                        ("hash algorithm " + options.hash.algorithm + "."));
+                }
+                var memoryCost = getNumberField(options.hash, 'memoryCost');
+                if (isNaN(memoryCost) || memoryCost <= 0 || memoryCost > 14) {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_HASH_MEMORY_COST, 'A valid "hash.memoryCost" number between 1 and 14 must be provided for ' +
+                        ("hash algorithm " + options.hash.algorithm + "."));
+                }
+                if (typeof options.hash.saltSeparator !== 'undefined' &&
+                    !validator.isBuffer(options.hash.saltSeparator)) {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_HASH_SALT_SEPARATOR, '"hash.saltSeparator" must be a byte buffer.');
+                }
+                populatedOptions = {
+                    hashAlgorithm: options.hash.algorithm,
+                    signerKey: utils.toWebSafeBase64(options.hash.key),
+                    rounds: rounds,
+                    memoryCost: memoryCost,
+                    saltSeparator: utils.toWebSafeBase64(options.hash.saltSeparator || Buffer.from('')),
+                };
+                break;
+            }
+            case 'BCRYPT':
+                populatedOptions = {
+                    hashAlgorithm: options.hash.algorithm,
+                };
+                break;
+            case 'STANDARD_SCRYPT': {
+                var cpuMemCost = getNumberField(options.hash, 'memoryCost');
+                if (isNaN(cpuMemCost)) {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_HASH_MEMORY_COST, 'A valid "hash.memoryCost" number must be provided for ' +
+                        ("hash algorithm " + options.hash.algorithm + "."));
+                }
+                var parallelization = getNumberField(options.hash, 'parallelization');
+                if (isNaN(parallelization)) {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_HASH_PARALLELIZATION, 'A valid "hash.parallelization" number must be provided for ' +
+                        ("hash algorithm " + options.hash.algorithm + "."));
+                }
+                var blockSize = getNumberField(options.hash, 'blockSize');
+                if (isNaN(blockSize)) {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_HASH_BLOCK_SIZE, 'A valid "hash.blockSize" number must be provided for ' +
+                        ("hash algorithm " + options.hash.algorithm + "."));
+                }
+                var dkLen = getNumberField(options.hash, 'derivedKeyLength');
+                if (isNaN(dkLen)) {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_HASH_DERIVED_KEY_LENGTH, 'A valid "hash.derivedKeyLength" number must be provided for ' +
+                        ("hash algorithm " + options.hash.algorithm + "."));
+                }
+                populatedOptions = {
+                    hashAlgorithm: options.hash.algorithm,
+                    cpuMemCost: cpuMemCost,
+                    parallelization: parallelization,
+                    blockSize: blockSize,
+                    dkLen: dkLen,
+                };
+                break;
+            }
+            default:
+                throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_HASH_ALGORITHM, "Unsupported hash algorithm provider \"" + options.hash.algorithm + "\".");
+        }
+        return populatedOptions;
+    };
+    /**
+     * Validates and returns the users list of the uploadAccount request.
+     * Whenever a user with an error is detected, the error is cached and will later be
+     * merged into the user import result. This allows the processing of valid users without
+     * failing early on the first error detected.
+     * @param {UserImportRecord[]} users The UserImportRecords to convert to UnploadAccountUser
+     *     objects.
+     * @param {ValidatorFunction=} userValidator The user validator function.
+     * @return {UploadAccountUser[]} The populated uploadAccount users.
+     */
+    UserImportBuilder.prototype.populateUsers = function (users, userValidator) {
+        var _this = this;
+        var populatedUsers = [];
+        users.forEach(function (user, index) {
+            try {
+                var result = populateUploadAccountUser(user, userValidator);
+                if (typeof result.passwordHash !== 'undefined') {
+                    _this.requiresHashOptions = true;
+                }
+                // Only users that pass client screening will be passed to backend for processing.
+                populatedUsers.push(result);
+                // Map user's index (the one to be sent to backend) to original developer provided array.
+                _this.indexMap[populatedUsers.length - 1] = index;
+            }
+            catch (error) {
+                // Save the client side error with respect to the developer provided array.
+                _this.userImportResultErrors.push({
+                    index: index,
+                    error: error,
+                });
+            }
+        });
+        return populatedUsers;
+    };
+    return UserImportBuilder;
+}());
+exports.UserImportBuilder = UserImportBuilder;