firebase-admin 9.3.0 → 9.5.0

package/lib/auth/action-code-settings-builder.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.3.0 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
  * Copyright 2018 Google Inc.

package/lib/auth/auth-api-request.js

@@ -1,6 +1,7 @@
-/*! firebase-admin v9.3.0 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
+ * @license
  * Copyright 2017 Google Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -29,7 +30,7 @@ var __extends = (this && this.__extends) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.TenantAwareAuthRequestHandler = exports.AuthRequestHandler = exports.AbstractAuthRequestHandler = exports.FIREBASE_AUTH_SIGN_UP_NEW_USER = exports.FIREBASE_AUTH_SET_ACCOUNT_INFO = exports.FIREBASE_AUTH_BATCH_DELETE_ACCOUNTS = exports.FIREBASE_AUTH_DELETE_ACCOUNT = exports.FIREBASE_AUTH_GET_ACCOUNTS_INFO = exports.FIREBASE_AUTH_GET_ACCOUNT_INFO = exports.FIREBASE_AUTH_DOWNLOAD_ACCOUNT = exports.FIREBASE_AUTH_UPLOAD_ACCOUNT = exports.FIREBASE_AUTH_CREATE_SESSION_COOKIE = exports.EMAIL_ACTION_REQUEST_TYPES = exports.RESERVED_CLAIMS = void 0;
+exports.useEmulator = exports.TenantAwareAuthRequestHandler = exports.AuthRequestHandler = exports.AbstractAuthRequestHandler = exports.FIREBASE_AUTH_SIGN_UP_NEW_USER = exports.FIREBASE_AUTH_SET_ACCOUNT_INFO = exports.FIREBASE_AUTH_BATCH_DELETE_ACCOUNTS = exports.FIREBASE_AUTH_DELETE_ACCOUNT = exports.FIREBASE_AUTH_GET_ACCOUNTS_INFO = exports.FIREBASE_AUTH_GET_ACCOUNT_INFO = exports.FIREBASE_AUTH_DOWNLOAD_ACCOUNT = exports.FIREBASE_AUTH_UPLOAD_ACCOUNT = exports.FIREBASE_AUTH_CREATE_SESSION_COOKIE = exports.EMAIL_ACTION_REQUEST_TYPES = exports.RESERVED_CLAIMS = void 0;
 var validator = require("../utils/validator");
 var deep_copy_1 = require("../utils/deep-copy");
 var identifier_1 = require("./identifier");
@@ -103,10 +104,9 @@ var AuthResourceUrlBuilder = /** @class */ (function () {
         if (version === void 0) { version = 'v1'; }
         this.app = app;
         this.version = version;
-        var emulatorHost = process.env.FIREBASE_AUTH_EMULATOR_HOST;
-        if (emulatorHost) {
+        if (useEmulator()) {
             this.urlFormat = utils.formatString(FIREBASE_AUTH_EMULATOR_BASE_URL_FORMAT, {
-                host: emulatorHost
+                host: emulatorHost()
             });
         }
         else {
@@ -169,10 +169,9 @@ var TenantAwareAuthResourceUrlBuilder = /** @class */ (function (_super) {
         _this.app = app;
         _this.version = version;
         _this.tenantId = tenantId;
-        var emulatorHost = process.env.FIREBASE_AUTH_EMULATOR_HOST;
-        if (emulatorHost) {
+        if (useEmulator()) {
             _this.urlFormat = utils.formatString(FIREBASE_AUTH_EMULATOR_TENANT_URL_FORMAT, {
-                host: emulatorHost
+                host: emulatorHost()
             });
         }
         else {
@@ -197,6 +196,23 @@ var TenantAwareAuthResourceUrlBuilder = /** @class */ (function (_super) {
     };
     return TenantAwareAuthResourceUrlBuilder;
 }(AuthResourceUrlBuilder));
+/**
+ * Auth-specific HTTP client which uses the special "owner" token
+ * when communicating with the Auth Emulator.
+ */
+var AuthHttpClient = /** @class */ (function (_super) {
+    __extends(AuthHttpClient, _super);
+    function AuthHttpClient() {
+        return _super !== null && _super.apply(this, arguments) || this;
+    }
+    AuthHttpClient.prototype.getToken = function () {
+        if (useEmulator()) {
+            return Promise.resolve('owner');
+        }
+        return _super.prototype.getToken.call(this);
+    };
+    return AuthHttpClient;
+}(api_request_1.AuthorizedHttpClient));
 /**
  * Validates an AuthFactorInfo object. All unsupported parameters
  * are removed from the original request. If an invalid field is passed
@@ -223,7 +239,7 @@ function validateAuthFactorInfo(request, writeOperationType) {
     var uidRequired = writeOperationType !== WriteOperationType.Create;
     if ((typeof request.mfaEnrollmentId !== 'undefined' || uidRequired) &&
         !validator.isNonEmptyString(request.mfaEnrollmentId)) {
-        throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_UID, "The second factor \"uid\" must be a valid non-empty string.");
+        throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_UID, 'The second factor "uid" must be a valid non-empty string.');
     }
     if (typeof request.displayName !== 'undefined' &&
         !validator.isString(request.displayName)) {
@@ -233,20 +249,20 @@ function validateAuthFactorInfo(request, writeOperationType) {
     if (typeof request.enrolledAt !== 'undefined' &&
         !validator.isISODateString(request.enrolledAt)) {
         throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ENROLLMENT_TIME, "The second factor \"enrollmentTime\" for \"" + authFactorInfoIdentifier + "\" must be a valid " +
-            "UTC date string.");
+            'UTC date string.');
     }
     // Validate required fields depending on second factor type.
     if (typeof request.phoneInfo !== 'undefined') {
         // phoneNumber should be a string and a valid phone number.
         if (!validator.isPhoneNumber(request.phoneInfo)) {
             throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_PHONE_NUMBER, "The second factor \"phoneNumber\" for \"" + authFactorInfoIdentifier + "\" must be a non-empty " +
-                "E.164 standard compliant identifier string.");
+                'E.164 standard compliant identifier string.');
         }
     }
     else {
         // Invalid second factor. For example, a phone second factor may have been provided without
         // a phone number. A TOTP based second factor may require a secret key, etc.
-        throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ENROLLED_FACTORS, "MFAInfo object provided is invalid.");
+        throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ENROLLED_FACTORS, 'MFAInfo object provided is invalid.');
     }
 }
 /**
@@ -321,6 +337,8 @@ function validateCreateEditRequest(request, writeOperationType) {
         phoneNumber: true,
         customAttributes: true,
         validSince: true,
+        // Pass linkProviderUserInfo only for updates (i.e. not for uploads.)
+        linkProviderUserInfo: !uploadAccountRequest,
         // Pass tenantId only for uploadAccount requests.
         tenantId: uploadAccountRequest,
         passwordHash: uploadAccountRequest,
@@ -465,6 +483,10 @@ function validateCreateEditRequest(request, writeOperationType) {
             validateProviderUserInfo(providerUserInfoEntry);
         });
     }
+    // linkProviderUserInfo must be a (single) UserProvider value.
+    if (typeof request.linkProviderUserInfo !== 'undefined') {
+        validateProviderUserInfo(request.linkProviderUserInfo);
+    }
     // mfaInfo is used for importUsers.
     // mfa.enrollments is used for setAccountInfo.
     // enrollments has to be an array of valid AuthFactorInfo requests.
@@ -521,7 +543,7 @@ exports.FIREBASE_AUTH_DOWNLOAD_ACCOUNT = new api_request_1.ApiSettings('/account
     if (!validator.isNumber(request.maxResults) ||
         request.maxResults <= 0 ||
         request.maxResults > MAX_DOWNLOAD_ACCOUNT_PAGE_SIZE) {
-        throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "Required \"maxResults\" must be a positive integer that does not exceed " +
+        throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'Required "maxResults" must be a positive integer that does not exceed ' +
             (MAX_DOWNLOAD_ACCOUNT_PAGE_SIZE + "."));
     }
 });
@@ -535,7 +557,7 @@ exports.FIREBASE_AUTH_GET_ACCOUNT_INFO = new api_request_1.ApiSettings('/account
 })
     // Set response validator.
     .setResponseValidator(function (response) {
-    if (!response.users) {
+    if (!response.users || !response.users.length) {
         throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.USER_NOT_FOUND);
     }
 });
@@ -609,11 +631,11 @@ exports.FIREBASE_AUTH_SIGN_UP_NEW_USER = new api_request_1.ApiSettings('/account
     .setRequestValidator(function (request) {
     // signupNewUser does not support customAttributes.
     if (typeof request.customAttributes !== 'undefined') {
-        throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "\"customAttributes\" cannot be set when creating a new user.");
+        throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, '"customAttributes" cannot be set when creating a new user.');
     }
     // signupNewUser does not support validSince.
     if (typeof request.validSince !== 'undefined') {
-        throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "\"validSince\" cannot be set when creating a new user.");
+        throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, '"validSince" cannot be set when creating a new user.');
     }
     // Throw error when tenantId is passed in POST body.
     if (typeof request.tenantId !== 'undefined') {
@@ -687,7 +709,7 @@ var LIST_OAUTH_IDP_CONFIGS = new api_request_1.ApiSettings('/oauthIdpConfigs', '
     if (!validator.isNumber(request.pageSize) ||
         request.pageSize <= 0 ||
         request.pageSize > MAX_LIST_PROVIDER_CONFIGURATION_PAGE_SIZE) {
-        throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "Required \"maxResults\" must be a positive integer that does not exceed " +
+        throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'Required "maxResults" must be a positive integer that does not exceed ' +
             (MAX_LIST_PROVIDER_CONFIGURATION_PAGE_SIZE + "."));
     }
 });
@@ -733,7 +755,7 @@ var LIST_INBOUND_SAML_CONFIGS = new api_request_1.ApiSettings('/inboundSamlConfi
     if (!validator.isNumber(request.pageSize) ||
         request.pageSize <= 0 ||
         request.pageSize > MAX_LIST_PROVIDER_CONFIGURATION_PAGE_SIZE) {
-        throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "Required \"maxResults\" must be a positive integer that does not exceed " +
+        throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'Required "maxResults" must be a positive integer that does not exceed ' +
             (MAX_LIST_PROVIDER_CONFIGURATION_PAGE_SIZE + "."));
     }
 });
@@ -750,7 +772,7 @@ var AbstractAuthRequestHandler = /** @class */ (function () {
         if (typeof app !== 'object' || app === null || !('options' in app)) {
             throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'First argument passed to admin.auth() must be a valid Firebase app instance.');
         }
-        this.httpClient = new api_request_1.AuthorizedHttpClient(app);
+        this.httpClient = new AuthHttpClient(app);
     }
     /**
      * @param {any} response The response to check for errors.
@@ -860,6 +882,18 @@ var AbstractAuthRequestHandler = /** @class */ (function () {
         };
         return this.invokeRequestHandler(this.getAuthUrlBuilder(), exports.FIREBASE_AUTH_GET_ACCOUNT_INFO, request);
     };
+    AbstractAuthRequestHandler.prototype.getAccountInfoByFederatedUid = function (providerId, rawId) {
+        if (!validator.isNonEmptyString(providerId) || !validator.isNonEmptyString(rawId)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_PROVIDER_ID);
+        }
+        var request = {
+            federatedUserId: [{
+                    providerId: providerId,
+                    rawId: rawId,
+                }],
+        };
+        return this.invokeRequestHandler(this.getAuthUrlBuilder(), exports.FIREBASE_AUTH_GET_ACCOUNT_INFO, request);
+    };
     /**
      * Looks up multiple users by their identifiers (uid, email, etc).
      *
@@ -1048,6 +1082,26 @@ var AbstractAuthRequestHandler = /** @class */ (function () {
         else if (!validator.isNonNullObject(properties)) {
             return Promise.reject(new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'Properties argument must be a non-null object.'));
         }
+        else if (validator.isNonNullObject(properties.providerToLink)) {
+            // TODO(rsgowman): These checks overlap somewhat with
+            // validateProviderUserInfo. It may be possible to refactor a bit.
+            if (!validator.isNonEmptyString(properties.providerToLink.providerId)) {
+                throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'providerToLink.providerId of properties argument must be a non-empty string.');
+            }
+            if (!validator.isNonEmptyString(properties.providerToLink.uid)) {
+                throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'providerToLink.uid of properties argument must be a non-empty string.');
+            }
+        }
+        else if (typeof properties.providersToUnlink !== 'undefined') {
+            if (!validator.isArray(properties.providersToUnlink)) {
+                throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'providersToUnlink of properties argument must be an array of strings.');
+            }
+            properties.providersToUnlink.forEach(function (providerId) {
+                if (!validator.isNonEmptyString(providerId)) {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'providersToUnlink of properties argument must be an array of strings.');
+                }
+            });
+        }
         // Build the setAccountInfo request.
         var request = deep_copy_1.deepCopy(properties);
         request.localId = uid;
@@ -1078,14 +1132,22 @@ var AbstractAuthRequestHandler = /** @class */ (function () {
         // It will be removed from the backend request and an additional parameter
         // deleteProvider: ['phone'] with an array of providerIds (phone in this case),
         // will be passed.
-        // Currently this applies to phone provider only.
         if (request.phoneNumber === null) {
-            request.deleteProvider = ['phone'];
+            request.deleteProvider ? request.deleteProvider.push('phone') : request.deleteProvider = ['phone'];
             delete request.phoneNumber;
         }
-        else {
-            // Doesn't apply to other providers in admin SDK.
-            delete request.deleteProvider;
+        if (typeof (request.providerToLink) !== 'undefined') {
+            request.linkProviderUserInfo = deep_copy_1.deepCopy(request.providerToLink);
+            delete request.providerToLink;
+            request.linkProviderUserInfo.rawId = request.linkProviderUserInfo.uid;
+            delete request.linkProviderUserInfo.uid;
+        }
+        if (typeof (request.providersToUnlink) !== 'undefined') {
+            if (!validator.isArray(request.deleteProvider)) {
+                request.deleteProvider = [];
+            }
+            request.deleteProvider = request.deleteProvider.concat(request.providersToUnlink);
+            delete request.providersToUnlink;
         }
         // Rewrite photoURL to photoUrl.
         if (typeof request.photoURL !== 'undefined') {
@@ -1567,7 +1629,7 @@ var LIST_TENANTS = new api_request_1.ApiSettings('/tenants', 'GET')
     if (!validator.isNumber(request.pageSize) ||
         request.pageSize <= 0 ||
         request.pageSize > MAX_LIST_TENANT_PAGE_SIZE) {
-        throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "Required \"maxResults\" must be a positive non-zero number that does not exceed " +
+        throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'Required "maxResults" must be a positive non-zero number that does not exceed ' +
             ("the allowed " + MAX_LIST_TENANT_PAGE_SIZE + "."));
     }
 });
@@ -1783,3 +1845,14 @@ var TenantAwareAuthRequestHandler = /** @class */ (function (_super) {
     return TenantAwareAuthRequestHandler;
 }(AbstractAuthRequestHandler));
 exports.TenantAwareAuthRequestHandler = TenantAwareAuthRequestHandler;
+function emulatorHost() {
+    return process.env.FIREBASE_AUTH_EMULATOR_HOST;
+}
+/**
+ * When true the SDK should communicate with the Auth Emulator for all API
+ * calls and also produce unsigned tokens.
+ */
+function useEmulator() {
+    return !!emulatorHost();
+}
+exports.useEmulator = useEmulator;

package/lib/auth/auth-config.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.3.0 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
  * Copyright 2018 Google Inc.
@@ -16,20 +16,20 @@
  * limitations under the License.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.OIDCConfig = exports.SAMLConfig = exports.EmailSignInConfig = exports.validateTestPhoneNumbers = exports.MultiFactorAuthConfig = exports.AUTH_FACTOR_SERVER_TO_CLIENT_TYPE = exports.AUTH_FACTOR_CLIENT_TO_SERVER_TYPE = exports.MAXIMUM_TEST_PHONE_NUMBERS = void 0;
+exports.OIDCConfig = exports.SAMLConfig = exports.EmailSignInConfig = exports.validateTestPhoneNumbers = exports.MultiFactorAuthConfig = exports.MAXIMUM_TEST_PHONE_NUMBERS = void 0;
 var validator = require("../utils/validator");
 var deep_copy_1 = require("../utils/deep-copy");
 var error_1 = require("../utils/error");
 /** A maximum of 10 test phone number / code pairs can be configured. */
 exports.MAXIMUM_TEST_PHONE_NUMBERS = 10;
 /** Client Auth factor type to server auth factor type mapping. */
-exports.AUTH_FACTOR_CLIENT_TO_SERVER_TYPE = {
+var AUTH_FACTOR_CLIENT_TO_SERVER_TYPE = {
     phone: 'PHONE_SMS',
 };
 /** Server Auth factor type to client auth factor type mapping. */
-exports.AUTH_FACTOR_SERVER_TO_CLIENT_TYPE = Object.keys(exports.AUTH_FACTOR_CLIENT_TO_SERVER_TYPE)
+var AUTH_FACTOR_SERVER_TO_CLIENT_TYPE = Object.keys(AUTH_FACTOR_CLIENT_TO_SERVER_TYPE)
     .reduce(function (res, key) {
-    res[exports.AUTH_FACTOR_CLIENT_TO_SERVER_TYPE[key]] = key;
+    res[AUTH_FACTOR_CLIENT_TO_SERVER_TYPE[key]] = key;
     return res;
 }, {});
 /**
@@ -54,8 +54,8 @@ var MultiFactorAuthConfig = /** @class */ (function () {
         (response.enabledProviders || []).forEach(function (enabledProvider) {
             // Ignore unsupported types. It is possible the current admin SDK version is
             // not up to date and newer backend types are supported.
-            if (typeof exports.AUTH_FACTOR_SERVER_TO_CLIENT_TYPE[enabledProvider] !== 'undefined') {
-                _this.factorIds.push(exports.AUTH_FACTOR_SERVER_TO_CLIENT_TYPE[enabledProvider]);
+            if (typeof AUTH_FACTOR_SERVER_TO_CLIENT_TYPE[enabledProvider] !== 'undefined') {
+                _this.factorIds.push(AUTH_FACTOR_SERVER_TO_CLIENT_TYPE[enabledProvider]);
             }
         });
     }
@@ -77,7 +77,7 @@ var MultiFactorAuthConfig = /** @class */ (function () {
                 if (typeof request.enabledProviders === 'undefined') {
                     request.enabledProviders = [];
                 }
-                request.enabledProviders.push(exports.AUTH_FACTOR_CLIENT_TO_SERVER_TYPE[factorId]);
+                request.enabledProviders.push(AUTH_FACTOR_CLIENT_TO_SERVER_TYPE[factorId]);
             });
             // In case an empty array is passed. Ensure it gets populated so the array is cleared.
             if (options.factorIds && options.factorIds.length === 0) {
@@ -117,7 +117,7 @@ var MultiFactorAuthConfig = /** @class */ (function () {
             }
             // Validate content of array.
             options.factorIds.forEach(function (factorId) {
-                if (typeof exports.AUTH_FACTOR_CLIENT_TO_SERVER_TYPE[factorId] === 'undefined') {
+                if (typeof AUTH_FACTOR_CLIENT_TO_SERVER_TYPE[factorId] === 'undefined') {
                     throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, "\"" + factorId + "\" is not a valid \"AuthFactorType\".");
                 }
             });
@@ -425,7 +425,7 @@ var SAMLConfig = /** @class */ (function () {
             throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"SAMLAuthProviderConfig.displayName" must be a valid string.');
         }
     };
-    /** @return {SAMLAuthProviderConfig} The plain object representation of the SAMLConfig. */
+    /** @return The plain object representation of the SAMLConfig. */
     SAMLConfig.prototype.toJSON = function () {
         return {
             enabled: this.enabled,
@@ -479,9 +479,9 @@ var OIDCConfig = /** @class */ (function () {
      * Throws an error if validation fails. If the request is not a OIDCConfig request,
      * returns null.
      *
-     * @param {OIDCAuthProviderRequest} options The options object to convert to a server request.
-     * @param {boolean=} ignoreMissingFields Whether to ignore missing fields.
-     * @return {?OIDCConfigServerRequest} The resulting server request or null if not valid.
+     * @param options The options object to convert to a server request.
+     * @param ignoreMissingFields Whether to ignore missing fields.
+     * @return The resulting server request or null if not valid.
      */
     OIDCConfig.buildServerRequest = function (options, ignoreMissingFields) {
         if (ignoreMissingFields === void 0) { ignoreMissingFields = false; }
@@ -523,8 +523,8 @@ var OIDCConfig = /** @class */ (function () {
     /**
      * Validates the OIDCConfig options object. Throws an error on failure.
      *
-     * @param {OIDCAuthProviderRequest} options The options object to validate.
-     * @param {boolean=} ignoreMissingFields Whether to ignore missing fields.
+     * @param options The options object to validate.
+     * @param ignoreMissingFields Whether to ignore missing fields.
      */
     OIDCConfig.validate = function (options, ignoreMissingFields) {
         if (ignoreMissingFields === void 0) { ignoreMissingFields = false; }

package/lib/auth/auth.js

@@ -1,6 +1,7 @@
-/*! firebase-admin v9.3.0 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
+ * @license
  * Copyright 2017 Google Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -30,6 +31,7 @@ var __extends = (this && this.__extends) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Auth = exports.TenantAwareAuth = exports.BaseAuth = void 0;
+var deep_copy_1 = require("../utils/deep-copy");
 var user_record_1 = require("./user-record");
 var identifier_1 = require("./identifier");
 var token_generator_1 = require("./token-generator");
@@ -40,23 +42,6 @@ var validator = require("../utils/validator");
 var token_verifier_1 = require("./token-verifier");
 var auth_config_1 = require("./auth-config");
 var tenant_manager_1 = require("./tenant-manager");
-/**
- * Internals of an Auth instance.
- */
-var AuthInternals = /** @class */ (function () {
-    function AuthInternals() {
-    }
-    /**
-     * Deletes the service and its associated resources.
-     *
-     * @return {Promise<()>} An empty Promise that will be fulfilled when the service is deleted.
-     */
-    AuthInternals.prototype.delete = function () {
-        // There are no resources to clean up
-        return Promise.resolve(undefined);
-    };
-    return AuthInternals;
-}());
 /**
  * Base Auth class. Mainly used for user management APIs.
  */
@@ -77,7 +62,7 @@ var BaseAuth = /** @class */ (function () {
             this.tokenGenerator = tokenGenerator;
         }
         else {
-            var cryptoSigner = useEmulator() ? new token_generator_1.EmulatedSigner() : token_generator_1.cryptoSignerFromApp(app);
+            var cryptoSigner = auth_api_request_1.useEmulator() ? new token_generator_1.EmulatedSigner() : token_generator_1.cryptoSignerFromApp(app);
             this.tokenGenerator = new token_generator_1.FirebaseTokenGenerator(cryptoSigner);
         }
         this.sessionCookieVerifier = token_verifier_1.createSessionCookieVerifier(app);
@@ -110,13 +95,14 @@ var BaseAuth = /** @class */ (function () {
     BaseAuth.prototype.verifyIdToken = function (idToken, checkRevoked) {
         var _this = this;
         if (checkRevoked === void 0) { checkRevoked = false; }
-        return this.idTokenVerifier.verifyJWT(idToken)
+        var isEmulator = auth_api_request_1.useEmulator();
+        return this.idTokenVerifier.verifyJWT(idToken, isEmulator)
             .then(function (decodedIdToken) {
             // Whether to check if the token was revoked.
-            if (!checkRevoked) {
-                return decodedIdToken;
+            if (checkRevoked || isEmulator) {
+                return _this.verifyDecodedJWTNotRevoked(decodedIdToken, error_1.AuthClientErrorCode.ID_TOKEN_REVOKED);
             }
-            return _this.verifyDecodedJWTNotRevoked(decodedIdToken, error_1.AuthClientErrorCode.ID_TOKEN_REVOKED);
+            return decodedIdToken;
         });
     };
     /**
@@ -161,6 +147,35 @@ var BaseAuth = /** @class */ (function () {
             return new user_record_1.UserRecord(response.users[0]);
         });
     };
+    /**
+     * Gets the user data for the user corresponding to a given provider id.
+     *
+     * See [Retrieve user data](/docs/auth/admin/manage-users#retrieve_user_data)
+     * for code samples and detailed documentation.
+     *
+     * @param providerId The provider ID, for example, "google.com" for the
+     *   Google provider.
+     * @param uid The user identifier for the given provider.
+     *
+     * @return A promise fulfilled with the user data corresponding to the
+     *   given provider id.
+     */
+    BaseAuth.prototype.getUserByProviderUid = function (providerId, uid) {
+        // Although we don't really advertise it, we want to also handle
+        // non-federated idps with this call. So if we detect one of them, we'll
+        // reroute this request appropriately.
+        if (providerId === 'phone') {
+            return this.getUserByPhoneNumber(uid);
+        }
+        else if (providerId === 'email') {
+            return this.getUserByEmail(uid);
+        }
+        return this.authRequestHandler.getAccountInfoByFederatedUid(providerId, uid)
+            .then(function (response) {
+            // Returns the user record populated with server response.
+            return new user_record_1.UserRecord(response.users[0]);
+        });
+    };
     /**
      * Gets the user data corresponding to the specified identifiers.
      *
@@ -325,6 +340,43 @@ var BaseAuth = /** @class */ (function () {
      */
     BaseAuth.prototype.updateUser = function (uid, properties) {
         var _this = this;
+        // Although we don't really advertise it, we want to also handle linking of
+        // non-federated idps with this call. So if we detect one of them, we'll
+        // adjust the properties parameter appropriately. This *does* imply that a
+        // conflict could arise, e.g. if the user provides a phoneNumber property,
+        // but also provides a providerToLink with a 'phone' provider id. In that
+        // case, we'll throw an error.
+        properties = deep_copy_1.deepCopy(properties);
+        if (properties === null || properties === void 0 ? void 0 : properties.providerToLink) {
+            if (properties.providerToLink.providerId === 'email') {
+                if (typeof properties.email !== 'undefined') {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "Both UpdateRequest.email and UpdateRequest.providerToLink.providerId='email' were set. To "
+                        + 'link to the email/password provider, only specify the UpdateRequest.email field.');
+                }
+                properties.email = properties.providerToLink.uid;
+                delete properties.providerToLink;
+            }
+            else if (properties.providerToLink.providerId === 'phone') {
+                if (typeof properties.phoneNumber !== 'undefined') {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "Both UpdateRequest.phoneNumber and UpdateRequest.providerToLink.providerId='phone' were set. To "
+                        + 'link to a phone provider, only specify the UpdateRequest.phoneNumber field.');
+                }
+                properties.phoneNumber = properties.providerToLink.uid;
+                delete properties.providerToLink;
+            }
+        }
+        if (properties === null || properties === void 0 ? void 0 : properties.providersToUnlink) {
+            if (properties.providersToUnlink.indexOf('phone') !== -1) {
+                // If we've been told to unlink the phone provider both via setting
+                // phoneNumber to null *and* by setting providersToUnlink to include
+                // 'phone', then we'll reject that. Though it might also be reasonable
+                // to relax this restriction and just unlink it.
+                if (properties.phoneNumber === null) {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "Both UpdateRequest.phoneNumber=null and UpdateRequest.providersToUnlink=['phone'] were set. To "
+                        + 'unlink from a phone provider, only specify the UpdateRequest.phoneNumber=null field.');
+                }
+            }
+        }
         return this.authRequestHandler.updateExistingAccount(uid, properties)
             .then(function (existingUid) {
             // Return the corresponding user record.
@@ -411,13 +463,14 @@ var BaseAuth = /** @class */ (function () {
     BaseAuth.prototype.verifySessionCookie = function (sessionCookie, checkRevoked) {
         var _this = this;
         if (checkRevoked === void 0) { checkRevoked = false; }
-        return this.sessionCookieVerifier.verifyJWT(sessionCookie)
+        var isEmulator = auth_api_request_1.useEmulator();
+        return this.sessionCookieVerifier.verifyJWT(sessionCookie, isEmulator)
             .then(function (decodedIdToken) {
             // Whether to check if the token was revoked.
-            if (!checkRevoked) {
-                return decodedIdToken;
+            if (checkRevoked || isEmulator) {
+                return _this.verifyDecodedJWTNotRevoked(decodedIdToken, error_1.AuthClientErrorCode.SESSION_COOKIE_REVOKED);
             }
-            return _this.verifyDecodedJWTNotRevoked(decodedIdToken, error_1.AuthClientErrorCode.SESSION_COOKIE_REVOKED);
+            return decodedIdToken;
         });
     };
     /**
@@ -508,7 +561,7 @@ var BaseAuth = /** @class */ (function () {
                 return processResponse(response, providerConfigs);
             });
         }
-        return Promise.reject(new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "\"AuthProviderConfigFilter.type\" must be either \"saml' or \"oidc\""));
+        return Promise.reject(new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, '"AuthProviderConfigFilter.type" must be either "saml" or "oidc"'));
     };
     /**
      * Looks up an Auth provider configuration by ID.
@@ -626,26 +679,6 @@ var BaseAuth = /** @class */ (function () {
             return decodedIdToken;
         });
     };
-    /**
-     * Enable or disable ID token verification. This is used to safely short-circuit token verification with the
-     * Auth emulator. When disabled ONLY unsigned tokens will pass verification, production tokens will not pass.
-     *
-     * WARNING: This is a dangerous method that will compromise your app's security and break your app in
-     * production. Developers should never call this method, it is for internal testing use only.
-     *
-     * @internal
-     */
-    // @ts-expect-error: this method appears unused but is used privately.
-    BaseAuth.prototype.setJwtVerificationEnabled = function (enabled) {
-        if (!enabled && !useEmulator()) {
-            // We only allow verification to be disabled in conjunction with
-            // the emulator environment variable.
-            throw new Error('This method is only available when connected to the Authentication emulator.');
-        }
-        var algorithm = enabled ? token_verifier_1.ALGORITHM_RS256 : 'none';
-        this.idTokenVerifier.setAlgorithm(algorithm);
-        this.sessionCookieVerifier.setAlgorithm(algorithm);
-    };
     return BaseAuth;
 }());
 exports.BaseAuth = BaseAuth;
@@ -663,7 +696,7 @@ var TenantAwareAuth = /** @class */ (function (_super) {
      */
     function TenantAwareAuth(app, tenantId) {
         var _this = this;
-        var cryptoSigner = useEmulator() ? new token_generator_1.EmulatedSigner() : token_generator_1.cryptoSignerFromApp(app);
+        var cryptoSigner = auth_api_request_1.useEmulator() ? new token_generator_1.EmulatedSigner() : token_generator_1.cryptoSignerFromApp(app);
         var tokenGenerator = new token_generator_1.FirebaseTokenGenerator(cryptoSigner, tenantId);
         _this = _super.call(this, app, new auth_api_request_1.TenantAwareAuthRequestHandler(app, tenantId), tokenGenerator) || this;
         utils.addReadonlyGetter(_this, 'tenantId', tenantId);
@@ -758,7 +791,6 @@ var Auth = /** @class */ (function (_super) {
      */
     function Auth(app) {
         var _this = _super.call(this, app, new auth_api_request_1.AuthRequestHandler(app)) || this;
-        _this.INTERNAL = new AuthInternals();
         _this.app_ = app;
         _this.tenantManager_ = new tenant_manager_1.TenantManager(app);
         return _this;
@@ -782,14 +814,3 @@ var Auth = /** @class */ (function (_super) {
     return Auth;
 }(BaseAuth));
 exports.Auth = Auth;
-/**
- * When true the SDK should communicate with the Auth Emulator for all API
- * calls and also produce unsigned tokens.
- *
- * This alone does <b>NOT<b> short-circuit ID Token verification.
- * For security reasons that must be explicitly disabled through
- * setJwtVerificationEnabled(false);
- */
-function useEmulator() {
-    return !!process.env.FIREBASE_AUTH_EMULATOR_HOST;
-}

package/lib/auth/identifier.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.3.0 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
  * Copyright 2020 Google Inc.
@@ -17,7 +17,8 @@
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.isProviderIdentifier = exports.isPhoneIdentifier = exports.isEmailIdentifier = exports.isUidIdentifier = void 0;
-/* User defined type guards. See
+/*
+ * User defined type guards. See
  * https://www.typescriptlang.org/docs/handbook/advanced-types.html#user-defined-type-guards
  */
 function isUidIdentifier(id) {