firebase-admin 9.4.2 → 9.5.0

package/lib/auth/action-code-settings-builder.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.4.2 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
  * Copyright 2018 Google Inc.

package/lib/auth/auth-api-request.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.4.2 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
  * @license
@@ -337,6 +337,8 @@ function validateCreateEditRequest(request, writeOperationType) {
         phoneNumber: true,
         customAttributes: true,
         validSince: true,
+        // Pass linkProviderUserInfo only for updates (i.e. not for uploads.)
+        linkProviderUserInfo: !uploadAccountRequest,
         // Pass tenantId only for uploadAccount requests.
         tenantId: uploadAccountRequest,
         passwordHash: uploadAccountRequest,
@@ -481,6 +483,10 @@ function validateCreateEditRequest(request, writeOperationType) {
             validateProviderUserInfo(providerUserInfoEntry);
         });
     }
+    // linkProviderUserInfo must be a (single) UserProvider value.
+    if (typeof request.linkProviderUserInfo !== 'undefined') {
+        validateProviderUserInfo(request.linkProviderUserInfo);
+    }
     // mfaInfo is used for importUsers.
     // mfa.enrollments is used for setAccountInfo.
     // enrollments has to be an array of valid AuthFactorInfo requests.
@@ -876,6 +882,18 @@ var AbstractAuthRequestHandler = /** @class */ (function () {
         };
         return this.invokeRequestHandler(this.getAuthUrlBuilder(), exports.FIREBASE_AUTH_GET_ACCOUNT_INFO, request);
     };
+    AbstractAuthRequestHandler.prototype.getAccountInfoByFederatedUid = function (providerId, rawId) {
+        if (!validator.isNonEmptyString(providerId) || !validator.isNonEmptyString(rawId)) {
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_PROVIDER_ID);
+        }
+        var request = {
+            federatedUserId: [{
+                    providerId: providerId,
+                    rawId: rawId,
+                }],
+        };
+        return this.invokeRequestHandler(this.getAuthUrlBuilder(), exports.FIREBASE_AUTH_GET_ACCOUNT_INFO, request);
+    };
     /**
      * Looks up multiple users by their identifiers (uid, email, etc).
      *
@@ -1064,6 +1082,26 @@ var AbstractAuthRequestHandler = /** @class */ (function () {
         else if (!validator.isNonNullObject(properties)) {
             return Promise.reject(new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'Properties argument must be a non-null object.'));
         }
+        else if (validator.isNonNullObject(properties.providerToLink)) {
+            // TODO(rsgowman): These checks overlap somewhat with
+            // validateProviderUserInfo. It may be possible to refactor a bit.
+            if (!validator.isNonEmptyString(properties.providerToLink.providerId)) {
+                throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'providerToLink.providerId of properties argument must be a non-empty string.');
+            }
+            if (!validator.isNonEmptyString(properties.providerToLink.uid)) {
+                throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'providerToLink.uid of properties argument must be a non-empty string.');
+            }
+        }
+        else if (typeof properties.providersToUnlink !== 'undefined') {
+            if (!validator.isArray(properties.providersToUnlink)) {
+                throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'providersToUnlink of properties argument must be an array of strings.');
+            }
+            properties.providersToUnlink.forEach(function (providerId) {
+                if (!validator.isNonEmptyString(providerId)) {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'providersToUnlink of properties argument must be an array of strings.');
+                }
+            });
+        }
         // Build the setAccountInfo request.
         var request = deep_copy_1.deepCopy(properties);
         request.localId = uid;
@@ -1094,14 +1132,22 @@ var AbstractAuthRequestHandler = /** @class */ (function () {
         // It will be removed from the backend request and an additional parameter
         // deleteProvider: ['phone'] with an array of providerIds (phone in this case),
         // will be passed.
-        // Currently this applies to phone provider only.
         if (request.phoneNumber === null) {
-            request.deleteProvider = ['phone'];
+            request.deleteProvider ? request.deleteProvider.push('phone') : request.deleteProvider = ['phone'];
             delete request.phoneNumber;
         }
-        else {
-            // Doesn't apply to other providers in admin SDK.
-            delete request.deleteProvider;
+        if (typeof (request.providerToLink) !== 'undefined') {
+            request.linkProviderUserInfo = deep_copy_1.deepCopy(request.providerToLink);
+            delete request.providerToLink;
+            request.linkProviderUserInfo.rawId = request.linkProviderUserInfo.uid;
+            delete request.linkProviderUserInfo.uid;
+        }
+        if (typeof (request.providersToUnlink) !== 'undefined') {
+            if (!validator.isArray(request.deleteProvider)) {
+                request.deleteProvider = [];
+            }
+            request.deleteProvider = request.deleteProvider.concat(request.providersToUnlink);
+            delete request.providersToUnlink;
         }
         // Rewrite photoURL to photoUrl.
         if (typeof request.photoURL !== 'undefined') {
@@ -1805,10 +1851,6 @@ function emulatorHost() {
 /**
  * When true the SDK should communicate with the Auth Emulator for all API
  * calls and also produce unsigned tokens.
- *
- * This alone does <b>NOT<b> short-circuit ID Token verification.
- * For security reasons that must be explicitly disabled through
- * setJwtVerificationEnabled(false);
  */
 function useEmulator() {
     return !!emulatorHost();

package/lib/auth/auth-config.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.4.2 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
  * Copyright 2018 Google Inc.

package/lib/auth/auth.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.4.2 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
  * @license
@@ -31,6 +31,7 @@ var __extends = (this && this.__extends) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Auth = exports.TenantAwareAuth = exports.BaseAuth = void 0;
+var deep_copy_1 = require("../utils/deep-copy");
 var user_record_1 = require("./user-record");
 var identifier_1 = require("./identifier");
 var token_generator_1 = require("./token-generator");
@@ -41,23 +42,6 @@ var validator = require("../utils/validator");
 var token_verifier_1 = require("./token-verifier");
 var auth_config_1 = require("./auth-config");
 var tenant_manager_1 = require("./tenant-manager");
-/**
- * Internals of an Auth instance.
- */
-var AuthInternals = /** @class */ (function () {
-    function AuthInternals() {
-    }
-    /**
-     * Deletes the service and its associated resources.
-     *
-     * @return {Promise<()>} An empty Promise that will be fulfilled when the service is deleted.
-     */
-    AuthInternals.prototype.delete = function () {
-        // There are no resources to clean up
-        return Promise.resolve(undefined);
-    };
-    return AuthInternals;
-}());
 /**
  * Base Auth class. Mainly used for user management APIs.
  */
@@ -111,13 +95,14 @@ var BaseAuth = /** @class */ (function () {
     BaseAuth.prototype.verifyIdToken = function (idToken, checkRevoked) {
         var _this = this;
         if (checkRevoked === void 0) { checkRevoked = false; }
-        return this.idTokenVerifier.verifyJWT(idToken)
+        var isEmulator = auth_api_request_1.useEmulator();
+        return this.idTokenVerifier.verifyJWT(idToken, isEmulator)
             .then(function (decodedIdToken) {
             // Whether to check if the token was revoked.
-            if (!checkRevoked) {
-                return decodedIdToken;
+            if (checkRevoked || isEmulator) {
+                return _this.verifyDecodedJWTNotRevoked(decodedIdToken, error_1.AuthClientErrorCode.ID_TOKEN_REVOKED);
             }
-            return _this.verifyDecodedJWTNotRevoked(decodedIdToken, error_1.AuthClientErrorCode.ID_TOKEN_REVOKED);
+            return decodedIdToken;
         });
     };
     /**
@@ -162,6 +147,35 @@ var BaseAuth = /** @class */ (function () {
             return new user_record_1.UserRecord(response.users[0]);
         });
     };
+    /**
+     * Gets the user data for the user corresponding to a given provider id.
+     *
+     * See [Retrieve user data](/docs/auth/admin/manage-users#retrieve_user_data)
+     * for code samples and detailed documentation.
+     *
+     * @param providerId The provider ID, for example, "google.com" for the
+     *   Google provider.
+     * @param uid The user identifier for the given provider.
+     *
+     * @return A promise fulfilled with the user data corresponding to the
+     *   given provider id.
+     */
+    BaseAuth.prototype.getUserByProviderUid = function (providerId, uid) {
+        // Although we don't really advertise it, we want to also handle
+        // non-federated idps with this call. So if we detect one of them, we'll
+        // reroute this request appropriately.
+        if (providerId === 'phone') {
+            return this.getUserByPhoneNumber(uid);
+        }
+        else if (providerId === 'email') {
+            return this.getUserByEmail(uid);
+        }
+        return this.authRequestHandler.getAccountInfoByFederatedUid(providerId, uid)
+            .then(function (response) {
+            // Returns the user record populated with server response.
+            return new user_record_1.UserRecord(response.users[0]);
+        });
+    };
     /**
      * Gets the user data corresponding to the specified identifiers.
      *
@@ -326,6 +340,43 @@ var BaseAuth = /** @class */ (function () {
      */
     BaseAuth.prototype.updateUser = function (uid, properties) {
         var _this = this;
+        // Although we don't really advertise it, we want to also handle linking of
+        // non-federated idps with this call. So if we detect one of them, we'll
+        // adjust the properties parameter appropriately. This *does* imply that a
+        // conflict could arise, e.g. if the user provides a phoneNumber property,
+        // but also provides a providerToLink with a 'phone' provider id. In that
+        // case, we'll throw an error.
+        properties = deep_copy_1.deepCopy(properties);
+        if (properties === null || properties === void 0 ? void 0 : properties.providerToLink) {
+            if (properties.providerToLink.providerId === 'email') {
+                if (typeof properties.email !== 'undefined') {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "Both UpdateRequest.email and UpdateRequest.providerToLink.providerId='email' were set. To "
+                        + 'link to the email/password provider, only specify the UpdateRequest.email field.');
+                }
+                properties.email = properties.providerToLink.uid;
+                delete properties.providerToLink;
+            }
+            else if (properties.providerToLink.providerId === 'phone') {
+                if (typeof properties.phoneNumber !== 'undefined') {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "Both UpdateRequest.phoneNumber and UpdateRequest.providerToLink.providerId='phone' were set. To "
+                        + 'link to a phone provider, only specify the UpdateRequest.phoneNumber field.');
+                }
+                properties.phoneNumber = properties.providerToLink.uid;
+                delete properties.providerToLink;
+            }
+        }
+        if (properties === null || properties === void 0 ? void 0 : properties.providersToUnlink) {
+            if (properties.providersToUnlink.indexOf('phone') !== -1) {
+                // If we've been told to unlink the phone provider both via setting
+                // phoneNumber to null *and* by setting providersToUnlink to include
+                // 'phone', then we'll reject that. Though it might also be reasonable
+                // to relax this restriction and just unlink it.
+                if (properties.phoneNumber === null) {
+                    throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "Both UpdateRequest.phoneNumber=null and UpdateRequest.providersToUnlink=['phone'] were set. To "
+                        + 'unlink from a phone provider, only specify the UpdateRequest.phoneNumber=null field.');
+                }
+            }
+        }
         return this.authRequestHandler.updateExistingAccount(uid, properties)
             .then(function (existingUid) {
             // Return the corresponding user record.
@@ -412,13 +463,14 @@ var BaseAuth = /** @class */ (function () {
     BaseAuth.prototype.verifySessionCookie = function (sessionCookie, checkRevoked) {
         var _this = this;
         if (checkRevoked === void 0) { checkRevoked = false; }
-        return this.sessionCookieVerifier.verifyJWT(sessionCookie)
+        var isEmulator = auth_api_request_1.useEmulator();
+        return this.sessionCookieVerifier.verifyJWT(sessionCookie, isEmulator)
             .then(function (decodedIdToken) {
             // Whether to check if the token was revoked.
-            if (!checkRevoked) {
-                return decodedIdToken;
+            if (checkRevoked || isEmulator) {
+                return _this.verifyDecodedJWTNotRevoked(decodedIdToken, error_1.AuthClientErrorCode.SESSION_COOKIE_REVOKED);
             }
-            return _this.verifyDecodedJWTNotRevoked(decodedIdToken, error_1.AuthClientErrorCode.SESSION_COOKIE_REVOKED);
+            return decodedIdToken;
         });
     };
     /**
@@ -627,26 +679,6 @@ var BaseAuth = /** @class */ (function () {
             return decodedIdToken;
         });
     };
-    /**
-     * Enable or disable ID token verification. This is used to safely short-circuit token verification with the
-     * Auth emulator. When disabled ONLY unsigned tokens will pass verification, production tokens will not pass.
-     *
-     * WARNING: This is a dangerous method that will compromise your app's security and break your app in
-     * production. Developers should never call this method, it is for internal testing use only.
-     *
-     * @internal
-     */
-    // @ts-expect-error: this method appears unused but is used privately.
-    BaseAuth.prototype.setJwtVerificationEnabled = function (enabled) {
-        if (!enabled && !auth_api_request_1.useEmulator()) {
-            // We only allow verification to be disabled in conjunction with
-            // the emulator environment variable.
-            throw new Error('This method is only available when connected to the Authentication emulator.');
-        }
-        var algorithm = enabled ? token_verifier_1.ALGORITHM_RS256 : 'none';
-        this.idTokenVerifier.setAlgorithm(algorithm);
-        this.sessionCookieVerifier.setAlgorithm(algorithm);
-    };
     return BaseAuth;
 }());
 exports.BaseAuth = BaseAuth;
@@ -759,7 +791,6 @@ var Auth = /** @class */ (function (_super) {
      */
     function Auth(app) {
         var _this = _super.call(this, app, new auth_api_request_1.AuthRequestHandler(app)) || this;
-        _this.INTERNAL = new AuthInternals();
         _this.app_ = app;
         _this.tenantManager_ = new tenant_manager_1.TenantManager(app);
         return _this;

package/lib/auth/identifier.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.4.2 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
  * Copyright 2020 Google Inc.

package/lib/auth/index.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.4.2 */
+/*! firebase-admin v9.5.0 */
 /*!
  * Copyright 2020 Google Inc.
  *
@@ -130,6 +130,35 @@ export declare namespace auth {
          */
         phoneNumber: string;
     }
+    /**
+     * Represents a user identity provider that can be associated with a Firebase user.
+     */
+    interface UserProvider {
+        /**
+         * The user identifier for the linked provider.
+         */
+        uid?: string;
+        /**
+         * The display name for the linked provider.
+         */
+        displayName?: string;
+        /**
+         * The email for the linked provider.
+         */
+        email?: string;
+        /**
+         * The phone number for the linked provider.
+         */
+        phoneNumber?: string;
+        /**
+         * The photo URL for the linked provider.
+         */
+        photoURL?: string;
+        /**
+         * The linked provider ID (for example, "google.com" for the Google provider).
+         */
+        providerId?: string;
+    }
     /**
      * Interface representing a user.
      */
@@ -325,6 +354,24 @@ export declare namespace auth {
          * The user's updated multi-factor related properties.
          */
         multiFactor?: MultiFactorUpdateSettings;
+        /**
+         * Links this user to the specified provider.
+         *
+         * Linking a provider to an existing user account does not invalidate the
+         * refresh token of that account. In other words, the existing account
+         * would continue to be able to access resources, despite not having used
+         * the newly linked provider to log in. If you wish to force the user to
+         * authenticate with this new provider, you need to (a) revoke their
+         * refresh token (see
+         * https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens),
+         * and (b) ensure no other authentication methods are present on this
+         * account.
+         */
+        providerToLink?: UserProvider;
+        /**
+         * Unlinks this user from the specified providers.
+         */
+        providersToUnlink?: string[];
     }
     /**
      * Interface representing base properties of a user enrolled second factor for a
@@ -863,6 +910,10 @@ export declare namespace auth {
              */
             passwordRequired?: boolean;
         };
+        /**
+         * Whether the anonymous provider is enabled.
+         */
+        anonymousSignInEnabled: boolean;
         /**
          * The multi-factor auth configuration on the current tenant.
          */
@@ -928,6 +979,10 @@ export declare namespace auth {
          * The email sign in configuration.
          */
         emailSignInConfig?: EmailSignInProviderConfig;
+        /**
+         * Whether the anonymous provider is enabled.
+         */
+        anonymousSignInEnabled?: boolean;
         /**
          * The multi-factor auth configuration to update on the tenant.
          */
@@ -1302,6 +1357,20 @@ export declare namespace auth {
          *   data corresponding to the provided phone number.
          */
         getUserByPhoneNumber(phoneNumber: string): Promise<UserRecord>;
+        /**
+         * Gets the user data for the user corresponding to a given provider ID.
+         *
+         * See [Retrieve user data](/docs/auth/admin/manage-users#retrieve_user_data)
+         * for code samples and detailed documentation.
+         *
+         * @param providerId The provider ID, for example, "google.com" for the
+         *   Google provider.
+         * @param uid The user identifier for the given provider.
+         *
+         * @return A promise fulfilled with the user data corresponding to the
+         *   given provider id.
+         */
+        getUserByProviderUid(providerId: string, uid: string): Promise<UserRecord>;
         /**
          * Gets the user data corresponding to the specified identifiers.
          *

package/lib/auth/index.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.4.2 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
  * Copyright 2020 Google Inc.

package/lib/auth/tenant-manager.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.4.2 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
  * Copyright 2019 Google Inc.

package/lib/auth/tenant.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.4.2 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
  * Copyright 2019 Google Inc.
@@ -47,6 +47,7 @@ var Tenant = /** @class */ (function () {
                 allowPasswordSignup: false,
             });
         }
+        this.anonymousSignInEnabled = !!response.enableAnonymousUser;
         if (typeof response.mfaConfig !== 'undefined') {
             this.multiFactorConfig = new auth_config_1.MultiFactorAuthConfig(response.mfaConfig);
         }
@@ -71,6 +72,9 @@ var Tenant = /** @class */ (function () {
         if (typeof tenantOptions.displayName !== 'undefined') {
             request.displayName = tenantOptions.displayName;
         }
+        if (typeof tenantOptions.anonymousSignInEnabled !== 'undefined') {
+            request.enableAnonymousUser = tenantOptions.anonymousSignInEnabled;
+        }
         if (typeof tenantOptions.multiFactorConfig !== 'undefined') {
             request.mfaConfig = auth_config_1.MultiFactorAuthConfig.buildServerRequest(tenantOptions.multiFactorConfig);
         }
@@ -104,6 +108,7 @@ var Tenant = /** @class */ (function () {
         var validKeys = {
             displayName: true,
             emailSignInConfig: true,
+            anonymousSignInEnabled: true,
             multiFactorConfig: true,
             testPhoneNumbers: true,
         };
@@ -149,6 +154,7 @@ var Tenant = /** @class */ (function () {
             tenantId: this.tenantId,
             displayName: this.displayName,
             emailSignInConfig: (_a = this.emailSignInConfig) === null || _a === void 0 ? void 0 : _a.toJSON(),
+            anonymousSignInEnabled: this.anonymousSignInEnabled,
             multiFactorConfig: (_b = this.multiFactorConfig) === null || _b === void 0 ? void 0 : _b.toJSON(),
             testPhoneNumbers: this.testPhoneNumbers,
         };

package/lib/auth/token-generator.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.4.2 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
  * @license

package/lib/auth/token-verifier.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.4.2 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
  * Copyright 2018 Google Inc.
@@ -90,27 +90,22 @@ var FirebaseTokenVerifier = /** @class */ (function () {
      * Verifies the format and signature of a Firebase Auth JWT token.
      *
      * @param {string} jwtToken The Firebase Auth JWT token to verify.
+     * @param {boolean=} isEmulator Whether to accept Auth Emulator tokens.
      * @return {Promise<DecodedIdToken>} A promise fulfilled with the decoded claims of the Firebase Auth ID
      *                           token.
      */
-    FirebaseTokenVerifier.prototype.verifyJWT = function (jwtToken) {
+    FirebaseTokenVerifier.prototype.verifyJWT = function (jwtToken, isEmulator) {
         var _this = this;
+        if (isEmulator === void 0) { isEmulator = false; }
         if (!validator.isString(jwtToken)) {
             throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "First argument to " + this.tokenInfo.verifyApiName + " must be a " + this.tokenInfo.jwtName + " string.");
         }
         return util.findProjectId(this.app)
             .then(function (projectId) {
-            return _this.verifyJWTWithProjectId(jwtToken, projectId);
+            return _this.verifyJWTWithProjectId(jwtToken, projectId, isEmulator);
         });
     };
-    /**
-     * Override the JWT signing algorithm.
-     * @param algorithm the new signing algorithm.
-     */
-    FirebaseTokenVerifier.prototype.setAlgorithm = function (algorithm) {
-        this.algorithm = algorithm;
-    };
-    FirebaseTokenVerifier.prototype.verifyJWTWithProjectId = function (jwtToken, projectId) {
+    FirebaseTokenVerifier.prototype.verifyJWTWithProjectId = function (jwtToken, projectId, isEmulator) {
         var _this = this;
         if (!validator.isNonEmptyString(projectId)) {
             throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CREDENTIAL, 'Must initialize app with a cert credential or set your Firebase project ID as the ' +
@@ -130,7 +125,7 @@ var FirebaseTokenVerifier = /** @class */ (function () {
             errorMessage = "Decoding " + this.tokenInfo.jwtName + " failed. Make sure you passed the entire string JWT " +
                 ("which represents " + this.shortNameArticle + " " + this.tokenInfo.shortName + ".") + verifyJwtTokenDocsMessage;
         }
-        else if (typeof header.kid === 'undefined' && this.algorithm !== 'none') {
+        else if (!isEmulator && typeof header.kid === 'undefined') {
             var isCustomToken = (payload.aud === FIREBASE_AUDIENCE);
             var isLegacyCustomToken = (header.alg === 'HS256' && payload.v === 0 && 'd' in payload && 'uid' in payload.d);
             if (isCustomToken) {
@@ -146,7 +141,7 @@ var FirebaseTokenVerifier = /** @class */ (function () {
             }
             errorMessage += verifyJwtTokenDocsMessage;
         }
-        else if (header.alg !== this.algorithm) {
+        else if (!isEmulator && header.alg !== this.algorithm) {
             errorMessage = this.tokenInfo.jwtName + " has incorrect algorithm. Expected \"" + this.algorithm + '" but got ' +
                 '"' + header.alg + '".' + verifyJwtTokenDocsMessage;
         }
@@ -157,7 +152,7 @@ var FirebaseTokenVerifier = /** @class */ (function () {
         }
         else if (payload.iss !== this.issuer + projectId) {
             errorMessage = this.tokenInfo.jwtName + " has incorrect \"iss\" (issuer) claim. Expected " +
-                ("\"" + this.issuer + "\"") + projectId + '" but got "' +
+                ("\"" + this.issuer) + projectId + '" but got "' +
                 payload.iss + '".' + projectIdMatchMessage + verifyJwtTokenDocsMessage;
         }
         else if (typeof payload.sub !== 'string') {
@@ -173,9 +168,8 @@ var FirebaseTokenVerifier = /** @class */ (function () {
         if (errorMessage) {
             return Promise.reject(new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, errorMessage));
         }
-        // When the algorithm is set to 'none' there will be no signature and therefore we don't check
-        // the public keys.
-        if (this.algorithm === 'none') {
+        if (isEmulator) {
+            // Signature checks skipped for emulator; no need to fetch public keys.
             return this.verifyJwtSignatureWithKey(jwtToken, null);
         }
         return this.fetchPublicKeys().then(function (publicKeys) {
@@ -201,9 +195,11 @@ var FirebaseTokenVerifier = /** @class */ (function () {
         var verifyJwtTokenDocsMessage = " See " + this.tokenInfo.url + " " +
             ("for details on how to retrieve " + this.shortNameArticle + " " + this.tokenInfo.shortName + ".");
         return new Promise(function (resolve, reject) {
-            jwt.verify(jwtToken, publicKey || '', {
-                algorithms: [_this.algorithm],
-            }, function (error, decodedToken) {
+            var verifyOptions = {};
+            if (publicKey !== null) {
+                verifyOptions.algorithms = [_this.algorithm];
+            }
+            jwt.verify(jwtToken, publicKey || '', verifyOptions, function (error, decodedToken) {
                 if (error) {
                     if (error.name === 'TokenExpiredError') {
                         var errorMessage = _this.tokenInfo.jwtName + " has expired. Get a fresh " + _this.tokenInfo.shortName +

package/lib/auth/user-import-builder.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.4.2 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
  * Copyright 2018 Google Inc.

package/lib/auth/user-record.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.4.2 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
  * @license

package/lib/credential/credential-internal.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.4.2 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
  * Copyright 2020 Google Inc.

package/lib/credential/credential.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.4.2 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
  * @license

package/lib/credential/index.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.4.2 */
+/*! firebase-admin v9.5.0 */
 /*!
  * Copyright 2020 Google Inc.
  *

package/lib/credential/index.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.4.2 */
+/*! firebase-admin v9.5.0 */
 "use strict";
 /*!
  * Copyright 2020 Google Inc.