firebase-functions 3.19.0 → 3.21.0

package/lib/cloud-functions.d.ts

@@ -180,6 +180,10 @@ export interface Resource {
 export interface TriggerAnnotated {
     __trigger: {
         availableMemoryMb?: number;
+        blockingTrigger?: {
+            eventType: string;
+            options?: Record<string, unknown>;
+        };
         eventTrigger?: {
             eventType: string;
             resource: string;
@@ -227,6 +231,10 @@ export interface Runnable<T> {
  * arguments.
  */
 export declare type HttpsFunction = TriggerAnnotated & EndpointAnnotated & ((req: Request, resp: Response) => void | Promise<void>);
+/**
+ * The Cloud Function type for Blocking triggers.
+ */
+export declare type BlockingFunction = HttpsFunction;
 /**
  * The Cloud Function type for all non-HTTPS triggers. This should be exported
  * from your JavaScript file to define a Cloud Function.

package/lib/cloud-functions.js

@@ -180,12 +180,9 @@ function makeCloudFunction({ after = () => { }, before = () => { }, contextOnlyH
             else {
                 endpoint.eventTrigger = {
                     eventType: legacyEventType || provider + '.' + eventType,
-                    eventFilters: [
-                        {
-                            attribute: 'resource',
-                            value: triggerResource(),
-                        },
-                    ],
+                    eventFilters: {
+                        resource: triggerResource(),
+                    },
                     retry: !!options.failurePolicy,
                 };
             }
@@ -289,7 +286,7 @@ function optionsToEndpoint(options) {
     (0, encoding_1.copyIfPresent)(endpoint, options, 'minInstances', 'maxInstances', 'ingressSettings', 'labels', 'timeoutSeconds');
     (0, encoding_1.convertIfPresent)(endpoint, options, 'region', 'regions');
     (0, encoding_1.convertIfPresent)(endpoint, options, 'serviceAccountEmail', 'serviceAccount', (sa) => sa);
-    (0, encoding_1.convertIfPresent)(endpoint, options, 'secretEnvironmentVariables', 'secrets', (secrets) => secrets.map((secret) => ({ secret, key: secret })));
+    (0, encoding_1.convertIfPresent)(endpoint, options, 'secretEnvironmentVariables', 'secrets', (secrets) => secrets.map((secret) => ({ key: secret })));
     if (options === null || options === void 0 ? void 0 : options.vpcConnector) {
         endpoint.vpc = { connector: options.vpcConnector };
         (0, encoding_1.convertIfPresent)(endpoint.vpc, options, 'egressSettings', 'vpcConnectorEgressSettings');

package/lib/common/providers/https.d.ts

@@ -1,6 +1,7 @@
 /// <reference types="node" />
 import * as express from 'express';
 import * as firebase from 'firebase-admin';
+import { TaskContext } from './tasks';
 /** @hidden */
 export interface Request extends express.Request {
     rawBody: Buffer;
@@ -107,55 +108,6 @@ export interface CallableRequest<T = any> {
      */
     rawRequest: Request;
 }
-/** How a task should be retried in the event of a non-2xx return. */
-export interface TaskRetryConfig {
-    /**
-     * Maximum number of times a request should be attempted.
-     * If left unspecified, will default to 3.
-     */
-    maxAttempts?: number;
-    /**
-     * The maximum amount of time to wait between attempts.
-     * If left unspecified will default to 1hr.
-     */
-    maxBackoffSeconds?: number;
-    /**
-     * The maximum number of times to double the backoff between
-     * retries. If left unspecified will default to 16.
-     */
-    maxDoublings?: number;
-    /**
-     * The minimum time to wait between attempts. If left unspecified
-     * will default to 100ms.
-     */
-    minBackoffSeconds?: number;
-}
-/** How congestion control should be applied to the function. */
-export interface TaskRateLimits {
-    maxBurstSize?: number;
-    maxConcurrentDispatches?: number;
-    maxDispatchesPerSecond?: number;
-}
-/** Metadata about a call to a Task Queue function. */
-export interface TaskContext {
-    /**
-     * The result of decoding and verifying an ODIC token.
-     */
-    auth?: AuthData;
-}
-/**
- * The request used to call a Task Queue function.
- */
-export interface TaskRequest<T = any> {
-    /**
-     * The parameters used by a client when calling this function.
-     */
-    data: T;
-    /**
-     * The result of decoding and verifying an ODIC token.
-     */
-    auth?: AuthData;
-}
 /**
  * The set of Firebase Functions status codes. The codes are the same at the
  * ones exposed by gRPC here:
@@ -232,6 +184,14 @@ export declare class HttpsError extends Error {
     constructor(code: FunctionsErrorCode, message: string, details?: unknown);
     toJSON(): HttpErrorWireFormat;
 }
+/** @hidden */
+interface HttpRequest extends Request {
+    body: {
+        data: any;
+    };
+}
+/** @hidden */
+export declare function isValidRequest(req: Request): req is HttpRequest;
 /**
  * Encodes arbitrary data in our special format for JSON.
  * This is exposed only for testing.
@@ -244,4 +204,15 @@ export declare function encode(data: any): any;
  */
 /** @hidden */
 export declare function decode(data: any): any;
+/**
+ * Be careful when changing token status values.
+ *
+ * Users are encouraged to setup log-based metric based on these values, and
+ * changing their values may cause their metrics to break.
+ *
+ */
+/** @hidden */
+declare type TokenStatus = 'MISSING' | 'VALID' | 'INVALID';
+/** @interanl */
+export declare function checkAuthToken(req: Request, ctx: CallableContext | TaskContext): Promise<TokenStatus>;
 export {};

package/lib/common/providers/https.js

@@ -21,13 +21,13 @@
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 // SOFTWARE.
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.onDispatchHandler = exports.onCallHandler = exports.unsafeDecodeAppCheckToken = exports.unsafeDecodeIdToken = exports.decode = exports.encode = exports.HttpsError = void 0;
+exports.onCallHandler = exports.checkAuthToken = exports.unsafeDecodeAppCheckToken = exports.unsafeDecodeIdToken = exports.unsafeDecodeToken = exports.decode = exports.encode = exports.isValidRequest = exports.HttpsError = void 0;
 const cors = require("cors");
 const logger = require("../../logger");
 // TODO(inlined): Decide whether we want to un-version apps or whether we want a
 // different strategy
 const apps_1 = require("../../apps");
-const debug_1 = require("../../common/debug");
+const debug_1 = require("../debug");
 const JWT_REGEX = /^[a-zA-Z0-9\-_=]+?\.[a-zA-Z0-9\-_=]+?\.([a-zA-Z0-9\-_=]+)?$/;
 /**
  * Standard error codes and HTTP statuses for different ways a request can fail,
@@ -100,7 +100,7 @@ function isValidRequest(req) {
     // If it has a charset, just ignore it for now.
     const semiColon = contentType.indexOf(';');
     if (semiColon >= 0) {
-        contentType = contentType.substr(0, semiColon).trim();
+        contentType = contentType.slice(0, semiColon).trim();
     }
     if (contentType !== 'application/json') {
         logger.warn('Request has incorrect Content-Type.', contentType);
@@ -120,6 +120,7 @@ function isValidRequest(req) {
     }
     return true;
 }
+exports.isValidRequest = isValidRequest;
 /** @hidden */
 const LONG_TYPE = 'type.googleapis.com/google.protobuf.Int64Value';
 /** @hidden */
@@ -208,6 +209,7 @@ function decode(data) {
     return data;
 }
 exports.decode = decode;
+/** @internal */
 function unsafeDecodeToken(token) {
     if (!JWT_REGEX.test(token)) {
         return {};
@@ -227,6 +229,7 @@ function unsafeDecodeToken(token) {
     }
     return payload;
 }
+exports.unsafeDecodeToken = unsafeDecodeToken;
 /**
  * Decode, but not verify, a Auth ID token.
  *
@@ -329,6 +332,7 @@ async function checkAuthToken(req, ctx) {
         }
     }
 }
+exports.checkAuthToken = checkAuthToken;
 /** @internal */
 async function checkAppCheckToken(req, ctx) {
     const appCheck = req.header('X-Firebase-AppCheck');
@@ -426,45 +430,3 @@ function wrapOnCallHandler(options, handler) {
         }
     };
 }
-/** @internal */
-function onDispatchHandler(handler) {
-    return async (req, res) => {
-        try {
-            if (!isValidRequest(req)) {
-                logger.error('Invalid request, unable to process.');
-                throw new HttpsError('invalid-argument', 'Bad Request');
-            }
-            const context = {};
-            const status = await checkAuthToken(req, context);
-            // Note: this should never happen since task queue functions are guarded by IAM.
-            if (status === 'INVALID') {
-                throw new HttpsError('unauthenticated', 'Unauthenticated');
-            }
-            const data = decode(req.body.data);
-            if (handler.length === 2) {
-                await handler(data, context);
-            }
-            else {
-                const arg = {
-                    ...context,
-                    data,
-                };
-                // For some reason the type system isn't picking up that the handler
-                // is a one argument function.
-                await handler(arg);
-            }
-            res.status(204).end();
-        }
-        catch (err) {
-            if (!(err instanceof HttpsError)) {
-                // This doesn't count as an 'explicit' error.
-                logger.error('Unhandled error', err);
-                err = new HttpsError('internal', 'INTERNAL');
-            }
-            const { status } = err.httpErrorCode;
-            const body = { error: err.toJSON() };
-            res.status(status).send(body);
-        }
-    };
-}
-exports.onDispatchHandler = onDispatchHandler;

package/lib/common/providers/identity.d.ts

@@ -1,4 +1,9 @@
 import * as firebase from 'firebase-admin';
+import { EventContext } from '../../cloud-functions';
+import { HttpsError } from './https';
+export { HttpsError };
+/** Shorthand auth blocking events from GCIP. */
+export declare type AuthBlockingEventType = 'beforeCreate' | 'beforeSignIn';
 /**
  * The UserRecord passed to Cloud Functions is the same UserRecord that is returned by the Firebase Admin
  * SDK.
@@ -16,10 +21,7 @@ export declare class UserRecordMetadata implements firebase.auth.UserMetadata {
     lastSignInTime: string;
     constructor(creationTime: string, lastSignInTime: string);
     /** Returns a plain JavaScript object with the properties of UserRecordMetadata. */
-    toJSON(): {
-        creationTime: string;
-        lastSignInTime: string;
-    };
+    toJSON(): AuthUserMetadata;
 }
 /**
  * Helper function that creates a UserRecord Class from data sent over the wire.
@@ -27,3 +29,190 @@ export declare class UserRecordMetadata implements firebase.auth.UserMetadata {
  * @returns an instance of UserRecord with correct toJSON functions
  */
 export declare function userRecordConstructor(wireData: Object): UserRecord;
+/**
+ * User info that is part of the AuthUserRecord
+ */
+export interface AuthUserInfo {
+    /**
+     * The user identifier for the linked provider.
+     */
+    uid: string;
+    /**
+     * The display name for the linked provider.
+     */
+    displayName: string;
+    /**
+     * The email for the linked provider.
+     */
+    email: string;
+    /**
+     * The photo URL for the linked provider.
+     */
+    photoURL: string;
+    /**
+     * The linked provider ID (for example, "google.com" for the Google provider).
+     */
+    providerId: string;
+    /**
+     * The phone number for the linked provider.
+     */
+    phoneNumber: string;
+}
+/**
+ * Additional metadata about the user.
+ */
+export interface AuthUserMetadata {
+    /**
+     * The date the user was created, formatted as a UTC string.
+     */
+    creationTime: string;
+    /**
+     * The date the user last signed in, formatted as a UTC string.
+     */
+    lastSignInTime: string;
+}
+/**
+ * Interface representing the common properties of a user-enrolled second factor.
+ */
+export interface AuthMultiFactorInfo {
+    /**
+     * The ID of the enrolled second factor. This ID is unique to the user.
+     */
+    uid: string;
+    /**
+     * The optional display name of the enrolled second factor.
+     */
+    displayName?: string;
+    /**
+     * The type identifier of the second factor. For SMS second factors, this is `phone`.
+     */
+    factorId: string;
+    /**
+     * The optional date the second factor was enrolled, formatted as a UTC string.
+     */
+    enrollmentTime?: string;
+    /**
+     * The phone number associated with a phone second factor.
+     */
+    phoneNumber?: string;
+}
+/**
+ * The multi-factor related properties for the current user, if available.
+ */
+export interface AuthMultiFactorSettings {
+    /**
+     * List of second factors enrolled with the current user.
+     */
+    enrolledFactors: AuthMultiFactorInfo[];
+}
+/**
+ * The UserRecord passed to auth blocking Cloud Functions from the identity platform.
+ */
+export interface AuthUserRecord {
+    /**
+     * The user's `uid`.
+     */
+    uid: string;
+    /**
+     * The user's primary email, if set.
+     */
+    email?: string;
+    /**
+     * Whether or not the user's primary email is verified.
+     */
+    emailVerified: boolean;
+    /**
+     * The user's display name.
+     */
+    displayName?: string;
+    /**
+     * The user's photo URL.
+     */
+    photoURL?: string;
+    /**
+     * The user's primary phone number, if set.
+     */
+    phoneNumber?: string;
+    /**
+     * Whether or not the user is disabled: `true` for disabled; `false` for
+     * enabled.
+     */
+    disabled: boolean;
+    /**
+     * Additional metadata about the user.
+     */
+    metadata: AuthUserMetadata;
+    /**
+     * An array of providers (for example, Google, Facebook) linked to the user.
+     */
+    providerData: AuthUserInfo[];
+    /**
+     * The user's hashed password (base64-encoded).
+     */
+    passwordHash?: string;
+    /**
+     * The user's password salt (base64-encoded).
+     */
+    passwordSalt?: string;
+    /**
+     * The user's custom claims object if available, typically used to define
+     * user roles and propagated to an authenticated user's ID token.
+     */
+    customClaims?: Record<string, any>;
+    /**
+     * The ID of the tenant the user belongs to, if available.
+     */
+    tenantId?: string | null;
+    /**
+     * The date the user's tokens are valid after, formatted as a UTC string.
+     */
+    tokensValidAfterTime?: string;
+    /**
+     * The multi-factor related properties for the current user, if available.
+     */
+    multiFactor?: AuthMultiFactorSettings;
+}
+/** The additional user info component of the auth event context */
+export interface AdditionalUserInfo {
+    providerId: string;
+    profile?: any;
+    username?: string;
+    isNewUser: boolean;
+}
+/** The credential component of the auth event context */
+export interface Credential {
+    claims?: {
+        [key: string]: any;
+    };
+    idToken?: string;
+    accessToken?: string;
+    refreshToken?: string;
+    expirationTime?: string;
+    secret?: string;
+    providerId: string;
+    signInMethod: string;
+}
+/** Defines the auth event context for blocking events */
+export interface AuthEventContext extends EventContext {
+    locale?: string;
+    ipAddress: string;
+    userAgent: string;
+    additionalUserInfo?: AdditionalUserInfo;
+    credential?: Credential;
+}
+/** Defines the auth event for v2 blocking events */
+export interface AuthBlockingEvent extends AuthEventContext {
+    data: AuthUserRecord;
+}
+/** The handler response type for beforeCreate blocking events */
+export interface BeforeCreateResponse {
+    displayName?: string;
+    disabled?: boolean;
+    emailVerified?: boolean;
+    photoURL?: string;
+    customClaims?: object;
+}
+/** The handler response type for beforeSignIn blocking events */
+export interface BeforeSignInResponse extends BeforeCreateResponse {
+    sessionClaims?: object;
+}