firebase-functions 3.19.0 → 3.21.0

package/lib/common/providers/identity.js

@@ -21,8 +21,34 @@
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 // SOFTWARE.
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.userRecordConstructor = exports.UserRecordMetadata = void 0;
-const _ = require("lodash");
+exports.wrapHandler = exports.getUpdateMask = exports.validateAuthResponse = exports.parseAuthEventContext = exports.parseAuthUserRecord = exports.parseMultiFactor = exports.parseDate = exports.parseProviderData = exports.parseMetadata = exports.isValidRequest = exports.userRecordConstructor = exports.UserRecordMetadata = exports.HttpsError = void 0;
+const __1 = require("../..");
+const apps_1 = require("../../apps");
+const debug_1 = require("../debug");
+const https_1 = require("./https");
+Object.defineProperty(exports, "HttpsError", { enumerable: true, get: function () { return https_1.HttpsError; } });
+const DISALLOWED_CUSTOM_CLAIMS = [
+    'acr',
+    'amr',
+    'at_hash',
+    'aud',
+    'auth_time',
+    'azp',
+    'cnf',
+    'c_hash',
+    'exp',
+    'iat',
+    'iss',
+    'jti',
+    'nbf',
+    'nonce',
+    'firebase',
+];
+const CLAIMS_MAX_PAYLOAD_SIZE = 1000;
+const EVENT_MAPPING = {
+    beforeCreate: 'providers/cloud.auth/eventTypes/user.beforeCreate',
+    beforeSignIn: 'providers/cloud.auth/eventTypes/user.beforeSignIn',
+};
 /**
  * Helper class to create the user metadata in a UserRecord object
  */
@@ -60,37 +86,385 @@ function userRecordConstructor(wireData) {
         passwordHash: null,
         tokensValidAfterTime: null,
     };
-    const record = _.assign({}, falseyValues, wireData);
-    const meta = _.get(record, 'metadata');
+    const record = { ...falseyValues, ...wireData };
+    const meta = record.metadata;
     if (meta) {
-        _.set(record, 'metadata', new UserRecordMetadata(meta.createdAt || meta.creationTime, meta.lastSignedInAt || meta.lastSignInTime));
+        record.metadata = new UserRecordMetadata(meta.createdAt || meta.creationTime, meta.lastSignedInAt || meta.lastSignInTime);
     }
     else {
-        _.set(record, 'metadata', new UserRecordMetadata(null, null));
+        record.metadata = new UserRecordMetadata(null, null);
     }
-    _.forEach(record.providerData, (entry) => {
-        _.set(entry, 'toJSON', () => {
-            return entry;
-        });
-    });
-    _.set(record, 'toJSON', () => {
-        const json = _.pick(record, [
-            'uid',
-            'email',
-            'emailVerified',
-            'displayName',
-            'photoURL',
-            'phoneNumber',
-            'disabled',
-            'passwordHash',
-            'passwordSalt',
-            'tokensValidAfterTime',
-        ]);
-        json.metadata = _.get(record, 'metadata').toJSON();
-        json.customClaims = _.cloneDeep(record.customClaims);
-        json.providerData = _.map(record.providerData, (entry) => entry.toJSON());
+    record.toJSON = () => {
+        const { uid, email, emailVerified, displayName, photoURL, phoneNumber, disabled, passwordHash, passwordSalt, tokensValidAfterTime, } = record;
+        const json = {
+            uid,
+            email,
+            emailVerified,
+            displayName,
+            photoURL,
+            phoneNumber,
+            disabled,
+            passwordHash,
+            passwordSalt,
+            tokensValidAfterTime,
+        };
+        json.metadata = record.metadata.toJSON();
+        json.customClaims = JSON.parse(JSON.stringify(record.customClaims));
+        json.providerData = record.providerData.map((entry) => entry.toJSON());
         return json;
-    });
+    };
     return record;
 }
 exports.userRecordConstructor = userRecordConstructor;
+/**
+ * Checks for a valid identity platform web request, otherwise throws an HttpsError
+ * @internal
+ */
+function isValidRequest(req) {
+    var _a, _b;
+    if (req.method !== 'POST') {
+        __1.logger.warn(`Request has invalid method "${req.method}".`);
+        return false;
+    }
+    const contentType = (req.header('Content-Type') || '').toLowerCase();
+    if (!contentType.includes('application/json')) {
+        __1.logger.warn('Request has invalid header Content-Type.');
+        return false;
+    }
+    if (!((_b = (_a = req.body) === null || _a === void 0 ? void 0 : _a.data) === null || _b === void 0 ? void 0 : _b.jwt)) {
+        __1.logger.warn('Request has an invalid body.');
+        return false;
+    }
+    return true;
+}
+exports.isValidRequest = isValidRequest;
+/**
+ * Decode, but not verify, an Auth Blocking token.
+ *
+ * Do not use in production. Token should always be verified using the Admin SDK.
+ *
+ * This is exposed only for testing.
+ */
+function unsafeDecodeAuthBlockingToken(token) {
+    const decoded = (0, https_1.unsafeDecodeToken)(token);
+    decoded.uid = decoded.sub;
+    return decoded;
+}
+/**
+ * Helper function to parse the decoded metadata object into a UserMetaData object
+ * @internal
+ */
+function parseMetadata(metadata) {
+    const creationTime = (metadata === null || metadata === void 0 ? void 0 : metadata.creation_time)
+        ? new Date(metadata.creation_time * 1000).toUTCString()
+        : null;
+    const lastSignInTime = (metadata === null || metadata === void 0 ? void 0 : metadata.last_sign_in_time)
+        ? new Date(metadata.last_sign_in_time * 1000).toUTCString()
+        : null;
+    return {
+        creationTime,
+        lastSignInTime,
+    };
+}
+exports.parseMetadata = parseMetadata;
+/**
+ * Helper function to parse the decoded user info array into an AuthUserInfo array
+ * @internal
+ */
+function parseProviderData(providerData) {
+    const providers = [];
+    for (const provider of providerData) {
+        providers.push({
+            uid: provider.uid,
+            displayName: provider.display_name,
+            email: provider.email,
+            photoURL: provider.photo_url,
+            providerId: provider.provider_id,
+            phoneNumber: provider.phone_number,
+        });
+    }
+    return providers;
+}
+exports.parseProviderData = parseProviderData;
+/**
+ * Helper function to parse the date into a UTC string
+ * @internal
+ */
+function parseDate(tokensValidAfterTime) {
+    if (!tokensValidAfterTime) {
+        return null;
+    }
+    tokensValidAfterTime = tokensValidAfterTime * 1000;
+    try {
+        const date = new Date(tokensValidAfterTime);
+        if (!isNaN(date.getTime())) {
+            return date.toUTCString();
+        }
+    }
+    catch (_a) { }
+    return null;
+}
+exports.parseDate = parseDate;
+/**
+ * Helper function to parse the decoded enrolled factors into a valid MultiFactorSettings
+ * @internal
+ */
+function parseMultiFactor(multiFactor) {
+    if (!multiFactor) {
+        return null;
+    }
+    const parsedEnrolledFactors = [];
+    for (const factor of multiFactor.enrolled_factors || []) {
+        if (!factor.uid) {
+            throw new https_1.HttpsError('internal', 'INTERNAL ASSERT FAILED: Invalid multi-factor info response');
+        }
+        const enrollmentTime = factor.enrollment_time
+            ? new Date(factor.enrollment_time).toUTCString()
+            : null;
+        parsedEnrolledFactors.push({
+            uid: factor.uid,
+            factorId: factor.phone_number
+                ? factor.factor_id || 'phone'
+                : factor.factor_id,
+            displayName: factor.display_name,
+            enrollmentTime,
+            phoneNumber: factor.phone_number,
+        });
+    }
+    if (parsedEnrolledFactors.length > 0) {
+        return {
+            enrolledFactors: parsedEnrolledFactors,
+        };
+    }
+    return null;
+}
+exports.parseMultiFactor = parseMultiFactor;
+/**
+ * Parses the decoded user record into a valid UserRecord for use in the handler
+ * @internal
+ */
+function parseAuthUserRecord(decodedJWTUserRecord) {
+    if (!decodedJWTUserRecord.uid) {
+        throw new https_1.HttpsError('internal', 'INTERNAL ASSERT FAILED: Invalid user response');
+    }
+    const disabled = decodedJWTUserRecord.disabled || false;
+    const metadata = parseMetadata(decodedJWTUserRecord.metadata);
+    const providerData = parseProviderData(decodedJWTUserRecord.provider_data);
+    const tokensValidAfterTime = parseDate(decodedJWTUserRecord.tokens_valid_after_time);
+    const multiFactor = parseMultiFactor(decodedJWTUserRecord.multi_factor);
+    return {
+        uid: decodedJWTUserRecord.uid,
+        email: decodedJWTUserRecord.email,
+        emailVerified: decodedJWTUserRecord.email_verified,
+        displayName: decodedJWTUserRecord.display_name,
+        photoURL: decodedJWTUserRecord.photo_url,
+        phoneNumber: decodedJWTUserRecord.phone_number,
+        disabled,
+        metadata,
+        providerData,
+        passwordHash: decodedJWTUserRecord.password_hash,
+        passwordSalt: decodedJWTUserRecord.password_salt,
+        customClaims: decodedJWTUserRecord.custom_claims,
+        tenantId: decodedJWTUserRecord.tenant_id,
+        tokensValidAfterTime,
+        multiFactor,
+    };
+}
+exports.parseAuthUserRecord = parseAuthUserRecord;
+/** Helper to get the AdditionalUserInfo from the decoded jwt */
+function parseAdditionalUserInfo(decodedJWT) {
+    let profile, username;
+    if (decodedJWT.raw_user_info) {
+        try {
+            profile = JSON.parse(decodedJWT.raw_user_info);
+        }
+        catch (err) {
+            __1.logger.debug(`Parse Error: ${err.message}`);
+        }
+    }
+    if (profile) {
+        if (decodedJWT.sign_in_method === 'github.com') {
+            username = profile.login;
+        }
+        if (decodedJWT.sign_in_method === 'twitter.com') {
+            username = profile.screen_name;
+        }
+    }
+    return {
+        providerId: decodedJWT.sign_in_method === 'emailLink'
+            ? 'password'
+            : decodedJWT.sign_in_method,
+        profile,
+        username,
+        isNewUser: decodedJWT.event_type === 'beforeCreate' ? true : false,
+    };
+}
+/** Helper to get the Credential from the decoded jwt */
+function parseAuthCredential(decodedJWT, time) {
+    if (!decodedJWT.sign_in_attributes &&
+        !decodedJWT.oauth_id_token &&
+        !decodedJWT.oauth_access_token &&
+        !decodedJWT.oauth_refresh_token) {
+        return null;
+    }
+    return {
+        claims: decodedJWT.sign_in_attributes,
+        idToken: decodedJWT.oauth_id_token,
+        accessToken: decodedJWT.oauth_access_token,
+        refreshToken: decodedJWT.oauth_refresh_token,
+        expirationTime: decodedJWT.oauth_expires_in
+            ? new Date(time + decodedJWT.oauth_expires_in * 1000).toUTCString()
+            : undefined,
+        secret: decodedJWT.oauth_token_secret,
+        providerId: decodedJWT.sign_in_method === 'emailLink'
+            ? 'password'
+            : decodedJWT.sign_in_method,
+        signInMethod: decodedJWT.sign_in_method,
+    };
+}
+/**
+ * Parses the decoded jwt into a valid AuthEventContext for use in the handler
+ * @internal
+ */
+function parseAuthEventContext(decodedJWT, projectId, time = new Date().getTime()) {
+    const eventType = (EVENT_MAPPING[decodedJWT.event_type] || decodedJWT.event_type) +
+        (decodedJWT.sign_in_method ? `:${decodedJWT.sign_in_method}` : '');
+    return {
+        locale: decodedJWT.locale,
+        ipAddress: decodedJWT.ip_address,
+        userAgent: decodedJWT.user_agent,
+        eventId: decodedJWT.event_id,
+        eventType,
+        authType: !!decodedJWT.user_record ? 'USER' : 'UNAUTHENTICATED',
+        resource: {
+            // TODO(colerogers): figure out the correct service
+            service: 'identitytoolkit.googleapis.com',
+            name: !!decodedJWT.tenant_id
+                ? `projects/${projectId}/tenants/${decodedJWT.tenant_id}`
+                : `projects/${projectId}`,
+        },
+        timestamp: new Date(decodedJWT.iat * 1000).toUTCString(),
+        additionalUserInfo: parseAdditionalUserInfo(decodedJWT),
+        credential: parseAuthCredential(decodedJWT, time),
+        params: {},
+    };
+}
+exports.parseAuthEventContext = parseAuthEventContext;
+/**
+ * Checks the handler response for invalid customClaims & sessionClaims objects
+ * @internal
+ */
+function validateAuthResponse(eventType, authRequest) {
+    if (!authRequest) {
+        authRequest = {};
+    }
+    if (authRequest.customClaims) {
+        const invalidClaims = DISALLOWED_CUSTOM_CLAIMS.filter((claim) => authRequest.customClaims.hasOwnProperty(claim));
+        if (invalidClaims.length > 0) {
+            throw new https_1.HttpsError('invalid-argument', `The customClaims claims "${invalidClaims.join(',')}" are reserved and cannot be specified.`);
+        }
+        if (JSON.stringify(authRequest.customClaims).length > CLAIMS_MAX_PAYLOAD_SIZE) {
+            throw new https_1.HttpsError('invalid-argument', `The customClaims payload should not exceed ${CLAIMS_MAX_PAYLOAD_SIZE} characters.`);
+        }
+    }
+    if (eventType === 'beforeSignIn' &&
+        authRequest.sessionClaims) {
+        const invalidClaims = DISALLOWED_CUSTOM_CLAIMS.filter((claim) => authRequest.sessionClaims.hasOwnProperty(claim));
+        if (invalidClaims.length > 0) {
+            throw new https_1.HttpsError('invalid-argument', `The sessionClaims claims "${invalidClaims.join(',')}" are reserved and cannot be specified.`);
+        }
+        if (JSON.stringify(authRequest.sessionClaims)
+            .length > CLAIMS_MAX_PAYLOAD_SIZE) {
+            throw new https_1.HttpsError('invalid-argument', `The sessionClaims payload should not exceed ${CLAIMS_MAX_PAYLOAD_SIZE} characters.`);
+        }
+        const combinedClaims = {
+            ...authRequest.customClaims,
+            ...authRequest.sessionClaims,
+        };
+        if (JSON.stringify(combinedClaims).length > CLAIMS_MAX_PAYLOAD_SIZE) {
+            throw new https_1.HttpsError('invalid-argument', `The customClaims and sessionClaims payloads should not exceed ${CLAIMS_MAX_PAYLOAD_SIZE} characters combined.`);
+        }
+    }
+}
+exports.validateAuthResponse = validateAuthResponse;
+/**
+ * Helper function to generate the update mask for the identity platform changed values
+ * @internal
+ */
+function getUpdateMask(authResponse) {
+    if (!authResponse) {
+        return '';
+    }
+    const updateMask = [];
+    for (const key in authResponse) {
+        if (key === 'customClaims' || key === 'sessionClaims') {
+            continue;
+        }
+        if (authResponse.hasOwnProperty(key) &&
+            typeof authResponse[key] !== 'undefined') {
+            updateMask.push(key);
+        }
+    }
+    return updateMask.join(',');
+}
+exports.getUpdateMask = getUpdateMask;
+/** @internal */
+function wrapHandler(eventType, handler) {
+    return async (req, res) => {
+        try {
+            const projectId = process.env.GCLOUD_PROJECT;
+            if (!isValidRequest(req)) {
+                __1.logger.error('Invalid request, unable to process');
+                throw new https_1.HttpsError('invalid-argument', 'Bad Request');
+            }
+            if (!(0, apps_1.apps)().admin.auth()._verifyAuthBlockingToken) {
+                throw new Error('Cannot validate Auth Blocking token. Please update Firebase Admin SDK to >= v10.1.0');
+            }
+            const decodedPayload = (0, debug_1.isDebugFeatureEnabled)('skipTokenVerification')
+                ? unsafeDecodeAuthBlockingToken(req.body.data.jwt)
+                : await (0, apps_1.apps)()
+                    .admin.auth()
+                    ._verifyAuthBlockingToken(req.body.data.jwt);
+            const authUserRecord = parseAuthUserRecord(decodedPayload.user_record);
+            const authEventContext = parseAuthEventContext(decodedPayload, projectId);
+            let authResponse;
+            if (handler.length === 2) {
+                authResponse =
+                    (await handler(authUserRecord, authEventContext)) ||
+                        undefined;
+            }
+            else {
+                authResponse =
+                    (await handler({
+                        ...authEventContext,
+                        data: authUserRecord,
+                    })) || undefined;
+            }
+            validateAuthResponse(eventType, authResponse);
+            const updateMask = getUpdateMask(authResponse);
+            const result = updateMask.length === 0
+                ? {}
+                : {
+                    userRecord: {
+                        ...authResponse,
+                        updateMask,
+                    },
+                };
+            res.status(200);
+            res.setHeader('Content-Type', 'application/json');
+            res.send(JSON.stringify(result));
+        }
+        catch (err) {
+            if (!(err instanceof https_1.HttpsError)) {
+                // This doesn't count as an 'explicit' error.
+                __1.logger.error('Unhandled error', err);
+                err = new https_1.HttpsError('internal', 'An unexpected error occurred.');
+            }
+            const { status } = err.httpErrorCode;
+            const body = { error: err.toJSON() };
+            res.setHeader('Content-Type', 'application/json');
+            res.status(status).send(body);
+        }
+    };
+}
+exports.wrapHandler = wrapHandler;

package/lib/common/providers/tasks.d.ts

@@ -0,0 +1,58 @@
+import * as firebase from 'firebase-admin';
+/** How a task should be retried in the event of a non-2xx return. */
+export interface RetryConfig {
+    /**
+     * Maximum number of times a request should be attempted.
+     * If left unspecified, will default to 3.
+     */
+    maxAttempts?: number;
+    /**
+     * Maximum amount of time for retrying failed task.
+     * If left unspecified will retry indefinitely.
+     */
+    maxRetrySeconds?: number;
+    /**
+     * The maximum amount of time to wait between attempts.
+     * If left unspecified will default to 1hr.
+     */
+    maxBackoffSeconds?: number;
+    /**
+     * The maximum number of times to double the backoff between
+     * retries. If left unspecified will default to 16.
+     */
+    maxDoublings?: number;
+    /**
+     * The minimum time to wait between attempts. If left unspecified
+     * will default to 100ms.
+     */
+    minBackoffSeconds?: number;
+}
+/** How congestion control should be applied to the function. */
+export interface RateLimits {
+    maxConcurrentDispatches?: number;
+    maxDispatchesPerSecond?: number;
+}
+export interface AuthData {
+    uid: string;
+    token: firebase.auth.DecodedIdToken;
+}
+/** Metadata about a call to a Task Queue function. */
+export interface TaskContext {
+    /**
+     * The result of decoding and verifying an ODIC token.
+     */
+    auth?: AuthData;
+}
+/**
+ * The request used to call a Task Queue function.
+ */
+export interface Request<T = any> {
+    /**
+     * The parameters used by a client when calling this function.
+     */
+    data: T;
+    /**
+     * The result of decoding and verifying an ODIC token.
+     */
+    auth?: AuthData;
+}

package/lib/common/providers/tasks.js

@@ -0,0 +1,77 @@
+"use strict";
+// The MIT License (MIT)
+//
+// Copyright (c) 2022 Firebase
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.onDispatchHandler = void 0;
+const logger = require("../../logger");
+const https = require("./https");
+/** @internal */
+function onDispatchHandler(handler) {
+    return async (req, res) => {
+        var _a;
+        try {
+            if (!https.isValidRequest(req)) {
+                logger.error('Invalid request, unable to process.');
+                throw new https.HttpsError('invalid-argument', 'Bad Request');
+            }
+            const authHeader = req.header('Authorization') || '';
+            const token = (_a = authHeader.match(/^Bearer (.*)$/)) === null || _a === void 0 ? void 0 : _a[1];
+            // Note: this should never happen since task queue functions are guarded by IAM.
+            if (!token) {
+                throw new https.HttpsError('unauthenticated', 'Unauthenticated');
+            }
+            // We skip authenticating the token since tq functions are guarded by IAM.
+            const authToken = await https.unsafeDecodeIdToken(token);
+            const context = {
+                auth: {
+                    uid: authToken.uid,
+                    token: authToken,
+                },
+            };
+            const data = https.decode(req.body.data);
+            if (handler.length === 2) {
+                await handler(data, context);
+            }
+            else {
+                const arg = {
+                    ...context,
+                    data,
+                };
+                // For some reason the type system isn't picking up that the handler
+                // is a one argument function.
+                await handler(arg);
+            }
+            res.status(204).end();
+        }
+        catch (err) {
+            if (!(err instanceof https.HttpsError)) {
+                // This doesn't count as an 'explicit' error.
+                logger.error('Unhandled error', err);
+                err = new https.HttpsError('internal', 'INTERNAL');
+            }
+            const { status } = err.httpErrorCode;
+            const body = { error: err.toJSON() };
+            res.status(status).send(body);
+        }
+    };
+}
+exports.onDispatchHandler = onDispatchHandler;

package/lib/function-builder.d.ts

@@ -9,6 +9,7 @@ import * as https from './providers/https';
 import * as pubsub from './providers/pubsub';
 import * as remoteConfig from './providers/remoteConfig';
 import * as storage from './providers/storage';
+import * as tasks from './providers/tasks';
 import * as testLab from './providers/testLab';
 /**
  * Configure the regions that the function is deployed to.
@@ -78,12 +79,14 @@ export declare class FunctionBuilder {
          * @param handler A method that takes a data and context and returns a value.
          */
         onCall: (handler: (data: any, context: https.CallableContext) => any | Promise<any>) => import("./cloud-functions").TriggerAnnotated & import("./cloud-functions").EndpointAnnotated & ((req: express.Request<import("express-serve-static-core").ParamsDictionary>, resp: express.Response<any>) => void | Promise<void>) & import("./cloud-functions").Runnable<any>;
+    };
+    get tasks(): {
         /**
          * Declares a task queue function for clients to call using a Firebase Admin SDK.
          * @param options Configurations for the task queue function.
          */
         /** @hidden */
-        taskQueue: (options?: https.TaskQueueOptions) => https.TaskQueueBuilder;
+        taskQueue: (options?: tasks.TaskQueueOptions) => tasks.TaskQueueBuilder;
     };
     get database(): {
         /**
@@ -175,7 +178,7 @@ export declare class FunctionBuilder {
         /**
          * Handle events related to Firebase authentication users.
          */
-        user: () => auth.UserBuilder;
+        user: (userOptions?: auth.UserOptions) => auth.UserBuilder;
     };
     get testLab(): {
         /**

package/lib/function-builder.js

@@ -32,6 +32,7 @@ const https = require("./providers/https");
 const pubsub = require("./providers/pubsub");
 const remoteConfig = require("./providers/remoteConfig");
 const storage = require("./providers/storage");
+const tasks = require("./providers/tasks");
 const testLab = require("./providers/testLab");
 /**
  * Assert that the runtime options passed in are valid.
@@ -238,13 +239,17 @@ class FunctionBuilder {
              * @param handler A method that takes a data and context and returns a value.
              */
             onCall: (handler) => https._onCallWithOptions(handler, this.options),
+        };
+    }
+    get tasks() {
+        return {
             /**
              * Declares a task queue function for clients to call using a Firebase Admin SDK.
              * @param options Configurations for the task queue function.
              */
             /** @hidden */
             taskQueue: (options) => {
-                return new https.TaskQueueBuilder(options, this.options);
+                return new tasks.TaskQueueBuilder(options, this.options);
             },
         };
     }
@@ -351,7 +356,7 @@ class FunctionBuilder {
             /**
              * Handle events related to Firebase authentication users.
              */
-            user: () => auth._userWithOptions(this.options),
+            user: (userOptions) => auth._userWithOptions(this.options, userOptions),
         };
     }
     get testLab() {

package/lib/handler-builder.d.ts

@@ -8,6 +8,7 @@ import * as https from './providers/https';
 import * as pubsub from './providers/pubsub';
 import * as remoteConfig from './providers/remoteConfig';
 import * as storage from './providers/storage';
+import * as tasks from './providers/tasks';
 import * as testLab from './providers/testLab';
 /**
  * The `HandlerBuilder` class facilitates the writing of functions by developers
@@ -40,9 +41,19 @@ export declare class HandlerBuilder {
     get https(): {
         onRequest: (handler: (req: express.Request, resp: express.Response) => void) => HttpsFunction;
         onCall: (handler: (data: any, context: https.CallableContext) => any | Promise<any>) => HttpsFunction;
-        /** @hidden */
+    };
+    /**
+     * Create a handler for tasks functions.
+     *
+     * @example
+     * ```javascript
+     * exports.myFunction = functions.handler.tasks.onDispatch((data, context) => { ... })
+     * ```
+     */
+    /** @hidden */
+    get tasks(): {
         readonly taskQueue: {
-            onEnqueue(handler: (data: any, context: https.TaskContext) => void | Promise<void>): https.TaskQueueFunction;
+            onDispatch: (handler: (data: any, context: tasks.TaskContext) => void | Promise<void>) => HttpsFunction;
         };
     };
     /**