firebase-functions 3.20.1 → 3.21.0

package/lib/apps.js

@@ -103,7 +103,7 @@ exports.apps = apps;
             this._emulatedAdminApp = app;
         }
         get firebaseArgs() {
-            return _.assign({}, config_1.firebaseConfig(), {
+            return _.assign({}, (0, config_1.firebaseConfig)(), {
                 credential: firebase.credential.applicationDefault(),
             });
         }

package/lib/bin/firebase-functions.js

@@ -31,7 +31,7 @@ app.post('/__/quitquitquit', handleQuitquitquit);
 if (process.env.FUNCTIONS_CONTROL_API === 'true') {
     app.get('/__/functions.yaml', async (req, res) => {
         try {
-            const stack = await loader_1.loadStack(functionsDir);
+            const stack = await (0, loader_1.loadStack)(functionsDir);
             res.setHeader('content-type', 'text/yaml');
             res.send(JSON.stringify(stack));
         }

package/lib/cloud-functions.d.ts

@@ -180,6 +180,10 @@ export interface Resource {
 export interface TriggerAnnotated {
     __trigger: {
         availableMemoryMb?: number;
+        blockingTrigger?: {
+            eventType: string;
+            options?: Record<string, unknown>;
+        };
         eventTrigger?: {
             eventType: string;
             resource: string;
@@ -227,6 +231,10 @@ export interface Runnable<T> {
  * arguments.
  */
 export declare type HttpsFunction = TriggerAnnotated & EndpointAnnotated & ((req: Request, resp: Response) => void | Promise<void>);
+/**
+ * The Cloud Function type for Blocking triggers.
+ */
+export declare type BlockingFunction = HttpsFunction;
 /**
  * The Cloud Function type for all non-HTTPS triggers. This should be exported
  * from your JavaScript file to define a Cloud Function.

package/lib/cloud-functions.js

@@ -135,7 +135,7 @@ function makeCloudFunction({ after = () => { }, before = () => { }, contextOnlyH
             promise = handler(dataOrChange, context);
         }
         if (typeof promise === 'undefined') {
-            logger_1.warn('Function returned undefined, expected Promise or value');
+            (0, logger_1.warn)('Function returned undefined, expected Promise or value');
         }
         return Promise.resolve(promise)
             .then((result) => {
@@ -252,8 +252,8 @@ function _detectAuthType(event) {
 /** @hidden */
 function optionsToTrigger(options) {
     const trigger = {};
-    encoding_1.copyIfPresent(trigger, options, 'regions', 'schedule', 'minInstances', 'maxInstances', 'ingressSettings', 'vpcConnectorEgressSettings', 'vpcConnector', 'labels', 'secrets');
-    encoding_1.convertIfPresent(trigger, options, 'failurePolicy', 'failurePolicy', (policy) => {
+    (0, encoding_1.copyIfPresent)(trigger, options, 'regions', 'schedule', 'minInstances', 'maxInstances', 'ingressSettings', 'vpcConnectorEgressSettings', 'vpcConnector', 'labels', 'secrets');
+    (0, encoding_1.convertIfPresent)(trigger, options, 'failurePolicy', 'failurePolicy', (policy) => {
         if (policy === false) {
             return undefined;
         }
@@ -264,8 +264,8 @@ function optionsToTrigger(options) {
             return policy;
         }
     });
-    encoding_1.convertIfPresent(trigger, options, 'timeout', 'timeoutSeconds', encoding_1.durationFromSeconds);
-    encoding_1.convertIfPresent(trigger, options, 'availableMemoryMb', 'memory', (mem) => {
+    (0, encoding_1.convertIfPresent)(trigger, options, 'timeout', 'timeoutSeconds', encoding_1.durationFromSeconds);
+    (0, encoding_1.convertIfPresent)(trigger, options, 'availableMemoryMb', 'memory', (mem) => {
         const memoryLookup = {
             '128MB': 128,
             '256MB': 256,
@@ -277,21 +277,21 @@ function optionsToTrigger(options) {
         };
         return memoryLookup[mem];
     });
-    encoding_1.convertIfPresent(trigger, options, 'serviceAccountEmail', 'serviceAccount', encoding_1.serviceAccountFromShorthand);
+    (0, encoding_1.convertIfPresent)(trigger, options, 'serviceAccountEmail', 'serviceAccount', encoding_1.serviceAccountFromShorthand);
     return trigger;
 }
 exports.optionsToTrigger = optionsToTrigger;
 function optionsToEndpoint(options) {
     const endpoint = {};
-    encoding_1.copyIfPresent(endpoint, options, 'minInstances', 'maxInstances', 'ingressSettings', 'labels', 'timeoutSeconds');
-    encoding_1.convertIfPresent(endpoint, options, 'region', 'regions');
-    encoding_1.convertIfPresent(endpoint, options, 'serviceAccountEmail', 'serviceAccount', (sa) => sa);
-    encoding_1.convertIfPresent(endpoint, options, 'secretEnvironmentVariables', 'secrets', (secrets) => secrets.map((secret) => ({ secret, key: secret })));
+    (0, encoding_1.copyIfPresent)(endpoint, options, 'minInstances', 'maxInstances', 'ingressSettings', 'labels', 'timeoutSeconds');
+    (0, encoding_1.convertIfPresent)(endpoint, options, 'region', 'regions');
+    (0, encoding_1.convertIfPresent)(endpoint, options, 'serviceAccountEmail', 'serviceAccount', (sa) => sa);
+    (0, encoding_1.convertIfPresent)(endpoint, options, 'secretEnvironmentVariables', 'secrets', (secrets) => secrets.map((secret) => ({ key: secret })));
     if (options === null || options === void 0 ? void 0 : options.vpcConnector) {
         endpoint.vpc = { connector: options.vpcConnector };
-        encoding_1.convertIfPresent(endpoint.vpc, options, 'egressSettings', 'vpcConnectorEgressSettings');
+        (0, encoding_1.convertIfPresent)(endpoint.vpc, options, 'egressSettings', 'vpcConnectorEgressSettings');
     }
-    encoding_1.convertIfPresent(endpoint, options, 'availableMemoryMb', 'memory', (mem) => {
+    (0, encoding_1.convertIfPresent)(endpoint, options, 'availableMemoryMb', 'memory', (mem) => {
         const memoryLookup = {
             '128MB': 128,
             '256MB': 256,

package/lib/common/providers/https.js

@@ -21,7 +21,7 @@
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 // SOFTWARE.
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.onCallHandler = exports.checkAuthToken = exports.unsafeDecodeAppCheckToken = exports.unsafeDecodeIdToken = exports.decode = exports.encode = exports.isValidRequest = exports.HttpsError = void 0;
+exports.onCallHandler = exports.checkAuthToken = exports.unsafeDecodeAppCheckToken = exports.unsafeDecodeIdToken = exports.unsafeDecodeToken = exports.decode = exports.encode = exports.isValidRequest = exports.HttpsError = void 0;
 const cors = require("cors");
 const logger = require("../../logger");
 // TODO(inlined): Decide whether we want to un-version apps or whether we want a
@@ -209,6 +209,7 @@ function decode(data) {
     return data;
 }
 exports.decode = decode;
+/** @internal */
 function unsafeDecodeToken(token) {
     if (!JWT_REGEX.test(token)) {
         return {};
@@ -228,6 +229,7 @@ function unsafeDecodeToken(token) {
     }
     return payload;
 }
+exports.unsafeDecodeToken = unsafeDecodeToken;
 /**
  * Decode, but not verify, a Auth ID token.
  *
@@ -310,11 +312,11 @@ async function checkAuthToken(req, ctx) {
         const idToken = match[1];
         try {
             let authToken;
-            if (debug_1.isDebugFeatureEnabled('skipTokenVerification')) {
+            if ((0, debug_1.isDebugFeatureEnabled)('skipTokenVerification')) {
                 authToken = unsafeDecodeIdToken(idToken);
             }
             else {
-                authToken = await apps_1.apps()
+                authToken = await (0, apps_1.apps)()
                     .admin.auth()
                     .verifyIdToken(idToken);
             }
@@ -338,16 +340,16 @@ async function checkAppCheckToken(req, ctx) {
         return 'MISSING';
     }
     try {
-        if (!apps_1.apps().admin.appCheck) {
+        if (!(0, apps_1.apps)().admin.appCheck) {
             throw new Error('Cannot validate AppCheck token. Please update Firebase Admin SDK to >= v9.8.0');
         }
         let appCheckData;
-        if (debug_1.isDebugFeatureEnabled('skipTokenVerification')) {
+        if ((0, debug_1.isDebugFeatureEnabled)('skipTokenVerification')) {
             const decodedToken = unsafeDecodeAppCheckToken(appCheck);
             appCheckData = { appId: decodedToken.app_id, token: decodedToken };
         }
         else {
-            appCheckData = await apps_1.apps()
+            appCheckData = await (0, apps_1.apps)()
                 .admin.appCheck()
                 .verifyToken(appCheck);
         }

package/lib/common/providers/identity.d.ts

@@ -1,7 +1,9 @@
 import * as firebase from 'firebase-admin';
-import { HttpsError } from './https';
 import { EventContext } from '../../cloud-functions';
+import { HttpsError } from './https';
 export { HttpsError };
+/** Shorthand auth blocking events from GCIP. */
+export declare type AuthBlockingEventType = 'beforeCreate' | 'beforeSignIn';
 /**
  * The UserRecord passed to Cloud Functions is the same UserRecord that is returned by the Firebase Admin
  * SDK.
@@ -198,6 +200,10 @@ export interface AuthEventContext extends EventContext {
     additionalUserInfo?: AdditionalUserInfo;
     credential?: Credential;
 }
+/** Defines the auth event for v2 blocking events */
+export interface AuthBlockingEvent extends AuthEventContext {
+    data: AuthUserRecord;
+}
 /** The handler response type for beforeCreate blocking events */
 export interface BeforeCreateResponse {
     displayName?: string;

package/lib/common/providers/identity.js

@@ -21,23 +21,12 @@
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 // SOFTWARE.
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createHandler = exports.getUpdateMask = exports.validateAuthResponse = exports.parseAuthEventContext = exports.parseAuthUserRecord = exports.parseMultiFactor = exports.parseDate = exports.parseProviderData = exports.parseMetadata = exports.verifyJWT = exports.shouldVerifyJWT = exports.decodeJWT = exports.checkDecodedToken = exports.isAuthorizedCloudFunctionURL = exports.getPublicKeyFromHeader = exports.isValidRequest = exports.setKeyExpirationTime = exports.invalidPublicKeys = exports.userRecordConstructor = exports.UserRecordMetadata = exports.JWT_ISSUER = exports.JWT_ALG = exports.JWT_CLIENT_CERT_PATH = exports.JWT_CLIENT_CERT_URL = exports.INVALID_TOKEN_BUFFER = exports.HttpsError = void 0;
-const jwt = require("jsonwebtoken");
-const node_fetch_1 = require("node-fetch");
+exports.wrapHandler = exports.getUpdateMask = exports.validateAuthResponse = exports.parseAuthEventContext = exports.parseAuthUserRecord = exports.parseMultiFactor = exports.parseDate = exports.parseProviderData = exports.parseMetadata = exports.isValidRequest = exports.userRecordConstructor = exports.UserRecordMetadata = exports.HttpsError = void 0;
+const __1 = require("../..");
+const apps_1 = require("../../apps");
+const debug_1 = require("../debug");
 const https_1 = require("./https");
 Object.defineProperty(exports, "HttpsError", { enumerable: true, get: function () { return https_1.HttpsError; } });
-const function_configuration_1 = require("../../function-configuration");
-const __1 = require("../..");
-/** @internal */
-exports.INVALID_TOKEN_BUFFER = 60000; // set to 1 minute
-/** @internal */
-exports.JWT_CLIENT_CERT_URL = 'https://www.googleapis.com';
-/** @internal */
-exports.JWT_CLIENT_CERT_PATH = 'robot/v1/metadata/x509/securetoken@system.gserviceaccount.com';
-/** @internal */
-exports.JWT_ALG = 'RS256';
-/** @internal */
-exports.JWT_ISSUER = 'https://securetoken.google.com/';
 const DISALLOWED_CUSTOM_CLAIMS = [
     'acr',
     'amr',
@@ -98,19 +87,14 @@ function userRecordConstructor(wireData) {
         tokensValidAfterTime: null,
     };
     const record = { ...falseyValues, ...wireData };
-    const meta = record['metadata'];
+    const meta = record.metadata;
     if (meta) {
-        record['metadata'] = new UserRecordMetadata(meta.createdAt || meta.creationTime, meta.lastSignedInAt || meta.lastSignInTime);
+        record.metadata = new UserRecordMetadata(meta.createdAt || meta.creationTime, meta.lastSignedInAt || meta.lastSignInTime);
     }
     else {
-        record['metadata'] = new UserRecordMetadata(null, null);
+        record.metadata = new UserRecordMetadata(null, null);
     }
-    for (const entry of Object.entries(record.providerData)) {
-        entry['toJSON'] = () => {
-            return entry;
-        };
-    }
-    record['toJSON'] = () => {
+    record.toJSON = () => {
         const { uid, email, emailVerified, displayName, photoURL, phoneNumber, disabled, passwordHash, passwordSalt, tokensValidAfterTime, } = record;
         const json = {
             uid,
@@ -124,58 +108,14 @@ function userRecordConstructor(wireData) {
             passwordSalt,
             tokensValidAfterTime,
         };
-        json['metadata'] = record['metadata'].toJSON();
-        json['customClaims'] = JSON.parse(JSON.stringify(record.customClaims));
-        json['providerData'] = record.providerData.map((entry) => entry.toJSON());
+        json.metadata = record.metadata.toJSON();
+        json.customClaims = JSON.parse(JSON.stringify(record.customClaims));
+        json.providerData = record.providerData.map((entry) => entry.toJSON());
         return json;
     };
     return record;
 }
 exports.userRecordConstructor = userRecordConstructor;
-/**
- * Helper to determine if we refresh the public keys
- * @internal
- */
-function invalidPublicKeys(keys, time = Date.now()) {
-    if (!keys.publicKeysExpireAt) {
-        return true;
-    }
-    return time + exports.INVALID_TOKEN_BUFFER >= keys.publicKeysExpireAt;
-}
-exports.invalidPublicKeys = invalidPublicKeys;
-/**
- * Helper to parse the response headers to obtain the expiration time.
- * @internal
- */
-function setKeyExpirationTime(response, keysCache, time) {
-    if (response.headers.has('cache-control')) {
-        const ccHeader = response.headers.get('cache-control');
-        const maxAgeEntry = ccHeader
-            .split(', ')
-            .find((item) => item.includes('max-age'));
-        if (maxAgeEntry) {
-            const maxAge = +maxAgeEntry.trim().split('=')[1];
-            keysCache.publicKeysExpireAt = time + maxAge * 1000;
-        }
-    }
-}
-exports.setKeyExpirationTime = setKeyExpirationTime;
-/**
- * Fetch the public keys for use in decoding and verifying the jwt sent from identity platform.
- */
-async function refreshPublicKeys(keysCache, time = Date.now()) {
-    const url = `${exports.JWT_CLIENT_CERT_URL}/${exports.JWT_CLIENT_CERT_PATH}`;
-    try {
-        const response = await node_fetch_1.default(url);
-        setKeyExpirationTime(response, keysCache, time);
-        const data = await response.json();
-        keysCache.publicKeys = data;
-    }
-    catch (err) {
-        __1.logger.error(`Failed to obtain public keys for JWT verification: ${err.message}`);
-        throw new https_1.HttpsError('internal', 'Failed to obtain the public keys for JWT verification.');
-    }
-}
 /**
  * Checks for a valid identity platform web request, otherwise throws an HttpsError
  * @internal
@@ -198,120 +138,18 @@ function isValidRequest(req) {
     return true;
 }
 exports.isValidRequest = isValidRequest;
-/** @internal */
-function getPublicKeyFromHeader(header, publicKeys) {
-    if (header.alg !== exports.JWT_ALG) {
-        throw new https_1.HttpsError('invalid-argument', `Provided JWT has incorrect algorithm. Expected ${exports.JWT_ALG} but got ${header.alg}.`);
-    }
-    if (!header.kid) {
-        throw new https_1.HttpsError('invalid-argument', 'JWT header missing "kid" claim.');
-    }
-    if (!publicKeys.hasOwnProperty(header.kid)) {
-        throw new https_1.HttpsError('invalid-argument', 'Provided JWT has "kid" claim which does not correspond to a known public key. Most likely the JWT is expired.');
-    }
-    return publicKeys[header.kid];
-}
-exports.getPublicKeyFromHeader = getPublicKeyFromHeader;
 /**
- * Checks for a well forms cloud functions url
- * @internal
+ * Decode, but not verify, an Auth Blocking token.
+ *
+ * Do not use in production. Token should always be verified using the Admin SDK.
+ *
+ * This is exposed only for testing.
  */
-function isAuthorizedCloudFunctionURL(cloudFunctionUrl, projectId) {
-    const re = new RegExp(`^https://(${function_configuration_1.SUPPORTED_REGIONS.join('|')})+-${projectId}\.cloudfunctions\.net/`);
-    const res = re.exec(cloudFunctionUrl) || [];
-    return res.length > 0;
-}
-exports.isAuthorizedCloudFunctionURL = isAuthorizedCloudFunctionURL;
-/**
- * Checks for errors in a decoded jwt
- * @internal
- */
-function checkDecodedToken(decodedJWT, eventType, projectId) {
-    if (decodedJWT.event_type !== eventType) {
-        throw new https_1.HttpsError('invalid-argument', `Expected "${eventType}" but received "${decodedJWT.event_type}".`);
-    }
-    if (!isAuthorizedCloudFunctionURL(decodedJWT.aud, projectId)) {
-        throw new https_1.HttpsError('invalid-argument', 'Provided JWT has incorrect "aud" (audience) claim.');
-    }
-    if (decodedJWT.iss !== `${exports.JWT_ISSUER}${projectId}`) {
-        throw new https_1.HttpsError('invalid-argument', `Provided JWT has incorrect "iss" (issuer) claim. Expected ` +
-            `"${exports.JWT_ISSUER}${projectId}" but got "${decodedJWT.iss}".`);
-    }
-    if (typeof decodedJWT.sub !== 'string' || decodedJWT.sub.length === 0) {
-        throw new https_1.HttpsError('invalid-argument', 'Provided JWT has no "sub" (subject) claim.');
-    }
-    if (decodedJWT.sub.length > 128) {
-        throw new https_1.HttpsError('invalid-argument', 'Provided JWT has "sub" (subject) claim longer than 128 characters.');
-    }
-    // set uid to sub
-    decodedJWT.uid = decodedJWT.sub;
-}
-exports.checkDecodedToken = checkDecodedToken;
-/**
- * Helper function to decode the jwt, internally uses the 'jsonwebtoken' package.
- * @internal
- */
-function decodeJWT(token) {
-    let decoded;
-    try {
-        decoded = jwt.decode(token, { complete: true });
-    }
-    catch (err) {
-        __1.logger.error('Decoding the JWT failed', err);
-        throw new https_1.HttpsError('internal', 'Failed to decode the JWT.');
-    }
-    if (!(decoded === null || decoded === void 0 ? void 0 : decoded.payload)) {
-        throw new https_1.HttpsError('internal', 'The decoded JWT is not structured correctly.');
-    }
+function unsafeDecodeAuthBlockingToken(token) {
+    const decoded = (0, https_1.unsafeDecodeToken)(token);
+    decoded.uid = decoded.sub;
     return decoded;
 }
-exports.decodeJWT = decodeJWT;
-/**
- * Helper function to determine if we need to do full verification of the jwt
- * @internal
- */
-function shouldVerifyJWT() {
-    // TODO(colerogers): add emulator support to skip verification
-    return true;
-}
-exports.shouldVerifyJWT = shouldVerifyJWT;
-/**
- * Verifies the jwt using the 'jwt' library and decodes the token with the public keys
- * Throws an error if the event types do not match
- * @internal
- */
-function verifyJWT(token, rawDecodedJWT, keysCache, time = Date.now()) {
-    if (!rawDecodedJWT.header) {
-        throw new https_1.HttpsError('internal', 'Unable to verify JWT payload, the decoded JWT does not have a header property.');
-    }
-    const header = rawDecodedJWT.header;
-    let publicKey;
-    try {
-        if (invalidPublicKeys(keysCache, time)) {
-            refreshPublicKeys(keysCache);
-        }
-        publicKey = getPublicKeyFromHeader(header, keysCache.publicKeys);
-        return jwt.verify(token, publicKey, {
-            algorithms: [exports.JWT_ALG],
-        });
-    }
-    catch (err) {
-        __1.logger.error('Verifying the JWT failed', err);
-    }
-    // force refresh keys and retry one more time
-    try {
-        refreshPublicKeys(keysCache);
-        publicKey = getPublicKeyFromHeader(header, keysCache.publicKeys);
-        return jwt.verify(token, publicKey, {
-            algorithms: [exports.JWT_ALG],
-        });
-    }
-    catch (err) {
-        __1.logger.error('Verifying the JWT failed again', err);
-        throw new https_1.HttpsError('internal', 'Failed to verify the JWT.');
-    }
-}
-exports.verifyJWT = verifyJWT;
 /**
  * Helper function to parse the decoded metadata object into a UserMetaData object
  * @internal
@@ -436,13 +274,14 @@ exports.parseAuthUserRecord = parseAuthUserRecord;
 /** Helper to get the AdditionalUserInfo from the decoded jwt */
 function parseAdditionalUserInfo(decodedJWT) {
     let profile, username;
-    if (decodedJWT.raw_user_info)
+    if (decodedJWT.raw_user_info) {
         try {
             profile = JSON.parse(decodedJWT.raw_user_info);
         }
         catch (err) {
             __1.logger.debug(`Parse Error: ${err.message}`);
         }
+    }
     if (profile) {
         if (decodedJWT.sign_in_method === 'github.com') {
             username = profile.login;
@@ -570,17 +409,7 @@ function getUpdateMask(authResponse) {
 }
 exports.getUpdateMask = getUpdateMask;
 /** @internal */
-function createHandler(handler, eventType, keysCache) {
-    const wrappedHandler = wrapHandler(handler, eventType, keysCache);
-    return (req, res) => {
-        return new Promise((resolve) => {
-            res.on('finish', resolve);
-            resolve(wrappedHandler(req, res));
-        });
-    };
-}
-exports.createHandler = createHandler;
-function wrapHandler(handler, eventType, keysCache) {
+function wrapHandler(eventType, handler) {
     return async (req, res) => {
         try {
             const projectId = process.env.GCLOUD_PROJECT;
@@ -588,22 +417,39 @@ function wrapHandler(handler, eventType, keysCache) {
                 __1.logger.error('Invalid request, unable to process');
                 throw new https_1.HttpsError('invalid-argument', 'Bad Request');
             }
-            const rawDecodedJWT = decodeJWT(req.body.data.jwt);
-            const decodedPayload = shouldVerifyJWT()
-                ? verifyJWT(req.body.data.jwt, rawDecodedJWT, keysCache)
-                : rawDecodedJWT.payload;
-            checkDecodedToken(decodedPayload, eventType, projectId);
+            if (!(0, apps_1.apps)().admin.auth()._verifyAuthBlockingToken) {
+                throw new Error('Cannot validate Auth Blocking token. Please update Firebase Admin SDK to >= v10.1.0');
+            }
+            const decodedPayload = (0, debug_1.isDebugFeatureEnabled)('skipTokenVerification')
+                ? unsafeDecodeAuthBlockingToken(req.body.data.jwt)
+                : await (0, apps_1.apps)()
+                    .admin.auth()
+                    ._verifyAuthBlockingToken(req.body.data.jwt);
             const authUserRecord = parseAuthUserRecord(decodedPayload.user_record);
             const authEventContext = parseAuthEventContext(decodedPayload, projectId);
-            const authResponse = (await handler(authUserRecord, authEventContext)) || undefined;
+            let authResponse;
+            if (handler.length === 2) {
+                authResponse =
+                    (await handler(authUserRecord, authEventContext)) ||
+                        undefined;
+            }
+            else {
+                authResponse =
+                    (await handler({
+                        ...authEventContext,
+                        data: authUserRecord,
+                    })) || undefined;
+            }
             validateAuthResponse(eventType, authResponse);
             const updateMask = getUpdateMask(authResponse);
-            const result = {
-                userRecord: {
-                    ...authResponse,
-                    updateMask,
-                },
-            };
+            const result = updateMask.length === 0
+                ? {}
+                : {
+                    userRecord: {
+                        ...authResponse,
+                        updateMask,
+                    },
+                };
             res.status(200);
             res.setHeader('Content-Type', 'application/json');
             res.send(JSON.stringify(result));
@@ -614,9 +460,11 @@ function wrapHandler(handler, eventType, keysCache) {
                 __1.logger.error('Unhandled error', err);
                 err = new https_1.HttpsError('internal', 'An unexpected error occurred.');
             }
-            res.status(err.code);
+            const { status } = err.httpErrorCode;
+            const body = { error: err.toJSON() };
             res.setHeader('Content-Type', 'application/json');
-            res.send({ error: err.toJson() });
+            res.status(status).send(body);
         }
     };
 }
+exports.wrapHandler = wrapHandler;

package/lib/function-builder.d.ts

@@ -178,7 +178,7 @@ export declare class FunctionBuilder {
         /**
          * Handle events related to Firebase authentication users.
          */
-        user: () => auth.UserBuilder;
+        user: (userOptions?: auth.UserOptions) => auth.UserBuilder;
     };
     get testLab(): {
         /**

package/lib/function-builder.js

@@ -356,7 +356,7 @@ class FunctionBuilder {
             /**
              * Handle events related to Firebase authentication users.
              */
-            user: () => auth._userWithOptions(this.options),
+            user: (userOptions) => auth._userWithOptions(this.options, userOptions),
         };
     }
     get testLab() {

package/lib/handler-builder.js

@@ -141,12 +141,12 @@ class HandlerBuilder {
             get instance() {
                 return {
                     get ref() {
-                        return new database.RefBuilder(apps_1.apps(), () => null, {});
+                        return new database.RefBuilder((0, apps_1.apps)(), () => null, {});
                     },
                 };
             },
             get ref() {
-                return new database.RefBuilder(apps_1.apps(), () => null, {});
+                return new database.RefBuilder((0, apps_1.apps)(), () => null, {});
             },
         };
     }
@@ -323,7 +323,7 @@ class HandlerBuilder {
     get auth() {
         return {
             get user() {
-                return new auth.UserBuilder(() => null, {});
+                return new auth.UserBuilder(() => null, {}, {});
             },
         };
     }

package/lib/index.js

@@ -22,7 +22,11 @@
 // SOFTWARE.
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
-    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
 }) : (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     o[k2] = m[k];
@@ -66,4 +70,4 @@ __exportStar(require("./cloud-functions"), exports);
 __exportStar(require("./config"), exports);
 __exportStar(require("./function-builder"), exports);
 __exportStar(require("./function-configuration"), exports);
-setup_1.setup();
+(0, setup_1.setup)();

package/lib/logger/compat.js

@@ -6,7 +6,7 @@ const common_1 = require("./common");
 function patchedConsole(severity) {
     return function (data, ...args) {
         if (common_1.SUPPORTS_STRUCTURED_LOGS) {
-            common_1.UNPATCHED_CONSOLE[common_1.CONSOLE_SEVERITY[severity]](JSON.stringify({ severity, message: util_1.format(data, ...args) }));
+            common_1.UNPATCHED_CONSOLE[common_1.CONSOLE_SEVERITY[severity]](JSON.stringify({ severity, message: (0, util_1.format)(data, ...args) }));
             return;
         }
         common_1.UNPATCHED_CONSOLE[common_1.CONSOLE_SEVERITY[severity]](data, ...args);

package/lib/providers/analytics.js

@@ -73,7 +73,7 @@ class AnalyticsEventBuilder {
         const dataConstructor = (raw) => {
             return new AnalyticsEvent(raw.data);
         };
-        return cloud_functions_1.makeCloudFunction({
+        return (0, cloud_functions_1.makeCloudFunction)({
             handler,
             provider: exports.provider,
             eventType: 'event.log',

package/lib/providers/auth.d.ts

@@ -1,27 +1,40 @@
-import { UserRecord, UserInfo, UserRecordMetadata, userRecordConstructor } from '../common/providers/identity';
-import { CloudFunction, EventContext } from '../cloud-functions';
+import { BlockingFunction, CloudFunction, EventContext } from '../cloud-functions';
+import { AuthEventContext, AuthUserRecord, BeforeCreateResponse, BeforeSignInResponse, HttpsError, UserInfo, UserRecord, userRecordConstructor, UserRecordMetadata } from '../common/providers/identity';
 import { DeploymentOptions } from '../function-configuration';
 export { UserRecord, UserInfo, UserRecordMetadata, userRecordConstructor };
+export { HttpsError };
 /** @hidden */
 export declare const provider = "google.firebase.auth";
 /** @hidden */
 export declare const service = "firebaseauth.googleapis.com";
+/** Resource level options */
+export interface UserOptions {
+    blockingOptions?: {
+        idToken?: boolean;
+        accessToken?: boolean;
+        refreshToken?: boolean;
+    };
+}
 /**
  * Handle events related to Firebase authentication users.
  */
-export declare function user(): UserBuilder;
+export declare function user(userOptions?: UserOptions): UserBuilder;
 /** @hidden */
-export declare function _userWithOptions(options: DeploymentOptions): UserBuilder;
+export declare function _userWithOptions(options: DeploymentOptions, userOptions: UserOptions): UserBuilder;
 /** Builder used to create Cloud Functions for Firebase Auth user lifecycle events. */
 export declare class UserBuilder {
     private triggerResource;
-    private options?;
+    private options;
+    private userOptions?;
     private static dataConstructor;
     /** @hidden */
-    constructor(triggerResource: () => string, options?: DeploymentOptions);
+    constructor(triggerResource: () => string, options: DeploymentOptions, userOptions?: UserOptions);
     /** Respond to the creation of a Firebase Auth user. */
     onCreate(handler: (user: UserRecord, context: EventContext) => PromiseLike<any> | any): CloudFunction<UserRecord>;
     /** Respond to the deletion of a Firebase Auth user. */
     onDelete(handler: (user: UserRecord, context: EventContext) => PromiseLike<any> | any): CloudFunction<UserRecord>;
+    beforeCreate(handler: (user: AuthUserRecord, context: AuthEventContext) => BeforeCreateResponse | void | Promise<BeforeCreateResponse> | Promise<void>): BlockingFunction;
+    beforeSignIn(handler: (user: AuthUserRecord, context: AuthEventContext) => BeforeSignInResponse | void | Promise<BeforeSignInResponse> | Promise<void>): BlockingFunction;
     private onOperation;
+    private beforeOperation;
 }