firebase-functions 3.24.1 → 4.0.0

package/lib/common/providers/https.js

@@ -26,7 +26,9 @@ const cors = require("cors");
 const logger = require("../../logger");
 // TODO(inlined): Decide whether we want to un-version apps or whether we want a
 // different strategy
-const apps_1 = require("../../apps");
+const app_check_1 = require("firebase-admin/app-check");
+const auth_1 = require("firebase-admin/auth");
+const app_1 = require("../app");
 const debug_1 = require("../debug");
 const JWT_REGEX = /^[a-zA-Z0-9\-_=]+?\.[a-zA-Z0-9\-_=]+?\.([a-zA-Z0-9\-_=]+)?$/;
 /**
@@ -39,23 +41,23 @@ const JWT_REGEX = /^[a-zA-Z0-9\-_=]+?\.[a-zA-Z0-9\-_=]+?\.([a-zA-Z0-9\-_=]+)?$/;
  * supported set.
  */
 const errorCodeMap = {
-    ok: { canonicalName: 'OK', status: 200 },
-    cancelled: { canonicalName: 'CANCELLED', status: 499 },
-    unknown: { canonicalName: 'UNKNOWN', status: 500 },
-    'invalid-argument': { canonicalName: 'INVALID_ARGUMENT', status: 400 },
-    'deadline-exceeded': { canonicalName: 'DEADLINE_EXCEEDED', status: 504 },
-    'not-found': { canonicalName: 'NOT_FOUND', status: 404 },
-    'already-exists': { canonicalName: 'ALREADY_EXISTS', status: 409 },
-    'permission-denied': { canonicalName: 'PERMISSION_DENIED', status: 403 },
-    unauthenticated: { canonicalName: 'UNAUTHENTICATED', status: 401 },
-    'resource-exhausted': { canonicalName: 'RESOURCE_EXHAUSTED', status: 429 },
-    'failed-precondition': { canonicalName: 'FAILED_PRECONDITION', status: 400 },
-    aborted: { canonicalName: 'ABORTED', status: 409 },
-    'out-of-range': { canonicalName: 'OUT_OF_RANGE', status: 400 },
-    unimplemented: { canonicalName: 'UNIMPLEMENTED', status: 501 },
-    internal: { canonicalName: 'INTERNAL', status: 500 },
-    unavailable: { canonicalName: 'UNAVAILABLE', status: 503 },
-    'data-loss': { canonicalName: 'DATA_LOSS', status: 500 },
+    ok: { canonicalName: "OK", status: 200 },
+    cancelled: { canonicalName: "CANCELLED", status: 499 },
+    unknown: { canonicalName: "UNKNOWN", status: 500 },
+    "invalid-argument": { canonicalName: "INVALID_ARGUMENT", status: 400 },
+    "deadline-exceeded": { canonicalName: "DEADLINE_EXCEEDED", status: 504 },
+    "not-found": { canonicalName: "NOT_FOUND", status: 404 },
+    "already-exists": { canonicalName: "ALREADY_EXISTS", status: 409 },
+    "permission-denied": { canonicalName: "PERMISSION_DENIED", status: 403 },
+    unauthenticated: { canonicalName: "UNAUTHENTICATED", status: 401 },
+    "resource-exhausted": { canonicalName: "RESOURCE_EXHAUSTED", status: 429 },
+    "failed-precondition": { canonicalName: "FAILED_PRECONDITION", status: 400 },
+    aborted: { canonicalName: "ABORTED", status: 409 },
+    "out-of-range": { canonicalName: "OUT_OF_RANGE", status: 400 },
+    unimplemented: { canonicalName: "UNIMPLEMENTED", status: 501 },
+    internal: { canonicalName: "INTERNAL", status: 500 },
+    unavailable: { canonicalName: "UNAVAILABLE", status: 503 },
+    "data-loss": { canonicalName: "DATA_LOSS", status: 500 },
 };
 /**
  * An explicit error that can be thrown from a handler to send an error to the
@@ -90,51 +92,51 @@ exports.HttpsError = HttpsError;
 function isValidRequest(req) {
     // The body must not be empty.
     if (!req.body) {
-        logger.warn('Request is missing body.');
+        logger.warn("Request is missing body.");
         return false;
     }
     // Make sure it's a POST.
-    if (req.method !== 'POST') {
-        logger.warn('Request has invalid method.', req.method);
+    if (req.method !== "POST") {
+        logger.warn("Request has invalid method.", req.method);
         return false;
     }
     // Check that the Content-Type is JSON.
-    let contentType = (req.header('Content-Type') || '').toLowerCase();
+    let contentType = (req.header("Content-Type") || "").toLowerCase();
     // If it has a charset, just ignore it for now.
-    const semiColon = contentType.indexOf(';');
+    const semiColon = contentType.indexOf(";");
     if (semiColon >= 0) {
         contentType = contentType.slice(0, semiColon).trim();
     }
-    if (contentType !== 'application/json') {
-        logger.warn('Request has incorrect Content-Type.', contentType);
+    if (contentType !== "application/json") {
+        logger.warn("Request has incorrect Content-Type.", contentType);
         return false;
     }
     // The body must have data.
-    if (typeof req.body.data === 'undefined') {
-        logger.warn('Request body is missing data.', req.body);
+    if (typeof req.body.data === "undefined") {
+        logger.warn("Request body is missing data.", req.body);
         return false;
     }
     // TODO(klimt): Allow only specific http headers.
     // Verify that the body does not have any extra fields.
-    const extraKeys = Object.keys(req.body).filter((field) => field !== 'data');
+    const extraKeys = Object.keys(req.body).filter((field) => field !== "data");
     if (extraKeys.length !== 0) {
-        logger.warn('Request body has extra fields: ', extraKeys.join(', '));
+        logger.warn("Request body has extra fields: ", extraKeys.join(", "));
         return false;
     }
     return true;
 }
 exports.isValidRequest = isValidRequest;
 /** @hidden */
-const LONG_TYPE = 'type.googleapis.com/google.protobuf.Int64Value';
+const LONG_TYPE = "type.googleapis.com/google.protobuf.Int64Value";
 /** @hidden */
-const UNSIGNED_LONG_TYPE = 'type.googleapis.com/google.protobuf.UInt64Value';
+const UNSIGNED_LONG_TYPE = "type.googleapis.com/google.protobuf.UInt64Value";
 /**
  * Encodes arbitrary data in our special format for JSON.
  * This is exposed only for testing.
  */
 /** @hidden */
 function encode(data) {
-    if (data === null || typeof data === 'undefined') {
+    if (data === null || typeof data === "undefined") {
         return null;
     }
     if (data instanceof Number) {
@@ -145,16 +147,16 @@ function encode(data) {
         // without any loss of precision.
         return data;
     }
-    if (typeof data === 'boolean') {
+    if (typeof data === "boolean") {
         return data;
     }
-    if (typeof data === 'string') {
+    if (typeof data === "string") {
         return data;
     }
     if (Array.isArray(data)) {
         return data.map(encode);
     }
-    if (typeof data === 'object' || typeof data === 'function') {
+    if (typeof data === "object" || typeof data === "function") {
         // Sadly we don't have Object.fromEntries in Node 10, so we can't use a single
         // list comprehension
         const obj = {};
@@ -164,8 +166,8 @@ function encode(data) {
         return obj;
     }
     // If we got this far, the data is not encodable.
-    logger.error('Data cannot be encoded in JSON.', data);
-    throw new Error('Data cannot be encoded in JSON: ' + data);
+    logger.error("Data cannot be encoded in JSON.", data);
+    throw new Error(`Data cannot be encoded in JSON: ${data}`);
 }
 exports.encode = encode;
 /**
@@ -177,8 +179,8 @@ function decode(data) {
     if (data === null) {
         return data;
     }
-    if (data['@type']) {
-        switch (data['@type']) {
+    if (data["@type"]) {
+        switch (data["@type"]) {
             case LONG_TYPE:
             // Fall through and handle this the same as unsigned.
             case UNSIGNED_LONG_TYPE: {
@@ -187,21 +189,21 @@ function decode(data) {
                 // worth all the extra code to detect that case.
                 const value = parseFloat(data.value);
                 if (isNaN(value)) {
-                    logger.error('Data cannot be decoded from JSON.', data);
-                    throw new Error('Data cannot be decoded from JSON: ' + data);
+                    logger.error("Data cannot be decoded from JSON.", data);
+                    throw new Error(`Data cannot be decoded from JSON: ${data}`);
                 }
                 return value;
             }
             default: {
-                logger.error('Data cannot be decoded from JSON.', data);
-                throw new Error('Data cannot be decoded from JSON: ' + data);
+                logger.error("Data cannot be decoded from JSON.", data);
+                throw new Error(`Data cannot be decoded from JSON: ${data}`);
             }
         }
     }
     if (Array.isArray(data)) {
         return data.map(decode);
     }
-    if (typeof data === 'object') {
+    if (typeof data === "object") {
         const obj = {};
         for (const [k, v] of Object.entries(data)) {
             obj[k] = decode(v);
@@ -217,18 +219,18 @@ function unsafeDecodeToken(token) {
     if (!JWT_REGEX.test(token)) {
         return {};
     }
-    const components = token
-        .split('.')
-        .map((s) => Buffer.from(s, 'base64').toString());
+    const components = token.split(".").map((s) => Buffer.from(s, "base64").toString());
     let payload = components[1];
-    if (typeof payload === 'string') {
+    if (typeof payload === "string") {
         try {
             const obj = JSON.parse(payload);
-            if (typeof obj === 'object') {
+            if (typeof obj === "object") {
                 payload = obj;
             }
         }
-        catch (e) { }
+        catch (e) {
+            // ignore error
+        }
     }
     return payload;
 }
@@ -267,13 +269,13 @@ exports.unsafeDecodeAppCheckToken = unsafeDecodeAppCheckToken;
  *
  * @param {Request} req - Request sent to the Callable function.
  * @param {CallableContext} ctx - Context to be sent to callable function handler.
- * @return {CallableTokenStatus} Status of the token verifications.
+ * @returns {CallableTokenStatus} Status of the token verifications.
  */
 /** @internal */
 async function checkTokens(req, ctx) {
     const verifications = {
-        app: 'INVALID',
-        auth: 'INVALID',
+        app: "INVALID",
+        auth: "INVALID",
     };
     await Promise.all([
         Promise.resolve().then(async () => {
@@ -285,83 +287,77 @@ async function checkTokens(req, ctx) {
     ]);
     const logPayload = {
         verifications,
-        'logging.googleapis.com/labels': {
-            'firebase-log-type': 'callable-request-verification',
+        "logging.googleapis.com/labels": {
+            "firebase-log-type": "callable-request-verification",
         },
     };
     const errs = [];
-    if (verifications.app === 'INVALID') {
-        errs.push('AppCheck token was rejected.');
+    if (verifications.app === "INVALID") {
+        errs.push("AppCheck token was rejected.");
     }
-    if (verifications.auth === 'INVALID') {
-        errs.push('Auth token was rejected.');
+    if (verifications.auth === "INVALID") {
+        errs.push("Auth token was rejected.");
     }
-    if (errs.length == 0) {
-        logger.info('Callable request verification passed', logPayload);
+    if (errs.length === 0) {
+        logger.debug("Callable request verification passed", logPayload);
     }
     else {
-        logger.warn(`Callable request verification failed: ${errs.join(' ')}`, logPayload);
+        logger.warn(`Callable request verification failed: ${errs.join(" ")}`, logPayload);
     }
     return verifications;
 }
 /** @interanl */
 async function checkAuthToken(req, ctx) {
-    const authorization = req.header('Authorization');
+    const authorization = req.header("Authorization");
     if (!authorization) {
-        return 'MISSING';
+        return "MISSING";
     }
-    const match = authorization.match(/^Bearer (.*)$/);
-    if (match) {
-        const idToken = match[1];
-        try {
-            let authToken;
-            if ((0, debug_1.isDebugFeatureEnabled)('skipTokenVerification')) {
-                authToken = unsafeDecodeIdToken(idToken);
-            }
-            else {
-                authToken = await (0, apps_1.apps)()
-                    .admin.auth()
-                    .verifyIdToken(idToken);
-            }
-            ctx.auth = {
-                uid: authToken.uid,
-                token: authToken,
-            };
-            return 'VALID';
+    const match = authorization.match(/^Bearer (.*)$/i);
+    if (!match) {
+        return "INVALID";
+    }
+    const idToken = match[1];
+    try {
+        let authToken;
+        if ((0, debug_1.isDebugFeatureEnabled)("skipTokenVerification")) {
+            authToken = unsafeDecodeIdToken(idToken);
         }
-        catch (err) {
-            logger.warn('Failed to validate auth token.', err);
-            return 'INVALID';
+        else {
+            authToken = await (0, auth_1.getAuth)((0, app_1.getApp)()).verifyIdToken(idToken);
         }
+        ctx.auth = {
+            uid: authToken.uid,
+            token: authToken,
+        };
+        return "VALID";
+    }
+    catch (err) {
+        logger.warn("Failed to validate auth token.", err);
+        return "INVALID";
     }
 }
 exports.checkAuthToken = checkAuthToken;
 /** @internal */
 async function checkAppCheckToken(req, ctx) {
-    const appCheck = req.header('X-Firebase-AppCheck');
+    const appCheck = req.header("X-Firebase-AppCheck");
     if (!appCheck) {
-        return 'MISSING';
+        return "MISSING";
     }
     try {
-        if (!(0, apps_1.apps)().admin.appCheck) {
-            throw new Error('Cannot validate AppCheck token. Please update Firebase Admin SDK to >= v9.8.0');
-        }
         let appCheckData;
-        if ((0, debug_1.isDebugFeatureEnabled)('skipTokenVerification')) {
+        if ((0, debug_1.isDebugFeatureEnabled)("skipTokenVerification")) {
             const decodedToken = unsafeDecodeAppCheckToken(appCheck);
             appCheckData = { appId: decodedToken.app_id, token: decodedToken };
         }
         else {
-            appCheckData = await (0, apps_1.apps)()
-                .admin.appCheck()
-                .verifyToken(appCheck);
+            appCheckData = await (0, app_check_1.getAppCheck)((0, app_1.getApp)()).verifyToken(appCheck);
         }
         ctx.app = appCheckData;
-        return 'VALID';
+        return "VALID";
     }
     catch (err) {
-        logger.warn('Failed to validate AppCheck token.', err);
-        return 'INVALID';
+        logger.warn("Failed to validate AppCheck token.", err);
+        return "INVALID";
     }
 }
 /** @internal */
@@ -369,7 +365,7 @@ function onCallHandler(options, handler) {
     const wrapped = wrapOnCallHandler(options, handler);
     return (req, res) => {
         return new Promise((resolve) => {
-            res.on('finish', resolve);
+            res.on("finish", resolve);
             cors(options.cors)(req, res, () => {
                 resolve(wrapped(req, res));
             });
@@ -382,24 +378,32 @@ function wrapOnCallHandler(options, handler) {
     return async (req, res) => {
         try {
             if (!isValidRequest(req)) {
-                logger.error('Invalid request, unable to process.');
-                throw new HttpsError('invalid-argument', 'Bad Request');
+                logger.error("Invalid request, unable to process.");
+                throw new HttpsError("invalid-argument", "Bad Request");
             }
             const context = { rawRequest: req };
             const tokenStatus = await checkTokens(req, context);
-            if (tokenStatus.auth === 'INVALID') {
-                throw new HttpsError('unauthenticated', 'Unauthenticated');
+            if (tokenStatus.auth === "INVALID") {
+                throw new HttpsError("unauthenticated", "Unauthenticated");
+            }
+            if (tokenStatus.app === "INVALID") {
+                if (options.enforceAppCheck) {
+                    throw new HttpsError("unauthenticated", "Unauthenticated");
+                }
+                else {
+                    logger.warn("Allowing request with invalid AppCheck token because enforcement is disabled");
+                }
             }
-            if (tokenStatus.app === 'INVALID' && !options.allowInvalidAppCheckToken) {
-                throw new HttpsError('unauthenticated', 'Unauthenticated');
+            if (tokenStatus.app === "MISSING" && options.enforceAppCheck) {
+                throw new HttpsError("unauthenticated", "Unauthenticated");
             }
-            const instanceId = req.header('Firebase-Instance-ID-Token');
+            const instanceId = req.header("Firebase-Instance-ID-Token");
             if (instanceId) {
                 // Validating the token requires an http request, so we don't do it.
                 // If the user wants to use it for something, it will be validated then.
                 // Currently, the only real use case for this token is for sending
                 // pushes with FCM. In that case, the FCM APIs will validate the token.
-                context.instanceIdToken = req.header('Firebase-Instance-ID-Token');
+                context.instanceIdToken = req.header("Firebase-Instance-ID-Token");
             }
             const data = decode(req.body.data);
             let result;
@@ -422,13 +426,14 @@ function wrapOnCallHandler(options, handler) {
             res.status(200).send(responseBody);
         }
         catch (err) {
+            let httpErr = err;
             if (!(err instanceof HttpsError)) {
                 // This doesn't count as an 'explicit' error.
-                logger.error('Unhandled error', err);
-                err = new HttpsError('internal', 'INTERNAL');
+                logger.error("Unhandled error", err);
+                httpErr = new HttpsError("internal", "INTERNAL");
             }
-            const { status } = err.httpErrorCode;
-            const body = { error: err.toJSON() };
+            const { status } = httpErr.httpErrorCode;
+            const body = { error: httpErr.toJSON() };
             res.status(status).send(body);
         }
     };

package/lib/common/providers/identity.d.ts

@@ -1,26 +1,26 @@
-import * as firebase from 'firebase-admin';
-import { EventContext } from '../../cloud-functions';
-import { HttpsError } from './https';
+import * as auth from "firebase-admin/auth";
+import { EventContext } from "../../v1/cloud-functions";
+import { HttpsError } from "./https";
 export { HttpsError };
 /**
  * Shorthand auth blocking events from GCIP.
  * @hidden
  * @alpha
  */
-export declare type AuthBlockingEventType = 'beforeCreate' | 'beforeSignIn';
+export declare type AuthBlockingEventType = "beforeCreate" | "beforeSignIn";
 /**
  * The UserRecord passed to Cloud Functions is the same UserRecord that is returned by the Firebase Admin
  * SDK.
  */
-export declare type UserRecord = firebase.auth.UserRecord;
+export declare type UserRecord = auth.UserRecord;
 /**
  * UserInfo that is part of the UserRecord
  */
-export declare type UserInfo = firebase.auth.UserInfo;
+export declare type UserInfo = auth.UserInfo;
 /**
  * Helper class to create the user metadata in a UserRecord object
  */
-export declare class UserRecordMetadata implements firebase.auth.UserMetadata {
+export declare class UserRecordMetadata implements auth.UserMetadata {
     creationTime: string;
     lastSignInTime: string;
     constructor(creationTime: string, lastSignInTime: string);
@@ -32,7 +32,7 @@ export declare class UserRecordMetadata implements firebase.auth.UserMetadata {
  * @param wireData data sent over the wire
  * @returns an instance of UserRecord with correct toJSON functions
  */
-export declare function userRecordConstructor(wireData: Object): UserRecord;
+export declare function userRecordConstructor(wireData: Record<string, unknown>): UserRecord;
 /**
  * User info that is part of the AuthUserRecord
  */