firebase-tools 10.4.2 → 10.7.0

package/lib/deploy/functions/release/reporter.js

@@ -4,7 +4,7 @@ exports.triggerTag = exports.printAbortedErrors = exports.printErrors = exports.
 const backend = require("../backend");
 const clc = require("cli-color");
 const logger_1 = require("../../../logger");
-const track = require("../../../track");
+const track_1 = require("../../../track");
 const utils = require("../../../utils");
 const functionsDeployHelper_1 = require("../functionsDeployHelper");
 class DeploymentError extends Error {
@@ -36,23 +36,23 @@ async function logAndTrackDeployStats(summary) {
         totalTime += result.durationMs;
         if (!result.error) {
             totalSuccesses++;
-            reports.push(track.track("function_deploy_success", tag, result.durationMs));
+            reports.push((0, track_1.track)("function_deploy_success", tag, result.durationMs));
         }
         else if (result.error instanceof AbortedDeploymentError) {
             totalAborts++;
-            reports.push(track.track("function_deploy_abort", tag, result.durationMs));
+            reports.push((0, track_1.track)("function_deploy_abort", tag, result.durationMs));
         }
         else {
             totalErrors++;
-            reports.push(track.track("function_deploy_failure", tag, result.durationMs));
+            reports.push((0, track_1.track)("function_deploy_failure", tag, result.durationMs));
         }
     }
     const regionCountTag = regions.size < 5 ? regions.size.toString() : ">=5";
-    reports.push(track.track("functions_region_count", regionCountTag, 1));
+    reports.push((0, track_1.track)("functions_region_count", regionCountTag, 1));
     const gcfv1 = summary.results.find((r) => r.endpoint.platform === "gcfv1");
     const gcfv2 = summary.results.find((r) => r.endpoint.platform === "gcfv2");
     const tag = gcfv1 && gcfv2 ? "v1+v2" : gcfv1 ? "v1" : "v2";
-    reports.push(track.track("functions_codebase_deploy", tag, summary.results.length));
+    reports.push((0, track_1.track)("functions_codebase_deploy", tag, summary.results.length));
     const avgTime = totalTime / (totalSuccesses + totalErrors);
     logger_1.logger.debug(`Total Function Deployment time: ${summary.totalTime}`);
     logger_1.logger.debug(`${totalErrors + totalSuccesses + totalAborts} Functions Deployed`);
@@ -61,15 +61,15 @@ async function logAndTrackDeployStats(summary) {
     logger_1.logger.debug(`Average Function Deployment time: ${avgTime}`);
     if (totalErrors + totalSuccesses > 0) {
         if (totalErrors === 0) {
-            reports.push(track.track("functions_deploy_result", "success", totalSuccesses));
+            reports.push((0, track_1.track)("functions_deploy_result", "success", totalSuccesses));
         }
         else if (totalSuccesses > 0) {
-            reports.push(track.track("functions_deploy_result", "partial_success", totalSuccesses));
-            reports.push(track.track("functions_deploy_result", "partial_failure", totalErrors));
-            reports.push(track.track("functions_deploy_result", "partial_error_ratio", totalErrors / (totalSuccesses + totalErrors)));
+            reports.push((0, track_1.track)("functions_deploy_result", "partial_success", totalSuccesses));
+            reports.push((0, track_1.track)("functions_deploy_result", "partial_failure", totalErrors));
+            reports.push((0, track_1.track)("functions_deploy_result", "partial_error_ratio", totalErrors / (totalSuccesses + totalErrors)));
         }
         else {
-            reports.push(track.track("functions_deploy_result", "failure", totalErrors));
+            reports.push((0, track_1.track)("functions_deploy_result", "failure", totalErrors));
         }
     }
     await utils.allSettled(reports);
@@ -171,6 +171,9 @@ function triggerTag(endpoint) {
         }
         return `${prefix}.https`;
     }
+    if (backend.isBlockingTriggered(endpoint)) {
+        return `${prefix}.blocking`;
+    }
     return endpoint.eventTrigger.eventType;
 }
 exports.triggerTag = triggerTag;

package/lib/deploy/functions/runtimes/discovery/parsing.js

@@ -19,31 +19,37 @@ function assertKeyTypes(prefix, yaml, schema) {
     }
     for (const [keyAsString, value] of Object.entries(yaml)) {
         const key = keyAsString;
-        const fullKey = prefix ? prefix + "." + key : key;
+        const fullKey = prefix ? `${prefix}.${keyAsString}` : keyAsString;
         if (!schema[key] || schema[key] === "omit") {
             throw new error_1.FirebaseError(`Unexpected key ${fullKey}. You may need to install a newer version of the Firebase CLI.`);
         }
-        if (schema[key] === "string") {
+        const schemaType = schema[key];
+        if (typeof schemaType === "function") {
+            if (!schemaType(value)) {
+                throw new error_1.FirebaseError(`${Array.isArray(value) ? "array" : typeof value} ${fullKey} failed validation`);
+            }
+        }
+        else if (schemaType === "string") {
             if (typeof value !== "string") {
                 throw new error_1.FirebaseError(`Expected ${fullKey} to be string; was ${typeof value}`);
             }
         }
-        else if (schema[key] === "number") {
+        else if (schemaType === "number") {
             if (typeof value !== "number") {
                 throw new error_1.FirebaseError(`Expected ${fullKey} to be a number; was ${typeof value}`);
             }
         }
-        else if (schema[key] === "boolean") {
+        else if (schemaType === "boolean") {
             if (typeof value !== "boolean") {
                 throw new error_1.FirebaseError(`Expected ${fullKey} to be a boolean; was ${typeof value}`);
             }
         }
-        else if (schema[key] === "array") {
+        else if (schemaType === "array") {
             if (!Array.isArray(value)) {
                 throw new error_1.FirebaseError(`Expected ${fullKey} to be an array; was ${typeof value}`);
             }
         }
-        else if (schema[key] === "object") {
+        else if (schemaType === "object") {
             if (value === null || typeof value !== "object" || Array.isArray(value)) {
                 throw new error_1.FirebaseError(`Expected ${fullKey} to be an object; was ${typeof value}`);
             }

package/lib/deploy/functions/runtimes/discovery/v1alpha1.js

@@ -5,6 +5,12 @@ const backend = require("../../backend");
 const proto_1 = require("../../../../gcp/proto");
 const parsing_1 = require("./parsing");
 const error_1 = require("../../../../error");
+const CHANNEL_NAME_REGEX = new RegExp("(projects\\/" +
+    "(?<project>(?:\\d+)|(?:[A-Za-z]+[A-Za-z\\d-]*[A-Za-z\\d]?))\\/)?" +
+    "locations\\/" +
+    "(?<location>[A-Za-z\\d\\-_]+)\\/" +
+    "channels\\/" +
+    "(?<channel>[A-Za-z\\d\\-_]+)");
 function backendFromV1Alpha1(yaml, project, region, runtime) {
     const manifest = JSON.parse(JSON.stringify(yaml));
     const bkend = backend.empty();
@@ -42,17 +48,17 @@ function parseEndpoints(manifest, id, project, defaultRegion, runtime) {
     const ep = manifest.endpoints[id];
     (0, parsing_1.assertKeyTypes)(prefix, ep, {
         region: "array",
-        platform: "string",
+        platform: (platform) => backend.AllFunctionsPlatforms.includes(platform),
         entryPoint: "string",
-        availableMemoryMb: "number",
+        availableMemoryMb: (mem) => backend.AllMemoryOptions.includes(mem),
         maxInstances: "number",
         minInstances: "number",
         concurrency: "number",
         serviceAccountEmail: "string",
-        timeout: "string",
+        timeoutSeconds: "number",
         vpc: "object",
         labels: "object",
-        ingressSettings: "string",
+        ingressSettings: (setting) => backend.AllIngressSettings.includes(setting),
         environmentVariables: "object",
         secretEnvironmentVariables: "array",
         httpsTrigger: "object",
@@ -60,7 +66,16 @@ function parseEndpoints(manifest, id, project, defaultRegion, runtime) {
         eventTrigger: "object",
         scheduleTrigger: "object",
         taskQueueTrigger: "object",
+        blockingTrigger: "object",
+        cpu: (cpu) => typeof cpu === "number" || cpu === "gcf_gen1",
     });
+    if (ep.vpc) {
+        (0, parsing_1.assertKeyTypes)(prefix + ".vpc", ep.vpc, {
+            connector: "string",
+            egressSettings: (setting) => backend.AllVpcEgressSettings.includes(setting),
+        });
+        (0, parsing_1.requireKeys)(prefix + ".vpc", ep.vpc, "connector");
+    }
     let triggerCount = 0;
     if (ep.httpsTrigger) {
         triggerCount++;
@@ -77,6 +92,9 @@ function parseEndpoints(manifest, id, project, defaultRegion, runtime) {
     if (ep.taskQueueTrigger) {
         triggerCount++;
     }
+    if (ep.blockingTrigger) {
+        triggerCount++;
+    }
     if (!triggerCount) {
         throw new error_1.FirebaseError("Expected trigger in endpoint " + id);
     }
@@ -88,16 +106,19 @@ function parseEndpoints(manifest, id, project, defaultRegion, runtime) {
         if (backend.isEventTriggered(ep)) {
             (0, parsing_1.requireKeys)(prefix + ".eventTrigger", ep.eventTrigger, "eventType", "eventFilters");
             (0, parsing_1.assertKeyTypes)(prefix + ".eventTrigger", ep.eventTrigger, {
-                eventFilters: "array",
+                eventFilters: "object",
+                eventFilterPathPatterns: "object",
                 eventType: "string",
                 retry: "boolean",
                 region: "string",
                 serviceAccountEmail: "string",
+                channel: "string",
             });
             triggered = { eventTrigger: ep.eventTrigger };
-            for (const eventFilter of triggered.eventTrigger.eventFilters) {
-                if (eventFilter.attribute === "topic" && !eventFilter.value.startsWith("projects/")) {
-                    eventFilter.value = `projects/${project}/topics/${eventFilter.value}`;
+            (0, proto_1.renameIfPresent)(triggered.eventTrigger, ep.eventTrigger, "channel", "channel", (c) => resolveChannelName(project, c, defaultRegion));
+            for (const [k, v] of Object.entries(triggered.eventTrigger.eventFilters)) {
+                if (k === "topic" && !v.startsWith("projects/")) {
+                    triggered.eventTrigger.eventFilters[k] = `projects/${project}/topics/${v}`;
                 }
             }
         }
@@ -134,7 +155,6 @@ function parseEndpoints(manifest, id, project, defaultRegion, runtime) {
             });
             if (ep.taskQueueTrigger.rateLimits) {
                 (0, parsing_1.assertKeyTypes)(prefix + ".taskQueueTrigger.rateLimits", ep.taskQueueTrigger.rateLimits, {
-                    maxBurstSize: "number",
                     maxConcurrentDispatches: "number",
                     maxDispatchesPerSecond: "number",
                 });
@@ -142,14 +162,22 @@ function parseEndpoints(manifest, id, project, defaultRegion, runtime) {
             if (ep.taskQueueTrigger.retryConfig) {
                 (0, parsing_1.assertKeyTypes)(prefix + ".taskQueueTrigger.retryConfig", ep.taskQueueTrigger.retryConfig, {
                     maxAttempts: "number",
-                    maxRetryDuration: "string",
-                    minBackoff: "string",
-                    maxBackoff: "string",
+                    maxRetrySeconds: "number",
+                    minBackoffSeconds: "number",
+                    maxBackoffSeconds: "number",
                     maxDoublings: "number",
                 });
             }
             triggered = { taskQueueTrigger: ep.taskQueueTrigger };
         }
+        else if (backend.isBlockingTriggered(ep)) {
+            (0, parsing_1.requireKeys)(prefix + ".blockingTrigger", ep.blockingTrigger, "eventType");
+            (0, parsing_1.assertKeyTypes)(prefix + ".blockingTrigger", ep.blockingTrigger, {
+                eventType: "string",
+                options: "object",
+            });
+            triggered = { blockingTrigger: ep.blockingTrigger };
+        }
         else {
             throw new error_1.FirebaseError(`Do not recognize trigger type for endpoint ${id}. Try upgrading ` +
                 "firebase-tools with npm install -g firebase-tools@latest");
@@ -159,8 +187,28 @@ function parseEndpoints(manifest, id, project, defaultRegion, runtime) {
             region,
             project,
             runtime, entryPoint: ep.entryPoint }, triggered);
-        (0, proto_1.copyIfPresent)(parsed, ep, "availableMemoryMb", "maxInstances", "minInstances", "concurrency", "serviceAccountEmail", "timeout", "vpc", "labels", "ingressSettings", "environmentVariables");
+        (0, proto_1.copyIfPresent)(parsed, ep, "availableMemoryMb", "maxInstances", "minInstances", "concurrency", "serviceAccountEmail", "timeoutSeconds", "vpc", "labels", "ingressSettings", "environmentVariables");
         allParsed.push(parsed);
     }
     return allParsed;
 }
+function resolveChannelName(projectId, channel, defaultRegion) {
+    if (!channel.includes("/")) {
+        const location = defaultRegion;
+        const channelId = channel;
+        return "projects/" + projectId + "/locations/" + location + "/channels/" + channelId;
+    }
+    const match = CHANNEL_NAME_REGEX.exec(channel);
+    if (!(match === null || match === void 0 ? void 0 : match.groups)) {
+        throw new error_1.FirebaseError("Invalid channel name format.");
+    }
+    const matchedProjectId = match.groups.project;
+    const location = match.groups.location;
+    const channelId = match.groups.channel;
+    if (matchedProjectId) {
+        return "projects/" + matchedProjectId + "/locations/" + location + "/channels/" + channelId;
+    }
+    else {
+        return "projects/" + projectId + "/locations/" + location + "/channels/" + channelId;
+    }
+}

package/lib/deploy/functions/runtimes/node/index.js

@@ -17,7 +17,7 @@ const discovery = require("../discovery");
 const validate = require("./validate");
 const versioning = require("./versioning");
 const parseTriggers = require("./parseTriggers");
-const MIN_FUNCTIONS_SDK_VERSION = "3.19.0";
+const MIN_FUNCTIONS_SDK_VERSION = "3.20.0";
 async function tryCreateDelegate(context) {
     const packageJsonPath = path.join(context.sourceDir, "package.json");
     if (!(await (0, util_1.promisify)(fs.exists)(packageJsonPath))) {

package/lib/deploy/functions/runtimes/node/parseRuntimeAndValidateSDK.js

@@ -4,7 +4,7 @@ exports.getRuntimeChoice = exports.DEPRECATED_NODE_VERSION_INFO = exports.UNSUPP
 const path = require("path");
 const clc = require("cli-color");
 const error_1 = require("../../../../error");
-const track = require("../../../../track");
+const track_1 = require("../../../../track");
 const runtimes = require("../../runtimes");
 const cjson = require("cjson");
 const ENGINE_RUNTIMES = {
@@ -46,11 +46,11 @@ function getRuntimeChoice(sourceDir, runtimeFromConfig) {
         ? exports.UNSUPPORTED_NODE_VERSION_FIREBASE_JSON_MSG
         : exports.UNSUPPORTED_NODE_VERSION_PACKAGE_JSON_MSG) + exports.DEPRECATED_NODE_VERSION_INFO;
     if (!runtime || !ENGINE_RUNTIMES_NAMES.includes(runtime)) {
-        void track("functions_runtime_notices", "package_missing_runtime");
+        void (0, track_1.track)("functions_runtime_notices", "package_missing_runtime");
         throw new error_1.FirebaseError(errorMessage, { exit: 1 });
     }
     if (runtimes.isDeprecatedRuntime(runtime) || !runtimes.isValidRuntime(runtime)) {
-        void track("functions_runtime_notices", `${runtime}_deploy_prohibited`);
+        void (0, track_1.track)("functions_runtime_notices", `${runtime}_deploy_prohibited`);
         throw new error_1.FirebaseError(errorMessage, { exit: 1 });
     }
     return runtime;

package/lib/deploy/functions/runtimes/node/parseTriggers.js

@@ -9,7 +9,7 @@ const logger_1 = require("../../../../logger");
 const backend = require("../../backend");
 const api = require("../../../../api");
 const proto = require("../../../../gcp/proto");
-const v2events = require("../../../../functions/events/v2");
+const events = require("../../../../functions/events");
 const TRIGGER_PARSER = path.resolve(__dirname, "./triggerParser.js");
 function removeInspectOptions(options) {
     return options.filter((opt) => !opt.startsWith("--inspect"));
@@ -62,7 +62,9 @@ function mergeRequiredAPIs(backend) {
     const apiToReasons = {};
     for (const { api, reason } of backend.requiredAPIs) {
         const reasons = apiToReasons[api] || new Set();
-        reasons.add(reason);
+        if (reason) {
+            reasons.add(reason);
+        }
         apiToReasons[api] = reasons;
     }
     const merged = [];
@@ -77,7 +79,10 @@ function addResourcesToBackend(projectId, runtime, annotation, want) {
     Object.freeze(annotation);
     for (const region of annotation.regions || [api.functionsDefaultRegion]) {
         let triggered;
-        const triggerCount = +!!annotation.httpsTrigger + +!!annotation.eventTrigger + +!!annotation.taskQueueTrigger;
+        const triggerCount = +!!annotation.httpsTrigger +
+            +!!annotation.eventTrigger +
+            +!!annotation.taskQueueTrigger +
+            +!!annotation.blockingTrigger;
         if (triggerCount !== 1) {
             throw new error_1.FirebaseError("Unexpected annotation generated by the Firebase Functions SDK. This should never happen.");
         }
@@ -109,35 +114,34 @@ function addResourcesToBackend(projectId, runtime, annotation, want) {
             });
             triggered = { scheduleTrigger: annotation.schedule };
         }
+        else if (annotation.blockingTrigger) {
+            if (events.v1.AUTH_BLOCKING_EVENTS.includes(annotation.blockingTrigger.eventType)) {
+                want.requiredAPIs.push({
+                    api: "identitytoolkit.googleapis.com",
+                    reason: "Needed for auth blocking functions.",
+                });
+            }
+            triggered = {
+                blockingTrigger: {
+                    eventType: annotation.blockingTrigger.eventType,
+                    options: annotation.blockingTrigger.options,
+                },
+            };
+        }
         else {
             triggered = {
                 eventTrigger: {
                     eventType: annotation.eventTrigger.eventType,
-                    eventFilters: [
-                        {
-                            attribute: "resource",
-                            value: annotation.eventTrigger.resource,
-                        },
-                    ],
+                    eventFilters: { resource: annotation.eventTrigger.resource },
                     retry: !!annotation.failurePolicy,
                 },
             };
             if (annotation.platform === "gcfv2") {
-                if (annotation.eventTrigger.eventType === v2events.PUBSUB_PUBLISH_EVENT) {
-                    triggered.eventTrigger.eventFilters = [
-                        {
-                            attribute: "topic",
-                            value: annotation.eventTrigger.resource,
-                        },
-                    ];
+                if (annotation.eventTrigger.eventType === events.v2.PUBSUB_PUBLISH_EVENT) {
+                    triggered.eventTrigger.eventFilters = { topic: annotation.eventTrigger.resource };
                 }
-                if (v2events.STORAGE_EVENTS.find((event) => { var _a; return event === (((_a = annotation.eventTrigger) === null || _a === void 0 ? void 0 : _a.eventType) || ""); })) {
-                    triggered.eventTrigger.eventFilters = [
-                        {
-                            attribute: "bucket",
-                            value: annotation.eventTrigger.resource,
-                        },
-                    ];
+                if (events.v2.STORAGE_EVENTS.find((event) => { var _a; return event === (((_a = annotation.eventTrigger) === null || _a === void 0 ? void 0 : _a.eventType) || ""); })) {
+                    triggered.eventTrigger.eventFilters = { bucket: annotation.eventTrigger.resource };
                 }
             }
         }
@@ -162,7 +166,8 @@ function addResourcesToBackend(projectId, runtime, annotation, want) {
             }
             endpoint.secretEnvironmentVariables = secretEnvs;
         }
-        proto.copyIfPresent(endpoint, annotation, "concurrency", "serviceAccountEmail", "labels", "ingressSettings", "timeout", "maxInstances", "minInstances", "availableMemoryMb");
+        proto.copyIfPresent(endpoint, annotation, "concurrency", "serviceAccountEmail", "labels", "ingressSettings", "maxInstances", "minInstances", "availableMemoryMb");
+        proto.renameIfPresent(endpoint, annotation, "timeoutSeconds", "timeout", proto.secondsFromDuration);
         want.endpoints[region] = want.endpoints[region] || {};
         want.endpoints[region][endpoint.id] = endpoint;
         mergeRequiredAPIs(want);

package/lib/deploy/functions/runtimes/node/versioning.js

@@ -7,7 +7,7 @@ const semver = require("semver");
 const spawn = require("cross-spawn");
 const utils = require("../../../../utils");
 const logger_1 = require("../../../../logger");
-const track = require("../../../../track");
+const track_1 = require("../../../../track");
 const MIN_SDK_VERSION = "2.0.0";
 exports.FUNCTIONS_SDK_VERSION_TOO_OLD_WARNING = clc.bold.yellow("functions: ") +
     "You must have a " +
@@ -52,7 +52,7 @@ exports.getLatestSDKVersion = getLatestSDKVersion;
 function checkFunctionsSDKVersion(currentVersion) {
     try {
         if (semver.lt(currentVersion, MIN_SDK_VERSION)) {
-            void track("functions_runtime_notices", "functions_sdk_too_old");
+            void (0, track_1.track)("functions_runtime_notices", "functions_sdk_too_old");
             utils.logWarning(exports.FUNCTIONS_SDK_VERSION_TOO_OLD_WARNING);
         }
         const latest = exports.getLatestSDKVersion();

package/lib/deploy/functions/services/auth.js

@@ -0,0 +1,95 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthBlockingService = void 0;
+const backend = require("../backend");
+const identityPlatform = require("../../../gcp/identityPlatform");
+const events = require("../../../functions/events");
+const error_1 = require("../../../error");
+const utils_1 = require("../../../utils");
+const index_1 = require("./index");
+class AuthBlockingService {
+    constructor() {
+        this.name = "authblocking";
+        this.api = "identitytoolkit.googleapis.com";
+        this.triggerQueue = Promise.resolve();
+        this.ensureTriggerRegion = index_1.noop;
+    }
+    validateTrigger(endpoint, wantBackend) {
+        if (!backend.isBlockingTriggered(endpoint)) {
+            return;
+        }
+        const blockingEndpoints = backend
+            .allEndpoints(wantBackend)
+            .filter((ep) => backend.isBlockingTriggered(ep));
+        if (blockingEndpoints.find((ep) => ep.blockingTrigger.eventType === endpoint.blockingTrigger.eventType &&
+            ep.id !== endpoint.id)) {
+            throw new error_1.FirebaseError(`Can only create at most one Auth Blocking Trigger for ${endpoint.blockingTrigger.eventType} events`);
+        }
+    }
+    configChanged(newConfig, config) {
+        var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o, _p;
+        if (((_b = (_a = newConfig.triggers) === null || _a === void 0 ? void 0 : _a.beforeCreate) === null || _b === void 0 ? void 0 : _b.functionUri) !==
+            ((_d = (_c = config.triggers) === null || _c === void 0 ? void 0 : _c.beforeCreate) === null || _d === void 0 ? void 0 : _d.functionUri) ||
+            ((_f = (_e = newConfig.triggers) === null || _e === void 0 ? void 0 : _e.beforeSignIn) === null || _f === void 0 ? void 0 : _f.functionUri) !== ((_h = (_g = config.triggers) === null || _g === void 0 ? void 0 : _g.beforeSignIn) === null || _h === void 0 ? void 0 : _h.functionUri)) {
+            return true;
+        }
+        if (!!((_j = newConfig.forwardInboundCredentials) === null || _j === void 0 ? void 0 : _j.accessToken) !==
+            !!((_k = config.forwardInboundCredentials) === null || _k === void 0 ? void 0 : _k.accessToken) ||
+            !!((_l = newConfig.forwardInboundCredentials) === null || _l === void 0 ? void 0 : _l.idToken) !==
+                !!((_m = config.forwardInboundCredentials) === null || _m === void 0 ? void 0 : _m.idToken) ||
+            !!((_o = newConfig.forwardInboundCredentials) === null || _o === void 0 ? void 0 : _o.refreshToken) !==
+                !!((_p = config.forwardInboundCredentials) === null || _p === void 0 ? void 0 : _p.refreshToken)) {
+            return true;
+        }
+        return false;
+    }
+    async registerTriggerLocked(endpoint) {
+        const newBlockingConfig = await identityPlatform.getBlockingFunctionsConfig(endpoint.project);
+        const oldBlockingConfig = (0, utils_1.cloneDeep)(newBlockingConfig);
+        if (endpoint.blockingTrigger.eventType === events.v1.BEFORE_CREATE_EVENT) {
+            newBlockingConfig.triggers = Object.assign(Object.assign({}, newBlockingConfig.triggers), { beforeCreate: {
+                    functionUri: endpoint.uri,
+                } });
+        }
+        else {
+            newBlockingConfig.triggers = Object.assign(Object.assign({}, newBlockingConfig.triggers), { beforeSignIn: {
+                    functionUri: endpoint.uri,
+                } });
+        }
+        newBlockingConfig.forwardInboundCredentials = Object.assign(Object.assign({}, oldBlockingConfig.forwardInboundCredentials), endpoint.blockingTrigger.options);
+        if (!this.configChanged(newBlockingConfig, oldBlockingConfig)) {
+            return;
+        }
+        await identityPlatform.setBlockingFunctionsConfig(endpoint.project, newBlockingConfig);
+    }
+    registerTrigger(ep) {
+        if (!backend.isBlockingTriggered(ep)) {
+            return Promise.resolve();
+        }
+        this.triggerQueue = this.triggerQueue.then(() => this.registerTriggerLocked(ep));
+        return this.triggerQueue;
+    }
+    async unregisterTriggerLocked(endpoint) {
+        var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k;
+        const blockingConfig = await identityPlatform.getBlockingFunctionsConfig(endpoint.project);
+        if (endpoint.uri !== ((_b = (_a = blockingConfig.triggers) === null || _a === void 0 ? void 0 : _a.beforeCreate) === null || _b === void 0 ? void 0 : _b.functionUri) &&
+            endpoint.uri !== ((_d = (_c = blockingConfig.triggers) === null || _c === void 0 ? void 0 : _c.beforeSignIn) === null || _d === void 0 ? void 0 : _d.functionUri)) {
+            return;
+        }
+        if (endpoint.uri === ((_f = (_e = blockingConfig.triggers) === null || _e === void 0 ? void 0 : _e.beforeCreate) === null || _f === void 0 ? void 0 : _f.functionUri)) {
+            (_g = blockingConfig.triggers) === null || _g === void 0 ? true : delete _g.beforeCreate;
+        }
+        if (endpoint.uri === ((_j = (_h = blockingConfig.triggers) === null || _h === void 0 ? void 0 : _h.beforeSignIn) === null || _j === void 0 ? void 0 : _j.functionUri)) {
+            (_k = blockingConfig.triggers) === null || _k === void 0 ? true : delete _k.beforeSignIn;
+        }
+        await identityPlatform.setBlockingFunctionsConfig(endpoint.project, blockingConfig);
+    }
+    unregisterTrigger(ep) {
+        if (!backend.isBlockingTriggered(ep)) {
+            return Promise.resolve();
+        }
+        this.triggerQueue = this.triggerQueue.then(() => this.unregisterTriggerLocked(ep));
+        return this.triggerQueue;
+    }
+}
+exports.AuthBlockingService = AuthBlockingService;

package/lib/deploy/functions/services/index.js

@@ -1,47 +1,67 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.serviceForEndpoint = exports.EVENT_SERVICE_MAPPING = exports.FirebaseAlertsService = exports.StorageService = exports.PubSubService = exports.NoOpService = void 0;
+exports.serviceForEndpoint = exports.noopProjectBindings = exports.noop = void 0;
 const backend = require("../backend");
+const auth_1 = require("./auth");
 const storage_1 = require("./storage");
 const firebaseAlerts_1 = require("./firebaseAlerts");
 const noop = () => Promise.resolve();
+exports.noop = noop;
 const noopProjectBindings = () => Promise.resolve([]);
-exports.NoOpService = {
+exports.noopProjectBindings = noopProjectBindings;
+const noOpService = {
     name: "noop",
     api: "",
-    requiredProjectBindings: undefined,
-    ensureTriggerRegion: noop,
+    ensureTriggerRegion: exports.noop,
+    validateTrigger: exports.noop,
+    registerTrigger: exports.noop,
+    unregisterTrigger: exports.noop,
 };
-exports.PubSubService = {
+const pubSubService = {
     name: "pubsub",
     api: "pubsub.googleapis.com",
-    requiredProjectBindings: undefined,
-    ensureTriggerRegion: noop,
+    requiredProjectBindings: exports.noopProjectBindings,
+    ensureTriggerRegion: exports.noop,
+    validateTrigger: exports.noop,
+    registerTrigger: exports.noop,
+    unregisterTrigger: exports.noop,
 };
-exports.StorageService = {
+const storageService = {
     name: "storage",
     api: "storage.googleapis.com",
     requiredProjectBindings: storage_1.obtainStorageBindings,
     ensureTriggerRegion: storage_1.ensureStorageTriggerRegion,
+    validateTrigger: exports.noop,
+    registerTrigger: exports.noop,
+    unregisterTrigger: exports.noop,
 };
-exports.FirebaseAlertsService = {
+const firebaseAlertsService = {
     name: "firebasealerts",
-    api: "logging.googleapis.com",
-    requiredProjectBindings: noopProjectBindings,
+    api: "firebasealerts.googleapis.com",
+    requiredProjectBindings: exports.noopProjectBindings,
     ensureTriggerRegion: firebaseAlerts_1.ensureFirebaseAlertsTriggerRegion,
+    validateTrigger: exports.noop,
+    registerTrigger: exports.noop,
+    unregisterTrigger: exports.noop,
 };
-exports.EVENT_SERVICE_MAPPING = {
-    "google.cloud.pubsub.topic.v1.messagePublished": exports.PubSubService,
-    "google.cloud.storage.object.v1.finalized": exports.StorageService,
-    "google.cloud.storage.object.v1.archived": exports.StorageService,
-    "google.cloud.storage.object.v1.deleted": exports.StorageService,
-    "google.cloud.storage.object.v1.metadataUpdated": exports.StorageService,
-    "google.firebase.firebasealerts.alerts.v1.published": exports.FirebaseAlertsService,
+const authBlockingService = new auth_1.AuthBlockingService();
+const EVENT_SERVICE_MAPPING = {
+    "google.cloud.pubsub.topic.v1.messagePublished": pubSubService,
+    "google.cloud.storage.object.v1.finalized": storageService,
+    "google.cloud.storage.object.v1.archived": storageService,
+    "google.cloud.storage.object.v1.deleted": storageService,
+    "google.cloud.storage.object.v1.metadataUpdated": storageService,
+    "google.firebase.firebasealerts.alerts.v1.published": firebaseAlertsService,
+    "providers/cloud.auth/eventTypes/user.beforeCreate": authBlockingService,
+    "providers/cloud.auth/eventTypes/user.beforeSignIn": authBlockingService,
 };
 function serviceForEndpoint(endpoint) {
-    if (!backend.isEventTriggered(endpoint)) {
-        return exports.NoOpService;
+    if (backend.isEventTriggered(endpoint)) {
+        return EVENT_SERVICE_MAPPING[endpoint.eventTrigger.eventType] || noOpService;
     }
-    return exports.EVENT_SERVICE_MAPPING[endpoint.eventTrigger.eventType] || exports.NoOpService;
+    if (backend.isBlockingTriggered(endpoint)) {
+        return EVENT_SERVICE_MAPPING[endpoint.blockingTrigger.eventType] || noOpService;
+    }
+    return noOpService;
 }
 exports.serviceForEndpoint = serviceForEndpoint;

package/lib/deploy/functions/services/storage.js

@@ -2,7 +2,6 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ensureStorageTriggerRegion = exports.obtainStorageBindings = void 0;
 const storage = require("../../../gcp/storage");
-const backend = require("../backend");
 const logger_1 = require("../../../logger");
 const error_1 = require("../../../error");
 const location_1 = require("../../../gcp/location");
@@ -27,12 +26,8 @@ async function ensureStorageTriggerRegion(endpoint) {
     const { eventTrigger } = endpoint;
     if (!eventTrigger.region) {
         logger_1.logger.debug("Looking up bucket region for the storage event trigger");
-        const bucketFilter = backend.findEventFilter(endpoint, "bucket");
-        if (!bucketFilter) {
-            throw new error_1.FirebaseError("Storage event trigger unexpectedly missing event filter with bucket attribute.");
-        }
         try {
-            const bucket = await storage.getBucket(bucketFilter.value);
+            const bucket = await storage.getBucket(eventTrigger.eventFilters.bucket);
             eventTrigger.region = bucket.location.toLowerCase();
             logger_1.logger.debug("Setting the event trigger region to", eventTrigger.region, ".");
         }

package/lib/deploy/functions/validate.js

@@ -10,18 +10,21 @@ const fsutils = require("../../fsutils");
 const backend = require("./backend");
 const utils = require("../../utils");
 const secrets = require("../../functions/secrets");
+const services_1 = require("./services");
 function endpointsAreValid(wantBackend) {
-    functionIdsAreValid(backend.allEndpoints(wantBackend));
-    const gcfV1WithConcurrency = backend
-        .allEndpoints(wantBackend)
+    const endpoints = backend.allEndpoints(wantBackend);
+    functionIdsAreValid(endpoints);
+    for (const ep of endpoints) {
+        (0, services_1.serviceForEndpoint)(ep).validateTrigger(ep, wantBackend);
+    }
+    const gcfV1WithConcurrency = endpoints
         .filter((endpoint) => (endpoint.concurrency || 1) !== 1 && endpoint.platform === "gcfv1")
         .map((endpoint) => endpoint.id);
     if (gcfV1WithConcurrency.length) {
         const msg = `Cannot set concurrency on the functions ${gcfV1WithConcurrency.join(",")} because they are GCF gen 1`;
         throw new error_1.FirebaseError(msg);
     }
-    const tooSmallForConcurrency = backend
-        .allEndpoints(wantBackend)
+    const tooSmallForConcurrency = endpoints
         .filter((endpoint) => {
         if ((endpoint.concurrency || 1) === 1) {
             return false;