firebase-tools 11.0.1 → 11.2.1

package/lib/emulator/auth/operations.js

@@ -1,8 +1,10 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.setAccountInfoImpl = exports.resetPassword = exports.SESSION_COOKIE_MAX_VALID_DURATION = exports.CUSTOM_TOKEN_AUDIENCE = exports.authOperations = void 0;
+exports.parseBlockingFunctionJwt = exports.setAccountInfoImpl = exports.resetPassword = exports.SESSION_COOKIE_MAX_VALID_DURATION = exports.CUSTOM_TOKEN_AUDIENCE = exports.authOperations = void 0;
 const url_1 = require("url");
 const jsonwebtoken_1 = require("jsonwebtoken");
+const node_fetch_1 = require("node-fetch");
+const abort_controller_1 = require("abort-controller");
 const utils_1 = require("./utils");
 const errors_1 = require("./errors");
 const types_1 = require("../types");
@@ -102,13 +104,13 @@ const MFA_INELIGIBLE_PROVIDER = new Set([
     state_1.PROVIDER_CUSTOM,
     state_1.PROVIDER_GAME_CENTER,
 ]);
-function signUp(state, reqBody, ctx) {
-    var _a;
+async function signUp(state, reqBody, ctx) {
+    var _a, _b, _c, _d;
     (0, errors_1.assert)(!state.disableAuth, "PROJECT_DISABLED");
-    (0, errors_1.assert)(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     let provider;
-    const updates = {
-        lastLoginAt: Date.now().toString(),
+    const timestamp = new Date();
+    let updates = {
+        lastLoginAt: timestamp.getTime().toString(),
     };
     if ((_a = ctx.security) === null || _a === void 0 ? void 0 : _a.Oauth2) {
         if (reqBody.idToken) {
@@ -169,19 +171,31 @@ function signUp(state, reqBody, ctx) {
     if (reqBody.idToken) {
         ({ user } = parseIdToken(state, reqBody.idToken));
     }
+    let extraClaims;
     if (!user) {
-        if (reqBody.localId) {
-            user = state.createUserWithLocalId(reqBody.localId, updates);
-            (0, errors_1.assert)(user, "DUPLICATE_LOCAL_ID");
+        updates.createdAt = timestamp.getTime().toString();
+        const localId = (_b = reqBody.localId) !== null && _b !== void 0 ? _b : state.generateLocalId();
+        if (reqBody.email && !((_c = ctx.security) === null || _c === void 0 ? void 0 : _c.Oauth2)) {
+            const userBeforeCreate = Object.assign({ localId }, updates);
+            const blockingResponse = await fetchBlockingFunction(state, state_1.BlockingFunctionEvents.BEFORE_CREATE, userBeforeCreate, { signInMethod: "password" });
+            updates = Object.assign(Object.assign({}, updates), blockingResponse.updates);
         }
-        else {
-            user = state.createUser(updates);
+        user = state.createUserWithLocalId(localId, updates);
+        (0, errors_1.assert)(user, "DUPLICATE_LOCAL_ID");
+        if (reqBody.email && !((_d = ctx.security) === null || _d === void 0 ? void 0 : _d.Oauth2)) {
+            if (!user.disabled) {
+                const blockingResponse = await fetchBlockingFunction(state, state_1.BlockingFunctionEvents.BEFORE_SIGN_IN, user, { signInMethod: "password" });
+                updates = blockingResponse.updates;
+                extraClaims = blockingResponse.extraClaims;
+                user = state.updateUserByLocalId(user.localId, updates);
+            }
+            (0, errors_1.assert)(!user.disabled, "USER_DISABLED");
         }
     }
     else {
         user = state.updateUserByLocalId(user.localId, updates);
     }
-    return Object.assign({ kind: "identitytoolkit#SignupNewUserResponse", localId: user.localId, displayName: user.displayName, email: user.email }, (provider ? issueTokens(state, user, provider) : {}));
+    return Object.assign({ kind: "identitytoolkit#SignupNewUserResponse", localId: user.localId, displayName: user.displayName, email: user.email }, (provider ? issueTokens(state, user, provider, { extraClaims }) : {}));
 }
 function lookup(state, reqBody, ctx) {
     var _a, _b, _c, _d, _e;
@@ -227,7 +241,6 @@ function lookup(state, reqBody, ctx) {
 function batchCreate(state, reqBody) {
     var _a, _b;
     (0, errors_1.assert)(!state.disableAuth, "PROJECT_DISABLED");
-    (0, errors_1.assert)(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     (0, errors_1.assert)((_a = reqBody.users) === null || _a === void 0 ? void 0 : _a.length, "MISSING_USER_ACCOUNT");
     if (reqBody.sanityCheck) {
         if (state.oneAccountPerEmail) {
@@ -423,7 +436,6 @@ function batchGet(state, reqBody, ctx) {
 function createAuthUri(state, reqBody) {
     var _a;
     (0, errors_1.assert)(!state.disableAuth, "PROJECT_DISABLED");
-    (0, errors_1.assert)(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     const sessionId = reqBody.sessionId || (0, utils_1.randomId)(27);
     if (reqBody.providerId) {
         throw new errors_1.NotImplementedError("Sign-in with IDP is not yet supported.");
@@ -482,8 +494,7 @@ function createAuthUri(state, reqBody) {
 }
 const SESSION_COOKIE_MIN_VALID_DURATION = 5 * 60;
 exports.SESSION_COOKIE_MAX_VALID_DURATION = 14 * 24 * 60 * 60;
-function createSessionCookie(state, reqBody, ctx) {
-    (0, errors_1.assert)(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
+function createSessionCookie(state, reqBody) {
     (0, errors_1.assert)(reqBody.idToken, "MISSING_ID_TOKEN");
     const validDuration = Number(reqBody.validDuration) || exports.SESSION_COOKIE_MAX_VALID_DURATION;
     (0, errors_1.assert)(validDuration >= SESSION_COOKIE_MIN_VALID_DURATION &&
@@ -573,7 +584,6 @@ function queryAccounts(state, reqBody) {
 function resetPassword(state, reqBody) {
     var _a;
     (0, errors_1.assert)(!state.disableAuth, "PROJECT_DISABLED");
-    (0, errors_1.assert)(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     (0, errors_1.assert)(state.allowPasswordSignup, "PASSWORD_LOGIN_DISABLED");
     (0, errors_1.assert)(reqBody.oobCode, "MISSING_OOB_CODE");
     const oob = state.validateOobCode(reqBody.oobCode);
@@ -604,7 +614,6 @@ exports.resetPassword = resetPassword;
 function sendOobCode(state, reqBody, ctx) {
     var _a;
     (0, errors_1.assert)(!state.disableAuth, "PROJECT_DISABLED");
-    (0, errors_1.assert)(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     (0, errors_1.assert)(reqBody.requestType && reqBody.requestType !== "OOB_REQ_TYPE_UNSPECIFIED", "MISSING_REQ_TYPE");
     if (reqBody.returnOobLink) {
         (0, errors_1.assert)((_a = ctx.security) === null || _a === void 0 ? void 0 : _a.Oauth2, "INSUFFICIENT_PERMISSION");
@@ -673,7 +682,6 @@ function sendVerificationCode(state, reqBody) {
     var _a;
     (0, errors_1.assert)(!state.disableAuth, "PROJECT_DISABLED");
     (0, errors_1.assert)(state instanceof state_1.AgentProjectState, "UNSUPPORTED_TENANT_OPERATION");
-    (0, errors_1.assert)(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     (0, errors_1.assert)(reqBody.phoneNumber && (0, utils_1.isValidPhoneNumber)(reqBody.phoneNumber), "INVALID_PHONE_NUMBER : Invalid format.");
     const user = state.getUserByPhoneNumber(reqBody.phoneNumber);
     (0, errors_1.assert)(!((_a = user === null || user === void 0 ? void 0 : user.mfaInfo) === null || _a === void 0 ? void 0 : _a.length), "UNSUPPORTED_FIRST_FACTOR : A phone number cannot be set as a first factor on an SMS based MFA user.");
@@ -686,7 +694,6 @@ function sendVerificationCode(state, reqBody) {
 function setAccountInfo(state, reqBody, ctx) {
     var _a;
     (0, errors_1.assert)(!state.disableAuth, "PROJECT_DISABLED");
-    (0, errors_1.assert)(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     const url = (0, utils_1.authEmulatorUrl)(ctx.req);
     return setAccountInfoImpl(state, reqBody, {
         privileged: !!((_a = ctx.security) === null || _a === void 0 ? void 0 : _a.Oauth2),
@@ -943,10 +950,11 @@ function signInWithCustomToken(state, reqBody) {
         extraClaims = payload.claims;
     }
     let user = state.getUserByLocalId(localId);
-    const isNewUser = state.usageMode === state_1.UsageMode.PASSTHROUGH ? false : !user;
+    const isNewUser = !user;
+    const timestamp = new Date();
     const updates = {
         customAuth: true,
-        lastLoginAt: Date.now().toString(),
+        lastLoginAt: timestamp.getTime().toString(),
         tenantId: state instanceof state_1.TenantProjectState ? state.tenantId : undefined,
     };
     if (user) {
@@ -954,6 +962,7 @@ function signInWithCustomToken(state, reqBody) {
         user = state.updateUserByLocalId(localId, updates);
     }
     else {
+        updates.createdAt = timestamp.getTime().toString();
         user = state.createUserWithLocalId(localId, updates);
         if (!user) {
             throw new Error(`Internal assertion error: trying to create duplicate localId: ${localId}`);
@@ -961,11 +970,9 @@ function signInWithCustomToken(state, reqBody) {
     }
     return Object.assign({ kind: "identitytoolkit#VerifyCustomTokenResponse", isNewUser }, issueTokens(state, user, state_1.PROVIDER_CUSTOM, { extraClaims }));
 }
-function signInWithEmailLink(state, reqBody) {
-    var _a;
+async function signInWithEmailLink(state, reqBody) {
     (0, errors_1.assert)(!state.disableAuth, "PROJECT_DISABLED");
     (0, errors_1.assert)(state.enableEmailLinkSignin, "OPERATION_NOT_ALLOWED");
-    (0, errors_1.assert)(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     const userFromIdToken = reqBody.idToken ? parseIdToken(state, reqBody.idToken).user : undefined;
     (0, errors_1.assert)(reqBody.email, "MISSING_EMAIL");
     const email = (0, utils_1.canonicalizeEmailAddress)(reqBody.email);
@@ -974,7 +981,11 @@ function signInWithEmailLink(state, reqBody) {
     (0, errors_1.assert)(oob && oob.requestType === "EMAIL_SIGNIN", "INVALID_OOB_CODE");
     (0, errors_1.assert)(email === oob.email, "INVALID_EMAIL : The email provided does not match the sign-in email address.");
     state.deleteOobCode(reqBody.oobCode);
-    const updates = {
+    const userFromEmail = state.getUserByEmail(email);
+    let user = userFromIdToken || userFromEmail;
+    const isNewUser = !user;
+    const timestamp = new Date();
+    let updates = {
         email,
         emailVerified: true,
         emailLinkSignin: true,
@@ -982,19 +993,31 @@ function signInWithEmailLink(state, reqBody) {
     if (state instanceof state_1.TenantProjectState) {
         updates.tenantId = state.tenantId;
     }
-    let user = state.getUserByEmail(email);
-    const isNewUser = !user && !userFromIdToken;
+    let extraClaims;
     if (!user) {
-        if (userFromIdToken) {
-            user = state.updateUserByLocalId(userFromIdToken.localId, updates);
-        }
-        else {
-            user = state.createUser(updates);
+        updates.createdAt = timestamp.getTime().toString();
+        const localId = state.generateLocalId();
+        const userBeforeCreate = Object.assign({ localId }, updates);
+        const blockingResponse = await fetchBlockingFunction(state, state_1.BlockingFunctionEvents.BEFORE_CREATE, userBeforeCreate, { signInMethod: "emailLink" });
+        updates = Object.assign(Object.assign({}, updates), blockingResponse.updates);
+        user = state.createUserWithLocalId(localId, updates);
+        if (!user.disabled && !isMfaEnabled(state, user)) {
+            const blockingResponse = await fetchBlockingFunction(state, state_1.BlockingFunctionEvents.BEFORE_SIGN_IN, user, { signInMethod: "emailLink" });
+            updates = blockingResponse.updates;
+            extraClaims = blockingResponse.extraClaims;
+            user = state.updateUserByLocalId(user.localId, updates);
         }
     }
     else {
         (0, errors_1.assert)(!user.disabled, "USER_DISABLED");
-        (0, errors_1.assert)(!userFromIdToken || userFromIdToken.localId === user.localId, "EMAIL_EXISTS");
+        if (userFromIdToken && userFromEmail) {
+            (0, errors_1.assert)(userFromIdToken.localId === userFromEmail.localId, "EMAIL_EXISTS");
+        }
+        if (!user.disabled && !isMfaEnabled(state, user)) {
+            const blockingResponse = await fetchBlockingFunction(state, state_1.BlockingFunctionEvents.BEFORE_SIGN_IN, Object.assign(Object.assign({}, user), updates), { signInMethod: "emailLink" });
+            updates = Object.assign(Object.assign({}, updates), blockingResponse.updates);
+            extraClaims = blockingResponse.extraClaims;
+        }
         user = state.updateUserByLocalId(user.localId, updates);
     }
     const response = {
@@ -1003,19 +1026,18 @@ function signInWithEmailLink(state, reqBody) {
         localId: user.localId,
         isNewUser,
     };
-    if ((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") &&
-        ((_a = user.mfaInfo) === null || _a === void 0 ? void 0 : _a.length)) {
+    (0, errors_1.assert)(!user.disabled, "USER_DISABLED");
+    if (isMfaEnabled(state, user)) {
         return Object.assign(Object.assign({}, response), mfaPending(state, user, state_1.PROVIDER_PASSWORD));
     }
     else {
         user = state.updateUserByLocalId(user.localId, { lastLoginAt: Date.now().toString() });
-        return Object.assign(Object.assign({}, response), issueTokens(state, user, state_1.PROVIDER_PASSWORD));
+        return Object.assign(Object.assign({}, response), issueTokens(state, user, state_1.PROVIDER_PASSWORD, { extraClaims }));
     }
 }
-function signInWithIdp(state, reqBody) {
-    var _a, _b, _c;
+async function signInWithIdp(state, reqBody) {
+    var _a, _b;
     (0, errors_1.assert)(!state.disableAuth, "PROJECT_DISABLED");
-    (0, errors_1.assert)(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     if (reqBody.returnRefreshToken) {
         throw new errors_1.NotImplementedError("returnRefreshToken is not implemented yet.");
     }
@@ -1095,15 +1117,55 @@ function signInWithIdp(state, reqBody) {
         screenName: response.screenName,
     };
     let user;
+    let extraClaims;
+    const oauthTokens = {
+        oauthIdToken: response.oauthIdToken,
+        oauthAccessToken: response.oauthAccessToken,
+        oauthRefreshToken: response.oauthRefreshToken,
+        oauthTokenSecret: response.oauthTokenSecret,
+        oauthExpiresIn: coercePrimitiveToString(response.oauthExpireIn),
+    };
     if (response.isNewUser) {
-        user = state.createUser(Object.assign(Object.assign({}, accountUpdates.fields), { lastLoginAt: Date.now().toString(), providerUserInfo: [providerUserInfo], tenantId: state instanceof state_1.TenantProjectState ? state.tenantId : undefined }));
+        let updates = Object.assign(Object.assign({}, accountUpdates.fields), { lastLoginAt: Date.now().toString(), providerUserInfo: [providerUserInfo], tenantId: state instanceof state_1.TenantProjectState ? state.tenantId : undefined });
+        const localId = state.generateLocalId();
+        const userBeforeCreate = Object.assign({ localId }, updates);
+        const blockingResponse = await fetchBlockingFunction(state, state_1.BlockingFunctionEvents.BEFORE_CREATE, userBeforeCreate, {
+            signInMethod: response.providerId,
+            rawUserInfo: response.rawUserInfo,
+            signInAttributes: JSON.stringify(signInAttributes),
+        }, oauthTokens);
+        updates = Object.assign(Object.assign({}, updates), blockingResponse.updates);
+        user = state.createUserWithLocalId(localId, updates);
         response.localId = user.localId;
+        if (!user.disabled && !isMfaEnabled(state, user)) {
+            const blockingResponse = await fetchBlockingFunction(state, state_1.BlockingFunctionEvents.BEFORE_SIGN_IN, user, {
+                signInMethod: response.providerId,
+                rawUserInfo: response.rawUserInfo,
+                signInAttributes: JSON.stringify(signInAttributes),
+            }, oauthTokens);
+            updates = blockingResponse.updates;
+            extraClaims = blockingResponse.extraClaims;
+            user = state.updateUserByLocalId(user.localId, updates);
+        }
     }
     else {
         if (!response.localId) {
             throw new Error("Internal assertion error: localId not set for exising user.");
         }
-        user = state.updateUserByLocalId(response.localId, Object.assign({}, accountUpdates.fields), {
+        const maybeUser = state.getUserByLocalId(response.localId);
+        (0, errors_1.assert)(maybeUser, "USER_NOT_FOUND");
+        user = maybeUser;
+        let updates = Object.assign({}, accountUpdates.fields);
+        if (!user.disabled && !isMfaEnabled(state, user)) {
+            const blockingResponse = await fetchBlockingFunction(state, state_1.BlockingFunctionEvents.BEFORE_SIGN_IN, Object.assign(Object.assign({}, user), updates), {
+                signInMethod: response.providerId,
+                rawUserInfo: response.rawUserInfo,
+                signInAttributes: JSON.stringify(signInAttributes),
+            }, oauthTokens);
+            extraClaims = blockingResponse.extraClaims;
+            updates = Object.assign(Object.assign({}, updates), blockingResponse.updates);
+        }
+        user = state.updateUserByLocalId(response.localId, updates, {
             upsertProviders: [providerUserInfo],
         });
     }
@@ -1113,20 +1175,18 @@ function signInWithIdp(state, reqBody) {
     if (state instanceof state_1.TenantProjectState) {
         response.tenantId = state.tenantId;
     }
-    if ((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") &&
-        ((_c = user.mfaInfo) === null || _c === void 0 ? void 0 : _c.length)) {
+    if (isMfaEnabled(state, user)) {
         return Object.assign(Object.assign({}, response), mfaPending(state, user, providerId));
     }
     else {
         user = state.updateUserByLocalId(user.localId, { lastLoginAt: Date.now().toString() });
-        return Object.assign(Object.assign({}, response), issueTokens(state, user, providerId, { signInAttributes }));
+        (0, errors_1.assert)(!(user === null || user === void 0 ? void 0 : user.disabled), "USER_DISABLED");
+        return Object.assign(Object.assign({}, response), issueTokens(state, user, providerId, { signInAttributes, extraClaims }));
     }
 }
-function signInWithPassword(state, reqBody) {
-    var _a;
+async function signInWithPassword(state, reqBody) {
     (0, errors_1.assert)(!state.disableAuth, "PROJECT_DISABLED");
     (0, errors_1.assert)(state.allowPasswordSignup, "PASSWORD_LOGIN_DISABLED");
-    (0, errors_1.assert)(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     (0, errors_1.assert)(reqBody.email, "MISSING_EMAIL");
     (0, errors_1.assert)(reqBody.password, "MISSING_PASSWORD");
     if (reqBody.captchaResponse || reqBody.captchaChallenge) {
@@ -1147,20 +1207,20 @@ function signInWithPassword(state, reqBody) {
         localId: user.localId,
         email,
     };
-    if ((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") &&
-        ((_a = user.mfaInfo) === null || _a === void 0 ? void 0 : _a.length)) {
+    if (isMfaEnabled(state, user)) {
         return Object.assign(Object.assign({}, response), mfaPending(state, user, state_1.PROVIDER_PASSWORD));
     }
     else {
-        user = state.updateUserByLocalId(user.localId, { lastLoginAt: Date.now().toString() });
-        return Object.assign(Object.assign({}, response), issueTokens(state, user, state_1.PROVIDER_PASSWORD));
+        const { updates, extraClaims } = await fetchBlockingFunction(state, state_1.BlockingFunctionEvents.BEFORE_SIGN_IN, user, { signInMethod: "password" });
+        user = state.updateUserByLocalId(user.localId, Object.assign(Object.assign({}, updates), { lastLoginAt: Date.now().toString() }));
+        (0, errors_1.assert)(!user.disabled, "USER_DISABLED");
+        return Object.assign(Object.assign({}, response), issueTokens(state, user, state_1.PROVIDER_PASSWORD, { extraClaims }));
     }
 }
-function signInWithPhoneNumber(state, reqBody) {
+async function signInWithPhoneNumber(state, reqBody) {
     var _a;
     (0, errors_1.assert)(!state.disableAuth, "PROJECT_DISABLED");
     (0, errors_1.assert)(state instanceof state_1.AgentProjectState, "UNSUPPORTED_TENANT_OPERATION");
-    (0, errors_1.assert)(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     let phoneNumber;
     if (reqBody.temporaryProof) {
         (0, errors_1.assert)(reqBody.phoneNumber, "MISSING_PHONE_NUMBER");
@@ -1173,39 +1233,54 @@ function signInWithPhoneNumber(state, reqBody) {
         (0, errors_1.assert)(reqBody.code, "MISSING_CODE");
         phoneNumber = verifyPhoneNumber(state, reqBody.sessionInfo, reqBody.code);
     }
-    let user = state.getUserByPhoneNumber(phoneNumber);
-    let isNewUser = false;
-    const updates = {
+    const userFromPhoneNumber = state.getUserByPhoneNumber(phoneNumber);
+    const userFromIdToken = reqBody.idToken ? parseIdToken(state, reqBody.idToken).user : undefined;
+    if (userFromPhoneNumber && userFromIdToken) {
+        if (userFromPhoneNumber.localId !== userFromIdToken.localId) {
+            (0, errors_1.assert)(!reqBody.temporaryProof, "PHONE_NUMBER_EXISTS");
+            return Object.assign({}, state.createTemporaryProof(phoneNumber));
+        }
+    }
+    let user = userFromIdToken || userFromPhoneNumber;
+    const isNewUser = !user;
+    const timestamp = new Date();
+    let updates = {
         phoneNumber,
-        lastLoginAt: Date.now().toString(),
+        lastLoginAt: timestamp.getTime().toString(),
     };
-    const userFromIdToken = reqBody.idToken ? parseIdToken(state, reqBody.idToken).user : undefined;
+    let extraClaims;
     if (!user) {
-        if (userFromIdToken) {
-            (0, errors_1.assert)(!((_a = userFromIdToken.mfaInfo) === null || _a === void 0 ? void 0 : _a.length), "UNSUPPORTED_FIRST_FACTOR : A phone number cannot be set as a first factor on an SMS based MFA user.");
-            user = state.updateUserByLocalId(userFromIdToken.localId, updates);
-        }
-        else {
-            isNewUser = true;
-            user = state.createUser(updates);
+        updates.createdAt = timestamp.getTime().toString();
+        const localId = state.generateLocalId();
+        const userBeforeCreate = Object.assign({ localId }, updates);
+        const blockingResponse = await fetchBlockingFunction(state, state_1.BlockingFunctionEvents.BEFORE_CREATE, userBeforeCreate, { signInMethod: "phone" });
+        updates = Object.assign(Object.assign({}, updates), blockingResponse.updates);
+        user = state.createUserWithLocalId(localId, updates);
+        if (!user.disabled) {
+            const blockingResponse = await fetchBlockingFunction(state, state_1.BlockingFunctionEvents.BEFORE_SIGN_IN, user, { signInMethod: "phone" });
+            updates = blockingResponse.updates;
+            extraClaims = blockingResponse.extraClaims;
+            user = state.updateUserByLocalId(user.localId, updates);
         }
     }
     else {
         (0, errors_1.assert)(!user.disabled, "USER_DISABLED");
-        if (userFromIdToken && userFromIdToken.localId !== user.localId) {
-            if (!reqBody.temporaryProof) {
-                return Object.assign({}, state.createTemporaryProof(phoneNumber));
-            }
-            throw new errors_1.BadRequestError("PHONE_NUMBER_EXISTS");
+        (0, errors_1.assert)(!((_a = user.mfaInfo) === null || _a === void 0 ? void 0 : _a.length), "UNSUPPORTED_FIRST_FACTOR : A phone number cannot be set as a first factor on an SMS based MFA user.");
+        if (!user.disabled) {
+            const blockingResponse = await fetchBlockingFunction(state, state_1.BlockingFunctionEvents.BEFORE_SIGN_IN, Object.assign(Object.assign({}, user), updates), { signInMethod: "phone" });
+            updates = Object.assign(Object.assign({}, updates), blockingResponse.updates);
+            extraClaims = blockingResponse.extraClaims;
         }
         user = state.updateUserByLocalId(user.localId, updates);
     }
-    const tokens = issueTokens(state, user, state_1.PROVIDER_PHONE);
+    (0, errors_1.assert)(!(user === null || user === void 0 ? void 0 : user.disabled), "USER_DISABLED");
+    const tokens = issueTokens(state, user, state_1.PROVIDER_PHONE, {
+        extraClaims,
+    });
     return Object.assign({ isNewUser,
         phoneNumber, localId: user.localId }, tokens);
 }
 function grantToken(state, reqBody) {
-    (0, errors_1.assert)(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     (0, errors_1.assert)(reqBody.grantType, "MISSING_GRANT_TYPE");
     (0, errors_1.assert)(reqBody.grantType === "refresh_token", "INVALID_GRANT_TYPE");
     (0, errors_1.assert)(reqBody.refreshToken, "MISSING_REFRESH_TOKEN");
@@ -1234,7 +1309,6 @@ function getEmulatorProjectConfig(state) {
         signIn: {
             allowDuplicateEmails: !state.oneAccountPerEmail,
         },
-        usageMode: state.usageMode,
     };
 }
 function updateEmulatorProjectConfig(state, reqBody, ctx) {
@@ -1243,9 +1317,6 @@ function updateEmulatorProjectConfig(state, reqBody, ctx) {
     if (((_a = reqBody.signIn) === null || _a === void 0 ? void 0 : _a.allowDuplicateEmails) != null) {
         updateMask.push("signIn.allowDuplicateEmails");
     }
-    if (reqBody.usageMode) {
-        updateMask.push("usageMode");
-    }
     ctx.params.query.updateMask = updateMask.join();
     updateConfig(state, reqBody, ctx);
     return getEmulatorProjectConfig(state);
@@ -1353,7 +1424,7 @@ function mfaSignInStart(state, reqBody) {
         },
     };
 }
-function mfaSignInFinalize(state, reqBody) {
+async function mfaSignInFinalize(state, reqBody) {
     var _a, _b;
     (0, errors_1.assert)(!state.disableAuth, "PROJECT_DISABLED");
     (0, errors_1.assert)((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") &&
@@ -1369,10 +1440,12 @@ function mfaSignInFinalize(state, reqBody) {
     const phoneNumber = verifyPhoneNumber(state, sessionInfo, code);
     let { user, signInProvider } = parsePendingCredential(state, reqBody.mfaPendingCredential);
     const enrollment = (_b = user.mfaInfo) === null || _b === void 0 ? void 0 : _b.find((enrollment) => enrollment.unobfuscatedPhoneInfo === phoneNumber);
+    const { updates, extraClaims } = await fetchBlockingFunction(state, state_1.BlockingFunctionEvents.BEFORE_SIGN_IN, user, { signInMethod: signInProvider, signInSecondFactor: "phone" });
+    user = state.updateUserByLocalId(user.localId, Object.assign(Object.assign({}, updates), { lastLoginAt: Date.now().toString() }));
     (0, errors_1.assert)(enrollment && enrollment.mfaEnrollmentId, "MFA_ENROLLMENT_NOT_FOUND");
-    user = state.updateUserByLocalId(user.localId, { lastLoginAt: Date.now().toString() });
     (0, errors_1.assert)(!user.disabled, "USER_DISABLED");
     const { idToken, refreshToken } = issueTokens(state, user, signInProvider, {
+        extraClaims,
         secondFactor: { identifier: enrollment.mfaEnrollmentId, provider: state_1.PROVIDER_PHONE },
     });
     return {
@@ -1380,7 +1453,7 @@ function mfaSignInFinalize(state, reqBody) {
         refreshToken,
     };
 }
-function getConfig(state, reqBody, ctx) {
+function getConfig(state) {
     (0, errors_1.assert)(state instanceof state_1.AgentProjectState, "((Can only get top-level configurations on agent projects.))");
     return state.config;
 }
@@ -1414,7 +1487,6 @@ function hashPassword(password, salt) {
 }
 function issueTokens(state, user, signInProvider, { extraClaims, secondFactor, signInAttributes, } = {}) {
     user = state.updateUserByLocalId(user.localId, { lastRefreshAt: new Date().toISOString() });
-    const usageMode = state.usageMode === state_1.UsageMode.PASSTHROUGH ? "passthrough" : undefined;
     const tenantId = state instanceof state_1.TenantProjectState ? state.tenantId : undefined;
     const expiresInSeconds = 60 * 60;
     const idToken = generateJwt(user, {
@@ -1423,16 +1495,13 @@ function issueTokens(state, user, signInProvider, { extraClaims, secondFactor, s
         expiresInSeconds,
         extraClaims,
         secondFactor,
-        usageMode,
         tenantId,
         signInAttributes,
     });
-    const refreshToken = state.usageMode === state_1.UsageMode.DEFAULT
-        ? state.createRefreshTokenFor(user, signInProvider, {
-            extraClaims,
-            secondFactor,
-        })
-        : undefined;
+    const refreshToken = state.createRefreshTokenFor(user, signInProvider, {
+        extraClaims,
+        secondFactor,
+    });
     return {
         idToken,
         refreshToken,
@@ -1440,7 +1509,6 @@ function issueTokens(state, user, signInProvider, { extraClaims, secondFactor, s
     };
 }
 function parseIdToken(state, idToken) {
-    (0, errors_1.assert)(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     const decoded = (0, jsonwebtoken_1.decode)(idToken, { complete: true });
     (0, errors_1.assert)(decoded, "INVALID_ID_TOKEN");
     if (decoded.header.alg !== "none") {
@@ -1457,7 +1525,7 @@ function parseIdToken(state, idToken) {
     const signInProvider = decoded.payload.firebase.sign_in_provider;
     return { user, signInProvider, payload: decoded.payload };
 }
-function generateJwt(user, { projectId, signInProvider, expiresInSeconds, extraClaims = {}, secondFactor, usageMode, tenantId, signInAttributes, }) {
+function generateJwt(user, { projectId, signInProvider, expiresInSeconds, extraClaims = {}, secondFactor, tenantId, signInAttributes, }) {
     const identities = {};
     if (user.email) {
         identities["email"] = [user.email];
@@ -1479,7 +1547,6 @@ function generateJwt(user, { projectId, signInProvider, expiresInSeconds, extraC
             sign_in_provider: signInProvider,
             second_factor_identifier: secondFactor === null || secondFactor === void 0 ? void 0 : secondFactor.identifier,
             sign_in_second_factor: secondFactor === null || secondFactor === void 0 ? void 0 : secondFactor.provider,
-            usage_mode: usageMode,
             tenant: tenantId,
             sign_in_attributes: signInAttributes,
         } });
@@ -1867,12 +1934,12 @@ function listTenants(state, reqBody, ctx) {
         tenants,
     };
 }
-function deleteTenant(state, reqBody, ctx) {
+function deleteTenant(state) {
     (0, errors_1.assert)(state instanceof state_1.TenantProjectState, "((Can only delete tenant on tenant projects.))");
     state.delete();
     return {};
 }
-function getTenant(state, reqBody, ctx) {
+function getTenant(state) {
     (0, errors_1.assert)(state instanceof state_1.TenantProjectState, "((Can only get tenant on tenant projects.))");
     return state.tenantConfig;
 }
@@ -1880,3 +1947,185 @@ function updateTenant(state, reqBody, ctx) {
     (0, errors_1.assert)(state instanceof state_1.TenantProjectState, "((Can only update tenant on tenant projects.))");
     return state.updateTenant(reqBody, ctx.params.query.updateMask);
 }
+function isMfaEnabled(state, user) {
+    var _a;
+    return ((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") &&
+        ((_a = user.mfaInfo) === null || _a === void 0 ? void 0 : _a.length));
+}
+async function fetchBlockingFunction(state, event, user, options = {}, oauthTokens = {}, timeoutMs = 60000) {
+    const url = state.getBlockingFunctionUri(event);
+    if (!url) {
+        return { updates: {} };
+    }
+    const jwt = generateBlockingFunctionJwt(state, event, url, timeoutMs, user, options, oauthTokens);
+    const reqBody = {
+        data: {
+            jwt,
+        },
+    };
+    const controller = new abort_controller_1.default();
+    const timeout = setTimeout(() => {
+        controller.abort();
+    }, timeoutMs);
+    let response;
+    try {
+        const res = await (0, node_fetch_1.default)(url, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(reqBody),
+            signal: controller.signal,
+        });
+        const text = await res.text();
+        (0, errors_1.assert)(res.ok, `BLOCKING_FUNCTION_ERROR_RESPONSE: ((HTTP request to ${url} returned HTTP error${res.status}: ${text}))`);
+        response = JSON.parse(text);
+    }
+    catch (thrown) {
+        const err = thrown instanceof Error ? thrown : new Error(thrown);
+        const isAbortError = err.name.includes("AbortError");
+        if (isAbortError) {
+            throw new errors_1.InternalError(`BLOCKING_FUNCTION_ERROR_RESPONSE: ((Deadline exceeded making request to ${url}.))`, err.message);
+        }
+        throw new errors_1.InternalError(`BLOCKING_FUNCTION_ERROR_RESPONSE: ((Failed to make request to ${url}.))`, err.message);
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+    return processBlockingFunctionResponse(event, response);
+}
+function processBlockingFunctionResponse(event, response) {
+    let extraClaims;
+    const updates = {};
+    if (response.userRecord) {
+        const userRecord = response.userRecord;
+        (0, errors_1.assert)(userRecord.updateMask, "BLOCKING_FUNCTION_ERROR_RESPONSE: ((Response UserRecord is missing updateMask.))");
+        const mask = userRecord.updateMask;
+        const fields = mask.split(",");
+        for (const field of fields) {
+            switch (field) {
+                case "displayName":
+                case "photoUrl":
+                    updates[field] = coercePrimitiveToString(userRecord[field]);
+                    break;
+                case "disabled":
+                case "emailVerified":
+                    updates[field] = !!userRecord[field];
+                    break;
+                case "customClaims":
+                    validateSerializedCustomClaims(userRecord.customClaims);
+                    updates.customAttributes = userRecord.customClaims;
+                    break;
+                case "sessionClaims":
+                    if (event !== state_1.BlockingFunctionEvents.BEFORE_SIGN_IN) {
+                        break;
+                    }
+                    try {
+                        extraClaims = JSON.parse(userRecord.sessionClaims);
+                    }
+                    catch (_a) {
+                        throw new errors_1.BadRequestError("BLOCKING_FUNCTION_ERROR_RESPONSE: ((Response has malformed session claims.))");
+                    }
+                    break;
+                default:
+                    break;
+            }
+        }
+    }
+    return { updates, extraClaims };
+}
+function generateBlockingFunctionJwt(state, event, url, timeoutMs, user, options, oauthTokens) {
+    const issuedAt = (0, utils_1.toUnixTimestamp)(new Date());
+    const jwt = {
+        iss: `https://securetoken.google.com/${state.projectId}`,
+        aud: url,
+        iat: issuedAt,
+        exp: issuedAt + timeoutMs / 100,
+        event_id: (0, utils_1.randomBase64UrlStr)(16),
+        event_type: event,
+        user_agent: "NotYetSupportedInFirebaseAuthEmulator",
+        ip_address: "127.0.0.1",
+        locale: "en",
+        user_record: {
+            uid: user.localId,
+            email: user.email,
+            email_verified: user.emailVerified,
+            display_name: user.displayName,
+            photo_url: user.photoUrl,
+            disabled: user.disabled,
+            phone_number: user.phoneNumber,
+            custom_claims: user.customAttributes,
+        },
+        sub: user.localId,
+        sign_in_method: options.signInMethod,
+        sign_in_second_factor: options.signInSecondFactor,
+        sign_in_attributes: options.signInAttributes,
+        raw_user_info: options.rawUserInfo,
+    };
+    if (state instanceof state_1.TenantProjectState) {
+        jwt.tenant_id = state.tenantId;
+        jwt.user_record.tenant_id = state.tenantId;
+    }
+    const provider_data = [];
+    if (user.providerUserInfo) {
+        for (const providerUserInfo of user.providerUserInfo) {
+            const provider = {
+                provider_id: providerUserInfo.providerId,
+                display_name: providerUserInfo.displayName,
+                photo_url: providerUserInfo.photoUrl,
+                email: providerUserInfo.email,
+                uid: providerUserInfo.rawId,
+                phone_number: providerUserInfo.phoneNumber,
+            };
+            provider_data.push(provider);
+        }
+    }
+    jwt.user_record.provider_data = provider_data;
+    if (user.mfaInfo) {
+        const enrolled_factors = [];
+        for (const mfaEnrollment of user.mfaInfo) {
+            if (!mfaEnrollment.mfaEnrollmentId) {
+                continue;
+            }
+            const enrolledFactor = {
+                uid: mfaEnrollment.mfaEnrollmentId,
+                display_name: mfaEnrollment.displayName,
+                enrollment_time: mfaEnrollment.enrolledAt,
+                phone_number: mfaEnrollment.phoneInfo,
+                factor_id: state_1.PROVIDER_PHONE,
+            };
+            enrolled_factors.push(enrolledFactor);
+        }
+        jwt.user_record.multi_factor = {
+            enrolled_factors,
+        };
+    }
+    if (user.lastLoginAt || user.createdAt) {
+        jwt.user_record.metadata = {
+            last_sign_in_time: user.lastLoginAt,
+            creation_time: user.createdAt,
+        };
+    }
+    if (state.shouldForwardCredentialToBlockingFunction("accessToken")) {
+        jwt.oauth_access_token = oauthTokens.oauthAccessToken;
+        jwt.oauth_token_secret = oauthTokens.oauthTokenSecret;
+        jwt.oauth_expires_in = oauthTokens.oauthExpiresIn;
+    }
+    if (state.shouldForwardCredentialToBlockingFunction("idToken")) {
+        jwt.oauth_id_token = oauthTokens.oauthIdToken;
+    }
+    if (state.shouldForwardCredentialToBlockingFunction("refreshToken")) {
+        jwt.oauth_refresh_token = oauthTokens.oauthRefreshToken;
+    }
+    const jwtStr = (0, jsonwebtoken_1.sign)(jwt, "", {
+        algorithm: "none",
+    });
+    return jwtStr;
+}
+function parseBlockingFunctionJwt(jwt) {
+    const decoded = (0, jsonwebtoken_1.decode)(jwt, { json: true });
+    (0, errors_1.assert)(decoded, "((Invalid blocking function jwt.))");
+    (0, errors_1.assert)(decoded.iss, "((Invalid blocking function jwt, missing `iss` claim.))");
+    (0, errors_1.assert)(decoded.aud, "((Invalid blocking function jwt, missing `aud` claim.))");
+    (0, errors_1.assert)(decoded.user_record, "((Invalid blocking function jwt, missing `user_record` claim.))");
+    return decoded;
+}
+exports.parseBlockingFunctionJwt = parseBlockingFunctionJwt;