firebase-tools 9.18.0 → 9.22.0

package/lib/emulator/auth/operations.js

@@ -26,6 +26,15 @@ exports.authOperations = {
             signInWithPhoneNumber,
             signUp,
             update: setAccountInfo,
+            mfaEnrollment: {
+                finalize: mfaEnrollmentFinalize,
+                start: mfaEnrollmentStart,
+                withdraw: mfaEnrollmentWithdraw,
+            },
+            mfaSignIn: {
+                start: mfaSignInStart,
+                finalize: mfaSignInFinalize,
+            },
         },
         projects: {
             createSessionCookie,
@@ -41,6 +50,25 @@ exports.authOperations = {
                 batchDelete,
                 batchGet,
             },
+            tenants: {
+                create: createTenant,
+                delete: deleteTenant,
+                get: getTenant,
+                list: listTenants,
+                patch: updateTenant,
+                createSessionCookie,
+                accounts: {
+                    _: signUp,
+                    batchCreate,
+                    batchDelete,
+                    batchGet,
+                    delete: deleteAccount,
+                    lookup,
+                    query: queryAccounts,
+                    sendOobCode,
+                    update: setAccountInfo,
+                },
+            },
         },
     },
     securetoken: {
@@ -66,8 +94,16 @@ exports.authOperations = {
 };
 const PASSWORD_MIN_LENGTH = 6;
 exports.CUSTOM_TOKEN_AUDIENCE = "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit";
+const MFA_INELIGIBLE_PROVIDER = new Set([
+    state_1.PROVIDER_ANONYMOUS,
+    state_1.PROVIDER_PHONE,
+    state_1.PROVIDER_CUSTOM,
+    state_1.PROVIDER_GAME_CENTER,
+]);
 function signUp(state, reqBody, ctx) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     let provider;
     const updates = {
         lastLoginAt: Date.now().toString(),
@@ -99,9 +135,11 @@ function signUp(state, reqBody, ctx) {
             errors_1.assert(reqBody.email, "MISSING_EMAIL");
             errors_1.assert(reqBody.password, "MISSING_PASSWORD");
             provider = state_1.PROVIDER_PASSWORD;
+            errors_1.assert(state.allowPasswordSignup, "OPERATION_NOT_ALLOWED");
         }
         else {
             provider = state_1.PROVIDER_ANONYMOUS;
+            errors_1.assert(state.enableAnonymousUser, "ADMIN_ONLY_OPERATION");
         }
     }
     if (reqBody.email) {
@@ -122,6 +160,9 @@ function signUp(state, reqBody, ctx) {
             generateEnrollmentIds: true,
         });
     }
+    if (state instanceof state_1.TenantProjectState) {
+        updates.tenantId = state.tenantId;
+    }
     let user;
     if (reqBody.idToken) {
         ({ user } = parseIdToken(state, reqBody.idToken));
@@ -142,6 +183,7 @@ function signUp(state, reqBody, ctx) {
 }
 function lookup(state, reqBody, ctx) {
     var _a, _b, _c, _d, _e;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     const seenLocalIds = new Set();
     const users = [];
     function tryAddUser(maybeUser) {
@@ -182,6 +224,8 @@ function lookup(state, reqBody, ctx) {
 }
 function batchCreate(state, reqBody) {
     var _a, _b;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     errors_1.assert((_a = reqBody.users) === null || _a === void 0 ? void 0 : _a.length, "MISSING_USER_ACCOUNT");
     if (reqBody.sanityCheck) {
         if (state.oneAccountPerEmail) {
@@ -221,6 +265,12 @@ function batchCreate(state, reqBody) {
                 photoUrl: userInfo.photoUrl,
                 lastLoginAt: userInfo.lastLoginAt,
             };
+            if (userInfo.tenantId) {
+                errors_1.assert(state instanceof state_1.TenantProjectState && state.tenantId === userInfo.tenantId, "Tenant id in userInfo does not match the tenant id in request.");
+            }
+            if (state instanceof state_1.TenantProjectState) {
+                fields.tenantId = state.tenantId;
+            }
             if (userInfo.passwordHash) {
                 fields.passwordHash = userInfo.passwordHash;
                 fields.salt = userInfo.salt;
@@ -275,6 +325,26 @@ function batchCreate(state, reqBody) {
             }
             fields.emailVerified = !!userInfo.emailVerified;
             fields.disabled = !!userInfo.disabled;
+            if (userInfo.mfaInfo) {
+                fields.mfaInfo = [];
+                errors_1.assert(fields.email, "Second factor account requires email to be presented.");
+                errors_1.assert(fields.emailVerified, "Second factor account requires email to be verified.");
+                const existingIds = new Set();
+                for (const enrollment of userInfo.mfaInfo) {
+                    if (enrollment.mfaEnrollmentId) {
+                        errors_1.assert(!existingIds.has(enrollment.mfaEnrollmentId), "Enrollment id already exists.");
+                        existingIds.add(enrollment.mfaEnrollmentId);
+                    }
+                }
+                for (const enrollment of userInfo.mfaInfo) {
+                    enrollment.mfaEnrollmentId = enrollment.mfaEnrollmentId || newRandomId(28, existingIds);
+                    enrollment.enrolledAt = enrollment.enrolledAt || new Date().toISOString();
+                    errors_1.assert(enrollment.phoneInfo, "Second factor not supported.");
+                    errors_1.assert(utils_1.isValidPhoneNumber(enrollment.phoneInfo), "Phone number format is invalid");
+                    enrollment.unobfuscatedPhoneInfo = enrollment.phoneInfo;
+                    fields.mfaInfo.push(enrollment);
+                }
+            }
             if (state.getUserByLocalId(userInfo.localId)) {
                 errors_1.assert(reqBody.allowOverwrite, "localId belongs to an existing account - can not overwrite.");
             }
@@ -332,6 +402,7 @@ function batchDelete(state, reqBody) {
     return { errors: errors.length ? errors : undefined };
 }
 function batchGet(state, reqBody, ctx) {
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     const maxResults = Math.min(Math.floor(ctx.params.query.maxResults) || 20, 1000);
     const users = state.queryUsers({}, { sortByField: "localId", order: "ASC", startToken: ctx.params.query.nextPageToken });
     let newPageToken = undefined;
@@ -349,6 +420,8 @@ function batchGet(state, reqBody, ctx) {
 }
 function createAuthUri(state, reqBody) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     const sessionId = reqBody.sessionId || utils_1.randomId(27);
     if (reqBody.providerId) {
         throw new errors_1.NotImplementedError("Sign-in with IDP is not yet supported.");
@@ -408,6 +481,7 @@ function createAuthUri(state, reqBody) {
 const SESSION_COOKIE_MIN_VALID_DURATION = 5 * 60;
 exports.SESSION_COOKIE_MAX_VALID_DURATION = 14 * 24 * 60 * 60;
 function createSessionCookie(state, reqBody, ctx) {
+    errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     errors_1.assert(reqBody.idToken, "MISSING_ID_TOKEN");
     const validDuration = Number(reqBody.validDuration) || exports.SESSION_COOKIE_MAX_VALID_DURATION;
     errors_1.assert(validDuration >= SESSION_COOKIE_MIN_VALID_DURATION &&
@@ -422,6 +496,7 @@ function createSessionCookie(state, reqBody, ctx) {
 }
 function deleteAccount(state, reqBody, ctx) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     let user;
     if ((_a = ctx.security) === null || _a === void 0 ? void 0 : _a.Oauth2) {
         errors_1.assert(reqBody.localId, "MISSING_LOCAL_ID");
@@ -439,6 +514,8 @@ function deleteAccount(state, reqBody, ctx) {
     };
 }
 function getProjects(state) {
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert(state instanceof state_1.AgentProjectState, "UNSUPPORTED_TENANT_OPERATION");
     return {
         projectId: state.projectNumber,
         authorizedDomains: [
@@ -446,7 +523,8 @@ function getProjects(state) {
         ],
     };
 }
-function getRecaptchaParams() {
+function getRecaptchaParams(state) {
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     return {
         kind: "identitytoolkit#GetRecaptchaParamResponse",
         recaptchaStoken: "This-is-a-fake-token__Dont-send-this-to-the-Recaptcha-service__The-Auth-Emulator-does-not-support-Recaptcha",
@@ -455,6 +533,7 @@ function getRecaptchaParams() {
 }
 function queryAccounts(state, reqBody) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     if ((_a = reqBody.expression) === null || _a === void 0 ? void 0 : _a.length) {
         throw new errors_1.NotImplementedError("expression is not implemented.");
     }
@@ -491,6 +570,9 @@ function queryAccounts(state, reqBody) {
 }
 function resetPassword(state, reqBody) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
+    errors_1.assert(state.allowPasswordSignup, "PASSWORD_LOGIN_DISABLED");
     errors_1.assert(reqBody.oobCode, "MISSING_OOB_CODE");
     const oob = state.validateOobCode(reqBody.oobCode);
     errors_1.assert(oob, "INVALID_OOB_CODE");
@@ -498,11 +580,11 @@ function resetPassword(state, reqBody) {
         errors_1.assert(oob.requestType === "PASSWORD_RESET", "INVALID_OOB_CODE");
         errors_1.assert(reqBody.newPassword.length >= PASSWORD_MIN_LENGTH, `WEAK_PASSWORD : Password should be at least ${PASSWORD_MIN_LENGTH} characters`);
         state.deleteOobCode(reqBody.oobCode);
-        const user = state.getUserByEmail(oob.email);
+        let user = state.getUserByEmail(oob.email);
         errors_1.assert(user, "INVALID_OOB_CODE");
         const salt = "fakeSalt" + utils_1.randomId(20);
         const passwordHash = hashPassword(reqBody.newPassword, salt);
-        state.updateUserByLocalId(user.localId, {
+        user = state.updateUserByLocalId(user.localId, {
             emailVerified: true,
             passwordHash,
             salt,
@@ -519,6 +601,8 @@ function resetPassword(state, reqBody) {
 exports.resetPassword = resetPassword;
 function sendOobCode(state, reqBody, ctx) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     errors_1.assert(reqBody.requestType && reqBody.requestType !== "OOB_REQ_TYPE_UNSPECIFIED", "MISSING_REQ_TYPE");
     if (reqBody.returnOobLink) {
         errors_1.assert((_a = ctx.security) === null || _a === void 0 ? void 0 : _a.Oauth2, "INSUFFICIENT_PERMISSION");
@@ -530,6 +614,7 @@ function sendOobCode(state, reqBody, ctx) {
     let mode;
     switch (reqBody.requestType) {
         case "EMAIL_SIGNIN":
+            errors_1.assert(state.enableEmailLinkSignin, "OPERATION_NOT_ALLOWED");
             mode = "signIn";
             errors_1.assert(reqBody.email, "MISSING_EMAIL");
             email = utils_1.canonicalizeEmailAddress(reqBody.email);
@@ -583,7 +668,13 @@ function sendOobCode(state, reqBody, ctx) {
     }
 }
 function sendVerificationCode(state, reqBody) {
+    var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert(state instanceof state_1.AgentProjectState, "UNSUPPORTED_TENANT_OPERATION");
+    errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     errors_1.assert(reqBody.phoneNumber && utils_1.isValidPhoneNumber(reqBody.phoneNumber), "INVALID_PHONE_NUMBER : Invalid format.");
+    const user = state.getUserByPhoneNumber(reqBody.phoneNumber);
+    errors_1.assert(!((_a = user === null || user === void 0 ? void 0 : user.mfaInfo) === null || _a === void 0 ? void 0 : _a.length), "UNSUPPORTED_FIRST_FACTOR : A phone number cannot be set as a first factor on an SMS based MFA user.");
     const { sessionInfo, phoneNumber, code } = state.createVerificationCode(reqBody.phoneNumber);
     emulatorLogger_1.EmulatorLogger.forEmulator(types_1.Emulators.AUTH).log("BULLET", `To verify the phone number ${phoneNumber}, use the code ${code}.`);
     return {
@@ -592,6 +683,8 @@ function sendVerificationCode(state, reqBody) {
 }
 function setAccountInfo(state, reqBody, ctx) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     const url = utils_1.authEmulatorUrl(ctx.req);
     return setAccountInfoImpl(state, reqBody, {
         privileged: !!((_a = ctx.security) === null || _a === void 0 ? void 0 : _a.Oauth2),
@@ -603,8 +696,6 @@ function setAccountInfoImpl(state, reqBody, { privileged = false, emulatorUrl =
     const unimplementedFields = [
         "provider",
         "upgradeToFederatedLogin",
-        "captchaChallenge",
-        "captchaResponse",
         "linkProviderUserInfo",
     ];
     for (const field of unimplementedFields) {
@@ -787,6 +878,9 @@ function createOobRecord(state, email, url, params) {
         if (params.continueUrl) {
             url.searchParams.set("continueUrl", params.continueUrl);
         }
+        if (state instanceof state_1.TenantProjectState) {
+            url.searchParams.set("tenantId", state.tenantId);
+        }
         return url.toString();
     });
     return oobRecord;
@@ -815,6 +909,7 @@ function logOobMessage(oobRecord) {
 }
 function signInWithCustomToken(state, reqBody) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     errors_1.assert(reqBody.token, "MISSING_CUSTOM_TOKEN");
     let payload;
     if (reqBody.token.startsWith("{")) {
@@ -827,6 +922,9 @@ function signInWithCustomToken(state, reqBody) {
     }
     else {
         const decoded = jsonwebtoken_1.decode(reqBody.token, { complete: true });
+        if (state instanceof state_1.TenantProjectState) {
+            errors_1.assert((decoded === null || decoded === void 0 ? void 0 : decoded.payload.tenant_id) === state.tenantId, "TENANT_ID_MISMATCH");
+        }
         errors_1.assert(decoded, "INVALID_CUSTOM_TOKEN : Invalid assertion format");
         if (decoded.header.alg !== "none") {
             emulatorLogger_1.EmulatorLogger.forEmulator(types_1.Emulators.AUTH).log("WARN", "Received a signed custom token. Auth Emulator does not validate JWTs and IS NOT SECURE");
@@ -837,16 +935,17 @@ function signInWithCustomToken(state, reqBody) {
     }
     const localId = (_a = coercePrimitiveToString(payload.uid)) !== null && _a !== void 0 ? _a : coercePrimitiveToString(payload.user_id);
     errors_1.assert(localId, "MISSING_IDENTIFIER");
-    let claims = {};
+    let extraClaims = {};
     if ("claims" in payload) {
         validateCustomClaims(payload.claims);
-        claims = payload.claims;
+        extraClaims = payload.claims;
     }
     let user = state.getUserByLocalId(localId);
-    const isNewUser = !user;
+    const isNewUser = state.usageMode === state_1.UsageMode.PASSTHROUGH ? false : !user;
     const updates = {
         customAuth: true,
         lastLoginAt: Date.now().toString(),
+        tenantId: state instanceof state_1.TenantProjectState ? state.tenantId : undefined,
     };
     if (user) {
         errors_1.assert(!user.disabled, "USER_DISABLED");
@@ -858,12 +957,13 @@ function signInWithCustomToken(state, reqBody) {
             throw new Error(`Internal assertion error: trying to create duplicate localId: ${localId}`);
         }
     }
-    if (user.mfaInfo) {
-        throw new errors_1.NotImplementedError("MFA Login not yet implemented.");
-    }
-    return Object.assign({ kind: "identitytoolkit#VerifyCustomTokenResponse", isNewUser }, issueTokens(state, user, state_1.PROVIDER_CUSTOM, claims));
+    return Object.assign({ kind: "identitytoolkit#VerifyCustomTokenResponse", isNewUser }, issueTokens(state, user, state_1.PROVIDER_CUSTOM, { extraClaims }));
 }
 function signInWithEmailLink(state, reqBody) {
+    var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert(state.enableEmailLinkSignin, "OPERATION_NOT_ALLOWED");
+    errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     const userFromIdToken = reqBody.idToken ? parseIdToken(state, reqBody.idToken).user : undefined;
     errors_1.assert(reqBody.email, "MISSING_EMAIL");
     const email = utils_1.canonicalizeEmailAddress(reqBody.email);
@@ -876,8 +976,10 @@ function signInWithEmailLink(state, reqBody) {
         email,
         emailVerified: true,
         emailLinkSignin: true,
-        lastLoginAt: Date.now().toString(),
     };
+    if (state instanceof state_1.TenantProjectState) {
+        updates.tenantId = state.tenantId;
+    }
     let user = state.getUserByEmail(email);
     const isNewUser = !user && !userFromIdToken;
     if (!user) {
@@ -893,14 +995,24 @@ function signInWithEmailLink(state, reqBody) {
         errors_1.assert(!userFromIdToken || userFromIdToken.localId === user.localId, "EMAIL_EXISTS");
         user = state.updateUserByLocalId(user.localId, updates);
     }
-    if (user.mfaInfo) {
-        throw new errors_1.NotImplementedError("MFA Login not yet implemented.");
+    const response = {
+        kind: "identitytoolkit#EmailLinkSigninResponse",
+        email,
+        localId: user.localId,
+        isNewUser,
+    };
+    if ((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") && ((_a = user.mfaInfo) === null || _a === void 0 ? void 0 : _a.length)) {
+        return Object.assign(Object.assign({}, response), mfaPending(state, user, state_1.PROVIDER_PASSWORD));
+    }
+    else {
+        user = state.updateUserByLocalId(user.localId, { lastLoginAt: Date.now().toString() });
+        return Object.assign(Object.assign({}, response), issueTokens(state, user, state_1.PROVIDER_PASSWORD));
     }
-    const tokens = issueTokens(state, user, state_1.PROVIDER_PASSWORD);
-    return Object.assign({ kind: "identitytoolkit#EmailLinkSigninResponse", email, localId: user.localId, isNewUser }, tokens);
 }
 function signInWithIdp(state, reqBody) {
-    var _a;
+    var _a, _b;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     if (reqBody.returnRefreshToken) {
         throw new errors_1.NotImplementedError("returnRefreshToken is not implemented yet.");
     }
@@ -972,27 +1084,36 @@ function signInWithIdp(state, reqBody) {
     };
     let user;
     if (response.isNewUser) {
-        user = state.createUser(Object.assign(Object.assign({}, accountUpdates.fields), { lastLoginAt: Date.now().toString(), providerUserInfo: [providerUserInfo] }));
+        user = state.createUser(Object.assign(Object.assign({}, accountUpdates.fields), { lastLoginAt: Date.now().toString(), providerUserInfo: [providerUserInfo], tenantId: state instanceof state_1.TenantProjectState ? state.tenantId : undefined }));
         response.localId = user.localId;
     }
     else {
         if (!response.localId) {
             throw new Error("Internal assertion error: localId not set for exising user.");
         }
-        user = state.updateUserByLocalId(response.localId, Object.assign(Object.assign({}, accountUpdates.fields), { lastLoginAt: Date.now().toString() }), {
+        user = state.updateUserByLocalId(response.localId, Object.assign({}, accountUpdates.fields), {
             upsertProviders: [providerUserInfo],
         });
     }
-    if (user.mfaInfo) {
-        throw new errors_1.NotImplementedError("MFA Login not yet implemented.");
-    }
     if (user.email === response.email) {
         response.emailVerified = user.emailVerified;
     }
-    Object.assign(response, issueTokens(state, user, providerId));
-    return response;
+    if (state instanceof state_1.TenantProjectState) {
+        response.tenantId = state.tenantId;
+    }
+    if ((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") && ((_b = user.mfaInfo) === null || _b === void 0 ? void 0 : _b.length)) {
+        return Object.assign(Object.assign({}, response), mfaPending(state, user, providerId));
+    }
+    else {
+        user = state.updateUserByLocalId(user.localId, { lastLoginAt: Date.now().toString() });
+        return Object.assign(Object.assign({}, response), issueTokens(state, user, providerId));
+    }
 }
 function signInWithPassword(state, reqBody) {
+    var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert(state.allowPasswordSignup, "PASSWORD_LOGIN_DISABLED");
+    errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     errors_1.assert(reqBody.email, "MISSING_EMAIL");
     errors_1.assert(reqBody.password, "MISSING_PASSWORD");
     if (reqBody.captchaResponse || reqBody.captchaChallenge) {
@@ -1007,14 +1128,25 @@ function signInWithPassword(state, reqBody) {
     errors_1.assert(!user.disabled, "USER_DISABLED");
     errors_1.assert(user.passwordHash && user.salt, "INVALID_PASSWORD");
     errors_1.assert(user.passwordHash === hashPassword(reqBody.password, user.salt), "INVALID_PASSWORD");
-    if (user.mfaInfo) {
-        throw new errors_1.NotImplementedError("MFA Login not yet implemented.");
+    const response = {
+        kind: "identitytoolkit#VerifyPasswordResponse",
+        registered: true,
+        localId: user.localId,
+        email,
+    };
+    if ((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") && ((_a = user.mfaInfo) === null || _a === void 0 ? void 0 : _a.length)) {
+        return Object.assign(Object.assign({}, response), mfaPending(state, user, state_1.PROVIDER_PASSWORD));
+    }
+    else {
+        user = state.updateUserByLocalId(user.localId, { lastLoginAt: Date.now().toString() });
+        return Object.assign(Object.assign({}, response), issueTokens(state, user, state_1.PROVIDER_PASSWORD));
     }
-    user = state.updateUserByLocalId(user.localId, { lastLoginAt: Date.now().toString() });
-    const tokens = issueTokens(state, user, state_1.PROVIDER_PASSWORD);
-    return Object.assign({ kind: "identitytoolkit#VerifyPasswordResponse", registered: true, localId: user.localId, email, displayName: user.displayName, profilePicture: user.photoUrl }, tokens);
 }
 function signInWithPhoneNumber(state, reqBody) {
+    var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert(state instanceof state_1.AgentProjectState, "UNSUPPORTED_TENANT_OPERATION");
+    errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     let phoneNumber;
     if (reqBody.temporaryProof) {
         errors_1.assert(reqBody.phoneNumber, "MISSING_PHONE_NUMBER");
@@ -1036,6 +1168,7 @@ function signInWithPhoneNumber(state, reqBody) {
     const userFromIdToken = reqBody.idToken ? parseIdToken(state, reqBody.idToken).user : undefined;
     if (!user) {
         if (userFromIdToken) {
+            errors_1.assert(!((_a = userFromIdToken.mfaInfo) === null || _a === void 0 ? void 0 : _a.length), "UNSUPPORTED_FIRST_FACTOR : A phone number cannot be set as a first factor on an SMS based MFA user.");
             user = state.updateUserByLocalId(userFromIdToken.localId, updates);
         }
         else {
@@ -1053,21 +1186,22 @@ function signInWithPhoneNumber(state, reqBody) {
         }
         user = state.updateUserByLocalId(user.localId, updates);
     }
-    if (user.mfaInfo) {
-        throw new errors_1.NotImplementedError("MFA Login not yet implemented.");
-    }
     const tokens = issueTokens(state, user, state_1.PROVIDER_PHONE);
     return Object.assign({ isNewUser,
         phoneNumber, localId: user.localId }, tokens);
 }
 function grantToken(state, reqBody) {
+    errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     errors_1.assert(reqBody.grantType, "MISSING_GRANT_TYPE");
     errors_1.assert(reqBody.grantType === "refresh_token", "INVALID_GRANT_TYPE");
     errors_1.assert(reqBody.refreshToken, "MISSING_REFRESH_TOKEN");
     const refreshTokenRecord = state.validateRefreshToken(reqBody.refreshToken);
     errors_1.assert(refreshTokenRecord, "INVALID_REFRESH_TOKEN");
     errors_1.assert(!refreshTokenRecord.user.disabled, "USER_DISABLED");
-    const tokens = issueTokens(state, refreshTokenRecord.user, refreshTokenRecord.provider, refreshTokenRecord.extraClaims);
+    const tokens = issueTokens(state, refreshTokenRecord.user, refreshTokenRecord.provider, {
+        extraClaims: refreshTokenRecord.extraClaims,
+        secondFactor: refreshTokenRecord.secondFactor,
+    });
     return {
         id_token: tokens.idToken,
         access_token: tokens.idToken,
@@ -1087,14 +1221,31 @@ function getEmulatorProjectConfig(state) {
         signIn: {
             allowDuplicateEmails: !state.oneAccountPerEmail,
         },
+        usageMode: state.usageMode,
     };
 }
 function updateEmulatorProjectConfig(state, reqBody) {
     var _a;
     const allowDuplicateEmails = (_a = reqBody.signIn) === null || _a === void 0 ? void 0 : _a.allowDuplicateEmails;
     if (allowDuplicateEmails != null) {
+        errors_1.assert(state instanceof state_1.AgentProjectState, "((Only top level projects can set oneAccountPerEmail.))");
         state.oneAccountPerEmail = !allowDuplicateEmails;
     }
+    const usageMode = reqBody.usageMode;
+    if (usageMode != null) {
+        errors_1.assert(state instanceof state_1.AgentProjectState, "((Only top level projects can set usageMode.))");
+        switch (usageMode) {
+            case "PASSTHROUGH":
+                errors_1.assert(state.getUserCount() === 0, "Users are present, unable to set passthrough mode");
+                state.usageMode = state_1.UsageMode.PASSTHROUGH;
+                break;
+            case "DEFAULT":
+                state.usageMode = state_1.UsageMode.DEFAULT;
+                break;
+            default:
+                throw new errors_1.BadRequestError("Invalid usage mode provided");
+        }
+    }
     return getEmulatorProjectConfig(state);
 }
 function listOobCodesInProject(state) {
@@ -1107,6 +1258,122 @@ function listVerificationCodesInProject(state) {
         verificationCodes: [...state.listVerificationCodes()],
     };
 }
+function mfaEnrollmentStart(state, reqBody) {
+    var _a, _b;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") && ((_a = state.mfaConfig.enabledProviders) === null || _a === void 0 ? void 0 : _a.includes("PHONE_SMS")), "OPERATION_NOT_ALLOWED : SMS based MFA not enabled.");
+    errors_1.assert(reqBody.idToken, "MISSING_ID_TOKEN");
+    const { user, signInProvider } = parseIdToken(state, reqBody.idToken);
+    errors_1.assert(!MFA_INELIGIBLE_PROVIDER.has(signInProvider), "UNSUPPORTED_FIRST_FACTOR : MFA is not available for the given first factor.");
+    errors_1.assert(user.emailVerified, "UNVERIFIED_EMAIL : Need to verify email first before enrolling second factors.");
+    errors_1.assert(reqBody.phoneEnrollmentInfo, "INVALID_ARGUMENT : ((Missing phoneEnrollmentInfo.))");
+    const phoneNumber = reqBody.phoneEnrollmentInfo.phoneNumber;
+    errors_1.assert(phoneNumber && utils_1.isValidPhoneNumber(phoneNumber), "INVALID_PHONE_NUMBER : Invalid format.");
+    errors_1.assert(!((_b = user.mfaInfo) === null || _b === void 0 ? void 0 : _b.some((enrollment) => enrollment.unobfuscatedPhoneInfo === phoneNumber)), "SECOND_FACTOR_EXISTS : Phone number already enrolled as second factor for this account.");
+    const { sessionInfo, code } = state.createVerificationCode(phoneNumber);
+    emulatorLogger_1.EmulatorLogger.forEmulator(types_1.Emulators.AUTH).log("BULLET", `To enroll MFA with ${phoneNumber}, use the code ${code}.`);
+    return {
+        phoneSessionInfo: {
+            sessionInfo,
+        },
+    };
+}
+function mfaEnrollmentFinalize(state, reqBody) {
+    var _a, _b;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") && ((_a = state.mfaConfig.enabledProviders) === null || _a === void 0 ? void 0 : _a.includes("PHONE_SMS")), "OPERATION_NOT_ALLOWED : SMS based MFA not enabled.");
+    errors_1.assert(reqBody.idToken, "MISSING_ID_TOKEN");
+    let { user, signInProvider } = parseIdToken(state, reqBody.idToken);
+    errors_1.assert(!MFA_INELIGIBLE_PROVIDER.has(signInProvider), "UNSUPPORTED_FIRST_FACTOR : MFA is not available for the given first factor.");
+    errors_1.assert(reqBody.phoneVerificationInfo, "INVALID_ARGUMENT : ((Missing phoneVerificationInfo.))");
+    if (reqBody.phoneVerificationInfo.androidVerificationProof) {
+        throw new errors_1.NotImplementedError("androidVerificationProof is unsupported!");
+    }
+    const { code, sessionInfo } = reqBody.phoneVerificationInfo;
+    errors_1.assert(code, "MISSING_CODE");
+    errors_1.assert(sessionInfo, "MISSING_SESSION_INFO");
+    const phoneNumber = verifyPhoneNumber(state, sessionInfo, code);
+    errors_1.assert(!((_b = user.mfaInfo) === null || _b === void 0 ? void 0 : _b.some((enrollment) => enrollment.unobfuscatedPhoneInfo === phoneNumber)), "SECOND_FACTOR_EXISTS : Phone number already enrolled as second factor for this account.");
+    const existingFactors = user.mfaInfo || [];
+    const existingIds = new Set();
+    for (const { mfaEnrollmentId } of existingFactors) {
+        if (mfaEnrollmentId) {
+            existingIds.add(mfaEnrollmentId);
+        }
+    }
+    const enrollment = {
+        displayName: reqBody.displayName,
+        enrolledAt: new Date().toISOString(),
+        mfaEnrollmentId: newRandomId(28, existingIds),
+        phoneInfo: phoneNumber,
+        unobfuscatedPhoneInfo: phoneNumber,
+    };
+    user = state.updateUserByLocalId(user.localId, {
+        mfaInfo: [...existingFactors, enrollment],
+    });
+    const { idToken, refreshToken } = issueTokens(state, user, signInProvider, {
+        secondFactor: { identifier: enrollment.mfaEnrollmentId, provider: state_1.PROVIDER_PHONE },
+    });
+    return {
+        idToken,
+        refreshToken,
+    };
+}
+function mfaEnrollmentWithdraw(state, reqBody) {
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert(reqBody.idToken, "MISSING_ID_TOKEN");
+    let { user, signInProvider } = parseIdToken(state, reqBody.idToken);
+    errors_1.assert(user.mfaInfo, "MFA_ENROLLMENT_NOT_FOUND");
+    const updatedList = user.mfaInfo.filter((enrollment) => enrollment.mfaEnrollmentId !== reqBody.mfaEnrollmentId);
+    errors_1.assert(updatedList.length < user.mfaInfo.length, "MFA_ENROLLMENT_NOT_FOUND");
+    user = state.updateUserByLocalId(user.localId, { mfaInfo: updatedList });
+    return Object.assign({}, issueTokens(state, user, signInProvider));
+}
+function mfaSignInStart(state, reqBody) {
+    var _a, _b;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") && ((_a = state.mfaConfig.enabledProviders) === null || _a === void 0 ? void 0 : _a.includes("PHONE_SMS")), "OPERATION_NOT_ALLOWED : SMS based MFA not enabled.");
+    errors_1.assert(reqBody.mfaPendingCredential, "MISSING_MFA_PENDING_CREDENTIAL : Request does not have MFA pending credential.");
+    errors_1.assert(reqBody.mfaEnrollmentId, "MISSING_MFA_ENROLLMENT_ID : No second factor identifier is provided.");
+    const { user } = parsePendingCredential(state, reqBody.mfaPendingCredential);
+    const enrollment = (_b = user.mfaInfo) === null || _b === void 0 ? void 0 : _b.find((factor) => factor.mfaEnrollmentId === reqBody.mfaEnrollmentId);
+    errors_1.assert(enrollment, "MFA_ENROLLMENT_NOT_FOUND");
+    const phoneNumber = enrollment.unobfuscatedPhoneInfo;
+    errors_1.assert(phoneNumber, "INVALID_ARGUMENT : MFA provider not supported!");
+    const { sessionInfo, code } = state.createVerificationCode(phoneNumber);
+    emulatorLogger_1.EmulatorLogger.forEmulator(types_1.Emulators.AUTH).log("BULLET", `To sign in with MFA using ${phoneNumber}, use the code ${code}.`);
+    return {
+        phoneResponseInfo: {
+            sessionInfo,
+        },
+    };
+}
+function mfaSignInFinalize(state, reqBody) {
+    var _a, _b;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") && ((_a = state.mfaConfig.enabledProviders) === null || _a === void 0 ? void 0 : _a.includes("PHONE_SMS")), "OPERATION_NOT_ALLOWED : SMS based MFA not enabled.");
+    errors_1.assert(reqBody.mfaPendingCredential, "MISSING_CREDENTIAL : Please set MFA Pending Credential.");
+    errors_1.assert(reqBody.phoneVerificationInfo, "INVALID_ARGUMENT : MFA provider not supported!");
+    if (reqBody.phoneVerificationInfo.androidVerificationProof) {
+        throw new errors_1.NotImplementedError("androidVerificationProof is unsupported!");
+    }
+    const { code, sessionInfo } = reqBody.phoneVerificationInfo;
+    errors_1.assert(code, "MISSING_CODE");
+    errors_1.assert(sessionInfo, "MISSING_SESSION_INFO");
+    const phoneNumber = verifyPhoneNumber(state, sessionInfo, code);
+    let { user, signInProvider } = parsePendingCredential(state, reqBody.mfaPendingCredential);
+    const enrollment = (_b = user.mfaInfo) === null || _b === void 0 ? void 0 : _b.find((enrollment) => enrollment.unobfuscatedPhoneInfo == phoneNumber);
+    errors_1.assert(enrollment && enrollment.mfaEnrollmentId, "MFA_ENROLLMENT_NOT_FOUND");
+    user = state.updateUserByLocalId(user.localId, { lastLoginAt: Date.now().toString() });
+    errors_1.assert(!user.disabled, "USER_DISABLED");
+    const { idToken, refreshToken } = issueTokens(state, user, signInProvider, {
+        secondFactor: { identifier: enrollment.mfaEnrollmentId, provider: state_1.PROVIDER_PHONE },
+    });
+    return {
+        idToken,
+        refreshToken,
+    };
+}
 function coercePrimitiveToString(value) {
     switch (typeof value) {
         case "string":
@@ -1124,11 +1391,26 @@ function redactPasswordHash(user) {
 function hashPassword(password, salt) {
     return `fakeHash:salt=${salt}:password=${password}`;
 }
-function issueTokens(state, user, signInProvider, extraClaims = {}) {
-    state.updateUserByLocalId(user.localId, { lastRefreshAt: new Date().toISOString() });
+function issueTokens(state, user, signInProvider, { extraClaims, secondFactor, } = {}) {
+    user = state.updateUserByLocalId(user.localId, { lastRefreshAt: new Date().toISOString() });
+    const usageMode = state.usageMode === state_1.UsageMode.PASSTHROUGH ? "passthrough" : undefined;
+    const tenantId = state instanceof state_1.TenantProjectState ? state.tenantId : undefined;
     const expiresInSeconds = 60 * 60;
-    const idToken = generateJwt(state.projectId, user, signInProvider, expiresInSeconds, extraClaims);
-    const refreshToken = state.createRefreshTokenFor(user, signInProvider, extraClaims);
+    const idToken = generateJwt(user, {
+        projectId: state.projectId,
+        signInProvider,
+        expiresInSeconds,
+        extraClaims,
+        secondFactor,
+        usageMode,
+        tenantId,
+    });
+    const refreshToken = state.usageMode === state_1.UsageMode.DEFAULT
+        ? state.createRefreshTokenFor(user, signInProvider, {
+            extraClaims,
+            secondFactor,
+        })
+        : undefined;
     return {
         idToken,
         refreshToken,
@@ -1136,11 +1418,16 @@ function issueTokens(state, user, signInProvider, extraClaims = {}) {
     };
 }
 function parseIdToken(state, idToken) {
+    errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     const decoded = jsonwebtoken_1.decode(idToken, { complete: true });
     errors_1.assert(decoded, "INVALID_ID_TOKEN");
     if (decoded.header.alg !== "none") {
         emulatorLogger_1.EmulatorLogger.forEmulator(types_1.Emulators.AUTH).log("WARN", "Received a signed JWT. Auth Emulator does not validate JWTs and IS NOT SECURE");
     }
+    if (decoded.payload.firebase.tenant) {
+        errors_1.assert(state instanceof state_1.TenantProjectState, "((Parsed token that belongs to tenant in a non-tenant project.))");
+        errors_1.assert(decoded.payload.firebase.tenant === state.tenantId, "TENANT_ID_MISMATCH");
+    }
     const user = state.getUserByLocalId(decoded.payload.user_id);
     errors_1.assert(user, "USER_NOT_FOUND");
     errors_1.assert(!user.validSince || decoded.payload.iat >= Number(user.validSince), "TOKEN_EXPIRED");
@@ -1148,7 +1435,7 @@ function parseIdToken(state, idToken) {
     const signInProvider = decoded.payload.firebase.sign_in_provider;
     return { user, signInProvider, payload: decoded.payload };
 }
-function generateJwt(projectId, user, signInProvider, expiresInSeconds, extraClaims = {}) {
+function generateJwt(user, { projectId, signInProvider, expiresInSeconds, extraClaims = {}, secondFactor, usageMode, tenantId, }) {
     const identities = {};
     if (user.email) {
         identities["email"] = [user.email];
@@ -1168,6 +1455,10 @@ function generateJwt(projectId, user, signInProvider, expiresInSeconds, extraCla
     const customPayloadFields = Object.assign(Object.assign(Object.assign({ name: user.displayName, picture: user.photoUrl }, customAttributes), extraClaims), { email: user.email, email_verified: user.emailVerified, phone_number: user.phoneNumber, provider_id: signInProvider === "anonymous" ? signInProvider : undefined, auth_time: utils_1.toUnixTimestamp(getAuthTime(user)), user_id: user.localId, firebase: {
             identities,
             sign_in_provider: signInProvider,
+            second_factor_identifier: secondFactor === null || secondFactor === void 0 ? void 0 : secondFactor.identifier,
+            sign_in_second_factor: secondFactor === null || secondFactor === void 0 ? void 0 : secondFactor.provider,
+            usage_mode: usageMode,
+            tenant: tenantId,
         } });
     const jwtStr = jsonwebtoken_1.sign(customPayloadFields, "", {
         algorithm: "none",
@@ -1261,7 +1552,7 @@ function getMfaEnrollmentsFromRequest(state, request, options) {
                 : enrollment.mfaEnrollmentId;
             errors_1.assert(mfaEnrollmentId, "INVALID_MFA_ENROLLMENT_ID : mfaEnrollmentId must be defined.");
             errors_1.assert(!enrollmentIds.has(mfaEnrollmentId), "DUPLICATE_MFA_ENROLLMENT_ID");
-            enrollments.push(Object.assign(Object.assign({}, enrollment), { mfaEnrollmentId }));
+            enrollments.push(Object.assign(Object.assign({}, enrollment), { mfaEnrollmentId, unobfuscatedPhoneInfo: enrollment.phoneInfo }));
             phoneNumbers.add(enrollment.phoneInfo);
             enrollmentIds.add(mfaEnrollmentId);
         }
@@ -1450,3 +1741,111 @@ function handleIdpSignUp(response, options) {
         accountUpdates,
     };
 }
+function mfaPending(state, user, signInProvider) {
+    if (!user.mfaInfo) {
+        throw new Error("Internal assertion error: mfaPending called on user without MFA.");
+    }
+    const pendingCredentialPayload = {
+        _AuthEmulatorMfaPendingCredential: "DO NOT MODIFY",
+        localId: user.localId,
+        signInProvider,
+        projectId: state.projectId,
+    };
+    if (state instanceof state_1.TenantProjectState) {
+        pendingCredentialPayload.tenantId = state.tenantId;
+    }
+    const mfaPendingCredential = Buffer.from(JSON.stringify(pendingCredentialPayload), "utf8").toString("base64");
+    return { mfaPendingCredential, mfaInfo: user.mfaInfo.map(redactMfaInfo) };
+}
+function redactMfaInfo(mfaInfo) {
+    return {
+        displayName: mfaInfo.displayName,
+        enrolledAt: mfaInfo.enrolledAt,
+        mfaEnrollmentId: mfaInfo.mfaEnrollmentId,
+        phoneInfo: mfaInfo.unobfuscatedPhoneInfo
+            ? obfuscatePhoneNumber(mfaInfo.unobfuscatedPhoneInfo)
+            : undefined,
+    };
+}
+function obfuscatePhoneNumber(phoneNumber) {
+    const split = phoneNumber.split("");
+    let digitsEncountered = 0;
+    for (let i = split.length - 1; i >= 0; i--) {
+        if (/[0-9]/.test(split[i])) {
+            digitsEncountered++;
+            if (digitsEncountered > 4) {
+                split[i] = "*";
+            }
+        }
+    }
+    return split.join("");
+}
+function parsePendingCredential(state, pendingCredential) {
+    let pendingCredentialPayload;
+    try {
+        const json = Buffer.from(pendingCredential, "base64").toString("utf8");
+        pendingCredentialPayload = JSON.parse(json);
+    }
+    catch (_a) {
+        errors_1.assert(false, "((Invalid phoneVerificationInfo.mfaPendingCredential.))");
+    }
+    errors_1.assert(pendingCredentialPayload._AuthEmulatorMfaPendingCredential, "((Invalid phoneVerificationInfo.mfaPendingCredential.))");
+    errors_1.assert(pendingCredentialPayload.projectId === state.projectId, "INVALID_PROJECT_ID : Project ID does not match MFA pending credential.");
+    if (state instanceof state_1.TenantProjectState) {
+        errors_1.assert(pendingCredentialPayload.tenantId === state.tenantId, "INVALID_PROJECT_ID : Project ID does not match MFA pending credential.");
+    }
+    const { localId, signInProvider } = pendingCredentialPayload;
+    const user = state.getUserByLocalId(localId);
+    errors_1.assert(user, "((User in pendingCredentialPayload does not exist.))");
+    return { user, signInProvider };
+}
+function createTenant(state, reqBody) {
+    var _a, _b, _c, _d, _e;
+    if (!(state instanceof state_1.AgentProjectState)) {
+        throw new errors_1.InternalError("INTERNAL_ERROR: Can only create tenant in agent project", "INTERNAL");
+    }
+    const mfaConfig = (_a = reqBody.mfaConfig) !== null && _a !== void 0 ? _a : {};
+    if (!("state" in mfaConfig)) {
+        mfaConfig.state = "DISABLED";
+    }
+    if (!("enabledProviders" in mfaConfig)) {
+        mfaConfig.enabledProviders = [];
+    }
+    const tenant = {
+        displayName: reqBody.displayName,
+        allowPasswordSignup: (_b = reqBody.allowPasswordSignup) !== null && _b !== void 0 ? _b : false,
+        enableEmailLinkSignin: (_c = reqBody.enableEmailLinkSignin) !== null && _c !== void 0 ? _c : false,
+        enableAnonymousUser: (_d = reqBody.enableAnonymousUser) !== null && _d !== void 0 ? _d : false,
+        disableAuth: (_e = reqBody.disableAuth) !== null && _e !== void 0 ? _e : false,
+        mfaConfig: mfaConfig,
+        tenantId: "",
+    };
+    return state.createTenant(tenant);
+}
+function listTenants(state, reqBody, ctx) {
+    errors_1.assert(state instanceof state_1.AgentProjectState, "((Can only list tenants in agent project.))");
+    const pageSize = Math.min(Math.floor(ctx.params.query.pageSize) || 20, 1000);
+    const tenants = state.listTenants(ctx.params.query.pageToken);
+    let nextPageToken = undefined;
+    if (pageSize > 0 && tenants.length >= pageSize) {
+        tenants.length = pageSize;
+        nextPageToken = tenants[tenants.length - 1].tenantId;
+    }
+    return {
+        nextPageToken,
+        tenants,
+    };
+}
+function deleteTenant(state, reqBody, ctx) {
+    errors_1.assert(state instanceof state_1.TenantProjectState, "((Can only delete tenant on tenant projects.))");
+    state.delete();
+    return {};
+}
+function getTenant(state, reqBody, ctx) {
+    errors_1.assert(state instanceof state_1.TenantProjectState, "((Can only get tenant on tenant projects.))");
+    return state.tenantConfig;
+}
+function updateTenant(state, reqBody, ctx) {
+    errors_1.assert(state instanceof state_1.TenantProjectState, "((Can only update tenant on tenant projects.))");
+    return state.updateTenant(reqBody, ctx.params.query.updateMask);
+}