firebase-tools 9.19.0 → 9.23.0

package/lib/emulator/auth/handlers.js

@@ -7,7 +7,7 @@ const errors_1 = require("./errors");
 const widget_ui_1 = require("./widget_ui");
 function registerHandlers(app, getProjectStateByApiKey) {
     app.get(`/emulator/action`, (req, res) => {
-        const { mode, oobCode, continueUrl, apiKey } = req.query;
+        const { mode, oobCode, continueUrl, apiKey, tenantId } = req.query;
         if (!apiKey) {
             return res.status(400).json({
                 authEmulator: {
@@ -24,7 +24,7 @@ function registerHandlers(app, getProjectStateByApiKey) {
                 },
             });
         }
-        const state = getProjectStateByApiKey(apiKey);
+        const state = getProjectStateByApiKey(apiKey, tenantId);
         switch (mode) {
             case "recoverEmail": {
                 const oob = state.validateOobCode(oobCode);
@@ -159,6 +159,7 @@ function registerHandlers(app, getProjectStateByApiKey) {
         res.set("Content-Type", "text/html; charset=utf-8");
         const apiKey = req.query.apiKey;
         const providerId = req.query.providerId;
+        const tenantId = req.query.tenantId;
         if (!apiKey || !providerId) {
             return res.status(400).json({
                 authEmulator: {
@@ -166,7 +167,7 @@ function registerHandlers(app, getProjectStateByApiKey) {
                 },
             });
         }
-        const state = getProjectStateByApiKey(apiKey);
+        const state = getProjectStateByApiKey(apiKey, tenantId);
         const providerInfos = state.listProviderInfosByProviderId(providerId);
         const options = providerInfos
             .map((info) => `<li class="js-reuse-account mdc-list-item mdc-ripple-upgraded" tabindex="0" data-id-token="${encodeURIComponent(createFakeClaims(info))}">

package/lib/emulator/auth/operations.js

@@ -50,6 +50,25 @@ exports.authOperations = {
                 batchDelete,
                 batchGet,
             },
+            tenants: {
+                create: createTenant,
+                delete: deleteTenant,
+                get: getTenant,
+                list: listTenants,
+                patch: updateTenant,
+                createSessionCookie,
+                accounts: {
+                    _: signUp,
+                    batchCreate,
+                    batchDelete,
+                    batchGet,
+                    delete: deleteAccount,
+                    lookup,
+                    query: queryAccounts,
+                    sendOobCode,
+                    update: setAccountInfo,
+                },
+            },
         },
     },
     securetoken: {
@@ -83,6 +102,7 @@ const MFA_INELIGIBLE_PROVIDER = new Set([
 ]);
 function signUp(state, reqBody, ctx) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     let provider;
     const updates = {
@@ -115,9 +135,11 @@ function signUp(state, reqBody, ctx) {
             errors_1.assert(reqBody.email, "MISSING_EMAIL");
             errors_1.assert(reqBody.password, "MISSING_PASSWORD");
             provider = state_1.PROVIDER_PASSWORD;
+            errors_1.assert(state.allowPasswordSignup, "OPERATION_NOT_ALLOWED");
         }
         else {
             provider = state_1.PROVIDER_ANONYMOUS;
+            errors_1.assert(state.enableAnonymousUser, "ADMIN_ONLY_OPERATION");
         }
     }
     if (reqBody.email) {
@@ -138,6 +160,9 @@ function signUp(state, reqBody, ctx) {
             generateEnrollmentIds: true,
         });
     }
+    if (state instanceof state_1.TenantProjectState) {
+        updates.tenantId = state.tenantId;
+    }
     let user;
     if (reqBody.idToken) {
         ({ user } = parseIdToken(state, reqBody.idToken));
@@ -158,6 +183,7 @@ function signUp(state, reqBody, ctx) {
 }
 function lookup(state, reqBody, ctx) {
     var _a, _b, _c, _d, _e;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     const seenLocalIds = new Set();
     const users = [];
     function tryAddUser(maybeUser) {
@@ -198,6 +224,7 @@ function lookup(state, reqBody, ctx) {
 }
 function batchCreate(state, reqBody) {
     var _a, _b;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     errors_1.assert((_a = reqBody.users) === null || _a === void 0 ? void 0 : _a.length, "MISSING_USER_ACCOUNT");
     if (reqBody.sanityCheck) {
@@ -238,6 +265,12 @@ function batchCreate(state, reqBody) {
                 photoUrl: userInfo.photoUrl,
                 lastLoginAt: userInfo.lastLoginAt,
             };
+            if (userInfo.tenantId) {
+                errors_1.assert(state instanceof state_1.TenantProjectState && state.tenantId === userInfo.tenantId, "Tenant id in userInfo does not match the tenant id in request.");
+            }
+            if (state instanceof state_1.TenantProjectState) {
+                fields.tenantId = state.tenantId;
+            }
             if (userInfo.passwordHash) {
                 fields.passwordHash = userInfo.passwordHash;
                 fields.salt = userInfo.salt;
@@ -369,6 +402,7 @@ function batchDelete(state, reqBody) {
     return { errors: errors.length ? errors : undefined };
 }
 function batchGet(state, reqBody, ctx) {
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     const maxResults = Math.min(Math.floor(ctx.params.query.maxResults) || 20, 1000);
     const users = state.queryUsers({}, { sortByField: "localId", order: "ASC", startToken: ctx.params.query.nextPageToken });
     let newPageToken = undefined;
@@ -386,6 +420,7 @@ function batchGet(state, reqBody, ctx) {
 }
 function createAuthUri(state, reqBody) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     const sessionId = reqBody.sessionId || utils_1.randomId(27);
     if (reqBody.providerId) {
@@ -461,6 +496,7 @@ function createSessionCookie(state, reqBody, ctx) {
 }
 function deleteAccount(state, reqBody, ctx) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     let user;
     if ((_a = ctx.security) === null || _a === void 0 ? void 0 : _a.Oauth2) {
         errors_1.assert(reqBody.localId, "MISSING_LOCAL_ID");
@@ -478,6 +514,8 @@ function deleteAccount(state, reqBody, ctx) {
     };
 }
 function getProjects(state) {
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert(state instanceof state_1.AgentProjectState, "UNSUPPORTED_TENANT_OPERATION");
     return {
         projectId: state.projectNumber,
         authorizedDomains: [
@@ -485,7 +523,8 @@ function getProjects(state) {
         ],
     };
 }
-function getRecaptchaParams() {
+function getRecaptchaParams(state) {
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     return {
         kind: "identitytoolkit#GetRecaptchaParamResponse",
         recaptchaStoken: "This-is-a-fake-token__Dont-send-this-to-the-Recaptcha-service__The-Auth-Emulator-does-not-support-Recaptcha",
@@ -494,6 +533,7 @@ function getRecaptchaParams() {
 }
 function queryAccounts(state, reqBody) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     if ((_a = reqBody.expression) === null || _a === void 0 ? void 0 : _a.length) {
         throw new errors_1.NotImplementedError("expression is not implemented.");
     }
@@ -530,7 +570,9 @@ function queryAccounts(state, reqBody) {
 }
 function resetPassword(state, reqBody) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
+    errors_1.assert(state.allowPasswordSignup, "PASSWORD_LOGIN_DISABLED");
     errors_1.assert(reqBody.oobCode, "MISSING_OOB_CODE");
     const oob = state.validateOobCode(reqBody.oobCode);
     errors_1.assert(oob, "INVALID_OOB_CODE");
@@ -559,6 +601,7 @@ function resetPassword(state, reqBody) {
 exports.resetPassword = resetPassword;
 function sendOobCode(state, reqBody, ctx) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     errors_1.assert(reqBody.requestType && reqBody.requestType !== "OOB_REQ_TYPE_UNSPECIFIED", "MISSING_REQ_TYPE");
     if (reqBody.returnOobLink) {
@@ -571,6 +614,7 @@ function sendOobCode(state, reqBody, ctx) {
     let mode;
     switch (reqBody.requestType) {
         case "EMAIL_SIGNIN":
+            errors_1.assert(state.enableEmailLinkSignin, "OPERATION_NOT_ALLOWED");
             mode = "signIn";
             errors_1.assert(reqBody.email, "MISSING_EMAIL");
             email = utils_1.canonicalizeEmailAddress(reqBody.email);
@@ -625,6 +669,8 @@ function sendOobCode(state, reqBody, ctx) {
 }
 function sendVerificationCode(state, reqBody) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert(state instanceof state_1.AgentProjectState, "UNSUPPORTED_TENANT_OPERATION");
     errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     errors_1.assert(reqBody.phoneNumber && utils_1.isValidPhoneNumber(reqBody.phoneNumber), "INVALID_PHONE_NUMBER : Invalid format.");
     const user = state.getUserByPhoneNumber(reqBody.phoneNumber);
@@ -637,6 +683,7 @@ function sendVerificationCode(state, reqBody) {
 }
 function setAccountInfo(state, reqBody, ctx) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     const url = utils_1.authEmulatorUrl(ctx.req);
     return setAccountInfoImpl(state, reqBody, {
@@ -831,6 +878,9 @@ function createOobRecord(state, email, url, params) {
         if (params.continueUrl) {
             url.searchParams.set("continueUrl", params.continueUrl);
         }
+        if (state instanceof state_1.TenantProjectState) {
+            url.searchParams.set("tenantId", state.tenantId);
+        }
         return url.toString();
     });
     return oobRecord;
@@ -859,6 +909,7 @@ function logOobMessage(oobRecord) {
 }
 function signInWithCustomToken(state, reqBody) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     errors_1.assert(reqBody.token, "MISSING_CUSTOM_TOKEN");
     let payload;
     if (reqBody.token.startsWith("{")) {
@@ -871,6 +922,9 @@ function signInWithCustomToken(state, reqBody) {
     }
     else {
         const decoded = jsonwebtoken_1.decode(reqBody.token, { complete: true });
+        if (state instanceof state_1.TenantProjectState) {
+            errors_1.assert((decoded === null || decoded === void 0 ? void 0 : decoded.payload.tenant_id) === state.tenantId, "TENANT_ID_MISMATCH");
+        }
         errors_1.assert(decoded, "INVALID_CUSTOM_TOKEN : Invalid assertion format");
         if (decoded.header.alg !== "none") {
             emulatorLogger_1.EmulatorLogger.forEmulator(types_1.Emulators.AUTH).log("WARN", "Received a signed custom token. Auth Emulator does not validate JWTs and IS NOT SECURE");
@@ -891,6 +945,7 @@ function signInWithCustomToken(state, reqBody) {
     const updates = {
         customAuth: true,
         lastLoginAt: Date.now().toString(),
+        tenantId: state instanceof state_1.TenantProjectState ? state.tenantId : undefined,
     };
     if (user) {
         errors_1.assert(!user.disabled, "USER_DISABLED");
@@ -906,6 +961,8 @@ function signInWithCustomToken(state, reqBody) {
 }
 function signInWithEmailLink(state, reqBody) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert(state.enableEmailLinkSignin, "OPERATION_NOT_ALLOWED");
     errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     const userFromIdToken = reqBody.idToken ? parseIdToken(state, reqBody.idToken).user : undefined;
     errors_1.assert(reqBody.email, "MISSING_EMAIL");
@@ -920,6 +977,9 @@ function signInWithEmailLink(state, reqBody) {
         emailVerified: true,
         emailLinkSignin: true,
     };
+    if (state instanceof state_1.TenantProjectState) {
+        updates.tenantId = state.tenantId;
+    }
     let user = state.getUserByEmail(email);
     const isNewUser = !user && !userFromIdToken;
     if (!user) {
@@ -941,7 +1001,7 @@ function signInWithEmailLink(state, reqBody) {
         localId: user.localId,
         isNewUser,
     };
-    if ((_a = user.mfaInfo) === null || _a === void 0 ? void 0 : _a.length) {
+    if ((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") && ((_a = user.mfaInfo) === null || _a === void 0 ? void 0 : _a.length)) {
         return Object.assign(Object.assign({}, response), mfaPending(state, user, state_1.PROVIDER_PASSWORD));
     }
     else {
@@ -951,6 +1011,7 @@ function signInWithEmailLink(state, reqBody) {
 }
 function signInWithIdp(state, reqBody) {
     var _a, _b;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     if (reqBody.returnRefreshToken) {
         throw new errors_1.NotImplementedError("returnRefreshToken is not implemented yet.");
@@ -1023,7 +1084,7 @@ function signInWithIdp(state, reqBody) {
     };
     let user;
     if (response.isNewUser) {
-        user = state.createUser(Object.assign(Object.assign({}, accountUpdates.fields), { lastLoginAt: Date.now().toString(), providerUserInfo: [providerUserInfo] }));
+        user = state.createUser(Object.assign(Object.assign({}, accountUpdates.fields), { lastLoginAt: Date.now().toString(), providerUserInfo: [providerUserInfo], tenantId: state instanceof state_1.TenantProjectState ? state.tenantId : undefined }));
         response.localId = user.localId;
     }
     else {
@@ -1037,7 +1098,10 @@ function signInWithIdp(state, reqBody) {
     if (user.email === response.email) {
         response.emailVerified = user.emailVerified;
     }
-    if ((_b = user.mfaInfo) === null || _b === void 0 ? void 0 : _b.length) {
+    if (state instanceof state_1.TenantProjectState) {
+        response.tenantId = state.tenantId;
+    }
+    if ((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") && ((_b = user.mfaInfo) === null || _b === void 0 ? void 0 : _b.length)) {
         return Object.assign(Object.assign({}, response), mfaPending(state, user, providerId));
     }
     else {
@@ -1047,6 +1111,8 @@ function signInWithIdp(state, reqBody) {
 }
 function signInWithPassword(state, reqBody) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert(state.allowPasswordSignup, "PASSWORD_LOGIN_DISABLED");
     errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     errors_1.assert(reqBody.email, "MISSING_EMAIL");
     errors_1.assert(reqBody.password, "MISSING_PASSWORD");
@@ -1068,7 +1134,7 @@ function signInWithPassword(state, reqBody) {
         localId: user.localId,
         email,
     };
-    if ((_a = user.mfaInfo) === null || _a === void 0 ? void 0 : _a.length) {
+    if ((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") && ((_a = user.mfaInfo) === null || _a === void 0 ? void 0 : _a.length)) {
         return Object.assign(Object.assign({}, response), mfaPending(state, user, state_1.PROVIDER_PASSWORD));
     }
     else {
@@ -1078,6 +1144,8 @@ function signInWithPassword(state, reqBody) {
 }
 function signInWithPhoneNumber(state, reqBody) {
     var _a;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert(state instanceof state_1.AgentProjectState, "UNSUPPORTED_TENANT_OPERATION");
     errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     let phoneNumber;
     if (reqBody.temporaryProof) {
@@ -1191,7 +1259,9 @@ function listVerificationCodesInProject(state) {
     };
 }
 function mfaEnrollmentStart(state, reqBody) {
-    var _a;
+    var _a, _b;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") && ((_a = state.mfaConfig.enabledProviders) === null || _a === void 0 ? void 0 : _a.includes("PHONE_SMS")), "OPERATION_NOT_ALLOWED : SMS based MFA not enabled.");
     errors_1.assert(reqBody.idToken, "MISSING_ID_TOKEN");
     const { user, signInProvider } = parseIdToken(state, reqBody.idToken);
     errors_1.assert(!MFA_INELIGIBLE_PROVIDER.has(signInProvider), "UNSUPPORTED_FIRST_FACTOR : MFA is not available for the given first factor.");
@@ -1199,7 +1269,7 @@ function mfaEnrollmentStart(state, reqBody) {
     errors_1.assert(reqBody.phoneEnrollmentInfo, "INVALID_ARGUMENT : ((Missing phoneEnrollmentInfo.))");
     const phoneNumber = reqBody.phoneEnrollmentInfo.phoneNumber;
     errors_1.assert(phoneNumber && utils_1.isValidPhoneNumber(phoneNumber), "INVALID_PHONE_NUMBER : Invalid format.");
-    errors_1.assert(!((_a = user.mfaInfo) === null || _a === void 0 ? void 0 : _a.some((enrollment) => enrollment.unobfuscatedPhoneInfo === phoneNumber)), "SECOND_FACTOR_EXISTS : Phone number already enrolled as second factor for this account.");
+    errors_1.assert(!((_b = user.mfaInfo) === null || _b === void 0 ? void 0 : _b.some((enrollment) => enrollment.unobfuscatedPhoneInfo === phoneNumber)), "SECOND_FACTOR_EXISTS : Phone number already enrolled as second factor for this account.");
     const { sessionInfo, code } = state.createVerificationCode(phoneNumber);
     emulatorLogger_1.EmulatorLogger.forEmulator(types_1.Emulators.AUTH).log("BULLET", `To enroll MFA with ${phoneNumber}, use the code ${code}.`);
     return {
@@ -1209,7 +1279,9 @@ function mfaEnrollmentStart(state, reqBody) {
     };
 }
 function mfaEnrollmentFinalize(state, reqBody) {
-    var _a;
+    var _a, _b;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") && ((_a = state.mfaConfig.enabledProviders) === null || _a === void 0 ? void 0 : _a.includes("PHONE_SMS")), "OPERATION_NOT_ALLOWED : SMS based MFA not enabled.");
     errors_1.assert(reqBody.idToken, "MISSING_ID_TOKEN");
     let { user, signInProvider } = parseIdToken(state, reqBody.idToken);
     errors_1.assert(!MFA_INELIGIBLE_PROVIDER.has(signInProvider), "UNSUPPORTED_FIRST_FACTOR : MFA is not available for the given first factor.");
@@ -1221,7 +1293,7 @@ function mfaEnrollmentFinalize(state, reqBody) {
     errors_1.assert(code, "MISSING_CODE");
     errors_1.assert(sessionInfo, "MISSING_SESSION_INFO");
     const phoneNumber = verifyPhoneNumber(state, sessionInfo, code);
-    errors_1.assert(!((_a = user.mfaInfo) === null || _a === void 0 ? void 0 : _a.some((enrollment) => enrollment.unobfuscatedPhoneInfo === phoneNumber)), "SECOND_FACTOR_EXISTS : Phone number already enrolled as second factor for this account.");
+    errors_1.assert(!((_b = user.mfaInfo) === null || _b === void 0 ? void 0 : _b.some((enrollment) => enrollment.unobfuscatedPhoneInfo === phoneNumber)), "SECOND_FACTOR_EXISTS : Phone number already enrolled as second factor for this account.");
     const existingFactors = user.mfaInfo || [];
     const existingIds = new Set();
     for (const { mfaEnrollmentId } of existingFactors) {
@@ -1248,6 +1320,7 @@ function mfaEnrollmentFinalize(state, reqBody) {
     };
 }
 function mfaEnrollmentWithdraw(state, reqBody) {
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     errors_1.assert(reqBody.idToken, "MISSING_ID_TOKEN");
     let { user, signInProvider } = parseIdToken(state, reqBody.idToken);
     errors_1.assert(user.mfaInfo, "MFA_ENROLLMENT_NOT_FOUND");
@@ -1257,11 +1330,13 @@ function mfaEnrollmentWithdraw(state, reqBody) {
     return Object.assign({}, issueTokens(state, user, signInProvider));
 }
 function mfaSignInStart(state, reqBody) {
-    var _a;
+    var _a, _b;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") && ((_a = state.mfaConfig.enabledProviders) === null || _a === void 0 ? void 0 : _a.includes("PHONE_SMS")), "OPERATION_NOT_ALLOWED : SMS based MFA not enabled.");
     errors_1.assert(reqBody.mfaPendingCredential, "MISSING_MFA_PENDING_CREDENTIAL : Request does not have MFA pending credential.");
     errors_1.assert(reqBody.mfaEnrollmentId, "MISSING_MFA_ENROLLMENT_ID : No second factor identifier is provided.");
     const { user } = parsePendingCredential(state, reqBody.mfaPendingCredential);
-    const enrollment = (_a = user.mfaInfo) === null || _a === void 0 ? void 0 : _a.find((factor) => factor.mfaEnrollmentId === reqBody.mfaEnrollmentId);
+    const enrollment = (_b = user.mfaInfo) === null || _b === void 0 ? void 0 : _b.find((factor) => factor.mfaEnrollmentId === reqBody.mfaEnrollmentId);
     errors_1.assert(enrollment, "MFA_ENROLLMENT_NOT_FOUND");
     const phoneNumber = enrollment.unobfuscatedPhoneInfo;
     errors_1.assert(phoneNumber, "INVALID_ARGUMENT : MFA provider not supported!");
@@ -1274,7 +1349,9 @@ function mfaSignInStart(state, reqBody) {
     };
 }
 function mfaSignInFinalize(state, reqBody) {
-    var _a;
+    var _a, _b;
+    errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
+    errors_1.assert((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") && ((_a = state.mfaConfig.enabledProviders) === null || _a === void 0 ? void 0 : _a.includes("PHONE_SMS")), "OPERATION_NOT_ALLOWED : SMS based MFA not enabled.");
     errors_1.assert(reqBody.mfaPendingCredential, "MISSING_CREDENTIAL : Please set MFA Pending Credential.");
     errors_1.assert(reqBody.phoneVerificationInfo, "INVALID_ARGUMENT : MFA provider not supported!");
     if (reqBody.phoneVerificationInfo.androidVerificationProof) {
@@ -1285,7 +1362,7 @@ function mfaSignInFinalize(state, reqBody) {
     errors_1.assert(sessionInfo, "MISSING_SESSION_INFO");
     const phoneNumber = verifyPhoneNumber(state, sessionInfo, code);
     let { user, signInProvider } = parsePendingCredential(state, reqBody.mfaPendingCredential);
-    const enrollment = (_a = user.mfaInfo) === null || _a === void 0 ? void 0 : _a.find((enrollment) => enrollment.unobfuscatedPhoneInfo == phoneNumber);
+    const enrollment = (_b = user.mfaInfo) === null || _b === void 0 ? void 0 : _b.find((enrollment) => enrollment.unobfuscatedPhoneInfo == phoneNumber);
     errors_1.assert(enrollment && enrollment.mfaEnrollmentId, "MFA_ENROLLMENT_NOT_FOUND");
     user = state.updateUserByLocalId(user.localId, { lastLoginAt: Date.now().toString() });
     errors_1.assert(!user.disabled, "USER_DISABLED");
@@ -1317,6 +1394,7 @@ function hashPassword(password, salt) {
 function issueTokens(state, user, signInProvider, { extraClaims, secondFactor, } = {}) {
     user = state.updateUserByLocalId(user.localId, { lastRefreshAt: new Date().toISOString() });
     const usageMode = state.usageMode === state_1.UsageMode.PASSTHROUGH ? "passthrough" : undefined;
+    const tenantId = state instanceof state_1.TenantProjectState ? state.tenantId : undefined;
     const expiresInSeconds = 60 * 60;
     const idToken = generateJwt(user, {
         projectId: state.projectId,
@@ -1325,6 +1403,7 @@ function issueTokens(state, user, signInProvider, { extraClaims, secondFactor, }
         extraClaims,
         secondFactor,
         usageMode,
+        tenantId,
     });
     const refreshToken = state.usageMode === state_1.UsageMode.DEFAULT
         ? state.createRefreshTokenFor(user, signInProvider, {
@@ -1345,6 +1424,10 @@ function parseIdToken(state, idToken) {
     if (decoded.header.alg !== "none") {
         emulatorLogger_1.EmulatorLogger.forEmulator(types_1.Emulators.AUTH).log("WARN", "Received a signed JWT. Auth Emulator does not validate JWTs and IS NOT SECURE");
     }
+    if (decoded.payload.firebase.tenant) {
+        errors_1.assert(state instanceof state_1.TenantProjectState, "((Parsed token that belongs to tenant in a non-tenant project.))");
+        errors_1.assert(decoded.payload.firebase.tenant === state.tenantId, "TENANT_ID_MISMATCH");
+    }
     const user = state.getUserByLocalId(decoded.payload.user_id);
     errors_1.assert(user, "USER_NOT_FOUND");
     errors_1.assert(!user.validSince || decoded.payload.iat >= Number(user.validSince), "TOKEN_EXPIRED");
@@ -1352,7 +1435,7 @@ function parseIdToken(state, idToken) {
     const signInProvider = decoded.payload.firebase.sign_in_provider;
     return { user, signInProvider, payload: decoded.payload };
 }
-function generateJwt(user, { projectId, signInProvider, expiresInSeconds, extraClaims = {}, secondFactor, usageMode, }) {
+function generateJwt(user, { projectId, signInProvider, expiresInSeconds, extraClaims = {}, secondFactor, usageMode, tenantId, }) {
     const identities = {};
     if (user.email) {
         identities["email"] = [user.email];
@@ -1375,6 +1458,7 @@ function generateJwt(user, { projectId, signInProvider, expiresInSeconds, extraC
             second_factor_identifier: secondFactor === null || secondFactor === void 0 ? void 0 : secondFactor.identifier,
             sign_in_second_factor: secondFactor === null || secondFactor === void 0 ? void 0 : secondFactor.provider,
             usage_mode: usageMode,
+            tenant: tenantId,
         } });
     const jwtStr = jsonwebtoken_1.sign(customPayloadFields, "", {
         algorithm: "none",
@@ -1667,6 +1751,9 @@ function mfaPending(state, user, signInProvider) {
         signInProvider,
         projectId: state.projectId,
     };
+    if (state instanceof state_1.TenantProjectState) {
+        pendingCredentialPayload.tenantId = state.tenantId;
+    }
     const mfaPendingCredential = Buffer.from(JSON.stringify(pendingCredentialPayload), "utf8").toString("base64");
     return { mfaPendingCredential, mfaInfo: user.mfaInfo.map(redactMfaInfo) };
 }
@@ -1704,8 +1791,61 @@ function parsePendingCredential(state, pendingCredential) {
     }
     errors_1.assert(pendingCredentialPayload._AuthEmulatorMfaPendingCredential, "((Invalid phoneVerificationInfo.mfaPendingCredential.))");
     errors_1.assert(pendingCredentialPayload.projectId === state.projectId, "INVALID_PROJECT_ID : Project ID does not match MFA pending credential.");
+    if (state instanceof state_1.TenantProjectState) {
+        errors_1.assert(pendingCredentialPayload.tenantId === state.tenantId, "INVALID_PROJECT_ID : Project ID does not match MFA pending credential.");
+    }
     const { localId, signInProvider } = pendingCredentialPayload;
     const user = state.getUserByLocalId(localId);
     errors_1.assert(user, "((User in pendingCredentialPayload does not exist.))");
     return { user, signInProvider };
 }
+function createTenant(state, reqBody) {
+    var _a, _b, _c, _d, _e;
+    if (!(state instanceof state_1.AgentProjectState)) {
+        throw new errors_1.InternalError("INTERNAL_ERROR: Can only create tenant in agent project", "INTERNAL");
+    }
+    const mfaConfig = (_a = reqBody.mfaConfig) !== null && _a !== void 0 ? _a : {};
+    if (!("state" in mfaConfig)) {
+        mfaConfig.state = "DISABLED";
+    }
+    if (!("enabledProviders" in mfaConfig)) {
+        mfaConfig.enabledProviders = [];
+    }
+    const tenant = {
+        displayName: reqBody.displayName,
+        allowPasswordSignup: (_b = reqBody.allowPasswordSignup) !== null && _b !== void 0 ? _b : false,
+        enableEmailLinkSignin: (_c = reqBody.enableEmailLinkSignin) !== null && _c !== void 0 ? _c : false,
+        enableAnonymousUser: (_d = reqBody.enableAnonymousUser) !== null && _d !== void 0 ? _d : false,
+        disableAuth: (_e = reqBody.disableAuth) !== null && _e !== void 0 ? _e : false,
+        mfaConfig: mfaConfig,
+        tenantId: "",
+    };
+    return state.createTenant(tenant);
+}
+function listTenants(state, reqBody, ctx) {
+    errors_1.assert(state instanceof state_1.AgentProjectState, "((Can only list tenants in agent project.))");
+    const pageSize = Math.min(Math.floor(ctx.params.query.pageSize) || 20, 1000);
+    const tenants = state.listTenants(ctx.params.query.pageToken);
+    let nextPageToken = undefined;
+    if (pageSize > 0 && tenants.length >= pageSize) {
+        tenants.length = pageSize;
+        nextPageToken = tenants[tenants.length - 1].tenantId;
+    }
+    return {
+        nextPageToken,
+        tenants,
+    };
+}
+function deleteTenant(state, reqBody, ctx) {
+    errors_1.assert(state instanceof state_1.TenantProjectState, "((Can only delete tenant on tenant projects.))");
+    state.delete();
+    return {};
+}
+function getTenant(state, reqBody, ctx) {
+    errors_1.assert(state instanceof state_1.TenantProjectState, "((Can only get tenant on tenant projects.))");
+    return state.tenantConfig;
+}
+function updateTenant(state, reqBody, ctx) {
+    errors_1.assert(state instanceof state_1.TenantProjectState, "((Can only update tenant on tenant projects.))");
+    return state.updateTenant(reqBody, ctx.params.query.updateMask);
+}

package/lib/emulator/auth/server.js

@@ -17,6 +17,7 @@ const lodash_1 = require("lodash");
 const handlers_1 = require("./handlers");
 const bodyParser = require("body-parser");
 const url_1 = require("url");
+const jsonwebtoken_1 = require("jsonwebtoken");
 const apiSpec = apiSpec_1.default;
 const API_SPEC_PATH = "/emulator/openapi.json";
 const AUTH_HEADER_PREFIX = "bearer ";
@@ -70,6 +71,10 @@ async function createApp(defaultProjectId, projectStateForId = new Map()) {
     const app = express();
     app.set("json spaces", 2);
     app.use(cors({ origin: true }));
+    app.delete("*", (req, _, next) => {
+        delete req.headers["content-type"];
+        next();
+    });
     app.get("/", (req, res) => {
         return res.json({
             authEmulator: {
@@ -83,7 +88,7 @@ async function createApp(defaultProjectId, projectStateForId = new Map()) {
         res.json(specWithEmulatorServer(req.protocol, req.headers.host));
     });
     registerLegacyRoutes(app);
-    handlers_1.registerHandlers(app, (apiKey) => getProjectStateById(getProjectIdByApiKey(apiKey)));
+    handlers_1.registerHandlers(app, (apiKey, tenantId) => getProjectStateById(getProjectIdByApiKey(apiKey), tenantId));
     const apiKeyAuthenticator = (ctx, info) => {
         if (info.in !== "query") {
             throw new Error('apiKey must be defined as in: "query" in API spec.');
@@ -169,6 +174,9 @@ async function createApp(defaultProjectId, projectStateForId = new Map()) {
             "google-fieldmask"() {
                 return true;
             },
+            "google-duration"() {
+                return true;
+            },
             uint64() {
                 return true;
             },
@@ -235,21 +243,15 @@ async function createApp(defaultProjectId, projectStateForId = new Map()) {
         return defaultProjectId;
     }
     function getProjectStateById(projectId, tenantId) {
-        let agentProject = projectStateForId.get(projectId);
-        if (!agentProject) {
-            const state = new state_1.AgentProjectState(projectId);
-            agentProject = { state, tenantProjects: new Map() };
-            projectStateForId.set(projectId, agentProject);
+        let agentState = projectStateForId.get(projectId);
+        if (!agentState) {
+            agentState = new state_1.AgentProjectState(projectId);
+            projectStateForId.set(projectId, agentState);
         }
         if (!tenantId) {
-            return agentProject.state;
+            return agentState;
         }
-        let tenantState = agentProject.tenantProjects.get(tenantId);
-        if (!tenantState) {
-            tenantState = new state_1.TenantProjectState(projectId, tenantId, agentProject.state);
-            agentProject.tenantProjects.set(tenantId, tenantState);
-        }
-        return tenantState;
+        return agentState.getTenantProject(tenantId);
     }
 }
 exports.createApp = createApp;
@@ -337,7 +339,7 @@ function toExegesisController(ops, getProjectStateById) {
     }
     function toExegesisOperation(operation) {
         return (ctx) => {
-            var _a, _b, _c, _d, _e;
+            var _a, _b, _c, _d, _e, _f, _g;
             let targetProjectId = ctx.params.path.targetProjectId || ((_a = ctx.requestBody) === null || _a === void 0 ? void 0 : _a.targetProjectId);
             if (targetProjectId) {
                 if ((_b = ctx.api.operationObject.security) === null || _b === void 0 ? void 0 : _b.some((sec) => sec.Oauth2)) {
@@ -347,10 +349,19 @@ function toExegesisController(ops, getProjectStateById) {
             else {
                 targetProjectId = ctx.user;
             }
+            let targetTenantId = undefined;
             if (ctx.params.path.tenantId && ((_d = ctx.requestBody) === null || _d === void 0 ? void 0 : _d.tenantId)) {
                 errors_2.assert(ctx.params.path.tenantId === ctx.requestBody.tenantId, "TENANT_ID_MISMATCH");
             }
-            const targetTenantId = ctx.params.path.tenantId || ((_e = ctx.requestBody) === null || _e === void 0 ? void 0 : _e.tenantId);
+            targetTenantId = ctx.params.path.tenantId || ((_e = ctx.requestBody) === null || _e === void 0 ? void 0 : _e.tenantId);
+            if ((_f = ctx.requestBody) === null || _f === void 0 ? void 0 : _f.idToken) {
+                const idToken = (_g = ctx.requestBody) === null || _g === void 0 ? void 0 : _g.idToken;
+                const decoded = jsonwebtoken_1.decode(idToken, { complete: true });
+                if ((decoded === null || decoded === void 0 ? void 0 : decoded.payload.firebase.tenant) && targetTenantId) {
+                    errors_2.assert((decoded === null || decoded === void 0 ? void 0 : decoded.payload.firebase.tenant) === targetTenantId, "TENANT_ID_MISMATCH");
+                }
+                targetTenantId = targetTenantId || (decoded === null || decoded === void 0 ? void 0 : decoded.payload.firebase.tenant);
+            }
             return operation(getProjectStateById(targetProjectId, targetTenantId), ctx.requestBody, ctx);
         };
     }