firebase-tools 9.20.0 → 9.23.1

package/lib/deploy/functions/services/storage.js

@@ -0,0 +1,43 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureStorageTriggerRegion = exports.obtainStorageBindings = void 0;
+const storage = require("../../../gcp/storage");
+const logger_1 = require("../../../logger");
+const error_1 = require("../../../error");
+const location_1 = require("../../../gcp/location");
+const PUBSUB_PUBLISHER_ROLE = "roles/pubsub.publisher";
+async function obtainStorageBindings(projectId, existingPolicy) {
+    const storageResponse = await storage.getServiceAccount(projectId);
+    const storageServiceAgent = `serviceAccount:${storageResponse.email_address}`;
+    let pubsubBinding = existingPolicy.bindings.find((b) => b.role === PUBSUB_PUBLISHER_ROLE);
+    if (!pubsubBinding) {
+        pubsubBinding = {
+            role: PUBSUB_PUBLISHER_ROLE,
+            members: [],
+        };
+    }
+    if (!pubsubBinding.members.find((m) => m === storageServiceAgent)) {
+        pubsubBinding.members.push(storageServiceAgent);
+    }
+    return [pubsubBinding];
+}
+exports.obtainStorageBindings = obtainStorageBindings;
+async function ensureStorageTriggerRegion(endpoint, eventTrigger) {
+    if (!eventTrigger.region) {
+        logger_1.logger.debug("Looking up bucket region for the storage event trigger");
+        try {
+            const bucket = await storage.getBucket(eventTrigger.eventFilters.bucket);
+            eventTrigger.region = bucket.location.toLowerCase();
+            logger_1.logger.debug("Setting the event trigger region to", eventTrigger.region, ".");
+        }
+        catch (err) {
+            throw new error_1.FirebaseError("Can't find the storage bucket region", { original: err });
+        }
+    }
+    if (endpoint.region !== eventTrigger.region &&
+        eventTrigger.region !== "us-central1" &&
+        !location_1.regionInLocation(endpoint.region, eventTrigger.region)) {
+        throw new error_1.FirebaseError(`A function in region ${endpoint.region} cannot listen to a bucket in region ${eventTrigger.region}`);
+    }
+}
+exports.ensureStorageTriggerRegion = ensureStorageTriggerRegion;

package/lib/deploy/functions/triggerRegionHelper.js

@@ -1,32 +1,16 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.setTriggerRegion = void 0;
+exports.ensureTriggerRegions = void 0;
 const backend = require("./backend");
-const storage = require("../../gcp/storage");
-const error_1 = require("../../error");
-async function setTriggerRegion(want, have) {
-    var _a;
-    for (const wantFn of want) {
-        if (wantFn.platform === "gcfv1" || !backend.isEventTrigger(wantFn.trigger)) {
+const services_1 = require("./services");
+async function ensureTriggerRegions(want) {
+    const regionLookups = [];
+    for (const ep of backend.allEndpoints(want)) {
+        if (ep.platform === "gcfv1" || !backend.isEventTriggered(ep)) {
             continue;
         }
-        const match = (_a = have.find(backend.sameFunctionName(wantFn))) === null || _a === void 0 ? void 0 : _a.trigger;
-        if (match === null || match === void 0 ? void 0 : match.region) {
-            wantFn.trigger.region = match.region;
-        }
-        else {
-            await setTriggerRegionFromTriggerType(wantFn.trigger);
-        }
-    }
-}
-exports.setTriggerRegion = setTriggerRegion;
-async function setTriggerRegionFromTriggerType(trigger) {
-    if (trigger.eventFilters.bucket) {
-        try {
-            trigger.region = (await storage.getBucket(trigger.eventFilters.bucket)).location.toLowerCase();
-        }
-        catch (err) {
-            throw new error_1.FirebaseError("Can't find the storage bucket region", { original: err });
-        }
+        regionLookups.push(services_1.serviceForEndpoint(ep).ensureTriggerRegion(ep, ep.eventTrigger));
     }
+    await Promise.all(regionLookups);
 }
+exports.ensureTriggerRegions = ensureTriggerRegions;

package/lib/deploy/functions/validate.js

@@ -1,10 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.checkForInvalidChangeOfTrigger = exports.functionIdsAreValid = exports.functionsDirectoryExists = void 0;
+exports.functionIdsAreValid = exports.functionsDirectoryExists = void 0;
 const clc = require("cli-color");
 const error_1 = require("../../error");
-const functionsDeployHelper_1 = require("./functionsDeployHelper");
-const backend = require("./backend");
 const fsutils = require("../../fsutils");
 const projectPath = require("../../projectPath");
 function functionsDirectoryExists(options, sourceDirName) {
@@ -36,24 +34,3 @@ function functionIdsAreValid(functions) {
     }
 }
 exports.functionIdsAreValid = functionIdsAreValid;
-function checkForInvalidChangeOfTrigger(fn, exFn) {
-    var _a, _b;
-    const wantEventTrigger = backend.isEventTrigger(fn.trigger);
-    const haveEventTrigger = backend.isEventTrigger(exFn.trigger);
-    if (!wantEventTrigger && haveEventTrigger) {
-        throw new error_1.FirebaseError(`[${functionsDeployHelper_1.getFunctionLabel(fn)}] Changing from a background triggered function to an HTTPS function is not allowed. Please delete your function and create a new one instead.`);
-    }
-    if (wantEventTrigger && !haveEventTrigger) {
-        throw new error_1.FirebaseError(`[${functionsDeployHelper_1.getFunctionLabel(fn)}] Changing from an HTTPS function to an background triggered function is not allowed. Please delete your function and create a new one instead.`);
-    }
-    if (fn.platform == "gcfv2" && exFn.platform == "gcfv1") {
-        throw new error_1.FirebaseError(`[${functionsDeployHelper_1.getFunctionLabel(fn)}] Upgrading from GCFv1 to GCFv2 is not yet supported. Please delete your old function or wait for this feature to be ready.`);
-    }
-    if (fn.platform == "gcfv1" && exFn.platform == "gcfv2") {
-        throw new error_1.FirebaseError(`[${functionsDeployHelper_1.getFunctionLabel(fn)}] Functions cannot be downgraded from GCFv2 to GCFv1`);
-    }
-    if (((_a = exFn.labels) === null || _a === void 0 ? void 0 : _a["deployment-scheduled"]) && !((_b = fn.labels) === null || _b === void 0 ? void 0 : _b["deployment-scheduled"])) {
-        throw new error_1.FirebaseError(`[${functionsDeployHelper_1.getFunctionLabel(fn)}] Scheduled functions cannot be changed to event handler or HTTP functions`);
-    }
-}
-exports.checkForInvalidChangeOfTrigger = checkForInvalidChangeOfTrigger;

package/lib/deploy/index.js

@@ -15,6 +15,7 @@ var TARGETS = {
     functions: require("./functions"),
     storage: require("./storage"),
     remoteconfig: require("./remoteconfig"),
+    extensions: require("./extensions"),
 };
 var _noop = function () {
     return Promise.resolve();
@@ -37,6 +38,7 @@ var deploy = function (targetNames, options, customContext = {}) {
     var deploys = [];
     var releases = [];
     var postdeploys = [];
+    var startTime = Date.now();
     for (var i = 0; i < targetNames.length; i++) {
         var targetName = targetNames[i];
         var target = TARGETS[targetName];
@@ -74,8 +76,15 @@ var deploy = function (targetNames, options, customContext = {}) {
     })
         .then(function () {
         if (_.has(options, "config.notes.databaseRules")) {
-            track("Rules Deploy", options.config.notes.databaseRules);
+            return track("Rules Deploy", options.config.notes.databaseRules);
         }
+        return;
+    })
+        .then(function () {
+        const duration = Date.now() - startTime;
+        return track("Product Deploy", [...targetNames].sort().join(","), duration);
+    })
+        .then(function () {
         logger.info();
         utils.logSuccess(clc.underline.bold("Deploy complete!"));
         logger.info();

package/lib/emulator/auth/apiSpec.js

@@ -3580,6 +3580,37 @@ exports.default = {
                 tags: ["emulator"],
             },
         },
+        "/emulator/v1/projects/{targetProjectId}/tenants/{tenantId}/accounts": {
+            parameters: [
+                {
+                    name: "targetProjectId",
+                    in: "path",
+                    description: "The ID of the Google Cloud project that the accounts belong to.",
+                    required: true,
+                    schema: { type: "string" },
+                },
+                {
+                    name: "tenantId",
+                    in: "path",
+                    description: "The ID of the Identity Platform tenant the accounts belongs to. If not specified, accounts on the Identity Platform project are returned.",
+                    required: true,
+                    schema: { type: "string" },
+                },
+            ],
+            servers: [{ url: "" }],
+            delete: {
+                description: "Remove all accounts in the project, regardless of state.",
+                operationId: "emulator.projects.accounts.delete",
+                responses: {
+                    200: {
+                        description: "Successful response",
+                        content: { "application/json": { schema: { type: "object" } } },
+                    },
+                },
+                security: [],
+                tags: ["emulator"],
+            },
+        },
         "/emulator/v1/projects/{targetProjectId}/config": {
             parameters: [
                 {
@@ -4978,7 +5009,7 @@ exports.default = {
                         type: "string",
                     },
                     postBody: {
-                        description: "If the user is signing in with an authorization response obtained via a previous CreateAuthUri authorization request, this is the body of the HTTP POST callback from the IdP, if present. Otherwise, if the user is signing in with a manually provided IdP credential, this should be a URL-encoded form that contains the credential (e.g. an ID token or access token for OAuth 2.0 IdPs) and the provider ID of the IdP that issued the credential. For example, if the user is signing in to the Google provider using a Google ID token, this should be set to `id_token=[GOOGLE_ID_TOKEN]&providerId=google.com`, where `[GOOGLE_ID_TOKEN]` should be replaced with the Google ID token. If the user is signing in to the Facebook provider using a Facebook access token, this should be set to `access_token=[FACEBOOK_ACCESS_TOKEN]&providerId=facebook.com`, where `[FACEBOOK_ACCESS_TOKEN]` should be replaced with the Facebook access token. If the user is signing in to the Twitter provider using a Twitter OAuth 1.0 credential, this should be set to `access_token=[TWITTER_ACCESS_TOKEN]&oauth_token_secret=[TWITTER_TOKEN_SECRET]&providerId=twitter.com`, where `[TWITTER_ACCESS_TOKEN]` and `[TWITTER_TOKEN_SECRET]` should be replaced with the Twitter OAuth access token and Twitter OAuth token secret respectively.",
+                        description: "If the user is signing in with an authorization response obtained via a previous CreateAuthUri authorization request, this is the body of the HTTP POST callback from the IdP, if present. Otherwise, if the user is signing in with a manually provided IdP credential, this should be a URL-encoded form that contains the credential (e.g. an ID token or access token for OAuth 2.0 IdPs) and the provider ID of the IdP that issued the credential. For example, if the user is signing in to the Google provider using a Google ID token, this should be set to `id_token=[GOOGLE_ID_TOKEN]&providerId=google.com`, where `[GOOGLE_ID_TOKEN]` should be replaced with the Google ID token. If the user is signing in to the Facebook provider using a Facebook authentication token, this should be set to `id_token=[FACEBOOK_AUTHENTICATION_TOKEN]&providerId=facebook.com&nonce= [NONCE]`, where `[FACEBOOK_AUTHENTICATION_TOKEN]` should be replaced with the Facebook authentication token. Nonce is required for validating the token. The request will fail if no nonce is provided. If the user is signing in to the Facebook provider using a Facebook access token, this should be set to `access_token=[FACEBOOK_ACCESS_TOKEN]&providerId=facebook.com`, where `[FACEBOOK_ACCESS_TOKEN]` should be replaced with the Facebook access token. If the user is signing in to the Twitter provider using a Twitter OAuth 1.0 credential, this should be set to `access_token=[TWITTER_ACCESS_TOKEN]&oauth_token_secret=[TWITTER_TOKEN_SECRET]&providerId=twitter.com`, where `[TWITTER_ACCESS_TOKEN]` and `[TWITTER_TOKEN_SECRET]` should be replaced with the Twitter OAuth access token and Twitter OAuth token secret respectively.",
                         type: "string",
                     },
                     requestUri: {
@@ -6665,16 +6696,16 @@ exports.default = {
                 type: "object",
             },
             GoogleIamV1Binding: {
-                description: "Associates `members` with a `role`.",
+                description: "Associates `members`, or principals, with a `role`.",
                 properties: {
                     condition: { $ref: "#/components/schemas/GoogleTypeExpr" },
                     members: {
-                        description: "Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`. * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding. * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. ",
+                        description: "Specifies the principals requesting access for a Cloud Platform resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`. * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding. * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. ",
                         items: { type: "string" },
                         type: "array",
                     },
                     role: {
-                        description: "Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.",
+                        description: "Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.",
                         type: "string",
                     },
                 },
@@ -6697,7 +6728,7 @@ exports.default = {
                 type: "object",
             },
             GoogleIamV1Policy: {
-                description: 'An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A `Policy` is a collection of `bindings`. A `binding` binds one or more `members` to a single `role`. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). **JSON example:** { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp(\'2020-10-01T00:00:00.000Z\')", } } ], "etag": "BwWWja0YfJA=", "version": 3 } **YAML example:** bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp(\'2020-10-01T00:00:00.000Z\') etag: BwWWja0YfJA= version: 3 For a description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/).',
+                description: 'An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A `Policy` is a collection of `bindings`. A `binding` binds one or more `members`, or principals, to a single `role`. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). **JSON example:** { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp(\'2020-10-01T00:00:00.000Z\')", } } ], "etag": "BwWWja0YfJA=", "version": 3 } **YAML example:** bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp(\'2020-10-01T00:00:00.000Z\') etag: BwWWja0YfJA= version: 3 For a description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/).',
                 properties: {
                     auditConfigs: {
                         description: "Specifies cloud audit logging configuration for this policy.",
@@ -6705,7 +6736,7 @@ exports.default = {
                         type: "array",
                     },
                     bindings: {
-                        description: "Associates a list of `members` to a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one member. The `bindings` in a `Policy` can refer to up to 1,500 members; up to 250 of these members can be Google groups. Each occurrence of a member counts towards these limits. For example, if the `bindings` grant 50 different roles to `user:alice@example.com`, and not to any other member, then you can add another 1,450 members to the `bindings` in the `Policy`.",
+                        description: "Associates a list of `members`, or principals, with a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one principal. The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250 of these principals can be Google groups. Each occurrence of a principal counts towards these limits. For example, if the `bindings` grant 50 different roles to `user:alice@example.com`, and not to any other principal, then you can add another 1,450 principals to the `bindings` in the `Policy`.",
                         items: { $ref: "#/components/schemas/GoogleIamV1Binding" },
                         type: "array",
                     },

package/lib/emulator/auth/operations.js

@@ -160,8 +160,8 @@ function signUp(state, reqBody, ctx) {
             generateEnrollmentIds: true,
         });
     }
-    if (reqBody.tenantId) {
-        updates.tenantId = reqBody.tenantId;
+    if (state instanceof state_1.TenantProjectState) {
+        updates.tenantId = state.tenantId;
     }
     let user;
     if (reqBody.idToken) {
@@ -267,6 +267,8 @@ function batchCreate(state, reqBody) {
             };
             if (userInfo.tenantId) {
                 errors_1.assert(state instanceof state_1.TenantProjectState && state.tenantId === userInfo.tenantId, "Tenant id in userInfo does not match the tenant id in request.");
+            }
+            if (state instanceof state_1.TenantProjectState) {
                 fields.tenantId = state.tenantId;
             }
             if (userInfo.passwordHash) {
@@ -921,7 +923,7 @@ function signInWithCustomToken(state, reqBody) {
     else {
         const decoded = jsonwebtoken_1.decode(reqBody.token, { complete: true });
         if (state instanceof state_1.TenantProjectState) {
-            errors_1.assert((decoded === null || decoded === void 0 ? void 0 : decoded.payload.tenantId) === state.tenantId, "TENANT_ID_MISMATCH");
+            errors_1.assert((decoded === null || decoded === void 0 ? void 0 : decoded.payload.tenant_id) === state.tenantId, "TENANT_ID_MISMATCH");
         }
         errors_1.assert(decoded, "INVALID_CUSTOM_TOKEN : Invalid assertion format");
         if (decoded.header.alg !== "none") {
@@ -1008,7 +1010,7 @@ function signInWithEmailLink(state, reqBody) {
     }
 }
 function signInWithIdp(state, reqBody) {
-    var _a, _b;
+    var _a, _b, _c;
     errors_1.assert(!state.disableAuth, "PROJECT_DISABLED");
     errors_1.assert(state.usageMode !== state_1.UsageMode.PASSTHROUGH, "UNSUPPORTED_PASSTHROUGH_OPERATION");
     if (reqBody.returnRefreshToken) {
@@ -1039,7 +1041,16 @@ function signInWithIdp(state, reqBody) {
             throw new errors_1.NotImplementedError("The Auth Emulator only supports sign-in with credentials (id_token required).");
         }
     }
-    let { response, rawId } = fakeFetchUserInfoFromIdp(providerId, claims);
+    let samlResponse;
+    let signInAttributes = undefined;
+    if (normalizedUri.searchParams.get("SAMLResponse")) {
+        samlResponse = JSON.parse(normalizedUri.searchParams.get("SAMLResponse"));
+        signInAttributes = (_b = samlResponse.assertion) === null || _b === void 0 ? void 0 : _b.attributeStatements;
+        errors_1.assert(samlResponse.assertion, "INVALID_IDP_RESPONSE ((Missing assertion in SAMLResponse.))");
+        errors_1.assert(samlResponse.assertion.subject, "INVALID_IDP_RESPONSE ((Missing assertion.subject in SAMLResponse.))");
+        errors_1.assert(samlResponse.assertion.subject.nameId, "INVALID_IDP_RESPONSE ((Missing assertion.subject.nameId in SAMLResponse.))");
+    }
+    let { response, rawId } = fakeFetchUserInfoFromIdp(providerId, claims, samlResponse);
     response.oauthAccessToken =
         oauthAccessToken || `FirebaseAuthEmulatorFakeAccessToken_${providerId}`;
     response.oauthIdToken = oauthIdToken;
@@ -1099,12 +1110,12 @@ function signInWithIdp(state, reqBody) {
     if (state instanceof state_1.TenantProjectState) {
         response.tenantId = state.tenantId;
     }
-    if ((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") && ((_b = user.mfaInfo) === null || _b === void 0 ? void 0 : _b.length)) {
+    if ((state.mfaConfig.state === "ENABLED" || state.mfaConfig.state === "MANDATORY") && ((_c = user.mfaInfo) === null || _c === void 0 ? void 0 : _c.length)) {
         return Object.assign(Object.assign({}, response), mfaPending(state, user, providerId));
     }
     else {
         user = state.updateUserByLocalId(user.localId, { lastLoginAt: Date.now().toString() });
-        return Object.assign(Object.assign({}, response), issueTokens(state, user, providerId));
+        return Object.assign(Object.assign({}, response), issueTokens(state, user, providerId, { signInAttributes }));
     }
 }
 function signInWithPassword(state, reqBody) {
@@ -1389,7 +1400,7 @@ function redactPasswordHash(user) {
 function hashPassword(password, salt) {
     return `fakeHash:salt=${salt}:password=${password}`;
 }
-function issueTokens(state, user, signInProvider, { extraClaims, secondFactor, } = {}) {
+function issueTokens(state, user, signInProvider, { extraClaims, secondFactor, signInAttributes, } = {}) {
     user = state.updateUserByLocalId(user.localId, { lastRefreshAt: new Date().toISOString() });
     const usageMode = state.usageMode === state_1.UsageMode.PASSTHROUGH ? "passthrough" : undefined;
     const tenantId = state instanceof state_1.TenantProjectState ? state.tenantId : undefined;
@@ -1402,6 +1413,7 @@ function issueTokens(state, user, signInProvider, { extraClaims, secondFactor, }
         secondFactor,
         usageMode,
         tenantId,
+        signInAttributes,
     });
     const refreshToken = state.usageMode === state_1.UsageMode.DEFAULT
         ? state.createRefreshTokenFor(user, signInProvider, {
@@ -1433,7 +1445,7 @@ function parseIdToken(state, idToken) {
     const signInProvider = decoded.payload.firebase.sign_in_provider;
     return { user, signInProvider, payload: decoded.payload };
 }
-function generateJwt(user, { projectId, signInProvider, expiresInSeconds, extraClaims = {}, secondFactor, usageMode, tenantId, }) {
+function generateJwt(user, { projectId, signInProvider, expiresInSeconds, extraClaims = {}, secondFactor, usageMode, tenantId, signInAttributes, }) {
     const identities = {};
     if (user.email) {
         identities["email"] = [user.email];
@@ -1457,6 +1469,7 @@ function generateJwt(user, { projectId, signInProvider, expiresInSeconds, extraC
             sign_in_second_factor: secondFactor === null || secondFactor === void 0 ? void 0 : secondFactor.provider,
             usage_mode: usageMode,
             tenant: tenantId,
+            sign_in_attributes: signInAttributes,
         } });
     const jwtStr = jsonwebtoken_1.sign(customPayloadFields, "", {
         algorithm: "none",
@@ -1601,7 +1614,8 @@ function parseClaims(idTokenOrJsonClaims) {
     errors_1.assert(typeof claims.sub === "string", 'INVALID_IDP_RESPONSE : ((The "sub" field must be a string.))');
     return claims;
 }
-function fakeFetchUserInfoFromIdp(providerId, claims) {
+function fakeFetchUserInfoFromIdp(providerId, claims, samlResponse) {
+    var _a, _b, _c, _d, _e;
     const rawId = claims.sub;
     const email = claims.email ? utils_1.canonicalizeEmailAddress(claims.email) : undefined;
     const emailVerified = !!claims.email_verified;
@@ -1618,7 +1632,7 @@ function fakeFetchUserInfoFromIdp(providerId, claims) {
         emailVerified,
         photoUrl,
     };
-    let federatedId;
+    let federatedId = rawId;
     switch (providerId) {
         case "google.com": {
             federatedId = `https://accounts.google.com/${rawId}`;
@@ -1641,8 +1655,14 @@ function fakeFetchUserInfoFromIdp(providerId, claims) {
             });
             break;
         }
+        case (_a = providerId.match(/^saml\./)) === null || _a === void 0 ? void 0 : _a.input:
+            const nameId = (_c = (_b = samlResponse === null || samlResponse === void 0 ? void 0 : samlResponse.assertion) === null || _b === void 0 ? void 0 : _b.subject) === null || _c === void 0 ? void 0 : _c.nameId;
+            response.email = nameId && utils_1.isValidEmailAddress(nameId) ? nameId : response.email;
+            response.emailVerified = true;
+            response.rawUserInfo = JSON.stringify((_d = samlResponse === null || samlResponse === void 0 ? void 0 : samlResponse.assertion) === null || _d === void 0 ? void 0 : _d.attributeStatements);
+            break;
+        case (_e = providerId.match(/^oidc\./)) === null || _e === void 0 ? void 0 : _e.input:
         default:
-            federatedId = rawId;
             response.rawUserInfo = JSON.stringify(claims);
             break;
     }
@@ -1798,16 +1818,24 @@ function parsePendingCredential(state, pendingCredential) {
     return { user, signInProvider };
 }
 function createTenant(state, reqBody) {
+    var _a, _b, _c, _d, _e;
     if (!(state instanceof state_1.AgentProjectState)) {
         throw new errors_1.InternalError("INTERNAL_ERROR: Can only create tenant in agent project", "INTERNAL");
     }
+    const mfaConfig = (_a = reqBody.mfaConfig) !== null && _a !== void 0 ? _a : {};
+    if (!("state" in mfaConfig)) {
+        mfaConfig.state = "DISABLED";
+    }
+    if (!("enabledProviders" in mfaConfig)) {
+        mfaConfig.enabledProviders = [];
+    }
     const tenant = {
         displayName: reqBody.displayName,
-        allowPasswordSignup: reqBody.allowPasswordSignup,
-        enableEmailLinkSignin: reqBody.enableEmailLinkSignin,
-        enableAnonymousUser: reqBody.enableAnonymousUser,
-        disableAuth: reqBody.disableAuth,
-        mfaConfig: reqBody.mfaConfig,
+        allowPasswordSignup: (_b = reqBody.allowPasswordSignup) !== null && _b !== void 0 ? _b : false,
+        enableEmailLinkSignin: (_c = reqBody.enableEmailLinkSignin) !== null && _c !== void 0 ? _c : false,
+        enableAnonymousUser: (_d = reqBody.enableAnonymousUser) !== null && _d !== void 0 ? _d : false,
+        disableAuth: (_e = reqBody.disableAuth) !== null && _e !== void 0 ? _e : false,
+        mfaConfig: mfaConfig,
         tenantId: "",
     };
     return state.createTenant(tenant);

package/lib/emulator/auth/server.js

@@ -17,6 +17,7 @@ const lodash_1 = require("lodash");
 const handlers_1 = require("./handlers");
 const bodyParser = require("body-parser");
 const url_1 = require("url");
+const jsonwebtoken_1 = require("jsonwebtoken");
 const apiSpec = apiSpec_1.default;
 const API_SPEC_PATH = "/emulator/openapi.json";
 const AUTH_HEADER_PREFIX = "bearer ";
@@ -70,6 +71,10 @@ async function createApp(defaultProjectId, projectStateForId = new Map()) {
     const app = express();
     app.set("json spaces", 2);
     app.use(cors({ origin: true }));
+    app.delete("*", (req, _, next) => {
+        delete req.headers["content-type"];
+        next();
+    });
     app.get("/", (req, res) => {
         return res.json({
             authEmulator: {
@@ -334,7 +339,7 @@ function toExegesisController(ops, getProjectStateById) {
     }
     function toExegesisOperation(operation) {
         return (ctx) => {
-            var _a, _b, _c, _d, _e;
+            var _a, _b, _c, _d, _e, _f, _g;
             let targetProjectId = ctx.params.path.targetProjectId || ((_a = ctx.requestBody) === null || _a === void 0 ? void 0 : _a.targetProjectId);
             if (targetProjectId) {
                 if ((_b = ctx.api.operationObject.security) === null || _b === void 0 ? void 0 : _b.some((sec) => sec.Oauth2)) {
@@ -344,10 +349,19 @@ function toExegesisController(ops, getProjectStateById) {
             else {
                 targetProjectId = ctx.user;
             }
+            let targetTenantId = undefined;
             if (ctx.params.path.tenantId && ((_d = ctx.requestBody) === null || _d === void 0 ? void 0 : _d.tenantId)) {
                 errors_2.assert(ctx.params.path.tenantId === ctx.requestBody.tenantId, "TENANT_ID_MISMATCH");
             }
-            const targetTenantId = ctx.params.path.tenantId || ((_e = ctx.requestBody) === null || _e === void 0 ? void 0 : _e.tenantId);
+            targetTenantId = ctx.params.path.tenantId || ((_e = ctx.requestBody) === null || _e === void 0 ? void 0 : _e.tenantId);
+            if ((_f = ctx.requestBody) === null || _f === void 0 ? void 0 : _f.idToken) {
+                const idToken = (_g = ctx.requestBody) === null || _g === void 0 ? void 0 : _g.idToken;
+                const decoded = jsonwebtoken_1.decode(idToken, { complete: true });
+                if ((decoded === null || decoded === void 0 ? void 0 : decoded.payload.firebase.tenant) && targetTenantId) {
+                    errors_2.assert((decoded === null || decoded === void 0 ? void 0 : decoded.payload.firebase.tenant) === targetTenantId, "TENANT_ID_MISMATCH");
+                }
+                targetTenantId = targetTenantId || (decoded === null || decoded === void 0 ? void 0 : decoded.payload.firebase.tenant);
+            }
             return operation(getProjectStateById(targetProjectId, targetTenantId), ctx.requestBody, ctx);
         };
     }

package/lib/emulator/auth/state.js

@@ -459,7 +459,17 @@ class AgentProjectState extends ProjectState {
     }
     getTenantProject(tenantId) {
         if (!this.tenantProjectForTenantId.has(tenantId)) {
-            this.createTenantWithTenantId(tenantId, { tenantId });
+            this.createTenantWithTenantId(tenantId, {
+                tenantId,
+                allowPasswordSignup: true,
+                disableAuth: false,
+                mfaConfig: {
+                    state: "ENABLED",
+                    enabledProviders: ["PHONE_SMS"],
+                },
+                enableAnonymousUser: true,
+                enableEmailLinkSignin: true,
+            });
         }
         return this.tenantProjectForTenantId.get(tenantId);
     }
@@ -525,34 +535,43 @@ class TenantProjectState extends ProjectState {
         return this._tenantConfig;
     }
     get allowPasswordSignup() {
-        var _a;
-        return (_a = this._tenantConfig.allowPasswordSignup) !== null && _a !== void 0 ? _a : true;
+        return this._tenantConfig.allowPasswordSignup;
     }
     get disableAuth() {
-        var _a;
-        return (_a = this._tenantConfig.disableAuth) !== null && _a !== void 0 ? _a : false;
+        return this._tenantConfig.disableAuth;
     }
     get mfaConfig() {
-        var _a;
-        return ((_a = this._tenantConfig.mfaConfig) !== null && _a !== void 0 ? _a : {
-            state: "ENABLED",
-            enabledProviders: ["PHONE_SMS"],
-        });
+        return this._tenantConfig.mfaConfig;
     }
     get enableAnonymousUser() {
-        var _a;
-        return (_a = this._tenantConfig.enableAnonymousUser) !== null && _a !== void 0 ? _a : true;
+        return this._tenantConfig.enableAnonymousUser;
     }
     get enableEmailLinkSignin() {
-        var _a;
-        return (_a = this._tenantConfig.enableEmailLinkSignin) !== null && _a !== void 0 ? _a : true;
+        return this._tenantConfig.enableEmailLinkSignin;
     }
     delete() {
         this.parentProject.deleteTenant(this.tenantId);
     }
     updateTenant(update, updateMask) {
+        var _a, _b, _c, _d, _e;
         if (!updateMask) {
-            this._tenantConfig = Object.assign(Object.assign({}, update), { tenantId: this.tenantId, name: this.tenantConfig.name });
+            const mfaConfig = (_a = update.mfaConfig) !== null && _a !== void 0 ? _a : {};
+            if (!("state" in mfaConfig)) {
+                mfaConfig.state = "DISABLED";
+            }
+            if (!("enabledProviders" in mfaConfig)) {
+                mfaConfig.enabledProviders = [];
+            }
+            this._tenantConfig = {
+                tenantId: this.tenantId,
+                name: this.tenantConfig.name,
+                allowPasswordSignup: (_b = update.allowPasswordSignup) !== null && _b !== void 0 ? _b : false,
+                disableAuth: (_c = update.disableAuth) !== null && _c !== void 0 ? _c : false,
+                mfaConfig: mfaConfig,
+                enableAnonymousUser: (_d = update.enableAnonymousUser) !== null && _d !== void 0 ? _d : false,
+                enableEmailLinkSignin: (_e = update.enableEmailLinkSignin) !== null && _e !== void 0 ? _e : false,
+                displayName: update.displayName,
+            };
             return this.tenantConfig;
         }
         const paths = updateMask.split(",");

package/lib/emulator/auth/widget_ui.js

@@ -33,6 +33,7 @@ var firebaseAppId = query.get('appId');
 var apn = query.get('apn');
 var ibi = query.get('ibi');
 var appIdentifier = apn || ibi;
+var isSamlProvider = !!providerId.match(/^saml\./);
 assert(
   appName || clientId || firebaseAppId || appIdentifier,
   'Missing one of appName / clientId / appId / apn / ibi query params.'
@@ -172,6 +173,19 @@ function finishWithUser(urlEncodedIdToken) {
   // Avoid URLSearchParams for browser compatibility.
   url += '?providerId=' + encodeURIComponent(providerId);
   url += '&id_token=' + urlEncodedIdToken;
+
+  // Save reasonable defaults for SAML providers
+  if (isSamlProvider) {
+    var email = document.getElementById('email-input').value;
+    url += '&SAMLResponse=' + encodeURIComponent(JSON.stringify({
+      assertion: {
+        subject: {
+          nameId: email,
+        },
+      },
+    }));
+  }
+
   saveAuthEvent({
     type: authType,
     eventId: eventId,

package/lib/emulator/downloadableEmulators.js

@@ -50,15 +50,15 @@ exports.DownloadDetails = {
         },
     },
     ui: {
-        version: "1.6.3",
-        downloadPath: path.join(CACHE_DIR, "ui-v1.6.3.zip"),
-        unzipDir: path.join(CACHE_DIR, "ui-v1.6.3"),
-        binaryPath: path.join(CACHE_DIR, "ui-v1.6.3", "server.bundle.js"),
+        version: "1.6.4",
+        downloadPath: path.join(CACHE_DIR, "ui-v1.6.4.zip"),
+        unzipDir: path.join(CACHE_DIR, "ui-v1.6.4"),
+        binaryPath: path.join(CACHE_DIR, "ui-v1.6.4", "server.bundle.js"),
         opts: {
             cacheDir: CACHE_DIR,
-            remoteUrl: "https://storage.googleapis.com/firebase-preview-drop/emulator/ui-v1.6.3.zip",
-            expectedSize: 3757268,
-            expectedChecksum: "153090a46072545aadeb307397cc8f45",
+            remoteUrl: "https://storage.googleapis.com/firebase-preview-drop/emulator/ui-v1.6.4.zip",
+            expectedSize: 3757300,
+            expectedChecksum: "20d4ee71e4ff7527b1843b6a8636142e",
             namePrefix: "ui",
         },
     },