npm - kasy-cli - Versions diffs - 1.21.8 → 1.21.9 - Mend

kasy-cli 1.21.8 → 1.21.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/lib/commands/new.js +6 -1
package/lib/scaffold/backends/firebase/enable-auth-via-cli.js +14 -6
package/lib/scaffold/backends/firebase/setup-from-scratch.js +69 -45
package/package.json +1 -1

package/lib/commands/new.js CHANGED Viewed

@@ -44,7 +44,7 @@ const { generateApiProject } = require('../scaffold/backends/api/generator');
 const { createProjectAndGetKeys, setupLinkedProject, checkLoggedIn, getOrgsList, getProjectsByOrg, getProjectKeys } = require('../scaffold/backends/supabase/deploy');
 const { writeSupabaseGoogleAuthOptions, readSupabaseGoogleCredentials, getGoogleClientSecretViaGcloud, flutterfireConfigure, writeGoogleAuthOptions, writeGoogleIosUrlScheme, writeGoogleIosUrlSchemeFromClientId } = require('../scaffold/shared/post-build');
 const { toPackageName } = require('../scaffold/backends/firebase/tokens');
-const { setupFromScratch, setupExistingProject, listBillingAccounts, listGcpOrganizations, checkGcloudAuth, getFirebaseAccount, getGcloudInstallInstructions, enableAuthProviders, registerDebugSha1 } = require('../scaffold/backends/firebase/setup-from-scratch');
+const { setupFromScratch, setupExistingProject, listBillingAccounts, listGcpOrganizations, checkGcloudAuth, getFirebaseAccount, getGcloudInstallInstructions, enableAuthProviders, ensureFirebaseAuthInitialized, registerDebugSha1 } = require('../scaffold/backends/firebase/setup-from-scratch');
 const { enableAuthViaFirebaseCli } = require('../scaffold/backends/firebase/enable-auth-via-cli');
 const { createFcmServiceAccountKey } = require('../scaffold/shared/fcm-service-account');
@@ -1689,10 +1689,15 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
       // client, which is why Google used to come out disabled on Supabase projects.
       const googleSpinner = ui.spinner();
       googleSpinner.start(tr('new.google.enabling'));
+      // The deploy below needs the project's Identity Platform config to exist.
+      // Supabase setup runs in fcmOnly mode, which intentionally leaves Firebase
+      // Auth untouched, so initialize it here (idempotent) before the deploy.
+      await ensureFirebaseAuthInitialized(answers.firebaseProjectId);
       const cliResult = await enableAuthViaFirebaseCli({
         projectDir: targetDir,
         projectId: answers.firebaseProjectId,
         appName: answers.appName,
+        googleOnly: true,
       });
       googleSpinner.stop(tr('new.google.enabling'));

package/lib/scaffold/backends/firebase/enable-auth-via-cli.js CHANGED Viewed

@@ -63,9 +63,12 @@ async function mergeAuthIntoFirebaseJson(projectDir, providers) {
  * @param {string} options.projectId
  * @param {string} options.appName
  * @param {string} [options.supportEmail] - falls back to active gcloud account
+ * @param {boolean} [options.googleOnly] - Supabase: enable ONLY Google (the deploy's
+ *   side effect creates the OAuth Web Client we need). Anonymous/Email/Password in
+ *   Firebase Auth would be dead config there, since the app uses Supabase Auth.
  * @returns {{ ok: boolean, error?: string, supportEmail?: string }}
  */
-async function enableAuthViaFirebaseCli({ projectDir, projectId, appName, supportEmail }) {
+async function enableAuthViaFirebaseCli({ projectDir, projectId, appName, supportEmail, googleOnly = false }) {
   // 1. Resolve support email (required by Google's OAuth consent screen)
   let email = (supportEmail || '').trim();
   if (!email) email = await getGcloudAccountEmail();
@@ -76,15 +79,20 @@ async function enableAuthViaFirebaseCli({ projectDir, projectId, appName, suppor
     };
   }
-  // 2. Merge firebase.json
-  const merge = await mergeAuthIntoFirebaseJson(projectDir, {
-    anonymous: true,
-    emailPassword: true,
+  // 2. Merge firebase.json. Google is always enabled (it's the whole point — the
+  // deploy creates its OAuth Web Client). Anonymous + Email/Password are added only
+  // for the Firebase backend, whose app actually signs in through Firebase Auth.
+  const providers = {
     googleSignIn: {
       oAuthBrandDisplayName: appName,
       supportEmail: email,
     },
-  });
+  };
+  if (!googleOnly) {
+    providers.anonymous = true;
+    providers.emailPassword = true;
+  }
+  const merge = await mergeAuthIntoFirebaseJson(projectDir, providers);
   if (!merge.ok) return merge;
   // 3. Deploy. --non-interactive prevents the CLI from prompting on edge cases.

package/lib/scaffold/backends/firebase/setup-from-scratch.js CHANGED Viewed

@@ -730,34 +730,24 @@ async function ensureLocalhostAuthorizedDomains(projectId, token) {
 }
 /**
- * Enable Firebase Auth sign-in providers: Email/Password, Anonymous and Google.
- * Uses the Identity Toolkit Admin v2 REST API with gcloud credentials.
+ * Initialize Firebase Auth (Identity Platform) for a project. Brand-new projects
+ * have no auth config, so any Admin v2 operation (PATCH /config, or the Firebase
+ * CLI `deploy --only auth`) fails with CONFIGURATION_NOT_FOUND until this runs.
  *
- * Flow:
- *  1. Call identityPlatform:initializeAuth to create the auth config for the project
- *     (required for new projects — PATCH fails with CONFIGURATION_NOT_FOUND without it).
- *  2. PATCH /config to enable Email/Password and Anonymous.
- *  3. POST defaultSupportedIdpConfigs to enable Google Sign-In.
- *     Google Sign-In requires an OAuth client_id that Firebase creates when the user
- *     enables it in the Console — if the client doesn't exist yet this step is skipped
- *     and googleSignInSkipped=true is returned so the caller can show a targeted hint.
- *
- * Non-fatal: returns { ok: false, error } without throwing if the API call fails.
+ * The endpoint is idempotent: it returns {} both on first init and when auth was
+ * already initialized. Non-fatal by contract — callers proceed on failure since
+ * the config may already exist.
  *
  * @param {string} projectId
- * @returns {{ ok: boolean, googleSignInSkipped?: boolean, error?: string }}
+ * @returns {{ ok: boolean, error?: string }}
  */
-async function enableAuthProviders(projectId, { maxRetries = 3, retryDelayMs = 15000 } = {}) {
+async function ensureFirebaseAuthInitialized(projectId, { maxRetries = 3, retryDelayMs = 15000 } = {}) {
   let token;
   try {
     token = await getAccessToken();
   } catch (_) {
     return { ok: false, error: 'Could not get access token' };
   }
-  // Step 1: Initialize Firebase Auth for the project.
-  // New projects have no auth config — PATCH returns CONFIGURATION_NOT_FOUND without this.
-  // The endpoint is idempotent: it returns {} on success or if already initialized.
   const initUrl = `https://identitytoolkit.googleapis.com/v2/projects/${projectId}/identityPlatform:initializeAuth`;
   for (let attempt = 1; attempt <= maxRetries; attempt++) {
     const initRes = await fetch(initUrl, {
@@ -769,19 +759,45 @@ async function enableAuthProviders(projectId, { maxRetries = 3, retryDelayMs = 1
       },
       body: JSON.stringify({}),
     });
-    if (initRes.ok) break;
-    await initRes.text(); // consume body to release connection
+    if (initRes.ok) return { ok: true };
+    const text = await initRes.text(); // consume body to release connection
     if (attempt < maxRetries && (initRes.status === 404 || initRes.status === 503)) {
       await sleep(retryDelayMs);
       try { token = await getAccessToken(); } catch (_) {}
       continue;
     }
-    // Non-fatal — still attempt PATCH below in case auth was already initialized.
-    break;
+    return { ok: false, error: `${initRes.status}: ${text}` };
   }
+  return { ok: false, error: 'initializeAuth: exhausted retries' };
+}
+/**
+ * Enable Firebase Auth sign-in providers: Email/Password, Anonymous and Google.
+ * Uses the Identity Toolkit Admin v2 REST API with gcloud credentials.
+ *
+ * Flow:
+ *  1. Call identityPlatform:initializeAuth to create the auth config for the project
+ *     (required for new projects — PATCH fails with CONFIGURATION_NOT_FOUND without it).
+ *  2. PATCH /config to enable Email/Password and Anonymous.
+ *  3. POST defaultSupportedIdpConfigs to enable Google Sign-In.
+ *     Google Sign-In requires an OAuth client_id that Firebase creates when the user
+ *     enables it in the Console — if the client doesn't exist yet this step is skipped
+ *     and googleSignInSkipped=true is returned so the caller can show a targeted hint.
+ *
+ * Non-fatal: returns { ok: false, error } without throwing if the API call fails.
+ *
+ * @param {string} projectId
+ * @returns {{ ok: boolean, googleSignInSkipped?: boolean, error?: string }}
+ */
+async function enableAuthProviders(projectId, { maxRetries = 3, retryDelayMs = 15000 } = {}) {
+  // Step 1: Initialize Firebase Auth (non-fatal — the PATCH below still runs in
+  // case auth was already initialized). The shared helper keeps the init logic in
+  // one place so the Supabase flow can reuse it before its `deploy --only auth`.
+  await ensureFirebaseAuthInitialized(projectId, { maxRetries, retryDelayMs });
   // Step 2: Enable Email/Password and Anonymous auth providers.
   const configUrl = `https://identitytoolkit.googleapis.com/admin/v2/projects/${projectId}/config?updateMask=signIn.email,signIn.anonymous`;
+  let token;
   let lastError;
   for (let attempt = 1; attempt <= maxRetries; attempt++) {
     try { token = await getAccessToken(); } catch (_) {
@@ -996,27 +1012,34 @@ async function setupFromScratch(appName, bundleId, options = {}) {
   const addResult = await addFirebaseToProject(projectId, { onProgress });
   if (!addResult.ok) return { ok: false, error: `[addFirebase] ${addResult.error}`, projectId };
-  // Enable Email/Password, Anonymous and Google Sign-In auth providers automatically.
-  // Non-fatal — project setup continues even if this call fails.
-  const authResult = await enableAuthProviders(projectId);
-  if (!authResult.ok) {
-    onProgress('auth-providers-warn', {
-      error: authResult.error,
-      url: `https://console.firebase.google.com/project/${projectId}/authentication/providers`,
-    });
-  } else if (authResult.googleSignInSkipped) {
-    // Email/Password and Anonymous were enabled. Google Sign-In needs an OAuth client
-    // that Firebase creates when you enable it in the Console for the first time.
-    onProgress('auth-google-warn', {
-      url: `https://console.firebase.google.com/project/${projectId}/authentication/providers`,
-    });
-  }
-  // Providers were enabled but localhost couldn't be authorized — warn so the user
-  // isn't surprised by [firebase_auth/unauthorized-domain] on web sign-in.
-  if (authResult.ok && authResult.localhostAuthorized === false) {
-    onProgress('auth-localhost-warn', {
-      url: `https://console.firebase.google.com/project/${projectId}/authentication/settings`,
-    });
+  // Firebase Auth providers (Email/Password, Anonymous, Google, Apple) only matter
+  // for the Firebase backend, whose app authenticates against Firebase Auth. In
+  // fcmOnly mode the app is Supabase/API and authenticates elsewhere, so we leave
+  // Firebase Auth untouched — this project exists purely for FCM/push (and, for
+  // Supabase, the Google OAuth client, which new.js creates separately via
+  // `firebase deploy --only auth`). Non-fatal — setup continues even if it fails.
+  let authResult = null;
+  if (!fcmOnly) {
+    authResult = await enableAuthProviders(projectId);
+    if (!authResult.ok) {
+      onProgress('auth-providers-warn', {
+        error: authResult.error,
+        url: `https://console.firebase.google.com/project/${projectId}/authentication/providers`,
+      });
+    } else if (authResult.googleSignInSkipped) {
+      // Email/Password and Anonymous were enabled. Google Sign-In needs an OAuth client
+      // that Firebase creates when you enable it in the Console for the first time.
+      onProgress('auth-google-warn', {
+        url: `https://console.firebase.google.com/project/${projectId}/authentication/providers`,
+      });
+    }
+    // Providers were enabled but localhost couldn't be authorized — warn so the user
+    // isn't surprised by [firebase_auth/unauthorized-domain] on web sign-in.
+    if (authResult.ok && authResult.localhostAuthorized === false) {
+      onProgress('auth-localhost-warn', {
+        url: `https://console.firebase.google.com/project/${projectId}/authentication/settings`,
+      });
+    }
   }
   // Firestore + Storage are Firebase-backend features (and need Blaze). In
@@ -1089,8 +1112,8 @@ async function setupFromScratch(appName, bundleId, options = {}) {
   return {
     ok: true,
     projectId,
-    authEnabled: authResult.ok,
-    googleSignInSkipped: authResult.ok && !!authResult.googleSignInSkipped,
+    authEnabled: authResult ? authResult.ok : null,
+    googleSignInSkipped: authResult ? (authResult.ok && !!authResult.googleSignInSkipped) : false,
     sha1Skipped,
     sha1Error,
     sha1ManualUrl: `https://console.firebase.google.com/project/${projectId}/settings/general/android:${bundleId}`,
@@ -1238,6 +1261,7 @@ module.exports = {
   applyStorageCors,
   checkBillingEnabled,
   enableAuthProviders,
+  ensureFirebaseAuthInitialized,
   ensureLocalhostAuthorizedDomains,
   listBillingAccounts,
   listGcpOrganizations,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "kasy-cli",
-  "version": "1.21.8",
+  "version": "1.21.9",
   "description": "CLI for scaffolding production-ready Flutter SaaS apps with Firebase, Supabase, or API REST backends.",
   "bin": {
     "kasy": "./bin/kasy.js"