strapi-plugin-firebase-authentication 1.1.0 → 1.1.8

package/dist/_chunks/{index-BbVqBI3M.js → index-C87l6qcA.js}

@@ -4,7 +4,7 @@ const jsxRuntime = require("react/jsx-runtime");
 const React = require("react");
 const designSystem = require("@strapi/design-system");
 const admin = require("@strapi/strapi/admin");
-const api = require("./api-BSejy8nn.js");
+const api = require("./api-CxfueBVM.js");
 const reactRouterDom = require("react-router-dom");
 function SettingsPage() {
   const { toggleNotification } = admin.useNotification();

package/dist/_chunks/{index-4hUrKd7Y.mjs → index-Do9Y0scX.mjs}

@@ -738,7 +738,7 @@ const index = {
         id: `${PLUGIN_ID}.page.title`,
         defaultMessage: PLUGIN_ID
       },
-      Component: () => import("./App-Bl6D4TFu.mjs").then((mod) => ({
+      Component: () => import("./App-Dt8F60Rl.mjs").then((mod) => ({
         default: mod.App
       })),
       permissions: PERMISSIONS["menu-link"]
@@ -760,7 +760,7 @@ const index = {
           id: "settings",
           to: `/settings/${PLUGIN_ID}`,
           async Component() {
-            const component = await import("./index-BqF9RRVF.mjs");
+            const component = await import("./index-BzSU0Li9.mjs");
             return component.default;
           },
           permissions: PERMISSIONS["menu-link"]

package/dist/admin/index.js

@@ -1,5 +1,5 @@
 "use strict";
-const index = require("../_chunks/index-DgfRCyyQ.js");
+const index = require("../_chunks/index-BIHS9XB4.js");
 require("react/jsx-runtime");
 require("@strapi/strapi/admin");
 require("@strapi/design-system");

package/dist/admin/index.mjs

@@ -1,4 +1,4 @@
-import { p } from "../_chunks/index-4hUrKd7Y.mjs";
+import { p } from "../_chunks/index-Do9Y0scX.mjs";
 import "react/jsx-runtime";
 import "@strapi/strapi/admin";
 import "@strapi/design-system";

package/dist/server/index.js

@@ -442,7 +442,7 @@ const firebaseController = {
       const result = await strapi.plugin(pluginName).service("firebaseService").validateFirebaseToken(idToken, profileMetaData, populate2);
       ctx.body = result;
     } catch (error2) {
-      strapi.log.error("validateToken controller error:", error2);
+      strapi.log.error("validateToken controller error:", error2.message);
       if (error2.name === "ValidationError") {
         return ctx.badRequest(error2.message);
       }
@@ -532,9 +532,11 @@ const firebaseController = {
     }
   },
   /**
-   * Reset password - authenticated with 1hr JWT
+   * Reset password - authenticated password change
    * POST /api/firebase-authentication/resetPassword
-   * Public endpoint - uses JWT from Authorization header
+   * Public endpoint - requires valid JWT in Authorization header
+   * Used for admin-initiated resets or user self-service password changes
+   * NOT used for forgot password email flow (which uses Firebase's hosted UI)
    */
   async resetPassword(ctx) {
     strapi.log.debug("resetPassword endpoint called");
@@ -5218,13 +5220,13 @@ lodash.exports;
         return string2.slice(position, position + target.length) == target;
       }
       function template(string2, options2, guard) {
-        var settings2 = lodash2.templateSettings;
+        var settings = lodash2.templateSettings;
         if (guard && isIterateeCall(string2, options2, guard)) {
           options2 = undefined$1;
         }
         string2 = toString4(string2);
-        options2 = assignInWith({}, options2, settings2, customDefaultsAssignIn);
-        var imports = assignInWith({}, options2.imports, settings2.imports, customDefaultsAssignIn), importsKeys = keys2(imports), importsValues = baseValues(imports, importsKeys);
+        options2 = assignInWith({}, options2, settings, customDefaultsAssignIn);
+        var imports = assignInWith({}, options2.imports, settings.imports, customDefaultsAssignIn), importsKeys = keys2(imports), importsValues = baseValues(imports, importsKeys);
         var isEscaping, isEvaluating, index2 = 0, interpolate = options2.interpolate || reNoMatch, source = "__p += '";
         var reDelimiters = RegExp2(
           (options2.escape || reNoMatch).source + "|" + interpolate.source + "|" + (interpolate === reInterpolate ? reEsTemplate : reNoMatch).source + "|" + (options2.evaluate || reNoMatch).source + "|$",
@@ -28934,9 +28936,6 @@ const userController = {
   }
 };
 const settingsController = {
-  setToken: async (ctx) => {
-    ctx.body = await strapi.plugin("firebase-authentication").service("settingsService").setToken(ctx);
-  },
   setFirebaseConfigJson: async (ctx) => {
     ctx.body = await strapi.plugin("firebase-authentication").service("settingsService").setFirebaseConfigJson(ctx);
   },
@@ -29091,13 +29090,7 @@ const controllers = {
 };
 const middlewares = {};
 const policies = {};
-const settings = [
-  {
-    method: "POST",
-    path: "/settings/token",
-    handler: "settingsController.setToken",
-    config: { policies: ["admin::isAuthenticatedAdmin"] }
-  },
+const settingsRoute = [
   {
     method: "POST",
     path: "/settings/firebase-config",
@@ -29131,75 +29124,9 @@ const settings = [
 ];
 const admin = {
   type: "admin",
-  routes: [...settings]
-};
-const contentApi = {
-  type: "content-api",
-  routes: [
-    {
-      method: "POST",
-      path: "/",
-      handler: "firebaseController.validateToken",
-      config: {
-        auth: false,
-        // Public endpoint - this IS the authentication endpoint
-        policies: []
-      }
-    },
-    {
-      method: "POST",
-      path: "/emailLogin",
-      handler: "firebaseController.emailLogin",
-      config: {
-        auth: false,
-        // Public endpoint - email/password login
-        policies: []
-      }
-    },
-    {
-      method: "POST",
-      path: "/forgotPassword",
-      handler: "firebaseController.forgotPassword",
-      config: {
-        auth: false,
-        // Public endpoint - no authentication required
-        policies: []
-      }
-    },
-    {
-      method: "POST",
-      path: "/resetPassword",
-      handler: "firebaseController.resetPassword",
-      config: {
-        auth: false,
-        // Public endpoint - uses JWT from Authorization header
-        policies: []
-      }
-    },
-    {
-      method: "GET",
-      path: "/config",
-      handler: "settingsController.getPublicConfig",
-      config: {
-        auth: false,
-        // Public endpoint - frontend needs this for validation
-        policies: []
-      }
-    },
-    {
-      method: "POST",
-      path: "/requestMagicLink",
-      handler: "firebaseController.requestMagicLink",
-      config: {
-        auth: false,
-        // Public endpoint - passwordless authentication
-        policies: []
-      }
-    }
-  ]
-};
-const contentInternalApi = {
   routes: [
+    ...settingsRoute,
+    // User management routes
     {
       method: "GET",
       path: "/users",
@@ -29263,23 +29190,77 @@ const contentInternalApi = {
       config: {
         policies: ["admin::isAuthenticatedAdmin"]
       }
+    }
+  ]
+};
+const contentApi = {
+  type: "content-api",
+  routes: [
+    {
+      method: "POST",
+      path: "/",
+      handler: "firebaseController.validateToken",
+      config: {
+        auth: false,
+        // Public endpoint - this IS the authentication endpoint
+        policies: []
+      }
+    },
+    {
+      method: "POST",
+      path: "/emailLogin",
+      handler: "firebaseController.emailLogin",
+      config: {
+        auth: false,
+        // Public endpoint - email/password login
+        policies: []
+      }
+    },
+    {
+      method: "POST",
+      path: "/forgotPassword",
+      handler: "firebaseController.forgotPassword",
+      config: {
+        auth: false,
+        // Public endpoint - no authentication required
+        policies: []
+      }
+    },
+    {
+      method: "POST",
+      path: "/resetPassword",
+      handler: "firebaseController.resetPassword",
+      config: {
+        auth: false,
+        // Public endpoint - authenticated password change, requires valid JWT in Authorization header
+        policies: []
+      }
     },
     {
       method: "GET",
       path: "/config",
       handler: "settingsController.getPublicConfig",
       config: {
+        auth: false,
+        // Public endpoint - frontend needs this for validation
         policies: []
-        // This is intentionally public for frontend config
       }
     },
-    ...settings
+    {
+      method: "POST",
+      path: "/requestMagicLink",
+      handler: "firebaseController.requestMagicLink",
+      config: {
+        auth: false,
+        // Public endpoint - passwordless authentication
+        policies: []
+      }
+    }
   ]
 };
 const routes = {
   admin,
-  "content-api": contentApi,
-  "content-internal-api": contentInternalApi
+  "content-api": contentApi
 };
 const checkValidJson = (jsonString) => {
   try {
@@ -29571,7 +29552,7 @@ const settingsService = ({ strapi: strapi2 }) => {
     /**
      * Updates only the magic link settings without affecting other configuration
      */
-    async updateMagicLinkSettings(settings2) {
+    async updateMagicLinkSettings(settings) {
       try {
         const foundConfig = await strapi2.db.query(CONFIG_CONTENT_TYPE).findOne({ where: {} });
         if (!foundConfig) {
@@ -29580,10 +29561,10 @@ const settingsService = ({ strapi: strapi2 }) => {
         const result = await strapi2.db.query(CONFIG_CONTENT_TYPE).update({
           where: { id: foundConfig.id },
           data: {
-            enableMagicLink: settings2.enableMagicLink,
-            magicLinkUrl: settings2.magicLinkUrl,
-            magicLinkEmailSubject: settings2.magicLinkEmailSubject,
-            magicLinkExpiryHours: settings2.magicLinkExpiryHours
+            enableMagicLink: settings.enableMagicLink,
+            magicLinkUrl: settings.magicLinkUrl,
+            magicLinkEmailSubject: settings.magicLinkEmailSubject,
+            magicLinkExpiryHours: settings.magicLinkExpiryHours
           }
         });
         return {
@@ -29999,7 +29980,7 @@ const userService = ({ strapi: strapi2 }) => {
         try {
           const actionCodeSettings = {
             url: passwordResetUrl,
-            handleCodeInApp: true
+            handleCodeInApp: false
           };
           const timeoutPromise = new Promise((_2, reject) => {
             setTimeout(
@@ -30220,17 +30201,13 @@ const firebaseService = ({ strapi: strapi2 }) => ({
       });
       if (userByEmail) {
         validateUserNotBlocked(userByEmail);
-        try {
-          await strapi2.plugin("firebase-authentication").service("firebaseUserDataService").updateForUser(userByEmail.documentId, {
-            firebaseUserID: firebaseUID
-          });
-          strapi2.log.info(`Auto-linked user ${userByEmail.username} to Firebase UID ${firebaseUID}`);
-        } catch (error2) {
-          if (error2.code !== "23505") {
-            throw error2;
-          }
-          strapi2.log.info(`User ${userByEmail.username} already linked to Firebase (race condition handled)`);
+        const existingLink = await strapi2.plugin("firebase-authentication").service("firebaseUserDataService").getByFirebaseUID(firebaseUID);
+        if (existingLink && existingLink.user) {
+          validateUserNotBlocked(existingLink.user);
+          return existingLink.user;
         }
+        await strapi2.plugin("firebase-authentication").service("firebaseUserDataService").updateForUser(userByEmail.documentId, { firebaseUserID: firebaseUID });
+        strapi2.log.info(`Auto-linked user ${userByEmail.username} to Firebase UID ${firebaseUID}`);
         return userByEmail;
       }
       const firebaseDataByApple = await strapi2.documents("plugin::firebase-authentication.firebase-user-data").findMany({
@@ -30244,21 +30221,13 @@ const firebaseService = ({ strapi: strapi2 }) => ({
       const userByAppleEmail = firebaseDataByApple?.[0]?.user || null;
       if (userByAppleEmail) {
         validateUserNotBlocked(userByAppleEmail);
-        try {
-          await strapi2.plugin("firebase-authentication").service("firebaseUserDataService").updateForUser(userByAppleEmail.documentId, {
-            firebaseUserID: firebaseUID
-          });
-          strapi2.log.info(
-            `Auto-linked Apple user ${userByAppleEmail.username} to Firebase UID ${firebaseUID}`
-          );
-        } catch (error2) {
-          if (error2.code !== "23505") {
-            throw error2;
-          }
-          strapi2.log.info(
-            `User ${userByAppleEmail.username} already linked to Firebase (race condition handled)`
-          );
+        const existingLink = await strapi2.plugin("firebase-authentication").service("firebaseUserDataService").getByFirebaseUID(firebaseUID);
+        if (existingLink && existingLink.user) {
+          validateUserNotBlocked(existingLink.user);
+          return existingLink.user;
         }
+        await strapi2.plugin("firebase-authentication").service("firebaseUserDataService").updateForUser(userByAppleEmail.documentId, { firebaseUserID: firebaseUID });
+        strapi2.log.info(`Auto-linked Apple user ${userByAppleEmail.username} to Firebase UID ${firebaseUID}`);
         return userByAppleEmail;
       }
     }
@@ -30269,17 +30238,13 @@ const firebaseService = ({ strapi: strapi2 }) => ({
       });
       if (userByPhone) {
         validateUserNotBlocked(userByPhone);
-        try {
-          await strapi2.plugin("firebase-authentication").service("firebaseUserDataService").updateForUser(userByPhone.documentId, {
-            firebaseUserID: firebaseUID
-          });
-          strapi2.log.info(`Auto-linked phone user ${userByPhone.username} to Firebase UID ${firebaseUID}`);
-        } catch (error2) {
-          if (error2.code !== "23505") {
-            throw error2;
-          }
-          strapi2.log.info(`User ${userByPhone.username} already linked to Firebase (race condition handled)`);
+        const existingLink = await strapi2.plugin("firebase-authentication").service("firebaseUserDataService").getByFirebaseUID(firebaseUID);
+        if (existingLink && existingLink.user) {
+          validateUserNotBlocked(existingLink.user);
+          return existingLink.user;
         }
+        await strapi2.plugin("firebase-authentication").service("firebaseUserDataService").updateForUser(userByPhone.documentId, { firebaseUserID: firebaseUID });
+        strapi2.log.info(`Auto-linked phone user ${userByPhone.username} to Firebase UID ${firebaseUID}`);
         return userByPhone;
       }
     }
@@ -30306,12 +30271,13 @@ const firebaseService = ({ strapi: strapi2 }) => ({
         type: "plugin",
         name: "users-permissions"
       });
-      const settings2 = await pluginStore.get({
+      const settings = await pluginStore.get({
         key: "advanced"
       });
-      const role = await strapi2.db.query("plugin::users-permissions.role").findOne({ where: { type: settings2.default_role } });
+      const role = await strapi2.db.query("plugin::users-permissions.role").findOne({ where: { type: settings.default_role } });
       userPayload.role = role.id;
       userPayload.confirmed = true;
+      userPayload.provider = "firebase";
       userPayload.email = decodedToken.email;
       userPayload.phoneNumber = decodedToken.phone_number;
       if (profileMetaData) {
@@ -30347,7 +30313,22 @@ const firebaseService = ({ strapi: strapi2 }) => ({
       strapi2.log.info(`Created user ${newUser.username} and linked to Firebase UID ${decodedToken.uid}`);
       return newUser;
     } catch (error2) {
-      if (newUser) {
+      if (error2.code === "23505") {
+        strapi2.log.warn(
+          `[Race Condition] User creation conflict for Firebase UID ${decodedToken.uid}. Another concurrent request created the user first. Retrying lookup...`
+        );
+        const existingUser = await strapi2.plugin("firebase-authentication").service("firebaseService").checkIfUserExists(decodedToken);
+        if (existingUser) {
+          strapi2.log.info(
+            `[Race Condition] Successfully found user ${existingUser.username} created by concurrent request`
+          );
+          return existingUser;
+        }
+        strapi2.log.error(
+          `[Race Condition] Failed to find user after race condition retry for Firebase UID ${decodedToken.uid}`
+        );
+      }
+      if (error2.code !== "23505" && newUser) {
         try {
           await strapi2.db.query("plugin::users-permissions.user").delete({
             where: { documentId: newUser.documentId }
@@ -30483,7 +30464,7 @@ const firebaseService = ({ strapi: strapi2 }) => ({
   },
   /**
    * Forgot password flow - sends reset email
-   * Public endpoint that generates a JWT token and sends a password reset email
+   * Public endpoint that sends a Firebase-hosted password reset email using Firebase's secure hosted UI
    */
   forgotPassword: async (ctx) => {
     const { email: email2 } = ctx.request.body;
@@ -30529,13 +30510,30 @@ const firebaseService = ({ strapi: strapi2 }) => ({
       if (!strapiUser) {
         return { message: "If an account with that email exists, a password reset link has been sent." };
       }
-      const jwtService = strapi2.plugin("users-permissions").service("jwt");
-      const token = jwtService.issue(
-        { id: strapiUser.id },
-        // Use numeric id, not documentId
-        { expiresIn: "1h" }
-      );
-      const resetLink = `${resetUrl}?token=${token}`;
+      const actionCodeSettings = {
+        url: resetUrl,
+        // Continue URL after reset completes on Firebase's page
+        handleCodeInApp: false
+      };
+      const timeoutPromise = new Promise((_2, reject) => {
+        setTimeout(
+          () => reject(new Error("Firebase generatePasswordResetLink timeout after 10 seconds")),
+          1e4
+        );
+      });
+      let resetLink;
+      try {
+        resetLink = await Promise.race([
+          strapi2.firebase.auth().generatePasswordResetLink(strapiUser.email, actionCodeSettings),
+          timeoutPromise
+        ]);
+        strapi2.log.info(
+          `✅ Password reset link generated successfully for ${strapiUser.email}: ${resetLink}`
+        );
+      } catch (error2) {
+        strapi2.log.error(`❌ Failed to generate password reset link for ${strapiUser.email}:`, error2);
+        throw error2;
+      }
       await strapi2.plugin("firebase-authentication").service("emailService").sendPasswordResetEmail(strapiUser, resetLink);
       return {
         message: "If an account with that email exists, a password reset link has been sent."
@@ -30549,7 +30547,17 @@ const firebaseService = ({ strapi: strapi2 }) => ({
   },
   /**
    * Reset password with authenticated JWT
-   * Public endpoint that validates a JWT token and resets the user's password
+   * Allows authenticated users (or admins) to change a user's Firebase password
+   *
+   * @param ctx - Koa context with JWT in Authorization header and new password in body
+   * @returns User object and fresh JWT for auto-login
+   *
+   * @remarks
+   * Use cases:
+   * 1. Admin-initiated password reset (via admin panel)
+   * 2. User-initiated password change (when already authenticated)
+   *
+   * NOT used for forgot password email flow - that now uses Firebase's hosted UI
    */
   resetPassword: async (ctx) => {
     const { password } = ctx.request.body;
@@ -31284,7 +31292,7 @@ const firebaseUserDataService = ({ strapi: strapi2 }) => ({
     if (!userId || typeof userId !== "string") {
       throw new Error("Invalid user documentId");
     }
-    let firebaseData = await strapi2.documents("plugin::firebase-authentication.firebase-user-data").findOne({
+    let firebaseData = await strapi2.documents("plugin::firebase-authentication.firebase-user-data").findFirst({
       filters: { user: { documentId: { $eq: userId } } },
       populate: ["user"]
     });
@@ -31299,7 +31307,7 @@ const firebaseUserDataService = ({ strapi: strapi2 }) => ({
    * @returns Firebase user data with populated user
    */
   async getByFirebaseUID(firebaseUID) {
-    return await strapi2.documents("plugin::firebase-authentication.firebase-user-data").findOne({
+    return await strapi2.documents("plugin::firebase-authentication.firebase-user-data").findFirst({
       filters: { firebaseUserID: { $eq: firebaseUID } },
       populate: ["user"]
     });
@@ -31310,7 +31318,7 @@ const firebaseUserDataService = ({ strapi: strapi2 }) => ({
    * @param data - Fields to update
    */
   async updateForUser(userId, data) {
-    let firebaseData = await strapi2.documents("plugin::firebase-authentication.firebase-user-data").findOne({
+    let firebaseData = await strapi2.documents("plugin::firebase-authentication.firebase-user-data").findFirst({
       filters: { user: { documentId: { $eq: userId } } }
     });
     if (!firebaseData) {
@@ -31326,8 +31334,8 @@ const firebaseUserDataService = ({ strapi: strapi2 }) => ({
         });
       } catch (error2) {
         if (error2.code === "23505") {
-          strapi2.log.warn(`Race condition detected for user ${userId}, retrying findOne`);
-          firebaseData = await strapi2.documents("plugin::firebase-authentication.firebase-user-data").findOne({
+          strapi2.log.warn(`Race condition detected for user ${userId}, retrying findFirst`);
+          firebaseData = await strapi2.documents("plugin::firebase-authentication.firebase-user-data").findFirst({
             filters: { user: { documentId: { $eq: userId } } }
           });
           if (firebaseData) {