/*! firebase-admin v12.1.1 */ "use strict"; /*! * Copyright 2018 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ Object.defineProperty(exports, "__esModule", { value: true }); exports.EmailPrivacyAuthConfig = exports.PasswordPolicyAuthConfig = exports.RecaptchaAuthConfig = exports.SmsRegionsAuthConfig = exports.OIDCConfig = exports.SAMLConfig = exports.EmailSignInConfig = exports.validateTestPhoneNumbers = exports.MultiFactorAuthConfig = exports.MAXIMUM_TEST_PHONE_NUMBERS = void 0; const validator = require("../utils/validator"); const deep_copy_1 = require("../utils/deep-copy"); const error_1 = require("../utils/error"); /** A maximum of 10 test phone number / code pairs can be configured. */ exports.MAXIMUM_TEST_PHONE_NUMBERS = 10; /** Client Auth factor type to server auth factor type mapping. */ const AUTH_FACTOR_CLIENT_TO_SERVER_TYPE = { phone: 'PHONE_SMS', }; /** Server Auth factor type to client auth factor type mapping. */ const AUTH_FACTOR_SERVER_TO_CLIENT_TYPE = Object.keys(AUTH_FACTOR_CLIENT_TO_SERVER_TYPE) .reduce((res, key) => { res[AUTH_FACTOR_CLIENT_TO_SERVER_TYPE[key]] = key; return res; }, {}); /** * Defines the multi-factor config class used to convert client side MultiFactorConfig * to a format that is understood by the Auth server. * * @internal */ class MultiFactorAuthConfig { /** * Static method to convert a client side request to a MultiFactorAuthServerConfig. * Throws an error if validation fails. * * @param options - The options object to convert to a server request. * @returns The resulting server request. * @internal */ static buildServerRequest(options) { const request = {}; MultiFactorAuthConfig.validate(options); if (Object.prototype.hasOwnProperty.call(options, 'state')) { request.state = options.state; } if (Object.prototype.hasOwnProperty.call(options, 'factorIds')) { (options.factorIds || []).forEach((factorId) => { if (typeof request.enabledProviders === 'undefined') { request.enabledProviders = []; } request.enabledProviders.push(AUTH_FACTOR_CLIENT_TO_SERVER_TYPE[factorId]); }); // In case an empty array is passed. Ensure it gets populated so the array is cleared. if (options.factorIds && options.factorIds.length === 0) { request.enabledProviders = []; } } if (Object.prototype.hasOwnProperty.call(options, 'providerConfigs')) { request.providerConfigs = options.providerConfigs; } return request; } /** * Validates the MultiFactorConfig options object. Throws an error on failure. * * @param options - The options object to validate. */ static validate(options) { const validKeys = { state: true, factorIds: true, providerConfigs: true, }; if (!validator.isNonNullObject(options)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"MultiFactorConfig" must be a non-null object.'); } // Check for unsupported top level attributes. for (const key in options) { if (!(key in validKeys)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, `"${key}" is not a valid MultiFactorConfig parameter.`); } } // Validate content. if (typeof options.state !== 'undefined' && options.state !== 'ENABLED' && options.state !== 'DISABLED') { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"MultiFactorConfig.state" must be either "ENABLED" or "DISABLED".'); } if (typeof options.factorIds !== 'undefined') { if (!validator.isArray(options.factorIds)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"MultiFactorConfig.factorIds" must be an array of valid "AuthFactorTypes".'); } // Validate content of array. options.factorIds.forEach((factorId) => { if (typeof AUTH_FACTOR_CLIENT_TO_SERVER_TYPE[factorId] === 'undefined') { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, `"${factorId}" is not a valid "AuthFactorType".`); } }); } if (typeof options.providerConfigs !== 'undefined') { if (!validator.isArray(options.providerConfigs)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"MultiFactorConfig.providerConfigs" must be an array of valid "MultiFactorProviderConfig."'); } //Validate content of array. options.providerConfigs.forEach((multiFactorProviderConfig) => { if (typeof multiFactorProviderConfig === 'undefined' || !validator.isObject(multiFactorProviderConfig)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, `"${multiFactorProviderConfig}" is not a valid "MultiFactorProviderConfig" type.`); } const validProviderConfigKeys = { state: true, totpProviderConfig: true, }; for (const key in multiFactorProviderConfig) { if (!(key in validProviderConfigKeys)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, `"${key}" is not a valid ProviderConfig parameter.`); } } if (typeof multiFactorProviderConfig.state === 'undefined' || (multiFactorProviderConfig.state !== 'ENABLED' && multiFactorProviderConfig.state !== 'DISABLED')) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"MultiFactorConfig.providerConfigs.state" must be either "ENABLED" or "DISABLED".'); } // Since TOTP is the only provider config available right now, not defining it will lead into an error if (typeof multiFactorProviderConfig.totpProviderConfig === 'undefined') { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"MultiFactorConfig.providerConfigs.totpProviderConfig" must be defined.'); } const validTotpProviderConfigKeys = { adjacentIntervals: true, }; for (const key in multiFactorProviderConfig.totpProviderConfig) { if (!(key in validTotpProviderConfigKeys)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, `"${key}" is not a valid TotpProviderConfig parameter.`); } } const adjIntervals = multiFactorProviderConfig.totpProviderConfig.adjacentIntervals; if (typeof adjIntervals !== 'undefined' && (!Number.isInteger(adjIntervals) || adjIntervals < 0 || adjIntervals > 10)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, '"MultiFactorConfig.providerConfigs.totpProviderConfig.adjacentIntervals" must' + ' be a valid number between 0 and 10 (both inclusive).'); } }); } } /** * The MultiFactorAuthConfig constructor. * * @param response - The server side response used to initialize the * MultiFactorAuthConfig object. * @constructor * @internal */ constructor(response) { if (typeof response.state === 'undefined') { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INTERNAL_ERROR, 'INTERNAL ASSERT FAILED: Invalid multi-factor configuration response'); } this.state = response.state; this.factorIds = []; (response.enabledProviders || []).forEach((enabledProvider) => { // Ignore unsupported types. It is possible the current admin SDK version is // not up to date and newer backend types are supported. if (typeof AUTH_FACTOR_SERVER_TO_CLIENT_TYPE[enabledProvider] !== 'undefined') { this.factorIds.push(AUTH_FACTOR_SERVER_TO_CLIENT_TYPE[enabledProvider]); } }); this.providerConfigs = []; (response.providerConfigs || []).forEach((providerConfig) => { if (typeof providerConfig !== 'undefined') { if (typeof providerConfig.state === 'undefined' || typeof providerConfig.totpProviderConfig === 'undefined' || (typeof providerConfig.totpProviderConfig.adjacentIntervals !== 'undefined' && typeof providerConfig.totpProviderConfig.adjacentIntervals !== 'number')) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INTERNAL_ERROR, 'INTERNAL ASSERT FAILED: Invalid multi-factor configuration response'); } this.providerConfigs.push(providerConfig); } }); } /** Converts MultiFactorConfig to JSON object * @returns The plain object representation of the multi-factor config instance. */ toJSON() { return { state: this.state, factorIds: this.factorIds, providerConfigs: this.providerConfigs, }; } } exports.MultiFactorAuthConfig = MultiFactorAuthConfig; /** * Validates the provided map of test phone number / code pairs. * @param testPhoneNumbers - The phone number / code pairs to validate. */ function validateTestPhoneNumbers(testPhoneNumbers) { if (!validator.isObject(testPhoneNumbers)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, '"testPhoneNumbers" must be a map of phone number / code pairs.'); } if (Object.keys(testPhoneNumbers).length > exports.MAXIMUM_TEST_PHONE_NUMBERS) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.MAXIMUM_TEST_PHONE_NUMBER_EXCEEDED); } for (const phoneNumber in testPhoneNumbers) { // Validate phone number. if (!validator.isPhoneNumber(phoneNumber)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_TESTING_PHONE_NUMBER, `"${phoneNumber}" is not a valid E.164 standard compliant phone number.`); } // Validate code. if (!validator.isString(testPhoneNumbers[phoneNumber]) || !/^[\d]{6}$/.test(testPhoneNumbers[phoneNumber])) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_TESTING_PHONE_NUMBER, `"${testPhoneNumbers[phoneNumber]}" is not a valid 6 digit code string.`); } } } exports.validateTestPhoneNumbers = validateTestPhoneNumbers; /** * Defines the email sign-in config class used to convert client side EmailSignInConfig * to a format that is understood by the Auth server. * * @internal */ class EmailSignInConfig { /** * Static method to convert a client side request to a EmailSignInConfigServerRequest. * Throws an error if validation fails. * * @param options - The options object to convert to a server request. * @returns The resulting server request. * @internal */ static buildServerRequest(options) { const request = {}; EmailSignInConfig.validate(options); if (Object.prototype.hasOwnProperty.call(options, 'enabled')) { request.allowPasswordSignup = options.enabled; } if (Object.prototype.hasOwnProperty.call(options, 'passwordRequired')) { request.enableEmailLinkSignin = !options.passwordRequired; } return request; } /** * Validates the EmailSignInConfig options object. Throws an error on failure. * * @param options - The options object to validate. */ static validate(options) { // TODO: Validate the request. const validKeys = { enabled: true, passwordRequired: true, }; if (!validator.isNonNullObject(options)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, '"EmailSignInConfig" must be a non-null object.'); } // Check for unsupported top level attributes. for (const key in options) { if (!(key in validKeys)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, `"${key}" is not a valid EmailSignInConfig parameter.`); } } // Validate content. if (typeof options.enabled !== 'undefined' && !validator.isBoolean(options.enabled)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, '"EmailSignInConfig.enabled" must be a boolean.'); } if (typeof options.passwordRequired !== 'undefined' && !validator.isBoolean(options.passwordRequired)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, '"EmailSignInConfig.passwordRequired" must be a boolean.'); } } /** * The EmailSignInConfig constructor. * * @param response - The server side response used to initialize the * EmailSignInConfig object. * @constructor */ constructor(response) { if (typeof response.allowPasswordSignup === 'undefined') { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INTERNAL_ERROR, 'INTERNAL ASSERT FAILED: Invalid email sign-in configuration response'); } this.enabled = response.allowPasswordSignup; this.passwordRequired = !response.enableEmailLinkSignin; } /** @returns The plain object representation of the email sign-in config. */ toJSON() { return { enabled: this.enabled, passwordRequired: this.passwordRequired, }; } } exports.EmailSignInConfig = EmailSignInConfig; /** * Defines the SAMLConfig class used to convert a client side configuration to its * server side representation. * * @internal */ class SAMLConfig { /** * Converts a client side request to a SAMLConfigServerRequest which is the format * accepted by the backend server. * Throws an error if validation fails. If the request is not a SAMLConfig request, * returns null. * * @param options - The options object to convert to a server request. * @param ignoreMissingFields - Whether to ignore missing fields. * @returns The resulting server request or null if not valid. */ static buildServerRequest(options, ignoreMissingFields = false) { const makeRequest = validator.isNonNullObject(options) && (options.providerId || ignoreMissingFields); if (!makeRequest) { return null; } const request = {}; // Validate options. SAMLConfig.validate(options, ignoreMissingFields); request.enabled = options.enabled; request.displayName = options.displayName; // IdP config. if (options.idpEntityId || options.ssoURL || options.x509Certificates) { request.idpConfig = { idpEntityId: options.idpEntityId, ssoUrl: options.ssoURL, signRequest: options.enableRequestSigning, idpCertificates: typeof options.x509Certificates === 'undefined' ? undefined : [], }; if (options.x509Certificates) { for (const cert of (options.x509Certificates || [])) { request.idpConfig.idpCertificates.push({ x509Certificate: cert }); } } } // RP config. if (options.callbackURL || options.rpEntityId) { request.spConfig = { spEntityId: options.rpEntityId, callbackUri: options.callbackURL, }; } return request; } /** * Returns the provider ID corresponding to the resource name if available. * * @param resourceName - The server side resource name. * @returns The provider ID corresponding to the resource, null otherwise. */ static getProviderIdFromResourceName(resourceName) { // name is of form projects/project1/inboundSamlConfigs/providerId1 const matchProviderRes = resourceName.match(/\/inboundSamlConfigs\/(saml\..*)$/); if (!matchProviderRes || matchProviderRes.length < 2) { return null; } return matchProviderRes[1]; } /** * @param providerId - The provider ID to check. * @returns Whether the provider ID corresponds to a SAML provider. */ static isProviderId(providerId) { return validator.isNonEmptyString(providerId) && providerId.indexOf('saml.') === 0; } /** * Validates the SAMLConfig options object. Throws an error on failure. * * @param options - The options object to validate. * @param ignoreMissingFields - Whether to ignore missing fields. */ static validate(options, ignoreMissingFields = false) { const validKeys = { enabled: true, displayName: true, providerId: true, idpEntityId: true, ssoURL: true, x509Certificates: true, rpEntityId: true, callbackURL: true, enableRequestSigning: true, }; if (!validator.isNonNullObject(options)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"SAMLAuthProviderConfig" must be a valid non-null object.'); } // Check for unsupported top level attributes. for (const key in options) { if (!(key in validKeys)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, `"${key}" is not a valid SAML config parameter.`); } } // Required fields. if (validator.isNonEmptyString(options.providerId)) { if (options.providerId.indexOf('saml.') !== 0) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_PROVIDER_ID, '"SAMLAuthProviderConfig.providerId" must be a valid non-empty string prefixed with "saml.".'); } } else if (!ignoreMissingFields) { // providerId is required and not provided correctly. throw new error_1.FirebaseAuthError(!options.providerId ? error_1.AuthClientErrorCode.MISSING_PROVIDER_ID : error_1.AuthClientErrorCode.INVALID_PROVIDER_ID, '"SAMLAuthProviderConfig.providerId" must be a valid non-empty string prefixed with "saml.".'); } if (!(ignoreMissingFields && typeof options.idpEntityId === 'undefined') && !validator.isNonEmptyString(options.idpEntityId)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"SAMLAuthProviderConfig.idpEntityId" must be a valid non-empty string.'); } if (!(ignoreMissingFields && typeof options.ssoURL === 'undefined') && !validator.isURL(options.ssoURL)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"SAMLAuthProviderConfig.ssoURL" must be a valid URL string.'); } if (!(ignoreMissingFields && typeof options.rpEntityId === 'undefined') && !validator.isNonEmptyString(options.rpEntityId)) { throw new error_1.FirebaseAuthError(!options.rpEntityId ? error_1.AuthClientErrorCode.MISSING_SAML_RELYING_PARTY_CONFIG : error_1.AuthClientErrorCode.INVALID_CONFIG, '"SAMLAuthProviderConfig.rpEntityId" must be a valid non-empty string.'); } if (!(ignoreMissingFields && typeof options.callbackURL === 'undefined') && !validator.isURL(options.callbackURL)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"SAMLAuthProviderConfig.callbackURL" must be a valid URL string.'); } if (!(ignoreMissingFields && typeof options.x509Certificates === 'undefined') && !validator.isArray(options.x509Certificates)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"SAMLAuthProviderConfig.x509Certificates" must be a valid array of X509 certificate strings.'); } (options.x509Certificates || []).forEach((cert) => { if (!validator.isNonEmptyString(cert)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"SAMLAuthProviderConfig.x509Certificates" must be a valid array of X509 certificate strings.'); } }); if (typeof options.enableRequestSigning !== 'undefined' && !validator.isBoolean(options.enableRequestSigning)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"SAMLAuthProviderConfig.enableRequestSigning" must be a boolean.'); } if (typeof options.enabled !== 'undefined' && !validator.isBoolean(options.enabled)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"SAMLAuthProviderConfig.enabled" must be a boolean.'); } if (typeof options.displayName !== 'undefined' && !validator.isString(options.displayName)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"SAMLAuthProviderConfig.displayName" must be a valid string.'); } } /** * The SAMLConfig constructor. * * @param response - The server side response used to initialize the SAMLConfig object. * @constructor */ constructor(response) { if (!response || !response.idpConfig || !response.idpConfig.idpEntityId || !response.idpConfig.ssoUrl || !response.spConfig || !response.spConfig.spEntityId || !response.name || !(validator.isString(response.name) && SAMLConfig.getProviderIdFromResourceName(response.name))) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INTERNAL_ERROR, 'INTERNAL ASSERT FAILED: Invalid SAML configuration response'); } const providerId = SAMLConfig.getProviderIdFromResourceName(response.name); if (!providerId) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INTERNAL_ERROR, 'INTERNAL ASSERT FAILED: Invalid SAML configuration response'); } this.providerId = providerId; // RP config. this.rpEntityId = response.spConfig.spEntityId; this.callbackURL = response.spConfig.callbackUri; // IdP config. this.idpEntityId = response.idpConfig.idpEntityId; this.ssoURL = response.idpConfig.ssoUrl; this.enableRequestSigning = !!response.idpConfig.signRequest; const x509Certificates = []; for (const cert of (response.idpConfig.idpCertificates || [])) { if (cert.x509Certificate) { x509Certificates.push(cert.x509Certificate); } } this.x509Certificates = x509Certificates; // When enabled is undefined, it takes its default value of false. this.enabled = !!response.enabled; this.displayName = response.displayName; } /** @returns The plain object representation of the SAMLConfig. */ toJSON() { return { enabled: this.enabled, displayName: this.displayName, providerId: this.providerId, idpEntityId: this.idpEntityId, ssoURL: this.ssoURL, x509Certificates: (0, deep_copy_1.deepCopy)(this.x509Certificates), rpEntityId: this.rpEntityId, callbackURL: this.callbackURL, enableRequestSigning: this.enableRequestSigning, }; } } exports.SAMLConfig = SAMLConfig; /** * Defines the OIDCConfig class used to convert a client side configuration to its * server side representation. * * @internal */ class OIDCConfig { /** * Converts a client side request to a OIDCConfigServerRequest which is the format * accepted by the backend server. * Throws an error if validation fails. If the request is not a OIDCConfig request, * returns null. * * @param options - The options object to convert to a server request. * @param ignoreMissingFields - Whether to ignore missing fields. * @returns The resulting server request or null if not valid. */ static buildServerRequest(options, ignoreMissingFields = false) { const makeRequest = validator.isNonNullObject(options) && (options.providerId || ignoreMissingFields); if (!makeRequest) { return null; } const request = {}; // Validate options. OIDCConfig.validate(options, ignoreMissingFields); request.enabled = options.enabled; request.displayName = options.displayName; request.issuer = options.issuer; request.clientId = options.clientId; if (typeof options.clientSecret !== 'undefined') { request.clientSecret = options.clientSecret; } if (typeof options.responseType !== 'undefined') { request.responseType = options.responseType; } return request; } /** * Returns the provider ID corresponding to the resource name if available. * * @param resourceName - The server side resource name * @returns The provider ID corresponding to the resource, null otherwise. */ static getProviderIdFromResourceName(resourceName) { // name is of form projects/project1/oauthIdpConfigs/providerId1 const matchProviderRes = resourceName.match(/\/oauthIdpConfigs\/(oidc\..*)$/); if (!matchProviderRes || matchProviderRes.length < 2) { return null; } return matchProviderRes[1]; } /** * @param providerId - The provider ID to check. * @returns Whether the provider ID corresponds to an OIDC provider. */ static isProviderId(providerId) { return validator.isNonEmptyString(providerId) && providerId.indexOf('oidc.') === 0; } /** * Validates the OIDCConfig options object. Throws an error on failure. * * @param options - The options object to validate. * @param ignoreMissingFields - Whether to ignore missing fields. */ static validate(options, ignoreMissingFields = false) { const validKeys = { enabled: true, displayName: true, providerId: true, clientId: true, issuer: true, clientSecret: true, responseType: true, }; const validResponseTypes = { idToken: true, code: true, }; if (!validator.isNonNullObject(options)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"OIDCAuthProviderConfig" must be a valid non-null object.'); } // Check for unsupported top level attributes. for (const key in options) { if (!(key in validKeys)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, `"${key}" is not a valid OIDC config parameter.`); } } // Required fields. if (validator.isNonEmptyString(options.providerId)) { if (options.providerId.indexOf('oidc.') !== 0) { throw new error_1.FirebaseAuthError(!options.providerId ? error_1.AuthClientErrorCode.MISSING_PROVIDER_ID : error_1.AuthClientErrorCode.INVALID_PROVIDER_ID, '"OIDCAuthProviderConfig.providerId" must be a valid non-empty string prefixed with "oidc.".'); } } else if (!ignoreMissingFields) { throw new error_1.FirebaseAuthError(!options.providerId ? error_1.AuthClientErrorCode.MISSING_PROVIDER_ID : error_1.AuthClientErrorCode.INVALID_PROVIDER_ID, '"OIDCAuthProviderConfig.providerId" must be a valid non-empty string prefixed with "oidc.".'); } if (!(ignoreMissingFields && typeof options.clientId === 'undefined') && !validator.isNonEmptyString(options.clientId)) { throw new error_1.FirebaseAuthError(!options.clientId ? error_1.AuthClientErrorCode.MISSING_OAUTH_CLIENT_ID : error_1.AuthClientErrorCode.INVALID_OAUTH_CLIENT_ID, '"OIDCAuthProviderConfig.clientId" must be a valid non-empty string.'); } if (!(ignoreMissingFields && typeof options.issuer === 'undefined') && !validator.isURL(options.issuer)) { throw new error_1.FirebaseAuthError(!options.issuer ? error_1.AuthClientErrorCode.MISSING_ISSUER : error_1.AuthClientErrorCode.INVALID_CONFIG, '"OIDCAuthProviderConfig.issuer" must be a valid URL string.'); } if (typeof options.enabled !== 'undefined' && !validator.isBoolean(options.enabled)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"OIDCAuthProviderConfig.enabled" must be a boolean.'); } if (typeof options.displayName !== 'undefined' && !validator.isString(options.displayName)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"OIDCAuthProviderConfig.displayName" must be a valid string.'); } if (typeof options.clientSecret !== 'undefined' && !validator.isNonEmptyString(options.clientSecret)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"OIDCAuthProviderConfig.clientSecret" must be a valid string.'); } if (validator.isNonNullObject(options.responseType) && typeof options.responseType !== 'undefined') { Object.keys(options.responseType).forEach((key) => { if (!(key in validResponseTypes)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, `"${key}" is not a valid OAuthResponseType parameter.`); } }); const idToken = options.responseType.idToken; if (typeof idToken !== 'undefined' && !validator.isBoolean(idToken)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, '"OIDCAuthProviderConfig.responseType.idToken" must be a boolean.'); } const code = options.responseType.code; if (typeof code !== 'undefined') { if (!validator.isBoolean(code)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, '"OIDCAuthProviderConfig.responseType.code" must be a boolean.'); } // If code flow is enabled, client secret must be provided. if (code && typeof options.clientSecret === 'undefined') { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.MISSING_OAUTH_CLIENT_SECRET, 'The OAuth configuration client secret is required to enable OIDC code flow.'); } } const allKeys = Object.keys(options.responseType).length; const enabledCount = Object.values(options.responseType).filter(Boolean).length; // Only one of OAuth response types can be set to true. if (allKeys > 1 && enabledCount !== 1) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_OAUTH_RESPONSETYPE, 'Only exactly one OAuth responseType should be set to true.'); } } } /** * The OIDCConfig constructor. * * @param response - The server side response used to initialize the OIDCConfig object. * @constructor */ constructor(response) { if (!response || !response.issuer || !response.clientId || !response.name || !(validator.isString(response.name) && OIDCConfig.getProviderIdFromResourceName(response.name))) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INTERNAL_ERROR, 'INTERNAL ASSERT FAILED: Invalid OIDC configuration response'); } const providerId = OIDCConfig.getProviderIdFromResourceName(response.name); if (!providerId) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INTERNAL_ERROR, 'INTERNAL ASSERT FAILED: Invalid SAML configuration response'); } this.providerId = providerId; this.clientId = response.clientId; this.issuer = response.issuer; // When enabled is undefined, it takes its default value of false. this.enabled = !!response.enabled; this.displayName = response.displayName; if (typeof response.clientSecret !== 'undefined') { this.clientSecret = response.clientSecret; } if (typeof response.responseType !== 'undefined') { this.responseType = response.responseType; } } /** @returns The plain object representation of the OIDCConfig. */ toJSON() { return { enabled: this.enabled, displayName: this.displayName, providerId: this.providerId, issuer: this.issuer, clientId: this.clientId, clientSecret: (0, deep_copy_1.deepCopy)(this.clientSecret), responseType: (0, deep_copy_1.deepCopy)(this.responseType), }; } } exports.OIDCConfig = OIDCConfig; /** * Defines the SMSRegionConfig class used for validation. * * @internal */ class SmsRegionsAuthConfig { static validate(options) { if (!validator.isNonNullObject(options)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"SmsRegionConfig" must be a non-null object.'); } const validKeys = { allowlistOnly: true, allowByDefault: true, }; for (const key in options) { if (!(key in validKeys)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, `"${key}" is not a valid SmsRegionConfig parameter.`); } } // validate mutual exclusiveness of allowByDefault and allowlistOnly if (typeof options.allowByDefault !== 'undefined' && typeof options.allowlistOnly !== 'undefined') { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, 'SmsRegionConfig cannot have both "allowByDefault" and "allowlistOnly" parameters.'); } // validation for allowByDefault type if (typeof options.allowByDefault !== 'undefined') { const allowByDefaultValidKeys = { disallowedRegions: true, }; for (const key in options.allowByDefault) { if (!(key in allowByDefaultValidKeys)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, `"${key}" is not a valid SmsRegionConfig.allowByDefault parameter.`); } } // disallowedRegion can be empty. if (typeof options.allowByDefault.disallowedRegions !== 'undefined' && !validator.isArray(options.allowByDefault.disallowedRegions)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"SmsRegionConfig.allowByDefault.disallowedRegions" must be a valid string array.'); } } if (typeof options.allowlistOnly !== 'undefined') { const allowListOnlyValidKeys = { allowedRegions: true, }; for (const key in options.allowlistOnly) { if (!(key in allowListOnlyValidKeys)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, `"${key}" is not a valid SmsRegionConfig.allowlistOnly parameter.`); } } // allowedRegions can be empty if (typeof options.allowlistOnly.allowedRegions !== 'undefined' && !validator.isArray(options.allowlistOnly.allowedRegions)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"SmsRegionConfig.allowlistOnly.allowedRegions" must be a valid string array.'); } } } } exports.SmsRegionsAuthConfig = SmsRegionsAuthConfig; class RecaptchaAuthConfig { constructor(recaptchaConfig) { this.emailPasswordEnforcementState = recaptchaConfig.emailPasswordEnforcementState; this.managedRules = recaptchaConfig.managedRules; this.recaptchaKeys = recaptchaConfig.recaptchaKeys; this.useAccountDefender = recaptchaConfig.useAccountDefender; } /** * Validates the RecaptchaConfig options object. Throws an error on failure. * @param options - The options object to validate. */ static validate(options) { const validKeys = { emailPasswordEnforcementState: true, managedRules: true, recaptchaKeys: true, useAccountDefender: true, }; if (!validator.isNonNullObject(options)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"RecaptchaConfig" must be a non-null object.'); } for (const key in options) { if (!(key in validKeys)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, `"${key}" is not a valid RecaptchaConfig parameter.`); } } // Validation if (typeof options.emailPasswordEnforcementState !== undefined) { if (!validator.isNonEmptyString(options.emailPasswordEnforcementState)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, '"RecaptchaConfig.emailPasswordEnforcementState" must be a valid non-empty string.'); } if (options.emailPasswordEnforcementState !== 'OFF' && options.emailPasswordEnforcementState !== 'AUDIT' && options.emailPasswordEnforcementState !== 'ENFORCE') { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"RecaptchaConfig.emailPasswordEnforcementState" must be either "OFF", "AUDIT" or "ENFORCE".'); } } if (typeof options.managedRules !== 'undefined') { // Validate array if (!validator.isArray(options.managedRules)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"RecaptchaConfig.managedRules" must be an array of valid "RecaptchaManagedRule".'); } // Validate each rule of the array options.managedRules.forEach((managedRule) => { RecaptchaAuthConfig.validateManagedRule(managedRule); }); } if (typeof options.useAccountDefender !== 'undefined') { if (!validator.isBoolean(options.useAccountDefender)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"RecaptchaConfig.useAccountDefender" must be a boolean value".'); } } } /** * Validate each element in ManagedRule array * @param options - The options object to validate. */ static validateManagedRule(options) { const validKeys = { endScore: true, action: true, }; if (!validator.isNonNullObject(options)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"RecaptchaManagedRule" must be a non-null object.'); } // Check for unsupported top level attributes. for (const key in options) { if (!(key in validKeys)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, `"${key}" is not a valid RecaptchaManagedRule parameter.`); } } // Validate content. if (typeof options.action !== 'undefined' && options.action !== 'BLOCK') { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"RecaptchaManagedRule.action" must be "BLOCK".'); } } /** * Returns a JSON-serializable representation of this object. * @returns The JSON-serializable object representation of the ReCaptcha config instance */ toJSON() { const json = { emailPasswordEnforcementState: this.emailPasswordEnforcementState, managedRules: (0, deep_copy_1.deepCopy)(this.managedRules), recaptchaKeys: (0, deep_copy_1.deepCopy)(this.recaptchaKeys), useAccountDefender: this.useAccountDefender, }; if (typeof json.emailPasswordEnforcementState === 'undefined') { delete json.emailPasswordEnforcementState; } if (typeof json.managedRules === 'undefined') { delete json.managedRules; } if (typeof json.recaptchaKeys === 'undefined') { delete json.recaptchaKeys; } if (typeof json.useAccountDefender === 'undefined') { delete json.useAccountDefender; } return json; } } exports.RecaptchaAuthConfig = RecaptchaAuthConfig; /** * Defines the password policy config class used to convert client side PasswordPolicyConfig * to a format that is understood by the Auth server. * * @internal */ class PasswordPolicyAuthConfig { /** * Static method to convert a client side request to a PasswordPolicyAuthServerConfig. * Throws an error if validation fails. * * @param options - The options object to convert to a server request. * @returns The resulting server request. * @internal */ static buildServerRequest(options) { const request = {}; PasswordPolicyAuthConfig.validate(options); if (Object.prototype.hasOwnProperty.call(options, 'enforcementState')) { request.passwordPolicyEnforcementState = options.enforcementState; } request.forceUpgradeOnSignin = false; if (Object.prototype.hasOwnProperty.call(options, 'forceUpgradeOnSignin')) { request.forceUpgradeOnSignin = options.forceUpgradeOnSignin; } const constraintsRequest = { containsUppercaseCharacter: false, containsLowercaseCharacter: false, containsNonAlphanumericCharacter: false, containsNumericCharacter: false, minPasswordLength: 6, maxPasswordLength: 4096, }; request.passwordPolicyVersions = []; if (Object.prototype.hasOwnProperty.call(options, 'constraints')) { if (options) { if (options.constraints?.requireUppercase !== undefined) { constraintsRequest.containsUppercaseCharacter = options.constraints.requireUppercase; } if (options.constraints?.requireLowercase !== undefined) { constraintsRequest.containsLowercaseCharacter = options.constraints.requireLowercase; } if (options.constraints?.requireNonAlphanumeric !== undefined) { constraintsRequest.containsNonAlphanumericCharacter = options.constraints.requireNonAlphanumeric; } if (options.constraints?.requireNumeric !== undefined) { constraintsRequest.containsNumericCharacter = options.constraints.requireNumeric; } if (options.constraints?.minLength !== undefined) { constraintsRequest.minPasswordLength = options.constraints.minLength; } if (options.constraints?.maxLength !== undefined) { constraintsRequest.maxPasswordLength = options.constraints.maxLength; } } } request.passwordPolicyVersions.push({ customStrengthOptions: constraintsRequest }); return request; } /** * Validates the PasswordPolicyConfig options object. Throws an error on failure. * * @param options - The options object to validate. * @internal */ static validate(options) { const validKeys = { enforcementState: true, forceUpgradeOnSignin: true, constraints: true, }; if (!validator.isNonNullObject(options)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"PasswordPolicyConfig" must be a non-null object.'); } // Check for unsupported top level attributes. for (const key in options) { if (!(key in validKeys)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, `"${key}" is not a valid PasswordPolicyConfig parameter.`); } } // Validate content. if (typeof options.enforcementState === 'undefined' || !(options.enforcementState === 'ENFORCE' || options.enforcementState === 'OFF')) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"PasswordPolicyConfig.enforcementState" must be either "ENFORCE" or "OFF".'); } if (typeof options.forceUpgradeOnSignin !== 'undefined') { if (!validator.isBoolean(options.forceUpgradeOnSignin)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"PasswordPolicyConfig.forceUpgradeOnSignin" must be a boolean.'); } } if (typeof options.constraints !== 'undefined') { if (options.enforcementState === 'ENFORCE' && !validator.isNonNullObject(options.constraints)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"PasswordPolicyConfig.constraints" must be a non-empty object.'); } const validCharKeys = { requireUppercase: true, requireLowercase: true, requireNumeric: true, requireNonAlphanumeric: true, minLength: true, maxLength: true, }; // Check for unsupported attributes. for (const key in options.constraints) { if (!(key in validCharKeys)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, `"${key}" is not a valid PasswordPolicyConfig.constraints parameter.`); } } if (typeof options.constraints.requireUppercase !== 'undefined' && !validator.isBoolean(options.constraints.requireUppercase)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"PasswordPolicyConfig.constraints.requireUppercase" must be a boolean.'); } if (typeof options.constraints.requireLowercase !== 'undefined' && !validator.isBoolean(options.constraints.requireLowercase)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"PasswordPolicyConfig.constraints.requireLowercase" must be a boolean.'); } if (typeof options.constraints.requireNonAlphanumeric !== 'undefined' && !validator.isBoolean(options.constraints.requireNonAlphanumeric)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"PasswordPolicyConfig.constraints.requireNonAlphanumeric"' + ' must be a boolean.'); } if (typeof options.constraints.requireNumeric !== 'undefined' && !validator.isBoolean(options.constraints.requireNumeric)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"PasswordPolicyConfig.constraints.requireNumeric" must be a boolean.'); } if (typeof options.constraints.minLength === 'undefined') { options.constraints.minLength = 6; } else if (!validator.isNumber(options.constraints.minLength)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"PasswordPolicyConfig.constraints.minLength" must be a number.'); } else { if (!(options.constraints.minLength >= 6 && options.constraints.minLength <= 30)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"PasswordPolicyConfig.constraints.minLength"' + ' must be an integer between 6 and 30, inclusive.'); } } if (typeof options.constraints.maxLength === 'undefined') { options.constraints.maxLength = 4096; } else if (!validator.isNumber(options.constraints.maxLength)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"PasswordPolicyConfig.constraints.maxLength" must be a number.'); } else { if (!(options.constraints.maxLength >= options.constraints.minLength && options.constraints.maxLength <= 4096)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"PasswordPolicyConfig.constraints.maxLength"' + ' must be greater than or equal to minLength and at max 4096.'); } } } else { if (options.enforcementState === 'ENFORCE') { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"PasswordPolicyConfig.constraints" must be defined.'); } } } /** * The PasswordPolicyAuthConfig constructor. * * @param response - The server side response used to initialize the * PasswordPolicyAuthConfig object. * @constructor * @internal */ constructor(response) { if (typeof response.passwordPolicyEnforcementState === 'undefined') { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INTERNAL_ERROR, 'INTERNAL ASSERT FAILED: Invalid password policy configuration response'); } this.enforcementState = response.passwordPolicyEnforcementState; let constraintsResponse = {}; if (typeof response.passwordPolicyVersions !== 'undefined') { (response.passwordPolicyVersions || []).forEach((policyVersion) => { constraintsResponse = { requireLowercase: policyVersion.customStrengthOptions?.containsLowercaseCharacter, requireUppercase: policyVersion.customStrengthOptions?.containsUppercaseCharacter, requireNonAlphanumeric: policyVersion.customStrengthOptions?.containsNonAlphanumericCharacter, requireNumeric: policyVersion.customStrengthOptions?.containsNumericCharacter, minLength: policyVersion.customStrengthOptions?.minPasswordLength, maxLength: policyVersion.customStrengthOptions?.maxPasswordLength, }; }); } this.constraints = constraintsResponse; this.forceUpgradeOnSignin = response.forceUpgradeOnSignin ? true : false; } } exports.PasswordPolicyAuthConfig = PasswordPolicyAuthConfig; /** * Defines the EmailPrivacyAuthConfig class used for validation. * * @internal */ class EmailPrivacyAuthConfig { static validate(options) { if (!validator.isNonNullObject(options)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"EmailPrivacyConfig" must be a non-null object.'); } const validKeys = { enableImprovedEmailPrivacy: true, }; for (const key in options) { if (!(key in validKeys)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, `"${key}" is not a valid "EmailPrivacyConfig" parameter.`); } } if (typeof options.enableImprovedEmailPrivacy !== 'undefined' && !validator.isBoolean(options.enableImprovedEmailPrivacy)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CONFIG, '"EmailPrivacyConfig.enableImprovedEmailPrivacy" must be a valid boolean value.'); } } } exports.EmailPrivacyAuthConfig = EmailPrivacyAuthConfig;