chore: Merging main branch into modular-sdk

.github/workflows/nightly.yml

@@ -82,7 +82,7 @@ jobs:
         subject: 'Nightly build ${{github.run_id}} of ${{github.repository}} failed!'
         html: >
           <b>Nightly workflow ${{github.run_id}} failed on: ${{github.repository}}</b>
-          <br /><br />Navigate to the 
+          <br /><br />Navigate to the
           <a href="https://github.com/firebase/firebase-admin-node/actions/runs/${{github.run_id}}">failed workflow</a>.
       continue-on-error: true
 
@@ -97,6 +97,6 @@ jobs:
         subject: 'Nightly build ${{github.run_id}} of ${{github.repository}} cancelled!'
         html: >
           <b>Nightly workflow ${{github.run_id}} cancelled on: ${{github.repository}}</b>
-          <br /><br />Navigate to the 
+          <br /><br />Navigate to the
           <a href="https://github.com/firebase/firebase-admin-node/actions/runs/${{github.run_id}}">cancelled workflow</a>.
       continue-on-error: true

etc/firebase-admin.api.md

@@ -431,6 +431,8 @@ export namespace remoteConfig {
     export type ListVersionsOptions = ListVersionsOptions;
     // Warning: (ae-forgotten-export) The symbol "ListVersionsResult" needs to be exported by the entry point default-namespace.d.ts
     export type ListVersionsResult = ListVersionsResult;
+    // Warning: (ae-forgotten-export) The symbol "ParameterValueType" needs to be exported by the entry point default-namespace.d.ts
+    export type ParameterValueType = ParameterValueType;
     // Warning: (ae-forgotten-export) The symbol "RemoteConfig" needs to be exported by the entry point default-namespace.d.ts
     export type RemoteConfig = RemoteConfig;
     // Warning: (ae-forgotten-export) The symbol "RemoteConfigCondition" needs to be exported by the entry point default-namespace.d.ts

etc/firebase-admin.installations.api.md

@@ -15,7 +15,6 @@ export function getInstallations(app?: App): Installations;
 
 // @public
 export class Installations {
-    constructor(app: App);
     get app(): App;
     deleteInstallation(fid: string): Promise<void>;
 }

etc/firebase-admin.remote-config.api.md

@@ -38,6 +38,9 @@ export interface ListVersionsResult {
     versions: Version[];
 }
 
+// @public
+export type ParameterValueType = 'STRING' | 'BOOLEAN' | 'NUMBER' | 'JSON';
+
 // @public
 export class RemoteConfig {
     // (undocumented)
@@ -67,6 +70,7 @@ export interface RemoteConfigParameter {
     };
     defaultValue?: RemoteConfigParameterValue;
     description?: string;
+    valueType?: ParameterValueType;
 }
 
 // @public

gulpfile.js

@@ -54,7 +54,9 @@ var paths = {
 // emitted.
 var buildProject = ts.createProject('tsconfig.json', { rootDir: 'src', declarationMap: true });
 
-var buildTest = ts.createProject('tsconfig.json');
+// Include dom libraries during test compilation since we use some web SDK
+// libraries in our tests.
+var buildTest = ts.createProject('tsconfig.json', { lib: ['es2018', 'dom'] });
 
 var banner = `/*! firebase-admin v${pkg.version} */\n`;
 

package.json

@@ -159,7 +159,7 @@
     }
   },
   "dependencies": {
-    "@firebase/database": "^0.10.0",
+    "@firebase/database-compat": "^0.1.1",
     "@firebase/database-types": "^0.7.2",
     "@types/node": ">=12.12.47",
     "dicer": "^0.3.0",
@@ -173,15 +173,15 @@
   },
   "devDependencies": {
     "@firebase/api-documenter": "^0.1.2",
-    "@firebase/app": "^0.6.21",
-    "@firebase/auth": "^0.16.5",
+    "@firebase/app-compat": "^0.1.2",
+    "@firebase/auth-compat": "^0.1.3",
     "@firebase/auth-types": "^0.10.3",
     "@microsoft/api-extractor": "^7.11.2",
     "@types/bcrypt": "^5.0.0",
     "@types/chai": "^4.0.0",
     "@types/chai-as-promised": "^7.1.0",
     "@types/firebase-token-generator": "^2.0.28",
-    "@types/jsonwebtoken": "^8.5.0",
+    "@types/jsonwebtoken": "8.5.1",
     "@types/lodash": "^4.14.104",
     "@types/minimist": "^1.2.0",
     "@types/mocha": "^8.2.2",

src/app-check/token-generator.ts

@@ -62,7 +62,7 @@ export class AppCheckTokenGenerator {
    *
    * @param appId The Application ID to use for the generated token.
    *
-   * @return A Promise fulfilled with a custom token signed with a service account key
+   * @returns A Promise fulfilled with a custom token signed with a service account key
    * that can be exchanged to an App Check token.
    */
   public createCustomToken(appId: string, options?: AppCheckTokenOptions): Promise<string> {
@@ -141,7 +141,7 @@ export class AppCheckTokenGenerator {
  * details from a CryptoSignerError.
  *
  * @param err The Error to convert into a FirebaseAppCheckError error
- * @return A Firebase App Check error that can be returned to the user.
+ * @returns A Firebase App Check error that can be returned to the user.
  */
 export function appCheckErrorFromCryptoSignerError(err: Error): Error {
   if (!(err instanceof CryptoSignerError)) {

src/app-check/token-verifier.ts

@@ -44,7 +44,7 @@ export class AppCheckTokenVerifier {
    * Verifies the format and signature of a Firebase App Check token.
    *
    * @param token The Firebase Auth JWT token to verify.
-   * @return A promise fulfilled with the decoded claims of the Firebase App Check token.
+   * @returns A promise fulfilled with the decoded claims of the Firebase App Check token.
    */
   public verifyToken(token: string): Promise<DecodedAppCheckToken> {
     if (!validator.isString(token)) {

src/app/firebase-namespace.ts

@@ -135,7 +135,7 @@ export class FirebaseNamespace {
     };
 
     // eslint-disable-next-line @typescript-eslint/no-var-requires
-    return Object.assign(fn, require('@firebase/database'));
+    return Object.assign(fn, require('@firebase/database-compat/standalone'));
   }
 
   /**

src/auth/auth-config.ts

@@ -1369,7 +1369,6 @@ export class OIDCConfig implements OIDCAuthProviderConfig {
           '"OIDCAuthProviderConfig.responseType.idToken" must be a boolean.',
         );
       }
-
       const code = options.responseType.code;
       if (typeof code !== 'undefined') {
         if (!validator.isBoolean(code)) {
@@ -1378,7 +1377,6 @@ export class OIDCConfig implements OIDCAuthProviderConfig {
             '"OIDCAuthProviderConfig.responseType.code" must be a boolean.',
           );
         }
-
         // If code flow is enabled, client secret must be provided.
         if (code && typeof options.clientSecret === 'undefined') {
           throw new FirebaseAuthError(

src/auth/base-auth.ts

@@ -20,7 +20,7 @@ import { deepCopy } from '../utils/deep-copy';
 import * as validator from '../utils/validator';
 
 import { AbstractAuthRequestHandler, useEmulator } from './auth-api-request';
-import { FirebaseTokenGenerator, EmulatedSigner } from './token-generator';
+import { FirebaseTokenGenerator, EmulatedSigner, handleCryptoSignerError } from './token-generator';
 import {
   FirebaseTokenVerifier, createSessionCookieVerifier, createIdTokenVerifier,
   DecodedIdToken,
@@ -37,7 +37,6 @@ import {
 import { UserImportOptions, UserImportRecord, UserImportResult } from './user-import-builder';
 import { ActionCodeSettings } from './action-code-settings-builder';
 import { cryptoSignerFromApp } from '../utils/crypto-signer';
-import { FirebaseApp } from '../app/firebase-app';
 
 /** Represents the result of the {@link BaseAuth.getUsers} API. */
 export interface GetUsersResult {
@@ -109,6 +108,19 @@ export interface SessionCookieOptions {
   expiresIn: number;
 }
 
+/**
+ * @internal
+ */
+export function createFirebaseTokenGenerator(app: App,
+  tenantId?: string): FirebaseTokenGenerator {
+  try {
+    const signer = useEmulator() ? new EmulatedSigner() : cryptoSignerFromApp(app);
+    return new FirebaseTokenGenerator(signer, tenantId);
+  } catch (err) {
+    throw handleCryptoSignerError(err);
+  }
+}
+
 /**
  * Common parent interface for both `Auth` and `TenantAwareAuth` APIs.
  */
@@ -134,13 +146,12 @@ export abstract class BaseAuth {
    */
   constructor(
     app: App,
-    /** @internal */protected readonly authRequestHandler: AbstractAuthRequestHandler,
+    /** @internal */ protected readonly authRequestHandler: AbstractAuthRequestHandler,
     tokenGenerator?: FirebaseTokenGenerator) {
     if (tokenGenerator) {
       this.tokenGenerator = tokenGenerator;
     } else {
-      const cryptoSigner = useEmulator() ? new EmulatedSigner() : cryptoSignerFromApp(app as FirebaseApp);
-      this.tokenGenerator = new FirebaseTokenGenerator(cryptoSigner);
+      this.tokenGenerator = createFirebaseTokenGenerator(app);
     }
 
     this.sessionCookieVerifier = createSessionCookieVerifier(app);
@@ -171,8 +182,12 @@ export abstract class BaseAuth {
    * Verifies a Firebase ID token (JWT). If the token is valid, the promise is
    * fulfilled with the token's decoded claims; otherwise, the promise is
    * rejected.
-   * An optional flag can be passed to additionally check whether the ID token
-   * was revoked.
+   *
+   * If `checkRevoked` is set to true, first verifies whether the corresponding
+   * user is disabled. If yes, an `auth/user-disabled` error is thrown. If no,
+   * verifies if the session corresponding to the ID token was revoked. If the
+   * corresponding user's session was invalidated, an `auth/id-token-revoked`
+   * error is thrown. If not specified the check is not applied.
    *
    * See {@link https://firebase.google.com/docs/auth/admin/verify-id-tokens | Verify ID Tokens}
    * for code samples and detailed documentation.
@@ -193,7 +208,7 @@ export abstract class BaseAuth {
       .then((decodedIdToken: DecodedIdToken) => {
         // Whether to check if the token was revoked.
         if (checkRevoked || isEmulator) {
-          return this.verifyDecodedJWTNotRevoked(
+          return this.verifyDecodedJWTNotRevokedOrDisabled(
             decodedIdToken,
             AuthClientErrorCode.ID_TOKEN_REVOKED);
         }
@@ -669,11 +684,14 @@ export abstract class BaseAuth {
 
   /**
    * Verifies a Firebase session cookie. Returns a Promise with the cookie claims.
-   * Rejects the promise if the cookie could not be verified. If `checkRevoked` is
-   * set to true, verifies if the session corresponding to the session cookie was
-   * revoked. If the corresponding user's session was revoked, an
-   * `auth/session-cookie-revoked` error is thrown. If not specified the check is
-   * not performed.
+   * Rejects the promise if the cookie could not be verified.
+   *
+   * If `checkRevoked` is set to true, first verifies whether the corresponding
+   * user is disabled: If yes, an `auth/user-disabled` error is thrown. If no,
+   * verifies if the session corresponding to the session cookie was revoked.
+   * If the corresponding user's session was invalidated, an
+   * `auth/session-cookie-revoked` error is thrown. If not specified the check
+   * is not performed.
    *
    * See {@link https://firebase.google.com/docs/auth/admin/manage-cookies#verify_session_cookie_and_check_permissions |
    * Verify Session Cookies}
@@ -696,7 +714,7 @@ export abstract class BaseAuth {
       .then((decodedIdToken: DecodedIdToken) => {
         // Whether to check if the token was revoked.
         if (checkRevoked || isEmulator) {
-          return this.verifyDecodedJWTNotRevoked(
+          return this.verifyDecodedJWTNotRevokedOrDisabled(
             decodedIdToken,
             AuthClientErrorCode.SESSION_COOKIE_REVOKED);
         }
@@ -1038,19 +1056,25 @@ export abstract class BaseAuth {
   }
 
   /**
-   * Verifies the decoded Firebase issued JWT is not revoked. Returns a promise that resolves
-   * with the decoded claims on success. Rejects the promise with revocation error if revoked.
+   * Verifies the decoded Firebase issued JWT is not revoked or disabled. Returns a promise that
+   * resolves with the decoded claims on success. Rejects the promise with revocation error if revoked
+   * or user disabled.
    *
    * @param decodedIdToken The JWT's decoded claims.
    * @param revocationErrorInfo The revocation error info to throw on revocation
    *     detection.
-   * @returns A Promise that will be fulfilled after a successful verification.
+   * @returns A promise that will be fulfilled after a successful verification.
    */
-  private verifyDecodedJWTNotRevoked(
+  private verifyDecodedJWTNotRevokedOrDisabled(
     decodedIdToken: DecodedIdToken, revocationErrorInfo: ErrorInfo): Promise<DecodedIdToken> {
     // Get tokens valid after time for the corresponding user.
     return this.getUser(decodedIdToken.sub)
       .then((user: UserRecord) => {
+        if (user.disabled) {
+          throw new FirebaseAuthError(
+            AuthClientErrorCode.USER_DISABLED,
+            'The user record is disabled.');
+        }
         // If no tokens valid after time available, token is not revoked.
         if (user.tokensValidAfterTime) {
           // Get the ID token authentication time and convert to milliseconds UTC.

src/auth/tenant-manager.ts

@@ -19,15 +19,12 @@ import { App } from '../app';
 import * as utils from '../utils/index';
 import { AuthClientErrorCode, FirebaseAuthError } from '../utils/error';
 
-import { BaseAuth, SessionCookieOptions } from './base-auth';
+import { BaseAuth, createFirebaseTokenGenerator, SessionCookieOptions } from './base-auth';
 import { Tenant, TenantServerResponse, CreateTenantRequest, UpdateTenantRequest } from './tenant';
-import { FirebaseTokenGenerator, EmulatedSigner } from './token-generator';
 import {
-  AuthRequestHandler, TenantAwareAuthRequestHandler, useEmulator,
+  AuthRequestHandler, TenantAwareAuthRequestHandler,
 } from './auth-api-request';
 import { DecodedIdToken } from './token-verifier';
-import { FirebaseApp } from '../app/firebase-app';
-import { cryptoSignerFromApp } from '../utils/crypto-signer';
 
 /**
  * Interface representing the object returned from a
@@ -83,9 +80,8 @@ export class TenantAwareAuth extends BaseAuth {
    * @internal
    */
   constructor(app: App, tenantId: string) {
-    const cryptoSigner = useEmulator() ? new EmulatedSigner() : cryptoSignerFromApp(app as FirebaseApp);
-    const tokenGenerator = new FirebaseTokenGenerator(cryptoSigner, tenantId);
-    super(app, new TenantAwareAuthRequestHandler(app, tenantId), tokenGenerator);
+    super(app, new TenantAwareAuthRequestHandler(
+      app, tenantId), createFirebaseTokenGenerator(app, tenantId));
     utils.addReadonlyGetter(this, 'tenantId', tenantId);
   }
 

src/auth/token-generator.ts

@@ -84,6 +84,8 @@ export class EmulatedSigner implements CryptoSigner {
 
 /**
  * Class for generating different types of Firebase Auth tokens (JWTs).
+ *
+ * @internal
  */
 export class FirebaseTokenGenerator {
 
@@ -202,8 +204,8 @@ export class FirebaseTokenGenerator {
  * Creates a new FirebaseAuthError by extracting the error code, message and other relevant
  * details from a CryptoSignerError.
  *
- * @param {Error} err The Error to convert into a FirebaseAuthError error
- * @return {FirebaseAuthError} A Firebase Auth error that can be returned to the user.
+ * @param err The Error to convert into a FirebaseAuthError error
+ * @returns A Firebase Auth error that can be returned to the user.
  */
 export function handleCryptoSignerError(err: Error): Error {
   if (!(err instanceof CryptoSignerError)) {

src/auth/token-verifier.ts

@@ -370,7 +370,6 @@ export class FirebaseTokenVerifier {
     fullDecodedToken: DecodedToken,
     projectId: string | null,
     isEmulator: boolean): void {
-
     const header = fullDecodedToken && fullDecodedToken.header;
     const payload = fullDecodedToken && fullDecodedToken.payload;
 

src/database/database.ts

@@ -17,12 +17,12 @@
 import { URL } from 'url';
 import * as path from 'path';
 
-import { Database as DatabaseImpl } from '@firebase/database';
 import { FirebaseDatabase } from '@firebase/database-types';
+import { FirebaseDatabaseError, AppErrorCodes, FirebaseAppError } from '../utils/error';
+import { Database as DatabaseImpl } from '@firebase/database-compat/standalone';
 
 import { App } from '../app';
 import { FirebaseApp } from '../app/firebase-app';
-import { FirebaseDatabaseError, AppErrorCodes, FirebaseAppError } from '../utils/error';
 import * as validator from '../utils/validator';
 import { AuthorizedHttpClient, HttpRequestConfig, HttpError } from '../utils/api-request';
 import { getSdkVersion } from '../utils/index';
@@ -124,7 +124,8 @@ export class DatabaseService {
 
     let db: Database = this.databases[dbUrl];
     if (typeof db === 'undefined') {
-      const rtdb = require('@firebase/database'); // eslint-disable-line @typescript-eslint/no-var-requires
+      // eslint-disable-next-line @typescript-eslint/no-var-requires
+      const rtdb = require('@firebase/database-compat/standalone');
       db = rtdb.initStandalone(this.appInternal, dbUrl, getSdkVersion()).instance;
 
       const rulesClient = new DatabaseRulesClient(this.app, dbUrl);

src/database/index.ts

@@ -24,7 +24,7 @@ import * as rtdb from '@firebase/database-types';
 import {
   enableLogging as enableLoggingFunc,
   ServerValue as serverValueConst,
-} from '@firebase/database';
+} from '@firebase/database-compat/standalone';
 
 import { App, getApp } from '../app';
 import { FirebaseApp } from '../app/firebase-app';
@@ -40,11 +40,13 @@ export {
   ThenableReference,
 } from '@firebase/database-types';
 
+// TODO: Remove the following any-cast once the typins in @firebase/database-types are fixed.
+
 /**
  * {@link https://firebase.google.com/docs/reference/js/firebase.database#enablelogging | enableLogging}
  * function from the `@firebase/database` package.
  */
-export const enableLogging: typeof rtdb.enableLogging = enableLoggingFunc;
+export const enableLogging: typeof rtdb.enableLogging = enableLoggingFunc as any;
 
 /**
  * {@link https://firebase.google.com/docs/reference/js/firebase.database.ServerValue | ServerValue}

src/installations/installations-namespace.ts

@@ -43,7 +43,7 @@ import { Installations as TInstallations } from './installations';
  *   return. If not provided, the default `Installations` service is
  *   returned.
  *
- * @return The default `Installations` service if
+ * @returns The default `Installations` service if
  *   no app is provided or the `Installations` service associated with the
  *   provided app.
  */