UNPKG

firebase-admin

Version:

Firebase admin SDK for Node.js

firebase.google.com

firebase/firebase-admin-node

322 lines (321 loc) 15.1 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
/*! firebase-admin v5.11.0 */ "use strict"; /*! * Copyright 2017 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ Object.defineProperty(exports, "__esModule", { value: true }); var user_record_1 = require("./user-record"); var token_generator_1 = require("./token-generator"); var auth_api_request_1 = require("./auth-api-request"); var error_1 = require("../utils/error"); var validator = require("../utils/validator"); /** * Internals of an Auth instance. */ var AuthInternals = /** @class */ (function () { function AuthInternals() { } /** * Deletes the service and its associated resources. * * @return {Promise<()>} An empty Promise that will be fulfilled when the service is deleted. */ AuthInternals.prototype.delete = function () { // There are no resources to clean up return Promise.resolve(undefined); }; return AuthInternals; }()); /** * Auth service bound to the provided app. */ var Auth = /** @class */ (function () { /** * @param {object} app The app for this Auth service. * @constructor */ function Auth(app) { this.INTERNAL = new AuthInternals(); if (typeof app !== 'object' || app === null || !('options' in app)) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'First argument passed to admin.auth() must be a valid Firebase app instance.'); } this.app_ = app; // TODO (inlined): plumb this into a factory method for tokenGenerator_ once we // can generate custom tokens from access tokens. var serviceAccount; if (typeof app.options.credential.getCertificate === 'function') { serviceAccount = app.options.credential.getCertificate(); } if (serviceAccount) { // Cert credentials and Application Default Credentials created from a service account file // provide a certificate we can use to mint custom tokens and verify ID tokens. this.tokenGenerator_ = new token_generator_1.FirebaseTokenGenerator(serviceAccount); } else if (validator.isNonEmptyString(process.env.GCLOUD_PROJECT)) { // Google infrastructure like GAE, GCE, and GCF store the GCP / Firebase project ID in an // environment variable that we can use to get verifyIdToken() to work. createCustomToken() // still won't work since it requires a private key and client email which we do not have. var cert = { projectId: process.env.GCLOUD_PROJECT, }; this.tokenGenerator_ = new token_generator_1.FirebaseTokenGenerator(cert); } // Initialize auth request handler with the app. this.authRequestHandler = new auth_api_request_1.FirebaseAuthRequestHandler(app); } Object.defineProperty(Auth.prototype, "app", { /** * Returns the app associated with this Auth instance. * * @return {FirebaseApp} The app associated with this Auth instance. */ get: function () { return this.app_; }, enumerable: true, configurable: true }); /** * Creates a new custom token that can be sent back to a client to use with * signInWithCustomToken(). * * @param {string} uid The uid to use as the JWT subject. * @param {object=} developerClaims Optional additional claims to include in the JWT payload. * * @return {Promise<string>} A JWT for the provided payload. */ Auth.prototype.createCustomToken = function (uid, developerClaims) { if (typeof this.tokenGenerator_ === 'undefined') { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CREDENTIAL, 'Must initialize app with a cert credential to call auth().createCustomToken().'); } return this.tokenGenerator_.createCustomToken(uid, developerClaims); }; /** * Verifies a JWT auth token. Returns a Promise with the tokens claims. Rejects * the promise if the token could not be verified. If checkRevoked is set to true, * verifies if the session corresponding to the ID token was revoked. If the corresponding * user's session was invalidated, an auth/id-token-revoked error is thrown. If not specified * the check is not applied. * * @param {string} idToken The JWT to verify. * @param {boolean=} checkRevoked Whether to check if the ID token is revoked. * @return {Promise<DecodedIdToken>} A Promise that will be fulfilled after a successful * verification. */ Auth.prototype.verifyIdToken = function (idToken, checkRevoked) { var _this = this; if (checkRevoked === void 0) { checkRevoked = false; } if (typeof this.tokenGenerator_ === 'undefined') { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CREDENTIAL, 'Must initialize app with a cert credential or set your Firebase project ID as the ' + 'GCLOUD_PROJECT environment variable to call auth().verifyIdToken().'); } return this.tokenGenerator_.verifyIdToken(idToken) .then(function (decodedIdToken) { // Whether to check if the token was revoked. if (!checkRevoked) { return decodedIdToken; } // Get tokens valid after time for the corresponding user. return _this.getUser(decodedIdToken.sub) .then(function (user) { // If no tokens valid after time available, token is not revoked. if (user.tokensValidAfterTime) { // Get the ID token authentication time and convert to milliseconds UTC. var authTimeUtc = decodedIdToken.auth_time * 1000; // Get user tokens valid after time in milliseconds UTC. var validSinceUtc = new Date(user.tokensValidAfterTime).getTime(); // Check if authentication time is older than valid since time. if (authTimeUtc < validSinceUtc) { throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.ID_TOKEN_REVOKED); } } // All checks above passed. Return the decoded token. return decodedIdToken; }); }); }; /** * Looks up the user identified by the provided user id and returns a promise that is * fulfilled with a user record for the given user if that user is found. * * @param {string} uid The uid of the user to look up. * @return {Promise<UserRecord>} A promise that resolves with the corresponding user record. */ Auth.prototype.getUser = function (uid) { return this.authRequestHandler.getAccountInfoByUid(uid) .then(function (response) { // Returns the user record populated with server response. return new user_record_1.UserRecord(response.users[0]); }); }; /** * Looks up the user identified by the provided email and returns a promise that is * fulfilled with a user record for the given user if that user is found. * * @param {string} email The email of the user to look up. * @return {Promise<UserRecord>} A promise that resolves with the corresponding user record. */ Auth.prototype.getUserByEmail = function (email) { return this.authRequestHandler.getAccountInfoByEmail(email) .then(function (response) { // Returns the user record populated with server response. return new user_record_1.UserRecord(response.users[0]); }); }; /** * Looks up the user identified by the provided phone number and returns a promise that is * fulfilled with a user record for the given user if that user is found. * * @param {string} phoneNumber The phone number of the user to look up. * @return {Promise<UserRecord>} A promise that resolves with the corresponding user record. */ Auth.prototype.getUserByPhoneNumber = function (phoneNumber) { return this.authRequestHandler.getAccountInfoByPhoneNumber(phoneNumber) .then(function (response) { // Returns the user record populated with server response. return new user_record_1.UserRecord(response.users[0]); }); }; /** * Exports a batch of user accounts. Batch size is determined by the maxResults argument. * Starting point of the batch is determined by the pageToken argument. * * @param {number=} maxResults The page size, 1000 if undefined. This is also the maximum * allowed limit. * @param {string=} pageToken The next page token. If not specified, returns users starting * without any offset. * @return {Promise<{users: UserRecord[], pageToken?: string}>} A promise that resolves with * the current batch of downloaded users and the next page token. For the last page, an * empty list of users and no page token are returned. */ Auth.prototype.listUsers = function (maxResults, pageToken) { return this.authRequestHandler.downloadAccount(maxResults, pageToken) .then(function (response) { // List of users to return. var users = []; // Convert each user response to a UserRecord. response.users.forEach(function (userResponse) { users.push(new user_record_1.UserRecord(userResponse)); }); // Return list of user records and the next page token if available. var result = { users: users, pageToken: response.nextPageToken, }; // Delete result.pageToken if undefined. if (typeof result.pageToken === 'undefined') { delete result.pageToken; } return result; }); }; /** * Creates a new user with the properties provided. * * @param {CreateRequest} properties The properties to set on the new user record to be created. * @return {Promise<UserRecord>} A promise that resolves with the newly created user record. */ Auth.prototype.createUser = function (properties) { var _this = this; return this.authRequestHandler.createNewAccount(properties) .then(function (uid) { // Return the corresponding user record. return _this.getUser(uid); }) .catch(function (error) { if (error.code === 'auth/user-not-found') { // Something must have happened after creating the user and then retrieving it. throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INTERNAL_ERROR, 'Unable to create the user record provided.'); } throw error; }); }; /** * Deletes the user identified by the provided user id and returns a promise that is * fulfilled when the user is found and successfully deleted. * * @param {string} uid The uid of the user to delete. * @return {Promise<void>} A promise that resolves when the user is successfully deleted. */ Auth.prototype.deleteUser = function (uid) { return this.authRequestHandler.deleteAccount(uid) .then(function (response) { // Return nothing on success. }); }; /** * Updates an existing user with the properties provided. * * @param {string} uid The uid identifier of the user to update. * @param {UpdateRequest} properties The properties to update on the existing user. * @return {Promise<UserRecord>} A promise that resolves with the modified user record. */ Auth.prototype.updateUser = function (uid, properties) { var _this = this; return this.authRequestHandler.updateExistingAccount(uid, properties) .then(function (existingUid) { // Return the corresponding user record. return _this.getUser(existingUid); }); }; /** * Sets additional developer claims on an existing user identified by the provided UID. * * @param {string} uid The user to edit. * @param {object} customUserClaims The developer claims to set. * @return {Promise<void>} A promise that resolves when the operation completes * successfully. */ Auth.prototype.setCustomUserClaims = function (uid, customUserClaims) { return this.authRequestHandler.setCustomUserClaims(uid, customUserClaims) .then(function (existingUid) { // Return nothing on success. }); }; /** * Revokes all refresh tokens for the specified user identified by the provided UID. * In addition to revoking all refresh tokens for a user, all ID tokens issued before * revocation will also be revoked on the Auth backend. Any request with an ID token * generated before revocation will be rejected with a token expired error. * * @param {string} uid The user whose tokens are to be revoked. * @return {Promise<void>} A promise that resolves when the operation completes * successfully. */ Auth.prototype.revokeRefreshTokens = function (uid) { return this.authRequestHandler.revokeRefreshTokens(uid) .then(function (existingUid) { // Return nothing on success. }); }; /** * Imports the list of users provided to Firebase Auth. This is useful when * migrating from an external authentication system without having to use the Firebase CLI SDK. * At most, 1000 users are allowed to be imported one at a time. * When importing a list of password users, UserImportOptions are required to be specified. * * @param {UserImportRecord[]} users The list of user records to import to Firebase Auth. * @param {UserImportOptions=} options The user import options, required when the users provided * include password credentials. * @return {Promise<UserImportResult>} A promise that resolves when the operation completes * with the result of the import. This includes the number of successful imports, the number * of failed uploads and their corresponding errors. */ Auth.prototype.importUsers = function (users, options) { return this.authRequestHandler.uploadAccount(users, options); }; return Auth; }()); exports.Auth = Auth;