diff --git a/docgen/content-sources/node/toc.yaml b/docgen/content-sources/node/toc.yaml index 7251e68ff8..e7da53d3f6 100644 --- a/docgen/content-sources/node/toc.yaml +++ b/docgen/content-sources/node/toc.yaml @@ -26,8 +26,22 @@ toc: path: /docs/reference/admin/node/admin.auth.Auth - title: "ActionCodeSettings" path: /docs/reference/admin/node/admin.auth.ActionCodeSettings + - title: "AuthProviderConfig" + path: /docs/reference/admin/node/admin.auth.AuthProviderConfig + - title: "AuthProviderConfigFilter" + path: /docs/reference/admin/node/admin.auth.AuthProviderConfigFilter - title: "CreateRequest" path: /docs/reference/admin/node/admin.auth.CreateRequest + - title: "ListProviderConfigResults" + path: /docs/reference/admin/node/admin.auth.ListProviderConfigResults + - title: "OIDCAuthProviderConfig" + path: /docs/reference/admin/node/admin.auth.OIDCAuthProviderConfig + - title: "OIDCUpdateAuthProviderRequest" + path: /docs/reference/admin/node/admin.auth.OIDCUpdateAuthProviderRequest + - title: "SAMLAuthProviderConfig" + path: /docs/reference/admin/node/admin.auth.SAMLAuthProviderConfig + - title: "SAMLUpdateAuthProviderRequest" + path: /docs/reference/admin/node/admin.auth.SAMLUpdateAuthProviderRequests - title: "UpdateRequest" path: /docs/reference/admin/node/admin.auth.UpdateRequest - title: "UserImportOptions" diff --git a/src/index.d.ts b/src/index.d.ts index 5c1073273a..c15b4b615e 100755 --- a/src/index.d.ts +++ b/src/index.d.ts @@ -182,6 +182,28 @@ declare namespace admin { var apps: (admin.app.App|null)[]; function app(name?: string): admin.app.App; + + /** + * Gets the {@link admin.auth.Auth `Auth`} service for the default app or a + * given app. + * + * `admin.auth()` can be called with no arguments to access the default app's + * {@link admin.auth.Auth `Auth`} service or as `admin.auth(app)` to access the + * {@link admin.auth.Auth `Auth`} service associated with a specific app. + * + * @example + * ```javascript + * // Get the Auth service for the default app + * var defaultAuth = admin.auth(); + * ``` + * + * @example + * ```javascript + * // Get the Auth service for a given app + * var otherAuth = admin.auth(otherApp); + * ``` + * + */ function auth(app?: admin.app.App): admin.auth.Auth; function database(app?: admin.app.App): admin.database.Database; @@ -393,76 +415,338 @@ declare namespace admin.app { } declare namespace admin.auth { + + /** + * Interface representing a user's metadata. + */ interface UserMetadata { + + /** + * The date the user last signed in, formatted as a UTC string. + */ lastSignInTime: string; + + /** + * The date the user was created, formatted as a UTC string. + * + */ creationTime: string; toJSON(): Object; } + /** + * Interface representing a user's info from a third-party identity provider + * such as Google or Facebook. + */ interface UserInfo { + + /** + * The user identifier for the linked provider. + */ uid: string; + + /** + * The display name for the linked provider. + */ displayName: string; + + /** + * The email for the linked provider. + */ email: string; + + /** + * The phone number for the linked provider. + */ phoneNumber: string; + + /** + * The photo URL for the linked provider. + */ photoURL: string; - providerId: string; + /** + * The linked provider ID (for example, "google.com" for the Google provider). + */ + providerId: string; + + /** + * Returns a JSON-serializable representation of this object. + */ toJSON(): Object; } + /** + * Interface representing a user. + */ interface UserRecord { + + /** + * The user's `uid`. + */ uid: string; + + /** + * The user's primary email, if set. + */ email?: string; + + /** + * Whether or not the user's primary email is verified. + */ emailVerified: boolean; + + /** + * The user's display name. + */ displayName?: string; + + /** + * The user's primary phone number, if set. + */ phoneNumber?: string; + + /** + * The user's photo URL. + */ photoURL?: string; + + /** + * Whether or not the user is disabled: `true` for disabled; `false` for + * enabled. + */ disabled: boolean; + + /** + * Additional metadata about the user. + */ metadata: admin.auth.UserMetadata; + + /** + * An array of providers (for example, Google, Facebook) linked to the user. + */ providerData: admin.auth.UserInfo[]; + + /** + * The user’s hashed password (base64-encoded), only if Firebase Auth hashing + * algorithm (SCRYPT) is used. If a different hashing algorithm had been used + * when uploading this user, as is typical when migrating from another Auth + * system, this will be an empty string. If no password is set, this is + * null. This is only available when the user is obtained from + * {@link https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth#listUsers `listUsers()`}. + * + */ passwordHash?: string; + + /** + * The user’s password salt (base64-encoded), only if Firebase Auth hashing + * algorithm (SCRYPT) is used. If a different hashing algorithm had been used to + * upload this user, typical when migrating from another Auth system, this will + * be an empty string. If no password is set, this is null. This is only + * available when the user is obtained from + * {@link https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth#listUsers `listUsers()`}. + * + */ passwordSalt?: string; + + /** + * The user's custom claims object if available, typically used to define + * user roles and propagated to an authenticated user's ID token. + * This is set via + * {@link https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth#setCustomUserClaims `setCustomUserClaims()`} + */ customClaims?: Object; + + /** + * The date the user's tokens are valid after, formatted as a UTC string. + * This is updated every time the user's refresh token are revoked either + * from the {@link https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth#revokeRefreshTokens `revokeRefreshTokens()`} + * API or from the Firebase Auth backend on big account changes (password + * resets, password or email updates, etc). + */ tokensValidAfterTime?: string; + /** + * Returns a JSON-serializable representation of this object. + */ toJSON(): Object; } + /** + * Interface representing the properties to update on the provided user. + */ interface UpdateRequest { + + /** + * Whether or not the user is disabled: `true` for disabled; + * `false` for enabled. + */ disabled?: boolean; + + /** + * The user's display name. + */ displayName?: string | null; + + /** + * The user's primary email. + */ email?: string; + + /** + * Whether or not the user's primary email is verified. + */ emailVerified?: boolean; + + /** + * The user's unhashed password. + */ password?: string; + + /** + * The user's primary phone number. + */ phoneNumber?: string | null; + + /** + * The user's photo URL. + */ photoURL?: string | null; } + /** + * Interface representing the properties to set on a new user record to be + * created. + */ interface CreateRequest extends UpdateRequest { + + /** + * The user's `uid`. + */ uid?: string; } + /** + * Interface representing a decoded Firebase ID token, returned from the + * {@link https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth#verifyIdToken `verifyIdToken()`} method. + * + * Firebase ID tokens are OpenID Connect spec-compliant JSON Web Tokens (JWTs). + * See the + * [ID Token section of the OpenID Connect spec](http://openid.net/specs/openid-connect-core-1_0.html#IDToken) + * for more information about the specific properties below. + */ interface DecodedIdToken { + + /** + * The audience for which this token is intended. + * + * This value is a string equal to your Firebase project ID, the unique + * identifier for your Firebase project, which can be found in [your project's + * settings](https://console.firebase.google.com/project/_/settings/general/android:com.random.android). + */ aud: string; + + /** + * Time, in seconds since the Unix epoch, when the end-user authentication + * occurred. + * + * This value is not set when this particular ID token was created, but when the + * user initially logged in to this session. In a single session, the Firebase + * SDKs will refresh a user's ID tokens every hour. Each ID token will have a + * different [`iat`](#iat) value, but the same `auth_time` value. + */ auth_time: number; + + /** + * The ID token's expiration time, in seconds since the Unix epoch. That is, the + * time at which this ID token expires and should no longer be considered valid. + * + * The Firebase SDKs transparently refresh ID tokens every hour, issuing a new + * ID token with up to a one hour expiration. + */ exp: number; + + /** + * Information about the sign in event, including which sign in provider was + * used and provider-specific identity details. + * + * This data is provided by the Firebase Authentication service and is a + * reserved claim in the ID token. + */ firebase: { + + /** + * Provider-specific identity details corresponding + * to the provider used to sign in the user. + */ identities: { [key: string]: any; }; + + /** + * The ID of the provider used to sign in the user. + * One of `"anonymous"`, `"password"`, `"facebook.com"`, `"github.com"`, + * `"google.com"`, `"twitter.com"`, or `"custom"`. + */ sign_in_provider: string; [key: string]: any; }; + + /** + * The ID token's issued-at time, in seconds since the Unix epoch. That is, the + * time at which this ID token was issued and should start to be considered + * valid. + * + * The Firebase SDKs transparently refresh ID tokens every hour, issuing a new + * ID token with a new issued-at time. If you want to get the time at which the + * user session corresponding to the ID token initially occurred, see the + * [`auth_time`](#auth_time) property. + */ iat: number; + + /** + * The issuer identifier for the issuer of the response. + * + * This value is a URL with the format + * `https://securetoken.google.com/`, where `` is the + * same project ID specified in the [`aud`](#aud) property. + */ iss: string; + + /** + * The `uid` corresponding to the user who the ID token belonged to. + * + * As a convenience, this value is copied over to the [`uid`](#uid) property. + */ sub: string; + + /** + * The `uid` corresponding to the user who the ID token belonged to. + * + * This value is not actually in the JWT token claims itself. It is added as a + * convenience, and is set as the value of the [`sub`](#sub) property. + */ uid: string; [key: string]: any; } - + + /** + * Interface representing the object returned from a + * {@link https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth#listUsers `listUsers()`} operation. Contains the list + * of users for the current batch and the next page token if available. + */ interface ListUsersResult { + + /** + * The list of {@link admin.auth.UserRecord `UserRecord`} objects for the + * current downloaded batch. + */ users: admin.auth.UserRecord[]; + + /** + * The next page token if available. This is needed for the next batch download. + */ pageToken?: string; } @@ -470,120 +754,507 @@ declare namespace admin.auth { 'HMAC_SHA256' | 'HMAC_SHA1' | 'HMAC_MD5' | 'MD5' | 'PBKDF_SHA1' | 'BCRYPT' | 'PBKDF2_SHA256' | 'SHA512' | 'SHA256' | 'SHA1'; - + /** + * Interface representing the user import options needed for + * {@link https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth#importUsers `importUsers()`} method. This is used to + * provide the password hashing algorithm information. + */ interface UserImportOptions { + + /** + * The password hashing information. + */ hash: { + + /** + * The password hashing algorithm identifier. The following algorithm + * identifiers are supported: + * `SCRYPT`, `STANDARD_SCRYPT`, `HMAC_SHA512`, `HMAC_SHA256`, `HMAC_SHA1`, + * `HMAC_MD5`, `MD5`, `PBKDF_SHA1`, `BCRYPT`, `PBKDF2_SHA256`, `SHA512`, + * `SHA256` and `SHA1`. + */ algorithm: HashAlgorithmType; + + /** + * The signing key used in the hash algorithm in buffer bytes. + * Required by hashing algorithms `SCRYPT`, `HMAC_SHA512`, `HMAC_SHA256`, + * `HAMC_SHA1` and `HMAC_MD5`. + */ key?: Buffer; + + /** + * The salt separator in buffer bytes which is appended to salt when + * verifying a password. This is only used by the `SCRYPT` algorithm. + */ saltSeparator?: string; + + /** + * The number of rounds for hashing calculation. + * Required for `SCRYPT`, `MD5`, `SHA512`, `SHA256`, `SHA1`, `PBKDF_SHA1` and + * `PBKDF2_SHA256`. + */ rounds?: number; + + /** + * The memory cost required for `SCRYPT` algorithm, or the CPU/memory cost. + * Required for `STANDARD_SCRYPT` algorithm. + */ memoryCost?: number; + + /** + * The parallelization of the hashing algorithm. Required for the + * `STANDARD_SCRYPT` algorithm. + */ parallelization?: number; + + /** + * The block size (normally 8) of the hashing algorithm. Required for the + * `STANDARD_SCRYPT` algorithm. + */ blockSize?: number; + /** + * The derived key length of the hashing algorithm. Required for the + * `STANDARD_SCRYPT` algorithm. + */ derivedKeyLength?: number; }; } + /** + * Interface representing the response from the + * {@link https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth#importUsers `importUsers()`} method for batch + * importing users to Firebase Auth. + */ interface UserImportResult { + + /** + * The number of user records that failed to import to Firebase Auth. + */ failureCount: number; + + /** + * The number of user records that successfully imported to Firebase Auth. + */ successCount: number; + + /** + * An array of errors corresponding to the provided users to import. The + * length of this array is equal to [`failureCount`](#failureCount). + */ errors: admin.FirebaseArrayIndexError[]; } + /** + * Interface representing a user to import to Firebase Auth via the + * {@link https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth#importUsers `importUsers()`} method. + */ interface UserImportRecord { + + /** + * The user's `uid`. + */ uid: string; + + /** + * The user's primary email, if set. + */ email?: string; - emailVerified?: boolean; + + /** + * Whether or not the user's primary email is verified. + */ + emailVerified: boolean; + + /** + * The user's display name. + */ displayName?: string; + + /** + * The user's primary phone number, if set.. + */ phoneNumber?: string; + + /** + * The user's photo URL. + */ photoURL?: string; - disabled?: boolean; - metadata?: { - lastSignInTime?: string; - creationTime?: string; - }; - providerData?: { - uid: string, - displayName?: string, - email?: string, - photoURL?: string, - providerId: string, - }[]; + + /** + * Whether or not the user is disabled: `true` for disabled; `false` for + * enabled. + */ + disabled: boolean; + + /** + * Additional metadata about the user. + */ + metadata: admin.auth.UserMetadata; + + /** + * An array of providers (for example, Google, Facebook) linked to the user. + */ + providerData?: admin.auth.UserInfo[]; + + /** + * The user's custom claims object if available, typically used to define + * user roles and propagated to an authenticated user's ID token. + */ customClaims?: Object; + + /** + * The buffer of bytes representing the user’s hashed password. + * When a user is to be imported with a password hash, + * {@link admin.auth.UserImportOptions `UserImportOptions`} are required to be + * specified to identify the hashing algorithm used to generate this hash. + */ passwordHash?: Buffer; + + /** + * The buffer of bytes representing the user’s password salt. + */ passwordSalt?: Buffer; } + /** + * Interface representing the session cookie options needed for the + * {@link https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth#createSessionCookie `createSessionCookie()`} method. + */ interface SessionCookieOptions { + + /** + * The session cookie custom expiration in milliseconds. The minimum allowed is + * 5 minutes and the maxium allowed is 2 weeks. + */ expiresIn: number; } + /** + * This is the interface that defines the required continue/state URL with + * optional Android and iOS bundle identifiers. + */ interface ActionCodeSettings { + + /** + * Defines the link continue/state URL, which has different meanings in + * different contexts: + * + */ url: string; + + /** + * Whether to open the link via a mobile app or a browser. + * The default is false. When set to true, the action code link is sent + * as a Universal Link or Android App Link and is opened by the app if + * installed. In the false case, the code is sent to the web widget first + * and then redirects to the app if installed. + */ handleCodeInApp?: boolean; + + /** + * Defines the iOS bundle ID. This will try to open the link in an iOS app if it + * is installed. + */ iOS?: { + + /** + * Defines the required iOS bundle ID of the app where the link should be + * handled if the application is already installed on the device. + */ bundleId: string; }; + + /** + * Defines the Android package name. This will try to open the link in an + * android app if it is installed. If `installApp` is passed, it specifies + * whether to install the Android app if the device supports it and the app is + * not already installed. If this field is provided without a `packageName`, an + * error is thrown explaining that the `packageName` must be provided in + * conjunction with this field. If `minimumVersion` is specified, and an older + * version of the app is installed, the user is taken to the Play Store to + * upgrade the app. + */ android?: { + + /** + * Defines the required Android package name of the app where the link should be + * handled if the Android app is installed. + */ packageName: string; + + /** + * Whether to install the Android app if the device supports it and the app is + * not already installed. + */ installApp?: boolean; + + /** + * The Android minimum version if available. If the installed app is an older + * version, the user is taken to the GOogle Play Store to upgrade the app. + */ minimumVersion?: string; }; + + /** + * Defines the dynamic link domain to use for the current link if it is to be + * opened using Firebase Dynamic Links, as multiple dynamic link domains can be + * configured per project. This fields provides the ability explicitly choose + * one. If none is provided, the oldest domain is used by default. + */ dynamicLinkDomain?: string; } + /** + * The filter interface used for listing provider configurations. This is used + * when specifying how to list configured identity providers via + * {@link https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth#listProviderConfigs `listProviderConfigs()`}. + */ interface AuthProviderConfigFilter { + + /** + * The Auth provider configuration filter. This can be either `saml` or `oidc`. + * The former is used to look up SAML providers only, while the latter is used + * for OIDC providers. + */ type: 'saml' | 'oidc'; + + /** + * The maximum number of results to return per page. The default and maximum is + * 100. + */ maxResults?: number; + + /** + * The next page token. When not specified, the lookup starts from the beginning + * of the list. + */ pageToken?: string; } - + + /** + * The base Auth provider configuration interface. + */ interface AuthProviderConfig { + + /** + * The provider ID defined by the developer. + * For a SAML provider, this is always prefixed by `saml.`. + * For an OIDC provider, this is always prefixed by `oidc.`. + */ providerId: string; + + /** + * The user-friendly display name to the current configuration. This name is + * also used as the provider label in the Cloud Console. + */ displayName: string; + + /** + * Whether the current provider configuration is enabled or disabled. A user + * cannot sign in using a disabled provider. + */ enabled: boolean; } + /** + * The + * [SAML](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html) + * Auth provider configuration interface. A SAML provider can be created via + * {@link https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth#createProviderConfig `createProviderConfig()`}. + */ interface SAMLAuthProviderConfig extends admin.auth.AuthProviderConfig { + + /** + * The SAML IdP entity identifier. + */ idpEntityId: string; + + /** + * The SAML IdP SSO URL. This must be a valid URL. + */ ssoURL: string; + + /** + * The list of SAML IdP X.509 certificates issued by CA for this provider. + * Multiple certificates are accepted to prevent outages during + * IdP key rotation (for example ADFS rotates every 10 days). When the Auth + * server receives a SAML response, it will match the SAML response with the + * certificate on record. Otherwise the response is rejected. + * Developers are expected to manage the certificate updates as keys are + * rotated. + */ x509Certificates: string[]; + + /** + * The SAML relying party (service provider) entity ID. + * This is defined by the developer but needs to be provided to the SAML IdP. + */ rpEntityId: string; + + /** + * This is fixed and must always be the same as the OAuth redirect URL + * provisioned by Firebase Auth, + * `https://project-id.firebaseapp.com/__/auth/handler` unless a custom + * `authDomain` is used. + * The callback URL should also be provided to the SAML IdP during + * configuration. + */ callbackURL?: string; + + /** + * + */ enableRequestSigning?: boolean; } - + + /** + * The [OIDC](https://openid.net/specs/openid-connect-core-1_0-final.html) Auth + * provider configuration interface. An OIDC provider can be created via + * {@link https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth#createProviderConfig `createProviderConfig()`}. + */ interface OIDCAuthProviderConfig extends admin.auth.AuthProviderConfig { + + /** + * This is the required client ID used to confirm the audience of an OIDC + * provider's + * [ID token](https://openid.net/specs/openid-connect-core-1_0-final.html#IDToken). + */ clientId: string; + + /** + * This is the required provider issuer used to match the provider issuer of + * the ID token and to determine the corresponding OIDC discovery document, eg. + * [`/.well-known/openid-configuration`](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig). + * This is needed for the following: + * + * ID token validation will be performed as defined in the + * [spec](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation). + */ issuer: string; } + /** + * The request interface for updating a SAML Auth provider. This is used + * when updating a SAML provider's configuration via + * {@link https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth#updateProviderConfig `updateProviderConfig()`}. + */ interface SAMLUpdateAuthProviderRequest { + + /** + * The SAML provider's updated display name. If not provided, the existing + * configuration's value is not modified. + */ displayName?: string; + + /** + * Whether the SAML provider is enabled or not. If not provided, the existing + * configuration's setting is not modified. + */ enabled?: boolean; + + /** + * The SAML provider's updated IdP entity ID. If not provided, the existing + * configuration's value is not modified. + */ idpEntityId?: string; + + /** + * The SAML provider's updated SSO URL. If not provided, the existing + * configuration's value is not modified. + */ ssoURL?: string; + + /** + * The SAML provider's updated list of X.509 certificated. If not provided, the + * existing configuration list is not modified. + */ x509Certificates?: string[]; + + /** + * The SAML provider's updated RP entity ID. If not provided, the existing + * configuration's value is not modified. + */ rpEntityId?: string; + + /** + * The SAML provider's callback URL. If not provided, the existing + * configuration's value is not modified. + */ callbackURL?: string; + + /** + * + */ enableRequestSigning?: boolean; } + /** + * The request interface for updating an OIDC Auth provider. This is used + * when updating an OIDC provider's configuration via + * {@link https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth#updateProviderConfig `updateProviderConfig()`}. + */ interface OIDCUpdateAuthProviderRequest { + + /** + * The OIDC provider's updated display name. If not provided, the existing + * configuration's value is not modified. + */ displayName?: string; + + /** + * Whether the OIDC provider is enabled or not. If not provided, the existing + * configuration's setting is not modified. + */ enabled?: boolean; + + /** + * The OIDC provider's updated client ID. If not provided, the existing + * configuration's value is not modified. + */ clientId?: string; + + /** + * The OIDC provider's updated issuer. If not provided, the existing + * configuration's value is not modified. + */ issuer?: string; } + /** + * The response interface for listing provider configs. This is only available + * when listing all identity providers' configurations via + * {@link https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth#listProviderConfigs `listProviderConfigs()`}. + */ interface ListProviderConfigResults { + + /** + * The list of providers for the specified type in the current page. + */ providerConfigs: admin.auth.AuthProviderConfig[]; + + /** + * The next page token, if available. + */ pageToken?: string; } + type UpdateAuthProviderRequest = admin.auth.SAMLUpdateAuthProviderRequest | admin.auth.OIDCUpdateAuthProviderRequest; - + interface BaseAuth { createCustomToken(uid: string, developerClaims?: Object): Promise; createUser(properties: admin.auth.CreateRequest): Promise; @@ -670,6 +1341,10 @@ declare namespace admin.database { hasChild(path: string): boolean; hasChildren(): boolean; numChildren(): number; + + /** + * Returns a JSON-serializable representation of this object. + */ toJSON(): Object | null; val(): any; } @@ -718,6 +1393,10 @@ declare namespace admin.database { orderByPriority(): admin.database.Query; orderByValue(): admin.database.Query; startAt(value: number|string|boolean|null, key?: string): admin.database.Query; + + /** + * Returns a JSON-serializable representation of this object. + */ toJSON(): Object; toString(): string; } @@ -1969,9 +2648,11 @@ declare namespace admin.instanceId { * current app. * * @example + * ```javascript * var instanceId = app.instanceId(); * // The above is shorthand for: * // var instanceId = admin.instanceId(app); + * ``` * * @return The `InstanceId` service for the * current app.