Skip to content
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 49 additions & 5 deletions src/auth/auth-api-request.ts
Original file line number Diff line number Diff line change
Expand Up @@ -265,6 +265,8 @@ function validateCreateEditRequest(request: any, uploadAccountRequest: boolean =
phoneNumber: true,
customAttributes: true,
validSince: true,
// Pass linkProviderUserInfo only for updates (i.e. not for uploads.)
linkProviderUserInfo: !uploadAccountRequest,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add deleteProvider as well?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's already present (line 263) since it was used previously to remove phone auth entries.

// Pass tenantId only for uploadAccount requests.
tenantId: uploadAccountRequest,
passwordHash: uploadAccountRequest,
Expand Down Expand Up @@ -410,6 +412,11 @@ function validateCreateEditRequest(request: any, uploadAccountRequest: boolean =
validateProviderUserInfo(providerUserInfoEntry);
});
}

// linkProviderUserInfo must be a (single) UserProvider value.
if (typeof request.linkProviderUserInfo !== 'undefined') {
validateProviderUserInfo(request.linkProviderUserInfo);
}
}


Expand Down Expand Up @@ -961,6 +968,31 @@ export abstract class AbstractAuthRequestHandler {
'Properties argument must be a non-null object.',
),
);
} else if (validator.isNonNullObject(properties.providerToLink)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aren't the validations at validateCreateEditRequest sufficient? Seems like the validation is added in two places.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(Missed this comment, sorry!)

IIUC, the parameters are slightly different, so it doesn't quite work. (eg rawId). Some refactoring could be done though... I've added a TODO.

if (!validator.isNonEmptyString(properties.providerToLink.providerId)) {
throw new FirebaseAuthError(
AuthClientErrorCode.INVALID_ARGUMENT,
'providerToLink.providerId of properties argument must be a non-empty string.');
}
if (!validator.isNonEmptyString(properties.providerToLink.uid)) {
throw new FirebaseAuthError(
AuthClientErrorCode.INVALID_ARGUMENT,
'providerToLink.uid of properties argument must be a non-empty string.');
}
} else if (typeof properties.providersToDelete !== 'undefined') {
if (!validator.isArray(properties.providersToDelete)) {
throw new FirebaseAuthError(
AuthClientErrorCode.INVALID_ARGUMENT,
'providersToDelete of properties argument must be an array of strings.');
}

properties.providersToDelete.forEach((providerId) => {
if (!validator.isNonEmptyString(providerId)) {
throw new FirebaseAuthError(
AuthClientErrorCode.INVALID_ARGUMENT,
'providersToDelete of properties argument must be an array of strings.');
}
});
}

// Build the setAccountInfo request.
Expand Down Expand Up @@ -995,13 +1027,25 @@ export abstract class AbstractAuthRequestHandler {
// It will be removed from the backend request and an additional parameter
// deleteProvider: ['phone'] with an array of providerIds (phone in this case),
// will be passed.
// Currently this applies to phone provider only.
if (request.phoneNumber === null) {
request.deleteProvider = ['phone'];
request.deleteProvider ? request.deleteProvider.push('phone') : request.deleteProvider = ['phone'];
delete request.phoneNumber;
} else {
// Doesn't apply to other providers in admin SDK.
delete request.deleteProvider;
}

if (typeof(request.providerToLink) !== 'undefined') {
request.linkProviderUserInfo = deepCopy(request.providerToLink);
delete request.providerToLink;

request.linkProviderUserInfo.rawId = request.linkProviderUserInfo.uid;
delete request.linkProviderUserInfo.uid;
}

if (typeof(request.providersToDelete) !== 'undefined') {
if (!validator.isArray(request.deleteProvider)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this check redundant, considering the condition gets checked at validation?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

deleteProvider might not yet exist. (Or technically, the end user could set it to anything they like if they're using javascript rather than typescript.)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will achieve the same result without the if condition I think:

request.deleteProvider = (request.deleteProvider || []).concat(request.providersToUnlink);

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The user could set this value to anything they like which could interact badly:

request.deleteProvider = "foo"
request.providersToUnlink = [ "phone", "email" ]
request.deleteProvider = (request.deleteProvider || []).concat(request.providersToUnlink);
console.log(request.deleteProvider)
> ["foophone", "email"]

Such use would be pretty questionable since deleteProvider doesn't show up in the UpdateRequest interface... though that doesn't stop the user from setting it anyways for their own purposes. (Although we modify it here, we also take a copy first, so this won't impact the user's copy.) Given that, it seems easiest to just check to see if it's an array first.

Thinking about it a bit more though, another alternative would be to just set deleteProvider to undefined (or []) after we take the copy, thus ensuring any value that the user sets can't interfere with this value.

I've left it as is for now, though could switch to the alternative if you'd prefer.

request.deleteProvider = [];
}
request.deleteProvider = request.deleteProvider.concat(request.providersToDelete);
delete request.providersToDelete;
}

// Rewrite photoURL to photoUrl.
Expand Down
44 changes: 44 additions & 0 deletions src/auth/auth.ts
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
* limitations under the License.
*/

import {deepCopy} from '../utils/deep-copy';
import {UserRecord, CreateRequest, UpdateRequest} from './user-record';
import {FirebaseApp} from '../firebase-app';
import {FirebaseTokenGenerator, cryptoSignerFromApp} from './token-generator';
Expand Down Expand Up @@ -279,6 +280,49 @@ export class BaseAuth<T extends AbstractAuthRequestHandler> {
* @return {Promise<UserRecord>} A promise that resolves with the modified user record.
*/
public updateUser(uid: string, properties: UpdateRequest): Promise<UserRecord> {
// Although we don't really advertise it, we want to also handle linking of
// non-federated idps with this call. So if we detect one of them, we'll
// adjust the properties parameter appropriately. This *does* imply that a
// conflict could arise, e.g. if the user provides a phoneNumber property,
// but also provides a providerToLink with a 'phone' provider id. In that
// case, we'll throw an error.
properties = deepCopy(properties);
if (validator.isNonNullObject(properties) && typeof properties.providerToLink !== 'undefined') {
if (properties.providerToLink.providerId === 'email') {
if (typeof properties.email !== 'undefined') {
throw new FirebaseAuthError(
AuthClientErrorCode.INVALID_ARGUMENT,
"Both UpdateRequest.email and UpdateRequest.providerToLink.providerId='email' were set. To "
+ 'link to the email/password provider, only specify the UpdateRequest.email field.');
}
properties.email = properties.providerToLink.uid;
delete properties.providerToLink;
} else if (properties.providerToLink.providerId === 'phone') {
if (typeof properties.phoneNumber !== 'undefined') {
throw new FirebaseAuthError(
AuthClientErrorCode.INVALID_ARGUMENT,
"Both UpdateRequest.phoneNumber and UpdateRequest.providerToLink.providerId='phone' were set. To "
+ 'link to a phone provider, only specify the UpdateRequest.phoneNumber field.');
}
properties.phoneNumber = properties.providerToLink.uid;
delete properties.providerToLink;
}
}
if (validator.isNonNullObject(properties) && typeof properties.providersToDelete !== 'undefined') {
if (properties.providersToDelete.indexOf('phone') !== -1) {
// If we've been told to unlink the phone provider both via setting
// phoneNumber to null *and* by setting providersToDelete to include
// 'phone', then we'll reject that. Though it might also be reasonable
// to relax this restriction and just unlink it.
if (properties.phoneNumber === null) {
throw new FirebaseAuthError(
AuthClientErrorCode.INVALID_ARGUMENT,
"Both UpdateRequest.phoneNumber=null and UpdateRequest.providersToDelete=['phone'] were set. To "
+ 'unlink from a phone provider, only specify the UpdateRequest.phoneNumber=null field.');
}
}
}

return this.authRequestHandler.updateExistingAccount(uid, properties)
.then((existingUid) => {
// Return the corresponding user record.
Expand Down
37 changes: 37 additions & 0 deletions src/auth/user-record.ts
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,8 @@ export interface UpdateRequest {
password?: string;
phoneNumber?: string | null;
photoURL?: string | null;
providerToLink?: UserProvider;
providersToDelete?: string[];
}

/** Parameters for create user operation */
Expand Down Expand Up @@ -132,6 +134,41 @@ export class UserInfo {
}
}

/**
* Represents a user identity provider that can be associated with a Firebase user.
*/
interface UserProvider {
/**
* The user identifier for the linked provider.
*/
uid?: string;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

providerUid?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's just uid in the other ports. Combined with the interface name (which contains 'provider'), I think that's probably ok.


/**
* The display name for the linked provider.
*/
displayName?: string;

/**
* The email for the linked provider.
*/
email?: string;

/**
* The phone number for the linked provider.
*/
phoneNumber?: string;

/**
* The photo URL for the linked provider.
*/
photoURL?: string;

/**
* The linked provider ID (for example, "google.com" for the Google provider).
*/
providerId?: string;
}

/**
* User record class that defines the Firebase user object populated from
* the Firebase Auth getAccountInfo response.
Expand Down
46 changes: 46 additions & 0 deletions src/index.d.ts
Original file line number Diff line number Diff line change
Expand Up @@ -545,6 +545,42 @@ declare namespace admin.auth {
toJSON(): Object;
}

/**
* Represents a user identity provider that can be associated with a Firebase user.
*/
interface UserProvider {

/**
* The user identifier for the linked provider.
*/
uid?: string;

/**
* The display name for the linked provider.
*/
displayName?: string;

/**
* The email for the linked provider.
*/
email?: string;

/**
* The phone number for the linked provider.
*/
phoneNumber?: string;

/**
* The photo URL for the linked provider.
*/
photoURL?: string;

/**
* The linked provider ID (for example, "google.com" for the Google provider).
*/
providerId?: string;
}

/**
* Interface representing a user.
*/
Expand Down Expand Up @@ -686,6 +722,16 @@ declare namespace admin.auth {
* The user's photo URL.
*/
photoURL?: string | null;

/**
* Links this user to the specified provider.
*/
providerToLink?: UserProvider;

/**
* Unlinks this user from the specified providers.
*/
providersToDelete?: string[];
}

/**
Expand Down
Loading