1 | /*! firebase-admin v10.0.0 */
|
2 | /*!
|
3 | * Copyright 2018 Google Inc.
|
4 | *
|
5 | * Licensed under the Apache License, Version 2.0 (the "License");
|
6 | * you may not use this file except in compliance with the License.
|
7 | * You may obtain a copy of the License at
|
8 | *
|
9 | * http://www.apache.org/licenses/LICENSE-2.0
|
10 | *
|
11 | * Unless required by applicable law or agreed to in writing, software
|
12 | * distributed under the License is distributed on an "AS IS" BASIS,
|
13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14 | * See the License for the specific language governing permissions and
|
15 | * limitations under the License.
|
16 | */
|
17 | /**
|
18 | * Interface representing base properties of a user-enrolled second factor for a
|
19 | * `CreateRequest`.
|
20 | */
|
21 | export interface BaseCreateMultiFactorInfoRequest {
|
22 | /**
|
23 | * The optional display name for an enrolled second factor.
|
24 | */
|
25 | displayName?: string;
|
26 | /**
|
27 | * The type identifier of the second factor. For SMS second factors, this is `phone`.
|
28 | */
|
29 | factorId: string;
|
30 | }
|
31 | /**
|
32 | * Interface representing a phone specific user-enrolled second factor for a
|
33 | * `CreateRequest`.
|
34 | */
|
35 | export interface CreatePhoneMultiFactorInfoRequest extends BaseCreateMultiFactorInfoRequest {
|
36 | /**
|
37 | * The phone number associated with a phone second factor.
|
38 | */
|
39 | phoneNumber: string;
|
40 | }
|
41 | /**
|
42 | * Type representing the properties of a user-enrolled second factor
|
43 | * for a `CreateRequest`.
|
44 | */
|
45 | export declare type CreateMultiFactorInfoRequest = CreatePhoneMultiFactorInfoRequest;
|
46 | /**
|
47 | * Interface representing common properties of a user-enrolled second factor
|
48 | * for an `UpdateRequest`.
|
49 | */
|
50 | export interface BaseUpdateMultiFactorInfoRequest {
|
51 | /**
|
52 | * The ID of the enrolled second factor. This ID is unique to the user. When not provided,
|
53 | * a new one is provisioned by the Auth server.
|
54 | */
|
55 | uid?: string;
|
56 | /**
|
57 | * The optional display name for an enrolled second factor.
|
58 | */
|
59 | displayName?: string;
|
60 | /**
|
61 | * The optional date the second factor was enrolled, formatted as a UTC string.
|
62 | */
|
63 | enrollmentTime?: string;
|
64 | /**
|
65 | * The type identifier of the second factor. For SMS second factors, this is `phone`.
|
66 | */
|
67 | factorId: string;
|
68 | }
|
69 | /**
|
70 | * Interface representing a phone specific user-enrolled second factor
|
71 | * for an `UpdateRequest`.
|
72 | */
|
73 | export interface UpdatePhoneMultiFactorInfoRequest extends BaseUpdateMultiFactorInfoRequest {
|
74 | /**
|
75 | * The phone number associated with a phone second factor.
|
76 | */
|
77 | phoneNumber: string;
|
78 | }
|
79 | /**
|
80 | * Type representing the properties of a user-enrolled second factor
|
81 | * for an `UpdateRequest`.
|
82 | */
|
83 | export declare type UpdateMultiFactorInfoRequest = UpdatePhoneMultiFactorInfoRequest;
|
84 | /**
|
85 | * The multi-factor related user settings for create operations.
|
86 | */
|
87 | export interface MultiFactorCreateSettings {
|
88 | /**
|
89 | * The created user's list of enrolled second factors.
|
90 | */
|
91 | enrolledFactors: CreateMultiFactorInfoRequest[];
|
92 | }
|
93 | /**
|
94 | * The multi-factor related user settings for update operations.
|
95 | */
|
96 | export interface MultiFactorUpdateSettings {
|
97 | /**
|
98 | * The updated list of enrolled second factors. The provided list overwrites the user's
|
99 | * existing list of second factors.
|
100 | * When null is passed, all of the user's existing second factors are removed.
|
101 | */
|
102 | enrolledFactors: UpdateMultiFactorInfoRequest[] | null;
|
103 | }
|
104 | /**
|
105 | * Interface representing the properties to update on the provided user.
|
106 | */
|
107 | export interface UpdateRequest {
|
108 | /**
|
109 | * Whether or not the user is disabled: `true` for disabled;
|
110 | * `false` for enabled.
|
111 | */
|
112 | disabled?: boolean;
|
113 | /**
|
114 | * The user's display name.
|
115 | */
|
116 | displayName?: string | null;
|
117 | /**
|
118 | * The user's primary email.
|
119 | */
|
120 | email?: string;
|
121 | /**
|
122 | * Whether or not the user's primary email is verified.
|
123 | */
|
124 | emailVerified?: boolean;
|
125 | /**
|
126 | * The user's unhashed password.
|
127 | */
|
128 | password?: string;
|
129 | /**
|
130 | * The user's primary phone number.
|
131 | */
|
132 | phoneNumber?: string | null;
|
133 | /**
|
134 | * The user's photo URL.
|
135 | */
|
136 | photoURL?: string | null;
|
137 | /**
|
138 | * The user's updated multi-factor related properties.
|
139 | */
|
140 | multiFactor?: MultiFactorUpdateSettings;
|
141 | /**
|
142 | * Links this user to the specified provider.
|
143 | *
|
144 | * Linking a provider to an existing user account does not invalidate the
|
145 | * refresh token of that account. In other words, the existing account
|
146 | * would continue to be able to access resources, despite not having used
|
147 | * the newly linked provider to log in. If you wish to force the user to
|
148 | * authenticate with this new provider, you need to (a) revoke their
|
149 | * refresh token (see
|
150 | * https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens),
|
151 | * and (b) ensure no other authentication methods are present on this
|
152 | * account.
|
153 | */
|
154 | providerToLink?: UserProvider;
|
155 | /**
|
156 | * Unlinks this user from the specified providers.
|
157 | */
|
158 | providersToUnlink?: string[];
|
159 | }
|
160 | /**
|
161 | * Represents a user identity provider that can be associated with a Firebase user.
|
162 | */
|
163 | export interface UserProvider {
|
164 | /**
|
165 | * The user identifier for the linked provider.
|
166 | */
|
167 | uid?: string;
|
168 | /**
|
169 | * The display name for the linked provider.
|
170 | */
|
171 | displayName?: string;
|
172 | /**
|
173 | * The email for the linked provider.
|
174 | */
|
175 | email?: string;
|
176 | /**
|
177 | * The phone number for the linked provider.
|
178 | */
|
179 | phoneNumber?: string;
|
180 | /**
|
181 | * The photo URL for the linked provider.
|
182 | */
|
183 | photoURL?: string;
|
184 | /**
|
185 | * The linked provider ID (for example, "google.com" for the Google provider).
|
186 | */
|
187 | providerId?: string;
|
188 | }
|
189 | /**
|
190 | * Interface representing the properties to set on a new user record to be
|
191 | * created.
|
192 | */
|
193 | export interface CreateRequest extends UpdateRequest {
|
194 | /**
|
195 | * The user's `uid`.
|
196 | */
|
197 | uid?: string;
|
198 | /**
|
199 | * The user's multi-factor related properties.
|
200 | */
|
201 | multiFactor?: MultiFactorCreateSettings;
|
202 | }
|
203 | /**
|
204 | * The response interface for listing provider configs. This is only available
|
205 | * when listing all identity providers' configurations via
|
206 | * {@link BaseAuth.listProviderConfigs}.
|
207 | */
|
208 | export interface ListProviderConfigResults {
|
209 | /**
|
210 | * The list of providers for the specified type in the current page.
|
211 | */
|
212 | providerConfigs: AuthProviderConfig[];
|
213 | /**
|
214 | * The next page token, if available.
|
215 | */
|
216 | pageToken?: string;
|
217 | }
|
218 | /**
|
219 | * The filter interface used for listing provider configurations. This is used
|
220 | * when specifying how to list configured identity providers via
|
221 | * {@link BaseAuth.listProviderConfigs}.
|
222 | */
|
223 | export interface AuthProviderConfigFilter {
|
224 | /**
|
225 | * The Auth provider configuration filter. This can be either `saml` or `oidc`.
|
226 | * The former is used to look up SAML providers only, while the latter is used
|
227 | * for OIDC providers.
|
228 | */
|
229 | type: 'saml' | 'oidc';
|
230 | /**
|
231 | * The maximum number of results to return per page. The default and maximum is
|
232 | * 100.
|
233 | */
|
234 | maxResults?: number;
|
235 | /**
|
236 | * The next page token. When not specified, the lookup starts from the beginning
|
237 | * of the list.
|
238 | */
|
239 | pageToken?: string;
|
240 | }
|
241 | /**
|
242 | * The request interface for updating a SAML Auth provider. This is used
|
243 | * when updating a SAML provider's configuration via
|
244 | * {@link BaseAuth.updateProviderConfig}.
|
245 | */
|
246 | export interface SAMLUpdateAuthProviderRequest {
|
247 | /**
|
248 | * The SAML provider's updated display name. If not provided, the existing
|
249 | * configuration's value is not modified.
|
250 | */
|
251 | displayName?: string;
|
252 | /**
|
253 | * Whether the SAML provider is enabled or not. If not provided, the existing
|
254 | * configuration's setting is not modified.
|
255 | */
|
256 | enabled?: boolean;
|
257 | /**
|
258 | * The SAML provider's updated IdP entity ID. If not provided, the existing
|
259 | * configuration's value is not modified.
|
260 | */
|
261 | idpEntityId?: string;
|
262 | /**
|
263 | * The SAML provider's updated SSO URL. If not provided, the existing
|
264 | * configuration's value is not modified.
|
265 | */
|
266 | ssoURL?: string;
|
267 | /**
|
268 | * The SAML provider's updated list of X.509 certificated. If not provided, the
|
269 | * existing configuration list is not modified.
|
270 | */
|
271 | x509Certificates?: string[];
|
272 | /**
|
273 | * The SAML provider's updated RP entity ID. If not provided, the existing
|
274 | * configuration's value is not modified.
|
275 | */
|
276 | rpEntityId?: string;
|
277 | /**
|
278 | * The SAML provider's callback URL. If not provided, the existing
|
279 | * configuration's value is not modified.
|
280 | */
|
281 | callbackURL?: string;
|
282 | }
|
283 | /**
|
284 | * The request interface for updating an OIDC Auth provider. This is used
|
285 | * when updating an OIDC provider's configuration via
|
286 | * {@link BaseAuth.updateProviderConfig}.
|
287 | */
|
288 | export interface OIDCUpdateAuthProviderRequest {
|
289 | /**
|
290 | * The OIDC provider's updated display name. If not provided, the existing
|
291 | * configuration's value is not modified.
|
292 | */
|
293 | displayName?: string;
|
294 | /**
|
295 | * Whether the OIDC provider is enabled or not. If not provided, the existing
|
296 | * configuration's setting is not modified.
|
297 | */
|
298 | enabled?: boolean;
|
299 | /**
|
300 | * The OIDC provider's updated client ID. If not provided, the existing
|
301 | * configuration's value is not modified.
|
302 | */
|
303 | clientId?: string;
|
304 | /**
|
305 | * The OIDC provider's updated issuer. If not provided, the existing
|
306 | * configuration's value is not modified.
|
307 | */
|
308 | issuer?: string;
|
309 | /**
|
310 | * The OIDC provider's client secret to enable OIDC code flow.
|
311 | * If not provided, the existing configuration's value is not modified.
|
312 | */
|
313 | clientSecret?: string;
|
314 | /**
|
315 | * The OIDC provider's response object for OAuth authorization flow.
|
316 | */
|
317 | responseType?: OAuthResponseType;
|
318 | }
|
319 | export declare type UpdateAuthProviderRequest = SAMLUpdateAuthProviderRequest | OIDCUpdateAuthProviderRequest;
|
320 | /** A maximum of 10 test phone number / code pairs can be configured. */
|
321 | export declare const MAXIMUM_TEST_PHONE_NUMBERS = 10;
|
322 | /** The server side SAML configuration request interface. */
|
323 | export interface SAMLConfigServerRequest {
|
324 | idpConfig?: {
|
325 | idpEntityId?: string;
|
326 | ssoUrl?: string;
|
327 | idpCertificates?: Array<{
|
328 | x509Certificate: string;
|
329 | }>;
|
330 | signRequest?: boolean;
|
331 | };
|
332 | spConfig?: {
|
333 | spEntityId?: string;
|
334 | callbackUri?: string;
|
335 | };
|
336 | displayName?: string;
|
337 | enabled?: boolean;
|
338 | [key: string]: any;
|
339 | }
|
340 | /** The server side SAML configuration response interface. */
|
341 | export interface SAMLConfigServerResponse {
|
342 | name?: string;
|
343 | idpConfig?: {
|
344 | idpEntityId?: string;
|
345 | ssoUrl?: string;
|
346 | idpCertificates?: Array<{
|
347 | x509Certificate: string;
|
348 | }>;
|
349 | signRequest?: boolean;
|
350 | };
|
351 | spConfig?: {
|
352 | spEntityId?: string;
|
353 | callbackUri?: string;
|
354 | };
|
355 | displayName?: string;
|
356 | enabled?: boolean;
|
357 | }
|
358 | /** The server side OIDC configuration request interface. */
|
359 | export interface OIDCConfigServerRequest {
|
360 | clientId?: string;
|
361 | issuer?: string;
|
362 | displayName?: string;
|
363 | enabled?: boolean;
|
364 | clientSecret?: string;
|
365 | responseType?: OAuthResponseType;
|
366 | [key: string]: any;
|
367 | }
|
368 | /** The server side OIDC configuration response interface. */
|
369 | export interface OIDCConfigServerResponse {
|
370 | name?: string;
|
371 | clientId?: string;
|
372 | issuer?: string;
|
373 | displayName?: string;
|
374 | enabled?: boolean;
|
375 | clientSecret?: string;
|
376 | responseType?: OAuthResponseType;
|
377 | }
|
378 | /** The server side email configuration request interface. */
|
379 | export interface EmailSignInConfigServerRequest {
|
380 | allowPasswordSignup?: boolean;
|
381 | enableEmailLinkSignin?: boolean;
|
382 | }
|
383 | /** Identifies the server side second factor type. */
|
384 | declare type AuthFactorServerType = 'PHONE_SMS';
|
385 | /** Server side multi-factor configuration. */
|
386 | export interface MultiFactorAuthServerConfig {
|
387 | state?: MultiFactorConfigState;
|
388 | enabledProviders?: AuthFactorServerType[];
|
389 | }
|
390 | /**
|
391 | * Identifies a second factor type.
|
392 | */
|
393 | export declare type AuthFactorType = 'phone';
|
394 | /**
|
395 | * Identifies a multi-factor configuration state.
|
396 | */
|
397 | export declare type MultiFactorConfigState = 'ENABLED' | 'DISABLED';
|
398 | /**
|
399 | * Interface representing a multi-factor configuration.
|
400 | * This can be used to define whether multi-factor authentication is enabled
|
401 | * or disabled and the list of second factor challenges that are supported.
|
402 | */
|
403 | export interface MultiFactorConfig {
|
404 | /**
|
405 | * The multi-factor config state.
|
406 | */
|
407 | state: MultiFactorConfigState;
|
408 | /**
|
409 | * The list of identifiers for enabled second factors.
|
410 | * Currently only ‘phone’ is supported.
|
411 | */
|
412 | factorIds?: AuthFactorType[];
|
413 | }
|
414 | /**
|
415 | * Defines the multi-factor config class used to convert client side MultiFactorConfig
|
416 | * to a format that is understood by the Auth server.
|
417 | */
|
418 | export declare class MultiFactorAuthConfig implements MultiFactorConfig {
|
419 | readonly state: MultiFactorConfigState;
|
420 | readonly factorIds: AuthFactorType[];
|
421 | /**
|
422 | * Validates the MultiFactorConfig options object. Throws an error on failure.
|
423 | *
|
424 | * @param options - The options object to validate.
|
425 | */
|
426 | private static validate;
|
427 | /** @returns The plain object representation of the multi-factor config instance. */
|
428 | toJSON(): object;
|
429 | }
|
430 | /**
|
431 | * Validates the provided map of test phone number / code pairs.
|
432 | * @param testPhoneNumbers - The phone number / code pairs to validate.
|
433 | */
|
434 | export declare function validateTestPhoneNumbers(testPhoneNumbers: {
|
435 | [phoneNumber: string]: string;
|
436 | }): void;
|
437 | /**
|
438 | * The email sign in provider configuration.
|
439 | */
|
440 | export interface EmailSignInProviderConfig {
|
441 | /**
|
442 | * Whether email provider is enabled.
|
443 | */
|
444 | enabled: boolean;
|
445 | /**
|
446 | * Whether password is required for email sign-in. When not required,
|
447 | * email sign-in can be performed with password or via email link sign-in.
|
448 | */
|
449 | passwordRequired?: boolean;
|
450 | }
|
451 | /**
|
452 | * The base Auth provider configuration interface.
|
453 | */
|
454 | export interface BaseAuthProviderConfig {
|
455 | /**
|
456 | * The provider ID defined by the developer.
|
457 | * For a SAML provider, this is always prefixed by `saml.`.
|
458 | * For an OIDC provider, this is always prefixed by `oidc.`.
|
459 | */
|
460 | providerId: string;
|
461 | /**
|
462 | * The user-friendly display name to the current configuration. This name is
|
463 | * also used as the provider label in the Cloud Console.
|
464 | */
|
465 | displayName?: string;
|
466 | /**
|
467 | * Whether the provider configuration is enabled or disabled. A user
|
468 | * cannot sign in using a disabled provider.
|
469 | */
|
470 | enabled: boolean;
|
471 | }
|
472 | /**
|
473 | * The
|
474 | * [SAML](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html)
|
475 | * Auth provider configuration interface. A SAML provider can be created via
|
476 | * {@link BaseAuth.createProviderConfig}.
|
477 | */
|
478 | export interface SAMLAuthProviderConfig extends BaseAuthProviderConfig {
|
479 | /**
|
480 | * The SAML IdP entity identifier.
|
481 | */
|
482 | idpEntityId: string;
|
483 | /**
|
484 | * The SAML IdP SSO URL. This must be a valid URL.
|
485 | */
|
486 | ssoURL: string;
|
487 | /**
|
488 | * The list of SAML IdP X.509 certificates issued by CA for this provider.
|
489 | * Multiple certificates are accepted to prevent outages during
|
490 | * IdP key rotation (for example ADFS rotates every 10 days). When the Auth
|
491 | * server receives a SAML response, it will match the SAML response with the
|
492 | * certificate on record. Otherwise the response is rejected.
|
493 | * Developers are expected to manage the certificate updates as keys are
|
494 | * rotated.
|
495 | */
|
496 | x509Certificates: string[];
|
497 | /**
|
498 | * The SAML relying party (service provider) entity ID.
|
499 | * This is defined by the developer but needs to be provided to the SAML IdP.
|
500 | */
|
501 | rpEntityId: string;
|
502 | /**
|
503 | * This is fixed and must always be the same as the OAuth redirect URL
|
504 | * provisioned by Firebase Auth,
|
505 | * `https://project-id.firebaseapp.com/__/auth/handler` unless a custom
|
506 | * `authDomain` is used.
|
507 | * The callback URL should also be provided to the SAML IdP during
|
508 | * configuration.
|
509 | */
|
510 | callbackURL?: string;
|
511 | }
|
512 | /**
|
513 | * The interface representing OIDC provider's response object for OAuth
|
514 | * authorization flow.
|
515 | * One of the following settings is required:
|
516 | * <ul>
|
517 | * <li>Set <code>code</code> to <code>true</code> for the code flow.</li>
|
518 | * <li>Set <code>idToken</code> to <code>true</code> for the ID token flow.</li>
|
519 | * </ul>
|
520 | */
|
521 | export interface OAuthResponseType {
|
522 | /**
|
523 | * Whether ID token is returned from IdP's authorization endpoint.
|
524 | */
|
525 | idToken?: boolean;
|
526 | /**
|
527 | * Whether authorization code is returned from IdP's authorization endpoint.
|
528 | */
|
529 | code?: boolean;
|
530 | }
|
531 | /**
|
532 | * The [OIDC](https://openid.net/specs/openid-connect-core-1_0-final.html) Auth
|
533 | * provider configuration interface. An OIDC provider can be created via
|
534 | * {@link BaseAuth.createProviderConfig}.
|
535 | */
|
536 | export interface OIDCAuthProviderConfig extends BaseAuthProviderConfig {
|
537 | /**
|
538 | * This is the required client ID used to confirm the audience of an OIDC
|
539 | * provider's
|
540 | * [ID token](https://openid.net/specs/openid-connect-core-1_0-final.html#IDToken).
|
541 | */
|
542 | clientId: string;
|
543 | /**
|
544 | * This is the required provider issuer used to match the provider issuer of
|
545 | * the ID token and to determine the corresponding OIDC discovery document, eg.
|
546 | * [`/.well-known/openid-configuration`](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig).
|
547 | * This is needed for the following:
|
548 | * <ul>
|
549 | * <li>To verify the provided issuer.</li>
|
550 | * <li>Determine the authentication/authorization endpoint during the OAuth
|
551 | * `id_token` authentication flow.</li>
|
552 | * <li>To retrieve the public signing keys via `jwks_uri` to verify the OIDC
|
553 | * provider's ID token's signature.</li>
|
554 | * <li>To determine the claims_supported to construct the user attributes to be
|
555 | * returned in the additional user info response.</li>
|
556 | * </ul>
|
557 | * ID token validation will be performed as defined in the
|
558 | * [spec](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).
|
559 | */
|
560 | issuer: string;
|
561 | /**
|
562 | * The OIDC provider's client secret to enable OIDC code flow.
|
563 | */
|
564 | clientSecret?: string;
|
565 | /**
|
566 | * The OIDC provider's response object for OAuth authorization flow.
|
567 | */
|
568 | responseType?: OAuthResponseType;
|
569 | }
|
570 | /**
|
571 | * The Auth provider configuration type.
|
572 | * {@link BaseAuth.createProviderConfig}.
|
573 | */
|
574 | export declare type AuthProviderConfig = SAMLAuthProviderConfig | OIDCAuthProviderConfig;
|
575 | export {};
|