/*! firebase-admin v12.0.0 */
/*!
 * Copyright 2018 Google Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
/**
 * Interface representing base properties of a user-enrolled second factor for a
 * `CreateRequest`.
 */
export interface BaseCreateMultiFactorInfoRequest {
    /**
     * The optional display name for an enrolled second factor.
     */
    displayName?: string;
    /**
     * The type identifier of the second factor. For SMS second factors, this is `phone`.
     *
     * Typed as a plain `string`, so an unsupported identifier is not rejected at
     * compile time.
     */
    factorId: string;
}
/**
 * Interface representing a phone specific user-enrolled second factor for a
 * `CreateRequest`.
 */
export interface CreatePhoneMultiFactorInfoRequest extends BaseCreateMultiFactorInfoRequest {
    /**
     * The phone number associated with a phone second factor.
     *
     * NOTE(review): the type does not constrain the format; any format check is
     * presumably done at runtime or by the Auth server — confirm.
     */
    phoneNumber: string;
}
/**
 * Type representing the properties of a user-enrolled second factor
 * for a `CreateRequest`.
 *
 * Currently an alias of the phone variant only.
 */
export type CreateMultiFactorInfoRequest = CreatePhoneMultiFactorInfoRequest;
/**
 * Interface representing common properties of a user-enrolled second factor
 * for an `UpdateRequest`.
 */
export interface BaseUpdateMultiFactorInfoRequest {
    /**
     * The ID of the enrolled second factor. This ID is unique to the user. When not provided,
     * a new one is provisioned by the Auth server.
     */
    uid?: string;
    /**
     * The optional display name for an enrolled second factor.
     */
    displayName?: string;
    /**
     * The optional date the second factor was enrolled, formatted as a UTC string.
     *
     * NOTE(review): this is caller-supplied; anything that relies on enrollment
     * dates for audit purposes should confirm whether the server accepts the
     * value as given.
     */
    enrollmentTime?: string;
    /**
     * The type identifier of the second factor. For SMS second factors, this is `phone`.
     */
    factorId: string;
}
/**
 * Interface representing a phone specific user-enrolled second factor
 * for an `UpdateRequest`.
 */
export interface UpdatePhoneMultiFactorInfoRequest extends BaseUpdateMultiFactorInfoRequest {
    /**
     * The phone number associated with a phone second factor.
     *
     * Changing this value changes where the user's second-factor challenge is
     * delivered.
     */
    phoneNumber: string;
}
/**
 * Type representing the properties of a user-enrolled second factor
 * for an `UpdateRequest`.
 *
 * Currently an alias of the phone variant only.
 */
export type UpdateMultiFactorInfoRequest = UpdatePhoneMultiFactorInfoRequest;
/**
 * The multi-factor related user settings for create operations.
 */
export interface MultiFactorCreateSettings {
    /**
     * The created user's list of enrolled second factors.
     */
    enrolledFactors: CreateMultiFactorInfoRequest[];
}
/**
 * The multi-factor related user settings for update operations.
 */
export interface MultiFactorUpdateSettings {
    /**
     * The updated list of enrolled second factors. The provided list overwrites the user's
     * existing list of second factors.
     * When null is passed, all of the user's existing second factors are removed.
     *
     * Because the list replaces rather than extends the stored one, a factor that
     * is enrolled today but missing from the provided list is dropped, and `null`
     * leaves the account without any second factor. Callers that only mean to add
     * a factor need to include the existing ones as well.
     */
    enrolledFactors: UpdateMultiFactorInfoRequest[] | null;
}
/**
 * Interface representing the properties to update on the provided user.
 *
 * Every field is optional. Some fields also accept `null`.
 * NOTE(review): `null` presumably clears the stored value — confirm against the
 * documentation of the update call that consumes this request.
 */
export interface UpdateRequest {
    /**
     * Whether or not the user is disabled: `true` for disabled;
     * `false` for enabled.
     */
    disabled?: boolean;
    /**
     * The user's display name.
     */
    displayName?: string | null;
    /**
     * The user's primary email.
     */
    email?: string;
    /**
     * Whether or not the user's primary email is verified.
     *
     * NOTE(review): this flag is set by the caller; presumably it is stored as
     * given, so only set it to `true` when ownership of the address has actually
     * been confirmed.
     */
    emailVerified?: boolean;
    /**
     * The user's unhashed password.
     *
     * This is the plaintext value. Avoid writing request objects that carry it to
     * logs, traces or error reports.
     */
    password?: string;
    /**
     * The user's primary phone number.
     */
    phoneNumber?: string | null;
    /**
     * The user's photo URL.
     */
    photoURL?: string | null;
    /**
     * The user's updated multi-factor related properties.
     */
    multiFactor?: MultiFactorUpdateSettings;
    /**
     * Links this user to the specified provider.
     *
     * Linking a provider to an existing user account does not invalidate the
     * refresh token of that account. In other words, the existing account
     * would continue to be able to access resources, despite not having used
     * the newly linked provider to log in. If you wish to force the user to
     * authenticate with this new provider, you need to (a) revoke their
     * refresh token (see
     * https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens),
     * and (b) ensure no other authentication methods are present on this
     * account.
     */
    providerToLink?: UserProvider;
    /**
     * Unlinks this user from the specified providers.
     *
     * NOTE(review): the entries are presumably provider IDs (such as
     * "google.com") — confirm; the type is an unconstrained `string[]`.
     */
    providersToUnlink?: string[];
}
/**
 * Represents a user identity provider that can be associated with a Firebase user.
 *
 * All fields are optional at the type level; which ones are required for a
 * given operation is not expressed by this interface.
 */
export interface UserProvider {
    /**
     * The user identifier for the linked provider.
     */
    uid?: string;
    /**
     * The display name for the linked provider.
     */
    displayName?: string;
    /**
     * The email for the linked provider.
     */
    email?: string;
    /**
     * The phone number for the linked provider.
     */
    phoneNumber?: string;
    /**
     * The photo URL for the linked provider.
     */
    photoURL?: string;
    /**
     * The linked provider ID (for example, "google.com" for the Google provider).
     */
    providerId?: string;
}
/**
 * Interface representing the properties to set on a new user record to be
 * created.
 *
 * Extends `UpdateRequest`, so every field declared there (including the
 * plaintext `password`) is also accepted here.
 */
export interface CreateRequest extends UpdateRequest {
    /**
     * The user's `uid`.
     */
    uid?: string;
    /**
     * The user's multi-factor related properties.
     *
     * Redeclared with the create-specific settings type in place of the update
     * one inherited from `UpdateRequest`.
     */
    multiFactor?: MultiFactorCreateSettings;
}
/**
 * The response interface for listing provider configs. This is only available
 * when listing all identity providers' configurations via
 * {@link BaseAuth.listProviderConfigs}.
 */
export interface ListProviderConfigResults {
    /**
     * The list of providers for the specified type in the current page.
     */
    providerConfigs: AuthProviderConfig[];
    /**
     * The next page token, if available.
     */
    pageToken?: string;
}
/**
 * The filter interface used for listing provider configurations. This is used
 * when specifying how to list configured identity providers via
 * {@link BaseAuth.listProviderConfigs}.
 */
export interface AuthProviderConfigFilter {
    /**
     * The Auth provider configuration filter. This can be either `saml` or `oidc`.
     * The former is used to look up SAML providers only, while the latter is used
     * for OIDC providers.
     */
    type: 'saml' | 'oidc';
    /**
     * The maximum number of results to return per page. The default and maximum is
     * 100.
     */
    maxResults?: number;
    /**
     * The next page token. When not specified, the lookup starts from the beginning
     * of the list.
     */
    pageToken?: string;
}
/**
 * The request interface for updating a SAML Auth provider. This is used
 * when updating a SAML provider's configuration via
 * {@link BaseAuth.updateProviderConfig}.
 */
export interface SAMLUpdateAuthProviderRequest {
    /**
     * The SAML provider's updated display name. If not provided, the existing
     * configuration's value is not modified.
     */
    displayName?: string;
    /**
     * Whether the SAML provider is enabled or not. If not provided, the existing
     * configuration's setting is not modified.
     */
    enabled?: boolean;
    /**
     * The SAML provider's updated IdP entity ID. If not provided, the existing
     * configuration's value is not modified.
     */
    idpEntityId?: string;
    /**
     * The SAML provider's updated SSO URL. If not provided, the existing
     * configuration's value is not modified.
     */
    ssoURL?: string;
    /**
     * The SAML provider's updated list of X.509 certificates. If not provided, the
     * existing configuration list is not modified.
     *
     * NOTE(review): a provided list presumably replaces the stored one rather
     * than being merged into it — confirm before sending a partial list during
     * IdP key rotation.
     */
    x509Certificates?: string[];
    /**
     * The SAML provider's updated RP entity ID. If not provided, the existing
     * configuration's value is not modified.
     */
    rpEntityId?: string;
    /**
     * The SAML provider's callback URL. If not provided, the existing
     * configuration's value is not modified.
     */
    callbackURL?: string;
}
/**
 * The request interface for updating an OIDC Auth provider. This is used
 * when updating an OIDC provider's configuration via
 * {@link BaseAuth.updateProviderConfig}.
 */
export interface OIDCUpdateAuthProviderRequest {
    /**
     * The OIDC provider's updated display name. If not provided, the existing
     * configuration's value is not modified.
     */
    displayName?: string;
    /**
     * Whether the OIDC provider is enabled or not. If not provided, the existing
     * configuration's setting is not modified.
     */
    enabled?: boolean;
    /**
     * The OIDC provider's updated client ID. If not provided, the existing
     * configuration's value is not modified.
     */
    clientId?: string;
    /**
     * The OIDC provider's updated issuer. If not provided, the existing
     * configuration's value is not modified.
     */
    issuer?: string;
    /**
     * The OIDC provider's client secret to enable OIDC code flow.
     * If not provided, the existing configuration's value is not modified.
     *
     * This is a credential. Keep it out of source control and avoid logging
     * request objects that carry it.
     */
    clientSecret?: string;
    /**
     * The OIDC provider's response object for OAuth authorization flow.
     */
    responseType?: OAuthResponseType;
}
/**
 * The request type for updating an Auth provider configuration: either the
 * SAML or the OIDC update request.
 *
 * The two members share no discriminating field, and every field in both is
 * optional, so the type alone does not tell the two variants apart.
 */
export type UpdateAuthProviderRequest = SAMLUpdateAuthProviderRequest | OIDCUpdateAuthProviderRequest;
/** A maximum of 10 test phone number / code pairs can be configured. */
export declare const MAXIMUM_TEST_PHONE_NUMBERS = 10;
/**
 * The server side SAML configuration request interface.
 *
 * Field names here (`ssoUrl`, `idpCertificates`, `spEntityId`, `callbackUri`)
 * differ from those of the public `SAMLAuthProviderConfig` (`ssoURL`,
 * `x509Certificates`, `rpEntityId`, `callbackURL`).
 * NOTE(review): the translation between the two shapes is presumably done by
 * the implementation; it is not visible in this declaration file.
 */
export interface SAMLConfigServerRequest {
    idpConfig?: {
        idpEntityId?: string;
        ssoUrl?: string;
        idpCertificates?: Array<{
            x509Certificate: string;
        }>;
        // NOTE(review): not documented here and has no counterpart in the public
        // SAML config interface; presumably controls signing of SAML requests — confirm.
        signRequest?: boolean;
    };
    spConfig?: {
        spEntityId?: string;
        callbackUri?: string;
    };
    displayName?: string;
    enabled?: boolean;
    // Accepts arbitrary additional keys with unchecked (`any`) values, so a
    // misspelled field name on this request is not a compile-time error.
    [key: string]: any;
}
/**
 * The server side SAML configuration response interface.
 *
 * Every field is optional at the type level, so consumers need to handle
 * missing values explicitly.
 */
export interface SAMLConfigServerResponse {
    // NOTE(review): presumably the server-side resource name of the
    // configuration — confirm.
    name?: string;
    idpConfig?: {
        idpEntityId?: string;
        ssoUrl?: string;
        idpCertificates?: Array<{
            x509Certificate: string;
        }>;
        signRequest?: boolean;
    };
    spConfig?: {
        spEntityId?: string;
        callbackUri?: string;
    };
    displayName?: string;
    enabled?: boolean;
}
/** The server side OIDC configuration request interface. */
export interface OIDCConfigServerRequest {
    clientId?: string;
    issuer?: string;
    displayName?: string;
    enabled?: boolean;
    // Credential for the OIDC code flow; avoid logging objects of this type.
    clientSecret?: string;
    responseType?: OAuthResponseType;
    // Accepts arbitrary additional keys with unchecked (`any`) values, so a
    // misspelled field name on this request is not a compile-time error.
    [key: string]: any;
}
/** The server side OIDC configuration response interface. */
export interface OIDCConfigServerResponse {
    // NOTE(review): presumably the server-side resource name of the
    // configuration — confirm.
    name?: string;
    clientId?: string;
    issuer?: string;
    displayName?: string;
    enabled?: boolean;
    // The response shape can carry the client secret. Whether the server
    // populates it is not visible here; treat response objects as sensitive
    // when logging or caching them.
    clientSecret?: string;
    responseType?: OAuthResponseType;
}
/**
 * The server side email configuration request interface.
 *
 * NOTE(review): these two flags are presumably the server-side form of the
 * public `EmailSignInProviderConfig` (`enabled` / `passwordRequired`); the exact
 * mapping is not visible in this declaration file — confirm.
 */
export interface EmailSignInConfigServerRequest {
    allowPasswordSignup?: boolean;
    enableEmailLinkSignin?: boolean;
}
/**
 * Identifies the server side second factor type.
 *
 * Not exported; `PHONE_SMS` is the only value the type admits.
 */
type AuthFactorServerType = 'PHONE_SMS';
/**
 * Server side multi-factor configuration.
 *
 * Uses the server-side factor identifiers (`AuthFactorServerType`) in
 * `enabledProviders`, where the public `MultiFactorConfig` uses `factorIds`.
 */
export interface MultiFactorAuthServerConfig {
    state?: MultiFactorConfigState;
    enabledProviders?: AuthFactorServerType[];
    providerConfigs?: MultiFactorProviderConfig[];
}
/**
 * Identifies a second factor type.
 *
 * `phone` is the only value the type admits.
 */
export type AuthFactorType = 'phone';
/**
 * Identifies a multi-factor configuration state.
 */
export type MultiFactorConfigState = 'ENABLED' | 'DISABLED';
/**
 * Interface representing a multi-factor configuration.
 * This can be used to define whether multi-factor authentication is enabled
 * or disabled and the list of second factor challenges that are supported.
 */
export interface MultiFactorConfig {
    /**
     * The multi-factor config state.
     */
    state: MultiFactorConfigState;
    /**
     * The list of identifiers for enabled second factors.
     * Currently only `phone` is supported.
     */
    factorIds?: AuthFactorType[];
    /**
     * A list of multi-factor provider configurations.
     * MFA providers (except phone) indicate whether they're enabled through this field.
     */
    providerConfigs?: MultiFactorProviderConfig[];
}
/**
 * Interface representing a multi-factor auth provider configuration.
 * This interface is used for second factor auth providers other than SMS.
 * Currently, only TOTP is supported.
 */
export interface MultiFactorProviderConfig {
    /**
     * Indicates whether this multi-factor provider is enabled or disabled.
     */
    state: MultiFactorConfigState;
    /**
     * TOTP multi-factor provider config.
     */
    totpProviderConfig?: TotpMultiFactorProviderConfig;
}
/**
 * Interface representing configuration settings for TOTP second factor auth.
 */
export interface TotpMultiFactorProviderConfig {
    /**
     * The allowed number of adjacent intervals that will be used for verification
     * to compensate for clock skew.
     *
     * A larger value tolerates more clock drift but also lengthens the period
     * during which a given code is accepted.
     * NOTE(review): the permitted range and default are not stated here —
     * confirm before choosing a value.
     */
    adjacentIntervals?: number;
}
/**
 * Validates the provided map of test phone number / code pairs.
 *
 * NOTE(review): declared to return `void`, so a failed validation is presumably
 * reported by throwing — confirm against the implementation.
 *
 * @param testPhoneNumbers - The phone number / code pairs to validate, keyed by
 *   phone number.
 */
export declare function validateTestPhoneNumbers(testPhoneNumbers: {
    [phoneNumber: string]: string;
}): void;
/**
 * The email sign in provider configuration.
 */
export interface EmailSignInProviderConfig {
    /**
     * Whether email provider is enabled.
     */
    enabled: boolean;
    /**
     * Whether password is required for email sign-in. When not required,
     * email sign-in can be performed with password or via email link sign-in.
     *
     * NOTE(review): the default used when this field is omitted is not stated
     * here — confirm.
     */
    passwordRequired?: boolean;
}
/**
 * The base Auth provider configuration interface.
 */
export interface BaseAuthProviderConfig {
    /**
     * The provider ID defined by the developer.
     * For a SAML provider, this is always prefixed by `saml.`.
     * For an OIDC provider, this is always prefixed by `oidc.`.
     */
    providerId: string;
    /**
     * The user-friendly display name for the current configuration. This name is
     * also used as the provider label in the Cloud Console.
     */
    displayName?: string;
    /**
     * Whether the provider configuration is enabled or disabled. A user
     * cannot sign in using a disabled provider.
     */
    enabled: boolean;
}
/**
 * The
 * [SAML](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html)
 * Auth provider configuration interface. A SAML provider can be created via
 * {@link BaseAuth.createProviderConfig}.
 */
export interface SAMLAuthProviderConfig extends BaseAuthProviderConfig {
    /**
     * The SAML IdP entity identifier.
     */
    idpEntityId: string;
    /**
     * The SAML IdP SSO URL. This must be a valid URL.
     */
    ssoURL: string;
    /**
     * The list of SAML IdP X.509 certificates issued by CA for this provider.
     * Multiple certificates are accepted to prevent outages during
     * IdP key rotation (for example ADFS rotates every 10 days). When the Auth
     * server receives a SAML response, it will match the SAML response with the
     * certificate on record. Otherwise the response is rejected.
     * Developers are expected to manage the certificate updates as keys are
     * rotated.
     *
     * These certificates are what responses from the IdP are checked against, so
     * the list should hold only certificates currently in use by the IdP;
     * retired ones should be removed once rotation has completed.
     */
    x509Certificates: string[];
    /**
     * The SAML relying party (service provider) entity ID.
     * This is defined by the developer but needs to be provided to the SAML IdP.
     */
    rpEntityId: string;
    /**
     * This is fixed and must always be the same as the OAuth redirect URL
     * provisioned by Firebase Auth,
     * `https://project-id.firebaseapp.com/__/auth/handler` unless a custom
     * `authDomain` is used.
     * The callback URL should also be provided to the SAML IdP during
     * configuration.
     */
    callbackURL?: string;
}
/**
 * The interface representing OIDC provider's response object for OAuth
 * authorization flow.
 * One of the following settings is required:
 * <ul>
 * <li>Set <code>code</code> to <code>true</code> for the code flow.</li>
 * <li>Set <code>idToken</code> to <code>true</code> for the ID token flow.</li>
 * </ul>
 *
 * Both fields are optional at the type level, so the "one is required" rule
 * above is not enforced by the compiler.
 */
export interface OAuthResponseType {
    /**
     * Whether ID token is returned from IdP's authorization endpoint.
     */
    idToken?: boolean;
    /**
     * Whether authorization code is returned from IdP's authorization endpoint.
     */
    code?: boolean;
}
/**
 * The [OIDC](https://openid.net/specs/openid-connect-core-1_0-final.html) Auth
 * provider configuration interface. An OIDC provider can be created via
 * {@link BaseAuth.createProviderConfig}.
 */
export interface OIDCAuthProviderConfig extends BaseAuthProviderConfig {
    /**
     * This is the required client ID used to confirm the audience of an OIDC
     * provider's
     * [ID token](https://openid.net/specs/openid-connect-core-1_0-final.html#IDToken).
     */
    clientId: string;
    /**
     * This is the required provider issuer used to match the provider issuer of
     * the ID token and to determine the corresponding OIDC discovery document, e.g.
     * [`/.well-known/openid-configuration`](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig).
     * This is needed for the following:
     * <ul>
     * <li>To verify the provided issuer.</li>
     * <li>To determine the authentication/authorization endpoint during the OAuth
     *     `id_token` authentication flow.</li>
     * <li>To retrieve the public signing keys via `jwks_uri` to verify the OIDC
     *     provider's ID token's signature.</li>
     * <li>To determine the claims_supported to construct the user attributes to be
     *     returned in the additional user info response.</li>
     * </ul>
     * ID token validation will be performed as defined in the
     * [spec](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).
     *
     * Because the signing keys and endpoints are discovered from this value, it
     * decides which party's tokens are accepted for this provider.
     */
    issuer: string;
    /**
     * The OIDC provider's client secret to enable OIDC code flow.
     *
     * This is a credential. Keep it out of source control and avoid logging
     * configuration objects that carry it.
     */
    clientSecret?: string;
    /**
     * The OIDC provider's response object for OAuth authorization flow.
     */
    responseType?: OAuthResponseType;
}
/**
 * The Auth provider configuration type: either a SAML or an OIDC provider
 * configuration.
 * See {@link BaseAuth.createProviderConfig}.
 */
export type AuthProviderConfig = SAMLAuthProviderConfig | OIDCAuthProviderConfig;
/**
 * The request interface for updating a SMS Region Config.
 * Configures the regions where users are allowed to send verification SMS.
 * This is based on the calling code of the destination phone number.
 *
 * Exactly one of the two policies is given: each wrapper types the other
 * policy's key as `never`, so supplying both is a compile-time error.
 */
export type SmsRegionConfig = AllowByDefaultWrap | AllowlistOnlyWrap;
/**
 * Mutually exclusive SMS Region Config of AllowByDefault interface
 */
export interface AllowByDefaultWrap {
    /**
     * Allow every region by default.
     */
    allowByDefault: AllowByDefault;
    /** @alpha */
    // Typed `never` so this wrapper cannot also carry an allowlist-only policy.
    allowlistOnly?: never;
}
/**
 * Mutually exclusive SMS Region Config of AllowlistOnly interface
 */
export interface AllowlistOnlyWrap {
    /**
     * Only allowing regions by explicitly adding them to an
     * allowlist.
     */
    allowlistOnly: AllowlistOnly;
    /** @alpha */
    // Typed `never` so this wrapper cannot also carry an allow-by-default policy.
    allowByDefault?: never;
}
/**
 * Defines a policy of allowing every region by default and adding disallowed
 * regions to a disallow list.
 *
 * Under this policy any region not listed stays allowed, including regions
 * nobody considered when the list was written.
 */
export interface AllowByDefault {
    /**
     * Two letter unicode region codes to disallow as defined by
     * https://cldr.unicode.org/
     * The full list of these region codes is here:
     * https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json
     */
    disallowedRegions: string[];
}
/**
 * Defines a policy of only allowing regions by explicitly adding them to an
 * allowlist.
 *
 * Under this policy a region that is not listed is not allowed.
 */
export interface AllowlistOnly {
    /**
     * Two letter unicode region codes to allow as defined by
     * https://cldr.unicode.org/
     * The full list of these region codes is here:
     * https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json
     */
    allowedRegions: string[];
}
/**
 * Enforcement state of reCAPTCHA protection.
 *   - 'OFF': Unenforced.
 *   - 'AUDIT': Create assessment but don't enforce the result.
 *   - 'ENFORCE': Create assessment and enforce the result.
 *
 * Only 'ENFORCE' acts on the assessment; 'AUDIT' produces assessments without
 * affecting the request.
 */
export type RecaptchaProviderEnforcementState = 'OFF' | 'AUDIT' | 'ENFORCE';
/**
 * The actions to take for reCAPTCHA-protected requests.
 *   - 'BLOCK': The reCAPTCHA-protected request will be blocked.
 */
export type RecaptchaAction = 'BLOCK';
/**
 * The config for a reCAPTCHA action rule.
 */
export interface RecaptchaManagedRule {
    /**
     * The action will be enforced if the reCAPTCHA score of a request is larger than endScore.
     *
     * NOTE(review): reCAPTCHA scores conventionally run from 0.0 (most likely
     * automated) to 1.0 (most likely legitimate), which would make "larger than"
     * apply the action to the least risky requests. Confirm the comparison
     * direction and the permitted values against the service documentation
     * before choosing a threshold.
     */
    endScore: number;
    /**
     * The action for reCAPTCHA-protected requests.
     */
    action?: RecaptchaAction;
}
/**
 * The key's platform type.
 */
export type RecaptchaKeyClientType = 'WEB' | 'IOS' | 'ANDROID';
/**
 * The reCAPTCHA key config.
 */
export interface RecaptchaKey {
    /**
     * The key's client platform type.
     */
    type?: RecaptchaKeyClientType;
    /**
     * The reCAPTCHA site key.
     */
    key: string;
}
/**
 * The request interface for updating a reCAPTCHA Config.
 * By enabling reCAPTCHA Enterprise Integration you are
 * agreeing to reCAPTCHA Enterprise
 * {@link https://cloud.google.com/terms/service-terms | Terms of Service}.
 */
export interface RecaptchaConfig {
    /**
     * The enforcement state of the email password provider.
     */
    emailPasswordEnforcementState?: RecaptchaProviderEnforcementState;
    /**
     * The reCAPTCHA managed rules.
     */
    managedRules?: RecaptchaManagedRule[];
    /**
     * The reCAPTCHA keys.
     */
    recaptchaKeys?: RecaptchaKey[];
    /**
     * Whether to use account defender for reCAPTCHA assessment.
     * The default value is false.
     */
    useAccountDefender?: boolean;
}
/**
 * Read-only holder for a reCAPTCHA configuration. It exposes the same fields as
 * `RecaptchaConfig`, each marked `readonly`.
 */
export declare class RecaptchaAuthConfig implements RecaptchaConfig {
    readonly emailPasswordEnforcementState?: RecaptchaProviderEnforcementState;
    readonly managedRules?: RecaptchaManagedRule[];
    readonly recaptchaKeys?: RecaptchaKey[];
    readonly useAccountDefender?: boolean;
    /**
     * Creates an instance from the given configuration.
     *
     * NOTE(review): whether the constructor runs `validate` on its argument is
     * not visible in this declaration — confirm before passing unchecked input.
     *
     * @param recaptchaConfig - The configuration to wrap.
     */
    constructor(recaptchaConfig: RecaptchaConfig);
    /**
     * Validates the RecaptchaConfig options object. Throws an error on failure.
     * @param options - The options object to validate.
     */
    static validate(options: RecaptchaConfig): void;
    /**
     * Validates each element in the ManagedRule array.
     * @param options - The options object to validate.
     */
    private static validateManagedRule;
    /**
     * Returns a JSON-serializable representation of this object.
     * @returns The JSON-serializable object representation of the ReCaptcha config instance
     */
    toJSON(): object;
}
/**
 * A password policy configuration for a project or tenant
 */
export interface PasswordPolicyConfig {
    /**
     * Enforcement state of the password policy
     */
    enforcementState?: PasswordPolicyEnforcementState;
    /**
     * Require users to have a policy-compliant password to sign in
     *
     * NOTE(review): when this is not set, users whose existing password predates
     * the policy can presumably still sign in with it — confirm.
     */
    forceUpgradeOnSignin?: boolean;
    /**
     * The constraints that make up the password strength policy
     */
    constraints?: CustomStrengthOptionsConfig;
}
/**
 * A password policy's enforcement state.
 *
 * The type admits only 'ENFORCE' and 'OFF'; there is no audit-only state.
 */
export type PasswordPolicyEnforcementState = 'ENFORCE' | 'OFF';
/**
 * Constraints to be enforced on the password policy
 *
 * All constraints are optional.
 * NOTE(review): the value applied when a constraint is omitted is not stated
 * here — confirm.
 */
export interface CustomStrengthOptionsConfig {
    /**
     * The password must contain an upper case character
     */
    requireUppercase?: boolean;
    /**
     * The password must contain a lower case character
     */
    requireLowercase?: boolean;
    /**
     * The password must contain a non-alphanumeric character
     */
    requireNonAlphanumeric?: boolean;
    /**
     * The password must contain a number
     */
    requireNumeric?: boolean;
    /**
     * Minimum password length. Valid values are from 6 to 30
     */
    minLength?: number;
    /**
     * Maximum password length. No default max length
     *
     * The type is a plain `number`; the compiler does not check it against
     * `minLength`.
     */
    maxLength?: number;
}
/**
 * Server side password policy configuration.
 *
 * Field names differ from the public `PasswordPolicyConfig`
 * (`passwordPolicyEnforcementState` here, `enforcementState` there), and the
 * constraints are nested under `passwordPolicyVersions`.
 */
export interface PasswordPolicyAuthServerConfig {
    passwordPolicyEnforcementState?: PasswordPolicyEnforcementState;
    passwordPolicyVersions?: PasswordPolicyVersionsAuthServerConfig[];
    forceUpgradeOnSignin?: boolean;
}
/**
 * Server side password policy versions configuration.
 */
export interface PasswordPolicyVersionsAuthServerConfig {
    customStrengthOptions?: CustomStrengthOptionsAuthServerConfig;
}
/**
 * Server side password policy constraints configuration.
 *
 * NOTE(review): these fields presumably correspond one-to-one to the public
 * `CustomStrengthOptionsConfig` fields (`requireLowercase`, `requireUppercase`,
 * `requireNumeric`, `requireNonAlphanumeric`, `minLength`, `maxLength`); the
 * mapping itself is not visible in this declaration file.
 */
export interface CustomStrengthOptionsAuthServerConfig {
    containsLowercaseCharacter?: boolean;
    containsUppercaseCharacter?: boolean;
    containsNumericCharacter?: boolean;
    containsNonAlphanumericCharacter?: boolean;
    minPasswordLength?: number;
    maxPasswordLength?: number;
}
/**
 * The email privacy configuration of a project or tenant.
 */
export interface EmailPrivacyConfig {
    /**
     * Whether enhanced email privacy is enabled.
     *
     * NOTE(review): the default when omitted is not stated here — confirm.
     */
    enableImprovedEmailPrivacy?: boolean;
}
// Empty export: marks this file as a module so that non-exported declarations
// (such as `AuthFactorServerType`) stay module-scoped instead of becoming global.
export {};