Merge branch 'master' into ss-admin-auth-features

Author: morganchen12

.github/workflows/node.yml

@@ -13,16 +13,16 @@ jobs:
     strategy:
       matrix:
         node-version:
-          - 10.x
-          - 12.x
+          - 18.x
+          - 20.x
     steps:
-      - uses: actions/checkout@v1
-      - uses: actions/setup-node@v1
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
 
       - name: Cache npm
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.npm
           key: ${{ runner.os }}-node-${{ matrix.node-version }}-${{ hashFiles('**/package-lock.json') }}

.gitignore

@@ -13,3 +13,8 @@ firebase-debug.log
 
 .idea/
 
+# pnpm manages deps in the pnpm-lock.yaml file instead
+**/package-lock.json
+# keep the root package-lock so that tools are consistent
+!/package-lock.json
+

auth/create_custom_tokens.js

@@ -1,23 +1,23 @@
 'use strict';
-const admin = require('firebase-admin');
+const { initializeApp } = require('firebase-admin/app');
+const { getAuth } = require('firebase-admin/auth');
 
 // Initialize the Admin app with the default appication credentials
 // [START initialize_sdk_with_default_config]
-admin.initializeApp();
+initializeApp();
 // [END initialize_sdk_with_default_config]
 
 // Initialize the Admin app by providing a service accoune key
 // [START initialize_sdk_with_service_account_id]
-admin.initializeApp({
+initializeApp({
   serviceAccountId: '[email protected]',
 });
 // [END initialize_sdk_with_service_account_id]
 
 // [START custom_token]
 const uid = 'some-uid';
 
-admin
-  .auth()
+getAuth()
   .createCustomToken(uid)
   .then((customToken) => {
     // Send token back to client
@@ -33,8 +33,7 @@ const additionalClaims = {
   premiumAccount: true,
 };
 
-admin
-  .auth()
+getAuth()
   .createCustomToken(userId, additionalClaims)
   .then((customToken) => {
     // Send token back to client

auth/custom_claims.js

@@ -1,15 +1,18 @@
 'use strict';
-const admin = require('firebase-admin');
-admin.initializeApp();
+const { initializeApp } = require('firebase-admin/app');
+const { getAuth } = require('firebase-admin/auth');
+const { getDatabase } = require('firebase-admin/database');
+initializeApp();
+
+const express = require('express');
 
 const uid = 'firebaseUserId123';
 const idToken = 'some-invalid-token';
 
 // [START set_custom_user_claims]
 // Set admin privilege on the user corresponding to uid.
 
-admin
-  .auth()
+getAuth()
   .setCustomUserClaims(uid, { admin: true })
   .then(() => {
     // The new custom claims will propagate to the user's ID token the
@@ -19,8 +22,7 @@ admin
 
 // [START verify_custom_claims]
 // Verify the ID token first.
-admin
-  .auth()
+getAuth()
   .verifyIdToken(idToken)
   .then((claims) => {
     if (claims.admin === true) {
@@ -31,8 +33,7 @@ admin
 
 // [START read_custom_user_claims]
 // Lookup the user associated with the specified uid.
-admin
-  .auth()
+getAuth()
   .getUser(uid)
   .then((userRecord) => {
     // The claims can be accessed on the user record.
@@ -41,15 +42,14 @@ admin
 // [END read_custom_user_claims]
 
 // [START set_custom_user_claims_script]
-admin
-  .auth()
+getAuth()
   .getUserByEmail('[email protected]')
   .then((user) => {
     // Confirm user is verified.
     if (user.emailVerified) {
       // Add custom claims for additional privileges.
       // This will be picked up by the user on token refresh or next sign in on new device.
-      return admin.auth().setCustomUserClaims(user.uid, {
+      return getAuth().setCustomUserClaims(user.uid, {
         admin: true,
       });
     }
@@ -60,8 +60,7 @@ admin
 // [END set_custom_user_claims_script]
 
 // [START set_custom_user_claims_incremental]
-admin
-  .auth()
+getAuth()
   .getUserByEmail('[email protected]')
   .then((user) => {
     // Add incremental custom claim without overwriting existing claims.
@@ -70,10 +69,45 @@ admin
       // Add level.
       currentCustomClaims['accessLevel'] = 10;
       // Add custom claims for additional privileges.
-      return admin.auth().setCustomUserClaims(user.uid, currentCustomClaims);
+      return getAuth().setCustomUserClaims(user.uid, currentCustomClaims);
     }
   })
   .catch((error) => {
     console.log(error);
   });
 // [END set_custom_user_claims_incremental]
+
+function customClaimsServer() {
+  const app = express();
+
+  // [START auth_custom_claims_server]
+  app.post('/setCustomClaims', async (req, res) => {
+    // Get the ID token passed.
+    const idToken = req.body.idToken;
+
+    // Verify the ID token and decode its payload.
+    const claims = await getAuth().verifyIdToken(idToken);
+
+    // Verify user is eligible for additional privileges.
+    if (
+      typeof claims.email !== 'undefined' &&
+      typeof claims.email_verified !== 'undefined' &&
+      claims.email_verified &&
+      claims.email.endsWith('@admin.example.com')
+    ) {
+      // Add custom claims for additional privileges.
+      await getAuth().setCustomUserClaims(claims.sub, {
+        admin: true
+      });
+
+      // Tell client to refresh token on user.
+      res.end(JSON.stringify({
+        status: 'success'
+      }));
+    } else {
+      // Return nothing.
+      res.end(JSON.stringify({ status: 'ineligible' }));
+    }
+  });
+  // [END auth_custom_claims_server]
+}

auth/email_action_links.js

@@ -1,6 +1,7 @@
 'use strict';
-const admin = require('firebase-admin');
-admin.initializeApp();
+const { initializeApp } = require('firebase-admin/app');
+const { getAuth } = require('firebase-admin/auth');
+initializeApp();
 
 // [START init_action_code_settings]
 const actionCodeSettings = {
@@ -17,73 +18,59 @@ const actionCodeSettings = {
     installApp: true,
     minimumVersion: '12',
   },
-  // FDL custom domain.
-  dynamicLinkDomain: 'coolapp.page.link',
+  // The domain must be configured in Firebase Hosting and owned by the project.
+  linkDomain: 'custom-domain.com',
 };
 // [END init_action_code_settings]
 
 // [START password_reset_link]
 // Admin SDK API to generate the password reset link.
 const userEmail = '[email protected]';
-admin
-  .auth()
+getAuth()
   .generatePasswordResetLink(userEmail, actionCodeSettings)
   .then((link) => {
     // Construct password reset email template, embed the link and send
     // using custom SMTP server.
-    return sendCustomPasswordResetEmail(email, displayName, link);
+    return sendCustomPasswordResetEmail(userEmail, displayName, link);
   })
   .catch((error) => {
     // Some error occurred.
   });
 // [END password_reset_link]
 
-// [START email_verification_link]
-// Admin SDK API to generate the password reset link.
-const email = '[email protected]';
-admin
-  .auth()
-  .generatePasswordResetLink(email, actionCodeSettings)
-  .then((link) => {
-    // Construct password reset email template, embed the link and send
-    // using custom SMTP server.
-    return sendCustomPasswordResetEmail(email, displayName, link);
-  })
-  .catch((error) => {
-    // Some error occurred.
-  });
-
-// [START email_verification_link]
-// Admin SDK API to generate the email verification link.
-const useremail = '[email protected]';
-admin
-  .auth()
-  .generateEmailVerificationLink(useremail, actionCodeSettings)
-  .then((link) => {
-    // Construct email verification template, embed the link and send
-    // using custom SMTP server.
-    return sendCustomVerificationEmail(useremail, displayName, link);
-  })
-  .catch((error) => {
-    // Some error occurred.
-  });
-// [END email_verification_link]
+function emailVerificationLink() {
+  // [START email_verification_link]
+  // Admin SDK API to generate the email verification link.
+  const useremail = '[email protected]';
+  getAuth()
+    .generateEmailVerificationLink(useremail, actionCodeSettings)
+    .then((link) => {
+      // Construct email verification template, embed the link and send
+      // using custom SMTP server.
+      return sendCustomVerificationEmail(useremail, displayName, link);
+    })
+    .catch((error) => {
+      // Some error occurred.
+    });
+  // [END email_verification_link]
+}
 
-// [START sign_in_with_email_link]
-// Admin SDK API to generate the sign in with email link.
-const usremail = '[email protected]';
-admin
-  .auth()
-  .generateSignInWithEmailLink(usremail, actionCodeSettings)
-  .then((link) => {
-    // Construct sign-in with email link template, embed the link and
-    // send using custom SMTP server.
-    return sendSignInEmail(usremail, displayName, link);
-  })
-  .catch((error) => {
-    // Some error occurred.
-  });
-// [END sign_in_with_email_link]
+function signInWithEmailLink() {
+  // [START sign_in_with_email_link]
+  // Admin SDK API to generate the sign in with email link.
+  const useremail = '[email protected]';
+  getAuth()
+    .generateSignInWithEmailLink(useremail, actionCodeSettings)
+    .then((link) => {
+      // Construct sign-in with email link template, embed the link and
+      // send using custom SMTP server.
+      return sendSignInEmail(useremail, displayName, link);
+    })
+    .catch((error) => {
+      // Some error occurred.
+    });
+  // [END sign_in_with_email_link]
+}
 
 let displayName;
 const sendSignInEmail = (...args) => {

auth/functions/custom_claims.js

@@ -0,0 +1,37 @@
+// [START auth_custom_claims_cloud_function]
+const functions = require('firebase-functions');
+const { initializeApp } = require('firebase-admin/app');
+const { getAuth } = require('firebase-admin/auth');
+const { getDatabase } = require('firebase-admin/database');
+
+initializeApp();
+
+// On sign up.
+exports.processSignUp = functions.auth.user().onCreate(async (user) => {
+  // Check if user meets role criteria.
+  if (
+    user.email &&
+    user.email.endsWith('@admin.example.com') &&
+    user.emailVerified
+  ) {
+    const customClaims = {
+      admin: true,
+      accessLevel: 9
+    };
+
+    try {
+      // Set custom user claims on this newly created user.
+      await getAuth().setCustomUserClaims(user.uid, customClaims);
+
+      // Update real-time database to notify client to force refresh.
+      const metadataRef = getDatabase().ref('metadata/' + user.uid);
+
+      // Set the refresh time to the current UTC timestamp.
+      // This will be captured on the client to force a token refresh.
+      await  metadataRef.set({refreshTime: new Date().getTime()});
+    } catch (error) {
+      console.log(error);
+    }
+  }
+});
+// [END auth_custom_claims_cloud_function]

auth/functions/package.json

@@ -0,0 +1,14 @@
+{
+  "name": "auth-functions",
+  "version": "1.0.0",
+  "main": "index.js",
+  "author": "",
+  "license": "Apache-2.0",
+  "scripts": {
+    "compile": "cp ../../tsconfig.template.json ./tsconfig.json && tsc"
+  },
+  "dependencies": {
+    "firebase-admin": "^11.9.0",
+    "firebase-functions": "^4.4.0"
+  }
+}

auth/get_service_account_tokens.js

@@ -15,10 +15,10 @@
  */
 'use strict';
 // [START get_service_account_tokens]
-const admin = require('firebase-admin');
+const { cert } = require('firebase-admin/app');
 
 const serviceAccount = require('./path/to/serviceAccountKey.json');
-const credential = admin.credential.cert(serviceAccount);
+const credential = cert(serviceAccount);
 
 credential.getAccessToken().then((accessTokenInfo) => {
   const accessToken = accessTokenInfo.access_token;