Edit File: index.d.ts
/*! firebase-admin v9.12.0 */ /*! * Copyright 2020 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /// <reference types="node" /> import { app, FirebaseArrayIndexError } from '../firebase-namespace-api'; /** * Gets the {@link auth.Auth `Auth`} service for the default app or a * given app. * * `admin.auth()` can be called with no arguments to access the default app's * {@link auth.Auth `Auth`} service or as `admin.auth(app)` to access the * {@link auth.Auth `Auth`} service associated with a specific app. * * @example * ```javascript * // Get the Auth service for the default app * var defaultAuth = admin.auth(); * ``` * * @example * ```javascript * // Get the Auth service for a given app * var otherAuth = admin.auth(otherApp); * ``` * */ export declare function auth(app?: app.App): auth.Auth; export declare namespace auth { /** * Interface representing a user's metadata. */ interface UserMetadata { /** * The date the user last signed in, formatted as a UTC string. */ lastSignInTime: string; /** * The date the user was created, formatted as a UTC string. */ creationTime: string; /** * The time at which the user was last active (ID token refreshed), * formatted as a UTC Date string (eg 'Sat, 03 Feb 2001 04:05:06 GMT'). * Returns null if the user was never active. */ lastRefreshTime?: string | null; /** * @return A JSON-serializable representation of this object. */ toJSON(): object; } /** * Interface representing a user's info from a third-party identity provider * such as Google or Facebook. */ interface UserInfo { /** * The user identifier for the linked provider. */ uid: string; /** * The display name for the linked provider. */ displayName: string; /** * The email for the linked provider. */ email: string; /** * The phone number for the linked provider. */ phoneNumber: string; /** * The photo URL for the linked provider. */ photoURL: string; /** * The linked provider ID (for example, "google.com" for the Google provider). */ providerId: string; /** * @return A JSON-serializable representation of this object. */ toJSON(): object; } /** * Interface representing the common properties of a user-enrolled second factor. */ interface MultiFactorInfo { /** * The ID of the enrolled second factor. This ID is unique to the user. */ uid: string; /** * The optional display name of the enrolled second factor. */ displayName?: string; /** * The optional date the second factor was enrolled, formatted as a UTC string. */ enrollmentTime?: string; /** * The type identifier of the second factor. For SMS second factors, this is `phone`. */ factorId: string; /** * @return A JSON-serializable representation of this object. */ toJSON(): object; } /** * Interface representing a phone specific user-enrolled second factor. */ interface PhoneMultiFactorInfo extends MultiFactorInfo { /** * The phone number associated with a phone second factor. */ phoneNumber: string; } /** * Represents a user identity provider that can be associated with a Firebase user. */ interface UserProvider { /** * The user identifier for the linked provider. */ uid?: string; /** * The display name for the linked provider. */ displayName?: string; /** * The email for the linked provider. */ email?: string; /** * The phone number for the linked provider. */ phoneNumber?: string; /** * The photo URL for the linked provider. */ photoURL?: string; /** * The linked provider ID (for example, "google.com" for the Google provider). */ providerId?: string; } /** * Interface representing a user. */ interface UserRecord { /** * The user's `uid`. */ uid: string; /** * The user's primary email, if set. */ email?: string; /** * Whether or not the user's primary email is verified. */ emailVerified: boolean; /** * The user's display name. */ displayName?: string; /** * The user's primary phone number, if set. */ phoneNumber?: string; /** * The user's photo URL. */ photoURL?: string; /** * Whether or not the user is disabled: `true` for disabled; `false` for * enabled. */ disabled: boolean; /** * Additional metadata about the user. */ metadata: UserMetadata; /** * An array of providers (for example, Google, Facebook) linked to the user. */ providerData: UserInfo[]; /** * The user's hashed password (base64-encoded), only if Firebase Auth hashing * algorithm (SCRYPT) is used. If a different hashing algorithm had been used * when uploading this user, as is typical when migrating from another Auth * system, this will be an empty string. If no password is set, this is * null. This is only available when the user is obtained from * {@link auth.Auth.listUsers `listUsers()`}. * */ passwordHash?: string; /** * The user's password salt (base64-encoded), only if Firebase Auth hashing * algorithm (SCRYPT) is used. If a different hashing algorithm had been used to * upload this user, typical when migrating from another Auth system, this will * be an empty string. If no password is set, this is null. This is only * available when the user is obtained from * {@link auth.Auth.listUsers `listUsers()`}. * */ passwordSalt?: string; /** * The user's custom claims object if available, typically used to define * user roles and propagated to an authenticated user's ID token. * This is set via * {@link auth.Auth.setCustomUserClaims `setCustomUserClaims()`} */ customClaims?: { [key: string]: any; }; /** * The date the user's tokens are valid after, formatted as a UTC string. * This is updated every time the user's refresh token are revoked either * from the {@link auth.Auth.revokeRefreshTokens `revokeRefreshTokens()`} * API or from the Firebase Auth backend on big account changes (password * resets, password or email updates, etc). */ tokensValidAfterTime?: string; /** * The ID of the tenant the user belongs to, if available. */ tenantId?: string | null; /** * The multi-factor related properties for the current user, if available. */ multiFactor?: MultiFactorSettings; /** * @return A JSON-serializable representation of this object. */ toJSON(): object; } /** * The multi-factor related user settings. */ interface MultiFactorSettings { /** * List of second factors enrolled with the current user. * Currently only phone second factors are supported. */ enrolledFactors: MultiFactorInfo[]; /** * @return A JSON-serializable representation of this multi-factor object. */ toJSON(): object; } /** * The multi-factor related user settings for create operations. */ interface MultiFactorCreateSettings { /** * The created user's list of enrolled second factors. */ enrolledFactors: CreateMultiFactorInfoRequest[]; } /** * The multi-factor related user settings for update operations. */ interface MultiFactorUpdateSettings { /** * The updated list of enrolled second factors. The provided list overwrites the user's * existing list of second factors. * When null is passed, all of the user's existing second factors are removed. */ enrolledFactors: UpdateMultiFactorInfoRequest[] | null; } /** * Interface representing common properties of a user-enrolled second factor * for an `UpdateRequest`. */ interface BaseUpdateMultiFactorInfoRequest { /** * The ID of the enrolled second factor. This ID is unique to the user. When not provided, * a new one is provisioned by the Auth server. */ uid?: string; /** * The optional display name for an enrolled second factor. */ displayName?: string; /** * The optional date the second factor was enrolled, formatted as a UTC string. */ enrollmentTime?: string; /** * The type identifier of the second factor. For SMS second factors, this is `phone`. */ factorId: string; } /** * Interface representing a phone specific user-enrolled second factor * for an `UpdateRequest`. */ interface UpdatePhoneMultiFactorInfoRequest extends BaseUpdateMultiFactorInfoRequest { /** * The phone number associated with a phone second factor. */ phoneNumber: string; } /** * Type representing the properties of a user-enrolled second factor * for an `UpdateRequest`. */ type UpdateMultiFactorInfoRequest = UpdatePhoneMultiFactorInfoRequest; /** * Interface representing the properties to update on the provided user. */ interface UpdateRequest { /** * Whether or not the user is disabled: `true` for disabled; * `false` for enabled. */ disabled?: boolean; /** * The user's display name. */ displayName?: string | null; /** * The user's primary email. */ email?: string; /** * Whether or not the user's primary email is verified. */ emailVerified?: boolean; /** * The user's unhashed password. */ password?: string; /** * The user's primary phone number. */ phoneNumber?: string | null; /** * The user's photo URL. */ photoURL?: string | null; /** * The user's updated multi-factor related properties. */ multiFactor?: MultiFactorUpdateSettings; /** * Links this user to the specified provider. * * Linking a provider to an existing user account does not invalidate the * refresh token of that account. In other words, the existing account * would continue to be able to access resources, despite not having used * the newly linked provider to log in. If you wish to force the user to * authenticate with this new provider, you need to (a) revoke their * refresh token (see * https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens), * and (b) ensure no other authentication methods are present on this * account. */ providerToLink?: UserProvider; /** * Unlinks this user from the specified providers. */ providersToUnlink?: string[]; } /** * Interface representing base properties of a user-enrolled second factor for a * `CreateRequest`. */ interface BaseCreateMultiFactorInfoRequest { /** * The optional display name for an enrolled second factor. */ displayName?: string; /** * The type identifier of the second factor. For SMS second factors, this is `phone`. */ factorId: string; } /** * Interface representing a phone specific user-enrolled second factor for a * `CreateRequest`. */ interface CreatePhoneMultiFactorInfoRequest extends BaseCreateMultiFactorInfoRequest { /** * The phone number associated with a phone second factor. */ phoneNumber: string; } /** * Type representing the properties of a user-enrolled second factor * for a `CreateRequest`. */ type CreateMultiFactorInfoRequest = CreatePhoneMultiFactorInfoRequest; /** * Interface representing the properties to set on a new user record to be * created. */ interface CreateRequest extends UpdateRequest { /** * The user's `uid`. */ uid?: string; /** * The user's multi-factor related properties. */ multiFactor?: MultiFactorCreateSettings; } /** * Interface representing a decoded Firebase ID token, returned from the * {@link auth.Auth.verifyIdToken `verifyIdToken()`} method. * * Firebase ID tokens are OpenID Connect spec-compliant JSON Web Tokens (JWTs). * See the * [ID Token section of the OpenID Connect spec](http://openid.net/specs/openid-connect-core-1_0.html#IDToken) * for more information about the specific properties below. */ interface DecodedIdToken { /** * The audience for which this token is intended. * * This value is a string equal to your Firebase project ID, the unique * identifier for your Firebase project, which can be found in [your project's * settings](https://console.firebase.google.com/project/_/settings/general/android:com.random.android). */ aud: string; /** * Time, in seconds since the Unix epoch, when the end-user authentication * occurred. * * This value is not set when this particular ID token was created, but when the * user initially logged in to this session. In a single session, the Firebase * SDKs will refresh a user's ID tokens every hour. Each ID token will have a * different [`iat`](#iat) value, but the same `auth_time` value. */ auth_time: number; /** * The email of the user to whom the ID token belongs, if available. */ email?: string; /** * Whether or not the email of the user to whom the ID token belongs is * verified, provided the user has an email. */ email_verified?: boolean; /** * The ID token's expiration time, in seconds since the Unix epoch. That is, the * time at which this ID token expires and should no longer be considered valid. * * The Firebase SDKs transparently refresh ID tokens every hour, issuing a new * ID token with up to a one hour expiration. */ exp: number; /** * Information about the sign in event, including which sign in provider was * used and provider-specific identity details. * * This data is provided by the Firebase Authentication service and is a * reserved claim in the ID token. */ firebase: { /** * Provider-specific identity details corresponding * to the provider used to sign in the user. */ identities: { [key: string]: any; }; /** * The ID of the provider used to sign in the user. * One of `"anonymous"`, `"password"`, `"facebook.com"`, `"github.com"`, * `"google.com"`, `"twitter.com"`, `"apple.com"`, `"microsoft.com"`, * `"yahoo.com"`, `"phone"`, `"playgames.google.com"`, `"gc.apple.com"`, * or `"custom"`. * * Additional Identity Platform provider IDs include `"linkedin.com"`, * OIDC and SAML identity providers prefixed with `"saml."` and `"oidc."` * respectively. */ sign_in_provider: string; /** * The type identifier or `factorId` of the second factor, provided the * ID token was obtained from a multi-factor authenticated user. * For phone, this is `"phone"`. */ sign_in_second_factor?: string; /** * The `uid` of the second factor used to sign in, provided the * ID token was obtained from a multi-factor authenticated user. */ second_factor_identifier?: string; /** * The ID of the tenant the user belongs to, if available. */ tenant?: string; [key: string]: any; }; /** * The ID token's issued-at time, in seconds since the Unix epoch. That is, the * time at which this ID token was issued and should start to be considered * valid. * * The Firebase SDKs transparently refresh ID tokens every hour, issuing a new * ID token with a new issued-at time. If you want to get the time at which the * user session corresponding to the ID token initially occurred, see the * [`auth_time`](#auth_time) property. */ iat: number; /** * The issuer identifier for the issuer of the response. * * This value is a URL with the format * `https://securetoken.google.com/<PROJECT_ID>`, where `<PROJECT_ID>` is the * same project ID specified in the [`aud`](#aud) property. */ iss: string; /** * The phone number of the user to whom the ID token belongs, if available. */ phone_number?: string; /** * The photo URL for the user to whom the ID token belongs, if available. */ picture?: string; /** * The `uid` corresponding to the user who the ID token belonged to. * * As a convenience, this value is copied over to the [`uid`](#uid) property. */ sub: string; /** * The `uid` corresponding to the user who the ID token belonged to. * * This value is not actually in the JWT token claims itself. It is added as a * convenience, and is set as the value of the [`sub`](#sub) property. */ uid: string; [key: string]: any; } /** Represents the result of the {@link auth.Auth.getUsers} API. */ interface GetUsersResult { /** * Set of user records, corresponding to the set of users that were * requested. Only users that were found are listed here. The result set is * unordered. */ users: UserRecord[]; /** Set of identifiers that were requested, but not found. */ notFound: UserIdentifier[]; } /** * Interface representing the object returned from a * {@link auth.Auth.listUsers `listUsers()`} operation. Contains the list * of users for the current batch and the next page token if available. */ interface ListUsersResult { /** * The list of {@link auth.UserRecord `UserRecord`} objects for the * current downloaded batch. */ users: UserRecord[]; /** * The next page token if available. This is needed for the next batch download. */ pageToken?: string; } type HashAlgorithmType = 'SCRYPT' | 'STANDARD_SCRYPT' | 'HMAC_SHA512' | 'HMAC_SHA256' | 'HMAC_SHA1' | 'HMAC_MD5' | 'MD5' | 'PBKDF_SHA1' | 'BCRYPT' | 'PBKDF2_SHA256' | 'SHA512' | 'SHA256' | 'SHA1'; /** * Interface representing the user import options needed for * {@link auth.Auth.importUsers `importUsers()`} method. This is used to * provide the password hashing algorithm information. */ interface UserImportOptions { /** * The password hashing information. */ hash: { /** * The password hashing algorithm identifier. The following algorithm * identifiers are supported: * `SCRYPT`, `STANDARD_SCRYPT`, `HMAC_SHA512`, `HMAC_SHA256`, `HMAC_SHA1`, * `HMAC_MD5`, `MD5`, `PBKDF_SHA1`, `BCRYPT`, `PBKDF2_SHA256`, `SHA512`, * `SHA256` and `SHA1`. */ algorithm: HashAlgorithmType; /** * The signing key used in the hash algorithm in buffer bytes. * Required by hashing algorithms `SCRYPT`, `HMAC_SHA512`, `HMAC_SHA256`, * `HAMC_SHA1` and `HMAC_MD5`. */ key?: Buffer; /** * The salt separator in buffer bytes which is appended to salt when * verifying a password. This is only used by the `SCRYPT` algorithm. */ saltSeparator?: Buffer; /** * The number of rounds for hashing calculation. * Required for `SCRYPT`, `MD5`, `SHA512`, `SHA256`, `SHA1`, `PBKDF_SHA1` and * `PBKDF2_SHA256`. */ rounds?: number; /** * The memory cost required for `SCRYPT` algorithm, or the CPU/memory cost. * Required for `STANDARD_SCRYPT` algorithm. */ memoryCost?: number; /** * The parallelization of the hashing algorithm. Required for the * `STANDARD_SCRYPT` algorithm. */ parallelization?: number; /** * The block size (normally 8) of the hashing algorithm. Required for the * `STANDARD_SCRYPT` algorithm. */ blockSize?: number; /** * The derived key length of the hashing algorithm. Required for the * `STANDARD_SCRYPT` algorithm. */ derivedKeyLength?: number; }; } /** * Interface representing the response from the * {@link auth.Auth.importUsers `importUsers()`} method for batch * importing users to Firebase Auth. */ interface UserImportResult { /** * The number of user records that failed to import to Firebase Auth. */ failureCount: number; /** * The number of user records that successfully imported to Firebase Auth. */ successCount: number; /** * An array of errors corresponding to the provided users to import. The * length of this array is equal to [`failureCount`](#failureCount). */ errors: FirebaseArrayIndexError[]; } /** * Represents the result of the * {@link auth.Auth.deleteUsers `deleteUsers()`} * API. */ interface DeleteUsersResult { /** * The number of user records that failed to be deleted (possibly zero). */ failureCount: number; /** * The number of users that were deleted successfully (possibly zero). * Users that did not exist prior to calling `deleteUsers()` are * considered to be successfully deleted. */ successCount: number; /** * A list of `FirebaseArrayIndexError` instances describing the errors that * were encountered during the deletion. Length of this list is equal to * the return value of [`failureCount`](#failureCount). */ errors: FirebaseArrayIndexError[]; } /** * User metadata to include when importing a user. */ interface UserMetadataRequest { /** * The date the user last signed in, formatted as a UTC string. */ lastSignInTime?: string; /** * The date the user was created, formatted as a UTC string. */ creationTime?: string; } /** * User provider data to include when importing a user. */ interface UserProviderRequest { /** * The user identifier for the linked provider. */ uid: string; /** * The display name for the linked provider. */ displayName?: string; /** * The email for the linked provider. */ email?: string; /** * The phone number for the linked provider. */ phoneNumber?: string; /** * The photo URL for the linked provider. */ photoURL?: string; /** * The linked provider ID (for example, "google.com" for the Google provider). */ providerId: string; } /** * Interface representing a user to import to Firebase Auth via the * {@link auth.Auth.importUsers `importUsers()`} method. */ interface UserImportRecord { /** * The user's `uid`. */ uid: string; /** * The user's primary email, if set. */ email?: string; /** * Whether or not the user's primary email is verified. */ emailVerified?: boolean; /** * The user's display name. */ displayName?: string; /** * The user's primary phone number, if set. */ phoneNumber?: string; /** * The user's photo URL. */ photoURL?: string; /** * Whether or not the user is disabled: `true` for disabled; `false` for * enabled. */ disabled?: boolean; /** * Additional metadata about the user. */ metadata?: UserMetadataRequest; /** * An array of providers (for example, Google, Facebook) linked to the user. */ providerData?: UserProviderRequest[]; /** * The user's custom claims object if available, typically used to define * user roles and propagated to an authenticated user's ID token. */ customClaims?: { [key: string]: any; }; /** * The buffer of bytes representing the user's hashed password. * When a user is to be imported with a password hash, * {@link auth.UserImportOptions `UserImportOptions`} are required to be * specified to identify the hashing algorithm used to generate this hash. */ passwordHash?: Buffer; /** * The buffer of bytes representing the user's password salt. */ passwordSalt?: Buffer; /** * The identifier of the tenant where user is to be imported to. * When not provided in an `admin.auth.Auth` context, the user is uploaded to * the default parent project. * When not provided in an `admin.auth.TenantAwareAuth` context, the user is uploaded * to the tenant corresponding to that `TenantAwareAuth` instance's tenant ID. */ tenantId?: string; /** * The user's multi-factor related properties. */ multiFactor?: MultiFactorUpdateSettings; } /** * Interface representing the session cookie options needed for the * {@link auth.Auth.createSessionCookie `createSessionCookie()`} method. */ interface SessionCookieOptions { /** * The session cookie custom expiration in milliseconds. The minimum allowed is * 5 minutes and the maxium allowed is 2 weeks. */ expiresIn: number; } /** * This is the interface that defines the required continue/state URL with * optional Android and iOS bundle identifiers. */ interface ActionCodeSettings { /** * Defines the link continue/state URL, which has different meanings in * different contexts: * <ul> * <li>When the link is handled in the web action widgets, this is the deep * link in the `continueUrl` query parameter.</li> * <li>When the link is handled in the app directly, this is the `continueUrl` * query parameter in the deep link of the Dynamic Link.</li> * </ul> */ url: string; /** * Whether to open the link via a mobile app or a browser. * The default is false. When set to true, the action code link is sent * as a Universal Link or Android App Link and is opened by the app if * installed. In the false case, the code is sent to the web widget first * and then redirects to the app if installed. */ handleCodeInApp?: boolean; /** * Defines the iOS bundle ID. This will try to open the link in an iOS app if it * is installed. */ iOS?: { /** * Defines the required iOS bundle ID of the app where the link should be * handled if the application is already installed on the device. */ bundleId: string; }; /** * Defines the Android package name. This will try to open the link in an * android app if it is installed. If `installApp` is passed, it specifies * whether to install the Android app if the device supports it and the app is * not already installed. If this field is provided without a `packageName`, an * error is thrown explaining that the `packageName` must be provided in * conjunction with this field. If `minimumVersion` is specified, and an older * version of the app is installed, the user is taken to the Play Store to * upgrade the app. */ android?: { /** * Defines the required Android package name of the app where the link should be * handled if the Android app is installed. */ packageName: string; /** * Whether to install the Android app if the device supports it and the app is * not already installed. */ installApp?: boolean; /** * The Android minimum version if available. If the installed app is an older * version, the user is taken to the GOogle Play Store to upgrade the app. */ minimumVersion?: string; }; /** * Defines the dynamic link domain to use for the current link if it is to be * opened using Firebase Dynamic Links, as multiple dynamic link domains can be * configured per project. This field provides the ability to explicitly choose * configured per project. This fields provides the ability explicitly choose * one. If none is provided, the oldest domain is used by default. */ dynamicLinkDomain?: string; } /** * Interface representing a tenant configuration. * * Multi-tenancy support requires Google Cloud's Identity Platform * (GCIP). To learn more about GCIP, including pricing and features, * see the [GCIP documentation](https://cloud.google.com/identity-platform) * * Before multi-tenancy can be used on a Google Cloud Identity Platform project, * tenants must be allowed on that project via the Cloud Console UI. * * A tenant configuration provides information such as the display name, tenant * identifier and email authentication configuration. * For OIDC/SAML provider configuration management, `TenantAwareAuth` instances should * be used instead of a `Tenant` to retrieve the list of configured IdPs on a tenant. * When configuring these providers, note that tenants will inherit * whitelisted domains and authenticated redirect URIs of their parent project. * * All other settings of a tenant will also be inherited. These will need to be managed * from the Cloud Console UI. */ interface Tenant { /** * The tenant identifier. */ tenantId: string; /** * The tenant display name. */ displayName?: string; /** * The email sign in provider configuration. */ emailSignInConfig?: { /** * Whether email provider is enabled. */ enabled: boolean; /** * Whether password is required for email sign-in. When not required, * email sign-in can be performed with password or via email link sign-in. */ passwordRequired?: boolean; }; /** * Whether the anonymous provider is enabled. */ anonymousSignInEnabled: boolean; /** * The multi-factor auth configuration on the current tenant. */ multiFactorConfig?: MultiFactorConfig; /** * The map containing the test phone number / code pairs for the tenant. */ testPhoneNumbers?: { [phoneNumber: string]: string; }; /** * @return A JSON-serializable representation of this object. */ toJSON(): object; } /** * Identifies a second factor type. */ type AuthFactorType = 'phone'; /** * Identifies a multi-factor configuration state. */ type MultiFactorConfigState = 'ENABLED' | 'DISABLED'; /** * Interface representing a multi-factor configuration. * This can be used to define whether multi-factor authentication is enabled * or disabled and the list of second factor challenges that are supported. */ interface MultiFactorConfig { /** * The multi-factor config state. */ state: MultiFactorConfigState; /** * The list of identifiers for enabled second factors. * Currently only ‘phone’ is supported. */ factorIds?: AuthFactorType[]; } /** * The email sign in configuration. */ interface EmailSignInProviderConfig { /** * Whether email provider is enabled. */ enabled: boolean; /** * Whether password is required for email sign-in. When not required, * email sign-in can be performed with password or via email link sign-in. */ passwordRequired?: boolean; } /** * Interface representing the properties to update on the provided tenant. */ interface UpdateTenantRequest { /** * The tenant display name. */ displayName?: string; /** * The email sign in configuration. */ emailSignInConfig?: EmailSignInProviderConfig; /** * Whether the anonymous provider is enabled. */ anonymousSignInEnabled?: boolean; /** * The multi-factor auth configuration to update on the tenant. */ multiFactorConfig?: MultiFactorConfig; /** * The updated map containing the test phone number / code pairs for the tenant. * Passing null clears the previously save phone number / code pairs. */ testPhoneNumbers?: { [phoneNumber: string]: string; } | null; } /** * Interface representing the properties to set on a new tenant. */ type CreateTenantRequest = UpdateTenantRequest; /** * Interface representing the object returned from a * {@link auth.TenantManager.listTenants `listTenants()`} * operation. * Contains the list of tenants for the current batch and the next page token if available. */ interface ListTenantsResult { /** * The list of {@link auth.Tenant `Tenant`} objects for the downloaded batch. */ tenants: Tenant[]; /** * The next page token if available. This is needed for the next batch download. */ pageToken?: string; } /** * The filter interface used for listing provider configurations. This is used * when specifying how to list configured identity providers via * {@link auth.Auth.listProviderConfigs `listProviderConfigs()`}. */ interface AuthProviderConfigFilter { /** * The Auth provider configuration filter. This can be either `saml` or `oidc`. * The former is used to look up SAML providers only, while the latter is used * for OIDC providers. */ type: 'saml' | 'oidc'; /** * The maximum number of results to return per page. The default and maximum is * 100. */ maxResults?: number; /** * The next page token. When not specified, the lookup starts from the beginning * of the list. */ pageToken?: string; } /** * The base Auth provider configuration interface. */ interface BaseAuthProviderConfig { /** * The provider ID defined by the developer. * For a SAML provider, this is always prefixed by `saml.`. * For an OIDC provider, this is always prefixed by `oidc.`. */ providerId: string; /** * The user-friendly display name to the current configuration. This name is * also used as the provider label in the Cloud Console. */ displayName?: string; /** * Whether the provider configuration is enabled or disabled. A user * cannot sign in using a disabled provider. */ enabled: boolean; } /** * The * [SAML](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html) * Auth provider configuration interface. A SAML provider can be created via * {@link auth.Auth.createProviderConfig `createProviderConfig()`}. */ interface SAMLAuthProviderConfig extends BaseAuthProviderConfig { /** * The SAML IdP entity identifier. */ idpEntityId: string; /** * The SAML IdP SSO URL. This must be a valid URL. */ ssoURL: string; /** * The list of SAML IdP X.509 certificates issued by CA for this provider. * Multiple certificates are accepted to prevent outages during * IdP key rotation (for example ADFS rotates every 10 days). When the Auth * server receives a SAML response, it will match the SAML response with the * certificate on record. Otherwise the response is rejected. * Developers are expected to manage the certificate updates as keys are * rotated. */ x509Certificates: string[]; /** * The SAML relying party (service provider) entity ID. * This is defined by the developer but needs to be provided to the SAML IdP. */ rpEntityId: string; /** * This is fixed and must always be the same as the OAuth redirect URL * provisioned by Firebase Auth, * `https://project-id.firebaseapp.com/__/auth/handler` unless a custom * `authDomain` is used. * The callback URL should also be provided to the SAML IdP during * configuration. */ callbackURL?: string; } /** * The interface representing OIDC provider's response object for OAuth * authorization flow. * One of the following settings is required: * <ul> * <li>Set <code>code</code> to <code>true</code> for the code flow.</li> * <li>Set <code>idToken</code> to <code>true</code> for the ID token flow.</li> * </ul> */ interface OAuthResponseType { /** * Whether ID token is returned from IdP's authorization endpoint. */ idToken?: boolean; /** * Whether authorization code is returned from IdP's authorization endpoint. */ code?: boolean; } /** * The [OIDC](https://openid.net/specs/openid-connect-core-1_0-final.html) Auth * provider configuration interface. An OIDC provider can be created via * {@link auth.Auth.createProviderConfig `createProviderConfig()`}. */ interface OIDCAuthProviderConfig extends BaseAuthProviderConfig { /** * This is the required client ID used to confirm the audience of an OIDC * provider's * [ID token](https://openid.net/specs/openid-connect-core-1_0-final.html#IDToken). */ clientId: string; /** * This is the required provider issuer used to match the provider issuer of * the ID token and to determine the corresponding OIDC discovery document, eg. * [`/.well-known/openid-configuration`](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig). * This is needed for the following: * <ul> * <li>To verify the provided issuer.</li> * <li>Determine the authentication/authorization endpoint during the OAuth * `id_token` authentication flow.</li> * <li>To retrieve the public signing keys via `jwks_uri` to verify the OIDC * provider's ID token's signature.</li> * <li>To determine the claims_supported to construct the user attributes to be * returned in the additional user info response.</li> * </ul> * ID token validation will be performed as defined in the * [spec](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation). */ issuer: string; /** * The OIDC provider's client secret to enable OIDC code flow. */ clientSecret?: string; /** * The OIDC provider's response object for OAuth authorization flow. */ responseType?: OAuthResponseType; } /** * The Auth provider configuration type. * {@link auth.Auth.createProviderConfig `createProviderConfig()`}. */ type AuthProviderConfig = SAMLAuthProviderConfig | OIDCAuthProviderConfig; /** * The request interface for updating a SAML Auth provider. This is used * when updating a SAML provider's configuration via * {@link auth.Auth.updateProviderConfig `updateProviderConfig()`}. */ interface SAMLUpdateAuthProviderRequest { /** * The SAML provider's updated display name. If not provided, the existing * configuration's value is not modified. */ displayName?: string; /** * Whether the SAML provider is enabled or not. If not provided, the existing * configuration's setting is not modified. */ enabled?: boolean; /** * The SAML provider's updated IdP entity ID. If not provided, the existing * configuration's value is not modified. */ idpEntityId?: string; /** * The SAML provider's updated SSO URL. If not provided, the existing * configuration's value is not modified. */ ssoURL?: string; /** * The SAML provider's updated list of X.509 certificated. If not provided, the * existing configuration list is not modified. */ x509Certificates?: string[]; /** * The SAML provider's updated RP entity ID. If not provided, the existing * configuration's value is not modified. */ rpEntityId?: string; /** * The SAML provider's callback URL. If not provided, the existing * configuration's value is not modified. */ callbackURL?: string; } /** * The request interface for updating an OIDC Auth provider. This is used * when updating an OIDC provider's configuration via * {@link auth.Auth.updateProviderConfig `updateProviderConfig()`}. */ interface OIDCUpdateAuthProviderRequest { /** * The OIDC provider's updated display name. If not provided, the existing * configuration's value is not modified. */ displayName?: string; /** * Whether the OIDC provider is enabled or not. If not provided, the existing * configuration's setting is not modified. */ enabled?: boolean; /** * The OIDC provider's updated client ID. If not provided, the existing * configuration's value is not modified. */ clientId?: string; /** * The OIDC provider's updated issuer. If not provided, the existing * configuration's value is not modified. */ issuer?: string; /** * The OIDC provider's client secret to enable OIDC code flow. * If not provided, the existing configuration's value is not modified. */ clientSecret?: string; /** * The OIDC provider's response object for OAuth authorization flow. */ responseType?: OAuthResponseType; } /** * The response interface for listing provider configs. This is only available * when listing all identity providers' configurations via * {@link auth.Auth.listProviderConfigs `listProviderConfigs()`}. */ interface ListProviderConfigResults { /** * The list of providers for the specified type in the current page. */ providerConfigs: AuthProviderConfig[]; /** * The next page token, if available. */ pageToken?: string; } type UpdateAuthProviderRequest = SAMLUpdateAuthProviderRequest | OIDCUpdateAuthProviderRequest; /** * Used for looking up an account by uid. * * See auth.getUsers() */ interface UidIdentifier { uid: string; } /** * Used for looking up an account by email. * * See auth.getUsers() */ interface EmailIdentifier { email: string; } /** * Used for looking up an account by phone number. * * See auth.getUsers() */ interface PhoneIdentifier { phoneNumber: string; } /** * Used for looking up an account by federated provider. * * See auth.getUsers() */ interface ProviderIdentifier { providerId: string; providerUid: string; } /** * Identifies a user to be looked up. */ type UserIdentifier = UidIdentifier | EmailIdentifier | PhoneIdentifier | ProviderIdentifier; interface BaseAuth { /** * Creates a new Firebase custom token (JWT) that can be sent back to a client * device to use to sign in with the client SDKs' `signInWithCustomToken()` * methods. (Tenant-aware instances will also embed the tenant ID in the * token.) * * See [Create Custom Tokens](/docs/auth/admin/create-custom-tokens) for code * samples and detailed documentation. * * @param uid The `uid` to use as the custom token's subject. * @param developerClaims Optional additional claims to include * in the custom token's payload. * * @return A promise fulfilled with a custom token for the * provided `uid` and payload. */ createCustomToken(uid: string, developerClaims?: object): Promise<string>; /** * Creates a new user. * * See [Create a user](/docs/auth/admin/manage-users#create_a_user) for code * samples and detailed documentation. * * @param properties The properties to set on the * new user record to be created. * * @return A promise fulfilled with the user * data corresponding to the newly created user. */ createUser(properties: CreateRequest): Promise<UserRecord>; /** * Deletes an existing user. * * See [Delete a user](/docs/auth/admin/manage-users#delete_a_user) for code * samples and detailed documentation. * * @param uid The `uid` corresponding to the user to delete. * * @return An empty promise fulfilled once the user has been * deleted. */ deleteUser(uid: string): Promise<void>; /** * Deletes the users specified by the given uids. * * Deleting a non-existing user won't generate an error (i.e. this method * is idempotent.) Non-existing users are considered to be successfully * deleted, and are therefore counted in the * `DeleteUsersResult.successCount` value. * * Only a maximum of 1000 identifiers may be supplied. If more than 1000 * identifiers are supplied, this method throws a FirebaseAuthError. * * This API is currently rate limited at the server to 1 QPS. If you exceed * this, you may get a quota exceeded error. Therefore, if you want to * delete more than 1000 users, you may need to add a delay to ensure you * don't go over this limit. * * @param uids The `uids` corresponding to the users to delete. * * @return A Promise that resolves to the total number of successful/failed * deletions, as well as the array of errors that corresponds to the * failed deletions. */ deleteUsers(uids: string[]): Promise<DeleteUsersResult>; /** * Gets the user data for the user corresponding to a given `uid`. * * See [Retrieve user data](/docs/auth/admin/manage-users#retrieve_user_data) * for code samples and detailed documentation. * * @param uid The `uid` corresponding to the user whose data to fetch. * * @return A promise fulfilled with the user * data corresponding to the provided `uid`. */ getUser(uid: string): Promise<UserRecord>; /** * Gets the user data for the user corresponding to a given email. * * See [Retrieve user data](/docs/auth/admin/manage-users#retrieve_user_data) * for code samples and detailed documentation. * * @param email The email corresponding to the user whose data to * fetch. * * @return A promise fulfilled with the user * data corresponding to the provided email. */ getUserByEmail(email: string): Promise<UserRecord>; /** * Gets the user data for the user corresponding to a given phone number. The * phone number has to conform to the E.164 specification. * * See [Retrieve user data](/docs/auth/admin/manage-users#retrieve_user_data) * for code samples and detailed documentation. * * @param phoneNumber The phone number corresponding to the user whose * data to fetch. * * @return A promise fulfilled with the user * data corresponding to the provided phone number. */ getUserByPhoneNumber(phoneNumber: string): Promise<UserRecord>; /** * Gets the user data for the user corresponding to a given provider ID. * * See [Retrieve user data](/docs/auth/admin/manage-users#retrieve_user_data) * for code samples and detailed documentation. * * @param providerId The provider ID, for example, "google.com" for the * Google provider. * @param uid The user identifier for the given provider. * * @return A promise fulfilled with the user data corresponding to the * given provider id. */ getUserByProviderUid(providerId: string, uid: string): Promise<UserRecord>; /** * Gets the user data corresponding to the specified identifiers. * * There are no ordering guarantees; in particular, the nth entry in the result list is not * guaranteed to correspond to the nth entry in the input parameters list. * * Only a maximum of 100 identifiers may be supplied. If more than 100 identifiers are supplied, * this method throws a FirebaseAuthError. * * @param identifiers The identifiers used to indicate which user records should be returned. * Must have <= 100 entries. * @return {Promise<GetUsersResult>} A promise that resolves to the corresponding user records. * @throws FirebaseAuthError If any of the identifiers are invalid or if more than 100 * identifiers are specified. */ getUsers(identifiers: UserIdentifier[]): Promise<GetUsersResult>; /** * Retrieves a list of users (single batch only) with a size of `maxResults` * starting from the offset as specified by `pageToken`. This is used to * retrieve all the users of a specified project in batches. * * See [List all users](/docs/auth/admin/manage-users#list_all_users) * for code samples and detailed documentation. * * @param maxResults The page size, 1000 if undefined. This is also * the maximum allowed limit. * @param pageToken The next page token. If not specified, returns * users starting without any offset. * @return A promise that resolves with * the current batch of downloaded users and the next page token. */ listUsers(maxResults?: number, pageToken?: string): Promise<ListUsersResult>; /** * Updates an existing user. * * See [Update a user](/docs/auth/admin/manage-users#update_a_user) for code * samples and detailed documentation. * * @param uid The `uid` corresponding to the user to update. * @param properties The properties to update on * the provided user. * * @return A promise fulfilled with the * updated user data. */ updateUser(uid: string, properties: UpdateRequest): Promise<UserRecord>; /** * Verifies a JWT auth token. Returns a promise with the token‘s claims. * Rejects the promise if the token cannot be verified. * If `checkRevoked` is set to true, first verifies whether the corresponding * user is disabled. * If yes, an `auth/user-disabled` error is thrown. * If no, verifies if the session corresponding to the ID token was revoked. * If the corresponding user's session was invalidated, an * `auth/id-token-revoked` error is thrown. * If not specified the check is not applied. * * See [Verify ID Tokens](/docs/auth/admin/verify-id-tokens) for code samples * and detailed documentation. * * @param idToken The ID token to verify. * @param checkRevoked Whether to check if the ID token was revoked. * This requires an extra request to the Firebase Auth backend to check * the `tokensValidAfterTime` time for the corresponding user. * When not specified, this additional check is not applied. * * @return A promise fulfilled with the * token's decoded claims if the ID token is valid; otherwise, a rejected * promise. */ verifyIdToken(idToken: string, checkRevoked?: boolean): Promise<DecodedIdToken>; /** * Sets additional developer claims on an existing user identified by the * provided `uid`, typically used to define user roles and levels of * access. These claims should propagate to all devices where the user is * already signed in (after token expiration or when token refresh is forced) * and the next time the user signs in. If a reserved OIDC claim name * is used (sub, iat, iss, etc), an error is thrown. They are set on the * authenticated user's ID token JWT. * * See * [Defining user roles and access levels](/docs/auth/admin/custom-claims) * for code samples and detailed documentation. * * @param uid The `uid` of the user to edit. * @param customUserClaims The developer claims to set. If null is * passed, existing custom claims are deleted. Passing a custom claims payload * larger than 1000 bytes will throw an error. Custom claims are added to the * user's ID token which is transmitted on every authenticated request. * For profile non-access related user attributes, use database or other * separate storage systems. * @return A promise that resolves when the operation completes * successfully. */ setCustomUserClaims(uid: string, customUserClaims: object | null): Promise<void>; /** * Revokes all refresh tokens for an existing user. * * This API will update the user's * {@link auth.UserRecord.tokensValidAfterTime `tokensValidAfterTime`} to * the current UTC. It is important that the server on which this is called has * its clock set correctly and synchronized. * * While this will revoke all sessions for a specified user and disable any * new ID tokens for existing sessions from getting minted, existing ID tokens * may remain active until their natural expiration (one hour). To verify that * ID tokens are revoked, use * {@link auth.Auth.verifyIdToken `verifyIdToken(idToken, true)`} * where `checkRevoked` is set to true. * * @param uid The `uid` corresponding to the user whose refresh tokens * are to be revoked. * * @return An empty promise fulfilled once the user's refresh * tokens have been revoked. */ revokeRefreshTokens(uid: string): Promise<void>; /** * Imports the provided list of users into Firebase Auth. * A maximum of 1000 users are allowed to be imported one at a time. * When importing users with passwords, * {@link auth.UserImportOptions `UserImportOptions`} are required to be * specified. * This operation is optimized for bulk imports and will ignore checks on `uid`, * `email` and other identifier uniqueness which could result in duplications. * * @param users The list of user records to import to Firebase Auth. * @param options The user import options, required when the users provided include * password credentials. * @return A promise that resolves when * the operation completes with the result of the import. This includes the * number of successful imports, the number of failed imports and their * corresponding errors. */ importUsers(users: UserImportRecord[], options?: UserImportOptions): Promise<UserImportResult>; /** * Creates a new Firebase session cookie with the specified options. The created * JWT string can be set as a server-side session cookie with a custom cookie * policy, and be used for session management. The session cookie JWT will have * the same payload claims as the provided ID token. * * See [Manage Session Cookies](/docs/auth/admin/manage-cookies) for code * samples and detailed documentation. * * @param idToken The Firebase ID token to exchange for a session * cookie. * @param sessionCookieOptions The session * cookie options which includes custom session duration. * * @return A promise that resolves on success with the * created session cookie. */ createSessionCookie(idToken: string, sessionCookieOptions: SessionCookieOptions): Promise<string>; /** * Verifies a Firebase session cookie. Returns a promise with the token’s claims. * Rejects the promise if the cookie could not be verified. * If `checkRevoked` is set to true, first verifies whether the corresponding * user is disabled: * If yes, an `auth/user-disabled` error is thrown. * If no, verifies if the session corresponding to the session cookie was * revoked. * If the corresponding user's session was invalidated, an * `auth/session-cookie-revoked` error is thrown. * If not specified the check is not performed. * * See [Verify Session Cookies](/docs/auth/admin/manage-cookies#verify_session_cookie_and_check_permissions) * for code samples and detailed documentation * * @param sessionCookie The session cookie to verify. * @param checkRevoked Whether to check if the session cookie was * revoked. This requires an extra request to the Firebase Auth backend to * check the `tokensValidAfterTime` time for the corresponding user. * When not specified, this additional check is not performed. * * @return A promise fulfilled with the * session cookie's decoded claims if the session cookie is valid; otherwise, * a rejected promise. */ verifySessionCookie(sessionCookie: string, checkRevoked?: boolean): Promise<DecodedIdToken>; /** * Generates the out of band email action link to reset a user's password. * The link is generated for the user with the specified email address. The * optional {@link auth.ActionCodeSettings `ActionCodeSettings`} object * defines whether the link is to be handled by a mobile app or browser and the * additional state information to be passed in the deep link, etc. * * @example * ```javascript * var actionCodeSettings = { * url: 'https://www.example.com/?email=user@example.com', * iOS: { * bundleId: 'com.example.ios' * }, * android: { * packageName: 'com.example.android', * installApp: true, * minimumVersion: '12' * }, * handleCodeInApp: true, * dynamicLinkDomain: 'custom.page.link' * }; * admin.auth() * .generatePasswordResetLink('user@example.com', actionCodeSettings) * .then(function(link) { * // The link was successfully generated. * }) * .catch(function(error) { * // Some error occurred, you can inspect the code: error.code * }); * ``` * * @param email The email address of the user whose password is to be * reset. * @param actionCodeSettings The action * code settings. If specified, the state/continue URL is set as the * "continueUrl" parameter in the password reset link. The default password * reset landing page will use this to display a link to go back to the app * if it is installed. * If the actionCodeSettings is not specified, no URL is appended to the * action URL. * The state URL provided must belong to a domain that is whitelisted by the * developer in the console. Otherwise an error is thrown. * Mobile app redirects are only applicable if the developer configures * and accepts the Firebase Dynamic Links terms of service. * The Android package name and iOS bundle ID are respected only if they * are configured in the same Firebase Auth project. * @return A promise that resolves with the generated link. */ generatePasswordResetLink(email: string, actionCodeSettings?: ActionCodeSettings): Promise<string>; /** * Generates the out of band email action link to verify the user's ownership * of the specified email. The * {@link auth.ActionCodeSettings `ActionCodeSettings`} object provided * as an argument to this method defines whether the link is to be handled by a * mobile app or browser along with additional state information to be passed in * the deep link, etc. * * @example * ```javascript * var actionCodeSettings = { * url: 'https://www.example.com/cart?email=user@example.com&cartId=123', * iOS: { * bundleId: 'com.example.ios' * }, * android: { * packageName: 'com.example.android', * installApp: true, * minimumVersion: '12' * }, * handleCodeInApp: true, * dynamicLinkDomain: 'custom.page.link' * }; * admin.auth() * .generateEmailVerificationLink('user@example.com', actionCodeSettings) * .then(function(link) { * // The link was successfully generated. * }) * .catch(function(error) { * // Some error occurred, you can inspect the code: error.code * }); * ``` * * @param email The email account to verify. * @param actionCodeSettings The action * code settings. If specified, the state/continue URL is set as the * "continueUrl" parameter in the email verification link. The default email * verification landing page will use this to display a link to go back to * the app if it is installed. * If the actionCodeSettings is not specified, no URL is appended to the * action URL. * The state URL provided must belong to a domain that is whitelisted by the * developer in the console. Otherwise an error is thrown. * Mobile app redirects are only applicable if the developer configures * and accepts the Firebase Dynamic Links terms of service. * The Android package name and iOS bundle ID are respected only if they * are configured in the same Firebase Auth project. * @return A promise that resolves with the generated link. */ generateEmailVerificationLink(email: string, actionCodeSettings?: ActionCodeSettings): Promise<string>; /** * Generates the out of band email action link to sign in or sign up the owner * of the specified email. The * {@link auth.ActionCodeSettings `ActionCodeSettings`} object provided * as an argument to this method defines whether the link is to be handled by a * mobile app or browser along with additional state information to be passed in * the deep link, etc. * * @example * ```javascript * var actionCodeSettings = { * // The URL to redirect to for sign-in completion. This is also the deep * // link for mobile redirects. The domain (www.example.com) for this URL * // must be whitelisted in the Firebase Console. * url: 'https://www.example.com/finishSignUp?cartId=1234', * iOS: { * bundleId: 'com.example.ios' * }, * android: { * packageName: 'com.example.android', * installApp: true, * minimumVersion: '12' * }, * // This must be true. * handleCodeInApp: true, * dynamicLinkDomain: 'custom.page.link' * }; * admin.auth() * .generateSignInWithEmailLink('user@example.com', actionCodeSettings) * .then(function(link) { * // The link was successfully generated. * }) * .catch(function(error) { * // Some error occurred, you can inspect the code: error.code * }); * ``` * * @param email The email account to sign in with. * @param actionCodeSettings The action * code settings. These settings provide Firebase with instructions on how * to construct the email link. This includes the sign in completion URL or * the deep link for redirects and the mobile apps to use when the * sign-in link is opened on an Android or iOS device. * Mobile app redirects are only applicable if the developer configures * and accepts the Firebase Dynamic Links terms of service. * The Android package name and iOS bundle ID are respected only if they * are configured in the same Firebase Auth project. * @return A promise that resolves with the generated link. */ generateSignInWithEmailLink(email: string, actionCodeSettings: ActionCodeSettings): Promise<string>; /** * Returns the list of existing provider configurations matching the filter * provided. At most, 100 provider configs can be listed at a time. * * SAML and OIDC provider support requires Google Cloud's Identity Platform * (GCIP). To learn more about GCIP, including pricing and features, * see the [GCIP documentation](https://cloud.google.com/identity-platform). * * @param options The provider config filter to apply. * @return A promise that resolves with the list of provider configs meeting the * filter requirements. */ listProviderConfigs(options: AuthProviderConfigFilter): Promise<ListProviderConfigResults>; /** * Looks up an Auth provider configuration by the provided ID. * Returns a promise that resolves with the provider configuration * corresponding to the provider ID specified. If the specified ID does not * exist, an `auth/configuration-not-found` error is thrown. * * SAML and OIDC provider support requires Google Cloud's Identity Platform * (GCIP). To learn more about GCIP, including pricing and features, * see the [GCIP documentation](https://cloud.google.com/identity-platform). * * @param providerId The provider ID corresponding to the provider * config to return. * @return A promise that resolves * with the configuration corresponding to the provided ID. */ getProviderConfig(providerId: string): Promise<AuthProviderConfig>; /** * Deletes the provider configuration corresponding to the provider ID passed. * If the specified ID does not exist, an `auth/configuration-not-found` error * is thrown. * * SAML and OIDC provider support requires Google Cloud's Identity Platform * (GCIP). To learn more about GCIP, including pricing and features, * see the [GCIP documentation](https://cloud.google.com/identity-platform). * * @param providerId The provider ID corresponding to the provider * config to delete. * @return A promise that resolves on completion. */ deleteProviderConfig(providerId: string): Promise<void>; /** * Returns a promise that resolves with the updated `AuthProviderConfig` * corresponding to the provider ID specified. * If the specified ID does not exist, an `auth/configuration-not-found` error * is thrown. * * SAML and OIDC provider support requires Google Cloud's Identity Platform * (GCIP). To learn more about GCIP, including pricing and features, * see the [GCIP documentation](https://cloud.google.com/identity-platform). * * @param providerId The provider ID corresponding to the provider * config to update. * @param updatedConfig The updated configuration. * @return A promise that resolves with the updated provider configuration. */ updateProviderConfig(providerId: string, updatedConfig: UpdateAuthProviderRequest): Promise<AuthProviderConfig>; /** * Returns a promise that resolves with the newly created `AuthProviderConfig` * when the new provider configuration is created. * * SAML and OIDC provider support requires Google Cloud's Identity Platform * (GCIP). To learn more about GCIP, including pricing and features, * see the [GCIP documentation](https://cloud.google.com/identity-platform). * * @param config The provider configuration to create. * @return A promise that resolves with the created provider configuration. */ createProviderConfig(config: AuthProviderConfig): Promise<AuthProviderConfig>; } /** * Tenant-aware `Auth` interface used for managing users, configuring SAML/OIDC providers, * generating email links for password reset, email verification, etc for specific tenants. * * Multi-tenancy support requires Google Cloud's Identity Platform * (GCIP). To learn more about GCIP, including pricing and features, * see the [GCIP documentation](https://cloud.google.com/identity-platform) * * Each tenant contains its own identity providers, settings and sets of users. * Using `TenantAwareAuth`, users for a specific tenant and corresponding OIDC/SAML * configurations can also be managed, ID tokens for users signed in to a specific tenant * can be verified, and email action links can also be generated for users belonging to the * tenant. * * `TenantAwareAuth` instances for a specific `tenantId` can be instantiated by calling * `auth.tenantManager().authForTenant(tenantId)`. */ interface TenantAwareAuth extends BaseAuth { /** * The tenant identifier corresponding to this `TenantAwareAuth` instance. * All calls to the user management APIs, OIDC/SAML provider management APIs, email link * generation APIs, etc will only be applied within the scope of this tenant. */ tenantId: string; } interface Auth extends BaseAuth { app: app.App; /** * @return The tenant manager instance associated with the current project. */ tenantManager(): TenantManager; } /** * Defines the tenant manager used to help manage tenant related operations. * This includes: * <ul> * <li>The ability to create, update, list, get and delete tenants for the underlying * project.</li> * <li>Getting a `TenantAwareAuth` instance for running Auth related operations * (user management, provider configuration management, token verification, * email link generation, etc) in the context of a specified tenant.</li> * </ul> */ interface TenantManager { /** * @param tenantId The tenant ID whose `TenantAwareAuth` instance is to be returned. * * @return The `TenantAwareAuth` instance corresponding to this tenant identifier. */ authForTenant(tenantId: string): TenantAwareAuth; /** * Gets the tenant configuration for the tenant corresponding to a given `tenantId`. * * @param tenantId The tenant identifier corresponding to the tenant whose data to fetch. * * @return A promise fulfilled with the tenant configuration to the provided `tenantId`. */ getTenant(tenantId: string): Promise<Tenant>; /** * Retrieves a list of tenants (single batch only) with a size of `maxResults` * starting from the offset as specified by `pageToken`. This is used to * retrieve all the tenants of a specified project in batches. * * @param maxResults The page size, 1000 if undefined. This is also * the maximum allowed limit. * @param pageToken The next page token. If not specified, returns * tenants starting without any offset. * * @return A promise that resolves with * a batch of downloaded tenants and the next page token. */ listTenants(maxResults?: number, pageToken?: string): Promise<ListTenantsResult>; /** * Deletes an existing tenant. * * @param tenantId The `tenantId` corresponding to the tenant to delete. * * @return An empty promise fulfilled once the tenant has been deleted. */ deleteTenant(tenantId: string): Promise<void>; /** * Creates a new tenant. * When creating new tenants, tenants that use separate billing and quota will require their * own project and must be defined as `full_service`. * * @param tenantOptions The properties to set on the new tenant configuration to be created. * * @return A promise fulfilled with the tenant configuration corresponding to the newly * created tenant. */ createTenant(tenantOptions: CreateTenantRequest): Promise<Tenant>; /** * Updates an existing tenant configuration. * * @param tenantId The `tenantId` corresponding to the tenant to delete. * @param tenantOptions The properties to update on the provided tenant. * * @return A promise fulfilled with the update tenant data. */ updateTenant(tenantId: string, tenantOptions: UpdateTenantRequest): Promise<Tenant>; } }
Back to File Manager