Implement password policy caching in auth object

* Add PasswordPolicy and PasswordValidationStatus public types

* Add public types to docs and implement AuthInternal password policy cache

* Add schema version mismatch error and tests

* Update error code in fetch test and add TODO for schema version handling

Author: ch5zzy

common/api-review/auth.api.md

@@ -562,6 +562,31 @@ export interface ParsedToken {
     'sub'?: string;
 }
 
+// @public
+export interface PasswordPolicy {
+    readonly allowedNonAlphanumericCharacters: string[];
+    readonly customStrengthOptions: {
+        readonly minPasswordLength?: number;
+        readonly maxPasswordLength?: number;
+        readonly containsLowercaseLetter?: boolean;
+        readonly containsUppercaseLetter?: boolean;
+        readonly containsNumericCharacter?: boolean;
+        readonly containsNonAlphanumericCharacter?: boolean;
+    };
+}
+
+// @public
+export interface PasswordValidationStatus {
+    readonly containsLowercaseLetter?: boolean;
+    readonly containsNonAlphanumericCharacter?: boolean;
+    readonly containsNumericCharacter?: boolean;
+    readonly containsUppercaseLetter?: boolean;
+    readonly isValid: boolean;
+    readonly meetsMaxPasswordLength?: boolean;
+    readonly meetsMinPasswordLength?: boolean;
+    readonly passwordPolicy: PasswordPolicy;
+}
+
 // @public
 export interface Persistence {
     readonly type: 'SESSION' | 'LOCAL' | 'NONE';

docs-devsite/auth.md

@@ -124,6 +124,8 @@ Firebase Authentication
 |  [MultiFactorUser](./auth.multifactoruser.md#multifactoruser_interface) | An interface that defines the multi-factor related properties and operations pertaining to a [User](./auth.user.md#user_interface)<!-- -->. |
 |  [OAuthCredentialOptions](./auth.oauthcredentialoptions.md#oauthcredentialoptions_interface) | Defines the options for initializing an [OAuthCredential](./auth.oauthcredential.md#oauthcredential_class)<!-- -->. |
 |  [ParsedToken](./auth.parsedtoken.md#parsedtoken_interface) | Interface representing a parsed ID token. |
+|  [PasswordPolicy](./auth.passwordpolicy.md#passwordpolicy_interface) | A structure specifying password policy requirements. |
+|  [PasswordValidationStatus](./auth.passwordvalidationstatus.md#passwordvalidationstatus_interface) | A structure indicating which password policy requirements were met or violated and what the requirements are. |
 |  [Persistence](./auth.persistence.md#persistence_interface) | An interface covering the possible persistence mechanism types. |
 |  [PhoneMultiFactorAssertion](./auth.phonemultifactorassertion.md#phonemultifactorassertion_interface) | The class for asserting ownership of a phone second factor. Provided by [PhoneMultiFactorGenerator.assertion()](./auth.phonemultifactorgenerator.md#phonemultifactorgeneratorassertion)<!-- -->. |
 |  [PhoneMultiFactorEnrollInfoOptions](./auth.phonemultifactorenrollinfooptions.md#phonemultifactorenrollinfooptions_interface) | Options used for enrolling a second factor. |

docs-devsite/auth.passwordpolicy.md

@@ -0,0 +1,53 @@
+Project: /docs/reference/js/_project.yaml
+Book: /docs/reference/_book.yaml
+page_type: reference
+
+{% comment %}
+DO NOT EDIT THIS FILE!
+This is generated by the JS SDK team, and any local changes will be
+overwritten. Changes should be made in the source code at
+https://github.com/firebase/firebase-js-sdk
+{% endcomment %}
+
+# PasswordPolicy interface
+A structure specifying password policy requirements.
+
+<b>Signature:</b>
+
+```typescript
+export interface PasswordPolicy 
+```
+
+## Properties
+
+|  Property | Type | Description |
+|  --- | --- | --- |
+|  [allowedNonAlphanumericCharacters](./auth.passwordpolicy.md#passwordpolicyallowednonalphanumericcharacters) | string\[\] | List of characters that are considered non-alphanumeric during validation. |
+|  [customStrengthOptions](./auth.passwordpolicy.md#passwordpolicycustomstrengthoptions) | { readonly minPasswordLength?: number; readonly maxPasswordLength?: number; readonly containsLowercaseLetter?: boolean; readonly containsUppercaseLetter?: boolean; readonly containsNumericCharacter?: boolean; readonly containsNonAlphanumericCharacter?: boolean; } | Requirements enforced by this password policy. |
+
+## PasswordPolicy.allowedNonAlphanumericCharacters
+
+List of characters that are considered non-alphanumeric during validation.
+
+<b>Signature:</b>
+
+```typescript
+readonly allowedNonAlphanumericCharacters: string[];
+```
+
+## PasswordPolicy.customStrengthOptions
+
+Requirements enforced by this password policy.
+
+<b>Signature:</b>
+
+```typescript
+readonly customStrengthOptions: {
+        readonly minPasswordLength?: number;
+        readonly maxPasswordLength?: number;
+        readonly containsLowercaseLetter?: boolean;
+        readonly containsUppercaseLetter?: boolean;
+        readonly containsNumericCharacter?: boolean;
+        readonly containsNonAlphanumericCharacter?: boolean;
+    };
+```

docs-devsite/auth.passwordvalidationstatus.md

@@ -0,0 +1,112 @@
+Project: /docs/reference/js/_project.yaml
+Book: /docs/reference/_book.yaml
+page_type: reference
+
+{% comment %}
+DO NOT EDIT THIS FILE!
+This is generated by the JS SDK team, and any local changes will be
+overwritten. Changes should be made in the source code at
+https://github.com/firebase/firebase-js-sdk
+{% endcomment %}
+
+# PasswordValidationStatus interface
+A structure indicating which password policy requirements were met or violated and what the requirements are.
+
+<b>Signature:</b>
+
+```typescript
+export interface PasswordValidationStatus 
+```
+
+## Properties
+
+|  Property | Type | Description |
+|  --- | --- | --- |
+|  [containsLowercaseLetter](./auth.passwordvalidationstatus.md#passwordvalidationstatuscontainslowercaseletter) | boolean | Whether the password contains a lowercase letter, if required. |
+|  [containsNonAlphanumericCharacter](./auth.passwordvalidationstatus.md#passwordvalidationstatuscontainsnonalphanumericcharacter) | boolean | Whether the password contains a non-alphanumeric character, if required. |
+|  [containsNumericCharacter](./auth.passwordvalidationstatus.md#passwordvalidationstatuscontainsnumericcharacter) | boolean | Whether the password contains a numeric character, if required. |
+|  [containsUppercaseLetter](./auth.passwordvalidationstatus.md#passwordvalidationstatuscontainsuppercaseletter) | boolean | Whether the password contains an uppercase letter, if required. |
+|  [isValid](./auth.passwordvalidationstatus.md#passwordvalidationstatusisvalid) | boolean | Whether the password meets all requirements. |
+|  [meetsMaxPasswordLength](./auth.passwordvalidationstatus.md#passwordvalidationstatusmeetsmaxpasswordlength) | boolean | Whether the password meets the maximum password length. |
+|  [meetsMinPasswordLength](./auth.passwordvalidationstatus.md#passwordvalidationstatusmeetsminpasswordlength) | boolean | Whether the password meets the minimum password length. |
+|  [passwordPolicy](./auth.passwordvalidationstatus.md#passwordvalidationstatuspasswordpolicy) | [PasswordPolicy](./auth.passwordpolicy.md#passwordpolicy_interface) | The policy used to validate the password. |
+
+## PasswordValidationStatus.containsLowercaseLetter
+
+Whether the password contains a lowercase letter, if required.
+
+<b>Signature:</b>
+
+```typescript
+readonly containsLowercaseLetter?: boolean;
+```
+
+## PasswordValidationStatus.containsNonAlphanumericCharacter
+
+Whether the password contains a non-alphanumeric character, if required.
+
+<b>Signature:</b>
+
+```typescript
+readonly containsNonAlphanumericCharacter?: boolean;
+```
+
+## PasswordValidationStatus.containsNumericCharacter
+
+Whether the password contains a numeric character, if required.
+
+<b>Signature:</b>
+
+```typescript
+readonly containsNumericCharacter?: boolean;
+```
+
+## PasswordValidationStatus.containsUppercaseLetter
+
+Whether the password contains an uppercase letter, if required.
+
+<b>Signature:</b>
+
+```typescript
+readonly containsUppercaseLetter?: boolean;
+```
+
+## PasswordValidationStatus.isValid
+
+Whether the password meets all requirements.
+
+<b>Signature:</b>
+
+```typescript
+readonly isValid: boolean;
+```
+
+## PasswordValidationStatus.meetsMaxPasswordLength
+
+Whether the password meets the maximum password length.
+
+<b>Signature:</b>
+
+```typescript
+readonly meetsMaxPasswordLength?: boolean;
+```
+
+## PasswordValidationStatus.meetsMinPasswordLength
+
+Whether the password meets the minimum password length.
+
+<b>Signature:</b>
+
+```typescript
+readonly meetsMinPasswordLength?: boolean;
+```
+
+## PasswordValidationStatus.passwordPolicy
+
+The policy used to validate the password.
+
+<b>Signature:</b>
+
+```typescript
+readonly passwordPolicy: PasswordPolicy;
+```

packages/auth/src/api/password_policy/get_password_policy.test.ts

@@ -71,10 +71,10 @@ describe('api/password_policy/getPasswordPolicy', () => {
       {
         error: {
           code: 400,
-          message: ServerError.INVALID_PROVIDER_ID,
+          message: ServerError.TOO_MANY_ATTEMPTS_TRY_LATER,
           errors: [
             {
-              message: ServerError.INVALID_PROVIDER_ID
+              message: ServerError.TOO_MANY_ATTEMPTS_TRY_LATER
             }
           ]
         }
@@ -84,7 +84,7 @@ describe('api/password_policy/getPasswordPolicy', () => {
 
     await expect(_getPasswordPolicy(auth)).to.be.rejectedWith(
       FirebaseError,
-      'Firebase: The specified provider ID is invalid. (auth/invalid-provider-id).'
+      'Firebase: We have blocked all requests from this device due to unusual activity. Try again later. (auth/too-many-requests).'
     );
   });
 });

packages/auth/src/core/auth/auth_impl.test.ts

@@ -786,4 +786,119 @@ describe('core/auth/auth_impl', () => {
       expect(auth._getRecaptchaConfig()).to.eql(cachedRecaptchaConfigOFF);
     });
   });
+
+  context('passwordPolicy', () => {
+    const TEST_ALLOWED_NON_ALPHANUMERIC_CHARS = ['!', '(', ')'];
+    const TEST_MIN_PASSWORD_LENGTH = 6;
+
+    const passwordPolicyResponse = {
+      customStrengthOptions: {
+        minPasswordLength: TEST_MIN_PASSWORD_LENGTH
+      },
+      allowedNonAlphanumericCharacters: TEST_ALLOWED_NON_ALPHANUMERIC_CHARS,
+      schemaVersion: 1
+    };
+    const passwordPolicyResponseRequireNumeric = {
+      customStrengthOptions: {
+        minPasswordLength: TEST_MIN_PASSWORD_LENGTH,
+        containsNumericCharacter: true
+      },
+      allowedNonAlphanumericCharacters: TEST_ALLOWED_NON_ALPHANUMERIC_CHARS,
+      schemaVersion: 1
+    };
+    const passwordPolicyResponseUnsupportedVersion = {
+      customStrengthOptions: {
+        maxPasswordLength: TEST_MIN_PASSWORD_LENGTH,
+        unsupportedPasswordPolicyProperty: 10
+      },
+      allowedNonAlphanumericCharacters: TEST_ALLOWED_NON_ALPHANUMERIC_CHARS,
+      schemaVersion: 0
+    };
+    const cachedPasswordPolicy = {
+      customStrengthOptions: {
+        minPasswordLength: TEST_MIN_PASSWORD_LENGTH
+      },
+      allowedNonAlphanumericCharacters: TEST_ALLOWED_NON_ALPHANUMERIC_CHARS
+    };
+    const cachedPasswordPolicyRequireNumeric = {
+      customStrengthOptions: {
+        minPasswordLength: TEST_MIN_PASSWORD_LENGTH,
+        containsNumericCharacter: true
+      },
+      allowedNonAlphanumericCharacters: TEST_ALLOWED_NON_ALPHANUMERIC_CHARS
+    };
+
+    beforeEach(async () => {
+      mockFetch.setUp();
+      mockEndpointWithParams(
+        Endpoint.GET_PASSWORD_POLICY,
+        {},
+        passwordPolicyResponse
+      );
+      mockEndpointWithParams(
+        Endpoint.GET_PASSWORD_POLICY,
+        {
+          tenantId: 'tenant-id'
+        },
+        passwordPolicyResponseRequireNumeric
+      );
+      mockEndpointWithParams(
+        Endpoint.GET_PASSWORD_POLICY,
+        {
+          tenantId: 'tenant-id-with-unsupported-policy-version'
+        },
+        passwordPolicyResponseUnsupportedVersion
+      );
+    });
+
+    afterEach(() => {
+      mockFetch.tearDown();
+    });
+
+    it('password policy should be set for project if tenant ID is null', async () => {
+      auth = await testAuth();
+      auth.tenantId = null;
+      await auth._updatePasswordPolicy();
+
+      expect(auth._getPasswordPolicy()).to.eql(cachedPasswordPolicy);
+    });
+
+    it('password policy should be set for tenant if tenant ID is not null', async () => {
+      auth = await testAuth();
+      auth.tenantId = 'tenant-id';
+      await auth._updatePasswordPolicy();
+
+      expect(auth._getPasswordPolicy()).to.eql(
+        cachedPasswordPolicyRequireNumeric
+      );
+    });
+
+    it('password policy should dynamically switch if tenant ID switches.', async () => {
+      auth = await testAuth();
+      auth.tenantId = null;
+      await auth._updatePasswordPolicy();
+
+      auth.tenantId = 'tenant-id';
+      await auth._updatePasswordPolicy();
+
+      auth.tenantId = null;
+      expect(auth._getPasswordPolicy()).to.eql(cachedPasswordPolicy);
+      auth.tenantId = 'tenant-id';
+      expect(auth._getPasswordPolicy()).to.eql(
+        cachedPasswordPolicyRequireNumeric
+      );
+      auth.tenantId = 'other-tenant-id';
+      expect(auth._getPasswordPolicy()).to.be.undefined;
+    });
+
+    it('password policy should not be set when the schema version is not supported', async () => {
+      auth = await testAuth();
+      auth.tenantId = 'tenant-id-with-unsupported-policy-version';
+      await expect(auth._updatePasswordPolicy()).to.be.rejectedWith(
+        AuthErrorCode.UNSUPPORTED_PASSWORD_POLICY_SCHEMA_VERSION
+      );
+
+      expect(auth._getPasswordPolicy()).to.be.undefined;
+    });
+  });
 });