Merge 99662da into f7cac56

Author: renkelvin

common/api-review/auth.api.md

@@ -227,8 +227,14 @@ export const AuthErrorCodes: {
     readonly WEAK_PASSWORD: "auth/weak-password";
     readonly WEB_STORAGE_UNSUPPORTED: "auth/web-storage-unsupported";
     readonly ALREADY_INITIALIZED: "auth/already-initialized";
-    readonly RECAPTCHA_CHECK_FAILED: "auth/recaptcha-check-failed";
     readonly RECAPTCHA_NOT_ENABLED: "auth/recaptcha-not-enabled";
+    readonly MISSING_RECAPTCHA_TOKEN: "auth/missing-recaptcha-token";
+    readonly INVALID_RECAPTCHA_TOKEN: "auth/invalid-recaptcha-token";
+    readonly INVALID_RECAPTCHA_ACTION: "auth/invalid-recaptcha-action";
+    readonly MISSING_CLIENT_TYPE: "auth/missing-client-type";
+    readonly MISSING_RECAPTCHA_VERSION: "auth/missing-recaptcha-version";
+    readonly INVALID_RECAPTCHA_VERSION: "auth/invalid-recaptcha-version";
+    readonly INVALID_REQ_TYPE: "auth/invalid-req-type";
 };
 
 // @public
@@ -665,11 +671,6 @@ export function reauthenticateWithPopup(user: User, provider: AuthProvider, reso
 // @public
 export function reauthenticateWithRedirect(user: User, provider: AuthProvider, resolver?: PopupRedirectResolver): Promise<never>;
 
-// @public (undocumented)
-export interface RecaptchaConfig {
-    emailPasswordEnabled: boolean;
-}
-
 // @public
 export interface RecaptchaParameters {
     // (undocumented)

docs-devsite/auth.md

@@ -130,7 +130,6 @@ Firebase Authentication
 |  [PhoneSingleFactorInfoOptions](./auth.phonesinglefactorinfooptions.md#phonesinglefactorinfooptions_interface) | Options used for single-factor sign-in. |
 |  [PopupRedirectResolver](./auth.popupredirectresolver.md#popupredirectresolver_interface) | A resolver used for handling DOM specific operations like [signInWithPopup()](./auth.md#signinwithpopup) or [signInWithRedirect()](./auth.md#signinwithredirect)<!-- -->. |
 |  [ReactNativeAsyncStorage](./auth.reactnativeasyncstorage.md#reactnativeasyncstorage_interface) | Interface for a supplied <code>AsyncStorage</code>. |
-|  [RecaptchaConfig](./auth.recaptchaconfig.md#recaptchaconfig_interface) |  |
 |  [RecaptchaParameters](./auth.recaptchaparameters.md#recaptchaparameters_interface) | Interface representing reCAPTCHA parameters.<!-- -->See the \[reCAPTCHA docs\](https://developers.google.com/recaptcha/docs/display\#render\_param) for the list of accepted parameters. All parameters are accepted except for <code>sitekey</code>: Firebase Auth provisions a reCAPTCHA for each project and will configure the site key upon rendering.<!-- -->For an invisible reCAPTCHA, set the <code>size</code> key to <code>invisible</code>. |
 |  [User](./auth.user.md#user_interface) | A user account. |
 |  [UserCredential](./auth.usercredential.md#usercredential_interface) | A structure containing a [User](./auth.user.md#user_interface)<!-- -->, the [OperationType](./auth.md#operationtype)<!-- -->, and the provider ID. |
@@ -1823,8 +1822,14 @@ AUTH_ERROR_CODES_MAP_DO_NOT_USE_INTERNALLY: {
     readonly WEAK_PASSWORD: "auth/weak-password";
     readonly WEB_STORAGE_UNSUPPORTED: "auth/web-storage-unsupported";
     readonly ALREADY_INITIALIZED: "auth/already-initialized";
-    readonly RECAPTCHA_CHECK_FAILED: "auth/recaptcha-check-failed";
     readonly RECAPTCHA_NOT_ENABLED: "auth/recaptcha-not-enabled";
+    readonly MISSING_RECAPTCHA_TOKEN: "auth/missing-recaptcha-token";
+    readonly INVALID_RECAPTCHA_TOKEN: "auth/invalid-recaptcha-token";
+    readonly INVALID_RECAPTCHA_ACTION: "auth/invalid-recaptcha-action";
+    readonly MISSING_CLIENT_TYPE: "auth/missing-client-type";
+    readonly MISSING_RECAPTCHA_VERSION: "auth/missing-recaptcha-version";
+    readonly INVALID_RECAPTCHA_VERSION: "auth/invalid-recaptcha-version";
+    readonly INVALID_REQ_TYPE: "auth/invalid-req-type";
 }
 ```
 

docs-devsite/auth.recaptchaconfig.md

@@ -23,7 +23,7 @@ import {
   _performApiRequest,
   _addTidIfNecessary
 } from '../index';
-import { Auth, RecaptchaConfig } from '../../model/public_types';
+import { Auth } from '../../model/public_types';
 
 interface GetRecaptchaParamResponse {
   recaptchaSiteKey?: string;
@@ -47,9 +47,14 @@ interface GetRecaptchaConfigRequest {
   version?: RecaptchaVersion;
 }
 
-interface GetRecaptchaConfigResponse {
-  recaptchaKey?: string;
-  recaptchaConfig?: RecaptchaConfig;
+interface RecaptchaEnforcementState {
+  provider: string;
+  enforcementState: string;
+}
+
+export interface GetRecaptchaConfigResponse {
+  recaptchaKey: string;
+  recaptchaEnforcementState: RecaptchaEnforcementState[];
 }
 
 export async function getRecaptchaConfig(

packages/auth/src/api/authentication/recaptcha.ts

@@ -91,16 +91,14 @@ export const enum ServerError {
   USER_DISABLED = 'USER_DISABLED',
   USER_NOT_FOUND = 'USER_NOT_FOUND',
   WEAK_PASSWORD = 'WEAK_PASSWORD',
-  INVALID_RECAPTCHA_SCORE = 'invalid-recaptcha-score',
+  RECAPTCHA_NOT_ENABLED = 'recaptcha-not-enabled',
   MISSING_RECAPTCHA_TOKEN = 'missing-recaptcha-token',
   INVALID_RECAPTCHA_TOKEN = 'invalid-recaptcha-token',
-  INVALID_RECAPTCHA_ACTION = 'invalide-recaptcha-action',
-  INVALID_RECAPTCHA_ENFORCEMENT_STATE = 'invalid-recaptcha-enforcement-state',
-  RECAPTCHA_NOT_ENABLED = 'recaptcha-not-enabled',
+  INVALID_RECAPTCHA_ACTION = 'invalid-recaptcha-action',
   MISSING_CLIENT_TYPE = 'missing-client-type',
   MISSING_RECAPTCHA_VERSION = 'missing-recaptcha-version',
-  INVALID_REQ_TYPE = 'invalid-req-type',
-  INVALID_RECAPTCHA_VERSION = 'invalid-recaptcha-version'
+  INVALID_RECAPTCHA_VERSION = 'invalid-recaptcha-version',
+  INVALID_REQ_TYPE = 'invalid-req-type'
 }
 
 /**
@@ -216,15 +214,15 @@ export const SERVER_ERROR_MAP: Partial<ServerErrorMap<ServerError>> = {
   [ServerError.BLOCKING_FUNCTION_ERROR_RESPONSE]: AuthErrorCode.INTERNAL_ERROR,
 
   // Recaptcha related errors.
-  [ServerError.INVALID_RECAPTCHA_SCORE]: AuthErrorCode.RECAPTCHA_CHECK_FAILED,
   [ServerError.RECAPTCHA_NOT_ENABLED]: AuthErrorCode.RECAPTCHA_NOT_ENABLED,
-  [ServerError.MISSING_RECAPTCHA_TOKEN]: AuthErrorCode.INTERNAL_ERROR,
-  [ServerError.INVALID_RECAPTCHA_TOKEN]: AuthErrorCode.INTERNAL_ERROR,
-  [ServerError.INVALID_RECAPTCHA_ACTION]: AuthErrorCode.INTERNAL_ERROR,
-  [ServerError.INVALID_RECAPTCHA_ENFORCEMENT_STATE]:
-    AuthErrorCode.INTERNAL_ERROR,
-  [ServerError.MISSING_CLIENT_TYPE]: AuthErrorCode.INTERNAL_ERROR,
-  [ServerError.MISSING_RECAPTCHA_VERSION]: AuthErrorCode.INTERNAL_ERROR,
-  [ServerError.INVALID_REQ_TYPE]: AuthErrorCode.INTERNAL_ERROR,
-  [ServerError.INVALID_RECAPTCHA_VERSION]: AuthErrorCode.INTERNAL_ERROR
+  [ServerError.MISSING_RECAPTCHA_TOKEN]: AuthErrorCode.MISSING_RECAPTCHA_TOKEN,
+  [ServerError.INVALID_RECAPTCHA_TOKEN]: AuthErrorCode.INVALID_RECAPTCHA_TOKEN,
+  [ServerError.INVALID_RECAPTCHA_ACTION]:
+    AuthErrorCode.INVALID_RECAPTCHA_ACTION,
+  [ServerError.MISSING_CLIENT_TYPE]: AuthErrorCode.MISSING_CLIENT_TYPE,
+  [ServerError.MISSING_RECAPTCHA_VERSION]:
+    AuthErrorCode.MISSING_RECAPTCHA_VERSION,
+  [ServerError.INVALID_RECAPTCHA_VERSION]:
+    AuthErrorCode.INVALID_RECAPTCHA_VERSION,
+  [ServerError.INVALID_REQ_TYPE]: AuthErrorCode.INVALID_REQ_TYPE
 };

packages/auth/src/api/errors.ts

@@ -22,7 +22,6 @@ import {
   AuthErrorMap,
   AuthSettings,
   EmulatorConfig,
-  RecaptchaConfig,
   NextOrObserver,
   Persistence,
   PopupRedirectResolver,
@@ -65,6 +64,7 @@ import { HttpHeader, RecaptchaClientType, RecaptchaVersion } from '../../api';
 import { getRecaptchaConfig } from '../../api/authentication/recaptcha';
 import { RecaptchaEnterpriseVerifier } from '../../platform_browser/recaptcha/recaptcha_enterprise_verifier';
 import { AuthMiddlewareQueue } from './middleware';
+import { RecaptchaConfig } from '../../platform_browser/recaptcha/recaptcha';
 
 interface AsyncAction {
   (): Promise<void>;
@@ -397,16 +397,14 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
       clientType: RecaptchaClientType.WEB,
       version: RecaptchaVersion.ENTERPRISE
     });
-    // TODO(chuanr): Confirm the response format when backend is ready
-    if (response.recaptchaConfig === undefined) {
-      throw new Error('recaptchaConfig undefined');
-    }
-    const config = response.recaptchaConfig;
-    if (this.tenantId) {
-      this._tenantRecaptchaConfigs[this.tenantId] = config;
-    } else {
+
+    const config = new RecaptchaConfig(response);
+    if (this.tenantId == null) {
       this._agentRecaptchaConfig = config;
+    } else {
+      this._tenantRecaptchaConfigs[this.tenantId] = config;
     }
+
     if (config.emailPasswordEnabled) {
       const verifier = new RecaptchaEnterpriseVerifier(this);
       void verifier.verify();

packages/auth/src/core/auth/auth_impl.ts

@@ -233,7 +233,7 @@ describe('core/credentials/email', () => {
               recaptchaConfig: { emailPasswordEnabled: true }
             }
           );
-          RecaptchaEnterpriseVerifier.agentSiteKey = 'wrong-site-key';
+          auth._agentRecaptchaConfig!.siteKey = 'wrong-site-key';
           await auth.initializeRecaptchaConfig();
 
           const idTokenResponse = await credential._getIdTokenResponse(auth);
@@ -252,7 +252,7 @@ describe('core/credentials/email', () => {
         });
 
         it('calls sign in with password with recaptcha verify failed', async () => {
-          RecaptchaEnterpriseVerifier.agentSiteKey = null;
+          auth._agentRecaptchaConfig = null;
           mockEndpointWithParams(
             Endpoint.GET_RECAPTCHA_CONFIG,
             {

packages/auth/src/core/credentials/email.test.ts

@@ -29,11 +29,10 @@ import {
 import { AuthInternal } from '../../model/auth';
 import { IdTokenResponse } from '../../model/id_token';
 import { AuthErrorCode } from '../errors';
-import { ServerError } from '../../api/errors';
 import { _fail } from '../util/assert';
 import { AuthCredential } from './auth_credential';
 import { injectRecaptchaFields } from '../../platform_browser/recaptcha/recaptcha_enterprise_verifier';
-import { RecaptchaActionName } from '../../api';
+import { RecaptchaActionName, RecaptchaClientType } from '../../api';
 /**
  * Interface that represents the credentials returned by {@link EmailAuthProvider} for
  * {@link ProviderId}.PASSWORD
@@ -121,7 +120,8 @@ export class EmailAuthCredential extends AuthCredential {
         const request: SignInWithPasswordRequest = {
           returnSecureToken: true,
           email: this._email,
-          password: this._password
+          password: this._password,
+          clientType: RecaptchaClientType.WEB
         };
         if (auth._getRecaptchaConfig()?.emailPasswordEnabled) {
           const requestWithRecaptcha = await injectRecaptchaFields(
@@ -132,7 +132,9 @@ export class EmailAuthCredential extends AuthCredential {
           return signInWithPassword(auth, requestWithRecaptcha);
         } else {
           return signInWithPassword(auth, request).catch(async error => {
-            if (error.code === `auth/${ServerError.MISSING_RECAPTCHA_TOKEN}`) {
+            if (
+              error.code === `auth/${AuthErrorCode.MISSING_RECAPTCHA_TOKEN}`
+            ) {
               console.log(
                 'Sign-in with email address and password is protected by reCAPTCHA for this project. Automatically triggering the reCAPTCHA flow and restarting the sign-in flow.'
               );

packages/auth/src/core/credentials/email.ts

@@ -124,8 +124,14 @@ export const enum AuthErrorCode {
   WEAK_PASSWORD = 'weak-password',
   WEB_STORAGE_UNSUPPORTED = 'web-storage-unsupported',
   ALREADY_INITIALIZED = 'already-initialized',
-  RECAPTCHA_CHECK_FAILED = 'recaptcha-check-failed',
-  RECAPTCHA_NOT_ENABLED = 'recaptcha-not-enabled'
+  RECAPTCHA_NOT_ENABLED = 'recaptcha-not-enabled',
+  MISSING_RECAPTCHA_TOKEN = 'missing-recaptcha-token',
+  INVALID_RECAPTCHA_TOKEN = 'invalid-recaptcha-token',
+  INVALID_RECAPTCHA_ACTION = 'invalid-recaptcha-action',
+  MISSING_CLIENT_TYPE = 'missing-client-type',
+  MISSING_RECAPTCHA_VERSION = 'missing-recaptcha-version',
+  INVALID_RECAPTCHA_VERSION = 'invalid-recaptcha-version',
+  INVALID_REQ_TYPE = 'invalid-req-type'
 }
 
 function _debugErrorMap(): ErrorMap<AuthErrorCode> {
@@ -359,10 +365,22 @@ function _debugErrorMap(): ErrorMap<AuthErrorCode> {
       'different options. To avoid this error, call initializeAuth() with the ' +
       'same options as when it was originally called, or call getAuth() to return the' +
       ' already initialized instance.',
-    [AuthErrorCode.RECAPTCHA_CHECK_FAILED]:
-      'The ReCAPTCHA assessment failed for this request.',
+    [AuthErrorCode.MISSING_RECAPTCHA_TOKEN]:
+      'The reCAPTCHA token is missing when sending request to the backend.',
+    [AuthErrorCode.INVALID_RECAPTCHA_TOKEN]:
+      'The reCAPTCHA token is invalid when sending request to the backend.',
+    [AuthErrorCode.INVALID_RECAPTCHA_ACTION]:
+      'The reCAPTCHA action is invalid when sending request to the backend.',
     [AuthErrorCode.RECAPTCHA_NOT_ENABLED]:
-      'reCAPTCHA integration is not enabled for this project.'
+      'reCAPTCHA integration is not enabled for this project.',
+    [AuthErrorCode.MISSING_CLIENT_TYPE]:
+      'The reCAPTCHA client type is missing when sending request to the backend.',
+    [AuthErrorCode.MISSING_RECAPTCHA_VERSION]:
+      'The reCAPTCHA version is missing when sending request to the backend.',
+    [AuthErrorCode.INVALID_REQ_TYPE]:
+      'The reCAPTCHA client type or version is invalid when retrieving the site key.',
+    [AuthErrorCode.INVALID_RECAPTCHA_VERSION]:
+      'The reCAPTCHA version is invalid when sending request to the backend.'
   };
 }
 
@@ -565,6 +583,12 @@ export const AUTH_ERROR_CODES_MAP_DO_NOT_USE_INTERNALLY = {
   WEAK_PASSWORD: 'auth/weak-password',
   WEB_STORAGE_UNSUPPORTED: 'auth/web-storage-unsupported',
   ALREADY_INITIALIZED: 'auth/already-initialized',
-  RECAPTCHA_CHECK_FAILED: 'auth/recaptcha-check-failed',
-  RECAPTCHA_NOT_ENABLED: 'auth/recaptcha-not-enabled'
+  RECAPTCHA_NOT_ENABLED: 'auth/recaptcha-not-enabled',
+  MISSING_RECAPTCHA_TOKEN: 'auth/missing-recaptcha-token',
+  INVALID_RECAPTCHA_TOKEN: 'auth/invalid-recaptcha-token',
+  INVALID_RECAPTCHA_ACTION: 'auth/invalid-recaptcha-action',
+  MISSING_CLIENT_TYPE: 'auth/missing-client-type',
+  MISSING_RECAPTCHA_VERSION: 'auth/missing-recaptcha-version',
+  INVALID_RECAPTCHA_VERSION: 'auth/invalid-recaptcha-version',
+  INVALID_REQ_TYPE: 'auth/invalid-req-type'
 } as const;

packages/auth/src/core/errors.ts

@@ -34,12 +34,11 @@ import { _setActionCodeSettingsOnRequest } from './action_code_settings';
 import { signInWithCredential } from './credential';
 import { _castAuth } from '../auth/auth_impl';
 import { AuthErrorCode } from '../errors';
-import { ServerError } from '../../api/errors';
 import { getModularInstance } from '@firebase/util';
 import { OperationType } from '../../model/enums';
 import { injectRecaptchaFields } from '../../platform_browser/recaptcha/recaptcha_enterprise_verifier';
 import { IdTokenResponse } from '../../model/id_token';
-import { RecaptchaActionName } from '../../api';
+import { RecaptchaActionName, RecaptchaClientType } from '../../api';
 
 /**
  * Sends a password reset email to the given email address.
@@ -81,7 +80,8 @@ export async function sendPasswordResetEmail(
   const authInternal = _castAuth(auth);
   const request: authentication.PasswordResetRequest = {
     requestType: ActionCodeOperation.PASSWORD_RESET,
-    email
+    email,
+    clientType: RecaptchaClientType.WEB
   };
   if (authInternal._getRecaptchaConfig()?.emailPasswordEnabled) {
     const requestWithRecaptcha = await injectRecaptchaFields(
@@ -112,7 +112,7 @@ export async function sendPasswordResetEmail(
     await authentication
       .sendPasswordResetEmail(authInternal, request)
       .catch(async error => {
-        if (error.code === `auth/${ServerError.MISSING_RECAPTCHA_TOKEN}`) {
+        if (error.code === `auth/${AuthErrorCode.MISSING_RECAPTCHA_TOKEN}`) {
           console.log(
             'Password resets are protected by reCAPTCHA for this project. Automatically triggering the reCAPTCHA flow and restarting the password reset flow.'
           );
@@ -284,7 +284,8 @@ export async function createUserWithEmailAndPassword(
   const request: SignUpRequest = {
     returnSecureToken: true,
     email,
-    password
+    password,
+    clientType: RecaptchaClientType.WEB
   };
   let signUpResponse: Promise<IdTokenResponse>;
   if (authInternal._getRecaptchaConfig()?.emailPasswordEnabled) {
@@ -296,7 +297,7 @@ export async function createUserWithEmailAndPassword(
     signUpResponse = signUp(authInternal, requestWithRecaptcha);
   } else {
     signUpResponse = signUp(authInternal, request).catch(async error => {
-      if (error.code === `auth/${ServerError.MISSING_RECAPTCHA_TOKEN}`) {
+      if (error.code === `auth/${AuthErrorCode.MISSING_RECAPTCHA_TOKEN}`) {
         console.log(
           'Sign-up is protected by reCAPTCHA for this project. Automatically triggering the reCAPTCHA flow and restarting the sign-up flow.'
         );

packages/auth/src/core/strategies/email_and_password.ts

@@ -266,7 +266,7 @@ describe('core/strategies/sendSignInLinkToEmail', () => {
         }
       );
 
-      RecaptchaEnterpriseVerifier.agentSiteKey = 'wrong-site-key';
+      auth._agentRecaptchaConfig!.siteKey = 'wrong-site-key';
       mockEndpointWithParams(
         Endpoint.GET_RECAPTCHA_CONFIG,
         {
@@ -292,7 +292,7 @@ describe('core/strategies/sendSignInLinkToEmail', () => {
     });
 
     it('calls send sign in link to email with recaptcha verify failed', async () => {
-      RecaptchaEnterpriseVerifier.agentSiteKey = null;
+      auth._agentRecaptchaConfig = null;
       mockEndpointWithParams(
         Endpoint.GET_RECAPTCHA_CONFIG,
         {