feat(auth): Implement getUserByProviderId

src/auth/auth-api-request.ts

@@ -468,7 +468,7 @@ export const FIREBASE_AUTH_DOWNLOAD_ACCOUNT = new ApiSettings('/accounts:batchGe
 export const FIREBASE_AUTH_GET_ACCOUNT_INFO = new ApiSettings('/accounts:lookup', 'POST')
   // Set request validator.
   .setRequestValidator((request: any) => {
-    if (!request.localId && !request.email && !request.phoneNumber) {
+    if (!request.localId && !request.email && !request.phoneNumber && !request.federatedUserId) {
       throw new FirebaseAuthError(
         AuthClientErrorCode.INTERNAL_ERROR,
         'INTERNAL ASSERT FAILED: Server request is missing user identifier');
@@ -811,6 +811,21 @@ export abstract class AbstractAuthRequestHandler {
     return this.invokeRequestHandler(this.getAuthUrlBuilder(), FIREBASE_AUTH_GET_ACCOUNT_INFO, request);
   }
 
+  public getAccountInfoByFederatedUid(federatedId: string, federatedUid: string): Promise<object> {
+    if (!validator.isNonEmptyString(federatedId) || !validator.isNonEmptyString(federatedUid)) {
+      throw new FirebaseAuthError(AuthClientErrorCode.INVALID_PROVIDER_ID);
+    }
+
+    const request = {
+      federatedUserId: [{
+        providerId: federatedId,
+        rawId: federatedUid,
+      }],
+    };
+
+    return this.invokeRequestHandler(this.getAuthUrlBuilder(), FIREBASE_AUTH_GET_ACCOUNT_INFO, request);
+  }
+
   /**
    * Exports the users (single batch only) with a size of maxResults and starting from
    * the offset as specified by pageToken.

src/auth/auth.ts

@@ -200,6 +200,36 @@ export class BaseAuth<T extends AbstractAuthRequestHandler> {
       });
   }
 
+  /**
+   * Gets the user data for the user corresponding to a given provider id.
+   *
+   * See [Retrieve user data](/docs/auth/admin/manage-users#retrieve_user_data)
+   * for code samples and detailed documentation.
+   *
+   * @param providerId The provider ID, for example, "google.com" for the
+   *   Google provider.
+   * @param providerUid The user identifier for the given provider.
+   *
+   * @return A promise fulfilled with the user data corresponding to the
+   *   given provider id.
+   */
+  public getUserByProviderUid(providerId: string, providerUid: string): Promise<UserRecord> {
+    // Although we don't really advertise it, we want to also handle
+    // non-federated idps with this call. So if we detect one of them, we'll
+    // reroute this request appropriately.
+    if (providerId === 'phone') {
+      return this.getUserByPhoneNumber(providerUid);
+    } else if (providerId === 'email') {
+      return this.getUserByEmail(providerUid);
+    }
+
+    return this.authRequestHandler.getAccountInfoByFederatedUid(providerId, providerUid)
+      .then((response: any) => {
+        // Returns the user record populated with server response.
+        return new UserRecord(response.users[0]);
+      });
+  }
+
   /**
    * Exports a batch of user accounts. Batch size is determined by the maxResults argument.
    * Starting point of the batch is determined by the pageToken argument.

src/index.d.ts

@@ -1530,6 +1530,21 @@ declare namespace admin.auth {
      */
     getUserByPhoneNumber(phoneNumber: string): Promise<admin.auth.UserRecord>;
 
+    /**
+     * Gets the user data for the user corresponding to a given provider id.
+     *
+     * See [Retrieve user data](/docs/auth/admin/manage-users#retrieve_user_data)
+     * for code samples and detailed documentation.
+     *
+     * @param providerId The provider ID, for example, "google.com" for the
+     *   Google provider.
+     * @param providerUid The user identifier for the given provider.
+     *
+     * @return A promise fulfilled with the user data corresponding to the
+     *   given provider id.
+     */
+    getUserByProviderUid(providerId: string, providerUid: string): Promise<admin.auth.UserRecord>;
+
     /**
      * Retrieves a list of users (single batch only) with a size of `maxResults`
      * starting from the offset as specified by `pageToken`. This is used to

test/integration/auth.spec.ts

@@ -168,6 +168,44 @@ describe('admin.auth', () => {
       });
   });
 
+  it('getUserByProviderUid() returns a user record with the matching provider id', async () => {
+    // TODO(rsgowman): Once we can link a provider id with a user, just do that
+    // here instead of creating a new user.
+    const importUser: admin.auth.UserImportRecord = {
+      uid: 'uid',
+      email: '[email protected]',
+      phoneNumber: '+15555550000',
+      emailVerified: true,
+      disabled: false,
+      metadata: {
+        lastSignInTime: 'Thu, 01 Jan 1970 00:00:00 UTC',
+        creationTime: 'Thu, 01 Jan 1970 00:00:00 UTC',
+        toJSON: () => { throw new Error('Unimplemented'); },
+      },
+      providerData: [{
+        displayName: 'User Name',
+        email: '[email protected]',
+        phoneNumber: '+15555550000',
+        photoURL: 'http://example.com/user',
+        toJSON: () => { throw new Error('Unimplemented'); },
+        providerId: 'google.com',
+        uid: 'google_uid',
+      }],
+    };
+
+    await safeDelete(importUser.uid);
+    await admin.auth().importUsers([importUser]);
+
+    try {
+      await admin.auth().getUserByProviderUid('google.com', 'google_uid')
+        .then((userRecord) => {
+          expect(userRecord.uid).to.equal(importUser.uid);
+        });
+    } finally {
+      await safeDelete(importUser.uid);
+    }
+  });
+
   it('listUsers() returns up to the specified number of users', () => {
     const promises: Array<Promise<admin.auth.UserRecord>> = [];
     uids.forEach((uid) => {
@@ -356,6 +394,11 @@ describe('admin.auth', () => {
       .should.eventually.be.rejected.and.have.property('code', 'auth/user-not-found');
   });
 
+  it('getUserByProviderUid() fails when called with a non-existing federated id', () => {
+    return admin.auth().getUserByProviderUid('google.com', nonexistentUid)
+      .should.eventually.be.rejected.and.have.property('code', 'auth/user-not-found');
+  });
+
   it('updateUser() fails when called with a non-existing UID', () => {
     return admin.auth().updateUser(nonexistentUid, {
       emailVerified: true,

test/unit/auth/auth.spec.ts

@@ -1130,6 +1130,120 @@ AUTH_CONFIGS.forEach((testConfig) => {
       });
     });
 
+    describe('getUserByProviderUid()', () => {
+      const federatedId = 'google.com';
+      const federatedUid = 'google_uid';
+      const tenantId = testConfig.supportsTenantManagement ? undefined : TENANT_ID;
+      const expectedGetAccountInfoResult = getValidGetAccountInfoResponse(tenantId);
+      const expectedUserRecord = getValidUserRecord(expectedGetAccountInfoResult);
+      const expectedError = new FirebaseAuthError(AuthClientErrorCode.USER_NOT_FOUND);
+
+      // Stubs used to simulate underlying api calls.
+      let stubs: sinon.SinonStub[] = [];
+      beforeEach(() => sinon.spy(validator, 'isEmail'));
+      afterEach(() => {
+        (validator.isEmail as any).restore();
+        _.forEach(stubs, (stub) => stub.restore());
+        stubs = [];
+      });
+
+      it('should be rejected given no federated id', () => {
+        expect(() => (auth as any).getUserByProviderUid())
+          .to.throw(FirebaseAuthError)
+          .with.property('code', 'auth/invalid-provider-id');
+      });
+
+      it('should be rejected given an invalid federated id', () => {
+        expect(() => auth.getUserByProviderUid('', 'uid'))
+          .to.throw(FirebaseAuthError)
+          .with.property('code', 'auth/invalid-provider-id');
+      });
+
+      it('should be rejected given an invalid federated uid', () => {
+        expect(() => auth.getUserByProviderUid('id', ''))
+          .to.throw(FirebaseAuthError)
+          .with.property('code', 'auth/invalid-provider-id');
+      });
+
+      it('should be rejected given an app which returns null access tokens', () => {
+        return nullAccessTokenAuth.getUserByProviderUid(federatedId, federatedUid)
+          .should.eventually.be.rejected.and.have.property('code', 'app/invalid-credential');
+      });
+
+      it('should be rejected given an app which returns invalid access tokens', () => {
+        return malformedAccessTokenAuth.getUserByProviderUid(federatedId, federatedUid)
+          .should.eventually.be.rejected.and.have.property('code', 'app/invalid-credential');
+      });
+
+      it('should be rejected given an app which fails to generate access tokens', () => {
+        return rejectedPromiseAccessTokenAuth.getUserByProviderUid(federatedId, federatedUid)
+          .should.eventually.be.rejected.and.have.property('code', 'app/invalid-credential');
+      });
+
+      it('should resolve with a UserRecord on success', () => {
+        // Stub getAccountInfoByEmail to return expected result.
+        const stub = sinon.stub(testConfig.RequestHandler.prototype, 'getAccountInfoByFederatedUid')
+          .resolves(expectedGetAccountInfoResult);
+        stubs.push(stub);
+        return auth.getUserByProviderUid(federatedId, federatedUid)
+          .then((userRecord) => {
+            // Confirm underlying API called with expected parameters.
+            expect(stub).to.have.been.calledOnce.and.calledWith(federatedId, federatedUid);
+            // Confirm expected user record response returned.
+            expect(userRecord).to.deep.equal(expectedUserRecord);
+          });
+      });
+
+      describe('non-federated providers', () => {
+        let invokeRequestHandlerStub: sinon.SinonStub;
+        beforeEach(() => {
+          invokeRequestHandlerStub = sinon.stub(testConfig.RequestHandler.prototype, 'invokeRequestHandler')
+            .resolves({
+              // nothing here is checked; we just need enough to not crash.
+              users: [{
+                localId: 1,
+              }],
+            });
+
+        });
+        afterEach(() => {
+          invokeRequestHandlerStub.restore();
+        });
+
+        it('phone lookups should use phoneNumber field', async () => {
+          await auth.getUserByProviderUid('phone', '+15555550001');
+          expect(invokeRequestHandlerStub).to.have.been.calledOnce.and.calledWith(
+            sinon.match.any, sinon.match.any, {
+              phoneNumber: ['+15555550001'],
+            });
+        });
+
+        it('email lookups should use email field', async () => {
+          await auth.getUserByProviderUid('email', '[email protected]');
+          expect(invokeRequestHandlerStub).to.have.been.calledOnce.and.calledWith(
+            sinon.match.any, sinon.match.any, {
+              email: ['[email protected]'],
+            });
+        });
+      });
+
+      it('should throw an error when the backend returns an error', () => {
+        // Stub getAccountInfoByFederatedUid to throw a backend error.
+        const stub = sinon.stub(testConfig.RequestHandler.prototype, 'getAccountInfoByFederatedUid')
+          .rejects(expectedError);
+        stubs.push(stub);
+        return auth.getUserByProviderUid(federatedId, federatedUid)
+          .then((userRecord) => {
+            throw new Error('Unexpected success');
+          }, (error) => {
+            // Confirm underlying API called with expected parameters.
+            expect(stub).to.have.been.calledOnce.and.calledWith(federatedId, federatedUid);
+            // Confirm expected error returned.
+            expect(error).to.equal(expectedError);
+          });
+      });
+    });
+
     describe('deleteUser()', () => {
       const uid = 'abcdefghijklmnopqrstuvwxyz';
       const expectedDeleteAccountResult = {kind: 'identitytoolkit#DeleteAccountResponse'};