Skip to content

feat(auth): Add ability to link a federated ID with the updateUser() method. #770

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 14 commits into from
Feb 9, 2021
Merged

feat(auth): Add ability to link a federated ID with the updateUser() method. #770

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
59d93aa
Add ability to link a federated id with the updateUser() method.
rsgowman Jan 20, 2020
c79f42d
review feedback
rsgowman Jan 28, 2020
dfa1fce
more details on the docs
rsgowman Mar 19, 2020
fe88272
Merge remote-tracking branch 'origin/master' into rsgowman/link_by_fe…
rsgowman Dec 22, 2020
a04e175
providersToDelete -> providersToUnlink
rsgowman Dec 22, 2020
3393af3
add todo re refactoring
rsgowman Dec 22, 2020
ba5361f
Merge remote-tracking branch 'origin/master' into rsgowman/link_by_fe…
rsgowman Feb 4, 2021
a3f8f69
api-extractor
rsgowman Feb 4, 2021
af5d012
api-extractor in the right branch. :)
rsgowman Feb 4, 2021
37bd4e3
review feedback
rsgowman Feb 8, 2021
676b4a1
Merge remote-tracking branch 'origin/master' into rsgowman/link_by_fe…
rsgowman Feb 8, 2021
2167091
add back api-extractor's magic {}
rsgowman Feb 9, 2021
726cb85
Merge remote-tracking branch 'origin/master' into rsgowman/link_by_fe…
rsgowman Feb 9, 2021
7686113
doc nit
rsgowman Feb 9, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 49 additions & 5 deletions src/auth/auth-api-request.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -265,6 +265,8 @@ function validateCreateEditRequest(request: any, uploadAccountRequest: boolean =
phoneNumber: true,
customAttributes: true,
validSince: true,
// Pass linkProviderUserInfo only for updates (i.e. not for uploads.)
linkProviderUserInfo: !uploadAccountRequest,
Copy link
Contributor

@nrsim nrsim Jan 22, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add deleteProvider as well?

Copy link
Member Author

@rsgowman rsgowman Jan 27, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's already present (line 263) since it was used previously to remove phone auth entries.

// Pass tenantId only for uploadAccount requests.
tenantId: uploadAccountRequest,
passwordHash: uploadAccountRequest,
Expand Down Expand Up @@ -410,6 +412,11 @@ function validateCreateEditRequest(request: any, uploadAccountRequest: boolean =
validateProviderUserInfo(providerUserInfoEntry);
});
}

// linkProviderUserInfo must be a (single) UserInfo value.
Copy link
Contributor

@nrsim nrsim Jan 22, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

UserProvider?

Copy link
Member Author

@rsgowman rsgowman Jan 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

if (typeof request.linkProviderUserInfo !== 'undefined') {
validateProviderUserInfo(request.linkProviderUserInfo);
}
}


Expand Down Expand Up @@ -961,6 +968,31 @@ export abstract class AbstractAuthRequestHandler {
'Properties argument must be a non-null object.',
),
);
} else if (validator.isNonNullObject(properties.providerToLink)) {
Copy link
Contributor

@nrsim nrsim Feb 3, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aren't the validations at validateCreateEditRequest sufficient? Seems like the validation is added in two places.

Copy link
Member Author

@rsgowman rsgowman Dec 22, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(Missed this comment, sorry!)

IIUC, the parameters are slightly different, so it doesn't quite work. (eg rawId). Some refactoring could be done though... I've added a TODO.

if (!validator.isNonEmptyString(properties.providerToLink.providerId)) {
throw new FirebaseAuthError(
AuthClientErrorCode.INVALID_ARGUMENT,
'providerToLink.providerId of properties argument must be a non-empty string.');
}
if (!validator.isNonEmptyString(properties.providerToLink.uid)) {
throw new FirebaseAuthError(
AuthClientErrorCode.INVALID_ARGUMENT,
'providerToLink.uid of properties argument must be a non-empty string.');
}
} else if (typeof properties.providersToDelete !== 'undefined') {
if (!validator.isNonEmptyArray(properties.providersToDelete)) {
throw new FirebaseAuthError(
AuthClientErrorCode.INVALID_ARGUMENT,
'providersToDelete of properties argument must be a non-empty array of strings.');
}

properties.providersToDelete.forEach((providerId) => {
if (!validator.isNonEmptyString(providerId)) {
throw new FirebaseAuthError(
AuthClientErrorCode.INVALID_ARGUMENT,
'providersToDelete of properties argument must be a non-empty array of strings.');
}
});
}

// Build the setAccountInfo request.
Expand Down Expand Up @@ -995,13 +1027,25 @@ export abstract class AbstractAuthRequestHandler {
// It will be removed from the backend request and an additional parameter
// deleteProvider: ['phone'] with an array of providerIds (phone in this case),
// will be passed.
// Currently this applies to phone provider only.
if (request.phoneNumber === null) {
request.deleteProvider = ['phone'];
request.deleteProvider ? request.deleteProvider.push('phone') : request.deleteProvider = ['phone'];
delete request.phoneNumber;
} else {
// Doesn't apply to other providers in admin SDK.
delete request.deleteProvider;
}

if (typeof(request.providerToLink) !== 'undefined') {
request.linkProviderUserInfo = deepCopy(request.providerToLink);
delete request.providerToLink;

request.linkProviderUserInfo.rawId = request.linkProviderUserInfo.uid;
delete request.linkProviderUserInfo.uid;
}

if (typeof(request.providersToDelete) !== 'undefined') {
if (!validator.isArray(request.deleteProvider)) {
Copy link
Contributor

@nrsim nrsim Jan 22, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this check redundant, considering the condition gets checked at validation?

Copy link
Member Author

@rsgowman rsgowman Jan 27, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

deleteProvider might not yet exist. (Or technically, the end user could set it to anything they like if they're using javascript rather than typescript.)

Copy link
Contributor

@hiranya911 hiranya911 Feb 5, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will achieve the same result without the if condition I think:

request.deleteProvider = (request.deleteProvider || []).concat(request.providersToUnlink);

Copy link
Member Author

@rsgowman rsgowman Feb 8, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The user could set this value to anything they like which could interact badly:

request.deleteProvider = "foo"
request.providersToUnlink = [ "phone", "email" ]
request.deleteProvider = (request.deleteProvider || []).concat(request.providersToUnlink);
console.log(request.deleteProvider)
> ["foophone", "email"]

Such use would be pretty questionable since deleteProvider doesn't show up in the UpdateRequest interface... though that doesn't stop the user from setting it anyways for their own purposes. (Although we modify it here, we also take a copy first, so this won't impact the user's copy.) Given that, it seems easiest to just check to see if it's an array first.

Thinking about it a bit more though, another alternative would be to just set deleteProvider to undefined (or []) after we take the copy, thus ensuring any value that the user sets can't interfere with this value.

I've left it as is for now, though could switch to the alternative if you'd prefer.

request.deleteProvider = [];
}
request.deleteProvider = request.deleteProvider.concat(request.providersToDelete);
delete request.providersToDelete;
}

// Rewrite photoURL to photoUrl.
Expand Down
44 changes: 44 additions & 0 deletions src/auth/auth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
* limitations under the License.
*/

import {deepCopy} from '../utils/deep-copy';
import {UserRecord, CreateRequest, UpdateRequest} from './user-record';
import {FirebaseApp} from '../firebase-app';
import {FirebaseTokenGenerator, cryptoSignerFromApp} from './token-generator';
Expand Down Expand Up @@ -279,6 +280,49 @@ export class BaseAuth<T extends AbstractAuthRequestHandler> {
* @return {Promise<UserRecord>} A promise that resolves with the modified user record.
*/
public updateUser(uid: string, properties: UpdateRequest): Promise<UserRecord> {
// Although we don't really advertise it, we want to also handle linking of
// non-federated idps with this call. So if we detect one of them, we'll
// adjust the properties parameter appropriately. This *does* imply that a
// conflict could arise, e.g. if the user provides a phoneNumber property,
// but also provides a providerToLink with a 'phone' provider id. In that
// case, we'll throw an error.
properties = deepCopy(properties);
if (validator.isNonNullObject(properties) && typeof properties.providerToLink !== 'undefined') {
if (properties.providerToLink.providerId === 'email') {
if (typeof properties.email !== 'undefined') {
throw new FirebaseAuthError(
AuthClientErrorCode.INVALID_ARGUMENT,
"Both UpdateRequest.email and UpdateRequest.providerToLink.providerId='email' were set. To "
+ 'link to the email/password provider, only specify the UpdateRequest.email field.');
}
properties.email = properties.providerToLink.uid;
delete properties.providerToLink;
} else if (properties.providerToLink.providerId === 'phone') {
if (typeof properties.phoneNumber !== 'undefined') {
throw new FirebaseAuthError(
AuthClientErrorCode.INVALID_ARGUMENT,
"Both UpdateRequest.phoneNumber and UpdateRequest.providerToLink.providerId='phone' were set. To "
+ 'link to a phone provider, only specify the UpdateRequest.phoneNumber field.');
}
properties.phoneNumber = properties.providerToLink.uid;
delete properties.providerToLink;
}
}
if (validator.isNonNullObject(properties) && typeof properties.providersToDelete !== 'undefined') {
if (properties.providersToDelete.indexOf('phone') !== -1) {
// If we've been told to unlink the phone provider both via setting
// phoneNumber to null *and* by setting providersToDelete to include
// 'phone', then we'll reject that. Though it might also be reasonable
// to relax this restriction and just unlink it.
if (properties.phoneNumber === null) {
throw new FirebaseAuthError(
AuthClientErrorCode.INVALID_ARGUMENT,
"Both UpdateRequest.phoneNumber=null and UpdateRequest.providersToDelete=['phone'] were set. To "
+ 'unlink from a phone provider, only specify the UpdateRequest.phoneNumber=null field.');
}
}
}

return this.authRequestHandler.updateExistingAccount(uid, properties)
.then((existingUid) => {
// Return the corresponding user record.
Expand Down
37 changes: 37 additions & 0 deletions src/auth/user-record.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,8 @@ export interface UpdateRequest {
password?: string;
phoneNumber?: string | null;
photoURL?: string | null;
providerToLink?: UserProvider;
providersToDelete?: string[];
}

/** Parameters for create user operation */
Expand Down Expand Up @@ -132,6 +134,41 @@ export class UserInfo {
}
}

/**
* Represents a user identity provider that can be associated with a Firebase user.
*/
interface UserProvider {
/**
* The user identifier for the linked provider.
*/
uid?: string;
Copy link
Contributor

@nrsim nrsim Jan 22, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

providerUid?

Copy link
Member Author

@rsgowman rsgowman Jan 27, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's just uid in the other ports. Combined with the interface name (which contains 'provider'), I think that's probably ok.


/**
* The display name for the linked provider.
*/
displayName?: string;

/**
* The email for the linked provider.
*/
email?: string;

/**
* The phone number for the linked provider.
*/
phoneNumber?: string;

/**
* The photo URL for the linked provider.
*/
photoURL?: string;

/**
* The linked provider ID (for example, "google.com" for the Google provider).
*/
providerId?: string;
}

/**
* User record class that defines the Firebase user object populated from
* the Firebase Auth getAccountInfo response.
Expand Down
46 changes: 46 additions & 0 deletions src/index.d.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -545,6 +545,42 @@ declare namespace admin.auth {
toJSON(): Object;
}

/**
* Represents a user identity provider that can be associated with a Firebase user.
*/
interface UserProvider {

/**
* The user identifier for the linked provider.
*/
uid?: string;

/**
* The display name for the linked provider.
*/
displayName?: string;

/**
* The email for the linked provider.
*/
email?: string;

/**
* The phone number for the linked provider.
*/
phoneNumber?: string;

/**
* The photo URL for the linked provider.
*/
photoURL?: string;

/**
* The linked provider ID (for example, "google.com" for the Google provider).
*/
providerId?: string;
}

/**
* Interface representing a user.
*/
Expand Down Expand Up @@ -686,6 +722,16 @@ declare namespace admin.auth {
* The user's photo URL.
*/
photoURL?: string | null;

/**
* Links this user to the specified federated provider.
*/
providerToLink?: UserProvider;

/**
* Unlinks this user from the specified federated providers.
Copy link
Contributor

@nrsim nrsim Jan 22, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/federated providers/providers?

Copy link
Member Author

@rsgowman rsgowman Jan 27, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. (Also above)

*/
providersToDelete?: string[];
}

/**
Expand Down
120 changes: 102 additions & 18 deletions test/integration/auth.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -323,22 +323,106 @@ describe('admin.auth', () => {
});
});

it('updateUser() updates the user record with the given parameters', () => {
const updatedDisplayName = 'Updated User ' + newUserUid;
return admin.auth().updateUser(newUserUid, {
email: updatedEmail,
phoneNumber: updatedPhone,
emailVerified: true,
displayName: updatedDisplayName,
})
.then((userRecord) => {
expect(userRecord.emailVerified).to.be.true;
expect(userRecord.displayName).to.equal(updatedDisplayName);
// Confirm expected email.
expect(userRecord.email).to.equal(updatedEmail);
// Confirm expected phone number.
expect(userRecord.phoneNumber).to.equal(updatedPhone);
describe('updateUser()', () => {
/**
* Creates a new user for testing purposes. The user's uid will be
* '$name_$tenRandomChars' and email will be
* '[email protected]'.
*/
// TODO(rsgowman): This function could usefully be employed throughout this file.
function createTestUser(name: string): Promise<admin.auth.UserRecord> {
const tenRandomChars = generateRandomString(10);
return admin.auth().createUser({
uid: name + '_' + tenRandomChars,
displayName: name,
email: name + '_' + tenRandomChars + '@example.com',
});
}

let updateUser: admin.auth.UserRecord;
before(async () => {
updateUser = await createTestUser('UpdateUser');
});

after(() => {
return safeDelete(updateUser.uid);
});

it('updates the user record with the given parameters', async () => {
const updatedDisplayName = 'Updated User ' + updateUser.uid;
const userRecord = await admin.auth().updateUser(updateUser.uid, {
email: updatedEmail,
phoneNumber: updatedPhone,
emailVerified: true,
displayName: updatedDisplayName,
});

expect(userRecord.emailVerified).to.be.true;
expect(userRecord.displayName).to.equal(updatedDisplayName);
// Confirm expected email.
expect(userRecord.email).to.equal(updatedEmail);
// Confirm expected phone number.
expect(userRecord.phoneNumber).to.equal(updatedPhone);
});

it('can link/unlink with a federated provider', async () => {
const federatedUid = 'google_uid_' + generateRandomString(10);
Copy link
Contributor

@nrsim nrsim Jan 22, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could this be changed to googleUid/googleFederatedUid, to avoid an unnecessary confusion between federatedUid and providerUid?

Copy link
Member Author

@rsgowman rsgowman Jan 27, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

let userRecord = await admin.auth().updateUser(updateUser.uid, {
providerToLink: {
providerId: 'google.com',
uid: federatedUid,
},
});

let providerUids = userRecord.providerData.map((userInfo) => userInfo.uid);
let providerIds = userRecord.providerData.map((userInfo) => userInfo.providerId);
expect(providerUids).to.deep.include(federatedUid);
expect(providerIds).to.deep.include('google.com');

userRecord = await admin.auth().updateUser(updateUser.uid, {
providersToDelete: ['google.com'],
});

providerUids = userRecord.providerData.map((userInfo) => userInfo.uid);
providerIds = userRecord.providerData.map((userInfo) => userInfo.providerId);
expect(providerUids).to.not.deep.include(federatedUid);
expect(providerIds).to.not.deep.include('google.com');
});

it('can unlink multiple providers at once, incl a non-federated provider', async () => {
await deletePhoneNumberUser('+15555550001');

const googleFederatedUid = 'google_uid_' + generateRandomString(10);
const facebookFederatedUid = 'facebook_uid_' + generateRandomString(10);

let userRecord = await admin.auth().updateUser(updateUser.uid, {
phoneNumber: '+15555550001',
providerToLink: {
providerId: 'google.com',
uid: googleFederatedUid,
},
});
userRecord = await admin.auth().updateUser(updateUser.uid, {
providerToLink: {
providerId: 'facebook.com',
uid: facebookFederatedUid,
},
});

let providerUids = userRecord.providerData.map((userInfo) => userInfo.uid);
let providerIds = userRecord.providerData.map((userInfo) => userInfo.providerId);
expect(providerUids).to.deep.include.members([googleFederatedUid, facebookFederatedUid, '+15555550001']);
expect(providerIds).to.deep.include.members(['google.com', 'facebook.com', 'phone']);

userRecord = await admin.auth().updateUser(updateUser.uid, {
providersToDelete: ['google.com', 'facebook.com', 'phone'],
});

providerUids = userRecord.providerData.map((userInfo) => userInfo.uid);
providerIds = userRecord.providerData.map((userInfo) => userInfo.providerId);
expect(providerUids).to.not.deep.include.members([googleFederatedUid, facebookFederatedUid, '+15555550001']);
expect(providerIds).to.not.deep.include.members(['google.com', 'facebook.com', 'phone']);
});
});

it('getUser() fails when called with a non-existing UID', () => {
Expand Down Expand Up @@ -1615,11 +1699,11 @@ function testImportAndSignInUser(
/**
* Helper function that deletes the user with the specified phone number
* if it exists.
* @param {string} phoneNumber The phone number of the user to delete.
* @return {Promise} A promise that resolves when the user is deleted
* @param phoneNumber The phone number of the user to delete.
* @return A promise that resolves when the user is deleted
* or is found not to exist.
*/
function deletePhoneNumberUser(phoneNumber: string) {
function deletePhoneNumberUser(phoneNumber: string): Promise<void> {
return admin.auth().getUserByPhoneNumber(phoneNumber)
.then((userRecord) => {
return safeDelete(userRecord.uid);
Expand Down
Loading