Create/Update tenant with ReCAPTCHA Config

etc/firebase-admin.auth.api.md

@@ -264,6 +264,34 @@ export interface ProviderIdentifier {
     providerUid: string;
 }
 
+// @public
+export type RecaptchaAction = 'BLOCK';
+
+// @public (undocumented)
+export interface RecaptchaConfig {
+    emailPasswordEnforcementState?: RecaptchaProviderEnforcementState;
+    managedRules?: RecaptchaManagedRule[];
+    recaptchaKeys?: RecaptchaKey[];
+}
+
+// @public
+export interface RecaptchaKey {
+    key: string;
+    type?: RecaptchaKeyClientType;
+}
+
+// @public
+export type RecaptchaKeyClientType = 'WEB';
+
+// @public
+export interface RecaptchaManagedRule {
+    action?: RecaptchaAction;
+    endScore: number;
+}
+
+// @public
+export type RecaptchaProviderEnforcementState = 'OFF' | 'AUDIT' | 'ENFORCE';
+
 // @public
 export interface SAMLAuthProviderConfig extends BaseAuthProviderConfig {
     callbackURL?: string;
@@ -296,6 +324,7 @@ export class Tenant {
     readonly displayName?: string;
     get emailSignInConfig(): EmailSignInProviderConfig | undefined;
     get multiFactorConfig(): MultiFactorConfig | undefined;
+    get recaptchaConfig(): RecaptchaConfig | undefined;
     readonly tenantId: string;
     readonly testPhoneNumbers?: {
         [phoneNumber: string]: string;
@@ -358,6 +387,8 @@ export interface UpdateTenantRequest {
     displayName?: string;
     emailSignInConfig?: EmailSignInProviderConfig;
     multiFactorConfig?: MultiFactorConfig;
+    // (undocumented)
+    recaptchaConfig?: RecaptchaConfig;
     testPhoneNumbers?: {
         [phoneNumber: string]: string;
     } | null;

src/auth/auth-config.ts

@@ -1480,6 +1480,54 @@ export interface RecaptchaManagedRule {
  action?: RecaptchaAction;
 }
 
+export class ManagedRuleAuth implements RecaptchaManagedRule{
+  public readonly endScore: number;
+  public readonly action: RecaptchaAction;
+
+  public static validate(options: RecaptchaManagedRule): void {
+    const validKeys = {
+      endScore: true,
+      action: true,
+    }
+    if (!validator.isNonNullObject(options)) {
+      throw new FirebaseAuthError(
+        AuthClientErrorCode.INVALID_CONFIG,
+        '"RecaptchaManagedRule" must be a non-null object.',
+      );
+    }
+    // Check for unsupported top level attributes.
+    for (const key in options) {
+      if (!(key in validKeys)) {
+        throw new FirebaseAuthError(
+          AuthClientErrorCode.INVALID_CONFIG,
+          `"${key}" is not a valid RecaptchaManagedRule parameter.`,
+        );
+      }
+    }
+
+    // Validate content.
+    if (typeof options.action !== 'undefined' &&
+        options.action !== 'BLOCK') {
+      throw new FirebaseAuthError(
+        AuthClientErrorCode.INVALID_CONFIG,
+        '"RecaptchaManagedRule.action" must be "BLOCK".',
+      );
+    }
+  }
+
+  constructor(response: RecaptchaManagedRule) {
+    if (typeof response.action === 'undefined') {
+      throw new FirebaseAuthError(
+        AuthClientErrorCode.INTERNAL_ERROR,
+        'INTERNAL ASSERT FAILED: Invalid provider-reCAPTCHA configuration response');
+    }
+    this.action = response.action;
+    if (response.endScore !== undefined) {
+      this.endScore = response.endScore;
+    }
+  }
+}
+
 /**
  * The key's platform type: only web supported now.
  */
@@ -1497,22 +1545,116 @@ export interface RecaptchaKey {
   /**
    * The reCAPTCHA site key.
    */
-   key: string;
+  key: string;
 }
 
 export interface RecaptchaConfig {
  /**
   * The enforcement state of email password provider.
   */
- emailPasswordEnforcementState?: RecaptchaProviderEnforcementState;
+  emailPasswordEnforcementState?: RecaptchaProviderEnforcementState;
 
  /**
   *  The reCAPTCHA managed rules.
   */
- managedRules: RecaptchaManagedRule[];
+  managedRules?: RecaptchaManagedRule[];
 
  /**
   * The reCAPTCHA keys.
   */
- recaptchaKeys?: RecaptchaKey[];
+  recaptchaKeys?: RecaptchaKey[];
+}
+
+export class RecaptchaAuthConfig implements RecaptchaConfig {
+  public readonly emailPasswordEnforcementState?: RecaptchaProviderEnforcementState;
+  public readonly managedRules?: RecaptchaManagedRule[];
+  public readonly recaptchaKeys?: RecaptchaKey[];
+
+  constructor(recaptchaConfig: RecaptchaConfig | undefined) {
+    if (recaptchaConfig?.emailPasswordEnforcementState !== undefined) {
+      this.emailPasswordEnforcementState = recaptchaConfig.emailPasswordEnforcementState;
+    }
+    if (recaptchaConfig?.managedRules !== undefined) {
+      this.managedRules = recaptchaConfig.managedRules;
+    }
+    if (recaptchaConfig?.recaptchaKeys !== undefined) {
+      this.recaptchaKeys = recaptchaConfig.recaptchaKeys;
+    }
+  }
+
+  public static validate(options: RecaptchaConfig): void {
+    const validKeys = {
+      emailPasswordEnforcementState: true,
+      managedRules: true,
+      recaptchaKeys: true,
+    };
+
+    if (!validator.isNonNullObject(options)) {
+      throw new FirebaseAuthError(
+        AuthClientErrorCode.INVALID_CONFIG,
+        '"RecaptchaConfig" must be a non-null object.',
+      );
+    }
+
+    for (const key in options) {
+      if (!(key in validKeys)) {
+        throw new FirebaseAuthError(
+          AuthClientErrorCode.INVALID_CONFIG,
+          `"${key}" is not a valid RecaptchaConfig parameter.`,
+        );
+      }
+    }
+
+    // Validation
+    if (options.emailPasswordEnforcementState !== undefined){
+      if (!validator.isNonEmptyString(options.emailPasswordEnforcementState)) {
+        throw new FirebaseAuthError(
+          AuthClientErrorCode.INVALID_ARGUMENT,
+          '"RecaptchaConfig.emailPasswordEnforcementState" must be a valid non-empty string.',)
+      }
+
+      if (options.emailPasswordEnforcementState !== 'OFF' &&
+        options.emailPasswordEnforcementState !== 'AUDIT' &&
+        options.emailPasswordEnforcementState !== 'ENFORCE') {
+        throw new FirebaseAuthError(
+          AuthClientErrorCode.INVALID_CONFIG,
+          '"RecaptchaConfig.emailPasswordEnforcementState" must be either "OFF", "AUDIT" or "ENFORCE".',
+        );
+      }
+    }
+
+    if (typeof options.managedRules !== 'undefined') {
+      // Validate array
+      if (!validator.isArray(options.managedRules)) {
+        throw new FirebaseAuthError(
+          AuthClientErrorCode.INVALID_CONFIG,
+          '"RecaptchaConfig.managedRules" must be an array of valid "RecaptchaManagedRule".',
+        );
+      }
+      // Validate each rule of the array
+      options.managedRules.forEach((managedRule) => {
+        ManagedRuleAuth.validate(managedRule);
+      });
+    }
+  }
+
+  public toJSON(): object {
+    const json: any = {
+      emailPasswordEnforcementState: this.emailPasswordEnforcementState,
+      managedRules: deepCopy(this.managedRules),
+      recaptchaKeys: deepCopy(this.recaptchaKeys)
+    }
+
+    if (typeof json.emailPasswordEnforcementState === 'undefined') {
+      delete json.emailPasswordEnforcementState;
+    }
+    if (typeof json.managedRules === 'undefined') {
+      delete json.managedRules;
+    }
+    if (typeof json.recaptchaKeys === 'undefined') {
+      delete json.recaptchaKeys;
+    }
+
+    return json;
+  }
 }

src/auth/index.ts

@@ -79,6 +79,12 @@ export {
   OAuthResponseType,
   OIDCAuthProviderConfig,
   OIDCUpdateAuthProviderRequest,
+  RecaptchaAction,
+  RecaptchaConfig,
+  RecaptchaKey,
+  RecaptchaKeyClientType,
+  RecaptchaManagedRule,
+  RecaptchaProviderEnforcementState,
   SAMLAuthProviderConfig,
   SAMLUpdateAuthProviderRequest,
   UserProvider,

src/auth/tenant.ts

@@ -21,7 +21,7 @@ import { AuthClientErrorCode, FirebaseAuthError } from '../utils/error';
 import {
   EmailSignInConfig, EmailSignInConfigServerRequest, MultiFactorAuthServerConfig,
   MultiFactorConfig, validateTestPhoneNumbers, EmailSignInProviderConfig,
-  MultiFactorAuthConfig,
+  MultiFactorAuthConfig, RecaptchaAuthConfig, RecaptchaConfig
 } from './auth-config';
 
 /**
@@ -54,6 +54,8 @@ export interface UpdateTenantRequest {
    * Passing null clears the previously save phone number / code pairs.
    */
   testPhoneNumbers?: { [phoneNumber: string]: string } | null;
+
+  recaptchaConfig?: RecaptchaConfig;
 }
 
 /**
@@ -68,6 +70,7 @@ export interface TenantOptionsServerRequest extends EmailSignInConfigServerReque
   enableAnonymousUser?: boolean;
   mfaConfig?: MultiFactorAuthServerConfig;
   testPhoneNumbers?: {[key: string]: string};
+  recaptchaConfig? : RecaptchaConfig;
 }
 
 /** The tenant server response interface. */
@@ -79,6 +82,7 @@ export interface TenantServerResponse {
   enableAnonymousUser?: boolean;
   mfaConfig?: MultiFactorAuthServerConfig;
   testPhoneNumbers?: {[key: string]: string};
+  recaptchaConfig? : RecaptchaConfig;
 }
 
 /**
@@ -123,6 +127,10 @@ export class Tenant {
   private readonly emailSignInConfig_?: EmailSignInConfig;
   private readonly multiFactorConfig_?: MultiFactorAuthConfig;
 
+  /*
+  * The map conatining the reCAPTCHA config.
+  */
+  private readonly recaptchaConfig_?: RecaptchaAuthConfig;
   /**
    * Builds the corresponding server request for a TenantOptions object.
    *
@@ -152,6 +160,9 @@ export class Tenant {
       // null will clear existing test phone numbers. Translate to empty object.
       request.testPhoneNumbers = tenantOptions.testPhoneNumbers ?? {};
     }
+    if (typeof tenantOptions.recaptchaConfig !== 'undefined') {
+      request.recaptchaConfig = tenantOptions.recaptchaConfig;
+    }
     return request;
   }
 
@@ -185,6 +196,7 @@ export class Tenant {
       anonymousSignInEnabled: true,
       multiFactorConfig: true,
       testPhoneNumbers: true,
+      recaptchaConfig: true
     };
     const label = createRequest ? 'CreateTenantRequest' : 'UpdateTenantRequest';
     if (!validator.isNonNullObject(request)) {
@@ -231,6 +243,10 @@ export class Tenant {
       // This will throw an error if invalid.
       MultiFactorAuthConfig.buildServerRequest(request.multiFactorConfig);
     }
+    // Validate reCAPTCHAConfig type if provided.
+    if (typeof request.recaptchaConfig !== 'undefined') {
+      RecaptchaAuthConfig.validate(request.recaptchaConfig);
+    }
   }
 
   /**
@@ -265,6 +281,9 @@ export class Tenant {
     if (typeof response.testPhoneNumbers !== 'undefined') {
       this.testPhoneNumbers = deepCopy(response.testPhoneNumbers || {});
     }
+    if (typeof response.recaptchaConfig !== 'undefined') {
+      this.recaptchaConfig_ = new RecaptchaAuthConfig(response.recaptchaConfig);
+    }
   }
 
   /**
@@ -281,6 +300,13 @@ export class Tenant {
     return this.multiFactorConfig_;
   }
 
+  /**
+   * The recaptcha config auth configuration of the current tenant.
+   */
+  get recaptchaConfig(): RecaptchaConfig | undefined {
+    return this.recaptchaConfig_;
+  }
+
   /**
    * Returns a JSON-serializable representation of this object.
    *
@@ -294,13 +320,17 @@ export class Tenant {
       multiFactorConfig: this.multiFactorConfig_?.toJSON(),
       anonymousSignInEnabled: this.anonymousSignInEnabled,
       testPhoneNumbers: this.testPhoneNumbers,
+      recaptchaConfig: this.recaptchaConfig_?.toJSON(),
     };
     if (typeof json.multiFactorConfig === 'undefined') {
       delete json.multiFactorConfig;
     }
     if (typeof json.testPhoneNumbers === 'undefined') {
       delete json.testPhoneNumbers;
     }
+    if (typeof json.recaptchaConfig === 'undefined') {
+      delete json.recaptchaConfig;
+    }
     return json;
   }
 }