feat: add identity triggers (#9)

Author: Lyokone

example/basic/lib/main.dart

@@ -317,6 +317,100 @@ void main(List<String> args) {
       },
     );
 
+    // ==========================================================================
+    // Identity Platform (Auth Blocking) trigger examples
+    // ==========================================================================
+
+    // Before user created - runs before a new user is created
+    firebase.identity.beforeUserCreated(
+      options: const BlockingOptions(
+        idToken: true,
+        accessToken: true,
+      ),
+      (AuthBlockingEvent event) async {
+        final user = event.data;
+        print('Before user created:');
+        print('  UID: ${user?.uid}');
+        print('  Email: ${user?.email}');
+        print('  Provider: ${event.additionalUserInfo?.providerId}');
+
+        // Example: Block users with certain email domains
+        final email = user?.email;
+        if (email != null && email.endsWith('@blocked.com')) {
+          throw PermissionDeniedError('Email domain not allowed');
+        }
+
+        // Example: Set custom claims based on email domain
+        if (email != null && email.endsWith('@admin.com')) {
+          return const BeforeCreateResponse(
+            customClaims: {'admin': true},
+          );
+        }
+
+        return null;
+      },
+    );
+
+    // Before user signed in - runs before a user signs in
+    firebase.identity.beforeUserSignedIn(
+      options: const BlockingOptions(
+        idToken: true,
+      ),
+      (AuthBlockingEvent event) async {
+        final user = event.data;
+        print('Before user signed in:');
+        print('  UID: ${user?.uid}');
+        print('  Email: ${user?.email}');
+        print('  IP Address: ${event.ipAddress}');
+
+        // Example: Add session claims for tracking
+        return BeforeSignInResponse(
+          sessionClaims: {
+            'lastLogin': DateTime.now().toIso8601String(),
+            'signInIp': event.ipAddress,
+          },
+        );
+      },
+    );
+
+    // Before email sent - runs before password reset or sign-in emails
+    firebase.identity.beforeEmailSent(
+      (AuthBlockingEvent event) async {
+        print('Before email sent:');
+        print('  Email Type: ${event.emailType?.value}');
+        print('  IP Address: ${event.ipAddress}');
+
+        // Example: Rate limit password reset emails
+        // In production, you'd check against a database
+        if (event.emailType == EmailType.passwordReset) {
+          // Could return BeforeEmailResponse(
+          //   recaptchaActionOverride: RecaptchaActionOptions.block,
+          // ) to block suspicious requests
+        }
+
+        return null;
+      },
+    );
+
+    // Before SMS sent - runs before MFA or sign-in SMS messages
+    firebase.identity.beforeSmsSent(
+      (AuthBlockingEvent event) async {
+        print('Before SMS sent:');
+        print('  SMS Type: ${event.smsType?.value}');
+        print('  Phone: ${event.additionalUserInfo?.phoneNumber}');
+
+        // Example: Block SMS to certain country codes
+        final phone = event.additionalUserInfo?.phoneNumber;
+        if (phone != null && phone.startsWith('+1900')) {
+          return const BeforeSmsResponse(
+            recaptchaActionOverride: RecaptchaActionOptions.block,
+          );
+        }
+
+        return null;
+      },
+    );
+
     print('Functions registered successfully!');
   });
 }

lib/builder.dart

@@ -36,6 +36,8 @@ class _TypeCheckers {
       TypeChecker.fromRuntime(ff.AppDistributionNamespace);
   static final performanceNamespace =
       TypeChecker.fromRuntime(ff.PerformanceNamespace);
+  static final identityNamespace =
+      TypeChecker.fromRuntime(ff.IdentityNamespace);
 }
 
 /// The main builder that generates functions.yaml.
@@ -179,6 +181,11 @@ class _FirebaseFunctionsVisitor extends RecursiveAstVisitor<void> {
       _extractPerformanceAlertFunction(node, methodName);
     }
 
+    // Check for Identity function declarations
+    if (target != null && _isIdentityNamespace(target)) {
+      _extractIdentityFunction(node, methodName);
+    }
+
     // Check for parameter definitions (top-level function calls with no target)
     if (target == null && _isParamDefinition(methodName)) {
       _extractParameterFromMethod(node, methodName);
@@ -325,6 +332,13 @@ class _FirebaseFunctionsVisitor extends RecursiveAstVisitor<void> {
     return _TypeCheckers.performanceNamespace.isExactlyType(staticType);
   }
 
+  /// Checks if the target is firebase.identity.
+  bool _isIdentityNamespace(Expression target) {
+    final staticType = target.staticType;
+    if (staticType == null) return false;
+    return _TypeCheckers.identityNamespace.isExactlyType(staticType);
+  }
+
   /// Checks if this is a parameter definition function.
   bool _isParamDefinition(String name) =>
       name == 'defineString' ||
@@ -585,6 +599,60 @@ class _FirebaseFunctionsVisitor extends RecursiveAstVisitor<void> {
     );
   }
 
+  /// Extracts an Identity function declaration.
+  void _extractIdentityFunction(MethodInvocation node, String methodName) {
+    // Map method names to event types
+    final eventType = switch (methodName) {
+      'beforeUserCreated' => 'beforeCreate',
+      'beforeUserSignedIn' => 'beforeSignIn',
+      'beforeEmailSent' => 'beforeSendEmail',
+      'beforeSmsSent' => 'beforeSendSms',
+      _ => null,
+    };
+
+    if (eventType == null) return;
+
+    // Extract options if present
+    final optionsArg = _findNamedArg(node, 'options');
+    bool? idToken;
+    bool? accessToken;
+    bool? refreshToken;
+
+    if (optionsArg is InstanceCreationExpression) {
+      idToken = _extractBoolField(optionsArg, 'idToken');
+      accessToken = _extractBoolField(optionsArg, 'accessToken');
+      refreshToken = _extractBoolField(optionsArg, 'refreshToken');
+    }
+
+    // Function name is the event type
+    final functionName = eventType;
+
+    endpoints[functionName] = _EndpointSpec(
+      name: functionName,
+      type: 'blocking',
+      blockingEventType: eventType,
+      idToken: idToken,
+      accessToken: accessToken,
+      refreshToken: refreshToken,
+      options: optionsArg is InstanceCreationExpression ? optionsArg : null,
+      variableToParamName: _variableToParamName,
+    );
+  }
+
+  /// Extracts a boolean field from an InstanceCreationExpression.
+  bool? _extractBoolField(InstanceCreationExpression node, String fieldName) {
+    final arg = node.argumentList.arguments
+        .whereType<NamedExpression>()
+        .where((e) => e.name.label.name == fieldName)
+        .map((e) => e.expression)
+        .firstOrNull;
+
+    if (arg is BooleanLiteral) {
+      return arg.value;
+    }
+    return null;
+  }
+
   /// Extracts alert type value from an expression.
   String? _extractAlertTypeValue(Expression expression) {
     if (expression is InstanceCreationExpression) {
@@ -816,11 +884,15 @@ class _EndpointSpec {
     this.instance,
     this.alertType,
     this.appId,
+    this.blockingEventType,
+    this.idToken,
+    this.accessToken,
+    this.refreshToken,
     this.options,
     this.variableToParamName = const {},
   });
   final String name;
-  // 'https', 'callable', 'pubsub', 'firestore', 'database', 'alert'
+  // 'https', 'callable', 'pubsub', 'firestore', 'database', 'alert', 'blocking'
   final String type;
   final String? topic; // For Pub/Sub functions
   final String? firestoreEventType; // For Firestore: onDocumentCreated, etc.
@@ -832,6 +904,10 @@ class _EndpointSpec {
   final String? instance; // For Database: database instance or '*'
   final String? alertType; // For Alerts: crashlytics.newFatalIssue, etc.
   final String? appId; // For Alerts: optional app ID filter
+  final String? blockingEventType; // For Identity: beforeCreate, etc.
+  final bool? idToken; // For Identity: pass ID token
+  final bool? accessToken; // For Identity: pass access token
+  final bool? refreshToken; // For Identity: pass refresh token
   final InstanceCreationExpression? options;
   final Map<String, String> variableToParamName;
 
@@ -1375,6 +1451,13 @@ String _generateYaml(
   buffer.writeln('requiredAPIs:');
   buffer.writeln('  - api: "cloudfunctions.googleapis.com"');
   buffer.writeln('    reason: "Required for Cloud Functions"');
+  // Add identitytoolkit API if there are blocking functions
+  final hasBlockingFunctions =
+      endpoints.values.any((e) => e.type == 'blocking');
+  if (hasBlockingFunctions) {
+    buffer.writeln('  - api: "identitytoolkit.googleapis.com"');
+    buffer.writeln('    reason: "Needed for auth blocking functions"');
+  }
   buffer.writeln();
 
   // Generate endpoints section
@@ -1578,6 +1661,30 @@ String _generateYaml(
           buffer.writeln('        appid: "${endpoint.appId}"');
         }
         buffer.writeln('      retry: false');
+      } else if (endpoint.type == 'blocking' &&
+          endpoint.blockingEventType != null) {
+        buffer.writeln('    blockingTrigger:');
+        buffer.writeln(
+          '      eventType: "providers/cloud.auth/eventTypes/user.${endpoint.blockingEventType}"',
+        );
+
+        // Only include token options for beforeCreate and beforeSignIn
+        final isAuthEvent = endpoint.blockingEventType == 'beforeCreate' ||
+            endpoint.blockingEventType == 'beforeSignIn';
+        if (isAuthEvent) {
+          buffer.writeln('      options:');
+          if (endpoint.idToken ?? false) {
+            buffer.writeln('        idToken: true');
+          }
+          if (endpoint.accessToken ?? false) {
+            buffer.writeln('        accessToken: true');
+          }
+          if (endpoint.refreshToken ?? false) {
+            buffer.writeln('        refreshToken: true');
+          }
+        } else {
+          buffer.writeln('      options: {}');
+        }
       }
     }
   }

lib/firebase_functions.dart

@@ -77,6 +77,8 @@ export 'src/firebase.dart' show Firebase;
 export 'src/firestore/firestore.dart';
 // HTTPS triggers
 export 'src/https/https.dart';
+// Identity triggers
+export 'src/identity/identity.dart';
 // Pub/Sub triggers
 export 'src/pubsub/pubsub.dart';
 // Core runtime

lib/src/firebase.dart

@@ -9,6 +9,7 @@ import 'alerts/alerts_namespace.dart';
 import 'database/database_namespace.dart';
 import 'firestore/firestore_namespace.dart';
 import 'https/https_namespace.dart';
+import 'identity/identity_namespace.dart';
 import 'pubsub/pubsub_namespace.dart';
 
 /// Main Firebase Functions instance.
@@ -81,6 +82,9 @@ class Firebase {
 
   /// Firebase Alerts namespace.
   AlertsNamespace get alerts => AlertsNamespace(this);
+
+  /// Identity Platform namespace.
+  IdentityNamespace get identity => IdentityNamespace(this);
 }
 
 /// Extension for internal function registration.