remove opts from beforeemail & decode user record only for beforeCreate and beforeSignIn

blidd-google · blidd-google · commit 9f7b83bfe6e7 · 2024-07-22T17:45:13.000-05:00
diff --git a/spec/v2/providers/identity.spec.ts b/spec/v2/providers/identity.spec.ts
@@ -26,6 +26,9 @@ import { onInit } from "../../../src/v2/core";
 import { MockRequest } from "../../fixtures/mockrequest";
 import { runHandler } from "../../helper";
 
+const IDENTITY_TOOLKIT_API = "identitytoolkit.googleapis.com";
+const REGION = "us-west1";
+
 const BEFORE_CREATE_TRIGGER = {
   eventType: "providers/cloud.auth/eventTypes/user.beforeCreate",
   options: {
@@ -46,18 +49,14 @@ const BEFORE_SIGN_IN_TRIGGER = {
 
 const BEFORE_EMAIL_TRIGGER = {
   eventType: "providers/cloud.auth/eventTypes/user.beforeSendEmail",
-  options: {
-    accessToken: false,
-    idToken: false,
-    refreshToken: false,
-  },
+  options: {},
 };
 
 const opts: identity.BlockingOptions = {
   accessToken: true,
   refreshToken: false,
   minInstances: 1,
-  region: "us-west1",
+  region: REGION,
 };
 
 describe("identity", () => {
@@ -73,7 +72,7 @@ describe("identity", () => {
       });
       expect(fn.__requiredAPIs).to.deep.equal([
         {
-          api: "identitytoolkit.googleapis.com",
+          api: IDENTITY_TOOLKIT_API,
           reason: "Needed for auth blocking functions",
         },
       ]);
@@ -87,7 +86,7 @@ describe("identity", () => {
         platform: "gcfv2",
         labels: {},
         minInstances: 1,
-        region: ["us-west1"],
+        region: [REGION],
         blockingTrigger: {
           ...BEFORE_CREATE_TRIGGER,
           options: {
@@ -98,7 +97,7 @@ describe("identity", () => {
       });
       expect(fn.__requiredAPIs).to.deep.equal([
         {
-          api: "identitytoolkit.googleapis.com",
+          api: IDENTITY_TOOLKIT_API,
           reason: "Needed for auth blocking functions",
         },
       ]);
@@ -138,7 +137,7 @@ describe("identity", () => {
       });
       expect(fn.__requiredAPIs).to.deep.equal([
         {
-          api: "identitytoolkit.googleapis.com",
+          api: IDENTITY_TOOLKIT_API,
           reason: "Needed for auth blocking functions",
         },
       ]);
@@ -152,7 +151,7 @@ describe("identity", () => {
         platform: "gcfv2",
         labels: {},
         minInstances: 1,
-        region: ["us-west1"],
+        region: [REGION],
         blockingTrigger: {
           ...BEFORE_SIGN_IN_TRIGGER,
           options: {
@@ -163,7 +162,7 @@ describe("identity", () => {
       });
       expect(fn.__requiredAPIs).to.deep.equal([
         {
-          api: "identitytoolkit.googleapis.com",
+          api: IDENTITY_TOOLKIT_API,
           reason: "Needed for auth blocking functions",
         },
       ]);
@@ -203,7 +202,7 @@ describe("identity", () => {
       });
       expect(fn.__requiredAPIs).to.deep.equal([
         {
-          api: "identitytoolkit.googleapis.com",
+          api: IDENTITY_TOOLKIT_API,
           reason: "Needed for auth blocking functions",
         },
       ]);
@@ -218,7 +217,7 @@ describe("identity", () => {
       platform: "gcfv2",
       labels: {},
       minInstances: 1,
-      region: ["us-west1"],
+      region: [REGION],
       blockingTrigger: {
         ...BEFORE_EMAIL_TRIGGER,
         options: {
@@ -229,7 +228,7 @@ describe("identity", () => {
     });
     expect(fn.__requiredAPIs).to.deep.equal([
       {
-        api: "identitytoolkit.googleapis.com",
+        api: IDENTITY_TOOLKIT_API,
         reason: "Needed for auth blocking functions",
       },
     ]);
@@ -247,7 +246,7 @@ describe("identity", () => {
       });
       expect(fn.__requiredAPIs).to.deep.equal([
         {
-          api: "identitytoolkit.googleapis.com",
+          api: IDENTITY_TOOLKIT_API,
           reason: "Needed for auth blocking functions",
         },
       ]);
@@ -264,7 +263,7 @@ describe("identity", () => {
       });
       expect(fn.__requiredAPIs).to.deep.equal([
         {
-          api: "identitytoolkit.googleapis.com",
+          api: IDENTITY_TOOLKIT_API,
           reason: "Needed for auth blocking functions",
         },
       ]);
@@ -281,7 +280,7 @@ describe("identity", () => {
       });
       expect(fn.__requiredAPIs).to.deep.equal([
         {
-          api: "identitytoolkit.googleapis.com",
+          api: IDENTITY_TOOLKIT_API,
           reason: "Needed for auth blocking functions",
         },
       ]);
@@ -295,7 +294,7 @@ describe("identity", () => {
         platform: "gcfv2",
         labels: {},
         minInstances: 1,
-        region: ["us-west1"],
+        region: [REGION],
         blockingTrigger: {
           ...BEFORE_CREATE_TRIGGER,
           options: {
@@ -306,7 +305,7 @@ describe("identity", () => {
       });
       expect(fn.__requiredAPIs).to.deep.equal([
         {
-          api: "identitytoolkit.googleapis.com",
+          api: IDENTITY_TOOLKIT_API,
           reason: "Needed for auth blocking functions",
         },
       ]);
@@ -320,7 +319,7 @@ describe("identity", () => {
         platform: "gcfv2",
         labels: {},
         minInstances: 1,
-        region: ["us-west1"],
+        region: [REGION],
         blockingTrigger: {
           ...BEFORE_SIGN_IN_TRIGGER,
           options: {
@@ -331,7 +330,7 @@ describe("identity", () => {
       });
       expect(fn.__requiredAPIs).to.deep.equal([
         {
-          api: "identitytoolkit.googleapis.com",
+          api: IDENTITY_TOOLKIT_API,
           reason: "Needed for auth blocking functions",
         },
       ]);
@@ -345,7 +344,7 @@ describe("identity", () => {
         platform: "gcfv2",
         labels: {},
         minInstances: 1,
-        region: ["us-west1"],
+        region: [REGION],
         blockingTrigger: {
           ...BEFORE_EMAIL_TRIGGER,
           options: {
@@ -356,7 +355,7 @@ describe("identity", () => {
       });
       expect(fn.__requiredAPIs).to.deep.equal([
         {
-          api: "identitytoolkit.googleapis.com",
+          api: IDENTITY_TOOLKIT_API,
           reason: "Needed for auth blocking functions",
         },
       ]);
diff --git a/src/common/providers/identity.ts b/src/common/providers/identity.ts
@@ -349,6 +349,7 @@ export interface AuthBlockingEvent extends AuthEventContext {
 /** The reCAPTCHA action options. */
 export type RecaptchaActionOptions = "ALLOW" | "BLOCK";
 
+/** The handler response type for `beforeEmailSent` blocking events */
 export interface BeforeEmailResponse {
   recaptchaActionOverride?: RecaptchaActionOptions;
 }
@@ -399,7 +400,6 @@ interface DecodedPayloadUserRecordEnrolledFactors {
 export interface DecodedPayloadUserRecord {
   uid: string;
   email?: string;
-  email_type?: string;
   email_verified?: boolean;
   phone_number?: string;
   display_name?: string;
@@ -476,8 +476,9 @@ export type HandlerV2 = (
   event: AuthBlockingEvent
 ) => MaybeAsync<BeforeCreateResponse | BeforeSignInResponse | BeforeEmailResponse | void>;
 
-export type AgnosticHandler = (HandlerV1 | HandlerV2) & {
-  platform: string;
+export type AuthBlockingEventHandler = (HandlerV1 | HandlerV2) & {
+  // Specify the GCF gen of the trigger that the auth blocking event handler was written for
+  platform: "gcfv1" | "gcfv2";
 };
 
 /**
@@ -846,7 +847,7 @@ export function getUpdateMask(authResponse?: BeforeCreateResponse | BeforeSignIn
 }
 
 /** @internal */
-export function wrapHandler(eventType: AuthBlockingEventType, handler: AgnosticHandler) {
+export function wrapHandler(eventType: AuthBlockingEventType, handler: AuthBlockingEventHandler) {
   return async (req: express.Request, res: express.Response): Promise<void> => {
     try {
       const projectId = process.env.GCLOUD_PROJECT;
@@ -867,7 +868,10 @@ export function wrapHandler(eventType: AuthBlockingEventType, handler: AgnosticH
         ? await auth.getAuth(getApp())._verifyAuthBlockingToken(req.body.data.jwt)
         : await auth.getAuth(getApp())._verifyAuthBlockingToken(req.body.data.jwt, "run.app");
       let authUserRecord: AuthUserRecord | undefined;
-      if (decodedPayload.user_record) {
+      if (
+        decodedPayload.event_type === "beforeCreate" ||
+        decodedPayload.event_type === "beforeSignIn"
+      ) {
         authUserRecord = parseAuthUserRecord(decodedPayload.user_record);
       }
       const authEventContext = parseAuthEventContext(decodedPayload, projectId);
diff --git a/src/v1/providers/auth.ts b/src/v1/providers/auth.ts
@@ -27,7 +27,6 @@ import {
   BeforeCreateResponse,
   BeforeEmailResponse,
   BeforeSignInResponse,
-  AgnosticHandler,
   HandlerV1,
   HttpsError,
   MaybeAsync,
@@ -204,7 +203,7 @@ export class UserBuilder {
     const idToken = this.userOptions?.blockingOptions?.idToken || false;
     const refreshToken = this.userOptions?.blockingOptions?.refreshToken || false;
 
-    const annotatedHandler: AgnosticHandler = Object.assign(handler, { platform: "gcfv1" });
+    const annotatedHandler = Object.assign(handler, { platform: "gcfv1" as const });
     const func: any = wrapHandler(eventType, annotatedHandler);
 
     const legacyEventType = `providers/cloud.auth/eventTypes/user.${eventType}`;
diff --git a/src/v2/providers/identity.ts b/src/v2/providers/identity.ts
@@ -36,7 +36,6 @@ import {
   HttpsError,
   wrapHandler,
   MaybeAsync,
-  AgnosticHandler,
 } from "../../common/providers/identity";
 import { BlockingFunction } from "../../v1/cloud-functions";
 import { wrapTraceContext } from "../trace";
@@ -243,7 +242,7 @@ export function beforeEmailSent(
  * @param handler - Event handler that is run before an email is sent to a user.
  */
 export function beforeEmailSent(
-  opts: BlockingOptions,
+  opts: Omit<BlockingOptions, "idToken" | "accessToken" | "refreshToken">,
   handler: (event: AuthBlockingEvent) => MaybeAsync<BeforeEmailResponse | void>
 ): BlockingFunction;
 
@@ -254,7 +253,7 @@ export function beforeEmailSent(
  */
 export function beforeEmailSent(
   optsOrHandler:
-    | BlockingOptions
+    | Omit<BlockingOptions, "idToken" | "accessToken" | "refreshToken">
     | ((event: AuthBlockingEvent) => MaybeAsync<BeforeEmailResponse | void>),
   handler?: (event: AuthBlockingEvent) => MaybeAsync<BeforeEmailResponse | void>
 ): BlockingFunction {
@@ -283,7 +282,7 @@ export function beforeOperation(
   // Create our own function that just calls the provided function so we know for sure that
   // handler takes one argument. This is something common/providers/identity depends on.
   // const wrappedHandler = (event: AuthBlockingEvent) => handler(event);
-  const annotatedHandler: AgnosticHandler = Object.assign(handler, { platform: "gcfv2" });
+  const annotatedHandler = Object.assign(handler, { platform: "gcfv2" as const });
   const func: any = wrapTraceContext(withInit(wrapHandler(eventType, annotatedHandler)));
 
   const legacyEventType = `providers/cloud.auth/eventTypes/user.${eventType}`;
