Merge master into release

Author: google-oss-bot

.changeset/afraid-waves-remember.md

@@ -0,0 +1,5 @@
+---
+"@firebase/auth": patch
+---
+
+Fix FetchProvider in non-browser environments, by trying to get the `fetch` implementation from not only `self` but also standard `globalThis`.

.changeset/flat-eagles-obey.md

@@ -0,0 +1,2 @@
+---
+---

.changeset/khaki-apricots-doubt.md

@@ -0,0 +1,6 @@
+---
+'@firebase/auth': patch
+---
+
+Create getProviderEnforcementState method to get reCAPTCHA Enterprise enforcement state of a provider.
+This is an internal code change preparing for future features.

.changeset/lucky-dragons-juggle.md

@@ -0,0 +1,5 @@
+---
+'@firebase/auth': patch
+---
+
+Create handleRecaptchaFlow helper method

.changeset/quick-otters-applaud.md

@@ -0,0 +1,5 @@
+---
+'@firebase/firestore': patch
+---
+
+Clarify method documentation.

.github/workflows/test-changed-firestore-integration.yml

@@ -16,6 +16,7 @@ jobs:
     - uses: 'google-github-actions/auth@v0'
       with:
         credentials_json: '${{ secrets.JSSDK_ACTIONS_SA_KEY }}'
+    
     # create composite indexes with Terraform
     - name: Setup Terraform 
       uses: hashicorp/setup-terraform@v2
@@ -29,8 +30,21 @@ jobs:
       if: github.event_name == 'pull_request'
       run: |
         cd packages/firestore
-        terraform apply -var-file=../../config/project.json -auto-approve
+
+        # Define a temporary file, redirect both stdout and stderr to it
+        output_file=$(mktemp)
+        if ! terraform apply -var-file=../../config/project.json -auto-approve > "$output_file" 2>&1 ; then
+          cat "$output_file"
+          if cat "$output_file" | grep -q "index already exists"; then
+            echo "==================================================================================="
+            echo -e "\e[93m\e[1mTerraform apply failed due to index already exists; We can safely ignore this error.\e[0m"
+            echo "==================================================================================="
+          fi
+          exit 1
+        fi
+        rm -f "$output_file"
       continue-on-error: true
+
     - name: Set up Node (16)
       uses: actions/setup-node@v3
       with:

.gitignore

@@ -97,4 +97,4 @@ toc/
 .terraform/*
 .terraform.lock.hcl
 *.tfstate
-*.tfstate.*
+*.tfstate.*

common/api-review/firestore.api.md

@@ -299,15 +299,15 @@ export function getDocsFromCache<AppModelType, DbModelType extends DocumentData>
 // @public
 export function getDocsFromServer<AppModelType, DbModelType extends DocumentData>(query: Query<AppModelType, DbModelType>): Promise<QuerySnapshot<AppModelType, DbModelType>>;
 
+// @public
+export function getFirestore(): Firestore;
+
 // @public
 export function getFirestore(app: FirebaseApp): Firestore;
 
 // @beta
 export function getFirestore(databaseId: string): Firestore;
 
-// @public
-export function getFirestore(): Firestore;
-
 // @beta
 export function getFirestore(app: FirebaseApp, databaseId: string): Firestore;
 

docs-devsite/app-check.md

@@ -155,7 +155,7 @@ export declare function onTokenChanged(appCheckInstance: AppCheck, onNext: (toke
 |  Parameter | Type | Description |
 |  --- | --- | --- |
 |  appCheckInstance | [AppCheck](./app-check.appcheck.md#appcheck_interface) | The App Check service instance. |
-|  onNext | (tokenResult: [AppCheckTokenResult](./app-check.appchecktokenresult.md#appchecktokenresult_interface)<!-- -->) =&gt; void | When the token changes, this function is called with aa [AppCheckTokenResult](./app-check.appchecktokenresult.md#appchecktokenresult_interface)<!-- -->. |
+|  onNext | (tokenResult: [AppCheckTokenResult](./app-check.appchecktokenresult.md#appchecktokenresult_interface)<!-- -->) =&gt; void | When the token changes, this function is called with an [AppCheckTokenResult](./app-check.appchecktokenresult.md#appchecktokenresult_interface)<!-- -->. |
 |  onError | (error: Error) =&gt; void | Optional. Called if there is an error thrown by the listener (the <code>onNext</code> function). |
 |  onCompletion | () =&gt; void | Currently unused, as the token stream is unending. |
 

docs-devsite/firestore_.md

@@ -17,7 +17,7 @@ https://github.com/firebase/firebase-js-sdk
 |  --- | --- |
 |  <b>function(app...)</b> |
 |  [getFirestore(app)](./firestore_.md#getfirestore) | Returns the existing default [Firestore](./firestore_.firestore.md#firestore_class) instance that is associated with the provided [FirebaseApp](./app.firebaseapp.md#firebaseapp_interface)<!-- -->. If no instance exists, initializes a new instance with default settings. |
-|  [getFirestore(app, databaseId)](./firestore_.md#getfirestore) | <b><i>(BETA)</i></b> Returns the existing default [Firestore](./firestore_.firestore.md#firestore_class) instance that is associated with the provided [FirebaseApp](./app.firebaseapp.md#firebaseapp_interface)<!-- -->. If no instance exists, initializes a new instance with default settings. |
+|  [getFirestore(app, databaseId)](./firestore_.md#getfirestore) | <b><i>(BETA)</i></b> Returns the existing named [Firestore](./firestore_.firestore.md#firestore_class) instance that is associated with the provided [FirebaseApp](./app.firebaseapp.md#firebaseapp_interface)<!-- -->. If no instance exists, initializes a new instance with default settings. |
 |  [initializeFirestore(app, settings, databaseId)](./firestore_.md#initializefirestore) | Initializes a new instance of [Firestore](./firestore_.firestore.md#firestore_class) with the provided settings. Can only be called before any other function, including [getFirestore()](./firestore_.md#getfirestore)<!-- -->. If the custom settings are empty, this function is equivalent to calling [getFirestore()](./firestore_.md#getfirestore)<!-- -->. |
 |  <b>function(firestore...)</b> |
 |  [clearIndexedDbPersistence(firestore)](./firestore_.md#clearindexeddbpersistence) | Clears the persistent storage. This includes pending writes and cached documents.<!-- -->Must be called while the [Firestore](./firestore_.firestore.md#firestore_class) instance is not started (after the app is terminated or when the app is first initialized). On startup, this function must be called before other functions (other than [initializeFirestore()](./firestore_.md#initializefirestore) or [getFirestore()](./firestore_.md#getfirestore)<!-- -->)). If the [Firestore](./firestore_.firestore.md#firestore_class) instance is still running, the promise will be rejected with the error code of <code>failed-precondition</code>.<!-- -->Note: <code>clearIndexedDbPersistence()</code> is primarily intended to help write reliable tests that use Cloud Firestore. It uses an efficient mechanism for dropping existing data but does not attempt to securely overwrite or otherwise make cached data unrecoverable. For applications that are sensitive to the disclosure of cached data in between user sessions, we strongly recommend not enabling persistence at all. |
@@ -49,7 +49,7 @@ https://github.com/firebase/firebase-js-sdk
 |  [persistentMultipleTabManager()](./firestore_.md#persistentmultipletabmanager) | Creates an instance of <code>PersistentMultipleTabManager</code>. |
 |  [serverTimestamp()](./firestore_.md#servertimestamp) | Returns a sentinel used with [setDoc()](./firestore_lite.md#setdoc) or [updateDoc()](./firestore_lite.md#updatedoc) to include a server-generated timestamp in the written data. |
 |  <b>function(databaseId...)</b> |
-|  [getFirestore(databaseId)](./firestore_.md#getfirestore) | <b><i>(BETA)</i></b> Returns the existing [Firestore](./firestore_.firestore.md#firestore_class) instance that is associated with the default [FirebaseApp](./app.firebaseapp.md#firebaseapp_interface)<!-- -->. If no instance exists, initializes a new instance with default settings. |
+|  [getFirestore(databaseId)](./firestore_.md#getfirestore) | <b><i>(BETA)</i></b> Returns the existing named [Firestore](./firestore_.firestore.md#firestore_class) instance that is associated with the default [FirebaseApp](./app.firebaseapp.md#firebaseapp_interface)<!-- -->. If no instance exists, initializes a new instance with default settings. |
 |  <b>function(elements...)</b> |
 |  [arrayRemove(elements)](./firestore_.md#arrayremove) | Returns a special value that can be used with [setDoc()](./firestore_.md#setdoc) or  that tells the server to remove the given elements from any array value that already exists on the server. All instances of each element specified will be removed from the array. If the field being modified is not already an array it will be overwritten with an empty array. |
 |  [arrayUnion(elements)](./firestore_.md#arrayunion) | Returns a special value that can be used with [setDoc()](./firestore_lite.md#setdoc) or [updateDoc()](./firestore_lite.md#updatedoc) that tells the server to union the given elements with any array value that already exists on the server. Each specified element that doesn't already exist in the array will be added to the end. If the field being modified is not already an array it will be overwritten with an array containing exactly the specified elements. |
@@ -240,14 +240,14 @@ export declare function getFirestore(app: FirebaseApp): Firestore;
 
 [Firestore](./firestore_.firestore.md#firestore_class)
 
-The [Firestore](./firestore_.firestore.md#firestore_class) instance of the provided app.
+The default [Firestore](./firestore_.firestore.md#firestore_class) instance of the provided app.
 
 ## getFirestore()
 
 > This API is provided as a preview for developers and may change based on feedback that we receive. Do not use this API in a production environment.
 > 
 
-Returns the existing default [Firestore](./firestore_.firestore.md#firestore_class) instance that is associated with the provided [FirebaseApp](./app.firebaseapp.md#firebaseapp_interface)<!-- -->. If no instance exists, initializes a new instance with default settings.
+Returns the existing named [Firestore](./firestore_.firestore.md#firestore_class) instance that is associated with the provided [FirebaseApp](./app.firebaseapp.md#firebaseapp_interface)<!-- -->. If no instance exists, initializes a new instance with default settings.
 
 <b>Signature:</b>
 
@@ -266,7 +266,7 @@ export declare function getFirestore(app: FirebaseApp, databaseId: string): Fire
 
 [Firestore](./firestore_.firestore.md#firestore_class)
 
-The [Firestore](./firestore_.firestore.md#firestore_class) instance of the provided app.
+The named [Firestore](./firestore_.firestore.md#firestore_class) instance of the provided app.
 
 ## initializeFirestore()
 
@@ -901,7 +901,7 @@ export declare function getFirestore(): Firestore;
 
 [Firestore](./firestore_.firestore.md#firestore_class)
 
-The [Firestore](./firestore_.firestore.md#firestore_class) instance of the provided app.
+The default [Firestore](./firestore_.firestore.md#firestore_class) instance of the default app.
 
 ## memoryEagerGarbageCollector()
 
@@ -947,7 +947,7 @@ export declare function serverTimestamp(): FieldValue;
 > This API is provided as a preview for developers and may change based on feedback that we receive. Do not use this API in a production environment.
 > 
 
-Returns the existing [Firestore](./firestore_.firestore.md#firestore_class) instance that is associated with the default [FirebaseApp](./app.firebaseapp.md#firebaseapp_interface)<!-- -->. If no instance exists, initializes a new instance with default settings.
+Returns the existing named [Firestore](./firestore_.firestore.md#firestore_class) instance that is associated with the default [FirebaseApp](./app.firebaseapp.md#firebaseapp_interface)<!-- -->. If no instance exists, initializes a new instance with default settings.
 
 <b>Signature:</b>
 
@@ -965,7 +965,7 @@ export declare function getFirestore(databaseId: string): Firestore;
 
 [Firestore](./firestore_.firestore.md#firestore_class)
 
-The [Firestore](./firestore_.firestore.md#firestore_class) instance of the provided app.
+The named [Firestore](./firestore_.firestore.md#firestore_class) instance of the default app.
 
 ## arrayRemove()
 

integration/firestore/gulpfile.js

@@ -42,6 +42,7 @@ function copyTests() {
     .src(
       [
         testBase + '/integration/api/*.ts',
+        testBase + '/integration/util/composite_index_test_helper.ts',
         testBase + '/integration/util/events_accumulator.ts',
         testBase + '/integration/util/helpers.ts',
         testBase + '/integration/util/settings.ts',

packages/app-check/src/api.ts

@@ -259,7 +259,7 @@ export function onTokenChanged(
  * the current token associated with this App Check instance changes.
  *
  * @param appCheckInstance - The App Check service instance.
- * @param onNext - When the token changes, this function is called with aa
+ * @param onNext - When the token changes, this function is called with an
  * {@link AppCheckTokenResult}.
  * @param onError - Optional. Called if there is an error thrown by the
  * listener (the `onNext` function).

packages/auth/src/api/authentication/recaptcha.ts

@@ -48,14 +48,14 @@ interface GetRecaptchaConfigRequest {
   version?: RecaptchaVersion;
 }
 
-interface RecaptchaEnforcementState {
+export interface RecaptchaEnforcementProviderState {
   provider: string;
   enforcementState: string;
 }
 
 export interface GetRecaptchaConfigResponse {
   recaptchaKey: string;
-  recaptchaEnforcementState: RecaptchaEnforcementState[];
+  recaptchaEnforcementState: RecaptchaEnforcementProviderState[];
 }
 
 export async function getRecaptchaConfig(

packages/auth/src/api/index.ts

@@ -87,6 +87,18 @@ export const enum RecaptchaActionName {
   SIGN_UP_PASSWORD = 'signUpPassword'
 }
 
+export const enum EnforcementState {
+  ENFORCE = 'ENFORCE',
+  AUDIT = 'AUDIT',
+  OFF = 'OFF',
+  ENFORCEMENT_STATE_UNSPECIFIED = 'ENFORCEMENT_STATE_UNSPECIFIED'
+}
+
+// Providers that have reCAPTCHA Enterprise support.
+export const enum RecaptchaProvider {
+  EMAIL_PASSWORD_PROVIDER = 'EMAIL_PASSWORD_PROVIDER'
+}
+
 export const DEFAULT_API_TIMEOUT_MS = new Delay(30_000, 60_000);
 
 export function _addTidIfNecessary<T extends { tenantId?: string }>(
@@ -245,6 +257,21 @@ export function _getFinalTarget(
   return _emulatorUrl(auth.config as ConfigInternal, base);
 }
 
+export function _parseEnforcementState(
+  enforcementStateStr: string
+): EnforcementState {
+  switch (enforcementStateStr) {
+    case 'ENFORCE':
+      return EnforcementState.ENFORCE;
+    case 'AUDIT':
+      return EnforcementState.AUDIT;
+    case 'OFF':
+      return EnforcementState.OFF;
+    default:
+      return EnforcementState.ENFORCEMENT_STATE_UNSPECIFIED;
+  }
+}
+
 class NetworkTimeout<T> {
   // Node timers and browser timers are fundamentally incompatible, but we
   // don't care about the value here

packages/auth/src/core/auth/auth_impl.test.ts

@@ -710,11 +710,21 @@ describe('core/auth/auth_impl', () => {
       ]
     };
     const cachedRecaptchaConfigEnforce = {
-      emailPasswordEnabled: true,
+      recaptchaEnforcementState: [
+        {
+          'enforcementState': 'ENFORCE',
+          'provider': 'EMAIL_PASSWORD_PROVIDER'
+        }
+      ],
       siteKey: 'site-key'
     };
     const cachedRecaptchaConfigOFF = {
-      emailPasswordEnabled: false,
+      recaptchaEnforcementState: [
+        {
+          'enforcementState': 'OFF',
+          'provider': 'EMAIL_PASSWORD_PROVIDER'
+        }
+      ],
       siteKey: 'site-key'
     };
 

packages/auth/src/core/credentials/email.ts

@@ -31,7 +31,7 @@ import { IdTokenResponse } from '../../model/id_token';
 import { AuthErrorCode } from '../errors';
 import { _fail } from '../util/assert';
 import { AuthCredential } from './auth_credential';
-import { injectRecaptchaFields } from '../../platform_browser/recaptcha/recaptcha_enterprise_verifier';
+import { handleRecaptchaFlow } from '../../platform_browser/recaptcha/recaptcha_enterprise_verifier';
 import { RecaptchaActionName, RecaptchaClientType } from '../../api';
 /**
  * Interface that represents the credentials returned by {@link EmailAuthProvider} for
@@ -123,32 +123,12 @@ export class EmailAuthCredential extends AuthCredential {
           password: this._password,
           clientType: RecaptchaClientType.WEB
         };
-        if (auth._getRecaptchaConfig()?.emailPasswordEnabled) {
-          const requestWithRecaptcha = await injectRecaptchaFields(
-            auth,
-            request,
-            RecaptchaActionName.SIGN_IN_WITH_PASSWORD
-          );
-          return signInWithPassword(auth, requestWithRecaptcha);
-        } else {
-          return signInWithPassword(auth, request).catch(async error => {
-            if (
-              error.code === `auth/${AuthErrorCode.MISSING_RECAPTCHA_TOKEN}`
-            ) {
-              console.log(
-                'Sign-in with email address and password is protected by reCAPTCHA for this project. Automatically triggering the reCAPTCHA flow and restarting the sign-in flow.'
-              );
-              const requestWithRecaptcha = await injectRecaptchaFields(
-                auth,
-                request,
-                RecaptchaActionName.SIGN_IN_WITH_PASSWORD
-              );
-              return signInWithPassword(auth, requestWithRecaptcha);
-            } else {
-              return Promise.reject(error);
-            }
-          });
-        }
+        return handleRecaptchaFlow(
+          auth,
+          request,
+          RecaptchaActionName.SIGN_IN_WITH_PASSWORD,
+          signInWithPassword
+        );
       case SignInMethod.EMAIL_LINK:
         return signInWithEmailLink(auth, {
           email: this._email,