Merge dev into master

auth/tenant_mgt_test.go

@@ -164,7 +164,7 @@ func TestTenantListUsers(t *testing.T) {
 	want := []*ExportedUserRecord{
 		{UserRecord: testUser, PasswordHash: "passwordhash1", PasswordSalt: "salt1"},
 		{UserRecord: testUser, PasswordHash: "passwordhash2", PasswordSalt: "salt2"},
-		{UserRecord: testUser, PasswordHash: "passwordhash3", PasswordSalt: "salt3"},
+		{UserRecord: testUserWithoutMFA, PasswordHash: "passwordhash3", PasswordSalt: "salt3"},
 	}
 
 	testIterator := func(iter *UserIterator, token string, req string) {

auth/user_mgt.go

@@ -57,6 +57,28 @@ type UserInfo struct {
 	UID        string `json:"rawId,omitempty"`
 }
 
+// multiFactorInfoResponse describes the `mfaInfo` of the user record API response
+type multiFactorInfoResponse struct {
+	MFAEnrollmentID string `json:"mfaEnrollmentId,omitempty"`
+	DisplayName     string `json:"displayName,omitempty"`
+	PhoneInfo       string `json:"phoneInfo,omitempty"`
+	EnrolledAt      string `json:"enrolledAt,omitempty"`
+}
+
+// MultiFactorInfo describes a user enrolled second phone factor.
+type MultiFactorInfo struct {
+	UID                 string
+	DisplayName         string
+	EnrollmentTimestamp int64
+	FactorID            string
+	PhoneNumber         string
+}
+
+// MultiFactorSettings describes the multi-factor related user settings.
+type MultiFactorSettings struct {
+	EnrolledFactors []*MultiFactorInfo
+}
+
 // UserMetadata contains additional metadata associated with a user account.
 // Timestamps are in milliseconds since epoch.
 type UserMetadata struct {
@@ -77,6 +99,7 @@ type UserRecord struct {
 	TokensValidAfterMillis int64 // milliseconds since epoch.
 	UserMetadata           *UserMetadata
 	TenantID               string
+	MultiFactor            *MultiFactorSettings
 }
 
 // UserToCreate is the parameter struct for the CreateUser function.
@@ -892,23 +915,24 @@ func (c *baseClient) GetUsers(
 }
 
 type userQueryResponse struct {
-	UID                string      `json:"localId,omitempty"`
-	DisplayName        string      `json:"displayName,omitempty"`
-	Email              string      `json:"email,omitempty"`
-	PhoneNumber        string      `json:"phoneNumber,omitempty"`
-	PhotoURL           string      `json:"photoUrl,omitempty"`
-	CreationTimestamp  int64       `json:"createdAt,string,omitempty"`
-	LastLogInTimestamp int64       `json:"lastLoginAt,string,omitempty"`
-	LastRefreshAt      string      `json:"lastRefreshAt,omitempty"`
-	ProviderID         string      `json:"providerId,omitempty"`
-	CustomAttributes   string      `json:"customAttributes,omitempty"`
-	Disabled           bool        `json:"disabled,omitempty"`
-	EmailVerified      bool        `json:"emailVerified,omitempty"`
-	ProviderUserInfo   []*UserInfo `json:"providerUserInfo,omitempty"`
-	PasswordHash       string      `json:"passwordHash,omitempty"`
-	PasswordSalt       string      `json:"salt,omitempty"`
-	TenantID           string      `json:"tenantId,omitempty"`
-	ValidSinceSeconds  int64       `json:"validSince,string,omitempty"`
+	UID                string                     `json:"localId,omitempty"`
+	DisplayName        string                     `json:"displayName,omitempty"`
+	Email              string                     `json:"email,omitempty"`
+	PhoneNumber        string                     `json:"phoneNumber,omitempty"`
+	PhotoURL           string                     `json:"photoUrl,omitempty"`
+	CreationTimestamp  int64                      `json:"createdAt,string,omitempty"`
+	LastLogInTimestamp int64                      `json:"lastLoginAt,string,omitempty"`
+	LastRefreshAt      string                     `json:"lastRefreshAt,omitempty"`
+	ProviderID         string                     `json:"providerId,omitempty"`
+	CustomAttributes   string                     `json:"customAttributes,omitempty"`
+	Disabled           bool                       `json:"disabled,omitempty"`
+	EmailVerified      bool                       `json:"emailVerified,omitempty"`
+	ProviderUserInfo   []*UserInfo                `json:"providerUserInfo,omitempty"`
+	PasswordHash       string                     `json:"passwordHash,omitempty"`
+	PasswordSalt       string                     `json:"salt,omitempty"`
+	TenantID           string                     `json:"tenantId,omitempty"`
+	ValidSinceSeconds  int64                      `json:"validSince,string,omitempty"`
+	MFAInfo            []*multiFactorInfoResponse `json:"mfaInfo,omitempty"`
 }
 
 func (r *userQueryResponse) makeUserRecord() (*UserRecord, error) {
@@ -948,6 +972,32 @@ func (r *userQueryResponse) makeExportedUserRecord() (*ExportedUserRecord, error
 		lastRefreshTimestamp = t.Unix() * 1000
 	}
 
+	// Map the MFA info to a slice of enrolled factors. Currently there is only
+	// support for PhoneMultiFactorInfo.
+	var enrolledFactors []*MultiFactorInfo
+	for _, factor := range r.MFAInfo {
+		var enrollmentTimestamp int64
+		if factor.EnrolledAt != "" {
+			t, err := time.Parse(time.RFC3339, factor.EnrolledAt)
+			if err != nil {
+				return nil, err
+			}
+			enrollmentTimestamp = t.Unix() * 1000
+		}
+
+		if factor.PhoneInfo == "" {
+			return nil, fmt.Errorf("unsupported multi-factor auth response: %#v", factor)
+		}
+
+		enrolledFactors = append(enrolledFactors, &MultiFactorInfo{
+			UID:                 factor.MFAEnrollmentID,
+			DisplayName:         factor.DisplayName,
+			EnrollmentTimestamp: enrollmentTimestamp,
+			FactorID:            "phone",
+			PhoneNumber:         factor.PhoneInfo,
+		})
+	}
+
 	return &ExportedUserRecord{
 		UserRecord: &UserRecord{
 			UserInfo: &UserInfo{
@@ -969,6 +1019,9 @@ func (r *userQueryResponse) makeExportedUserRecord() (*ExportedUserRecord, error
 				CreationTimestamp:    r.CreationTimestamp,
 				LastRefreshTimestamp: lastRefreshTimestamp,
 			},
+			MultiFactor: &MultiFactorSettings{
+				EnrolledFactors: enrolledFactors,
+			},
 		},
 		PasswordHash: hash,
 		PasswordSalt: r.PasswordSalt,

auth/user_mgt_test.go

@@ -44,8 +44,7 @@ var testUser = &UserRecord{
 		PhotoURL:    "http://www.example.com/testuser/photo.png",
 		ProviderID:  defaultProviderID,
 	},
-	Disabled: false,
-
+	Disabled:      false,
 	EmailVerified: true,
 	ProviderUserInfo: []*UserInfo{
 		{
@@ -67,6 +66,51 @@ var testUser = &UserRecord{
 	},
 	CustomClaims: map[string]interface{}{"admin": true, "package": "gold"},
 	TenantID:     "testTenant",
+	MultiFactor: &MultiFactorSettings{
+		EnrolledFactors: []*MultiFactorInfo{
+			{
+				UID:                 "0aaded3f-5e73-461d-aef9-37b48e3769be",
+				FactorID:            "phone",
+				EnrollmentTimestamp: 1614776780000,
+				PhoneNumber:         "+1234567890",
+				DisplayName:         "My MFA Phone",
+			},
+		},
+	},
+}
+
+var testUserWithoutMFA = &UserRecord{
+	UserInfo: &UserInfo{
+		UID:         "testusernomfa",
+		Email:       "testusernomfa@example.com",
+		PhoneNumber: "+1234567890",
+		DisplayName: "Test User Without MFA",
+		PhotoURL:    "http://www.example.com/testusernomfa/photo.png",
+		ProviderID:  defaultProviderID,
+	},
+	Disabled:      false,
+	EmailVerified: true,
+	ProviderUserInfo: []*UserInfo{
+		{
+			ProviderID:  "password",
+			DisplayName: "Test User Without MFA",
+			PhotoURL:    "http://www.example.com/testusernomfa/photo.png",
+			Email:       "testusernomfa@example.com",
+			UID:         "testuid",
+		}, {
+			ProviderID:  "phone",
+			PhoneNumber: "+1234567890",
+			UID:         "testuid",
+		},
+	},
+	TokensValidAfterMillis: 1494364393000,
+	UserMetadata: &UserMetadata{
+		CreationTimestamp:  1234567890000,
+		LastLogInTimestamp: 1233211232000,
+	},
+	CustomClaims: map[string]interface{}{"admin": true, "package": "gold"},
+	TenantID:     "testTenant",
+	MultiFactor:  &MultiFactorSettings{},
 }
 
 func TestGetUser(t *testing.T) {
@@ -501,7 +545,7 @@ func TestListUsers(t *testing.T) {
 	want := []*ExportedUserRecord{
 		{UserRecord: testUser, PasswordHash: "passwordhash1", PasswordSalt: "salt1"},
 		{UserRecord: testUser, PasswordHash: "passwordhash2", PasswordSalt: "salt2"},
-		{UserRecord: testUser, PasswordHash: "passwordhash3", PasswordSalt: "salt3"},
+		{UserRecord: testUserWithoutMFA, PasswordHash: "passwordhash3", PasswordSalt: "salt3"},
 	}
 
 	testIterator := func(iter *UserIterator, token string, req string) {
@@ -1596,6 +1640,14 @@ func TestMakeExportedUser(t *testing.T) {
 				PhoneNumber: "+1234567890",
 				UID:         "testuid",
 			}},
+		MFAInfo: []*multiFactorInfoResponse{
+			{
+				PhoneInfo:       "+1234567890",
+				MFAEnrollmentID: "0aaded3f-5e73-461d-aef9-37b48e3769be",
+				DisplayName:     "My MFA Phone",
+				EnrolledAt:      "2021-03-03T13:06:20.542896Z",
+			},
+		},
 	}
 
 	want := &ExportedUserRecord{
@@ -1620,6 +1672,22 @@ func TestMakeExportedUser(t *testing.T) {
 	}
 }
 
+func TestUnsupportedAuthFactor(t *testing.T) {
+	queryResponse := &userQueryResponse{
+		UID: "uid1",
+		MFAInfo: []*multiFactorInfoResponse{
+			{
+				MFAEnrollmentID: "enrollementId",
+			},
+		},
+	}
+
+	exported, err := queryResponse.makeExportedUserRecord()
+	if exported != nil || err == nil {
+		t.Errorf("makeExportedUserRecord() = (%v, %v); want = (nil, error)", exported, err)
+	}
+}
+
 func TestExportedUserRecordShouldClearRedacted(t *testing.T) {
 	queryResponse := &userQueryResponse{
 		UID:          "uid1",

firebase.go

@@ -38,7 +38,7 @@ import (
 var defaultAuthOverrides = make(map[string]interface{})
 
 // Version of the Firebase Go Admin SDK.
-const Version = "4.4.0"
+const Version = "4.5.0"
 
 // firebaseEnvName is the name of the environment variable with the Config.
 const firebaseEnvName = "FIREBASE_CONFIG"

go.mod

@@ -3,10 +3,9 @@ module firebase.google.com/go/v4
 go 1.11
 
 require (
-	cloud.google.com/go/firestore v1.1.1
-	cloud.google.com/go/storage v1.0.0
-	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	google.golang.org/api v0.17.0
-	google.golang.org/appengine v1.6.1
-	google.golang.org/grpc v1.29.1 // indirect
+	cloud.google.com/go/firestore v1.5.0
+	cloud.google.com/go/storage v1.10.0
+	golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99
+	google.golang.org/api v0.40.0
+	google.golang.org/appengine v1.6.7
 )