diff --git a/.changeset/selfish-donkeys-cheer.md b/.changeset/selfish-donkeys-cheer.md new file mode 100644 index 00000000000..7cf6946520c --- /dev/null +++ b/.changeset/selfish-donkeys-cheer.md @@ -0,0 +1,5 @@ +--- +'firebase': patch +--- + +Fix glob pattern to work with Node 20 and its NPM version. diff --git a/.changeset/thirty-otters-hug.md b/.changeset/thirty-otters-hug.md new file mode 100644 index 00000000000..6dd0c7e0059 --- /dev/null +++ b/.changeset/thirty-otters-hug.md @@ -0,0 +1,5 @@ +--- +'@firebase/auth': patch +--- + +Fix possible XSS vulnerability through **FIREBASE_DEFAULTS** settings. diff --git a/.changeset/violet-ways-judge.md b/.changeset/violet-ways-judge.md new file mode 100644 index 00000000000..a845151cc84 --- /dev/null +++ b/.changeset/violet-ways-judge.md @@ -0,0 +1,2 @@ +--- +--- diff --git a/.github/workflows/canary-deploy.yml b/.github/workflows/canary-deploy.yml index 02871078f44..73ce0044c1a 100644 --- a/.github/workflows/canary-deploy.yml +++ b/.github/workflows/canary-deploy.yml @@ -31,10 +31,10 @@ jobs: with: # Canary release script requires git history and tags. fetch-depth: 0 - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: Yarn install run: yarn - name: Deploy canary diff --git a/.github/workflows/check-changeset.yml b/.github/workflows/check-changeset.yml index a851bb4793f..ca76fe7a76b 100644 --- a/.github/workflows/check-changeset.yml +++ b/.github/workflows/check-changeset.yml @@ -34,10 +34,10 @@ jobs: with: # This makes Actions fetch all Git history so check_changeset script can diff properly. fetch-depth: 0 - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: Yarn install run: yarn - name: Run changeset script diff --git a/.github/workflows/check-docs.yml b/.github/workflows/check-docs.yml index 9c44c22214a..aefab2506e3 100644 
--- a/.github/workflows/check-docs.yml +++ b/.github/workflows/check-docs.yml @@ -27,10 +27,10 @@ jobs: with: # get all history for the diff fetch-depth: 0 - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: Yarn install run: yarn - name: Run doc generation (devsite docs) diff --git a/.github/workflows/check-pkg-paths.yml b/.github/workflows/check-pkg-paths.yml index 2182a3502c6..8ca54225e10 100644 --- a/.github/workflows/check-pkg-paths.yml +++ b/.github/workflows/check-pkg-paths.yml @@ -27,10 +27,10 @@ jobs: with: # This makes Actions fetch all Git history so run-changed script can diff properly. fetch-depth: 0 - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: Yarn install run: yarn - name: Yarn build diff --git a/.github/workflows/deploy-config.yml b/.github/workflows/deploy-config.yml index ebb607c5417..cc8e5925302 100644 --- a/.github/workflows/deploy-config.yml +++ b/.github/workflows/deploy-config.yml @@ -34,10 +34,10 @@ jobs: with: # This makes Actions fetch all Git history so run-changed script can diff properly. fetch-depth: 0 - - name: Set up node (18) + - name: Set up node (20) uses: actions/setup-node@v3 with: - node-version: 18.x + node-version: 20.x - name: Yarn install run: yarn - name: Deploy project config if needed diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index d844e4e34ea..80a555f7840 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml @@ -36,10 +36,10 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@master - - name: Set up Node (18) + - name: Set up Node (20) uses: actions/setup-node@master with: - node-version: 18.x + node-version: 20.x - name: install Chrome stable run: | sudo apt-get update 
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml index 1e77356832d..7434a9cab4c 100644 --- a/.github/workflows/format.yml +++ b/.github/workflows/format.yml @@ -31,10 +31,10 @@ jobs: with: # get all history for the diff fetch-depth: 0 - - name: Set up node (16) + - name: Set up node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: Yarn install run: yarn - name: Run formatting script diff --git a/.github/workflows/health-metrics-pull-request.yml b/.github/workflows/health-metrics-pull-request.yml index 6bbfc8b93c2..45f1aa1ab44 100644 --- a/.github/workflows/health-metrics-pull-request.yml +++ b/.github/workflows/health-metrics-pull-request.yml @@ -41,7 +41,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - uses: 'google-github-actions/auth@v0' with: credentials_json: '${{ secrets.GCP_SA_KEY }}' @@ -58,7 +58,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - uses: 'google-github-actions/auth@v0' with: credentials_json: '${{ secrets.GCP_SA_KEY }}' diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 50664c261cb..80851d9834a 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -23,10 +23,10 @@ jobs: steps: - uses: actions/checkout@v3 - - name: Set up node (16) + - name: Set up node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: yarn install run: yarn - name: yarn lint diff --git a/.github/workflows/prerelease-manual-deploy.yml b/.github/workflows/prerelease-manual-deploy.yml index a1b0af0e258..54f75383f95 100644 --- a/.github/workflows/prerelease-manual-deploy.yml +++ b/.github/workflows/prerelease-manual-deploy.yml 
@@ -34,10 +34,10 @@ jobs: with: # Canary release script requires git history and tags. fetch-depth: 0 - - name: Set up node (16) + - name: Set up node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: Yarn install run: yarn - name: Deploy prerelease diff --git a/.github/workflows/release-log.yml b/.github/workflows/release-log.yml index 235a0d142ce..780e3e97b52 100644 --- a/.github/workflows/release-log.yml +++ b/.github/workflows/release-log.yml @@ -28,10 +28,10 @@ jobs: - name: Checkout Repo uses: actions/checkout@master - - name: Setup Node.js 16.x + - name: Setup Node.js 20.x uses: actions/setup-node@master with: - node-version: 16.x + node-version: 20.x - name: Get PR number and send to tracker. run: node scripts/ci/log-changesets.js diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index 02dc8e3cef5..04ebbd8b926 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml @@ -32,10 +32,10 @@ jobs: # This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits fetch-depth: 0 - - name: Setup Node.js 16.x + - name: Setup Node.js 20.x uses: actions/setup-node@master with: - node-version: 16.x + node-version: 20.x - name: Install Dependencies run: yarn diff --git a/.github/workflows/release-prod.yml b/.github/workflows/release-prod.yml index 684f405a9ac..09d1797ec4c 100644 --- a/.github/workflows/release-prod.yml +++ b/.github/workflows/release-prod.yml @@ -32,10 +32,10 @@ jobs: contents: write steps: - - name: Set up node (16) + - name: Set up node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: Checkout release branch (with history) uses: actions/checkout@master with: diff --git a/.github/workflows/release-staging.yml b/.github/workflows/release-staging.yml index 5b0e2a7cb5f..6a687ed5ee2 100644 --- a/.github/workflows/release-staging.yml +++ b/.github/workflows/release-staging.yml 
@@ -46,10 +46,10 @@ jobs: # Block this workflow if run on a non-release branch. if: github.event.inputs.release-branch == 'release' || endsWith(github.event.inputs.release-branch, '-releasebranch') steps: - - name: Set up node (16) + - name: Set up node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: Merge master into release uses: actions/github-script@v6 with: diff --git a/.github/workflows/release-tweet.yml b/.github/workflows/release-tweet.yml index af6379ceb18..edd2634637b 100644 --- a/.github/workflows/release-tweet.yml +++ b/.github/workflows/release-tweet.yml @@ -34,10 +34,10 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@master - - name: Setup Node.js 16.x + - name: Setup Node.js 20.x uses: actions/setup-node@master with: - node-version: 16.x + node-version: 20.x - name: Poll release notes page on devsite run: node scripts/ci/poll_release_notes.js env: diff --git a/.github/workflows/test-all.yml b/.github/workflows/test-all.yml index e72dca55c8b..fce2b722814 100644 --- a/.github/workflows/test-all.yml +++ b/.github/workflows/test-all.yml @@ -42,10 +42,10 @@ jobs: run: | npx @puppeteer/browsers install chrome@stable - uses: actions/checkout@v3 - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: Test setup and yarn install run: | cp config/ci.config.json config/project.json @@ -81,10 +81,10 @@ jobs: name: build.tar.gz - name: Unzip build artifact run: tar xf build.tar.gz - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: Test setup and yarn install run: | cp config/ci.config.json config/project.json 
@@ -132,10 +132,10 @@ jobs: name: build.tar.gz - name: Unzip build artifact run: tar xf build.tar.gz - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: Test setup and yarn install run: | cp config/ci.config.json config/project.json @@ -175,10 +175,10 @@ jobs: name: build.tar.gz - name: Unzip build artifact run: tar xf build.tar.gz - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: Test setup and yarn install run: | cp config/ci.config.json config/project.json @@ -219,10 +219,10 @@ jobs: name: build.tar.gz - name: Unzip build artifact run: tar xf build.tar.gz - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - run: cp config/ci.config.json config/project.json - run: yarn - run: yarn build:${{ matrix.persistence }} diff --git a/.github/workflows/test-changed-auth.yml b/.github/workflows/test-changed-auth.yml index eafb3a2d556..d2f11f2bf2f 100644 --- a/.github/workflows/test-changed-auth.yml +++ b/.github/workflows/test-changed-auth.yml @@ -56,10 +56,10 @@ jobs: with: # This makes Actions fetch all Git history so run-changed script can diff properly. fetch-depth: 0 - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: Test setup and yarn install run: | cp config/ci.config.json config/project.json @@ -88,10 +88,10 @@ jobs: with: # This makes Actions fetch all Git history so run-changed script can diff properly. fetch-depth: 0 - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: Test setup and yarn install run: | cp config/ci.config.json config/project.json 
diff --git a/.github/workflows/test-changed-fcm-integration.yml b/.github/workflows/test-changed-fcm-integration.yml index bac3a772428..affb4639b1b 100644 --- a/.github/workflows/test-changed-fcm-integration.yml +++ b/.github/workflows/test-changed-fcm-integration.yml @@ -38,10 +38,10 @@ jobs: with: # This makes Actions fetch all Git history so run-changed script can diff properly. fetch-depth: 0 - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: Test setup and yarn install run: | cp config/ci.config.json config/project.json diff --git a/.github/workflows/test-changed-firestore-integration.yml b/.github/workflows/test-changed-firestore-integration.yml index 106aef667e7..3cc14c99c55 100644 --- a/.github/workflows/test-changed-firestore-integration.yml +++ b/.github/workflows/test-changed-firestore-integration.yml @@ -63,10 +63,10 @@ jobs: rm -f "$output_file" continue-on-error: true - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: install Chrome stable run: | sudo apt-get update diff --git a/.github/workflows/test-changed-firestore.yml b/.github/workflows/test-changed-firestore.yml index c34e4e79dce..9f241898e0e 100644 --- a/.github/workflows/test-changed-firestore.yml +++ b/.github/workflows/test-changed-firestore.yml @@ -37,10 +37,10 @@ jobs: with: # This makes Actions fetch all Git history so run-changed script can diff properly. fetch-depth: 0 - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: install Chrome stable run: | sudo apt-get update 
@@ -84,10 +84,10 @@ jobs: needs: build if: ${{ needs.build.outputs.changed == 'true'}} steps: - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: install Chrome stable run: | sudo apt-get update @@ -112,10 +112,10 @@ jobs: needs: build if: ${{ needs.build.outputs.changed == 'true'}} steps: - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: install Chrome stable run: | sudo apt-get update @@ -142,10 +142,10 @@ jobs: needs: build if: ${{ github.event_name != 'pull_request' }} steps: - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: install Chrome stable run: | sudo apt-get update @@ -180,10 +180,10 @@ jobs: run: | sudo apt-get update sudo apt-get install firefox - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: Download build archive uses: actions/download-artifact@v3 with: @@ -219,10 +219,10 @@ jobs: name: build.tar.gz - name: Unzip build artifact run: tar xf build.tar.gz - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: Test setup and yarn install run: cp config/ci.config.json config/project.json - name: Run tests diff --git a/.github/workflows/test-changed-misc.yml b/.github/workflows/test-changed-misc.yml index 3e87f5f5584..e189ff4fecf 100644 --- a/.github/workflows/test-changed-misc.yml +++ b/.github/workflows/test-changed-misc.yml 
@@ -31,10 +31,10 @@ jobs: with: # This makes Actions fetch all Git history so run-changed script can diff properly. fetch-depth: 0 - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: install Chrome stable run: | sudo apt-get update diff --git a/.github/workflows/test-changed.yml b/.github/workflows/test-changed.yml index f0cf68f7315..ac45286b0c8 100644 --- a/.github/workflows/test-changed.yml +++ b/.github/workflows/test-changed.yml @@ -31,10 +31,10 @@ jobs: with: # This makes Actions fetch all Git history so run-changed script can diff properly. fetch-depth: 0 - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: install Chrome stable run: | sudo apt-get update @@ -60,10 +60,10 @@ jobs: uses: actions/checkout@master with: fetch-depth: 0 - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: install Firefox stable run: | sudo apt-get update diff --git a/.github/workflows/test-firebase-integration.yml b/.github/workflows/test-firebase-integration.yml index 9eb15ab78d2..f6b1eb3c4b3 100644 --- a/.github/workflows/test-firebase-integration.yml +++ b/.github/workflows/test-firebase-integration.yml @@ -31,10 +31,10 @@ jobs: with: # This makes Actions fetch all Git history so run-changed script can diff properly. fetch-depth: 0 - - name: Set up Node (16) + - name: Set up Node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: install Chrome stable run: | sudo apt-get update diff --git a/.github/workflows/update-api-reports.yml b/.github/workflows/update-api-reports.yml index e4f90c98607..f49c548e3cc 100644 --- a/.github/workflows/update-api-reports.yml +++ b/.github/workflows/update-api-reports.yml 
@@ -30,10 +30,10 @@ jobs: # checkout HEAD commit instead of merge commit ref: ${{ github.event.pull_request.head.ref }} token: ${{ github.token }} - - name: Set up node (16) + - name: Set up node (20) uses: actions/setup-node@v3 with: - node-version: 16.x + node-version: 20.x - name: Yarn install run: yarn - name: Update API reports diff --git a/packages/auth/src/core/auth/emulator.test.ts b/packages/auth/src/core/auth/emulator.test.ts index 8015aecee18..71a30883218 100644 --- a/packages/auth/src/core/auth/emulator.test.ts +++ b/packages/auth/src/core/auth/emulator.test.ts @@ -45,7 +45,7 @@ describe('core/auth/emulator', () => { fetch.setUp(); normalEndpoint = mockEndpoint(Endpoint.DELETE_ACCOUNT, {}); emulatorEndpoint = fetch.mock( - `http://localhost:2020/${endpointUrl(Endpoint.DELETE_ACCOUNT).replace( + `http://127.0.0.1:2020/${endpointUrl(Endpoint.DELETE_ACCOUNT).replace( /^.*:\/\//, '' )}`, 
@@ -70,46 +70,46 @@ describe('core/auth/emulator', () => { context('connectAuthEmulator', () => { it('fails if a network request has already been made', async () => { await user.delete(); - expect(() => connectAuthEmulator(auth, 'http://localhost:2020')).to.throw( + expect(() => connectAuthEmulator(auth, 'http://127.0.0.1:2020')).to.throw( FirebaseError, 'auth/emulator-config-failed' ); }); it('updates the endpoint appropriately', async () => { - connectAuthEmulator(auth, 'http://localhost:2020'); + connectAuthEmulator(auth, 'http://127.0.0.1:2020'); await user.delete(); expect(normalEndpoint.calls.length).to.eq(0); expect(emulatorEndpoint.calls.length).to.eq(1); }); it('updates the endpoint appropriately with trailing slash', async () => { - connectAuthEmulator(auth, 'http://localhost:2020/'); + connectAuthEmulator(auth, 'http://127.0.0.1:2020/'); await user.delete(); expect(normalEndpoint.calls.length).to.eq(0); expect(emulatorEndpoint.calls.length).to.eq(1); }); it('checks the scheme properly', () => { - expect(() => connectAuthEmulator(auth, 'http://localhost:2020')).not.to + expect(() => connectAuthEmulator(auth, 'http://127.0.0.1:2020')).not.to .throw; delete auth.config.emulator; - expect(() => connectAuthEmulator(auth, 'https://localhost:2020')).not.to + expect(() => connectAuthEmulator(auth, 'https://127.0.0.1:2020')).not.to .throw; delete auth.config.emulator; - expect(() => connectAuthEmulator(auth, 'ssh://localhost:2020')).to.throw( + expect(() => connectAuthEmulator(auth, 'ssh://127.0.0.1:2020')).to.throw( FirebaseError, 'auth/invalid-emulator-scheme' ); delete auth.config.emulator; - expect(() => connectAuthEmulator(auth, 'localhost:2020')).to.throw( + expect(() => connectAuthEmulator(auth, '127.0.0.1:2020')).to.throw( FirebaseError, 'auth/invalid-emulator-scheme' ); }); it('attaches a banner to the DOM', () => { - connectAuthEmulator(auth, 'http://localhost:2020'); + connectAuthEmulator(auth, 'http://127.0.0.1:2020'); if (typeof document !== 
'undefined') { const el = document.querySelector('.firebase-emulator-warning')!; expect(el).not.to.be.null; @@ -122,7 +122,7 @@ describe('core/auth/emulator', () => { it('logs out a warning to the console', () => { sinon.stub(console, 'info'); - connectAuthEmulator(auth, 'http://localhost:2020'); + connectAuthEmulator(auth, 'http://127.0.0.1:2020'); expect(console.info).to.have.been.calledWith( 'WARNING: You are using the Auth Emulator,' + ' which is intended for local testing only. Do not use with' + @@ -132,7 +132,7 @@ describe('core/auth/emulator', () => { it('skips console info and has no banner if warnings disabled', () => { sinon.stub(console, 'info'); - connectAuthEmulator(auth, 'http://localhost:2020', { + connectAuthEmulator(auth, 'http://127.0.0.1:2020', { disableWarnings: true }); expect(console.info).not.to.have.been.called; @@ -142,10 +142,10 @@ describe('core/auth/emulator', () => { }); it('sets emulatorConfig on the Auth object', async () => { - connectAuthEmulator(auth, 'http://localhost:2020'); + connectAuthEmulator(auth, 'http://127.0.0.1:2020'); expect(auth.emulatorConfig).to.eql({ protocol: 'http', - host: 'localhost', + host: '127.0.0.1', port: 2020, options: { disableWarnings: false } }); diff --git a/packages/auth/src/core/util/emulator.test.ts b/packages/auth/src/core/util/emulator.test.ts index 65337681d5b..17a916917b1 100644 --- a/packages/auth/src/core/util/emulator.test.ts +++ b/packages/auth/src/core/util/emulator.test.ts 
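Review bot: In the 'checks the scheme properly' test of the `@@ -70,46 +70,46 @@` hunk in packages/auth/src/core/auth/emulator.test.ts, the two accepted-scheme expectations end in `.not.to` / `.throw;` without a call, so chai never evaluates them. The http and https cases therefore pass no matter what connectAuthEmulator does. Since the commit rewrites these lines anyway, invoke the assertion: `expect(() => connectAuthEmulator(auth, 'https://127.0.0.1:2020')).not.to.throw();`, and the same for the http case. The rejected-scheme cases just below do call `.to.throw(FirebaseError, 'auth/invalid-emulator-scheme')`, so only the accepting half of the scheme check is left unverified.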
@@ -23,23 +23,23 @@ import { _emulatorUrl } from './emulator'; describe('core/util/emulator', () => { const config: ConfigInternal = { emulator: { - url: 'http://localhost:4000/' + url: 'http://127.0.0.1:4000/' } } as ConfigInternal; it('builds the proper URL with no path', () => { - expect(_emulatorUrl(config)).to.eq('http://localhost:4000/'); + expect(_emulatorUrl(config)).to.eq('http://127.0.0.1:4000/'); }); it('builds the proper URL with a path', () => { expect(_emulatorUrl(config, '/test/path')).to.eq( - 'http://localhost:4000/test/path' + 'http://127.0.0.1:4000/test/path' ); }); it('builds the proper URL with a path missing separator', () => { expect(_emulatorUrl(config, 'test/path')).to.eq( - 'http://localhost:4000/test/path' + 'http://127.0.0.1:4000/test/path' ); }); }); diff --git a/packages/auth/src/platform_browser/index.ts b/packages/auth/src/platform_browser/index.ts index 6399072d713..2d21c768454 100644 --- a/packages/auth/src/platform_browser/index.ts +++ b/packages/auth/src/platform_browser/index.ts @@ -89,9 +89,11 @@ export function getAuth(app: FirebaseApp = getApp()): Auth { ] }); - const authTokenSyncUrl = getExperimentalSetting('authTokenSyncURL'); - if (authTokenSyncUrl) { - const mintCookie = mintCookieFactory(authTokenSyncUrl); + const authTokenSyncPath = getExperimentalSetting('authTokenSyncURL'); + // Don't allow urls (XSS possibility), only paths on the same domain + // (starting with '/') + if (authTokenSyncPath && authTokenSyncPath.startsWith('/')) { + const mintCookie = mintCookieFactory(authTokenSyncPath); beforeAuthStateChanged(auth, mintCookie, () => mintCookie(auth.currentUser) ); diff --git a/packages/firebase/package.json b/packages/firebase/package.json index 8a4cd25a02a..35425f5244d 100644 --- a/packages/firebase/package.json +++ b/packages/firebase/package.json @@ -16,7 +16,7 @@ "remote-config" ], "files": [ - "**/dist/", + "**/dist/**/*", "**/package.json", "/firebase*.js", "/firebase*.map", 
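Review bot: The new guard in getAuth (packages/auth/src/platform_browser/index.ts), `authTokenSyncPath.startsWith('/')`, still accepts scheme-relative values such as `//other-host.example/sync` (constructed example). A browser resolves those against a different origin, so the comment's "only paths on the same domain" is not enforced by a first-character test. Resolving the setting and comparing origins closes that gap: `const syncUrl = new URL(authTokenSyncPath, location.origin);` followed by `if (syncUrl.origin === location.origin) { ... }`. The value comes from `getExperimentalSetting`, whose return type is not visible here, so a `typeof authTokenSyncPath === 'string'` check before calling a string method is worth confirming as well. How `mintCookieFactory` uses the value is outside this hunk, as are the start and end of getAuth's body.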
diff --git a/packages/firestore/test/integration/api/validation.test.ts b/packages/firestore/test/integration/api/validation.test.ts index 8260b53bb4f..eb0119b5d39 100644 --- a/packages/firestore/test/integration/api/validation.test.ts +++ b/packages/firestore/test/integration/api/validation.test.ts @@ -173,7 +173,7 @@ apiDescribe('Validation:', persistence => { () => { const db = newTestFirestore(newTestApp('test-project')); // Verify that this doesn't throw. - connectFirestoreEmulator(db, 'localhost', 9000); + connectFirestoreEmulator(db, '127.0.0.1', 9000); } ); @@ -185,7 +185,7 @@ apiDescribe('Validation:', persistence => { 'Firestore has already been started and its settings can no longer be changed.'; await setDoc(doc(db, 'foo/bar'), {}); - expect(() => connectFirestoreEmulator(db, 'localhost', 9000)).to.throw( + expect(() => connectFirestoreEmulator(db, '127.0.0.1', 9000)).to.throw( errorMsg ); } @@ -197,7 +197,7 @@ apiDescribe('Validation:', persistence => { () => { const db = newTestFirestore(newTestApp('test-project')); // Verify that this doesn't throw. - connectFirestoreEmulator(db, 'localhost', 9000, { + connectFirestoreEmulator(db, '127.0.0.1', 9000, { mockUserToken: { sub: 'foo' } }); } @@ -209,7 +209,7 @@ apiDescribe('Validation:', persistence => { () => { const db = newTestFirestore(newTestApp('test-project')); // Verify that this doesn't throw. - connectFirestoreEmulator(db, 'localhost', 9000, { + connectFirestoreEmulator(db, '127.0.0.1', 9000, { mockUserToken: 'my-mock-user-token' }); } @@ -222,7 +222,7 @@ apiDescribe('Validation:', persistence => { const errorMsg = "mockUserToken must contain 'sub' or 'user_id' field!"; expect(() => - connectFirestoreEmulator(db, 'localhost', 9000, { + connectFirestoreEmulator(db, '127.0.0.1', 9000, { mockUserToken: {} as any }) ).to.throw(errorMsg); diff --git a/packages/firestore/test/unit/api/database.test.ts b/packages/firestore/test/unit/api/database.test.ts index ddae011b3cb..9dcc7f5ae9d 100644 
--- a/packages/firestore/test/unit/api/database.test.ts +++ b/packages/firestore/test/unit/api/database.test.ts @@ -547,9 +547,9 @@ describe('Settings', () => { it('gets settings from useEmulator', () => { // Use a new instance of Firestore in order to configure settings. const db = newTestFirestore(); - connectFirestoreEmulator(db, 'localhost', 9000); + connectFirestoreEmulator(db, '127.0.0.1', 9000); - expect(db._getSettings().host).to.equal('localhost:9000'); + expect(db._getSettings().host).to.equal('127.0.0.1:9000'); expect(db._getSettings().ssl).to.be.false; }); @@ -557,9 +557,9 @@ describe('Settings', () => { // Use a new instance of Firestore in order to configure settings. const db = newTestFirestore(); db._setSettings({ host: 'other.host' }); - connectFirestoreEmulator(db, 'localhost', 9000); + connectFirestoreEmulator(db, '127.0.0.1', 9000); - expect(db._getSettings().host).to.equal('localhost:9000'); + expect(db._getSettings().host).to.equal('127.0.0.1:9000'); expect(db._getSettings().ssl).to.be.false; }); @@ -567,7 +567,7 @@ describe('Settings', () => { // Use a new instance of Firestore in order to configure settings. const db = newTestFirestore(); const mockUserToken = { sub: 'foobar' }; - connectFirestoreEmulator(db, 'localhost', 9000, { mockUserToken }); + connectFirestoreEmulator(db, '127.0.0.1', 9000, { mockUserToken }); const credentials = db._authCredentials; expect(credentials).to.be.instanceOf(EmulatorAuthCredentialsProvider); @@ -579,7 +579,7 @@ describe('Settings', () => { it('sets credentials based on mockUserToken string', async () => { // Use a new instance of Firestore in order to configure settings. const db = newTestFirestore(); - connectFirestoreEmulator(db, 'localhost', 9000, { + connectFirestoreEmulator(db, '127.0.0.1', 9000, { mockUserToken: 'my-custom-mock-user-token' }); diff --git a/packages/rules-unit-testing/functions/package.json b/packages/rules-unit-testing/functions/package.json index c701103ae64..54fd69653b5 100644 
--- a/packages/rules-unit-testing/functions/package.json +++ b/packages/rules-unit-testing/functions/package.json @@ -12,6 +12,6 @@ "firebase-functions": "3.24.1" }, "engines": { - "node": "16" + "node": ">=16" } } diff --git a/scripts/emulator-testing/emulators/emulator.ts b/scripts/emulator-testing/emulators/emulator.ts index d56226842eb..1295d413e4b 100644 --- a/scripts/emulator-testing/emulators/emulator.ts +++ b/scripts/emulator-testing/emulators/emulator.ts @@ -119,8 +119,8 @@ export abstract class Emulator { if (elapsed > timeout) { reject(`Emulator not ready after ${timeout}s. Exiting ...`); } else { - console.log(`Ping emulator at [http://localhost:${this.port}] ...`); - fetch(`http://localhost:${this.port}`).then( + console.log(`Ping emulator at [http://127.0.0.1:${this.port}] ...`); + fetch(`http://127.0.0.1:${this.port}`).then( () => { // Database and Firestore emulators will return 400 and 200 respectively. // As long as we get a response back, it means the emulator is ready.