Update all other endpoints that are impacted by multi-tenancy (#3795)

Any endpoints that use `tenantId` explicitly in the request path or in the request body are updated to account for `Tenant` settings and any other tenant specific logic in this PR. Some things to highlight

- Providers are disabled by default on tenant projects based on observable behavior on Cloud dashboard. Agent projects have settings default enabled to be consistent with existing behavior until project `Config` management is introduced
- Supported tenant operations are listed at go/firebase-tools-3795-tenantOps; all other endpoints throw errors when called with a `TenantProjectState`. Some endpoints are not explicitly listed but are supported on tenant projects including:
  - `getRecaptchaParams`
  - `createSessionCookie`
  - `grantToken`
- Some, but not all, emulator endpoints were modified to take `tenantId` as a query param to correctly retrieve `TenantProjectState`. Not all emulator endpoints were updated but should be - a `TODO` was added in `gen-auth-api-spec.ts` that will be addressed in a subsequent PR (this one was getting bloated)

Author: lisajian

scripts/gen-auth-api-spec.ts

@@ -305,6 +305,7 @@ function pushServersDownToEachPath(openapi3: any): void {
   });
 }
 
+// TODO(lisajian): add tenantId as query param for all emulator config endpoints
 function addEmulatorOperations(openapi3: any): void {
   openapi3.tags.push({ name: "emulator" });
   openapi3.paths["/emulator/v1/projects/{targetProjectId}/accounts"] = {
@@ -446,6 +447,46 @@ function addEmulatorOperations(openapi3: any): void {
       tags: ["emulator"],
     },
   };
+  openapi3.paths["/emulator/v1/projects/{targetProjectId}/tenants/{tenantId}/oobCodes"] = {
+    parameters: [
+      {
+        name: "targetProjectId",
+        in: "path",
+        description: "The ID of the Google Cloud project that the confirmation codes belongs to.",
+        required: true,
+        schema: {
+          type: "string",
+        },
+      },
+      {
+        name: "tenantId",
+        in: "path",
+        description:
+          "The ID of the Identity Platform tenant the accounts belongs to. If not specified, accounts on the Identity Platform project are returned.",
+        required: true,
+        schema: { type: "string" },
+      },
+    ],
+    servers: [{ url: "" }],
+    get: {
+      description: "List all pending confirmation codes for the project.",
+      operationId: "emulator.projects.oobCodes.list",
+      responses: {
+        "200": {
+          description: "Successful response",
+          content: {
+            "application/json": {
+              schema: {
+                $ref: "#/components/schemas/EmulatorV1ProjectsOobCodes",
+              },
+            },
+          },
+        },
+      },
+      security: [],
+      tags: ["emulator"],
+    },
+  };
   openapi3.components.schemas.EmulatorV1ProjectsOobCodes = {
     type: "object",
     description: "Details of all pending confirmation codes.",
@@ -496,6 +537,46 @@ function addEmulatorOperations(openapi3: any): void {
       tags: ["emulator"],
     },
   };
+  openapi3.paths["/emulator/v1/projects/{targetProjectId}/tenants/{tenantId}/verificationCodes"] = {
+    parameters: [
+      {
+        name: "targetProjectId",
+        in: "path",
+        description: "The ID of the Google Cloud project that the verification codes belongs to.",
+        required: true,
+        schema: {
+          type: "string",
+        },
+      },
+      {
+        name: "tenantId",
+        in: "path",
+        description:
+          "The ID of the Identity Platform tenant the accounts belongs to. If not specified, accounts on the Identity Platform project are returned.",
+        required: true,
+        schema: { type: "string" },
+      },
+    ],
+    servers: [{ url: "" }],
+    get: {
+      description: "List all pending phone verification codes for the project.",
+      operationId: "emulator.projects.verificationCodes.list",
+      responses: {
+        "200": {
+          description: "Successful response",
+          content: {
+            "application/json": {
+              schema: {
+                $ref: "#/components/schemas/EmulatorV1ProjectsOobCodes",
+              },
+            },
+          },
+        },
+      },
+      security: [],
+      tags: ["emulator"],
+    },
+  };
   openapi3.components.schemas.EmulatorV1ProjectsVerificationCodes = {
     type: "object",
     description: "Details of all pending verification codes.",

src/emulator/auth/apiSpec.js

@@ -3725,6 +3725,42 @@ export default {
         tags: ["emulator"],
       },
     },
+    "/emulator/v1/projects/{targetProjectId}/tenants/{tenantId}/oobCodes": {
+      parameters: [
+        {
+          name: "targetProjectId",
+          in: "path",
+          description: "The ID of the Google Cloud project that the confirmation codes belongs to.",
+          required: true,
+          schema: { type: "string" },
+        },
+        {
+          name: "tenantId",
+          in: "path",
+          description:
+            "The ID of the Identity Platform tenant the accounts belongs to. If not specified, accounts on the Identity Platform project are returned.",
+          required: true,
+          schema: { type: "string" },
+        },
+      ],
+      servers: [{ url: "" }],
+      get: {
+        description: "List all pending confirmation codes for the project.",
+        operationId: "emulator.projects.oobCodes.list",
+        responses: {
+          200: {
+            description: "Successful response",
+            content: {
+              "application/json": {
+                schema: { $ref: "#/components/schemas/EmulatorV1ProjectsOobCodes" },
+              },
+            },
+          },
+        },
+        security: [],
+        tags: ["emulator"],
+      },
+    },
     "/emulator/v1/projects/{targetProjectId}/verificationCodes": {
       parameters: [
         {
@@ -3753,6 +3789,42 @@ export default {
         tags: ["emulator"],
       },
     },
+    "/emulator/v1/projects/{targetProjectId}/tenants/{tenantId}/verificationCodes": {
+      parameters: [
+        {
+          name: "targetProjectId",
+          in: "path",
+          description: "The ID of the Google Cloud project that the verification codes belongs to.",
+          required: true,
+          schema: { type: "string" },
+        },
+        {
+          name: "tenantId",
+          in: "path",
+          description:
+            "The ID of the Identity Platform tenant the accounts belongs to. If not specified, accounts on the Identity Platform project are returned.",
+          required: true,
+          schema: { type: "string" },
+        },
+      ],
+      servers: [{ url: "" }],
+      get: {
+        description: "List all pending phone verification codes for the project.",
+        operationId: "emulator.projects.verificationCodes.list",
+        responses: {
+          200: {
+            description: "Successful response",
+            content: {
+              "application/json": {
+                schema: { $ref: "#/components/schemas/EmulatorV1ProjectsOobCodes" },
+              },
+            },
+          },
+        },
+        security: [],
+        tags: ["emulator"],
+      },
+    },
   },
   components: {
     schemas: {
@@ -6578,7 +6650,7 @@ export default {
           },
           bindings: {
             description:
-              "Associates a list of `members` to a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one member.",
+            "Associates a list of `members` to a `role`. Optionally, may specify a `condition` that determines how and when the `bindings` are applied. Each of the `bindings` must contain at least one member.",
             items: { $ref: "#/components/schemas/GoogleIamV1Binding" },
             type: "array",
           },

src/emulator/auth/handlers.ts

@@ -12,10 +12,13 @@ import { PROVIDERS_LIST_PLACEHOLDER, WIDGET_UI } from "./widget_ui";
  */
 export function registerHandlers(
   app: express.Express,
-  getProjectStateByApiKey: (apiKey: string) => ProjectState
+  getProjectStateByApiKey: (apiKey: string, tenantId?: string) => ProjectState
 ): void {
   app.get(`/emulator/action`, (req, res) => {
-    const { mode, oobCode, continueUrl, apiKey } = req.query as Record<string, string | undefined>;
+    const { mode, oobCode, continueUrl, apiKey, tenantId } = req.query as Record<
+      string,
+      string | undefined
+    >;
 
     if (!apiKey) {
       return res.status(400).json({
@@ -33,7 +36,7 @@ export function registerHandlers(
         },
       });
     }
-    const state = getProjectStateByApiKey(apiKey);
+    const state = getProjectStateByApiKey(apiKey, tenantId);
 
     switch (mode) {
       case "recoverEmail": {
@@ -169,14 +172,15 @@ export function registerHandlers(
     res.set("Content-Type", "text/html; charset=utf-8");
     const apiKey = req.query.apiKey as string | undefined;
     const providerId = req.query.providerId as string | undefined;
+    const tenantId = req.query.tenantId as string | undefined;
     if (!apiKey || !providerId) {
       return res.status(400).json({
         authEmulator: {
           error: "missing apiKey or providerId query parameters",
         },
       });
     }
-    const state = getProjectStateByApiKey(apiKey);
+    const state = getProjectStateByApiKey(apiKey, tenantId);
     const providerInfos = state.listProviderInfosByProviderId(providerId);
 
     const options = providerInfos