Edge case handling of tenant mfaConfig

Author: lisajian

src/emulator/auth/operations.ts

@@ -32,6 +32,7 @@ import {
   UsageMode,
   AgentProjectState,
   TenantProjectState,
+  MfaConfig,
 } from "./state";
 import { MfaEnrollments, Schemas } from "./types";
 
@@ -2692,14 +2693,22 @@ function createTenant(
     throw new InternalError("INTERNAL_ERROR: Can only create tenant in agent project", "INTERNAL");
   }
 
+  const mfaConfig = reqBody.mfaConfig ?? {};
+  if (!("state" in mfaConfig)) {
+    mfaConfig.state = "DISABLED";
+  }
+  if (!("enabledProviders" in mfaConfig)) {
+    mfaConfig.enabledProviders = [];
+  }
+
   // Default to production settings if unset
   const tenant = {
     displayName: reqBody.displayName,
     allowPasswordSignup: reqBody.allowPasswordSignup ?? false,
     enableEmailLinkSignin: reqBody.enableEmailLinkSignin ?? false,
     enableAnonymousUser: reqBody.enableAnonymousUser ?? false,
     disableAuth: reqBody.disableAuth ?? false,
-    mfaConfig: reqBody.mfaConfig ?? { state: "DISABLED" },
+    mfaConfig: mfaConfig as MfaConfig,
     tenantId: "", // Placeholder until one is generated
   };
 

src/emulator/auth/state.ts

@@ -753,16 +753,27 @@ export class TenantProjectState extends ProjectState {
     this.parentProject.deleteTenant(this.tenantId);
   }
 
-  updateTenant(update: Partial<Tenant>, updateMask: string | undefined): Tenant {
+  updateTenant(
+    update: Schemas["GoogleCloudIdentitytoolkitAdminV2Tenant"],
+    updateMask: string | undefined
+  ): Tenant {
     // Empty masks indicate a full update
     if (!updateMask) {
+      const mfaConfig = update.mfaConfig ?? {};
+      if (!("state" in mfaConfig)) {
+        mfaConfig.state = "DISABLED";
+      }
+      if (!("enabledProviders" in mfaConfig)) {
+        mfaConfig.enabledProviders = [];
+      }
+
       // Default to production defaults if unset
       this._tenantConfig = {
         tenantId: this.tenantId,
         name: this.tenantConfig.name,
         allowPasswordSignup: update.allowPasswordSignup ?? false,
         disableAuth: update.disableAuth ?? false,
-        mfaConfig: update.mfaConfig ?? {},
+        mfaConfig: mfaConfig as MfaConfig,
         enableAnonymousUser: update.enableAnonymousUser ?? false,
         enableEmailLinkSignin: update.enableEmailLinkSignin ?? false,
         displayName: update.displayName,
@@ -830,14 +841,17 @@ export type UserInfo = Omit<
   localId: string;
   providerUserInfo?: ProviderUserInfo[];
 };
-export type Tenant = MakeRequired<
-  Omit<Schemas["GoogleCloudIdentitytoolkitAdminV2Tenant"], "testPhoneNumbers">,
-  | "allowPasswordSignup"
-  | "disableAuth"
-  | "mfaConfig"
-  | "enableAnonymousUser"
-  | "enableEmailLinkSignin"
-> & { tenantId: string };
+export type MfaConfig = MakeRequired<
+  Schemas["GoogleCloudIdentitytoolkitAdminV2MultiFactorAuthConfig"],
+  "enabledProviders" | "state"
+>;
+export type Tenant = Omit<
+  MakeRequired<
+    Schemas["GoogleCloudIdentitytoolkitAdminV2Tenant"],
+    "allowPasswordSignup" | "disableAuth" | "enableAnonymousUser" | "enableEmailLinkSignin"
+  >,
+  "testPhoneNumbers" | "mfaConfig"
+> & { tenantId: string; mfaConfig: MfaConfig };
 
 interface RefreshTokenRecord {
   localId: string;

src/test/emulators/auth/helpers.ts

@@ -5,7 +5,7 @@ import { expect, AssertionError } from "chai";
 import { IdpJwtPayload } from "../../../emulator/auth/operations";
 import { OobRecord, PhoneVerificationRecord, Tenant, UserInfo } from "../../../emulator/auth/state";
 import { TestAgent, PROJECT_ID } from "./setup";
-import { MfaEnrollments } from "../../../emulator/auth/types";
+import { MfaEnrollments, Schemas } from "../../../emulator/auth/types";
 
 export { PROJECT_ID };
 export const TEST_PHONE_NUMBER = "+15555550100";
@@ -407,7 +407,7 @@ export function deleteAccount(testAgent: TestAgent, reqBody: {}): Promise<string
 export function registerTenant(
   testAgent: TestAgent,
   projectId: string,
-  tenant?: Partial<Tenant>
+  tenant?: Schemas["GoogleCloudIdentitytoolkitAdminV2Tenant"]
 ): Promise<Tenant> {
   return testAgent
     .post(`/identitytoolkit.googleapis.com/v2/projects/${projectId}/tenants`)

src/test/emulators/auth/tenant.spec.ts

@@ -53,6 +53,7 @@ describeAuthEmulator("tenant management", ({ authApi }) => {
           expect(res.body.enableEmailLinkSignin).to.be.false;
           expect(res.body.mfaConfig).to.eql({
             state: "DISABLED",
+            enabledProviders: [],
           });
         });
     });
@@ -367,7 +368,10 @@ describeAuthEmulator("tenant management", ({ authApi }) => {
           expect(res.body.disableAuth).to.be.false;
           expect(res.body.enableAnonymousUser).to.be.false;
           expect(res.body.enableEmailLinkSignin).to.be.false;
-          expect(res.body.mfaConfig).to.eql({});
+          expect(res.body.mfaConfig).to.eql({
+            enabledProviders: [],
+            state: "DISABLED",
+          });
         });
     });
   });