refactor(auth)!: migrate to TypeScript and bring auth closer in alignment with firebase-js-sdk API

[russellwheatley]

Updated to main and re-pushed to verify things still work since we're not using a merge queue here

release notes will come from the commit, so here's the draft of the commit message pulled from the description:

---

BREAKING CHANGE: auth types now match firebase-js-sdk as closely as possible

Please see https://rnfirebase.io/migrating-to-v25 for help migrating if needed.

react-native-firebase has a goal to be a drop-in replacement for firebase-js-sdk, with native extensions and performance. It has always worked that way at the javascript level but the typescript types have been divergent.

We are fixing that as we refactor to typescript. Please bear with us as we get closer to our goal of react-native-firebase matching firebase-js-sdk both in functionality where possible, but also in exact typescript typing.

Specifics for Auth:

• aligned the modular TypeScript surface with the firebase-js-sdk, so modular types like Auth, User, UserCredential, ActionCodeInfo, MultiFactorResolver, and MultiFactorUser no longer use the deprecated FirebaseAuthTypes namespace types in their public signatures; TypeScript consumers should import the modular types directly from @react-native-firebase/auth.
• removed the modular initializeRecaptchaConfig export from @react-native-firebase/auth; RN Firebase uses native SDK phone-auth verification rather than the browser reCAPTCHA bootstrap flow.
• changed modular sendSignInLinkToEmail(auth, email, actionCodeSettings) so actionCodeSettings is required, matching the firebase-js-sdk modular signature.
• changed modular signInWithPhoneNumber(auth, phoneNumber, appVerifier?) so the old RNFB forceResend fourth argument is no longer part of the modular signature; use the RNFB-specific verifyPhoneNumber(...) helper for the native listener / force-resend flow.
• changed modular redirect helper typings for native auth provider flows: signInWithRedirect(...) and linkWithRedirect(...) now return Promise<UserCredential> because RN Firebase native provider flows resolve immediately with credentials instead of following the browser redirect contract.
• kept the namespaced FirebaseAuthTypes API for backwards compatibility, but marked it deprecated and separated it from the modular public types; consumers should prefer direct exported modular types going forward.
• adjusted namespaced type details during the split, including FirebaseAuthTypes.UserInfo nullable profile fields and firebase.auth().config now typed as Record<string, never> rather than Map<any, any>.
• aligned the enum-like Auth type shapes with Firebase JS SDK by moving ActionCodeOperation, FactorId, OperationType, ProviderId, and SignInMethod into packages/auth/lib/constants.ts, re-exporting them from modular.ts, and using SDK-style (typeof X)[keyof typeof X] references in types/auth.ts
• aligned connectAuthEmulator with the Firebase JS SDK declaration by making disableWarnings required when the optional options object is provided
• OAuthProvider now follows the Firebase JS SDK credential API. Consumers should create an OAuthProvider instance and call credential(options) instead of using the RNFB static helper.
• EmailAuthProvider.credential() and EmailAuthProvider.credentialWithLink() now return EmailAuthCredential-shaped objects aligned with the Firebase JS SDK.
• GithubAuthProvider.credential() now returns an SDK-aligned OAuthCredential shape. Existing token, secret, and providerId fields are still present for RNFB compatibility, but consumers can now use Firebase JS SDK-style fields
• GoogleAuthProvider.credential() now returns an SDK-aligned OAuthCredential shape and rejects calls where both idToken and accessToken are absent.
• TwitterAuthProvider.credential() now returns an SDK-style OAuthCredential with signInMethod, accessToken, and toJSON() fields. Existing token, secret, and providerId fields remain available, but consumers should prefer the Firebase JS SDK-compatible credential fields when reading or serializing credentials.
• Breaking change note: FacebookAuthProvider.credential() is now typed like the Firebase JS SDK and returns OAuthCredential. TypeScript consumers should call it with only the access token; existing runtime limited-login nonce behavior is preserved for RNFB, but the public typed API now follows the SDK-compatible single-argument credential factory.
• PhoneAuthProvider.verifyPhoneNumber() now supports the Firebase JS SDK single-factor signature and returns Promise for verification IDs. Single-factor TypeScript consumers should pass the app verifier argument for SDK parity; RNFB continues to ignore it on native because app verification is handled by the native SDKs.
• OAuthProvider now supports Firebase JS SDK-style credential deserialization via credentialFromJSON(). Serialized OAuth credentials must include providerId; invalid JSON or missing provider IDs now throw instead of being accepted.
• TotpMultiFactorGenerator now uses SDK-compatible TOTP assertion and default-app generateSecret() types. Consumers using the default auth instance can call generateSecret(session); consumers using a non-default native auth instance may continue passing generateSecret(session, auth)
• GithubAuthProvider now exposes Firebase JS SDK-compatible credential extraction helpers. On native RNFB these helpers return null because provider credentials are not available from native result/error objects; consumers should continue using GithubAuthProvider.credential(token) when they have an access token.
• FacebookAuthProvider now exposes SDK-compatible credential extraction helpers, but they always return null on native. Consumers should not rely on extracting Facebook OAuth credentials from native auth results or errors; keep any needed token from the original provider sign-in flow.
• GoogleAuthProvider now exposes SDK-compatible credential extraction helpers, but they always return null on native. Consumers should keep any Google token from the original provider sign-in flow rather than trying to extract it from native auth results or errors.
• TwitterAuthProvider now exposes SDK-compatible credential extraction helpers, but they always return null on native. Consumers should retain Twitter tokens from the original provider flow rather than extracting them from native auth results or errors.
• implemented auth.authStateReady(), auth.beforeAuthStateChanged(...), auth.emulatorConfig, and auth.updateCurrentUser(user) on the Auth instance; modular beforeAuthStateChanged and updateCurrentUser now delegate to the instance instead of throwing.
• added auth.tenantId setter (delegates to setTenantId) for firebase-js-sdk parity.
• documented that auth.config is typed for parity but returns {} at runtime because native iOS/Android Firebase Auth SDKs do not expose the web config object.
• made modular signInWithEmailLink(auth, email, emailLink?) third argument optional to match firebase-js-sdk.
• restored namespaced sendSignInLinkToEmail(email, settings?) default of {} when settings are omitted; modular API keeps required actionCodeSettings per firebase-js-sdk.
• credential classes (AuthCredential, EmailAuthCredential, OAuthCredential, PhoneAuthCredential) now mirror firebase-js-sdk with toJSON() and static fromJSON() where applicable, while retaining RNFB token/secret bridge fields.
• added OAuthProvider.credentialFromResult / credentialFromError and PhoneAuthProvider.credentialFromResult / credentialFromError null-returning stubs for API parity.
• fixed User.reauthenticateWithRedirect to call _setUserCredential again so currentUser updates after native provider reauthentication.
• modular multiFactor(user) uses the user's auth instance instead of getAuth() for secondary-app correctness.
• namespaced multiFactor(user) now enforces user.uid === currentUser.uid.
• modular return-shape normalization for UserCredential, checkActionCode, getAdditionalUserInfo, and signInWithPhoneNumber confirmation results.
• TotpSecret.generateQrCodeUrl() documented as async because it uses the React Native native bridge.

Related issues

No open issue specifically tracks modular multiFactor(user) using getAuth(); related historical discussion: #7339 (closed, native MFA with secondary Firebase apps).

Release Summary

Checklist

• I read the Contributor Guide and followed the process outlined there for submitting PRs.
  • Yes
• My change supports the following platforms;
  • Android
  • iOS
  • Other (macOS, web)
• My change includes tests;
  • e2e tests added or updated in packages/**\e2e
  • jest tests added or updated in packages/**\__tests__
• I have updated TypeScript types that are affected by my change.
• This is a breaking change;
  • Yes
  • No

Test Plan

---

Think react-native-firebase is great? Please consider supporting the project with any of the below:

• 👉 Star this repo on GitHub ⭐️
• 👉 Follow React Native Firebase and Invertase on Twitter

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
react-native-firebase	Error		Apr 27, 2026 2:33pm

[gemini-code-assist]

Code Review

This pull request introduces the modular API for the Auth package and refactors the namespaced API with improved TypeScript support. Key updates include the integration of react-native-builder-bob for builds, a fix for a logic error in TOTP secret handling, and the addition of type comparison configurations. Feedback was provided to improve the clarity of an error message in the password validation logic and to refine the emulator URL parsing to handle missing ports more explicitly.

[github-actions]

Hello 👋, this PR has been opened for more than 14 days with no activity on it.

If you think this is a mistake please comment and ping a maintainer to get this merged ASAP! Thanks for contributing!

You have 7 days until this gets closed automatically