refactor(auth)!: migrate to TypeScript and bring auth closer in alignment with firebase-js-sdk API (#8991)

* refactor(auth): convert package sources to TypeScript
* test(ci): run iOS e2e on macos-26 to match local dev
* test(ios): target iPhone 17 simulator on macos-26 / Xcode latest
* fix: deep PR review and related fixes for type gaps
* fix(auth): final deep review pass, docs reorg/prep
* test(ios): additional instrumentation and mitigation for e2e orchestration flakes
* test: further e2e orchestration flake hardening
Fix usesLiveMetro() when DETOX_CONFIGURATION is unset in the Jet child and
retry the full Jet run after post-1006 session desync signals.

* test: mitigate two more test-specific e2e flakes

Harden RTDB listener e2e tests with native registration gates and make
Firestore emulator wipe retries validate HTTP responses.

* test: fix android coverage pull and adb reverse failure e2e flakes

Move Android native coverage pull to a post-Detox CI step with polling,
harden Detox adb reverse teardown, and make Jacoco/Codecov best-effort.

* fix(analytics, ios): fix infinite getSessionId wait, harden related e2e test
* test(android): use /mnt/avd for android emulator in e2e as intended

---------

Co-authored-by: Mike Hardy <github@mikehardy.net>

Author: russellwheatley

.github/scripts/compare-types/configs/auth.ts

@@ -0,0 +1,220 @@
+/**
+ * Known differences between the firebase-js-sdk @firebase/auth public
+ * API and the @react-native-firebase/auth modular API.
+ *
+ * Each entry must have a `name` and a `reason`. Any undocumented
+ * difference or stale entry will fail `yarn compare:types`.
+ *
+ * Platform shorthand used in reasons:
+ * - iOS/Android: native Firebase Auth SDK
+ * - Other/All: Other/Hermes + Other/Web (firebase-js-sdk JS bridge)
+ * - Other/Hermes: react-native-macos, Windows RN, etc. (no DOM)
+ * - Other/Web: true browser/DOM context
+ */
+
+import type { PackageConfig } from '../src/types';
+
+const config: PackageConfig = {
+  nameMapping: {},
+
+  missingInRN: [
+    {
+      name: 'initializeRecaptchaConfig',
+      reason:
+        'iOS/Android: native SDKs own phone verification. Other/Hermes: not applicable (no DOM). Other/Web: not implemented yet; firebase-js-sdk support is possible.',
+    },
+    {
+      name: 'AuthErrorCodes',
+      reason:
+        'iOS/Android: native auth error code strings. Other/All: not exported yet; firebase-js-sdk re-export is possible.',
+    },
+    {
+      name: 'browserCookiePersistence',
+      reason:
+        'iOS/Android: not applicable. Other/Hermes: not applicable. Other/Web: not exported yet; firebase-js-sdk browser persistence is possible.',
+    },
+    {
+      name: 'browserLocalPersistence',
+      reason:
+        'iOS/Android: not applicable. Other/Hermes: not applicable. Other/Web: not exported yet; firebase-js-sdk browser persistence is possible.',
+    },
+    {
+      name: 'browserPopupRedirectResolver',
+      reason:
+        'iOS/Android: native provider flows. Other/Hermes: not applicable. Other/Web: not exported yet; firebase-js-sdk popup/redirect resolver is possible.',
+    },
+    {
+      name: 'browserSessionPersistence',
+      reason:
+        'iOS/Android: not applicable. Other/Hermes: not applicable. Other/Web: not exported yet; firebase-js-sdk browser persistence is possible.',
+    },
+    {
+      name: 'debugErrorMap',
+      reason:
+        'iOS/Android: not exported. Other/All: not implemented yet; firebase-js-sdk error-map selection via initializeAuth is possible.',
+    },
+    {
+      name: 'indexedDBLocalPersistence',
+      reason:
+        'iOS/Android: not applicable. Other/Hermes: not applicable. Other/Web: not exported yet; firebase-js-sdk IndexedDB persistence is possible.',
+    },
+    {
+      name: 'inMemoryPersistence',
+      reason:
+        'iOS/Android: native SDKs manage persistence. Other/All: not exported yet; firebase-js-sdk inMemoryPersistence via initializeAuth is possible.',
+    },
+    {
+      name: 'prodErrorMap',
+      reason:
+        'iOS/Android: not exported. Other/All: not implemented yet; firebase-js-sdk error-map selection via initializeAuth is possible.',
+    },
+    {
+      name: 'ReactNativeAsyncStorage',
+      reason:
+        'iOS/Android: persistence delegated to native SDKs. Other/Hermes: not exported yet; firebase-js-sdk React Native persistence via initializeAuth is possible.',
+    },
+    {
+      name: 'RecaptchaParameters',
+      reason:
+        'iOS/Android: not applicable. Other/Hermes: not applicable. Other/Web: not exported; browser reCAPTCHA configuration only.',
+    },
+    {
+      name: 'RecaptchaVerifier',
+      reason:
+        'iOS/Android: native verification. Other/Hermes: not applicable (no DOM). Other/Web: not implemented yet; firebase-js-sdk RecaptchaVerifier is possible.',
+    },
+    {
+      name: 'SAMLAuthProvider',
+      reason:
+        'iOS/Android: not exported. Other/Hermes: not applicable. Other/Web: not exported yet; firebase-js-sdk SAML provider is possible.',
+    },
+  ],
+
+  extraInRN: [
+    {
+      name: 'AppleAuthProvider',
+      reason:
+        'Deprecated RN Firebase helper for Sign in with Apple. Prefer OAuthProvider("apple.com"). Retained for compatibility; firebase-js-sdk uses OAuthProvider only.',
+    },
+    {
+      name: 'NativeFirebaseAuthError',
+      reason:
+        'RN Firebase-specific native bridge auth error type used in place of the firebase-js-sdk AuthError export.',
+    },
+    {
+      name: 'OIDCAuthProvider',
+      reason:
+        'Deprecated RN Firebase OIDC helper. Prefer OAuthProvider("oidc.<suffix>"). Retained for compatibility; firebase-js-sdk uses OAuthProvider only.',
+    },
+    {
+      name: 'OIDCProvider',
+      reason:
+        'Deprecated with OIDCAuthProvider. Prefer OAuthProvider for OIDC flows.',
+    },
+    {
+      name: 'PhoneAuthState',
+      reason:
+        'RN Firebase-specific enum-like object describing native phone-auth listener states. iOS/Android only; Other uses js-sdk phone flows instead of verifyPhoneNumber().',
+    },
+    {
+      name: 'PhoneAuthListener',
+      reason:
+        'RN Firebase-specific listener object returned by verifyPhoneNumber(). iOS/Android only.',
+    },
+    {
+      name: 'PhoneAuthError',
+      reason:
+        'RN Firebase-specific phone verification error snapshot type used by native phone-auth listeners. iOS/Android only.',
+    },
+    {
+      name: 'PhoneAuthSnapshot',
+      reason:
+        'RN Firebase-specific phone verification snapshot type used by native phone-auth listeners. iOS/Android only.',
+    },
+    {
+      name: 'verifyPhoneNumber',
+      reason:
+        'RN Firebase-specific native phone verification listener flow. iOS/Android only; Other/All: use signInWithPhoneNumber / PhoneAuthProvider via js-sdk instead.',
+    },
+    {
+      name: 'setLanguageCode',
+      reason:
+        'RN Firebase modular helper for auth.languageCode. iOS/Android: native. Other/All: not delegated yet; firebase-js-sdk languageCode / useDeviceLanguage is possible.',
+    },
+    {
+      name: 'useUserAccessGroup',
+      reason:
+        'RN Firebase-specific iOS keychain sharing helper. iOS native only.',
+    },
+    {
+      name: 'getCustomAuthDomain',
+      reason:
+        'RN Firebase-specific native auth domain helper on iOS/Android. Other/All: auth.config from firebase-js-sdk may cover this instead (see auth.config in migration guide).',
+    },
+    {
+      name: 'AdditionalUserInfoNative',
+      reason:
+        'RN Firebase extension type: firebase-js-sdk AdditionalUserInfo core fields plus index signature for extra native bridge keys. Use when typing values from getAdditionalUserInfo or UserCredential.additionalUserInfo that may include provider-specific native fields.',
+    },
+  ],
+
+  differentShape: [
+    {
+      name: 'OAuthCredential',
+      reason:
+        'RN Firebase OAuthCredential exposes rawNonce for Apple / limited-login flows. OAuth 1.0 token secrets use the inherited AuthCredential.secret field (firebase-js-sdk optional secret on OAuthCredential).',
+    },
+    {
+      name: 'FacebookAuthProvider',
+      reason:
+        'RN Firebase exports an extra credential(token, secret) overload for Facebook limited-login nonce behaviour. firebase-js-sdk public types only declare credential(accessToken). credentialFromResult / credentialFromError always return null at runtime today (types match js-sdk). Same runtime applies to GoogleAuthProvider, GithubAuthProvider, TwitterAuthProvider, OAuthProvider, and PhoneAuthProvider — see those entries. iOS/Android: no native extraction planned. Other/Hermes: not delegated. Other/Web: future implementation should delegate to firebase-js-sdk in RNFBAuthModule — do not invest in native iOS/Android extraction.',
+    },
+    {
+      name: 'UserCredential',
+      reason:
+        'RN Firebase modular UserCredential includes optional enumerable additionalUserInfo (firebase-js-sdk core fields plus preserved native bridge keys). firebase-js-sdk keeps additionalUserInfo off the public UserCredential interface — use getAdditionalUserInfo there.',
+    },
+    {
+      name: 'isSignInWithEmailLink',
+      reason:
+        'iOS/Android: Promise<boolean> via native bridge. Other/All: not aligned yet; firebase-js-sdk synchronous boolean is possible on Other/Hermes and Other/Web.',
+    },
+    {
+      name: 'linkWithRedirect',
+      reason:
+        'iOS/Android: resolves immediately with UserCredential. Other/Hermes: not applicable (no DOM). Other/Web: not delegated yet; firebase-js-sdk redirect flow is possible.',
+    },
+    {
+      name: 'reauthenticateWithRedirect',
+      reason:
+        'iOS/Android: Promise<void> after native in-app provider flow. Other/Hermes: not applicable. Other/Web: not delegated yet; firebase-js-sdk redirect semantics are possible.',
+    },
+    {
+      name: 'signInWithRedirect',
+      reason:
+        'iOS/Android: resolves immediately with UserCredential. Other/Hermes: not applicable. Other/Web: not delegated yet; firebase-js-sdk redirect flow is possible.',
+    },
+    {
+      name: 'OAuthProvider',
+      reason:
+        'iOS/Android: retains toObject() and native bridge configuration helpers. Other/Hermes: scopes/custom parameters via js-sdk are possible. Other/Web: full js-sdk OAuthProvider surface is possible; toObject() remains iOS/Android bridge-only. credentialFromResult / credentialFromError always return null at runtime today (types match js-sdk). Same runtime applies to GoogleAuthProvider, GithubAuthProvider, TwitterAuthProvider, FacebookAuthProvider, and PhoneAuthProvider. Other/Web is the future delegation path via firebase-js-sdk; iOS/Android native extraction is not planned.',
+    },
+    {
+      name: 'PhoneAuthProvider',
+      reason:
+        'RN Firebase retains native multi-factor verifyPhoneNumber overloads for iOS/Android native bridge methods. MFA also works on Other via firebase-js-sdk through the web bridge (see tests/local-tests); this overload is an intentional RN extension, not a missing Other implementation. credentialFromResult / credentialFromError always return null at runtime today (types match js-sdk). Same runtime applies to GoogleAuthProvider, GithubAuthProvider, TwitterAuthProvider, FacebookAuthProvider, and OAuthProvider. Other/Web js-sdk delegation is the future path for non-null extraction.',
+    },
+    {
+      name: 'TotpMultiFactorGenerator',
+      reason:
+        'RN Firebase extension: optional Auth overload for non-default native Firebase apps. firebase-js-sdk uses the default app only.',
+    },
+    {
+      name: 'TotpSecret',
+      reason:
+        'iOS/Android: generateQrCodeUrl is Promise<string> via native bridge; openInOtpApp is an RN-only helper. Other/All: js-sdk synchronous generateQrCodeUrl is possible when MFA is supported on Other.',
+    },
+  ],
+};
+
+export default config;

.github/scripts/compare-types/src/registry.ts

@@ -18,11 +18,11 @@ import appCheckConfig from '../configs/app-check';
 import firestoreConfig from '../configs/firestore';
 import firestorePipelinesConfig from '../configs/firestore-pipelines';
 import remoteConfigConfig from '../configs/remote-config';
+import authConfig from '../configs/auth';
 import installationsConfig from '../configs/installations';
 import perfConfig from '../configs/perf-config';
 
-const SCRIPT_DIR = path.resolve(__dirname, '..');
-const REPO_ROOT = path.resolve(SCRIPT_DIR, '..', '..', '..');
+const REPO_ROOT = path.resolve(__dirname, '..', '..', '..', '..');
 
 export interface PackageEntry {
   /** Short name used in reports (e.g. "remote-config"). */
@@ -103,6 +103,41 @@ function optionalFirebasePackage(
 }
 
 export const packages: PackageEntry[] = [
+  {
+    name: 'auth',
+    firebaseSdkTypesPaths: [requiredFirebaseTypes('auth')],
+    rnFirebaseModularFiles: [
+      path.join(rnDist('auth'), 'types', 'auth.d.ts'),
+      path.join(rnDist('auth'), 'modular.d.ts'),
+    ],
+    rnFirebaseSupportFiles: [
+      path.join(rnDist('auth'), 'index.d.ts'),
+      path.join(rnDist('auth'), 'constants.d.ts'),
+      path.join(rnDist('auth'), 'namespaced.d.ts'),
+      path.join(rnDist('auth'), 'types', 'namespaced.d.ts'),
+      path.join(rnDist('auth'), 'types', 'internal.d.ts'),
+      path.join(rnDist('auth'), 'ConfirmationResult.d.ts'),
+      path.join(rnDist('auth'), 'MultiFactorResolver.d.ts'),
+      path.join(rnDist('auth'), 'PhoneAuthListener.d.ts'),
+      path.join(rnDist('auth'), 'PhoneMultiFactorGenerator.d.ts'),
+      path.join(rnDist('auth'), 'Settings.d.ts'),
+      path.join(rnDist('auth'), 'TotpMultiFactorGenerator.d.ts'),
+      path.join(rnDist('auth'), 'TotpSecret.d.ts'),
+      path.join(rnDist('auth'), 'User.d.ts'),
+      path.join(rnDist('auth'), 'getMultiFactorResolver.d.ts'),
+      path.join(rnDist('auth'), 'multiFactor.d.ts'),
+      path.join(rnDist('auth'), 'providers', 'AppleAuthProvider.d.ts'),
+      path.join(rnDist('auth'), 'providers', 'EmailAuthProvider.d.ts'),
+      path.join(rnDist('auth'), 'providers', 'FacebookAuthProvider.d.ts'),
+      path.join(rnDist('auth'), 'providers', 'GithubAuthProvider.d.ts'),
+      path.join(rnDist('auth'), 'providers', 'GoogleAuthProvider.d.ts'),
+      path.join(rnDist('auth'), 'providers', 'OAuthProvider.d.ts'),
+      path.join(rnDist('auth'), 'providers', 'OIDCAuthProvider.d.ts'),
+      path.join(rnDist('auth'), 'providers', 'PhoneAuthProvider.d.ts'),
+      path.join(rnDist('auth'), 'providers', 'TwitterAuthProvider.d.ts'),
+    ],
+    config: authConfig,
+  },
   {
     name: 'storage',
     firebaseSdkTypesPaths: [requiredFirebaseTypes('storage')],

.github/workflows/tests_e2e_android.yml

@@ -241,29 +241,36 @@ jobs:
           nohup sh -c "until false; do $ANDROID_HOME/platform-tools/adb shell input tap 100 800; sleep 0.2; done" &
         shell: bash
 
+      - name: Prepare AVD home on /mnt
+        # GitHub-hosted runners mount a ~74GB volume at /mnt. Set ANDROID_AVD_HOME before
+        # android-emulator-runner creates the AVD (pre-emulator-launch-script runs too late
+        # for ln -s ~/.android/avd to relocate an already-created AVD off root disk).
+        run: |
+          sudo mkdir -p /mnt/avd
+          sudo chown "$USER:$USER" /mnt/avd
+          df -h / /mnt
+
       - name: Detox Tests
         # https://github.com/reactivecircus/android-emulator-runner/releases
         uses: reactivecircus/android-emulator-runner@0a638108440efd5c7f980e6ba145dbcdd8f32009 # v2.37.0
         timeout-minutes: 45
+        env:
+          ANDROID_AVD_HOME: /mnt/avd
         with:
           api-level: ${{ matrix.api-level }}
           avd-name: TestingAVD
           target: ${{ matrix.target }}
           disable-spellchecker: true
           arch: ${{ matrix.arch }}
-          pre-emulator-launch-script: |
-            sudo mkdir /mnt/avd
-            sudo chown $USER:$USER /mnt/avd
-            mkdir -p $HOME/.android
-            ln -s /mnt/avd $HOME/.android/avd
           script: |
             $ANDROID_HOME/platform-tools/adb devices
             nohup sh -c "$ANDROID_HOME/platform-tools/adb logcat '*:D' > adb-log.txt" &
             yarn tests:android:test-cover --headless
-            yarn tests:android:test:jacoco-report
+            yarn tests:android:post-e2e-coverage
 
       # https://github.com/codecov/codecov-action/releases
       - uses: codecov/codecov-action@e53489f4d376d79066609109e7a95a29eb3740b1 # v7.0.0
+        continue-on-error: true
         with:
           verbose: true
 

.github/workflows/tests_e2e_ios.yml

@@ -313,7 +313,7 @@ jobs:
       - name: Pre-fetch Javascript bundle
         if: contains(matrix.buildmode, 'debug')
         run: |
-          nohup yarn tests:packager:jet-ci &
+          nohup yarn tests:packager:jet-ci > metro.log 2>&1 &
           printf 'Waiting for packager to come online'
           until curl --output /dev/null --silent --head --fail http://localhost:8081/status; do
             printf '.'
@@ -388,6 +388,15 @@ jobs:
           name: simulator-${{ matrix.buildmode }}-${{ matrix.iteration }}_log
           path: simulator.log
 
+      - name: Upload Metro log
+        # https://github.com/actions/upload-artifact/releases
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        continue-on-error: true
+        if: always() && contains(matrix.buildmode, 'debug')
+        with:
+          name: metro-${{ matrix.buildmode }}-${{ matrix.iteration }}_log
+          path: metro.log
+
       - name: Upload Screen Recording
         # https://github.com/actions/upload-artifact/releases
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1

.yarn/patches/detox-npm-20.51.0-3e13b6e309.patch

@@ -146,3 +146,28 @@ index 10743c87d17de135317e1bac3e65159b9872412f..abbb302307fbd5eabbbff875983f284a
    }
  }
 
+diff --git a/src/devices/common/drivers/android/exec/ADB.js b/src/devices/common/drivers/android/exec/ADB.js
+index 1111111111111111111111111111111111111111..2222222222222222222222222222222222222222 100644
+--- a/src/devices/common/drivers/android/exec/ADB.js
++++ b/src/devices/common/drivers/android/exec/ADB.js
+@@ -379,7 +379,19 @@ class ADB {
+   }
+ 
+   async reverseRemove(deviceId, port) {
+-    return this.adbCmd(deviceId, `reverse --remove tcp:${port}`);
++    try {
++      return await this.adbCmd(deviceId, `reverse --remove tcp:${port}`);
++    } catch (error) {
++      const details = `${error.stderr || ''} ${error.message || ''}`;
++      if (/listener .* not found/i.test(details)) {
++        log.warn(
++          { deviceId, port },
++          'Ignoring missing adb reverse listener during Detox teardown',
++        );
++        return;
++      }
++      throw error;
++    }
+   }
+ 
+   async emuKill(deviceId) {