refactor(auth)!: migrate to TypeScript and bring auth closer in alignment with firebase-js-sdk API

[russellwheatley]

Updated to main and re-pushed to verify things still work since we're not using a merge queue here

release notes will come from the commit, so here's the draft of the commit message pulled from the description:

---

BREAKING CHANGE: auth types now match firebase-js-sdk as closely as possible

Please see https://rnfirebase.io/migrating-to-v25 for help migrating if needed.

react-native-firebase has a goal to be a drop-in replacement for firebase-js-sdk, with native extensions and performance. It has always worked that way at the javascript level but the typescript types have been divergent.

We are fixing that as we refactor to typescript. Please bear with us as we get closer to our goal of react-native-firebase matching firebase-js-sdk both in functionality where possible, but also in exact typescript typing.

Specifics for Auth:

• aligned the modular TypeScript surface with the firebase-js-sdk, so modular types like Auth, User, UserCredential, ActionCodeInfo, MultiFactorResolver, and MultiFactorUser no longer use the deprecated FirebaseAuthTypes namespace types in their public signatures; TypeScript consumers should import the modular types directly from @react-native-firebase/auth.
• removed the modular initializeRecaptchaConfig export from @react-native-firebase/auth; RN Firebase uses native SDK phone-auth verification rather than the browser reCAPTCHA bootstrap flow.
• changed modular sendSignInLinkToEmail(auth, email, actionCodeSettings) so actionCodeSettings is required, matching the firebase-js-sdk modular signature.
• changed modular signInWithPhoneNumber(auth, phoneNumber, appVerifier?) so the old RNFB forceResend fourth argument is no longer part of the modular signature; use the RNFB-specific verifyPhoneNumber(...) helper for the native listener / force-resend flow.
• changed modular redirect helper typings for native auth provider flows: signInWithRedirect(...) and linkWithRedirect(...) now return Promise<UserCredential> because RN Firebase native provider flows resolve immediately with credentials instead of following the browser redirect contract.
• kept the namespaced FirebaseAuthTypes API for backwards compatibility, but marked it deprecated and separated it from the modular public types; consumers should prefer direct exported modular types going forward.
• adjusted namespaced type details during the split, including FirebaseAuthTypes.UserInfo nullable profile fields and firebase.auth().config now typed as Record<string, never> rather than Map<any, any>.
• aligned the enum-like Auth type shapes with Firebase JS SDK by moving ActionCodeOperation, FactorId, OperationType, ProviderId, and SignInMethod into packages/auth/lib/constants.ts, re-exporting them from modular.ts, and using SDK-style (typeof X)[keyof typeof X] references in types/auth.ts
• aligned connectAuthEmulator with the Firebase JS SDK declaration by making disableWarnings required when the optional options object is provided
• OAuthProvider now follows the Firebase JS SDK credential API. Consumers should create an OAuthProvider instance and call credential(options) instead of using the RNFB static helper.
• EmailAuthProvider.credential() and EmailAuthProvider.credentialWithLink() now return EmailAuthCredential-shaped objects aligned with the Firebase JS SDK.
• GithubAuthProvider.credential() now returns an SDK-aligned OAuthCredential shape. Existing token, secret, and providerId fields are still present for RNFB compatibility, but consumers can now use Firebase JS SDK-style fields
• GoogleAuthProvider.credential() now returns an SDK-aligned OAuthCredential shape and rejects calls where both idToken and accessToken are absent.
• TwitterAuthProvider.credential() now returns an SDK-style OAuthCredential with signInMethod, accessToken, and toJSON() fields. Existing token, secret, and providerId fields remain available, but consumers should prefer the Firebase JS SDK-compatible credential fields when reading or serializing credentials.
• Breaking change note: FacebookAuthProvider.credential() is now typed like the Firebase JS SDK and returns OAuthCredential. TypeScript consumers should call it with only the access token; existing runtime limited-login nonce behavior is preserved for RNFB, but the public typed API now follows the SDK-compatible single-argument credential factory.
• PhoneAuthProvider.verifyPhoneNumber() now supports the Firebase JS SDK single-factor signature and returns Promise for verification IDs. Single-factor TypeScript consumers should pass the app verifier argument for SDK parity; RNFB continues to ignore it on native because app verification is handled by the native SDKs.
• OAuthProvider now supports Firebase JS SDK-style credential deserialization via credentialFromJSON(). Serialized OAuth credentials must include providerId; invalid JSON or missing provider IDs now throw instead of being accepted.
• TotpMultiFactorGenerator now uses SDK-compatible TOTP assertion and default-app generateSecret() types. Consumers using the default auth instance can call generateSecret(session); consumers using a non-default native auth instance may continue passing generateSecret(session, auth)
• GithubAuthProvider now exposes Firebase JS SDK-compatible credential extraction helpers. On native RNFB these helpers return null because provider credentials are not available from native result/error objects; consumers should continue using GithubAuthProvider.credential(token) when they have an access token.
• FacebookAuthProvider now exposes SDK-compatible credential extraction helpers, but they always return null on native. Consumers should not rely on extracting Facebook OAuth credentials from native auth results or errors; keep any needed token from the original provider sign-in flow.
• GoogleAuthProvider now exposes SDK-compatible credential extraction helpers, but they always return null on native. Consumers should keep any Google token from the original provider sign-in flow rather than trying to extract it from native auth results or errors.
• TwitterAuthProvider now exposes SDK-compatible credential extraction helpers, but they always return null on native. Consumers should retain Twitter tokens from the original provider flow rather than extracting them from native auth results or errors.

Related issues

Release Summary

Checklist

• I read the Contributor Guide and followed the process outlined there for submitting PRs.
  • Yes
• My change supports the following platforms;
  • Android
  • iOS
  • Other (macOS, web)
• My change includes tests;
  • e2e tests added or updated in packages/\*\*/e2e
  • jest tests added or updated in packages/\*\*/__tests__
• I have updated TypeScript types that are affected by my change.
• This is a breaking change;
  • Yes
  • No

Test Plan

---

Think react-native-firebase is great? Please consider supporting the project with any of the below:

• 👉 Star this repo on GitHub ⭐️
• 👉 Follow React Native Firebase and Invertase on Twitter

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
react-native-firebase	Error		Apr 27, 2026 2:33pm

[gemini-code-assist]

Code Review

This pull request introduces the modular API for the Auth package and refactors the namespaced API with improved TypeScript support. Key updates include the integration of react-native-builder-bob for builds, a fix for a logic error in TOTP secret handling, and the addition of type comparison configurations. Feedback was provided to improve the clarity of an error message in the password validation logic and to refine the emulator URL parsing to handle missing ports more explicitly.