First.

Author: jamesdaniels

packages/auth/src/api/index.ts

@@ -241,6 +241,9 @@ export async function _performSignInRequest<T, V extends IdTokenResponse>(
   request?: T,
   customErrorMap: Partial<ServerErrorMap<ServerError>> = {}
 ): Promise<V> {
+  // TODO(jamedaniels) if auth persistence is cookie, proxy through the server endpoint
+  //                   Q, do we want to allow signIn/Out to work normally on the server if cookie
+  //                   persistence is set and FirebaseServerApp authIdToken is not?
   const serverResponse = await _performApiRequest<T, V | IdTokenMfaResponse>(
     auth,
     method,

packages/auth/src/core/user/user_credential_impl.ts

@@ -44,6 +44,8 @@ export class UserCredentialImpl
     this.operationType = params.operationType;
   }
 
+  // TODO(jamesdaniels) fetch the user credential from the cookie and response returned from the
+  //                    proxy endpoint
   static async _fromIdTokenResponse(
     auth: AuthInternal,
     operationType: OperationType,

packages/auth/src/model/user.ts

@@ -62,6 +62,8 @@ export interface UserInternal extends User {
 
   auth: AuthInternal;
   providerId: ProviderId.FIREBASE;
+  // TODO(jamesdaniels): refreshToken should either be optional or a sentinel value for COOKIE
+  //                     persistence, if refresh token has an identifier maybe that?
   refreshToken: string;
   emailVerified: boolean;
   tenantId: string | null;