Combine auth_get_user and auth_list_users MCP tools (#9165)

* feat(mcp): Combine auth_get_user and auth_list_users tools

Combines the `auth_get_user` and `auth_list_users` MCP tools into a single `auth_get_users` tool.

This new tool has two optional arguments, `uids` and `emails`.
- When no arguments are provided, it behaves like `auth_list_users`.
- When either `emails` or `uids` is provided, it looks up users by the provided identifiers.

Removes unused variables and ensures that `passwordHash` and `salt` fields are consistently removed from all user objects returned by the tool.

* Formats

* Parallelize calls

* Small fixes

* npm format

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: Joe Hanley <[email protected]>
Co-authored-by: Alexander Nohe <[email protected]>

Author: 3 people

src/mcp/tools/auth/get_user.spec.ts

@@ -0,0 +1,85 @@
+import { expect } from "chai";
+import * as sinon from "sinon";
+import { get_users } from "./get_users";
+import * as auth from "../../../gcp/auth";
+import { toContent } from "../../util";
+import { McpContext } from "../../types";
+
+describe("get_users tool", () => {
+  const projectId = "test-project";
+  const users = [
+    { uid: "uid1", email: "[email protected]", passwordHash: "hash", salt: "salt" },
+    { uid: "uid2", email: "[email protected]", passwordHash: "hash", salt: "salt" },
+  ];
+  const prunedUsers = [
+    { uid: "uid1", email: "[email protected]" },
+    { uid: "uid2", email: "[email protected]" },
+  ];
+
+  let findUserStub: sinon.SinonStub;
+  let listUsersStub: sinon.SinonStub;
+
+  beforeEach(() => {
+    findUserStub = sinon.stub(auth, "findUser");
+    listUsersStub = sinon.stub(auth, "listUsers");
+  });
+
+  afterEach(() => {
+    sinon.restore();
+  });
+
+  context("when no identifiers are provided", () => {
+    it("should list all users", async () => {
+      listUsersStub.resolves(users);
+      const result = await get_users.fn({}, { projectId } as McpContext);
+      expect(listUsersStub).to.be.calledWith(projectId, 100);
+      expect(result).to.deep.equal(toContent(prunedUsers));
+    });
+  });
+
+  context("when uids are provided", () => {
+    it("should get users by uid", async () => {
+      findUserStub.onFirstCall().resolves(users[0]);
+      findUserStub.onSecondCall().resolves(users[1]);
+      const result = await get_users.fn({ uids: ["uid1", "uid2"] }, { projectId } as McpContext);
+      expect(findUserStub).to.be.calledWith(projectId, undefined, undefined, "uid1");
+      expect(findUserStub).to.be.calledWith(projectId, undefined, undefined, "uid2");
+      expect(result).to.deep.equal(toContent(prunedUsers));
+    });
+
+    it("should handle not found users", async () => {
+      findUserStub.onFirstCall().resolves(users[0]);
+      findUserStub.onSecondCall().rejects(new Error("User not found"));
+      const result = await get_users.fn({ uids: ["uid1", "uid2"] }, { projectId } as McpContext);
+      expect(findUserStub).to.be.calledWith(projectId, undefined, undefined, "uid1");
+      expect(findUserStub).to.be.calledWith(projectId, undefined, undefined, "uid2");
+      expect(result).to.deep.equal(toContent([prunedUsers[0]]));
+    });
+  });
+
+  context("when emails are provided", () => {
+    it("should get users by email", async () => {
+      findUserStub.onFirstCall().resolves(users[0]);
+      findUserStub.onSecondCall().resolves(users[1]);
+      const result = await get_users.fn({ emails: ["[email protected]", "[email protected]"] }, {
+        projectId,
+      } as McpContext);
+      expect(findUserStub).to.be.calledWith(projectId, "[email protected]", undefined, undefined);
+      expect(findUserStub).to.be.calledWith(projectId, "[email protected]", undefined, undefined);
+      expect(result).to.deep.equal(toContent(prunedUsers));
+    });
+  });
+
+  context("when phone_numbers are provided", () => {
+    it("should get users by phone number", async () => {
+      findUserStub.onFirstCall().resolves(users[0]);
+      findUserStub.onSecondCall().resolves(users[1]);
+      const result = await get_users.fn({ phone_numbers: ["+11111111111", "+22222222222"] }, {
+        projectId,
+      } as McpContext);
+      expect(findUserStub).to.be.calledWith(projectId, undefined, "+11111111111", undefined);
+      expect(findUserStub).to.be.calledWith(projectId, undefined, "+22222222222", undefined);
+      expect(result).to.deep.equal(toContent(prunedUsers));
+    });
+  });
+});

src/mcp/tools/auth/get_user.ts

@@ -0,0 +1,62 @@
+import { z } from "zod";
+import { tool } from "../../tool";
+import { toContent } from "../../util";
+import { findUser, listUsers, UserInfo } from "../../../gcp/auth";
+
+export const get_users = tool(
+  {
+    name: "auth_get_users",
+    description: "Retrieves users based on a list of UIDs or a list of emails.",
+    inputSchema: z.object({
+      uids: z.array(z.string()).optional().describe("A list of user UIDs to retrieve."),
+      emails: z.array(z.string()).optional().describe("A list of user emails to retrieve."),
+      phone_numbers: z
+        .array(z.string())
+        .optional()
+        .describe("A list of user phone numbers to retrieve."),
+      limit: z
+        .number()
+        .optional()
+        .default(100)
+        .describe("The numbers of users to return. 500 is the upper limit. Defaults to 100."),
+    }),
+    annotations: {
+      title: "Get Firebase Auth Users",
+      readOnlyHint: true,
+    },
+    _meta: {
+      requiresAuth: true,
+      requiresProject: true,
+    },
+  },
+  async ({ uids, emails, phone_numbers, limit }, { projectId }) => {
+    const prune = (user: UserInfo) => {
+      // eslint-disable-next-line @typescript-eslint/no-unused-vars
+      const { passwordHash, salt, ...prunedUser } = user;
+      return prunedUser;
+    };
+    let users: UserInfo[] = [];
+    if (uids?.length) {
+      const promises = uids.map((uid) =>
+        findUser(projectId, undefined, undefined, uid).catch(() => null),
+      );
+      users.push(...(await Promise.all(promises)).filter((u): u is UserInfo => !!u));
+    }
+    if (emails?.length) {
+      const promises = emails.map((email) =>
+        findUser(projectId, email, undefined, undefined).catch(() => null),
+      );
+      users.push(...(await Promise.all(promises)).filter((u): u is UserInfo => !!u));
+    }
+    if (phone_numbers?.length) {
+      const promises = phone_numbers.map((phone) =>
+        findUser(projectId, undefined, phone, undefined).catch(() => null),
+      );
+      users.push(...(await Promise.all(promises)).filter((u): u is UserInfo => !!u));
+    }
+    if (!uids?.length && !emails?.length && !phone_numbers?.length) {
+      users = await listUsers(projectId, limit || 100);
+    }
+    return toContent(users.map(prune));
+  },
+);

src/mcp/tools/auth/get_users.spec.ts

@@ -1,14 +1,7 @@
 import { ServerTool } from "../../tool";
-import { get_user } from "./get_user";
+import { get_users } from "./get_users";
 import { disable_user } from "./disable_user";
 import { set_claim } from "./set_claims";
 import { set_sms_region_policy } from "./set_sms_region_policy";
-import { list_users } from "./list_users";
 
-export const authTools: ServerTool[] = [
-  get_user,
-  disable_user,
-  list_users,
-  set_claim,
-  set_sms_region_policy,
-];
+export const authTools: ServerTool[] = [get_users, disable_user, set_claim, set_sms_region_policy];