Is your feature request related to a problem? Please describe.
The Identity Toolkit accounts:sendOobCode endpoint supports a VERIFY_AND_CHANGE_EMAIL request type that generates an OOB link which, when followed, both verifies the new address and updates the user's email. This is the recommended way to implement a secure "change email" flow — the verification link is sent to the current address so the flow isn't vulnerable to a stolen session setting a new email without the original owner's knowledge.
The Python Admin SDK cannot generate these links today. firebase_admin/_auth_utils.py declares:
VALID_EMAIL_ACTION_TYPES = set(['VERIFY_EMAIL', 'EMAIL_SIGNIN', 'PASSWORD_RESET'])
validate_action_type() rejects 'VERIFY_AND_CHANGE_EMAIL' before the request is made, and there is no new_email parameter on generate_email_action_link to carry the target address.
Describe the solution you'd like
Mirror the API added to firebase-admin-node in firebase/firebase-admin-node#1633 (merged April 2022):
- Add
'VERIFY_AND_CHANGE_EMAIL' to VALID_EMAIL_ACTION_TYPES.
- Add an optional
new_email: str | None = None parameter to generate_email_action_link (and the corresponding Client / auth module methods), required when action_type == 'VERIFY_AND_CHANGE_EMAIL'.
- Include
newEmail in the accounts:sendOobCode payload when set.
For reference, the Node signature is:
generateEmailActionLink(requestType, email, actionCodeSettings?, newEmail?)
Describe alternatives you've considered
Calling accounts:sendOobCode directly through Client._user_manager._make_request(...) with {"requestType": "VERIFY_AND_CHANGE_EMAIL", "email": ..., "newEmail": ..., "returnOobLink": True, ...}, reusing firebase_admin._user_mgt.encode_action_code_settings for ActionCodeSettings serialization. This works but depends on SDK internals (private _user_manager, private _make_request, private encode_action_code_settings) and bypasses the SDK's validation and error mapping.
Additional context
Is your feature request related to a problem? Please describe.
The Identity Toolkit
accounts:sendOobCodeendpoint supports aVERIFY_AND_CHANGE_EMAILrequest type that generates an OOB link which, when followed, both verifies the new address and updates the user's email. This is the recommended way to implement a secure "change email" flow — the verification link is sent to the current address so the flow isn't vulnerable to a stolen session setting a new email without the original owner's knowledge.The Python Admin SDK cannot generate these links today.
firebase_admin/_auth_utils.pydeclares:validate_action_type()rejects'VERIFY_AND_CHANGE_EMAIL'before the request is made, and there is nonew_emailparameter ongenerate_email_action_linkto carry the target address.Describe the solution you'd like
Mirror the API added to firebase-admin-node in firebase/firebase-admin-node#1633 (merged April 2022):
'VERIFY_AND_CHANGE_EMAIL'toVALID_EMAIL_ACTION_TYPES.new_email: str | None = Noneparameter togenerate_email_action_link(and the correspondingClient/authmodule methods), required whenaction_type == 'VERIFY_AND_CHANGE_EMAIL'.newEmailin theaccounts:sendOobCodepayload when set.For reference, the Node signature is:
Describe alternatives you've considered
Calling
accounts:sendOobCodedirectly throughClient._user_manager._make_request(...)with{"requestType": "VERIFY_AND_CHANGE_EMAIL", "email": ..., "newEmail": ..., "returnOobLink": True, ...}, reusingfirebase_admin._user_mgt.encode_action_code_settingsforActionCodeSettingsserialization. This works but depends on SDK internals (private_user_manager, private_make_request, privateencode_action_code_settings) and bypasses the SDK's validation and error mapping.Additional context
requestTypeenum already includesVERIFY_AND_CHANGE_EMAIL; the REST surface is unchanged.firebase-admin7.4.0.