Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(auth): Fix credentials issue in createCustomToken() when using ADC #2801

Merged
merged 3 commits into from
Dec 12, 2024
Merged

fix(auth): Fix credentials issue in createCustomToken() when using ADC #2801

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
dcda638
fix(auth): Fix service account issue in createToken() using ADC
lahirumaramba Dec 5, 2024
3b8d5a3
fix tests
lahirumaramba Dec 9, 2024
5ffd9e7
Merge branch 'master' into lm-fix-createtoken
lahirumaramba Dec 12, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 16 additions & 7 deletions src/utils/crypto-signer.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import { AuthorizedHttpClient, HttpRequestConfig, HttpClient, RequestResponseErr

import { Algorithm } from 'jsonwebtoken';
import { ErrorInfo } from '../utils/error';
import * as utils from '../utils/index';
import * as validator from '../utils/validator';

const ALGORITHM_RS256: Algorithm = 'RS256' as const;
Expand Down Expand Up @@ -105,22 +106,23 @@ export class IAMSigner implements CryptoSigner {

private readonly httpClient: AuthorizedHttpClient;
private serviceAccountId?: string;
private app?: App;

constructor(httpClient: AuthorizedHttpClient, serviceAccountId?: string) {
constructor(httpClient: AuthorizedHttpClient, app?: App) {
if (!httpClient) {
throw new CryptoSignerError({
code: CryptoSignerErrorCode.INVALID_ARGUMENT,
message: 'INTERNAL ASSERT: Must provide a HTTP client to initialize IAMSigner.',
});
}
if (typeof serviceAccountId !== 'undefined' && !validator.isNonEmptyString(serviceAccountId)) {
if (app && (typeof app !== 'object' || app === null || !('options' in app))) {
throw new CryptoSignerError({
code: CryptoSignerErrorCode.INVALID_ARGUMENT,
message: 'INTERNAL ASSERT: Service account ID must be undefined or a non-empty string.',
message: 'INTERNAL ASSERT: Must provide a valid Firebase app instance.',
});
}
this.httpClient = httpClient;
this.serviceAccountId = serviceAccountId;
this.app = app;
}

/**
Expand Down Expand Up @@ -152,9 +154,16 @@ export class IAMSigner implements CryptoSigner {
/**
* @inheritDoc
*/
public getAccountId(): Promise<string> {
public async getAccountId(): Promise<string> {
if (validator.isNonEmptyString(this.serviceAccountId)) {
return Promise.resolve(this.serviceAccountId);
return this.serviceAccountId;
}
if (this.app) {
const accountId = await utils.findServiceAccountEmail(this.app!)
if (accountId) {
this.serviceAccountId = accountId;
return accountId;
}
}
const request: HttpRequestConfig = {
method: 'GET',
Expand Down Expand Up @@ -197,7 +206,7 @@ export function cryptoSignerFromApp(app: App): CryptoSigner {
return new ServiceAccountSigner(credential);
}

return new IAMSigner(new AuthorizedHttpClient(app as FirebaseApp), app.options.serviceAccountId);
return new IAMSigner(new AuthorizedHttpClient(app as FirebaseApp), app);
}

/**
Expand Down
12 changes: 6 additions & 6 deletions test/unit/utils/crypto-signer.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,7 +103,7 @@ describe('CryptoSigner', () => {
const input = Buffer.from('input');
const signRequest = {
method: 'POST',
url: 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/test-service-account:signBlob',
url: 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/foo@project_id.iam.gserviceaccount.com:signBlob',
headers: {
Authorization: `Bearer ${mockAccessToken}`,
'X-Goog-Api-Client': getMetricsHeader()
Expand All @@ -120,7 +120,7 @@ describe('CryptoSigner', () => {
const expectedResult = utils.responseFrom(response);
stub = sinon.stub(HttpClient.prototype, 'send').resolves(expectedResult);
const requestHandler = new AuthorizedHttpClient(mockApp);
const signer = new IAMSigner(requestHandler, 'test-service-account');
const signer = new IAMSigner(requestHandler, mockApp);
return signer.sign(input).then((signature) => {
expect(signature.toString('base64')).to.equal(response.signedBlob);
expect(stub).to.have.been.calledOnce.and.calledWith(signRequest);
Expand All @@ -136,7 +136,7 @@ describe('CryptoSigner', () => {
});
stub = sinon.stub(HttpClient.prototype, 'send').rejects(expectedResult);
const requestHandler = new AuthorizedHttpClient(mockApp);
const signer = new IAMSigner(requestHandler, 'test-service-account');
const signer = new IAMSigner(requestHandler, mockApp);
return signer.sign(input).catch((err) => {
expect(err).to.be.instanceOf(CryptoSignerError);
expect(err.message).to.equal('Server responded with status 500.');
Expand All @@ -145,9 +145,9 @@ describe('CryptoSigner', () => {
});
});

it('should return the explicitly specified service account', () => {
const signer = new IAMSigner(new AuthorizedHttpClient(mockApp), 'test-service-account');
return signer.getAccountId().should.eventually.equal('test-service-account');
it('should return the service account from the app', () => {
const signer = new IAMSigner(new AuthorizedHttpClient(mockApp), mockApp);
return signer.getAccountId().should.eventually.equal('foo@project_id.iam.gserviceaccount.com');
});
});

Expand Down
Loading