Support for creating custom tokens without service account credentials #285
Conversation
|
Resolves #224 |
src/auth/auth.ts
Outdated
| @@ -26,6 +26,7 @@ import { | |||
|
|
|||
| import * as utils from '../utils/index'; | |||
| import * as validator from '../utils/validator'; | |||
| import { FirebaseTokenVerifier, newSessionCookieVerifier, newIdTokenVerifier } from './token-verifier'; | |||
There was a problem hiding this comment.
Rename newSessionCookieVerifier and newIdTokenVerifier to createSessionCookieVerifier and createIdTokenVerifier.
src/auth/token-generator.ts
Outdated
| ); | ||
| } | ||
|
|
||
| public sign(buffer: Buffer): Promise<Buffer> { |
There was a problem hiding this comment.
Add javadoc descriptions to all function declarations.
src/auth/token-generator.ts
Outdated
| * Cryptographically signs a buffer of data. | ||
| * | ||
| * @param {Buffer} buffer The data to be signed. | ||
| * @returns {Promise<object>} A promise that resolves with a base64-encoded signature. |
src/auth/token-generator.ts
Outdated
| * | ||
| * @returns {Promise<string>} A promise that resolves with a service account ID. | ||
| */ | ||
| getAccount(): Promise<string>; |
src/auth/token-verifier.ts
Outdated
| /** | ||
| * Creates a new FirebaseTokenVerifier to verify Firebase ID tokens. | ||
| * | ||
| * @param projectId Project ID string. |
There was a problem hiding this comment.
* @param {string} projectId Project ID string.
* @return {FirebaseTokenVerifier}
|
|
||
| it('resolves when underlying idTokenVerifier.verifyJWT() resolves with expected result', () => { | ||
| idTokenVerifier.verifyJWT.withArgs(idToken).returns(Promise.resolve(decodedIdToken)); | ||
| const auth = new Auth(mocks.app()); |
There was a problem hiding this comment.
same here. these tests should not depend on Auth.
There was a problem hiding this comment.
These tests basically check the verifyIdToken() and verifySessionCookie() methods on Auth. They are better off in auth.spec.
| }).to.throw('Must provide a HTTP client to initialize IAMSigner'); | ||
| }); | ||
|
|
||
| describe('explicit service account', () => { |
There was a problem hiding this comment.
'explicit service account id'
|
|
||
| describe('explicit service account', () => { | ||
| const response = {signature: Buffer.from('testsignature').toString('base64')}; | ||
| const input = Buffer.from('base64'); |
There was a problem hiding this comment.
first encoding argument of toString() and the second argument of Buffer.from is `base64' making this confusing. Change to 'base64string' or something different.
There was a problem hiding this comment.
Changed to input
| }); | ||
|
|
||
| describe('auto discovered service account', () => { | ||
| const input = Buffer.from('base64'); |
There was a problem hiding this comment.
Same here on 'base64' first argument.
| }); | ||
| }); | ||
|
|
||
| it('should return the discovered service account', () => { |
There was a problem hiding this comment.
Add a test when getAccount() rejects with an error and confirm expected error.
|
I'm posting a decoded custom token generated against the master branch and this branch for comparison. Notice that other than the order of some claims (which has no significance in JSON and JWT), nothing has changed. During the last code review round I noticed that the Tokens decoded via https://jwt.io/ JWT HeaderBefore: After: JWT BodyBefore: After: |
|
Resolves #224 |
Currently the SDK must be initialized with service account credentials in order to be able to call FirebaseAuth.createCustomToken(). With this PR, the SDK will attempt to sign custom tokens by calling the IAM service in the cloud when the service account credentials are not provided.
As a part of this implementation I'm also refactoring the existing
FirebaseTokenGeneratorabstraction by removing all the token verification logic out of it.go/firebase-admin-sign
go/firebase-admin-iam-sign