feat(auth): Support for verifying tenant-scoped session cookies (#232)

* feat(auth): Implemented support for verifying tenant-scoped session cookies

* fix: Removing unused test util method

Author: hiranya911

FirebaseAdmin/FirebaseAdmin.Tests/Auth/AuthBuilder.cs

@@ -66,6 +66,12 @@ private void PopulateArgs(AbstractFirebaseAuth.Args args, TestOptions options)
                 args.IdTokenVerifier = new Lazy<FirebaseTokenVerifier>(
                     this.CreateIdTokenVerifier());
             }
+
+            if (options.SessionCookieVerifier)
+            {
+                args.SessionCookieVerifier = new Lazy<FirebaseTokenVerifier>(
+                    this.CreateSessionCookieVerifier());
+            }
         }
 
         private FirebaseUserManager CreateUserManager(TestOptions options)
@@ -86,5 +92,11 @@ private FirebaseTokenVerifier CreateIdTokenVerifier()
             return FirebaseTokenVerifier.CreateIdTokenVerifier(
                 this.ProjectId, this.KeySource, this.Clock, this.TenantId);
         }
+
+        private FirebaseTokenVerifier CreateSessionCookieVerifier()
+        {
+            return FirebaseTokenVerifier.CreateSessionCookieVerifier(
+                this.ProjectId, this.KeySource, this.Clock, this.TenantId);
+        }
     }
 }

FirebaseAdmin/FirebaseAdmin.Tests/Auth/FirebaseAuthTest.cs

@@ -62,10 +62,9 @@ public async Task UseAfterDelete()
             app.Delete();
 
             Assert.Throws<InvalidOperationException>(() => auth.TokenFactory);
-            await Assert.ThrowsAsync<InvalidOperationException>(
-                async () => await auth.VerifyIdTokenAsync("user"));
-            await Assert.ThrowsAsync<InvalidOperationException>(
-                async () => await auth.SetCustomUserClaimsAsync("user", null));
+            Assert.Throws<InvalidOperationException>(() => auth.IdTokenVerifier);
+            Assert.Throws<InvalidOperationException>(() => auth.SessionCookieVerifier);
+            Assert.Throws<InvalidOperationException>(() => auth.UserManager);
             await Assert.ThrowsAsync<InvalidOperationException>(
                 async () => await auth.GetOidcProviderConfigAsync("oidc.provider"));
             Assert.Throws<InvalidOperationException>(() => auth.TenantManager);
@@ -84,6 +83,7 @@ public void NoTenantId()
 
             Assert.Null(auth.TokenFactory.TenantId);
             Assert.Null(auth.IdTokenVerifier.TenantId);
+            Assert.Null(auth.SessionCookieVerifier.TenantId);
             Assert.Null(auth.UserManager.TenantId);
         }
 

FirebaseAdmin/FirebaseAdmin.Tests/Auth/Jwt/IdTokenVerificationTest.cs

@@ -20,8 +20,6 @@
 using System.Threading.Tasks;
 using FirebaseAdmin.Auth.Tests;
 using FirebaseAdmin.Tests;
-using FirebaseAdmin.Util;
-using Google.Apis.Util;
 using Xunit;
 
 namespace FirebaseAdmin.Auth.Jwt.Tests
@@ -36,9 +34,6 @@ public class IdTokenVerificationTest
 
         private const long ClockSkewSeconds = 5 * 60;
 
-        private static readonly TestOptions WithIdTokenVerifier =
-            new TestOptions { IdTokenVerifier = true };
-
         [Theory]
         [MemberData(nameof(TestConfigs))]
         public async Task ValidToken(TestConfig config)
@@ -148,7 +143,7 @@ public async Task IncorrectAlgorithm(TestConfig config)
         [MemberData(nameof(TestConfigs))]
         public async Task Expired(TestConfig config)
         {
-            var expiryTime = TestConfig.Clock.UnixTimestamp() - (ClockSkewSeconds + 1);
+            var expiryTime = JwtTestUtils.Clock.UnixTimestamp() - (ClockSkewSeconds + 1);
             var payload = new Dictionary<string, object>()
             {
                 { "exp", expiryTime },
@@ -160,15 +155,15 @@ public async Task Expired(TestConfig config)
                 async () => await auth.VerifyIdTokenAsync(idToken));
 
             var expectedMessage = $"Firebase ID token expired at {expiryTime}. "
-                + $"Expected to be greater than {TestConfig.Clock.UnixTimestamp()}.";
+                + $"Expected to be greater than {JwtTestUtils.Clock.UnixTimestamp()}.";
             this.CheckException(exception, expectedMessage, AuthErrorCode.ExpiredIdToken);
         }
 
         [Theory]
         [MemberData(nameof(TestConfigs))]
         public async Task ExpiryTimeInAcceptableRange(TestConfig config)
         {
-            var expiryTimeSeconds = TestConfig.Clock.UnixTimestamp() - ClockSkewSeconds;
+            var expiryTimeSeconds = JwtTestUtils.Clock.UnixTimestamp() - ClockSkewSeconds;
             var payload = new Dictionary<string, object>()
             {
                 { "exp", expiryTimeSeconds },
@@ -178,15 +173,14 @@ public async Task ExpiryTimeInAcceptableRange(TestConfig config)
 
             var decoded = await auth.VerifyIdTokenAsync(idToken);
 
-            Assert.Equal("testuser", decoded.Uid);
-            Assert.Equal(expiryTimeSeconds, decoded.ExpirationTimeSeconds);
+            config.AssertFirebaseToken(decoded, payload);
         }
 
         [Theory]
         [MemberData(nameof(TestConfigs))]
         public async Task InvalidIssuedAt(TestConfig config)
         {
-            var issuedAt = TestConfig.Clock.UnixTimestamp() + (ClockSkewSeconds + 1);
+            var issuedAt = JwtTestUtils.Clock.UnixTimestamp() + (ClockSkewSeconds + 1);
             var payload = new Dictionary<string, object>()
             {
                 { "iat", issuedAt },
@@ -205,7 +199,7 @@ public async Task InvalidIssuedAt(TestConfig config)
         [MemberData(nameof(TestConfigs))]
         public async Task IssuedAtInAcceptableRange(TestConfig config)
         {
-            var issuedAtSeconds = TestConfig.Clock.UnixTimestamp() + ClockSkewSeconds;
+            var issuedAtSeconds = JwtTestUtils.Clock.UnixTimestamp() + ClockSkewSeconds;
             var payload = new Dictionary<string, object>()
             {
                 { "iat", issuedAtSeconds },
@@ -215,8 +209,7 @@ public async Task IssuedAtInAcceptableRange(TestConfig config)
 
             var decoded = await auth.VerifyIdTokenAsync(idToken);
 
-            Assert.Equal("testuser", decoded.Uid);
-            Assert.Equal(issuedAtSeconds, decoded.IssuedAtTimeSeconds);
+            config.AssertFirebaseToken(decoded, payload);
         }
 
         [Theory]
@@ -260,6 +253,21 @@ public async Task CustomToken(TestConfig config)
             this.CheckException(exception, expectedMessage);
         }
 
+        [Theory]
+        [MemberData(nameof(TestConfigs))]
+        public async Task SessionCookie(TestConfig config)
+        {
+            var tokenBuilder = JwtTestUtils.SessionCookieBuilder(config.TenantId);
+            var sessionCookie = await tokenBuilder.CreateTokenAsync();
+            var auth = config.CreateAuth();
+
+            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
+                async () => await auth.VerifyIdTokenAsync(sessionCookie));
+
+            var expectedMessage = "Firebase ID token has incorrect issuer (iss) claim.";
+            this.CheckException(exception, expectedMessage);
+        }
+
         [Theory]
         [MemberData(nameof(TestConfigs))]
         public async Task InvalidAudience(TestConfig config)
@@ -327,7 +335,7 @@ public async Task RevokedToken(TestConfig config)
                     ""users"": [
                         {{
                             ""localId"": ""testuser"",
-                            ""validSince"": {TestConfig.Clock.UnixTimestamp()}
+                            ""validSince"": {JwtTestUtils.Clock.UnixTimestamp()}
                         }}
                     ]
                 }}",
@@ -345,7 +353,7 @@ public async Task RevokedToken(TestConfig config)
             var expectedMessage = "Firebase ID token has been revoked.";
             this.CheckException(exception, expectedMessage, AuthErrorCode.RevokedIdToken);
             Assert.Equal(1, handler.Calls);
-            config.AssertRequest("accounts:lookup", handler.Requests[0]);
+            JwtTestUtils.AssertRevocationCheckRequest(config.TenantId, handler.Requests[0].Url);
         }
 
         [Theory]
@@ -369,7 +377,7 @@ public async Task ValidUnrevokedToken(TestConfig config)
 
             Assert.Equal("testuser", decoded.Uid);
             Assert.Equal(1, handler.Calls);
-            config.AssertRequest("accounts:lookup", handler.Requests[0]);
+            JwtTestUtils.AssertRevocationCheckRequest(config.TenantId, handler.Requests[0].Url);
         }
 
         [Theory]
@@ -395,7 +403,7 @@ public async Task CheckRevokedError(TestConfig config)
             Assert.Null(exception.InnerException);
             Assert.NotNull(exception.HttpResponse);
             Assert.Equal(1, handler.Calls);
-            config.AssertRequest("accounts:lookup", handler.Requests[0]);
+            JwtTestUtils.AssertRevocationCheckRequest(config.TenantId, handler.Requests[0].Url);
         }
 
         [Theory]
@@ -434,30 +442,6 @@ public async Task TenantIdMismatch(TestConfig config)
             this.CheckException(exception, expectedMessage, AuthErrorCode.TenantIdMismatch);
         }
 
-        // TODO(hkj): Remove the following method once the session cookie tests have been
-        // refactored.
-
-        /// <summary>
-        /// Creates a mock ID token for testing purposes. By default the created token has an issue
-        /// time 10 minutes ago, and an expirty time 50 minutes into the future. All header and
-        /// payload claims can be overridden if needed.
-        /// </summary>
-        internal static async Task<string> CreateTestTokenAsync(
-            Dictionary<string, object> headerOverrides = null,
-            Dictionary<string, object> payloadOverrides = null)
-        {
-            var tokenBuilder = new MockTokenBuilder
-                {
-                    ProjectId = TestConfig.ProjectId,
-                    Clock = TestConfig.Clock,
-                    Signer = JwtTestUtils.DefaultSigner,
-                    IssuerPrefix = "https://securetoken.google.com",
-                    Uid = "testuser",
-                };
-            return await tokenBuilder.CreateTokenAsync(
-                headerOverrides, payloadOverrides);
-        }
-
         private void CheckException(
             FirebaseAuthException exception,
             string prefix,
@@ -472,36 +456,17 @@ private void CheckException(
 
         public class TestConfig
         {
-            internal const string ProjectId = "test-project";
-
-            internal static readonly IClock Clock = new MockClock();
-
-            private readonly string tenantId;
             private readonly AuthBuilder authBuilder;
             private readonly MockTokenBuilder tokenBuilder;
 
             private TestConfig(string tenantId = null)
             {
-                this.tenantId = tenantId;
-                this.authBuilder = new AuthBuilder
-                {
-                    ProjectId = ProjectId,
-                    Clock = Clock,
-                    KeySource = JwtTestUtils.DefaultKeySource,
-                    RetryOptions = RetryOptions.NoBackOff,
-                    TenantId = tenantId,
-                };
-                this.tokenBuilder = new MockTokenBuilder
-                {
-                    ProjectId = ProjectId,
-                    Clock = Clock,
-                    Signer = JwtTestUtils.DefaultSigner,
-                    IssuerPrefix = "https://securetoken.google.com",
-                    Uid = "testuser",
-                    TenantId = this.tenantId,
-                };
+                this.tokenBuilder = JwtTestUtils.IdTokenBuilder(tenantId);
+                this.authBuilder = JwtTestUtils.AuthBuilderForTokenVerification(tenantId);
             }
 
+            public string TenantId => this.authBuilder.TenantId;
+
             public static TestConfig ForFirebaseAuth()
             {
                 return new TestConfig();
@@ -534,14 +499,6 @@ public void AssertFirebaseToken(
             {
                 this.tokenBuilder.AssertFirebaseToken(token, expectedClaims);
             }
-
-            internal void AssertRequest(
-                string expectedSuffix, MockMessageHandler.IncomingRequest request)
-            {
-                var tenantInfo = this.tenantId != null ? $"/tenants/{this.tenantId}" : string.Empty;
-                var expectedPath = $"/v1/projects/{ProjectId}{tenantInfo}/{expectedSuffix}";
-                Assert.Equal(expectedPath, request.Url.PathAndQuery);
-            }
         }
     }
 }

FirebaseAdmin/FirebaseAdmin.Tests/Auth/Jwt/JwtTestUtils.cs

@@ -12,25 +12,80 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+using System;
 using System.Collections.Generic;
 using System.Collections.Immutable;
 using System.IO;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
+using FirebaseAdmin.Auth.Tests;
+using FirebaseAdmin.Tests;
+using FirebaseAdmin.Util;
 using Google.Apis.Auth.OAuth2;
+using Google.Apis.Util;
+using Xunit;
 
 namespace FirebaseAdmin.Auth.Jwt.Tests
 {
     public sealed class JwtTestUtils
     {
+        internal const string ProjectId = "test-project";
+
+        internal static readonly IClock Clock = new MockClock();
+
         internal static readonly IPublicKeySource DefaultKeySource = new FileSystemPublicKeySource(
             "./resources/public_cert.pem");
 
         internal static readonly ISigner DefaultSigner = CreateTestSigner(
             "./resources/service_account.json");
 
+        public static AuthBuilder AuthBuilderForTokenVerification(string tenantId = null)
+        {
+            return new AuthBuilder
+            {
+                ProjectId = ProjectId,
+                Clock = Clock,
+                KeySource = DefaultKeySource,
+                RetryOptions = RetryOptions.NoBackOff,
+                TenantId = tenantId,
+            };
+        }
+
+        public static MockTokenBuilder IdTokenBuilder(string tenantId = null)
+        {
+            return new MockTokenBuilder
+            {
+                ProjectId = ProjectId,
+                Clock = Clock,
+                Signer = JwtTestUtils.DefaultSigner,
+                IssuerPrefix = "https://securetoken.google.com",
+                Uid = "testuser",
+                TenantId = tenantId,
+            };
+        }
+
+        public static MockTokenBuilder SessionCookieBuilder(string tenantId = null)
+        {
+            return new MockTokenBuilder
+            {
+                ProjectId = ProjectId,
+                Clock = Clock,
+                Signer = JwtTestUtils.DefaultSigner,
+                IssuerPrefix = "https://session.firebase.google.com",
+                Uid = "testuser",
+                TenantId = tenantId,
+            };
+        }
+
+        public static void AssertRevocationCheckRequest(string tenantId, Uri uri)
+        {
+            var tenantInfo = tenantId != null ? $"/tenants/{tenantId}" : string.Empty;
+            var expectedPath = $"/v1/projects/{ProjectId}{tenantInfo}/accounts:lookup";
+            Assert.Equal(expectedPath, uri.PathAndQuery);
+        }
+
         private static ISigner CreateTestSigner(string filePath)
         {
             var credential = GoogleCredential.FromFile(filePath);