fix(auth): Support verifying tenant ID tokens in FirebaseAuth (#475)

hiranya911 · web-flow · commit 062223d527c9 · 2020-08-31T10:51:26.000-07:00
* fix(auth): Support verifying tenant ID tokens in FirebaseAuth

* fix: Fixing the error message for null tenant ID
diff --git a/src/main/java/com/google/firebase/auth/FirebaseTokenVerifierImpl.java b/src/main/java/com/google/firebase/auth/FirebaseTokenVerifierImpl.java
@@ -71,7 +71,7 @@ private FirebaseTokenVerifierImpl(Builder builder) {
     this.docUrl = builder.docUrl;
     this.invalidTokenErrorCode = checkNotNull(builder.invalidTokenErrorCode);
     this.expiredTokenErrorCode = checkNotNull(builder.expiredTokenErrorCode);
-    this.tenantId = Strings.nullToEmpty(builder.tenantId);
+    this.tenantId = builder.tenantId;
   }
 
   /**
@@ -323,11 +323,11 @@ private boolean containsLegacyUidField(IdToken.Payload payload) {
   }
 
   private void checkTenantId(final FirebaseToken firebaseToken) throws FirebaseAuthException {
-    String tokenTenantId = Strings.nullToEmpty(firebaseToken.getTenantId());
-    if (!this.tenantId.equals(tokenTenantId)) {
+    String tokenTenantId = firebaseToken.getTenantId();
+    if (this.tenantId != null && !this.tenantId.equals(tokenTenantId)) {
       String message = String.format(
           "The tenant ID ('%s') of the token did not match the expected value ('%s')",
-          tokenTenantId,
+          Strings.nullToEmpty(tokenTenantId),
           tenantId);
       throw newException(message, AuthErrorCode.TENANT_ID_MISMATCH);
     }
diff --git a/src/test/java/com/google/firebase/FirebaseAppTest.java b/src/test/java/com/google/firebase/FirebaseAppTest.java
@@ -66,7 +66,7 @@
 import org.junit.Test;
 import org.mockito.Mockito;
 
-/** 
+/**
  * Unit tests for {@link com.google.firebase.FirebaseApp}.
  */
 public class FirebaseAppTest {
@@ -472,16 +472,16 @@ public void testAppWithAuthVariableOverrides() {
   public void testEmptyFirebaseConfigFile() {
     setFirebaseConfigEnvironmentVariable("firebase_config_empty.json");
     FirebaseApp.initializeApp();
-  }  
-  
+  }
+
   @Test
   public void testEmptyFirebaseConfigString() {
     setFirebaseConfigEnvironmentVariable("");
     FirebaseApp firebaseApp = FirebaseApp.initializeApp();
     assertNull(firebaseApp.getOptions().getProjectId());
     assertNull(firebaseApp.getOptions().getStorageBucket());
     assertNull(firebaseApp.getOptions().getDatabaseUrl());
-    assertTrue(firebaseApp.getOptions().getDatabaseAuthVariableOverride().isEmpty()); 
+    assertTrue(firebaseApp.getOptions().getDatabaseAuthVariableOverride().isEmpty());
   }
 
   @Test
@@ -542,20 +542,20 @@ public void testEnvironmentVariableIgnored() {
 
   @Test
   public void testValidFirebaseConfigString() {
-    setFirebaseConfigEnvironmentVariable("{" 
-        + "\"databaseAuthVariableOverride\": {" 
-        +   "\"uid\":" 
-        +   "\"testuser\"" 
-        + "}," 
-        + "\"databaseUrl\": \"https://hipster-chat.firebaseio.mock\"," 
-        + "\"projectId\": \"hipster-chat-mock\"," 
-        + "\"storageBucket\": \"hipster-chat.appspot.mock\"" 
+    setFirebaseConfigEnvironmentVariable("{"
+        + "\"databaseAuthVariableOverride\": {"
+        +   "\"uid\":"
+        +   "\"testuser\""
+        + "},"
+        + "\"databaseUrl\": \"https://hipster-chat.firebaseio.mock\","
+        + "\"projectId\": \"hipster-chat-mock\","
+        + "\"storageBucket\": \"hipster-chat.appspot.mock\""
         + "}");
     FirebaseApp firebaseApp = FirebaseApp.initializeApp();
     assertEquals("hipster-chat-mock", firebaseApp.getOptions().getProjectId());
     assertEquals("hipster-chat.appspot.mock", firebaseApp.getOptions().getStorageBucket());
     assertEquals("https://hipster-chat.firebaseio.mock", firebaseApp.getOptions().getDatabaseUrl());
-    assertEquals("testuser", 
+    assertEquals("testuser",
         firebaseApp.getOptions().getDatabaseAuthVariableOverride().get("uid"));
   }
 
diff --git a/src/test/java/com/google/firebase/auth/FirebaseTokenVerifierImplTest.java b/src/test/java/com/google/firebase/auth/FirebaseTokenVerifierImplTest.java
@@ -328,6 +328,17 @@ public void testMalformedToken() {
 
   @Test
   public void testVerifyTokenWithTenantId() throws FirebaseAuthException {
+    FirebaseTokenVerifierImpl verifier = fullyPopulatedBuilder().build();
+
+    FirebaseToken firebaseToken = verifier.verifyToken(createTokenWithTenantId("TENANT_1"));
+
+    assertEquals(TEST_TOKEN_ISSUER, firebaseToken.getIssuer());
+    assertEquals(TestTokenFactory.UID, firebaseToken.getUid());
+    assertEquals("TENANT_1", firebaseToken.getTenantId());
+  }
+
+  @Test
+  public void testVerifyTokenWithMatchingTenantId() throws FirebaseAuthException {
     FirebaseTokenVerifierImpl verifier = fullyPopulatedBuilder()
         .setTenantId("TENANT_1")
         .build();
@@ -341,11 +352,13 @@ public void testVerifyTokenWithTenantId() throws FirebaseAuthException {
 
   @Test
   public void testVerifyTokenDifferentTenantIds() {
-    try {
-      fullyPopulatedBuilder()
+    FirebaseTokenVerifierImpl verifier = fullyPopulatedBuilder()
         .setTenantId("TENANT_1")
-        .build()
-        .verifyToken(createTokenWithTenantId("TENANT_2"));
+        .build();
+    String token = createTokenWithTenantId("TENANT_2");
+
+    try {
+      verifier.verifyToken(token);
     } catch (FirebaseAuthException e) {
       assertEquals(AuthErrorCode.TENANT_ID_MISMATCH, e.getAuthErrorCode());
       assertEquals(
@@ -354,6 +367,23 @@ public void testVerifyTokenDifferentTenantIds() {
     }
   }
 
+  @Test
+  public void testVerifyTokenNoTenantId() {
+    FirebaseTokenVerifierImpl verifier = fullyPopulatedBuilder()
+        .setTenantId("TENANT_1")
+        .build();
+    String token = tokenFactory.createToken();
+
+    try {
+      verifier.verifyToken(token);
+    } catch (FirebaseAuthException e) {
+      assertEquals(AuthErrorCode.TENANT_ID_MISMATCH, e.getAuthErrorCode());
+      assertEquals(
+          "The tenant ID ('') of the token did not match the expected value ('TENANT_1')",
+          e.getMessage());
+    }
+  }
+
   @Test
   public void testVerifyTokenMissingTenantId() {
     try {
diff --git a/src/test/java/com/google/firebase/auth/multitenancy/TenantAwareFirebaseAuthIT.java b/src/test/java/com/google/firebase/auth/multitenancy/TenantAwareFirebaseAuthIT.java
@@ -261,6 +261,11 @@ public void testVerifyTokenWithWrongTenantAwareClient() throws Exception {
       assertEquals(AuthErrorCode.TENANT_ID_MISMATCH,
           ((FirebaseAuthException) e.getCause()).getAuthErrorCode());
     }
+
+    // Verifies with FirebaseAuth
+    FirebaseToken decoded = FirebaseAuth.getInstance().verifyIdToken(idToken);
+    assertEquals("user", decoded.getUid());
+    assertEquals(tenantId, decoded.getTenantId());
   }
 
   @Test

Original file line number	Diff line number	Diff line change
`@@ -261,6 +261,11 @@ public void testVerifyTokenWithWrongTenantAwareClient() throws Exception {`
`261`	`261`	`assertEquals(AuthErrorCode.TENANT_ID_MISMATCH,`
`262`	`262`	`((FirebaseAuthException) e.getCause()).getAuthErrorCode());`
`263`	`263`	`}`
	`264`	`+`
	`265`	`+ // Verifies with FirebaseAuth`
	`266`	`+ FirebaseToken decoded = FirebaseAuth.getInstance().verifyIdToken(idToken);`
	`267`	`+ assertEquals("user", decoded.getUid());`
	`268`	`+ assertEquals(tenantId, decoded.getTenantId());`
`264`	`269`	`}`
`265`	`270`
`266`	`271`	`@Test`