Async API to determine project ID (#715)

Author: hiranya911

src/auth/auth.ts

@@ -105,11 +105,8 @@ export class BaseAuth<T extends AbstractAuthRequestHandler> {
   constructor(app: FirebaseApp, protected readonly authRequestHandler: T) {
     const cryptoSigner = cryptoSignerFromApp(app);
     this.tokenGenerator = new FirebaseTokenGenerator(cryptoSigner);
-
-    const projectId = utils.getProjectId(app);
-    const httpAgent = app.options.httpAgent;
-    this.sessionCookieVerifier = createSessionCookieVerifier(projectId, httpAgent);
-    this.idTokenVerifier = createIdTokenVerifier(projectId, httpAgent);
+    this.sessionCookieVerifier = createSessionCookieVerifier(app);
+    this.idTokenVerifier = createIdTokenVerifier(app);
   }
 
   /**

src/auth/token-verifier.ts

@@ -16,11 +16,12 @@
 
 import {AuthClientErrorCode, FirebaseAuthError, ErrorInfo} from '../utils/error';
 
+import * as util from '../utils/index';
 import * as validator from '../utils/validator';
 import * as jwt from 'jsonwebtoken';
 import { HttpClient, HttpRequestConfig, HttpError } from '../utils/api-request';
 import { DecodedIdToken } from './auth';
-import { Agent } from 'http';
+import { FirebaseApp } from '../firebase-app';
 
 // Audience to use for Firebase Auth Custom tokens
 const FIREBASE_AUDIENCE = 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';
@@ -75,9 +76,8 @@ export class FirebaseTokenVerifier {
   private readonly shortNameArticle: string;
 
   constructor(private clientCertUrl: string, private algorithm: string,
-              private issuer: string, private projectId: string | null,
-              private tokenInfo: FirebaseTokenInfo,
-              private readonly httpAgent?: Agent) {
+              private issuer: string, private tokenInfo: FirebaseTokenInfo,
+              private readonly app: FirebaseApp) {
     if (!validator.isURL(clientCertUrl)) {
       throw new FirebaseAuthError(
         AuthClientErrorCode.INVALID_ARGUMENT,
@@ -144,7 +144,14 @@ export class FirebaseTokenVerifier {
       );
     }
 
-    if (!validator.isNonEmptyString(this.projectId)) {
+    return util.findProjectId(this.app)
+      .then((projectId) => {
+        return this.verifyJWTWithProjectId(jwtToken, projectId);
+      });
+  }
+
+  private verifyJWTWithProjectId(jwtToken: string, projectId: string | null): Promise<DecodedIdToken> {
+    if (!validator.isNonEmptyString(projectId)) {
       throw new FirebaseAuthError(
         AuthClientErrorCode.INVALID_CREDENTIAL,
         `Must initialize app with a cert credential or set your Firebase project ID as the ` +
@@ -186,13 +193,13 @@ export class FirebaseTokenVerifier {
     } else if (header.alg !== this.algorithm) {
       errorMessage = `${this.tokenInfo.jwtName} has incorrect algorithm. Expected "` + this.algorithm + `" but got ` +
         `"` + header.alg + `".` + verifyJwtTokenDocsMessage;
-    } else if (payload.aud !== this.projectId) {
+    } else if (payload.aud !== projectId) {
       errorMessage = `${this.tokenInfo.jwtName} has incorrect "aud" (audience) claim. Expected "` +
-        this.projectId + `" but got "` + payload.aud + `".` + projectIdMatchMessage +
+        projectId + `" but got "` + payload.aud + `".` + projectIdMatchMessage +
         verifyJwtTokenDocsMessage;
-    } else if (payload.iss !== this.issuer + this.projectId) {
+    } else if (payload.iss !== this.issuer + projectId) {
       errorMessage = `${this.tokenInfo.jwtName} has incorrect "iss" (issuer) claim. Expected ` +
-        `"${this.issuer}"` + this.projectId + `" but got "` +
+        `"${this.issuer}"` + projectId + `" but got "` +
         payload.iss + `".` + projectIdMatchMessage + verifyJwtTokenDocsMessage;
     } else if (typeof payload.sub !== 'string') {
       errorMessage = `${this.tokenInfo.jwtName} has no "sub" (subject) claim.` + verifyJwtTokenDocsMessage;
@@ -284,7 +291,7 @@ export class FirebaseTokenVerifier {
     const request: HttpRequestConfig = {
       method: 'GET',
       url: this.clientCertUrl,
-      httpAgent: this.httpAgent,
+      httpAgent: this.app.options.httpAgent,
     };
     return client.send(request).then((resp) => {
       if (!resp.isJson() || resp.data.error) {
@@ -327,35 +334,31 @@ export class FirebaseTokenVerifier {
 /**
  * Creates a new FirebaseTokenVerifier to verify Firebase ID tokens.
  *
- * @param {string} projectId Project ID string.
- * @param {Agent} httpAgent Optional HTTP agent.
+ * @param {FirebaseApp} app Firebase app instance.
  * @return {FirebaseTokenVerifier}
  */
-export function createIdTokenVerifier(projectId: string | null, httpAgent?: Agent): FirebaseTokenVerifier {
+export function createIdTokenVerifier(app: FirebaseApp): FirebaseTokenVerifier {
   return new FirebaseTokenVerifier(
-      CLIENT_CERT_URL,
-      ALGORITHM_RS256,
-      'https://securetoken.google.com/',
-      projectId,
-      ID_TOKEN_INFO,
-      httpAgent,
+    CLIENT_CERT_URL,
+    ALGORITHM_RS256,
+    'https://securetoken.google.com/',
+    ID_TOKEN_INFO,
+    app,
   );
 }
 
 /**
  * Creates a new FirebaseTokenVerifier to verify Firebase session cookies.
  *
- * @param {string} projectId Project ID string.
- * @param {Agent} httpAgent Optional HTTP agent.
+ * @param {FirebaseApp} app Firebase app instance.
  * @return {FirebaseTokenVerifier}
  */
-export function createSessionCookieVerifier(projectId: string | null, httpAgent?: Agent): FirebaseTokenVerifier {
+export function createSessionCookieVerifier(app: FirebaseApp): FirebaseTokenVerifier {
   return new FirebaseTokenVerifier(
     SESSION_COOKIE_CERT_URL,
     ALGORITHM_RS256,
     'https://session.firebase.google.com/',
-    projectId,
     SESSION_COOKIE_INFO,
-    httpAgent,
+    app,
   );
 }

src/utils/index.ts

@@ -81,6 +81,20 @@ export function getProjectId(app: FirebaseApp): string | null {
   return null;
 }
 
+/**
+ * Determines the Google Cloud project ID associated with a Firebase app by examining
+ * the Firebase app options, credentials and the local environment in that order. This
+ * is an async wrapper of the getProjectId method. This enables us to migrate the rest
+ * of the SDK into asynchronously determining the current project ID. See b/143090254.
+ *
+ * @param {FirebaseApp} app A Firebase app to get the project ID from.
+ *
+ * @return {Promise<string | null>} A project ID string or null.
+ */
+export function findProjectId(app: FirebaseApp): Promise<string | null> {
+  return Promise.resolve(getProjectId(app));
+}
+
 /**
  * Encodes data using web-safe-base64.
  *

test/unit/auth/auth.spec.ts

@@ -387,22 +387,20 @@ AUTH_CONFIGS.forEach((testConfig) => {
       }
     });
 
-    it('verifyIdToken() should throw when project ID is not specified', () => {
+    it('verifyIdToken() should reject when project ID is not specified', () => {
       const mockCredentialAuth = testConfig.init(mocks.mockCredentialApp());
       const expected = 'Must initialize app with a cert credential or set your Firebase project ID ' +
         'as the GOOGLE_CLOUD_PROJECT environment variable to call verifyIdToken().';
-      expect(() => {
-        mockCredentialAuth.verifyIdToken(mocks.generateIdToken());
-      }).to.throw(expected);
+      return mockCredentialAuth.verifyIdToken(mocks.generateIdToken())
+        .should.eventually.be.rejectedWith(expected);
     });
 
-    it('verifySessionCookie() should throw when project ID is not specified', () => {
+    it('verifySessionCookie() should reject when project ID is not specified', () => {
       const mockCredentialAuth = testConfig.init(mocks.mockCredentialApp());
       const expected = 'Must initialize app with a cert credential or set your Firebase project ID ' +
         'as the GOOGLE_CLOUD_PROJECT environment variable to call verifySessionCookie().';
-      expect(() => {
-        mockCredentialAuth.verifySessionCookie(mocks.generateSessionCookie());
-      }).to.throw(expected);
+      return mockCredentialAuth.verifySessionCookie(mocks.generateSessionCookie())
+        .should.eventually.be.rejectedWith(expected);
     });
 
     describe('verifyIdToken()', () => {