Add support for FAC limited use tokens in HTTPS callables (#5000)

* Implementation of FAC limited-use tokens in callable functions SDK

* changelog

* copyright

* API txt

* PR feedback

* PR feeback

Author: sam-gc

firebase-functions/CHANGELOG.md

@@ -1,5 +1,5 @@
 # Unreleased
-
+* [changed] Added support for App Check limited-use tokens in HTTPS Callable Functions.
 
 # 20.3.0
 * [changed] Internal changes to ensure alignment with other SDK releases.

firebase-functions/api.txt

@@ -3,7 +3,9 @@ package com.google.firebase.functions {
 
   public class FirebaseFunctions {
     method @NonNull public com.google.firebase.functions.HttpsCallableReference getHttpsCallable(@NonNull String);
+    method @NonNull public com.google.firebase.functions.HttpsCallableReference getHttpsCallable(@NonNull String, @NonNull com.google.firebase.functions.HttpsCallableOptions);
     method @NonNull public com.google.firebase.functions.HttpsCallableReference getHttpsCallableFromUrl(@NonNull java.net.URL);
+    method @NonNull public com.google.firebase.functions.HttpsCallableReference getHttpsCallableFromUrl(@NonNull java.net.URL, @NonNull com.google.firebase.functions.HttpsCallableOptions);
     method @NonNull public static com.google.firebase.functions.FirebaseFunctions getInstance(@NonNull com.google.firebase.FirebaseApp, @NonNull String);
     method @NonNull public static com.google.firebase.functions.FirebaseFunctions getInstance(@NonNull com.google.firebase.FirebaseApp);
     method @NonNull public static com.google.firebase.functions.FirebaseFunctions getInstance(@NonNull String);
@@ -37,6 +39,17 @@ package com.google.firebase.functions {
     enum_constant public static final com.google.firebase.functions.FirebaseFunctionsException.Code UNKNOWN;
   }
 
+  public class HttpsCallableOptions {
+    method public boolean getLimitedUseAppCheckTokens();
+  }
+
+  public static class HttpsCallableOptions.Builder {
+    ctor public HttpsCallableOptions.Builder();
+    method @NonNull public com.google.firebase.functions.HttpsCallableOptions build();
+    method public boolean getLimitedUseAppCheckTokens();
+    method @NonNull public com.google.firebase.functions.HttpsCallableOptions.Builder setLimitedUseAppCheckTokens(boolean);
+  }
+
   public class HttpsCallableReference {
     method @NonNull public com.google.android.gms.tasks.Task<com.google.firebase.functions.HttpsCallableResult> call(@Nullable Object);
     method @NonNull public com.google.android.gms.tasks.Task<com.google.firebase.functions.HttpsCallableResult> call();

firebase-functions/src/androidTest/backend/functions/index.js

@@ -64,6 +64,12 @@ exports.appCheckTest = functions.https.onRequest((request, response) => {
   response.send({data: {}});
 });
 
+exports.appCheckLimitedUseTest = functions.https.onRequest((request, response) => {
+  assert.equal(request.get('X-Firebase-AppCheck'), 'appCheck-limited-use');
+  assert.deepEqual(request.body, {data: {}});
+  response.send({data: {}});
+});
+
 exports.nullTest = functions.https.onRequest((request, response) => {
   assert.deepEqual(request.body, {data: null});
   response.send({data: null});

firebase-functions/src/androidTest/java/com/google/firebase/functions/CallTest.java

@@ -88,7 +88,7 @@ public void testToken() throws InterruptedException, ExecutionException {
             app.getApplicationContext(),
             app.getOptions().getProjectId(),
             "us-central1",
-            () -> {
+            (unused) -> {
               HttpsCallableContext context = new HttpsCallableContext("token", null, null);
               return Tasks.forResult(context);
             },
@@ -110,7 +110,7 @@ public void testInstanceId() throws InterruptedException, ExecutionException {
             app.getApplicationContext(),
             app.getOptions().getProjectId(),
             "us-central1",
-            () -> {
+            (unused) -> {
               HttpsCallableContext context = new HttpsCallableContext(null, "iid", null);
               return Tasks.forResult(context);
             },
@@ -132,7 +132,7 @@ public void testAppCheck() throws InterruptedException, ExecutionException {
             app.getApplicationContext(),
             app.getOptions().getProjectId(),
             "us-central1",
-            () -> {
+            (unused) -> {
               HttpsCallableContext context = new HttpsCallableContext(null, null, "appCheck");
               return Tasks.forResult(context);
             },
@@ -146,6 +146,32 @@ public void testAppCheck() throws InterruptedException, ExecutionException {
     assertEquals(new HashMap<>(), actual);
   }
 
+  @Test
+  public void testAppCheckLimitedUse() throws InterruptedException, ExecutionException {
+    // Override the normal token provider to simulate FirebaseAuth being logged in.
+    FirebaseFunctions functions =
+        new FirebaseFunctions(
+            app.getApplicationContext(),
+            app.getOptions().getProjectId(),
+            "us-central1",
+            (unused) -> {
+              HttpsCallableContext context =
+                  new HttpsCallableContext(null, null, "appCheck-limited-use");
+              return Tasks.forResult(context);
+            },
+            TestOnlyExecutors.lite(),
+            TestOnlyExecutors.ui());
+
+    HttpsCallableReference function =
+        functions.getHttpsCallable(
+            "appCheckLimitedUseTest",
+            new HttpsCallableOptions.Builder().setLimitedUseAppCheckTokens(true).build());
+    Task<HttpsCallableResult> result = function.call(new HashMap<>());
+    Object actual = Tasks.await(result).getData();
+
+    assertEquals(new HashMap<>(), actual);
+  }
+
   @Test
   public void testNull() throws InterruptedException, ExecutionException {
     FirebaseFunctions functions = FirebaseFunctions.getInstance(app);

firebase-functions/src/androidTest/java/com/google/firebase/functions/FirebaseContextProviderTest.java

@@ -34,6 +34,8 @@ public class FirebaseContextProviderTest {
   private static final String AUTH_TOKEN = "authToken";
   private static final String IID_TOKEN = "iidToken";
   private static final String APP_CHECK_TOKEN = "appCheckToken";
+
+  private static final String APP_CHECK_LIMITED_USE_TOKEN = "appCheckLimitedUseToken";
   private static final String ERROR = "errorString";
 
   private static final InternalAuthProvider fixedAuthProvider =
@@ -46,9 +48,9 @@ public class FirebaseContextProviderTest {
   private static final FirebaseInstanceIdInternal fixedIidProvider =
       new TestFirebaseInstanceIdInternal(IID_TOKEN);
   private static final InteropAppCheckTokenProvider fixedAppCheckProvider =
-      new TestInteropAppCheckTokenProvider(APP_CHECK_TOKEN);
+      new TestInteropAppCheckTokenProvider(APP_CHECK_TOKEN, APP_CHECK_LIMITED_USE_TOKEN);
   private static final InteropAppCheckTokenProvider errorAppCheckProvider =
-      new TestInteropAppCheckTokenProvider(APP_CHECK_TOKEN, ERROR);
+      new TestInteropAppCheckTokenProvider(APP_CHECK_TOKEN, APP_CHECK_LIMITED_USE_TOKEN, ERROR);
 
   @Test
   public void getContext_whenAuthAndAppCheckAreNotAvailable_shouldContainOnlyIid()
@@ -60,7 +62,7 @@ public void getContext_whenAuthAndAppCheckAreNotAvailable_shouldContainOnlyIid()
             absentDeferred(),
             TestOnlyExecutors.lite());
 
-    HttpsCallableContext context = Tasks.await(contextProvider.getContext());
+    HttpsCallableContext context = Tasks.await(contextProvider.getContext(false));
     assertThat(context.getAuthToken()).isNull();
     assertThat(context.getAppCheckToken()).isNull();
     assertThat(context.getInstanceIdToken()).isEqualTo(IID_TOKEN);
@@ -76,7 +78,7 @@ public void getContext_whenOnlyAuthIsAvailable_shouldContainOnlyAuthTokenAndIid(
             absentDeferred(),
             TestOnlyExecutors.lite());
 
-    HttpsCallableContext context = Tasks.await(contextProvider.getContext());
+    HttpsCallableContext context = Tasks.await(contextProvider.getContext(false));
     assertThat(context.getAuthToken()).isEqualTo(AUTH_TOKEN);
     assertThat(context.getAppCheckToken()).isNull();
     assertThat(context.getInstanceIdToken()).isEqualTo(IID_TOKEN);
@@ -92,7 +94,7 @@ public void getContext_whenOnlyAppCheckIsAvailable_shouldContainOnlyAppCheckToke
             deferredOf(fixedAppCheckProvider),
             TestOnlyExecutors.lite());
 
-    HttpsCallableContext context = Tasks.await(contextProvider.getContext());
+    HttpsCallableContext context = Tasks.await(contextProvider.getContext(false));
     assertThat(context.getAuthToken()).isNull();
     assertThat(context.getAppCheckToken()).isEqualTo(APP_CHECK_TOKEN);
     assertThat(context.getInstanceIdToken()).isEqualTo(IID_TOKEN);
@@ -108,7 +110,7 @@ public void getContext_whenOnlyAuthIsAvailableAndNotSignedIn_shouldContainOnlyIi
             absentDeferred(),
             TestOnlyExecutors.lite());
 
-    HttpsCallableContext context = Tasks.await(contextProvider.getContext());
+    HttpsCallableContext context = Tasks.await(contextProvider.getContext(false));
     assertThat(context.getAuthToken()).isNull();
     assertThat(context.getAppCheckToken()).isNull();
     assertThat(context.getInstanceIdToken()).isEqualTo(IID_TOKEN);
@@ -124,12 +126,44 @@ public void getContext_whenOnlyAppCheckIsAvailableAndHasError_shouldContainOnlyI
             deferredOf(errorAppCheckProvider),
             TestOnlyExecutors.lite());
 
-    HttpsCallableContext context = Tasks.await(contextProvider.getContext());
+    HttpsCallableContext context = Tasks.await(contextProvider.getContext(false));
+    assertThat(context.getAuthToken()).isNull();
+    assertThat(context.getInstanceIdToken()).isEqualTo(IID_TOKEN);
+    assertThat(context.getAppCheckToken()).isNull();
+  }
+
+  @Test
+  public void getContext_facLimitedUse_whenOnlyAppCheckIsAvailableAndHasError_shouldContainOnlyIid()
+      throws ExecutionException, InterruptedException {
+    FirebaseContextProvider contextProvider =
+        new FirebaseContextProvider(
+            absentProvider(),
+            providerOf(fixedIidProvider),
+            deferredOf(errorAppCheckProvider),
+            TestOnlyExecutors.lite());
+
+    HttpsCallableContext context = Tasks.await(contextProvider.getContext(true));
     assertThat(context.getAuthToken()).isNull();
     assertThat(context.getInstanceIdToken()).isEqualTo(IID_TOKEN);
     assertThat(context.getAppCheckToken()).isNull();
   }
 
+  @Test
+  public void getContext_facLimitedUse_whenOnlyAppCheckIsAvailable_shouldContainToken()
+      throws ExecutionException, InterruptedException {
+    FirebaseContextProvider contextProvider =
+        new FirebaseContextProvider(
+            absentProvider(),
+            providerOf(fixedIidProvider),
+            deferredOf(fixedAppCheckProvider),
+            TestOnlyExecutors.lite());
+
+    HttpsCallableContext context = Tasks.await(contextProvider.getContext(true));
+    assertThat(context.getAuthToken()).isNull();
+    assertThat(context.getInstanceIdToken()).isEqualTo(IID_TOKEN);
+    assertThat(context.getAppCheckToken()).isEqualTo(APP_CHECK_LIMITED_USE_TOKEN);
+  }
+
   @Test
   public void getContext_whenAuthAndAppCheckAreAvailable_shouldContainAuthAppCheckTokensAndIid()
       throws ExecutionException, InterruptedException {
@@ -140,7 +174,7 @@ public void getContext_whenAuthAndAppCheckAreAvailable_shouldContainAuthAppCheck
             deferredOf(fixedAppCheckProvider),
             TestOnlyExecutors.lite());
 
-    HttpsCallableContext context = Tasks.await(contextProvider.getContext());
+    HttpsCallableContext context = Tasks.await(contextProvider.getContext(false));
     assertThat(context.getAuthToken()).isEqualTo(AUTH_TOKEN);
     assertThat(context.getAppCheckToken()).isEqualTo(APP_CHECK_TOKEN);
     assertThat(context.getInstanceIdToken()).isEqualTo(IID_TOKEN);

firebase-functions/src/androidTest/java/com/google/firebase/functions/TestInteropAppCheckTokenProvider.java

@@ -25,8 +25,9 @@
 
 public class TestInteropAppCheckTokenProvider implements InteropAppCheckTokenProvider {
   private final AppCheckTokenResult testToken;
+  private final AppCheckTokenResult testLimitedUseToken;
 
-  public TestInteropAppCheckTokenProvider(String testToken) {
+  public TestInteropAppCheckTokenProvider(String testToken, String testLimitedUseToken) {
     this.testToken =
         new AppCheckTokenResult() {
           @NonNull
@@ -35,6 +36,21 @@ public String getToken() {
             return testToken;
           }
 
+          @Nullable
+          @Override
+          public Exception getError() {
+            return null;
+          }
+        };
+
+    this.testLimitedUseToken =
+        new AppCheckTokenResult() {
+          @NonNull
+          @Override
+          public String getToken() {
+            return testLimitedUseToken;
+          }
+
           @Nullable
           @Override
           public Exception getError() {
@@ -43,7 +59,8 @@ public Exception getError() {
         };
   }
 
-  public TestInteropAppCheckTokenProvider(String testToken, String error) {
+  public TestInteropAppCheckTokenProvider(
+      String testToken, String testLimitedUseToken, String error) {
     this.testToken =
         new AppCheckTokenResult() {
           @NonNull
@@ -52,6 +69,20 @@ public String getToken() {
             return testToken;
           }
 
+          @Nullable
+          @Override
+          public Exception getError() {
+            return new FirebaseException(error);
+          }
+        };
+    this.testLimitedUseToken =
+        new AppCheckTokenResult() {
+          @NonNull
+          @Override
+          public String getToken() {
+            return testLimitedUseToken;
+          }
+
           @Nullable
           @Override
           public Exception getError() {
@@ -69,7 +100,7 @@ public Task<AppCheckTokenResult> getToken(boolean forceRefresh) {
   @NonNull
   @Override
   public Task<AppCheckTokenResult> getLimitedUseToken() {
-    return Tasks.forResult(testToken);
+    return Tasks.forResult(testLimitedUseToken);
   }
 
   @Override

firebase-functions/src/main/java/com/google/firebase/functions/ContextProvider.java

@@ -18,5 +18,5 @@
 
 /** The interface for getting metadata about the client. This is an interface for easier testing. */
 interface ContextProvider {
-  Task<HttpsCallableContext> getContext();
+  Task<HttpsCallableContext> getContext(boolean getLimitedUseAppCheckToken);
 }

firebase-functions/src/main/java/com/google/firebase/functions/FirebaseContextProvider.java

@@ -18,6 +18,7 @@
 import com.google.android.gms.tasks.Task;
 import com.google.android.gms.tasks.Tasks;
 import com.google.firebase.annotations.concurrent.Lightweight;
+import com.google.firebase.appcheck.AppCheckTokenResult;
 import com.google.firebase.appcheck.interop.InteropAppCheckTokenProvider;
 import com.google.firebase.auth.internal.InternalAuthProvider;
 import com.google.firebase.iid.internal.FirebaseInstanceIdInternal;
@@ -62,9 +63,9 @@ class FirebaseContextProvider implements ContextProvider {
   }
 
   @Override
-  public Task<HttpsCallableContext> getContext() {
+  public Task<HttpsCallableContext> getContext(boolean limitedUseAppCheckToken) {
     Task<String> authToken = getAuthToken();
-    Task<String> appCheckToken = getAppCheckToken();
+    Task<String> appCheckToken = getAppCheckToken(limitedUseAppCheckToken);
     return Tasks.whenAll(authToken, appCheckToken)
         .onSuccessTask(
             executor,
@@ -100,23 +101,23 @@ private Task<String> getAuthToken() {
             });
   }
 
-  private Task<String> getAppCheckToken() {
+  private Task<String> getAppCheckToken(boolean limitedUseAppCheckToken) {
     InteropAppCheckTokenProvider appCheck = appCheckRef.get();
     if (appCheck == null) {
       return Tasks.forResult(null);
     }
-    return appCheck
-        .getToken(false)
-        .onSuccessTask(
-            executor,
-            result -> {
-              if (result.getError() != null) {
-                // If there was an error getting the App Check token, do NOT send the placeholder
-                // token. Only valid App Check tokens should be sent to the functions backend.
-                Log.w(TAG, "Error getting App Check token. Error: " + result.getError());
-                return Tasks.forResult(null);
-              }
-              return Tasks.forResult(result.getToken());
-            });
+    Task<AppCheckTokenResult> tokenTask =
+        limitedUseAppCheckToken ? appCheck.getLimitedUseToken() : appCheck.getToken(false);
+    return tokenTask.onSuccessTask(
+        executor,
+        result -> {
+          if (result.getError() != null) {
+            // If there was an error getting the App Check token, do NOT send the placeholder
+            // token. Only valid App Check tokens should be sent to the functions backend.
+            Log.w(TAG, "Error getting App Check token. Error: " + result.getError());
+            return Tasks.forResult(null);
+          }
+          return Tasks.forResult(result.getToken());
+        });
   }
 }