Merge branch 'master' into firebase-sessions

Author: mrober

appcheck/firebase-appcheck-interop/src/main/java/com/google/firebase/appcheck/interop/InteropAppCheckTokenProvider.java

@@ -29,6 +29,15 @@ public interface InteropAppCheckTokenProvider {
   @NonNull
   Task<AppCheckTokenResult> getToken(boolean forceRefresh);
 
+  /**
+   * Requests an {@link AppCheckTokenResult} from the installed {@code AppCheckFactory}. This will
+   * always return a successful task, with an {@link AppCheckTokenResult} that contains either a
+   * valid token, or a dummy token and an error string. The token returned from this method will be
+   * a one-time use token.
+   */
+  @NonNull
+  Task<AppCheckTokenResult> getLimitedUseToken();
+
   /**
    * Registers a listener to changes in the token state. There can be more than one listener
    * registered at the same time for one or more FirebaseAppAuth instances. The listeners call back

appcheck/firebase-appcheck/CHANGELOG.md

@@ -1,5 +1,5 @@
 # Unreleased
-
+* [changed] Internal updates to allow Firebase SDKs to obtain limited-use tokens.
 
 # 17.0.0
 * [feature] Added [`getLimitedUseAppCheckToken()`](/docs/reference/android/com/google/firebase/appcheck/FirebaseAppCheck#getLimitedUseAppCheckToken())

appcheck/firebase-appcheck/firebase-appcheck.gradle

@@ -46,7 +46,7 @@ dependencies {
     implementation 'com.google.firebase:firebase-annotations:16.2.0'
     implementation 'com.google.firebase:firebase-common:20.3.1'
     implementation 'com.google.firebase:firebase-components:17.1.0'
-    implementation 'com.google.firebase:firebase-appcheck-interop:17.0.0'
+    implementation project(':appcheck:firebase-appcheck-interop')
     implementation 'com.google.android.gms:play-services-base:18.0.1'
     implementation 'com.google.android.gms:play-services-tasks:18.0.1'
 

appcheck/firebase-appcheck/src/main/java/com/google/firebase/appcheck/internal/DefaultFirebaseAppCheck.java

@@ -213,6 +213,28 @@ public Task<AppCheckTokenResult> getToken(boolean forceRefresh) {
         });
   }
 
+  @NonNull
+  @Override
+  public Task<AppCheckTokenResult> getLimitedUseToken() {
+    return getLimitedUseAppCheckToken()
+        .continueWithTask(
+            liteExecutor,
+            appCheckTokenTask -> {
+              if (appCheckTokenTask.isSuccessful()) {
+                return Tasks.forResult(
+                    DefaultAppCheckTokenResult.constructFromAppCheckToken(
+                        appCheckTokenTask.getResult()));
+              }
+              // If the token exchange failed, return a dummy token for integrators to attach
+              // in their headers.
+              return Tasks.forResult(
+                  DefaultAppCheckTokenResult.constructFromError(
+                      new FirebaseException(
+                          appCheckTokenTask.getException().getMessage(),
+                          appCheckTokenTask.getException())));
+            });
+  }
+
   @NonNull
   @Override
   public Task<AppCheckToken> getAppCheckToken(boolean forceRefresh) {

appcheck/firebase-appcheck/src/test/java/com/google/firebase/appcheck/internal/DefaultFirebaseAppCheckTest.java

@@ -235,6 +235,15 @@ public void testGetLimitedUseAppCheckToken_noFactoryInstalled_taskFails() throws
     assertThat(tokenTask.isSuccessful()).isFalse();
   }
 
+  @Test
+  public void testGetLimitedUseToken_noFactoryInstalled_returnResultWithError() throws Exception {
+    Task<AppCheckTokenResult> tokenTask = defaultFirebaseAppCheck.getLimitedUseToken();
+    assertThat(tokenTask.isComplete()).isTrue();
+    assertThat(tokenTask.isSuccessful()).isTrue();
+    assertThat(tokenTask.getResult().getToken()).isNotNull();
+    assertThat(tokenTask.getResult().getError()).isNotNull();
+  }
+
   @Test
   public void testGetToken_factoryInstalled_proxiesToAppCheckFactory() {
     defaultFirebaseAppCheck.installAppCheckProviderFactory(mockAppCheckProviderFactory);
@@ -422,4 +431,23 @@ public void testGetLimitedUseAppCheckToken_existingToken_requestsNewToken() {
 
     verify(mockAppCheckProvider).getToken();
   }
+
+  @Test
+  public void testGetLimitedUseToken_noExistingToken_requestsNewToken() {
+    defaultFirebaseAppCheck.installAppCheckProviderFactory(mockAppCheckProviderFactory);
+
+    defaultFirebaseAppCheck.getLimitedUseToken();
+
+    verify(mockAppCheckProvider).getToken();
+  }
+
+  @Test
+  public void testGetLimitedUseToken_existingToken_requestsNewToken() {
+    defaultFirebaseAppCheck.setCachedToken(validDefaultAppCheckToken);
+    defaultFirebaseAppCheck.installAppCheckProviderFactory(mockAppCheckProviderFactory);
+
+    defaultFirebaseAppCheck.getLimitedUseToken();
+
+    verify(mockAppCheckProvider).getToken();
+  }
 }

firebase-functions/CHANGELOG.md

@@ -1,5 +1,5 @@
 # Unreleased
-
+* [changed] Added support for App Check limited-use tokens in HTTPS Callable Functions.
 
 # 20.3.0
 * [changed] Internal changes to ensure alignment with other SDK releases.

firebase-functions/api.txt

@@ -3,7 +3,9 @@ package com.google.firebase.functions {
 
   public class FirebaseFunctions {
     method @NonNull public com.google.firebase.functions.HttpsCallableReference getHttpsCallable(@NonNull String);
+    method @NonNull public com.google.firebase.functions.HttpsCallableReference getHttpsCallable(@NonNull String, @NonNull com.google.firebase.functions.HttpsCallableOptions);
     method @NonNull public com.google.firebase.functions.HttpsCallableReference getHttpsCallableFromUrl(@NonNull java.net.URL);
+    method @NonNull public com.google.firebase.functions.HttpsCallableReference getHttpsCallableFromUrl(@NonNull java.net.URL, @NonNull com.google.firebase.functions.HttpsCallableOptions);
     method @NonNull public static com.google.firebase.functions.FirebaseFunctions getInstance(@NonNull com.google.firebase.FirebaseApp, @NonNull String);
     method @NonNull public static com.google.firebase.functions.FirebaseFunctions getInstance(@NonNull com.google.firebase.FirebaseApp);
     method @NonNull public static com.google.firebase.functions.FirebaseFunctions getInstance(@NonNull String);
@@ -37,6 +39,17 @@ package com.google.firebase.functions {
     enum_constant public static final com.google.firebase.functions.FirebaseFunctionsException.Code UNKNOWN;
   }
 
+  public class HttpsCallableOptions {
+    method public boolean getLimitedUseAppCheckTokens();
+  }
+
+  public static class HttpsCallableOptions.Builder {
+    ctor public HttpsCallableOptions.Builder();
+    method @NonNull public com.google.firebase.functions.HttpsCallableOptions build();
+    method public boolean getLimitedUseAppCheckTokens();
+    method @NonNull public com.google.firebase.functions.HttpsCallableOptions.Builder setLimitedUseAppCheckTokens(boolean);
+  }
+
   public class HttpsCallableReference {
     method @NonNull public com.google.android.gms.tasks.Task<com.google.firebase.functions.HttpsCallableResult> call(@Nullable Object);
     method @NonNull public com.google.android.gms.tasks.Task<com.google.firebase.functions.HttpsCallableResult> call();

firebase-functions/src/androidTest/backend/functions/index.js

@@ -64,6 +64,12 @@ exports.appCheckTest = functions.https.onRequest((request, response) => {
   response.send({data: {}});
 });
 
+exports.appCheckLimitedUseTest = functions.https.onRequest((request, response) => {
+  assert.equal(request.get('X-Firebase-AppCheck'), 'appCheck-limited-use');
+  assert.deepEqual(request.body, {data: {}});
+  response.send({data: {}});
+});
+
 exports.nullTest = functions.https.onRequest((request, response) => {
   assert.deepEqual(request.body, {data: null});
   response.send({data: null});

firebase-functions/src/androidTest/java/com/google/firebase/functions/CallTest.java

@@ -88,7 +88,7 @@ public void testToken() throws InterruptedException, ExecutionException {
             app.getApplicationContext(),
             app.getOptions().getProjectId(),
             "us-central1",
-            () -> {
+            (unused) -> {
               HttpsCallableContext context = new HttpsCallableContext("token", null, null);
               return Tasks.forResult(context);
             },
@@ -110,7 +110,7 @@ public void testInstanceId() throws InterruptedException, ExecutionException {
             app.getApplicationContext(),
             app.getOptions().getProjectId(),
             "us-central1",
-            () -> {
+            (unused) -> {
               HttpsCallableContext context = new HttpsCallableContext(null, "iid", null);
               return Tasks.forResult(context);
             },
@@ -132,7 +132,7 @@ public void testAppCheck() throws InterruptedException, ExecutionException {
             app.getApplicationContext(),
             app.getOptions().getProjectId(),
             "us-central1",
-            () -> {
+            (unused) -> {
               HttpsCallableContext context = new HttpsCallableContext(null, null, "appCheck");
               return Tasks.forResult(context);
             },
@@ -146,6 +146,32 @@ public void testAppCheck() throws InterruptedException, ExecutionException {
     assertEquals(new HashMap<>(), actual);
   }
 
+  @Test
+  public void testAppCheckLimitedUse() throws InterruptedException, ExecutionException {
+    // Override the normal token provider to simulate FirebaseAuth being logged in.
+    FirebaseFunctions functions =
+        new FirebaseFunctions(
+            app.getApplicationContext(),
+            app.getOptions().getProjectId(),
+            "us-central1",
+            (unused) -> {
+              HttpsCallableContext context =
+                  new HttpsCallableContext(null, null, "appCheck-limited-use");
+              return Tasks.forResult(context);
+            },
+            TestOnlyExecutors.lite(),
+            TestOnlyExecutors.ui());
+
+    HttpsCallableReference function =
+        functions.getHttpsCallable(
+            "appCheckLimitedUseTest",
+            new HttpsCallableOptions.Builder().setLimitedUseAppCheckTokens(true).build());
+    Task<HttpsCallableResult> result = function.call(new HashMap<>());
+    Object actual = Tasks.await(result).getData();
+
+    assertEquals(new HashMap<>(), actual);
+  }
+
   @Test
   public void testNull() throws InterruptedException, ExecutionException {
     FirebaseFunctions functions = FirebaseFunctions.getInstance(app);

firebase-functions/src/androidTest/java/com/google/firebase/functions/FirebaseContextProviderTest.java

@@ -34,6 +34,8 @@ public class FirebaseContextProviderTest {
   private static final String AUTH_TOKEN = "authToken";
   private static final String IID_TOKEN = "iidToken";
   private static final String APP_CHECK_TOKEN = "appCheckToken";
+
+  private static final String APP_CHECK_LIMITED_USE_TOKEN = "appCheckLimitedUseToken";
   private static final String ERROR = "errorString";
 
   private static final InternalAuthProvider fixedAuthProvider =
@@ -46,9 +48,9 @@ public class FirebaseContextProviderTest {
   private static final FirebaseInstanceIdInternal fixedIidProvider =
       new TestFirebaseInstanceIdInternal(IID_TOKEN);
   private static final InteropAppCheckTokenProvider fixedAppCheckProvider =
-      new TestInteropAppCheckTokenProvider(APP_CHECK_TOKEN);
+      new TestInteropAppCheckTokenProvider(APP_CHECK_TOKEN, APP_CHECK_LIMITED_USE_TOKEN);
   private static final InteropAppCheckTokenProvider errorAppCheckProvider =
-      new TestInteropAppCheckTokenProvider(APP_CHECK_TOKEN, ERROR);
+      new TestInteropAppCheckTokenProvider(APP_CHECK_TOKEN, APP_CHECK_LIMITED_USE_TOKEN, ERROR);
 
   @Test
   public void getContext_whenAuthAndAppCheckAreNotAvailable_shouldContainOnlyIid()
@@ -60,7 +62,7 @@ public void getContext_whenAuthAndAppCheckAreNotAvailable_shouldContainOnlyIid()
             absentDeferred(),
             TestOnlyExecutors.lite());
 
-    HttpsCallableContext context = Tasks.await(contextProvider.getContext());
+    HttpsCallableContext context = Tasks.await(contextProvider.getContext(false));
     assertThat(context.getAuthToken()).isNull();
     assertThat(context.getAppCheckToken()).isNull();
     assertThat(context.getInstanceIdToken()).isEqualTo(IID_TOKEN);
@@ -76,7 +78,7 @@ public void getContext_whenOnlyAuthIsAvailable_shouldContainOnlyAuthTokenAndIid(
             absentDeferred(),
             TestOnlyExecutors.lite());
 
-    HttpsCallableContext context = Tasks.await(contextProvider.getContext());
+    HttpsCallableContext context = Tasks.await(contextProvider.getContext(false));
     assertThat(context.getAuthToken()).isEqualTo(AUTH_TOKEN);
     assertThat(context.getAppCheckToken()).isNull();
     assertThat(context.getInstanceIdToken()).isEqualTo(IID_TOKEN);
@@ -92,7 +94,7 @@ public void getContext_whenOnlyAppCheckIsAvailable_shouldContainOnlyAppCheckToke
             deferredOf(fixedAppCheckProvider),
             TestOnlyExecutors.lite());
 
-    HttpsCallableContext context = Tasks.await(contextProvider.getContext());
+    HttpsCallableContext context = Tasks.await(contextProvider.getContext(false));
     assertThat(context.getAuthToken()).isNull();
     assertThat(context.getAppCheckToken()).isEqualTo(APP_CHECK_TOKEN);
     assertThat(context.getInstanceIdToken()).isEqualTo(IID_TOKEN);
@@ -108,7 +110,7 @@ public void getContext_whenOnlyAuthIsAvailableAndNotSignedIn_shouldContainOnlyIi
             absentDeferred(),
             TestOnlyExecutors.lite());
 
-    HttpsCallableContext context = Tasks.await(contextProvider.getContext());
+    HttpsCallableContext context = Tasks.await(contextProvider.getContext(false));
     assertThat(context.getAuthToken()).isNull();
     assertThat(context.getAppCheckToken()).isNull();
     assertThat(context.getInstanceIdToken()).isEqualTo(IID_TOKEN);
@@ -124,12 +126,44 @@ public void getContext_whenOnlyAppCheckIsAvailableAndHasError_shouldContainOnlyI
             deferredOf(errorAppCheckProvider),
             TestOnlyExecutors.lite());
 
-    HttpsCallableContext context = Tasks.await(contextProvider.getContext());
+    HttpsCallableContext context = Tasks.await(contextProvider.getContext(false));
+    assertThat(context.getAuthToken()).isNull();
+    assertThat(context.getInstanceIdToken()).isEqualTo(IID_TOKEN);
+    assertThat(context.getAppCheckToken()).isNull();
+  }
+
+  @Test
+  public void getContext_facLimitedUse_whenOnlyAppCheckIsAvailableAndHasError_shouldContainOnlyIid()
+      throws ExecutionException, InterruptedException {
+    FirebaseContextProvider contextProvider =
+        new FirebaseContextProvider(
+            absentProvider(),
+            providerOf(fixedIidProvider),
+            deferredOf(errorAppCheckProvider),
+            TestOnlyExecutors.lite());
+
+    HttpsCallableContext context = Tasks.await(contextProvider.getContext(true));
     assertThat(context.getAuthToken()).isNull();
     assertThat(context.getInstanceIdToken()).isEqualTo(IID_TOKEN);
     assertThat(context.getAppCheckToken()).isNull();
   }
 
+  @Test
+  public void getContext_facLimitedUse_whenOnlyAppCheckIsAvailable_shouldContainToken()
+      throws ExecutionException, InterruptedException {
+    FirebaseContextProvider contextProvider =
+        new FirebaseContextProvider(
+            absentProvider(),
+            providerOf(fixedIidProvider),
+            deferredOf(fixedAppCheckProvider),
+            TestOnlyExecutors.lite());
+
+    HttpsCallableContext context = Tasks.await(contextProvider.getContext(true));
+    assertThat(context.getAuthToken()).isNull();
+    assertThat(context.getInstanceIdToken()).isEqualTo(IID_TOKEN);
+    assertThat(context.getAppCheckToken()).isEqualTo(APP_CHECK_LIMITED_USE_TOKEN);
+  }
+
   @Test
   public void getContext_whenAuthAndAppCheckAreAvailable_shouldContainAuthAppCheckTokensAndIid()
       throws ExecutionException, InterruptedException {
@@ -140,7 +174,7 @@ public void getContext_whenAuthAndAppCheckAreAvailable_shouldContainAuthAppCheck
             deferredOf(fixedAppCheckProvider),
             TestOnlyExecutors.lite());
 
-    HttpsCallableContext context = Tasks.await(contextProvider.getContext());
+    HttpsCallableContext context = Tasks.await(contextProvider.getContext(false));
     assertThat(context.getAuthToken()).isEqualTo(AUTH_TOKEN);
     assertThat(context.getAppCheckToken()).isEqualTo(APP_CHECK_TOKEN);
     assertThat(context.getInstanceIdToken()).isEqualTo(IID_TOKEN);

firebase-functions/src/androidTest/java/com/google/firebase/functions/TestInteropAppCheckTokenProvider.java

@@ -25,8 +25,9 @@
 
 public class TestInteropAppCheckTokenProvider implements InteropAppCheckTokenProvider {
   private final AppCheckTokenResult testToken;
+  private final AppCheckTokenResult testLimitedUseToken;
 
-  public TestInteropAppCheckTokenProvider(String testToken) {
+  public TestInteropAppCheckTokenProvider(String testToken, String testLimitedUseToken) {
     this.testToken =
         new AppCheckTokenResult() {
           @NonNull
@@ -35,6 +36,21 @@ public String getToken() {
             return testToken;
           }
 
+          @Nullable
+          @Override
+          public Exception getError() {
+            return null;
+          }
+        };
+
+    this.testLimitedUseToken =
+        new AppCheckTokenResult() {
+          @NonNull
+          @Override
+          public String getToken() {
+            return testLimitedUseToken;
+          }
+
           @Nullable
           @Override
           public Exception getError() {
@@ -43,7 +59,8 @@ public Exception getError() {
         };
   }
 
-  public TestInteropAppCheckTokenProvider(String testToken, String error) {
+  public TestInteropAppCheckTokenProvider(
+      String testToken, String testLimitedUseToken, String error) {
     this.testToken =
         new AppCheckTokenResult() {
           @NonNull
@@ -52,6 +69,20 @@ public String getToken() {
             return testToken;
           }
 
+          @Nullable
+          @Override
+          public Exception getError() {
+            return new FirebaseException(error);
+          }
+        };
+    this.testLimitedUseToken =
+        new AppCheckTokenResult() {
+          @NonNull
+          @Override
+          public String getToken() {
+            return testLimitedUseToken;
+          }
+
           @Nullable
           @Override
           public Exception getError() {
@@ -66,6 +97,12 @@ public Task<AppCheckTokenResult> getToken(boolean forceRefresh) {
     return Tasks.forResult(testToken);
   }
 
+  @NonNull
+  @Override
+  public Task<AppCheckTokenResult> getLimitedUseToken() {
+    return Tasks.forResult(testLimitedUseToken);
+  }
+
   @Override
   public void addAppCheckTokenListener(@NonNull AppCheckTokenListener listener) {}