Add TTL formula

Author: hsubox76

packages/app-check/src/client.test.ts

@@ -74,7 +74,8 @@ describe('client', () => {
 
     expect(response).to.deep.equal({
       token: 'fake-appcheck-token',
-      expireTimeMillis: 3600
+      expireTimeMillis: 3600,
+      issuedAtTimeMillis: 0
     });
   });
 

packages/app-check/src/client.ts

@@ -22,8 +22,8 @@ import {
 } from './constants';
 import { FirebaseApp } from '@firebase/app-types';
 import { ERROR_FACTORY, AppCheckError } from './errors';
-import { AppCheckToken } from '@firebase/app-check-types';
 import { Provider } from '@firebase/component';
+import { AppCheckTokenInternal } from './state';
 
 /**
  * Response JSON returned from AppCheck server endpoint.
@@ -42,7 +42,7 @@ interface AppCheckRequest {
 export async function exchangeToken(
   { url, body }: AppCheckRequest,
   platformLoggerProvider: Provider<'platform-logger'>
-): Promise<AppCheckToken> {
+): Promise<AppCheckTokenInternal> {
   const headers: HeadersInit = {
     'Content-Type': 'application/json'
   };
@@ -95,9 +95,11 @@ export async function exchangeToken(
   }
   const timeToLiveAsNumber = Number(match[1]) * 1000;
 
+  const now = Date.now();
   return {
     token: responseBody.attestationToken,
-    expireTimeMillis: Date.now() + timeToLiveAsNumber
+    expireTimeMillis: now + timeToLiveAsNumber,
+    issuedAtTimeMillis: now
   };
 }
 

packages/app-check/src/indexeddb.ts

@@ -15,9 +15,9 @@
  * limitations under the License.
  */
 
-import { AppCheckToken } from '@firebase/app-check-types';
 import { FirebaseApp } from '@firebase/app-types';
 import { ERROR_FACTORY, AppCheckError } from './errors';
+import { AppCheckTokenInternal } from './state';
 const DB_NAME = 'firebase-app-check-database';
 const DB_VERSION = 1;
 const STORE_NAME = 'firebase-app-check-store';
@@ -74,13 +74,13 @@ function getDBPromise(): Promise<IDBDatabase> {
 
 export function readTokenFromIndexedDB(
   app: FirebaseApp
-): Promise<AppCheckToken | undefined> {
-  return read(computeKey(app)) as Promise<AppCheckToken | undefined>;
+): Promise<AppCheckTokenInternal | undefined> {
+  return read(computeKey(app)) as Promise<AppCheckTokenInternal | undefined>;
 }
 
 export function writeTokenToIndexedDB(
   app: FirebaseApp,
-  token: AppCheckToken
+  token: AppCheckTokenInternal
 ): Promise<void> {
   return write(computeKey(app), token);
 }

packages/app-check/src/internal-api.test.ts

@@ -59,12 +59,14 @@ describe('internal api', () => {
     const fakeRecaptchaToken = 'fake-recaptcha-token';
     const fakeRecaptchaAppCheckToken = {
       token: 'fake-recaptcha-app-check-token',
-      expireTimeMillis: 123
+      expireTimeMillis: 123,
+      issuedAtTimeMillis: 0
     };
 
     const fakeCachedAppCheckToken = {
       token: 'fake-cached-app-check-token',
-      expireTimeMillis: 123
+      expireTimeMillis: 123,
+      issuedAtTimeMillis: 0
     };
 
     it('uses customTokenProvider to get an AppCheck token', async () => {
@@ -318,7 +320,8 @@ describe('internal api', () => {
         ...getState(app),
         token: {
           token: `fake-memory-app-check-token`,
-          expireTimeMillis: 123
+          expireTimeMillis: 123,
+          issuedAtTimeMillis: 0
         }
       });
 
@@ -331,7 +334,8 @@ describe('internal api', () => {
       stub(storage, 'readTokenFromStorage').returns(
         Promise.resolve({
           token: `fake-cached-app-check-token`,
-          expireTimeMillis: 123
+          expireTimeMillis: 123,
+          issuedAtTimeMillis: 0
         })
       );
 

packages/app-check/src/internal-api.ts

@@ -21,8 +21,12 @@ import {
   AppCheckTokenResult,
   AppCheckTokenListener
 } from '@firebase/app-check-interop-types';
-import { AppCheckToken } from '@firebase/app-check-types';
-import { getDebugState, getState, setState } from './state';
+import {
+  AppCheckTokenInternal,
+  getDebugState,
+  getState,
+  setState
+} from './state';
 import { TOKEN_REFRESH_TIME } from './constants';
 import { Refresher } from './proactive-refresh';
 import { ensureActivated } from './util';
@@ -72,7 +76,7 @@ export async function getToken(
    * return the debug token directly
    */
   if (isDebugMode()) {
-    const tokenFromDebugExchange: AppCheckToken = await exchangeToken(
+    const tokenFromDebugExchange: AppCheckTokenInternal = await exchangeToken(
       getExchangeDebugTokenRequest(app, await getDebugToken()),
       platformLoggerProvider
     );
@@ -81,7 +85,7 @@ export async function getToken(
 
   const state = getState(app);
 
-  let token: AppCheckToken | undefined = state.token;
+  let token: AppCheckTokenInternal | undefined = state.token;
   let error: Error | undefined = undefined;
 
   /**
@@ -111,7 +115,8 @@ export async function getToken(
    */
   try {
     if (state.customProvider) {
-      token = await state.customProvider.getToken();
+      const customToken = await state.customProvider.getToken();
+      token = { ...customToken, issuedAtTimeMillis: Date.now() };
     } else {
       const attestedClaimsToken = await getReCAPTCHAToken(app).catch(_e => {
         // reCaptcha.execute() throws null which is not very descriptive.
@@ -258,12 +263,13 @@ function createTokenRefresher(
       const state = getState(app);
 
       if (state.token) {
-        return Math.max(
-          0,
-          state.token.expireTimeMillis -
-            Date.now() -
-            TOKEN_REFRESH_TIME.OFFSET_DURATION
-        );
+        // issuedAtTime + (50% * total TTL) + 5 minutes
+        const nextRefreshTimeMillis =
+          state.token.issuedAtTimeMillis +
+          (state.token.expireTimeMillis - state.token.issuedAtTimeMillis) *
+            0.5 +
+          5 * 60 * 1000;
+        return Math.max(0, nextRefreshTimeMillis - Date.now());
       } else {
         return 0;
       }
@@ -288,7 +294,7 @@ function notifyTokenListeners(
   }
 }
 
-function isValid(token: AppCheckToken): boolean {
+function isValid(token: AppCheckTokenInternal): boolean {
   return token.expireTimeMillis - Date.now() > 0;
 }
 

packages/app-check/src/state.ts

@@ -21,12 +21,16 @@ import { AppCheckTokenListener } from '@firebase/app-check-interop-types';
 import { Refresher } from './proactive-refresh';
 import { Deferred } from '@firebase/util';
 import { GreCAPTCHA } from './recaptcha';
+
+export interface AppCheckTokenInternal extends AppCheckToken {
+  issuedAtTimeMillis: number;
+}
 export interface AppCheckState {
   activated: boolean;
   tokenListeners: AppCheckTokenListener[];
   customProvider?: AppCheckProvider;
   siteKey?: string;
-  token?: AppCheckToken;
+  token?: AppCheckTokenInternal;
   tokenRefresher?: Refresher;
   reCAPTCHAState?: ReCAPTCHAState;
   isTokenAutoRefreshEnabled?: boolean;

packages/app-check/src/storage.test.ts

@@ -28,7 +28,8 @@ describe('Storage', () => {
   const app = getFakeApp();
   const fakeToken = {
     token: 'fake-app-check-token',
-    expireTimeMillis: 345
+    expireTimeMillis: 345,
+    issuedAtTimeMillis: 0
   };
 
   it('sets and gets appCheck token to indexeddb', async () => {

packages/app-check/src/storage.ts

@@ -15,7 +15,6 @@
  * limitations under the License.
  */
 
-import { AppCheckToken } from '@firebase/app-check-types';
 import { uuidv4 } from './util';
 import { FirebaseApp } from '@firebase/app-types';
 import { isIndexedDBAvailable } from '@firebase/util';
@@ -26,13 +25,14 @@ import {
   writeTokenToIndexedDB
 } from './indexeddb';
 import { logger } from './logger';
+import { AppCheckTokenInternal } from './state';
 
 /**
  * Always resolves. In case of an error reading from indexeddb, resolve with undefined
  */
 export async function readTokenFromStorage(
   app: FirebaseApp
-): Promise<AppCheckToken | undefined> {
+): Promise<AppCheckTokenInternal | undefined> {
   if (isIndexedDBAvailable()) {
     let token = undefined;
     try {
@@ -52,7 +52,7 @@ export async function readTokenFromStorage(
  */
 export function writeTokenToStorage(
   app: FirebaseApp,
-  token: AppCheckToken
+  token: AppCheckTokenInternal
 ): Promise<void> {
   if (isIndexedDBAvailable()) {
     return writeTokenToIndexedDB(app, token).catch(e => {