Implement revokeAccessToken

Author: NhienLam

common/api-review/auth.api.md

@@ -725,6 +725,9 @@ export class RecaptchaVerifier implements ApplicationVerifierInternal {
 // @public
 export function reload(user: User): Promise<void>;
 
+// @public
+export function revokeAccessToken(auth: Auth, token: string): Promise<void>;
+
 // Warning: (ae-forgotten-export) The symbol "FederatedAuthProvider" needs to be exported by the entry point index.d.ts
 //
 // @public

packages/auth/demo/src/index.js

@@ -73,7 +73,8 @@ import {
   browserPopupRedirectResolver,
   connectAuthEmulator,
   initializeRecaptchaConfig,
-  validatePassword
+  validatePassword,
+  revokeAccessToken
 } from '@firebase/auth';
 
 import { config } from './config';
@@ -1730,13 +1731,60 @@ function logAdditionalUserInfo(response) {
  * Deletes the user account.
  */
 function onDelete() {
-  activeUser()
-    ['delete']()
-    .then(() => {
-      log('User successfully deleted.');
-      alertSuccess('User successfully deleted.');
-      refreshUserData();
-    }, onAuthError);
+  var isAppleProviderLinked = false;
+
+  for (const provider of activeUser().providerData) {
+    console.log('provider.providerId: ' + provider.providerId);
+    if (provider.providerId == 'apple.com') {
+      isAppleProviderLinked = true;
+      break;
+    }
+  }
+
+  if (isAppleProviderLinked) {
+    revokeAppleTokenAndDeleteUser();
+  } else {
+    activeUser()
+      ['delete']()
+      .then(() => {
+        log('User successfully deleted.');
+        alertSuccess('User successfully deleted.');
+        refreshUserData();
+      }, onAuthError);
+  }
+}
+
+function revokeAppleTokenAndDeleteUser() {
+  // Re-auth then revoke the token
+  const provider = new OAuthProvider('apple.com');
+  provider.addScope('email');
+  provider.addScope('name');
+
+  const auth = getAuth();
+  // TODO: Make this pop up or redirect. Can't use signInWithPopupRedirect because we need `then`.
+  signInWithPopup(auth, provider).then(result => {
+    // The signed-in user info.
+    const user = result.user;
+    const credential = OAuthProvider.credentialFromResult(result);
+    const accessToken = credential.accessToken;
+
+    revokeAccessToken(auth, accessToken)
+      .then(() => {
+        log('Token successfully revoked.');
+
+        // Usual user deletion
+        activeUser()
+          ['delete']()
+          .then(() => {
+            log('User successfully deleted.');
+            alertSuccess('User successfully deleted.');
+            refreshUserData();
+          }, onAuthError);
+      })
+      .catch(error => {
+        console.log(error.message);
+      });
+  });
 }
 
 /**

packages/auth/src/api/authentication/token.ts

@@ -22,17 +22,26 @@ import { querystring } from '@firebase/util';
 import {
   _getFinalTarget,
   _performFetchWithErrorHandling,
+  _performApiRequest,
+  _addTidIfNecessary,
   HttpMethod,
-  HttpHeader
+  HttpHeader,
+  Endpoint
 } from '../index';
 import { FetchProvider } from '../../core/util/fetch_provider';
 import { Auth } from '../../model/public_types';
 import { AuthInternal } from '../../model/auth';
 
-export const enum Endpoint {
+export const enum Path {
   TOKEN = '/v1/token'
 }
 
+export const enum TokenType {
+  UNSPECIFIED = 'TOKEN_TYPE_UNSPECIFIED',
+  REFRESH_TOKEN = 'REFRESH_TOKEN',
+  ACCESS_TOKEN = 'ACCESS_TOKEN'
+}
+
 /** The server responses with snake_case; we convert to camelCase */
 interface RequestStsTokenServerResponse {
   access_token: string;
@@ -46,6 +55,17 @@ export interface RequestStsTokenResponse {
   refreshToken: string;
 }
 
+export interface RevokeTokenRequest {
+  provider_id: string;
+  tokenType: TokenType;
+  token: string;
+  idToken: string;
+  tenantId?: string;
+  redirectUri?: string;
+}
+
+export interface RevokeTokenResponse {}
+
 export async function requestStsToken(
   auth: Auth,
   refreshToken: string
@@ -63,7 +83,7 @@ export async function requestStsToken(
         const url = _getFinalTarget(
           auth,
           tokenApiHost,
-          Endpoint.TOKEN,
+          Path.TOKEN,
           `key=${apiKey}`
         );
 
@@ -85,3 +105,15 @@ export async function requestStsToken(
     refreshToken: response.refresh_token
   };
 }
+
+export async function revokeToken(
+  auth: Auth,
+  request: RevokeTokenRequest
+): Promise<RevokeTokenResponse> {
+  return _performApiRequest<RevokeTokenRequest, RevokeTokenResponse>(
+    auth,
+    HttpMethod.POST,
+    Endpoint.REVOKE_TOKEN,
+    _addTidIfNecessary(auth, request)
+  );
+}

packages/auth/src/api/index.ts

@@ -68,7 +68,8 @@ export const enum Endpoint {
   WITHDRAW_MFA = '/v2/accounts/mfaEnrollment:withdraw',
   GET_PROJECT_CONFIG = '/v1/projects',
   GET_RECAPTCHA_CONFIG = '/v2/recaptchaConfig',
-  GET_PASSWORD_POLICY = '/v2/passwordPolicy'
+  GET_PASSWORD_POLICY = '/v2/passwordPolicy',
+  REVOKE_TOKEN = '/v2/accounts:revokeToken'
 }
 
 export const enum RecaptchaClientType {

packages/auth/src/core/auth/auth_impl.ts

@@ -63,6 +63,7 @@ import { _getInstance } from '../util/instantiator';
 import { _getUserLanguage } from '../util/navigator';
 import { _getClientVersion } from '../util/version';
 import { HttpHeader } from '../../api';
+import { TokenType, revokeToken } from '../../api/authentication/token';
 import { AuthMiddlewareQueue } from './middleware';
 import { RecaptchaConfig } from '../../platform_browser/recaptcha/recaptcha';
 import { _logWarn } from '../util/log';
@@ -514,6 +515,22 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
     });
   }
 
+  /**
+   * Revokes the given access token. Currently only supports Apple OAuth Access token.
+   */
+  async revokeAccessToken(token: string): Promise<void> {
+    if (this.currentUser) {
+      const idToken = await this.currentUser.getIdToken();
+      // Generalize this to accept other providers once supported.
+      const response = await revokeToken(this, {
+        provider_id: 'apple.com',
+        tokenType: TokenType.ACCESS_TOKEN,
+        token: token,
+        idToken: idToken
+      });
+    }
+  }
+
   toJSON(): object {
     return {
       apiKey: this.config.apiKey,

packages/auth/src/core/index.ts

@@ -245,6 +245,14 @@ export function signOut(auth: Auth): Promise<void> {
   return getModularInstance(auth).signOut();
 }
 
+/**
+ * Revokes the given access token. Currently only supports Apple OAuth Access token.
+ */
+export function revokeAccessToken(auth: Auth, token: string): Promise<void> {
+  const authInternal = _castAuth(auth);
+  return authInternal.revokeAccessToken(token);
+}
+
 export { initializeAuth } from './auth/initialize';
 export { connectAuthEmulator } from './auth/emulator';
 

packages/auth/src/model/auth.ts

@@ -105,4 +105,5 @@ export interface AuthInternal extends Auth {
   useDeviceLanguage(): void;
   signOut(): Promise<void>;
   validatePassword(password: string): Promise<PasswordValidationStatus>;
+  revokeAccessToken(token: string): Promise<void>;
 }