firebase · DellaBitta · Nov 22, 2024 · Dec 4, 2024 · Dec 4, 2024 · Dec 16, 2024
@@ -79,6 +79,7 @@ export interface FirebaseServerApp extends FirebaseApp {
 
 // @public
 export interface FirebaseServerAppSettings extends Omit<FirebaseAppSettings, 'name'> {
+    appCheckToken?: string;
     authIdToken?: string;
     releaseOnDeref?: object;
 }

@@ -31,7 +31,9 @@ export const enum AppError {
   IDB_WRITE = 'idb-set',
   IDB_DELETE = 'idb-delete',
   FINALIZATION_REGISTRY_NOT_SUPPORTED = 'finalization-registry-not-supported',
-  INVALID_SERVER_APP_ENVIRONMENT = 'invalid-server-app-environment'
+  INVALID_SERVER_APP_ENVIRONMENT = 'invalid-server-app-environment',
+  INVALID_SERVER_APP_TOKEN_FORMAT = 'invalid-server-app-token-format',
+  SERVER_APP_TOKEN_EXPIRED = 'server-app-token-expired'
 }
 
 const ERRORS: ErrorMap<AppError> = {
@@ -61,7 +63,11 @@ const ERRORS: ErrorMap<AppError> = {
   [AppError.FINALIZATION_REGISTRY_NOT_SUPPORTED]:
     'FirebaseServerApp deleteOnDeref field defined but the JS runtime does not support FinalizationRegistry.',
   [AppError.INVALID_SERVER_APP_ENVIRONMENT]:
-    'FirebaseServerApp is not for use in browser environments.'
+    'FirebaseServerApp is not for use in browser environments.',
+  [AppError.INVALID_SERVER_APP_TOKEN_FORMAT]:
+    'FirebaseServerApp {$tokenName} could not be parsed.',
+  [AppError.SERVER_APP_TOKEN_EXPIRED]:
+    'FirebaseServerApp {$tokenName} could not be parsed.'
 };
 
 interface ErrorParams {
@@ -75,6 +81,8 @@ interface ErrorParams {
   [AppError.IDB_WRITE]: { originalErrorMessage?: string };
   [AppError.IDB_DELETE]: { originalErrorMessage?: string };
   [AppError.FINALIZATION_REGISTRY_NOT_SUPPORTED]: { appName?: string };
+  [AppError.INVALID_SERVER_APP_TOKEN_FORMAT]: { tokenName: string };
+  [AppError.SERVER_APP_TOKEN_EXPIRED]: { tokenName: string };
 }
 
 export const ERROR_FACTORY = new ErrorFactory<AppError, ErrorParams>(

@@ -20,6 +20,21 @@ import '../test/setup';
 import { ComponentContainer } from '@firebase/component';
 import { FirebaseServerAppImpl } from './firebaseServerApp';
 import { FirebaseServerAppSettings } from './public-types';
+import { base64Encode } from '@firebase/util';
+
+const BASE64_DUMMY = base64Encode('dummystrings'); // encodes to ZHVtbXlzdHJpbmdz
+
+// Creates a three part dummy token with an expiration claim in the second part. The expration
+// time is based on the date offset provided.
+function createServerAppTokenWithOffset(daysOffset: number): string {
+  const timeInSeconds = Math.trunc(
+    new Date().setDate(new Date().getDate() + daysOffset) / 1000
+  );
+  const secondPart = JSON.stringify({ exp: timeInSeconds });
+  const token =
+    BASE64_DUMMY + '.' + base64Encode(secondPart) + '.' + BASE64_DUMMY;
+  return token;
+}
 
 describe('FirebaseServerApp', () => {
   it('has various accessors', () => {
@@ -155,4 +170,148 @@ describe('FirebaseServerApp', () => {
 
     expect(JSON.stringify(app)).to.eql(undefined);
   });
+
+  it('accepts a valid authIdToken expiration', () => {
+    const options = { apiKey: 'APIKEY' };
+    const authIdToken = createServerAppTokenWithOffset(/*daysOffset=*/ 1);
+    const serverAppSettings: FirebaseServerAppSettings = {
+      automaticDataCollectionEnabled: false,
+      releaseOnDeref: options,
+      authIdToken
+    };
+    let encounteredError = false;
+    try {
+      new FirebaseServerAppImpl(
+        options,
+        serverAppSettings,
+        'testName',
+        new ComponentContainer('test')
+      );
+    } catch (e) {
+      encounteredError = true;
+    }
+    expect(encounteredError).to.be.false;
+  });
+
+  it('throws when authIdToken has expired', () => {
+    const options = { apiKey: 'APIKEY' };
+    const authIdToken = createServerAppTokenWithOffset(/*daysOffset=*/ -1);
+    const serverAppSettings: FirebaseServerAppSettings = {
+      automaticDataCollectionEnabled: false,
+      releaseOnDeref: options,
+      authIdToken
+    };
+    let encounteredError = false;
+    try {
+      new FirebaseServerAppImpl(
+        options,
+        serverAppSettings,
+        'testName',
+        new ComponentContainer('test')
+      );
+    } catch (e) {
+      encounteredError = true;
+      expect((e as Error).toString()).to.contain(
+        'app/server-app-token-expired'
+      );
+    }
+    expect(encounteredError).to.be.true;
+  });
+
+  it('throws when authIdToken has too few parts', () => {
+    const options = { apiKey: 'APIKEY' };
+    const authIdToken = 'blah';
+    const serverAppSettings: FirebaseServerAppSettings = {
+      automaticDataCollectionEnabled: false,
+      releaseOnDeref: options,
+      authIdToken: base64Encode(authIdToken)
+    };
+    let encounteredError = false;
+    try {
+      new FirebaseServerAppImpl(
+        options,
+        serverAppSettings,
+        'testName',
+        new ComponentContainer('test')
+      );
+    } catch (e) {
+      encounteredError = true;
+      expect((e as Error).toString()).to.contain(
+        'Unexpected end of JSON input'
+      );
+    }
+    expect(encounteredError).to.be.true;
+  });
+
+  it('accepts a valid appCheckToken expiration', () => {
+    const options = { apiKey: 'APIKEY' };
+    const appCheckToken = createServerAppTokenWithOffset(/*daysOffset=*/ 1);
+    const serverAppSettings: FirebaseServerAppSettings = {
+      automaticDataCollectionEnabled: false,
+      releaseOnDeref: options,
+      appCheckToken
+    };
+    let encounteredError = false;
+    try {
+      new FirebaseServerAppImpl(
+        options,
+        serverAppSettings,
+        'testName',
+        new ComponentContainer('test')
+      );
+    } catch (e) {
+      encounteredError = true;
+    }
+    expect(encounteredError).to.be.false;
+  });
+
+  it('throws when appCheckToken has expired', () => {
+    const options = { apiKey: 'APIKEY' };
+    const appCheckToken = createServerAppTokenWithOffset(/*daysOffset=*/ -1);
+    const serverAppSettings: FirebaseServerAppSettings = {
+      automaticDataCollectionEnabled: false,
+      releaseOnDeref: options,
+      appCheckToken
+    };
+    let encounteredError = false;
+    try {
+      new FirebaseServerAppImpl(
+        options,
+        serverAppSettings,
+        'testName',
+        new ComponentContainer('test')
+      );
+    } catch (e) {
+      encounteredError = true;
+      expect((e as Error).toString()).to.contain(
+        'app/server-app-token-expired'
+      );
+    }
+    expect(encounteredError).to.be.true;
+  });
+
+  it('throws when appCheckToken has too few parts', () => {
+    const options = { apiKey: 'APIKEY' };
+    const appCheckToken = 'blah';
+    const serverAppSettings: FirebaseServerAppSettings = {
+      automaticDataCollectionEnabled: false,
+      releaseOnDeref: options,
+      appCheckToken: base64Encode(appCheckToken)
+    };
+    let encounteredError = false;
+    try {
+      new FirebaseServerAppImpl(
+        options,
+        serverAppSettings,
+        'testName',
+        new ComponentContainer('test')
+      );
+    } catch (e) {
+      encounteredError = true;
+      expect((e as Error).toString()).to.contain(
+        'Unexpected end of JSON input'
+      );
+    }
+    expect(encounteredError).to.be.true;
+  });
 });
@@ -26,6 +26,33 @@ import { ComponentContainer } from '@firebase/component';
 import { FirebaseAppImpl } from './firebaseApp';
 import { ERROR_FACTORY, AppError } from './errors';
 import { name as packageName, version } from '../package.json';
+import { base64Decode } from '@firebase/util';
+
+// Parse the token and check to see if the `exp` claim is in the future.
+// Throws an error if the token or claim could not be parsed, or if `exp` is in the past.
+function validateTokenTTL(base64Token: string, tokenName: string): void {
+  const secondPart = base64Decode(base64Token.split('.')[1]);
+  if (secondPart === null) {
+    throw ERROR_FACTORY.create(AppError.INVALID_SERVER_APP_TOKEN_FORMAT, {
+      tokenName
+    });
+  }
+  const expClaim = JSON.parse(secondPart).exp;
+  if (expClaim === undefined) {
+    throw ERROR_FACTORY.create(AppError.INVALID_SERVER_APP_TOKEN_FORMAT, {
+      tokenName
+    });
+  }
+  const exp = JSON.parse(secondPart).exp * 1000;
+  const now = new Date().getTime();
+  // const now = new Date(new Date().getDate() - 1).now()
+  const diff = exp - now;
+  if (diff <= 0) {
+    throw ERROR_FACTORY.create(AppError.SERVER_APP_TOKEN_EXPIRED, {
+      tokenName
+    });
+  }
+}
 
 export class FirebaseServerAppImpl
   extends FirebaseAppImpl
@@ -67,6 +94,16 @@ export class FirebaseServerAppImpl
       ...serverConfig
     };
 
+    // Validate the authIdtoken validation window.
+    if (this._serverConfig.authIdToken) {
+      validateTokenTTL(this._serverConfig.authIdToken, 'authIdToken');
+    }
+
+    // Validate the appCheckToken validation window.
+    if (this._serverConfig.appCheckToken) {
+      validateTokenTTL(this._serverConfig.appCheckToken, 'appCheckToken');
+    }
+
     this._finalizationRegistry = null;
     if (typeof FinalizationRegistry !== 'undefined') {
       this._finalizationRegistry = new FinalizationRegistry(() => {

@@ -196,6 +196,12 @@ export interface FirebaseServerAppSettings
    */
   authIdToken?: string;
 
+  /**
+   * An optional App Check token. If provided, the Firebase SDKs that use App Check will utilizze
+   * this App Check token in lieu of requiring an instance of App Check to be initialized.
+   */
+  appCheckToken?: string;
+
   /**
    * An optional object. If provided, the Firebase SDK uses a `FinalizationRegistry`
    * object to monitor the garbage collection status of the provided object. The

@@ -845,6 +845,9 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
   }
 
   async _getAppCheckToken(): Promise<string | undefined> {
+    if (_isFirebaseServerApp(this.app) && this.app.settings.appCheckToken) {
+      return this.app.settings.appCheckToken;
+    }
     const appCheckTokenResult = await this.appCheckServiceProvider
       .getImmediate({ optional: true })
       ?.getToken();

@@ -92,7 +92,7 @@ export class DataConnect {
   private _transportOptions?: TransportOptions;
   private _authTokenProvider?: AuthTokenProvider;
   _isUsingGeneratedSdk: boolean = false;
-  private _appCheckTokenProvider?: AppCheckTokenProvider;
+  private _appCheckTokenProvider: AppCheckTokenProvider;
   // @internal
   constructor(
     public readonly app: FirebaseApp,
@@ -149,12 +149,10 @@ export class DataConnect {
         this._authProvider
       );
     }
-    if (this._appCheckProvider) {
-      this._appCheckTokenProvider = new AppCheckTokenProvider(
-        this.app.name,
-        this._appCheckProvider
-      );
-    }
+    this._appCheckTokenProvider = new AppCheckTokenProvider(
+      this.app,
+      this._appCheckProvider
+    );
 
     this._initialized = true;
     this._transport = new this._transportClass(

@@ -15,6 +15,7 @@
  * limitations under the License.
  */
 
+import { FirebaseApp, _isFirebaseServerApp } from '@firebase/app';
 import {
   AppCheckInternalComponentName,
   AppCheckTokenListener,
@@ -29,10 +30,14 @@ import { Provider } from '@firebase/component';
  */
 export class AppCheckTokenProvider {
   private appCheck?: FirebaseAppCheckInternal;
+  private serverAppAppCheckToken?: string;
   constructor(
-    private appName_: string,
+    app: FirebaseApp,
     private appCheckProvider?: Provider<AppCheckInternalComponentName>
   ) {
+    if (_isFirebaseServerApp(app) && app.settings.appCheckToken) {
+      this.serverAppAppCheckToken = app.settings.appCheckToken;
+    }
     this.appCheck = appCheckProvider?.getImmediate({ optional: true });
     if (!this.appCheck) {
       void appCheckProvider
@@ -43,6 +48,10 @@ export class AppCheckTokenProvider {
   }
 
   getToken(forceRefresh?: boolean): Promise<AppCheckTokenResult> {
+    if (this.serverAppAppCheckToken) {
+      return Promise.resolve({ token: this.serverAppAppCheckToken });
+    }
+
     if (!this.appCheck) {
       return new Promise<AppCheckTokenResult>((resolve, reject) => {
         // Support delayed initialization of FirebaseAppCheck. This allows our

@@ -164,7 +164,7 @@ export function repoManagerDatabaseFromApp(
     repoInfo,
     app,
     authTokenProvider,
-    new AppCheckTokenProvider(app.name, appCheckProvider)
+    new AppCheckTokenProvider(app, appCheckProvider)
   );
   return new Database(repo, app);
 }