Adds support for Firebase Auth session management. #245
Conversation
This adds 2 new APIs: admin.auth().createSessionCookie(idToken: string, sessionCookieOptions: SessionCookieOptions): Promise<string> admin.auth().verifySessionCookie(sessionCookie: string, checkRevoked?: boolean): Promise<DecodedIdToken> Refactored token generator and split token verification to a new class FirebaseTokenVerifier so it can be used to also verify session cookies. Kept the same error handling for backward compatibility. In the process, ported the same tests to token verifier. Updated token generator ID token and session cookie verification to check token verifier is called underneath with the expected parameters. Added integration tests to test all common flows for session cookie creation and verification. Added mocks for session cookie JWTs. Fixed error in URL validator.
src/auth/auth-api-request.ts
Outdated
| // Set response validator. | ||
| .setResponseValidator((response: any) => { | ||
| // Response should always contain the session cookie. | ||
| if (!response.sessionCookie || !validator.isNonEmptyString(response.sessionCookie)) { |
There was a problem hiding this comment.
isNonEmptyString check should be sufficient here.
src/auth/auth-api-request.ts
Outdated
| * The session cookie JWT will have the same payload claims as the provided ID token. | ||
| * | ||
| * @param {string} idToken The Firebase ID token to exchange for a session cookie. | ||
| * @param {number} expiresIn The session cookie duration. |
There was a problem hiding this comment.
Please specify time unit.
src/auth/auth.ts
Outdated
| * verification. | ||
| */ | ||
| private verifyDecodedJWTNotRevoked( | ||
| decodedIdToken: DecodedIdToken, revocationError: FirebaseAuthError): Promise<DecodedIdToken> { |
There was a problem hiding this comment.
Nit: Perhaps just take the error code as the second argument? You can instantiate the FirebaseAuthError in this function. It is a little weird to pass an exception as an argument.
src/auth/auth.ts
Outdated
| */ | ||
| public createSessionCookie( | ||
| idToken: string, sessionCookieOptions: SessionCookieOptions): Promise<string> { | ||
| return this.authRequestHandler.createSessionCookie( |
There was a problem hiding this comment.
Should we validate the existence of expiresIn here and throw an error? (since it's a required field)
There was a problem hiding this comment.
Ok I added a check. Note this will return a rejected promise. We do this for all other APIs here. We don't directly throw an error and return a rejected promise after validation in auth-api-request.ts.
src/auth/auth.ts
Outdated
| public createSessionCookie( | ||
| idToken: string, sessionCookieOptions: SessionCookieOptions): Promise<string> { | ||
| return this.authRequestHandler.createSessionCookie( | ||
| idToken, sessionCookieOptions && sessionCookieOptions.expiresIn); |
There was a problem hiding this comment.
Why not just sessionCookieOptions.expiresIn?
There was a problem hiding this comment.
There is a risk that if sessionCookieOptions is passed as undefined, an error is thrown. So we have to keep this.
There was a problem hiding this comment.
Ok I changed it since I validate this above.
| @@ -318,6 +318,10 @@ export class AuthClientErrorCode { | |||
| code: 'claims-too-large', | |||
| message: 'Developer claims maximum payload size exceeded.', | |||
| }; | |||
| public static ID_TOKEN_EXPIRED = { | |||
There was a problem hiding this comment.
Are we referencing these constants anywhere?
There was a problem hiding this comment.
The backend error TOKEN_EXPIRED will map to this client facing error. I think you can see this error in action in the integration tests I added.
test/integration/auth.spec.ts
Outdated
| }) | ||
| .then((sessionCookie) => admin.auth().verifySessionCookie(sessionCookie)) | ||
| .then((decodedIdToken) => { | ||
| // Check for expected expiration with +/-2 seconds of variation. |
There was a problem hiding this comment.
Lets be on the safe side and use a 5s interval for tests.
test/integration/auth.spec.ts
Outdated
| return admin.auth().verifySessionCookie(currentSessionCookie, true) | ||
| .should.eventually.be.rejected.and.have.property('code', 'auth/session-cookie-revoked'); | ||
| }); | ||
| }).timeout(5000); |
There was a problem hiding this comment.
Can we drop .timeout(5000) calls now that we are setting it in package.json?
test/integration/auth.spec.ts
Outdated
| }); | ||
| }).timeout(5000); | ||
|
|
||
| it('fails when called with an invalid ID token', () => { |
There was a problem hiding this comment.
It's probably enough to have tests like these that do not make remote API calls as unit tests.
There was a problem hiding this comment.
Ok removed these 2 tests.
| .then((resp) => { | ||
| throw new Error('Unexpected success'); | ||
| }, (error) => { | ||
| expect(error).to.deep.equal(expectedError); |
There was a problem hiding this comment.
Does the error have some code that we can test here?
There was a problem hiding this comment.
The server will return the error code INVALID_ID_TOKEN which gets mapped to developer facing error AuthClientErrorCode.INVALID_ID_TOKEN. The deep equal assertion here should test for exact code match.
|
Thanks for the prompt review, @hiranya911 ! |
|
@bojeil-google I forgot to mention this in the code review. Please add an entry to the CHANGELOG file as part of this PR. |
|
I updated the changelog file. PTAL. |
This adds 2 new APIs:
admin.auth().createSessionCookie(idToken: string, sessionCookieOptions:
SessionCookieOptions): Promise
admin.auth().verifySessionCookie(sessionCookie: string, checkRevoked?:
boolean): Promise
Refactored token generator and split token verification to a new class
FirebaseTokenVerifier so it can be used to also verify session cookies.
Kept the same error handling for backward compatibility.
In the process, ported the same tests to token verifier.
Updated token generator ID token and session cookie verification to
check token verifier is called underneath with the expected parameters.
Added integration tests to test all common flows for session cookie
creation and verification.
Added mocks for session cookie JWTs.
Fixed error in URL validator.
Increased integration test timeout to 5 seconds from the default 2 seconds to accommodate user deletion throttling.