Skip to content

Improve token verification logic with Auth Emulator. #1148

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 11 commits into from
Feb 4, 2021
Merged

Improve token verification logic with Auth Emulator. #1148

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
512fa4f
Improve token verification logic with Auth Emulator.
yuchenshi Jan 28, 2021
c5b68d3
Clean up comments.
yuchenshi Jan 28, 2021
2718b2c
Fix linting issues.
yuchenshi Jan 28, 2021
0c6eaef
Address review comments.
yuchenshi Jan 29, 2021
ce83e14
Use mock for auth emulator unit test.
yuchenshi Jan 29, 2021
6ba7fcf
Implement session cookies.
yuchenshi Jan 29, 2021
159e0b4
Call useEmulator() only once.
yuchenshi Feb 1, 2021
136f774
Update tests.
yuchenshi Feb 1, 2021
1cbc812
Delete unused test helper.
yuchenshi Feb 3, 2021
38c537e
Add unit tests for checking revocation.
yuchenshi Feb 3, 2021
263f885
Fix typo in test comments.
yuchenshi Feb 4, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 0 additions & 7 deletions test/integration/setup.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,13 +37,6 @@ export let noServiceAccountApp: admin.app.App;
export let cmdArgs: any;

export const isEmulator = !!process.env.FIREBASE_EMULATOR_HUB;
export function skipForEmulator(): void {
before(function () {
if (isEmulator) {
this.skip();
}
});
}

before(() => {
let getCredential: () => {credential?: admin.credential.Credential};
Expand Down
65 changes: 65 additions & 0 deletions test/unit/auth/auth.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3193,16 +3193,22 @@ AUTH_CONFIGS.forEach((testConfig) => {
describe('auth emulator support', () => {

let mockAuth = testConfig.init(mocks.app());
const userRecord = getValidUserRecord(getValidGetAccountInfoResponse());
const validSince = new Date(userRecord.tokensValidAfterTime!);

const stubs: sinon.SinonStub[] = [];
let clock: sinon.SinonFakeTimers;

beforeEach(() => {
process.env.FIREBASE_AUTH_EMULATOR_HOST = '127.0.0.1:9099';
mockAuth = testConfig.init(mocks.app());
clock = sinon.useFakeTimers(validSince.getTime());
});

afterEach(() => {
_.forEach(stubs, (s) => s.restore());
delete process.env.FIREBASE_AUTH_EMULATOR_HOST;
clock.restore();
});

it('createCustomToken() generates an unsigned token', async () => {
Expand All @@ -3217,6 +3223,65 @@ AUTH_CONFIGS.forEach((testConfig) => {
jwt.verify(token, '', { algorithms: ['none'] });
});

it('verifyIdToken() should reject revoked ID tokens', () => {
const uid = userRecord.uid;
// One second before validSince.
const oneSecBeforeValidSince = Math.floor(validSince.getTime() / 1000 - 1);
const getUserStub = sinon.stub(testConfig.Auth.prototype, 'getUser')
.resolves(userRecord);
stubs.push(getUserStub);

const unsignedToken = mocks.generateIdToken({
algorithm: 'none',
subject: uid,
}, {
iat: oneSecBeforeValidSince,
auth_time: oneSecBeforeValidSince, // eslint-disable-line @typescript-eslint/camelcase
});

// verifyIdToken should force checking revocation in emulator mode,
// even if checkRevoked=false.
return mockAuth.verifyIdToken(unsignedToken, false)
.then(() => {
throw new Error('Unexpected success');
}, (error) => {
// Confirm expected error returned.
expect(error).to.have.property('code', 'auth/id-token-revoked');
// Confirm underlying API called with expected parameters.
expect(getUserStub).to.have.been.calledOnce.and.calledWith(uid);
});
});

it('verifySessionCookie() should reject revoked session cookies', () => {
const uid = userRecord.uid;
// One second before validSince.
const oneSecBeforeValidSince = Math.floor(validSince.getTime() / 1000 - 1);
const getUserStub = sinon.stub(testConfig.Auth.prototype, 'getUser')
.resolves(userRecord);
stubs.push(getUserStub);

const unsignedToken = mocks.generateIdToken({
algorithm: 'none',
subject: uid,
issuer: 'https://session.firebase.google.com/' + mocks.projectId,
}, {
iat: oneSecBeforeValidSince,
auth_time: oneSecBeforeValidSince, // eslint-disable-line @typescript-eslint/camelcase
});

// verifyIdToken should force checking revocation in emulator mode,
// even if checkRevoked=false.
return mockAuth.verifySessionCookie(unsignedToken, false)
.then(() => {
throw new Error('Unexpected success');
}, (error) => {
// Confirm expected error returned.
expect(error).to.have.property('code', 'auth/session-cookie-revoked');
// Confirm underlying API called with expected parameters.
expect(getUserStub).to.have.been.calledOnce.and.calledWith(uid);
});
});

it('verifyIdToken() rejects an unsigned token if auth emulator is unreachable', async () => {
const unsignedToken = mocks.generateIdToken({
algorithm: 'none'
Expand Down