address PR comments

lahirumaramba · lahirumaramba · commit 23505ebe7fcf · 2025-11-28T01:04:14.000Z
diff --git a/firebase_admin/app_check.py b/firebase_admin/app_check.py
@@ -18,9 +18,10 @@
 import jwt
 from jwt import PyJWKClient, ExpiredSignatureError, InvalidTokenError, DecodeError
 from jwt import InvalidAudienceError, InvalidIssuerError, InvalidSignatureError
+import requests
 from firebase_admin import _utils
 from firebase_admin import _http_client
-import requests
+from firebase_admin import exceptions
 
 _APP_CHECK_ATTRIBUTE = '_app_check'
 
@@ -106,9 +107,17 @@ def _verify_replay_protection(self, token: str) -> bool:
         body = {'app_check_token': token}
         try:
             response = self._http_client.body('post', path, json=body)
+            if not isinstance(response, dict):
+                raise exceptions.UnknownError(
+                    'Unexpected response from App Check service. '
+                    f'Expected a JSON object, but got {type(response).__name__}.')
             return response.get('alreadyConsumed', False)
         except requests.exceptions.RequestException as error:
             raise _utils.handle_platform_error_from_requests(error)
+        except ValueError as error:
+            raise exceptions.UnknownError(
+                'Unexpected response from App Check service. '
+                f'Error: {error}')
 
     def _has_valid_token_headers(self, headers: Any) -> None:
         """Checks whether the token has valid headers for App Check."""
diff --git a/tests/test_app_check.py b/tests/test_app_check.py
@@ -264,16 +264,63 @@ def test_verify_token_with_consume_network_error(self, mocker):
         mocker.patch("jwt.PyJWKClient.get_signing_key_from_jwt", return_value=PyJWK(signing_key))
         mocker.patch("jwt.get_unverified_header", return_value=JWT_PAYLOAD_SAMPLE.get("headers"))
         mock_http_client = mocker.patch("firebase_admin._http_client.JsonHttpClient")
-        mock_http_client.return_value.body.side_effect = requests.exceptions.RequestException("Network error")
-        
+        mock_http_client.return_value.body.side_effect = requests.exceptions.RequestException(
+            "Network error")
+
+        # Use a fresh app to ensure _AppCheckService is re-initialized with the mock
+        cred = testutils.MockCredential()
+        app = firebase_admin.initialize_app(
+            cred, {'projectId': PROJECT_ID}, name='test_consume_error')
+
+        try:
+            with pytest.raises(exceptions.UnknownError) as excinfo:
+                app_check.verify_token("encoded", app, consume=True)
+            assert str(excinfo.value) == (
+                "Unknown error while making a remote service call: Network error")
+        finally:
+            firebase_admin.delete_app(app)
+
+    def test_verify_token_with_consume_non_dict_response(self, mocker):
+        """Test verify_token with consume=True handles non-dict response."""
+        mocker.patch("jwt.decode", return_value=JWT_PAYLOAD_SAMPLE)
+        mocker.patch("jwt.PyJWKClient.get_signing_key_from_jwt", return_value=PyJWK(signing_key))
+        mocker.patch("jwt.get_unverified_header", return_value=JWT_PAYLOAD_SAMPLE.get("headers"))
+        mock_http_client = mocker.patch("firebase_admin._http_client.JsonHttpClient")
+        mock_http_client.return_value.body.return_value = ["not", "a", "dict"]
+
+        # Use a fresh app to ensure _AppCheckService is re-initialized with the mock
+        cred = testutils.MockCredential()
+        app = firebase_admin.initialize_app(
+            cred, {'projectId': PROJECT_ID}, name='test_consume_non_dict')
+
+        try:
+            with pytest.raises(exceptions.UnknownError) as excinfo:
+                app_check.verify_token("encoded", app, consume=True)
+            assert str(excinfo.value) == (
+                'Unexpected response from App Check service. '
+                'Expected a JSON object, but got list.')
+        finally:
+            firebase_admin.delete_app(app)
+
+    def test_verify_token_with_consume_malformed_json(self, mocker):
+        """Test verify_token with consume=True handles malformed JSON response."""
+        mocker.patch("jwt.decode", return_value=JWT_PAYLOAD_SAMPLE)
+        mocker.patch("jwt.PyJWKClient.get_signing_key_from_jwt", return_value=PyJWK(signing_key))
+        mocker.patch("jwt.get_unverified_header", return_value=JWT_PAYLOAD_SAMPLE.get("headers"))
+        mock_http_client = mocker.patch("firebase_admin._http_client.JsonHttpClient")
+        mock_http_client.return_value.body.side_effect = ValueError("Malformed JSON")
+
         # Use a fresh app to ensure _AppCheckService is re-initialized with the mock
         cred = testutils.MockCredential()
-        app = firebase_admin.initialize_app(cred, {'projectId': PROJECT_ID}, name='test_consume_error')
+        app = firebase_admin.initialize_app(
+            cred, {'projectId': PROJECT_ID}, name='test_consume_malformed_json')
 
         try:
             with pytest.raises(exceptions.UnknownError) as excinfo:
                 app_check.verify_token("encoded", app, consume=True)
-            assert str(excinfo.value) == "Unknown error while making a remote service call: Network error"
+            assert str(excinfo.value) == (
+                'Unexpected response from App Check service. '
+                'Error: Malformed JSON')
         finally:
             firebase_admin.delete_app(app)
 
