Token verification for the auth emulator

muru · muru · commit aacd27fac954 · 2021-03-05T17:24:57.000+09:00
diff --git a/firebase_admin/_token_gen.py b/firebase_admin/_token_gen.py
@@ -54,6 +54,16 @@
                         'service-accounts/default/email')
 
 
+class _EmulatedSigner(google.auth.crypt.Signer):
+    key_id = None
+
+    def __init__(self):
+        pass
+
+    def sign(self, message):
+        return b''
+
+
 class _SigningProvider:
     """Stores a reference to a google.auth.crypto.Signer."""
 
@@ -78,6 +88,10 @@ def from_iam(cls, request, google_cred, service_account):
         signer = iam.Signer(request, google_cred, service_account)
         return _SigningProvider(signer, service_account)
 
+    @classmethod
+    def for_emulator(cls):
+        return _SigningProvider(_EmulatedSigner(), 'firebase-auth-emulator@example.com')
+
 
 class TokenGenerator:
     """Generates custom tokens and session cookies."""
@@ -94,6 +108,8 @@ def __init__(self, app, http_client, url_override=None):
 
     def _init_signing_provider(self):
         """Initializes a signing provider by following the go/firebase-admin-sign protocol."""
+        if _auth_utils.is_emulated():
+            return _SigningProvider.for_emulator()
         # If the SDK was initialized with a service account, use it to sign bytes.
         google_cred = self.app.credential.get_credential()
         if isinstance(google_cred, google.oauth2.service_account.Credentials):
@@ -291,15 +307,15 @@ def verify(self, token, request):
             error_message = (
                 '{0} expects {1}, but was given a custom '
                 'token.'.format(self.operation, self.articled_short_name))
-        elif not header.get('kid'):
+        elif not _auth_utils.is_emulated() and not header.get('kid'):
             if header.get('alg') == 'HS256' and payload.get(
                     'v') == 0 and 'uid' in payload.get('d', {}):
                 error_message = (
                     '{0} expects {1}, but was given a legacy custom '
                     'token.'.format(self.operation, self.articled_short_name))
             else:
                 error_message = 'Firebase {0} has no "kid" claim.'.format(self.short_name)
-        elif header.get('alg') != 'RS256':
+        elif not _auth_utils.is_emulated() and header.get('alg') != 'RS256':
             error_message = (
                 'Firebase {0} has incorrect algorithm. Expected "RS256" but got '
                 '"{1}". {2}'.format(self.short_name, header.get('alg'), verify_id_token_msg))
@@ -329,6 +345,10 @@ def verify(self, token, request):
         if error_message:
             raise self._invalid_token_error(error_message)
 
+        if _auth_utils.is_emulated():
+            claims = jwt.decode(token, verify=False)
+            claims['uid'] = claims['sub']
+            return claims
         try:
             verified_claims = google.oauth2.id_token.verify_token(
                 token,
