Merge remote-tracking branch 'origin/master' into rsgowman/enable_anon_auth

Author: rsgowman

.github/ISSUE_TEMPLATE/general-bug-report.md

@@ -7,8 +7,6 @@ assignees: ''
 
 ---
 
-**Thank you for submitting your issue. We are operating at reduced capacity from Dec 18 2020 to Jan 4 2021. Please expect delayed responses. For more urgent requests please reach us via our  support channels https://firebase.google.com/support**
-
 ### [READ] Step 1: Are you in the right place?
 
   * For issues related to __the code in this repository__ file a Github issue.

.github/workflows/nightly.yml

@@ -0,0 +1,68 @@
+# Copyright 2021 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Nightly Builds
+
+on:
+  # Runs every day at 06:00 AM (PT) and 08:00 PM (PT) / 04:00 AM (UTC) and 02:00 PM (UTC)
+  schedule:
+    - cron: "0 4,14 * * *"
+
+jobs:
+  nightly:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout source for staging
+      uses: actions/checkout@v2
+      with:
+        ref: ${{ github.event.client_payload.ref || github.ref }}
+
+    - name: Set up Node.js
+      uses: actions/setup-node@v1
+      with:
+        node-version: 10.x
+
+    - name: Install and build
+      run: |
+        npm ci
+        npm run build
+        npm run build:tests
+
+    - name: Run unit tests
+      run: npm test
+
+    - name: Verify public API
+      run: npm run api-extractor
+
+    - name: Run integration tests
+      run: ./.github/scripts/run_integration_tests.sh
+      env:
+        FIREBASE_SERVICE_ACCT_KEY: ${{ secrets.FIREBASE_SERVICE_ACCT_KEY }}
+        FIREBASE_API_KEY: ${{ secrets.FIREBASE_API_KEY }}
+
+    - name: Package release artifacts
+      run: |
+        npm pack
+        mkdir -p dist
+        cp *.tgz dist/
+
+    # Attach the packaged artifacts to the workflow output. These can be manually
+    # downloaded for later inspection if necessary.
+    - name: Archive artifacts
+      uses: actions/upload-artifact@v1
+      with:
+        name: dist
+        path: dist

CONTRIBUTING.md

@@ -146,7 +146,7 @@ following credentials from the project:
 2. *Web API key*: This is displayed in the "Settings > General" tab of the
    console. Copy it and save to a new text file at `test/resources/apikey.txt`.
 
-Then set up your Firebase/GCP project as follows:
+Then set up your Firebase/Google Cloud project as follows:
 
 1. Enable Firestore: Go to the Firebase Console, and select "Database" from
    the "Develop" menu. Click on the "Create database" button. You may choose
@@ -160,15 +160,15 @@ Then set up your Firebase/GCP project as follows:
    https://console.developers.google.com/apis/api/firebaseml.googleapis.com/overview)
    and make sure your project is selected. If the API is not already enabled, click Enable.
 4. Enable the IAM API: Go to the
-   [Google Cloud Platform Console](https://console.cloud.google.com) and make
-   sure your Firebase/GCP project is selected. Select "APIs & Services >
+   [Google Cloud Console](https://console.cloud.google.com) and make
+   sure your Firebase/Google Cloud project is selected. Select "APIs & Services >
    Dashboard" from the main menu, and click the "ENABLE APIS AND SERVICES"
    button. Search for and enable the "Identity and Access Management (IAM)
    API".
 5. Grant your service account the 'Firebase Authentication Admin' role. This is
    required to ensure that exported user records contain the password hashes of
    the user accounts:
-   1. Go to [Google Cloud Platform Console / IAM & admin](https://console.cloud.google.com/iam-admin).
+   1. Go to [Google Cloud Console / IAM & admin](https://console.cloud.google.com/iam-admin).
    2. Find your service account in the list, and click the 'pencil' icon to edit it's permissions.
    3. Click 'ADD ANOTHER ROLE' and choose 'Firebase Authentication Admin'.
    4. Click 'SAVE'.

package-lock.json

@@ -69,7 +69,7 @@
   },
   "devDependencies": {
     "@firebase/app": "^0.6.13",
-    "@firebase/auth": "^0.15.2",
+    "@firebase/auth": "^0.16.2",
     "@firebase/auth-types": "^0.10.1",
     "@microsoft/api-extractor": "^7.11.2",
     "@types/bcrypt": "^2.0.0",

package.json

@@ -2117,10 +2117,6 @@ function emulatorHost(): string | undefined {
 /**
  * When true the SDK should communicate with the Auth Emulator for all API
  * calls and also produce unsigned tokens.
- *
- * This alone does <b>NOT<b> short-circuit ID Token verification.
- * For security reasons that must be explicitly disabled through
- * setJwtVerificationEnabled(false);
  */
 export function useEmulator(): boolean {
   return !!emulatorHost();

src/auth/auth-api-request.ts

@@ -25,12 +25,11 @@ import {
   AbstractAuthRequestHandler, AuthRequestHandler, TenantAwareAuthRequestHandler, useEmulator,
 } from './auth-api-request';
 import { AuthClientErrorCode, FirebaseAuthError, ErrorInfo } from '../utils/error';
-import { FirebaseServiceInterface, FirebaseServiceInternalsInterface } from '../firebase-service';
 import * as utils from '../utils/index';
 import * as validator from '../utils/validator';
 import { auth } from './index';
 import {
-  FirebaseTokenVerifier, createSessionCookieVerifier, createIdTokenVerifier, ALGORITHM_RS256
+  FirebaseTokenVerifier, createSessionCookieVerifier, createIdTokenVerifier
 } from './token-verifier';
 import {
   SAMLConfig, OIDCConfig, OIDCConfigServerResponse, SAMLConfigServerResponse,
@@ -59,22 +58,6 @@ import BaseAuthInterface = auth.BaseAuth;
 import AuthInterface = auth.Auth;
 import TenantAwareAuthInterface = auth.TenantAwareAuth;
 
-/**
- * Internals of an Auth instance.
- */
-class AuthInternals implements FirebaseServiceInternalsInterface {
-  /**
-   * Deletes the service and its associated resources.
-   *
-   * @return {Promise<()>} An empty Promise that will be fulfilled when the service is deleted.
-   */
-  public delete(): Promise<void> {
-    // There are no resources to clean up
-    return Promise.resolve(undefined);
-  }
-}
-
-
 /**
  * Base Auth class. Mainly used for user management APIs.
  */
@@ -132,15 +115,16 @@ export class BaseAuth<T extends AbstractAuthRequestHandler> implements BaseAuthI
    *     verification.
    */
   public verifyIdToken(idToken: string, checkRevoked = false): Promise<DecodedIdToken> {
-    return this.idTokenVerifier.verifyJWT(idToken)
+    const isEmulator = useEmulator();
+    return this.idTokenVerifier.verifyJWT(idToken, isEmulator)
       .then((decodedIdToken: DecodedIdToken) => {
         // Whether to check if the token was revoked.
-        if (!checkRevoked) {
-          return decodedIdToken;
+        if (checkRevoked || isEmulator) {
+          return this.verifyDecodedJWTNotRevoked(
+            decodedIdToken,
+            AuthClientErrorCode.ID_TOKEN_REVOKED);
         }
-        return this.verifyDecodedJWTNotRevoked(
-          decodedIdToken,
-          AuthClientErrorCode.ID_TOKEN_REVOKED);
+        return decodedIdToken;
       });
   }
 
@@ -460,15 +444,16 @@ export class BaseAuth<T extends AbstractAuthRequestHandler> implements BaseAuthI
    */
   public verifySessionCookie(
     sessionCookie: string, checkRevoked = false): Promise<DecodedIdToken> {
-    return this.sessionCookieVerifier.verifyJWT(sessionCookie)
+    const isEmulator = useEmulator();
+    return this.sessionCookieVerifier.verifyJWT(sessionCookie, isEmulator)
       .then((decodedIdToken: DecodedIdToken) => {
         // Whether to check if the token was revoked.
-        if (!checkRevoked) {
-          return decodedIdToken;
+        if (checkRevoked || isEmulator) {
+          return this.verifyDecodedJWTNotRevoked(
+            decodedIdToken,
+            AuthClientErrorCode.SESSION_COOKIE_REVOKED);
         }
-        return this.verifyDecodedJWTNotRevoked(
-          decodedIdToken,
-          AuthClientErrorCode.SESSION_COOKIE_REVOKED);
+        return decodedIdToken;
       });
   }
 
@@ -692,28 +677,6 @@ export class BaseAuth<T extends AbstractAuthRequestHandler> implements BaseAuthI
         return decodedIdToken;
       });
   }
-
-  /**
-   * Enable or disable ID token verification. This is used to safely short-circuit token verification with the
-   * Auth emulator. When disabled ONLY unsigned tokens will pass verification, production tokens will not pass.
-   *
-   * WARNING: This is a dangerous method that will compromise your app's security and break your app in
-   * production. Developers should never call this method, it is for internal testing use only.
-   *
-   * @internal
-   */
-  // @ts-expect-error: this method appears unused but is used privately.
-  private setJwtVerificationEnabled(enabled: boolean): void {
-    if (!enabled && !useEmulator()) {
-      // We only allow verification to be disabled in conjunction with
-      // the emulator environment variable.
-      throw new Error('This method is only available when connected to the Authentication emulator.');
-    }
-
-    const algorithm = enabled ? ALGORITHM_RS256 : 'none';
-    this.idTokenVerifier.setAlgorithm(algorithm);
-    this.sessionCookieVerifier.setAlgorithm(algorithm);
-  }
 }
 
 
@@ -820,10 +783,8 @@ export class TenantAwareAuth
  * Auth service bound to the provided app.
  * An Auth instance can have multiple tenants.
  */
-export class Auth extends BaseAuth<AuthRequestHandler>
-  implements FirebaseServiceInterface, AuthInterface {
+export class Auth extends BaseAuth<AuthRequestHandler> implements AuthInterface {
 
-  public INTERNAL: AuthInternals = new AuthInternals();
   private readonly tenantManager_: TenantManager;
   private readonly app_: FirebaseApp;