Migrate FAC code (#1245)

* Refactor CryptoSigner (#21)

* Refactor Crypto Signer

* Introduce new CryptoSignerError type

* reorder imports

* PR fixes

* PR clean up

* feat(fac): Implement the App Check API (#22)

* Implement the App Check API

* Add AppCheck public API (#23)

* Add AppCheck public API

* Add AppCheck public api unit tests

* Add FAC Verify Token API (#26)

* (feat): Add FAC Verify token API

- Re-try with all the keys when kid is not present in the token header.
- Add JWKS key fetcher
- Add public API for FAC verify token

* Add ref docs and unit tests

* PR fixes

* Update api extractor report

* Add more tests for token-verifier

* export jwks key pairs

* PR fixes

* More PR fixes

* Update src/app-check/index.ts

Co-authored-by: Kevin Cheung <[email protected]>

Co-authored-by: Kevin Cheung <[email protected]>

* Add App ID

Co-authored-by: Kevin Cheung <[email protected]>

Author: lahirumaramba

.github/scripts/run_integration_tests.sh

@@ -22,4 +22,6 @@ gpg --quiet --batch --yes --decrypt --passphrase="${FIREBASE_SERVICE_ACCT_KEY}"
 
 echo "${FIREBASE_API_KEY}" > test/resources/apikey.txt
 
+echo "${FIREBASE_APP_ID}" > test/resources/appid.txt
+
 npm run test:integration -- --updateRules --testMultiTenancy

.github/workflows/nightly.yml

@@ -55,6 +55,7 @@ jobs:
       env:
         FIREBASE_SERVICE_ACCT_KEY: ${{ secrets.FIREBASE_SERVICE_ACCT_KEY }}
         FIREBASE_API_KEY: ${{ secrets.FIREBASE_API_KEY }}
+        FIREBASE_APP_ID: ${{ secrets.FIREBASE_APP_ID }}
 
     - name: Package release artifacts
       run: |

.github/workflows/release.yml

@@ -66,6 +66,7 @@ jobs:
       env:
         FIREBASE_SERVICE_ACCT_KEY: ${{ secrets.FIREBASE_SERVICE_ACCT_KEY }}
         FIREBASE_API_KEY: ${{ secrets.FIREBASE_API_KEY }}
+        FIREBASE_APP_ID: ${{ secrets.FIREBASE_APP_ID }}
 
     - name: Package release artifacts
       run: |

.gitignore

@@ -14,6 +14,7 @@ node_modules/
 # Real key file should not be checked in
 test/resources/key.json
 test/resources/apikey.txt
+test/resources/appid.txt
 
 # Release tarballs should not be checked in
 firebase-admin-*.tgz

docgen/content-sources/node/toc.yaml

@@ -19,6 +19,18 @@ toc:
   - title: "App"
     path: /docs/reference/admin/node/admin.app.App-1
 
+- title: "admin.appCheck"
+  path: /docs/reference/admin/node/admin.appCheck
+  section:
+  - title: "AppCheck"
+    path: /docs/reference/admin/node/admin.appCheck.AppCheck-1
+  - title: "AppCheckToken"
+    path: /docs/reference/admin/node/admin.appCheck.AppCheckToken
+  - title: "DecodedAppCheckToken"
+    path: /docs/reference/admin/node/admin.appCheck.DecodedAppCheckToken
+  - title: "VerifyAppCheckTokenResponse"
+    path: /docs/reference/admin/node/admin.appCheck.VerifyAppCheckTokenResponse
+
 - title: "admin.auth"
   path: /docs/reference/admin/node/admin.auth
   section:

etc/firebase-admin.api.md

@@ -15,6 +15,8 @@ export function app(name?: string): app.App;
 // @public (undocumented)
 export namespace app {
     export interface App {
+        // (undocumented)
+        appCheck(): appCheck.AppCheck;
         // (undocumented)
         auth(): auth.Auth;
         // (undocumented)
@@ -41,6 +43,37 @@ export namespace app {
     }
 }
 
+// @public
+export function appCheck(app?: app.App): appCheck.AppCheck;
+
+// @public (undocumented)
+export namespace appCheck {
+    export interface AppCheck {
+        // (undocumented)
+        app: app.App;
+        createToken(appId: string): Promise<AppCheckToken>;
+        verifyToken(appCheckToken: string): Promise<VerifyAppCheckTokenResponse>;
+    }
+    export interface AppCheckToken {
+        token: string;
+        ttlMillis: number;
+    }
+    export interface DecodedAppCheckToken {
+        // (undocumented)
+        [key: string]: any;
+        app_id: string;
+        aud: string[];
+        exp: number;
+        iat: number;
+        iss: string;
+        sub: string;
+    }
+    export interface VerifyAppCheckTokenResponse {
+        appId: string;
+        token: appCheck.DecodedAppCheckToken;
+    }
+}
+
 // @public
 export interface AppOptions {
     credential?: credential.Credential;