Reduce App Check custom token exp to 5 mins (#1372)

lahirumaramba · web-flow · commit c2b126b3b18e · 2021-07-14T13:55:12.000-04:00
diff --git a/src/app-check/token-generator.ts b/src/app-check/token-generator.ts
@@ -30,8 +30,8 @@ import { HttpError } from '../utils/api-request';
 
 import AppCheckTokenOptions = appCheck.AppCheckTokenOptions;
 
-const ONE_HOUR_IN_SECONDS = 60 * 60;
-const ONE_MINUTE_IN_MILLIS = 60 * 1000;
+const ONE_MINUTE_IN_SECONDS = 60;
+const ONE_MINUTE_IN_MILLIS = ONE_MINUTE_IN_SECONDS * 1000;
 const ONE_DAY_IN_MILLIS = 24 * 60 * 60 * 1000;
 
 // Audience to use for Firebase App Check Custom tokens
@@ -91,7 +91,7 @@ export class AppCheckTokenGenerator {
         // eslint-disable-next-line @typescript-eslint/camelcase
         app_id: appId,
         aud: FIREBASE_APP_CHECK_AUDIENCE,
-        exp: iat + ONE_HOUR_IN_SECONDS,
+        exp: iat + (ONE_MINUTE_IN_SECONDS * 5),
         iat,
         ...customOptions,
       };
diff --git a/test/unit/app-check/token-generator.spec.ts b/test/unit/app-check/token-generator.spec.ts
@@ -43,7 +43,7 @@ chai.use(chaiAsPromised);
 const expect = chai.expect;
 
 const ALGORITHM = 'RS256';
-const ONE_HOUR_IN_SECONDS = 60 * 60;
+const FIVE_MIN_IN_SECONDS = 60 * 5;
 const FIREBASE_APP_CHECK_AUDIENCE = 'https://firebaseappcheck.googleapis.com/google.firebase.appcheck.v1beta.TokenExchangeService';
 
 /**
@@ -184,7 +184,7 @@ describe('AppCheckTokenGenerator', () => {
             // eslint-disable-next-line @typescript-eslint/camelcase
             app_id: APP_ID,
             iat: 1,
-            exp: ONE_HOUR_IN_SECONDS + 1,
+            exp: FIVE_MIN_IN_SECONDS + 1,
             aud: FIREBASE_APP_CHECK_AUDIENCE,
             iss: mocks.certificateObject.client_email,
             sub: mocks.certificateObject.client_email,
@@ -205,7 +205,7 @@ describe('AppCheckTokenGenerator', () => {
               // eslint-disable-next-line @typescript-eslint/camelcase
               app_id: APP_ID,
               iat: 1,
-              exp: ONE_HOUR_IN_SECONDS + 1,
+              exp: FIVE_MIN_IN_SECONDS + 1,
               aud: FIREBASE_APP_CHECK_AUDIENCE,
               iss: mocks.certificateObject.client_email,
               sub: mocks.certificateObject.client_email,
@@ -233,7 +233,7 @@ describe('AppCheckTokenGenerator', () => {
               // eslint-disable-next-line @typescript-eslint/camelcase
               app_id: APP_ID,
               iat: 1,
-              exp: ONE_HOUR_IN_SECONDS + 1,
+              exp: FIVE_MIN_IN_SECONDS + 1,
               aud: FIREBASE_APP_CHECK_AUDIENCE,
               iss: mocks.certificateObject.client_email,
               sub: mocks.certificateObject.client_email,
@@ -275,15 +275,15 @@ describe('AppCheckTokenGenerator', () => {
         });
     });
 
-    it('should be fulfilled with a JWT which expires after one hour', () => {
+    it('should be fulfilled with a JWT which expires after five minutes', () => {
       clock = sinon.useFakeTimers(1000);
 
       let token: string;
       return tokenGenerator.createCustomToken(APP_ID)
         .then((result) => {
           token = result;
 
-          clock!.tick((ONE_HOUR_IN_SECONDS * 1000) - 1);
+          clock!.tick((FIVE_MIN_IN_SECONDS * 1000) - 1);
 
           // Token should still be valid
           return verifyToken(token, mocks.keyPairs[0].public);
