Scoping credentials to Firebase services (#23)

* Scoping credentials to Firebase services

* Fixed variable name

* Updated test to compare lists

Author: hiranya911

firebase_admin/credentials.py

@@ -23,7 +23,10 @@
 
 
 _request = requests.Request()
-
+_scopes = [
+    'https://www.googleapis.com/auth/firebase',
+    'https://www.googleapis.com/auth/userinfo.email'
+]
 
 AccessTokenInfo = collections.namedtuple(
     'AccessTokenInfo', ['access_token', 'expiry'])
@@ -67,7 +70,8 @@ def __init__(self, file_path):
                              '"type" field set to "{1}".'.format(file_path, self._CREDENTIAL_TYPE))
         self._project_id = json_data.get('project_id')
         try:
-            self._g_credential = service_account.Credentials.from_service_account_info(json_data)
+            self._g_credential = service_account.Credentials.from_service_account_info(
+                json_data, scopes=_scopes)
         except ValueError as error:
             raise ValueError('Failed to initialize a certificate credential from file "{0}". '
                              'Caused by: "{1}"'.format(file_path, error))
@@ -112,7 +116,7 @@ def __init__(self):
               credentials cannot be initialized in the current environment.
         """
         super(ApplicationDefault, self).__init__()
-        self._g_credential, self._project_id = google.auth.default()
+        self._g_credential, self._project_id = google.auth.default(scopes=_scopes)
 
     def get_access_token(self):
         """Fetches a Google OAuth2 access token using this application default credential.
@@ -166,7 +170,7 @@ def __init__(self, file_path):
         self._g_credential = credentials.Credentials(
             token=None, refresh_token=refresh_token,
             token_uri='https://accounts.google.com/o/oauth2/token',
-            client_id=client_id, client_secret=client_secret)
+            client_id=client_id, client_secret=client_secret, scopes=_scopes)
 
     @property
     def client_id(self):

tests/test_credentials.py

@@ -27,6 +27,11 @@
 from tests import testutils
 
 
+def check_scopes(g_credential):
+    assert isinstance(g_credential, google.auth.credentials.Scoped)
+    assert sorted(credentials._scopes) == sorted(g_credential.scopes)
+
+
 class TestCertificate(object):
 
     invalid_certs = {
@@ -46,6 +51,7 @@ def test_init_from_file(self):
         g_credential = credential.get_credential()
         assert isinstance(g_credential, service_account.Credentials)
         assert g_credential.token is None
+        check_scopes(g_credential)
 
         mock_response = {'access_token': 'mock_access_token', 'expires_in': 3600}
         credentials._request = testutils.MockRequest(200, json.dumps(mock_response))
@@ -82,6 +88,7 @@ def test_init(self, app_default): # pylint: disable=unused-argument
         g_credential = credential.get_credential()
         assert isinstance(g_credential, google.auth.credentials.Credentials)
         assert g_credential.token is None
+        check_scopes(g_credential)
 
         mock_response = {'access_token': 'mock_access_token', 'expires_in': 3600}
         credentials._request = testutils.MockRequest(200, json.dumps(mock_response))
@@ -108,6 +115,7 @@ def test_init_from_file(self):
         g_credential = credential.get_credential()
         assert isinstance(g_credential, gcredentials.Credentials)
         assert g_credential.token is None
+        check_scopes(g_credential)
 
         mock_response = {
             'access_token': 'mock_access_token',