Delegating token generation to the google.auth.credentials library (#43)

* Delegating token generation to the google.auth.credentials library

* Provided a default implementation for get_access_token()

* Updated API doc

Author: hiranya911

firebase_admin/__init__.py

@@ -30,7 +30,6 @@
 _clock = datetime.datetime.utcnow
 
 _DEFAULT_APP_NAME = '[DEFAULT]'
-_CLOCK_SKEW_SECONDS = 300
 
 
 def initialize_app(credential=None, options=None, name=_DEFAULT_APP_NAME):
@@ -182,7 +181,6 @@ def __init__(self, name, credential, options):
                              'with a valid credential instance.')
         self._credential = credential
         self._options = _AppOptions(options)
-        self._token = None
         self._lock = threading.RLock()
         self._services = {}
 
@@ -198,25 +196,6 @@ def credential(self):
     def options(self):
         return self._options
 
-    def _get_token(self):
-        """Returns an OAuth2 bearer token.
-
-        This method may return a cached token. But it handles cache invalidation, and therefore
-        is guaranteed to always return unexpired tokens.
-
-        Returns:
-          string: An unexpired OAuth2 token.
-        """
-        if not self._token_valid():
-            self._token = self._credential.get_access_token()
-        return self._token.access_token
-
-    def _token_valid(self):
-        if self._token is None:
-            return False
-        skewed_expiry = self._token.expiry - datetime.timedelta(seconds=_CLOCK_SKEW_SECONDS)
-        return _clock() < skewed_expiry
-
     def _get_service(self, name, initializer):
         """Returns the service instance identified by the given name.
 

firebase_admin/credentials.py

@@ -36,11 +36,17 @@ class Base(object):
     """Provides OAuth2 access tokens for accessing Firebase services."""
 
     def get_access_token(self):
-        """Fetches a Google OAuth2 access token using this credential instance."""
-        raise NotImplementedError
+        """Fetches a Google OAuth2 access token using this credential instance.
+
+        Returns:
+          AccessTokenInfo: An access token obtained using the credential.
+        """
+        google_cred = self.get_credential()
+        google_cred.refresh(_request)
+        return AccessTokenInfo(google_cred.token, google_cred.expiry)
 
     def get_credential(self):
-        """Returns the credential instance used for authentication."""
+        """Returns the Google credential instance used for authentication."""
         raise NotImplementedError
 
 
@@ -88,15 +94,6 @@ def signer(self):
     def service_account_email(self):
         return self._g_credential.service_account_email
 
-    def get_access_token(self):
-        """Fetches a Google OAuth2 access token using this certificate credential.
-
-        Returns:
-          AccessTokenInfo: An access token obtained using the credential.
-        """
-        self._g_credential.refresh(_request)
-        return AccessTokenInfo(self._g_credential.token, self._g_credential.expiry)
-
     def get_credential(self):
         """Returns the underlying Google credential.
 
@@ -118,15 +115,6 @@ def __init__(self):
         super(ApplicationDefault, self).__init__()
         self._g_credential, self._project_id = google.auth.default(scopes=_scopes)
 
-    def get_access_token(self):
-        """Fetches a Google OAuth2 access token using this application default credential.
-
-        Returns:
-          AccessTokenInfo: An access token obtained using the credential.
-        """
-        self._g_credential.refresh(_request)
-        return AccessTokenInfo(self._g_credential.token, self._g_credential.expiry)
-
     def get_credential(self):
         """Returns the underlying Google credential.
 
@@ -184,15 +172,6 @@ def client_secret(self):
     def refresh_token(self):
         return self._g_credential.refresh_token
 
-    def get_access_token(self):
-        """Fetches a Google OAuth2 access token using this refresh token credential.
-
-        Returns:
-          AccessTokenInfo: An access token obtained using the credential.
-        """
-        self._g_credential.refresh(_request)
-        return AccessTokenInfo(self._g_credential.token, self._g_credential.expiry)
-
     def get_credential(self):
         """Returns the underlying Google credential.
 

firebase_admin/db.py

@@ -25,6 +25,7 @@
 import numbers
 import sys
 
+from google.auth import transport
 import requests
 import six
 from six.moves import urllib
@@ -553,14 +554,12 @@ def __init__(self, **kwargs):
 
         Keyword Args:
           url: Firebase Realtime Database URL.
-          auth: An instance of requests.auth.AuthBase for authenticating outgoing HTTP requests.
           session: An HTTP session created using the requests module.
           auth_override: A dictionary representing auth variable overrides or None (optional).
               Defaults to empty dict, which provides admin privileges. A None value here provides
               un-authenticated guest privileges.
         """
         self._url = kwargs.pop('url')
-        self._auth = kwargs.pop('auth')
         self._session = kwargs.pop('session')
         auth_override = kwargs.pop('auth_override', {})
         if auth_override != {}:
@@ -591,9 +590,10 @@ def from_app(cls, app):
             raise ValueError('Invalid databaseAuthVariableOverride option: "{0}". Override '
                              'value must be a dict or None.'.format(auth_override))
 
-        session = requests.Session()
+        g_credential = app.credential.get_credential()
+        session = transport.requests.AuthorizedSession(g_credential)
         session.headers.update({'User-Agent': _USER_AGENT})
-        return _Client(url='https://{0}'.format(parsed.netloc), auth=_OAuth(app),
+        return _Client(url='https://{0}'.format(parsed.netloc),
                        session=session, auth_override=auth_override)
 
     def request(self, method, urlpath, **kwargs):
@@ -628,7 +628,7 @@ def _do_request(self, method, urlpath, **kwargs):
                 params = self._auth_override
             kwargs['params'] = params
         try:
-            resp = self._session.request(method, self._url + urlpath, auth=self._auth, **kwargs)
+            resp = self._session.request(method, self._url + urlpath, **kwargs)
             resp.raise_for_status()
             return resp
         except requests.exceptions.RequestException as error:
@@ -663,13 +663,3 @@ def close(self):
         self._session.close()
         self._auth = None
         self._url = None
-
-
-class _OAuth(requests.auth.AuthBase):
-    def __init__(self, app):
-        self._app = app
-
-    def __call__(self, req):
-        # pylint: disable=protected-access
-        req.headers['Authorization'] = 'Bearer {0}'.format(self._app._get_token())
-        return req

tests/test_app.py

@@ -13,8 +13,6 @@
 # limitations under the License.
 
 """Tests for firebase_admin.App."""
-import datetime
-import json
 import os
 
 import pytest
@@ -161,23 +159,3 @@ def test_app_delete(self, init_app):
             firebase_admin.get_app(init_app.name)
         with pytest.raises(ValueError):
             firebase_admin.delete_app(init_app)
-
-    def test_get_token(self, init_app):
-        mock_response = {'access_token': 'mock_access_token_1', 'expires_in': 3600}
-        credentials._request = testutils.MockRequest(200, json.dumps(mock_response))
-
-        assert init_app._get_token() == 'mock_access_token_1'
-
-        mock_response = {'access_token': 'mock_access_token_2', 'expires_in': 3600}
-        credentials._request = testutils.MockRequest(200, json.dumps(mock_response))
-
-        expiry = init_app._token.expiry
-        # should return same token from cache
-        firebase_admin._clock = lambda: expiry - datetime.timedelta(
-            seconds=firebase_admin._CLOCK_SKEW_SECONDS + 1)
-        assert init_app._get_token() == 'mock_access_token_1'
-
-        # should return new token from RPC call
-        firebase_admin._clock = lambda: expiry - datetime.timedelta(
-            seconds=firebase_admin._CLOCK_SKEW_SECONDS)
-        assert init_app._get_token() == 'mock_access_token_2'

tests/test_db.py

@@ -14,7 +14,6 @@
 
 """Tests for firebase_admin.db."""
 import collections
-import datetime
 import json
 import sys
 
@@ -47,12 +46,14 @@ def send(self, request, **kwargs):
 
 
 class MockCredential(credentials.Base):
-    def get_access_token(self):
-        expiry = datetime.datetime.utcnow() + datetime.timedelta(hours=24)
-        return credentials.AccessTokenInfo('mock-token', expiry)
+    """A mock Firebase credential implementation."""
+
+    def __init__(self):
+        self._g_credential = testutils.MockGoogleCredential()
 
     def get_credential(self):
-        return None
+        return self._g_credential
+
 
 class _Object(object):
     pass
@@ -402,15 +403,15 @@ def test_no_app(self):
             db.reference()
 
     def test_no_db_url(self):
-        firebase_admin.initialize_app(credentials.Base())
+        firebase_admin.initialize_app(MockCredential())
         with pytest.raises(ValueError):
             db.reference()
 
     @pytest.mark.parametrize('url', [
         'https://test.firebaseio.com', 'https://test.firebaseio.com/'
     ])
     def test_valid_db_url(self, url):
-        firebase_admin.initialize_app(credentials.Base(), {'databaseURL' : url})
+        firebase_admin.initialize_app(MockCredential(), {'databaseURL' : url})
         ref = db.reference()
         assert ref._client._url == 'https://test.firebaseio.com'
         assert ref._client._auth_override is None
@@ -420,13 +421,13 @@ def test_valid_db_url(self, url):
         True, False, 1, 0, dict(), list(), tuple(), _Object()
     ])
     def test_invalid_db_url(self, url):
-        firebase_admin.initialize_app(credentials.Base(), {'databaseURL' : url})
+        firebase_admin.initialize_app(MockCredential(), {'databaseURL' : url})
         with pytest.raises(ValueError):
             db.reference()
 
     @pytest.mark.parametrize('override', [{}, {'uid':'user1'}, None])
     def test_valid_auth_override(self, override):
-        firebase_admin.initialize_app(credentials.Base(), {
+        firebase_admin.initialize_app(MockCredential(), {
             'databaseURL' : 'https://test.firebaseio.com',
             'databaseAuthVariableOverride': override
         })
@@ -441,7 +442,7 @@ def test_valid_auth_override(self, override):
     @pytest.mark.parametrize('override', [
         '', 'foo', 0, 1, True, False, list(), tuple(), _Object()])
     def test_invalid_auth_override(self, override):
-        firebase_admin.initialize_app(credentials.Base(), {
+        firebase_admin.initialize_app(MockCredential(), {
             'databaseURL' : 'https://test.firebaseio.com',
             'databaseAuthVariableOverride': override
         })
@@ -450,12 +451,10 @@ def test_invalid_auth_override(self, override):
 
     def test_app_delete(self):
         app = firebase_admin.initialize_app(
-            credentials.Base(), {'databaseURL' : 'https://test.firebaseio.com'})
+            MockCredential(), {'databaseURL' : 'https://test.firebaseio.com'})
         ref = db.reference()
         assert ref is not None
-        assert ref._client._auth is not None
         firebase_admin.delete_app(app)
-        assert ref._client._auth is None
         with pytest.raises(ValueError):
             db.reference()
 

tests/testutils.py

@@ -15,6 +15,7 @@
 """Common utility classes and functions for testing."""
 import os
 
+from google.auth import credentials
 from google.auth import transport
 import firebase_admin
 
@@ -68,3 +69,9 @@ def __init__(self, status, response):
 
     def __call__(self, *args, **kwargs):
         return self.response
+
+
+class MockGoogleCredential(credentials.Credentials):
+    """A mock Google authentication credential."""
+    def refresh(self, request):
+        self.token = 'mock-token'