Add App Check token to headers of Auth requests

Author: lisajian

.changeset/brave-ducks-relax.md

@@ -0,0 +1,6 @@
+---
+'@firebase/auth': minor
+'@firebase/auth-compat': minor
+---
+
+App Check <> Auth integration

packages/auth-compat/src/auth.test.ts

@@ -24,7 +24,10 @@ import sinonChai from 'sinon-chai';
 import { Auth } from './auth';
 import { CompatPopupRedirectResolver } from './popup_redirect';
 import * as platform from './platform';
-import { FAKE_HEARTBEAT_CONTROLLER_PROVIDER } from '../test/helpers/helpers';
+import {
+  FAKE_APP_CHECK_CONTROLLER_PROVIDER,
+  FAKE_HEARTBEAT_CONTROLLER_PROVIDER
+} from '../test/helpers/helpers';
 
 use(sinonChai);
 
@@ -45,6 +48,7 @@ describe('auth compat', () => {
       underlyingAuth = new exp.AuthImpl(
         app,
         FAKE_HEARTBEAT_CONTROLLER_PROVIDER,
+        FAKE_APP_CHECK_CONTROLLER_PROVIDER,
         {
           apiKey: 'api-key'
         } as exp.ConfigInternal

packages/auth-compat/src/popup_redirect.test.ts

@@ -22,7 +22,10 @@ import * as exp from '@firebase/auth/internal';
 import * as platform from './platform';
 import { CompatPopupRedirectResolver } from './popup_redirect';
 import { FirebaseApp } from '@firebase/app-compat';
-import { FAKE_HEARTBEAT_CONTROLLER_PROVIDER } from '../test/helpers/helpers';
+import {
+  FAKE_APP_CHECK_CONTROLLER_PROVIDER,
+  FAKE_HEARTBEAT_CONTROLLER_PROVIDER
+} from '../test/helpers/helpers';
 
 use(sinonChai);
 
@@ -42,9 +45,14 @@ describe('popup_redirect/CompatPopupRedirectResolver', () => {
   beforeEach(() => {
     compatResolver = new CompatPopupRedirectResolver();
     const app = { options: { apiKey: 'api-key' } } as FirebaseApp;
-    auth = new exp.AuthImpl(app, FAKE_HEARTBEAT_CONTROLLER_PROVIDER, {
-      apiKey: 'api-key'
-    } as exp.ConfigInternal);
+    auth = new exp.AuthImpl(
+      app,
+      FAKE_HEARTBEAT_CONTROLLER_PROVIDER,
+      FAKE_APP_CHECK_CONTROLLER_PROVIDER,
+      {
+        apiKey: 'api-key'
+      } as exp.ConfigInternal
+    );
   });
 
   afterEach(() => {

packages/auth-compat/test/helpers/helpers.ts

@@ -34,6 +34,13 @@ export const FAKE_HEARTBEAT_CONTROLLER_PROVIDER = {
   }
 } as unknown as Provider<'heartbeat'>;
 
+// App Check is fully tested in core auth impl
+export const FAKE_APP_CHECK_CONTROLLER_PROVIDER = {
+  getImmediate(): undefined {
+    return undefined;
+  }
+} as unknown as Provider<'app-check-internal'>;
+
 export function initializeTestInstance(): void {
   firebase.initializeApp(getAppConfig());
   const stub = stubConsoleToSilenceEmulatorWarnings();

packages/auth/src/api/index.ts

@@ -42,7 +42,8 @@ export const enum HttpHeader {
   X_FIREBASE_LOCALE = 'X-Firebase-Locale',
   X_CLIENT_VERSION = 'X-Client-Version',
   X_FIREBASE_GMPID = 'X-Firebase-gmpid',
-  X_FIREBASE_CLIENT = 'X-Firebase-Client'
+  X_FIREBASE_CLIENT = 'X-Firebase-Client',
+  X_FIREBASE_APP_CHECK = 'X-Firebase-AppCheck'
 }
 
 export const enum Endpoint {

packages/auth/src/core/auth/auth_impl.test.ts

@@ -24,6 +24,8 @@ import { FirebaseApp } from '@firebase/app';
 import { FirebaseError } from '@firebase/util';
 
 import {
+  FAKE_APP_CHECK_CONTROLLER,
+  FAKE_APP_CHECK_CONTROLLER_PROVIDER,
   FAKE_HEARTBEAT_CONTROLLER,
   FAKE_HEARTBEAT_CONTROLLER_PROVIDER,
   testAuth,
@@ -62,6 +64,7 @@ describe('core/auth/auth_impl', () => {
     const authImpl = new AuthImpl(
       FAKE_APP,
       FAKE_HEARTBEAT_CONTROLLER_PROVIDER,
+      FAKE_APP_CHECK_CONTROLLER_PROVIDER,
       {
         apiKey: FAKE_APP.options.apiKey!,
         apiHost: DefaultConfig.API_HOST,
@@ -582,6 +585,7 @@ describe('core/auth/auth_impl', () => {
       const authImpl = new AuthImpl(
         FAKE_APP,
         FAKE_HEARTBEAT_CONTROLLER_PROVIDER,
+        FAKE_APP_CHECK_CONTROLLER_PROVIDER,
         {
           apiKey: FAKE_APP.options.apiKey!,
           apiHost: DefaultConfig.API_HOST,
@@ -656,5 +660,33 @@ describe('core/auth/auth_impl', () => {
         'X-Client-Version': 'v'
       });
     });
+
+    it('adds the App Check token if available', async () => {
+      sinon
+        .stub(FAKE_APP_CHECK_CONTROLLER, 'getToken')
+        .returns(Promise.resolve({ token: 'fake-token' }));
+      expect(await auth._getAdditionalHeaders()).to.eql({
+        'X-Client-Version': 'v',
+        'X-Firebase-AppCheck': 'fake-token'
+      });
+    });
+
+    it('does not add the App Check token if none returned', async () => {
+      sinon
+        .stub(FAKE_APP_CHECK_CONTROLLER, 'getToken')
+        .returns(Promise.resolve({ token: '' }));
+      expect(await auth._getAdditionalHeaders()).to.eql({
+        'X-Client-Version': 'v'
+      });
+    });
+
+    it('does not add the App Check token if controller unavailable', async () => {
+      sinon
+        .stub(FAKE_APP_CHECK_CONTROLLER, 'getToken')
+        .returns(undefined as any);
+      expect(await auth._getAdditionalHeaders()).to.eql({
+        'X-Client-Version': 'v'
+      });
+    });
   });
 });

packages/auth/src/core/auth/auth_impl.ts

@@ -17,6 +17,7 @@
 
 import { _FirebaseService, FirebaseApp } from '@firebase/app';
 import { Provider } from '@firebase/component';
+import { AppCheckInternalComponentName } from '@firebase/app-check-interop-types';
 import {
   Auth,
   AuthErrorMap,
@@ -108,6 +109,7 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
   constructor(
     public readonly app: FirebaseApp,
     private readonly heartbeatServiceProvider: Provider<'heartbeat'>,
+    private readonly appCheckServiceProvider: Provider<AppCheckInternalComponentName>,
     public readonly config: ConfigInternal
   ) {
     this.name = app.name;
@@ -645,6 +647,20 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
     if (heartbeatsHeader) {
       headers[HttpHeader.X_FIREBASE_CLIENT] = heartbeatsHeader;
     }
+
+    // If the App Check service exists, add the App Check token in the headers
+    const appCheckTokenResult = await this.appCheckServiceProvider
+      .getImmediate({ optional: true })
+      ?.getToken();
+    // TODO: What do we want to do if there is an error getting the token?
+    // Context: appCheck.getToken() will never throw even if an error happened.
+    // In the error case, a dummy token will be returned along with an error field describing
+    // the error. In general, we shouldn't care about the error condition and just use
+    // the token (actual or dummy) to send requests.
+    if (appCheckTokenResult?.token) {
+      headers[HttpHeader.X_FIREBASE_APP_CHECK] = appCheckTokenResult.token;
+    }
+
     return headers;
   }
 }

packages/auth/src/core/auth/register.ts

@@ -63,36 +63,38 @@ export function registerAuth(clientPlatform: ClientPlatform): void {
         const app = container.getProvider('app').getImmediate()!;
         const heartbeatServiceProvider =
           container.getProvider<'heartbeat'>('heartbeat');
+        const appCheckServiceProvider =
+          container.getProvider<'app-check-internal'>('app-check-internal');
         const { apiKey, authDomain } = app.options;
-        return ((app, heartbeatServiceProvider) => {
-          _assert(
-            apiKey && !apiKey.includes(':'),
-            AuthErrorCode.INVALID_API_KEY,
-            { appName: app.name }
-          );
-          // Auth domain is optional if IdP sign in isn't being used
-          _assert(!authDomain?.includes(':'), AuthErrorCode.ARGUMENT_ERROR, {
-            appName: app.name
-          });
-          const config: ConfigInternal = {
-            apiKey,
-            authDomain,
-            clientPlatform,
-            apiHost: DefaultConfig.API_HOST,
-            tokenApiHost: DefaultConfig.TOKEN_API_HOST,
-            apiScheme: DefaultConfig.API_SCHEME,
-            sdkClientVersion: _getClientVersion(clientPlatform)
-          };
 
-          const authInstance = new AuthImpl(
-            app,
-            heartbeatServiceProvider,
-            config
-          );
-          _initializeAuthInstance(authInstance, deps);
+        _assert(
+          apiKey && !apiKey.includes(':'),
+          AuthErrorCode.INVALID_API_KEY,
+          { appName: app.name }
+        );
+        // Auth domain is optional if IdP sign in isn't being used
+        _assert(!authDomain?.includes(':'), AuthErrorCode.ARGUMENT_ERROR, {
+          appName: app.name
+        });
+        const config: ConfigInternal = {
+          apiKey,
+          authDomain,
+          clientPlatform,
+          apiHost: DefaultConfig.API_HOST,
+          tokenApiHost: DefaultConfig.TOKEN_API_HOST,
+          apiScheme: DefaultConfig.API_SCHEME,
+          sdkClientVersion: _getClientVersion(clientPlatform)
+        };
+
+        const authInstance = new AuthImpl(
+          app,
+          heartbeatServiceProvider,
+          appCheckServiceProvider,
+          config
+        );
+        _initializeAuthInstance(authInstance, deps);
 
-          return authInstance;
-        })(app, heartbeatServiceProvider);
+        return authInstance;
       },
       ComponentType.PUBLIC
     )

packages/auth/src/platform_browser/auth.test.ts

@@ -29,6 +29,7 @@ import {
 import { OperationType } from '../model/enums';
 
 import {
+  FAKE_APP_CHECK_CONTROLLER_PROVIDER,
   FAKE_HEARTBEAT_CONTROLLER_PROVIDER,
   testAuth,
   testUser
@@ -73,6 +74,7 @@ describe('core/auth/auth_impl', () => {
     const authImpl = new AuthImpl(
       FAKE_APP,
       FAKE_HEARTBEAT_CONTROLLER_PROVIDER,
+      FAKE_APP_CHECK_CONTROLLER_PROVIDER,
       {
         apiKey: FAKE_APP.options.apiKey!,
         apiHost: DefaultConfig.API_HOST,
@@ -141,15 +143,20 @@ describe('core/auth/initializeAuth', () => {
       authDomain = FAKE_APP.options.authDomain,
       blockMiddleware = false
     ): Promise<Auth> {
-      const auth = new AuthImpl(FAKE_APP, FAKE_HEARTBEAT_CONTROLLER_PROVIDER, {
-        apiKey: FAKE_APP.options.apiKey!,
-        apiHost: DefaultConfig.API_HOST,
-        apiScheme: DefaultConfig.API_SCHEME,
-        tokenApiHost: DefaultConfig.TOKEN_API_HOST,
-        authDomain,
-        clientPlatform: ClientPlatform.BROWSER,
-        sdkClientVersion: _getClientVersion(ClientPlatform.BROWSER)
-      });
+      const auth = new AuthImpl(
+        FAKE_APP,
+        FAKE_HEARTBEAT_CONTROLLER_PROVIDER,
+        FAKE_APP_CHECK_CONTROLLER_PROVIDER,
+        {
+          apiKey: FAKE_APP.options.apiKey!,
+          apiHost: DefaultConfig.API_HOST,
+          apiScheme: DefaultConfig.API_SCHEME,
+          tokenApiHost: DefaultConfig.TOKEN_API_HOST,
+          authDomain,
+          clientPlatform: ClientPlatform.BROWSER,
+          sdkClientVersion: _getClientVersion(ClientPlatform.BROWSER)
+        }
+      );
 
       _initializeAuthInstance(auth, {
         persistence,
@@ -378,6 +385,7 @@ describe('core/auth/initializeAuth', () => {
         const auth = new AuthImpl(
           FAKE_APP,
           FAKE_HEARTBEAT_CONTROLLER_PROVIDER,
+          FAKE_APP_CHECK_CONTROLLER_PROVIDER,
           {
             apiKey: FAKE_APP.options.apiKey!,
             apiHost: DefaultConfig.API_HOST,

packages/auth/test/helpers/mock_auth.ts

@@ -17,6 +17,7 @@
 
 import { FirebaseApp } from '@firebase/app';
 import { Provider } from '@firebase/component';
+import { AppCheckTokenResult } from '@firebase/app-check-interop-types';
 import { PopupRedirectResolver } from '../../src/model/public_types';
 import { debugErrorMap } from '../../src';
 
@@ -55,6 +56,19 @@ export const FAKE_HEARTBEAT_CONTROLLER_PROVIDER: Provider<'heartbeat'> = {
   }
 } as unknown as Provider<'heartbeat'>;
 
+export const FAKE_APP_CHECK_CONTROLLER = {
+  getToken: async () => {
+    return { token: '' } as AppCheckTokenResult;
+  }
+};
+
+export const FAKE_APP_CHECK_CONTROLLER_PROVIDER: Provider<'app-check-internal'> =
+  {
+    getImmediate(): typeof FAKE_APP_CHECK_CONTROLLER {
+      return FAKE_APP_CHECK_CONTROLLER;
+    }
+  } as unknown as Provider<'app-check-internal'>;
+
 export class MockPersistenceLayer extends InMemoryPersistence {
   lastObjectSet: PersistedBlob | null = null;
 
@@ -77,6 +91,7 @@ export async function testAuth(
   const auth: TestAuth = new AuthImpl(
     FAKE_APP,
     FAKE_HEARTBEAT_CONTROLLER_PROVIDER,
+    FAKE_APP_CHECK_CONTROLLER_PROVIDER,
     {
       apiKey: TEST_KEY,
       authDomain: TEST_AUTH_DOMAIN,