Add App Check token to FirebaseServerApp

.changeset/kind-pets-sin.md

@@ -0,0 +1,13 @@
+---
+'@firebase/app': minor
+'firebase': minor
+'@firebase/data-connect': patch
+'@firebase/firestore': patch
+'@firebase/functions': patch
+'@firebase/database': patch
+'@firebase/vertexai': patch
+'@firebase/storage': patch
+'@firebase/auth': patch
+---
+
+FirebaseServerApp may now be initalized with an App Check which will be used by SDKs in lieu of initializing an instance of App Check to get the current token. This should unblock the use of App Check enforced products in SSR environments.

common/api-review/app.api.md

@@ -79,6 +79,7 @@ export interface FirebaseServerApp extends FirebaseApp {
 
 // @public
 export interface FirebaseServerAppSettings extends Omit<FirebaseAppSettings, 'name'> {
+    appCheckToken?: string;
     authIdToken?: string;
     releaseOnDeref?: object;
 }

docs-devsite/app.firebaseserverappsettings.md

@@ -23,9 +23,20 @@ export interface FirebaseServerAppSettings extends Omit<FirebaseAppSettings, 'na
 
 |  Property | Type | Description |
 |  --- | --- | --- |
+|  [appCheckToken](./app.firebaseserverappsettings.md#firebaseserverappsettingsappchecktoken) | string | An optional App Check token. If provided, the Firebase SDKs that use App Check will utilizze this App Check token in lieu of requiring an instance of App Check to be initialized. |
 |  [authIdToken](./app.firebaseserverappsettings.md#firebaseserverappsettingsauthidtoken) | string | An optional Auth ID token used to resume a signed in user session from a client runtime environment.<!-- -->Invoking <code>getAuth</code> with a <code>FirebaseServerApp</code> configured with a validated <code>authIdToken</code> causes an automatic attempt to sign in the user that the <code>authIdToken</code> represents. The token needs to have been recently minted for this operation to succeed.<!-- -->If the token fails local verification, or if the Auth service has failed to validate it when the Auth SDK is initialized, then a warning is logged to the console and the Auth SDK will not sign in a user on initialization.<!-- -->If a user is successfully signed in, then the Auth instance's <code>onAuthStateChanged</code> callback is invoked with the <code>User</code> object as per standard Auth flows. However, <code>User</code> objects created via an <code>authIdToken</code> do not have a refresh token. Attempted <code>refreshToken</code> operations fail. |
 |  [releaseOnDeref](./app.firebaseserverappsettings.md#firebaseserverappsettingsreleaseonderef) | object | An optional object. If provided, the Firebase SDK uses a <code>FinalizationRegistry</code> object to monitor the garbage collection status of the provided object. The Firebase SDK releases its reference on the <code>FirebaseServerApp</code> instance when the provided <code>releaseOnDeref</code> object is garbage collected.<!-- -->You can use this field to reduce memory management overhead for your application. If provided, an app running in a SSR pass does not need to perform <code>FirebaseServerApp</code> cleanup, so long as the reference object is deleted (by falling out of SSR scope, for instance.)<!-- -->If an object is not provided then the application must clean up the <code>FirebaseServerApp</code> instance by invoking <code>deleteApp</code>.<!-- -->If the application provides an object in this parameter, but the application is executed in a JavaScript engine that predates the support of <code>FinalizationRegistry</code> (introduced in node v14.6.0, for instance), then an error is thrown at <code>FirebaseServerApp</code> initialization. |
 
+## FirebaseServerAppSettings.appCheckToken
+
+An optional App Check token. If provided, the Firebase SDKs that use App Check will utilizze this App Check token in lieu of requiring an instance of App Check to be initialized.
+
+<b>Signature:</b>
+
+```typescript
+appCheckToken?: string;
+```
+
 ## FirebaseServerAppSettings.authIdToken
 
 An optional Auth ID token used to resume a signed in user session from a client runtime environment.

packages/app/src/errors.ts

@@ -31,7 +31,9 @@ export const enum AppError {
   IDB_WRITE = 'idb-set',
   IDB_DELETE = 'idb-delete',
   FINALIZATION_REGISTRY_NOT_SUPPORTED = 'finalization-registry-not-supported',
-  INVALID_SERVER_APP_ENVIRONMENT = 'invalid-server-app-environment'
+  INVALID_SERVER_APP_ENVIRONMENT = 'invalid-server-app-environment',
+  INVALID_SERVER_APP_TOKEN_FORMAT = 'invalid-server-app-token-format',
+  SERVER_APP_TOKEN_EXPIRED = 'server-app-token-expired'
 }
 
 const ERRORS: ErrorMap<AppError> = {
@@ -61,7 +63,11 @@ const ERRORS: ErrorMap<AppError> = {
   [AppError.FINALIZATION_REGISTRY_NOT_SUPPORTED]:
     'FirebaseServerApp deleteOnDeref field defined but the JS runtime does not support FinalizationRegistry.',
   [AppError.INVALID_SERVER_APP_ENVIRONMENT]:
-    'FirebaseServerApp is not for use in browser environments.'
+    'FirebaseServerApp is not for use in browser environments.',
+  [AppError.INVALID_SERVER_APP_TOKEN_FORMAT]:
+    'FirebaseServerApp {$tokenName} could not be parsed.',
+  [AppError.SERVER_APP_TOKEN_EXPIRED]:
+    'FirebaseServerApp {$tokenName} could not be parsed.'
 };
 
 interface ErrorParams {
@@ -75,6 +81,8 @@ interface ErrorParams {
   [AppError.IDB_WRITE]: { originalErrorMessage?: string };
   [AppError.IDB_DELETE]: { originalErrorMessage?: string };
   [AppError.FINALIZATION_REGISTRY_NOT_SUPPORTED]: { appName?: string };
+  [AppError.INVALID_SERVER_APP_TOKEN_FORMAT]: { tokenName: string };
+  [AppError.SERVER_APP_TOKEN_EXPIRED]: { tokenName: string };
 }
 
 export const ERROR_FACTORY = new ErrorFactory<AppError, ErrorParams>(

packages/app/src/firebaseServerApp.test.ts

@@ -20,6 +20,21 @@ import '../test/setup';
 import { ComponentContainer } from '@firebase/component';
 import { FirebaseServerAppImpl } from './firebaseServerApp';
 import { FirebaseServerAppSettings } from './public-types';
+import { base64Encode } from '@firebase/util';
+
+const BASE64_DUMMY = base64Encode('dummystrings'); // encodes to ZHVtbXlzdHJpbmdz
+
+// Creates a three part dummy token with an expiration claim in the second part. The expration
+// time is based on the date offset provided.
+function createServerAppTokenWithOffset(daysOffset: number): string {
+  const timeInSeconds = Math.trunc(
+    new Date().setDate(new Date().getDate() + daysOffset) / 1000
+  );
+  const secondPart = JSON.stringify({ exp: timeInSeconds });
+  const token =
+    BASE64_DUMMY + '.' + base64Encode(secondPart) + '.' + BASE64_DUMMY;
+  return token;
+}
 
 describe('FirebaseServerApp', () => {
   it('has various accessors', () => {
@@ -155,4 +170,145 @@ describe('FirebaseServerApp', () => {
 
     expect(JSON.stringify(app)).to.eql(undefined);
   });
+
+  it('accepts a valid authIdToken expiration', () => {
+    const options = { apiKey: 'APIKEY' };
+    const authIdToken = createServerAppTokenWithOffset(/*daysOffset=*/ 1);
+    const serverAppSettings: FirebaseServerAppSettings = {
+      automaticDataCollectionEnabled: false,
+      releaseOnDeref: options,
+      authIdToken
+    };
+    let encounteredError = false;
+    try {
+      new FirebaseServerAppImpl(
+        options,
+        serverAppSettings,
+        'testName',
+        new ComponentContainer('test')
+      );
+    } catch (e) {
+      encounteredError = true;
+    }
+    expect(encounteredError).to.be.false;
+  });
+
+  it('throws when authIdToken has expired', () => {
+    const options = { apiKey: 'APIKEY' };
+    const authIdToken = createServerAppTokenWithOffset(/*daysOffset=*/ -1);
+    const serverAppSettings: FirebaseServerAppSettings = {
+      automaticDataCollectionEnabled: false,
+      releaseOnDeref: options,
+      authIdToken
+    };
+    let encounteredError = false;
+    try {
+      new FirebaseServerAppImpl(
+        options,
+        serverAppSettings,
+        'testName',
+        new ComponentContainer('test')
+      );
+    } catch (e) {
+      encounteredError = true;
+      expect((e as Error).toString()).to.contain(
+        'app/server-app-token-expired'
+      );
+    }
+    expect(encounteredError).to.be.true;
+  });
+
+  it('throws when authIdToken has too few parts', () => {
+    const options = { apiKey: 'APIKEY' };
+    const authIdToken = 'blah';
+    const serverAppSettings: FirebaseServerAppSettings = {
+      automaticDataCollectionEnabled: false,
+      releaseOnDeref: options,
+      authIdToken: base64Encode(authIdToken)
+    };
+    let encounteredError = false;
+    try {
+      new FirebaseServerAppImpl(
+        options,
+        serverAppSettings,
+        'testName',
+        new ComponentContainer('test')
+      );
+    } catch (e) {
+      encounteredError = true;
+    }
+    expect(encounteredError).to.be.true;
+  });
+
+  it('accepts a valid appCheckToken expiration', () => {
+    const options = { apiKey: 'APIKEY' };
+    const appCheckToken = createServerAppTokenWithOffset(/*daysOffset=*/ 1);
+    const serverAppSettings: FirebaseServerAppSettings = {
+      automaticDataCollectionEnabled: false,
+      releaseOnDeref: options,
+      appCheckToken
+    };
+    let encounteredError = false;
+    try {
+      new FirebaseServerAppImpl(
+        options,
+        serverAppSettings,
+        'testName',
+        new ComponentContainer('test')
+      );
+    } catch (e) {
+      encounteredError = true;
+    }
+    expect(encounteredError).to.be.false;
+  });
+
+  it('throws when appCheckToken has expired', () => {
+    const options = { apiKey: 'APIKEY' };
+    const appCheckToken = createServerAppTokenWithOffset(/*daysOffset=*/ -1);
+    const serverAppSettings: FirebaseServerAppSettings = {
+      automaticDataCollectionEnabled: false,
+      releaseOnDeref: options,
+      appCheckToken
+    };
+    let encounteredError = false;
+    try {
+      new FirebaseServerAppImpl(
+        options,
+        serverAppSettings,
+        'testName',
+        new ComponentContainer('test')
+      );
+    } catch (e) {
+      encounteredError = true;
+      expect((e as Error).toString()).to.contain(
+        'app/server-app-token-expired'
+      );
+    }
+    expect(encounteredError).to.be.true;
+  });
+
+  it('throws when appCheckToken has too few parts', () => {
+    const options = { apiKey: 'APIKEY' };
+    const appCheckToken = 'blah';
+    const serverAppSettings: FirebaseServerAppSettings = {
+      automaticDataCollectionEnabled: false,
+      releaseOnDeref: options,
+      appCheckToken: base64Encode(appCheckToken)
+    };
+    let encounteredError = false;
+    try {
+      new FirebaseServerAppImpl(
+        options,
+        serverAppSettings,
+        'testName',
+        new ComponentContainer('test')
+      );
+    } catch (e) {
+      encounteredError = true;
+      //expect((e as Error).toString()).to.contain(
+      //  'Unexpected end of JSON input'
+      //);
+    }
+    expect(encounteredError).to.be.true;
+  });
 });

packages/app/src/firebaseServerApp.ts

@@ -26,6 +26,33 @@ import { ComponentContainer } from '@firebase/component';
 import { FirebaseAppImpl } from './firebaseApp';
 import { ERROR_FACTORY, AppError } from './errors';
 import { name as packageName, version } from '../package.json';
+import { base64Decode } from '@firebase/util';
+
+// Parse the token and check to see if the `exp` claim is in the future.
+// Throws an error if the token or claim could not be parsed, or if `exp` is in the past.
+function validateTokenTTL(base64Token: string, tokenName: string): void {
+  const secondPart = base64Decode(base64Token.split('.')[1]);
+  if (secondPart === null) {
+    throw ERROR_FACTORY.create(AppError.INVALID_SERVER_APP_TOKEN_FORMAT, {
+      tokenName
+    });
+  }
+  const expClaim = JSON.parse(secondPart).exp;
+  if (expClaim === undefined) {
+    throw ERROR_FACTORY.create(AppError.INVALID_SERVER_APP_TOKEN_FORMAT, {
+      tokenName
+    });
+  }
+  const exp = JSON.parse(secondPart).exp * 1000;
+  const now = new Date().getTime();
+  // const now = new Date(new Date().getDate() - 1).now()
+  const diff = exp - now;
+  if (diff <= 0) {
+    throw ERROR_FACTORY.create(AppError.SERVER_APP_TOKEN_EXPIRED, {
+      tokenName
+    });
+  }
+}
 
 export class FirebaseServerAppImpl
   extends FirebaseAppImpl
@@ -67,6 +94,16 @@ export class FirebaseServerAppImpl
       ...serverConfig
     };
 
+    // Validate the authIdtoken validation window.
+    if (this._serverConfig.authIdToken) {
+      validateTokenTTL(this._serverConfig.authIdToken, 'authIdToken');
+    }
+
+    // Validate the appCheckToken validation window.
+    if (this._serverConfig.appCheckToken) {
+      validateTokenTTL(this._serverConfig.appCheckToken, 'appCheckToken');
+    }
+
     this._finalizationRegistry = null;
     if (typeof FinalizationRegistry !== 'undefined') {
       this._finalizationRegistry = new FinalizationRegistry(() => {

packages/app/src/public-types.ts

@@ -196,6 +196,12 @@ export interface FirebaseServerAppSettings
    */
   authIdToken?: string;
 
+  /**
+   * An optional App Check token. If provided, the Firebase SDKs that use App Check will utilizze
+   * this App Check token in lieu of requiring an instance of App Check to be initialized.
+   */
+  appCheckToken?: string;
+
   /**
    * An optional object. If provided, the Firebase SDK uses a `FinalizationRegistry`
    * object to monitor the garbage collection status of the provided object. The

packages/auth/src/core/auth/auth_impl.ts

@@ -845,6 +845,9 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
   }
 
   async _getAppCheckToken(): Promise<string | undefined> {
+    if (_isFirebaseServerApp(this.app) && this.app.settings.appCheckToken) {
+      return this.app.settings.appCheckToken;
+    }
     const appCheckTokenResult = await this.appCheckServiceProvider
       .getImmediate({ optional: true })
       ?.getToken();

packages/auth/test/integration/flows/firebaseserverapp.test.ts

@@ -166,37 +166,6 @@ describe('Integration test: Auth FirebaseServerApp tests', () => {
     await deleteApp(serverApp);
   });
 
-  it('invalid token does not sign in user', async () => {
-    if (isBrowser()) {
-      return;
-    }
-    const authIdToken = '{ invalid token }';
-    const firebaseServerAppSettings = { authIdToken };
-
-    const serverApp = initializeServerApp(
-      getAppConfig(),
-      firebaseServerAppSettings
-    );
-    const serverAppAuth = getTestInstanceForServerApp(serverApp);
-    expect(serverAppAuth.currentUser).to.be.null;
-
-    let numberServerLogins = 0;
-    onAuthStateChanged(serverAppAuth, serverAuthUser => {
-      if (serverAuthUser) {
-        numberServerLogins++;
-      }
-    });
-
-    await new Promise(resolve => {
-      setTimeout(resolve, signInWaitDuration);
-    });
-
-    expect(numberServerLogins).to.equal(0);
-    expect(serverAppAuth.currentUser).to.be.null;
-
-    await deleteApp(serverApp);
-  });
-
   it('signs in with email credentials user', async () => {
     if (isBrowser()) {
       return;

packages/data-connect/src/api/DataConnect.ts

@@ -92,7 +92,7 @@ export class DataConnect {
   private _transportOptions?: TransportOptions;
   private _authTokenProvider?: AuthTokenProvider;
   _isUsingGeneratedSdk: boolean = false;
-  private _appCheckTokenProvider?: AppCheckTokenProvider;
+  private _appCheckTokenProvider: AppCheckTokenProvider;
   // @internal
   constructor(
     public readonly app: FirebaseApp,
@@ -149,12 +149,10 @@ export class DataConnect {
         this._authProvider
       );
     }
-    if (this._appCheckProvider) {
-      this._appCheckTokenProvider = new AppCheckTokenProvider(
-        this.app.name,
-        this._appCheckProvider
-      );
-    }
+    this._appCheckTokenProvider = new AppCheckTokenProvider(
+      this.app,
+      this._appCheckProvider
+    );
 
     this._initialized = true;
     this._transport = new this._transportClass(