Support configuration of credentials with a config array (#202)

clemblanco · web-flow · commit 25f3214a48a0 · 2023-10-05T17:48:58.000+02:00
diff --git a/README.md b/README.md
@@ -21,6 +21,8 @@ Please read about the future of the Firebase Admin PHP SDK on the
 - [Installation](#installation)
   - [Laravel](#laravel)
 - [Configuration](#configuration)
+  - [Credentials with JSON files](#credentials-with-json-files)
+  - [Credentials with Arrays](#credentials-with-arrays)
 - [Usage](#usage)
   - [Multiple projects](#multiple-projects)
 - [Supported Versions](#supported-versions)
@@ -37,12 +39,6 @@ composer require kreait/laravel-firebase
 In order to access a Firebase project and its related services using a server SDK, requests must be authenticated.
 For server-to-server communication this is done with a Service Account.
 
-The package uses auto discovery for the default project to find the credentials needed for authenticating requests to
-the Firebase APIs by inspecting certain environment variables and looking into Google's well known path(s).
-
-If you don't want a service account to be auto-discovered, provide it by setting the `GOOGLE_APPLICATION_CREDENTIALS`
-environment variable or by adapting the package configuration.
-
 If you don't already have generated a Service Account, you can do so by following the instructions from the
 official documentation pages at https://firebase.google.com/docs/admin/setup#initialize_the_sdk.
 
@@ -64,6 +60,37 @@ by copying it to your local `config` directory or by defining the environment va
 php artisan vendor:publish --provider="Kreait\Laravel\Firebase\ServiceProvider" --tag=config
 ```
 
+### Credentials with JSON files
+
+The package uses auto discovery for the default project to find the credentials needed for authenticating requests to
+the Firebase APIs by inspecting certain environment variables and looking into Google's well known path(s).
+
+If you don't want a service account to be auto-discovered, provide it by setting the `FIREBASE_CREDENTIALS` or `GOOGLE_APPLICATION_CREDENTIALS` environment variable or by adapting the package configuration, like so for example:
+
+```.env
+FIREBASE_CREDENTIALS=storage/app/firebase-auth.json
+```
+
+### Credentials with Arrays
+
+If you prefer to have more control over the configuration items required to configure the credentials, you can also transpose the Service Account JSON file as an array within your `config/firebase.php` file.
+
+```php
+'credentials' => [
+    'type' => 'service_account',
+    'project_id' => 'some-project-123',
+    'private_key_id' => '123456789',
+    'private_key' => '-----BEGIN PRIVATE KEY-----\nFOO_BAR_123456789\n-----END PRIVATE KEY-----\n',
+    'client_email' => 'firebase-adminsdk-cwiuo@some-project-123.iam.gserviceaccount.com',
+    'client_id' => '123456789',
+    'auth_uri' => 'https://accounts.google.com/o/oauth2/auth',
+    'token_uri' => 'https://oauth2.googleapis.com/token',
+    'auth_provider_x509_cert_url' => 'https://www.googleapis.com/oauth2/v1/certs',
+    'client_x509_cert_url' => 'https://www.googleapis.com/robot/v1/metadata/x509/firebase-adminsdk-cwiuo%40some-project-123.iam.gserviceaccount.com',
+    'universe_domain' => 'googleapis.com',
+],
+```
+
 ## Usage
 
 Once you have retrieved a component, please refer to the [documentation of the Firebase PHP Admin SDK](https://firebase-php.readthedocs.io)
@@ -96,7 +123,7 @@ Earlier versions will receive security fixes as long as their **lowest** SDK req
 can find the currently supported versions and support options in the [SDK's README](https://github.com/kreait/firebase-php).
 
 | Version | Initial Release | Supported SDK Versions | Supported Laravel Versions | Status      |
-|---------|-----------------|------------------------|----------------------------|-------------|
+| ------- | --------------- | ---------------------- | -------------------------- | ----------- |
 | `5.x`   | 13 Jan 2023     | `^7.0`                 | `^9.0`                     | Active      |
 | `4.x`   | 09 Jan 2022     | `^6.0`                 | `^8.0`                     | End of life |
 | `3.x`   | 01 Nov 2020     | `^5.24`                | `^6.0, ^7.0, ^8.0`         | End of life |
diff --git a/config/firebase.php b/config/firebase.php
@@ -46,9 +46,7 @@
              * first time you try to access a component of the Firebase Admin SDK.
              *
              */
-            'credentials' => [
-                'file' => env('FIREBASE_CREDENTIALS', env('GOOGLE_APPLICATION_CREDENTIALS')),
-            ],
+            'credentials' => env('FIREBASE_CREDENTIALS', env('GOOGLE_APPLICATION_CREDENTIALS')),
 
             /*
              * ------------------------------------------------------------------------
@@ -180,9 +178,7 @@
                  */
                 'timeout' => env('FIREBASE_HTTP_CLIENT_TIMEOUT'),
 
-                'guzzle_middlewares' => [
-
-                ]
+                'guzzle_middlewares' => [],
             ],
         ],
     ],
diff --git a/src/FirebaseProjectManager.php b/src/FirebaseProjectManager.php
@@ -47,7 +47,7 @@ protected function configuration(string $name): array
         return $config;
     }
 
-    protected function resolveCredentials(string $credentials): string
+    protected function resolveJsonCredentials(string $credentials): string
     {
         $isJsonString = \str_starts_with($credentials, '{');
         $isAbsoluteLinuxPath = \str_starts_with($credentials, '/');
@@ -68,10 +68,12 @@ protected function configure(string $name): FirebaseProject
             $factory = $factory->withTenantId($tenantId);
         }
 
-        if ($credentials = $config['credentials']['file'] ?? null) {
-            $resolvedCredentials = $this->resolveCredentials((string) $credentials);
+        if ($credentials = $config['credentials']['file'] ?? ($config['credentials'] ?? null)) {
+            if (is_string($credentials)) {
+                $credentials = $this->resolveJsonCredentials($credentials);
+            }
 
-            $factory = $factory->withServiceAccount($resolvedCredentials);
+            $factory = $factory->withServiceAccount($credentials);
         }
 
         if ($databaseUrl = $config['database']['url'] ?? null) {
@@ -97,8 +99,7 @@ protected function configure(string $name): FirebaseProject
 
             $factory = $factory
                 ->withVerifierCache($cache)
-                ->withAuthTokenCache($cache)
-            ;
+                ->withAuthTokenCache($cache);
         }
 
         if ($logChannel = $config['logging']['http_log_channel'] ?? null) {
diff --git a/tests/FirebaseProjectManagerTest.php b/tests/FirebaseProjectManagerTest.php
@@ -19,7 +19,7 @@ final class FirebaseProjectManagerTest extends TestCase
 {
     protected function defineEnvironment($app): void
     {
-        $app['config']->set('firebase.projects.app.credentials.file', __DIR__ . '/_fixtures/service_account.json');
+        $app['config']->set('firebase.projects.app.credentials', __DIR__ . '/_fixtures/service_account.json');
     }
 
     /**
@@ -66,7 +66,28 @@ public function calls_are_passed_to_default_project(): void
     /**
      * @test
      */
-    public function credentials_can_be_configured(): void
+    public function credentials_can_be_configured_using_a_json_file(): void
+    {
+        // Reference credentials
+        $credentialsPath = \realpath(__DIR__ . '/_fixtures/service_account.json');
+        $credentials = \json_decode(\file_get_contents($credentialsPath), true);
+
+        // Set configuration and retrieve project
+        $projectName = 'app';
+        $this->app->config->set('firebase.projects.' . $projectName . '.credentials', \realpath(__DIR__ . '/_fixtures/service_account.json'));
+        $factory = $this->factoryForProject($projectName);
+
+        // Retrieve service account
+        $serviceAccount = $this->getAccessibleProperty($factory, 'serviceAccount')->getValue($factory);
+
+        // Validate value
+        $this->assertSame($credentials, $serviceAccount);
+    }
+
+    /**
+     * @test
+     */
+    public function json_file_credentials_can_be_used_using_the_deprecated_configuration_entry(): void
     {
         // Reference credentials
         $credentialsPath = \realpath(__DIR__ . '/_fixtures/service_account.json');
@@ -84,6 +105,34 @@ public function credentials_can_be_configured(): void
         $this->assertSame($credentials, $serviceAccount);
     }
 
+    /**
+     * @test
+     */
+    public function credentials_can_be_configured_using_an_array(): void
+    {
+        // Set configuration and retrieve project
+        $projectName = 'app';
+        $this->app->config->set('firebase.projects.' . $projectName . '.credentials', $credentials = [
+            'type' => 'service_account',
+            'project_id' => 'project',
+            'private_key_id' => 'private_key_id',
+            'private_key' => '-----BEGIN PRIVATE KEY-----\nsome gibberish\n-----END PRIVATE KEY-----\n',
+            'client_email' => 'client@email.tld',
+            'client_id' => '1234567890',
+            'auth_uri' => 'https://some.google.tld/o/oauth2/auth',
+            'token_uri' => 'https://some.google.tld/o/oauth2/token',
+            'auth_provider_x509_cert_url' => 'https://some.google.tld/oauth2/v1/certs',
+            'client_x509_cert_url' => 'https://some.google.tld/robot/v1/metadata/x509/user%40project.iam.gserviceaccount.com',
+        ]);
+        $factory = $this->factoryForProject($projectName);
+
+        // Retrieve service account
+        $serviceAccount = $this->getAccessibleProperty($factory, 'serviceAccount')->getValue($factory);
+
+        // Validate value
+        $this->assertSame($credentials, $serviceAccount);
+    }
+
     /**
      * @test
      */
@@ -101,8 +150,8 @@ public function projects_can_have_different_credentials(): void
         $secondProjectName = 'another-app';
 
         // Set service accounts explicitly
-        $this->app->config->set('firebase.projects.' . $projectName . '.credentials.file', \realpath(__DIR__ . '/_fixtures/service_account.json'));
-        $this->app->config->set('firebase.projects.' . $secondProjectName . '.credentials.file', \realpath(__DIR__ . '/_fixtures/another_service_account.json'));
+        $this->app->config->set('firebase.projects.' . $projectName . '.credentials', \realpath(__DIR__ . '/_fixtures/service_account.json'));
+        $this->app->config->set('firebase.projects.' . $secondProjectName . '.credentials', \realpath(__DIR__ . '/_fixtures/another_service_account.json'));
 
         // Retrieve factories and service accounts
         $factory = $this->factoryForProject($projectName);
diff --git a/tests/ServiceProviderTest.php b/tests/ServiceProviderTest.php
@@ -16,7 +16,7 @@ final class ServiceProviderTest extends TestCase
      */
     public function it_provides_components(): void
     {
-        $this->app->config->set('firebase.projects.app.credentials.file', \realpath(__DIR__ . '/_fixtures/service_account.json'));
+        $this->app->config->set('firebase.projects.app.credentials', \realpath(__DIR__ . '/_fixtures/service_account.json'));
 
         $this->assertInstanceOf(Firebase\Contract\AppCheck::class, $this->app->make(Firebase\Contract\AppCheck::class));
         $this->assertInstanceOf(Firebase\Contract\Auth::class, $this->app->make(Firebase\Contract\Auth::class));

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ protected function configuration(string $name): array`
`47`	`47`	`return $config;`
`48`	`48`	`}`
`49`	`49`
`50`		`- protected function resolveCredentials(string $credentials): string`
	`50`	`+ protected function resolveJsonCredentials(string $credentials): string`
`51`	`51`	`{`
`52`	`52`	`$isJsonString = \str_starts_with($credentials, '{');`
`53`	`53`	`$isAbsoluteLinuxPath = \str_starts_with($credentials, '/');`
`@@ -68,10 +68,12 @@ protected function configure(string $name): FirebaseProject`
`68`	`68`	`$factory = $factory->withTenantId($tenantId);`
`69`	`69`	`}`
`70`	`70`
`71`		`- if ($credentials = $config['credentials']['file'] ?? null) {`
`72`		`- $resolvedCredentials = $this->resolveCredentials((string) $credentials);`
	`71`	`+ if ($credentials = $config['credentials']['file'] ?? ($config['credentials'] ?? null)) {`
	`72`	`+ if (is_string($credentials)) {`
	`73`	`+ $credentials = $this->resolveJsonCredentials($credentials);`
	`74`	`+ }`
`73`	`75`
`74`		`- $factory = $factory->withServiceAccount($resolvedCredentials);`
	`76`	`+ $factory = $factory->withServiceAccount($credentials);`
`75`	`77`	`}`
`76`	`78`
`77`	`79`	`if ($databaseUrl = $config['database']['url'] ?? null) {`
`@@ -97,8 +99,7 @@ protected function configure(string $name): FirebaseProject`
`97`	`99`
`98`	`100`	`$factory = $factory`
`99`	`101`	`->withVerifierCache($cache)`
`100`		`- ->withAuthTokenCache($cache)`
`101`		`- ;`
	`102`	`+ ->withAuthTokenCache($cache);`
`102`	`103`	`}`
`103`	`104`
`104`	`105`	`if ($logChannel = $config['logging']['http_log_channel'] ?? null) {`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ final class ServiceProviderTest extends TestCase`
`16`	`16`	`*/`
`17`	`17`	`public function it_provides_components(): void`
`18`	`18`	`{`
`19`		`- $this->app->config->set('firebase.projects.app.credentials.file', \realpath(__DIR__ . '/_fixtures/service_account.json'));`
	`19`	`+ $this->app->config->set('firebase.projects.app.credentials', \realpath(__DIR__ . '/_fixtures/service_account.json'));`
`20`	`20`
`21`	`21`	`$this->assertInstanceOf(Firebase\Contract\AppCheck::class, $this->app->make(Firebase\Contract\AppCheck::class));`
`22`	`22`	`$this->assertInstanceOf(Firebase\Contract\Auth::class, $this->app->make(Firebase\Contract\Auth::class));`