Support auth emulator via FIREBASE_AUTH_EMULATOR_HOST

Modeled on firebase/firebase-admin-go#414

Author: muru

firebase_admin/_auth_client.py

@@ -14,6 +14,7 @@
 
 """Firebase auth client sub module."""
 
+import os
 import time
 
 import firebase_admin
@@ -25,6 +26,8 @@
 from firebase_admin import _user_import
 from firebase_admin import _user_mgt
 
+_EMULATOR_HOST_ENV_VAR = 'FIREBASE_AUTH_EMULATOR_HOST'
+_DEFAULT_AUTH_URL = 'https://identitytoolkit.googleapis.com'
 
 class Client:
     """Firebase Authentication client scoped to a specific tenant."""
@@ -36,17 +39,39 @@ def __init__(self, app, tenant_id=None):
             2. set the project ID explicitly via Firebase App options, or
             3. set the project ID via the GOOGLE_CLOUD_PROJECT environment variable.""")
 
-        credential = app.credential.get_credential()
+        credential = None
         version_header = 'Python/Admin/{0}'.format(firebase_admin.__version__)
+        http_headers = {'X-Client-Version': version_header}
+        # Fallback to default endpoint URLs if an emulator isn't present.
+        id_toolkit_endpoints = {
+            "v1": None,
+            "v2beta1": None,
+        }
+
+        # If an emulator is present, check that the given value matches the expected format and set endpoint URLs to use
+        # the emulator. Also set a fake authorization token.
+        emulator_host = os.environ.get(_EMULATOR_HOST_ENV_VAR)
+        if emulator_host:
+            if '//' in emulator_host:
+                raise ValueError(
+                    'Invalid {0}: "{1}". It must follow format "host:port".'.format(
+                        _EMULATOR_HOST_ENV_VAR, emulator_host))
+            http_headers["Authorization"] = "Bearer owner"
+            base_url = "http://{0}/identitytoolkit.googleapis.com".format(emulator_host)
+            id_toolkit_endpoints["v1"] = base_url + "/v1"
+            id_toolkit_endpoints["v2beta1"] = base_url + "/v2beta1"
+        else:
+            credential = app.credential.get_credential()
+
         http_client = _http_client.JsonHttpClient(
-            credential=credential, headers={'X-Client-Version': version_header})
+            credential=credential, headers=http_headers)
 
         self._tenant_id = tenant_id
-        self._token_generator = _token_gen.TokenGenerator(app, http_client)
+        self._token_generator = _token_gen.TokenGenerator(app, http_client, id_toolkit_endpoints["v1"])
         self._token_verifier = _token_gen.TokenVerifier(app)
-        self._user_manager = _user_mgt.UserManager(http_client, app.project_id, tenant_id)
+        self._user_manager = _user_mgt.UserManager(http_client, app.project_id, tenant_id, id_toolkit_endpoints["v1"])
         self._provider_manager = _auth_providers.ProviderConfigClient(
-            http_client, app.project_id, tenant_id)
+            http_client, app.project_id, tenant_id, id_toolkit_endpoints["v2beta1"])
 
     @property
     def tenant_id(self):

firebase_admin/_auth_providers.py

@@ -166,9 +166,11 @@ class ProviderConfigClient:
 
     PROVIDER_CONFIG_URL = 'https://identitytoolkit.googleapis.com/v2beta1'
 
-    def __init__(self, http_client, project_id, tenant_id=None):
+    def __init__(self, http_client, project_id, tenant_id=None, provider_config_url=None):
         self.http_client = http_client
-        self.base_url = '{0}/projects/{1}'.format(self.PROVIDER_CONFIG_URL, project_id)
+        if not provider_config_url:
+            provider_config_url = self.PROVIDER_CONFIG_URL
+        self.base_url = '{0}/projects/{1}'.format(provider_config_url, project_id)
         if tenant_id:
             self.base_url += '/tenants/{0}'.format(tenant_id)
 

firebase_admin/_token_gen.py

@@ -84,11 +84,13 @@ class TokenGenerator:
 
     ID_TOOLKIT_URL = 'https://identitytoolkit.googleapis.com/v1'
 
-    def __init__(self, app, http_client):
+    def __init__(self, app, http_client, id_toolkit_url=None):
         self.app = app
         self.http_client = http_client
         self.request = transport.requests.Request()
-        self.base_url = '{0}/projects/{1}'.format(self.ID_TOOLKIT_URL, app.project_id)
+        if not id_toolkit_url:
+            id_toolkit_url = self.ID_TOOLKIT_URL 
+        self.base_url = '{0}/projects/{1}'.format(id_toolkit_url, app.project_id)
         self._signing_provider = None
 
     def _init_signing_provider(self):
@@ -198,7 +200,7 @@ def create_session_cookie(self, id_token, expires_in):
         url = '{0}:createSessionCookie'.format(self.base_url)
         payload = {
             'idToken': id_token,
-            'validDuration': expires_in,
+            'validDuration': str(expires_in),
         }
         try:
             body, http_resp = self.http_client.body_and_response('post', url, json=payload)

firebase_admin/_user_mgt.py

@@ -573,9 +573,11 @@ class UserManager:
 
     ID_TOOLKIT_URL = 'https://identitytoolkit.googleapis.com/v1'
 
-    def __init__(self, http_client, project_id, tenant_id=None):
+    def __init__(self, http_client, project_id, tenant_id=None, id_toolkit_url=None):
         self.http_client = http_client
-        self.base_url = '{0}/projects/{1}'.format(self.ID_TOOLKIT_URL, project_id)
+        if not id_toolkit_url:
+            id_toolkit_url = self.ID_TOOLKIT_URL
+        self.base_url = '{0}/projects/{1}'.format(id_toolkit_url, project_id)
         if tenant_id:
             self.base_url += '/tenants/{0}'.format(tenant_id)