[ServerApp] Update feature branch Auth implementation to use the authIdToken (#7944)

Add support for logging-in users with the FirebaseServerApp's authIdToken.

### Testing

Local project testing client-side created users, passing idTokens to serverApps, and logging in the user. Tested with multiple users and multiple instances of FirebaseServerApps w/ Auth.

CI tests (added integration tests).

### API Changes

N/A

Author: DellaBitta

common/api-review/app.api.md

@@ -77,6 +77,7 @@ export interface FirebaseServerApp extends FirebaseApp {
     authIdTokenVerified: () => Promise<void>;
     installationTokenVerified: () => Promise<void>;
     name: string;
+    readonly settings: FirebaseServerAppSettings;
 }
 
 // @public
@@ -119,6 +120,9 @@ export function initializeServerApp(options: FirebaseOptions | FirebaseApp, conf
 // @internal (undocumented)
 export function _isFirebaseApp(obj: FirebaseApp | FirebaseOptions): obj is FirebaseApp;
 
+// @internal (undocumented)
+export function _isFirebaseServerApp(obj: FirebaseApp | FirebaseServerApp): obj is FirebaseServerApp;
+
 // @public
 export function onLog(logCallback: LogCallback | null, options?: LogOptions): void;
 

docs-devsite/app.firebaseserverapp.md

@@ -29,6 +29,7 @@ export interface FirebaseServerApp extends FirebaseApp
 |  [authIdTokenVerified](./app.firebaseserverapp.md#firebaseserverappauthidtokenverified) | () =&gt; Promise&lt;void&gt; | Checks to see if the verification of the authIdToken provided to  has completed.<!-- -->It is recommend that your application awaits this promise if an authIdToken was provided during FirebaseServerApp initialization before invoking getAuth(). If an instance of Auth is created before the Auth ID Token is validated, then the token will not be used by that instance of the Auth SDK.<!-- -->The returned Promise is completed immediately if the optional authIdToken parameter was omitted from FirebaseServerApp initialization. |
 |  [installationTokenVerified](./app.firebaseserverapp.md#firebaseserverappinstallationtokenverified) | () =&gt; Promise&lt;void&gt; | Checks to see if the verification of the installationToken provided to  has completed.<!-- -->It is recommend that your application awaits this promise before initializing any Firebase products that use Firebase Installations. The Firebase SDKs will not use Installation Auth tokens that are determined to be invalid or those that have not yet completed validation.<!-- -->The returned Promise is completed immediately if the optional appCheckToken parameter was omitted from FirebaseServerApp initialization. |
 |  [name](./app.firebaseserverapp.md#firebaseserverappname) | string | There is no get for FirebaseServerApp, so the name is not relevant. However, it's declared here so that FirebaseServerApp conforms to the FirebaseApp interface declaration. Internally this string will always be empty for FirebaseServerApp instances. |
+|  [settings](./app.firebaseserverapp.md#firebaseserverappsettings) | [FirebaseServerAppSettings](./app.firebaseserverappsettings.md#firebaseserverappsettings_interface) | The (read-only) configuration settings for this server app. These are the original parameters given in [initializeServerApp()](./app.md#initializeserverapp_30ab697)<!-- -->. |
 
 ## FirebaseServerApp.appCheckTokenVerified
 
@@ -81,3 +82,23 @@ There is no get for FirebaseServerApp, so the name is not relevant. However, it'
 ```typescript
 name: string;
 ```
+
+## FirebaseServerApp.settings
+
+The (read-only) configuration settings for this server app. These are the original parameters given in [initializeServerApp()](./app.md#initializeserverapp_30ab697)<!-- -->.
+
+<b>Signature:</b>
+
+```typescript
+readonly settings: FirebaseServerAppSettings;
+```
+
+### Example
+
+
+```javascript
+const app = initializeServerApp(settings);
+console.log(app.settings.authIdToken === options.authIdToken);  // true
+
+```
+

packages/app/src/firebaseServerApp.ts

@@ -83,7 +83,7 @@ export class FirebaseServerAppImpl
     void deleteApp(serverApp);
   }
 
-  get serverAppConfig(): FirebaseServerAppSettings {
+  get settings(): FirebaseServerAppSettings {
     this.checkDestroyed();
     return this._serverConfig;
   }

packages/app/src/internal.ts

@@ -155,6 +155,20 @@ export function _isFirebaseApp(
   return (obj as FirebaseApp).options !== undefined;
 }
 
+/**
+ *
+ * @param obj - an object of type FirebaseApp.
+ *
+ * @returns true if the provided object is of type FirebaseServerAppImpl.
+ *
+ * @internal
+ */
+export function _isFirebaseServerApp(
+  obj: FirebaseApp | FirebaseServerApp
+): obj is FirebaseServerApp {
+  return (obj as FirebaseServerApp).authIdTokenVerified !== undefined;
+}
+
 /**
  * Test only
  *

packages/app/src/public-types.ts

@@ -132,6 +132,18 @@ export interface FirebaseServerApp extends FirebaseApp {
    * string will always be empty for FirebaseServerApp instances.
    */
   name: string;
+
+  /**
+   * The (read-only) configuration settings for this server app. These are the original
+   * parameters given in {@link (initializeServerApp:1) | initializeServerApp()}.
+   *
+   * @example
+   * ```javascript
+   * const app = initializeServerApp(settings);
+   * console.log(app.settings.authIdToken === options.authIdToken);  // true
+   * ```
+   */
+  readonly settings: FirebaseServerAppSettings;
 }
 
 /**

packages/auth/karma.conf.js

@@ -65,7 +65,8 @@ function getTestFiles(argv) {
       'src/**/*.test.ts',
       'test/helpers/**/*.test.ts',
       'test/integration/flows/anonymous.test.ts',
-      'test/integration/flows/email.test.ts'
+      'test/integration/flows/email.test.ts',
+      'test/integration/flows/firebaseserverapp.test.ts'
     ];
   }
 }

packages/auth/scripts/run_node_tests.ts

@@ -48,7 +48,9 @@ let testConfig = [
 ];
 
 if (argv.integration) {
-  testConfig = ['test/integration/flows/{email,anonymous}.test.ts'];
+  testConfig = [
+    'test/integration/flows/{email,anonymous,firebaseserverapp}.test.ts'
+  ];
   if (argv.local) {
     testConfig.push('test/integration/flows/*.local.test.ts');
   }

packages/auth/src/core/auth/auth_impl.ts

@@ -15,7 +15,11 @@
  * limitations under the License.
  */
 
-import { _FirebaseService, FirebaseApp } from '@firebase/app';
+import {
+  _isFirebaseServerApp,
+  _FirebaseService,
+  FirebaseApp
+} from '@firebase/app';
 import { Provider } from '@firebase/component';
 import { AppCheckInternalComponentName } from '@firebase/app-check-interop-types';
 import {
@@ -167,7 +171,11 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
         }
       }
 
-      await this.initializeCurrentUser(popupRedirectResolver);
+      // Skip loading users from persistence in FirebaseServerApp Auth instances.
+      if (!_isFirebaseServerApp(this.app)) {
+        await this.initializeCurrentUser(popupRedirectResolver);
+      }
+
       this.lastNotifiedUid = this.currentUser?.uid || null;
 
       if (this._deleted) {

packages/auth/src/core/auth/initialize.ts

@@ -15,15 +15,17 @@
  * limitations under the License.
  */
 
-import { _getProvider, FirebaseApp } from '@firebase/app';
+import { _getProvider, _isFirebaseServerApp, FirebaseApp } from '@firebase/app';
 import { deepEqual } from '@firebase/util';
 import { Auth, Dependencies } from '../../model/public_types';
 
 import { AuthErrorCode } from '../errors';
 import { PersistenceInternal } from '../persistence';
 import { _fail } from '../util/assert';
 import { _getInstance } from '../util/instantiator';
-import { AuthImpl } from './auth_impl';
+import { AuthImpl, _castAuth } from './auth_impl';
+import { UserImpl } from '../user/user_impl';
+import { getAccountInfo } from '../../api/account_management/account';
 
 /**
  * Initializes an {@link Auth} instance with fine-grained control over
@@ -65,9 +67,40 @@ export function initializeAuth(app: FirebaseApp, deps?: Dependencies): Auth {
 
   const auth = provider.initialize({ options: deps }) as AuthImpl;
 
+  if (_isFirebaseServerApp(app)) {
+    if (app.settings.authIdToken !== undefined) {
+      const idToken = app.settings.authIdToken;
+      // Start the auth operation in the next tick to allow a moment for the customer's app to
+      // attach an emulator, if desired.
+      setTimeout(() => void _loadUserFromIdToken(auth, idToken), 0);
+    }
+  }
+
   return auth;
 }
 
+export async function _loadUserFromIdToken(
+  auth: Auth,
+  idToken: string
+): Promise<void> {
+  try {
+    const response = await getAccountInfo(auth, { idToken });
+    const authInternal = _castAuth(auth);
+    await authInternal._initializationPromise;
+    const user = await UserImpl._fromGetAccountInfoResponse(
+      authInternal,
+      response,
+      idToken
+    );
+    await authInternal._updateCurrentUser(user);
+  } catch (err) {
+    console.warn(
+      'FirebaseServerApp could not login user with provided authIdToken: ',
+      err
+    );
+  }
+}
+
 export function _initializeAuthInstance(
   auth: AuthImpl,
   deps?: Dependencies

packages/auth/src/core/user/reload.ts

@@ -102,7 +102,7 @@ function mergeProviderData(
   return [...deduped, ...newData];
 }
 
-function extractProviderData(providers: ProviderUserInfo[]): UserInfo[] {
+export function extractProviderData(providers: ProviderUserInfo[]): UserInfo[] {
   return providers.map(({ providerId, ...provider }) => {
     return {
       providerId,

packages/auth/src/core/user/token_manager.test.ts

@@ -144,8 +144,35 @@ describe('core/user/token_manager', () => {
       });
     });
 
-    it('returns null if the refresh token is missing', async () => {
-      expect(await stsTokenManager.getToken(auth)).to.be.null;
+    it('returns non-null if the refresh token is missing but token still valid', async () => {
+      Object.assign(stsTokenManager, {
+        accessToken: 'token',
+        expirationTime: now + 100_000
+      });
+      const tokens = await stsTokenManager.getToken(auth, false);
+      expect(tokens).to.eql('token');
+    });
+
+    it('throws an error if the refresh token is missing and force refresh is true', async () => {
+      Object.assign(stsTokenManager, {
+        accessToken: 'token',
+        expirationTime: now + 100_000
+      });
+      await expect(stsTokenManager.getToken(auth, true)).to.be.rejectedWith(
+        FirebaseError,
+        "Firebase: The user's credential is no longer valid. The user must sign in again. (auth/user-token-expired)"
+      );
+    });
+
+    it('throws an error if the refresh token is missing and token is no longer valid', async () => {
+      Object.assign(stsTokenManager, {
+        accessToken: 'old-access-token',
+        expirationTime: now - 1
+      });
+      await expect(stsTokenManager.getToken(auth)).to.be.rejectedWith(
+        FirebaseError,
+        "Firebase: The user's credential is no longer valid. The user must sign in again. (auth/user-token-expired)"
+      );
     });
 
     it('throws an error if expired but refresh token is missing', async () => {

packages/auth/src/core/user/token_manager.ts

@@ -73,20 +73,22 @@ export class StsTokenManager {
     );
   }
 
+  updateFromIdToken(idToken: string): void {
+    _assert(idToken.length !== 0, AuthErrorCode.INTERNAL_ERROR);
+    const expiresIn = _tokenExpiresIn(idToken);
+    this.updateTokensAndExpiration(idToken, null, expiresIn);
+  }
+
   async getToken(
     auth: AuthInternal,
     forceRefresh = false
   ): Promise<string | null> {
-    _assert(
-      !this.accessToken || this.refreshToken,
-      auth,
-      AuthErrorCode.TOKEN_EXPIRED
-    );
-
     if (!forceRefresh && this.accessToken && !this.isExpired) {
       return this.accessToken;
     }
 
+    _assert(this.refreshToken, auth, AuthErrorCode.TOKEN_EXPIRED);
+
     if (this.refreshToken) {
       await this.refresh(auth, this.refreshToken!);
       return this.accessToken;
@@ -113,7 +115,7 @@ export class StsTokenManager {
 
   private updateTokensAndExpiration(
     accessToken: string,
-    refreshToken: string,
+    refreshToken: string | null,
     expiresInSec: number
   ): void {
     this.refreshToken = refreshToken || null;

packages/auth/src/core/user/user_impl.ts

@@ -15,11 +15,11 @@
  * limitations under the License.
  */
 
-import { IdTokenResult } from '../../model/public_types';
+import { IdTokenResult, UserInfo } from '../../model/public_types';
 import { NextFn } from '@firebase/util';
-
 import {
   APIUserInfo,
+  GetAccountInfoResponse,
   deleteAccount
 } from '../../api/account_management/account';
 import { FinalizeMfaResponse } from '../../api/authentication/mfa';
@@ -36,7 +36,7 @@ import { _assert } from '../util/assert';
 import { getIdTokenResult } from './id_token_result';
 import { _logoutIfInvalidated } from './invalidation';
 import { ProactiveRefresh } from './proactive_refresh';
-import { _reloadWithoutSaving, reload } from './reload';
+import { extractProviderData, _reloadWithoutSaving, reload } from './reload';
 import { StsTokenManager } from './token_manager';
 import { UserMetadata } from './user_metadata';
 import { ProviderId } from '../../model/enums';
@@ -333,4 +333,59 @@ export class UserImpl implements UserInternal {
     await _reloadWithoutSaving(user);
     return user;
   }
+
+  /**
+   * Initialize a User from an idToken server response
+   * @param auth
+   * @param idTokenResponse
+   */
+  static async _fromGetAccountInfoResponse(
+    auth: AuthInternal,
+    response: GetAccountInfoResponse,
+    idToken: string
+  ): Promise<UserInternal> {
+    const coreAccount = response.users[0];
+    _assert(coreAccount.localId !== undefined, AuthErrorCode.INTERNAL_ERROR);
+
+    const providerData: UserInfo[] =
+      coreAccount.providerUserInfo !== undefined
+        ? extractProviderData(coreAccount.providerUserInfo)
+        : [];
+
+    const isAnonymous =
+      !(coreAccount.email && coreAccount.passwordHash) && !providerData?.length;
+
+    const stsTokenManager = new StsTokenManager();
+    stsTokenManager.updateFromIdToken(idToken);
+
+    // Initialize the Firebase Auth user.
+    const user = new UserImpl({
+      uid: coreAccount.localId,
+      auth,
+      stsTokenManager,
+      isAnonymous
+    });
+
+    // update the user with data from the GetAccountInfo response.
+    const updates: Partial<UserInternal> = {
+      uid: coreAccount.localId,
+      displayName: coreAccount.displayName || null,
+      photoURL: coreAccount.photoUrl || null,
+      email: coreAccount.email || null,
+      emailVerified: coreAccount.emailVerified || false,
+      phoneNumber: coreAccount.phoneNumber || null,
+      tenantId: coreAccount.tenantId || null,
+      providerData,
+      metadata: new UserMetadata(
+        coreAccount.createdAt,
+        coreAccount.lastLoginAt
+      ),
+      isAnonymous:
+        !(coreAccount.email && coreAccount.passwordHash) &&
+        !providerData?.length
+    };
+
+    Object.assign(user, updates);
+    return user;
+  }
 }