Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: Excluding certain event_types from processing uid #2370

Merged
merged 20 commits into from
Apr 15, 2024
Merged

chore: Excluding certain event_types from processing uid #2370

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
18a1959
adding optional param to token verifier
pragatimodi Nov 14, 2023
889db29
update _verifyAuthBlockingToken method
pragatimodi Nov 14, 2023
ed48636
fix lint
pragatimodi Nov 14, 2023
43f6df5
adding public definitions
pragatimodi Nov 14, 2023
4ed2e1a
add AuthBlockingEventType type
pragatimodi Nov 14, 2023
546649b
use decoded payload instead
pragatimodi Nov 15, 2023
123f001
Merge branch 'master' into token-verifier
pragatimodi Nov 27, 2023
887a956
remove debug statement
pragatimodi Jan 10, 2024
0cf726e
formatting
pragatimodi Jan 10, 2024
35fbb5a
Merge branch 'master' into token-verifier
pragatimodi Jan 10, 2024
7173788
add unit tests
pragatimodi Mar 18, 2024
f1a5246
unit test
pragatimodi Mar 18, 2024
67b09fd
unit test
pragatimodi Mar 18, 2024
5a41523
add comment per code review
pragatimodi Mar 18, 2024
0fde4d3
Merge branch 'master' into token-verifier
pragatimodi Mar 18, 2024
df42f44
Apply suggestions from code review
pragatimodi Mar 21, 2024
44b7584
fix unit test messages
pragatimodi Mar 21, 2024
dc3c825
fix lint
pragatimodi Mar 21, 2024
eef740a
Merge branch 'master' into token-verifier
pragatimodi Mar 26, 2024
0e7f413
Merge branch 'master' into token-verifier
lahirumaramba Apr 15, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 13 additions & 7 deletions src/auth/token-verifier.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -529,13 +529,19 @@ export class FirebaseTokenVerifier {
errorMessage = `${this.tokenInfo.jwtName} has incorrect "iss" (issuer) claim. Expected ` +
`"${this.issuer}` + projectId + '" but got "' +
payload.iss + '".' + projectIdMatchMessage + verifyJwtTokenDocsMessage;
} else if (typeof payload.sub !== 'string') {
errorMessage = `${this.tokenInfo.jwtName} has no "sub" (subject) claim.` + verifyJwtTokenDocsMessage;
} else if (payload.sub === '') {
errorMessage = `${this.tokenInfo.jwtName} has an empty string "sub" (subject) claim.` + verifyJwtTokenDocsMessage;
} else if (payload.sub.length > 128) {
errorMessage = `${this.tokenInfo.jwtName} has "sub" (subject) claim longer than 128 characters.` +
verifyJwtTokenDocsMessage;
} else if (!(payload.event_type !== undefined &&
pragatimodi marked this conversation as resolved.
Show resolved Hide resolved
(payload.event_type === 'beforeSendSms' || payload.event_type === 'beforeSendEmail'))) {
// excluding `beforeSendSms` and `beforeSendEmail` from processing `sub` as there is no user record available.
// `sub` is the same as `uid` which is part of the user record.
if (typeof payload.sub !== 'string') {
errorMessage = `${this.tokenInfo.jwtName} has no "sub" (subject) claim.` + verifyJwtTokenDocsMessage;
} else if (payload.sub === '') {
errorMessage = `${this.tokenInfo.jwtName} has an empty "sub" (subject) claim.` +
verifyJwtTokenDocsMessage;
} else if (payload.sub.length > 128) {
errorMessage = `${this.tokenInfo.jwtName} has a "sub" (subject) claim longer than 128 characters.` +
verifyJwtTokenDocsMessage;
}
}
if (errorMessage) {
throw new FirebaseAuthError(AuthClientErrorCode.INVALID_ARGUMENT, errorMessage);
Expand Down
41 changes: 39 additions & 2 deletions test/unit/auth/token-verifier.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -341,7 +341,8 @@ describe('FirebaseTokenVerifier', () => {
});

return tokenVerifier.verifyJWT(mockIdToken)
.should.eventually.be.rejectedWith('Firebase ID token has "sub" (subject) claim longer than 128 characters');
.should.eventually.be.rejectedWith('Firebase ID token has a "sub" (subject) claim longer than 128 ' +
'characters');
});
});

Expand Down Expand Up @@ -659,7 +660,7 @@ describe('FirebaseTokenVerifier', () => {

return authBlockingTokenVerifier._verifyAuthBlockingToken(mockAuthBlockingToken, false, undefined)
.should.eventually.be.rejectedWith(
'Firebase Auth Blocking token has "sub" (subject) claim longer than 128 characters');
'Firebase Auth Blocking token has a "sub" (subject) claim longer than 128 characters');
});
});

Expand Down Expand Up @@ -780,5 +781,41 @@ describe('FirebaseTokenVerifier', () => {
await authBlockingTokenVerifier._verifyAuthBlockingToken(idTokenNoHeader, false, undefined)
.should.eventually.be.rejectedWith('Firebase Auth Blocking token has no "kid" claim.');
});

const eventTypesWithoutUid = ['beforeSendSms', 'beforeSendEmail'];
eventTypesWithoutUid.forEach((eventType) => {
it('should not throw error on invalid `sub` when event_type is "' + eventType + '"' , async () => {
const verifierStub = sinon.stub(PublicKeySignatureVerifier.prototype, 'verify')
.resolves();
stubs.push(verifierStub);

const mockAuthBlockingToken = mocks.generateAuthBlockingToken({
subject: ''
}, {
event_type: eventType,
});
return authBlockingTokenVerifier._verifyAuthBlockingToken(mockAuthBlockingToken, false, undefined)
.should.eventually.be.fulfilled;
});
});

const eventTypesWithUid = ['beforeCreate', 'beforeSignIn', undefined];
eventTypesWithUid.forEach((eventType) => {
it('should not throw error on invalid `sub` when event_type is "' + eventType + '"', async () => {
const verifierStub = sinon.stub(PublicKeySignatureVerifier.prototype, 'verify')
.resolves();
stubs.push(verifierStub);

const mockAuthBlockingToken = mocks.generateAuthBlockingToken({
subject: ''
}, {
event_type: eventType,
});
return authBlockingTokenVerifier._verifyAuthBlockingToken(mockAuthBlockingToken, false, undefined)
.should.eventually.be.rejectedWith('Firebase Auth Blocking token has an empty "sub" (subject) claim.' +
' See https://cloud.google.com/identity-platform/docs/blocking-functions for details on how to retrieve an' +
' Auth Blocking token.');
});
});
});
});
Loading