test: added missing integration tests for Auth, Messaging, Functions and Firestore apis (#195)

* test: add unit tests for AppCheck token creation and verification

* test: add unit tests for OIDC and SAML provider config operations

* test: add unit tests for Firestore terminate method

* test: add unit tests for ConditionMessage handling in messaging

* test: add unit tests for experimental URI handling in task queue

* fix(auth): disable checkHeaderType for JWT verification

Firebase session cookies omit the `typ` header claim. dart_jsonwebtoken
3.x added checkHeaderType=true as the default which rejects tokens without
`typ: "JWT"`, causing verifySessionCookie to always fail with an invalid
signature error. Disable the check since signature, issuer, audience, and
expiry are all validated independently.

* fix(auth): pass toJson() to generateUpdateMask for OIDC/SAML updates

generateUpdateMask expects a Map but was receiving a raw googleapis object,
causing it to return an empty list. An empty update mask sent to the PATCH
endpoint results in no fields being updated, so updateProviderConfig had no
effect. Calling toJson() first produces the Map that generateUpdateMask can
traverse.

* fix(storage): unset STORAGE_EMULATOR_HOST when running in production mode

The google_cloud_storage package reads STORAGE_EMULATOR_HOST via native
FFI (getenv), bypassing Dart zone overrides. If an emulator-mode Storage
instance runs first it sets the native env var, which then leaks into any
subsequent production Storage instance in the same process, causing
getDownloadURL to hit the emulator and return 404.

Add unsetNativeEnvironmentVariable and call it in Storage._ when not in
emulator mode to clear any previously set value.

* fix(app-check): include ttl claim in custom token when ttlMillis is set

The Firebase App Check exchangeCustomToken API reads the TTL for the
resulting token from the signed custom token's claims, not from the
exchange request body. The ttlMillis option was accepted but silently
dropped because token_generator.dart never wrote a ttl claim into the
JWT body.

* fix(test): add clientSecret to OIDC provider config test fixtures

OIDCAuthProviderConfig._validate requires clientSecret to be a non-empty
string when creating a provider config. The integration test fixtures were
missing this field, causing all OIDC createProviderConfig calls to throw.

* fix(test): use conventional placeholder for API key in auth emulator tests

Author: demolaf

packages/dart_firebase_admin/lib/src/app_check/token_generator.dart

@@ -43,6 +43,7 @@ class AppCheckTokenGenerator {
         'aud': firebaseAppCheckAudience,
         'exp': iat + (oneMinuteInSeconds * 5),
         'iat': iat,
+        if (options?.ttlMillis case final ttl?) 'ttl': '${ttl.inSeconds}s',
       };
 
       final token = '${_encodeSegment(header)}.${_encodeSegment(body)}';

packages/dart_firebase_admin/lib/src/auth/auth_request_handler.dart

@@ -218,7 +218,7 @@ abstract class _AbstractAuthRequestHandler {
       options,
       ignoreMissingFields: true,
     );
-    final updateMask = generateUpdateMask(request);
+    final updateMask = generateUpdateMask(request?.toJson());
 
     final response = await _httpClient.updateOAuthIdpConfig(
       request ?? auth2.GoogleCloudIdentitytoolkitAdminV2OAuthIdpConfig(),
@@ -252,7 +252,7 @@ abstract class _AbstractAuthRequestHandler {
       options,
       ignoreMissingFields: true,
     );
-    final updateMask = generateUpdateMask(request);
+    final updateMask = generateUpdateMask(request?.toJson());
     final response = await _httpClient.updateInboundSamlConfig(
       request ?? auth2.GoogleCloudIdentitytoolkitAdminV2InboundSamlConfig(),
       providerId,

packages/dart_firebase_admin/lib/src/storage/storage.dart

@@ -21,6 +21,10 @@ class Storage implements FirebaseService {
         );
       }
       setNativeEnvironmentVariable('STORAGE_EMULATOR_HOST', emulatorHost);
+    } else {
+      // Ensure no emulator host leaks into production GCS client from a
+      // previous emulator-mode Storage instance in the same process.
+      unsetNativeEnvironmentVariable('STORAGE_EMULATOR_HOST');
     }
     _delegate = gcs.Storage();
   }

packages/dart_firebase_admin/lib/src/utils/jwt.dart

@@ -192,7 +192,10 @@ class PublicKeySignatureVerifier implements SignatureVerifier {
       }
 
       try {
-        JWT.verify(token, key);
+        // Firebase session cookies omit the `typ` header claim, which
+        // dart_jsonwebtoken 3.x rejects by default. Disable the check here;
+        // signature, issuer, audience, and expiry are validated separately.
+        JWT.verify(token, key, checkHeaderType: false);
       } catch (e, stackTrace) {
         Error.throwWithStackTrace(
           JwtException(

packages/dart_firebase_admin/lib/src/utils/native_environment.dart

@@ -12,6 +12,11 @@ final int Function(Pointer<Utf8>, Pointer<Utf8>, int) _setenv =
       int Function(Pointer<Utf8>, Pointer<Utf8>, int)
     >('setenv');
 
+final int Function(Pointer<Utf8>) _unsetenv = DynamicLibrary.process()
+    .lookupFunction<Int32 Function(Pointer<Utf8>), int Function(Pointer<Utf8>)>(
+      'unsetenv',
+    );
+
 final int Function(Pointer<Utf16>, Pointer<Utf16>) _setEnvironmentVariableW =
     DynamicLibrary.open('kernel32.dll').lookupFunction<
       Int32 Function(Pointer<Utf16>, Pointer<Utf16>),
@@ -44,3 +49,19 @@ void setNativeEnvironmentVariable(String name, String value) {
     });
   }
 }
+
+@internal
+void unsetNativeEnvironmentVariable(String name) {
+  if (Platform.isWindows) {
+    using((arena) {
+      final namePtr = name.toNativeUtf16(allocator: arena);
+      // Passing NULL as the second argument deletes the variable on Windows
+      _setEnvironmentVariableW(namePtr, nullptr);
+    });
+  } else {
+    using((arena) {
+      final namePtr = name.toNativeUtf8(allocator: arena);
+      _unsetenv(namePtr);
+    });
+  }
+}

packages/dart_firebase_admin/test/integration/app_check/app_check_test.dart

@@ -0,0 +1,206 @@
+import 'dart:async';
+
+import 'package:dart_firebase_admin/app_check.dart';
+import 'package:dart_firebase_admin/src/app.dart';
+import 'package:test/test.dart';
+
+import '../../fixtures/helpers.dart';
+
+const _testAppId = '1:559949546715:android:13025aec6cc3243d0ab8fe';
+
+void main() {
+  group(
+    'AppCheck (Production)',
+    () {
+      group('createToken()', () {
+        test('returns a token with a non-empty JWT string', () {
+          return runZoned(() async {
+            final appName =
+                'prod-test-${DateTime.now().microsecondsSinceEpoch}';
+            final app = FirebaseApp.initializeApp(name: appName);
+            final appCheck = AppCheck.internal(app);
+
+            try {
+              final token = await appCheck.createToken(_testAppId);
+
+              expect(token.token, isNotEmpty);
+              // A JWT has exactly two dots
+              expect(token.token.split('.').length, equals(3));
+            } finally {
+              await app.close();
+            }
+          }, zoneValues: {envSymbol: prodEnv()});
+        });
+
+        test('returns ttlMillis within the valid range (30min–7days)', () {
+          return runZoned(() async {
+            final appName =
+                'prod-test-${DateTime.now().microsecondsSinceEpoch}';
+            final app = FirebaseApp.initializeApp(name: appName);
+            final appCheck = AppCheck.internal(app);
+
+            try {
+              final token = await appCheck.createToken(_testAppId);
+
+              expect(
+                token.ttlMillis,
+                greaterThanOrEqualTo(
+                  const Duration(minutes: 30).inMilliseconds,
+                ),
+              );
+              expect(
+                token.ttlMillis,
+                lessThanOrEqualTo(const Duration(days: 7).inMilliseconds),
+              );
+            } finally {
+              await app.close();
+            }
+          }, zoneValues: {envSymbol: prodEnv()});
+        });
+
+        test('honours a custom ttlMillis option', () {
+          return runZoned(() async {
+            final appName =
+                'prod-test-${DateTime.now().microsecondsSinceEpoch}';
+            final app = FirebaseApp.initializeApp(name: appName);
+            final appCheck = AppCheck.internal(app);
+
+            try {
+              const customTtl = Duration(hours: 2);
+              final token = await appCheck.createToken(
+                _testAppId,
+                AppCheckTokenOptions(ttlMillis: customTtl),
+              );
+
+              expect(token.token, isNotEmpty);
+              // Server rounds to the nearest second; allow ±1 second tolerance.
+              expect(token.ttlMillis, closeTo(customTtl.inMilliseconds, 1000));
+            } finally {
+              await app.close();
+            }
+          }, zoneValues: {envSymbol: prodEnv()});
+        });
+      });
+
+      group('verifyToken()', () {
+        test('returns decoded token with correct claims structure', () {
+          return runZoned(() async {
+            final appName =
+                'prod-test-${DateTime.now().microsecondsSinceEpoch}';
+            final app = FirebaseApp.initializeApp(name: appName);
+            final appCheck = AppCheck.internal(app);
+
+            try {
+              final token = await appCheck.createToken(_testAppId);
+              final result = await appCheck.verifyToken(token.token);
+
+              final decoded = result.token;
+              expect(result.appId, equals(_testAppId));
+              expect(decoded.sub, equals(_testAppId));
+              expect(
+                decoded.iss,
+                startsWith('https://firebaseappcheck.googleapis.com/'),
+              );
+              expect(decoded.aud, isNotEmpty);
+              expect(decoded.exp, greaterThan(decoded.iat));
+            } finally {
+              await app.close();
+            }
+          }, zoneValues: {envSymbol: prodEnv()});
+        });
+
+        test('sets alreadyConsumed to null when consume option is not set', () {
+          return runZoned(() async {
+            final appName =
+                'prod-test-${DateTime.now().microsecondsSinceEpoch}';
+            final app = FirebaseApp.initializeApp(name: appName);
+            final appCheck = AppCheck.internal(app);
+
+            try {
+              final token = await appCheck.createToken(_testAppId);
+              final result = await appCheck.verifyToken(token.token);
+
+              expect(result.alreadyConsumed, isNull);
+            } finally {
+              await app.close();
+            }
+          }, zoneValues: {envSymbol: prodEnv()});
+        });
+
+        test(
+          'sets alreadyConsumed to false on first consume, true on second',
+          () {
+            return runZoned(() async {
+              final appName =
+                  'prod-test-${DateTime.now().microsecondsSinceEpoch}';
+              final app = FirebaseApp.initializeApp(name: appName);
+              final appCheck = AppCheck.internal(app);
+
+              try {
+                final token = await appCheck.createToken(_testAppId);
+
+                final first = await appCheck.verifyToken(
+                  token.token,
+                  VerifyAppCheckTokenOptions()..consume = true,
+                );
+                expect(first.alreadyConsumed, isFalse);
+
+                final second = await appCheck.verifyToken(
+                  token.token,
+                  VerifyAppCheckTokenOptions()..consume = true,
+                );
+                expect(second.alreadyConsumed, isTrue);
+              } finally {
+                await app.close();
+              }
+            }, zoneValues: {envSymbol: prodEnv()});
+          },
+        );
+
+        test('throws FirebaseAppCheckException for an invalid token', () {
+          return runZoned(() async {
+            final appName =
+                'prod-test-${DateTime.now().microsecondsSinceEpoch}';
+            final app = FirebaseApp.initializeApp(name: appName);
+            final appCheck = AppCheck.internal(app);
+
+            try {
+              await expectLater(
+                () => appCheck.verifyToken('invalid.token.value'),
+                throwsA(isA<FirebaseAppCheckException>()),
+              );
+            } finally {
+              await app.close();
+            }
+          }, zoneValues: {envSymbol: prodEnv()});
+        });
+
+        test('throws FirebaseAppCheckException for a tampered token', () {
+          return runZoned(() async {
+            final appName =
+                'prod-test-${DateTime.now().microsecondsSinceEpoch}';
+            final app = FirebaseApp.initializeApp(name: appName);
+            final appCheck = AppCheck.internal(app);
+
+            try {
+              final token = await appCheck.createToken(_testAppId);
+              // Corrupt the signature portion of the JWT.
+              final parts = token.token.split('.');
+              final tampered = '${parts[0]}.${parts[1]}.invalidsignature';
+
+              await expectLater(
+                () => appCheck.verifyToken(tampered),
+                throwsA(isA<FirebaseAppCheckException>()),
+              );
+            } finally {
+              await app.close();
+            }
+          }, zoneValues: {envSymbol: prodEnv()});
+        });
+      });
+    },
+    skip: hasProdEnv
+        ? false
+        : 'Requires GOOGLE_APPLICATION_CREDENTIALS and RUN_PROD_TESTS=true',
+  );
+}