Fix Issues with verifyIdToken

packages/dart_firebase_admin/lib/src/auth/token_verifier.dart

@@ -79,9 +79,7 @@ class FirebaseTokenVerifier {
       isEmulator: isEmulator,
     );
 
-    final decodedIdToken = DecodedIdToken.fromMap(decoded.payload);
-    decodedIdToken.uid = decodedIdToken.sub;
-    return decodedIdToken;
+    return DecodedIdToken.fromMap(decoded.payload);
   }
 
   Future<DecodedToken> _decodeAndVerify(
@@ -249,6 +247,17 @@ class TokenProvider {
     required this.tenant,
   });
 
+  @internal
+  factory TokenProvider.fromMap(Map<dynamic, dynamic> map) {
+    return TokenProvider(
+      identities: map['identities']! as Map<String, Object?>,
+      signInProvider: map['sign_in_provider']! as String,
+      signInSecondFactor: map['sign_in_second_factor'] as String?,
+      secondFactorIdentifier: map['second_factor_identifier'] as String?,
+      tenant: map['tenant'] as String?,
+    );
+  }
+
   /// Provider-specific identity details corresponding
   /// to the provider used to sign in the user.
   Map<String, Object?> identities;
@@ -313,19 +322,13 @@ class DecodedIdToken {
       email: map['email'] as String?,
       emailVerified: map['email_verified'] as bool?,
       exp: map['exp']! as int,
-      firebase: TokenProvider(
-        identities: Map.from(map['firebase']! as Map),
-        signInProvider: map['sign_in_provider']! as String,
-        signInSecondFactor: map['sign_in_second_factor'] as String?,
-        secondFactorIdentifier: map['second_factor_identifier'] as String?,
-        tenant: map['tenant'] as String?,
-      ),
+      firebase: TokenProvider.fromMap(map['firebase']! as Map),
       iat: map['iat']! as int,
       iss: map['iss']! as String,
       phoneNumber: map['phone_number'] as String?,
       picture: map['picture'] as String?,
       sub: map['sub']! as String,
-      uid: map['uid']! as String,
+      uid: map['sub']! as String,
     );
   }
 

packages/dart_firebase_admin/lib/src/utils/jwt.dart

@@ -9,14 +9,28 @@ class EmulatorSignatureVerifier implements SignatureVerifier {
   @override
   Future<void> verify(String token) async {
     // Signature checks skipped for emulator; no need to fetch public keys.
+
     try {
-      verifyJwtSignature(
+      JWT.verify(
         token,
         SecretKey(''),
       );
+    } on JWTExpiredException catch (e, stackTrace) {
+      Error.throwWithStackTrace(
+        JwtError(
+          JwtErrorCode.tokenExpired,
+          'The provided token has expired. Get a fresh token from your '
+          'client app and try again.',
+        ),
+        stackTrace,
+      );
     } on JWTInvalidException catch (e) {
+      // Emulator tokens have "alg": "none"
+      if (e.message == 'unknown algorithm') return;
       if (e.message == 'invalid signature') return;
       rethrow;
+    } catch (_) {
+      // Invalid signature. Can be ignored when using emulator.
     }
   }
 }
@@ -122,11 +136,32 @@ class PublicKeySignatureVerifier implements SignatureVerifier {
           'no-matching-kid-error',
         );
       }
-      verifyJwtSignature(
-        token,
-        RSAPublicKey.cert(publicKey),
-        issueAt: Duration.zero, // Any past date should be valid
-      );
+
+      try {
+        JWT.verify(
+          token,
+          RSAPublicKey.cert(publicKey),
+          issueAt: Duration.zero, // Any past date should be valid
+        );
+      } on JWTExpiredException catch (e, stackTrace) {
+        Error.throwWithStackTrace(
+          JwtError(
+            JwtErrorCode.tokenExpired,
+            'The provided token has expired. Get a fresh token from your '
+            'client app and try again.',
+          ),
+          stackTrace,
+        );
+      } catch (e, stackTrace) {
+        Error.throwWithStackTrace(
+          JwtError(
+            JwtErrorCode.invalidSignature,
+            'Error while verifying signature of Firebase ID token: $e',
+          ),
+          stackTrace,
+        );
+      }
+
       // At this point most JWTException's should have been caught in
       // verifyJwtSignature, but we could still get some from JWT.decode above
     } on JWTException catch (e) {
@@ -140,46 +175,6 @@ class PublicKeySignatureVerifier implements SignatureVerifier {
 
 sealed class SecretOrPublicKey {}
 
-@internal
-void verifyJwtSignature(
-  String token,
-  JWTKey key, {
-  Duration? issueAt,
-  Audience? audience,
-  String? subject,
-  String? issuer,
-  String? jwtId,
-}) {
-  try {
-    JWT.verify(
-      token,
-      key,
-      issueAt: issueAt,
-      audience: audience,
-      subject: subject,
-      issuer: issuer,
-      jwtId: jwtId,
-    );
-  } on JWTExpiredException catch (e, stackTrace) {
-    Error.throwWithStackTrace(
-      JwtError(
-        JwtErrorCode.tokenExpired,
-        'The provided token has expired. Get a fresh token from your '
-        'client app and try again.',
-      ),
-      stackTrace,
-    );
-  } catch (e, stackTrace) {
-    Error.throwWithStackTrace(
-      JwtError(
-        JwtErrorCode.invalidSignature,
-        'Error while verifying signature of Firebase ID token: $e',
-      ),
-      stackTrace,
-    );
-  }
-}
-
 /// Jwt error code structure.
 class JwtError extends Error {
   JwtError(this.code, this.message);