Merge pull request #102 from firebase/hkj-idtoken-errors

feat(auth): Migrating ID token verification APIs to the new error handling scheme

Author: hiranya911

FirebaseAdmin/FirebaseAdmin.Tests/Auth/FirebaseTokenVerifierTest.cs

@@ -20,7 +20,6 @@
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
-using FirebaseAdmin.Auth;
 using FirebaseAdmin.Tests;
 using Google.Apis.Auth.OAuth2;
 using Google.Apis.Util;
@@ -89,8 +88,10 @@ await Assert.ThrowsAsync<ArgumentException>(
         [Fact]
         public async Task MalformedToken()
         {
-            await Assert.ThrowsAsync<FirebaseException>(
+            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
                 async () => await TokenVerifier.VerifyTokenAsync("not-a-token"));
+
+            this.CheckException(exception, "Incorrect number of segments in ID token.");
         }
 
         [Fact]
@@ -101,8 +102,10 @@ public async Task NoKid()
                 { "kid", string.Empty },
             };
             var idToken = await CreateTestTokenAsync(headerOverrides: header);
-            await Assert.ThrowsAsync<FirebaseException>(
+            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
                 async () => await TokenVerifier.VerifyTokenAsync(idToken));
+
+            this.CheckException(exception, "Firebase ID token has no 'kid' claim.");
         }
 
         [Fact]
@@ -113,8 +116,10 @@ public async Task IncorrectKid()
                 { "kid", "incorrect-key-id" },
             };
             var idToken = await CreateTestTokenAsync(headerOverrides: header);
-            await Assert.ThrowsAsync<FirebaseException>(
+            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
                 async () => await TokenVerifier.VerifyTokenAsync(idToken));
+
+            this.CheckException(exception, "Failed to verify ID token signature.");
         }
 
         [Fact]
@@ -125,8 +130,12 @@ public async Task IncorrectAlgorithm()
                 { "alg", "HS256" },
             };
             var idToken = await CreateTestTokenAsync(headerOverrides: header);
-            await Assert.ThrowsAsync<FirebaseException>(
+            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
                 async () => await TokenVerifier.VerifyTokenAsync(idToken));
+
+            var expectedMessage = "Firebase ID token has incorrect algorithm."
+                + " Expected RS256 but got HS256.";
+            this.CheckException(exception, expectedMessage);
         }
 
         [Fact]
@@ -138,11 +147,12 @@ public async Task Expired()
                 { "exp", expiryTime },
             };
             var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
-            var exception = await Assert.ThrowsAsync<FirebaseException>(
+            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
                 async () => await TokenVerifier.VerifyTokenAsync(idToken));
+
             var expectedMessage = $"Firebase ID token expired at {expiryTime}. "
                 + $"Expected to be greater than {Clock.UnixTimestamp()}.";
-            Assert.Equal(expectedMessage, exception.Message);
+            this.CheckException(exception, expectedMessage, AuthErrorCode.ExpiredIdToken);
         }
 
         [Fact]
@@ -170,11 +180,11 @@ public async Task InvalidIssuedAt()
                 { "iat", issuedAt },
             };
             var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
-            var exception = await Assert.ThrowsAsync<FirebaseException>(
+            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
                 async () => await TokenVerifier.VerifyTokenAsync(idToken));
-            var expectedMessage = $"Firebase ID token issued at future timestamp {issuedAt}. "
-                + $"Expected to be less than {Clock.UnixTimestamp()}.";
-            Assert.Equal(expectedMessage, exception.Message);
+
+            var expectedMessage = $"Firebase ID token issued at future timestamp {issuedAt}.";
+            this.CheckException(exception, expectedMessage);
         }
 
         [Fact]
@@ -201,8 +211,11 @@ public async Task InvalidIssuer()
                 { "iss", "wrong-issuer" },
             };
             var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
-            await Assert.ThrowsAsync<FirebaseException>(
+            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
                 async () => await TokenVerifier.VerifyTokenAsync(idToken));
+
+            var expectedMessage = "ID token has incorrect issuer (iss) claim.";
+            this.CheckException(exception, expectedMessage);
         }
 
         [Fact]
@@ -213,8 +226,12 @@ public async Task InvalidAudience()
                 { "aud", "wrong-audience" },
             };
             var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
-            await Assert.ThrowsAsync<FirebaseException>(
+            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
                 async () => await TokenVerifier.VerifyTokenAsync(idToken));
+
+            var expectedMessage = "ID token has incorrect audience (aud) claim."
+                + " Expected test-project but got wrong-audience";
+            this.CheckException(exception, expectedMessage);
         }
 
         [Fact]
@@ -225,8 +242,11 @@ public async Task EmptySubject()
                 { "sub", string.Empty },
             };
             var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
-            await Assert.ThrowsAsync<FirebaseException>(
+            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
                 async () => await TokenVerifier.VerifyTokenAsync(idToken));
+
+            var expectedMessage = "Firebase ID token has no or empty subject (sub) claim.";
+            this.CheckException(exception, expectedMessage);
         }
 
         [Fact]
@@ -237,8 +257,12 @@ public async Task LongSubject()
                 { "sub", new string('a', 129) },
             };
             var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
-            await Assert.ThrowsAsync<FirebaseException>(
+            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
                 async () => await TokenVerifier.VerifyTokenAsync(idToken));
+
+            var expectedMessage = "Firebase ID token has a subject claim longer than"
+                + " 128 characters.";
+            this.CheckException(exception, expectedMessage);
         }
 
         [Fact]
@@ -336,6 +360,18 @@ private static ISigner CreateTestSigner()
             var serviceAccount = (ServiceAccountCredential)credential.UnderlyingCredential;
             return new ServiceAccountSigner(serviceAccount);
         }
+
+        private void CheckException(
+            FirebaseAuthException exception,
+            string prefix,
+            AuthErrorCode errorCode = AuthErrorCode.InvalidIdToken)
+        {
+            Assert.Equal(ErrorCode.InvalidArgument, exception.ErrorCode);
+            Assert.StartsWith(prefix, exception.Message);
+            Assert.Equal(errorCode, exception.AuthErrorCode);
+            Assert.Null(exception.InnerException);
+            Assert.Null(exception.HttpResponse);
+        }
     }
 
     internal class FileSystemPublicKeySource : IPublicKeySource

FirebaseAdmin/FirebaseAdmin.Tests/Auth/HttpPublicKeySourceTest.cs

@@ -18,7 +18,6 @@
 using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Threading.Tasks;
-using FirebaseAdmin.Auth;
 using FirebaseAdmin.Tests;
 using Xunit;
 
@@ -111,8 +110,93 @@ public async Task HttpError()
             var clientFactory = new MockHttpClientFactory(handler);
             var keyManager = new HttpPublicKeySource(
                 "https://example.com/certs", clock, clientFactory);
-            await Assert.ThrowsAsync<FirebaseException>(
+
+            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
+                async () => await keyManager.GetPublicKeysAsync());
+
+            Assert.Equal(ErrorCode.Internal, exception.ErrorCode);
+            Assert.Equal(
+                "Unexpected HTTP response with status: 500 (InternalServerError)\ntest error",
+                exception.Message);
+            Assert.Equal(AuthErrorCode.CertificateFetchFailed, exception.AuthErrorCode);
+            Assert.NotNull(exception.HttpResponse);
+            Assert.Null(exception.InnerException);
+
+            Assert.Equal(1, handler.Calls);
+        }
+
+        [Fact]
+        public async Task NetworkError()
+        {
+            var clock = new MockClock();
+            var handler = new MockMessageHandler()
+            {
+                Exception = new HttpRequestException("Network error"),
+            };
+            var clientFactory = new MockHttpClientFactory(handler);
+            var keyManager = new HttpPublicKeySource(
+                "https://example.com/certs", clock, clientFactory);
+
+            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
                 async () => await keyManager.GetPublicKeysAsync());
+
+            Assert.Equal(ErrorCode.Unknown, exception.ErrorCode);
+            Assert.Equal(
+                "Failed to retrieve latest public keys. Unknown error while making a remote "
+                    + "service call: Network error",
+                exception.Message);
+            Assert.Equal(AuthErrorCode.CertificateFetchFailed, exception.AuthErrorCode);
+            Assert.Null(exception.HttpResponse);
+            Assert.Same(handler.Exception, exception.InnerException);
+
+            Assert.Equal(1, handler.Calls);
+        }
+
+        [Fact]
+        public async Task EmptyResponse()
+        {
+            var clock = new MockClock();
+            var handler = new MockMessageHandler()
+            {
+                Response = "{}",
+            };
+            var clientFactory = new MockHttpClientFactory(handler);
+            var keyManager = new HttpPublicKeySource(
+                "https://example.com/certs", clock, clientFactory);
+
+            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
+                async () => await keyManager.GetPublicKeysAsync());
+
+            Assert.Equal(ErrorCode.Unknown, exception.ErrorCode);
+            Assert.Equal("No public keys present in the response.", exception.Message);
+            Assert.Equal(AuthErrorCode.CertificateFetchFailed, exception.AuthErrorCode);
+            Assert.NotNull(exception.HttpResponse);
+            Assert.Null(exception.InnerException);
+
+            Assert.Equal(1, handler.Calls);
+        }
+
+        [Fact]
+        public async Task MalformedResponse()
+        {
+            var clock = new MockClock();
+            var handler = new MockMessageHandler()
+            {
+                Response = "not json",
+            };
+            var clientFactory = new MockHttpClientFactory(handler);
+            var keyManager = new HttpPublicKeySource(
+                "https://example.com/certs", clock, clientFactory);
+
+            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
+                async () => await keyManager.GetPublicKeysAsync());
+
+            Assert.Equal(ErrorCode.Unknown, exception.ErrorCode);
+            Assert.Equal("Failed to parse certificate response: not json.", exception.Message);
+            Assert.Equal(AuthErrorCode.CertificateFetchFailed, exception.AuthErrorCode);
+            Assert.NotNull(exception.HttpResponse);
+            Assert.NotNull(exception.InnerException);
+
             Assert.Equal(1, handler.Calls);
         }
     }

FirebaseAdmin/FirebaseAdmin/Auth/AuthErrorCode.cs

@@ -19,11 +19,26 @@ namespace FirebaseAdmin.Auth
     /// </summary>
     public enum AuthErrorCode
     {
+        /// <summary>
+        /// Failed to retrieve required public key certificates.
+        /// </summary>
+        CertificateFetchFailed,
+
         /// <summary>
         /// The user with the provided email already exists.
         /// </summary>
         EmailAlreadyExists,
 
+        /// <summary>
+        /// The specified ID token is expired.
+        /// </summary>
+        ExpiredIdToken,
+
+        /// <summary>
+        /// The specified ID token is invalid.
+        /// </summary>
+        InvalidIdToken,
+
         /// <summary>
         /// The user with the provided phone number already exists.
         /// </summary>

FirebaseAdmin/FirebaseAdmin/Auth/FirebaseAuth.cs

@@ -228,7 +228,7 @@ public async Task<string> CreateCustomTokenAsync(
         /// <returns>A task that completes with a <see cref="FirebaseToken"/> representing
         /// the verified and decoded ID token.</returns>
         /// <exception cref="ArgumentException">If ID token argument is null or empty.</exception>
-        /// <exception cref="FirebaseException">If the ID token fails to verify.</exception>
+        /// <exception cref="FirebaseAuthException">If the ID token fails to verify.</exception>
         /// <param name="idToken">A Firebase ID token string to parse and verify.</param>
         public async Task<FirebaseToken> VerifyIdTokenAsync(string idToken)
         {
@@ -249,7 +249,7 @@ public async Task<FirebaseToken> VerifyIdTokenAsync(string idToken)
         /// <returns>A task that completes with a <see cref="FirebaseToken"/> representing
         /// the verified and decoded ID token.</returns>
         /// <exception cref="ArgumentException">If ID token argument is null or empty.</exception>
-        /// <exception cref="FirebaseException">If the ID token fails to verify.</exception>
+        /// <exception cref="FirebaseAuthException">If the ID token fails to verify.</exception>
         /// <param name="idToken">A Firebase ID token string to parse and verify.</param>
         /// <param name="cancellationToken">A cancellation token to monitor the asynchronous
         /// operation.</param>

FirebaseAdmin/FirebaseAdmin/Auth/FirebaseTokenVerifier.cs

@@ -111,7 +111,7 @@ internal async Task<FirebaseToken> VerifyTokenAsync(
             string[] segments = token.Split('.');
             if (segments.Length != 3)
             {
-                throw new FirebaseException($"Incorrect number of segments in ${this.shortName}.");
+                throw this.CreateException($"Incorrect number of segments in {this.shortName}.");
             }
 
             var header = JwtUtils.Decode<JsonWebSignature.Header>(segments[0]);
@@ -122,6 +122,7 @@ internal async Task<FirebaseToken> VerifyTokenAsync(
                 + $"{this.shortName}.";
             var issuer = this.issuer + this.ProjectId;
             string error = null;
+            var errorCode = AuthErrorCode.InvalidIdToken;
             var currentTimeInSeconds = this.clock.UnixTimestamp();
 
             if (string.IsNullOrEmpty(header.KeyId))
@@ -166,6 +167,7 @@ internal async Task<FirebaseToken> VerifyTokenAsync(
             {
                 error = $"Firebase {this.shortName} expired at {payload.ExpirationTimeSeconds}. "
                     + $"Expected to be greater than {currentTimeInSeconds}.";
+                errorCode = AuthErrorCode.ExpiredIdToken;
             }
             else if (string.IsNullOrEmpty(payload.Subject))
             {
@@ -178,7 +180,7 @@ internal async Task<FirebaseToken> VerifyTokenAsync(
 
             if (error != null)
             {
-                throw new FirebaseException(error);
+                throw this.CreateException(error, errorCode);
             }
 
             await this.VerifySignatureAsync(segments, header.KeyId, cancellationToken)
@@ -233,8 +235,14 @@ private async Task VerifySignatureAsync(
             );
             if (!verified)
             {
-                throw new FirebaseException($"Failed to verify {this.shortName} signature.");
+                throw this.CreateException($"Failed to verify {this.shortName} signature.");
             }
         }
+
+        private FirebaseAuthException CreateException(
+            string message, AuthErrorCode errorCode = AuthErrorCode.InvalidIdToken)
+        {
+            return new FirebaseAuthException(ErrorCode.InvalidArgument, message, errorCode);
+        }
     }
 }