Migrating CreateCustomTokenAsync() APIs to the new error handling scheme (#105)

Author: hiranya911

FirebaseAdmin/FirebaseAdmin.Tests/Auth/FirebaseAuthTest.cs

@@ -20,8 +20,6 @@
 using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
-using FirebaseAdmin.Auth;
-using Google.Apis.Auth;
 using Google.Apis.Auth.OAuth2;
 using Xunit;
 
@@ -114,8 +112,15 @@ await Assert.ThrowsAsync<OperationCanceledException>(
         public async Task CreateCustomTokenInvalidCredential()
         {
             FirebaseApp.Create(new AppOptions() { Credential = MockCredential });
-            await Assert.ThrowsAsync<FirebaseException>(
+            var ex = await Assert.ThrowsAsync<InvalidOperationException>(
                 async () => await FirebaseAuth.DefaultInstance.CreateCustomTokenAsync("user1"));
+
+            var errorMessage = "Failed to determine service account ID. Make sure to initialize the SDK "
+                + "with service account credentials or specify a service account "
+                + "ID with iam.serviceAccounts.signBlob permission. Please refer to "
+                + "https://firebase.google.com/docs/auth/admin/create-custom-tokens for "
+                + "more details on creating custom tokens.";
+            Assert.Equal(errorMessage, ex.Message);
         }
 
         [Fact]

FirebaseAdmin/FirebaseAdmin.Tests/Auth/IAMSignerTest.cs

@@ -15,13 +15,10 @@
 using System;
 using System.Net;
 using System.Net.Http;
-using System.Net.Http.Headers;
 using System.Text;
-using System.Threading;
 using System.Threading.Tasks;
 using FirebaseAdmin.Tests;
 using Google.Apis.Auth.OAuth2;
-using Google.Apis.Http;
 using Google.Apis.Json;
 using Xunit;
 
@@ -69,12 +66,23 @@ public async Task AccountDiscoveryError()
                 };
             var factory = new MockHttpClientFactory(handler);
             var signer = new IAMSigner(factory, GoogleCredential.FromAccessToken("token"));
-            await Assert.ThrowsAsync<FirebaseException>(
+            var errorMessage = "Failed to determine service account ID. Make sure to initialize the SDK "
+                + "with service account credentials or specify a service account "
+                + "ID with iam.serviceAccounts.signBlob permission. Please refer to "
+                + "https://firebase.google.com/docs/auth/admin/create-custom-tokens for "
+                + "more details on creating custom tokens.";
+
+            var ex = await Assert.ThrowsAsync<InvalidOperationException>(
                 async () => await signer.GetKeyIdAsync());
             Assert.Equal(1, handler.Calls);
-            await Assert.ThrowsAsync<FirebaseException>(
+            Assert.Equal(errorMessage, ex.Message);
+            Assert.IsType<HttpRequestException>(ex.InnerException);
+
+            ex = await Assert.ThrowsAsync<InvalidOperationException>(
                 async () => await signer.GetKeyIdAsync());
             Assert.Equal(1, handler.Calls);
+            Assert.Equal(errorMessage, ex.Message);
+            Assert.IsType<HttpRequestException>(ex.InnerException);
         }
     }
 
@@ -117,9 +125,37 @@ public async Task WelformedSignError()
                 factory, GoogleCredential.FromAccessToken("token"), "test-service-account");
             Assert.Equal("test-service-account", await signer.GetKeyIdAsync());
             byte[] data = Encoding.UTF8.GetBytes("Hello world");
-            var ex = await Assert.ThrowsAsync<FirebaseException>(
+            var ex = await Assert.ThrowsAsync<FirebaseAuthException>(
+                async () => await signer.SignDataAsync(data));
+
+            Assert.Equal(ErrorCode.Internal, ex.ErrorCode);
+            Assert.Equal("test reason", ex.Message);
+            Assert.Null(ex.AuthErrorCode);
+            Assert.NotNull(ex.HttpResponse);
+            Assert.Null(ex.InnerException);
+        }
+
+        [Fact]
+        public async Task WelformedSignErrorWithCode()
+        {
+            var handler = new MockMessageHandler()
+                {
+                    StatusCode = HttpStatusCode.InternalServerError,
+                    Response = @"{""error"": {""message"": ""test reason"", ""status"": ""UNAVAILABLE""}}",
+                };
+            var factory = new MockHttpClientFactory(handler);
+            var signer = new FixedAccountIAMSigner(
+                factory, GoogleCredential.FromAccessToken("token"), "test-service-account");
+            Assert.Equal("test-service-account", await signer.GetKeyIdAsync());
+            byte[] data = Encoding.UTF8.GetBytes("Hello world");
+            var ex = await Assert.ThrowsAsync<FirebaseAuthException>(
                 async () => await signer.SignDataAsync(data));
+
+            Assert.Equal(ErrorCode.Unavailable, ex.ErrorCode);
             Assert.Equal("test reason", ex.Message);
+            Assert.Null(ex.AuthErrorCode);
+            Assert.NotNull(ex.HttpResponse);
+            Assert.Null(ex.InnerException);
         }
 
         [Fact]
@@ -135,9 +171,16 @@ public async Task UnexpectedSignError()
                 factory, GoogleCredential.FromAccessToken("token"), "test-service-account");
             Assert.Equal("test-service-account", await signer.GetKeyIdAsync());
             byte[] data = Encoding.UTF8.GetBytes("Hello world");
-            var ex = await Assert.ThrowsAsync<FirebaseException>(
+            var ex = await Assert.ThrowsAsync<FirebaseAuthException>(
                 async () => await signer.SignDataAsync(data));
-            Assert.Contains("not json", ex.Message);
+
+            Assert.Equal(ErrorCode.Internal, ex.ErrorCode);
+            Assert.Equal(
+                $"Unexpected HTTP response with status: 500 (InternalServerError)\nnot json",
+                ex.Message);
+            Assert.Null(ex.AuthErrorCode);
+            Assert.NotNull(ex.HttpResponse);
+            Assert.Null(ex.InnerException);
         }
     }
 }

FirebaseAdmin/FirebaseAdmin/Auth/FirebaseAuth.cs

@@ -105,7 +105,9 @@ public static FirebaseAuth GetAuth(FirebaseApp app)
         /// <returns>A task that completes with a Firebase custom token.</returns>
         /// <exception cref="ArgumentException">If <paramref name="uid"/> is null, empty or longer
         /// than 128 characters.</exception>
-        /// <exception cref="FirebaseException">If an error occurs while creating a custom
+        /// <exception cref="InvalidOperationException">If no service account can be discovered
+        /// from either the <see cref="AppOptions"/> or the deployment environment.</exception>
+        /// <exception cref="FirebaseAuthException">If an error occurs while creating a custom
         /// token.</exception>
         /// <param name="uid">The UID to store in the token. This identifies the user to other
         /// Firebase services (Realtime Database, Firebase Auth, etc.). Must not be longer than
@@ -142,7 +144,9 @@ public async Task<string> CreateCustomTokenAsync(string uid)
         /// <returns>A task that completes with a Firebase custom token.</returns>
         /// <exception cref="ArgumentException">If <paramref name="uid"/> is null, empty or longer
         /// than 128 characters.</exception>
-        /// <exception cref="FirebaseException">If an error occurs while creating a custom
+        /// <exception cref="InvalidOperationException">If no service account can be discovered
+        /// from either the <see cref="AppOptions"/> or the deployment environment.</exception>
+        /// <exception cref="FirebaseAuthException">If an error occurs while creating a custom
         /// token.</exception>
         /// <param name="uid">The UID to store in the token. This identifies the user to other
         /// Firebase services (Realtime Database, Firebase Auth, etc.). Must not be longer than
@@ -169,7 +173,9 @@ public async Task<string> CreateCustomTokenAsync(
         /// <exception cref="ArgumentException">If <paramref name="uid"/> is null, empty or longer
         /// than 128 characters. Or, if <paramref name="developerClaims"/> contains any standard
         /// JWT claims.</exception>
-        /// <exception cref="FirebaseException">If an error occurs while creating a custom
+        /// <exception cref="InvalidOperationException">If no service account can be discovered
+        /// from either the <see cref="AppOptions"/> or the deployment environment.</exception>
+        /// <exception cref="FirebaseAuthException">If an error occurs while creating a custom
         /// token.</exception>
         /// <param name="uid">The UID to store in the token. This identifies the user to other
         /// Firebase services (Realtime Database, Firebase Auth, etc.). Must not be longer than
@@ -197,7 +203,9 @@ public async Task<string> CreateCustomTokenAsync(
         /// <exception cref="ArgumentException">If <paramref name="uid"/> is null, empty or longer
         /// than 128 characters. Or, if <paramref name="developerClaims"/> contains any standard
         /// JWT claims.</exception>
-        /// <exception cref="FirebaseException">If an error occurs while creating a custom
+        /// <exception cref="InvalidOperationException">If no service account can be discovered
+        /// from either the <see cref="AppOptions"/> or the deployment environment.</exception>
+        /// <exception cref="FirebaseAuthException">If an error occurs while creating a custom
         /// token.</exception>
         /// <param name="uid">The UID to store in the token. This identifies the user to other
         /// Firebase services (Realtime Database, Firebase Auth, etc.). Must not be longer than

FirebaseAdmin/FirebaseAdmin/Auth/IAMSigner.cs

@@ -13,14 +13,13 @@
 // limitations under the License.
 
 using System;
-using System.Net;
 using System.Net.Http;
 using System.Threading;
 using System.Threading.Tasks;
+using FirebaseAdmin.Util;
 using Google.Apis.Auth.OAuth2;
 using Google.Apis.Http;
 using Google.Apis.Json;
-using Google.Apis.Util;
 
 namespace FirebaseAdmin.Auth
 {
@@ -38,14 +37,21 @@ internal class IAMSigner : ISigner
             "https://iam.googleapis.com/v1/projects/-/serviceAccounts/{0}:signBlob";
 
         private const string MetadataServerUrl =
-            "http://metadata/computeMetadata/v1/instance/service-accounts/default/email";
+            "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email";
 
-        private readonly ConfigurableHttpClient httpClient;
+        private readonly ErrorHandlingHttpClient<FirebaseAuthException> httpClient;
         private readonly Lazy<Task<string>> keyId;
 
         public IAMSigner(HttpClientFactory clientFactory, GoogleCredential credential)
         {
-            this.httpClient = clientFactory.CreateAuthorizedHttpClient(credential);
+            this.httpClient = new ErrorHandlingHttpClient<FirebaseAuthException>(
+                new ErrorHandlingHttpClientArgs<FirebaseAuthException>()
+                {
+                    HttpClientFactory = clientFactory,
+                    ErrorResponseHandler = IAMSignerErrorHandler.Instance,
+                    RequestExceptionHandler = AuthErrorHandler.Instance,
+                    DeserializeExceptionHandler = AuthErrorHandler.Instance,
+                });
             this.keyId = new Lazy<Task<string>>(
                 async () => await DiscoverServiceAccountIdAsync(clientFactory)
                     .ConfigureAwait(false), true);
@@ -55,25 +61,21 @@ public async Task<byte[]> SignDataAsync(
             byte[] data, CancellationToken cancellationToken = default(CancellationToken))
         {
             var keyId = await this.GetKeyIdAsync(cancellationToken).ConfigureAwait(false);
-            var url = string.Format(SignBlobUrl, keyId);
-            var request = new SignBlobRequest
+            var body = new SignBlobRequest
             {
                 BytesToSign = Convert.ToBase64String(data),
             };
-
-            try
-            {
-                var response = await this.httpClient.PostJsonAsync(url, request, cancellationToken)
-                    .ConfigureAwait(false);
-                var json = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
-                this.ThrowIfError(response, json);
-                var parsed = NewtonsoftJsonSerializer.Instance.Deserialize<SignBlobResponse>(json);
-                return Convert.FromBase64String(parsed.Signature);
-            }
-            catch (HttpRequestException e)
+            var request = new HttpRequestMessage()
             {
-                throw new FirebaseException("Error while calling the IAM service.", e);
-            }
+                Method = HttpMethod.Post,
+                RequestUri = new Uri(string.Format(SignBlobUrl, keyId)),
+                Content = NewtonsoftJsonSerializer.Instance.CreateJsonHttpContent(body),
+            };
+
+            var response = await this.httpClient
+                .SendAndDeserializeAsync<SignBlobResponse>(request, cancellationToken)
+                .ConfigureAwait(false);
+            return Convert.FromBase64String(response.Result.Signature);
         }
 
         public virtual async Task<string> GetKeyIdAsync(
@@ -85,7 +87,8 @@ public virtual async Task<string> GetKeyIdAsync(
             }
             catch (Exception e)
             {
-                throw new FirebaseException(
+                // Invalid configuration or environment error.
+                throw new InvalidOperationException(
                     "Failed to determine service account ID. Make sure to initialize the SDK "
                         + "with service account credentials or specify a service account "
                         + "ID with iam.serviceAccounts.signBlob permission. Please refer to "
@@ -105,38 +108,12 @@ private static async Task<string> DiscoverServiceAccountIdAsync(
             using (var client = clientFactory.CreateDefaultHttpClient())
             {
                 client.DefaultRequestHeaders.Add("Metadata-Flavor", "Google");
-                return await client.GetStringAsync(MetadataServerUrl).ConfigureAwait(false);
+                var resp = await client.GetAsync(MetadataServerUrl).ConfigureAwait(false);
+                resp.EnsureSuccessStatusCode();
+                return await resp.Content.ReadAsStringAsync().ConfigureAwait(false);
             }
         }
 
-        private void ThrowIfError(HttpResponseMessage response, string content)
-        {
-            if (response.IsSuccessStatusCode)
-            {
-                return;
-            }
-
-            string error = null;
-            try
-            {
-                var result = NewtonsoftJsonSerializer.Instance.Deserialize<SignBlobError>(content);
-                error = result?.Error.Message;
-            }
-            catch (Exception)
-            {
-                // Ignore any errors encountered while parsing the originl error.
-            }
-
-            if (string.IsNullOrEmpty(error))
-            {
-                error = "Response status code does not indicate success: "
-                    + $"{(int)response.StatusCode} ({response.StatusCode})"
-                    + $"{Environment.NewLine}{content}";
-            }
-
-            throw new FirebaseException(error);
-        }
-
         /// <summary>
         /// Represents the sign request sent to the remote IAM service.
         /// </summary>
@@ -155,22 +132,16 @@ internal class SignBlobResponse
             public string Signature { get; set; }
         }
 
-        /// <summary>
-        /// Represents an error response sent by the remote IAM service.
-        /// </summary>
-        private class SignBlobError
+        private class IAMSignerErrorHandler : PlatformErrorHandler<FirebaseAuthException>
         {
-            [Newtonsoft.Json.JsonProperty("error")]
-            public SignBlobErrorDetail Error { get; set; }
-        }
+            internal static readonly IAMSignerErrorHandler Instance = new IAMSignerErrorHandler();
 
-        /// <summary>
-        /// Represents the error details embedded in an IAM error response.
-        /// </summary>
-        private class SignBlobErrorDetail
-        {
-            [Newtonsoft.Json.JsonProperty("message")]
-            public string Message { get; set; }
+            private IAMSignerErrorHandler() { }
+
+            protected override FirebaseAuthException CreateException(FirebaseExceptionArgs args)
+            {
+                return new FirebaseAuthException(args.Code, args.Message, response: args.HttpResponse);
+            }
         }
     }
 }

FirebaseAdmin/FirebaseAdmin/FirebaseException.cs

@@ -22,12 +22,6 @@ namespace FirebaseAdmin
     /// </summary>
     public class FirebaseException : Exception
     {
-        internal FirebaseException(string message)
-        : base(message) { } // TODO: Remove this constructor
-
-        internal FirebaseException(string message, Exception inner)
-        : base(message, inner) { } // TODO: Remove this constructor
-
         internal FirebaseException(
             ErrorCode code,
             string message,
@@ -42,8 +36,12 @@ internal FirebaseException(
         /// <summary>
         /// Gets the platform-wide error code associated with this exception.
         /// </summary>
-        internal ErrorCode ErrorCode { get; private set; } // TODO: Expose this as public
+        public ErrorCode ErrorCode { get; private set; }
 
-        internal HttpResponseMessage HttpResponse { get; private set; }
+        /// <summary>
+        /// Gets the HTTP response that resulted in this exception. Null, if the exception was not
+        /// caused by an HTTP error response.
+        /// </summary>
+        public HttpResponseMessage HttpResponse { get; private set; }
     }
 }

FirebaseAdmin/FirebaseAdmin/Messaging/WebpushNotification.cs

@@ -164,7 +164,7 @@ private string DirectionString
                         this.Direction = Messaging.Direction.RightToLeft;
                         return;
                     default:
-                        throw new FirebaseException(
+                        throw new ArgumentException(
                             $"Invalid direction value: {value}. Only 'auto', 'rtl' and 'ltr' "
                             + "are allowed.");
                 }