feat(auth): Added revocation check support for VerifyIdTokenAsync() (#172)

* feat(auth): Added revocation check support for VerifyIdTokenAsync()

* Fixed a typo in internal method name

* Moving the new error code to the end of the enum

* Updated copyright year

Author: hiranya911

FirebaseAdmin/FirebaseAdmin.Tests/Auth/FirebaseAuthTest.cs

@@ -127,7 +127,7 @@ public async Task CreateCustomTokenInvalidCredential()
         public async Task VerifyIdTokenNoProjectId()
         {
             FirebaseApp.Create(new AppOptions() { Credential = MockCredential });
-            var idToken = await FirebaseTokenVerifierTest.CreateTestTokenAsync();
+            var idToken = await IdTokenVerificationTest.CreateTestTokenAsync();
             await Assert.ThrowsAsync<ArgumentException>(
                 async () => await FirebaseAuth.DefaultInstance.VerifyIdTokenAsync(idToken));
         }
@@ -142,7 +142,7 @@ public async Task VerifyIdTokenCancel()
             });
             var canceller = new CancellationTokenSource();
             canceller.Cancel();
-            var idToken = await FirebaseTokenVerifierTest.CreateTestTokenAsync();
+            var idToken = await IdTokenVerificationTest.CreateTestTokenAsync();
             await Assert.ThrowsAnyAsync<OperationCanceledException>(
                 async () => await FirebaseAuth.DefaultInstance.VerifyIdTokenAsync(
                     idToken, canceller.Token));

FirebaseAdmin/FirebaseAdmin.Tests/Auth/FirebaseTokenVerifierTest.cs

@@ -13,256 +13,24 @@
 // limitations under the License.
 
 using System;
-using System.Collections.Generic;
-using System.Collections.Immutable;
-using System.IO;
-using System.Security.Cryptography;
-using System.Security.Cryptography.X509Certificates;
-using System.Threading;
-using System.Threading.Tasks;
-using FirebaseAdmin.Tests;
 using Google.Apis.Auth.OAuth2;
-using Google.Apis.Util;
 using Xunit;
 
 namespace FirebaseAdmin.Auth.Tests
 {
     public class FirebaseTokenVerifierTest : IDisposable
     {
-        private const long ClockSkewSeconds = 5 * 60;
-
-        private static readonly IPublicKeySource KeySource = new FileSystemPublicKeySource(
-            "./resources/public_cert.pem");
-
-        private static readonly IClock Clock = new MockClock();
-
-        private static readonly ISigner Signer = CreateTestSigner();
-
-        private static readonly FirebaseTokenVerifier TokenVerifier = new FirebaseTokenVerifier(
-            new FirebaseTokenVerifierArgs()
-        {
-            ProjectId = "test-project",
-            ShortName = "ID token",
-            Operation = "VerifyIdTokenAsync()",
-            Url = "https://firebase.google.com/docs/auth/admin/verify-id-tokens",
-            Issuer = "https://securetoken.google.com/",
-            Clock = Clock,
-            PublicKeySource = KeySource,
-        });
-
         private static readonly GoogleCredential MockCredential =
             GoogleCredential.FromAccessToken("test-token");
 
         [Fact]
-        public async Task ValidToken()
-        {
-            var payload = new Dictionary<string, object>()
-            {
-                { "foo", "bar" },
-            };
-            var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
-            var decoded = await TokenVerifier.VerifyTokenAsync(idToken);
-            Assert.Equal("testuser", decoded.Uid);
-            Assert.Equal("test-project", decoded.Audience);
-            Assert.Equal("testuser", decoded.Subject);
-
-            // The default test token created by CreateTestTokenAsync has an issue time 10 minutes
-            // ago, and an expiry time 50 minutes in the future.
-            Assert.Equal(Clock.UnixTimestamp() - (60 * 10), decoded.IssuedAtTimeSeconds);
-            Assert.Equal(Clock.UnixTimestamp() + (60 * 50), decoded.ExpirationTimeSeconds);
-            Assert.Single(decoded.Claims);
-            object value;
-            Assert.True(decoded.Claims.TryGetValue("foo", out value));
-            Assert.Equal("bar", value);
-        }
-
-        [Fact]
-        public async Task InvalidArgument()
-        {
-            await Assert.ThrowsAsync<ArgumentException>(
-                async () => await TokenVerifier.VerifyTokenAsync(null));
-            await Assert.ThrowsAsync<ArgumentException>(
-                async () => await TokenVerifier.VerifyTokenAsync(string.Empty));
-        }
-
-        [Fact]
-        public async Task MalformedToken()
-        {
-            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
-                async () => await TokenVerifier.VerifyTokenAsync("not-a-token"));
-
-            this.CheckException(exception, "Incorrect number of segments in ID token.");
-        }
-
-        [Fact]
-        public async Task NoKid()
-        {
-            var header = new Dictionary<string, object>()
-            {
-                { "kid", string.Empty },
-            };
-            var idToken = await CreateTestTokenAsync(headerOverrides: header);
-            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
-                async () => await TokenVerifier.VerifyTokenAsync(idToken));
-
-            this.CheckException(exception, "Firebase ID token has no 'kid' claim.");
-        }
-
-        [Fact]
-        public async Task IncorrectKid()
-        {
-            var header = new Dictionary<string, object>()
-            {
-                { "kid", "incorrect-key-id" },
-            };
-            var idToken = await CreateTestTokenAsync(headerOverrides: header);
-            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
-                async () => await TokenVerifier.VerifyTokenAsync(idToken));
-
-            this.CheckException(exception, "Failed to verify ID token signature.");
-        }
-
-        [Fact]
-        public async Task IncorrectAlgorithm()
-        {
-            var header = new Dictionary<string, object>()
-            {
-                { "alg", "HS256" },
-            };
-            var idToken = await CreateTestTokenAsync(headerOverrides: header);
-            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
-                async () => await TokenVerifier.VerifyTokenAsync(idToken));
-
-            var expectedMessage = "Firebase ID token has incorrect algorithm."
-                + " Expected RS256 but got HS256.";
-            this.CheckException(exception, expectedMessage);
-        }
-
-        [Fact]
-        public async Task Expired()
-        {
-            var expiryTime = Clock.UnixTimestamp() - (ClockSkewSeconds + 1);
-            var payload = new Dictionary<string, object>()
-            {
-                { "exp", expiryTime },
-            };
-            var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
-            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
-                async () => await TokenVerifier.VerifyTokenAsync(idToken));
-
-            var expectedMessage = $"Firebase ID token expired at {expiryTime}. "
-                + $"Expected to be greater than {Clock.UnixTimestamp()}.";
-            this.CheckException(exception, expectedMessage, AuthErrorCode.ExpiredIdToken);
-        }
-
-        [Fact]
-        public async Task ExpiryTimeInAcceptableRange()
-        {
-            var expiryTimeSeconds = Clock.UnixTimestamp() - ClockSkewSeconds;
-            var payload = new Dictionary<string, object>()
-            {
-                { "exp", expiryTimeSeconds },
-            };
-            var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
-
-            var decoded = await TokenVerifier.VerifyTokenAsync(idToken);
-
-            Assert.Equal("testuser", decoded.Uid);
-            Assert.Equal(expiryTimeSeconds, decoded.ExpirationTimeSeconds);
-        }
-
-        [Fact]
-        public async Task InvalidIssuedAt()
-        {
-            var issuedAt = Clock.UnixTimestamp() + (ClockSkewSeconds + 1);
-            var payload = new Dictionary<string, object>()
-            {
-                { "iat", issuedAt },
-            };
-            var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
-            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
-                async () => await TokenVerifier.VerifyTokenAsync(idToken));
-
-            var expectedMessage = $"Firebase ID token issued at future timestamp {issuedAt}.";
-            this.CheckException(exception, expectedMessage);
-        }
-
-        [Fact]
-        public async Task IssuedAtInAcceptableRange()
+        public void NoProjectId()
         {
-            var issuedAtSeconds = Clock.UnixTimestamp() + ClockSkewSeconds;
-            var payload = new Dictionary<string, object>()
-            {
-                { "iat", issuedAtSeconds },
-            };
-            var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
-
-            var decoded = await TokenVerifier.VerifyTokenAsync(idToken);
-
-            Assert.Equal("testuser", decoded.Uid);
-            Assert.Equal(issuedAtSeconds, decoded.IssuedAtTimeSeconds);
-        }
-
-        [Fact]
-        public async Task InvalidIssuer()
-        {
-            var payload = new Dictionary<string, object>()
-            {
-                { "iss", "wrong-issuer" },
-            };
-            var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
-            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
-                async () => await TokenVerifier.VerifyTokenAsync(idToken));
-
-            var expectedMessage = "ID token has incorrect issuer (iss) claim.";
-            this.CheckException(exception, expectedMessage);
-        }
-
-        [Fact]
-        public async Task InvalidAudience()
-        {
-            var payload = new Dictionary<string, object>()
-            {
-                { "aud", "wrong-audience" },
-            };
-            var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
-            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
-                async () => await TokenVerifier.VerifyTokenAsync(idToken));
-
-            var expectedMessage = "ID token has incorrect audience (aud) claim."
-                + " Expected test-project but got wrong-audience";
-            this.CheckException(exception, expectedMessage);
-        }
-
-        [Fact]
-        public async Task EmptySubject()
-        {
-            var payload = new Dictionary<string, object>()
-            {
-                { "sub", string.Empty },
-            };
-            var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
-            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
-                async () => await TokenVerifier.VerifyTokenAsync(idToken));
-
-            var expectedMessage = "Firebase ID token has no or empty subject (sub) claim.";
-            this.CheckException(exception, expectedMessage);
-        }
-
-        [Fact]
-        public async Task LongSubject()
-        {
-            var payload = new Dictionary<string, object>()
+            var app = FirebaseApp.Create(new AppOptions()
             {
-                { "sub", new string('a', 129) },
-            };
-            var idToken = await CreateTestTokenAsync(payloadOverrides: payload);
-            var exception = await Assert.ThrowsAsync<FirebaseAuthException>(
-                async () => await TokenVerifier.VerifyTokenAsync(idToken));
-
-            var expectedMessage = "Firebase ID token has a subject claim longer than"
-                + " 128 characters.";
-            this.CheckException(exception, expectedMessage);
+                Credential = MockCredential,
+            });
+            Assert.Throws<ArgumentException>(() => FirebaseTokenVerifier.CreateIDTokenVerifier(app));
         }
 
         [Fact]
@@ -311,84 +79,5 @@ public void Dispose()
         {
             FirebaseApp.DeleteAll();
         }
-
-        /// <summary>
-        /// Creates a mock ID token for testing purposes. By default the created token has an issue
-        /// time 10 minutes ago, and an expirty time 50 minutes into the future. All header and
-        /// payload claims can be overridden if needed.
-        /// </summary>
-        internal static async Task<string> CreateTestTokenAsync(
-            Dictionary<string, object> headerOverrides = null,
-            Dictionary<string, object> payloadOverrides = null)
-        {
-            var header = new Dictionary<string, object>()
-            {
-                { "alg", "RS256" },
-                { "typ", "jwt" },
-                { "kid", "test-key-id" },
-            };
-            if (headerOverrides != null)
-            {
-                foreach (var entry in headerOverrides)
-                {
-                    header[entry.Key] = entry.Value;
-                }
-            }
-
-            var payload = new Dictionary<string, object>()
-            {
-                { "sub", "testuser" },
-                { "iss", "https://securetoken.google.com/test-project" },
-                { "aud", "test-project" },
-                { "iat", Clock.UnixTimestamp() - (60 * 10) },
-                { "exp", Clock.UnixTimestamp() + (60 * 50) },
-            };
-            if (payloadOverrides != null)
-            {
-                foreach (var entry in payloadOverrides)
-                {
-                    payload[entry.Key] = entry.Value;
-                }
-            }
-
-            return await JwtUtils.CreateSignedJwtAsync(header, payload, Signer);
-        }
-
-        private static ISigner CreateTestSigner()
-        {
-            var credential = GoogleCredential.FromFile("./resources/service_account.json");
-            var serviceAccount = (ServiceAccountCredential)credential.UnderlyingCredential;
-            return new ServiceAccountSigner(serviceAccount);
-        }
-
-        private void CheckException(
-            FirebaseAuthException exception,
-            string prefix,
-            AuthErrorCode errorCode = AuthErrorCode.InvalidIdToken)
-        {
-            Assert.Equal(ErrorCode.InvalidArgument, exception.ErrorCode);
-            Assert.StartsWith(prefix, exception.Message);
-            Assert.Equal(errorCode, exception.AuthErrorCode);
-            Assert.Null(exception.InnerException);
-            Assert.Null(exception.HttpResponse);
-        }
-    }
-
-    internal class FileSystemPublicKeySource : IPublicKeySource
-    {
-        private IReadOnlyList<PublicKey> rsa;
-
-        public FileSystemPublicKeySource(string file)
-        {
-            var x509cert = new X509Certificate2(File.ReadAllBytes(file));
-            var rsa = (RSA)x509cert.PublicKey.Key;
-            this.rsa = ImmutableList.Create(new PublicKey("test-key-id", rsa));
-        }
-
-        public Task<IReadOnlyList<PublicKey>> GetPublicKeysAsync(
-            CancellationToken cancellationToken)
-        {
-            return Task.FromResult(this.rsa);
-        }
     }
 }