auth: Add credential service (#1011)

Author: MathBunny

src/auth/token-generator.ts

@@ -15,7 +15,7 @@
  */
 
 import { FirebaseApp } from '../firebase-app';
-import { ServiceAccountCredential } from './credential';
+import { ServiceAccountCredential } from '../credential/credential';
 import { AuthClientErrorCode, FirebaseAuthError } from '../utils/error';
 import { AuthorizedHttpClient, HttpError, HttpRequestConfig, HttpClient } from '../utils/api-request';
 

src/credential.d.ts

@@ -0,0 +1,147 @@
+import * as _admin from './index.d';
+import { Agent } from 'http';
+
+export namespace admin.credential {
+  /**
+   * Interface that provides Google OAuth2 access tokens used to authenticate
+   * with Firebase services.
+   *
+   * In most cases, you will not need to implement this yourself and can instead
+   * use the default implementations provided by
+   * {@link admin.credential `admin.credential`}.
+   */
+  interface Credential {
+
+    /**
+     * Returns a Google OAuth2 access token object used to authenticate with
+     * Firebase services.
+     *
+     * This object contains the following properties:
+     * * `access_token` (`string`): The actual Google OAuth2 access token.
+     * * `expires_in` (`number`): The number of seconds from when the token was
+     *   issued that it expires.
+     *
+     * @return A Google OAuth2 access token object.
+     */
+    getAccessToken(): Promise<_admin.GoogleOAuthAccessToken>;
+  }
+
+
+  /**
+   * Returns a credential created from the
+   * {@link
+   *    https://developers.google.com/identity/protocols/application-default-credentials
+   *    Google Application Default Credentials}
+   * that grants admin access to Firebase services. This credential can be used
+   * in the call to
+   * {@link
+   *   https://firebase.google.com/docs/reference/admin/node/admin#.initializeApp
+   *  `admin.initializeApp()`}.
+   *
+   * Google Application Default Credentials are available on any Google
+   * infrastructure, such as Google App Engine and Google Compute Engine.
+   *
+   * See
+   * {@link
+   *   https://firebase.google.com/docs/admin/setup#initialize_the_sdk
+   *   Initialize the SDK}
+   * for more details.
+   *
+   * @example
+   * ```javascript
+   * admin.initializeApp({
+   *   credential: admin.credential.applicationDefault(),
+   *   databaseURL: "https://<DATABASE_NAME>.firebaseio.com"
+   * });
+   * ```
+   *
+   * @param {!Object=} httpAgent Optional [HTTP Agent](https://nodejs.org/api/http.html#http_class_http_agent)
+   *   to be used when retrieving access tokens from Google token servers.
+   *
+   * @return {!admin.credential.Credential} A credential authenticated via Google
+   *   Application Default Credentials that can be used to initialize an app.
+   */
+  function applicationDefault(httpAgent?: Agent): admin.credential.Credential;
+
+  /**
+   * Returns a credential created from the provided service account that grants
+   * admin access to Firebase services. This credential can be used in the call
+   * to
+   * {@link
+   *   https://firebase.google.com/docs/reference/admin/node/admin#.initializeApp
+   *   `admin.initializeApp()`}.
+   *
+   * See
+   * {@link
+   *   https://firebase.google.com/docs/admin/setup#initialize_the_sdk
+   *   Initialize the SDK}
+   * for more details.
+   *
+   * @example
+   * ```javascript
+   * // Providing a path to a service account key JSON file
+   * var serviceAccount = require("path/to/serviceAccountKey.json");
+   * admin.initializeApp({
+   *   credential: admin.credential.cert(serviceAccount),
+   *   databaseURL: "https://<DATABASE_NAME>.firebaseio.com"
+   * });
+   * ```
+   *
+   * @example
+   * ```javascript
+   * // Providing a service account object inline
+   * admin.initializeApp({
+   *   credential: admin.credential.cert({
+   *     projectId: "<PROJECT_ID>",
+   *     clientEmail: "foo@<PROJECT_ID>.iam.gserviceaccount.com",
+   *     privateKey: "-----BEGIN PRIVATE KEY-----<KEY>-----END PRIVATE KEY-----\n"
+   *   }),
+   *   databaseURL: "https://<DATABASE_NAME>.firebaseio.com"
+   * });
+   * ```
+   *
+   * @param serviceAccountPathOrObject The path to a service
+   *   account key JSON file or an object representing a service account key.
+   * @param httpAgent Optional [HTTP Agent](https://nodejs.org/api/http.html#http_class_http_agent)
+   *   to be used when retrieving access tokens from Google token servers.
+   *
+   * @return A credential authenticated via the
+   *   provided service account that can be used to initialize an app.
+   */
+  function cert(serviceAccountPathOrObject: string | _admin.ServiceAccount, httpAgent?: Agent): admin.credential.Credential;
+
+  /**
+   * Returns a credential created from the provided refresh token that grants
+   * admin access to Firebase services. This credential can be used in the call
+   * to
+   * {@link
+   *   https://firebase.google.com/docs/reference/admin/node/admin#.initializeApp
+   *   `admin.initializeApp()`}.
+   *
+   * See
+   * {@link
+   *   https://firebase.google.com/docs/admin/setup#initialize_the_sdk
+   *   Initialize the SDK}
+   * for more details.
+   *
+   * @example
+   * ```javascript
+   * // Providing a path to a refresh token JSON file
+   * var refreshToken = require("path/to/refreshToken.json");
+   * admin.initializeApp({
+   *   credential: admin.credential.refreshToken(refreshToken),
+   *   databaseURL: "https://<DATABASE_NAME>.firebaseio.com"
+   * });
+   * ```
+   *
+   * @param refreshTokenPathOrObject The path to a Google
+   *   OAuth2 refresh token JSON file or an object representing a Google OAuth2
+   *   refresh token.
+   * @param httpAgent Optional [HTTP Agent](https://nodejs.org/api/http.html#http_class_http_agent)
+   *   to be used when retrieving access tokens from Google token servers.
+   *
+   * @return A credential authenticated via the
+   *   provided service account that can be used to initialize an app.
+   */
+  function refreshToken(refreshTokenPathOrObject: string | object, httpAgent?: Agent): admin.credential.Credential;
+}

src/auth/credential.ts renamed to src/credential/credential.ts

@@ -53,6 +53,10 @@ const REFRESH_TOKEN_PATH = '/oauth2/v4/token';
 const ONE_HOUR_IN_SECONDS = 60 * 60;
 const JWT_ALGORITHM = 'RS256';
 
+let globalAppDefaultCred: Credential;
+const globalCertCreds: { [key: string]: ServiceAccountCredential } = {};
+const globalRefreshTokenCreds: { [key: string]: RefreshTokenCredential } = {};
+
 /**
  * Interface for Google OAuth 2.0 access tokens.
  */
@@ -64,12 +68,164 @@ export interface GoogleOAuthAccessToken {
 }
 
 /**
- * Interface for things that generate access tokens.
+ * Interface that provides Google OAuth2 access tokens used to authenticate
+ * with Firebase services.
+ *
+ * In most cases, you will not need to implement this yourself and can instead
+ * use the default implementations provided by
+ * {@link admin.credential `admin.credential`}.
  */
 export interface Credential {
+  /**
+   * Returns a Google OAuth2 access token object used to authenticate with
+   * Firebase services.
+   *
+   * This object contains the following properties:
+   * * `access_token` (`string`): The actual Google OAuth2 access token.
+   * * `expires_in` (`number`): The number of seconds from when the token was
+   *   issued that it expires.
+   *
+   * @return A Google OAuth2 access token object.
+   */
   getAccessToken(): Promise<GoogleOAuthAccessToken>;
 }
 
+/**
+ * Returns a credential created from the
+ * {@link
+ *    https://developers.google.com/identity/protocols/application-default-credentials
+ *    Google Application Default Credentials}
+ * that grants admin access to Firebase services. This credential can be used
+ * in the call to
+ * {@link
+ *   https://firebase.google.com/docs/reference/admin/node/admin#.initializeApp
+ *  `admin.initializeApp()`}.
+ *
+ * Google Application Default Credentials are available on any Google
+ * infrastructure, such as Google App Engine and Google Compute Engine.
+ *
+ * See
+ * {@link
+ *   https://firebase.google.com/docs/admin/setup#initialize_the_sdk
+ *   Initialize the SDK}
+ * for more details.
+ *
+ * @example
+ * ```javascript
+ * admin.initializeApp({
+ *   credential: admin.credential.applicationDefault(),
+ *   databaseURL: "https://<DATABASE_NAME>.firebaseio.com"
+ * });
+ * ```
+ *
+ * @param {!Object=} httpAgent Optional [HTTP Agent](https://nodejs.org/api/http.html#http_class_http_agent)
+ *   to be used when retrieving access tokens from Google token servers.
+ *
+ * @return {!admin.credential.Credential} A credential authenticated via Google
+ *   Application Default Credentials that can be used to initialize an app.
+ */
+export function applicationDefault(httpAgent?: Agent): Credential {
+  if (typeof globalAppDefaultCred === 'undefined') {
+    globalAppDefaultCred = getApplicationDefault(httpAgent);
+  }
+  return globalAppDefaultCred;
+}
+
+/**
+ * Returns a credential created from the provided service account that grants
+ * admin access to Firebase services. This credential can be used in the call
+ * to
+ * {@link
+ *   https://firebase.google.com/docs/reference/admin/node/admin#.initializeApp
+ *   `admin.initializeApp()`}.
+ *
+ * See
+ * {@link
+ *   https://firebase.google.com/docs/admin/setup#initialize_the_sdk
+ *   Initialize the SDK}
+ * for more details.
+ *
+ * @example
+ * ```javascript
+ * // Providing a path to a service account key JSON file
+ * var serviceAccount = require("path/to/serviceAccountKey.json");
+ * admin.initializeApp({
+ *   credential: admin.credential.cert(serviceAccount),
+ *   databaseURL: "https://<DATABASE_NAME>.firebaseio.com"
+ * });
+ * ```
+ *
+ * @example
+ * ```javascript
+ * // Providing a service account object inline
+ * admin.initializeApp({
+ *   credential: admin.credential.cert({
+ *     projectId: "<PROJECT_ID>",
+ *     clientEmail: "foo@<PROJECT_ID>.iam.gserviceaccount.com",
+ *     privateKey: "-----BEGIN PRIVATE KEY-----<KEY>-----END PRIVATE KEY-----\n"
+ *   }),
+ *   databaseURL: "https://<DATABASE_NAME>.firebaseio.com"
+ * });
+ * ```
+ *
+ * @param serviceAccountPathOrObject The path to a service
+ *   account key JSON file or an object representing a service account key.
+ * @param httpAgent Optional [HTTP Agent](https://nodejs.org/api/http.html#http_class_http_agent)
+ *   to be used when retrieving access tokens from Google token servers.
+ *
+ * @return A credential authenticated via the
+ *   provided service account that can be used to initialize an app.
+ */
+export function cert(serviceAccountPathOrObject: string | object, httpAgent?: Agent): Credential {
+  const stringifiedServiceAccount = JSON.stringify(serviceAccountPathOrObject);
+  if (!(stringifiedServiceAccount in globalCertCreds)) {
+    globalCertCreds[stringifiedServiceAccount] = new ServiceAccountCredential(serviceAccountPathOrObject, httpAgent);
+  }
+  return globalCertCreds[stringifiedServiceAccount];
+}
+
+/**
+ * Returns a credential created from the provided refresh token that grants
+ * admin access to Firebase services. This credential can be used in the call
+ * to
+ * {@link
+ *   https://firebase.google.com/docs/reference/admin/node/admin#.initializeApp
+ *   `admin.initializeApp()`}.
+ *
+ * See
+ * {@link
+ *   https://firebase.google.com/docs/admin/setup#initialize_the_sdk
+ *   Initialize the SDK}
+ * for more details.
+ *
+ * @example
+ * ```javascript
+ * // Providing a path to a refresh token JSON file
+ * var refreshToken = require("path/to/refreshToken.json");
+ * admin.initializeApp({
+ *   credential: admin.credential.refreshToken(refreshToken),
+ *   databaseURL: "https://<DATABASE_NAME>.firebaseio.com"
+ * });
+ * ```
+ *
+ * @param refreshTokenPathOrObject The path to a Google
+ *   OAuth2 refresh token JSON file or an object representing a Google OAuth2
+ *   refresh token.
+ * @param httpAgent Optional [HTTP Agent](https://nodejs.org/api/http.html#http_class_http_agent)
+ *   to be used when retrieving access tokens from Google token servers.
+ *
+ * @return A credential authenticated via the
+ *   provided service account that can be used to initialize an app.
+ */
+export function refreshToken(refreshTokenPathOrObject: string | object, httpAgent?: Agent): Credential {
+  const stringifiedRefreshToken = JSON.stringify(refreshTokenPathOrObject);
+  if (!(stringifiedRefreshToken in globalRefreshTokenCreds)) {
+    globalRefreshTokenCreds[stringifiedRefreshToken] = new RefreshTokenCredential(
+      refreshTokenPathOrObject, httpAgent);
+  }
+  return globalRefreshTokenCreds[stringifiedRefreshToken];
+}
+
 /**
  * Implementation of Credential that uses a service account.
  */

src/credential/index.ts

@@ -0,0 +1,35 @@
+/*!
+ * Copyright 2020 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import * as credentialApi from './credential';
+
+/**
+ * Temporarily, admin.credential is used as the namespace name because we
+ * cannot barrel re-export the contents from credential.ts, and we want it to
+ * match the namespacing in the re-export inside src/index.d.ts
+ */
+/* eslint-disable @typescript-eslint/no-namespace */
+export namespace admin.credential {
+  // See https://github.com/microsoft/TypeScript/issues/4336
+  /* eslint-disable @typescript-eslint/no-unused-vars */
+  // See https://github.com/typescript-eslint/typescript-eslint/issues/363
+  // Allows for exposing classes as interfaces in typings
+  /* eslint-disable @typescript-eslint/no-empty-interface */
+  export import Credential = credentialApi.Credential;
+  export const applicationDefault = credentialApi.applicationDefault;
+  export const cert = credentialApi.cert;
+  export const refreshToken = credentialApi.refreshToken;
+}

src/firebase-app.ts

@@ -14,7 +14,9 @@
  * limitations under the License.
  */
 
-import { Credential, GoogleOAuthAccessToken, getApplicationDefault } from './auth/credential';
+import {
+  Credential, GoogleOAuthAccessToken, getApplicationDefault
+} from './credential/credential';
 import * as validator from './utils/validator';
 import { deepCopy, deepExtend } from './utils/deep-copy';
 import { FirebaseServiceInterface } from './firebase-service';