fix: Set quota project ID for ADC human accounts

Author: lahirumaramba

src/app/credential-internal.ts

@@ -39,6 +39,7 @@ export class ApplicationDefaultCredential implements Credential {
   private readonly googleAuth: GoogleAuth;
   private authClient: AnyAuthClient;
   private projectId?: string;
+  private quotaProjectId?: string;
   private accountId?: string;
 
   constructor(httpAgent?: Agent) {
@@ -58,6 +59,7 @@ export class ApplicationDefaultCredential implements Credential {
     }
     await this.authClient.getAccessToken();
     const credentials = this.authClient.credentials;
+    this.quotaProjectId = this.authClient.quotaProjectId;
     return populateCredential(credentials);
   }
 
@@ -68,6 +70,13 @@ export class ApplicationDefaultCredential implements Credential {
     return Promise.resolve(this.projectId);
   }
 
+  public getQuotaProjectId(): string | undefined {
+    if (!this.quotaProjectId) {
+      this.quotaProjectId = this.authClient.quotaProjectId;
+    }
+    return this.quotaProjectId;
+  }
+
   public async isComputeEngineCredential(): Promise<boolean> {
     if (!this.authClient) {
       this.authClient = await this.googleAuth.getClient();

src/utils/api-request.ts

@@ -26,6 +26,7 @@ import url = require('url');
 import { EventEmitter } from 'events';
 import { Readable } from 'stream';
 import * as zlibmod from 'zlib';
+import { ApplicationDefaultCredential } from '../app/credential-internal';
 
 /** Http method type definition. */
 export type HttpMethod = 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | 'HEAD';
@@ -1076,10 +1077,16 @@ export class AuthorizedHttpClient extends HttpClient {
       const authHeader = 'Authorization';
       requestCopy.headers[authHeader] = `Bearer ${token}`;
 
-      // Fix issue where firebase-admin does not specify quota project that is
-      // necessary for use when utilizing human account with ADC (RSDF)
-      if (!requestCopy.headers['x-goog-user-project'] && this.app.options.projectId) {
-        requestCopy.headers['x-goog-user-project'] = this.app.options.projectId
+      let quotaProjectId: string | undefined;
+      if (process.env.GOOGLE_CLOUD_QUOTA_PROJECT) {
+        quotaProjectId = process.env.GOOGLE_CLOUD_QUOTA_PROJECT;
+      }
+      else if (this.app.options.credential instanceof ApplicationDefaultCredential){
+        quotaProjectId = this.app.options.credential.getQuotaProjectId();
+      }
+
+      if (!requestCopy.headers['x-goog-user-project'] && validator.isNonEmptyString(quotaProjectId)) {
+        requestCopy.headers['x-goog-user-project'] = quotaProjectId;
       }
 
       if (!requestCopy.httpAgent && this.app.options.httpAgent) {

test/integration/setup.ts

@@ -19,7 +19,7 @@ import minimist = require('minimist');
 import path = require('path');
 import { random } from 'lodash';
 import {
-  App, Credential, GoogleOAuthAccessToken, cert, deleteApp, initializeApp,
+  App, Credential, GoogleOAuthAccessToken, applicationDefault, cert, deleteApp, initializeApp,
 } from '../../lib/app/index'
 
 // eslint-disable-next-line @typescript-eslint/no-var-requires
@@ -87,7 +87,8 @@ before(() => {
   storageBucket = projectId + '.appspot.com';
 
   defaultApp = initializeApp({
-    ...getCredential(),
+    //...getCredential(),
+    credential: applicationDefault(),
     projectId,
     databaseURL: databaseUrl,
     storageBucket,