App Check: optimize auto-refresh (#8232)

* App Attest provider: attestation sequence (#7971)

* App Attest provider: attestation sequence (#761)

* App Attest draft WIP

* FIRAppAttestProvider initializers

* ./scripts/style.sh

* FIRAppAttestProvider implementation draft

* Basic FIRAppAttestProviderTests and fixes

* style

* testGetTokenWhenAppAttestIsNotSupported

* More FIRAppAttestProviderTests

* Cleanup

* Remove unused file

* Availability annotations on DCAppAttestService category.

* Guard FIRAppAttestProvider with #if TARGET_OS_IOS

* Formatting

* Fix SPM

* app_check.yaml: Add diagnostics SPM builds

* fix yaml

* Fix Firebase-Package scheme bad merge

* Fix typo

* FIRAppAttestProvider: hide default init

* FIRAppAttestKeyIDStorage: methods placeholders

* Comments

* Fix updated block definition

* Implement app attest key ID storage (#8014)

* Implement FIRAppAttestKeyIDStorage

* Add FIRAppAttestKeyIDStorageTests

* Review [Draft]

* Style

* Docs updates

* Docs updates 2

* Review [Draft] 2

* Improve tests

* Improve test readability

* Improve test readability 2

* App Check App Attest workflow updates: initial handshake (#8032)

* Handshake adjustments (WIP)

* Introduce FIRAppAttestProviderState

* WIP: calculate attestation state

* WIP: calculate attestation state 2

* formatting

* Comments and moving code around

* Fix init in tests

* Fix state calculation flow

* Cleanup state calculation and fix tests.

* Cleanup and fixes.

* Comments

* formatting

* Fix import

* Typo fixes and additional comments

* FIRAppAttestInitialHandshakeResponse API

* Cleanup state calculation using FBLPromiseAwait

* Cleanup

* style

* FIRAppAttestArtifactStorage implementation and tests (#8041)

* Update comments

* FIRAppAttestArtifactStorage implementation and tests

* Fix init

* API docs

* Clean up storage in tests

* Comments

* Disable Keychain dependent tests for SPM

* Implement App Attest `getRandomChallenge` (#8033)

* Initial implementation

* Parse response body for challenge and stub test cases

* Review [Draft]

* Avoid encoding challenge again

* Add tests

* Revert "Avoid encoding challenge again" and add TODO

This reverts commit 69eb00d.

* Document tests; Add test

* Tests: Add URL validation check

* Review

* Define Exchange AppAttest Assertion for FAC token API (#8058)

* App Check App Attest: attestation request (#8059)

* App Attest provider API integration WIP

* update tests

* Draft attestation response parsing

* Attestation request draft

* style

* AppAttest Attestation API tests draft

* Error cases tests

* style

* Cleanup and API docs

* Merge fix

* Fix OCMock imports

* Fix nullability modifier

* Formatting

* comments

* App Check App Attest initial handshake adjustments (#8067)

* calculatre sha256 of random challenge for attestation

* Test app adjustments

* cleanup

* use trailing closures in the test app

* Implement API for ExchangeAppAttestAssertionRequest endpoint (#8065)

* Implement assertion exchange

* Tweak existing tests

* Add tests

* Rename JSON to better match gRPC  message

* Add HTTPBody helper

* Review

* Review 2

* Review 3

* App Check App Attest assertion flow (#8083)

* App Attest assertion workflow draft

* send request

* assertion flow tests

* style

* App Check: store App Attest artifact per key ID (#8097)

* Update artifact storage API and tests

* Artifact storage implementation update

* Save artifact for a key ID

* Style

* typos

* App Check: prevent concurrent token requests (#8117)

* App Attest multiple get token method invocation tests

* Ensure a single App Attest handshake sequence at the time

* FIRAppCheckTests: get token request merging tests

* FIRAppCheck: Ensure a single get token operation at the time

* formatting

* Test new request after merged requests

* Release finished operation promise

* Style

* Typos

* typo

* Request merging tests for error cases

* formatting

* Changelog

* App Check App Attest: handle attestation rejection (#8170)

* Remove/update outdated TODOs

* [WIP] Attestation rejection handling draft

* style

* retry tests draft

* reset key ID before retry

* Reset attestation

* test error and fixes

* style

* More details in the name

* Some debug logging

* style

* Use specific codes for log messages

* style

* Add FIRAppAttestProvider.h the umbrella header

* Add receivedAtDate property to the FAC token

* Update tests to check receivedAtDate field where important

* [WIP] Use FIRAppCheckTokenRefreshResult instead in the refresher API

* [WIP] Fix refgresher usage

* Update tests with new API, keep old logic

* Update tests with new logic

* WIP

* WIP

* Initial refresh tests and fixes.

* Add #import <TargetConditionals.h> where needed.

* Formatting

* Cleanup and test updates

* style

* Comments

* Cleanup and comments

* Fix catalyst

* Changelog

* Changelog version fix

* Typo

* Cleanup

* Typo

* Imports order

Co-authored-by: Nick Cooke <[email protected]>

Author: maksymmalyhin

FirebaseAppCheck/CHANGELOG.md

@@ -1,4 +1,5 @@
-# 8.1.0 -- M97
+# 8.2.0 -- M98
 - [added] Apple's App Attest attestation provider support. (#8133)
+- [changed] Token auto-refresh optimizations. (#8232)
 # v8.0.0 -- M95
 - [added] Firebase abuse reduction support SDK. (#7928, #7937, #7948)

FirebaseAppCheck/Sources/AppAttestProvider/DCAppAttestService+FIRAppAttestService.h

@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+#import <TargetConditionals.h>
+
 // Currently DCAppAttestService is available on iOS only.
 #if TARGET_OS_IOS && !TARGET_OS_MACCATALYST  // Catalyst should be possible with Xcode 12.5+
 

FirebaseAppCheck/Sources/AppAttestProvider/DCAppAttestService+FIRAppAttestService.m

@@ -17,7 +17,7 @@
 #import "FirebaseAppCheck/Sources/AppAttestProvider/DCAppAttestService+FIRAppAttestService.h"
 
 // Currently DCAppAttestService is available on iOS only.
-#if TARGET_OS_IOS
+#if TARGET_OS_IOS && !TARGET_OS_MACCATALYST  // Catalyst should be possible with Xcode 12.5+
 
 @implementation DCAppAttestService (FIRAppAttestService)
 

FirebaseAppCheck/Sources/Core/APIService/FIRAppCheckToken+APIResponse.m

@@ -15,6 +15,7 @@
  */
 
 #import "FirebaseAppCheck/Sources/Core/APIService/FIRAppCheckToken+APIResponse.h"
+#import "FirebaseAppCheck/Sources/Core/FIRAppCheckToken+Internal.h"
 
 #if __has_include(<FBLPromises/FBLPromises.h>)
 #import <FBLPromises/FBLPromises.h>
@@ -81,7 +82,7 @@ - (nullable instancetype)initWithResponseDict:(NSDictionary<NSString *, id> *)re
 
   NSDate *expirationDate = [requestDate dateByAddingTimeInterval:secondsToLive];
 
-  return [self initWithToken:token expirationDate:expirationDate];
+  return [self initWithToken:token expirationDate:expirationDate receivedAtDate:requestDate];
 }
 
 @end

FirebaseAppCheck/Sources/Core/FIRAppCheck.m

@@ -24,13 +24,14 @@
 
 #import "FirebaseAppCheck/Sources/Public/FirebaseAppCheck/FIRAppCheckProvider.h"
 #import "FirebaseAppCheck/Sources/Public/FirebaseAppCheck/FIRAppCheckProviderFactory.h"
-#import "FirebaseAppCheck/Sources/Public/FirebaseAppCheck/FIRAppCheckToken.h"
 
 #import "FirebaseAppCheck/Sources/Core/Errors/FIRAppCheckErrorUtil.h"
 #import "FirebaseAppCheck/Sources/Core/FIRAppCheckLogger.h"
 #import "FirebaseAppCheck/Sources/Core/FIRAppCheckSettings.h"
+#import "FirebaseAppCheck/Sources/Core/FIRAppCheckToken+Internal.h"
 #import "FirebaseAppCheck/Sources/Core/FIRAppCheckTokenResult.h"
 #import "FirebaseAppCheck/Sources/Core/Storage/FIRAppCheckStorage.h"
+#import "FirebaseAppCheck/Sources/Core/TokenRefresh/FIRAppCheckTokenRefreshResult.h"
 #import "FirebaseAppCheck/Sources/Core/TokenRefresh/FIRAppCheckTokenRefresher.h"
 
 #import "FirebaseAppCheck/Sources/Interop/FIRAppCheckInterop.h"
@@ -124,10 +125,10 @@ - (nullable instancetype)initWithApp:(FIRApp *)app {
       [[FIRAppCheckSettings alloc] initWithApp:app
                                    userDefault:[NSUserDefaults standardUserDefaults]
                                     mainBundle:[NSBundle mainBundle]];
+  FIRAppCheckTokenRefreshResult *refreshResult =
+      [[FIRAppCheckTokenRefreshResult alloc] initWithStatusNever];
   FIRAppCheckTokenRefresher *tokenRefresher =
-      [[FIRAppCheckTokenRefresher alloc] initWithTokenExpirationDate:[NSDate date]
-                                            tokenExpirationThreshold:kTokenExpirationThreshold
-                                                            settings:settings];
+      [[FIRAppCheckTokenRefresher alloc] initWithRefreshResult:refreshResult settings:settings];
 
   FIRAppCheckStorage *storage = [[FIRAppCheckStorage alloc] initWithAppName:app.name
                                                                       appID:app.options.googleAppID
@@ -306,7 +307,10 @@ - (nonnull NSString *)notificationTokenKey {
         // TODO: Make sure the self.tokenRefresher is updated only once. Currently the timer will be
         // updated twice in the case when the refresh triggered by self.tokenRefresher, but it
         // should be fine for now as it is a relatively cheap operation.
-        [self.tokenRefresher updateTokenExpirationDate:token.expirationDate];
+        __auto_type refreshResult = [[FIRAppCheckTokenRefreshResult alloc]
+            initWithStatusSuccessAndExpirationDate:token.expirationDate
+                                    receivedAtDate:token.receivedAtDate];
+        [self.tokenRefresher updateWithRefreshResult:refreshResult];
         [self postTokenUpdateNotificationWithToken:token];
         return token;
       });
@@ -317,11 +321,15 @@ - (nonnull NSString *)notificationTokenKey {
 - (void)periodicTokenRefreshWithCompletion:(FIRAppCheckTokenRefreshCompletion)completion {
   [self retrieveOrRefreshTokenForcingRefresh:NO]
       .then(^id _Nullable(FIRAppCheckToken *_Nullable token) {
-        completion(YES, token.expirationDate);
+        __auto_type refreshResult = [[FIRAppCheckTokenRefreshResult alloc]
+            initWithStatusSuccessAndExpirationDate:token.expirationDate
+                                    receivedAtDate:token.receivedAtDate];
+        completion(refreshResult);
         return nil;
       })
       .catch(^(NSError *error) {
-        completion(NO, nil);
+        __auto_type refreshResult = [[FIRAppCheckTokenRefreshResult alloc] initWithStatusFailure];
+        completion(refreshResult);
       });
 }
 

FirebaseAppCheck/Sources/Core/FIRAppCheckToken+Internal.h

@@ -0,0 +1,39 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#import <Foundation/Foundation.h>
+
+#import "FirebaseAppCheck/Sources/Public/FirebaseAppCheck/FIRAppCheckToken.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface FIRAppCheckToken ()
+
+/// A date when the Firebase App Check token was received in the device's local time.
+@property(nonatomic) NSDate *receivedAtDate;
+
+/// The designated initializer.
+/// @param token A Firebase App Check token.
+/// @param expirationDate A Firebase App Check token expiration date in the device local time.
+/// @param receivedAtDate A date when the Firebase App Check token was received in the device's
+/// local time.
+- (instancetype)initWithToken:(NSString *)token
+               expirationDate:(NSDate *)expirationDate
+               receivedAtDate:(NSDate *)receivedAtDate NS_DESIGNATED_INITIALIZER;
+
+@end
+
+NS_ASSUME_NONNULL_END

FirebaseAppCheck/Sources/Core/FIRAppCheckToken.m

@@ -14,17 +14,28 @@
  * limitations under the License.
  */
 
-#import "FirebaseAppCheck/Sources/Public/FirebaseAppCheck/FIRAppCheckToken.h"
+#import "FirebaseAppCheck/Sources/Core/FIRAppCheckToken+Internal.h"
+
+NS_ASSUME_NONNULL_BEGIN
 
 @implementation FIRAppCheckToken
 
-- (instancetype)initWithToken:(NSString *)token expirationDate:(NSDate *)expirationDate {
+- (instancetype)initWithToken:(NSString *)token
+               expirationDate:(NSDate *)expirationDate
+               receivedAtDate:(NSDate *)receivedAtDate {
   self = [super init];
   if (self) {
     _token = [token copy];
     _expirationDate = expirationDate;
+    _receivedAtDate = receivedAtDate;
   }
   return self;
 }
 
+- (instancetype)initWithToken:(NSString *)token expirationDate:(NSDate *)expirationDate {
+  return [self initWithToken:token expirationDate:expirationDate receivedAtDate:[NSDate date]];
+}
+
 @end
+
+NS_ASSUME_NONNULL_END

FirebaseAppCheck/Sources/Core/Storage/FIRAppCheckStoredToken+FIRAppCheckToken.m

@@ -16,17 +16,20 @@
 
 #import "FirebaseAppCheck/Sources/Core/Storage/FIRAppCheckStoredToken+FIRAppCheckToken.h"
 
-#import "FirebaseAppCheck/Sources/Public/FirebaseAppCheck/FIRAppCheckToken.h"
+#import "FirebaseAppCheck/Sources/Core/FIRAppCheckToken+Internal.h"
 
 @implementation FIRAppCheckStoredToken (FIRAppCheckToken)
 
 - (void)updateWithToken:(FIRAppCheckToken *)token {
   self.token = token.token;
   self.expirationDate = token.expirationDate;
+  self.receivedAtDate = token.receivedAtDate;
 }
 
 - (FIRAppCheckToken *)appCheckToken {
-  return [[FIRAppCheckToken alloc] initWithToken:self.token expirationDate:self.expirationDate];
+  return [[FIRAppCheckToken alloc] initWithToken:self.token
+                                  expirationDate:self.expirationDate
+                                  receivedAtDate:self.receivedAtDate];
 }
 
 @end

FirebaseAppCheck/Sources/Core/Storage/FIRAppCheckStoredToken.h

@@ -22,10 +22,14 @@ NS_ASSUME_NONNULL_BEGIN
 
 @interface FIRAppCheckStoredToken : NSObject <NSSecureCoding>
 
-/// FAA token.
-@property(nonatomic, copy) NSString *token;
-/// FAA token expiration date in the device local time.
-@property(nonatomic, strong) NSDate *expirationDate;
+/// The Firebase App Check token.
+@property(nonatomic, copy, nullable) NSString *token;
+
+/// The Firebase App Check token expiration date in the device local time.
+@property(nonatomic, strong, nullable) NSDate *expirationDate;
+
+/// The date when the Firebase App Check token was received in the device's local time.
+@property(nonatomic, strong, nullable) NSDate *receivedAtDate;
 
 /// The version of local storage.
 @property(nonatomic, readonly) NSInteger storageVersion;

FirebaseAppCheck/Sources/Core/Storage/FIRAppCheckStoredToken.m

@@ -18,9 +18,10 @@
 
 static NSString *const kTokenKey = @"token";
 static NSString *const kExpirationDateKey = @"expirationDate";
+static NSString *const kReceivedAtDateKey = @"receivedAtDate";
 static NSString *const kStorageVersionKey = @"storageVersion";
 
-static const NSInteger kStorageVersion = 1;
+static const NSInteger kStorageVersion = 2;
 
 NS_ASSUME_NONNULL_BEGIN
 
@@ -37,19 +38,21 @@ + (BOOL)supportsSecureCoding {
 - (void)encodeWithCoder:(NSCoder *)coder {
   [coder encodeObject:self.token forKey:kTokenKey];
   [coder encodeObject:self.expirationDate forKey:kExpirationDateKey];
+  [coder encodeObject:self.receivedAtDate forKey:kReceivedAtDateKey];
   [coder encodeInteger:self.storageVersion forKey:kStorageVersionKey];
 }
 
 - (nullable instancetype)initWithCoder:(NSCoder *)coder {
   self = [super init];
   if (self) {
-    NSInteger storageVersion = [coder decodeIntegerForKey:kStorageVersionKey];
-    if (storageVersion > kStorageVersion) {
+    NSInteger decodedStorageVersion = [coder decodeIntegerForKey:kStorageVersionKey];
+    if (decodedStorageVersion > kStorageVersion) {
       // TODO: Log a message.
     }
 
     _token = [coder decodeObjectOfClass:[NSString class] forKey:kTokenKey];
     _expirationDate = [coder decodeObjectOfClass:[NSDate class] forKey:kExpirationDateKey];
+    _receivedAtDate = [coder decodeObjectOfClass:[NSDate class] forKey:kReceivedAtDateKey];
   }
   return self;
 }