Implement token revocation public api (#11001)

Author: renkelvin

FirebaseAuth/Sources/Auth/FIRAuth.m

@@ -47,6 +47,8 @@
 #import "FirebaseAuth/Sources/Backend/RPC/FIRGetOOBConfirmationCodeResponse.h"
 #import "FirebaseAuth/Sources/Backend/RPC/FIRResetPasswordRequest.h"
 #import "FirebaseAuth/Sources/Backend/RPC/FIRResetPasswordResponse.h"
+#import "FirebaseAuth/Sources/Backend/RPC/FIRRevokeTokenRequest.h"
+#import "FirebaseAuth/Sources/Backend/RPC/FIRRevokeTokenResponse.h"
 #import "FirebaseAuth/Sources/Backend/RPC/FIRSendVerificationCodeRequest.h"
 #import "FirebaseAuth/Sources/Backend/RPC/FIRSendVerificationCodeResponse.h"
 #import "FirebaseAuth/Sources/Backend/RPC/FIRSetAccountInfoRequest.h"
@@ -1544,6 +1546,34 @@ - (void)setAdditionalFrameworkMarker:(nullable NSString *)additionalFrameworkMar
   });
 }
 
+- (void)revokeTokenWithAuthorizationCode:(NSString *)authorizationCode
+                              completion:(nullable void (^)(NSError *_Nullable error))completion {
+  [self.currentUser
+      getIDTokenWithCompletion:^(NSString *_Nullable idToken, NSError *_Nullable error) {
+        if (completion) {
+          if (error) {
+            completion(error);
+            return;
+          }
+        }
+        FIRRevokeTokenRequest *request =
+            [[FIRRevokeTokenRequest alloc] initWithToken:authorizationCode
+                                                 idToken:idToken
+                                    requestConfiguration:self->_requestConfiguration];
+        [FIRAuthBackend
+            revokeToken:request
+               callback:^(FIRRevokeTokenResponse *_Nullable response, NSError *_Nullable error) {
+                 if (completion) {
+                   if (error) {
+                     completion(error);
+                   } else {
+                     completion(nil);
+                   }
+                 }
+               }];
+      }];
+}
+
 #if TARGET_OS_IOS
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wunused-property-ivar"

FirebaseAuth/Sources/Backend/FIRAuthBackend.h

@@ -54,6 +54,8 @@
 @class FIRSignInWithGameCenterResponse;
 @class FIRSignUpNewUserRequest;
 @class FIRSignUpNewUserResponse;
+@class FIRRevokeTokenRequest;
+@class FIRRevokeTokenResponse;
 
 @protocol FIRAuthBackendImplementation;
 @protocol FIRAuthBackendRPCIssuer;
@@ -220,6 +222,15 @@ typedef void (^FIRVerifyPhoneNumberResponseCallback)(
 typedef void (^FIRVerifyClientResponseCallback)(FIRVerifyClientResponse *_Nullable response,
                                                 NSError *_Nullable error);
 
+/** @typedef FIRRevokeTokenResponseCallback
+    @brief The type of block used to return the result of a call to the revokeToken endpoint.
+    @param response The received response, if any.
+    @param error The error which occurred, if any.
+    @remarks One of response or error will be non-nil.
+ */
+typedef void (^FIRRevokeTokenResponseCallback)(FIRRevokeTokenResponse *_Nullable response,
+                                               NSError *_Nullable error);
+
 /** @typedef FIRSignInWithGameCenterResponseCallback
     @brief The type of block used to return the result of a call to the SignInWithGameCenter
    endpoint.
@@ -414,8 +425,18 @@ typedef void (^FIRSignInWithGameCenterResponseCallback)(
  */
 + (void)verifyClient:(FIRVerifyClientRequest *)request
             callback:(FIRVerifyClientResponseCallback)callback;
+
 #endif
 
+/** @fn revokeToken:callback:
+    @brief Calls the revokeToken endpoint, which is responsible for revoking the given token
+        provided in the request parameters.
+    @param request The request parameters.
+    @param callback The callback.
+ */
++ (void)revokeToken:(FIRRevokeTokenRequest *)request
+           callback:(FIRRevokeTokenResponseCallback)callback;
+
 @end
 
 /** @protocol FIRAuthBackendRPCIssuer
@@ -578,8 +599,18 @@ typedef void (^FIRSignInWithGameCenterResponseCallback)(
  */
 - (void)verifyClient:(FIRVerifyClientRequest *)request
             callback:(FIRVerifyClientResponseCallback)callback;
+
 #endif
 
+/** @fn revokeToken:callback:
+    @brief Calls the revokeToken endpoint, which is responsible for revoking the given token
+        provided in the request parameters.
+    @param request The request parameters.
+    @param callback The callback.
+ */
+- (void)revokeToken:(FIRRevokeTokenRequest *)request
+           callback:(FIRRevokeTokenResponseCallback)callback;
+
 /** @fn SignInWithGameCenter:callback:
     @brief Calls the SignInWithGameCenter endpoint, which is responsible for authenticating a user
       who has Game Center credentials.

FirebaseAuth/Sources/Backend/FIRAuthBackend.m

@@ -44,6 +44,8 @@
 #import "FirebaseAuth/Sources/Backend/RPC/FIRGetProjectConfigResponse.h"
 #import "FirebaseAuth/Sources/Backend/RPC/FIRResetPasswordRequest.h"
 #import "FirebaseAuth/Sources/Backend/RPC/FIRResetPasswordResponse.h"
+#import "FirebaseAuth/Sources/Backend/RPC/FIRRevokeTokenRequest.h"
+#import "FirebaseAuth/Sources/Backend/RPC/FIRRevokeTokenResponse.h"
 #import "FirebaseAuth/Sources/Backend/RPC/FIRSecureTokenRequest.h"
 #import "FirebaseAuth/Sources/Backend/RPC/FIRSecureTokenResponse.h"
 #import "FirebaseAuth/Sources/Backend/RPC/FIRSendVerificationCodeRequest.h"
@@ -606,8 +608,14 @@ + (void)verifyPhoneNumber:(FIRVerifyPhoneNumberRequest *)request
 + (void)verifyClient:(id)request callback:(FIRVerifyClientResponseCallback)callback {
   [[self implementation] verifyClient:request callback:callback];
 }
+
 #endif
 
++ (void)revokeToken:(FIRRevokeTokenRequest *)request
+           callback:(FIRRevokeTokenResponseCallback)callback {
+  [[self implementation] revokeToken:request callback:callback];
+}
+
 + (void)resetPassword:(FIRResetPasswordRequest *)request
              callback:(FIRResetPasswordCallback)callback {
   [[self implementation] resetPassword:request callback:callback];
@@ -989,8 +997,25 @@ - (void)verifyClient:(id)request callback:(FIRVerifyClientResponseCallback)callb
                  callback(response, nil);
                }];
 }
+
 #endif
 
+- (void)revokeToken:(FIRRevokeTokenRequest *)request
+           callback:(FIRRevokeTokenResponseCallback)callback {
+  FIRRevokeTokenResponse *response = [[FIRRevokeTokenResponse alloc] init];
+  [self
+      postWithRequest:request
+             response:response
+             callback:^(NSError *error) {
+               if (error) {
+                 callback(nil, [FIRAuthErrorUtils
+                                   invalidCredentialErrorWithMessage:[error localizedDescription]]);
+                 return;
+               }
+               callback(response, nil);
+             }];
+}
+
 - (void)resetPassword:(FIRResetPasswordRequest *)request
              callback:(FIRResetPasswordCallback)callback {
   FIRResetPasswordResponse *response = [[FIRResetPasswordResponse alloc] init];

FirebaseAuth/Sources/Backend/RPC/FIRRevokeTokenRequest.h

@@ -0,0 +1,63 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#import "FirebaseAuth/Sources/Backend/FIRAuthRPCRequest.h"
+#import "FirebaseAuth/Sources/Backend/FIRIdentityToolkitRequest.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface FIRRevokeTokenRequest : FIRIdentityToolkitRequest <FIRAuthRPCRequest>
+
+/** @property providerID
+    @brief The provider that issued the token to revoke.
+ */
+@property(nonatomic, copy, nullable) NSString *providerID;
+
+/** @property tokenType
+    @brief The type of the token to revoke.
+ */
+@property(nonatomic) NSInteger tokenType;
+
+/** @property token
+    @brief The token to be revoked.
+ */
+@property(nonatomic, copy, nullable) NSString *token;
+
+/** @property idToken
+    @brief The ID Token associated with this credential.
+ */
+@property(nonatomic, copy, nullable) NSString *idToken;
+
+/** @fn initWithEndpoint:requestConfiguration:
+    @brief Please use initWithToken:requestConfiguration: instead.
+ */
+- (nullable instancetype)initWithEndpoint:(NSString *)endpoint
+                     requestConfiguration:(FIRAuthRequestConfiguration *)requestConfiguration
+    NS_UNAVAILABLE;
+
+/** @fn initWithAppToken:isSandbox:requestConfiguration:
+    @brief Designated initializer.
+    @param token The token to be revoked.
+    @param idToken The id token associated with the current user.
+    @param requestConfiguration An object containing configurations to be added to the request.
+ */
+- (nullable instancetype)initWithToken:(NSString *)token
+                               idToken:(NSString *)idToken
+                  requestConfiguration:(FIRAuthRequestConfiguration *)requestConfiguration;
+
+@end
+
+NS_ASSUME_NONNULL_END

FirebaseAuth/Sources/Backend/RPC/FIRRevokeTokenRequest.m

@@ -0,0 +1,103 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#import "FirebaseAuth/Sources/Backend/RPC/FIRRevokeTokenRequest.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+/** @var kRevokeTokenEndpoint
+    @brief The endpoint for the revokeToken request.
+ */
+static NSString *const kRevokeTokenEndpoint = @"accounts:revokeToken";
+
+/** @var kProviderIDKey
+    @brief The key for the provider that issued the token to revoke.
+ */
+static NSString *const kProviderIDKey = @"providerId";
+
+/** @var kTokenTypeKey
+    @brief The key for the type of the token to revoke.
+ */
+static NSString *const kTokenTypeKey = @"tokenType";
+
+/** @var kTokenKey
+    @brief The key for the token to be revoked.
+ */
+static NSString *const kTokenKey = @"token";
+
+/** @var kIDTokenKey
+    @brief The key for the ID Token associated with this credential.
+ */
+static NSString *const kIDTokenKey = @"idToken";
+
+typedef NS_ENUM(NSInteger, FIRTokenType) {
+  /** Indicates that the token type is unspecified.
+   */
+  FIRTokenTypeUnspecified = 0,
+
+  /** Indicates that the token type is refresh token.
+   */
+  FIRTokenTypeRefreshToken = 1,
+
+  /** Indicates that the token type is access token.
+   */
+  FIRTokenTypeAccessToken = 2,
+
+  /** Indicates that the token type is authorization code.
+   */
+  FIRTokenTypeAuthorizationCode = 3,
+};
+
+@implementation FIRRevokeTokenRequest
+
+- (nullable instancetype)initWithToken:(NSString *)token
+                               idToken:(NSString *)idToken
+                  requestConfiguration:(FIRAuthRequestConfiguration *)requestConfiguration {
+  self = [super initWithEndpoint:kRevokeTokenEndpoint
+            requestConfiguration:requestConfiguration
+             useIdentityPlatform:YES
+                      useStaging:NO];
+  if (self) {
+    // Apple and authorization code are the only provider and token type we support for now.
+    // Generalize this initializer to accept other providers and token types once supported.
+    _providerID = @"apple.com";
+    _tokenType = FIRTokenTypeAuthorizationCode;
+    _token = token;
+    _idToken = idToken;
+  }
+  return self;
+}
+
+- (nullable id)unencodedHTTPRequestBodyWithError:(NSError *__autoreleasing _Nullable *)error {
+  NSMutableDictionary *postBody = [NSMutableDictionary dictionary];
+  if (_providerID) {
+    postBody[kProviderIDKey] = _providerID;
+  }
+  if (_tokenType) {
+    postBody[kTokenTypeKey] = [NSNumber numberWithInteger:_tokenType].stringValue;
+  }
+  if (_token) {
+    postBody[kTokenKey] = _token;
+  }
+  if (_idToken) {
+    postBody[kIDTokenKey] = _idToken;
+  }
+  return [postBody copy];
+}
+
+@end
+
+NS_ASSUME_NONNULL_END

FirebaseAuth/Sources/Backend/RPC/FIRRevokeTokenResponse.h

@@ -0,0 +1,27 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#import <Foundation/Foundation.h>
+
+#import "FirebaseAuth/Sources/Backend/FIRAuthRPCResponse.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface FIRRevokeTokenResponse : NSObject <FIRAuthRPCResponse>
+
+@end
+
+NS_ASSUME_NONNULL_END

FirebaseAuth/Sources/Backend/RPC/FIRRevokeTokenResponse.m

@@ -0,0 +1,29 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#import "FirebaseAuth/Sources/Backend/RPC/FIRRevokeTokenResponse.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+@implementation FIRRevokeTokenResponse
+
+- (BOOL)setWithDictionary:(NSDictionary *)dictionary error:(NSError *_Nullable *_Nullable)error {
+  return YES;
+}
+
+@end
+
+NS_ASSUME_NONNULL_END

FirebaseAuth/Sources/Public/FirebaseAuth/FIRAuth.h

@@ -850,6 +850,14 @@ NS_SWIFT_NAME(Auth)
  */
 - (BOOL)canHandleNotification:(NSDictionary *)userInfo API_UNAVAILABLE(macos, tvos, watchos);
 
+/** @fn revokeTokenWithAuthorizationCode:Completion
+    @brief Revoke the users token with authorization code.
+    @param completion (Optional) the block invoked when the request to revoke the token is
+        complete, or fails. Invoked asynchronously on the main thread in the future.
+ */
+- (void)revokeTokenWithAuthorizationCode:(NSString *)authorizationCode
+                              completion:(nullable void (^)(NSError *_Nullable error))completion;
+
 #pragma mark - User sharing
 
 /** @fn useUserAccessGroup:error: