Skip to content

Commit

Permalink
fix(auth): Fix credentials issue in createToken() when using ADC (#2801)
Browse files Browse the repository at this point in the history
* fix(auth): Fix service account issue in createToken() using ADC

* fix tests
  • Loading branch information
lahirumaramba authored Dec 12, 2024
1 parent 69d6494 commit 86094a7
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 13 deletions.
23 changes: 16 additions & 7 deletions src/utils/crypto-signer.ts
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import { AuthorizedHttpClient, HttpRequestConfig, HttpClient, RequestResponseErr

import { Algorithm } from 'jsonwebtoken';
import { ErrorInfo } from '../utils/error';
import * as utils from '../utils/index';
import * as validator from '../utils/validator';

const ALGORITHM_RS256: Algorithm = 'RS256' as const;
Expand Down Expand Up @@ -105,22 +106,23 @@ export class IAMSigner implements CryptoSigner {

private readonly httpClient: AuthorizedHttpClient;
private serviceAccountId?: string;
private app?: App;

constructor(httpClient: AuthorizedHttpClient, serviceAccountId?: string) {
constructor(httpClient: AuthorizedHttpClient, app?: App) {
if (!httpClient) {
throw new CryptoSignerError({
code: CryptoSignerErrorCode.INVALID_ARGUMENT,
message: 'INTERNAL ASSERT: Must provide a HTTP client to initialize IAMSigner.',
});
}
if (typeof serviceAccountId !== 'undefined' && !validator.isNonEmptyString(serviceAccountId)) {
if (app && (typeof app !== 'object' || app === null || !('options' in app))) {
throw new CryptoSignerError({
code: CryptoSignerErrorCode.INVALID_ARGUMENT,
message: 'INTERNAL ASSERT: Service account ID must be undefined or a non-empty string.',
message: 'INTERNAL ASSERT: Must provide a valid Firebase app instance.',
});
}
this.httpClient = httpClient;
this.serviceAccountId = serviceAccountId;
this.app = app;
}

/**
Expand Down Expand Up @@ -152,9 +154,16 @@ export class IAMSigner implements CryptoSigner {
/**
* @inheritDoc
*/
public getAccountId(): Promise<string> {
public async getAccountId(): Promise<string> {
if (validator.isNonEmptyString(this.serviceAccountId)) {
return Promise.resolve(this.serviceAccountId);
return this.serviceAccountId;
}
if (this.app) {
const accountId = await utils.findServiceAccountEmail(this.app!)
if (accountId) {
this.serviceAccountId = accountId;
return accountId;
}
}
const request: HttpRequestConfig = {
method: 'GET',
Expand Down Expand Up @@ -197,7 +206,7 @@ export function cryptoSignerFromApp(app: App): CryptoSigner {
return new ServiceAccountSigner(credential);
}

return new IAMSigner(new AuthorizedHttpClient(app as FirebaseApp), app.options.serviceAccountId);
return new IAMSigner(new AuthorizedHttpClient(app as FirebaseApp), app);
}

/**
Expand Down
12 changes: 6 additions & 6 deletions test/unit/utils/crypto-signer.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -103,7 +103,7 @@ describe('CryptoSigner', () => {
const input = Buffer.from('input');
const signRequest = {
method: 'POST',
url: 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/test-service-account:signBlob',
url: 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/foo@project_id.iam.gserviceaccount.com:signBlob',
headers: {
Authorization: `Bearer ${mockAccessToken}`,
'X-Goog-Api-Client': getMetricsHeader()
Expand All @@ -120,7 +120,7 @@ describe('CryptoSigner', () => {
const expectedResult = utils.responseFrom(response);
stub = sinon.stub(HttpClient.prototype, 'send').resolves(expectedResult);
const requestHandler = new AuthorizedHttpClient(mockApp);
const signer = new IAMSigner(requestHandler, 'test-service-account');
const signer = new IAMSigner(requestHandler, mockApp);
return signer.sign(input).then((signature) => {
expect(signature.toString('base64')).to.equal(response.signedBlob);
expect(stub).to.have.been.calledOnce.and.calledWith(signRequest);
Expand All @@ -136,7 +136,7 @@ describe('CryptoSigner', () => {
});
stub = sinon.stub(HttpClient.prototype, 'send').rejects(expectedResult);
const requestHandler = new AuthorizedHttpClient(mockApp);
const signer = new IAMSigner(requestHandler, 'test-service-account');
const signer = new IAMSigner(requestHandler, mockApp);
return signer.sign(input).catch((err) => {
expect(err).to.be.instanceOf(CryptoSignerError);
expect(err.message).to.equal('Server responded with status 500.');
Expand All @@ -145,9 +145,9 @@ describe('CryptoSigner', () => {
});
});

it('should return the explicitly specified service account', () => {
const signer = new IAMSigner(new AuthorizedHttpClient(mockApp), 'test-service-account');
return signer.getAccountId().should.eventually.equal('test-service-account');
it('should return the service account from the app', () => {
const signer = new IAMSigner(new AuthorizedHttpClient(mockApp), mockApp);
return signer.getAccountId().should.eventually.equal('foo@project_id.iam.gserviceaccount.com');
});
});

Expand Down

0 comments on commit 86094a7

Please sign in to comment.