Allow callable functions to skip token verification in debug mode (#983)

taeold · web-flow · commit 9c2142b3faf1 · 2021-10-27T23:29:52.000-07:00
To replace monkey-patching of the Firebase Functions SDK in the Functions Emulator ([code](https://github.com/firebase/firebase-tools/blob/c2feb0836f6f64236e117f2906ef6083840e212b/src/emulator/functionsEmulatorRuntime.ts#L401-L496)), we provide native support for bypassing token verification for `onCall` handlers. Using the new debug mode introduced in #992, Auth/App Check token included in the request will be decoded but no verified.
diff --git a/spec/common/providers/https.spec.ts b/spec/common/providers/https.spec.ts
@@ -1,18 +1,28 @@
 import { expect } from 'chai';
 import * as express from 'express';
 import * as firebase from 'firebase-admin';
+import * as sinon from 'sinon';
 
 import { apps as appsNamespace } from '../../../src/apps';
 import * as https from '../../../src/common/providers/https';
+import * as debug from '../../../src/common/debug';
 import * as mocks from '../../fixtures/credential/key.json';
 import {
   expectedResponseHeaders,
   generateAppCheckToken,
   generateIdToken,
+  generateUnsignedAppCheckToken,
+  generateUnsignedIdToken,
   mockFetchAppCheckPublicJwks,
   mockFetchPublicKeys,
   mockRequest,
 } from '../../fixtures/mockrequest';
+import {
+  CallableContext,
+  CallableRequest,
+  unsafeDecodeAppCheckToken,
+  unsafeDecodeIdToken,
+} from '../../../src/common/providers/https';
 
 /**
  * RunHandlerResult contains the data from an express.Response.
@@ -133,6 +143,64 @@ async function runTest(test: CallTest): Promise<any> {
   expect(responseV2.status).to.equal(test.expectedHttpResponse.status);
 }
 
+function checkAuthContext(
+  context: CallableContext,
+  projectId: string,
+  userId: string
+) {
+  expect(context.auth).to.not.be.undefined;
+  expect(context.auth).to.not.be.null;
+  expect(context.auth.uid).to.equal(userId);
+  expect(context.auth.token.uid).to.equal(userId);
+  expect(context.auth.token.sub).to.equal(userId);
+  expect(context.auth.token.aud).to.equal(projectId);
+  expect(context.instanceIdToken).to.be.undefined;
+}
+
+function checkAppCheckContext(
+  context: CallableContext,
+  projectId: string,
+  appId: string
+) {
+  expect(context.app).to.not.be.undefined;
+  expect(context.app).to.not.be.null;
+  expect(context.app.appId).to.equal(appId);
+  expect(context.app.token.app_id).to.be.equal(appId);
+  expect(context.app.token.sub).to.be.equal(appId);
+  expect(context.app.token.aud).to.be.deep.equal([`projects/${projectId}`]);
+  expect(context.auth).to.be.undefined;
+  expect(context.instanceIdToken).to.be.undefined;
+}
+
+function checkAuthRequest(
+  request: CallableRequest,
+  projectId: string,
+  userId: string
+) {
+  expect(request.auth).to.not.be.undefined;
+  expect(request.auth).to.not.be.null;
+  expect(request.auth.uid).to.equal(userId);
+  expect(request.auth.token.uid).to.equal(userId);
+  expect(request.auth.token.sub).to.equal(userId);
+  expect(request.auth.token.aud).to.equal(projectId);
+  expect(request.instanceIdToken).to.be.undefined;
+}
+
+function checkAppCheckRequest(
+  request: CallableRequest,
+  projectId: string,
+  appId: string
+) {
+  expect(request.app).to.not.be.undefined;
+  expect(request.app).to.not.be.null;
+  expect(request.app.appId).to.equal(appId);
+  expect(request.app.token.app_id).to.be.equal(appId);
+  expect(request.app.token.sub).to.be.equal(appId);
+  expect(request.app.token.aud).to.be.deep.equal([`projects/${projectId}`]);
+  expect(request.auth).to.be.undefined;
+  expect(request.instanceIdToken).to.be.undefined;
+}
+
 describe('onCallHandler', () => {
   let app: firebase.app.App;
 
@@ -354,23 +422,11 @@ describe('onCallHandler', () => {
       }),
       expectedData: null,
       callableFunction: (data, context) => {
-        expect(context.auth).to.not.be.undefined;
-        expect(context.auth).to.not.be.null;
-        expect(context.auth.uid).to.equal(mocks.user_id);
-        expect(context.auth.token.uid).to.equal(mocks.user_id);
-        expect(context.auth.token.sub).to.equal(mocks.user_id);
-        expect(context.auth.token.aud).to.equal(projectId);
-        expect(context.instanceIdToken).to.be.undefined;
+        checkAuthContext(context, projectId, mocks.user_id);
         return null;
       },
       callableFunction2: (request) => {
-        expect(request.auth).to.not.be.undefined;
-        expect(request.auth).to.not.be.null;
-        expect(request.auth.uid).to.equal(mocks.user_id);
-        expect(request.auth.token.uid).to.equal(mocks.user_id);
-        expect(request.auth.token.sub).to.equal(mocks.user_id);
-        expect(request.auth.token.aud).to.equal(projectId);
-        expect(request.instanceIdToken).to.be.undefined;
+        checkAuthRequest(request, projectId, mocks.user_id);
         return null;
       },
       expectedHttpResponse: {
@@ -383,9 +439,11 @@ describe('onCallHandler', () => {
   });
 
   it('should reject bad auth', async () => {
+    const projectId = appsNamespace().admin.options.projectId;
+    const idToken = generateUnsignedIdToken(projectId);
     await runTest({
       httpRequest: mockRequest(null, 'application/json', {
-        authorization: 'Bearer FAKE',
+        authorization: 'Bearer ' + idToken,
       }),
       expectedData: null,
       callableFunction: (data, context) => {
@@ -410,35 +468,17 @@ describe('onCallHandler', () => {
   it('should handle AppCheck token', async () => {
     const mock = mockFetchAppCheckPublicJwks();
     const projectId = appsNamespace().admin.options.projectId;
-    const appId = '1:65211879909:web:3ae38ef1cdcb2e01fe5f0c';
+    const appId = '123:web:abc';
     const appCheckToken = generateAppCheckToken(projectId, appId);
     await runTest({
       httpRequest: mockRequest(null, 'application/json', { appCheckToken }),
       expectedData: null,
       callableFunction: (data, context) => {
-        expect(context.app).to.not.be.undefined;
-        expect(context.app).to.not.be.null;
-        expect(context.app.appId).to.equal(appId);
-        expect(context.app.token.app_id).to.be.equal(appId);
-        expect(context.app.token.sub).to.be.equal(appId);
-        expect(context.app.token.aud).to.be.deep.equal([
-          `projects/${projectId}`,
-        ]);
-        expect(context.auth).to.be.undefined;
-        expect(context.instanceIdToken).to.be.undefined;
+        checkAppCheckContext(context, projectId, appId);
         return null;
       },
       callableFunction2: (request) => {
-        expect(request.app).to.not.be.undefined;
-        expect(request.app).to.not.be.null;
-        expect(request.app.appId).to.equal(appId);
-        expect(request.app.token.app_id).to.be.equal(appId);
-        expect(request.app.token.sub).to.be.equal(appId);
-        expect(request.app.token.aud).to.be.deep.equal([
-          `projects/${projectId}`,
-        ]);
-        expect(request.auth).to.be.undefined;
-        expect(request.instanceIdToken).to.be.undefined;
+        checkAppCheckRequest(request, projectId, appId);
         return null;
       },
       expectedHttpResponse: {
@@ -451,10 +491,11 @@ describe('onCallHandler', () => {
   });
 
   it('should reject bad AppCheck token', async () => {
+    const projectId = appsNamespace().admin.options.projectId;
+    const appId = '123:web:abc';
+    const appCheckToken = generateUnsignedAppCheckToken(projectId, appId);
     await runTest({
-      httpRequest: mockRequest(null, 'application/json', {
-        appCheckToken: 'FAKE',
-      }),
+      httpRequest: mockRequest(null, 'application/json', { appCheckToken }),
       expectedData: null,
       callableFunction: (data, context) => {
         return;
@@ -545,6 +586,66 @@ describe('onCallHandler', () => {
       },
     });
   });
+
+  describe('skip token verification debug mode support', () => {
+    before(() => {
+      sinon
+        .stub(debug, 'isDebugFeatureEnabled')
+        .withArgs('skipTokenVerification')
+        .returns(true);
+    });
+
+    after(() => {
+      sinon.verifyAndRestore();
+    });
+
+    it('should skip auth token verification', async () => {
+      const projectId = appsNamespace().admin.options.projectId;
+      const idToken = generateUnsignedIdToken(projectId);
+      await runTest({
+        httpRequest: mockRequest(null, 'application/json', {
+          authorization: 'Bearer ' + idToken,
+        }),
+        expectedData: null,
+        callableFunction: (data, context) => {
+          checkAuthContext(context, projectId, mocks.user_id);
+          return null;
+        },
+        callableFunction2: (request) => {
+          checkAuthRequest(request, projectId, mocks.user_id);
+          return null;
+        },
+        expectedHttpResponse: {
+          status: 200,
+          headers: expectedResponseHeaders,
+          body: { result: null },
+        },
+      });
+    });
+
+    it('should skip app check token verification', async () => {
+      const projectId = appsNamespace().admin.options.projectId;
+      const appId = '123:web:abc';
+      const appCheckToken = generateUnsignedAppCheckToken(projectId, appId);
+      await runTest({
+        httpRequest: mockRequest(null, 'application/json', { appCheckToken }),
+        expectedData: null,
+        callableFunction: (data, context) => {
+          checkAppCheckContext(context, projectId, appId);
+          return null;
+        },
+        callableFunction2: (request) => {
+          checkAppCheckRequest(request, projectId, appId);
+          return null;
+        },
+        expectedHttpResponse: {
+          status: 200,
+          headers: expectedResponseHeaders,
+          body: { result: null },
+        },
+      });
+    });
+  });
 });
 
 describe('encoding/decoding', () => {
@@ -670,3 +771,36 @@ describe('encoding/decoding', () => {
     expect(https.encode(() => 'foo')).to.deep.equal({});
   });
 });
+
+describe('decode tokens', () => {
+  const projectId = 'myproject';
+  const appId = '123:web:abc';
+
+  it('decodes valid Auth ID Token', () => {
+    const idToken = unsafeDecodeIdToken(generateIdToken(projectId));
+    expect(idToken.uid).to.equal(mocks.user_id);
+    expect(idToken.sub).to.equal(mocks.user_id);
+  });
+
+  it('decodes invalid Auth ID Token', () => {
+    const idToken = unsafeDecodeIdToken(generateUnsignedIdToken(projectId));
+    expect(idToken.uid).to.equal(mocks.user_id);
+    expect(idToken.sub).to.equal(mocks.user_id);
+  });
+
+  it('decodes valid App Check Token', () => {
+    const idToken = unsafeDecodeAppCheckToken(
+      generateAppCheckToken(projectId, appId)
+    );
+    expect(idToken.app_id).to.equal(appId);
+    expect(idToken.sub).to.equal(appId);
+  });
+
+  it('decodes invalid App Check Token', () => {
+    const idToken = unsafeDecodeAppCheckToken(
+      generateUnsignedAppCheckToken(projectId, appId)
+    );
+    expect(idToken.app_id).to.equal(appId);
+    expect(idToken.sub).to.equal(appId);
+  });
+});
diff --git a/spec/fixtures/mockrequest.ts b/spec/fixtures/mockrequest.ts
@@ -85,6 +85,20 @@ export function generateIdToken(projectId: string): string {
   return jwt.sign(claims, mockKey.private_key, options);
 }
 
+/**
+ * Generates a mocked, unsigned Firebase ID token.
+ */
+export function generateUnsignedIdToken(projectId: string): string {
+  return [
+    { alg: 'RS256', typ: 'JWT' },
+    { aud: projectId, sub: mockKey.user_id },
+    'Invalid signature',
+  ]
+    .map((str) => JSON.stringify(str))
+    .map((str) => Buffer.from(str).toString('base64'))
+    .join('.');
+}
+
 /**
  * Mocks out the http request used by the firebase-admin SDK to get the jwks for
  * verifying an AppCheck token.
@@ -121,3 +135,20 @@ export function generateAppCheckToken(
   };
   return jwt.sign(claims, jwkToPem(mockJWK, { private: true }), options);
 }
+
+/**
+ * Generates a mocked, unsigned AppCheck token.
+ */
+export function generateUnsignedAppCheckToken(
+  projectId: string,
+  appId: string
+): string {
+  return [
+    { alg: 'RS256', typ: 'JWT' },
+    { aud: [`projects/${projectId}`], sub: appId },
+    'Invalid signature',
+  ]
+    .map((component) => JSON.stringify(component))
+    .map((str) => Buffer.from(str).toString('base64'))
+    .join('.');
+}
diff --git a/src/common/debug.ts b/src/common/debug.ts
@@ -24,7 +24,7 @@
 const debugMode = process.env.FIREBASE_DEBUG_MODE === 'true';
 
 interface DebugFeatures {
-  skipCallableTokenVerification?: boolean;
+  skipTokenVerification?: boolean;
 }
 
 function loadDebugFeatures(): DebugFeatures {
diff --git a/src/common/providers/https.ts b/src/common/providers/https.ts

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@`
`24`	`24`	`const debugMode = process.env.FIREBASE_DEBUG_MODE === 'true';`
`25`	`25`
`26`	`26`	`interface DebugFeatures {`
`27`		`- skipCallableTokenVerification?: boolean;`
	`27`	`+ skipTokenVerification?: boolean;`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`function loadDebugFeatures(): DebugFeatures {`