Implement getToken method for Regional Auth Interop

docs-devsite/_toc.yaml

@@ -246,6 +246,8 @@ toc:
     path: /docs/reference/js/auth.emulatorconfig.md
   - title: FacebookAuthProvider
     path: /docs/reference/js/auth.facebookauthprovider.md
+  - title: FirebaseToken
+    path: /docs/reference/js/auth.firebasetoken.md
   - title: GithubAuthProvider
     path: /docs/reference/js/auth.githubauthprovider.md
   - title: GoogleAuthProvider

docs-devsite/auth.auth.md

@@ -28,6 +28,7 @@ export interface Auth
 |  [config](./auth.auth.md#authconfig) | [Config](./auth.config.md#config_interface) | The [Config](./auth.config.md#config_interface) used to initialize this instance. |
 |  [currentUser](./auth.auth.md#authcurrentuser) | [User](./auth.user.md#user_interface) \| null | The currently signed-in user (or null). |
 |  [emulatorConfig](./auth.auth.md#authemulatorconfig) | [EmulatorConfig](./auth.emulatorconfig.md#emulatorconfig_interface) \| null | The current emulator configuration (or null). |
+|  [firebaseToken](./auth.auth.md#authfirebasetoken) | [FirebaseToken](./auth.firebasetoken.md#firebasetoken_interface) \| null | The token response initialized via [exchangeToken()](./auth.md#exchangetoken_b6b1871) endpoint. |
 |  [languageCode](./auth.auth.md#authlanguagecode) | string \| null | The [Auth](./auth.auth.md#auth_interface) instance's language code. |
 |  [name](./auth.auth.md#authname) | string | The name of the app associated with the <code>Auth</code> service instance. |
 |  [settings](./auth.auth.md#authsettings) | [AuthSettings](./auth.authsettings.md#authsettings_interface) | The [Auth](./auth.auth.md#auth_interface) instance's settings. |
@@ -87,6 +88,18 @@ The current emulator configuration (or null).
 readonly emulatorConfig: EmulatorConfig | null;
 ```
 
+## Auth.firebaseToken
+
+The token response initialized via [exchangeToken()](./auth.md#exchangetoken_b6b1871) endpoint.
+
+This field is only supported for [Auth](./auth.auth.md#auth_interface) instance that have defined [TenantConfig](./auth.tenantconfig.md#tenantconfig_interface)<!-- -->.
+
+<b>Signature:</b>
+
+```typescript
+readonly firebaseToken: FirebaseToken | null;
+```
+
 ## Auth.languageCode
 
 The [Auth](./auth.auth.md#auth_interface) instance's language code.

docs-devsite/auth.firebasetoken.md

@@ -0,0 +1,40 @@
+Project: /docs/reference/js/_project.yaml
+Book: /docs/reference/_book.yaml
+page_type: reference
+
+{% comment %}
+DO NOT EDIT THIS FILE!
+This is generated by the JS SDK team, and any local changes will be
+overwritten. Changes should be made in the source code at
+https://github.com/firebase/firebase-js-sdk
+{% endcomment %}
+
+# FirebaseToken interface
+<b>Signature:</b>
+
+```typescript
+export interface FirebaseToken 
+```
+
+## Properties
+
+|  Property | Type | Description |
+|  --- | --- | --- |
+|  [expirationTime](./auth.firebasetoken.md#firebasetokenexpirationtime) | number |  |
+|  [token](./auth.firebasetoken.md#firebasetokentoken) | string |  |
+
+## FirebaseToken.expirationTime
+
+<b>Signature:</b>
+
+```typescript
+readonly expirationTime: number;
+```
+
+## FirebaseToken.token
+
+<b>Signature:</b>
+
+```typescript
+readonly token: string;
+```

docs-devsite/auth.md

@@ -118,6 +118,7 @@ Firebase Authentication
 |  [ConfirmationResult](./auth.confirmationresult.md#confirmationresult_interface) | A result from a phone number sign-in, link, or reauthenticate call. |
 |  [Dependencies](./auth.dependencies.md#dependencies_interface) | The dependencies that can be used to initialize an [Auth](./auth.auth.md#auth_interface) instance. |
 |  [EmulatorConfig](./auth.emulatorconfig.md#emulatorconfig_interface) | Configuration of Firebase Authentication Emulator. |
+|  [FirebaseToken](./auth.firebasetoken.md#firebasetoken_interface) |  |
 |  [IdTokenResult](./auth.idtokenresult.md#idtokenresult_interface) | Interface representing ID token result obtained from [User.getIdTokenResult()](./auth.user.md#usergetidtokenresult)<!-- -->. |
 |  [MultiFactorAssertion](./auth.multifactorassertion.md#multifactorassertion_interface) | The base class for asserting ownership of a second factor. |
 |  [MultiFactorError](./auth.multifactorerror.md#multifactorerror_interface) | The error thrown when the user needs to provide a second factor to sign in successfully. |

packages/auth-interop-types/index.d.ts

@@ -21,6 +21,7 @@ export interface FirebaseAuthTokenData {
 
 export interface FirebaseAuthInternal {
   getToken(refreshToken?: boolean): Promise<FirebaseAuthTokenData | null>;
+  getFirebaseToken(): Promise<FirebaseAuthTokenData | null>;
   getUid(): string | null;
   addAuthTokenListener(fn: (token: string | null) => void): void;
   removeAuthTokenListener(fn: (token: string | null) => void): void;

packages/auth/src/api/authentication/exchange_token.ts

@@ -27,8 +27,10 @@ export interface ExchangeTokenRequest {
 }
 
 export interface ExchangeTokenResponse {
+  // The firebase access token (JWT signed by Firebase Auth).
   accessToken: string;
-  expiresIn?: string;
+  // The time when the access token expires.
+  expiresIn: number;
 }
 
 export async function exchangeToken(

packages/auth/src/core/auth/auth_impl.ts

@@ -37,7 +37,8 @@ import {
   NextFn,
   Unsubscribe,
   PasswordValidationStatus,
-  TenantConfig
+  TenantConfig,
+  FirebaseToken
 } from '../../model/public_types';
 import {
   createSubscribe,
@@ -100,6 +101,7 @@ export const enum DefaultConfig {
 export class AuthImpl implements AuthInternal, _FirebaseService {
   currentUser: User | null = null;
   emulatorConfig: EmulatorConfig | null = null;
+  firebaseToken: FirebaseToken | null = null;
   private operations = Promise.resolve();
   private persistenceManager?: PersistenceUserManager;
   private redirectPersistenceManager?: PersistenceUserManager;
@@ -455,6 +457,12 @@ export class AuthImpl implements AuthInternal, _FirebaseService {
     });
   }
 
+  async _updateFirebaseToken(
+    firebaseToken: FirebaseToken | null
+  ): Promise<void> {
+    this.firebaseToken = firebaseToken;
+  }
+
   async signOut(): Promise<void> {
     if (_isFirebaseServerApp(this.app)) {
       return Promise.reject(

packages/auth/src/core/auth/firebase_internal.test.ts

@@ -20,7 +20,11 @@ import { expect, use } from 'chai';
 import * as sinon from 'sinon';
 import chaiAsPromised from 'chai-as-promised';
 
-import { testAuth, testUser } from '../../../test/helpers/mock_auth';
+import {
+  regionalTestAuth,
+  testAuth,
+  testUser
+} from '../../../test/helpers/mock_auth';
 import { AuthInternal } from '../../model/auth';
 import { UserInternal } from '../../model/user';
 import { AuthInterop } from './firebase_internal';
@@ -37,6 +41,9 @@ describe('core/auth/firebase_internal', () => {
 
   afterEach(() => {
     sinon.restore();
+    delete (auth as unknown as Record<string, unknown>)[
+      '_initializationPromise'
+    ];
   });
 
   context('getUid', () => {
@@ -215,3 +222,57 @@ describe('core/auth/firebase_internal', () => {
     });
   });
 });
+
+describe('core/auth/firebase_internal - Regional Firebase Auth', () => {
+  let regionalAuth: AuthInternal;
+  let regionalAuthInternal: AuthInterop;
+  let now: number;
+  beforeEach(async () => {
+    regionalAuth = await regionalTestAuth();
+    regionalAuthInternal = new AuthInterop(regionalAuth);
+    now = Date.now();
+    sinon.stub(Date, 'now').returns(now);
+  });
+
+  afterEach(() => {
+    sinon.restore();
+  });
+
+  context('getFirebaseToken', () => {
+    it('returns null if firebase token is undefined', async () => {
+      expect(await regionalAuthInternal.getFirebaseToken()).to.be.null;
+    });
+
+    it('returns the id token correctly', async () => {
+      await regionalAuth._updateFirebaseToken({
+        token: 'access-token',
+        expirationTime: now + 300_000
+      });
+      expect(await regionalAuthInternal.getFirebaseToken()).to.eql({
+        accessToken: 'access-token'
+      });
+    });
+
+    it('logs out the the id token expires in next 30 seconds', async () => {
+      expect(await regionalAuthInternal.getFirebaseToken()).to.be.null;
+    });
+
+    it('logs out if token has expired', async () => {
+      await regionalAuth._updateFirebaseToken({
+        token: 'access-token',
+        expirationTime: now - 5_000
+      });
+      expect(await regionalAuthInternal.getFirebaseToken()).to.null;
+      expect(regionalAuth.firebaseToken).to.null;
+    });
+
+    it('logs out if token is expiring in next 5 seconds', async () => {
+      await regionalAuth._updateFirebaseToken({
+        token: 'access-token',
+        expirationTime: now + 5_000
+      });
+      expect(await regionalAuthInternal.getFirebaseToken()).to.null;
+      expect(regionalAuth.firebaseToken).to.null;
+    });
+  });
+});

packages/auth/src/core/auth/firebase_internal.ts

@@ -28,6 +28,7 @@ interface TokenListener {
 }
 
 export class AuthInterop implements FirebaseAuthInternal {
+  private readonly TOKEN_EXPIRATION_BUFFER = 30_000;
   private readonly internalListeners: Map<TokenListener, Unsubscribe> =
     new Map();
 
@@ -51,6 +52,27 @@ export class AuthInterop implements FirebaseAuthInternal {
     return { accessToken };
   }
 
+  async getFirebaseToken(): Promise<{ accessToken: string } | null> {
+    this.assertAuthConfigured();
+    await this.auth._initializationPromise;
+    this.assertRegionalAuthConfigured();
+    if (!this.auth.firebaseToken) {
+      return null;
+    }
+
+    if (
+      !this.auth.firebaseToken.expirationTime ||
+      Date.now() >
+        this.auth.firebaseToken.expirationTime - this.TOKEN_EXPIRATION_BUFFER
+    ) {
+      await this.auth._updateFirebaseToken(null);
+      return null;
+    }
+
+    const accessToken = await this.auth.firebaseToken.token;
+    return { accessToken };
+  }
+
   addAuthTokenListener(listener: TokenListener): void {
     this.assertAuthConfigured();
     if (this.internalListeners.has(listener)) {
@@ -85,6 +107,10 @@ export class AuthInterop implements FirebaseAuthInternal {
     );
   }
 
+  private assertRegionalAuthConfigured(): void {
+    _assert(this.auth.tenantConfig, AuthErrorCode.OPERATION_NOT_ALLOWED);
+  }
+
   private updateProactiveRefresh(): void {
     if (this.internalListeners.size > 0) {
       this.auth._startProactiveRefresh();

packages/auth/src/core/strategies/exchange_token.test.ts

@@ -24,6 +24,7 @@ import {
   testAuth,
   TestAuth
 } from '../../../test/helpers/mock_auth';
+import * as sinon from 'sinon';
 import * as mockFetch from '../../../test/helpers/mock_fetch';
 import { HttpHeader, RegionalEndpoint } from '../../api';
 import { exchangeToken } from './exhange_token';
@@ -35,19 +36,23 @@ use(chaiAsPromised);
 describe('core/strategies/exchangeToken', () => {
   let auth: TestAuth;
   let regionalAuth: TestAuth;
+  let now: number;
 
   beforeEach(async () => {
     auth = await testAuth();
     regionalAuth = await regionalTestAuth();
     mockFetch.setUp();
+    now = Date.now();
+    sinon.stub(Date, 'now').returns(now);
   });
   afterEach(mockFetch.tearDown);
+  afterEach(() => sinon.restore());
 
   it('should return a valid access token for Regional Auth', async () => {
     const mock = mockRegionalEndpointWithParent(
       RegionalEndpoint.EXCHANGE_TOKEN,
       'projects/test-project-id/locations/us/tenants/tenant-1/idpConfigs/idp-config',
-      { accessToken: 'outbound-token', expiresIn: '1000' }
+      { accessToken: 'outbound-token', expiresIn: 10 }
     );
 
     const accessToken = await exchangeToken(
@@ -65,6 +70,8 @@ describe('core/strategies/exchangeToken', () => {
     expect(mock.calls[0].headers!.get(HttpHeader.CONTENT_TYPE)).to.eq(
       'application/json'
     );
+    expect(regionalAuth.firebaseToken?.token).to.equal('outbound-token');
+    expect(regionalAuth.firebaseToken?.expirationTime).to.equal(now + 10_000);
   });
 
   it('throws exception for default Auth', async () => {
@@ -106,5 +113,6 @@ describe('core/strategies/exchangeToken', () => {
     expect(mock.calls[0].headers!.get(HttpHeader.CONTENT_TYPE)).to.eq(
       'application/json'
     );
+    expect(regionalAuth.firebaseToken).is.null;
   });
 });

packages/auth/src/core/strategies/exhange_token.ts

@@ -54,7 +54,12 @@ export async function exchangeToken(
     parent: buildParent(auth, idpConfigId),
     token: customToken
   });
-  // TODO(sammansi): Write token to the Auth object passed.
+  if (token) {
+    await authInternal._updateFirebaseToken({
+      token: token.accessToken,
+      expirationTime: Date.now() + token.expiresIn * 1000
+    });
+  }
   return token.accessToken;
 }
 

packages/auth/src/model/auth.ts

@@ -20,6 +20,7 @@ import {
   AuthSettings,
   Config,
   EmulatorConfig,
+  FirebaseToken,
   PasswordPolicy,
   PasswordValidationStatus,
   PopupRedirectResolver,
@@ -75,6 +76,7 @@ export interface AuthInternal extends Auth {
   _initializationPromise: Promise<void> | null;
   _persistenceManagerAvailable: Promise<void>;
   _updateCurrentUser(user: UserInternal | null): Promise<void>;
+  _updateFirebaseToken(firebaseToken: FirebaseToken | null): Promise<void>;
 
   _onStorageEvent(): void;
 

packages/auth/src/model/public_types.ts

@@ -334,6 +334,14 @@ export interface Auth {
    * {@link @firebase/app#FirebaseServerApp}.
    */
   signOut(): Promise<void>;
+  /**
+   * The token response initialized via {@link exchangeToken} endpoint.
+   *
+   * @remarks
+   * This field is only supported for {@link Auth} instance that have defined
+   * {@link TenantConfig}.
+   */
+  readonly firebaseToken: FirebaseToken | null;
 }
 
 /**
@@ -966,6 +974,13 @@ export interface ReactNativeAsyncStorage {
   removeItem(key: string): Promise<void>;
 }
 
+export interface FirebaseToken {
+  // The firebase access token (JWT signed by Firebase Auth).
+  readonly token: string;
+  // The time when the access token expires.
+  readonly expirationTime: number;
+}
+
 /**
  * A user account.
  *