Add support for Data Connect Impersonation

jonathanedey · jonathanedey · commit a99f8b28d79f · 2025-02-10T09:52:58.000-05:00
diff --git a/src/data-connect/data-connect-api-client-internal.ts b/src/data-connect/data-connect-api-client-internal.ts
@@ -106,6 +106,7 @@ export class DataConnectApiClient {
       query,
       ...(options?.variables && { variables: options?.variables }),
       ...(options?.operationName && { operationName: options?.operationName }),
+      ...(options?.impersonate && { extensions: { impersonate: options?.impersonate } }),
     };
     return this.getUrl(host, this.connectorConfig.location, this.connectorConfig.serviceId, endpoint)
       .then(async (url) => {
diff --git a/src/data-connect/data-connect-api.ts b/src/data-connect/data-connect-api.ts
@@ -15,6 +15,8 @@
  * limitations under the License.
  */
 
+import { DecodedIdToken } from '../auth/token-verifier';
+
 /**
  * Interface representing a Data Connect connector configuration.
  */
@@ -53,4 +55,49 @@ export interface GraphqlOptions<Variables> {
    * The name of the GraphQL operation. Required only if `query` contains multiple operations.
    */
   operationName?: string;
+
+  /**
+   * If set, impersonate a request with given Firebase Auth context and evaluate the auth
+   * policies on the operation. If omitted, bypass any defined auth policies.
+   */
+  impersonate?: ImpersonateAuthenticated | ImpersonateUnauthenticated;
+}
+
+/**
+ * Interface representing the impersonation of an authenticated user.
+ */
+export interface ImpersonateAuthenticated {
+  /**
+   * Evaluate the auth policy with a customized JWT auth token. Should follow the Firebase Auth token format.
+   * https://firebase.google.com/docs/rules/rules-and-auth
+   * 
+   * 
+   * {@link DecodedIdToken}
+   * 
+   * @example A verified user may have the following `authClaims`:
+   * ```json
+   * { "sub": "uid", "email_verified": true }
+   * ```
+   */
+  authClaims: Partial<DecodedIdToken>;
+
+  /**
+   * Both `authClaims` and `unauthenticated` are mutually exclusive fields and should not be both set.
+   */
+  unauthenticated?: never;
+}
+
+/**
+ * Interface representing the impersonation of an unauthenticated user.
+ */
+export interface ImpersonateUnauthenticated {
+  /**
+   * Both `authClaims` and `unauthenticated` are mutually exclusive fields and should not be both set.
+   */
+  authClaims?: never;
+
+  /**
+   * Evaluates the auth policy as an unauthenticated request. Can only be set to true.
+   */
+  unauthenticated: true;
 }
