Add recaptcha enterprise provider

Author: hsubox76

packages/app-check/src/api.ts

@@ -43,7 +43,11 @@ declare module '@firebase/component' {
   }
 }
 
-export { ReCaptchaV3Provider, CustomProvider } from './providers';
+export {
+  ReCaptchaV3Provider,
+  CustomProvider,
+  ReCaptchaEnterpriseProvider
+} from './providers';
 
 /**
  * Activate App Check for the given app. Can be called only once per app.

packages/app-check/src/client.test.ts

@@ -51,6 +51,23 @@ describe('client', () => {
     });
   });
 
+  it('creates exchange recaptcha enterprise token request correctly', () => {
+    const request = getExchangeRecaptchaTokenRequest(
+      app,
+      'fake-recaptcha-token',
+      true
+    );
+    const { projectId, appId, apiKey } = app.options;
+
+    expect(request).to.deep.equal({
+      url: `${BASE_ENDPOINT}/projects/${projectId}/apps/${appId}:exchangeRecaptchaToken?key=${apiKey}`,
+      body: {
+        // eslint-disable-next-line camelcase
+        recaptcha_enterprise_token: 'fake-recaptcha-token'
+      }
+    });
+  });
+
   it('returns a AppCheck token', async () => {
     // To get a consistent expireTime/issuedAtTime.
     const clock = useFakeTimers();

packages/app-check/src/client.ts

@@ -105,15 +105,16 @@ export async function exchangeToken(
 
 export function getExchangeRecaptchaTokenRequest(
   app: FirebaseApp,
-  reCAPTCHAToken: string
+  reCAPTCHAToken: string,
+  isEnterprise: boolean = false
 ): AppCheckRequest {
   const { projectId, appId, apiKey } = app.options;
+  const fieldName = isEnterprise ? 'recaptcha_enterprise_token' : 'recaptcha_token';
 
   return {
     url: `${BASE_ENDPOINT}/projects/${projectId}/apps/${appId}:${EXCHANGE_RECAPTCHA_TOKEN_METHOD}?key=${apiKey}`,
     body: {
-      // eslint-disable-next-line
-      recaptcha_token: reCAPTCHAToken
+      [fieldName]: reCAPTCHAToken
     }
   };
 }

packages/app-check/src/providers.ts

@@ -88,6 +88,67 @@ export class ReCaptchaV3Provider implements AppCheckProvider {
   }
 }
 
+/**
+ * App Check provider that can obtain a reCAPTCHA Enterprise token and exchange it
+ * for an App Check token.
+ *
+ * @public
+ */
+export class ReCaptchaEnterpriseProvider implements AppCheckProvider {
+  private _app?: FirebaseApp;
+  private _platformLoggerProvider?: Provider<'platform-logger'>;
+  /**
+   * Create a ReCaptchaV3Provider instance.
+   * @param siteKey - ReCAPTCHA V3 siteKey.
+   */
+  constructor(private _siteKey: string) {}
+
+  /**
+   * Returns an App Check token.
+   * @internal
+   */
+  async getToken(): Promise<AppCheckTokenInternal> {
+    if (!this._app || !this._platformLoggerProvider) {
+      // This should only occur if user has not called initializeAppCheck().
+      // We don't have an appName to provide if so.
+      // This should already be caught in the top level `getToken()` function.
+      throw ERROR_FACTORY.create(AppCheckError.USE_BEFORE_ACTIVATION, {
+        appName: ''
+      });
+    }
+    const attestedClaimsToken = await getReCAPTCHAToken(this._app).catch(_e => {
+      // reCaptcha.execute() throws null which is not very descriptive.
+      throw ERROR_FACTORY.create(AppCheckError.RECAPTCHA_ERROR);
+    });
+    return exchangeToken(
+      getExchangeRecaptchaTokenRequest(this._app, attestedClaimsToken, true),
+      this._platformLoggerProvider
+    );
+  }
+
+  /**
+   * @internal
+   */
+  initialize(app: FirebaseApp): void {
+    this._app = app;
+    this._platformLoggerProvider = _getProvider(app, 'platform-logger');
+    initializeRecaptcha(app, this._siteKey, true).catch(() => {
+      /* we don't care about the initialization result */
+    });
+  }
+
+  /**
+   * @internal
+   */
+  isEqual(otherProvider: unknown): boolean {
+    if (otherProvider instanceof ReCaptchaEnterpriseProvider) {
+      return this._siteKey === otherProvider._siteKey;
+    } else {
+      return false;
+    }
+  }
+}
+
 /**
  * Custom provider class.
  * @public

packages/app-check/src/public-types.ts

@@ -16,7 +16,11 @@
  */
 
 import { FirebaseApp } from '@firebase/app';
-import { CustomProvider, ReCaptchaV3Provider } from './providers';
+import {
+  CustomProvider,
+  ReCaptchaEnterpriseProvider,
+  ReCaptchaV3Provider
+} from './providers';
 export { Unsubscribe, PartialObserver } from '@firebase/util';
 
 /**
@@ -56,7 +60,7 @@ export interface AppCheckOptions {
   /**
    * reCAPTCHA provider or custom provider.
    */
-  provider: CustomProvider | ReCaptchaV3Provider;
+  provider: CustomProvider | ReCaptchaV3Provider | ReCaptchaEnterpriseProvider;
   /**
    * If set to true, enables automatic background refresh of App Check token.
    */

packages/app-check/src/recaptcha.test.ts

@@ -26,12 +26,12 @@ import {
   findgreCAPTCHAScriptsOnPage,
   FAKE_SITE_KEY
 } from '../test/util';
-import { initialize, getToken } from './recaptcha';
+import { initialize, getToken, GreCAPTCHATopLevel } from './recaptcha';
 import * as utils from './util';
 import { getState } from './state';
 import { Deferred } from '@firebase/util';
 import { initializeAppCheck } from './api';
-import { ReCaptchaV3Provider } from './providers';
+import { ReCaptchaEnterpriseProvider, ReCaptchaV3Provider } from './providers';
 
 describe('recaptcha', () => {
   let app: FirebaseApp;
@@ -45,9 +45,9 @@ describe('recaptcha', () => {
     return deleteApp(app);
   });
 
-  describe('initialize()', () => {
+  describe('initialize() - V3', () => {
     it('sets reCAPTCHAState', async () => {
-      self.grecaptcha = getFakeGreCAPTCHA();
+      self.grecaptcha = getFakeGreCAPTCHA() as GreCAPTCHATopLevel;
       expect(getState(app).reCAPTCHAState).to.equal(undefined);
       await initialize(app, FAKE_SITE_KEY);
       expect(getState(app).reCAPTCHAState?.initialized).to.be.instanceof(
@@ -75,7 +75,7 @@ describe('recaptcha', () => {
     it('creates invisible widget', async () => {
       const grecaptchaFake = getFakeGreCAPTCHA();
       const renderStub = stub(grecaptchaFake, 'render').callThrough();
-      self.grecaptcha = grecaptchaFake;
+      self.grecaptcha = grecaptchaFake as GreCAPTCHATopLevel;
 
       await initialize(app, FAKE_SITE_KEY);
 
@@ -88,7 +88,50 @@ describe('recaptcha', () => {
     });
   });
 
-  describe('getToken()', () => {
+  describe('initialize() - Enterprise', () => {
+    it('sets reCAPTCHAState', async () => {
+      self.grecaptcha = getFakeGreCAPTCHA() as GreCAPTCHATopLevel;
+      expect(getState(app).reCAPTCHAState).to.equal(undefined);
+      await initialize(app, FAKE_SITE_KEY, true);
+      expect(getState(app).reCAPTCHAState?.initialized).to.be.instanceof(
+        Deferred
+      );
+    });
+
+    it('loads reCAPTCHA script if it was not loaded already', async () => {
+      const fakeRecaptcha = getFakeGreCAPTCHA();
+      let count = 0;
+      stub(utils, 'getRecaptcha').callsFake(() => {
+        count++;
+        if (count === 1) {
+          return undefined;
+        }
+
+        return fakeRecaptcha;
+      });
+
+      expect(findgreCAPTCHAScriptsOnPage().length).to.equal(0);
+      await initialize(app, FAKE_SITE_KEY, true);
+      expect(findgreCAPTCHAScriptsOnPage().length).to.equal(1);
+    });
+
+    it('creates invisible widget', async () => {
+      const grecaptchaFake = getFakeGreCAPTCHA() as GreCAPTCHATopLevel;
+      const renderStub = stub(grecaptchaFake.enterprise, 'render').callThrough();
+      self.grecaptcha = grecaptchaFake;
+
+      await initialize(app, FAKE_SITE_KEY, true);
+
+      expect(renderStub).to.be.calledWith(`fire_app_check_${app.name}`, {
+        sitekey: FAKE_SITE_KEY,
+        size: 'invisible'
+      });
+
+      expect(getState(app).reCAPTCHAState?.widgetId).to.equal('fake_widget_1');
+    });
+  });
+
+  describe('getToken() - V3', () => {
     it('throws if AppCheck has not been activated yet', () => {
       return expect(getToken(app)).to.eventually.rejectedWith(
         /appCheck\/use-before-activation/
@@ -100,7 +143,7 @@ describe('recaptcha', () => {
       const executeStub = stub(grecaptchaFake, 'execute').returns(
         Promise.resolve('fake-recaptcha-token')
       );
-      self.grecaptcha = grecaptchaFake;
+      self.grecaptcha = grecaptchaFake as GreCAPTCHATopLevel;
       initializeAppCheck(app, {
         provider: new ReCaptchaV3Provider(FAKE_SITE_KEY)
       });
@@ -116,7 +159,7 @@ describe('recaptcha', () => {
       stub(grecaptchaFake, 'execute').returns(
         Promise.resolve('fake-recaptcha-token')
       );
-      self.grecaptcha = grecaptchaFake;
+      self.grecaptcha = grecaptchaFake as GreCAPTCHATopLevel;
       initializeAppCheck(app, {
         provider: new ReCaptchaV3Provider(FAKE_SITE_KEY)
       });
@@ -125,4 +168,36 @@ describe('recaptcha', () => {
       expect(token).to.equal('fake-recaptcha-token');
     });
   });
+
+  describe('getToken() - Enterprise', () => {
+    it('calls recaptcha.execute with correct widgetId', async () => {
+      const grecaptchaFake = getFakeGreCAPTCHA() as GreCAPTCHATopLevel;
+      const executeStub = stub(grecaptchaFake.enterprise, 'execute').returns(
+        Promise.resolve('fake-recaptcha-token')
+      );
+      self.grecaptcha = grecaptchaFake;
+      initializeAppCheck(app, {
+        provider: new ReCaptchaEnterpriseProvider(FAKE_SITE_KEY)
+      });
+      await getToken(app);
+
+      expect(executeStub).to.have.been.calledWith('fake_widget_1', {
+        action: 'fire_app_check'
+      });
+    });
+
+    it('resolves with token returned by recaptcha.execute', async () => {
+      const grecaptchaFake = getFakeGreCAPTCHA() as GreCAPTCHATopLevel;
+      stub(grecaptchaFake.enterprise, 'execute').returns(
+        Promise.resolve('fake-recaptcha-token')
+      );
+      self.grecaptcha = grecaptchaFake;
+      initializeAppCheck(app, {
+        provider: new ReCaptchaEnterpriseProvider(FAKE_SITE_KEY)
+      });
+      const token = await getToken(app);
+
+      expect(token).to.equal('fake-recaptcha-token');
+    });
+  });
 });

packages/app-check/src/recaptcha.ts

@@ -24,7 +24,8 @@ export const RECAPTCHA_URL = 'https://www.google.com/recaptcha/api.js';
 
 export function initialize(
   app: FirebaseApp,
-  siteKey: string
+  siteKey: string,
+  isEnterprise: boolean = false
 ): Promise<GreCAPTCHA> {
   const state = getState(app);
   const initialized = new Deferred<GreCAPTCHA>();
@@ -38,10 +39,10 @@ export function initialize(
 
   document.body.appendChild(invisibleDiv);
 
-  const grecaptcha = getRecaptcha();
+  const grecaptcha = getRecaptcha(isEnterprise);
   if (!grecaptcha) {
     loadReCAPTCHAScript(() => {
-      const grecaptcha = getRecaptcha();
+      const grecaptcha = getRecaptcha(isEnterprise);
 
       if (!grecaptcha) {
         // it shouldn't happen.
@@ -120,10 +121,14 @@ function loadReCAPTCHAScript(onload: () => void): void {
 
 declare global {
   interface Window {
-    grecaptcha: GreCAPTCHA | undefined;
+    grecaptcha: GreCAPTCHATopLevel | undefined;
   }
 }
 
+export interface GreCAPTCHATopLevel extends GreCAPTCHA {
+  enterprise: GreCAPTCHA;
+}
+
 export interface GreCAPTCHA {
   ready: (callback: () => void) => void;
   execute: (siteKey: string, options: { action: string }) => Promise<string>;

packages/app-check/src/util.ts

@@ -20,7 +20,10 @@ import { getState } from './state';
 import { ERROR_FACTORY, AppCheckError } from './errors';
 import { FirebaseApp } from '@firebase/app';
 
-export function getRecaptcha(): GreCAPTCHA | undefined {
+export function getRecaptcha(isEnterprise: boolean = false): GreCAPTCHA | undefined {
+  if (isEnterprise) {
+    return self.grecaptcha?.enterprise;
+  }
   return self.grecaptcha;
 }
 

packages/app-check/test/util.ts

@@ -16,7 +16,11 @@
  */
 
 import { FirebaseApp, initializeApp, _registerComponent } from '@firebase/app';
-import { GreCAPTCHA, RECAPTCHA_URL } from '../src/recaptcha';
+import {
+  GreCAPTCHA,
+  GreCAPTCHATopLevel,
+  RECAPTCHA_URL
+} from '../src/recaptcha';
 import {
   Provider,
   ComponentContainer,
@@ -102,12 +106,19 @@ export function getFakePlatformLoggingProvider(
   return container.getProvider('platform-logger');
 }
 
-export function getFakeGreCAPTCHA(): GreCAPTCHA {
-  return {
+export function getFakeGreCAPTCHA(
+  isTopLevel: boolean = true
+): GreCAPTCHATopLevel | GreCAPTCHA {
+  const greCaptchaTopLevel: GreCAPTCHA = {
     ready: callback => callback(),
     render: (_container, _parameters) => 'fake_widget_1',
     execute: (_siteKey, _options) => Promise.resolve('fake_recaptcha_token')
   };
+  if (isTopLevel) {
+    (greCaptchaTopLevel as GreCAPTCHATopLevel).enterprise =
+      getFakeGreCAPTCHA(false);
+  }
+  return greCaptchaTopLevel;
 }
 
 /**