Add iat to fake access token payload (#1022)

ryanpbrewster · web-flow · commit 86c8077a011c · 2018-07-20T15:55:42.000-07:00
* Add iat to fake access token payload

* [AUTOMATED]: Prettier Code Styling

* Simpler tests

* [AUTOMATED]: Prettier Code Styling

* Do not clobber iat
diff --git a/packages/testing/src/api/index.ts b/packages/testing/src/api/index.ts
@@ -20,18 +20,26 @@ import * as fs from 'fs';
 import { FirebaseApp, FirebaseOptions } from '@firebase/app-types';
 import { base64 } from '@firebase/util';
 
+/** The default url for the local database emulator. */
 const DBURL = 'http://localhost:9000';
-
-class FakeCredentials {
-  getAccessToken() {
-    return Promise.resolve({
-      expires_in: 1000000,
-      access_token: 'owner'
-    });
-  }
-  getCertificate() {
-    return null;
-  }
+/** Passing this in tells the emulator to treat you as an admin. */
+const ADMIN_TOKEN = 'owner';
+/** Create an unsecured JWT for the given auth payload. See https://tools.ietf.org/html/rfc7519#section-6. */
+function createUnsecuredJwt(auth: object): string {
+  // Unsecured JWTs use "none" as the algorithm.
+  const header = {
+    alg: 'none',
+    kid: 'fakekid'
+  };
+  // Ensure that the auth payload has a value for 'iat'.
+  (auth as any).iat = (auth as any).iat || 0;
+  // Unsecured JWTs use the empty string as a signature.
+  const signature = '';
+  return [
+    base64.encodeString(JSON.stringify(header), /*webSafe=*/ false),
+    base64.encodeString(JSON.stringify(auth), /*webSafe=*/ false),
+    signature
+  ].join('.');
 }
 
 export function apps(): (FirebaseApp | null)[] {
@@ -41,41 +49,56 @@ export function apps(): (FirebaseApp | null)[] {
 export type AppOptions = {
   databaseName?: string;
   projectId?: string;
-  auth: object;
+  auth?: object;
 };
+/** Construct a FirebaseApp authenticated with options.auth. */
 export function initializeTestApp(options: AppOptions): FirebaseApp {
-  let appOptions: FirebaseOptions;
-  if ('databaseName' in options) {
+  return initializeApp(
+    options.auth ? createUnsecuredJwt(options.auth) : null,
+    options.databaseName,
+    options.projectId
+  );
+}
+
+export type AdminAppOptions = {
+  databaseName?: string;
+  projectId?: string;
+};
+/** Construct a FirebaseApp authenticated as an admin user. */
+export function initializeAdminApp(options: AdminAppOptions): FirebaseApp {
+  return initializeApp(ADMIN_TOKEN, options.databaseName, options.projectId);
+}
+
+function initializeApp(
+  accessToken?: string,
+  databaseName?: string,
+  projectId?: string
+): FirebaseApp {
+  let appOptions: FirebaseOptions = {};
+  if (databaseName) {
     appOptions = {
-      databaseURL: DBURL + '?ns=' + options.databaseName
+      databaseURL: DBURL + '?ns=' + databaseName
     };
-  } else if ('projectId' in options) {
+  } else if (projectId) {
     appOptions = {
-      projectId: options.projectId
+      projectId: projectId
     };
   } else {
     throw new Error('neither databaseName or projectId were specified');
   }
-  const header = {
-    alg: 'RS256',
-    kid: 'fakekid'
-  };
-  const fakeToken = [
-    base64.encodeString(JSON.stringify(header), /*webSafe=*/ false),
-    base64.encodeString(JSON.stringify(options.auth), /*webSafe=*/ false),
-    'fakesignature'
-  ].join('.');
   const appName = 'app-' + new Date().getTime() + '-' + Math.random();
-  const app = firebase.initializeApp(appOptions, appName);
+  let app = firebase.initializeApp(appOptions, appName);
   // hijacking INTERNAL.getToken to bypass FirebaseAuth and allows specifying of auth headers
-  (app as any).INTERNAL.getToken = () =>
-    Promise.resolve({ accessToken: fakeToken });
+  if (accessToken) {
+    (app as any).INTERNAL.getToken = () =>
+      Promise.resolve({ accessToken: accessToken });
+  }
   return app;
 }
 
 export type LoadDatabaseRulesOptions = {
-  databaseName: String;
-  rules: String;
+  databaseName: string;
+  rules: string;
   rulesPath: fs.PathLike;
 };
 export function loadDatabaseRules(options: LoadDatabaseRulesOptions): void {
diff --git a/packages/testing/test/database.test.ts b/packages/testing/test/database.test.ts
@@ -47,56 +47,35 @@ describe('Testing Module Tests', function() {
     });
   });
 
-  it('initializeTestApp() with DatabaseAppOptions uses specified auth.', async function() {
-    let app = firebase.initializeTestApp({
+  it('initializeTestApp() with auth=null does not set access token', async function() {
+    const app = firebase.initializeTestApp({
       projectId: 'foo',
-      auth: {}
+      auth: null
     });
-    let token = await (app as any).INTERNAL.getToken();
-    expect(token).to.have.any.keys('accessToken');
-    let claims = base64.decodeString(
-      token.accessToken.split('.')[1],
-      /*webSafe=*/ false
-    );
-    expect(claims).to.equal('{}');
-
-    app = firebase.initializeTestApp({
-      projectId: 'foo',
-      auth: { uid: 'alice' }
-    });
-    token = await (app as any).INTERNAL.getToken();
-    expect(token).to.have.any.keys('accessToken');
-    claims = base64.decodeString(
-      token.accessToken.split('.')[1],
-      /*webSafe=*/ false
-    );
-    expect(claims).to.equal('{"uid":"alice"}');
+    const token = await (app as any).INTERNAL.getToken();
+    expect(token).to.be.null;
   });
 
-  it('initializeTestApp() with FirestoreAppOptions uses specified auth.', async function() {
-    let app = firebase.initializeTestApp({
+  it('initializeTestApp() with auth sets the correct access token', async function() {
+    const auth = { uid: 'alice' };
+    const app = firebase.initializeTestApp({
       projectId: 'foo',
-      auth: {}
+      auth: auth
     });
-    let token = await (app as any).INTERNAL.getToken();
-    expect(token).to.have.any.keys('accessToken');
-    let claims = base64.decodeString(
-      token.accessToken.split('.')[1],
-      /*webSafe=*/ false
+    const token = await (app as any).INTERNAL.getToken();
+    expect(token).to.have.keys('accessToken');
+    const claims = JSON.parse(
+      base64.decodeString(token.accessToken.split('.')[1], /*webSafe=*/ false)
     );
-    expect(claims).to.equal('{}');
+    // We add an 'iat' field.
+    expect(claims).to.deep.equal({ uid: auth.uid, iat: 0 });
+  });
 
-    app = firebase.initializeTestApp({
-      projectId: 'foo',
-      auth: { uid: 'alice' }
-    });
-    token = await (app as any).INTERNAL.getToken();
-    expect(token).to.have.any.keys('accessToken');
-    claims = base64.decodeString(
-      token.accessToken.split('.')[1],
-      /*webSafe=*/ false
-    );
-    expect(claims).to.equal('{"uid":"alice"}');
+  it('initializeAdminApp() sets the access token to "owner"', async function() {
+    const app = firebase.initializeAdminApp({ projectId: 'foo' });
+    const token = await (app as any).INTERNAL.getToken();
+    expect(token).to.have.keys('accessToken');
+    expect(token.accessToken).to.be.string('owner');
   });
 
   it('loadDatabaseRules() throws if no databaseName or rulesPath', async function() {
