Revoke Refresh Tokens #133
Conversation
hiranya911 left a comment
Mostly good. Few changes needed.
    String uid = firebaseToken.getUid();
    UserRecord user = userManager.getUserById(uid);
    if (user.getTokensValidAfterTimestamp()
        > ((long)firebaseToken.getClaims().get("iat")) * 1000) {
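Review bot: the `(long) firebaseToken.getClaims().get("iat")` cast on the last line is unchecked, so a claims map with no `iat` entry, or one that stores it as a type other than `Long`, turns a verification failure into a NullPointerException or ClassCastException rather than a FirebaseAuthException. Because `getTokensValidAfterTimestamp()` is in milliseconds and `iat` is in seconds, the `* 1000` is a unit conversion; reading the claim into a local (`Object iat = firebaseToken.getClaims().get("iat");`), checking its type, and only then converting makes both the conversion and the failure mode explicit.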
Extract to a separate line for clarity
    String uid = firebaseToken.getUid();
    UserRecord user = userManager.getUserById(uid);
    if (user.getTokensValidAfterTimestamp()
        > ((long)firebaseToken.getClaims().get("iat")) * 1000) {
Nit: Add space between (long) and firebaseToken
    UserRecord user = userManager.getUserById(uid);
    if (user.getTokensValidAfterTimestamp()
        > ((long)firebaseToken.getClaims().get("iat")) * 1000) {
      throw new FirebaseAuthException("id-token-revoked", "Firebase auth token revoked");
Add package-level constant for the error code
     * Revokes all refresh tokens for the specified user.
     *
     * <p>In addition to revoking all refresh tokens for a user, all ID tokens issued
     * before revocation will also be revoked at the Auth backend. Any request with an
I believe this is incorrect. Please align with the documentation of Node.js SDK.
     * associated with this FirebaseAuth instance (which by default is extracted from your service
     * account)
     *
     * <p>If a request was made to check revoked, the issued-at property of the token (like all
Way too much implementation details here. Just mention something like: "If checkRevoked is true, additionally checks if the token has been revoked."
    }

    @Test
    public void testVerifyIDToken() throws Exception {
testVerifyIdToken
    assertEquals("user_ver", decoded.getUid());
    decoded = auth.verifyIdTokenAsync(idToken, true).get();
    assertEquals("user_ver", decoded.getUid());
    Thread.sleep(1100);
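Review bot: the `Thread.sleep(1100)` needs a comment stating the boundary it is there to avoid: `getTokensValidAfterTimestamp()` is truncated to whole seconds and the revocation check compares it with `iat * 1000` using a strict `>`, so a revocation that lands in the same second as the token's `iat` does not reject that token. A line such as `// make sure the revocation falls in a later second than the token's iat` answers the question every reader of this test will ask; a wall-clock sleep in an integration test is also a flakiness risk worth calling out in that comment.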
Why 1100?
      fail("expecting exception");
    } catch (ExecutionException e) {
      assertTrue(e.getCause() instanceof FirebaseAuthException);
      assertEquals("id-token-revoked", ((FirebaseAuthException) e.getCause()).getErrorCode());
Test against the package constant when you have it.
    import com.google.api.client.json.JsonFactory;
    import com.google.common.collect.ImmutableList;
    import com.google.common.collect.ImmutableMap;
    import com.google.firebase.auth.UserRecord.UpdateRequest;
Changes in this file seem unnecessary (just imports)?
On the other hand, why don't we have unit tests for the change in UserRecord class?
    @Test
    public void testVerifyIDToken() throws Exception {
      String customToken = auth.createCustomTokenAsync("user_ver").get();
Use "user2" or something to be consistent with other tests.
hiranya911 left a comment
LGTM with some nits. Please address them prior to merging.
     * <p>In addition to revoking all refresh tokens for a user, all ID tokens issued
     * before revocation will also be revoked at the Auth backend. Any request with an
     * ID token generated before revocation will be rejected with a token expired error.
     * <p>Updates the user's tokensValidAfterTimestamp to the current UTC second expressed in
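Review bot: the Javadoc's "rejected with a token expired error" does not describe what this PR implements, which is a FirebaseAuthException carrying the `id-token-revoked` error code, and the check only runs when the caller asks for it via the `checkRevoked` flag, so "any request ... will be rejected" overstates it. Say instead that ID tokens issued before the revocation fail verification with the revoked error code when `checkRevoked` is true, so that callers who verify without the flag are not misled into assuming revocation is enforced for them.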
s/second/time/
     * parsed version of the token from which the UID and other claims in the token can be inspected.
     * If the token is invalid, the future throws an exception indicating the failure.
     *
     * <p>This does not check whether a token has been revoked,
has been revoked. See....
    /**
     * Returns the timestamp beginning with which tokens are valid in seconds since the epoch.
     * Returns the timestamp beginning with which tokens are valid in milliseconds since the epoch.
Returns a timestamp in milliseconds since epoch, truncated down to the closest second. Tokens minted before this timestamp are considered invalid.
    private static void checkValidSince(long epochSeconds) {
      checkArgument(epochSeconds > 0,
          "validSince must be greater than 0 in seconds since the epoch: "
              + Long.toString(epochSeconds));
Unnecessary wrapping.
    private static void checkValidSince(long epochSeconds) {
      checkArgument(epochSeconds > 0,
          "validSince must be greater than 0 in seconds since the epoch: "
Formatting/indentation messed up here.
        // expected
      }
    }
  }
Add new line at eof
    UserRecord user = userManager.getUserById(uid);
    long issuedAt = (long) firebaseToken.getClaims().get("iat");
    if (user.getTokensValidAfterTimestamp() > issuedAt * 1000) {
      throw new FirebaseAuthException(FirebaseUserManager.ID_TOKEN_REVOKED_ERROR,
Wrong indentation?
    private Task<Void> revokeRefreshTokens(String uid) {
      checkNotDestroyed();
      final UpdateRequest request = new UpdateRequest(uid).setValidSince(
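Review bot: `setValidSince` is guarded by `checkValidSince(long epochSeconds)` elsewhere in this diff, so the value passed here should be computed as a `long`, e.g. `long nowSeconds = System.currentTimeMillis() / 1000;`, rather than narrowed to an `int`, which can no longer hold the current epoch second from 2038 onward. Since this method invalidates every session a user holds, it is also worth validating `uid` (non-null, non-empty) before constructing the `UpdateRequest`, so that a bad caller argument fails fast instead of reaching the backend.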
Nit:

    int currentTimeSeconds = (int) (System.currentTimeMillis() / 1000);
initial PR, adding comments.
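The timestamp arithmetic this review turns on (validSince stored in whole seconds, tokensValidAfterTimestamp exposed in milliseconds, the token's iat in seconds, and a strict comparison between them) can be followed end to end in the Python model below. It is an added example, not code from this PR or from the firebase-admin-java project: `UserRecord`, `FirebaseAuthException`, `check_valid_since` and the sample timestamps are constructed stand-ins for the SDK types, and `boundary_demo` shows the same-second window that an integration test has to step over before it can observe a revocation.

```python
"""Model of the ID-token revocation check under review (constructed example)."""
import time
from dataclasses import dataclass
from typing import Optional

# Error code that appears on the review page.
ID_TOKEN_REVOKED_ERROR = "id-token-revoked"


class FirebaseAuthException(Exception):
    """Stand-in for the SDK exception type (constructed for this example)."""

    def __init__(self, error_code: str, message: str) -> None:
        super().__init__(message)
        self.error_code = error_code


@dataclass
class UserRecord:
    """Minimal stand-in for UserRecord; valid_since_seconds is the backend's value."""

    uid: str
    valid_since_seconds: int = 0

    def get_tokens_valid_after_timestamp(self) -> int:
        # Milliseconds since the epoch, truncated to the second, as the review specifies.
        return self.valid_since_seconds * 1000


def check_valid_since(epoch_seconds: int) -> None:
    # Mirrors the checkValidSince guard: the field must be a positive epoch second.
    if epoch_seconds <= 0:
        raise ValueError(
            "validSince must be greater than 0 in seconds since the epoch: "
            f"{epoch_seconds}"
        )


def revoke_refresh_tokens(user: UserRecord, now_seconds: Optional[int] = None) -> int:
    """Set validSince to the current whole second (or a supplied one) and return it."""
    now = int(time.time()) if now_seconds is None else int(now_seconds)
    check_valid_since(now)
    user.valid_since_seconds = now
    return now


def check_revoked(user: UserRecord, claims: dict) -> None:
    """Raise FirebaseAuthException if the token was minted before validSince."""
    iat = claims.get("iat")
    if not isinstance(iat, int) or isinstance(iat, bool):
        # Guard the conversion that the Java snippet performs as an unchecked cast.
        raise ValueError("iat claim missing or not an integer")
    issued_at_millis = iat * 1000  # iat is in seconds; validAfter is in milliseconds
    if user.get_tokens_valid_after_timestamp() > issued_at_millis:
        raise FirebaseAuthException(ID_TOKEN_REVOKED_ERROR, "Firebase auth token revoked")


def is_revoked(user: UserRecord, claims: dict) -> bool:
    """Boolean view of check_revoked for tests and demos."""
    try:
        check_revoked(user, claims)
    except FirebaseAuthException:
        return True
    return False


def boundary_demo() -> dict:
    """Constructed scenario: revocation in the same second as iat is not detected."""
    user = UserRecord(uid="user2")
    token = {"iat": 1_700_000_000}  # constructed issued-at claim, in seconds

    revoke_refresh_tokens(user, now_seconds=1_700_000_000)  # same second as iat
    same_second = is_revoked(user, token)

    revoke_refresh_tokens(user, now_seconds=1_700_000_001)  # one second later
    later_second = is_revoked(user, token)

    newer_token = {"iat": 1_700_000_005}  # minted after the revocation
    minted_after = is_revoked(user, newer_token)

    return {
        "same_second": same_second,
        "later_second": later_second,
        "minted_after": minted_after,
    }


if __name__ == "__main__":
    print(boundary_demo())
```

The `same_second` result is the reason the integration test cannot revoke immediately after minting a token: with validSince truncated to the second and a strict comparison, the revocation has to happen in a later second than the token's iat before the check fires.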