@firebase/app-check 0.5.1 → 0.5.2

package/dist/esm/index.esm2017.js

@@ -1,6 +1,6 @@
 import { _getProvider, getApp, _registerComponent, registerVersion } from '@firebase/app';
 import { Component } from '@firebase/component';
-import { Deferred, ErrorFactory, isIndexedDBAvailable, getGlobal, base64, issuedAtTime, getModularInstance } from '@firebase/util';
+import { Deferred, ErrorFactory, isIndexedDBAvailable, getGlobal, base64, issuedAtTime, calculateBackoffMillis, getModularInstance } from '@firebase/util';
 import { Logger } from '@firebase/logger';
 
 /**
@@ -73,7 +73,11 @@ const TOKEN_REFRESH_TIME = {
      * This is the maximum retrial wait, currently 16 minutes.
      */
     RETRIAL_MAX_WAIT: 16 * 60 * 1000
-};
+};
+/**
+ * One day in millis, for certain error code backoffs.
+ */
+const ONE_DAY = 24 * 60 * 60 * 1000;
 
 /**
  * @license
@@ -214,7 +218,8 @@ const ERRORS = {
     ["storage-open" /* STORAGE_OPEN */]: 'Error thrown when opening storage. Original error: {$originalErrorMessage}.',
     ["storage-get" /* STORAGE_GET */]: 'Error thrown when reading from storage. Original error: {$originalErrorMessage}.',
     ["storage-set" /* STORAGE_WRITE */]: 'Error thrown when writing to storage. Original error: {$originalErrorMessage}.',
-    ["recaptcha-error" /* RECAPTCHA_ERROR */]: 'ReCAPTCHA error.'
+    ["recaptcha-error" /* RECAPTCHA_ERROR */]: 'ReCAPTCHA error.',
+    ["throttled" /* THROTTLED */]: `Requests throttled due to {$httpStatus} error. Attempts allowed again after {$time}`
 };
 const ERROR_FACTORY = new ErrorFactory('appCheck', 'AppCheck', ERRORS);
 
@@ -256,6 +261,28 @@ function uuidv4() {
         const r = (Math.random() * 16) | 0, v = c === 'x' ? r : (r & 0x3) | 0x8;
         return v.toString(16);
     });
+}
+function getDurationString(durationInMillis) {
+    const totalSeconds = Math.round(durationInMillis / 1000);
+    const days = Math.floor(totalSeconds / (3600 * 24));
+    const hours = Math.floor((totalSeconds - days * 3600 * 24) / 3600);
+    const minutes = Math.floor((totalSeconds - days * 3600 * 24 - hours * 3600) / 60);
+    const seconds = totalSeconds - days * 3600 * 24 - hours * 3600 - minutes * 60;
+    let result = '';
+    if (days) {
+        result += pad(days) + 'd:';
+    }
+    if (hours) {
+        result += pad(hours) + 'h:';
+    }
+    result += pad(minutes) + 'm:' + pad(seconds) + 's';
+    return result;
+}
+function pad(value) {
+    if (value === 0) {
+        return '00';
+    }
+    return value >= 10 ? value.toString() : '0' + value;
 }
 
 /**
@@ -673,9 +700,6 @@ async function getToken$2(appCheck, forceRefresh = false) {
         const cachedToken = await state.cachedTokenPromise;
         if (cachedToken && isValid(cachedToken)) {
             token = cachedToken;
-            setState(app, Object.assign(Object.assign({}, state), { token }));
-            // notify all listeners with the cached token
-            notifyTokenListeners(app, { token: token.token });
         }
     }
     // Return the cached token (from either memory or indexedDB) if it's valid
@@ -684,13 +708,25 @@ async function getToken$2(appCheck, forceRefresh = false) {
             token: token.token
         };
     }
+    // Only set to true if this `getToken()` call is making the actual
+    // REST call to the exchange endpoint, versus waiting for an already
+    // in-flight call (see debug and regular exchange endpoint paths below)
+    let shouldCallListeners = false;
     /**
      * DEBUG MODE
      * If debug mode is set, and there is no cached token, fetch a new App
      * Check token using the debug token, and return it directly.
      */
     if (isDebugMode()) {
-        const tokenFromDebugExchange = await exchangeToken(getExchangeDebugTokenRequest(app, await getDebugToken()), appCheck.platformLoggerProvider);
+        // Avoid making another call to the exchange endpoint if one is in flight.
+        if (!state.exchangeTokenPromise) {
+            state.exchangeTokenPromise = exchangeToken(getExchangeDebugTokenRequest(app, await getDebugToken()), appCheck.platformLoggerProvider).then(token => {
+                state.exchangeTokenPromise = undefined;
+                return token;
+            });
+            shouldCallListeners = true;
+        }
+        const tokenFromDebugExchange = await state.exchangeTokenPromise;
         // Write debug token to indexedDB.
         await writeTokenToStorage(app, tokenFromDebugExchange);
         // Write debug token to state.
@@ -701,14 +737,29 @@ async function getToken$2(appCheck, forceRefresh = false) {
      * request a new token
      */
     try {
-        // state.provider is populated in initializeAppCheck()
-        // ensureActivated() at the top of this function checks that
-        // initializeAppCheck() has been called.
-        token = await state.provider.getToken();
+        // Avoid making another call to the exchange endpoint if one is in flight.
+        if (!state.exchangeTokenPromise) {
+            // state.provider is populated in initializeAppCheck()
+            // ensureActivated() at the top of this function checks that
+            // initializeAppCheck() has been called.
+            state.exchangeTokenPromise = state.provider.getToken().then(token => {
+                state.exchangeTokenPromise = undefined;
+                return token;
+            });
+            shouldCallListeners = true;
+        }
+        token = await state.exchangeTokenPromise;
     }
     catch (e) {
-        // `getToken()` should never throw, but logging error text to console will aid debugging.
-        logger.error(e);
+        if (e.code === `appCheck/${"throttled" /* THROTTLED */}`) {
+            // Warn if throttled, but do not treat it as an error.
+            logger.warn(e.message);
+        }
+        else {
+            // `getToken()` should never throw, but logging error text to console will aid debugging.
+            logger.error(e);
+        }
+        // Always save error to be added to dummy token.
         error = e;
     }
     let interopTokenResult;
@@ -726,7 +777,9 @@ async function getToken$2(appCheck, forceRefresh = false) {
         setState(app, Object.assign(Object.assign({}, state), { token }));
         await writeTokenToStorage(app, token);
     }
-    notifyTokenListeners(app, interopTokenResult);
+    if (shouldCallListeners) {
+        notifyTokenListeners(app, interopTokenResult);
+    }
     return interopTokenResult;
 }
 function addTokenListener(appCheck, type, listener, onError) {
@@ -737,44 +790,31 @@ function addTokenListener(appCheck, type, listener, onError) {
         error: onError,
         type
     };
-    const newState = Object.assign(Object.assign({}, state), { tokenObservers: [...state.tokenObservers, tokenObserver] });
-    /**
-     * Invoke the listener with the valid token, then start the token refresher
-     */
-    if (!newState.tokenRefresher) {
-        const tokenRefresher = createTokenRefresher(appCheck);
-        newState.tokenRefresher = tokenRefresher;
-    }
-    // Create the refresher but don't start it if `isTokenAutoRefreshEnabled`
-    // is not true.
-    if (!newState.tokenRefresher.isRunning() && state.isTokenAutoRefreshEnabled) {
-        newState.tokenRefresher.start();
-    }
+    setState(app, Object.assign(Object.assign({}, state), { tokenObservers: [...state.tokenObservers, tokenObserver] }));
     // Invoke the listener async immediately if there is a valid token
     // in memory.
     if (state.token && isValid(state.token)) {
         const validToken = state.token;
         Promise.resolve()
-            .then(() => listener({ token: validToken.token }))
-            .catch(() => {
-            /* we don't care about exceptions thrown in listeners */
-        });
-    }
-    else if (state.token == null) {
-        // Only check cache if there was no token. If the token was invalid,
-        // skip this and rely on exchange endpoint.
-        void state
-            .cachedTokenPromise // Storage token promise. Always populated in `activate()`.
-            .then(cachedToken => {
-            if (cachedToken && isValid(cachedToken)) {
-                listener({ token: cachedToken.token });
-            }
+            .then(() => {
+            listener({ token: validToken.token });
+            initTokenRefresher(appCheck);
         })
             .catch(() => {
-            /** Ignore errors in listeners. */
+            /* we don't care about exceptions thrown in listeners */
         });
     }
-    setState(app, newState);
+    /**
+     * Wait for any cached token promise to resolve before starting the token
+     * refresher. The refresher checks to see if there is an existing token
+     * in state and calls the exchange endpoint if not. We should first let the
+     * IndexedDB check have a chance to populate state if it can.
+     *
+     * Listener call isn't needed here because cachedTokenPromise will call any
+     * listeners that exist when it resolves.
+     */
+    // state.cachedTokenPromise is always populated in `activate()`.
+    void state.cachedTokenPromise.then(() => initTokenRefresher(appCheck));
 }
 function removeTokenListener(app, listener) {
     const state = getState(app);
@@ -786,6 +826,23 @@ function removeTokenListener(app, listener) {
     }
     setState(app, Object.assign(Object.assign({}, state), { tokenObservers: newObservers }));
 }
+/**
+ * Logic to create and start refresher as needed.
+ */
+function initTokenRefresher(appCheck) {
+    const { app } = appCheck;
+    const state = getState(app);
+    // Create the refresher but don't start it if `isTokenAutoRefreshEnabled`
+    // is not true.
+    let refresher = state.tokenRefresher;
+    if (!refresher) {
+        refresher = createTokenRefresher(appCheck);
+        setState(app, Object.assign(Object.assign({}, state), { tokenRefresher: refresher }));
+    }
+    if (!refresher.isRunning() && state.isTokenAutoRefreshEnabled) {
+        refresher.start();
+    }
+}
 function createTokenRefresher(appCheck) {
     const { app } = appCheck;
     return new Refresher(
@@ -807,7 +864,6 @@ function createTokenRefresher(appCheck) {
             throw result.error;
         }
     }, () => {
-        // TODO: when should we retry?
         return true;
     }, () => {
         const state = getState(app);
@@ -903,7 +959,7 @@ function internalFactory(appCheck) {
 }
 
 const name = "@firebase/app-check";
-const version = "0.5.1";
+const version = "0.5.2";
 
 /**
  * @license
@@ -1061,19 +1117,44 @@ class ReCaptchaV3Provider {
      */
     constructor(_siteKey) {
         this._siteKey = _siteKey;
+        /**
+         * Throttle requests on certain error codes to prevent too many retries
+         * in a short time.
+         */
+        this._throttleData = null;
     }
     /**
      * Returns an App Check token.
      * @internal
      */
     async getToken() {
+        var _a;
+        throwIfThrottled(this._throttleData);
         // Top-level `getToken()` has already checked that App Check is initialized
         // and therefore this._app and this._platformLoggerProvider are available.
         const attestedClaimsToken = await getToken$1(this._app).catch(_e => {
             // reCaptcha.execute() throws null which is not very descriptive.
             throw ERROR_FACTORY.create("recaptcha-error" /* RECAPTCHA_ERROR */);
         });
-        return exchangeToken(getExchangeRecaptchaV3TokenRequest(this._app, attestedClaimsToken), this._platformLoggerProvider);
+        let result;
+        try {
+            result = await exchangeToken(getExchangeRecaptchaV3TokenRequest(this._app, attestedClaimsToken), this._platformLoggerProvider);
+        }
+        catch (e) {
+            if (e.code === "fetch-status-error" /* FETCH_STATUS_ERROR */) {
+                this._throttleData = setBackoff(Number((_a = e.customData) === null || _a === void 0 ? void 0 : _a.httpStatus), this._throttleData);
+                throw ERROR_FACTORY.create("throttled" /* THROTTLED */, {
+                    time: getDurationString(this._throttleData.allowRequestsAfter - Date.now()),
+                    httpStatus: this._throttleData.httpStatus
+                });
+            }
+            else {
+                throw e;
+            }
+        }
+        // If successful, clear throttle data.
+        this._throttleData = null;
+        return result;
     }
     /**
      * @internal
@@ -1110,19 +1191,44 @@ class ReCaptchaEnterpriseProvider {
      */
     constructor(_siteKey) {
         this._siteKey = _siteKey;
+        /**
+         * Throttle requests on certain error codes to prevent too many retries
+         * in a short time.
+         */
+        this._throttleData = null;
     }
     /**
      * Returns an App Check token.
      * @internal
      */
     async getToken() {
+        var _a;
+        throwIfThrottled(this._throttleData);
         // Top-level `getToken()` has already checked that App Check is initialized
         // and therefore this._app and this._platformLoggerProvider are available.
         const attestedClaimsToken = await getToken$1(this._app).catch(_e => {
             // reCaptcha.execute() throws null which is not very descriptive.
             throw ERROR_FACTORY.create("recaptcha-error" /* RECAPTCHA_ERROR */);
         });
-        return exchangeToken(getExchangeRecaptchaEnterpriseTokenRequest(this._app, attestedClaimsToken), this._platformLoggerProvider);
+        let result;
+        try {
+            result = await exchangeToken(getExchangeRecaptchaEnterpriseTokenRequest(this._app, attestedClaimsToken), this._platformLoggerProvider);
+        }
+        catch (e) {
+            if (e.code === "fetch-status-error" /* FETCH_STATUS_ERROR */) {
+                this._throttleData = setBackoff(Number((_a = e.customData) === null || _a === void 0 ? void 0 : _a.httpStatus), this._throttleData);
+                throw ERROR_FACTORY.create("throttled" /* THROTTLED */, {
+                    time: getDurationString(this._throttleData.allowRequestsAfter - Date.now()),
+                    httpStatus: this._throttleData.httpStatus
+                });
+            }
+            else {
+                throw e;
+            }
+        }
+        // If successful, clear throttle data.
+        this._throttleData = null;
+        return result;
     }
     /**
      * @internal
@@ -1190,6 +1296,57 @@ class CustomProvider {
             return false;
         }
     }
+}
+/**
+ * Set throttle data to block requests until after a certain time
+ * depending on the failed request's status code.
+ * @param httpStatus - Status code of failed request.
+ * @param throttleData - `ThrottleData` object containing previous throttle
+ * data state.
+ * @returns Data about current throttle state and expiration time.
+ */
+function setBackoff(httpStatus, throttleData) {
+    /**
+     * Block retries for 1 day for the following error codes:
+     *
+     * 404: Likely malformed URL.
+     *
+     * 403:
+     * - Attestation failed
+     * - Wrong API key
+     * - Project deleted
+     */
+    if (httpStatus === 404 || httpStatus === 403) {
+        return {
+            backoffCount: 1,
+            allowRequestsAfter: Date.now() + ONE_DAY,
+            httpStatus
+        };
+    }
+    else {
+        /**
+         * For all other error codes, the time when it is ok to retry again
+         * is based on exponential backoff.
+         */
+        const backoffCount = throttleData ? throttleData.backoffCount : 0;
+        const backoffMillis = calculateBackoffMillis(backoffCount, 1000, 2);
+        return {
+            backoffCount: backoffCount + 1,
+            allowRequestsAfter: Date.now() + backoffMillis,
+            httpStatus
+        };
+    }
+}
+function throwIfThrottled(throttleData) {
+    if (throttleData) {
+        if (Date.now() - throttleData.allowRequestsAfter <= 0) {
+            // If before, throw.
+            throw ERROR_FACTORY.create("throttled" /* THROTTLED */, {
+                time: getDurationString(throttleData.allowRequestsAfter - Date.now()),
+                httpStatus: throttleData.httpStatus
+            });
+        }
+    }
 }
 
 /**
@@ -1245,6 +1402,17 @@ function initializeAppCheck(app = getApp(), options) {
     }
     const appCheck = provider.initialize({ options });
     _activate(app, options.provider, options.isTokenAutoRefreshEnabled);
+    // If isTokenAutoRefreshEnabled is false, do not send any requests to the
+    // exchange endpoint without an explicit call from the user either directly
+    // or through another Firebase library (storage, functions, etc.)
+    if (getState(app).isTokenAutoRefreshEnabled) {
+        // Adding a listener will start the refresher and fetch a token if needed.
+        // This gets a token ready and prevents a delay when an internal library
+        // requests the token.
+        // Listener function does not need to do anything, its base functionality
+        // of calling getToken() already fetches token and writes it to memory/storage.
+        addTokenListener(appCheck, "INTERNAL" /* INTERNAL */, () => { });
+    }
     return appCheck;
 }
 /**
@@ -1264,6 +1432,8 @@ function _activate(app, provider, isTokenAutoRefreshEnabled) {
     newState.cachedTokenPromise = readTokenFromStorage(app).then(cachedToken => {
         if (cachedToken && isValid(cachedToken)) {
             setState(app, Object.assign(Object.assign({}, getState(app)), { token: cachedToken }));
+            // notify all listeners with the cached token
+            notifyTokenListeners(app, { token: cachedToken.token });
         }
         return cachedToken;
     });