firebase-functions 3.15.5 → 3.17.0

package/lib/common/providers/https.js

@@ -21,12 +21,14 @@
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 // SOFTWARE.
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.onCallHandler = exports.decode = exports.encode = exports.HttpsError = void 0;
+exports.onDispatchHandler = exports.onCallHandler = exports.unsafeDecodeAppCheckToken = exports.unsafeDecodeIdToken = exports.decode = exports.encode = exports.HttpsError = void 0;
 const cors = require("cors");
 const logger = require("../../logger");
 // TODO(inlined): Decide whether we want to un-version apps or whether we want a
 // different strategy
 const apps_1 = require("../../apps");
+const debug_1 = require("../../common/debug");
+const JWT_REGEX = /^[a-zA-Z0-9\-_=]+?\.[a-zA-Z0-9\-_=]+?\.([a-zA-Z0-9\-_=]+)?$/;
 /**
  * Standard error codes and HTTP statuses for different ways a request can fail,
  * as defined by:
@@ -148,7 +150,7 @@ function encode(data) {
     if (Array.isArray(data)) {
         return data.map(encode);
     }
-    if (typeof data === 'object') {
+    if (typeof data === 'object' || typeof data === 'function') {
         // Sadly we don't have Object.fromEntries in Node 10, so we can't use a single
         // list comprehension
         const obj = {};
@@ -206,6 +208,53 @@ function decode(data) {
     return data;
 }
 exports.decode = decode;
+function unsafeDecodeToken(token) {
+    if (!JWT_REGEX.test(token)) {
+        return {};
+    }
+    const components = token
+        .split('.')
+        .map((s) => Buffer.from(s, 'base64').toString());
+    let payload = components[1];
+    if (typeof payload === 'string') {
+        try {
+            const obj = JSON.parse(payload);
+            if (typeof obj === 'object') {
+                payload = obj;
+            }
+        }
+        catch (e) { }
+    }
+    return payload;
+}
+/**
+ * Decode, but not verify, a Auth ID token.
+ *
+ * Do not use in production. Token should always be verified using the Admin SDK.
+ *
+ * This is exposed only for testing.
+ */
+/** @internal */
+function unsafeDecodeIdToken(token) {
+    const decoded = unsafeDecodeToken(token);
+    decoded.uid = decoded.sub;
+    return decoded;
+}
+exports.unsafeDecodeIdToken = unsafeDecodeIdToken;
+/**
+ * Decode, but not verify, an App Check token.
+ *
+ * Do not use in production. Token should always be verified using the Admin SDK.
+ *
+ * This is exposed only for testing.
+ */
+/** @internal */
+function unsafeDecodeAppCheckToken(token) {
+    const decoded = unsafeDecodeToken(token);
+    decoded.app_id = decoded.sub;
+    return decoded;
+}
+exports.unsafeDecodeAppCheckToken = unsafeDecodeAppCheckToken;
 /**
  * Check and verify tokens included in the requests. Once verified, tokens
  * are injected into the callable context.
@@ -214,53 +263,20 @@ exports.decode = decode;
  * @param {CallableContext} ctx - Context to be sent to callable function handler.
  * @return {CallableTokenStatus} Status of the token verifications.
  */
-/** @hidden */
+/** @internal */
 async function checkTokens(req, ctx) {
     const verifications = {
-        app: 'MISSING',
-        auth: 'MISSING',
+        app: 'INVALID',
+        auth: 'INVALID',
     };
-    const appCheck = req.header('X-Firebase-AppCheck');
-    if (appCheck) {
-        verifications.app = 'INVALID';
-        try {
-            if (!(0, apps_1.apps)().admin.appCheck) {
-                throw new Error('Cannot validate AppCheck token. Please update Firebase Admin SDK to >= v9.8.0');
-            }
-            const appCheckToken = await (0, apps_1.apps)()
-                .admin.appCheck()
-                .verifyToken(appCheck);
-            ctx.app = {
-                appId: appCheckToken.appId,
-                token: appCheckToken.token,
-            };
-            verifications.app = 'VALID';
-        }
-        catch (err) {
-            logger.warn('Failed to validate AppCheck token.', err);
-        }
-    }
-    const authorization = req.header('Authorization');
-    if (authorization) {
-        verifications.auth = 'INVALID';
-        const match = authorization.match(/^Bearer (.*)$/);
-        if (match) {
-            const idToken = match[1];
-            try {
-                const authToken = await (0, apps_1.apps)()
-                    .admin.auth()
-                    .verifyIdToken(idToken);
-                verifications.auth = 'VALID';
-                ctx.auth = {
-                    uid: authToken.uid,
-                    token: authToken,
-                };
-            }
-            catch (err) {
-                logger.warn('Failed to validate auth token.', err);
-            }
-        }
-    }
+    await Promise.all([
+        Promise.resolve().then(async () => {
+            verifications.auth = await checkAuthToken(req, ctx);
+        }),
+        Promise.resolve().then(async () => {
+            verifications.app = await checkAppCheckToken(req, ctx);
+        }),
+    ]);
     const logPayload = {
         verifications,
         'logging.googleapis.com/labels': {
@@ -282,13 +298,72 @@ async function checkTokens(req, ctx) {
     }
     return verifications;
 }
-/** @hidden */
+/** @interanl */
+async function checkAuthToken(req, ctx) {
+    const authorization = req.header('Authorization');
+    if (!authorization) {
+        return 'MISSING';
+    }
+    const match = authorization.match(/^Bearer (.*)$/);
+    if (match) {
+        const idToken = match[1];
+        try {
+            let authToken;
+            if ((0, debug_1.isDebugFeatureEnabled)('skipTokenVerification')) {
+                authToken = unsafeDecodeIdToken(idToken);
+            }
+            else {
+                authToken = await (0, apps_1.apps)()
+                    .admin.auth()
+                    .verifyIdToken(idToken);
+            }
+            ctx.auth = {
+                uid: authToken.uid,
+                token: authToken,
+            };
+            return 'VALID';
+        }
+        catch (err) {
+            logger.warn('Failed to validate auth token.', err);
+            return 'INVALID';
+        }
+    }
+}
+/** @internal */
+async function checkAppCheckToken(req, ctx) {
+    const appCheck = req.header('X-Firebase-AppCheck');
+    if (!appCheck) {
+        return 'MISSING';
+    }
+    try {
+        if (!(0, apps_1.apps)().admin.appCheck) {
+            throw new Error('Cannot validate AppCheck token. Please update Firebase Admin SDK to >= v9.8.0');
+        }
+        let appCheckData;
+        if ((0, debug_1.isDebugFeatureEnabled)('skipTokenVerification')) {
+            const decodedToken = unsafeDecodeAppCheckToken(appCheck);
+            appCheckData = { appId: decodedToken.app_id, token: decodedToken };
+        }
+        else {
+            appCheckData = await (0, apps_1.apps)()
+                .admin.appCheck()
+                .verifyToken(appCheck);
+        }
+        ctx.app = appCheckData;
+        return 'VALID';
+    }
+    catch (err) {
+        logger.warn('Failed to validate AppCheck token.', err);
+        return 'INVALID';
+    }
+}
+/** @internal */
 function onCallHandler(options, handler) {
-    const wrapped = wrapOnCallHandler(handler);
+    const wrapped = wrapOnCallHandler(options, handler);
     return (req, res) => {
         return new Promise((resolve) => {
             res.on('finish', resolve);
-            cors(options)(req, res, () => {
+            cors(options.cors)(req, res, () => {
                 resolve(wrapped(req, res));
             });
         });
@@ -296,7 +371,7 @@ function onCallHandler(options, handler) {
 }
 exports.onCallHandler = onCallHandler;
 /** @internal */
-function wrapOnCallHandler(handler) {
+function wrapOnCallHandler(options, handler) {
     return async (req, res) => {
         try {
             if (!isValidRequest(req)) {
@@ -305,7 +380,10 @@ function wrapOnCallHandler(handler) {
             }
             const context = { rawRequest: req };
             const tokenStatus = await checkTokens(req, context);
-            if (tokenStatus.app === 'INVALID' || tokenStatus.auth === 'INVALID') {
+            if (tokenStatus.auth === 'INVALID') {
+                throw new HttpsError('unauthenticated', 'Unauthenticated');
+            }
+            if (tokenStatus.app === 'INVALID' && !options.allowInvalidAppCheckToken) {
                 throw new HttpsError('unauthenticated', 'Unauthenticated');
             }
             const instanceId = req.header('Firebase-Instance-ID-Token');
@@ -348,3 +426,45 @@ function wrapOnCallHandler(handler) {
         }
     };
 }
+/** @internal */
+function onDispatchHandler(handler) {
+    return async (req, res) => {
+        try {
+            if (!isValidRequest(req)) {
+                logger.error('Invalid request, unable to process.');
+                throw new HttpsError('invalid-argument', 'Bad Request');
+            }
+            const context = {};
+            const status = await checkAuthToken(req, context);
+            // Note: this should never happen since task queue functions are guarded by IAM.
+            if (status === 'INVALID') {
+                throw new HttpsError('unauthenticated', 'Unauthenticated');
+            }
+            const data = decode(req.body.data);
+            if (handler.length === 2) {
+                await handler(data, context);
+            }
+            else {
+                const arg = {
+                    ...context,
+                    data,
+                };
+                // For some reason the type system isn't picking up that the handler
+                // is a one argument function.
+                await handler(arg);
+            }
+            res.status(204).end();
+        }
+        catch (err) {
+            if (!(err instanceof HttpsError)) {
+                // This doesn't count as an 'explicit' error.
+                logger.error('Unhandled error', err);
+                err = new HttpsError('internal', 'INTERNAL');
+            }
+            const { status } = err.httpErrorCode;
+            const body = { error: err.toJSON() };
+            res.status(status).send(body);
+        }
+    };
+}
+exports.onDispatchHandler = onDispatchHandler;

package/lib/common/providers/identity.d.ts

@@ -0,0 +1,29 @@
+import * as firebase from 'firebase-admin';
+/**
+ * The UserRecord passed to Cloud Functions is the same UserRecord that is returned by the Firebase Admin
+ * SDK.
+ */
+export declare type UserRecord = firebase.auth.UserRecord;
+/**
+ * UserInfo that is part of the UserRecord
+ */
+export declare type UserInfo = firebase.auth.UserInfo;
+/**
+ * Helper class to create the user metadata in a UserRecord object
+ */
+export declare class UserRecordMetadata implements firebase.auth.UserMetadata {
+    creationTime: string;
+    lastSignInTime: string;
+    constructor(creationTime: string, lastSignInTime: string);
+    /** Returns a plain JavaScript object with the properties of UserRecordMetadata. */
+    toJSON(): {
+        creationTime: string;
+        lastSignInTime: string;
+    };
+}
+/**
+ * Helper function that creates a UserRecord Class from data sent over the wire.
+ * @param wireData data sent over the wire
+ * @returns an instance of UserRecord with correct toJSON functions
+ */
+export declare function userRecordConstructor(wireData: Object): UserRecord;

package/lib/common/providers/identity.js

@@ -0,0 +1,96 @@
+"use strict";
+// The MIT License (MIT)
+//
+// Copyright (c) 2022 Firebase
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.userRecordConstructor = exports.UserRecordMetadata = void 0;
+const _ = require("lodash");
+/**
+ * Helper class to create the user metadata in a UserRecord object
+ */
+class UserRecordMetadata {
+    constructor(creationTime, lastSignInTime) {
+        this.creationTime = creationTime;
+        this.lastSignInTime = lastSignInTime;
+    }
+    /** Returns a plain JavaScript object with the properties of UserRecordMetadata. */
+    toJSON() {
+        return {
+            creationTime: this.creationTime,
+            lastSignInTime: this.lastSignInTime,
+        };
+    }
+}
+exports.UserRecordMetadata = UserRecordMetadata;
+/**
+ * Helper function that creates a UserRecord Class from data sent over the wire.
+ * @param wireData data sent over the wire
+ * @returns an instance of UserRecord with correct toJSON functions
+ */
+function userRecordConstructor(wireData) {
+    // Falsey values from the wire format proto get lost when converted to JSON, this adds them back.
+    const falseyValues = {
+        email: null,
+        emailVerified: false,
+        displayName: null,
+        photoURL: null,
+        phoneNumber: null,
+        disabled: false,
+        providerData: [],
+        customClaims: {},
+        passwordSalt: null,
+        passwordHash: null,
+        tokensValidAfterTime: null,
+    };
+    const record = _.assign({}, falseyValues, wireData);
+    const meta = _.get(record, 'metadata');
+    if (meta) {
+        _.set(record, 'metadata', new UserRecordMetadata(meta.createdAt || meta.creationTime, meta.lastSignedInAt || meta.lastSignInTime));
+    }
+    else {
+        _.set(record, 'metadata', new UserRecordMetadata(null, null));
+    }
+    _.forEach(record.providerData, (entry) => {
+        _.set(entry, 'toJSON', () => {
+            return entry;
+        });
+    });
+    _.set(record, 'toJSON', () => {
+        const json = _.pick(record, [
+            'uid',
+            'email',
+            'emailVerified',
+            'displayName',
+            'photoURL',
+            'phoneNumber',
+            'disabled',
+            'passwordHash',
+            'passwordSalt',
+            'tokensValidAfterTime',
+        ]);
+        json.metadata = _.get(record, 'metadata').toJSON();
+        json.customClaims = _.cloneDeep(record.customClaims);
+        json.providerData = _.map(record.providerData, (entry) => entry.toJSON());
+        return json;
+    });
+    return record;
+}
+exports.userRecordConstructor = userRecordConstructor;

package/lib/function-builder.d.ts

@@ -77,7 +77,13 @@ export declare class FunctionBuilder {
          * Declares a callable method for clients to call using a Firebase SDK.
          * @param handler A method that takes a data and context and returns a value.
          */
-        onCall: (handler: (data: any, context: https.CallableContext) => any | Promise<any>) => import("./cloud-functions").TriggerAnnotated & ((req: express.Request<import("express-serve-static-core").ParamsDictionary>, resp: express.Response<any>) => void | Promise<void>) & import("./cloud-functions").Runnable<any>;
+        onCall: (handler: (data: any, context: https.CallableContext) => any | Promise<any>) => import("./cloud-functions").TriggerAnnotated & import("./cloud-functions").EndpointAnnotated & ((req: express.Request<import("express-serve-static-core").ParamsDictionary>, resp: express.Response<any>) => void | Promise<void>) & import("./cloud-functions").Runnable<any>;
+        /**
+         * Declares a task queue function for clients to call using a Firebase Admin SDK.
+         * @param options Configurations for the task queue function.
+         */
+        /** @hidden */
+        taskQueue: (options?: https.TaskQueueOptions) => https.TaskQueueBuilder;
     };
     get database(): {
         /**

package/lib/function-builder.js

@@ -231,6 +231,14 @@ class FunctionBuilder {
              * @param handler A method that takes a data and context and returns a value.
              */
             onCall: (handler) => https._onCallWithOptions(handler, this.options),
+            /**
+             * Declares a task queue function for clients to call using a Firebase Admin SDK.
+             * @param options Configurations for the task queue function.
+             */
+            /** @hidden */
+            taskQueue: (options) => {
+                return new https.TaskQueueBuilder(options, this.options);
+            },
         };
     }
     get database() {

package/lib/function-configuration.d.ts

@@ -98,6 +98,7 @@ export interface RuntimeOptions {
      * Invoker to set access control on https functions.
      */
     invoker?: 'public' | 'private' | string | string[];
+    allowInvalidAppCheckToken?: boolean;
 }
 export interface DeploymentOptions extends RuntimeOptions {
     regions?: Array<typeof SUPPORTED_REGIONS[number] | string>;

package/lib/handler-builder.d.ts

@@ -22,7 +22,7 @@ export declare class HandlerBuilder {
     constructor();
     /**
      * Create a handler for HTTPS events.
-    
+  
      * `onRequest` handles an HTTPS request and has the same signature as an Express app.
      *
      * @example
@@ -40,6 +40,10 @@ export declare class HandlerBuilder {
     get https(): {
         onRequest: (handler: (req: express.Request, resp: express.Response) => void) => HttpsFunction;
         onCall: (handler: (data: any, context: https.CallableContext) => any | Promise<any>) => HttpsFunction;
+        /** @hidden */
+        readonly taskQueue: {
+            onEnqueue(handler: (data: any, context: https.TaskContext) => void | Promise<void>): https.TaskQueueFunction;
+        };
     };
     /**
      * Create a handler for Firebase Realtime Database events.
@@ -57,7 +61,7 @@ export declare class HandlerBuilder {
      * ```javascript
      * exports.myFunction = functions.handler.database.ref.onUpdate((change, context) => { ... })
      * ```
-    
+  
      * `ref.onDelete` handles the deletion of existing data.
      *
      * @example
@@ -88,14 +92,14 @@ export declare class HandlerBuilder {
      * ```javascript
      * exports.myFunction = functions.handler.firestore.document.onCreate((snap, context) => { ... })
      * ```
-     
+  
      * `document.onUpdate` handles updates to existing documents.
      *
      * @example
      * ```javascript
      * exports.myFunction = functions.handler.firestore.document.onUpdate((change, context) => { ... })
      * ```
-     
+  
      * `document.onDelete` handles the deletion of existing documents.
      *
      * @example
@@ -103,7 +107,7 @@ export declare class HandlerBuilder {
      * exports.myFunction = functions.handler.firestore.document.onDelete((snap, context) =>
      * { ... })
      * ```
-     
+  
      * `document.onWrite` handles the creation, update, or deletion of documents.
      *
      * @example
@@ -123,7 +127,7 @@ export declare class HandlerBuilder {
      * Create a handler for Firebase Remote Config events.
   
      * `remoteConfig.onUpdate` handles events that update a Remote Config template.
-   
+  
      * @example
      * ```javascript
      * exports.myFunction = functions.handler.remoteConfig.onUpdate() => { ... })
@@ -134,9 +138,9 @@ export declare class HandlerBuilder {
     };
     /**
      * Create a handler for Google Analytics events.
-     
+  
      * `event.onLog` handles the logging of Analytics conversion events.
-   
+  
      * @example
      * ```javascript
      * exports.myFunction = functions.handler.analytics.event.onLog((event) => { ... })
@@ -154,14 +158,14 @@ export declare class HandlerBuilder {
      * ```javascript
      * exports.myFunction = functions.handler.storage.object.onArchive((object) => { ... })
      * ```
-     
+  
      * `object.onDelete` handles the deletion of Storage objects.
      *
      * @example
      * ```javascript
      * exports.myFunction = functions.handler.storage.object.onDelete((object) => { ... })
      * ```
-     
+  
      * `object.onFinalize` handles the creation of Storage objects.
      *
      * @example
@@ -169,7 +173,7 @@ export declare class HandlerBuilder {
      * exports.myFunction = functions.handler.storage.object.onFinalize((object) =>
      * { ... })
      * ```
-     
+  
      * `object.onMetadataUpdate` handles changes to the metadata of existing Storage objects.
      *
      * @example
@@ -191,7 +195,7 @@ export declare class HandlerBuilder {
      * ```javascript
      * exports.myFunction = functions.handler.pubsub.topic.onPublish((message) => { ... })
      * ```
-     
+  
      * `schedule.onPublish` handles messages published to a Pub/Sub topic on a schedule.
      *
      * @example
@@ -212,14 +216,14 @@ export declare class HandlerBuilder {
      * ```javascript
      * exports.myFunction = functions.handler.auth.user.onCreate((user) => { ... })
      * ```
-     
+  
      * `user.onDelete` handles the deletion of users.
      *
      * @example
      * ```javascript
      * exports.myFunction = functions.handler.auth.user.onDelete((user => { ... })
      * ```
-     
+  
      */
     get auth(): {
         readonly user: auth.UserBuilder;
@@ -228,7 +232,7 @@ export declare class HandlerBuilder {
      * Create a handler for Firebase Test Lab events.
   
      * `testMatrix.onComplete` handles the completion of a test matrix.
-   
+  
      * @example
      * ```javascript
      * exports.myFunction = functions.handler.testLab.testMatrix.onComplete((testMatrix) => { ... })