firebase-functions 4.3.1 → 4.4.1

package/lib/common/providers/database.js

@@ -136,7 +136,7 @@ class DataSnapshot {
      */
     exists() {
         const val = this.val();
-        if (!val || val === null) {
+        if (typeof val === "undefined" || val === null) {
             return false;
         }
         if (typeof val === "object" && Object.keys(val).length === 0) {

package/lib/common/providers/https.d.ts

@@ -12,8 +12,25 @@ export interface Request extends express.Request {
  * The interface for AppCheck tokens verified in Callable functions
  */
 export interface AppCheckData {
+    /**
+     * The app ID of a Firebase App attested by the App Check token.
+     */
     appId: string;
+    /**
+     * Decoded App Check token.
+     */
     token: DecodedAppCheckToken;
+    /**
+     * Indicates if the token has been consumed.
+     *
+     * @remarks
+     * `false` value indicates that this is the first time the App Check service has seen this token and marked the
+     * token as consumed for future use of the token.
+     *
+     * `true` value indicates the token has previously been marked as consumed by the App Check service. In this case,
+     *  consider taking extra precautions, such as rejecting the request or requiring additional security checks.
+     */
+    alreadyConsumed?: boolean;
 }
 /**
  * The interface for Auth tokens verified in Callable functions

package/lib/common/providers/https.js

@@ -276,7 +276,7 @@ exports.unsafeDecodeAppCheckToken = unsafeDecodeAppCheckToken;
  * @returns {CallableTokenStatus} Status of the token verifications.
  */
 /** @internal */
-async function checkTokens(req, ctx) {
+async function checkTokens(req, ctx, options) {
     const verifications = {
         app: "INVALID",
         auth: "INVALID",
@@ -286,7 +286,7 @@ async function checkTokens(req, ctx) {
             verifications.auth = await checkAuthToken(req, ctx);
         }),
         Promise.resolve().then(async () => {
-            verifications.app = await checkAppCheckToken(req, ctx);
+            verifications.app = await checkAppCheckToken(req, ctx, options);
         }),
     ]);
     const logPayload = {
@@ -342,25 +342,45 @@ async function checkAuthToken(req, ctx) {
 }
 exports.checkAuthToken = checkAuthToken;
 /** @internal */
-async function checkAppCheckToken(req, ctx) {
-    const appCheck = req.header("X-Firebase-AppCheck");
-    if (!appCheck) {
+async function checkAppCheckToken(req, ctx, options) {
+    var _a;
+    const appCheckToken = req.header("X-Firebase-AppCheck");
+    if (!appCheckToken) {
         return "MISSING";
     }
     try {
         let appCheckData;
         if ((0, debug_1.isDebugFeatureEnabled)("skipTokenVerification")) {
-            const decodedToken = unsafeDecodeAppCheckToken(appCheck);
+            const decodedToken = unsafeDecodeAppCheckToken(appCheckToken);
             appCheckData = { appId: decodedToken.app_id, token: decodedToken };
+            if (options.consumeAppCheckToken) {
+                appCheckData.alreadyConsumed = false;
+            }
         }
         else {
-            appCheckData = await (0, app_check_1.getAppCheck)((0, app_1.getApp)()).verifyToken(appCheck);
+            const appCheck = (0, app_check_1.getAppCheck)((0, app_1.getApp)());
+            if (options.consumeAppCheckToken) {
+                if (((_a = appCheck.verifyToken) === null || _a === void 0 ? void 0 : _a.length) === 1) {
+                    const errorMsg = "Unsupported version of the Admin SDK." +
+                        " App Check token will not be consumed." +
+                        " Please upgrade the firebase-admin to the latest version.";
+                    logger.error(errorMsg);
+                    throw new HttpsError("internal", "Internal Error");
+                }
+                appCheckData = await (0, app_check_1.getAppCheck)((0, app_1.getApp)()).verifyToken(appCheckToken, { consume: true });
+            }
+            else {
+                appCheckData = await (0, app_check_1.getAppCheck)((0, app_1.getApp)()).verifyToken(appCheckToken);
+            }
         }
         ctx.app = appCheckData;
         return "VALID";
     }
     catch (err) {
         logger.warn("Failed to validate AppCheck token.", err);
+        if (err instanceof HttpsError) {
+            throw err;
+        }
         return "INVALID";
     }
 }
@@ -409,7 +429,7 @@ function wrapOnCallHandler(options, handler) {
                     delete context.rawRequest.headers[exports.ORIGINAL_AUTH_HEADER];
                 }
             }
-            const tokenStatus = await checkTokens(req, context);
+            const tokenStatus = await checkTokens(req, context, options);
             if (tokenStatus.auth === "INVALID") {
                 throw new HttpsError("unauthenticated", "Unauthenticated");
             }

package/lib/logger/index.js

@@ -129,12 +129,15 @@ function entryFromArgs(severity, args) {
     if (severity === "ERROR" && !args.find((arg) => arg instanceof Error)) {
         message = new Error(message).stack || message;
     }
-    return {
+    const out = {
         "logging.googleapis.com/trace": (ctx === null || ctx === void 0 ? void 0 : ctx.traceId)
             ? `projects/${process.env.GCLOUD_PROJECT}/traces/${ctx.traceId}`
             : undefined,
         ...entry,
         severity,
-        message,
     };
+    if (message) {
+        out.message = message;
+    }
+    return out;
 }

package/lib/v1/function-configuration.d.ts

@@ -172,6 +172,29 @@ export interface RuntimeOptions {
      * When false, requests with invalid tokens set context.app to undefiend.
      */
     enforceAppCheck?: boolean;
+    /**
+     * Determines whether Firebase App Check token is consumed on request. Defaults to false.
+     *
+     * @remarks
+     * Set this to true to enable the App Check replay protection feature by consuming the App Check token on callable
+     * request. Tokens that are found to be already consumed will have request.app.alreadyConsumed property set true.
+     *
+     *
+     * Tokens are only considered to be consumed if it is sent to the App Check service by setting this option to true.
+     * Other uses of the token do not consume it.
+     *
+     * This replay protection feature requires an additional network call to the App Check backend and forces the clients
+     * to obtain a fresh attestation from the chosen attestation providers. This can therefore negatively impact
+     * performance and can potentially deplete your attestation providers' quotas faster. Use this feature only for
+     * protecting low volume, security critical, or expensive operations.
+     *
+     * This option does not affect the enforceAppCheck option. Setting the latter to true will cause the callable function
+     * to automatically respond with a 401 Unauthorized status code when request includes an invalid App Check token.
+     * When request includes valid but consumed App Check tokens, requests will not be automatically rejected. Instead,
+     * the request.app.alreadyConsumed property will be set to true and pass the execution to the handler code for making
+     * further decisions, such as requiring additional security checks or rejecting the request.
+     */
+    consumeAppCheckToken?: boolean;
     /**
      * Controls whether function configuration modified outside of function source is preserved. Defaults to false.
      *

package/lib/v1/providers/https.js

@@ -74,6 +74,7 @@ function _onCallWithOptions(handler, options) {
     const fixedLen = (data, context) => handler(data, context);
     const func = (0, https_1.onCallHandler)({
         enforceAppCheck: options.enforceAppCheck,
+        consumeAppCheckToken: options.consumeAppCheckToken,
         cors: { origin: true, methods: "POST" },
     }, fixedLen);
     func.__trigger = {

package/lib/v2/options.d.ts

@@ -5,7 +5,7 @@ export { RESET_VALUE } from "../common/options";
 /**
  * List of all regions supported by Cloud Functions v2
  */
-export type SupportedRegion = "asia-northeast1" | "europe-north1" | "europe-west1" | "europe-west4" | "us-central1" | "us-east1" | "us-west1";
+export type SupportedRegion = "asia-east1" | "asia-northeast1" | "asia-northeast2" | "europe-north1" | "europe-west1" | "europe-west4" | "us-central1" | "us-east1" | "us-east4" | "us-west1" | "asia-east2" | "asia-northeast3" | "asia-southeast1" | "asia-southeast2" | "asia-south1" | "australia-southeast1" | "europe-central2" | "europe-west2" | "europe-west3" | "europe-west6" | "northamerica-northeast1" | "southamerica-east1" | "us-west2" | "us-west3" | "us-west4";
 /**
  * List of available memory options supported by Cloud Functions.
  */
@@ -111,7 +111,7 @@ export interface GlobalOptions {
      * @remarks
      * When true, requests with invalid tokens autorespond with a 401
      * (Unauthorized) error.
-     * When false, requests with invalid tokens set event.app to undefiend.
+     * When false, requests with invalid tokens set event.app to undefined.
      */
     enforceAppCheck?: boolean;
     /**

package/lib/v2/providers/alerts/alerts.d.ts

@@ -31,7 +31,7 @@ export interface AlertEvent<T> extends CloudEvent<FirebaseAlertData<T>> {
     data: FirebaseAlertData<T>;
 }
 /** The underlying alert type of the Firebase Alerts provider. */
-export type AlertType = "crashlytics.newFatalIssue" | "crashlytics.newNonfatalIssue" | "crashlytics.regression" | "crashlytics.stabilityDigest" | "crashlytics.velocity" | "crashlytics.newAnrIssue" | "billing.planUpdate" | "billing.automatedPlanUpdate" | "appDistribution.newTesterIosDevice" | "appDistribution.inAppFeedback" | "performance.threshold" | string;
+export type AlertType = "crashlytics.newFatalIssue" | "crashlytics.newNonfatalIssue" | "crashlytics.regression" | "crashlytics.stabilityDigest" | "crashlytics.velocity" | "crashlytics.newAnrIssue" | "billing.planUpdate" | "billing.planAutomatedUpdate" | "appDistribution.newTesterIosDevice" | "appDistribution.inAppFeedback" | "performance.threshold" | string;
 /**
  * Configuration for Firebase Alert functions.
  */

package/lib/v2/providers/https.d.ts

@@ -109,6 +109,29 @@ export interface CallableOptions extends HttpsOptions {
      * When false, requests with invalid tokens set event.app to undefiend.
      */
     enforceAppCheck?: boolean;
+    /**
+     * Determines whether Firebase App Check token is consumed on request. Defaults to false.
+     *
+     * @remarks
+     * Set this to true to enable the App Check replay protection feature by consuming the App Check token on callable
+     * request. Tokens that are found to be already consumed will have request.app.alreadyConsumed property set true.
+     *
+     *
+     * Tokens are only considered to be consumed if it is sent to the App Check service by setting this option to true.
+     * Other uses of the token do not consume it.
+     *
+     * This replay protection feature requires an additional network call to the App Check backend and forces the clients
+     * to obtain a fresh attestation from the chosen attestation providers. This can therefore negatively impact
+     * performance and can potentially deplete your attestation providers' quotas faster. Use this feature only for
+     * protecting low volume, security critical, or expensive operations.
+     *
+     * This option does not affect the enforceAppCheck option. Setting the latter to true will cause the callable function
+     * to automatically respond with a 401 Unauthorized status code when request includes an invalid App Check token.
+     * When request includes valid but consumed App Check tokens, requests will not be automatically rejected. Instead,
+     * the request.app.alreadyConsumed property will be set to true and pass the execution to the handler code for making
+     * further decisions, such as requiring additional security checks or rejecting the request.
+     */
+    consumeAppCheckToken?: boolean;
 }
 /**
  * Handles HTTPS requests.

package/lib/v2/providers/https.js

@@ -119,6 +119,7 @@ function onCall(optsOrHandler, handler) {
     const func = (0, https_1.onCallHandler)({
         cors: { origin, methods: "POST" },
         enforceAppCheck: (_a = opts.enforceAppCheck) !== null && _a !== void 0 ? _a : options.getGlobalOptions().enforceAppCheck,
+        consumeAppCheckToken: opts.consumeAppCheckToken,
     }, fixedLen);
     Object.defineProperty(func, "__trigger", {
         get: () => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "firebase-functions",
-  "version": "4.3.1",
+  "version": "4.4.1",
   "description": "Firebase SDK for Cloud Functions",
   "keywords": [
     "firebase",
@@ -225,7 +225,7 @@
     "eslint-config-prettier": "^8.3.0",
     "eslint-plugin-jsdoc": "^39.2.9",
     "eslint-plugin-prettier": "^4.0.0",
-    "firebase-admin": "^10.3.0",
+    "firebase-admin": "^11.8.0",
     "js-yaml": "^3.13.1",
     "jsdom": "^16.2.1",
     "jsonwebtoken": "^9.0.0",