Move to enforceAppCheck option (#1145)

inlined · web-flow · commit 0b47d40c351f · 2022-06-24T16:45:10.000-07:00
diff --git a/spec/common/providers/https.spec.ts b/spec/common/providers/https.spec.ts
@@ -370,6 +370,10 @@ describe('onCallHandler', () => {
     const appCheckToken = generateUnsignedAppCheckToken(projectId, appId);
     await runCallableTest({
       httpRequest: mockRequest(null, 'application/json', { appCheckToken }),
+      callableOption: {
+        cors: { origin: true, methods: 'POST' },
+        enforceAppCheck: true,
+      },
       expectedData: null,
       callableFunction: (data, context) => {
         return;
@@ -390,7 +394,7 @@ describe('onCallHandler', () => {
     });
   });
 
-  it('should handle bad AppCheck token with callable option', async () => {
+  it('should handle bad AppCheck token with enforcement disabled', async () => {
     await runCallableTest({
       httpRequest: mockRequest(null, 'application/json', {
         appCheckToken: 'FAKE',
@@ -404,7 +408,7 @@ describe('onCallHandler', () => {
       },
       callableOption: {
         cors: { origin: true, methods: 'POST' },
-        allowInvalidAppCheckToken: true,
+        enforceAppCheck: false,
       },
       expectedHttpResponse: {
         status: 200,
@@ -414,6 +418,64 @@ describe('onCallHandler', () => {
     });
   });
 
+  it('should handle bad AppCheck token with enforcement enabled', async () => {
+    await runCallableTest({
+      httpRequest: mockRequest(null, 'application/json', {
+        appCheckToken: 'FAKE',
+      }),
+      expectedData: null,
+      callableFunction: (data, context) => {
+        return;
+      },
+      callableFunction2: (request) => {
+        return;
+      },
+      callableOption: {
+        cors: { origin: true, methods: 'POST' },
+        enforceAppCheck: true,
+      },
+      expectedHttpResponse: {
+        status: 401,
+        headers: expectedResponseHeaders,
+        body: {
+          error: {
+            message: 'Unauthenticated',
+            status: 'UNAUTHENTICATED',
+          },
+        },
+      },
+    });
+  });
+
+  it('should handle no AppCheck token with enforcement enabled', async () => {
+    await runCallableTest({
+      httpRequest: mockRequest(null, 'application/json', {
+        appCheckToken: 'MISSING',
+      }),
+      expectedData: null,
+      callableFunction: (data, context) => {
+        return;
+      },
+      callableFunction2: (request) => {
+        return;
+      },
+      callableOption: {
+        cors: { origin: true, methods: 'POST' },
+        enforceAppCheck: true,
+      },
+      expectedHttpResponse: {
+        status: 401,
+        headers: expectedResponseHeaders,
+        body: {
+          error: {
+            message: 'Unauthenticated',
+            status: 'UNAUTHENTICATED',
+          },
+        },
+      },
+    });
+  });
+
   it('should handle instance id', async () => {
     await runCallableTest({
       httpRequest: mockRequest(null, 'application/json', {
diff --git a/src/common/providers/https.ts b/src/common/providers/https.ts
@@ -643,7 +643,7 @@ type v2CallableHandler<Req, Res> = (request: CallableRequest<Req>) => Res;
 /** @internal **/
 export interface CallableOptions {
   cors: cors.CorsOptions;
-  allowInvalidAppCheckToken?: boolean;
+  enforceAppCheck?: boolean;
 }
 
 /** @internal */
@@ -679,7 +679,16 @@ function wrapOnCallHandler<Req = any, Res = any>(
       if (tokenStatus.auth === 'INVALID') {
         throw new HttpsError('unauthenticated', 'Unauthenticated');
       }
-      if (tokenStatus.app === 'INVALID' && !options.allowInvalidAppCheckToken) {
+      if (tokenStatus.app === 'INVALID') {
+        if (options.enforceAppCheck) {
+          throw new HttpsError('unauthenticated', 'Unauthenticated');
+        } else {
+          logger.warn(
+            'Allowing request with invalid AppCheck token because enforcement is disabled'
+          );
+        }
+      }
+      if (tokenStatus.app === 'MISSING' && options.enforceAppCheck) {
         throw new HttpsError('unauthenticated', 'Unauthenticated');
       }
 
diff --git a/src/function-builder.ts b/src/function-builder.ts
@@ -242,6 +242,13 @@ function assertRuntimeOptionsValid(runtimeOptions: RuntimeOptions): boolean {
     }
   }
 
+  if ('allowInvalidAppCheckToken' in runtimeOptions) {
+    throw new Error(
+      'runWith option "allowInvalidAppCheckToken" has been inverted and ' +
+        'renamed "enforceAppCheck"'
+    );
+  }
+
   return true;
 }
 
diff --git a/src/function-configuration.ts b/src/function-configuration.ts
@@ -161,15 +161,18 @@ export interface RuntimeOptions {
    */
   invoker?: 'public' | 'private' | string | string[];
 
-  /*
-   * Allow requests with invalid App Check tokens on callable functions.
-   */
-  allowInvalidAppCheckToken?: boolean;
-
   /*
    * Secrets to bind to a function instance.
    */
   secrets?: string[];
+
+  /**
+   * Determines whether Firebase AppCheck is enforced.
+   * When true, requests with invalid tokens autorespond with a 401
+   * (Unauthorized) error.
+   * When false, requests with invalid tokens set context.app to undefiend.
+   */
+  enforceAppCheck?: boolean;
 }
 
 export interface DeploymentOptions extends RuntimeOptions {
diff --git a/src/providers/https.ts b/src/providers/https.ts
@@ -110,7 +110,7 @@ export function _onCallWithOptions(
     handler(data, context);
   const func: any = onCallHandler(
     {
-      allowInvalidAppCheckToken: options.allowInvalidAppCheckToken,
+      enforceAppCheck: options.enforceAppCheck,
       cors: { origin: true, methods: 'POST' },
     },
     fixedLen
diff --git a/src/v2/options.ts b/src/v2/options.ts
@@ -189,6 +189,14 @@ export interface GlobalOptions {
    * Secrets to bind to a function.
    */
   secrets?: string[];
+
+  /**
+   * Determines whether Firebase AppCheck is enforced.
+   * When true, requests with invalid tokens autorespond with a 401
+   * (Unauthorized) error.
+   * When false, requests with invalid tokens set event.app to undefiend.
+   */
+  enforceAppCheck?: boolean;
 }
 
 let globalOptions: GlobalOptions | undefined;
@@ -216,7 +224,8 @@ export function getGlobalOptions(): GlobalOptions {
 /**
  * Additional fields that can be set on any event-handling Cloud Function.
  */
-export interface EventHandlerOptions extends GlobalOptions {
+export interface EventHandlerOptions
+  extends Omit<GlobalOptions, 'enforceAppCheck'> {
   /** Whether failed executions should be delivered again. */
   retry?: boolean;
 }
diff --git a/src/v2/providers/https.ts b/src/v2/providers/https.ts
@@ -44,7 +44,7 @@ import { GlobalOptions, SupportedRegion } from '../options';
 export { Request, CallableRequest, FunctionsErrorCode, HttpsError };
 
 /**
- * Options that can be set on an individual HTTPS function.
+ * Options that can be set on an onRequest HTTPS function.
  */
 export interface HttpsOptions extends Omit<GlobalOptions, 'region'> {
   /** HTTP functions can override global options and can specify multiple regions to deploy to. */
@@ -150,6 +150,19 @@ export interface HttpsOptions extends Omit<GlobalOptions, 'region'> {
   retry?: boolean;
 }
 
+/**
+ * Options that can be set on a callable HTTPS function.
+ */
+export interface CallableOptions extends HttpsOptions {
+  /**
+   * Determines whether Firebase AppCheck is enforced.
+   * When true, requests with invalid tokens autorespond with a 401
+   * (Unauthorized) error.
+   * When false, requests with invalid tokens set event.app to undefiend.
+   */
+  enforceAppCheck?: boolean;
+}
+
 /**
  * Handles HTTPS requests.
  */
@@ -298,7 +311,7 @@ export function onRequest(
  * @returns A function that you can export and deploy.
  */
 export function onCall<T = any, Return = any | Promise<any>>(
-  opts: HttpsOptions,
+  opts: CallableOptions,
   handler: (request: CallableRequest<T>) => Return
 ): CallableFunction<T, Return>;
 /**
@@ -310,15 +323,15 @@ export function onCall<T = any, Return = any | Promise<any>>(
   handler: (request: CallableRequest<T>) => Return
 ): CallableFunction<T, Return>;
 export function onCall<T = any, Return = any | Promise<any>>(
-  optsOrHandler: HttpsOptions | ((request: CallableRequest<T>) => Return),
+  optsOrHandler: CallableOptions | ((request: CallableRequest<T>) => Return),
   handler?: (request: CallableRequest<T>) => Return
 ): CallableFunction<T, Return> {
-  let opts: HttpsOptions;
+  let opts: CallableOptions;
   if (arguments.length == 1) {
     opts = {};
     handler = optsOrHandler as (request: CallableRequest<T>) => Return;
   } else {
-    opts = optsOrHandler as HttpsOptions;
+    opts = optsOrHandler as CallableOptions;
   }
 
   const origin = isDebugFeatureEnabled('enableCors')
@@ -331,7 +344,11 @@ export function onCall<T = any, Return = any | Promise<any>>(
   // fix the length to prevent api versions from being mismatched.
   const fixedLen = (req: CallableRequest<T>) => handler(req);
   const func: any = onCallHandler(
-    { cors: { origin, methods: 'POST' } },
+    {
+      cors: { origin, methods: 'POST' },
+      enforceAppCheck:
+        opts.enforceAppCheck ?? options.getGlobalOptions().enforceAppCheck,
+    },
     fixedLen
   );
 

Original file line number	Diff line number	Diff line change
`@@ -242,6 +242,13 @@ function assertRuntimeOptionsValid(runtimeOptions: RuntimeOptions): boolean {`
`242`	`242`	`}`
`243`	`243`	`}`
`244`	`244`
	`245`	`+ if ('allowInvalidAppCheckToken' in runtimeOptions) {`
	`246`	`+ throw new Error(`
	`247`	`+ 'runWith option "allowInvalidAppCheckToken" has been inverted and ' +`
	`248`	`+ 'renamed "enforceAppCheck"'`
	`249`	`+ );`
	`250`	`+ }`
	`251`	`+`
`245`	`252`	`return true;`
`246`	`253`	`}`
`247`	`254`
Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,7 @@ export function _onCallWithOptions(`
`110`	`110`	`handler(data, context);`
`111`	`111`	`const func: any = onCallHandler(`
`112`	`112`	`{`
`113`		`- allowInvalidAppCheckToken: options.allowInvalidAppCheckToken,`
	`113`	`+ enforceAppCheck: options.enforceAppCheck,`
`114`	`114`	`cors: { origin: true, methods: 'POST' },`
`115`	`115`	`},`
`116`	`116`	`fixedLen`