Caching Public Keys for ID Token and Cookie Verification (#150)

* Re-organizing auth unit tests

* Moving _request to TokenVerifier class

* Updated tests

* Caching public certificates used to verify ID tokens and session cookies

Author: hiranya911

firebase_admin/_token_gen.py

@@ -17,6 +17,7 @@
 import datetime
 import time
 
+import cachecontrol
 import requests
 import six
 from google.auth import jwt
@@ -150,23 +151,24 @@ class TokenVerifier(object):
     """Verifies ID tokens and session cookies."""
 
     def __init__(self, app):
-        self.request = transport.requests.Request()
-        self._id_token_verifier = _JWTVerifier(
+        session = cachecontrol.CacheControl(requests.Session())
+        self.request = transport.requests.Request(session=session)
+        self.id_token_verifier = _JWTVerifier(
             project_id=app.project_id, short_name='ID token',
             operation='verify_id_token()',
             doc_url='https://firebase.google.com/docs/auth/admin/verify-id-tokens',
             cert_url=ID_TOKEN_CERT_URI, issuer=ID_TOKEN_ISSUER_PREFIX)
-        self._cookie_verifier = _JWTVerifier(
+        self.cookie_verifier = _JWTVerifier(
             project_id=app.project_id, short_name='session cookie',
             operation='verify_session_cookie()',
             doc_url='https://firebase.google.com/docs/auth/admin/verify-id-tokens',
             cert_url=COOKIE_CERT_URI, issuer=COOKIE_ISSUER_PREFIX)
 
     def verify_id_token(self, id_token):
-        return self._id_token_verifier.verify(id_token, self.request)
+        return self.id_token_verifier.verify(id_token, self.request)
 
     def verify_session_cookie(self, cookie):
-        return self._cookie_verifier.verify(cookie, self.request)
+        return self.cookie_verifier.verify(cookie, self.request)
 
 
 class _JWTVerifier(object):

requirements.txt

@@ -1,8 +1,10 @@
 pylint == 1.6.4
 pytest >= 3.0.6
 pytest-cov >= 2.4.0
+pytest-localserver >= 0.4.1
 tox >= 2.6.0
 
+cachecontrol >= 0.12.4
 google-auth >= 1.3.0
 google-cloud-firestore >= 0.27.0
 google-cloud-storage >= 1.2.0

setup.py

@@ -37,6 +37,7 @@
 long_description = ('The Firebase Admin Python SDK enables server-side (backend) Python developers '
                     'to integrate Firebase into their services and applications.')
 install_requires = [
+    'cachecontrol>=0.12.4',
     'google-auth>=1.3.0',
     'google-cloud-firestore>=0.27.0',
     'google-cloud-storage>=1.2.0',

tests/test_token_gen.py

@@ -24,6 +24,7 @@
 from google.auth import jwt
 import google.oauth2.id_token
 import pytest
+from pytest_localserver import plugin
 import six
 
 import firebase_admin
@@ -44,6 +45,9 @@
 INVALID_STRINGS = [None, '', 0, 1, True, False, list(), tuple(), dict()]
 INVALID_BOOLS = [None, '', 'foo', 0, 1, list(), tuple(), dict()]
 
+# Fixture for mocking a HTTP server
+httpserver = plugin.httpserver
+
 
 def _merge_jwt_claims(defaults, overrides):
     defaults.update(overrides)
@@ -452,3 +456,19 @@ def test_certificate_request_failure(self, user_mgt_app):
         _overwrite_cert_request(user_mgt_app, testutils.MockRequest(404, 'not found'))
         with pytest.raises(exceptions.TransportError):
             auth.verify_session_cookie(TEST_SESSION_COOKIE, app=user_mgt_app)
+
+
+class TestCertificateCaching(object):
+
+    def test_certificate_caching(self, user_mgt_app, httpserver):
+        httpserver.serve_content(MOCK_PUBLIC_CERTS, 200, headers={'Cache-Control': 'max-age=3600'})
+        verifier = _token_gen.TokenVerifier(user_mgt_app)
+        verifier.cookie_verifier.cert_url = httpserver.url
+        verifier.id_token_verifier.cert_url = httpserver.url
+        verifier.verify_session_cookie(TEST_SESSION_COOKIE)
+        assert len(httpserver.requests) == 1
+        # Subsequent requests should not fetch certs from the server
+        verifier.verify_session_cookie(TEST_SESSION_COOKIE)
+        assert len(httpserver.requests) == 1
+        verifier.verify_id_token(TEST_ID_TOKEN)
+        assert len(httpserver.requests) == 1