Improve auth policy configuration for callable functions.

Author: taeold

spec/v2/providers/https.spec.ts

@@ -30,12 +30,11 @@ import { expectedResponseHeaders, MockRequest } from "../../fixtures/mockrequest
 import { runHandler } from "../../helper";
 import { FULL_ENDPOINT, MINIMAL_V2_ENDPOINT, FULL_OPTIONS, FULL_TRIGGER } from "./fixtures";
 import { onInit } from "../../../src/v2/core";
-import { Handler } from "express";
 import { genkit } from "genkit";
 
 function request(args: {
   data?: any;
-  auth?: Record<string, string>;
+  auth?: Record<string, any>;
   headers?: Record<string, string>;
   method?: MockRequest["method"];
 }): any {
@@ -526,34 +525,92 @@ describe("onCall", () => {
       expect(anonResp.status).to.equal(403);
     });
 
-    it("should check hasClaim", async () => {
-      const anyValue = https.onCall(
-        {
-          authPolicy: https.hasClaim("meaning"),
-        },
-        () => "HHGTTG"
-      );
-      const specificValue = https.onCall(
-        {
-          authPolicy: https.hasClaim("meaning", "42"),
-        },
-        () => "HHGTG"
-      );
-
-      const cases: Array<{ fn: Handler; auth?: Record<string, string>; status: number }> = [
-        { fn: anyValue, auth: { meaning: "42" }, status: 200 },
-        { fn: anyValue, auth: { meaning: "43" }, status: 200 },
-        { fn: anyValue, auth: { order: "66" }, status: 403 },
-        { fn: anyValue, status: 403 },
-        { fn: specificValue, auth: { meaning: "42" }, status: 200 },
-        { fn: specificValue, auth: { meaning: "43" }, status: 403 },
-        { fn: specificValue, auth: { order: "66" }, status: 403 },
-        { fn: specificValue, status: 403 },
-      ];
-      for (const test of cases) {
-        const resp = await runHandler(test.fn, request({ auth: test.auth }));
-        expect(resp.status).to.equal(test.status);
-      }
+    describe("hasClaim", () => {
+      it("should check single claim with specific value", async () => {
+        const func = https.onCall(
+          {
+            authPolicy: https.hasClaim("meaning", "42"),
+          },
+          () => true
+        );
+        const validResp = await runHandler(func, request({ auth: { meaning: "42" } }));
+        expect(validResp.status).to.equal(200);
+
+        const noClaimResp = await runHandler(func, request({ auth: {} }));
+        expect(noClaimResp.status).to.equal(403);
+      });
+
+      it("should check single claim with default value (true)", async () => {
+        const func = https.onCall(
+          {
+            authPolicy: https.hasClaim("admin"),
+          },
+          () => true
+        );
+        const validResp = await runHandler(func, request({ auth: { admin: true } }));
+        expect(validResp.status).to.equal(200);
+
+        const wrongTypeResp = await runHandler(func, request({ auth: { admin: "true" } }));
+        expect(wrongTypeResp.status).to.equal(403);
+
+        const falseResp = await runHandler(func, request({ auth: { admin: false } }));
+        expect(falseResp.status).to.equal(403);
+
+        const noClaimResp = await runHandler(func, request({ auth: {} }));
+        expect(noClaimResp.status).to.equal(403);
+      });
+
+      it("should check multiple claims with default value (true)", async () => {
+        const func = https.onCall(
+          {
+            authPolicy: https.hasClaim(["pro", "eap"]),
+          },
+          () => true
+        );
+        const validResp = await runHandler(func, request({ auth: { pro: true, eap: true } }));
+        expect(validResp.status).to.equal(200);
+
+        const missingResp = await runHandler(func, request({ auth: { pro: true } }));
+        expect(missingResp.status).to.equal(403);
+
+        const wrongTypeResp = await runHandler(
+          func,
+          request({ auth: { pro: "true", eap: "true" } })
+        );
+        expect(wrongTypeResp.status).to.equal(403);
+
+        const noClaimResp = await runHandler(func, request({ auth: {} }));
+        expect(noClaimResp.status).to.equal(403);
+      });
+
+      it("should check multiple claims with specific values", async () => {
+        const func = https.onCall(
+          {
+            authPolicy: https.hasClaim({
+              meaning: 42,
+              animal: "dolphin",
+            }),
+          },
+          () => true
+        );
+        const validResp = await runHandler(
+          func,
+          request({ auth: { meaning: 42, animal: "dolphin" } })
+        );
+        expect(validResp.status).to.equal(200);
+
+        const wrongTypeResp = await runHandler(
+          func,
+          request({ auth: { meaning: "42", animal: "dolphin" } })
+        );
+        expect(wrongTypeResp.status).to.equal(403);
+
+        const missingResp = await runHandler(func, request({ auth: { meaing: 42 } }));
+        expect(missingResp.status).to.equal(403);
+
+        const noClaimResp = await runHandler(func, request({ auth: {} }));
+        expect(noClaimResp.status).to.equal(403);
+      });
     });
 
     it("can be any callback", async () => {
@@ -569,6 +626,24 @@ describe("onCall", () => {
       const accessDenied = await runHandler(divTwo, request({ data: 1 }));
       expect(accessDenied.status).to.equal(403);
     });
+
+    it("should check emailVerified", async () => {
+      const func = https.onCall(
+        {
+          authPolicy: https.emailVerified(),
+        },
+        () => 42
+      );
+
+      const verifiedResp = await runHandler(func, request({ auth: { email_verified: true } }));
+      expect(verifiedResp.status).to.equal(200);
+
+      const unverifiedResp = await runHandler(func, request({ auth: { email_verified: false } }));
+      expect(unverifiedResp.status).to.equal(403);
+
+      const noAuthResp = await runHandler(func, request({ auth: {} }));
+      expect(noAuthResp.status).to.equal(403);
+    });
   });
 });
 

src/common/providers/https.ts

@@ -846,9 +846,13 @@ function wrapOnCallHandler<Req = any, Res = any, Stream = unknown>(
 
       const data: Req = decode(req.body.data);
       if (options.authPolicy) {
-        const authorized = await options.authPolicy(context.auth ?? null, data);
-        if (!authorized) {
-          throw new HttpsError("permission-denied", "Permission Denied");
+        try {
+          const authorized = await options.authPolicy(context.auth ?? null, data);
+          if (!authorized) {
+            throw new HttpsError("permission-denied", "Permission Denied");
+          }
+        } catch (e: unknown) {
+          throw new HttpsError("permission-denied", (e as any).message || "Permission Denied");
         }
       }
       let result: Res;

src/v2/providers/https.ts

@@ -165,6 +165,12 @@ export interface HttpsOptions extends Omit<GlobalOptions, "region" | "enforceApp
   invoker?: "public" | "private" | string | string[];
 }
 
+/**
+ *
+   Callback function to run before processing a request for callable functions to authorize the request.
+ */
+export type AuthPolicy<T = any> = (auth: AuthData | null, data: T) => boolean | Promise<boolean>;
+
 /**
  * Options that can be set on a callable HTTPS function.
  */
@@ -212,34 +218,73 @@ export interface CallableOptions<T = any> extends HttpsOptions {
   /**
    * Callback for whether a request is authorized.
    *
-   * Designed to allow reusable auth policies to be passed as an options object. Two built-in reusable policies exist:
-   * isSignedIn and hasClaim.
+   * Designed to allow reusable auth policies to be passed as an options object.
    */
-  authPolicy?: (auth: AuthData | null, data: T) => boolean | Promise<boolean>;
+  authPolicy?: AuthPolicy<T>;
 }
 
 /**
  * An auth policy that requires a user to be signed in.
  */
-export const isSignedIn =
-  () =>
-  (auth: AuthData | null): boolean =>
-    !!auth;
+export function isSignedIn(): AuthPolicy {
+  return (auth: AuthData | null): boolean => {
+    if (!auth) {
+      throw new Error("Must be signed in");
+    }
+    return true;
+  };
+}
 
+export function hasClaim(claim: string, value?: string): AuthPolicy;
+export function hasClaim(claims: string[]): AuthPolicy;
+export function hasClaim(claims: Record<string, unknown>): AuthPolicy;
 /**
- * An auth policy that requires a user to be both signed in and have a specific claim (optionally with a specific value)
+ * An auth policy that requires a user to be both signed in and have a specific claims (optionally with a specific value)
  */
-export const hasClaim =
-  (claim: string, value?: string) =>
-  (auth: AuthData | null): boolean => {
+export function hasClaim(
+  claimOrClaims: string | string[] | Record<string, unknown>,
+  value?: string
+): AuthPolicy {
+  let claimsToCheck: Record<string, unknown> = {};
+
+  if (typeof claimOrClaims === "string") {
+    claimsToCheck[claimOrClaims] = value ?? true;
+  } else if (Array.isArray(claimOrClaims)) {
+    for (const claim of claimOrClaims) {
+      claimsToCheck[claim] = true;
+    }
+  } else {
+    claimsToCheck = claimOrClaims;
+  }
+
+  return (auth: AuthData | null): boolean => {
     if (!auth) {
-      return false;
+      throw new Error("Must be signed in");
     }
-    if (!(claim in auth.token)) {
-      return false;
+    for (const claim of Object.keys(claimsToCheck)) {
+      if (!(claim in auth.token)) {
+        throw new Error(`Missing claim '${claim}'`);
+      }
+      if (auth.token[claim] !== claimsToCheck[claim]) {
+        throw new Error(`Missing claim '${claim}' with value '${value}'`);
+      }
+    }
+    return true;
+  };
+}
+
+/**
+ * An auth policy that requires a user to be both signed in and have email verified
+ */
+export function emailVerified(): AuthPolicy {
+  return (auth: AuthData | null): boolean | Promise<boolean> => {
+    if (!auth) {
+      throw new Error("Must be signed in");
     }
-    return !value || auth.token[claim] === value;
+    console.log(auth)
+    return hasClaim("email_verified")(auth, undefined);
   };
+}
 
 /**
  * Handles HTTPS requests.