Implement exchangeToken public api

mansisampat · mansisampat · commit f46d09d193f4 · 2025-05-14T18:06:28.000+05:30
diff --git a/common/api-review/auth.api.md b/common/api-review/auth.api.md
@@ -364,6 +364,9 @@ export interface EmulatorConfig {
 
 export { ErrorFn }
 
+// @public (undocumented)
+export function exchangeToken(auth: Auth, idpConfigId: string, customToken: string): Promise<string>;
+
 // Warning: (ae-forgotten-export) The symbol "BaseOAuthProvider" needs to be exported by the entry point index.d.ts
 //
 // @public
diff --git a/docs-devsite/auth.md b/docs-devsite/auth.md
@@ -28,6 +28,7 @@ Firebase Authentication
 |  [confirmPasswordReset(auth, oobCode, newPassword)](./auth.md#confirmpasswordreset_749dad8) | Completes the password reset process, given a confirmation code and new password. |
 |  [connectAuthEmulator(auth, url, options)](./auth.md#connectauthemulator_657c7e5) | Changes the [Auth](./auth.auth.md#auth_interface) instance to communicate with the Firebase Auth Emulator, instead of production Firebase Auth services. |
 |  [createUserWithEmailAndPassword(auth, email, password)](./auth.md#createuserwithemailandpassword_21ad33b) | Creates a new user account associated with the specified email address and password. |
+|  [exchangeToken(auth, idpConfigId, customToken)](./auth.md#exchangetoken_b6b1871) |  |
 |  [fetchSignInMethodsForEmail(auth, email)](./auth.md#fetchsigninmethodsforemail_efb3887) | Gets the list of possible sign in methods for the given email address. This method returns an empty list when [Email Enumeration Protection](https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection) is enabled, irrespective of the number of authentication methods available for the given email. |
 |  [getMultiFactorResolver(auth, error)](./auth.md#getmultifactorresolver_201ba61) | Provides a [MultiFactorResolver](./auth.multifactorresolver.md#multifactorresolver_interface) suitable for completion of a multi-factor flow. |
 |  [getRedirectResult(auth, resolver)](./auth.md#getredirectresult_c35dc1f) | Returns a [UserCredential](./auth.usercredential.md#usercredential_interface) from the redirect-based sign-in flow. |
@@ -405,6 +406,26 @@ export declare function createUserWithEmailAndPassword(auth: Auth, email: string
 
 Promise&lt;[UserCredential](./auth.usercredential.md#usercredential_interface)<!-- -->&gt;
 
+### exchangeToken(auth, idpConfigId, customToken) {:#exchangetoken_b6b1871}
+
+<b>Signature:</b>
+
+```typescript
+export declare function exchangeToken(auth: Auth, idpConfigId: string, customToken: string): Promise<string>;
+```
+
+#### Parameters
+
+|  Parameter | Type | Description |
+|  --- | --- | --- |
+|  auth | [Auth](./auth.auth.md#auth_interface) |  |
+|  idpConfigId | string |  |
+|  customToken | string |  |
+
+<b>Returns:</b>
+
+Promise&lt;string&gt;
+
 ### fetchSignInMethodsForEmail(auth, email) {:#fetchsigninmethodsforemail_efb3887}
 
 Gets the list of possible sign in methods for the given email address. This method returns an empty list when [Email Enumeration Protection](https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection) is enabled, irrespective of the number of authentication methods available for the given email.
diff --git a/packages/auth/src/api/authentication/exchange_token.test.ts b/packages/auth/src/api/authentication/exchange_token.test.ts
@@ -0,0 +1,92 @@
+/**
+ * @license
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { expect, use } from 'chai';
+import chaiAsPromised from 'chai-as-promised';
+
+import { regionalTestAuth, testAuth, TestAuth } from '../../../test/helpers/mock_auth';
+import * as mockFetch from '../../../test/helpers/mock_fetch';
+import { mockRegionalEndpointWithParent } from '../../../test/helpers/api/helper';
+import { exchangeToken } from './exchange_token';
+import { HttpHeader, RegionalEndpoint } from '..';
+import { FirebaseError } from '@firebase/util';
+import { ServerError } from '../errors';
+
+use(chaiAsPromised);
+
+describe('api/authentication/exchange_token', () => {
+  let auth: TestAuth;
+  let regionalAuth: TestAuth;
+  const request = {
+    parent: "test-parent",
+    token: "custom-token"
+  };
+
+  beforeEach(async () => {
+    auth = await testAuth();
+    regionalAuth = await regionalTestAuth();
+    mockFetch.setUp();
+  });
+
+  afterEach(mockFetch.tearDown);
+
+    it('returns accesss token for Regional Auth', async() => {
+    const mock = mockRegionalEndpointWithParent(RegionalEndpoint.EXCHANGE_TOKEN,
+      "test-parent",
+      {accessToken: "outbound-token"}
+    );
+
+    const response = await exchangeToken(regionalAuth, request);
+    expect(response.accessToken).equal("outbound-token");
+    expect(mock.calls[0].request).to.eql({parent: "test-parent", token: "custom-token"});
+    expect(mock.calls[0].method).to.eq('POST');
+    expect(mock.calls[0].headers!.get(HttpHeader.CONTENT_TYPE)).to.eq(
+          'application/json');
+  });
+
+  it('throws exception for default Auth', async() => {
+    await expect(exchangeToken(auth, request)).to.be.rejectedWith(
+      FirebaseError,
+      'Firebase: Operations not allowed for the auth object initialized. (auth/operation-not-allowed).'
+    );
+  });
+
+  it('should handle errors', async () => {
+      const mock = mockRegionalEndpointWithParent(
+        RegionalEndpoint.EXCHANGE_TOKEN,
+        "test-parent",
+        {
+          error: {
+            code: 400,
+            message: ServerError.INVALID_CUSTOM_TOKEN,
+            errors: [
+              {
+                message: ServerError.INVALID_CUSTOM_TOKEN
+              }
+            ]
+          }
+        },
+        400
+      );
+  
+      await expect(exchangeToken(regionalAuth, request)).to.be.rejectedWith(
+        FirebaseError,
+        '(auth/invalid-custom-token).'
+      );
+      expect(mock.calls[0].request).to.eql(request);
+    });
+});
diff --git a/packages/auth/src/api/authentication/exchange_token.ts b/packages/auth/src/api/authentication/exchange_token.ts
@@ -0,0 +1,48 @@
+/**
+ * @license
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import {
+  RegionalEndpoint,
+  HttpMethod,
+  _performRegionalApiRequest
+} from '../index';
+import { Auth } from '../../model/public_types';
+
+export interface ExchangeTokenRequest {
+  parent: string;
+  token: string;
+}
+
+export interface ExchangeTokenRespose {
+  accessToken: string;
+}
+
+export async function exchangeToken(
+  auth: Auth,
+  request: ExchangeTokenRequest
+): Promise<ExchangeTokenRespose> {
+  return _performRegionalApiRequest<
+    ExchangeTokenRequest,
+    ExchangeTokenRespose
+  >(
+    auth,
+    HttpMethod.POST,
+    RegionalEndpoint.EXCHANGE_TOKEN,
+    request,
+    {},
+    request.parent
+  );
+}
diff --git a/packages/auth/src/api/index.test.ts b/packages/auth/src/api/index.test.ts
@@ -36,6 +36,7 @@ import { ConfigInternal } from '../model/auth';
 import {
   _getFinalTarget,
   _performApiRequest,
+  _performRegionalApiRequest,
   DEFAULT_API_TIMEOUT_MS,
   Endpoint,
   RegionalEndpoint,
@@ -606,7 +607,7 @@ describe('api/_performApiRequest', () => {
   context('throws Operation not allowed exception', () => {
     it('when tenantConfig is not initialized and Regional Endpoint is used', async () => {
       await expect(
-        _performApiRequest<typeof request, typeof serverResponse>(
+        _performRegionalApiRequest<typeof request, typeof serverResponse>(
           auth,
           HttpMethod.POST,
           RegionalEndpoint.EXCHANGE_TOKEN,
diff --git a/packages/auth/src/api/index.ts b/packages/auth/src/api/index.ts
@@ -81,8 +81,11 @@ export enum Endpoint {
   REVOKE_TOKEN = '/v2/accounts:revokeToken'
 }
 
+export const EXCHANGE_TOKEN_PARENT =
+  'projects/${projectId}/locations/${location}/tenants/${tenantId}/idpConfigs/${idpConfigId}';
+
 export enum RegionalEndpoint {
-  EXCHANGE_TOKEN = 'v2/${body.parent}:exchangeOidcToken'
+  EXCHANGE_TOKEN = ':exchangeOidcToken'
 }
 
 const CookieAuthProxiedEndpoints: string[] = [
@@ -141,24 +144,91 @@ export function _addTidIfNecessary<T extends { tenantId?: string }>(
   return request;
 }
 
+function isRegionalAuthInitialized(auth: Auth): boolean {
+  return !!auth.tenantConfig;
+}
+
+async function createFetchArgs<T>(
+  auth: Auth,
+  method: HttpMethod,
+  request?: T
+): Promise<RequestInit> {
+  let body = {};
+  let params = {};
+  if (request) {
+    if (method === HttpMethod.GET) {
+      params = request;
+    } else {
+      body = {
+        body: JSON.stringify(request)
+      };
+    }
+  }
+
+  const headers = await (auth as AuthInternal)._getAdditionalHeaders();
+  headers[HttpHeader.CONTENT_TYPE] = 'application/json';
+
+  if (auth.languageCode) {
+    headers[HttpHeader.X_FIREBASE_LOCALE] = auth.languageCode;
+  }
+
+  const fetchArgs: RequestInit = {
+    method,
+    headers,
+    ...body
+  };
+
+  /* Security-conscious server-side frameworks tend to have built in mitigations for referrer
+     problems". See the Cloudflare GitHub issue #487: Error: The 'referrerPolicy' field on
+     'RequestInitializerDict' is not implemented."
+     https://github.com/cloudflare/next-on-pages/issues/487 */
+  if (!isCloudflareWorker()) {
+    fetchArgs.referrerPolicy = 'no-referrer';
+  }
+
+  if (auth.emulatorConfig && isCloudWorkstation(auth.emulatorConfig.host)) {
+    fetchArgs.credentials = 'include';
+  }
+  return fetchArgs;
+}
+
+export async function _performRegionalApiRequest<T, V>(
+  auth: Auth,
+  method: HttpMethod,
+  path: RegionalEndpoint,
+  request?: T,
+  customErrorMap: Partial<ServerErrorMap<ServerError>> = {},
+  parent?: string
+): Promise<V> {
+  if (!isRegionalAuthInitialized(auth)) {
+    throw _operationNotSupportedForInitializedAuthInstance(auth);
+  }
+  return _performFetchWithErrorHandling(auth, customErrorMap, async () => {
+    let fullyQualifiedPath = `${parent}${path}`;
+    const fetchArgs = await createFetchArgs<T>(auth, method, request);
+    return FetchProvider.fetch()(
+      `${auth.config.apiScheme}://${auth.config.apiHost}${fullyQualifiedPath}`,
+      fetchArgs
+    );
+  });
+}
+
 export async function _performApiRequest<T, V>(
   auth: Auth,
   method: HttpMethod,
-  path: Endpoint | RegionalEndpoint,
+  path: Endpoint,
   request?: T,
   customErrorMap: Partial<ServerErrorMap<ServerError>> = {}
 ): Promise<V> {
-  _assertValidEndpointForAuth(auth, path);
+  if (isRegionalAuthInitialized(auth)) {
+    throw _operationNotSupportedForInitializedAuthInstance(auth);
+  }
   return _performFetchWithErrorHandling(auth, customErrorMap, async () => {
-    let body = {};
+    const fetchArgs = await createFetchArgs<T>(auth, method, request);
     let params = {};
     if (request) {
       if (method === HttpMethod.GET) {
         params = request;
-      } else {
-        body = {
-          body: JSON.stringify(request)
-        };
       }
     }
 
@@ -167,31 +237,6 @@ export async function _performApiRequest<T, V>(
       ...params
     }).slice(1);
 
-    const headers = await (auth as AuthInternal)._getAdditionalHeaders();
-    headers[HttpHeader.CONTENT_TYPE] = 'application/json';
-
-    if (auth.languageCode) {
-      headers[HttpHeader.X_FIREBASE_LOCALE] = auth.languageCode;
-    }
-
-    const fetchArgs: RequestInit = {
-      method,
-      headers,
-      ...body
-    };
-
-    /* Security-conscious server-side frameworks tend to have built in mitigations for referrer
-       problems". See the Cloudflare GitHub issue #487: Error: The 'referrerPolicy' field on
-       'RequestInitializerDict' is not implemented."
-       https://github.com/cloudflare/next-on-pages/issues/487 */
-    if (!isCloudflareWorker()) {
-      fetchArgs.referrerPolicy = 'no-referrer';
-    }
-
-    if (auth.emulatorConfig && isCloudWorkstation(auth.emulatorConfig.host)) {
-      fetchArgs.credentials = 'include';
-    }
-
     return FetchProvider.fetch()(
       await _getFinalTarget(auth, auth.config.apiHost, path, query),
       fetchArgs
@@ -287,7 +332,7 @@ export async function _getFinalTarget(
   auth: Auth,
   host: string,
   path: string,
-  query: string
+  query?: string
 ): Promise<string> {
   const base = `${host}${path}?${query}`;
 
@@ -332,15 +377,14 @@ function _assertValidEndpointForAuth(
   auth: Auth,
   path: Endpoint | RegionalEndpoint
 ): void {
-  if (
-    !auth.tenantConfig &&
-    Object.values(RegionalEndpoint).includes(path as RegionalEndpoint)
-  ) {
-    throw _operationNotSupportedForInitializedAuthInstance(auth);
-  }
-
-  if (auth.tenantConfig && Object.values(Endpoint).includes(path as Endpoint)) {
-    throw _operationNotSupportedForInitializedAuthInstance(auth);
+  if (isRegionalAuthInitialized(auth)) {
+    if (Object.values(Endpoint).includes(path as Endpoint)) {
+      throw _operationNotSupportedForInitializedAuthInstance(auth);
+    }
+  } else {
+    if (Object.values(RegionalEndpoint).includes(path as RegionalEndpoint)) {
+      throw _operationNotSupportedForInitializedAuthInstance(auth);
+    }
   }
 }
 
diff --git a/packages/auth/src/core/auth/auth_impl.ts b/packages/auth/src/core/auth/auth_impl.ts
@@ -93,7 +93,7 @@ export const enum DefaultConfig {
   TOKEN_API_HOST = 'securetoken.googleapis.com',
   API_HOST = 'identitytoolkit.googleapis.com',
   API_SCHEME = 'https',
-  REGIONAL_API_HOST = 'identityplatform.googleapis.com'
+  REGIONAL_API_HOST = 'identityplatform.googleapis.com/v2alpha/'
 }
 
 export class AuthImpl implements AuthInternal, _FirebaseService {
diff --git a/packages/auth/src/core/index.ts b/packages/auth/src/core/index.ts
@@ -315,6 +315,7 @@ export {
   sendEmailVerification,
   verifyBeforeUpdateEmail
 } from './strategies/email';
+export { exchangeToken } from './strategies/exhange_token';
 
 // core
 export { ActionCodeURL, parseActionCodeURL } from './action_code_url';
diff --git a/packages/auth/src/core/strategies/exchange_token.test.ts b/packages/auth/src/core/strategies/exchange_token.test.ts
diff --git a/packages/auth/src/core/strategies/exhange_token.ts b/packages/auth/src/core/strategies/exhange_token.ts
diff --git a/packages/auth/test/helpers/api/helper.ts b/packages/auth/test/helpers/api/helper.ts
diff --git a/packages/auth/test/helpers/mock_auth.ts b/packages/auth/test/helpers/mock_auth.ts

Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ export const enum DefaultConfig {`
`93`	`93`	`TOKEN_API_HOST = 'securetoken.googleapis.com',`
`94`	`94`	`API_HOST = 'identitytoolkit.googleapis.com',`
`95`	`95`	`API_SCHEME = 'https',`
`96`		`- REGIONAL_API_HOST = 'identityplatform.googleapis.com'`
	`96`	`+ REGIONAL_API_HOST = 'identityplatform.googleapis.com/v2alpha/'`
`97`	`97`	`}`
`98`	`98`
`99`	`99`	`export class AuthImpl implements AuthInternal, _FirebaseService {`