[Functions] Pass placeholder app check tokens on error (#14467)

ncooke3 · web-flow · commit 918d77dd4cce · 2025-02-19T12:17:08.000-05:00
diff --git a/FirebaseFunctions/Sources/Internal/FunctionsContext.swift b/FirebaseFunctions/Sources/Internal/FunctionsContext.swift
@@ -56,9 +56,9 @@ struct FunctionsContextProvider {
   private func getAppCheckToken(options: HTTPSCallableOptions?) async -> String? {
     guard
       options?.requireLimitedUseAppCheckTokens != true,
-      let tokenResult = await appCheck?.getToken(forcingRefresh: false),
-      tokenResult.error == nil
+      let tokenResult = await appCheck?.getToken(forcingRefresh: false)
     else { return nil }
+    // The placeholder token should be used in the case of App Check error.
     return tokenResult.token
   }
 
@@ -77,8 +77,7 @@ struct FunctionsContextProvider {
       }
 
       limitedUseTokenClosure { tokenResult in
-        // Make sure there’s no error and the token is valid:
-        guard tokenResult.error == nil else { return continuation.resume(returning: nil) }
+        // The placeholder token should be used in the case of App Check error.
         continuation.resume(returning: tokenResult.token)
       }
     }
@@ -111,21 +110,17 @@ struct FunctionsContextProvider {
         // If it’s not implemented, we still need to leave the dispatch group.
         if let limitedUseTokenClosure = appCheck.getLimitedUseToken {
           limitedUseTokenClosure { tokenResult in
-            // Send only valid token to functions.
-            if tokenResult.error == nil {
-              limitedUseAppCheckToken = tokenResult.token
-            }
+            // In the case of an error, the token will be the placeholder token.
+            limitedUseAppCheckToken = tokenResult.token
             dispatchGroup.leave()
           }
         } else {
           dispatchGroup.leave()
         }
       } else {
         appCheck.getToken(forcingRefresh: false) { tokenResult in
-          // Send only valid token to functions.
-          if tokenResult.error == nil {
-            appCheckToken = tokenResult.token
-          }
+          // In the case of an error, the token will be the placeholder token.
+          appCheckToken = tokenResult.token
           dispatchGroup.leave()
         }
       }
diff --git a/FirebaseFunctions/Tests/Unit/ContextProviderTests.swift b/FirebaseFunctions/Tests/Unit/ContextProviderTests.swift
@@ -32,6 +32,12 @@ class ContextProviderTests: XCTestCase {
                                                         code: -1,
                                                         userInfo: nil
                                                       ))
+  let appCheckLimitedUseTokenError = FIRAppCheckTokenResultFake(token: "limited use token",
+                                                                error: NSError(
+                                                                  domain: "testAppCheckError",
+                                                                  code: -1,
+                                                                  userInfo: nil
+                                                                ))
   let appCheckTokenSuccess = FIRAppCheckTokenResultFake(token: "valid_token", error: nil)
   let messagingFake = FIRMessagingInteropFake()
 
@@ -143,8 +149,20 @@ class ContextProviderTests: XCTestCase {
 
     XCTAssertNil(context.authToken)
     XCTAssertNil(context.fcmToken)
-    // Don't expect any token in the case of App Check error.
-    XCTAssertNil(context.appCheckToken)
+    // Expect placeholder token in the case of App Check error.
+    XCTAssertEqual(context.appCheckToken, appCheckFake.tokenResult.token)
+  }
+
+  func testAsyncContextWithAppCheckOnlyError_LimitedUseToken() async throws {
+    appCheckFake.limitedUseTokenResult = appCheckLimitedUseTokenError
+    let provider = FunctionsContextProvider(auth: nil, messaging: nil, appCheck: appCheckFake)
+
+    let context = try await provider.context(options: .init(requireLimitedUseAppCheckTokens: true))
+
+    XCTAssertNil(context.authToken)
+    XCTAssertNil(context.fcmToken)
+    // Expect placeholder token in the case of App Check error.
+    XCTAssertEqual(context.limitedUseAppCheckToken, appCheckFake.limitedUseTokenResult.token)
   }
 
   func testContextWithAppCheckOnlyError() {
@@ -156,8 +174,24 @@ class ContextProviderTests: XCTestCase {
       XCTAssertNil(error)
       XCTAssertNil(context.authToken)
       XCTAssertNil(context.fcmToken)
-      // Don't expect any token in the case of App Check error.
-      XCTAssertNil(context.appCheckToken)
+      // Expect placeholder token in the case of App Check error.
+      XCTAssertEqual(context.appCheckToken, self.appCheckFake.tokenResult.token)
+      expectation.fulfill()
+    }
+    waitForExpectations(timeout: 0.1)
+  }
+
+  func testContextWithAppCheckOnlyError_LimitedUseToken() {
+    appCheckFake.limitedUseTokenResult = appCheckLimitedUseTokenError
+    let provider = FunctionsContextProvider(auth: nil, messaging: nil, appCheck: appCheckFake)
+    let expectation = expectation(description: "Verify bad app check token")
+    provider.getContext(options: .init(requireLimitedUseAppCheckTokens: true)) { context, error in
+      XCTAssertNotNil(context)
+      XCTAssertNil(error)
+      XCTAssertNil(context.authToken)
+      XCTAssertNil(context.fcmToken)
+      // Expect placeholder token in the case of App Check error.
+      XCTAssertEqual(context.limitedUseAppCheckToken, self.appCheckFake.limitedUseTokenResult.token)
       expectation.fulfill()
     }
     waitForExpectations(timeout: 0.1)
@@ -264,8 +298,30 @@ class ContextProviderTests: XCTestCase {
       XCTAssertEqual(error as NSError?, authError)
       XCTAssertNil(context.authToken)
       XCTAssertEqual(context.fcmToken, self.messagingFake.fcmToken)
-      // Don't expect any token in the case of App Check error.
-      XCTAssertNil(context.appCheckToken)
+      // Expect placeholder token in the case of App Check error.
+      XCTAssertEqual(context.appCheckToken, self.appCheckFake.tokenResult.token)
+      expectation.fulfill()
+    }
+    waitForExpectations(timeout: 0.1)
+  }
+
+  func testAllContextsAuthAndAppCheckError_LimitedUseToken() {
+    appCheckFake.limitedUseTokenResult = appCheckLimitedUseTokenError
+    let authError = NSError(domain: "com.functions.tests", code: 4, userInfo: nil)
+    let auth = FIRAuthInteropFake(token: nil, userID: "userID", error: authError)
+    let provider = FunctionsContextProvider(
+      auth: auth,
+      messaging: messagingFake,
+      appCheck: appCheckFake
+    )
+    let expectation = expectation(description: "All contexts with errors")
+    provider.getContext(options: .init(requireLimitedUseAppCheckTokens: true)) { context, error in
+      XCTAssertNotNil(context)
+      XCTAssertEqual(error as NSError?, authError)
+      XCTAssertNil(context.authToken)
+      XCTAssertEqual(context.fcmToken, self.messagingFake.fcmToken)
+      // Expect placeholder token in the case of App Check error.
+      XCTAssertEqual(context.limitedUseAppCheckToken, self.appCheckFake.limitedUseTokenResult.token)
       expectation.fulfill()
     }
     waitForExpectations(timeout: 0.1)
diff --git a/FirebaseFunctions/Tests/Unit/FunctionsTests.swift b/FirebaseFunctions/Tests/Unit/FunctionsTests.swift
@@ -215,18 +215,22 @@ class FunctionsTests: XCTestCase {
     waitForExpectations(timeout: 1.5)
   }
 
-  func testCallFunctionWhenLimitedUseAppCheckTokenCannotBeGeneratedThenCallWithoutToken() {
+  func testCallFunctionWhenLimitedUseAppCheckTokenCannotBeGeneratedThenCallWithPlaceholderToken() {
     // Given
     appCheckFake.limitedUseTokenResult = FIRAppCheckTokenResultFake(
-      token: "dummy token",
+      token: "limited use token",
       error: NSError(domain: #function, code: -1)
     )
 
     let httpRequestExpectation = expectation(description: "HTTPRequestExpectation")
     fetcherService.testBlock = { fetcherToTest, testResponse in
       // Assert that header does not contain an AppCheck token.
-      fetcherToTest.request?.allHTTPHeaderFields?.forEach { key, _ in
-        XCTAssertNotEqual(key, "X-Firebase-AppCheck")
+      do {
+        let appCheckHeader = try XCTUnwrap(fetcherToTest.request?
+          .allHTTPHeaderFields?["X-Firebase-AppCheck"])
+        XCTAssertEqual(appCheckHeader, self.appCheckFake.limitedUseTokenResult.token)
+      } catch {
+        XCTFail("Unexpected failure: \(error)")
       }
 
       testResponse(nil, "{\"data\":\"May the force be with you!\"}".data(using: .utf8), nil)

Original file line number	Diff line number	Diff line change
`@@ -56,9 +56,9 @@ struct FunctionsContextProvider {`
`56`	`56`	`private func getAppCheckToken(options: HTTPSCallableOptions?) async -> String? {`
`57`	`57`	`guard`
`58`	`58`	`options?.requireLimitedUseAppCheckTokens != true,`
`59`		`- let tokenResult = await appCheck?.getToken(forcingRefresh: false),`
`60`		`- tokenResult.error == nil`
	`59`	`+ let tokenResult = await appCheck?.getToken(forcingRefresh: false)`
`61`	`60`	`else { return nil }`
	`61`	`+ // The placeholder token should be used in the case of App Check error.`
`62`	`62`	`return tokenResult.token`
`63`	`63`	`}`
`64`	`64`
`@@ -77,8 +77,7 @@ struct FunctionsContextProvider {`
`77`	`77`	`}`
`78`	`78`
`79`	`79`	`limitedUseTokenClosure { tokenResult in`
`80`		`- // Make sure there’s no error and the token is valid:`
`81`		`- guard tokenResult.error == nil else { return continuation.resume(returning: nil) }`
	`80`	`+ // The placeholder token should be used in the case of App Check error.`
`82`	`81`	`continuation.resume(returning: tokenResult.token)`
`83`	`82`	`}`
`84`	`83`	`}`
`@@ -111,21 +110,17 @@ struct FunctionsContextProvider {`
`111`	`110`	`// If it’s not implemented, we still need to leave the dispatch group.`
`112`	`111`	`if let limitedUseTokenClosure = appCheck.getLimitedUseToken {`
`113`	`112`	`limitedUseTokenClosure { tokenResult in`
`114`		`- // Send only valid token to functions.`
`115`		`- if tokenResult.error == nil {`
`116`		`- limitedUseAppCheckToken = tokenResult.token`
`117`		`- }`
	`113`	`+ // In the case of an error, the token will be the placeholder token.`
	`114`	`+ limitedUseAppCheckToken = tokenResult.token`
`118`	`115`	`dispatchGroup.leave()`
`119`	`116`	`}`
`120`	`117`	`} else {`
`121`	`118`	`dispatchGroup.leave()`
`122`	`119`	`}`
`123`	`120`	`} else {`
`124`	`121`	`appCheck.getToken(forcingRefresh: false) { tokenResult in`
`125`		`- // Send only valid token to functions.`
`126`		`- if tokenResult.error == nil {`
`127`		`- appCheckToken = tokenResult.token`
`128`		`- }`
	`122`	`+ // In the case of an error, the token will be the placeholder token.`
	`123`	`+ appCheckToken = tokenResult.token`
`129`	`124`	`dispatchGroup.leave()`
`130`	`125`	`}`
`131`	`126`	`}`