Closed maku693 closed 3 years ago
@maku693 thank you for the contribution! General approach LGTM but assigning to @hiranya911 for Go / Admin SDK review.
@hiranya911 - as a user waiting for this feature, my 2c worth is that although token verification emulation is necessary for complete end-to-end testing, making it possible to talk to the emulator at all in this manner is still useful to release as-is, since it unblocks testing of a variety of workflows
Agreed, this would be a huge win for me.
I'd propose a middle ground where we release a version first, where everything works but token verification panics with "not implemented" for now when the env var is set. This should ensure that the SDK doesn't call production APIs in emulator mode and also minimize any confusion caused by the SDK verifying signatures using production public keys. (This idea can also apply to the Python SDK, using thrown exceptions instead of panics.)
@yuchenshi I like that idea! SGTM
Yeah, I like that too. Any chance we can get this PR updated to incorporate that change?
Thank you for the review! I'll update this PR this weekend.
@yuchenshi Is the point of the change to prevent calling production APIs in emulator mode? If so, not just the token verifier but also the signer and the tenant manager should panic at API calls, correct?
For createCustomToken etc., when FIREBASE_AUTH_EMULATOR_HOST is set, the SDK should create unsigned tokens (i.e. the signature part being an empty string), which are in turn accepted by the Auth Emulator. In other words, signer should be short-circuited and there should not be any outgoing network call at all (no signBlob etc.).
Auth Emulator doesn't support multi-tenancy (at least for now) and I'm indifferent whether the SDK should panic or forward them to the Auth Emulator which rejects such requests. I'm fine as long as they won't reach production.
Ah, I understand. I'll update not to sign tokens.
If FIREBASE_AUTH_EMULATOR_HOST is set, auth API requests will be sent to the host according to the environment variable.
Discussion
409
Reflecting the comment on the issue, the behavior of signers and token verifiers is unchanged.
Now the signer is replaced with emulatedSigner, and token verifiers panic when the environment variable is set.
https://github.com/firebase/firebase-admin-go/pull/414#issuecomment-754931543
https://github.com/firebase/firebase-admin-go/pull/414#issuecomment-758166352
RELEASE NOTE: The Admin SDK now supports the Firebase emulator. Developers can configure the SDK to run against the emulator by setting the FIREBASE_AUTH_EMULATOR_HOST environment variable.
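The behavior agreed in the thread (an unsigned token with an empty signature segment, no network call in the signer, and a verifier that panics while the environment variable is set), as an added sketch that is not code from this PR or from the SDK. The method shapes on emulatedSigner and the helpers unsignedToken and checkBeforeVerify are assumptions made for illustration; the rejection of empty signatures outside emulator mode goes one step beyond what the thread states.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// emulatedSigner (hypothetical sketch): no network call, empty signature.
type emulatedSigner struct{}

func (emulatedSigner) Algorithm() string           { return "none" }
func (emulatedSigner) Sign([]byte) ([]byte, error) { return nil, nil }

func inEmulatorMode() bool { return os.Getenv("FIREBASE_AUTH_EMULATOR_HOST") != "" }

// unsignedToken builds "header.payload." with an empty third segment.
func unsignedToken(claims map[string]interface{}) (string, error) {
	s, enc := emulatedSigner{}, base64.RawURLEncoding
	h, _ := json.Marshal(map[string]string{"alg": s.Algorithm(), "typ": "JWT"})
	c, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString(h) + "." + enc.EncodeToString(c)
	sig, _ := s.Sign([]byte(input)) // always empty, never fails
	return input + "." + enc.EncodeToString(sig), nil
}

// checkBeforeVerify panics in emulator mode, so production keys are never
// consulted there, and rejects tokens whose signature segment is empty.
func checkBeforeVerify(token string) error {
	if inEmulatorMode() {
		panic("token verification not implemented in emulator mode")
	}
	if p := strings.Split(token, "."); len(p) != 3 || p[2] == "" {
		return errors.New("unsigned or malformed token rejected")
	}
	return nil // real signature verification would follow here
}

func main() {
	tok, _ := unsignedToken(map[string]interface{}{"uid": "constructed-user"})
	fmt.Println(tok, checkBeforeVerify(tok))
}
```

Run main with FIREBASE_AUTH_EMULATOR_HOST unset to see the unsigned token rejected; with the variable set, the verification path panics instead.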