security: enforce project-specific issuer validation in PhoneNumberVerification

lahirumaramba · lahirumaramba · commit 969fca5f186f · 2026-05-05T14:21:09.000-04:00
diff --git a/src/main/java/com/google/firebase/phonenumberverification/internal/FirebasePhoneNumberVerificationTokenVerifier.java b/src/main/java/com/google/firebase/phonenumberverification/internal/FirebasePhoneNumberVerificationTokenVerifier.java
@@ -141,6 +141,12 @@ private void verifyClaims(JWTClaimsSet claims) throws FirebasePhoneNumberVerific
           "Firebase Phone Number Verification token has no 'iss' (issuer) claim.");
     }
 
+    String expectedIssuer = "https://fpnv.googleapis.com/projects/" + this.projectId;
+    if (!expectedIssuer.equals(issuer)) {
+      throw new FirebasePhoneNumberVerificationException(FirebasePhoneNumberVerificationErrorCode.INVALID_TOKEN,
+          "Firebase Phone Number Verification token has an incorrect 'iss' (issuer) claim.");
+    }
+
     if (claims.getAudience().isEmpty() || !claims.getAudience().contains(issuer)) {
       throw new FirebasePhoneNumberVerificationException(FirebasePhoneNumberVerificationErrorCode.INVALID_TOKEN,
           "Invalid audience. Expected to contain: " + issuer + " but found: " + claims.getAudience()
diff --git a/src/test/java/com/google/firebase/phonenumberverification/internal/FirebasePhoneNumberVerificationTokenVerifierTest.java b/src/test/java/com/google/firebase/phonenumberverification/internal/FirebasePhoneNumberVerificationTokenVerifierTest.java
@@ -446,4 +446,24 @@ public void testCreateJwtProcessor_HandlesException() throws Exception {
       assertTrue(cause.getCause() instanceof MalformedURLException);
     }
   }
+
+  @Test
+  public void testVerifyToken_Claims_InvalidIssuerProject() throws Exception {
+    JWTClaimsSet badIssuerClaims = new JWTClaimsSet.Builder()
+        .issuer("https://fpnv.googleapis.com/projects/attacker-project-id")
+        .audience("https://fpnv.googleapis.com/projects/attacker-project-id")
+        .subject(subject)
+        .expirationTime(new Date(System.currentTimeMillis() + 10000))
+        .build();
+
+    String tokenString = createToken(header, badIssuerClaims);
+    when(mockJwtProcessor.process(any(SignedJWT.class), any())).thenReturn(badIssuerClaims);
+
+    FirebasePhoneNumberVerificationException e = assertThrows(FirebasePhoneNumberVerificationException.class, () ->
+        verifier.verifyToken(tokenString)
+    );
+
+    assertEquals(FirebasePhoneNumberVerificationErrorCode.INVALID_TOKEN, e.getPhoneNumberVerificationErrorCode());
+    assertTrue(e.getMessage().contains("incorrect 'iss' (issuer) claim"));
+  }
 }
