Limited Use Tokens in Functions

[AustinBenoit]

Description

Provide details of the change, and generalize the change in the PR title above.

Add support for limited use tokens in firebase functions.

---

Testing

Describe how you've tested these changes. Link any manually triggered Integration tests or CPP binary SDK Packaging Github Action workflows, if applicable.

Added new integrations test and tested on Macos, Android and iOS

Android:

iOS:

MacOs:

---

Type of Change

Place an x the applicable box:

• Bug fix. Add the issue # below if applicable.
• New feature. A non-breaking change which adds functionality.
• Other, such as a build process or documentation change.

---

Notes

• Bug fixes and feature changes require an update to the Release Notes section of release_build_files/readme.md.
• Read the contribution guidelines CONTRIBUTING.md.
• Changes to the public API require an internal API review. If you'd like to help us make Firebase APIs better, please propose your change in a feature request so that we can discuss it together.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances Firebase Functions by integrating support for limited-use App Check tokens. This feature provides an additional layer of security, specifically for replay protection, by allowing requests to callable functions to be made with tokens that are valid for a single use. The changes involve updating the API to accept new options, modifying internal token handling mechanisms, and ensuring compatibility across all supported platforms.

Highlights

• Limited Use App Check Tokens: Introduced the HttpsCallableOptions struct, allowing developers to specify whether a callable function request should utilize a limited-use App Check token for enhanced security, particularly against replay attacks.
• API Extension: Extended the public Functions API with overloaded GetHttpsCallable and GetHttpsCallableFromURL methods that accept the new HttpsCallableOptions.
• Cross-Platform Implementation: Implemented the logic for fetching and applying limited-use App Check tokens across desktop, Android, and iOS platforms, ensuring consistent behavior.
• Integration Testing: Added new integration tests to thoroughly verify the functionality of calling Firebase Functions with limited-use App Check tokens.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• app/src/function_registry.h
  • Added FnAppCheckGetLimitedUseTokenAsync to the FunctionId enum.
• app_check/src/common/common.h
  • Added kAppCheckFnGetLimitedUseAppCheckStringInternal to the AppCheckFn enum.
• app_check/src/desktop/app_check_desktop.cc
  • Implemented GetLimitedUseAppCheckTokenStringInternal to fetch limited-use App Check tokens.
  • Registered and unregistered FnAppCheckGetLimitedUseTokenAsync with the function registry.
• app_check/src/desktop/app_check_desktop.h
  • Declared GetLimitedUseAppCheckTokenStringInternal and its static registry function.
• functions/integration_test/src/integration_test.cc
  • Added two new integration tests to verify calling functions with limited-use App Check tokens.
• functions/src/android/functions_android.cc
  • Defined new JNI method lookups for GetHttpsCallable and GetHttpsCallableFromURL that accept HttpsCallableOptions.
  • Added JNI method lookups for HttpsCallableOptions$Builder methods.
• functions/src/android/functions_android.h
  • Declared overloaded GetHttpsCallable and GetHttpsCallableFromURL methods that accept HttpsCallableOptions.
• functions/src/common/functions.cc
  • Implemented new GetHttpsCallable and GetHttpsCallableFromURL overloads to pass HttpsCallableOptions to the internal implementation.
• functions/src/desktop/callable_reference_desktop.cc
  • Modified constructors and assignment operators to store HttpsCallableOptions.
  • Updated the Call method to conditionally use limited-use App Check tokens based on the provided options.
• functions/src/desktop/callable_reference_desktop.h
  • Updated the constructor to accept HttpsCallableOptions.
  • Added a options_ member to store HttpsCallableOptions.
• functions/src/desktop/functions_desktop.cc
  • Implemented new GetHttpsCallable and GetHttpsCallableFromURL overloads to create HttpsCallableReferenceInternal instances with HttpsCallableOptions.
• functions/src/desktop/functions_desktop.h
  • Declared new GetHttpsCallable and GetHttpsCallableFromURL overloads that accept HttpsCallableOptions.
• functions/src/include/firebase/functions.h
  • Added public API overloads for GetHttpsCallable and GetHttpsCallableFromURL that include HttpsCallableOptions.
• functions/src/include/firebase/functions/callable_reference.h
  • Defined the HttpsCallableOptions struct, including the limited_use_app_check_token field.
• functions/src/ios/functions_ios.h
  • Declared new GetHttpsCallable and GetHttpsCallableFromURL overloads that accept HttpsCallableOptions.
• functions/src/ios/functions_ios.mm
  • Implemented new GetHttpsCallable and GetHttpsCallableFromURL overloads, translating HttpsCallableOptions to FIRHTTPSCallableOptions for iOS.
• release_build_files/readme.md
  • Updated the "Upcoming" release notes to mention the addition of limited use tokens in Functions.

Activity

• New integration tests were added to validate the functionality of limited-use App Check tokens with Firebase Functions.
• The changes were manually tested on macOS, Android, and iOS platforms, with screenshots provided for verification.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request adds support for limited-use App Check tokens in Firebase Functions across Android, iOS, and desktop platforms. While the core implementation appears solid, a critical security vulnerability has been identified: the new GetHttpsCallableFromURL functions across all platforms lack URL validation. This could lead to sensitive information leakage (e.g., Firebase Auth and App Check tokens) if user-controlled or insecure (HTTP) URLs are passed. It is highly recommended to enforce HTTPS and implement URL validation to ensure requests are only sent to trusted destinations. Furthermore, there are a couple of suggestions to improve the readability of the JNI code in the Android implementation.

[gemini-code-assist]

The function GetHttpsCallableFromURL accepts an arbitrary URL and passes it to HttpsCallableReferenceInternal. When Call() is invoked, the SDK automatically attaches sensitive Firebase Auth tokens (Authorization: Bearer <token>) and App Check tokens (X-Firebase-AppCheck: <token>) to the request. If a developer passes a user-controlled URL, an attacker could steal these tokens. Additionally, the SDK does not enforce HTTPS, allowing tokens to be leaked over plaintext if an http:// URL is used.

Recommendation: Validate that the URL uses the https:// protocol and, if possible, restrict it to trusted Firebase domains.

[gemini-code-assist]

The Android implementation of GetHttpsCallableFromURL lacks validation for the provided URL string. It directly converts the input to a java.net.URL and uses it to create a reference that will include sensitive Auth and App Check tokens in its requests. This poses a risk of sensitive information leakage if the URL is user-controlled or uses an insecure protocol.

Recommendation: Implement validation to ensure the URL is secure (HTTPS) and points to a trusted destination.

[gemini-code-assist]

The iOS implementation of GetHttpsCallableFromURL does not validate the provided URL before passing it to the underlying native SDK. This inherits the same risks of SSRF and sensitive token leakage (Auth and App Check tokens) as the other platforms if the URL is not properly vetted.

Recommendation: Ensure the URL uses HTTPS and is validated against a list of trusted domains before use.

[gemini-code-assist]

The way JNI local references are managed here for the builder pattern is a bit confusing. Reusing the builder variable makes it harder to track the lifecycle of the references. Consider using a separate variable for each step of the builder chain to improve readability and maintainability.

  jobject builder = env->NewObject(
      callable_options_builder::GetClass(),
      callable_options_builder::GetMethodId(callable_options_builder::kBuilderConstructor));
  jobject builder_with_token = env->CallObjectMethod(
      builder,
      callable_options_builder::GetMethodId(callable_options_builder::kSetLimitedUseAppCheckTokens),
      options.limited_use_app_check_token);
  jobject java_options = env->CallObjectMethod(
      builder_with_token,
      callable_options_builder::GetMethodId(callable_options_builder::kBuild));
  env->DeleteLocalRef(builder);
  env->DeleteLocalRef(builder_with_token);

[gemini-code-assist]

Similar to the comment above, the JNI local reference management for the builder pattern here is a bit confusing. Using separate variables for each step of the builder chain would improve readability.

  jobject builder = env->NewObject(
      callable_options_builder::GetClass(),
      callable_options_builder::GetMethodId(callable_options_builder::kBuilderConstructor));
  jobject builder_with_token = env->CallObjectMethod(
      builder,
      callable_options_builder::GetMethodId(callable_options_builder::kSetLimitedUseAppCheckTokens),
      options.limited_use_app_check_token);
  jobject java_options = env->CallObjectMethod(
      builder_with_token,
      callable_options_builder::GetMethodId(callable_options_builder::kBuild));
  env->DeleteLocalRef(builder);
  env->DeleteLocalRef(builder_with_token);