Migrating Auth API to the new Identity Toolkit endpoint

hardikns · hardikns · commit 056c3e24ea48 · 2019-02-05T00:24:50.000+05:30
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # Unreleased
 
--
+- [added] Migrated the `FirebaseAuth` user management API to the
+  new Identity Toolkit endpoint.
 
 # v2.15.1
 
diff --git a/firebase_admin/_user_mgt.py b/firebase_admin/_user_mgt.py
@@ -394,7 +394,7 @@ def get_user(self, **kwargs):
             raise TypeError('Unsupported keyword arguments: {0}.'.format(kwargs))
 
         try:
-            response = self._client.body('post', 'getAccountInfo', json=payload)
+            response = self._client.body('post', '/accounts:lookup', json=payload)
         except requests.exceptions.RequestException as error:
             msg = 'Failed to get user by {0}: {1}.'.format(key_type, key)
             self._handle_http_error(INTERNAL_ERROR, msg, error)
@@ -421,7 +421,7 @@ def list_users(self, page_token=None, max_results=MAX_LIST_USERS_RESULTS):
         if page_token:
             payload['nextPageToken'] = page_token
         try:
-            return self._client.body('post', 'downloadAccount', json=payload)
+            return self._client.body('get', '/accounts:batchGet', json=payload)
         except requests.exceptions.RequestException as error:
             self._handle_http_error(USER_DOWNLOAD_ERROR, 'Failed to download user accounts.', error)
 
@@ -440,7 +440,7 @@ def create_user(self, uid=None, display_name=None, email=None, phone_number=None
         }
         payload = {k: v for k, v in payload.items() if v is not None}
         try:
-            response = self._client.body('post', 'signupNewUser', json=payload)
+            response = self._client.body('post', '/accounts', json=payload)
         except requests.exceptions.RequestException as error:
             self._handle_http_error(USER_CREATE_ERROR, 'Failed to create new user.', error)
         else:
@@ -490,7 +490,7 @@ def update_user(self, uid, display_name=_UNSPECIFIED, email=None, phone_number=_
 
         payload = {k: v for k, v in payload.items() if v is not None}
         try:
-            response = self._client.body('post', 'setAccountInfo', json=payload)
+            response = self._client.body('post', '/accounts:update', json=payload)
         except requests.exceptions.RequestException as error:
             self._handle_http_error(
                 USER_UPDATE_ERROR, 'Failed to update user: {0}.'.format(uid), error)
@@ -503,7 +503,7 @@ def delete_user(self, uid):
         """Deletes the user identified by the specified user ID."""
         _auth_utils.validate_uid(uid, required=True)
         try:
-            response = self._client.body('post', 'deleteAccount', json={'localId' : uid})
+            response = self._client.body('post', '/accounts:delete', json={'localId' : uid})
         except requests.exceptions.RequestException as error:
             self._handle_http_error(
                 USER_DELETE_ERROR, 'Failed to delete user: {0}.'.format(uid), error)
@@ -529,7 +529,7 @@ def import_users(self, users, hash_alg=None):
                 raise ValueError('A UserImportHash is required to import users with passwords.')
             payload.update(hash_alg.to_dict())
         try:
-            response = self._client.body('post', 'uploadAccount', json=payload)
+            response = self._client.body('post', '/accounts:batchCreate', json=payload)
         except requests.exceptions.RequestException as error:
             self._handle_http_error(USER_IMPORT_ERROR, 'Failed to import users.', error)
         else:
diff --git a/firebase_admin/auth.py b/firebase_admin/auth.py
@@ -466,13 +466,19 @@ def __init__(self, code, message, error=None):
 class _AuthService(object):
     """Firebase Authentication service."""
 
-    ID_TOOLKIT_URL = 'https://www.googleapis.com/identitytoolkit/v3/relyingparty/'
+    ID_TOOLKIT_URL = 'https://identitytoolkit.googleapis.com/v1/projects/'
 
     def __init__(self, app):
         credential = app.credential.get_credential()
         version_header = 'Python/Admin/{0}'.format(firebase_admin.__version__)
+
+        if not app.project_id:
+            raise ValueError("Project ID is required to access the auth service. Use a service account credential or "
+            + "set the project ID explicitly via FirebaseOptions. Alternatively you can also "
+            + "set the project ID via the GOOGLE_CLOUD_PROJECT environment variable.")
+
         client = _http_client.JsonHttpClient(
-            credential=credential, base_url=self.ID_TOOLKIT_URL,
+            credential=credential, base_url=self.ID_TOOLKIT_URL + app.project_id,
             headers={'X-Client-Version': version_header})
         self._token_generator = _token_gen.TokenGenerator(app, client)
         self._token_verifier = _token_gen.TokenVerifier(app)
diff --git a/tests/test_token_gen.py b/tests/test_token_gen.py
@@ -199,7 +199,7 @@ def test_noncert_credential(self, user_mgt_app):
             auth.create_custom_token(MOCK_UID, app=user_mgt_app)
 
     def test_sign_with_iam(self):
-        options = {'serviceAccountId': 'test-service-account'}
+        options = {'serviceAccountId': 'test-service-account', 'projectId': 'mock-project-id'}
         app = firebase_admin.initialize_app(
             testutils.MockCredential(), name='iam-signer-app', options=options)
         try:
@@ -213,7 +213,7 @@ def test_sign_with_iam(self):
             firebase_admin.delete_app(app)
 
     def test_sign_with_iam_error(self):
-        options = {'serviceAccountId': 'test-service-account'}
+        options = {'serviceAccountId': 'test-service-account', 'projectId': 'mock-project-id'}
         app = firebase_admin.initialize_app(
             testutils.MockCredential(), name='iam-signer-app', options=options)
         try:
@@ -228,7 +228,9 @@ def test_sign_with_iam_error(self):
 
     def test_sign_with_discovered_service_account(self):
         request = testutils.MockRequest(200, 'discovered-service-account')
-        app = firebase_admin.initialize_app(testutils.MockCredential(), name='iam-signer-app')
+        options = {'projectId': 'mock-project-id'}
+        app = firebase_admin.initialize_app(testutils.MockCredential(), name='iam-signer-app',
+                                            options=options)
         try:
             _overwrite_iam_request(app, request)
             # Force initialization of the signing provider. This will invoke the Metadata service.
@@ -248,7 +250,9 @@ def test_sign_with_discovered_service_account(self):
 
     def test_sign_with_discovery_failure(self):
         request = testutils.MockFailedRequest(Exception('test error'))
-        app = firebase_admin.initialize_app(testutils.MockCredential(), name='iam-signer-app')
+        options = {'projectId': 'mock-project-id'}
+        app = firebase_admin.initialize_app(testutils.MockCredential(), name='iam-signer-app',
+                                            options=options)
         try:
             _overwrite_iam_request(app, request)
             with pytest.raises(ValueError) as excinfo:
@@ -409,12 +413,6 @@ def test_project_id_env_var(self, env_var_app):
         claims = auth.verify_id_token(TEST_ID_TOKEN, env_var_app)
         assert claims['admin'] is True
 
-    @pytest.mark.parametrize('env_var_app', [{}], indirect=True)
-    def test_no_project_id(self, env_var_app):
-        _overwrite_cert_request(env_var_app, MOCK_REQUEST)
-        with pytest.raises(ValueError):
-            auth.verify_id_token(TEST_ID_TOKEN, env_var_app)
-
     def test_custom_token(self, auth_app):
         id_token = auth.create_custom_token(MOCK_UID, app=auth_app)
         _overwrite_cert_request(auth_app, MOCK_REQUEST)
@@ -515,12 +513,6 @@ def test_project_id_env_var(self, env_var_app):
         claims = auth.verify_session_cookie(TEST_SESSION_COOKIE, app=env_var_app)
         assert claims['admin'] is True
 
-    @pytest.mark.parametrize('env_var_app', [{}], indirect=True)
-    def test_no_project_id(self, env_var_app):
-        _overwrite_cert_request(env_var_app, MOCK_REQUEST)
-        with pytest.raises(ValueError):
-            auth.verify_session_cookie(TEST_SESSION_COOKIE, app=env_var_app)
-
     def test_custom_token(self, auth_app):
         custom_token = auth.create_custom_token(MOCK_UID, app=auth_app)
         _overwrite_cert_request(auth_app, MOCK_REQUEST)
diff --git a/tests/test_user_mgt.py b/tests/test_user_mgt.py
@@ -87,6 +87,14 @@ def _check_user_record(user, expected_uid='testuser'):
     assert provider.provider_id == 'phone'
 
 
+class TestAuthServiceInitialization(object):
+
+    def test_fail_on_no_project_id(self):
+        app = firebase_admin.initialize_app(testutils.MockCredential(), name='userMgt2')
+        with pytest.raises(ValueError):
+            auth._get_auth_service(app)
+        firebase_admin.delete_app(app)
+
 class TestUserRecord(object):
 
     # Input dict must be non-empty, and must not contain unsupported keys.
