feat(appcheck): Add consumable token verification support #921


Open. lahirumaramba wants to merge 5 commits into main from lm-appcheck-consume-tokens

Conversation

@lahirumaramba (Member):

This PR adds support for App Check token consumption (replay protection) to the app_check.verify_token() API

lahirumaramba added the release-note and release:stage (Stage a release candidate) labels on Nov 28, 2025
@gemini-code-assist (bot):

Summary of Changes

Hello @lahirumaramba, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant security enhancement to the Firebase Admin SDK's App Check functionality. It allows developers to enable replay protection for App Check tokens by providing a new consume option in the verify_token API. This ensures that tokens, once verified, can be marked as consumed on the backend, preventing malicious actors from reusing them in subsequent requests and bolstering the integrity of client-server interactions.

Highlights

  • App Check Token Consumption: The app_check.verify_token() API now supports an optional consume parameter to enable replay protection for App Check tokens.
  • HTTP Client Integration: An internal HTTP client (_http_client.JsonHttpClient) has been integrated into the _AppCheckService to facilitate communication with the App Check backend for token consumption.
  • Replay Protection Logic: A new private method, _verify_replay_protection, was added to handle the API call to the App Check backend to check and consume tokens, returning an alreadyConsumed status.
  • Claims Augmentation: When consume is set to True, the verified token claims will now include an already_consumed boolean field indicating if the token was previously used.

@gemini-code-assist (bot) left a comment:

Code Review

This PR adds support for App Check token consumption. The changes look good, but there are a few important issues to address. The new network call to verify token consumption has an incorrectly constructed URL and lacks error handling for network failures, which could lead to runtime crashes. I've also suggested a minor refactoring for maintainability and an additional test case for robustness. Please see the detailed comments.

@lahirumaramba (Member, Author) commented on Nov 28, 2025 (edited):

@gemini-code-assist review

@gemini-code-assist (bot) left a comment:

Code Review

This pull request adds support for App Check token consumption for replay protection by introducing a consume flag to the verify_token API. The implementation is straightforward and includes relevant unit tests for the success and network error paths. My main feedback is to improve the error handling in the new _verify_replay_protection method to gracefully handle malformed or unexpected responses from the App Check service, which could otherwise lead to unhandled exceptions. I've also suggested adding test cases to cover these scenarios.

@lahirumaramba (Member, Author):

@gemini-code-assist review

@gemini-code-assist (bot) left a comment:

Code Review

This pull request adds support for App Check token consumption, which provides replay protection. The changes introduce a consume flag to the verify_token API. When set to True, it makes an additional backend call to verify the token's consumption status and mark it as consumed. The implementation is clean, with good error handling for the new network call. The accompanying tests are thorough, covering the happy path and various error scenarios like network issues and malformed responses. I have one suggestion to refactor the new tests to reduce code duplication.

@lahirumaramba (Member, Author):

@gemini-code-assist review

@gemini-code-assist (bot) left a comment:

Code Review

This pull request introduces support for App Check token consumption, which is a valuable feature for replay protection. The implementation is clean and follows the existing patterns in the codebase. The addition of a new consume parameter to verify_token is backwards-compatible. The changes are well-tested, with new unit tests covering success, network error, and malformed response scenarios. I have one minor suggestion to improve the robustness of parsing the API response.

        raise exceptions.UnknownError(
            'Unexpected response from App Check service. '
            f'Expected a JSON object, but got {type(response).__name__}.')
    return response.get('alreadyConsumed', False)

Review comment (medium):

The current implementation response.get('alreadyConsumed', False) is not fully robust. If the alreadyConsumed key is present in the API response but its value is not a boolean (e.g., None), this function would return that non-boolean value. This could lead to unexpected behavior for consumers of verify_token.

To ensure this function always returns a boolean, it's safer to explicitly check for the value being True.

Suggested change
- return response.get('alreadyConsumed', False)
+ return response.get('alreadyConsumed') is True

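The flow the PR describes (verify the token locally, then, when consume is requested, ask the App Check backend whether the token was already consumed and surface that as an already_consumed claim) and the reviewer's point about parsing the backend's alreadyConsumed field can be seen end to end in the following added example. It is not code from firebase-admin-python or from this PR: the toy HMAC-signed token format, mint_token, FakeAppCheckBackend, InvalidToken, the stand-in UnknownError and the verify_token/handle_request functions here are all constructed for illustration; a real App Check token is a signed JWT the SDK verifies against Google's keys, and the real consumption call goes over HTTP. The example runs offline and shows the order of operations a practitioner should care about: no backend call is made for a token that fails signature or expiry checks, a non-object response is rejected rather than silently treated as "not consumed", a present-but-non-boolean alreadyConsumed value is not leaked through as the return value, and the second presentation of the same token is refused.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Set


class UnknownError(Exception):
    """Stand-in for firebase_admin.exceptions.UnknownError (not the SDK's class)."""


class InvalidToken(Exception):
    """Raised when local verification (format, signature, expiry) fails."""


# Constructed toy key: the example tokens are HMAC-SHA256 over a base64url JSON
# payload. This only gives the example a genuine verify step before any
# consumption call; it is not the App Check token format.
_TOY_KEY = b"example-key-not-a-real-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: Dict[str, Any]) -> str:
    """Constructed helper that produces '<payload>.<signature>' test tokens."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(_TOY_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


class FakeAppCheckBackend:
    """Hypothetical in-memory stand-in for the App Check service's
    verify-and-consume call. Remembers every token it has consumed, so a
    second call with the same token reports alreadyConsumed=True."""

    def __init__(self) -> None:
        self._consumed: Set[str] = set()

    def verify_and_consume(self, token: str) -> Dict[str, Any]:
        already = token in self._consumed
        self._consumed.add(token)
        return {"alreadyConsumed": already}


def parse_already_consumed(response: Any) -> bool:
    """Apply the reviewer's suggestion: a non-object response is an error,
    and only a literal True counts as consumed, so None or other junk in the
    field can never propagate to the caller."""
    if not isinstance(response, dict):
        raise UnknownError(
            "Unexpected response from App Check service. "
            f"Expected a JSON object, but got {type(response).__name__}.")
    return response.get("alreadyConsumed") is True


def verify_token(token: str, backend: FakeAppCheckBackend,
                 consume: bool = False, now: float = None) -> Dict[str, Any]:
    """Model of the PR's verify_token(consume=...) behaviour, not the SDK's.
    Local checks come first; the backend is only contacted for a token that
    already passed them, and only when consume=True."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(_TOY_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise InvalidToken("bad signature")
        claims = json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError) as err:  # bad split, base64 or JSON
        raise InvalidToken("malformed token") from err
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise InvalidToken("expired")
    if consume:
        claims["already_consumed"] = parse_already_consumed(
            backend.verify_and_consume(token))
    return claims


def handle_request(token: str, backend: FakeAppCheckBackend) -> str:
    """What a server endpoint should do with the augmented claims: refuse a
    replayed token instead of serving the request again."""
    try:
        claims = verify_token(token, backend, consume=True)
    except InvalidToken as err:
        return f"rejected: {err}"
    if claims["already_consumed"]:
        return "rejected: App Check token replayed"
    return "accepted"


if __name__ == "__main__":
    be = FakeAppCheckBackend()
    tok = mint_token({"sub": "1:1234:android:abc", "exp": 4102444800})  # constructed
    print(handle_request(tok, be))  # accepted
    print(handle_request(tok, be))  # rejected: App Check token replayed
```

Usage note: the consume path costs one round trip to the App Check service per request, which is why the PR makes it opt-in; reserve consume=True for state-changing or otherwise sensitive endpoints and keep the default path for everything else.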
@jonathanedey (Contributor) left a comment:

LGTM, Thanks!


Reviewers: jonathanedey approved these changes; weixifan, awaiting requested review; gemini-code-assist[bot] left review comments


Assignees: jonathanedey

Labels: release:stage (Stage a release candidate), release-note

Projects: None yet

Milestone: No milestone


2 participants: @lahirumaramba, @jonathanedey
