Add replay protection feature

agbaraka · agbaraka · commit ed9b1fb9944c · 2024-09-08T15:00:36.000+03:00
diff --git a/appcheck/appcheck.go b/appcheck/appcheck.go
@@ -16,8 +16,12 @@
 package appcheck
 
 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"errors"
+	"fmt"
+	"net/http"
 	"strings"
 	"time"
 
@@ -45,6 +49,8 @@ var (
 	ErrTokenIssuer = errors.New("token has incorrect issuer")
 	// ErrTokenSubject is returned when the token subject is empty or missing.
 	ErrTokenSubject = errors.New("token has empty or missing subject")
+	// ErrTokenAlreadyConsumed is returned when the token is already consumed
+	ErrTokenAlreadyConsumed = errors.New("token already consumed")
 )
 
 // DecodedAppCheckToken represents a verified App Check token.
@@ -64,8 +70,9 @@ type DecodedAppCheckToken struct {
 
 // Client is the interface for the Firebase App Check service.
 type Client struct {
-	projectID string
-	jwks      *keyfunc.JWKS
+	projectID              string
+	jwks                   *keyfunc.JWKS
+	verifyAppCheckTokenURL string
 }
 
 // NewClient creates a new instance of the Firebase App Check Client.
@@ -83,8 +90,9 @@ func NewClient(ctx context.Context, conf *internal.AppCheckConfig) (*Client, err
 	}
 
 	return &Client{
-		projectID: conf.ProjectID,
-		jwks:      jwks,
+		projectID:              conf.ProjectID,
+		jwks:                   jwks,
+		verifyAppCheckTokenURL: fmt.Sprintf("%sv1beta/projects/%s:verifyAppCheckToken", appCheckIssuer, conf.ProjectID),
 	}, nil
 }
 
@@ -166,6 +174,38 @@ func (c *Client) VerifyToken(token string) (*DecodedAppCheckToken, error) {
 	return &appCheckToken, nil
 }
 
+func (c *Client) VerifyTokenWithReplayProtection(token string) (*DecodedAppCheckToken, error) {
+	decodedAppCheckToken, err := c.VerifyToken(token)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to verify token: %v", err)
+	}
+
+	bodyReader := bytes.NewReader([]byte(fmt.Sprintf(`{"app_check_token":%s}`, token)))
+
+	resp, err := http.Post(c.verifyAppCheckTokenURL, "application/json", bodyReader)
+
+	if err != nil {
+		return nil, err
+	}
+
+	defer resp.Body.Close()
+
+	var rb struct {
+		AlreadyConsumed bool `json:"alreadyConsumed"`
+	}
+
+	if err := json.NewDecoder(resp.Body).Decode(&rb); err != nil {
+		return nil, err
+	}
+
+	if rb.AlreadyConsumed {
+		return decodedAppCheckToken, ErrTokenAlreadyConsumed
+	}
+
+	return decodedAppCheckToken, nil
+}
+
 func contains(s []string, str string) bool {
 	for _, v := range s {
 		if v == str {
diff --git a/appcheck/appcheck_test.go b/appcheck/appcheck_test.go
@@ -17,6 +17,80 @@ import (
 	"github.com/google/go-cmp/cmp"
 )
 
+func TestVerifyTokenWithReplayProtection(t *testing.T) {
+
+	projectID := "project_id"
+
+	ts, err := setupFakeJWKS()
+	if err != nil {
+		t.Fatalf("error setting up fake JWKS server: %v", err)
+	}
+	defer ts.Close()
+
+	privateKey, err := loadPrivateKey()
+	if err != nil {
+		t.Fatalf("error loading private key: %v", err)
+	}
+
+	JWKSUrl = ts.URL
+	mockTime := time.Now()
+
+	jwtToken := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.RegisteredClaims{
+		Issuer:    appCheckIssuer,
+		Audience:  jwt.ClaimStrings([]string{"projects/" + projectID}),
+		Subject:   "12345678:app:ID",
+		ExpiresAt: jwt.NewNumericDate(mockTime.Add(time.Hour)),
+		IssuedAt:  jwt.NewNumericDate(mockTime),
+		NotBefore: jwt.NewNumericDate(mockTime.Add(-1 * time.Hour)),
+	})
+
+	// kid matches the key ID in testdata/mock.jwks.json,
+	// which is the public key matching to the private key
+	// in testdata/appcheck_pk.pem.
+	jwtToken.Header["kid"] = "FGQdnRlzAmKyKr6-Hg_kMQrBkj_H6i6ADnBQz4OI6BU"
+
+	token, err := jwtToken.SignedString(privateKey)
+
+	if err != nil {
+		t.Fatalf("failed to sign token: %v", err)
+	}
+
+	appCheckVerifyTestsTable := []struct {
+		label              string
+		mockServerResponse string
+		expectedError      error
+	}{
+		{label: "testWhenAlreadyConsumedResponseIsTrue", mockServerResponse: `{"alreadyConsumed": true}`, expectedError: ErrTokenAlreadyConsumed},
+		{label: "testWhenAlreadyConsumedResponseIsFalse", mockServerResponse: `{"alreadyConsumed": false}`, expectedError: nil},
+	}
+
+	for _, tt := range appCheckVerifyTestsTable {
+
+		t.Run(tt.label, func(t *testing.T) {
+			appCheckVerifyMockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.Write([]byte(tt.mockServerResponse))
+			}))
+
+			client, err := NewClient(context.Background(), &internal.AppCheckConfig{
+				ProjectID: projectID,
+			})
+
+			if err != nil {
+				t.Fatalf("error creating new client: %v", err)
+			}
+
+			client.verifyAppCheckTokenURL = appCheckVerifyMockServer.URL
+
+			_, err = client.VerifyTokenWithReplayProtection(token)
+
+			if !errors.Is(err, tt.expectedError) {
+				t.Errorf("failed to verify token; Expected: %v, but got: %v", tt.expectedError, err)
+			}
+		})
+
+	}
+}
+
 func TestVerifyTokenHasValidClaims(t *testing.T) {
 	ts, err := setupFakeJWKS()
 	if err != nil {
