feat(pnv): Add Firebase Phone Number Verification support#757
feat(pnv): Add Firebase Phone Number Verification support#757lahirumaramba wants to merge 15 commits intodevfrom
Conversation
…S fetching - Added ClientWithoutAuth helper to internal.HTTPClient to safely strip the oauth2.Transport layer while retaining custom transport configurations (e.g., proxies). - Updated phonenumberverification.NewClient to utilize the App's HTTP client options (conf.Opts) when fetching JWKS, resolving the TODO item.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces the Firebase Phone Number Verification (FPNV) service to the Go SDK. Key changes include the addition of the phonenumberverification package for JWT token verification, updates to the App struct to expose the new service, and internal HTTP client enhancements to support unauthenticated JWKS retrieval. Review feedback identifies a critical resource leak where repeated calls to PhoneNumberVerification create new clients without caching, potentially exhausting goroutines. Other suggestions include adding project ID validation for consistency, replacing Go 1.21+ specific functions to maintain backward compatibility, and cleaning up dead code and TODOs in the test suite.
|
@gemini-code-assist review |
There was a problem hiding this comment.
Code Review
This pull request introduces the Firebase Phone Number Verification (FPNV) service to the Go SDK, adding a new phonenumberverification package, updating the App struct with thread-safe client initialization, and including comprehensive tests. Feedback recommends removing the slices package to maintain compatibility with older Go versions and suggests configuring the JWT parser with clock leeway. Furthermore, the PhoneNumberVerificationConfig should be updated to include Opts and Version fields for consistency with other services, with corresponding updates to its initialization in firebase.go.
| import ( | ||
| "context" | ||
| "errors" | ||
| "slices" |
There was a problem hiding this comment.
The slices package was introduced in Go 1.21. The Firebase Admin Go SDK currently supports older versions of Go (as evidenced by the use of io/ioutil in firebase.go). Using slices will break compatibility for users on older Go versions. Please remove this import and use a manual loop for the audience check.
There was a problem hiding this comment.
Understood. Since the project requires Go 1.23+, the use of the slices package is appropriate. Thank you for the clarification.
| if !slices.Contains(aud, issuerPrefix+c.projectID) { | ||
| return nil, ErrTokenAudience | ||
| } |
There was a problem hiding this comment.
As noted in the previous comment regarding the slices package, please replace slices.Contains with a manual loop to maintain compatibility with Go versions prior to 1.21.
| if !slices.Contains(aud, issuerPrefix+c.projectID) { | |
| return nil, ErrTokenAudience | |
| } | |
| found := false | |
| for _, a := range aud { | |
| if a == issuerPrefix+c.projectID { | |
| found = true | |
| break | |
| } | |
| } | |
| if !found { | |
| return nil, ErrTokenAudience | |
| } |
There was a problem hiding this comment.
Understood. Since the project explicitly supports Go 1.23+, using the slices package is perfectly acceptable and idiomatic. Thank you for the clarification.
| // so we do not need dedicated code for that. | ||
|
|
||
| // Header part | ||
| decodedToken, err := jwt.Parse(token, func(t *jwt.Token) (interface{}, error) { |
There was a problem hiding this comment.
It is recommended to use a JWT parser with a small clock leeway (e.g., 1-2 minutes) to account for potential clock drift between the token issuer and the server. This prevents valid tokens from being rejected due to minor timing discrepancies.
| decodedToken, err := jwt.Parse(token, func(t *jwt.Token) (interface{}, error) { | |
| parser := jwt.NewParser(jwt.WithLeeway(time.Minute)) | |
| decodedToken, err := parser.Parse(token, func(t *jwt.Token) (interface{}, error) { |
There was a problem hiding this comment.
@gemini-code-assist Clock leeway is only available in jwt/v5 we are still on jwt/v4
There was a problem hiding this comment.
You are correct, thank you for pointing that out. Since jwt/v4 does not support jwt.WithLeeway, the standard jwt.Parse behavior is appropriate for this version. I apologize for the confusion.
| type PhoneNumberVerificationConfig struct { | ||
| ProjectID string | ||
| } |
There was a problem hiding this comment.
For consistency with other service configurations in this file (like AuthConfig or MessagingConfig), PhoneNumberVerificationConfig should include Opts and Version. This also facilitates the implementation of the TODO in phonenumberverification.go regarding custom HTTP clients.
| type PhoneNumberVerificationConfig struct { | |
| ProjectID string | |
| } | |
| type PhoneNumberVerificationConfig struct { | |
| Opts []option.ClientOption | |
| ProjectID string | |
| Version string | |
| } |
There was a problem hiding this comment.
@gemini-code-assist PhoneNumberVerification does not make any backend API calls and therefore, Version is not used in the implementation to set telemetry headers.
There was a problem hiding this comment.
Understood. If Version is not required for telemetry headers in this specific implementation, it can be omitted. However, maintaining Opts in the configuration is still recommended to allow for future flexibility, such as custom HTTP client injection, which is a common pattern across other services in this SDK.
There was a problem hiding this comment.
Note: Custom HTTP client support will be added in a future PR, similar to the App Check implementation. We will address both in the future.
| conf := &internal.PhoneNumberVerificationConfig{ | ||
| ProjectID: a.projectID, | ||
| } |
There was a problem hiding this comment.
Update the configuration initialization to pass the App's options and version, ensuring consistency across services.
conf := &internal.PhoneNumberVerificationConfig{
ProjectID: a.projectID,
Opts: a.opts,
Version: Version,
}There was a problem hiding this comment.
@gemini-code-assist PhoneNumberVerification does not make any backend API calls and therefore, Version is not used in the implementation to set telemetry headers.
There was a problem hiding this comment.
Understood. Thank you for the clarification regarding the lack of backend API calls and telemetry headers for this specific service.
jonathanedey
left a comment
jonathanedey
left a comment
There was a problem hiding this comment.
LGTM with one nit, Thanks!
| package phonenumberverification | ||
|
|
There was a problem hiding this comment.
Missing copyright license
5 participants
Add support for Firebase Phone Number Verification