feat(auth): Add auth emulator support via the FIREBASE_AUTH_EMULATOR_HOST environment variable.#531
Conversation
cc @brianrodri who may be interested in this. |
@yuchenshi At the time I started work on this I thought the Google people were going to rework how those are handled. Now that the firebase CLI is supposed to work OK with session cookies, I'll try to include it in integration tests (which I'd held off on) and see what else needs to be fixed here. |
I really appreciate it. firebase/firebase-admin-node#1148 has some integration tests that you can draw inspiration from and it shows the desired behavior for verifying ID tokens. |
There was a problem hiding this comment.
Thanks for the PR @muru. Looks mostly good. I've pointed out a few things that can be improved.
hiranya911 changed the title 
keramblock commented Feb 24, 2021
@muru sorry for disturbance, but could you please take a look? I really wait for that MR =) |
muruforce-pushed the add-auth-emulator-support branch 2 times, most recently from 26132bc to 0586230Compare@keramblock thanks for the nudge. I have fixed the issues noted by @hiranya911 , but haven't gotten the integration tests to work. I'll try those again over the weekend. |
muruforce-pushed the add-auth-emulator-support branch 8 times, most recently from d5020ef to 0720435Compare
@muru the last set of commits have broken the CI. I'd recommend reverting the breaking commits, and doing the bare minimal necessary to address the earlier code review feedback. Any other new capabilities (e.g. emulator based testing), can be implemented in separate future PRs. |
@hiranya911 porting the token verification code from firebase/firebase-admin-node#1148 breaks a few unit tests. Since that should probably be included with this PR, would it be fine if I marked those tests for skipping when tested with the emulator? And while I am it, I could do the same for integration tests too. |
Ideally we shouldn't have to skip any unit tests. We can live without emulator-based integration tests for now (that work is on hold in Node.js at firebase/firebase-admin-node#1155 due to some problems). |
muruforce-pushed the add-auth-emulator-support branch 3 times, most recently from 17e28e6 to 14d1c01Compare@hiranya911 what you say is correct, but shouldn't matter here, since emulation is set in the second/final iteration (https://github.com/firebase/firebase-admin-python/pull/531/files#diff-81622636c5d10b6ab40396c608887473086a43b94621195117193ab81a4b5cdaR166 - These tests broke due to the changes made to token validation to fit the emulator (aacd27f) - they were supposed to raise an exception but didn't. Note that all tests ran perfectly fine before that. |
I'm debugging the tests in your branch and I can clearly see that tests that shouldn't be running in the emulator mode, picking up the emulator mode from another fixture. The test case Basically we can no longer reason about when a test case may or may not see the env variable, since other fixtures may be running in the background, waiting to be cleaned up at the end of the module. |
Ah, I hadn't noticed that, thanks! I'll look into how that can be fixed - maybe have an existing value of the environment variable override the fixture parameters. |
I think the easiest solution would be to change the fixture scope to |
With function-scoped fixtures (plus a few other minor modifications), these are all the remaining test failures: It's unfortunate our implementation doesn't handle expired emulated tokens correctly (this is because we bypass the JWT verification step entirely for emulated tokens). But this might be ok. I'm fine with skipping the above tests if we must. |
muruforce-pushed the add-auth-emulator-support branch 3 times, most recently from b7601f6 to b779263Compare@hiranya911 I removed the integration test and modified the fixtures to use the Also, I opted against using a module-level variable for |
There was a problem hiding this comment.
Thanks for making the changes @muru. I think this looks pretty reasonable. I've left some comments on how to further clean up and reduce some of the code duplication.
muruforce-pushed the add-auth-emulator-support branch 5 times, most recently from 1d817f5 to 7183f67CompareThere was a problem hiding this comment.
Thanks @muru. This looks great! I only had a few minor comments, and we can merge once those are addressed.
To minimize modification of tests, the app fixture and instrumentation have been modified to use a global dict of URLs, which are then monkey-patched based on fixture parameters. Essentially, all tests using the app fixture are run twice, once with the emulated endpoint and once without.
muruforce-pushed the add-auth-emulator-support branch from 7183f67 to ba9196fCompareWhere possible, tests are modified to account for the current behaviour in emulator mode (e.g., invalid or expired tokens or cookies still work). Fixtures were changed to function scope to avoid problems caused by overlap when some fixtures being in emulator mode and some in normal mode concurrently.
muruforce-pushed the add-auth-emulator-support branch from ba9196f to 1e65c84CompareThere was a problem hiding this comment.
Thanks @muru for patiently working through all the comments. This LGTM 👍
Discussion
Closes#503, by adding support for the authentication emulator via the
FIREBASE_AUTH_EMULATOR_HOSTenvironment variable.Additionally, I added a change that shouldn't break anything, but does make the SDK work better with the emulator, fixing the equivalent of firebase/firebase-admin-node#1084. I ran into this while testing these changes in a project, and I feel it should be part of "supporting" the emulator, but I am open to putting it in a separate PR if it doesn't belong.
Testing
API Changes
None, except insofar that the
FIREBASE_AUTH_EMULATOR_HOSTenvironment variable becomes part of the API.