firebase-php/src/AppCheck/ApiClient.php at b3b679e639cd77d0c2d1b7471296f758a344c219 · beste/firebase-php · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
<?php

declare(strict_types=1);

namespace Kreait\Firebase\AppCheck;

use Beste\Json;
use GuzzleHttp\ClientInterface;
use Kreait\Firebase\Exception\AppCheck\AppCheckError;
use Kreait\Firebase\Exception\AppCheckApiExceptionConverter;
use Kreait\Firebase\Exception\AppCheckException;
use Psr\Http\Message\ResponseInterface;
use SensitiveParameter;
use Throwable;
use function is_bool;

/**
 * @internal
 *
 * @phpstan-import-type AppCheckTokenShape from AppCheckToken
 */
final readonly class ApiClient
{
    public function __construct(
        private ClientInterface $client,
        private AppCheckApiExceptionConverter $errorHandler,
    ) {
    }

    /**
     * @throws AppCheckException
     *
     * @return AppCheckTokenShape
     */
    public function exchangeCustomToken(string $appId, string $customToken): array
    {
        $response = $this->post('apps/'.$appId.':exchangeCustomToken', [
            'headers' => [
                'Content-Type' => 'application/json; UTF-8',
            ],
            'body' => Json::encode([
                'customToken' => $customToken,
            ]),
        ]);

        /** @var AppCheckTokenShape $decoded */
        $decoded = Json::decode((string) $response->getBody(), true);

        return $decoded;
    }

    /**
     * @param non-empty-string $projectId
     *
     * @throws AppCheckException
     */
    public function verifyReplayProtection(#[SensitiveParameter] string $token, string $projectId): bool
    {
        $response = $this->post(
            'https://firebaseappcheck.googleapis.com/v1beta/projects/'.$projectId.':verifyAppCheckToken',
            [
                'headers' => [
                    'Content-Type' => 'application/json; UTF-8',
                ],
                'body' => Json::encode([
                    'app_check_token' => $token,
                ]),
            ],
        );

        /** @var array{alreadyConsumed?: mixed} $decoded */
        $decoded = Json::decode((string) $response->getBody(), true);

        $alreadyConsumed = $decoded['alreadyConsumed'] ?? false;

        if (!is_bool($alreadyConsumed)) {
            throw new AppCheckError('The App Check API returned an invalid "alreadyConsumed" value.');
        }

        return $alreadyConsumed;
    }

    /**
     * @param non-empty-string $path
     * @param array<string, mixed>|null $options
     * @throws AppCheckException
     */
    private function post(string $path, ?array $options = null): ResponseInterface
    {
        $options ??= [];

        try {
            return $this->client->request('POST', $path, $options);
        } catch (Throwable $e) {
            throw $this->errorHandler->convertException($e);
        }
    }
}