fix: Throw error on user disabled and check revoked set true

firebase · xil222 · Aug 16, 2021 · Aug 4, 2021 · Aug 5, 2021 · Aug 10, 2021
commit c5dbbb5394ab6959fd56f7c24957eeeb8d987d6f
diff --git a/src/auth/auth.ts b/src/auth/auth.ts
@@ -105,10 +105,13 @@ export class BaseAuth<T extends AbstractAuthRequestHandler> implements BaseAuthI
 
   /**
    * Verifies a JWT auth token. Returns a Promise with the tokens claims. Rejects
-   * the promise if the token could not be verified. If checkRevoked is set to true,
-   * verifies if the session corresponding to the ID token was revoked. If the corresponding
-   * user's session was invalidated, an auth/id-token-revoked error is thrown. If not specified
-   * the check is not applied.
+   * the promise if the token could not be verified.
+   * If checkRevoked is set to true, first verifies whether the corresponding userinfo.disabled
+   * is true:
+   * If yes, an auth/user-disabled error is thrown.
+   * If no, verifies if the session corresponding to the ID token was revoked.
+   * If the corresponding user's session was invalidated, an auth/id-token-revoked error is thrown.
+   * If not specified the check is not applied.
    *
    * @param {string} idToken The JWT to verify.
    * @param {boolean=} checkRevoked Whether to check if the ID token is revoked.
@@ -121,6 +124,20 @@ export class BaseAuth<T extends AbstractAuthRequestHandler> implements BaseAuthI
       .then((decodedIdToken: DecodedIdToken) => {
         // Whether to check if the token was revoked.
         if (checkRevoked || isEmulator) {
+          // Whether user has been disabled.
+          if (checkRevoked) {
+            const uid = decodedIdToken.uid;
+            return this.getUser(uid)
+              .then((userInfo: UserRecord) => {
+                if (userInfo.disabled) {
+                  throw new FirebaseAuthError(
+                    AuthClientErrorCode.USER_DISABLED, 'The user account has been disabled by an administrator');
+                } 
+                return this.verifyDecodedJWTNotRevoked(
+                  decodedIdToken,
+                  AuthClientErrorCode.ID_TOKEN_REVOKED);
+              });
+          }
           return this.verifyDecodedJWTNotRevoked(
             decodedIdToken,
             AuthClientErrorCode.ID_TOKEN_REVOKED);
@@ -507,10 +524,14 @@ export class BaseAuth<T extends AbstractAuthRequestHandler> implements BaseAuthI
 
   /**
    * Verifies a Firebase session cookie. Returns a Promise with the tokens claims. Rejects
-   * the promise if the token could not be verified. If checkRevoked is set to true,
-   * verifies if the session corresponding to the session cookie was revoked. If the corresponding
-   * user's session was invalidated, an auth/session-cookie-revoked error is thrown. If not
-   * specified the check is not performed.
+   * the promise if the token could not be verified. 
+   * If checkRevoked is set to true, first verifies whether the corresponding userinfo.disabled
+   * is true:
+   * If yes, an auth/user-disabled error is thrown.
+   * If no, verifies if the session corresponding to the ID token was revoked.
+   * If the corresponding user's session was invalidated, an auth/session-cookie-revoked error
+   * is thrown.
+   * If not specified the check is not performed.
    *
    * @param {string} sessionCookie The session cookie to verify.
    * @param {boolean=} checkRevoked Whether to check if the session cookie is revoked.
@@ -524,6 +545,20 @@ export class BaseAuth<T extends AbstractAuthRequestHandler> implements BaseAuthI
       .then((decodedIdToken: DecodedIdToken) => {
         // Whether to check if the token was revoked.
         if (checkRevoked || isEmulator) {
+          // Whether user has been disabled.
+          if (checkRevoked) {
+            const uid = decodedIdToken.uid;
+            return this.getUser(uid)
+              .then((userInfo: UserRecord) => {
+                if (userInfo.disabled) {
+                  throw new FirebaseAuthError(
+                    AuthClientErrorCode.USER_DISABLED, 'The user account has been disabled by an administrator');
+                } 
+                return this.verifyDecodedJWTNotRevoked(
+                  decodedIdToken,
+                  AuthClientErrorCode.SESSION_COOKIE_REVOKED);
+              });
+          }          
           return this.verifyDecodedJWTNotRevoked(
             decodedIdToken,
             AuthClientErrorCode.SESSION_COOKIE_REVOKED);

diff --git a/src/utils/error.ts b/src/utils/error.ts
@@ -721,6 +721,10 @@ export class AuthClientErrorCode {
     code: 'not-found',
     message: 'The requested resource was not found.',
   };
+  public static USER_DISABLED = {
+    code: 'user-disabled',
+    message: 'The user account has been disabled by an administrator.',
+  }
   public static USER_NOT_DISABLED = {
     code: 'user-not-disabled',
     message: 'The user must be disabled in order to bulk delete it (or you must pass force=true).',

diff --git a/test/integration/auth.spec.ts b/test/integration/auth.spec.ts
@@ -833,53 +833,120 @@ describe('admin.auth', () => {
       });
   });
 
-  it('verifyIdToken() fails when called with an invalid token', () => {
-    return admin.auth().verifyIdToken('invalid-token')
-      .should.eventually.be.rejected.and.have.property('code', 'auth/argument-error');
-  });
+  describe('verifyIdToken()', () => {
+    const uid = generateRandomString(20).toLowerCase();
+    const email = uid + '@example.com';
+    const password = 'password';
+    const userData = {
+      uid,
+      email,
+      emailVerified: false,
+      password,
+    };
+
+    // Create the test user before running this suite of tests.
+    before(() => {
+      return admin.auth().createUser(userData);
+    });
+
+    // Sign out after each test.
+    afterEach(() => {
+      return clientAuth().signOut();
+    });
+
+    after(() => {
+      return safeDelete(uid);
+    });
 
-  if (authEmulatorHost) {
-    describe('Auth emulator support', () => {
-      const uid = 'authEmulatorUser';
-      before(() => {
-        return admin.auth().createUser({
-          uid,
-          email: '[email protected]',
-          password: 'p4ssword',
+    it('verifyIdToken() fails when called with an invalid token', () => {
+      return admin.auth().verifyIdToken('invalid-token')
+        .should.eventually.be.rejected.and.have.property('code', 'auth/argument-error');
+    });
+
+    it('verifyIdToken() fails with checkRevoked set to true and corresponding user disabled', () => {
+      let currentIdToken: string;
+      return clientAuth().signInWithEmailAndPassword(email, password)
+        .then((result) => {
+          expect(result.user).to.exist;
+          expect(result.user!.email).to.equal(email);
+          return result.user!.getIdToken()
+        })
+        .then((idToken) => {
+          currentIdToken = idToken;
+          return admin.auth().verifyIdToken(currentIdToken, true)
+        })
+        .then((decodedIdToken) => {
+          expect(decodedIdToken.uid).to.equal(uid);
+          expect(decodedIdToken.email).to.equal(email);
+          return admin.auth().updateUser(uid, { disabled: true })
+        })
+        .then((userRecord) => {
+          // Ensure disabled field has been updated.
+          expect(userRecord.uid).to.equal(uid);
+          expect(userRecord.email).to.equal(email);
+          expect(userRecord.disabled).to.equal(true);
+          return clientAuth().signInWithEmailAndPassword(email, password)
+        })
+        .then((result) => {
+          expect(result.user).to.exist;
+          expect(result.user!.email).to.equal(email);
+          return result.user!.getIdToken()
+        })
+        .then((idToken) => {
+          // Ensure idToken is the same before verifying.
+          expect(currentIdToken).to.equal(idToken);
+          return admin.auth().verifyIdToken(idToken, true)
+        })
+        .then(() => {
+          throw new Error('Unexpected success');
+        }, (error) => {
+          expect(error).to.have.property('code', 'auth/user-disabled');
         });
-      });
-      after(() => {
-        return admin.auth().deleteUser(uid);
-      });
+    });
 
-      it('verifyIdToken() succeeds when called with an unsigned token', () => {
-        const unsignedToken = mocks.generateIdToken({
-          algorithm: 'none',
-          audience: projectId,
-          issuer: 'https://securetoken.google.com/' + projectId,
-          subject: uid,
+    if (authEmulatorHost) {
+      describe('Auth emulator support', () => {
+        const uid = 'authEmulatorUser';
+        before(() => {
+          return admin.auth().createUser({
+            uid,
+            email: '[email protected]',
+            password: 'p4ssword',
+          });
+        });
+        after(() => {
+          return admin.auth().deleteUser(uid);
         });
-        return admin.auth().verifyIdToken(unsignedToken);
-      });
 
-      it('verifyIdToken() fails when called with a token with wrong project', () => {
-        const unsignedToken = mocks.generateIdToken({ algorithm: 'none', audience: 'nosuch' });
-        return admin.auth().verifyIdToken(unsignedToken)
-          .should.eventually.be.rejected.and.have.property('code', 'auth/argument-error');
-      });
+        it('verifyIdToken() succeeds when called with an unsigned token', () => {
+          const unsignedToken = mocks.generateIdToken({
+            algorithm: 'none',
+            audience: projectId,
+            issuer: 'https://securetoken.google.com/' + projectId,
+            subject: uid,
+          });
+          return admin.auth().verifyIdToken(unsignedToken);
+        });
 
-      it('verifyIdToken() fails when called with a token that does not belong to a user', () => {
-        const unsignedToken = mocks.generateIdToken({
-          algorithm: 'none',
-          audience: projectId,
-          issuer: 'https://securetoken.google.com/' + projectId,
-          subject: 'nosuch',
+        it('verifyIdToken() fails when called with a token with wrong project', () => {
+          const unsignedToken = mocks.generateIdToken({ algorithm: 'none', audience: 'nosuch' });
+          return admin.auth().verifyIdToken(unsignedToken)
+            .should.eventually.be.rejected.and.have.property('code', 'auth/argument-error');
+        });
+
+        it('verifyIdToken() fails when called with a token that does not belong to a user', () => {
+          const unsignedToken = mocks.generateIdToken({
+            algorithm: 'none',
+            audience: projectId,
+            issuer: 'https://securetoken.google.com/' + projectId,
+            subject: 'nosuch',
+          });
+          return admin.auth().verifyIdToken(unsignedToken)
+            .should.eventually.be.rejected.and.have.property('code', 'auth/user-not-found');
         });
-        return admin.auth().verifyIdToken(unsignedToken)
-          .should.eventually.be.rejected.and.have.property('code', 'auth/user-not-found');
       });
-    });
-  }
+    }
+  });
 
   describe('Link operations', () => {
     const uid = generateRandomString(20).toLowerCase();
@@ -1982,6 +2049,50 @@ describe('admin.auth', () => {
             .should.eventually.be.rejected.and.have.property('code', 'auth/argument-error');
         });
     });
+
+    it('fails with checkRevoked set to true and corresponding user disabled', () => {
+      const expiresIn = 24 * 60 * 60 * 1000;
+      let currentIdToken: string;
+      let currentCustomToken: string;
+      let currentSessioncookie: string;
+      return admin.auth().createCustomToken(uid, { admin: true, groupId: '1234' })
+        .then((customToken) => {
+          currentCustomToken = customToken;
+          return clientAuth().signInWithCustomToken(customToken)
+        })
+        .then(({ user }) => {
+          expect(user).to.exist;
+          return user!.getIdToken();
+        })
+        .then((idToken) => {
+          currentIdToken = idToken;
+          return admin.auth().verifyIdToken(idToken);
+        }).then((decodedIdTokenClaims) => {
+          expect(decodedIdTokenClaims.uid).to.be.equal(uid);
+          // One day long session cookie.
+          return admin.auth().createSessionCookie(currentIdToken, { expiresIn });
+        })
+        .then((sessionCookie) => {
+          currentSessioncookie = sessionCookie;
+          admin.auth().verifySessionCookie(sessionCookie, true)
+        })
+        .then(() => {
+          return admin.auth().updateUser(uid, { disabled : true });
+        })
+        .then((userRecord) => {
+          // Ensure disabled field has been updated.
+          expect(userRecord.uid).to.equal(uid);
+          expect(userRecord.disabled).to.equal(true);
+          return clientAuth().signInWithCustomToken(currentCustomToken)
+        }).then(() => {
+          admin.auth().verifySessionCookie(currentSessioncookie, true)
+        })
+        .then(() => {
+          throw new Error('Unexpected success');
+        }, (error) => {
+          expect(error).to.have.property('code', 'auth/user-disabled');
+        });
+    });
   });
 
   describe('importUsers()', () => {