firebase · xil222 · Aug 16, 2021 · Aug 4, 2021 · Aug 5, 2021 · Aug 10, 2021
diff --git a/src/auth/auth.ts b/src/auth/auth.ts
@@ -104,19 +104,20 @@ export class BaseAuth<T extends AbstractAuthRequestHandler> implements BaseAuthI
   }
 
   /**
-   * Verifies a JWT auth token. Returns a Promise with the tokens claims. Rejects
-   * the promise if the token could not be verified.
-   * If checkRevoked is set to true, first verifies whether the corresponding userinfo.disabled
-   * is true:
+   * Verifies a JWT auth token. Returns a Promise with the tokens claims.
+   * Rejects the promise if the token could not be verified.
+   * If checkRevoked is set to true, first verifies whether the corresponding
+   * user is disabled.
    * If yes, an auth/user-disabled error is thrown.
    * If no, verifies if the session corresponding to the ID token was revoked.
-   * If the corresponding user's session was invalidated, an auth/id-token-revoked error is thrown.
+   * If the corresponding user's session was invalidated, an
+   * auth/id-token-revoked error is thrown.
    * If not specified the check is not applied.
    *
    * @param {string} idToken The JWT to verify.
    * @param {boolean=} checkRevoked Whether to check if the ID token is revoked.
-   * @return {Promise<DecodedIdToken>} A Promise that will be fulfilled after a successful
-   *     verification.
+   * @return {Promise<DecodedIdToken>} A Promise that will be fulfilled after
+   *   a successful verification.
    */
   public verifyIdToken(idToken: string, checkRevoked = false): Promise<DecodedIdToken> {
     const isEmulator = useEmulator();
@@ -509,28 +510,30 @@ export class BaseAuth<T extends AbstractAuthRequestHandler> implements BaseAuthI
   }
 
   /**
-   * Verifies a Firebase session cookie. Returns a Promise with the tokens claims. Rejects
-   * the promise if the cookie could not be verified. 
-   * If checkRevoked is set to true, first verifies whether the corresponding userinfo.disabled
-   * is true:
+   * Verifies a Firebase session cookie. Returns a Promise with the tokens claims.
+   * Rejects the promise if the cookie could not be verified. 
+   * If checkRevoked is set to true, first verifies whether the corresponding
+   * user is true:
    * If yes, an auth/user-disabled error is thrown.
-   * If no, verifies if the session corresponding to the session cookie was revoked.
-   * If the corresponding user's session was invalidated, an auth/session-cookie-revoked error
-   * is thrown.
+   * If no, verifies if the session corresponding to the session cookie was
+   * revoked.
+   * If the corresponding user's session was invalidated, an
+   * auth/session-cookie-revoked error is thrown.
    * If not specified the check is not performed.
    *
    * @param {string} sessionCookie The session cookie to verify.
-   * @param {boolean=} checkRevoked Whether to check if the session cookie is revoked.
-   * @return {Promise<DecodedIdToken>} A Promise that will be fulfilled after a successful
-   *     verification.
+   * @param {boolean=} checkRevoked Whether to check if the session cookie is
+   *     revoked.
+   * @return {Promise<DecodedIdToken>} A Promise that will be fulfilled after
+   *     a successful verification.
    */
   public verifySessionCookie(
     sessionCookie: string, checkRevoked = false): Promise<DecodedIdToken> {
     const isEmulator = useEmulator();
     return this.sessionCookieVerifier.verifyJWT(sessionCookie, isEmulator)
       .then((decodedIdToken: DecodedIdToken) => {
         // Whether to check if the cookie was revoked.
-        if (checkRevoked || isEmulator) {         
+        if (checkRevoked || isEmulator) {
           return this.verifyDecodedJWTNotRevokedOrDisabled(
             decodedIdToken,
             AuthClientErrorCode.SESSION_COOKIE_REVOKED);
@@ -748,7 +751,7 @@ export class BaseAuth<T extends AbstractAuthRequestHandler> implements BaseAuthI
         if (user.disabled) {
           throw new FirebaseAuthError(
             AuthClientErrorCode.USER_DISABLED,
-            'The user account has been disabled by an administrator');
+            'The user record is disabled.');
         }
         // If no tokens valid after time available, token is not revoked.
         if (user.tokensValidAfterTime) {

diff --git a/test/integration/auth.spec.ts b/test/integration/auth.spec.ts
@@ -890,6 +890,7 @@ describe('admin.auth', () => {
           return admin.auth().verifyIdToken(currentIdToken, true);
         })
         .then((decodedIdToken) => {
+          expect(decodedIdToken.sub).to.equal(uid);
           expect(decodedIdToken.uid).to.equal(uid);
           expect(decodedIdToken.email).to.equal(email);
           return admin.auth().updateUser(uid, { disabled: true });
@@ -901,7 +902,10 @@ describe('admin.auth', () => {
           expect(userRecord.disabled).to.equal(true);
           return admin.auth().verifyIdToken(currentIdToken, false);
         })
-        .then(() => {
+        .then((decodedIdToken) => {
+          expect(decodedIdToken.sub).to.equal(uid);
+          expect(decodedIdToken.uid).to.equal(uid);
+          expect(decodedIdToken.email).to.equal(email);
           return admin.auth().verifyIdToken(currentIdToken, true);
         })
         .then(() => {
@@ -2081,15 +2085,19 @@ describe('admin.auth', () => {
           currentSessioncookie = sessionCookie;
           return admin.auth().verifySessionCookie(sessionCookie, true);
         })
-        .then(() => {
+        .then((decodedIdToken) => {
+          expect(decodedIdToken.sub).to.equal(uid);
+          expect(decodedIdToken.uid).to.equal(uid);
           return admin.auth().updateUser(uid, { disabled : true });
         })
         .then((userRecord) => {
           // Ensure disabled field has been updated.
           expect(userRecord.uid).to.equal(uid);
           expect(userRecord.disabled).to.equal(true);
           return admin.auth().verifySessionCookie(currentSessioncookie, false);
-        }).then(() => {
+        }).then((decodedIdToken) => {
+          expect(decodedIdToken.sub).to.equal(uid);
+          expect(decodedIdToken.uid).to.equal(uid);
           return admin.auth().verifySessionCookie(currentSessioncookie, true);
         })
         .then(() => {

diff --git a/test/unit/auth/auth.spec.ts b/test/unit/auth/auth.spec.ts
@@ -865,7 +865,7 @@ AUTH_CONFIGS.forEach((testConfig) => {
           .resolves(expectedUserRecordDisabled);
         expect(expectedUserRecordDisabled.disabled).to.be.equal(true);
         stubs.push(getUserStub);
-        return auth.verifyIdToken(mockSessionCookie, true)
+        return auth.verifySessionCookie(mockSessionCookie, true)
           .then(() => {
             throw new Error('Unexpected success');
           }, (error) => {
@@ -3534,9 +3534,9 @@ AUTH_CONFIGS.forEach((testConfig) => {
     });
 
     describe('auth emulator support', () => {
-
       let mockAuth = testConfig.init(mocks.app());
-      const userRecord = getValidUserRecord(getValidGetAccountInfoResponse());
+      const expectedAccountInfoResponse = getValidGetAccountInfoResponse();
+      const userRecord = getValidUserRecord(expectedAccountInfoResponse);
       const validSince = new Date(userRecord.tokensValidAfterTime!);
 
       const stubs: sinon.SinonStub[] = [];
@@ -3595,6 +3595,39 @@ AUTH_CONFIGS.forEach((testConfig) => {
           });
       });
 
+      it('verifyIdToken() should reject user disabled before ID tokens revoked', () => {
+        // One second before validSince.
+        const expectedAccountInfoResponseUserDisabled = Object.assign({}, expectedAccountInfoResponse);
+        expectedAccountInfoResponseUserDisabled.users[0].disabled = true;
+        const expectedUserRecordDisabled = getValidUserRecord(expectedAccountInfoResponseUserDisabled);
+        const validSince = new Date(expectedUserRecordDisabled.tokensValidAfterTime!);
+        const oneSecBeforeValidSince = Math.floor(validSince.getTime() / 1000 - 1);
+        const getUserStub = sinon.stub(testConfig.Auth.prototype, 'getUser')
+          .resolves(expectedUserRecordDisabled);
+        expect(expectedUserRecordDisabled.disabled).to.be.equal(true);
+        stubs.push(getUserStub);
+
+        const unsignedToken = mocks.generateIdToken({
+          algorithm: 'none',
+          subject: expectedUserRecordDisabled.uid,
+        }, {
+          iat: oneSecBeforeValidSince,
+          auth_time: oneSecBeforeValidSince, // eslint-disable-line @typescript-eslint/camelcase
+        });
+
+        // verifyIdToken should force checking revocation in emulator mode,
+        // even if checkRevoked=false.
+        return mockAuth.verifyIdToken(unsignedToken, false)
+          .then(() => {
+            throw new Error('Unexpected success');
+          }, (error) => {
+            // Confirm expected error returned.
+            expect(error).to.have.property('code', 'auth/user-disabled');
+            // Confirm underlying API called with expected parameters.
+            expect(getUserStub).to.have.been.calledOnce.and.calledWith(expectedUserRecordDisabled.uid);
+          });
+      });
+
       it('verifySessionCookie() should reject revoked session cookies', () => {
         const uid = userRecord.uid;
         // One second before validSince.
@@ -3625,6 +3658,39 @@ AUTH_CONFIGS.forEach((testConfig) => {
           });
       });
 
+
+      it('verifySessionCookie() should reject user disabled before ID tokens revoked', () =>  {
+        // One second before validSince.
+        const expectedAccountInfoResponseUserDisabled = Object.assign({}, expectedAccountInfoResponse);
+        expectedAccountInfoResponseUserDisabled.users[0].disabled = true;
+        const expectedUserRecordDisabled = getValidUserRecord(expectedAccountInfoResponseUserDisabled);
+        const validSince = new Date(expectedUserRecordDisabled.tokensValidAfterTime!);
+        const oneSecBeforeValidSince = Math.floor(validSince.getTime() / 1000 - 1);
+        const getUserStub = sinon.stub(testConfig.Auth.prototype, 'getUser')
+          .resolves(expectedUserRecordDisabled);
+        expect(expectedUserRecordDisabled.disabled).to.be.equal(true);
+        stubs.push(getUserStub);
+
+        const unsignedToken = mocks.generateIdToken({
+          algorithm: 'none',
+          subject: expectedUserRecordDisabled.uid,
+          issuer: 'https://session.firebase.google.com/' + mocks.projectId,
+        }, {
+          iat: oneSecBeforeValidSince,
+          auth_time: oneSecBeforeValidSince, // eslint-disable-line @typescript-eslint/camelcase
+        });
+
+        return auth.verifySessionCookie(unsignedToken, true)
+          .then(() => {
+            throw new Error('Unexpected success');
+          }, (error) => {
+            // Confirm underlying API called with expected parameters.
+            expect(getUserStub).to.have.been.calledOnce.and.calledWith(expectedUserRecordDisabled.uid);
+            // Confirm expected error returned.
+            expect(error).to.have.property('code', 'auth/user-disabled');
+          });        
+      });
+
       it('verifyIdToken() rejects an unsigned token if auth emulator is unreachable', async () => {
         const unsignedToken = mocks.generateIdToken({
           algorithm: 'none'