feat(appcheck): Add support for minting limited use tokens

lahirumaramba · lahirumaramba · commit f142d515e51e · 2025-11-28T23:03:11.000Z
diff --git a/etc/firebase-admin.app-check.api.md b/etc/firebase-admin.app-check.api.md
@@ -24,6 +24,7 @@ export interface AppCheckToken {
 
 // @public
 export interface AppCheckTokenOptions {
+    limitedUse?: boolean;
     ttlMillis?: number;
 }
 
diff --git a/src/app-check/app-check-api-client-internal.ts b/src/app-check/app-check-api-client-internal.ts
@@ -58,7 +58,11 @@ export class AppCheckApiClient {
    * @param appId - The mobile App ID.
    * @returns A promise that fulfills with a `AppCheckToken`.
    */
-  public exchangeToken(customToken: string, appId: string): Promise<AppCheckToken> {
+  public exchangeToken(
+    customToken: string,
+    appId: string,
+    limitedUse?: boolean
+  ): Promise<AppCheckToken> {
     if (!validator.isNonEmptyString(appId)) {
       throw new FirebaseAppCheckError(
         'invalid-argument',
@@ -75,7 +79,10 @@ export class AppCheckApiClient {
           method: 'POST',
           url,
           headers: FIREBASE_APP_CHECK_CONFIG_HEADERS,
-          data: { customToken }
+          data: {
+            customToken,
+            limitedUse,
+          }
         };
         return this.httpClient.send(request);
       })
diff --git a/src/app-check/app-check-api.ts b/src/app-check/app-check-api.ts
@@ -39,6 +39,14 @@ export interface AppCheckTokenOptions {
    * be valid. This value must be between 30 minutes and 7 days, inclusive.
    */
   ttlMillis?: number;
+
+  /**
+   * Specifies whether this attestation is for use in a *limited use* (`true`)
+   * or *session based* (`false`) context. To enable this attestation to be used
+   * with the *replay protection* feature, set this to `true`. The default value
+   * is `false`.
+   */
+  limitedUse?: boolean;
 }
 
 /**
diff --git a/src/app-check/app-check.ts b/src/app-check/app-check.ts
@@ -68,7 +68,7 @@ export class AppCheck {
   public createToken(appId: string, options?: AppCheckTokenOptions): Promise<AppCheckToken> {
     return this.tokenGenerator.createCustomToken(appId, options)
       .then((customToken) => {
-        return this.client.exchangeToken(customToken, appId);
+        return this.client.exchangeToken(customToken, appId, options?.limitedUse);
       });
   }
 
diff --git a/test/integration/app-check.spec.ts b/test/integration/app-check.spec.ts
@@ -53,7 +53,20 @@ describe('admin.appCheck', () => {
           expect(token).to.have.keys(['token', 'ttlMillis']);
           expect(token.token).to.be.a('string').and.to.not.be.empty;
           expect(token.ttlMillis).to.be.a('number');
-          expect(token.ttlMillis).to.equals(3600000);
+          expect(token.ttlMillis).to.equals(3600000); // 1 hour
+        });
+    });
+
+    it('should succeed with a vaild limited use token', function () {
+      if (!appId) {
+        this.skip();
+      }
+      return admin.appCheck().createToken(appId as string, { limitedUse: true })
+        .then((token) => {
+          expect(token).to.have.keys(['token', 'ttlMillis']);
+          expect(token.token).to.be.a('string').and.to.not.be.empty;
+          expect(token.ttlMillis).to.be.a('number');
+          expect(token.ttlMillis).to.equals(300000); // 5 minutes
         });
     });
 
diff --git a/test/unit/app-check/app-check-api-client-internal.spec.ts b/test/unit/app-check/app-check-api-client-internal.spec.ts
@@ -21,6 +21,7 @@ import * as _ from 'lodash';
 import * as chai from 'chai';
 import * as sinon from 'sinon';
 import { HttpClient } from '../../../src/utils/api-request';
+import * as sinonChai from 'sinon-chai';
 import * as utils from '../utils';
 import * as mocks from '../../resources/mocks';
 import { getMetricsHeader, getSdkVersion } from '../../../src/utils';
@@ -31,6 +32,7 @@ import { FirebaseAppError } from '../../../src/utils/error';
 import { deepCopy } from '../../../src/utils/deep-copy';
 
 const expect = chai.expect;
+chai.use(sinonChai);
 
 describe('AppCheckApiClient', () => {
 
@@ -210,7 +212,31 @@ describe('AppCheckApiClient', () => {
             method: 'POST',
             url: `https://firebaseappcheck.googleapis.com/v1/projects/test-project/apps/${APP_ID}:exchangeCustomToken`,
             headers: EXPECTED_HEADERS,
-            data: { customToken: TEST_TOKEN_TO_EXCHANGE }
+            data: {
+              customToken: TEST_TOKEN_TO_EXCHANGE,
+              limitedUse: undefined,
+            }
+          });
+        });
+    });
+
+    it('should resolve with the App Check token on success with limitedUse', () => {
+      const stub = sinon
+        .stub(HttpClient.prototype, 'send')
+        .resolves(utils.responseFrom(TEST_RESPONSE, 200));
+      stubs.push(stub);
+      return apiClient.exchangeToken(TEST_TOKEN_TO_EXCHANGE, APP_ID, true)
+        .then((resp) => {
+          expect(resp.token).to.deep.equal(TEST_RESPONSE.token);
+          expect(resp.ttlMillis).to.deep.equal(3000);
+          expect(stub).to.have.been.calledOnce.and.calledWith({
+            method: 'POST',
+            url: `https://firebaseappcheck.googleapis.com/v1/projects/test-project/apps/${APP_ID}:exchangeCustomToken`,
+            headers: EXPECTED_HEADERS,
+            data: {
+              customToken: TEST_TOKEN_TO_EXCHANGE,
+              limitedUse: true,
+            }
           });
         });
     });
diff --git a/test/unit/app-check/app-check.spec.ts b/test/unit/app-check/app-check.spec.ts
@@ -20,6 +20,7 @@
 import * as _ from 'lodash';
 import * as chai from 'chai';
 import * as sinon from 'sinon';
+import * as sinonChai from 'sinon-chai';
 import * as mocks from '../../resources/mocks';
 
 import { FirebaseApp } from '../../../src/app/firebase-app';
@@ -31,6 +32,7 @@ import { ServiceAccountSigner } from '../../../src/utils/crypto-signer';
 import { AppCheckTokenVerifier } from '../../../src/app-check/token-verifier';
 
 const expect = chai.expect;
+chai.use(sinonChai);
 
 describe('AppCheck', () => {
 
@@ -168,6 +170,20 @@ describe('AppCheck', () => {
           expect(token.ttlMillis).equals(3000);
         });
     });
+
+    it('should resolve with AppCheckToken on success with limitedUse', () => {
+      const response = { token: 'token', ttlMillis: 3000 };
+      const stub = sinon
+        .stub(AppCheckApiClient.prototype, 'exchangeToken')
+        .resolves(response);
+      stubs.push(stub);
+      return appCheck.createToken(APP_ID, { limitedUse: true })
+        .then((token) => {
+          expect(token.token).equals('token');
+          expect(token.ttlMillis).equals(3000);
+          expect(stub).to.have.been.calledOnce.and.calledWith(sinon.match.string, APP_ID, true);
+        });
+    });
   });
 
   describe('verifyToken', () => {

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ export interface AppCheckToken {`
`24`	`24`
`25`	`25`	`// @public`
`26`	`26`	`export interface AppCheckTokenOptions {`
	`27`	`+ limitedUse?: boolean;`
`27`	`28`	`ttlMillis?: number;`
`28`	`29`	`}`
`29`	`30`
Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@ export class AppCheck {`
`68`	`68`	`public createToken(appId: string, options?: AppCheckTokenOptions): Promise<AppCheckToken> {`
`69`	`69`	`return this.tokenGenerator.createCustomToken(appId, options)`
`70`	`70`	`.then((customToken) => {`
`71`		`- return this.client.exchangeToken(customToken, appId);`
	`71`	`+ return this.client.exchangeToken(customToken, appId, options?.limitedUse);`
`72`	`72`	`});`
`73`	`73`	`}`
`74`	`74`