Forem: Anton Krasov The latest articles on Forem by Anton Krasov (@antonkrasov). https://forem.com/antonkrasov https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F859624%2F48f90172-e3f5-43e9-9dc0-90f39fc4dbc1.jpeg Forem: Anton Krasov https://forem.com/antonkrasov en How to test an API expecting Firebase token Anton Krasov Mon, 09 May 2022 03:10:24 +0000 https://forem.com/antonkrasov/how-to-test-an-api-expecting-firebase-token-gid https://forem.com/antonkrasov/how-to-test-an-api-expecting-firebase-token-gid <h2> Problem </h2> <p>Let's say you are developing a backend API and you are protecting it with firebase tokens. This saves lots of development time on the frontend (mobile or web) just because Firebase Auth SDK does all the heavy lifting for token generation, refresh, etc, as well as on the backend for the exact same reason. But when you want to test this API with Postman or any other REST client you may face a problem, how to get the same token as the client receives from the Firebase SDK?</p> <p>One of the ways to do it is to launch a client app and grab a token from there. Personally, I wasted lots of time doing this.</p> <h2> Better Solution </h2> <p>There is a way better option for doing it, and I was surprised by how easy it is. All we need to do is to use Firebase Auth REST API (<a href="https://firebase.google.com/docs/reference/rest/auth" rel="noopener noreferrer">https://firebase.google.com/docs/reference/rest/auth</a>). It provides simple API calls we can use to manage our Firebase users as well as tokens.</p> <h2> Example </h2> <p>Let’s see by example how we can do it, I created a sample firebase project and deployed a simple cloud function:</p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code> <span class="kd">const</span> <span class="nx">functions</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">firebase-functions</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">serviceAccount</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">./service-account.json</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">initializeApp</span><span class="p">,</span> <span class="nx">cert</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">firebase-admin/app</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">getAuth</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">firebase-admin/auth</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">initializeApp</span><span class="p">({</span> <span class="na">credential</span><span class="p">:</span> <span class="nf">cert</span><span class="p">(</span><span class="nx">serviceAccount</span><span class="p">)</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="nf">getAuth</span><span class="p">(</span><span class="nx">app</span><span class="p">)</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">protectedEndpoint</span> <span class="o">=</span> <span class="nx">functions</span><span class="p">.</span><span class="nx">https</span><span class="p">.</span><span class="nf">onRequest</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">response</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">xApiToken</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-api-token</span><span class="dl">'</span><span class="p">]</span> <span class="kd">const</span> <span class="nx">decodedToken</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">auth</span><span class="p">.</span><span class="nf">verifyIdToken</span><span class="p">(</span><span class="nx">xApiToken</span><span class="p">)</span> <span class="nx">response</span><span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="nx">decodedToken</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">ex</span><span class="p">)</span> <span class="p">{</span> <span class="nx">response</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">'x-api-token' header is required!</span><span class="dl">"</span> <span class="p">})</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>Let's try to call it via cURL:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ➜ ~ curl https://us-central1-givemefirebasetoken-sample.cloudfunctions.net/protectedEndpoint <span class="o">{</span><span class="s2">"error"</span>:<span class="s2">"'x-api-token' header is required!"</span><span class="o">}</span>% </code></pre> </div> <p>As expected we got our error, because <code>auth.verifyIdToken()</code> failed.</p> <p>Now let’s try to get the token via Rest API. The first thing we will need is an API_KEY for our Firebase project. The easiest way to get it is to create a Web app in your firebase console. Next, you’ll see your API_KEY in it. Here is an example from my sample project:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl0zwggo5dwun50c5bi8l.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl0zwggo5dwun50c5bi8l.png" alt="Image description"></a></p> <p>After we have our <code>apiKey</code> we can start making calls to the firebase, link to the detailed API reference: <a href="https://firebase.google.com/docs/reference/rest/auth" rel="noopener noreferrer">https://firebase.google.com/docs/reference/rest/auth</a></p> <p>Personally I use 3 methods:</p> <ul> <li>Sign up with email / password (<a href="https://firebase.google.com/docs/reference/rest/auth#section-create-email-password" rel="noopener noreferrer">https://firebase.google.com/docs/reference/rest/auth#section-create-email-password</a>)</li> <li>Sign in with email / password (<a href="https://firebase.google.com/docs/reference/rest/auth#section-sign-in-email-password" rel="noopener noreferrer">https://firebase.google.com/docs/reference/rest/auth#section-sign-in-email-password</a>)</li> <li>Delete account (<a href="https://firebase.google.com/docs/reference/rest/auth#section-delete-account" rel="noopener noreferrer">https://firebase.google.com/docs/reference/rest/auth#section-delete-account</a>)</li> </ul> <p><code>Delete</code> is useful if we want to create a new user each time, we can use it in our autotests. So our flow would be like this:</p> <ol> <li>Sign Up with email/password.</li> <li>Run API tests.</li> <li>Delete user.</li> </ol> <p>Ok, let’s create a new user with API request:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">--location</span> <span class="nt">--request</span> POST <span class="s1">'https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=AIzaSyAHV1eUu8EqCSUeycofXqfL******'</span> <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'Content-Type: application/json'</span> <span class="se">\</span> <span class="nt">--data-raw</span> <span class="s1">'{ "email": "anton.krasov@gmail.com", "password": "******", "returnSecureToken": true }'</span> </code></pre> </div> <p>Our response should look like this:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="o">{</span> <span class="s2">"kind"</span>: <span class="s2">"identitytoolkit#SignupNewUserResponse"</span>, <span class="s2">"idToken"</span>: <span class="s2">"eyJhbGciOiJSUzI1NiIsImtpZ....gkULJig1ypXaA"</span>, <span class="s2">"email"</span>: <span class="s2">"anton.krasov@gmail.com"</span>, <span class="s2">"refreshToken"</span>: <span class="s2">"AIwUaOkfNuMg8Kdatx-Hy8_5Ti0sm....-dKiN0CGkDfX1ch5f69g5Y5K"</span>, <span class="s2">"expiresIn"</span>: <span class="s2">"3600"</span>, <span class="s2">"localId"</span>: <span class="s2">"aoiC7bM0v....ueGMRegf1k2"</span> <span class="o">}</span> </code></pre> </div> <p><code>idToken</code> is exactly the same token we will receive from our Firebase Auth SDK.</p> <p><code>localId</code> is our new user Id.</p> <p>Just remember that you need to have <code>Email/Password</code> auth provider enabled in your <code>Authentication</code> settings:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg5k4ygte8ngbqo62mh39.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg5k4ygte8ngbqo62mh39.png" alt="Image description"></a></p> <p>Now, we have an <code>idToken</code> let’s try to execute our sample call again:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">--location</span> <span class="nt">--request</span> GET <span class="s1">'https://us-central1-givemefirebasetoken-sample.cloudfunctions.net/protectedEndpoint'</span> <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'x-api-token: eyJhbGciOiJSUzI1NiIsImtpZ....09HlrF49MRWo9qq0_c6UiMHdBZUavNXyuFyjC85dpSxJrNtJSwH5OQa22dIwdbNmfMqz6ljAivIkjw5aX2GrF5ViFCdp4Tew5iw'</span> </code></pre> </div> <p>and we got our <code>decodedToken</code> in response:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="o">{</span><span class="s2">"decodedToken"</span>:<span class="o">{</span><span class="s2">"iss"</span>:<span class="s2">"https://securetoken.google.com/givemefirebasetoken-sample"</span>,<span class="s2">"aud"</span>:<span class="s2">"givemefirebasetoken-sample"</span>,<span class="s2">"auth_time"</span>:1651977397,<span class="s2">"user_id"</span>:<span class="s2">"aoiC7bM0vFQTMPj24ueGMRegf1k2"</span>,<span class="s2">"sub"</span>:<span class="s2">"aoiC7bM0vFQTMPj24ueGMRegf1k2"</span>,<span class="s2">"iat"</span>:1651977397,<span class="s2">"exp"</span>:1651980997,<span class="s2">"email"</span>:<span class="s2">"anton.krasov@gmail.com"</span>,<span class="s2">"email_verified"</span>:false,<span class="s2">"firebase"</span>:<span class="o">{</span><span class="s2">"identities"</span>:<span class="o">{</span><span class="s2">"email"</span>:[<span class="s2">"anton.krasov@gmail.com"</span><span class="o">]}</span>,<span class="s2">"sign_in_provider"</span>:<span class="s2">"password"</span><span class="o">}</span>,<span class="s2">"uid"</span>:<span class="s2">"aoiC7bM0vFQTMPj24ueGMRegf1k2"</span><span class="o">}}</span> </code></pre> </div> <h2> Leverage Postman Environments </h2> <p>Now we know the API calls we need to execute to get the user’s info, let’s leverage postman variables and environments (<a href="https://learning.postman.com/docs/sending-requests/variables/" rel="noopener noreferrer">https://learning.postman.com/docs/sending-requests/variables/</a>) to store the token and use it with our own backend API calls.</p> <p>First thing, let’s create env and setup variables we need:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flzil0lrmbzghj5uht3xs.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flzil0lrmbzghj5uht3xs.png" alt="Image description"></a></p> <p>Variables are pretty self explanatory ;)</p> <p>Now, let’s create our <code>accounts:signUp</code> request, and execute it:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpev4copoxbrai1n4h5lu.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpev4copoxbrai1n4h5lu.png" alt="Image description"></a></p> <p>Now, once we receive our token, let’s save it in our environment using <code>Tests</code> tab (<a href="https://learning.postman.com/docs/writing-scripts/test-scripts/" rel="noopener noreferrer">https://learning.postman.com/docs/writing-scripts/test-scripts/</a>):</p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code> <span class="kd">var</span> <span class="nx">jsonData</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">responseBody</span><span class="p">);</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="nx">jsonData</span><span class="p">.</span><span class="nx">idToken</span><span class="p">).</span><span class="nx">to</span><span class="p">.</span><span class="nx">be</span><span class="p">.</span><span class="nf">a</span><span class="p">(</span><span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">);</span> <span class="nx">postman</span><span class="p">.</span><span class="nf">setEnvironmentVariable</span><span class="p">(</span><span class="dl">"</span><span class="s2">firebaseIdToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">jsonData</span><span class="p">.</span><span class="nx">idToken</span><span class="p">);</span> </code></pre> </div> <p>On the second line, we also validate that we have <code>idToken</code> and it’s a string. This is required to prevent setting up the wrong <code>firebaseIdToken</code> env var if our request failed. Let’s say you called <code>accounts:signUp</code> request twice and got an error from the firebase saying that the user already exists.</p> <p>Now, after the execution we'll have our token in our env, and we can use it in our own API calls.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvls0ki3hhoednq8mge7e.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvls0ki3hhoednq8mge7e.png" alt="Image description"></a></p> <h2> Automatic token retrieval </h2> <p>Postman has a nice feature called <code>pre-request scripts:</code> <a href="https://learning.postman.com/docs/writing-scripts/pre-request-scripts/" rel="noopener noreferrer">https://learning.postman.com/docs/writing-scripts/pre-request-scripts/</a></p> <p>We can use it to automate retrieving of our token and setting of our env, and the best thing about it is that we can create a pre-request script <strong>for the whole collection</strong>! This means that we won't need to call any of the firebase requests manually.</p> <p>Here is an example script: </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code> <span class="kd">const</span> <span class="nx">firebaseApiKey</span> <span class="o">=</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">firebaseApiKey</span><span class="dl">"</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">firebaseTestUserEmail</span> <span class="o">=</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">firebaseTestUserEmail</span><span class="dl">"</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">firebaseTestUserPassword</span> <span class="o">=</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">firebaseTestUserPassword</span><span class="dl">"</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{</span> <span class="na">url</span><span class="p">:</span> <span class="s2">`https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=</span><span class="p">${</span><span class="nx">firebaseApiKey</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">header</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Accept</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">*/*</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="p">{</span> <span class="na">mode</span><span class="p">:</span> <span class="dl">'</span><span class="s1">raw</span><span class="dl">'</span><span class="p">,</span> <span class="na">raw</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="dl">"</span><span class="s2">email</span><span class="dl">"</span><span class="p">:</span> <span class="nx">firebaseTestUserEmail</span><span class="p">,</span> <span class="dl">"</span><span class="s2">password</span><span class="dl">"</span><span class="p">:</span> <span class="nx">firebaseTestUserPassword</span><span class="p">,</span> <span class="dl">"</span><span class="s2">returnSecureToken</span><span class="dl">"</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">}</span> <span class="p">};</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">sendRequest</span><span class="p">(</span><span class="nx">options</span><span class="p">,</span> <span class="nf">function </span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">respData</span> <span class="o">=</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">firebaseIdToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">respData</span><span class="p">.</span><span class="nx">idToken</span><span class="p">);</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">firebaseUID</span><span class="dl">"</span><span class="p">,</span> <span class="nx">respData</span><span class="p">.</span><span class="nx">localId</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> firebase postman tutorial backend