anhiliate
diff --git a/‎CHANGELOG.md‎
Lines changed: 8 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎pom.xml‎
Lines changed: 7 additions & 0 deletions b/‎pom.xml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/main/java/com/google/firebase/auth/FirebaseAuth.java‎
Lines changed: 111 additions & 27 deletions b/‎src/main/java/com/google/firebase/auth/FirebaseAuth.java‎
Lines changed: 111 additions & 27 deletions
diff --git a/‎src/main/java/com/google/firebase/auth/FirebaseUserManager.java‎
Lines changed: 15 additions & 0 deletions b/‎src/main/java/com/google/firebase/auth/FirebaseUserManager.java‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎src/main/java/com/google/firebase/auth/SessionCookieOptions.java‎
Lines changed: 76 additions & 0 deletions b/‎src/main/java/com/google/firebase/auth/SessionCookieOptions.java‎
Lines changed: 76 additions & 0 deletions
diff --git a/‎src/main/java/com/google/firebase/auth/internal/FirebaseTokenFactory.java‎
Lines changed: 1 addition & 1 deletion b/‎src/main/java/com/google/firebase/auth/internal/FirebaseTokenFactory.java‎
Lines changed: 1 addition & 1 deletion
@@ -1,12 +1,19 @@
 # Unreleased
 
+- [added] A new `FirebaseAuth.createSessionCookieAsync()` method for
+  creating a long-lived session cookie given a valid ID token.
+- [added] A new `FirebaseAuth.verifySessionCookieAsync()` method for
+  verifying a given cookie string is valid.
 - [fixed] Upgraded Cloud Firestore dependency version to 0.44.0-beta.
 - [fixed] Upgraded Cloud Storage dependency version to 1.26.0.
 - [fixed] Upgraded Netty dependency version to 4.1.22.
 
 # v5.10.0
 
-
+- [fixed] Using the `HttpTransport` specified at `FirebaseOptions` in
+  `GooglePublicKeysManager`. This enables developers to use a custom
+  transport to fetch public keys when verifying ID tokens and session
+  cookies.
 - [added] Connection timeout and read timeout for HTTP/REST connections
   can now be configured via `FirebaseOptions.Builder` at app
   initialization.
 
@@ -471,5 +471,12 @@
             <version>4.12</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <!-- Used for some snippets -->
+            <groupId>javax.ws.rs</groupId>
+            <artifactId>javax.ws.rs-api</artifactId>
+            <version>2.0</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 </project>
@@ -20,7 +20,6 @@
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Preconditions.checkState;
 
-import com.google.api.client.googleapis.auth.oauth2.GooglePublicKeysManager;
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.util.Clock;
 import com.google.api.core.ApiFuture;
@@ -36,7 +35,9 @@
 import com.google.firebase.auth.UserRecord.UpdateRequest;
 import com.google.firebase.auth.internal.FirebaseTokenFactory;
 import com.google.firebase.auth.internal.FirebaseTokenVerifier;
+import com.google.firebase.auth.internal.KeyManagers;
 import com.google.firebase.internal.FirebaseService;
+import com.google.firebase.internal.NonNull;
 import com.google.firebase.internal.Nullable;
 import com.google.firebase.internal.TaskToApiFuture;
 import com.google.firebase.tasks.Task;
@@ -54,10 +55,10 @@
  */
 public class FirebaseAuth {
 
-  private final GooglePublicKeysManager googlePublicKeysManager;
   private final Clock clock;
 
   private final FirebaseApp firebaseApp;
+  private final KeyManagers keyManagers;
   private final GoogleCredentials credentials;
   private final String projectId;
   private final JsonFactory jsonFactory;
@@ -66,21 +67,17 @@ public class FirebaseAuth {
   private final Object lock;
 
   private FirebaseAuth(FirebaseApp firebaseApp) {
-    this(firebaseApp,
-         FirebaseTokenVerifier.buildGooglePublicKeysManager(
-                 firebaseApp.getOptions().getHttpTransport()),
-         Clock.SYSTEM);
+    this(firebaseApp, KeyManagers.getDefault(firebaseApp, Clock.SYSTEM), Clock.SYSTEM);
   }
 
   /**
    * Constructor for injecting a GooglePublicKeysManager, which is used to verify tokens are
    * correctly signed. This should only be used for testing to override the default key manager.
    */
   @VisibleForTesting
-  FirebaseAuth(
-      FirebaseApp firebaseApp, GooglePublicKeysManager googlePublicKeysManager, Clock clock) {
+  FirebaseAuth(FirebaseApp firebaseApp, KeyManagers keyManagers, Clock clock) {
     this.firebaseApp = checkNotNull(firebaseApp);
-    this.googlePublicKeysManager = checkNotNull(googlePublicKeysManager);
+    this.keyManagers = checkNotNull(keyManagers);
     this.clock = checkNotNull(clock);
     this.credentials = ImplFirebaseTrampolines.getCredentials(firebaseApp);
     this.projectId = ImplFirebaseTrampolines.getProjectId(firebaseApp);
@@ -114,6 +111,106 @@ public static synchronized FirebaseAuth getInstance(FirebaseApp app) {
     return service.getInstance();
   }
 
+  private Task<String> createSessionCookie(
+      final String idToken, final SessionCookieOptions options) {
+    checkNotDestroyed();
+    checkArgument(!Strings.isNullOrEmpty(idToken), "idToken must not be null or empty");
+    checkNotNull(options, "options must not be null");
+    return call(new Callable<String>() {
+      @Override
+      public String call() throws Exception {
+        return userManager.createSessionCookie(idToken, options);
+      }
+    });
+  }
+
+  /**
+   * Creates a new Firebase session cookie from the given ID token and options. The returned JWT
+   * can be set as a server-side session cookie with a custom cookie policy.
+   *
+   * @param idToken The Firebase ID token to exchange for a session cookie.
+   * @param options Additional options required to create the cookie.
+   * @return An {@code ApiFuture} which will complete successfully with a session cookie string.
+   *     If an error occurs while generating the cookie or if the specified ID token is invalid,
+   *     the future throws a {@link FirebaseAuthException}.
+   * @throws IllegalArgumentException If the ID token is null or empty, or if options is null.
+   */
+  public ApiFuture<String> createSessionCookieAsync(
+      @NonNull String idToken, @NonNull SessionCookieOptions options) {
+    return new TaskToApiFuture<>(createSessionCookie(idToken, options));
+  }
+
+  /**
+   * Parses and verifies a Firebase session cookie.
+   *
+   * <p>If verified successfully, the returned {@code ApiFuture} completes with a parsed version of
+   * the cookie from which the UID and the other claims can be read. If the cookie is invalid,
+   * the future throws an exception indicating the failure.
+   *
+   * <p>This method does not check whether the cookie has been revoked. See
+   * {@link #verifySessionCookieAsync(String, boolean)}.
+   *
+   * @param cookie A Firebase session cookie string to verify and parse.
+   * @return An {@code ApiFuture} which will complete successfully with the parsed cookie, or
+   *     unsuccessfully with the failure Exception.
+   */
+  public ApiFuture<FirebaseToken> verifySessionCookieAsync(String cookie) {
+    return new TaskToApiFuture<>(verifySessionCookie(cookie, false));
+  }
+
+  /**
+   * Parses and verifies a Firebase session cookie.
+   *
+   * <p>If {@code checkRevoked} is true, additionally verifies that the cookie has not been
+   * revoked.
+   *
+   * <p>If verified successfully, the returned {@code ApiFuture} completes with a parsed version of
+   * the cookie from which the UID and the other claims can be read. If the cookie is invalid or
+   * has been revoked while {@code checkRevoked} is true, the future throws an exception indicating
+   * the failure.
+   *
+   * @param cookie A Firebase session cookie string to verify and parse.
+   * @param checkRevoked A boolean indicating whether to check if the cookie was explicitly
+   *     revoked.
+   * @return An {@code ApiFuture} which will complete successfully with the parsed cookie, or
+   *     unsuccessfully with the failure Exception.
+   */
+  public ApiFuture<FirebaseToken> verifySessionCookieAsync(String cookie, boolean checkRevoked) {
+    return new TaskToApiFuture<>(verifySessionCookie(cookie, checkRevoked));
+  }
+
+  private Task<FirebaseToken> verifySessionCookie(final String cookie, final boolean checkRevoked) {
+    checkNotDestroyed();
+    checkState(!Strings.isNullOrEmpty(projectId),
+        "Must initialize FirebaseApp with a project ID to call verifySessionCookie()");
+    return call(new Callable<FirebaseToken>() {
+      @Override
+      public FirebaseToken call() throws Exception {
+        FirebaseTokenVerifier firebaseTokenVerifier =
+            FirebaseTokenVerifier.createSessionCookieVerifier(projectId, keyManagers, clock);
+        FirebaseToken firebaseToken = FirebaseToken.parse(jsonFactory, cookie);
+        // This will throw a FirebaseAuthException with details on how the token is invalid.
+        firebaseTokenVerifier.verifyTokenAndSignature(firebaseToken.getToken());
+
+        if (checkRevoked) {
+          checkRevoked(firebaseToken, "session cookie",
+              FirebaseUserManager.SESSION_COOKIE_REVOKED_ERROR);
+        }
+        return firebaseToken;
+      }
+    });
+  }
+
+  private void checkRevoked(
+      FirebaseToken firebaseToken, String label, String errorCode) throws FirebaseAuthException {
+    String uid = firebaseToken.getUid();
+    UserRecord user = userManager.getUserById(uid);
+    long issuedAt = (long) firebaseToken.getClaims().get("iat");
+    if (user.getTokensValidAfterTimestamp() > issuedAt * 1000) {
+      throw new FirebaseAuthException(errorCode, "Firebase " + label + " revoked");
+    }
+  }
+
   /**
    * Similar to {@link #createCustomTokenAsync(String)}, but returns a {@link Task}.
    *
@@ -212,27 +309,14 @@ private Task<FirebaseToken> verifyIdToken(final String token, final boolean chec
     return call(new Callable<FirebaseToken>() {
       @Override
       public FirebaseToken call() throws Exception {
-
         FirebaseTokenVerifier firebaseTokenVerifier =
-            new FirebaseTokenVerifier.Builder()
-                .setProjectId(projectId)
-                .setPublicKeysManager(googlePublicKeysManager)
-                .setClock(clock)
-                .build();
-
+            FirebaseTokenVerifier.createIdTokenVerifier(projectId, keyManagers, clock);
         FirebaseToken firebaseToken = FirebaseToken.parse(jsonFactory, token);
-
         // This will throw a FirebaseAuthException with details on how the token is invalid.
         firebaseTokenVerifier.verifyTokenAndSignature(firebaseToken.getToken());
-        
+
         if (checkRevoked) {
-          String uid = firebaseToken.getUid();
-          UserRecord user = userManager.getUserById(uid);
-          long issuedAt = (long) firebaseToken.getClaims().get("iat");
-          if (user.getTokensValidAfterTimestamp() > issuedAt * 1000) {
-              throw new FirebaseAuthException(FirebaseUserManager.ID_TOKEN_REVOKED_ERROR,
-                                              "Firebase auth token revoked");
-          }        
+          checkRevoked(firebaseToken, "auth token", FirebaseUserManager.ID_TOKEN_REVOKED_ERROR);
         }       
         return firebaseToken;
       }
@@ -241,7 +325,7 @@ public FirebaseToken call() throws Exception {
 
   private Task<Void> revokeRefreshTokens(String uid) {
     checkNotDestroyed();
-    int currentTimeSeconds = (int) (System.currentTimeMillis() / 1000);
+    long currentTimeSeconds = System.currentTimeMillis() / 1000L;
     final UpdateRequest request = new UpdateRequest(uid).setValidSince(currentTimeSeconds);
     return call(new Callable<Void>() {
       @Override
@@ -320,7 +404,7 @@ public ApiFuture<FirebaseToken> verifyIdTokenAsync(final String token) {
    * failure.
    *
    * @param token A Firebase ID Token to verify and parse.
-   * @param checkRevoked A boolean denoting whether to check if the tokens were revoked.
+   * @param checkRevoked A boolean indicating whether to check if the tokens were revoked.
    * @return An {@code ApiFuture} which will complete successfully with the parsed token, or
    *     unsuccessfully with the failure Exception.
    */
 
@@ -60,6 +60,7 @@ class FirebaseUserManager {
   static final String USER_NOT_FOUND_ERROR = "user-not-found";
   static final String INTERNAL_ERROR = "internal-error";
   static final String ID_TOKEN_REVOKED_ERROR = "id-token-revoked";
+  static final String SESSION_COOKIE_REVOKED_ERROR = "session-cookie-revoked";
 
   // Map of server-side error codes to SDK error codes.
   // SDK error codes defined at: https://firebase.google.com/docs/auth/admin/errors
@@ -194,6 +195,20 @@ DownloadAccountResponse listUsers(int maxResults, String pageToken) throws Fireb
     return response;
   }
 
+  String createSessionCookie(String idToken,
+      SessionCookieOptions options) throws FirebaseAuthException {
+    final Map<String, Object> payload = ImmutableMap.<String, Object>of(
+        "idToken", idToken, "validDuration", options.getExpiresInSeconds());
+    GenericJson response = post("createSessionCookie", payload, GenericJson.class);
+    if (response != null) {
+      String cookie = (String) response.get("sessionCookie");
+      if (!Strings.isNullOrEmpty(cookie)) {
+        return cookie;
+      }
+    }
+    throw new FirebaseAuthException(INTERNAL_ERROR, "Failed to create session cookie");
+  }
+
   private <T> T post(String path, Object content, Class<T> clazz) throws FirebaseAuthException {
     checkArgument(!Strings.isNullOrEmpty(path), "path must not be null or empty");
     checkNotNull(content, "content must not be null");
 
@@ -0,0 +1,76 @@
+/*
+ * Copyright 2017 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.firebase.auth;
+
+import static com.google.common.base.Preconditions.checkArgument;
+
+import java.util.concurrent.TimeUnit;
+
+/**
+ * A set of additional options that can be passed to
+ * {@link FirebaseAuth#createSessionCookieAsync(String, SessionCookieOptions)}.
+ */
+public class SessionCookieOptions {
+
+  private final long expiresIn;
+
+  private SessionCookieOptions(Builder builder) {
+    checkArgument(builder.expiresIn > TimeUnit.MINUTES.toMillis(5),
+        "expiresIn duration must be at least 5 minutes");
+    checkArgument(builder.expiresIn < TimeUnit.DAYS.toMillis(14),
+        "expiresIn duration must be at most 14 days");
+    this.expiresIn = builder.expiresIn;
+  }
+
+  long getExpiresInSeconds() {
+    return TimeUnit.MILLISECONDS.toSeconds(expiresIn);
+  }
+
+  /**
+   * Creates a new {@link Builder}.
+   */
+  public static Builder builder() {
+    return new Builder();
+  }
+
+  public static class Builder {
+
+    private long expiresIn;
+
+    private Builder() {}
+
+    /**
+     * Sets the duration until the cookie is expired in milliseconds. Must be between 5 minutes
+     * and 14 days.
+     *
+     * @param expiresInMillis Time duration in milliseconds.
+     * @return This builder.
+     */
+    public Builder setExpiresIn(long expiresInMillis) {
+      this.expiresIn = expiresInMillis;
+      return this;
+    }
+
+    /**
+     * Creates a new {@link SessionCookieOptions} instance.
+     */
+    public SessionCookieOptions build() {
+      return new SessionCookieOptions(this);
+    }
+  }
+
+}
@@ -83,7 +83,7 @@ public String createSignedCustomAuthTokenForUser(
       for (String key : developerClaims.keySet()) {
         if (reservedNames.contains(key)) {
           throw new IllegalArgumentException(
-              String.format("developer_claims can not contain a reserved key: %s", key));
+              String.format("developerClaims must not contain a reserved key: %s", key));
         }
       }
       GenericJson jsonObject = new GenericJson();
Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ public String createSignedCustomAuthTokenForUser(`
`83`	`83`	`for (String key : developerClaims.keySet()) {`
`84`	`84`	`if (reservedNames.contains(key)) {`
`85`	`85`	`throw new IllegalArgumentException(`
`86`		`- String.format("developer_claims can not contain a reserved key: %s", key));`
	`86`	`+ String.format("developerClaims must not contain a reserved key: %s", key));`
`87`	`87`	`}`
`88`	`88`	`}`
`89`	`89`	`GenericJson jsonObject = new GenericJson();`