Merge dev into master

.github/scripts/run_all_tests.sh

@@ -22,4 +22,4 @@ gpg --quiet --batch --yes --decrypt --passphrase="${FIREBASE_SERVICE_ACCT_KEY}"
 
 echo "${FIREBASE_API_KEY}" > testdata/integration_apikey.txt
 
-go test -v -race firebase.google.com/go/...
+go test -v -race ./...

.github/workflows/ci.yml

@@ -2,41 +2,33 @@ name: Continuous Integration
 on: pull_request
 jobs:
 
-  build:
-    name: Build
+  module:
+    name: Module build
     runs-on: ubuntu-latest
-    env:
-        GOPATH: ${{ github.workspace }}/go
     strategy:
       matrix:
         go: [1.12, 1.13, 1.14]
-    steps:
 
+    steps:
     - name: Set up Go ${{ matrix.go }}
       uses: actions/setup-go@v1
       with:
         go-version: ${{ matrix.go }}
-      id: go
 
-    - name: Check out code into GOPATH
+    - name: Check out code
       uses: actions/checkout@v2
-      with:
-        path: go/src/firebase.google.com/go
-
-    - name: Get dependencies
-      run: go get -t -v $(go list ./... | grep -v integration)
 
     - name: Run Linter
       run: |
-        go get golang.org/x/lint/golint
-        $GOPATH/bin/golint -set_exit_status firebase.google.com/go/...
+        go get -u golang.org/x/lint/golint
+        GOLINT=`go list -f {{.Target}} golang.org/x/lint/golint`
+        $GOLINT -set_exit_status ./...
 
     - name: Run Unit Tests
       if: success() || failure()
-      run: go test -v -race -test.short firebase.google.com/go/...
+      run: go test -v -race -test.short ./...
 
     - name: Run Formatter
-      working-directory: ./go/src/firebase.google.com/go
       run: |
         if [[ ! -z "$(gofmt -l -s .)" ]]; then
           echo "Go code is not formatted:"
@@ -45,4 +37,27 @@ jobs:
         fi
 
     - name: Run Static Analyzer
-      run: go vet -v firebase.google.com/go/...
+      run: go vet -v ./...
+
+  gopath:
+    name: Gopath build
+    runs-on: ubuntu-latest
+    env:
+      GOPATH: ${{ github.workspace }}/go
+
+    steps:
+    - name: Set up Go 1.12
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.12
+
+    - name: Check out code into GOPATH
+      uses: actions/checkout@v2
+      with:
+        path: go/src/firebase.google.com/go
+
+    - name: Get dependencies
+      run: go get -t -v $(go list ./... | grep -v integration)
+
+    - name: Run Unit Tests
+      run: go test -v -race -test.short firebase.google.com/go/...

.github/workflows/release.yml

@@ -36,34 +36,26 @@ jobs:
 
     runs-on: ubuntu-latest
 
-    env:
-      GOPATH: ${{ github.workspace }}/go
-
     # When manually triggering the build, the requester can specify a target branch or a tag
     # via the 'ref' client parameter.
     steps:
-    - name: Check out code into GOPATH
-      uses: actions/checkout@v2
-      with:
-        path: go/src/firebase.google.com/go
-        ref: ${{ github.event.client_payload.ref || github.ref }}
-
     - name: Set up Go
       uses: actions/setup-go@v1
       with:
-        go-version: 1.11
+        go-version: 1.12
 
-    - name: Get dependencies
-      run: go get -t -v $(go list ./... | grep -v integration)
+    - name: Check out code
+      uses: actions/checkout@v2
+      with:
+        ref: ${{ github.event.client_payload.ref || github.ref }}
 
     - name: Run Linter
       run: |
-        echo
-        go get golang.org/x/lint/golint
-        $GOPATH/bin/golint -set_exit_status firebase.google.com/go/...
+        go get -u golang.org/x/lint/golint
+        GOLINT=`go list -f {{.Target}} golang.org/x/lint/golint`
+        $GOLINT -set_exit_status ./...
 
     - name: Run Tests
-      working-directory: ./go/src/firebase.google.com/go
       run: ./.github/scripts/run_all_tests.sh
       env:
         FIREBASE_SERVICE_ACCT_KEY: ${{ secrets.FIREBASE_SERVICE_ACCT_KEY }}

README.md

@@ -41,9 +41,9 @@ requests, code review feedback, and also pull requests.
 
 ## Supported Go Versions
 
-We support Go v1.11 and higher.
+We support Go v1.12 and higher.
 [Continuous integration](https://github.com/firebase/firebase-admin-go/actions) system
-tests the code on Go v1.11 through v1.13.
+tests the code on Go v1.12 through v1.14.
 
 ## Documentation
 

auth/auth.go

@@ -23,13 +23,19 @@ import (
 	"strings"
 	"time"
 
-	"firebase.google.com/go/internal"
+	"firebase.google.com/go/v4/internal"
 	"google.golang.org/api/transport"
 )
 
 const (
+	authErrorCode    = "authErrorCode"
 	firebaseAudience = "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"
 	oneHourInSeconds = 3600
+
+	// SDK-generated error codes
+	idTokenRevoked       = "ID_TOKEN_REVOKED"
+	sessionCookieRevoked = "SESSION_COOKIE_REVOKED"
+	tenantIDMismatch     = "TENANT_ID_MISMATCH"
 )
 
 var reservedClaims = []string{
@@ -102,7 +108,6 @@ func NewClient(ctx context.Context, conf *internal.AuthConfig) (*Client, error)
 
 	hc := internal.WithDefaultRetryConfig(transport)
 	hc.CreateErrFn = handleHTTPError
-	hc.SuccessFn = internal.HasSuccessStatus
 	hc.Opts = []internal.HTTPOption{
 		internal.WithHeader("X-Client-Version", fmt.Sprintf("Go/Admin/%s", conf.Version)),
 	}
@@ -261,12 +266,23 @@ func (c *baseClient) withTenantID(tenantID string) *baseClient {
 func (c *baseClient) VerifyIDToken(ctx context.Context, idToken string) (*Token, error) {
 	decoded, err := c.idTokenVerifier.VerifyToken(ctx, idToken)
 	if err == nil && c.tenantID != "" && c.tenantID != decoded.Firebase.Tenant {
-		return nil, internal.Errorf(tenantIDMismatch, "invalid tenant id: %q", decoded.Firebase.Tenant)
+		return nil, &internal.FirebaseError{
+			ErrorCode: internal.InvalidArgument,
+			String:    fmt.Sprintf("invalid tenant id: %q", decoded.Firebase.Tenant),
+			Ext: map[string]interface{}{
+				authErrorCode: tenantIDMismatch,
+			},
+		}
 	}
 
 	return decoded, err
 }
 
+// IsTenantIDMismatch checks if the given error was due to a mismatched tenant ID in a JWT.
+func IsTenantIDMismatch(err error) bool {
+	return hasAuthErrorCode(err, tenantIDMismatch)
+}
+
 // VerifyIDTokenAndCheckRevoked verifies the provided ID token, and additionally checks that the
 // token has not been revoked.
 //
@@ -284,12 +300,27 @@ func (c *baseClient) VerifyIDTokenAndCheckRevoked(ctx context.Context, idToken s
 	if err != nil {
 		return nil, err
 	}
+
 	if revoked {
-		return nil, internal.Error(idTokenRevoked, "ID token has been revoked")
+		return nil, &internal.FirebaseError{
+			ErrorCode: internal.InvalidArgument,
+			String:    "ID token has been revoked",
+			Ext: map[string]interface{}{
+				authErrorCode: idTokenRevoked,
+			},
+		}
 	}
+
 	return decoded, nil
 }
 
+// IsIDTokenRevoked checks if the given error was due to a revoked ID token.
+//
+// When IsIDTokenRevoked returns true, IsIDTokenInvalid is guranteed to return true.
+func IsIDTokenRevoked(err error) bool {
+	return hasAuthErrorCode(err, idTokenRevoked)
+}
+
 // VerifySessionCookie verifies the signature and payload of the provided Firebase session cookie.
 //
 // VerifySessionCookie accepts a signed JWT token string, and verifies that it is current, issued for the
@@ -324,12 +355,27 @@ func (c *Client) VerifySessionCookieAndCheckRevoked(ctx context.Context, session
 	if err != nil {
 		return nil, err
 	}
+
 	if revoked {
-		return nil, internal.Error(sessionCookieRevoked, "session cookie has been revoked")
+		return nil, &internal.FirebaseError{
+			ErrorCode: internal.InvalidArgument,
+			String:    "session cookie has been revoked",
+			Ext: map[string]interface{}{
+				authErrorCode: sessionCookieRevoked,
+			},
+		}
 	}
+
 	return decoded, nil
 }
 
+// IsSessionCookieRevoked checks if the given error was due to a revoked session cookie.
+//
+// When IsSessionCookieRevoked returns true, IsSessionCookieInvalid is guranteed to return true.
+func IsSessionCookieRevoked(err error) bool {
+	return hasAuthErrorCode(err, sessionCookieRevoked)
+}
+
 func (c *baseClient) checkRevoked(ctx context.Context, token *Token) (bool, error) {
 	user, err := c.GetUser(ctx, token.UID)
 	if err != nil {
@@ -338,3 +384,13 @@ func (c *baseClient) checkRevoked(ctx context.Context, token *Token) (bool, erro
 
 	return token.IssuedAt*1000 < user.TokensValidAfterMillis, nil
 }
+
+func hasAuthErrorCode(err error, code string) bool {
+	fe, ok := err.(*internal.FirebaseError)
+	if !ok {
+		return false
+	}
+
+	got, ok := fe.Ext[authErrorCode]
+	return ok && got == code
+}

auth/auth_appengine.go

@@ -19,7 +19,7 @@ package auth
 import (
 	"context"
 
-	"firebase.google.com/go/internal"
+	"firebase.google.com/go/v4/internal"
 	"google.golang.org/appengine"
 )
 

auth/auth_std.go

@@ -14,12 +14,12 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package auth // import "firebase.google.com/go/auth"
+package auth
 
 import (
 	"context"
 
-	"firebase.google.com/go/internal"
+	"firebase.google.com/go/v4/internal"
 )
 
 func newCryptoSigner(ctx context.Context, conf *internal.AuthConfig) (cryptoSigner, error) {