Decode UTF-8 in ID Token. Fix #4174. (#4357)

* Decode UTF-8 in ID Token. Fix #4174.

* Create fluffy-carrots-jam.md

.changeset/fluffy-carrots-jam.md

@@ -0,0 +1,5 @@
+---
+"@firebase/auth": patch
+---
+
+Decode UTF-8 in ID Token. Fix #4174.

packages/auth/gulpfile.js

@@ -1,6 +1,6 @@
 /**
  * @license
- * Copyright 2017 Google Inc.
+ * Copyright 2017 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -114,7 +114,7 @@ gulp.task('serve', () => {
   );
   app.use(express.static(__dirname));
 
-  app.listen(4000);
+  app.listen(4001);
 });
 
 gulp.task('default', gulp.parallel('cjs', 'esm'));

packages/auth/protractor_spec.js

@@ -1,6 +1,6 @@
 /**
  * @license
- * Copyright 2017 Google Inc.
+ * Copyright 2017 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,7 +17,7 @@
 
 var allTests = require('./generated/all_tests');
 
-var TEST_SERVER = 'http://localhost:4000';
+var TEST_SERVER = 'http://localhost:4001';
 
 var FLAKY_TEST_RETRIAL = 3;
 

packages/auth/src/idtoken.js

@@ -21,6 +21,7 @@
 
 goog.provide('fireauth.IdToken');
 
+goog.require('goog.crypt');
 goog.require('goog.crypt.base64');
 
 
@@ -244,7 +245,9 @@ fireauth.IdToken.parseIdTokenClaims = function(tokenString) {
     jsonInfo += '.';
   }
   try {
-    const token = JSON.parse(goog.crypt.base64.decodeString(jsonInfo, true));
+    const decodedClaims = goog.crypt.utf8ByteArrayToString(
+        goog.crypt.base64.decodeStringToByteArray(jsonInfo));
+    const token = JSON.parse(decodedClaims);
     return /** @type {?Object} */ (token);
   } catch (e) {}
   return null;

packages/auth/test/idtoken_test.js

@@ -147,6 +147,34 @@ var tokenCustomClaim = 'HEAD.eyJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5j' +
     'bl9pbl9wcm92aWRlciI6InBhc3N3b3JkIn19.SIGNATURE';
 
 
+// "iss": "https://securetoken.google.com/projectId",
+// "name": "John Doe",
+// "role": "Админ",  // <---- Note non-ascii characters here
+// "aud": "projectId",
+// "auth_time": 1522715325,
+// "sub": "nep2uwNCK4PqjvoKjb0InVJHlGi1",
+// "iat": 1522776807,
+// "exp": 1522780575,
+// "email": "testuser@gmail.com",
+// "email_verified": true,
+// "firebase": {
+//   "identities": {
+//     "email": [
+//       "testuser@gmail.com"
+//     ]
+//   },
+//   "sign_in_provider": "custom"
+// }
+var tokenCustomClaimWithUnicodeChar = 'HEAD.eyJpc3MiOiJodHRwczovL3NlY3VyZXRv' +
+    'a2VuLmdvb2dsZS5jb20vcHJvamVjdElkIiwibmFtZSI6IkpvaG4gRG9lIiwicm9sZSI6ItC' +
+    'Q0LTQvNC40L0iLCJhdWQiOiJwcm9qZWN0SWQiLCJhdXRoX3RpbWUiOjE1MjI3MTUzMjUsIn' +
+    'N1YiI6Im5lcDJ1d05DSzRQcWp2b0tqYjBJblZKSGxHaTEiLCJpYXQiOjE1MjI3NzY4MDcsI' +
+    'mV4cCI6MTUyMjc4MDU3NSwiZW1haWwiOiJ0ZXN0dXNlckBnbWFpbC5jb20iLCJlbWFpbF92' +
+    'ZXJpZmllZCI6dHJ1ZSwiZmlyZWJhc2UiOnsiaWRlbnRpdGllcyI6eyJlbWFpbCI6WyJ0ZXN' +
+    '0dXNlckBnbWFpbC5jb20iXX0sInNpZ25faW5fcHJvdmlkZXIiOiJjdXN0b20ifX0=.SIGNA' +
+    'TURE';
+
+
 // "iss": "https://securetoken.google.com/projectId",
 // "name": "John Doe",
 // "aud": "projectId",
@@ -405,3 +433,31 @@ function testParseIdTokenClaims_customClaims() {
       },
       tokenJSON);
 }
+
+
+function testParseIdTokenClaims_tokenCustomClaimWithUnicodeChar() {
+  const tokenJSON = fireauth.IdToken.parseIdTokenClaims(
+      tokenCustomClaimWithUnicodeChar);
+  assertObjectEquals(
+      {
+        'iss': 'https://securetoken.google.com/projectId',
+        'name': 'John Doe',
+        'role': 'Админ',
+        'aud': 'projectId',
+        'auth_time': 1522715325,
+        'sub': 'nep2uwNCK4PqjvoKjb0InVJHlGi1',
+        'iat': 1522776807,
+        'exp': 1522780575,
+        'email': "testuser@gmail.com",
+        'email_verified': true,
+        'firebase': {
+          'identities': {
+            'email': [
+              'testuser@gmail.com'
+            ]
+          },
+          'sign_in_provider': 'custom'
+        }
+      },
+      tokenJSON);
+}