Make Extensions TOS calls best effort (#6167)

* Starting to make TOS checks and acceptance best effort

* Fixing fallthrough behavior

* changelog

CHANGELOG.md

@@ -1 +1,2 @@
+- Fixed an issue where extension instances could not be deployed when authenticated as a service account (#6060).
 - Fixed `glob` usage in Next.js utility function to detect images in `app` directory (#6166)

src/apiv2.ts

@@ -282,11 +282,7 @@ export class Client {
     if (accessToken) {
       return accessToken;
     }
-    // TODO: remove the as any once auth.js is migrated to auth.ts
-    interface AccessToken {
-      access_token: string;
-    }
-    const data = (await auth.getAccessToken(refreshToken, [])) as AccessToken;
+    const data = await auth.getAccessToken(refreshToken, []);
     return data.access_token;
   }
 

src/auth.ts

@@ -702,8 +702,8 @@ async function refreshTokens(
   }
 }
 
-export async function getAccessToken(refreshToken: string, authScopes: string[]) {
-  if (haveValidTokens(refreshToken, authScopes)) {
+export async function getAccessToken(refreshToken: string, authScopes: string[]): Promise<Tokens> {
+  if (haveValidTokens(refreshToken, authScopes) && lastAccessToken) {
     return lastAccessToken;
   }
 

src/extensions/tos.ts

@@ -63,54 +63,72 @@ export async function acceptPublisherTOS(
 export async function acceptLatestPublisherTOS(
   options: { force?: boolean; nonInteractive?: boolean },
   projectId: string
-): Promise<PublisherTOS> {
-  logger.debug(`Checking if latest publisher TOS has been accepted by ${projectId}...`);
-  const currentAcceptance = await getPublisherTOSStatus(projectId);
-  if (currentAcceptance.lastAcceptedVersion) {
+): Promise<PublisherTOS | undefined> {
+  try {
+    logger.debug(`Checking if latest publisher TOS has been accepted by ${projectId}...`);
+    const currentAcceptance = await getPublisherTOSStatus(projectId);
+    if (currentAcceptance.lastAcceptedVersion) {
+      logger.debug(
+        `Already accepted version ${currentAcceptance.lastAcceptedVersion} of Extensions publisher TOS.`
+      );
+      return currentAcceptance;
+    } else {
+      // Display link to TOS, prompt for acceptance
+      const tosLink = extensionsTosUrl("publisher");
+      logger.info(
+        `To continue, you must accept the Firebase Extensions Publisher Terms of Service: ${tosLink}`
+      );
+      if (
+        await confirm({
+          ...options,
+          message: "Do you accept the Firebase Extensions Publisher Terms of Service?",
+        })
+      ) {
+        return acceptPublisherTOS(projectId, currentAcceptance.latestTosVersion);
+      }
+    }
+  } catch (err: any) {
+    // This is a best effort check. When authenticated via a service account instead of OAuth, we cannot
+    // make calls to a private API. The extensions backend will also check TOS acceptance at instance CRUD time.
     logger.debug(
-      `Already accepted version ${currentAcceptance.lastAcceptedVersion} of Extensions publisher TOS.`
-    );
-    return currentAcceptance;
-  } else {
-    // Display link to TOS, prompt for acceptance
-    const tosLink = extensionsTosUrl("publisher");
-    logger.info(
-      `To continue, you must accept the Firebase Extensions Publisher Terms of Service: ${tosLink}`
+      `Error when checking Publisher TOS for ${projectId}. This is expected if authenticated via a service account: ${err}`
     );
-    if (
-      await confirm({
-        ...options,
-        message: "Do you accept the Firebase Extensions Publisher Terms of Service?",
-      })
-    ) {
-      return acceptPublisherTOS(projectId, currentAcceptance.latestTosVersion);
-    }
-    throw new FirebaseError("You must accept the terms of service to continue.");
+    return;
   }
+  throw new FirebaseError("You must accept the terms of service to continue.");
 }
 
 export async function acceptLatestAppDeveloperTOS(
   options: { force?: boolean; nonInteractive?: boolean },
   projectId: string,
   instanceIds: string[]
 ): Promise<AppDevTOS[]> {
-  logger.debug(`Checking if latest AppDeveloper TOS has been accepted by ${projectId}...`);
-  displayDeveloperTOSWarning();
-  const currentAcceptance = await getAppDeveloperTOSStatus(projectId);
-  if (currentAcceptance.lastAcceptedVersion) {
-    logger.debug(`User Terms of Service aready accepted on project ${projectId}.`);
-  } else if (
-    !(await confirm({
-      ...options,
-      message: "Do you accept the Firebase Extensions User Terms of Service?",
-    }))
-  ) {
-    throw new FirebaseError("You must accept the terms of service to continue.");
+  try {
+    logger.debug(`Checking if latest AppDeveloper TOS has been accepted by ${projectId}...`);
+    displayDeveloperTOSWarning();
+    const currentAcceptance = await getAppDeveloperTOSStatus(projectId);
+    if (currentAcceptance.lastAcceptedVersion) {
+      logger.debug(`User Terms of Service aready accepted on project ${projectId}.`);
+    } else if (
+      !(await confirm({
+        ...options,
+        message: "Do you accept the Firebase Extensions User Terms of Service?",
+      }))
+    ) {
+      throw new FirebaseError("You must accept the terms of service to continue.");
+    }
+    const tosPromises = instanceIds.map((instanceId) => {
+      return acceptAppDeveloperTOS(projectId, currentAcceptance.latestTosVersion, instanceId);
+    });
+    return Promise.all(tosPromises);
+  } catch (err: any) {
+    // This is a best effort check. When authenticated via a service account instead of OAuth, we cannot
+    // make calls to a private API. The extensions backend will also check TOS acceptance at instance CRUD time.
+    logger.debug(
+      `Error when checking App Developer TOS for ${projectId}. This is expected if authenticated via a service account: ${err}`
+    );
+    return [];
   }
-  const tosPromises = instanceIds.map((instanceId) => {
-    return acceptAppDeveloperTOS(projectId, currentAcceptance.latestTosVersion, instanceId);
-  });
-  return Promise.all(tosPromises);
 }
 
 export function displayDeveloperTOSWarning(): void {