draft pr for callable functions

Author: aiwenisevan

FirebaseAppCheck/Interop/FIRAppCheckInterop.h

@@ -31,6 +31,10 @@ NS_SWIFT_NAME(AppCheckInterop) @protocol FIRAppCheckInterop
                     completion:(FIRAppCheckTokenHandlerInterop)handler
     NS_SWIFT_NAME(getToken(forcingRefresh:completion:));
 
+/// Retrieve a new limited-use Firebase App Check token
+- (void)getLimitedUseTokenWithCompletion:(FIRAppCheckTokenHandlerInterop)handler
+    NS_SWIFT_NAME(getLimitedUseToken(completion:));
+
 /// A notification with the specified name is sent to the default notification center
 /// (`NotificationCenter.default`) each time a Firebase app check token is refreshed.
 /// The user info dictionary contains `-[self notificationTokenKey]` and

FirebaseAppCheck/Sources/Core/FIRAppCheck.m

@@ -234,6 +234,21 @@ - (void)getTokenForcingRefresh:(BOOL)forcingRefresh
       });
 }
 
+- (void)getLimitedUseTokenWithCompletion:(FIRAppCheckTokenHandlerInterop)handler {
+  [self retrieveLimitedUseToken]
+      .then(^id _Nullable(FIRAppCheckToken *token) {
+        FIRAppCheckTokenResult *result = [[FIRAppCheckTokenResult alloc] initWithToken:token.token
+                                                                                 error:nil];
+        handler(result);
+        return result;
+      })
+      .catch(^(NSError *_Nonnull error) {
+        FIRAppCheckTokenResult *result =
+            [[FIRAppCheckTokenResult alloc] initWithToken:kDummyFACTokenValue error:error];
+        handler(result);
+      });
+}
+
 - (nonnull NSString *)tokenDidChangeNotificationName {
   return FIRAppCheckAppCheckTokenDidChangeNotification;
 }

FirebaseFunctions/Sources/Functions.swift

@@ -59,6 +59,9 @@ internal enum FunctionsConstants {
   /// The region to use for all function references.
   internal let region: String
 
+  /// The boolean to decide if getLimitedUseToken() is generated
+  internal var useLimitedUseAppCheckToken: Bool = false
+
   // MARK: - Public APIs
 
   /**
@@ -139,11 +142,19 @@ internal enum FunctionsConstants {
    * Creates a reference to the Callable HTTPS trigger with the given name.
    * - Parameter name The name of the Callable HTTPS trigger.
    */
-  @objc(HTTPSCallableWithName:) open func httpsCallable(_ name: String) -> HTTPSCallable {
+  @objc(HTTPSCallableWithName:useLimitedUseAppCheckToken:) open func httpsCallable(_ name: String,
+                                                                                   useLimitedUseAppCheckToken: Bool =
+                                                                                     false)
+    -> HTTPSCallable {
+    self.useLimitedUseAppCheckToken = useLimitedUseAppCheckToken
     return HTTPSCallable(functions: self, name: name)
   }
 
-  @objc(HTTPSCallableWithURL:) open func httpsCallable(_ url: URL) -> HTTPSCallable {
+  @objc(HTTPSCallableWithURL:useLimitedUseAppCheckToken:) open func httpsCallable(_ url: URL,
+                                                                                  useLimitedUseAppCheckToken: Bool =
+                                                                                    false)
+    -> HTTPSCallable {
+    self.useLimitedUseAppCheckToken = useLimitedUseAppCheckToken
     return HTTPSCallable(functions: self, url: url)
   }
 
@@ -157,14 +168,19 @@ internal enum FunctionsConstants {
   /// - Returns: A reference to an HTTPS-callable Cloud Function that can be used to make Cloud Functions invocations.
   open func httpsCallable<Request: Encodable,
     Response: Decodable>(_ name: String,
+                         useLimitedUseAppCheckToken: Bool,
                          requestAs: Request.Type = Request.self,
                          responseAs: Response.Type = Response.self,
                          encoder: FirebaseDataEncoder = FirebaseDataEncoder(
                          ),
                          decoder: FirebaseDataDecoder = FirebaseDataDecoder(
                          ))
     -> Callable<Request, Response> {
-    return Callable(callable: httpsCallable(name), encoder: encoder, decoder: decoder)
+    return Callable(
+      callable: httpsCallable(name, useLimitedUseAppCheckToken: useLimitedUseAppCheckToken),
+      encoder: encoder,
+      decoder: decoder
+    )
   }
 
   /// Creates a reference to the Callable HTTPS trigger with the given name, the type of an `Encodable`
@@ -177,14 +193,19 @@ internal enum FunctionsConstants {
   /// - Returns: A reference to an HTTPS-callable Cloud Function that can be used to make Cloud Functions invocations.
   open func httpsCallable<Request: Encodable,
     Response: Decodable>(_ url: URL,
+                         useLimitedUseAppCheckToken: Bool,
                          requestAs: Request.Type = Request.self,
                          responseAs: Response.Type = Response.self,
                          encoder: FirebaseDataEncoder = FirebaseDataEncoder(
                          ),
                          decoder: FirebaseDataDecoder = FirebaseDataDecoder(
                          ))
     -> Callable<Request, Response> {
-    return Callable(callable: httpsCallable(url), encoder: encoder, decoder: decoder)
+    return Callable(
+      callable: httpsCallable(url, useLimitedUseAppCheckToken: useLimitedUseAppCheckToken),
+      encoder: encoder,
+      decoder: decoder
+    )
   }
 
   /**
@@ -353,8 +374,20 @@ internal enum FunctionsConstants {
       fetcher.setRequestValue(fcmToken, forHTTPHeaderField: Constants.fcmTokenHeader)
     }
 
-    if let appCheckToken = context.appCheckToken {
-      fetcher.setRequestValue(appCheckToken, forHTTPHeaderField: Constants.appCheckTokenHeader)
+    if useLimitedUseAppCheckToken == true {
+      if let appCheckToken = context.limitedUseAppCheckToken {
+        fetcher.setRequestValue(
+          appCheckToken,
+          forHTTPHeaderField: Constants.appCheckTokenHeader
+        )
+      }
+    } else {
+      if let appCheckToken = context.appCheckToken {
+        fetcher.setRequestValue(
+          appCheckToken,
+          forHTTPHeaderField: Constants.appCheckTokenHeader
+        )
+      }
     }
 
     // Override normal security rules if this is a local test.

FirebaseFunctions/Sources/Internal/FunctionsContext.swift

@@ -22,11 +22,14 @@ internal class FunctionsContext: NSObject {
   let authToken: String?
   let fcmToken: String?
   let appCheckToken: String?
+  let limitedUseAppCheckToken: String?
 
-  init(authToken: String?, fcmToken: String?, appCheckToken: String?) {
+  init(authToken: String?, fcmToken: String?, appCheckToken: String?,
+       limitedUseAppCheckToken: String?) {
     self.authToken = authToken
     self.fcmToken = fcmToken
     self.appCheckToken = appCheckToken
+    self.limitedUseAppCheckToken = limitedUseAppCheckToken
   }
 }
 
@@ -54,6 +57,7 @@ internal class FunctionsContextProvider: NSObject {
     var authToken: String?
     var appCheckToken: String?
     var error: Error?
+    var limitedUseAppCheckToken: String?
 
     if let auth = auth {
       dispatchGroup.enter()
@@ -77,10 +81,23 @@ internal class FunctionsContextProvider: NSObject {
       }
     }
 
+    if let appCheck = appCheck {
+      dispatchGroup.enter()
+
+      appCheck.getLimitedUseToken { tokenResult in
+        // Send only valid token to functions.
+        if tokenResult.error == nil {
+          appCheckToken = tokenResult.token
+        }
+        dispatchGroup.leave()
+      }
+    }
+
     dispatchGroup.notify(queue: .main) {
       let context = FunctionsContext(authToken: authToken,
                                      fcmToken: self.messaging?.fcmToken,
-                                     appCheckToken: appCheckToken)
+                                     appCheckToken: appCheckToken,
+                                     limitedUseAppCheckToken: limitedUseAppCheckToken)
       completion(context, error)
     }
   }