Fix Issues with verifyIdToken

packages/dart_firebase_admin/lib/src/auth/token_verifier.dart

@@ -79,9 +79,7 @@ class FirebaseTokenVerifier {
       isEmulator: isEmulator,
     );
 
-    final decodedIdToken = DecodedIdToken.fromMap(decoded.payload);
-    decodedIdToken.uid = decodedIdToken.sub;
-    return decodedIdToken;
+    return DecodedIdToken.fromMap(decoded.payload);
   }
 
   Future<DecodedToken> _decodeAndVerify(
@@ -249,6 +247,17 @@ class TokenProvider {
     required this.tenant,
   });
 
+  @internal
+  factory TokenProvider.fromMap(Map<dynamic, dynamic> map) {
+    return TokenProvider(
+      identities: map['identities']! as Map<String, Object?>,
+      signInProvider: map['sign_in_provider']! as String,
+      signInSecondFactor: map['sign_in_second_factor'] as String?,
+      secondFactorIdentifier: map['second_factor_identifier'] as String?,
+      tenant: map['tenant'] as String?,
+    );
+  }
+
   /// Provider-specific identity details corresponding
   /// to the provider used to sign in the user.
   Map<String, Object?> identities;
@@ -313,19 +322,13 @@ class DecodedIdToken {
       email: map['email'] as String?,
       emailVerified: map['email_verified'] as bool?,
       exp: map['exp']! as int,
-      firebase: TokenProvider(
-        identities: Map.from(map['firebase']! as Map),
-        signInProvider: map['sign_in_provider']! as String,
-        signInSecondFactor: map['sign_in_second_factor'] as String?,
-        secondFactorIdentifier: map['second_factor_identifier'] as String?,
-        tenant: map['tenant'] as String?,
-      ),
+      firebase: TokenProvider.fromMap(map['firebase']! as Map),
       iat: map['iat']! as int,
       iss: map['iss']! as String,
       phoneNumber: map['phone_number'] as String?,
       picture: map['picture'] as String?,
       sub: map['sub']! as String,
-      uid: map['uid']! as String,
+      uid: map['sub']! as String,
     );
   }
 

packages/dart_firebase_admin/lib/src/utils/jwt.dart

@@ -9,12 +9,15 @@ class EmulatorSignatureVerifier implements SignatureVerifier {
   @override
   Future<void> verify(String token) async {
     // Signature checks skipped for emulator; no need to fetch public keys.
+
     try {
       verifyJwtSignature(
         token,
         SecretKey(''),
       );
     } on JWTInvalidException catch (e) {
+      // Emulator tokens have "alg": "none"
+      if (e.message == 'unknown algorithm') return;
       if (e.message == 'invalid signature') return;
       rethrow;
     }
@@ -122,11 +125,23 @@ class PublicKeySignatureVerifier implements SignatureVerifier {
           'no-matching-kid-error',
         );
       }
-      verifyJwtSignature(
-        token,
-        RSAPublicKey.cert(publicKey),
-        issueAt: Duration.zero, // Any past date should be valid
-      );
+
+      try {
+        verifyJwtSignature(
+          token,
+          RSAPublicKey.cert(publicKey),
+          issueAt: Duration.zero, // Any past date should be valid
+        );
+      } catch (e, stackTrace) {
+        Error.throwWithStackTrace(
+          JwtError(
+            JwtErrorCode.invalidSignature,
+            'Error while verifying signature of Firebase ID token: $e',
+          ),
+          stackTrace,
+        );
+      }
+
       // At this point most JWTException's should have been caught in
       // verifyJwtSignature, but we could still get some from JWT.decode above
     } on JWTException catch (e) {
@@ -169,14 +184,6 @@ void verifyJwtSignature(
       ),
       stackTrace,
     );
-  } catch (e, stackTrace) {
-    Error.throwWithStackTrace(
-      JwtError(
-        JwtErrorCode.invalidSignature,
-        'Error while verifying signature of Firebase ID token: $e',
-      ),
-      stackTrace,
-    );
   }
 }
 

packages/dart_firebase_admin/test/auth/token_verifier_test.dart

@@ -0,0 +1,52 @@
+import 'package:dart_firebase_admin/src/auth.dart';
+import 'package:test/test.dart';
+
+void main() {
+  group('DecodedIdToken', () {
+    test('.fromMap', () async {
+      final idToken = DecodedIdToken.fromMap(
+        {
+          'aud': 'mock-aud',
+          'auth_time': 1,
+          'email': 'mock-email',
+          'email_verified': true,
+          'exp': 1,
+          'firebase': {
+            'identities': {
+              'email': 'mock-email',
+            },
+            'sign_in_provider': 'mock-sign-in-provider',
+            'sign_in_second_factor': 'mock-sign-in-second-factor',
+            'second_factor_identifier': 'mock-second-factor-identifier',
+            'tenant': 'mock-tenant',
+          },
+          'iat': 1,
+          'iss': 'mock-iss',
+          'phone_number': 'mock-phone-number',
+          'picture': 'mock-picture',
+          'sub': 'mock-sub',
+          'uid': 'mock-sub',
+        },
+      );
+      expect(idToken.aud, 'mock-aud');
+      expect(idToken.authTime, DateTime.fromMillisecondsSinceEpoch(1000));
+      expect(idToken.email, 'mock-email');
+      expect(idToken.emailVerified, true);
+      expect(idToken.exp, 1);
+      expect(idToken.firebase.identities, {'email': 'mock-email'});
+      expect(idToken.firebase.signInProvider, 'mock-sign-in-provider');
+      expect(idToken.firebase.signInSecondFactor, 'mock-sign-in-second-factor');
+      expect(
+        idToken.firebase.secondFactorIdentifier,
+        'mock-second-factor-identifier',
+      );
+      expect(idToken.firebase.tenant, 'mock-tenant');
+      expect(idToken.iat, 1);
+      expect(idToken.iss, 'mock-iss');
+      expect(idToken.phoneNumber, 'mock-phone-number');
+      expect(idToken.picture, 'mock-picture');
+      expect(idToken.sub, 'mock-sub');
+      expect(idToken.uid, 'mock-sub');
+    });
+  });
+}