CyberSys
diff --git a/‎.github/workflows/ci.yml
Lines changed: 5 additions & 5 deletions b/‎.github/workflows/ci.yml
Lines changed: 5 additions & 5 deletions
diff --git a/‎.github/workflows/release.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/release.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎CONTRIBUTING.md
Lines changed: 89 additions & 38 deletions b/‎CONTRIBUTING.md
Lines changed: 89 additions & 38 deletions
diff --git a/‎README.md
Lines changed: 2 additions & 1 deletion b/‎README.md
Lines changed: 2 additions & 1 deletion
diff --git a/‎firebase_admin/__about__.py
Lines changed: 1 addition & 1 deletion b/‎firebase_admin/__about__.py
Lines changed: 1 addition & 1 deletion
diff --git a/‎firebase_admin/__init__.py
Lines changed: 3 additions & 2 deletions b/‎firebase_admin/__init__.py
Lines changed: 3 additions & 2 deletions
diff --git a/‎firebase_admin/_auth_client.py
Lines changed: 4 additions & 2 deletions b/‎firebase_admin/_auth_client.py
Lines changed: 4 additions & 2 deletions
diff --git a/‎firebase_admin/_token_gen.py
Lines changed: 12 additions & 6 deletions b/‎firebase_admin/_token_gen.py
Lines changed: 12 additions & 6 deletions
diff --git a/‎firebase_admin/_user_mgt.py
Lines changed: 1 addition & 1 deletion b/‎firebase_admin/_user_mgt.py
Lines changed: 1 addition & 1 deletion
diff --git a/‎firebase_admin/app_check.py
Lines changed: 10 additions & 4 deletions b/‎firebase_admin/app_check.py
Lines changed: 10 additions & 4 deletions
diff --git a/‎firebase_admin/auth.py
Lines changed: 9 additions & 5 deletions b/‎firebase_admin/auth.py
Lines changed: 9 additions & 5 deletions
diff --git a/‎firebase_admin/firestore.py
Lines changed: 1 addition & 1 deletion b/‎firebase_admin/firestore.py
Lines changed: 1 addition & 1 deletion
diff --git a/‎integration/test_auth.py
Lines changed: 1 addition & 0 deletions b/‎integration/test_auth.py
Lines changed: 1 addition & 0 deletions
@@ -11,7 +11,7 @@ jobs:
         python: ['3.7', '3.8', '3.9', '3.10', 'pypy3.8']
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Set up Python ${{ matrix.python }}
       uses: actions/setup-python@v4
       with:
@@ -22,10 +22,10 @@ jobs:
         pip install -r requirements.txt
     - name: Test with pytest
       run: pytest
-    - name: Set up Node.js 16
-      uses: actions/setup-node@v1
+    - name: Set up Node.js 20
+      uses: actions/setup-node@v4
       with:
         node-version: 16.x
+        node-version: 20
     - name: Run integration tests against emulator
       run: |
         npm install -g firebase-tools
@@ -34,7 +34,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Set up Python 3.7
       uses: actions/setup-python@v4
       with:
 
@@ -87,7 +87,7 @@ jobs:
     #   3. with the label 'release:publish', and
     #   4. the title prefix '[chore] Release '.
     if: github.event.pull_request.merged &&
-      github.ref == 'master' &&
+      github.ref == 'refs/heads/master' &&
       contains(github.event.pull_request.labels.*.name, 'release:publish') &&
       startsWith(github.event.pull_request.title, '[chore] Release ')
 
 
@@ -162,44 +162,95 @@ pytest --cov=firebase_admin --cov=tests
 
 ### Integration Testing
 
-A suite of integration tests are available under the `integration/` directory.
-These tests are designed to run against an actual Firebase project. Create a new
-project in the [Firebase Console](https://console.firebase.google.com), if you
-do not already have one suitable for running the tests aginst. Then obtain the
-following credentials from the project:
-
-1. *Service account certificate*: This can be downloaded as a JSON file from
-   the "Settings > Service Accounts" tab of the Firebase console. Copy the
-   file into the repo so it's available at `cert.json`.
-2. *Web API key*: This is displayed in the "Settings > General" tab of the
-   console. Copy it and save to a new text file at `apikey.txt`.
-
-Then set up your Firebase/GCP project as follows:
-
-1. Enable Firestore: Go to the Firebase Console, and select "Database" from
-   the "Develop" menu. Click on the "Create database" button. You may choose
-   to set up Firestore either in the locked mode or in the test mode.
-2. Enable password auth: Select "Authentication" from the "Develop" menu in
-   Firebase Console. Select the "Sign-in method" tab, and enable the
-   "Email/Password" sign-in method, including the Email link (passwordless
-   sign-in) option.
-3. Enable the Firebase ML API: Go to the
-   [Google Developers Console](
-   https://console.developers.google.com/apis/api/firebaseml.googleapis.com/overview)
-   and make sure your project is selected. If the API is not already enabled, click Enable.
-4. Enable the IAM API: Go to the
-   [Google Cloud Platform Console](https://console.cloud.google.com) and make
-   sure your Firebase/GCP project is selected. Select "APIs & Services >
-   Dashboard" from the main menu, and click the "ENABLE APIS AND SERVICES"
-   button. Search for and enable the "Identity and Access Management (IAM)
-   API".
-5. Grant your service account the 'Firebase Authentication Admin' role. This is
-   required to ensure that exported user records contain the password hashes of
-   the user accounts:
-   1. Go to [Google Cloud Platform Console / IAM & admin](https://console.cloud.google.com/iam-admin).
-   2. Find your service account in the list, and click the 'pencil' icon to edit it's permissions.
-   3. Click 'ADD ANOTHER ROLE' and choose 'Firebase Authentication Admin'.
-   4. Click 'SAVE'.
+
+Integration tests are executed against a real life Firebase project. If you do not already
+have one suitable for running the tests against, you can create a new project in the
+[Firebase Console](https://console.firebase.google.com) following the setup guide below.
+If you already have a Firebase project, you'll need to obtain credentials to communicate and
+authorize access to your Firebase project:
+
+
+1. Service account certificate: This allows access to your Firebase project through a service account
+which is required for all integration tests. This can be downloaded as a JSON file from the 
+**Settings > Service Accounts** tab of the Firebase console when you click the
+**Generate new private key** button. Copy the file into the repo so it's available at `cert.json`.
+   > **Note:** Service accounts should be carefully managed and their keys should never be stored in publicly accessible source code or repositories.
+
+
+2. Web API key: This allows for Auth sign-in needed for some Authentication and Tenant Management
+integration tests. This is displayed in the **Settings > General** tab of the Firebase console
+after enabling Authentication as described in the steps below. Copy it and save to a new text
+file at `apikey.txt`.
+
+
+Set up your Firebase project as follows:
+
+
+1. Enable Authentication:
+   1. Go to the Firebase Console, and select **Authentication** from the **Build** menu.
+   2. Click on **Get Started**.
+   3. Select **Sign-in method > Add new provider > Email/Password** then enable both the
+   **Email/Password** and **Email link (passwordless sign-in)** options.
+
+
+2. Enable Firestore:
+   1. Go to the Firebase Console, and select **Firestore Database** from the **Build** menu.
+   2. Click on the **Create database** button. You can choose to set up Firestore either in
+   the production mode or in the test mode.
+
+
+3. Enable Realtime Database:
+   1. Go to the Firebase Console, and select **Realtime Database** from the **Build** menu.
+   2. Click on the **Create Database** button. You can choose to set up the Realtime Database
+   either in the locked mode or in the test mode.
+
+   > **Note:** Integration tests are not run against the default Realtime Database reference and are
+   instead run against a database created at `https://{PROJECT_ID}.firebaseio.com`.
+   This second Realtime Database reference is created in the following steps.
+
+   3. In the **Data** tab click on the kebab menu (3 dots) and select **Create Database**.
+   4. Enter your Project ID (Found in the **General** tab in **Account Settings**) as the
+   **Realtime Database reference**. Again, you can choose to set up the Realtime Database
+   either in the locked mode or in the test mode.
+
+
+4. Enable Storage:
+   1. Go to the Firebase Console, and select **Storage** from the **Build** menu.
+   2. Click on the **Get started** button. You can choose to set up Cloud Storage
+   either in the production mode or in the test mode.
+
+
+5. Enable the Firebase ML API:
+   1. Go to the
+   [Google Cloud console | Firebase ML API](https://console.cloud.google.com/apis/api/firebaseml.googleapis.com/overview)
+   and make sure your project is selected.
+   2. If the API is not already enabled, click **Enable**.
+
+
+6. Enable the IAM API:
+   1. Go to the [Google Cloud console](https://console.cloud.google.com)
+   and make sure your Firebase project is selected.
+   2. Select **APIs & Services** from the main menu, and click the
+   **ENABLE APIS AND SERVICES** button.
+   3. Search for and enable **Identity and Access Management (IAM) API** by Google Enterprise API.
+
+
+7. Enable Tenant Management:
+   1. Go to
+   [Google Cloud console | Identity Platform](https://console.cloud.google.com/customer-identity/)
+   and if it is not already enabled, click **Enable**.
+   2. Then
+   [enable multi-tenancy](https://cloud.google.com/identity-platform/docs/multi-tenancy-quickstart#enabling_multi-tenancy)
+   for your project.
+
+
+8. Ensure your service account has the **Firebase Authentication Admin** role. This is required
+to ensure that exported user records contain the password hashes of the user accounts:
+   1. Go to [Google Cloud console | IAM & admin](https://console.cloud.google.com/iam-admin).
+   2. Find your service account in the list. If not added click the pencil icon to edit its
+   permissions.
+   3. Click **ADD ANOTHER ROLE** and choose **Firebase Authentication Admin**.
+   4. Click **SAVE**.
 
 
 Now you can invoke the integration test suite as follows:
 
@@ -43,7 +43,8 @@ requests, code review feedback, and also pull requests.
 
 ## Supported Python Versions
 
-We currently support Python 3.7+. Firebase
+We currently support Python 3.7+. However, Python 3.7 support is deprecated,
+and developers are strongly advised to use Python 3.8 or higher. Firebase
 Admin Python SDK is also tested on PyPy and
 [Google App Engine](https://cloud.google.com/appengine/) environments.
 
 
@@ -14,7 +14,7 @@
 
 """About information (version, etc) for Firebase Admin SDK."""
 
-__version__ = '6.2.0'
+__version__ = '6.3.0'
 __title__ = 'firebase_admin'
 __author__ = 'Firebase'
 __license__ = 'Apache License 2.0'
 
@@ -50,8 +50,9 @@ def initialize_app(credential=None, options=None, name=_DEFAULT_APP_NAME):
           Google Application Default Credentials are used.
       options: A dictionary of configuration options (optional). Supported options include
           ``databaseURL``, ``storageBucket``, ``projectId``, ``databaseAuthVariableOverride``,
-          ``serviceAccountId`` and ``httpTimeout``. If ``httpTimeout`` is not set, the SDK
-          uses a default timeout of 120 seconds.
+          ``serviceAccountId`` and ``httpTimeout``. If ``httpTimeout`` is not set, the SDK uses
+          a default timeout of 120 seconds.
+
       name: Name of the app (optional).
     Returns:
       App: A newly initialized instance of App.
 
@@ -92,7 +92,7 @@ def create_custom_token(self, uid, developer_claims=None):
         return self._token_generator.create_custom_token(
             uid, developer_claims, tenant_id=self.tenant_id)
 
-    def verify_id_token(self, id_token, check_revoked=False):
+    def verify_id_token(self, id_token, check_revoked=False, clock_skew_seconds=0):
         """Verifies the signature and data for the provided JWT.
 
         Accepts a signed token string, verifies that it is current, was issued
@@ -102,6 +102,8 @@ def verify_id_token(self, id_token, check_revoked=False):
             id_token: A string of the encoded JWT.
             check_revoked: Boolean, If true, checks whether the token has been revoked or
                 the user disabled (optional).
+            clock_skew_seconds: The number of seconds to tolerate when checking the token.
+                Must be between 0-60. Defaults to 0.
 
         Returns:
             dict: A dictionary of key-value pairs parsed from the decoded JWT.
@@ -124,7 +126,7 @@ def verify_id_token(self, id_token, check_revoked=False):
             raise ValueError('Illegal check_revoked argument. Argument must be of type '
                              ' bool, but given "{0}".'.format(type(check_revoked)))
 
-        verified_claims = self._token_verifier.verify_id_token(id_token)
+        verified_claims = self._token_verifier.verify_id_token(id_token, clock_skew_seconds)
         if self.tenant_id:
             token_tenant_id = verified_claims.get('firebase', {}).get('tenant')
             if self.tenant_id != token_tenant_id:
 
@@ -289,11 +289,11 @@ def __init__(self, app):
             invalid_token_error=InvalidSessionCookieError,
             expired_token_error=ExpiredSessionCookieError)
 
-    def verify_id_token(self, id_token):
-        return self.id_token_verifier.verify(id_token, self.request)
+    def verify_id_token(self, id_token, clock_skew_seconds=0):
+        return self.id_token_verifier.verify(id_token, self.request, clock_skew_seconds)
 
-    def verify_session_cookie(self, cookie):
-        return self.cookie_verifier.verify(cookie, self.request)
+    def verify_session_cookie(self, cookie, clock_skew_seconds=0):
+        return self.cookie_verifier.verify(cookie, self.request, clock_skew_seconds)
 
 
 class _JWTVerifier:
@@ -313,7 +313,7 @@ def __init__(self, **kwargs):
         self._invalid_token_error = kwargs.pop('invalid_token_error')
         self._expired_token_error = kwargs.pop('expired_token_error')
 
-    def verify(self, token, request):
+    def verify(self, token, request, clock_skew_seconds=0):
         """Verifies the signature and data for the provided JWT."""
         token = token.encode('utf-8') if isinstance(token, str) else token
         if not isinstance(token, bytes) or not token:
@@ -328,6 +328,11 @@ def verify(self, token, request):
                 'or set your Firebase project ID as an app option. Alternatively set the '
                 'GOOGLE_CLOUD_PROJECT environment variable.'.format(self.operation))
 
+        if clock_skew_seconds < 0 or clock_skew_seconds > 60:
+            raise ValueError(
+                'Illegal clock_skew_seconds value: {0}. Must be between 0 and 60, inclusive.'
+                .format(clock_skew_seconds))
+
         header, payload = self._decode_unverified(token)
         issuer = payload.get('iss')
         audience = payload.get('aud')
@@ -393,7 +398,8 @@ def verify(self, token, request):
                     token,
                     request=request,
                     audience=self.project_id,
-                    certs_url=self.cert_url)
+                    certs_url=self.cert_url,
+                    clock_skew_in_seconds=clock_skew_seconds)
             verified_claims['uid'] = verified_claims['sub']
             return verified_claims
         except google.auth.exceptions.TransportError as error:
 
@@ -540,7 +540,7 @@ def encode_action_code_settings(settings):
         if not isinstance(settings.ios_bundle_id, str):
             raise ValueError('Invalid value provided for ios_bundle_id: {0}'
                              .format(settings.ios_bundle_id))
-        parameters['iosBundleId'] = settings.ios_bundle_id
+        parameters['iOSBundleId'] = settings.ios_bundle_id
 
     # android_* attributes
     if (settings.android_minimum_version or settings.android_install_app) \
 
@@ -16,7 +16,7 @@
 
 from typing import Any, Dict
 import jwt
-from jwt import PyJWKClient, ExpiredSignatureError, InvalidTokenError
+from jwt import PyJWKClient, ExpiredSignatureError, InvalidTokenError, DecodeError
 from jwt import InvalidAudienceError, InvalidIssuerError, InvalidSignatureError
 from firebase_admin import _utils
 
@@ -38,6 +38,7 @@ def verify_token(token: str, app=None) -> Dict[str, Any]:
     Raises:
         ValueError: If the app's ``project_id`` is invalid or unspecified,
         or if the token's headers or payload are invalid.
+        PyJWKClientError: If PyJWKClient fails to fetch a valid signing key.
     """
     return _get_app_check_service(app).verify_token(token)
 
@@ -71,9 +72,14 @@ def verify_token(self, token: str) -> Dict[str, Any]:
         # Obtain the Firebase App Check Public Keys
         # Note: It is not recommended to hard code these keys as they rotate,
         # but you should cache them for up to 6 hours.
-        signing_key = self._jwks_client.get_signing_key_from_jwt(token)
-        self._has_valid_token_headers(jwt.get_unverified_header(token))
-        verified_claims = self._decode_and_verify(token, signing_key.key)
+        try:
+            signing_key = self._jwks_client.get_signing_key_from_jwt(token)
+            self._has_valid_token_headers(jwt.get_unverified_header(token))
+            verified_claims = self._decode_and_verify(token, signing_key.key)
+        except (InvalidTokenError, DecodeError) as exception:
+            raise ValueError(
+                f'Verifying App Check token failed. Error: {exception}'
+                )
 
         verified_claims['app_id'] = verified_claims.get('sub')
         return verified_claims
 
@@ -191,7 +191,7 @@ def create_custom_token(uid, developer_claims=None, app=None):
     return client.create_custom_token(uid, developer_claims)
 
 
-def verify_id_token(id_token, app=None, check_revoked=False):
+def verify_id_token(id_token, app=None, check_revoked=False, clock_skew_seconds=0):
     """Verifies the signature and data for the provided JWT.
 
     Accepts a signed token string, verifies that it is current, and issued
@@ -202,7 +202,8 @@ def verify_id_token(id_token, app=None, check_revoked=False):
         app: An App instance (optional).
         check_revoked: Boolean, If true, checks whether the token has been revoked or
             the user disabled (optional).
-
+        clock_skew_seconds: The number of seconds to tolerate when checking the token.
+            Must be between 0-60. Defaults to 0.
     Returns:
         dict: A dictionary of key-value pairs parsed from the decoded JWT.
 
@@ -217,7 +218,8 @@ def verify_id_token(id_token, app=None, check_revoked=False):
             record is disabled.
     """
     client = _get_client(app)
-    return client.verify_id_token(id_token, check_revoked=check_revoked)
+    return client.verify_id_token(
+        id_token, check_revoked=check_revoked, clock_skew_seconds=clock_skew_seconds)
 
 
 def create_session_cookie(id_token, expires_in, app=None):
@@ -243,7 +245,7 @@ def create_session_cookie(id_token, expires_in, app=None):
     return client._token_generator.create_session_cookie(id_token, expires_in)
 
 
-def verify_session_cookie(session_cookie, check_revoked=False, app=None):
+def verify_session_cookie(session_cookie, check_revoked=False, app=None, clock_skew_seconds=0):
     """Verifies a Firebase session cookie.
 
     Accepts a session cookie string, verifies that it is current, and issued
@@ -254,6 +256,7 @@ def verify_session_cookie(session_cookie, check_revoked=False, app=None):
         check_revoked: Boolean, if true, checks whether the cookie has been revoked or the
             user disabled (optional).
         app: An App instance (optional).
+        clock_skew_seconds: The number of seconds to tolerate when checking the cookie.
 
     Returns:
         dict: A dictionary of key-value pairs parsed from the decoded JWT.
@@ -270,7 +273,8 @@ def verify_session_cookie(session_cookie, check_revoked=False, app=None):
     """
     client = _get_client(app)
     # pylint: disable=protected-access
-    verified_claims = client._token_verifier.verify_session_cookie(session_cookie)
+    verified_claims = client._token_verifier.verify_session_cookie(
+        session_cookie, clock_skew_seconds)
     if check_revoked:
         client._check_jwt_revoked_or_disabled(
             verified_claims, RevokedSessionCookieError, 'session cookie')
 
@@ -34,7 +34,7 @@
 _FIRESTORE_ATTRIBUTE = '_firestore'
 
 
-def client(app=None):
+def client(app=None) -> firestore.Client:
     """Returns a client that can be used to interact with Google Cloud Firestore.
 
     Args:
 
@@ -617,6 +617,7 @@ def test_verify_session_cookie_revoked(new_user, api_key):
     claims = auth.verify_session_cookie(session_cookie, check_revoked=True)
     assert claims['iat'] * 1000 >= user.tokens_valid_after_timestamp
 
+
 def test_verify_session_cookie_disabled(new_user, api_key):
     custom_token = auth.create_custom_token(new_user.uid)
     id_token = _sign_in(custom_token, api_key)