SHavanonda
diff --git a/‎firebase_admin/_auth_utils.py
Lines changed: 22 additions & 0 deletions b/‎firebase_admin/_auth_utils.py
Lines changed: 22 additions & 0 deletions
diff --git a/‎firebase_admin/_token_gen.py
Lines changed: 36 additions & 34 deletions b/‎firebase_admin/_token_gen.py
Lines changed: 36 additions & 34 deletions
diff --git a/‎firebase_admin/_user_mgt.py
Lines changed: 7 additions & 27 deletions b/‎firebase_admin/_user_mgt.py
Lines changed: 7 additions & 27 deletions
diff --git a/‎firebase_admin/auth.py
Lines changed: 2 additions & 8 deletions b/‎firebase_admin/auth.py
Lines changed: 2 additions & 8 deletions
diff --git a/‎tests/test_token_gen.py
Lines changed: 16 additions & 8 deletions b/‎tests/test_token_gen.py
Lines changed: 16 additions & 8 deletions
@@ -202,3 +202,25 @@ def __init__(self, code, message, cause=None, http_response=None, auth_error_cod
     @property
     def auth_error_code(self):
         return self._auth_error_code
+
+
+_ERROR_CODE_MAPPINGS = {
+        'CLAIMS_TOO_LARGE': exceptions.INVALID_ARGUMENT,
+        'INVALID_EMAIL': exceptions.INVALID_ARGUMENT,
+        'INSUFFICIENT_PERMISSION': exceptions.PERMISSION_DENIED,
+        'OPERATION_NOT_ALLOWED': exceptions.PERMISSION_DENIED,
+        'PERMISSION_DENIED': exceptions.PERMISSION_DENIED,
+        'USER_NOT_FOUND': exceptions.NOT_FOUND,
+        'DUPLICATE_EMAIL': exceptions.ALREADY_EXISTS,
+    }
+
+
+def handle_http_error(msg, error):
+    response_payload = {}
+    if error.response is not None:
+        response_payload = error.response.json()
+        msg += '\n Server response: {0}'.format(error.response.content.decode())
+    server_code = response_payload.get('error', {}).get('message')
+    canonical_code = _ERROR_CODE_MAPPINGS.get(server_code, exceptions.UNKNOWN)
+    raise FirebaseAuthError(
+        canonical_code, msg, cause=error, http_response=error.response, auth_error_code=server_code)
@@ -20,14 +20,17 @@
 import cachecontrol
 import requests
 import six
+import google.auth.exceptions
 from google.auth import credentials
-from google.auth import exceptions
 from google.auth import iam
 from google.auth import jwt
 from google.auth import transport
 import google.oauth2.id_token
 import google.oauth2.service_account
 
+from firebase_admin import exceptions
+from firebase_admin import _auth_utils
+
 
 # ID token constants
 ID_TOKEN_ISSUER_PREFIX = 'https://securetoken.google.com/'
@@ -52,17 +55,8 @@
                         'default/email')
 
 # Error codes
-COOKIE_CREATE_ERROR = 'COOKIE_CREATE_ERROR'
-TOKEN_SIGN_ERROR = 'TOKEN_SIGN_ERROR'
-
-
-class ApiCallError(Exception):
-    """Represents an Exception encountered while invoking the ID toolkit API."""
-
-    def __init__(self, code, message, error=None):
-        Exception.__init__(self, message)
-        self.code = code
-        self.detail = error
+TOKEN_SIGN_FAILED = 'TOKEN_SIGN_FAILED'
+CERTIFICATE_FETCH_FAILED = 'CERTIFICATE_FETCH_FAILED'
 
 
 class _SigningProvider(object):
@@ -177,9 +171,12 @@ def create_custom_token(self, uid, developer_claims=None):
             payload['claims'] = developer_claims
         try:
             return jwt.encode(signing_provider.signer, payload)
-        except exceptions.TransportError as error:
-            msg = 'Failed to sign custom token. {0}'.format(error)
-            raise ApiCallError(TOKEN_SIGN_ERROR, msg, error)
+        except google.auth.exceptions.TransportError as error:
+            raise _auth_utils.FirebaseAuthError(
+                exceptions.UNKNOWN,
+                'Failed to sign custom token. {0}'.format(error),
+                cause=error,
+                auth_error_code=TOKEN_SIGN_FAILED)
 
 
     def create_session_cookie(self, id_token, expires_in):
@@ -206,20 +203,17 @@ def create_session_cookie(self, id_token, expires_in):
             'validDuration': expires_in,
         }
         try:
-            response = self.client.body('post', ':createSessionCookie', json=payload)
+            body, response = self.client.body_and_response('post', ':createSessionCookie', json=payload)
         except requests.exceptions.RequestException as error:
-            self._handle_http_error(COOKIE_CREATE_ERROR, 'Failed to create session cookie', error)
+            _auth_utils.handle_http_error('Failed to create session cookie', error)
         else:
-            if not response or not response.get('sessionCookie'):
-                raise ApiCallError(COOKIE_CREATE_ERROR, 'Failed to create session cookie.')
-            return response.get('sessionCookie')
-
-    def _handle_http_error(self, code, msg, error):
-        if error.response is not None:
-            msg += '\nServer response: {0}'.format(error.response.content.decode())
-        else:
-            msg += '\nReason: {0}'.format(error)
-        raise ApiCallError(code, msg, error)
+            if not body or not body.get('sessionCookie'):
+                raise _auth_utils.FirebaseAuthError(
+                    exceptions.UNKNOWN,
+                    'Failed to create session cookie.',
+                    http_response=response,
+                    auth_error_code='UNEXPECTED_RESPONSE')
+            return body.get('sessionCookie')
 
 
 class TokenVerifier(object):
@@ -332,10 +326,18 @@ def verify(self, token, request):
         if error_message:
             raise ValueError(error_message)
 
-        verified_claims = google.oauth2.id_token.verify_token(
-            token,
-            request=request,
-            audience=self.project_id,
-            certs_url=self.cert_url)
-        verified_claims['uid'] = verified_claims['sub']
-        return verified_claims
+        try:
+            verified_claims = google.oauth2.id_token.verify_token(
+                token,
+                request=request,
+                audience=self.project_id,
+                certs_url=self.cert_url)
+            verified_claims['uid'] = verified_claims['sub']
+            return verified_claims
+        except google.auth.exceptions.TransportError as error:
+            raise _auth_utils.FirebaseAuthError(
+                exceptions.UNKNOWN,
+                'Failed to fetch public key certificates. {0}'.format(error),
+                cause=error,
+                auth_error_code=CERTIFICATE_FETCH_FAILED)
+
@@ -469,7 +469,7 @@ def get_user(self, **kwargs):
             body, response = self._client.body_and_response('post', '/accounts:lookup', json=payload)
         except requests.exceptions.RequestException as error:
             msg = 'Failed to get user by {0}: {1}.'.format(key_type, key)
-            self._handle_http_error(msg, error)
+            _auth_utils.handle_http_error(msg, error)
         else:
             if not body or not body.get('users'):
                 raise _auth_utils.FirebaseAuthError(
@@ -497,7 +497,7 @@ def list_users(self, page_token=None, max_results=MAX_LIST_USERS_RESULTS):
         try:
             return self._client.body('get', '/accounts:batchGet', params=payload)
         except requests.exceptions.RequestException as error:
-            self._handle_http_error('Failed to download user accounts.', error)
+            _auth_utils.handle_http_error('Failed to download user accounts.', error)
 
     def create_user(self, uid=None, display_name=None, email=None, phone_number=None,
                     photo_url=None, password=None, disabled=None, email_verified=None):
@@ -516,7 +516,7 @@ def create_user(self, uid=None, display_name=None, email=None, phone_number=None
         try:
             body, response = self._client.body_and_response('post', '/accounts', json=payload)
         except requests.exceptions.RequestException as error:
-            self._handle_http_error('Failed to create new user.', error)
+            _auth_utils.handle_http_error('Failed to create new user.', error)
         else:
             if not body or not body.get('localId'):
                 raise _auth_utils.FirebaseAuthError(
@@ -570,7 +570,7 @@ def update_user(self, uid, display_name=_UNSPECIFIED, email=None, phone_number=_
         try:
             body, response = self._client.body_and_response('post', '/accounts:update', json=payload)
         except requests.exceptions.RequestException as error:
-            self._handle_http_error('Failed to update user: {0}.'.format(uid), error)
+            _auth_utils.handle_http_error('Failed to update user: {0}.'.format(uid), error)
         else:
             if not body or not body.get('localId'):
                 raise _auth_utils.FirebaseAuthError(
@@ -586,7 +586,7 @@ def delete_user(self, uid):
         try:
             body, response = self._client.body_and_response('post', '/accounts:delete', json={'localId' : uid})
         except requests.exceptions.RequestException as error:
-            self._handle_http_error('Failed to delete user: {0}.'.format(uid), error)
+            _auth_utils.handle_http_error('Failed to delete user: {0}.'.format(uid), error)
         else:
             if not body or not body.get('kind'):
                 raise _auth_utils.FirebaseAuthError(
@@ -615,7 +615,7 @@ def import_users(self, users, hash_alg=None):
         try:
             body, response = self._client.body_and_response('post', '/accounts:batchCreate', json=payload)
         except requests.exceptions.RequestException as error:
-            self._handle_http_error('Failed to import users.', error)
+            _auth_utils.handle_http_error('Failed to import users.', error)
         else:
             if not isinstance(body, dict):
                 raise _auth_utils.FirebaseAuthError(
@@ -653,7 +653,7 @@ def generate_email_action_link(self, action_type, email, action_code_settings=No
         try:
             body, response = self._client.body_and_response('post', '/accounts:sendOobCode', json=payload)
         except requests.exceptions.RequestException as error:
-            self._handle_http_error('Failed to generate link.', error)
+            _auth_utils.handle_http_error('Failed to generate link.', error)
         else:
             if not body or not body.get('oobLink'):
                 raise _auth_utils.FirebaseAuthError(
@@ -663,26 +663,6 @@ def generate_email_action_link(self, action_type, email, action_code_settings=No
                     auth_error_code=UNEXPECTED_RESPONSE)
             return body.get('oobLink')
 
-    _ERROR_CODE_MAPPINGS = {
-        'CLAIMS_TOO_LARGE': exceptions.INVALID_ARGUMENT,
-        'INVALID_EMAIL': exceptions.INVALID_ARGUMENT,
-        'INSUFFICIENT_PERMISSION': exceptions.PERMISSION_DENIED,
-        'OPERATION_NOT_ALLOWED': exceptions.PERMISSION_DENIED,
-        'PERMISSION_DENIED': exceptions.PERMISSION_DENIED,
-        'USER_NOT_FOUND': exceptions.NOT_FOUND,
-        'DUPLICATE_EMAIL': exceptions.ALREADY_EXISTS,
-    }
-
-    def _handle_http_error(self, msg, error):
-        response_payload = {}
-        if error.response is not None:
-            response_payload = error.response.json()
-            msg += '\n Server response: {0}'.format(error.response.content.decode())
-        server_code = response_payload.get('error', {}).get('message')
-        canonical_code = self._ERROR_CODE_MAPPINGS.get(server_code, exceptions.UNKNOWN)
-        raise _auth_utils.FirebaseAuthError(
-            canonical_code, msg, cause=error, http_response=error.response, auth_error_code=server_code)
-
 
 class _UserIterator(object):
     """An iterator that allows iterating over user accounts, one at a time.
 
@@ -128,10 +128,7 @@ def create_custom_token(uid, developer_claims=None, app=None):
         AuthError: If an error occurs while creating the token using the remote IAM service.
     """
     token_generator = _get_auth_service(app).token_generator
-    try:
-        return token_generator.create_custom_token(uid, developer_claims)
-    except _token_gen.ApiCallError as error:
-        raise FirebaseAuthError(error.code, str(error), cause=error)
+    return token_generator.create_custom_token(uid, developer_claims)
 
 
 def verify_id_token(id_token, app=None, check_revoked=False):
@@ -183,10 +180,7 @@ def create_session_cookie(id_token, expires_in, app=None):
         AuthError: If an error occurs while creating the cookie.
     """
     token_generator = _get_auth_service(app).token_generator
-    try:
-        return token_generator.create_session_cookie(id_token, expires_in)
-    except _token_gen.ApiCallError as error:
-        raise FirebaseAuthError(error.code, str(error), cause=error)
+    return token_generator.create_session_cookie(id_token, expires_in)
 
 
 def verify_session_cookie(session_cookie, check_revoked=False, app=None):
 
@@ -21,7 +21,6 @@
 import time
 
 from google.auth import crypt
-from google.auth import exceptions
 from google.auth import jwt
 import google.oauth2.id_token
 import pytest
@@ -31,6 +30,7 @@
 import firebase_admin
 from firebase_admin import auth
 from firebase_admin import credentials
+from firebase_admin import exceptions
 from firebase_admin import _token_gen
 from tests import testutils
 
@@ -221,7 +221,8 @@ def test_sign_with_iam_error(self):
             _overwrite_iam_request(app, testutils.MockRequest(403, iam_resp))
             with pytest.raises(auth.FirebaseAuthError) as excinfo:
                 auth.create_custom_token(MOCK_UID, app=app)
-            assert excinfo.value.code == _token_gen.TOKEN_SIGN_ERROR
+            assert excinfo.value.code == exceptions.UNKNOWN
+            assert excinfo.value._auth_error_code == _token_gen.TOKEN_SIGN_FAILED
             assert iam_resp in str(excinfo.value)
         finally:
             firebase_admin.delete_app(app)
@@ -298,17 +299,18 @@ def test_valid_args(self, user_mgt_app, expires_in):
         assert request == {'idToken' : 'id_token', 'validDuration': 3600}
 
     def test_error(self, user_mgt_app):
-        _instrument_user_manager(user_mgt_app, 500, '{"error":"test"}')
+        test_response = '{"error":{"message": "test"}}'
+        _instrument_user_manager(user_mgt_app, 500, test_response)
         with pytest.raises(auth.FirebaseAuthError) as excinfo:
             auth.create_session_cookie('id_token', expires_in=3600, app=user_mgt_app)
-        assert excinfo.value.code == _token_gen.COOKIE_CREATE_ERROR
-        assert '{"error":"test"}' in str(excinfo.value)
+        assert excinfo.value.code == exceptions.UNKNOWN
+        assert test_response in str(excinfo.value)
 
     def test_unexpected_response(self, user_mgt_app):
         _instrument_user_manager(user_mgt_app, 200, '{}')
         with pytest.raises(auth.FirebaseAuthError) as excinfo:
             auth.create_session_cookie('id_token', expires_in=3600, app=user_mgt_app)
-        assert excinfo.value.code == _token_gen.COOKIE_CREATE_ERROR
+        assert excinfo.value.code == exceptions.UNKNOWN
         assert 'Failed to create session cookie' in str(excinfo.value)
 
 
         _instrument_user_manager(user_mgt_app, 200, revoked_tokens)
         with pytest.raises(auth.FirebaseAuthError) as excinfo:
             auth.verify_id_token(id_token, app=user_mgt_app, check_revoked=True)
+        assert excinfo.value.code == exceptions.INVALID_ARGUMENT
         assert excinfo.value.auth_error_code == 'ID_TOKEN_REVOKED'
         assert str(excinfo.value) == 'The Firebase ID token has been revoked.'
 
@@ -421,8 +424,10 @@ def test_custom_token(self, auth_app):
 
     def test_certificate_request_failure(self, user_mgt_app):
         _overwrite_cert_request(user_mgt_app, testutils.MockRequest(404, 'not found'))
-        with pytest.raises(exceptions.TransportError):
+        with pytest.raises(auth.FirebaseAuthError) as excinfo:
             auth.verify_id_token(TEST_ID_TOKEN, app=user_mgt_app)
+        assert excinfo.value.code == exceptions.UNKNOWN
+        assert excinfo.value.auth_error_code == 'CERTIFICATE_FETCH_FAILED'
 
 
 class TestVerifySessionCookie(object):
@@ -479,6 +484,7 @@ def test_revoked_cookie_check_revoked(self, user_mgt_app, revoked_tokens, cookie
         _instrument_user_manager(user_mgt_app, 200, revoked_tokens)
         with pytest.raises(auth.FirebaseAuthError) as excinfo:
             auth.verify_session_cookie(cookie, app=user_mgt_app, check_revoked=True)
+        assert excinfo.value.code == exceptions.INVALID_ARGUMENT
         assert excinfo.value.auth_error_code == 'SESSION_COOKIE_REVOKED'
         assert str(excinfo.value) == 'The Firebase session cookie has been revoked.'
 
@@ -521,8 +527,10 @@ def test_custom_token(self, auth_app):
 
     def test_certificate_request_failure(self, user_mgt_app):
         _overwrite_cert_request(user_mgt_app, testutils.MockRequest(404, 'not found'))
-        with pytest.raises(exceptions.TransportError):
+        with pytest.raises(auth.FirebaseAuthError) as excinfo:
             auth.verify_session_cookie(TEST_SESSION_COOKIE, app=user_mgt_app)
+        assert excinfo.value.code == exceptions.UNKNOWN
+        assert excinfo.value.auth_error_code == 'CERTIFICATE_FETCH_FAILED'
 
 
 class TestCertificateCaching(object):