[CP-9405] app authorization token

.env.example

@@ -98,3 +98,10 @@ NEWSLETTER_PORTAL_ID=
 
 # Optional
 NEWSLETTER_FORM_ID=
+
+# Base64 encoded Firebase config
+FIREBASE_CONFIG=
+
+# Required for ID token registration
+# ID service URL
+ID_SERVICE_URL=

package.json

@@ -7,9 +7,9 @@
     "start": "yarn dev",
     "build:inpage": "webpack --config webpack.inpage.js",
     "dev:inpage": "webpack -w --config webpack.inpage.js",
-    "build": "yarn run build:inpage --mode=production && webpack --config webpack.prod.js",
-    "build:alpha": "yarn run build:inpage --mode=production && webpack --config webpack.alpha.js",
-    "dev": "yarn run build:inpage && webpack -w --config webpack.dev.js",
+    "build": "yarn run patch-package && yarn run build:inpage --mode=production && webpack --config webpack.prod.js",
+    "build:alpha": "yarn run patch-package && yarn run build:inpage --mode=production && webpack --config webpack.alpha.js",
+    "dev": "yarn run patch-package && yarn run build:inpage && webpack -w --config webpack.dev.js",
     "lint": "eslint --fix -c ./.eslintrc.js \"src/**/*.ts*\"",
     "typecheck": "yarn tsc --skipLibCheck --noEmit",
     "postinstall": "husky install && patch-package",
@@ -75,6 +75,7 @@
     "eth-rpc-errors": "4.0.3",
     "ethers": "6.8.1",
     "events": "3.3.0",
+    "firebase": "11.0.1",
     "fireblocks-sdk": "5.20.0",
     "i18next": "21.9.2",
     "i18next-http-backend": "1.4.4",
@@ -259,7 +260,8 @@
       "@avalabs/avalanche-module>@avalabs/core-wallets-sdk>hdkey>secp256k1": false,
       "@avalabs/avalanche-module>@avalabs/vm-module-types>@avalabs/core-wallets-sdk>@avalabs/hw-app-avalanche>@ledgerhq/hw-app-eth>@ledgerhq/domain-service>eip55>keccak": false,
       "@avalabs/avalanche-module>@avalabs/vm-module-types>@avalabs/core-wallets-sdk>@ledgerhq/hw-app-btc>bitcoinjs-lib>bip32>tiny-secp256k1": false,
-      "@avalabs/avalanche-module>@avalabs/vm-module-types>@avalabs/core-wallets-sdk>hdkey>secp256k1": false
+      "@avalabs/avalanche-module>@avalabs/vm-module-types>@avalabs/core-wallets-sdk>hdkey>secp256k1": false,
+      "firebase>@firebase/firestore>@grpc/grpc-js>@grpc/proto-loader>protobufjs": false
     }
   }
 }

patches/@firebase+messaging+0.12.13.patch

@@ -0,0 +1,13 @@
+diff --git a/node_modules/@firebase/messaging/dist/esm/index.esm2017.js b/node_modules/@firebase/messaging/dist/esm/index.esm2017.js
+index 612f735..070ea56 100644
+--- a/node_modules/@firebase/messaging/dist/esm/index.esm2017.js
++++ b/node_modules/@firebase/messaging/dist/esm/index.esm2017.js
+@@ -565,7 +565,7 @@ async function getPushSubscription(swRegistration, vapidKey) {
+         return subscription;
+     }
+     return swRegistration.pushManager.subscribe({
+-        userVisibleOnly: true,
++        userVisibleOnly: false,
+         // Chrome <= 75 doesn't support base64-encoded VAPID key. For backward compatibility, VAPID key
+         // submitted to pushManager#subscribe must be of type Uint8Array.
+         applicationServerKey: base64ToArray(vapidKey)

src/background/runtime/BackgroundRuntime.ts

@@ -6,6 +6,7 @@ import { LockService } from '@src/background/services/lock/LockService';
 import { OnboardingService } from '@src/background/services/onboarding/OnboardingService';
 import { ModuleManager } from '../vmModules/ModuleManager';
 import { BridgeService } from '../services/bridge/BridgeService';
+import { AppCheckService } from '@src/background/services/appcheck/AppCheckService';
 
 @singleton()
 export class BackgroundRuntime {
@@ -15,7 +16,8 @@ export class BackgroundRuntime {
     private onboardingService: OnboardingService,
     // we try to fetch the bridge configs as soon as possible
     private bridgeService: BridgeService,
-    private moduleManager: ModuleManager
+    private moduleManager: ModuleManager,
+    private appCheckService: AppCheckService
   ) {}
 
   activate() {
@@ -28,6 +30,7 @@ export class BackgroundRuntime {
     this.lockService.activate();
     this.onboardingService.activate();
     this.moduleManager.activate();
+    this.appCheckService.activate();
   }
 
   private onInstalled() {

src/background/services/appcheck/AppCheckService.test.ts

@@ -0,0 +1,187 @@
+import {
+  AppCheck,
+  CustomProvider,
+  initializeAppCheck,
+  setTokenAutoRefreshEnabled,
+} from 'firebase/app-check';
+import { FirebaseService } from '../firebase/FirebaseService';
+import { FcmMessageEvents, FirebaseEvents } from '../firebase/models';
+import {
+  AppCheckService,
+  WAIT_FOR_CHALLENGE_ATTEMPT_COUNT,
+  WAIT_FOR_CHALLENGE_DELAY_MS,
+} from './AppCheckService';
+import registerForChallenge from './utils/registerForChallenge';
+import { ChallengeTypes } from './models';
+import { MessagePayload } from 'firebase/messaging/sw';
+import solveChallenge from './utils/solveChallenge';
+import verifyChallenge from './utils/verifyChallenge';
+
+jest.mock('firebase/app-check');
+jest.mock('./utils/registerForChallenge');
+jest.mock('./utils/verifyChallenge');
+jest.mock('./utils/solveChallenge');
+
+describe('AppCheckService', () => {
+  let appCheckService: AppCheckService;
+  let firebaseService: FirebaseService;
+
+  beforeEach(() => {
+    jest.resetAllMocks();
+
+    firebaseService = {
+      isFcmInitialized: true,
+      getFirebaseApp: () => ({ name: 'test' }),
+      getFcmToken: jest.fn().mockReturnValue('fcmToken'),
+      addFcmMessageListener: jest.fn(),
+      addFirebaseEventListener: jest.fn(),
+    } as unknown as FirebaseService;
+
+    appCheckService = new AppCheckService(firebaseService);
+    appCheckService.activate();
+  });
+
+  it('subscribes for events on activation correctly', () => {
+    expect(firebaseService.addFcmMessageListener).toHaveBeenCalledWith(
+      FcmMessageEvents.ID_CHALLENGE,
+      expect.any(Function)
+    );
+
+    expect(firebaseService.addFirebaseEventListener).toHaveBeenCalledTimes(2);
+    expect(firebaseService.addFirebaseEventListener).toHaveBeenNthCalledWith(
+      1,
+      FirebaseEvents.FCM_INITIALIZED,
+      expect.any(Function)
+    );
+    expect(firebaseService.addFirebaseEventListener).toHaveBeenNthCalledWith(
+      2,
+      FirebaseEvents.FCM_TERMINATED,
+      expect.any(Function)
+    );
+  });
+
+  const appCheckMock = { app: { name: 'test' } } as AppCheck;
+
+  beforeEach(() => {
+    jest.useFakeTimers();
+    jest.mocked(initializeAppCheck).mockReturnValue(appCheckMock);
+
+    // simulate FCM_INITIALIZED event
+    jest.mocked(firebaseService.addFirebaseEventListener).mock.calls[0]?.[1]();
+  });
+
+  afterEach(() => {
+    jest.useRealTimers();
+  });
+
+  it('initializes appcheck correctly', () => {
+    expect(setTokenAutoRefreshEnabled).not.toHaveBeenCalled();
+    expect(initializeAppCheck).toHaveBeenCalledWith(
+      { name: 'test' },
+      {
+        provider: expect.any(CustomProvider),
+        isTokenAutoRefreshEnabled: true,
+      }
+    );
+
+    // simulate FCM_INITIALIZED event (second time)
+    jest.mocked(firebaseService.addFirebaseEventListener).mock.calls[0]?.[1]();
+
+    expect(initializeAppCheck).toHaveBeenCalledTimes(1);
+    expect(setTokenAutoRefreshEnabled).toHaveBeenCalledWith(appCheckMock, true);
+  });
+
+  it('terminates appcheck correctly', () => {
+    expect(setTokenAutoRefreshEnabled).not.toHaveBeenCalled();
+    expect(initializeAppCheck).toHaveBeenCalledWith(
+      { name: 'test' },
+      {
+        provider: expect.any(CustomProvider),
+        isTokenAutoRefreshEnabled: true,
+      }
+    );
+
+    // simulate FCM_TERMINATED event
+    jest.mocked(firebaseService.addFirebaseEventListener).mock.calls[1]?.[1]();
+
+    expect(setTokenAutoRefreshEnabled).toHaveBeenCalledWith(
+      appCheckMock,
+      false
+    );
+  });
+
+  describe('getToken', () => {
+    it('throws when FCM is not initialized', async () => {
+      // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+      // @ts-ignore
+      firebaseService.isFcmInitialized = false;
+      await expect(
+        jest.mocked(CustomProvider).mock.calls[0]?.[0].getToken()
+      ).rejects.toThrow('fcm is not initialized');
+    });
+
+    it('throws when FCM token is missing', async () => {
+      jest.mocked(firebaseService.getFcmToken).mockReturnValueOnce(undefined);
+      await expect(
+        jest.mocked(CustomProvider).mock.calls[0]?.[0].getToken()
+      ).rejects.toThrow('fcm token is missing');
+    });
+
+    it('throws a timeout error when challenge is not received in time', async () => {
+      jest
+        .mocked(CustomProvider)
+        .mock.calls[0]?.[0].getToken()
+        .catch((err) => {
+          expect(err).toBe('timeout');
+        });
+
+      for (let i = 0; i <= WAIT_FOR_CHALLENGE_ATTEMPT_COUNT; i++) {
+        jest.advanceTimersByTime(WAIT_FOR_CHALLENGE_DELAY_MS);
+        await Promise.resolve();
+      }
+    });
+
+    it('generates a token correctly', async () => {
+      jest.mocked(crypto.randomUUID).mockReturnValue('1-2-3-4-5');
+      jest.mocked(solveChallenge).mockResolvedValueOnce('solution');
+      jest
+        .mocked(verifyChallenge)
+        .mockResolvedValueOnce({ token: 'token', exp: 1234 });
+
+      const promise = jest.mocked(CustomProvider).mock.calls[0]?.[0].getToken();
+
+      // trigger ID_CHALLENGE event
+      jest.mocked(firebaseService.addFcmMessageListener).mock.calls[0]?.[1]({
+        data: {
+          requestId: crypto.randomUUID(),
+          registrationId: 'registrationId',
+          type: ChallengeTypes.BASIC,
+          event: FcmMessageEvents.ID_CHALLENGE,
+          details: '{}',
+        },
+      } as unknown as MessagePayload);
+
+      await Promise.resolve();
+      jest.advanceTimersByTime(1000);
+      await Promise.resolve();
+
+      await expect(promise).resolves.toStrictEqual({
+        token: 'token',
+        expireTimeMillis: 1234,
+      });
+
+      expect(registerForChallenge).toHaveBeenCalledWith({
+        token: 'fcmToken',
+        requestId: crypto.randomUUID(),
+      });
+      expect(solveChallenge).toHaveBeenCalledWith({
+        type: ChallengeTypes.BASIC,
+        challengeDetails: '{}',
+      });
+      expect(verifyChallenge).toHaveBeenCalledWith({
+        registrationId: 'registrationId',
+        solution: 'solution',
+      });
+    });
+  });
+});