[google_sign_in] Enable FedCM for web. Use token expiration. #5225
Conversation
ditman
force-pushed
the
gsi-web-use-fedcm
branch
from
668441f to
28d04f2
Compare
This comment was marked as resolved.
This comment was marked as resolved.
|
Internally confirmed that it's OK that we flip this switch on for our users (b/301259123#comment5). The more, the merrier. |
| @@ -265,6 +282,8 @@ class GisSdkClient { | |||
| // This function returns the currently signed-in [GoogleSignInUserData]. | |||
| // | |||
| // It'll do a request to the People API (if needed). | |||
| // | |||
| // @Deprecated | |||
There was a problem hiding this comment.
Why is a private method deprecated?
There was a problem hiding this comment.
I added these because I don't want to forget about removing these when actually removing the signIn method, but this should probably be an issue + proper TODO.
I'll create the issue right away and link it properly.
There was a problem hiding this comment.
Linked these breadcrumbs to this issue:
| if (_lastCredentialResponse != null) { | ||
| final DateTime? expiration = utils | ||
| .getCredentialResponseExpirationTimestamp(_lastCredentialResponse); | ||
| isSignedIn = expiration?.isAfter(DateTime.now()) ?? false; |
There was a problem hiding this comment.
So a missing expiration field would indicate that it's already expired? Naively (not knowing the API surface) I would expect that if expiration is optional, then not having it should yield a true result here, so maybe a comment would be helpful?
There was a problem hiding this comment.
I'm going to document this a little bit further, but in this case, if the CredentialResponse payload cannot be decoded, is null, or doesn't contain an "exp" claim, we assume that the token is bad, and thus the user is not authenticated.
In a valid Google ID Token, the "exp" claim should always be provided:
https://developers.google.com/identity/openid-connect/openid-connect#an-id-tokens-payload
packages/google_sign_in/google_sign_in_web/lib/src/gis_client.dart
Outdated
Show resolved
Hide resolved
| @@ -74,10 +77,24 @@ GoogleSignInUserData? gisResponsesToUserData( | |||
| id: payload['sub']! as String, | |||
| displayName: payload['name'] as String?, | |||
| photoUrl: payload['picture'] as String?, | |||
| idToken: credentialResponse.credential, | |||
| idToken: credentialResponse!.credential, | |||
There was a problem hiding this comment.
This is conceptually removed enough from the code that ensures that the ! is safe (it's in another method) that I worry about someone changing that code later and this becoming a crash. Couldn't it just be credentialResponse?.credential so it's safe, since it's a nullable field?
There was a problem hiding this comment.
Yes, in this case payload != null implies credentialResponse != null but as you said, the connection is pretty vague.
I think what I really want here is an assertion that (credentialResponse?.credential != null) before returning the GoogleSignInUserData, that way I'm expressing in code that the credential must NOT be null before returning a GoogleSignInUserData.
|
Thanks for the review! I'll address the comments shortly! |
ditman
force-pushed
the
gsi-web-use-fedcm
branch
from
28d04f2 to
9560921
Compare
|
I'll land this now, and talk to the Cocoon ppl. |
flutter/packages@6ad40b9...33c2b4e 2023-11-02 ditman@gmail.com [google_sign_in] Enable FedCM for web. Use token expiration. (flutter/packages#5225) 2023-11-01 ditman@gmail.com [video_player_web] Listen to loadedmetadata event from video element. (flutter/packages#5289) 2023-11-01 stuartmorgan@google.com [local_auth] Update iOS to Pigeon 13 (flutter/packages#5269) If this roll has caused a breakage, revert this CL and stop the roller using the controls here: https://autoroll.skia.org/r/flutter-packages-flutter-autoroll Please CC flutter-ecosystem@google.com,rmistry@google.com on the revert to ensure that a human is aware of the problem. To file a bug in Flutter: https://github.com/flutter/flutter/issues/new/choose To report a problem with the AutoRoller itself, please file a bug: https://issues.skia.org/issues/new?component=1389291&template=1850622 Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+doc/main/autoroll/README.md
* main: (59 commits) [pointer_interceptor] Move pointer_interceptor to sub folder (flutter#5291) [webview_flutter] Update iOS to Pigeon 13 (flutter#5271) [repo] Adjust error message layout for repo checks (flutter#5241) [in_app_pur]: Bump org.json:json from 20230618 to 20231013 in /packages/in_app_purchase/in_app_purchase/example/android/app (flutter#5153) Roll Flutter from f5a9835 to 5a6a322 (15 revisions) (flutter#5345) [google_sign_in_ios] Upgrade GoogleSignIn iOS SDK to 7.0 (flutter#5240) Roll Flutter from 29b2516 to f5a9835 (101 revisions) (flutter#5341) [pigeon]: Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.10 to 1.9.20 in /packages/pigeon/platform_tests/test_plugin/android (flutter#5334) [flutter_markdown] Strip leading whitespace from list items (flutter#5294) [two_dimensional_scrollables] Add borderRadius support to TableSpanDecoration (flutter#5184) [go_router] Adds an ability to add a custom codec for serializing/des… (flutter#5288) [go_router] Fixes crashes when dynamically updates routing tables wit… (flutter#5242) [camerax] Fix `_getResolutionSelectorFromPreset` NPE (flutter#5287) [go_router]Fixes the problem what pathParameters is null in redirect when the Router is recreated. (flutter#5258) [google_sign_in] Fix Obj-C formatting bug (flutter#5310) Fix mounted checks (flutter#5305) [flutter_image] [flutter_markdown] Do not use dynamic in an == operator override (flutter#5298) [google_sign_in] Enable FedCM for web. Use token expiration. (flutter#5225) [video_player_web] Listen to loadedmetadata event from video element. (flutter#5289) [local_auth] Update iOS to Pigeon 13 (flutter#5269) ... # Conflicts: # packages/webview_flutter/webview_flutter_wkwebview/ios/Classes/FWFWebViewHostApi.m
…#5225) * Enables [**FedCM API**](https://developer.mozilla.org/en-US/docs/Web/API/FedCM_API) on compatible browsers. * The GIS JS SDK falls-back to the JS implementation on browsers that don't support the new standard. See [migration instructions](https://developers.google.com/identity/gsi/web/guides/fedcm-migration)). * Uses the supplied token expiration information to **more accurately compute `isSignedIn()` and `canAccessScopes(scopes)`**. * This does not handle the case where users sign in/out in another tab or from outside the web app, that's still something that needs to be checked server-side. * **Deprecates the `signIn()` method on the web.** * Users should migrate to a combination of `renderButton()` and `silentSignIn()`, as described [here](https://pub.dev/packages/google_sign_in_web#migrating-to-v011-and-v012-google-identity-services). ### Issues * FedCM: * Fixes flutter/flutter#133703 (once rebuilt/redeployed) * Fixes `b/301259123` * Token expiration: * Unblocks `b/245740319` ### Testing * Added a few unit tests * Manually verified token expiration: https://dit-gis-test.web.app
isSignedIn()andcanAccessScopes(scopes).signIn()method on the web.renderButton()andsilentSignIn(), as described here.Issues
b/301259123b/245740319Testing
Pre-launch Checklist
dart format.)[shared_preferences]pubspec.yamlwith an appropriate new version according to the pub versioning philosophy, or this PR is exempt from version changes.CHANGELOG.mdto add a description of the change, following repository CHANGELOG style.///).If you need help, consider asking for advice on the #hackers-new channel on Discord.