[AppCheck] Add getLimitedUseToken support to AppCheckProvider (#8204)

Introduced the getLimitedUseToken() method to the AppCheckProvider
interface and implemented it across the debug, Play Integrity, and
reCAPTCHA Enterprise providers. The implementation ensures that token
exchange requests include a "limited_use" flag, allowing for the
generation of short-lived, single-use App Check tokens.

Verified manually using debug provider

Author: rlazo

appcheck/firebase-appcheck-debug-testing/CHANGELOG.md

@@ -1,5 +1,7 @@
 # Unreleased
 
+- [unchanged] Updated to keep [app_check] SDK versions aligned.
+
 # 19.0.2
 
 - [unchanged] Updated to keep [app_check] SDK versions aligned.

appcheck/firebase-appcheck-debug-testing/gradle.properties

@@ -1,2 +1,2 @@
-version=19.0.3
+version=19.1.0
 latestReleasedVersion=19.0.2

appcheck/firebase-appcheck-debug/CHANGELOG.md

@@ -1,5 +1,7 @@
 # Unreleased
 
+- [fixed] Fixed issue preventing limited use tokens from being correctly generated. (#8204)
+
 # 19.0.2
 
 - [unchanged] Updated to keep [app_check] SDK versions aligned.

appcheck/firebase-appcheck-debug/gradle.properties

@@ -1,2 +1,2 @@
-version=19.0.3
+version=19.1.0
 latestReleasedVersion=19.0.2

appcheck/firebase-appcheck-debug/src/main/java/com/google/firebase/appcheck/debug/internal/DebugAppCheckProvider.java

@@ -110,11 +110,22 @@ static Task<String> determineDebugSecret(
   @NonNull
   @Override
   public Task<AppCheckToken> getToken() {
+    return getToken(/* isLimitedUseToken= */ false);
+  }
+
+  @NonNull
+  @Override
+  public Task<AppCheckToken> getLimitedUseToken() {
+    return getToken(/* isLimitedUseToken= */ true);
+  }
+
+  private Task<AppCheckToken> getToken(boolean isLimitedUseToken) {
     return debugSecretTask
         .onSuccessTask(
             liteExecutor,
             debugSecret -> {
-              ExchangeDebugTokenRequest request = new ExchangeDebugTokenRequest(debugSecret);
+              ExchangeDebugTokenRequest request =
+                  new ExchangeDebugTokenRequest(debugSecret, isLimitedUseToken);
               return Tasks.call(
                   blockingExecutor,
                   () ->

appcheck/firebase-appcheck-debug/src/main/java/com/google/firebase/appcheck/debug/internal/ExchangeDebugTokenRequest.java

@@ -25,18 +25,23 @@
  */
 public class ExchangeDebugTokenRequest {
   @VisibleForTesting static final String DEBUG_TOKEN_KEY = "debugToken";
+  @VisibleForTesting static final String LIMITED_USE_TOKEN_KEY = "limited_use";
 
   private final String debugToken;
+  private final boolean isLimitedUseToken;
 
-  public ExchangeDebugTokenRequest(@NonNull String debugToken) {
+  public ExchangeDebugTokenRequest(@NonNull String debugToken, boolean isLimitedUseToken) {
     this.debugToken = debugToken;
+    this.isLimitedUseToken = isLimitedUseToken;
   }
 
   @NonNull
   public String toJsonString() throws JSONException {
     JSONObject jsonObject = new JSONObject();
     jsonObject.put(DEBUG_TOKEN_KEY, debugToken);
-
+    if (isLimitedUseToken) {
+      jsonObject.put(LIMITED_USE_TOKEN_KEY, true);
+    }
     return jsonObject.toString();
   }
 }

appcheck/firebase-appcheck-debug/src/test/java/com/google/firebase/appcheck/debug/internal/DebugAppCheckProviderTest.java

@@ -36,10 +36,13 @@
 import com.google.firebase.concurrent.TestOnlyExecutors;
 import java.io.IOException;
 import java.util.concurrent.Executor;
+import org.json.JSONObject;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.mockito.ArgumentCaptor;
+import org.mockito.Captor;
 import org.mockito.Mock;
 import org.mockito.MockitoAnnotations;
 import org.robolectric.RobolectricTestRunner;
@@ -70,6 +73,7 @@ public class DebugAppCheckProviderTest {
   @Mock NetworkClient mockNetworkClient;
   @Mock RetryManager mockRetryManager;
   @Mock AppCheckTokenResponse mockAppCheckTokenResponse;
+  @Captor ArgumentCaptor<byte[]> requestBytesCaptor;
 
   private StorageHelper storageHelper;
   private SharedPreferences sharedPreferences;
@@ -173,4 +177,31 @@ public void exchangeDebugToken_onFailure_setsTaskException() throws Exception {
     Exception exception = task.getException();
     assertThat(exception).isInstanceOf(IOException.class);
   }
+
+  @Test
+  public void getLimitedUseToken_onSuccess_setsTaskResult() throws Exception {
+    when(mockNetworkClient.exchangeAttestationForAppCheckToken(
+            any(), eq(NetworkClient.DEBUG), eq(mockRetryManager)))
+        .thenReturn(mockAppCheckTokenResponse);
+    when(mockAppCheckTokenResponse.getToken()).thenReturn(APP_CHECK_TOKEN);
+    when(mockAppCheckTokenResponse.getTimeToLive()).thenReturn(TIME_TO_LIVE);
+
+    DebugAppCheckProvider provider =
+        new DebugAppCheckProvider(
+            DEBUG_SECRET, mockNetworkClient, liteExecutor, blockingExecutor, mockRetryManager);
+    Task<AppCheckToken> task = provider.getLimitedUseToken();
+
+    verify(mockNetworkClient)
+        .exchangeAttestationForAppCheckToken(
+            requestBytesCaptor.capture(), eq(NetworkClient.DEBUG), eq(mockRetryManager));
+
+    byte[] capturedBytes = requestBytesCaptor.getValue();
+    JSONObject jsonObject = new JSONObject(new String(capturedBytes, "UTF-8"));
+    assertThat(jsonObject.opt(ExchangeDebugTokenRequest.DEBUG_TOKEN_KEY)).isEqualTo(DEBUG_SECRET);
+    assertThat(jsonObject.opt(ExchangeDebugTokenRequest.LIMITED_USE_TOKEN_KEY)).isEqualTo(true);
+
+    AppCheckToken token = task.getResult();
+    assertThat(token).isInstanceOf(DefaultAppCheckToken.class);
+    assertThat(token.getToken()).isEqualTo(APP_CHECK_TOKEN);
+  }
 }

appcheck/firebase-appcheck-debug/src/test/java/com/google/firebase/appcheck/debug/internal/ExchangeDebugTokenRequestTest.java

@@ -29,12 +29,26 @@ public class ExchangeDebugTokenRequestTest {
   @Test
   public void toJsonString_expectSerialized() throws Exception {
     ExchangeDebugTokenRequest exchangeDebugTokenRequest =
-        new ExchangeDebugTokenRequest(DEBUG_TOKEN);
+        new ExchangeDebugTokenRequest(DEBUG_TOKEN, false);
 
     String jsonString = exchangeDebugTokenRequest.toJsonString();
     JSONObject jsonObject = new JSONObject(jsonString);
 
     assertThat(jsonObject.getString(ExchangeDebugTokenRequest.DEBUG_TOKEN_KEY))
         .isEqualTo(DEBUG_TOKEN);
+    assertThat(jsonObject.opt(ExchangeDebugTokenRequest.LIMITED_USE_TOKEN_KEY)).isNull();
+  }
+
+  @Test
+  public void toJsonString_limitedUse_expectSerialized() throws Exception {
+    ExchangeDebugTokenRequest exchangeDebugTokenRequest =
+        new ExchangeDebugTokenRequest(DEBUG_TOKEN, true);
+
+    String jsonString = exchangeDebugTokenRequest.toJsonString();
+    JSONObject jsonObject = new JSONObject(jsonString);
+
+    assertThat(jsonObject.getString(ExchangeDebugTokenRequest.DEBUG_TOKEN_KEY))
+        .isEqualTo(DEBUG_TOKEN);
+    assertThat(jsonObject.getBoolean(ExchangeDebugTokenRequest.LIMITED_USE_TOKEN_KEY)).isTrue();
   }
 }

appcheck/firebase-appcheck-playintegrity/CHANGELOG.md

@@ -1,5 +1,7 @@
 # Unreleased
 
+- [fixed] Fixed issue preventing limited use tokens from being correctly generated. (#8204)
+
 # 19.0.2
 
 - [unchanged] Updated to keep [app_check] SDK versions aligned.

appcheck/firebase-appcheck-playintegrity/gradle.properties

@@ -1,2 +1,2 @@
-version=19.0.3
+version=19.1.0
 latestReleasedVersion=19.0.2