feat: update code and tests

Author: boikoa-gl

src/main/java/com/google/firebase/fpnv/FirebasePnvException.java

@@ -57,4 +57,4 @@ public FirebasePnvException(
   public FirebasePnvErrorCode getFpnvErrorCode() {
     return errorCode;
   }
-}
+}

src/main/java/com/google/firebase/fpnv/FirebasePnvToken.java

@@ -20,6 +20,7 @@
 
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
+import com.nimbusds.jwt.JWTClaimsSet;
 import java.util.List;
 import java.util.Map;
 
@@ -29,6 +30,11 @@
 public class FirebasePnvToken {
   private final Map<String, Object> claims;
 
+  /**
+   * Create an instance of {@link FirebasePnvToken} from {@link JWTClaimsSet} claims.
+   *
+   * @param claims Map claims.
+   */
   public FirebasePnvToken(Map<String, Object> claims) {
     checkArgument(claims != null && claims.containsKey("sub"),
         "Claims map must at least contain sub");
@@ -71,14 +77,14 @@ public List<String> getAudience() {
    * Returns the expiration time in seconds since the Unix epoch.
    */
   public long getExpirationTime() {
-    return ((java.util.Date) claims.get("exp")).getTime();
+    return ((java.util.Date) claims.get("exp")).getTime() / 1000L;
   }
 
   /**
    * Returns the issued-at time in seconds since the Unix epoch.
    */
   public long getIssuedAt() {
-    return ((java.util.Date) claims.get("iat")).getTime();
+    return ((java.util.Date) claims.get("iat")).getTime() / 1000L;
   }
 
   /**
@@ -87,4 +93,4 @@ public long getIssuedAt() {
   public Map<String, Object> getClaims() {
     return claims;
   }
-}
+}

src/main/java/com/google/firebase/fpnv/internal/FirebasePnvTokenVerifier.java

@@ -40,7 +40,6 @@
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.text.ParseException;
-import java.util.Date;
 import java.util.Objects;
 
 /**
@@ -64,11 +63,11 @@ public FirebasePnvTokenVerifier(FirebaseApp app) {
   }
 
   /**
-   * Main method that do.
-   * - Explicitly verify the header
-   * - Verify Signature and Structure
-   * - Verify Claims (Issuer, Audience, Expiration)
-   * - Construct Token Object
+   * Main method that performs the following verification steps:
+   * - Explicitly verifies the header
+   * - Verifies signature and structure
+   * - Verifies claims (e.g. issuer, audience, expiration)
+   * - Constructs a token object upon successful verification
    *
    * @param token String input data
    * @return {@link FirebasePnvToken}
@@ -104,10 +103,18 @@ public FirebasePnvToken verifyToken(String token) throws FirebasePnvException {
           "FPNV token has expired.",
           e
       );
-    } catch (BadJOSEException | JOSEException e) {
-      throw new FirebasePnvException(FirebasePnvErrorCode.SERVICE_ERROR,
+    } catch (BadJOSEException e) {
+      throw new FirebasePnvException(
+          FirebasePnvErrorCode.INVALID_TOKEN,
           "Check your project: " + projectId + ". "
-              + e.getMessage(),
+          + "FPNV token is invalid: " + e.getMessage(),
+          e
+      );
+    } catch (JOSEException e) {
+      throw new FirebasePnvException(
+          FirebasePnvErrorCode.INTERNAL_ERROR,
+          "Check your project: " + projectId + ". "
+          + "Failed to verify FPNV token signature: " + e.getMessage(),
           e
       );
     }
@@ -121,7 +128,6 @@ private void verifyHeader(JWSHeader header) throws FirebasePnvException {
           "FPNV has incorrect 'algorithm'. Expected " + JWSAlgorithm.ES256.getName()
               + " but got " + header.getAlgorithm());
     }
-
     // Check Key ID (kid)
     if (Strings.isNullOrEmpty(header.getKeyID())) {
       throw new FirebasePnvException(
@@ -141,6 +147,7 @@ private void verifyHeader(JWSHeader header) throws FirebasePnvException {
   }
 
   private void verifyClaims(JWTClaimsSet claims) throws FirebasePnvException {
+    checkArgument(!Objects.isNull(claims), "JWTClaimsSet claims must not be null");
     // Verify Issuer
     String issuer = claims.getIssuer();
 

src/test/java/com/google/firebase/fpnv/FirebasePnvErrorCodeTest.java

@@ -31,4 +31,4 @@ public void testEnum() {
     assertNotNull(FirebasePnvErrorCode.valueOf("INTERNAL_ERROR"));
     assertNotNull(FirebasePnvErrorCode.valueOf("SERVICE_ERROR"));
   }
-}
+}

src/test/java/com/google/firebase/fpnv/FirebasePnvTest.java

@@ -113,4 +113,4 @@ public void testVerifyToken_PropagatesException() throws FirebasePnvException {
     );
     assertEquals(FirebasePnvErrorCode.INVALID_TOKEN, e.getFpnvErrorCode());
   }
-}
+}

src/test/java/com/google/firebase/fpnv/FpnvTokenVerifierTest.java

@@ -30,6 +30,7 @@
 import com.google.firebase.internal.FirebaseProcessEnvironment;
 import com.google.firebase.testing.ServiceAccount;
 import com.google.firebase.testing.TestUtils;
+import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.JOSEObjectType;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
@@ -39,6 +40,7 @@
 import com.nimbusds.jose.jwk.Curve;
 import com.nimbusds.jose.jwk.ECKey;
 import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
+import com.nimbusds.jose.proc.BadJOSEException;
 import com.nimbusds.jose.proc.SecurityContext;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
@@ -56,10 +58,11 @@
 import org.mockito.MockitoAnnotations;
 
 public class FpnvTokenVerifierTest {
+  private static final String PROJECT_ID = "mock-project-id";
   private static final FirebaseOptions firebaseOptions = FirebaseOptions.builder()
+      .setProjectId(PROJECT_ID)
       .setCredentials(TestUtils.getCertCredential(ServiceAccount.OWNER.asStream()))
       .build();
-  private static final String PROJECT_ID = "mock-project-id";
   private static final String ISSUER = "https://fpnv.googleapis.com/projects/" + PROJECT_ID;
   private static final String[] AUD = new String[]{
       ISSUER,
@@ -73,6 +76,7 @@ public class FpnvTokenVerifierTest {
   private KeyPair rsaKeyPair;
   private ECKey ecKey;
   private JWSHeader header;
+  private JWTClaimsSet claims;
 
   @Before
   public void setUp() throws Exception {
@@ -99,6 +103,15 @@ public void setUp() throws Exception {
         .keyID(ecKey.getKeyID())
         .type(JOSEObjectType.JWT)
         .build();
+
+    // Create a valid JWTClaimsSet
+    claims = new JWTClaimsSet.Builder()
+        .issuer(ISSUER)
+        .audience(Arrays.asList(AUD))
+        .subject("+15551234567")
+        .issueTime(new Date())
+        .expirationTime(new Date(System.currentTimeMillis() + 10000))
+        .build();
   }
 
   @After
@@ -124,18 +137,15 @@ private String createToken(JWSHeader header, JWTClaimsSet claims) throws Excepti
   }
 
   @Test
-  public void testVerifyToken_Success() throws Exception {
-    Date now = new Date();
-    Date exp = new Date(now.getTime() + 3600 * 1000); // 1 hour valid
-
-    JWTClaimsSet claims = new JWTClaimsSet.Builder()
-        .issuer(ISSUER)
-        .audience(Arrays.asList(AUD))
-        .subject("+15551234567")
-        .issueTime(now)
-        .expirationTime(exp)
-        .build();
+  public void testVerifyToken_NullOrEmptyToken() {
+    IllegalArgumentException e = assertThrows(IllegalArgumentException.class, () ->
+        verifier.verifyToken("")
+    );
+    assertTrue(e.getMessage().contains("FPNV token must not be null"));
+  }
 
+  @Test
+  public void testVerifyToken_Success() throws Exception {
     String tokenString = createToken(header, claims);
 
     // 1. Mock the processor to return these claims (skipping real signature verification)
@@ -167,6 +177,25 @@ public void testVerifyToken_Header_WrongAlgorithm() throws Exception {
     assertTrue(e.getMessage().contains("algorithm"));
   }
 
+  @Test
+  public void testVerifyToken_Header_WrongTyp() throws Exception {
+    JWSHeader header = new JWSHeader
+        .Builder(JWSAlgorithm.ES256)
+        .keyID(ecKey.getKeyID())
+        .type(JOSEObjectType.JOSE)
+        .build();
+    JWTClaimsSet claims = new JWTClaimsSet.Builder().build();
+
+    String tokenString = createToken(header, claims);
+
+    FirebasePnvException e = assertThrows(FirebasePnvException.class, () ->
+        verifier.verifyToken(tokenString)
+    );
+
+    assertEquals(FirebasePnvErrorCode.INVALID_ARGUMENT, e.getFpnvErrorCode());
+    assertTrue(e.getMessage().contains("has incorrect 'typ'"));
+  }
+
   @Test
   public void testVerifyToken_Header_MissingKeyId() throws Exception {
     // ES256 but missing 'kid'
@@ -195,7 +224,6 @@ public void testVerifyToken_Claims_Expired() throws Exception {
     String tokenString = createToken(header, claims);
     ExpiredJWTException error = new ExpiredJWTException("Bad token");
 
-    // Mock processor returning the expired claims
     when(mockJwtProcessor.process(any(SignedJWT.class), any())).thenThrow(error);
 
     FirebasePnvException e = assertThrows(FirebasePnvException.class, () ->
@@ -243,4 +271,57 @@ public void testVerifyToken_Claims_NoSubject() throws Exception {
     assertEquals(FirebasePnvErrorCode.INVALID_TOKEN, e.getFpnvErrorCode());
     assertTrue(e.getMessage().contains("Token has an empty 'sub' (phone number)"));
   }
+
+  @Test
+  public void testVerifyToken_ParseException() {
+    FirebasePnvException e = assertThrows(FirebasePnvException.class, () ->
+        verifier.verifyToken(" ")
+    );
+    assertEquals(FirebasePnvErrorCode.INVALID_TOKEN, e.getFpnvErrorCode());
+    assertTrue(e.getMessage().contains("Failed to parse JWT token"));
+  }
+
+  @Test
+  public void testVerifyToken_BadJOSEException() throws Exception {
+    String tokenString = createToken(header, claims);
+    String errorMessage = "BadJOSEException";
+    BadJOSEException error = new BadJOSEException(errorMessage);
+
+    when(mockJwtProcessor.process(any(SignedJWT.class), any())).thenThrow(error);
+
+    FirebasePnvException e = assertThrows(FirebasePnvException.class, () ->
+        verifier.verifyToken(tokenString)
+    );
+
+    assertEquals(FirebasePnvErrorCode.INVALID_TOKEN, e.getFpnvErrorCode());
+    assertEquals(
+        "Check your project: "
+            + PROJECT_ID
+            + ". FPNV token is invalid: "
+            + errorMessage,
+        e.getMessage()
+    );
+  }
+
+  @Test
+  public void testVerifyToken_JOSEException() throws Exception {
+    String tokenString = createToken(header, claims);
+    String errorMessage = "JOSEException";
+    JOSEException error = new JOSEException(errorMessage);
+
+    when(mockJwtProcessor.process(any(SignedJWT.class), any())).thenThrow(error);
+
+    FirebasePnvException e = assertThrows(FirebasePnvException.class, () ->
+        verifier.verifyToken(tokenString)
+    );
+
+    assertEquals(FirebasePnvErrorCode.INTERNAL_ERROR, e.getFpnvErrorCode());
+    assertEquals(
+        "Check your project: "
+            + PROJECT_ID
+            + ". Failed to verify FPNV token signature: "
+            + errorMessage,
+        e.getMessage()
+    );
+  }
 }