
Conversation

@boikoa-gl

Hey there! So you want to contribute to a Firebase SDK?
Before you file this pull request, please read these guidelines:

Discussion

  • Read the contribution guidelines (CONTRIBUTING.md).
  • If this has been discussed in an issue, make sure to link to the issue here.
    If not, go file an issue about this before creating a pull request to discuss.

Testing

  • Make sure all existing tests in the repository pass after your change.
  • If you fixed a bug or added a feature, add a new test to cover your code.

API Changes

  • At this time we cannot accept changes that affect the public API. If you'd like to help
    us make Firebase APIs better, please propose your change in an issue so that we
    can discuss it together.

@gemini-code-assist

Summary of Changes

Hello @boikoa-gl, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request lays the foundational structure for a new Firebase Phone Number Verification (FPNV) service within the firebase_admin package. It establishes the dedicated module file and defines its high-level purpose, setting the stage for the future implementation of JWT verification functionalities.

Highlights

  • New Feature Introduction: A new module firebase_admin/fpnv.py has been added to introduce the Firebase Phone Number Verification (FPNV) service. This module is intended to house functions for verifying JWTs used for authenticating against Firebase services.


Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature               Command                Description
Code Review           /gemini review         Performs a code review for the current pull request in its current state.
Pull Request Summary  /gemini summary        Provides a summary of the current pull request in its current state.
Comment               @gemini-code-assist    Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help                  /gemini help           Displays a list of available commands.


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a new file, fpnv.py, to support the upcoming Firebase Phone Number Verification (FPNV) feature. The file is currently a placeholder with a module docstring. I've suggested a small improvement to the docstring to make its purpose clearer and distinguish it from the existing auth module, which also handles JWT verification.

@boikoa-gl
Author

/gemini review


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a new Firebase Phone Number Verification (FPNV) service, including a client for verifying FPNV JWTs. My review focuses on improving security, correctness, and robustness. I've identified a critical security vulnerability in the token validation logic that needs to be addressed. Additionally, there are suggestions to improve exception handling, fix a bug in a validator function, and a reminder to complete the implementation of the FpnvToken class. Most importantly, this new feature lacks any tests, which is a critical omission that must be rectified before merging.

@boikoa-gl boikoa-gl marked this pull request as ready for review January 21, 2026 16:57
@boikoa-gl
Author

/gemini review


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a new module for Firebase Phone Number Verification (FPNV). The implementation looks solid, with good separation of concerns and error handling. I've identified a couple of minor areas for improvement in the core logic, such as removing unnecessary or redundant code. The main area of concern is in the testing strategy. The tests for token verification are heavily mocked and do not cover the actual cryptographic signature validation, which is a critical part of this feature. I've left a high-severity comment with suggestions on how to add a more robust integration-style test. I've also pointed out some unused variables in the test code.

assert isinstance(client, fpnv.FpnvClient)


class TestVerifyToken(TestCommon):

high

The tests for token verification rely heavily on mocking, including jwt.decode. This means the actual cryptographic signature verification is never tested. For a security-critical feature like this, it's crucial to have at least one integration-style test that performs an end-to-end verification.

Consider adding a test that:

  1. Generates a real ES256 key pair.
  2. Creates a JWT and signs it with the private key.
  3. Mocks the JWKS endpoint to return the corresponding public key.
  4. Calls verify_token and asserts success, without mocking jwt.decode or the cryptographic aspects of PyJWKClient.
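
The end-to-end test sketched in the review comment above, written out as an added example. This is not code from the pull request or from the firebase_admin package: verify_fpnv_token, the JWKS URL, issuer, audience, key id and the claim set are stand-ins (assumptions), because the PR's actual verify_token signature and expected claims are not visible on this page. The only thing mocked is PyJWKClient.fetch_data, the method that performs the HTTP fetch of the JWKS document, so key selection by kid, JWK parsing and the ES256 signature check all run for real. It also goes beyond the four listed steps with two negative cases a verifier test should have: a token signed by a different key published under the same kid, and a correctly signed but expired token.

```python
"""Added example: end-to-end ES256 verification against a mocked JWKS fetch.

Not the pull request's code or the firebase_admin API. verify_fpnv_token and the
constants below are hypothetical stand-ins for the module under review.
"""
import base64
import time
from unittest import mock

import jwt
from cryptography.hazmat.primitives.asymmetric import ec

# Assumed values; the real endpoint and expected claims are not shown on this page.
JWKS_URL = "https://example.invalid/fpnv/jwks.json"
ISSUER = "https://example.invalid/fpnv"
AUDIENCE = "example-project"
KEY_ID = "test-key-1"


def _b64url_uint(value: int, length: int = 32) -> str:
    """Base64url-encode an integer as fixed-length big-endian bytes (JWK EC coordinate form)."""
    raw = value.to_bytes(length, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def public_key_to_jwk(public_key: ec.EllipticCurvePublicKey, kid: str) -> dict:
    """Encode a P-256 public key as one JWKS entry, the shape a JWKS endpoint serves."""
    nums = public_key.public_numbers()
    return {
        "kty": "EC", "crv": "P-256", "alg": "ES256", "use": "sig", "kid": kid,
        "x": _b64url_uint(nums.x), "y": _b64url_uint(nums.y),
    }


def verify_fpnv_token(token: str, jwks_url: str = JWKS_URL) -> dict:
    """Hypothetical verifier standing in for the PR's verify_token.

    PyJWKClient selects the key by the token's kid; jwt.decode then checks the
    ES256 signature, exp, iss and aud. Pinning algorithms=["ES256"] is what stops
    a downgrade to "none" or to an HMAC alg keyed with the public key.
    """
    client = jwt.PyJWKClient(jwks_url)
    signing_key = client.get_signing_key_from_jwt(token)
    return jwt.decode(
        token, signing_key.key, algorithms=["ES256"], issuer=ISSUER, audience=AUDIENCE,
        options={"require": ["exp", "iat", "iss", "aud"]},
    )


def make_token_and_jwks(kid: str = KEY_ID, ttl_seconds: int = 300):
    """Generate a fresh P-256 key pair, sign a constructed FPNV-style token with it,
    and return the token plus the JWKS document that publishes the public key."""
    private_key = ec.generate_private_key(ec.SECP256R1())
    now = int(time.time())
    claims = {  # constructed sample claims, not the real FPNV claim set
        "iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + ttl_seconds,
        "phone_number": "+15555550100",
    }
    token = jwt.encode(claims, private_key, algorithm="ES256", headers={"kid": kid})
    jwks = {"keys": [public_key_to_jwk(private_key.public_key(), kid)]}
    return token, jwks


def run_end_to_end() -> dict:
    """Happy path: real signature check, only the HTTP fetch of the JWKS is mocked."""
    token, jwks = make_token_and_jwks()
    with mock.patch.object(jwt.PyJWKClient, "fetch_data", return_value=jwks):
        return verify_fpnv_token(token)


def run_wrong_key() -> bool:
    """Token signed by one key while the JWKS publishes another under the same kid: must fail."""
    token, _ = make_token_and_jwks()
    _, other_jwks = make_token_and_jwks()  # independent key pair, same kid
    with mock.patch.object(jwt.PyJWKClient, "fetch_data", return_value=other_jwks):
        try:
            verify_fpnv_token(token)
        except jwt.InvalidSignatureError:
            return True
    return False


def run_expired() -> bool:
    """A correctly signed but expired token must also be rejected."""
    token, jwks = make_token_and_jwks(ttl_seconds=-60)
    with mock.patch.object(jwt.PyJWKClient, "fetch_data", return_value=jwks):
        try:
            verify_fpnv_token(token)
        except jwt.ExpiredSignatureError:
            return True
    return False


if __name__ == "__main__":
    print(run_end_to_end()["phone_number"], run_wrong_key(), run_expired())
```

Patching fetch_data rather than jwt.decode is the whole point: a test that replaces jwt.decode passes no matter what the verifier does with the signature, whereas this shape fails the moment the alg pin, the kid lookup or the exp check is removed.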
