feat(authentication): add useCredentialManager option for Google Sign-In (#859)

* feat(authentication): add useCredentialManager option for Google Sign-In

Add definitions for SignInWithGoogleOptions.

* feat(authentication): add useCredentialManager option for Google Sign-In

Enable legacy google sign in on Android.

* feat(authentication): add useCredentialManager option for Google Sign-In

Generate changeset.

* feat(authentication): add useCredentialManager option for Google Sign-In

Refactor userCredential logic.

Author: ebarooni

.changeset/mighty-windows-guess.md

@@ -0,0 +1,5 @@
+---
+'@capacitor-firebase/authentication': minor
+---
+
+feat(android): add option to disable the new Android Credential Manager

packages/authentication/README.md

@@ -1292,14 +1292,14 @@ Starts the GitHub sign-in flow.
 ### signInWithGoogle(...)
 
 ```typescript
-signInWithGoogle(options?: SignInWithOAuthOptions | undefined) => Promise<SignInResult>
+signInWithGoogle(options?: SignInWithGoogleOptions | undefined) => Promise<SignInResult>
 ```
 
 Starts the Google sign-in flow.
 
-| Param         | Type                                                                      |
-| ------------- | ------------------------------------------------------------------------- |
-| **`options`** | <code><a href="#signinwithoauthoptions">SignInWithOAuthOptions</a></code> |
+| Param         | Type                                                                        |
+| ------------- | --------------------------------------------------------------------------- |
+| **`options`** | <code><a href="#signinwithgoogleoptions">SignInWithGoogleOptions</a></code> |
 
 **Returns:** <code>Promise&lt;<a href="#signinresult">SignInResult</a>&gt;</code>
 
@@ -2040,6 +2040,13 @@ An interface covering the possible persistence mechanism types.
 | **`skipNativeAuth`** | <code>boolean</code> | Whether the plugin should skip the native authentication or not. Only needed if you want to use the Firebase JavaScript SDK. This value overwrites the configrations value of the `skipNativeAuth` option. If no value is set, the configuration value is used. **Note that the plugin may behave differently across the platforms.** `skipNativeAuth` cannot be used in combination with `signInWithCustomToken`, `createUserWithEmailAndPassword` or `signInWithEmailAndPassword`. Only available for Android and iOS. | 1.1.0 |
 
 
+#### SignInWithGoogleOptions
+
+| Prop                       | Type                 | Description                                                                       | Default           | Since |
+| -------------------------- | -------------------- | --------------------------------------------------------------------------------- | ----------------- | ----- |
+| **`useCredentialManager`** | <code>boolean</code> | Whether to use the Credential Manager API to sign in. Only available for Android. | <code>true</code> | 7.2.0 |
+
+
 #### UnlinkResult
 
 | Prop       | Type                                          | Description                                               | Since |

packages/authentication/android/src/main/java/io/capawesome/capacitorjs/plugins/firebase/authentication/FirebaseAuthentication.java

@@ -609,6 +609,14 @@ public void startActivityForResult(final PluginCall call, Intent intent, String
         plugin.startActivityForResult(call, intent, callbackName);
     }
 
+    public void handleGoogleAuthProviderSignInActivityResult(@NonNull final PluginCall call, @NonNull ActivityResult result) {
+        googleAuthProviderHandler.handleOnActivityResult(call, result, false);
+    }
+
+    public void handleGoogleAuthProviderLinkActivityResult(@NonNull final PluginCall call, @NonNull ActivityResult result) {
+        googleAuthProviderHandler.handleOnActivityResult(call, result, true);
+    }
+
     public void handlePlayGamesAuthProviderSignInActivityResult(@NonNull final PluginCall call, @NonNull ActivityResult result) {
         playGamesAuthProviderHandler.handleOnActivityResult(call, result, false);
     }

packages/authentication/android/src/main/java/io/capawesome/capacitorjs/plugins/firebase/authentication/FirebaseAuthenticationPlugin.java

@@ -1019,6 +1019,22 @@ protected void handleOnActivityResult(int requestCode, int resultCode, @Nullable
         implementation.handleOnActivityResult(requestCode, resultCode, data);
     }
 
+    @ActivityCallback
+    private void handleGoogleAuthProviderSignInActivityResult(@Nullable PluginCall call, @Nullable ActivityResult result) {
+        if (call == null || result == null) {
+            return;
+        }
+        implementation.handleGoogleAuthProviderSignInActivityResult(call, result);
+    }
+
+    @ActivityCallback
+    private void handleGoogleAuthProviderLinkActivityResult(@Nullable PluginCall call, @Nullable ActivityResult result) {
+        if (call == null || result == null) {
+            return;
+        }
+        implementation.handleGoogleAuthProviderLinkActivityResult(call, result);
+    }
+
     @ActivityCallback
     private void handlePlayGamesAuthProviderSignInActivityResult(@Nullable PluginCall call, @Nullable ActivityResult result) {
         if (call == null || result == null) {

packages/authentication/android/src/main/java/io/capawesome/capacitorjs/plugins/firebase/authentication/handlers/GoogleAuthProviderHandler.java

@@ -21,11 +21,18 @@
 import com.getcapacitor.JSArray;
 import com.getcapacitor.Logger;
 import com.getcapacitor.PluginCall;
+import com.google.android.gms.auth.GoogleAuthException;
+import com.google.android.gms.auth.GoogleAuthUtil;
 import com.google.android.gms.auth.api.identity.AuthorizationRequest;
 import com.google.android.gms.auth.api.identity.AuthorizationResult;
 import com.google.android.gms.auth.api.identity.Identity;
+import com.google.android.gms.auth.api.signin.GoogleSignIn;
+import com.google.android.gms.auth.api.signin.GoogleSignInAccount;
+import com.google.android.gms.auth.api.signin.GoogleSignInClient;
+import com.google.android.gms.auth.api.signin.GoogleSignInOptions;
 import com.google.android.gms.common.api.ApiException;
 import com.google.android.gms.common.api.Scope;
+import com.google.android.gms.tasks.Task;
 import com.google.android.libraries.identity.googleid.GetGoogleIdOption;
 import com.google.android.libraries.identity.googleid.GoogleIdTokenCredential;
 import com.google.firebase.auth.AuthCredential;
@@ -34,6 +41,7 @@
 import io.capawesome.capacitorjs.plugins.firebase.authentication.FirebaseAuthenticationPlugin;
 import io.capawesome.capacitorjs.plugins.firebase.authentication.R;
 import io.capawesome.capacitorjs.plugins.firebase.authentication.interfaces.NonEmptyCallback;
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.concurrent.Executor;
@@ -43,6 +51,7 @@
 public class GoogleAuthProviderHandler {
 
     private FirebaseAuthentication pluginImplementation;
+    private GoogleSignInClient mGoogleSignInClient;
 
     @Nullable
     private AuthCredential lastAuthCredential;
@@ -57,6 +66,7 @@ public class GoogleAuthProviderHandler {
 
     public GoogleAuthProviderHandler(FirebaseAuthentication pluginImplementation) {
         this.pluginImplementation = pluginImplementation;
+        this.mGoogleSignInClient = buildGoogleSignInClient();
     }
 
     public void handleActivityResult(@NonNull ActivityResult result) {
@@ -75,6 +85,53 @@ public void handleActivityResult(@NonNull ActivityResult result) {
         }
     }
 
+    public void handleOnActivityResult(@NonNull final PluginCall call, @NonNull ActivityResult result, boolean isLink) {
+        Intent data = result.getData();
+        Task<GoogleSignInAccount> task = GoogleSignIn.getSignedInAccountFromIntent(data);
+        try {
+            GoogleSignInAccount account = task.getResult(ApiException.class);
+            String idToken = account.getIdToken();
+            String serverAuthCode = account.getServerAuthCode();
+            AuthCredential credential = GoogleAuthProvider.getCredential(idToken, null);
+
+            new Thread(() -> {
+                String accessToken = null;
+                List<String> scopes = new ArrayList<>();
+                scopes.add("oauth2:email");
+                scopes.addAll(getScopesAsList(call));
+
+                try {
+                    accessToken = GoogleAuthUtil.getToken(
+                        mGoogleSignInClient.getApplicationContext(),
+                        account.getAccount(),
+                        String.join(" ", scopes)
+                    );
+                    // Clears local cache after every login attempt
+                    // to ensure permissions changes elsewhere are reflected in future tokens
+                    GoogleAuthUtil.clearToken(mGoogleSignInClient.getApplicationContext(), accessToken);
+                } catch (IOException | GoogleAuthException exception) {
+                    if (isLink) {
+                        pluginImplementation.handleFailedLink(call, null, exception);
+                    } else {
+                        pluginImplementation.handleFailedSignIn(call, null, exception);
+                    }
+                    return;
+                }
+                if (isLink) {
+                    pluginImplementation.handleSuccessfulLink(call, credential, idToken, null, accessToken, serverAuthCode);
+                } else {
+                    pluginImplementation.handleSuccessfulSignIn(call, credential, idToken, null, accessToken, serverAuthCode, null);
+                }
+            }).start();
+        } catch (ApiException exception) {
+            if (isLink) {
+                pluginImplementation.handleFailedLink(call, null, exception);
+            } else {
+                pluginImplementation.handleFailedSignIn(call, null, exception);
+            }
+        }
+    }
+
     public void handleAuthorizationResult(@NonNull AuthorizationResult authorizationResult) {
         if (lastCall == null) {
             return;
@@ -105,12 +162,32 @@ public void handleAuthorizationResultError(@NonNull Exception exception) {
         lastIdToken = null;
     }
 
+    public void signIn(final PluginCall call) {
+        signInOrLink(call, false);
+    }
+
     public void link(final PluginCall call) {
         signInOrLink(call, true);
     }
 
-    public void signIn(final PluginCall call) {
-        signInOrLink(call, false);
+    private GoogleSignInClient buildGoogleSignInClient() {
+        return buildGoogleSignInClient(null);
+    }
+
+    private GoogleSignInClient buildGoogleSignInClient(@Nullable PluginCall call) {
+        GoogleSignInOptions.Builder googleSignInOptionsBuilder = new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
+            .requestIdToken(pluginImplementation.getPlugin().getContext().getString(R.string.default_web_client_id))
+            .requestServerAuthCode(pluginImplementation.getPlugin().getContext().getString(R.string.default_web_client_id))
+            .requestEmail();
+
+        if (call != null) {
+            List<String> scopeList = getScopesAsList(call);
+            for (String scope : scopeList) {
+                googleSignInOptionsBuilder = googleSignInOptionsBuilder.requestScopes(new Scope(scope));
+            }
+        }
+
+        return GoogleSignIn.getClient(pluginImplementation.getPlugin().getActivity(), googleSignInOptionsBuilder.build());
     }
 
     public void signOut() {
@@ -151,6 +228,19 @@ private List<Scope> buildScopeList(@NonNull PluginCall call) {
         return scopeList;
     }
 
+    private List<String> getScopesAsList(@NonNull PluginCall call) {
+        List<String> scopeList = new ArrayList<>();
+        JSArray scopes = call.getArray("scopes");
+        if (scopes != null) {
+            try {
+                scopeList = scopes.toList();
+            } catch (JSONException exception) {
+                Log.e(FirebaseAuthenticationPlugin.TAG, "getScopesAsList failed.", exception);
+            }
+        }
+        return scopeList;
+    }
+
     private void handleGetCredentialError(final PluginCall call, final boolean isLink, final GetCredentialException exception) {
         if (isLink) {
             pluginImplementation.handleFailedLink(call, null, exception);
@@ -205,32 +295,46 @@ public void error(Exception exception) {
     }
 
     private void signInOrLink(final PluginCall call, final boolean isLink) {
-        Executor executor = Executors.newSingleThreadExecutor();
-        GetGoogleIdOption googleIdOption = new GetGoogleIdOption.Builder()
-            // Your server's client ID, not your Android client ID
-            .setServerClientId(pluginImplementation.getPlugin().getContext().getString(R.string.default_web_client_id))
-            // Show all accounts on the device (not just the accounts that have been used previously)
-            .setFilterByAuthorizedAccounts(false)
-            .build();
-        GetCredentialRequest request = new GetCredentialRequest.Builder().addCredentialOption(googleIdOption).build();
-        CredentialManager credentialManager = CredentialManager.create(pluginImplementation.getPlugin().getActivity());
-        credentialManager.getCredentialAsync(
-            pluginImplementation.getPlugin().getContext(),
-            request,
-            null,
-            executor,
-            new CredentialManagerCallback<GetCredentialResponse, GetCredentialException>() {
-                @Override
-                public void onResult(GetCredentialResponse response) {
-                    handleGetCredentialResult(call, isLink, response);
-                }
+        Boolean useCredentialManagerRaw = call.getBoolean("useCredentialManager");
+        boolean useCredentialManager = (useCredentialManagerRaw != null) ? useCredentialManagerRaw : true;
 
-                @Override
-                public void onError(@NonNull GetCredentialException exception) {
-                    handleGetCredentialError(call, isLink, exception);
+        if (useCredentialManager) {
+            Executor executor = Executors.newSingleThreadExecutor();
+            GetGoogleIdOption googleIdOption = new GetGoogleIdOption.Builder()
+                // Your server's client ID, not your Android client ID
+                .setServerClientId(pluginImplementation.getPlugin().getContext().getString(R.string.default_web_client_id))
+                // Show all accounts on the device (not just the accounts that have been used previously)
+                .setFilterByAuthorizedAccounts(false)
+                .build();
+            GetCredentialRequest request = new GetCredentialRequest.Builder().addCredentialOption(googleIdOption).build();
+            CredentialManager credentialManager = CredentialManager.create(pluginImplementation.getPlugin().getActivity());
+            credentialManager.getCredentialAsync(
+                pluginImplementation.getPlugin().getContext(),
+                request,
+                null,
+                executor,
+                new CredentialManagerCallback<GetCredentialResponse, GetCredentialException>() {
+                    @Override
+                    public void onResult(GetCredentialResponse response) {
+                        handleGetCredentialResult(call, isLink, response);
+                    }
+
+                    @Override
+                    public void onError(@NonNull GetCredentialException exception) {
+                        handleGetCredentialError(call, isLink, exception);
+                    }
                 }
+            );
+        } else {
+            mGoogleSignInClient = buildGoogleSignInClient(call);
+            Intent signInIntent = mGoogleSignInClient.getSignInIntent();
+
+            if (isLink) {
+                pluginImplementation.startActivityForResult(call, signInIntent, "handleGoogleAuthProviderLinkActivityResult");
+            } else {
+                pluginImplementation.startActivityForResult(call, signInIntent, "handleGoogleAuthProviderSignInActivityResult");
             }
-        );
+        }
     }
 
     /**

packages/authentication/src/definitions.ts

@@ -377,7 +377,7 @@ export interface FirebaseAuthenticationPlugin {
    *
    * @since 0.1.0
    */
-  signInWithGoogle(options?: SignInWithOAuthOptions): Promise<SignInResult>;
+  signInWithGoogle(options?: SignInWithGoogleOptions): Promise<SignInResult>;
   /**
    * Starts the Microsoft sign-in flow.
    *
@@ -1041,6 +1041,21 @@ export interface SignInWithFacebookOptions extends SignInWithOAuthOptions {
   useLimitedLogin?: boolean;
 }
 
+/**
+ * @since 7.2.0
+ */
+export interface SignInWithGoogleOptions extends SignInWithOAuthOptions {
+  /**
+   * Whether to use the Credential Manager API to sign in.
+   *
+   * Only available for Android.
+   *
+   * @since 7.2.0
+   * @default true
+   */
+  useCredentialManager?: boolean;
+}
+
 /**
  * @since 7.2.0
  */

packages/authentication/src/web.ts

@@ -93,6 +93,7 @@ import type {
   SignInWithCustomTokenOptions,
   SignInWithEmailAndPasswordOptions,
   SignInWithEmailLinkOptions,
+  SignInWithGoogleOptions,
   SignInWithOAuthOptions,
   SignInWithOpenIdConnectOptions,
   SignInWithPhoneNumberOptions,
@@ -586,7 +587,7 @@ export class FirebaseAuthenticationWeb
   }
 
   public async signInWithGoogle(
-    options?: SignInWithOAuthOptions,
+    options?: SignInWithGoogleOptions,
   ): Promise<SignInResult> {
     const provider = new GoogleAuthProvider();
     this.applySignInOptions(options || {}, provider);