@@ -10,11 +10,20 @@ abstract class IFirebaseAuthenticator {
1010Future <String ?> getAccessToken ();
1111}
1212
13+ /// {@template firebase_authenticator}
1314/// A concrete implementation of [IFirebaseAuthenticator] that uses a
1415/// two-legged OAuth flow to obtain an access token from Google.
16+ ///
17+ /// This service is responsible for generating a signed JWT using the service
18+ /// account credentials and exchanging it for a short-lived OAuth2 access token
19+ /// that can be used to authenticate with Google APIs, such as the Firebase
20+ /// Cloud Messaging (FCM) v1 API.
21+ /// {@endtemplate}
1522class FirebaseAuthenticator implements IFirebaseAuthenticator {
23+ /// {@macro firebase_authenticator}
1624 /// Creates an instance of [FirebaseAuthenticator] .
1725FirebaseAuthenticator ({required Logger log}) : _log = log {
26+ // This internal HttpClient is used exclusively for the token exchange.
1827 // This internal HttpClient is used exclusively for the token exchange.
1928 // It does not have an auth interceptor, which is crucial to prevent
2029 // an infinite loop.
@@ -28,13 +37,16 @@ class FirebaseAuthenticator implements IFirebaseAuthenticator {
2837 late final HttpClient _tokenClient;
2938
3039 @override
40+ /// Retrieves a short-lived OAuth2 access token for Firebase.
3141Future <String ?> getAccessToken () async {
3242 _log.info ('Requesting new Firebase access token...' );
3343 try {
3444 // Step 1: Create and sign the JWT.
3545 final pem = EnvironmentConfig .firebasePrivateKey! .replaceAll (r'\n' , '\n ' );
3646 final privateKey = RSAPrivateKey (pem);
3747 final jwt = JWT (
48+ // The 'scope' claim defines the permissions the access token will have.
49+ // 'cloud-platform' is a broad scope suitable for many Google Cloud APIs.
3850 {'scope' : 'https://www.googleapis.com/auth/cloud-platform' },
3951 issuer: EnvironmentConfig .firebaseClientEmail,
4052 audience: Audience .one ('https://oauth2.googleapis.com/token' ),
0 commit comments