Feature Request: Allow configuring callable functions to use checkRevoked in its call to verifyIdToken

[johangu]

Related issues

N/A

[REQUIRED] Version info

node: 16.17.1

firebase-functions: 3.24.0

firebase-tools: 11.10.0

firebase-admin: 11.0.1

[REQUIRED] Test case

module.exports = functions.https.onCall(async (data, context) =>  true)

[REQUIRED] Steps to reproduce

Revoke the users refresh token an call the above function

[REQUIRED] Expected behavior

I should have an option to make sure the function calls verifyIdToken with checkRevoked = true so a user with a revoked token is unable to call the functions.
The only call I can find happens here and has no way of passing checkRevoked = true as it's defaulted to false:

firebase-functions/src/common/providers/https.ts

Line 591 in ffa3a57

authToken = await getAuth(getApp()).verifyIdToken(idToken);

[REQUIRED] Actual behavior

A user with a revoked token can call the function just fine as long as the expiry of the ID token hasn't passed.

Were you able to successfully deploy your functions?

N/A

[njoshi22]

Is there any progress on this?