feat: support FIREBASE_CREDENTIALS_JSON env var + improve error handling

firebase_app_check.py

@@ -1,4 +1,5 @@
 import os
+import json
 from typing import Optional
 
 try:
@@ -7,9 +8,9 @@ try:
     # App Check verification is available in newer firebase_admin versions
     try:
         from firebase_admin import app_check
-    except Exception:  # pragma: no cover
+    except ImportError:
         app_check = None
-except Exception:  # pragma: no cover
+except ImportError:
     firebase_admin = None
     credentials = None
     app_check = None
@@ -19,9 +20,11 @@ _initialized = False
 def initialize_firebase() -> bool:
     """Initialize Firebase Admin SDK from env.
 
-    Env vars:
-    - FIREBASE_CREDENTIALS: path to service account json
-    - FIREBASE_PROJECT_ID: optional project override
+    Supports two ways to provide credentials:
+    1. FIREBASE_CREDENTIALS_JSON: Full JSON content as string
+    2. FIREBASE_CREDENTIALS: Path to service account JSON file
+    
+    Optional: FIREBASE_PROJECT_ID to override project ID
     """
     global _initialized
     if _initialized:
@@ -35,22 +38,37 @@ def initialize_firebase() -> bool:
         _initialized = True
         return True
 
+    # Try JSON content first (for Hugging Face secrets)
+    cred_json = os.getenv("FIREBASE_CREDENTIALS_JSON")
+    if cred_json:
+        try:
+            cred_dict = json.loads(cred_json)
+            cred = credentials.Certificate(cred_dict)
+            firebase_admin.initialize_app(cred, {
+                "projectId": os.getenv("FIREBASE_PROJECT_ID") or cred_dict.get("project_id")
+            })
+            _initialized = True
+            return True
+        except Exception as e:
+            print(f"Warning: Failed to initialize Firebase from JSON: {e}")
+    
+    # Fallback to file path
     cred_path = os.getenv("FIREBASE_CREDENTIALS")
-    if not cred_path or not os.path.exists(cred_path):
-        return False
-
-    try:
-        cred = credentials.Certificate(cred_path)
-        firebase_admin.initialize_app(cred, {
-            "projectId": os.getenv("FIREBASE_PROJECT_ID")
-        })
-        _initialized = True
-        return True
-    except Exception:
-        return False
+    if cred_path and os.path.exists(cred_path):
+        try:
+            cred = credentials.Certificate(cred_path)
+            firebase_admin.initialize_app(cred, {
+                "projectId": os.getenv("FIREBASE_PROJECT_ID")
+            })
+            _initialized = True
+            return True
+        except Exception as e:
+            print(f"Warning: Failed to initialize Firebase from file: {e}")
+    
+    return False
 
 def verify_app_check_token(token: Optional[str]) -> bool:
-    """Verify Firebase App Check token if module is available.
+    """Verify Firebase App Check token.
 
     Returns True if verification succeeds. If App Check is not available or
     not initialized, returns False to indicate verification not possible.
@@ -58,16 +76,22 @@ def verify_app_check_token(token: Optional[str]) -> bool:
     if not token:
         return False
 
+    # If App Check module is not available, skip verification
     if app_check is None:
+        print("Warning: Firebase App Check module not available")
         return False
 
     if not initialize_firebase():
+        print("Warning: Firebase not initialized, skipping App Check verification")
         return False
 
     try:
-        app_check.verify_token(token)
-        return True
-    except Exception:
+        # Verify the App Check token
+        # Note: verify_token() returns decoded token claims if valid, raises exception if invalid
+        decoded_token = app_check.verify_token(token)
+        return decoded_token is not None
+    except Exception as e:
+        print(f"Warning: App Check token verification failed: {e}")
         return False