IssueTracker

Motivation

I want to be able to test a pubsub push subscription locally. In order to fully test this, I need to test the JWT verification as well.

Currently, when using the emulator, there is no Authorization header sent with the push request to my backend. This is despite setting oidcToken in the pushConfig (node client lib). I would expect to either receive an error somewhere, or receive an Authorization header. This is also not documented anywhere, unless I've missed it.

Full use-case

I have front-end functionality to upload a file from frontend. I am sending a Cloud Storage signed upload URL from the backend to the frontend. The URL is baked with relevant metadata for the file to be uploaded. When the upload is complete, Cloud Storage will send a notification to a Pub/Sub topic, which has a Push subscription set up to my backend. Once the message hits my backend, the JWT token is validated to make sure this is really from Pub/Sub, and the upload is registered in my DB with the aforementioned metadata.

Went testing this locally, I use a pull subscription to replay the message through a locally running Pub/Sub Emulator. Everything works, except for the missing Authentication header. This means I cannot know if the token is being validated correctly unless I deploy the application and test it live.

Implementation

When setting the oidcToken property, it's implied that you want a token to be sent with the push request. A token should be able to be generated from the local application-default credentials, as I understand it.

Here is an example of a configuration, that I think should warrant sending an Authorization header with the request:

const sub = topic.subscription("media-upload-sub");
if (!(await sub.exists())[0]) {
  sub.create({
    pushConfig: {
      pushEndpoint: "http://localhost:3000/api/register-gcs-upload",
      oidcToken: {
        serviceAccountEmail: process.env.GCP_SERVICE_ACCOUNT_EMAIL
      }
    }
  });
}