Add AppCheck Interop for Firestore (#8749)

CMakeLists.txt

@@ -261,6 +261,7 @@ if(FIREBASE_IOS_BUILD_TESTS)
   enable_testing()
 endif()
 
+add_subdirectory(FirebaseAppCheck/Sources/Interop/)
 add_subdirectory(FirebaseCore)
 add_subdirectory(Firestore)
 add_subdirectory(Interop/Auth)

FirebaseAppCheck/Sources/Interop/CMakeLists.txt

@@ -0,0 +1,27 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if(NOT APPLE)
+  return()
+endif()
+
+file(GLOB headers *.h)
+firebase_ios_generate_dummy_source(FirebaseAppCheckInterop sources)
+
+firebase_ios_add_framework(
+  FirebaseAppCheckInterop DISABLE_STRICT_WARNINGS EXCLUDE_FROM_ALL
+  ${headers} ${sources}
+)
+
+firebase_ios_framework_public_headers(FirebaseAppCheckInterop ${headers})

FirebaseFirestore.podspec

@@ -42,6 +42,7 @@ Google Cloud Firestore is a NoSQL document database built for automatic scaling,
   # version wins in the global header map. The benefit of keeping them here is
   # that "quick open" by filename in Xcode will continue to work.
   s.source_files = [
+    'FirebaseAppCheck/Sources/Interop/*.h',
     'FirebaseCore/Sources/Private/*.h',
     'Firestore/Source/Public/FirebaseFirestore/*.h',
     'Firestore/Source/**/*.{m,mm}',

Firestore/Example/Firestore.xcodeproj/project.pbxproj

@@ -167,6 +167,7 @@
 		227CFA0B2A01884C277E4F1D /* hashing_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 54511E8D209805F8005BD28F /* hashing_test.cc */; };
 		229D1A9381F698D71F229471 /* string_win_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 79507DF8378D3C42F5B36268 /* string_win_test.cc */; };
 		22A00AC39CAB3426A943E037 /* query.pb.cc in Sources */ = {isa = PBXBuildFile; fileRef = 544129D621C2DDC800EFB9CC /* query.pb.cc */; };
+		22C0AD64F510FE696633B53A /* fake_auth_credentials_provider.cc in Sources */ = {isa = PBXBuildFile; fileRef = 156FFE30DBD1152C5CECE166 /* fake_auth_credentials_provider.cc */; };
 		23C04A637090E438461E4E70 /* latlng.pb.cc in Sources */ = {isa = PBXBuildFile; fileRef = 618BBE9220B89AAC00B5BCE7 /* latlng.pb.cc */; };
 		23EFC681986488B033C2B318 /* leveldb_opener_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 75860CD13AF47EB1EA39EC2F /* leveldb_opener_test.cc */; };
 		248DE4F56DD938F4DBCCF39B /* bundle_reader_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 6ECAF7DE28A19C69DF386D88 /* bundle_reader_test.cc */; };
@@ -233,8 +234,8 @@
 		31A396C81A107D1DEFDF4A34 /* serializer_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 61F72C5520BC48FD001A68CB /* serializer_test.cc */; };
 		31BDB4CB0E7458C650A77ED0 /* FIRFirestoreTests.mm in Sources */ = {isa = PBXBuildFile; fileRef = 5467FAFF203E56F8009C9584 /* FIRFirestoreTests.mm */; };
 		31D8E3D925FA3F70AA20ACCE /* FSTMockDatastore.mm in Sources */ = {isa = PBXBuildFile; fileRef = 5492E02D20213FFC00B64F25 /* FSTMockDatastore.mm */; };
+		31DD9D84A942297E5FDD9222 /* fake_auth_credentials_provider.cc in Sources */ = {isa = PBXBuildFile; fileRef = 156FFE30DBD1152C5CECE166 /* fake_auth_credentials_provider.cc */; };
 		32030FA5B4BE6ABDFF2F974E /* bundle_spec_test.json in Resources */ = {isa = PBXBuildFile; fileRef = 79EAA9F7B1B9592B5F053923 /* bundle_spec_test.json */; };
-		32204CC85B7C8902B6631FD6 /* fake_credentials_provider.cc in Sources */ = {isa = PBXBuildFile; fileRef = DCC17AF218430D8BB28DD197 /* fake_credentials_provider.cc */; };
 		32A95242C56A1A230231DB6A /* testutil.cc in Sources */ = {isa = PBXBuildFile; fileRef = 54A0352820A3B3BD003E0143 /* testutil.cc */; };
 		32B0739404FA588608E1F41A /* CodableTimestampTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 7B65C996438B84DBC7616640 /* CodableTimestampTests.swift */; };
 		32F022CB75AEE48CDDAF2982 /* mutation_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = C8522DE226C467C54E6788D8 /* mutation_test.cc */; };
@@ -375,7 +376,6 @@
 		5150E9F256E6E82D6F3CB3F1 /* bundle_cache_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = F7FC06E0A47D393DE1759AE1 /* bundle_cache_test.cc */; };
 		518BF03D57FBAD7C632D18F8 /* FIRQueryUnitTests.mm in Sources */ = {isa = PBXBuildFile; fileRef = FF73B39D04D1760190E6B84A /* FIRQueryUnitTests.mm */; };
 		52967C3DD7896BFA48840488 /* byte_string_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 5342CDDB137B4E93E2E85CCA /* byte_string_test.cc */; };
-		52F01010E717E4419D714FA7 /* fake_credentials_provider.cc in Sources */ = {isa = PBXBuildFile; fileRef = DCC17AF218430D8BB28DD197 /* fake_credentials_provider.cc */; };
 		53AB47E44D897C81A94031F6 /* write.pb.cc in Sources */ = {isa = PBXBuildFile; fileRef = 544129D921C2DDC800EFB9CC /* write.pb.cc */; };
 		53BBB5CDED453F923ADD08D2 /* stream_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 5B5414D28802BC76FDADABD6 /* stream_test.cc */; };
 		53F449F69DF8A3ABC711FD59 /* secure_random_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 54740A531FC913E500713A1A /* secure_random_test.cc */; };
@@ -675,7 +675,6 @@
 		75D124966E727829A5F99249 /* FIRTypeTests.mm in Sources */ = {isa = PBXBuildFile; fileRef = 5492E071202154D600B64F25 /* FIRTypeTests.mm */; };
 		76A5447D76F060E996555109 /* task_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 899FC22684B0F7BEEAE13527 /* task_test.cc */; };
 		7731E564468645A4A62E2A3C /* leveldb_key_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 54995F6E205B6E12004EFFA0 /* leveldb_key_test.cc */; };
-		777C50D28F3AAC44D0C66924 /* fake_credentials_provider.cc in Sources */ = {isa = PBXBuildFile; fileRef = DCC17AF218430D8BB28DD197 /* fake_credentials_provider.cc */; };
 		77BB66DD17A8E6545DE22E0B /* remote_document_cache_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 7EB299CF85034F09CFD6F3FD /* remote_document_cache_test.cc */; };
 		77C459976DCF7503AEE18F7F /* leveldb_bundle_cache_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 8E9CD82E60893DDD7757B798 /* leveldb_bundle_cache_test.cc */; };
 		77D3CF0BE43BC67B9A26B06D /* FIRFieldPathTests.mm in Sources */ = {isa = PBXBuildFile; fileRef = 5492E04C202154AA00B64F25 /* FIRFieldPathTests.mm */; };
@@ -796,6 +795,7 @@
 		93E5620E3884A431A14500B0 /* document_key_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = B6152AD5202A5385000E5744 /* document_key_test.cc */; };
 		94854FAEAEA75A1AC77A0515 /* memory_bundle_cache_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = AB4AB1388538CD3CB19EB028 /* memory_bundle_cache_test.cc */; };
 		94BBB23B93E449D03FA34F87 /* mutation_queue_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 3068AA9DFBBA86C1FE2A946E /* mutation_queue_test.cc */; };
+		959A4C4475CBC6E57833748D /* fake_auth_credentials_provider.cc in Sources */ = {isa = PBXBuildFile; fileRef = 156FFE30DBD1152C5CECE166 /* fake_auth_credentials_provider.cc */; };
 		95C0F55813DA51E6B8C439E1 /* status_apple_test.mm in Sources */ = {isa = PBXBuildFile; fileRef = 5493A423225F9990006DE7BA /* status_apple_test.mm */; };
 		95CE3F5265B9BB7297EE5A6B /* lru_garbage_collector_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 277EAACC4DD7C21332E8496A /* lru_garbage_collector_test.cc */; };
 		95DCD082374F871A86EF905F /* to_string_apple_test.mm in Sources */ = {isa = PBXBuildFile; fileRef = B68B1E002213A764008977EF /* to_string_apple_test.mm */; };
@@ -842,6 +842,7 @@
 		A1F57CC739211F64F2E9232D /* hard_assert_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 444B7AB3F5A2929070CB1363 /* hard_assert_test.cc */; };
 		A215078DBFBB5A4F4DADE8A9 /* leveldb_index_manager_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 166CE73C03AB4366AAC5201C /* leveldb_index_manager_test.cc */; };
 		A21819C437C3C80450D7EEEE /* writer_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = BC3C788D290A935C353CEAA1 /* writer_test.cc */; };
+		A2424F8C6C20274298D5161D /* fake_auth_credentials_provider.cc in Sources */ = {isa = PBXBuildFile; fileRef = 156FFE30DBD1152C5CECE166 /* fake_auth_credentials_provider.cc */; };
 		A25FF76DEF542E01A2DF3B0E /* time_testing.cc in Sources */ = {isa = PBXBuildFile; fileRef = 5497CB76229DECDE000FB92F /* time_testing.cc */; };
 		A27096F764227BC73526FED3 /* leveldb_remote_document_cache_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 0840319686A223CC4AD3FAB1 /* leveldb_remote_document_cache_test.cc */; };
 		A27908A198E1D2230C1801AC /* bundle_serializer_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = B5C2A94EE24E60543F62CC35 /* bundle_serializer_test.cc */; };
@@ -858,7 +859,6 @@
 		A5B8C273593D1BB6E8AE4CBA /* view_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = C7429071B33BDF80A7FA2F8A /* view_test.cc */; };
 		A602E6C7C8B243BB767D251C /* leveldb_index_manager_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 166CE73C03AB4366AAC5201C /* leveldb_index_manager_test.cc */; };
 		A61BB461F3E5822175F81719 /* memory_remote_document_cache_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 1CA9800A53669EFBFFB824E3 /* memory_remote_document_cache_test.cc */; };
-		A62CDCEBE56E37FBB085CFF9 /* fake_credentials_provider.cc in Sources */ = {isa = PBXBuildFile; fileRef = DCC17AF218430D8BB28DD197 /* fake_credentials_provider.cc */; };
 		A6A916A7DEA41EE29FD13508 /* watch_change_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 2D7472BC70C024D736FF74D9 /* watch_change_test.cc */; };
 		A6A9946A006AA87240B37E31 /* defer_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 8ABAC2E0402213D837F73DC3 /* defer_test.cc */; };
 		A6D57EC3A0BF39060705ED29 /* string_format_apple_test.mm in Sources */ = {isa = PBXBuildFile; fileRef = 9CFD366B783AE27B9E79EE7A /* string_format_apple_test.mm */; };
@@ -919,9 +919,9 @@
 		B0B779769926304268200015 /* query_spec_test.json in Resources */ = {isa = PBXBuildFile; fileRef = 731541602214AFFA0037F4DC /* query_spec_test.json */; };
 		B0D10C3451EDFB016A6EAF03 /* writer_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = BC3C788D290A935C353CEAA1 /* writer_test.cc */; };
 		B15D17049414E2F5AE72C9C6 /* memory_local_store_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = F6CA0C5638AB6627CB5B4CF4 /* memory_local_store_test.cc */; };
+		B18466F8D352BA4842317EF4 /* fake_auth_credentials_provider.cc in Sources */ = {isa = PBXBuildFile; fileRef = 156FFE30DBD1152C5CECE166 /* fake_auth_credentials_provider.cc */; };
 		B192F30DECA8C28007F9B1D0 /* array_sorted_map_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 54EB764C202277B30088B8F3 /* array_sorted_map_test.cc */; };
 		B1A4D8A731EC0A0B16CC411A /* append_only_list_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 5477CDE922EE71C8000FCC1E /* append_only_list_test.cc */; };
-		B1D9133BE9A4EBC42ABE246C /* fake_credentials_provider.cc in Sources */ = {isa = PBXBuildFile; fileRef = DCC17AF218430D8BB28DD197 /* fake_credentials_provider.cc */; };
 		B220E091D8F4E6DE1EA44F57 /* executor_libdispatch_test.mm in Sources */ = {isa = PBXBuildFile; fileRef = B6FB4689208F9B9100554BA2 /* executor_libdispatch_test.mm */; };
 		B235E260EA0DCB7BAC04F69B /* field_path_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = B686F2AD2023DDB20028D6BE /* field_path_test.cc */; };
 		B28ACC69EB1F232AE612E77B /* async_testing.cc in Sources */ = {isa = PBXBuildFile; fileRef = 872C92ABD71B12784A1C5520 /* async_testing.cc */; };
@@ -970,7 +970,6 @@
 		B844B264311E18051B1671ED /* value_util_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 40F9D09063A07F710811A84F /* value_util_test.cc */; };
 		B896E5DE1CC27347FAC009C3 /* BasicCompileTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = DE0761F61F2FE68D003233AF /* BasicCompileTests.swift */; };
 		B921A4F35B58925D958DD9A6 /* reference_set_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 132E32997D781B896672D30A /* reference_set_test.cc */; };
-		B94A967AAB5C9ECC0CB06706 /* fake_credentials_provider.cc in Sources */ = {isa = PBXBuildFile; fileRef = DCC17AF218430D8BB28DD197 /* fake_credentials_provider.cc */; };
 		B9706A5CD29195A613CF4147 /* bundle_reader_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 6ECAF7DE28A19C69DF386D88 /* bundle_reader_test.cc */; };
 		B99452AB7E16B72D1C01FBBC /* datastore_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 3167BD972EFF8EC636530E59 /* datastore_test.cc */; };
 		BA0BB02821F1949783C8AA50 /* FIRCollectionReferenceTests.mm in Sources */ = {isa = PBXBuildFile; fileRef = 5492E045202154AA00B64F25 /* FIRCollectionReferenceTests.mm */; };
@@ -1084,6 +1083,7 @@
 		D658E6DA5A218E08810E1688 /* byte_string_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 5342CDDB137B4E93E2E85CCA /* byte_string_test.cc */; };
 		D6962E598CEDABA312D87760 /* bundle_reader_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 6ECAF7DE28A19C69DF386D88 /* bundle_reader_test.cc */; };
 		D69B97FF4C065EACEDD91886 /* FSTSyncEngineTestDriver.mm in Sources */ = {isa = PBXBuildFile; fileRef = 5492E02E20213FFC00B64F25 /* FSTSyncEngineTestDriver.mm */; };
+		D6ABCD1DF44DE81659943CF7 /* fake_auth_credentials_provider.cc in Sources */ = {isa = PBXBuildFile; fileRef = 156FFE30DBD1152C5CECE166 /* fake_auth_credentials_provider.cc */; };
 		D6DE74259F5C0CCA010D6A0D /* grpc_stream_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = B6BBE42F21262CF400C6A53E /* grpc_stream_test.cc */; };
 		D6E0E54CD1640E726900828A /* document_key_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = B6152AD5202A5385000E5744 /* document_key_test.cc */; };
 		D711B3F495923680B6FC2FC6 /* object_value_test.cc in Sources */ = {isa = PBXBuildFile; fileRef = 214877F52A705012D6720CA0 /* object_value_test.cc */; };
@@ -1328,6 +1328,7 @@
 		1277F98C20D2DF0867496976 /* Pods-Firestore_IntegrationTests_iOS.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Firestore_IntegrationTests_iOS.debug.xcconfig"; path = "Pods/Target Support Files/Pods-Firestore_IntegrationTests_iOS/Pods-Firestore_IntegrationTests_iOS.debug.xcconfig"; sourceTree = "<group>"; };
 		12F4357299652983A615F886 /* LICENSE */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text; name = LICENSE; path = ../LICENSE; sourceTree = "<group>"; };
 		132E32997D781B896672D30A /* reference_set_test.cc */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = reference_set_test.cc; sourceTree = "<group>"; };
+		156FFE30DBD1152C5CECE166 /* fake_auth_credentials_provider.cc */ = {isa = PBXFileReference; includeInIndex = 1; path = fake_auth_credentials_provider.cc; sourceTree = "<group>"; };
 		166CE73C03AB4366AAC5201C /* leveldb_index_manager_test.cc */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.cpp.cpp; path = leveldb_index_manager_test.cc; sourceTree = "<group>"; };
 		1B342370EAE3AA02393E33EB /* cc_compilation_test.cc */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.cpp.cpp; name = cc_compilation_test.cc; path = api/cc_compilation_test.cc; sourceTree = "<group>"; };
 		1CA9800A53669EFBFFB824E3 /* memory_remote_document_cache_test.cc */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.cpp.cpp; path = memory_remote_document_cache_test.cc; sourceTree = "<group>"; };
@@ -1475,7 +1476,6 @@
 		5C7942B6244F4C416B11B86C /* leveldb_mutation_queue_test.cc */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.cpp.cpp; path = leveldb_mutation_queue_test.cc; sourceTree = "<group>"; };
 		5CAE131920FFFED600BE9A4A /* Firestore_Benchmarks_iOS.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = Firestore_Benchmarks_iOS.xctest; sourceTree = BUILT_PRODUCTS_DIR; };
 		5CAE131D20FFFED600BE9A4A /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
-		5CF1D440ECD488305F0AE2AC /* fake_credentials_provider.h */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.c.h; path = fake_credentials_provider.h; sourceTree = "<group>"; };
 		5FF903AEFA7A3284660FA4C5 /* leveldb_local_store_test.cc */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.cpp.cpp; path = leveldb_local_store_test.cc; sourceTree = "<group>"; };
 		6003F58A195388D20070C39A /* Firestore_Example_iOS.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = Firestore_Example_iOS.app; sourceTree = BUILT_PRODUCTS_DIR; };
 		6003F58D195388D20070C39A /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = System/Library/Frameworks/Foundation.framework; sourceTree = SDKROOT; };
@@ -1644,7 +1644,6 @@
 		DAFF0D0021E64AC40062958F /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = "<group>"; };
 		DAFF0D0221E64AC40062958F /* macOS.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = macOS.entitlements; sourceTree = "<group>"; };
 		DB5A1E760451189DA36028B3 /* memory_index_manager_test.cc */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.cpp.cpp; path = memory_index_manager_test.cc; sourceTree = "<group>"; };
-		DCC17AF218430D8BB28DD197 /* fake_credentials_provider.cc */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.cpp.cpp; path = fake_credentials_provider.cc; sourceTree = "<group>"; };
 		DE03B2E91F2149D600A30B9C /* Firestore_IntegrationTests_iOS.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = Firestore_IntegrationTests_iOS.xctest; sourceTree = BUILT_PRODUCTS_DIR; };
 		DE0761F61F2FE68D003233AF /* BasicCompileTests.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = BasicCompileTests.swift; sourceTree = "<group>"; };
 		DE51B1881F0D48AC0013853F /* FSTHelpers.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = FSTHelpers.h; sourceTree = "<group>"; };
@@ -1660,6 +1659,7 @@
 		E8551D6C6FB0B1BACE9E5BAD /* field_filter_test.cc */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.cpp.cpp; path = field_filter_test.cc; sourceTree = "<group>"; };
 		ECEBABC7E7B693BE808A1052 /* Pods_Firestore_IntegrationTests_iOS.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Pods_Firestore_IntegrationTests_iOS.framework; sourceTree = BUILT_PRODUCTS_DIR; };
 		EF83ACD5E1E9F25845A9ACED /* leveldb_migrations_test.cc */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.cpp.cpp; path = leveldb_migrations_test.cc; sourceTree = "<group>"; };
+		F11144CFB04250693F4D7B13 /* fake_auth_credentials_provider.h */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.c.h; path = fake_auth_credentials_provider.h; sourceTree = "<group>"; };
 		F354C0FE92645B56A6C6FD44 /* Pods-Firestore_IntegrationTests_iOS.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Firestore_IntegrationTests_iOS.release.xcconfig"; path = "Pods/Target Support Files/Pods-Firestore_IntegrationTests_iOS/Pods-Firestore_IntegrationTests_iOS.release.xcconfig"; sourceTree = "<group>"; };
 		F51859B394D01C0C507282F1 /* filesystem_test.cc */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.cpp.cpp; path = filesystem_test.cc; sourceTree = "<group>"; };
 		F694C3CE4B77B3C0FA4BBA53 /* Pods_Firestore_Benchmarks_iOS.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Pods_Firestore_Benchmarks_iOS.framework; sourceTree = BUILT_PRODUCTS_DIR; };
@@ -1863,8 +1863,8 @@
 				9098A0C535096F2EE9C35DE0 /* create_noop_connectivity_monitor.h */,
 				3167BD972EFF8EC636530E59 /* datastore_test.cc */,
 				B6D1B68420E2AB1A00B35856 /* exponential_backoff_test.cc */,
-				DCC17AF218430D8BB28DD197 /* fake_credentials_provider.cc */,
-				5CF1D440ECD488305F0AE2AC /* fake_credentials_provider.h */,
+				156FFE30DBD1152C5CECE166 /* fake_auth_credentials_provider.cc */,
+				F11144CFB04250693F4D7B13 /* fake_auth_credentials_provider.h */,
 				71140E5D09C6E76F7C71B2FC /* fake_target_metadata_provider.cc */,
 				52756B7624904C36FBB56000 /* fake_target_metadata_provider.h */,
 				B6D9649021544D4F00EB9CFB /* grpc_connection_test.cc */,
@@ -3485,7 +3485,7 @@
 				E7D415B8717701B952C344E5 /* executor_std_test.cc in Sources */,
 				470A37727BBF516B05ED276A /* executor_test.cc in Sources */,
 				2E0BBA7E627EB240BA11B0D0 /* exponential_backoff_test.cc in Sources */,
-				B1D9133BE9A4EBC42ABE246C /* fake_credentials_provider.cc in Sources */,
+				B18466F8D352BA4842317EF4 /* fake_auth_credentials_provider.cc in Sources */,
 				9009C285F418EA80C46CF06B /* fake_target_metadata_provider.cc in Sources */,
 				401BBE4D4572EEBAA80E0B89 /* field_filter_test.cc in Sources */,
 				07B1E8C62772758BC82FEBEE /* field_mask_test.cc in Sources */,
@@ -3675,7 +3675,7 @@
 				BAB43C839445782040657239 /* executor_std_test.cc in Sources */,
 				3A7CB01751697ED599F2D9A1 /* executor_test.cc in Sources */,
 				EF3518F84255BAF3EBD317F6 /* exponential_backoff_test.cc in Sources */,
-				52F01010E717E4419D714FA7 /* fake_credentials_provider.cc in Sources */,
+				31DD9D84A942297E5FDD9222 /* fake_auth_credentials_provider.cc in Sources */,
 				4DAFC3A3FD5E96910A517320 /* fake_target_metadata_provider.cc in Sources */,
 				6369DE4E258556FE3382DD78 /* field_filter_test.cc in Sources */,
 				ED4E2AC80CAF2A8FDDAC3DEE /* field_mask_test.cc in Sources */,
@@ -3878,7 +3878,7 @@
 				AECCD9663BB3DC52199F954A /* executor_std_test.cc in Sources */,
 				18F644E6AA98E6D6F3F1F809 /* executor_test.cc in Sources */,
 				6938575C8B5E6FE0D562547A /* exponential_backoff_test.cc in Sources */,
-				B94A967AAB5C9ECC0CB06706 /* fake_credentials_provider.cc in Sources */,
+				D6ABCD1DF44DE81659943CF7 /* fake_auth_credentials_provider.cc in Sources */,
 				258B372CF33B7E7984BBA659 /* fake_target_metadata_provider.cc in Sources */,
 				DF27137C8EA7D095D68851B4 /* field_filter_test.cc in Sources */,
 				F272A8C41D2353700A11D1FB /* field_mask_test.cc in Sources */,
@@ -4081,7 +4081,7 @@
 				17DFF30CF61D87883986E8B6 /* executor_std_test.cc in Sources */,
 				814724DE70EFC3DDF439CD78 /* executor_test.cc in Sources */,
 				BD6CC8614970A3D7D2CF0D49 /* exponential_backoff_test.cc in Sources */,
-				32204CC85B7C8902B6631FD6 /* fake_credentials_provider.cc in Sources */,
+				A2424F8C6C20274298D5161D /* fake_auth_credentials_provider.cc in Sources */,
 				4D2655C5675D83205C3749DC /* fake_target_metadata_provider.cc in Sources */,
 				0B071E9044CEEF666D829354 /* field_filter_test.cc in Sources */,
 				A1563EFEB021936D3FFE07E3 /* field_mask_test.cc in Sources */,
@@ -4281,7 +4281,7 @@
 				B6FB468F208F9BAE00554BA2 /* executor_std_test.cc in Sources */,
 				B6FB4690208F9BB300554BA2 /* executor_test.cc in Sources */,
 				B6D1B68520E2AB1B00B35856 /* exponential_backoff_test.cc in Sources */,
-				A62CDCEBE56E37FBB085CFF9 /* fake_credentials_provider.cc in Sources */,
+				959A4C4475CBC6E57833748D /* fake_auth_credentials_provider.cc in Sources */,
 				FAE5DA6ED3E1842DC21453EE /* fake_target_metadata_provider.cc in Sources */,
 				047F5209AB055A884D795B8A /* field_filter_test.cc in Sources */,
 				549CCA5720A36E1F00BCEB75 /* field_mask_test.cc in Sources */,
@@ -4503,7 +4503,7 @@
 				125B1048ECB755C2106802EB /* executor_std_test.cc in Sources */,
 				DABB9FB61B1733F985CBF713 /* executor_test.cc in Sources */,
 				7BCF050BA04537B0E7D44730 /* exponential_backoff_test.cc in Sources */,
-				777C50D28F3AAC44D0C66924 /* fake_credentials_provider.cc in Sources */,
+				22C0AD64F510FE696633B53A /* fake_auth_credentials_provider.cc in Sources */,
 				BA1C5EAE87393D8E60F5AE6D /* fake_target_metadata_provider.cc in Sources */,
 				97729B53698C0E52EB165003 /* field_filter_test.cc in Sources */,
 				6A40835DB2C02B9F07C02E88 /* field_mask_test.cc in Sources */,

Firestore/Example/Tests/Integration/FSTDatastoreTests.mm

@@ -59,7 +59,7 @@ namespace testutil = firebase::firestore::testutil;
 
 using firebase::Timestamp;
 using firebase::firestore::core::DatabaseInfo;
-using firebase::firestore::credentials::EmptyCredentialsProvider;
+using firebase::firestore::credentials::EmptyAuthCredentialsProvider;
 using firebase::firestore::credentials::User;
 using firebase::firestore::google_firestore_v1_Value;
 using firebase::firestore::local::LocalStore;
@@ -248,7 +248,7 @@ class RemoteStoreEventCapture : public RemoteStoreCallback {
   _connectivityMonitor = CreateNoOpConnectivityMonitor();
   _firebaseMetadataProvider = CreateFirebaseMetadataProviderNoOp();
   _datastore = std::make_shared<Datastore>(
-      _databaseInfo, _testWorkerQueue, std::make_shared<EmptyCredentialsProvider>(),
+      _databaseInfo, _testWorkerQueue, std::make_shared<EmptyAuthCredentialsProvider>(),
       _connectivityMonitor.get(), _firebaseMetadataProvider.get());
 
   _persistence = MemoryPersistence::WithEagerGarbageCollector();

Firestore/Example/Tests/SpecTests/FSTMockDatastore.h

@@ -39,7 +39,7 @@ class MockDatastore : public Datastore {
  public:
   MockDatastore(const core::DatabaseInfo& database_info,
                 const std::shared_ptr<util::AsyncQueue>& worker_queue,
-                std::shared_ptr<credentials::CredentialsProvider> credentials,
+                std::shared_ptr<credentials::AuthCredentialsProvider> credentials,
                 ConnectivityMonitor* connectivity_monitor,
                 FirebaseMetadataProvider* firebase_metadata_provider);
 
@@ -96,7 +96,7 @@ class MockDatastore : public Datastore {
   // reduces the number of test-only methods in `Datastore`.
   const core::DatabaseInfo* database_info_ = nullptr;
   std::shared_ptr<util::AsyncQueue> worker_queue_;
-  std::shared_ptr<credentials::CredentialsProvider> credentials_;
+  std::shared_ptr<credentials::AuthCredentialsProvider> credentials_;
 
   std::shared_ptr<MockWatchStream> watch_stream_;
   std::shared_ptr<MockWriteStream> write_stream_;

Firestore/Example/Tests/SpecTests/FSTMockDatastore.mm

@@ -43,7 +43,7 @@
 NS_ASSUME_NONNULL_BEGIN
 
 using firebase::firestore::core::DatabaseInfo;
-using firebase::firestore::credentials::CredentialsProvider;
+using firebase::firestore::credentials::AuthCredentialsProvider;
 using firebase::firestore::credentials::EmptyCredentialsProvider;
 using firebase::firestore::local::TargetData;
 using firebase::firestore::model::DatabaseId;
@@ -68,7 +68,7 @@ namespace remote {
 class MockWatchStream : public WatchStream {
  public:
   MockWatchStream(const std::shared_ptr<AsyncQueue>& worker_queue,
-                  std::shared_ptr<CredentialsProvider> credentials_provider,
+                  std::shared_ptr<AuthCredentialsProvider> credentials_provider,
                   Serializer serializer,
                   GrpcConnection* grpc_connection,
                   WatchStreamCallback* callback,
@@ -160,7 +160,7 @@ class MockWatchStream : public WatchStream {
 class MockWriteStream : public WriteStream {
  public:
   MockWriteStream(const std::shared_ptr<AsyncQueue>& worker_queue,
-                  std::shared_ptr<CredentialsProvider> credentials_provider,
+                  std::shared_ptr<AuthCredentialsProvider> credentials_provider,
                   Serializer serializer,
                   GrpcConnection* grpc_connection,
                   WriteStreamCallback* callback,
@@ -244,7 +244,7 @@ class MockWriteStream : public WriteStream {
 
 MockDatastore::MockDatastore(const core::DatabaseInfo& database_info,
                              const std::shared_ptr<util::AsyncQueue>& worker_queue,
-                             std::shared_ptr<credentials::CredentialsProvider> credentials,
+                             std::shared_ptr<credentials::AuthCredentialsProvider> credentials,
                              ConnectivityMonitor* connectivity_monitor,
                              FirebaseMetadataProvider* firebase_metadata_provider)
     : Datastore{database_info, worker_queue, credentials, connectivity_monitor,

Firestore/Example/Tests/SpecTests/FSTSyncEngineTestDriver.mm

@@ -73,7 +73,7 @@ using firebase::firestore::core::Query;
 using firebase::firestore::core::QueryListener;
 using firebase::firestore::core::SyncEngine;
 using firebase::firestore::core::ViewSnapshot;
-using firebase::firestore::credentials::EmptyCredentialsProvider;
+using firebase::firestore::credentials::EmptyAuthCredentialsProvider;
 using firebase::firestore::credentials::HashUser;
 using firebase::firestore::credentials::User;
 using firebase::firestore::local::QueryEngine;
@@ -232,7 +232,7 @@ NS_ASSUME_NONNULL_BEGIN
     _firebaseMetadataProvider = CreateFirebaseMetadataProviderNoOp();
 
     _datastore = std::make_shared<MockDatastore>(
-        _databaseInfo, _workerQueue, std::make_shared<EmptyCredentialsProvider>(),
+        _databaseInfo, _workerQueue, std::make_shared<EmptyAuthCredentialsProvider>(),
         _connectivityMonitor.get(), _firebaseMetadataProvider.get());
     _remoteStore = absl::make_unique<RemoteStore>(
         _localStore.get(), _datastore, _workerQueue, _connectivityMonitor.get(),

Firestore/Example/Tests/Util/FSTIntegrationTestCase.mm

@@ -55,6 +55,7 @@
 namespace util = firebase::firestore::util;
 
 using firebase::firestore::core::DatabaseInfo;
+using firebase::firestore::credentials::AuthToken;
 using firebase::firestore::credentials::CredentialChangeListener;
 using firebase::firestore::credentials::EmptyCredentialsProvider;
 using firebase::firestore::credentials::User;
@@ -85,9 +86,9 @@ static bool runningAgainstEmulator = false;
 
 // Behaves the same as `EmptyCredentialsProvider` except it can also trigger a user
 // change.
-class FakeCredentialsProvider : public EmptyCredentialsProvider {
+class FakeCredentialsProvider : public EmptyCredentialsProvider<AuthToken, User> {
  public:
-  void SetCredentialChangeListener(CredentialChangeListener changeListener) override {
+  void SetCredentialChangeListener(CredentialChangeListener<User> changeListener) override {
     if (changeListener) {
       listener_ = std::move(changeListener);
       listener_(User::Unauthenticated());
@@ -101,7 +102,7 @@ class FakeCredentialsProvider : public EmptyCredentialsProvider {
   }
 
  private:
-  CredentialChangeListener listener_;
+  CredentialChangeListener<User> listener_;
 };
 
 @implementation FSTIntegrationTestCase {

Firestore/Source/API/FIRFirestore+Internal.h

@@ -56,15 +56,16 @@ NS_ASSUME_NONNULL_BEGIN
  * Initializes a Firestore object with all the required parameters directly. This exists so that
  * tests can create FIRFirestore objects without needing FIRApp.
  */
-- (instancetype)
-          initWithDatabaseID:(model::DatabaseId)databaseID
-              persistenceKey:(std::string)persistenceKey
-         credentialsProvider:(std::shared_ptr<credentials::CredentialsProvider>)credentialsProvider
-                 workerQueue:(std::shared_ptr<firebase::firestore::util::AsyncQueue>)workerQueue
-    firebaseMetadataProvider:
-        (std::unique_ptr<remote::FirebaseMetadataProvider>)firebaseMetadataProvider
-                 firebaseApp:(FIRApp *)app
-            instanceRegistry:(nullable id<FSTFirestoreInstanceRegistry>)registry;
+- (instancetype)initWithDatabaseID:(model::DatabaseId)databaseID
+                    persistenceKey:(std::string)persistenceKey
+               credentialsProvider:
+                   (std::shared_ptr<credentials::AuthCredentialsProvider>)credentialsProvider
+                       workerQueue:
+                           (std::shared_ptr<firebase::firestore::util::AsyncQueue>)workerQueue
+          firebaseMetadataProvider:
+              (std::unique_ptr<remote::FirebaseMetadataProvider>)firebaseMetadataProvider
+                       firebaseApp:(FIRApp *)app
+                  instanceRegistry:(nullable id<FSTFirestoreInstanceRegistry>)registry;
 @end
 
 /** Internal FIRFirestore API we don't want exposed in our public header files. */

Firestore/Source/API/FIRFirestore.mm

@@ -62,7 +62,7 @@ using firebase::firestore::api::DocumentReference;
 using firebase::firestore::api::Firestore;
 using firebase::firestore::api::ListenerRegistration;
 using firebase::firestore::core::EventListener;
-using firebase::firestore::credentials::CredentialsProvider;
+using firebase::firestore::credentials::AuthCredentialsProvider;
 using firebase::firestore::model::DatabaseId;
 using firebase::firestore::remote::FirebaseMetadataProvider;
 using firebase::firestore::util::AsyncQueue;
@@ -142,7 +142,7 @@ NS_ASSUME_NONNULL_BEGIN
 
 - (instancetype)initWithDatabaseID:(model::DatabaseId)databaseID
                     persistenceKey:(std::string)persistenceKey
-               credentialsProvider:(std::shared_ptr<CredentialsProvider>)credentialsProvider
+               credentialsProvider:(std::shared_ptr<AuthCredentialsProvider>)credentialsProvider
                        workerQueue:(std::shared_ptr<AsyncQueue>)workerQueue
           firebaseMetadataProvider:
               (std::unique_ptr<FirebaseMetadataProvider>)firebaseMetadataProvider

Firestore/Source/API/FSTFirestoreComponent.mm

@@ -27,7 +27,7 @@
 #include "Firestore/core/include/firebase/firestore/firestore_version.h"
 #include "Firestore/core/src/api/firestore.h"
 #include "Firestore/core/src/credentials/credentials_provider.h"
-#include "Firestore/core/src/credentials/firebase_credentials_provider_apple.h"
+#include "Firestore/core/src/credentials/firebase_auth_credentials_provider_apple.h"
 #include "Firestore/core/src/remote/firebase_metadata_provider.h"
 #include "Firestore/core/src/remote/firebase_metadata_provider_apple.h"
 #include "Firestore/core/src/util/async_queue.h"
@@ -37,7 +37,7 @@
 #include "absl/memory/memory.h"
 
 using firebase::firestore::credentials::CredentialsProvider;
-using firebase::firestore::credentials::FirebaseCredentialsProvider;
+using firebase::firestore::credentials::FirebaseAuthCredentialsProvider;
 using firebase::firestore::remote::FirebaseMetadataProviderApple;
 using firebase::firestore::util::AsyncQueue;
 using firebase::firestore::util::Executor;
@@ -98,7 +98,7 @@ NS_ASSUME_NONNULL_BEGIN
       auto workerQueue = AsyncQueue::Create(std::move(executor));
 
       id<FIRAuthInterop> auth = FIR_COMPONENT(FIRAuthInterop, self.app.container);
-      auto credentialsProvider = std::make_shared<FirebaseCredentialsProvider>(self.app, auth);
+      auto credentialsProvider = std::make_shared<FirebaseAuthCredentialsProvider>(self.app, auth);
 
       auto firebaseMetadataProvider = absl::make_unique<FirebaseMetadataProviderApple>(self.app);
 

Firestore/core/CMakeLists.txt

@@ -212,7 +212,8 @@ firebase_ios_glob(
 if(APPLE)
   firebase_ios_glob(
     core_sources APPEND
-    src/credentials/firebase_credentials_provider_apple.*
+    src/credentials/firebase_app_check_credentials_provider_apple.*
+    src/credentials/firebase_auth_credentials_provider_apple.*
     src/remote/connectivity_monitor_apple.mm
     src/remote/firebase_metadata_provider_apple.mm
   )

Firestore/core/src/api/firestore.cc

@@ -46,7 +46,7 @@ namespace api {
 using core::AsyncEventListener;
 using core::DatabaseInfo;
 using core::FirestoreClient;
-using credentials::CredentialsProvider;
+using credentials::AuthCredentialsProvider;
 using local::LevelDbPersistence;
 using model::ResourcePath;
 using remote::FirebaseMetadataProvider;
@@ -59,7 +59,7 @@ using util::Status;
 Firestore::Firestore(
     model::DatabaseId database_id,
     std::string persistence_key,
-    std::shared_ptr<CredentialsProvider> credentials_provider,
+    std::shared_ptr<AuthCredentialsProvider> credentials_provider,
     std::shared_ptr<AsyncQueue> worker_queue,
     std::unique_ptr<FirebaseMetadataProvider> firebase_metadata_provider,
     void* extension)

Firestore/core/src/api/firestore.h

@@ -25,6 +25,7 @@
 #include "Firestore/core/src/api/load_bundle_task.h"
 #include "Firestore/core/src/api/settings.h"
 #include "Firestore/core/src/core/core_fwd.h"
+#include "Firestore/core/src/credentials/credentials_fwd.h"
 #include "Firestore/core/src/model/database_id.h"
 #include "Firestore/core/src/util/byte_stream.h"
 #include "Firestore/core/src/util/status_fwd.h"
@@ -32,10 +33,6 @@
 namespace firebase {
 namespace firestore {
 
-namespace credentials {
-class CredentialsProvider;
-}  // namespace credentials
-
 namespace remote {
 class FirebaseMetadataProvider;
 }  // namespace remote
@@ -53,14 +50,14 @@ class Firestore : public std::enable_shared_from_this<Firestore> {
  public:
   Firestore() = default;
 
-  Firestore(
-      model::DatabaseId database_id,
-      std::string persistence_key,
-      std::shared_ptr<credentials::CredentialsProvider> credentials_provider,
-      std::shared_ptr<util::AsyncQueue> worker_queue,
-      std::unique_ptr<remote::FirebaseMetadataProvider>
-          firebase_metadata_provider,
-      void* extension);
+  Firestore(model::DatabaseId database_id,
+            std::string persistence_key,
+            std::shared_ptr<credentials::AuthCredentialsProvider>
+                credentials_provider,
+            std::shared_ptr<util::AsyncQueue> worker_queue,
+            std::unique_ptr<remote::FirebaseMetadataProvider>
+                firebase_metadata_provider,
+            void* extension);
 
   ~Firestore();
 
@@ -119,7 +116,7 @@ class Firestore : public std::enable_shared_from_this<Firestore> {
   core::DatabaseInfo MakeDatabaseInfo() const;
 
   model::DatabaseId database_id_;
-  std::shared_ptr<credentials::CredentialsProvider> credentials_provider_;
+  std::shared_ptr<credentials::AuthCredentialsProvider> credentials_provider_;
   std::string persistence_key_;
 
   std::shared_ptr<util::Executor> user_executor_;

Firestore/core/src/core/firestore_client.cc

@@ -72,7 +72,7 @@ using api::QuerySnapshot;
 using api::QuerySnapshotListener;
 using api::Settings;
 using api::SnapshotMetadata;
-using credentials::CredentialsProvider;
+using credentials::AuthCredentialsProvider;
 using credentials::User;
 using firestore::Error;
 using local::LevelDbOpener;
@@ -106,7 +106,7 @@ static const size_t kMaxConcurrentLimboResolutions = 100;
 std::shared_ptr<FirestoreClient> FirestoreClient::Create(
     const DatabaseInfo& database_info,
     const api::Settings& settings,
-    std::shared_ptr<CredentialsProvider> credentials_provider,
+    std::shared_ptr<AuthCredentialsProvider> credentials_provider,
     std::shared_ptr<Executor> user_executor,
     std::shared_ptr<AsyncQueue> worker_queue,
     std::unique_ptr<FirebaseMetadataProvider> firebase_metadata_provider) {
@@ -152,7 +152,7 @@ std::shared_ptr<FirestoreClient> FirestoreClient::Create(
 
 FirestoreClient::FirestoreClient(
     const DatabaseInfo& database_info,
-    std::shared_ptr<CredentialsProvider> credentials_provider,
+    std::shared_ptr<AuthCredentialsProvider> credentials_provider,
     std::shared_ptr<Executor> user_executor,
     std::shared_ptr<AsyncQueue> worker_queue,
     std::unique_ptr<FirebaseMetadataProvider> firebase_metadata_provider)

Firestore/core/src/core/firestore_client.h

@@ -26,6 +26,7 @@
 #include "Firestore/core/src/bundle/bundle_serializer.h"
 #include "Firestore/core/src/core/core_fwd.h"
 #include "Firestore/core/src/core/database_info.h"
+#include "Firestore/core/src/credentials/credentials_fwd.h"
 #include "Firestore/core/src/model/database_id.h"
 #include "Firestore/core/src/util/async_queue.h"
 #include "Firestore/core/src/util/byte_stream.h"
@@ -38,11 +39,6 @@
 namespace firebase {
 namespace firestore {
 
-namespace credentials {
-class CredentialsProvider;
-class User;
-}  // namespace credentials
-
 namespace local {
 class LocalStore;
 class LruDelegate;
@@ -80,7 +76,8 @@ class FirestoreClient : public std::enable_shared_from_this<FirestoreClient> {
   static std::shared_ptr<FirestoreClient> Create(
       const DatabaseInfo& database_info,
       const api::Settings& settings,
-      std::shared_ptr<credentials::CredentialsProvider> credentials_provider,
+      std::shared_ptr<credentials::AuthCredentialsProvider>
+          credentials_provider,
       std::shared_ptr<util::Executor> user_executor,
       std::shared_ptr<util::AsyncQueue> worker_queue,
       std::unique_ptr<remote::FirebaseMetadataProvider>
@@ -188,13 +185,13 @@ class FirestoreClient : public std::enable_shared_from_this<FirestoreClient> {
   bool is_terminated() const;
 
  private:
-  FirestoreClient(
-      const DatabaseInfo& database_info,
-      std::shared_ptr<credentials::CredentialsProvider> credentials_provider,
-      std::shared_ptr<util::Executor> user_executor,
-      std::shared_ptr<util::AsyncQueue> worker_queue,
-      std::unique_ptr<remote::FirebaseMetadataProvider>
-          firebase_metadata_provider);
+  FirestoreClient(const DatabaseInfo& database_info,
+                  std::shared_ptr<credentials::AuthCredentialsProvider>
+                      credentials_provider,
+                  std::shared_ptr<util::Executor> user_executor,
+                  std::shared_ptr<util::AsyncQueue> worker_queue,
+                  std::unique_ptr<remote::FirebaseMetadataProvider>
+                      firebase_metadata_provider);
 
   void Initialize(const credentials::User& user, const api::Settings& settings);
 
@@ -205,7 +202,7 @@ class FirestoreClient : public std::enable_shared_from_this<FirestoreClient> {
   void ScheduleLruGarbageCollection();
 
   DatabaseInfo database_info_;
-  std::shared_ptr<credentials::CredentialsProvider> credentials_provider_;
+  std::shared_ptr<credentials::AuthCredentialsProvider> credentials_provider_;
   /**
    * Async queue responsible for all of our internal processing. When we get
    * incoming work from the user (via public API) or the network (incoming gRPC

Firestore/core/src/credentials/auth_token.cc

@@ -24,6 +24,9 @@ namespace firebase {
 namespace firestore {
 namespace credentials {
 
+AuthToken::AuthToken() : token_{}, user_{User::Unauthenticated()} {
+}
+
 AuthToken::AuthToken(std::string token, User user)
     : token_{std::move(token)}, user_{std::move(user)} {
 }
@@ -34,8 +37,7 @@ const std::string& AuthToken::token() const {
 }
 
 const AuthToken& AuthToken::Unauthenticated() {
-  static const AuthToken kUnauthenticatedToken(std::string{},
-                                               User::Unauthenticated());
+  static const AuthToken kUnauthenticatedToken{};
   return kUnauthenticatedToken;
 }
 

Firestore/core/src/credentials/auth_token.h

@@ -40,6 +40,8 @@ namespace credentials {
 // TODO(zxu123): Make this support token-type for desktop workflow.
 class AuthToken {
  public:
+  AuthToken();
+
   AuthToken(std::string token, User user);
 
   /** The actual raw token. */

Firestore/core/src/credentials/credentials_fwd.h

@@ -0,0 +1,48 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FIRESTORE_CORE_SRC_CREDENTIALS_CREDENTIALS_FWD_H_
+#define FIRESTORE_CORE_SRC_CREDENTIALS_CREDENTIALS_FWD_H_
+
+#include <string>
+
+namespace firebase {
+namespace firestore {
+namespace credentials {
+
+class AuthToken;
+
+template <class TokenType, class ValueType>
+class CredentialsProvider;
+
+template <class TokenType, class ValueType>
+class EmptyCredentialsProvider;
+
+class User;
+
+using AuthCredentialsProvider = CredentialsProvider<AuthToken, User>;
+using AppCheckCredentialsProvider =
+    CredentialsProvider<std::string, std::string>;
+
+using EmptyAuthCredentialsProvider = EmptyCredentialsProvider<AuthToken, User>;
+using EmptyAppCheckCredentialsProvider =
+    EmptyCredentialsProvider<std::string, std::string>;
+
+}  // namespace credentials
+}  // namespace firestore
+}  // namespace firebase
+
+#endif  // FIRESTORE_CORE_SRC_CREDENTIALS_CREDENTIALS_FWD_H_

Firestore/core/src/credentials/credentials_provider.h

@@ -31,22 +31,27 @@ namespace firestore {
 namespace credentials {
 
 // `TokenErrorListener` is a listener that gets a token or an error.
-using TokenListener = std::function<void(util::StatusOr<AuthToken>)>;
+template <class TokenType>
+using TokenListener = std::function<void(util::StatusOr<TokenType>)>;
 
 // Listener notified with a credential change.
-using CredentialChangeListener = std::function<void(User user)>;
+template <class ValueType>
+using CredentialChangeListener = std::function<void(ValueType)>;
 
 /**
- * Provides methods for getting and listening to authentication credentials.
+ * Provides methods for getting the uid and token for the current user and
+ * listen for changes.
  */
+template <class TokenType, class ValueType>
 class CredentialsProvider {
  public:
-  CredentialsProvider();
+  CredentialsProvider() : change_listener_(nullptr) {
+  }
 
-  virtual ~CredentialsProvider();
+  virtual ~CredentialsProvider() = default;
 
-  /** Requests the current token. */
-  virtual void GetToken(TokenListener completion) = 0;
+  /** Requests token for the current user. */
+  virtual void GetToken(TokenListener<TokenType> completion) = 0;
 
   /**
    * Marks the last retrieved token as invalid, making the next `GetToken`
@@ -57,22 +62,22 @@ class CredentialsProvider {
   /**
    * Sets the listener to be notified of credential changes (sign-in /
    * sign-out, token changes). It is immediately called once with the initial
-   * credential.
+   * user.
    *
    * Call with nullptr to remove previous listener.
    */
   virtual void SetCredentialChangeListener(
-      CredentialChangeListener change_listener) = 0;
+      CredentialChangeListener<ValueType> change_listener) = 0;
 
  protected:
   /**
    * A listener to be notified of credential changes (sign-in / sign-out, token
-   * changes). It is immediately called once with the initial credential.
+   * changes). It is immediately called once with the initial user.
    *
    * Note that this block will be called back on an arbitrary thread that is not
    * the normal Firestore worker thread.
    */
-  CredentialChangeListener change_listener_;
+  CredentialChangeListener<ValueType> change_listener_;
 };
 
 }  // namespace credentials

Firestore/core/src/credentials/empty_credentials_provider.cc

@@ -1,43 +0,0 @@
-/*
- * Copyright 2018 Google
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "Firestore/core/src/credentials/empty_credentials_provider.h"
-
-namespace firebase {
-namespace firestore {
-namespace credentials {
-
-void EmptyCredentialsProvider::GetToken(TokenListener completion) {
-  if (completion) {
-    // Unauthenticated token will force the GRPC fallback to use default
-    // settings.
-    completion(AuthToken::Unauthenticated());
-  }
-}
-
-void EmptyCredentialsProvider::SetCredentialChangeListener(
-    CredentialChangeListener change_listener) {
-  if (change_listener) {
-    change_listener(User::Unauthenticated());
-  }
-}
-
-void EmptyCredentialsProvider::InvalidateToken() {
-}
-
-}  // namespace credentials
-}  // namespace firestore
-}  // namespace firebase

Firestore/core/src/credentials/empty_credentials_provider.h

@@ -24,12 +24,27 @@ namespace firestore {
 namespace credentials {
 
 /** `EmptyCredentialsProvider` always yields an empty token. */
-class EmptyCredentialsProvider : public CredentialsProvider {
+template <class TokenType, class ValueType>
+class EmptyCredentialsProvider
+    : public CredentialsProvider<TokenType, ValueType> {
  public:
-  void GetToken(TokenListener completion) override;
-  void InvalidateToken() override;
+  void GetToken(TokenListener<TokenType> completion) override {
+    if (completion) {
+      // Unauthenticated token will force the GRPC fallback to use default
+      // settings.
+      completion(TokenType{});
+    }
+  }
+
+  void InvalidateToken() override {
+  }
+
   void SetCredentialChangeListener(
-      CredentialChangeListener change_listener) override;
+      CredentialChangeListener<ValueType> change_listener) override {
+    if (change_listener) {
+      change_listener(ValueType{});
+    }
+  }
 };
 
 }  // namespace credentials

Firestore/core/src/credentials/firebase_app_check_credentials_provider_apple.h

@@ -0,0 +1,56 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FIRESTORE_CORE_SRC_CREDENTIALS_FIREBASE_APP_CHECK_CREDENTIALS_PROVIDER_APPLE_H_
+#define FIRESTORE_CORE_SRC_CREDENTIALS_FIREBASE_APP_CHECK_CREDENTIALS_PROVIDER_APPLE_H_
+
+#if !defined(__OBJC__)
+#error "This header only supports Objective-C++."
+#endif  // !defined(__OBJC__)
+
+#import <Foundation/Foundation.h>
+
+#include <memory>
+#include <mutex>  // NOLINT(build/c++11)
+#include <string>
+#include <utility>
+
+#include "Firestore/core/src/credentials/credentials_provider.h"
+
+namespace firebase {
+namespace firestore {
+namespace credentials {
+
+class FirebaseAppCheckCredentialsProvider
+    : public CredentialsProvider<std::string, std::string> {
+ public:
+  FirebaseAppCheckCredentialsProvider();
+
+  ~FirebaseAppCheckCredentialsProvider() override;
+
+  void GetToken(TokenListener<std::string> completion) override;
+
+  void SetCredentialChangeListener(
+      CredentialChangeListener<std::string> change_listener) override;
+
+  void InvalidateToken() override;
+};
+
+}  // namespace credentials
+}  // namespace firestore
+}  // namespace firebase
+
+#endif  // FIRESTORE_CORE_SRC_CREDENTIALS_FIREBASE_APP_CHECK_CREDENTIALS_PROVIDER_APPLE_H_

Firestore/core/src/credentials/credentials_provider.cc → Firestore/core/src/credentials/firebase_app_check_credentials_provider_apple.mm

@@ -1,5 +1,5 @@
 /*
- * Copyright 2018 Google
+ * Copyright 2021 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,16 +14,27 @@
  * limitations under the License.
  */
 
-#include "Firestore/core/src/credentials/credentials_provider.h"
+#include "Firestore/core/src/credentials/firebase_app_check_credentials_provider_apple.h"
 
 namespace firebase {
 namespace firestore {
 namespace credentials {
 
-CredentialsProvider::CredentialsProvider() : change_listener_(nullptr) {
+FirebaseAppCheckCredentialsProvider::FirebaseAppCheckCredentialsProvider() {
 }
 
-CredentialsProvider::~CredentialsProvider() = default;
+FirebaseAppCheckCredentialsProvider::~FirebaseAppCheckCredentialsProvider() {
+}
+
+void FirebaseAppCheckCredentialsProvider::GetToken(TokenListener<std::string>) {
+}
+
+void FirebaseAppCheckCredentialsProvider::InvalidateToken() {
+}
+
+void FirebaseAppCheckCredentialsProvider::SetCredentialChangeListener(
+    CredentialChangeListener<std::string>) {
+}
 
 }  // namespace credentials
 }  // namespace firestore

Firestore/core/src/credentials/firebase_credentials_provider_apple.h → Firestore/core/src/credentials/firebase_auth_credentials_provider_apple.h

@@ -14,8 +14,8 @@
  * limitations under the License.
  */
 
-#ifndef FIRESTORE_CORE_SRC_CREDENTIALS_FIREBASE_CREDENTIALS_PROVIDER_APPLE_H_
-#define FIRESTORE_CORE_SRC_CREDENTIALS_FIREBASE_CREDENTIALS_PROVIDER_APPLE_H_
+#ifndef FIRESTORE_CORE_SRC_CREDENTIALS_FIREBASE_AUTH_CREDENTIALS_PROVIDER_APPLE_H_
+#define FIRESTORE_CORE_SRC_CREDENTIALS_FIREBASE_AUTH_CREDENTIALS_PROVIDER_APPLE_H_
 
 #if !defined(__OBJC__)
 #error "This header only supports Objective-C++."
@@ -52,7 +52,8 @@ namespace credentials {
  *
  * For non-Apple desktop build, this is right now just a stub.
  */
-class FirebaseCredentialsProvider : public CredentialsProvider {
+class FirebaseAuthCredentialsProvider
+    : public CredentialsProvider<AuthToken, User> {
  public:
   // TODO(zxu123): Provide a ctor to accept the C++ Firebase Games App, which
   // deals all platforms. Right now, only works for FIRApp*.
@@ -63,14 +64,15 @@ class FirebaseCredentialsProvider : public CredentialsProvider {
    *            received.
    * @param auth The auth instance from which to get credentials.
    */
-  explicit FirebaseCredentialsProvider(FIRApp* app, id<FIRAuthInterop> auth);
+  explicit FirebaseAuthCredentialsProvider(FIRApp* app,
+                                           id<FIRAuthInterop> auth);
 
-  ~FirebaseCredentialsProvider() override;
+  ~FirebaseAuthCredentialsProvider() override;
 
-  void GetToken(TokenListener completion) override;
+  void GetToken(TokenListener<AuthToken> completion) override;
 
   void SetCredentialChangeListener(
-      CredentialChangeListener change_listener) override;
+      CredentialChangeListener<User> change_listener) override;
 
   void InvalidateToken() override;
 
@@ -119,4 +121,4 @@ class FirebaseCredentialsProvider : public CredentialsProvider {
 }  // namespace firestore
 }  // namespace firebase
 
-#endif  // FIRESTORE_CORE_SRC_CREDENTIALS_FIREBASE_CREDENTIALS_PROVIDER_APPLE_H_
+#endif  // FIRESTORE_CORE_SRC_CREDENTIALS_FIREBASE_AUTH_CREDENTIALS_PROVIDER_APPLE_H_

Firestore/core/src/credentials/firebase_credentials_provider_apple.mm → Firestore/core/src/credentials/firebase_auth_credentials_provider_apple.mm

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-#include "Firestore/core/src/credentials/firebase_credentials_provider_apple.h"
+#include "Firestore/core/src/credentials/firebase_auth_credentials_provider_apple.h"
 
 #import "FirebaseCore/Sources/Private/FirebaseCoreInternal.h"
 #import "Interop/Auth/Public/FIRAuthInterop.h"
@@ -28,7 +28,7 @@ namespace firebase {
 namespace firestore {
 namespace credentials {
 
-FirebaseCredentialsProvider::FirebaseCredentialsProvider(
+FirebaseAuthCredentialsProvider::FirebaseAuthCredentialsProvider(
     FIRApp* app, id<FIRAuthInterop> auth) {
   contents_ =
       std::make_shared<Contents>(app, auth, User::FromUid([auth getUserID]));
@@ -58,14 +58,14 @@ FirebaseCredentialsProvider::FirebaseCredentialsProvider(
                     user_info[FIRAuthStateDidChangeInternalNotificationUIDKey];
                 contents->current_user = User::FromUid(user_id);
                 contents->token_counter++;
-                CredentialChangeListener listener = change_listener_;
+                CredentialChangeListener<User> listener = change_listener_;
                 if (listener) {
                   listener(contents->current_user);
                 }
               }];
 }
 
-FirebaseCredentialsProvider::~FirebaseCredentialsProvider() {
+FirebaseAuthCredentialsProvider::~FirebaseAuthCredentialsProvider() {
   if (auth_listener_handle_) {
     // Even though iOS 9 (and later) and macOS 10.11 (and later) keep a weak
     // reference to the observer so we could avoid this removeObserver call, we
@@ -74,7 +74,8 @@ FirebaseCredentialsProvider::~FirebaseCredentialsProvider() {
   }
 }
 
-void FirebaseCredentialsProvider::GetToken(TokenListener completion) {
+void FirebaseAuthCredentialsProvider::GetToken(
+    TokenListener<AuthToken> completion) {
   HARD_ASSERT(auth_listener_handle_,
               "GetToken cannot be called after listener removed.");
 
@@ -128,12 +129,12 @@ void FirebaseCredentialsProvider::GetToken(TokenListener completion) {
   contents_->force_refresh = false;
 }
 
-void FirebaseCredentialsProvider::InvalidateToken() {
+void FirebaseAuthCredentialsProvider::InvalidateToken() {
   contents_->force_refresh = true;
 }
 
-void FirebaseCredentialsProvider::SetCredentialChangeListener(
-    CredentialChangeListener change_listener) {
+void FirebaseAuthCredentialsProvider::SetCredentialChangeListener(
+    CredentialChangeListener<User> change_listener) {
   std::unique_lock<std::mutex> lock(contents_->mutex);
   if (change_listener) {
     HARD_ASSERT(!change_listener_, "set change_listener twice!");

Firestore/core/src/remote/datastore.cc

@@ -50,8 +50,8 @@ namespace remote {
 namespace {
 
 using core::DatabaseInfo;
+using credentials::AuthCredentialsProvider;
 using credentials::AuthToken;
-using credentials::CredentialsProvider;
 using model::DocumentKey;
 using model::Mutation;
 using util::AsyncQueue;
@@ -91,7 +91,7 @@ void LogGrpcCallFinished(absl::string_view rpc_name,
 
 Datastore::Datastore(const DatabaseInfo& database_info,
                      const std::shared_ptr<AsyncQueue>& worker_queue,
-                     std::shared_ptr<CredentialsProvider> credentials,
+                     std::shared_ptr<AuthCredentialsProvider> credentials,
                      ConnectivityMonitor* connectivity_monitor,
                      FirebaseMetadataProvider* firebase_metadata_provider)
     : worker_queue_{NOT_NULL(worker_queue)},

Firestore/core/src/remote/datastore.h

@@ -73,7 +73,7 @@ class Datastore : public std::enable_shared_from_this<Datastore> {
 
   Datastore(const core::DatabaseInfo& database_info,
             const std::shared_ptr<util::AsyncQueue>& worker_queue,
-            std::shared_ptr<credentials::CredentialsProvider> credentials,
+            std::shared_ptr<credentials::AuthCredentialsProvider> credentials,
             ConnectivityMonitor* connectivity_monitor,
             FirebaseMetadataProvider* firebase_metadata_provider);
 
@@ -180,7 +180,7 @@ class Datastore : public std::enable_shared_from_this<Datastore> {
   bool is_shut_down_ = false;
 
   std::shared_ptr<util::AsyncQueue> worker_queue_;
-  std::shared_ptr<credentials::CredentialsProvider> credentials_;
+  std::shared_ptr<credentials::AuthCredentialsProvider> credentials_;
 
   // A separate executor dedicated to polling gRPC completion queue (which is
   // shared for all spawned gRPC streams and calls).

Firestore/core/src/remote/stream.cc

@@ -34,6 +34,7 @@ namespace {
 
 using credentials::AuthToken;
 using credentials::CredentialsProvider;
+using credentials::User;
 using util::AsyncQueue;
 using util::LogIsDebugEnabled;
 using util::Status;
@@ -41,6 +42,8 @@ using util::StatusOr;
 using util::StringFormat;
 using util::TimerId;
 
+using AuthCredentialsProvider = CredentialsProvider<AuthToken, User>;
+
 /**
  * Initial backoff time after an error.
  * Set to 1s according to https://cloud.google.com/apis/design/errors.
@@ -54,7 +57,7 @@ const AsyncQueue::Milliseconds kIdleTimeout{std::chrono::seconds(60)};
 }  // namespace
 
 Stream::Stream(const std::shared_ptr<AsyncQueue>& worker_queue,
-               std::shared_ptr<CredentialsProvider> credentials_provider,
+               std::shared_ptr<AuthCredentialsProvider> credentials_provider,
                GrpcConnection* grpc_connection,
                TimerId backoff_timer_id,
                TimerId idle_timer_id)

Firestore/core/src/remote/stream.h

@@ -21,6 +21,7 @@
 #include <string>
 
 #include "Firestore/core/src/credentials/auth_token.h"
+#include "Firestore/core/src/credentials/credentials_fwd.h"
 #include "Firestore/core/src/credentials/credentials_provider.h"
 #include "Firestore/core/src/remote/exponential_backoff.h"
 #include "Firestore/core/src/remote/grpc_completion.h"
@@ -119,7 +120,8 @@ class Stream : public GrpcStreamObserver,
   };
 
   Stream(const std::shared_ptr<util::AsyncQueue>& worker_queue,
-         std::shared_ptr<credentials::CredentialsProvider> credentials_provider,
+         std::shared_ptr<credentials::AuthCredentialsProvider>
+             credentials_provider,
          GrpcConnection* grpc_connection,
          util::TimerId backoff_timer_id,
          util::TimerId idle_timer_id);
@@ -226,7 +228,7 @@ class Stream : public GrpcStreamObserver,
 
   std::unique_ptr<GrpcStream> grpc_stream_;
 
-  std::shared_ptr<credentials::CredentialsProvider> credentials_provider_;
+  std::shared_ptr<credentials::AuthCredentialsProvider> credentials_provider_;
   std::shared_ptr<util::AsyncQueue> worker_queue_;
   GrpcConnection* grpc_connection_ = nullptr;
 

Firestore/core/src/remote/watch_stream.cc

@@ -30,8 +30,8 @@ namespace firebase {
 namespace firestore {
 namespace remote {
 
+using credentials::AuthCredentialsProvider;
 using credentials::AuthToken;
-using credentials::CredentialsProvider;
 using local::TargetData;
 using model::TargetId;
 using remote::ByteBufferReader;
@@ -41,7 +41,7 @@ using util::TimerId;
 
 WatchStream::WatchStream(
     const std::shared_ptr<AsyncQueue>& async_queue,
-    std::shared_ptr<CredentialsProvider> credentials_provider,
+    std::shared_ptr<AuthCredentialsProvider> credentials_provider,
     Serializer serializer,
     GrpcConnection* grpc_connection,
     WatchStreamCallback* callback)

Firestore/core/src/remote/watch_stream.h

@@ -83,12 +83,12 @@ class WatchStreamCallback {
  */
 class WatchStream : public Stream {
  public:
-  WatchStream(
-      const std::shared_ptr<util::AsyncQueue>& async_queue,
-      std::shared_ptr<credentials::CredentialsProvider> credentials_provider,
-      Serializer serializer,
-      GrpcConnection* grpc_connection,
-      WatchStreamCallback* callback);
+  WatchStream(const std::shared_ptr<util::AsyncQueue>& async_queue,
+              std::shared_ptr<credentials::AuthCredentialsProvider>
+                  credentials_provider,
+              Serializer serializer,
+              GrpcConnection* grpc_connection,
+              WatchStreamCallback* callback);
 
   /**
    * Registers interest in the results of the given query. If the query includes

Firestore/core/src/remote/write_stream.cc

@@ -30,8 +30,8 @@ namespace firebase {
 namespace firestore {
 namespace remote {
 
+using credentials::AuthCredentialsProvider;
 using credentials::AuthToken;
-using credentials::CredentialsProvider;
 using model::Mutation;
 using nanopb::ByteString;
 using nanopb::Message;
@@ -42,7 +42,7 @@ using util::TimerId;
 
 WriteStream::WriteStream(
     const std::shared_ptr<AsyncQueue>& async_queue,
-    std::shared_ptr<CredentialsProvider> credentials_provider,
+    std::shared_ptr<AuthCredentialsProvider> credentials_provider,
     Serializer serializer,
     GrpcConnection* grpc_connection,
     WriteStreamCallback* callback)

Firestore/core/src/remote/write_stream.h

@@ -92,12 +92,12 @@ class WriteStreamCallback {
  */
 class WriteStream : public Stream {
  public:
-  WriteStream(
-      const std::shared_ptr<util::AsyncQueue>& async_queue,
-      std::shared_ptr<credentials::CredentialsProvider> credentials_provider,
-      Serializer serializer,
-      GrpcConnection* grpc_connection,
-      WriteStreamCallback* callback);
+  WriteStream(const std::shared_ptr<util::AsyncQueue>& async_queue,
+              std::shared_ptr<credentials::AuthCredentialsProvider>
+                  credentials_provider,
+              Serializer serializer,
+              GrpcConnection* grpc_connection,
+              WriteStreamCallback* callback);
 
   void set_last_stream_token(nanopb::ByteString token);
   /**

Firestore/core/test/unit/credentials/credentials_provider_test.cc

@@ -26,9 +26,8 @@ namespace credentials {
 #define UNUSED(x) (void)(x)
 
 TEST(CredentialsProvider, Typedef) {
-  TokenListener token_listener = [](util::StatusOr<AuthToken> token) {
-    UNUSED(token);
-  };
+  TokenListener<AuthToken> token_listener =
+      [](util::StatusOr<AuthToken> token) { UNUSED(token); };
   EXPECT_NE(nullptr, token_listener);
   EXPECT_TRUE(token_listener);
 
@@ -36,7 +35,7 @@ TEST(CredentialsProvider, Typedef) {
   EXPECT_EQ(nullptr, token_listener);
   EXPECT_FALSE(token_listener);
 
-  CredentialChangeListener user_change_listener = [](User user) {
+  CredentialChangeListener<User> user_change_listener = [](User user) {
     UNUSED(user);
   };
   EXPECT_NE(nullptr, user_change_listener);

Firestore/core/test/unit/credentials/empty_credentials_provider_test.cc

@@ -15,6 +15,7 @@
  */
 
 #include "Firestore/core/src/credentials/empty_credentials_provider.h"
+#include "Firestore/core/src/credentials/credentials_fwd.h"
 
 #include "Firestore/core/src/util/statusor.h"
 #include "gtest/gtest.h"
@@ -23,8 +24,8 @@ namespace firebase {
 namespace firestore {
 namespace credentials {
 
-TEST(EmptyCredentialsProvider, GetToken) {
-  EmptyCredentialsProvider credentials_provider;
+TEST(EmptyAuthCredentialsProvider, GetToken) {
+  EmptyAuthCredentialsProvider credentials_provider;
   credentials_provider.GetToken([](util::StatusOr<AuthToken> result) {
     EXPECT_TRUE(result.ok());
     const AuthToken& token = result.ValueOrDie();
@@ -35,8 +36,8 @@ TEST(EmptyCredentialsProvider, GetToken) {
   });
 }
 
-TEST(EmptyCredentialsProvider, SetListener) {
-  EmptyCredentialsProvider credentials_provider;
+TEST(EmptyAuthCredentialsProvider, SetListener) {
+  EmptyAuthCredentialsProvider credentials_provider;
   credentials_provider.SetCredentialChangeListener([](User user) {
     EXPECT_EQ("", user.uid());
     EXPECT_FALSE(user.is_authenticated());
@@ -46,7 +47,7 @@ TEST(EmptyCredentialsProvider, SetListener) {
 }
 
 TEST(EmptyCredentialsProvider, InvalidateToken) {
-  EmptyCredentialsProvider credentials_provider;
+  EmptyAuthCredentialsProvider credentials_provider;
   credentials_provider.InvalidateToken();
   credentials_provider.GetToken(
       [](util::StatusOr<AuthToken> result) { EXPECT_TRUE(result.ok()); });

Firestore/core/test/unit/credentials/firebase_credentials_provider_test.mm

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-#include "Firestore/core/src/credentials/firebase_credentials_provider_apple.h"
+#include "Firestore/core/src/credentials/firebase_auth_credentials_provider_apple.h"
 
 #include <chrono>  // NOLINT(build/c++11)
 #include <future>  // NOLINT(build/c++11)
@@ -76,7 +76,7 @@ TEST(FirebaseCredentialsProviderTest, GetTokenNoProvider) {
   auto token_promise = std::make_shared<std::promise<AuthToken>>();
 
   FIRApp* app = testutil::AppForUnitTesting();
-  FirebaseCredentialsProvider credentials_provider(app, nil);
+  FirebaseAuthCredentialsProvider credentials_provider(app, nil);
   credentials_provider.GetToken(
       [token_promise](util::StatusOr<AuthToken> result) {
         EXPECT_TRUE(result.ok());
@@ -100,7 +100,7 @@ TEST(FirebaseCredentialsProviderTest, GetTokenNoProvider) {
 TEST(FirebaseCredentialsProviderTest, GetTokenUnauthenticated) {
   FIRApp* app = testutil::AppForUnitTesting();
   FSTAuthFake* auth = [[FSTAuthFake alloc] initWithToken:nil uid:nil];
-  FirebaseCredentialsProvider credentials_provider(app, auth);
+  FirebaseAuthCredentialsProvider credentials_provider(app, auth);
   credentials_provider.GetToken([](util::StatusOr<AuthToken> result) {
     EXPECT_TRUE(result.ok());
     const AuthToken& token = result.ValueOrDie();
@@ -115,7 +115,7 @@ TEST(FirebaseCredentialsProviderTest, GetToken) {
   FIRApp* app = testutil::AppForUnitTesting();
   FSTAuthFake* auth = [[FSTAuthFake alloc] initWithToken:@"token for fake uid"
                                                      uid:@"fake uid"];
-  FirebaseCredentialsProvider credentials_provider(app, auth);
+  FirebaseAuthCredentialsProvider credentials_provider(app, auth);
   credentials_provider.GetToken([](util::StatusOr<AuthToken> result) {
     EXPECT_TRUE(result.ok());
     const AuthToken& token = result.ValueOrDie();
@@ -130,7 +130,7 @@ TEST(FirebaseCredentialsProviderTest, SetListener) {
   FIRApp* app = testutil::AppForUnitTesting();
   FSTAuthFake* auth = [[FSTAuthFake alloc] initWithToken:@"default token"
                                                      uid:@"fake uid"];
-  FirebaseCredentialsProvider credentials_provider(app, auth);
+  FirebaseAuthCredentialsProvider credentials_provider(app, auth);
   credentials_provider.SetCredentialChangeListener([](User user) {
     EXPECT_EQ("fake uid", user.uid());
     EXPECT_TRUE(user.is_authenticated());
@@ -143,7 +143,7 @@ TEST(FirebaseCredentialsProviderTest, InvalidateToken) {
   FIRApp* app = testutil::AppForUnitTesting();
   FSTAuthFake* auth = [[FSTAuthFake alloc] initWithToken:@"token for fake uid"
                                                      uid:@"fake uid"];
-  FirebaseCredentialsProvider credentials_provider(app, auth);
+  FirebaseAuthCredentialsProvider credentials_provider(app, auth);
   credentials_provider.InvalidateToken();
   credentials_provider.GetToken([&auth](util::StatusOr<AuthToken> result) {
     EXPECT_TRUE(result.ok());

Firestore/core/test/unit/remote/datastore_test.cc

@@ -36,7 +36,7 @@
 #include "Firestore/core/src/util/statusor.h"
 #include "Firestore/core/src/util/string_apple.h"
 #include "Firestore/core/test/unit/remote/create_noop_connectivity_monitor.h"
-#include "Firestore/core/test/unit/remote/fake_credentials_provider.h"
+#include "Firestore/core/test/unit/remote/fake_auth_credentials_provider.h"
 #include "Firestore/core/test/unit/remote/grpc_stream_tester.h"
 #include "Firestore/core/test/unit/testutil/async_testing.h"
 #include "Firestore/core/test/unit/testutil/testutil.h"
@@ -52,7 +52,7 @@ namespace remote {
 namespace {
 
 using core::DatabaseInfo;
-using credentials::CredentialsProvider;
+using credentials::AuthCredentialsProvider;
 using model::DatabaseId;
 using model::Document;
 using nanopb::MakeArray;
@@ -106,7 +106,7 @@ class FakeDatastore : public Datastore {
 std::shared_ptr<FakeDatastore> CreateDatastore(
     const DatabaseInfo& database_info,
     const std::shared_ptr<AsyncQueue>& worker_queue,
-    std::shared_ptr<CredentialsProvider> credentials,
+    std::shared_ptr<AuthCredentialsProvider> credentials,
     ConnectivityMonitor* connectivity_monitor,
     FirebaseMetadataProvider* firebase_metadata_provider) {
   return std::make_shared<FakeDatastore>(database_info, worker_queue,
@@ -162,8 +162,8 @@ class DatastoreTest : public testing::Test {
 
   bool is_shut_down = false;
   DatabaseInfo database_info;
-  std::shared_ptr<FakeCredentialsProvider> credentials =
-      std::make_shared<FakeCredentialsProvider>();
+  std::shared_ptr<FakeAuthCredentialsProvider> credentials =
+      std::make_shared<FakeAuthCredentialsProvider>();
 
   std::shared_ptr<AsyncQueue> worker_queue;
   std::unique_ptr<ConnectivityMonitor> connectivity_monitor;

Firestore/core/test/unit/remote/fake_credentials_provider.cc → Firestore/core/test/unit/remote/fake_auth_credentials_provider.cc

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-#include "Firestore/core/test/unit/remote/fake_credentials_provider.h"
+#include "Firestore/core/test/unit/remote/fake_auth_credentials_provider.h"
 
 #include <utility>
 
@@ -26,10 +26,11 @@ namespace firebase {
 namespace firestore {
 namespace remote {
 
-using credentials::EmptyCredentialsProvider;
+using credentials::EmptyAuthCredentialsProvider;
 using credentials::TokenListener;
 
-void FakeCredentialsProvider::GetToken(TokenListener completion) {
+void FakeAuthCredentialsProvider::GetToken(
+    TokenListener<credentials::AuthToken> completion) {
   observed_states_.push_back("GetToken");
 
   if (delay_get_token_) {
@@ -43,25 +44,25 @@ void FakeCredentialsProvider::GetToken(TokenListener completion) {
       completion(util::Status{Error::kErrorUnknown, ""});
     }
   } else {
-    EmptyCredentialsProvider::GetToken(std::move(completion));
+    EmptyAuthCredentialsProvider::GetToken(std::move(completion));
   }
 }
 
-void FakeCredentialsProvider::InvalidateToken() {
+void FakeAuthCredentialsProvider::InvalidateToken() {
   observed_states_.push_back("InvalidateToken");
-  EmptyCredentialsProvider::InvalidateToken();
+  EmptyAuthCredentialsProvider::InvalidateToken();
 }
 
-void FakeCredentialsProvider::DelayGetToken() {
+void FakeAuthCredentialsProvider::DelayGetToken() {
   delay_get_token_ = true;
 }
 
-void FakeCredentialsProvider::InvokeGetToken() {
+void FakeAuthCredentialsProvider::InvokeGetToken() {
   delay_get_token_ = false;
-  EmptyCredentialsProvider::GetToken(std::move(delayed_token_listener_));
+  EmptyAuthCredentialsProvider::GetToken(std::move(delayed_token_listener_));
 }
 
-void FakeCredentialsProvider::FailGetToken() {
+void FakeAuthCredentialsProvider::FailGetToken() {
   fail_get_token_ = true;
 }
 

Firestore/core/test/unit/remote/fake_credentials_provider.h → Firestore/core/test/unit/remote/fake_auth_credentials_provider.h

@@ -14,21 +14,25 @@
  * limitations under the License.
  */
 
-#ifndef FIRESTORE_CORE_TEST_UNIT_REMOTE_FAKE_CREDENTIALS_PROVIDER_H_
-#define FIRESTORE_CORE_TEST_UNIT_REMOTE_FAKE_CREDENTIALS_PROVIDER_H_
+#ifndef FIRESTORE_CORE_TEST_UNIT_REMOTE_FAKE_AUTH_CREDENTIALS_PROVIDER_H_
+#define FIRESTORE_CORE_TEST_UNIT_REMOTE_FAKE_AUTH_CREDENTIALS_PROVIDER_H_
 
 #include <string>
 #include <vector>
 
+#include "Firestore/core/src/credentials/credentials_fwd.h"
 #include "Firestore/core/src/credentials/empty_credentials_provider.h"
 
 namespace firebase {
 namespace firestore {
 namespace remote {
 
-class FakeCredentialsProvider : public credentials::EmptyCredentialsProvider {
+class FakeAuthCredentialsProvider
+    : public credentials::EmptyCredentialsProvider<credentials::AuthToken,
+                                                   credentials::User> {
  public:
-  void GetToken(credentials::TokenListener completion) override;
+  void GetToken(
+      credentials::TokenListener<credentials::AuthToken> completion) override;
   void InvalidateToken() override;
 
   // `GetToken` will not invoke the completion immediately -- invoke it manually
@@ -47,11 +51,11 @@ class FakeCredentialsProvider : public credentials::EmptyCredentialsProvider {
   std::vector<std::string> observed_states_;
   bool fail_get_token_ = false;
   bool delay_get_token_ = false;
-  credentials::TokenListener delayed_token_listener_;
+  credentials::TokenListener<credentials::AuthToken> delayed_token_listener_;
 };
 
 }  // namespace remote
 }  // namespace firestore
 }  // namespace firebase
 
-#endif  // FIRESTORE_CORE_TEST_UNIT_REMOTE_FAKE_CREDENTIALS_PROVIDER_H_
+#endif  // FIRESTORE_CORE_TEST_UNIT_REMOTE_FAKE_AUTH_CREDENTIALS_PROVIDER_H_

Firestore/core/test/unit/remote/stream_test.cc

@@ -28,7 +28,7 @@
 #include "Firestore/core/src/remote/grpc_stream.h"
 #include "Firestore/core/src/util/async_queue.h"
 #include "Firestore/core/test/unit/remote/create_noop_connectivity_monitor.h"
-#include "Firestore/core/test/unit/remote/fake_credentials_provider.h"
+#include "Firestore/core/test/unit/remote/fake_auth_credentials_provider.h"
 #include "Firestore/core/test/unit/remote/grpc_stream_tester.h"
 #include "Firestore/core/test/unit/testutil/async_testing.h"
 #include "absl/memory/memory.h"
@@ -45,8 +45,8 @@ namespace firestore {
 namespace remote {
 namespace {
 
+using credentials::AuthCredentialsProvider;
 using credentials::AuthToken;
-using credentials::CredentialsProvider;
 using util::AsyncQueue;
 using util::StringFormat;
 using util::TimerId;
@@ -60,7 +60,7 @@ class TestStream : public Stream {
  public:
   TestStream(const std::shared_ptr<AsyncQueue>& worker_queue,
              GrpcStreamTester* tester,
-             std::shared_ptr<CredentialsProvider> credentials_provider)
+             std::shared_ptr<AuthCredentialsProvider> credentials_provider)
       : Stream{worker_queue, credentials_provider,
                /*GrpcConnection=*/nullptr, kBackoffTimerId, kIdleTimerId},
         tester_{tester} {
@@ -140,7 +140,7 @@ class StreamTest : public testing::Test {
       : worker_queue{testutil::AsyncQueueForTesting()},
         connectivity_monitor{CreateNoOpConnectivityMonitor()},
         tester{worker_queue, connectivity_monitor.get()},
-        credentials{std::make_shared<FakeCredentialsProvider>()},
+        credentials{std::make_shared<FakeAuthCredentialsProvider>()},
         firestore_stream{
             std::make_shared<TestStream>(worker_queue, &tester, credentials)} {
   }
@@ -186,7 +186,7 @@ class StreamTest : public testing::Test {
   std::unique_ptr<ConnectivityMonitor> connectivity_monitor;
   GrpcStreamTester tester;
 
-  std::shared_ptr<FakeCredentialsProvider> credentials;
+  std::shared_ptr<FakeAuthCredentialsProvider> credentials;
   std::shared_ptr<TestStream> firestore_stream;
 };
 

scripts/health_metrics/code_coverage_file_list.json

@@ -7,6 +7,13 @@
       "\\.github/workflows/abtesting\\.yml"
     ]
   },
+  {
+    "sdk": "appcheck",
+    "filePatterns": [
+      "^FirebaseAppCheck.*",
+      "\\.github/workflows/app_check\\.yml"
+    ]
+  },
   {
     "sdk": "auth",
     "filePatterns": [
@@ -36,6 +43,7 @@
     "sdk": "firestore",
     "filePatterns": [
       "^Firestore/.*",
+      "FirebaseAppCheck/Sources/Interop/[^/]+\\.h",
       "Interop/Auth/Public/[^/]+\\.h",
       "FirebaseCore/Sources/Private",
       "FirebaseCore/Sources/Public",