From c77608e173685d2c882a9515bae6e5699b91d54f Mon Sep 17 00:00:00 2001
From: Jonathan Edey <145066863+jonathanedey@users.noreply.github.com>
Date: Wed, 15 Nov 2023 15:19:58 -0500
Subject: [PATCH] fix: Add `PyJWKClientError` to raised errors documentation
 and handle possible uncaught errors. (#733)

* fix: Add PyJWKClientError to raised error documentaion and handle possible uncaught errors

* fix: grammar
---
 firebase_admin/app_check.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/firebase_admin/app_check.py b/firebase_admin/app_check.py
index 91b0c4c31..6bc10b2f4 100644
--- a/firebase_admin/app_check.py
+++ b/firebase_admin/app_check.py
@@ -16,7 +16,7 @@
 
 from typing import Any, Dict
 import jwt
-from jwt import PyJWKClient, ExpiredSignatureError, InvalidTokenError
+from jwt import PyJWKClient, ExpiredSignatureError, InvalidTokenError, DecodeError
 from jwt import InvalidAudienceError, InvalidIssuerError, InvalidSignatureError
 from firebase_admin import _utils
 
@@ -38,6 +38,7 @@ def verify_token(token: str, app=None) -> Dict[str, Any]:
     Raises:
         ValueError: If the app's ``project_id`` is invalid or unspecified,
         or if the token's headers or payload are invalid.
+        PyJWKClientError: If PyJWKClient fails to fetch a valid signing key.
     """
     return _get_app_check_service(app).verify_token(token)
 
@@ -71,9 +72,14 @@ def verify_token(self, token: str) -> Dict[str, Any]:
         # Obtain the Firebase App Check Public Keys
         # Note: It is not recommended to hard code these keys as they rotate,
         # but you should cache them for up to 6 hours.
-        signing_key = self._jwks_client.get_signing_key_from_jwt(token)
-        self._has_valid_token_headers(jwt.get_unverified_header(token))
-        verified_claims = self._decode_and_verify(token, signing_key.key)
+        try:
+            signing_key = self._jwks_client.get_signing_key_from_jwt(token)
+            self._has_valid_token_headers(jwt.get_unverified_header(token))
+            verified_claims = self._decode_and_verify(token, signing_key.key)
+        except (InvalidTokenError, DecodeError) as exception:
+            raise ValueError(
+                f'Verifying App Check token failed. Error: {exception}'
+                )
 
         verified_claims['app_id'] = verified_claims.get('sub')
         return verified_claims