firebase-admin-sdk 0.1.0

data/lib/firebase/admin/auth/error.rb

@@ -0,0 +1,23 @@
+module Firebase
+  module Admin
+    module Auth
+      # A base class for errors raised by the admin sdk auth client.
+      class Error < Firebase::Admin::Error; end
+
+      # Raised when a request for certificates fails.
+      class CertificateRequestError < Error; end
+
+      # Raised when certificate is invalid.
+      class InvalidCertificateError < Error; end
+
+      # Raised when id token verification fails.
+      class InvalidTokenError < Error; end
+
+      # Raised when id token verification fails because the token is expired.
+      class ExpiredTokenError < Error; end
+
+      # Raised when a user cannot be created.
+      class CreateUserError < Error; end
+    end
+  end
+end

data/lib/firebase/admin/auth/token_verifier.rb

@@ -0,0 +1,114 @@
+require "jwt"
+require "openssl/x509"
+
+module Firebase
+  module Admin
+    module Auth
+      # Base class for verifying Firebase JWTs.
+      class JWTVerifier
+        # Initializes a new verifier.
+        #
+        # @param [Firebase::Admin::App] app
+        #   The Firebase app to verify tokens for.
+        # @param [String] certificates_url
+        #   The url to load public key certificates used during token verification.
+        def initialize(app, certificates_url)
+          @project_id = app.project_id
+          @certificates = CertificatesFetcher.new(certificates_url)
+        end
+
+        # Verifies a Firebase ID token.
+        #
+        # @param [String] token A Firebase JWT ID token.
+        # @param [Boolean] is_emulator skips signature verification if true.
+        # @return [Hash] the verified claims.
+        def verify(token, is_emulator: false)
+          payload = decode(token, is_emulator).first
+          sub = payload["sub"]
+          raise JWT::InvalidSubError, "Invalid subject." unless sub.is_a?(String) && !sub.empty?
+          payload["uid"] = sub
+          payload
+        rescue JWT::ExpiredSignature => e
+          raise expired_error, e.message
+        rescue JWT::DecodeError => e
+          raise invalid_error, e.message
+        end
+
+        # Override in subclasses to set the issuer
+        def issuer
+          raise NotImplementedError
+        end
+
+        def invalid_error
+          raise NotImplementedError
+        end
+
+        def expired_error
+          raise NotImplementedError
+        end
+
+        private
+
+        def decode_options
+          {
+            iss: issuer,
+            aud: @project_id,
+            algorithm: "RS256",
+            verify_iat: true,
+            verify_iss: true,
+            verify_aud: true
+          }
+        end
+
+        def find_key(header)
+          return nil unless header["kid"].is_a?(String)
+          certificate = @certificates.fetch_certificates![header["kid"]]
+          OpenSSL::X509::Certificate.new(certificate).public_key unless certificate.nil?
+        rescue OpenSSL::X509::CertificateError => e
+          raise InvalidCertificateError, e.message
+        end
+
+        def decode(token, is_emulator)
+          return decode_unsigned(token) if is_emulator
+          JWT.decode(token, nil, true, decode_options) do |header|
+            find_key(header)
+          end
+        end
+
+        def decode_unsigned(token)
+          raise InvalidTokenError, "token must not be nil" unless token
+          raise InvalidTokenError, "token must be a string" unless token.is_a?(String)
+          raise InvalidTokenError, "The auth emulator only accepts unsigned ID tokens." if token.split(".").length == 3
+          options = decode_options.merge({algorithm: "none"})
+          JWT.decode(token, nil, false, options)
+        end
+      end
+
+      # Verifier for Firebase ID tokens.
+      class IDTokenVerifier < JWTVerifier
+        CERTIFICATES_URI =
+          "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
+
+        # Initializes a new [IDTokenVerifier].
+        #
+        # @param [Firebase::Admin::App] app
+        #   The Firebase app to verify tokens for.
+        def initialize(app)
+          super(app, CERTIFICATES_URI)
+        end
+
+        def issuer
+          "https://securetoken.google.com/#{@project_id}"
+        end
+
+        def invalid_error
+          InvalidTokenError
+        end
+
+        def expired_error
+          ExpiredTokenError
+        end
+      end
+    end
+  end
+end

data/lib/firebase/admin/auth/user_info.rb

@@ -0,0 +1,60 @@
+require "json"
+
+module Firebase
+  module Admin
+    module Auth
+      # Standard profile information for a user.
+      #
+      # Also used to expose profile information returned by an identity provider.
+      class UserInfo
+        # Constructs a new UserInfo.
+        #
+        # @param [Hash] data
+        #   A hash of profile information
+        def initialize(data)
+          @data = data || {}
+        end
+
+        # Gets the ID of this user.
+        def uid
+          @data["rawId"]
+        end
+
+        # Gets the display name of this user.
+        def display_name
+          @data["displayName"]
+        end
+
+        # Gets the email address associated with this user.
+        def email
+          @data["email"]
+        end
+
+        # Gets the phone number associated with this user.
+        def phone_number
+          @data["phoneNumber"]
+        end
+
+        # Gets the photo url of this user.
+        def photo_url
+          @data["photoUrl"]
+        end
+
+        # Gets the id of the identity provider.
+        #
+        # This can be a short domain name (e.g. google.com), or the identity of an OpenID
+        # identity provider.
+        def provider_id
+          @data["providerId"]
+        end
+
+        # Converts the object into a hash.
+        #
+        # @return [Hash]
+        def to_h
+          @data.dup
+        end
+      end
+    end
+  end
+end

data/lib/firebase/admin/auth/user_manager.rb

@@ -0,0 +1,92 @@
+module Firebase
+  module Admin
+    module Auth
+      # Base url for the Google Identity Toolkit
+      ID_TOOLKIT_URL = "https://identitytoolkit.googleapis.com/v1"
+
+      # Provides methods for interacting with the Google Identity Toolkit
+      class UserManager
+        # Initializes a UserManager.
+        #
+        # @param [String] project_id The Firebase project id.
+        # @param [Credentials] credentials The credentials to authenticate with.
+        # @param [String, nil] url_override The base url to override with.
+        def initialize(project_id, credentials, url_override = nil)
+          uri = "#{url_override || ID_TOOLKIT_URL}/"
+          @project_id = project_id
+          @client = Firebase::Admin::Internal::HTTPClient.new(uri: uri, credentials: credentials)
+        end
+
+        # Creates a new user account with the specified properties.
+        #
+        # @param [String, nil] uid The id to assign to the newly created user.
+        # @param [String, nil] display_name The user’s display name.
+        # @param [String, nil] email The user’s primary email.
+        # @param [Boolean, nil] email_verified A boolean indicating whether or not the user’s primary email is verified.
+        # @param [String, nil] phone_number The user’s primary phone number.
+        # @param [String, nil] photo_url The user’s photo URL.
+        # @param [String, nil] password The user’s raw, unhashed password.
+        # @param [Boolean, nil] disabled A boolean indicating whether or not the user account is disabled.
+        #
+        # @raise [CreateUserError] if a user cannot be created.
+        #
+        # @return [UserRecord]
+        def create_user(uid: nil, display_name: nil, email: nil, email_verified: nil, phone_number: nil, photo_url: nil, password: nil, disabled: nil)
+          payload = {
+            localId: validate_uid(uid),
+            displayName: validate_display_name(display_name),
+            email: validate_email(email),
+            phoneNumber: validate_phone_number(phone_number),
+            photoUrl: validate_photo_url(photo_url),
+            password: validate_password(password),
+            emailVerified: to_boolean(email_verified),
+            disabled: to_boolean(disabled)
+          }.compact
+          res = @client.post(with_path("accounts"), payload).body
+          uid = res&.fetch("localId")
+          raise CreateUserError, "failed to create user #{res}" if uid.nil?
+          get_user_by(uid: uid)
+        end
+
+        # Gets the user corresponding to the provided key
+        #
+        # @param [Hash] query Query parameters to search for a user by.
+        # @option query [String] :uid A user id.
+        # @option query [String] :email An email address.
+        # @option query [String] :phone_number A phone number.
+        #
+        # @return [UserRecord] A user or nil if not found
+        def get_user_by(query)
+          if (uid = query[:uid])
+            payload = {localId: Array(validate_uid(uid, required: true))}
+          elsif (email = query[:email])
+            payload = {email: Array(validate_email(email, required: true))}
+          elsif (phone_number = query[:phone_number])
+            payload = {phoneNumber: Array(validate_phone_number(phone_number, required: true))}
+          else
+            raise ArgumentError, "Unsupported query: #{query}"
+          end
+          res = @client.post(with_path("accounts:lookup"), payload).body
+          users = res["users"] if res
+          UserRecord.new(users[0]) if users.is_a?(Array) && users.length > 0
+        end
+
+        # Deletes the user corresponding to the specified user id.
+        #
+        # @param [String] uid
+        #   The id of the user.
+        def delete_user(uid)
+          @client.post(with_path("accounts:delete"), {localId: validate_uid(uid, required: true)})
+        end
+
+        private
+
+        def with_path(path)
+          "projects/#{@project_id}/#{path}"
+        end
+
+        include Utils
+      end
+    end
+  end
+end

data/lib/firebase/admin/auth/user_record.rb

@@ -0,0 +1,70 @@
+require "json"
+
+module Firebase
+  module Admin
+    module Auth
+      # A Firebase User account
+      class UserRecord < UserInfo
+        # Gets the ID of this user.
+        def uid
+          @data["localId"]
+        end
+
+        # Gets the id of the identity provider.
+        #
+        # Always firebase for user accounts.
+        def provider_id
+          "firebase"
+        end
+
+        def email_verified?
+          !!@data["emailVerified"]
+        end
+
+        def disabled?
+          !!@data["disabled"]
+        end
+
+        # Gets the time, in milliseconds since the epoch, before which tokens are invalid.
+        #
+        # @note truncated to 1 second accuracy.
+        #
+        # @return [Numeric]
+        #   Timestamp in milliseconds since the epoch, truncated to the second.
+        #   All tokens issued before that time are considered revoked.
+        def tokens_valid_after_timestamp
+          raise NotImplementedError
+        end
+
+        # Gets additional metadata associated with this user.
+        #
+        # @return [UserMetadata]
+        def user_metadata
+          raise NotImplementedError
+        end
+
+        # Gets a list of (UserInfo) instances.
+        #
+        # Each object represents an identity from an identity provider that is linked to this user.
+        #
+        # @return [Array of UserInfo]
+        def provider_data
+          providers = @data["providerUserInfo"] || []
+          providers.to_a.map { |p| UserInfo.new(p) }
+        end
+
+        # Gets any custom claims set on this user account.
+        def custom_claims
+          claims = @data["customAttributes"]
+          parsed = JSON.parse(claims) unless claims.nil?
+          parsed if parsed.is_a?(Hash) && !parsed.empty?
+        end
+
+        # Returns the tenant ID of this user.
+        def tenant_id
+          raise NotImplementedError
+        end
+      end
+    end
+  end
+end

data/lib/firebase/admin/auth/utils.rb

@@ -0,0 +1,93 @@
+module Firebase
+  module Admin
+    module Auth
+      module Utils
+        AUTH_EMULATOR_HOST_VAR = "FIREBASE_AUTH_EMULATOR_HOST"
+
+        INVALID_CHARS_PATTERN = /[^a-z0-9:\/?#\[\\\]@!$&'()*+,;=.\-_~%]/i
+        HOSTNAME_PATTERN = /^[a-zA-Z0-9]+[\w-]*([.]?[a-zA-Z0-9]+[\w-]*)*$/
+        PATHNAME_PATTERN = /^(\/[\w\-.~!$'()*+,;=:@%]+)*\/?$/
+
+        def validate_uid(uid, required: false)
+          return nil if uid.nil? && !required
+          raise ArgumentError, "uid must be a string" unless uid.is_a?(String)
+          raise ArgumentError, "uid must be non-empty with no more than 128 chars" unless uid.length.between?(1, 128)
+          uid
+        end
+
+        def validate_email(email, required: false)
+          return nil if email.nil? && !required
+          raise ArgumentError, "email must be a non-empty string" unless email.is_a?(String) && !email.empty?
+          parts = email.split("@")
+          raise ArgumentError, "email is malformed #{email}" unless parts.length == 2 && !parts[0].empty? && !parts[1].empty?
+          email
+        end
+
+        def validate_phone_number(phone_number, required: false)
+          return nil if phone_number.nil? && !required
+          raise ArgumentError, "phone_number must be a non-empty string" unless phone_number.is_a?(String)
+          raise ArgumentError, "phone_number must be an E.164 identifier" unless phone_number.match?(/^\+\d{1,14}$/)
+          phone_number
+        end
+
+        def validate_password(password, required: false)
+          return nil if password.nil? && !required
+          raise ArgumentError, "password must a string" unless password.is_a?(String)
+          raise ArgumentError, "password must be at least 6 characters long" unless password.length >= 6
+          password
+        end
+
+        def validate_photo_url(url, required: false)
+          return nil if url.nil? && !required
+          raise ArgumentError, "photo_url must be a valid url" unless url.is_a?(String) && !url.empty?
+          raise ArgumentError, "photo_url must be a valid url" unless validate_url(url)
+          url
+        end
+
+        def validate_display_name(name, required: false)
+          return nil if name.nil? && !required
+          raise ArgumentError, "display_name must be a non-empty string" unless name.is_a?(String) && !name.empty?
+          name
+        end
+
+        def to_boolean(val)
+          !!val unless val.nil?
+        end
+
+        module_function
+
+        def validate_url(url)
+          return false unless url.is_a?(String) && !url.empty? && !url.match?(INVALID_CHARS_PATTERN)
+          begin
+            uri = URI.parse(url)
+            return false unless %w[https http].include?(uri.scheme)
+            return false unless uri.hostname&.match?(HOSTNAME_PATTERN)
+            return false unless uri.path.empty? || uri.path == "/" || uri.path.match?(PATHNAME_PATTERN)
+            true
+          rescue
+            false
+          end
+        end
+
+        def get_emulator_host
+          emulator_host = ENV[AUTH_EMULATOR_HOST_VAR]&.strip
+          return nil unless emulator_host && !emulator_host.empty?
+          if emulator_host.include?("//")
+            msg = "Invalid #{AUTH_EMULATOR_HOST_VAR}: \"#{emulator_host}\". It must follow the format \"host:post\""
+            raise ArgumentError, msg
+          end
+          emulator_host
+        end
+
+        def get_emulator_v1_url
+          return nil unless (emulator_host = get_emulator_host)
+          "http://#{emulator_host}/identitytoolkit.googleapis.com/v1"
+        end
+
+        def is_emulated?
+          !!get_emulator_host
+        end
+      end
+    end
+  end
+end