firebase-authentication 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 26d45db46a0e99567b9f9b67c0eb991327cc99a4dc58ff978161b8f293620885
-  data.tar.gz: 6396f770c206014c435df545bde268e2f9199d1fb6a3388d8496828be0cb7d7e
+  metadata.gz: 52f63a09db5325c16fef42a13e248799767c1b9378af29a029e4ed5e7532b004
+  data.tar.gz: da4d219fc4d98dabf25e86ec4944188dc8e45f00bb9182fb2dabd03866db797a
 SHA512:
-  metadata.gz: 51b81400b334dbdc648bf76d3e2bb1ddbedd2d694d98b8fa7b99af2001e3c82318edb7798f0557c85bd51a82a33189432b72ddb2c56555ee7bc95402e97ddd42
-  data.tar.gz: '042855574e77b4a107a3fd03020502b6846e1e5d9b76052a657fbc0bf3a99b045376ff0d3bce726b2ecacd263aadd05484daa7c1129fc3b8e232ea3d7282c9a1'
+  metadata.gz: 7051a16c7a466845d33617a9cf0b9ea1f9413d66fa0da1eb57d8a574e9d4360838ad4e976484862f9f377fcfdb761047a657236e7e66badc4545ba7b1fbc6c88
+  data.tar.gz: b4f2ba99ba8758e6e056df2f42787e211e230d25aedde1a76548b852e2ba336416c74bd9ae42e26c0eb92e73243d6b301c5c8fb2d478139e11e68243fc95d3e0

data/.rubocop.yml

@@ -33,6 +33,9 @@ Layout/LineLength:
   Exclude:
     - "lib/firebase/**/*"
 
+Metrics/AbcSize:
+  Max: 30
+
 Metrics/MethodLength:
   Max: 20
   Exclude:

data/Gemfile

@@ -3,6 +3,7 @@ source "https://rubygems.org"
 # Specify your gem's dependencies in firebase_auth_for_ruby.gemspec
 gemspec
 
+gem "dotenv-rails"
 gem "jwt"
 gem "rails", "~> 6.1.4"
 gem "rake"

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    firebase-authentication (0.1.0)
+    firebase-authentication (0.2.0)
 
 GEM
   remote: https://rubygems.org/
@@ -70,6 +70,10 @@ GEM
     concurrent-ruby (1.1.9)
     crass (1.0.6)
     diff-lcs (1.4.4)
+    dotenv (2.7.6)
+    dotenv-rails (2.7.6)
+      dotenv (= 2.7.6)
+      railties (>= 3.2)
     erubi (1.10.0)
     globalid (0.5.2)
       activesupport (>= 5.0)
@@ -172,6 +176,7 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  dotenv-rails
   firebase-authentication!
   jwt
   rails (~> 6.1.4)

data/lib/firebase/authentication/version.rb

@@ -1,5 +1,5 @@
 module Firebase
   module Authentication
-    VERSION = "0.2.0".freeze
+    VERSION = "0.3.0".freeze
   end
 end

data/lib/firebase/authentication.rb

@@ -1,10 +1,123 @@
 require_relative "authentication/version"
-require_relative "authentication/config"
 require_relative "authentication/service"
 
 module Firebase
   module Authentication
-    class Error < StandardError; end
-    # Your code goes here...
+    ALGORITHM = "RS256".freeze
+    ISSUER_BASE_URL = "https://securetoken.google.com/".freeze
+    CLIENT_CERT_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com".freeze
+
+    class << self
+      def verify(token)
+        Rails.logger.info "#{self.class.name}\##{__method__} called."
+        Rails.logger.info token
+        raise "id token must be a String" unless token.is_a?(String)
+
+        full_decoded_token = _decode_token(token)
+
+        err_msg = _validate_jwt(full_decoded_token)
+        raise err_msg if err_msg
+
+        public_key = _fetch_public_keys[full_decoded_token[:header]["kid"]]
+        unless public_key
+          raise 'Firebase ID token has "kid" claim which does not correspond to a known public key.'\
+                "Most likely the ID token is expired, so get a fresh token from your client app and try again."
+        end
+
+        certificate = OpenSSL::X509::Certificate.new(public_key)
+        decoded_token = _decode_token(token, certificate.public_key, verify: true, options: { algorithm: ALGORITHM, verify_iat: true })
+
+        {
+          "uid" => decoded_token[:payload]["sub"],
+          "decoded_token" => decoded_token
+        }
+      end
+
+      def create_custom_token(uid, claims = {})
+        private_key = OpenSSL::PKey::RSA.new Global.firebase.private_key.gsub('\\n', "\n")
+        service_account_email = Global.firebase.client_email
+        now_seconds = Time.now.to_i
+        payload = { iss: service_account_email,
+                    sub: service_account_email,
+                    aud: "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
+                    iat: now_seconds,
+                    exp: now_seconds + (60 * 60),
+                    uid: uid,
+                    claims: claims }
+        JWT.encode payload, private_key, "RS256"
+      end
+
+      private
+
+      def _decode_token(token, key = nil, verify: false, options: {})
+        Rails.logger.info "#{self.class.name}\##{__method__} called."
+        begin
+          decoded_token = JWT.decode(token, key, verify, options)
+        rescue JWT::ExpiredSignature => e
+          raise "Firebase ID token has expired. Get a fresh token from your client app and try again. #{e.message}"
+        rescue JWT::InvalidAudError, JWT::DecodeError, JWT::VerificationError => e
+          raise "Firebase JWT Error. #{e.message}"
+        rescue StandardError => e
+          raise "Firebase ID token has invalid signature. #{e.message}"
+        end
+
+        {
+          payload: decoded_token[0],
+          header: decoded_token[1]
+        }
+      end
+
+      def _fetch_public_keys
+        Rails.logger.info "#{self.class.name}\##{__method__} called."
+        uri = URI.parse(CLIENT_CERT_URL)
+        https = Net::HTTP.new(uri.host, uri.port)
+        https.use_ssl = true
+
+        res = https.start do
+          https.get(uri.request_uri)
+        end
+        data = JSON.parse(res.body)
+
+        if data["error"]
+          msg = "Error fetching public keys for Google certs: #{data["error"]}"
+          msg += " (#{res["error_description"]})" if data["error_description"]
+
+          raise msg
+        end
+
+        data
+      end
+
+      def _validate_jwt(json)
+        Rails.logger.info "#{self.class.name}\##{__method__} called."
+        error = _validate_jwt_header(json[:header])
+        error || _validate_jwt_payload(json[:payload])
+      end
+
+      def _validate_jwt_header(header)
+        Rails.logger.info "#{self.class.name}\##{__method__} called."
+        return 'Firebase ID token has no "kid" claim.' unless header["kid"]
+
+        return "Firebase ID token has incorrect algorithm. Expected \"#{ALGORITHM}\" but got \"#{header["alg"]}\"."\
+        unless header["alg"] == ALGORITHM
+      end
+
+      def _validate_jwt_payload(payload)
+        Rails.logger.info "#{self.class.name}\##{__method__} called."
+        project_id = ENV.fetch("FIREBASE_PROJECT_ID")
+        unless payload["aud"] == project_id
+          return "Firebase ID token has incorrect \'aud\' (audience) claim. Expected \"#{project_id}\" but got \"#{payload["aud"]}\"."
+        end
+
+        issuer = ISSUER_BASE_URL + project_id
+        unless payload["iss"] == issuer
+          return "Firebase ID token has incorrect \'iss\' (issuer) claim. Expected \"#{issuer}\" but got \"#{payload["iss"]}\"."
+        end
+
+        return 'Firebase ID token has no "sub" (subject) claim.' unless payload["sub"].is_a?(String)
+        return 'Firebase ID token has an empty string "sub" (subject) claim.' if payload["sub"].empty?
+        return 'Firebase ID token has "sub" (subject) claim longer than 128 characters.' if payload["sub"].size > 128
+      end
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: firebase-authentication
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - shuntagami
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-10-03 00:00:00.000000000 Z
+date: 2021-10-07 00:00:00.000000000 Z
 dependencies: []
 description:
 email: