RubyGems - firebase-id-token - Versions diffs - 0.0.2 - Mend

firebase-id-token 0.0.2

Files changed (3) hide show

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: d89290464d362ff7e59e9058263abefe82915661
+  data.tar.gz: 0fc67807f0f9d7538a64252594cd8476702aba35
+SHA512:
+  metadata.gz: 50ebce4492b3eae49194b537839fa4776a28a81422b95c4a9f501cec52285995d683213f2051d99f0fbf1e39dbfb4bc140bab72d59be1715da5b9ba59b18874e
+  data.tar.gz: 3986fed0aec5ccae0cf2b0b483c2424a87f702d8294d2261b63165001a9a60974b508899ec43921917b77b8e0aa5295097b465b6c8f32cf62567439e5caaa837

data/lib/firebase-id-token.rb ADDED

@@ -0,0 +1,170 @@
+# encoding: utf-8
+# Copyright 2012 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+# Validates strings alleged to be ID Tokens issued by Google; if validation
+#  succeeds, returns the decoded ID Token as a hash.
+# It's a good idea to keep an instance of this class around for a long time,
+#  because it caches the keys, performs validation statically, and only
+#  refreshes from Google when required (once per day by default)
+#
+# @author Tim Bray, adapted from code by Bob Aman
+require 'multi_json'
+require 'jwt'
+require 'openssl'
+require 'net/http'
+module FirebaseIDToken
+  class CertificateError < StandardError; end
+  class ValidationError < StandardError; end
+  class ExpiredTokenError < ValidationError; end
+  class SignatureError < ValidationError; end
+  class InvalidIssuerError < ValidationError; end
+  class AudienceMismatchError < ValidationError; end
+  class ClientIDMismatchError < ValidationError; end
+  class Validator
+    FIREBASE_CERTS_URI = 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com'
+    FIREBASE_CERTS_EXPIRY = 86400 # 1 day
+    FIREBASE_ISSUERS_PREFIX = 'https://securetoken.google.com/'
+    def initialize(keyopts = {})
+      if keyopts[:x509_cert]
+        @certs_mode = :literal
+        @certs = { :_ => keyopts[:x509_cert] }
+      # elsif keyopts[:jwk_uri]  # TODO
+      #   @certs_mode = :jwk
+      #   @certs = {}
+      else
+        @certs_mode = :old_skool
+        @certs = {}
+      end
+      @certs_expiry = keyopts.fetch(:expiry, FIREBASE_CERTS_EXPIRY)
+    end
+    ##
+    # If it validates, returns a hash with the JWT payload from the ID Token.
+    #  You have to provide an "aud" value, which must match the
+    #  token's field with that name.
+    #  Furthermore the tokens field "iss" must be
+    #  "https://securetoken.google.com/<aud>"
+    #
+    # If something fails, raises an error
+    #
+    # @param [String] token
+    #   The string form of the token
+    # @param [String] aud
+    #   The required audience value
+    #
+    # @return [Hash] The decoded ID token
+    def check(token, aud)
+      payload = check_cached_certs(token, aud)
+      unless payload
+        # no certs worked, might've expired, refresh
+        if refresh_certs
+          payload = check_cached_certs(token, aud)
+          unless payload
+            raise SignatureError, 'Token not verified as issued by Firebase'
+          end
+        else
+          raise CertificateError, 'Unable to retrieve Firebase public keys'
+        end
+      end
+      payload
+    end
+    private
+    # tries to validate the token against each cached cert.
+    # Returns the token payload or raises a ValidationError or
+    #  nil, which means none of the certs validated.
+    def check_cached_certs(token, aud)
+      payload = nil
+      # find first public key that validates this token
+      @certs.detect do |key, cert|
+        begin
+          public_key = cert.public_key
+          decoded_token = JWT.decode(token, public_key, true, { :algorithm => 'RS256' })
+          payload = decoded_token.first
+          payload
+        rescue JWT::ExpiredSignature
+          raise ExpiredTokenError, 'Token signature is expired'
+        rescue JWT::DecodeError => e
+          nil # go on, try the next cert
+        end
+      end
+      if payload
+        if !(payload.has_key?('aud') && payload['aud'] == aud)
+          raise AudienceMismatchError, 'Token audience mismatch'
+        end
+        if FIREBASE_ISSUERS_PREFIX + aud != payload['iss']
+          raise InvalidIssuerError, 'Token issuer mismatch'
+        end
+        payload
+      else
+        nil
+      end
+    end
+    # returns false if there was a problem
+    def refresh_certs
+      case @certs_mode
+      when :literal
+        true # no-op
+      when :old_skool
+        old_skool_refresh_certs
+      end
+    end
+    def old_skool_refresh_certs
+      return true unless certs_cache_expired?
+      uri = URI(FIREBASE_CERTS_URI)
+      get = Net::HTTP::Get.new uri.request_uri
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = true
+      res = http.request(get)
+      if res.is_a?(Net::HTTPSuccess)
+        new_certs = Hash[MultiJson.load(res.body).map do |key, cert|
+                           [key, OpenSSL::X509::Certificate.new(cert)]
+                         end]
+        @certs.merge! new_certs
+        @certs_last_refresh = Time.now
+        true
+      else
+        false
+      end
+    end
+    def certs_cache_expired?
+      if defined? @certs_last_refresh
+        Time.now > @certs_last_refresh + @certs_expiry
+      else
+        true
+      end
+    end
+  end
+end

metadata ADDED

@@ -0,0 +1,128 @@
+--- !ruby/object:Gem::Specification
+name: firebase-id-token
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+platform: ruby
+authors:
+- Daniel Arnreich
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2017-04-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: multi_json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1'
+- !ruby/object:Gem::Dependency
+  name: fakeweb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: openssl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Firebase ID Token utilities; currently just a parser/checker
+email: daniel@arnreich.de
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/firebase-id-token.rb
+homepage: https://github.com/darnreich/firebase-id-token
+licenses:
+- APACHE-2.0
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.5.1
+signing_key:
+specification_version: 4
+summary: Firebase ID Token utilities
+test_files: []