firebase-verifier 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9b177ce09f0ee70dc1152afeaf1c3c103921ca2bc4c1b4149f4b87a68b9d3c61
+  data.tar.gz: 20214dd3e882de788fc5e61a92f1c2148228f567873fdeb4a210ee6aba5828fc
+SHA512:
+  metadata.gz: 4f3b1a1fc559f4315f9b93dae117624e70650016343b5bfc0fc1f80bbb8962ddedaa3e799cd0c666383d9c2d0a80d8bdc9820eb23dd8fc69d839a856fe8c5964
+  data.tar.gz: 5298cfb493e98980c3de2552d821f12a5fb81f563e54f6768106283f5ceeb549480a689fc82551e5a6ad074daeee195ef364146450d6445004e8403a3ba375d1

data/Gemfile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in firebase-verifier.gemspec
+gemspec
+
+gem "rake", "~> 13.0"

data/README.md

@@ -0,0 +1,39 @@
+# Firebase::Verifier
+
+Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/firebase/verifier`. To experiment with that code, run `bin/console` for an interactive prompt.
+
+TODO: Delete this and the text above, and describe your gem
+
+## Installation
+
+Install the gem and add to the application's Gemfile by executing:
+
+    $ bundle add firebase-verifier
+
+If bundler is not being used to manage dependencies, install the gem by executing:
+
+    $ gem install firebase-verifier
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Deployment
+
+Build the gem:
+
+    $ gem build firebase-verifier.gemspec
+
+Deploy the gem:
+
+    $ gem push firebase-verifier-0.1.0.gem
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/firebase-verifier.

data/Rakefile

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+task default: %i[]

data/lib/firebase-verifier/verifier/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module FirebaseVerifier
+  module Verifier
+    VERSION = "0.1.0"
+  end
+end

data/lib/firebase-verifier/verifier.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+require_relative "verifier/version"
+require 'net/http'
+require 'json'
+require 'jwt'
+
+module FirebaseVerifier
+  module Verifier
+    class Error < StandardError; end
+    VALID_JWT_PUBLIC_KEYS_RESPONSE_CACHE_KEY = "firebase_jwt_public_keys_cache_key"
+    JWT_ALGORITHM = 'RS256'
+
+    def initialize(firebase_project_id)
+      @firebase_project_id = firebase_project_id
+    end
+
+    def decode(id_token)
+      payload, header = decode_jwt_token(id_token, @firebase_project_id)
+
+      alg = header['alg']
+      raise "Invalid access token 'alg' header (#{alg}). Must be '#{JWT_ALGORITHM}'." unless alg == JWT_ALGORITHM
+
+      typ = header['typ']
+      raise "Invalid access token 'typ' header (#{typ}). Must be 'JWT'." unless typ == 'JWT'
+
+      iss = payload['iss']
+      issuer = "https://securetoken.google.com/#{@firebase_project_id}"
+      raise "Invalid access token 'iss' payload (#{iss}). Must be '#{issuer}'." unless iss == issuer
+
+      exp = payload['exp']
+      raise "Invalid access token 'exp' payload (#{exp}). Token has expired." unless Time.at(exp) > Time.now
+
+      aud = payload['aud']
+      audience = @firebase_project_id
+      raise "Invalid access token 'aud' payload (#{aud}). Must be '#{audience}'." unless aud == audience
+
+      kid = header['kid']
+      valid_public_keys = retrieve_and_cache_jwt_valid_public_keys
+      raise "Invalid access token 'kid' header, do not correspond to valid public keys." unless valid_public_keys.keys.include?(kid)
+
+      sub = payload['sub']
+      raise "Invalid access token. 'Subject' (sub) must be a non-empty string." if sub.nil? || sub.empty?
+
+      payload
+    end
+
+    private
+
+    def decode_jwt_token(firebase_jwt_token, firebase_project_id)
+      public_key = nil
+      custom_options = {
+        verify_iat: true,
+        verify_aud: true,
+        aud: firebase_project_id,
+        verify_iss: true,
+        iss: "https://securetoken.google.com/#{firebase_project_id}"
+      }
+
+      custom_options[:algorithm] = JWT_ALGORITHM unless public_key.nil?
+
+      begin
+        decoded_token = JWT.decode(firebase_jwt_token, public_key, !public_key.nil?, custom_options)
+      rescue JWT::ExpiredSignature
+        return nil, "Invalid access token. 'Expiration time' (exp) must be in the future."
+      rescue JWT::InvalidIatError
+        return nil, "Invalid access token. 'Issued-at time' (iat) must be in the past."
+      rescue JWT::InvalidAudError
+        return nil, "Invalid access token. 'Audience' (aud) must be your Firebase project ID, the unique identifier for your Firebase project."
+      rescue JWT::InvalidIssuerError
+        return nil, "Invalid access token. 'Issuer' (iss) Must be 'https://securetoken.google.com/<projectId>', where <projectId> is your Firebase project ID."
+      rescue JWT::VerificationError
+        return nil, "Invalid access token. Signature verification failed."
+      end
+
+      return decoded_token
+    end
+
+    def retrieve_and_cache_jwt_valid_public_keys
+      valid_public_keys = Rails.cache.read(VALID_JWT_PUBLIC_KEYS_RESPONSE_CACHE_KEY)
+      if valid_public_keys.nil?
+        uri = URI("https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com")
+        response = Net::HTTP.get_response(uri)
+
+        if response.code != '200'
+          raise "Something went wrong: can't obtain valid JWT public keys from Google."
+        end
+
+        valid_public_keys = JSON.parse(response.body)
+
+        cc = response["cache-control"]
+        max_age = cc[/max-age=(\d+?),/m, 1]
+
+        Rails.cache.write(VALID_JWT_PUBLIC_KEYS_RESPONSE_CACHE_KEY, valid_public_keys, :expires_in => max_age.to_i)
+      end
+
+      valid_public_keys
+    end
+  end
+end

data/sig/firebase-verifier/verifier.rbs

@@ -0,0 +1,6 @@
+module Firebase
+  module Verifier
+    VERSION: String
+    # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+  end
+end

metadata

@@ -0,0 +1,53 @@
+--- !ruby/object:Gem::Specification
+name: firebase-verifier
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- KuruStudio
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2024-06-13 00:00:00.000000000 Z
+dependencies: []
+description: Verifier of Firebase Token. This is used to extract important details
+  in a Firebase Token.
+email:
+- mail@kuru.studio
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- README.md
+- Rakefile
+- lib/firebase-verifier/verifier.rb
+- lib/firebase-verifier/verifier/version.rb
+- sig/firebase-verifier/verifier.rbs
+homepage: https://kuru.studio
+licenses: []
+metadata:
+  allowed_push_host: https://rubygems.org
+  homepage_uri: https://kuru.studio
+  source_code_uri: https://github.com/kuru-studio/firebase-verifier
+  changelog_uri: https://kuru.studio
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.6.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.7
+signing_key:
+specification_version: 4
+summary: Verifier of Firebase Token
+test_files: []