firebase_token_auth 0.1.0

@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: 0b8bb47628efe00351023a731bcc1d839aa731c79195c4248dec9cce886c4863
4
+ data.tar.gz: 44126b4a7a3fababeccb799edf9a09706da7064b01aaa79a39889149df186dbd
5
+ SHA512:
6
+ metadata.gz: bd940772d542601ba17e1a776be82b88ff70e01b568125498a0554e91b5eede3e81157bef226373257b80612f41711b501053f43368e1f6a99e17fe53e79b1d2
7
+ data.tar.gz: a286c00748d9e31f14e38de4b6a2e4deaed0117f9b4eeabc186d30cc5fcb24c692f5cd2097d3c28120ffc269480b5957c3b7407baf920505a0ae26aa5ced9454
@@ -0,0 +1,14 @@
1
+ /.bundle/
2
+ /.yardoc
3
+ /_yardoc/
4
+ /coverage/
5
+ /doc/
6
+ /pkg/
7
+ /spec/reports/
8
+ /tmp/
9
+ /vendor/bundle
10
+
11
+ # rspec failure tracking
12
+ .rspec_status
13
+
14
+ Gemfile.lock
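--- a/data/.rspec
+++ b/data/.rspec
@@ -0,0 +1,3 @@
+ --format documentation
+ --color
+ --require spec_helper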
@@ -0,0 +1,11 @@
1
+ Style/FrozenStringLiteralComment:
2
+ Enabled: false
3
+
4
+ Metrics/LineLength:
5
+ Enabled: false
6
+
7
+ Style/Documentation:
8
+ Enabled: false
9
+
10
+ Layout/IndentationConsistency:
11
+ EnforcedStyle: indented_internal_methods
@@ -0,0 +1,6 @@
1
+ ---
2
+ language: ruby
3
+ cache: bundler
4
+ rvm:
5
+ - 2.7.0
6
+ before_install: gem install bundler -v 2.1.4
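--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,8 @@
+ source 'https://rubygems.org'
+
+ # Specify your gem's dependencies in firebase_token_auth.gemspec
+ gemspec
+
+ gem 'pry-byebug'
+ gem 'rake', '~> 12.0'
+ gem 'rspec', '~> 3.0'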
@@ -0,0 +1,21 @@
1
+ The MIT License (MIT)
2
+
3
+ Copyright (c) 2020 Takayuki Miyahara
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in
13
+ all copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21
+ THE SOFTWARE.
@@ -0,0 +1,40 @@
1
+ # FirebaseTokenAuth
2
+
3
+ Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/firebase_token_auth`. To experiment with that code, run `bin/console` for an interactive prompt.
4
+
5
+ TODO: Delete this and the text above, and describe your gem
6
+
7
+ ## Installation
8
+
9
+ Add this line to your application's Gemfile:
10
+
11
+ ```ruby
12
+ gem 'firebase_token_auth'
13
+ ```
14
+
15
+ And then execute:
16
+
17
+ $ bundle install
18
+
19
+ Or install it yourself as:
20
+
21
+ $ gem install firebase_token_auth
22
+
23
+ ## Usage
24
+
25
+ TODO: Write usage instructions here
26
+
27
+ ## Development
28
+
29
+ After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
30
+
31
+ To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
32
+
33
+ ## Contributing
34
+
35
+ Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/firebase_token_auth.
36
+
37
+
38
+ ## License
39
+
40
+ The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
@@ -0,0 +1,6 @@
1
+ require "bundler/gem_tasks"
2
+ require "rspec/core/rake_task"
3
+
4
+ RSpec::Core::RakeTask.new(:spec)
5
+
6
+ task :default => :spec
@@ -0,0 +1,14 @@
1
+ #!/usr/bin/env ruby
2
+
3
+ require "bundler/setup"
4
+ require "firebase_token_auth"
5
+
6
+ # You can add fixtures and/or initialization code here to make experimenting
7
+ # with your gem easier. You can also use a different console, if you like.
8
+
9
+ # (If you use this, don't forget to add pry to your Gemfile!)
10
+ # require "pry"
11
+ # Pry.start
12
+
13
+ require "irb"
14
+ IRB.start(__FILE__)
@@ -0,0 +1,8 @@
1
+ #!/usr/bin/env bash
2
+ set -euo pipefail
3
+ IFS=$'\n\t'
4
+ set -vx
5
+
6
+ bundle install
7
+
8
+ # Do any other automated setup that you need to do here
@@ -0,0 +1,29 @@
1
+ require_relative 'lib/firebase_token_auth/version'
2
+
3
+ Gem::Specification.new do |spec|
4
+ spec.name = 'firebase_token_auth'
5
+ spec.version = FirebaseTokenAuth::VERSION
6
+ spec.authors = ['miyataka']
7
+ spec.email = ['voyager.3taka28@gmail.com']
8
+
9
+ spec.summary = 'Firebase Authentication API wrapper for serverside. It support custom token auth.'
10
+ spec.description = 'Firebase Authentication API wrapper for serverside. It support custom token auth. Of course it has id_token verify feature.'
11
+ spec.homepage = 'https://github.com/miyataka/firebase_token_auth'
12
+ spec.license = 'MIT'
13
+ spec.required_ruby_version = Gem::Requirement.new('>= 2.3.0')
14
+
15
+ spec.metadata['homepage_uri'] = spec.homepage
16
+ spec.metadata['source_code_uri'] = spec.homepage
17
+
18
+ # Specify which files should be added to the gem when it is released.
19
+ # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
20
+ spec.files = Dir.chdir(File.expand_path(__dir__)) do
21
+ `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
22
+ end
23
+ spec.bindir = 'exe'
24
+ spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
25
+ spec.require_paths = ['lib']
26
+
27
+ spec.add_dependency 'google-api-client'
28
+ spec.add_dependency 'jwt'
29
+ end
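Review bot: Both runtime dependencies at the end of the spec are declared without any version constraint (`spec.add_dependency 'google-api-client'`, `spec.add_dependency 'jwt'`), so the gem resolves against any release of the libraries that do its signature verification and credential handling. Constrain each to the series the code was tested with, e.g. `spec.add_dependency 'jwt', '~> <TESTED_VERSION>'`. Separately, `required_ruby_version` admits 2.3.0 while public_key_manager.rb calls `Hash#transform_values!`, which needs Ruby 2.4, so the floor should be `Gem::Requirement.new('>= 2.4.0')`.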
@@ -0,0 +1,25 @@
1
+ require 'firebase_token_auth/version'
2
+
3
+ require 'firebase_token_auth/configuration'
4
+ require 'firebase_token_auth/client'
5
+
6
+ require 'pry-byebug'
7
+
8
+ module FirebaseTokenAuth
9
+ class Error < StandardError; end
10
+
11
+ class << self
12
+ def build
13
+ @client = ::FirebaseTokenAuth::Client.new(configuration)
14
+ end
15
+ alias new build
16
+ end
17
+
18
+ def self.configuration
19
+ @configuration ||= Configuration.new
20
+ end
21
+
22
+ def self.configure(&block)
23
+ yield(configuration(&block))
24
+ end
25
+ end
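Review bot: `require 'pry-byebug'` at the top of the library entry point loads a debugger into every application that requires the gem, and since the gemspec does not declare it (it appears only in the Gemfile) consumers without it installed get a `LoadError`. Drop the line from the library and keep any debugger require in `bin/console` or the spec helper. In `configure`, `yield(configuration(&block))` passes the block to `configuration`, which ignores it; `yield configuration` is what the method needs.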
@@ -0,0 +1,17 @@
1
+ require 'google/apis/identitytoolkit_v3'
2
+
3
+ module FirebaseTokenAuth
4
+ class AdminClient
5
+ attr_accessor :service
6
+
7
+ def initialize(configuration)
8
+ @service = Google::Apis::IdentitytoolkitV3::IdentityToolkitService.new
9
+ @service.authorization = configuration.auth
10
+ end
11
+
12
+ def get_account_info(params)
13
+ request = Google::Apis::IdentitytoolkitV3::GetAccountInfoRequest.new(**params)
14
+ service.get_account_info(request)
15
+ end
16
+ end
17
+ end
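Review bot: `initialize` assigns `configuration.auth` to the service unchecked, and `Configuration#prepare` returns before setting `@auth` when no service-account credentials are configured, so `get_account_info` would presumably go out with no authorization and fail far from the cause. Fail early instead, e.g. `raise FirebaseTokenAuth::Error, 'service account credentials are required for admin calls' unless configuration.auth`. `attr_accessor :service` also lets any caller replace the authorized service object; `attr_reader :service` covers what the class uses.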
@@ -0,0 +1,67 @@
1
+ require 'json'
2
+ require 'openssl'
3
+ require 'jwt'
4
+
5
+ require 'firebase_token_auth/public_key_manager'
6
+ require 'firebase_token_auth/validator'
7
+ require 'firebase_token_auth/admin_client'
8
+
9
+ module FirebaseTokenAuth
10
+ ALGORITHM = 'RS256'.freeze
11
+
12
+ IdToken = Struct.new(:payload, :header)
13
+ IdTokenResult = Struct.new(:uid, :id_token)
14
+
15
+ class Client
16
+ CUSTOM_TOKEN_AUD = 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit'.freeze
17
+
18
+ attr_accessor :configuration, :public_key_manager, :validator
19
+
20
+ def initialize(configuration)
21
+ @configuration = configuration
22
+ @configuration.prepare
23
+ @public_key_manager = PublicKeyManager.new
24
+ @validator = Validator.new
25
+ end
26
+
27
+ def verify_id_token(id_token, options = {})
28
+ raise if id_token.nil? || id_token.empty?
29
+
30
+ public_key_id, decoded_jwt = validator.extract_kid(id_token)
31
+ public_key_manager.refresh_publickeys!
32
+ validator.validate(configuration.project_id, decoded_jwt)
33
+ default_options = { algorithm: ALGORITHM, verify_iat: true, verify_expiration: true, exp_leeway: configuration.exp_leeway }
34
+ jwt = JWT.decode(id_token, public_key_manager.public_keys[public_key_id].public_key, true, default_options.merge!(options))
35
+ IdTokenResult.new(jwt[0]['sub'], IdToken.new(jwt[0], jwt[1]))
36
+ end
37
+
38
+ def create_custom_token(uid, additional_claims = nil)
39
+ # TODO: implement Error
40
+ raise unless configuration.configured_for_custom_token?
41
+
42
+ now_seconds = Time.now.to_i
43
+ payload = { iss: configuration.client_email,
44
+ sub: configuration.client_email,
45
+ aud: CUSTOM_TOKEN_AUD,
46
+ iat: now_seconds,
47
+ exp: now_seconds + (60 * 60),
48
+ uid: uid }
49
+ payload.merge!({ claim: additional_claims }) if additional_claims
50
+ JWT.encode(payload, configuration.private_key, ALGORITHM)
51
+ end
52
+
53
+ def user_search_by_email(email)
54
+ admin_client.get_account_info({ email: [email] })&.users&.map(&:to_h)
55
+ end
56
+
57
+ def user_search_by_uid(uid)
58
+ admin_client.get_account_info({ local_id: [uid] })&.users&.map(&:to_h)
59
+ end
60
+
61
+ private
62
+
63
+ def admin_client
64
+ @admin_client ||= FirebaseTokenAuth::AdminClient.new(configuration)
65
+ end
66
+ end
67
+ end
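Review bot: In `verify_id_token`, `default_options.merge!(options)` lets caller-supplied options replace `algorithm`, `verify_iat` and `verify_expiration`, so one call site can silently switch off the checks this method exists to enforce. Apply the fixed keys last, e.g. `options.merge(algorithm: ALGORITHM, verify_iat: true, verify_expiration: true)`, and let only `exp_leeway` be overridden. The lookup `public_key_manager.public_keys[public_key_id].public_key` fails with `NoMethodError` on nil for an unknown or missing `kid`; make that an explicit verification failure with `raise Error, 'unknown kid' unless public_key_manager.public_keys.key?(public_key_id)`. In `create_custom_token` the extra claims are stored under `claim:`, while Firebase custom tokens carry them under `claims`, so they are likely dropped.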
@@ -0,0 +1,57 @@
1
+ require 'google/apis/identitytoolkit_v3'
2
+ require 'openssl'
3
+
4
+ module FirebaseTokenAuth
5
+ class Configuration
6
+ attr_accessor :project_id, :json_key_io, :exp_leeway, :private_key, :client_email, :scope, :auth
7
+
8
+ def initialize
9
+ @project_id = nil
10
+ @exp_leeway = 60 * 60 * 24 * 7
11
+ @scope = ['https://www.googleapis.com/auth/identitytoolkit']
12
+
13
+ # if you want to create custom_token,
14
+ # you need credentials which a) json_key_io or b) admin_email and admin_private_key
15
+
16
+ # set file path or StringIO
17
+ @json_key_io = nil
18
+
19
+ # Or set these
20
+ # ENV['GOOGLE_ACCOUNT_TYPE'] = 'service_account'
21
+ # ENV['GOOGLE_CLIENT_ID'] = '000000000000000000000'
22
+ # ENV['GOOGLE_CLIENT_EMAIL'] = 'xxxx@xxxx.iam.gserviceaccount.com'
23
+ # ENV['GOOGLE_PRIVATE_KEY'] = '-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n'
24
+ end
25
+
26
+ def prepare
27
+ # TODO: implement error
28
+ raise unless project_id
29
+ return unless configured_for_custom_token?
30
+
31
+ @auth = if json_key_io
32
+ io = json_key_io.respond_to?(:read) ? json_key_io : File.open(json_key_io)
33
+ Google::Auth::ServiceAccountCredentials.make_creds(
34
+ json_key_io: io,
35
+ scope: scope
36
+ )
37
+ else
38
+ # from ENV
39
+ Google::Auth::ServiceAccountCredentials.make_creds(scope: scope)
40
+ end
41
+
42
+ if json_key_io
43
+ json_io = json_key_io.respond_to?(:read) ? json_key_io : File.open(json_key_io)
44
+ parsed = JSON.parse(json_io.read)
45
+ @private_key = OpenSSL::PKey::RSA.new(parsed['private_key'])
46
+ @client_email = parsed['client_email']
47
+ else
48
+ @private_key = OpenSSL::PKey::RSA.new(ENV['GOOGLE_PRIVATE_KEY'])
49
+ @client_email = ENV['GOOGLE_CLIENT_EMAIL']
50
+ end
51
+ end
52
+
53
+ def configured_for_custom_token?
54
+ json_key_io || (ENV['GOOGLE_PRIVATE_KEY'] && ENV['GOOGLE_CLIENT_EMAIL'])
55
+ end
56
+ end
57
+ end
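Review bot: The default `@exp_leeway = 60 * 60 * 24 * 7` in `initialize` is handed to `JWT.decode` as `exp_leeway` by the client, so out of the box an ID token keeps verifying for seven days after its `exp`. Leeway is meant to absorb clock skew, so the default should be small, e.g. `@exp_leeway = 60`, with a comment stating that the unit is seconds and that raising it extends the life of expired tokens. In `prepare`, `json_key_io` is consumed twice, first by `make_creds` and then by `json_io.read`, which for a StringIO probably leaves the second read empty unless it is rewound, and the `File.open` handles are never closed. Read the JSON once into a string and give `make_creds` a fresh `StringIO` over it.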
@@ -0,0 +1,35 @@
1
+ require 'openssl'
2
+ require 'net/http'
3
+
4
+ module FirebaseTokenAuth
5
+ class PublicKeyManager
6
+ PUBLIC_KEY_URL = 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com'.freeze
7
+ attr_accessor :public_keys, :expire_time
8
+
9
+ def initialize
10
+ fetch_publickeys_hash
11
+ end
12
+
13
+ def refresh_publickeys!
14
+ return unless expired?
15
+
16
+ fetch_publickeys_hash
17
+ end
18
+
19
+ private
20
+
21
+ def fetch_publickeys_hash
22
+ res = Net::HTTP.get_response(URI(PUBLIC_KEY_URL))
23
+ @public_keys = JSON.parse(res.body).transform_values! { |v| OpenSSL::X509::Certificate.new(v) }
24
+ @expire_time = cache_control_header_to_expire_time(res['Cache-Control'])
25
+ end
26
+
27
+ def expired?
28
+ @expire_time.to_i > Time.now.to_i
29
+ end
30
+
31
+ def cache_control_header_to_expire_time(cache_control_header)
32
+ Time.now.to_i + cache_control_header.match(/max-age=([0-9]*)/)[1].to_i
33
+ end
34
+ end
35
+ end
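Review bot: `expired?` is inverted: `@expire_time.to_i > Time.now.to_i` is true while the cached certificates are still fresh, so `refresh_publickeys!` refetches on every verification until max-age elapses and never again afterwards, which leaves rotated signing keys unknown to the verifier. It should read `Time.now.to_i >= @expire_time.to_i`. `fetch_publickeys_hash` also parses `res.body` without checking the response status, and `cache_control_header_to_expire_time` calls `[1]` on a possibly nil match, so a failed or header-less response surfaces as `JSON::ParserError` or `NoMethodError`; check `res.is_a?(Net::HTTPSuccess)` and keep the previous keys on failure. The file uses `JSON` without `require 'json'` and relies on client.rb having loaded it.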
@@ -0,0 +1,24 @@
1
+ module FirebaseTokenAuth
2
+ class Validator
3
+ ISSUER_BASE_URL = 'https://securetoken.google.com/'.freeze
4
+
5
+ def validate(project_id, decoded_jwt)
6
+ # ref. https://github.com/firebase/firebase-admin-node/blob/488f9318350c6b46af2e93b99907b9a02f170029/src/auth/token-verifier.ts
7
+ payload = decoded_jwt[0]
8
+ header = decoded_jwt[1]
9
+ issuer = ISSUER_BASE_URL + project_id
10
+ raise unless header['kid']
11
+ raise unless header['alg'] == ALGORITHM
12
+ raise unless payload['aud'] == project_id
13
+ raise unless payload['iss'] == issuer
14
+ raise unless payload['sub'].is_a?(String)
15
+ raise if payload['sub'].empty?
16
+ raise if payload['sub'].size > 128
17
+ end
18
+
19
+ def extract_kid(id_token)
20
+ decoded = JWT.decode(id_token, nil, false, algorithm: ALGORITHM)
21
+ [decoded[1]['kid'], decoded]
22
+ end
23
+ end
24
+ end
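Review bot: Every check in `validate` fails with a bare `raise`, which surfaces as a `RuntimeError` with the message "unhandled exception", so callers cannot tell a wrong issuer from a missing `kid` and cannot rescue verification failures without also swallowing unrelated errors. The same applies to the bare `raise`s in client.rb and configuration.rb. Raise the gem's own error with a reason, e.g. `raise Error, 'invalid issuer' unless payload['iss'] == issuer`. `extract_kid` decodes with verification off (`JWT.decode(id_token, nil, false, ...)`), so it should carry a comment such as `# Unverified decode: used only to select the signing key; do not trust these claims until JWT.decode with the key succeeds`.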
@@ -0,0 +1,3 @@
1
+ module FirebaseTokenAuth
2
+ VERSION = '0.1.0'.freeze
3
+ end
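--- a/metadata
+++ b/metadata
@@ -0,0 +1,93 @@
+ --- !ruby/object:Gem::Specification
+ name: firebase_token_auth
+ version: !ruby/object:Gem::Version
+ version: 0.1.0
+ platform: ruby
+ authors:
+ - miyataka
+ autorequire:
+ bindir: exe
+ cert_chain: []
+ date: 2020-07-08 00:00:00.000000000 Z
+ dependencies:
+ - !ruby/object:Gem::Dependency
+ name: google-api-client
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0'
+ type: :runtime
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0'
+ - !ruby/object:Gem::Dependency
+ name: jwt
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0'
+ type: :runtime
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0'
+ description: Firebase Authentication API wrapper for serverside. It support custom
+ token auth. Of course it has id_token verify feature.
+ email:
+ - voyager.3taka28@gmail.com
+ executables: []
+ extensions: []
+ extra_rdoc_files: []
+ files:
+ - ".gitignore"
+ - ".rspec"
+ - ".rubocop.yml"
+ - ".travis.yml"
+ - Gemfile
+ - LICENSE.txt
+ - README.md
+ - Rakefile
+ - bin/console
+ - bin/setup
+ - firebase_token_auth.gemspec
+ - lib/firebase_token_auth.rb
+ - lib/firebase_token_auth/admin_client.rb
+ - lib/firebase_token_auth/client.rb
+ - lib/firebase_token_auth/configuration.rb
+ - lib/firebase_token_auth/public_key_manager.rb
+ - lib/firebase_token_auth/validator.rb
+ - lib/firebase_token_auth/version.rb
+ homepage: https://github.com/miyataka/firebase_token_auth
+ licenses:
+ - MIT
+ metadata:
+ homepage_uri: https://github.com/miyataka/firebase_token_auth
+ source_code_uri: https://github.com/miyataka/firebase_token_auth
+ post_install_message:
+ rdoc_options: []
+ require_paths:
+ - lib
+ required_ruby_version: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: 2.3.0
+ required_rubygems_version: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0'
+ requirements: []
+ rubygems_version: 3.1.2
+ signing_key:
+ specification_version: 4
+ summary: Firebase Authentication API wrapper for serverside. It support custom token
+ auth.
+ test_files: []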