firebase_token_auth 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 0b8bb47628efe00351023a731bcc1d839aa731c79195c4248dec9cce886c4863
+  data.tar.gz: 44126b4a7a3fababeccb799edf9a09706da7064b01aaa79a39889149df186dbd
+SHA512:
+  metadata.gz: bd940772d542601ba17e1a776be82b88ff70e01b568125498a0554e91b5eede3e81157bef226373257b80612f41711b501053f43368e1f6a99e17fe53e79b1d2
+  data.tar.gz: a286c00748d9e31f14e38de4b6a2e4deaed0117f9b4eeabc186d30cc5fcb24c692f5cd2097d3c28120ffc269480b5957c3b7407baf920505a0ae26aa5ced9454

data/.gitignore

@@ -0,0 +1,14 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/vendor/bundle
+
+# rspec failure tracking
+.rspec_status
+
+Gemfile.lock

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,11 @@
+Style/FrozenStringLiteralComment:
+  Enabled: false
+
+Metrics/LineLength:
+  Enabled: false
+
+Style/Documentation:
+  Enabled: false
+
+Layout/IndentationConsistency:
+  EnforcedStyle: indented_internal_methods

data/.travis.yml

@@ -0,0 +1,6 @@
+---
+language: ruby
+cache: bundler
+rvm:
+  - 2.7.0
+before_install: gem install bundler -v 2.1.4

data/Gemfile

@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in firebase_token_auth.gemspec
+gemspec
+
+gem 'pry-byebug'
+gem 'rake', '~> 12.0'
+gem 'rspec', '~> 3.0'

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 Takayuki Miyahara
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,40 @@
+# FirebaseTokenAuth
+
+Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/firebase_token_auth`. To experiment with that code, run `bin/console` for an interactive prompt.
+
+TODO: Delete this and the text above, and describe your gem
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'firebase_token_auth'
+```
+
+And then execute:
+
+    $ bundle install
+
+Or install it yourself as:
+
+    $ gem install firebase_token_auth
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/firebase_token_auth.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "firebase_token_auth"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/firebase_token_auth.gemspec

@@ -0,0 +1,29 @@
+require_relative 'lib/firebase_token_auth/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'firebase_token_auth'
+  spec.version       = FirebaseTokenAuth::VERSION
+  spec.authors       = ['miyataka']
+  spec.email         = ['voyager.3taka28@gmail.com']
+
+  spec.summary       = 'Firebase Authentication API wrapper for serverside. It support custom token auth.'
+  spec.description   = 'Firebase Authentication API wrapper for serverside. It support custom token auth. Of course it has id_token verify feature.'
+  spec.homepage      = 'https://github.com/miyataka/firebase_token_auth'
+  spec.license       = 'MIT'
+  spec.required_ruby_version = Gem::Requirement.new('>= 2.3.0')
+
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = spec.homepage
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'google-api-client'
+  spec.add_dependency 'jwt'
+end

data/lib/firebase_token_auth.rb

@@ -0,0 +1,25 @@
+require 'firebase_token_auth/version'
+
+require 'firebase_token_auth/configuration'
+require 'firebase_token_auth/client'
+
+require 'pry-byebug'
+
+module FirebaseTokenAuth
+  class Error < StandardError; end
+
+  class << self
+    def build
+      @client = ::FirebaseTokenAuth::Client.new(configuration)
+    end
+    alias new build
+  end
+
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
+
+  def self.configure(&block)
+    yield(configuration(&block))
+  end
+end

data/lib/firebase_token_auth/admin_client.rb

@@ -0,0 +1,17 @@
+require 'google/apis/identitytoolkit_v3'
+
+module FirebaseTokenAuth
+  class AdminClient
+    attr_accessor :service
+
+    def initialize(configuration)
+      @service = Google::Apis::IdentitytoolkitV3::IdentityToolkitService.new
+      @service.authorization = configuration.auth
+    end
+
+    def get_account_info(params)
+      request = Google::Apis::IdentitytoolkitV3::GetAccountInfoRequest.new(**params)
+      service.get_account_info(request)
+    end
+  end
+end

data/lib/firebase_token_auth/client.rb

@@ -0,0 +1,67 @@
+require 'json'
+require 'openssl'
+require 'jwt'
+
+require 'firebase_token_auth/public_key_manager'
+require 'firebase_token_auth/validator'
+require 'firebase_token_auth/admin_client'
+
+module FirebaseTokenAuth
+  ALGORITHM = 'RS256'.freeze
+
+  IdToken = Struct.new(:payload, :header)
+  IdTokenResult = Struct.new(:uid, :id_token)
+
+  class Client
+    CUSTOM_TOKEN_AUD = 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit'.freeze
+
+    attr_accessor :configuration, :public_key_manager, :validator
+
+    def initialize(configuration)
+      @configuration = configuration
+      @configuration.prepare
+      @public_key_manager = PublicKeyManager.new
+      @validator = Validator.new
+    end
+
+    def verify_id_token(id_token, options = {})
+      raise if id_token.nil? || id_token.empty?
+
+      public_key_id, decoded_jwt = validator.extract_kid(id_token)
+      public_key_manager.refresh_publickeys!
+      validator.validate(configuration.project_id, decoded_jwt)
+      default_options = { algorithm: ALGORITHM, verify_iat: true, verify_expiration: true, exp_leeway: configuration.exp_leeway }
+      jwt = JWT.decode(id_token, public_key_manager.public_keys[public_key_id].public_key, true, default_options.merge!(options))
+      IdTokenResult.new(jwt[0]['sub'], IdToken.new(jwt[0], jwt[1]))
+    end
+
+    def create_custom_token(uid, additional_claims = nil)
+      # TODO: implement Error
+      raise unless configuration.configured_for_custom_token?
+
+      now_seconds = Time.now.to_i
+      payload = { iss: configuration.client_email,
+                  sub: configuration.client_email,
+                  aud: CUSTOM_TOKEN_AUD,
+                  iat: now_seconds,
+                  exp: now_seconds + (60 * 60),
+                  uid: uid }
+      payload.merge!({ claim: additional_claims }) if additional_claims
+      JWT.encode(payload, configuration.private_key, ALGORITHM)
+    end
+
+    def user_search_by_email(email)
+      admin_client.get_account_info({ email: [email] })&.users&.map(&:to_h)
+    end
+
+    def user_search_by_uid(uid)
+      admin_client.get_account_info({ local_id: [uid] })&.users&.map(&:to_h)
+    end
+
+    private
+
+      def admin_client
+        @admin_client ||= FirebaseTokenAuth::AdminClient.new(configuration)
+      end
+  end
+end

data/lib/firebase_token_auth/configuration.rb

@@ -0,0 +1,57 @@
+require 'google/apis/identitytoolkit_v3'
+require 'openssl'
+
+module FirebaseTokenAuth
+  class Configuration
+    attr_accessor :project_id, :json_key_io, :exp_leeway, :private_key, :client_email, :scope, :auth
+
+    def initialize
+      @project_id = nil
+      @exp_leeway = 60 * 60 * 24 * 7
+      @scope = ['https://www.googleapis.com/auth/identitytoolkit']
+
+      # if you want to create custom_token,
+      # you need credentials which a) json_key_io or b) admin_email and admin_private_key
+
+      # set file path or StringIO
+      @json_key_io = nil
+
+      # Or set these
+      # ENV['GOOGLE_ACCOUNT_TYPE'] = 'service_account'
+      # ENV['GOOGLE_CLIENT_ID'] = '000000000000000000000'
+      # ENV['GOOGLE_CLIENT_EMAIL'] = 'xxxx@xxxx.iam.gserviceaccount.com'
+      # ENV['GOOGLE_PRIVATE_KEY'] = '-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n'
+    end
+
+    def prepare
+      # TODO: implement error
+      raise unless project_id
+      return unless configured_for_custom_token?
+
+      @auth = if json_key_io
+                io = json_key_io.respond_to?(:read) ? json_key_io : File.open(json_key_io)
+                Google::Auth::ServiceAccountCredentials.make_creds(
+                  json_key_io: io,
+                  scope: scope
+                )
+              else
+                # from ENV
+                Google::Auth::ServiceAccountCredentials.make_creds(scope: scope)
+              end
+
+      if json_key_io
+        json_io = json_key_io.respond_to?(:read) ? json_key_io : File.open(json_key_io)
+        parsed = JSON.parse(json_io.read)
+        @private_key = OpenSSL::PKey::RSA.new(parsed['private_key'])
+        @client_email = parsed['client_email']
+      else
+        @private_key = OpenSSL::PKey::RSA.new(ENV['GOOGLE_PRIVATE_KEY'])
+        @client_email = ENV['GOOGLE_CLIENT_EMAIL']
+      end
+    end
+
+    def configured_for_custom_token?
+      json_key_io || (ENV['GOOGLE_PRIVATE_KEY'] && ENV['GOOGLE_CLIENT_EMAIL'])
+    end
+  end
+end

data/lib/firebase_token_auth/public_key_manager.rb

@@ -0,0 +1,35 @@
+require 'openssl'
+require 'net/http'
+
+module FirebaseTokenAuth
+  class PublicKeyManager
+    PUBLIC_KEY_URL = 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com'.freeze
+    attr_accessor :public_keys, :expire_time
+
+    def initialize
+      fetch_publickeys_hash
+    end
+
+    def refresh_publickeys!
+      return unless expired?
+
+      fetch_publickeys_hash
+    end
+
+    private
+
+      def fetch_publickeys_hash
+        res = Net::HTTP.get_response(URI(PUBLIC_KEY_URL))
+        @public_keys = JSON.parse(res.body).transform_values! { |v| OpenSSL::X509::Certificate.new(v) }
+        @expire_time = cache_control_header_to_expire_time(res['Cache-Control'])
+      end
+
+      def expired?
+        @expire_time.to_i > Time.now.to_i
+      end
+
+      def cache_control_header_to_expire_time(cache_control_header)
+        Time.now.to_i + cache_control_header.match(/max-age=([0-9]*)/)[1].to_i
+      end
+  end
+end

data/lib/firebase_token_auth/validator.rb

@@ -0,0 +1,24 @@
+module FirebaseTokenAuth
+  class Validator
+    ISSUER_BASE_URL = 'https://securetoken.google.com/'.freeze
+
+    def validate(project_id, decoded_jwt)
+      # ref. https://github.com/firebase/firebase-admin-node/blob/488f9318350c6b46af2e93b99907b9a02f170029/src/auth/token-verifier.ts
+      payload = decoded_jwt[0]
+      header = decoded_jwt[1]
+      issuer = ISSUER_BASE_URL + project_id
+      raise unless header['kid']
+      raise unless header['alg'] == ALGORITHM
+      raise unless payload['aud'] == project_id
+      raise unless payload['iss'] == issuer
+      raise unless payload['sub'].is_a?(String)
+      raise if payload['sub'].empty?
+      raise if payload['sub'].size > 128
+    end
+
+    def extract_kid(id_token)
+      decoded = JWT.decode(id_token, nil, false, algorithm: ALGORITHM)
+      [decoded[1]['kid'], decoded]
+    end
+  end
+end

data/lib/firebase_token_auth/version.rb

@@ -0,0 +1,3 @@
+module FirebaseTokenAuth
+  VERSION = '0.1.0'.freeze
+end

metadata

@@ -0,0 +1,93 @@
+--- !ruby/object:Gem::Specification
+name: firebase_token_auth
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- miyataka
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2020-07-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: google-api-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Firebase Authentication API wrapper for serverside. It support custom
+  token auth. Of course it has id_token verify feature.
+email:
+- voyager.3taka28@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- firebase_token_auth.gemspec
+- lib/firebase_token_auth.rb
+- lib/firebase_token_auth/admin_client.rb
+- lib/firebase_token_auth/client.rb
+- lib/firebase_token_auth/configuration.rb
+- lib/firebase_token_auth/public_key_manager.rb
+- lib/firebase_token_auth/validator.rb
+- lib/firebase_token_auth/version.rb
+homepage: https://github.com/miyataka/firebase_token_auth
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/miyataka/firebase_token_auth
+  source_code_uri: https://github.com/miyataka/firebase_token_auth
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.2
+signing_key:
+specification_version: 4
+summary: Firebase Authentication API wrapper for serverside. It support custom token
+  auth.
+test_files: []