firebase_token_auth 0.9.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ca7bb6f1b60938f8c7f4d37120e1cea83bb8b6a09ed2b1094a69f8f89649fc18
-  data.tar.gz: 1d3adda763efeed626ed051b654dbba735e38af56c59d970e4b72d99ff4661d5
+  metadata.gz: dff32ef2301d4eb08f46ac3bd840f4c3e9adf5cd7f37c59c79d53b0dfbccdf1b
+  data.tar.gz: 5102df68ce6e5f516d044c4af295c92030a50fa226fd510cac996e72a36553f8
 SHA512:
-  metadata.gz: c9c8edc8f21d3702239d1b4cc82b4c586c595147e99de741c089a5c25ad23ef5e8fc8b5dcb6b91ea59ca97e4b50858ed1572b67aebc4b26d3ba9aa5b1ce22281
-  data.tar.gz: 3aeb0e99cb6684b7a2f54b47e834aa4613011399ea82ad7e1d5a7b0fb34f61fe77955b06fba76d5ab56093c6a2ebc7e7146895f37d79e711972a724e1ce909ae
+  metadata.gz: f659ddb2edf477b495a2be519cef6c96b5c083737521c60016a80bfa28264a67b4a8a054d12b1be929d1e0dc56ab033a504451efb36887bbb2770a2be0700707
+  data.tar.gz: 6d15331ff417a6fc5d1c45ebfbb44e830ea95aebf3535b6930bb61f045322fc55c79be42975ae8003c0f264985ba0506d00b981c89a395a16a50f1c2333318fb

data/.gitignore

@@ -12,3 +12,4 @@
 .rspec_status
 
 Gemfile.lock
+.ruby-version

data/README.md

@@ -1,8 +1,9 @@
 # FirebaseTokenAuth
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/firebase_token_auth`. To experiment with that code, run `bin/console` for an interactive prompt.
-
-TODO: Delete this and the text above, and describe your gem
+FirebaseTokenAuth is an Firebase Auth Client. It supports below.
+- verify id_token method
+- create custom token
+- fetch user info by uid/email
 
 ## Installation
 
@@ -22,17 +23,106 @@ Or install it yourself as:
 
 ## Usage
 
-TODO: Write usage instructions here
+on Rails, config/initializers/firebase_token_auth.rb
+```ruby
+FirebaseTokenAuth.configure do |config|
+  ## for id_token_verify
+  # firebase web console => project settings => general => project ID
+  config.project_id = "your_project_id" # required
+
+  # firebase web console => project settings => service account => firebase admin sdk => generate new private key
+  # pass string of path to credential file to config.json_key_io
+  config.json_key_io = "#{Rails.root}/path/to/service_account_credentials.json"
+  # Or content of json key file wrapped with StringIO
+  # config.json_key_io = StringIO.new('{ ... }')
+
+  # Or set environment variables
+  # ENV['GOOGLE_ACCOUNT_TYPE'] = 'service_account'
+  # ENV['GOOGLE_CLIENT_ID'] = '000000000000000000000'
+  # ENV['GOOGLE_CLIENT_EMAIL'] = 'xxxx@xxxx.iam.gserviceaccount.com'
+  # ENV['GOOGLE_PRIVATE_KEY'] = '-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n\'
+end
+```
+for more detail. see [here](https://github.com/googleapis/google-auth-library-ruby#example-service-account).
 
-## Development
+### token verify
+```ruby
+require 'firebase_token_auth'
+
+FirebaseTokenAuth.configure do |config|
+  config.project_id = 'your_project_id'
+end
+
+client = Firebase.build
+result = client.verify_id_token(id_token)
+
+puts result.uid
+# => "hMPHt8RyDpOsHi1oH5XaVirSYyq2"
+
+puts result.id_token.payload # you can see decoded id_token payload
+# => {"iss"=>"https://securetoken.google.com/<your_project_id>",
+#  "aud"=>"<your_project_id>",
+#  "auth_time"=>1594494935,
+#  "user_id"=>"hMPHt8RyDpOsHi1oH5XaVirSYyq2",
+#  "sub"=>"hMPHt8RyDpOsHi1oH5XaVirSYyq2",
+#  "iat"=>1594494935,
+#  "exp"=>1594498535,
+#  "email"=>"<your_user_email>",
+#  "email_verified"=>false,
+#  "firebase"=>{"identities"=>{"email"=>["<your_user_email>"]}, "sign_in_provider"=>"custom"}}
+
+puts result.id_token.header
+# => {"alg"=>"RS256", "kid"=>"7623e10a045140f1cfd4be0466cf80352b59f81e", "typ"=>"JWT"}
+```
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+### custom token create
+```ruby
+require 'firebase_token_auth'
 
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+FirebaseTokenAuth.configure do |config|
+  config.project_id = 'your_project_id'
+  config.json_key_io = "#{Rails.root}/path/to/service_account_credentials.json"
+end
+
+client = FirebaseTokenAuth.new
+c_token = client.create_custom_token(test_uid)
+puts c_token
+# => "eyJhbGciOXXX.eyJpc3MiOiJmaXJlYmFzXXXX.v7y7LoBXXXXX" # dummy
+```
+
+### fetch users info from firebase
+```ruby
+require 'firebase_token_auth'
+
+FirebaseTokenAuth.configure do |config|
+  config.project_id = 'your_project_id'
+  config.json_key_io = "#{Rails.root}/path/to/service_account_credentials.json"
+end
+
+client = FirebaseTokenAuth.new
+result = client.user_search_by_email(test_user_email)
+# result = client.user_search_by_uid(test_uid)
+puts result
+# => [{:created_at=>1594132097140,
+#   :custom_auth=>true,
+#   :disabled=>false,
+#   :email=>"<your_user_email>",
+#   :email_verified=>false,
+#   :last_login_at=>1594495792373,
+#   :local_id=>"hMPHt8RyDpOsHi1oH5XaVirSYyq2",
+#   :password_hash=>"REDACTED",
+#   :password_updated_at=>1594132097140,
+#   :provider_user_info=>
+#    [{:email=>"<your_user_email>",
+#      :federated_id=>"<your_user_email>",
+#      :provider_id=>"password",
+#      :raw_id=>"<your_user_email>"}],
+#   :valid_since=>1594132097}]
+```
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/firebase_token_auth.
+Bug reports and pull requests are welcome on GitHub at https://github.com/miyataka/firebase_token_auth.
 
 
 ## License

data/lib/firebase_token_auth/client.rb

@@ -5,6 +5,7 @@ require 'jwt'
 require 'firebase_token_auth/public_key_manager'
 require 'firebase_token_auth/validator'
 require 'firebase_token_auth/admin_client'
+require 'firebase_token_auth/exceptions'
 
 module FirebaseTokenAuth
   ALGORITHM = 'RS256'.freeze
@@ -25,7 +26,7 @@ module FirebaseTokenAuth
     end
 
     def verify_id_token(id_token, options = {})
-      raise if id_token.nil? || id_token.empty?
+      raise ArgumentError, 'Firebase ID token must not null or blank strings.' if id_token.nil? || id_token.empty?
 
       public_key_id, decoded_jwt = validator.extract_kid(id_token)
       public_key_manager.refresh_publickeys!
@@ -36,8 +37,7 @@ module FirebaseTokenAuth
     end
 
     def create_custom_token(uid, additional_claims = nil)
-      # TODO: implement Error
-      raise unless configuration.configured_for_custom_token?
+      raise ConfigurationError, 'To create custom token, You must configure credentials via json or environmental variables.' unless configuration.configured_for_custom_token?
 
       now_seconds = Time.now.to_i
       payload = { iss: configuration.client_email,

data/lib/firebase_token_auth/configuration.rb

@@ -24,8 +24,7 @@ module FirebaseTokenAuth
     end
 
     def prepare
-      # TODO: implement error
-      raise unless project_id
+      raise ConfigurationError, 'project_id is required to use firebase_token_auth gem.' unless project_id
       return unless configured_for_custom_token?
 
       @auth = if json_key_io

data/lib/firebase_token_auth/exceptions.rb

@@ -0,0 +1,104 @@
+module FirebaseTokenAuth
+  class APIError < StandardError; end
+  class NetworkError < APIError; end
+
+  class HttpError < APIError
+    attr_reader :response
+
+    def initialize(message, response)
+      super(message)
+      @response = response
+    end
+  end
+
+  class ClientError < HttpError; end
+
+  class BadRequest                  < ClientError; end # status: 400
+  class Unauthorized                < ClientError; end # status: 401
+  class PaymentRequired             < ClientError; end # status: 402
+  class Forbidden                   < ClientError; end # status: 403
+  class NotFound                    < ClientError; end # status: 404
+  class MethodNotAllowed            < ClientError; end # status: 405
+  class NotAcceptable               < ClientError; end # status: 406
+  class ProxyAuthenticationRequired < ClientError; end # status: 407
+  class RequestTimeout              < ClientError; end # status: 408
+  class Conflict                    < ClientError; end # status: 409
+  class Gone                        < ClientError; end # status: 410
+  class LengthRequired              < ClientError; end # status: 411
+  class PreconditionFailed          < ClientError; end # status: 412
+  class PayloadTooLarge             < ClientError; end # status: 413
+  class URITooLong                  < ClientError; end # status: 414
+  class UnsupportedMediaType        < ClientError; end # status: 415
+  class RangeNotSatisfiable         < ClientError; end # status: 416
+  class ExpectationFailed           < ClientError; end # status: 417
+  class ImaTeapot                   < ClientError; end # status: 418
+  class MisdirectedRequest          < ClientError; end # status: 421
+  class UnprocessableEntity         < ClientError; end # status: 422
+  class Locked                      < ClientError; end # status: 423
+  class FailedDependency            < ClientError; end # status: 424
+  class UpgradeRequired             < ClientError; end # status: 426
+  class PreconditionRequired        < ClientError; end # status: 428
+  class TooManyRequests             < ClientError; end # status: 429
+  class RequestHeaderFieldsTooLarge < ClientError; end # status: 431
+  class UnavailableForLegalReasons  < ClientError; end # status: 451
+
+  class ServerError < HttpError; end
+
+  class InternalServerError           < ServerError; end # status: 500
+  class NotImplemented                < ServerError; end # status: 501
+  class BadGateway                    < ServerError; end # status: 502
+  class ServiceUnavailable            < ServerError; end # status: 503
+  class GatewayTimeout                < ServerError; end # status: 504
+  class HTTPVersionNotSupported       < ServerError; end # status: 505
+  class VariantAlsoNegotiates         < ServerError; end # status: 506
+  class InsufficientStorage           < ServerError; end # status: 507
+  class LoopDetected                  < ServerError; end # status: 508
+  class NotExtended                   < ServerError; end # status: 510
+  class NetworkAuthenticationRequired < ServerError; end # status: 511
+
+  STATUS_TO_EXCEPTION_MAPPING = {
+    '400' => BadRequest,
+    '401' => Unauthorized,
+    '402' => PaymentRequired,
+    '403' => Forbidden,
+    '404' => NotFound,
+    '405' => MethodNotAllowed,
+    '406' => NotAcceptable,
+    '407' => ProxyAuthenticationRequired,
+    '408' => RequestTimeout,
+    '409' => Conflict,
+    '410' => Gone,
+    '411' => LengthRequired,
+    '412' => PreconditionFailed,
+    '413' => PayloadTooLarge,
+    '414' => URITooLong,
+    '415' => UnsupportedMediaType,
+    '416' => RangeNotSatisfiable,
+    '417' => ExpectationFailed,
+    '418' => ImaTeapot,
+    '421' => MisdirectedRequest,
+    '422' => UnprocessableEntity,
+    '423' => Locked,
+    '424' => FailedDependency,
+    '426' => UpgradeRequired,
+    '428' => PreconditionRequired,
+    '429' => TooManyRequests,
+    '431' => RequestHeaderFieldsTooLarge,
+    '451' => UnavailableForLegalReasons,
+    '500' => InternalServerError,
+    '501' => NotImplemented,
+    '502' => BadGateway,
+    '503' => ServiceUnavailable,
+    '504' => GatewayTimeout,
+    '505' => HTTPVersionNotSupported,
+    '506' => VariantAlsoNegotiates,
+    '507' => InsufficientStorage,
+    '508' => LoopDetected,
+    '510' => NotExtended,
+    '511' => NetworkAuthenticationRequired
+  }.freeze
+
+  class ValidationError < StandardError; end
+  class ConfigurationError < StandardError; end
+  class ArgumentError < StandardError; end
+end

data/lib/firebase_token_auth/public_key_manager.rb

@@ -19,7 +19,7 @@ module FirebaseTokenAuth
     private
 
       def fetch_publickeys_hash
-        res = Net::HTTP.get_response(URI(PUBLIC_KEY_URL))
+        res = exception_handler(Net::HTTP.get_response(URI(PUBLIC_KEY_URL)))
         @public_keys = JSON.parse(res.body).transform_values! { |v| OpenSSL::X509::Certificate.new(v) }
         @expire_time = cache_control_header_to_expire_time(res['Cache-Control'])
       end
@@ -31,5 +31,12 @@ module FirebaseTokenAuth
       def cache_control_header_to_expire_time(cache_control_header)
         Time.now.to_i + cache_control_header.match(/max-age=([0-9]*)/)[1].to_i
       end
+
+      def exception_handler(response)
+        error = STATUS_TO_EXCEPTION_MAPPING[response.code]
+        raise error.new("Receieved an error response #{response.code} #{error.to_s.split('::').last}: #{response.body}", response) if error
+
+        response
+      end
   end
 end

data/lib/firebase_token_auth/validator.rb

@@ -7,13 +7,13 @@ module FirebaseTokenAuth
       payload = decoded_jwt[0]
       header = decoded_jwt[1]
       issuer = ISSUER_BASE_URL + project_id
-      raise unless header['kid']
-      raise unless header['alg'] == ALGORITHM
-      raise unless payload['aud'] == project_id
-      raise unless payload['iss'] == issuer
-      raise unless payload['sub'].is_a?(String)
-      raise if payload['sub'].empty?
-      raise if payload['sub'].size > 128
+      raise ValidationError, 'Firebase ID token has no "kid" claim.' unless header['kid']
+      raise ValidationError, "Firebase ID token has incorrect algorithm. Expected \"#{ALGORITHM}\" but got \"#{header['alg']}\"." unless header['alg'] == ALGORITHM
+      raise ValidationError, "Firebase ID token has incorrect \"aud\" (audience) claim. Expected \"#{project_id}\" but got \"#{payload['aud']}\"." unless payload['aud'] == project_id
+      raise ValidationError, "Firebase ID token has \"iss\" (issuer) claim. Expected \"#{issuer}\" but got \"#{payload['iss']}\"." unless payload['iss'] == issuer
+      raise ValidationError, 'Firebase ID token has no "sub" (subject) claim.' unless payload['sub'].is_a?(String)
+      raise ValidationError, 'Firebase ID token has an empty string "sub" (subject) claim.' if payload['sub'].empty?
+      raise ValidationError, 'Firebase ID token has "sub" (subject) claim longer than 128 characters.' if payload['sub'].size > 128
     end
 
     def extract_kid(id_token)

data/lib/firebase_token_auth/version.rb

@@ -1,3 +1,3 @@
 module FirebaseTokenAuth
-  VERSION = '0.9.0'.freeze
+  VERSION = '1.0.0'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: firebase_token_auth
 version: !ruby/object:Gem::Version
-  version: 0.9.0
+  version: 1.0.0
 platform: ruby
 authors:
 - miyataka
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-07-08 00:00:00.000000000 Z
+date: 2020-08-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: google-api-client
@@ -61,6 +61,7 @@ files:
 - lib/firebase_token_auth/admin_client.rb
 - lib/firebase_token_auth/client.rb
 - lib/firebase_token_auth/configuration.rb
+- lib/firebase_token_auth/exceptions.rb
 - lib/firebase_token_auth/public_key_manager.rb
 - lib/firebase_token_auth/validator.rb
 - lib/firebase_token_auth/version.rb
@@ -85,7 +86,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: Firebase Authentication API wrapper for serverside. It support custom token