firejwt 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: e2ce9afa07e3b55c8dd86005870feb273078005bf10ab81a319203710e09ad80
+  data.tar.gz: 2dbeeb89fa9fec159adf5955b5179180be97a5ca01fb3893699ac77e1c6e92e3
+SHA512:
+  metadata.gz: 6b1a070b01a9ed1a22b27f014aafb82cd2e0633021f3988c42a23f37068648e4296c30d2f66e17cb002f2b6d7af9210441e2e3b1621c562d8a24f0aa7f077165
+  data.tar.gz: 5cb2523c0648ee29f77a27fdd1bf67c3142c572256dd1a47989fe3969173718262447e3ae314e06698421d2299eb5fc993e79fb97d25a882a37b184e37423372

data/.gitignore

@@ -0,0 +1,2 @@
+*~
+.rubocop-*

data/.rubocop.yml

@@ -0,0 +1,5 @@
+inherit_from:
+  - https://gitlab.com/bsm/misc/raw/master/rubocop/default.yml
+
+AllCops:
+  TargetRubyVersion: "2.5"

data/.travis.yml

@@ -0,0 +1,20 @@
+matrix:
+  include:
+    - language: ruby
+      rvm:
+        - 2.7
+      before_install:
+        - gem install bundler
+    - language: ruby
+      rvm:
+        - 2.6
+      before_install:
+        - gem install bundler
+    - language: ruby
+      rvm:
+        - 2.5
+      before_install:
+        - gem install bundler
+    - language: go
+      go:
+        - 1.13.x

data/Gemfile

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+gemspec
+
+group :development do
+  gem 'solargraph'
+end

data/Gemfile.lock

@@ -0,0 +1,91 @@
+PATH
+  remote: .
+  specs:
+    firejwt (0.1.0)
+      jwt
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
+    ast (2.4.0)
+    backport (1.1.2)
+    benchmark (0.1.0)
+    crack (0.4.3)
+      safe_yaml (~> 1.0.0)
+    diff-lcs (1.3)
+    e2mmap (0.1.0)
+    hashdiff (1.0.0)
+    jaro_winkler (1.5.4)
+    jwt (2.2.1)
+    maruku (0.7.3)
+    mini_portile2 (2.4.0)
+    nokogiri (1.10.7)
+      mini_portile2 (~> 2.4.0)
+    parallel (1.19.1)
+    parser (2.7.0.2)
+      ast (~> 2.4.0)
+    public_suffix (4.0.3)
+    rainbow (3.0.0)
+    rake (13.0.1)
+    reverse_markdown (1.4.0)
+      nokogiri
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.1)
+      rspec-support (~> 3.9.1)
+    rspec-expectations (3.9.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.2)
+    rubocop (0.79.0)
+      jaro_winkler (~> 1.5.1)
+      parallel (~> 1.10)
+      parser (>= 2.7.0.1)
+      rainbow (>= 2.2.2, < 4.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 1.7)
+    ruby-progressbar (1.10.1)
+    safe_yaml (1.0.5)
+    solargraph (0.38.4)
+      backport (~> 1.1)
+      benchmark
+      bundler (>= 1.17.2)
+      e2mmap
+      jaro_winkler (~> 1.5)
+      maruku (~> 0.7, >= 0.7.3)
+      nokogiri (~> 1.9, >= 1.9.1)
+      parser (~> 2.3)
+      reverse_markdown (~> 1.0, >= 1.0.5)
+      rubocop (~> 0.52)
+      thor (~> 1.0)
+      tilt (~> 2.0)
+      yard (~> 0.9)
+    thor (1.0.1)
+    tilt (2.0.10)
+    unicode-display_width (1.6.1)
+    webmock (3.8.0)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff (>= 0.4.0, < 2.0.0)
+    yard (0.9.24)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  firejwt!
+  rake
+  rspec
+  rubocop
+  solargraph
+  webmock
+
+BUNDLED WITH
+   2.1.2

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright 2020 Black Square Media Ltd
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/Makefile

@@ -0,0 +1,7 @@
+default: vet test
+
+test:
+	go test ./...
+
+vet:
+	go vet ./...

data/README.md

@@ -0,0 +1,51 @@
+# FireJWT
+
+[![Build Status](https://travis-ci.org/bsm/firejwt.png?branch=master)](https://travis-ci.org/bsm/firejwt)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+
+Decode and validate [Google Firebase](https://firebase.google.com/) JWT tokens with [Ruby](https://www.ruby-lang.org/) and [Go](https://golang.org/).
+
+## Usage
+
+**Ruby**:
+
+```ruby
+require 'firejwt'
+
+# Init a validator
+validator = FireJWT::Validator.new
+
+# Decode a token
+token = begin
+  validator.decode('eyJh...YbQ') # => {'sub' => 'me@example.com', 'aud' => 'my-audience'}
+rescue JWT::DecodeError
+  nil
+end
+```
+
+**Go**:
+
+```go
+package main
+
+import (
+  "log"
+
+  "github.com/bsm/firejwt"
+)
+
+func main() {
+  vr, err := firejwt.New(nil)
+  if err != nil {
+    log.Fatalln(err)
+  }
+  defer vr.Stop()
+
+  tk, err := vr.Decode("eyJh...YbQ")
+  if err != nil {
+    log.Fatalln(err)
+  }
+
+  log.Println(tk.Claims) // => {"sub": "me@example.com", "aud": "my-audience"}
+}
+```

data/Rakefile

@@ -0,0 +1,9 @@
+require 'bundler/setup'
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+RuboCop::RakeTask.new(:rubocop)
+
+task default: %i[spec rubocop]

data/firejwt.gemspec

@@ -0,0 +1,21 @@
+Gem::Specification.new do |s|
+  s.name          = 'firejwt'
+  s.version       = '0.1.0'
+  s.authors       = ['Black Square Media Ltd']
+  s.email         = ['info@blacksquaremedia.com']
+  s.summary       = %(Firebase JWT validation)
+  s.description   = %()
+  s.homepage      = 'https://github.com/bsm/firejwt'
+  s.license       = 'Apache-2.0'
+
+  s.files         = `git ls-files -z`.split("\x0").reject {|f| f.match(%r{^spec/}) }
+  s.test_files    = `git ls-files -z -- spec/*`.split("\x0")
+  s.require_paths = ['lib']
+  s.required_ruby_version = '>= 2.5'
+
+  s.add_dependency 'jwt'
+  s.add_development_dependency 'rake'
+  s.add_development_dependency 'rspec'
+  s.add_development_dependency 'rubocop'
+  s.add_development_dependency 'webmock'
+end

data/firejwt.go

@@ -0,0 +1,137 @@
+package firejwt
+
+import (
+	"context"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"log"
+	"net/http"
+	"sync/atomic"
+	"time"
+
+	"github.com/dgrijalva/jwt-go"
+)
+
+// Validator validates Firebase JWTs
+type Validator struct {
+	opt *Options
+	htc http.Client
+
+	cancel  context.CancelFunc
+	keyset  atomic.Value
+	expires int64
+}
+
+// New issues a new Validator.
+func New(opt *Options) (*Validator, error) {
+	v := &Validator{opt: opt.norm()}
+	if err := v.Refresh(); err != nil {
+		return nil, err
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	v.cancel = cancel
+	go v.loop(ctx)
+
+	return v, nil
+}
+
+// Stop stops the validator updates.
+func (v *Validator) Stop() {
+	v.cancel()
+}
+
+// Decode decodes the token
+func (v *Validator) Decode(tokenString string) (*jwt.Token, error) {
+	return jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+		kid, ok := token.Header["kid"].(string)
+		if !ok {
+			return nil, fmt.Errorf("missing kid header")
+		}
+
+		key, ok := v.keyset.Load().(map[string]publicKey)[kid]
+		if !ok {
+			return nil, fmt.Errorf("unknown kid header %s", kid)
+		}
+
+		return key.PublicKey, nil
+	})
+}
+
+// ExpTime returns the expiration time.
+func (v *Validator) ExpTime() time.Time {
+	return time.Unix(atomic.LoadInt64(&v.expires), 0)
+}
+
+// Refresh retrieves the latest keys.
+func (v *Validator) Refresh() error {
+	resp, err := v.htc.Get(v.opt.URL)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	exp, err := time.Parse(time.RFC1123, resp.Header.Get("Expires"))
+	if err != nil {
+		return err
+	}
+
+	var keyset map[string]publicKey
+	if err := json.NewDecoder(resp.Body).Decode(&keyset); err != nil {
+		return err
+	}
+
+	v.keyset.Store(keyset)
+	atomic.StoreInt64(&v.expires, exp.Unix())
+	return nil
+}
+
+func (v *Validator) loop(ctx context.Context) {
+	t := time.NewTimer(time.Minute)
+	defer t.Stop()
+
+	for {
+		d := v.ExpTime().Sub(time.Now()) - time.Hour
+		if d < time.Minute {
+			d = time.Minute
+		}
+		t.Reset(d)
+
+		select {
+		case <-ctx.Done():
+			return
+		case <-t.C:
+			if err := v.Refresh(); err != nil {
+				log.Printf("[firejwt] failed to refresh keyset: %v", err)
+			}
+		}
+	}
+}
+
+// --------------------------------------------------------------------
+
+type publicKey struct {
+	*rsa.PublicKey
+}
+
+func (k *publicKey) UnmarshalText(data []byte) error {
+	block, _ := pem.Decode(data)
+	if block == nil {
+		return fmt.Errorf("invalid certificate")
+	}
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return err
+	}
+
+	if cert.PublicKeyAlgorithm != x509.RSA {
+		return fmt.Errorf("unexpected public key algorithm: %s", cert.PublicKeyAlgorithm)
+	}
+
+	*k = publicKey{PublicKey: cert.PublicKey.(*rsa.PublicKey)}
+	return nil
+}

data/firejwt_test.go

@@ -0,0 +1,104 @@
+package firejwt_test
+
+import (
+	"crypto/rsa"
+	"encoding/json"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/bsm/firejwt"
+	"github.com/dgrijalva/jwt-go"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Validator", func() {
+	var subject *firejwt.Validator
+	var server *httptest.Server
+
+	const kid = "e5a91d9f39fa4de254a1e89df00f05b7e248b985"
+
+	decode := func(method jwt.SigningMethod, claims *jwt.StandardClaims) (*jwt.Token, error) {
+		src := jwt.NewWithClaims(method, claims)
+		src.Header["kid"] = kid
+
+		str, err := src.SignedString(privKey)
+		Expect(err).NotTo(HaveOccurred())
+
+		return subject.Decode(str)
+	}
+
+	BeforeEach(func() {
+		server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+			w.Header().Set("expires", "Mon, 20 Jan 2020 23:40:59 GMT")
+			json.NewEncoder(w).Encode(map[string]string{
+				kid: string(certPEM),
+			})
+		}))
+
+		var err error
+		subject, err = firejwt.New(&firejwt.Options{URL: server.URL})
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	AfterEach(func() {
+		subject.Stop()
+	})
+
+	It("should refresh on init", func() {
+		Expect(subject.ExpTime()).To(BeTemporally("==", time.Date(2020, 1, 20, 23, 40, 59, 0, time.UTC)))
+	})
+
+	It("should decode tokens", func() {
+		token, err := decode(jwt.SigningMethodRS256, &jwt.StandardClaims{
+			Subject:   "me@example.com",
+			Audience:  "you",
+			Issuer:    "me",
+			ExpiresAt: time.Now().Add(time.Hour).Unix(),
+		})
+		Expect(err).NotTo(HaveOccurred())
+		Expect(token.Valid).To(BeTrue())
+		Expect(token.Claims).To(HaveKeyWithValue("sub", "me@example.com"))
+	})
+
+	It("should reject bad tokens", func() {
+		_, err := subject.Decode("BADTOKEN")
+		Expect(err).To(MatchError(`token contains an invalid number of segments`))
+	})
+
+	It("should reject expired tokens", func() {
+		_, err := decode(jwt.SigningMethodRS256, &jwt.StandardClaims{
+			Subject:   "me@example.com",
+			ExpiresAt: time.Now().Add(-time.Minute).Unix(),
+		})
+		Expect(err).To(MatchError(`Token is expired`))
+	})
+})
+
+func TestSuite(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "firejwt")
+}
+
+// --------------------------------------------------------------------
+
+var (
+	certPEM []byte
+	privKey *rsa.PrivateKey
+)
+
+var _ = BeforeSuite(func() {
+	var err error
+
+	certPEM, err = ioutil.ReadFile("testdata/cert.pem")
+	Expect(err).NotTo(HaveOccurred())
+
+	privPEM, err := ioutil.ReadFile("testdata/priv.pem")
+	Expect(err).NotTo(HaveOccurred())
+
+	privKey, err = jwt.ParseRSAPrivateKeyFromPEM(privPEM)
+	Expect(err).NotTo(HaveOccurred())
+})

data/go.mod

@@ -0,0 +1,12 @@
+module github.com/bsm/firejwt
+
+go 1.13
+
+require (
+	github.com/bsm/bfs v0.9.0
+	github.com/bsm/feedx v0.9.2
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
+	github.com/golang/protobuf v1.3.2
+	github.com/onsi/ginkgo v1.11.0
+	github.com/onsi/gomega v1.8.1
+)

data/go.sum

@@ -0,0 +1,61 @@
+github.com/bmatcuk/doublestar v1.1.5/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE=
+github.com/bmatcuk/doublestar v1.2.2 h1:oC24CykoSAB8zd7XgruHo33E0cHJf/WhQA/7BeXj+x0=
+github.com/bmatcuk/doublestar v1.2.2/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE=
+github.com/bsm/bfs v0.8.1/go.mod h1:cVv0jyqUY/jbHoG/WYPuWvOaOhW/HZ4jl7/JMlypvAE=
+github.com/bsm/bfs v0.9.0 h1:7sUB3a5ZzzhBlCELY+2pqCaI6MbO7F2a0jhIgHihhFs=
+github.com/bsm/bfs v0.9.0/go.mod h1:N3md8kQvlteRDcfc8tqw759yW98dhj+6seWEVcg4CmM=
+github.com/bsm/feedx v0.9.2 h1:9Af+bc6vvnPpli2D3Re4spwdKxox8kKjmnmE4qPICIc=
+github.com/bsm/feedx v0.9.2/go.mod h1:63cqu0wUcW6RwIbhOnW27K8XluiOfdqnKFTVTroqNHI=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
+github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.10.2/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.11.0 h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw=
+github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.8.1 h1:C5Dqfs/LeauYDX0jJXIe2SWmwCbGzx9yF8C8xy3Lh34=
+github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191007182048-72f939374954 h1:JGZucVF/L/TotR719NbujzadOZ2AgnYlqphQGHDCKaU=
+golang.org/x/net v0.0.0-20191007182048-72f939374954/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191008105621-543471e840be h1:QAcqgptGM8IQBC9K/RC4o+O9YmqEm0diQn9QmZw/0mU=
+golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

data/lib/firejwt.rb

@@ -0,0 +1,14 @@
+module FireJWT
+  autoload :KeySet, 'firejwt/key_set'
+  autoload :Validator, 'firejwt/validator'
+
+  class Token < Hash
+    attr_reader :header
+
+    def initialize(payload, header)
+      super()
+      update(payload)
+      @header = header
+    end
+  end
+end

data/lib/firejwt/key_set.rb

@@ -0,0 +1,53 @@
+require 'time'
+require 'json'
+require 'uri'
+require 'openssl'
+
+module FireJWT
+  class KeySet < Hash
+    URL = 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com'.freeze
+
+    attr_reader :expires_at
+
+    def initialize(url: URL)
+      super()
+
+      @url = URI(url)
+      expire!
+      refresh!
+    end
+
+    def get(key)
+      refresh! if expired?
+      self[key]
+    end
+
+    def refresh!(limit = 5)
+      resp = Net::HTTP.get_response(@url)
+      unless resp.is_a?(Net::HTTPOK)
+        raise "Server responded with #{resp.code}" if limit < 1
+
+        refresh!(limit - 1)
+      end
+
+      raise ArgumentError, 'Expires header not included in the response' unless resp['expires']
+
+      @expires_at = Time.httpdate(resp['expires'])
+      JSON.parse(resp.body).each do |kid, cert|
+        store kid, OpenSSL::X509::Certificate.new(cert).public_key
+      end
+    end
+
+    def expire!
+      @expires_at = Time.at(0)
+    end
+
+    def expired?
+      @expires_at < Time.now
+    end
+
+    def expires_soon?
+      @expires_at < (Time.now + 600)
+    end
+  end
+end

data/lib/firejwt/validator.rb

@@ -0,0 +1,48 @@
+require 'json'
+require 'jwt'
+require 'net/http'
+
+module FireJWT
+  class Validator
+    # @param [Hash] opts
+    # @option opts [String] :algorithm the expected algorithm. Default: RS256.
+    # @option opts [String] :aud verify the audience claim against the given value. Default: nil (= do not validate).
+    # @option opts [String] :iss verify the issuer claim against the given value. Default: nil (= do not verify).
+    # @option opts [String] :sub verify the subject claim against the given value. Default: nil (= do not verify).
+    # @option opts [Boolean] :verify_iat verify the issued at claim. Default: false.
+    # @option opts [Integer] :exp_leeway expiration leeway in seconds. Default: none.
+    def initialize(**opts)
+      @defaults = norm_opts(opts.dup)
+      @keys = KeySet.new
+    end
+
+    # @param [String] token the token string
+    # @param [Hash] opts options
+    # @option opts [Boolean] :allow_expired allow expired tokens. Default: false.
+    # @option opts [String] :algorithm the expected algorithm. Default: RS256.
+    # @option opts [String] :aud verify the audience claim against the given value. Default: nil (= do not validate).
+    # @option opts [String] :iss verify the issuer claim against the given value. Default: nil (= do not verify).
+    # @option opts [String] :sub verify the subject claim against the given value. Default: nil (= do not verify).
+    # @option opts [Boolean] :verify_iat verify the issued at claim. Default: false.
+    # @option opts [Integer] :exp_leeway expiration leeway in seconds. Default: none.
+    # @return [FireJWT::Token] the token
+    # @raises [JWT::DecodeError] validation errors
+    def decode(token, allow_expired: false, **opts)
+      opts = norm_opts(@defaults.merge(opts))
+      payload, header = JWT.decode token, nil, !allow_expired, opts do |header|
+        @keys.get(header['kid'])
+      end
+      Token.new(payload, header)
+    end
+
+    private
+
+    def norm_opts(opts)
+      opts[:verify_aud] = !opts.key?(:aud) unless opts.key?(:verify_aud)
+      opts[:verify_iss] = !opts.key?(:iss) unless opts.key?(:verify_iss)
+      opts[:verify_sub] = !opts.key?(:sub) unless opts.key?(:verify_sub)
+      opts[:algorithm] ||= 'RS256'
+      opts
+    end
+  end
+end

data/opt.go

@@ -0,0 +1,20 @@
+package firejwt
+
+// Options contains optional configuration for the Validator.
+type Options struct {
+	// Custom KID URL
+	URL string
+}
+
+func (o *Options) norm() *Options {
+	var o2 Options
+	if o != nil {
+		o2 = *o
+	}
+
+	if o2.URL == "" {
+		o2.URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
+	}
+
+	return &o2
+}

data/spec/firejwt/key_set_spec.rb

@@ -0,0 +1,30 @@
+require 'spec_helper'
+
+RSpec.describe FireJWT::KeySet do
+  let! :keys_request do
+    stub_request(:get, described_class::URL.to_s).to_return(
+      status: 200,
+      headers: { expires: (Time.now + 3600).httpdate },
+      body: MOCK_RESPONSE.to_json,
+    )
+  end
+
+  it 'should init' do
+    expect(subject).to include(
+      MOCK_KID => instance_of(OpenSSL::PKey::RSA),
+    )
+    expect(subject.expires_at).to be_within(10).of(Time.now + 3600)
+    expect(subject).not_to be_expired
+  end
+
+  it 'should retrieve keys' do
+    expect(subject.get('BAD')).to be_nil
+    expect(subject.get(MOCK_KID)).to be_instance_of(OpenSSL::PKey::RSA)
+  end
+
+  it 'should check/update expiration status' do
+    expect(subject).not_to be_expired
+    subject.expire!
+    expect(subject).to be_expired
+  end
+end

data/spec/firejwt/validator_spec.rb

@@ -0,0 +1,59 @@
+require 'spec_helper'
+
+RSpec.describe FireJWT::Validator do
+  let! :keys_request do
+    stub_request(:get, FireJWT::KeySet::URL.to_s).to_return(
+      status: 200,
+      headers: { expires: (Time.now + 3600).httpdate },
+      body: MOCK_RESPONSE.to_json,
+    )
+  end
+
+  let :exp_time do
+    Time.now.to_i + 3600
+  end
+
+  let :token do
+    payload = {
+      sub: 'me@example.com',
+      aud: 'you',
+      iss: 'me',
+      exp: exp_time,
+    }
+    JWT.encode payload, MOCK_RSA, 'RS256', kid: MOCK_KID
+  end
+
+  it 'should decode' do
+    decoded = subject.decode(token)
+    expect(decoded).to be_instance_of(FireJWT::Token)
+    expect(decoded).to eq(
+      'sub' => 'me@example.com',
+      'aud' => 'you',
+      'iss' => 'me',
+      'exp' => exp_time,
+    )
+    expect(decoded.header).to eq(
+      'alg' => 'RS256',
+      'kid' => 'e5a91d9f39fa4de254a1e89df00f05b7e248b985',
+    )
+  end
+
+  it 'should reject bad tokens' do
+    expect { subject.decode('BAD') }.to raise_error(JWT::DecodeError)
+  end
+
+  it 'should verify audiences' do
+    expect(subject.decode(token, aud: 'you')).to be_instance_of(FireJWT::Token)
+    expect { subject.decode(token, aud: 'other') }.to raise_error(JWT::InvalidAudError)
+  end
+
+  it 'should verify issuers' do
+    expect(subject.decode(token, iss: 'me')).to be_instance_of(FireJWT::Token)
+    expect { subject.decode(token, iss: 'other') }.to raise_error(JWT::InvalidIssuerError)
+  end
+
+  it 'should verify subjects' do
+    expect(subject.decode(token, sub: 'me@example.com')).to be_instance_of(FireJWT::Token)
+    expect { subject.decode(token, sub: 'other') }.to raise_error(JWT::InvalidSubError)
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,11 @@
+require 'rspec'
+require 'firejwt'
+require 'webmock/rspec'
+
+WebMock.disable_net_connect!
+
+MOCK_KID = 'e5a91d9f39fa4de254a1e89df00f05b7e248b985'.freeze
+MOCK_RSA = OpenSSL::PKey::RSA.new File.read(File.expand_path('../testdata/priv.pem', __dir__))
+MOCK_RESPONSE = {
+  MOCK_KID => File.read(File.expand_path('../testdata/cert.pem', __dir__)),
+}.freeze

data/testdata/cert.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDlzCCAn+gAwIBAgIUO5f7OhG0b1i6ped8/d0hRruQ7ccwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEbMBkGA1UECgwSQmxh
+Y2sgU3F1YXJlIE1lZGlhMR0wGwYDVQQDDBRibGFja3NxdWFyZW1lZGlhLmNvbTAg
+Fw0yMDAxMjIxNTI5NDJaGA8yMTE5MTIyOTE1Mjk0MlowWjELMAkGA1UEBhMCR0Ix
+DzANBgNVBAgMBkxvbmRvbjEbMBkGA1UECgwSQmxhY2sgU3F1YXJlIE1lZGlhMR0w
+GwYDVQQDDBRibGFja3NxdWFyZW1lZGlhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMY6tyEp1lExQFxMa3znxjbIHYsSwl4t9NVQzeOibbMbI3Go
+eiyuGhnJVhPNycvsDpkJVF7Q/FB4i2OesxcerRo5VYopOA77XDmyeCZ9E6Q5ELXc
+i2QWJcRIXZk6EujwGTEQouYoaosNYLMz5NQ7rVdTpa5wgLlys5RatfcNR9nOL1Mr
+it5/HrEbgQB8JCKPQA41DIhymI6MqtkPop2spLU2i809sh+Lk5vRCmkhH7A0SNaN
+YPKLfI731dnTRqQHBFP5N3UBzSS/tCfeCwezmk+rkaV9zZpUkZ8XmuvOCG9PUe2u
+C5Zq3ziA0QD+fn6bOlLFsZJx3aKEtSEavU/YRjsCAwEAAaNTMFEwHQYDVR0OBBYE
+FIrrQ2gBVTfCJUeUNdxazBCQvdnJMB8GA1UdIwQYMBaAFIrrQ2gBVTfCJUeUNdxa
+zBCQvdnJMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAMW3up1k
+ENUlySp/XYhwsa4mJEsba0LIyJO0/X6LKAPl0qnVmlHY5fC3j/kCx5MyjQVsHZCQ
+l2vZPAJDF/XE8uC4CHc4ig7RSRCDeiK0M766z9agZwUaQOgR2XqwkM2wLAtvnUpF
+c4KgolHedFZRobk+pwlvpoyl9k3W8nDsMdI3I6EgBJvFhVGXiAL2kFILIyiBX5TN
+rTiMEER+Fd5WEfQpsXukBWsibWwqE7ZP940z2oOVfggakZIPrgaTRWJhAIKUEt4n
+QvWjvRVEdr5L7PKxoOiPnz592Cojb/DXtS0Bu71lraVHHsMsIu1QFlclAOI5bBI1
+4TfOw5ufs75LxDE=
+-----END CERTIFICATE-----

data/testdata/priv.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDGOrchKdZRMUBc
+TGt858Y2yB2LEsJeLfTVUM3jom2zGyNxqHosrhoZyVYTzcnL7A6ZCVRe0PxQeItj
+nrMXHq0aOVWKKTgO+1w5sngmfROkORC13ItkFiXESF2ZOhLo8BkxEKLmKGqLDWCz
+M+TUO61XU6WucIC5crOUWrX3DUfZzi9TK4refx6xG4EAfCQij0AONQyIcpiOjKrZ
+D6KdrKS1NovNPbIfi5Ob0QppIR+wNEjWjWDyi3yO99XZ00akBwRT+Td1Ac0kv7Qn
+3gsHs5pPq5Glfc2aVJGfF5rrzghvT1HtrguWat84gNEA/n5+mzpSxbGScd2ihLUh
+Gr1P2EY7AgMBAAECggEAaXiYM6cFB1JDQljO4DiZ+E/lmDe0/1NIb698vN+RqriH
+1VOlHdzMumerywG1mzDQW5DhOUnM1iwtTiYEeAq0Y72Zy9c+oooPeguBbkkiiEBs
+qbbc27YFBjjSxFJn+VS2sqp9YiSi+7V0fCTiXiIaitpQz03Az+s9rXPOWdLRJgtj
+4XEUrsMu+Ejz3YhOWH6kCZfWqa9nAy3mUi8/x+cFaEBMFfcZZJYcfvjMmwoKaAR9
+24u7JGEnpLfV/wEwLtSS+ABynpT+HJtU9s7K3Jbe+Bd1g0qYtcbhIaNhg1rhV6sc
+AglO5UO4p9Egr9UgcG8tbvYAcZtaaDADjND2f8wIsQKBgQD2qlWdF9HW9F2klNZY
+WdkgtdDh0MAZW5VAfXvN+60tdE2tqOAnj7oWjxWhGL5GK0wqhApn/tADQF5rrbqq
+eoQJcmxbI8fNBXstirLlUS8FZVijkBr9LdAJDY/5xM2BgsDaauSIikmNWnZImILN
+EtGF5UoE3TfIOUl988ylwejQxwKBgQDNuyNwpdTtNIMoJwR9ANZzY8HFEeUmAnYi
+ZSsvMJRm1Bhk/WNB+Ib2uIAQu2RScuYMjjOTauXzsRFqHz1eJ759+3hfhJsJOoYL
+hj//8Bei4vbttgDzg4d2ovg2DGDyJph0J5wtpW6VON9Ym4mnmezQJfsCzEBh8Vr2
+XBElv1cS7QKBgHHq6s05Yf0PMGxBHNkC7ccwkP6pRP6xEDYPfez8jddPPky0kIlU
+1JF0lX2oCsAnYO7FunSa9wB5auH6AxqWqIIgaTCSTsU+AcxfoQ1NOBUa4BvyArTo
+wopbzCGDJZHpjB2TfmYcz6lLnRMb9FS3mzJmWY/zhr6eznUv8lSfQGGjAoGAd980
+dSyK9nOEgF7LpLJaQf28J8GXjSAeCUh9cw+RSKEIXb+ul//hU9yI8jbd65R7KpGo
+x5qfxfBEP1tYfIYX3nwp1S4Ez8nD1O8yV0Rj4UrxqexEfZ8DzUKD8aogyrdmWTfD
+Lm2YE2aB7LUj7f4oF9gpe6XbVbY11Bos+5uTdrkCgYB331Fptm1CPC3DnudvcVUB
+HwDZ7xMENdTQyx6WZX4SvjiFa8vWS1bq7TZhwIotLLerP0tQS7zP58wVDmyVWqz0
+2hvnZrJDZYlB9qD/rCfhHjM5FO7GEXhxh8nKHFUHivoh1n2DG9oxjUEDbg61jjwz
+erRo6a3govRlEGXVFkC4dA==
+-----END PRIVATE KEY-----

metadata

@@ -0,0 +1,140 @@
+--- !ruby/object:Gem::Specification
+name: firejwt
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Black Square Media Ltd
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-01-22 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: ''
+email:
+- info@blacksquaremedia.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rubocop-https---gitlab-com-bsm-misc-raw-master-rubocop-default-yml"
+- ".rubocop.yml"
+- ".travis.yml"
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- Makefile
+- README.md
+- Rakefile
+- firejwt.gemspec
+- firejwt.go
+- firejwt_test.go
+- go.mod
+- go.sum
+- lib/firejwt.rb
+- lib/firejwt/key_set.rb
+- lib/firejwt/validator.rb
+- opt.go
+- spec/firejwt/key_set_spec.rb
+- spec/firejwt/validator_spec.rb
+- spec/spec_helper.rb
+- testdata/cert.pem
+- testdata/priv.pem
+homepage: https://github.com/bsm/firejwt
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.5'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.2
+signing_key: 
+specification_version: 4
+summary: Firebase JWT validation
+test_files:
+- spec/firejwt/key_set_spec.rb
+- spec/firejwt/validator_spec.rb
+- spec/spec_helper.rb