RubyGems - firejwt - Versions diffs - 0.1.0 → 0.3.1 - Mend

firejwt 0.1.0 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

checksums.yaml +4 -4
data/.github/workflows/test.yml +54 -0
data/.gitignore +1 -0
data/.rubocop.yml +9 -2
data/Gemfile +0 -4
data/Gemfile.lock +70 -61
data/LICENSE +198 -10
data/Makefile +3 -3
data/README.md +5 -5
data/ext_test.go +6 -0
data/firejwt.gemspec +2 -2
data/firejwt.go +99 -21
data/firejwt_test.go +138 -33
data/go.mod +2 -5
data/go.sum +4 -59
data/lib/firejwt.rb +1 -1
data/lib/firejwt/{key_set.rb → certificates.rb} +12 -6
data/lib/firejwt/validator.rb +33 -31
data/spec/firejwt/{key_set_spec.rb → certificates_spec.rb} +10 -10
data/spec/firejwt/validator_spec.rb +59 -32
data/spec/spec_helper.rb +31 -5
metadata +9 -12
data/.travis.yml +0 -20
data/opt.go +0 -20
data/testdata/cert.pem +0 -22
data/testdata/priv.pem +0 -28

data/Makefile CHANGED Viewed

@@ -1,7 +1,7 @@
-default: vet test
+default: test
 test:
 	go test ./...
-vet:
-	go vet ./...
+staticcheck:
+	staticcheck ./...

data/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # FireJWT
-[![Build Status](https://travis-ci.org/bsm/firejwt.png?branch=master)](https://travis-ci.org/bsm/firejwt)
+[![Test](https://github.com/bsm/firejwt/actions/workflows/test.yml/badge.svg)](https://github.com/bsm/firejwt/actions/workflows/test.yml)
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 Decode and validate [Google Firebase](https://firebase.google.com/) JWT tokens with [Ruby](https://www.ruby-lang.org/) and [Go](https://golang.org/).
@@ -13,11 +13,11 @@ Decode and validate [Google Firebase](https://firebase.google.com/) JWT tokens w
 require 'firejwt'
 # Init a validator
-validator = FireJWT::Validator.new
+validator = FireJWT::Validator.new 'my-project'
 # Decode a token
 token = begin
-  validator.decode('eyJh...YbQ') # => {'sub' => 'me@example.com', 'aud' => 'my-audience'}
+  validator.decode('eyJh...YbQ') # => {'sub' => 'me@example.com', 'aud' => 'my-project'}
 rescue JWT::DecodeError
   nil
 end
@@ -35,7 +35,7 @@ import (
 )
 func main() {
-  vr, err := firejwt.New(nil)
+  vr, err := firejwt.New("my-project")
   if err != nil {
     log.Fatalln(err)
   }
@@ -46,6 +46,6 @@ func main() {
     log.Fatalln(err)
   }
-  log.Println(tk.Claims) // => {"sub": "me@example.com", "aud": "my-audience"}
+  log.Println(tk.Claims) // => {"sub": "me@example.com", "aud": "my-project"}
 }
 ```

data/ext_test.go ADDED Viewed

@@ -0,0 +1,6 @@
+package firejwt
+// Mocked creates a validator with a mock URL
+func Mocked(url string) (*Validator, error) {
+	return newValidator("mock-project", url)
+}

data/firejwt.gemspec CHANGED Viewed

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name          = 'firejwt'
-  s.version       = '0.1.0'
+  s.version       = '0.3.1'
   s.authors       = ['Black Square Media Ltd']
   s.email         = ['info@blacksquaremedia.com']
   s.summary       = %(Firebase JWT validation)
@@ -16,6 +16,6 @@ Gem::Specification.new do |s|
   s.add_dependency 'jwt'
   s.add_development_dependency 'rake'
   s.add_development_dependency 'rspec'
-  s.add_development_dependency 'rubocop'
+  s.add_development_dependency 'rubocop-bsm'
   s.add_development_dependency 'webmock'
 end

data/firejwt.go CHANGED Viewed

@@ -6,6 +6,7 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"log"
 	"net/http"
@@ -15,19 +16,32 @@ import (
 	"github.com/dgrijalva/jwt-go"
 )
+const defaultURL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
 // Validator validates Firebase JWTs
 type Validator struct {
-	opt *Options
-	htc http.Client
+	audience string
+	issuer   string
+	url      string
+	htc      http.Client
 	cancel  context.CancelFunc
 	keyset  atomic.Value
 	expires int64
 }
-// New issues a new Validator.
-func New(opt *Options) (*Validator, error) {
-	v := &Validator{opt: opt.norm()}
+// New issues a new Validator with a projectID, a unique identifier for your
+// Firebase project, which can be found in the URL of that project's console.
+func New(projectID string) (*Validator, error) {
+	return newValidator(projectID, defaultURL)
+}
+func newValidator(projectID, url string) (*Validator, error) {
+	v := &Validator{
+		audience: projectID,
+		issuer:   "https://securetoken.google.com/" + projectID,
+		url:      url,
+	}
 	if err := v.Refresh(); err != nil {
 		return nil, err
 	}
@@ -45,20 +59,15 @@ func (v *Validator) Stop() {
 }
 // Decode decodes the token
-func (v *Validator) Decode(tokenString string) (*jwt.Token, error) {
-	return jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
-		kid, ok := token.Header["kid"].(string)
-		if !ok {
-			return nil, fmt.Errorf("missing kid header")
-		}
-		key, ok := v.keyset.Load().(map[string]publicKey)[kid]
-		if !ok {
-			return nil, fmt.Errorf("unknown kid header %s", kid)
-		}
-		return key.PublicKey, nil
-	})
+func (v *Validator) Decode(tokenString string) (*Claims, error) {
+	claims := new(Claims)
+	token, err := jwt.ParseWithClaims(tokenString, claims, v.verify)
+	if err != nil {
+		return nil, err
+	} else if !token.Valid {
+		return nil, errTokenInvalid
+	}
+	return claims, nil
 }
 // ExpTime returns the expiration time.
@@ -68,7 +77,7 @@ func (v *Validator) ExpTime() time.Time {
 // Refresh retrieves the latest keys.
 func (v *Validator) Refresh() error {
-	resp, err := v.htc.Get(v.opt.URL)
+	resp, err := v.htc.Get(v.url)
 	if err != nil {
 		return err
 	}
@@ -89,12 +98,51 @@ func (v *Validator) Refresh() error {
 	return nil
 }
+var (
+	errKIDMissing   = errors.New("missing kid header")
+	errExpired      = errors.New("token has expired")
+	errIssuedFuture = errors.New("issued in the future")
+	errNoSubject    = errors.New("subject is missing")
+	errAuthFuture   = errors.New("auth-time in the future")
+	errTokenInvalid = errors.New("token is invalid")
+)
+func (v *Validator) verify(token *jwt.Token) (interface{}, error) {
+	kid, ok := token.Header["kid"].(string)
+	if !ok {
+		return nil, errKIDMissing
+	}
+	key, ok := v.keyset.Load().(map[string]publicKey)[kid]
+	if !ok {
+		return nil, fmt.Errorf("invalid kid header %q", kid)
+	}
+	now := time.Now().Unix()
+	claims := token.Claims.(*Claims)
+	if claims.Audience != v.audience {
+		return nil, fmt.Errorf("invalid audience claim %q", claims.Audience)
+	} else if claims.Issuer != v.issuer {
+		return nil, fmt.Errorf("invalid issuer claim %q", claims.Issuer)
+	} else if claims.Subject == "" {
+		return nil, errNoSubject
+	} else if claims.ExpiresAt <= now {
+		return nil, errExpired
+	} else if claims.IssuedAt > now {
+		return nil, errIssuedFuture
+	} else if claims.AuthAt > now {
+		return nil, errAuthFuture
+	}
+	return key.PublicKey, nil
+}
 func (v *Validator) loop(ctx context.Context) {
 	t := time.NewTimer(time.Minute)
 	defer t.Stop()
 	for {
-		d := v.ExpTime().Sub(time.Now()) - time.Hour
+		d := time.Until(v.ExpTime()) - time.Hour
 		if d < time.Minute {
 			d = time.Minute
 		}
@@ -135,3 +183,33 @@ func (k *publicKey) UnmarshalText(data []byte) error {
 	*k = publicKey{PublicKey: cert.PublicKey.(*rsa.PublicKey)}
 	return nil
 }
+// --------------------------------------------------------------------
+// Claims are included in the token.
+type Claims struct {
+	Subject   string `json:"sub,omitempty"`
+	Audience  string `json:"aud,omitempty"`
+	Issuer    string `json:"iss,omitempty"`
+	IssuedAt  int64  `json:"iat,omitempty"`
+	ExpiresAt int64  `json:"exp,omitempty"`
+	Name          string         `json:"name,omitempty"`
+	Picture       string         `json:"picture,omitempty"`
+	UserID        string         `json:"user_id,omitempty"`
+	AuthAt        int64          `json:"auth_time,omitempty"`
+	Email         string         `json:"email,omitempty"`
+	EmailVerified bool           `json:"email_verified"`
+	Firebase      *FirebaseClaim `json:"firebase,omitempty"`
+}
+// FirebaseClaim represents firebase specific claim.
+type FirebaseClaim struct {
+	SignInProvider string              `json:"sign_in_provider,omitempty"`
+	Identities     map[string][]string `json:"identities,omitempty"`
+}
+// Valid implements the jwt.Claims interface.
+func (c *Claims) Valid() error {
+	return nil
+}

data/firejwt_test.go CHANGED Viewed

@@ -1,50 +1,57 @@
 package firejwt_test
 import (
+	"bytes"
+	"crypto/rand"
 	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/hex"
 	"encoding/json"
-	"io/ioutil"
+	"encoding/pem"
+	"math/big"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"time"
 	"github.com/bsm/firejwt"
+	. "github.com/bsm/ginkgo"
+	. "github.com/bsm/gomega"
 	"github.com/dgrijalva/jwt-go"
-	. "github.com/onsi/ginkgo"
-	. "github.com/onsi/gomega"
 )
 var _ = Describe("Validator", func() {
 	var subject *firejwt.Validator
 	var server *httptest.Server
+	var seeds *firejwt.Claims
-	const kid = "e5a91d9f39fa4de254a1e89df00f05b7e248b985"
+	generate := func() string {
+		token := jwt.NewWithClaims(jwt.SigningMethodRS256, seeds)
+		token.Header["kid"] = certKID
-	decode := func(method jwt.SigningMethod, claims *jwt.StandardClaims) (*jwt.Token, error) {
-		src := jwt.NewWithClaims(method, claims)
-		src.Header["kid"] = kid
-		str, err := src.SignedString(privKey)
+		data, err := token.SignedString(privKey)
 		Expect(err).NotTo(HaveOccurred())
-		return subject.Decode(str)
+		return data
 	}
 	BeforeEach(func() {
 		server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 			w.Header().Set("expires", "Mon, 20 Jan 2020 23:40:59 GMT")
 			json.NewEncoder(w).Encode(map[string]string{
-				kid: string(certPEM),
+				certKID: string(certPEM),
 			})
 		}))
+		seeds = mockClaims(time.Now().Unix())
 		var err error
-		subject, err = firejwt.New(&firejwt.Options{URL: server.URL})
+		subject, err = firejwt.Mocked(server.URL)
 		Expect(err).NotTo(HaveOccurred())
 	})
 	AfterEach(func() {
+		server.Close()
 		subject.Stop()
 	})
@@ -53,28 +60,83 @@ var _ = Describe("Validator", func() {
 	})
 	It("should decode tokens", func() {
-		token, err := decode(jwt.SigningMethodRS256, &jwt.StandardClaims{
-			Subject:   "me@example.com",
-			Audience:  "you",
-			Issuer:    "me",
-			ExpiresAt: time.Now().Add(time.Hour).Unix(),
-		})
+		claims, err := subject.Decode(generate())
 		Expect(err).NotTo(HaveOccurred())
-		Expect(token.Valid).To(BeTrue())
-		Expect(token.Claims).To(HaveKeyWithValue("sub", "me@example.com"))
+		Expect(claims).To(Equal(seeds))
 	})
 	It("should reject bad tokens", func() {
-		_, err := subject.Decode("BADTOKEN")
+		_, err := subject.Decode("BAD")
 		Expect(err).To(MatchError(`token contains an invalid number of segments`))
+		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
+	})
+	It("should verify exp", func() {
+		seeds.ExpiresAt = time.Now().Unix() - 1
+		_, err := subject.Decode(generate())
+		Expect(err).To(MatchError(`token has expired`))
+		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
+	})
+	It("should verify iat", func() {
+		seeds.IssuedAt = time.Now().Unix() + 1
+		_, err := subject.Decode(generate())
+		Expect(err).To(MatchError(`issued in the future`))
+		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
 	})
-	It("should reject expired tokens", func() {
-		_, err := decode(jwt.SigningMethodRS256, &jwt.StandardClaims{
-			Subject:   "me@example.com",
-			ExpiresAt: time.Now().Add(-time.Minute).Unix(),
-		})
-		Expect(err).To(MatchError(`Token is expired`))
+	It("should verify aud", func() {
+		seeds.Audience = "other"
+		_, err := subject.Decode(generate())
+		Expect(err).To(MatchError(`invalid audience claim "other"`))
+		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
+	})
+	It("should verify iss", func() {
+		seeds.Issuer = "other"
+		_, err := subject.Decode(generate())
+		Expect(err).To(MatchError(`invalid issuer claim "other"`))
+		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
+	})
+	It("should verify sub", func() {
+		seeds.Subject = ""
+		_, err := subject.Decode(generate())
+		Expect(err).To(MatchError(`subject is missing`))
+		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
+	})
+	It("should verify auth time", func() {
+		seeds.AuthAt = time.Now().Unix() + 1
+		_, err := subject.Decode(generate())
+		Expect(err).To(MatchError(`auth-time in the future`))
+		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
+	})
+})
+var _ = Describe("Claims", func() {
+	It("should be JWT compatible", func() {
+		subject := mockClaims(1515151515)
+		Expect(json.Marshal(subject)).To(MatchJSON(`{
+			"name": "Me",
+			"picture": "https://test.host/me.jpg",
+			"sub": "MDYwNDQwNjUtYWQ0ZC00ZDkwLThl",
+			"user_id": "MDYwNDQwNjUtYWQ0ZC00ZDkwLThl",
+			"aud": "mock-project",
+			"iss": "https://securetoken.google.com/mock-project",
+			"iat": 1515149715,
+			"exp": 1515155115,
+			"auth_time": 1515151515,
+			"email": "me@example.com",
+			"email_verified": true,
+			"firebase": {
+				"sign_in_provider": "google.com",
+				"identities": {
+					"google.com": ["123123123123123123123"],
+					"email": ["me@example.com"]
+				}
+			}
+		}`))
 	})
 })
@@ -86,19 +148,62 @@ func TestSuite(t *testing.T) {
 // --------------------------------------------------------------------
 var (
-	certPEM []byte
+	certKID string
+	certPEM string
 	privKey *rsa.PrivateKey
 )
 var _ = BeforeSuite(func() {
+	// seed private key
 	var err error
-	certPEM, err = ioutil.ReadFile("testdata/cert.pem")
+	privKey, err = rsa.GenerateKey(rand.Reader, 2048)
 	Expect(err).NotTo(HaveOccurred())
-	privPEM, err := ioutil.ReadFile("testdata/priv.pem")
+	// seed certificate
+	now := time.Now()
+	template := x509.Certificate{
+		SerialNumber:          big.NewInt(2605014480174073526),
+		Subject:               pkix.Name{CommonName: "securetoken.system.gserviceaccount.com"},
+		NotBefore:             now,
+		NotAfter:              now.Add(23775 * time.Minute),
+		KeyUsage:              x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+		BasicConstraintsValid: true,
+	}
+	cert, err := x509.CreateCertificate(rand.Reader, &template, &template, &privKey.PublicKey, privKey)
 	Expect(err).NotTo(HaveOccurred())
-	privKey, err = jwt.ParseRSAPrivateKeyFromPEM(privPEM)
+	// calculate key ID
+	kh := sha1.New()
+	_, err = kh.Write(cert)
 	Expect(err).NotTo(HaveOccurred())
+	certKID = hex.EncodeToString(kh.Sum(nil))
+	// convert to PEM
+	buf := new(bytes.Buffer)
+	Expect(pem.Encode(buf, &pem.Block{Type: "CERTIFICATE", Bytes: cert})).To(Succeed())
+	certPEM = buf.String()
 })
+func mockClaims(now int64) *firejwt.Claims {
+	return &firejwt.Claims{
+		Name:          "Me",
+		Picture:       "https://test.host/me.jpg",
+		Subject:       "MDYwNDQwNjUtYWQ0ZC00ZDkwLThl",
+		UserID:        "MDYwNDQwNjUtYWQ0ZC00ZDkwLThl",
+		Audience:      "mock-project",
+		Issuer:        "https://securetoken.google.com/mock-project",
+		IssuedAt:      now - 1800,
+		ExpiresAt:     now + 3600,
+		AuthAt:        now,
+		Email:         "me@example.com",
+		EmailVerified: true,
+		Firebase: &firejwt.FirebaseClaim{
+			SignInProvider: "google.com",
+			Identities: map[string][]string{
+				"google.com": {"123123123123123123123"},
+				"email":      {"me@example.com"},
+			},
+		},
+	}
+}