firejwt 0.1.2 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1f6b26968a9c1544b8a72fce5e0320c274bc47a80f6dd6c03dadd75ca932ae4f
-  data.tar.gz: 74dd23cd6b76f1f051607a0bcf352d6a6ca51fa52fa31db1d6f3c824be6c0739
+  metadata.gz: 22a3cbe836d5c04927447040ffdc8580f0a8863798dc1089e3e4fa6940989b0f
+  data.tar.gz: 886dbe43fee7a2132259c1997018e711a08e54e53366a461efc77516c6893bfc
 SHA512:
-  metadata.gz: 35bc306bb1ae2ff4c20b7deb9b57894db1bc67c6841e221c97c2ea2a27c3c9d9dbdfa10699364e5dd8dd2655721d693ab15b77b9ad410293af1393d472db0cab
-  data.tar.gz: da26ad61964ac2ae8519b70da1eb2cf236456d3af8b974403dda6e252abdb4031b9c8f1a880d3ea3a2303c3d16f5baf46fd0d84e848cef7450d80f1a77cdb305
+  metadata.gz: de05062161e6489c4c074b786a4125a2c412d3b4641b23e91c18f3e6f734993e81ea98eea4a0775259f10183c9872597e84e2a3d944c405bd6ea38d3edd82862
+  data.tar.gz: c62208610c25313796a7a663dcad304c7568293a9096bce5c26b9d0de493fb90eedc159cc8047864f9eb7ca028caa4361c508b276ff2733bb7662e13b96e9a25

data/.travis.yml

@@ -17,4 +17,7 @@ matrix:
         - gem install bundler
     - language: go
       go:
-        - 1.13.x
+        - 1.15.x
+    - language: go
+      go:
+        - 1.14.x

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    firejwt (0.1.2)
+    firejwt (0.2.0)
       jwt
 
 GEM
@@ -10,24 +10,23 @@ GEM
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
     ast (2.4.1)
-    crack (0.4.3)
-      safe_yaml (~> 1.0.0)
-    diff-lcs (1.3)
+    crack (0.4.4)
+    diff-lcs (1.4.4)
     hashdiff (1.0.1)
-    jwt (2.2.1)
-    parallel (1.19.1)
-    parser (2.7.1.3)
-      ast (~> 2.4.0)
-    public_suffix (4.0.5)
+    jwt (2.2.2)
+    parallel (1.19.2)
+    parser (2.7.1.5)
+      ast (~> 2.4.1)
+    public_suffix (4.0.6)
     rainbow (3.0.0)
     rake (13.0.1)
-    regexp_parser (1.7.1)
+    regexp_parser (1.8.1)
     rexml (3.2.4)
     rspec (3.9.0)
       rspec-core (~> 3.9.0)
       rspec-expectations (~> 3.9.0)
       rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.2)
+    rspec-core (3.9.3)
       rspec-support (~> 3.9.3)
     rspec-expectations (3.9.2)
       diff-lcs (>= 1.2.0, < 2.0)
@@ -36,21 +35,20 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
     rspec-support (3.9.3)
-    rubocop (0.85.1)
+    rubocop (0.92.0)
       parallel (~> 1.10)
-      parser (>= 2.7.0.1)
+      parser (>= 2.7.1.5)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.7)
       rexml
-      rubocop-ast (>= 0.0.3)
+      rubocop-ast (>= 0.5.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-ast (0.0.3)
-      parser (>= 2.7.0.1)
+    rubocop-ast (0.7.1)
+      parser (>= 2.7.1.5)
     ruby-progressbar (1.10.1)
-    safe_yaml (1.0.5)
     unicode-display_width (1.7.0)
-    webmock (3.8.3)
+    webmock (3.9.1)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)

data/README.md

@@ -13,11 +13,11 @@ Decode and validate [Google Firebase](https://firebase.google.com/) JWT tokens w
 require 'firejwt'
 
 # Init a validator
-validator = FireJWT::Validator.new
+validator = FireJWT::Validator.new 'my-project'
 
 # Decode a token
 token = begin
-  validator.decode('eyJh...YbQ') # => {'sub' => 'me@example.com', 'aud' => 'my-audience'}
+  validator.decode('eyJh...YbQ') # => {'sub' => 'me@example.com', 'aud' => 'my-project'}
 rescue JWT::DecodeError
   nil
 end
@@ -35,7 +35,7 @@ import (
 )
 
 func main() {
-  vr, err := firejwt.New(nil)
+  vr, err := firejwt.New("my-project")
   if err != nil {
     log.Fatalln(err)
   }
@@ -46,6 +46,6 @@ func main() {
     log.Fatalln(err)
   }
 
-  log.Println(tk.Claims) // => {"sub": "me@example.com", "aud": "my-audience"}
+  log.Println(tk.Claims) // => {"sub": "me@example.com", "aud": "my-project"}
 }
 ```

data/ext_test.go

@@ -0,0 +1,6 @@
+package firejwt
+
+// Mocked creates a validator with a mock URL
+func Mocked(url string) (*Validator, error) {
+	return newValidator("mock-project", url)
+}

data/firejwt.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name          = 'firejwt'
-  s.version       = '0.1.2'
+  s.version       = '0.2.0'
   s.authors       = ['Black Square Media Ltd']
   s.email         = ['info@blacksquaremedia.com']
   s.summary       = %(Firebase JWT validation)

data/firejwt.go

@@ -6,6 +6,7 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"log"
 	"net/http"
@@ -15,19 +16,32 @@ import (
 	"github.com/dgrijalva/jwt-go"
 )
 
+const defaultURL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
+
 // Validator validates Firebase JWTs
 type Validator struct {
-	opt *Options
-	htc http.Client
+	audience string
+	issuer   string
+	url      string
+	htc      http.Client
 
 	cancel  context.CancelFunc
 	keyset  atomic.Value
 	expires int64
 }
 
-// New issues a new Validator.
-func New(opt *Options) (*Validator, error) {
-	v := &Validator{opt: opt.norm()}
+// New issues a new Validator with a projectID, a unique identifier for your
+// Firebase project, which can be found in the URL of that project's console.
+func New(projectID string) (*Validator, error) {
+	return newValidator(projectID, defaultURL)
+}
+
+func newValidator(projectID, url string) (*Validator, error) {
+	v := &Validator{
+		audience: projectID,
+		issuer:   "https://securetoken.google.com/" + projectID,
+		url:      url,
+	}
 	if err := v.Refresh(); err != nil {
 		return nil, err
 	}
@@ -46,19 +60,7 @@ func (v *Validator) Stop() {
 
 // Decode decodes the token
 func (v *Validator) Decode(tokenString string) (*jwt.Token, error) {
-	return jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
-		kid, ok := token.Header["kid"].(string)
-		if !ok {
-			return nil, fmt.Errorf("missing kid header")
-		}
-
-		key, ok := v.keyset.Load().(map[string]publicKey)[kid]
-		if !ok {
-			return nil, fmt.Errorf("unknown kid header %s", kid)
-		}
-
-		return key.PublicKey, nil
-	})
+	return jwt.ParseWithClaims(tokenString, new(Claims), v.verify)
 }
 
 // ExpTime returns the expiration time.
@@ -68,7 +70,7 @@ func (v *Validator) ExpTime() time.Time {
 
 // Refresh retrieves the latest keys.
 func (v *Validator) Refresh() error {
-	resp, err := v.htc.Get(v.opt.URL)
+	resp, err := v.htc.Get(v.url)
 	if err != nil {
 		return err
 	}
@@ -89,12 +91,50 @@ func (v *Validator) Refresh() error {
 	return nil
 }
 
+var (
+	errKIDMissing   = errors.New("missing kid header")
+	errExpired      = errors.New("token has expired")
+	errIssuedFuture = errors.New("issued in the future")
+	errNoSubject    = errors.New("subject is missing")
+	errAuthFuture   = errors.New("auth-time in the future")
+)
+
+func (v *Validator) verify(token *jwt.Token) (interface{}, error) {
+	kid, ok := token.Header["kid"].(string)
+	if !ok {
+		return nil, errKIDMissing
+	}
+
+	key, ok := v.keyset.Load().(map[string]publicKey)[kid]
+	if !ok {
+		return nil, fmt.Errorf("invalid kid header %q", kid)
+	}
+
+	now := time.Now().Unix()
+	claims := token.Claims.(*Claims)
+	if claims.Audience != v.audience {
+		return nil, fmt.Errorf("invalid audience claim %q", claims.Audience)
+	} else if claims.Issuer != v.issuer {
+		return nil, fmt.Errorf("invalid issuer claim %q", claims.Issuer)
+	} else if claims.Subject == "" {
+		return nil, errNoSubject
+	} else if claims.ExpiresAt <= now {
+		return nil, errExpired
+	} else if claims.IssuedAt > now {
+		return nil, errIssuedFuture
+	} else if claims.AuthAt > now {
+		return nil, errAuthFuture
+	}
+
+	return key.PublicKey, nil
+}
+
 func (v *Validator) loop(ctx context.Context) {
 	t := time.NewTimer(time.Minute)
 	defer t.Stop()
 
 	for {
-		d := v.ExpTime().Sub(time.Now()) - time.Hour
+		d := time.Until(v.ExpTime()) - time.Hour
 		if d < time.Minute {
 			d = time.Minute
 		}
@@ -135,3 +175,33 @@ func (k *publicKey) UnmarshalText(data []byte) error {
 	*k = publicKey{PublicKey: cert.PublicKey.(*rsa.PublicKey)}
 	return nil
 }
+
+// --------------------------------------------------------------------
+
+// Claims are included in the token.
+type Claims struct {
+	Subject   string `json:"sub,omitempty"`
+	Audience  string `json:"aud,omitempty"`
+	Issuer    string `json:"iss,omitempty"`
+	IssuedAt  int64  `json:"iat,omitempty"`
+	ExpiresAt int64  `json:"exp,omitempty"`
+
+	Name          string         `json:"name,omitempty"`
+	Picture       string         `json:"picture,omitempty"`
+	UserID        string         `json:"user_id,omitempty"`
+	AuthAt        int64          `json:"auth_time,omitempty"`
+	Email         string         `json:"email,omitempty"`
+	EmailVerified bool           `json:"email_verified"`
+	Firebase      *FirebaseClaim `json:"firebase,omitempty"`
+}
+
+// FirebaseClaim represents firebase specific claim.
+type FirebaseClaim struct {
+	SignInProvider string              `json:"sign_in_provider,omitempty"`
+	Identities     map[string][]string `json:"identities,omitempty"`
+}
+
+// Valid implements the jwt.Claims interface.
+func (c *Claims) Valid() error {
+	return nil
+}

data/firejwt_test.go

@@ -1,9 +1,16 @@
 package firejwt_test
 
 import (
+	"bytes"
+	"crypto/rand"
 	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/hex"
 	"encoding/json"
-	"io/ioutil"
+	"encoding/pem"
+	"math/big"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -18,33 +25,33 @@ import (
 var _ = Describe("Validator", func() {
 	var subject *firejwt.Validator
 	var server *httptest.Server
+	var claims *firejwt.Claims
 
-	const kid = "e5a91d9f39fa4de254a1e89df00f05b7e248b985"
+	generate := func() string {
+		token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+		token.Header["kid"] = certKID
 
-	decode := func(method jwt.SigningMethod, claims *jwt.StandardClaims) (*jwt.Token, error) {
-		src := jwt.NewWithClaims(method, claims)
-		src.Header["kid"] = kid
-
-		str, err := src.SignedString(privKey)
+		data, err := token.SignedString(privKey)
 		Expect(err).NotTo(HaveOccurred())
-
-		return subject.Decode(str)
+		return data
 	}
 
 	BeforeEach(func() {
 		server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 			w.Header().Set("expires", "Mon, 20 Jan 2020 23:40:59 GMT")
 			json.NewEncoder(w).Encode(map[string]string{
-				kid: string(certPEM),
+				certKID: string(certPEM),
 			})
 		}))
+		claims = mockClaims(time.Now().Unix())
 
 		var err error
-		subject, err = firejwt.New(&firejwt.Options{URL: server.URL})
+		subject, err = firejwt.Mocked(server.URL)
 		Expect(err).NotTo(HaveOccurred())
 	})
 
 	AfterEach(func() {
+		server.Close()
 		subject.Stop()
 	})
 
@@ -53,28 +60,84 @@ var _ = Describe("Validator", func() {
 	})
 
 	It("should decode tokens", func() {
-		token, err := decode(jwt.SigningMethodRS256, &jwt.StandardClaims{
-			Subject:   "me@example.com",
-			Audience:  "you",
-			Issuer:    "me",
-			ExpiresAt: time.Now().Add(time.Hour).Unix(),
-		})
+		token, err := subject.Decode(generate())
 		Expect(err).NotTo(HaveOccurred())
 		Expect(token.Valid).To(BeTrue())
-		Expect(token.Claims).To(HaveKeyWithValue("sub", "me@example.com"))
+		Expect(token.Claims).To(Equal(claims))
 	})
 
 	It("should reject bad tokens", func() {
-		_, err := subject.Decode("BADTOKEN")
+		_, err := subject.Decode("BAD")
 		Expect(err).To(MatchError(`token contains an invalid number of segments`))
+		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
+	})
+
+	It("should verify exp", func() {
+		claims.ExpiresAt = time.Now().Unix() - 1
+		_, err := subject.Decode(generate())
+		Expect(err).To(MatchError(`token has expired`))
+		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
+	})
+
+	It("should verify iat", func() {
+		claims.IssuedAt = time.Now().Unix() + 1
+		_, err := subject.Decode(generate())
+		Expect(err).To(MatchError(`issued in the future`))
+		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
 	})
 
-	It("should reject expired tokens", func() {
-		_, err := decode(jwt.SigningMethodRS256, &jwt.StandardClaims{
-			Subject:   "me@example.com",
-			ExpiresAt: time.Now().Add(-time.Minute).Unix(),
-		})
-		Expect(err).To(MatchError(`Token is expired`))
+	It("should verify aud", func() {
+		claims.Audience = "other"
+		_, err := subject.Decode(generate())
+		Expect(err).To(MatchError(`invalid audience claim "other"`))
+		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
+	})
+
+	It("should verify iss", func() {
+		claims.Issuer = "other"
+		_, err := subject.Decode(generate())
+		Expect(err).To(MatchError(`invalid issuer claim "other"`))
+		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
+	})
+
+	It("should verify sub", func() {
+		claims.Subject = ""
+		_, err := subject.Decode(generate())
+		Expect(err).To(MatchError(`subject is missing`))
+		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
+	})
+
+	It("should verify auth time", func() {
+		claims.AuthAt = time.Now().Unix() + 1
+		_, err := subject.Decode(generate())
+		Expect(err).To(MatchError(`auth-time in the future`))
+		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
+	})
+})
+
+var _ = Describe("Claims", func() {
+	It("should be JWT compatible", func() {
+		claims := mockClaims(1515151515)
+		Expect(json.Marshal(claims)).To(MatchJSON(`{
+			"name": "Me",
+			"picture": "https://test.host/me.jpg",
+			"sub": "MDYwNDQwNjUtYWQ0ZC00ZDkwLThl",
+			"user_id": "MDYwNDQwNjUtYWQ0ZC00ZDkwLThl",
+			"aud": "mock-project",
+			"iss": "https://securetoken.google.com/mock-project",
+			"iat": 1515149715,
+			"exp": 1515155115,
+			"auth_time": 1515151515,
+			"email": "me@example.com",
+			"email_verified": true,
+			"firebase": {
+				"sign_in_provider": "google.com",
+				"identities": {
+					"google.com": ["123123123123123123123"],
+					"email": ["me@example.com"]
+				}
+			}
+		}`))
 	})
 })
 
@@ -86,19 +149,62 @@ func TestSuite(t *testing.T) {
 // --------------------------------------------------------------------
 
 var (
-	certPEM []byte
+	certKID string
+	certPEM string
 	privKey *rsa.PrivateKey
 )
 
 var _ = BeforeSuite(func() {
+	// seed private key
 	var err error
-
-	certPEM, err = ioutil.ReadFile("testdata/cert.pem")
+	privKey, err = rsa.GenerateKey(rand.Reader, 2048)
 	Expect(err).NotTo(HaveOccurred())
 
-	privPEM, err := ioutil.ReadFile("testdata/priv.pem")
+	// seed certificate
+	now := time.Now()
+	template := x509.Certificate{
+		SerialNumber:          big.NewInt(2605014480174073526),
+		Subject:               pkix.Name{CommonName: "securetoken.system.gserviceaccount.com"},
+		NotBefore:             now,
+		NotAfter:              now.Add(23775 * time.Minute),
+		KeyUsage:              x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+		BasicConstraintsValid: true,
+	}
+	cert, err := x509.CreateCertificate(rand.Reader, &template, &template, &privKey.PublicKey, privKey)
 	Expect(err).NotTo(HaveOccurred())
 
-	privKey, err = jwt.ParseRSAPrivateKeyFromPEM(privPEM)
+	// calculate key ID
+	kh := sha1.New()
+	_, err = kh.Write(cert)
 	Expect(err).NotTo(HaveOccurred())
+	certKID = hex.EncodeToString(kh.Sum(nil))
+
+	// convert to PEM
+	buf := new(bytes.Buffer)
+	Expect(pem.Encode(buf, &pem.Block{Type: "CERTIFICATE", Bytes: cert})).To(Succeed())
+	certPEM = buf.String()
 })
+
+func mockClaims(now int64) *firejwt.Claims {
+	return &firejwt.Claims{
+		Name:          "Me",
+		Picture:       "https://test.host/me.jpg",
+		Subject:       "MDYwNDQwNjUtYWQ0ZC00ZDkwLThl",
+		UserID:        "MDYwNDQwNjUtYWQ0ZC00ZDkwLThl",
+		Audience:      "mock-project",
+		Issuer:        "https://securetoken.google.com/mock-project",
+		IssuedAt:      now - 1800,
+		ExpiresAt:     now + 3600,
+		AuthAt:        now,
+		Email:         "me@example.com",
+		EmailVerified: true,
+		Firebase: &firejwt.FirebaseClaim{
+			SignInProvider: "google.com",
+			Identities: map[string][]string{
+				"google.com": {"123123123123123123123"},
+				"email":      {"me@example.com"},
+			},
+		},
+	}
+}

data/lib/firejwt.rb

@@ -1,5 +1,5 @@
 module FireJWT
-  autoload :KeySet, 'firejwt/key_set'
+  autoload :Certificates, 'firejwt/certificates'
   autoload :Validator, 'firejwt/validator'
 
   class Token < Hash

data/lib/firejwt/{key_set.rb → certificates.rb}

@@ -4,7 +4,7 @@ require 'uri'
 require 'openssl'
 
 module FireJWT
-  class KeySet < Hash
+  class Certificates
     URL = 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com'.freeze
 
     attr_reader :expires_at
@@ -12,14 +12,17 @@ module FireJWT
     def initialize(url: URL)
       super()
 
-      @url = URI(url)
+      @url  = URI(url)
+      @keys = {}
+
       expire!
       refresh!
     end
 
-    def get(key)
+    def get(kid)
       refresh! if expired?
-      self[key]
+
+      @keys[kid]
     end
 
     def refresh!(limit = 5)
@@ -33,8 +36,11 @@ module FireJWT
       raise ArgumentError, 'Expires header not included in the response' unless resp['expires']
 
       @expires_at = Time.httpdate(resp['expires'])
-      JSON.parse(resp.body).each do |kid, cert|
-        store kid, OpenSSL::X509::Certificate.new(cert).public_key
+      @keys.clear
+
+      JSON.parse(resp.body).each do |kid, pem|
+        cert = OpenSSL::X509::Certificate.new(pem)
+        @keys.store kid, cert.public_key
       end
     end
 

data/lib/firejwt/validator.rb

@@ -3,46 +3,48 @@ require 'jwt'
 require 'net/http'
 
 module FireJWT
+  class InvalidAuthTimeError < JWT::DecodeError; end
+
+  # Validator validates tokens applying guidelines outlined in
+  # https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library.
   class Validator
-    # @param [Hash] opts
-    # @option opts [String] :algorithm the expected algorithm. Default: RS256.
-    # @option opts [String] :aud verify the audience claim against the given value. Default: nil (= do not validate).
-    # @option opts [String] :iss verify the issuer claim against the given value. Default: nil (= do not verify).
-    # @option opts [String] :sub verify the subject claim against the given value. Default: nil (= do not verify).
-    # @option opts [Boolean] :verify_iat verify the issued at claim. Default: false.
-    # @option opts [Integer] :exp_leeway expiration leeway in seconds. Default: none.
-    def initialize(**opts)
-      @defaults = opts.dup
-      @keys = KeySet.new
+    # @param [String] project_id the unique identifier for your Firebase project, which can be found in the URL of that project's console.
+    def initialize(project_id)
+      project_id = project_id.to_s
+
+      @certs = Certificates.new
+      @opts  = {
+        algorithms: %w[RS256].freeze,
+
+        # exp must be in the future, iat must be in the past
+        verify_expiration: true,
+        verify_iat: true,
+
+        # aud must be your Firebase project ID
+        verify_aud: true, aud: project_id,
+
+        # iss must be "https://securetoken.google.com/<projectId>"
+        verify_iss:  true, iss: "https://securetoken.google.com/#{project_id}",
+      }
     end
 
     # @param [String] token the token string
-    # @param [Hash] opts options
-    # @option opts [Boolean] :allow_expired allow expired tokens. Default: false.
-    # @option opts [String] :algorithm the expected algorithm. Default: RS256.
-    # @option opts [String] :aud verify the audience claim against the given value. Default: nil (= do not validate).
-    # @option opts [String] :iss verify the issuer claim against the given value. Default: nil (= do not verify).
-    # @option opts [String] :sub verify the subject claim against the given value. Default: nil (= do not verify).
-    # @option opts [Boolean] :verify_iat verify the issued at claim. Default: false.
-    # @option opts [Integer] :exp_leeway expiration leeway in seconds. Default: none.
     # @return [FireJWT::Token] the token
     # @raises [JWT::DecodeError] validation errors
-    def decode(token, allow_expired: false, **opts)
-      opts = norm_opts(@defaults.merge(opts))
-      payload, header = JWT.decode token, nil, !allow_expired, opts do |header|
-        @keys.get(header['kid'])
+    def decode(token)
+      payload, header = JWT.decode token, nil, true, **@opts do |header|
+        @certs.get(header['kid'])
       end
-      Token.new(payload, header)
-    end
 
-    private
+      # sub must be a non-empty string
+      sub = payload['sub']
+      raise(JWT::InvalidSubError, 'Invalid subject. Expected non-empty string') unless sub.is_a?(String) && !sub.empty?
 
-    def norm_opts(opts)
-      opts[:verify_aud] = opts.key?(:aud) unless opts.key?(:verify_aud)
-      opts[:verify_iss] = opts.key?(:iss) unless opts.key?(:verify_iss)
-      opts[:verify_sub] = opts.key?(:sub) unless opts.key?(:verify_sub)
-      opts[:algorithm] ||= 'RS256'
-      opts
+      # auth_time must be in the past
+      aut = payload['auth_time']
+      raise(InvalidAuthTimeError, 'Invalid auth_time') if !aut.is_a?(Numeric) || aut.to_f > Time.now.to_f
+
+      Token.new(payload, header)
     end
   end
 end

data/spec/firejwt/{key_set_spec.rb → certificates_spec.rb}

@@ -1,25 +1,24 @@
 require 'spec_helper'
 
-RSpec.describe FireJWT::KeySet do
-  let! :keys_request do
+RSpec.describe FireJWT::Certificates do
+  let(:cert) { MockCert.new }
+
+  let! :http_request do
     stub_request(:get, described_class::URL.to_s).to_return(
       status: 200,
       headers: { expires: (Time.now + 3600).httpdate },
-      body: MOCK_RESPONSE.to_json,
+      body: cert.to_json,
     )
   end
 
   it 'should init' do
-    expect(subject).to include(
-      MOCK_KID => instance_of(OpenSSL::PKey::RSA),
-    )
     expect(subject.expires_at).to be_within(10).of(Time.now + 3600)
     expect(subject).not_to be_expired
   end
 
   it 'should retrieve keys' do
     expect(subject.get('BAD')).to be_nil
-    expect(subject.get(MOCK_KID)).to be_instance_of(OpenSSL::PKey::RSA)
+    expect(subject.get(cert.kid)).to be_instance_of(OpenSSL::PKey::RSA)
   end
 
   it 'should check/update expiration status' do

data/spec/firejwt/validator_spec.rb

@@ -1,71 +1,85 @@
 require 'spec_helper'
 
 RSpec.describe FireJWT::Validator do
-  let! :keys_request do
-    stub_request(:get, FireJWT::KeySet::URL.to_s).to_return(
+  let! :http_request do
+    stub_request(:get, FireJWT::Certificates::URL.to_s).to_return(
       status: 200,
       headers: { expires: (Time.now + 3600).httpdate },
-      body: MOCK_RESPONSE.to_json,
+      body: cert.to_json,
     )
   end
 
-  let :exp_time do
-    Time.now.to_i + 3600
-  end
-
-  let :token do
-    payload = {
-      sub: 'me@example.com',
-      aud: 'you',
-      iss: 'me',
-      exp: exp_time,
+  let :payload do
+    now = Time.now.to_i
+    {
+      'name'           => 'Me',
+      'picture'        => 'https://test.host/me.jpg',
+      'sub'            => 'MDYwNDQwNjUtYWQ0ZC00ZDkwLThl',
+      'user_id'        => 'MDYwNDQwNjUtYWQ0ZC00ZDkwLThl',
+      'aud'            => project_id,
+      'iss'            => 'https://securetoken.google.com/' << project_id,
+      'iat'            => now - 1800,
+      'exp'            => now + 3600,
+      'auth_time'      => now,
+      'email'          => 'me@example.com',
+      'email_verified' => true,
+      'firebase'       => {
+        'sign_in_provider' => 'google.com',
+        'identities'       => {
+          'google.com' => ['123123123123123123123'],
+          'email'      => ['me@example.com'],
+        },
+      },
     }
-    JWT.encode payload, MOCK_RSA, 'RS256', kid: MOCK_KID
   end
 
+  let(:cert)       { MockCert.new }
+  let(:project_id) { 'mock-project' }
+  let(:token)      { JWT.encode payload, cert.pkey, 'RS256', kid: cert.kid }
+
+  subject          { described_class.new(project_id) }
+
   it 'should decode' do
     decoded = subject.decode(token)
     expect(decoded).to be_instance_of(FireJWT::Token)
-    expect(decoded).to eq(
-      'sub' => 'me@example.com',
-      'aud' => 'you',
-      'iss' => 'me',
-      'exp' => exp_time,
-    )
+    expect(decoded).to eq(payload)
     expect(decoded.header).to eq(
       'alg' => 'RS256',
-      'kid' => 'e5a91d9f39fa4de254a1e89df00f05b7e248b985',
+      'kid' => cert.kid,
     )
   end
 
-  it 'should normalize options' do
-    expect(JWT).to receive(:decode).with(
-      instance_of(String),
-      nil,
-      true,
-      algorithm: 'RS256',
-      verify_aud: false,
-      verify_iss: false,
-      verify_sub: false,
-    ).and_return([{}, {}])
-    subject.decode(token)
-  end
   it 'should reject bad tokens' do
     expect { subject.decode('BAD') }.to raise_error(JWT::DecodeError)
   end
 
-  it 'should verify audiences' do
-    expect(subject.decode(token, aud: 'you')).to be_instance_of(FireJWT::Token)
-    expect { subject.decode(token, aud: 'other') }.to raise_error(JWT::InvalidAudError)
+  it 'should verify exp' do
+    payload['exp'] = Time.now.to_i - 1
+    expect { subject.decode(token) }.to raise_error(JWT::ExpiredSignature)
+  end
+
+  it 'should verify iat' do
+    payload['iat'] = Time.now.to_i + 10
+    expect { subject.decode(token) }.to raise_error(JWT::InvalidIatError)
+  end
+
+  it 'should verify aud' do
+    payload['aud'] = 'other'
+    expect { subject.decode(token) }.to raise_error(JWT::InvalidAudError)
+  end
+
+  it 'should verify iss' do
+    payload['iss'] = 'other'
+    expect { subject.decode(token) }.to raise_error(JWT::InvalidIssuerError)
   end
 
-  it 'should verify issuers' do
-    expect(subject.decode(token, iss: 'me')).to be_instance_of(FireJWT::Token)
-    expect { subject.decode(token, iss: 'other') }.to raise_error(JWT::InvalidIssuerError)
+  it 'should verify sub' do
+    payload['sub'] = ''
+    expect { subject.decode(token) }.to raise_error(JWT::InvalidSubError)
   end
 
-  it 'should verify subjects' do
-    expect(subject.decode(token, sub: 'me@example.com')).to be_instance_of(FireJWT::Token)
-    expect { subject.decode(token, sub: 'other') }.to raise_error(JWT::InvalidSubError)
+  it 'should verify auth_time' do
+    payload['auth_time'] = Time.now.to_i + 10
+    expect { subject.decode(token) }.to raise_error(FireJWT::InvalidAuthTimeError)
   end
 end

data/spec/spec_helper.rb

@@ -4,8 +4,34 @@ require 'webmock/rspec'
 
 WebMock.disable_net_connect!
 
-MOCK_KID = 'e5a91d9f39fa4de254a1e89df00f05b7e248b985'.freeze
-MOCK_RSA = OpenSSL::PKey::RSA.new File.read(File.expand_path('../testdata/priv.pem', __dir__))
-MOCK_RESPONSE = {
-  MOCK_KID => File.read(File.expand_path('../testdata/cert.pem', __dir__)),
-}.freeze
+class MockCert
+  attr_reader :cert, :pkey
+
+  def initialize
+    @pkey = OpenSSL::PKey::RSA.new 2048
+    @cert = OpenSSL::X509::Certificate.new
+    @cert.version = 2
+    @cert.serial = 2605014480174073526
+    @cert.subject = OpenSSL::X509::Name.parse('/CN=securetoken.system.gserviceaccount.com')
+    @cert.issuer = @cert.subject
+    @cert.public_key = @pkey.public_key
+    @cert.not_before = Time.now
+    @cert.not_after = @cert.not_before + 3600
+
+    exts = OpenSSL::X509::ExtensionFactory.new
+    exts.subject_certificate = cert
+    exts.issuer_certificate = cert
+    @cert.add_extension(exts.create_extension('basicConstraints', 'CA:FALSE', true))
+    @cert.add_extension(exts.create_extension('keyUsage', 'Digital Signature', true))
+    @cert.add_extension(exts.create_extension('extendedKeyUsage', 'TLS Web Client Authentication', true))
+    @cert.sign(@pkey, OpenSSL::Digest.new('SHA256'))
+  end
+
+  def kid
+    @kid ||= Digest::SHA1.hexdigest(@cert.to_der)
+  end
+
+  def to_json(*)
+    { kid => @cert }.to_json
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: firejwt
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.2.0
 platform: ruby
 authors:
 - Black Square Media Ltd
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-06-11 00:00:00.000000000 Z
+date: 2020-10-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -96,20 +96,18 @@ files:
 - Makefile
 - README.md
 - Rakefile
+- ext_test.go
 - firejwt.gemspec
 - firejwt.go
 - firejwt_test.go
 - go.mod
 - go.sum
 - lib/firejwt.rb
-- lib/firejwt/key_set.rb
+- lib/firejwt/certificates.rb
 - lib/firejwt/validator.rb
-- opt.go
-- spec/firejwt/key_set_spec.rb
+- spec/firejwt/certificates_spec.rb
 - spec/firejwt/validator_spec.rb
 - spec/spec_helper.rb
-- testdata/cert.pem
-- testdata/priv.pem
 homepage: https://github.com/bsm/firejwt
 licenses:
 - Apache-2.0
@@ -129,11 +127,11 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Firebase JWT validation
 test_files:
-- spec/firejwt/key_set_spec.rb
+- spec/firejwt/certificates_spec.rb
 - spec/firejwt/validator_spec.rb
 - spec/spec_helper.rb

data/opt.go

@@ -1,20 +0,0 @@
-package firejwt
-
-// Options contains optional configuration for the Validator.
-type Options struct {
-	// Custom KID URL
-	URL string
-}
-
-func (o *Options) norm() *Options {
-	var o2 Options
-	if o != nil {
-		o2 = *o
-	}
-
-	if o2.URL == "" {
-		o2.URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
-	}
-
-	return &o2
-}

data/testdata/cert.pem

@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDlzCCAn+gAwIBAgIUO5f7OhG0b1i6ped8/d0hRruQ7ccwDQYJKoZIhvcNAQEL
-BQAwWjELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEbMBkGA1UECgwSQmxh
-Y2sgU3F1YXJlIE1lZGlhMR0wGwYDVQQDDBRibGFja3NxdWFyZW1lZGlhLmNvbTAg
-Fw0yMDAxMjIxNTI5NDJaGA8yMTE5MTIyOTE1Mjk0MlowWjELMAkGA1UEBhMCR0Ix
-DzANBgNVBAgMBkxvbmRvbjEbMBkGA1UECgwSQmxhY2sgU3F1YXJlIE1lZGlhMR0w
-GwYDVQQDDBRibGFja3NxdWFyZW1lZGlhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAMY6tyEp1lExQFxMa3znxjbIHYsSwl4t9NVQzeOibbMbI3Go
-eiyuGhnJVhPNycvsDpkJVF7Q/FB4i2OesxcerRo5VYopOA77XDmyeCZ9E6Q5ELXc
-i2QWJcRIXZk6EujwGTEQouYoaosNYLMz5NQ7rVdTpa5wgLlys5RatfcNR9nOL1Mr
-it5/HrEbgQB8JCKPQA41DIhymI6MqtkPop2spLU2i809sh+Lk5vRCmkhH7A0SNaN
-YPKLfI731dnTRqQHBFP5N3UBzSS/tCfeCwezmk+rkaV9zZpUkZ8XmuvOCG9PUe2u
-C5Zq3ziA0QD+fn6bOlLFsZJx3aKEtSEavU/YRjsCAwEAAaNTMFEwHQYDVR0OBBYE
-FIrrQ2gBVTfCJUeUNdxazBCQvdnJMB8GA1UdIwQYMBaAFIrrQ2gBVTfCJUeUNdxa
-zBCQvdnJMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAMW3up1k
-ENUlySp/XYhwsa4mJEsba0LIyJO0/X6LKAPl0qnVmlHY5fC3j/kCx5MyjQVsHZCQ
-l2vZPAJDF/XE8uC4CHc4ig7RSRCDeiK0M766z9agZwUaQOgR2XqwkM2wLAtvnUpF
-c4KgolHedFZRobk+pwlvpoyl9k3W8nDsMdI3I6EgBJvFhVGXiAL2kFILIyiBX5TN
-rTiMEER+Fd5WEfQpsXukBWsibWwqE7ZP940z2oOVfggakZIPrgaTRWJhAIKUEt4n
-QvWjvRVEdr5L7PKxoOiPnz592Cojb/DXtS0Bu71lraVHHsMsIu1QFlclAOI5bBI1
-4TfOw5ufs75LxDE=
------END CERTIFICATE-----

data/testdata/priv.pem

@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDGOrchKdZRMUBc
-TGt858Y2yB2LEsJeLfTVUM3jom2zGyNxqHosrhoZyVYTzcnL7A6ZCVRe0PxQeItj
-nrMXHq0aOVWKKTgO+1w5sngmfROkORC13ItkFiXESF2ZOhLo8BkxEKLmKGqLDWCz
-M+TUO61XU6WucIC5crOUWrX3DUfZzi9TK4refx6xG4EAfCQij0AONQyIcpiOjKrZ
-D6KdrKS1NovNPbIfi5Ob0QppIR+wNEjWjWDyi3yO99XZ00akBwRT+Td1Ac0kv7Qn
-3gsHs5pPq5Glfc2aVJGfF5rrzghvT1HtrguWat84gNEA/n5+mzpSxbGScd2ihLUh
-Gr1P2EY7AgMBAAECggEAaXiYM6cFB1JDQljO4DiZ+E/lmDe0/1NIb698vN+RqriH
-1VOlHdzMumerywG1mzDQW5DhOUnM1iwtTiYEeAq0Y72Zy9c+oooPeguBbkkiiEBs
-qbbc27YFBjjSxFJn+VS2sqp9YiSi+7V0fCTiXiIaitpQz03Az+s9rXPOWdLRJgtj
-4XEUrsMu+Ejz3YhOWH6kCZfWqa9nAy3mUi8/x+cFaEBMFfcZZJYcfvjMmwoKaAR9
-24u7JGEnpLfV/wEwLtSS+ABynpT+HJtU9s7K3Jbe+Bd1g0qYtcbhIaNhg1rhV6sc
-AglO5UO4p9Egr9UgcG8tbvYAcZtaaDADjND2f8wIsQKBgQD2qlWdF9HW9F2klNZY
-WdkgtdDh0MAZW5VAfXvN+60tdE2tqOAnj7oWjxWhGL5GK0wqhApn/tADQF5rrbqq
-eoQJcmxbI8fNBXstirLlUS8FZVijkBr9LdAJDY/5xM2BgsDaauSIikmNWnZImILN
-EtGF5UoE3TfIOUl988ylwejQxwKBgQDNuyNwpdTtNIMoJwR9ANZzY8HFEeUmAnYi
-ZSsvMJRm1Bhk/WNB+Ib2uIAQu2RScuYMjjOTauXzsRFqHz1eJ759+3hfhJsJOoYL
-hj//8Bei4vbttgDzg4d2ovg2DGDyJph0J5wtpW6VON9Ym4mnmezQJfsCzEBh8Vr2
-XBElv1cS7QKBgHHq6s05Yf0PMGxBHNkC7ccwkP6pRP6xEDYPfez8jddPPky0kIlU
-1JF0lX2oCsAnYO7FunSa9wB5auH6AxqWqIIgaTCSTsU+AcxfoQ1NOBUa4BvyArTo
-wopbzCGDJZHpjB2TfmYcz6lLnRMb9FS3mzJmWY/zhr6eznUv8lSfQGGjAoGAd980
-dSyK9nOEgF7LpLJaQf28J8GXjSAeCUh9cw+RSKEIXb+ul//hU9yI8jbd65R7KpGo
-x5qfxfBEP1tYfIYX3nwp1S4Ez8nD1O8yV0Rj4UrxqexEfZ8DzUKD8aogyrdmWTfD
-Lm2YE2aB7LUj7f4oF9gpe6XbVbY11Bos+5uTdrkCgYB331Fptm1CPC3DnudvcVUB
-HwDZ7xMENdTQyx6WZX4SvjiFa8vWS1bq7TZhwIotLLerP0tQS7zP58wVDmyVWqz0
-2hvnZrJDZYlB9qD/rCfhHjM5FO7GEXhxh8nKHFUHivoh1n2DG9oxjUEDbg61jjwz
-erRo6a3govRlEGXVFkC4dA==
------END PRIVATE KEY-----