firejwt 0.1.2 → 0.3.2

data/go.sum

@@ -1,43 +1,6 @@
-github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
-github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
-github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.11.0 h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw=
-github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/gomega v1.8.1 h1:C5Dqfs/LeauYDX0jJXIe2SWmwCbGzx9yF8C8xy3Lh34=
-github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20191007182048-72f939374954 h1:JGZucVF/L/TotR719NbujzadOZ2AgnYlqphQGHDCKaU=
-golang.org/x/net v0.0.0-20191007182048-72f939374954/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20191008105621-543471e840be h1:QAcqgptGM8IQBC9K/RC4o+O9YmqEm0diQn9QmZw/0mU=
-golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
-gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+github.com/bsm/ginkgo v1.16.1 h1:jp1v1dbmbGZDWmnGXDTN+XK3U1fTTNja9xYa7VBI0l0=
+github.com/bsm/ginkgo v1.16.1/go.mod h1:RabIZLzOCPghgHJKUqHZpqrQETA5AnF4aCSIYy5C1bk=
+github.com/bsm/gomega v1.11.0 h1:wg9DVGPETNZLIbMsseneMV1a7uo/x+wsCyNXdEcifDI=
+github.com/bsm/gomega v1.11.0/go.mod h1:JifAceMQ4crZIWYUKrlGcmbN3bqHogVTADMD2ATsbwk=
+github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
+github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=

data/lib/firejwt.rb

@@ -1,5 +1,5 @@
 module FireJWT
-  autoload :KeySet, 'firejwt/key_set'
+  autoload :Certificates, 'firejwt/certificates'
   autoload :Validator, 'firejwt/validator'
 
   class Token < Hash

data/lib/firejwt/{key_set.rb → certificates.rb}

@@ -4,7 +4,7 @@ require 'uri'
 require 'openssl'
 
 module FireJWT
-  class KeySet < Hash
+  class Certificates
     URL = 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com'.freeze
 
     attr_reader :expires_at
@@ -12,14 +12,17 @@ module FireJWT
     def initialize(url: URL)
       super()
 
-      @url = URI(url)
+      @url  = URI(url)
+      @keys = {}
+
       expire!
       refresh!
     end
 
-    def get(key)
+    def get(kid)
       refresh! if expired?
-      self[key]
+
+      @keys[kid]
     end
 
     def refresh!(limit = 5)
@@ -33,8 +36,11 @@ module FireJWT
       raise ArgumentError, 'Expires header not included in the response' unless resp['expires']
 
       @expires_at = Time.httpdate(resp['expires'])
-      JSON.parse(resp.body).each do |kid, cert|
-        store kid, OpenSSL::X509::Certificate.new(cert).public_key
+      @keys.clear
+
+      JSON.parse(resp.body).each do |kid, pem|
+        cert = OpenSSL::X509::Certificate.new(pem)
+        @keys.store kid, cert.public_key
       end
     end
 

data/lib/firejwt/validator.rb

@@ -3,46 +3,48 @@ require 'jwt'
 require 'net/http'
 
 module FireJWT
+  class InvalidAuthTimeError < JWT::DecodeError; end
+
+  # Validator validates tokens applying guidelines outlined in
+  # https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library.
   class Validator
-    # @param [Hash] opts
-    # @option opts [String] :algorithm the expected algorithm. Default: RS256.
-    # @option opts [String] :aud verify the audience claim against the given value. Default: nil (= do not validate).
-    # @option opts [String] :iss verify the issuer claim against the given value. Default: nil (= do not verify).
-    # @option opts [String] :sub verify the subject claim against the given value. Default: nil (= do not verify).
-    # @option opts [Boolean] :verify_iat verify the issued at claim. Default: false.
-    # @option opts [Integer] :exp_leeway expiration leeway in seconds. Default: none.
-    def initialize(**opts)
-      @defaults = opts.dup
-      @keys = KeySet.new
+    # @param [String] project_id the unique identifier for your Firebase project, which can be found in the URL of that project's console.
+    def initialize(project_id)
+      project_id = project_id.to_s
+
+      @certs = Certificates.new
+      @opts  = {
+        algorithms: %w[RS256].freeze,
+
+        # exp must be in the future, iat must be in the past
+        verify_expiration: true,
+        verify_iat: true,
+
+        # aud must be your Firebase project ID
+        verify_aud: true, aud: project_id,
+
+        # iss must be "https://securetoken.google.com/<projectId>"
+        verify_iss:  true, iss: "https://securetoken.google.com/#{project_id}",
+      }
     end
 
     # @param [String] token the token string
-    # @param [Hash] opts options
-    # @option opts [Boolean] :allow_expired allow expired tokens. Default: false.
-    # @option opts [String] :algorithm the expected algorithm. Default: RS256.
-    # @option opts [String] :aud verify the audience claim against the given value. Default: nil (= do not validate).
-    # @option opts [String] :iss verify the issuer claim against the given value. Default: nil (= do not verify).
-    # @option opts [String] :sub verify the subject claim against the given value. Default: nil (= do not verify).
-    # @option opts [Boolean] :verify_iat verify the issued at claim. Default: false.
-    # @option opts [Integer] :exp_leeway expiration leeway in seconds. Default: none.
     # @return [FireJWT::Token] the token
     # @raises [JWT::DecodeError] validation errors
-    def decode(token, allow_expired: false, **opts)
-      opts = norm_opts(@defaults.merge(opts))
-      payload, header = JWT.decode token, nil, !allow_expired, opts do |header|
-        @keys.get(header['kid'])
+    def decode(token)
+      payload, header = JWT.decode token, nil, true, **@opts do |header|
+        @certs.get(header['kid'])
       end
-      Token.new(payload, header)
-    end
 
-    private
+      # sub must be a non-empty string
+      sub = payload['sub']
+      raise(JWT::InvalidSubError, 'Invalid subject. Expected non-empty string') unless sub.is_a?(String) && !sub.empty?
 
-    def norm_opts(opts)
-      opts[:verify_aud] = opts.key?(:aud) unless opts.key?(:verify_aud)
-      opts[:verify_iss] = opts.key?(:iss) unless opts.key?(:verify_iss)
-      opts[:verify_sub] = opts.key?(:sub) unless opts.key?(:verify_sub)
-      opts[:algorithm] ||= 'RS256'
-      opts
+      # auth_time must be in the past
+      aut = payload['auth_time']
+      raise(InvalidAuthTimeError, 'Invalid auth_time') if !aut.is_a?(Numeric) || aut.to_f > Time.now.to_f
+
+      Token.new(payload, header)
     end
   end
 end

data/spec/firejwt/{key_set_spec.rb → certificates_spec.rb}

@@ -1,28 +1,28 @@
 require 'spec_helper'
 
-RSpec.describe FireJWT::KeySet do
-  let! :keys_request do
+RSpec.describe FireJWT::Certificates do
+  let(:cert) { MockCert.new }
+
+  let! :http_request do
     stub_request(:get, described_class::URL.to_s).to_return(
       status: 200,
       headers: { expires: (Time.now + 3600).httpdate },
-      body: MOCK_RESPONSE.to_json,
+      body: cert.to_json,
     )
   end
 
-  it 'should init' do
-    expect(subject).to include(
-      MOCK_KID => instance_of(OpenSSL::PKey::RSA),
-    )
+  it 'inits' do
     expect(subject.expires_at).to be_within(10).of(Time.now + 3600)
     expect(subject).not_to be_expired
+    expect(http_request).to have_been_made
   end
 
-  it 'should retrieve keys' do
+  it 'retrieves keys' do
     expect(subject.get('BAD')).to be_nil
-    expect(subject.get(MOCK_KID)).to be_instance_of(OpenSSL::PKey::RSA)
+    expect(subject.get(cert.kid)).to be_instance_of(OpenSSL::PKey::RSA)
   end
 
-  it 'should check/update expiration status' do
+  it 'check/updates expiration status' do
     expect(subject).not_to be_expired
     subject.expire!
     expect(subject).to be_expired

data/spec/firejwt/validator_spec.rb

@@ -1,71 +1,86 @@
 require 'spec_helper'
 
 RSpec.describe FireJWT::Validator do
-  let! :keys_request do
-    stub_request(:get, FireJWT::KeySet::URL.to_s).to_return(
+  subject { described_class.new(project_id) }
+
+  let! :http_request do
+    stub_request(:get, FireJWT::Certificates::URL.to_s).to_return(
       status: 200,
       headers: { expires: (Time.now + 3600).httpdate },
-      body: MOCK_RESPONSE.to_json,
+      body: cert.to_json,
     )
   end
 
-  let :exp_time do
-    Time.now.to_i + 3600
-  end
-
-  let :token do
-    payload = {
-      sub: 'me@example.com',
-      aud: 'you',
-      iss: 'me',
-      exp: exp_time,
+  let :payload do
+    now = Time.now.to_i
+    {
+      'name'           => 'Me',
+      'picture'        => 'https://test.host/me.jpg',
+      'sub'            => 'MDYwNDQwNjUtYWQ0ZC00ZDkwLThl',
+      'user_id'        => 'MDYwNDQwNjUtYWQ0ZC00ZDkwLThl',
+      'aud'            => project_id,
+      'iss'            => 'https://securetoken.google.com/' << project_id,
+      'iat'            => now - 1800,
+      'exp'            => now + 3600,
+      'auth_time'      => now,
+      'email'          => 'me@example.com',
+      'email_verified' => true,
+      'firebase'       => {
+        'sign_in_provider' => 'google.com',
+        'identities'       => {
+          'google.com' => ['123123123123123123123'],
+          'email'      => ['me@example.com'],
+        },
+      },
     }
-    JWT.encode payload, MOCK_RSA, 'RS256', kid: MOCK_KID
   end
 
-  it 'should decode' do
+  let(:cert)       { MockCert.new }
+  let(:project_id) { 'mock-project' }
+  let(:token)      { JWT.encode payload, cert.pkey, 'RS256', kid: cert.kid }
+
+  it 'decodes' do
     decoded = subject.decode(token)
     expect(decoded).to be_instance_of(FireJWT::Token)
-    expect(decoded).to eq(
-      'sub' => 'me@example.com',
-      'aud' => 'you',
-      'iss' => 'me',
-      'exp' => exp_time,
-    )
+    expect(decoded).to eq(payload)
     expect(decoded.header).to eq(
       'alg' => 'RS256',
-      'kid' => 'e5a91d9f39fa4de254a1e89df00f05b7e248b985',
+      'kid' => cert.kid,
     )
+    expect(http_request).to have_been_made
   end
 
-  it 'should normalize options' do
-    expect(JWT).to receive(:decode).with(
-      instance_of(String),
-      nil,
-      true,
-      algorithm: 'RS256',
-      verify_aud: false,
-      verify_iss: false,
-      verify_sub: false,
-    ).and_return([{}, {}])
-    subject.decode(token)
-  end
-  it 'should reject bad tokens' do
+  it 'rejects bad tokens' do
     expect { subject.decode('BAD') }.to raise_error(JWT::DecodeError)
   end
 
-  it 'should verify audiences' do
-    expect(subject.decode(token, aud: 'you')).to be_instance_of(FireJWT::Token)
-    expect { subject.decode(token, aud: 'other') }.to raise_error(JWT::InvalidAudError)
+  it 'verifies exp' do
+    payload['exp'] = Time.now.to_i - 1
+    expect { subject.decode(token) }.to raise_error(JWT::ExpiredSignature)
+  end
+
+  it 'verifies iat' do
+    payload['iat'] = Time.now.to_i + 10
+    expect { subject.decode(token) }.to raise_error(JWT::InvalidIatError)
+  end
+
+  it 'verifies aud' do
+    payload['aud'] = 'other'
+    expect { subject.decode(token) }.to raise_error(JWT::InvalidAudError)
+  end
+
+  it 'verifies iss' do
+    payload['iss'] = 'other'
+    expect { subject.decode(token) }.to raise_error(JWT::InvalidIssuerError)
   end
 
-  it 'should verify issuers' do
-    expect(subject.decode(token, iss: 'me')).to be_instance_of(FireJWT::Token)
-    expect { subject.decode(token, iss: 'other') }.to raise_error(JWT::InvalidIssuerError)
+  it 'verifies sub' do
+    payload['sub'] = ''
+    expect { subject.decode(token) }.to raise_error(JWT::InvalidSubError)
   end
 
-  it 'should verify subjects' do
-    expect(subject.decode(token, sub: 'me@example.com')).to be_instance_of(FireJWT::Token)
-    expect { subject.decode(token, sub: 'other') }.to raise_error(JWT::InvalidSubError)
+  it 'verifies auth_time' do
+    payload['auth_time'] = Time.now.to_i + 10
+    expect { subject.decode(token) }.to raise_error(FireJWT::InvalidAuthTimeError)
   end
 end

data/spec/spec_helper.rb

@@ -4,8 +4,34 @@ require 'webmock/rspec'
 
 WebMock.disable_net_connect!
 
-MOCK_KID = 'e5a91d9f39fa4de254a1e89df00f05b7e248b985'.freeze
-MOCK_RSA = OpenSSL::PKey::RSA.new File.read(File.expand_path('../testdata/priv.pem', __dir__))
-MOCK_RESPONSE = {
-  MOCK_KID => File.read(File.expand_path('../testdata/cert.pem', __dir__)),
-}.freeze
+class MockCert
+  attr_reader :cert, :pkey
+
+  def initialize
+    @pkey = OpenSSL::PKey::RSA.new 2048
+    @cert = OpenSSL::X509::Certificate.new
+    @cert.version = 2
+    @cert.serial = 2605014480174073526
+    @cert.subject = OpenSSL::X509::Name.parse('/CN=securetoken.system.gserviceaccount.com')
+    @cert.issuer = @cert.subject
+    @cert.public_key = @pkey.public_key
+    @cert.not_before = Time.now
+    @cert.not_after = @cert.not_before + 3600
+
+    exts = OpenSSL::X509::ExtensionFactory.new
+    exts.subject_certificate = cert
+    exts.issuer_certificate = cert
+    @cert.add_extension(exts.create_extension('basicConstraints', 'CA:FALSE', true))
+    @cert.add_extension(exts.create_extension('keyUsage', 'Digital Signature', true))
+    @cert.add_extension(exts.create_extension('extendedKeyUsage', 'TLS Web Client Authentication', true))
+    @cert.sign(@pkey, OpenSSL::Digest.new('SHA256'))
+  end
+
+  def kid
+    @kid ||= Digest::SHA1.hexdigest(@cert.to_der)
+  end
+
+  def to_json(*)
+    { kid => @cert }.to_json
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: firejwt
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.3.2
 platform: ruby
 authors:
 - Black Square Media Ltd
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-06-11 00:00:00.000000000 Z
+date: 2021-07-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -53,7 +53,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rubocop
+  name: rubocop-bsm
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -87,29 +87,28 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/lint.yml"
+- ".github/workflows/test.yml"
 - ".gitignore"
 - ".rubocop.yml"
-- ".travis.yml"
 - Gemfile
 - Gemfile.lock
 - LICENSE
 - Makefile
 - README.md
 - Rakefile
+- ext_test.go
 - firejwt.gemspec
 - firejwt.go
 - firejwt_test.go
 - go.mod
 - go.sum
 - lib/firejwt.rb
-- lib/firejwt/key_set.rb
+- lib/firejwt/certificates.rb
 - lib/firejwt/validator.rb
-- opt.go
-- spec/firejwt/key_set_spec.rb
+- spec/firejwt/certificates_spec.rb
 - spec/firejwt/validator_spec.rb
 - spec/spec_helper.rb
-- testdata/cert.pem
-- testdata/priv.pem
 homepage: https://github.com/bsm/firejwt
 licenses:
 - Apache-2.0
@@ -129,11 +128,11 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.15
 signing_key: 
 specification_version: 4
 summary: Firebase JWT validation
 test_files:
-- spec/firejwt/key_set_spec.rb
+- spec/firejwt/certificates_spec.rb
 - spec/firejwt/validator_spec.rb
 - spec/spec_helper.rb