rack-firebase 0.1.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3dcb76b9dd459436772a9058c79c1fda81de49e4b1ce0c76e74e6611a96718d3
-  data.tar.gz: 9e15447178511fe28a6e367ae2a1ce97fd7c4664d416cca36a507b90055a3e6c
+  metadata.gz: 8e56bf82dd7ed836213b95db8e833c94c06c020ba654d4d132c7659dbc30ffbc
+  data.tar.gz: 888ed5477400ef8ba5f5deb9650076b5d2d88554fc750c7e888a8a7780f56267
 SHA512:
-  metadata.gz: 9786153f3cc1e21470bf30df88b1cb06c54dbf4f5f3f1e12d738dee189e373da35b2a98e3f8e03ca558cbd33735a7e828f25cdaf529f87c874991b94d6702d97
-  data.tar.gz: 910c6ab79bf38b4634278f5710ba42de25a9f81bba5bd3a8590bfcd8671a6a3e30b157ea5e9db974245c87119e774799132034a5c4a14c289a7564fafc0e5dff
+  metadata.gz: be204dc9f7da121a6c72d3f34ad8d74f767e55ac25d357cd9b96588a980501620af57b4678d952f5803f2487f1d456f2d3b06995b94451f4e1f37d21ae078277
+  data.tar.gz: 87b20058c4410c576c0fadc2127c91c9860d16419a8b5bd3cae854e41ff1c613d728d66fb1341d5561ac32b5d8d29ff6c72528340fa812f0c976d2156f5d3c47

data/README.md

@@ -1,6 +1,6 @@
 # Rack Firebase Middleware
 
-[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](code_of_conduct.md)
+[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](code_of_conduct.md) [![Gem Version](https://badge.fury.io/rb/rack-firebase.svg)](https://rubygems.org/gems/rack-firebase)
 
 
 A rack middleware for verifying ID tokens from Google's Firebase. It provides token decoding and verification using [Firebase's 3rd Party Verification constraints](https://firebase.google.com/docs/auth/admin/verify-id-tokens?hl=en&authuser=3#verify_id_tokens_using_a_third-party_jwt_library).
@@ -70,6 +70,85 @@ end
 
 From here, you can invoke `authenticate_user!` to ensure the token subject is actually a user in your application and use `current_user` to scope your requests or handle more granular authorization.
 
+### Testing
+
+In order to test your authenticated routes, you'll need to provide a valid token in the authorization header.
+
+Since Firebase typically issues signed tokens using their certificates, this can make it difficult to test your authenticated routes with valid tokens.
+
+As such, some test helpers are provided to help faciliate automated testing.
+
+> Note: For manual testing, it is recommended to create a test-specific user in your Firebase project and test the full authentication flow with your routes.
+
+#### Mocking requests for public keys
+
+There are two options for mocking the requests from Google; choose the one that best fits your testing library and needs:
+
+1. Explicitly start and stop firebase mocks, or
+2. Wrap each example that needs to be mocked.
+
+```ruby
+# Require the test helpers
+require "rack/firebase/test_helpers"
+
+describe "your request specs" do
+  # Explicitly mock before/after
+  before { Rack::Firebase::TestHelpers.mock_start }
+  after { Rack::Firebase::TestHelpers.mock_end }
+
+  # Or wrap each example
+  # This is for RSpec only! Use setup/teardown or before/after with the explicit mock for Minitest.
+  around(:example) do |example|
+    Rack::Firebase::TestHelpers.mock_signature_verification do
+      example.run
+    end
+  end
+end
+```
+
+Optionally, you can pass minutes as a number to `mock_start` to overwrite when the cache key should be refreshed. By default, this is set to `5000`, or approximately 83 minutes.
+
+#### Generating Tokens
+
+A test helper is provided that will generate a valid token and add it to your request headers for your specs.
+
+```ruby
+# Require the test helpers
+require "rack/firebase/test_helpers"
+
+it "tests something" do
+  user = fetch_user() # this presumes your user has a `uid`!
+  headers = { "Accept" => "application/json", "Content-Type" => "application/json" }
+
+  # This will generate a valid token and add it to your headers
+  auth_headers = Rack::Firebase::TestHelpers.auth_headers(headers, user.uid)
+
+  get "/", headers: auth_headers
+
+  expect(last_response).to be_ok
+end
+```
+
+##### Customizing
+
+By default, the token will be created using the first project ID provided in your configuration. If your app is configured for multiple projects and you wish to test one of the other projects, you can optionally add the `aud` to the arguments:
+
+```ruby
+Rack::Firebase::TestHelpers.auth_headers(headers, user.uid, aud: "different-project")
+```
+
+There is a fourth arg that takes a hash of options that will let you alter the payload.
+
+> Caution: it is possible for provided options to produce invalid tokens.
+
+| argument | description | default |
+| --- | --- | --- |
+| email | User's email address used for authentication. Added to the payload as `email` and included in the array of email identities in `firebase.identities.email` | test@test.com |
+| verified | Denotes if the email used to sign in is verified by the user | false |
+| auth_time | The last authentication time recorded by Google | Current time |
+| iat | Denotes the time the token was issued. When iat is provided, but not an auth time, the auth time is also set to the iat time. | Current time |
+| exp | Denotes when the token expires | Current time + 5000 |
+
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub.

data/lib/rack/firebase/configuration.rb

@@ -1,7 +1,7 @@
 module Rack
   module Firebase
     class Configuration
-      attr_accessor :project_ids
+      attr_accessor :project_ids, :public_routes
 
       def initialize
         reset!
@@ -9,6 +9,7 @@ module Rack
 
       def reset!
         @project_ids = []
+        @public_routes = []
       end
     end
   end

data/lib/rack/firebase/error.rb

@@ -1,6 +1,7 @@
 module Rack
   module Firebase
     class InvalidSubError < StandardError; end
+
     class InvalidAuthTimeError < StandardError; end
   end
 end

data/lib/rack/firebase/middleware.rb

@@ -4,8 +4,6 @@ require "net/http"
 module Rack
   module Firebase
     class Middleware
-      ALG = "RS256".freeze
-      CERTIFICATE_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com".freeze
       USER_UID = "firebase.user.uid"
 
       def initialize(app)
@@ -18,39 +16,37 @@ module Rack
       end
 
       def call(env)
-        token = AuthorizationHeader.read_token(env)
-        decoded_token, _ = JWT.decode(
-          token, nil, true,
-          {
-            jwks: jwt_loader,
-            algorithm: ALG,
-            verify_iat: true,
-            verify_aud: true, aud: config.project_ids,
-            verify_iss: true, iss: firebase_issuers
-          }
-        )
+        path = env.fetch("PATH_INFO", "no-match")
+        if config.public_routes.none? { |r| r.match(path) }
+          begin
+            token = AuthorizationHeader.read_token(env)
+            decoded_token = TokenDecoder.new.call(token)
 
-        raise Rack::Firebase::InvalidSubError.new("Invalid subject") if decoded_token["sub"].nil? || decoded_token["sub"] == ""
-        raise Rack::Firebase::InvalidAuthTimeError.new("Invalid auth time") unless decoded_token["auth_time"] <= Time.now.to_i
+            raise Rack::Firebase::InvalidSubError.new("Invalid subject") if decoded_token["sub"].nil? || decoded_token["sub"] == ""
+            raise Rack::Firebase::InvalidAuthTimeError.new("Invalid auth time") unless decoded_token["auth_time"] <= Time.now.to_i
 
-        env[USER_UID] = decoded_token["sub"]
-        @app.call(env)
-      rescue JWT::JWKError => error # Issues with fetched JWKs
-        error_responder.call(error, "unauthorized")
-      rescue JWT::ExpiredSignature => error # Token has expired
-        error_responder.call(error, "expired")
-      rescue JWT::InvalidIatError => error # invalid issued at claim (iat)
-        error_responder.call(error, "unauthorized")
-      rescue JWT::InvalidIssuerError => error # invalid issuer
-        error_responder.call(error, "unauthorized")
-      rescue JWT::InvalidAudError => error # invalid audience
-        error_responder.call(error, "unauthorized")
-      rescue JWT::DecodeError => error # General JWT error
-        error_responder.call(error, "unauthorized")
-      rescue Rack::Firebase::InvalidSubError => error # subject is empty or missing
-        error_responder.call(error, "unauthorized")
-      rescue Rack::Firebase::InvalidAuthTimeError => error # auth time is in the future
-        error_responder.call(error, "unauthorized")
+            env[USER_UID] = decoded_token["sub"]
+            @app.call(env)
+          rescue JWT::JWKError => error # Issues with fetched JWKs
+            error_responder.call(error, "unauthorized")
+          rescue JWT::ExpiredSignature => error # Token has expired
+            error_responder.call(error, "expired")
+          rescue JWT::InvalidIatError => error # invalid issued at claim (iat)
+            error_responder.call(error, "unauthorized")
+          rescue JWT::InvalidIssuerError => error # invalid issuer
+            error_responder.call(error, "unauthorized")
+          rescue JWT::InvalidAudError => error # invalid audience
+            error_responder.call(error, "unauthorized")
+          rescue JWT::DecodeError => error # General JWT error
+            error_responder.call(error, "unauthorized")
+          rescue Rack::Firebase::InvalidSubError => error # subject is empty or missing
+            error_responder.call(error, "unauthorized")
+          rescue Rack::Firebase::InvalidAuthTimeError => error # auth time is in the future
+            error_responder.call(error, "unauthorized")
+          end
+        else
+          @app.call(env)
+        end
       end
 
       private

data/lib/rack/firebase/test_helpers.rb

@@ -0,0 +1,57 @@
+module Rack
+  module Firebase
+    module TestHelpers
+      def self.auth_headers(headers, uid, aud: nil, options: {})
+        cached_current_time = Time.now.to_i
+        aud ||= Rack::Firebase.configuration.project_ids.first
+
+        payload = {
+          iss: "https://securetoken.google.com/#{aud}",
+          aud: aud,
+          auth_time: options[:auth_time] || options[:iat] || cached_current_time,
+          user_id: uid,
+          sub: uid,
+          iat: options[:iat] || cached_current_time,
+          exp: options[:exp] || cached_current_time + 5000,
+          email: options[:email] || "test@test.com",
+          email_verified: !!options[:verified],
+          firebase: {
+            identities: {
+              email: [
+                options[:email],
+                "test@test.com"
+              ]
+            },
+            sign_in_provider: "password"
+          }
+        }
+        token = JWT.encode(payload, secret_key, Rack::Firebase::ALG, kid: "1234567890")
+        headers = headers.dup
+        headers["Authorization"] = "Bearer #{token}"
+        headers
+      end
+
+      def self.mock_start(expires_in = 5000)
+        Rack::Firebase.instance_variable_set(:@cached_keys, [JWT::JWK::RSA.new(secret_key.public_key, kid: "1234567890")])
+        Rack::Firebase.instance_variable_set(:@refresh_cache_by, Time.now.to_i + expires_in)
+      end
+
+      def self.mock_signature_verification
+        mock_start
+        yield
+        mock_end
+      end
+
+      def self.mock_end
+        Rack::Firebase.instance_variable_set(:@cached_keys, nil)
+        Rack::Firebase.instance_variable_set(:@refresh_cache_by, nil)
+      end
+
+      private_class_method
+
+      def self.secret_key
+        @secret_key ||= OpenSSL::PKey::RSA.generate(2048)
+      end
+    end
+  end
+end

data/lib/rack/firebase/token_decoder.rb

@@ -0,0 +1,35 @@
+require "jwt"
+require "net/http"
+require "rack/firebase"
+
+module Rack
+  module Firebase
+    class TokenDecoder
+      attr_accessor :config, :jwt_loader
+
+      def initialize
+        @jwt_loader = FIREBASE_KEY_LOADER
+        @config = Rack::Firebase.configuration
+      end
+
+      def call(token)
+        JWT.decode(
+          token, nil, true,
+          {
+            jwks: jwt_loader,
+            algorithm: ALG,
+            verify_iat: true,
+            verify_aud: true, aud: config.project_ids,
+            verify_iss: true, iss: firebase_issuers
+          }
+        )[0]
+      end
+
+      def firebase_issuers
+        config.project_ids.map { |project_id|
+          "https://securetoken.google.com/#{project_id}"
+        }
+      end
+    end
+  end
+end

data/lib/rack/firebase/version.rb

@@ -1,5 +1,5 @@
 module Rack
   module Firebase
-    VERSION = "0.1.0"
+    VERSION = "0.3.0"
   end
 end

data/lib/rack/firebase.rb

@@ -14,8 +14,31 @@ module Rack
     def self.configure
       yield configuration
     end
+
+    ALG = "RS256".freeze
+    CERTIFICATE_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com".freeze
+    FIREBASE_KEY_LOADER = lambda do |options|
+      if options[:kid_not_found] || (@refresh_cache_by.to_i < Time.now.to_i + 3600)
+        @cached_keys = nil
+      end
+
+      @cached_keys ||= begin
+        response = ::Net::HTTP.get_response(URI(CERTIFICATE_URL))
+        cache_control = response["Cache-Control"]
+
+        expires_in = cache_control.match(/max-age=([0-9]+)/).captures.first.to_i
+        @refresh_cache_by = Time.now.to_i + expires_in
+
+        json = JSON.parse(response.body)
+        json.map do |kid, cert_string|
+          key = OpenSSL::X509::Certificate.new(cert_string).public_key
+          JWT::JWK::RSA.new(key, kid: kid)
+        end
+      end
+    end
   end
 end
 require "rack/firebase/error"
 require "rack/firebase/authorization_header"
+require "rack/firebase/token_decoder"
 require "rack/firebase/middleware"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-firebase
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Laura Mosher
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-12-31 00:00:00.000000000 Z
+date: 2023-01-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.14'
+        version: '3.12'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.14'
+        version: '3.12'
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
@@ -100,14 +100,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.9.0
+        version: 1.20.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.9.0
+        version: 1.20.0
 description: A simple, lightweight Rack middleware to verify Firebase tokens.
 email: laura@mosher.tech
 executables: []
@@ -121,6 +121,8 @@ files:
 - lib/rack/firebase/configuration.rb
 - lib/rack/firebase/error.rb
 - lib/rack/firebase/middleware.rb
+- lib/rack/firebase/test_helpers.rb
+- lib/rack/firebase/token_decoder.rb
 - lib/rack/firebase/version.rb
 homepage: https://github.com/lauramosher/rack-firebase
 licenses:
@@ -141,7 +143,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.4.1
 signing_key: 
 specification_version: 4
 summary: Verify Firebase ID Tokens in Middleware