Skip to content

Adding in alpha interface for blocking token verification #1635

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 8 commits into from
Apr 19, 2022
Merged

Adding in alpha interface for blocking token verification #1635

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
1ab860d
adding in alpha interface
colerogers Apr 7, 2022
18b8504
adding token verifier & unit tests
colerogers Apr 8, 2022
b66ec5d
Merge remote-tracking branch 'origin/master' into colerogers.blocking…
colerogers Apr 8, 2022
a281b9b
remove old ref
colerogers Apr 8, 2022
80c0587
adding exports
colerogers Apr 12, 2022
5645a12
Merge remote-tracking branch 'origin/master' into colerogers.blocking…
colerogers Apr 13, 2022
2a93113
address pr comments
colerogers Apr 13, 2022
b540b1c
Merge branch 'master' into colerogers.blocking-tokens
colerogers Apr 19, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions src/auth/base-auth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ import { FirebaseTokenGenerator, EmulatedSigner, handleCryptoSignerError } from
import {
FirebaseTokenVerifier, createSessionCookieVerifier, createIdTokenVerifier,
DecodedIdToken,
DecodedAuthBlockingToken,
} from './token-verifier';
import {
AuthProviderConfig, SAMLAuthProviderConfig, AuthProviderConfigFilter, ListProviderConfigResults,
Expand Down Expand Up @@ -1055,6 +1056,20 @@ export abstract class BaseAuth {
return Promise.reject(new FirebaseAuthError(AuthClientErrorCode.INVALID_PROVIDER_ID));
}

/* eslint-disable */
/** @alpha */
public _verifyAuthBlockingToken(
token: string,
audience?: string
): Promise<DecodedAuthBlockingToken> {
const isEmulator = useEmulator();
return this.idTokenVerifier._verifyAuthBlockingToken(token, isEmulator, audience)
.then((decodedIdToken: DecodedAuthBlockingToken) => {
return decodedIdToken;
});
}
/* eslint-enable */

/**
* Verifies the decoded Firebase issued JWT is not revoked or disabled. Returns a promise that
* resolves with the decoded claims on success. Rejects the promise with revocation error if revoked
Expand Down
122 changes: 117 additions & 5 deletions src/auth/token-verifier.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -176,6 +176,82 @@ export interface DecodedIdToken {
[key: string]: any;
}

/** @alpha */
interface DecodedAuthBlockingSharedUserInfo {
uid: string;
display_name?: string;
email?: string;
photo_url?: string;
phone_number?: string;
}

/** @alpha */
interface DecodedAuthBlockingMetadata {
creation_time?: number;
last_sign_in_time?: number;
}

/** @alpha */
interface DecodedAuthBlockingUserInfo extends DecodedAuthBlockingSharedUserInfo {
provider_id: string;
}

/** @alpha */
interface DecodedAuthBlockingMfaInfo {
uid: string;
display_name?: string;
phone_number?: string;
enrollment_time?: string;
factor_id?: string;
}

/** @alpha */
interface DecodedAuthBlockingEnrolledFactors {
enrolled_factors?: DecodedAuthBlockingMfaInfo[];
}

/** @alpha */
interface DecodedAuthBlockingUserRecord extends DecodedAuthBlockingSharedUserInfo {
email_verified?: boolean;
disabled?: boolean;
metadata?: DecodedAuthBlockingMetadata;
password_hash?: string;
password_salt?: string;
provider_data?: DecodedAuthBlockingUserInfo[];
multi_factor?: DecodedAuthBlockingEnrolledFactors;
custom_claims?: any;
tokens_valid_after_time?: number;
tenant_id?: string;
[key: string]: any;
}

/** @alpha */
export interface DecodedAuthBlockingToken {
aud: string;
exp: number;
iat: number;
iss: string;
sub: string;
event_id: string;
event_type: string;
ip_address: string;
user_agent?: string;
locale?: string;
sign_in_method?: string;
user_record?: DecodedAuthBlockingUserRecord;
tenant_id?: string;
raw_user_info?: string;
sign_in_attributes?: {
[key: string]: any;
};
oauth_id_token?: string;
oauth_access_token?: string;
oauth_refresh_token?: string;
oauth_token_secret?: string;
oauth_expires_in?: number;
[key: string]: any;
}

// Audience to use for Firebase Auth Custom tokens
const FIREBASE_AUDIENCE = 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';

Expand Down Expand Up @@ -320,6 +396,34 @@ export class FirebaseTokenVerifier {
});
}

/* eslint-disable */
/** @alpha */
public _verifyAuthBlockingToken(
jwtToken: string,
isEmulator: boolean,
audience?: string): Promise<DecodedAuthBlockingToken> {
if (!validator.isString(jwtToken)) {
throw new FirebaseAuthError(
AuthClientErrorCode.INVALID_ARGUMENT,
`First argument to ${this.tokenInfo.verifyApiName} must be a ${this.tokenInfo.jwtName} string.`,
);
}

return this.ensureProjectId()
.then((projectId) => {
if (!audience) {
audience = `${projectId}.cloudfunctions.net/`;
}
return this.decodeAndVerify(jwtToken, projectId, isEmulator, audience);
})
.then((decoded) => {
const decodedIdToken = decoded.payload as DecodedAuthBlockingToken;
decodedIdToken.uid = decodedIdToken.sub;
return decodedIdToken;
});
}
/* eslint-enable */

private ensureProjectId(): Promise<string> {
return util.findProjectId(this.app)
.then((projectId) => {
Expand All @@ -334,10 +438,14 @@ export class FirebaseTokenVerifier {
})
}

private decodeAndVerify(token: string, projectId: string, isEmulator: boolean): Promise<DecodedToken> {
private decodeAndVerify(
token: string,
projectId: string,
isEmulator: boolean,
audience?: string): Promise<DecodedToken> {
return this.safeDecode(token)
.then((decodedToken) => {
this.verifyContent(decodedToken, projectId, isEmulator);
this.verifyContent(decodedToken, projectId, isEmulator, audience);
return this.verifySignature(token, isEmulator)
.then(() => decodedToken);
});
Expand Down Expand Up @@ -369,7 +477,8 @@ export class FirebaseTokenVerifier {
private verifyContent(
fullDecodedToken: DecodedToken,
projectId: string | null,
isEmulator: boolean): void {
isEmulator: boolean,
audience: string | undefined): void {
const header = fullDecodedToken && fullDecodedToken.header;
const payload = fullDecodedToken && fullDecodedToken.payload;

Expand Down Expand Up @@ -397,9 +506,12 @@ export class FirebaseTokenVerifier {
} else if (!isEmulator && header.alg !== ALGORITHM_RS256) {
errorMessage = `${this.tokenInfo.jwtName} has incorrect algorithm. Expected "` + ALGORITHM_RS256 + '" but got ' +
'"' + header.alg + '".' + verifyJwtTokenDocsMessage;
} else if (payload.aud !== projectId) {
} else if (audience && !(payload.aud as string).includes(audience)) {
errorMessage = `${this.tokenInfo.jwtName} has incorrect "aud" (audience) claim. Expected "` +
audience + '" but got "' + payload.aud + '".' + verifyJwtTokenDocsMessage;
} else if (!audience && payload.aud !== projectId) {
errorMessage = `${this.tokenInfo.jwtName} has incorrect "aud" (audience) claim. Expected "` +
projectId + '" but got "' + payload.aud + '".' + projectIdMatchMessage +
projectId + '" but got "' + payload.aud + '".' + projectIdMatchMessage +
verifyJwtTokenDocsMessage;
} else if (payload.iss !== this.issuer + projectId) {
errorMessage = `${this.tokenInfo.jwtName} has incorrect "iss" (issuer) claim. Expected ` +
Expand Down