Class: FirebaseIDToken::Validator

Inherits:
Object
  • Object
Defined in:
lib/firebase-id-token.rb

Constant Summary

FIREBASE_CERTS_URI =
'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com'
FIREBASE_CERTS_EXPIRY =

1 day

86400
FIREBASE_ISSUERS_PREFIX =
'https://securetoken.google.com/'

Instance Method Summary

Constructor Details

#initialize(keyopts = {}) ⇒ Validator

Returns a new instance of Validator.



# File 'lib/firebase-id-token.rb', line 46

# Builds a validator, choosing where its verification certificates come from.
#
# @param keyopts [Hash] optional settings
#   - :x509_cert  a certificate to use as the only cached entry (stored under
#                 the key :_); selects the :literal mode
#   - :expiry     value stored in @certs_expiry; defaults to
#                 FIREBASE_CERTS_EXPIRY
# @return [Validator]
def initialize(keyopts = {})
  pinned_cert = keyopts[:x509_cert]

  # A :jwk_uri option (mode :jwk, empty cert cache) is a TODO and is not
  # handled yet; anything other than :x509_cert falls through to :old_skool.
  @certs_mode, @certs =
    if pinned_cert
      [:literal, { :_ => pinned_cert }]
    else
      # Start with an empty cache.
      # NOTE(review): presumably filled later by refresh_certs — confirm.
      [:old_skool, {}]
    end

  # NOTE(review): how @certs_expiry bounds the lifetime of cached certs is not
  # visible in this method — confirm against the refresh logic.
  @certs_expiry = keyopts.fetch(:expiry, FIREBASE_CERTS_EXPIRY)
end

Instance Method Details

#check(token, aud) ⇒ Hash

If it validates, returns a hash with the JWT payload from the ID Token.

You have to provide an "aud" value, which must match the
token's field with that name.
Furthermore, the token's "iss" field must be
"https://securetoken.google.com/<aud>".

If something fails, raises an error

Parameters:

  • token (String)

    The string form of the token

  • aud (String)

    The required audience value

Returns:

  • (Hash)

    The decoded ID token



# File 'lib/firebase-id-token.rb', line 76

# Verifies an ID token and returns its payload.
#
# The cached certificates are tried first. If none of them yields a payload,
# the certificates are refreshed once and the check is repeated.
#
# @param token [String] the string form of the token
# @param aud [String] the required audience value
# @return [Hash] the payload returned by check_cached_certs
# @raise [CertificateError] if refresh_certs returns a falsy value
# @raise [SignatureError] if the token still does not verify after a refresh
def check(token, aud)
  verified = check_cached_certs(token, aud)
  return verified if verified

  # No cached cert worked; the certs may have expired, so refresh them.
  # NOTE(review): every token that fails against the cache reaches
  # refresh_certs. If that performs a network fetch (not visible here),
  # unauthenticated callers can trigger one per bad token — confirm that
  # refresh_certs or the caller throttles this.
  raise CertificateError, 'Unable to retrieve Firebase public keys' unless refresh_certs

  verified = check_cached_certs(token, aud)
  raise SignatureError, 'Token not verified as issued by Firebase' unless verified

  verified
end