Class: FirebaseIdToken::Signature

Inherits:

Object

• Object
• FirebaseIdToken::Signature

Defined in:

lib/firebase_id_token/signature.rb

Overview

Deals with verifying if a given Firebase ID Token is signed by one of the Google's x509 certificates that Firebase uses.

Also checks if the resulting JWT payload hash matches with:

• exp Expiration time
• iat Issued at time
• User's Firebase Project ID
• Non-empty UID

Verifying a Firebase ID Token

Be sure to configure the gem to set your Firebase Project ID and a Redis server before move any forward.

See the README for a complete guide.

WARNING: Trying to verify a token without any certificate saved in Redis certificates database raises a Exceptions::NoCertificatesError.

Examples:

FirebaseIdToken::Signature.verify(thrusty_token)
=> {"iss"=>"https://securetoken.google.com/your-project-id", [...]}

FirebaseIdToken::Signature.verify(fake_token)
=> nil

See Also:

• #verify

Constant Summary

JWT_DEFAULTS =

Pre-default JWT algorithm parameters as recommended here.

{ algorithm: 'RS256', verify_iat: true }

Instance Attribute Summary

• #firebase_id_token_certificates ⇒ Object

  Returns the value of attribute firebase_id_token_certificates.

Class Method Summary

• .verify(jwt_token, raise_error: false) ⇒ nil, Hash

  Returns the decoded JWT hash payload of the Firebase ID Token if the signature in the token matches with one of the certificates downloaded by Certificates.request, returns nil otherwise.

• .verify!(jwt_token) ⇒ Hash

  Equivalent to .verify(jwt_token, raise_error: true).

Instance Method Summary

• #initialize(jwt_token, raise_error: false) ⇒ Signature constructor

  Loads attributes: :project_ids from Configuration, and :kid, :jwt_token from the related jwt_token.

• #verify ⇒ Object

Constructor Details

#initialize(jwt_token, raise_error: false) ⇒ Signature

Loads attributes: :project_ids from Configuration, and :kid, :jwt_token from the related jwt_token.

Parameters:

• jwt_token (String) —

  Firebase ID Token

# File 'lib/firebase_id_token/signature.rb', line 71

def initialize(jwt_token, raise_error: false)
  @raise_error = raise_error
  @project_ids = FirebaseIdToken.configuration.project_ids
  @kid = extract_kid(jwt_token)
  @jwt_token = jwt_token
  @firebase_id_token_certificates = FirebaseIdToken.configuration.certificates
end

Instance Attribute Details

#firebase_id_token_certificates ⇒ Object

Returns the value of attribute firebase_id_token_certificates.

# File 'lib/firebase_id_token/signature.rb', line 66

def firebase_id_token_certificates
  @firebase_id_token_certificates
end

Class Method Details

.verify(jwt_token, raise_error: false) ⇒ nil, Hash

Returns the decoded JWT hash payload of the Firebase ID Token if the signature in the token matches with one of the certificates downloaded by Certificates.request, returns nil otherwise.

It will also return nil when it fails in checking if all the required JWT fields are valid, as recommended here by Firebase official documentation.

Note that it will raise a Exceptions::NoCertificatesError if the Redis certificates database is empty. Ensure to call Certificates.request before, ideally in a background job if you are using Rails.

If you would like this to raise and error, rather than silently failing, you can with the raise_error parameter. Example:

FirebaseIdToken::Signature .verify(token, raise_error: Rails.env.development?)

Parameters:

• raise_error (Boolean) (defaults to: false) —

  default: false

Returns:

• (nil, Hash)

# File 'lib/firebase_id_token/signature.rb', line 54

def self.verify(jwt_token, raise_error: false)
  new(jwt_token, raise_error: raise_error).verify
end

.verify!(jwt_token) ⇒ Hash

Equivalent to .verify(jwt_token, raise_error: true).

Returns:

• (Hash)

See Also:

• {Signature{Signature.verify}

# File 'lib/firebase_id_token/signature.rb', line 62

def self.verify!(jwt_token)
  new(jwt_token, raise_error: true).verify
end

Instance Method Details

#verify ⇒ Object

See Also:

• verify

# File 'lib/firebase_id_token/signature.rb', line 80

def verify
  var_name = :_firebase_id_token_cert
  Thread.current[var_name] ||= {
    cert: nil,
    expires_at: Time.now.utc - 1
  }

  if Thread.current[var_name][:expires_at] <= Time.now.utc
    Thread.current[var_name] = {
      cert: firebase_id_token_certificates.find(@kid, raise_error: @raise_error),
      expires_at: Time.now.utc + firebase_id_token_certificates.ttl
    }
  end

  certificate = Thread.current[var_name][:cert]
  return unless certificate

  payload = decode_jwt_payload(@jwt_token, certificate.public_key)
  authorize payload
end