Class: FirebaseIdToken::Signature

Inherits:
Object
  • Object
show all
Defined in:
lib/firebase_id_token/signature.rb

Overview

Deals with verifying if a given Firebase ID Token is signed by one of the Google's x509 certificates that Firebase uses.

Also checks if the resulting JWT payload hash matches with:

  • exp Expiration time
  • iat Issued at time
  • User's Firebase Project ID
  • Non-empty UID

Verifying a Firebase ID Token

Be sure to configure the gem to set your Firebase Project ID and a Redis server before move any forward.

See the README for a complete guide.

WARNING: Trying to verify a token without any certificate saved in Redis certificates database raises a Exceptions::NoCertificatesError.

Examples:

FirebaseIdToken::Signature.verify(thrusty_token)
=> {"iss"=>"https://securetoken.google.com/your-project-id", [...]}

FirebaseIdToken::Signature.verify(fake_token)
=> nil

See Also:

Constant Summary collapse

JWT_DEFAULTS =

Pre-default JWT algorithm parameters as recommended here.

{ algorithm: 'RS256', verify_iat: true }

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(jwt_token, raise_error: false) ⇒ Signature

Loads attributes: :project_ids from Configuration, and :kid, :jwt_token from the related jwt_token.

Parameters:

  • jwt_token (String)

    Firebase ID Token



71
72
73
74
75
76
77
 
# File 'lib/firebase_id_token/signature.rb', line 71

def initialize(jwt_token, raise_error: false)
  @raise_error = raise_error
  @project_ids = FirebaseIdToken.configuration.project_ids
  @kid = extract_kid(jwt_token)
  @jwt_token = jwt_token
  @firebase_id_token_certificates = FirebaseIdToken.configuration.certificates
end

Instance Attribute Details

#firebase_id_token_certificatesObject

Returns the value of attribute firebase_id_token_certificates.



66
67
68
 
# File 'lib/firebase_id_token/signature.rb', line 66

def firebase_id_token_certificates
  @firebase_id_token_certificates
end

Class Method Details

.verify(jwt_token, raise_error: false) ⇒ nil, Hash

Returns the decoded JWT hash payload of the Firebase ID Token if the signature in the token matches with one of the certificates downloaded by Certificates.request, returns nil otherwise.

It will also return nil when it fails in checking if all the required JWT fields are valid, as recommended here by Firebase official documentation.

Note that it will raise a Exceptions::NoCertificatesError if the Redis certificates database is empty. Ensure to call Certificates.request before, ideally in a background job if you are using Rails.

If you would like this to raise and error, rather than silently failing, you can with the raise_error parameter. Example:

FirebaseIdToken::Signature .verify(token, raise_error: Rails.env.development?)

Parameters:

  • raise_error (Boolean) (defaults to: false)

    default: false

Returns:

  • (nil, Hash) 


54
55
56
 
# File 'lib/firebase_id_token/signature.rb', line 54

def self.verify(jwt_token, raise_error: false)
  new(jwt_token, raise_error: raise_error).verify
end

.verify!(jwt_token) ⇒ Hash

Equivalent to .verify(jwt_token, raise_error: true).

Returns:

  • (Hash)

See Also:

  • {Signature{Signature.verify}


62
63
64
 
# File 'lib/firebase_id_token/signature.rb', line 62

def self.verify!(jwt_token)
  new(jwt_token, raise_error: true).verify
end

Instance Method Details

#verifyObject

See Also:



80
81
82
83
84
85
86
 
# File 'lib/firebase_id_token/signature.rb', line 80

def verify
  certificate = firebase_id_token_certificates.find(@kid, raise_error: @raise_error)
  return unless certificate

  payload = decode_jwt_payload(@jwt_token, certificate.public_key)
  authorize payload
end