Auth#verifyIdToken always throws unimplemented error

[zacharypuulsedev]

Version 0.3.0

I know it's an early build, so just drawing attention to a blocking feature for wider adoption. We use verifyIdToken to verify requests from clients before performing requests using admin functionality or firestore.

Unfortunately, I don't have enough familiarity with the jwt spec and library design to understand what the jwtKey and other missing params are at src/utils/jwt.dart:100.

Issue:
Auth#verifyIdToken always throws unimplemented error.

Reproduce:

final FirebaseAdminApp admin =  await FirebaseAdminInitialization(container).initialize();
final auth = Auth(admin);
final idToken = await auth.verifyIdToken(jwt);
await admin.close();

StackTrace:

#0      PublicKeySignatureVerifier.verify (package:dart_firebase_admin/src/utils/jwt.dart:100)
#1      FirebaseTokenVerifier._verifySignature (package:dart_firebase_admin/src/auth/token_verifier.dart:119)
#2      FirebaseTokenVerifier._decodeAndVerify (package:dart_firebase_admin/src/auth/token_verifier.dart:101)
<asynchronous suspension>
#3      FirebaseTokenVerifier.verifyJWT (package:dart_firebase_admin/src/auth/token_verifier.dart:76)
<asynchronous suspension>
#4      _BaseAuth.verifyIdToken (package:dart_firebase_admin/src/auth/base_auth.dart:360)

[niklasbartsch]

You are not alone ➕

[niklasbartsch]

@zacharypuulsedev does it work with a different version?

[zacharypuulsedev]

@zacharypuulsedev does it work with a different version?
From this v0.2 commit, it's not implemented there

[rrousselGit]

I'll look into it. Looks like an oversight

[markbreuss]

This Feature is blocking us as well to use this package at the Moment. We would also be open to sponsorship if this helps someone to dedicate more time on this.

[guccisekspir]

same

[Fraa-124]

@rrousselGit, this issue and #16 are preventing the use of the Firebase Admin Dart package.

[labrom]

Should the verifyIdToken check mark be removed from the README in the meantime?

[lukepighetti]

Should the verifyIdToken check mark be removed from the README in the meantime?

#53

[lukepighetti]

I'm using this for now! https://pub.dev/packages/validate_firebase_auth

has the added benefit of not needing a service account json file. just the project id. i cannot comment on the security

import 'package:sep_server/di.dart';
import 'package:validate_firebase_auth/validate_firebase_auth.dart';

class AuthService {
  final validator = FirebaseAuthValidator();

  Future<void> initialize() async {
    await validator.init(projectId: di.config.fbProjectId);
  }

  Future<bool> tokenValid(String? token) async {
    if (token == null) return false;
    final idToken = await validator.validate(token);
    return !idToken.expired;
  }
}

extension on IdToken {
  DateTime get looseExpiry => claims.expiry.add(Duration(hours: 6));
  bool get expired => DateTime.now().isAfter(looseExpiry);
}