Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Implement verify method #48

Closed
wants to merge 4 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 7 additions & 5 deletions packages/dart_firebase_admin/lib/src/auth/token_verifier.dart
Original file line number Diff line number Diff line change
Expand Up @@ -305,6 +305,7 @@ class DecodedIdToken {

@internal
factory DecodedIdToken.fromMap(Map<String, Object?> map) {
final firebaseMap = Map<String, Object?>.from(map['firebase']! as Map);
return DecodedIdToken(
aud: map['aud']! as String,
authTime: DateTime.fromMillisecondsSinceEpoch(
Expand All @@ -314,11 +315,12 @@ class DecodedIdToken {
emailVerified: map['email_verified'] as bool?,
exp: map['exp']! as int,
firebase: TokenProvider(
identities: Map.from(map['firebase']! as Map),
signInProvider: map['sign_in_provider']! as String,
signInSecondFactor: map['sign_in_second_factor'] as String?,
secondFactorIdentifier: map['second_factor_identifier'] as String?,
tenant: map['tenant'] as String?,
identities: firebaseMap,
signInProvider: firebaseMap['sign_in_provider']! as String,
signInSecondFactor: firebaseMap['sign_in_second_factor'] as String?,
secondFactorIdentifier:
firebaseMap['second_factor_identifier'] as String?,
tenant: firebaseMap['tenant'] as String?,
),
iat: map['iat']! as int,
iss: map['iss']! as String,
Expand Down
40 changes: 36 additions & 4 deletions packages/dart_firebase_admin/lib/src/utils/jwt.dart
Original file line number Diff line number Diff line change
Expand Up @@ -96,9 +96,40 @@ class PublicKeySignatureVerifier implements SignatureVerifier {
final KeyFetcher keyFetcher;

@override
Future<bool> verify(String token) {
throw UnimplementedError();
// verifyJwtSignature(token);
Future<void> verify(String token) async {
try {
final jwt = JWT.decode(token);
final kid = jwt.header?['kid'] as String?;

if (kid == null) {
throw JwtError(
JwtErrorCode.noKidInHeader,
'no-kid-in-header-error',
);
}

final publicKeys = await keyFetcher.fetchPublicKeys();
final publicKey = publicKeys[kid];

if (publicKey == null) {
throw JwtError(
JwtErrorCode.noMatchingKid,
'no-matching-kid-error',
);
}
JWT.verify(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at what needs to be verified from https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library:

  • audience: already verified in FirebaseTokenVerifier._verifyContent()
  • issuer: already verified in FirebaseTokenVerifier._verifyContent()
  • sub: presence already verified in FirebaseTokenVerifier._verifyContent()
  • exp: unless I missed something, doesn't seem to be verified, but JWT.verify() will take care of it (this should be documented because for the sake of consistency we would have wanted to verify it in _verifyContent())
  • iat: doesn't seem to be verified either, JWT.verify() has the issueAt parameter but the way it handles it and verifies the token's iat confuses me, so I would actually recommend checking it in _verifyContent()

So in summary, the use of JWT.verify() without any parameter in the proposed implementation is consistent with the existing implementation, assuming 'iat' is verified in _verifyContent().

I would recommend removing the existing verifyJwtSignature() function and the commented-out line that invokes it.

token,
RSAPublicKey.cert(publicKey),
);
} on JWTExpiredException {
throw JwtError(
JwtErrorCode.tokenExpired,
'The provided token has expired. Get a fresh token from your client app and try again.',
);
} on JWTException catch (e) {
// TODO: Handle specific JWTException types to provide detailed error messages.
throw JwtError(JwtErrorCode.unknown, e.message);
}
}
}

Expand Down Expand Up @@ -160,7 +191,8 @@ enum JwtErrorCode {
invalidSignature('invalid-token'),
noMatchingKid('no-matching-kid-error'),
noKidInHeader('no-kid-error'),
keyFetchError('key-fetch-error');
keyFetchError('key-fetch-error'),
unknown('unknown');

const JwtErrorCode(this.value);

Expand Down
Loading