honojs-middleware/packages/firebase-auth/src/index.ts

import { getCookie } from 'hono/cookie'
import type { KeyStorer, FirebaseIdToken } from 'firebase-auth-cloudflare-workers'
import { Auth, WorkersKVStoreSingle } from 'firebase-auth-cloudflare-workers'
import type { Context, MiddlewareHandler } from 'hono'
import { HTTPException } from 'hono/http-exception'

export type VerifyFirebaseAuthEnv = {
  PUBLIC_JWK_CACHE_KEY?: string | undefined
  PUBLIC_JWK_CACHE_KV?: KVNamespace | undefined
  FIREBASE_AUTH_EMULATOR_HOST: string | undefined
}

export interface VerifyFirebaseAuthConfig {
  projectId: string
  authorizationHeaderKey?: string
  keyStore?: KeyStorer
  keyStoreInitializer?: (c: Context) => KeyStorer
  disableErrorLog?: boolean
  firebaseEmulatorHost?: string
}

const defaultKVStoreJWKCacheKey = 'verify-firebase-auth-cached-public-key'
const defaultKeyStoreInitializer = (c: Context<{ Bindings: VerifyFirebaseAuthEnv }>): KeyStorer => {
  if (c.env.PUBLIC_JWK_CACHE_KV === undefined) {
    const res = new Response('Not Implemented', {
      status: 501,
    })
    throw new HTTPException(res.status, { res })
  }
  return WorkersKVStoreSingle.getOrInitialize(
    c.env.PUBLIC_JWK_CACHE_KEY ?? defaultKVStoreJWKCacheKey,
    c.env.PUBLIC_JWK_CACHE_KV
  )
}

export const verifyFirebaseAuth = (userConfig: VerifyFirebaseAuthConfig): MiddlewareHandler => {
  const config = {
    projectId: userConfig.projectId,
    authorizationHeaderKey: userConfig.authorizationHeaderKey ?? 'Authorization',
    keyStore: userConfig.keyStore,
    keyStoreInitializer: userConfig.keyStoreInitializer ?? defaultKeyStoreInitializer,
    disableErrorLog: userConfig.disableErrorLog,
    firebaseEmulatorHost: userConfig.firebaseEmulatorHost,
  } satisfies VerifyFirebaseAuthConfig

  // TODO(codehex): will be supported
  const checkRevoked = false

  return async (c, next) => {
    const authorization = c.req.raw.headers.get(config.authorizationHeaderKey)
    if (authorization === null) {
      const res = new Response('Bad Request', {
        status: 400,
      })
      throw new HTTPException(res.status, { res, message: 'authorization header is empty' })
    }
    const jwt = authorization.replace(/Bearer\s+/i, '')
    const auth = Auth.getOrInitialize(
      config.projectId,
      config.keyStore ?? config.keyStoreInitializer(c)
    )

    try {
      const idToken = await auth.verifyIdToken(jwt, checkRevoked, {
        FIREBASE_AUTH_EMULATOR_HOST:
          config.firebaseEmulatorHost ?? c.env.FIREBASE_AUTH_EMULATOR_HOST,
      })
      setFirebaseToken(c, idToken)
    } catch (err) {
      if (!userConfig.disableErrorLog) {
        console.error({
          message: 'failed to verify the requested firebase token',
          err,
        })
      }

      const res = new Response('Unauthorized', {
        status: 401,
      })
      throw new HTTPException(res.status, {
        res,
        message: `failed to verify the requested firebase token: ${String(err)}`,
      })
    }
    await next()
  }
}

const idTokenContextKey = 'firebase-auth-cloudflare-id-token-key'

const setFirebaseToken = (c: Context, idToken: FirebaseIdToken) => c.set(idTokenContextKey, idToken)

export const getFirebaseToken = (c: Context): FirebaseIdToken | null => {
  const idToken = c.get(idTokenContextKey)
  if (!idToken) {
    return null
  }
  return idToken
}

export interface VerifySessionCookieFirebaseAuthConfig {
  projectId: string
  cookieName?: string
  keyStore?: KeyStorer
  keyStoreInitializer?: (c: Context) => KeyStorer
  firebaseEmulatorHost?: string
  redirects: {
    signIn: string
  }
}

export const verifySessionCookieFirebaseAuth = (
  userConfig: VerifySessionCookieFirebaseAuthConfig
): MiddlewareHandler => {
  const config = {
    projectId: userConfig.projectId,
    cookieName: userConfig.cookieName ?? 'session',
    keyStore: userConfig.keyStore,
    keyStoreInitializer: userConfig.keyStoreInitializer ?? defaultKeyStoreInitializer,
    firebaseEmulatorHost: userConfig.firebaseEmulatorHost,
    redirects: userConfig.redirects,
  } satisfies VerifySessionCookieFirebaseAuthConfig

  // TODO(codehex): will be supported
  const checkRevoked = false

  return async (c, next) => {
    const auth = Auth.getOrInitialize(
      config.projectId,
      config.keyStore ?? config.keyStoreInitializer(c)
    )
    const session = getCookie(c, config.cookieName)
    if (session === undefined) {
      const res = c.redirect(config.redirects.signIn)
      throw new HTTPException(res.status, { res, message: 'session is empty' })
    }

    try {
      const idToken = await auth.verifySessionCookie(session, checkRevoked, {
        FIREBASE_AUTH_EMULATOR_HOST:
          config.firebaseEmulatorHost ?? c.env.FIREBASE_AUTH_EMULATOR_HOST,
      })
      setFirebaseToken(c, idToken)
    } catch (err) {
      const res = c.redirect(config.redirects.signIn)
      throw new HTTPException(res.status, {
        res,
        message: `failed to verify the requested firebase token: ${String(err)}`,
      })
    }
    await next()
  }
}
feat(firebase-auth): added a new middleware to verify session with firebase-auth (#402) * fix(firebase-auth): updated firebase-auth-cloudflare-workers * add(firebase-auth): added a new `verifySessionCookieFirebaseAuth` middleware to verify w/ session cookie 2024-02-24 21:35:24 +08:00			`import { getCookie } from 'hono/cookie'`
feat(firebase-auth): support Hono v3 (#60) * feat(firebase-auth): support Hono v3 * add changeset 2023-03-06 19:24:49 +08:00			`import type { KeyStorer, FirebaseIdToken } from 'firebase-auth-cloudflare-workers'`
setup Firebase Auth middleware 2023-02-04 19:20:42 +08:00			`import { Auth, WorkersKVStoreSingle } from 'firebase-auth-cloudflare-workers'`
			`import type { Context, MiddlewareHandler } from 'hono'`
fix(firebase-auth): throw HTTPException instead of reponse null (#191) * fix(firebase-auth): throw HTTPException instead of reponse null * added changeset 2023-10-05 21:42:21 +08:00			`import { HTTPException } from 'hono/http-exception'`
Initial commit 2022-07-23 22:56:20 +08:00
feat(firebase-auth): support Hono v3 (#60) * feat(firebase-auth): support Hono v3 * add changeset 2023-03-06 19:24:49 +08:00			`export type VerifyFirebaseAuthEnv = {`
setup Firebase Auth middleware 2023-02-04 19:20:42 +08:00			`PUBLIC_JWK_CACHE_KEY?: string \| undefined`
			`PUBLIC_JWK_CACHE_KV?: KVNamespace \| undefined`
feat(firebase-auth): support Hono v3 (#60) * feat(firebase-auth): support Hono v3 * add changeset 2023-03-06 19:24:49 +08:00			`FIREBASE_AUTH_EMULATOR_HOST: string \| undefined`
Initial commit 2022-07-23 22:56:20 +08:00			`}`
initial commit 2022-07-28 13:58:54 +08:00
			`export interface VerifyFirebaseAuthConfig {`
setup Firebase Auth middleware 2023-02-04 19:20:42 +08:00			`projectId: string`
			`authorizationHeaderKey?: string`
			`keyStore?: KeyStorer`
			`keyStoreInitializer?: (c: Context) => KeyStorer`
			`disableErrorLog?: boolean`
			`firebaseEmulatorHost?: string`
initial commit 2022-07-28 13:58:54 +08:00			`}`

setup Firebase Auth middleware 2023-02-04 19:20:42 +08:00			`const defaultKVStoreJWKCacheKey = 'verify-firebase-auth-cached-public-key'`
fixed firebase-auth for #247 (#248) * chore: npx yarn-deduplicate && yarn install * chore(firebase-auth): Update package deps and test * chore(firebase-auth): update hono version * fix(firebase-auth): responds 501 when PUBLIC_JWK_CACHE_KV is undefined in defaultKeyStoreInitializer function 2023-11-12 08:50:13 +08:00			`const defaultKeyStoreInitializer = (c: Context<{ Bindings: VerifyFirebaseAuthEnv }>): KeyStorer => {`
			`if (c.env.PUBLIC_JWK_CACHE_KV === undefined) {`
			`const res = new Response('Not Implemented', {`
			`status: 501,`
			`})`
feat(firebase-auth): added a new middleware to verify session with firebase-auth (#402) * fix(firebase-auth): updated firebase-auth-cloudflare-workers * add(firebase-auth): added a new `verifySessionCookieFirebaseAuth` middleware to verify w/ session cookie 2024-02-24 21:35:24 +08:00			`throw new HTTPException(res.status, { res })`
fixed firebase-auth for #247 (#248) * chore: npx yarn-deduplicate && yarn install * chore(firebase-auth): Update package deps and test * chore(firebase-auth): update hono version * fix(firebase-auth): responds 501 when PUBLIC_JWK_CACHE_KV is undefined in defaultKeyStoreInitializer function 2023-11-12 08:50:13 +08:00			`}`
initial commit 2022-07-28 13:58:54 +08:00			`return WorkersKVStoreSingle.getOrInitialize(`
			`c.env.PUBLIC_JWK_CACHE_KEY ?? defaultKVStoreJWKCacheKey,`
			`c.env.PUBLIC_JWK_CACHE_KV`
setup Firebase Auth middleware 2023-02-04 19:20:42 +08:00			`)`
			`}`

			`export const verifyFirebaseAuth = (userConfig: VerifyFirebaseAuthConfig): MiddlewareHandler => {`
initial commit 2022-07-28 13:58:54 +08:00			`const config = {`
			`projectId: userConfig.projectId,`
feat(firebase-auth): added a new middleware to verify session with firebase-auth (#402) * fix(firebase-auth): updated firebase-auth-cloudflare-workers * add(firebase-auth): added a new `verifySessionCookieFirebaseAuth` middleware to verify w/ session cookie 2024-02-24 21:35:24 +08:00			`authorizationHeaderKey: userConfig.authorizationHeaderKey ?? 'Authorization',`
			`keyStore: userConfig.keyStore,`
setup Firebase Auth middleware 2023-02-04 19:20:42 +08:00			`keyStoreInitializer: userConfig.keyStoreInitializer ?? defaultKeyStoreInitializer,`
initial commit 2022-07-28 13:58:54 +08:00			`disableErrorLog: userConfig.disableErrorLog,`
fixed to support service worker syntax 2022-07-29 22:03:09 +08:00			`firebaseEmulatorHost: userConfig.firebaseEmulatorHost,`
feat(firebase-auth): added a new middleware to verify session with firebase-auth (#402) * fix(firebase-auth): updated firebase-auth-cloudflare-workers * add(firebase-auth): added a new `verifySessionCookieFirebaseAuth` middleware to verify w/ session cookie 2024-02-24 21:35:24 +08:00			`} satisfies VerifyFirebaseAuthConfig`

			`// TODO(codehex): will be supported`
			`const checkRevoked = false`
initial commit 2022-07-28 13:58:54 +08:00
			`return async (c, next) => {`
feat(firebase-auth): added a new middleware to verify session with firebase-auth (#402) * fix(firebase-auth): updated firebase-auth-cloudflare-workers * add(firebase-auth): added a new `verifySessionCookieFirebaseAuth` middleware to verify w/ session cookie 2024-02-24 21:35:24 +08:00			`const authorization = c.req.raw.headers.get(config.authorizationHeaderKey)`
initial commit 2022-07-28 13:58:54 +08:00			`if (authorization === null) {`
fix(firebase-auth): throw HTTPException for bad request (#194) 2023-10-06 15:48:22 +08:00			`const res = new Response('Bad Request', {`
initial commit 2022-07-28 13:58:54 +08:00			`status: 400,`
setup Firebase Auth middleware 2023-02-04 19:20:42 +08:00			`})`
feat(firebase-auth): added a new middleware to verify session with firebase-auth (#402) * fix(firebase-auth): updated firebase-auth-cloudflare-workers * add(firebase-auth): added a new `verifySessionCookieFirebaseAuth` middleware to verify w/ session cookie 2024-02-24 21:35:24 +08:00			`throw new HTTPException(res.status, { res, message: 'authorization header is empty' })`
initial commit 2022-07-28 13:58:54 +08:00			`}`
setup Firebase Auth middleware 2023-02-04 19:20:42 +08:00			`const jwt = authorization.replace(/Bearer\s+/i, '')`
initial commit 2022-07-28 13:58:54 +08:00			`const auth = Auth.getOrInitialize(`
			`config.projectId,`
feat(firebase-auth): added a new middleware to verify session with firebase-auth (#402) * fix(firebase-auth): updated firebase-auth-cloudflare-workers * add(firebase-auth): added a new `verifySessionCookieFirebaseAuth` middleware to verify w/ session cookie 2024-02-24 21:35:24 +08:00			`config.keyStore ?? config.keyStoreInitializer(c)`
setup Firebase Auth middleware 2023-02-04 19:20:42 +08:00			`)`
initial commit 2022-07-28 13:58:54 +08:00
			`try {`
feat(firebase-auth): added a new middleware to verify session with firebase-auth (#402) * fix(firebase-auth): updated firebase-auth-cloudflare-workers * add(firebase-auth): added a new `verifySessionCookieFirebaseAuth` middleware to verify w/ session cookie 2024-02-24 21:35:24 +08:00			`const idToken = await auth.verifyIdToken(jwt, checkRevoked, {`
fixed to support service worker syntax 2022-07-29 22:03:09 +08:00			`FIREBASE_AUTH_EMULATOR_HOST:`
			`config.firebaseEmulatorHost ?? c.env.FIREBASE_AUTH_EMULATOR_HOST,`
setup Firebase Auth middleware 2023-02-04 19:20:42 +08:00			`})`
			`setFirebaseToken(c, idToken)`
initial commit 2022-07-28 13:58:54 +08:00			`} catch (err) {`
			`if (!userConfig.disableErrorLog) {`
			`console.error({`
setup Firebase Auth middleware 2023-02-04 19:20:42 +08:00			`message: 'failed to verify the requested firebase token',`
initial commit 2022-07-28 13:58:54 +08:00			`err,`
setup Firebase Auth middleware 2023-02-04 19:20:42 +08:00			`})`
initial commit 2022-07-28 13:58:54 +08:00			`}`
fix(firebase-auth): throw HTTPException instead of reponse null (#191) * fix(firebase-auth): throw HTTPException instead of reponse null * added changeset 2023-10-05 21:42:21 +08:00
			`const res = new Response('Unauthorized', {`
initial commit 2022-07-28 13:58:54 +08:00			`status: 401,`
setup Firebase Auth middleware 2023-02-04 19:20:42 +08:00			`})`
feat(firebase-auth): added a new middleware to verify session with firebase-auth (#402) * fix(firebase-auth): updated firebase-auth-cloudflare-workers * add(firebase-auth): added a new `verifySessionCookieFirebaseAuth` middleware to verify w/ session cookie 2024-02-24 21:35:24 +08:00			`throw new HTTPException(res.status, {`
			`res,`
			message: `failed to verify the requested firebase token: ${String(err)}`,
			`})`
initial commit 2022-07-28 13:58:54 +08:00			`}`
setup Firebase Auth middleware 2023-02-04 19:20:42 +08:00			`await next()`
			`}`
			`}`
initial commit 2022-07-28 13:58:54 +08:00
setup Firebase Auth middleware 2023-02-04 19:20:42 +08:00			`const idTokenContextKey = 'firebase-auth-cloudflare-id-token-key'`
initial commit 2022-07-28 13:58:54 +08:00
setup Firebase Auth middleware 2023-02-04 19:20:42 +08:00			`const setFirebaseToken = (c: Context, idToken: FirebaseIdToken) => c.set(idTokenContextKey, idToken)`
initial commit 2022-07-28 13:58:54 +08:00
			`export const getFirebaseToken = (c: Context): FirebaseIdToken \| null => {`
setup Firebase Auth middleware 2023-02-04 19:20:42 +08:00			`const idToken = c.get(idTokenContextKey)`
chore: add lint rule and format (#367) * chore: add lint rule and format * fix ci * add typescript * yarn install * add `@cloudflare/workers-types` 2024-01-29 21:53:43 +08:00			`if (!idToken) {`
			`return null`
			`}`
setup Firebase Auth middleware 2023-02-04 19:20:42 +08:00			`return idToken`
			`}`
feat(firebase-auth): added a new middleware to verify session with firebase-auth (#402) * fix(firebase-auth): updated firebase-auth-cloudflare-workers * add(firebase-auth): added a new `verifySessionCookieFirebaseAuth` middleware to verify w/ session cookie 2024-02-24 21:35:24 +08:00
			`export interface VerifySessionCookieFirebaseAuthConfig {`
			`projectId: string`
			`cookieName?: string`
			`keyStore?: KeyStorer`
			`keyStoreInitializer?: (c: Context) => KeyStorer`
			`firebaseEmulatorHost?: string`
			`redirects: {`
			`signIn: string`
			`}`
			`}`

			`export const verifySessionCookieFirebaseAuth = (`
			`userConfig: VerifySessionCookieFirebaseAuthConfig`
			`): MiddlewareHandler => {`
			`const config = {`
			`projectId: userConfig.projectId,`
			`cookieName: userConfig.cookieName ?? 'session',`
			`keyStore: userConfig.keyStore,`
			`keyStoreInitializer: userConfig.keyStoreInitializer ?? defaultKeyStoreInitializer,`
			`firebaseEmulatorHost: userConfig.firebaseEmulatorHost,`
			`redirects: userConfig.redirects,`
			`} satisfies VerifySessionCookieFirebaseAuthConfig`

			`// TODO(codehex): will be supported`
			`const checkRevoked = false`

			`return async (c, next) => {`
			`const auth = Auth.getOrInitialize(`
			`config.projectId,`
			`config.keyStore ?? config.keyStoreInitializer(c)`
			`)`
			`const session = getCookie(c, config.cookieName)`
			`if (session === undefined) {`
			`const res = c.redirect(config.redirects.signIn)`
			`throw new HTTPException(res.status, { res, message: 'session is empty' })`
			`}`

			`try {`
			`const idToken = await auth.verifySessionCookie(session, checkRevoked, {`
			`FIREBASE_AUTH_EMULATOR_HOST:`
			`config.firebaseEmulatorHost ?? c.env.FIREBASE_AUTH_EMULATOR_HOST,`
			`})`
			`setFirebaseToken(c, idToken)`
			`} catch (err) {`
			`const res = c.redirect(config.redirects.signIn)`
			`throw new HTTPException(res.status, {`
			`res,`
			message: `failed to verify the requested firebase token: ${String(err)}`,
			`})`
			`}`
			`await next()`
			`}`
			`}`