initial commit

.github/workflows/ci.yml

@@ -12,16 +12,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/setup-node@v2
         with:
-          node-version: 16.x
+          node-version: 18.x
       - run: yarn install --frozen-lockfile
       - run: yarn build
       - run: yarn test
-
-  deno:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: denoland/setup-deno@v1
-        with:
-          deno-version: v1.x
-      - run: deno test deno_test

.gitignore

@@ -4,4 +4,6 @@ node_modules
 .yarn/*
 
 # for debug or playing
-sandbox
+sandbox
+
+*.log

deno_dist/README.md

@@ -1,41 +0,0 @@
-# Hello middleware for Hono
-
-An example project of the third-party middleware for [Hono](https://github.com/honojs/hono).
-This middleware add `X-Message` header to the Response.
-
-## Usage
-
-```ts
-import { hello } from '@honojs/hello'
-import { Hono } from 'hono'
-
-const app = new Hono()
-
-app.use('*', hello('Hello!! Hono!!'))
-app.get('/', (c) => c.text('foo'))
-
-export default app
-```
-
-## Deno
-
-```ts
-import { serve } from 'https://deno.land/std/http/server.ts'
-import { hello } from 'https://deno.land/x/hono_hello/mod.ts'
-import { Hono } from 'https://deno.land/x/hono/mod.ts'
-
-const app = new Hono()
-
-app.use('*', hello('Hello!! Hono!!'))
-app.get('/', (c) => c.text('foo'))
-
-serve(app.fetch)
-```
-
-## Author
-
-Yusuke Wada <https://github.com/yusukebe>
-
-## License
-
-MIT

deno_dist/index.ts

@@ -1,8 +0,0 @@
-import { Context, Next, Handler } from 'https://raw.githubusercontent.com/honojs/hono/v2.0.2/deno_dist/mod.ts'
-
-export const hello = (message: string = 'Hello'): Handler => {
-  return async (c: Context, next: Next) => {
-    await next()
-    c.res.headers.append('X-Message', message)
-  }
-}

deno_dist/mod.ts

@@ -1 +0,0 @@
-export * from "./index.ts";

deno_test/.vscode/settings.json

@@ -1,3 +0,0 @@
-{
-  "deno.enable": true
-}

deno_test/deps.ts

@@ -1,2 +0,0 @@
-export { assert, assertEquals } from 'https://deno.land/std@0.148.0/testing/asserts.ts'
-export { Hono } from 'https://deno.land/x/hono@v2.0.2/mod.ts'

deno_test/index.test.ts

@@ -1,15 +0,0 @@
-import { hello } from '../deno_dist/mod.ts'
-import { assertEquals, Hono } from './deps.ts'
-
-// Test just only minimal patterns.
-// Because others are tested well in Cloudflare Workers environment already.
-
-Deno.test('Hello Middleware', async () => {
-  const app = new Hono()
-  app.use('/hello/*', hello())
-  app.get('/hello/foo', (c) => c.text('foo'))
-
-  let res = await app.request('http://localhost/hello/foo')
-  assertEquals(res.status, 200)
-  assertEquals(res.headers.get('X-Message'), 'Hello')
-})

firebase.json

@@ -0,0 +1,10 @@
+{
+  "emulators": {
+    "auth": {
+      "port": 9099
+    },
+    "ui": {
+      "enabled": true
+    }
+  }
+}

jest.config.js

@@ -1,7 +1,21 @@
 module.exports = {
-  testMatch: ['**/test/**/*.+(ts|tsx|js)', '**/src/**/(*.)+(spec|test).+(ts|tsx|js)'],
+  testMatch: [
+    "**/test/**/*.+(ts|tsx|js)",
+    "**/src/**/(*.)+(spec|test).+(ts|tsx|js)",
+  ],
   transform: {
-    '^.+\\.(ts|tsx)$': 'ts-jest',
+    "^.+\\.(ts|tsx)$": "ts-jest",
   },
-  testEnvironment: 'miniflare',
-}
+  testEnvironment: "miniflare",
+  testEnvironmentOptions: {
+    vars: {
+      FIREBASE_AUTH_EMULATOR_HOST: "127.0.0.1:9099",
+      PUBLIC_JWK_CACHE_KEY: "testing-cache-key",
+    },
+    bindings: {
+      FIREBASE_AUTH_EMULATOR_HOST: "127.0.0.1:9099",
+      PUBLIC_JWK_CACHE_KEY: "testing-cache-key",
+    },
+    kvNamespaces: ["PUBLIC_JWK_CACHE_KV"],
+  },
+};

package.json

@@ -1,19 +1,17 @@
 {
-  "name": "@honojs/hello",
-  "version": "0.0.6",
-  "description": "An example of third-party middleware for Hono",
+  "name": "@honojs/firebase-auth",
+  "version": "0.1.0",
+  "description": "A third-party firebase auth middleware for Hono",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "files": [
     "dist"
   ],
   "scripts": {
+    "start-firebase-emulator": "firebase emulators:start --project example-project12345",
     "test": "jest",
-    "test:deno": "deno test deno_test",
-    "test:all": "yarn test && yarn test:deno",
-    "denoify": "rimraf deno_dist && denoify",
-    "build": "rimraf dist && tsc",
-    "prerelease": "yarn denoify && yarn build && yarn test:all",
+    "build": "tsc",
+    "prerelease": "yarn build",
     "release": "yarn publish"
   },
   "license": "MIT",
@@ -22,23 +20,22 @@
     "url": "https://github.com/honojs/middleware-template.git"
   },
   "homepage": "https://github.com/honojs/middleware-template",
-  "author": "Yusuke Wada <yusuke@kamawada.com> (https://github.com/yusukebe)",
+  "author": "codehex",
   "publishConfig": {
     "registry": "https://registry.npmjs.org",
     "access": "public"
   },
   "dependencies": {
+    "firebase-auth-cloudflare-workers": "^1.0.0",
     "hono": "^2.0.2"
   },
   "devDependencies": {
-    "@cloudflare/workers-types": "^3.14.0",
+    "@cloudflare/workers-types": "^3.14.1",
     "@types/jest": "^28.1.4",
-    "denoify": "^0.11.1",
     "jest": "^28.1.2",
     "jest-environment-miniflare": "^2.6.0",
     "prettier": "^2.7.1",
-    "rimraf": "^3.0.2",
     "ts-jest": "^28.0.5",
     "typescript": "^4.7.4"
   }
-}
+}

src/index.ts

@@ -1,8 +1,84 @@
-import { Context, Next, Handler } from 'hono'
+import { Context, Handler } from "hono";
+import {
+  EmulatorEnv,
+  Auth,
+  WorkersKVStoreSingle,
+  KeyStorer,
+  FirebaseIdToken,
+} from "firebase-auth-cloudflare-workers";
 
-export const hello = (message: string = 'Hello'): Handler => {
-  return async (c: Context, next: Next) => {
-    await next()
-    c.res.headers.append('X-Message', message)
-  }
+export interface VerifyFirebaseAuthEnv extends EmulatorEnv {
+  PUBLIC_JWK_CACHE_KEY?: string | undefined;
+  PUBLIC_JWK_CACHE_KV?: KVNamespace | undefined;
 }
+
+export interface VerifyFirebaseAuthConfig {
+  projectId: string;
+  authorizationHeaderKey?: string;
+  keyStore?: KeyStorer;
+  keyStoreInitializer?: (c: Context) => KeyStorer;
+  disableErrorLog?: boolean;
+}
+
+const defaultKVStoreJWKCacheKey = "verify-firebase-auth-cached-public-key";
+const defaultKeyStoreInitializer = (c: Context): KeyStorer => {
+  return WorkersKVStoreSingle.getOrInitialize(
+    c.env.PUBLIC_JWK_CACHE_KEY ?? defaultKVStoreJWKCacheKey,
+    c.env.PUBLIC_JWK_CACHE_KV
+  );
+};
+
+export const verifyFirebaseAuth = (
+  userConfig: VerifyFirebaseAuthConfig
+): Handler<string, VerifyFirebaseAuthEnv> => {
+  const config = {
+    projectId: userConfig.projectId,
+    AuthorizationHeaderKey:
+      userConfig.authorizationHeaderKey ?? "Authorization",
+    KeyStore: userConfig.keyStore,
+    keyStoreInitializer:
+      userConfig.keyStoreInitializer ?? defaultKeyStoreInitializer,
+    disableErrorLog: userConfig.disableErrorLog,
+  };
+
+  return async (c, next) => {
+    const authorization = c.req.headers.get(config.AuthorizationHeaderKey);
+    if (authorization === null) {
+      return new Response(null, {
+        status: 400,
+      });
+    }
+    const jwt = authorization.replace(/Bearer\s+/i, "");
+    const auth = Auth.getOrInitialize(
+      config.projectId,
+      config.KeyStore ?? config.keyStoreInitializer(c)
+    );
+
+    try {
+      const idToken = await auth.verifyIdToken(jwt, c.env);
+      setFirebaseToken(c, idToken);
+    } catch (err) {
+      if (!userConfig.disableErrorLog) {
+        console.error({
+          message: "failed to verify the requested firebase token",
+          err,
+        });
+      }
+      return new Response(null, {
+        status: 401,
+      });
+    }
+    await next();
+  };
+};
+
+const idTokenContextKey = "firebase-auth-cloudflare-id-token-key";
+
+const setFirebaseToken = (c: Context, idToken: FirebaseIdToken) =>
+  c.set(idTokenContextKey, idToken);
+
+export const getFirebaseToken = (c: Context): FirebaseIdToken | null => {
+  const idToken = c.get(idTokenContextKey);
+  if (!idToken) return null;
+  return idToken;
+};

test/index.test.ts

@@ -1,26 +1,283 @@
-import { Hono } from 'hono'
-import { hello } from '../src'
+import { getFirebaseToken } from "./../src/index";
+import { Auth, KeyStorer } from "firebase-auth-cloudflare-workers";
+import { Hono } from "hono";
+import { VerifyFirebaseAuthEnv, verifyFirebaseAuth } from "../src";
 
-describe('Hello middleware', () => {
-  const app = new Hono()
+describe("verifyFirebaseAuth middleware", () => {
+  const emulatorHost = "127.0.0.1:9099";
+  const validProjectId = "example-project12345"; // see package.json
 
-  app.use('/hello/*', hello())
-  app.get('/hello/foo', (c) => c.text('foo'))
+  // @ts-ignore
+  const { PUBLIC_JWK_CACHE_KV } = getMiniflareBindings();
 
-  app.use('/x/*', hello('X'))
-  app.get('/x/foo', (c) => c.text('foo'))
+  let user: signUpResponse;
 
-  it('Should be hello message', async () => {
-    const res = await app.request('http://localhost/hello/foo')
-    expect(res).not.toBeNull()
-    expect(res.status).toBe(200)
-    expect(res.headers.get('X-Message')).toBe('Hello')
-  })
+  beforeAll(async () => {
+    await deleteAccountEmulator(emulatorHost, validProjectId);
 
-  it('Should be X', async () => {
-    const res = await app.request('http://localhost/x/foo')
-    expect(res).not.toBeNull()
-    expect(res.status).toBe(200)
-    expect(res.headers.get('X-Message')).toBe('X')
-  })
-})
+    user = await signUpEmulator(emulatorHost, {
+      email: "codehex@hono.js",
+      password: "honojs",
+    });
+
+    await sleep(1000); // wait for iat
+  });
+
+  test.each([
+    [
+      "valid case, should be 200",
+      {
+        headerKey: "Authorization",
+        env: {
+          FIREBASE_AUTH_EMULATOR_HOST: "localhost:9099",
+          PUBLIC_JWK_CACHE_KEY: "testing-cache-key",
+          PUBLIC_JWK_CACHE_KV,
+        },
+        config: {
+          projectId: validProjectId,
+        },
+        wantStatus: 200,
+      },
+    ],
+    [
+      "valid specified headerKey, should be 200",
+      {
+        headerKey: "X-Authorization",
+        env: {
+          FIREBASE_AUTH_EMULATOR_HOST: "localhost:9099",
+          PUBLIC_JWK_CACHE_KEY: "testing-cache-key",
+          PUBLIC_JWK_CACHE_KV,
+        },
+        config: {
+          projectId: validProjectId,
+          authorizationHeaderKey: "X-Authorization",
+        },
+        wantStatus: 200,
+      },
+    ],
+    [
+      "invalid authorization header, should be 400",
+      {
+        headerKey: "X-Authorization",
+        env: {
+          FIREBASE_AUTH_EMULATOR_HOST: "localhost:9099",
+          PUBLIC_JWK_CACHE_KEY: "testing-cache-key",
+          PUBLIC_JWK_CACHE_KV,
+        },
+        config: {
+          projectId: validProjectId, // see package.json
+          // No specified header key.
+        },
+        wantStatus: 400,
+      },
+    ],
+    [
+      "invalid project ID, should be 401",
+      {
+        headerKey: "Authorization",
+        env: {
+          FIREBASE_AUTH_EMULATOR_HOST: "localhost:9099",
+          PUBLIC_JWK_CACHE_KEY: "testing-cache-key",
+          PUBLIC_JWK_CACHE_KV,
+        },
+        config: {
+          projectId: "invalid-projectId",
+        },
+        wantStatus: 401,
+      },
+    ],
+  ])("%s", async (_, { headerKey, env, config, wantStatus }) => {
+    const app = new Hono<VerifyFirebaseAuthEnv>();
+
+    resetAuth();
+
+    app.use(
+      "*",
+      verifyFirebaseAuth({
+        ...config,
+        disableErrorLog: true,
+      })
+    );
+    app.get("/hello", (c) => c.text("OK"));
+
+    const req = new Request("http://localhost/hello", {
+      headers: {
+        [headerKey]: `Bearer ${user.idToken}`,
+      },
+    });
+
+    const res = await app.fetch(req, env);
+
+    expect(res).not.toBeNull();
+    expect(res.status).toBe(wantStatus);
+  });
+
+  test("specified keyStore is used", async () => {
+    const testingJWT = generateDummyJWT();
+
+    const nopKeyStore = new NopKeyStore();
+    const getSpy = jest.spyOn(nopKeyStore, "get");
+    const putSpy = jest.spyOn(nopKeyStore, "put");
+
+    const app = new Hono<VerifyFirebaseAuthEnv>();
+
+    resetAuth();
+
+    app.use(
+      "*",
+      verifyFirebaseAuth({
+        projectId: validProjectId,
+        keyStore: nopKeyStore,
+        disableErrorLog: true,
+      })
+    );
+    app.get("/hello", (c) => c.text("OK"));
+
+    const req = new Request("http://localhost/hello", {
+      headers: {
+        Authorization: `Bearer ${testingJWT}`,
+      },
+    });
+
+    // not use firebase emulator to check using key store
+    const res = await app.fetch(req, {
+      FIREBASE_AUTH_EMULATOR_HOST: undefined,
+    });
+
+    expect(res).not.toBeNull();
+    expect(res.status).toBe(401);
+    expect(getSpy).toHaveBeenCalled();
+    expect(putSpy).toHaveBeenCalled();
+  });
+
+  test("usable id-token in main handler", async () => {
+    const testingJWT = generateDummyJWT();
+
+    const nopKeyStore = new NopKeyStore();
+    const app = new Hono<VerifyFirebaseAuthEnv>();
+
+    resetAuth();
+
+    app.use(
+      "*",
+      verifyFirebaseAuth({
+        projectId: validProjectId,
+        keyStore: nopKeyStore,
+        disableErrorLog: true,
+      })
+    );
+    app.get("/hello", (c) => c.json(getFirebaseToken(c)));
+
+    const req = new Request("http://localhost/hello", {
+      headers: {
+        Authorization: `Bearer ${testingJWT}`,
+      },
+    });
+
+    const res = await app.fetch(req, {
+      FIREBASE_AUTH_EMULATOR_HOST: emulatorHost,
+    });
+
+    expect(res).not.toBeNull();
+    expect(res.status).toBe(200);
+
+    const json = await res.json<{ aud: string; email: string }>();
+    expect(json.aud).toBe(validProjectId);
+    expect(json.email).toBe("codehex@example.com");
+  });
+});
+
+class NopKeyStore implements KeyStorer {
+  constructor() {}
+  get(): Promise<null> {
+    return new Promise((resolve) => resolve(null));
+  }
+  put(): Promise<void> {
+    return new Promise((resolve) => resolve());
+  }
+}
+
+const sleep = (ms: number) => new Promise((r) => setTimeout(r, ms));
+
+// magic to reset state of static object for "firebase-auth-cloudflare-workers"
+const resetAuth = () => delete Auth["instance"];
+
+const generateDummyJWT = () => {
+  const header = JSON.stringify({
+    alg: "RS256",
+    kid: "kid",
+    typ: "JWT",
+  });
+  const now = Math.floor(Date.now() / 1000);
+  const payload = JSON.stringify({
+    iss: `https://securetoken.google.com/example-project12345`,
+    aud: "example-project12345",
+    auth_time: now - 1000,
+    user_id: "t1aLdTkAs0S0J0P6TNbjwbmry5B3",
+    sub: "t1aLdTkAs0S0J0P6TNbjwbmry5B3",
+    iat: now - 1000,
+    exp: now + 3000, // + 3s
+    email: "codehex@example.com",
+    email_verified: false,
+    firebase: {
+      identities: {
+        email: ["codehex@example.com"],
+      },
+      sign_in_provider: "password",
+    },
+  });
+  return `${btoa(header)}.${btoa(payload)}.`;
+};
+
+interface EmailPassword {
+  email: string;
+  password: string;
+}
+
+export interface signUpResponse {
+  kind: string;
+  localId: string;
+  email: string;
+  idToken: string;
+  refreshToken: string;
+  expiresIn: string;
+}
+
+const signUpEmulator = async (
+  emulatorHost: string,
+  body: EmailPassword
+): Promise<signUpResponse> => {
+  // http://localhost:9099/identitytoolkit.googleapis.com/v1/accounts:signUp?key=dummy
+  const url = `http://${emulatorHost}/identitytoolkit.googleapis.com/v1/accounts:signUp?key=dummy`;
+  const resp = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+    },
+    body: JSON.stringify({
+      ...body,
+      returnSecureToken: true,
+    }),
+  });
+  if (resp.status !== 200) {
+    console.log({ status: resp.status });
+    throw new Error("error");
+  }
+  return await resp.json();
+};
+
+const deleteAccountEmulator = async (
+  emulatorHost: string,
+  projectId: string
+): Promise<void> => {
+  // https://firebase.google.com/docs/reference/rest/auth#section-auth-emulator-clearaccounts
+  const url = `http://${emulatorHost}/emulator/v1/projects/${projectId}/accounts`;
+  const resp = await fetch(url, {
+    method: "DELETE",
+  });
+  if (resp.status !== 200) {
+    console.log({ status: resp.status });
+    throw new Error("error when clear accounts");
+  }
+  return;
+};