suimeng
/
honojs-middleware
mirror of https://github.com/honojs/middleware.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #34 from honojs/moving-firebase-auth 

Moving firebase auth
pull/35/head
Yusuke Wada 2023-02-04 20:28:21 +09:00 committed by GitHub
parent a66d22abb9 617b582bc3
commit 2f18bb5e84
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 3837 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.changeset/angry-cougars-smash.md 100644
View File

@ -0,0 +1,5 @@
---
'@hono/firebase-auth': minor
---
Rename `@honojs/firebase-auth` to `@hono/firebase-auth`.

1
.eslintrc.js
View File

@ -38,6 +38,7 @@ module.exports = defineConfig({
{ {
types: { types: {
Function: false, Function: false,
'{}': false,
}, },
}, },
], ],

25
.github/workflows/ci-firebase-auth.yml vendored 100644
View File

@ -0,0 +1,25 @@
name: ci-firebase-auth
on:
push:
branches: [main]
paths:
- 'packages/firebase-auth/**'
pull_request:
branches: ['*']
paths:
- 'packages/firebase-auth/**'
jobs:
ci:
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./packages/firebase-auth
steps:
- uses: actions/checkout@v2
- uses: actions/setup-node@v2
with:
node-version: 18.x
- run: yarn install --frozen-lockfile
- run: yarn build
- run: yarn test-with-emulator

1
package.json
View File

@ -11,6 +11,7 @@
"build:qwik-city": "yarn workspace @hono/qwik-city build", "build:qwik-city": "yarn workspace @hono/qwik-city build",
"build:graphql-server": "yarn workspace @hono/graphql-server build", "build:graphql-server": "yarn workspace @hono/graphql-server build",
"build:sentry": "yarn workspace @hono/sentry build", "build:sentry": "yarn workspace @hono/sentry build",
"build:firebase-auth": "yarn workspace @hono/firebase-auth build",
"build": "run-p build:*" "build": "run-p build:*"
}, },
"license": "MIT", "license": "MIT",

120
packages/firebase-auth/README.md 100644
View File

@ -0,0 +1,120 @@
# Hono Firebase Auth middleware for Cloudflare Workers.
## Moving
Firebase Auth Middleware `@honojs/firebase-auth` is renamed to `@hono/firebase-auth`.
`@honojs/firebase-auth` is not maintained, please use `@hono/firebase-auth`.
Also, for Deno, you can use import with `npm:` prefix like `npm:@hono/firebase-auth`.
---
This is a Firebase Auth middleware library for [Hono](https://github.com/honojs/hono) which is used [firebase-auth-cloudflare-workers](https://github.com/Code-Hex/firebase-auth-cloudflare-workers).
Currently only Cloudflare Workers are supported officially. However, it may work in other environments as well, so please let us know in an issue if it works.
## Synopsis
### Module Worker Syntax (recommend)
```ts
import { Hono } from "hono";
import { VerifyFirebaseAuthConfig, VerifyFirebaseAuthEnv, verifyFirebaseAuth, getFirebaseToken } from "@hono/firebase-auth";
const config: VerifyFirebaseAuthConfig = {
// specify your firebase project ID.
projectId: "your-project-id",
}
// Or you can specify here the extended VerifyFirebaseAuthEnv type.
const app = new Hono<{ Bindings: VerifyFirebaseAuthEnv }>()
// set middleware
app.use("*", verifyFirebaseAuth(config));
app.get("/hello", (c) => {
const idToken = getFirebaseToken(c) // get id-token object.
return c.json(idToken)
});
export default app
```
### Service Worker Syntax
```ts
import { Hono } from "hono";
import { VerifyFirebaseAuthConfig, verifyFirebaseAuth, getFirebaseToken } from "@hono/firebase-auth";
const config: VerifyFirebaseAuthConfig = {
// specify your firebase project ID.
projectId: "your-project-id",
// this is optional. but required in this mode.
keyStore: WorkersKVStoreSingle.getOrInitialize(
PUBLIC_JWK_CACHE_KEY,
PUBLIC_JWK_CACHE_KV
),
// this is also optional. But in this mode, you can only specify here.
firebaseEmulatorHost: FIREBASE_AUTH_EMULATOR_HOST,
}
const app = new Hono()
// set middleware
app.use("*", verifyFirebaseAuth(config));
app.get("/hello", (c) => {
const idToken = getFirebaseToken(c) // get id-token object.
return c.json(idToken)
});
app.fire()
```
## Config (`VerifyFirebaseAuthConfig`)
### `projectId: string` (**required**)
This field indicates your firebase project ID.
### `authorizationHeaderKey?: string` (optional)
Based on this configuration, the JWT created by firebase auth is looked for in the HTTP headers. The default is "Authorization".
### `keyStore?: KeyStorer` (optional)
This is used to cache the public key used to validate the Firebase ID token (JWT). This KeyStorer type has been defined in [firebase-auth-cloudflare-workers](https://github.com/Code-Hex/firebase-auth-cloudflare-workers/tree/main#keystorer) library.
If you don't specify the field, this library uses [WorkersKVStoreSingle](https://github.com/Code-Hex/firebase-auth-cloudflare-workers/tree/main#workerskvstoresinglegetorinitializecachekey-string-cfkvnamespace-kvnamespace-workerskvstoresingle) instead. You must fill in the fields defined in `VerifyFirebaseAuthEnv`.
### `keyStoreInitializer?: (c: Context) => KeyStorer` (optional)
Use this when initializing KeyStorer and environment variables, etc. are required.
If you don't specify the field, this library uses [WorkersKVStoreSingle](https://github.com/Code-Hex/firebase-auth-cloudflare-workers/tree/main#workerskvstoresinglegetorinitializecachekey-string-cfkvnamespace-kvnamespace-workerskvstoresingle) instead. You must fill in the fields defined in `VerifyFirebaseAuthEnv`.
### `disableErrorLog?: boolean` (optional)
Throws an exception if JWT validation fails. By default, this is output to the error log, but if you don't expect it, use this.
### `firebaseEmulatorHost?: string` (optional)
You can specify a host for the Firebase Auth emulator. This config is mainly used when **Service Worker Syntax** is used.
If not specified, check the [`FIREBASE_AUTH_EMULATOR_HOST` environment variable obtained from the request](https://github.com/Code-Hex/firebase-auth-cloudflare-workers#emulatorenv).
## Author
codehex <https://github.com/Code-Hex>
## License
MIT
## Contribution
If you are interested, send me PR would be greatly appreciated!
To test this code in your local environment, execute the following command.
```
$ yarn test-with-emulator
```

10
packages/firebase-auth/firebase.json 100644
View File

@ -0,0 +1,10 @@
{
"emulators": {
"auth": {
"port": 9099
},
"ui": {
"enabled": true
}
}
}

1
packages/firebase-auth/jest.config.js 100644
View File

@ -0,0 +1 @@
module.exports = require('../../jest.config.js')

47
packages/firebase-auth/package.json 100644
View File

@ -0,0 +1,47 @@
{
"name": "@hono/firebase-auth",
"version": "1.0.2",
"description": "A third-party firebase auth middleware for Hono",
"main": "dist/index.js",
"types": "dist/index.d.ts",
"files": [
"dist"
],
"scripts": {
"start-firebase-emulator": "firebase emulators:start --project example-project12345",
"test-with-emulator": "firebase emulators:exec --project example-project12345 'jest'",
"test": "jest",
"build": "tsc",
"prerelease": "yarn build",
"release": "yarn publish"
},
"license": "MIT",
"repository": {
"type": "git",
"url": "https://github.com/honojs/middleware.git"
},
"homepage": "https://github.com/honojs/middleware",
"author": "codehex",
"private": false,
"publishConfig": {
"registry": "https://registry.npmjs.org",
"access": "public"
},
"dependencies": {
"firebase-auth-cloudflare-workers": "^1.0.0"
},
"peerDependencies": {
"hono": "^2.7.2"
},
"devDependencies": {
"hono": "^2.7.2",
"@cloudflare/workers-types": "^3.14.1",
"@types/jest": "^28.1.4",
"firebase-tools": "^11.4.0",
"jest": "^28.1.2",
"jest-environment-miniflare": "^2.6.0",
"prettier": "^2.7.1",
"ts-jest": "^28.0.5",
"typescript": "^4.7.4"
}
}

85
packages/firebase-auth/src/index.ts 100644
View File

@ -0,0 +1,85 @@
import type { EmulatorEnv, KeyStorer, FirebaseIdToken } from 'firebase-auth-cloudflare-workers'
import { Auth, WorkersKVStoreSingle } from 'firebase-auth-cloudflare-workers'
import type { Context, MiddlewareHandler } from 'hono'
export interface VerifyFirebaseAuthEnv extends EmulatorEnv {
PUBLIC_JWK_CACHE_KEY?: string | undefined
PUBLIC_JWK_CACHE_KV?: KVNamespace | undefined
}
export interface VerifyFirebaseAuthConfig {
projectId: string
authorizationHeaderKey?: string
keyStore?: KeyStorer
keyStoreInitializer?: (c: Context) => KeyStorer
disableErrorLog?: boolean
firebaseEmulatorHost?: string
}
const defaultKVStoreJWKCacheKey = 'verify-firebase-auth-cached-public-key'
const defaultKeyStoreInitializer = (c: Context): KeyStorer => {
return WorkersKVStoreSingle.getOrInitialize(
c.env.PUBLIC_JWK_CACHE_KEY ?? defaultKVStoreJWKCacheKey,
c.env.PUBLIC_JWK_CACHE_KV
)
}
type Env = {
Bindings: {
FIREBASE_AUTH_EMULATOR_HOST: string
}
}
export const verifyFirebaseAuth = (userConfig: VerifyFirebaseAuthConfig): MiddlewareHandler => {
const config = {
projectId: userConfig.projectId,
AuthorizationHeaderKey: userConfig.authorizationHeaderKey ?? 'Authorization',
KeyStore: userConfig.keyStore,
keyStoreInitializer: userConfig.keyStoreInitializer ?? defaultKeyStoreInitializer,
disableErrorLog: userConfig.disableErrorLog,
firebaseEmulatorHost: userConfig.firebaseEmulatorHost,
}
return async (c, next) => {
const authorization = c.req.headers.get(config.AuthorizationHeaderKey)
if (authorization === null) {
return new Response(null, {
status: 400,
})
}
const jwt = authorization.replace(/Bearer\s+/i, '')
const auth = Auth.getOrInitialize(
config.projectId,
config.KeyStore ?? config.keyStoreInitializer(c)
)
try {
const idToken = await auth.verifyIdToken(jwt, {
FIREBASE_AUTH_EMULATOR_HOST:
config.firebaseEmulatorHost ?? c.env.FIREBASE_AUTH_EMULATOR_HOST,
})
setFirebaseToken(c, idToken)
} catch (err) {
if (!userConfig.disableErrorLog) {
console.error({
message: 'failed to verify the requested firebase token',
err,
})
}
return new Response(null, {
status: 401,
})
}
await next()
}
}
const idTokenContextKey = 'firebase-auth-cloudflare-id-token-key'
const setFirebaseToken = (c: Context, idToken: FirebaseIdToken) => c.set(idTokenContextKey, idToken)
export const getFirebaseToken = (c: Context): FirebaseIdToken | null => {
const idToken = c.get(idTokenContextKey)
if (!idToken) return null
return idToken
}

322
packages/firebase-auth/test/index.test.ts 100644
View File

@ -0,0 +1,322 @@
import type { KeyStorer } from 'firebase-auth-cloudflare-workers'
import { Auth, WorkersKVStoreSingle } from 'firebase-auth-cloudflare-workers'
import { Hono } from 'hono'
import type { VerifyFirebaseAuthEnv } from '../src'
import { verifyFirebaseAuth, getFirebaseToken } from '../src'
describe('verifyFirebaseAuth middleware', () => {
const emulatorHost = '127.0.0.1:9099'
const validProjectId = 'example-project12345' // see package.json
// eslint-disable-next-line @typescript-eslint/ban-ts-comment
// @ts-ignore
const { PUBLIC_JWK_CACHE_KV } = getMiniflareBindings()
let user: signUpResponse
beforeAll(async () => {
await deleteAccountEmulator(emulatorHost, validProjectId)
user = await signUpEmulator(emulatorHost, {
email: 'codehex@hono.js',
password: 'honojs',
})
await sleep(1000) // wait for iat
})
describe('service worker syntax', () => {
test('valid case, should be 200', async () => {
const app = new Hono()
resetAuth()
// This is assumed to be obtained from an environment variable.
const PUBLIC_JWK_CACHE_KEY = 'testing-cache-key'
app.use(
'*',
verifyFirebaseAuth({
projectId: validProjectId,
keyStore: WorkersKVStoreSingle.getOrInitialize(PUBLIC_JWK_CACHE_KEY, PUBLIC_JWK_CACHE_KV),
disableErrorLog: true,
firebaseEmulatorHost: emulatorHost,
})
)
app.get('/hello', (c) => c.json(getFirebaseToken(c)))
const req = new Request('http://localhost/hello', {
headers: {
Authorization: `Bearer ${user.idToken}`,
},
})
const res = await app.request(req)
expect(res).not.toBeNull()
expect(res.status).toBe(200)
const json = await res.json<{ aud: string; email: string }>()
expect(json.aud).toBe(validProjectId)
expect(json.email).toBe('codehex@hono.js')
})
})
describe('module worker syntax', () => {
test.each([
[
'valid case, should be 200',
{
headerKey: 'Authorization',
env: {
FIREBASE_AUTH_EMULATOR_HOST: 'localhost:9099',
PUBLIC_JWK_CACHE_KEY: 'testing-cache-key',
PUBLIC_JWK_CACHE_KV,
},
config: {
projectId: validProjectId,
},
wantStatus: 200,
},
],
[
'valid specified headerKey, should be 200',
{
headerKey: 'X-Authorization',
env: {
FIREBASE_AUTH_EMULATOR_HOST: 'localhost:9099',
PUBLIC_JWK_CACHE_KEY: 'testing-cache-key',
PUBLIC_JWK_CACHE_KV,
},
config: {
projectId: validProjectId,
authorizationHeaderKey: 'X-Authorization',
},
wantStatus: 200,
},
],
[
'invalid authorization header, should be 400',
{
headerKey: 'X-Authorization',
env: {
FIREBASE_AUTH_EMULATOR_HOST: 'localhost:9099',
PUBLIC_JWK_CACHE_KEY: 'testing-cache-key',
PUBLIC_JWK_CACHE_KV,
},
config: {
projectId: validProjectId, // see package.json
// No specified header key.
},
wantStatus: 400,
},
],
[
'invalid project ID, should be 401',
{
headerKey: 'Authorization',
env: {
FIREBASE_AUTH_EMULATOR_HOST: 'localhost:9099',
PUBLIC_JWK_CACHE_KEY: 'testing-cache-key',
PUBLIC_JWK_CACHE_KV,
},
config: {
projectId: 'invalid-projectId',
},
wantStatus: 401,
},
],
])('%s', async (_, { headerKey, env, config, wantStatus }) => {
const app = new Hono<{ Bindings: VerifyFirebaseAuthEnv }>()
resetAuth()
app.use(
'*',
verifyFirebaseAuth({
...config,
disableErrorLog: true,
})
)
app.get('/hello', (c) => c.text('OK'))
const req = new Request('http://localhost/hello', {
headers: {
[headerKey]: `Bearer ${user.idToken}`,
},
})
const res = await app.fetch(req, env)
expect(res).not.toBeNull()
expect(res.status).toBe(wantStatus)
})
test('specified keyStore is used', async () => {
const testingJWT = generateDummyJWT()
const nopKeyStore = new NopKeyStore()
const getSpy = jest.spyOn(nopKeyStore, 'get')
const putSpy = jest.spyOn(nopKeyStore, 'put')
const app = new Hono<{ Bindings: VerifyFirebaseAuthEnv }>()
resetAuth()
app.use(
'*',
verifyFirebaseAuth({
projectId: validProjectId,
keyStore: nopKeyStore,
disableErrorLog: true,
})
)
app.get('/hello', (c) => c.text('OK'))
const req = new Request('http://localhost/hello', {
headers: {
Authorization: `Bearer ${testingJWT}`,
},
})
// not use firebase emulator to check using key store
const res = await app.fetch(req, {
FIREBASE_AUTH_EMULATOR_HOST: undefined,
})
expect(res).not.toBeNull()
expect(res.status).toBe(401)
expect(getSpy).toHaveBeenCalled()
expect(putSpy).toHaveBeenCalled()
})
test('usable id-token in main handler', async () => {
const testingJWT = generateDummyJWT()
const nopKeyStore = new NopKeyStore()
const app = new Hono<{ Bindings: VerifyFirebaseAuthEnv }>()
resetAuth()
app.use(
'*',
verifyFirebaseAuth({
projectId: validProjectId,
keyStore: nopKeyStore,
disableErrorLog: true,
})
)
app.get('/hello', (c) => c.json(getFirebaseToken(c)))
const req = new Request('http://localhost/hello', {
headers: {
Authorization: `Bearer ${testingJWT}`,
},
})
const res = await app.fetch(req, {
FIREBASE_AUTH_EMULATOR_HOST: emulatorHost,
})
expect(res).not.toBeNull()
expect(res.status).toBe(200)
const json = await res.json<{ aud: string; email: string }>()
expect(json.aud).toBe(validProjectId)
expect(json.email).toBe('codehex@hono.js')
})
})
})
class NopKeyStore implements KeyStorer {
// eslint-disable-next-line @typescript-eslint/no-empty-function
constructor() {}
get(): Promise<null> {
return new Promise((resolve) => resolve(null))
}
put(): Promise<void> {
return new Promise((resolve) => resolve())
}
}
const sleep = (ms: number) => new Promise((r) => setTimeout(r, ms))
// magic to reset state of static object for "firebase-auth-cloudflare-workers"
const resetAuth = () => delete Auth['instance']
const generateDummyJWT = () => {
const header = JSON.stringify({
alg: 'RS256',
kid: 'kid',
typ: 'JWT',
})
const now = Math.floor(Date.now() / 1000)
const payload = JSON.stringify({
iss: 'https://securetoken.google.com/example-project12345',
aud: 'example-project12345',
auth_time: now - 1000,
user_id: 't1aLdTkAs0S0J0P6TNbjwbmry5B3',
sub: 't1aLdTkAs0S0J0P6TNbjwbmry5B3',
iat: now - 1000,
exp: now + 3000, // + 3s
email: 'codehex@hono.js',
email_verified: false,
firebase: {
identities: {
email: ['codehex@hono.js'],
},
sign_in_provider: 'password',
},
})
return `${btoa(header)}.${btoa(payload)}.`
}
interface EmailPassword {
email: string
password: string
}
export interface signUpResponse {
kind: string
localId: string
email: string
idToken: string
refreshToken: string
expiresIn: string
}
const signUpEmulator = async (
emulatorHost: string,
body: EmailPassword
): Promise<signUpResponse> => {
// http://localhost:9099/identitytoolkit.googleapis.com/v1/accounts:signUp?key=dummy
const url = `http://${emulatorHost}/identitytoolkit.googleapis.com/v1/accounts:signUp?key=dummy`
const resp = await fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({
...body,
returnSecureToken: true,
}),
})
if (resp.status !== 200) {
console.log({ status: resp.status })
throw new Error('error')
}
return await resp.json()
}
const deleteAccountEmulator = async (emulatorHost: string, projectId: string): Promise<void> => {
// https://firebase.google.com/docs/reference/rest/auth#section-auth-emulator-clearaccounts
const url = `http://${emulatorHost}/emulator/v1/projects/${projectId}/accounts`
const resp = await fetch(url, {
method: 'DELETE',
})
if (resp.status !== 200) {
console.log({ status: resp.status })
throw new Error('error when clear accounts')
}
return
}

10
packages/firebase-auth/tsconfig.json 100644
View File

@ -0,0 +1,10 @@
{
"extends": "../../tsconfig.json",
"compilerOptions": {
"rootDir": "./src",
"outDir": "./dist",
},
"include": [
"src/**/*.ts"
],
}

3268
yarn.lock
View File

File diff suppressed because it is too large Load Diff