Merge pull request #34 from honojs/moving-firebase-auth

Moving firebase auth

.changeset/angry-cougars-smash.md

@@ -0,0 +1,5 @@
+---
+'@hono/firebase-auth': minor
+---
+
+Rename `@honojs/firebase-auth` to `@hono/firebase-auth`.

.eslintrc.js

@@ -38,6 +38,7 @@ module.exports = defineConfig({
       {
         types: {
           Function: false,
+          '{}': false,
         },
       },
     ],

.github/workflows/ci-firebase-auth.yml

@@ -0,0 +1,25 @@
+name: ci-firebase-auth
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'packages/firebase-auth/**'
+  pull_request:
+    branches: ['*']
+    paths:
+      - 'packages/firebase-auth/**'
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./packages/firebase-auth
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 18.x
+      - run: yarn install --frozen-lockfile
+      - run: yarn build
+      - run: yarn test-with-emulator

package.json

@@ -11,6 +11,7 @@
     "build:qwik-city": "yarn workspace @hono/qwik-city build",
     "build:graphql-server": "yarn workspace @hono/graphql-server build",
     "build:sentry": "yarn workspace @hono/sentry build",
+    "build:firebase-auth": "yarn workspace @hono/firebase-auth build",
     "build": "run-p build:*"
   },
   "license": "MIT",

packages/firebase-auth/README.md

@@ -0,0 +1,120 @@
+# Hono Firebase Auth middleware for Cloudflare Workers.
+
+## Moving
+
+Firebase Auth Middleware `@honojs/firebase-auth` is renamed to `@hono/firebase-auth`.
+`@honojs/firebase-auth` is not maintained, please use `@hono/firebase-auth`.
+Also, for Deno, you can use import with `npm:` prefix like `npm:@hono/firebase-auth`.
+
+---
+
+This is a Firebase Auth middleware library for [Hono](https://github.com/honojs/hono) which is used [firebase-auth-cloudflare-workers](https://github.com/Code-Hex/firebase-auth-cloudflare-workers).
+
+Currently only Cloudflare Workers are supported officially. However, it may work in other environments as well, so please let us know in an issue if it works.
+
+## Synopsis
+
+### Module Worker Syntax (recommend)
+
+```ts
+import { Hono } from "hono";
+import { VerifyFirebaseAuthConfig, VerifyFirebaseAuthEnv, verifyFirebaseAuth, getFirebaseToken } from "@hono/firebase-auth";
+
+const config: VerifyFirebaseAuthConfig = {
+  // specify your firebase project ID.
+  projectId: "your-project-id",
+}
+
+// Or you can specify here the extended VerifyFirebaseAuthEnv type.
+const app = new Hono<{ Bindings: VerifyFirebaseAuthEnv }>()
+
+// set middleware
+app.use("*", verifyFirebaseAuth(config));
+app.get("/hello", (c) => {
+  const idToken = getFirebaseToken(c) // get id-token object.
+  return c.json(idToken)
+});
+
+export default app
+```
+
+### Service Worker Syntax
+
+```ts
+import { Hono } from "hono";
+import { VerifyFirebaseAuthConfig, verifyFirebaseAuth, getFirebaseToken } from "@hono/firebase-auth";
+
+const config: VerifyFirebaseAuthConfig = {
+  // specify your firebase project ID.
+  projectId: "your-project-id",
+  // this is optional. but required in this mode.
+  keyStore: WorkersKVStoreSingle.getOrInitialize(
+    PUBLIC_JWK_CACHE_KEY,
+    PUBLIC_JWK_CACHE_KV
+  ),
+  // this is also optional. But in this mode, you can only specify here.
+  firebaseEmulatorHost: FIREBASE_AUTH_EMULATOR_HOST,
+}
+
+const app = new Hono()
+
+// set middleware
+app.use("*", verifyFirebaseAuth(config));
+app.get("/hello", (c) => {
+  const idToken = getFirebaseToken(c) // get id-token object.
+  return c.json(idToken)
+});
+
+app.fire()
+```
+
+
+## Config (`VerifyFirebaseAuthConfig`)
+
+### `projectId: string` (**required**)
+
+This field indicates your firebase project ID.
+
+### `authorizationHeaderKey?: string` (optional)
+
+Based on this configuration, the JWT created by firebase auth is looked for in the HTTP headers. The default is "Authorization".
+
+### `keyStore?: KeyStorer` (optional)
+
+This is used to cache the public key used to validate the Firebase ID token (JWT). This KeyStorer type has been defined in [firebase-auth-cloudflare-workers](https://github.com/Code-Hex/firebase-auth-cloudflare-workers/tree/main#keystorer) library. 
+
+If you don't specify the field, this library uses [WorkersKVStoreSingle](https://github.com/Code-Hex/firebase-auth-cloudflare-workers/tree/main#workerskvstoresinglegetorinitializecachekey-string-cfkvnamespace-kvnamespace-workerskvstoresingle) instead. You must fill in the fields defined in `VerifyFirebaseAuthEnv`.
+
+### `keyStoreInitializer?: (c: Context) => KeyStorer` (optional)
+
+Use this when initializing KeyStorer and environment variables, etc. are required.
+
+If you don't specify the field, this library uses [WorkersKVStoreSingle](https://github.com/Code-Hex/firebase-auth-cloudflare-workers/tree/main#workerskvstoresinglegetorinitializecachekey-string-cfkvnamespace-kvnamespace-workerskvstoresingle) instead. You must fill in the fields defined in `VerifyFirebaseAuthEnv`.
+
+### `disableErrorLog?: boolean` (optional)
+
+Throws an exception if JWT validation fails. By default, this is output to the error log, but if you don't expect it, use this.
+
+### `firebaseEmulatorHost?: string` (optional)
+
+You can specify a host for the Firebase Auth emulator. This config is mainly used when **Service Worker Syntax** is used.
+
+If not specified, check the [`FIREBASE_AUTH_EMULATOR_HOST` environment variable obtained from the request](https://github.com/Code-Hex/firebase-auth-cloudflare-workers#emulatorenv).
+
+## Author
+
+codehex <https://github.com/Code-Hex>
+
+## License
+
+MIT
+
+## Contribution
+
+If you are interested, send me PR would be greatly appreciated!
+
+To test this code in your local environment, execute the following command.
+
+```
+$ yarn test-with-emulator
+```

packages/firebase-auth/firebase.json

@@ -0,0 +1,10 @@
+{
+  "emulators": {
+    "auth": {
+      "port": 9099
+    },
+    "ui": {
+      "enabled": true
+    }
+  }
+}

packages/firebase-auth/jest.config.js

@@ -0,0 +1 @@
+module.exports = require('../../jest.config.js')

packages/firebase-auth/package.json

@@ -0,0 +1,47 @@
+{
+  "name": "@hono/firebase-auth",
+  "version": "1.0.2",
+  "description": "A third-party firebase auth middleware for Hono",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "start-firebase-emulator": "firebase emulators:start --project example-project12345",
+    "test-with-emulator": "firebase emulators:exec --project example-project12345 'jest'",
+    "test": "jest",
+    "build": "tsc",
+    "prerelease": "yarn build",
+    "release": "yarn publish"
+  },
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/honojs/middleware.git"
+  },
+  "homepage": "https://github.com/honojs/middleware",
+  "author": "codehex",
+  "private": false,
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org",
+    "access": "public"
+  },
+  "dependencies": {
+    "firebase-auth-cloudflare-workers": "^1.0.0"
+  },
+  "peerDependencies": {
+    "hono": "^2.7.2"
+  },
+  "devDependencies": {
+    "hono": "^2.7.2",
+    "@cloudflare/workers-types": "^3.14.1",
+    "@types/jest": "^28.1.4",
+    "firebase-tools": "^11.4.0",
+    "jest": "^28.1.2",
+    "jest-environment-miniflare": "^2.6.0",
+    "prettier": "^2.7.1",
+    "ts-jest": "^28.0.5",
+    "typescript": "^4.7.4"
+  }
+}

packages/firebase-auth/src/index.ts

@@ -0,0 +1,85 @@
+import type { EmulatorEnv, KeyStorer, FirebaseIdToken } from 'firebase-auth-cloudflare-workers'
+import { Auth, WorkersKVStoreSingle } from 'firebase-auth-cloudflare-workers'
+import type { Context, MiddlewareHandler } from 'hono'
+
+export interface VerifyFirebaseAuthEnv extends EmulatorEnv {
+  PUBLIC_JWK_CACHE_KEY?: string | undefined
+  PUBLIC_JWK_CACHE_KV?: KVNamespace | undefined
+}
+
+export interface VerifyFirebaseAuthConfig {
+  projectId: string
+  authorizationHeaderKey?: string
+  keyStore?: KeyStorer
+  keyStoreInitializer?: (c: Context) => KeyStorer
+  disableErrorLog?: boolean
+  firebaseEmulatorHost?: string
+}
+
+const defaultKVStoreJWKCacheKey = 'verify-firebase-auth-cached-public-key'
+const defaultKeyStoreInitializer = (c: Context): KeyStorer => {
+  return WorkersKVStoreSingle.getOrInitialize(
+    c.env.PUBLIC_JWK_CACHE_KEY ?? defaultKVStoreJWKCacheKey,
+    c.env.PUBLIC_JWK_CACHE_KV
+  )
+}
+
+type Env = {
+  Bindings: {
+    FIREBASE_AUTH_EMULATOR_HOST: string
+  }
+}
+
+export const verifyFirebaseAuth = (userConfig: VerifyFirebaseAuthConfig): MiddlewareHandler => {
+  const config = {
+    projectId: userConfig.projectId,
+    AuthorizationHeaderKey: userConfig.authorizationHeaderKey ?? 'Authorization',
+    KeyStore: userConfig.keyStore,
+    keyStoreInitializer: userConfig.keyStoreInitializer ?? defaultKeyStoreInitializer,
+    disableErrorLog: userConfig.disableErrorLog,
+    firebaseEmulatorHost: userConfig.firebaseEmulatorHost,
+  }
+
+  return async (c, next) => {
+    const authorization = c.req.headers.get(config.AuthorizationHeaderKey)
+    if (authorization === null) {
+      return new Response(null, {
+        status: 400,
+      })
+    }
+    const jwt = authorization.replace(/Bearer\s+/i, '')
+    const auth = Auth.getOrInitialize(
+      config.projectId,
+      config.KeyStore ?? config.keyStoreInitializer(c)
+    )
+
+    try {
+      const idToken = await auth.verifyIdToken(jwt, {
+        FIREBASE_AUTH_EMULATOR_HOST:
+          config.firebaseEmulatorHost ?? c.env.FIREBASE_AUTH_EMULATOR_HOST,
+      })
+      setFirebaseToken(c, idToken)
+    } catch (err) {
+      if (!userConfig.disableErrorLog) {
+        console.error({
+          message: 'failed to verify the requested firebase token',
+          err,
+        })
+      }
+      return new Response(null, {
+        status: 401,
+      })
+    }
+    await next()
+  }
+}
+
+const idTokenContextKey = 'firebase-auth-cloudflare-id-token-key'
+
+const setFirebaseToken = (c: Context, idToken: FirebaseIdToken) => c.set(idTokenContextKey, idToken)
+
+export const getFirebaseToken = (c: Context): FirebaseIdToken | null => {
+  const idToken = c.get(idTokenContextKey)
+  if (!idToken) return null
+  return idToken
+}

packages/firebase-auth/test/index.test.ts

@@ -0,0 +1,322 @@
+import type { KeyStorer } from 'firebase-auth-cloudflare-workers'
+import { Auth, WorkersKVStoreSingle } from 'firebase-auth-cloudflare-workers'
+import { Hono } from 'hono'
+import type { VerifyFirebaseAuthEnv } from '../src'
+import { verifyFirebaseAuth, getFirebaseToken } from '../src'
+
+describe('verifyFirebaseAuth middleware', () => {
+  const emulatorHost = '127.0.0.1:9099'
+  const validProjectId = 'example-project12345' // see package.json
+
+  // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+  // @ts-ignore
+  const { PUBLIC_JWK_CACHE_KV } = getMiniflareBindings()
+
+  let user: signUpResponse
+
+  beforeAll(async () => {
+    await deleteAccountEmulator(emulatorHost, validProjectId)
+
+    user = await signUpEmulator(emulatorHost, {
+      email: 'codehex@hono.js',
+      password: 'honojs',
+    })
+
+    await sleep(1000) // wait for iat
+  })
+
+  describe('service worker syntax', () => {
+    test('valid case, should be 200', async () => {
+      const app = new Hono()
+
+      resetAuth()
+
+      // This is assumed to be obtained from an environment variable.
+      const PUBLIC_JWK_CACHE_KEY = 'testing-cache-key'
+
+      app.use(
+        '*',
+        verifyFirebaseAuth({
+          projectId: validProjectId,
+          keyStore: WorkersKVStoreSingle.getOrInitialize(PUBLIC_JWK_CACHE_KEY, PUBLIC_JWK_CACHE_KV),
+          disableErrorLog: true,
+          firebaseEmulatorHost: emulatorHost,
+        })
+      )
+      app.get('/hello', (c) => c.json(getFirebaseToken(c)))
+
+      const req = new Request('http://localhost/hello', {
+        headers: {
+          Authorization: `Bearer ${user.idToken}`,
+        },
+      })
+
+      const res = await app.request(req)
+
+      expect(res).not.toBeNull()
+      expect(res.status).toBe(200)
+
+      const json = await res.json<{ aud: string; email: string }>()
+      expect(json.aud).toBe(validProjectId)
+      expect(json.email).toBe('codehex@hono.js')
+    })
+  })
+
+  describe('module worker syntax', () => {
+    test.each([
+      [
+        'valid case, should be 200',
+        {
+          headerKey: 'Authorization',
+          env: {
+            FIREBASE_AUTH_EMULATOR_HOST: 'localhost:9099',
+            PUBLIC_JWK_CACHE_KEY: 'testing-cache-key',
+            PUBLIC_JWK_CACHE_KV,
+          },
+          config: {
+            projectId: validProjectId,
+          },
+          wantStatus: 200,
+        },
+      ],
+      [
+        'valid specified headerKey, should be 200',
+        {
+          headerKey: 'X-Authorization',
+          env: {
+            FIREBASE_AUTH_EMULATOR_HOST: 'localhost:9099',
+            PUBLIC_JWK_CACHE_KEY: 'testing-cache-key',
+            PUBLIC_JWK_CACHE_KV,
+          },
+          config: {
+            projectId: validProjectId,
+            authorizationHeaderKey: 'X-Authorization',
+          },
+          wantStatus: 200,
+        },
+      ],
+      [
+        'invalid authorization header, should be 400',
+        {
+          headerKey: 'X-Authorization',
+          env: {
+            FIREBASE_AUTH_EMULATOR_HOST: 'localhost:9099',
+            PUBLIC_JWK_CACHE_KEY: 'testing-cache-key',
+            PUBLIC_JWK_CACHE_KV,
+          },
+          config: {
+            projectId: validProjectId, // see package.json
+            // No specified header key.
+          },
+          wantStatus: 400,
+        },
+      ],
+      [
+        'invalid project ID, should be 401',
+        {
+          headerKey: 'Authorization',
+          env: {
+            FIREBASE_AUTH_EMULATOR_HOST: 'localhost:9099',
+            PUBLIC_JWK_CACHE_KEY: 'testing-cache-key',
+            PUBLIC_JWK_CACHE_KV,
+          },
+          config: {
+            projectId: 'invalid-projectId',
+          },
+          wantStatus: 401,
+        },
+      ],
+    ])('%s', async (_, { headerKey, env, config, wantStatus }) => {
+      const app = new Hono<{ Bindings: VerifyFirebaseAuthEnv }>()
+
+      resetAuth()
+
+      app.use(
+        '*',
+        verifyFirebaseAuth({
+          ...config,
+          disableErrorLog: true,
+        })
+      )
+      app.get('/hello', (c) => c.text('OK'))
+
+      const req = new Request('http://localhost/hello', {
+        headers: {
+          [headerKey]: `Bearer ${user.idToken}`,
+        },
+      })
+
+      const res = await app.fetch(req, env)
+
+      expect(res).not.toBeNull()
+      expect(res.status).toBe(wantStatus)
+    })
+
+    test('specified keyStore is used', async () => {
+      const testingJWT = generateDummyJWT()
+
+      const nopKeyStore = new NopKeyStore()
+      const getSpy = jest.spyOn(nopKeyStore, 'get')
+      const putSpy = jest.spyOn(nopKeyStore, 'put')
+
+      const app = new Hono<{ Bindings: VerifyFirebaseAuthEnv }>()
+
+      resetAuth()
+
+      app.use(
+        '*',
+        verifyFirebaseAuth({
+          projectId: validProjectId,
+          keyStore: nopKeyStore,
+          disableErrorLog: true,
+        })
+      )
+      app.get('/hello', (c) => c.text('OK'))
+
+      const req = new Request('http://localhost/hello', {
+        headers: {
+          Authorization: `Bearer ${testingJWT}`,
+        },
+      })
+
+      // not use firebase emulator to check using key store
+      const res = await app.fetch(req, {
+        FIREBASE_AUTH_EMULATOR_HOST: undefined,
+      })
+
+      expect(res).not.toBeNull()
+      expect(res.status).toBe(401)
+      expect(getSpy).toHaveBeenCalled()
+      expect(putSpy).toHaveBeenCalled()
+    })
+
+    test('usable id-token in main handler', async () => {
+      const testingJWT = generateDummyJWT()
+
+      const nopKeyStore = new NopKeyStore()
+      const app = new Hono<{ Bindings: VerifyFirebaseAuthEnv }>()
+
+      resetAuth()
+
+      app.use(
+        '*',
+        verifyFirebaseAuth({
+          projectId: validProjectId,
+          keyStore: nopKeyStore,
+          disableErrorLog: true,
+        })
+      )
+      app.get('/hello', (c) => c.json(getFirebaseToken(c)))
+
+      const req = new Request('http://localhost/hello', {
+        headers: {
+          Authorization: `Bearer ${testingJWT}`,
+        },
+      })
+
+      const res = await app.fetch(req, {
+        FIREBASE_AUTH_EMULATOR_HOST: emulatorHost,
+      })
+
+      expect(res).not.toBeNull()
+      expect(res.status).toBe(200)
+
+      const json = await res.json<{ aud: string; email: string }>()
+      expect(json.aud).toBe(validProjectId)
+      expect(json.email).toBe('codehex@hono.js')
+    })
+  })
+})
+
+class NopKeyStore implements KeyStorer {
+  // eslint-disable-next-line @typescript-eslint/no-empty-function
+  constructor() {}
+  get(): Promise<null> {
+    return new Promise((resolve) => resolve(null))
+  }
+  put(): Promise<void> {
+    return new Promise((resolve) => resolve())
+  }
+}
+
+const sleep = (ms: number) => new Promise((r) => setTimeout(r, ms))
+
+// magic to reset state of static object for "firebase-auth-cloudflare-workers"
+const resetAuth = () => delete Auth['instance']
+
+const generateDummyJWT = () => {
+  const header = JSON.stringify({
+    alg: 'RS256',
+    kid: 'kid',
+    typ: 'JWT',
+  })
+  const now = Math.floor(Date.now() / 1000)
+  const payload = JSON.stringify({
+    iss: 'https://securetoken.google.com/example-project12345',
+    aud: 'example-project12345',
+    auth_time: now - 1000,
+    user_id: 't1aLdTkAs0S0J0P6TNbjwbmry5B3',
+    sub: 't1aLdTkAs0S0J0P6TNbjwbmry5B3',
+    iat: now - 1000,
+    exp: now + 3000, // + 3s
+    email: 'codehex@hono.js',
+    email_verified: false,
+    firebase: {
+      identities: {
+        email: ['codehex@hono.js'],
+      },
+      sign_in_provider: 'password',
+    },
+  })
+  return `${btoa(header)}.${btoa(payload)}.`
+}
+
+interface EmailPassword {
+  email: string
+  password: string
+}
+
+export interface signUpResponse {
+  kind: string
+  localId: string
+  email: string
+  idToken: string
+  refreshToken: string
+  expiresIn: string
+}
+
+const signUpEmulator = async (
+  emulatorHost: string,
+  body: EmailPassword
+): Promise<signUpResponse> => {
+  // http://localhost:9099/identitytoolkit.googleapis.com/v1/accounts:signUp?key=dummy
+  const url = `http://${emulatorHost}/identitytoolkit.googleapis.com/v1/accounts:signUp?key=dummy`
+  const resp = await fetch(url, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+      ...body,
+      returnSecureToken: true,
+    }),
+  })
+  if (resp.status !== 200) {
+    console.log({ status: resp.status })
+    throw new Error('error')
+  }
+  return await resp.json()
+}
+
+const deleteAccountEmulator = async (emulatorHost: string, projectId: string): Promise<void> => {
+  // https://firebase.google.com/docs/reference/rest/auth#section-auth-emulator-clearaccounts
+  const url = `http://${emulatorHost}/emulator/v1/projects/${projectId}/accounts`
+  const resp = await fetch(url, {
+    method: 'DELETE',
+  })
+  if (resp.status !== 200) {
+    console.log({ status: resp.status })
+    throw new Error('error when clear accounts')
+  }
+  return
+}

packages/firebase-auth/tsconfig.json

@@ -0,0 +1,10 @@
+{
+  "extends": "../../tsconfig.json",
+  "compilerOptions": {
+    "rootDir": "./src",
+    "outDir": "./dist",
+  },
+  "include": [
+    "src/**/*.ts"
+  ],
+}