suimeng
/
honojs-middleware
mirror of https://github.com/honojs/middleware.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add 'packages/firebase-auth/' from commit '421edc09f84fa61c3b69da14515d87e5960af9a1' 

git-subtree-dir: packages/firebase-auth
git-subtree-mainline: a66d22abb9
git-subtree-split: 421edc09f8
pull/34/head
Yusuke Wada 2023-02-04 20:02:56 +09:00
parent a66d22abb9 421edc09f8
commit 6fd67b0a1a
11 changed files with 7363 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
packages/firebase-auth/.github/workflows/ci.yml vendored 100644
View File

@ -0,0 +1,18 @@
name: ci
on:
push:
branches: [main]
pull_request:
branches: ['*']
jobs:
ci:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/setup-node@v2
with:
node-version: 18.x
- run: yarn install --frozen-lockfile
- run: yarn build
- run: yarn test-with-emulator

11
packages/firebase-auth/.github/workflows/issues.yml vendored 100644
View File

@ -0,0 +1,11 @@
name: 'good first issue'
on: [issues]
jobs:
labels:
runs-on: ubuntu-latest
steps:
- uses: Code-Hex/first-label-interaction@v1.0.2
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
issue-labels: '["good first issue"]'

9
packages/firebase-auth/.gitignore vendored 100644
View File

@ -0,0 +1,9 @@
dist
node_modules
.yarn/*
# for debug or playing
sandbox
*.log

120
packages/firebase-auth/README.md 100644
View File

@ -0,0 +1,120 @@
# Hono Firebase Auth middleware for Cloudflare Workers.
## Moving
Firebase Auth Middleware `@honojs/firebase-auth` is renamed to `@hono/firebase-auth`.
`@honojs/firebase-auth` is not maintained, please use `@hono/firebase-auth`.
Also, for Deno, you can use import with `npm:` prefix like `npm:@hono/firebase-auth`.
---
This is a Firebase Auth middleware library for [Hono](https://github.com/honojs/hono) which is used [firebase-auth-cloudflare-workers](https://github.com/Code-Hex/firebase-auth-cloudflare-workers).
Currently only Cloudflare Workers are supported officially. However, it may work in other environments as well, so please let us know in an issue if it works.
## Synopsis
### Module Worker Syntax (recommend)
```ts
import { Hono } from "hono";
import { VerifyFirebaseAuthConfig, VerifyFirebaseAuthEnv, verifyFirebaseAuth, getFirebaseToken } from "@hono/firebase-auth";
const config: VerifyFirebaseAuthConfig = {
// specify your firebase project ID.
projectId: "your-project-id",
}
// Or you can specify here the extended VerifyFirebaseAuthEnv type.
const app = new Hono<{ Bindings: VerifyFirebaseAuthEnv }>()
// set middleware
app.use("*", verifyFirebaseAuth(config));
app.get("/hello", (c) => {
const idToken = getFirebaseToken(c) // get id-token object.
return c.json(idToken)
});
export default app
```
### Service Worker Syntax
```ts
import { Hono } from "hono";
import { VerifyFirebaseAuthConfig, verifyFirebaseAuth, getFirebaseToken } from "@hono/firebase-auth";
const config: VerifyFirebaseAuthConfig = {
// specify your firebase project ID.
projectId: "your-project-id",
// this is optional. but required in this mode.
keyStore: WorkersKVStoreSingle.getOrInitialize(
PUBLIC_JWK_CACHE_KEY,
PUBLIC_JWK_CACHE_KV
),
// this is also optional. But in this mode, you can only specify here.
firebaseEmulatorHost: FIREBASE_AUTH_EMULATOR_HOST,
}
const app = new Hono()
// set middleware
app.use("*", verifyFirebaseAuth(config));
app.get("/hello", (c) => {
const idToken = getFirebaseToken(c) // get id-token object.
return c.json(idToken)
});
app.fire()
```
## Config (`VerifyFirebaseAuthConfig`)
### `projectId: string` (**required**)
This field indicates your firebase project ID.
### `authorizationHeaderKey?: string` (optional)
Based on this configuration, the JWT created by firebase auth is looked for in the HTTP headers. The default is "Authorization".
### `keyStore?: KeyStorer` (optional)
This is used to cache the public key used to validate the Firebase ID token (JWT). This KeyStorer type has been defined in [firebase-auth-cloudflare-workers](https://github.com/Code-Hex/firebase-auth-cloudflare-workers/tree/main#keystorer) library.
If you don't specify the field, this library uses [WorkersKVStoreSingle](https://github.com/Code-Hex/firebase-auth-cloudflare-workers/tree/main#workerskvstoresinglegetorinitializecachekey-string-cfkvnamespace-kvnamespace-workerskvstoresingle) instead. You must fill in the fields defined in `VerifyFirebaseAuthEnv`.
### `keyStoreInitializer?: (c: Context) => KeyStorer` (optional)
Use this when initializing KeyStorer and environment variables, etc. are required.
If you don't specify the field, this library uses [WorkersKVStoreSingle](https://github.com/Code-Hex/firebase-auth-cloudflare-workers/tree/main#workerskvstoresinglegetorinitializecachekey-string-cfkvnamespace-kvnamespace-workerskvstoresingle) instead. You must fill in the fields defined in `VerifyFirebaseAuthEnv`.
### `disableErrorLog?: boolean` (optional)
Throws an exception if JWT validation fails. By default, this is output to the error log, but if you don't expect it, use this.
### `firebaseEmulatorHost?: string` (optional)
You can specify a host for the Firebase Auth emulator. This config is mainly used when **Service Worker Syntax** is used.
If not specified, check the [`FIREBASE_AUTH_EMULATOR_HOST` environment variable obtained from the request](https://github.com/Code-Hex/firebase-auth-cloudflare-workers#emulatorenv).
## Author
codehex <https://github.com/Code-Hex>
## License
MIT
## Contribution
If you are interested, send me PR would be greatly appreciated!
To test this code in your local environment, execute the following command.
```
$ yarn test-with-emulator
```

10
packages/firebase-auth/firebase.json 100644
View File

@ -0,0 +1,10 @@
{
"emulators": {
"auth": {
"port": 9099
},
"ui": {
"enabled": true
}
}
}

13
packages/firebase-auth/jest.config.js 100644
View File

@ -0,0 +1,13 @@
module.exports = {
testMatch: [
"**/test/**/*.+(ts|tsx|js)",
"**/src/**/(*.)+(spec|test).+(ts|tsx|js)",
],
transform: {
"^.+\\.(ts|tsx)$": "ts-jest",
},
testEnvironment: "miniflare",
testEnvironmentOptions: {
kvNamespaces: ["PUBLIC_JWK_CACHE_KV"],
},
};

44
packages/firebase-auth/package.json 100644
View File

@ -0,0 +1,44 @@
{
"name": "@honojs/firebase-auth",
"version": "1.0.2",
"description": "A third-party firebase auth middleware for Hono",
"main": "dist/index.js",
"types": "dist/index.d.ts",
"files": [
"dist"
],
"scripts": {
"start-firebase-emulator": "firebase emulators:start --project example-project12345",
"test-with-emulator": "firebase emulators:exec --project example-project12345 'jest'",
"test": "jest",
"build": "tsc",
"prerelease": "yarn build",
"release": "yarn publish"
},
"license": "MIT",
"repository": {
"type": "git",
"url": "https://github.com/honojs/firebase-auth.git"
},
"homepage": "https://github.com/honojs/firebase-auth",
"author": "codehex",
"private": false,
"publishConfig": {
"registry": "https://registry.npmjs.org",
"access": "public"
},
"dependencies": {
"firebase-auth-cloudflare-workers": "^1.0.0",
"hono": "^2.1.3"
},
"devDependencies": {
"@cloudflare/workers-types": "^3.14.1",
"@types/jest": "^28.1.4",
"firebase-tools": "^11.4.0",
"jest": "^28.1.2",
"jest-environment-miniflare": "^2.6.0",
"prettier": "^2.7.1",
"ts-jest": "^28.0.5",
"typescript": "^4.7.4"
}
}

89
packages/firebase-auth/src/index.ts 100644
View File

@ -0,0 +1,89 @@
import { Context, Handler } from "hono";
import {
EmulatorEnv,
Auth,
WorkersKVStoreSingle,
KeyStorer,
FirebaseIdToken,
} from "firebase-auth-cloudflare-workers";
export interface VerifyFirebaseAuthEnv extends EmulatorEnv {
PUBLIC_JWK_CACHE_KEY?: string | undefined;
PUBLIC_JWK_CACHE_KV?: KVNamespace | undefined;
}
export interface VerifyFirebaseAuthConfig {
projectId: string;
authorizationHeaderKey?: string;
keyStore?: KeyStorer;
keyStoreInitializer?: (c: Context) => KeyStorer;
disableErrorLog?: boolean;
firebaseEmulatorHost?: string;
}
const defaultKVStoreJWKCacheKey = "verify-firebase-auth-cached-public-key";
const defaultKeyStoreInitializer = (c: Context): KeyStorer => {
return WorkersKVStoreSingle.getOrInitialize(
c.env.PUBLIC_JWK_CACHE_KEY ?? defaultKVStoreJWKCacheKey,
c.env.PUBLIC_JWK_CACHE_KV
);
};
export const verifyFirebaseAuth = (
userConfig: VerifyFirebaseAuthConfig
): Handler => {
const config = {
projectId: userConfig.projectId,
AuthorizationHeaderKey:
userConfig.authorizationHeaderKey ?? "Authorization",
KeyStore: userConfig.keyStore,
keyStoreInitializer:
userConfig.keyStoreInitializer ?? defaultKeyStoreInitializer,
disableErrorLog: userConfig.disableErrorLog,
firebaseEmulatorHost: userConfig.firebaseEmulatorHost,
};
return async (c, next) => {
const authorization = c.req.headers.get(config.AuthorizationHeaderKey);
if (authorization === null) {
return new Response(null, {
status: 400,
});
}
const jwt = authorization.replace(/Bearer\s+/i, "");
const auth = Auth.getOrInitialize(
config.projectId,
config.KeyStore ?? config.keyStoreInitializer(c)
);
try {
const idToken = await auth.verifyIdToken(jwt, {
FIREBASE_AUTH_EMULATOR_HOST:
config.firebaseEmulatorHost ?? c.env.FIREBASE_AUTH_EMULATOR_HOST,
});
setFirebaseToken(c, idToken);
} catch (err) {
if (!userConfig.disableErrorLog) {
console.error({
message: "failed to verify the requested firebase token",
err,
});
}
return new Response(null, {
status: 401,
});
}
await next();
};
};
const idTokenContextKey = "firebase-auth-cloudflare-id-token-key";
const setFirebaseToken = (c: Context, idToken: FirebaseIdToken) =>
c.set(idTokenContextKey, idToken);
export const getFirebaseToken = (c: Context): FirebaseIdToken | null => {
const idToken = c.get(idTokenContextKey);
if (!idToken) return null;
return idToken;
};

332
packages/firebase-auth/test/index.test.ts 100644
View File

@ -0,0 +1,332 @@
import {
Auth,
KeyStorer,
WorkersKVStoreSingle,
} from "firebase-auth-cloudflare-workers";
import { Hono } from "hono";
import {
VerifyFirebaseAuthEnv,
verifyFirebaseAuth,
getFirebaseToken,
} from "../src";
describe("verifyFirebaseAuth middleware", () => {
const emulatorHost = "127.0.0.1:9099";
const validProjectId = "example-project12345"; // see package.json
// @ts-ignore
const { PUBLIC_JWK_CACHE_KV } = getMiniflareBindings();
let user: signUpResponse;
beforeAll(async () => {
await deleteAccountEmulator(emulatorHost, validProjectId);
user = await signUpEmulator(emulatorHost, {
email: "codehex@hono.js",
password: "honojs",
});
await sleep(1000); // wait for iat
});
describe("service worker syntax", () => {
test("valid case, should be 200", async () => {
const app = new Hono();
resetAuth();
// This is assumed to be obtained from an environment variable.
const PUBLIC_JWK_CACHE_KEY = "testing-cache-key";
app.use(
"*",
verifyFirebaseAuth({
projectId: validProjectId,
keyStore: WorkersKVStoreSingle.getOrInitialize(
PUBLIC_JWK_CACHE_KEY,
PUBLIC_JWK_CACHE_KV
),
disableErrorLog: true,
firebaseEmulatorHost: emulatorHost,
})
);
app.get("/hello", (c) => c.json(getFirebaseToken(c)));
const req = new Request("http://localhost/hello", {
headers: {
Authorization: `Bearer ${user.idToken}`,
},
});
const res = await app.request(req);
expect(res).not.toBeNull();
expect(res.status).toBe(200);
const json = await res.json<{ aud: string; email: string }>();
expect(json.aud).toBe(validProjectId);
expect(json.email).toBe("codehex@hono.js");
});
});
describe("module worker syntax", () => {
test.each([
[
"valid case, should be 200",
{
headerKey: "Authorization",
env: {
FIREBASE_AUTH_EMULATOR_HOST: "localhost:9099",
PUBLIC_JWK_CACHE_KEY: "testing-cache-key",
PUBLIC_JWK_CACHE_KV,
},
config: {
projectId: validProjectId,
},
wantStatus: 200,
},
],
[
"valid specified headerKey, should be 200",
{
headerKey: "X-Authorization",
env: {
FIREBASE_AUTH_EMULATOR_HOST: "localhost:9099",
PUBLIC_JWK_CACHE_KEY: "testing-cache-key",
PUBLIC_JWK_CACHE_KV,
},
config: {
projectId: validProjectId,
authorizationHeaderKey: "X-Authorization",
},
wantStatus: 200,
},
],
[
"invalid authorization header, should be 400",
{
headerKey: "X-Authorization",
env: {
FIREBASE_AUTH_EMULATOR_HOST: "localhost:9099",
PUBLIC_JWK_CACHE_KEY: "testing-cache-key",
PUBLIC_JWK_CACHE_KV,
},
config: {
projectId: validProjectId, // see package.json
// No specified header key.
},
wantStatus: 400,
},
],
[
"invalid project ID, should be 401",
{
headerKey: "Authorization",
env: {
FIREBASE_AUTH_EMULATOR_HOST: "localhost:9099",
PUBLIC_JWK_CACHE_KEY: "testing-cache-key",
PUBLIC_JWK_CACHE_KV,
},
config: {
projectId: "invalid-projectId",
},
wantStatus: 401,
},
],
])("%s", async (_, { headerKey, env, config, wantStatus }) => {
const app = new Hono<{ Bindings: VerifyFirebaseAuthEnv }>();
resetAuth();
app.use(
"*",
verifyFirebaseAuth({
...config,
disableErrorLog: true,
})
);
app.get("/hello", (c) => c.text("OK"));
const req = new Request("http://localhost/hello", {
headers: {
[headerKey]: `Bearer ${user.idToken}`,
},
});
const res = await app.fetch(req, env);
expect(res).not.toBeNull();
expect(res.status).toBe(wantStatus);
});
test("specified keyStore is used", async () => {
const testingJWT = generateDummyJWT();
const nopKeyStore = new NopKeyStore();
const getSpy = jest.spyOn(nopKeyStore, "get");
const putSpy = jest.spyOn(nopKeyStore, "put");
const app = new Hono<{ Bindings: VerifyFirebaseAuthEnv }>();
resetAuth();
app.use(
"*",
verifyFirebaseAuth({
projectId: validProjectId,
keyStore: nopKeyStore,
disableErrorLog: true,
})
);
app.get("/hello", (c) => c.text("OK"));
const req = new Request("http://localhost/hello", {
headers: {
Authorization: `Bearer ${testingJWT}`,
},
});
// not use firebase emulator to check using key store
const res = await app.fetch(req, {
FIREBASE_AUTH_EMULATOR_HOST: undefined,
});
expect(res).not.toBeNull();
expect(res.status).toBe(401);
expect(getSpy).toHaveBeenCalled();
expect(putSpy).toHaveBeenCalled();
});
test("usable id-token in main handler", async () => {
const testingJWT = generateDummyJWT();
const nopKeyStore = new NopKeyStore();
const app = new Hono<{ Bindings: VerifyFirebaseAuthEnv }>();
resetAuth();
app.use(
"*",
verifyFirebaseAuth({
projectId: validProjectId,
keyStore: nopKeyStore,
disableErrorLog: true,
})
);
app.get("/hello", (c) => c.json(getFirebaseToken(c)));
const req = new Request("http://localhost/hello", {
headers: {
Authorization: `Bearer ${testingJWT}`,
},
});
const res = await app.fetch(req, {
FIREBASE_AUTH_EMULATOR_HOST: emulatorHost,
});
expect(res).not.toBeNull();
expect(res.status).toBe(200);
const json = await res.json<{ aud: string; email: string }>();
expect(json.aud).toBe(validProjectId);
expect(json.email).toBe("codehex@hono.js");
});
});
});
class NopKeyStore implements KeyStorer {
constructor() {}
get(): Promise<null> {
return new Promise((resolve) => resolve(null));
}
put(): Promise<void> {
return new Promise((resolve) => resolve());
}
}
const sleep = (ms: number) => new Promise((r) => setTimeout(r, ms));
// magic to reset state of static object for "firebase-auth-cloudflare-workers"
const resetAuth = () => delete Auth["instance"];
const generateDummyJWT = () => {
const header = JSON.stringify({
alg: "RS256",
kid: "kid",
typ: "JWT",
});
const now = Math.floor(Date.now() / 1000);
const payload = JSON.stringify({
iss: `https://securetoken.google.com/example-project12345`,
aud: "example-project12345",
auth_time: now - 1000,
user_id: "t1aLdTkAs0S0J0P6TNbjwbmry5B3",
sub: "t1aLdTkAs0S0J0P6TNbjwbmry5B3",
iat: now - 1000,
exp: now + 3000, // + 3s
email: "codehex@hono.js",
email_verified: false,
firebase: {
identities: {
email: ["codehex@hono.js"],
},
sign_in_provider: "password",
},
});
return `${btoa(header)}.${btoa(payload)}.`;
};
interface EmailPassword {
email: string;
password: string;
}
export interface signUpResponse {
kind: string;
localId: string;
email: string;
idToken: string;
refreshToken: string;
expiresIn: string;
}
const signUpEmulator = async (
emulatorHost: string,
body: EmailPassword
): Promise<signUpResponse> => {
// http://localhost:9099/identitytoolkit.googleapis.com/v1/accounts:signUp?key=dummy
const url = `http://${emulatorHost}/identitytoolkit.googleapis.com/v1/accounts:signUp?key=dummy`;
const resp = await fetch(url, {
method: "POST",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify({
...body,
returnSecureToken: true,
}),
});
if (resp.status !== 200) {
console.log({ status: resp.status });
throw new Error("error");
}
return await resp.json();
};
const deleteAccountEmulator = async (
emulatorHost: string,
projectId: string
): Promise<void> => {
// https://firebase.google.com/docs/reference/rest/auth#section-auth-emulator-clearaccounts
const url = `http://${emulatorHost}/emulator/v1/projects/${projectId}/accounts`;
const resp = await fetch(url, {
method: "DELETE",
});
if (resp.status !== 200) {
console.log({ status: resp.status });
throw new Error("error when clear accounts");
}
return;
};

26
packages/firebase-auth/tsconfig.json 100644
View File

@ -0,0 +1,26 @@
{
"compilerOptions": {
"target": "es2020",
"module": "commonjs",
"declaration": true,
"moduleResolution": "Node",
"esModuleInterop": true,
"forceConsistentCasingInFileNames": true,
"strict": true,
"skipLibCheck": true,
"strictPropertyInitialization": true,
"strictNullChecks": true,
"noUnusedLocals": true,
"noUnusedParameters": true,
"types": [
"jest",
"node",
"@cloudflare/workers-types"
],
"rootDir": "./src",
"outDir": "./dist",
},
"include": [
"src/**/*.ts"
],
}

6691
packages/firebase-auth/yarn.lock 100644
View File

File diff suppressed because it is too large Load Diff