suimeng
/
honojs-middleware
mirror of https://github.com/honojs/middleware.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

setup Firebase Auth middleware

pull/34/head
Yusuke Wada 2023-02-04 20:20:42 +09:00
parent 6fd67b0a1a
commit e0f68909ea
12 changed files with 3421 additions and 7010 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.eslintrc.js
View File

@ -38,6 +38,7 @@ module.exports = defineConfig({
{
types: {
Function: false,
'{}': false,
},
},
],

9
packages/firebase-auth/.github/workflows/ci.yml → .github/workflows/ci-firebase-auth.yml vendored
View File

@ -1,13 +1,20 @@
name: ci
name: ci-firebase-auth
on:
push:
branches: [main]
paths:
- 'packages/firebase-auth/**'
pull_request:
branches: ['*']
paths:
- 'packages/firebase-auth/**'
jobs:
ci:
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./packages/firebase-auth
steps:
- uses: actions/checkout@v2
- uses: actions/setup-node@v2

1
package.json
View File

@ -11,6 +11,7 @@
"build:qwik-city": "yarn workspace @hono/qwik-city build",
"build:graphql-server": "yarn workspace @hono/graphql-server build",
"build:sentry": "yarn workspace @hono/sentry build",
"build:firebase-auth": "yarn workspace @hono/firebase-auth build",
"build": "run-p build:*"
},
"license": "MIT",

11
packages/firebase-auth/.github/workflows/issues.yml vendored
View File

@ -1,11 +0,0 @@
name: 'good first issue'
on: [issues]
jobs:
labels:
runs-on: ubuntu-latest
steps:
- uses: Code-Hex/first-label-interaction@v1.0.2
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
issue-labels: '["good first issue"]'

9
packages/firebase-auth/.gitignore vendored
View File

@ -1,9 +0,0 @@
dist
node_modules
.yarn/*
# for debug or playing
sandbox
*.log

14
packages/firebase-auth/jest.config.js
View File

@ -1,13 +1 @@
module.exports = {
testMatch: [
"**/test/**/*.+(ts|tsx|js)",
"**/src/**/(*.)+(spec|test).+(ts|tsx|js)",
],
transform: {
"^.+\\.(ts|tsx)$": "ts-jest",
},
testEnvironment: "miniflare",
testEnvironmentOptions: {
kvNamespaces: ["PUBLIC_JWK_CACHE_KV"],
},
};
module.exports = require('../../jest.config.js')

15
packages/firebase-auth/package.json
View File

@ -1,5 +1,5 @@
{
"name": "@honojs/firebase-auth",
"name": "@hono/firebase-auth",
"version": "1.0.2",
"description": "A third-party firebase auth middleware for Hono",
"main": "dist/index.js",
@ -18,9 +18,9 @@
"license": "MIT",
"repository": {
"type": "git",
"url": "https://github.com/honojs/firebase-auth.git"
"url": "https://github.com/honojs/middleware.git"
},
"homepage": "https://github.com/honojs/firebase-auth",
"homepage": "https://github.com/honojs/middleware",
"author": "codehex",
"private": false,
"publishConfig": {
@ -28,10 +28,13 @@
"access": "public"
},
"dependencies": {
"firebase-auth-cloudflare-workers": "^1.0.0",
"hono": "^2.1.3"
"firebase-auth-cloudflare-workers": "^1.0.0"
},
"peerDependencies": {
"hono": "^2.7.2"
},
"devDependencies": {
"hono": "^2.7.2",
"@cloudflare/workers-types": "^3.14.1",
"@types/jest": "^28.1.4",
"firebase-tools": "^11.4.0",
@ -41,4 +44,4 @@
"ts-jest": "^28.0.5",
"typescript": "^4.7.4"
}
}
}

88
packages/firebase-auth/src/index.ts
View File

@ -1,89 +1,85 @@
import { Context, Handler } from "hono";
import {
EmulatorEnv,
Auth,
WorkersKVStoreSingle,
KeyStorer,
FirebaseIdToken,
} from "firebase-auth-cloudflare-workers";
import type { EmulatorEnv, KeyStorer, FirebaseIdToken } from 'firebase-auth-cloudflare-workers'
import { Auth, WorkersKVStoreSingle } from 'firebase-auth-cloudflare-workers'
import type { Context, MiddlewareHandler } from 'hono'
export interface VerifyFirebaseAuthEnv extends EmulatorEnv {
PUBLIC_JWK_CACHE_KEY?: string | undefined;
PUBLIC_JWK_CACHE_KV?: KVNamespace | undefined;
PUBLIC_JWK_CACHE_KEY?: string | undefined
PUBLIC_JWK_CACHE_KV?: KVNamespace | undefined
}
export interface VerifyFirebaseAuthConfig {
projectId: string;
authorizationHeaderKey?: string;
keyStore?: KeyStorer;
keyStoreInitializer?: (c: Context) => KeyStorer;
disableErrorLog?: boolean;
firebaseEmulatorHost?: string;
projectId: string
authorizationHeaderKey?: string
keyStore?: KeyStorer
keyStoreInitializer?: (c: Context) => KeyStorer
disableErrorLog?: boolean
firebaseEmulatorHost?: string
}
const defaultKVStoreJWKCacheKey = "verify-firebase-auth-cached-public-key";
const defaultKVStoreJWKCacheKey = 'verify-firebase-auth-cached-public-key'
const defaultKeyStoreInitializer = (c: Context): KeyStorer => {
return WorkersKVStoreSingle.getOrInitialize(
c.env.PUBLIC_JWK_CACHE_KEY ?? defaultKVStoreJWKCacheKey,
c.env.PUBLIC_JWK_CACHE_KV
);
};
)
}
export const verifyFirebaseAuth = (
userConfig: VerifyFirebaseAuthConfig
): Handler => {
type Env = {
Bindings: {
FIREBASE_AUTH_EMULATOR_HOST: string
}
}
export const verifyFirebaseAuth = (userConfig: VerifyFirebaseAuthConfig): MiddlewareHandler => {
const config = {
projectId: userConfig.projectId,
AuthorizationHeaderKey:
userConfig.authorizationHeaderKey ?? "Authorization",
AuthorizationHeaderKey: userConfig.authorizationHeaderKey ?? 'Authorization',
KeyStore: userConfig.keyStore,
keyStoreInitializer:
userConfig.keyStoreInitializer ?? defaultKeyStoreInitializer,
keyStoreInitializer: userConfig.keyStoreInitializer ?? defaultKeyStoreInitializer,
disableErrorLog: userConfig.disableErrorLog,
firebaseEmulatorHost: userConfig.firebaseEmulatorHost,
};
}
return async (c, next) => {
const authorization = c.req.headers.get(config.AuthorizationHeaderKey);
const authorization = c.req.headers.get(config.AuthorizationHeaderKey)
if (authorization === null) {
return new Response(null, {
status: 400,
});
})
}
const jwt = authorization.replace(/Bearer\s+/i, "");
const jwt = authorization.replace(/Bearer\s+/i, '')
const auth = Auth.getOrInitialize(
config.projectId,
config.KeyStore ?? config.keyStoreInitializer(c)
);
)
try {
const idToken = await auth.verifyIdToken(jwt, {
FIREBASE_AUTH_EMULATOR_HOST:
config.firebaseEmulatorHost ?? c.env.FIREBASE_AUTH_EMULATOR_HOST,
});
setFirebaseToken(c, idToken);
})
setFirebaseToken(c, idToken)
} catch (err) {
if (!userConfig.disableErrorLog) {
console.error({
message: "failed to verify the requested firebase token",
message: 'failed to verify the requested firebase token',
err,
});
})
}
return new Response(null, {
status: 401,
});
})
}
await next();
};
};
await next()
}
}
const idTokenContextKey = "firebase-auth-cloudflare-id-token-key";
const idTokenContextKey = 'firebase-auth-cloudflare-id-token-key'
const setFirebaseToken = (c: Context, idToken: FirebaseIdToken) =>
c.set(idTokenContextKey, idToken);
const setFirebaseToken = (c: Context, idToken: FirebaseIdToken) => c.set(idTokenContextKey, idToken)
export const getFirebaseToken = (c: Context): FirebaseIdToken | null => {
const idToken = c.get(idTokenContextKey);
if (!idToken) return null;
return idToken;
};
const idToken = c.get(idTokenContextKey)
if (!idToken) return null
return idToken
}

306
packages/firebase-auth/test/index.test.ts
View File

@ -1,84 +1,76 @@
import {
Auth,
KeyStorer,
WorkersKVStoreSingle,
} from "firebase-auth-cloudflare-workers";
import { Hono } from "hono";
import {
VerifyFirebaseAuthEnv,
verifyFirebaseAuth,
getFirebaseToken,
} from "../src";
import type { KeyStorer } from 'firebase-auth-cloudflare-workers'
import { Auth, WorkersKVStoreSingle } from 'firebase-auth-cloudflare-workers'
import { Hono } from 'hono'
import type { VerifyFirebaseAuthEnv } from '../src'
import { verifyFirebaseAuth, getFirebaseToken } from '../src'
describe("verifyFirebaseAuth middleware", () => {
const emulatorHost = "127.0.0.1:9099";
const validProjectId = "example-project12345"; // see package.json
describe('verifyFirebaseAuth middleware', () => {
const emulatorHost = '127.0.0.1:9099'
const validProjectId = 'example-project12345' // see package.json
// eslint-disable-next-line @typescript-eslint/ban-ts-comment
// @ts-ignore
const { PUBLIC_JWK_CACHE_KV } = getMiniflareBindings();
const { PUBLIC_JWK_CACHE_KV } = getMiniflareBindings()
let user: signUpResponse;
let user: signUpResponse
beforeAll(async () => {
await deleteAccountEmulator(emulatorHost, validProjectId);
await deleteAccountEmulator(emulatorHost, validProjectId)
user = await signUpEmulator(emulatorHost, {
email: "codehex@hono.js",
password: "honojs",
});
email: 'codehex@hono.js',
password: 'honojs',
})
await sleep(1000); // wait for iat
});
await sleep(1000) // wait for iat
})
describe("service worker syntax", () => {
test("valid case, should be 200", async () => {
const app = new Hono();
describe('service worker syntax', () => {
test('valid case, should be 200', async () => {
const app = new Hono()
resetAuth();
resetAuth()
// This is assumed to be obtained from an environment variable.
const PUBLIC_JWK_CACHE_KEY = "testing-cache-key";
const PUBLIC_JWK_CACHE_KEY = 'testing-cache-key'
app.use(
"*",
'*',
verifyFirebaseAuth({
projectId: validProjectId,
keyStore: WorkersKVStoreSingle.getOrInitialize(
PUBLIC_JWK_CACHE_KEY,
PUBLIC_JWK_CACHE_KV
),
keyStore: WorkersKVStoreSingle.getOrInitialize(PUBLIC_JWK_CACHE_KEY, PUBLIC_JWK_CACHE_KV),
disableErrorLog: true,
firebaseEmulatorHost: emulatorHost,
})
);
app.get("/hello", (c) => c.json(getFirebaseToken(c)));
)
app.get('/hello', (c) => c.json(getFirebaseToken(c)))
const req = new Request("http://localhost/hello", {
const req = new Request('http://localhost/hello', {
headers: {
Authorization: `Bearer ${user.idToken}`,
},
});
})
const res = await app.request(req);
const res = await app.request(req)
expect(res).not.toBeNull();
expect(res.status).toBe(200);
expect(res).not.toBeNull()
expect(res.status).toBe(200)
const json = await res.json<{ aud: string; email: string }>();
expect(json.aud).toBe(validProjectId);
expect(json.email).toBe("codehex@hono.js");
});
});
const json = await res.json<{ aud: string; email: string }>()
expect(json.aud).toBe(validProjectId)
expect(json.email).toBe('codehex@hono.js')
})
})
describe("module worker syntax", () => {
describe('module worker syntax', () => {
test.each([
[
"valid case, should be 200",
'valid case, should be 200',
{
headerKey: "Authorization",
headerKey: 'Authorization',
env: {
FIREBASE_AUTH_EMULATOR_HOST: "localhost:9099",
PUBLIC_JWK_CACHE_KEY: "testing-cache-key",
FIREBASE_AUTH_EMULATOR_HOST: 'localhost:9099',
PUBLIC_JWK_CACHE_KEY: 'testing-cache-key',
PUBLIC_JWK_CACHE_KV,
},
config: {
@ -88,28 +80,28 @@ describe("verifyFirebaseAuth middleware", () => {
},
],
[
"valid specified headerKey, should be 200",
'valid specified headerKey, should be 200',
{
headerKey: "X-Authorization",
headerKey: 'X-Authorization',
env: {
FIREBASE_AUTH_EMULATOR_HOST: "localhost:9099",
PUBLIC_JWK_CACHE_KEY: "testing-cache-key",
FIREBASE_AUTH_EMULATOR_HOST: 'localhost:9099',
PUBLIC_JWK_CACHE_KEY: 'testing-cache-key',
PUBLIC_JWK_CACHE_KV,
},
config: {
projectId: validProjectId,
authorizationHeaderKey: "X-Authorization",
authorizationHeaderKey: 'X-Authorization',
},
wantStatus: 200,
},
],
[
"invalid authorization header, should be 400",
'invalid authorization header, should be 400',
{
headerKey: "X-Authorization",
headerKey: 'X-Authorization',
env: {
FIREBASE_AUTH_EMULATOR_HOST: "localhost:9099",
PUBLIC_JWK_CACHE_KEY: "testing-cache-key",
FIREBASE_AUTH_EMULATOR_HOST: 'localhost:9099',
PUBLIC_JWK_CACHE_KEY: 'testing-cache-key',
PUBLIC_JWK_CACHE_KV,
},
config: {
@ -120,176 +112,177 @@ describe("verifyFirebaseAuth middleware", () => {
},
],
[
"invalid project ID, should be 401",
'invalid project ID, should be 401',
{
headerKey: "Authorization",
headerKey: 'Authorization',
env: {
FIREBASE_AUTH_EMULATOR_HOST: "localhost:9099",
PUBLIC_JWK_CACHE_KEY: "testing-cache-key",
FIREBASE_AUTH_EMULATOR_HOST: 'localhost:9099',
PUBLIC_JWK_CACHE_KEY: 'testing-cache-key',
PUBLIC_JWK_CACHE_KV,
},
config: {
projectId: "invalid-projectId",
projectId: 'invalid-projectId',
},
wantStatus: 401,
},
],
])("%s", async (_, { headerKey, env, config, wantStatus }) => {
const app = new Hono<{ Bindings: VerifyFirebaseAuthEnv }>();
])('%s', async (_, { headerKey, env, config, wantStatus }) => {
const app = new Hono<{ Bindings: VerifyFirebaseAuthEnv }>()
resetAuth();
resetAuth()
app.use(
"*",
'*',
verifyFirebaseAuth({
...config,
disableErrorLog: true,
})
);
app.get("/hello", (c) => c.text("OK"));
)
app.get('/hello', (c) => c.text('OK'))
const req = new Request("http://localhost/hello", {
const req = new Request('http://localhost/hello', {
headers: {
[headerKey]: `Bearer ${user.idToken}`,
},
});
})
const res = await app.fetch(req, env);
const res = await app.fetch(req, env)
expect(res).not.toBeNull();
expect(res.status).toBe(wantStatus);
});
expect(res).not.toBeNull()
expect(res.status).toBe(wantStatus)
})
test("specified keyStore is used", async () => {
const testingJWT = generateDummyJWT();
test('specified keyStore is used', async () => {
const testingJWT = generateDummyJWT()
const nopKeyStore = new NopKeyStore();
const getSpy = jest.spyOn(nopKeyStore, "get");
const putSpy = jest.spyOn(nopKeyStore, "put");
const nopKeyStore = new NopKeyStore()
const getSpy = jest.spyOn(nopKeyStore, 'get')
const putSpy = jest.spyOn(nopKeyStore, 'put')
const app = new Hono<{ Bindings: VerifyFirebaseAuthEnv }>();
const app = new Hono<{ Bindings: VerifyFirebaseAuthEnv }>()
resetAuth();
resetAuth()
app.use(
"*",
'*',
verifyFirebaseAuth({
projectId: validProjectId,
keyStore: nopKeyStore,
disableErrorLog: true,
})
);
app.get("/hello", (c) => c.text("OK"));
)
app.get('/hello', (c) => c.text('OK'))
const req = new Request("http://localhost/hello", {
const req = new Request('http://localhost/hello', {
headers: {
Authorization: `Bearer ${testingJWT}`,
},
});
})
// not use firebase emulator to check using key store
const res = await app.fetch(req, {
FIREBASE_AUTH_EMULATOR_HOST: undefined,
});
})
expect(res).not.toBeNull();
expect(res.status).toBe(401);
expect(getSpy).toHaveBeenCalled();
expect(putSpy).toHaveBeenCalled();
});
expect(res).not.toBeNull()
expect(res.status).toBe(401)
expect(getSpy).toHaveBeenCalled()
expect(putSpy).toHaveBeenCalled()
})
test("usable id-token in main handler", async () => {
const testingJWT = generateDummyJWT();
test('usable id-token in main handler', async () => {
const testingJWT = generateDummyJWT()
const nopKeyStore = new NopKeyStore();
const app = new Hono<{ Bindings: VerifyFirebaseAuthEnv }>();
const nopKeyStore = new NopKeyStore()
const app = new Hono<{ Bindings: VerifyFirebaseAuthEnv }>()
resetAuth();
resetAuth()
app.use(
"*",
'*',
verifyFirebaseAuth({
projectId: validProjectId,
keyStore: nopKeyStore,
disableErrorLog: true,
})
);
app.get("/hello", (c) => c.json(getFirebaseToken(c)));
)
app.get('/hello', (c) => c.json(getFirebaseToken(c)))
const req = new Request("http://localhost/hello", {
const req = new Request('http://localhost/hello', {
headers: {
Authorization: `Bearer ${testingJWT}`,
},
});
})
const res = await app.fetch(req, {
FIREBASE_AUTH_EMULATOR_HOST: emulatorHost,
});
})
expect(res).not.toBeNull();
expect(res.status).toBe(200);
expect(res).not.toBeNull()
expect(res.status).toBe(200)
const json = await res.json<{ aud: string; email: string }>();
expect(json.aud).toBe(validProjectId);
expect(json.email).toBe("codehex@hono.js");
});
});
});
const json = await res.json<{ aud: string; email: string }>()
expect(json.aud).toBe(validProjectId)
expect(json.email).toBe('codehex@hono.js')
})
})
})
class NopKeyStore implements KeyStorer {
// eslint-disable-next-line @typescript-eslint/no-empty-function
constructor() {}
get(): Promise<null> {
return new Promise((resolve) => resolve(null));
return new Promise((resolve) => resolve(null))
}
put(): Promise<void> {
return new Promise((resolve) => resolve());
return new Promise((resolve) => resolve())
}
}
const sleep = (ms: number) => new Promise((r) => setTimeout(r, ms));
const sleep = (ms: number) => new Promise((r) => setTimeout(r, ms))
// magic to reset state of static object for "firebase-auth-cloudflare-workers"
const resetAuth = () => delete Auth["instance"];
const resetAuth = () => delete Auth['instance']
const generateDummyJWT = () => {
const header = JSON.stringify({
alg: "RS256",
kid: "kid",
typ: "JWT",
});
const now = Math.floor(Date.now() / 1000);
alg: 'RS256',
kid: 'kid',
typ: 'JWT',
})
const now = Math.floor(Date.now() / 1000)
const payload = JSON.stringify({
iss: `https://securetoken.google.com/example-project12345`,
aud: "example-project12345",
iss: 'https://securetoken.google.com/example-project12345',
aud: 'example-project12345',
auth_time: now - 1000,
user_id: "t1aLdTkAs0S0J0P6TNbjwbmry5B3",
sub: "t1aLdTkAs0S0J0P6TNbjwbmry5B3",
user_id: 't1aLdTkAs0S0J0P6TNbjwbmry5B3',
sub: 't1aLdTkAs0S0J0P6TNbjwbmry5B3',
iat: now - 1000,
exp: now + 3000, // + 3s
email: "codehex@hono.js",
email: 'codehex@hono.js',
email_verified: false,
firebase: {
identities: {
email: ["codehex@hono.js"],
email: ['codehex@hono.js'],
},
sign_in_provider: "password",
sign_in_provider: 'password',
},
});
return `${btoa(header)}.${btoa(payload)}.`;
};
})
return `${btoa(header)}.${btoa(payload)}.`
}
interface EmailPassword {
email: string;
password: string;
email: string
password: string
}
export interface signUpResponse {
kind: string;
localId: string;
email: string;
idToken: string;
refreshToken: string;
expiresIn: string;
kind: string
localId: string
email: string
idToken: string
refreshToken: string
expiresIn: string
}
const signUpEmulator = async (
@ -297,36 +290,33 @@ const signUpEmulator = async (
body: EmailPassword
): Promise<signUpResponse> => {
// http://localhost:9099/identitytoolkit.googleapis.com/v1/accounts:signUp?key=dummy
const url = `http://${emulatorHost}/identitytoolkit.googleapis.com/v1/accounts:signUp?key=dummy`;
const url = `http://${emulatorHost}/identitytoolkit.googleapis.com/v1/accounts:signUp?key=dummy`
const resp = await fetch(url, {
method: "POST",
method: 'POST',
headers: {
"Content-Type": "application/json",
'Content-Type': 'application/json',
},
body: JSON.stringify({
...body,
returnSecureToken: true,
}),
});
})
if (resp.status !== 200) {
console.log({ status: resp.status });
throw new Error("error");
console.log({ status: resp.status })
throw new Error('error')
}
return await resp.json();
};
return await resp.json()
}
const deleteAccountEmulator = async (
emulatorHost: string,
projectId: string
): Promise<void> => {
const deleteAccountEmulator = async (emulatorHost: string, projectId: string): Promise<void> => {
// https://firebase.google.com/docs/reference/rest/auth#section-auth-emulator-clearaccounts
const url = `http://${emulatorHost}/emulator/v1/projects/${projectId}/accounts`;
const url = `http://${emulatorHost}/emulator/v1/projects/${projectId}/accounts`
const resp = await fetch(url, {
method: "DELETE",
});
method: 'DELETE',
})
if (resp.status !== 200) {
console.log({ status: resp.status });
throw new Error("error when clear accounts");
console.log({ status: resp.status })
throw new Error('error when clear accounts')
}
return;
};
return
}

18
packages/firebase-auth/tsconfig.json
View File

@ -1,22 +1,6 @@
{
"extends": "../../tsconfig.json",
"compilerOptions": {
"target": "es2020",
"module": "commonjs",
"declaration": true,
"moduleResolution": "Node",
"esModuleInterop": true,
"forceConsistentCasingInFileNames": true,
"strict": true,
"skipLibCheck": true,
"strictPropertyInitialization": true,
"strictNullChecks": true,
"noUnusedLocals": true,
"noUnusedParameters": true,
"types": [
"jest",
"node",
"@cloudflare/workers-types"
],
"rootDir": "./src",
"outDir": "./dist",
},

6691
packages/firebase-auth/yarn.lock
View File

File diff suppressed because it is too large Load Diff

3268
yarn.lock
View File

File diff suppressed because it is too large Load Diff