Class: Eld::Authenticator

Inherits:

Object

• Object
• Eld::Authenticator

Defined in:

lib/eld/authenticator.rb

Constant Summary

GOOGLE_ISS =

"https://securetoken.google.com"

Instance Method Summary

• #authenticate(token) ⇒ Object
• #decode_token(token, public_key) ⇒ Object
• #handle_error(_error) ⇒ Object
• #initialize(firebase_id:) ⇒ Authenticator constructor

  Glossary: #.

• #respond(decoded_token) ⇒ Object
• #valid_firebase_id?(decoded_token) ⇒ Boolean
• #valid_sub?(decoded_token) ⇒ Boolean
• #valid_token?(decoded_token) ⇒ Boolean

Constructor Details

#initialize(firebase_id:) ⇒ Authenticator

Glossary: #

exp Expiration time Must be in the future. The time is measured in seconds since the UNIX epoch. iat Issued-at time Must be in the past. The time is measured in seconds since the UNIX epoch. aud Audience Must be your Firebase project ID, the unique identifier for your Firebase project, which can be found in the URL of that project’s console. iss Issuer Must be “securetoken.google.com/<projectId>”, where <projectId> is the same project ID used for aud above. sub Subject Must be a non-empty string and must be the uid of the user or device. auth_time Authentication time Must be in the past. The time when the user authenticated.

# File 'lib/eld/authenticator.rb', line 23

def initialize(firebase_id:)
  @firebase_id = Array(firebase_id)
end

Instance Method Details

#authenticate(token) ⇒ Object

# File 'lib/eld/authenticator.rb', line 27

def authenticate(token)
  return false if token.nil? || token.empty?

  kid = JWT.decode(token, nil, false).last["kid"]

  certificate = Eld::Certificate.find(kid)

  decoded_token = decode_token(token, certificate.public_key)

  valid_token?(decoded_token) && respond(decoded_token)
rescue JWT::DecodeError => e
  handle_error(e)
end

#decode_token(token, public_key) ⇒ Object

# File 'lib/eld/authenticator.rb', line 41

def decode_token(token, public_key)
  JWT.decode(
    token,
    public_key,
    true,
    algorithm: "RS256",
    verify_expiration: false # we verify this manually
  ).first
end

#handle_error(_error) ⇒ Object

# File 'lib/eld/authenticator.rb', line 78

def handle_error(_error)
  false
end

#respond(decoded_token) ⇒ Object

# File 'lib/eld/authenticator.rb', line 74

def respond(decoded_token)
  decoded_token
end

#valid_firebase_id?(decoded_token) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/eld/authenticator.rb', line 68

def valid_firebase_id?(decoded_token)
  @firebase_id.any? do |id|
    decoded_token["aud"] == id && decoded_token["iss"] == "#{GOOGLE_ISS}/#{id}"
  end
end

#valid_sub?(decoded_token) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/eld/authenticator.rb', line 62

def valid_sub?(decoded_token)
  !decoded_token["sub"].nil? &&
  !decoded_token["sub"].empty? &&
  decoded_token["sub"] == decoded_token["user_id"]
end

#valid_token?(decoded_token) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/eld/authenticator.rb', line 51

def valid_token?(decoded_token)
  current_time = Time.now.utc.to_i

  !decoded_token.empty? &&
  decoded_token["exp"].to_i > current_time &&
  decoded_token["iat"].to_i < current_time &&
  decoded_token["auth_time"].to_i < current_time &&
  valid_sub?(decoded_token) &&
  valid_firebase_id?(decoded_token)
end