Class: FirebaseIdToken::Signature

Inherits: Object
Defined in:
lib/firebase_id_token/signature.rb

Overview

Deals with verifying whether a given Firebase ID Token is signed by one of Google's x509 certificates that Firebase uses.

Also checks the following claims of the resulting JWT payload hash:

  • exp Expiration time
  • iat Issued at time
  • User's Firebase Project ID
  • Non-empty UID

Verifying a Firebase ID Token

Be sure to configure the gem with your Firebase Project ID and a Redis server before going any further.

See the README for a complete guide.

WARNING: Trying to verify a token without any certificate saved in the Redis certificates database raises an Exceptions::NoCertificatesError.

Examples:

FirebaseIdToken::Signature.verify(thrusty_token)
=> {"iss"=>"https://securetoken.google.com/your-project-id", [...]}

FirebaseIdToken::Signature.verify(fake_token)
=> nil

Constant Summary

JWT_DEFAULTS = { algorithm: 'RS256', verify_iat: true }

Default JWT algorithm parameters, as recommended here.

Constructor Details

#initialize(jwt_token) ⇒ Signature

Loads attributes: :project_ids from Configuration, and :kid and :jwt_token from the given jwt_token.

Parameters:

  • jwt_token (String)

    Firebase ID Token


53
54
55
56
57
# File 'lib/firebase_id_token/signature.rb', line 53

def initialize(jwt_token)
  @project_ids = FirebaseIdToken.configuration.project_ids
  @kid = extract_kid(jwt_token)
  @jwt_token = jwt_token
end

Class Method Details

.verify(jwt_token) ⇒ nil, Hash

Returns the decoded JWT payload hash of the Firebase ID Token if the token's signature matches one of the certificates downloaded by Certificates.request; returns nil otherwise.

It also returns nil when any of the required JWT fields fails validation, as recommended here by the official Firebase documentation.

Note that it raises an Exceptions::NoCertificatesError if the Redis certificates database is empty. Be sure to call Certificates.request beforehand, ideally in a background job if you are using Rails.

Returns:

  • (nil, Hash)

# File 'lib/firebase_id_token/signature.rb', line 46

def self.verify(jwt_token)
  new(jwt_token).verify
end

Instance Method Details

#verify ⇒ Object
# File 'lib/firebase_id_token/signature.rb', line 60

def verify
  certificate = FirebaseIdToken::Certificates.find(@kid)
  if certificate
    payload = decode_jwt_payload(@jwt_token, certificate.public_key)
    authorize payload
  end
end
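The flow of #verify above (pick the certificate by kid, check the RS256 signature, then check the claims), as an added stand-alone example that is not the gem's code: it uses only Ruby's OpenSSL and JSON standard libraries, a constructed in-memory certs hash stands in for the Redis certificate store, and authorize implements the claim checks listed in the Overview (the gem's own decode_jwt_payload and authorize are private and not shown on this page, so the names here are assumptions).

```ruby
require 'openssl'
require 'json'
# JWT defaults mirrored from the page: RS256 with issued-at checking.
JWT_ALG = 'RS256'
ISSUER_PREFIX = 'https://securetoken.google.com/'

def b64url_encode(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  (padded + '=' * ((4 - padded.length % 4) % 4)).unpack1('m0')
end
# Constructed signer standing in for Google's issuing key; demo only.
def sign_token(payload, private_key, kid)
  header = { alg: JWT_ALG, typ: 'JWT', kid: kid }
  input = [b64url_encode(JSON.generate(header)), b64url_encode(JSON.generate(payload))].join('.')
  sig = private_key.sign(OpenSSL::Digest.new('SHA256'), input)
  "#{input}.#{b64url_encode(sig)}"
end

# Signature step: look up the certificate by `kid`, verify RS256, return claims or nil.
def verify_signature(token, certs)
  head, body, sig, extra = token.split('.')
  return nil if extra || sig.nil?
  header = JSON.parse(b64url_decode(head))
  pub = certs[header['kid']]
  return nil unless header['alg'] == JWT_ALG && pub
  ok = pub.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(sig), "#{head}.#{body}")
  ok ? JSON.parse(b64url_decode(body)) : nil
rescue OpenSSL::PKey::PKeyError, JSON::ParserError, ArgumentError
  nil
end

# Claim checks listed in the Overview: exp, iat, project ID (aud/iss), non-empty sub.
def authorize(payload, project_ids, now = Time.now.to_i)
  return nil unless payload['exp'].is_a?(Integer) && payload['exp'] > now
  return nil unless payload['iat'].is_a?(Integer) && payload['iat'] <= now
  return nil unless project_ids.include?(payload['aud'])
  return nil unless payload['iss'] == ISSUER_PREFIX + payload['aud']
  return nil if payload['sub'].to_s.empty?
  payload
end

def verify(token, certs, project_ids, now = Time.now.to_i)
  payload = verify_signature(token, certs)
  payload && authorize(payload, project_ids, now)
end
```

A token signed with a different key, carrying an unknown kid, expired, issued for another project, or with an empty sub all return nil, mirroring the fake_token example in the Overview.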