class FirebaseTokenAuth::Validator

Constants

ISSUER_BASE_URL

Public Instance Methods

extract_kid(id_token) click to toggle source
# File lib/firebase_token_auth/validator.rb, line 19
def extract_kid(id_token)
  decoded = JWT.decode(id_token, nil, false, algorithm: ALGORITHM)
  [decoded[1]['kid'], decoded]
end
validate(project_id, decoded_jwt) click to toggle source
# File lib/firebase_token_auth/validator.rb, line 5
def validate(project_id, decoded_jwt)
  # ref. https://github.com/firebase/firebase-admin-node/blob/488f9318350c6b46af2e93b99907b9a02f170029/src/auth/token-verifier.ts
  payload = decoded_jwt[0]
  header = decoded_jwt[1]
  issuer = ISSUER_BASE_URL + project_id
  raise ValidationError, 'Firebase ID token has no "kid" claim.' unless header['kid']
  raise ValidationError, "Firebase ID token has incorrect algorithm. Expected \"#{ALGORITHM}\" but got \"#{header['alg']}\"." unless header['alg'] == ALGORITHM
  raise ValidationError, "Firebase ID token has incorrect \"aud\" (audience) claim. Expected \"#{project_id}\" but got \"#{payload['aud']}\"." unless payload['aud'] == project_id
  raise ValidationError, "Firebase ID token has \"iss\" (issuer) claim. Expected \"#{issuer}\" but got \"#{payload['iss']}\"." unless payload['iss'] == issuer
  raise ValidationError, 'Firebase ID token has no "sub" (subject) claim.' unless payload['sub'].is_a?(String)
  raise ValidationError, 'Firebase ID token has an empty string "sub" (subject) claim.' if payload['sub'].empty?
  raise ValidationError, 'Firebase ID token has "sub" (subject) claim longer than 128 characters.' if payload['sub'].size > 128
end