codebase/integrating-firebase-authentication-with-spring-security [BAEL-8543] (#17466)

* adding module skeleton

* adding firebase auth configuration bean

* externalizing configuration properties

* adding firebase auth client for login

* adding user account creation functionality

* adding security configuration

* adding user record retrieve functionality

* exposing API endpoints

* fix: user-id extraction in auth filter

* adding API exception handler

* adding live tests

* removing @ConfigurationProperties

* updating FirebaseAuthClient

* moving codebase to gcp-firebase module

* incorporating review comments

* adding refresh token functionality

* adding refresh token test cases

* returning custom error message from auth filter

* minor polishing

Author: hardikSinghBehl

gcp-firebase/pom.xml

@@ -21,6 +21,10 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-configuration-processor</artifactId>
@@ -37,6 +41,11 @@
             <version>${instancio.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-test</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>
@@ -53,6 +62,7 @@
 
     <properties>
         <java.version>17</java.version>
+        <spring-boot.version>3.3.0</spring-boot.version>
         <firebase-admin.version>9.3.0</firebase-admin.version>
         <instancio.version>5.0.1</instancio.version>
     </properties>

gcp-firebase/src/main/java/com/baeldung/gcp/firebase/auth/AccountAlreadyExistsException.java

@@ -0,0 +1,12 @@
+package com.baeldung.gcp.firebase.auth;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.server.ResponseStatusException;
+
+public class AccountAlreadyExistsException extends ResponseStatusException {
+
+    public AccountAlreadyExistsException(String reason) {
+        super(HttpStatus.CONFLICT, reason);
+    }
+
+}

gcp-firebase/src/main/java/com/baeldung/gcp/firebase/auth/ApiExceptionHandler.java

@@ -0,0 +1,33 @@
+package com.baeldung.gcp.firebase.auth;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ProblemDetail;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.bind.annotation.RestControllerAdvice;
+import org.springframework.web.server.ResponseStatusException;
+import org.springframework.web.servlet.mvc.method.annotation.ResponseEntityExceptionHandler;
+
+@RestControllerAdvice
+public class ApiExceptionHandler extends ResponseEntityExceptionHandler {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(ApiExceptionHandler.class);
+
+    @ExceptionHandler(ResponseStatusException.class)
+    public ProblemDetail handle(ResponseStatusException exception) {
+        log(exception);
+        return ProblemDetail.forStatusAndDetail(exception.getStatusCode(), exception.getReason());
+    }
+
+    @ExceptionHandler(Exception.class)
+    public ProblemDetail handle(Exception exception) {
+        log(exception);
+        return ProblemDetail.forStatusAndDetail(HttpStatus.NOT_IMPLEMENTED, "Something went wrong.");
+    }
+
+    private void log(Exception exception) {
+        LOGGER.error("Exception encountered: {}", exception.getMessage(), exception);
+    }
+
+}

gcp-firebase/src/main/java/com/baeldung/gcp/firebase/auth/Application.java

@@ -0,0 +1,13 @@
+package com.baeldung.gcp.firebase.auth;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class Application {
+
+    public static void main(String[] args) {
+        SpringApplication.run(Application.class, args);
+    }
+
+}

gcp-firebase/src/main/java/com/baeldung/gcp/firebase/auth/AuthenticatedUserIdProvider.java

@@ -0,0 +1,20 @@
+package com.baeldung.gcp.firebase.auth;
+
+import java.util.Optional;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+
+@Component
+public class AuthenticatedUserIdProvider {
+
+    public String getUserId() {
+        return Optional.ofNullable(SecurityContextHolder.getContext().getAuthentication())
+            .map(Authentication::getPrincipal)
+            .filter(String.class::isInstance)
+            .map(String.class::cast)
+            .orElseThrow(IllegalStateException::new);
+    }
+
+}

gcp-firebase/src/main/java/com/baeldung/gcp/firebase/auth/FirebaseAuthClient.java

@@ -0,0 +1,87 @@
+package com.baeldung.gcp.firebase.auth;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.MediaType;
+import org.springframework.stereotype.Component;
+import org.springframework.web.client.HttpClientErrorException;
+import org.springframework.web.client.RestClient;
+
+@Component
+public class FirebaseAuthClient {
+
+    private static final String API_KEY_PARAM = "key";
+    private static final String REFRESH_TOKEN_GRANT_TYPE = "refresh_token";
+
+    private static final String INVALID_CREDENTIALS_ERROR = "INVALID_LOGIN_CREDENTIALS";
+    private static final String INVALID_REFRESH_TOKEN_ERROR = "INVALID_REFRESH_TOKEN";
+
+    private static final String SIGN_IN_BASE_URL = "https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword";
+    private static final String REFRESH_TOKEN_BASE_URL = "https://securetoken.googleapis.com/v1/token";
+
+    private final String webApiKey;
+
+    public FirebaseAuthClient(@Value("${com.baeldung.firebase.web-api-key}") String webApiKey) {
+        this.webApiKey = webApiKey;
+    }
+
+    public FirebaseSignInResponse login(String emailId, String password) {
+        FirebaseSignInRequest requestBody = new FirebaseSignInRequest(emailId, password, true);
+        return sendSignInRequest(requestBody);
+    }
+
+    public RefreshTokenResponse exchangeRefreshToken(String refreshToken) {
+        RefreshTokenRequest requestBody = new RefreshTokenRequest(REFRESH_TOKEN_GRANT_TYPE, refreshToken);
+        return sendRefreshTokenRequest(requestBody);
+    }
+
+    private FirebaseSignInResponse sendSignInRequest(FirebaseSignInRequest firebaseSignInRequest) {
+        try {
+            return RestClient.create(SIGN_IN_BASE_URL)
+                .post()
+                .uri(uriBuilder -> uriBuilder
+                    .queryParam(API_KEY_PARAM, webApiKey)
+                    .build())
+                .body(firebaseSignInRequest)
+                .contentType(MediaType.APPLICATION_JSON)
+                .retrieve()
+                .body(FirebaseSignInResponse.class);
+        } catch (HttpClientErrorException exception) {
+            if (exception.getResponseBodyAsString().contains(INVALID_CREDENTIALS_ERROR)) {
+                throw new InvalidLoginCredentialsException("Invalid login credentials provided");
+            }
+            throw exception;
+        }
+    }
+
+    private RefreshTokenResponse sendRefreshTokenRequest(RefreshTokenRequest refreshTokenRequest) {
+        try {
+            return RestClient.create(REFRESH_TOKEN_BASE_URL)
+                .post()
+                .uri(uriBuilder -> uriBuilder
+                    .queryParam(API_KEY_PARAM, webApiKey)
+                    .build())
+                .body(refreshTokenRequest)
+                .contentType(MediaType.APPLICATION_JSON)
+                .retrieve()
+                .body(RefreshTokenResponse.class);
+        } catch (HttpClientErrorException exception) {
+            if (exception.getResponseBodyAsString().contains(INVALID_REFRESH_TOKEN_ERROR)) {
+                throw new InvalidRefreshTokenException("Invalid refresh token provided");
+            }
+            throw exception;
+        }
+    }
+
+    record FirebaseSignInRequest(String email, String password, boolean returnSecureToken) {
+    }
+
+    record FirebaseSignInResponse(String idToken, String refreshToken) {
+    }
+
+    record RefreshTokenRequest(String grant_type, String refresh_token) {
+    }
+
+    record RefreshTokenResponse(String id_token) {
+    }
+
+}

gcp-firebase/src/main/java/com/baeldung/gcp/firebase/auth/FirebaseAuthConfiguration.java

@@ -0,0 +1,37 @@
+package com.baeldung.gcp.firebase.auth;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.io.Resource;
+
+import com.google.auth.oauth2.GoogleCredentials;
+import com.google.firebase.FirebaseApp;
+import com.google.firebase.FirebaseOptions;
+import com.google.firebase.auth.FirebaseAuth;
+
+@Configuration
+public class FirebaseAuthConfiguration {
+
+    @Value("classpath:/private-key.json")
+    private Resource privateKey;
+
+    @Bean
+    public FirebaseApp firebaseApp() throws IOException {
+        InputStream credentials = new ByteArrayInputStream(privateKey.getContentAsByteArray());
+        FirebaseOptions firebaseOptions = FirebaseOptions.builder()
+            .setCredentials(GoogleCredentials.fromStream(credentials))
+            .build();
+        return FirebaseApp.initializeApp(firebaseOptions);
+    }
+
+    @Bean
+    public FirebaseAuth firebaseAuth(FirebaseApp firebaseApp) {
+        return FirebaseAuth.getInstance(firebaseApp);
+    }
+
+}

gcp-firebase/src/main/java/com/baeldung/gcp/firebase/auth/InvalidLoginCredentialsException.java

@@ -0,0 +1,12 @@
+package com.baeldung.gcp.firebase.auth;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.server.ResponseStatusException;
+
+public class InvalidLoginCredentialsException extends ResponseStatusException {
+
+    public InvalidLoginCredentialsException(String reason) {
+        super(HttpStatus.UNAUTHORIZED, reason);
+    }
+
+}

gcp-firebase/src/main/java/com/baeldung/gcp/firebase/auth/InvalidRefreshTokenException.java

@@ -0,0 +1,12 @@
+package com.baeldung.gcp.firebase.auth;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.server.ResponseStatusException;
+
+public class InvalidRefreshTokenException extends ResponseStatusException {
+
+    public InvalidRefreshTokenException(String reason) {
+        super(HttpStatus.FORBIDDEN, reason);
+    }
+
+}

gcp-firebase/src/main/java/com/baeldung/gcp/firebase/auth/SecurityConfiguration.java

@@ -0,0 +1,35 @@
+package com.baeldung.gcp.firebase.auth;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+@Configuration
+public class SecurityConfiguration {
+
+    private static final String[] WHITELISTED_API_ENDPOINTS = { "/user", "/user/login", "/user/refresh-token" };
+
+    private final TokenAuthenticationFilter tokenAuthenticationFilter;
+
+    public SecurityConfiguration(TokenAuthenticationFilter tokenAuthenticationFilter) {
+        this.tokenAuthenticationFilter = tokenAuthenticationFilter;
+    }
+
+    @Bean
+    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
+        http
+            .authorizeHttpRequests(authManager -> {
+                authManager.requestMatchers(HttpMethod.POST, WHITELISTED_API_ENDPOINTS)
+                    .permitAll()
+                    .anyRequest()
+                    .authenticated();
+            })
+            .addFilterBefore(tokenAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
+
+        return http.build();
+    }
+
+}

gcp-firebase/src/main/java/com/baeldung/gcp/firebase/auth/TokenAuthenticationFilter.java

@@ -0,0 +1,80 @@
+package com.baeldung.gcp.firebase.auth;
+
+import java.io.IOException;
+import java.util.Optional;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.http.ProblemDetail;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.firebase.auth.FirebaseAuth;
+import com.google.firebase.auth.FirebaseAuthException;
+import com.google.firebase.auth.FirebaseToken;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+@Component
+public class TokenAuthenticationFilter extends OncePerRequestFilter {
+
+    private static final String BEARER_PREFIX = "Bearer ";
+    private static final String USER_ID_CLAIM = "user_id";
+    private static final String AUTHORIZATION_HEADER = "Authorization";
+
+    private final FirebaseAuth firebaseAuth;
+    private final ObjectMapper objectMapper;
+
+    public TokenAuthenticationFilter(FirebaseAuth firebaseAuth, ObjectMapper objectMapper) {
+        this.firebaseAuth = firebaseAuth;
+        this.objectMapper = objectMapper;
+    }
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+            throws IOException, ServletException {
+        String authorizationHeader = request.getHeader(AUTHORIZATION_HEADER);
+
+        if (authorizationHeader != null && authorizationHeader.startsWith(BEARER_PREFIX)) {
+            String token = authorizationHeader.replace(BEARER_PREFIX, "");
+            Optional<String> userId = extractUserIdFromToken(token);
+
+            if (userId.isPresent()) {
+                var authentication = new UsernamePasswordAuthenticationToken(userId.get(), null, null);
+                authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
+                SecurityContextHolder.getContext().setAuthentication(authentication);
+            } else {
+                setAuthErrorDetails(response);
+                return;
+            }
+        }
+        filterChain.doFilter(request, response);
+    }
+
+    private Optional<String> extractUserIdFromToken(String token) {
+        try {
+            FirebaseToken firebaseToken = firebaseAuth.verifyIdToken(token, true);
+            String userId = String.valueOf(firebaseToken.getClaims().get(USER_ID_CLAIM));
+            return Optional.of(userId);
+        } catch (FirebaseAuthException exception) {
+            return Optional.empty();
+        }
+    }
+
+    private void setAuthErrorDetails(HttpServletResponse response) throws JsonProcessingException, IOException {
+        HttpStatus unauthorized = HttpStatus.UNAUTHORIZED;
+        response.setStatus(unauthorized.value());
+        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+        ProblemDetail problemDetail = ProblemDetail.forStatusAndDetail(unauthorized, "Authentication failure: Token missing, invalid or expired");
+        response.getWriter().write(objectMapper.writeValueAsString(problemDetail));
+    }
+
+}