Initial commit

Author: CaptainCodeman

.gitignore

@@ -0,0 +1 @@
+app/firebase-credentials.json

app/app.go

@@ -0,0 +1,73 @@
+package main
+
+import (
+	"net/http"
+
+	"github.com/captaincodeman/go-firebase"
+	"github.com/rs/cors"
+	"google.golang.org/appengine"
+	"google.golang.org/appengine/log"
+)
+
+var auth *firebase.Auth
+
+func init() {
+	// default firebase app, uses firebase-credentials.json file
+	fb, _ := firebase.New()
+	auth = fb.Auth()
+
+	// for calling remotely from our front-end
+	c := cors.New(cors.Options{
+		AllowedOrigins: []string{"*"},
+		AllowedHeaders: []string{"Authorization"},
+	})
+	mux := c.Handler(http.HandlerFunc(handler))
+	http.Handle("/", mux)
+}
+
+func handler(w http.ResponseWriter, r *http.Request) {
+	ctx := appengine.NewContext(r)
+
+	// allow authorization token to be sent in querystring (which
+	// would avoid a CORS preflight OPTIONS request) or using the
+	// Authorization http header (in the format "Bearer token")
+	authorization, err := firebase.AuthorizationFromRequest(r)
+	if err != nil {
+		log.Errorf(ctx, "AuthorizationFromRequest %v", err)
+		http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+		return
+	}
+
+	// check that it's valid
+	token, err := auth.VerifyIDToken(ctx, authorization)
+	if err != nil {
+		log.Errorf(ctx, "VerifyIDToken %v", err)
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	// get the firebase user id
+	userID, _ := token.UID()
+
+	// Here is where we'd lookup the user and set the custom claims
+	// that we want to be added to the token we're going to produce
+	developerClaims := make(firebase.Claims)
+	developerClaims["uid"] = 1 // our internal system id
+	developerClaims["roles"] = []string{
+		"admin",
+		"operator",
+	}
+
+	// mint a custom token
+	tokenString, err := auth.CreateCustomToken(userID, &developerClaims)
+	if err != nil {
+		log.Errorf(ctx, "CreateCustomToken %v", err)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	// TODO: set headers for no-cacheability
+
+	// write it as text
+	w.Write([]byte(tokenString))
+}

app/app.yaml

@@ -0,0 +1,9 @@
+project: captain-codeman
+service: auth
+version: 20161120
+runtime: go
+api_version: go1
+
+handlers:
+- url: /.*
+  script: _go_app

appengine_hook.go

@@ -0,0 +1,20 @@
+// +build appengine
+
+// App Engine hooks.
+
+package firebase
+
+import (
+	"net/http"
+
+	"golang.org/x/net/context"
+	"google.golang.org/appengine/urlfetch"
+)
+
+func init() {
+	RegisterContextClientFunc(contextClientAppEngine)
+}
+
+func contextClientAppEngine(ctx context.Context) (*http.Client, error) {
+	return urlfetch.Client(ctx), nil
+}

auth.go

@@ -0,0 +1,25 @@
+package firebase
+
+import (
+	"time"
+
+	"github.com/SermoDigital/jose/jwt"
+)
+
+const (
+	// Audience to use for Firebase Auth Custom tokens
+	firebaseAudienceURL = "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"
+
+	// expiry leeway.
+	acceptableExpSkew = 300 * time.Second
+)
+
+type (
+	claims struct {
+		jwt.Claims
+	}
+
+	Auth struct {
+		app *App
+	}
+)

certs.go

@@ -0,0 +1,147 @@
+package firebase
+
+import (
+	"fmt"
+	"io"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"net/http"
+
+	"golang.org/x/net/context"
+)
+
+const (
+	defaultCertsCacheTime = 1 * time.Hour
+
+	// URL containing the public keys for the Google certs
+	clientCertURL = "https://www.googleapis.com/robot/v1/metadata/x509/[email protected]"
+)
+
+type (
+	certificateStore struct {
+		sync.RWMutex
+		url   string
+		certs map[string]*x509.Certificate
+		exp   time.Time
+	}
+)
+
+var (
+	certs *certificateStore
+)
+
+func init() {
+	certs = newCertificateStore("")
+}
+
+func newCertificateStore(url string) *certificateStore {
+	if url == "" {
+		url = clientCertURL
+	}
+	return &certificateStore{
+		url: url,
+	}
+}
+
+func (c *certificateStore) Get(ctx context.Context, kid string) (*x509.Certificate, error) {
+	if err := c.ensureLoaded(ctx); err != nil {
+		return nil, err
+	}
+
+	c.RLock()
+	defer c.RUnlock()
+
+	cert, found := c.certs[kid]
+	if !found {
+		return nil, fmt.Errorf("certificate not found for key ID: %s", kid)
+	}
+	return cert, nil
+}
+
+func (c *certificateStore) ensureLoaded(ctx context.Context) error {
+	c.RLock()
+	if c.exp.After(clock.Now()) {
+		c.RUnlock()
+		return nil
+	}
+	c.RUnlock()
+
+	certs, cacheTime, err := c.download(ctx)
+	if err != nil {
+		return err
+	}
+
+	c.Lock()
+	defer c.Unlock()
+	c.certs = certs
+	c.exp = clock.Now().Add(cacheTime)
+	return nil
+}
+
+// TODO: pass in transport, provide appengine stub to automatically get it from context
+func (c *certificateStore) download(ctx context.Context) (map[string]*x509.Certificate, time.Duration, error) {
+	client, err := ContextClient(ctx)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	resp, err := client.Get(c.url)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return nil, 0, fmt.Errorf("download %s fails: %s", c.url, resp.Status)
+	}
+	certs, err := parse(resp.Body)
+	if err != nil {
+		return nil, 0, err
+	}
+	return certs, cacheTime(resp), nil
+}
+
+// parse parses the certificates response in JSON format.
+// The response has the format:
+// {
+//   "kid1": "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----",
+//   "kid2": "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----",
+// }
+func parse(r io.Reader) (map[string]*x509.Certificate, error) {
+	m := make(map[string]string)
+	dec := json.NewDecoder(r)
+	if err := dec.Decode(&m); err != nil {
+		return nil, err
+	}
+	certs := make(map[string]*x509.Certificate)
+	for k, v := range m {
+		block, _ := pem.Decode([]byte(v))
+		c, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			return nil, err
+		}
+		certs[k] = c
+	}
+	return certs, nil
+}
+
+// cacheTime extracts the cache time from the HTTP response header.
+// A default cache time is returned if extraction fails.
+func cacheTime(resp *http.Response) time.Duration {
+	cc := strings.Split(resp.Header.Get("Cache-Control"), ",")
+	const maxAge = "max-age="
+	for _, c := range cc {
+		c = strings.TrimSpace(c)
+		if strings.HasPrefix(c, maxAge) {
+			if d, err := strconv.Atoi(c[len(maxAge):]); err == nil {
+				return time.Duration(d) * time.Second
+			}
+		}
+	}
+	return defaultCertsCacheTime
+}

certs_test.go

@@ -0,0 +1,34 @@
+package firebase
+
+import (
+	"testing"
+	"time"
+
+	"google.golang.org/appengine/aetest"
+)
+
+func TestCertificateStore(t *testing.T) {
+	ctx, done, err := aetest.NewContext()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer done()
+
+	store := newCertificateStore("")
+
+	cert, err := store.Get(ctx, "09712c9531f921fce0118dba9441de0ed4f408f7")
+	if err != nil {
+		t.Error(err)
+	}
+	t.Logf("cert 1 %v", cert.AuthorityKeyId)
+
+	nowFunc = func() time.Time {
+		return time.Date(2000, 12, 15, 17, 8, 00, 0, time.UTC)
+	}
+
+	cert, err = store.Get(ctx, "09712c9531f921fce0118dba9441de0ed4f408f7")
+	if err != nil {
+		t.Error(err)
+	}
+	t.Logf("cert 2 %v", cert.AuthorityKeyId)
+}

claims.go

@@ -0,0 +1,6 @@
+package firebase
+
+// Claims to be stored in a custom token (and made available to security rules
+// in Database, Storage, etc.).  These must be serializable to JSON
+// (e.g. contains only Maps, Arrays, Strings, Booleans, Numbers, etc.).
+type Claims map[string]interface{}

config.go

@@ -0,0 +1,44 @@
+package firebase
+
+type (
+	// Config stores firebase app configuration settings
+	Config struct {
+		Name            string
+		Credentials     *Credentials
+		CredentialsPath string
+	}
+
+	// Option is the signature for configuration options
+	Option func(*Config) error
+)
+
+func defaultConfig() *Config {
+	return &Config{
+		Name:            defaultAppName,
+		CredentialsPath: "firebase-credentials.json",
+	}
+}
+
+// WithName sets the name of the app
+func WithName(name string) func(*Config) error {
+	return func(c *Config) error {
+		c.Name = normalizeName(name)
+		return nil
+	}
+}
+
+// WithCredentialsPath sets the path to load credentials from
+func WithCredentialsPath(path string) func(*Config) error {
+	return func(c *Config) error {
+		c.CredentialsPath = path
+		return nil
+	}
+}
+
+// WithCredentials sets the credentials
+func WithCredentials(creds *Credentials) func(*Config) error {
+	return func(c *Config) error {
+		c.Credentials = creds
+		return nil
+	}
+}