Initial commit

Nickforall · Nickforall · commit d81f868fa7ac · 2021-01-08T18:07:31.000+01:00
diff --git a/.formatter.exs b/.formatter.exs
@@ -0,0 +1,4 @@
+# Used by "mix format"
+[
+  inputs: ["{mix,.formatter}.exs", "{config,lib,test}/**/*.{ex,exs}"]
+]
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,30 @@
+# The directory Mix will write compiled artifacts to.
+/_build/
+
+# If you run "mix test --cover", coverage assets end up here.
+/cover/
+
+# The directory Mix downloads your dependencies sources to.
+/deps/
+
+# Where third-party dependencies like ExDoc output generated docs.
+/doc/
+
+# Ignore .fetch files in case you like to edit your project deps locally.
+/.fetch
+
+# If the VM crashes, it generates a dump, let's ignore it too.
+erl_crash.dump
+
+# Also ignore archive artifacts (built via "mix archive.build").
+*.ez
+
+# Ignore package tarball (built via "mix hex.build").
+ex_firebase_auth-*.tar
+
+
+# Temporary files for e.g. tests
+/tmp
+
+# elixir language server
+.elixir_ls/
diff --git a/README.md b/README.md
@@ -0,0 +1,26 @@
+# ExFirebaseAuth
+
+ExFirebaseAuth is a library that handles ID tokens from Firebase, which is useful for using Firebase's auth solution because Firebase does not have an Elixir SDK for auth themselves.
+
+## Installation
+
+If [available in Hex](https://hex.pm/docs/publish), the package can be installed
+by adding `ex_firebase_auth` to your list of dependencies in `mix.exs`:
+
+```elixir
+def deps do
+  [
+    {:ex_firebase_auth, "~> 0.1.0"}
+  ]
+end
+```
+
+And add the Firebase auth issuer name for your project to your `config.exs`.
+
+```elixir
+config :ex_firebase_auth, :issuer, "https://securetoken.google.com/hoody-16c66"
+```
+
+Documentation can be generated with [ExDoc](https://github.com/elixir-lang/ex_doc)
+and published on [HexDocs](https://hexdocs.pm). Once published, the docs can
+be found at [https://hexdocs.pm/ex_firebase_auth](https://hexdocs.pm/ex_firebase_auth).
diff --git a/lib/ex_firebase_auth.ex b/lib/ex_firebase_auth.ex
@@ -0,0 +1,22 @@
+defmodule ExFirebaseAuth do
+  # See http://elixir-lang.org/docs/stable/elixir/Application.html
+  # for more information on OTP Applications
+  @moduledoc false
+
+  use Application
+
+  def start(_type, _args) do
+    import Supervisor.Spec, warn: false
+
+    # Define workers and child supervisors to be supervised
+    children = [
+      {Finch, name: ExFirebaseAuthFinch},
+      {ExFirebaseAuth.KeyStore, name: ExFirebaseAuth.KeyStore}
+    ]
+
+    # See http://elixir-lang.org/docs/stable/elixir/Supervisor.html
+    # for other strategies and supported options
+    opts = [strategy: :one_for_one, name: ExFirebaseAuth.Supervisor]
+    Supervisor.start_link(children, opts)
+  end
+end
diff --git a/lib/key_store.ex b/lib/key_store.ex
@@ -0,0 +1,63 @@
+defmodule ExFirebaseAuth.KeyStore do
+  @moduledoc false
+
+  use GenServer, restart: :transient
+
+  require Logger
+
+  @endpoint_url "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
+
+  def start_link(_) do
+    GenServer.start_link(__MODULE__, %{}, name: ExFirebaseAuth.KeyStore)
+  end
+
+  def init(_) do
+    case fetch_certificates() do
+      # when we could not fetch certs initially the application cannot run because all Auth will fail
+      :error -> {:stop, "Initial certificate fetch failed"}
+      {:ok, data} -> {:ok, data}
+    end
+  end
+
+  # When the refresh `info` is sent, we want to fetch the certificates
+  def handle_info(:refresh, state) do
+    case fetch_certificates() do
+      # keep trying with a lower interval, until then keep the old state
+      :error ->
+        Logger.warn("Fetching firebase auth certificates failed, using old state and retrying...")
+        schedule_refresh(10)
+        {:noreply, state}
+
+      # if everything went okay, refresh at the regular interval and store the returned keys in state
+      {:ok, jsondata} ->
+        Logger.debug("Fetched new firebase auth certificates")
+        schedule_refresh()
+        {:noreply, jsondata}
+    end
+  end
+
+  # Use a {:get, id} call to get the JWK struct of the certificate with the given key id. Returns nil if not found
+  # Usage: `GenServer.call(ExFirebaseAuth.KeyStore, {:get, keyid})`
+  def handle_call({:get, key_id}, _from, state) do
+    case Map.get(state, key_id) do
+      nil -> {:reply, nil, state}
+      key -> {:reply, JOSE.JWK.from_pem(key), state}
+    end
+  end
+
+  defp schedule_refresh(after_s \\ 3600) do
+    Process.send_after(self(), :refresh, after_s * 1000)
+  end
+
+  # Fetch certificates from google's endpoint
+  defp fetch_certificates do
+    with {:ok, %Finch.Response{body: body}} <-
+           Finch.build(:get, @endpoint_url) |> Finch.request(ExFirebaseAuthFinch),
+         {:ok, jsondata} <- Jason.decode(body) do
+      {:ok, jsondata}
+    else
+      _ ->
+        :error
+    end
+  end
+end
diff --git a/lib/token.ex b/lib/token.ex
@@ -0,0 +1,33 @@
+defmodule ExFirebaseAuth.Token do
+  defp get_public_key(keyid) do
+    GenServer.call(ExFirebaseAuth.KeyStore, {:get, keyid})
+  end
+
+  @spec verify_token(binary) ::
+          {:error, binary} | {:ok, binary(), JOSE.JWT.t()}
+  @doc """
+  Verifies a token agains google's public keys. Returns {:ok, sub, data} if successful. {:error, _} otherwise.
+  """
+  def verify_token(token_string) do
+    issuer = Application.fetch_env!(:ex_firebase_auth, :issuer)
+
+    with {:jwtheader, %{fields: %{"kid" => kid}}} <-
+           {:jwtheader, JOSE.JWT.peek_protected(token_string)},
+         # read key from store
+         {:key, %JOSE.JWK{} = key} <- {:key, get_public_key(kid)},
+         # check if verify returns true and issuer matches
+         {:verify, {true, %{fields: %{"iss" => ^issuer, "sub" => sub}} = data, _}} <-
+           {:verify, JOSE.JWT.verify(key, token_string)} do
+      {:ok, sub, data}
+    else
+      {:jwtheader, _} ->
+        {:error, "Invalid JWT header, `kid` missing"}
+
+      {:key, _} ->
+        {:error, "Public key retrieved from google could not be parsed"}
+
+      {:verify, _} ->
+        {:error, "None of public keys matched auth token's key ids"}
+    end
+  end
+end
diff --git a/mix.exs b/mix.exs
@@ -0,0 +1,31 @@
+defmodule ExFirebaseAuth.MixProject do
+  use Mix.Project
+
+  def project do
+    [
+      app: :ex_firebase_auth,
+      version: "0.1.0",
+      elixir: "~> 1.11",
+      start_permanent: Mix.env() == :prod,
+      deps: deps()
+    ]
+  end
+
+  # Run "mix help compile.app" to learn about applications.
+  def application do
+    [
+      mod: {ExFirebaseAuth, []},
+      extra_applications: [:logger],
+      registered: [ExFirebaseAuth.KeyStore]
+    ]
+  end
+
+  # Run "mix help deps" to learn about dependencies.
+  defp deps do
+    [
+      {:jose, "~> 1.10"},
+      {:finch, "~> 0.3.1"},
+      {:jason, "~> 1.2.2"}
+    ]
+  end
+end
diff --git a/mix.lock b/mix.lock
@@ -0,0 +1,10 @@
+%{
+  "castore": {:hex, :castore, "0.1.8", "1b61eaba71bb755b756ac42d4741f4122f8beddb92456a84126d6177ec0af1fc", [:mix], [], "hexpm", "23ab8305baadb057bc689adc0088309f808cb2247dc9a48b87849bb1d242bb6c"},
+  "finch": {:hex, :finch, "0.3.2", "993dddb23cd9b50ad395ed994b317c7ce2c095e6017ffd5a5b65abdb5b7e5d1c", [:mix], [{:castore, "~> 0.1.5", [hex: :castore, repo: "hexpm", optional: false]}, {:mint, "~> 1.0", [hex: :mint, repo: "hexpm", optional: false]}, {:nimble_options, "~> 0.2.0", [hex: :nimble_options, repo: "hexpm", optional: false]}, {:nimble_pool, "~> 0.1.0", [hex: :nimble_pool, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "85be155ad3f6a1d806610f2b83e054d3201dc2fd1c4e97d47f40687ad877193a"},
+  "jason": {:hex, :jason, "1.2.2", "ba43e3f2709fd1aa1dce90aaabfd039d000469c05c56f0b8e31978e03fa39052", [:mix], [{:decimal, "~> 1.0 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm", "18a228f5f0058ee183f29f9eae0805c6e59d61c3b006760668d8d18ff0d12179"},
+  "jose": {:hex, :jose, "1.11.1", "59da64010c69aad6cde2f5b9248b896b84472e99bd18f246085b7b9fe435dcdb", [:mix, :rebar3], [], "hexpm", "078f6c9fb3cd2f4cfafc972c814261a7d1e8d2b3685c0a76eb87e158efff1ac5"},
+  "mint": {:hex, :mint, "1.2.0", "65e9d75c60c456a5fb1b800febb88f061f56157d103d755b99fcaeaeb3e956f3", [:mix], [{:castore, "~> 0.1.0", [hex: :castore, repo: "hexpm", optional: true]}], "hexpm", "19cbb3a5be91b7df4a35377ba94b26199481a541add055cf5d1d4299b55125ab"},
+  "nimble_options": {:hex, :nimble_options, "0.2.1", "7eac99688c2544d4cc3ace36ee8f2bf4d738c14d031bd1e1193aab096309d488", [:mix], [], "hexpm", "ca48293609306791ce2634818d849b7defe09330adb7e4e1118a0bc59bed1cf4"},
+  "nimble_pool": {:hex, :nimble_pool, "0.1.0", "ffa9d5be27eee2b00b0c634eb649aa27f97b39186fec3c493716c2a33e784ec6", [:mix], [], "hexpm", "343a1eaa620ddcf3430a83f39f2af499fe2370390d4f785cd475b4df5acaf3f9"},
+  "telemetry": {:hex, :telemetry, "0.4.2", "2808c992455e08d6177322f14d3bdb6b625fbcfd233a73505870d8738a2f4599", [:rebar3], [], "hexpm", "2d1419bd9dda6a206d7b5852179511722e2b18812310d304620c7bd92a13fcef"},
+}
diff --git a/test/ex_firebase_auth_test.exs b/test/ex_firebase_auth_test.exs
@@ -0,0 +1,3 @@
+defmodule ExFirebaseAuthTest do
+  use ExUnit.Case
+end
diff --git a/test/test_helper.exs b/test/test_helper.exs
@@ -0,0 +1 @@
+ExUnit.start()

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+defmodule ExFirebaseAuthTest do`
	`2`	`+ use ExUnit.Case`
	`3`	`+end`