added login with session cookie example

Author: Code-Hex

example/index.ts

@@ -1,5 +1,8 @@
 import { Hono } from 'hono';
-import { Auth, emulatorHost, WorkersKVStoreSingle } from '../src';
+import { getCookie, setCookie } from 'hono/cookie';
+import { csrf } from 'hono/csrf';
+import { html } from 'hono/html';
+import { Auth, EmulatorCredential, emulatorHost, WorkersKVStoreSingle } from '../src';
 
 type Env = {
   EMAIL_ADDRESS: string;
@@ -52,4 +55,142 @@ app.post('/verify-header', async c => {
   });
 });
 
+app.use('/admin/*', csrf());
+
+app.get('/admin/login', async c => {
+  const content = await html`<html>
+    <head>
+      <meta charset="UTF-8" />
+      <title>Login</title>
+    </head>
+    <body>
+      <h1>Login Page</h1>
+      <button id="sign-in" type="button">Sign-In</button>
+      <script type="module">
+        // See https://firebase.google.com/docs/auth/admin/manage-cookies
+        //
+        import { initializeApp } from 'https://www.gstatic.com/firebasejs/10.5.0/firebase-app.js';
+        import $ from 'https://cdn.skypack.dev/jquery';
+        // Add Firebase products that you want to use
+        import {
+          getAuth,
+          signInWithEmailAndPassword,
+          onAuthStateChanged,
+          connectAuthEmulator,
+          signOut,
+          setPersistence,
+          inMemoryPersistence,
+        } from 'https://www.gstatic.com/firebasejs/10.5.0/firebase-auth.js';
+        const app = initializeApp({
+          apiKey: 'test1234',
+          authDomain: 'test',
+          projectId: 'project12345',
+        });
+        const auth = getAuth(app);
+        connectAuthEmulator(auth, 'http://127.0.0.1:9099');
+        setPersistence(auth, inMemoryPersistence);
+
+        /**
+         * @param {string} name The cookie name.
+         * @return {?string} The corresponding cookie value to lookup.
+         */
+        function getCookie(name) {
+          const v = document.cookie.match('(^|;) ?' + name + '=([^;]*)(;|$)');
+          return v ? v[2] : null;
+        }
+
+        /**
+         * @param {string} url The session login endpoint.
+         * @param {string} idToken The ID token to post to backend.
+         * @return {any} A jQuery promise that resolves on completion.
+         */
+        function postIdTokenToSessionLogin(url, idToken) {
+          // POST to session login endpoint.
+          return $.ajax({
+            type: 'POST',
+            url: url,
+            data: JSON.stringify({ idToken: idToken }),
+            contentType: 'application/json',
+          });
+        }
+
+        $('#sign-in').on('click', function () {
+          console.log('clicked');
+
+          signInWithEmailAndPassword(auth, '[email protected]', 'test1234')
+            .then(({ user }) => {
+              // Get the user's ID token as it is needed to exchange for a session cookie.
+              const idToken = user.accessToken;
+              // Session login endpoint is queried and the session cookie is set.
+              // CSRF protection should be taken into account.
+              // ...
+              const csrfToken = getCookie('csrfToken');
+              return postIdTokenToSessionLogin('/admin/login_session', idToken, csrfToken);
+            })
+            .then(() => {
+              // A page redirect would suffice as the persistence is set to NONE.
+              return signOut(auth);
+            })
+            .then(() => {
+              window.location.assign('/admin/profile');
+            });
+        });
+      </script>
+    </body>
+  </html>`;
+  return c.html(content);
+});
+
+app.post('/admin/login_session', async c => {
+  const json = await c.req.json();
+  const idToken = json.idToken;
+  if (!idToken || typeof idToken !== 'string') {
+    return c.json({ message: 'invalid idToken' }, 400);
+  }
+  // Set session expiration to 5 days.
+  const expiresIn = 60 * 60 * 24 * 5 * 1000;
+  // Create the session cookie. This will also verify the ID token in the process.
+  // The session cookie will have the same claims as the ID token.
+  // To only allow session cookie setting on recent sign-in, auth_time in ID token
+  // can be checked to ensure user was recently signed in before creating a session cookie.
+  const auth = Auth.getOrInitialize(
+    c.env.PROJECT_ID,
+    WorkersKVStoreSingle.getOrInitialize(c.env.PUBLIC_JWK_CACHE_KEY, c.env.PUBLIC_JWK_CACHE_KV),
+    new EmulatorCredential() // You MUST use ServiceAccountCredential in real world
+  );
+  const sessionCookie = await auth.createSessionCookie(
+    idToken,
+    {
+      expiresIn,
+    },
+    c.env // This valus must be removed in real world
+  );
+  setCookie(c, 'session', sessionCookie, {
+    maxAge: expiresIn,
+    httpOnly: true,
+    // secure: true // set this in real world
+  });
+  return c.json({ message: 'success' });
+});
+
+app.get('/admin/profile', async c => {
+  const session = getCookie(c, 'session') ?? '';
+
+  const auth = Auth.getOrInitialize(
+    c.env.PROJECT_ID,
+    WorkersKVStoreSingle.getOrInitialize(c.env.PUBLIC_JWK_CACHE_KEY, c.env.PUBLIC_JWK_CACHE_KV),
+    new EmulatorCredential() // You MUST use ServiceAccountCredential in real world
+  );
+
+  try {
+    const decodedToken = await auth.verifySessionCookie(
+      session,
+      c.env // This valus must be removed in real world
+    );
+    return c.json(decodedToken);
+  } catch (err) {
+    return c.redirect('/admin/login');
+  }
+});
+
 export default app;

src/index.ts

@@ -3,6 +3,7 @@ import type { Credential } from './credential';
 import type { KeyStorer } from './key-store';
 import { WorkersKVStore } from './key-store';
 
+export { type Credential, ServiceAccountCredential, EmulatorCredential } from './credential';
 export { emulatorHost, useEmulator } from './emulator';
 export type { KeyStorer };
 export type { EmulatorEnv } from './emulator';