added verifySessionCookie

Author: Code-Hex

src/auth.ts

@@ -2,14 +2,16 @@ import type { EmulatorEnv } from './emulator';
 import { useEmulator } from './emulator';
 import type { KeyStorer } from './key-store';
 import type { FirebaseIdToken, FirebaseTokenVerifier } from './token-verifier';
-import { createIdTokenVerifier } from './token-verifier';
+import { createIdTokenVerifier, createSessionCookieVerifier } from './token-verifier';
 
 export class BaseAuth {
   /** @internal */
   protected readonly idTokenVerifier: FirebaseTokenVerifier;
+  protected readonly sessionCookieVerifier: FirebaseTokenVerifier;
 
   constructor(projectId: string, keyStore: KeyStorer) {
     this.idTokenVerifier = createIdTokenVerifier(projectId, keyStore);
+    this.sessionCookieVerifier = createSessionCookieVerifier(projectId, keyStore);
   }
 
   /**
@@ -28,4 +30,30 @@ export class BaseAuth {
     const isEmulator = useEmulator(env);
     return this.idTokenVerifier.verifyJWT(idToken, isEmulator);
   }
+
+  /**
+   * Verifies a Firebase session cookie. Returns a Promise with the cookie claims.
+   * Rejects the promise if the cookie could not be verified.
+   *
+   * If `checkRevoked` is set to true, first verifies whether the corresponding
+   * user is disabled: If yes, an `auth/user-disabled` error is thrown. If no,
+   * verifies if the session corresponding to the session cookie was revoked.
+   * If the corresponding user's session was invalidated, an
+   * `auth/session-cookie-revoked` error is thrown. If not specified the check
+   * is not performed.
+   *
+   * See {@link https://firebase.google.com/docs/auth/admin/manage-cookies#verify_session_cookie_and_check_permissions |
+   * Verify Session Cookies}
+   * for code samples and detailed documentation
+   *
+   * @param sessionCookie - The session cookie to verify.
+   *
+   * @returns A promise fulfilled with the
+   *   session cookie's decoded claims if the session cookie is valid; otherwise,
+   *   a rejected promise.
+   */
+  public verifySessionCookie(sessionCookie: string, env?: EmulatorEnv): Promise<FirebaseIdToken> {
+    const isEmulator = useEmulator(env);
+    return this.sessionCookieVerifier.verifyJWT(sessionCookie, isEmulator);
+  }
 }

src/errors.ts

@@ -67,6 +67,10 @@ export class AuthClientErrorCode {
     code: 'user-disabled',
     message: 'The user record is disabled.',
   };
+  public static SESSION_COOKIE_EXPIRED = {
+    code: 'session-cookie-expired',
+    message: 'The Firebase session cookie is expired.',
+  };
 }
 
 /**

src/token-verifier.ts

@@ -405,16 +405,60 @@ export const ID_TOKEN_INFO: FirebaseTokenInfo = {
  */
 export function createIdTokenVerifier(projectID: string, keyStorer: KeyStorer): FirebaseTokenVerifier {
   const signatureVerifier = PublicKeySignatureVerifier.withCertificateUrl(CLIENT_JWK_URL, keyStorer);
-  return createFirebaseTokenVerifier(signatureVerifier, projectID);
+  return baseCreateIdTokenVerifier(signatureVerifier, projectID);
 }
 
 /**
  * @internal
  * @returns FirebaseTokenVerifier
  */
-export function createFirebaseTokenVerifier(
+export function baseCreateIdTokenVerifier(
   signatureVerifier: SignatureVerifier,
   projectID: string
 ): FirebaseTokenVerifier {
   return new FirebaseTokenVerifier(signatureVerifier, projectID, 'https://securetoken.google.com/', ID_TOKEN_INFO);
 }
+
+// URL containing the public keys for Firebase session cookies.
+const SESSION_COOKIE_CERT_URL = 'https://identitytoolkit.googleapis.com/v1/sessionCookiePublicKeys';
+
+/**
+ * User facing token information related to the Firebase session cookie.
+ *
+ * @internal
+ */
+export const SESSION_COOKIE_INFO: FirebaseTokenInfo = {
+  url: 'https://firebase.google.com/docs/auth/admin/manage-cookies',
+  verifyApiName: 'verifySessionCookie()',
+  jwtName: 'Firebase session cookie',
+  shortName: 'session cookie',
+  expiredErrorCode: AuthClientErrorCode.SESSION_COOKIE_EXPIRED,
+};
+
+/**
+ * Creates a new FirebaseTokenVerifier to verify Firebase session cookies.
+ *
+ * @internal
+ * @param app - Firebase app instance.
+ * @returns FirebaseTokenVerifier
+ */
+export function createSessionCookieVerifier(projectID: string, keyStorer: KeyStorer): FirebaseTokenVerifier {
+  const signatureVerifier = PublicKeySignatureVerifier.withCertificateUrl(SESSION_COOKIE_CERT_URL, keyStorer);
+  return baseCreateSessionCookieVerifier(signatureVerifier, projectID);
+}
+
+/**
+ * @internal
+ * @returns FirebaseTokenVerifier
+ */
+export function baseCreateSessionCookieVerifier(
+  signatureVerifier: SignatureVerifier,
+  projectID: string
+): FirebaseTokenVerifier {
+  return new FirebaseTokenVerifier(
+    signatureVerifier,
+    projectID,
+    'https://session.firebase.google.com/',
+    SESSION_COOKIE_INFO
+  );
+}

tests/firebase-utils.ts

@@ -0,0 +1,67 @@
+import { PublicKeySignatureVerifier } from '../src/jws-verifier';
+import type { FirebaseIdToken } from '../src/token-verifier';
+import { signJWT, genTime, genIss, TestingKeyFetcher } from './jwk-utils';
+
+export const projectId = 'projectId1234';
+export const userId = 'userId12345';
+
+export async function generateIdToken(
+  currentTimestamp?: number,
+  overrides?: Partial<FirebaseIdToken>
+): Promise<FirebaseIdToken> {
+  const now = currentTimestamp ?? genTime(Date.now());
+  return Object.assign(
+    {
+      aud: projectId,
+      exp: now + 9999,
+      iat: now - 10000, // -10s
+      iss: genIss(projectId),
+      sub: userId,
+      auth_time: now - 20000, // -20s
+      uid: userId,
+      firebase: {
+        identities: {},
+        sign_in_provider: 'google.com',
+      },
+    } satisfies FirebaseIdToken,
+    overrides
+  );
+}
+
+export async function generateSessionCookie(
+  currentTimestamp?: number,
+  overrides?: Partial<FirebaseIdToken>
+): Promise<FirebaseIdToken> {
+  const now = currentTimestamp ?? genTime(Date.now());
+  return Object.assign(
+    {
+      aud: projectId,
+      exp: now + 9999,
+      iat: now - 10000, // -10s
+      iss: 'https://session.firebase.google.com/' + projectId,
+      sub: userId,
+      auth_time: now - 20000, // -20s
+      uid: userId,
+      firebase: {
+        identities: {},
+        sign_in_provider: 'google.com',
+      },
+    } satisfies FirebaseIdToken,
+    overrides
+  );
+}
+
+interface SignVerifyPair {
+  jwt: string;
+  verifier: PublicKeySignatureVerifier;
+}
+
+export async function createTestingSignVerifyPair(payload: FirebaseIdToken): Promise<SignVerifyPair> {
+  const kid = 'aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd';
+  const testingKeyFetcher = await TestingKeyFetcher.withKeyPairGeneration(kid);
+  const jwt = await signJWT(kid, payload, testingKeyFetcher.getPrivateKey());
+  return {
+    jwt,
+    verifier: new PublicKeySignatureVerifier(testingKeyFetcher),
+  };
+}

tests/token-verifier.test.ts

@@ -1,113 +1,96 @@
 import { describe, it, expect } from 'vitest';
 import { PublicKeySignatureVerifier, rs256alg } from '../src/jws-verifier';
-import type { FirebaseIdToken } from '../src/token-verifier';
-import { createFirebaseTokenVerifier, FIREBASE_AUDIENCE } from '../src/token-verifier';
-import { genIss, genTime, signJWT, TestingKeyFetcher } from './jwk-utils';
+import { FIREBASE_AUDIENCE, baseCreateIdTokenVerifier, baseCreateSessionCookieVerifier } from '../src/token-verifier';
+import { createTestingSignVerifyPair, generateIdToken, generateSessionCookie, projectId } from './firebase-utils';
+import { genTime, signJWT, TestingKeyFetcher } from './jwk-utils';
 
 describe('FirebaseTokenVerifier', () => {
-  const kid = 'kid123456';
-  const projectId = 'projectId1234';
-  const currentTimestamp = genTime(Date.now());
-  const userId = 'userId12345';
-  const payload: FirebaseIdToken = {
-    aud: projectId,
-    exp: currentTimestamp + 9999,
-    iat: currentTimestamp - 10000, // -10s
-    iss: genIss(projectId),
-    sub: userId,
-    auth_time: currentTimestamp - 20000, // -20s
-    uid: userId,
-    firebase: {
-      identities: {},
-      sign_in_provider: 'google.com',
+  const testCases = [
+    {
+      name: 'createIdTokenVerifier',
+      tokenGenerator: generateIdToken,
+      firebaseTokenVerifier: baseCreateIdTokenVerifier,
     },
-  };
-
-  it.each([
-    ['valid without firebase emulator', payload],
-    [
-      'valid custom token without firebase emulator',
-      {
-        ...payload,
-        aud: FIREBASE_AUDIENCE,
-      },
-    ],
-  ])('%s', async (_, payload) => {
-    const testingKeyFetcher = await TestingKeyFetcher.withKeyPairGeneration(kid);
-    const jwt = await signJWT(kid, payload, testingKeyFetcher.getPrivateKey());
-
-    const verifier = new PublicKeySignatureVerifier(testingKeyFetcher);
-    const ftv = createFirebaseTokenVerifier(verifier, projectId);
-    const token = await ftv.verifyJWT(jwt, false);
+    {
+      name: 'createSessionCookieVerifier',
+      tokenGenerator: generateSessionCookie,
+      firebaseTokenVerifier: baseCreateSessionCookieVerifier,
+    },
+  ];
+  for (const tc of testCases) {
+    describe(tc.name, () => {
+      const currentTimestamp = genTime(Date.now());
 
-    expect(token).toStrictEqual(payload);
-  });
+      it.each([
+        ['valid without firebase emulator', tc.tokenGenerator(currentTimestamp)],
+        [
+          'valid custom token without firebase emulator',
+          tc.tokenGenerator(currentTimestamp, { aud: FIREBASE_AUDIENCE }),
+        ],
+      ])('%s', async (_, promise) => {
+        const payload = await promise;
+        const pair = await createTestingSignVerifyPair(payload);
+        const ftv = tc.firebaseTokenVerifier(pair.verifier, projectId);
+        const token = await ftv.verifyJWT(pair.jwt, false);
 
-  it('valid with firebase emulator', async () => {
-    const testingKeyFetcher = await TestingKeyFetcher.withKeyPairGeneration(kid);
+        expect(token).toStrictEqual(payload);
+      });
 
-    // sign as invalid private key with fetched public key
-    const keyPair = await crypto.subtle.generateKey(rs256alg, true, ['sign', 'verify']);
+      it.each([
+        ['aud', tc.tokenGenerator(currentTimestamp, { aud: 'unknown' }), 'has incorrect "aud" (audience) claim.'],
+        [
+          'iss',
+          tc.tokenGenerator(currentTimestamp, {
+            iss: projectId, // set just projectId
+          }),
+          'has incorrect "iss" (issuer) claim.',
+        ],
+        [
+          'sub',
+          tc.tokenGenerator(currentTimestamp, {
+            sub: 'x'.repeat(129),
+          }),
+          'has "sub" (subject) claim longer than 128 characters.',
+        ],
+        [
+          'auth_time',
+          tc.tokenGenerator(currentTimestamp, {
+            auth_time: undefined,
+          }),
+          'has no "auth_time" claim.',
+        ],
+        [
+          'auth_time is in future',
+          tc.tokenGenerator(currentTimestamp, {
+            auth_time: currentTimestamp + 3000, // +3s
+          }),
+          'has incorrect "auth_time" claim.',
+        ],
+      ])('invalid verifyPayload %s', async (_, promise, wantContainMsg) => {
+        const payload = await promise;
+        const pair = await createTestingSignVerifyPair(payload);
+        const ftv = tc.firebaseTokenVerifier(pair.verifier, projectId);
+        expect(() => ftv.verifyJWT(pair.jwt, false)).rejects.toThrowError(wantContainMsg);
+      });
 
-    // set with invalid kid because jwt does not contain kid which issued from firebase emulator.
-    const jwt = await signJWT('invalid-kid', payload, keyPair.privateKey);
+      it('valid with firebase emulator', async () => {
+        const payload = await tc.tokenGenerator(currentTimestamp);
+        const testingKeyFetcher = await TestingKeyFetcher.withKeyPairGeneration('valid-kid');
 
-    const verifier = new PublicKeySignatureVerifier(testingKeyFetcher);
-    const ftv = createFirebaseTokenVerifier(verifier, projectId);
+        // sign as invalid private key with fetched public key
+        const keyPair = await crypto.subtle.generateKey(rs256alg, true, ['sign', 'verify']);
 
-    // firebase emulator ignores signature verification step.
-    const token = await ftv.verifyJWT(jwt, true);
+        // set with invalid kid because jwt does not contain kid which issued from firebase emulator.
+        const jwt = await signJWT('invalid-kid', payload, keyPair.privateKey);
 
-    expect(token).toStrictEqual(payload);
-  });
+        const verifier = new PublicKeySignatureVerifier(testingKeyFetcher);
+        const ftv = tc.firebaseTokenVerifier(verifier, projectId);
 
-  it.each([
-    [
-      'aud',
-      {
-        ...payload,
-        aud: 'unknown',
-      },
-      'has incorrect "aud" (audience) claim.',
-    ],
-    [
-      'iss',
-      {
-        ...payload,
-        iss: projectId, // set just projectId
-      },
-      'has incorrect "iss" (issuer) claim.',
-    ],
-    [
-      'sub',
-      {
-        ...payload,
-        sub: 'x'.repeat(129),
-      },
-      'has "sub" (subject) claim longer than 128 characters.',
-    ],
-    [
-      'auth_time',
-      {
-        ...payload,
-        auth_time: undefined,
-      },
-      'has no "auth_time" claim.',
-    ],
-    [
-      'auth_time is in future',
-      {
-        ...payload,
-        auth_time: currentTimestamp + 3000, // +3s
-      },
-      'has incorrect "auth_time" claim.',
-    ],
-  ])('invalid verifyPayload %s', async (_, payload, wantContainMsg) => {
-    const testingKeyFetcher = await TestingKeyFetcher.withKeyPairGeneration(kid);
-    const jwt = await signJWT(kid, payload, testingKeyFetcher.getPrivateKey());
+        // firebase emulator ignores signature verification step.
+        const token = await ftv.verifyJWT(jwt, true);
 
-    const verifier = new PublicKeySignatureVerifier(testingKeyFetcher);
-    const ftv = createFirebaseTokenVerifier(verifier, projectId);
-    expect(() => ftv.verifyJWT(jwt, false)).rejects.toThrowError(wantContainMsg);
-  });
+        expect(token).toStrictEqual(payload);
+      });
+    });
+  }
 });