added key-store.ts

Author: Code-Hex

src/auth.ts

@@ -1,4 +1,5 @@
 import { Env, useEmulator } from "./emulator";
+import { KeyStorer } from "./key-store";
 import {
   createIdTokenVerifier,
   FirebaseIdToken,
@@ -11,13 +12,11 @@ export class BaseAuth {
 
   constructor(
     projectId: string,
-    cacheKey: string,
-    cfPublicKeyCacheNamespace: KVNamespace
+    keyStore: KeyStorer,
   ) {
     this.idTokenVerifier = createIdTokenVerifier(
       projectId,
-      cacheKey,
-      cfPublicKeyCacheNamespace
+      keyStore
     );
   }
 

src/index.ts

@@ -1,35 +1,39 @@
 import { BaseAuth } from "./auth"
-
+import { WorkersKVStore, KeyStorer } from "./key-store";
 
 export {
   emulatorHost,
   useEmulator
 } from "./emulator"
+export type { KeyStorer }
 export type { Env } from './emulator'
 
 export class Auth extends BaseAuth {
   private static instance?: Auth;
 
-  private constructor(
-    projectId: string,
-    cacheKey: string,
-    cfPublicKeyCacheNamespace: KVNamespace
-  ) {
-    super(projectId, cacheKey, cfPublicKeyCacheNamespace)
+  private constructor(projectId: string, keyStore: KeyStorer) {
+    super(projectId, keyStore)
   }
 
-  static getOrInitialize(
-    projectId: string,
-    cacheKey: string,
-    cfPublicKeyCacheNamespace: KVNamespace
-  ): Auth {
+  static getOrInitialize(projectId: string, keyStore: KeyStorer): Auth {
     if (!Auth.instance) {
-      Auth.instance = new Auth(
-        projectId,
-        cacheKey,
-        cfPublicKeyCacheNamespace,
-      )
+      Auth.instance = new Auth(projectId, keyStore)
     }
     return Auth.instance
   }
 }
+
+export class WorkersKVStoreSingle extends WorkersKVStore {
+  private static instance?: WorkersKVStoreSingle;
+
+  private constructor(cacheKey: string, cfKVNamespace: KVNamespace) {
+    super(cacheKey, cfKVNamespace)
+  }
+
+  static getOrInitialize(cacheKey: string, cfKVNamespace: KVNamespace): WorkersKVStoreSingle {
+    if (!WorkersKVStoreSingle.instance) {
+      WorkersKVStoreSingle.instance = new WorkersKVStoreSingle(cacheKey, cfKVNamespace)
+    }
+    return WorkersKVStoreSingle.instance
+  }
+}

src/jwk-fetcher.ts

@@ -1,4 +1,5 @@
 import { JsonWebKeyWithKid } from "./jwt-decoder";
+import { KeyStorer } from "./key-store";
 import { isArray, isNonNullObject, isURL } from "./validator";
 
 export interface KeyFetcher {
@@ -18,20 +19,16 @@ const isJWKMetadata = (value: any): value is JWKMetadata =>
 export class UrlKeyFetcher implements KeyFetcher {
   constructor(
     private readonly fetcher: Fetcher,
-    private readonly cacheKey: string,
-    private readonly cfKVNamespace: KVNamespace
-  ) {}
+    private readonly keyStorer: KeyStorer,
+  ) { }
 
   /**
    * Fetches the public keys for the Google certs.
    *
    * @returns A promise fulfilled with public keys for the Google certs.
    */
   public async fetchPublicKeys(): Promise<Array<JsonWebKeyWithKid>> {
-    const publicKeys = await this.cfKVNamespace.get<Array<JsonWebKeyWithKid>>(
-      this.cacheKey,
-      "json"
-    );
+    const publicKeys = await this.keyStorer.get<Array<JsonWebKeyWithKid>>();
     if (publicKeys === null || typeof publicKeys !== "object") {
       return await this.refresh();
     }
@@ -58,12 +55,9 @@ export class UrlKeyFetcher implements KeyFetcher {
     // store the public keys cache in the KV store.
     const maxAge = parseMaxAge(cacheControlHeader)
     if (!isNaN(maxAge)) {
-      this.cfKVNamespace.put(
-        this.cacheKey,
+      await this.keyStorer.put(
         JSON.stringify(publicKeys.keys),
-        {
-          expirationTtl: maxAge,
-        }
+        maxAge,
       );
     }
 

src/jws-verifier.ts

@@ -1,6 +1,7 @@
 import { JwtError, JwtErrorCode } from "./errors";
 import { HTTPFetcher, KeyFetcher, UrlKeyFetcher } from "./jwk-fetcher";
 import { JsonWebKeyWithKid, RS256Token } from "./jwt-decoder";
+import { KeyStorer } from "./key-store";
 import { isNonNullObject } from "./validator";
 
 // https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library
@@ -28,12 +29,11 @@ export class PublicKeySignatureVerifier implements SignatureVerifier {
 
   public static withCertificateUrl(
     clientCertUrl: string,
-    cacheKey: string,
-    cfKVNamespace: KVNamespace
+    keyStorer: KeyStorer,
   ): PublicKeySignatureVerifier {
     const fetcher = new HTTPFetcher(clientCertUrl)
     return new PublicKeySignatureVerifier(
-      new UrlKeyFetcher(fetcher, cacheKey, cfKVNamespace)
+      new UrlKeyFetcher(fetcher, keyStorer)
     );
   }
 

src/key-store.ts

@@ -0,0 +1,31 @@
+export interface KeyStorer {
+  get<ExpectedValue = unknown>(): Promise<ExpectedValue | null>;
+  put(value: string, expirationTtl: number): Promise<void>;
+}
+
+/**
+ * Class to get or store fetched public keys from a client certificates URL.
+ */
+export class WorkersKVStore implements KeyStorer {
+  constructor(
+    private readonly cacheKey: string,
+    private readonly cfKVNamespace: KVNamespace
+  ) {}
+
+  public async get<ExpectedValue = unknown>(): Promise<ExpectedValue | null> {
+    return await this.cfKVNamespace.get<ExpectedValue>(
+      this.cacheKey,
+      "json"
+    );
+  }
+
+  public async put(value: string, expirationTtl: number): Promise<void> {
+    await this.cfKVNamespace.put(
+      this.cacheKey,
+      value,
+      {
+        expirationTtl,
+      }
+    );
+  }
+}

src/token-verifier.ts

@@ -7,6 +7,7 @@ import {
 } from "./errors";
 import { EmulatorSignatureVerifier, PublicKeySignatureVerifier, SignatureVerifier } from "./jws-verifier";
 import { DecodedPayload, RS256Token } from "./jwt-decoder";
+import { KeyStorer } from "./key-store";
 import { isNonEmptyString, isNonNullObject, isString, isURL } from "./validator";
 
 // Audience to use for Firebase Auth Custom tokens
@@ -454,13 +455,11 @@ export const ID_TOKEN_INFO: FirebaseTokenInfo = {
  */
 export function createIdTokenVerifier(
   projectID: string,
-  cacheKey: string,
-  cfPublicKeyCacheNamespace: KVNamespace
+  keyStorer: KeyStorer
 ): FirebaseTokenVerifier {
   const signatureVerifier = PublicKeySignatureVerifier.withCertificateUrl(
     CLIENT_JWK_URL,
-    cacheKey,
-    cfPublicKeyCacheNamespace
+    keyStorer
   );
   return createFirebaseTokenVerifier(signatureVerifier, projectID)
 }

tests/jwk-fetcher.test.ts

@@ -1,4 +1,5 @@
 import { Fetcher, parseMaxAge, UrlKeyFetcher } from "../src/jwk-fetcher"
+import { WorkersKVStore } from "../src/key-store";
 
 class HTTPMockFetcher implements Fetcher {
   constructor(private readonly response: Response) { }
@@ -62,8 +63,7 @@ describe("UrlKeyFetcher", () => {
     )
     const urlKeyFetcher = new UrlKeyFetcher(
       mockedFetcher,
-      cacheKey,
-      TEST_NAMESPACE,
+      new WorkersKVStore(cacheKey, TEST_NAMESPACE),
     )
 
     const httpFetcherSpy = jest.spyOn(mockedFetcher, "fetch")
@@ -96,8 +96,7 @@ describe("UrlKeyFetcher", () => {
     )
     const urlKeyFetcher = new UrlKeyFetcher(
       mockedFetcher,
-      cacheKey,
-      TEST_NAMESPACE,
+      new WorkersKVStore(cacheKey, TEST_NAMESPACE),
     )
 
     const httpFetcherSpy = jest.spyOn(mockedFetcher, "fetch")
@@ -123,8 +122,7 @@ describe("UrlKeyFetcher", () => {
     )
     const urlKeyFetcher = new UrlKeyFetcher(
       mockedFetcher,
-      cacheKey,
-      TEST_NAMESPACE,
+      new WorkersKVStore(cacheKey, TEST_NAMESPACE),
     )
 
     expect(() => urlKeyFetcher.fetchPublicKeys()).rejects.toThrowError(
@@ -141,8 +139,7 @@ describe("UrlKeyFetcher", () => {
     )
     const urlKeyFetcher = new UrlKeyFetcher(
       mockedFetcher,
-      cacheKey,
-      TEST_NAMESPACE,
+      new WorkersKVStore(cacheKey, TEST_NAMESPACE),
     )
 
     expect(() => urlKeyFetcher.fetchPublicKeys()).rejects.toThrowError(