1 |
|
2 | "use strict";
|
3 |
|
4 |
|
5 |
|
6 |
|
7 |
|
8 |
|
9 |
|
10 |
|
11 |
|
12 |
|
13 |
|
14 |
|
15 |
|
16 |
|
17 |
|
18 | Object.defineProperty(exports, "__esModule", { value: true });
|
19 | exports.AppCheckTokenVerifier = void 0;
|
20 | var validator = require("../utils/validator");
|
21 | var util = require("../utils/index");
|
22 | var app_check_api_client_internal_1 = require("./app-check-api-client-internal");
|
23 | var jwt_1 = require("../utils/jwt");
|
24 | var APP_CHECK_ISSUER = 'https://firebaseappcheck.googleapis.com/';
|
25 | var JWKS_URL = 'https://firebaseappcheck.googleapis.com/v1beta/jwks';
|
26 |
|
27 |
|
28 |
|
29 |
|
30 |
|
31 | var AppCheckTokenVerifier = (function () {
|
32 | function AppCheckTokenVerifier(app) {
|
33 | this.app = app;
|
34 | this.signatureVerifier = jwt_1.PublicKeySignatureVerifier.withJwksUrl(JWKS_URL);
|
35 | }
|
36 | |
37 |
|
38 |
|
39 |
|
40 |
|
41 |
|
42 | AppCheckTokenVerifier.prototype.verifyToken = function (token) {
|
43 | var _this = this;
|
44 | if (!validator.isString(token)) {
|
45 | throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', 'App check token must be a non-null string.');
|
46 | }
|
47 | return this.ensureProjectId()
|
48 | .then(function (projectId) {
|
49 | return _this.decodeAndVerify(token, projectId);
|
50 | })
|
51 | .then(function (decoded) {
|
52 | var decodedAppCheckToken = decoded.payload;
|
53 |
|
54 | decodedAppCheckToken.app_id = decodedAppCheckToken.sub;
|
55 | return decodedAppCheckToken;
|
56 | });
|
57 | };
|
58 | AppCheckTokenVerifier.prototype.ensureProjectId = function () {
|
59 | return util.findProjectId(this.app)
|
60 | .then(function (projectId) {
|
61 | if (!validator.isNonEmptyString(projectId)) {
|
62 | throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-credential', 'Must initialize app with a cert credential or set your Firebase project ID as the ' +
|
63 | 'GOOGLE_CLOUD_PROJECT environment variable to verify an App Check token.');
|
64 | }
|
65 | return projectId;
|
66 | });
|
67 | };
|
68 | AppCheckTokenVerifier.prototype.decodeAndVerify = function (token, projectId) {
|
69 | var _this = this;
|
70 | return this.safeDecode(token)
|
71 | .then(function (decodedToken) {
|
72 | _this.verifyContent(decodedToken, projectId);
|
73 | return _this.verifySignature(token)
|
74 | .then(function () { return decodedToken; });
|
75 | });
|
76 | };
|
77 | AppCheckTokenVerifier.prototype.safeDecode = function (jwtToken) {
|
78 | return jwt_1.decodeJwt(jwtToken)
|
79 | .catch(function () {
|
80 | var errorMessage = 'Decoding App Check token failed. Make sure you passed ' +
|
81 | 'the entire string JWT which represents the Firebase App Check token.';
|
82 | throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', errorMessage);
|
83 | });
|
84 | };
|
85 | |
86 |
|
87 |
|
88 |
|
89 |
|
90 |
|
91 | AppCheckTokenVerifier.prototype.verifyContent = function (fullDecodedToken, projectId) {
|
92 | var header = fullDecodedToken.header;
|
93 | var payload = fullDecodedToken.payload;
|
94 | var projectIdMatchMessage = ' Make sure the App Check token comes from the same ' +
|
95 | 'Firebase project as the service account used to authenticate this SDK.';
|
96 | var scopedProjectId = "projects/" + projectId;
|
97 | var errorMessage;
|
98 | if (header.alg !== jwt_1.ALGORITHM_RS256) {
|
99 | errorMessage = 'The provided App Check token has incorrect algorithm. Expected "' +
|
100 | jwt_1.ALGORITHM_RS256 + '" but got ' + '"' + header.alg + '".';
|
101 | }
|
102 | else if (!validator.isNonEmptyArray(payload.aud) || !payload.aud.includes(scopedProjectId)) {
|
103 | errorMessage = 'The provided App Check token has incorrect "aud" (audience) claim. Expected "' +
|
104 | scopedProjectId + '" but got "' + payload.aud + '".' + projectIdMatchMessage;
|
105 | }
|
106 | else if (typeof payload.iss !== 'string' || !payload.iss.startsWith(APP_CHECK_ISSUER)) {
|
107 | errorMessage = 'The provided App Check token has incorrect "iss" (issuer) claim.';
|
108 | }
|
109 | else if (typeof payload.sub !== 'string') {
|
110 | errorMessage = 'The provided App Check token has no "sub" (subject) claim.';
|
111 | }
|
112 | else if (payload.sub === '') {
|
113 | errorMessage = 'The provided App Check token has an empty string "sub" (subject) claim.';
|
114 | }
|
115 | if (errorMessage) {
|
116 | throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', errorMessage);
|
117 | }
|
118 | };
|
119 | AppCheckTokenVerifier.prototype.verifySignature = function (jwtToken) {
|
120 | var _this = this;
|
121 | return this.signatureVerifier.verify(jwtToken)
|
122 | .catch(function (error) {
|
123 | throw _this.mapJwtErrorToAppCheckError(error);
|
124 | });
|
125 | };
|
126 | |
127 |
|
128 |
|
129 |
|
130 |
|
131 |
|
132 | AppCheckTokenVerifier.prototype.mapJwtErrorToAppCheckError = function (error) {
|
133 | if (error.code === jwt_1.JwtErrorCode.TOKEN_EXPIRED) {
|
134 | var errorMessage = 'The provided App Check token has expired. Get a fresh App Check token' +
|
135 | ' from your client app and try again.';
|
136 | return new app_check_api_client_internal_1.FirebaseAppCheckError('app-check-token-expired', errorMessage);
|
137 | }
|
138 | else if (error.code === jwt_1.JwtErrorCode.INVALID_SIGNATURE) {
|
139 | var errorMessage = 'The provided App Check token has invalid signature.';
|
140 | return new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', errorMessage);
|
141 | }
|
142 | else if (error.code === jwt_1.JwtErrorCode.NO_MATCHING_KID) {
|
143 | var errorMessage = 'The provided App Check token has "kid" claim which does not ' +
|
144 | 'correspond to a known public key. Most likely the provided App Check token ' +
|
145 | 'is expired, so get a fresh token from your client app and try again.';
|
146 | return new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', errorMessage);
|
147 | }
|
148 | return new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', error.message);
|
149 | };
|
150 | return AppCheckTokenVerifier;
|
151 | }());
|
152 | exports.AppCheckTokenVerifier = AppCheckTokenVerifier;
|