UNPKG

firebase-admin/lib/auth/token-generator.js

Version:

9.02 kBJavaScriptView Raw

1/*! firebase-admin v10.0.0 */
2"use strict";
3/*!
* @license
* Copyright 2017 Google Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
*   http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
19Object.defineProperty(exports, "__esModule", { value: true });
20exports.handleCryptoSignerError = exports.FirebaseTokenGenerator = exports.EmulatedSigner = exports.BLACKLISTED_CLAIMS = void 0;
21var error_1 = require("../utils/error");
22var crypto_signer_1 = require("../utils/crypto-signer");
23var validator = require("../utils/validator");
24var utils_1 = require("../utils");
25var ALGORITHM_NONE = 'none';
26var ONE_HOUR_IN_SECONDS = 60 * 60;
27// List of blacklisted claims which cannot be provided when creating a custom token
28exports.BLACKLISTED_CLAIMS = [
  'acr', 'amr', 'at_hash', 'aud', 'auth_time', 'azp', 'cnf', 'c_hash', 'exp', 'iat', 'iss', 'jti',
  'nbf', 'nonce',
31];
32// Audience to use for Firebase Auth Custom tokens
33var FIREBASE_AUDIENCE = 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';
34/**
* A CryptoSigner implementation that is used when communicating with the Auth emulator.
* It produces unsigned tokens.
*/
38var EmulatedSigner = /** @class */ (function () {
  function EmulatedSigner() {
      this.algorithm = ALGORITHM_NONE;
  }
  /**
   * @inheritDoc
   */
  // eslint-disable-next-line @typescript-eslint/no-unused-vars
  EmulatedSigner.prototype.sign = function (buffer) {
      return Promise.resolve(Buffer.from(''));
  };
  /**
   * @inheritDoc
   */
  EmulatedSigner.prototype.getAccountId = function () {
      return Promise.resolve('firebase-auth-emulator@example.com');
  };
  return EmulatedSigner;
56}());
57exports.EmulatedSigner = EmulatedSigner;
58/**
* Class for generating different types of Firebase Auth tokens (JWTs).
*
* @internal
*/
63var FirebaseTokenGenerator = /** @class */ (function () {
  /**
   * @param tenantId - The tenant ID to use for the generated Firebase Auth
   *     Custom token. If absent, then no tenant ID claim will be set in the
   *     resulting JWT.
   */
  function FirebaseTokenGenerator(signer, tenantId) {
      this.tenantId = tenantId;
      if (!validator.isNonNullObject(signer)) {
          throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CREDENTIAL, 'INTERNAL ASSERT: Must provide a CryptoSigner to use FirebaseTokenGenerator.');
      }
      if (typeof this.tenantId !== 'undefined' && !validator.isNonEmptyString(this.tenantId)) {
          throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, '`tenantId` argument must be a non-empty string.');
      }
      this.signer = signer;
  }
  /**
   * Creates a new Firebase Auth Custom token.
   *
   * @param uid - The user ID to use for the generated Firebase Auth Custom token.
   * @param developerClaims - Optional developer claims to include in the generated Firebase
   *     Auth Custom token.
   * @returns A Promise fulfilled with a Firebase Auth Custom token signed with a
   *     service account key and containing the provided payload.
   */
  FirebaseTokenGenerator.prototype.createCustomToken = function (uid, developerClaims) {
      var _this = this;
      var errorMessage;
      if (!validator.isNonEmptyString(uid)) {
          errorMessage = '`uid` argument must be a non-empty string uid.';
      }
      else if (uid.length > 128) {
          errorMessage = '`uid` argument must a uid with less than or equal to 128 characters.';
      }
      else if (!this.isDeveloperClaimsValid_(developerClaims)) {
          errorMessage = '`developerClaims` argument must be a valid, non-null object containing the developer claims.';
      }
      if (errorMessage) {
          throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, errorMessage);
      }
      var claims = {};
      if (typeof developerClaims !== 'undefined') {
          for (var key in developerClaims) {
              /* istanbul ignore else */
              if (Object.prototype.hasOwnProperty.call(developerClaims, key)) {
                  if (exports.BLACKLISTED_CLAIMS.indexOf(key) !== -1) {
                      throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "Developer claim \"" + key + "\" is reserved and cannot be specified.");
                  }
                  claims[key] = developerClaims[key];
              }
          }
      }
      return this.signer.getAccountId().then(function (account) {
          var header = {
              alg: _this.signer.algorithm,
              typ: 'JWT',
          };
          var iat = Math.floor(Date.now() / 1000);
          var body = {
              aud: FIREBASE_AUDIENCE,
              iat: iat,
              exp: iat + ONE_HOUR_IN_SECONDS,
              iss: account,
              sub: account,
              uid: uid,
          };
          if (_this.tenantId) {
              // eslint-disable-next-line @typescript-eslint/camelcase
              body.tenant_id = _this.tenantId;
          }
          if (Object.keys(claims).length > 0) {
              body.claims = claims;
          }
          var token = _this.encodeSegment(header) + "." + _this.encodeSegment(body);
          var signPromise = _this.signer.sign(Buffer.from(token));
          return Promise.all([token, signPromise]);
      }).then(function (_a) {
          var token = _a[0], signature = _a[1];
          return token + "." + _this.encodeSegment(signature);
      }).catch(function (err) {
          throw handleCryptoSignerError(err);
      });
  };
  FirebaseTokenGenerator.prototype.encodeSegment = function (segment) {
      var buffer = (segment instanceof Buffer) ? segment : Buffer.from(JSON.stringify(segment));
      return utils_1.toWebSafeBase64(buffer).replace(/=+$/, '');
  };
  /**
   * Returns whether or not the provided developer claims are valid.
   *
   * @param developerClaims - Optional developer claims to validate.
   * @returns True if the provided claims are valid; otherwise, false.
   */
  FirebaseTokenGenerator.prototype.isDeveloperClaimsValid_ = function (developerClaims) {
      if (typeof developerClaims === 'undefined') {
          return true;
      }
      return validator.isNonNullObject(developerClaims);
  };
  return FirebaseTokenGenerator;
163}());
164exports.FirebaseTokenGenerator = FirebaseTokenGenerator;
165/**
* Creates a new FirebaseAuthError by extracting the error code, message and other relevant
* details from a CryptoSignerError.
*
* @param err - The Error to convert into a FirebaseAuthError error
* @returns A Firebase Auth error that can be returned to the user.
*/
172function handleCryptoSignerError(err) {
  if (!(err instanceof crypto_signer_1.CryptoSignerError)) {
      return err;
  }
  if (err.code === crypto_signer_1.CryptoSignerErrorCode.SERVER_ERROR && validator.isNonNullObject(err.cause)) {
      var httpError = err.cause;
      var errorResponse = httpError.response.data;
      if (validator.isNonNullObject(errorResponse) && errorResponse.error) {
          var errorCode = errorResponse.error.status;
          var description = 'Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens ' +
              'for more details on how to use and troubleshoot this feature.';
          var errorMsg = errorResponse.error.message + "; " + description;
          return error_1.FirebaseAuthError.fromServerError(errorCode, errorMsg, errorResponse);
      }
      return new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INTERNAL_ERROR, 'Error returned from server: ' + errorResponse + '. Additionally, an ' +
          'internal error occurred while attempting to extract the ' +
          'errorcode from the error.');
  }
  return new error_1.FirebaseAuthError(mapToAuthClientErrorCode(err.code), err.message);
191}
192exports.handleCryptoSignerError = handleCryptoSignerError;
193function mapToAuthClientErrorCode(code) {
  switch (code) {
      case crypto_signer_1.CryptoSignerErrorCode.INVALID_CREDENTIAL:
          return error_1.AuthClientErrorCode.INVALID_CREDENTIAL;
      case crypto_signer_1.CryptoSignerErrorCode.INVALID_ARGUMENT:
          return error_1.AuthClientErrorCode.INVALID_ARGUMENT;
      default:
          return error_1.AuthClientErrorCode.INTERNAL_ERROR;
  }
202}

1	`/! firebase-admin v10.0.0 /`
2	`"use strict";`
3	`/*!`
4	`* @license`
5	`* Copyright 2017 Google Inc.`
6	`*`
7	`* Licensed under the Apache License, Version 2.0 (the "License");`
8	`* you may not use this file except in compliance with the License.`
9	`* You may obtain a copy of the License at`
10	`*`
11	`* http://www.apache.org/licenses/LICENSE-2.0`
12	`*`
13	`* Unless required by applicable law or agreed to in writing, software`
14	`* distributed under the License is distributed on an "AS IS" BASIS,`
15	`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
16	`* See the License for the specific language governing permissions and`
17	`* limitations under the License.`
18	`*/`
19	`Object.defineProperty(exports, "__esModule", { value: true });`
20	`exports.handleCryptoSignerError = exports.FirebaseTokenGenerator = exports.EmulatedSigner = exports.BLACKLISTED_CLAIMS = void 0;`
21	`var error_1 = require("../utils/error");`
22	`var crypto_signer_1 = require("../utils/crypto-signer");`
23	`var validator = require("../utils/validator");`
24	`var utils_1 = require("../utils");`
25	`var ALGORITHM_NONE = 'none';`
26	`var ONE_HOUR_IN_SECONDS = 60 * 60;`
27	`// List of blacklisted claims which cannot be provided when creating a custom token`
28	`exports.BLACKLISTED_CLAIMS = [`
29	`'acr', 'amr', 'at_hash', 'aud', 'auth_time', 'azp', 'cnf', 'c_hash', 'exp', 'iat', 'iss', 'jti',`
30	`'nbf', 'nonce',`
31	`];`
32	`// Audience to use for Firebase Auth Custom tokens`
33	`var FIREBASE_AUDIENCE = 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';`
34	`/**`
35	`* A CryptoSigner implementation that is used when communicating with the Auth emulator.`
36	`* It produces unsigned tokens.`
37	`*/`
38	`var EmulatedSigner = /** @class */ (function () {`
39	`function EmulatedSigner() {`
40	`this.algorithm = ALGORITHM_NONE;`
41	`}`
42	`/**`
43	`* @inheritDoc`
44	`*/`
45	`// eslint-disable-next-line @typescript-eslint/no-unused-vars`
46	`EmulatedSigner.prototype.sign = function (buffer) {`
47	`return Promise.resolve(Buffer.from(''));`
48	`};`
49	`/**`
50	`* @inheritDoc`
51	`*/`
52	`EmulatedSigner.prototype.getAccountId = function () {`
53	`return Promise.resolve('firebase-auth-emulator@example.com');`
54	`};`
55	`return EmulatedSigner;`
56	`}());`
57	`exports.EmulatedSigner = EmulatedSigner;`
58	`/**`
59	`* Class for generating different types of Firebase Auth tokens (JWTs).`
60	`*`
61	`* @internal`
62	`*/`
63	`var FirebaseTokenGenerator = /** @class */ (function () {`
64	`/**`
65	`* @param tenantId - The tenant ID to use for the generated Firebase Auth`
66	`* Custom token. If absent, then no tenant ID claim will be set in the`
67	`* resulting JWT.`
68	`*/`
69	`function FirebaseTokenGenerator(signer, tenantId) {`
70	`this.tenantId = tenantId;`
71	`if (!validator.isNonNullObject(signer)) {`
72	`throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CREDENTIAL, 'INTERNAL ASSERT: Must provide a CryptoSigner to use FirebaseTokenGenerator.');`
73	`}`
74	`if (typeof this.tenantId !== 'undefined' && !validator.isNonEmptyString(this.tenantId)) {`
75	throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, '`tenantId` argument must be a non-empty string.');
76	`}`
77	`this.signer = signer;`
78	`}`
79	`/**`
80	`* Creates a new Firebase Auth Custom token.`
81	`*`
82	`* @param uid - The user ID to use for the generated Firebase Auth Custom token.`
83	`* @param developerClaims - Optional developer claims to include in the generated Firebase`
84	`* Auth Custom token.`
85	`* @returns A Promise fulfilled with a Firebase Auth Custom token signed with a`
86	`* service account key and containing the provided payload.`
87	`*/`
88	`FirebaseTokenGenerator.prototype.createCustomToken = function (uid, developerClaims) {`
89	`var _this = this;`
90	`var errorMessage;`
91	`if (!validator.isNonEmptyString(uid)) {`
92	errorMessage = '`uid` argument must be a non-empty string uid.';
93	`}`
94	`else if (uid.length > 128) {`
95	errorMessage = '`uid` argument must a uid with less than or equal to 128 characters.';
96	`}`
97	`else if (!this.isDeveloperClaimsValid_(developerClaims)) {`
98	errorMessage = '`developerClaims` argument must be a valid, non-null object containing the developer claims.';
99	`}`
100	`if (errorMessage) {`
101	`throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, errorMessage);`
102	`}`
103	`var claims = {};`
104	`if (typeof developerClaims !== 'undefined') {`
105	`for (var key in developerClaims) {`
106	`/* istanbul ignore else */`
107	`if (Object.prototype.hasOwnProperty.call(developerClaims, key)) {`
108	`if (exports.BLACKLISTED_CLAIMS.indexOf(key) !== -1) {`
109	`throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "Developer claim \"" + key + "\" is reserved and cannot be specified.");`
110	`}`
111	`claims[key] = developerClaims[key];`
112	`}`
113	`}`
114	`}`
115	`return this.signer.getAccountId().then(function (account) {`
116	`var header = {`
117	`alg: _this.signer.algorithm,`
118	`typ: 'JWT',`
119	`};`
120	`var iat = Math.floor(Date.now() / 1000);`
121	`var body = {`
122	`aud: FIREBASE_AUDIENCE,`
123	`iat: iat,`
124	`exp: iat + ONE_HOUR_IN_SECONDS,`
125	`iss: account,`
126	`sub: account,`
127	`uid: uid,`
128	`};`
129	`if (_this.tenantId) {`
130	`// eslint-disable-next-line @typescript-eslint/camelcase`
131	`body.tenant_id = _this.tenantId;`
132	`}`
133	`if (Object.keys(claims).length > 0) {`
134	`body.claims = claims;`
135	`}`
136	`var token = _this.encodeSegment(header) + "." + _this.encodeSegment(body);`
137	`var signPromise = _this.signer.sign(Buffer.from(token));`
138	`return Promise.all([token, signPromise]);`
139	`}).then(function (_a) {`
140	`var token = _a[0], signature = _a[1];`
141	`return token + "." + _this.encodeSegment(signature);`
142	`}).catch(function (err) {`
143	`throw handleCryptoSignerError(err);`
144	`});`
145	`};`
146	`FirebaseTokenGenerator.prototype.encodeSegment = function (segment) {`
147	`var buffer = (segment instanceof Buffer) ? segment : Buffer.from(JSON.stringify(segment));`
148	`return utils_1.toWebSafeBase64(buffer).replace(/=+$/, '');`
149	`};`
150	`/**`
151	`* Returns whether or not the provided developer claims are valid.`
152	`*`
153	`* @param developerClaims - Optional developer claims to validate.`
154	`* @returns True if the provided claims are valid; otherwise, false.`
155	`*/`
156	`FirebaseTokenGenerator.prototype.isDeveloperClaimsValid_ = function (developerClaims) {`
157	`if (typeof developerClaims === 'undefined') {`
158	`return true;`
159	`}`
160	`return validator.isNonNullObject(developerClaims);`
161	`};`
162	`return FirebaseTokenGenerator;`
163	`}());`
164	`exports.FirebaseTokenGenerator = FirebaseTokenGenerator;`
165	`/**`
166	`* Creates a new FirebaseAuthError by extracting the error code, message and other relevant`
167	`* details from a CryptoSignerError.`
168	`*`
169	`* @param err - The Error to convert into a FirebaseAuthError error`
170	`* @returns A Firebase Auth error that can be returned to the user.`
171	`*/`
172	`function handleCryptoSignerError(err) {`
173	`if (!(err instanceof crypto_signer_1.CryptoSignerError)) {`
174	`return err;`
175	`}`
176	`if (err.code === crypto_signer_1.CryptoSignerErrorCode.SERVER_ERROR && validator.isNonNullObject(err.cause)) {`
177	`var httpError = err.cause;`
178	`var errorResponse = httpError.response.data;`
179	`if (validator.isNonNullObject(errorResponse) && errorResponse.error) {`
180	`var errorCode = errorResponse.error.status;`
181	`var description = 'Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens ' +`
182	`'for more details on how to use and troubleshoot this feature.';`
183	`var errorMsg = errorResponse.error.message + "; " + description;`
184	`return error_1.FirebaseAuthError.fromServerError(errorCode, errorMsg, errorResponse);`
185	`}`
186	`return new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INTERNAL_ERROR, 'Error returned from server: ' + errorResponse + '. Additionally, an ' +`
187	`'internal error occurred while attempting to extract the ' +`
188	`'errorcode from the error.');`
189	`}`
190	`return new error_1.FirebaseAuthError(mapToAuthClientErrorCode(err.code), err.message);`
191	`}`
192	`exports.handleCryptoSignerError = handleCryptoSignerError;`
193	`function mapToAuthClientErrorCode(code) {`
194	`switch (code) {`
195	`case crypto_signer_1.CryptoSignerErrorCode.INVALID_CREDENTIAL:`
196	`return error_1.AuthClientErrorCode.INVALID_CREDENTIAL;`
197	`case crypto_signer_1.CryptoSignerErrorCode.INVALID_ARGUMENT:`
198	`return error_1.AuthClientErrorCode.INVALID_ARGUMENT;`
199	`default:`
200	`return error_1.AuthClientErrorCode.INTERNAL_ERROR;`
201	`}`
202	`}`