1 |
|
2 | "use strict";
|
3 |
|
4 |
|
5 |
|
6 |
|
7 |
|
8 |
|
9 |
|
10 |
|
11 |
|
12 |
|
13 |
|
14 |
|
15 |
|
16 |
|
17 |
|
18 | Object.defineProperty(exports, "__esModule", { value: true });
|
19 | exports.AppCheckTokenVerifier = void 0;
|
20 | var validator = require("../utils/validator");
|
21 | var util = require("../utils/index");
|
22 | var app_check_api_client_internal_1 = require("./app-check-api-client-internal");
|
23 | var jwt_1 = require("../utils/jwt");
|
24 | var APP_CHECK_ISSUER = 'https://firebaseappcheck.googleapis.com/';
|
25 | var JWKS_URL = 'https://firebaseappcheck.googleapis.com/v1beta/jwks';
|
26 |
|
27 |
|
28 |
|
29 |
|
30 |
|
31 | var AppCheckTokenVerifier = (function () {
|
32 | function AppCheckTokenVerifier(app) {
|
33 | this.app = app;
|
34 | this.signatureVerifier = jwt_1.PublicKeySignatureVerifier.withJwksUrl(JWKS_URL);
|
35 | }
|
36 | |
37 |
|
38 |
|
39 |
|
40 |
|
41 |
|
42 | AppCheckTokenVerifier.prototype.verifyToken = function (token) {
|
43 | var _this = this;
|
44 | if (!validator.isString(token)) {
|
45 | throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', 'App check token must be a non-null string.');
|
46 | }
|
47 | return this.ensureProjectId()
|
48 | .then(function (projectId) {
|
49 | return _this.decodeAndVerify(token, projectId);
|
50 | })
|
51 | .then(function (decoded) {
|
52 | var decodedAppCheckToken = decoded.payload;
|
53 | decodedAppCheckToken.app_id = decodedAppCheckToken.sub;
|
54 | return decodedAppCheckToken;
|
55 | });
|
56 | };
|
57 | AppCheckTokenVerifier.prototype.ensureProjectId = function () {
|
58 | return util.findProjectId(this.app)
|
59 | .then(function (projectId) {
|
60 | if (!validator.isNonEmptyString(projectId)) {
|
61 | throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-credential', 'Must initialize app with a cert credential or set your Firebase project ID as the ' +
|
62 | 'GOOGLE_CLOUD_PROJECT environment variable to verify an App Check token.');
|
63 | }
|
64 | return projectId;
|
65 | });
|
66 | };
|
67 | AppCheckTokenVerifier.prototype.decodeAndVerify = function (token, projectId) {
|
68 | var _this = this;
|
69 | return this.safeDecode(token)
|
70 | .then(function (decodedToken) {
|
71 | _this.verifyContent(decodedToken, projectId);
|
72 | return _this.verifySignature(token)
|
73 | .then(function () { return decodedToken; });
|
74 | });
|
75 | };
|
76 | AppCheckTokenVerifier.prototype.safeDecode = function (jwtToken) {
|
77 | return jwt_1.decodeJwt(jwtToken)
|
78 | .catch(function () {
|
79 | var errorMessage = 'Decoding App Check token failed. Make sure you passed ' +
|
80 | 'the entire string JWT which represents the Firebase App Check token.';
|
81 | throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', errorMessage);
|
82 | });
|
83 | };
|
84 | |
85 |
|
86 |
|
87 |
|
88 |
|
89 |
|
90 | AppCheckTokenVerifier.prototype.verifyContent = function (fullDecodedToken, projectId) {
|
91 | var header = fullDecodedToken.header;
|
92 | var payload = fullDecodedToken.payload;
|
93 | var projectIdMatchMessage = ' Make sure the App Check token comes from the same ' +
|
94 | 'Firebase project as the service account used to authenticate this SDK.';
|
95 | var scopedProjectId = "projects/" + projectId;
|
96 | var errorMessage;
|
97 | if (header.alg !== jwt_1.ALGORITHM_RS256) {
|
98 | errorMessage = 'The provided App Check token has incorrect algorithm. Expected "' +
|
99 | jwt_1.ALGORITHM_RS256 + '" but got ' + '"' + header.alg + '".';
|
100 | }
|
101 | else if (!validator.isNonEmptyArray(payload.aud) || !payload.aud.includes(scopedProjectId)) {
|
102 | errorMessage = 'The provided App Check token has incorrect "aud" (audience) claim. Expected "' +
|
103 | scopedProjectId + '" but got "' + payload.aud + '".' + projectIdMatchMessage;
|
104 | }
|
105 | else if (typeof payload.iss !== 'string' || !payload.iss.startsWith(APP_CHECK_ISSUER)) {
|
106 | errorMessage = 'The provided App Check token has incorrect "iss" (issuer) claim.';
|
107 | }
|
108 | else if (typeof payload.sub !== 'string') {
|
109 | errorMessage = 'The provided App Check token has no "sub" (subject) claim.';
|
110 | }
|
111 | else if (payload.sub === '') {
|
112 | errorMessage = 'The provided App Check token has an empty string "sub" (subject) claim.';
|
113 | }
|
114 | if (errorMessage) {
|
115 | throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', errorMessage);
|
116 | }
|
117 | };
|
118 | AppCheckTokenVerifier.prototype.verifySignature = function (jwtToken) {
|
119 | var _this = this;
|
120 | return this.signatureVerifier.verify(jwtToken)
|
121 | .catch(function (error) {
|
122 | throw _this.mapJwtErrorToAppCheckError(error);
|
123 | });
|
124 | };
|
125 | |
126 |
|
127 |
|
128 |
|
129 |
|
130 |
|
131 | AppCheckTokenVerifier.prototype.mapJwtErrorToAppCheckError = function (error) {
|
132 | if (error.code === jwt_1.JwtErrorCode.TOKEN_EXPIRED) {
|
133 | var errorMessage = 'The provided App Check token has expired. Get a fresh App Check token' +
|
134 | ' from your client app and try again.';
|
135 | return new app_check_api_client_internal_1.FirebaseAppCheckError('app-check-token-expired', errorMessage);
|
136 | }
|
137 | else if (error.code === jwt_1.JwtErrorCode.INVALID_SIGNATURE) {
|
138 | var errorMessage = 'The provided App Check token has invalid signature.';
|
139 | return new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', errorMessage);
|
140 | }
|
141 | else if (error.code === jwt_1.JwtErrorCode.NO_MATCHING_KID) {
|
142 | var errorMessage = 'The provided App Check token has "kid" claim which does not ' +
|
143 | 'correspond to a known public key. Most likely the provided App Check token ' +
|
144 | 'is expired, so get a fresh token from your client app and try again.';
|
145 | return new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', errorMessage);
|
146 | }
|
147 | return new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', error.message);
|
148 | };
|
149 | return AppCheckTokenVerifier;
|
150 | }());
|
151 | exports.AppCheckTokenVerifier = AppCheckTokenVerifier;
|