
@marplex/flarebase-auth


Firebase/Admin auth SDK for Cloudflare Workers

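import {
  decodeProtectedHeader,
  importPKCS8,
  importX509,
  jwtVerify,
  SignJWT,
} from 'jose';

const GOOGLE_TOKEN_URL = 'https://oauth2.googleapis.com/token';
const SECURETOKEN_CERTS_URL =
  'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com';
const SECURETOKEN_ISSUER_PREFIX = 'https://securetoken.google.com/';

/**
 * Get an OAuth 2.0 access token from Google's token endpoint using a
 * service account (JWT bearer grant).
 *
 * Both the private key and the returned token are credentials; this function
 * never places either of them in an error message.
 *
 * @param {string} serviceAccountEmail Email of the service account (used as the JWT issuer)
 * @param {string} privateKey PEM-encoded PKCS#8 private key of the service account
 * @param {string} scope Scope to request
 * @returns {Promise<string>} OAuth 2.0 access token
 * @throws {Error} If the token endpoint rejects the request or returns no access token
 */
export async function getAuthToken(serviceAccountEmail, privateKey, scope) {
  // Imported for RS256 (an RSA key), matching the protected header below.
  const signingKey = await importPKCS8(privateKey, 'RS256');

  const assertion = await new SignJWT({ scope })
    .setProtectedHeader({ alg: 'RS256' })
    .setIssuer(serviceAccountEmail)
    .setAudience(GOOGLE_TOKEN_URL)
    .setExpirationTime('1h')
    .setIssuedAt()
    .sign(signingKey);

  // URLSearchParams percent-encodes both fields instead of relying on the
  // assertion happening to be URL-safe.
  const form = new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion,
  });

  const response = await fetch(GOOGLE_TOKEN_URL, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      'Cache-Control': 'no-cache',
      Host: 'oauth2.googleapis.com',
    },
    body: form.toString(),
  });

  // An error response may not be JSON at all; fall back to the HTTP status.
  const oauth = await response.json().catch(() => null);
  const token = oauth ? oauth.access_token : undefined;
  if (!response.ok || typeof token !== 'string') {
    // Report only the endpoint's error fields, never the signed assertion.
    const reason =
      (oauth && (oauth.error_description || oauth.error)) ||
      `HTTP ${response.status}`;
    throw new Error(`Failed to obtain OAuth 2.0 token: ${reason}`);
  }
  return token;
}

/**
 * Verifies an Identity Platform ID token.
 * If the token is valid, the promise is fulfilled with the token's decoded
 * claims; otherwise, the promise is rejected.
 *
 * Always checked: the RS256 signature against the certificate named by the
 * token's `kid`, the time claims validated by `jwtVerify`, that `iss` is the
 * securetoken issuer for the token's own `aud`, and that `sub` is non-empty.
 *
 * The signing certificates are shared by all projects, so a token issued for
 * a different project is accepted unless `projectId` is supplied. Pass
 * `projectId` (or compare `aud` in the returned claims) before treating the
 * claims as belonging to your own project.
 *
 * @param {string} idToken An Identity Platform ID token
 * @param {string} [projectId] Project ID the token must have been issued for;
 *   when given, `iss` and `aud` are enforced against it
 * @returns {Promise<object>} The verified token's claims
 * @throws {Error} If the certificates cannot be fetched, the `kid` is unknown,
 *   or any signature or claim check fails
 */
export async function verifyIdToken(idToken, projectId) {
  // Fetch public keys
  // TODO: Public keys should be cached until they expire
  const res = await fetch(SECURETOKEN_CERTS_URL);
  if (!res.ok) {
    throw new Error(`Failed to fetch ID token certificates: HTTP ${res.status}`);
  }
  const certificates = await res.json();

  // `kid` comes from the unverified header, so only accept an own property of
  // the certificate map (not e.g. an inherited `constructor`).
  const { kid } = decodeProtectedHeader(idToken);
  if (
    typeof kid !== 'string' ||
    !Object.prototype.hasOwnProperty.call(certificates, kid)
  ) {
    throw new Error('ID token "kid" does not match a known certificate');
  }
  const publicKey = await importX509(certificates[kid], 'RS256');

  // Pin the accepted algorithm rather than trusting the token header.
  const verifyOptions = { algorithms: ['RS256'] };
  if (projectId !== undefined) {
    verifyOptions.issuer = `${SECURETOKEN_ISSUER_PREFIX}${projectId}`;
    verifyOptions.audience = projectId;
  }

  // Verify JWT with public key
  const { payload } = await jwtVerify(idToken, publicKey, verifyOptions);

  if (payload.iss !== `${SECURETOKEN_ISSUER_PREFIX}${payload.aud}`) {
    throw new Error('ID token issuer does not match its audience');
  }
  if (typeof payload.sub !== 'string' || payload.sub === '') {
    throw new Error('ID token has no subject');
  }
  return payload;
}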