UNPKG

firebase-auth-cloudflare-workers

Version:

Zero-dependencies firebase auth library for Cloudflare Workers.

226 lines (225 loc) 8.38 kB
import type { ErrorInfo } from './errors'; import type { SignatureVerifier } from './jws-verifier'; import type { KeyStorer } from './key-store'; export declare const FIREBASE_AUDIENCE = "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"; /** * Interface representing a decoded Firebase ID token, returned from the * {@link BaseAuth.verifyIdToken} method. * * Firebase ID tokens are OpenID Connect spec-compliant JSON Web Tokens (JWTs). * See the * [ID Token section of the OpenID Connect spec](http://openid.net/specs/openid-connect-core-1_0.html#IDToken) * for more information about the specific properties below. */ export interface FirebaseIdToken { /** * The audience for which this token is intended. * * This value is a string equal to your Firebase project ID, the unique * identifier for your Firebase project, which can be found in [your project's * settings](https://console.firebase.google.com/project/_/settings/general/android:com.random.android). */ aud: string; /** * Time, in seconds since the Unix epoch, when the end-user authentication * occurred. * * This value is not set when this particular ID token was created, but when the * user initially logged in to this session. In a single session, the Firebase * SDKs will refresh a user's ID tokens every hour. Each ID token will have a * different [`iat`](#iat) value, but the same `auth_time` value. */ auth_time: number; /** * The email of the user to whom the ID token belongs, if available. */ email?: string; /** * Whether or not the email of the user to whom the ID token belongs is * verified, provided the user has an email. */ email_verified?: boolean; /** * The ID token's expiration time, in seconds since the Unix epoch. That is, the * time at which this ID token expires and should no longer be considered valid. * * The Firebase SDKs transparently refresh ID tokens every hour, issuing a new * ID token with up to a one hour expiration. */ exp: number; /** * Information about the sign in event, including which sign in provider was * used and provider-specific identity details. * * This data is provided by the Firebase Authentication service and is a * reserved claim in the ID token. */ firebase: { /** * Provider-specific identity details corresponding * to the provider used to sign in the user. */ identities: { [key: string]: any; }; /** * The ID of the provider used to sign in the user. * One of `"anonymous"`, `"password"`, `"facebook.com"`, `"github.com"`, * `"google.com"`, `"twitter.com"`, `"apple.com"`, `"microsoft.com"`, * `"yahoo.com"`, `"phone"`, `"playgames.google.com"`, `"gc.apple.com"`, * or `"custom"`. * * Additional Identity Platform provider IDs include `"linkedin.com"`, * OIDC and SAML identity providers prefixed with `"saml."` and `"oidc."` * respectively. */ sign_in_provider: string; /** * The type identifier or `factorId` of the second factor, provided the * ID token was obtained from a multi-factor authenticated user. * For phone, this is `"phone"`. */ sign_in_second_factor?: string; /** * The `uid` of the second factor used to sign in, provided the * ID token was obtained from a multi-factor authenticated user. */ second_factor_identifier?: string; /** * The ID of the tenant the user belongs to, if available. */ tenant?: string; [key: string]: any; }; /** * The ID token's issued-at time, in seconds since the Unix epoch. That is, the * time at which this ID token was issued and should start to be considered * valid. * * The Firebase SDKs transparently refresh ID tokens every hour, issuing a new * ID token with a new issued-at time. If you want to get the time at which the * user session corresponding to the ID token initially occurred, see the * [`auth_time`](#auth_time) property. */ iat: number; /** * The issuer identifier for the issuer of the response. * * This value is a URL with the format * `https://securetoken.google.com/<PROJECT_ID>`, where `<PROJECT_ID>` is the * same project ID specified in the [`aud`](#aud) property. */ iss: string; /** * The phone number of the user to whom the ID token belongs, if available. */ phone_number?: string; /** * The photo URL for the user to whom the ID token belongs, if available. */ picture?: string; /** * The `uid` corresponding to the user who the ID token belonged to. * * As a convenience, this value is copied over to the [`uid`](#uid) property. */ sub: string; /** * The `uid` corresponding to the user who the ID token belonged to. * * This value is not actually in the JWT token claims itself. It is added as a * convenience, and is set as the value of the [`sub`](#sub) property. */ uid: string; /** * Other arbitrary claims included in the ID token. */ [key: string]: any; } /** * Class for verifying general purpose Firebase JWTs. This verifies ID tokens and session cookies. * * @internal */ export declare class FirebaseTokenVerifier { private readonly signatureVerifier; private projectId; private issuer; private tokenInfo; private readonly shortNameArticle; constructor(signatureVerifier: SignatureVerifier, projectId: string, issuer: string, tokenInfo: FirebaseTokenInfo); /** * Verifies the format and signature of a Firebase Auth JWT token. * * @param jwtToken - The Firebase Auth JWT token to verify. * @param isEmulator - Whether to accept Auth Emulator tokens. * @param clockSkewSeconds - The number of seconds to tolerate when checking the token's iat. Must be between 0-60, and an integer. Defualts to 0. * @returns A promise fulfilled with the decoded claims of the Firebase Auth ID token. */ verifyJWT(jwtToken: string, isEmulator?: boolean, clockSkewSeconds?: number): Promise<FirebaseIdToken>; private decodeAndVerify; private safeDecode; private verifyPayload; private verifySignature; /** * Maps JwtError to FirebaseAuthError * * @param error - JwtError to be mapped. * @returns FirebaseAuthError or Error instance. */ private mapJwtErrorToAuthError; } /** * Interface that defines token related user facing information. * * @internal */ export interface FirebaseTokenInfo { /** Documentation URL. */ url: string; /** verify API name. */ verifyApiName: string; /** The JWT full name. */ jwtName: string; /** The JWT short name. */ shortName: string; /** JWT Expiration error code. */ expiredErrorCode: ErrorInfo; } /** * User facing token information related to the Firebase ID token. * * @internal */ export declare const ID_TOKEN_INFO: FirebaseTokenInfo; /** * Creates a new FirebaseTokenVerifier to verify Firebase ID tokens. * * @internal * @returns FirebaseTokenVerifier */ export declare function createIdTokenVerifier(projectID: string, keyStorer: KeyStorer): FirebaseTokenVerifier; /** * @internal * @returns FirebaseTokenVerifier */ export declare function baseCreateIdTokenVerifier(signatureVerifier: SignatureVerifier, projectID: string): FirebaseTokenVerifier; /** * User facing token information related to the Firebase session cookie. * * @internal */ export declare const SESSION_COOKIE_INFO: FirebaseTokenInfo; /** * Creates a new FirebaseTokenVerifier to verify Firebase session cookies. * * @internal * @param app - Firebase app instance. * @returns FirebaseTokenVerifier */ export declare function createSessionCookieVerifier(projectID: string, keyStorer: KeyStorer): FirebaseTokenVerifier; /** * @internal * @returns FirebaseTokenVerifier */ export declare function baseCreateSessionCookieVerifier(signatureVerifier: SignatureVerifier, projectID: string): FirebaseTokenVerifier;