firebase-admin-python/firebase_admin/auth.py at master · jwngr/firebase-admin-python

History

279 lines (223 loc) · 10.7 KB

Raw

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

# Licensed under the Apache License, Version 2.0 (the "License");

# you may not use this file except in compliance with the License.

# You may obtain a copy of the License at

# http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software

# distributed under the License is distributed on an "AS IS" BASIS,

# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

# See the License for the specific language governing permissions and

# limitations under the License.

"""Firebase Authentication module.

This module contains helper methods and utilities for minting and verifying

JWTs used for authenticating against Firebase services.

"""

import os

import threading

import time

from google.auth import jwt

from google.auth.transport import requests

import google.oauth2.id_token

import six

from firebase_admin import credentials

from firebase_admin import utils

_auth_lock = threading.Lock()

"""Provided for overriding during tests."""

_request = requests.Request()

_AUTH_ATTRIBUTE = '_auth'

GCLOUD_PROJECT_ENV_VAR = 'GCLOUD_PROJECT'

def _get_token_generator(app):

"""Returns a _TokenGenerator instance for an App.

If the App already has a _TokenGenerator associated with it, simply returns

it. Otherwise creates a new _TokenGenerator, and adds it to the App before

returning it.

Args:

app: A Firebase App instance (or None to use the default App).

Returns:

_TokenGenerator: A _TokenGenerator for the specified App instance.

Raises:

ValueError: If the app argument is invalid.

"""

return utils.get_app_service(app, _AUTH_ATTRIBUTE, _TokenGenerator)

def create_custom_token(uid, developer_claims=None, app=None):

"""Builds and signs a Firebase custom auth token.

Args:

uid: ID of the user for whom the token is created.

developer_claims: A dictionary of claims to be included in the token

(optional).

app: An App instance (optional).

Returns:

string: A token minted from the input parameters.

Raises:

ValueError: If input parameters are invalid.

"""

token_generator = _get_token_generator(app)

return token_generator.create_custom_token(uid, developer_claims)

def verify_id_token(id_token, app=None):

"""Verifies the signature and data for the provided JWT.

Accepts a signed token string, verifies that it is current, and issued

to this project, and that it was correctly signed by Google.

Args:

id_token: A string of the encoded JWT.

app: An App instance (optional).

Returns:

dict: A dictionary of key-value pairs parsed from the decoded JWT.

Raises:

ValueError: If the JWT was found to be invalid, or if the App was not

initialized with a credentials.Certificate.

"""

token_generator = _get_token_generator(app)

return token_generator.verify_id_token(id_token)

class _TokenGenerator(object):

"""Generates custom tokens, and validates ID tokens."""

FIREBASE_CERT_URI = ('https://www.googleapis.com/robot/v1/metadata/x509/'

'securetoken@system.gserviceaccount.com')

ISSUER_PREFIX = 'https://securetoken.google.com/'

MAX_TOKEN_LIFETIME_SECONDS = 3600 # One Hour, in Seconds

FIREBASE_AUDIENCE = ('https://identitytoolkit.googleapis.com/google.'

'identity.identitytoolkit.v1.IdentityToolkit')

# Key names we don't allow to appear in the developer_claims.

_RESERVED_CLAIMS_ = set([

'acr', 'amr', 'at_hash', 'aud', 'auth_time', 'azp', 'cnf', 'c_hash',

'exp', 'firebase', 'iat', 'iss', 'jti', 'nbf', 'nonce', 'sub'

])

def __init__(self, app):

"""Initializes FirebaseAuth from a FirebaseApp instance.

Args:

app: A FirebaseApp instance.

"""

self._app = app

def create_custom_token(self, uid, developer_claims=None):

"""Builds and signs a FirebaseCustomAuthToken.

Args:

uid: ID of the user for whom the token is created.

developer_claims: A dictionary of claims to be included in the token.

Returns:

string: A token string minted from the input parameters.

Raises:

ValueError: If input parameters are invalid.

"""

if not isinstance(self._app.credential, credentials.Certificate):

raise ValueError(

'Must initialize Firebase App with a certificate credential '

'to call create_custom_token().')

if developer_claims is not None:

if not isinstance(developer_claims, dict):

raise ValueError('developer_claims must be a dictionary')

disallowed_keys = set(developer_claims.keys()

) & self._RESERVED_CLAIMS_

if disallowed_keys:

if len(disallowed_keys) > 1:

error_message = ('Developer claims {0} are reserved and '

'cannot be specified.'.format(

', '.join(disallowed_keys)))

else:

error_message = ('Developer claim {0} is reserved and '

'cannot be specified.'.format(

', '.join(disallowed_keys)))

raise ValueError(error_message)

if not uid or not isinstance(uid, six.string_types) or len(uid) > 128:

raise ValueError('uid must be a string between 1 and 128 characters.')

now = int(time.time())

payload = {

'iss': self._app.credential.service_account_email,

'sub': self._app.credential.service_account_email,

'aud': self.FIREBASE_AUDIENCE,

'uid': uid,

'iat': now,

'exp': now + self.MAX_TOKEN_LIFETIME_SECONDS,

}

if developer_claims is not None:

payload['claims'] = developer_claims

return jwt.encode(self._app.credential.signer, payload)

def verify_id_token(self, id_token):

"""Verifies the signature and data for the provided JWT.

Accepts a signed token string, verifies that is the current, and issued

to this project, and that it was correctly signed by Google.

Args:

id_token: A string of the encoded JWT.

Returns:

dict: A dictionary of key-value pairs parsed from the decoded JWT.

Raises:

ValueError: The JWT was found to be invalid, or the app was not initialized with a

credentials.Certificate instance.

"""

if not id_token:

raise ValueError('Illegal ID token provided: {0}. ID token must be a non-empty '

'string.'.format(id_token))

if isinstance(id_token, six.text_type):

id_token = id_token.encode('ascii')

if not isinstance(id_token, six.binary_type):

raise ValueError('Illegal ID token provided: {0}. ID token must be a non-empty '

'string.'.format(id_token))

try:

project_id = self._app.credential.project_id

if project_id is None:

project_id = os.environ.get(GCLOUD_PROJECT_ENV_VAR)

except AttributeError:

project_id = os.environ.get(GCLOUD_PROJECT_ENV_VAR)

if not project_id:

raise ValueError('Failed to ascertain project ID from the credential or the '

'environment. Must initialize app with a credentials.Certificate or '

'set your Firebase project ID as the GCLOUD_PROJECT environment '

'variable to call verify_id_token().')

header = jwt.decode_header(id_token)

payload = jwt.decode(id_token, verify=False)

issuer = payload.get('iss')

audience = payload.get('aud')

subject = payload.get('sub')

expected_issuer = self.ISSUER_PREFIX + project_id

project_id_match_msg = ('Make sure the ID token comes from the same'

' Firebase project as the service account used'

' to authenticate this SDK.')

verify_id_token_msg = (

'See https://firebase.google.com/docs/auth/admin/verify-id-tokens'

' for details on how to retrieve an ID token.')

error_message = None

if not header.get('kid'):

if audience == self.FIREBASE_AUDIENCE:

error_message = ('verify_id_token() expects an ID token, but '

'was given a custom token.')

elif header.get('alg') == 'HS256' and payload.get(

'v') is 0 and 'uid' in payload.get('d', {}):

error_message = ('verify_id_token() expects an ID token, but '

'was given a legacy custom token.')

else:

error_message = 'Firebase ID token has no "kid" claim.'

elif header.get('alg') != 'RS256':

error_message = ('Firebase ID token has incorrect algorithm. '

'Expected "RS256" but got "{0}". {1}'.format(

header.get('alg'), verify_id_token_msg))

elif audience != project_id:

error_message = (

'Firebase ID token has incorrect "aud" (audience) claim. '

'Expected "{0}" but got "{1}". {2} {3}'.format(

project_id, audience, project_id_match_msg,

verify_id_token_msg))

elif issuer != expected_issuer:

error_message = ('Firebase ID token has incorrect "iss" (issuer) '

'claim. Expected "{0}" but got "{1}". {2} {3}'

.format(expected_issuer, issuer,

project_id_match_msg,

verify_id_token_msg))

elif subject is None or not isinstance(subject, six.string_types):

error_message = ('Firebase ID token has no "sub" (subject) '

'claim. ') + verify_id_token_msg

elif not subject:

error_message = ('Firebase ID token has an empty string "sub" '

'(subject) claim. ') + verify_id_token_msg

elif len(subject) > 128:

error_message = ('Firebase ID token has a "sub" (subject) '

'claim longer than 128 '

'characters. ') + verify_id_token_msg

if error_message:

raise ValueError(error_message)

verified_claims = google.oauth2.id_token.verify_firebase_token(

id_token,

request=_request,

audience=project_id)

verified_claims['uid'] = verified_claims['sub']

return verified_claims

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

FilesExpand file tree

auth.py

Latest commit

History

auth.py

File metadata and controls