/*! firebase-admin v12.1.1 */
"use strict";
/*!
* Copyright 2021 Google Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
Object.defineProperty(exports, "__esModule", { value: true });
exports.AppCheckTokenVerifier = void 0;
const validator = require("../utils/validator");
const util = require("../utils/index");
const app_check_api_client_internal_1 = require("./app-check-api-client-internal");
const jwt_1 = require("../utils/jwt");
const APP_CHECK_ISSUER = 'https://firebaseappcheck.googleapis.com/';
const JWKS_URL = 'https://firebaseappcheck.googleapis.com/v1/jwks';
/**
* Class for verifying Firebase App Check tokens.
*
* @internal
*/
class AppCheckTokenVerifier {
constructor(app) {
this.app = app;
this.signatureVerifier = jwt_1.PublicKeySignatureVerifier.withJwksUrl(JWKS_URL);
}
/**
* Verifies the format and signature of a Firebase App Check token.
*
* @param token - The Firebase Auth JWT token to verify.
* @returns A promise fulfilled with the decoded claims of the Firebase App Check token.
*/
verifyToken(token) {
if (!validator.isString(token)) {
throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', 'App check token must be a non-null string.');
}
return this.ensureProjectId()
.then((projectId) => {
return this.decodeAndVerify(token, projectId);
})
.then((decoded) => {
const decodedAppCheckToken = decoded.payload;
decodedAppCheckToken.app_id = decodedAppCheckToken.sub;
return decodedAppCheckToken;
});
}
ensureProjectId() {
return util.findProjectId(this.app)
.then((projectId) => {
if (!validator.isNonEmptyString(projectId)) {
throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-credential', 'Must initialize app with a cert credential or set your Firebase project ID as the ' +
'GOOGLE_CLOUD_PROJECT environment variable to verify an App Check token.');
}
return projectId;
});
}
decodeAndVerify(token, projectId) {
return this.safeDecode(token)
.then((decodedToken) => {
this.verifyContent(decodedToken, projectId);
return this.verifySignature(token)
.then(() => decodedToken);
});
}
safeDecode(jwtToken) {
return (0, jwt_1.decodeJwt)(jwtToken)
.catch(() => {
const errorMessage = 'Decoding App Check token failed. Make sure you passed ' +
'the entire string JWT which represents the Firebase App Check token.';
throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', errorMessage);
});
}
/**
* Verifies the content of a Firebase App Check JWT.
*
* @param fullDecodedToken - The decoded JWT.
* @param projectId - The Firebase Project Id.
*/
verifyContent(fullDecodedToken, projectId) {
const header = fullDecodedToken.header;
const payload = fullDecodedToken.payload;
const projectIdMatchMessage = ' Make sure the App Check token comes from the same ' +
'Firebase project as the service account used to authenticate this SDK.';
const scopedProjectId = `projects/${projectId}`;
let errorMessage;
if (header.alg !== jwt_1.ALGORITHM_RS256) {
errorMessage = 'The provided App Check token has incorrect algorithm. Expected "' +
jwt_1.ALGORITHM_RS256 + '" but got ' + '"' + header.alg + '".';
}
else if (!validator.isNonEmptyArray(payload.aud) || !payload.aud.includes(scopedProjectId)) {
errorMessage = 'The provided App Check token has incorrect "aud" (audience) claim. Expected "' +
scopedProjectId + '" but got "' + payload.aud + '".' + projectIdMatchMessage;
}
else if (typeof payload.iss !== 'string' || !payload.iss.startsWith(APP_CHECK_ISSUER)) {
errorMessage = 'The provided App Check token has incorrect "iss" (issuer) claim.';
}
else if (typeof payload.sub !== 'string') {
errorMessage = 'The provided App Check token has no "sub" (subject) claim.';
}
else if (payload.sub === '') {
errorMessage = 'The provided App Check token has an empty string "sub" (subject) claim.';
}
if (errorMessage) {
throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', errorMessage);
}
}
verifySignature(jwtToken) {
return this.signatureVerifier.verify(jwtToken)
.catch((error) => {
throw this.mapJwtErrorToAppCheckError(error);
});
}
/**
* Maps JwtError to FirebaseAppCheckError
*
* @param error - JwtError to be mapped.
* @returns FirebaseAppCheckError instance.
*/
mapJwtErrorToAppCheckError(error) {
if (error.code === jwt_1.JwtErrorCode.TOKEN_EXPIRED) {
const errorMessage = 'The provided App Check token has expired. Get a fresh App Check token' +
' from your client app and try again.';
return new app_check_api_client_internal_1.FirebaseAppCheckError('app-check-token-expired', errorMessage);
}
else if (error.code === jwt_1.JwtErrorCode.INVALID_SIGNATURE) {
const errorMessage = 'The provided App Check token has invalid signature.';
return new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', errorMessage);
}
else if (error.code === jwt_1.JwtErrorCode.NO_MATCHING_KID) {
const errorMessage = 'The provided App Check token has "kid" claim which does not ' +
'correspond to a known public key. Most likely the provided App Check token ' +
'is expired, so get a fresh token from your client app and try again.';
return new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', errorMessage);
}
return new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', error.message);
}
}
exports.AppCheckTokenVerifier = AppCheckTokenVerifier;