如何在Vercel边缘函数中验证Firebase Auth id令牌?

g6baxovj  于 2023-03-24  发布在  其他
关注(0)|答案(1)|浏览(164)

Vercel边缘函数不支持Firebase admin SDK,因此我如何验证客户端请求并从id令牌获取Firebase用户对象(uid、电子邮件、名称、自定义声明)?
有一个介绍(https://firebase.google.com/docs/auth/admin/verify-id-tokens)使用第三方库来验证id令牌,但仅此而已。

fdbelqdn

fdbelqdn1#

下面的库模块使用jose来处理令牌的验证。它是徒手编写的,所以可以预料到拼写错误。该模块公开了两个方法:verifyIdToken(req: NextRequest, firebaseIdToken: string)(出错时拒绝)和verifyIdTokenWithInlineError(req: NextRequest, firebaseIdToken: string)(从不拒绝,而是在返回的对象中返回错误)。

**注意:**此代码当前不会与Firebase Auth签入以查看令牌是否已被吊销。

// lib/verify-jwt.ts
import * as jose from 'jose';

// Builds a callback function that makes API calls to the given endpoint
// only once the last response expires, otherwise a fresh call is made.
const buildCachedFetch = (src: string) => {
  let _cache = false,
    expiresAt = 0,
    init = async () => {
      const nowMS = Date.now(),
        res = await fetch(src);
      if (!res.ok) {
        const err = new Error("Unexpected response status code: " + res.status);
        err.res = res;
        throw err;
      }
      expiresAt = nowMS + (Number(/max-age=(\d+)/.exec(res.headers.get('cache-control'))?.[1] || 0) * 1000);
      return res.json();
    },
    refresh = () => {
      expiresAt = 0;
      _cache = init();
      _cache.catch(() => _cache = null);
      return _cache
    };
  
  return (forceRefresh?: boolean) => {
    return !forceRefresh && _cache && (expiresAt === 0 || expiresAt > Date.now())
      ? _cache
      : refresh()
  }
}

// build the callback to fetch the authentication certificates
const fetchAuthKeyStore = buildCachedFetch("https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com");

// Defines a callback to pass to the JWT verifier to resolve the appropriate public key
const authKeyResolver = async ({ alg: string, kid: string }) => {
  const keyStore = await fetchAuthKeyStore();
  if (!(kid in keyStore)) throw new Error("unexpected kid in auth token")
  return jose.importX509(keyStore[kid], alg);
};

// Verifies the Authorization header and returns the decoded ID token. Errors
// will reject the Promise chain.
export const verifyIdToken = async (req: NextRequest, firebaseProjectId: string) => {
  const jwt = /^bearer (.*)$/i.exec(req.headers.get('authorization'));
  
  if (!jwt) throw new Error("Unauthorised");
  
  const result = jose.jwtVerify(jwt, authKeyResolver, {
    audience: firebaseProjectId,
    issuer: `https://securetoken.google.com/${firebaseProjectId}`
  });
  
  result.payload.uid = result.payload.sub; // see https://firebase.google.com/docs/reference/admin/node/firebase-admin.auth.decodedidtoken.md#decodedidtokenuid
  
  return result;
}

// Verifies the Authorization header and returns the decoded ID token. Errors
// are returned in the return object instead of rejecting the Promise chain.
export const verifyIdTokenWithInlineError = (req: NextRequest, firebaseProjectId: string) => {
  return verifyIdToken(req, firebaseProjectId)
    .catch((error) => ({ error, payload: null, protectedHeader: null }));
}

使用Vercel的hello.ts示例作为基础,您可以这样使用它:

// pages/api/hello.ts
import { NextRequest, NextResponse } from 'next/server';
import { verifyIdTokenWithInlineError } from '../../lib/verify-jwt';

export const config = {
  runtime: 'edge', // this is a pre-requisite
  regions: ['iad1'], // only execute this function on iad1
};

const FIREBASE_PROJECT_ID = "<your-project-id>";

export default async (req: NextRequest) => {
  const { error, payload } = await verifyIdTokenWithInlineError(req, FIREBASE_PROJECT_ID);
  
  if (error) {
    return NextResponse.status(403).json({
      error: "You must be authenticated.",
    });
  }

  // if here, a valid auth token was provided. `payload` contains some
  // user info.

  return NextResponse.json({
    name: `Hello ${payload.name}! I'm an Edge Function!`,
  });
};

相关问题