PR fixes

Author: lahirumaramba

src/auth/token-verifier.ts

@@ -17,10 +17,9 @@
 import { AuthClientErrorCode, FirebaseAuthError, ErrorInfo } from '../utils/error';
 import * as util from '../utils/index';
 import * as validator from '../utils/validator';
-import * as jwt from 'jsonwebtoken';
 import { 
   DecodedToken, decodeJwt, JwtError, JwtErrorCode,
-  EmulatorSignatureVerifier, PublicKeySignatureVerifier, UrlKeyFetcher,
+  EmulatorSignatureVerifier, PublicKeySignatureVerifier,
 } from '../utils/jwt';
 import { FirebaseApp } from '../firebase-app';
 import { auth } from './index';
@@ -39,6 +38,8 @@ const CLIENT_CERT_URL = 'https://www.googleapis.com/robot/v1/metadata/x509/secur
 // URL containing the public keys for Firebase session cookies. This will be updated to a different URL soon.
 const SESSION_COOKIE_CERT_URL = 'https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys';
 
+const EMULATOR_VERIFIER = new EmulatorSignatureVerifier();
+
 /** User facing token information related to the Firebase ID token. */
 export const ID_TOKEN_INFO: FirebaseTokenInfo = {
   url: 'https://firebase.google.com/docs/auth/admin/verify-id-tokens',
@@ -78,20 +79,14 @@ export class FirebaseTokenVerifier {
   private readonly shortNameArticle: string;
   private readonly signatureVerifier: PublicKeySignatureVerifier;
 
-  constructor(clientCertUrl: string, private algorithm: jwt.Algorithm,
-              private issuer: string, private tokenInfo: FirebaseTokenInfo,
+  constructor(clientCertUrl: string, private issuer: string, private tokenInfo: FirebaseTokenInfo,
               private readonly app: FirebaseApp) {
 
     if (!validator.isURL(clientCertUrl)) {
       throw new FirebaseAuthError(
         AuthClientErrorCode.INVALID_ARGUMENT,
         'The provided public client certificate URL is an invalid URL.',
       );
-    } else if (!validator.isNonEmptyString(algorithm)) {
-      throw new FirebaseAuthError(
-        AuthClientErrorCode.INVALID_ARGUMENT,
-        'The provided JWT algorithm is an empty string.',
-      );
     } else if (!validator.isURL(issuer)) {
       throw new FirebaseAuthError(
         AuthClientErrorCode.INVALID_ARGUMENT,
@@ -130,19 +125,18 @@ export class FirebaseTokenVerifier {
     }
     this.shortNameArticle = tokenInfo.shortName.charAt(0).match(/[aeiou]/i) ? 'an' : 'a';
 
-    this.signatureVerifier = new PublicKeySignatureVerifier(
-      new UrlKeyFetcher(clientCertUrl, app.options.httpAgent));
+    this.signatureVerifier =
+      PublicKeySignatureVerifier.withCertificateUrl(clientCertUrl, app.options.httpAgent);
 
     // For backward compatibility, the project ID is validated in the verification call.
   }
 
   /**
    * Verifies the format and signature of a Firebase Auth JWT token.
    *
-   * @param {string} jwtToken The Firebase Auth JWT token to verify.
-   * @param {boolean=} isEmulator Whether to accept Auth Emulator tokens.
-   * @return {Promise<DecodedIdToken>} A promise fulfilled with the decoded claims of the Firebase Auth ID
-   *                           token.
+   * @param jwtToken The Firebase Auth JWT token to verify.
+   * @param isEmulator Whether to accept Auth Emulator tokens.
+   * @return A promise fulfilled with the decoded claims of the Firebase Auth ID token.
    */
   public verifyJWT(jwtToken: string, isEmulator = false): Promise<DecodedIdToken> {
     if (!validator.isString(jwtToken)) {
@@ -178,26 +172,17 @@ export class FirebaseTokenVerifier {
   }
 
   private decodeAndVerify(token: string, projectId: string, isEmulator: boolean): Promise<DecodedToken> {
-    return this.verifyContent(token, projectId, isEmulator)
-      .then((decoded) => {
+    return this.safeDecode(token)
+      .then((decodedToken) => {
+        this.verifyContent(decodedToken, projectId, isEmulator);
         return this.verifySignature(token, isEmulator)
-          .then(() => decoded);
+          .then(() => decodedToken);
       });
   }
 
-  private verifyContent(token: string, projectId: string, isEmulator: boolean): Promise<DecodedToken> {
-    return this.safeDecode(token).then((decodedToken) => {
-      this.validateTokenContent(decodedToken, projectId, isEmulator);
-      return Promise.resolve(decodedToken);
-    });
-  }
-
   private safeDecode(jwtToken: string): Promise<DecodedToken> {
     return decodeJwt(jwtToken)
-      .catch((err) => {
-        if (!(err instanceof JwtError)) {
-          throw err;
-        }
+      .catch((err: JwtError) => {
         if (err.code == JwtErrorCode.INVALID_ARGUMENT) {
           const verifyJwtTokenDocsMessage = ` See ${this.tokenInfo.url} ` +
             `for details on how to retrieve ${this.shortNameArticle} ${this.tokenInfo.shortName}.`;
@@ -211,7 +196,7 @@ export class FirebaseTokenVerifier {
       });
   }
 
-  private validateTokenContent(
+  private verifyContent(
     fullDecodedToken: DecodedToken,
     projectId: string | null,
     isEmulator: boolean): void {
@@ -240,8 +225,8 @@ export class FirebaseTokenVerifier {
       }
 
       errorMessage += verifyJwtTokenDocsMessage;
-    } else if (!isEmulator && header.alg !== this.algorithm) {
-      errorMessage = `${this.tokenInfo.jwtName} has incorrect algorithm. Expected "` + this.algorithm + '" but got ' +
+    } else if (!isEmulator && header.alg !== ALGORITHM_RS256) {
+      errorMessage = `${this.tokenInfo.jwtName} has incorrect algorithm. Expected "` + ALGORITHM_RS256 + '" but got ' +
         '"' + header.alg + '".' + verifyJwtTokenDocsMessage;
     } else if (payload.aud !== projectId) {
       errorMessage = `${this.tokenInfo.jwtName} has incorrect "aud" (audience) claim. Expected "` +
@@ -266,7 +251,7 @@ export class FirebaseTokenVerifier {
 
   private verifySignature(jwtToken: string, isEmulator: boolean):
     Promise<void> {
-    const verifier = isEmulator ? new EmulatorSignatureVerifier() : this.signatureVerifier;
+    const verifier = isEmulator ? EMULATOR_VERIFIER : this.signatureVerifier;
     return verifier.verify(jwtToken)
       .catch((error) => {
         throw this.mapJwtErrorToAuthError(error);
@@ -285,11 +270,11 @@ export class FirebaseTokenVerifier {
         verifyJwtTokenDocsMessage;
       return new FirebaseAuthError(this.tokenInfo.expiredErrorCode, errorMessage);
     }
-    else if (error.code === JwtErrorCode.INVALID_TOKEN) {
+    else if (error.code === JwtErrorCode.INVALID_SIGNATURE) {
       const errorMessage = `${this.tokenInfo.jwtName} has invalid signature.` + verifyJwtTokenDocsMessage;
       return new FirebaseAuthError(AuthClientErrorCode.INVALID_ARGUMENT, errorMessage);
     }
-    else if (error.code === JwtErrorCode.NO_MATCHING_KID) {
+    else if (error.code === JwtErrorCode.KEY_FETCH_ERROR) {
       const errorMessage = `${this.tokenInfo.jwtName} has "kid" claim which does not ` +
         `correspond to a known public key. Most likely the ${this.tokenInfo.shortName} ` +
         'is expired, so get a fresh token from your client app and try again.';
@@ -302,13 +287,12 @@ export class FirebaseTokenVerifier {
 /**
  * Creates a new FirebaseTokenVerifier to verify Firebase ID tokens.
  *
- * @param {FirebaseApp} app Firebase app instance.
- * @return {FirebaseTokenVerifier}
+ * @param app Firebase app instance.
+ * @return FirebaseTokenVerifier
  */
 export function createIdTokenVerifier(app: FirebaseApp): FirebaseTokenVerifier {
   return new FirebaseTokenVerifier(
     CLIENT_CERT_URL,
-    ALGORITHM_RS256,
     'https://securetoken.google.com/',
     ID_TOKEN_INFO,
     app
@@ -318,13 +302,12 @@ export function createIdTokenVerifier(app: FirebaseApp): FirebaseTokenVerifier {
 /**
  * Creates a new FirebaseTokenVerifier to verify Firebase session cookies.
  *
- * @param {FirebaseApp} app Firebase app instance.
- * @return {FirebaseTokenVerifier}
+ * @param app Firebase app instance.
+ * @return FirebaseTokenVerifier
  */
 export function createSessionCookieVerifier(app: FirebaseApp): FirebaseTokenVerifier {
   return new FirebaseTokenVerifier(
     SESSION_COOKIE_CERT_URL,
-    ALGORITHM_RS256,
     'https://session.firebase.google.com/',
     SESSION_COOKIE_INFO,
     app

src/utils/jwt.ts

@@ -19,6 +19,16 @@ import * as jwt from 'jsonwebtoken';
 import { HttpClient, HttpRequestConfig, HttpError } from '../utils/api-request';
 import { Agent } from 'http';
 
+const ALGORITHM_RS256: jwt.Algorithm = 'RS256' as const;
+
+// `jsonwebtoken` converts errors from the `getKey` callback to its own `JsonWebTokenError` type
+// and prefixes the error message with the following. Use the prefix to identify errors thrown
+// from the key provider callback.
+// https://github.com/auth0/node-jsonwebtoken/blob/d71e383862fc735991fd2e759181480f066bf138/verify.js#L96
+const JWT_CALLBACK_ERROR_PREFIX = 'error in secret or public key callback: ';
+
+const NO_MATCHING_KID_ERROR_MESSAGE = 'no-matching-kid-error';
+
 export type Dictionary = {[key: string]: any}
 
 export type DecodedToken = {
@@ -34,9 +44,9 @@ interface KeyFetcher {
   fetchPublicKeys(): Promise<{ [key: string]: string }>;
 }
 
-export class UrlKeyFetcher implements KeyFetcher {
+class UrlKeyFetcher implements KeyFetcher {
   private publicKeys: { [key: string]: string };
-  private publicKeysExpireAt: number;
+  private publicKeysExpireAt = 0;
 
   constructor(private clientCertUrl: string, private readonly httpAgent?: Agent) {
     if (!validator.isURL(clientCertUrl)) {
@@ -59,10 +69,7 @@ export class UrlKeyFetcher implements KeyFetcher {
   }
 
   private shouldRefresh(): boolean {
-    const publicKeysExist = (typeof this.publicKeys !== 'undefined');
-    const publicKeysExpiredExists = (typeof this.publicKeysExpireAt !== 'undefined');
-    const publicKeysStillValid = (publicKeysExpiredExists && Date.now() < this.publicKeysExpireAt);
-    return !(publicKeysExist && publicKeysStillValid);
+    return !this.publicKeys || this.publicKeysExpireAt <= Date.now();
   }
 
   private refresh(): Promise<{ [key: string]: string }> {
@@ -78,6 +85,8 @@ export class UrlKeyFetcher implements KeyFetcher {
         // error responses.
         throw new HttpError(resp);
       }
+      // reset expire at from previous set of keys.
+      this.publicKeysExpireAt = 0;
       if (Object.prototype.hasOwnProperty.call(resp.headers, 'cache-control')) {
         const cacheControlHeader: string = resp.headers['cache-control'];
         const parts = cacheControlHeader.split(',');
@@ -103,7 +112,7 @@ export class UrlKeyFetcher implements KeyFetcher {
         } else {
           errorMessage += `${resp.text}`;
         }
-        throw new JwtError(JwtErrorCode.INTERNAL_ERROR, errorMessage);
+        throw new Error(errorMessage);
       }
       throw err;
     });
@@ -114,21 +123,18 @@ export class UrlKeyFetcher implements KeyFetcher {
  * Verifies JWT signature with a public key.
  */
 export class PublicKeySignatureVerifier implements SignatureVerifier {
-  constructor(private keyFetcher: UrlKeyFetcher) {
+  constructor(private keyFetcher: KeyFetcher) {
     if (!validator.isNonNullObject(keyFetcher)) {
       throw new Error('The provided key fetcher is not an object or null.');
     }
   }
 
+  public static withCertificateUrl(clientCertUrl: string, httpAgent?: Agent): PublicKeySignatureVerifier {
+    return new PublicKeySignatureVerifier(new UrlKeyFetcher(clientCertUrl, httpAgent));
+  }
+
   public verify(token: string): Promise<void> {
-    const ALGORITHM_RS256: jwt.Algorithm = 'RS256' as const;
-    const error = new JwtError(JwtErrorCode.INVALID_TOKEN,
-      'The provided token has invalid signature.');
-    return isSignatureValid(token, getKeyCallback(this.keyFetcher),
-      { algorithms: [ALGORITHM_RS256] })
-      .then(isValid => {
-        return isValid ? Promise.resolve() : Promise.reject(error);
-      });
+    return verifyJwtSignature(token, getKeyCallback(this.keyFetcher), { algorithms: [ALGORITHM_RS256] });
   }
 }
 
@@ -150,40 +156,34 @@ function getKeyCallback(fetcher: KeyFetcher): jwt.GetPublicKeyOrSecret {
 
 export class EmulatorSignatureVerifier implements SignatureVerifier {
   public verify(token: string): Promise<void> {
-    const error = new JwtError(JwtErrorCode.INVALID_TOKEN,
-      'The provided token has invalid signature.');
-
     // Signature checks skipped for emulator; no need to fetch public keys.
-    return isSignatureValid(token, '')
-      .then(isValid => {
-        return isValid ? Promise.resolve() : Promise.reject(error);
-      });
+    return verifyJwtSignature(token, '');
   }
 }
 
-function isSignatureValid(token: string, secretOrPublicKey: jwt.Secret | jwt.GetPublicKeyOrSecret,
-  options?: jwt.VerifyOptions): Promise<boolean> {
+function verifyJwtSignature(token: string, secretOrPublicKey: jwt.Secret | jwt.GetPublicKeyOrSecret,
+  options?: jwt.VerifyOptions): Promise<void> {
   return new Promise((resolve, reject) => {
     jwt.verify(token, secretOrPublicKey, options,
       (error: jwt.VerifyErrors | null) => {
         if (!error) {
-          return resolve(true);
+          return resolve();
         }
         if (error.name === 'TokenExpiredError') {
           return reject(new JwtError(JwtErrorCode.TOKEN_EXPIRED,
             'The provided token has expired. Get a fresh token from your ' +
             'client app and try again.'));
         } else if (error.name === 'JsonWebTokenError') {
-          const prefix = 'error in secret or public key callback: ';
-          if (error.message && error.message.includes(prefix)) {
-            const message = error.message.split(prefix).pop() || 'Error fetching public keys.';
-            const code = (message === NO_MATCHING_KID_ERROR_MESSAGE) ? JwtErrorCode.NO_MATCHING_KID :
+          if (error.message && error.message.includes(JWT_CALLBACK_ERROR_PREFIX)) {
+            const message = error.message.split(JWT_CALLBACK_ERROR_PREFIX).pop() || 'Error fetching public keys.';
+            const code = (message === NO_MATCHING_KID_ERROR_MESSAGE) ? JwtErrorCode.KEY_FETCH_ERROR :
               JwtErrorCode.INVALID_ARGUMENT;
             return reject(new JwtError(code, message));
           }
-          return resolve(false);
+          return reject(new JwtError(JwtErrorCode.INVALID_SIGNATURE,
+            'The provided token has invalid signature.'));
         }
-        return reject(new JwtError(JwtErrorCode.INVALID_TOKEN, error.message));
+        return reject(new JwtError(JwtErrorCode.INVALID_SIGNATURE, error.message));
       });
   });
 }
@@ -232,9 +232,6 @@ export enum JwtErrorCode {
   INVALID_ARGUMENT = 'invalid-argument',
   INVALID_CREDENTIAL = 'invalid-credential',
   TOKEN_EXPIRED = 'token-expired',
-  INVALID_TOKEN = 'invalid-token',
-  NO_MATCHING_KID = 'no-matching-kid-error',
-  INTERNAL_ERROR = 'internal-error',
+  INVALID_SIGNATURE = 'invalid-token',
+  KEY_FETCH_ERROR = 'no-matching-kid-error',
 }
-
-const NO_MATCHING_KID_ERROR_MESSAGE = 'no-matching-kid-error';