Skip to content

feat(appcheck): Add App Check token verification #484

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 20 commits into from
Oct 26, 2022
Merged

feat(appcheck): Add App Check token verification #484

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
350ea01
Initial appcheck.verify implementation.
bamnet Feb 4, 2022
ce26936
Return an actual token.
bamnet Feb 4, 2022
1ec1d36
Cleanup errors, comments, and more!
bamnet Feb 4, 2022
95152c9
Initial set of app check unit tests.
bamnet Feb 6, 2022
2d8b282
Add and reorganize a few more tests.
bamnet Feb 6, 2022
556e159
Fix lint errors by adding more comments.
bamnet Feb 9, 2022
a7f816a
Fix missing go-cmp module.
bamnet Feb 9, 2022
1e355b7
Fix updated variable name.
bamnet Feb 9, 2022
ff376a1
Merge remote-tracking branch 'upstream/dev' into dev
bamnet Mar 9, 2022
d07a8fd
Merge remote-tracking branch 'upstream/dev' into dev
bamnet Mar 25, 2022
0562523
Fix go-cmp dependency.
bamnet Mar 25, 2022
2b44507
Merge remote-tracking branch 'upstream/dev' into dev
bamnet Apr 11, 2022
99d7f81
Merge remote-tracking branch 'upstream/dev' into dev
bamnet Oct 21, 2022
607af6d
Doc and formatting feedback from @ lahirumaramba.
bamnet Oct 21, 2022
05f10c6
ioutil is deprecated as of Go 1.16.
bamnet Oct 21, 2022
690adc7
Cache keys for 6 hours.
bamnet Oct 21, 2022
1ac4a71
Switch to DecodedAppCheckToken.
bamnet Oct 21, 2022
4e87e6e
Remove JWKSUrl config option.
bamnet Oct 21, 2022
6f0f304
Small doc & naming tweaks.
bamnet Oct 21, 2022
82bdca3
Tweak capitalization of verifies
bamnet Oct 26, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
176 changes: 176 additions & 0 deletions appcheck/appcheck.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,176 @@
// Copyright 2022 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package appcheck provides functionality for verifying App Check tokens.
package appcheck

import (
"context"
"errors"
"strings"
"time"

"github.com/MicahParks/keyfunc"
"github.com/golang-jwt/jwt/v4"

"firebase.google.com/go/v4/internal"
)

// JWKSUrl is the URL of the JWKS used to verify App Check tokens.
var JWKSUrl = "https://firebaseappcheck.googleapis.com/v1beta/jwks"

const appCheckIssuer = "https://firebaseappcheck.googleapis.com/"

var (
// ErrIncorrectAlgorithm is returned when the token is signed with a non-RSA256 algorithm.
ErrIncorrectAlgorithm = errors.New("token has incorrect algorithm")
// ErrTokenType is returned when the token is not a JWT.
ErrTokenType = errors.New("token has incorrect type")
// ErrTokenClaims is returned when the token claims cannot be decoded.
ErrTokenClaims = errors.New("token has incorrect claims")
// ErrTokenAudience is returned when the token audience does not match the current project.
ErrTokenAudience = errors.New("token has incorrect audience")
// ErrTokenIssuer is returned when the token issuer does not match Firebase's App Check service.
ErrTokenIssuer = errors.New("token has incorrect issuer")
// ErrTokenSubject is returned when the token subject is empty or missing.
ErrTokenSubject = errors.New("token has empty or missing subject")
)

// DecodedAppCheckToken represents a verified App Check token.
//
// DecodedAppCheckToken provides typed accessors to the common JWT fields such as Audience (aud)
// and ExpiresAt (exp). Additionally it provides an AppID field, which indicates the application ID to which this
// token belongs. Any additional JWT claims can be accessed via the Claims map of DecodedAppCheckToken.
type DecodedAppCheckToken struct {
Issuer string
Subject string
Audience []string
ExpiresAt time.Time
IssuedAt time.Time
AppID string
Claims map[string]interface{}
}

// Client is the interface for the Firebase App Check service.
type Client struct {
projectID string
jwks *keyfunc.JWKS
}

// NewClient creates a new instance of the Firebase App Check Client.
//
// This function can only be invoked from within the SDK. Client applications should access the
// the App Check service through firebase.App.
func NewClient(ctx context.Context, conf *internal.AppCheckConfig) (*Client, error) {
// TODO: Add support for overriding the HTTP client using the App one.
jwks, err := keyfunc.Get(JWKSUrl, keyfunc.Options{
Ctx: ctx,
RefreshInterval: 6 * time.Hour,
})
if err != nil {
return nil, err
}

return &Client{
projectID: conf.ProjectID,
jwks: jwks,
}, nil
}

// VerifyToken verifies the given App Check token.
//
// VerifyToken considers an App Check token string to be valid if all the following conditions are met:
// - The token string is a valid RS256 JWT.
// - The JWT contains valid issuer (iss) and audience (aud) claims that match the issuerPrefix
// and projectID of the tokenVerifier.
// - The JWT contains a valid subject (sub) claim.
// - The JWT is not expired, and it has been issued some time in the past.
// - The JWT is signed by a Firebase App Check backend server as determined by the keySource.
//
// If any of the above conditions are not met, an error is returned. Otherwise a pointer to a
// decoded App Check token is returned.
func (c *Client) VerifyToken(token string) (*DecodedAppCheckToken, error) {
// References for checks:
// https://firebase.googleblog.com/2021/10/protecting-backends-with-app-check.html
// https://github.com/firebase/firebase-admin-node/blob/master/src/app-check/token-verifier.ts#L106

// The standard JWT parser also validates the expiration of the token
// so we do not need dedicated code for that.
decodedToken, err := jwt.Parse(token, func(t *jwt.Token) (interface{}, error) {
if t.Header["alg"] != "RS256" {
return nil, ErrIncorrectAlgorithm
}
if t.Header["typ"] != "JWT" {
return nil, ErrTokenType
}
return c.jwks.Keyfunc(t)
})
if err != nil {
return nil, err
}

claims, ok := decodedToken.Claims.(jwt.MapClaims)
if !ok {
return nil, ErrTokenClaims
}

rawAud := claims["aud"].([]interface{})
aud := []string{}
for _, v := range rawAud {
aud = append(aud, v.(string))
}

if !contains(aud, "projects/"+c.projectID) {
return nil, ErrTokenAudience
}

// We check the prefix to make sure this token was issued
// by the Firebase App Check service, but we do not check the
// Project Number suffix because the Golang SDK only has project ID.
//
// This is consistent with the Firebase Admin Node SDK.
if !strings.HasPrefix(claims["iss"].(string), appCheckIssuer) {
return nil, ErrTokenIssuer
}

if val, ok := claims["sub"].(string); !ok || val == "" {
return nil, ErrTokenSubject
}

appCheckToken := DecodedAppCheckToken{
Issuer: claims["iss"].(string),
Subject: claims["sub"].(string),
Audience: aud,
ExpiresAt: time.Unix(int64(claims["exp"].(float64)), 0),
IssuedAt: time.Unix(int64(claims["iat"].(float64)), 0),
AppID: claims["sub"].(string),
}

// Remove all the claims we've already parsed.
for _, usedClaim := range []string{"iss", "sub", "aud", "exp", "iat", "sub"} {
delete(claims, usedClaim)
}
appCheckToken.Claims = claims

return &appCheckToken, nil
}

func contains(s []string, str string) bool {
for _, v := range s {
if v == str {
return true
}
}
return false
}
Loading