Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Set up ng-dev auth and service #720

Closed
wants to merge 8 commits into from
Prev Previous commit
Next Next commit
fixup! feat(apps): create ng-dev token functions
josephperrott committed Jul 15, 2022
commit ce59899746efe154986eaad0ececa09f0730fd4a
2 changes: 1 addition & 1 deletion apps/functions/BUILD.bazel
Original file line number Diff line number Diff line change
@@ -18,8 +18,8 @@ ts_library(
],
deps = [
"//apps/functions/githubWebhook",
"//apps/functions/ng-dev",
"@npm//firebase-admin",
"@npm//firebase-functions",
],
)

3 changes: 1 addition & 2 deletions apps/functions/index.ts
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
export * from './githubWebhook/index.js';
export * from './ng-dev/index.js';
import * as functions from 'firebase-functions';
import * as admin from 'firebase-admin';

admin.initializeApp({...functions.firebaseConfig()});
admin.initializeApp();
2 changes: 2 additions & 0 deletions apps/functions/ng-dev/BUILD.bazel
Original file line number Diff line number Diff line change
@@ -11,6 +11,7 @@ ts_library(
"//apps/functions:__pkg__",
],
deps = [
":lib",
],
josephperrott marked this conversation as resolved.
Show resolved Hide resolved
)

@@ -23,5 +24,6 @@ ts_library(
"//apps/shared/models:server",
"@npm//@octokit/webhooks-types",
"@npm//firebase-admin",
"@npm//firebase-functions",
],
)
25 changes: 18 additions & 7 deletions apps/functions/ng-dev/ng-dev-token.ts
Original file line number Diff line number Diff line change
@@ -4,20 +4,31 @@ import {CallableContext} from 'firebase-functions/lib/providers/https';

/**
* Request a short lived ng-dev token. If granted, we rely on session cookies as this token. The token
devversion marked this conversation as resolved.
Show resolved Hide resolved
josephperrott marked this conversation as resolved.
Show resolved Hide resolved
* is to be used for all requests to the ng-dev service.
*/
export const ngDevTokenRequest = functions.https.onCall(
async ({idToken}: {idToken: string}, context: CallableContext) => {
if (!context.auth) {
// Throwing an HttpsError so that the client gets the error details.
throw new functions.https.HttpsError(
'failed-precondition',
'Requesting an ngDevToken requires being authenticated first.',
'unauthenticated',
'Requesting an ng-dev token requires authentication',
);
}
const {auth_time} = await admin.auth().verifyIdToken(idToken, /* checkRevoked */ true);

// Only allow creation if the user signed in in the last minute. We use one minute, as this
// token should be immediately requested upon login, rather than using a long lived session.
if (new Date().getTime() / 1000 - auth_time > 1 * 60) {
throw new functions.https.HttpsError(
'permission-denied',
'ng-dev tokens must be requested within one minute of verifying login',
);
}

/** Twenty hours in ms. */
const twentyHours = 1000 * 60 * 60 * 20;
josephperrott marked this conversation as resolved.
Show resolved Hide resolved

return await admin.auth().createSessionCookie(idToken, {expiresIn: twentyHours});
return admin.auth().createSessionCookie(idToken, {expiresIn: twentyHours});
},
);

@@ -33,14 +44,14 @@ export const ngDevRevokeToken = functions.https.onCall(async ({token}: {token: s
await admin
.auth()
.verifySessionCookie(token)
.then((claims: admin.auth.DecodedIdToken) => {
return admin.auth().revokeRefreshTokens(claims.uid);
.then((decodedToken: admin.auth.DecodedIdToken) => {
return admin.auth().revokeRefreshTokens(decodedToken.uid);
});
});

/**
* Verify a ng-dev token is still valid.
*/
async function validateToken({token}: {token: string}) {
return !!(token && (await admin.auth().verifySessionCookie(token, true)));
return !!(token && (await admin.auth().verifySessionCookie(token, /* checkRevoked */ true)));
}