add: firebase admin sdk token verification

client generates token after sucessful login,
sends the token to server for jwt token creation
                    ↓
server through admin sdk, validates that token,
then proceedes to generate jwt token, else
unauthorized error.
                    ↓
client uses that token to make req to server.

Author: aghontpi

.example.env

@@ -11,3 +11,5 @@ COLLECTION=''
 RATE_LIMIT_WINDOW_MS=10
 RATE_LIMIT_MAX=5
 JWT_SECRET='placeholder-secret'
+FIREBASE_DATABASE_URL=''
+FIREBAE_SERVICE_ACCOUNT=''

.gitignore

@@ -5,4 +5,5 @@ logs/
 debug.log
 yarn-error.log
 .env
-/cache/
+/cache/
+serviceAccou*

package.json

@@ -54,6 +54,7 @@
     "express-handlebars": "^5.2.0",
     "express-jwt": "^6.0.0",
     "express-rate-limit": "^5.2.3",
+    "firebase-admin": "^9.11.0",
     "jsonwebtoken": "^8.5.1",
     "mongodb": "^3.6.2",
     "morgan": "^1.10.0",

src/app.ts

@@ -6,14 +6,16 @@ import bodyParser from 'body-parser';
 import exphbs from 'express-handlebars';
 import lusca from 'lusca';
 import jwt from 'express-jwt';
+import * as admin from 'firebase-admin';
 
-import { JWT_SECRET, PORT } from './util/secrets';
+import { FIREBASE_DATABASE, JWT_SECRET, PORT } from './util/secrets';
 import * as homeController from './controllers/home';
 import * as apiController from './controllers/api';
 import * as unmatchedController from './controllers/unmatched';
 import * as authenticationController from './controllers/auth';
 import { limitrequest } from './util/ratelimit';
 import { unauthorizedErrorMiddleware } from './middleware/error.middleware';
+import { serviceAccount } from './models/firebase';
 
 const app = express();
 app.set('views', path.join(__dirname, '../views'));
@@ -39,6 +41,11 @@ app.use(
 
 app.use(express.static(path.join(__dirname, 'public'), { maxAge: 31557600000 }));
 
+admin.initializeApp({
+  credential: admin.credential.cert(serviceAccount),
+  databaseURL: FIREBASE_DATABASE,
+});
+
 // jwt for protected resources
 app.use('/top', jwt({ secret: JWT_SECRET, algorithms: ['HS512'] }));
 app.use('/authenticate', authenticationController.createToken);

src/controllers/auth.ts

@@ -1,5 +1,6 @@
 import { Request, Response } from 'express';
 import jwt from 'jsonwebtoken';
+import * as admin from 'firebase-admin';
 
 import logger from '../util/logger';
 import { ENVIRONMENT, JWT_SECRET } from '../util/secrets';
@@ -24,22 +25,43 @@ export const createToken = (req: Request, res: Response) => {
     const [id, hash] = [body.id, body.uniqueHash];
 
     // enable test case user only for development
-    let users: User[] | undefined;
+    let testUsers: User[] | undefined = undefined;
+    let firebaseToken: string | undefined = undefined;
+
     if (ENVIRONMENT === 'development' || process.env.NODE_ENV == 'test') {
-      users = [testCaseUser];
-    } else {
-      // db connection logic or users defined from file from production
-      users = undefined;
+      testUsers = [testCaseUser];
+    } else if (id) {
+      firebaseToken = id; // verify user with firebase id token,
     }
-    if (users) {
-      const user = users.filter((user) => user.id === id)[0];
+
+    if (testUsers) {
+      const user = testUsers.filter((user) => user.id === id)[0];
       if (user && user.id === id && user.uniqueHash === hash) {
         const token = {
           token: jwt.sign({ user: 'testCaseUser' }, JWT_SECRET, { algorithm: 'HS512', expiresIn: '30m' }),
         };
         return res.json(token);
       }
+    } else if (firebaseToken) {
+      // authen token generated by firebase on client,
+      //  that token is verifiable in firebase admin console
+      admin
+        .auth()
+        .verifyIdToken(firebaseToken)
+        .then((decodedToken) => {
+          if (decodedToken) {
+            console.log('decodedtoken', decodedToken);
+            const token = {
+              token: jwt.sign({ user: decodedToken.uid }, JWT_SECRET, { algorithm: 'HS512', expiresIn: '30m' }),
+            };
+            return res.json(token);
+          }
+        })
+        .catch((error) => {
+          logger.debug('firebase admin lib error' + error);
+        });
     }
+
     // if users empty or provided with invalid credentials
     return res.status(401).send('Unauthorized');
   } catch (e) {

src/models/firebase.ts

@@ -0,0 +1,25 @@
+import { FIREBASE_SERVICE_ACCOUNT, FIREBASE_DATABASE } from '../util/secrets';
+
+//eslint-disable-next-line @typescript-eslint/no-var-requires
+export const serviceAccount = require(FIREBASE_SERVICE_ACCOUNT);
+
+if (FIREBASE_SERVICE_ACCOUNT === '' || FIREBASE_DATABASE === '') {
+  throw new Error('Please configure env "FIREBASE_DATABASE_URL" & "FIREBASE_SERVICE_ACCOUNT"');
+}
+
+// reference
+// https://firebase.google.com/docs/auth/users#auth_tokens
+
+// Firebase ID tokens = Created by Firebase when a user signs in to an app. These tokens are signed JWTs that securely
+// identify a user in a Firebase project. These tokens contain basic profile information for a user, including the
+//user's ID string, which is unique to the Firebase project. Because the integrity of ID tokens can be verified, you
+// can send them to a backend server to identify the currently signed-in user.
+
+// Identity provider tokens =  	Created by federated identity providers, such as Google and Facebook. These tokens
+// can have different formats, but are often OAuth 2.0 access tokens. Apps use these tokens to verify that users
+// have successfully authenticated with the identity provider, and then convert them into credentials usable by
+// Firebase services.
+
+// Firebase custom tokens =  	Created by your custom auth system to allow users to sign in to an app using your auth
+// system. Custom tokens are JWTs signed using a service account's private key. Apps use these tokens much like they
+// use the tokens returned from federated identity providers.

src/util/secrets.ts

@@ -25,6 +25,8 @@ export const PORT = process.env['PORT'];
 export const RATE_LIMIT_WINDOW_MS = <number>(process.env['RATE_LIMIT_WINDOW_MS'] || 30);
 export const RATE_LIMIT_MAX = <number>(process.env['RATE_LIMIT_MAX'] || 2);
 export const JWT_SECRET = <string>(process.env['JWT_SECRET'] || '');
+export const FIREBASE_DATABASE = <string>(process.env['FIREBASE_DATABASE_URL'] || '');
+export const FIREBASE_SERVICE_ACCOUNT = <string>(process.env['FIREBASE_SERVICE_ACCOUNT'] || '');
 
 if (!MONGODB_URI) {
   if (prod) {