Support verifying cookies from Firebase
This PR adds support for verifying session cookies from Firebase. They are JWTs that have the same shape as idTokens, but are longer lived for backend applications. The difference is the kid values are unique between idToken and sessionCookies payloads.
I did my best to work inside the existing API to avoid any major rewrite, but am happy to adjust the approach.
Other Changes
I loosened the version constraints on Finch
FYI I am using this fork in a new library I am working on called flame.
Given the overlap, it may make sense to pull this code into that library. Thoughts?
Will have a look at ur code later :)
Yeah there is a lot of overlap, love what you're doing with flame, looks great.
On the one hand it makes sense to have this independent, not all auth key consumers need to manage users, on the other hand I can imagine a lot of people needing both.
I was debating the same thing, so glad to hear I am not alone there.
I would love to separate out the Cookie / Token APIs ideally as I think you should know which type you are dealing with at any time. However I was worried it would cause a major version bump for the library and create too much duplicate code. What do you think?
Security-wise that makes a lot of sense, we can definitely come up with an API that doesn't cause too many dupes. As long as verify_token and mock still work with the current behavior I think we're fine in terms of breaking changes?
@Nickforall I changed the API to ExFirebaseAuth.Cookie.verify_cookie/1 to mirror the ExFirebaseAuth.Token.verify_token/1 pattern.
I think you should be able to release this as a 0.x release in this form
@Nickforall any luck on getting your eyes on this? I want to release the Flame library I've been working on, but I need a packaged version of ExFirebaseAuth first 😬
Having a look now! Sorry for the inactivity here, founded a startup so have been super busy and no longer using this lib in production myself.
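The separation discussed in this thread, sketched as an added example (Python, not code from this PR or from ExFirebaseAuth): each token type gets its own key set and issuer, and the verifier never falls back to the other type's keys. Assumptions: the kids, keys and project id are constructed, and HMAC-SHA256 stands in for Firebase's RS256 certificates so the block runs on the standard library alone.

```python
import base64, hashlib, hmac, json

# Constructed key sets. Firebase publishes RS256 certificates per kid; HMAC
# secrets stand in here so the example runs with the standard library only.
KEYS = {
    "id_token": {"kid-id-1": b"constructed-id-token-key"},
    "session_cookie": {"kid-cookie-1": b"constructed-session-cookie-key"},
}
# Issuer prefix per token type (the project id is appended).
ISSUERS = {
    "id_token": "https://securetoken.google.com/",
    "session_cookie": "https://session.firebase.google.com/",
}
PROJECT = "demo-project"  # hypothetical project id


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(kind: str, kid: str, sub: str) -> str:
    """Build a constructed sample token of the given kind."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps({"iss": ISSUERS[kind] + PROJECT, "sub": sub}).encode())
    sig = hmac.new(KEYS[kind][kid], f"{header}.{body}".encode(), hashlib.sha256)
    return f"{header}.{body}.{_b64(sig.digest())}"


def verify(token: str, expected_kind: str):
    """Verify a token as exactly one kind; never fall back to the other key set."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
        key = KEYS[expected_kind].get(header.get("kid"))
        if header.get("alg") != "HS256" or key is None:
            return ("error", "unknown kid or alg for " + expected_kind)
        want = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256)
        if not hmac.compare_digest(want.digest(), _unb64(sig_b64)):
            return ("error", "bad signature")
        claims = json.loads(_unb64(body_b64))
        if claims.get("iss") != ISSUERS[expected_kind] + PROJECT:
            return ("error", "wrong issuer")
        return ("ok", claims["sub"])
    except (ValueError, AttributeError, TypeError, KeyError):
        return ("error", "malformed token")
```

Because the caller names the expected type, a valid ID token handed to the cookie path is rejected at the kid lookup, before any signature check runs.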