class FireJWT::Validator

Validator validates tokens by applying the guidelines outlined in firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library.

Public Class Methods

new(project_id)

@param [String] project_id the unique identifier for your Firebase project, which can be found in the URL of that project's console.

# File lib/firejwt/validator.rb, line 12
# Builds a validator bound to a single Firebase project.
#
# The options assembled here are splatted into JWT.decode by #decode. The
# accepted signing algorithm is pinned to RS256, and the expiration,
# issued-at, audience and issuer checks are all switched on.
#
# NOTE(review): project_id is only coerced with #to_s, never validated. A nil
# or empty value yields aud "" and iss "https://securetoken.google.com/", so
# callers should make sure the real project ID is passed in.
#
# @param project_id [String, #to_s] the Firebase project ID
def initialize(project_id)
  audience = project_id.to_s
  issuer   = "https://securetoken.google.com/#{audience}"

  @certs = Certificates.new
  @opts  = {
    # RS256 is the only signature algorithm accepted
    algorithms: ['RS256'].freeze,

    # exp must be in the future, iat must be in the past
    verify_expiration: true,
    verify_iat: true,

    # aud must be your Firebase project ID
    verify_aud: true,
    aud: audience,

    # iss must be "https://securetoken.google.com/<projectId>"
    verify_iss: true,
    iss: issuer,
  }
end

Public Instance Methods

decode(token)

@param [String] token the token string
@return [FireJWT::Token] the token
@raises [JWT::DecodeError] validation errors

# File lib/firejwt/validator.rb, line 34
# Verifies a token and wraps its claims in a Token.
#
# JWT.decode is called with verification enabled and the options built in
# #initialize. The verification key is looked up per token through
# @certs.get, keyed by the "kid" value of the token header. Two further
# claims, sub and auth_time, are then checked here.
#
# NOTE(review): what @certs.get returns for a missing or unknown kid is not
# visible here -- confirm it yields no usable key, so such tokens are rejected.
#
# @param token [String] the encoded token
# @return [FireJWT::Token] wrapper built from the payload and header
# @raise [JWT::DecodeError] when JWT.decode rejects the token
# @raise [JWT::InvalidSubError] when sub is not a non-empty String
# @raise [InvalidAuthTimeError] when auth_time is not Numeric or lies in the future
def decode(token)
  claims, jwt_header = JWT.decode(token, nil, true, **@opts) do |unverified_header|
    # The header has not been authenticated at this point; kid only selects
    # which certificate the signature is checked against.
    @certs.get(unverified_header['kid'])
  end

  # sub must be a non-empty string
  subject = claims['sub']
  if !subject.is_a?(String) || subject.empty?
    raise(JWT::InvalidSubError, 'Invalid subject. Expected non-empty string')
  end

  # auth_time must be a number and must be in the past
  auth_time = claims['auth_time']
  raise(InvalidAuthTimeError, 'Invalid auth_time') unless auth_time.is_a?(Numeric)
  raise(InvalidAuthTimeError, 'Invalid auth_time') if auth_time.to_f > Time.now.to_f

  Token.new(claims, jwt_header)
end