Support verifying cookies from Firebase #53
FYI I am using this fork in a new library I am working on called flame. Given the overlap, it may make sense to pull this code into that library. Thoughts?
Will have a look at ur code later :) Yeah there is a lot of overlap, love what you're doing with flame, looks great. On the one hand it makes sense to have this independent, not all auth key consumers need to manage users, on the other hand I can imagine a lot of people needing both.
I was debating the same thing, so glad to hear I am not alone there. I would love to separate out the Cookie / Token APIs ideally as I think you should know which type you are dealing with at any time. However I was worried it would cause a major version bump for the library and create too much duplicate code. What do you think?
Security wise that makes a lot of sense, we can definitely come up with an api that doesn't cause too many dupes. As long as verify_token and mock still work with the current behavior I think we're fine in terms of breaking changes?
@Nickforall I changed the API to I think you should be able to release this as a 0.x release in this form
@Nickforall any luck on getting your eyes on this? I want to release the Flame library I've been working on, but I need a packaged version of ExFirebaseAuth first 😬
@@ -30,8 +30,8 @@ defmodule ExFirebaseAuth.MixProject do | |||
defp deps do | |||
[ | |||
{:jose, "~> 1.10"}, | |||
{:finch, "~> 0.10.0"}, | |||
{:jason, "~> 1.3.0"}, | |||
{:finch, "~> 0.10"}, |
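Review bot: the new `{:finch, "~> 0.10"}` requirement accepts every Finch release from 0.10.0 up to, but not including, 1.0.0, where the previous `"~> 0.10.0"` stopped before 0.11.0. Finch is the client this library uses to fetch the verification keys, and pre-1.0 minor releases are allowed to change behaviour, so I would either drop this from the feature PR or state in the description which Finch versions the key fetch was tested against and have CI run against the newest version the range allows.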
Not sure if this can be a problem, but it might be better to remove these changes so it will be easier for the maintainer to merge the dependabot patches that are already waiting.
Yeah I'll verify and merge dependabot's PRs, this change should be removed after rebasing :)
Having a look now! Sorry for the inactivity here, founded a startup so have been super busy and no longer using this lib in production myself.
Some small comments, but looking good so far 💪🏻
with {:ok, %Finch.Response{body: body}} <- | ||
Finch.build(:get, endpoint_url) |> Finch.request(ExFirebaseAuthFinch), | ||
{:ok, json_data} <- Jason.decode(body) do | ||
{:ok, convert_to_jose_keys(json_data)} | ||
else | ||
_ -> :error | ||
end |
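Review bot: the `{:ok, %Finch.Response{body: body}}` match accepts any HTTP status, so an error response whose body happens to be valid JSON is passed on to `convert_to_jose_keys`; match on `status: 200` in the same pattern. The catch-all `_ -> :error` also throws away whether the request or the JSON decode failed, so returning or logging the failing term would make a key-fetch failure diagnosable instead of surfacing later as tokens that cannot be verified.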
Let's extract this to a separate function for readability
Co-authored-by: Robert Parcus <[email protected]>
This PR adds support for verifying session cookies from Firebase. They are JWTs that have the same shape as idTokens, but are longer lived for backend applications. The difference is the `kid` values are unique between idToken and sessionCookies payloads.
I did my best to work inside the existing API to avoid any major rewrite, but am happy to adjust the approach.
Other Changes
I loosened the version constraints on Finch
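
The type separation discussed in this thread, as an added example that is not part of the PR or of ExFirebaseAuth: the caller names the credential type, and the `kid` lookup, issuer check and signature check all use that type's key set only. `TypedVerify`, its function names and the demo keys are hypothetical; the issuer prefixes come from Firebase's documentation, not from this page.

```elixir
# Added example, not ExFirebaseAuth code. Run as a script: elixir typed_verify.exs
Mix.install([{:jose, "~> 1.10"}, {:jason, "~> 1.3.0"}])

defmodule TypedVerify do
  # Issuer prefixes as given in Firebase's documentation (assumption: not stated in this PR).
  @issuers %{
    id_token: "https://securetoken.google.com/",
    session_cookie: "https://session.firebase.google.com/"
  }

  # keys holds one kid => JOSE.JWK map per type, never merged. Only iss, aud, exp are checked here.
  def verify(type, token, project, keys, now \\ System.system_time(:second))
      when type in [:id_token, :session_cookie] do
    issuer = @issuers[type] <> project

    with {:ok, kid} <- peek_kid(token),
         {:ok, jwk} <- Map.fetch(keys[type], kid),
         {true, %JOSE.JWT{fields: claims}, _jws} <-
           JOSE.JWT.verify_strict(jwk, ["RS256"], token),
         %{"iss" => ^issuer, "aud" => ^project, "exp" => exp}
         when is_integer(exp) and exp > now <- claims do
      {:ok, claims}
    else
      :error -> {:error, :unknown_kid_for_type}
      {false, _jwt, _jws} -> {:error, :bad_signature}
      %{} -> {:error, :bad_claims}
      other -> other
    end
  end

  defp peek_kid(token) do
    case JOSE.JWT.peek_protected(token) do
      %JOSE.JWS{fields: %{"kid" => kid}} -> {:ok, kid}
      _ -> {:error, :no_kid}
    end
  rescue
    _ -> {:error, :malformed_token}
  end
end

# Constructed demo: locally generated keys stand in for Google's two published key sets.
[id_key, cookie_key] = for _ <- 1..2, do: JOSE.JWK.generate_key({:rsa, 2048})
keys = %{id_token: %{"id-kid" => id_key}, session_cookie: %{"cookie-kid" => cookie_key}}
claims = %{"iss" => "https://session.firebase.google.com/demo", "aud" => "demo",
           "exp" => System.system_time(:second) + 300}
header = %{"alg" => "RS256", "kid" => "cookie-kid"}
cookie = JOSE.JWT.sign(cookie_key, header, claims) |> JOSE.JWS.compact() |> elem(1)
{:ok, _claims} = TypedVerify.verify(:session_cookie, cookie, "demo", keys)
{:error, :unknown_kid_for_type} = TypedVerify.verify(:id_token, cookie, "demo", keys)
```

The last line shows the property the typed API buys: a valid session cookie presented where an ID token is expected fails at key lookup, before any signature or claim check runs.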