Auth rework

README.md

@@ -12,13 +12,11 @@ The Firebase Admin Rust SDK enables access to Firebase services from privileged
 use rs_firebase_admin_sdk::{
     auth::{FirebaseAuthService, UserIdentifiers},
     client::ApiHttpClient,
-    App, credentials_provider,
+    App,
 };
 
-// Load your GCP SA from env, see https://crates.io/crates/gcp_auth for more details
-let gcp_service_account = credentials_provider().await.unwrap();
 // Create live (not emulated) context for Firebase app
-let live_app = App::live(gcp_service_account.into()).await.unwrap();
+let live_app = App::live().await.unwrap();
 
 // Create Firebase authentication admin client
 let auth_admin = live_app.auth();

examples/clear_emulator/src/main.rs

@@ -12,7 +12,7 @@ where
 
 #[tokio::main]
 async fn main() {
-    let emulator_app = App::emulated("my_project".into());
+    let emulator_app = App::emulated();
     let emulator_admin = emulator_app.auth("http://localhost:9099".into());
 
     clear_emulator(&emulator_admin).await;

examples/get_users/src/main.rs

@@ -2,7 +2,6 @@ use rs_firebase_admin_sdk::{
     App,
     auth::{FirebaseAuthService, UserList},
     client::ApiHttpClient,
-    credentials_provider,
 };
 
 /// Generic method to print out all live users, fetch 10 at a time
@@ -27,18 +26,13 @@ where
 
 #[tokio::main]
 async fn main() {
-    // Live Firebase App
-    let gcp_service_account = credentials_provider().await.unwrap();
-
-    let live_app = App::live(gcp_service_account).await.unwrap();
-
+    let live_app = App::live().await.unwrap();
     let live_auth_admin = live_app.auth();
 
     print_all_users(&live_auth_admin).await;
 
     // Emulator Firebase App
-    let emulator_app = App::emulated("my_project".into());
-
+    let emulator_app = App::emulated();
     let emulator_auth_admin = emulator_app.auth("http://localhost:9099".into());
 
     print_all_users(&emulator_auth_admin).await;

examples/verify_token/src/main.rs

@@ -1,29 +1,27 @@
-use rs_firebase_admin_sdk::{App, auth::token::TokenVerifier, credentials_provider};
+use rs_firebase_admin_sdk::{App, jwt::TokenValidator};
 
-async fn verify_token<T: TokenVerifier>(token: &str, verifier: &T) {
-    match verifier.verify_token(token).await {
+async fn verify_token<T: TokenValidator>(token: &str, validator: &T) {
+    match validator.validate(token).await {
         Ok(token) => {
-            let user_id = token.critical_claims.sub;
+            let user_id = token.get("sub").unwrap().as_str().unwrap();
             println!("Token for user {user_id} is valid!")
         }
         Err(err) => {
-            println!("Token is invalid because {err}!")
+            println!("Token is invalid because {err:?}!")
         }
     }
 }
 
 #[tokio::main]
 async fn main() {
+    // Live
     let oidc_token = std::env::var("ID_TOKEN").unwrap();
+    let live_app = App::live().await.unwrap();
+    let live_token_validator = live_app.id_token_verifier().await.unwrap();
+    verify_token(&oidc_token, &live_token_validator).await;
 
-    // Live Firebase App
-    let gcp_service_account = credentials_provider().await.unwrap();
-    let live_app = App::live(gcp_service_account).await.unwrap();
-    let live_token_verifier = live_app.id_token_verifier().await.unwrap();
-    verify_token(&oidc_token, &live_token_verifier).await;
-
-    // Emulator Firebase App
-    let emulator_app = App::emulated("my_project".into());
-    let emulator_token_verifier = emulator_app.id_token_verifier();
-    verify_token(&oidc_token, &emulator_token_verifier).await;
+    // Emulator
+    let emulator_app = App::emulated();
+    let emulator_token_validator = emulator_app.id_token_verifier();
+    verify_token(&oidc_token, &emulator_token_validator).await;
 }

lib/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "rs-firebase-admin-sdk"
-version = "3.0.0"
+version = "4.0.0"
 rust-version = "1.85"
 edition = "2024"
 authors = ["Kostas Petrikas"]
@@ -16,7 +16,7 @@ doctest = false
 [features]
 default = ["tokens", "reqwest/default-tls"]
 rustls-tls = ["reqwest/rustls-tls"]
-tokens = ["dep:openssl"]
+tokens = ["dep:jsonwebtoken", "dep:jsonwebtoken-jwks-cache"]
 
 [dependencies]
 tokio = { version = "1.48", features = ["sync"], default-features = false }
@@ -29,10 +29,11 @@ headers = "0.4"
 reqwest = { version = "0.12", features = ["charset", "json"], default-features = false }
 urlencoding = "2.1"
 bytes = "1"
-gcp_auth = "0.12"
+google-cloud-auth = "1.3"
 time = { version = "0.3", features = ["serde"] }
 base64 = "0.22"
-openssl = { version = "0.10", optional = true }
+jsonwebtoken = { version = "10.2", optional = true }
+jsonwebtoken-jwks-cache = { version = "0.1", optional = true }
 
 [dev-dependencies]
 tokio = { version = "1.48", features = ["macros", "rt-multi-thread"] }

lib/src/auth/mod.rs

@@ -7,9 +7,6 @@ pub mod claims;
 pub mod import;
 pub mod oob_code;
 
-#[cfg(feature = "tokens")]
-pub mod token;
-
 use crate::api_uri::{ApiUriBuilder, FirebaseAuthEmulatorRestApi, FirebaseAuthRestApi};
 use crate::client::ApiHttpClient;
 use crate::client::error::ApiClientError;
@@ -27,11 +24,6 @@ use time::{Duration, OffsetDateTime};
 
 const FIREBASE_AUTH_REST_AUTHORITY: &str = "identitytoolkit.googleapis.com";
 
-const FIREBASE_AUTH_SCOPES: [&str; 2] = [
-    "https://www.googleapis.com/auth/cloud-platform",
-    "https://www.googleapis.com/auth/userinfo.email",
-];
-
 #[derive(Serialize, Debug, Clone, Default)]
 #[serde(rename_all = "camelCase")]
 pub struct NewUser {
@@ -363,7 +355,7 @@ pub trait FirebaseAuthService<C: ApiHttpClient>: Send + Sync + 'static {
             .get_auth_uri_builder()
             .build(FirebaseAuthRestApi::CreateUser);
 
-        client.send_request_body(uri, Method::POST, user, &FIREBASE_AUTH_SCOPES)
+        client.send_request_body(uri, Method::POST, user)
     }
 
     /// Get first user that matches given identifier filter
@@ -413,7 +405,6 @@ pub trait FirebaseAuthService<C: ApiHttpClient>: Send + Sync + 'static {
                     uri_builder.build(FirebaseAuthRestApi::GetUsers),
                     Method::POST,
                     indentifiers,
-                    &FIREBASE_AUTH_SCOPES,
                 )
                 .await?;
 
@@ -460,7 +451,6 @@ pub trait FirebaseAuthService<C: ApiHttpClient>: Send + Sync + 'static {
                     uri_builder.build(FirebaseAuthRestApi::ListUsers),
                     params.into_iter(),
                     Method::GET,
-                    &FIREBASE_AUTH_SCOPES,
                 )
                 .await?;
 
@@ -482,7 +472,6 @@ pub trait FirebaseAuthService<C: ApiHttpClient>: Send + Sync + 'static {
                     uri_builder.build(FirebaseAuthRestApi::DeleteUser),
                     Method::POST,
                     UserId { uid },
-                    &FIREBASE_AUTH_SCOPES,
                 )
                 .await
         }
@@ -503,7 +492,6 @@ pub trait FirebaseAuthService<C: ApiHttpClient>: Send + Sync + 'static {
                     uri_builder.build(FirebaseAuthRestApi::DeleteUsers),
                     Method::POST,
                     UserIds { uids, force },
-                    &FIREBASE_AUTH_SCOPES,
                 )
                 .await
         }
@@ -532,7 +520,6 @@ pub trait FirebaseAuthService<C: ApiHttpClient>: Send + Sync + 'static {
                     uri_builder.build(FirebaseAuthRestApi::UpdateUser),
                     Method::POST,
                     update,
-                    &FIREBASE_AUTH_SCOPES,
                 )
                 .await
         }
@@ -562,7 +549,6 @@ pub trait FirebaseAuthService<C: ApiHttpClient>: Send + Sync + 'static {
                     uri_builder.build(FirebaseAuthRestApi::ImportUsers),
                     Method::POST,
                     UserImportRecords { users },
-                    &FIREBASE_AUTH_SCOPES,
                 )
                 .await?;
 
@@ -593,7 +579,6 @@ pub trait FirebaseAuthService<C: ApiHttpClient>: Send + Sync + 'static {
                     uri_builder.build(FirebaseAuthRestApi::SendOobCode),
                     Method::POST,
                     oob_action,
-                    &FIREBASE_AUTH_SCOPES,
                 )
                 .await?;
 
@@ -622,7 +607,6 @@ pub trait FirebaseAuthService<C: ApiHttpClient>: Send + Sync + 'static {
                     uri_builder.build(FirebaseAuthRestApi::CreateSessionCookie),
                     Method::POST,
                     create_cookie,
-                    &FIREBASE_AUTH_SCOPES,
                 )
                 .await?;
 
@@ -689,7 +673,6 @@ where
                 .send_request(
                     uri_builder.build(FirebaseAuthEmulatorRestApi::ClearUserAccounts),
                     Method::DELETE,
-                    &FIREBASE_AUTH_SCOPES,
                 )
                 .await?;
 
@@ -709,7 +692,6 @@ where
                 .send_request(
                     uri_builder.build(FirebaseAuthEmulatorRestApi::Configuration),
                     Method::GET,
-                    &FIREBASE_AUTH_SCOPES,
                 )
                 .await
         }
@@ -729,7 +711,6 @@ where
                     uri_builder.build(FirebaseAuthEmulatorRestApi::Configuration),
                     Method::PATCH,
                     configuration,
-                    &FIREBASE_AUTH_SCOPES,
                 )
                 .await
         }
@@ -747,7 +728,6 @@ where
                 .send_request(
                     uri_builder.build(FirebaseAuthEmulatorRestApi::OobCodes),
                     Method::GET,
-                    &FIREBASE_AUTH_SCOPES,
                 )
                 .await?;
 
@@ -767,7 +747,6 @@ where
                 .send_request(
                     uri_builder.build(FirebaseAuthEmulatorRestApi::SmsVerificationCodes),
                     Method::GET,
-                    &FIREBASE_AUTH_SCOPES,
                 )
                 .await
         }

lib/src/auth/test.rs

@@ -1,6 +1,6 @@
 use super::import::{PasswordHash, UserImportRecord};
 #[cfg(feature = "tokens")]
-use super::token::jwt::JWToken;
+// use super::token::jwt::JWToken;
 use super::{
     AttributeOp, Claims, FirebaseAuth, FirebaseAuthService, FirebaseEmulatorAuthService, NewUser,
     OobCode, OobCodeAction, OobCodeActionType, UserIdentifiers, UserList, UserUpdate,
@@ -18,7 +18,7 @@ use time::Duration;
 use tokio;
 
 fn get_auth_service() -> FirebaseAuth<ReqwestApiClient<EmulatorCredentials>> {
-    App::emulated("demo-firebase-project".into()).auth("http://emulator:9099".parse().unwrap())
+    App::emulated().auth("http://emulator:9099".parse().unwrap())
 }
 
 #[derive(Serialize)]
@@ -529,6 +529,7 @@ async fn test_generate_email_action_link() {
 #[tokio::test]
 #[serial]
 async fn test_create_session_cookie() {
+    use crate::jwt::{EmulatorValidator, TokenValidator};
     let auth = get_auth_service();
 
     auth.create_user(NewUser::email_and_password(
@@ -544,7 +545,9 @@ async fn test_create_session_cookie() {
         .await
         .unwrap();
 
-    JWToken::from_encoded(&cookie).expect("Got invalid session cookie token");
+    let claims = EmulatorValidator.validate(&cookie).await.unwrap();
+    let email = claims.get("email").unwrap().as_str().unwrap();
+    assert_eq!(email, "test@example.com");
 
     auth.clear_all_users().await.unwrap();
 }