How to verify JWT?

Question

I'm unsure of the examples in Google's documentation. How do I verify a JWT produced by Firebase, in a Google App engine flexible service?

main.go :

// ...

func main () {
    InitializeAppWithServiceAccount()
    go lib.GetStockData()
    http.HandleFunc("/_ah/someendPoint", SomeHandler)
}

func InitializeAppWithServiceAccount() *firebase.App {
    // [START initialize_app_service_account]
    opt := option.WithCredentialsFile("keystore/someapp-firebase-adminsdk-1ts1k-1fbbbad63f.json")
    app, err := firebase.NewApp(context.Background(), nil, opt)
    if err != nil {
        log.Fatalf("error initializing app: %v\n", err)
    }
    return app
}


func someHandler(w http.ResponseWriter, r *http.Request) {
    // Set content type:
    w.Header().Set("Content-Type", "application/json")

    if r.Header != nil {
        ReqToken := r.Header.Get("Authorization")
        splitToken := strings.Split(ReqToken, "Bearer")
        ReqToken = splitToken[1]
        fmt.Println(ReqToken) // Correctly prints the JWT
        // Verify JWT
        // If it's invalid, return?
        // verifyIDToken(??, reqToken)

        enc := json.NewEncoder(w)
        err := enc.Encode(somedata)
        fmt.Println("request made")
        if err != nil {
            http.Error(w, err.Error(), http.StatusInternalServerError)
            return
        }
    }
    http.Error(w, "Unauthorized", http.StatusUnauthorized)
}

According to their documentation, you can use the following function to verify an ID token? But what do I pass in as app? The documentation doesn't really say.

func verifyIDToken(app *firebase.App, idToken string) *auth.Token {
    // [START verify_id_token]
    client, err := app.Auth(context.Background())
    if err != nil {
        log.Fatalf("error getting Auth client: %v\n", err)
    }

    token, err := client.VerifyIDToken(idToken)
    if err != nil {
        log.Fatalf("error verifying ID token: %v\n", err)
    }

    log.Printf("Verified ID token: %v\n", token)
    // [END verify_id_token]

    return token
}

Obviously, idToken is my token from the handler. But what is app *firebase.App and how would I pass it in to the function from the handler itself?

Answer 1

You're already initializing a firebase.App in your InitializeAppWithServiceAccount() function. You just need to pass the return value into your handler.

conf := firebase.Config{
    ProjectID: "my-project-id",
}
app, err := firebase.NewApp(context.Background(), &conf)
if err != nil {
    log.Fatalln(err)
}
handler := func(w http.ResponseWriter, r *http.Request) {
    client, err := app.Auth(context.Background())
    if err != nil {
        http.Error(w, err.Error(), http.StatusInternalServerError)
    }

    token := getTokenFromReq(r)
    t, err := client.VerifyIDToken(token)
    if err != nil {
        http.Error(w, err.Error(), http.StatusInternalServerError)
    }
    w.Write([]byte("token verified"))
}

In this example I'm not using a service account (which is probably what you want as well). And since this is on GAE, make sure to pass the GAE context instead of the background context.