feat: Implement verify method #48
Conversation
|
As mentioned in the original PR, we'd want tests :) |
|
I'm having difficulty designing test scenarios when trying to write test code. If you have the time, I'd be interested in collaborating on writing the tests. |
| 'no-matching-kid-error', | ||
| ); | ||
| } | ||
| JWT.verify( |
There was a problem hiding this comment.
Looking at what needs to be verified from https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library:
- audience: already verified in FirebaseTokenVerifier._verifyContent()
- issuer: already verified in FirebaseTokenVerifier._verifyContent()
- sub: presence already verified in FirebaseTokenVerifier._verifyContent()
- exp: unless I missed something, doesn't seem to be verified, but JWT.verify() will take care of it (this should be documented because for the sake of consistency we would have wanted to verify it in _verifyContent())
- iat: doesn't seem to be verified either, JWT.verify() has the issueAt parameter but the way it handles it and verifies the token's iat confuses me, so I would actually recommend checking it in _verifyContent()
So in summary, the use of JWT.verify() without any parameter in the proposed implementation is consistent with the existing implementation, assuming 'iat' is verified in _verifyContent().
I would recommend removing the existing verifyJwtSignature() function and the commented-out line that invokes it.
Related Issues
fixes #20 #33
Thanks to @tkfinitefield
Checklist
Before you create this PR confirm that it meets all requirements listed below by checking the relevant checkboxes (
[x]).I have updated the
CHANGELOG.mdof the relevant packages.Changelog files must be edited under the form:
If this contains new features or behavior changes,
I have updated the documentation to match those changes.