credential.go
package firebase
import (
"crypto/rsa"
"encoding/json"
"errors"
"io"
"github.com/SermoDigital/jose/crypto"
"golang.org/x/net/context"
"golang.org/x/oauth2/jwt"
)
// GoogleServiceAccountCredential is the credential for a GCP Service Account.
//
// The private key is held twice: parsed (PrivateKey) and as the original PEM
// text (PrivateKeyString). Both fields are exported and carry no struct tags,
// and this file defines no MarshalJSON, so values of this type should be
// handled as secrets.
// NOTE(review): encoding/json's default struct encoding and fmt's %+v would
// both include the key fields — confirm no caller marshals or logs this type.
type GoogleServiceAccountCredential struct {
	// ProjectID is the project ID (read from the "project_id" JSON key by
	// UnmarshalJSON).
	ProjectID string
	// PrivateKey is the RSA private key parsed from the "private_key" PEM by
	// UnmarshalJSON.
	PrivateKey *rsa.PrivateKey
	// PrivateKeyString is the private key represented in string: the PEM text
	// exactly as it appeared in the credential JSON. ensureTokenSource hands
	// these bytes to jwt.Config.
	PrivateKeyString string
	// ClientEmail is the client email (read from the "client_email" JSON key).
	ClientEmail string
}
// UnmarshalJSON implements custom JSON decoding for
// GoogleServiceAccountCredential. It reads the "project_id", "private_key" and
// "client_email" keys and parses the private key from PEM format.
//
// The receiver is only written once both the JSON decode and the PEM parse
// have succeeded; on any error it is left as it was and the underlying error
// is returned unchanged.
//
// project_id and client_email are copied without validation, so empty or
// missing values are accepted here.
// NOTE(review): callers that log the returned error should confirm the PEM
// parser's messages never echo key material.
func (c *GoogleServiceAccountCredential) UnmarshalJSON(data []byte) error {
	// Mirror of the service-account JSON keys this package cares about.
	raw := struct {
		ProjectID   string `json:"project_id"`
		PrivateKey  string `json:"private_key"`
		ClientEmail string `json:"client_email"`
	}{}
	if err := json.Unmarshal(data, &raw); err != nil {
		return err
	}

	// Reject the credential outright if the key is not a usable RSA PEM.
	key, err := crypto.ParseRSAPrivateKeyFromPEM([]byte(raw.PrivateKey))
	if err != nil {
		return err
	}

	c.ProjectID = raw.ProjectID
	c.ClientEmail = raw.ClientEmail
	// The PEM text is retained next to the parsed key; both are secret.
	c.PrivateKeyString = raw.PrivateKey
	c.PrivateKey = key
	return nil
}
// loadCredential decodes a Service Account credential from JSON read from r
// (typically the contents of a service-account key file).
//
// Only the first JSON value in r is decoded; anything that follows it is not
// examined here. Decoding goes through
// GoogleServiceAccountCredential.UnmarshalJSON, so a private key that fails to
// parse surfaces as an error and no credential is returned.
func loadCredential(r io.Reader) (*GoogleServiceAccountCredential, error) {
	cred := new(GoogleServiceAccountCredential)
	err := json.NewDecoder(r).Decode(cred)
	if err != nil {
		return nil, err
	}
	return cred, nil
}
const (
	// jwtTokenURL is Google's OAuth 2.0 token URL to use with the JWT flow.
	// It is a compile-time constant, so the endpoint that receives the signed
	// assertion cannot be redirected through configuration.
	// NOTE(review): this is the older accounts.google.com form of the token
	// endpoint; confirm against Google's current documentation before changing
	// it, since the JWT audience may be derived from this URL.
	jwtTokenURL = "https://accounts.google.com/o/oauth2/token"
)

var (
	// scopes lists every OAuth 2.0 scope requested for the token source built
	// in ensureTokenSource, which passes a copy of this slice to jwt.Config.
	// All four scopes are requested together for every token.
	// NOTE(review): least privilege — confirm each consumer really needs
	// database, messaging and identitytoolkit access on the same token. The
	// slice is a mutable package-level variable; nothing in this file writes
	// to it after initialization.
	scopes = []string{
		"https://www.googleapis.com/auth/userinfo.email",
		"https://www.googleapis.com/auth/firebase.database",
		"https://www.googleapis.com/auth/firebase.messaging",
		"https://www.googleapis.com/auth/identitytoolkit",
	}
)
// ensureTokenSource lazily creates auth.ts, the OAuth 2.0 token source built
// from the app's service account credential, and is a no-op once it exists.
//
// The whole check-and-create sequence runs while holding auth.tsLock. It
// returns an error when the app options carry no service account credential.
func (auth *Auth) ensureTokenSource() error {
	auth.tsLock.Lock()
	defer auth.tsLock.Unlock()

	// Already initialised by an earlier call.
	if auth.ts != nil {
		return nil
	}

	sa := auth.app.options.ServiceAccountCredential
	if sa == nil {
		return errors.New("no service account credential found")
	}

	// Hand jwt.Config its own copy so the package-level scopes slice is never
	// shared with it.
	requested := make([]string, len(scopes))
	copy(requested, scopes)

	conf := jwt.Config{
		Email: sa.ClientEmail,
		// The PEM private key leaves the credential here as raw bytes.
		PrivateKey: []byte(sa.PrivateKeyString),
		Scopes:     requested,
		TokenURL:   jwtTokenURL,
	}

	// NOTE(review): context.TODO() carries no deadline or cancellation;
	// confirm whether token requests made through this source need a timeout.
	auth.ts = conf.TokenSource(context.TODO())
	return nil
}