-
Notifications
You must be signed in to change notification settings - Fork 315
/
index.py
654 lines (582 loc) · 23.1 KB
/
index.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
# Copyright 2018 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from __future__ import print_function
import base64
import datetime
import sys
import time
# [START import_sdk]
import firebase_admin
# [END import_sdk]
from firebase_admin import credentials
from firebase_admin import auth
from firebase_admin import exceptions
sys.path.append("lib")
def initialize_sdk_with_service_account():
# [START initialize_sdk_with_service_account]
import firebase_admin
from firebase_admin import credentials
from firebase_admin import exceptions
cred = credentials.Certificate('path/to/serviceAccountKey.json')
default_app = firebase_admin.initialize_app(cred)
# [END initialize_sdk_with_service_account]
firebase_admin.delete_app(default_app)
def initialize_sdk_with_application_default():
# [START initialize_sdk_with_application_default]
default_app = firebase_admin.initialize_app()
# [END initialize_sdk_with_application_default]
firebase_admin.delete_app(default_app)
def initialize_sdk_with_refresh_token():
# [START initialize_sdk_with_refresh_token]
cred = credentials.RefreshToken('path/to/refreshToken.json')
default_app = firebase_admin.initialize_app(cred)
# [END initialize_sdk_with_refresh_token]
firebase_admin.delete_app(default_app)
def initialize_sdk_with_service_account_id():
# [START initialize_sdk_with_service_account_id]
options = {
'serviceAccountId': 'my-client-id@my-project-id.iam.gserviceaccount.com',
}
firebase_admin.initialize_app(options=options)
# [END initialize_sdk_with_service_account_id]
firebase_admin.delete_app(firebase_admin.get_app())
def access_services_default():
cred = credentials.Certificate('path/to/service.json')
# [START access_services_default]
# Import the Firebase service
from firebase_admin import auth
# Initialize the default app
default_app = firebase_admin.initialize_app(cred)
print(default_app.name) # "[DEFAULT]"
# Retrieve services via the auth package...
# auth.create_custom_token(...)
# [END access_services_default]
firebase_admin.delete_app(default_app)
def access_services_nondefault():
cred = credentials.Certificate('path/to/service.json')
other_cred = credentials.Certificate('path/to/other_service.json')
# [START access_services_nondefault]
# Initialize the default app
default_app = firebase_admin.initialize_app(cred)
# Initialize another app with a different config
other_app = firebase_admin.initialize_app(cred, name='other')
print(default_app.name) # "[DEFAULT]"
print(other_app.name) # "other"
# Retrieve default services via the auth package...
# auth.create_custom_token(...)
# Use the `app` argument to retrieve the other app's services
# auth.create_custom_token(..., app=other_app)
# [END access_services_nondefault]
firebase_admin.delete_app(default_app)
firebase_admin.delete_app(other_app)
def create_token_uid():
cred = credentials.Certificate('path/to/service.json')
default_app = firebase_admin.initialize_app(cred)
# [START create_token_uid]
uid = 'some-uid'
custom_token = auth.create_custom_token(uid)
# [END create_token_uid]
firebase_admin.delete_app(default_app)
return custom_token
def create_token_with_claims():
cred = credentials.Certificate('path/to/service.json')
default_app = firebase_admin.initialize_app(cred)
# [START create_token_with_claims]
uid = 'some-uid'
additional_claims = {
'premiumAccount': True
}
custom_token = auth.create_custom_token(uid, additional_claims)
# [END create_token_with_claims]
firebase_admin.delete_app(default_app)
return custom_token
def verify_token_uid(id_token):
cred = credentials.Certificate('path/to/service.json')
default_app = firebase_admin.initialize_app(cred)
# [START verify_token_uid]
# id_token comes from the client app (shown above)
decoded_token = auth.verify_id_token(id_token)
uid = decoded_token['uid']
# [END verify_token_uid]
print(uid)
firebase_admin.delete_app(default_app)
def verify_token_uid_check_revoke(id_token):
cred = credentials.Certificate('path/to/service.json')
default_app = firebase_admin.initialize_app(cred)
# [START verify_token_id_check_revoked]
try:
# Verify the ID token while checking if the token is revoked by
# passing check_revoked=True.
decoded_token = auth.verify_id_token(id_token, check_revoked=True)
# Token is valid and not revoked.
uid = decoded_token['uid']
except auth.RevokedIdTokenError:
# Token revoked, inform the user to reauthenticate or signOut().
pass
except auth.InvalidIdTokenError:
# Token is invalid
pass
# [END verify_token_id_check_revoked]
firebase_admin.delete_app(default_app)
return uid
def revoke_refresh_token_uid():
cred = credentials.Certificate('path/to/service.json')
default_app = firebase_admin.initialize_app(cred)
# [START revoke_tokens]
# Revoke tokens on the backend.
auth.revoke_refresh_tokens(uid)
user = auth.get_user(uid)
# Convert to seconds as the auth_time in the token claims is in seconds.
revocation_second = user.tokens_valid_after_timestamp / 1000
print('Tokens revoked at: {0}'.format(revocation_second))
# [END revoke_tokens]
# [START save_revocation_in_db]
metadata_ref = firebase_admin.db.reference("metadata/" + uid)
metadata_ref.set({'revokeTime': revocation_second})
# [END save_revocation_in_db]
print(uid)
firebase_admin.delete_app(default_app)
def get_user(uid):
# [START get_user]
from firebase_admin import auth
user = auth.get_user(uid)
print('Successfully fetched user data: {0}'.format(user.uid))
# [END get_user]
def get_user_by_email():
email = 'user@example.com'
# [START get_user_by_email]
from firebase_admin import auth
user = auth.get_user_by_email(email)
print('Successfully fetched user data: {0}'.format(user.uid))
# [END get_user_by_email]
def get_user_by_phone_number():
phone = '+1 555 555 0100'
# [START get_user_by_phone]
from firebase_admin import auth
user = auth.get_user_by_phone_number(phone)
print('Successfully fetched user data: {0}'.format(user.uid))
# [END get_user_by_phone]
def create_user():
# [START create_user]
user = auth.create_user(
email='user@example.com',
email_verified=False,
phone_number='+15555550100',
password='secretPassword',
display_name='John Doe',
photo_url='http://www.example.com/12345678/photo.png',
disabled=False)
print('Sucessfully created new user: {0}'.format(user.uid))
# [END create_user]
return user.uid
def create_user_with_id():
# [START create_user_with_id]
user = auth.create_user(
uid='some-uid', email='user@example.com', phone_number='+15555550100')
print('Sucessfully created new user: {0}'.format(user.uid))
# [END create_user_with_id]
def update_user(uid):
# [START update_user]
user = auth.update_user(
uid,
email='user@example.com',
phone_number='+15555550100',
email_verified=True,
password='newPassword',
display_name='John Doe',
photo_url='http://www.example.com/12345678/photo.png',
disabled=True)
print('Sucessfully updated user: {0}'.format(user.uid))
# [END update_user]
def delete_user(uid):
# [START delete_user]
auth.delete_user(uid)
print('Successfully deleted user')
# [END delete_user]
def set_custom_user_claims(uid):
# [START set_custom_user_claims]
# Set admin privilege on the user corresponding to uid.
auth.set_custom_user_claims(uid, {'admin': True})
# The new custom claims will propagate to the user's ID token the
# next time a new one is issued.
# [END set_custom_user_claims]
id_token = 'id_token'
# [START verify_custom_claims]
# Verify the ID token first.
claims = auth.verify_id_token(id_token)
if claims['admin'] is True:
# Allow access to requested admin resource.
pass
# [END verify_custom_claims]
# [START read_custom_user_claims]
# Lookup the user associated with the specified uid.
user = auth.get_user(uid)
# The claims can be accessed on the user record.
print(user.custom_claims.get('admin'))
# [END read_custom_user_claims]
def set_custom_user_claims_script():
# [START set_custom_user_claims_script]
user = auth.get_user_by_email('user@admin.example.com')
# Confirm user is verified
if user.email_verified:
# Add custom claims for additional privileges.
# This will be picked up by the user on token refresh or next sign in on new device.
auth.set_custom_user_claims(user.uid, {
'admin': True
})
# [END set_custom_user_claims_script]
def set_custom_user_claims_incremental():
# [START set_custom_user_claims_incremental]
user = auth.get_user_by_email('user@admin.example.com')
# Add incremental custom claim without overwriting existing claims.
current_custom_claims = user.custom_claims
if current_custom_claims.get('admin'):
# Add level.
current_custom_claims['accessLevel'] = 10
# Add custom claims for additional privileges.
auth.set_custom_user_claims(user.uid, current_custom_claims)
# [END set_custom_user_claims_incremental]
def list_all_users():
# [START list_all_users]
# Start listing users from the beginning, 1000 at a time.
page = auth.list_users()
while page:
for user in page.users:
print('User: ' + user.uid)
# Get next batch of users.
page = page.get_next_page()
# Iterate through all users. This will still retrieve users in batches,
# buffering no more than 1000 users in memory at a time.
for user in auth.list_users().iterate_all():
print('User: ' + user.uid)
# [END list_all_users]
def create_session_cookie(flask, app):
# [START session_login]
@app.route('/sessionLogin', methods=['POST'])
def session_login():
# Get the ID token sent by the client
id_token = flask.request.json['idToken']
# Set session expiration to 5 days.
expires_in = datetime.timedelta(days=5)
try:
# Create the session cookie. This will also verify the ID token in the process.
# The session cookie will have the same claims as the ID token.
session_cookie = auth.create_session_cookie(id_token, expires_in=expires_in)
response = flask.jsonify({'status': 'success'})
# Set cookie policy for session cookie.
expires = datetime.datetime.now() + expires_in
response.set_cookie(
'session', session_cookie, expires=expires, httponly=True, secure=True)
return response
except exceptions.FirebaseError:
return flask.abort(401, 'Failed to create a session cookie')
# [END session_login]
def check_auth_time(id_token, flask):
# [START check_auth_time]
# To ensure that cookies are set only on recently signed in users, check auth_time in
# ID token before creating a cookie.
try:
decoded_claims = auth.verify_id_token(id_token)
# Only process if the user signed in within the last 5 minutes.
if time.time() - decoded_claims['auth_time'] < 5 * 60:
expires_in = datetime.timedelta(days=5)
expires = datetime.datetime.now() + expires_in
session_cookie = auth.create_session_cookie(id_token, expires_in=expires_in)
response = flask.jsonify({'status': 'success'})
response.set_cookie(
'session', session_cookie, expires=expires, httponly=True, secure=True)
return response
# User did not sign in recently. To guard against ID token theft, require
# re-authentication.
return flask.abort(401, 'Recent sign in required')
except auth.InvalidIdTokenError:
return flask.abort(401, 'Invalid ID token')
except exceptions.FirebaseError:
return flask.abort(401, 'Failed to create a session cookie')
# [END check_auth_time]
def verfy_session_cookie(app, flask):
def serve_content_for_user(decoded_claims):
print('Serving content with claims:', decoded_claims)
return flask.jsonify({'status': 'success'})
# [START session_verify]
@app.route('/profile', methods=['POST'])
def access_restricted_content():
session_cookie = flask.request.cookies.get('session')
if not session_cookie:
# Session cookie is unavailable. Force user to login.
return flask.redirect('/login')
# Verify the session cookie. In this case an additional check is added to detect
# if the user's Firebase session was revoked, user deleted/disabled, etc.
try:
decoded_claims = auth.verify_session_cookie(session_cookie, check_revoked=True)
return serve_content_for_user(decoded_claims)
except auth.InvalidSessionCookieError:
# Session cookie is invalid, expired or revoked. Force user to login.
return flask.redirect('/login')
# [END session_verify]
def check_permissions(session_cookie, flask):
def serve_content_for_admin(decoded_claims):
print('Serving content with claims:', decoded_claims)
return flask.jsonify({'status': 'success'})
# [START session_verify_with_permission_check]
try:
decoded_claims = auth.verify_session_cookie(session_cookie, check_revoked=True)
# Check custom claims to confirm user is an admin.
if decoded_claims.get('admin') is True:
return serve_content_for_admin(decoded_claims)
else:
return flask.abort(401, 'Insufficient permissions')
except auth.InvalidSessionCookieError:
# Session cookie is invalid, expired or revoked. Force user to login.
return flask.redirect('/login')
# [END session_verify_with_permission_check]
def clear_session_cookie(app, flask):
# [START session_clear]
@app.route('/sessionLogout', methods=['POST'])
def session_logout():
response = flask.make_response(flask.redirect('/login'))
response.set_cookie('session', expires=0)
return response
# [END session_clear]
def clear_session_cookie_and_revoke(app, flask):
# [START session_clear_and_revoke]
@app.route('/sessionLogout', methods=['POST'])
def session_logout():
session_cookie = flask.request.cookies.get('session')
try:
decoded_claims = auth.verify_session_cookie(session_cookie)
auth.revoke_refresh_tokens(decoded_claims['sub'])
response = flask.make_response(flask.redirect('/login'))
response.set_cookie('session', expires=0)
return response
except auth.InvalidSessionCookieError:
return flask.redirect('/login')
# [END session_clear_and_revoke]
def import_users():
# [START build_user_list]
# Up to 1000 users can be imported at once.
users = [
auth.ImportUserRecord(
uid='uid1',
email='user1@example.com',
password_hash=b'password_hash_1',
password_salt=b'salt1'
),
auth.ImportUserRecord(
uid='uid2',
email='user2@example.com',
password_hash=b'password_hash_2',
password_salt=b'salt2'
),
]
# [END build_user_list]
# [START import_users]
hash_alg = auth.UserImportHash.hmac_sha256(key=b'secret_key')
try:
result = auth.import_users(users, hash_alg=hash_alg)
print('Successfully imported {0} users. Failed to import {1} users.'.format(
result.success_count, result.failure_count))
for err in result.errors:
print('Failed to import {0} due to {1}'.format(users[err.index].uid, err.reason))
except exceptions.FirebaseError:
# Some unrecoverable error occurred that prevented the operation from running.
pass
# [END import_users]
def import_with_hmac():
# [START import_with_hmac]
users = [
auth.ImportUserRecord(
uid='some-uid',
email='user@example.com',
password_hash=b'password_hash',
password_salt=b'salt'
),
]
hash_alg = auth.UserImportHash.hmac_sha256(key=b'secret')
try:
result = auth.import_users(users, hash_alg=hash_alg)
for err in result.errors:
print('Failed to import user:', err.reason)
except exceptions.FirebaseError as error:
print('Error importing users:', error)
# [END import_with_hmac]
def import_with_pbkdf():
# [START import_with_pbkdf]
users = [
auth.ImportUserRecord(
uid='some-uid',
email='user@example.com',
password_hash=b'password_hash',
password_salt=b'salt'
),
]
hash_alg = auth.UserImportHash.pbkdf2_sha256(rounds=100000)
try:
result = auth.import_users(users, hash_alg=hash_alg)
for err in result.errors:
print('Failed to import user:', err.reason)
except exceptions.FirebaseError as error:
print('Error importing users:', error)
# [END import_with_pbkdf]
def import_with_standard_scrypt():
# [START import_with_standard_scrypt]
users = [
auth.ImportUserRecord(
uid='some-uid',
email='user@example.com',
password_hash=b'password_hash',
password_salt=b'salt'
),
]
hash_alg = auth.UserImportHash.standard_scrypt(
memory_cost=1024, parallelization=16, block_size=8, derived_key_length=64)
try:
result = auth.import_users(users, hash_alg=hash_alg)
for err in result.errors:
print('Failed to import user:', err.reason)
except exceptions.FirebaseError as error:
print('Error importing users:', error)
# [END import_with_standard_scrypt]
def import_with_bcrypt():
# [START import_with_bcrypt]
users = [
auth.ImportUserRecord(
uid='some-uid',
email='user@example.com',
password_hash=b'password_hash',
password_salt=b'salt'
),
]
hash_alg = auth.UserImportHash.bcrypt()
try:
result = auth.import_users(users, hash_alg=hash_alg)
for err in result.errors:
print('Failed to import user:', err.reason)
except exceptions.FirebaseError as error:
print('Error importing users:', error)
# [END import_with_bcrypt]
def import_with_scrypt():
# [START import_with_scrypt]
users = [
auth.ImportUserRecord(
uid='some-uid',
email='user@example.com',
password_hash=b'password_hash',
password_salt=b'salt'
),
]
# All the parameters below can be obtained from the Firebase Console's "Users"
# section. Base64 encoded parameters must be decoded into raw bytes.
hash_alg = auth.UserImportHash.scrypt(
key=base64.b64decode('base64_secret'),
salt_separator=base64.b64decode('base64_salt_separator'),
rounds=8,
memory_cost=14
)
try:
result = auth.import_users(users, hash_alg=hash_alg)
for err in result.errors:
print('Failed to import user:', err.reason)
except exceptions.FirebaseError as error:
print('Error importing users:', error)
# [END import_with_scrypt]
def import_without_password():
# [START import_without_password]
users = [
auth.ImportUserRecord(
uid='some-uid',
display_name='John Doe',
email='johndoe@gmail.com',
photo_url='http://www.example.com/12345678/photo.png',
email_verified=True,
phone_number='+11234567890',
custom_claims={'admin': True}, # set this user as admin
provider_data=[ # user with Google provider
auth.UserProvider(
uid='google-uid',
email='johndoe@gmail.com',
display_name='John Doe',
photo_url='http://www.example.com/12345678/photo.png',
provider_id='google.com'
)
],
),
]
try:
result = auth.import_users(users)
for err in result.errors:
print('Failed to import user:', err.reason)
except exceptions.FirebaseError as error:
print('Error importing users:', error)
# [END import_without_password]
def init_action_code_settings():
# [START init_action_code_settings]
action_code_settings = auth.ActionCodeSettings(
url='https://www.example.com/checkout?cartId=1234',
handle_code_in_app=True,
ios_bundle_id='com.example.ios',
android_package_name='com.example.android',
android_install_app=True,
android_minimum_version='12',
dynamic_link_domain='coolapp.page.link',
)
# [END init_action_code_settings]
return action_code_settings
def password_reset_link():
action_code_settings = init_action_code_settings()
# [START password_reset_link]
email = 'user@example.com'
link = auth.generate_password_reset_link(email, action_code_settings)
# Construct password reset email from a template embedding the link, and send
# using a custom SMTP server.
send_custom_email(email, link)
# [END password_reset_link]
def email_verification_link():
action_code_settings = init_action_code_settings()
# [START email_verification_link]
email = 'user@example.com'
link = auth.generate_email_verification_link(email, action_code_settings)
# Construct email from a template embedding the link, and send
# using a custom SMTP server.
send_custom_email(email, link)
# [END email_verification_link]
def sign_in_with_email_link():
action_code_settings = init_action_code_settings()
# [START sign_in_with_email_link]
email = 'user@example.com'
link = auth.generate_sign_in_with_email_link(email, action_code_settings)
# Construct email from a template embedding the link, and send
# using a custom SMTP server.
send_custom_email(email, link)
# [END sign_in_with_email_link]
def send_custom_email(email, link):
del email
del link
initialize_sdk_with_service_account()
initialize_sdk_with_application_default()
#initialize_sdk_with_refresh_token()
access_services_default()
access_services_nondefault()
create_token_uid()
token_with_claims = create_token_with_claims()
#verify_token_uid()
uid = create_user()
create_user_with_id()
get_user(uid)
get_user_by_email()
get_user_by_phone_number()
update_user(uid)
set_custom_user_claims(uid)
list_all_users()
delete_user(uid)