go: firebase.google.com/go/auth Index | Files

package auth

import "firebase.google.com/go/auth"

Package auth contains functions for minting custom authentication tokens, verifying Firebase ID tokens, and managing users in a Firebase project.

Index

Package Files

auth.go auth_std.go export_users.go import_users.go token_generator.go token_verifier.go user_mgt.go

func IsEmailAlreadyExists Uses

func IsEmailAlreadyExists(err error) bool

IsEmailAlreadyExists checks if the given error was due to a duplicate email.

func IsIDTokenRevoked Uses

func IsIDTokenRevoked(err error) bool

IsIDTokenRevoked checks if the given error was due to a revoked ID token.

func IsInsufficientPermission Uses

func IsInsufficientPermission(err error) bool

IsInsufficientPermission checks if the given error was due to insufficient permissions.

func IsPhoneNumberAlreadyExists Uses

func IsPhoneNumberAlreadyExists(err error) bool

IsPhoneNumberAlreadyExists checks if the given error was due to a duplicate phone number.

func IsProjectNotFound Uses

func IsProjectNotFound(err error) bool

IsProjectNotFound checks if the given error was due to a non-existing project.

func IsSessionCookieRevoked Uses

func IsSessionCookieRevoked(err error) bool

IsSessionCookieRevoked checks if the given error was due to a revoked session cookie.

func IsUIDAlreadyExists Uses

func IsUIDAlreadyExists(err error) bool

IsUIDAlreadyExists checks if the given error was due to a duplicate uid.

func IsUnknown Uses

func IsUnknown(err error) bool

IsUnknown checks if the given error was due to a unknown server error.

func IsUserNotFound Uses

func IsUserNotFound(err error) bool

IsUserNotFound checks if the given error was due to non-existing user.

type Client Uses

type Client struct {
    // contains filtered or unexported fields
}

Client is the interface for the Firebase auth service.

Client facilitates generating custom JWT tokens for Firebase clients, and verifying ID tokens issued by Firebase backend services.

func NewClient Uses

func NewClient(ctx context.Context, conf *internal.AuthConfig) (*Client, error)

NewClient creates a new instance of the Firebase Auth Client.

This function can only be invoked from within the SDK. Client applications should access the Auth service through firebase.App.

func (*Client) CreateUser Uses

func (c *Client) CreateUser(ctx context.Context, user *UserToCreate) (*UserRecord, error)

CreateUser creates a new user with the specified properties.

func (*Client) CustomToken Uses

func (c *Client) CustomToken(ctx context.Context, uid string) (string, error)

CustomToken creates a signed custom authentication token with the specified user ID.

The resulting JWT can be used in a Firebase client SDK to trigger an authentication flow. See https://firebase.google.com/docs/auth/admin/create-custom-tokens#sign_in_using_custom_tokens_on_clients for more details on how to use custom tokens for client authentication.

CustomToken follows the protocol outlined below to sign the generated tokens:

- If the SDK was initialized with service account credentials, uses the private key present in
  the credentials to sign tokens locally.
- If a service account email was specified during initialization (via firebase.Config struct),
  calls the IAM service with that email to sign tokens remotely. See
  https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signBlob.
- If the code is deployed in the Google App Engine standard environment, uses the App Identity
  service to sign tokens. See https://cloud.google.com/appengine/docs/standard/go/reference#SignBytes.
- If the code is deployed in a different GCP-managed environment (e.g. Google Compute Engine),
  uses the local Metadata server to auto discover a service account email. This is used in
  conjunction with the IAM service to sign tokens remotely.

CustomToken returns an error the SDK fails to discover a viable mechanism for signing tokens.

func (*Client) CustomTokenWithClaims Uses

func (c *Client) CustomTokenWithClaims(ctx context.Context, uid string, devClaims map[string]interface{}) (string, error)

CustomTokenWithClaims is similar to CustomToken, but in addition to the user ID, it also encodes all the key-value pairs in the provided map as claims in the resulting JWT.

func (*Client) DeleteUser Uses

func (c *Client) DeleteUser(ctx context.Context, uid string) error

DeleteUser deletes the user by the given UID.

func (*Client) GetUser Uses

func (c *Client) GetUser(ctx context.Context, uid string) (*UserRecord, error)

GetUser gets the user data corresponding to the specified user ID.

func (*Client) GetUserByEmail Uses

func (c *Client) GetUserByEmail(ctx context.Context, email string) (*UserRecord, error)

GetUserByEmail gets the user data corresponding to the specified email.

func (*Client) GetUserByPhoneNumber Uses

func (c *Client) GetUserByPhoneNumber(ctx context.Context, phone string) (*UserRecord, error)

GetUserByPhoneNumber gets the user data corresponding to the specified user phone number.

func (*Client) ImportUsers Uses

func (c *Client) ImportUsers(ctx context.Context, users []*UserToImport, opts ...UserImportOption) (*UserImportResult, error)

ImportUsers imports an array of users to Firebase Auth.

No more than 1000 users can be imported in a single call. If at least one user specifies a password, a UserImportHash must be specified as an option.

func (*Client) RevokeRefreshTokens Uses

func (c *Client) RevokeRefreshTokens(ctx context.Context, uid string) error

RevokeRefreshTokens revokes all refresh tokens issued to a user.

RevokeRefreshTokens updates the user's TokensValidAfterMillis to the current UTC second. It is important that the server on which this is called has its clock set correctly and synchronized.

While this revokes all sessions for a specified user and disables any new ID tokens for existing sessions from getting minted, existing ID tokens may remain active until their natural expiration (one hour). To verify that ID tokens are revoked, use `verifyIdTokenAndCheckRevoked(ctx, idToken)`.

func (*Client) SessionCookie Uses

func (c *Client) SessionCookie(
    ctx context.Context,
    idToken string,
    expiresIn time.Duration,
) (string, error)

SessionCookie creates a new Firebase session cookie from the given ID token and expiry duration. The returned JWT can be set as a server-side session cookie with a custom cookie policy. Expiry duration must be at least 5 minutes but may not exceed 14 days.

func (*Client) SetCustomUserClaims Uses

func (c *Client) SetCustomUserClaims(ctx context.Context, uid string, customClaims map[string]interface{}) error

SetCustomUserClaims sets additional claims on an existing user account.

Custom claims set via this function can be used to define user roles and privilege levels. These claims propagate to all the devices where the user is already signed in (after token expiration or when token refresh is forced), and next time the user signs in. The claims can be accessed via the user's ID token JWT. If a reserved OIDC claim is specified (sub, iat, iss, etc), an error is thrown. Claims payload must also not be larger then 1000 characters when serialized into a JSON string.

func (*Client) UpdateUser Uses

func (c *Client) UpdateUser(ctx context.Context, uid string, user *UserToUpdate) (ur *UserRecord, err error)

UpdateUser updates an existing user account with the specified properties.

DisplayName, PhotoURL and PhoneNumber will be set to "" to signify deleting them from the record.

func (*Client) Users Uses

func (c *Client) Users(ctx context.Context, nextPageToken string) *UserIterator

Users returns an iterator over Users.

If nextPageToken is empty, the iterator will start at the beginning. If the nextPageToken is not empty, the iterator starts after the token.

func (*Client) VerifyIDToken Uses

func (c *Client) VerifyIDToken(ctx context.Context, idToken string) (*Token, error)

VerifyIDToken verifies the signature and payload of the provided ID token.

VerifyIDToken accepts a signed JWT token string, and verifies that it is current, issued for the correct Firebase project, and signed by the Google Firebase services in the cloud. It returns a Token containing the decoded claims in the input JWT. See https://firebase.google.com/docs/auth/admin/verify-id-tokens#retrieve_id_tokens_on_clients for more details on how to obtain an ID token in a client app.

This function does not make any RPC calls most of the time. The only time it makes an RPC call is when Google public keys need to be refreshed. These keys get cached up to 24 hours, and therefore the RPC overhead gets amortized over many invocations of this function.

This does not check whether or not the token has been revoked. Use `VerifyIDTokenAndCheckRevoked()` when a revocation check is needed.

func (*Client) VerifyIDTokenAndCheckRevoked Uses

func (c *Client) VerifyIDTokenAndCheckRevoked(ctx context.Context, idToken string) (*Token, error)

VerifyIDTokenAndCheckRevoked verifies the provided ID token, and additionally checks that the token has not been revoked.

This function uses `VerifyIDToken()` internally to verify the ID token JWT. However, unlike `VerifyIDToken()` this function must make an RPC call to perform the revocation check. Developers are advised to take this additional overhead into consideration when including this function in an authorization flow that gets executed often.

func (*Client) VerifySessionCookie Uses

func (c *Client) VerifySessionCookie(ctx context.Context, sessionCookie string) (*Token, error)

VerifySessionCookie verifies the signature and payload of the provided Firebase session cookie.

VerifySessionCookie accepts a signed JWT token string, and verifies that it is current, issued for the correct Firebase project, and signed by the Google Firebase services in the cloud. It returns a Token containing the decoded claims in the input JWT. See https://firebase.google.com/docs/auth/admin/manage-cookies for more details on how to obtain a session cookie.

This function does not make any RPC calls most of the time. The only time it makes an RPC call is when Google public keys need to be refreshed. These keys get cached up to 24 hours, and therefore the RPC overhead gets amortized over many invocations of this function.

This does not check whether or not the cookie has been revoked. Use `VerifySessionCookieAndCheckRevoked()` when a revocation check is needed.

func (*Client) VerifySessionCookieAndCheckRevoked Uses

func (c *Client) VerifySessionCookieAndCheckRevoked(ctx context.Context, sessionCookie string) (*Token, error)

VerifySessionCookieAndCheckRevoked verifies the provided session cookie, and additionally checks that the cookie has not been revoked.

This function uses `VerifySessionCookie()` internally to verify the cookie JWT. However, unlike `VerifySessionCookie()` this function must make an RPC call to perform the revocation check. Developers are advised to take this additional overhead into consideration when including this function in an authorization flow that gets executed often.

type ErrorInfo Uses

type ErrorInfo struct {
    Index  int
    Reason string
}

ErrorInfo represents an error encountered while importing a single user account.

The Index field corresponds to the index of the failed user in the users array that was passed to ImportUsers().

type ExportedUserRecord Uses

type ExportedUserRecord struct {
    *UserRecord
    PasswordHash string
    PasswordSalt string
}

ExportedUserRecord is the returned user value used when listing all the users.

type Token Uses

type Token struct {
    Issuer   string                 `json:"iss"`
    Audience string                 `json:"aud"`
    Expires  int64                  `json:"exp"`
    IssuedAt int64                  `json:"iat"`
    Subject  string                 `json:"sub,omitempty"`
    UID      string                 `json:"uid,omitempty"`
    Claims   map[string]interface{} `json:"-"`
}

Token represents a decoded Firebase ID token.

Token provides typed accessors to the common JWT fields such as Audience (aud) and Expiry (exp). Additionally it provides a UID field, which indicates the user ID of the account to which this token belongs. Any additional JWT claims can be accessed via the Claims map of Token.

type UserImportHash Uses

type UserImportHash interface {
    Config() (*internal.HashConfig, error)
}

UserImportHash represents a hash algorithm and the associated configuration that can be used to hash user passwords.

A UserImportHash must be specified in the form of a UserImportOption when importing users with passwords. See ImportUsers() and WithHash() functions.

type UserImportOption Uses

type UserImportOption interface {
    // contains filtered or unexported methods
}

UserImportOption is an option for the ImportUsers() function.

func WithHash Uses

func WithHash(hash UserImportHash) UserImportOption

WithHash returns a UserImportOption that specifies a hash configuration.

type UserImportResult Uses

type UserImportResult struct {
    SuccessCount int
    FailureCount int
    Errors       []*ErrorInfo
}

UserImportResult represents the result of an ImportUsers() call.

type UserInfo Uses

type UserInfo struct {
    DisplayName string
    Email       string
    PhoneNumber string
    PhotoURL    string
    // In the ProviderUserInfo[] ProviderID can be a short domain name (e.g. google.com),
    // or the identity of an OpenID identity provider.
    // In UserRecord.UserInfo it will return the constant string "firebase".
    ProviderID string
    UID        string
}

UserInfo is a collection of standard profile information for a user.

type UserIterator Uses

type UserIterator struct {
    // contains filtered or unexported fields
}

UserIterator is an iterator over Users.

Also see: https://github.com/GoogleCloudPlatform/google-cloud-go/wiki/Iterator-Guidelines

func (*UserIterator) Next Uses

func (it *UserIterator) Next() (*ExportedUserRecord, error)

Next returns the next result. Its second return value is [iterator.Done] if there are no more results. Once Next returns [iterator.Done], all subsequent calls will return [iterator.Done].

func (*UserIterator) PageInfo Uses

func (it *UserIterator) PageInfo() *iterator.PageInfo

PageInfo supports pagination. See the google.golang.org/api/iterator package for details. Page size can be determined by the NewPager(...) function described there.

type UserMetadata Uses

type UserMetadata struct {
    CreationTimestamp  int64
    LastLogInTimestamp int64
}

UserMetadata contains additional metadata associated with a user account. Timestamps are in milliseconds since epoch.

type UserProvider Uses

type UserProvider struct {
    UID         string
    ProviderID  string
    Email       string
    DisplayName string
    PhotoURL    string
}

UserProvider represents a user identity provider.

One or more user providers can be specified for each user when importing in bulk. See UserToImport type.

type UserRecord Uses

type UserRecord struct {
    *UserInfo
    CustomClaims           map[string]interface{}
    Disabled               bool
    EmailVerified          bool
    ProviderUserInfo       []*UserInfo
    TokensValidAfterMillis int64 // milliseconds since epoch.
    UserMetadata           *UserMetadata
}

UserRecord contains metadata associated with a Firebase user account.

type UserToCreate Uses

type UserToCreate struct {
    // contains filtered or unexported fields
}

UserToCreate is the parameter struct for the CreateUser function.

func (*UserToCreate) Disabled Uses

func (u *UserToCreate) Disabled(disabled bool) *UserToCreate

Disabled setter.

func (*UserToCreate) DisplayName Uses

func (u *UserToCreate) DisplayName(name string) *UserToCreate

DisplayName setter.

func (*UserToCreate) Email Uses

func (u *UserToCreate) Email(email string) *UserToCreate

Email setter.

func (*UserToCreate) EmailVerified Uses

func (u *UserToCreate) EmailVerified(verified bool) *UserToCreate

EmailVerified setter.

func (*UserToCreate) Password Uses

func (u *UserToCreate) Password(pw string) *UserToCreate

Password setter.

func (*UserToCreate) PhoneNumber Uses

func (u *UserToCreate) PhoneNumber(phone string) *UserToCreate

PhoneNumber setter.

func (*UserToCreate) PhotoURL Uses

func (u *UserToCreate) PhotoURL(url string) *UserToCreate

PhotoURL setter.

func (*UserToCreate) UID Uses

func (u *UserToCreate) UID(uid string) *UserToCreate

UID setter.

type UserToImport Uses

type UserToImport struct {
    // contains filtered or unexported fields
}

UserToImport represents a user account that can be bulk imported into Firebase Auth.

func (*UserToImport) CustomClaims Uses

func (u *UserToImport) CustomClaims(claims map[string]interface{}) *UserToImport

CustomClaims setter.

func (*UserToImport) Disabled Uses

func (u *UserToImport) Disabled(disabled bool) *UserToImport

Disabled setter.

func (*UserToImport) DisplayName Uses

func (u *UserToImport) DisplayName(displayName string) *UserToImport

DisplayName setter.

func (*UserToImport) Email Uses

func (u *UserToImport) Email(email string) *UserToImport

Email setter.

func (*UserToImport) EmailVerified Uses

func (u *UserToImport) EmailVerified(emailVerified bool) *UserToImport

EmailVerified setter.

func (*UserToImport) Metadata Uses

func (u *UserToImport) Metadata(metadata *UserMetadata) *UserToImport

Metadata setter.

func (*UserToImport) PasswordHash Uses

func (u *UserToImport) PasswordHash(password []byte) *UserToImport

PasswordHash setter. When set a UserImportHash must be specified as an option to call ImportUsers().

func (*UserToImport) PasswordSalt Uses

func (u *UserToImport) PasswordSalt(salt []byte) *UserToImport

PasswordSalt setter.

func (*UserToImport) PhoneNumber Uses

func (u *UserToImport) PhoneNumber(phoneNumber string) *UserToImport

PhoneNumber setter.

func (*UserToImport) PhotoURL Uses

func (u *UserToImport) PhotoURL(url string) *UserToImport

PhotoURL setter.

func (*UserToImport) ProviderData Uses

func (u *UserToImport) ProviderData(providers []*UserProvider) *UserToImport

ProviderData setter.

func (*UserToImport) UID Uses

func (u *UserToImport) UID(uid string) *UserToImport

UID setter. This field is required.

type UserToUpdate Uses

type UserToUpdate struct {
    // contains filtered or unexported fields
}

UserToUpdate is the parameter struct for the UpdateUser function.

func (*UserToUpdate) CustomClaims Uses

func (u *UserToUpdate) CustomClaims(claims map[string]interface{}) *UserToUpdate

CustomClaims setter.

func (*UserToUpdate) Disabled Uses

func (u *UserToUpdate) Disabled(disabled bool) *UserToUpdate

Disabled setter.

func (*UserToUpdate) DisplayName Uses

func (u *UserToUpdate) DisplayName(name string) *UserToUpdate

DisplayName setter.

func (*UserToUpdate) Email Uses

func (u *UserToUpdate) Email(email string) *UserToUpdate

Email setter.

func (*UserToUpdate) EmailVerified Uses

func (u *UserToUpdate) EmailVerified(verified bool) *UserToUpdate

EmailVerified setter.

func (*UserToUpdate) Password Uses

func (u *UserToUpdate) Password(pw string) *UserToUpdate

Password setter.

func (*UserToUpdate) PhoneNumber Uses

func (u *UserToUpdate) PhoneNumber(phone string) *UserToUpdate

PhoneNumber setter.

func (*UserToUpdate) PhotoURL Uses

func (u *UserToUpdate) PhotoURL(url string) *UserToUpdate

PhotoURL setter.

Package auth imports 25 packages (graph) and is imported by 14 packages. Updated 2019-03-28. Refresh now. Tools for package owners.