add working ssr authentication

Author: davidgamez

.gitignore

@@ -1,7 +1,7 @@
 # See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
 
 # dependencies
-/node_modules
+node_modules
 /.pnp
 .pnp.js
 

scripts/iap-test/.gitignore

@@ -0,0 +1,2 @@
+.env
+sa-key.json

scripts/iap-test/README.md

@@ -0,0 +1,92 @@
+# IAP Test Scripts (IAP + GCIP)
+
+This folder contains two minimal scripts to test calling an IAP-protected API:
+
+- `fetch-iap.js`: Uses a Google OIDC ID token (audience = IAP OAuth Client ID). Works when IAP uses Google accounts.
+- `fetch-gcip.js`: Uses an Identity Platform (GCIP) ID token obtained via custom token flow. Use this when IAP is configured with GCIP.
+
+## Environment
+Create `.env` based on `.env.sample`:
+
+```env
+# Common
+API_URL=https://<your-iap-domain>/<path>
+GOOGLE_SA_JSON_PATH=./sa-key.json
+
+# IAP (Google accounts)
+IAP_AUDIENCE=<your-iap-oauth-client-id>
+
+# GCIP (Identity Platform)
+GCIP_PROJECT_ID=<your-project-id>
+GCIP_API_KEY=<identity-platform-api-key>
+# optional if using multi-tenant
+GCIP_TENANT_ID=<tenant-id>
+# optional synthetic UID for the service caller
+GCIP_SERVICE_UID=iap-service-caller
+```
+
+## Install & Run
+```bash
+# Install local-only deps
+npm i google-auth-library firebase-admin node-fetch dotenv
+
+# IAP (Google accounts) flow
+node fetch-iap.js
+
+# GCIP (Identity Platform) flow
+node fetch-gcip.js
+```
+
+### Using Yarn
+```bash
+# Install
+yarn add google-auth-library firebase-admin node-fetch dotenv
+
+# IAP flow
+yarn run test:iap
+
+# GCIP flow (default)
+yarn test
+```
+
+## Notes
+- `GCIP_API_KEY` is the Web API key for Identity Platform (Firebase/GCIP). Find it in Google Cloud Console → APIs & Services → Credentials.
+- For GCIP multi-tenant, set `GCIP_TENANT_ID` and ensure the IAP resource is linked to the same tenant.
+- The Service Account must have access to mint custom tokens and (optionally) act as a service principal.# IAP ID Token Test Script
+
+Minimal Node.js script to fetch a Google-signed OIDC ID token for an IAP-protected HTTPS resource and perform a request to your API.
+
+## Prerequisites
+- Node.js 18+ installed
+- Service Account with role `roles/iap.httpsResourceAccessor`
+- IAP OAuth 2.0 Client ID (the audience)
+
+## Setup
+1. Create a service account key locally (for testing only; rotate/secure it):
+```bash
+PROJECT_ID=<your-project-id>
+gcloud iam service-accounts keys create sa-key.json \
+  --iam-account=vercel-iap-caller@${PROJECT_ID}.iam.gserviceaccount.com
+```
+
+2. Copy `.env.sample` to `.env` and fill values:
+```bash
+cp .env.sample .env
+```
+
+3. Install dependencies and run:
+```bash
+npm ci
+npm run test
+```
+
+## Environment Variables
+- `IAP_AUDIENCE`: The IAP OAuth client ID (…apps.googleusercontent.com)
+- `API_URL`: Full URL to a reachable endpoint (e.g., https://<your-iap-domain>/health)
+- `GOOGLE_SA_JSON_PATH` (preferred): Path to SA key JSON file (e.g., `./sa-key.json`).
+- `GOOGLE_SA_JSON` (optional): Inline JSON string of SA key (used if `GOOGLE_SA_JSON_PATH` not provided).
+- `LOG_JWT_CLAIMS` (optional): `true|false` print decoded JWT claims for verification.
+
+## Notes
+- For production (Vercel), store secrets in environment variables and avoid files.
+- The audience must exactly match the IAP OAuth client ID configured on the protected resource.

scripts/iap-test/fetch-gcip.js

@@ -0,0 +1,105 @@
+/*
+ * GCIP (Identity Platform) token flow for IAP when IAP is configured with GCIP.
+ * 1) Use Firebase Admin to mint a custom token for a synthetic service user.
+ * 2) Exchange the custom token for a GCIP ID token via Identity Toolkit API.
+ * 3) Call the IAP-protected API with Authorization: Bearer <GCIP ID token>.
+ */
+
+const fs = require('fs');
+const path = require('path');
+const fetch = require('node-fetch');
+const admin = require('firebase-admin');
+require('dotenv').config();
+
+function ensureEnv(name) {
+  const v = process.env[name];
+  if (!v) {
+    console.error(`Missing ${name}`);
+    process.exit(2);
+  }
+  return v;
+}
+
+async function main() {
+  const apiUrl = ensureEnv('API_URL');
+  const saJsonPath = process.env.GOOGLE_SA_JSON_PATH;
+  const saJsonInline = process.env.GOOGLE_SA_JSON;
+  const projectId = ensureEnv('GCIP_PROJECT_ID');
+  const apiKey = ensureEnv('GCIP_API_KEY');
+  const tenantId = process.env.GCIP_TENANT_ID || undefined; // optional if default tenant
+  const serviceUid = process.env.GCIP_SERVICE_UID || 'iap-service-caller';
+
+  let credentials;
+  if (saJsonPath && fs.existsSync(path.resolve(saJsonPath))) {
+    credentials = JSON.parse(fs.readFileSync(path.resolve(saJsonPath), 'utf8'));
+  } else if (saJsonInline) {
+    credentials = JSON.parse(saJsonInline);
+  } else {
+    console.error('Provide GOOGLE_SA_JSON_PATH or GOOGLE_SA_JSON');
+    process.exit(2);
+  }
+
+  if (!credentials.client_email || !credentials.private_key) {
+    console.error('Service Account JSON must include client_email and private_key');
+    process.exit(2);
+  }
+
+  if (!admin.apps.length) {
+    admin.initializeApp({
+      credential: admin.credential.cert(credentials),
+      projectId,
+    });
+  }
+
+  // Mint a custom token for a synthetic service user UID.
+  const customToken = await admin.auth().createCustomToken(serviceUid, {
+    service: true,
+  });
+
+  // Exchange the custom token for an ID token.
+  const url = `https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=${apiKey}`;
+  const body = {
+    token: customToken,
+    returnSecureToken: true,
+  };
+  if (tenantId) body.tenantId = tenantId;
+
+  const resp = await fetch(url, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(body),
+  });
+  if (!resp.ok) {
+    const errText = await resp.text();
+    console.error('Failed to exchange custom token:', resp.status, errText);
+    process.exit(1);
+  }
+  const tokens = await resp.json();
+  const idToken = tokens.idToken;
+  if (!idToken) {
+    console.error('No idToken in response');
+    process.exit(1);
+  }
+
+  // Call the IAP-protected API with GCIP ID token.
+  console.log(`Calling ${apiUrl} with GCIP ID token (tenant: ${tenantId || 'default'})...`);
+  const apiResp = await fetch(apiUrl, {
+    headers: { Authorization: `Bearer ${idToken}` },
+  });
+  console.log('Status:', apiResp.status);
+  const data = await apiResp.text();
+  if (apiResp.status >= 400) {
+    console.error('Error body:', data);
+    process.exit(1);
+  }
+  try {
+    console.log(JSON.stringify(JSON.parse(data), null, 2));
+  } catch {
+    console.log(data);
+  }
+}
+
+main().catch((e) => {
+  console.error('Unhandled error:', e);
+  process.exit(1);
+});

scripts/iap-test/fetch-iap.js

@@ -0,0 +1,110 @@
+/*
+ * Minimal script to acquire an IAP OIDC ID token and call the API.
+ * Reads configuration from environment variables (see .env.sample).
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { GoogleAuth } = require('google-auth-library');
+require('dotenv').config();
+
+function base64UrlDecode(input) {
+  // Pad input to multiple of 4 and replace URL-safe chars
+  input = input.replace(/-/g, '+').replace(/_/g, '/');
+  const pad = input.length % 4;
+  if (pad) input += '='.repeat(4 - pad);
+  return Buffer.from(input, 'base64').toString('utf8');
+}
+
+function decodeJwt(jwt) {
+  try {
+    const [header, payload] = jwt.split('.');
+    const h = JSON.parse(base64UrlDecode(header));
+    const p = JSON.parse(base64UrlDecode(payload));
+    return { header: h, payload: p };
+  } catch (e) {
+    return null;
+  }
+}
+
+async function main() {
+  const audience = process.env.IAP_AUDIENCE;
+  const apiUrl = process.env.API_URL;
+  const saJsonPath = process.env.GOOGLE_SA_JSON_PATH;
+  const saJsonInline = process.env.GOOGLE_SA_JSON;
+  const logClaims = String(process.env.LOG_JWT_CLAIMS || 'false').toLowerCase() === 'true';
+
+  if (!audience) {
+    console.error('Missing IAP_AUDIENCE');
+    process.exit(2);
+  }
+  if (!apiUrl) {
+    console.error('Missing API_URL');
+    process.exit(2);
+  }
+
+  let credentials;
+  if (saJsonPath && fs.existsSync(path.resolve(saJsonPath))) {
+    credentials = JSON.parse(fs.readFileSync(path.resolve(saJsonPath), 'utf8'));
+  } else if (saJsonInline) {
+    credentials = JSON.parse(saJsonInline);
+  } else {
+    console.error('Provide GOOGLE_SA_JSON_PATH or GOOGLE_SA_JSON');
+    process.exit(2);
+  }
+
+  const auth = new GoogleAuth({ credentials });
+  const client = await auth.getIdTokenClient(audience);
+
+  // Intercept to print the ID token (and optionally decode claims)
+  const origRequest = client.request.bind(client);
+  client.request = async (opts) => {
+    const res = await origRequest(opts);
+    return res;
+  };
+
+  // The getRequestHeaders() includes Authorization header; we can decode claims for sanity
+  const headers = await client.getRequestHeaders();
+  const token = (headers.Authorization || headers.authorization || '').replace(/^Bearer\s+/i, '');
+  if (!token) {
+    console.error('Failed to obtain ID token');
+    process.exit(1);
+  }
+  if (logClaims) {
+    const decoded = decodeJwt(token);
+    if (decoded) {
+      console.log('JWT header:', JSON.stringify(decoded.header, null, 2));
+      console.log('JWT payload:', JSON.stringify(decoded.payload, null, 2));
+      if (decoded.payload && decoded.payload.iss) {
+        console.log('JWT issuer:', decoded.payload.iss);
+      }
+      if (decoded.payload && decoded.payload.aud !== audience) {
+        console.warn('Warning: token aud does not match IAP_AUDIENCE');
+      }
+    }
+  }
+
+  console.log(`Calling ${apiUrl} with IAP audience ${audience}...`);
+  try {
+    const res = await client.request({ url: apiUrl });
+    console.log('Status:', res.status);
+    if (res.status >= 400) {
+      console.error('Error body:', res.data);
+      process.exit(1);
+    }
+    console.log(typeof res.data === 'string' ? res.data : JSON.stringify(res.data));
+  } catch (err) {
+    if (err.response) {
+      console.error('Request failed:', err.response.status, err.response.data);
+      const body = typeof err.response.data === 'string' ? err.response.data : JSON.stringify(err.response.data);
+      if (err.response.status === 401 && /Invalid GCIP ID token/i.test(body)) {
+        console.error('Hint: IAP is configured with Identity Platform (GCIP). Use fetch-gcip.js instead of fetch-iap.js.');
+      }
+    } else {
+      console.error('Error:', err.message);
+    }
+    process.exit(1);
+  }
+}
+
+main();

scripts/iap-test/package.json

@@ -0,0 +1,19 @@
+{
+  "name": "iap-test",
+  "private": true,
+  "version": "0.1.0",
+  "description": "IAP + GCIP token test scripts for IAP-protected API calls",
+  "license": "UNLICENSED",
+  "type": "commonjs",
+  "scripts": {
+    "test:iap": "node fetch-iap.js",
+    "test:gcip": "node fetch-gcip.js",
+    "test": "node fetch-gcip.js"
+  },
+  "dependencies": {
+    "dotenv": "^16.4.5",
+    "firebase-admin": "^12.3.0",
+    "google-auth-library": "^9.14.2",
+    "node-fetch": "^2.6.9"
+  }
+}