kurrik · June 24, 2023 19:16
diff --git a/README.md b/README.md
diff --git a/googleauth.ts b/googleauth.ts
 // Taken from https://github.com/Schachte/cloudflare-google-auth/blob/master/index.ts
 // I added the code which adds `sub` to the claimset, which is the mechanism used to activate delegated auth.

 const PEM_HEADER: string = '-----BEGIN PRIVATE KEY-----'
 const PEM_FOOTER: string = '-----END PRIVATE KEY-----'

 // Simplify binding the env var to a typed object
 export interface GoogleKey {
  type: string;
  project_id: string;
  private_key_id: string;
  private_key: string;
  client_email: string;
  client_id: string;
  auth_uri: string;
  token_uri: string;
  auth_provider_x509_cert_url: string;
  client_x509_cert_url: string;
 }

 interface TokenResponse {
  access_token: string;
 }

 // Inspiration: https://gist.github.com/markelliot/6627143be1fc8209c9662c504d0ff205
 //
 // GoogleOAuth encapsulates the logic required to retrieve an access token
 // for the OAuth flow.
 export default class GoogleOAuth {
  constructor(public googleKey: GoogleKey, public scopes: string[], public delegated_account: string | null) { }

  public async getGoogleAuthToken(
  ): Promise<string | undefined> {
    const { client_email: user, private_key: key } = this.googleKey
    const scope = this.formatScopes(this.scopes)
    const jwtHeader = this.objectToBase64url({ alg: 'RS256', typ: 'JWT' })

    try {
      const assertiontime = Math.round(Date.now() / 1000)
      const expirytime = assertiontime + 3600
      let claimobj = {
        iss: user,
        scope,
        aud: 'https://oauth2.googleapis.com/token',
        exp: expirytime,
        iat: assertiontime,
        ...this.delegated_account && { sub: this.delegated_account }
      }
      const claimset = this.objectToBase64url(claimobj);

      const jwtUnsigned = `${jwtHeader}.${claimset}`
      const signedJwt = `${jwtUnsigned}.${await this.sign(jwtUnsigned, key)}`
      const body = `grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=${signedJwt}`

      const response = await fetch(this.googleKey.token_uri, {
        method: 'POST',
        headers: {
          'Content-Type': 'application/x-www-form-urlencoded',
          'Cache-Control': 'no-cache',
          Host: 'oauth2.googleapis.com',
        },
        body,
      })

      const resp = await response.json<TokenResponse>()
      return resp.access_token
    } catch (err) {
      console.error(err)
      return undefined
    }
  }

  private objectToBase64url(object: object): string {
    return this.arrayBufferToBase64Url(new TextEncoder().encode(JSON.stringify(object)))
  }

  private arrayBufferToBase64Url(buffer: ArrayBuffer): string {
    return btoa(String.fromCharCode(...new Uint8Array(buffer)))
      .replace(/=/g, '')
      .replace(/\+/g, '-')
      .replace(/\//g, '_')
  }

  private str2ab(str: string): ArrayBuffer {
    const buf = new ArrayBuffer(str.length)
    const bufView = new Uint8Array(buf)
    for (let i = 0, strLen = str.length; i < strLen; i += 1) {
      bufView[i] = str.charCodeAt(i)
    }
    return buf
  }

  private async sign(content: string, signingKey: string): Promise<string> {
    const buf = this.str2ab(content)
    const plainKey = signingKey
      .replace(/(\r\n|\n|\r)/gm, '')
      .replace(PEM_HEADER, '')
      .replace(PEM_FOOTER, '')
      .trim()

    const binaryKey = this.str2ab(atob(plainKey))
    const signer = await crypto.subtle.importKey(
      'pkcs8',
      binaryKey,
      {
        name: 'RSASSA-PKCS1-V1_5',
        hash: { name: 'SHA-256' },
      },
      false,
      ['sign'],
    )
    const binarySignature = await crypto.subtle.sign(
      { name: 'RSASSA-PKCS1-V1_5' },
      signer,
      buf,
    )
    return this.arrayBufferToBase64Url(binarySignature)
  }

  // formatScopes will create a scopes string that is formatted for the Google API
  private formatScopes(scopes: string[]): string {
    return scopes.join(' ')
  }
 }
diff --git a/index.ts b/index.ts
 // This code uses googleauth to make an authenticated call.
 // Web framework is Hono: https://hono.dev/

 import { Hono } from 'hono';
 import GoogleAuth, { GoogleKey } from './googleauth';

 const app = new Hono();

 app.get('/test', async (c) => {
  const scopes: string[] = ['https://www.googleapis.com/auth/chat.messages.readonly'];
  const env = c.env;
  if (!env) {
    return c.json({
      error: 'Invalid environment'
    });
  }

  const googleAuth: GoogleKey = JSON.parse(env.GCP_SERVICE_ACCOUNT as string)

  const oauth = new GoogleAuth(googleAuth, scopes, env.GCP_DELEGATED_ACCESS_ACCOUNT as string)
  const token = await oauth.getGoogleAuthToken()

  const res = await fetch(`https://chat.googleapis.com/v1/${env.SPACE_ID as string}/messages`, {
    method: 'GET',
    headers: {
      'Authorization': `Bearer ${token}`,
    },
  })

  const body = await res.json();
  console.log(`Body: ${JSON.stringify(body)}`)
  return c.json(body)
 });

 export default app
	// Taken from https://github.com/Schachte/cloudflare-google-auth/blob/master/index.ts
	// I added the code which adds `sub` to the claimset, which is the mechanism used to activate delegated auth.

	const PEM_HEADER: string = '-----BEGIN PRIVATE KEY-----'
	const PEM_FOOTER: string = '-----END PRIVATE KEY-----'

	// Simplify binding the env var to a typed object
	export interface GoogleKey {
	type: string;
	project_id: string;
	private_key_id: string;
	private_key: string;
	client_email: string;
	client_id: string;
	auth_uri: string;
	token_uri: string;
	auth_provider_x509_cert_url: string;
	client_x509_cert_url: string;
	}

	interface TokenResponse {
	access_token: string;
	}

	// Inspiration: https://gist.github.com/markelliot/6627143be1fc8209c9662c504d0ff205
	//
	// GoogleOAuth encapsulates the logic required to retrieve an access token
	// for the OAuth flow.
	export default class GoogleOAuth {
	constructor(public googleKey: GoogleKey, public scopes: string[], public delegated_account: string \| null) { }

	public async getGoogleAuthToken(
	): Promise<string \| undefined> {
	const { client_email: user, private_key: key } = this.googleKey
	const scope = this.formatScopes(this.scopes)
	const jwtHeader = this.objectToBase64url({ alg: 'RS256', typ: 'JWT' })

	try {
	const assertiontime = Math.round(Date.now() / 1000)
	const expirytime = assertiontime + 3600
	let claimobj = {
	iss: user,
	scope,
	aud: 'https://oauth2.googleapis.com/token',
	exp: expirytime,
	iat: assertiontime,
	...this.delegated_account && { sub: this.delegated_account }
	}
	const claimset = this.objectToBase64url(claimobj);

	const jwtUnsigned = `${jwtHeader}.${claimset}`
	const signedJwt = `${jwtUnsigned}.${await this.sign(jwtUnsigned, key)}`
	const body = `grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=${signedJwt}`

	const response = await fetch(this.googleKey.token_uri, {
	method: 'POST',
	headers: {
	'Content-Type': 'application/x-www-form-urlencoded',
	'Cache-Control': 'no-cache',
	Host: 'oauth2.googleapis.com',
	},
	body,
	})

	const resp = await response.json<TokenResponse>()
	return resp.access_token
	} catch (err) {
	console.error(err)
	return undefined
	}
	}

	private objectToBase64url(object: object): string {
	return this.arrayBufferToBase64Url(new TextEncoder().encode(JSON.stringify(object)))
	}

	private arrayBufferToBase64Url(buffer: ArrayBuffer): string {
	return btoa(String.fromCharCode(...new Uint8Array(buffer)))
	.replace(/=/g, '')
	.replace(/\+/g, '-')
	.replace(/\//g, '_')
	}

	private str2ab(str: string): ArrayBuffer {
	const buf = new ArrayBuffer(str.length)
	const bufView = new Uint8Array(buf)
	for (let i = 0, strLen = str.length; i < strLen; i += 1) {
	bufView[i] = str.charCodeAt(i)
	}
	return buf
	}

	private async sign(content: string, signingKey: string): Promise<string> {
	const buf = this.str2ab(content)
	const plainKey = signingKey
	.replace(/(\r\n\|\n\|\r)/gm, '')
	.replace(PEM_HEADER, '')
	.replace(PEM_FOOTER, '')
	.trim()

	const binaryKey = this.str2ab(atob(plainKey))
	const signer = await crypto.subtle.importKey(
	'pkcs8',
	binaryKey,
	{
	name: 'RSASSA-PKCS1-V1_5',
	hash: { name: 'SHA-256' },
	},
	false,
	['sign'],
	)
	const binarySignature = await crypto.subtle.sign(
	{ name: 'RSASSA-PKCS1-V1_5' },
	signer,
	buf,
	)
	return this.arrayBufferToBase64Url(binarySignature)
	}

	// formatScopes will create a scopes string that is formatted for the Google API
	private formatScopes(scopes: string[]): string {
	return scopes.join(' ')
	}
	}
	// This code uses googleauth to make an authenticated call.
	// Web framework is Hono: https://hono.dev/

	import { Hono } from 'hono';
	import GoogleAuth, { GoogleKey } from './googleauth';

	const app = new Hono();

	app.get('/test', async (c) => {
	const scopes: string[] = ['https://www.googleapis.com/auth/chat.messages.readonly'];
	const env = c.env;
	if (!env) {
	return c.json({
	error: 'Invalid environment'
	});
	}

	const googleAuth: GoogleKey = JSON.parse(env.GCP_SERVICE_ACCOUNT as string)

	const oauth = new GoogleAuth(googleAuth, scopes, env.GCP_DELEGATED_ACCESS_ACCOUNT as string)
	const token = await oauth.getGoogleAuthToken()

	const res = await fetch(`https://chat.googleapis.com/v1/${env.SPACE_ID as string}/messages`, {
	method: 'GET',
	headers: {
	'Authorization': `Bearer ${token}`,
	},
	})

	const body = await res.json();
	console.log(`Body: ${JSON.stringify(body)}`)
	return c.json(body)
	});

	export default app