Add the firebase site framework to carbon-lang.

firebase/.firebaserc

@@ -0,0 +1,5 @@
+{
+  "projects": {
+    "default": "carbon-language"
+  }
+}

firebase/.gitignore

@@ -0,0 +1,68 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+firebase-debug.log*
+
+# Firebase cache
+.firebase/
+
+# Firebase config
+
+# Uncomment this if you'd like others to create their own Firebase project.
+# For a team working on the same Firebase project(s), it is recommended to leave
+# it commented so all members can deploy to the same project(s) in .firebaserc.
+# .firebaserc
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (http://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.env
+
+# npm package-lock
+package-lock.json

firebase/.npmrc

@@ -0,0 +1 @@
+package-lock=false

firebase/README.md

@@ -0,0 +1,4 @@
+Generated documentation goes to a minimal site at carbon-lang.dev.
+
+This is the framework for that site, including authorization. Only
+carbon-language members should be able to access the site.

firebase/firebase.json

@@ -0,0 +1,16 @@
+{
+  "hosting": {
+    "public": "public",
+    "rewrites": [
+      {
+        "source":"**/*",
+        "function":"site"
+      }
+    ],
+    "ignore": [
+      "firebase.json",
+      "**/.*",
+      "**/node_modules/**"
+    ]
+  }
+}

firebase/functions/.gitignore

@@ -0,0 +1 @@
+node_modules/

firebase/functions/index.js

@@ -0,0 +1,84 @@
+// Part of the Carbon Language, under the Apache License v2.0 with LLVM
+// Exceptions.
+// See /LICENSE for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+'use strict';
+
+const functions = require('firebase-functions');
+const admin = require('firebase-admin');
+admin.initializeApp();
+const express = require('express');
+const cookieParser = require('cookie-parser')();
+const cors = require('cors')({origin: true});
+const app = express();
+
+const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');
+const secrets = new SecretManagerServiceClient();
+
+const { Octokit } = require('@octokit/rest');
+
+const {Storage} = require('@google-cloud/storage');
+const gcs = new Storage();
+
+// Checks for a session cookie. If present, the content will be added as
+// req.user.
+const validateFirebaseIdToken = async (req, res, next) => {
+  if (!req.cookies || !req.cookies.__session) {
+    // Not logged in.
+    res.redirect(302, "/login.html");
+    return;
+  }
+
+  // Validate the cookie, and get user info from it.
+  const idToken = req.cookies.__session;
+  try {
+    req.user = await admin.auth().verifyIdToken(idToken);
+  } catch (error) {
+    // Invalid login, use logout to clear it.
+    res.redirect(302, "/logout.html");
+    return;
+  }
+
+  // Load the GitHub auth token. The associated secret is attached to the
+  // CarbonLangInfra GitHub account.
+  const [secret] = await secrets.accessSecretVersion({
+    name: 'projects/985662022432/secrets/github-org-lookup-token-for-www/versions/latest',
+  });
+  const octokit = new Octokit({
+    auth: secret.payload.data.toString('utf8'),
+  });
+
+  // Validate that the GitHub user is in carbon-language.
+  const { data: members } = await octokit.orgs.listMembers({
+    org: 'carbon-language',
+  });
+  const wantId = req.user.firebase.identities["github.com"][0];
+  for (var i = 0; i < members.length; ++i) {
+    if (members[i].id == wantId) {
+      next();
+      return;
+    }
+  }
+
+  // No access, force logout.
+  res.redirect(302, "/logout.html");
+};
+
+app.use(cors);
+app.use(cookieParser);
+app.use(validateFirebaseIdToken);
+
+app.get('*', (req, res) => {
+  // Serve the requested data from the carbon-lang bucket.
+  const bucket = gcs.bucket("gs://www.carbon-lang.dev");
+  const stream = bucket.file(req.path.replace(/^(\/)/, "")).createReadStream();
+  //stream.on('error', function(err) { res.status(404).send(err.message); });
+  stream.on('error', function(err) {
+    console.log(err.message);
+    res.status(404).send("Not found");
+  });
+  stream.pipe(res);
+});
+
+exports.site = functions.https.onRequest(app);

firebase/functions/package.json

@@ -0,0 +1,27 @@
+{
+  "name": "functions",
+  "description": "Cloud Functions for Firebase",
+  "scripts": {
+    "serve": "firebase emulators:start --only functions",
+    "shell": "firebase functions:shell",
+    "start": "npm run shell",
+    "deploy": "firebase deploy --only functions",
+    "logs": "firebase functions:log"
+  },
+  "engines": {
+    "node": "10"
+  },
+  "dependencies": {
+    "@google-cloud/secret-manager": "^3.0.0",
+    "@google-cloud/storage": "^4.3.1",
+    "@octokit/rest": "^17.6.0",
+    "cookie-parser": "^1.4.5",
+    "cors": "^2.8.5",
+    "firebase-admin": "^8.10.0",
+    "firebase-functions": "^3.6.1"
+  },
+  "devDependencies": {
+    "firebase-functions-test": "^0.2.0"
+  },
+  "private": true
+}

firebase/public/login.html

@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!--
+Part of the Carbon Language, under the Apache License v2.0 with LLVM Exceptions.
+See /LICENSE for license information.
+SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+-->
+<html>
+<head>
+  <title>Carbon: Login</title>
+  <script src="/__/firebase/7.14.0/firebase-app.js"></script>
+  <script src="/__/firebase/7.14.0/firebase-auth.js"></script>
+  <script src="/__/firebase/init.js"></script>
+  <script type="text/javascript">
+    function login() {
+      var provider = new firebase.auth.GithubAuthProvider();
+      firebase.auth().signInWithPopup(provider).then(function(result) {
+        var user = result.user;
+        user.getIdToken(true).then(function(token) {
+          document.cookie = '__session=' + token + ';max-age=25920000';
+          window.location.href = window.location.href.replace(
+              "/login.html", "/index.html");
+        });
+      });
+    };
+
+    firebase.auth().onAuthStateChanged(function(user) {
+      // If there's no user, we can redirect.
+      if (!user) redirect();
+    });
+
+    window.onload = function() {
+      document.cookie = "__session=; expires=Thu, 01 Jan 1970 00:00:00 GMT";
+      firebase.auth().signOut();
+    };
+  </script>
+</head>
+<body>
+<p>Currently logged out.</p>
+
+<button onclick="login()">Log in using GitHub</button>
+</body>
+</html>

firebase/public/logout.html

@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<!--
+Part of the Carbon Language, under the Apache License v2.0 with LLVM Exceptions.
+See /LICENSE for license information.
+SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+-->
+<html>
+<head>
+  <title>Carbon: Access denied -- logging out</title>
+  <script src="/__/firebase/7.14.0/firebase-app.js"></script>
+  <script src="/__/firebase/7.14.0/firebase-auth.js"></script>
+  <script src="/__/firebase/init.js"></script>
+  <script type="text/javascript">
+    function redirect() {
+      // Re-clear the cookie, just in case.
+      document.cookie = "__session=; expires=Thu, 01 Jan 1970 00:00:00 GMT";
+      window.location.href = window.location.href.replace(
+          "/logout.html", "/login.html");
+    };
+
+    firebase.auth().onAuthStateChanged(function(user) {
+      // If there's no user, we can redirect.
+      if (!user) redirect();
+    });
+
+    window.onload = function() {
+      document.cookie = "__session=; expires=Thu, 01 Jan 1970 00:00:00 GMT";
+      firebase.auth().signOut();
+    };
+  </script>
+</head>
+<body>
+Access denied -- logging out
+</body>
+</html>