@lpdjs/firestore-repo-service 2.2.9-beta.2 → 2.2.9-beta.3

package/dist/{create-servers-xx0m3wwM.d.ts → create-servers-Dbmq3aN0.d.ts}

@@ -1,11 +1,11 @@
 import { S as SyncQueue } from './queue-D_-aMf4H.js';
 import { F as FirestoreSyncConfig, S as SyncEvent } from './types-CX5AbZWV.js';
-import { O as OpenAPIDocument } from './openapi-BHZ2XHgn.js';
+import { O as OpenAPIDocument } from './openapi-BSdeinkq.js';
 import * as firebase_functions_v2_https from 'firebase-functions/v2/https';
 import { onRequest, HttpsOptions } from 'firebase-functions/v2/https';
 import { a as HistoryTriggersConfig } from './read-D4xAmsbE.js';
-import { C as ConfiguredRepository, m as CrudServerOptions, l as CrudRepoConfig } from './types-C822D0dX.js';
-import { b as AdminServerOptions, A as AdminRepoConfig } from './index-Njwf8jvu.js';
+import { C as ConfiguredRepository, m as CrudServerOptions, l as CrudRepoConfig } from './types-CqXbEeXp.js';
+import { b as AdminServerOptions, A as AdminRepoConfig } from './index-CP4WoShV.js';
 
 /** Per-repo admin config with `repo` omitted (auto-bound from the registry key). */
 type BoundAdminRepoConfig<TRepo extends ConfiguredRepository<any>> = Omit<AdminRepoConfig<TRepo>, "repo">;

package/dist/{create-servers-CfLtucbQ.d.cts → create-servers-XKBCK7vV.d.cts}

@@ -1,11 +1,11 @@
 import { S as SyncQueue } from './queue-Dk1Ezhkf.cjs';
 import { F as FirestoreSyncConfig, S as SyncEvent } from './types-CX5AbZWV.cjs';
-import { O as OpenAPIDocument } from './openapi-DXUE_MEP.cjs';
+import { O as OpenAPIDocument } from './openapi-BSp3x2yW.cjs';
 import * as firebase_functions_v2_https from 'firebase-functions/v2/https';
 import { onRequest, HttpsOptions } from 'firebase-functions/v2/https';
 import { a as HistoryTriggersConfig } from './read-D4xAmsbE.cjs';
-import { C as ConfiguredRepository, m as CrudServerOptions, l as CrudRepoConfig } from './types-Z1Zy-2hs.cjs';
-import { b as AdminServerOptions, A as AdminRepoConfig } from './index-BvKyjs6k.cjs';
+import { C as ConfiguredRepository, m as CrudServerOptions, l as CrudRepoConfig } from './types-DptSRAK6.cjs';
+import { b as AdminServerOptions, A as AdminRepoConfig } from './index-BTrgC2ZA.cjs';
 
 /** Per-repo admin config with `repo` omitted (auto-bound from the registry key). */
 type BoundAdminRepoConfig<TRepo extends ConfiguredRepository<any>> = Omit<AdminRepoConfig<TRepo>, "repo">;

package/dist/firebase-auth-CBqtAeb5.d.cts

@@ -0,0 +1,309 @@
+/**
+ * Minimal zero-dependency HTTP router for Firebase Functions.
+ * Compatible with any Express-like (req, res) handler.
+ *
+ * Supports:
+ *  - Named path parameters  (e.g. "/repos/:name/:id")
+ *  - GET, POST, DELETE methods
+ *  - Global middleware (before each route)
+ *  - 404 / error fallbacks
+ *
+ * @example
+ * ```typescript
+ * import { MiniRouter } from "@lpdjs/firestore-repo-service/servers/admin";
+ *
+ * // Create router
+ * const router = new MiniRouter();
+ *
+ * // Add global middleware (executed before every route)
+ * router.use(async (req, res, next) => {
+ *   console.log(`${req.method} ${req.url}`);
+ *   await next();
+ * });
+ *
+ * // Auth middleware
+ * router.use((req, res, next) => {
+ *   if (!req.headers?.authorization) {
+ *     res.status(401).send("Unauthorized");
+ *     return;
+ *   }
+ *   next();
+ * });
+ *
+ * // Define routes with path parameters
+ * router.get("/users", async (req, res) => {
+ *   res.json({ users: await getAllUsers() });
+ * });
+ *
+ * router.get("/users/:id", async (req, res) => {
+ *   const user = await getUser(req.params.id); // Access path params
+ *   if (!user) {
+ *     res.status(404).send("User not found");
+ *     return;
+ *   }
+ *   res.json(user);
+ * });
+ *
+ * router.post("/users", async (req, res) => {
+ *   const user = await createUser(req.body);
+ *   res.status(201).json(user);
+ * });
+ *
+ * router.delete("/users/:id", async (req, res) => {
+ *   await deleteUser(req.params.id);
+ *   res.status(204).end();
+ * });
+ *
+ * // Custom 404 handler
+ * router.onNotFound((req, res) => {
+ *   res.status(404).json({ error: "Route not found", path: req.url });
+ * });
+ *
+ * // Custom error handler
+ * router.onError((err, req, res) => {
+ *   console.error("Error:", err);
+ *   res.status(500).json({ error: "Internal server error" });
+ * });
+ *
+ * // Use with Firebase Functions
+ * export const api = onRequest(async (req, res) => {
+ *   await router.handle(req, res);
+ * });
+ * ```
+ */
+type AnyReq = {
+    method?: string;
+    url?: string;
+    /** Express originalUrl — preserved before any router stripping, contains the full path including the Firebase Functions prefix */
+    originalUrl?: string;
+    path?: string;
+    headers?: Record<string, string | string[] | undefined>;
+    body?: unknown;
+    query?: Record<string, string | string[] | undefined>;
+};
+type AnyRes = {
+    status: (code: number) => AnyRes;
+    set: (key: string, value: string) => AnyRes;
+    send: (body: string) => void;
+    json: (body: unknown) => void;
+    end: () => void;
+};
+type RouteParams = Record<string, string>;
+type RouteHandler = (req: AnyReq & {
+    params: RouteParams;
+}, res: AnyRes) => void | Promise<void>;
+type Middleware = (req: AnyReq & {
+    params: RouteParams;
+}, res: AnyRes, next: () => void | Promise<void>) => void | Promise<void>;
+declare class MiniRouter {
+    private routes;
+    private middlewares;
+    private notFoundHandler;
+    private errorHandler;
+    use(middleware: Middleware): this;
+    get(path: string, handler: RouteHandler): this;
+    post(path: string, handler: RouteHandler): this;
+    put(path: string, handler: RouteHandler): this;
+    patch(path: string, handler: RouteHandler): this;
+    delete(path: string, handler: RouteHandler): this;
+    onNotFound(handler: RouteHandler): this;
+    onError(handler: (err: unknown, req: AnyReq, res: AnyRes) => void): this;
+    private addRoute;
+    handle(req: AnyReq, res: AnyRes): Promise<void>;
+    private runMiddlewareChain;
+}
+
+/**
+ * Firebase Auth helper for the admin & CRUD servers.
+ *
+ * Returns an {@link AuthExtension} ready to plug into `servers.admin()` or
+ * `servers.crud()`. Supports two transport modes:
+ *
+ * - **`cookie`** — session cookie pattern (default for admin UIs). Mounts
+ *   `/__login`, `/__session`, `/__logout` routes; the page lets the user sign
+ *   in client-side with the Firebase JS SDK and exchanges the resulting ID
+ *   token for an HttpOnly session cookie via Firebase Admin SDK.
+ * - **`bearer`** — verifies `Authorization: Bearer <idToken>` on every request
+ *   (default for REST APIs). No login routes mounted.
+ * - **`both`** — accept either cookie or bearer.
+ *
+ * The helper is **agnostic** about authorization: pass an `allow` callback
+ * returning whatever role/context shape you need. The result is exposed as
+ * `req.user.context` to downstream middlewares and route handlers.
+ *
+ * @example Admin (cookie + role trio)
+ * ```ts
+ * import { firebaseAuth } from "@lpdjs/firestore-repo-service/servers/auth";
+ * import { getAuth } from "firebase-admin/auth";
+ *
+ * servers.admin({
+ *   auth: firebaseAuth({
+ *     getAuth,
+ *     mode: "cookie",
+ *     apiKey: process.env.FIREBASE_WEB_API_KEY!,
+ *     authDomain: process.env.FIREBASE_AUTH_DOMAIN!,
+ *     allow: ({ email, claims }) => {
+ *       if (claims.superAdmin) return { role: "superAdmin" };
+ *       if (email?.endsWith("@solarpush.io")) return { role: "admin" };
+ *       if (email) return { role: "viewer" };
+ *       return null;
+ *     },
+ *   }),
+ *   repos: { ... },
+ * });
+ * ```
+ *
+ * @example CRUD (bearer + business rules per repo)
+ * ```ts
+ * servers.crud({
+ *   auth: firebaseAuth({ getAuth, mode: "bearer", allow: (u) => u }),
+ *   repos: {
+ *     comments: {
+ *       repo: repos.comments,
+ *       rules: {
+ *         list:   () => true,
+ *         get:    ({ user, doc }) => doc.public || doc.authorId === user.uid,
+ *         create: ({ user })      => !!user.uid,
+ *         update: ({ user, doc }) => user.uid === doc.authorId,
+ *         delete: ({ user, doc }) => user.claims.role === "moderator",
+ *       },
+ *     },
+ *   },
+ * });
+ * ```
+ */
+
+/**
+ * Minimal Firebase Admin Auth surface needed by this helper.
+ * Avoids a hard import of `firebase-admin/auth` so the package stays
+ * decoupled from a specific firebase-admin version.
+ */
+interface FirebaseAdminAuthLike {
+    verifyIdToken(idToken: string, checkRevoked?: boolean): Promise<DecodedIdTokenLike>;
+    verifySessionCookie(sessionCookie: string, checkRevoked?: boolean): Promise<DecodedIdTokenLike>;
+    createSessionCookie(idToken: string, sessionCookieOptions: {
+        expiresIn: number;
+    }): Promise<string>;
+    revokeRefreshTokens(uid: string): Promise<void>;
+}
+interface DecodedIdTokenLike {
+    uid: string;
+    email?: string;
+    email_verified?: boolean;
+    [claim: string]: any;
+}
+/** Identity attached to every authenticated request as `req.user`. */
+interface AuthUser<TContext = unknown> {
+    uid: string;
+    email: string | null;
+    emailVerified: boolean;
+    claims: Record<string, any>;
+    /** Result of the user-supplied `allow()` callback. */
+    context: TContext;
+}
+/** A route descriptor mounted by `firebaseAuth` before the protected chain. */
+interface AuthRoute {
+    method: "GET" | "POST";
+    path: string;
+    handler: RouteHandler;
+}
+/**
+ * Returned by {@link firebaseAuth}. Servers detect this shape (vs.
+ * `BasicAuthConfig` / raw `Middleware`) and mount the routes before pushing
+ * the middleware onto the chain.
+ */
+interface AuthExtension {
+    readonly __authExtension: true;
+    middleware: Middleware;
+    /** Auxiliary routes (login page, session, logout). Empty in pure bearer mode. */
+    routes: AuthRoute[];
+    /** Path used to redirect unauthenticated browser requests. */
+    loginPath: string;
+}
+type FirebaseAuthMode = "cookie" | "bearer" | "both";
+/** Provider configuration for the bundled login page. */
+interface FirebaseAuthLoginPageConfig {
+    /** Page title. Default: "Admin sign-in". */
+    title?: string;
+    /**
+     * Providers shown on the login page.
+     * Default: `["password", "google"]`.
+     */
+    providers?: ("password" | "google")[];
+}
+interface FirebaseAuthConfig<TContext = unknown> {
+    /** Lazy getter for the Firebase Admin Auth instance. */
+    getAuth: () => FirebaseAdminAuthLike;
+    /** Transport mode. Default: `"cookie"`. */
+    mode?: FirebaseAuthMode;
+    /**
+     * Authorization callback. Receives the verified token claims and returns:
+     * - a context object → request is allowed, exposed as `req.user.context`,
+     * - `null` → request is rejected (401 / redirect to login).
+     *
+     * If omitted, the default policy allows any authenticated user with
+     * `context = null`.
+     */
+    allow?: (user: Omit<AuthUser, "context">) => TContext | null | Promise<TContext | null>;
+    /**
+     * Whether to mount the bundled `/__login`, `/__session`, `/__logout`
+     * routes. Default: `true` for `cookie`/`both`, `false` for `bearer`.
+     */
+    loginPage?: boolean | FirebaseAuthLoginPageConfig;
+    /**
+     * Firebase Web API key required by the JS SDK on the login page.
+     * Mandatory when `loginPage` is enabled. Find it in your Firebase Console
+     * under Project Settings → General → Web app config.
+     */
+    apiKey?: string;
+    /**
+     * Firebase Auth domain (e.g. `my-project.firebaseapp.com`).
+     * Mandatory when `loginPage` is enabled.
+     */
+    authDomain?: string;
+    /** Cookie name. Default: `__admin_session`. */
+    cookieName?: string;
+    /** Session cookie TTL in days. Default: `5` (Firebase max is 14). */
+    sessionTtlDays?: number;
+    /**
+     * Cookie `Secure` flag. Default: `true`. Set to `false` only for local
+     * development over HTTP.
+     */
+    secureCookie?: boolean;
+    /** Cookie `SameSite`. Default: `"Lax"`. */
+    sameSite?: "Strict" | "Lax" | "None";
+    /**
+     * Behaviour when authentication fails or `allow()` returns `null`.
+     * - `"redirect"` (default in cookie mode) → 302 to the login page,
+     * - `"401"` (default in bearer mode)     → JSON 401 response.
+     */
+    onUnauthenticated?: "redirect" | "401";
+    /**
+     * Routes that should bypass the auth middleware (matched against the path
+     * after the basePath stripping). The auxiliary login routes are always
+     * public regardless of this option.
+     */
+    publicPaths?: (string | RegExp)[];
+}
+/**
+ * Build a Firebase Auth extension for use with `servers.admin()` or
+ * `servers.crud()`. See module-level docs for the full design and examples.
+ */
+declare function firebaseAuth<TContext = unknown>(config: FirebaseAuthConfig<TContext>): AuthExtension;
+/**
+ * Type guard: detect an {@link AuthExtension} (vs. legacy
+ * `BasicAuthConfig` / `Middleware`).
+ */
+declare function isAuthExtension(value: unknown): value is AuthExtension;
+/**
+ * Helper for explicitly opening a CRUD operation when the server has
+ * `auth` defined (bypasses the default-deny policy).
+ *
+ * @example
+ * ```ts
+ * rules: { list: allowAll, get: allowAll }
+ * ```
+ */
+declare const allowAll: () => true;
+
+export { type AuthExtension as A, type DecodedIdTokenLike as D, type FirebaseAdminAuthLike as F, MiniRouter as M, type RouteHandler as R, type Middleware as a, type AuthUser as b, allowAll as c, type AuthRoute as d, type FirebaseAuthConfig as e, firebaseAuth as f, type FirebaseAuthLoginPageConfig as g, type FirebaseAuthMode as h, isAuthExtension as i };

package/dist/firebase-auth-CBqtAeb5.d.ts

@@ -0,0 +1,309 @@
+/**
+ * Minimal zero-dependency HTTP router for Firebase Functions.
+ * Compatible with any Express-like (req, res) handler.
+ *
+ * Supports:
+ *  - Named path parameters  (e.g. "/repos/:name/:id")
+ *  - GET, POST, DELETE methods
+ *  - Global middleware (before each route)
+ *  - 404 / error fallbacks
+ *
+ * @example
+ * ```typescript
+ * import { MiniRouter } from "@lpdjs/firestore-repo-service/servers/admin";
+ *
+ * // Create router
+ * const router = new MiniRouter();
+ *
+ * // Add global middleware (executed before every route)
+ * router.use(async (req, res, next) => {
+ *   console.log(`${req.method} ${req.url}`);
+ *   await next();
+ * });
+ *
+ * // Auth middleware
+ * router.use((req, res, next) => {
+ *   if (!req.headers?.authorization) {
+ *     res.status(401).send("Unauthorized");
+ *     return;
+ *   }
+ *   next();
+ * });
+ *
+ * // Define routes with path parameters
+ * router.get("/users", async (req, res) => {
+ *   res.json({ users: await getAllUsers() });
+ * });
+ *
+ * router.get("/users/:id", async (req, res) => {
+ *   const user = await getUser(req.params.id); // Access path params
+ *   if (!user) {
+ *     res.status(404).send("User not found");
+ *     return;
+ *   }
+ *   res.json(user);
+ * });
+ *
+ * router.post("/users", async (req, res) => {
+ *   const user = await createUser(req.body);
+ *   res.status(201).json(user);
+ * });
+ *
+ * router.delete("/users/:id", async (req, res) => {
+ *   await deleteUser(req.params.id);
+ *   res.status(204).end();
+ * });
+ *
+ * // Custom 404 handler
+ * router.onNotFound((req, res) => {
+ *   res.status(404).json({ error: "Route not found", path: req.url });
+ * });
+ *
+ * // Custom error handler
+ * router.onError((err, req, res) => {
+ *   console.error("Error:", err);
+ *   res.status(500).json({ error: "Internal server error" });
+ * });
+ *
+ * // Use with Firebase Functions
+ * export const api = onRequest(async (req, res) => {
+ *   await router.handle(req, res);
+ * });
+ * ```
+ */
+type AnyReq = {
+    method?: string;
+    url?: string;
+    /** Express originalUrl — preserved before any router stripping, contains the full path including the Firebase Functions prefix */
+    originalUrl?: string;
+    path?: string;
+    headers?: Record<string, string | string[] | undefined>;
+    body?: unknown;
+    query?: Record<string, string | string[] | undefined>;
+};
+type AnyRes = {
+    status: (code: number) => AnyRes;
+    set: (key: string, value: string) => AnyRes;
+    send: (body: string) => void;
+    json: (body: unknown) => void;
+    end: () => void;
+};
+type RouteParams = Record<string, string>;
+type RouteHandler = (req: AnyReq & {
+    params: RouteParams;
+}, res: AnyRes) => void | Promise<void>;
+type Middleware = (req: AnyReq & {
+    params: RouteParams;
+}, res: AnyRes, next: () => void | Promise<void>) => void | Promise<void>;
+declare class MiniRouter {
+    private routes;
+    private middlewares;
+    private notFoundHandler;
+    private errorHandler;
+    use(middleware: Middleware): this;
+    get(path: string, handler: RouteHandler): this;
+    post(path: string, handler: RouteHandler): this;
+    put(path: string, handler: RouteHandler): this;
+    patch(path: string, handler: RouteHandler): this;
+    delete(path: string, handler: RouteHandler): this;
+    onNotFound(handler: RouteHandler): this;
+    onError(handler: (err: unknown, req: AnyReq, res: AnyRes) => void): this;
+    private addRoute;
+    handle(req: AnyReq, res: AnyRes): Promise<void>;
+    private runMiddlewareChain;
+}
+
+/**
+ * Firebase Auth helper for the admin & CRUD servers.
+ *
+ * Returns an {@link AuthExtension} ready to plug into `servers.admin()` or
+ * `servers.crud()`. Supports two transport modes:
+ *
+ * - **`cookie`** — session cookie pattern (default for admin UIs). Mounts
+ *   `/__login`, `/__session`, `/__logout` routes; the page lets the user sign
+ *   in client-side with the Firebase JS SDK and exchanges the resulting ID
+ *   token for an HttpOnly session cookie via Firebase Admin SDK.
+ * - **`bearer`** — verifies `Authorization: Bearer <idToken>` on every request
+ *   (default for REST APIs). No login routes mounted.
+ * - **`both`** — accept either cookie or bearer.
+ *
+ * The helper is **agnostic** about authorization: pass an `allow` callback
+ * returning whatever role/context shape you need. The result is exposed as
+ * `req.user.context` to downstream middlewares and route handlers.
+ *
+ * @example Admin (cookie + role trio)
+ * ```ts
+ * import { firebaseAuth } from "@lpdjs/firestore-repo-service/servers/auth";
+ * import { getAuth } from "firebase-admin/auth";
+ *
+ * servers.admin({
+ *   auth: firebaseAuth({
+ *     getAuth,
+ *     mode: "cookie",
+ *     apiKey: process.env.FIREBASE_WEB_API_KEY!,
+ *     authDomain: process.env.FIREBASE_AUTH_DOMAIN!,
+ *     allow: ({ email, claims }) => {
+ *       if (claims.superAdmin) return { role: "superAdmin" };
+ *       if (email?.endsWith("@solarpush.io")) return { role: "admin" };
+ *       if (email) return { role: "viewer" };
+ *       return null;
+ *     },
+ *   }),
+ *   repos: { ... },
+ * });
+ * ```
+ *
+ * @example CRUD (bearer + business rules per repo)
+ * ```ts
+ * servers.crud({
+ *   auth: firebaseAuth({ getAuth, mode: "bearer", allow: (u) => u }),
+ *   repos: {
+ *     comments: {
+ *       repo: repos.comments,
+ *       rules: {
+ *         list:   () => true,
+ *         get:    ({ user, doc }) => doc.public || doc.authorId === user.uid,
+ *         create: ({ user })      => !!user.uid,
+ *         update: ({ user, doc }) => user.uid === doc.authorId,
+ *         delete: ({ user, doc }) => user.claims.role === "moderator",
+ *       },
+ *     },
+ *   },
+ * });
+ * ```
+ */
+
+/**
+ * Minimal Firebase Admin Auth surface needed by this helper.
+ * Avoids a hard import of `firebase-admin/auth` so the package stays
+ * decoupled from a specific firebase-admin version.
+ */
+interface FirebaseAdminAuthLike {
+    verifyIdToken(idToken: string, checkRevoked?: boolean): Promise<DecodedIdTokenLike>;
+    verifySessionCookie(sessionCookie: string, checkRevoked?: boolean): Promise<DecodedIdTokenLike>;
+    createSessionCookie(idToken: string, sessionCookieOptions: {
+        expiresIn: number;
+    }): Promise<string>;
+    revokeRefreshTokens(uid: string): Promise<void>;
+}
+interface DecodedIdTokenLike {
+    uid: string;
+    email?: string;
+    email_verified?: boolean;
+    [claim: string]: any;
+}
+/** Identity attached to every authenticated request as `req.user`. */
+interface AuthUser<TContext = unknown> {
+    uid: string;
+    email: string | null;
+    emailVerified: boolean;
+    claims: Record<string, any>;
+    /** Result of the user-supplied `allow()` callback. */
+    context: TContext;
+}
+/** A route descriptor mounted by `firebaseAuth` before the protected chain. */
+interface AuthRoute {
+    method: "GET" | "POST";
+    path: string;
+    handler: RouteHandler;
+}
+/**
+ * Returned by {@link firebaseAuth}. Servers detect this shape (vs.
+ * `BasicAuthConfig` / raw `Middleware`) and mount the routes before pushing
+ * the middleware onto the chain.
+ */
+interface AuthExtension {
+    readonly __authExtension: true;
+    middleware: Middleware;
+    /** Auxiliary routes (login page, session, logout). Empty in pure bearer mode. */
+    routes: AuthRoute[];
+    /** Path used to redirect unauthenticated browser requests. */
+    loginPath: string;
+}
+type FirebaseAuthMode = "cookie" | "bearer" | "both";
+/** Provider configuration for the bundled login page. */
+interface FirebaseAuthLoginPageConfig {
+    /** Page title. Default: "Admin sign-in". */
+    title?: string;
+    /**
+     * Providers shown on the login page.
+     * Default: `["password", "google"]`.
+     */
+    providers?: ("password" | "google")[];
+}
+interface FirebaseAuthConfig<TContext = unknown> {
+    /** Lazy getter for the Firebase Admin Auth instance. */
+    getAuth: () => FirebaseAdminAuthLike;
+    /** Transport mode. Default: `"cookie"`. */
+    mode?: FirebaseAuthMode;
+    /**
+     * Authorization callback. Receives the verified token claims and returns:
+     * - a context object → request is allowed, exposed as `req.user.context`,
+     * - `null` → request is rejected (401 / redirect to login).
+     *
+     * If omitted, the default policy allows any authenticated user with
+     * `context = null`.
+     */
+    allow?: (user: Omit<AuthUser, "context">) => TContext | null | Promise<TContext | null>;
+    /**
+     * Whether to mount the bundled `/__login`, `/__session`, `/__logout`
+     * routes. Default: `true` for `cookie`/`both`, `false` for `bearer`.
+     */
+    loginPage?: boolean | FirebaseAuthLoginPageConfig;
+    /**
+     * Firebase Web API key required by the JS SDK on the login page.
+     * Mandatory when `loginPage` is enabled. Find it in your Firebase Console
+     * under Project Settings → General → Web app config.
+     */
+    apiKey?: string;
+    /**
+     * Firebase Auth domain (e.g. `my-project.firebaseapp.com`).
+     * Mandatory when `loginPage` is enabled.
+     */
+    authDomain?: string;
+    /** Cookie name. Default: `__admin_session`. */
+    cookieName?: string;
+    /** Session cookie TTL in days. Default: `5` (Firebase max is 14). */
+    sessionTtlDays?: number;
+    /**
+     * Cookie `Secure` flag. Default: `true`. Set to `false` only for local
+     * development over HTTP.
+     */
+    secureCookie?: boolean;
+    /** Cookie `SameSite`. Default: `"Lax"`. */
+    sameSite?: "Strict" | "Lax" | "None";
+    /**
+     * Behaviour when authentication fails or `allow()` returns `null`.
+     * - `"redirect"` (default in cookie mode) → 302 to the login page,
+     * - `"401"` (default in bearer mode)     → JSON 401 response.
+     */
+    onUnauthenticated?: "redirect" | "401";
+    /**
+     * Routes that should bypass the auth middleware (matched against the path
+     * after the basePath stripping). The auxiliary login routes are always
+     * public regardless of this option.
+     */
+    publicPaths?: (string | RegExp)[];
+}
+/**
+ * Build a Firebase Auth extension for use with `servers.admin()` or
+ * `servers.crud()`. See module-level docs for the full design and examples.
+ */
+declare function firebaseAuth<TContext = unknown>(config: FirebaseAuthConfig<TContext>): AuthExtension;
+/**
+ * Type guard: detect an {@link AuthExtension} (vs. legacy
+ * `BasicAuthConfig` / `Middleware`).
+ */
+declare function isAuthExtension(value: unknown): value is AuthExtension;
+/**
+ * Helper for explicitly opening a CRUD operation when the server has
+ * `auth` defined (bypasses the default-deny policy).
+ *
+ * @example
+ * ```ts
+ * rules: { list: allowAll, get: allowAll }
+ * ```
+ */
+declare const allowAll: () => true;
+
+export { type AuthExtension as A, type DecodedIdTokenLike as D, type FirebaseAdminAuthLike as F, MiniRouter as M, type RouteHandler as R, type Middleware as a, type AuthUser as b, allowAll as c, type AuthRoute as d, type FirebaseAuthConfig as e, firebaseAuth as f, type FirebaseAuthLoginPageConfig as g, type FirebaseAuthMode as h, isAuthExtension as i };