@mastra/auth-google 0.0.0

package/dist/index.js

@@ -0,0 +1,686 @@
+import { MastraAuthProvider } from '@mastra/core/server';
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+import { createSign } from 'crypto';
+import { resolvePermissionsFromMapping, matchesPermission } from '@mastra/core/auth/ee';
+import { LRUCache } from 'lru-cache';
+
+// src/auth-provider.ts
+
+// src/types.ts
+function mapGoogleClaimsToUser(payload) {
+  const googleId = payload.sub || "";
+  const email = payload.email;
+  const hostedDomain = payload.hd;
+  const emailVerified = payload.email_verified;
+  return {
+    id: googleId,
+    googleId,
+    email,
+    name: payload.name || [payload.given_name, payload.family_name].filter(Boolean).join(" ") || email || void 0,
+    avatarUrl: payload.picture,
+    expiresAt: typeof payload.exp === "number" ? new Date(payload.exp * 1e3) : void 0,
+    hostedDomain,
+    emailVerified,
+    groups: payload.groups,
+    metadata: {
+      googleId,
+      hostedDomain,
+      emailVerified,
+      givenName: payload.given_name,
+      familyName: payload.family_name
+    }
+  };
+}
+
+// src/auth-provider.ts
+var GOOGLE_AUTHORIZATION_URL = "https://accounts.google.com/o/oauth2/v2/auth";
+var GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token";
+var GOOGLE_JWKS_URL = "https://www.googleapis.com/oauth2/v3/certs";
+var GOOGLE_ISSUERS = ["https://accounts.google.com", "accounts.google.com"];
+var DEFAULT_COOKIE_NAME = "google_session";
+var DEFAULT_COOKIE_MAX_AGE = 86400;
+var DEFAULT_SCOPES = ["openid", "profile", "email"];
+var STATE_TOKEN_EXPIRY_MS = 10 * 60 * 1e3;
+var SALT_LENGTH = 16;
+var IV_LENGTH = 12;
+function getRequestHeader(request, name) {
+  if (request instanceof Request) {
+    return request.headers.get(name);
+  }
+  return request.raw?.headers.get(name) ?? request.headers?.get(name) ?? request.header(name) ?? null;
+}
+function normalizeDomain(domain) {
+  const normalized = domain?.trim().toLowerCase().replace(/^@/, "");
+  return normalized || void 0;
+}
+function normalizeAllowedDomains(value) {
+  if (!value) return [];
+  const parts = Array.isArray(value) ? value : value.split(",");
+  return Array.from(new Set(parts.map(normalizeDomain).filter((domain) => !!domain)));
+}
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function getServerRedirectStateSuffix(state) {
+  const separatorIndex = state.indexOf("|");
+  return separatorIndex === -1 ? "" : state.slice(separatorIndex);
+}
+function getStateTokenFromCallbackState(state) {
+  const separatorIndex = state.indexOf("|");
+  return separatorIndex === -1 ? state : state.slice(0, separatorIndex);
+}
+function verifyCallbackStateSuffix(callbackState, originalState) {
+  const callbackSuffix = getServerRedirectStateSuffix(callbackState);
+  if (!callbackSuffix) return;
+  if (callbackSuffix !== getServerRedirectStateSuffix(originalState)) {
+    throw new Error("Invalid state redirect suffix");
+  }
+}
+function getExpirationMs(expiresAt) {
+  if (expiresAt === void 0 || expiresAt === null) {
+    return void 0;
+  }
+  if (expiresAt instanceof Date) {
+    return expiresAt.getTime();
+  }
+  if (typeof expiresAt === "string" || typeof expiresAt === "number") {
+    return new Date(expiresAt).getTime();
+  }
+  return Number.NaN;
+}
+async function deriveKey(password, salt, usage) {
+  const encoder = new TextEncoder();
+  const keyMaterial = await crypto.subtle.importKey("raw", encoder.encode(password), "PBKDF2", false, [
+    "deriveBits",
+    "deriveKey"
+  ]);
+  return crypto.subtle.deriveKey(
+    { name: "PBKDF2", salt, iterations: 1e5, hash: "SHA-256" },
+    keyMaterial,
+    { name: "AES-GCM", length: 256 },
+    false,
+    [usage]
+  );
+}
+async function encryptSession(data, password) {
+  const encoder = new TextEncoder();
+  const salt = crypto.getRandomValues(new Uint8Array(SALT_LENGTH));
+  const key = await deriveKey(password, salt, "encrypt");
+  const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
+  const encrypted = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, key, encoder.encode(JSON.stringify(data)));
+  const combined = new Uint8Array(salt.length + iv.length + new Uint8Array(encrypted).length);
+  combined.set(salt);
+  combined.set(iv, salt.length);
+  combined.set(new Uint8Array(encrypted), salt.length + iv.length);
+  return btoa(String.fromCharCode(...combined));
+}
+async function decryptSession(encrypted, password) {
+  const combined = Uint8Array.from(atob(encrypted), (c) => c.charCodeAt(0));
+  if (combined.length < SALT_LENGTH + IV_LENGTH + 1) {
+    throw new Error("Invalid encrypted session data");
+  }
+  const salt = combined.slice(0, SALT_LENGTH);
+  const iv = combined.slice(SALT_LENGTH, SALT_LENGTH + IV_LENGTH);
+  const data = combined.slice(SALT_LENGTH + IV_LENGTH);
+  const key = await deriveKey(password, salt, "decrypt");
+  const decrypted = await crypto.subtle.decrypt({ name: "AES-GCM", iv }, key, data);
+  return JSON.parse(new TextDecoder().decode(decrypted));
+}
+async function hmacSign(data, secret) {
+  const encoder = new TextEncoder();
+  const cryptoKey = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign("HMAC", cryptoKey, encoder.encode(data));
+  const sigBytes = new Uint8Array(signature);
+  return btoa(String.fromCharCode(...sigBytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function timingSafeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+async function createStateToken(originalState, redirectUri, nonce, secret) {
+  const payload = {
+    s: originalState,
+    r: redirectUri,
+    e: Date.now() + STATE_TOKEN_EXPIRY_MS,
+    n: nonce
+  };
+  const payloadB64 = btoa(JSON.stringify(payload));
+  const signature = await hmacSign(payloadB64, secret);
+  return `${payloadB64}.${signature}`;
+}
+async function verifyStateToken(stateToken, secret) {
+  const parts = stateToken.split(".");
+  if (parts.length !== 2) {
+    throw new Error("Invalid state token format");
+  }
+  const [payloadB64, signature] = parts;
+  const expectedSig = await hmacSign(payloadB64, secret);
+  if (!timingSafeEqual(signature, expectedSig)) {
+    throw new Error("Invalid state token signature");
+  }
+  let payload;
+  try {
+    payload = JSON.parse(atob(payloadB64));
+  } catch {
+    throw new Error("Invalid state token payload");
+  }
+  if (payload.e < Date.now()) {
+    throw new Error("State token has expired");
+  }
+  return {
+    originalState: payload.s,
+    redirectUri: payload.r,
+    nonce: payload.n
+  };
+}
+function hasExpired(payload) {
+  return typeof payload.exp === "number" && payload.exp * 1e3 < Date.now();
+}
+var MastraAuthGoogle = class extends MastraAuthProvider {
+  clientId;
+  clientSecret;
+  redirectUri;
+  scopes;
+  cookieName;
+  cookieMaxAge;
+  cookiePassword;
+  secureCookies;
+  allowedDomains;
+  hostedDomain;
+  ssoEnabled;
+  jwks;
+  constructor(options) {
+    super({ name: options?.name ?? "google" });
+    const clientId = options?.clientId ?? process.env.GOOGLE_CLIENT_ID;
+    if (!clientId) {
+      throw new Error(
+        "Google client ID is required. Provide it in the options or set GOOGLE_CLIENT_ID environment variable."
+      );
+    }
+    const allowedDomains = normalizeAllowedDomains(options?.allowedDomains ?? process.env.GOOGLE_ALLOWED_DOMAINS);
+    const configuredHostedDomain = normalizeDomain(options?.hostedDomain ?? process.env.GOOGLE_HOSTED_DOMAIN);
+    const clientSecret = options?.clientSecret ?? process.env.GOOGLE_CLIENT_SECRET;
+    const redirectUri = options?.redirectUri ?? process.env.GOOGLE_REDIRECT_URI;
+    const hasConfiguredCookiePassword = !!(options?.session?.cookiePassword ?? process.env.GOOGLE_COOKIE_PASSWORD);
+    const cookiePassword = options?.session?.cookiePassword ?? process.env.GOOGLE_COOKIE_PASSWORD ?? crypto.randomUUID() + crypto.randomUUID();
+    this.clientId = clientId;
+    this.clientSecret = clientSecret ?? null;
+    this.redirectUri = redirectUri ?? null;
+    this.scopes = options?.scopes ?? DEFAULT_SCOPES;
+    this.cookieName = options?.session?.cookieName ?? DEFAULT_COOKIE_NAME;
+    this.cookieMaxAge = options?.session?.cookieMaxAge ?? DEFAULT_COOKIE_MAX_AGE;
+    this.cookiePassword = cookiePassword;
+    this.secureCookies = options?.session?.secureCookies ?? process.env.NODE_ENV === "production";
+    this.allowedDomains = allowedDomains;
+    this.hostedDomain = configuredHostedDomain ?? (allowedDomains.length === 1 ? allowedDomains[0] : void 0);
+    this.ssoEnabled = !!clientSecret;
+    this.jwks = createRemoteJWKSet(new URL(GOOGLE_JWKS_URL));
+    if (this.ssoEnabled) {
+      if (cookiePassword.length < 32) {
+        throw new Error(
+          "Cookie password must be at least 32 characters for SSO. Set GOOGLE_COOKIE_PASSWORD environment variable."
+        );
+      }
+      if (!hasConfiguredCookiePassword) {
+        const message = "[MastraAuthGoogle] GOOGLE_COOKIE_PASSWORD is required for Google SSO in production. Set GOOGLE_COOKIE_PASSWORD or pass session.cookiePassword.";
+        if (process.env.NODE_ENV === "production") {
+          throw new Error(message);
+        }
+        console.warn(
+          `${message} Using an auto-generated value for development only; sessions will not survive restarts.`
+        );
+      }
+      this.attachSSOProvider();
+      this.attachSessionProvider();
+    }
+    this.registerOptions(options);
+  }
+  async authenticateToken(token, request) {
+    if (this.ssoEnabled && request) {
+      const sessionUser = await this.getUserFromSessionCookie(request);
+      if (sessionUser) return sessionUser;
+    }
+    if (!token || typeof token !== "string") {
+      return null;
+    }
+    try {
+      const user = await this.verifyIdToken(token);
+      return user;
+    } catch {
+      return null;
+    }
+  }
+  authorizeUser(user) {
+    if (!user?.googleId && !user?.id) return false;
+    const expiresAt = getExpirationMs(user.expiresAt);
+    if (expiresAt !== void 0 && (!Number.isFinite(expiresAt) || expiresAt < Date.now())) return false;
+    return this.isHostedDomainAllowed(user.hostedDomain);
+  }
+  async getCurrentUser(request) {
+    if (this.ssoEnabled) {
+      const sessionUser = await this.getUserFromSessionCookie(request);
+      if (sessionUser) return sessionUser;
+    }
+    const token = this.extractBearerToken(request);
+    if (!token) return null;
+    return this.authenticateToken(token, request);
+  }
+  async getUser(_userId) {
+    return null;
+  }
+  getUserProfileUrl(user) {
+    return `/user/${user.id}`;
+  }
+  isSSOEnabled() {
+    return this.ssoEnabled;
+  }
+  getAllowedDomains() {
+    return [...this.allowedDomains];
+  }
+  getHostedDomain() {
+    return this.hostedDomain;
+  }
+  getClientId() {
+    return this.clientId;
+  }
+  async verifyIdToken(token, nonce) {
+    const { payload } = await jwtVerify(token, this.jwks, {
+      issuer: GOOGLE_ISSUERS,
+      audience: this.clientId
+    });
+    if (nonce && payload.nonce !== nonce) {
+      throw new Error("Invalid Google ID token nonce");
+    }
+    if (hasExpired(payload)) {
+      throw new Error("Google ID token has expired");
+    }
+    const user = mapGoogleClaimsToUser(payload);
+    if (!user.googleId) {
+      throw new Error("Google ID token is missing subject");
+    }
+    if (!this.isHostedDomainAllowed(user.hostedDomain)) {
+      throw new Error("Google user is not in an allowed hosted domain");
+    }
+    return user;
+  }
+  isHostedDomainAllowed(hostedDomain) {
+    if (this.allowedDomains.length === 0) return true;
+    const domain = normalizeDomain(hostedDomain);
+    if (!domain) return false;
+    return this.allowedDomains.includes(domain);
+  }
+  extractBearerToken(request) {
+    const authHeader = request.headers.get("Authorization");
+    if (!authHeader) return null;
+    const token = authHeader.replace(/^Bearer\s+/i, "").trim();
+    return token || null;
+  }
+  cookieFlags(maxAge) {
+    const flags = `Path=/; HttpOnly; SameSite=Lax; Max-Age=${maxAge}`;
+    return this.secureCookies ? `${flags}; Secure` : flags;
+  }
+  async getUserFromSessionCookie(request) {
+    const cookie = getRequestHeader(request, "cookie");
+    if (!cookie) return null;
+    const match = cookie.match(new RegExp(`(?:^|;\\s*)${escapeRegex(this.cookieName)}=([^;]+)`));
+    if (!match?.[1]) return null;
+    try {
+      const sessionData = await decryptSession(decodeURIComponent(match[1]), this.cookiePassword);
+      if (sessionData.expiresAt < Date.now()) {
+        return null;
+      }
+      const userExpiresAt = getExpirationMs(sessionData.user.expiresAt);
+      if (userExpiresAt !== void 0 && (!Number.isFinite(userExpiresAt) || userExpiresAt < Date.now())) {
+        return null;
+      }
+      const { expiresAt: _expiresAt, ...sessionUser } = sessionData.user;
+      const user = {
+        ...sessionUser,
+        ...userExpiresAt !== void 0 ? { expiresAt: new Date(userExpiresAt) } : {}
+      };
+      if (!this.isHostedDomainAllowed(user.hostedDomain)) {
+        return null;
+      }
+      return user;
+    } catch {
+      return null;
+    }
+  }
+  attachSSOProvider() {
+    const self = this;
+    this.getLoginUrl = async function(redirectUri, state) {
+      const actualRedirectUri = redirectUri ?? self.redirectUri;
+      if (!actualRedirectUri) {
+        throw new Error("Redirect URI is required for Google SSO. Set GOOGLE_REDIRECT_URI or pass redirectUri.");
+      }
+      const nonce = crypto.randomUUID();
+      const signedState = await createStateToken(state, actualRedirectUri, nonce, self.cookiePassword);
+      const oauthState = `${signedState}${getServerRedirectStateSuffix(state)}`;
+      const params = new URLSearchParams({
+        client_id: self.clientId,
+        response_type: "code",
+        scope: self.scopes.join(" "),
+        redirect_uri: actualRedirectUri,
+        state: oauthState,
+        nonce
+      });
+      if (self.hostedDomain) {
+        params.set("hd", self.hostedDomain);
+      }
+      return `${GOOGLE_AUTHORIZATION_URL}?${params.toString()}`;
+    };
+    this.handleCallback = async function(code, callbackState) {
+      const signedState = getStateTokenFromCallbackState(callbackState);
+      const { originalState, redirectUri, nonce } = await verifyStateToken(signedState, self.cookiePassword);
+      verifyCallbackStateSuffix(callbackState, originalState);
+      const tokenResponse = await fetch(GOOGLE_TOKEN_URL, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          grant_type: "authorization_code",
+          code,
+          client_id: self.clientId,
+          client_secret: self.clientSecret,
+          redirect_uri: redirectUri
+        }),
+        signal: AbortSignal.timeout(1e4)
+      });
+      if (!tokenResponse.ok) {
+        const error = await tokenResponse.text();
+        throw new Error(`Google token exchange failed: ${error}`);
+      }
+      const tokens = await tokenResponse.json();
+      if (!tokens.id_token) {
+        throw new Error("Google token response did not include an ID token");
+      }
+      const user = await self.verifyIdToken(tokens.id_token, nonce);
+      const sessionData = {
+        user,
+        expiresAt: Date.now() + self.cookieMaxAge * 1e3
+      };
+      const encryptedSession = await encryptSession(sessionData, self.cookiePassword);
+      const cookieValue = `${self.cookieName}=${encodeURIComponent(encryptedSession)}; ${self.cookieFlags(self.cookieMaxAge)}`;
+      return {
+        user,
+        tokens: {
+          accessToken: tokens.access_token,
+          refreshToken: tokens.refresh_token,
+          idToken: tokens.id_token,
+          expiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+        },
+        cookies: [cookieValue]
+      };
+    };
+    this.getLoginButtonConfig = function() {
+      return {
+        provider: "google",
+        text: "Sign in with Google",
+        description: "Sign in using your Google account"
+      };
+    };
+    this.getLoginCookies = function() {
+      return [];
+    };
+    this.getLogoutUrl = async function() {
+      return null;
+    };
+  }
+  attachSessionProvider() {
+    const self = this;
+    this.createSession = async function(userId, metadata) {
+      const now = /* @__PURE__ */ new Date();
+      return {
+        id: crypto.randomUUID(),
+        userId,
+        createdAt: now,
+        expiresAt: new Date(now.getTime() + self.cookieMaxAge * 1e3),
+        metadata
+      };
+    };
+    this.validateSession = async function() {
+      return null;
+    };
+    this.destroySession = async function() {
+    };
+    this.refreshSession = async function() {
+      return null;
+    };
+    this.getSessionIdFromRequest = function(request) {
+      const cookie = request.headers.get("Cookie");
+      if (!cookie) return null;
+      const match = cookie.match(new RegExp(`(?:^|;\\s*)${escapeRegex(self.cookieName)}=([^;]+)`));
+      return match?.[1] ? decodeURIComponent(match[1]) : null;
+    };
+    this.getSessionHeaders = function() {
+      return {};
+    };
+    this.getClearSessionHeaders = function() {
+      return {
+        "Set-Cookie": `${self.cookieName}=; ${self.cookieFlags(0)}`
+      };
+    };
+  }
+};
+var OAUTH_TOKEN_URL = "https://oauth2.googleapis.com/token";
+var DIRECTORY_GROUPS_URL = "https://admin.googleapis.com/admin/directory/v1/groups";
+var DEFAULT_DIRECTORY_SCOPES = ["https://www.googleapis.com/auth/admin.directory.group.readonly"];
+var DEFAULT_CACHE_TTL_MS = 60 * 1e3;
+var DEFAULT_CACHE_MAX_SIZE = 1e3;
+var DEFAULT_FETCH_TIMEOUT_MS = 1e4;
+var MastraRBACGoogle = class {
+  options;
+  rolesCache;
+  accessToken;
+  tokenExpiresAt = 0;
+  tokenRefreshPromise;
+  get roleMapping() {
+    return this.options.roleMapping;
+  }
+  constructor(options) {
+    if (!options.roleMapping) {
+      throw new Error("Google RBAC roleMapping is required.");
+    }
+    this.options = options;
+    this.accessToken = options.accessToken;
+    this.rolesCache = new LRUCache({
+      max: options.cache?.maxSize ?? DEFAULT_CACHE_MAX_SIZE,
+      ttl: options.cache?.ttlMs ?? DEFAULT_CACHE_TTL_MS
+    });
+  }
+  async getRoles(user) {
+    if (Array.isArray(user.groups)) {
+      return user.groups;
+    }
+    const userKey = this.resolveUserKey(user);
+    if (!userKey) {
+      return [];
+    }
+    const cached = this.rolesCache.get(userKey);
+    if (cached) {
+      return cached;
+    }
+    const rolesPromise = this.fetchRolesFromGoogle(userKey).catch((err) => {
+      console.error("[MastraRBACGoogle] Failed to fetch Google Workspace groups:", err);
+      this.rolesCache.delete(userKey);
+      throw err;
+    });
+    this.rolesCache.set(userKey, rolesPromise);
+    return rolesPromise;
+  }
+  async hasRole(user, role) {
+    const roles = await this.getRoles(user);
+    return roles.includes(role);
+  }
+  async getPermissions(user) {
+    const roles = await this.getRoles(user);
+    if (roles.length === 0) {
+      return this.options.roleMapping["_default"] ?? [];
+    }
+    return resolvePermissionsFromMapping(roles, this.options.roleMapping);
+  }
+  async hasPermission(user, permission) {
+    const permissions = await this.getPermissions(user);
+    return permissions.some((granted) => matchesPermission(granted, permission));
+  }
+  async hasAllPermissions(user, permissions) {
+    const userPermissions = await this.getPermissions(user);
+    return permissions.every((required) => userPermissions.some((granted) => matchesPermission(granted, required)));
+  }
+  async hasAnyPermission(user, permissions) {
+    const userPermissions = await this.getPermissions(user);
+    return permissions.some((required) => userPermissions.some((granted) => matchesPermission(granted, required)));
+  }
+  async getAvailableRoles() {
+    return Object.keys(this.options.roleMapping).filter((key) => key !== "_default").map((key) => ({ id: key, name: key }));
+  }
+  async getPermissionsForRole(roleId) {
+    return resolvePermissionsFromMapping([roleId], this.options.roleMapping);
+  }
+  clearCache() {
+    this.rolesCache.clear();
+  }
+  clearUserCache(userKey) {
+    this.rolesCache.delete(userKey);
+  }
+  getCacheStats() {
+    return {
+      size: this.rolesCache.size,
+      maxSize: this.rolesCache.max
+    };
+  }
+  resolveUserKey(user) {
+    if (this.options.getUserKey) {
+      return this.options.getUserKey(user);
+    }
+    return user.email;
+  }
+  async fetchRolesFromGoogle(userKey) {
+    const token = await this.getToken();
+    const roles = /* @__PURE__ */ new Set();
+    let pageToken;
+    do {
+      const url = new URL(DIRECTORY_GROUPS_URL);
+      url.searchParams.set("userKey", userKey);
+      url.searchParams.set("maxResults", "200");
+      if (pageToken) {
+        url.searchParams.set("pageToken", pageToken);
+      }
+      const response = await fetch(url, {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: "application/json"
+        },
+        signal: AbortSignal.timeout(DEFAULT_FETCH_TIMEOUT_MS)
+      });
+      if (!response.ok) {
+        throw new Error(`Google Directory groups.list failed (${response.status}): ${await response.text()}`);
+      }
+      const json = await response.json();
+      for (const group of json.groups ?? []) {
+        const mappedRoles = this.options.mapGroupToRoles?.(group) ?? [group.email];
+        for (const role of mappedRoles) {
+          if (role) roles.add(role);
+        }
+      }
+      pageToken = json.nextPageToken;
+    } while (pageToken);
+    return Array.from(roles);
+  }
+  async getToken() {
+    if (this.options.getAccessToken) {
+      return this.options.getAccessToken();
+    }
+    if (this.accessToken && Date.now() < this.tokenExpiresAt - 6e4) {
+      return this.accessToken;
+    }
+    if (this.options.serviceAccount) {
+      if (!this.tokenRefreshPromise) {
+        this.tokenRefreshPromise = this.getServiceAccountToken().finally(() => {
+          this.tokenRefreshPromise = void 0;
+        });
+      }
+      return this.tokenRefreshPromise;
+    }
+    if (this.accessToken) {
+      return this.accessToken;
+    }
+    throw new Error("Google Workspace Directory authentication is not configured.");
+  }
+  async getServiceAccountToken() {
+    const account = this.options.serviceAccount;
+    const now = Math.floor(Date.now() / 1e3);
+    const header = { alg: "RS256", typ: "JWT", ...account.privateKeyId ? { kid: account.privateKeyId } : {} };
+    const claim = {
+      iss: account.clientEmail,
+      scope: (account.scopes ?? DEFAULT_DIRECTORY_SCOPES).join(" "),
+      aud: OAUTH_TOKEN_URL,
+      exp: now + 3600,
+      iat: now,
+      ...account.subject ? { sub: account.subject } : {}
+    };
+    const unsigned = `${this.base64Url(JSON.stringify(header))}.${this.base64Url(JSON.stringify(claim))}`;
+    const privateKey = this.normalizePrivateKey(account.privateKey);
+    let signature;
+    try {
+      signature = createSign("RSA-SHA256").update(unsigned).sign(privateKey, "base64url");
+    } catch (err) {
+      const hasBegin = privateKey.includes("-----BEGIN");
+      const hasEnd = privateKey.includes("-----END");
+      throw new Error(
+        `Google service account private key signing failed (${err.message}). Key has BEGIN marker: ${hasBegin}, END marker: ${hasEnd}. Ensure your .env value contains the raw PEM with \\n for newlines, without extra surrounding quotes or commas.`
+      );
+    }
+    const response = await fetch(OAUTH_TOKEN_URL, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+        assertion: `${unsigned}.${signature}`
+      }),
+      signal: AbortSignal.timeout(DEFAULT_FETCH_TIMEOUT_MS)
+    });
+    if (!response.ok) {
+      throw new Error(`Google service account token request failed (${response.status}): ${await response.text()}`);
+    }
+    const json = await response.json();
+    this.accessToken = json.access_token;
+    this.tokenExpiresAt = Date.now() + json.expires_in * 1e3;
+    return json.access_token;
+  }
+  base64Url(value) {
+    return Buffer.from(value).toString("base64url");
+  }
+  normalizePrivateKey(key) {
+    let out = key.trim();
+    for (let i = 0; i < 5; i++) {
+      const before = out;
+      if (out.endsWith(",")) out = out.slice(0, -1).trim();
+      if (out.startsWith('"') && out.endsWith('"') || out.startsWith("'") && out.endsWith("'")) {
+        out = out.slice(1, -1);
+      }
+      if (out.startsWith('\\"') && out.endsWith('\\"') || out.startsWith("\\'") && out.endsWith("\\'")) {
+        out = out.slice(2, -2);
+      }
+      if (out === before) break;
+    }
+    out = out.replace(/\\n/g, "\n");
+    out = out.replace(/\\"/g, '"').replace(/\\'/g, "'");
+    out = out.replace(/\r\n?/g, "\n");
+    if (!out.endsWith("\n")) out += "\n";
+    return out;
+  }
+};
+
+export { MastraAuthGoogle, MastraRBACGoogle, mapGoogleClaimsToUser };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map