@prmichaelsen/firebase-admin-sdk-v8 1.1.2 → 2.0.0

package/README.md

@@ -9,9 +9,10 @@ This library provides Firebase Admin SDK functionality for Cloudflare Workers an
 
 ## ✨ Features
 
-- ✅ **No Node.js Dependencies** - Pure Web APIs (crypto.subtle, fetch)
+- ✅ **Zero Dependencies** - No external dependencies, pure Web APIs (crypto.subtle, fetch)
 - ✅ **JWT Token Generation** - Service account authentication
-- ✅ **ID Token Verification** - Verify Firebase ID tokens
+- ✅ **ID Token Verification** - Verify Firebase ID tokens (supports v9 and v10 formats)
+- ✅ **Firebase v10 Compatible** - Supports both old and new token issuer formats
 - ✅ **Firestore REST API** - Full CRUD operations via REST
 - ✅ **Field Value Operations** - increment, arrayUnion, arrayRemove, serverTimestamp, delete
 - ✅ **Advanced Queries** - where, orderBy, limit, offset, cursor pagination

package/dist/index.d.mts

@@ -1,5 +1,3 @@
-import { Auth } from 'firebase-auth-cloudflare-workers';
-
 /**
  * Firebase Admin SDK v8 - Type Definitions
  */
@@ -179,17 +177,12 @@ interface BatchWriteResult {
 
 /**
  * Firebase Admin SDK v8 - Authentication
- * ID token verification using firebase-auth-cloudflare-workers
+ * ID token verification supporting both Firebase v9 and v10 token formats
  */
 
-/**
- * Get or initialize Firebase Auth instance
- * @returns {Auth} Firebase Auth instance
- * @throws {Error} If PUBLIC_FIREBASE_PROJECT_ID is not set
- */
-declare function getAuth(): Auth;
 /**
  * Verify a Firebase ID token
+ * Supports both Firebase v9 (securetoken) and v10 (session) token formats
  *
  * @param {string} idToken - Firebase ID token to verify
  * @returns {Promise<DecodedIdToken>} Decoded and verified token
@@ -217,6 +210,11 @@ declare function verifyIdToken(idToken: string): Promise<DecodedIdToken>;
  * ```
  */
 declare function getUserFromToken(idToken: string): Promise<UserInfo>;
+/**
+ * Get Auth instance (for compatibility, but not used in new implementation)
+ * @deprecated Use verifyIdToken directly
+ */
+declare function getAuth(): any;
 
 /**
  * Firebase Admin SDK v8 - Firestore REST API

package/dist/index.d.ts

@@ -1,5 +1,3 @@
-import { Auth } from 'firebase-auth-cloudflare-workers';
-
 /**
  * Firebase Admin SDK v8 - Type Definitions
  */
@@ -179,17 +177,12 @@ interface BatchWriteResult {
 
 /**
  * Firebase Admin SDK v8 - Authentication
- * ID token verification using firebase-auth-cloudflare-workers
+ * ID token verification supporting both Firebase v9 and v10 token formats
  */
 
-/**
- * Get or initialize Firebase Auth instance
- * @returns {Auth} Firebase Auth instance
- * @throws {Error} If PUBLIC_FIREBASE_PROJECT_ID is not set
- */
-declare function getAuth(): Auth;
 /**
  * Verify a Firebase ID token
+ * Supports both Firebase v9 (securetoken) and v10 (session) token formats
  *
  * @param {string} idToken - Firebase ID token to verify
  * @returns {Promise<DecodedIdToken>} Decoded and verified token
@@ -217,6 +210,11 @@ declare function verifyIdToken(idToken: string): Promise<DecodedIdToken>;
  * ```
  */
 declare function getUserFromToken(idToken: string): Promise<UserInfo>;
+/**
+ * Get Auth instance (for compatibility, but not used in new implementation)
+ * @deprecated Use verifyIdToken directly
+ */
+declare function getAuth(): any;
 
 /**
  * Firebase Admin SDK v8 - Firestore REST API

package/dist/index.js

@@ -38,9 +38,6 @@ __export(index_exports, {
 });
 module.exports = __toCommonJS(index_exports);
 
-// src/auth.ts
-var import_firebase_auth_cloudflare_workers = require("firebase-auth-cloudflare-workers");
-
 // src/service-account.ts
 function getServiceAccount() {
   const key = process.env.FIREBASE_ADMIN_SERVICE_ACCOUNT_KEY;
@@ -86,39 +83,121 @@ function getProjectId() {
 }
 
 // src/auth.ts
-var MemoryKeyStore = class {
-  constructor() {
-    this.cache = null;
-  }
-  async get() {
-    if (!this.cache) {
-      return null;
-    }
-    try {
-      return JSON.parse(this.cache);
-    } catch {
-      return null;
-    }
+var publicKeysCache = null;
+var publicKeysCacheExpiry = 0;
+async function fetchPublicKeys() {
+  if (publicKeysCache && Date.now() < publicKeysCacheExpiry) {
+    return publicKeysCache;
+  }
+  const response = await fetch(
+    "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
+  );
+  if (!response.ok) {
+    throw new Error("Failed to fetch Firebase public keys");
   }
-  async put(value, _expirationTtl) {
-    this.cache = value;
+  publicKeysCache = await response.json();
+  publicKeysCacheExpiry = Date.now() + 36e5;
+  return publicKeysCache;
+}
+function base64UrlDecode(str) {
+  let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  while (base64.length % 4) {
+    base64 += "=";
   }
-};
-var keyStore = new MemoryKeyStore();
-function getAuth() {
-  const projectId = getProjectId();
-  return import_firebase_auth_cloudflare_workers.Auth.getOrInitialize(projectId, keyStore);
+  return atob(base64);
+}
+function parseJWT(token) {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    throw new Error("Invalid JWT format");
+  }
+  const header = JSON.parse(base64UrlDecode(parts[0]));
+  const payload = JSON.parse(base64UrlDecode(parts[1]));
+  return { header, payload };
+}
+async function importPublicKey(pem) {
+  const pemContents = pem.replace("-----BEGIN CERTIFICATE-----", "").replace("-----END CERTIFICATE-----", "").replace(/\s/g, "");
+  const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
+  return await crypto.subtle.importKey(
+    "spki",
+    binaryDer,
+    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+    false,
+    ["verify"]
+  );
+}
+async function verifySignature(token, publicKey) {
+  const parts = token.split(".");
+  const signedData = `${parts[0]}.${parts[1]}`;
+  const signature = Uint8Array.from(
+    base64UrlDecode(parts[2]),
+    (c) => c.charCodeAt(0)
+  );
+  return await crypto.subtle.verify(
+    "RSASSA-PKCS1-v1_5",
+    publicKey,
+    signature,
+    new TextEncoder().encode(signedData)
+  );
 }
 async function verifyIdToken(idToken) {
   if (!idToken) {
     throw new Error("ID token is required");
   }
-  const auth = getAuth();
   try {
-    const decodedToken = await auth.verifyIdToken(idToken);
-    return decodedToken;
+    const { header, payload } = parseJWT(idToken);
+    const projectId = getProjectId();
+    if (header.alg !== "RS256") {
+      throw new Error("Invalid algorithm. Expected RS256");
+    }
+    const now = Math.floor(Date.now() / 1e3);
+    if (!payload.exp || payload.exp < now) {
+      throw new Error("Token has expired");
+    }
+    if (!payload.iat || payload.iat > now) {
+      throw new Error("Token issued in the future");
+    }
+    if (!payload.auth_time || payload.auth_time > now) {
+      throw new Error("Auth time is in the future");
+    }
+    if (payload.aud !== projectId) {
+      throw new Error(`Invalid audience. Expected ${projectId}, got ${payload.aud}`);
+    }
+    const validIssuers = [
+      `https://securetoken.google.com/${projectId}`,
+      // Firebase v9 and earlier
+      `https://session.firebase.google.com/${projectId}`
+      // Firebase v10+
+    ];
+    if (!validIssuers.includes(payload.iss)) {
+      throw new Error(
+        `Invalid issuer. Expected one of: ${validIssuers.join(", ")}, got ${payload.iss}`
+      );
+    }
+    if (!payload.sub || typeof payload.sub !== "string" || payload.sub.length === 0) {
+      throw new Error("Invalid subject");
+    }
+    if (payload.sub.length > 128) {
+      throw new Error("Subject too long");
+    }
+    const publicKeys = await fetchPublicKeys();
+    const publicKeyPem = publicKeys[header.kid];
+    if (!publicKeyPem) {
+      throw new Error("Public key not found for kid: " + header.kid);
+    }
+    const publicKey = await importPublicKey(publicKeyPem);
+    const isValid = await verifySignature(idToken, publicKey);
+    if (!isValid) {
+      throw new Error("Invalid token signature");
+    }
+    return {
+      ...payload,
+      uid: payload.sub
+    };
   } catch (error) {
-    throw new Error(`Failed to verify ID token: ${error instanceof Error ? error.message : String(error)}`);
+    throw new Error(
+      `Failed to verify ID token: ${error instanceof Error ? error.message : String(error)}`
+    );
   }
 }
 async function getUserFromToken(idToken) {
@@ -131,6 +210,11 @@ async function getUserFromToken(idToken) {
     photoURL: decodedToken.picture || null
   };
 }
+function getAuth() {
+  return {
+    verifyIdToken
+  };
+}
 
 // src/token-generation.ts
 function base64UrlEncode(str) {

package/dist/index.mjs

@@ -1,6 +1,3 @@
-// src/auth.ts
-import { Auth } from "firebase-auth-cloudflare-workers";
-
 // src/service-account.ts
 function getServiceAccount() {
   const key = process.env.FIREBASE_ADMIN_SERVICE_ACCOUNT_KEY;
@@ -46,39 +43,121 @@ function getProjectId() {
 }
 
 // src/auth.ts
-var MemoryKeyStore = class {
-  constructor() {
-    this.cache = null;
-  }
-  async get() {
-    if (!this.cache) {
-      return null;
-    }
-    try {
-      return JSON.parse(this.cache);
-    } catch {
-      return null;
-    }
+var publicKeysCache = null;
+var publicKeysCacheExpiry = 0;
+async function fetchPublicKeys() {
+  if (publicKeysCache && Date.now() < publicKeysCacheExpiry) {
+    return publicKeysCache;
+  }
+  const response = await fetch(
+    "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
+  );
+  if (!response.ok) {
+    throw new Error("Failed to fetch Firebase public keys");
   }
-  async put(value, _expirationTtl) {
-    this.cache = value;
+  publicKeysCache = await response.json();
+  publicKeysCacheExpiry = Date.now() + 36e5;
+  return publicKeysCache;
+}
+function base64UrlDecode(str) {
+  let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  while (base64.length % 4) {
+    base64 += "=";
   }
-};
-var keyStore = new MemoryKeyStore();
-function getAuth() {
-  const projectId = getProjectId();
-  return Auth.getOrInitialize(projectId, keyStore);
+  return atob(base64);
+}
+function parseJWT(token) {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    throw new Error("Invalid JWT format");
+  }
+  const header = JSON.parse(base64UrlDecode(parts[0]));
+  const payload = JSON.parse(base64UrlDecode(parts[1]));
+  return { header, payload };
+}
+async function importPublicKey(pem) {
+  const pemContents = pem.replace("-----BEGIN CERTIFICATE-----", "").replace("-----END CERTIFICATE-----", "").replace(/\s/g, "");
+  const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
+  return await crypto.subtle.importKey(
+    "spki",
+    binaryDer,
+    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+    false,
+    ["verify"]
+  );
+}
+async function verifySignature(token, publicKey) {
+  const parts = token.split(".");
+  const signedData = `${parts[0]}.${parts[1]}`;
+  const signature = Uint8Array.from(
+    base64UrlDecode(parts[2]),
+    (c) => c.charCodeAt(0)
+  );
+  return await crypto.subtle.verify(
+    "RSASSA-PKCS1-v1_5",
+    publicKey,
+    signature,
+    new TextEncoder().encode(signedData)
+  );
 }
 async function verifyIdToken(idToken) {
   if (!idToken) {
     throw new Error("ID token is required");
   }
-  const auth = getAuth();
   try {
-    const decodedToken = await auth.verifyIdToken(idToken);
-    return decodedToken;
+    const { header, payload } = parseJWT(idToken);
+    const projectId = getProjectId();
+    if (header.alg !== "RS256") {
+      throw new Error("Invalid algorithm. Expected RS256");
+    }
+    const now = Math.floor(Date.now() / 1e3);
+    if (!payload.exp || payload.exp < now) {
+      throw new Error("Token has expired");
+    }
+    if (!payload.iat || payload.iat > now) {
+      throw new Error("Token issued in the future");
+    }
+    if (!payload.auth_time || payload.auth_time > now) {
+      throw new Error("Auth time is in the future");
+    }
+    if (payload.aud !== projectId) {
+      throw new Error(`Invalid audience. Expected ${projectId}, got ${payload.aud}`);
+    }
+    const validIssuers = [
+      `https://securetoken.google.com/${projectId}`,
+      // Firebase v9 and earlier
+      `https://session.firebase.google.com/${projectId}`
+      // Firebase v10+
+    ];
+    if (!validIssuers.includes(payload.iss)) {
+      throw new Error(
+        `Invalid issuer. Expected one of: ${validIssuers.join(", ")}, got ${payload.iss}`
+      );
+    }
+    if (!payload.sub || typeof payload.sub !== "string" || payload.sub.length === 0) {
+      throw new Error("Invalid subject");
+    }
+    if (payload.sub.length > 128) {
+      throw new Error("Subject too long");
+    }
+    const publicKeys = await fetchPublicKeys();
+    const publicKeyPem = publicKeys[header.kid];
+    if (!publicKeyPem) {
+      throw new Error("Public key not found for kid: " + header.kid);
+    }
+    const publicKey = await importPublicKey(publicKeyPem);
+    const isValid = await verifySignature(idToken, publicKey);
+    if (!isValid) {
+      throw new Error("Invalid token signature");
+    }
+    return {
+      ...payload,
+      uid: payload.sub
+    };
   } catch (error) {
-    throw new Error(`Failed to verify ID token: ${error instanceof Error ? error.message : String(error)}`);
+    throw new Error(
+      `Failed to verify ID token: ${error instanceof Error ? error.message : String(error)}`
+    );
   }
 }
 async function getUserFromToken(idToken) {
@@ -91,6 +170,11 @@ async function getUserFromToken(idToken) {
     photoURL: decodedToken.picture || null
   };
 }
+function getAuth() {
+  return {
+    verifyIdToken
+  };
+}
 
 // src/token-generation.ts
 function base64UrlEncode(str) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prmichaelsen/firebase-admin-sdk-v8",
-  "version": "1.1.2",
+  "version": "2.0.0",
   "description": "Firebase Admin SDK for Cloudflare Workers and edge runtimes using REST APIs",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
@@ -37,9 +37,7 @@
   ],
   "author": "",
   "license": "MIT",
-  "dependencies": {
-    "firebase-auth-cloudflare-workers": "^2.0.6"
-  },
+  "dependencies": {},
   "devDependencies": {
     "@types/node": "^20.11.0",
     "tsup": "^8.0.1",