@prmichaelsen/firebase-admin-sdk-v8 2.0.1 → 2.0.4

package/dist/index.js

@@ -82,21 +82,113 @@ function getProjectId() {
   return projectId;
 }
 
+// src/x509.ts
+function decodeBase64(str) {
+  const binary = atob(str);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+function parseElement(bytes) {
+  let position = 0;
+  let tag = bytes[0] & 31;
+  position++;
+  if (tag === 31) {
+    tag = 0;
+    while (bytes[position] >= 128) {
+      tag = tag * 128 + bytes[position] - 128;
+      position++;
+    }
+    tag = tag * 128 + bytes[position] - 128;
+    position++;
+  }
+  let length = 0;
+  if (bytes[position] < 128) {
+    length = bytes[position];
+    position++;
+  } else if (bytes[position] === 128) {
+    length = 0;
+    while (bytes[position + length] !== 0 || bytes[position + length + 1] !== 0) {
+      if (length > bytes.byteLength) {
+        throw new TypeError("Invalid indefinite form length");
+      }
+      length++;
+    }
+    const byteLength2 = position + length + 2;
+    return {
+      byteLength: byteLength2,
+      contents: bytes.subarray(position, position + length),
+      raw: bytes.subarray(0, byteLength2)
+    };
+  } else {
+    const numberOfDigits = bytes[position] & 127;
+    position++;
+    length = 0;
+    for (let i = 0; i < numberOfDigits; i++) {
+      length = length * 256 + bytes[position];
+      position++;
+    }
+  }
+  const byteLength = position + length;
+  return {
+    byteLength,
+    contents: bytes.subarray(position, byteLength),
+    raw: bytes.subarray(0, byteLength)
+  };
+}
+function getElement(seq) {
+  const result = [];
+  let next = 0;
+  while (next < seq.length) {
+    const nextPart = parseElement(seq.subarray(next));
+    result.push(nextPart);
+    next += nextPart.byteLength;
+  }
+  return result;
+}
+async function spkiFromX509(buf) {
+  const tbsCertificate = getElement(
+    getElement(parseElement(buf).contents)[0].contents
+  );
+  const spki = tbsCertificate[tbsCertificate[0].raw[0] === 160 ? 6 : 5].raw;
+  return await crypto.subtle.importKey(
+    "spki",
+    spki,
+    {
+      name: "RSASSA-PKCS1-v1_5",
+      hash: "SHA-256"
+    },
+    true,
+    ["verify"]
+  );
+}
+async function importPublicKeyFromX509(pem) {
+  const base64 = pem.replace(/(?:-----(?:BEGIN|END) CERTIFICATE-----|\s)/g, "");
+  const raw = decodeBase64(base64);
+  return await spkiFromX509(raw);
+}
+
 // src/auth.ts
 var publicKeysCache = null;
 var publicKeysCacheExpiry = 0;
-async function fetchPublicKeys() {
+async function fetchPublicKeys(issuer) {
+  let endpoint = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
+  if (issuer && issuer.includes("session.firebase.google.com")) {
+    endpoint = "https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys";
+  }
   if (publicKeysCache && Date.now() < publicKeysCacheExpiry) {
     return publicKeysCache;
   }
-  const response = await fetch(
-    "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
-  );
+  console.log(`[fetchPublicKeys] Fetching from: ${endpoint}`);
+  const response = await fetch(endpoint);
   if (!response.ok) {
-    throw new Error("Failed to fetch Firebase public keys");
+    throw new Error(`Failed to fetch Firebase public keys from ${endpoint}`);
   }
   publicKeysCache = await response.json();
   publicKeysCacheExpiry = Date.now() + 36e5;
+  console.log(`[fetchPublicKeys] Fetched ${Object.keys(publicKeysCache || {}).length} keys`);
   return publicKeysCache;
 }
 function base64UrlDecode(str) {
@@ -115,17 +207,6 @@ function parseJWT(token) {
   const payload = JSON.parse(base64UrlDecode(parts[1]));
   return { header, payload };
 }
-async function importPublicKey(pem) {
-  const pemContents = pem.replace("-----BEGIN CERTIFICATE-----", "").replace("-----END CERTIFICATE-----", "").replace(/\s/g, "");
-  const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
-  return await crypto.subtle.importKey(
-    "spki",
-    binaryDer,
-    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
-    false,
-    ["verify"]
-  );
-}
 async function verifySignature(token, publicKey) {
   const parts = token.split(".");
   const signedData = `${parts[0]}.${parts[1]}`;
@@ -180,12 +261,22 @@ async function verifyIdToken(idToken) {
     if (payload.sub.length > 128) {
       throw new Error("Subject too long");
     }
-    const publicKeys = await fetchPublicKeys();
-    const publicKeyPem = publicKeys[header.kid];
+    let publicKeys = await fetchPublicKeys(payload.iss);
+    let publicKeyPem = publicKeys[header.kid];
     if (!publicKeyPem) {
-      throw new Error("Public key not found for kid: " + header.kid);
+      console.log(`[verifyIdToken] Key ${header.kid} not found in cache, refreshing keys...`);
+      publicKeysCache = null;
+      publicKeysCacheExpiry = 0;
+      publicKeys = await fetchPublicKeys(payload.iss);
+      publicKeyPem = publicKeys[header.kid];
+      if (!publicKeyPem) {
+        const availableKids = Object.keys(publicKeys).join(", ");
+        throw new Error(
+          `Public key not found for kid: ${header.kid}. Available kids: ${availableKids}. This might indicate the token is from a different Firebase project or was signed with a very old key.`
+        );
+      }
     }
-    const publicKey = await importPublicKey(publicKeyPem);
+    const publicKey = await importPublicKeyFromX509(publicKeyPem);
     const isValid = await verifySignature(idToken, publicKey);
     if (!isValid) {
       throw new Error("Invalid token signature");

package/dist/index.mjs

@@ -42,21 +42,113 @@ function getProjectId() {
   return projectId;
 }
 
+// src/x509.ts
+function decodeBase64(str) {
+  const binary = atob(str);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+function parseElement(bytes) {
+  let position = 0;
+  let tag = bytes[0] & 31;
+  position++;
+  if (tag === 31) {
+    tag = 0;
+    while (bytes[position] >= 128) {
+      tag = tag * 128 + bytes[position] - 128;
+      position++;
+    }
+    tag = tag * 128 + bytes[position] - 128;
+    position++;
+  }
+  let length = 0;
+  if (bytes[position] < 128) {
+    length = bytes[position];
+    position++;
+  } else if (bytes[position] === 128) {
+    length = 0;
+    while (bytes[position + length] !== 0 || bytes[position + length + 1] !== 0) {
+      if (length > bytes.byteLength) {
+        throw new TypeError("Invalid indefinite form length");
+      }
+      length++;
+    }
+    const byteLength2 = position + length + 2;
+    return {
+      byteLength: byteLength2,
+      contents: bytes.subarray(position, position + length),
+      raw: bytes.subarray(0, byteLength2)
+    };
+  } else {
+    const numberOfDigits = bytes[position] & 127;
+    position++;
+    length = 0;
+    for (let i = 0; i < numberOfDigits; i++) {
+      length = length * 256 + bytes[position];
+      position++;
+    }
+  }
+  const byteLength = position + length;
+  return {
+    byteLength,
+    contents: bytes.subarray(position, byteLength),
+    raw: bytes.subarray(0, byteLength)
+  };
+}
+function getElement(seq) {
+  const result = [];
+  let next = 0;
+  while (next < seq.length) {
+    const nextPart = parseElement(seq.subarray(next));
+    result.push(nextPart);
+    next += nextPart.byteLength;
+  }
+  return result;
+}
+async function spkiFromX509(buf) {
+  const tbsCertificate = getElement(
+    getElement(parseElement(buf).contents)[0].contents
+  );
+  const spki = tbsCertificate[tbsCertificate[0].raw[0] === 160 ? 6 : 5].raw;
+  return await crypto.subtle.importKey(
+    "spki",
+    spki,
+    {
+      name: "RSASSA-PKCS1-v1_5",
+      hash: "SHA-256"
+    },
+    true,
+    ["verify"]
+  );
+}
+async function importPublicKeyFromX509(pem) {
+  const base64 = pem.replace(/(?:-----(?:BEGIN|END) CERTIFICATE-----|\s)/g, "");
+  const raw = decodeBase64(base64);
+  return await spkiFromX509(raw);
+}
+
 // src/auth.ts
 var publicKeysCache = null;
 var publicKeysCacheExpiry = 0;
-async function fetchPublicKeys() {
+async function fetchPublicKeys(issuer) {
+  let endpoint = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
+  if (issuer && issuer.includes("session.firebase.google.com")) {
+    endpoint = "https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys";
+  }
   if (publicKeysCache && Date.now() < publicKeysCacheExpiry) {
     return publicKeysCache;
   }
-  const response = await fetch(
-    "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
-  );
+  console.log(`[fetchPublicKeys] Fetching from: ${endpoint}`);
+  const response = await fetch(endpoint);
   if (!response.ok) {
-    throw new Error("Failed to fetch Firebase public keys");
+    throw new Error(`Failed to fetch Firebase public keys from ${endpoint}`);
   }
   publicKeysCache = await response.json();
   publicKeysCacheExpiry = Date.now() + 36e5;
+  console.log(`[fetchPublicKeys] Fetched ${Object.keys(publicKeysCache || {}).length} keys`);
   return publicKeysCache;
 }
 function base64UrlDecode(str) {
@@ -75,17 +167,6 @@ function parseJWT(token) {
   const payload = JSON.parse(base64UrlDecode(parts[1]));
   return { header, payload };
 }
-async function importPublicKey(pem) {
-  const pemContents = pem.replace("-----BEGIN CERTIFICATE-----", "").replace("-----END CERTIFICATE-----", "").replace(/\s/g, "");
-  const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
-  return await crypto.subtle.importKey(
-    "spki",
-    binaryDer,
-    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
-    false,
-    ["verify"]
-  );
-}
 async function verifySignature(token, publicKey) {
   const parts = token.split(".");
   const signedData = `${parts[0]}.${parts[1]}`;
@@ -140,12 +221,22 @@ async function verifyIdToken(idToken) {
     if (payload.sub.length > 128) {
       throw new Error("Subject too long");
     }
-    const publicKeys = await fetchPublicKeys();
-    const publicKeyPem = publicKeys[header.kid];
+    let publicKeys = await fetchPublicKeys(payload.iss);
+    let publicKeyPem = publicKeys[header.kid];
     if (!publicKeyPem) {
-      throw new Error("Public key not found for kid: " + header.kid);
+      console.log(`[verifyIdToken] Key ${header.kid} not found in cache, refreshing keys...`);
+      publicKeysCache = null;
+      publicKeysCacheExpiry = 0;
+      publicKeys = await fetchPublicKeys(payload.iss);
+      publicKeyPem = publicKeys[header.kid];
+      if (!publicKeyPem) {
+        const availableKids = Object.keys(publicKeys).join(", ");
+        throw new Error(
+          `Public key not found for kid: ${header.kid}. Available kids: ${availableKids}. This might indicate the token is from a different Firebase project or was signed with a very old key.`
+        );
+      }
     }
-    const publicKey = await importPublicKey(publicKeyPem);
+    const publicKey = await importPublicKeyFromX509(publicKeyPem);
     const isValid = await verifySignature(idToken, publicKey);
     if (!isValid) {
       throw new Error("Invalid token signature");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prmichaelsen/firebase-admin-sdk-v8",
-  "version": "2.0.1",
+  "version": "2.0.4",
   "description": "Firebase Admin SDK for Cloudflare Workers and edge runtimes using REST APIs",
   "main": "dist/index.js",
   "module": "dist/index.mjs",