@prmichaelsen/firebase-admin-sdk-v8 2.0.21 → 2.1.0

package/dist/index.mjs

@@ -62,6 +62,20 @@ function getProjectId() {
     "Firebase project ID not configured. Either call initializeApp({ projectId: ... }) or set FIREBASE_PROJECT_ID environment variable."
   );
 }
+function getFirebaseApiKey() {
+  if (globalConfig.apiKey) {
+    return globalConfig.apiKey;
+  }
+  if (typeof process !== "undefined" && process.env) {
+    const apiKey = process.env.FIREBASE_API_KEY || process.env.PUBLIC_FIREBASE_API_KEY;
+    if (apiKey) {
+      return apiKey;
+    }
+  }
+  throw new Error(
+    "Firebase API key not configured. Either call initializeApp({ apiKey: ... }) or set FIREBASE_API_KEY environment variable. Find your API key in Firebase Console > Project Settings > Web API Key."
+  );
+}
 
 // src/x509.ts
 function decodeBase64(str) {
@@ -282,6 +296,105 @@ async function getUserFromToken(idToken) {
     photoURL: decodedToken.picture || null
   };
 }
+function base64UrlEncode(str) {
+  return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function signWithPrivateKey(data, privateKey) {
+  const pemHeader = "-----BEGIN PRIVATE KEY-----";
+  const pemFooter = "-----END PRIVATE KEY-----";
+  const pemContents = privateKey.replace(pemHeader, "").replace(pemFooter, "").replace(/\s/g, "");
+  const binaryString = atob(pemContents);
+  const bytes = new Uint8Array(binaryString.length);
+  for (let i = 0; i < binaryString.length; i++) {
+    bytes[i] = binaryString.charCodeAt(i);
+  }
+  const key = await crypto.subtle.importKey(
+    "pkcs8",
+    bytes,
+    {
+      name: "RSASSA-PKCS1-v1_5",
+      hash: "SHA-256"
+    },
+    false,
+    ["sign"]
+  );
+  const encoder = new TextEncoder();
+  const dataBytes = encoder.encode(data);
+  const signature = await crypto.subtle.sign(
+    "RSASSA-PKCS1-v1_5",
+    key,
+    dataBytes
+  );
+  return base64UrlEncode(String.fromCharCode(...new Uint8Array(signature)));
+}
+async function createCustomToken(uid, customClaims) {
+  const serviceAccount = getServiceAccount();
+  if (!uid || typeof uid !== "string") {
+    throw new Error("uid must be a non-empty string");
+  }
+  if (uid.length > 128) {
+    throw new Error("uid must be at most 128 characters");
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  const payload = {
+    iss: serviceAccount.client_email,
+    sub: serviceAccount.client_email,
+    aud: "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
+    iat: now,
+    exp: now + 3600,
+    // 1 hour
+    uid
+  };
+  if (customClaims) {
+    payload.claims = customClaims;
+  }
+  const header = {
+    alg: "RS256",
+    typ: "JWT"
+  };
+  const encodedHeader = base64UrlEncode(JSON.stringify(header));
+  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+  const unsignedToken = `${encodedHeader}.${encodedPayload}`;
+  const signature = await signWithPrivateKey(unsignedToken, serviceAccount.private_key);
+  return `${unsignedToken}.${signature}`;
+}
+async function signInWithCustomToken(customToken) {
+  if (!customToken || typeof customToken !== "string") {
+    throw new Error("customToken must be a non-empty string");
+  }
+  const apiKey = getFirebaseApiKey();
+  const url = `https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=${apiKey}`;
+  const response = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      token: customToken,
+      returnSecureToken: true
+    })
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    let errorMessage = `Failed to sign in with custom token: ${response.status}`;
+    try {
+      const errorJson = JSON.parse(errorText);
+      if (errorJson.error && errorJson.error.message) {
+        errorMessage += ` - ${errorJson.error.message}`;
+      }
+    } catch {
+      errorMessage += ` - ${errorText}`;
+    }
+    throw new Error(errorMessage);
+  }
+  const result = await response.json();
+  return {
+    idToken: result.idToken,
+    refreshToken: result.refreshToken,
+    expiresIn: result.expiresIn,
+    localId: result.localId
+  };
+}
 function getAuth() {
   return {
     verifyIdToken
@@ -565,7 +678,7 @@ function removeFieldTransforms(data) {
 }
 
 // src/token-generation.ts
-function base64UrlEncode(str) {
+function base64UrlEncode2(str) {
   return btoa(str).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
 }
 function base64UrlEncodeBuffer(buffer) {
@@ -586,8 +699,8 @@ async function createJWT(serviceAccount) {
     exp: expiry,
     scope: "https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/datastore https://www.googleapis.com/auth/firebase"
   };
-  const encodedHeader = base64UrlEncode(JSON.stringify(header));
-  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+  const encodedHeader = base64UrlEncode2(JSON.stringify(header));
+  const encodedPayload = base64UrlEncode2(JSON.stringify(payload));
   const unsignedToken = `${encodedHeader}.${encodedPayload}`;
   const pemContents = serviceAccount.private_key.replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "").replace(/\s/g, "");
   const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
@@ -636,6 +749,26 @@ function clearTokenCache() {
   tokenExpiry = 0;
 }
 
+// src/firestore/path-validation.ts
+function validateCollectionPath(argumentName, collectionPath) {
+  const segments = collectionPath.split("/").filter((s) => s.length > 0);
+  if (segments.length % 2 === 0) {
+    throw new Error(
+      `Value for argument "${argumentName}" must point to a collection, but was "${collectionPath}". Your path does not contain an odd number of components.`
+    );
+  }
+}
+function validateDocumentPath(argumentName, collectionPath, documentId) {
+  const collectionSegments = collectionPath.split("/").filter((s) => s.length > 0);
+  const totalSegments = collectionSegments.length + 1;
+  if (totalSegments % 2 !== 0) {
+    const fullPath = `${collectionPath}/${documentId}`;
+    throw new Error(
+      `Value for argument "${argumentName}" must point to a document, but was "${fullPath}". Your path does not contain an even number of components.`
+    );
+  }
+}
+
 // src/firestore/operations.ts
 var FIRESTORE_API = "https://firestore.googleapis.com/v1";
 async function commitWrites(writes) {
@@ -656,6 +789,7 @@ async function commitWrites(writes) {
   }
 }
 async function setDocument(collectionPath, documentId, data, options) {
+  validateDocumentPath("collectionPath", collectionPath, documentId);
   const projectId = getProjectId();
   const documentPath = `projects/${projectId}/databases/(default)/documents/${collectionPath}/${documentId}`;
   const cleanData = removeFieldTransforms(data);
@@ -705,6 +839,7 @@ async function setDocument(collectionPath, documentId, data, options) {
   }
 }
 async function addDocument(collectionPath, data, documentId) {
+  validateCollectionPath("collectionPath", collectionPath);
   const accessToken = await getAdminAccessToken();
   const projectId = getProjectId();
   const baseUrl = `${FIRESTORE_API}/projects/${projectId}/databases/(default)/documents/${collectionPath}`;
@@ -736,6 +871,7 @@ async function addDocument(collectionPath, data, documentId) {
   };
 }
 async function getDocument(collectionPath, documentId) {
+  validateDocumentPath("collectionPath", collectionPath, documentId);
   const accessToken = await getAdminAccessToken();
   const projectId = getProjectId();
   const url = `${FIRESTORE_API}/projects/${projectId}/databases/(default)/documents/${collectionPath}/${documentId}`;
@@ -755,6 +891,7 @@ async function getDocument(collectionPath, documentId) {
   return convertFromFirestoreFormat(result.fields);
 }
 async function updateDocument(collectionPath, documentId, data) {
+  validateDocumentPath("collectionPath", collectionPath, documentId);
   const projectId = getProjectId();
   const documentPath = `projects/${projectId}/databases/(default)/documents/${collectionPath}/${documentId}`;
   const cleanData = removeFieldTransforms(data);
@@ -807,6 +944,7 @@ async function updateDocument(collectionPath, documentId, data) {
   }
 }
 async function deleteDocument(collectionPath, documentId) {
+  validateDocumentPath("collectionPath", collectionPath, documentId);
   const accessToken = await getAdminAccessToken();
   const projectId = getProjectId();
   const url = `${FIRESTORE_API}/projects/${projectId}/databases/(default)/documents/${collectionPath}/${documentId}`;
@@ -822,6 +960,7 @@ async function deleteDocument(collectionPath, documentId) {
   }
 }
 async function queryDocuments(collectionPath, options) {
+  validateCollectionPath("collectionPath", collectionPath);
   const accessToken = await getAdminAccessToken();
   const projectId = getProjectId();
   if (!options || Object.keys(options).length === 0) {
@@ -938,23 +1077,341 @@ async function batchWrite(operations) {
   }
   return await response.json();
 }
+
+// src/storage/client.ts
+var STORAGE_API_BASE = "https://storage.googleapis.com/storage/v1";
+var UPLOAD_API_BASE = "https://storage.googleapis.com/upload/storage/v1";
+function getDefaultBucket() {
+  const customBucket = process.env.FIREBASE_STORAGE_BUCKET;
+  if (customBucket) {
+    return customBucket;
+  }
+  const projectId = getProjectId();
+  return `${projectId}.appspot.com`;
+}
+function detectContentType(filename) {
+  const ext = filename.split(".").pop()?.toLowerCase();
+  const mimeTypes = {
+    "txt": "text/plain",
+    "html": "text/html",
+    "htm": "text/html",
+    "css": "text/css",
+    "js": "application/javascript",
+    "json": "application/json",
+    "xml": "application/xml",
+    "jpg": "image/jpeg",
+    "jpeg": "image/jpeg",
+    "png": "image/png",
+    "gif": "image/gif",
+    "svg": "image/svg+xml",
+    "webp": "image/webp",
+    "pdf": "application/pdf",
+    "zip": "application/zip",
+    "mp4": "video/mp4",
+    "mp3": "audio/mpeg",
+    "wav": "audio/wav"
+  };
+  return mimeTypes[ext || ""] || "application/octet-stream";
+}
+async function uploadFile(path, data, options = {}) {
+  const token = await getAdminAccessToken();
+  const bucket = getDefaultBucket();
+  const contentType = options.contentType || detectContentType(path);
+  const url = `${UPLOAD_API_BASE}/b/${encodeURIComponent(bucket)}/o?uploadType=media&name=${encodeURIComponent(path)}`;
+  let body;
+  if (data instanceof Blob) {
+    body = await data.arrayBuffer();
+  } else if (data instanceof Uint8Array) {
+    const buffer = new ArrayBuffer(data.byteLength);
+    new Uint8Array(buffer).set(data);
+    body = buffer;
+  } else {
+    body = data;
+  }
+  const response = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Authorization": `Bearer ${token}`,
+      "Content-Type": contentType,
+      "Content-Length": body.byteLength.toString()
+    },
+    body
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to upload file: ${response.status} ${errorText}`);
+  }
+  const result = await response.json();
+  if (options.public) {
+    await makeFilePublic(path);
+  }
+  if (options.metadata) {
+    return await updateFileMetadata(path, options.metadata);
+  }
+  return result;
+}
+async function downloadFile(path, _options = {}) {
+  const token = await getAdminAccessToken();
+  const bucket = getDefaultBucket();
+  const url = `${STORAGE_API_BASE}/b/${encodeURIComponent(bucket)}/o/${encodeURIComponent(path)}?alt=media`;
+  const response = await fetch(url, {
+    method: "GET",
+    headers: {
+      "Authorization": `Bearer ${token}`
+    }
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to download file: ${response.status} ${errorText}`);
+  }
+  return await response.arrayBuffer();
+}
+async function deleteFile(path) {
+  const token = await getAdminAccessToken();
+  const bucket = getDefaultBucket();
+  const url = `${STORAGE_API_BASE}/b/${encodeURIComponent(bucket)}/o/${encodeURIComponent(path)}`;
+  const response = await fetch(url, {
+    method: "DELETE",
+    headers: {
+      "Authorization": `Bearer ${token}`
+    }
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to delete file: ${response.status} ${errorText}`);
+  }
+}
+async function getFileMetadata(path) {
+  const token = await getAdminAccessToken();
+  const bucket = getDefaultBucket();
+  const url = `${STORAGE_API_BASE}/b/${encodeURIComponent(bucket)}/o/${encodeURIComponent(path)}`;
+  const response = await fetch(url, {
+    method: "GET",
+    headers: {
+      "Authorization": `Bearer ${token}`
+    }
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to get file metadata: ${response.status} ${errorText}`);
+  }
+  return await response.json();
+}
+async function updateFileMetadata(path, metadata) {
+  const token = await getAdminAccessToken();
+  const bucket = getDefaultBucket();
+  const url = `${STORAGE_API_BASE}/b/${encodeURIComponent(bucket)}/o/${encodeURIComponent(path)}`;
+  const response = await fetch(url, {
+    method: "PATCH",
+    headers: {
+      "Authorization": `Bearer ${token}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({ metadata })
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to update file metadata: ${response.status} ${errorText}`);
+  }
+  return await response.json();
+}
+async function makeFilePublic(path) {
+  const token = await getAdminAccessToken();
+  const bucket = getDefaultBucket();
+  const url = `${STORAGE_API_BASE}/b/${encodeURIComponent(bucket)}/o/${encodeURIComponent(path)}/acl`;
+  const response = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Authorization": `Bearer ${token}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      entity: "allUsers",
+      role: "READER"
+    })
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to make file public: ${response.status} ${errorText}`);
+  }
+}
+async function listFiles(options = {}) {
+  const token = await getAdminAccessToken();
+  const bucket = getDefaultBucket();
+  const params = new URLSearchParams();
+  if (options.prefix) params.append("prefix", options.prefix);
+  if (options.delimiter) params.append("delimiter", options.delimiter);
+  if (options.maxResults) params.append("maxResults", options.maxResults.toString());
+  if (options.pageToken) params.append("pageToken", options.pageToken);
+  const url = `${STORAGE_API_BASE}/b/${encodeURIComponent(bucket)}/o?${params.toString()}`;
+  const response = await fetch(url, {
+    method: "GET",
+    headers: {
+      "Authorization": `Bearer ${token}`
+    }
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to list files: ${response.status} ${errorText}`);
+  }
+  const result = await response.json();
+  return {
+    files: result.items || [],
+    nextPageToken: result.nextPageToken
+  };
+}
+async function fileExists(path) {
+  try {
+    await getFileMetadata(path);
+    return true;
+  } catch (error) {
+    if (error instanceof Error && error.message.includes("404")) {
+      return false;
+    }
+    throw error;
+  }
+}
+
+// src/storage/signed-urls.ts
+function getStorageBucket() {
+  const customBucket = process.env.FIREBASE_STORAGE_BUCKET;
+  if (customBucket) {
+    return customBucket;
+  }
+  const projectId = getProjectId();
+  return `${projectId}.appspot.com`;
+}
+function getExpirationTimestamp(expires) {
+  if (expires instanceof Date) {
+    return Math.floor(expires.getTime() / 1e3);
+  }
+  return Math.floor(Date.now() / 1e3) + expires;
+}
+function actionToMethod(action) {
+  switch (action) {
+    case "read":
+      return "GET";
+    case "write":
+      return "PUT";
+    case "delete":
+      return "DELETE";
+  }
+}
+function stringToHex(str) {
+  const encoder = new TextEncoder();
+  const bytes = encoder.encode(str);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function signData(data, privateKey) {
+  const pemHeader = "-----BEGIN PRIVATE KEY-----";
+  const pemFooter = "-----END PRIVATE KEY-----";
+  const pemContents = privateKey.replace(pemHeader, "").replace(pemFooter, "").replace(/\s/g, "");
+  const binaryString = atob(pemContents);
+  const bytes = new Uint8Array(binaryString.length);
+  for (let i = 0; i < binaryString.length; i++) {
+    bytes[i] = binaryString.charCodeAt(i);
+  }
+  const key = await crypto.subtle.importKey(
+    "pkcs8",
+    bytes,
+    {
+      name: "RSASSA-PKCS1-v1_5",
+      hash: "SHA-256"
+    },
+    false,
+    ["sign"]
+  );
+  const encoder = new TextEncoder();
+  const dataBytes = encoder.encode(data);
+  const signature = await crypto.subtle.sign(
+    "RSASSA-PKCS1-v1_5",
+    key,
+    dataBytes
+  );
+  const signatureArray = new Uint8Array(signature);
+  return Array.from(signatureArray).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function generateSignedUrl(path, options) {
+  const serviceAccount = getServiceAccount();
+  const bucket = getStorageBucket();
+  const method = actionToMethod(options.action);
+  const expiration = getExpirationTimestamp(options.expires);
+  const now = /* @__PURE__ */ new Date();
+  const timestamp = Math.floor(now.getTime() / 1e3);
+  const isoString = now.toISOString();
+  const datestamp = isoString.split("T")[0].replace(/-/g, "");
+  const timeString = isoString.split("T")[1].replace(/[:.]/g, "").substring(0, 6);
+  const dateTimeStamp = `${datestamp}T${timeString}Z`;
+  const credentialScope = `${datestamp}/auto/storage/goog4_request`;
+  const credential = `${serviceAccount.client_email}/${credentialScope}`;
+  const canonicalHeaders = `host:storage.googleapis.com
+`;
+  const signedHeaders = "host";
+  const queryParams = {
+    "X-Goog-Algorithm": "GOOG4-RSA-SHA256",
+    "X-Goog-Credential": credential,
+    "X-Goog-Date": dateTimeStamp,
+    "X-Goog-Expires": (expiration - timestamp).toString(),
+    "X-Goog-SignedHeaders": signedHeaders
+  };
+  if (options.contentType) {
+    queryParams["response-content-type"] = options.contentType;
+  }
+  if (options.responseDisposition) {
+    queryParams["response-content-disposition"] = options.responseDisposition;
+  }
+  if (options.responseType) {
+    queryParams["response-content-type"] = options.responseType;
+  }
+  const sortedParams = Object.keys(queryParams).sort();
+  const canonicalQueryString = sortedParams.map((key) => `${encodeURIComponent(key)}=${encodeURIComponent(queryParams[key])}`).join("&");
+  const encodedPath = path.split("/").map((segment) => encodeURIComponent(segment)).join("/");
+  const canonicalUri = `/${bucket}/${encodedPath}`;
+  const canonicalRequest = [
+    method,
+    canonicalUri,
+    canonicalQueryString,
+    canonicalHeaders,
+    signedHeaders,
+    "UNSIGNED-PAYLOAD"
+  ].join("\n");
+  const canonicalRequestHash = stringToHex(canonicalRequest);
+  const stringToSign = [
+    "GOOG4-RSA-SHA256",
+    dateTimeStamp,
+    credentialScope,
+    canonicalRequestHash
+  ].join("\n");
+  const signature = await signData(stringToSign, serviceAccount.private_key);
+  const signedUrl = `https://storage.googleapis.com${canonicalUri}?${canonicalQueryString}&X-Goog-Signature=${signature}`;
+  return signedUrl;
+}
 export {
   FieldValue,
   addDocument,
   batchWrite,
   clearConfig,
   clearTokenCache,
+  createCustomToken,
   deleteDocument,
+  deleteFile,
+  downloadFile,
+  fileExists,
+  generateSignedUrl,
   getAdminAccessToken,
   getAuth,
   getConfig,
   getDocument,
+  getFileMetadata,
   getProjectId,
   getServiceAccount,
   getUserFromToken,
   initializeApp,
+  listFiles,
   queryDocuments,
   setDocument,
+  signInWithCustomToken,
   updateDocument,
+  uploadFile,
   verifyIdToken
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prmichaelsen/firebase-admin-sdk-v8",
-  "version": "2.0.21",
+  "version": "2.1.0",
   "description": "Firebase Admin SDK for Cloudflare Workers and edge runtimes using REST APIs",
   "main": "dist/index.js",
   "module": "dist/index.mjs",