@prmichaelsen/firebase-admin-sdk-v8 2.0.22 → 2.2.0

package/dist/index.d.mts

@@ -195,6 +195,7 @@ interface BatchWriteResult {
 interface SDKConfig {
     serviceAccount?: ServiceAccount | string;
     projectId?: string;
+    apiKey?: string;
 }
 /**
  * Initialize the Firebase Admin SDK with configuration
@@ -250,6 +251,21 @@ declare function getProjectId(): string;
  * ID token verification supporting both Firebase v9 and v10 token formats
  */
 
+/**
+ * Custom claims for custom tokens
+ */
+interface CustomClaims {
+    [key: string]: any;
+}
+/**
+ * Response from signInWithCustomToken
+ */
+interface CustomTokenSignInResponse {
+    idToken: string;
+    refreshToken: string;
+    expiresIn: string;
+    isNewUser?: boolean;
+}
 /**
  * Verify a Firebase ID token
  * Supports both Firebase v9 (securetoken) and v10 (session) token formats
@@ -280,6 +296,45 @@ declare function verifyIdToken(idToken: string): Promise<DecodedIdToken>;
  * ```
  */
 declare function getUserFromToken(idToken: string): Promise<UserInfo>;
+/**
+ * Create a custom token for a user
+ *
+ * @param uid - User ID
+ * @param customClaims - Optional custom claims to include in token
+ * @returns Custom JWT token
+ *
+ * @example
+ * ```typescript
+ * // Create token with custom claims
+ * const token = await createCustomToken('user123', {
+ *   role: 'admin',
+ *   premium: true,
+ * });
+ *
+ * // Use token on client to sign in
+ * await signInWithCustomToken(auth, token);
+ * ```
+ */
+declare function createCustomToken(uid: string, customClaims?: CustomClaims): Promise<string>;
+/**
+ * Exchange a custom token for an ID token and refresh token
+ *
+ * @param customToken - Custom JWT token created with createCustomToken
+ * @returns User credentials (idToken, refreshToken, expiresIn, localId)
+ *
+ * @example
+ * ```typescript
+ * // Server-side: Create custom token
+ * const customToken = await createCustomToken('user123', { role: 'admin' });
+ *
+ * // Exchange for ID token
+ * const credentials = await signInWithCustomToken(customToken);
+ *
+ * // Use ID token for authenticated requests
+ * const user = await verifyIdToken(credentials.idToken);
+ * ```
+ */
+declare function signInWithCustomToken(customToken: string): Promise<CustomTokenSignInResponse>;
 /**
  * Get Auth instance (for compatibility, but not used in new implementation)
  * @deprecated Use verifyIdToken directly
@@ -705,4 +760,4 @@ declare function getAdminAccessToken(): Promise<string>;
  */
 declare function clearTokenCache(): void;
 
-export { type BatchWrite, type BatchWriteResult, type DataObject, type DecodedIdToken, type DocumentReference, type DownloadOptions, FieldValue, type FieldValue$1 as FieldValueSentinel, FieldValueType, type FileMetadata, type FirestoreDocument, type FirestoreValue, type ListFilesResult, type ListOptions, type QueryFilter, type QueryOptions, type QueryOrder, type ServiceAccount, type SetOptions, type SignedUrlOptions, type TokenResponse, type UpdateOptions, type UploadOptions, type UserInfo, type WhereFilterOp, addDocument, batchWrite, clearConfig, clearTokenCache, deleteDocument, deleteFile, downloadFile, fileExists, generateSignedUrl, getAdminAccessToken, getAuth, getConfig, getDocument, getFileMetadata, getProjectId, getServiceAccount, getUserFromToken, initializeApp, listFiles, queryDocuments, setDocument, updateDocument, uploadFile, verifyIdToken };
+export { type BatchWrite, type BatchWriteResult, type CustomClaims, type CustomTokenSignInResponse, type DataObject, type DecodedIdToken, type DocumentReference, type DownloadOptions, FieldValue, type FieldValue$1 as FieldValueSentinel, FieldValueType, type FileMetadata, type FirestoreDocument, type FirestoreValue, type ListFilesResult, type ListOptions, type QueryFilter, type QueryOptions, type QueryOrder, type ServiceAccount, type SetOptions, type SignedUrlOptions, type TokenResponse, type UpdateOptions, type UploadOptions, type UserInfo, type WhereFilterOp, addDocument, batchWrite, clearConfig, clearTokenCache, createCustomToken, deleteDocument, deleteFile, downloadFile, fileExists, generateSignedUrl, getAdminAccessToken, getAuth, getConfig, getDocument, getFileMetadata, getProjectId, getServiceAccount, getUserFromToken, initializeApp, listFiles, queryDocuments, setDocument, signInWithCustomToken, updateDocument, uploadFile, verifyIdToken };

package/dist/index.d.ts

@@ -195,6 +195,7 @@ interface BatchWriteResult {
 interface SDKConfig {
     serviceAccount?: ServiceAccount | string;
     projectId?: string;
+    apiKey?: string;
 }
 /**
  * Initialize the Firebase Admin SDK with configuration
@@ -250,6 +251,21 @@ declare function getProjectId(): string;
  * ID token verification supporting both Firebase v9 and v10 token formats
  */
 
+/**
+ * Custom claims for custom tokens
+ */
+interface CustomClaims {
+    [key: string]: any;
+}
+/**
+ * Response from signInWithCustomToken
+ */
+interface CustomTokenSignInResponse {
+    idToken: string;
+    refreshToken: string;
+    expiresIn: string;
+    isNewUser?: boolean;
+}
 /**
  * Verify a Firebase ID token
  * Supports both Firebase v9 (securetoken) and v10 (session) token formats
@@ -280,6 +296,45 @@ declare function verifyIdToken(idToken: string): Promise<DecodedIdToken>;
  * ```
  */
 declare function getUserFromToken(idToken: string): Promise<UserInfo>;
+/**
+ * Create a custom token for a user
+ *
+ * @param uid - User ID
+ * @param customClaims - Optional custom claims to include in token
+ * @returns Custom JWT token
+ *
+ * @example
+ * ```typescript
+ * // Create token with custom claims
+ * const token = await createCustomToken('user123', {
+ *   role: 'admin',
+ *   premium: true,
+ * });
+ *
+ * // Use token on client to sign in
+ * await signInWithCustomToken(auth, token);
+ * ```
+ */
+declare function createCustomToken(uid: string, customClaims?: CustomClaims): Promise<string>;
+/**
+ * Exchange a custom token for an ID token and refresh token
+ *
+ * @param customToken - Custom JWT token created with createCustomToken
+ * @returns User credentials (idToken, refreshToken, expiresIn, localId)
+ *
+ * @example
+ * ```typescript
+ * // Server-side: Create custom token
+ * const customToken = await createCustomToken('user123', { role: 'admin' });
+ *
+ * // Exchange for ID token
+ * const credentials = await signInWithCustomToken(customToken);
+ *
+ * // Use ID token for authenticated requests
+ * const user = await verifyIdToken(credentials.idToken);
+ * ```
+ */
+declare function signInWithCustomToken(customToken: string): Promise<CustomTokenSignInResponse>;
 /**
  * Get Auth instance (for compatibility, but not used in new implementation)
  * @deprecated Use verifyIdToken directly
@@ -705,4 +760,4 @@ declare function getAdminAccessToken(): Promise<string>;
  */
 declare function clearTokenCache(): void;
 
-export { type BatchWrite, type BatchWriteResult, type DataObject, type DecodedIdToken, type DocumentReference, type DownloadOptions, FieldValue, type FieldValue$1 as FieldValueSentinel, FieldValueType, type FileMetadata, type FirestoreDocument, type FirestoreValue, type ListFilesResult, type ListOptions, type QueryFilter, type QueryOptions, type QueryOrder, type ServiceAccount, type SetOptions, type SignedUrlOptions, type TokenResponse, type UpdateOptions, type UploadOptions, type UserInfo, type WhereFilterOp, addDocument, batchWrite, clearConfig, clearTokenCache, deleteDocument, deleteFile, downloadFile, fileExists, generateSignedUrl, getAdminAccessToken, getAuth, getConfig, getDocument, getFileMetadata, getProjectId, getServiceAccount, getUserFromToken, initializeApp, listFiles, queryDocuments, setDocument, updateDocument, uploadFile, verifyIdToken };
+export { type BatchWrite, type BatchWriteResult, type CustomClaims, type CustomTokenSignInResponse, type DataObject, type DecodedIdToken, type DocumentReference, type DownloadOptions, FieldValue, type FieldValue$1 as FieldValueSentinel, FieldValueType, type FileMetadata, type FirestoreDocument, type FirestoreValue, type ListFilesResult, type ListOptions, type QueryFilter, type QueryOptions, type QueryOrder, type ServiceAccount, type SetOptions, type SignedUrlOptions, type TokenResponse, type UpdateOptions, type UploadOptions, type UserInfo, type WhereFilterOp, addDocument, batchWrite, clearConfig, clearTokenCache, createCustomToken, deleteDocument, deleteFile, downloadFile, fileExists, generateSignedUrl, getAdminAccessToken, getAuth, getConfig, getDocument, getFileMetadata, getProjectId, getServiceAccount, getUserFromToken, initializeApp, listFiles, queryDocuments, setDocument, signInWithCustomToken, updateDocument, uploadFile, verifyIdToken };

package/dist/index.js

@@ -25,6 +25,7 @@ __export(index_exports, {
   batchWrite: () => batchWrite,
   clearConfig: () => clearConfig,
   clearTokenCache: () => clearTokenCache,
+  createCustomToken: () => createCustomToken,
   deleteDocument: () => deleteDocument,
   deleteFile: () => deleteFile,
   downloadFile: () => downloadFile,
@@ -42,6 +43,7 @@ __export(index_exports, {
   listFiles: () => listFiles,
   queryDocuments: () => queryDocuments,
   setDocument: () => setDocument,
+  signInWithCustomToken: () => signInWithCustomToken,
   updateDocument: () => updateDocument,
   uploadFile: () => uploadFile,
   verifyIdToken: () => verifyIdToken
@@ -112,6 +114,20 @@ function getProjectId() {
     "Firebase project ID not configured. Either call initializeApp({ projectId: ... }) or set FIREBASE_PROJECT_ID environment variable."
   );
 }
+function getFirebaseApiKey() {
+  if (globalConfig.apiKey) {
+    return globalConfig.apiKey;
+  }
+  if (typeof process !== "undefined" && process.env) {
+    const apiKey = process.env.FIREBASE_API_KEY || process.env.PUBLIC_FIREBASE_API_KEY;
+    if (apiKey) {
+      return apiKey;
+    }
+  }
+  throw new Error(
+    "Firebase API key not configured. Either call initializeApp({ apiKey: ... }) or set FIREBASE_API_KEY environment variable. Find your API key in Firebase Console > Project Settings > Web API Key."
+  );
+}
 
 // src/x509.ts
 function decodeBase64(str) {
@@ -332,6 +348,105 @@ async function getUserFromToken(idToken) {
     photoURL: decodedToken.picture || null
   };
 }
+function base64UrlEncode(str) {
+  return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function signWithPrivateKey(data, privateKey) {
+  const pemHeader = "-----BEGIN PRIVATE KEY-----";
+  const pemFooter = "-----END PRIVATE KEY-----";
+  const pemContents = privateKey.replace(pemHeader, "").replace(pemFooter, "").replace(/\s/g, "");
+  const binaryString = atob(pemContents);
+  const bytes = new Uint8Array(binaryString.length);
+  for (let i = 0; i < binaryString.length; i++) {
+    bytes[i] = binaryString.charCodeAt(i);
+  }
+  const key = await crypto.subtle.importKey(
+    "pkcs8",
+    bytes,
+    {
+      name: "RSASSA-PKCS1-v1_5",
+      hash: "SHA-256"
+    },
+    false,
+    ["sign"]
+  );
+  const encoder = new TextEncoder();
+  const dataBytes = encoder.encode(data);
+  const signature = await crypto.subtle.sign(
+    "RSASSA-PKCS1-v1_5",
+    key,
+    dataBytes
+  );
+  return base64UrlEncode(String.fromCharCode(...new Uint8Array(signature)));
+}
+async function createCustomToken(uid, customClaims) {
+  const serviceAccount = getServiceAccount();
+  if (!uid || typeof uid !== "string") {
+    throw new Error("uid must be a non-empty string");
+  }
+  if (uid.length > 128) {
+    throw new Error("uid must be at most 128 characters");
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  const payload = {
+    iss: serviceAccount.client_email,
+    sub: serviceAccount.client_email,
+    aud: "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
+    iat: now,
+    exp: now + 3600,
+    // 1 hour
+    uid
+  };
+  if (customClaims) {
+    payload.claims = customClaims;
+  }
+  const header = {
+    alg: "RS256",
+    typ: "JWT"
+  };
+  const encodedHeader = base64UrlEncode(JSON.stringify(header));
+  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+  const unsignedToken = `${encodedHeader}.${encodedPayload}`;
+  const signature = await signWithPrivateKey(unsignedToken, serviceAccount.private_key);
+  return `${unsignedToken}.${signature}`;
+}
+async function signInWithCustomToken(customToken) {
+  if (!customToken || typeof customToken !== "string") {
+    throw new Error("customToken must be a non-empty string");
+  }
+  const apiKey = getFirebaseApiKey();
+  const url = `https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=${apiKey}`;
+  const response = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      token: customToken,
+      returnSecureToken: true
+    })
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    let errorMessage = `Failed to sign in with custom token: ${response.status}`;
+    try {
+      const errorJson = JSON.parse(errorText);
+      if (errorJson.error && errorJson.error.message) {
+        errorMessage += ` - ${errorJson.error.message}`;
+      }
+    } catch {
+      errorMessage += ` - ${errorText}`;
+    }
+    throw new Error(errorMessage);
+  }
+  const result = await response.json();
+  return {
+    idToken: result.idToken,
+    refreshToken: result.refreshToken,
+    expiresIn: result.expiresIn,
+    isNewUser: result.isNewUser
+  };
+}
 function getAuth() {
   return {
     verifyIdToken
@@ -615,7 +730,7 @@ function removeFieldTransforms(data) {
 }
 
 // src/token-generation.ts
-function base64UrlEncode(str) {
+function base64UrlEncode2(str) {
   return btoa(str).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
 }
 function base64UrlEncodeBuffer(buffer) {
@@ -636,8 +751,8 @@ async function createJWT(serviceAccount) {
     exp: expiry,
     scope: "https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/datastore https://www.googleapis.com/auth/firebase"
   };
-  const encodedHeader = base64UrlEncode(JSON.stringify(header));
-  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+  const encodedHeader = base64UrlEncode2(JSON.stringify(header));
+  const encodedPayload = base64UrlEncode2(JSON.stringify(payload));
   const unsignedToken = `${encodedHeader}.${encodedPayload}`;
   const pemContents = serviceAccount.private_key.replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "").replace(/\s/g, "");
   const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
@@ -1019,6 +1134,10 @@ async function batchWrite(operations) {
 var STORAGE_API_BASE = "https://storage.googleapis.com/storage/v1";
 var UPLOAD_API_BASE = "https://storage.googleapis.com/upload/storage/v1";
 function getDefaultBucket() {
+  const customBucket = process.env.FIREBASE_STORAGE_BUCKET;
+  if (customBucket) {
+    return customBucket;
+  }
   const projectId = getProjectId();
   return `${projectId}.appspot.com`;
 }
@@ -1206,6 +1325,14 @@ async function fileExists(path) {
 }
 
 // src/storage/signed-urls.ts
+function getStorageBucket() {
+  const customBucket = process.env.FIREBASE_STORAGE_BUCKET;
+  if (customBucket) {
+    return customBucket;
+  }
+  const projectId = getProjectId();
+  return `${projectId}.appspot.com`;
+}
 function getExpirationTimestamp(expires) {
   if (expires instanceof Date) {
     return Math.floor(expires.getTime() / 1e3);
@@ -1258,12 +1385,15 @@ async function signData(data, privateKey) {
 }
 async function generateSignedUrl(path, options) {
   const serviceAccount = getServiceAccount();
-  const projectId = getProjectId();
-  const bucket = `${projectId}.appspot.com`;
+  const bucket = getStorageBucket();
   const method = actionToMethod(options.action);
   const expiration = getExpirationTimestamp(options.expires);
-  const timestamp = Math.floor(Date.now() / 1e3);
-  const datestamp = new Date(timestamp * 1e3).toISOString().split("T")[0].replace(/-/g, "");
+  const now = /* @__PURE__ */ new Date();
+  const timestamp = Math.floor(now.getTime() / 1e3);
+  const isoString = now.toISOString();
+  const datestamp = isoString.split("T")[0].replace(/-/g, "");
+  const timeString = isoString.split("T")[1].replace(/[:.]/g, "").substring(0, 6);
+  const dateTimeStamp = `${datestamp}T${timeString}Z`;
   const credentialScope = `${datestamp}/auto/storage/goog4_request`;
   const credential = `${serviceAccount.client_email}/${credentialScope}`;
   const canonicalHeaders = `host:storage.googleapis.com
@@ -1272,7 +1402,7 @@ async function generateSignedUrl(path, options) {
   const queryParams = {
     "X-Goog-Algorithm": "GOOG4-RSA-SHA256",
     "X-Goog-Credential": credential,
-    "X-Goog-Date": `${datestamp}T000000Z`,
+    "X-Goog-Date": dateTimeStamp,
     "X-Goog-Expires": (expiration - timestamp).toString(),
     "X-Goog-SignedHeaders": signedHeaders
   };
@@ -1287,7 +1417,8 @@ async function generateSignedUrl(path, options) {
   }
   const sortedParams = Object.keys(queryParams).sort();
   const canonicalQueryString = sortedParams.map((key) => `${encodeURIComponent(key)}=${encodeURIComponent(queryParams[key])}`).join("&");
-  const canonicalUri = `/${bucket}/${path}`;
+  const encodedPath = path.split("/").map((segment) => encodeURIComponent(segment)).join("/");
+  const canonicalUri = `/${bucket}/${encodedPath}`;
   const canonicalRequest = [
     method,
     canonicalUri,
@@ -1299,7 +1430,7 @@ async function generateSignedUrl(path, options) {
   const canonicalRequestHash = stringToHex(canonicalRequest);
   const stringToSign = [
     "GOOG4-RSA-SHA256",
-    `${datestamp}T000000Z`,
+    dateTimeStamp,
     credentialScope,
     canonicalRequestHash
   ].join("\n");
@@ -1314,6 +1445,7 @@ async function generateSignedUrl(path, options) {
   batchWrite,
   clearConfig,
   clearTokenCache,
+  createCustomToken,
   deleteDocument,
   deleteFile,
   downloadFile,
@@ -1331,6 +1463,7 @@ async function generateSignedUrl(path, options) {
   listFiles,
   queryDocuments,
   setDocument,
+  signInWithCustomToken,
   updateDocument,
   uploadFile,
   verifyIdToken

package/dist/index.mjs

@@ -62,6 +62,20 @@ function getProjectId() {
     "Firebase project ID not configured. Either call initializeApp({ projectId: ... }) or set FIREBASE_PROJECT_ID environment variable."
   );
 }
+function getFirebaseApiKey() {
+  if (globalConfig.apiKey) {
+    return globalConfig.apiKey;
+  }
+  if (typeof process !== "undefined" && process.env) {
+    const apiKey = process.env.FIREBASE_API_KEY || process.env.PUBLIC_FIREBASE_API_KEY;
+    if (apiKey) {
+      return apiKey;
+    }
+  }
+  throw new Error(
+    "Firebase API key not configured. Either call initializeApp({ apiKey: ... }) or set FIREBASE_API_KEY environment variable. Find your API key in Firebase Console > Project Settings > Web API Key."
+  );
+}
 
 // src/x509.ts
 function decodeBase64(str) {
@@ -282,6 +296,105 @@ async function getUserFromToken(idToken) {
     photoURL: decodedToken.picture || null
   };
 }
+function base64UrlEncode(str) {
+  return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function signWithPrivateKey(data, privateKey) {
+  const pemHeader = "-----BEGIN PRIVATE KEY-----";
+  const pemFooter = "-----END PRIVATE KEY-----";
+  const pemContents = privateKey.replace(pemHeader, "").replace(pemFooter, "").replace(/\s/g, "");
+  const binaryString = atob(pemContents);
+  const bytes = new Uint8Array(binaryString.length);
+  for (let i = 0; i < binaryString.length; i++) {
+    bytes[i] = binaryString.charCodeAt(i);
+  }
+  const key = await crypto.subtle.importKey(
+    "pkcs8",
+    bytes,
+    {
+      name: "RSASSA-PKCS1-v1_5",
+      hash: "SHA-256"
+    },
+    false,
+    ["sign"]
+  );
+  const encoder = new TextEncoder();
+  const dataBytes = encoder.encode(data);
+  const signature = await crypto.subtle.sign(
+    "RSASSA-PKCS1-v1_5",
+    key,
+    dataBytes
+  );
+  return base64UrlEncode(String.fromCharCode(...new Uint8Array(signature)));
+}
+async function createCustomToken(uid, customClaims) {
+  const serviceAccount = getServiceAccount();
+  if (!uid || typeof uid !== "string") {
+    throw new Error("uid must be a non-empty string");
+  }
+  if (uid.length > 128) {
+    throw new Error("uid must be at most 128 characters");
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  const payload = {
+    iss: serviceAccount.client_email,
+    sub: serviceAccount.client_email,
+    aud: "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
+    iat: now,
+    exp: now + 3600,
+    // 1 hour
+    uid
+  };
+  if (customClaims) {
+    payload.claims = customClaims;
+  }
+  const header = {
+    alg: "RS256",
+    typ: "JWT"
+  };
+  const encodedHeader = base64UrlEncode(JSON.stringify(header));
+  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+  const unsignedToken = `${encodedHeader}.${encodedPayload}`;
+  const signature = await signWithPrivateKey(unsignedToken, serviceAccount.private_key);
+  return `${unsignedToken}.${signature}`;
+}
+async function signInWithCustomToken(customToken) {
+  if (!customToken || typeof customToken !== "string") {
+    throw new Error("customToken must be a non-empty string");
+  }
+  const apiKey = getFirebaseApiKey();
+  const url = `https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=${apiKey}`;
+  const response = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      token: customToken,
+      returnSecureToken: true
+    })
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    let errorMessage = `Failed to sign in with custom token: ${response.status}`;
+    try {
+      const errorJson = JSON.parse(errorText);
+      if (errorJson.error && errorJson.error.message) {
+        errorMessage += ` - ${errorJson.error.message}`;
+      }
+    } catch {
+      errorMessage += ` - ${errorText}`;
+    }
+    throw new Error(errorMessage);
+  }
+  const result = await response.json();
+  return {
+    idToken: result.idToken,
+    refreshToken: result.refreshToken,
+    expiresIn: result.expiresIn,
+    isNewUser: result.isNewUser
+  };
+}
 function getAuth() {
   return {
     verifyIdToken
@@ -565,7 +678,7 @@ function removeFieldTransforms(data) {
 }
 
 // src/token-generation.ts
-function base64UrlEncode(str) {
+function base64UrlEncode2(str) {
   return btoa(str).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
 }
 function base64UrlEncodeBuffer(buffer) {
@@ -586,8 +699,8 @@ async function createJWT(serviceAccount) {
     exp: expiry,
     scope: "https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/datastore https://www.googleapis.com/auth/firebase"
   };
-  const encodedHeader = base64UrlEncode(JSON.stringify(header));
-  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+  const encodedHeader = base64UrlEncode2(JSON.stringify(header));
+  const encodedPayload = base64UrlEncode2(JSON.stringify(payload));
   const unsignedToken = `${encodedHeader}.${encodedPayload}`;
   const pemContents = serviceAccount.private_key.replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "").replace(/\s/g, "");
   const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
@@ -969,6 +1082,10 @@ async function batchWrite(operations) {
 var STORAGE_API_BASE = "https://storage.googleapis.com/storage/v1";
 var UPLOAD_API_BASE = "https://storage.googleapis.com/upload/storage/v1";
 function getDefaultBucket() {
+  const customBucket = process.env.FIREBASE_STORAGE_BUCKET;
+  if (customBucket) {
+    return customBucket;
+  }
   const projectId = getProjectId();
   return `${projectId}.appspot.com`;
 }
@@ -1156,6 +1273,14 @@ async function fileExists(path) {
 }
 
 // src/storage/signed-urls.ts
+function getStorageBucket() {
+  const customBucket = process.env.FIREBASE_STORAGE_BUCKET;
+  if (customBucket) {
+    return customBucket;
+  }
+  const projectId = getProjectId();
+  return `${projectId}.appspot.com`;
+}
 function getExpirationTimestamp(expires) {
   if (expires instanceof Date) {
     return Math.floor(expires.getTime() / 1e3);
@@ -1208,12 +1333,15 @@ async function signData(data, privateKey) {
 }
 async function generateSignedUrl(path, options) {
   const serviceAccount = getServiceAccount();
-  const projectId = getProjectId();
-  const bucket = `${projectId}.appspot.com`;
+  const bucket = getStorageBucket();
   const method = actionToMethod(options.action);
   const expiration = getExpirationTimestamp(options.expires);
-  const timestamp = Math.floor(Date.now() / 1e3);
-  const datestamp = new Date(timestamp * 1e3).toISOString().split("T")[0].replace(/-/g, "");
+  const now = /* @__PURE__ */ new Date();
+  const timestamp = Math.floor(now.getTime() / 1e3);
+  const isoString = now.toISOString();
+  const datestamp = isoString.split("T")[0].replace(/-/g, "");
+  const timeString = isoString.split("T")[1].replace(/[:.]/g, "").substring(0, 6);
+  const dateTimeStamp = `${datestamp}T${timeString}Z`;
   const credentialScope = `${datestamp}/auto/storage/goog4_request`;
   const credential = `${serviceAccount.client_email}/${credentialScope}`;
   const canonicalHeaders = `host:storage.googleapis.com
@@ -1222,7 +1350,7 @@ async function generateSignedUrl(path, options) {
   const queryParams = {
     "X-Goog-Algorithm": "GOOG4-RSA-SHA256",
     "X-Goog-Credential": credential,
-    "X-Goog-Date": `${datestamp}T000000Z`,
+    "X-Goog-Date": dateTimeStamp,
     "X-Goog-Expires": (expiration - timestamp).toString(),
     "X-Goog-SignedHeaders": signedHeaders
   };
@@ -1237,7 +1365,8 @@ async function generateSignedUrl(path, options) {
   }
   const sortedParams = Object.keys(queryParams).sort();
   const canonicalQueryString = sortedParams.map((key) => `${encodeURIComponent(key)}=${encodeURIComponent(queryParams[key])}`).join("&");
-  const canonicalUri = `/${bucket}/${path}`;
+  const encodedPath = path.split("/").map((segment) => encodeURIComponent(segment)).join("/");
+  const canonicalUri = `/${bucket}/${encodedPath}`;
   const canonicalRequest = [
     method,
     canonicalUri,
@@ -1249,7 +1378,7 @@ async function generateSignedUrl(path, options) {
   const canonicalRequestHash = stringToHex(canonicalRequest);
   const stringToSign = [
     "GOOG4-RSA-SHA256",
-    `${datestamp}T000000Z`,
+    dateTimeStamp,
     credentialScope,
     canonicalRequestHash
   ].join("\n");
@@ -1263,6 +1392,7 @@ export {
   batchWrite,
   clearConfig,
   clearTokenCache,
+  createCustomToken,
   deleteDocument,
   deleteFile,
   downloadFile,
@@ -1280,6 +1410,7 @@ export {
   listFiles,
   queryDocuments,
   setDocument,
+  signInWithCustomToken,
   updateDocument,
   uploadFile,
   verifyIdToken

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prmichaelsen/firebase-admin-sdk-v8",
-  "version": "2.0.22",
+  "version": "2.2.0",
   "description": "Firebase Admin SDK for Cloudflare Workers and edge runtimes using REST APIs",
   "main": "dist/index.js",
   "module": "dist/index.mjs",