@prmichaelsen/firebase-admin-sdk-v8 2.3.0 → 2.4.0

package/CHANGELOG.md

@@ -7,6 +7,28 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.4.0] - 2026-02-15
+
+### Added
+- **Session Cookie Support**: Added `createSessionCookie()` and `verifySessionCookie()`
+- Long-lived authentication sessions (up to 14 days) instead of 1-hour ID tokens
+- Session cookie verification with proper issuer validation
+- 15 new unit tests for session cookie functionality
+- 3 new E2E tests for session cookie creation and verification
+- Comprehensive session cookie documentation in README
+
+### Changed
+- Auth module coverage improved from 63.18% to 97.51%
+- Total tests increased from 418 to 433 (+15 tests)
+
+## [2.3.1] - 2026-02-14
+
+### Fixed
+- **CRITICAL**: Fixed signed URL generation to match Google Cloud Storage SDK encoding
+- Implemented `fixedEncodeURIComponent` to additionally encode `! * ' ( )` characters
+- This fixes `SignatureDoesNotMatch` errors in production environments
+- Path encoding now exactly matches official `@google-cloud/storage` SDK behavior
+
 ## [2.3.0] - 2026-02-14
 
 ### Added

package/README.md

@@ -15,6 +15,7 @@ This library provides Firebase Admin SDK functionality for Cloudflare Workers an
 - ✅ **Zero Dependencies** - No external dependencies, pure Web APIs (crypto.subtle, fetch)
 - ✅ **JWT Token Generation** - Service account authentication
 - ✅ **ID Token Verification** - Verify Firebase ID tokens (supports v9 and v10 formats)
+- ✅ **Session Cookies** - Create and verify long-lived session cookies (up to 14 days)
 - ✅ **Firebase v10 Compatible** - Supports both old and new token issuer formats
 - ✅ **Firestore REST API** - Full CRUD operations via REST
 - ✅ **Field Value Operations** - increment, arrayUnion, arrayRemove, serverTimestamp, delete
@@ -94,7 +95,26 @@ try {
 }
 ```
 
-### 3. Basic Firestore Operations
+### 3. Session Cookies (Long-Lived Sessions)
+
+```typescript
+import { createSessionCookie, verifySessionCookie } from '@prmichaelsen/firebase-admin-sdk-v8';
+
+// Create 14-day session cookie from ID token
+const sessionCookie = await createSessionCookie(idToken, {
+  expiresIn: 60 * 60 * 24 * 14 * 1000
+});
+
+// Set as HTTP-only cookie
+response.headers.set('Set-Cookie',
+  `session=${sessionCookie}; Max-Age=1209600; HttpOnly; Secure; SameSite=Strict`
+);
+
+// Verify session cookie
+const user = await verifySessionCookie(cookie);
+```
+
+### 4. Basic Firestore Operations
 
 ```typescript
 import { setDocument, getDocument, updateDocument, FieldValue } from '@prmichaelsen/firebase-admin-sdk-v8';

package/dist/chunk-5X465GLA.mjs

@@ -0,0 +1,161 @@
+// src/config.ts
+var globalConfig = {};
+function initializeApp(config) {
+  globalConfig = { ...config };
+}
+function getConfig() {
+  return globalConfig;
+}
+function clearConfig() {
+  globalConfig = {};
+}
+function getServiceAccount() {
+  if (globalConfig.serviceAccount) {
+    if (typeof globalConfig.serviceAccount === "string") {
+      return JSON.parse(globalConfig.serviceAccount);
+    }
+    return globalConfig.serviceAccount;
+  }
+  const key = typeof process !== "undefined" && process.env?.FIREBASE_ADMIN_SERVICE_ACCOUNT_KEY;
+  if (!key) {
+    throw new Error(
+      "Firebase service account not configured. Either call initializeApp({ serviceAccount: ... }) or set FIREBASE_ADMIN_SERVICE_ACCOUNT_KEY environment variable."
+    );
+  }
+  try {
+    const serviceAccount = JSON.parse(key);
+    const requiredFields = [
+      "type",
+      "project_id",
+      "private_key_id",
+      "private_key",
+      "client_email",
+      "client_id",
+      "token_uri"
+    ];
+    for (const field of requiredFields) {
+      if (!(field in serviceAccount)) {
+        throw new Error(`Service account is missing required field: ${field}`);
+      }
+    }
+    return serviceAccount;
+  } catch (error) {
+    if (error instanceof SyntaxError) {
+      throw new Error(
+        "Failed to parse FIREBASE_ADMIN_SERVICE_ACCOUNT_KEY. Ensure it contains valid JSON."
+      );
+    }
+    throw error;
+  }
+}
+function getProjectId() {
+  if (globalConfig.projectId) {
+    return globalConfig.projectId;
+  }
+  if (typeof process !== "undefined" && process.env) {
+    const projectId = process.env.FIREBASE_PROJECT_ID || process.env.PUBLIC_FIREBASE_PROJECT_ID;
+    if (projectId) {
+      return projectId;
+    }
+  }
+  throw new Error(
+    "Firebase project ID not configured. Either call initializeApp({ projectId: ... }) or set FIREBASE_PROJECT_ID environment variable."
+  );
+}
+function getFirebaseApiKey() {
+  if (globalConfig.apiKey) {
+    return globalConfig.apiKey;
+  }
+  if (typeof process !== "undefined" && process.env) {
+    const apiKey = process.env.FIREBASE_API_KEY || process.env.PUBLIC_FIREBASE_API_KEY;
+    if (apiKey) {
+      return apiKey;
+    }
+  }
+  throw new Error(
+    "Firebase API key not configured. Either call initializeApp({ apiKey: ... }) or set FIREBASE_API_KEY environment variable. Find your API key in Firebase Console > Project Settings > Web API Key."
+  );
+}
+
+// src/token-generation.ts
+function base64UrlEncode(str) {
+  return btoa(str).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function base64UrlEncodeBuffer(buffer) {
+  return btoa(String.fromCharCode(...buffer)).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+async function createJWT(serviceAccount) {
+  const now = Math.floor(Date.now() / 1e3);
+  const expiry = now + 3600;
+  const header = {
+    alg: "RS256",
+    typ: "JWT"
+  };
+  const payload = {
+    iss: serviceAccount.client_email,
+    sub: serviceAccount.client_email,
+    aud: serviceAccount.token_uri,
+    iat: now,
+    exp: expiry,
+    scope: "https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/datastore https://www.googleapis.com/auth/firebase"
+  };
+  const encodedHeader = base64UrlEncode(JSON.stringify(header));
+  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+  const unsignedToken = `${encodedHeader}.${encodedPayload}`;
+  const pemContents = serviceAccount.private_key.replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "").replace(/\s/g, "");
+  const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
+  const cryptoKey = await crypto.subtle.importKey(
+    "pkcs8",
+    binaryDer,
+    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign(
+    "RSASSA-PKCS1-v1_5",
+    cryptoKey,
+    new TextEncoder().encode(unsignedToken)
+  );
+  const encodedSignature = base64UrlEncodeBuffer(new Uint8Array(signature));
+  return `${unsignedToken}.${encodedSignature}`;
+}
+var cachedAccessToken = null;
+var tokenExpiry = 0;
+async function getAdminAccessToken() {
+  if (cachedAccessToken && Date.now() < tokenExpiry) {
+    return cachedAccessToken;
+  }
+  const serviceAccount = getServiceAccount();
+  const jwt = await createJWT(serviceAccount);
+  const response = await fetch(serviceAccount.token_uri, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+      assertion: jwt
+    })
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to get access token: ${errorText}`);
+  }
+  const data = await response.json();
+  cachedAccessToken = data.access_token;
+  tokenExpiry = Date.now() + data.expires_in * 1e3 - 6e4;
+  return cachedAccessToken;
+}
+function clearTokenCache() {
+  cachedAccessToken = null;
+  tokenExpiry = 0;
+}
+
+export {
+  initializeApp,
+  getConfig,
+  clearConfig,
+  getServiceAccount,
+  getProjectId,
+  getFirebaseApiKey,
+  getAdminAccessToken,
+  clearTokenCache
+};

package/dist/index.d.mts

@@ -335,6 +335,60 @@ declare function createCustomToken(uid: string, customClaims?: CustomClaims): Pr
  * ```
  */
 declare function signInWithCustomToken(customToken: string): Promise<CustomTokenSignInResponse>;
+/**
+ * Options for creating a session cookie
+ */
+interface SessionCookieOptions {
+    /**
+     * Session duration in milliseconds
+     * Maximum: 14 days (1,209,600,000 ms)
+     * Minimum: 5 minutes (300,000 ms)
+     */
+    expiresIn: number;
+}
+/**
+ * Create a session cookie from an ID token
+ *
+ * Session cookies can have a maximum duration of 14 days and are
+ * useful for maintaining long-lived authentication sessions.
+ *
+ * @param idToken - Valid Firebase ID token
+ * @param options - Session cookie options
+ * @returns Session cookie string
+ *
+ * @example
+ * ```typescript
+ * // Create 14-day session cookie
+ * const sessionCookie = await createSessionCookie(idToken, {
+ *   expiresIn: 60 * 60 * 24 * 14 * 1000
+ * });
+ *
+ * // Set as HTTP-only cookie
+ * response.headers.set('Set-Cookie',
+ *   `session=${sessionCookie}; Max-Age=1209600; HttpOnly; Secure; SameSite=Strict`
+ * );
+ * ```
+ */
+declare function createSessionCookie(idToken: string, options: SessionCookieOptions): Promise<string>;
+/**
+ * Verify a Firebase session cookie
+ *
+ * Session cookies are verified similarly to ID tokens but have
+ * different expiration times (up to 14 days) and issuer format.
+ *
+ * @param sessionCookie - Session cookie string to verify
+ * @param checkRevoked - Whether to check if the token has been revoked (not yet implemented)
+ * @returns Decoded token claims
+ *
+ * @example
+ * ```typescript
+ * // Verify session cookie from request
+ * const sessionCookie = request.cookies.get('session');
+ * const decodedToken = await verifySessionCookie(sessionCookie);
+ * console.log('User ID:', decodedToken.uid);
+ * ```
+ */
+declare function verifySessionCookie(sessionCookie: string, checkRevoked?: boolean): Promise<DecodedIdToken>;
 /**
  * Get Auth instance (for compatibility, but not used in new implementation)
  * @deprecated Use verifyIdToken directly
@@ -925,4 +979,4 @@ declare function getAdminAccessToken(): Promise<string>;
  */
 declare function clearTokenCache(): void;
 
-export { type BatchWrite, type BatchWriteResult, type CustomClaims, type CustomTokenSignInResponse, type DataObject, type DecodedIdToken, type DocumentReference, type DownloadOptions, FieldValue, type FieldValue$1 as FieldValueSentinel, FieldValueType, type FileMetadata, type FirestoreDocument, type FirestoreValue, type ListFilesResult, type ListOptions, type QueryFilter, type QueryOptions, type QueryOrder, type ResumableUploadOptions, type ServiceAccount, type SetOptions, type SignedUrlOptions, type TokenResponse, type UpdateOptions, type UploadOptions, type UserInfo, type WhereFilterOp, addDocument, batchWrite, clearConfig, clearTokenCache, countDocuments, createCustomToken, deleteDocument, deleteFile, downloadFile, fileExists, generateSignedUrl, getAdminAccessToken, getAuth, getConfig, getDocument, getFileMetadata, getProjectId, getServiceAccount, getUserFromToken, initializeApp, iterateCollection, listDocuments, listFiles, queryDocuments, setDocument, signInWithCustomToken, updateDocument, uploadFile, uploadFileResumable, verifyIdToken };
+export { type BatchWrite, type BatchWriteResult, type CustomClaims, type CustomTokenSignInResponse, type DataObject, type DecodedIdToken, type DocumentReference, type DownloadOptions, FieldValue, type FieldValue$1 as FieldValueSentinel, FieldValueType, type FileMetadata, type FirestoreDocument, type FirestoreValue, type ListFilesResult, type ListOptions, type QueryFilter, type QueryOptions, type QueryOrder, type ResumableUploadOptions, type ServiceAccount, type SessionCookieOptions, type SetOptions, type SignedUrlOptions, type TokenResponse, type UpdateOptions, type UploadOptions, type UserInfo, type WhereFilterOp, addDocument, batchWrite, clearConfig, clearTokenCache, countDocuments, createCustomToken, createSessionCookie, deleteDocument, deleteFile, downloadFile, fileExists, generateSignedUrl, getAdminAccessToken, getAuth, getConfig, getDocument, getFileMetadata, getProjectId, getServiceAccount, getUserFromToken, initializeApp, iterateCollection, listDocuments, listFiles, queryDocuments, setDocument, signInWithCustomToken, updateDocument, uploadFile, uploadFileResumable, verifyIdToken, verifySessionCookie };

package/dist/index.d.ts

@@ -335,6 +335,60 @@ declare function createCustomToken(uid: string, customClaims?: CustomClaims): Pr
  * ```
  */
 declare function signInWithCustomToken(customToken: string): Promise<CustomTokenSignInResponse>;
+/**
+ * Options for creating a session cookie
+ */
+interface SessionCookieOptions {
+    /**
+     * Session duration in milliseconds
+     * Maximum: 14 days (1,209,600,000 ms)
+     * Minimum: 5 minutes (300,000 ms)
+     */
+    expiresIn: number;
+}
+/**
+ * Create a session cookie from an ID token
+ *
+ * Session cookies can have a maximum duration of 14 days and are
+ * useful for maintaining long-lived authentication sessions.
+ *
+ * @param idToken - Valid Firebase ID token
+ * @param options - Session cookie options
+ * @returns Session cookie string
+ *
+ * @example
+ * ```typescript
+ * // Create 14-day session cookie
+ * const sessionCookie = await createSessionCookie(idToken, {
+ *   expiresIn: 60 * 60 * 24 * 14 * 1000
+ * });
+ *
+ * // Set as HTTP-only cookie
+ * response.headers.set('Set-Cookie',
+ *   `session=${sessionCookie}; Max-Age=1209600; HttpOnly; Secure; SameSite=Strict`
+ * );
+ * ```
+ */
+declare function createSessionCookie(idToken: string, options: SessionCookieOptions): Promise<string>;
+/**
+ * Verify a Firebase session cookie
+ *
+ * Session cookies are verified similarly to ID tokens but have
+ * different expiration times (up to 14 days) and issuer format.
+ *
+ * @param sessionCookie - Session cookie string to verify
+ * @param checkRevoked - Whether to check if the token has been revoked (not yet implemented)
+ * @returns Decoded token claims
+ *
+ * @example
+ * ```typescript
+ * // Verify session cookie from request
+ * const sessionCookie = request.cookies.get('session');
+ * const decodedToken = await verifySessionCookie(sessionCookie);
+ * console.log('User ID:', decodedToken.uid);
+ * ```
+ */
+declare function verifySessionCookie(sessionCookie: string, checkRevoked?: boolean): Promise<DecodedIdToken>;
 /**
  * Get Auth instance (for compatibility, but not used in new implementation)
  * @deprecated Use verifyIdToken directly
@@ -925,4 +979,4 @@ declare function getAdminAccessToken(): Promise<string>;
  */
 declare function clearTokenCache(): void;
 
-export { type BatchWrite, type BatchWriteResult, type CustomClaims, type CustomTokenSignInResponse, type DataObject, type DecodedIdToken, type DocumentReference, type DownloadOptions, FieldValue, type FieldValue$1 as FieldValueSentinel, FieldValueType, type FileMetadata, type FirestoreDocument, type FirestoreValue, type ListFilesResult, type ListOptions, type QueryFilter, type QueryOptions, type QueryOrder, type ResumableUploadOptions, type ServiceAccount, type SetOptions, type SignedUrlOptions, type TokenResponse, type UpdateOptions, type UploadOptions, type UserInfo, type WhereFilterOp, addDocument, batchWrite, clearConfig, clearTokenCache, countDocuments, createCustomToken, deleteDocument, deleteFile, downloadFile, fileExists, generateSignedUrl, getAdminAccessToken, getAuth, getConfig, getDocument, getFileMetadata, getProjectId, getServiceAccount, getUserFromToken, initializeApp, iterateCollection, listDocuments, listFiles, queryDocuments, setDocument, signInWithCustomToken, updateDocument, uploadFile, uploadFileResumable, verifyIdToken };
+export { type BatchWrite, type BatchWriteResult, type CustomClaims, type CustomTokenSignInResponse, type DataObject, type DecodedIdToken, type DocumentReference, type DownloadOptions, FieldValue, type FieldValue$1 as FieldValueSentinel, FieldValueType, type FileMetadata, type FirestoreDocument, type FirestoreValue, type ListFilesResult, type ListOptions, type QueryFilter, type QueryOptions, type QueryOrder, type ResumableUploadOptions, type ServiceAccount, type SessionCookieOptions, type SetOptions, type SignedUrlOptions, type TokenResponse, type UpdateOptions, type UploadOptions, type UserInfo, type WhereFilterOp, addDocument, batchWrite, clearConfig, clearTokenCache, countDocuments, createCustomToken, createSessionCookie, deleteDocument, deleteFile, downloadFile, fileExists, generateSignedUrl, getAdminAccessToken, getAuth, getConfig, getDocument, getFileMetadata, getProjectId, getServiceAccount, getUserFromToken, initializeApp, iterateCollection, listDocuments, listFiles, queryDocuments, setDocument, signInWithCustomToken, updateDocument, uploadFile, uploadFileResumable, verifyIdToken, verifySessionCookie };

package/dist/index.js

@@ -3,6 +3,9 @@ var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
@@ -17,45 +20,7 @@ var __copyProps = (to, from, except, desc) => {
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
-// src/index.ts
-var index_exports = {};
-__export(index_exports, {
-  FieldValue: () => FieldValue,
-  addDocument: () => addDocument,
-  batchWrite: () => batchWrite,
-  clearConfig: () => clearConfig,
-  clearTokenCache: () => clearTokenCache,
-  countDocuments: () => countDocuments,
-  createCustomToken: () => createCustomToken,
-  deleteDocument: () => deleteDocument,
-  deleteFile: () => deleteFile,
-  downloadFile: () => downloadFile,
-  fileExists: () => fileExists,
-  generateSignedUrl: () => generateSignedUrl,
-  getAdminAccessToken: () => getAdminAccessToken,
-  getAuth: () => getAuth,
-  getConfig: () => getConfig,
-  getDocument: () => getDocument,
-  getFileMetadata: () => getFileMetadata,
-  getProjectId: () => getProjectId,
-  getServiceAccount: () => getServiceAccount,
-  getUserFromToken: () => getUserFromToken,
-  initializeApp: () => initializeApp,
-  iterateCollection: () => iterateCollection,
-  listDocuments: () => listDocuments,
-  listFiles: () => listFiles,
-  queryDocuments: () => queryDocuments,
-  setDocument: () => setDocument,
-  signInWithCustomToken: () => signInWithCustomToken,
-  updateDocument: () => updateDocument,
-  uploadFile: () => uploadFile,
-  uploadFileResumable: () => uploadFileResumable,
-  verifyIdToken: () => verifyIdToken
-});
-module.exports = __toCommonJS(index_exports);
-
 // src/config.ts
-var globalConfig = {};
 function initializeApp(config) {
   globalConfig = { ...config };
 }
@@ -132,6 +97,149 @@ function getFirebaseApiKey() {
     "Firebase API key not configured. Either call initializeApp({ apiKey: ... }) or set FIREBASE_API_KEY environment variable. Find your API key in Firebase Console > Project Settings > Web API Key."
   );
 }
+var globalConfig;
+var init_config = __esm({
+  "src/config.ts"() {
+    "use strict";
+    globalConfig = {};
+  }
+});
+
+// src/service-account.ts
+var init_service_account = __esm({
+  "src/service-account.ts"() {
+    "use strict";
+    init_config();
+  }
+});
+
+// src/token-generation.ts
+var token_generation_exports = {};
+__export(token_generation_exports, {
+  clearTokenCache: () => clearTokenCache,
+  getAdminAccessToken: () => getAdminAccessToken
+});
+function base64UrlEncode(str) {
+  return btoa(str).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function base64UrlEncodeBuffer(buffer) {
+  return btoa(String.fromCharCode(...buffer)).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+async function createJWT(serviceAccount) {
+  const now = Math.floor(Date.now() / 1e3);
+  const expiry = now + 3600;
+  const header = {
+    alg: "RS256",
+    typ: "JWT"
+  };
+  const payload = {
+    iss: serviceAccount.client_email,
+    sub: serviceAccount.client_email,
+    aud: serviceAccount.token_uri,
+    iat: now,
+    exp: expiry,
+    scope: "https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/datastore https://www.googleapis.com/auth/firebase"
+  };
+  const encodedHeader = base64UrlEncode(JSON.stringify(header));
+  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+  const unsignedToken = `${encodedHeader}.${encodedPayload}`;
+  const pemContents = serviceAccount.private_key.replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "").replace(/\s/g, "");
+  const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
+  const cryptoKey = await crypto.subtle.importKey(
+    "pkcs8",
+    binaryDer,
+    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign(
+    "RSASSA-PKCS1-v1_5",
+    cryptoKey,
+    new TextEncoder().encode(unsignedToken)
+  );
+  const encodedSignature = base64UrlEncodeBuffer(new Uint8Array(signature));
+  return `${unsignedToken}.${encodedSignature}`;
+}
+async function getAdminAccessToken() {
+  if (cachedAccessToken && Date.now() < tokenExpiry) {
+    return cachedAccessToken;
+  }
+  const serviceAccount = getServiceAccount();
+  const jwt = await createJWT(serviceAccount);
+  const response = await fetch(serviceAccount.token_uri, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+      assertion: jwt
+    })
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to get access token: ${errorText}`);
+  }
+  const data = await response.json();
+  cachedAccessToken = data.access_token;
+  tokenExpiry = Date.now() + data.expires_in * 1e3 - 6e4;
+  return cachedAccessToken;
+}
+function clearTokenCache() {
+  cachedAccessToken = null;
+  tokenExpiry = 0;
+}
+var cachedAccessToken, tokenExpiry;
+var init_token_generation = __esm({
+  "src/token-generation.ts"() {
+    "use strict";
+    init_service_account();
+    cachedAccessToken = null;
+    tokenExpiry = 0;
+  }
+});
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  FieldValue: () => FieldValue,
+  addDocument: () => addDocument,
+  batchWrite: () => batchWrite,
+  clearConfig: () => clearConfig,
+  clearTokenCache: () => clearTokenCache,
+  countDocuments: () => countDocuments,
+  createCustomToken: () => createCustomToken,
+  createSessionCookie: () => createSessionCookie,
+  deleteDocument: () => deleteDocument,
+  deleteFile: () => deleteFile,
+  downloadFile: () => downloadFile,
+  fileExists: () => fileExists,
+  generateSignedUrl: () => generateSignedUrl,
+  getAdminAccessToken: () => getAdminAccessToken,
+  getAuth: () => getAuth,
+  getConfig: () => getConfig,
+  getDocument: () => getDocument,
+  getFileMetadata: () => getFileMetadata,
+  getProjectId: () => getProjectId,
+  getServiceAccount: () => getServiceAccount,
+  getUserFromToken: () => getUserFromToken,
+  initializeApp: () => initializeApp,
+  iterateCollection: () => iterateCollection,
+  listDocuments: () => listDocuments,
+  listFiles: () => listFiles,
+  queryDocuments: () => queryDocuments,
+  setDocument: () => setDocument,
+  signInWithCustomToken: () => signInWithCustomToken,
+  updateDocument: () => updateDocument,
+  uploadFile: () => uploadFile,
+  uploadFileResumable: () => uploadFileResumable,
+  verifyIdToken: () => verifyIdToken,
+  verifySessionCookie: () => verifySessionCookie
+});
+module.exports = __toCommonJS(index_exports);
+init_config();
+
+// src/auth.ts
+init_service_account();
+init_config();
 
 // src/x509.ts
 function decodeBase64(str) {
@@ -349,7 +457,7 @@ async function getUserFromToken(idToken) {
     photoURL: decodedToken.picture || null
   };
 }
-function base64UrlEncode(str) {
+function base64UrlEncode2(str) {
   return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
 async function signWithPrivateKey(data, privateKey) {
@@ -378,7 +486,7 @@ async function signWithPrivateKey(data, privateKey) {
     key,
     dataBytes
   );
-  return base64UrlEncode(String.fromCharCode(...new Uint8Array(signature)));
+  return base64UrlEncode2(String.fromCharCode(...new Uint8Array(signature)));
 }
 async function createCustomToken(uid, customClaims) {
   const serviceAccount = getServiceAccount();
@@ -405,8 +513,8 @@ async function createCustomToken(uid, customClaims) {
     alg: "RS256",
     typ: "JWT"
   };
-  const encodedHeader = base64UrlEncode(JSON.stringify(header));
-  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+  const encodedHeader = base64UrlEncode2(JSON.stringify(header));
+  const encodedPayload = base64UrlEncode2(JSON.stringify(payload));
   const unsignedToken = `${encodedHeader}.${encodedPayload}`;
   const signature = await signWithPrivateKey(unsignedToken, serviceAccount.private_key);
   return `${unsignedToken}.${signature}`;
@@ -448,6 +556,136 @@ async function signInWithCustomToken(customToken) {
     isNewUser: result.isNewUser
   };
 }
+async function createSessionCookie(idToken, options) {
+  if (!idToken || typeof idToken !== "string") {
+    throw new Error("idToken must be a non-empty string");
+  }
+  if (!options.expiresIn || typeof options.expiresIn !== "number") {
+    throw new Error("expiresIn must be a number");
+  }
+  const MIN_DURATION = 5 * 60 * 1e3;
+  const MAX_DURATION = 14 * 24 * 60 * 60 * 1e3;
+  if (options.expiresIn < MIN_DURATION) {
+    throw new Error(`expiresIn must be at least ${MIN_DURATION}ms (5 minutes)`);
+  }
+  if (options.expiresIn > MAX_DURATION) {
+    throw new Error(`expiresIn must be at most ${MAX_DURATION}ms (14 days)`);
+  }
+  const { getAdminAccessToken: getAdminAccessToken2 } = await Promise.resolve().then(() => (init_token_generation(), token_generation_exports));
+  const accessToken = await getAdminAccessToken2();
+  const projectId = getProjectId();
+  const url = `https://identitytoolkit.googleapis.com/v1/projects/${projectId}:createSessionCookie`;
+  const validDurationSeconds = Math.floor(options.expiresIn / 1e3);
+  const response = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Authorization": `Bearer ${accessToken}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      idToken,
+      validDuration: validDurationSeconds.toString()
+      // Must be string per API spec
+    })
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    let errorMessage = `Failed to create session cookie: ${response.status}`;
+    try {
+      const errorJson = JSON.parse(errorText);
+      if (errorJson.error && errorJson.error.message) {
+        errorMessage += ` - ${errorJson.error.message}`;
+      }
+    } catch {
+      errorMessage += ` - ${errorText}`;
+    }
+    throw new Error(errorMessage);
+  }
+  const result = await response.json();
+  return result.sessionCookie;
+}
+async function verifySessionCookie(sessionCookie, checkRevoked = false) {
+  if (!sessionCookie || typeof sessionCookie !== "string") {
+    throw new Error("sessionCookie must be a non-empty string");
+  }
+  try {
+    const parts = sessionCookie.split(".");
+    if (parts.length !== 3) {
+      throw new Error("Invalid session cookie format");
+    }
+    const [headerB64, payloadB64] = parts;
+    const headerJson = atob(headerB64.replace(/-/g, "+").replace(/_/g, "/"));
+    const header = JSON.parse(headerJson);
+    const payloadJson = atob(payloadB64.replace(/-/g, "+").replace(/_/g, "/"));
+    const payload = JSON.parse(payloadJson);
+    const projectId = getProjectId();
+    const now = Math.floor(Date.now() / 1e3);
+    if (!payload.exp || payload.exp < now) {
+      throw new Error("Session cookie has expired");
+    }
+    if (!payload.iat || payload.iat > now) {
+      throw new Error("Session cookie issued in the future");
+    }
+    if (payload.aud !== projectId) {
+      throw new Error(`Session cookie has incorrect audience. Expected ${projectId}, got ${payload.aud}`);
+    }
+    const expectedIssuer = `https://session.firebase.google.com/${projectId}`;
+    if (payload.iss !== expectedIssuer) {
+      throw new Error(`Session cookie has incorrect issuer. Expected ${expectedIssuer}, got ${payload.iss}`);
+    }
+    if (!payload.sub || typeof payload.sub !== "string" || payload.sub.length === 0) {
+      throw new Error("Session cookie has no subject (user ID)");
+    }
+    await verifySessionCookieSignature(sessionCookie, header, payload);
+    if (checkRevoked) {
+    }
+    return {
+      uid: payload.sub,
+      aud: payload.aud,
+      auth_time: payload.auth_time,
+      exp: payload.exp,
+      iat: payload.iat,
+      iss: payload.iss,
+      sub: payload.sub,
+      email: payload.email,
+      email_verified: payload.email_verified,
+      firebase: payload.firebase,
+      ...payload
+    };
+  } catch (error) {
+    throw new Error(`Failed to verify session cookie: ${error.message}`);
+  }
+}
+async function verifySessionCookieSignature(jwt, header, payload) {
+  const keys = await fetchPublicKeys(payload.iss);
+  const kid = header.kid;
+  if (!kid || !keys[kid]) {
+    throw new Error("Session cookie has invalid key ID");
+  }
+  const publicKeyPem = keys[kid];
+  const publicKey = await importPublicKeyFromX509(publicKeyPem);
+  const [headerAndPayload, signature] = [
+    jwt.split(".").slice(0, 2).join("."),
+    jwt.split(".")[2]
+  ];
+  const encoder = new TextEncoder();
+  const data = encoder.encode(headerAndPayload);
+  const signatureBase64 = signature.replace(/-/g, "+").replace(/_/g, "/");
+  const signatureBinary = atob(signatureBase64);
+  const signatureBytes = new Uint8Array(signatureBinary.length);
+  for (let i = 0; i < signatureBinary.length; i++) {
+    signatureBytes[i] = signatureBinary.charCodeAt(i);
+  }
+  const isValid = await crypto.subtle.verify(
+    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+    publicKey,
+    signatureBytes,
+    data
+  );
+  if (!isValid) {
+    throw new Error("Session cookie signature verification failed");
+  }
+}
 function getAuth() {
   return {
     verifyIdToken
@@ -730,77 +968,9 @@ function removeFieldTransforms(data) {
   return result;
 }
 
-// src/token-generation.ts
-function base64UrlEncode2(str) {
-  return btoa(str).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-function base64UrlEncodeBuffer(buffer) {
-  return btoa(String.fromCharCode(...buffer)).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-async function createJWT(serviceAccount) {
-  const now = Math.floor(Date.now() / 1e3);
-  const expiry = now + 3600;
-  const header = {
-    alg: "RS256",
-    typ: "JWT"
-  };
-  const payload = {
-    iss: serviceAccount.client_email,
-    sub: serviceAccount.client_email,
-    aud: serviceAccount.token_uri,
-    iat: now,
-    exp: expiry,
-    scope: "https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/datastore https://www.googleapis.com/auth/firebase"
-  };
-  const encodedHeader = base64UrlEncode2(JSON.stringify(header));
-  const encodedPayload = base64UrlEncode2(JSON.stringify(payload));
-  const unsignedToken = `${encodedHeader}.${encodedPayload}`;
-  const pemContents = serviceAccount.private_key.replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "").replace(/\s/g, "");
-  const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
-  const cryptoKey = await crypto.subtle.importKey(
-    "pkcs8",
-    binaryDer,
-    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
-    false,
-    ["sign"]
-  );
-  const signature = await crypto.subtle.sign(
-    "RSASSA-PKCS1-v1_5",
-    cryptoKey,
-    new TextEncoder().encode(unsignedToken)
-  );
-  const encodedSignature = base64UrlEncodeBuffer(new Uint8Array(signature));
-  return `${unsignedToken}.${encodedSignature}`;
-}
-var cachedAccessToken = null;
-var tokenExpiry = 0;
-async function getAdminAccessToken() {
-  if (cachedAccessToken && Date.now() < tokenExpiry) {
-    return cachedAccessToken;
-  }
-  const serviceAccount = getServiceAccount();
-  const jwt = await createJWT(serviceAccount);
-  const response = await fetch(serviceAccount.token_uri, {
-    method: "POST",
-    headers: { "Content-Type": "application/x-www-form-urlencoded" },
-    body: new URLSearchParams({
-      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
-      assertion: jwt
-    })
-  });
-  if (!response.ok) {
-    const errorText = await response.text();
-    throw new Error(`Failed to get access token: ${errorText}`);
-  }
-  const data = await response.json();
-  cachedAccessToken = data.access_token;
-  tokenExpiry = Date.now() + data.expires_in * 1e3 - 6e4;
-  return cachedAccessToken;
-}
-function clearTokenCache() {
-  cachedAccessToken = null;
-  tokenExpiry = 0;
-}
+// src/firestore/operations.ts
+init_token_generation();
+init_service_account();
 
 // src/firestore/path-validation.ts
 function validateCollectionPath(argumentName, collectionPath) {
@@ -1172,6 +1342,8 @@ async function countDocuments(collectionPath, options) {
 }
 
 // src/storage/client.ts
+init_token_generation();
+init_config();
 var STORAGE_API_BASE = "https://storage.googleapis.com/storage/v1";
 var UPLOAD_API_BASE = "https://storage.googleapis.com/upload/storage/v1";
 function getDefaultBucket() {
@@ -1366,13 +1538,14 @@ async function fileExists(path) {
 }
 
 // src/storage/signed-urls.ts
+init_config();
 function getStorageBucket() {
   const customBucket = process.env.FIREBASE_STORAGE_BUCKET;
   if (customBucket) {
     return customBucket;
   }
   const projectId = getProjectId();
-  return `${projectId}.appspot.com`;
+  return `${projectId}.firebasestorage.app`;
 }
 function getExpirationTimestamp(expires) {
   if (expires instanceof Date) {
@@ -1390,10 +1563,18 @@ function actionToMethod(action) {
       return "DELETE";
   }
 }
-function stringToHex(str) {
+function fixedEncodeURIComponent(str) {
+  return encodeURIComponent(str).replace(
+    /[!'()*]/g,
+    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase()
+  );
+}
+async function sha256Hex(str) {
   const encoder = new TextEncoder();
-  const bytes = encoder.encode(str);
-  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  const data = encoder.encode(str);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  const hashArray = new Uint8Array(hashBuffer);
+  return Array.from(hashArray).map((b) => b.toString(16).padStart(2, "0")).join("");
 }
 async function signData(data, privateKey) {
   const pemHeader = "-----BEGIN PRIVATE KEY-----";
@@ -1458,17 +1639,15 @@ async function generateSignedUrl(path, options) {
   }
   const sortedParams = Object.keys(queryParams).sort();
   const canonicalQueryString = sortedParams.map((key) => `${encodeURIComponent(key)}=${encodeURIComponent(queryParams[key])}`).join("&");
-  const encodedPath = path.split("/").map((segment) => encodeURIComponent(segment)).join("/");
+  const encodedPath = path.split("/").map((segment) => fixedEncodeURIComponent(segment)).join("/");
   const canonicalUri = `/${bucket}/${encodedPath}`;
-  const canonicalRequest = [
-    method,
-    canonicalUri,
-    canonicalQueryString,
-    canonicalHeaders,
-    signedHeaders,
-    "UNSIGNED-PAYLOAD"
-  ].join("\n");
-  const canonicalRequestHash = stringToHex(canonicalRequest);
+  const canonicalRequest = `${method}
+${canonicalUri}
+${canonicalQueryString}
+${canonicalHeaders}
+${signedHeaders}
+UNSIGNED-PAYLOAD`;
+  const canonicalRequestHash = await sha256Hex(canonicalRequest);
   const stringToSign = [
     "GOOG4-RSA-SHA256",
     dateTimeStamp,
@@ -1481,6 +1660,8 @@ async function generateSignedUrl(path, options) {
 }
 
 // src/storage/resumable-upload.ts
+init_token_generation();
+init_config();
 var UPLOAD_API_BASE2 = "https://storage.googleapis.com/upload/storage/v1";
 function getDefaultBucket2() {
   const customBucket = process.env.FIREBASE_STORAGE_BUCKET;
@@ -1677,6 +1858,10 @@ async function uploadFromStream(bucket, path, stream, contentType, chunkSize, op
     reader.releaseLock();
   }
 }
+
+// src/index.ts
+init_token_generation();
+init_service_account();
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   FieldValue,
@@ -1686,6 +1871,7 @@ async function uploadFromStream(bucket, path, stream, contentType, chunkSize, op
   clearTokenCache,
   countDocuments,
   createCustomToken,
+  createSessionCookie,
   deleteDocument,
   deleteFile,
   downloadFile,
@@ -1709,5 +1895,6 @@ async function uploadFromStream(bucket, path, stream, contentType, chunkSize, op
   updateDocument,
   uploadFile,
   uploadFileResumable,
-  verifyIdToken
+  verifyIdToken,
+  verifySessionCookie
 });

package/dist/index.mjs

@@ -1,81 +1,13 @@
-// src/config.ts
-var globalConfig = {};
-function initializeApp(config) {
-  globalConfig = { ...config };
-}
-function getConfig() {
-  return globalConfig;
-}
-function clearConfig() {
-  globalConfig = {};
-}
-function getServiceAccount() {
-  if (globalConfig.serviceAccount) {
-    if (typeof globalConfig.serviceAccount === "string") {
-      return JSON.parse(globalConfig.serviceAccount);
-    }
-    return globalConfig.serviceAccount;
-  }
-  const key = typeof process !== "undefined" && process.env?.FIREBASE_ADMIN_SERVICE_ACCOUNT_KEY;
-  if (!key) {
-    throw new Error(
-      "Firebase service account not configured. Either call initializeApp({ serviceAccount: ... }) or set FIREBASE_ADMIN_SERVICE_ACCOUNT_KEY environment variable."
-    );
-  }
-  try {
-    const serviceAccount = JSON.parse(key);
-    const requiredFields = [
-      "type",
-      "project_id",
-      "private_key_id",
-      "private_key",
-      "client_email",
-      "client_id",
-      "token_uri"
-    ];
-    for (const field of requiredFields) {
-      if (!(field in serviceAccount)) {
-        throw new Error(`Service account is missing required field: ${field}`);
-      }
-    }
-    return serviceAccount;
-  } catch (error) {
-    if (error instanceof SyntaxError) {
-      throw new Error(
-        "Failed to parse FIREBASE_ADMIN_SERVICE_ACCOUNT_KEY. Ensure it contains valid JSON."
-      );
-    }
-    throw error;
-  }
-}
-function getProjectId() {
-  if (globalConfig.projectId) {
-    return globalConfig.projectId;
-  }
-  if (typeof process !== "undefined" && process.env) {
-    const projectId = process.env.FIREBASE_PROJECT_ID || process.env.PUBLIC_FIREBASE_PROJECT_ID;
-    if (projectId) {
-      return projectId;
-    }
-  }
-  throw new Error(
-    "Firebase project ID not configured. Either call initializeApp({ projectId: ... }) or set FIREBASE_PROJECT_ID environment variable."
-  );
-}
-function getFirebaseApiKey() {
-  if (globalConfig.apiKey) {
-    return globalConfig.apiKey;
-  }
-  if (typeof process !== "undefined" && process.env) {
-    const apiKey = process.env.FIREBASE_API_KEY || process.env.PUBLIC_FIREBASE_API_KEY;
-    if (apiKey) {
-      return apiKey;
-    }
-  }
-  throw new Error(
-    "Firebase API key not configured. Either call initializeApp({ apiKey: ... }) or set FIREBASE_API_KEY environment variable. Find your API key in Firebase Console > Project Settings > Web API Key."
-  );
-}
+import {
+  clearConfig,
+  clearTokenCache,
+  getAdminAccessToken,
+  getConfig,
+  getFirebaseApiKey,
+  getProjectId,
+  getServiceAccount,
+  initializeApp
+} from "./chunk-5X465GLA.mjs";
 
 // src/x509.ts
 function decodeBase64(str) {
@@ -392,6 +324,136 @@ async function signInWithCustomToken(customToken) {
     isNewUser: result.isNewUser
   };
 }
+async function createSessionCookie(idToken, options) {
+  if (!idToken || typeof idToken !== "string") {
+    throw new Error("idToken must be a non-empty string");
+  }
+  if (!options.expiresIn || typeof options.expiresIn !== "number") {
+    throw new Error("expiresIn must be a number");
+  }
+  const MIN_DURATION = 5 * 60 * 1e3;
+  const MAX_DURATION = 14 * 24 * 60 * 60 * 1e3;
+  if (options.expiresIn < MIN_DURATION) {
+    throw new Error(`expiresIn must be at least ${MIN_DURATION}ms (5 minutes)`);
+  }
+  if (options.expiresIn > MAX_DURATION) {
+    throw new Error(`expiresIn must be at most ${MAX_DURATION}ms (14 days)`);
+  }
+  const { getAdminAccessToken: getAdminAccessToken2 } = await import("./token-generation-5K7K6T6U.mjs");
+  const accessToken = await getAdminAccessToken2();
+  const projectId = getProjectId();
+  const url = `https://identitytoolkit.googleapis.com/v1/projects/${projectId}:createSessionCookie`;
+  const validDurationSeconds = Math.floor(options.expiresIn / 1e3);
+  const response = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Authorization": `Bearer ${accessToken}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      idToken,
+      validDuration: validDurationSeconds.toString()
+      // Must be string per API spec
+    })
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    let errorMessage = `Failed to create session cookie: ${response.status}`;
+    try {
+      const errorJson = JSON.parse(errorText);
+      if (errorJson.error && errorJson.error.message) {
+        errorMessage += ` - ${errorJson.error.message}`;
+      }
+    } catch {
+      errorMessage += ` - ${errorText}`;
+    }
+    throw new Error(errorMessage);
+  }
+  const result = await response.json();
+  return result.sessionCookie;
+}
+async function verifySessionCookie(sessionCookie, checkRevoked = false) {
+  if (!sessionCookie || typeof sessionCookie !== "string") {
+    throw new Error("sessionCookie must be a non-empty string");
+  }
+  try {
+    const parts = sessionCookie.split(".");
+    if (parts.length !== 3) {
+      throw new Error("Invalid session cookie format");
+    }
+    const [headerB64, payloadB64] = parts;
+    const headerJson = atob(headerB64.replace(/-/g, "+").replace(/_/g, "/"));
+    const header = JSON.parse(headerJson);
+    const payloadJson = atob(payloadB64.replace(/-/g, "+").replace(/_/g, "/"));
+    const payload = JSON.parse(payloadJson);
+    const projectId = getProjectId();
+    const now = Math.floor(Date.now() / 1e3);
+    if (!payload.exp || payload.exp < now) {
+      throw new Error("Session cookie has expired");
+    }
+    if (!payload.iat || payload.iat > now) {
+      throw new Error("Session cookie issued in the future");
+    }
+    if (payload.aud !== projectId) {
+      throw new Error(`Session cookie has incorrect audience. Expected ${projectId}, got ${payload.aud}`);
+    }
+    const expectedIssuer = `https://session.firebase.google.com/${projectId}`;
+    if (payload.iss !== expectedIssuer) {
+      throw new Error(`Session cookie has incorrect issuer. Expected ${expectedIssuer}, got ${payload.iss}`);
+    }
+    if (!payload.sub || typeof payload.sub !== "string" || payload.sub.length === 0) {
+      throw new Error("Session cookie has no subject (user ID)");
+    }
+    await verifySessionCookieSignature(sessionCookie, header, payload);
+    if (checkRevoked) {
+    }
+    return {
+      uid: payload.sub,
+      aud: payload.aud,
+      auth_time: payload.auth_time,
+      exp: payload.exp,
+      iat: payload.iat,
+      iss: payload.iss,
+      sub: payload.sub,
+      email: payload.email,
+      email_verified: payload.email_verified,
+      firebase: payload.firebase,
+      ...payload
+    };
+  } catch (error) {
+    throw new Error(`Failed to verify session cookie: ${error.message}`);
+  }
+}
+async function verifySessionCookieSignature(jwt, header, payload) {
+  const keys = await fetchPublicKeys(payload.iss);
+  const kid = header.kid;
+  if (!kid || !keys[kid]) {
+    throw new Error("Session cookie has invalid key ID");
+  }
+  const publicKeyPem = keys[kid];
+  const publicKey = await importPublicKeyFromX509(publicKeyPem);
+  const [headerAndPayload, signature] = [
+    jwt.split(".").slice(0, 2).join("."),
+    jwt.split(".")[2]
+  ];
+  const encoder = new TextEncoder();
+  const data = encoder.encode(headerAndPayload);
+  const signatureBase64 = signature.replace(/-/g, "+").replace(/_/g, "/");
+  const signatureBinary = atob(signatureBase64);
+  const signatureBytes = new Uint8Array(signatureBinary.length);
+  for (let i = 0; i < signatureBinary.length; i++) {
+    signatureBytes[i] = signatureBinary.charCodeAt(i);
+  }
+  const isValid = await crypto.subtle.verify(
+    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+    publicKey,
+    signatureBytes,
+    data
+  );
+  if (!isValid) {
+    throw new Error("Session cookie signature verification failed");
+  }
+}
 function getAuth() {
   return {
     verifyIdToken
@@ -674,78 +736,6 @@ function removeFieldTransforms(data) {
   return result;
 }
 
-// src/token-generation.ts
-function base64UrlEncode2(str) {
-  return btoa(str).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-function base64UrlEncodeBuffer(buffer) {
-  return btoa(String.fromCharCode(...buffer)).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-async function createJWT(serviceAccount) {
-  const now = Math.floor(Date.now() / 1e3);
-  const expiry = now + 3600;
-  const header = {
-    alg: "RS256",
-    typ: "JWT"
-  };
-  const payload = {
-    iss: serviceAccount.client_email,
-    sub: serviceAccount.client_email,
-    aud: serviceAccount.token_uri,
-    iat: now,
-    exp: expiry,
-    scope: "https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/datastore https://www.googleapis.com/auth/firebase"
-  };
-  const encodedHeader = base64UrlEncode2(JSON.stringify(header));
-  const encodedPayload = base64UrlEncode2(JSON.stringify(payload));
-  const unsignedToken = `${encodedHeader}.${encodedPayload}`;
-  const pemContents = serviceAccount.private_key.replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "").replace(/\s/g, "");
-  const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
-  const cryptoKey = await crypto.subtle.importKey(
-    "pkcs8",
-    binaryDer,
-    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
-    false,
-    ["sign"]
-  );
-  const signature = await crypto.subtle.sign(
-    "RSASSA-PKCS1-v1_5",
-    cryptoKey,
-    new TextEncoder().encode(unsignedToken)
-  );
-  const encodedSignature = base64UrlEncodeBuffer(new Uint8Array(signature));
-  return `${unsignedToken}.${encodedSignature}`;
-}
-var cachedAccessToken = null;
-var tokenExpiry = 0;
-async function getAdminAccessToken() {
-  if (cachedAccessToken && Date.now() < tokenExpiry) {
-    return cachedAccessToken;
-  }
-  const serviceAccount = getServiceAccount();
-  const jwt = await createJWT(serviceAccount);
-  const response = await fetch(serviceAccount.token_uri, {
-    method: "POST",
-    headers: { "Content-Type": "application/x-www-form-urlencoded" },
-    body: new URLSearchParams({
-      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
-      assertion: jwt
-    })
-  });
-  if (!response.ok) {
-    const errorText = await response.text();
-    throw new Error(`Failed to get access token: ${errorText}`);
-  }
-  const data = await response.json();
-  cachedAccessToken = data.access_token;
-  tokenExpiry = Date.now() + data.expires_in * 1e3 - 6e4;
-  return cachedAccessToken;
-}
-function clearTokenCache() {
-  cachedAccessToken = null;
-  tokenExpiry = 0;
-}
-
 // src/firestore/path-validation.ts
 function validateCollectionPath(argumentName, collectionPath) {
   const segments = collectionPath.split("/").filter((s) => s.length > 0);
@@ -1316,7 +1306,7 @@ function getStorageBucket() {
     return customBucket;
   }
   const projectId = getProjectId();
-  return `${projectId}.appspot.com`;
+  return `${projectId}.firebasestorage.app`;
 }
 function getExpirationTimestamp(expires) {
   if (expires instanceof Date) {
@@ -1334,10 +1324,18 @@ function actionToMethod(action) {
       return "DELETE";
   }
 }
-function stringToHex(str) {
+function fixedEncodeURIComponent(str) {
+  return encodeURIComponent(str).replace(
+    /[!'()*]/g,
+    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase()
+  );
+}
+async function sha256Hex(str) {
   const encoder = new TextEncoder();
-  const bytes = encoder.encode(str);
-  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  const data = encoder.encode(str);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  const hashArray = new Uint8Array(hashBuffer);
+  return Array.from(hashArray).map((b) => b.toString(16).padStart(2, "0")).join("");
 }
 async function signData(data, privateKey) {
   const pemHeader = "-----BEGIN PRIVATE KEY-----";
@@ -1402,17 +1400,15 @@ async function generateSignedUrl(path, options) {
   }
   const sortedParams = Object.keys(queryParams).sort();
   const canonicalQueryString = sortedParams.map((key) => `${encodeURIComponent(key)}=${encodeURIComponent(queryParams[key])}`).join("&");
-  const encodedPath = path.split("/").map((segment) => encodeURIComponent(segment)).join("/");
+  const encodedPath = path.split("/").map((segment) => fixedEncodeURIComponent(segment)).join("/");
   const canonicalUri = `/${bucket}/${encodedPath}`;
-  const canonicalRequest = [
-    method,
-    canonicalUri,
-    canonicalQueryString,
-    canonicalHeaders,
-    signedHeaders,
-    "UNSIGNED-PAYLOAD"
-  ].join("\n");
-  const canonicalRequestHash = stringToHex(canonicalRequest);
+  const canonicalRequest = `${method}
+${canonicalUri}
+${canonicalQueryString}
+${canonicalHeaders}
+${signedHeaders}
+UNSIGNED-PAYLOAD`;
+  const canonicalRequestHash = await sha256Hex(canonicalRequest);
   const stringToSign = [
     "GOOG4-RSA-SHA256",
     dateTimeStamp,
@@ -1629,6 +1625,7 @@ export {
   clearTokenCache,
   countDocuments,
   createCustomToken,
+  createSessionCookie,
   deleteDocument,
   deleteFile,
   downloadFile,
@@ -1652,5 +1649,6 @@ export {
   updateDocument,
   uploadFile,
   uploadFileResumable,
-  verifyIdToken
+  verifyIdToken,
+  verifySessionCookie
 };

package/dist/token-generation-5K7K6T6U.mjs

@@ -0,0 +1,8 @@
+import {
+  clearTokenCache,
+  getAdminAccessToken
+} from "./chunk-5X465GLA.mjs";
+export {
+  clearTokenCache,
+  getAdminAccessToken
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prmichaelsen/firebase-admin-sdk-v8",
-  "version": "2.3.0",
+  "version": "2.4.0",
   "description": "Firebase Admin SDK for Cloudflare Workers and edge runtimes using REST APIs",
   "main": "dist/index.js",
   "module": "dist/index.mjs",