npm - @prmichaelsen/firebase-admin-sdk-v8 - Versions diffs - 2.3.1 → 2.4.2 - Mend

@prmichaelsen/firebase-admin-sdk-v8 2.3.1 → 2.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/AGENT.md +117 -6
package/CHANGELOG.md +14 -0
package/README.md +21 -1
package/dist/chunk-5X465GLA.mjs +161 -0
package/dist/index.d.mts +55 -1
package/dist/index.d.ts +55 -1
package/dist/index.js +330 -125
package/dist/index.mjs +178 -162
package/dist/token-generation-5K7K6T6U.mjs +8 -0
package/package.json +3 -3

package/dist/index.js CHANGED Viewed

@@ -3,6 +3,9 @@ var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
@@ -17,45 +20,7 @@ var __copyProps = (to, from, except, desc) => {
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-// src/index.ts
-var index_exports = {};
-__export(index_exports, {
-  FieldValue: () => FieldValue,
-  addDocument: () => addDocument,
-  batchWrite: () => batchWrite,
-  clearConfig: () => clearConfig,
-  clearTokenCache: () => clearTokenCache,
-  countDocuments: () => countDocuments,
-  createCustomToken: () => createCustomToken,
-  deleteDocument: () => deleteDocument,
-  deleteFile: () => deleteFile,
-  downloadFile: () => downloadFile,
-  fileExists: () => fileExists,
-  generateSignedUrl: () => generateSignedUrl,
-  getAdminAccessToken: () => getAdminAccessToken,
-  getAuth: () => getAuth,
-  getConfig: () => getConfig,
-  getDocument: () => getDocument,
-  getFileMetadata: () => getFileMetadata,
-  getProjectId: () => getProjectId,
-  getServiceAccount: () => getServiceAccount,
-  getUserFromToken: () => getUserFromToken,
-  initializeApp: () => initializeApp,
-  iterateCollection: () => iterateCollection,
-  listDocuments: () => listDocuments,
-  listFiles: () => listFiles,
-  queryDocuments: () => queryDocuments,
-  setDocument: () => setDocument,
-  signInWithCustomToken: () => signInWithCustomToken,
-  updateDocument: () => updateDocument,
-  uploadFile: () => uploadFile,
-  uploadFileResumable: () => uploadFileResumable,
-  verifyIdToken: () => verifyIdToken
-});
-module.exports = __toCommonJS(index_exports);
 // src/config.ts
-var globalConfig = {};
 function initializeApp(config) {
   globalConfig = { ...config };
 }
@@ -132,6 +97,149 @@ function getFirebaseApiKey() {
     "Firebase API key not configured. Either call initializeApp({ apiKey: ... }) or set FIREBASE_API_KEY environment variable. Find your API key in Firebase Console > Project Settings > Web API Key."
   );
 }
+var globalConfig;
+var init_config = __esm({
+  "src/config.ts"() {
+    "use strict";
+    globalConfig = {};
+  }
+});
+// src/service-account.ts
+var init_service_account = __esm({
+  "src/service-account.ts"() {
+    "use strict";
+    init_config();
+  }
+});
+// src/token-generation.ts
+var token_generation_exports = {};
+__export(token_generation_exports, {
+  clearTokenCache: () => clearTokenCache,
+  getAdminAccessToken: () => getAdminAccessToken
+});
+function base64UrlEncode(str) {
+  return btoa(str).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function base64UrlEncodeBuffer(buffer) {
+  return btoa(String.fromCharCode(...buffer)).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+async function createJWT(serviceAccount) {
+  const now = Math.floor(Date.now() / 1e3);
+  const expiry = now + 3600;
+  const header = {
+    alg: "RS256",
+    typ: "JWT"
+  };
+  const payload = {
+    iss: serviceAccount.client_email,
+    sub: serviceAccount.client_email,
+    aud: serviceAccount.token_uri,
+    iat: now,
+    exp: expiry,
+    scope: "https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/datastore https://www.googleapis.com/auth/firebase"
+  };
+  const encodedHeader = base64UrlEncode(JSON.stringify(header));
+  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+  const unsignedToken = `${encodedHeader}.${encodedPayload}`;
+  const pemContents = serviceAccount.private_key.replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "").replace(/\s/g, "");
+  const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
+  const cryptoKey = await crypto.subtle.importKey(
+    "pkcs8",
+    binaryDer,
+    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign(
+    "RSASSA-PKCS1-v1_5",
+    cryptoKey,
+    new TextEncoder().encode(unsignedToken)
+  );
+  const encodedSignature = base64UrlEncodeBuffer(new Uint8Array(signature));
+  return `${unsignedToken}.${encodedSignature}`;
+}
+async function getAdminAccessToken() {
+  if (cachedAccessToken && Date.now() < tokenExpiry) {
+    return cachedAccessToken;
+  }
+  const serviceAccount = getServiceAccount();
+  const jwt = await createJWT(serviceAccount);
+  const response = await fetch(serviceAccount.token_uri, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+      assertion: jwt
+    })
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to get access token: ${errorText}`);
+  }
+  const data = await response.json();
+  cachedAccessToken = data.access_token;
+  tokenExpiry = Date.now() + data.expires_in * 1e3 - 6e4;
+  return cachedAccessToken;
+}
+function clearTokenCache() {
+  cachedAccessToken = null;
+  tokenExpiry = 0;
+}
+var cachedAccessToken, tokenExpiry;
+var init_token_generation = __esm({
+  "src/token-generation.ts"() {
+    "use strict";
+    init_service_account();
+    cachedAccessToken = null;
+    tokenExpiry = 0;
+  }
+});
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  FieldValue: () => FieldValue,
+  addDocument: () => addDocument,
+  batchWrite: () => batchWrite,
+  clearConfig: () => clearConfig,
+  clearTokenCache: () => clearTokenCache,
+  countDocuments: () => countDocuments,
+  createCustomToken: () => createCustomToken,
+  createSessionCookie: () => createSessionCookie,
+  deleteDocument: () => deleteDocument,
+  deleteFile: () => deleteFile,
+  downloadFile: () => downloadFile,
+  fileExists: () => fileExists,
+  generateSignedUrl: () => generateSignedUrl,
+  getAdminAccessToken: () => getAdminAccessToken,
+  getAuth: () => getAuth,
+  getConfig: () => getConfig,
+  getDocument: () => getDocument,
+  getFileMetadata: () => getFileMetadata,
+  getProjectId: () => getProjectId,
+  getServiceAccount: () => getServiceAccount,
+  getUserFromToken: () => getUserFromToken,
+  initializeApp: () => initializeApp,
+  iterateCollection: () => iterateCollection,
+  listDocuments: () => listDocuments,
+  listFiles: () => listFiles,
+  queryDocuments: () => queryDocuments,
+  setDocument: () => setDocument,
+  signInWithCustomToken: () => signInWithCustomToken,
+  updateDocument: () => updateDocument,
+  uploadFile: () => uploadFile,
+  uploadFileResumable: () => uploadFileResumable,
+  verifyIdToken: () => verifyIdToken,
+  verifySessionCookie: () => verifySessionCookie
+});
+module.exports = __toCommonJS(index_exports);
+init_config();
+// src/auth.ts
+init_service_account();
+init_config();
 // src/x509.ts
 function decodeBase64(str) {
@@ -222,23 +330,41 @@ async function importPublicKeyFromX509(pem) {
 }
 // src/auth.ts
-var publicKeysCache = null;
-var publicKeysCacheExpiry = 0;
+var idTokenKeysCache = null;
+var idTokenKeysCacheExpiry = 0;
+var sessionKeysCache = null;
+var sessionKeysCacheExpiry = 0;
 async function fetchPublicKeys(issuer) {
-  let endpoint = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
-  if (issuer && issuer.includes("session.firebase.google.com")) {
+  const isSessionCookie = issuer && issuer.includes("session.firebase.google.com");
+  let endpoint;
+  let cache;
+  let cacheExpiry;
+  if (isSessionCookie) {
     endpoint = "https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys";
+    cache = sessionKeysCache;
+    cacheExpiry = sessionKeysCacheExpiry;
+  } else {
+    endpoint = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
+    cache = idTokenKeysCache;
+    cacheExpiry = idTokenKeysCacheExpiry;
   }
-  if (publicKeysCache && Date.now() < publicKeysCacheExpiry) {
-    return publicKeysCache;
+  if (cache && Date.now() < cacheExpiry) {
+    return cache;
   }
   const response = await fetch(endpoint);
   if (!response.ok) {
     throw new Error(`Failed to fetch Firebase public keys from ${endpoint}`);
   }
-  publicKeysCache = await response.json();
-  publicKeysCacheExpiry = Date.now() + 36e5;
-  return publicKeysCache;
+  const keys = await response.json();
+  const newExpiry = Date.now() + 36e5;
+  if (isSessionCookie) {
+    sessionKeysCache = keys;
+    sessionKeysCacheExpiry = newExpiry;
+  } else {
+    idTokenKeysCache = keys;
+    idTokenKeysCacheExpiry = newExpiry;
+  }
+  return keys;
 }
 function base64UrlDecode(str) {
   let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
@@ -313,8 +439,14 @@ async function verifyIdToken(idToken) {
     let publicKeys = await fetchPublicKeys(payload.iss);
     let publicKeyPem = publicKeys[header.kid];
     if (!publicKeyPem) {
-      publicKeysCache = null;
-      publicKeysCacheExpiry = 0;
+      const isSessionCookie = payload.iss && payload.iss.includes("session.firebase.google.com");
+      if (isSessionCookie) {
+        sessionKeysCache = null;
+        sessionKeysCacheExpiry = 0;
+      } else {
+        idTokenKeysCache = null;
+        idTokenKeysCacheExpiry = 0;
+      }
       publicKeys = await fetchPublicKeys(payload.iss);
       publicKeyPem = publicKeys[header.kid];
       if (!publicKeyPem) {
@@ -349,7 +481,7 @@ async function getUserFromToken(idToken) {
     photoURL: decodedToken.picture || null
   };
 }
-function base64UrlEncode(str) {
+function base64UrlEncode2(str) {
   return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
 async function signWithPrivateKey(data, privateKey) {
@@ -378,7 +510,7 @@ async function signWithPrivateKey(data, privateKey) {
     key,
     dataBytes
   );
-  return base64UrlEncode(String.fromCharCode(...new Uint8Array(signature)));
+  return base64UrlEncode2(String.fromCharCode(...new Uint8Array(signature)));
 }
 async function createCustomToken(uid, customClaims) {
   const serviceAccount = getServiceAccount();
@@ -405,8 +537,8 @@ async function createCustomToken(uid, customClaims) {
     alg: "RS256",
     typ: "JWT"
   };
-  const encodedHeader = base64UrlEncode(JSON.stringify(header));
-  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+  const encodedHeader = base64UrlEncode2(JSON.stringify(header));
+  const encodedPayload = base64UrlEncode2(JSON.stringify(payload));
   const unsignedToken = `${encodedHeader}.${encodedPayload}`;
   const signature = await signWithPrivateKey(unsignedToken, serviceAccount.private_key);
   return `${unsignedToken}.${signature}`;
@@ -448,6 +580,136 @@ async function signInWithCustomToken(customToken) {
     isNewUser: result.isNewUser
   };
 }
+async function createSessionCookie(idToken, options) {
+  if (!idToken || typeof idToken !== "string") {
+    throw new Error("idToken must be a non-empty string");
+  }
+  if (!options.expiresIn || typeof options.expiresIn !== "number") {
+    throw new Error("expiresIn must be a number");
+  }
+  const MIN_DURATION = 5 * 60 * 1e3;
+  const MAX_DURATION = 14 * 24 * 60 * 60 * 1e3;
+  if (options.expiresIn < MIN_DURATION) {
+    throw new Error(`expiresIn must be at least ${MIN_DURATION}ms (5 minutes)`);
+  }
+  if (options.expiresIn > MAX_DURATION) {
+    throw new Error(`expiresIn must be at most ${MAX_DURATION}ms (14 days)`);
+  }
+  const { getAdminAccessToken: getAdminAccessToken2 } = await Promise.resolve().then(() => (init_token_generation(), token_generation_exports));
+  const accessToken = await getAdminAccessToken2();
+  const projectId = getProjectId();
+  const url = `https://identitytoolkit.googleapis.com/v1/projects/${projectId}:createSessionCookie`;
+  const validDurationSeconds = Math.floor(options.expiresIn / 1e3);
+  const response = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Authorization": `Bearer ${accessToken}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      idToken,
+      validDuration: validDurationSeconds.toString()
+      // Must be string per API spec
+    })
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    let errorMessage = `Failed to create session cookie: ${response.status}`;
+    try {
+      const errorJson = JSON.parse(errorText);
+      if (errorJson.error && errorJson.error.message) {
+        errorMessage += ` - ${errorJson.error.message}`;
+      }
+    } catch {
+      errorMessage += ` - ${errorText}`;
+    }
+    throw new Error(errorMessage);
+  }
+  const result = await response.json();
+  return result.sessionCookie;
+}
+async function verifySessionCookie(sessionCookie, checkRevoked = false) {
+  if (!sessionCookie || typeof sessionCookie !== "string") {
+    throw new Error("sessionCookie must be a non-empty string");
+  }
+  try {
+    const parts = sessionCookie.split(".");
+    if (parts.length !== 3) {
+      throw new Error("Invalid session cookie format");
+    }
+    const [headerB64, payloadB64] = parts;
+    const headerJson = atob(headerB64.replace(/-/g, "+").replace(/_/g, "/"));
+    const header = JSON.parse(headerJson);
+    const payloadJson = atob(payloadB64.replace(/-/g, "+").replace(/_/g, "/"));
+    const payload = JSON.parse(payloadJson);
+    const projectId = getProjectId();
+    const now = Math.floor(Date.now() / 1e3);
+    if (!payload.exp || payload.exp < now) {
+      throw new Error("Session cookie has expired");
+    }
+    if (!payload.iat || payload.iat > now) {
+      throw new Error("Session cookie issued in the future");
+    }
+    if (payload.aud !== projectId) {
+      throw new Error(`Session cookie has incorrect audience. Expected ${projectId}, got ${payload.aud}`);
+    }
+    const expectedIssuer = `https://session.firebase.google.com/${projectId}`;
+    if (payload.iss !== expectedIssuer) {
+      throw new Error(`Session cookie has incorrect issuer. Expected ${expectedIssuer}, got ${payload.iss}`);
+    }
+    if (!payload.sub || typeof payload.sub !== "string" || payload.sub.length === 0) {
+      throw new Error("Session cookie has no subject (user ID)");
+    }
+    await verifySessionCookieSignature(sessionCookie, header, payload);
+    if (checkRevoked) {
+    }
+    return {
+      uid: payload.sub,
+      aud: payload.aud,
+      auth_time: payload.auth_time,
+      exp: payload.exp,
+      iat: payload.iat,
+      iss: payload.iss,
+      sub: payload.sub,
+      email: payload.email,
+      email_verified: payload.email_verified,
+      firebase: payload.firebase,
+      ...payload
+    };
+  } catch (error) {
+    throw new Error(`Failed to verify session cookie: ${error.message}`);
+  }
+}
+async function verifySessionCookieSignature(jwt, header, payload) {
+  const keys = await fetchPublicKeys(payload.iss);
+  const kid = header.kid;
+  if (!kid || !keys[kid]) {
+    throw new Error("Session cookie has invalid key ID");
+  }
+  const publicKeyPem = keys[kid];
+  const publicKey = await importPublicKeyFromX509(publicKeyPem);
+  const [headerAndPayload, signature] = [
+    jwt.split(".").slice(0, 2).join("."),
+    jwt.split(".")[2]
+  ];
+  const encoder = new TextEncoder();
+  const data = encoder.encode(headerAndPayload);
+  const signatureBase64 = signature.replace(/-/g, "+").replace(/_/g, "/");
+  const signatureBinary = atob(signatureBase64);
+  const signatureBytes = new Uint8Array(signatureBinary.length);
+  for (let i = 0; i < signatureBinary.length; i++) {
+    signatureBytes[i] = signatureBinary.charCodeAt(i);
+  }
+  const isValid = await crypto.subtle.verify(
+    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+    publicKey,
+    signatureBytes,
+    data
+  );
+  if (!isValid) {
+    throw new Error("Session cookie signature verification failed");
+  }
+}
 function getAuth() {
   return {
     verifyIdToken
@@ -730,77 +992,9 @@ function removeFieldTransforms(data) {
   return result;
 }
-// src/token-generation.ts
-function base64UrlEncode2(str) {
-  return btoa(str).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-function base64UrlEncodeBuffer(buffer) {
-  return btoa(String.fromCharCode(...buffer)).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-async function createJWT(serviceAccount) {
-  const now = Math.floor(Date.now() / 1e3);
-  const expiry = now + 3600;
-  const header = {
-    alg: "RS256",
-    typ: "JWT"
-  };
-  const payload = {
-    iss: serviceAccount.client_email,
-    sub: serviceAccount.client_email,
-    aud: serviceAccount.token_uri,
-    iat: now,
-    exp: expiry,
-    scope: "https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/datastore https://www.googleapis.com/auth/firebase"
-  };
-  const encodedHeader = base64UrlEncode2(JSON.stringify(header));
-  const encodedPayload = base64UrlEncode2(JSON.stringify(payload));
-  const unsignedToken = `${encodedHeader}.${encodedPayload}`;
-  const pemContents = serviceAccount.private_key.replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "").replace(/\s/g, "");
-  const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
-  const cryptoKey = await crypto.subtle.importKey(
-    "pkcs8",
-    binaryDer,
-    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
-    false,
-    ["sign"]
-  );
-  const signature = await crypto.subtle.sign(
-    "RSASSA-PKCS1-v1_5",
-    cryptoKey,
-    new TextEncoder().encode(unsignedToken)
-  );
-  const encodedSignature = base64UrlEncodeBuffer(new Uint8Array(signature));
-  return `${unsignedToken}.${encodedSignature}`;
-}
-var cachedAccessToken = null;
-var tokenExpiry = 0;
-async function getAdminAccessToken() {
-  if (cachedAccessToken && Date.now() < tokenExpiry) {
-    return cachedAccessToken;
-  }
-  const serviceAccount = getServiceAccount();
-  const jwt = await createJWT(serviceAccount);
-  const response = await fetch(serviceAccount.token_uri, {
-    method: "POST",
-    headers: { "Content-Type": "application/x-www-form-urlencoded" },
-    body: new URLSearchParams({
-      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
-      assertion: jwt
-    })
-  });
-  if (!response.ok) {
-    const errorText = await response.text();
-    throw new Error(`Failed to get access token: ${errorText}`);
-  }
-  const data = await response.json();
-  cachedAccessToken = data.access_token;
-  tokenExpiry = Date.now() + data.expires_in * 1e3 - 6e4;
-  return cachedAccessToken;
-}
-function clearTokenCache() {
-  cachedAccessToken = null;
-  tokenExpiry = 0;
-}
+// src/firestore/operations.ts
+init_token_generation();
+init_service_account();
 // src/firestore/path-validation.ts
 function validateCollectionPath(argumentName, collectionPath) {
@@ -1172,6 +1366,8 @@ async function countDocuments(collectionPath, options) {
 }
 // src/storage/client.ts
+init_token_generation();
+init_config();
 var STORAGE_API_BASE = "https://storage.googleapis.com/storage/v1";
 var UPLOAD_API_BASE = "https://storage.googleapis.com/upload/storage/v1";
 function getDefaultBucket() {
@@ -1366,6 +1562,7 @@ async function fileExists(path) {
 }
 // src/storage/signed-urls.ts
+init_config();
 function getStorageBucket() {
   const customBucket = process.env.FIREBASE_STORAGE_BUCKET;
   if (customBucket) {
@@ -1487,6 +1684,8 @@ UNSIGNED-PAYLOAD`;
 }
 // src/storage/resumable-upload.ts
+init_token_generation();
+init_config();
 var UPLOAD_API_BASE2 = "https://storage.googleapis.com/upload/storage/v1";
 function getDefaultBucket2() {
   const customBucket = process.env.FIREBASE_STORAGE_BUCKET;
@@ -1683,6 +1882,10 @@ async function uploadFromStream(bucket, path, stream, contentType, chunkSize, op
     reader.releaseLock();
   }
 }
+// src/index.ts
+init_token_generation();
+init_service_account();
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   FieldValue,
@@ -1692,6 +1895,7 @@ async function uploadFromStream(bucket, path, stream, contentType, chunkSize, op
   clearTokenCache,
   countDocuments,
   createCustomToken,
+  createSessionCookie,
   deleteDocument,
   deleteFile,
   downloadFile,
@@ -1715,5 +1919,6 @@ async function uploadFromStream(bucket, path, stream, contentType, chunkSize, op
   updateDocument,
   uploadFile,
   uploadFileResumable,
-  verifyIdToken
+  verifyIdToken,
+  verifySessionCookie
 });