@prmichaelsen/firebase-admin-sdk-v8 2.3.1 → 2.4.2

package/dist/index.mjs

@@ -1,81 +1,13 @@
-// src/config.ts
-var globalConfig = {};
-function initializeApp(config) {
-  globalConfig = { ...config };
-}
-function getConfig() {
-  return globalConfig;
-}
-function clearConfig() {
-  globalConfig = {};
-}
-function getServiceAccount() {
-  if (globalConfig.serviceAccount) {
-    if (typeof globalConfig.serviceAccount === "string") {
-      return JSON.parse(globalConfig.serviceAccount);
-    }
-    return globalConfig.serviceAccount;
-  }
-  const key = typeof process !== "undefined" && process.env?.FIREBASE_ADMIN_SERVICE_ACCOUNT_KEY;
-  if (!key) {
-    throw new Error(
-      "Firebase service account not configured. Either call initializeApp({ serviceAccount: ... }) or set FIREBASE_ADMIN_SERVICE_ACCOUNT_KEY environment variable."
-    );
-  }
-  try {
-    const serviceAccount = JSON.parse(key);
-    const requiredFields = [
-      "type",
-      "project_id",
-      "private_key_id",
-      "private_key",
-      "client_email",
-      "client_id",
-      "token_uri"
-    ];
-    for (const field of requiredFields) {
-      if (!(field in serviceAccount)) {
-        throw new Error(`Service account is missing required field: ${field}`);
-      }
-    }
-    return serviceAccount;
-  } catch (error) {
-    if (error instanceof SyntaxError) {
-      throw new Error(
-        "Failed to parse FIREBASE_ADMIN_SERVICE_ACCOUNT_KEY. Ensure it contains valid JSON."
-      );
-    }
-    throw error;
-  }
-}
-function getProjectId() {
-  if (globalConfig.projectId) {
-    return globalConfig.projectId;
-  }
-  if (typeof process !== "undefined" && process.env) {
-    const projectId = process.env.FIREBASE_PROJECT_ID || process.env.PUBLIC_FIREBASE_PROJECT_ID;
-    if (projectId) {
-      return projectId;
-    }
-  }
-  throw new Error(
-    "Firebase project ID not configured. Either call initializeApp({ projectId: ... }) or set FIREBASE_PROJECT_ID environment variable."
-  );
-}
-function getFirebaseApiKey() {
-  if (globalConfig.apiKey) {
-    return globalConfig.apiKey;
-  }
-  if (typeof process !== "undefined" && process.env) {
-    const apiKey = process.env.FIREBASE_API_KEY || process.env.PUBLIC_FIREBASE_API_KEY;
-    if (apiKey) {
-      return apiKey;
-    }
-  }
-  throw new Error(
-    "Firebase API key not configured. Either call initializeApp({ apiKey: ... }) or set FIREBASE_API_KEY environment variable. Find your API key in Firebase Console > Project Settings > Web API Key."
-  );
-}
+import {
+  clearConfig,
+  clearTokenCache,
+  getAdminAccessToken,
+  getConfig,
+  getFirebaseApiKey,
+  getProjectId,
+  getServiceAccount,
+  initializeApp
+} from "./chunk-5X465GLA.mjs";
 
 // src/x509.ts
 function decodeBase64(str) {
@@ -166,23 +98,41 @@ async function importPublicKeyFromX509(pem) {
 }
 
 // src/auth.ts
-var publicKeysCache = null;
-var publicKeysCacheExpiry = 0;
+var idTokenKeysCache = null;
+var idTokenKeysCacheExpiry = 0;
+var sessionKeysCache = null;
+var sessionKeysCacheExpiry = 0;
 async function fetchPublicKeys(issuer) {
-  let endpoint = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
-  if (issuer && issuer.includes("session.firebase.google.com")) {
+  const isSessionCookie = issuer && issuer.includes("session.firebase.google.com");
+  let endpoint;
+  let cache;
+  let cacheExpiry;
+  if (isSessionCookie) {
     endpoint = "https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys";
+    cache = sessionKeysCache;
+    cacheExpiry = sessionKeysCacheExpiry;
+  } else {
+    endpoint = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
+    cache = idTokenKeysCache;
+    cacheExpiry = idTokenKeysCacheExpiry;
   }
-  if (publicKeysCache && Date.now() < publicKeysCacheExpiry) {
-    return publicKeysCache;
+  if (cache && Date.now() < cacheExpiry) {
+    return cache;
   }
   const response = await fetch(endpoint);
   if (!response.ok) {
     throw new Error(`Failed to fetch Firebase public keys from ${endpoint}`);
   }
-  publicKeysCache = await response.json();
-  publicKeysCacheExpiry = Date.now() + 36e5;
-  return publicKeysCache;
+  const keys = await response.json();
+  const newExpiry = Date.now() + 36e5;
+  if (isSessionCookie) {
+    sessionKeysCache = keys;
+    sessionKeysCacheExpiry = newExpiry;
+  } else {
+    idTokenKeysCache = keys;
+    idTokenKeysCacheExpiry = newExpiry;
+  }
+  return keys;
 }
 function base64UrlDecode(str) {
   let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
@@ -257,8 +207,14 @@ async function verifyIdToken(idToken) {
     let publicKeys = await fetchPublicKeys(payload.iss);
     let publicKeyPem = publicKeys[header.kid];
     if (!publicKeyPem) {
-      publicKeysCache = null;
-      publicKeysCacheExpiry = 0;
+      const isSessionCookie = payload.iss && payload.iss.includes("session.firebase.google.com");
+      if (isSessionCookie) {
+        sessionKeysCache = null;
+        sessionKeysCacheExpiry = 0;
+      } else {
+        idTokenKeysCache = null;
+        idTokenKeysCacheExpiry = 0;
+      }
       publicKeys = await fetchPublicKeys(payload.iss);
       publicKeyPem = publicKeys[header.kid];
       if (!publicKeyPem) {
@@ -392,6 +348,136 @@ async function signInWithCustomToken(customToken) {
     isNewUser: result.isNewUser
   };
 }
+async function createSessionCookie(idToken, options) {
+  if (!idToken || typeof idToken !== "string") {
+    throw new Error("idToken must be a non-empty string");
+  }
+  if (!options.expiresIn || typeof options.expiresIn !== "number") {
+    throw new Error("expiresIn must be a number");
+  }
+  const MIN_DURATION = 5 * 60 * 1e3;
+  const MAX_DURATION = 14 * 24 * 60 * 60 * 1e3;
+  if (options.expiresIn < MIN_DURATION) {
+    throw new Error(`expiresIn must be at least ${MIN_DURATION}ms (5 minutes)`);
+  }
+  if (options.expiresIn > MAX_DURATION) {
+    throw new Error(`expiresIn must be at most ${MAX_DURATION}ms (14 days)`);
+  }
+  const { getAdminAccessToken: getAdminAccessToken2 } = await import("./token-generation-5K7K6T6U.mjs");
+  const accessToken = await getAdminAccessToken2();
+  const projectId = getProjectId();
+  const url = `https://identitytoolkit.googleapis.com/v1/projects/${projectId}:createSessionCookie`;
+  const validDurationSeconds = Math.floor(options.expiresIn / 1e3);
+  const response = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Authorization": `Bearer ${accessToken}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      idToken,
+      validDuration: validDurationSeconds.toString()
+      // Must be string per API spec
+    })
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    let errorMessage = `Failed to create session cookie: ${response.status}`;
+    try {
+      const errorJson = JSON.parse(errorText);
+      if (errorJson.error && errorJson.error.message) {
+        errorMessage += ` - ${errorJson.error.message}`;
+      }
+    } catch {
+      errorMessage += ` - ${errorText}`;
+    }
+    throw new Error(errorMessage);
+  }
+  const result = await response.json();
+  return result.sessionCookie;
+}
+async function verifySessionCookie(sessionCookie, checkRevoked = false) {
+  if (!sessionCookie || typeof sessionCookie !== "string") {
+    throw new Error("sessionCookie must be a non-empty string");
+  }
+  try {
+    const parts = sessionCookie.split(".");
+    if (parts.length !== 3) {
+      throw new Error("Invalid session cookie format");
+    }
+    const [headerB64, payloadB64] = parts;
+    const headerJson = atob(headerB64.replace(/-/g, "+").replace(/_/g, "/"));
+    const header = JSON.parse(headerJson);
+    const payloadJson = atob(payloadB64.replace(/-/g, "+").replace(/_/g, "/"));
+    const payload = JSON.parse(payloadJson);
+    const projectId = getProjectId();
+    const now = Math.floor(Date.now() / 1e3);
+    if (!payload.exp || payload.exp < now) {
+      throw new Error("Session cookie has expired");
+    }
+    if (!payload.iat || payload.iat > now) {
+      throw new Error("Session cookie issued in the future");
+    }
+    if (payload.aud !== projectId) {
+      throw new Error(`Session cookie has incorrect audience. Expected ${projectId}, got ${payload.aud}`);
+    }
+    const expectedIssuer = `https://session.firebase.google.com/${projectId}`;
+    if (payload.iss !== expectedIssuer) {
+      throw new Error(`Session cookie has incorrect issuer. Expected ${expectedIssuer}, got ${payload.iss}`);
+    }
+    if (!payload.sub || typeof payload.sub !== "string" || payload.sub.length === 0) {
+      throw new Error("Session cookie has no subject (user ID)");
+    }
+    await verifySessionCookieSignature(sessionCookie, header, payload);
+    if (checkRevoked) {
+    }
+    return {
+      uid: payload.sub,
+      aud: payload.aud,
+      auth_time: payload.auth_time,
+      exp: payload.exp,
+      iat: payload.iat,
+      iss: payload.iss,
+      sub: payload.sub,
+      email: payload.email,
+      email_verified: payload.email_verified,
+      firebase: payload.firebase,
+      ...payload
+    };
+  } catch (error) {
+    throw new Error(`Failed to verify session cookie: ${error.message}`);
+  }
+}
+async function verifySessionCookieSignature(jwt, header, payload) {
+  const keys = await fetchPublicKeys(payload.iss);
+  const kid = header.kid;
+  if (!kid || !keys[kid]) {
+    throw new Error("Session cookie has invalid key ID");
+  }
+  const publicKeyPem = keys[kid];
+  const publicKey = await importPublicKeyFromX509(publicKeyPem);
+  const [headerAndPayload, signature] = [
+    jwt.split(".").slice(0, 2).join("."),
+    jwt.split(".")[2]
+  ];
+  const encoder = new TextEncoder();
+  const data = encoder.encode(headerAndPayload);
+  const signatureBase64 = signature.replace(/-/g, "+").replace(/_/g, "/");
+  const signatureBinary = atob(signatureBase64);
+  const signatureBytes = new Uint8Array(signatureBinary.length);
+  for (let i = 0; i < signatureBinary.length; i++) {
+    signatureBytes[i] = signatureBinary.charCodeAt(i);
+  }
+  const isValid = await crypto.subtle.verify(
+    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+    publicKey,
+    signatureBytes,
+    data
+  );
+  if (!isValid) {
+    throw new Error("Session cookie signature verification failed");
+  }
+}
 function getAuth() {
   return {
     verifyIdToken
@@ -674,78 +760,6 @@ function removeFieldTransforms(data) {
   return result;
 }
 
-// src/token-generation.ts
-function base64UrlEncode2(str) {
-  return btoa(str).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-function base64UrlEncodeBuffer(buffer) {
-  return btoa(String.fromCharCode(...buffer)).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-async function createJWT(serviceAccount) {
-  const now = Math.floor(Date.now() / 1e3);
-  const expiry = now + 3600;
-  const header = {
-    alg: "RS256",
-    typ: "JWT"
-  };
-  const payload = {
-    iss: serviceAccount.client_email,
-    sub: serviceAccount.client_email,
-    aud: serviceAccount.token_uri,
-    iat: now,
-    exp: expiry,
-    scope: "https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/datastore https://www.googleapis.com/auth/firebase"
-  };
-  const encodedHeader = base64UrlEncode2(JSON.stringify(header));
-  const encodedPayload = base64UrlEncode2(JSON.stringify(payload));
-  const unsignedToken = `${encodedHeader}.${encodedPayload}`;
-  const pemContents = serviceAccount.private_key.replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "").replace(/\s/g, "");
-  const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
-  const cryptoKey = await crypto.subtle.importKey(
-    "pkcs8",
-    binaryDer,
-    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
-    false,
-    ["sign"]
-  );
-  const signature = await crypto.subtle.sign(
-    "RSASSA-PKCS1-v1_5",
-    cryptoKey,
-    new TextEncoder().encode(unsignedToken)
-  );
-  const encodedSignature = base64UrlEncodeBuffer(new Uint8Array(signature));
-  return `${unsignedToken}.${encodedSignature}`;
-}
-var cachedAccessToken = null;
-var tokenExpiry = 0;
-async function getAdminAccessToken() {
-  if (cachedAccessToken && Date.now() < tokenExpiry) {
-    return cachedAccessToken;
-  }
-  const serviceAccount = getServiceAccount();
-  const jwt = await createJWT(serviceAccount);
-  const response = await fetch(serviceAccount.token_uri, {
-    method: "POST",
-    headers: { "Content-Type": "application/x-www-form-urlencoded" },
-    body: new URLSearchParams({
-      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
-      assertion: jwt
-    })
-  });
-  if (!response.ok) {
-    const errorText = await response.text();
-    throw new Error(`Failed to get access token: ${errorText}`);
-  }
-  const data = await response.json();
-  cachedAccessToken = data.access_token;
-  tokenExpiry = Date.now() + data.expires_in * 1e3 - 6e4;
-  return cachedAccessToken;
-}
-function clearTokenCache() {
-  cachedAccessToken = null;
-  tokenExpiry = 0;
-}
-
 // src/firestore/path-validation.ts
 function validateCollectionPath(argumentName, collectionPath) {
   const segments = collectionPath.split("/").filter((s) => s.length > 0);
@@ -1635,6 +1649,7 @@ export {
   clearTokenCache,
   countDocuments,
   createCustomToken,
+  createSessionCookie,
   deleteDocument,
   deleteFile,
   downloadFile,
@@ -1658,5 +1673,6 @@ export {
   updateDocument,
   uploadFile,
   uploadFileResumable,
-  verifyIdToken
+  verifyIdToken,
+  verifySessionCookie
 };

package/dist/token-generation-5K7K6T6U.mjs

@@ -0,0 +1,8 @@
+import {
+  clearTokenCache,
+  getAdminAccessToken
+} from "./chunk-5X465GLA.mjs";
+export {
+  clearTokenCache,
+  getAdminAccessToken
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prmichaelsen/firebase-admin-sdk-v8",
-  "version": "2.3.1",
+  "version": "2.4.2",
   "description": "Firebase Admin SDK for Cloudflare Workers and edge runtimes using REST APIs",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
@@ -26,8 +26,8 @@
     "typecheck": "tsc --noEmit",
     "test": "jest",
     "test:watch": "jest --watch",
-    "test:e2e": "jest --config jest.e2e.config.js",
-    "test:e2e:watch": "jest --config jest.e2e.config.js --watch",
+    "test:e2e": "node --env-file=.env node_modules/.bin/jest --config jest.e2e.config.js",
+    "test:e2e:watch": "node --env-file=.env node_modules/.bin/jest --config jest.e2e.config.js --watch",
     "test:all": "npm test && npm run test:e2e",
     "prepublishOnly": "npm run build"
   },