@tern-secure/backend 1.1.5 → 1.1.7

package/dist/jwt/index.mjs

@@ -0,0 +1,139 @@
+import {
+  ternDecodeJwt
+} from "../chunk-WZYVAHZ3.mjs";
+
+// src/jwt/guardReturn.ts
+function createJwtGuard(decodedFn) {
+  return (...args) => {
+    const { data, errors } = decodedFn(...args);
+    if (errors) {
+      throw errors[0];
+    }
+    return data;
+  };
+}
+
+// src/jwt/jwt.ts
+import { createRemoteJWKSet, decodeJwt, jwtVerify } from "jose";
+var FIREBASE_ID_TOKEN_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
+var FIREBASE_SESSION_CERT_URL = "https://identitytoolkit.googleapis.com/v1/sessionCookiePublicKeys";
+var idTokenJWKS = null;
+var sessionJWKS = null;
+var getIdTokenJWKS = () => {
+  if (!idTokenJWKS) {
+    idTokenJWKS = createRemoteJWKSet(new URL(FIREBASE_ID_TOKEN_URL), {
+      cacheMaxAge: 36e5,
+      // 1 hour
+      timeoutDuration: 5e3,
+      // 5 seconds
+      cooldownDuration: 3e4
+      // 30 seconds between retries
+    });
+  }
+  return idTokenJWKS;
+};
+var getSessionJWKS = () => {
+  if (!sessionJWKS) {
+    sessionJWKS = createRemoteJWKSet(new URL(FIREBASE_SESSION_CERT_URL), {
+      cacheMaxAge: 36e5,
+      // 1 hour
+      timeoutDuration: 5e3,
+      // 5 seconds
+      cooldownDuration: 3e4
+      // 30 seconds between retries
+    });
+  }
+  return sessionJWKS;
+};
+async function verifyToken(token, isSessionCookie = false) {
+  try {
+    const projectId = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID;
+    if (!projectId) {
+      throw new Error("Firebase Project ID is not configured");
+    }
+    const { decoded } = decodeJwt(token);
+    if (!decoded) {
+      throw new Error("Invalid token format");
+    }
+    let retries = 3;
+    let lastError = null;
+    while (retries > 0) {
+      try {
+        const JWKS = isSessionCookie ? getSessionJWKS() : getIdTokenJWKS();
+        const { payload } = await jwtVerify(token, JWKS, {
+          issuer: isSessionCookie ? "https://session.firebase.google.com/" + projectId : "https://securetoken.google.com/" + projectId,
+          audience: projectId,
+          algorithms: ["RS256"]
+        });
+        const firebasePayload = payload;
+        const now = Math.floor(Date.now() / 1e3);
+        if (firebasePayload.exp <= now) {
+          throw new Error("Token has expired");
+        }
+        if (firebasePayload.iat > now) {
+          throw new Error("Token issued time is in the future");
+        }
+        if (!firebasePayload.sub) {
+          throw new Error("Token subject is empty");
+        }
+        if (firebasePayload.auth_time > now) {
+          throw new Error("Token auth time is in the future");
+        }
+        return {
+          valid: true,
+          uid: firebasePayload.sub,
+          sub: firebasePayload.sub,
+          email: firebasePayload.email,
+          email_verified: firebasePayload.email_verified,
+          auth_time: firebasePayload.auth_time,
+          iat: firebasePayload.iat,
+          exp: firebasePayload.exp,
+          aud: firebasePayload.aud,
+          iss: firebasePayload.iss,
+          firebase: firebasePayload.firebase,
+          phone_number: firebasePayload.phone_number,
+          picture: firebasePayload.picture
+        };
+      } catch (error) {
+        lastError = error;
+        if (error instanceof Error && error.name === "JWKSNoMatchingKey") {
+          console.warn(`JWKS retry attempt ${4 - retries}:`, error.message);
+          retries--;
+          if (retries > 0) {
+            await new Promise((resolve) => setTimeout(resolve, 1e3));
+            continue;
+          }
+        }
+        throw error;
+      }
+    }
+    throw lastError || new Error("Failed to verify token after retries");
+  } catch (error) {
+    console.error("Token verification details:", {
+      error: error instanceof Error ? {
+        name: error.name,
+        message: error.message,
+        stack: error.stack
+      } : error,
+      decoded: decodeJwt(token),
+      isSessionCookie
+    });
+    return {
+      valid: false,
+      error: {
+        success: false,
+        message: error instanceof Error ? error.message : "Invalid token",
+        code: "INVALID_TOKEN"
+      }
+    };
+  }
+}
+
+// src/jwt/index.ts
+var ternDecodeJwt2 = createJwtGuard(ternDecodeJwt);
+export {
+  ternDecodeJwt2 as ternDecodeJwt,
+  ternDecodeJwt as ternDecodeJwtUnguarded,
+  verifyToken
+};
+//# sourceMappingURL=index.mjs.map

package/dist/jwt/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/jwt/guardReturn.ts","../../src/jwt/jwt.ts","../../src/jwt/index.ts"],"sourcesContent":["import { type JwtReturnType } from \"./types\";\n\nexport function createJwtGuard<T extends (...args: any[]) => JwtReturnType<any, any>>(decodedFn: T) {\n  return (...args: Parameters<T>): NonNullable<Awaited<ReturnType<T>>['data']> | never => {\n    const { data, errors } = decodedFn(...args);\n\n    if (errors) {\n      throw errors[0];\n    }\n\n    return data;\n  };\n}\n","import type {\n  DecodedIdToken,\n  TernVerificationResult,\n} from \"@tern-secure/types\";\nimport { createRemoteJWKSet, decodeJwt,jwtVerify } from \"jose\";\n\n\nexport type FirebaseIdTokenPayload = DecodedIdToken;\n\n// Firebase public key endpoints\nconst FIREBASE_ID_TOKEN_URL =\n  \"https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com\";\nconst FIREBASE_SESSION_CERT_URL =\n  \"https://identitytoolkit.googleapis.com/v1/sessionCookiePublicKeys\";\n\n//const FIREBASE_NEW_SESSION_PK = \"https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys\"\n\n// Simple in-memory cache for JWKS\nlet idTokenJWKS: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet sessionJWKS: ReturnType<typeof createRemoteJWKSet> | null = null;\n\nconst getIdTokenJWKS = () => {\n  if (!idTokenJWKS) {\n    idTokenJWKS = createRemoteJWKSet(new URL(FIREBASE_ID_TOKEN_URL), {\n      cacheMaxAge: 3600000, // 1 hour\n      timeoutDuration: 5000, // 5 seconds\n      cooldownDuration: 30000, // 30 seconds between retries\n    });\n  }\n  return idTokenJWKS;\n};\n\nconst getSessionJWKS = () => {\n  if (!sessionJWKS) {\n    sessionJWKS = createRemoteJWKSet(new URL(FIREBASE_SESSION_CERT_URL), {\n      cacheMaxAge: 3600000, // 1 hour\n      timeoutDuration: 5000, // 5 seconds\n      cooldownDuration: 30000, // 30 seconds between retries\n    });\n  }\n  return sessionJWKS;\n};\n\n\n\nexport async function verifyToken(\n  token: string,\n  isSessionCookie = false\n): Promise<TernVerificationResult> {\n  try {\n    const projectId = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID;\n    if (!projectId) {\n      throw new Error(\"Firebase Project ID is not configured\");\n    }\n\n    const { decoded } = decodeJwt(token);\n    if (!decoded) {\n      throw new Error(\"Invalid token format\");\n    }\n\n    let retries = 3;\n    let lastError: Error | null = null;\n\n    while (retries > 0) {\n      try {\n        // Use different JWKS based on token type\n        const JWKS = isSessionCookie ? getSessionJWKS() : getIdTokenJWKS();\n\n        const { payload } = await jwtVerify(token, JWKS, {\n          issuer: isSessionCookie\n            ? \"https://session.firebase.google.com/\" + projectId\n            : \"https://securetoken.google.com/\" + projectId,\n          audience: projectId,\n          algorithms: [\"RS256\"],\n        });\n\n        const firebasePayload = payload as unknown as FirebaseIdTokenPayload;\n        const now = Math.floor(Date.now() / 1000);\n\n        // Verify token claims\n        if (firebasePayload.exp <= now) {\n          throw new Error(\"Token has expired\");\n        }\n\n        if (firebasePayload.iat > now) {\n          throw new Error(\"Token issued time is in the future\");\n        }\n\n        if (!firebasePayload.sub) {\n          throw new Error(\"Token subject is empty\");\n        }\n\n        if (firebasePayload.auth_time > now) {\n          throw new Error(\"Token auth time is in the future\");\n        }\n\n        return {\n          valid: true,\n          uid: firebasePayload.sub,\n          sub: firebasePayload.sub,\n          email: firebasePayload.email,\n          email_verified: firebasePayload.email_verified,\n          auth_time: firebasePayload.auth_time,\n          iat: firebasePayload.iat,\n          exp: firebasePayload.exp,\n          aud: firebasePayload.aud,\n          iss: firebasePayload.iss,\n          firebase: firebasePayload.firebase,\n          phone_number: firebasePayload.phone_number,\n          picture: firebasePayload.picture,\n        };\n      } catch (error) {\n        lastError = error as Error;\n        if (error instanceof Error && error.name === \"JWKSNoMatchingKey\") {\n          console.warn(`JWKS retry attempt ${4 - retries}:`, error.message);\n          retries--;\n          if (retries > 0) {\n            await new Promise((resolve) => setTimeout(resolve, 1000));\n            continue;\n          }\n        }\n        throw error;\n      }\n    }\n\n    throw lastError || new Error(\"Failed to verify token after retries\");\n  } catch (error) {\n    console.error(\"Token verification details:\", {\n      error:\n        error instanceof Error\n          ? {\n              name: error.name,\n              message: error.message,\n              stack: error.stack,\n            }\n          : error,\n      decoded: decodeJwt(token),\n      isSessionCookie,\n    });\n\n    return {\n      valid: false,\n      error: {\n        success: false,\n        message: error instanceof Error ? error.message : \"Invalid token\",\n        code: \"INVALID_TOKEN\",\n      },\n    };\n  }\n}\n","import { createJwtGuard } from './guardReturn';\nimport { ternDecodeJwt as _ternDecodeJwt } from './verifyJwt';\n\nexport const ternDecodeJwt = createJwtGuard(_ternDecodeJwt);\nexport { ternDecodeJwt as ternDecodeJwtUnguarded } from './verifyJwt';\n\nexport * from './jwt';"],"mappings":";;;;;AAEO,SAAS,eAAsE,WAAc;AAClG,SAAO,IAAI,SAA6E;AACtF,UAAM,EAAE,MAAM,OAAO,IAAI,UAAU,GAAG,IAAI;AAE1C,QAAI,QAAQ;AACV,YAAM,OAAO,CAAC;AAAA,IAChB;AAEA,WAAO;AAAA,EACT;AACF;;;ACRA,SAAS,oBAAoB,WAAU,iBAAiB;AAMxD,IAAM,wBACJ;AACF,IAAM,4BACJ;AAKF,IAAI,cAA4D;AAChE,IAAI,cAA4D;AAEhE,IAAM,iBAAiB,MAAM;AAC3B,MAAI,CAAC,aAAa;AAChB,kBAAc,mBAAmB,IAAI,IAAI,qBAAqB,GAAG;AAAA,MAC/D,aAAa;AAAA;AAAA,MACb,iBAAiB;AAAA;AAAA,MACjB,kBAAkB;AAAA;AAAA,IACpB,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAEA,IAAM,iBAAiB,MAAM;AAC3B,MAAI,CAAC,aAAa;AAChB,kBAAc,mBAAmB,IAAI,IAAI,yBAAyB,GAAG;AAAA,MACnE,aAAa;AAAA;AAAA,MACb,iBAAiB;AAAA;AAAA,MACjB,kBAAkB;AAAA;AAAA,IACpB,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAIA,eAAsB,YACpB,OACA,kBAAkB,OACe;AACjC,MAAI;AACF,UAAM,YAAY,QAAQ,IAAI;AAC9B,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,uCAAuC;AAAA,IACzD;AAEA,UAAM,EAAE,QAAQ,IAAI,UAAU,KAAK;AACnC,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,sBAAsB;AAAA,IACxC;AAEA,QAAI,UAAU;AACd,QAAI,YAA0B;AAE9B,WAAO,UAAU,GAAG;AAClB,UAAI;AAEF,cAAM,OAAO,kBAAkB,eAAe,IAAI,eAAe;AAEjE,cAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,MAAM;AAAA,UAC/C,QAAQ,kBACJ,yCAAyC,YACzC,oCAAoC;AAAA,UACxC,UAAU;AAAA,UACV,YAAY,CAAC,OAAO;AAAA,QACtB,CAAC;AAED,cAAM,kBAAkB;AACxB,cAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAGxC,YAAI,gBAAgB,OAAO,KAAK;AAC9B,gBAAM,IAAI,MAAM,mBAAmB;AAAA,QACrC;AAEA,YAAI,gBAAgB,MAAM,KAAK;AAC7B,gBAAM,IAAI,MAAM,oCAAoC;AAAA,QACtD;AAEA,YAAI,CAAC,gBAAgB,KAAK;AACxB,gBAAM,IAAI,MAAM,wBAAwB;AAAA,QAC1C;AAEA,YAAI,gBAAgB,YAAY,KAAK;AACnC,gBAAM,IAAI,MAAM,kCAAkC;AAAA,QACpD;AAEA,eAAO;AAAA,UACL,OAAO;AAAA,UACP,KAAK,gBAAgB;AAAA,UACrB,KAAK,gBAAgB;AAAA,UACrB,OAAO,gBAAgB;AAAA,UACvB,gBAAgB,gBAAgB;AAAA,UAChC,WAAW,gBAAgB;AAAA,UAC3B,KAAK,gBAAgB;AAAA,UACrB,KAAK,gBAAgB;AAAA,UACrB,KAAK,gBAAgB;AAAA,UACrB,KAAK,gBAAgB;AAAA,UACrB,UAAU,gBAAgB;AAAA,UAC1B,cAAc,gBAAgB;AAAA,UAC9B,SAAS,gBAAgB;AAAA,QAC3B;AAAA,MACF,SAAS,OAAO;AACd,oBAAY;AACZ,YAAI,iBAAiB,SAAS,MAAM,SAAS,qBAAqB;AAChE,kBAAQ,KAAK,sBAAsB,IAAI,OAAO,KAAK,MAAM,OAAO;AAChE;AACA,cAAI,UAAU,GAAG;AACf,kBAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,GAAI,CAAC;AACxD;AAAA,UACF;AAAA,QACF;AACA,cAAM;AAAA,MACR;AAAA,IACF;AAEA,UAAM,aAAa,IAAI,MAAM,sCAAsC;AAAA,EACrE,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B;AAAA,MAC3C,OACE,iBAAiB,QACb;AAAA,QACE,MAAM,MAAM;AAAA,QACZ,SAAS,MAAM;AAAA,QACf,OAAO,MAAM;AAAA,MACf,IACA;AAAA,MACN,SAAS,UAAU,KAAK;AAAA,MACxB;AAAA,IACF,CAAC;AAED,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,QACL,SAAS;AAAA,QACT,SAAS,iBAAiB,QAAQ,MAAM,UAAU;AAAA,QAClD,MAAM;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACF;;;AClJO,IAAMA,iBAAgB,eAAe,aAAc;","names":["ternDecodeJwt"]}

package/dist/jwt/jwt.d.ts

@@ -0,0 +1,4 @@
+import type { DecodedIdToken, TernVerificationResult } from "@tern-secure/types";
+export type FirebaseIdTokenPayload = DecodedIdToken;
+export declare function verifyToken(token: string, isSessionCookie?: boolean): Promise<TernVerificationResult>;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/jwt/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../src/jwt/jwt.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,cAAc,EACd,sBAAsB,EACvB,MAAM,oBAAoB,CAAC;AAI5B,MAAM,MAAM,sBAAsB,GAAG,cAAc,CAAC;AAsCpD,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EACb,eAAe,UAAQ,GACtB,OAAO,CAAC,sBAAsB,CAAC,CAqGjC"}

package/dist/jwt/signJwt.d.ts

@@ -0,0 +1,5 @@
+export interface SignJwtOptions {
+    algorithm?: string;
+    header?: Record<string, unknown>;
+}
+//# sourceMappingURL=signJwt.d.ts.map

package/dist/jwt/signJwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signJwt.d.ts","sourceRoot":"","sources":["../../src/jwt/signJwt.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,cAAc;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC"}

package/dist/jwt/types.d.ts

@@ -0,0 +1,8 @@
+export type JwtReturnType<R, E extends Error> = {
+    data: R;
+    errors?: undefined;
+} | {
+    data?: undefined;
+    errors: [E];
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/jwt/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/jwt/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,aAAa,CAAC,CAAC,EAAE,CAAC,SAAS,KAAK,IACxC;IACE,IAAI,EAAE,CAAC,CAAC;IACR,MAAM,CAAC,EAAE,SAAS,CAAC;CACpB,GACD;IACE,IAAI,CAAC,EAAE,SAAS,CAAC;IACjB,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC;CACb,CAAC"}

package/dist/jwt/verifyContent.d.ts

@@ -0,0 +1,7 @@
+export declare const verifyHeaderType: (typ?: unknown) => void;
+export declare const verifyHeaderKid: (kid?: unknown) => void;
+export declare const verifyHeaderAlgorithm: (alg: string) => void;
+export declare const verifySubClaim: (sub?: string) => void;
+export declare const verifyExpirationClaim: (exp: number | undefined, clockSkewInMs: number) => void;
+export declare const verifyIssuedAtClaim: (iat: number | undefined, clockSkewInMs: number) => void;
+//# sourceMappingURL=verifyContent.d.ts.map

package/dist/jwt/verifyContent.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyContent.d.ts","sourceRoot":"","sources":["../../src/jwt/verifyContent.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,gBAAgB,GAAI,MAAM,OAAO,SAW7C,CAAC;AAEF,eAAO,MAAM,eAAe,GAAI,MAAM,OAAO,SAW5C,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAAI,KAAK,MAAM,SAOhD,CAAC;AAEF,eAAO,MAAM,cAAc,GAAI,MAAM,MAAM,SAO1C,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAAI,KAAK,MAAM,GAAG,SAAS,EAAE,eAAe,MAAM,SAmBnF,CAAC;AAEF,eAAO,MAAM,mBAAmB,GAAI,KAAK,MAAM,GAAG,SAAS,EAAE,eAAe,MAAM,SAuBjF,CAAC"}

package/dist/jwt/verifyJwt.d.ts

@@ -0,0 +1,12 @@
+import type { DecodedIdToken, Jwt, JWTPayload } from '@tern-secure/types';
+import { TokenVerificationError } from '../utils/errors';
+import type { JwtReturnType } from './types';
+export type VerifyJwtOptions = {
+    audience?: string | string[];
+    clockSkewInMs?: number;
+    key: JsonWebKey | string;
+};
+export declare function verifySignature(jwt: Jwt, key: JsonWebKey | string): Promise<JwtReturnType<JWTPayload, Error>>;
+export declare function ternDecodeJwt(token: string): JwtReturnType<Jwt, TokenVerificationError>;
+export declare function verifyJwt(token: string, options: VerifyJwtOptions): Promise<JwtReturnType<DecodedIdToken, TokenVerificationError>>;
+//# sourceMappingURL=verifyJwt.d.ts.map

package/dist/jwt/verifyJwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyJwt.d.ts","sourceRoot":"","sources":["../../src/jwt/verifyJwt.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,GAAG,EAAC,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAOzE,OAAO,EAAE,sBAAsB,EAAgC,MAAM,iBAAiB,CAAC;AAIvF,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAU7C,MAAM,MAAM,gBAAgB,GAAG;IAC7B,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC7B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,GAAG,EAAE,UAAU,GAAG,MAAM,CAAC;CAC1B,CAAC;AAEF,wBAAsB,eAAe,CACnC,GAAG,EAAE,GAAG,EACR,GAAG,EAAE,UAAU,GAAG,MAAM,GACvB,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC,CAoB3C;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,aAAa,CAAC,GAAG,EAAE,sBAAsB,CAAC,CA2CvF;AAED,wBAAsB,SAAS,CAC7B,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,gBAAgB,GACxB,OAAO,CAAC,aAAa,CAAC,cAAc,EAAE,sBAAsB,CAAC,CAAC,CAmChE"}

package/dist/runtime/browser/crypto.mjs

@@ -0,0 +1 @@
+export const webcrypto = crypto;

package/dist/runtime/node/crypto.js

@@ -0,0 +1 @@
+module.exports.webcrypto = require('node:crypto').webcrypto;

package/dist/runtime/node/crypto.mjs

@@ -0,0 +1 @@
+export { webcrypto } from 'node:crypto';

package/dist/runtime.d.ts

@@ -0,0 +1,26 @@
+/**
+ * This file exports APIs that vary across runtimes (i.e. Node & Browser - V8 isolates)
+ * as a singleton object.
+ *
+ * Runtime polyfills are written in VanillaJS for now to avoid TS complication. Moreover,
+ * due to this issue https://github.com/microsoft/TypeScript/issues/44848, there is not a good way
+ * to tell Typescript which conditional import to use during build type.
+ *
+ * The Runtime type definition ensures type safety for now.
+ * Runtime js modules are copied into dist folder with bash script.
+ *
+ * TODO: Support TS runtime modules
+ */
+type Runtime = {
+    crypto: Crypto;
+    fetch: typeof globalThis.fetch;
+    AbortController: typeof globalThis.AbortController;
+    Blob: typeof globalThis.Blob;
+    FormData: typeof globalThis.FormData;
+    Headers: typeof globalThis.Headers;
+    Request: typeof globalThis.Request;
+    Response: typeof globalThis.Response;
+};
+export declare const runtime: Runtime;
+export {};
+//# sourceMappingURL=runtime.d.ts.map

package/dist/runtime.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime.d.ts","sourceRoot":"","sources":["../src/runtime.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAKH,KAAK,OAAO,GAAG;IACb,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;IAC/B,eAAe,EAAE,OAAO,UAAU,CAAC,eAAe,CAAC;IACnD,IAAI,EAAE,OAAO,UAAU,CAAC,IAAI,CAAC;IAC7B,QAAQ,EAAE,OAAO,UAAU,CAAC,QAAQ,CAAC;IACrC,OAAO,EAAE,OAAO,UAAU,CAAC,OAAO,CAAC;IACnC,OAAO,EAAE,OAAO,UAAU,CAAC,OAAO,CAAC;IACnC,QAAQ,EAAE,OAAO,UAAU,CAAC,QAAQ,CAAC;CACtC,CAAC;AAUF,eAAO,MAAM,OAAO,EAAE,OAYrB,CAAC"}

package/dist/ternsecureauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ternsecureauth.d.ts","sourceRoot":"","sources":["../src/ternsecureauth.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,qBAAa,sBAAsB;IAC/B,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAgC;WAEzC,mBAAmB,IAAI,sBAAsB;IAO3D,MAAM,CAAC,aAAa;CAIvB"}

package/dist/tokens/authstate.d.ts

@@ -0,0 +1,61 @@
+import type { CheckAuthorizationFromSessionClaims, DecodedIdToken } from '@tern-secure/types';
+import type { JWTPayload } from 'jose';
+import type { TokenVerificationErrorReason } from '../utils/errors';
+import type { TernSecureRequest } from './ternSecureRequest';
+export declare const AuthStatus: {
+    readonly SignedIn: "signed-in";
+    readonly SignedOut: "signed-out";
+};
+export type AuthStatus = (typeof AuthStatus)[keyof typeof AuthStatus];
+export declare const AuthErrorReason: {
+    readonly SessionTokenAndUATMissing: "session-token-and-uat-missing";
+    readonly SessionTokenMissing: "session-token-missing";
+    readonly SessionTokenExpired: "session-token-expired";
+    readonly SessionTokenIATBeforeClientUAT: "session-token-iat-before-client-uat";
+    readonly SessionTokenNBF: "session-token-nbf";
+    readonly SessionTokenIatInTheFuture: "session-token-iat-in-the-future";
+    readonly ActiveOrganizationMismatch: "active-organization-mismatch";
+    readonly UnexpectedError: "unexpected-error";
+};
+export type AuthErrorReason = (typeof AuthErrorReason)[keyof typeof AuthErrorReason];
+export type AuthReason = AuthErrorReason | TokenVerificationErrorReason;
+export type SignedInAuthObject = {
+    sessionClaims: DecodedIdToken;
+    userId: string;
+    token: string;
+    require: CheckAuthorizationFromSessionClaims;
+    error: string | null;
+};
+export type SignedOutAuthObject = {
+    sessionClaims: null;
+    userId: null;
+    require: CheckAuthorizationFromSessionClaims;
+    error: string | null;
+};
+export type SignedInState = {
+    status: typeof AuthStatus.SignedIn;
+    reason: null;
+    isSignedIn: true;
+    auth: () => SignedInAuthObject;
+    token: string;
+    headers: Headers;
+};
+export type SignedOutState = {
+    status: typeof AuthStatus.SignedOut;
+    reason: string;
+    isSignedIn: false;
+    auth: () => SignedOutAuthObject;
+    token: null;
+    headers: Headers;
+};
+export type RequestState = SignedInState | SignedOutState;
+export interface BackendInstance {
+    ternSecureRequest: TernSecureRequest;
+    requestState: RequestState;
+}
+export type AuthObject = SignedInAuthObject | SignedOutAuthObject;
+export declare function signedInAuthObject(sessionToken: string, sessionClaims: JWTPayload): SignedInAuthObject;
+export declare function signedOutAuthObject(): SignedOutAuthObject;
+export declare function signedIn(sessionClaims: JWTPayload, headers: Headers | undefined, token: string): SignedInState;
+export declare function signedOut(reason: AuthReason, headers?: Headers): SignedOutState;
+//# sourceMappingURL=authstate.d.ts.map

package/dist/tokens/authstate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authstate.d.ts","sourceRoot":"","sources":["../../src/tokens/authstate.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mCAAmC,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAC9F,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAGvC,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,iBAAiB,CAAC;AAEpE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAE7D,eAAO,MAAM,UAAU;;;CAGb,CAAC;AAEX,MAAM,MAAM,UAAU,GAAG,CAAC,OAAO,UAAU,CAAC,CAAC,MAAM,OAAO,UAAU,CAAC,CAAC;AAEtE,eAAO,MAAM,eAAe;;;;;;;;;CASlB,CAAC;AAEX,MAAM,MAAM,eAAe,GAAG,CAAC,OAAO,eAAe,CAAC,CAAC,MAAM,OAAO,eAAe,CAAC,CAAC;AAErF,MAAM,MAAM,UAAU,GAAG,eAAe,GAAG,4BAA4B,CAAC;AAExE,MAAM,MAAM,kBAAkB,GAAG;IAC/B,aAAa,EAAE,cAAc,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,mCAAmC,CAAC;IAC7C,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,aAAa,EAAE,IAAI,CAAC;IACpB,MAAM,EAAE,IAAI,CAAC;IACb,OAAO,EAAE,mCAAmC,CAAC;IAC7C,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,OAAO,UAAU,CAAC,QAAQ,CAAC;IACnC,MAAM,EAAE,IAAI,CAAC;IACb,UAAU,EAAE,IAAI,CAAC;IACjB,IAAI,EAAE,MAAM,kBAAkB,CAAC;IAC/B,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,OAAO,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,MAAM,EAAE,OAAO,UAAU,CAAC,SAAS,CAAC;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,KAAK,CAAC;IAClB,IAAI,EAAE,MAAM,mBAAmB,CAAC;IAChC,KAAK,EAAE,IAAI,CAAC;IACZ,OAAO,EAAE,OAAO,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG,aAAa,GAAG,cAAc,CAAC;AAE1D,MAAM,WAAW,eAAe;IAC9B,iBAAiB,EAAE,iBAAiB,CAAC;IACrC,YAAY,EAAE,YAAY,CAAC;CAC5B;AAED,MAAM,MAAM,UAAU,GAAG,kBAAkB,GAAG,mBAAmB,CAAC;AAmClE,wBAAgB,kBAAkB,CAChC,YAAY,EAAE,MAAM,EACpB,aAAa,EAAE,UAAU,GACxB,kBAAkB,CAWpB;AAED,wBAAgB,mBAAmB,IAAI,mBAAmB,CAOzD;AAED,wBAAgB,QAAQ,CACtB,aAAa,EAAE,UAAU,EACzB,OAAO,EAAE,OAAO,YAAgB,EAChC,KAAK,EAAE,MAAM,GACZ,aAAa,CAUf;AAED,wBAAgB,SAAS,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,GAAE,OAAuB,GAAG,cAAc,CAS9F"}

package/dist/tokens/keys.d.ts

@@ -0,0 +1,16 @@
+import { type RemoteJWKSetOptions } from 'jose';
+export type PublicKeys = {
+    [key: string]: string;
+};
+export type LoadJWKFromRemoteOptions = RemoteJWKSetOptions & {
+    kid: string;
+    keyURL?: string;
+    skipJwksCache?: boolean;
+};
+export declare function loadJWKFromRemote({ keyURL, skipJwksCache, kid, }: LoadJWKFromRemoteOptions): Promise<string>;
+export declare const getCacheStats: () => {
+    localExpiry: number;
+    googleExpiry: number;
+    cacheCount: number;
+};
+//# sourceMappingURL=keys.d.ts.map

package/dist/tokens/keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../../src/tokens/keys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,MAAM,CAAC;AAUhD,MAAM,MAAM,UAAU,GAAG;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAAE,CAAC;AAOnD,MAAM,MAAM,wBAAwB,GAAG,mBAAmB,GAAG;IAC3D,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB,CAAC;AAwCF,wBAAsB,iBAAiB,CAAC,EACtC,MAAuC,EACvC,aAAa,EACb,GAAG,GACJ,EAAE,wBAAwB,GAAG,OAAO,CAAC,MAAM,CAAC,CA2B5C;AAiCD,eAAO,MAAM,aAAa;;;;CAIxB,CAAC"}

package/dist/tokens/request.d.ts

@@ -0,0 +1,16 @@
+import type { ApiClient } from '../api';
+import { type buildTimeOptions, type RuntimeOptions } from '../utils/options';
+import type { RequestState } from './authstate';
+import type { RequestOptions } from './types';
+export declare function authenticateRequest(request: Request, options: RequestOptions): Promise<RequestState>;
+/**
+ * @internal
+ */
+export type CreateAuthenticateRequestOptions = {
+    options: buildTimeOptions;
+    apiClient: ApiClient;
+};
+export declare function createAuthenticateRequest(params: CreateAuthenticateRequestOptions): {
+    authenticateRequest: (request: Request, options?: RuntimeOptions) => Promise<RequestState>;
+};
+//# sourceMappingURL=request.d.ts.map

package/dist/tokens/request.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"request.d.ts","sourceRoot":"","sources":["../../src/tokens/request.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACxC,OAAO,EACL,KAAK,gBAAgB,EAErB,KAAK,cAAc,EACpB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAGhD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAwC9C,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,CAqCvB;AAED;;GAEG;AACH,MAAM,MAAM,gCAAgC,GAAG;IAC7C,OAAO,EAAE,gBAAgB,CAAC;IAC1B,SAAS,EAAE,SAAS,CAAC;CACtB,CAAC;AAEF,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,gCAAgC;mCAIpC,OAAO,YAAW,cAAc;EAQ7E"}

package/dist/tokens/requestFire.d.ts

@@ -0,0 +1,17 @@
+import type { RequestState } from './authstate';
+import type { AuthenticateFireRequestOptions } from './types';
+type RuntimeOptions = Omit<AuthenticateFireRequestOptions, 'firebaseConfig'>;
+type FirebaseOptions = Partial<Pick<AuthenticateFireRequestOptions, 'firebaseConfig'>>;
+export declare function mergePreDefinedOptions<T extends Record<string, any>>(preDefinedOptions: T, options: Partial<T>): T;
+export declare function authenticateRequest(request: Request, options: AuthenticateFireRequestOptions): Promise<RequestState>;
+/**
+ * @internal
+ */
+export type CreateFireAuthenticateRequestOptions = {
+    options: FirebaseOptions;
+};
+export declare function createFireAuthenticateRequest(params: CreateFireAuthenticateRequestOptions): {
+    authenticateRequest: (request: Request, options?: RuntimeOptions) => Promise<RequestState>;
+};
+export {};
+//# sourceMappingURL=requestFire.d.ts.map

package/dist/tokens/requestFire.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"requestFire.d.ts","sourceRoot":"","sources":["../../src/tokens/requestFire.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAGhD,OAAO,KAAK,EAAE,8BAA8B,EAAkB,MAAM,SAAS,CAAC;AAG9E,KAAK,cAAc,GAAG,IAAI,CAAC,8BAA8B,EAAE,gBAAgB,CAAC,CAAC;AAE7E,KAAK,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,8BAA8B,EAAE,gBAAgB,CAAC,CAAC,CAAC;AASvF,wBAAgB,sBAAsB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAClE,iBAAiB,EAAE,CAAC,EACpB,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,GAClB,CAAC,CAOH;AAuCD,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,8BAA8B,GACtC,OAAO,CAAC,YAAY,CAAC,CAqCvB;AAED;;GAEG;AACH,MAAM,MAAM,oCAAoC,GAAG;IACjD,OAAO,EAAE,eAAe,CAAC;CAC1B,CAAC;AAEF,wBAAgB,6BAA6B,CAAC,MAAM,EAAE,oCAAoC;mCAG5C,OAAO,YAAW,cAAc;EAQ7E"}

package/dist/tokens/sessionConfig.d.ts

@@ -0,0 +1,14 @@
+import type { RequestOptions } from "./types";
+export declare const getSessionConfig: (options?: RequestOptions) => {
+    COOKIE_NAME: string | undefined;
+    DEFAULT_EXPIRES_IN_MS: number | undefined;
+    DEFAULT_EXPIRES_IN_SECONDS: number;
+    REVOKE_REFRESH_TOKENS_ON_SIGNOUT: boolean | undefined;
+};
+export declare const getCookieOptions: (options?: RequestOptions) => {
+    httpOnly: boolean | undefined;
+    secure: boolean | undefined;
+    sameSite: "lax" | "strict" | "none" | undefined;
+    path: string | undefined;
+};
+//# sourceMappingURL=sessionConfig.d.ts.map

package/dist/tokens/sessionConfig.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessionConfig.d.ts","sourceRoot":"","sources":["../../src/tokens/sessionConfig.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAE9C,eAAO,MAAM,gBAAgB,GAAI,UAAU,cAAc;;;;;CASxD,CAAC;AAGF,eAAO,MAAM,gBAAgB,GAAI,UAAU,cAAc;;;;;CASxD,CAAC"}

package/dist/tokens/ternSecureRequest.d.ts

@@ -0,0 +1,20 @@
+import type { TernUrl } from "./ternUrl";
+declare class TernSecureRequest extends Request {
+    readonly ternUrl: TernUrl;
+    readonly cookies: Map<string, string | undefined>;
+    constructor(input: TernSecureRequest | Request | RequestInfo, init?: RequestInit);
+    toJSON(): {
+        url: string;
+        method: string;
+        headers: string;
+        ternUrl: string;
+        cookies: string;
+    };
+    private deriveUrlFromHeaders;
+    private getFirstValueFromHeader;
+    private parseCookies;
+    private decodeCookieValue;
+}
+export declare const createTernSecureRequest: (...args: ConstructorParameters<typeof TernSecureRequest>) => TernSecureRequest;
+export type { TernSecureRequest };
+//# sourceMappingURL=ternSecureRequest.d.ts.map

package/dist/tokens/ternSecureRequest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ternSecureRequest.d.ts","sourceRoot":"","sources":["../../src/tokens/ternSecureRequest.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGzC,cAAM,iBAAkB,SAAQ,OAAO;IACrC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;gBAGhD,KAAK,EAAE,iBAAiB,GAAG,OAAO,GAAG,WAAW,EAChD,IAAI,CAAC,EAAE,WAAW;IASb,MAAM;;;;;;;IAUb,OAAO,CAAC,oBAAoB;IAuB5B,OAAO,CAAC,uBAAuB;IAI/B,OAAO,CAAC,YAAY;IAOpB,OAAO,CAAC,iBAAiB;CAG1B;AAED,eAAO,MAAM,uBAAuB,GAClC,GAAG,MAAM,qBAAqB,CAAC,OAAO,iBAAiB,CAAC,KACvD,iBAIF,CAAC;AAEF,YAAY,EAAE,iBAAiB,EAAE,CAAC"}

package/dist/tokens/ternUrl.d.ts

@@ -0,0 +1,15 @@
+declare class TernUrl extends URL {
+    isCrossOrigin(other: URL | string): boolean;
+}
+export type WithTernUrl<T> = T & {
+    /**
+     * When a NextJs app is hosted on a platform different from Vercel
+     * or inside a container (Netlify, Fly.io, AWS Amplify, docker etc),
+     * req.url is always set to `localhost:3000` instead of the actual host of the app.
+     *
+     */
+    ternUrl: TernUrl;
+};
+export declare const createTernUrl: (...args: ConstructorParameters<typeof TernUrl>) => TernUrl;
+export type { TernUrl };
+//# sourceMappingURL=ternUrl.d.ts.map

package/dist/tokens/ternUrl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ternUrl.d.ts","sourceRoot":"","sources":["../../src/tokens/ternUrl.ts"],"names":[],"mappings":"AAAA,cAAM,OAAQ,SAAQ,GAAG;IAChB,aAAa,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM;CAGzC;AAED,MAAM,MAAM,WAAW,CAAC,CAAC,IAAI,CAAC,GAAG;IAC/B;;;;;OAKG;IACH,OAAO,EAAE,OAAO,CAAC;CAClB,CAAC;AAEF,eAAO,MAAM,aAAa,GACxB,GAAG,MAAM,qBAAqB,CAAC,OAAO,OAAO,CAAC,KAC7C,OAEF,CAAC;AAEF,YAAY,EAAE,OAAO,EAAE,CAAC"}

package/dist/tokens/types.d.ts

@@ -0,0 +1,41 @@
+import type { CheckRevokedOptions } from '../adapters';
+import type { ApiClient } from '../api';
+import type { TernSecureConfig, VerifyTokenVOptions } from './verify';
+export type SessionCookieAttributes = {
+    path?: string;
+    domain?: string;
+    expires?: Date;
+    maxAge?: number;
+    secure?: boolean;
+    httpOnly?: boolean;
+    sameSite?: 'lax' | 'strict' | 'none';
+};
+export type SessionCookieFromMiddleware = {
+    name: string;
+    attributes: SessionCookieAttributes;
+    revokeRefreshTokensOnSignOut?: boolean;
+};
+export type MiddlewareCookiesOptions = {
+    session_cookie: SessionCookieFromMiddleware;
+};
+export type RequestOptions = {
+    tenantId?: string;
+    signInUrl?: string;
+    signUpUrl?: string;
+    checkRevoked?: CheckRevokedOptions;
+    cookies?: MiddlewareCookiesOptions;
+    apiClient?: ApiClient;
+    apiUrl?: string;
+    apiVersion?: string;
+} & VerifyTokenVOptions;
+export type AuthenticateFireRequestOptions = {
+    signInUrl?: string;
+    signUpUrl?: string;
+    checkRevoked?: CheckRevokedOptions;
+    cookies?: MiddlewareCookiesOptions;
+    apiClient?: ApiClient;
+    apiUrl?: string;
+    apiVersion?: string;
+    firebaseConfig?: TernSecureConfig;
+} & VerifyTokenVOptions;
+//# sourceMappingURL=types.d.ts.map

package/dist/tokens/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/tokens/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AACvD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACxC,OAAO,KAAK,EAAE,gBAAgB,EAAC,mBAAmB,EAAE,MAAM,UAAU,CAAC;AAErE,MAAM,MAAM,uBAAuB,GAAG;IACpC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,IAAI,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,QAAQ,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;CACtC,CAAC;AAEF,MAAM,MAAM,2BAA2B,GAAG;IACxC,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,uBAAuB,CAAC;IACpC,4BAA4B,CAAC,EAAE,OAAO,CAAC;CACxC,CAAC;AAEF,MAAM,MAAM,wBAAwB,GAAG;IACrC,cAAc,EAAE,2BAA2B,CAAC;CAC7C,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,mBAAmB,CAAC;IACnC,OAAO,CAAC,EAAE,wBAAwB,CAAC;IACnC,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,GAAG,mBAAmB,CAAC;AAExB,MAAM,MAAM,8BAA8B,GAAG;IAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,mBAAmB,CAAC;IACnC,OAAO,CAAC,EAAE,wBAAwB,CAAC;IACnC,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,gBAAgB,CAAA;CAClC,GAAG,mBAAmB,CAAC"}

package/dist/tokens/verify.d.ts

@@ -0,0 +1,11 @@
+import type { DecodedIdToken, TernSecureConfig } from '@tern-secure/types';
+import type { JwtReturnType } from '../jwt/types';
+import { type VerifyJwtOptions } from '../jwt/verifyJwt';
+import { TokenVerificationError } from '../utils/errors';
+import type { LoadJWKFromRemoteOptions } from './keys';
+export type VerifyTokenVOptions = Omit<VerifyJwtOptions, 'key'> & Omit<LoadJWKFromRemoteOptions, 'kid'> & {
+    jwtKey?: string;
+};
+export { TernSecureConfig };
+export declare function verifyToken(token: string, options: VerifyTokenVOptions): Promise<JwtReturnType<DecodedIdToken, TokenVerificationError>>;
+//# sourceMappingURL=verify.d.ts.map

package/dist/tokens/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/tokens/verify.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAE3E,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EAA4B,KAAK,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACnF,OAAO,EAAE,sBAAsB,EAAgC,MAAM,iBAAiB,CAAC;AACvF,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,QAAQ,CAAC;AAGvD,MAAM,MAAM,mBAAmB,GAAG,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC,GAAG,IAAI,CAAC,wBAAwB,EAAE,KAAK,CAAC,GAAG;IACxG,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF,OAAO,EAAE,gBAAgB,EAAE,CAAC;AAE5B,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,aAAa,CAAC,cAAc,EAAE,sBAAsB,CAAC,CAAC,CA2ChE"}

package/dist/utils/admin-init.d.ts

@@ -0,0 +1,13 @@
+import admin from 'firebase-admin';
+export declare const adminTernSecureAuth: admin.auth.Auth;
+export declare const adminTernSecureDb: admin.firestore.Firestore;
+export declare const TernSecureTenantManager: admin.auth.TenantManager;
+/**
+ * Gets the appropriate Firebase Auth instance.
+ * If a tenantId is provided, it returns the Auth instance for that tenant.
+ * Otherwise, it returns the default project-level Auth instance.
+ * @param tenantId - The optional tenant ID.
+ * @returns An admin.auth.Auth instance.
+ */
+export declare function getAuthForTenant(tenantId?: string): admin.auth.Auth;
+//# sourceMappingURL=admin-init.d.ts.map

package/dist/utils/admin-init.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-init.d.ts","sourceRoot":"","sources":["../../src/utils/admin-init.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,gBAAgB,CAAC;AAkBnC,eAAO,MAAM,mBAAmB,EAAE,KAAK,CAAC,IAAI,CAAC,IAAmB,CAAC;AACjE,eAAO,MAAM,iBAAiB,EAAE,KAAK,CAAC,SAAS,CAAC,SAA6B,CAAC;AAC9E,eAAO,MAAM,uBAAuB,EAAE,KAAK,CAAC,IAAI,CAAC,aAA4C,CAAC;AAE9F;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAKnE"}

package/dist/{types/utils → utils}/config.d.ts

@@ -1,4 +1,4 @@
-import { TernSecureConfig, ConfigValidationResult, TernSecureAdminConfig, AdminConfigValidationResult } from '@tern-secure/types';
+import type { AdminConfigValidationResult, ConfigValidationResult, TernSecureAdminConfig, TernSecureConfig } from '@tern-secure/types';
 /**
  * Loads Firebase configuration from environment variables
  * @returns {TernSecureConfig} Firebase configuration object

package/dist/utils/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/utils/config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,2BAA2B,EAC3B,sBAAsB,EACtB,qBAAqB,EACrB,gBAAgB,EAAC,MAAM,oBAAoB,CAAA;AAE7C;;;GAGG;AACH,eAAO,MAAM,cAAc,QAAO,gBAQhC,CAAA;AAEF;;;;;GAKG;AACH,eAAO,MAAM,cAAc,GAAI,QAAQ,gBAAgB,KAAG,sBAuBzD,CAAA;AAED;;;GAGG;AACH,eAAO,MAAM,gBAAgB,QAAO,gBAWnC,CAAA;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,QAAO,qBAIjC,CAAA;AAEF;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,GAAI,QAAQ,qBAAqB,KAAG,2BAoBnE,CAAA;AAED;;;GAGG;AACH,eAAO,MAAM,qBAAqB,QAAO,qBAWxC,CAAA"}

package/dist/utils/enableDebugLogging.d.ts

@@ -0,0 +1,5 @@
+import { LogLevel } from "./logger";
+export declare function enableDebugLogging(): void;
+export declare function disableDebugLogging(): void;
+export declare function setLogLevel(level: LogLevel): void;
+//# sourceMappingURL=enableDebugLogging.d.ts.map

package/dist/utils/enableDebugLogging.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"enableDebugLogging.d.ts","sourceRoot":"","sources":["../../src/utils/enableDebugLogging.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,QAAQ,EAAe,MAAM,UAAU,CAAA;AAE5D,wBAAgB,kBAAkB,IAAI,IAAI,CAMzC;AAED,wBAAgB,mBAAmB,IAAI,IAAI,CAG1C;AAED,wBAAgB,WAAW,CAAC,KAAK,EAAE,QAAQ,GAAG,IAAI,CAGjD"}

package/dist/utils/errors.d.ts

@@ -0,0 +1,29 @@
+export type TokenCarrier = 'header' | 'cookie';
+export declare const TokenVerificationErrorReason: {
+    TokenExpired: string;
+    TokenInvalid: string;
+    TokenInvalidAlgorithm: string;
+    TokenInvalidAuthorizedParties: string;
+    TokenInvalidSignature: string;
+    TokenNotActiveYet: string;
+    TokenIatInTheFuture: string;
+    TokenVerificationFailed: string;
+    InvalidSecretKey: string;
+    LocalJWKMissing: string;
+    RemoteJWKFailedToLoad: string;
+    RemoteJWKInvalid: string;
+    RemoteJWKMissing: string;
+    JWKFailedToResolve: string;
+    JWKKidMismatch: string;
+};
+export type TokenVerificationErrorReason = (typeof TokenVerificationErrorReason)[keyof typeof TokenVerificationErrorReason];
+export declare class TokenVerificationError extends Error {
+    reason: TokenVerificationErrorReason;
+    tokenCarrier?: TokenCarrier;
+    constructor({ message, reason, }: {
+        message: string;
+        reason: TokenVerificationErrorReason;
+    });
+    getFullMessage(): string;
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/utils/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/utils/errors.ts"],"names":[],"mappings":"AACA,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAE/C,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;CAgBxC,CAAC;AAEF,MAAM,MAAM,4BAA4B,GACtC,CAAC,OAAO,4BAA4B,CAAC,CAAC,MAAM,OAAO,4BAA4B,CAAC,CAAC;AAEnF,qBAAa,sBAAuB,SAAQ,KAAK;IAC/C,MAAM,EAAE,4BAA4B,CAAC;IACrC,YAAY,CAAC,EAAE,YAAY,CAAC;gBAEhB,EACV,OAAO,EACP,MAAM,GACP,EAAE;QACD,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,4BAA4B,CAAC;KACtC;IASM,cAAc;CAKpB"}

package/dist/utils/gemini_admin-init.d.ts

@@ -0,0 +1,10 @@
+import admin from 'firebase-admin';
+/**
+ * Gets the appropriate Firebase Auth instance.
+ * If a tenantId is provided, it returns the Auth instance for that tenant.
+ * Otherwise, it returns the default project-level Auth instance.
+ * @param tenantId - The optional tenant ID.
+ * @returns An admin.auth.Auth instance.
+ */
+export declare function getAuthForTenant(tenantId?: string): admin.auth.Auth;
+//# sourceMappingURL=gemini_admin-init.d.ts.map

package/dist/utils/gemini_admin-init.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gemini_admin-init.d.ts","sourceRoot":"","sources":["../../src/utils/gemini_admin-init.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,gBAAgB,CAAC;AAoBnC;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAKnE"}