@tern-secure/backend 1.1.5 → 1.1.7

package/dist/admin/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/admin/index.ts","../../src/admin/sessionTernSecure.ts","../../src/tokens/sessionConfig.ts","../../src/utils/admin-init.ts","../../src/utils/config.ts","../../src/admin/tenant.ts","../../src/admin/nextSessionTernSecure.ts","../../src/tokens/ternSecureRequest.ts","../../src/constants.ts","../../src/tokens/ternUrl.ts","../../src/instance/backendInstance.ts"],"sourcesContent":["export { \n    createSessionCookie, \n    clearSessionCookie\n} from './sessionTernSecure'\nexport { \n    adminTernSecureAuth, \n    adminTernSecureDb, \n    TernSecureTenantManager \n} from '../utils/admin-init'\nexport { initializeAdminConfig } from '../utils/config'\nexport { createTenant, createTenantUser } from './tenant'\nexport { \n    CreateNextSessionCookie,\n    GetNextServerSessionCookie,\n    GetNextIdToken,\n    SetNextServerSession,\n    SetNextServerToken,\n    VerifyNextTernIdToken,\n    VerifyNextTernSessionCookie,\n    ClearNextSessionCookie\n} from './nextSessionTernSecure'\n\nexport type { SignInAuthObject, RequestState } from '../instance/backendInstance'\nexport { createBackendInstance, authenticateRequest, signedIn } from '../instance/backendInstance'","\"use server\";\r\n\r\nimport { handleFirebaseAuthError } from \"@tern-secure/shared/errors\";\r\nimport type {\r\n  CookieStore,\r\n  SessionParams,\r\n  SessionResult,\r\n} from \"@tern-secure/types\";\r\n\r\nimport { getCookieOptions, getSessionConfig } from \"../tokens/sessionConfig\";\r\nimport type { RequestOptions } from \"../tokens/types\";\r\nimport {  getAuthForTenant } from \"../utils/admin-init\";\r\n\r\nconst SESSION_CONSTANTS = {\r\n  COOKIE_NAME: \"_session_cookie\",\r\n  //DEFAULT_EXPIRES_IN_MS: 60 * 60 * 24 * 5 * 1000, // 5 days\r\n  //DEFAULT_EXPIRES_IN_SECONDS: 60 * 60 * 24 * 5, // 5days\r\n  DEFAULT_EXPIRES_IN_MS: 5 * 60 * 1000, // 5 minutes\r\n  DEFAULT_EXPIRES_IN_SECONDS: 5 * 60,\r\n  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true,\r\n} as const;\r\n\r\nconst COOKIE_OPTIONS = {\r\n  httpOnly: true,\r\n  secure: process.env.NODE_ENV === \"production\",\r\n  sameSite: \"strict\" as const,\r\n  path: \"/\",\r\n} as const;\r\n\r\n\r\nexport async function createSessionCookie(\r\n  params: SessionParams | string,\r\n  cookieStore: CookieStore,\r\n  options?: RequestOptions\r\n): Promise<SessionResult> {\r\n  try {\r\n    const tenantAuth = getAuthForTenant(options?.tenantId);\r\n\r\n    const sessionConfig = getSessionConfig(options);\r\n    const cookieOptions = getCookieOptions(options);\r\n    \r\n    let decodedToken;\r\n    let sessionCookie;\r\n\r\n    const idToken = typeof params === \"string\" ? params : params.idToken;\r\n\r\n    if (!idToken) {\r\n      const error = new Error(\"ID token is required for session creation\");\r\n      console.error(\"[createSessionCookie] Missing ID token:\", error);\r\n      return {\r\n        success: false,\r\n        message: \"ID token is required\",\r\n        error: \"INVALID_TOKEN\",\r\n        cookieSet: false,\r\n      };\r\n    }\r\n\r\n    try {\r\n      console.log(\"Verifying ID token for tenant:\", options?.tenantId);\r\n      decodedToken = await tenantAuth.verifyIdToken(idToken);\r\n    } catch (verifyError) {\r\n      console.error(\r\n        \"[createSessionCookie] ID token verification failed:\",\r\n        verifyError\r\n      );\r\n      const authError = handleFirebaseAuthError(verifyError);\r\n      return {\r\n        success: false,\r\n        message: authError.message,\r\n        error: authError.code,\r\n        cookieSet: false,\r\n      };\r\n    }\r\n\r\n    if (!decodedToken) {\r\n      const error = new Error(\"Invalid ID token - verification returned null\");\r\n      console.error(\r\n        \"[createSessionCookie] Token verification returned null:\",\r\n        error\r\n      );\r\n      return {\r\n        success: false,\r\n        message: \"Invalid ID token\",\r\n        error: \"INVALID_TOKEN\",\r\n        cookieSet: false,\r\n      };\r\n    }\r\n\r\n    try {\r\n      sessionCookie = await tenantAuth.createSessionCookie(idToken, {\r\n        expiresIn: SESSION_CONSTANTS.DEFAULT_EXPIRES_IN_MS,\r\n      });\r\n    } catch (sessionError) {\r\n      console.error(\r\n        \"[createSessionCookie] Firebase session cookie creation failed:\",\r\n        sessionError\r\n      );\r\n      const authError = handleFirebaseAuthError(sessionError);\r\n      return {\r\n        success: false,\r\n        message: authError.message,\r\n        error: authError.code,\r\n        cookieSet: false,\r\n      };\r\n    }\r\n\r\n    // Set the cookie and verify it was set\r\n    let cookieSetSuccessfully = false;\r\n    try {\r\n      //const cookieStore = await cookies();\r\n      cookieStore.set(SESSION_CONSTANTS.COOKIE_NAME, sessionCookie, {\r\n        maxAge: SESSION_CONSTANTS.DEFAULT_EXPIRES_IN_SECONDS,\r\n        ...COOKIE_OPTIONS,\r\n      });\r\n\r\n      // Verify the cookie was actually set\r\n      const verifySetCookie = await cookieStore.get(\r\n        SESSION_CONSTANTS.COOKIE_NAME\r\n      );\r\n      cookieSetSuccessfully = !!verifySetCookie?.value;\r\n\r\n      if (!cookieSetSuccessfully) {\r\n        const error = new Error(\"Session cookie was not set successfully\");\r\n        console.error(\r\n          \"[createSessionCookie] Cookie verification failed:\",\r\n          error\r\n        );\r\n        throw error;\r\n      }\r\n    } catch (cookieError) {\r\n      console.error(\r\n        \"[createSessionCookie] Failed to set session cookie:\",\r\n        cookieError\r\n      );\r\n      return {\r\n        success: false,\r\n        message: \"Failed to set session cookie\",\r\n        error: \"COOKIE_SET_FAILED\",\r\n        cookieSet: false,\r\n      };\r\n    }\r\n\r\n    console.log(\r\n      `[createSessionCookie] Session cookie created successfully for user: ${decodedToken.uid}`\r\n    );\r\n    return {\r\n      success: true,\r\n      message: \"Session created successfully\",\r\n      expiresIn: SESSION_CONSTANTS.DEFAULT_EXPIRES_IN_SECONDS,\r\n      cookieSet: cookieSetSuccessfully,\r\n    };\r\n  } catch (error) {\r\n    console.error(\"[createSessionCookie] Unexpected error:\", error);\r\n    const authError = handleFirebaseAuthError(error);\r\n    return {\r\n      success: false,\r\n      message: authError.message || \"Failed to create session\",\r\n      error: authError.code || \"INTERNAL_ERROR\",\r\n      cookieSet: false,\r\n    };\r\n  }\r\n}\r\n\r\nexport async function clearSessionCookie(\r\n  cookieStore: CookieStore,\r\n  options?: RequestOptions\r\n): Promise<SessionResult> {\r\n  try {\r\n    const adminAuth = getAuthForTenant(options?.tenantId);\r\n    const sessionCookie = await cookieStore.get(SESSION_CONSTANTS.COOKIE_NAME);\r\n\r\n    await cookieStore.delete(SESSION_CONSTANTS.COOKIE_NAME);\r\n    await cookieStore.delete(\"_session_token\");\r\n    await cookieStore.delete(\"_session\");\r\n\r\n    if (\r\n      SESSION_CONSTANTS.REVOKE_REFRESH_TOKENS_ON_SIGNOUT &&\r\n      sessionCookie?.value\r\n    ) {\r\n      try {\r\n        const decodedClaims = await adminAuth.verifySessionCookie(\r\n          sessionCookie.value\r\n        );\r\n        await adminAuth.revokeRefreshTokens(decodedClaims.sub);\r\n        console.log(\r\n          `[clearSessionCookie] Successfully revoked tokens for user: ${decodedClaims.sub}`\r\n        );\r\n      } catch (revokeError) {\r\n        console.error(\r\n          \"[clearSessionCookie] Failed to revoke refresh tokens:\",\r\n          revokeError\r\n        );\r\n      }\r\n    }\r\n\r\n    console.log(\"[clearSessionCookie] Session cookies cleared successfully\");\r\n    return {\r\n      success: true,\r\n      message: \"Session cleared successfully\",\r\n      cookieSet: false,\r\n    };\r\n  } catch (error) {\r\n    console.error(\"[clearSessionCookie] Unexpected error:\", error);\r\n    const authError = handleFirebaseAuthError(error);\r\n    return {\r\n      success: false,\r\n      message: authError.message || \"Failed to clear session\",\r\n      error: authError.code || \"INTERNAL_ERROR\",\r\n      cookieSet: false,\r\n    };\r\n  }\r\n}\r\n\r\nexport async function createCustomToken(uid: string, options?: RequestOptions): Promise<string | null> {\r\n  const adminAuth = getAuthForTenant(options?.tenantId);\r\n  try {\r\n    const customToken = await adminAuth.createCustomToken(uid);\r\n    return customToken;\r\n  } catch (error) {\r\n    console.error(\"[createCustomToken] Error creating custom token:\", error);\r\n    return null;\r\n  }\r\n}\r\n","import type { RequestOptions } from \"./types\";\n\nexport const getSessionConfig = (options?: RequestOptions) => {\n  const cookieConfig = options?.cookies?.session_cookie;\n  \n  return {\n    COOKIE_NAME: cookieConfig?.name,\n    DEFAULT_EXPIRES_IN_MS: cookieConfig?.attributes?.maxAge,\n    DEFAULT_EXPIRES_IN_SECONDS: Math.floor((cookieConfig?.attributes?.maxAge || 0) / 1000),\n    REVOKE_REFRESH_TOKENS_ON_SIGNOUT: cookieConfig?.revokeRefreshTokensOnSignOut,\n  };\n};\n\n\nexport const getCookieOptions = (options?: RequestOptions) => {\n  const cookieConfig = options?.cookies?.session_cookie;\n  \n  return {\n    httpOnly: cookieConfig?.attributes?.httpOnly,\n    secure: cookieConfig?.attributes?.secure,\n    sameSite: cookieConfig?.attributes?.sameSite,\n    path: cookieConfig?.attributes?.path,\n  };\n};","import admin from 'firebase-admin';\r\n\r\nimport { initializeAdminConfig } from './config';\r\n\r\nif (!admin.apps.length) {\r\n  try {\r\n    const config = initializeAdminConfig();\r\n    admin.initializeApp({\r\n      credential: admin.credential.cert({\r\n        ...config,\r\n        privateKey: config.privateKey.replace(/\\\\n/g, '\\n'),\r\n      }),\r\n    });\r\n  } catch (error) {\r\n    console.error('Firebase admin initialization error', error);\r\n  }\r\n}\r\n\r\nexport const adminTernSecureAuth: admin.auth.Auth = admin.auth();\r\nexport const adminTernSecureDb: admin.firestore.Firestore = admin.firestore();\r\nexport const TernSecureTenantManager: admin.auth.TenantManager = admin.auth().tenantManager();\r\n\r\n/**\r\n * Gets the appropriate Firebase Auth instance.\r\n * If a tenantId is provided, it returns the Auth instance for that tenant.\r\n * Otherwise, it returns the default project-level Auth instance.\r\n * @param tenantId - The optional tenant ID.\r\n * @returns An admin.auth.Auth instance.\r\n */\r\nexport function getAuthForTenant(tenantId?: string): admin.auth.Auth {\r\n  if (tenantId) {\r\n    return TernSecureTenantManager.authForTenant(tenantId) as unknown as admin.auth.Auth;\r\n  }\r\n  return admin.auth();\r\n}","import type { \r\n  AdminConfigValidationResult, \r\n  ConfigValidationResult, \r\n  TernSecureAdminConfig, \r\n  TernSecureConfig} from '@tern-secure/types'\r\n\r\n/**\r\n * Loads Firebase configuration from environment variables\r\n * @returns {TernSecureConfig} Firebase configuration object\r\n */\r\nexport const loadFireConfig = (): TernSecureConfig => ({\r\n  apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY || '',\r\n  authDomain: process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN || '',\r\n  projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID || '',\r\n  storageBucket: process.env.NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET || '',\r\n  messagingSenderId: process.env.NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID || '',\r\n  appId: process.env.NEXT_PUBLIC_FIREBASE_APP_ID || '',\r\n  measurementId: process.env.NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID || undefined,\r\n})\r\n\r\n/**\r\n * Validates Firebase configuration\r\n * @param {TernSecureConfig} config - Firebase configuration object\r\n * @throws {Error} If required configuration values are missing\r\n * @returns {TernSecureConfig} Validated configuration object\r\n */\r\nexport const validateConfig = (config: TernSecureConfig): ConfigValidationResult => {\r\n  const requiredFields: (keyof TernSecureConfig)[] = [\r\n    'apiKey',\r\n    'authDomain',\r\n    'projectId',\r\n    'storageBucket',\r\n    'messagingSenderId',\r\n    'appId'\r\n  ]\r\n\r\n  const errors: string[] = []\r\n  \r\n  requiredFields.forEach(field => {\r\n    if (!config[field]) {\r\n      errors.push(`Missing required field: NEXT_PUBLIC_FIREBASE_${String(field).toUpperCase()}`)\r\n    }\r\n  })\r\n\r\n  return {\r\n    isValid: errors.length === 0,\r\n    errors,\r\n    config\r\n  }\r\n}\r\n\r\n/**\r\n * Initializes configuration with validation\r\n * @throws {Error} If configuration is invalid\r\n */\r\nexport const initializeConfig = (): TernSecureConfig => {\r\n  const config = loadFireConfig()\r\n  const validationResult = validateConfig(config)\r\n\r\n  if (!validationResult.isValid) {\r\n    throw new Error(\r\n      `Firebase configuration validation failed:\\n${validationResult.errors.join('\\n')}`\r\n    )\r\n  }\r\n\r\n  return config\r\n}\r\n\r\n/**\r\n * Loads Firebase Admin configuration from environment variables\r\n * @returns {AdminConfig} Firebase Admin configuration object\r\n */\r\nexport const loadAdminConfig = (): TernSecureAdminConfig => ({\r\n  projectId: process.env.FIREBASE_PROJECT_ID || '',\r\n  clientEmail: process.env.FIREBASE_CLIENT_EMAIL || '',\r\n  privateKey: process.env.FIREBASE_PRIVATE_KEY || '',\r\n})\r\n\r\n/**\r\n * Validates Firebase Admin configuration\r\n * @param {AdminConfig} config - Firebase Admin configuration object\r\n * @returns {ConfigValidationResult} Validation result\r\n */\r\nexport const validateAdminConfig = (config: TernSecureAdminConfig): AdminConfigValidationResult => {\r\n  const requiredFields: (keyof TernSecureAdminConfig)[] = [\r\n    'projectId',\r\n    'clientEmail',\r\n    'privateKey'\r\n  ]\r\n\r\n  const errors: string[] = []\r\n  \r\n  requiredFields.forEach(field => {\r\n    if (!config[field]) {\r\n      errors.push(`Missing required field: FIREBASE_${String(field).toUpperCase()}`)\r\n    }\r\n  })\r\n\r\n  return {\r\n    isValid: errors.length === 0,\r\n    errors,\r\n    config\r\n  }\r\n}\r\n\r\n/**\r\n * Initializes admin configuration with validation\r\n * @throws {Error} If configuration is invalid\r\n */\r\nexport const initializeAdminConfig = (): TernSecureAdminConfig => {\r\n  const config = loadAdminConfig()\r\n  const validationResult = validateAdminConfig(config)\r\n\r\n  if (!validationResult.isValid) {\r\n    throw new Error(\r\n      `Firebase Admin configuration validation failed:\\n${validationResult.errors.join('\\n')}`\r\n    )\r\n  }\r\n\r\n  return config\r\n}","import type { SignInResponse } from '@tern-secure/types';\r\n\r\nimport { TernSecureTenantManager } from \"../utils/admin-init\";\r\n\r\n\r\nexport async function createTenant(\r\n  displayName: string,\r\n  emailSignInConfig: {\r\n    enabled: boolean;\r\n    passwordRequired: boolean;\r\n  },\r\n  multiFactorConfig?: {\r\n    state: 'ENABLED' | 'DISABLED';\r\n    factorIds: \"phone\"[];\r\n    testPhoneNumbers?: {\r\n        [phoneNumber: string]: string;\r\n    }\r\n  }\r\n) {\r\n  try {\r\n    const tenantConfig = {\r\n      displayName,\r\n      emailSignInConfig,\r\n      ...(multiFactorConfig && { multiFactorConfig })\r\n    };\r\n\r\n    const tenant = await TernSecureTenantManager.createTenant(tenantConfig);\r\n    \r\n    return {\r\n      success: true,\r\n      tenantId: tenant.tenantId,\r\n      displayName: tenant.displayName,\r\n    };\r\n  } catch (error) {\r\n    console.error('Error creating tenant:', error);\r\n    throw new Error('Failed to create tenant');\r\n  }\r\n}\r\n\r\nexport async function createTenantUser(\r\n  email: string,\r\n  password: string,\r\n  tenantId: string\r\n): Promise<SignInResponse> {\r\n  try {\r\n    const tenantAuth = TernSecureTenantManager.authForTenant(tenantId);\r\n    \r\n    const userRecord = await tenantAuth.createUser({\r\n      email,\r\n      password,\r\n      emailVerified: false,\r\n      disabled: false\r\n    });\r\n\r\n    return {\r\n      success: true,\r\n      message: 'Tenant user created successfully',\r\n      user: userRecord.uid,\r\n    };\r\n  } catch (error) {\r\n    console.error('Error creating tenant user:', error);\r\n    throw new Error('Failed to create tenant user');\r\n  }\r\n}\r\n","\"use server\";\n\nimport { handleFirebaseAuthError } from \"@tern-secure/shared/errors\";\nimport type { TernVerificationResult } from \"@tern-secure/types\";\nimport { cookies } from \"next/headers\";\n\nimport { adminTernSecureAuth as adminAuth, getAuthForTenant } from \"../utils/admin-init\";\n\n\nconst SESSION_CONSTANTS = {\n  COOKIE_NAME: \"_session_cookie\",\n  DEFAULT_EXPIRES_IN_MS: 60 * 60 * 24 * 5 * 1000, // 5 days\n  DEFAULT_EXPIRES_IN_SECONDS: 60 * 60 * 24 * 5,\n  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true,\n} as const;\n\nexport async function CreateNextSessionCookie(idToken: string) {\n  try {\n    const expiresIn = 60 * 60 * 24 * 5 * 1000;\n    const sessionCookie = await adminAuth.createSessionCookie(idToken, {\n      expiresIn,\n    });\n\n    const cookieStore = await cookies();\n    cookieStore.set(\"_session_cookie\", sessionCookie, {\n      maxAge: expiresIn,\n      httpOnly: true,\n      secure: process.env.NODE_ENV === \"production\",\n      path: \"/\",\n    });\n    return { success: true, message: \"Session created\" };\n  } catch (error) {\n    return { success: false, message: \"Failed to create session\" };\n  }\n}\n\nexport async function GetNextServerSessionCookie() {\n  const cookieStore = await cookies();\n  const sessionCookie = cookieStore.get(\"_session_cookie\")?.value;\n\n  if (!sessionCookie) {\n    throw new Error(\"No session cookie found\");\n  }\n\n  try {\n    const decondeClaims = await adminAuth.verifySessionCookie(\n      sessionCookie,\n      true\n    );\n    return {\n      token: sessionCookie,\n      userId: decondeClaims.uid,\n    };\n  } catch (error) {\n    console.error(\"Error verifying session:\", error);\n    throw new Error(\"Invalid Session\");\n  }\n}\n\nexport async function GetNextIdToken() {\n  const cookieStore = await cookies();\n  const token = cookieStore.get(\"_session_token\")?.value;\n\n  if (!token) {\n    throw new Error(\"No session cookie found\");\n  }\n\n  try {\n    const decodedClaims = await adminAuth.verifyIdToken(token);\n    return {\n      token: token,\n      userId: decodedClaims.uid,\n    };\n  } catch (error) {\n    console.error(\"Error verifying session:\", error);\n    throw new Error(\"Invalid Session\");\n  }\n}\n\nexport async function SetNextServerSession(token: string) {\n  try {\n    const cookieStore = await cookies();\n    cookieStore.set(\"_session_token\", token, {\n      httpOnly: true,\n      secure: process.env.NODE_ENV === \"production\",\n      sameSite: \"strict\",\n      maxAge: 60 * 60, // 1 hour\n      path: \"/\",\n    });\n    return { success: true, message: \"Session created\" };\n  } catch {\n    return { success: false, message: \"Failed to create session\" };\n  }\n}\n\nexport async function SetNextServerToken(token: string) {\n  try {\n    const cookieStore = await cookies();\n    cookieStore.set(\"_tern\", token, {\n      httpOnly: true,\n      secure: process.env.NODE_ENV === \"production\",\n      sameSite: \"strict\",\n      maxAge: 60 * 60, // 1 hour\n      path: \"/\",\n    });\n    return { success: true, message: \"Session created\" };\n  } catch {\n    return { success: false, message: \"Failed to create session\" };\n  }\n}\n\nexport async function VerifyNextTernIdToken(\n  token: string\n): Promise<TernVerificationResult> {\n  try {\n    const decodedToken = await adminAuth.verifyIdToken(token);\n    return {\n      ...decodedToken,\n      valid: true,\n    };\n  } catch (error) {\n    console.error(\"[VerifyNextTernIdToken] Error verifying session:\", error);\n    const authError = handleFirebaseAuthError(error);\n    return {\n      valid: false,\n      error: authError,\n    };\n  }\n}\n\nexport async function VerifyNextTernSessionCookie(\n  session: string\n): Promise<TernVerificationResult> {\n  try {\n    const res = await adminAuth.verifySessionCookie(session);\n    console.warn(\n      \"[VerifyNextTernSessionCookie] uid in Decoded Token:\",\n      res.uid\n    );\n    return {\n      valid: true,\n      ...res,\n    };\n  } catch (error) {\n    console.error(\n      \"[VerifyNextTernSessionCookie] Error verifying session:\",\n      error\n    );\n    const authError = handleFirebaseAuthError(error);\n    return {\n      valid: false,\n      error: authError,\n    };\n  }\n}\n\nexport async function ClearNextSessionCookie(tenantId?: string) {\n  try {\n    console.log(\"[clearSessionCookie] Clearing session for tenant:\", tenantId);\n    const tenantAuth = getAuthForTenant(tenantId);\n    const cookieStore = await cookies();\n    const sessionCookie = cookieStore.get(SESSION_CONSTANTS.COOKIE_NAME);\n\n    cookieStore.delete(SESSION_CONSTANTS.COOKIE_NAME);\n    cookieStore.delete(\"_session_token\");\n    cookieStore.delete(\"_session\");\n\n    if (\n      SESSION_CONSTANTS.REVOKE_REFRESH_TOKENS_ON_SIGNOUT &&\n      sessionCookie?.value\n    ) {\n      try {\n        const decodedClaims = await tenantAuth.verifySessionCookie(\n          sessionCookie.value\n        );\n        await tenantAuth.revokeRefreshTokens(decodedClaims.sub);\n        console.log(\n          `[clearSessionCookie] Successfully revoked tokens for user: ${decodedClaims.sub}`\n        );\n      } catch (revokeError) {\n        console.error(\n          \"[ClearNextSessionCookie] Failed to revoke refresh tokens:\",\n          revokeError\n        );\n      }\n    }\n    return { success: true, message: \"Session cleared successfully\" };\n  } catch (error) {\n    console.error(\"Error clearing session:\", error);\n    return { success: false, message: \"Failed to clear session cookies\" };\n  }\n}\n","import { parse } from \"cookie\";\n\nimport { constants } from \"../constants\";\nimport type { TernUrl } from \"./ternUrl\";\nimport { createTernUrl } from \"./ternUrl\";\n\nclass TernSecureRequest extends Request {\n  readonly ternUrl: TernUrl;\n  readonly cookies: Map<string, string | undefined>;\n\n  public constructor(\n    input: TernSecureRequest | Request | RequestInfo,\n    init?: RequestInit\n  ) {\n    const url =\n      typeof input !== \"string\" && \"url\" in input ? input.url : String(input);\n    super(url, init || typeof input === \"string\" ? undefined : input);\n    this.ternUrl = this.deriveUrlFromHeaders(this);\n    this.cookies = this.parseCookies(this);\n  }\n\n  public toJSON() {\n    return {\n      url: this.ternUrl.href,\n      method: this.method,\n      headers: JSON.stringify(Object.fromEntries(this.headers)),\n      ternUrl: this.ternUrl.toString(),\n      cookies: JSON.stringify(Object.fromEntries(this.cookies)),\n    };\n  }\n\n  private deriveUrlFromHeaders(req: Request) {\n    const initialUrl = new URL(req.url);\n    const forwardedProto = req.headers.get(constants.Headers.ForwardedProto);\n    const forwardedHost = req.headers.get(constants.Headers.ForwardedHost);\n    const host = req.headers.get(constants.Headers.Host);\n    const protocol = initialUrl.protocol;\n\n    const resolvedHost = this.getFirstValueFromHeader(forwardedHost) ?? host;\n    const resolvedProtocol =\n      this.getFirstValueFromHeader(forwardedProto) ??\n      protocol?.replace(/[:/]/, \"\");\n    const origin =\n      resolvedHost && resolvedProtocol\n        ? `${resolvedProtocol}://${resolvedHost}`\n        : initialUrl.origin;\n\n    if (origin === initialUrl.origin) {\n      return createTernUrl(initialUrl);\n    }\n\n    return createTernUrl(initialUrl.pathname + initialUrl.search, origin);\n  }\n\n  private getFirstValueFromHeader(value?: string | null) {\n    return value?.split(\",\")[0];\n  }\n\n  private parseCookies(req: Request) {\n    const cookiesRecord = parse(\n      this.decodeCookieValue(req.headers.get(\"cookie\") || \"\")\n    );\n    return new Map(Object.entries(cookiesRecord));\n  }\n\n  private decodeCookieValue(str: string) {\n    return str ? str.replace(/(%[0-9A-Z]{2})+/g, decodeURIComponent) : str;\n  }\n}\n\nexport const createTernSecureRequest = (\n  ...args: ConstructorParameters<typeof TernSecureRequest>\n): TernSecureRequest => {\n  return args[0] instanceof TernSecureRequest\n    ? args[0]\n    : new TernSecureRequest(...args);\n};\n\nexport type { TernSecureRequest };\n","export const GOOGLE_PUBLIC_KEYS_URL =\n  'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com';\nexport const SESSION_COOKIE_PUBLIC_KEYS_URL =\n  'https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys';\nexport const MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;\nexport const DEFAULT_CACHE_DURATION = 3600 * 1000; // 1 hour in milliseconds\nexport const CACHE_CONTROL_REGEX = /max-age=(\\d+)/;\n\nconst Attributes = {\n  AuthToken: '__ternsecureAuthToken',\n  AuthSignature: '__ternsecureAuthSignature',\n  AuthStatus: '__ternsecureAuthStatus',\n  AuthReason: '__ternsecureAuthReason',\n  AuthMessage: '__ternsecureAuthMessage',\n  TernSecureUrl: '__ternsecureUrl',\n} as const;\n\nconst Cookies = {\n  Session: '__session',\n  IdToken: '_tern',\n  SessionCookie: '_session_cookie',\n  SessionToken: '_session_token',\n  Refresh: '__refresh',\n  Handshake: '__ternsecure_handshake',\n  DevBrowser: '__ternsecure_db_jwt',\n  RedirectCount: '__ternsecure_redirect_count',\n  HandshakeNonce: '__ternsecure_handshake_nonce',\n} as const;\n\nconst Headers = {\n  Accept: 'accept',\n  AuthMessage: 'x-ternsecure-auth-message',\n  Authorization: 'authorization',\n  AuthReason: 'x-ternsecure-auth-reason',\n  AuthSignature: 'x-ternsecure-auth-signature',\n  AuthStatus: 'x-ternsecure-auth-status',\n  AuthToken: 'x-ternsecure-auth-token',\n  CacheControl: 'cache-control',\n  TernSecureRedirectTo: 'x-ternsecure-redirect-to',\n  TernSecureRequestData: 'x-ternsecure-request-data',\n  TernSecureUrl: 'x-ternsecure-url',\n  CloudFrontForwardedProto: 'cloudfront-forwarded-proto',\n  ContentType: 'content-type',\n  ContentSecurityPolicy: 'content-security-policy',\n  ContentSecurityPolicyReportOnly: 'content-security-policy-report-only',\n  EnableDebug: 'x-ternsecure-debug',\n  ForwardedHost: 'x-forwarded-host',\n  ForwardedPort: 'x-forwarded-port',\n  ForwardedProto: 'x-forwarded-proto',\n  Host: 'host',\n  Location: 'location',\n  Nonce: 'x-nonce',\n  Origin: 'origin',\n  Referrer: 'referer',\n  SecFetchDest: 'sec-fetch-dest',\n  UserAgent: 'user-agent',\n  ReportingEndpoints: 'reporting-endpoints',\n} as const;\n\nconst ContentTypes = {\n  Json: 'application/json',\n} as const;\n\n/**\n * @internal\n */\nexport const constants = {\n  Attributes,\n  Cookies,\n  Headers,\n  ContentTypes,\n} as const;\n\nexport type Constants = typeof constants;\n","class TernUrl extends URL {\n  public isCrossOrigin(other: URL | string) {\n    return this.origin !== new URL(other.toString()).origin;\n  }\n}\n\nexport type WithTernUrl<T> = T & {\n  /**\n   * When a NextJs app is hosted on a platform different from Vercel\n   * or inside a container (Netlify, Fly.io, AWS Amplify, docker etc),\n   * req.url is always set to `localhost:3000` instead of the actual host of the app.\n   *\n   */\n  ternUrl: TernUrl;\n};\n\nexport const createTernUrl = (\n  ...args: ConstructorParameters<typeof TernUrl>\n): TernUrl => {\n  return new TernUrl(...args);\n};\n\nexport type { TernUrl };\n","import type { CheckCustomClaims, DecodedIdToken,SharedSignInAuthObjectProperties } from \"@tern-secure/types\";\n\nimport { VerifyNextTernSessionCookie } from \"../admin/nextSessionTernSecure\";\nimport type { TernSecureRequest} from \"../tokens/ternSecureRequest\";\nimport { createTernSecureRequest } from \"../tokens/ternSecureRequest\";\n\nexport type SignInAuthObject = SharedSignInAuthObjectProperties & {\n  has: CheckCustomClaims\n}\n\nexport type SignInState = {\n  auth: () => SignInAuthObject\n  token: string\n  headers: Headers\n}\n\nexport type RequestState = SignInState\n\nexport interface BackendInstance {\n  ternSecureRequest: TernSecureRequest;\n  requestState: RequestState;\n}\n\nexport const createBackendInstance = async (request: Request): Promise<BackendInstance> => {\n  const ternSecureRequest = createTernSecureRequest(request);\n  const requestState = await authenticateRequest(request);\n  \n  return {\n    ternSecureRequest,\n    requestState,\n  };\n};\n\nexport async function authenticateRequest(request: Request): Promise<RequestState> {\n  const sessionCookie = request.headers.get('cookie');\n  const sessionToken = sessionCookie?.split(';')\n    .find(c => c.trim().startsWith('_session_cookie='))\n    ?.split('=')[1];\n  \n  if (!sessionToken) {\n    throw new Error(\"No session token found\");\n  }\n\n  const verificationResult = await VerifyNextTernSessionCookie(sessionToken);\n\n  if (!verificationResult.valid) {\n    throw new Error(\"Invalid session token\");\n  }\n\n  return signedIn(\n    verificationResult as DecodedIdToken,\n    new Headers(request.headers),\n    sessionToken\n  );\n}\n\nexport function signInAuthObject(\n  session: DecodedIdToken,\n): SignInAuthObject {\n  return {\n    session,\n    userId: session.uid,\n    has: {} as CheckCustomClaims,\n  };\n}\n\nexport function signedIn(\n  session: DecodedIdToken,\n  headers: Headers = new Headers(),\n  token: string\n): SignInState {\n  const authObject = signInAuthObject(session);\n  return {\n    auth: () => authObject,\n    token,\n    headers,\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACEA,oBAAwC;;;ACAjC,IAAM,mBAAmB,CAAC,YAA6B;AAC5D,QAAM,eAAe,SAAS,SAAS;AAEvC,SAAO;AAAA,IACL,aAAa,cAAc;AAAA,IAC3B,uBAAuB,cAAc,YAAY;AAAA,IACjD,4BAA4B,KAAK,OAAO,cAAc,YAAY,UAAU,KAAK,GAAI;AAAA,IACrF,kCAAkC,cAAc;AAAA,EAClD;AACF;AAGO,IAAM,mBAAmB,CAAC,YAA6B;AAC5D,QAAM,eAAe,SAAS,SAAS;AAEvC,SAAO;AAAA,IACL,UAAU,cAAc,YAAY;AAAA,IACpC,QAAQ,cAAc,YAAY;AAAA,IAClC,UAAU,cAAc,YAAY;AAAA,IACpC,MAAM,cAAc,YAAY;AAAA,EAClC;AACF;;;ACvBA,4BAAkB;;;ACwEX,IAAM,kBAAkB,OAA8B;AAAA,EAC3D,WAAW,QAAQ,IAAI,uBAAuB;AAAA,EAC9C,aAAa,QAAQ,IAAI,yBAAyB;AAAA,EAClD,YAAY,QAAQ,IAAI,wBAAwB;AAClD;AAOO,IAAM,sBAAsB,CAAC,WAA+D;AACjG,QAAM,iBAAkD;AAAA,IACtD;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,QAAM,SAAmB,CAAC;AAE1B,iBAAe,QAAQ,WAAS;AAC9B,QAAI,CAAC,OAAO,KAAK,GAAG;AAClB,aAAO,KAAK,oCAAoC,OAAO,KAAK,EAAE,YAAY,CAAC,EAAE;AAAA,IAC/E;AAAA,EACF,CAAC;AAED,SAAO;AAAA,IACL,SAAS,OAAO,WAAW;AAAA,IAC3B;AAAA,IACA;AAAA,EACF;AACF;AAMO,IAAM,wBAAwB,MAA6B;AAChE,QAAM,SAAS,gBAAgB;AAC/B,QAAM,mBAAmB,oBAAoB,MAAM;AAEnD,MAAI,CAAC,iBAAiB,SAAS;AAC7B,UAAM,IAAI;AAAA,MACR;AAAA,EAAoD,iBAAiB,OAAO,KAAK,IAAI,CAAC;AAAA,IACxF;AAAA,EACF;AAEA,SAAO;AACT;;;ADpHA,IAAI,CAAC,sBAAAA,QAAM,KAAK,QAAQ;AACtB,MAAI;AACF,UAAM,SAAS,sBAAsB;AACrC,0BAAAA,QAAM,cAAc;AAAA,MAClB,YAAY,sBAAAA,QAAM,WAAW,KAAK;AAAA,QAChC,GAAG;AAAA,QACH,YAAY,OAAO,WAAW,QAAQ,QAAQ,IAAI;AAAA,MACpD,CAAC;AAAA,IACH,CAAC;AAAA,EACH,SAAS,OAAO;AACd,YAAQ,MAAM,uCAAuC,KAAK;AAAA,EAC5D;AACF;AAEO,IAAM,sBAAuC,sBAAAA,QAAM,KAAK;AACxD,IAAM,oBAA+C,sBAAAA,QAAM,UAAU;AACrE,IAAM,0BAAoD,sBAAAA,QAAM,KAAK,EAAE,cAAc;AASrF,SAAS,iBAAiB,UAAoC;AACnE,MAAI,UAAU;AACZ,WAAO,wBAAwB,cAAc,QAAQ;AAAA,EACvD;AACA,SAAO,sBAAAA,QAAM,KAAK;AACpB;;;AFrBA,IAAM,oBAAoB;AAAA,EACxB,aAAa;AAAA;AAAA;AAAA,EAGb,uBAAuB,IAAI,KAAK;AAAA;AAAA,EAChC,4BAA4B,IAAI;AAAA,EAChC,kCAAkC;AACpC;AAEA,IAAM,iBAAiB;AAAA,EACrB,UAAU;AAAA,EACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,EACjC,UAAU;AAAA,EACV,MAAM;AACR;AAGA,eAAsB,oBACpB,QACA,aACA,SACwB;AACxB,MAAI;AACF,UAAM,aAAa,iBAAiB,SAAS,QAAQ;AAErD,UAAM,gBAAgB,iBAAiB,OAAO;AAC9C,UAAM,gBAAgB,iBAAiB,OAAO;AAE9C,QAAI;AACJ,QAAI;AAEJ,UAAM,UAAU,OAAO,WAAW,WAAW,SAAS,OAAO;AAE7D,QAAI,CAAC,SAAS;AACZ,YAAM,QAAQ,IAAI,MAAM,2CAA2C;AACnE,cAAQ,MAAM,2CAA2C,KAAK;AAC9D,aAAO;AAAA,QACL,SAAS;AAAA,QACT,SAAS;AAAA,QACT,OAAO;AAAA,QACP,WAAW;AAAA,MACb;AAAA,IACF;AAEA,QAAI;AACF,cAAQ,IAAI,kCAAkC,SAAS,QAAQ;AAC/D,qBAAe,MAAM,WAAW,cAAc,OAAO;AAAA,IACvD,SAAS,aAAa;AACpB,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,MACF;AACA,YAAM,gBAAY,uCAAwB,WAAW;AACrD,aAAO;AAAA,QACL,SAAS;AAAA,QACT,SAAS,UAAU;AAAA,QACnB,OAAO,UAAU;AAAA,QACjB,WAAW;AAAA,MACb;AAAA,IACF;AAEA,QAAI,CAAC,cAAc;AACjB,YAAM,QAAQ,IAAI,MAAM,+CAA+C;AACvE,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,MACF;AACA,aAAO;AAAA,QACL,SAAS;AAAA,QACT,SAAS;AAAA,QACT,OAAO;AAAA,QACP,WAAW;AAAA,MACb;AAAA,IACF;AAEA,QAAI;AACF,sBAAgB,MAAM,WAAW,oBAAoB,SAAS;AAAA,QAC5D,WAAW,kBAAkB;AAAA,MAC/B,CAAC;AAAA,IACH,SAAS,cAAc;AACrB,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,MACF;AACA,YAAM,gBAAY,uCAAwB,YAAY;AACtD,aAAO;AAAA,QACL,SAAS;AAAA,QACT,SAAS,UAAU;AAAA,QACnB,OAAO,UAAU;AAAA,QACjB,WAAW;AAAA,MACb;AAAA,IACF;AAGA,QAAI,wBAAwB;AAC5B,QAAI;AAEF,kBAAY,IAAI,kBAAkB,aAAa,eAAe;AAAA,QAC5D,QAAQ,kBAAkB;AAAA,QAC1B,GAAG;AAAA,MACL,CAAC;AAGD,YAAM,kBAAkB,MAAM,YAAY;AAAA,QACxC,kBAAkB;AAAA,MACpB;AACA,8BAAwB,CAAC,CAAC,iBAAiB;AAE3C,UAAI,CAAC,uBAAuB;AAC1B,cAAM,QAAQ,IAAI,MAAM,yCAAyC;AACjE,gBAAQ;AAAA,UACN;AAAA,UACA;AAAA,QACF;AACA,cAAM;AAAA,MACR;AAAA,IACF,SAAS,aAAa;AACpB,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,MACF;AACA,aAAO;AAAA,QACL,SAAS;AAAA,QACT,SAAS;AAAA,QACT,OAAO;AAAA,QACP,WAAW;AAAA,MACb;AAAA,IACF;AAEA,YAAQ;AAAA,MACN,uEAAuE,aAAa,GAAG;AAAA,IACzF;AACA,WAAO;AAAA,MACL,SAAS;AAAA,MACT,SAAS;AAAA,MACT,WAAW,kBAAkB;AAAA,MAC7B,WAAW;AAAA,IACb;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,2CAA2C,KAAK;AAC9D,UAAM,gBAAY,uCAAwB,KAAK;AAC/C,WAAO;AAAA,MACL,SAAS;AAAA,MACT,SAAS,UAAU,WAAW;AAAA,MAC9B,OAAO,UAAU,QAAQ;AAAA,MACzB,WAAW;AAAA,IACb;AAAA,EACF;AACF;AAEA,eAAsB,mBACpB,aACA,SACwB;AACxB,MAAI;AACF,UAAM,YAAY,iBAAiB,SAAS,QAAQ;AACpD,UAAM,gBAAgB,MAAM,YAAY,IAAI,kBAAkB,WAAW;AAEzE,UAAM,YAAY,OAAO,kBAAkB,WAAW;AACtD,UAAM,YAAY,OAAO,gBAAgB;AACzC,UAAM,YAAY,OAAO,UAAU;AAEnC,QACE,kBAAkB,oCAClB,eAAe,OACf;AACA,UAAI;AACF,cAAM,gBAAgB,MAAM,UAAU;AAAA,UACpC,cAAc;AAAA,QAChB;AACA,cAAM,UAAU,oBAAoB,cAAc,GAAG;AACrD,gBAAQ;AAAA,UACN,8DAA8D,cAAc,GAAG;AAAA,QACjF;AAAA,MACF,SAAS,aAAa;AACpB,gBAAQ;AAAA,UACN;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,YAAQ,IAAI,2DAA2D;AACvE,WAAO;AAAA,MACL,SAAS;AAAA,MACT,SAAS;AAAA,MACT,WAAW;AAAA,IACb;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,0CAA0C,KAAK;AAC7D,UAAM,gBAAY,uCAAwB,KAAK;AAC/C,WAAO;AAAA,MACL,SAAS;AAAA,MACT,SAAS,UAAU,WAAW;AAAA,MAC9B,OAAO,UAAU,QAAQ;AAAA,MACzB,WAAW;AAAA,IACb;AAAA,EACF;AACF;;;AI9MA,eAAsB,aACpB,aACA,mBAIA,mBAOA;AACA,MAAI;AACF,UAAM,eAAe;AAAA,MACnB;AAAA,MACA;AAAA,MACA,GAAI,qBAAqB,EAAE,kBAAkB;AAAA,IAC/C;AAEA,UAAM,SAAS,MAAM,wBAAwB,aAAa,YAAY;AAEtE,WAAO;AAAA,MACL,SAAS;AAAA,MACT,UAAU,OAAO;AAAA,MACjB,aAAa,OAAO;AAAA,IACtB;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,0BAA0B,KAAK;AAC7C,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AACF;AAEA,eAAsB,iBACpB,OACA,UACA,UACyB;AACzB,MAAI;AACF,UAAM,aAAa,wBAAwB,cAAc,QAAQ;AAEjE,UAAM,aAAa,MAAM,WAAW,WAAW;AAAA,MAC7C;AAAA,MACA;AAAA,MACA,eAAe;AAAA,MACf,UAAU;AAAA,IACZ,CAAC;AAED,WAAO;AAAA,MACL,SAAS;AAAA,MACT,SAAS;AAAA,MACT,MAAM,WAAW;AAAA,IACnB;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B,KAAK;AAClD,UAAM,IAAI,MAAM,8BAA8B;AAAA,EAChD;AACF;;;AC7DA,IAAAC,iBAAwC;AAExC,qBAAwB;AAKxB,IAAMC,qBAAoB;AAAA,EACxB,aAAa;AAAA,EACb,uBAAuB,KAAK,KAAK,KAAK,IAAI;AAAA;AAAA,EAC1C,4BAA4B,KAAK,KAAK,KAAK;AAAA,EAC3C,kCAAkC;AACpC;AAEA,eAAsB,wBAAwB,SAAiB;AAC7D,MAAI;AACF,UAAM,YAAY,KAAK,KAAK,KAAK,IAAI;AACrC,UAAM,gBAAgB,MAAM,oBAAU,oBAAoB,SAAS;AAAA,MACjE;AAAA,IACF,CAAC;AAED,UAAM,cAAc,UAAM,wBAAQ;AAClC,gBAAY,IAAI,mBAAmB,eAAe;AAAA,MAChD,QAAQ;AAAA,MACR,UAAU;AAAA,MACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,MACjC,MAAM;AAAA,IACR,CAAC;AACD,WAAO,EAAE,SAAS,MAAM,SAAS,kBAAkB;AAAA,EACrD,SAAS,OAAO;AACd,WAAO,EAAE,SAAS,OAAO,SAAS,2BAA2B;AAAA,EAC/D;AACF;AAEA,eAAsB,6BAA6B;AACjD,QAAM,cAAc,UAAM,wBAAQ;AAClC,QAAM,gBAAgB,YAAY,IAAI,iBAAiB,GAAG;AAE1D,MAAI,CAAC,eAAe;AAClB,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AAEA,MAAI;AACF,UAAM,gBAAgB,MAAM,oBAAU;AAAA,MACpC;AAAA,MACA;AAAA,IACF;AACA,WAAO;AAAA,MACL,OAAO;AAAA,MACP,QAAQ,cAAc;AAAA,IACxB;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,4BAA4B,KAAK;AAC/C,UAAM,IAAI,MAAM,iBAAiB;AAAA,EACnC;AACF;AAEA,eAAsB,iBAAiB;AACrC,QAAM,cAAc,UAAM,wBAAQ;AAClC,QAAM,QAAQ,YAAY,IAAI,gBAAgB,GAAG;AAEjD,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AAEA,MAAI;AACF,UAAM,gBAAgB,MAAM,oBAAU,cAAc,KAAK;AACzD,WAAO;AAAA,MACL;AAAA,MACA,QAAQ,cAAc;AAAA,IACxB;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,4BAA4B,KAAK;AAC/C,UAAM,IAAI,MAAM,iBAAiB;AAAA,EACnC;AACF;AAEA,eAAsB,qBAAqB,OAAe;AACxD,MAAI;AACF,UAAM,cAAc,UAAM,wBAAQ;AAClC,gBAAY,IAAI,kBAAkB,OAAO;AAAA,MACvC,UAAU;AAAA,MACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,MACjC,UAAU;AAAA,MACV,QAAQ,KAAK;AAAA;AAAA,MACb,MAAM;AAAA,IACR,CAAC;AACD,WAAO,EAAE,SAAS,MAAM,SAAS,kBAAkB;AAAA,EACrD,QAAQ;AACN,WAAO,EAAE,SAAS,OAAO,SAAS,2BAA2B;AAAA,EAC/D;AACF;AAEA,eAAsB,mBAAmB,OAAe;AACtD,MAAI;AACF,UAAM,cAAc,UAAM,wBAAQ;AAClC,gBAAY,IAAI,SAAS,OAAO;AAAA,MAC9B,UAAU;AAAA,MACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,MACjC,UAAU;AAAA,MACV,QAAQ,KAAK;AAAA;AAAA,MACb,MAAM;AAAA,IACR,CAAC;AACD,WAAO,EAAE,SAAS,MAAM,SAAS,kBAAkB;AAAA,EACrD,QAAQ;AACN,WAAO,EAAE,SAAS,OAAO,SAAS,2BAA2B;AAAA,EAC/D;AACF;AAEA,eAAsB,sBACpB,OACiC;AACjC,MAAI;AACF,UAAM,eAAe,MAAM,oBAAU,cAAc,KAAK;AACxD,WAAO;AAAA,MACL,GAAG;AAAA,MACH,OAAO;AAAA,IACT;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,oDAAoD,KAAK;AACvE,UAAM,gBAAY,wCAAwB,KAAK;AAC/C,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AAAA,EACF;AACF;AAEA,eAAsB,4BACpB,SACiC;AACjC,MAAI;AACF,UAAM,MAAM,MAAM,oBAAU,oBAAoB,OAAO;AACvD,YAAQ;AAAA,MACN;AAAA,MACA,IAAI;AAAA,IACN;AACA,WAAO;AAAA,MACL,OAAO;AAAA,MACP,GAAG;AAAA,IACL;AAAA,EACF,SAAS,OAAO;AACd,YAAQ;AAAA,MACN;AAAA,MACA;AAAA,IACF;AACA,UAAM,gBAAY,wCAAwB,KAAK;AAC/C,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AAAA,EACF;AACF;AAEA,eAAsB,uBAAuB,UAAmB;AAC9D,MAAI;AACF,YAAQ,IAAI,qDAAqD,QAAQ;AACzE,UAAM,aAAa,iBAAiB,QAAQ;AAC5C,UAAM,cAAc,UAAM,wBAAQ;AAClC,UAAM,gBAAgB,YAAY,IAAIA,mBAAkB,WAAW;AAEnE,gBAAY,OAAOA,mBAAkB,WAAW;AAChD,gBAAY,OAAO,gBAAgB;AACnC,gBAAY,OAAO,UAAU;AAE7B,QACEA,mBAAkB,oCAClB,eAAe,OACf;AACA,UAAI;AACF,cAAM,gBAAgB,MAAM,WAAW;AAAA,UACrC,cAAc;AAAA,QAChB;AACA,cAAM,WAAW,oBAAoB,cAAc,GAAG;AACtD,gBAAQ;AAAA,UACN,8DAA8D,cAAc,GAAG;AAAA,QACjF;AAAA,MACF,SAAS,aAAa;AACpB,gBAAQ;AAAA,UACN;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,WAAO,EAAE,SAAS,MAAM,SAAS,+BAA+B;AAAA,EAClE,SAAS,OAAO;AACd,YAAQ,MAAM,2BAA2B,KAAK;AAC9C,WAAO,EAAE,SAAS,OAAO,SAAS,kCAAkC;AAAA,EACtE;AACF;;;AC/LA,oBAAsB;;;ACIf,IAAM,oCAAoC,IAAI;AAC9C,IAAM,yBAAyB,OAAO;AAG7C,IAAM,aAAa;AAAA,EACjB,WAAW;AAAA,EACX,eAAe;AAAA,EACf,YAAY;AAAA,EACZ,YAAY;AAAA,EACZ,aAAa;AAAA,EACb,eAAe;AACjB;AAEA,IAAM,UAAU;AAAA,EACd,SAAS;AAAA,EACT,SAAS;AAAA,EACT,eAAe;AAAA,EACf,cAAc;AAAA,EACd,SAAS;AAAA,EACT,WAAW;AAAA,EACX,YAAY;AAAA,EACZ,eAAe;AAAA,EACf,gBAAgB;AAClB;AAEA,IAAMC,WAAU;AAAA,EACd,QAAQ;AAAA,EACR,aAAa;AAAA,EACb,eAAe;AAAA,EACf,YAAY;AAAA,EACZ,eAAe;AAAA,EACf,YAAY;AAAA,EACZ,WAAW;AAAA,EACX,cAAc;AAAA,EACd,sBAAsB;AAAA,EACtB,uBAAuB;AAAA,EACvB,eAAe;AAAA,EACf,0BAA0B;AAAA,EAC1B,aAAa;AAAA,EACb,uBAAuB;AAAA,EACvB,iCAAiC;AAAA,EACjC,aAAa;AAAA,EACb,eAAe;AAAA,EACf,eAAe;AAAA,EACf,gBAAgB;AAAA,EAChB,MAAM;AAAA,EACN,UAAU;AAAA,EACV,OAAO;AAAA,EACP,QAAQ;AAAA,EACR,UAAU;AAAA,EACV,cAAc;AAAA,EACd,WAAW;AAAA,EACX,oBAAoB;AACtB;AAEA,IAAM,eAAe;AAAA,EACnB,MAAM;AACR;AAKO,IAAM,YAAY;AAAA,EACvB;AAAA,EACA;AAAA,EACA,SAAAA;AAAA,EACA;AACF;;;ACvEA,IAAM,UAAN,cAAsB,IAAI;AAAA,EACjB,cAAc,OAAqB;AACxC,WAAO,KAAK,WAAW,IAAI,IAAI,MAAM,SAAS,CAAC,EAAE;AAAA,EACnD;AACF;AAYO,IAAM,gBAAgB,IACxB,SACS;AACZ,SAAO,IAAI,QAAQ,GAAG,IAAI;AAC5B;;;AFdA,IAAM,oBAAN,cAAgC,QAAQ;AAAA,EAC7B;AAAA,EACA;AAAA,EAEF,YACL,OACA,MACA;AACA,UAAM,MACJ,OAAO,UAAU,YAAY,SAAS,QAAQ,MAAM,MAAM,OAAO,KAAK;AACxE,UAAM,KAAK,QAAQ,OAAO,UAAU,WAAW,SAAY,KAAK;AAChE,SAAK,UAAU,KAAK,qBAAqB,IAAI;AAC7C,SAAK,UAAU,KAAK,aAAa,IAAI;AAAA,EACvC;AAAA,EAEO,SAAS;AACd,WAAO;AAAA,MACL,KAAK,KAAK,QAAQ;AAAA,MAClB,QAAQ,KAAK;AAAA,MACb,SAAS,KAAK,UAAU,OAAO,YAAY,KAAK,OAAO,CAAC;AAAA,MACxD,SAAS,KAAK,QAAQ,SAAS;AAAA,MAC/B,SAAS,KAAK,UAAU,OAAO,YAAY,KAAK,OAAO,CAAC;AAAA,IAC1D;AAAA,EACF;AAAA,EAEQ,qBAAqB,KAAc;AACzC,UAAM,aAAa,IAAI,IAAI,IAAI,GAAG;AAClC,UAAM,iBAAiB,IAAI,QAAQ,IAAI,UAAU,QAAQ,cAAc;AACvE,UAAM,gBAAgB,IAAI,QAAQ,IAAI,UAAU,QAAQ,aAAa;AACrE,UAAM,OAAO,IAAI,QAAQ,IAAI,UAAU,QAAQ,IAAI;AACnD,UAAM,WAAW,WAAW;AAE5B,UAAM,eAAe,KAAK,wBAAwB,aAAa,KAAK;AACpE,UAAM,mBACJ,KAAK,wBAAwB,cAAc,KAC3C,UAAU,QAAQ,QAAQ,EAAE;AAC9B,UAAM,SACJ,gBAAgB,mBACZ,GAAG,gBAAgB,MAAM,YAAY,KACrC,WAAW;AAEjB,QAAI,WAAW,WAAW,QAAQ;AAChC,aAAO,cAAc,UAAU;AAAA,IACjC;AAEA,WAAO,cAAc,WAAW,WAAW,WAAW,QAAQ,MAAM;AAAA,EACtE;AAAA,EAEQ,wBAAwB,OAAuB;AACrD,WAAO,OAAO,MAAM,GAAG,EAAE,CAAC;AAAA,EAC5B;AAAA,EAEQ,aAAa,KAAc;AACjC,UAAM,oBAAgB;AAAA,MACpB,KAAK,kBAAkB,IAAI,QAAQ,IAAI,QAAQ,KAAK,EAAE;AAAA,IACxD;AACA,WAAO,IAAI,IAAI,OAAO,QAAQ,aAAa,CAAC;AAAA,EAC9C;AAAA,EAEQ,kBAAkB,KAAa;AACrC,WAAO,MAAM,IAAI,QAAQ,oBAAoB,kBAAkB,IAAI;AAAA,EACrE;AACF;AAEO,IAAM,0BAA0B,IAClC,SACmB;AACtB,SAAO,KAAK,CAAC,aAAa,oBACtB,KAAK,CAAC,IACN,IAAI,kBAAkB,GAAG,IAAI;AACnC;;;AGrDO,IAAM,wBAAwB,OAAO,YAA+C;AACzF,QAAM,oBAAoB,wBAAwB,OAAO;AACzD,QAAM,eAAe,MAAM,oBAAoB,OAAO;AAEtD,SAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACF;AAEA,eAAsB,oBAAoB,SAAyC;AACjF,QAAM,gBAAgB,QAAQ,QAAQ,IAAI,QAAQ;AAClD,QAAM,eAAe,eAAe,MAAM,GAAG,EAC1C,KAAK,OAAK,EAAE,KAAK,EAAE,WAAW,kBAAkB,CAAC,GAChD,MAAM,GAAG,EAAE,CAAC;AAEhB,MAAI,CAAC,cAAc;AACjB,UAAM,IAAI,MAAM,wBAAwB;AAAA,EAC1C;AAEA,QAAM,qBAAqB,MAAM,4BAA4B,YAAY;AAEzE,MAAI,CAAC,mBAAmB,OAAO;AAC7B,UAAM,IAAI,MAAM,uBAAuB;AAAA,EACzC;AAEA,SAAO;AAAA,IACL;AAAA,IACA,IAAI,QAAQ,QAAQ,OAAO;AAAA,IAC3B;AAAA,EACF;AACF;AAEO,SAAS,iBACd,SACkB;AAClB,SAAO;AAAA,IACL;AAAA,IACA,QAAQ,QAAQ;AAAA,IAChB,KAAK,CAAC;AAAA,EACR;AACF;AAEO,SAAS,SACd,SACA,UAAmB,IAAI,QAAQ,GAC/B,OACa;AACb,QAAM,aAAa,iBAAiB,OAAO;AAC3C,SAAO;AAAA,IACL,MAAM,MAAM;AAAA,IACZ;AAAA,IACA;AAAA,EACF;AACF;","names":["admin","import_errors","SESSION_CONSTANTS","Headers"]}

package/dist/admin/index.mjs

@@ -0,0 +1,512 @@
+import {
+  createTernSecureRequest,
+  getCookieOptions,
+  getSessionConfig
+} from "../chunk-JFOTE3Y5.mjs";
+
+// src/admin/sessionTernSecure.ts
+import { handleFirebaseAuthError } from "@tern-secure/shared/errors";
+
+// src/utils/admin-init.ts
+import admin from "firebase-admin";
+
+// src/utils/config.ts
+var loadAdminConfig = () => ({
+  projectId: process.env.FIREBASE_PROJECT_ID || "",
+  clientEmail: process.env.FIREBASE_CLIENT_EMAIL || "",
+  privateKey: process.env.FIREBASE_PRIVATE_KEY || ""
+});
+var validateAdminConfig = (config) => {
+  const requiredFields = [
+    "projectId",
+    "clientEmail",
+    "privateKey"
+  ];
+  const errors = [];
+  requiredFields.forEach((field) => {
+    if (!config[field]) {
+      errors.push(`Missing required field: FIREBASE_${String(field).toUpperCase()}`);
+    }
+  });
+  return {
+    isValid: errors.length === 0,
+    errors,
+    config
+  };
+};
+var initializeAdminConfig = () => {
+  const config = loadAdminConfig();
+  const validationResult = validateAdminConfig(config);
+  if (!validationResult.isValid) {
+    throw new Error(
+      `Firebase Admin configuration validation failed:
+${validationResult.errors.join("\n")}`
+    );
+  }
+  return config;
+};
+
+// src/utils/admin-init.ts
+if (!admin.apps.length) {
+  try {
+    const config = initializeAdminConfig();
+    admin.initializeApp({
+      credential: admin.credential.cert({
+        ...config,
+        privateKey: config.privateKey.replace(/\\n/g, "\n")
+      })
+    });
+  } catch (error) {
+    console.error("Firebase admin initialization error", error);
+  }
+}
+var adminTernSecureAuth = admin.auth();
+var adminTernSecureDb = admin.firestore();
+var TernSecureTenantManager = admin.auth().tenantManager();
+function getAuthForTenant(tenantId) {
+  if (tenantId) {
+    return TernSecureTenantManager.authForTenant(tenantId);
+  }
+  return admin.auth();
+}
+
+// src/admin/sessionTernSecure.ts
+var SESSION_CONSTANTS = {
+  COOKIE_NAME: "_session_cookie",
+  //DEFAULT_EXPIRES_IN_MS: 60 * 60 * 24 * 5 * 1000, // 5 days
+  //DEFAULT_EXPIRES_IN_SECONDS: 60 * 60 * 24 * 5, // 5days
+  DEFAULT_EXPIRES_IN_MS: 5 * 60 * 1e3,
+  // 5 minutes
+  DEFAULT_EXPIRES_IN_SECONDS: 5 * 60,
+  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true
+};
+var COOKIE_OPTIONS = {
+  httpOnly: true,
+  secure: process.env.NODE_ENV === "production",
+  sameSite: "strict",
+  path: "/"
+};
+async function createSessionCookie(params, cookieStore, options) {
+  try {
+    const tenantAuth = getAuthForTenant(options?.tenantId);
+    const sessionConfig = getSessionConfig(options);
+    const cookieOptions = getCookieOptions(options);
+    let decodedToken;
+    let sessionCookie;
+    const idToken = typeof params === "string" ? params : params.idToken;
+    if (!idToken) {
+      const error = new Error("ID token is required for session creation");
+      console.error("[createSessionCookie] Missing ID token:", error);
+      return {
+        success: false,
+        message: "ID token is required",
+        error: "INVALID_TOKEN",
+        cookieSet: false
+      };
+    }
+    try {
+      console.log("Verifying ID token for tenant:", options?.tenantId);
+      decodedToken = await tenantAuth.verifyIdToken(idToken);
+    } catch (verifyError) {
+      console.error(
+        "[createSessionCookie] ID token verification failed:",
+        verifyError
+      );
+      const authError = handleFirebaseAuthError(verifyError);
+      return {
+        success: false,
+        message: authError.message,
+        error: authError.code,
+        cookieSet: false
+      };
+    }
+    if (!decodedToken) {
+      const error = new Error("Invalid ID token - verification returned null");
+      console.error(
+        "[createSessionCookie] Token verification returned null:",
+        error
+      );
+      return {
+        success: false,
+        message: "Invalid ID token",
+        error: "INVALID_TOKEN",
+        cookieSet: false
+      };
+    }
+    try {
+      sessionCookie = await tenantAuth.createSessionCookie(idToken, {
+        expiresIn: SESSION_CONSTANTS.DEFAULT_EXPIRES_IN_MS
+      });
+    } catch (sessionError) {
+      console.error(
+        "[createSessionCookie] Firebase session cookie creation failed:",
+        sessionError
+      );
+      const authError = handleFirebaseAuthError(sessionError);
+      return {
+        success: false,
+        message: authError.message,
+        error: authError.code,
+        cookieSet: false
+      };
+    }
+    let cookieSetSuccessfully = false;
+    try {
+      cookieStore.set(SESSION_CONSTANTS.COOKIE_NAME, sessionCookie, {
+        maxAge: SESSION_CONSTANTS.DEFAULT_EXPIRES_IN_SECONDS,
+        ...COOKIE_OPTIONS
+      });
+      const verifySetCookie = await cookieStore.get(
+        SESSION_CONSTANTS.COOKIE_NAME
+      );
+      cookieSetSuccessfully = !!verifySetCookie?.value;
+      if (!cookieSetSuccessfully) {
+        const error = new Error("Session cookie was not set successfully");
+        console.error(
+          "[createSessionCookie] Cookie verification failed:",
+          error
+        );
+        throw error;
+      }
+    } catch (cookieError) {
+      console.error(
+        "[createSessionCookie] Failed to set session cookie:",
+        cookieError
+      );
+      return {
+        success: false,
+        message: "Failed to set session cookie",
+        error: "COOKIE_SET_FAILED",
+        cookieSet: false
+      };
+    }
+    console.log(
+      `[createSessionCookie] Session cookie created successfully for user: ${decodedToken.uid}`
+    );
+    return {
+      success: true,
+      message: "Session created successfully",
+      expiresIn: SESSION_CONSTANTS.DEFAULT_EXPIRES_IN_SECONDS,
+      cookieSet: cookieSetSuccessfully
+    };
+  } catch (error) {
+    console.error("[createSessionCookie] Unexpected error:", error);
+    const authError = handleFirebaseAuthError(error);
+    return {
+      success: false,
+      message: authError.message || "Failed to create session",
+      error: authError.code || "INTERNAL_ERROR",
+      cookieSet: false
+    };
+  }
+}
+async function clearSessionCookie(cookieStore, options) {
+  try {
+    const adminAuth = getAuthForTenant(options?.tenantId);
+    const sessionCookie = await cookieStore.get(SESSION_CONSTANTS.COOKIE_NAME);
+    await cookieStore.delete(SESSION_CONSTANTS.COOKIE_NAME);
+    await cookieStore.delete("_session_token");
+    await cookieStore.delete("_session");
+    if (SESSION_CONSTANTS.REVOKE_REFRESH_TOKENS_ON_SIGNOUT && sessionCookie?.value) {
+      try {
+        const decodedClaims = await adminAuth.verifySessionCookie(
+          sessionCookie.value
+        );
+        await adminAuth.revokeRefreshTokens(decodedClaims.sub);
+        console.log(
+          `[clearSessionCookie] Successfully revoked tokens for user: ${decodedClaims.sub}`
+        );
+      } catch (revokeError) {
+        console.error(
+          "[clearSessionCookie] Failed to revoke refresh tokens:",
+          revokeError
+        );
+      }
+    }
+    console.log("[clearSessionCookie] Session cookies cleared successfully");
+    return {
+      success: true,
+      message: "Session cleared successfully",
+      cookieSet: false
+    };
+  } catch (error) {
+    console.error("[clearSessionCookie] Unexpected error:", error);
+    const authError = handleFirebaseAuthError(error);
+    return {
+      success: false,
+      message: authError.message || "Failed to clear session",
+      error: authError.code || "INTERNAL_ERROR",
+      cookieSet: false
+    };
+  }
+}
+
+// src/admin/tenant.ts
+async function createTenant(displayName, emailSignInConfig, multiFactorConfig) {
+  try {
+    const tenantConfig = {
+      displayName,
+      emailSignInConfig,
+      ...multiFactorConfig && { multiFactorConfig }
+    };
+    const tenant = await TernSecureTenantManager.createTenant(tenantConfig);
+    return {
+      success: true,
+      tenantId: tenant.tenantId,
+      displayName: tenant.displayName
+    };
+  } catch (error) {
+    console.error("Error creating tenant:", error);
+    throw new Error("Failed to create tenant");
+  }
+}
+async function createTenantUser(email, password, tenantId) {
+  try {
+    const tenantAuth = TernSecureTenantManager.authForTenant(tenantId);
+    const userRecord = await tenantAuth.createUser({
+      email,
+      password,
+      emailVerified: false,
+      disabled: false
+    });
+    return {
+      success: true,
+      message: "Tenant user created successfully",
+      user: userRecord.uid
+    };
+  } catch (error) {
+    console.error("Error creating tenant user:", error);
+    throw new Error("Failed to create tenant user");
+  }
+}
+
+// src/admin/nextSessionTernSecure.ts
+import { handleFirebaseAuthError as handleFirebaseAuthError2 } from "@tern-secure/shared/errors";
+import { cookies } from "next/headers";
+var SESSION_CONSTANTS2 = {
+  COOKIE_NAME: "_session_cookie",
+  DEFAULT_EXPIRES_IN_MS: 60 * 60 * 24 * 5 * 1e3,
+  // 5 days
+  DEFAULT_EXPIRES_IN_SECONDS: 60 * 60 * 24 * 5,
+  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true
+};
+async function CreateNextSessionCookie(idToken) {
+  try {
+    const expiresIn = 60 * 60 * 24 * 5 * 1e3;
+    const sessionCookie = await adminTernSecureAuth.createSessionCookie(idToken, {
+      expiresIn
+    });
+    const cookieStore = await cookies();
+    cookieStore.set("_session_cookie", sessionCookie, {
+      maxAge: expiresIn,
+      httpOnly: true,
+      secure: process.env.NODE_ENV === "production",
+      path: "/"
+    });
+    return { success: true, message: "Session created" };
+  } catch (error) {
+    return { success: false, message: "Failed to create session" };
+  }
+}
+async function GetNextServerSessionCookie() {
+  const cookieStore = await cookies();
+  const sessionCookie = cookieStore.get("_session_cookie")?.value;
+  if (!sessionCookie) {
+    throw new Error("No session cookie found");
+  }
+  try {
+    const decondeClaims = await adminTernSecureAuth.verifySessionCookie(
+      sessionCookie,
+      true
+    );
+    return {
+      token: sessionCookie,
+      userId: decondeClaims.uid
+    };
+  } catch (error) {
+    console.error("Error verifying session:", error);
+    throw new Error("Invalid Session");
+  }
+}
+async function GetNextIdToken() {
+  const cookieStore = await cookies();
+  const token = cookieStore.get("_session_token")?.value;
+  if (!token) {
+    throw new Error("No session cookie found");
+  }
+  try {
+    const decodedClaims = await adminTernSecureAuth.verifyIdToken(token);
+    return {
+      token,
+      userId: decodedClaims.uid
+    };
+  } catch (error) {
+    console.error("Error verifying session:", error);
+    throw new Error("Invalid Session");
+  }
+}
+async function SetNextServerSession(token) {
+  try {
+    const cookieStore = await cookies();
+    cookieStore.set("_session_token", token, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === "production",
+      sameSite: "strict",
+      maxAge: 60 * 60,
+      // 1 hour
+      path: "/"
+    });
+    return { success: true, message: "Session created" };
+  } catch {
+    return { success: false, message: "Failed to create session" };
+  }
+}
+async function SetNextServerToken(token) {
+  try {
+    const cookieStore = await cookies();
+    cookieStore.set("_tern", token, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === "production",
+      sameSite: "strict",
+      maxAge: 60 * 60,
+      // 1 hour
+      path: "/"
+    });
+    return { success: true, message: "Session created" };
+  } catch {
+    return { success: false, message: "Failed to create session" };
+  }
+}
+async function VerifyNextTernIdToken(token) {
+  try {
+    const decodedToken = await adminTernSecureAuth.verifyIdToken(token);
+    return {
+      ...decodedToken,
+      valid: true
+    };
+  } catch (error) {
+    console.error("[VerifyNextTernIdToken] Error verifying session:", error);
+    const authError = handleFirebaseAuthError2(error);
+    return {
+      valid: false,
+      error: authError
+    };
+  }
+}
+async function VerifyNextTernSessionCookie(session) {
+  try {
+    const res = await adminTernSecureAuth.verifySessionCookie(session);
+    console.warn(
+      "[VerifyNextTernSessionCookie] uid in Decoded Token:",
+      res.uid
+    );
+    return {
+      valid: true,
+      ...res
+    };
+  } catch (error) {
+    console.error(
+      "[VerifyNextTernSessionCookie] Error verifying session:",
+      error
+    );
+    const authError = handleFirebaseAuthError2(error);
+    return {
+      valid: false,
+      error: authError
+    };
+  }
+}
+async function ClearNextSessionCookie(tenantId) {
+  try {
+    console.log("[clearSessionCookie] Clearing session for tenant:", tenantId);
+    const tenantAuth = getAuthForTenant(tenantId);
+    const cookieStore = await cookies();
+    const sessionCookie = cookieStore.get(SESSION_CONSTANTS2.COOKIE_NAME);
+    cookieStore.delete(SESSION_CONSTANTS2.COOKIE_NAME);
+    cookieStore.delete("_session_token");
+    cookieStore.delete("_session");
+    if (SESSION_CONSTANTS2.REVOKE_REFRESH_TOKENS_ON_SIGNOUT && sessionCookie?.value) {
+      try {
+        const decodedClaims = await tenantAuth.verifySessionCookie(
+          sessionCookie.value
+        );
+        await tenantAuth.revokeRefreshTokens(decodedClaims.sub);
+        console.log(
+          `[clearSessionCookie] Successfully revoked tokens for user: ${decodedClaims.sub}`
+        );
+      } catch (revokeError) {
+        console.error(
+          "[ClearNextSessionCookie] Failed to revoke refresh tokens:",
+          revokeError
+        );
+      }
+    }
+    return { success: true, message: "Session cleared successfully" };
+  } catch (error) {
+    console.error("Error clearing session:", error);
+    return { success: false, message: "Failed to clear session cookies" };
+  }
+}
+
+// src/instance/backendInstance.ts
+var createBackendInstance = async (request) => {
+  const ternSecureRequest = createTernSecureRequest(request);
+  const requestState = await authenticateRequest(request);
+  return {
+    ternSecureRequest,
+    requestState
+  };
+};
+async function authenticateRequest(request) {
+  const sessionCookie = request.headers.get("cookie");
+  const sessionToken = sessionCookie?.split(";").find((c) => c.trim().startsWith("_session_cookie="))?.split("=")[1];
+  if (!sessionToken) {
+    throw new Error("No session token found");
+  }
+  const verificationResult = await VerifyNextTernSessionCookie(sessionToken);
+  if (!verificationResult.valid) {
+    throw new Error("Invalid session token");
+  }
+  return signedIn(
+    verificationResult,
+    new Headers(request.headers),
+    sessionToken
+  );
+}
+function signInAuthObject(session) {
+  return {
+    session,
+    userId: session.uid,
+    has: {}
+  };
+}
+function signedIn(session, headers = new Headers(), token) {
+  const authObject = signInAuthObject(session);
+  return {
+    auth: () => authObject,
+    token,
+    headers
+  };
+}
+export {
+  ClearNextSessionCookie,
+  CreateNextSessionCookie,
+  GetNextIdToken,
+  GetNextServerSessionCookie,
+  SetNextServerSession,
+  SetNextServerToken,
+  TernSecureTenantManager,
+  VerifyNextTernIdToken,
+  VerifyNextTernSessionCookie,
+  adminTernSecureAuth,
+  adminTernSecureDb,
+  authenticateRequest,
+  clearSessionCookie,
+  createBackendInstance,
+  createSessionCookie,
+  createTenant,
+  createTenantUser,
+  initializeAdminConfig,
+  signedIn
+};
+//# sourceMappingURL=index.mjs.map