@tern-secure/backend 1.1.5 → 1.1.7

package/dist/index.js

@@ -0,0 +1,1307 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  AuthStatus: () => AuthStatus,
+  LogLevel: () => LogLevel,
+  PostgresAdapter: () => PostgresAdapter,
+  RedisAdapter: () => RedisAdapter,
+  constants: () => constants,
+  createAdapter: () => createAdapter,
+  createBackendInstanceClient: () => createBackendInstanceClient,
+  createFireClient: () => createFireClient,
+  createTernSecureRequest: () => createTernSecureRequest,
+  disableDebugLogging: () => disableDebugLogging,
+  enableDebugLogging: () => enableDebugLogging,
+  setLogLevel: () => setLogLevel,
+  signedIn: () => signedIn,
+  signedInAuthObject: () => signedInAuthObject,
+  signedOutAuthObject: () => signedOutAuthObject,
+  validateCheckRevokedOptions: () => validateCheckRevokedOptions
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/constants.ts
+var SESSION_COOKIE_PUBLIC_KEYS_URL = "https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys";
+var MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;
+var DEFAULT_CACHE_DURATION = 3600 * 1e3;
+var CACHE_CONTROL_REGEX = /max-age=(\d+)/;
+var Attributes = {
+  AuthToken: "__ternsecureAuthToken",
+  AuthSignature: "__ternsecureAuthSignature",
+  AuthStatus: "__ternsecureAuthStatus",
+  AuthReason: "__ternsecureAuthReason",
+  AuthMessage: "__ternsecureAuthMessage",
+  TernSecureUrl: "__ternsecureUrl"
+};
+var Cookies = {
+  Session: "__session",
+  IdToken: "_tern",
+  SessionCookie: "_session_cookie",
+  SessionToken: "_session_token",
+  Refresh: "__refresh",
+  Handshake: "__ternsecure_handshake",
+  DevBrowser: "__ternsecure_db_jwt",
+  RedirectCount: "__ternsecure_redirect_count",
+  HandshakeNonce: "__ternsecure_handshake_nonce"
+};
+var Headers2 = {
+  Accept: "accept",
+  AuthMessage: "x-ternsecure-auth-message",
+  Authorization: "authorization",
+  AuthReason: "x-ternsecure-auth-reason",
+  AuthSignature: "x-ternsecure-auth-signature",
+  AuthStatus: "x-ternsecure-auth-status",
+  AuthToken: "x-ternsecure-auth-token",
+  CacheControl: "cache-control",
+  TernSecureRedirectTo: "x-ternsecure-redirect-to",
+  TernSecureRequestData: "x-ternsecure-request-data",
+  TernSecureUrl: "x-ternsecure-url",
+  CloudFrontForwardedProto: "cloudfront-forwarded-proto",
+  ContentType: "content-type",
+  ContentSecurityPolicy: "content-security-policy",
+  ContentSecurityPolicyReportOnly: "content-security-policy-report-only",
+  EnableDebug: "x-ternsecure-debug",
+  ForwardedHost: "x-forwarded-host",
+  ForwardedPort: "x-forwarded-port",
+  ForwardedProto: "x-forwarded-proto",
+  Host: "host",
+  Location: "location",
+  Nonce: "x-nonce",
+  Origin: "origin",
+  Referrer: "referer",
+  SecFetchDest: "sec-fetch-dest",
+  UserAgent: "user-agent",
+  ReportingEndpoints: "reporting-endpoints"
+};
+var ContentTypes = {
+  Json: "application/json"
+};
+var constants = {
+  Attributes,
+  Cookies,
+  Headers: Headers2,
+  ContentTypes
+};
+
+// src/tokens/ternSecureRequest.ts
+var import_cookie = require("cookie");
+
+// src/tokens/ternUrl.ts
+var TernUrl = class extends URL {
+  isCrossOrigin(other) {
+    return this.origin !== new URL(other.toString()).origin;
+  }
+};
+var createTernUrl = (...args) => {
+  return new TernUrl(...args);
+};
+
+// src/tokens/ternSecureRequest.ts
+var TernSecureRequest = class extends Request {
+  ternUrl;
+  cookies;
+  constructor(input, init) {
+    const url = typeof input !== "string" && "url" in input ? input.url : String(input);
+    super(url, init || typeof input === "string" ? void 0 : input);
+    this.ternUrl = this.deriveUrlFromHeaders(this);
+    this.cookies = this.parseCookies(this);
+  }
+  toJSON() {
+    return {
+      url: this.ternUrl.href,
+      method: this.method,
+      headers: JSON.stringify(Object.fromEntries(this.headers)),
+      ternUrl: this.ternUrl.toString(),
+      cookies: JSON.stringify(Object.fromEntries(this.cookies))
+    };
+  }
+  deriveUrlFromHeaders(req) {
+    const initialUrl = new URL(req.url);
+    const forwardedProto = req.headers.get(constants.Headers.ForwardedProto);
+    const forwardedHost = req.headers.get(constants.Headers.ForwardedHost);
+    const host = req.headers.get(constants.Headers.Host);
+    const protocol = initialUrl.protocol;
+    const resolvedHost = this.getFirstValueFromHeader(forwardedHost) ?? host;
+    const resolvedProtocol = this.getFirstValueFromHeader(forwardedProto) ?? protocol?.replace(/[:/]/, "");
+    const origin = resolvedHost && resolvedProtocol ? `${resolvedProtocol}://${resolvedHost}` : initialUrl.origin;
+    if (origin === initialUrl.origin) {
+      return createTernUrl(initialUrl);
+    }
+    return createTernUrl(initialUrl.pathname + initialUrl.search, origin);
+  }
+  getFirstValueFromHeader(value) {
+    return value?.split(",")[0];
+  }
+  parseCookies(req) {
+    const cookiesRecord = (0, import_cookie.parse)(
+      this.decodeCookieValue(req.headers.get("cookie") || "")
+    );
+    return new Map(Object.entries(cookiesRecord));
+  }
+  decodeCookieValue(str) {
+    return str ? str.replace(/(%[0-9A-Z]{2})+/g, decodeURIComponent) : str;
+  }
+};
+var createTernSecureRequest = (...args) => {
+  return args[0] instanceof TernSecureRequest ? args[0] : new TernSecureRequest(...args);
+};
+
+// src/utils/mapDecode.ts
+function mapJwtPayloadToDecodedIdToken(payload) {
+  const decodedIdToken = payload;
+  decodedIdToken.uid = decodedIdToken.sub;
+  return decodedIdToken;
+}
+
+// src/tokens/authstate.ts
+var AuthStatus = {
+  SignedIn: "signed-in",
+  SignedOut: "signed-out"
+};
+var AuthErrorReason = {
+  SessionTokenAndUATMissing: "session-token-and-uat-missing",
+  SessionTokenMissing: "session-token-missing",
+  SessionTokenExpired: "session-token-expired",
+  SessionTokenIATBeforeClientUAT: "session-token-iat-before-client-uat",
+  SessionTokenNBF: "session-token-nbf",
+  SessionTokenIatInTheFuture: "session-token-iat-in-the-future",
+  ActiveOrganizationMismatch: "active-organization-mismatch",
+  UnexpectedError: "unexpected-error"
+};
+function createHasAuthorization(decodedIdToken) {
+  return (authorizationParams) => {
+    if (!authorizationParams || typeof authorizationParams !== "object" || Array.isArray(authorizationParams)) {
+      return false;
+    }
+    const claims = decodedIdToken;
+    return Object.entries(authorizationParams).every(([key, value]) => {
+      const claimValue = claims[key];
+      if (typeof claimValue === "undefined") {
+        return false;
+      }
+      if (Array.isArray(value)) {
+        if (Array.isArray(claimValue)) {
+          return value.some((v) => claimValue.includes(v));
+        }
+        return value.includes(claimValue);
+      }
+      if (Array.isArray(claimValue)) {
+        return claimValue.includes(value);
+      }
+      return claimValue === value;
+    });
+  };
+}
+function signedInAuthObject(sessionToken, sessionClaims) {
+  const decodedIdToken = mapJwtPayloadToDecodedIdToken(sessionClaims);
+  return {
+    sessionClaims: {
+      ...decodedIdToken
+    },
+    userId: decodedIdToken.uid,
+    token: sessionToken,
+    require: createHasAuthorization(decodedIdToken),
+    error: null
+  };
+}
+function signedOutAuthObject() {
+  return {
+    sessionClaims: null,
+    userId: null,
+    require: () => false,
+    error: "No active session"
+  };
+}
+function signedIn(sessionClaims, headers = new Headers(), token) {
+  const authObject = signedInAuthObject(token, sessionClaims);
+  return {
+    status: AuthStatus.SignedIn,
+    reason: null,
+    isSignedIn: true,
+    auth: () => authObject,
+    token,
+    headers
+  };
+}
+function signedOut(reason, headers = new Headers()) {
+  return decorateHeaders({
+    status: AuthStatus.SignedOut,
+    reason,
+    isSignedIn: false,
+    auth: () => signedOutAuthObject(),
+    token: null,
+    headers
+  });
+}
+var decorateHeaders = (requestState) => {
+  const headers = new Headers(requestState.headers || {});
+  if (requestState.reason) {
+    try {
+      headers.set(constants.Headers.AuthReason, requestState.reason);
+    } catch {
+    }
+  }
+  if (requestState.status) {
+    try {
+      headers.set(constants.Headers.AuthStatus, requestState.status);
+    } catch {
+    }
+  }
+  requestState.headers = headers;
+  return requestState;
+};
+
+// src/api/endpoints/SessionApi.ts
+var rootPath = "/sessions";
+var SessionApi = class {
+  constructor(request) {
+    this.request = request;
+  }
+  async createSession(params) {
+    return this.request({
+      method: "POST",
+      path: rootPath,
+      bodyParams: params
+    });
+  }
+};
+
+// src/runtime.ts
+var import_crypto = require("#crypto");
+var globalFetch = fetch.bind(globalThis);
+var runtime = {
+  crypto: import_crypto.webcrypto,
+  get fetch() {
+    return process.env.NODE_ENV === "test" ? fetch : globalFetch;
+  },
+  AbortController: globalThis.AbortController,
+  Blob: globalThis.Blob,
+  FormData: globalThis.FormData,
+  Headers: globalThis.Headers,
+  Request: globalThis.Request,
+  Response: globalThis.Response
+};
+
+// src/utils/path.ts
+var SEPARATOR = "/";
+var MULTIPLE_SEPARATOR_REGEX = new RegExp("(?<!:)" + SEPARATOR + "{1,}", "g");
+function joinPaths(...args) {
+  return args.filter((p) => p).join(SEPARATOR).replace(MULTIPLE_SEPARATOR_REGEX, SEPARATOR);
+}
+
+// src/api/request.ts
+function createRequest(options) {
+  const requestFn = async (requestOptions) => {
+    const { apiUrl, apiVersion } = options;
+    const { path, method, queryParams, headerParams, bodyParams, formData } = requestOptions;
+    const url = joinPaths(apiUrl, apiVersion, path);
+    const finalUrl = new URL(url);
+    if (queryParams) {
+      Object.entries(queryParams).forEach(([key, value]) => {
+        if (value) {
+          [value].flat().forEach((v) => finalUrl.searchParams.append(key, v));
+        }
+      });
+    }
+    const headers = {
+      ...headerParams
+    };
+    let res;
+    try {
+      if (formData) {
+        res = await runtime.fetch(finalUrl.href, {
+          method,
+          headers,
+          body: formData
+        });
+      } else {
+        headers["Content-Type"] = "application/json";
+        const hasBody = method !== "GET" && bodyParams && Object.keys(bodyParams).length > 0;
+        const body = hasBody ? { body: JSON.stringify(bodyParams) } : null;
+        res = await runtime.fetch(finalUrl.href, {
+          method,
+          headers,
+          ...body
+        });
+      }
+      const isJSONResponse = res?.headers && res.headers?.get(constants.Headers.ContentType) === constants.ContentTypes.Json;
+      const responseBody = await (isJSONResponse ? res.json() : res.text());
+      if (!res.ok) {
+        return {
+          data: null,
+          errors: parseErrors(responseBody),
+          status: res?.status,
+          statusText: res?.statusText
+        };
+      }
+      return {
+        data: responseBody,
+        errors: null
+      };
+    } catch (error) {
+      if (error instanceof Error) {
+        return {
+          data: null,
+          errors: [
+            {
+              code: "unexpected_error",
+              message: error.message || "An unexpected error occurred"
+            }
+          ]
+        };
+      }
+      return {
+        data: null,
+        errors: parseErrors(error),
+        status: res?.status,
+        statusText: res?.statusText
+      };
+    }
+  };
+  return requestFn;
+}
+function parseErrors(data) {
+  if (!!data && typeof data === "object" && "errors" in data) {
+    const errors = data.errors;
+    return errors.length > 0 ? errors.map(parseError) : [];
+  }
+  return [];
+}
+function parseError(error) {
+  return {
+    code: error.code,
+    message: error.message
+  };
+}
+
+// src/api/createBackendApi.ts
+function createBackendApi(options) {
+  const request = createRequest(options);
+  return {
+    sessions: new SessionApi(request)
+  };
+}
+
+// src/utils/options.ts
+var defaultOptions = {
+  apiUrl: void 0,
+  apiVersion: void 0
+};
+function mergePreDefinedOptions(userOptions = {}) {
+  return {
+    ...defaultOptions,
+    ...userOptions
+  };
+}
+
+// src/tokens/sessionConfig.ts
+var getSessionConfig = (options) => {
+  const cookieConfig = options?.cookies?.session_cookie;
+  return {
+    COOKIE_NAME: cookieConfig?.name,
+    DEFAULT_EXPIRES_IN_MS: cookieConfig?.attributes?.maxAge,
+    DEFAULT_EXPIRES_IN_SECONDS: Math.floor((cookieConfig?.attributes?.maxAge || 0) / 1e3),
+    REVOKE_REFRESH_TOKENS_ON_SIGNOUT: cookieConfig?.revokeRefreshTokensOnSignOut
+  };
+};
+
+// src/jwt/verifyJwt.ts
+var import_jose2 = require("jose");
+
+// src/utils/errors.ts
+var TokenVerificationErrorReason = {
+  TokenExpired: "token-expired",
+  TokenInvalid: "token-invalid",
+  TokenInvalidAlgorithm: "token-invalid-algorithm",
+  TokenInvalidAuthorizedParties: "token-invalid-authorized-parties",
+  TokenInvalidSignature: "token-invalid-signature",
+  TokenNotActiveYet: "token-not-active-yet",
+  TokenIatInTheFuture: "token-iat-in-the-future",
+  TokenVerificationFailed: "token-verification-failed",
+  InvalidSecretKey: "secret-key-invalid",
+  LocalJWKMissing: "jwk-local-missing",
+  RemoteJWKFailedToLoad: "jwk-remote-failed-to-load",
+  RemoteJWKInvalid: "jwk-remote-invalid",
+  RemoteJWKMissing: "jwk-remote-missing",
+  JWKFailedToResolve: "jwk-failed-to-resolve",
+  JWKKidMismatch: "jwk-kid-mismatch"
+};
+var TokenVerificationError = class _TokenVerificationError extends Error {
+  reason;
+  tokenCarrier;
+  constructor({
+    message,
+    reason
+  }) {
+    super(message);
+    Object.setPrototypeOf(this, _TokenVerificationError.prototype);
+    this.reason = reason;
+    this.message = message;
+  }
+  getFullMessage() {
+    return `${[this.message].filter((m) => m).join(" ")} (reason=${this.reason}, token-carrier=${this.tokenCarrier})`;
+  }
+};
+
+// src/utils/rfc4648.ts
+var base64url = {
+  parse(string, opts) {
+    return parse2(string, base64UrlEncoding, opts);
+  },
+  stringify(data, opts) {
+    return stringify(data, base64UrlEncoding, opts);
+  }
+};
+var base64UrlEncoding = {
+  chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_",
+  bits: 6
+};
+function parse2(string, encoding, opts = {}) {
+  if (!encoding.codes) {
+    encoding.codes = {};
+    for (let i = 0; i < encoding.chars.length; ++i) {
+      encoding.codes[encoding.chars[i]] = i;
+    }
+  }
+  if (!opts.loose && string.length * encoding.bits & 7) {
+    throw new SyntaxError("Invalid padding");
+  }
+  let end = string.length;
+  while (string[end - 1] === "=") {
+    --end;
+    if (!opts.loose && !((string.length - end) * encoding.bits & 7)) {
+      throw new SyntaxError("Invalid padding");
+    }
+  }
+  const out = new (opts.out ?? Uint8Array)(end * encoding.bits / 8 | 0);
+  let bits = 0;
+  let buffer = 0;
+  let written = 0;
+  for (let i = 0; i < end; ++i) {
+    const value = encoding.codes[string[i]];
+    if (value === void 0) {
+      throw new SyntaxError("Invalid character " + string[i]);
+    }
+    buffer = buffer << encoding.bits | value;
+    bits += encoding.bits;
+    if (bits >= 8) {
+      bits -= 8;
+      out[written++] = 255 & buffer >> bits;
+    }
+  }
+  if (bits >= encoding.bits || 255 & buffer << 8 - bits) {
+    throw new SyntaxError("Unexpected end of data");
+  }
+  return out;
+}
+function stringify(data, encoding, opts = {}) {
+  const { pad = true } = opts;
+  const mask = (1 << encoding.bits) - 1;
+  let out = "";
+  let bits = 0;
+  let buffer = 0;
+  for (let i = 0; i < data.length; ++i) {
+    buffer = buffer << 8 | 255 & data[i];
+    bits += 8;
+    while (bits > encoding.bits) {
+      bits -= encoding.bits;
+      out += encoding.chars[mask & buffer >> bits];
+    }
+  }
+  if (bits) {
+    out += encoding.chars[mask & buffer << encoding.bits - bits];
+  }
+  if (pad) {
+    while (out.length * encoding.bits & 7) {
+      out += "=";
+    }
+  }
+  return out;
+}
+
+// src/jwt/cryptoKeys.ts
+var import_jose = require("jose");
+async function importKey(key, algorithm) {
+  if (typeof key === "object") {
+    const result = await (0, import_jose.importJWK)(key, algorithm);
+    if (result instanceof Uint8Array) {
+      throw new Error("Unexpected Uint8Array result from JWK import");
+    }
+    return result;
+  }
+  const keyString = key.trim();
+  if (keyString.includes("-----BEGIN CERTIFICATE-----")) {
+    return await (0, import_jose.importX509)(keyString, algorithm);
+  }
+  if (keyString.includes("-----BEGIN PUBLIC KEY-----")) {
+    return await (0, import_jose.importSPKI)(keyString, algorithm);
+  }
+  try {
+    return await (0, import_jose.importSPKI)(keyString, algorithm);
+  } catch (error) {
+    throw new Error(
+      `Unsupported key format. Supported formats: X.509 certificate (PEM), SPKI (PEM), JWK (JSON object or string). Error: ${error}`
+    );
+  }
+}
+
+// src/jwt/algorithms.ts
+var algToHash = {
+  RS256: "SHA-256",
+  RS384: "SHA-384",
+  RS512: "SHA-512"
+};
+var algs = Object.keys(algToHash);
+
+// src/jwt/verifyContent.ts
+var verifyHeaderKid = (kid) => {
+  if (typeof kid === "undefined") {
+    return;
+  }
+  if (typeof kid !== "string") {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenInvalid,
+      message: `Invalid JWT kid ${JSON.stringify(kid)}. Expected a string.`
+    });
+  }
+};
+var verifySubClaim = (sub) => {
+  if (typeof sub !== "string") {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenVerificationFailed,
+      message: `Subject claim (sub) is required and must be a string. Received ${JSON.stringify(sub)}.`
+    });
+  }
+};
+var verifyExpirationClaim = (exp, clockSkewInMs) => {
+  if (typeof exp !== "number") {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenVerificationFailed,
+      message: `Invalid JWT expiry date (exp) claim ${JSON.stringify(exp)}. Expected a number.`
+    });
+  }
+  const currentDate = new Date(Date.now());
+  const expiryDate = /* @__PURE__ */ new Date(0);
+  expiryDate.setUTCSeconds(exp);
+  const expired = expiryDate.getTime() <= currentDate.getTime() - clockSkewInMs;
+  if (expired) {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenExpired,
+      message: `JWT is expired. Expiry date: ${expiryDate.toUTCString()}, Current date: ${currentDate.toUTCString()}.`
+    });
+  }
+};
+var verifyIssuedAtClaim = (iat, clockSkewInMs) => {
+  if (typeof iat === "undefined") {
+    return;
+  }
+  if (typeof iat !== "number") {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenVerificationFailed,
+      message: `Invalid JWT issued at date claim (iat) ${JSON.stringify(iat)}. Expected a number.`
+    });
+  }
+  const currentDate = new Date(Date.now());
+  const issuedAtDate = /* @__PURE__ */ new Date(0);
+  issuedAtDate.setUTCSeconds(iat);
+  const postIssued = issuedAtDate.getTime() > currentDate.getTime() + clockSkewInMs;
+  if (postIssued) {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenIatInTheFuture,
+      message: `JWT issued at date claim (iat) is in the future. Issued at date: ${issuedAtDate.toUTCString()}; Current date: ${currentDate.toUTCString()};`
+    });
+  }
+};
+
+// src/jwt/verifyJwt.ts
+var DEFAULT_CLOCK_SKEW_IN_MS = 5 * 1e3;
+async function verifySignature(jwt, key) {
+  const { header, raw } = jwt;
+  const joseAlgorithm = header.alg || "RS256";
+  try {
+    const publicKey = await importKey(key, joseAlgorithm);
+    const { payload } = await (0, import_jose2.jwtVerify)(raw.text, publicKey);
+    return { data: payload };
+  } catch (error) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalidSignature,
+          message: error.message
+        })
+      ]
+    };
+  }
+}
+function ternDecodeJwt(token) {
+  try {
+    const header = (0, import_jose2.decodeProtectedHeader)(token);
+    const payload = (0, import_jose2.decodeJwt)(token);
+    const tokenParts = (token || "").toString().split(".");
+    if (tokenParts.length !== 3) {
+      return {
+        errors: [
+          new TokenVerificationError({
+            reason: TokenVerificationErrorReason.TokenInvalid,
+            message: "Invalid JWT format"
+          })
+        ]
+      };
+    }
+    const [rawHeader, rawPayload, rawSignature] = tokenParts;
+    const signature = base64url.parse(rawSignature, { loose: true });
+    const data = {
+      header,
+      payload,
+      signature,
+      raw: {
+        header: rawHeader,
+        payload: rawPayload,
+        signature: rawSignature,
+        text: token
+      }
+    };
+    return { data };
+  } catch (error) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalid,
+          message: error.message
+        })
+      ]
+    };
+  }
+}
+async function verifyJwt(token, options) {
+  const { key } = options;
+  const clockSkew = options.clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;
+  const { data: decoded, errors } = ternDecodeJwt(token);
+  if (errors) {
+    return { errors };
+  }
+  const { header, payload } = decoded;
+  try {
+    verifyHeaderKid(header.kid);
+    verifySubClaim(payload.sub);
+    verifyExpirationClaim(payload.exp, clockSkew);
+    verifyIssuedAtClaim(payload.iat, clockSkew);
+  } catch (error) {
+    return { errors: [error] };
+  }
+  const { data: verifiedPayload, errors: signatureErrors } = await verifySignature(decoded, key);
+  if (signatureErrors) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalidSignature,
+          message: "Token signature verification failed."
+        })
+      ]
+    };
+  }
+  const decodedIdToken = mapJwtPayloadToDecodedIdToken(verifiedPayload);
+  return { data: decodedIdToken };
+}
+
+// src/tokens/keys.ts
+var cache = {};
+var lastUpdatedAt = 0;
+var googleExpiresAt = 0;
+function getFromCache(kid) {
+  return cache[kid];
+}
+function getCacheValues() {
+  return Object.values(cache);
+}
+function setInCache(kid, certificate, shouldExpire = true) {
+  cache[kid] = certificate;
+  lastUpdatedAt = shouldExpire ? Date.now() : -1;
+}
+async function fetchPublicKeys(keyUrl) {
+  const url = new URL(keyUrl);
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new TokenVerificationError({
+      message: `Error loading public keys from ${url.href} with code=${response.status} `,
+      reason: TokenVerificationErrorReason.TokenInvalid
+    });
+  }
+  const data = await response.json();
+  const expiresAt = getExpiresAt(response);
+  return {
+    keys: data,
+    expiresAt
+  };
+}
+async function loadJWKFromRemote({
+  keyURL = SESSION_COOKIE_PUBLIC_KEYS_URL,
+  skipJwksCache,
+  kid
+}) {
+  if (skipJwksCache || isCacheExpired() || !getFromCache(kid)) {
+    const { keys, expiresAt } = await fetchPublicKeys(keyURL);
+    if (!keys || Object.keys(keys).length === 0) {
+      throw new TokenVerificationError({
+        message: `The JWKS endpoint ${keyURL} returned no keys`,
+        reason: TokenVerificationErrorReason.RemoteJWKFailedToLoad
+      });
+    }
+    googleExpiresAt = expiresAt;
+    Object.entries(keys).forEach(([keyId, cert2]) => {
+      setInCache(keyId, cert2);
+    });
+  }
+  const cert = getFromCache(kid);
+  if (!cert) {
+    getCacheValues();
+    const availableKids = Object.keys(cache).sort().join(", ");
+    throw new TokenVerificationError({
+      message: `No public key found for kid "${kid}". Available kids: [${availableKids}]`,
+      reason: TokenVerificationErrorReason.TokenInvalid
+    });
+  }
+  return cert;
+}
+function isCacheExpired() {
+  const now = Date.now();
+  if (lastUpdatedAt === -1) {
+    return false;
+  }
+  const cacheAge = now - lastUpdatedAt;
+  const maxCacheAge = MAX_CACHE_LAST_UPDATED_AT_SECONDS * 1e3;
+  const localCacheExpired = cacheAge >= maxCacheAge;
+  const googleCacheExpired = now >= googleExpiresAt;
+  const isExpired = localCacheExpired || googleCacheExpired;
+  if (isExpired) {
+    cache = {};
+  }
+  return isExpired;
+}
+function getExpiresAt(res) {
+  const cacheControlHeader = res.headers.get("cache-control");
+  if (!cacheControlHeader) {
+    return Date.now() + DEFAULT_CACHE_DURATION;
+  }
+  const maxAgeMatch = cacheControlHeader.match(CACHE_CONTROL_REGEX);
+  const maxAge = maxAgeMatch ? parseInt(maxAgeMatch[1], 10) : DEFAULT_CACHE_DURATION / 1e3;
+  return Date.now() + maxAge * 1e3;
+}
+
+// src/tokens/verify.ts
+async function verifyToken(token, options) {
+  const { data: decodedResult, errors } = ternDecodeJwt(token);
+  if (errors) {
+    return { errors };
+  }
+  const { header } = decodedResult;
+  const { kid } = header;
+  if (!kid) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalid,
+          message: 'JWT "kid" header is missing.'
+        })
+      ]
+    };
+  }
+  try {
+    const key = options.jwtKey || await loadJWKFromRemote({ ...options, kid });
+    if (!key) {
+      return {
+        errors: [
+          new TokenVerificationError({
+            reason: TokenVerificationErrorReason.TokenInvalid,
+            message: `No public key found for kid "${kid}".`
+          })
+        ]
+      };
+    }
+    return await verifyJwt(token, { ...options, key });
+  } catch (error) {
+    if (error instanceof TokenVerificationError) {
+      return { errors: [error] };
+    }
+    return {
+      errors: [error]
+    };
+  }
+}
+
+// src/tokens/request.ts
+var BEARER_PREFIX = "Bearer ";
+var AUTH_COOKIE_NAME = "_session_cookie";
+function extractTokenFromHeader(request) {
+  const authHeader = request.headers.get("Authorization");
+  if (!authHeader || !authHeader.startsWith(BEARER_PREFIX)) {
+    return null;
+  }
+  return authHeader.slice(BEARER_PREFIX.length);
+}
+function extractTokenFromCookie(request, opts) {
+  const cookieHeader = request.headers.get("Cookie") || void 0;
+  const sessionName = getSessionConfig(opts).COOKIE_NAME;
+  if (!cookieHeader) {
+    return null;
+  }
+  const cookies = cookieHeader.split(";").reduce(
+    (acc, cookie) => {
+      const [name, value] = cookie.trim().split("=");
+      acc[name] = value;
+      return acc;
+    },
+    {}
+  );
+  return cookies[AUTH_COOKIE_NAME] || null;
+}
+function hasAuthorizationHeader(request) {
+  return request.headers.has("Authorization");
+}
+async function authenticateRequest(request, options) {
+  async function authenticateRequestWithTokenInCookie() {
+    const token = extractTokenFromCookie(request, options);
+    if (!token) {
+      return signedOut(AuthErrorReason.SessionTokenMissing);
+    }
+    const { data, errors } = await verifyToken(token, options);
+    if (errors) {
+      throw errors[0];
+    }
+    const signedInRequestState = signedIn(data, void 0, token);
+    return signedInRequestState;
+  }
+  async function authenticateRequestWithTokenInHeader() {
+    const token = extractTokenFromHeader(request);
+    if (!token) {
+      return signedOut(AuthErrorReason.SessionTokenMissing);
+    }
+    const { data, errors } = await verifyToken(token, options);
+    if (errors) {
+      throw errors[0];
+    }
+    const signedInRequestState = signedIn(data, void 0, token);
+    return signedInRequestState;
+  }
+  if (hasAuthorizationHeader(request)) {
+    return authenticateRequestWithTokenInHeader();
+  }
+  return authenticateRequestWithTokenInCookie();
+}
+function createAuthenticateRequest(params) {
+  const buildTimeOptions = mergePreDefinedOptions(params.options);
+  const apiClient = params.apiClient;
+  const handleAuthenticateRequest = (request, options = {}) => {
+    const { apiUrl } = buildTimeOptions;
+    return authenticateRequest(request, { ...options, apiUrl, apiClient });
+  };
+  return {
+    authenticateRequest: handleAuthenticateRequest
+  };
+}
+
+// src/instance/backendInstanceEdge.ts
+function createBackendInstanceClient(options) {
+  const opts = { ...options };
+  const apiClient = createBackendApi(opts);
+  const requestState = createAuthenticateRequest({ options: opts, apiClient });
+  return {
+    ...apiClient,
+    ...requestState
+  };
+}
+
+// src/tokens/requestFire.ts
+var defaultFirebaseOptions = {
+  apiKey: "",
+  authDomain: "",
+  projectId: "",
+  tenantId: void 0
+};
+function mergePreDefinedOptions2(preDefinedOptions, options) {
+  return Object.keys(preDefinedOptions).reduce(
+    (obj, key) => {
+      return { ...obj, [key]: options[key] || obj[key] };
+    },
+    { ...preDefinedOptions }
+  );
+}
+var BEARER_PREFIX2 = "Bearer ";
+var AUTH_COOKIE_NAME2 = "_session_cookie";
+function extractTokenFromHeader2(request) {
+  const authHeader = request.headers.get("Authorization");
+  if (!authHeader || !authHeader.startsWith(BEARER_PREFIX2)) {
+    return null;
+  }
+  return authHeader.slice(BEARER_PREFIX2.length);
+}
+function extractTokenFromCookie2(request, opts) {
+  const cookieHeader = request.headers.get("Cookie") || void 0;
+  const sessionName = getSessionConfig(opts).COOKIE_NAME;
+  if (!cookieHeader) {
+    return null;
+  }
+  const cookies = cookieHeader.split(";").reduce(
+    (acc, cookie) => {
+      const [name, value] = cookie.trim().split("=");
+      acc[name] = value;
+      return acc;
+    },
+    {}
+  );
+  return cookies[AUTH_COOKIE_NAME2] || null;
+}
+function hasAuthorizationHeader2(request) {
+  return request.headers.has("Authorization");
+}
+async function authenticateRequest2(request, options) {
+  async function authenticateRequestWithTokenInCookie() {
+    const token = extractTokenFromCookie2(request, options);
+    if (!token) {
+      return signedOut(AuthErrorReason.SessionTokenMissing);
+    }
+    const { data, errors } = await verifyToken(token, options);
+    if (errors) {
+      throw errors[0];
+    }
+    const signedInRequestState = signedIn(data, void 0, token);
+    return signedInRequestState;
+  }
+  async function authenticateRequestWithTokenInHeader() {
+    const token = extractTokenFromHeader2(request);
+    if (!token) {
+      return signedOut(AuthErrorReason.SessionTokenMissing);
+    }
+    const { data, errors } = await verifyToken(token, options);
+    if (errors) {
+      throw errors[0];
+    }
+    const signedInRequestState = signedIn(data, void 0, token);
+    return signedInRequestState;
+  }
+  if (hasAuthorizationHeader2(request)) {
+    return authenticateRequestWithTokenInHeader();
+  }
+  return authenticateRequestWithTokenInCookie();
+}
+function createFireAuthenticateRequest(params) {
+  const buildTimeOptions = mergePreDefinedOptions2(defaultFirebaseOptions, params.options);
+  const handleAuthenticateRequest = (request, options = {}) => {
+    const runtimeOptions = { ...buildTimeOptions, ...options };
+    return authenticateRequest2(request, runtimeOptions);
+  };
+  return {
+    authenticateRequest: handleAuthenticateRequest
+  };
+}
+
+// src/instance/backendFireInstance.ts
+function createFireClient(options) {
+  const opts = { ...options };
+  const apiClient = createBackendApi(opts);
+  const requestState = createFireAuthenticateRequest({ options: opts });
+  return {
+    ...apiClient,
+    ...requestState
+  };
+}
+
+// src/utils/logger.ts
+var LogLevel = /* @__PURE__ */ ((LogLevel2) => {
+  LogLevel2[LogLevel2["ERROR"] = 0] = "ERROR";
+  LogLevel2[LogLevel2["WARN"] = 1] = "WARN";
+  LogLevel2[LogLevel2["INFO"] = 2] = "INFO";
+  LogLevel2[LogLevel2["DEBUG"] = 3] = "DEBUG";
+  return LogLevel2;
+})(LogLevel || {});
+var Logger = class {
+  options;
+  constructor(options = {}) {
+    this.options = {
+      enabled: false,
+      level: 2 /* INFO */,
+      prefix: "[TernSecure-Backend]",
+      ...options
+    };
+  }
+  enable() {
+    this.options.enabled = true;
+  }
+  disable() {
+    this.options.enabled = false;
+  }
+  setLevel(level) {
+    this.options.level = level;
+  }
+  setPrefix(prefix) {
+    this.options.prefix = prefix;
+  }
+  log(level, levelName, message, ...args) {
+    if (!this.options.enabled || level > this.options.level) {
+      return;
+    }
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const formattedMessage = `${timestamp} ${this.options.prefix} [${levelName}] ${message}`;
+    switch (level) {
+      case 0 /* ERROR */:
+        console.error(formattedMessage, ...args);
+        break;
+      case 1 /* WARN */:
+        console.warn(formattedMessage, ...args);
+        break;
+      case 2 /* INFO */:
+        console.info(formattedMessage, ...args);
+        break;
+      case 3 /* DEBUG */:
+        console.debug(formattedMessage, ...args);
+        break;
+    }
+  }
+  error(message, ...args) {
+    this.log(0 /* ERROR */, "ERROR", message, ...args);
+  }
+  warn(message, ...args) {
+    this.log(1 /* WARN */, "WARN", message, ...args);
+  }
+  info(message, ...args) {
+    this.log(2 /* INFO */, "INFO", message, ...args);
+  }
+  debug(message, ...args) {
+    this.log(3 /* DEBUG */, "DEBUG", message, ...args);
+  }
+};
+var createLogger = (options) => {
+  return new Logger(options);
+};
+var redisLogger = createLogger({ prefix: "[TernSecure-Redis]" });
+var authLogger = createLogger({ prefix: "[TernSecure-Auth]" });
+
+// src/utils/enableDebugLogging.ts
+function enableDebugLogging() {
+  authLogger.enable();
+  authLogger.setLevel(3 /* DEBUG */);
+  redisLogger.enable();
+  redisLogger.setLevel(3 /* DEBUG */);
+}
+function disableDebugLogging() {
+  authLogger.disable();
+  redisLogger.disable();
+}
+function setLogLevel(level) {
+  authLogger.setLevel(level);
+  redisLogger.setLevel(level);
+}
+
+// src/adapters/PostgresAdapter.ts
+var PostgresAdapter = class {
+  config;
+  tableName;
+  constructor(config) {
+    this.config = config;
+    this.tableName = config.table || "disabled_users";
+  }
+  getDisabledUser = async (uid) => {
+    try {
+      const response = await fetch(this.config.url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${this.config.token}`
+        },
+        body: JSON.stringify({
+          query: `SELECT uid, email, disabled_time as "disabledTime" FROM ${this.tableName} WHERE uid = $1`,
+          params: [uid]
+        })
+      });
+      if (!response.ok) {
+        throw new Error(`HTTP error! status: ${response.status}`);
+      }
+      const result = await response.json();
+      if (result.rows && result.rows.length > 0) {
+        const row = result.rows[0];
+        const disabledUser = {
+          uid: row.uid,
+          email: row.email,
+          disabledTime: row.disabledTime
+        };
+        authLogger.debug(`Found disabled user: ${uid}`);
+        return disabledUser;
+      }
+      authLogger.debug(`No disabled user found: ${uid}`);
+      return null;
+    } catch (error) {
+      authLogger.error("Failed to fetch disabled user from Postgres:", error);
+      return null;
+    }
+  };
+};
+
+// src/adapters/RedisAdapter.ts
+var import_redis = require("@upstash/redis");
+var TTLCache = class {
+  cache = /* @__PURE__ */ new Map();
+  defaultTTL;
+  constructor(defaultTTLMs = 6e4) {
+    this.defaultTTL = defaultTTLMs;
+  }
+  set(key, value, ttlMs) {
+    const expiresAt = Date.now() + (ttlMs ?? this.defaultTTL);
+    this.cache.set(key, { value, expiresAt });
+    console.log(`TTLCache.set: key=${key}, value=${JSON.stringify(value)}, expiresAt=${expiresAt}, cacheSize=${this.cache.size}`);
+  }
+  getEntry(key) {
+    const entry = this.cache.get(key);
+    if (!entry) return void 0;
+    const now = Date.now();
+    if (now > entry.expiresAt) {
+      console.log(`TTLCache: key=${key} expired (now=${now}, expiresAt=${entry.expiresAt})`);
+      this.cache.delete(key);
+      return void 0;
+    }
+    return entry;
+  }
+  get(key) {
+    const entry = this.getEntry(key);
+    const hasEntry = entry !== void 0;
+    const cacheHasKey = this.cache.has(key);
+    const rawEntry = this.cache.get(key);
+    console.log(`TTLCache.get: key=${key}, hasEntry=${hasEntry}, cacheHasKey=${cacheHasKey}`);
+    console.log(`TTLCache.get: rawEntry=${JSON.stringify(rawEntry)}, entry=${JSON.stringify(entry)}`);
+    if (!entry) {
+      console.log(`TTLCache.get: no entry found for key=${key}, returning undefined`);
+      return void 0;
+    }
+    console.log(`TTLCache.get: returning value=${JSON.stringify(entry.value)} for key=${key}`);
+    return entry.value;
+  }
+  delete(key) {
+    return this.cache.delete(key);
+  }
+  clear() {
+    this.cache.clear();
+  }
+  cleanup() {
+    const now = Date.now();
+    for (const [key, entry] of this.cache.entries()) {
+      if (now > entry.expiresAt) {
+        this.cache.delete(key);
+      }
+    }
+  }
+};
+var RedisAdapter = class {
+  redis;
+  cache;
+  keyPrefix;
+  constructor(config) {
+    this.redis = new import_redis.Redis({
+      url: config.url,
+      token: config.token
+    });
+    this.keyPrefix = config.keyPrefix || "disabled_user:";
+    const cacheTTL = config.ttl || 3e4;
+    this.cache = new TTLCache(cacheTTL);
+    setInterval(() => this.cache.cleanup(), 5 * 60 * 1e3);
+  }
+  getDisabledUser = async (uid) => {
+    const cacheKey = `${this.keyPrefix}${uid}`;
+    authLogger.debug(`RedisAdapter: Checking cache for key: ${cacheKey}`);
+    const cachedResult = this.cache.get(cacheKey);
+    authLogger.debug(`RedisAdapter: Cache get result for ${cacheKey}:`, {
+      cachedResult: JSON.stringify(cachedResult),
+      isUndefined: cachedResult === void 0,
+      type: typeof cachedResult
+    });
+    if (cachedResult !== void 0) {
+      authLogger.debug(`Cache hit for disabled user: ${uid}`, {
+        cacheKey,
+        cachedResult: JSON.stringify(cachedResult)
+      });
+      return cachedResult;
+    }
+    authLogger.debug(
+      `Cache miss for disabled user: ${uid}, fetching from Redis with key: ${cacheKey}`
+    );
+    try {
+      const disabledUser = await this.redis.get(cacheKey);
+      authLogger.debug(`Redis returned for key ${cacheKey}:`, {
+        disabledUser: JSON.stringify(disabledUser),
+        type: typeof disabledUser
+      });
+      this.cache.set(cacheKey, disabledUser);
+      authLogger.debug(`Cached disabled user result for: ${uid}`, {
+        cacheKey,
+        isDisabled: !!disabledUser,
+        cachedValue: JSON.stringify(disabledUser)
+      });
+      return disabledUser;
+    } catch (error) {
+      authLogger.error("Failed to fetch disabled user from Redis:", error);
+      return null;
+    }
+  };
+  invalidateCache(uid) {
+    const cacheKey = `${this.keyPrefix}${uid}`;
+    this.cache.delete(cacheKey);
+  }
+};
+
+// src/adapters/index.ts
+function createAdapter(config) {
+  switch (config.type) {
+    case "redis":
+      return new RedisAdapter(config.config);
+    case "postgres":
+      return new PostgresAdapter(config.config);
+    default:
+      throw new Error(`Unsupported adapter type: ${config.type}`);
+  }
+}
+function validateCheckRevokedOptions(options) {
+  if (options?.enabled && !options.adapter) {
+    return {
+      isValid: false,
+      error: "When checkRevoked.enabled is true, an adapter must be provided"
+    };
+  }
+  return { isValid: true };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AuthStatus,
+  LogLevel,
+  PostgresAdapter,
+  RedisAdapter,
+  constants,
+  createAdapter,
+  createBackendInstanceClient,
+  createFireClient,
+  createTernSecureRequest,
+  disableDebugLogging,
+  enableDebugLogging,
+  setLogLevel,
+  signedIn,
+  signedInAuthObject,
+  signedOutAuthObject,
+  validateCheckRevokedOptions
+});
+//# sourceMappingURL=index.js.map