npm - @tern-secure/backend - Versions diffs - 1.1.6 → 1.1.8 - Mend

@tern-secure/backend 1.1.6 → 1.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (159) hide show

package/admin/package.json +5 -0
package/dist/adapters/PostgresAdapter.d.ts +8 -0
package/dist/adapters/PostgresAdapter.d.ts.map +1 -0
package/dist/adapters/RedisAdapter.d.ts +10 -0
package/dist/adapters/RedisAdapter.d.ts.map +1 -0
package/dist/adapters/index.d.ts +13 -0
package/dist/adapters/index.d.ts.map +1 -0
package/dist/adapters/types.d.ts +30 -0
package/dist/adapters/types.d.ts.map +1 -0
package/dist/admin/gemini_sessionTernSecure.d.ts +10 -0
package/dist/admin/gemini_sessionTernSecure.d.ts.map +1 -0
package/dist/admin/index.d.ts +8 -0
package/dist/admin/index.d.ts.map +1 -0
package/dist/admin/index.js +705 -0
package/dist/admin/index.js.map +1 -0
package/dist/admin/index.mjs +512 -0
package/dist/admin/index.mjs.map +1 -0
package/dist/admin/nextSessionTernSecure.d.ts +28 -0
package/dist/admin/nextSessionTernSecure.d.ts.map +1 -0
package/dist/admin/sessionTernSecure.d.ts +6 -0
package/dist/admin/sessionTernSecure.d.ts.map +1 -0
package/dist/admin/tenant.d.ts.map +1 -0
package/dist/api/createBackendApi.d.ts +8 -0
package/dist/api/createBackendApi.d.ts.map +1 -0
package/dist/api/endpoints/SessionApi.d.ts +12 -0
package/dist/api/endpoints/SessionApi.d.ts.map +1 -0
package/dist/api/endpoints/index.d.ts +2 -0
package/dist/api/endpoints/index.d.ts.map +1 -0
package/dist/api/index.d.ts +2 -0
package/dist/api/index.d.ts.map +1 -0
package/dist/api/request.d.ts +36 -0
package/dist/api/request.d.ts.map +1 -0
package/dist/chunk-JFOTE3Y5.mjs +157 -0
package/dist/chunk-JFOTE3Y5.mjs.map +1 -0
package/dist/chunk-WZYVAHZ3.mjs +318 -0
package/dist/chunk-WZYVAHZ3.mjs.map +1 -0
package/dist/constants.d.ts +63 -0
package/dist/constants.d.ts.map +1 -0
package/dist/index.d.ts +14 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +1307 -0
package/dist/index.js.map +1 -0
package/dist/index.mjs +839 -0
package/dist/index.mjs.map +1 -0
package/dist/instance/backendFireInstance.d.ts +7 -0
package/dist/instance/backendFireInstance.d.ts.map +1 -0
package/dist/instance/backendInstance.d.ts +20 -0
package/dist/instance/backendInstance.d.ts.map +1 -0
package/dist/instance/backendInstanceEdge.d.ts +13 -0
package/dist/instance/backendInstanceEdge.d.ts.map +1 -0
package/dist/jwt/algorithms.d.ts +3 -0
package/dist/jwt/algorithms.d.ts.map +1 -0
package/dist/jwt/cryptoKeys.d.ts +3 -0
package/dist/jwt/cryptoKeys.d.ts.map +1 -0
package/dist/jwt/guardReturn.d.ts +3 -0
package/dist/jwt/guardReturn.d.ts.map +1 -0
package/dist/jwt/index.d.ts +4 -0
package/dist/jwt/index.d.ts.map +1 -0
package/dist/jwt/index.js +332 -0
package/dist/jwt/index.js.map +1 -0
package/dist/jwt/index.mjs +139 -0
package/dist/jwt/index.mjs.map +1 -0
package/dist/jwt/jwt.d.ts +4 -0
package/dist/jwt/jwt.d.ts.map +1 -0
package/dist/jwt/signJwt.d.ts +5 -0
package/dist/jwt/signJwt.d.ts.map +1 -0
package/dist/jwt/types.d.ts +8 -0
package/dist/jwt/types.d.ts.map +1 -0
package/dist/jwt/verifyContent.d.ts +7 -0
package/dist/jwt/verifyContent.d.ts.map +1 -0
package/dist/jwt/verifyJwt.d.ts +12 -0
package/dist/jwt/verifyJwt.d.ts.map +1 -0
package/dist/runtime/browser/crypto.mjs +1 -0
package/dist/runtime/node/crypto.js +1 -0
package/dist/runtime/node/crypto.mjs +1 -0
package/dist/runtime.d.ts +26 -0
package/dist/runtime.d.ts.map +1 -0
package/dist/ternsecureauth.d.ts.map +1 -0
package/dist/tokens/authstate.d.ts +61 -0
package/dist/tokens/authstate.d.ts.map +1 -0
package/dist/tokens/keys.d.ts +16 -0
package/dist/tokens/keys.d.ts.map +1 -0
package/dist/tokens/request.d.ts +16 -0
package/dist/tokens/request.d.ts.map +1 -0
package/dist/tokens/requestFire.d.ts +17 -0
package/dist/tokens/requestFire.d.ts.map +1 -0
package/dist/tokens/sessionConfig.d.ts +14 -0
package/dist/tokens/sessionConfig.d.ts.map +1 -0
package/dist/tokens/ternSecureRequest.d.ts +20 -0
package/dist/tokens/ternSecureRequest.d.ts.map +1 -0
package/dist/tokens/ternUrl.d.ts +15 -0
package/dist/tokens/ternUrl.d.ts.map +1 -0
package/dist/tokens/types.d.ts +41 -0
package/dist/tokens/types.d.ts.map +1 -0
package/dist/tokens/verify.d.ts +11 -0
package/dist/tokens/verify.d.ts.map +1 -0
package/dist/utils/admin-init.d.ts +13 -0
package/dist/utils/admin-init.d.ts.map +1 -0
package/dist/{types/utils → utils}/config.d.ts +1 -1
package/dist/utils/config.d.ts.map +1 -0
package/dist/utils/enableDebugLogging.d.ts +5 -0
package/dist/utils/enableDebugLogging.d.ts.map +1 -0
package/dist/utils/errors.d.ts +29 -0
package/dist/utils/errors.d.ts.map +1 -0
package/dist/utils/gemini_admin-init.d.ts +10 -0
package/dist/utils/gemini_admin-init.d.ts.map +1 -0
package/dist/utils/logger.d.ts +28 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/mapDecode.d.ts +4 -0
package/dist/utils/mapDecode.d.ts.map +1 -0
package/dist/utils/options.d.ts +5 -0
package/dist/utils/options.d.ts.map +1 -0
package/dist/utils/path.d.ts +4 -0
package/dist/utils/path.d.ts.map +1 -0
package/dist/utils/redis.d.ts +10 -0
package/dist/utils/redis.d.ts.map +1 -0
package/dist/utils/rfc4648.d.ts +26 -0
package/dist/utils/rfc4648.d.ts.map +1 -0
package/jwt/package.json +5 -0
package/package.json +59 -10
package/dist/cjs/admin/sessionTernSecure.js +0 -256
package/dist/cjs/admin/sessionTernSecure.js.map +0 -1
package/dist/cjs/admin/tenant.js +0 -68
package/dist/cjs/admin/tenant.js.map +0 -1
package/dist/cjs/global.d.js +0 -2
package/dist/cjs/global.d.js.map +0 -1
package/dist/cjs/index.js +0 -48
package/dist/cjs/index.js.map +0 -1
package/dist/cjs/ternsecureauth.js +0 -40
package/dist/cjs/ternsecureauth.js.map +0 -1
package/dist/cjs/utils/admin-init.js +0 -60
package/dist/cjs/utils/admin-init.js.map +0 -1
package/dist/cjs/utils/config.js +0 -113
package/dist/cjs/utils/config.js.map +0 -1
package/dist/esm/admin/sessionTernSecure.js +0 -226
package/dist/esm/admin/sessionTernSecure.js.map +0 -1
package/dist/esm/admin/tenant.js +0 -43
package/dist/esm/admin/tenant.js.map +0 -1
package/dist/esm/global.d.js +0 -1
package/dist/esm/global.d.js.map +0 -1
package/dist/esm/index.js +0 -24
package/dist/esm/index.js.map +0 -1
package/dist/esm/ternsecureauth.js +0 -16
package/dist/esm/ternsecureauth.js.map +0 -1
package/dist/esm/utils/admin-init.js +0 -24
package/dist/esm/utils/admin-init.js.map +0 -1
package/dist/esm/utils/config.js +0 -84
package/dist/esm/utils/config.js.map +0 -1
package/dist/types/admin/sessionTernSecure.d.ts +0 -36
package/dist/types/admin/sessionTernSecure.d.ts.map +0 -1
package/dist/types/admin/tenant.d.ts.map +0 -1
package/dist/types/index.d.ts +0 -5
package/dist/types/index.d.ts.map +0 -1
package/dist/types/ternsecureauth.d.ts.map +0 -1
package/dist/types/utils/admin-init.d.ts +0 -5
package/dist/types/utils/admin-init.d.ts.map +0 -1
package/dist/types/utils/config.d.ts.map +0 -1
/package/dist/{types/admin → admin}/tenant.d.ts +0 -0
/package/dist/{types/ternsecureauth.d.ts → ternsecureauth.d.ts} +0 -0

package/dist/index.mjs ADDED Viewed

@@ -0,0 +1,839 @@
+import {
+  CACHE_CONTROL_REGEX,
+  DEFAULT_CACHE_DURATION,
+  MAX_CACHE_LAST_UPDATED_AT_SECONDS,
+  SESSION_COOKIE_PUBLIC_KEYS_URL,
+  constants,
+  createTernSecureRequest,
+  getSessionConfig
+} from "./chunk-JFOTE3Y5.mjs";
+import {
+  TokenVerificationError,
+  TokenVerificationErrorReason,
+  mapJwtPayloadToDecodedIdToken,
+  ternDecodeJwt,
+  verifyJwt
+} from "./chunk-WZYVAHZ3.mjs";
+// src/tokens/authstate.ts
+var AuthStatus = {
+  SignedIn: "signed-in",
+  SignedOut: "signed-out"
+};
+var AuthErrorReason = {
+  SessionTokenAndUATMissing: "session-token-and-uat-missing",
+  SessionTokenMissing: "session-token-missing",
+  SessionTokenExpired: "session-token-expired",
+  SessionTokenIATBeforeClientUAT: "session-token-iat-before-client-uat",
+  SessionTokenNBF: "session-token-nbf",
+  SessionTokenIatInTheFuture: "session-token-iat-in-the-future",
+  ActiveOrganizationMismatch: "active-organization-mismatch",
+  UnexpectedError: "unexpected-error"
+};
+function createHasAuthorization(decodedIdToken) {
+  return (authorizationParams) => {
+    if (!authorizationParams || typeof authorizationParams !== "object" || Array.isArray(authorizationParams)) {
+      return false;
+    }
+    const claims = decodedIdToken;
+    return Object.entries(authorizationParams).every(([key, value]) => {
+      const claimValue = claims[key];
+      if (typeof claimValue === "undefined") {
+        return false;
+      }
+      if (Array.isArray(value)) {
+        if (Array.isArray(claimValue)) {
+          return value.some((v) => claimValue.includes(v));
+        }
+        return value.includes(claimValue);
+      }
+      if (Array.isArray(claimValue)) {
+        return claimValue.includes(value);
+      }
+      return claimValue === value;
+    });
+  };
+}
+function signedInAuthObject(sessionToken, sessionClaims) {
+  const decodedIdToken = mapJwtPayloadToDecodedIdToken(sessionClaims);
+  return {
+    sessionClaims: {
+      ...decodedIdToken
+    },
+    userId: decodedIdToken.uid,
+    token: sessionToken,
+    require: createHasAuthorization(decodedIdToken),
+    error: null
+  };
+}
+function signedOutAuthObject() {
+  return {
+    sessionClaims: null,
+    userId: null,
+    require: () => false,
+    error: "No active session"
+  };
+}
+function signedIn(sessionClaims, headers = new Headers(), token) {
+  const authObject = signedInAuthObject(token, sessionClaims);
+  return {
+    status: AuthStatus.SignedIn,
+    reason: null,
+    isSignedIn: true,
+    auth: () => authObject,
+    token,
+    headers
+  };
+}
+function signedOut(reason, headers = new Headers()) {
+  return decorateHeaders({
+    status: AuthStatus.SignedOut,
+    reason,
+    isSignedIn: false,
+    auth: () => signedOutAuthObject(),
+    token: null,
+    headers
+  });
+}
+var decorateHeaders = (requestState) => {
+  const headers = new Headers(requestState.headers || {});
+  if (requestState.reason) {
+    try {
+      headers.set(constants.Headers.AuthReason, requestState.reason);
+    } catch {
+    }
+  }
+  if (requestState.status) {
+    try {
+      headers.set(constants.Headers.AuthStatus, requestState.status);
+    } catch {
+    }
+  }
+  requestState.headers = headers;
+  return requestState;
+};
+// src/api/endpoints/SessionApi.ts
+var rootPath = "/sessions";
+var SessionApi = class {
+  constructor(request) {
+    this.request = request;
+  }
+  async createSession(params) {
+    return this.request({
+      method: "POST",
+      path: rootPath,
+      bodyParams: params
+    });
+  }
+};
+// src/runtime.ts
+import { webcrypto as crypto } from "#crypto";
+var globalFetch = fetch.bind(globalThis);
+var runtime = {
+  crypto,
+  get fetch() {
+    return process.env.NODE_ENV === "test" ? fetch : globalFetch;
+  },
+  AbortController: globalThis.AbortController,
+  Blob: globalThis.Blob,
+  FormData: globalThis.FormData,
+  Headers: globalThis.Headers,
+  Request: globalThis.Request,
+  Response: globalThis.Response
+};
+// src/utils/path.ts
+var SEPARATOR = "/";
+var MULTIPLE_SEPARATOR_REGEX = new RegExp("(?<!:)" + SEPARATOR + "{1,}", "g");
+function joinPaths(...args) {
+  return args.filter((p) => p).join(SEPARATOR).replace(MULTIPLE_SEPARATOR_REGEX, SEPARATOR);
+}
+// src/api/request.ts
+function createRequest(options) {
+  const requestFn = async (requestOptions) => {
+    const { apiUrl, apiVersion } = options;
+    const { path, method, queryParams, headerParams, bodyParams, formData } = requestOptions;
+    const url = joinPaths(apiUrl, apiVersion, path);
+    const finalUrl = new URL(url);
+    if (queryParams) {
+      Object.entries(queryParams).forEach(([key, value]) => {
+        if (value) {
+          [value].flat().forEach((v) => finalUrl.searchParams.append(key, v));
+        }
+      });
+    }
+    const headers = {
+      ...headerParams
+    };
+    let res;
+    try {
+      if (formData) {
+        res = await runtime.fetch(finalUrl.href, {
+          method,
+          headers,
+          body: formData
+        });
+      } else {
+        headers["Content-Type"] = "application/json";
+        const hasBody = method !== "GET" && bodyParams && Object.keys(bodyParams).length > 0;
+        const body = hasBody ? { body: JSON.stringify(bodyParams) } : null;
+        res = await runtime.fetch(finalUrl.href, {
+          method,
+          headers,
+          ...body
+        });
+      }
+      const isJSONResponse = res?.headers && res.headers?.get(constants.Headers.ContentType) === constants.ContentTypes.Json;
+      const responseBody = await (isJSONResponse ? res.json() : res.text());
+      if (!res.ok) {
+        return {
+          data: null,
+          errors: parseErrors(responseBody),
+          status: res?.status,
+          statusText: res?.statusText
+        };
+      }
+      return {
+        data: responseBody,
+        errors: null
+      };
+    } catch (error) {
+      if (error instanceof Error) {
+        return {
+          data: null,
+          errors: [
+            {
+              code: "unexpected_error",
+              message: error.message || "An unexpected error occurred"
+            }
+          ]
+        };
+      }
+      return {
+        data: null,
+        errors: parseErrors(error),
+        status: res?.status,
+        statusText: res?.statusText
+      };
+    }
+  };
+  return requestFn;
+}
+function parseErrors(data) {
+  if (!!data && typeof data === "object" && "errors" in data) {
+    const errors = data.errors;
+    return errors.length > 0 ? errors.map(parseError) : [];
+  }
+  return [];
+}
+function parseError(error) {
+  return {
+    code: error.code,
+    message: error.message
+  };
+}
+// src/api/createBackendApi.ts
+function createBackendApi(options) {
+  const request = createRequest(options);
+  return {
+    sessions: new SessionApi(request)
+  };
+}
+// src/utils/options.ts
+var defaultOptions = {
+  apiUrl: void 0,
+  apiVersion: void 0
+};
+function mergePreDefinedOptions(userOptions = {}) {
+  return {
+    ...defaultOptions,
+    ...userOptions
+  };
+}
+// src/tokens/keys.ts
+var cache = {};
+var lastUpdatedAt = 0;
+var googleExpiresAt = 0;
+function getFromCache(kid) {
+  return cache[kid];
+}
+function getCacheValues() {
+  return Object.values(cache);
+}
+function setInCache(kid, certificate, shouldExpire = true) {
+  cache[kid] = certificate;
+  lastUpdatedAt = shouldExpire ? Date.now() : -1;
+}
+async function fetchPublicKeys(keyUrl) {
+  const url = new URL(keyUrl);
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new TokenVerificationError({
+      message: `Error loading public keys from ${url.href} with code=${response.status} `,
+      reason: TokenVerificationErrorReason.TokenInvalid
+    });
+  }
+  const data = await response.json();
+  const expiresAt = getExpiresAt(response);
+  return {
+    keys: data,
+    expiresAt
+  };
+}
+async function loadJWKFromRemote({
+  keyURL = SESSION_COOKIE_PUBLIC_KEYS_URL,
+  skipJwksCache,
+  kid
+}) {
+  if (skipJwksCache || isCacheExpired() || !getFromCache(kid)) {
+    const { keys, expiresAt } = await fetchPublicKeys(keyURL);
+    if (!keys || Object.keys(keys).length === 0) {
+      throw new TokenVerificationError({
+        message: `The JWKS endpoint ${keyURL} returned no keys`,
+        reason: TokenVerificationErrorReason.RemoteJWKFailedToLoad
+      });
+    }
+    googleExpiresAt = expiresAt;
+    Object.entries(keys).forEach(([keyId, cert2]) => {
+      setInCache(keyId, cert2);
+    });
+  }
+  const cert = getFromCache(kid);
+  if (!cert) {
+    getCacheValues();
+    const availableKids = Object.keys(cache).sort().join(", ");
+    throw new TokenVerificationError({
+      message: `No public key found for kid "${kid}". Available kids: [${availableKids}]`,
+      reason: TokenVerificationErrorReason.TokenInvalid
+    });
+  }
+  return cert;
+}
+function isCacheExpired() {
+  const now = Date.now();
+  if (lastUpdatedAt === -1) {
+    return false;
+  }
+  const cacheAge = now - lastUpdatedAt;
+  const maxCacheAge = MAX_CACHE_LAST_UPDATED_AT_SECONDS * 1e3;
+  const localCacheExpired = cacheAge >= maxCacheAge;
+  const googleCacheExpired = now >= googleExpiresAt;
+  const isExpired = localCacheExpired || googleCacheExpired;
+  if (isExpired) {
+    cache = {};
+  }
+  return isExpired;
+}
+function getExpiresAt(res) {
+  const cacheControlHeader = res.headers.get("cache-control");
+  if (!cacheControlHeader) {
+    return Date.now() + DEFAULT_CACHE_DURATION;
+  }
+  const maxAgeMatch = cacheControlHeader.match(CACHE_CONTROL_REGEX);
+  const maxAge = maxAgeMatch ? parseInt(maxAgeMatch[1], 10) : DEFAULT_CACHE_DURATION / 1e3;
+  return Date.now() + maxAge * 1e3;
+}
+// src/tokens/verify.ts
+async function verifyToken(token, options) {
+  const { data: decodedResult, errors } = ternDecodeJwt(token);
+  if (errors) {
+    return { errors };
+  }
+  const { header } = decodedResult;
+  const { kid } = header;
+  if (!kid) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalid,
+          message: 'JWT "kid" header is missing.'
+        })
+      ]
+    };
+  }
+  try {
+    const key = options.jwtKey || await loadJWKFromRemote({ ...options, kid });
+    if (!key) {
+      return {
+        errors: [
+          new TokenVerificationError({
+            reason: TokenVerificationErrorReason.TokenInvalid,
+            message: `No public key found for kid "${kid}".`
+          })
+        ]
+      };
+    }
+    return await verifyJwt(token, { ...options, key });
+  } catch (error) {
+    if (error instanceof TokenVerificationError) {
+      return { errors: [error] };
+    }
+    return {
+      errors: [error]
+    };
+  }
+}
+// src/tokens/request.ts
+var BEARER_PREFIX = "Bearer ";
+var AUTH_COOKIE_NAME = "_session_cookie";
+function extractTokenFromHeader(request) {
+  const authHeader = request.headers.get("Authorization");
+  if (!authHeader || !authHeader.startsWith(BEARER_PREFIX)) {
+    return null;
+  }
+  return authHeader.slice(BEARER_PREFIX.length);
+}
+function extractTokenFromCookie(request, opts) {
+  const cookieHeader = request.headers.get("Cookie") || void 0;
+  const sessionName = getSessionConfig(opts).COOKIE_NAME;
+  if (!cookieHeader) {
+    return null;
+  }
+  const cookies = cookieHeader.split(";").reduce(
+    (acc, cookie) => {
+      const [name, value] = cookie.trim().split("=");
+      acc[name] = value;
+      return acc;
+    },
+    {}
+  );
+  return cookies[AUTH_COOKIE_NAME] || null;
+}
+function hasAuthorizationHeader(request) {
+  return request.headers.has("Authorization");
+}
+async function authenticateRequest(request, options) {
+  async function authenticateRequestWithTokenInCookie() {
+    const token = extractTokenFromCookie(request, options);
+    if (!token) {
+      return signedOut(AuthErrorReason.SessionTokenMissing);
+    }
+    const { data, errors } = await verifyToken(token, options);
+    if (errors) {
+      throw errors[0];
+    }
+    const signedInRequestState = signedIn(data, void 0, token);
+    return signedInRequestState;
+  }
+  async function authenticateRequestWithTokenInHeader() {
+    const token = extractTokenFromHeader(request);
+    if (!token) {
+      return signedOut(AuthErrorReason.SessionTokenMissing);
+    }
+    const { data, errors } = await verifyToken(token, options);
+    if (errors) {
+      throw errors[0];
+    }
+    const signedInRequestState = signedIn(data, void 0, token);
+    return signedInRequestState;
+  }
+  if (hasAuthorizationHeader(request)) {
+    return authenticateRequestWithTokenInHeader();
+  }
+  return authenticateRequestWithTokenInCookie();
+}
+function createAuthenticateRequest(params) {
+  const buildTimeOptions = mergePreDefinedOptions(params.options);
+  const apiClient = params.apiClient;
+  const handleAuthenticateRequest = (request, options = {}) => {
+    const { apiUrl } = buildTimeOptions;
+    return authenticateRequest(request, { ...options, apiUrl, apiClient });
+  };
+  return {
+    authenticateRequest: handleAuthenticateRequest
+  };
+}
+// src/instance/backendInstanceEdge.ts
+function createBackendInstanceClient(options) {
+  const opts = { ...options };
+  const apiClient = createBackendApi(opts);
+  const requestState = createAuthenticateRequest({ options: opts, apiClient });
+  return {
+    ...apiClient,
+    ...requestState
+  };
+}
+// src/tokens/requestFire.ts
+var defaultFirebaseOptions = {
+  apiKey: "",
+  authDomain: "",
+  projectId: "",
+  tenantId: void 0
+};
+function mergePreDefinedOptions2(preDefinedOptions, options) {
+  return Object.keys(preDefinedOptions).reduce(
+    (obj, key) => {
+      return { ...obj, [key]: options[key] || obj[key] };
+    },
+    { ...preDefinedOptions }
+  );
+}
+var BEARER_PREFIX2 = "Bearer ";
+var AUTH_COOKIE_NAME2 = "_session_cookie";
+function extractTokenFromHeader2(request) {
+  const authHeader = request.headers.get("Authorization");
+  if (!authHeader || !authHeader.startsWith(BEARER_PREFIX2)) {
+    return null;
+  }
+  return authHeader.slice(BEARER_PREFIX2.length);
+}
+function extractTokenFromCookie2(request, opts) {
+  const cookieHeader = request.headers.get("Cookie") || void 0;
+  const sessionName = getSessionConfig(opts).COOKIE_NAME;
+  if (!cookieHeader) {
+    return null;
+  }
+  const cookies = cookieHeader.split(";").reduce(
+    (acc, cookie) => {
+      const [name, value] = cookie.trim().split("=");
+      acc[name] = value;
+      return acc;
+    },
+    {}
+  );
+  return cookies[AUTH_COOKIE_NAME2] || null;
+}
+function hasAuthorizationHeader2(request) {
+  return request.headers.has("Authorization");
+}
+async function authenticateRequest2(request, options) {
+  async function authenticateRequestWithTokenInCookie() {
+    const token = extractTokenFromCookie2(request, options);
+    if (!token) {
+      return signedOut(AuthErrorReason.SessionTokenMissing);
+    }
+    const { data, errors } = await verifyToken(token, options);
+    if (errors) {
+      throw errors[0];
+    }
+    const signedInRequestState = signedIn(data, void 0, token);
+    return signedInRequestState;
+  }
+  async function authenticateRequestWithTokenInHeader() {
+    const token = extractTokenFromHeader2(request);
+    if (!token) {
+      return signedOut(AuthErrorReason.SessionTokenMissing);
+    }
+    const { data, errors } = await verifyToken(token, options);
+    if (errors) {
+      throw errors[0];
+    }
+    const signedInRequestState = signedIn(data, void 0, token);
+    return signedInRequestState;
+  }
+  if (hasAuthorizationHeader2(request)) {
+    return authenticateRequestWithTokenInHeader();
+  }
+  return authenticateRequestWithTokenInCookie();
+}
+function createFireAuthenticateRequest(params) {
+  const buildTimeOptions = mergePreDefinedOptions2(defaultFirebaseOptions, params.options);
+  const handleAuthenticateRequest = (request, options = {}) => {
+    const runtimeOptions = { ...buildTimeOptions, ...options };
+    return authenticateRequest2(request, runtimeOptions);
+  };
+  return {
+    authenticateRequest: handleAuthenticateRequest
+  };
+}
+// src/instance/backendFireInstance.ts
+function createFireClient(options) {
+  const opts = { ...options };
+  const apiClient = createBackendApi(opts);
+  const requestState = createFireAuthenticateRequest({ options: opts });
+  return {
+    ...apiClient,
+    ...requestState
+  };
+}
+// src/utils/logger.ts
+var LogLevel = /* @__PURE__ */ ((LogLevel2) => {
+  LogLevel2[LogLevel2["ERROR"] = 0] = "ERROR";
+  LogLevel2[LogLevel2["WARN"] = 1] = "WARN";
+  LogLevel2[LogLevel2["INFO"] = 2] = "INFO";
+  LogLevel2[LogLevel2["DEBUG"] = 3] = "DEBUG";
+  return LogLevel2;
+})(LogLevel || {});
+var Logger = class {
+  options;
+  constructor(options = {}) {
+    this.options = {
+      enabled: false,
+      level: 2 /* INFO */,
+      prefix: "[TernSecure-Backend]",
+      ...options
+    };
+  }
+  enable() {
+    this.options.enabled = true;
+  }
+  disable() {
+    this.options.enabled = false;
+  }
+  setLevel(level) {
+    this.options.level = level;
+  }
+  setPrefix(prefix) {
+    this.options.prefix = prefix;
+  }
+  log(level, levelName, message, ...args) {
+    if (!this.options.enabled || level > this.options.level) {
+      return;
+    }
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const formattedMessage = `${timestamp} ${this.options.prefix} [${levelName}] ${message}`;
+    switch (level) {
+      case 0 /* ERROR */:
+        console.error(formattedMessage, ...args);
+        break;
+      case 1 /* WARN */:
+        console.warn(formattedMessage, ...args);
+        break;
+      case 2 /* INFO */:
+        console.info(formattedMessage, ...args);
+        break;
+      case 3 /* DEBUG */:
+        console.debug(formattedMessage, ...args);
+        break;
+    }
+  }
+  error(message, ...args) {
+    this.log(0 /* ERROR */, "ERROR", message, ...args);
+  }
+  warn(message, ...args) {
+    this.log(1 /* WARN */, "WARN", message, ...args);
+  }
+  info(message, ...args) {
+    this.log(2 /* INFO */, "INFO", message, ...args);
+  }
+  debug(message, ...args) {
+    this.log(3 /* DEBUG */, "DEBUG", message, ...args);
+  }
+};
+var createLogger = (options) => {
+  return new Logger(options);
+};
+var redisLogger = createLogger({ prefix: "[TernSecure-Redis]" });
+var authLogger = createLogger({ prefix: "[TernSecure-Auth]" });
+// src/utils/enableDebugLogging.ts
+function enableDebugLogging() {
+  authLogger.enable();
+  authLogger.setLevel(3 /* DEBUG */);
+  redisLogger.enable();
+  redisLogger.setLevel(3 /* DEBUG */);
+}
+function disableDebugLogging() {
+  authLogger.disable();
+  redisLogger.disable();
+}
+function setLogLevel(level) {
+  authLogger.setLevel(level);
+  redisLogger.setLevel(level);
+}
+// src/adapters/PostgresAdapter.ts
+var PostgresAdapter = class {
+  config;
+  tableName;
+  constructor(config) {
+    this.config = config;
+    this.tableName = config.table || "disabled_users";
+  }
+  getDisabledUser = async (uid) => {
+    try {
+      const response = await fetch(this.config.url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${this.config.token}`
+        },
+        body: JSON.stringify({
+          query: `SELECT uid, email, disabled_time as "disabledTime" FROM ${this.tableName} WHERE uid = $1`,
+          params: [uid]
+        })
+      });
+      if (!response.ok) {
+        throw new Error(`HTTP error! status: ${response.status}`);
+      }
+      const result = await response.json();
+      if (result.rows && result.rows.length > 0) {
+        const row = result.rows[0];
+        const disabledUser = {
+          uid: row.uid,
+          email: row.email,
+          disabledTime: row.disabledTime
+        };
+        authLogger.debug(`Found disabled user: ${uid}`);
+        return disabledUser;
+      }
+      authLogger.debug(`No disabled user found: ${uid}`);
+      return null;
+    } catch (error) {
+      authLogger.error("Failed to fetch disabled user from Postgres:", error);
+      return null;
+    }
+  };
+};
+// src/adapters/RedisAdapter.ts
+import { Redis } from "@upstash/redis";
+var TTLCache = class {
+  cache = /* @__PURE__ */ new Map();
+  defaultTTL;
+  constructor(defaultTTLMs = 6e4) {
+    this.defaultTTL = defaultTTLMs;
+  }
+  set(key, value, ttlMs) {
+    const expiresAt = Date.now() + (ttlMs ?? this.defaultTTL);
+    this.cache.set(key, { value, expiresAt });
+    console.log(`TTLCache.set: key=${key}, value=${JSON.stringify(value)}, expiresAt=${expiresAt}, cacheSize=${this.cache.size}`);
+  }
+  getEntry(key) {
+    const entry = this.cache.get(key);
+    if (!entry) return void 0;
+    const now = Date.now();
+    if (now > entry.expiresAt) {
+      console.log(`TTLCache: key=${key} expired (now=${now}, expiresAt=${entry.expiresAt})`);
+      this.cache.delete(key);
+      return void 0;
+    }
+    return entry;
+  }
+  get(key) {
+    const entry = this.getEntry(key);
+    const hasEntry = entry !== void 0;
+    const cacheHasKey = this.cache.has(key);
+    const rawEntry = this.cache.get(key);
+    console.log(`TTLCache.get: key=${key}, hasEntry=${hasEntry}, cacheHasKey=${cacheHasKey}`);
+    console.log(`TTLCache.get: rawEntry=${JSON.stringify(rawEntry)}, entry=${JSON.stringify(entry)}`);
+    if (!entry) {
+      console.log(`TTLCache.get: no entry found for key=${key}, returning undefined`);
+      return void 0;
+    }
+    console.log(`TTLCache.get: returning value=${JSON.stringify(entry.value)} for key=${key}`);
+    return entry.value;
+  }
+  delete(key) {
+    return this.cache.delete(key);
+  }
+  clear() {
+    this.cache.clear();
+  }
+  cleanup() {
+    const now = Date.now();
+    for (const [key, entry] of this.cache.entries()) {
+      if (now > entry.expiresAt) {
+        this.cache.delete(key);
+      }
+    }
+  }
+};
+var RedisAdapter = class {
+  redis;
+  cache;
+  keyPrefix;
+  constructor(config) {
+    this.redis = new Redis({
+      url: config.url,
+      token: config.token
+    });
+    this.keyPrefix = config.keyPrefix || "disabled_user:";
+    const cacheTTL = config.ttl || 3e4;
+    this.cache = new TTLCache(cacheTTL);
+    setInterval(() => this.cache.cleanup(), 5 * 60 * 1e3);
+  }
+  getDisabledUser = async (uid) => {
+    const cacheKey = `${this.keyPrefix}${uid}`;
+    authLogger.debug(`RedisAdapter: Checking cache for key: ${cacheKey}`);
+    const cachedResult = this.cache.get(cacheKey);
+    authLogger.debug(`RedisAdapter: Cache get result for ${cacheKey}:`, {
+      cachedResult: JSON.stringify(cachedResult),
+      isUndefined: cachedResult === void 0,
+      type: typeof cachedResult
+    });
+    if (cachedResult !== void 0) {
+      authLogger.debug(`Cache hit for disabled user: ${uid}`, {
+        cacheKey,
+        cachedResult: JSON.stringify(cachedResult)
+      });
+      return cachedResult;
+    }
+    authLogger.debug(
+      `Cache miss for disabled user: ${uid}, fetching from Redis with key: ${cacheKey}`
+    );
+    try {
+      const disabledUser = await this.redis.get(cacheKey);
+      authLogger.debug(`Redis returned for key ${cacheKey}:`, {
+        disabledUser: JSON.stringify(disabledUser),
+        type: typeof disabledUser
+      });
+      this.cache.set(cacheKey, disabledUser);
+      authLogger.debug(`Cached disabled user result for: ${uid}`, {
+        cacheKey,
+        isDisabled: !!disabledUser,
+        cachedValue: JSON.stringify(disabledUser)
+      });
+      return disabledUser;
+    } catch (error) {
+      authLogger.error("Failed to fetch disabled user from Redis:", error);
+      return null;
+    }
+  };
+  invalidateCache(uid) {
+    const cacheKey = `${this.keyPrefix}${uid}`;
+    this.cache.delete(cacheKey);
+  }
+};
+// src/adapters/index.ts
+function createAdapter(config) {
+  switch (config.type) {
+    case "redis":
+      return new RedisAdapter(config.config);
+    case "postgres":
+      return new PostgresAdapter(config.config);
+    default:
+      throw new Error(`Unsupported adapter type: ${config.type}`);
+  }
+}
+function validateCheckRevokedOptions(options) {
+  if (options?.enabled && !options.adapter) {
+    return {
+      isValid: false,
+      error: "When checkRevoked.enabled is true, an adapter must be provided"
+    };
+  }
+  return { isValid: true };
+}
+export {
+  AuthStatus,
+  LogLevel,
+  PostgresAdapter,
+  RedisAdapter,
+  constants,
+  createAdapter,
+  createBackendInstanceClient,
+  createFireClient,
+  createTernSecureRequest,
+  disableDebugLogging,
+  enableDebugLogging,
+  setLogLevel,
+  signedIn,
+  signedInAuthObject,
+  signedOutAuthObject,
+  validateCheckRevokedOptions
+};
+//# sourceMappingURL=index.mjs.map