@tern-secure/backend 1.1.6 → 1.1.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/admin/package.json +5 -0
- package/dist/adapters/PostgresAdapter.d.ts +8 -0
- package/dist/adapters/PostgresAdapter.d.ts.map +1 -0
- package/dist/adapters/RedisAdapter.d.ts +10 -0
- package/dist/adapters/RedisAdapter.d.ts.map +1 -0
- package/dist/adapters/index.d.ts +13 -0
- package/dist/adapters/index.d.ts.map +1 -0
- package/dist/adapters/types.d.ts +30 -0
- package/dist/adapters/types.d.ts.map +1 -0
- package/dist/admin/gemini_sessionTernSecure.d.ts +10 -0
- package/dist/admin/gemini_sessionTernSecure.d.ts.map +1 -0
- package/dist/admin/index.d.ts +8 -0
- package/dist/admin/index.d.ts.map +1 -0
- package/dist/admin/index.js +705 -0
- package/dist/admin/index.js.map +1 -0
- package/dist/admin/index.mjs +512 -0
- package/dist/admin/index.mjs.map +1 -0
- package/dist/admin/nextSessionTernSecure.d.ts +28 -0
- package/dist/admin/nextSessionTernSecure.d.ts.map +1 -0
- package/dist/admin/sessionTernSecure.d.ts +6 -0
- package/dist/admin/sessionTernSecure.d.ts.map +1 -0
- package/dist/admin/tenant.d.ts.map +1 -0
- package/dist/api/createBackendApi.d.ts +8 -0
- package/dist/api/createBackendApi.d.ts.map +1 -0
- package/dist/api/endpoints/SessionApi.d.ts +12 -0
- package/dist/api/endpoints/SessionApi.d.ts.map +1 -0
- package/dist/api/endpoints/index.d.ts +2 -0
- package/dist/api/endpoints/index.d.ts.map +1 -0
- package/dist/api/index.d.ts +2 -0
- package/dist/api/index.d.ts.map +1 -0
- package/dist/api/request.d.ts +36 -0
- package/dist/api/request.d.ts.map +1 -0
- package/dist/chunk-JFOTE3Y5.mjs +157 -0
- package/dist/chunk-JFOTE3Y5.mjs.map +1 -0
- package/dist/chunk-WZYVAHZ3.mjs +318 -0
- package/dist/chunk-WZYVAHZ3.mjs.map +1 -0
- package/dist/constants.d.ts +63 -0
- package/dist/constants.d.ts.map +1 -0
- package/dist/index.d.ts +14 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +1307 -0
- package/dist/index.js.map +1 -0
- package/dist/index.mjs +839 -0
- package/dist/index.mjs.map +1 -0
- package/dist/instance/backendFireInstance.d.ts +7 -0
- package/dist/instance/backendFireInstance.d.ts.map +1 -0
- package/dist/instance/backendInstance.d.ts +20 -0
- package/dist/instance/backendInstance.d.ts.map +1 -0
- package/dist/instance/backendInstanceEdge.d.ts +13 -0
- package/dist/instance/backendInstanceEdge.d.ts.map +1 -0
- package/dist/jwt/algorithms.d.ts +3 -0
- package/dist/jwt/algorithms.d.ts.map +1 -0
- package/dist/jwt/cryptoKeys.d.ts +3 -0
- package/dist/jwt/cryptoKeys.d.ts.map +1 -0
- package/dist/jwt/guardReturn.d.ts +3 -0
- package/dist/jwt/guardReturn.d.ts.map +1 -0
- package/dist/jwt/index.d.ts +4 -0
- package/dist/jwt/index.d.ts.map +1 -0
- package/dist/jwt/index.js +332 -0
- package/dist/jwt/index.js.map +1 -0
- package/dist/jwt/index.mjs +139 -0
- package/dist/jwt/index.mjs.map +1 -0
- package/dist/jwt/jwt.d.ts +4 -0
- package/dist/jwt/jwt.d.ts.map +1 -0
- package/dist/jwt/signJwt.d.ts +5 -0
- package/dist/jwt/signJwt.d.ts.map +1 -0
- package/dist/jwt/types.d.ts +8 -0
- package/dist/jwt/types.d.ts.map +1 -0
- package/dist/jwt/verifyContent.d.ts +7 -0
- package/dist/jwt/verifyContent.d.ts.map +1 -0
- package/dist/jwt/verifyJwt.d.ts +12 -0
- package/dist/jwt/verifyJwt.d.ts.map +1 -0
- package/dist/runtime/browser/crypto.mjs +1 -0
- package/dist/runtime/node/crypto.js +1 -0
- package/dist/runtime/node/crypto.mjs +1 -0
- package/dist/runtime.d.ts +26 -0
- package/dist/runtime.d.ts.map +1 -0
- package/dist/ternsecureauth.d.ts.map +1 -0
- package/dist/tokens/authstate.d.ts +61 -0
- package/dist/tokens/authstate.d.ts.map +1 -0
- package/dist/tokens/keys.d.ts +16 -0
- package/dist/tokens/keys.d.ts.map +1 -0
- package/dist/tokens/request.d.ts +16 -0
- package/dist/tokens/request.d.ts.map +1 -0
- package/dist/tokens/requestFire.d.ts +17 -0
- package/dist/tokens/requestFire.d.ts.map +1 -0
- package/dist/tokens/sessionConfig.d.ts +14 -0
- package/dist/tokens/sessionConfig.d.ts.map +1 -0
- package/dist/tokens/ternSecureRequest.d.ts +20 -0
- package/dist/tokens/ternSecureRequest.d.ts.map +1 -0
- package/dist/tokens/ternUrl.d.ts +15 -0
- package/dist/tokens/ternUrl.d.ts.map +1 -0
- package/dist/tokens/types.d.ts +41 -0
- package/dist/tokens/types.d.ts.map +1 -0
- package/dist/tokens/verify.d.ts +11 -0
- package/dist/tokens/verify.d.ts.map +1 -0
- package/dist/utils/admin-init.d.ts +13 -0
- package/dist/utils/admin-init.d.ts.map +1 -0
- package/dist/{types/utils → utils}/config.d.ts +1 -1
- package/dist/utils/config.d.ts.map +1 -0
- package/dist/utils/enableDebugLogging.d.ts +5 -0
- package/dist/utils/enableDebugLogging.d.ts.map +1 -0
- package/dist/utils/errors.d.ts +29 -0
- package/dist/utils/errors.d.ts.map +1 -0
- package/dist/utils/gemini_admin-init.d.ts +10 -0
- package/dist/utils/gemini_admin-init.d.ts.map +1 -0
- package/dist/utils/logger.d.ts +28 -0
- package/dist/utils/logger.d.ts.map +1 -0
- package/dist/utils/mapDecode.d.ts +4 -0
- package/dist/utils/mapDecode.d.ts.map +1 -0
- package/dist/utils/options.d.ts +5 -0
- package/dist/utils/options.d.ts.map +1 -0
- package/dist/utils/path.d.ts +4 -0
- package/dist/utils/path.d.ts.map +1 -0
- package/dist/utils/redis.d.ts +10 -0
- package/dist/utils/redis.d.ts.map +1 -0
- package/dist/utils/rfc4648.d.ts +26 -0
- package/dist/utils/rfc4648.d.ts.map +1 -0
- package/jwt/package.json +5 -0
- package/package.json +59 -10
- package/dist/cjs/admin/sessionTernSecure.js +0 -256
- package/dist/cjs/admin/sessionTernSecure.js.map +0 -1
- package/dist/cjs/admin/tenant.js +0 -68
- package/dist/cjs/admin/tenant.js.map +0 -1
- package/dist/cjs/global.d.js +0 -2
- package/dist/cjs/global.d.js.map +0 -1
- package/dist/cjs/index.js +0 -48
- package/dist/cjs/index.js.map +0 -1
- package/dist/cjs/ternsecureauth.js +0 -40
- package/dist/cjs/ternsecureauth.js.map +0 -1
- package/dist/cjs/utils/admin-init.js +0 -60
- package/dist/cjs/utils/admin-init.js.map +0 -1
- package/dist/cjs/utils/config.js +0 -113
- package/dist/cjs/utils/config.js.map +0 -1
- package/dist/esm/admin/sessionTernSecure.js +0 -226
- package/dist/esm/admin/sessionTernSecure.js.map +0 -1
- package/dist/esm/admin/tenant.js +0 -43
- package/dist/esm/admin/tenant.js.map +0 -1
- package/dist/esm/global.d.js +0 -1
- package/dist/esm/global.d.js.map +0 -1
- package/dist/esm/index.js +0 -24
- package/dist/esm/index.js.map +0 -1
- package/dist/esm/ternsecureauth.js +0 -16
- package/dist/esm/ternsecureauth.js.map +0 -1
- package/dist/esm/utils/admin-init.js +0 -24
- package/dist/esm/utils/admin-init.js.map +0 -1
- package/dist/esm/utils/config.js +0 -84
- package/dist/esm/utils/config.js.map +0 -1
- package/dist/types/admin/sessionTernSecure.d.ts +0 -36
- package/dist/types/admin/sessionTernSecure.d.ts.map +0 -1
- package/dist/types/admin/tenant.d.ts.map +0 -1
- package/dist/types/index.d.ts +0 -5
- package/dist/types/index.d.ts.map +0 -1
- package/dist/types/ternsecureauth.d.ts.map +0 -1
- package/dist/types/utils/admin-init.d.ts +0 -5
- package/dist/types/utils/admin-init.d.ts.map +0 -1
- package/dist/types/utils/config.d.ts.map +0 -1
- /package/dist/{types/admin → admin}/tenant.d.ts +0 -0
- /package/dist/{types/ternsecureauth.d.ts → ternsecureauth.d.ts} +0 -0
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/tokens/authstate.ts","../src/api/endpoints/SessionApi.ts","../src/runtime.ts","../src/utils/path.ts","../src/api/request.ts","../src/api/createBackendApi.ts","../src/utils/options.ts","../src/tokens/keys.ts","../src/tokens/verify.ts","../src/tokens/request.ts","../src/instance/backendInstanceEdge.ts","../src/tokens/requestFire.ts","../src/instance/backendFireInstance.ts","../src/utils/logger.ts","../src/utils/enableDebugLogging.ts","../src/adapters/PostgresAdapter.ts","../src/adapters/RedisAdapter.ts","../src/adapters/index.ts"],"sourcesContent":["import type { CheckAuthorizationFromSessionClaims, DecodedIdToken } from '@tern-secure/types';\nimport type { JWTPayload } from 'jose';\n\nimport { constants } from '../constants';\nimport type { TokenVerificationErrorReason } from '../utils/errors';\nimport { mapJwtPayloadToDecodedIdToken } from '../utils/mapDecode';\nimport type { TernSecureRequest } from './ternSecureRequest';\n\nexport const AuthStatus = {\n SignedIn: 'signed-in',\n SignedOut: 'signed-out',\n} as const;\n\nexport type AuthStatus = (typeof AuthStatus)[keyof typeof AuthStatus];\n\nexport const AuthErrorReason = {\n SessionTokenAndUATMissing: 'session-token-and-uat-missing',\n SessionTokenMissing: 'session-token-missing',\n SessionTokenExpired: 'session-token-expired',\n SessionTokenIATBeforeClientUAT: 'session-token-iat-before-client-uat',\n SessionTokenNBF: 'session-token-nbf',\n SessionTokenIatInTheFuture: 'session-token-iat-in-the-future',\n ActiveOrganizationMismatch: 'active-organization-mismatch',\n UnexpectedError: 'unexpected-error',\n} as const;\n\nexport type AuthErrorReason = (typeof AuthErrorReason)[keyof typeof AuthErrorReason];\n\nexport type AuthReason = AuthErrorReason | TokenVerificationErrorReason;\n\nexport type SignedInAuthObject = {\n sessionClaims: DecodedIdToken;\n userId: string;\n token: string;\n require: CheckAuthorizationFromSessionClaims;\n error: string | null;\n};\n\nexport type SignedOutAuthObject = {\n sessionClaims: null;\n userId: null;\n require: CheckAuthorizationFromSessionClaims;\n error: string | null;\n};\n\nexport type SignedInState = {\n status: typeof AuthStatus.SignedIn;\n reason: null;\n isSignedIn: true;\n auth: () => SignedInAuthObject;\n token: string;\n headers: Headers;\n};\n\nexport type SignedOutState = {\n status: typeof AuthStatus.SignedOut;\n reason: string;\n isSignedIn: false;\n auth: () => SignedOutAuthObject;\n token: null;\n headers: Headers;\n};\n\nexport type RequestState = SignedInState | SignedOutState;\n\nexport interface BackendInstance {\n ternSecureRequest: TernSecureRequest;\n requestState: RequestState;\n}\n\nexport type AuthObject = SignedInAuthObject | SignedOutAuthObject;\n\nfunction createHasAuthorization(\n decodedIdToken: DecodedIdToken,\n): CheckAuthorizationFromSessionClaims {\n return (authorizationParams: any) => {\n if (\n !authorizationParams ||\n typeof authorizationParams !== 'object' ||\n Array.isArray(authorizationParams)\n ) {\n return false;\n }\n const claims = decodedIdToken as Record<string, any>;\n\n return Object.entries(authorizationParams).every(([key, value]) => {\n const claimValue = claims[key];\n if (typeof claimValue === 'undefined') {\n return false;\n }\n if (Array.isArray(value)) {\n if (Array.isArray(claimValue)) {\n return value.some(v => claimValue.includes(v));\n }\n return value.includes(claimValue);\n }\n\n if (Array.isArray(claimValue)) {\n return claimValue.includes(value);\n }\n return claimValue === value;\n });\n };\n}\n\nexport function signedInAuthObject(\n sessionToken: string,\n sessionClaims: JWTPayload,\n): SignedInAuthObject {\n const decodedIdToken = mapJwtPayloadToDecodedIdToken(sessionClaims);\n return {\n sessionClaims: {\n ...decodedIdToken,\n },\n userId: decodedIdToken.uid,\n token: sessionToken,\n require: createHasAuthorization(decodedIdToken),\n error: null,\n };\n}\n\nexport function signedOutAuthObject(): SignedOutAuthObject {\n return {\n sessionClaims: null,\n userId: null,\n require: () => false,\n error: 'No active session',\n };\n}\n\nexport function signedIn(\n sessionClaims: JWTPayload,\n headers: Headers = new Headers(),\n token: string,\n): SignedInState {\n const authObject = signedInAuthObject(token, sessionClaims);\n return {\n status: AuthStatus.SignedIn,\n reason: null,\n isSignedIn: true,\n auth: () => authObject,\n token,\n headers,\n };\n}\n\nexport function signedOut(reason: AuthReason, headers: Headers = new Headers()): SignedOutState {\n return decorateHeaders({\n status: AuthStatus.SignedOut,\n reason,\n isSignedIn: false,\n auth: () => signedOutAuthObject(),\n token: null,\n headers,\n });\n}\n\nconst decorateHeaders = <T extends RequestState>(requestState: T): T => {\n const headers = new Headers(requestState.headers || {});\n if (requestState.reason) {\n try {\n headers.set(constants.Headers.AuthReason, requestState.reason);\n } catch {\n // Ignore errors\n }\n }\n\n if (requestState.status) {\n try {\n headers.set(constants.Headers.AuthStatus, requestState.status);\n } catch {\n // Ignore errors\n }\n }\n requestState.headers = headers;\n return requestState;\n};\n","import type { RequestFunction } from \"../request\";\n\nconst rootPath = \"/sessions\";\n\ntype CreateSessionParams = {\n idToken: string;\n csrfToken: string;\n};\n\nexport class SessionApi {\n constructor(protected request: RequestFunction) {}\n\n public async createSession(params: CreateSessionParams) {\n return this.request({\n method: \"POST\",\n path: rootPath,\n bodyParams: params,\n });\n }\n}\n","/**\n * This file exports APIs that vary across runtimes (i.e. Node & Browser - V8 isolates)\n * as a singleton object.\n *\n * Runtime polyfills are written in VanillaJS for now to avoid TS complication. Moreover,\n * due to this issue https://github.com/microsoft/TypeScript/issues/44848, there is not a good way\n * to tell Typescript which conditional import to use during build type.\n *\n * The Runtime type definition ensures type safety for now.\n * Runtime js modules are copied into dist folder with bash script.\n *\n * TODO: Support TS runtime modules\n */\n\n// @ts-ignore - These are package subpaths\nimport { webcrypto as crypto } from '#crypto';\n\ntype Runtime = {\n crypto: Crypto;\n fetch: typeof globalThis.fetch;\n AbortController: typeof globalThis.AbortController;\n Blob: typeof globalThis.Blob;\n FormData: typeof globalThis.FormData;\n Headers: typeof globalThis.Headers;\n Request: typeof globalThis.Request;\n Response: typeof globalThis.Response;\n};\n\n// Invoking the global.fetch without binding it first to the globalObject fails in\n// Cloudflare Workers with an \"Illegal Invocation\" error.\n//\n// The globalThis object is supported for Node >= 12.0.\n//\n// https://github.com/supabase/supabase/issues/4417\nconst globalFetch = fetch.bind(globalThis);\n\nexport const runtime: Runtime = {\n crypto,\n get fetch() {\n // We need to use the globalFetch for Cloudflare Workers but the fetch for testing\n return process.env.NODE_ENV === 'test' ? fetch : globalFetch;\n },\n AbortController: globalThis.AbortController,\n Blob: globalThis.Blob,\n FormData: globalThis.FormData,\n Headers: globalThis.Headers,\n Request: globalThis.Request,\n Response: globalThis.Response,\n};\n","const SEPARATOR = '/';\nconst MULTIPLE_SEPARATOR_REGEX = new RegExp('(?<!:)' + SEPARATOR + '{1,}', 'g');\n\ntype PathString = string | null | undefined;\n\nexport function joinPaths(...args: PathString[]): string {\n return args\n .filter(p => p)\n .join(SEPARATOR)\n .replace(MULTIPLE_SEPARATOR_REGEX, SEPARATOR);\n}\n","import type {\n TernSecureAPIError,\n TernSecureApiErrorJSON,\n} from \"@tern-secure/types\";\n\nimport { constants } from \"../constants\";\nimport { runtime } from \"../runtime\";\nimport { joinPaths } from \"../utils/path\";\n\nexport type HTTPMethod = \"DELETE\" | \"GET\" | \"PATCH\" | \"POST\" | \"PUT\";\nexport type BackendApiRequestOptions = {\n method?: HTTPMethod;\n queryParams?: Record<string, unknown>;\n headerParams?: Record<string, string>;\n bodyParams?: Record<string, unknown>;\n formData?: FormData;\n} & ({ url: string; path?: string } | { url?: string; path: string });\n\nexport type BackendApiResponse<T> =\n | {\n data: T;\n errors: null;\n totalCount?: number;\n }\n | {\n data: null;\n errors: TernSecureAPIError[];\n totalCount?: never;\n status?: number;\n statusText?: string;\n retryAfter?: number;\n };\n\nexport type RequestFunction = ReturnType<typeof createRequest>;\n\ntype CreateRequestOptions = {\n apiUrl?: string;\n apiVersion?: string;\n};\n\nexport function createRequest(options: CreateRequestOptions) {\n const requestFn = async <T>(\n requestOptions: BackendApiRequestOptions\n ): Promise<BackendApiResponse<T>> => {\n const { apiUrl, apiVersion } = options;\n const { path, method, queryParams, headerParams, bodyParams, formData } =\n requestOptions;\n\n const url = joinPaths(apiUrl, apiVersion, path);\n const finalUrl = new URL(url);\n\n if (queryParams) {\n Object.entries(queryParams).forEach(([key, value]) => {\n if (value) {\n [value].flat().forEach(v => finalUrl.searchParams.append(key, v as string));\n }\n });\n }\n\n const headers: Record<string, any> = {\n ...headerParams,\n };\n let res: Response | undefined;\n\n try {\n if (formData) {\n res = await runtime.fetch(finalUrl.href, {\n method,\n headers,\n body: formData,\n });\n } else {\n headers[\"Content-Type\"] = \"application/json\";\n const hasBody =\n method !== \"GET\" && bodyParams && Object.keys(bodyParams).length > 0;\n const body = hasBody ? { body: JSON.stringify(bodyParams) } : null;\n\n res = await runtime.fetch(finalUrl.href, {\n method,\n headers,\n ...body,\n });\n }\n\n const isJSONResponse =\n res?.headers &&\n res.headers?.get(constants.Headers.ContentType) ===\n constants.ContentTypes.Json;\n const responseBody = await (isJSONResponse ? res.json() : res.text());\n\n if (!res.ok) {\n return {\n data: null,\n errors: parseErrors(responseBody),\n status: res?.status,\n statusText: res?.statusText,\n };\n }\n\n return {\n data: responseBody,\n errors: null,\n };\n } catch (error) {\n if (error instanceof Error) {\n return {\n data: null,\n errors: [\n {\n code: \"unexpected_error\",\n message: error.message || \"An unexpected error occurred\",\n },\n ],\n };\n }\n\n return {\n data: null,\n errors: parseErrors(error),\n status: res?.status,\n statusText: res?.statusText,\n };\n }\n };\n return requestFn;\n}\n\nfunction parseErrors(data: unknown): TernSecureAPIError[] {\n if (!!data && typeof data === \"object\" && \"errors\" in data) {\n const errors = data.errors as TernSecureApiErrorJSON[];\n return errors.length > 0 ? errors.map(parseError) : [];\n }\n return [];\n}\n\nexport function parseError(error: TernSecureApiErrorJSON): TernSecureAPIError {\n return {\n code: error.code,\n message: error.message,\n };\n}\n","import { SessionApi } from \"./endpoints\";\nimport { createRequest } from './request'\n\nexport type CreateBackendApiOptions = Parameters<typeof createRequest>[0];\nexport type ApiClient = ReturnType<typeof createBackendApi>;\n\nexport function createBackendApi(options: CreateBackendApiOptions) {\n const request = createRequest(options);\n return {\n sessions: new SessionApi(request),\n };\n}","import type {RequestOptions } from \"../tokens/types\";\n\nexport type RuntimeOptions = Omit<RequestOptions, \"apiUrl\">;\n\nexport type buildTimeOptions = Partial<Pick<RequestOptions, \"apiUrl\" | \"apiVersion\">>;\n\nconst defaultOptions: buildTimeOptions = {\n apiUrl: undefined,\n apiVersion: undefined,\n};\n\nexport function mergePreDefinedOptions(\n userOptions: buildTimeOptions = {}\n): buildTimeOptions {\n return {\n ...defaultOptions,\n ...userOptions,\n };\n}","import { type RemoteJWKSetOptions } from 'jose';\n\nimport {\n CACHE_CONTROL_REGEX,\n DEFAULT_CACHE_DURATION,\n MAX_CACHE_LAST_UPDATED_AT_SECONDS,\n SESSION_COOKIE_PUBLIC_KEYS_URL,\n} from '../constants';\nimport { TokenVerificationError, TokenVerificationErrorReason } from '../utils/errors';\n\nexport type PublicKeys = { [key: string]: string };\n\ninterface PublicKeysResponse {\n keys: PublicKeys;\n expiresAt: number;\n}\n\nexport type LoadJWKFromRemoteOptions = RemoteJWKSetOptions & {\n kid: string;\n keyURL?: string;\n skipJwksCache?: boolean;\n};\n\ntype CertificateCache = Record<string, string>;\n\nlet cache: CertificateCache = {};\nlet lastUpdatedAt = 0;\nlet googleExpiresAt = 0;\n\nfunction getFromCache(kid: string) {\n return cache[kid];\n}\n\nfunction getCacheValues() {\n return Object.values(cache);\n}\n\nfunction setInCache(kid: string, certificate: string, shouldExpire = true) {\n cache[kid] = certificate;\n lastUpdatedAt = shouldExpire ? Date.now() : -1;\n}\n\nasync function fetchPublicKeys(keyUrl: string): Promise<PublicKeysResponse> {\n const url = new URL(keyUrl);\n const response = await fetch(url);\n if (!response.ok) {\n throw new TokenVerificationError({\n message: `Error loading public keys from ${url.href} with code=${response.status} `,\n reason: TokenVerificationErrorReason.TokenInvalid,\n });\n }\n\n const data = await response.json();\n const expiresAt = getExpiresAt(response);\n\n return {\n keys: data,\n expiresAt,\n };\n}\n\nexport async function loadJWKFromRemote({\n keyURL = SESSION_COOKIE_PUBLIC_KEYS_URL,\n skipJwksCache,\n kid,\n}: LoadJWKFromRemoteOptions): Promise<string> {\n if (skipJwksCache || isCacheExpired() || !getFromCache(kid)) {\n const { keys, expiresAt } = await fetchPublicKeys(keyURL);\n\n if (!keys || Object.keys(keys).length === 0) {\n throw new TokenVerificationError({\n message: `The JWKS endpoint ${keyURL} returned no keys`,\n reason: TokenVerificationErrorReason.RemoteJWKFailedToLoad,\n });\n }\n googleExpiresAt = expiresAt;\n\n Object.entries(keys).forEach(([keyId, cert]) => {\n setInCache(keyId, cert);\n });\n }\n const cert = getFromCache(kid);\n if (!cert) {\n getCacheValues();\n const availableKids = Object.keys(cache).sort().join(', ');\n\n throw new TokenVerificationError({\n message: `No public key found for kid \"${kid}\". Available kids: [${availableKids}]`,\n reason: TokenVerificationErrorReason.TokenInvalid,\n });\n }\n return cert;\n}\n\nfunction isCacheExpired() {\n const now = Date.now();\n if (lastUpdatedAt === -1) {\n return false;\n }\n\n const cacheAge = now - lastUpdatedAt;\n const maxCacheAge = MAX_CACHE_LAST_UPDATED_AT_SECONDS * 1000;\n const localCacheExpired = cacheAge >= maxCacheAge;\n const googleCacheExpired = now >= googleExpiresAt;\n\n const isExpired = localCacheExpired || googleCacheExpired;\n\n if (isExpired) {\n cache = {};\n }\n\n return isExpired;\n}\n\nfunction getExpiresAt(res: Response) {\n const cacheControlHeader = res.headers.get('cache-control');\n if (!cacheControlHeader) {\n return Date.now() + DEFAULT_CACHE_DURATION;\n }\n const maxAgeMatch = cacheControlHeader.match(CACHE_CONTROL_REGEX);\n const maxAge = maxAgeMatch ? parseInt(maxAgeMatch[1], 10) : DEFAULT_CACHE_DURATION / 1000;\n\n return Date.now() + maxAge * 1000;\n}\n\nexport const getCacheStats = () => ({\n localExpiry: lastUpdatedAt + MAX_CACHE_LAST_UPDATED_AT_SECONDS * 1000,\n googleExpiry: googleExpiresAt,\n cacheCount: Object.keys(cache).length,\n});\n","import type { DecodedIdToken, TernSecureConfig } from '@tern-secure/types';\n\nimport type { JwtReturnType } from '../jwt/types';\nimport { ternDecodeJwt, verifyJwt, type VerifyJwtOptions } from '../jwt/verifyJwt';\nimport { TokenVerificationError, TokenVerificationErrorReason } from '../utils/errors';\nimport type { LoadJWKFromRemoteOptions } from './keys';\nimport { loadJWKFromRemote } from './keys';\n\nexport type VerifyTokenVOptions = Omit<VerifyJwtOptions, 'key'> & Omit<LoadJWKFromRemoteOptions, 'kid'> & {\n jwtKey?: string;\n};\n\nexport { TernSecureConfig };\n\nexport async function verifyToken(\n token: string,\n options: VerifyTokenVOptions,\n): Promise<JwtReturnType<DecodedIdToken, TokenVerificationError>> {\n const { data: decodedResult, errors } = ternDecodeJwt(token);\n\n if (errors) {\n return { errors };\n }\n\n const { header } = decodedResult;\n const { kid } = header;\n\n if (!kid) {\n return {\n errors: [\n new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalid,\n message: 'JWT \"kid\" header is missing.',\n }),\n ],\n };\n }\n\n try {\n const key = options.jwtKey || (await loadJWKFromRemote({ ...options, kid }));\n\n if (!key) {\n return {\n errors: [\n new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalid,\n message: `No public key found for kid \"${kid}\".`,\n }),\n ],\n };\n }\n return await verifyJwt(token, { ...options, key });\n } catch (error) {\n if (error instanceof TokenVerificationError) {\n return { errors: [error] };\n }\n return {\n errors: [error as TokenVerificationError],\n };\n }\n}\n","import type { ApiClient } from '../api';\nimport {\n type buildTimeOptions,\n mergePreDefinedOptions,\n type RuntimeOptions,\n} from '../utils/options';\nimport type { RequestState } from './authstate';\nimport { AuthErrorReason, signedIn, signedOut } from './authstate';\nimport { getSessionConfig } from './sessionConfig';\nimport type { RequestOptions } from './types';\nimport { verifyToken } from './verify';\n\nconst BEARER_PREFIX = 'Bearer ';\nconst AUTH_COOKIE_NAME = '_session_cookie';\n\nfunction extractTokenFromHeader(request: Request): string | null {\n const authHeader = request.headers.get('Authorization');\n\n if (!authHeader || !authHeader.startsWith(BEARER_PREFIX)) {\n return null;\n }\n\n return authHeader.slice(BEARER_PREFIX.length);\n}\n\nfunction extractTokenFromCookie(request: Request, opts: RequestOptions): string | null {\n const cookieHeader = request.headers.get('Cookie') || undefined;\n const sessionName = getSessionConfig(opts).COOKIE_NAME;\n\n if (!cookieHeader) {\n return null;\n }\n\n const cookies = cookieHeader.split(';').reduce(\n (acc, cookie) => {\n const [name, value] = cookie.trim().split('=');\n acc[name] = value;\n return acc;\n },\n {} as Record<string, string>,\n );\n\n return cookies[AUTH_COOKIE_NAME] || null;\n}\n\nfunction hasAuthorizationHeader(request: Request): boolean {\n return request.headers.has('Authorization');\n}\n\nexport async function authenticateRequest(\n request: Request,\n options: RequestOptions,\n): Promise<RequestState> {\n async function authenticateRequestWithTokenInCookie() {\n const token = extractTokenFromCookie(request, options);\n if (!token) {\n return signedOut(AuthErrorReason.SessionTokenMissing);\n }\n const { data, errors } = await verifyToken(token, options);\n\n if (errors) {\n throw errors[0];\n }\n\n const signedInRequestState = signedIn(data, undefined, token);\n return signedInRequestState;\n }\n\n async function authenticateRequestWithTokenInHeader() {\n const token = extractTokenFromHeader(request);\n if (!token) {\n return signedOut(AuthErrorReason.SessionTokenMissing);\n }\n\n const { data, errors } = await verifyToken(token, options);\n\n if (errors) {\n throw errors[0];\n }\n\n const signedInRequestState = signedIn(data, undefined, token);\n return signedInRequestState;\n }\n\n if (hasAuthorizationHeader(request)) {\n return authenticateRequestWithTokenInHeader();\n }\n\n return authenticateRequestWithTokenInCookie();\n}\n\n/**\n * @internal\n */\nexport type CreateAuthenticateRequestOptions = {\n options: buildTimeOptions;\n apiClient: ApiClient;\n};\n\nexport function createAuthenticateRequest(params: CreateAuthenticateRequestOptions) {\n const buildTimeOptions = mergePreDefinedOptions(params.options);\n const apiClient = params.apiClient;\n\n const handleAuthenticateRequest = (request: Request, options: RuntimeOptions = {}) => {\n const { apiUrl } = buildTimeOptions;\n return authenticateRequest(request, { ...options, apiUrl, apiClient });\n };\n\n return {\n authenticateRequest: handleAuthenticateRequest,\n };\n}\n","import type { ApiClient,CreateBackendApiOptions} from \"../api\";\r\nimport { createBackendApi } from \"../api\";\r\nimport type { RequestState } from \"../tokens/authstate\";\r\nimport type { CreateAuthenticateRequestOptions } from \"../tokens/request\";\r\nimport { createAuthenticateRequest } from \"../tokens/request\";\r\nimport type {\r\n TernSecureRequest,\r\n} from \"../tokens/ternSecureRequest\";\r\n\r\nexport type TernSecureBackendOptions = CreateBackendApiOptions & CreateAuthenticateRequestOptions['options']\r\n\r\nexport type TernSecureBackendClient = ApiClient & ReturnType<typeof createAuthenticateRequest>;\r\n\r\nexport interface BackendInstance {\r\n ternSecureRequest: TernSecureRequest;\r\n requestState: RequestState;\r\n}\r\n\r\nexport function createBackendInstanceClient(options: TernSecureBackendOptions): TernSecureBackendClient {\r\n const opts = { ...options };\r\n const apiClient = createBackendApi(opts);\r\n const requestState = createAuthenticateRequest({options: opts, apiClient});\r\n\r\n return {\r\n ...apiClient,\r\n ...requestState,\r\n };\r\n}\r\n","import type { RequestState } from './authstate';\nimport { AuthErrorReason, signedIn, signedOut } from './authstate';\nimport { getSessionConfig } from './sessionConfig';\nimport type { AuthenticateFireRequestOptions, RequestOptions } from './types';\nimport { verifyToken } from './verify';\n\ntype RuntimeOptions = Omit<AuthenticateFireRequestOptions, 'firebaseConfig'>;\n\ntype FirebaseOptions = Partial<Pick<AuthenticateFireRequestOptions, 'firebaseConfig'>>;\n\nconst defaultFirebaseOptions = {\n apiKey: '',\n authDomain: '',\n projectId: '',\n tenantId: undefined,\n} as FirebaseOptions;\n\nexport function mergePreDefinedOptions<T extends Record<string, any>>(\n preDefinedOptions: T,\n options: Partial<T>,\n): T {\n return Object.keys(preDefinedOptions).reduce(\n (obj: T, key: string) => {\n return { ...obj, [key]: options[key] || obj[key] };\n },\n { ...preDefinedOptions },\n );\n}\n\nconst BEARER_PREFIX = 'Bearer ';\nconst AUTH_COOKIE_NAME = '_session_cookie';\n\nfunction extractTokenFromHeader(request: Request): string | null {\n const authHeader = request.headers.get('Authorization');\n\n if (!authHeader || !authHeader.startsWith(BEARER_PREFIX)) {\n return null;\n }\n\n return authHeader.slice(BEARER_PREFIX.length);\n}\n\nfunction extractTokenFromCookie(request: Request, opts: RequestOptions): string | null {\n const cookieHeader = request.headers.get('Cookie') || undefined;\n const sessionName = getSessionConfig(opts).COOKIE_NAME;\n\n if (!cookieHeader) {\n return null;\n }\n\n const cookies = cookieHeader.split(';').reduce(\n (acc, cookie) => {\n const [name, value] = cookie.trim().split('=');\n acc[name] = value;\n return acc;\n },\n {} as Record<string, string>,\n );\n\n return cookies[AUTH_COOKIE_NAME] || null;\n}\n\nfunction hasAuthorizationHeader(request: Request): boolean {\n return request.headers.has('Authorization');\n}\n\nexport async function authenticateRequest(\n request: Request,\n options: AuthenticateFireRequestOptions,\n): Promise<RequestState> {\n async function authenticateRequestWithTokenInCookie() {\n const token = extractTokenFromCookie(request, options);\n if (!token) {\n return signedOut(AuthErrorReason.SessionTokenMissing);\n }\n const { data, errors } = await verifyToken(token, options);\n\n if (errors) {\n throw errors[0];\n }\n\n const signedInRequestState = signedIn(data, undefined, token);\n return signedInRequestState;\n }\n\n async function authenticateRequestWithTokenInHeader() {\n const token = extractTokenFromHeader(request);\n if (!token) {\n return signedOut(AuthErrorReason.SessionTokenMissing);\n }\n\n const { data, errors } = await verifyToken(token, options);\n\n if (errors) {\n throw errors[0];\n }\n\n const signedInRequestState = signedIn(data, undefined, token);\n return signedInRequestState;\n }\n\n if (hasAuthorizationHeader(request)) {\n return authenticateRequestWithTokenInHeader();\n }\n\n return authenticateRequestWithTokenInCookie();\n}\n\n/**\n * @internal\n */\nexport type CreateFireAuthenticateRequestOptions = {\n options: FirebaseOptions;\n};\n\nexport function createFireAuthenticateRequest(params: CreateFireAuthenticateRequestOptions) {\n const buildTimeOptions = mergePreDefinedOptions(defaultFirebaseOptions, params.options);\n\n const handleAuthenticateRequest = (request: Request, options: RuntimeOptions = {}) => {\n const runtimeOptions = { ...buildTimeOptions, ...options };\n return authenticateRequest(request, runtimeOptions);\n };\n\n return {\n authenticateRequest: handleAuthenticateRequest,\n };\n}\n","\nimport type { ApiClient,CreateBackendApiOptions} from \"../api\";\nimport { createBackendApi } from \"../api\";\nimport type { CreateFireAuthenticateRequestOptions } from \"../tokens/requestFire\";\nimport { createFireAuthenticateRequest } from \"../tokens/requestFire\";\n\nexport type TernSecureFireOptions = CreateBackendApiOptions & CreateFireAuthenticateRequestOptions['options']\n\nexport type TernSecureFireClient = ApiClient & ReturnType<typeof createFireAuthenticateRequest>;\n\nexport function createFireClient(options: TernSecureFireOptions): TernSecureFireClient {\n const opts = { ...options };\n const apiClient = createBackendApi(opts);\n const requestState = createFireAuthenticateRequest({options: opts});\n\n return {\n ...apiClient,\n ...requestState,\n };\n}\n","export enum LogLevel {\n ERROR = 0,\n WARN = 1,\n INFO = 2,\n DEBUG = 3,\n}\n\nexport interface LoggerOptions {\n enabled: boolean\n level: LogLevel\n prefix: string\n}\n\nexport class Logger {\n private options: LoggerOptions\n\n constructor(options: Partial<LoggerOptions> = {}) {\n this.options = {\n enabled: false,\n level: LogLevel.INFO,\n prefix: '[TernSecure-Backend]',\n ...options,\n }\n }\n\n enable(): void {\n this.options.enabled = true\n }\n\n disable(): void {\n this.options.enabled = false\n }\n\n setLevel(level: LogLevel): void {\n this.options.level = level\n }\n\n setPrefix(prefix: string): void {\n this.options.prefix = prefix\n }\n\n private log(level: LogLevel, levelName: string, message: string, ...args: any[]): void {\n if (!this.options.enabled || level > this.options.level) {\n return\n }\n\n const timestamp = new Date().toISOString()\n const formattedMessage = `${timestamp} ${this.options.prefix} [${levelName}] ${message}`\n \n switch (level) {\n case LogLevel.ERROR:\n console.error(formattedMessage, ...args)\n break\n case LogLevel.WARN:\n console.warn(formattedMessage, ...args)\n break\n case LogLevel.INFO:\n console.info(formattedMessage, ...args)\n break\n case LogLevel.DEBUG:\n console.debug(formattedMessage, ...args)\n break\n }\n }\n\n error(message: string, ...args: any[]): void {\n this.log(LogLevel.ERROR, 'ERROR', message, ...args)\n }\n\n warn(message: string, ...args: any[]): void {\n this.log(LogLevel.WARN, 'WARN', message, ...args)\n }\n\n info(message: string, ...args: any[]): void {\n this.log(LogLevel.INFO, 'INFO', message, ...args)\n }\n\n debug(message: string, ...args: any[]): void {\n this.log(LogLevel.DEBUG, 'DEBUG', message, ...args)\n }\n}\n\nexport const createLogger = (options?: Partial<LoggerOptions>): Logger => {\n return new Logger(options)\n}\n\nexport const redisLogger = createLogger({ prefix: '[TernSecure-Redis]' })\nexport const authLogger = createLogger({ prefix: '[TernSecure-Auth]' })","import { authLogger, LogLevel,redisLogger } from \"./logger\"\n\nexport function enableDebugLogging(): void {\n authLogger.enable()\n authLogger.setLevel(LogLevel.DEBUG)\n \n redisLogger.enable()\n redisLogger.setLevel(LogLevel.DEBUG)\n}\n\nexport function disableDebugLogging(): void {\n authLogger.disable()\n redisLogger.disable()\n}\n\nexport function setLogLevel(level: LogLevel): void {\n authLogger.setLevel(level)\n redisLogger.setLevel(level)\n}","import { authLogger } from \"../utils/logger\";\nimport type { DisabledUserAdapter, DisabledUserRecord, PostgresConfig } from \"./types\";\n\nexport class PostgresAdapter implements DisabledUserAdapter {\n private config: PostgresConfig;\n private tableName: string;\n\n constructor(config: PostgresConfig) {\n this.config = config;\n this.tableName = config.table || 'disabled_users';\n }\n\n getDisabledUser = async(uid: string): Promise<DisabledUserRecord | null> => {\n try {\n // For edge runtime, we'll use fetch to call a REST API endpoint\n // This avoids the need for full postgres client libraries in edge\n const response = await fetch(this.config.url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n 'Authorization': `Bearer ${this.config.token}`,\n },\n body: JSON.stringify({\n query: `SELECT uid, email, disabled_time as \"disabledTime\" FROM ${this.tableName} WHERE uid = $1`,\n params: [uid],\n }),\n });\n\n if (!response.ok) {\n throw new Error(`HTTP error! status: ${response.status}`);\n }\n\n const result = await response.json();\n \n if (result.rows && result.rows.length > 0) {\n const row = result.rows[0];\n const disabledUser: DisabledUserRecord = {\n uid: row.uid,\n email: row.email,\n disabledTime: row.disabledTime,\n };\n \n authLogger.debug(`Found disabled user: ${uid}`);\n return disabledUser;\n }\n\n authLogger.debug(`No disabled user found: ${uid}`);\n return null;\n } catch (error) {\n authLogger.error('Failed to fetch disabled user from Postgres:', error);\n return null;\n }\n }\n}","import { Redis } from \"@upstash/redis\";\n\nimport { authLogger } from \"../utils/logger\";\nimport type {\n DisabledUserAdapter,\n DisabledUserRecord,\n RedisConfig,\n} from \"./types\";\n\ninterface CacheEntry<T> {\n value: T;\n expiresAt: number;\n}\n\nclass TTLCache<T> {\n private cache = new Map<string, CacheEntry<T>>();\n private readonly defaultTTL: number;\n\n constructor(defaultTTLMs: number = 60000) {\n this.defaultTTL = defaultTTLMs;\n }\n\n set(key: string, value: T, ttlMs?: number): void {\n const expiresAt = Date.now() + (ttlMs ?? this.defaultTTL);\n this.cache.set(key, { value, expiresAt });\n console.log(`TTLCache.set: key=${key}, value=${JSON.stringify(value)}, expiresAt=${expiresAt}, cacheSize=${this.cache.size}`);\n }\n\n private getEntry(key: string): CacheEntry<T> | undefined {\n const entry = this.cache.get(key);\n if (!entry) return undefined;\n\n const now = Date.now();\n if (now > entry.expiresAt) {\n console.log(`TTLCache: key=${key} expired (now=${now}, expiresAt=${entry.expiresAt})`);\n this.cache.delete(key);\n return undefined;\n }\n\n return entry;\n }\n\n get(key: string): T | undefined {\n const entry = this.getEntry(key);\n const hasEntry = entry !== undefined;\n const cacheHasKey = this.cache.has(key);\n const rawEntry = this.cache.get(key);\n \n console.log(`TTLCache.get: key=${key}, hasEntry=${hasEntry}, cacheHasKey=${cacheHasKey}`);\n console.log(`TTLCache.get: rawEntry=${JSON.stringify(rawEntry)}, entry=${JSON.stringify(entry)}`);\n \n if (!entry) {\n console.log(`TTLCache.get: no entry found for key=${key}, returning undefined`);\n return undefined;\n }\n\n console.log(`TTLCache.get: returning value=${JSON.stringify(entry.value)} for key=${key}`);\n return entry.value;\n }\n\n\n delete(key: string): boolean {\n return this.cache.delete(key);\n }\n\n clear(): void {\n this.cache.clear();\n }\n\n cleanup(): void {\n const now = Date.now();\n for (const [key, entry] of this.cache.entries()) {\n if (now > entry.expiresAt) {\n this.cache.delete(key);\n }\n }\n }\n}\n\nexport class RedisAdapter implements DisabledUserAdapter {\n private redis: Redis;\n private cache: TTLCache<DisabledUserRecord | null>;\n private keyPrefix: string;\n\n constructor(config: RedisConfig) {\n this.redis = new Redis({\n url: config.url,\n token: config.token,\n });\n\n this.keyPrefix = config.keyPrefix || \"disabled_user:\";\n const cacheTTL = config.ttl || 30000; // Default 30 seconds\n this.cache = new TTLCache<DisabledUserRecord | null>(cacheTTL);\n\n setInterval(() => this.cache.cleanup(), 5 * 60 * 1000);\n }\n\n getDisabledUser = async (uid: string): Promise<DisabledUserRecord | null> => {\n const cacheKey = `${this.keyPrefix}${uid}`;\n \n authLogger.debug(`RedisAdapter: Checking cache for key: ${cacheKey}`);\n \n // Try to get from cache first\n const cachedResult = this.cache.get(cacheKey);\n authLogger.debug(`RedisAdapter: Cache get result for ${cacheKey}:`, {\n cachedResult: JSON.stringify(cachedResult),\n isUndefined: cachedResult === undefined,\n type: typeof cachedResult\n });\n \n if (cachedResult !== undefined) {\n authLogger.debug(`Cache hit for disabled user: ${uid}`, { \n cacheKey,\n cachedResult: JSON.stringify(cachedResult)\n });\n return cachedResult;\n }\n\n authLogger.debug(\n `Cache miss for disabled user: ${uid}, fetching from Redis with key: ${cacheKey}`\n );\n\n try {\n const disabledUser: DisabledUserRecord | null =\n await this.redis.get(cacheKey);\n\n authLogger.debug(`Redis returned for key ${cacheKey}:`, { \n disabledUser: JSON.stringify(disabledUser),\n type: typeof disabledUser\n });\n\n // Cache the result (including null values to prevent repeated Redis calls)\n this.cache.set(cacheKey, disabledUser);\n \n authLogger.debug(`Cached disabled user result for: ${uid}`, {\n cacheKey,\n isDisabled: !!disabledUser,\n cachedValue: JSON.stringify(disabledUser)\n });\n\n return disabledUser;\n } catch (error) {\n authLogger.error(\"Failed to fetch disabled user from Redis:\", error);\n return null;\n }\n };\n\n invalidateCache(uid: string): void {\n const cacheKey = `${this.keyPrefix}${uid}`;\n this.cache.delete(cacheKey);\n }\n}\n","import { PostgresAdapter } from \"./PostgresAdapter\";\nimport { RedisAdapter } from \"./RedisAdapter\";\nimport type { AdapterConfiguration,DisabledUserAdapter } from \"./types\";\n\nexport function createAdapter(\n config: AdapterConfiguration\n): DisabledUserAdapter {\n switch (config.type) {\n case \"redis\":\n return new RedisAdapter(config.config as any);\n case \"postgres\":\n return new PostgresAdapter(config.config as any);\n default:\n throw new Error(`Unsupported adapter type: ${(config as any).type}`);\n }\n}\n\nexport function validateCheckRevokedOptions(options?: {\n enabled: boolean;\n adapter?: AdapterConfiguration;\n}): { isValid: boolean; error?: string } {\n if (options?.enabled && !options.adapter) {\n return {\n isValid: false,\n error: \"When checkRevoked.enabled is true, an adapter must be provided\",\n };\n }\n return { isValid: true };\n}\n\n\nexport { RedisAdapter } from './RedisAdapter';\nexport { PostgresAdapter } from './PostgresAdapter';\nexport type {\n DisabledUserAdapter,\n DisabledUserRecord,\n AdapterConfig,\n RedisConfig,\n PostgresConfig,\n AdapterType,\n AdapterConfiguration,\n CheckRevokedOptions,\n} from './types';\n"],"mappings":";;;;;;;;;;;;;;;;;;AAQO,IAAM,aAAa;AAAA,EACxB,UAAU;AAAA,EACV,WAAW;AACb;AAIO,IAAM,kBAAkB;AAAA,EAC7B,2BAA2B;AAAA,EAC3B,qBAAqB;AAAA,EACrB,qBAAqB;AAAA,EACrB,gCAAgC;AAAA,EAChC,iBAAiB;AAAA,EACjB,4BAA4B;AAAA,EAC5B,4BAA4B;AAAA,EAC5B,iBAAiB;AACnB;AAgDA,SAAS,uBACP,gBACqC;AACrC,SAAO,CAAC,wBAA6B;AACnC,QACE,CAAC,uBACD,OAAO,wBAAwB,YAC/B,MAAM,QAAQ,mBAAmB,GACjC;AACA,aAAO;AAAA,IACT;AACA,UAAM,SAAS;AAEf,WAAO,OAAO,QAAQ,mBAAmB,EAAE,MAAM,CAAC,CAAC,KAAK,KAAK,MAAM;AACjE,YAAM,aAAa,OAAO,GAAG;AAC7B,UAAI,OAAO,eAAe,aAAa;AACrC,eAAO;AAAA,MACT;AACA,UAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,YAAI,MAAM,QAAQ,UAAU,GAAG;AAC7B,iBAAO,MAAM,KAAK,OAAK,WAAW,SAAS,CAAC,CAAC;AAAA,QAC/C;AACA,eAAO,MAAM,SAAS,UAAU;AAAA,MAClC;AAEA,UAAI,MAAM,QAAQ,UAAU,GAAG;AAC7B,eAAO,WAAW,SAAS,KAAK;AAAA,MAClC;AACA,aAAO,eAAe;AAAA,IACxB,CAAC;AAAA,EACH;AACF;AAEO,SAAS,mBACd,cACA,eACoB;AACpB,QAAM,iBAAiB,8BAA8B,aAAa;AAClE,SAAO;AAAA,IACL,eAAe;AAAA,MACb,GAAG;AAAA,IACL;AAAA,IACA,QAAQ,eAAe;AAAA,IACvB,OAAO;AAAA,IACP,SAAS,uBAAuB,cAAc;AAAA,IAC9C,OAAO;AAAA,EACT;AACF;AAEO,SAAS,sBAA2C;AACzD,SAAO;AAAA,IACL,eAAe;AAAA,IACf,QAAQ;AAAA,IACR,SAAS,MAAM;AAAA,IACf,OAAO;AAAA,EACT;AACF;AAEO,SAAS,SACd,eACA,UAAmB,IAAI,QAAQ,GAC/B,OACe;AACf,QAAM,aAAa,mBAAmB,OAAO,aAAa;AAC1D,SAAO;AAAA,IACL,QAAQ,WAAW;AAAA,IACnB,QAAQ;AAAA,IACR,YAAY;AAAA,IACZ,MAAM,MAAM;AAAA,IACZ;AAAA,IACA;AAAA,EACF;AACF;AAEO,SAAS,UAAU,QAAoB,UAAmB,IAAI,QAAQ,GAAmB;AAC9F,SAAO,gBAAgB;AAAA,IACrB,QAAQ,WAAW;AAAA,IACnB;AAAA,IACA,YAAY;AAAA,IACZ,MAAM,MAAM,oBAAoB;AAAA,IAChC,OAAO;AAAA,IACP;AAAA,EACF,CAAC;AACH;AAEA,IAAM,kBAAkB,CAAyB,iBAAuB;AACtE,QAAM,UAAU,IAAI,QAAQ,aAAa,WAAW,CAAC,CAAC;AACtD,MAAI,aAAa,QAAQ;AACvB,QAAI;AACF,cAAQ,IAAI,UAAU,QAAQ,YAAY,aAAa,MAAM;AAAA,IAC/D,QAAQ;AAAA,IAER;AAAA,EACF;AAEA,MAAI,aAAa,QAAQ;AACvB,QAAI;AACF,cAAQ,IAAI,UAAU,QAAQ,YAAY,aAAa,MAAM;AAAA,IAC/D,QAAQ;AAAA,IAER;AAAA,EACF;AACA,eAAa,UAAU;AACvB,SAAO;AACT;;;AC9KA,IAAM,WAAW;AAOV,IAAM,aAAN,MAAiB;AAAA,EACtB,YAAsB,SAA0B;AAA1B;AAAA,EAA2B;AAAA,EAEjD,MAAa,cAAc,QAA6B;AACtD,WAAO,KAAK,QAAQ;AAAA,MAClB,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,YAAY;AAAA,IACd,CAAC;AAAA,EACH;AACF;;;ACJA,SAAS,aAAa,cAAc;AAmBpC,IAAM,cAAc,MAAM,KAAK,UAAU;AAElC,IAAM,UAAmB;AAAA,EAC9B;AAAA,EACA,IAAI,QAAQ;AAEV,WAAO,QAAQ,IAAI,aAAa,SAAS,QAAQ;AAAA,EACnD;AAAA,EACA,iBAAiB,WAAW;AAAA,EAC5B,MAAM,WAAW;AAAA,EACjB,UAAU,WAAW;AAAA,EACrB,SAAS,WAAW;AAAA,EACpB,SAAS,WAAW;AAAA,EACpB,UAAU,WAAW;AACvB;;;AChDA,IAAM,YAAY;AAClB,IAAM,2BAA2B,IAAI,OAAO,WAAW,YAAY,QAAQ,GAAG;AAIvE,SAAS,aAAa,MAA4B;AACvD,SAAO,KACJ,OAAO,OAAK,CAAC,EACb,KAAK,SAAS,EACd,QAAQ,0BAA0B,SAAS;AAChD;;;AC8BO,SAAS,cAAc,SAA+B;AAC3D,QAAM,YAAY,OAChB,mBACmC;AACnC,UAAM,EAAE,QAAQ,WAAW,IAAI;AAC/B,UAAM,EAAE,MAAM,QAAQ,aAAa,cAAc,YAAY,SAAS,IACpE;AAEF,UAAM,MAAM,UAAU,QAAQ,YAAY,IAAI;AAC9C,UAAM,WAAW,IAAI,IAAI,GAAG;AAE5B,QAAI,aAAa;AACf,aAAO,QAAQ,WAAW,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AACpD,YAAI,OAAO;AACT,WAAC,KAAK,EAAE,KAAK,EAAE,QAAQ,OAAK,SAAS,aAAa,OAAO,KAAK,CAAW,CAAC;AAAA,QAC5E;AAAA,MACF,CAAC;AAAA,IACH;AAEA,UAAM,UAA+B;AAAA,MACnC,GAAG;AAAA,IACL;AACA,QAAI;AAEJ,QAAI;AACF,UAAI,UAAU;AACZ,cAAM,MAAM,QAAQ,MAAM,SAAS,MAAM;AAAA,UACvC;AAAA,UACA;AAAA,UACA,MAAM;AAAA,QACR,CAAC;AAAA,MACH,OAAO;AACL,gBAAQ,cAAc,IAAI;AAC1B,cAAM,UACJ,WAAW,SAAS,cAAc,OAAO,KAAK,UAAU,EAAE,SAAS;AACrE,cAAM,OAAO,UAAU,EAAE,MAAM,KAAK,UAAU,UAAU,EAAE,IAAI;AAE9D,cAAM,MAAM,QAAQ,MAAM,SAAS,MAAM;AAAA,UACvC;AAAA,UACA;AAAA,UACA,GAAG;AAAA,QACL,CAAC;AAAA,MACH;AAEA,YAAM,iBACJ,KAAK,WACL,IAAI,SAAS,IAAI,UAAU,QAAQ,WAAW,MAC5C,UAAU,aAAa;AAC3B,YAAM,eAAe,OAAO,iBAAiB,IAAI,KAAK,IAAI,IAAI,KAAK;AAEnE,UAAI,CAAC,IAAI,IAAI;AACX,eAAO;AAAA,UACL,MAAM;AAAA,UACN,QAAQ,YAAY,YAAY;AAAA,UAChC,QAAQ,KAAK;AAAA,UACb,YAAY,KAAK;AAAA,QACnB;AAAA,MACF;AAEA,aAAO;AAAA,QACL,MAAM;AAAA,QACN,QAAQ;AAAA,MACV;AAAA,IACF,SAAS,OAAO;AACd,UAAI,iBAAiB,OAAO;AAC1B,eAAO;AAAA,UACL,MAAM;AAAA,UACN,QAAQ;AAAA,YACN;AAAA,cACE,MAAM;AAAA,cACN,SAAS,MAAM,WAAW;AAAA,YAC5B;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAEA,aAAO;AAAA,QACL,MAAM;AAAA,QACN,QAAQ,YAAY,KAAK;AAAA,QACzB,QAAQ,KAAK;AAAA,QACb,YAAY,KAAK;AAAA,MACnB;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,YAAY,MAAqC;AACxD,MAAI,CAAC,CAAC,QAAQ,OAAO,SAAS,YAAY,YAAY,MAAM;AAC1D,UAAM,SAAS,KAAK;AACpB,WAAO,OAAO,SAAS,IAAI,OAAO,IAAI,UAAU,IAAI,CAAC;AAAA,EACvD;AACA,SAAO,CAAC;AACV;AAEO,SAAS,WAAW,OAAmD;AAC5E,SAAO;AAAA,IACL,MAAM,MAAM;AAAA,IACZ,SAAS,MAAM;AAAA,EACjB;AACF;;;ACtIO,SAAS,iBAAiB,SAAkC;AACjE,QAAM,UAAU,cAAc,OAAO;AACrC,SAAO;AAAA,IACL,UAAU,IAAI,WAAW,OAAO;AAAA,EAClC;AACF;;;ACLA,IAAM,iBAAmC;AAAA,EACvC,QAAQ;AAAA,EACR,YAAY;AACd;AAEO,SAAS,uBACd,cAAgC,CAAC,GACf;AAClB,SAAO;AAAA,IACL,GAAG;AAAA,IACH,GAAG;AAAA,EACL;AACF;;;ACOA,IAAI,QAA0B,CAAC;AAC/B,IAAI,gBAAgB;AACpB,IAAI,kBAAkB;AAEtB,SAAS,aAAa,KAAa;AACjC,SAAO,MAAM,GAAG;AAClB;AAEA,SAAS,iBAAiB;AACxB,SAAO,OAAO,OAAO,KAAK;AAC5B;AAEA,SAAS,WAAW,KAAa,aAAqB,eAAe,MAAM;AACzE,QAAM,GAAG,IAAI;AACb,kBAAgB,eAAe,KAAK,IAAI,IAAI;AAC9C;AAEA,eAAe,gBAAgB,QAA6C;AAC1E,QAAM,MAAM,IAAI,IAAI,MAAM;AAC1B,QAAM,WAAW,MAAM,MAAM,GAAG;AAChC,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAI,uBAAuB;AAAA,MAC/B,SAAS,kCAAkC,IAAI,IAAI,cAAc,SAAS,MAAM;AAAA,MAChF,QAAQ,6BAA6B;AAAA,IACvC,CAAC;AAAA,EACH;AAEA,QAAM,OAAO,MAAM,SAAS,KAAK;AACjC,QAAM,YAAY,aAAa,QAAQ;AAEvC,SAAO;AAAA,IACL,MAAM;AAAA,IACN;AAAA,EACF;AACF;AAEA,eAAsB,kBAAkB;AAAA,EACtC,SAAS;AAAA,EACT;AAAA,EACA;AACF,GAA8C;AAC5C,MAAI,iBAAiB,eAAe,KAAK,CAAC,aAAa,GAAG,GAAG;AAC3D,UAAM,EAAE,MAAM,UAAU,IAAI,MAAM,gBAAgB,MAAM;AAExD,QAAI,CAAC,QAAQ,OAAO,KAAK,IAAI,EAAE,WAAW,GAAG;AAC3C,YAAM,IAAI,uBAAuB;AAAA,QAC/B,SAAS,qBAAqB,MAAM;AAAA,QACpC,QAAQ,6BAA6B;AAAA,MACvC,CAAC;AAAA,IACH;AACA,sBAAkB;AAElB,WAAO,QAAQ,IAAI,EAAE,QAAQ,CAAC,CAAC,OAAOA,KAAI,MAAM;AAC9C,iBAAW,OAAOA,KAAI;AAAA,IACxB,CAAC;AAAA,EACH;AACA,QAAM,OAAO,aAAa,GAAG;AAC7B,MAAI,CAAC,MAAM;AACT,mBAAe;AACf,UAAM,gBAAgB,OAAO,KAAK,KAAK,EAAE,KAAK,EAAE,KAAK,IAAI;AAEzD,UAAM,IAAI,uBAAuB;AAAA,MAC/B,SAAS,gCAAgC,GAAG,uBAAuB,aAAa;AAAA,MAChF,QAAQ,6BAA6B;AAAA,IACvC,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAEA,SAAS,iBAAiB;AACxB,QAAM,MAAM,KAAK,IAAI;AACrB,MAAI,kBAAkB,IAAI;AACxB,WAAO;AAAA,EACT;AAEA,QAAM,WAAW,MAAM;AACvB,QAAM,cAAc,oCAAoC;AACxD,QAAM,oBAAoB,YAAY;AACtC,QAAM,qBAAqB,OAAO;AAElC,QAAM,YAAY,qBAAqB;AAEvC,MAAI,WAAW;AACb,YAAQ,CAAC;AAAA,EACX;AAEA,SAAO;AACT;AAEA,SAAS,aAAa,KAAe;AACnC,QAAM,qBAAqB,IAAI,QAAQ,IAAI,eAAe;AAC1D,MAAI,CAAC,oBAAoB;AACvB,WAAO,KAAK,IAAI,IAAI;AAAA,EACtB;AACA,QAAM,cAAc,mBAAmB,MAAM,mBAAmB;AAChE,QAAM,SAAS,cAAc,SAAS,YAAY,CAAC,GAAG,EAAE,IAAI,yBAAyB;AAErF,SAAO,KAAK,IAAI,IAAI,SAAS;AAC/B;;;AC7GA,eAAsB,YACpB,OACA,SACgE;AAChE,QAAM,EAAE,MAAM,eAAe,OAAO,IAAI,cAAc,KAAK;AAE3D,MAAI,QAAQ;AACV,WAAO,EAAE,OAAO;AAAA,EAClB;AAEA,QAAM,EAAE,OAAO,IAAI;AACnB,QAAM,EAAE,IAAI,IAAI;AAEhB,MAAI,CAAC,KAAK;AACR,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,MAAI;AACF,UAAM,MAAM,QAAQ,UAAW,MAAM,kBAAkB,EAAE,GAAG,SAAS,IAAI,CAAC;AAE1E,QAAI,CAAC,KAAK;AACR,aAAO;AAAA,QACL,QAAQ;AAAA,UACN,IAAI,uBAAuB;AAAA,YACzB,QAAQ,6BAA6B;AAAA,YACrC,SAAS,gCAAgC,GAAG;AAAA,UAC9C,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AACA,WAAO,MAAM,UAAU,OAAO,EAAE,GAAG,SAAS,IAAI,CAAC;AAAA,EACnD,SAAS,OAAO;AACd,QAAI,iBAAiB,wBAAwB;AAC3C,aAAO,EAAE,QAAQ,CAAC,KAAK,EAAE;AAAA,IAC3B;AACA,WAAO;AAAA,MACL,QAAQ,CAAC,KAA+B;AAAA,IAC1C;AAAA,EACF;AACF;;;AChDA,IAAM,gBAAgB;AACtB,IAAM,mBAAmB;AAEzB,SAAS,uBAAuB,SAAiC;AAC/D,QAAM,aAAa,QAAQ,QAAQ,IAAI,eAAe;AAEtD,MAAI,CAAC,cAAc,CAAC,WAAW,WAAW,aAAa,GAAG;AACxD,WAAO;AAAA,EACT;AAEA,SAAO,WAAW,MAAM,cAAc,MAAM;AAC9C;AAEA,SAAS,uBAAuB,SAAkB,MAAqC;AACrF,QAAM,eAAe,QAAQ,QAAQ,IAAI,QAAQ,KAAK;AACtD,QAAM,cAAc,iBAAiB,IAAI,EAAE;AAE3C,MAAI,CAAC,cAAc;AACjB,WAAO;AAAA,EACT;AAEA,QAAM,UAAU,aAAa,MAAM,GAAG,EAAE;AAAA,IACtC,CAAC,KAAK,WAAW;AACf,YAAM,CAAC,MAAM,KAAK,IAAI,OAAO,KAAK,EAAE,MAAM,GAAG;AAC7C,UAAI,IAAI,IAAI;AACZ,aAAO;AAAA,IACT;AAAA,IACA,CAAC;AAAA,EACH;AAEA,SAAO,QAAQ,gBAAgB,KAAK;AACtC;AAEA,SAAS,uBAAuB,SAA2B;AACzD,SAAO,QAAQ,QAAQ,IAAI,eAAe;AAC5C;AAEA,eAAsB,oBACpB,SACA,SACuB;AACvB,iBAAe,uCAAuC;AACpD,UAAM,QAAQ,uBAAuB,SAAS,OAAO;AACrD,QAAI,CAAC,OAAO;AACV,aAAO,UAAU,gBAAgB,mBAAmB;AAAA,IACtD;AACA,UAAM,EAAE,MAAM,OAAO,IAAI,MAAM,YAAY,OAAO,OAAO;AAEzD,QAAI,QAAQ;AACV,YAAM,OAAO,CAAC;AAAA,IAChB;AAEA,UAAM,uBAAuB,SAAS,MAAM,QAAW,KAAK;AAC5D,WAAO;AAAA,EACT;AAEA,iBAAe,uCAAuC;AACpD,UAAM,QAAQ,uBAAuB,OAAO;AAC5C,QAAI,CAAC,OAAO;AACV,aAAO,UAAU,gBAAgB,mBAAmB;AAAA,IACtD;AAEA,UAAM,EAAE,MAAM,OAAO,IAAI,MAAM,YAAY,OAAO,OAAO;AAEzD,QAAI,QAAQ;AACV,YAAM,OAAO,CAAC;AAAA,IAChB;AAEA,UAAM,uBAAuB,SAAS,MAAM,QAAW,KAAK;AAC5D,WAAO;AAAA,EACT;AAEA,MAAI,uBAAuB,OAAO,GAAG;AACnC,WAAO,qCAAqC;AAAA,EAC9C;AAEA,SAAO,qCAAqC;AAC9C;AAUO,SAAS,0BAA0B,QAA0C;AAClF,QAAM,mBAAmB,uBAAuB,OAAO,OAAO;AAC9D,QAAM,YAAY,OAAO;AAEzB,QAAM,4BAA4B,CAAC,SAAkB,UAA0B,CAAC,MAAM;AACpF,UAAM,EAAE,OAAO,IAAI;AACnB,WAAO,oBAAoB,SAAS,EAAE,GAAG,SAAS,QAAQ,UAAU,CAAC;AAAA,EACvE;AAEA,SAAO;AAAA,IACL,qBAAqB;AAAA,EACvB;AACF;;;AC7FO,SAAS,4BAA4B,SAA4D;AACtG,QAAM,OAAO,EAAE,GAAG,QAAQ;AAC1B,QAAM,YAAY,iBAAiB,IAAI;AACvC,QAAM,eAAe,0BAA0B,EAAC,SAAS,MAAM,UAAS,CAAC;AAEzE,SAAO;AAAA,IACL,GAAG;AAAA,IACH,GAAG;AAAA,EACL;AACF;;;ACjBA,IAAM,yBAAyB;AAAA,EAC7B,QAAQ;AAAA,EACR,YAAY;AAAA,EACZ,WAAW;AAAA,EACX,UAAU;AACZ;AAEO,SAASC,wBACd,mBACA,SACG;AACH,SAAO,OAAO,KAAK,iBAAiB,EAAE;AAAA,IACpC,CAAC,KAAQ,QAAgB;AACvB,aAAO,EAAE,GAAG,KAAK,CAAC,GAAG,GAAG,QAAQ,GAAG,KAAK,IAAI,GAAG,EAAE;AAAA,IACnD;AAAA,IACA,EAAE,GAAG,kBAAkB;AAAA,EACzB;AACF;AAEA,IAAMC,iBAAgB;AACtB,IAAMC,oBAAmB;AAEzB,SAASC,wBAAuB,SAAiC;AAC/D,QAAM,aAAa,QAAQ,QAAQ,IAAI,eAAe;AAEtD,MAAI,CAAC,cAAc,CAAC,WAAW,WAAWF,cAAa,GAAG;AACxD,WAAO;AAAA,EACT;AAEA,SAAO,WAAW,MAAMA,eAAc,MAAM;AAC9C;AAEA,SAASG,wBAAuB,SAAkB,MAAqC;AACrF,QAAM,eAAe,QAAQ,QAAQ,IAAI,QAAQ,KAAK;AACtD,QAAM,cAAc,iBAAiB,IAAI,EAAE;AAE3C,MAAI,CAAC,cAAc;AACjB,WAAO;AAAA,EACT;AAEA,QAAM,UAAU,aAAa,MAAM,GAAG,EAAE;AAAA,IACtC,CAAC,KAAK,WAAW;AACf,YAAM,CAAC,MAAM,KAAK,IAAI,OAAO,KAAK,EAAE,MAAM,GAAG;AAC7C,UAAI,IAAI,IAAI;AACZ,aAAO;AAAA,IACT;AAAA,IACA,CAAC;AAAA,EACH;AAEA,SAAO,QAAQF,iBAAgB,KAAK;AACtC;AAEA,SAASG,wBAAuB,SAA2B;AACzD,SAAO,QAAQ,QAAQ,IAAI,eAAe;AAC5C;AAEA,eAAsBC,qBACpB,SACA,SACuB;AACvB,iBAAe,uCAAuC;AACpD,UAAM,QAAQF,wBAAuB,SAAS,OAAO;AACrD,QAAI,CAAC,OAAO;AACV,aAAO,UAAU,gBAAgB,mBAAmB;AAAA,IACtD;AACA,UAAM,EAAE,MAAM,OAAO,IAAI,MAAM,YAAY,OAAO,OAAO;AAEzD,QAAI,QAAQ;AACV,YAAM,OAAO,CAAC;AAAA,IAChB;AAEA,UAAM,uBAAuB,SAAS,MAAM,QAAW,KAAK;AAC5D,WAAO;AAAA,EACT;AAEA,iBAAe,uCAAuC;AACpD,UAAM,QAAQD,wBAAuB,OAAO;AAC5C,QAAI,CAAC,OAAO;AACV,aAAO,UAAU,gBAAgB,mBAAmB;AAAA,IACtD;AAEA,UAAM,EAAE,MAAM,OAAO,IAAI,MAAM,YAAY,OAAO,OAAO;AAEzD,QAAI,QAAQ;AACV,YAAM,OAAO,CAAC;AAAA,IAChB;AAEA,UAAM,uBAAuB,SAAS,MAAM,QAAW,KAAK;AAC5D,WAAO;AAAA,EACT;AAEA,MAAIE,wBAAuB,OAAO,GAAG;AACnC,WAAO,qCAAqC;AAAA,EAC9C;AAEA,SAAO,qCAAqC;AAC9C;AASO,SAAS,8BAA8B,QAA8C;AAC1F,QAAM,mBAAmBL,wBAAuB,wBAAwB,OAAO,OAAO;AAEtF,QAAM,4BAA4B,CAAC,SAAkB,UAA0B,CAAC,MAAM;AACpF,UAAM,iBAAiB,EAAE,GAAG,kBAAkB,GAAG,QAAQ;AACzD,WAAOM,qBAAoB,SAAS,cAAc;AAAA,EACpD;AAEA,SAAO;AAAA,IACL,qBAAqB;AAAA,EACvB;AACF;;;ACpHO,SAAS,iBAAiB,SAAsD;AACrF,QAAM,OAAO,EAAE,GAAG,QAAQ;AAC1B,QAAM,YAAY,iBAAiB,IAAI;AACvC,QAAM,eAAe,8BAA8B,EAAC,SAAS,KAAI,CAAC;AAElE,SAAO;AAAA,IACL,GAAG;AAAA,IACH,GAAG;AAAA,EACL;AACF;;;ACnBO,IAAK,WAAL,kBAAKC,cAAL;AACL,EAAAA,oBAAA,WAAQ,KAAR;AACA,EAAAA,oBAAA,UAAO,KAAP;AACA,EAAAA,oBAAA,UAAO,KAAP;AACA,EAAAA,oBAAA,WAAQ,KAAR;AAJU,SAAAA;AAAA,GAAA;AAaL,IAAM,SAAN,MAAa;AAAA,EACV;AAAA,EAER,YAAY,UAAkC,CAAC,GAAG;AAChD,SAAK,UAAU;AAAA,MACb,SAAS;AAAA,MACT,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,GAAG;AAAA,IACL;AAAA,EACF;AAAA,EAEA,SAAe;AACb,SAAK,QAAQ,UAAU;AAAA,EACzB;AAAA,EAEA,UAAgB;AACd,SAAK,QAAQ,UAAU;AAAA,EACzB;AAAA,EAEA,SAAS,OAAuB;AAC9B,SAAK,QAAQ,QAAQ;AAAA,EACvB;AAAA,EAEA,UAAU,QAAsB;AAC9B,SAAK,QAAQ,SAAS;AAAA,EACxB;AAAA,EAEQ,IAAI,OAAiB,WAAmB,YAAoB,MAAmB;AACrF,QAAI,CAAC,KAAK,QAAQ,WAAW,QAAQ,KAAK,QAAQ,OAAO;AACvD;AAAA,IACF;AAEA,UAAM,aAAY,oBAAI,KAAK,GAAE,YAAY;AACzC,UAAM,mBAAmB,GAAG,SAAS,IAAI,KAAK,QAAQ,MAAM,KAAK,SAAS,KAAK,OAAO;AAEtF,YAAQ,OAAO;AAAA,MACb,KAAK;AACH,gBAAQ,MAAM,kBAAkB,GAAG,IAAI;AACvC;AAAA,MACF,KAAK;AACH,gBAAQ,KAAK,kBAAkB,GAAG,IAAI;AACtC;AAAA,MACF,KAAK;AACH,gBAAQ,KAAK,kBAAkB,GAAG,IAAI;AACtC;AAAA,MACF,KAAK;AACH,gBAAQ,MAAM,kBAAkB,GAAG,IAAI;AACvC;AAAA,IACJ;AAAA,EACF;AAAA,EAEA,MAAM,YAAoB,MAAmB;AAC3C,SAAK,IAAI,eAAgB,SAAS,SAAS,GAAG,IAAI;AAAA,EACpD;AAAA,EAEA,KAAK,YAAoB,MAAmB;AAC1C,SAAK,IAAI,cAAe,QAAQ,SAAS,GAAG,IAAI;AAAA,EAClD;AAAA,EAEA,KAAK,YAAoB,MAAmB;AAC1C,SAAK,IAAI,cAAe,QAAQ,SAAS,GAAG,IAAI;AAAA,EAClD;AAAA,EAEA,MAAM,YAAoB,MAAmB;AAC3C,SAAK,IAAI,eAAgB,SAAS,SAAS,GAAG,IAAI;AAAA,EACpD;AACF;AAEO,IAAM,eAAe,CAAC,YAA6C;AACxE,SAAO,IAAI,OAAO,OAAO;AAC3B;AAEO,IAAM,cAAc,aAAa,EAAE,QAAQ,qBAAqB,CAAC;AACjE,IAAM,aAAa,aAAa,EAAE,QAAQ,oBAAoB,CAAC;;;ACrF/D,SAAS,qBAA2B;AACzC,aAAW,OAAO;AAClB,aAAW,sBAAuB;AAElC,cAAY,OAAO;AACnB,cAAY,sBAAuB;AACrC;AAEO,SAAS,sBAA4B;AAC1C,aAAW,QAAQ;AACnB,cAAY,QAAQ;AACtB;AAEO,SAAS,YAAY,OAAuB;AACjD,aAAW,SAAS,KAAK;AACzB,cAAY,SAAS,KAAK;AAC5B;;;ACfO,IAAM,kBAAN,MAAqD;AAAA,EAClD;AAAA,EACA;AAAA,EAER,YAAY,QAAwB;AAClC,SAAK,SAAS;AACd,SAAK,YAAY,OAAO,SAAS;AAAA,EACnC;AAAA,EAEA,kBAAkB,OAAM,QAAoD;AAC1E,QAAI;AAGF,YAAM,WAAW,MAAM,MAAM,KAAK,OAAO,KAAK;AAAA,QAC5C,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,iBAAiB,UAAU,KAAK,OAAO,KAAK;AAAA,QAC9C;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,OAAO,2DAA2D,KAAK,SAAS;AAAA,UAChF,QAAQ,CAAC,GAAG;AAAA,QACd,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,IAAI,MAAM,uBAAuB,SAAS,MAAM,EAAE;AAAA,MAC1D;AAEA,YAAM,SAAS,MAAM,SAAS,KAAK;AAEnC,UAAI,OAAO,QAAQ,OAAO,KAAK,SAAS,GAAG;AACzC,cAAM,MAAM,OAAO,KAAK,CAAC;AACzB,cAAM,eAAmC;AAAA,UACvC,KAAK,IAAI;AAAA,UACT,OAAO,IAAI;AAAA,UACX,cAAc,IAAI;AAAA,QACpB;AAEA,mBAAW,MAAM,wBAAwB,GAAG,EAAE;AAC9C,eAAO;AAAA,MACT;AAEA,iBAAW,MAAM,2BAA2B,GAAG,EAAE;AACjD,aAAO;AAAA,IACT,SAAS,OAAO;AACd,iBAAW,MAAM,gDAAgD,KAAK;AACtE,aAAO;AAAA,IACT;AAAA,EACF;AACF;;;ACrDA,SAAS,aAAa;AActB,IAAM,WAAN,MAAkB;AAAA,EACR,QAAQ,oBAAI,IAA2B;AAAA,EAC9B;AAAA,EAEjB,YAAY,eAAuB,KAAO;AACxC,SAAK,aAAa;AAAA,EACpB;AAAA,EAEA,IAAI,KAAa,OAAU,OAAsB;AAC/C,UAAM,YAAY,KAAK,IAAI,KAAK,SAAS,KAAK;AAC9C,SAAK,MAAM,IAAI,KAAK,EAAE,OAAO,UAAU,CAAC;AACxC,YAAQ,IAAI,qBAAqB,GAAG,WAAW,KAAK,UAAU,KAAK,CAAC,eAAe,SAAS,eAAe,KAAK,MAAM,IAAI,EAAE;AAAA,EAC9H;AAAA,EAEQ,SAAS,KAAwC;AACvD,UAAM,QAAQ,KAAK,MAAM,IAAI,GAAG;AAChC,QAAI,CAAC,MAAO,QAAO;AAEnB,UAAM,MAAM,KAAK,IAAI;AACrB,QAAI,MAAM,MAAM,WAAW;AACzB,cAAQ,IAAI,iBAAiB,GAAG,iBAAiB,GAAG,eAAe,MAAM,SAAS,GAAG;AACrF,WAAK,MAAM,OAAO,GAAG;AACrB,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,IAAI,KAA4B;AAC9B,UAAM,QAAQ,KAAK,SAAS,GAAG;AAC/B,UAAM,WAAW,UAAU;AAC3B,UAAM,cAAc,KAAK,MAAM,IAAI,GAAG;AACtC,UAAM,WAAW,KAAK,MAAM,IAAI,GAAG;AAEnC,YAAQ,IAAI,qBAAqB,GAAG,cAAc,QAAQ,iBAAiB,WAAW,EAAE;AACxF,YAAQ,IAAI,0BAA0B,KAAK,UAAU,QAAQ,CAAC,WAAW,KAAK,UAAU,KAAK,CAAC,EAAE;AAEhG,QAAI,CAAC,OAAO;AACV,cAAQ,IAAI,wCAAwC,GAAG,uBAAuB;AAC9E,aAAO;AAAA,IACT;AAEA,YAAQ,IAAI,iCAAiC,KAAK,UAAU,MAAM,KAAK,CAAC,YAAY,GAAG,EAAE;AACzF,WAAO,MAAM;AAAA,EACf;AAAA,EAGA,OAAO,KAAsB;AAC3B,WAAO,KAAK,MAAM,OAAO,GAAG;AAAA,EAC9B;AAAA,EAEA,QAAc;AACZ,SAAK,MAAM,MAAM;AAAA,EACnB;AAAA,EAEA,UAAgB;AACd,UAAM,MAAM,KAAK,IAAI;AACrB,eAAW,CAAC,KAAK,KAAK,KAAK,KAAK,MAAM,QAAQ,GAAG;AAC/C,UAAI,MAAM,MAAM,WAAW;AACzB,aAAK,MAAM,OAAO,GAAG;AAAA,MACvB;AAAA,IACF;AAAA,EACF;AACF;AAEO,IAAM,eAAN,MAAkD;AAAA,EAC/C;AAAA,EACA;AAAA,EACA;AAAA,EAER,YAAY,QAAqB;AAC/B,SAAK,QAAQ,IAAI,MAAM;AAAA,MACrB,KAAK,OAAO;AAAA,MACZ,OAAO,OAAO;AAAA,IAChB,CAAC;AAED,SAAK,YAAY,OAAO,aAAa;AACrC,UAAM,WAAW,OAAO,OAAO;AAC/B,SAAK,QAAQ,IAAI,SAAoC,QAAQ;AAE7D,gBAAY,MAAM,KAAK,MAAM,QAAQ,GAAG,IAAI,KAAK,GAAI;AAAA,EACvD;AAAA,EAEA,kBAAkB,OAAO,QAAoD;AAC3E,UAAM,WAAW,GAAG,KAAK,SAAS,GAAG,GAAG;AAExC,eAAW,MAAM,yCAAyC,QAAQ,EAAE;AAGpE,UAAM,eAAe,KAAK,MAAM,IAAI,QAAQ;AAC5C,eAAW,MAAM,sCAAsC,QAAQ,KAAK;AAAA,MAClE,cAAc,KAAK,UAAU,YAAY;AAAA,MACzC,aAAa,iBAAiB;AAAA,MAC9B,MAAM,OAAO;AAAA,IACf,CAAC;AAED,QAAI,iBAAiB,QAAW;AAC9B,iBAAW,MAAM,gCAAgC,GAAG,IAAI;AAAA,QACtD;AAAA,QACA,cAAc,KAAK,UAAU,YAAY;AAAA,MAC3C,CAAC;AACD,aAAO;AAAA,IACT;AAEA,eAAW;AAAA,MACT,iCAAiC,GAAG,mCAAmC,QAAQ;AAAA,IACjF;AAEA,QAAI;AACF,YAAM,eACJ,MAAM,KAAK,MAAM,IAAI,QAAQ;AAE/B,iBAAW,MAAM,0BAA0B,QAAQ,KAAK;AAAA,QACtD,cAAc,KAAK,UAAU,YAAY;AAAA,QACzC,MAAM,OAAO;AAAA,MACf,CAAC;AAGD,WAAK,MAAM,IAAI,UAAU,YAAY;AAErC,iBAAW,MAAM,oCAAoC,GAAG,IAAI;AAAA,QAC1D;AAAA,QACA,YAAY,CAAC,CAAC;AAAA,QACd,aAAa,KAAK,UAAU,YAAY;AAAA,MAC1C,CAAC;AAED,aAAO;AAAA,IACT,SAAS,OAAO;AACd,iBAAW,MAAM,6CAA6C,KAAK;AACnE,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,gBAAgB,KAAmB;AACjC,UAAM,WAAW,GAAG,KAAK,SAAS,GAAG,GAAG;AACxC,SAAK,MAAM,OAAO,QAAQ;AAAA,EAC5B;AACF;;;ACnJO,SAAS,cACd,QACqB;AACrB,UAAQ,OAAO,MAAM;AAAA,IACnB,KAAK;AACH,aAAO,IAAI,aAAa,OAAO,MAAa;AAAA,IAC9C,KAAK;AACH,aAAO,IAAI,gBAAgB,OAAO,MAAa;AAAA,IACjD;AACE,YAAM,IAAI,MAAM,6BAA8B,OAAe,IAAI,EAAE;AAAA,EACvE;AACF;AAEO,SAAS,4BAA4B,SAGH;AACvC,MAAI,SAAS,WAAW,CAAC,QAAQ,SAAS;AACxC,WAAO;AAAA,MACL,SAAS;AAAA,MACT,OAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO,EAAE,SAAS,KAAK;AACzB;","names":["cert","mergePreDefinedOptions","BEARER_PREFIX","AUTH_COOKIE_NAME","extractTokenFromHeader","extractTokenFromCookie","hasAuthorizationHeader","authenticateRequest","LogLevel"]}
|
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
import type { ApiClient, CreateBackendApiOptions } from "../api";
|
|
2
|
+
import type { CreateFireAuthenticateRequestOptions } from "../tokens/requestFire";
|
|
3
|
+
import { createFireAuthenticateRequest } from "../tokens/requestFire";
|
|
4
|
+
export type TernSecureFireOptions = CreateBackendApiOptions & CreateFireAuthenticateRequestOptions['options'];
|
|
5
|
+
export type TernSecureFireClient = ApiClient & ReturnType<typeof createFireAuthenticateRequest>;
|
|
6
|
+
export declare function createFireClient(options: TernSecureFireOptions): TernSecureFireClient;
|
|
7
|
+
//# sourceMappingURL=backendFireInstance.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"backendFireInstance.d.ts","sourceRoot":"","sources":["../../src/instance/backendFireInstance.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAC,uBAAuB,EAAC,MAAM,QAAQ,CAAC;AAE/D,OAAO,KAAK,EAAE,oCAAoC,EAAE,MAAM,uBAAuB,CAAC;AAClF,OAAO,EAAE,6BAA6B,EAAE,MAAM,uBAAuB,CAAC;AAEtE,MAAM,MAAM,qBAAqB,GAAG,uBAAuB,GAAG,oCAAoC,CAAC,SAAS,CAAC,CAAA;AAE7G,MAAM,MAAM,oBAAoB,GAAG,SAAS,GAAG,UAAU,CAAC,OAAO,6BAA6B,CAAC,CAAC;AAEhG,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,qBAAqB,GAAG,oBAAoB,CASrF"}
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
import type { CheckCustomClaims, DecodedIdToken, SharedSignInAuthObjectProperties } from "@tern-secure/types";
|
|
2
|
+
import type { TernSecureRequest } from "../tokens/ternSecureRequest";
|
|
3
|
+
export type SignInAuthObject = SharedSignInAuthObjectProperties & {
|
|
4
|
+
has: CheckCustomClaims;
|
|
5
|
+
};
|
|
6
|
+
export type SignInState = {
|
|
7
|
+
auth: () => SignInAuthObject;
|
|
8
|
+
token: string;
|
|
9
|
+
headers: Headers;
|
|
10
|
+
};
|
|
11
|
+
export type RequestState = SignInState;
|
|
12
|
+
export interface BackendInstance {
|
|
13
|
+
ternSecureRequest: TernSecureRequest;
|
|
14
|
+
requestState: RequestState;
|
|
15
|
+
}
|
|
16
|
+
export declare const createBackendInstance: (request: Request) => Promise<BackendInstance>;
|
|
17
|
+
export declare function authenticateRequest(request: Request): Promise<RequestState>;
|
|
18
|
+
export declare function signInAuthObject(session: DecodedIdToken): SignInAuthObject;
|
|
19
|
+
export declare function signedIn(session: DecodedIdToken, headers: Headers | undefined, token: string): SignInState;
|
|
20
|
+
//# sourceMappingURL=backendInstance.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"backendInstance.d.ts","sourceRoot":"","sources":["../../src/instance/backendInstance.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,cAAc,EAAC,gCAAgC,EAAE,MAAM,oBAAoB,CAAC;AAG7G,OAAO,KAAK,EAAE,iBAAiB,EAAC,MAAM,6BAA6B,CAAC;AAGpE,MAAM,MAAM,gBAAgB,GAAG,gCAAgC,GAAG;IAChE,GAAG,EAAE,iBAAiB,CAAA;CACvB,CAAA;AAED,MAAM,MAAM,WAAW,GAAG;IACxB,IAAI,EAAE,MAAM,gBAAgB,CAAA;IAC5B,KAAK,EAAE,MAAM,CAAA;IACb,OAAO,EAAE,OAAO,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,YAAY,GAAG,WAAW,CAAA;AAEtC,MAAM,WAAW,eAAe;IAC9B,iBAAiB,EAAE,iBAAiB,CAAC;IACrC,YAAY,EAAE,YAAY,CAAC;CAC5B;AAED,eAAO,MAAM,qBAAqB,GAAU,SAAS,OAAO,KAAG,OAAO,CAAC,eAAe,CAQrF,CAAC;AAEF,wBAAsB,mBAAmB,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,YAAY,CAAC,CAqBjF;AAED,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,cAAc,GACtB,gBAAgB,CAMlB;AAED,wBAAgB,QAAQ,CACtB,OAAO,EAAE,cAAc,EACvB,OAAO,EAAE,OAAO,YAAgB,EAChC,KAAK,EAAE,MAAM,GACZ,WAAW,CAOb"}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
import type { ApiClient, CreateBackendApiOptions } from "../api";
|
|
2
|
+
import type { RequestState } from "../tokens/authstate";
|
|
3
|
+
import type { CreateAuthenticateRequestOptions } from "../tokens/request";
|
|
4
|
+
import { createAuthenticateRequest } from "../tokens/request";
|
|
5
|
+
import type { TernSecureRequest } from "../tokens/ternSecureRequest";
|
|
6
|
+
export type TernSecureBackendOptions = CreateBackendApiOptions & CreateAuthenticateRequestOptions['options'];
|
|
7
|
+
export type TernSecureBackendClient = ApiClient & ReturnType<typeof createAuthenticateRequest>;
|
|
8
|
+
export interface BackendInstance {
|
|
9
|
+
ternSecureRequest: TernSecureRequest;
|
|
10
|
+
requestState: RequestState;
|
|
11
|
+
}
|
|
12
|
+
export declare function createBackendInstanceClient(options: TernSecureBackendOptions): TernSecureBackendClient;
|
|
13
|
+
//# sourceMappingURL=backendInstanceEdge.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"backendInstanceEdge.d.ts","sourceRoot":"","sources":["../../src/instance/backendInstanceEdge.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAC,uBAAuB,EAAC,MAAM,QAAQ,CAAC;AAE/D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,KAAK,EAAE,gCAAgC,EAAE,MAAM,mBAAmB,CAAC;AAC1E,OAAO,EAAE,yBAAyB,EAAE,MAAM,mBAAmB,CAAC;AAC9D,OAAO,KAAK,EACV,iBAAiB,EAClB,MAAM,6BAA6B,CAAC;AAErC,MAAM,MAAM,wBAAwB,GAAG,uBAAuB,GAAG,gCAAgC,CAAC,SAAS,CAAC,CAAA;AAE5G,MAAM,MAAM,uBAAuB,GAAG,SAAS,GAAG,UAAU,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAE/F,MAAM,WAAW,eAAe;IAC9B,iBAAiB,EAAE,iBAAiB,CAAC;IACrC,YAAY,EAAE,YAAY,CAAC;CAC5B;AAED,wBAAgB,2BAA2B,CAAC,OAAO,EAAE,wBAAwB,GAAG,uBAAuB,CAStG"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"algorithms.d.ts","sourceRoot":"","sources":["../../src/jwt/algorithms.ts"],"names":[],"mappings":"AAaA,eAAO,MAAM,IAAI,UAAyB,CAAC;AAE3C,wBAAgB,kBAAkB,CAAC,aAAa,EAAE,MAAM,GAAG,qBAAqB,CAY/E"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cryptoKeys.d.ts","sourceRoot":"","sources":["../../src/jwt/cryptoKeys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAoC,KAAK,OAAO,EAAE,MAAM,MAAM,CAAC;AAEtE,wBAAsB,SAAS,CAAC,GAAG,EAAE,UAAU,GAAG,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CA0B7F"}
|
|
@@ -0,0 +1,3 @@
|
|
|
1
|
+
import { type JwtReturnType } from "./types";
|
|
2
|
+
export declare function createJwtGuard<T extends (...args: any[]) => JwtReturnType<any, any>>(decodedFn: T): (...args: Parameters<T>) => NonNullable<Awaited<ReturnType<T>>["data"]> | never;
|
|
3
|
+
//# sourceMappingURL=guardReturn.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"guardReturn.d.ts","sourceRoot":"","sources":["../../src/jwt/guardReturn.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,aAAa,EAAE,MAAM,SAAS,CAAC;AAE7C,wBAAgB,cAAc,CAAC,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,SAAS,EAAE,CAAC,IACxF,GAAG,MAAM,UAAU,CAAC,CAAC,CAAC,KAAG,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,KAAK,CASrF"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/jwt/index.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,aAAa,qDAAiC,CAAC;AAC5D,OAAO,EAAE,aAAa,IAAI,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAEtE,cAAc,OAAO,CAAC"}
|
|
@@ -0,0 +1,332 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __defProp = Object.defineProperty;
|
|
3
|
+
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
|
|
4
|
+
var __getOwnPropNames = Object.getOwnPropertyNames;
|
|
5
|
+
var __hasOwnProp = Object.prototype.hasOwnProperty;
|
|
6
|
+
var __export = (target, all) => {
|
|
7
|
+
for (var name in all)
|
|
8
|
+
__defProp(target, name, { get: all[name], enumerable: true });
|
|
9
|
+
};
|
|
10
|
+
var __copyProps = (to, from, except, desc) => {
|
|
11
|
+
if (from && typeof from === "object" || typeof from === "function") {
|
|
12
|
+
for (let key of __getOwnPropNames(from))
|
|
13
|
+
if (!__hasOwnProp.call(to, key) && key !== except)
|
|
14
|
+
__defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
|
|
15
|
+
}
|
|
16
|
+
return to;
|
|
17
|
+
};
|
|
18
|
+
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
|
|
19
|
+
|
|
20
|
+
// src/jwt/index.ts
|
|
21
|
+
var jwt_exports = {};
|
|
22
|
+
__export(jwt_exports, {
|
|
23
|
+
ternDecodeJwt: () => ternDecodeJwt2,
|
|
24
|
+
ternDecodeJwtUnguarded: () => ternDecodeJwt,
|
|
25
|
+
verifyToken: () => verifyToken
|
|
26
|
+
});
|
|
27
|
+
module.exports = __toCommonJS(jwt_exports);
|
|
28
|
+
|
|
29
|
+
// src/jwt/guardReturn.ts
|
|
30
|
+
function createJwtGuard(decodedFn) {
|
|
31
|
+
return (...args) => {
|
|
32
|
+
const { data, errors } = decodedFn(...args);
|
|
33
|
+
if (errors) {
|
|
34
|
+
throw errors[0];
|
|
35
|
+
}
|
|
36
|
+
return data;
|
|
37
|
+
};
|
|
38
|
+
}
|
|
39
|
+
|
|
40
|
+
// src/jwt/verifyJwt.ts
|
|
41
|
+
var import_jose2 = require("jose");
|
|
42
|
+
|
|
43
|
+
// src/utils/errors.ts
|
|
44
|
+
var TokenVerificationErrorReason = {
|
|
45
|
+
TokenExpired: "token-expired",
|
|
46
|
+
TokenInvalid: "token-invalid",
|
|
47
|
+
TokenInvalidAlgorithm: "token-invalid-algorithm",
|
|
48
|
+
TokenInvalidAuthorizedParties: "token-invalid-authorized-parties",
|
|
49
|
+
TokenInvalidSignature: "token-invalid-signature",
|
|
50
|
+
TokenNotActiveYet: "token-not-active-yet",
|
|
51
|
+
TokenIatInTheFuture: "token-iat-in-the-future",
|
|
52
|
+
TokenVerificationFailed: "token-verification-failed",
|
|
53
|
+
InvalidSecretKey: "secret-key-invalid",
|
|
54
|
+
LocalJWKMissing: "jwk-local-missing",
|
|
55
|
+
RemoteJWKFailedToLoad: "jwk-remote-failed-to-load",
|
|
56
|
+
RemoteJWKInvalid: "jwk-remote-invalid",
|
|
57
|
+
RemoteJWKMissing: "jwk-remote-missing",
|
|
58
|
+
JWKFailedToResolve: "jwk-failed-to-resolve",
|
|
59
|
+
JWKKidMismatch: "jwk-kid-mismatch"
|
|
60
|
+
};
|
|
61
|
+
var TokenVerificationError = class _TokenVerificationError extends Error {
|
|
62
|
+
reason;
|
|
63
|
+
tokenCarrier;
|
|
64
|
+
constructor({
|
|
65
|
+
message,
|
|
66
|
+
reason
|
|
67
|
+
}) {
|
|
68
|
+
super(message);
|
|
69
|
+
Object.setPrototypeOf(this, _TokenVerificationError.prototype);
|
|
70
|
+
this.reason = reason;
|
|
71
|
+
this.message = message;
|
|
72
|
+
}
|
|
73
|
+
getFullMessage() {
|
|
74
|
+
return `${[this.message].filter((m) => m).join(" ")} (reason=${this.reason}, token-carrier=${this.tokenCarrier})`;
|
|
75
|
+
}
|
|
76
|
+
};
|
|
77
|
+
|
|
78
|
+
// src/utils/rfc4648.ts
|
|
79
|
+
var base64url = {
|
|
80
|
+
parse(string, opts) {
|
|
81
|
+
return parse(string, base64UrlEncoding, opts);
|
|
82
|
+
},
|
|
83
|
+
stringify(data, opts) {
|
|
84
|
+
return stringify(data, base64UrlEncoding, opts);
|
|
85
|
+
}
|
|
86
|
+
};
|
|
87
|
+
var base64UrlEncoding = {
|
|
88
|
+
chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_",
|
|
89
|
+
bits: 6
|
|
90
|
+
};
|
|
91
|
+
function parse(string, encoding, opts = {}) {
|
|
92
|
+
if (!encoding.codes) {
|
|
93
|
+
encoding.codes = {};
|
|
94
|
+
for (let i = 0; i < encoding.chars.length; ++i) {
|
|
95
|
+
encoding.codes[encoding.chars[i]] = i;
|
|
96
|
+
}
|
|
97
|
+
}
|
|
98
|
+
if (!opts.loose && string.length * encoding.bits & 7) {
|
|
99
|
+
throw new SyntaxError("Invalid padding");
|
|
100
|
+
}
|
|
101
|
+
let end = string.length;
|
|
102
|
+
while (string[end - 1] === "=") {
|
|
103
|
+
--end;
|
|
104
|
+
if (!opts.loose && !((string.length - end) * encoding.bits & 7)) {
|
|
105
|
+
throw new SyntaxError("Invalid padding");
|
|
106
|
+
}
|
|
107
|
+
}
|
|
108
|
+
const out = new (opts.out ?? Uint8Array)(end * encoding.bits / 8 | 0);
|
|
109
|
+
let bits = 0;
|
|
110
|
+
let buffer = 0;
|
|
111
|
+
let written = 0;
|
|
112
|
+
for (let i = 0; i < end; ++i) {
|
|
113
|
+
const value = encoding.codes[string[i]];
|
|
114
|
+
if (value === void 0) {
|
|
115
|
+
throw new SyntaxError("Invalid character " + string[i]);
|
|
116
|
+
}
|
|
117
|
+
buffer = buffer << encoding.bits | value;
|
|
118
|
+
bits += encoding.bits;
|
|
119
|
+
if (bits >= 8) {
|
|
120
|
+
bits -= 8;
|
|
121
|
+
out[written++] = 255 & buffer >> bits;
|
|
122
|
+
}
|
|
123
|
+
}
|
|
124
|
+
if (bits >= encoding.bits || 255 & buffer << 8 - bits) {
|
|
125
|
+
throw new SyntaxError("Unexpected end of data");
|
|
126
|
+
}
|
|
127
|
+
return out;
|
|
128
|
+
}
|
|
129
|
+
function stringify(data, encoding, opts = {}) {
|
|
130
|
+
const { pad = true } = opts;
|
|
131
|
+
const mask = (1 << encoding.bits) - 1;
|
|
132
|
+
let out = "";
|
|
133
|
+
let bits = 0;
|
|
134
|
+
let buffer = 0;
|
|
135
|
+
for (let i = 0; i < data.length; ++i) {
|
|
136
|
+
buffer = buffer << 8 | 255 & data[i];
|
|
137
|
+
bits += 8;
|
|
138
|
+
while (bits > encoding.bits) {
|
|
139
|
+
bits -= encoding.bits;
|
|
140
|
+
out += encoding.chars[mask & buffer >> bits];
|
|
141
|
+
}
|
|
142
|
+
}
|
|
143
|
+
if (bits) {
|
|
144
|
+
out += encoding.chars[mask & buffer << encoding.bits - bits];
|
|
145
|
+
}
|
|
146
|
+
if (pad) {
|
|
147
|
+
while (out.length * encoding.bits & 7) {
|
|
148
|
+
out += "=";
|
|
149
|
+
}
|
|
150
|
+
}
|
|
151
|
+
return out;
|
|
152
|
+
}
|
|
153
|
+
|
|
154
|
+
// src/jwt/cryptoKeys.ts
|
|
155
|
+
var import_jose = require("jose");
|
|
156
|
+
|
|
157
|
+
// src/jwt/algorithms.ts
|
|
158
|
+
var algToHash = {
|
|
159
|
+
RS256: "SHA-256",
|
|
160
|
+
RS384: "SHA-384",
|
|
161
|
+
RS512: "SHA-512"
|
|
162
|
+
};
|
|
163
|
+
var algs = Object.keys(algToHash);
|
|
164
|
+
|
|
165
|
+
// src/jwt/verifyJwt.ts
|
|
166
|
+
var DEFAULT_CLOCK_SKEW_IN_MS = 5 * 1e3;
|
|
167
|
+
function ternDecodeJwt(token) {
|
|
168
|
+
try {
|
|
169
|
+
const header = (0, import_jose2.decodeProtectedHeader)(token);
|
|
170
|
+
const payload = (0, import_jose2.decodeJwt)(token);
|
|
171
|
+
const tokenParts = (token || "").toString().split(".");
|
|
172
|
+
if (tokenParts.length !== 3) {
|
|
173
|
+
return {
|
|
174
|
+
errors: [
|
|
175
|
+
new TokenVerificationError({
|
|
176
|
+
reason: TokenVerificationErrorReason.TokenInvalid,
|
|
177
|
+
message: "Invalid JWT format"
|
|
178
|
+
})
|
|
179
|
+
]
|
|
180
|
+
};
|
|
181
|
+
}
|
|
182
|
+
const [rawHeader, rawPayload, rawSignature] = tokenParts;
|
|
183
|
+
const signature = base64url.parse(rawSignature, { loose: true });
|
|
184
|
+
const data = {
|
|
185
|
+
header,
|
|
186
|
+
payload,
|
|
187
|
+
signature,
|
|
188
|
+
raw: {
|
|
189
|
+
header: rawHeader,
|
|
190
|
+
payload: rawPayload,
|
|
191
|
+
signature: rawSignature,
|
|
192
|
+
text: token
|
|
193
|
+
}
|
|
194
|
+
};
|
|
195
|
+
return { data };
|
|
196
|
+
} catch (error) {
|
|
197
|
+
return {
|
|
198
|
+
errors: [
|
|
199
|
+
new TokenVerificationError({
|
|
200
|
+
reason: TokenVerificationErrorReason.TokenInvalid,
|
|
201
|
+
message: error.message
|
|
202
|
+
})
|
|
203
|
+
]
|
|
204
|
+
};
|
|
205
|
+
}
|
|
206
|
+
}
|
|
207
|
+
|
|
208
|
+
// src/jwt/jwt.ts
|
|
209
|
+
var import_jose3 = require("jose");
|
|
210
|
+
var FIREBASE_ID_TOKEN_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
|
|
211
|
+
var FIREBASE_SESSION_CERT_URL = "https://identitytoolkit.googleapis.com/v1/sessionCookiePublicKeys";
|
|
212
|
+
var idTokenJWKS = null;
|
|
213
|
+
var sessionJWKS = null;
|
|
214
|
+
var getIdTokenJWKS = () => {
|
|
215
|
+
if (!idTokenJWKS) {
|
|
216
|
+
idTokenJWKS = (0, import_jose3.createRemoteJWKSet)(new URL(FIREBASE_ID_TOKEN_URL), {
|
|
217
|
+
cacheMaxAge: 36e5,
|
|
218
|
+
// 1 hour
|
|
219
|
+
timeoutDuration: 5e3,
|
|
220
|
+
// 5 seconds
|
|
221
|
+
cooldownDuration: 3e4
|
|
222
|
+
// 30 seconds between retries
|
|
223
|
+
});
|
|
224
|
+
}
|
|
225
|
+
return idTokenJWKS;
|
|
226
|
+
};
|
|
227
|
+
var getSessionJWKS = () => {
|
|
228
|
+
if (!sessionJWKS) {
|
|
229
|
+
sessionJWKS = (0, import_jose3.createRemoteJWKSet)(new URL(FIREBASE_SESSION_CERT_URL), {
|
|
230
|
+
cacheMaxAge: 36e5,
|
|
231
|
+
// 1 hour
|
|
232
|
+
timeoutDuration: 5e3,
|
|
233
|
+
// 5 seconds
|
|
234
|
+
cooldownDuration: 3e4
|
|
235
|
+
// 30 seconds between retries
|
|
236
|
+
});
|
|
237
|
+
}
|
|
238
|
+
return sessionJWKS;
|
|
239
|
+
};
|
|
240
|
+
async function verifyToken(token, isSessionCookie = false) {
|
|
241
|
+
try {
|
|
242
|
+
const projectId = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID;
|
|
243
|
+
if (!projectId) {
|
|
244
|
+
throw new Error("Firebase Project ID is not configured");
|
|
245
|
+
}
|
|
246
|
+
const { decoded } = (0, import_jose3.decodeJwt)(token);
|
|
247
|
+
if (!decoded) {
|
|
248
|
+
throw new Error("Invalid token format");
|
|
249
|
+
}
|
|
250
|
+
let retries = 3;
|
|
251
|
+
let lastError = null;
|
|
252
|
+
while (retries > 0) {
|
|
253
|
+
try {
|
|
254
|
+
const JWKS = isSessionCookie ? getSessionJWKS() : getIdTokenJWKS();
|
|
255
|
+
const { payload } = await (0, import_jose3.jwtVerify)(token, JWKS, {
|
|
256
|
+
issuer: isSessionCookie ? "https://session.firebase.google.com/" + projectId : "https://securetoken.google.com/" + projectId,
|
|
257
|
+
audience: projectId,
|
|
258
|
+
algorithms: ["RS256"]
|
|
259
|
+
});
|
|
260
|
+
const firebasePayload = payload;
|
|
261
|
+
const now = Math.floor(Date.now() / 1e3);
|
|
262
|
+
if (firebasePayload.exp <= now) {
|
|
263
|
+
throw new Error("Token has expired");
|
|
264
|
+
}
|
|
265
|
+
if (firebasePayload.iat > now) {
|
|
266
|
+
throw new Error("Token issued time is in the future");
|
|
267
|
+
}
|
|
268
|
+
if (!firebasePayload.sub) {
|
|
269
|
+
throw new Error("Token subject is empty");
|
|
270
|
+
}
|
|
271
|
+
if (firebasePayload.auth_time > now) {
|
|
272
|
+
throw new Error("Token auth time is in the future");
|
|
273
|
+
}
|
|
274
|
+
return {
|
|
275
|
+
valid: true,
|
|
276
|
+
uid: firebasePayload.sub,
|
|
277
|
+
sub: firebasePayload.sub,
|
|
278
|
+
email: firebasePayload.email,
|
|
279
|
+
email_verified: firebasePayload.email_verified,
|
|
280
|
+
auth_time: firebasePayload.auth_time,
|
|
281
|
+
iat: firebasePayload.iat,
|
|
282
|
+
exp: firebasePayload.exp,
|
|
283
|
+
aud: firebasePayload.aud,
|
|
284
|
+
iss: firebasePayload.iss,
|
|
285
|
+
firebase: firebasePayload.firebase,
|
|
286
|
+
phone_number: firebasePayload.phone_number,
|
|
287
|
+
picture: firebasePayload.picture
|
|
288
|
+
};
|
|
289
|
+
} catch (error) {
|
|
290
|
+
lastError = error;
|
|
291
|
+
if (error instanceof Error && error.name === "JWKSNoMatchingKey") {
|
|
292
|
+
console.warn(`JWKS retry attempt ${4 - retries}:`, error.message);
|
|
293
|
+
retries--;
|
|
294
|
+
if (retries > 0) {
|
|
295
|
+
await new Promise((resolve) => setTimeout(resolve, 1e3));
|
|
296
|
+
continue;
|
|
297
|
+
}
|
|
298
|
+
}
|
|
299
|
+
throw error;
|
|
300
|
+
}
|
|
301
|
+
}
|
|
302
|
+
throw lastError || new Error("Failed to verify token after retries");
|
|
303
|
+
} catch (error) {
|
|
304
|
+
console.error("Token verification details:", {
|
|
305
|
+
error: error instanceof Error ? {
|
|
306
|
+
name: error.name,
|
|
307
|
+
message: error.message,
|
|
308
|
+
stack: error.stack
|
|
309
|
+
} : error,
|
|
310
|
+
decoded: (0, import_jose3.decodeJwt)(token),
|
|
311
|
+
isSessionCookie
|
|
312
|
+
});
|
|
313
|
+
return {
|
|
314
|
+
valid: false,
|
|
315
|
+
error: {
|
|
316
|
+
success: false,
|
|
317
|
+
message: error instanceof Error ? error.message : "Invalid token",
|
|
318
|
+
code: "INVALID_TOKEN"
|
|
319
|
+
}
|
|
320
|
+
};
|
|
321
|
+
}
|
|
322
|
+
}
|
|
323
|
+
|
|
324
|
+
// src/jwt/index.ts
|
|
325
|
+
var ternDecodeJwt2 = createJwtGuard(ternDecodeJwt);
|
|
326
|
+
// Annotate the CommonJS export names for ESM import in node:
|
|
327
|
+
0 && (module.exports = {
|
|
328
|
+
ternDecodeJwt,
|
|
329
|
+
ternDecodeJwtUnguarded,
|
|
330
|
+
verifyToken
|
|
331
|
+
});
|
|
332
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../../src/jwt/index.ts","../../src/jwt/guardReturn.ts","../../src/jwt/verifyJwt.ts","../../src/utils/errors.ts","../../src/utils/rfc4648.ts","../../src/jwt/cryptoKeys.ts","../../src/jwt/algorithms.ts","../../src/jwt/jwt.ts"],"sourcesContent":["import { createJwtGuard } from './guardReturn';\nimport { ternDecodeJwt as _ternDecodeJwt } from './verifyJwt';\n\nexport const ternDecodeJwt = createJwtGuard(_ternDecodeJwt);\nexport { ternDecodeJwt as ternDecodeJwtUnguarded } from './verifyJwt';\n\nexport * from './jwt';","import { type JwtReturnType } from \"./types\";\n\nexport function createJwtGuard<T extends (...args: any[]) => JwtReturnType<any, any>>(decodedFn: T) {\n return (...args: Parameters<T>): NonNullable<Awaited<ReturnType<T>>['data']> | never => {\n const { data, errors } = decodedFn(...args);\n\n if (errors) {\n throw errors[0];\n }\n\n return data;\n };\n}\n","import type { DecodedIdToken, Jwt,JWTPayload } from '@tern-secure/types';\nimport {\n decodeJwt,\n decodeProtectedHeader,\n jwtVerify,\n} from 'jose';\n\nimport { TokenVerificationError, TokenVerificationErrorReason } from '../utils/errors';\nimport { mapJwtPayloadToDecodedIdToken } from '../utils/mapDecode';\nimport { base64url } from '../utils/rfc4648';\nimport { importKey } from './cryptoKeys';\nimport type { JwtReturnType } from './types';\nimport {\n verifyExpirationClaim,\n verifyHeaderKid,\n verifyIssuedAtClaim,\n verifySubClaim,\n} from './verifyContent';\n\nconst DEFAULT_CLOCK_SKEW_IN_MS = 5 * 1000;\n\nexport type VerifyJwtOptions = {\n audience?: string | string[];\n clockSkewInMs?: number;\n key: JsonWebKey | string;\n};\n\nexport async function verifySignature(\n jwt: Jwt,\n key: JsonWebKey | string,\n): Promise<JwtReturnType<JWTPayload, Error>> {\n const { header, raw } = jwt;\n const joseAlgorithm = header.alg || 'RS256';\n\n try {\n const publicKey = await importKey(key, joseAlgorithm);\n\n const { payload } = await jwtVerify(raw.text, publicKey);\n\n return { data: payload };\n } catch (error) {\n return {\n errors: [\n new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalidSignature,\n message: (error as Error).message,\n }),\n ],\n };\n }\n}\n\nexport function ternDecodeJwt(token: string): JwtReturnType<Jwt, TokenVerificationError> {\n try {\n const header = decodeProtectedHeader(token);\n const payload = decodeJwt(token);\n\n const tokenParts = (token || '').toString().split('.');\n if (tokenParts.length !== 3) {\n return {\n errors: [\n new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalid,\n message: 'Invalid JWT format',\n }),\n ],\n };\n }\n\n const [rawHeader, rawPayload, rawSignature] = tokenParts;\n const signature = base64url.parse(rawSignature, { loose: true });\n\n const data = {\n header,\n payload,\n signature,\n raw: {\n header: rawHeader,\n payload: rawPayload,\n signature: rawSignature,\n text: token,\n },\n };\n\n return { data };\n } catch (error: any) {\n return {\n errors: [\n new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalid,\n message: error.message,\n }),\n ],\n };\n }\n}\n\nexport async function verifyJwt(\n token: string,\n options: VerifyJwtOptions,\n): Promise<JwtReturnType<DecodedIdToken, TokenVerificationError>> {\n const { key } = options;\n const clockSkew = options.clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;\n\n const { data: decoded, errors } = ternDecodeJwt(token);\n if (errors) {\n return { errors };\n }\n\n const { header, payload } = decoded;\n\n try {\n verifyHeaderKid(header.kid);\n verifySubClaim(payload.sub);\n verifyExpirationClaim(payload.exp, clockSkew);\n verifyIssuedAtClaim(payload.iat, clockSkew);\n } catch (error) {\n return { errors: [error as TokenVerificationError] };\n }\n\n const { data: verifiedPayload, errors: signatureErrors } = await verifySignature(decoded, key);\n if (signatureErrors) {\n return {\n errors: [\n new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalidSignature,\n message: 'Token signature verification failed.',\n }),\n ],\n };\n }\n\n const decodedIdToken = mapJwtPayloadToDecodedIdToken(verifiedPayload);\n\n return { data: decodedIdToken };\n}\n","\nexport type TokenCarrier = 'header' | 'cookie';\n\nexport const TokenVerificationErrorReason = {\n TokenExpired: 'token-expired',\n TokenInvalid: 'token-invalid',\n TokenInvalidAlgorithm: 'token-invalid-algorithm',\n TokenInvalidAuthorizedParties: 'token-invalid-authorized-parties',\n TokenInvalidSignature: 'token-invalid-signature',\n TokenNotActiveYet: 'token-not-active-yet',\n TokenIatInTheFuture: 'token-iat-in-the-future',\n TokenVerificationFailed: 'token-verification-failed',\n InvalidSecretKey: 'secret-key-invalid',\n LocalJWKMissing: 'jwk-local-missing',\n RemoteJWKFailedToLoad: 'jwk-remote-failed-to-load',\n RemoteJWKInvalid: 'jwk-remote-invalid',\n RemoteJWKMissing: 'jwk-remote-missing',\n JWKFailedToResolve: 'jwk-failed-to-resolve',\n JWKKidMismatch: 'jwk-kid-mismatch',\n};\n\nexport type TokenVerificationErrorReason =\n (typeof TokenVerificationErrorReason)[keyof typeof TokenVerificationErrorReason];\n\nexport class TokenVerificationError extends Error {\n reason: TokenVerificationErrorReason;\n tokenCarrier?: TokenCarrier;\n\n constructor({\n message,\n reason,\n }: {\n message: string;\n reason: TokenVerificationErrorReason;\n }) {\n super(message);\n\n Object.setPrototypeOf(this, TokenVerificationError.prototype);\n\n this.reason = reason;\n this.message = message;\n }\n\n public getFullMessage() {\n return `${[this.message].filter(m => m).join(' ')} (reason=${this.reason}, token-carrier=${\n this.tokenCarrier\n })`;\n }\n }\n","/**\n * The base64url helper was extracted from the rfc4648 package\n * in order to resolve CSJ/ESM interoperability issues\n *\n * https://github.com/swansontec/rfc4648.js\n *\n * For more context please refer to:\n * - https://github.com/evanw/esbuild/issues/1719\n * - https://github.com/evanw/esbuild/issues/532\n * - https://github.com/swansontec/rollup-plugin-mjs-entry\n */\nexport const base64url = {\n parse(string: string, opts?: ParseOptions): Uint8Array {\n return parse(string, base64UrlEncoding, opts);\n },\n\n stringify(data: ArrayLike<number>, opts?: StringifyOptions): string {\n return stringify(data, base64UrlEncoding, opts);\n },\n};\n\nconst base64UrlEncoding: Encoding = {\n chars: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_',\n bits: 6,\n};\n\ninterface Encoding {\n bits: number;\n chars: string;\n codes?: { [char: string]: number };\n}\n\ninterface ParseOptions {\n loose?: boolean;\n out?: new (size: number) => { [index: number]: number };\n}\n\ninterface StringifyOptions {\n pad?: boolean;\n}\n\nfunction parse(string: string, encoding: Encoding, opts: ParseOptions = {}): Uint8Array {\n // Build the character lookup table:\n if (!encoding.codes) {\n encoding.codes = {};\n for (let i = 0; i < encoding.chars.length; ++i) {\n encoding.codes[encoding.chars[i]] = i;\n }\n }\n\n // The string must have a whole number of bytes:\n if (!opts.loose && (string.length * encoding.bits) & 7) {\n throw new SyntaxError('Invalid padding');\n }\n\n // Count the padding bytes:\n let end = string.length;\n while (string[end - 1] === '=') {\n --end;\n\n // If we get a whole number of bytes, there is too much padding:\n if (!opts.loose && !(((string.length - end) * encoding.bits) & 7)) {\n throw new SyntaxError('Invalid padding');\n }\n }\n\n // Allocate the output:\n const out = new (opts.out ?? Uint8Array)(((end * encoding.bits) / 8) | 0) as Uint8Array;\n\n // Parse the data:\n let bits = 0; // Number of bits currently in the buffer\n let buffer = 0; // Bits waiting to be written out, MSB first\n let written = 0; // Next byte to write\n for (let i = 0; i < end; ++i) {\n // Read one character from the string:\n const value = encoding.codes[string[i]];\n if (value === undefined) {\n throw new SyntaxError('Invalid character ' + string[i]);\n }\n\n // Append the bits to the buffer:\n buffer = (buffer << encoding.bits) | value;\n bits += encoding.bits;\n\n // Write out some bits if the buffer has a byte's worth:\n if (bits >= 8) {\n bits -= 8;\n out[written++] = 0xff & (buffer >> bits);\n }\n }\n\n // Verify that we have received just enough bits:\n if (bits >= encoding.bits || 0xff & (buffer << (8 - bits))) {\n throw new SyntaxError('Unexpected end of data');\n }\n\n return out;\n}\n\nfunction stringify(data: ArrayLike<number>, encoding: Encoding, opts: StringifyOptions = {}): string {\n const { pad = true } = opts;\n const mask = (1 << encoding.bits) - 1;\n let out = '';\n\n let bits = 0; // Number of bits currently in the buffer\n let buffer = 0; // Bits waiting to be written out, MSB first\n for (let i = 0; i < data.length; ++i) {\n // Slurp data into the buffer:\n buffer = (buffer << 8) | (0xff & data[i]);\n bits += 8;\n\n // Write out as much as we can:\n while (bits > encoding.bits) {\n bits -= encoding.bits;\n out += encoding.chars[mask & (buffer >> bits)];\n }\n }\n\n // Partial character:\n if (bits) {\n out += encoding.chars[mask & (buffer << (encoding.bits - bits))];\n }\n\n // Add padding characters until we hit a byte boundary:\n if (pad) {\n while ((out.length * encoding.bits) & 7) {\n out += '=';\n }\n }\n\n return out;\n}\n","import { importJWK, importSPKI,importX509, type KeyLike } from 'jose';\n\nexport async function importKey(key: JsonWebKey | string, algorithm: string): Promise<KeyLike> {\n if (typeof key === 'object') {\n const result = await importJWK(key as Parameters<typeof importJWK>[0], algorithm);\n if (result instanceof Uint8Array) {\n throw new Error('Unexpected Uint8Array result from JWK import');\n }\n return result;\n }\n\n const keyString = key.trim();\n\n if (keyString.includes('-----BEGIN CERTIFICATE-----')) {\n return await importX509(keyString, algorithm);\n }\n\n if (keyString.includes('-----BEGIN PUBLIC KEY-----')) {\n return await importSPKI(keyString, algorithm);\n }\n\n try {\n return await importSPKI(keyString, algorithm);\n } catch (error) {\n throw new Error(\n `Unsupported key format. Supported formats: X.509 certificate (PEM), SPKI (PEM), JWK (JSON object or string). Error: ${error}`,\n );\n }\n}\n","const algToHash: Record<string, string> = {\n RS256: 'SHA-256',\n RS384: 'SHA-384',\n RS512: 'SHA-512',\n};\nconst RSA_ALGORITHM_NAME = 'RSASSA-PKCS1-v1_5';\n\nconst jwksAlgToCryptoAlg: Record<string, string> = {\n RS256: RSA_ALGORITHM_NAME,\n RS384: RSA_ALGORITHM_NAME,\n RS512: RSA_ALGORITHM_NAME,\n};\n\nexport const algs = Object.keys(algToHash);\n\nexport function getCryptoAlgorithm(algorithmName: string): RsaHashedImportParams {\n const hash = algToHash[algorithmName];\n const name = jwksAlgToCryptoAlg[algorithmName];\n\n if (!hash || !name) {\n throw new Error(`Unsupported algorithm ${algorithmName}, expected one of ${algs.join(',')}.`);\n }\n\n return {\n hash: { name: algToHash[algorithmName] },\n name: jwksAlgToCryptoAlg[algorithmName],\n };\n}\n","import type {\n DecodedIdToken,\n TernVerificationResult,\n} from \"@tern-secure/types\";\nimport { createRemoteJWKSet, decodeJwt,jwtVerify } from \"jose\";\n\n\nexport type FirebaseIdTokenPayload = DecodedIdToken;\n\n// Firebase public key endpoints\nconst FIREBASE_ID_TOKEN_URL =\n \"https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com\";\nconst FIREBASE_SESSION_CERT_URL =\n \"https://identitytoolkit.googleapis.com/v1/sessionCookiePublicKeys\";\n\n//const FIREBASE_NEW_SESSION_PK = \"https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys\"\n\n// Simple in-memory cache for JWKS\nlet idTokenJWKS: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet sessionJWKS: ReturnType<typeof createRemoteJWKSet> | null = null;\n\nconst getIdTokenJWKS = () => {\n if (!idTokenJWKS) {\n idTokenJWKS = createRemoteJWKSet(new URL(FIREBASE_ID_TOKEN_URL), {\n cacheMaxAge: 3600000, // 1 hour\n timeoutDuration: 5000, // 5 seconds\n cooldownDuration: 30000, // 30 seconds between retries\n });\n }\n return idTokenJWKS;\n};\n\nconst getSessionJWKS = () => {\n if (!sessionJWKS) {\n sessionJWKS = createRemoteJWKSet(new URL(FIREBASE_SESSION_CERT_URL), {\n cacheMaxAge: 3600000, // 1 hour\n timeoutDuration: 5000, // 5 seconds\n cooldownDuration: 30000, // 30 seconds between retries\n });\n }\n return sessionJWKS;\n};\n\n\n\nexport async function verifyToken(\n token: string,\n isSessionCookie = false\n): Promise<TernVerificationResult> {\n try {\n const projectId = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID;\n if (!projectId) {\n throw new Error(\"Firebase Project ID is not configured\");\n }\n\n const { decoded } = decodeJwt(token);\n if (!decoded) {\n throw new Error(\"Invalid token format\");\n }\n\n let retries = 3;\n let lastError: Error | null = null;\n\n while (retries > 0) {\n try {\n // Use different JWKS based on token type\n const JWKS = isSessionCookie ? getSessionJWKS() : getIdTokenJWKS();\n\n const { payload } = await jwtVerify(token, JWKS, {\n issuer: isSessionCookie\n ? \"https://session.firebase.google.com/\" + projectId\n : \"https://securetoken.google.com/\" + projectId,\n audience: projectId,\n algorithms: [\"RS256\"],\n });\n\n const firebasePayload = payload as unknown as FirebaseIdTokenPayload;\n const now = Math.floor(Date.now() / 1000);\n\n // Verify token claims\n if (firebasePayload.exp <= now) {\n throw new Error(\"Token has expired\");\n }\n\n if (firebasePayload.iat > now) {\n throw new Error(\"Token issued time is in the future\");\n }\n\n if (!firebasePayload.sub) {\n throw new Error(\"Token subject is empty\");\n }\n\n if (firebasePayload.auth_time > now) {\n throw new Error(\"Token auth time is in the future\");\n }\n\n return {\n valid: true,\n uid: firebasePayload.sub,\n sub: firebasePayload.sub,\n email: firebasePayload.email,\n email_verified: firebasePayload.email_verified,\n auth_time: firebasePayload.auth_time,\n iat: firebasePayload.iat,\n exp: firebasePayload.exp,\n aud: firebasePayload.aud,\n iss: firebasePayload.iss,\n firebase: firebasePayload.firebase,\n phone_number: firebasePayload.phone_number,\n picture: firebasePayload.picture,\n };\n } catch (error) {\n lastError = error as Error;\n if (error instanceof Error && error.name === \"JWKSNoMatchingKey\") {\n console.warn(`JWKS retry attempt ${4 - retries}:`, error.message);\n retries--;\n if (retries > 0) {\n await new Promise((resolve) => setTimeout(resolve, 1000));\n continue;\n }\n }\n throw error;\n }\n }\n\n throw lastError || new Error(\"Failed to verify token after retries\");\n } catch (error) {\n console.error(\"Token verification details:\", {\n error:\n error instanceof Error\n ? {\n name: error.name,\n message: error.message,\n stack: error.stack,\n }\n : error,\n decoded: decodeJwt(token),\n isSessionCookie,\n });\n\n return {\n valid: false,\n error: {\n success: false,\n message: error instanceof Error ? error.message : \"Invalid token\",\n code: \"INVALID_TOKEN\",\n },\n };\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA,uBAAAA;AAAA,EAAA;AAAA;AAAA;AAAA;;;ACEO,SAAS,eAAsE,WAAc;AAClG,SAAO,IAAI,SAA6E;AACtF,UAAM,EAAE,MAAM,OAAO,IAAI,UAAU,GAAG,IAAI;AAE1C,QAAI,QAAQ;AACV,YAAM,OAAO,CAAC;AAAA,IAChB;AAEA,WAAO;AAAA,EACT;AACF;;;ACXA,IAAAC,eAIO;;;ACFA,IAAM,+BAA+B;AAAA,EAC1C,cAAc;AAAA,EACd,cAAc;AAAA,EACd,uBAAuB;AAAA,EACvB,+BAA+B;AAAA,EAC/B,uBAAuB;AAAA,EACvB,mBAAmB;AAAA,EACnB,qBAAqB;AAAA,EACrB,yBAAyB;AAAA,EACzB,kBAAkB;AAAA,EAClB,iBAAiB;AAAA,EACjB,uBAAuB;AAAA,EACvB,kBAAkB;AAAA,EAClB,kBAAkB;AAAA,EAClB,oBAAoB;AAAA,EACpB,gBAAgB;AAClB;AAKO,IAAM,yBAAN,MAAM,gCAA+B,MAAM;AAAA,EAChD;AAAA,EACA;AAAA,EAEA,YAAY;AAAA,IACV;AAAA,IACA;AAAA,EACF,GAGG;AACD,UAAM,OAAO;AAEb,WAAO,eAAe,MAAM,wBAAuB,SAAS;AAE5D,SAAK,SAAS;AACd,SAAK,UAAU;AAAA,EACjB;AAAA,EAEO,iBAAiB;AACtB,WAAO,GAAG,CAAC,KAAK,OAAO,EAAE,OAAO,OAAK,CAAC,EAAE,KAAK,GAAG,CAAC,YAAY,KAAK,MAAM,mBACtE,KAAK,YACP;AAAA,EACF;AACA;;;ACrCK,IAAM,YAAY;AAAA,EACvB,MAAM,QAAgB,MAAiC;AACrD,WAAO,MAAM,QAAQ,mBAAmB,IAAI;AAAA,EAC9C;AAAA,EAEA,UAAU,MAAyB,MAAiC;AAClE,WAAO,UAAU,MAAM,mBAAmB,IAAI;AAAA,EAChD;AACF;AAEA,IAAM,oBAA8B;AAAA,EAClC,OAAO;AAAA,EACP,MAAM;AACR;AAiBA,SAAS,MAAM,QAAgB,UAAoB,OAAqB,CAAC,GAAe;AAEtF,MAAI,CAAC,SAAS,OAAO;AACnB,aAAS,QAAQ,CAAC;AAClB,aAAS,IAAI,GAAG,IAAI,SAAS,MAAM,QAAQ,EAAE,GAAG;AAC9C,eAAS,MAAM,SAAS,MAAM,CAAC,CAAC,IAAI;AAAA,IACtC;AAAA,EACF;AAGA,MAAI,CAAC,KAAK,SAAU,OAAO,SAAS,SAAS,OAAQ,GAAG;AACtD,UAAM,IAAI,YAAY,iBAAiB;AAAA,EACzC;AAGA,MAAI,MAAM,OAAO;AACjB,SAAO,OAAO,MAAM,CAAC,MAAM,KAAK;AAC9B,MAAE;AAGF,QAAI,CAAC,KAAK,SAAS,GAAI,OAAO,SAAS,OAAO,SAAS,OAAQ,IAAI;AACjE,YAAM,IAAI,YAAY,iBAAiB;AAAA,IACzC;AAAA,EACF;AAGA,QAAM,MAAM,KAAK,KAAK,OAAO,YAAc,MAAM,SAAS,OAAQ,IAAK,CAAC;AAGxE,MAAI,OAAO;AACX,MAAI,SAAS;AACb,MAAI,UAAU;AACd,WAAS,IAAI,GAAG,IAAI,KAAK,EAAE,GAAG;AAE5B,UAAM,QAAQ,SAAS,MAAM,OAAO,CAAC,CAAC;AACtC,QAAI,UAAU,QAAW;AACvB,YAAM,IAAI,YAAY,uBAAuB,OAAO,CAAC,CAAC;AAAA,IACxD;AAGA,aAAU,UAAU,SAAS,OAAQ;AACrC,YAAQ,SAAS;AAGjB,QAAI,QAAQ,GAAG;AACb,cAAQ;AACR,UAAI,SAAS,IAAI,MAAQ,UAAU;AAAA,IACrC;AAAA,EACF;AAGA,MAAI,QAAQ,SAAS,QAAQ,MAAQ,UAAW,IAAI,MAAQ;AAC1D,UAAM,IAAI,YAAY,wBAAwB;AAAA,EAChD;AAEA,SAAO;AACT;AAEA,SAAS,UAAU,MAAyB,UAAoB,OAAyB,CAAC,GAAW;AACnG,QAAM,EAAE,MAAM,KAAK,IAAI;AACvB,QAAM,QAAQ,KAAK,SAAS,QAAQ;AACpC,MAAI,MAAM;AAEV,MAAI,OAAO;AACX,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,EAAE,GAAG;AAEpC,aAAU,UAAU,IAAM,MAAO,KAAK,CAAC;AACvC,YAAQ;AAGR,WAAO,OAAO,SAAS,MAAM;AAC3B,cAAQ,SAAS;AACjB,aAAO,SAAS,MAAM,OAAQ,UAAU,IAAK;AAAA,IAC/C;AAAA,EACF;AAGA,MAAI,MAAM;AACR,WAAO,SAAS,MAAM,OAAQ,UAAW,SAAS,OAAO,IAAM;AAAA,EACjE;AAGA,MAAI,KAAK;AACP,WAAQ,IAAI,SAAS,SAAS,OAAQ,GAAG;AACvC,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;;;ACnIA,kBAA+D;;;ACA/D,IAAM,YAAoC;AAAA,EACxC,OAAO;AAAA,EACP,OAAO;AAAA,EACP,OAAO;AACT;AASO,IAAM,OAAO,OAAO,KAAK,SAAS;;;AJMzC,IAAM,2BAA2B,IAAI;AAiC9B,SAAS,cAAc,OAA2D;AACvF,MAAI;AACF,UAAM,aAAS,oCAAsB,KAAK;AAC1C,UAAM,cAAU,wBAAU,KAAK;AAE/B,UAAM,cAAc,SAAS,IAAI,SAAS,EAAE,MAAM,GAAG;AACrD,QAAI,WAAW,WAAW,GAAG;AAC3B,aAAO;AAAA,QACL,QAAQ;AAAA,UACN,IAAI,uBAAuB;AAAA,YACzB,QAAQ,6BAA6B;AAAA,YACrC,SAAS;AAAA,UACX,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAEA,UAAM,CAAC,WAAW,YAAY,YAAY,IAAI;AAC9C,UAAM,YAAY,UAAU,MAAM,cAAc,EAAE,OAAO,KAAK,CAAC;AAE/D,UAAM,OAAO;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,MACA,KAAK;AAAA,QACH,QAAQ;AAAA,QACR,SAAS;AAAA,QACT,WAAW;AAAA,QACX,MAAM;AAAA,MACR;AAAA,IACF;AAEA,WAAO,EAAE,KAAK;AAAA,EAChB,SAAS,OAAY;AACnB,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAS,MAAM;AAAA,QACjB,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AACF;;;AK3FA,IAAAC,eAAwD;AAMxD,IAAM,wBACJ;AACF,IAAM,4BACJ;AAKF,IAAI,cAA4D;AAChE,IAAI,cAA4D;AAEhE,IAAM,iBAAiB,MAAM;AAC3B,MAAI,CAAC,aAAa;AAChB,sBAAc,iCAAmB,IAAI,IAAI,qBAAqB,GAAG;AAAA,MAC/D,aAAa;AAAA;AAAA,MACb,iBAAiB;AAAA;AAAA,MACjB,kBAAkB;AAAA;AAAA,IACpB,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAEA,IAAM,iBAAiB,MAAM;AAC3B,MAAI,CAAC,aAAa;AAChB,sBAAc,iCAAmB,IAAI,IAAI,yBAAyB,GAAG;AAAA,MACnE,aAAa;AAAA;AAAA,MACb,iBAAiB;AAAA;AAAA,MACjB,kBAAkB;AAAA;AAAA,IACpB,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAIA,eAAsB,YACpB,OACA,kBAAkB,OACe;AACjC,MAAI;AACF,UAAM,YAAY,QAAQ,IAAI;AAC9B,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,uCAAuC;AAAA,IACzD;AAEA,UAAM,EAAE,QAAQ,QAAI,wBAAU,KAAK;AACnC,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,sBAAsB;AAAA,IACxC;AAEA,QAAI,UAAU;AACd,QAAI,YAA0B;AAE9B,WAAO,UAAU,GAAG;AAClB,UAAI;AAEF,cAAM,OAAO,kBAAkB,eAAe,IAAI,eAAe;AAEjE,cAAM,EAAE,QAAQ,IAAI,UAAM,wBAAU,OAAO,MAAM;AAAA,UAC/C,QAAQ,kBACJ,yCAAyC,YACzC,oCAAoC;AAAA,UACxC,UAAU;AAAA,UACV,YAAY,CAAC,OAAO;AAAA,QACtB,CAAC;AAED,cAAM,kBAAkB;AACxB,cAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAGxC,YAAI,gBAAgB,OAAO,KAAK;AAC9B,gBAAM,IAAI,MAAM,mBAAmB;AAAA,QACrC;AAEA,YAAI,gBAAgB,MAAM,KAAK;AAC7B,gBAAM,IAAI,MAAM,oCAAoC;AAAA,QACtD;AAEA,YAAI,CAAC,gBAAgB,KAAK;AACxB,gBAAM,IAAI,MAAM,wBAAwB;AAAA,QAC1C;AAEA,YAAI,gBAAgB,YAAY,KAAK;AACnC,gBAAM,IAAI,MAAM,kCAAkC;AAAA,QACpD;AAEA,eAAO;AAAA,UACL,OAAO;AAAA,UACP,KAAK,gBAAgB;AAAA,UACrB,KAAK,gBAAgB;AAAA,UACrB,OAAO,gBAAgB;AAAA,UACvB,gBAAgB,gBAAgB;AAAA,UAChC,WAAW,gBAAgB;AAAA,UAC3B,KAAK,gBAAgB;AAAA,UACrB,KAAK,gBAAgB;AAAA,UACrB,KAAK,gBAAgB;AAAA,UACrB,KAAK,gBAAgB;AAAA,UACrB,UAAU,gBAAgB;AAAA,UAC1B,cAAc,gBAAgB;AAAA,UAC9B,SAAS,gBAAgB;AAAA,QAC3B;AAAA,MACF,SAAS,OAAO;AACd,oBAAY;AACZ,YAAI,iBAAiB,SAAS,MAAM,SAAS,qBAAqB;AAChE,kBAAQ,KAAK,sBAAsB,IAAI,OAAO,KAAK,MAAM,OAAO;AAChE;AACA,cAAI,UAAU,GAAG;AACf,kBAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,GAAI,CAAC;AACxD;AAAA,UACF;AAAA,QACF;AACA,cAAM;AAAA,MACR;AAAA,IACF;AAEA,UAAM,aAAa,IAAI,MAAM,sCAAsC;AAAA,EACrE,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B;AAAA,MAC3C,OACE,iBAAiB,QACb;AAAA,QACE,MAAM,MAAM;AAAA,QACZ,SAAS,MAAM;AAAA,QACf,OAAO,MAAM;AAAA,MACf,IACA;AAAA,MACN,aAAS,wBAAU,KAAK;AAAA,MACxB;AAAA,IACF,CAAC;AAED,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,QACL,SAAS;AAAA,QACT,SAAS,iBAAiB,QAAQ,MAAM,UAAU;AAAA,QAClD,MAAM;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACF;;;APlJO,IAAMC,iBAAgB,eAAe,aAAc;","names":["ternDecodeJwt","import_jose","import_jose","ternDecodeJwt"]}
|