@tern-secure/backend 1.2.0-canary.v20250919134427 → 1.2.0-canary.v20251002175916

package/auth/package.json

@@ -0,0 +1,5 @@
+{
+  "main": "../dist/auth/index.js",
+  "module": "../dist/auth/index.mjs",
+  "types": "../dist/auth/index.d.ts"
+}

package/dist/admin/index.d.ts

@@ -1,4 +1,4 @@
-export { createSessionCookie, clearSessionCookie } from './sessionTernSecure';
+export { createSessionCookie, createCustomTokenClaims, clearSessionCookie } from './sessionTernSecure';
 export { adminTernSecureAuth, adminTernSecureDb, TernSecureTenantManager } from '../utils/admin-init';
 export { initializeAdminConfig } from '../utils/config';
 export { createTenant, createTenantUser } from './tenant';

package/dist/admin/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/admin/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACH,mBAAmB,EACnB,kBAAkB,EACrB,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACH,mBAAmB,EACnB,iBAAiB,EACjB,uBAAuB,EAC1B,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAA;AACvD,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAA;AACzD,OAAO,EACH,uBAAuB,EACvB,0BAA0B,EAC1B,cAAc,EACd,oBAAoB,EACpB,kBAAkB,EAClB,qBAAqB,EACrB,2BAA2B,EAC3B,sBAAsB,EACzB,MAAM,yBAAyB,CAAA;AAEhC,YAAY,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAA;AACjF,OAAO,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,6BAA6B,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/admin/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACH,mBAAmB,EACnB,uBAAuB,EACvB,kBAAkB,EACrB,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACH,mBAAmB,EACnB,iBAAiB,EACjB,uBAAuB,EAC1B,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAA;AACvD,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAA;AACzD,OAAO,EACH,uBAAuB,EACvB,0BAA0B,EAC1B,cAAc,EACd,oBAAoB,EACpB,kBAAkB,EAClB,qBAAqB,EACrB,2BAA2B,EAC3B,sBAAsB,EACzB,MAAM,yBAAyB,CAAA;AAEhC,YAAY,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAA;AACjF,OAAO,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,6BAA6B,CAAA"}

package/dist/admin/index.js

@@ -44,6 +44,7 @@ __export(admin_exports, {
   authenticateRequest: () => authenticateRequest,
   clearSessionCookie: () => clearSessionCookie,
   createBackendInstance: () => createBackendInstance,
+  createCustomTokenClaims: () => createCustomTokenClaims,
   createSessionCookie: () => createSessionCookie,
   createTenant: () => createTenant,
   createTenantUser: () => createTenantUser,
@@ -55,24 +56,65 @@ module.exports = __toCommonJS(admin_exports);
 // src/admin/sessionTernSecure.ts
 var import_errors = require("@tern-secure/shared/errors");
 
-// src/tokens/sessionConfig.ts
-var getSessionConfig = (options) => {
-  const cookieConfig = options?.cookies?.session_cookie;
-  return {
-    COOKIE_NAME: cookieConfig?.name,
-    DEFAULT_EXPIRES_IN_MS: cookieConfig?.attributes?.maxAge,
-    DEFAULT_EXPIRES_IN_SECONDS: Math.floor((cookieConfig?.attributes?.maxAge || 0) / 1e3),
-    REVOKE_REFRESH_TOKENS_ON_SIGNOUT: cookieConfig?.revokeRefreshTokensOnSignOut
-  };
+// src/constants.ts
+var MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;
+var DEFAULT_CACHE_DURATION = 3600 * 1e3;
+var Attributes = {
+  AuthToken: "__ternsecureAuthToken",
+  AuthSignature: "__ternsecureAuthSignature",
+  AuthStatus: "__ternsecureAuthStatus",
+  AuthReason: "__ternsecureAuthReason",
+  AuthMessage: "__ternsecureAuthMessage",
+  TernSecureUrl: "__ternsecureUrl"
 };
-var getCookieOptions = (options) => {
-  const cookieConfig = options?.cookies?.session_cookie;
-  return {
-    httpOnly: cookieConfig?.attributes?.httpOnly,
-    secure: cookieConfig?.attributes?.secure,
-    sameSite: cookieConfig?.attributes?.sameSite,
-    path: cookieConfig?.attributes?.path
-  };
+var Cookies = {
+  Session: "__session",
+  CsrfToken: "__session_terncf",
+  IdToken: "FIREBASE_[DEFAULT]",
+  Refresh: "FIREBASEID_[DEFAULT]",
+  Custom: "__custom",
+  Handshake: "__ternsecure_handshake",
+  DevBrowser: "__ternsecure_db_jwt",
+  RedirectCount: "__ternsecure_redirect_count",
+  HandshakeNonce: "__ternsecure_handshake_nonce"
+};
+var Headers2 = {
+  Accept: "accept",
+  AuthMessage: "x-ternsecure-auth-message",
+  Authorization: "authorization",
+  AuthReason: "x-ternsecure-auth-reason",
+  AuthSignature: "x-ternsecure-auth-signature",
+  AuthStatus: "x-ternsecure-auth-status",
+  AuthToken: "x-ternsecure-auth-token",
+  CacheControl: "cache-control",
+  TernSecureRedirectTo: "x-ternsecure-redirect-to",
+  TernSecureRequestData: "x-ternsecure-request-data",
+  TernSecureUrl: "x-ternsecure-url",
+  CloudFrontForwardedProto: "cloudfront-forwarded-proto",
+  ContentType: "content-type",
+  ContentSecurityPolicy: "content-security-policy",
+  ContentSecurityPolicyReportOnly: "content-security-policy-report-only",
+  EnableDebug: "x-ternsecure-debug",
+  ForwardedHost: "x-forwarded-host",
+  ForwardedPort: "x-forwarded-port",
+  ForwardedProto: "x-forwarded-proto",
+  Host: "host",
+  Location: "location",
+  Nonce: "x-nonce",
+  Origin: "origin",
+  Referrer: "referer",
+  SecFetchDest: "sec-fetch-dest",
+  UserAgent: "user-agent",
+  ReportingEndpoints: "reporting-endpoints"
+};
+var ContentTypes = {
+  Json: "application/json"
+};
+var constants = {
+  Attributes,
+  Cookies,
+  Headers: Headers2,
+  ContentTypes
 };
 
 // src/utils/admin-init.ts
@@ -154,108 +196,128 @@ var COOKIE_OPTIONS = {
   sameSite: "strict",
   path: "/"
 };
+var DEFAULT_COOKIE_CONFIG = {
+  DEFAULT_EXPIRES_IN_MS: 5 * 60 * 1e3,
+  // 5 minutes
+  DEFAULT_EXPIRES_IN_SECONDS: 5 * 60,
+  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true
+};
+var DEFAULT_COOKIE_OPTIONS = {
+  httpOnly: true,
+  secure: process.env.NODE_ENV === "production",
+  sameSite: "strict",
+  path: "/"
+};
+var getCookieName = (baseName, prefix) => {
+  return prefix ? `${prefix}${baseName}` : baseName;
+};
+var createCookieOptions = (maxAge, overrides) => {
+  return {
+    maxAge,
+    httpOnly: overrides?.httpOnly ?? DEFAULT_COOKIE_OPTIONS.httpOnly,
+    secure: overrides?.secure ?? DEFAULT_COOKIE_OPTIONS.secure,
+    sameSite: overrides?.sameSite ?? DEFAULT_COOKIE_OPTIONS.sameSite,
+    path: overrides?.path ?? DEFAULT_COOKIE_OPTIONS.path
+  };
+};
+var getCookiePrefix = () => {
+  const isProduction = process.env.NODE_ENV === "production";
+  return isProduction ? "__HOST-" : "__dev_";
+};
 async function createSessionCookie(params, cookieStore, options) {
   try {
-    const tenantAuth = getAuthForTenant(options?.tenantId);
-    const sessionConfig = getSessionConfig(options);
-    const cookieOptions = getCookieOptions(options);
-    let decodedToken;
-    let sessionCookie;
+    const tenantAuth = getAuthForTenant(options?.tenantId || "");
     const idToken = typeof params === "string" ? params : params.idToken;
+    const refreshToken = typeof params === "string" ? void 0 : params.refreshToken;
     if (!idToken) {
-      const error = new Error("ID token is required for session creation");
-      console.error("[createSessionCookie] Missing ID token:", error);
       return {
         success: false,
         message: "ID token is required",
-        error: "INVALID_TOKEN",
-        cookieSet: false
+        error: "INVALID_TOKEN"
       };
     }
+    let decodedToken;
     try {
-      console.log("Verifying ID token for tenant:", options?.tenantId);
       decodedToken = await tenantAuth.verifyIdToken(idToken);
     } catch (verifyError) {
-      console.error(
-        "[createSessionCookie] ID token verification failed:",
-        verifyError
-      );
       const authError = (0, import_errors.handleFirebaseAuthError)(verifyError);
       return {
         success: false,
         message: authError.message,
-        error: authError.code,
-        cookieSet: false
+        error: authError.code
       };
     }
-    if (!decodedToken) {
-      const error = new Error("Invalid ID token - verification returned null");
-      console.error(
-        "[createSessionCookie] Token verification returned null:",
-        error
-      );
-      return {
-        success: false,
-        message: "Invalid ID token",
-        error: "INVALID_TOKEN",
-        cookieSet: false
-      };
-    }
-    try {
-      sessionCookie = await tenantAuth.createSessionCookie(idToken, {
-        expiresIn: SESSION_CONSTANTS.DEFAULT_EXPIRES_IN_MS
-      });
-    } catch (sessionError) {
-      console.error(
-        "[createSessionCookie] Firebase session cookie creation failed:",
-        sessionError
+    const cookiePromises = [];
+    const cookiePrefix = getCookiePrefix();
+    const idTokenCookieName = getCookieName(constants.Cookies.IdToken, cookiePrefix);
+    cookiePromises.push(
+      cookieStore.set(
+        idTokenCookieName,
+        idToken,
+        createCookieOptions(DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS)
+      )
+    );
+    if (refreshToken) {
+      const refreshTokenCookieName = getCookieName(constants.Cookies.Refresh, cookiePrefix);
+      cookiePromises.push(
+        cookieStore.set(
+          refreshTokenCookieName,
+          refreshToken,
+          createCookieOptions(DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS)
+        )
       );
-      const authError = (0, import_errors.handleFirebaseAuthError)(sessionError);
-      return {
-        success: false,
-        message: authError.message,
-        error: authError.code,
-        cookieSet: false
-      };
     }
-    let cookieSetSuccessfully = false;
-    try {
-      cookieStore.set(SESSION_CONSTANTS.COOKIE_NAME, sessionCookie, {
-        maxAge: SESSION_CONSTANTS.DEFAULT_EXPIRES_IN_SECONDS,
-        ...COOKIE_OPTIONS
-      });
-      const verifySetCookie = await cookieStore.get(
-        SESSION_CONSTANTS.COOKIE_NAME
-      );
-      cookieSetSuccessfully = !!verifySetCookie?.value;
-      if (!cookieSetSuccessfully) {
-        const error = new Error("Session cookie was not set successfully");
+    if (options?.cookies?.session) {
+      const sessionOptions = options.cookies.session;
+      const sessionCookieName = getCookieName(constants.Cookies.Session);
+      const expiresIn = sessionOptions.maxAge ? sessionOptions.maxAge * 1e3 : DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_MS;
+      try {
+        const sessionCookie = await tenantAuth.createSessionCookie(idToken, { expiresIn });
+        cookiePromises.push(
+          cookieStore.set(
+            sessionCookieName,
+            sessionCookie,
+            createCookieOptions(
+              sessionOptions.maxAge || DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS,
+              {
+                httpOnly: sessionOptions.httpOnly,
+                sameSite: sessionOptions.sameSite,
+                path: sessionOptions.path
+              }
+            )
+          )
+        );
+      } catch (sessionError) {
         console.error(
-          "[createSessionCookie] Cookie verification failed:",
-          error
+          "[createSessionCookie] Firebase session cookie creation failed:",
+          sessionError
         );
-        throw error;
+        const authError = (0, import_errors.handleFirebaseAuthError)(sessionError);
+        return {
+          success: false,
+          message: authError.message,
+          error: authError.code
+        };
       }
-    } catch (cookieError) {
-      console.error(
-        "[createSessionCookie] Failed to set session cookie:",
-        cookieError
-      );
-      return {
-        success: false,
-        message: "Failed to set session cookie",
-        error: "COOKIE_SET_FAILED",
-        cookieSet: false
-      };
     }
-    console.log(
-      `[createSessionCookie] Session cookie created successfully for user: ${decodedToken.uid}`
-    );
+    if (options?.enableCustomToken && decodedToken?.uid) {
+      const customTokenCookieName = getCookieName(constants.Cookies.Custom, cookiePrefix);
+      const customToken = await createCustomToken(decodedToken.uid, options);
+      if (customToken) {
+        cookiePromises.push(
+          cookieStore.set(
+            customTokenCookieName,
+            customToken,
+            createCookieOptions(DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS)
+          )
+        );
+      }
+    }
+    await Promise.all(cookiePromises);
     return {
       success: true,
       message: "Session created successfully",
-      expiresIn: SESSION_CONSTANTS.DEFAULT_EXPIRES_IN_SECONDS,
-      cookieSet: cookieSetSuccessfully
+      expiresIn: DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS
     };
   } catch (error) {
     console.error("[createSessionCookie] Unexpected error:", error);
@@ -263,51 +325,69 @@ async function createSessionCookie(params, cookieStore, options) {
     return {
       success: false,
       message: authError.message || "Failed to create session",
-      error: authError.code || "INTERNAL_ERROR",
-      cookieSet: false
+      error: authError.code || "INTERNAL_ERROR"
     };
   }
 }
 async function clearSessionCookie(cookieStore, options) {
   try {
-    const adminAuth = getAuthForTenant(options?.tenantId);
-    const sessionCookie = await cookieStore.get(SESSION_CONSTANTS.COOKIE_NAME);
-    await cookieStore.delete(SESSION_CONSTANTS.COOKIE_NAME);
-    await cookieStore.delete("_session_token");
-    await cookieStore.delete("_session");
-    if (SESSION_CONSTANTS.REVOKE_REFRESH_TOKENS_ON_SIGNOUT && sessionCookie?.value) {
+    const adminAuth = getAuthForTenant(options?.tenantId || "");
+    const cookiePrefix = getCookiePrefix();
+    const sessionCookieName = getCookieName(constants.Cookies.Session, cookiePrefix);
+    const sessionCookie = await cookieStore.get(sessionCookieName);
+    const deletionPromises = [];
+    if (options?.cookies?.session) {
+      deletionPromises.push(cookieStore.delete(sessionCookieName));
+    }
+    const idTokenCookieName = getCookieName(constants.Cookies.IdToken, cookiePrefix);
+    deletionPromises.push(cookieStore.delete(idTokenCookieName));
+    const refreshTokenCookieName = getCookieName(constants.Cookies.Refresh, cookiePrefix);
+    deletionPromises.push(cookieStore.delete(refreshTokenCookieName));
+    const customTokenCookieName = getCookieName(constants.Cookies.Custom, cookiePrefix);
+    deletionPromises.push(cookieStore.delete(customTokenCookieName));
+    deletionPromises.push(cookieStore.delete(constants.Cookies.Session));
+    await Promise.all(deletionPromises);
+    if (DEFAULT_COOKIE_CONFIG.REVOKE_REFRESH_TOKENS_ON_SIGNOUT && sessionCookie?.value) {
       try {
-        const decodedClaims = await adminAuth.verifySessionCookie(
-          sessionCookie.value
-        );
+        const decodedClaims = await adminAuth.verifySessionCookie(sessionCookie.value);
         await adminAuth.revokeRefreshTokens(decodedClaims.sub);
-        console.log(
-          `[clearSessionCookie] Successfully revoked tokens for user: ${decodedClaims.sub}`
-        );
       } catch (revokeError) {
-        console.error(
-          "[clearSessionCookie] Failed to revoke refresh tokens:",
-          revokeError
-        );
+        console.error("[clearSessionCookie] Failed to revoke refresh tokens:", revokeError);
       }
     }
-    console.log("[clearSessionCookie] Session cookies cleared successfully");
     return {
       success: true,
-      message: "Session cleared successfully",
-      cookieSet: false
+      message: "Session cleared successfully"
     };
   } catch (error) {
-    console.error("[clearSessionCookie] Unexpected error:", error);
     const authError = (0, import_errors.handleFirebaseAuthError)(error);
     return {
       success: false,
       message: authError.message || "Failed to clear session",
-      error: authError.code || "INTERNAL_ERROR",
-      cookieSet: false
+      error: authError.code || "INTERNAL_ERROR"
     };
   }
 }
+async function createCustomToken(uid, options) {
+  const adminAuth = getAuthForTenant(options?.tenantId || "");
+  try {
+    const customToken = await adminAuth.createCustomToken(uid);
+    return customToken;
+  } catch (error) {
+    console.error("[createCustomToken] Error creating custom token:", error);
+    return null;
+  }
+}
+async function createCustomTokenClaims(uid, developerClaims) {
+  const adminAuth = getAuthForTenant();
+  try {
+    const customToken = await adminAuth.createCustomToken(uid, developerClaims);
+    return customToken;
+  } catch (error) {
+    console.error("[createCustomToken] Error creating custom token:", error);
+    return "";
+  }
+}
 
 // src/admin/tenant.ts
 async function createTenant(displayName, emailSignInConfig, multiFactorConfig) {
@@ -352,7 +432,7 @@ async function createTenantUser(email, password, tenantId) {
 var import_errors2 = require("@tern-secure/shared/errors");
 var import_headers = require("next/headers");
 var SESSION_CONSTANTS2 = {
-  COOKIE_NAME: "_session_cookie",
+  COOKIE_NAME: constants.Cookies.Session,
   DEFAULT_EXPIRES_IN_MS: 60 * 60 * 24 * 5 * 1e3,
   // 5 days
   DEFAULT_EXPIRES_IN_SECONDS: 60 * 60 * 24 * 5,
@@ -365,7 +445,7 @@ async function CreateNextSessionCookie(idToken) {
       expiresIn
     });
     const cookieStore = await (0, import_headers.cookies)();
-    cookieStore.set("_session_cookie", sessionCookie, {
+    cookieStore.set(constants.Cookies.Session, sessionCookie, {
       maxAge: expiresIn,
       httpOnly: true,
       secure: process.env.NODE_ENV === "production",
@@ -491,8 +571,7 @@ async function ClearNextSessionCookie(tenantId) {
     const cookieStore = await (0, import_headers.cookies)();
     const sessionCookie = cookieStore.get(SESSION_CONSTANTS2.COOKIE_NAME);
     cookieStore.delete(SESSION_CONSTANTS2.COOKIE_NAME);
-    cookieStore.delete("_session_token");
-    cookieStore.delete("_session");
+    cookieStore.delete(constants.Cookies.IdToken);
     if (SESSION_CONSTANTS2.REVOKE_REFRESH_TOKENS_ON_SIGNOUT && sessionCookie?.value) {
       try {
         const decodedClaims = await tenantAuth.verifySessionCookie(
@@ -519,68 +598,6 @@ async function ClearNextSessionCookie(tenantId) {
 // src/tokens/ternSecureRequest.ts
 var import_cookie = require("cookie");
 
-// src/constants.ts
-var MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;
-var DEFAULT_CACHE_DURATION = 3600 * 1e3;
-var Attributes = {
-  AuthToken: "__ternsecureAuthToken",
-  AuthSignature: "__ternsecureAuthSignature",
-  AuthStatus: "__ternsecureAuthStatus",
-  AuthReason: "__ternsecureAuthReason",
-  AuthMessage: "__ternsecureAuthMessage",
-  TernSecureUrl: "__ternsecureUrl"
-};
-var Cookies = {
-  Session: "__session",
-  IdToken: "_tern",
-  CsrfToken: "_session_terncf",
-  SessionCookie: "_session_cookie",
-  SessionToken: "_session_token",
-  Refresh: "__refresh",
-  Handshake: "__ternsecure_handshake",
-  DevBrowser: "__ternsecure_db_jwt",
-  RedirectCount: "__ternsecure_redirect_count",
-  HandshakeNonce: "__ternsecure_handshake_nonce"
-};
-var Headers2 = {
-  Accept: "accept",
-  AuthMessage: "x-ternsecure-auth-message",
-  Authorization: "authorization",
-  AuthReason: "x-ternsecure-auth-reason",
-  AuthSignature: "x-ternsecure-auth-signature",
-  AuthStatus: "x-ternsecure-auth-status",
-  AuthToken: "x-ternsecure-auth-token",
-  CacheControl: "cache-control",
-  TernSecureRedirectTo: "x-ternsecure-redirect-to",
-  TernSecureRequestData: "x-ternsecure-request-data",
-  TernSecureUrl: "x-ternsecure-url",
-  CloudFrontForwardedProto: "cloudfront-forwarded-proto",
-  ContentType: "content-type",
-  ContentSecurityPolicy: "content-security-policy",
-  ContentSecurityPolicyReportOnly: "content-security-policy-report-only",
-  EnableDebug: "x-ternsecure-debug",
-  ForwardedHost: "x-forwarded-host",
-  ForwardedPort: "x-forwarded-port",
-  ForwardedProto: "x-forwarded-proto",
-  Host: "host",
-  Location: "location",
-  Nonce: "x-nonce",
-  Origin: "origin",
-  Referrer: "referer",
-  SecFetchDest: "sec-fetch-dest",
-  UserAgent: "user-agent",
-  ReportingEndpoints: "reporting-endpoints"
-};
-var ContentTypes = {
-  Json: "application/json"
-};
-var constants = {
-  Attributes,
-  Cookies,
-  Headers: Headers2,
-  ContentTypes
-};
-
 // src/tokens/ternUrl.ts
 var TernUrl = class extends URL {
   isCrossOrigin(other) {
@@ -697,6 +714,7 @@ function signedIn(session, headers = new Headers(), token) {
   authenticateRequest,
   clearSessionCookie,
   createBackendInstance,
+  createCustomTokenClaims,
   createSessionCookie,
   createTenant,
   createTenantUser,