@tern-secure/backend 1.2.0-canary.v20250919134427 → 1.2.0-canary.v20251002175916

package/dist/index.mjs

@@ -1,18 +1,13 @@
 import {
-  CACHE_CONTROL_REGEX,
-  DEFAULT_CACHE_DURATION,
-  MAX_CACHE_LAST_UPDATED_AT_SECONDS,
-  SESSION_COOKIE_PUBLIC_KEYS_URL,
+  verifyToken
+} from "./chunk-YKIA5EBF.mjs";
+import {
   constants,
-  createTernSecureRequest,
-  getSessionConfig
-} from "./chunk-ZIO4EKS5.mjs";
+  createTernSecureRequest
+} from "./chunk-4SGWLAJG.mjs";
 import {
   TokenVerificationError,
-  TokenVerificationErrorReason,
-  mapJwtPayloadToDecodedIdToken,
-  ternDecodeJwt,
-  verifyJwt
+  mapJwtPayloadToDecodedIdToken
 } from "./chunk-WZYVAHZ3.mjs";
 
 // src/tokens/authstate.ts
@@ -85,10 +80,11 @@ function signedIn(sessionClaims, headers = new Headers(), token) {
     headers
   };
 }
-function signedOut(reason, headers = new Headers()) {
+function signedOut(reason, message = "", headers = new Headers()) {
   return decorateHeaders({
     status: AuthStatus.SignedOut,
     reason,
+    message,
     isSignedIn: false,
     auth: () => signedOutAuthObject(),
     token: null,
@@ -113,19 +109,139 @@ var decorateHeaders = (requestState) => {
   return requestState;
 };
 
-// src/api/endpoints/SessionApi.ts
-var rootPath = "/sessions";
-var SessionApi = class {
+// src/fireRestApi/endpoints/AbstractApi.ts
+var AbstractAPI = class {
   constructor(request) {
     this.request = request;
   }
-  async createSession(params) {
+  requireApiKey(apiKey) {
+    if (!apiKey) {
+      throw new Error("A valid API key is required.");
+    }
+  }
+};
+
+// src/fireRestApi/endpoints/EmailApi.ts
+var EmailApi = class extends AbstractAPI {
+  async verifyEmailVerification(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
     return this.request({
+      endpoint: "sendOobCode",
       method: "POST",
-      path: rootPath,
-      bodyParams: params
+      bodyParams: restParams
     });
   }
+  async confirmEmailVerification(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    return this.request({
+      endpoint: "sendOobCode",
+      method: "POST",
+      bodyParams: restParams
+    });
+  }
+};
+
+// src/fireRestApi/endpoints/PasswordApi.ts
+var PasswordApi = class extends AbstractAPI {
+  async verifyPasswordResetCode(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    return this.request({
+      endpoint: "passwordReset",
+      method: "POST",
+      bodyParams: restParams
+    });
+  }
+  async confirmPasswordReset(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    return this.request({
+      endpoint: "passwordReset",
+      method: "POST",
+      bodyParams: restParams
+    });
+  }
+  async changePassword(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    return this.request({
+      endpoint: "passwordReset",
+      method: "POST",
+      bodyParams: restParams
+    });
+  }
+};
+
+// src/fireRestApi/endpoints/SignInTokenApi.ts
+var SignInTokenApi = class extends AbstractAPI {
+  async createCustomToken(apiKey, params) {
+    try {
+      this.requireApiKey(apiKey);
+      const { ...restParams } = params;
+      const response = await this.request({
+        endpoint: "signInWithCustomToken",
+        method: "POST",
+        bodyParams: restParams
+      });
+      if (response.errors) {
+        const errorMessage = response.errors[0]?.message || "Failed to create custom token";
+        throw new Error(errorMessage);
+      }
+      return response.data;
+    } catch (error) {
+      const contextualMessage = `Failed to create custom token: ${error instanceof Error ? error.message : "Unknown error"}`;
+      throw new Error(contextualMessage);
+    }
+  }
+};
+
+// src/fireRestApi/endpoints/SignUpApi.ts
+var SignUpApi = class extends AbstractAPI {
+  async createCustomToken(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    return this.request({
+      endpoint: "signUp",
+      method: "POST",
+      bodyParams: restParams
+    });
+  }
+};
+
+// src/fireRestApi/endpoints/TokenApi.ts
+var TokenApi = class extends AbstractAPI {
+  async refreshToken(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    return this.request({
+      endpoint: "refreshToken",
+      method: "POST",
+      bodyParams: restParams
+    });
+  }
+  async exchangeCustomForIdAndRefreshTokens(apiKey, params) {
+    try {
+      this.requireApiKey(apiKey);
+      const { ...restParams } = params;
+      const response = await this.request({
+        endpoint: "signInWithCustomToken",
+        method: "POST",
+        apiKey,
+        bodyParams: restParams
+      });
+      if (response.errors) {
+        const errorMessage = response.errors[0]?.message || "Failed to create custom token";
+        console.error("Error response from exchangeCustomForIdAndRefreshTokens:", response.errors);
+        throw new Error(errorMessage);
+      }
+      return response.data;
+    } catch (error) {
+      const contextualMessage = `Failed to create custom token: ${error instanceof Error ? error.message : "Unknown error"}`;
+      throw new Error(contextualMessage);
+    }
+  }
 };
 
 // src/runtime.ts
@@ -144,20 +260,69 @@ var runtime = {
   Response: globalThis.Response
 };
 
-// src/utils/path.ts
-var SEPARATOR = "/";
-var MULTIPLE_SEPARATOR_REGEX = new RegExp("(?<!:)" + SEPARATOR + "{1,}", "g");
-function joinPaths(...args) {
-  return args.filter((p) => p).join(SEPARATOR).replace(MULTIPLE_SEPARATOR_REGEX, SEPARATOR);
+// src/fireRestApi/emulator.ts
+var FIREBASE_AUTH_EMULATOR_HOST = process.env.FIREBASE_AUTH_EMULATOR_HOST;
+function emulatorHost() {
+  if (typeof process === "undefined") return void 0;
+  return FIREBASE_AUTH_EMULATOR_HOST;
+}
+function useEmulator() {
+  return !!emulatorHost();
 }
 
-// src/api/request.ts
+// src/fireRestApi/endpointUrl.ts
+var getRefreshTokenEndpoint = (apiKey) => {
+  return `https://securetoken.googleapis.com/v1/token?key=${apiKey}`;
+};
+var signInWithPassword = (apiKey) => {
+  return `https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=${apiKey}`;
+};
+var signUpEndpoint = (apiKey) => {
+  return `https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=${apiKey}`;
+};
+var getCustomTokenEndpoint = (apiKey) => {
+  if (useEmulator() && FIREBASE_AUTH_EMULATOR_HOST) {
+    let protocol = "http://";
+    if (FIREBASE_AUTH_EMULATOR_HOST.startsWith("http://")) {
+      protocol = "";
+    }
+    return `${protocol}${FIREBASE_AUTH_EMULATOR_HOST}/identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=${apiKey}`;
+  }
+  return `https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=${apiKey}`;
+};
+var passwordResetEndpoint = (apiKey) => {
+  return `https://identitytoolkit.googleapis.com/v1/accounts:resetPassword?key=${apiKey}`;
+};
+
+// src/fireRestApi/request.ts
+var FIREBASE_ENDPOINT_MAP = {
+  refreshToken: getRefreshTokenEndpoint,
+  signInWithPassword,
+  signUp: signUpEndpoint,
+  signInWithCustomToken: getCustomTokenEndpoint,
+  passwordReset: passwordResetEndpoint,
+  sendOobCode: signInWithPassword
+};
 function createRequest(options) {
   const requestFn = async (requestOptions) => {
-    const { apiUrl, apiVersion } = options;
-    const { path, method, queryParams, headerParams, bodyParams, formData } = requestOptions;
-    const url = joinPaths(apiUrl, apiVersion, path);
-    const finalUrl = new URL(url);
+    const { endpoint, method, apiKey, queryParams, headerParams, bodyParams, formData } = requestOptions;
+    if (!apiKey) {
+      return {
+        data: null,
+        errors: [
+          {
+            code: "missing_api_key",
+            message: "Firebase API key is required"
+          }
+        ]
+      };
+    }
+    const endpointUrl = FIREBASE_ENDPOINT_MAP[endpoint](apiKey);
+    const finalUrl = new URL(endpointUrl);
+    console.log("endpoint url:", endpointUrl);
+    console.log("Final URL href:", finalUrl.href);
+    console.log("Final URL:", finalUrl);
+    console.log("Method:", method);
     if (queryParams) {
       Object.entries(queryParams).forEach(([key, value]) => {
         if (value) {
@@ -236,16 +401,24 @@ function parseError(error) {
   };
 }
 
-// src/api/createBackendApi.ts
-function createBackendApi(options) {
+// src/fireRestApi/createFireApi.ts
+function createFireApi(options) {
   const request = createRequest(options);
   return {
-    sessions: new SessionApi(request)
+    email: new EmailApi(request),
+    password: new PasswordApi(request),
+    signIn: new SignInTokenApi(request),
+    signUp: new SignUpApi(request),
+    tokens: new TokenApi(request)
   };
 }
 
+// src/tokens/request.ts
+import { getCookieName, getCookiePrefix } from "@tern-secure/shared/cookie";
+
 // src/utils/options.ts
 var defaultOptions = {
+  apiKey: void 0,
   apiUrl: void 0,
   apiVersion: void 0
 };
@@ -256,134 +429,8 @@ function mergePreDefinedOptions(userOptions = {}) {
   };
 }
 
-// src/tokens/keys.ts
-var cache = {};
-var lastUpdatedAt = 0;
-var googleExpiresAt = 0;
-function getFromCache(kid) {
-  return cache[kid];
-}
-function getCacheValues() {
-  return Object.values(cache);
-}
-function setInCache(kid, certificate, shouldExpire = true) {
-  cache[kid] = certificate;
-  lastUpdatedAt = shouldExpire ? Date.now() : -1;
-}
-async function fetchPublicKeys(keyUrl) {
-  const url = new URL(keyUrl);
-  const response = await fetch(url);
-  if (!response.ok) {
-    throw new TokenVerificationError({
-      message: `Error loading public keys from ${url.href} with code=${response.status} `,
-      reason: TokenVerificationErrorReason.TokenInvalid
-    });
-  }
-  const data = await response.json();
-  const expiresAt = getExpiresAt(response);
-  return {
-    keys: data,
-    expiresAt
-  };
-}
-async function loadJWKFromRemote({
-  keyURL = SESSION_COOKIE_PUBLIC_KEYS_URL,
-  skipJwksCache,
-  kid
-}) {
-  if (skipJwksCache || isCacheExpired() || !getFromCache(kid)) {
-    const { keys, expiresAt } = await fetchPublicKeys(keyURL);
-    if (!keys || Object.keys(keys).length === 0) {
-      throw new TokenVerificationError({
-        message: `The JWKS endpoint ${keyURL} returned no keys`,
-        reason: TokenVerificationErrorReason.RemoteJWKFailedToLoad
-      });
-    }
-    googleExpiresAt = expiresAt;
-    Object.entries(keys).forEach(([keyId, cert2]) => {
-      setInCache(keyId, cert2);
-    });
-  }
-  const cert = getFromCache(kid);
-  if (!cert) {
-    getCacheValues();
-    const availableKids = Object.keys(cache).sort().join(", ");
-    throw new TokenVerificationError({
-      message: `No public key found for kid "${kid}". Available kids: [${availableKids}]`,
-      reason: TokenVerificationErrorReason.TokenInvalid
-    });
-  }
-  return cert;
-}
-function isCacheExpired() {
-  const now = Date.now();
-  if (lastUpdatedAt === -1) {
-    return false;
-  }
-  const cacheAge = now - lastUpdatedAt;
-  const maxCacheAge = MAX_CACHE_LAST_UPDATED_AT_SECONDS * 1e3;
-  const localCacheExpired = cacheAge >= maxCacheAge;
-  const googleCacheExpired = now >= googleExpiresAt;
-  const isExpired = localCacheExpired || googleCacheExpired;
-  if (isExpired) {
-    cache = {};
-  }
-  return isExpired;
-}
-function getExpiresAt(res) {
-  const cacheControlHeader = res.headers.get("cache-control");
-  if (!cacheControlHeader) {
-    return Date.now() + DEFAULT_CACHE_DURATION;
-  }
-  const maxAgeMatch = cacheControlHeader.match(CACHE_CONTROL_REGEX);
-  const maxAge = maxAgeMatch ? parseInt(maxAgeMatch[1], 10) : DEFAULT_CACHE_DURATION / 1e3;
-  return Date.now() + maxAge * 1e3;
-}
-
-// src/tokens/verify.ts
-async function verifyToken(token, options) {
-  const { data: decodedResult, errors } = ternDecodeJwt(token);
-  if (errors) {
-    return { errors };
-  }
-  const { header } = decodedResult;
-  const { kid } = header;
-  if (!kid) {
-    return {
-      errors: [
-        new TokenVerificationError({
-          reason: TokenVerificationErrorReason.TokenInvalid,
-          message: 'JWT "kid" header is missing.'
-        })
-      ]
-    };
-  }
-  try {
-    const key = options.jwtKey || await loadJWKFromRemote({ ...options, kid });
-    if (!key) {
-      return {
-        errors: [
-          new TokenVerificationError({
-            reason: TokenVerificationErrorReason.TokenInvalid,
-            message: `No public key found for kid "${kid}".`
-          })
-        ]
-      };
-    }
-    return await verifyJwt(token, { ...options, key });
-  } catch (error) {
-    if (error instanceof TokenVerificationError) {
-      return { errors: [error] };
-    }
-    return {
-      errors: [error]
-    };
-  }
-}
-
 // src/tokens/request.ts
 var BEARER_PREFIX = "Bearer ";
-var AUTH_COOKIE_NAME = "_session_cookie";
 function extractTokenFromHeader(request) {
   const authHeader = request.headers.get("Authorization");
   if (!authHeader || !authHeader.startsWith(BEARER_PREFIX)) {
@@ -391,12 +438,16 @@ function extractTokenFromHeader(request) {
   }
   return authHeader.slice(BEARER_PREFIX.length);
 }
-function extractTokenFromCookie(request, opts) {
+function extractTokenFromCookie(request) {
   const cookieHeader = request.headers.get("Cookie") || void 0;
-  const sessionName = getSessionConfig(opts).COOKIE_NAME;
   if (!cookieHeader) {
     return null;
   }
+  const cookiePrefix = getCookiePrefix();
+  const idTokenCookieName = getCookieName(
+    constants.Cookies.IdToken,
+    cookiePrefix
+  );
   const cookies = cookieHeader.split(";").reduce(
     (acc, cookie) => {
       const [name, value] = cookie.trim().split("=");
@@ -405,35 +456,63 @@ function extractTokenFromCookie(request, opts) {
     },
     {}
   );
-  return cookies[AUTH_COOKIE_NAME] || null;
+  return idTokenCookieName || null;
 }
 function hasAuthorizationHeader(request) {
   return request.headers.has("Authorization");
 }
 async function authenticateRequest(request, options) {
+  async function refreshToken() {
+    try {
+      const response = await options.apiClient?.tokens.refreshToken(options.firebaseConfig?.apiKey || "", {
+        format: "cookie",
+        refresh_token: "",
+        expired_token: "",
+        request_origin: options.apiUrl || ""
+      });
+    } catch (error) {
+      console.error("Error refreshing token:", error);
+    }
+  }
   async function authenticateRequestWithTokenInCookie() {
-    const token = extractTokenFromCookie(request, options);
+    const token = extractTokenFromCookie(request);
     if (!token) {
       return signedOut(AuthErrorReason.SessionTokenMissing);
     }
-    const { data, errors } = await verifyToken(token, options);
-    if (errors) {
-      throw errors[0];
+    try {
+      const { data, errors } = await verifyToken(token, options);
+      if (errors) {
+        throw errors[0];
+      }
+      const signedInRequestState = signedIn(data, void 0, token);
+      return signedInRequestState;
+    } catch (err) {
+      return handleError(err, "cookie");
     }
-    const signedInRequestState = signedIn(data, void 0, token);
-    return signedInRequestState;
   }
   async function authenticateRequestWithTokenInHeader() {
     const token = extractTokenFromHeader(request);
     if (!token) {
-      return signedOut(AuthErrorReason.SessionTokenMissing);
+      return signedOut(AuthErrorReason.SessionTokenMissing, "");
     }
-    const { data, errors } = await verifyToken(token, options);
-    if (errors) {
-      throw errors[0];
+    try {
+      const { data, errors } = await verifyToken(token, options);
+      if (errors) {
+        throw errors[0];
+      }
+      const signedInRequestState = signedIn(data, void 0, token);
+      return signedInRequestState;
+    } catch (err) {
+      return handleError(err, "header");
     }
-    const signedInRequestState = signedIn(data, void 0, token);
-    return signedInRequestState;
+  }
+  async function handleError(err, tokenCarrier) {
+    if (!(err instanceof TokenVerificationError)) {
+      return signedOut(AuthErrorReason.UnexpectedError);
+    }
+    let refreshError;
+    err.tokenCarrier = tokenCarrier;
+    return signedOut(err.reason, err.getFullMessage());
   }
   if (hasAuthorizationHeader(request)) {
     return authenticateRequestWithTokenInHeader();
@@ -455,7 +534,7 @@ function createAuthenticateRequest(params) {
 // src/instance/backendInstanceEdge.ts
 function createBackendInstanceClient(options) {
   const opts = { ...options };
-  const apiClient = createBackendApi(opts);
+  const apiClient = createFireApi(opts);
   const requestState = createAuthenticateRequest({ options: opts, apiClient });
   return {
     ...apiClient,
@@ -479,7 +558,7 @@ function mergePreDefinedOptions2(preDefinedOptions, options) {
   );
 }
 var BEARER_PREFIX2 = "Bearer ";
-var AUTH_COOKIE_NAME2 = "_session_cookie";
+var AUTH_COOKIE_NAME = "_session_cookie";
 function extractTokenFromHeader2(request) {
   const authHeader = request.headers.get("Authorization");
   if (!authHeader || !authHeader.startsWith(BEARER_PREFIX2)) {
@@ -487,9 +566,8 @@ function extractTokenFromHeader2(request) {
   }
   return authHeader.slice(BEARER_PREFIX2.length);
 }
-function extractTokenFromCookie2(request, opts) {
+function extractTokenFromCookie2(request) {
   const cookieHeader = request.headers.get("Cookie") || void 0;
-  const sessionName = getSessionConfig(opts).COOKIE_NAME;
   if (!cookieHeader) {
     return null;
   }
@@ -501,14 +579,14 @@ function extractTokenFromCookie2(request, opts) {
     },
     {}
   );
-  return cookies[AUTH_COOKIE_NAME2] || null;
+  return cookies[AUTH_COOKIE_NAME] || null;
 }
 function hasAuthorizationHeader2(request) {
   return request.headers.has("Authorization");
 }
 async function authenticateRequest2(request, options) {
   async function authenticateRequestWithTokenInCookie() {
-    const token = extractTokenFromCookie2(request, options);
+    const token = extractTokenFromCookie2(request);
     if (!token) {
       return signedOut(AuthErrorReason.SessionTokenMissing);
     }
@@ -550,7 +628,7 @@ function createFireAuthenticateRequest(params) {
 // src/instance/backendFireInstance.ts
 function createFireClient(options) {
   const opts = { ...options };
-  const apiClient = createBackendApi(opts);
+  const apiClient = createFireApi(opts);
   const requestState = createFireAuthenticateRequest({ options: opts });
   return {
     ...apiClient,