@tern-secure/backend 1.2.0-canary.v20250919134427 → 1.2.0-canary.v20251002175916

package/dist/index.js

@@ -40,7 +40,7 @@ __export(index_exports, {
 module.exports = __toCommonJS(index_exports);
 
 // src/constants.ts
-var SESSION_COOKIE_PUBLIC_KEYS_URL = "https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys";
+var GOOGLE_PUBLIC_KEYS_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
 var MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;
 var DEFAULT_CACHE_DURATION = 3600 * 1e3;
 var CACHE_CONTROL_REGEX = /max-age=(\d+)/;
@@ -54,11 +54,10 @@ var Attributes = {
 };
 var Cookies = {
   Session: "__session",
-  IdToken: "_tern",
-  CsrfToken: "_session_terncf",
-  SessionCookie: "_session_cookie",
-  SessionToken: "_session_token",
-  Refresh: "__refresh",
+  CsrfToken: "__session_terncf",
+  IdToken: "FIREBASE_[DEFAULT]",
+  Refresh: "FIREBASEID_[DEFAULT]",
+  Custom: "__custom",
   Handshake: "__ternsecure_handshake",
   DevBrowser: "__ternsecure_db_jwt",
   RedirectCount: "__ternsecure_redirect_count",
@@ -243,10 +242,11 @@ function signedIn(sessionClaims, headers = new Headers(), token) {
     headers
   };
 }
-function signedOut(reason, headers = new Headers()) {
+function signedOut(reason, message = "", headers = new Headers()) {
   return decorateHeaders({
     status: AuthStatus.SignedOut,
     reason,
+    message,
     isSignedIn: false,
     auth: () => signedOutAuthObject(),
     token: null,
@@ -271,19 +271,139 @@ var decorateHeaders = (requestState) => {
   return requestState;
 };
 
-// src/api/endpoints/SessionApi.ts
-var rootPath = "/sessions";
-var SessionApi = class {
+// src/fireRestApi/endpoints/AbstractApi.ts
+var AbstractAPI = class {
   constructor(request) {
     this.request = request;
   }
-  async createSession(params) {
+  requireApiKey(apiKey) {
+    if (!apiKey) {
+      throw new Error("A valid API key is required.");
+    }
+  }
+};
+
+// src/fireRestApi/endpoints/EmailApi.ts
+var EmailApi = class extends AbstractAPI {
+  async verifyEmailVerification(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    return this.request({
+      endpoint: "sendOobCode",
+      method: "POST",
+      bodyParams: restParams
+    });
+  }
+  async confirmEmailVerification(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    return this.request({
+      endpoint: "sendOobCode",
+      method: "POST",
+      bodyParams: restParams
+    });
+  }
+};
+
+// src/fireRestApi/endpoints/PasswordApi.ts
+var PasswordApi = class extends AbstractAPI {
+  async verifyPasswordResetCode(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    return this.request({
+      endpoint: "passwordReset",
+      method: "POST",
+      bodyParams: restParams
+    });
+  }
+  async confirmPasswordReset(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    return this.request({
+      endpoint: "passwordReset",
+      method: "POST",
+      bodyParams: restParams
+    });
+  }
+  async changePassword(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    return this.request({
+      endpoint: "passwordReset",
+      method: "POST",
+      bodyParams: restParams
+    });
+  }
+};
+
+// src/fireRestApi/endpoints/SignInTokenApi.ts
+var SignInTokenApi = class extends AbstractAPI {
+  async createCustomToken(apiKey, params) {
+    try {
+      this.requireApiKey(apiKey);
+      const { ...restParams } = params;
+      const response = await this.request({
+        endpoint: "signInWithCustomToken",
+        method: "POST",
+        bodyParams: restParams
+      });
+      if (response.errors) {
+        const errorMessage = response.errors[0]?.message || "Failed to create custom token";
+        throw new Error(errorMessage);
+      }
+      return response.data;
+    } catch (error) {
+      const contextualMessage = `Failed to create custom token: ${error instanceof Error ? error.message : "Unknown error"}`;
+      throw new Error(contextualMessage);
+    }
+  }
+};
+
+// src/fireRestApi/endpoints/SignUpApi.ts
+var SignUpApi = class extends AbstractAPI {
+  async createCustomToken(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    return this.request({
+      endpoint: "signUp",
+      method: "POST",
+      bodyParams: restParams
+    });
+  }
+};
+
+// src/fireRestApi/endpoints/TokenApi.ts
+var TokenApi = class extends AbstractAPI {
+  async refreshToken(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
     return this.request({
+      endpoint: "refreshToken",
       method: "POST",
-      path: rootPath,
-      bodyParams: params
+      bodyParams: restParams
     });
   }
+  async exchangeCustomForIdAndRefreshTokens(apiKey, params) {
+    try {
+      this.requireApiKey(apiKey);
+      const { ...restParams } = params;
+      const response = await this.request({
+        endpoint: "signInWithCustomToken",
+        method: "POST",
+        apiKey,
+        bodyParams: restParams
+      });
+      if (response.errors) {
+        const errorMessage = response.errors[0]?.message || "Failed to create custom token";
+        console.error("Error response from exchangeCustomForIdAndRefreshTokens:", response.errors);
+        throw new Error(errorMessage);
+      }
+      return response.data;
+    } catch (error) {
+      const contextualMessage = `Failed to create custom token: ${error instanceof Error ? error.message : "Unknown error"}`;
+      throw new Error(contextualMessage);
+    }
+  }
 };
 
 // src/runtime.ts
@@ -302,20 +422,69 @@ var runtime = {
   Response: globalThis.Response
 };
 
-// src/utils/path.ts
-var SEPARATOR = "/";
-var MULTIPLE_SEPARATOR_REGEX = new RegExp("(?<!:)" + SEPARATOR + "{1,}", "g");
-function joinPaths(...args) {
-  return args.filter((p) => p).join(SEPARATOR).replace(MULTIPLE_SEPARATOR_REGEX, SEPARATOR);
+// src/fireRestApi/emulator.ts
+var FIREBASE_AUTH_EMULATOR_HOST = process.env.FIREBASE_AUTH_EMULATOR_HOST;
+function emulatorHost() {
+  if (typeof process === "undefined") return void 0;
+  return FIREBASE_AUTH_EMULATOR_HOST;
+}
+function useEmulator() {
+  return !!emulatorHost();
 }
 
-// src/api/request.ts
+// src/fireRestApi/endpointUrl.ts
+var getRefreshTokenEndpoint = (apiKey) => {
+  return `https://securetoken.googleapis.com/v1/token?key=${apiKey}`;
+};
+var signInWithPassword = (apiKey) => {
+  return `https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=${apiKey}`;
+};
+var signUpEndpoint = (apiKey) => {
+  return `https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=${apiKey}`;
+};
+var getCustomTokenEndpoint = (apiKey) => {
+  if (useEmulator() && FIREBASE_AUTH_EMULATOR_HOST) {
+    let protocol = "http://";
+    if (FIREBASE_AUTH_EMULATOR_HOST.startsWith("http://")) {
+      protocol = "";
+    }
+    return `${protocol}${FIREBASE_AUTH_EMULATOR_HOST}/identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=${apiKey}`;
+  }
+  return `https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=${apiKey}`;
+};
+var passwordResetEndpoint = (apiKey) => {
+  return `https://identitytoolkit.googleapis.com/v1/accounts:resetPassword?key=${apiKey}`;
+};
+
+// src/fireRestApi/request.ts
+var FIREBASE_ENDPOINT_MAP = {
+  refreshToken: getRefreshTokenEndpoint,
+  signInWithPassword,
+  signUp: signUpEndpoint,
+  signInWithCustomToken: getCustomTokenEndpoint,
+  passwordReset: passwordResetEndpoint,
+  sendOobCode: signInWithPassword
+};
 function createRequest(options) {
   const requestFn = async (requestOptions) => {
-    const { apiUrl, apiVersion } = options;
-    const { path, method, queryParams, headerParams, bodyParams, formData } = requestOptions;
-    const url = joinPaths(apiUrl, apiVersion, path);
-    const finalUrl = new URL(url);
+    const { endpoint, method, apiKey, queryParams, headerParams, bodyParams, formData } = requestOptions;
+    if (!apiKey) {
+      return {
+        data: null,
+        errors: [
+          {
+            code: "missing_api_key",
+            message: "Firebase API key is required"
+          }
+        ]
+      };
+    }
+    const endpointUrl = FIREBASE_ENDPOINT_MAP[endpoint](apiKey);
+    const finalUrl = new URL(endpointUrl);
+    console.log("endpoint url:", endpointUrl);
+    console.log("Final URL href:", finalUrl.href);
+    console.log("Final URL:", finalUrl);
+    console.log("Method:", method);
     if (queryParams) {
       Object.entries(queryParams).forEach(([key, value]) => {
         if (value) {
@@ -394,39 +563,20 @@ function parseError(error) {
   };
 }
 
-// src/api/createBackendApi.ts
-function createBackendApi(options) {
+// src/fireRestApi/createFireApi.ts
+function createFireApi(options) {
   const request = createRequest(options);
   return {
-    sessions: new SessionApi(request)
-  };
-}
-
-// src/utils/options.ts
-var defaultOptions = {
-  apiUrl: void 0,
-  apiVersion: void 0
-};
-function mergePreDefinedOptions(userOptions = {}) {
-  return {
-    ...defaultOptions,
-    ...userOptions
+    email: new EmailApi(request),
+    password: new PasswordApi(request),
+    signIn: new SignInTokenApi(request),
+    signUp: new SignUpApi(request),
+    tokens: new TokenApi(request)
   };
 }
 
-// src/tokens/sessionConfig.ts
-var getSessionConfig = (options) => {
-  const cookieConfig = options?.cookies?.session_cookie;
-  return {
-    COOKIE_NAME: cookieConfig?.name,
-    DEFAULT_EXPIRES_IN_MS: cookieConfig?.attributes?.maxAge,
-    DEFAULT_EXPIRES_IN_SECONDS: Math.floor((cookieConfig?.attributes?.maxAge || 0) / 1e3),
-    REVOKE_REFRESH_TOKENS_ON_SIGNOUT: cookieConfig?.revokeRefreshTokensOnSignOut
-  };
-};
-
-// src/jwt/verifyJwt.ts
-var import_jose2 = require("jose");
+// src/tokens/request.ts
+var import_cookie2 = require("@tern-secure/shared/cookie");
 
 // src/utils/errors.ts
 var TokenVerificationErrorReason = {
@@ -463,6 +613,22 @@ var TokenVerificationError = class _TokenVerificationError extends Error {
   }
 };
 
+// src/utils/options.ts
+var defaultOptions = {
+  apiKey: void 0,
+  apiUrl: void 0,
+  apiVersion: void 0
+};
+function mergePreDefinedOptions(userOptions = {}) {
+  return {
+    ...defaultOptions,
+    ...userOptions
+  };
+}
+
+// src/jwt/verifyJwt.ts
+var import_jose2 = require("jose");
+
 // src/utils/rfc4648.ts
 var base64url = {
   parse(string, opts) {
@@ -755,7 +921,7 @@ async function fetchPublicKeys(keyUrl) {
   };
 }
 async function loadJWKFromRemote({
-  keyURL = SESSION_COOKIE_PUBLIC_KEYS_URL,
+  keyURL = GOOGLE_PUBLIC_KEYS_URL,
   skipJwksCache,
   kid
 }) {
@@ -851,7 +1017,6 @@ async function verifyToken(token, options) {
 
 // src/tokens/request.ts
 var BEARER_PREFIX = "Bearer ";
-var AUTH_COOKIE_NAME = "_session_cookie";
 function extractTokenFromHeader(request) {
   const authHeader = request.headers.get("Authorization");
   if (!authHeader || !authHeader.startsWith(BEARER_PREFIX)) {
@@ -859,12 +1024,16 @@ function extractTokenFromHeader(request) {
   }
   return authHeader.slice(BEARER_PREFIX.length);
 }
-function extractTokenFromCookie(request, opts) {
+function extractTokenFromCookie(request) {
   const cookieHeader = request.headers.get("Cookie") || void 0;
-  const sessionName = getSessionConfig(opts).COOKIE_NAME;
   if (!cookieHeader) {
     return null;
   }
+  const cookiePrefix = (0, import_cookie2.getCookiePrefix)();
+  const idTokenCookieName = (0, import_cookie2.getCookieName)(
+    constants.Cookies.IdToken,
+    cookiePrefix
+  );
   const cookies = cookieHeader.split(";").reduce(
     (acc, cookie) => {
       const [name, value] = cookie.trim().split("=");
@@ -873,35 +1042,63 @@ function extractTokenFromCookie(request, opts) {
     },
     {}
   );
-  return cookies[AUTH_COOKIE_NAME] || null;
+  return idTokenCookieName || null;
 }
 function hasAuthorizationHeader(request) {
   return request.headers.has("Authorization");
 }
 async function authenticateRequest(request, options) {
+  async function refreshToken() {
+    try {
+      const response = await options.apiClient?.tokens.refreshToken(options.firebaseConfig?.apiKey || "", {
+        format: "cookie",
+        refresh_token: "",
+        expired_token: "",
+        request_origin: options.apiUrl || ""
+      });
+    } catch (error) {
+      console.error("Error refreshing token:", error);
+    }
+  }
   async function authenticateRequestWithTokenInCookie() {
-    const token = extractTokenFromCookie(request, options);
+    const token = extractTokenFromCookie(request);
     if (!token) {
       return signedOut(AuthErrorReason.SessionTokenMissing);
     }
-    const { data, errors } = await verifyToken(token, options);
-    if (errors) {
-      throw errors[0];
+    try {
+      const { data, errors } = await verifyToken(token, options);
+      if (errors) {
+        throw errors[0];
+      }
+      const signedInRequestState = signedIn(data, void 0, token);
+      return signedInRequestState;
+    } catch (err) {
+      return handleError(err, "cookie");
     }
-    const signedInRequestState = signedIn(data, void 0, token);
-    return signedInRequestState;
   }
   async function authenticateRequestWithTokenInHeader() {
     const token = extractTokenFromHeader(request);
     if (!token) {
-      return signedOut(AuthErrorReason.SessionTokenMissing);
+      return signedOut(AuthErrorReason.SessionTokenMissing, "");
     }
-    const { data, errors } = await verifyToken(token, options);
-    if (errors) {
-      throw errors[0];
+    try {
+      const { data, errors } = await verifyToken(token, options);
+      if (errors) {
+        throw errors[0];
+      }
+      const signedInRequestState = signedIn(data, void 0, token);
+      return signedInRequestState;
+    } catch (err) {
+      return handleError(err, "header");
     }
-    const signedInRequestState = signedIn(data, void 0, token);
-    return signedInRequestState;
+  }
+  async function handleError(err, tokenCarrier) {
+    if (!(err instanceof TokenVerificationError)) {
+      return signedOut(AuthErrorReason.UnexpectedError);
+    }
+    let refreshError;
+    err.tokenCarrier = tokenCarrier;
+    return signedOut(err.reason, err.getFullMessage());
   }
   if (hasAuthorizationHeader(request)) {
     return authenticateRequestWithTokenInHeader();
@@ -923,7 +1120,7 @@ function createAuthenticateRequest(params) {
 // src/instance/backendInstanceEdge.ts
 function createBackendInstanceClient(options) {
   const opts = { ...options };
-  const apiClient = createBackendApi(opts);
+  const apiClient = createFireApi(opts);
   const requestState = createAuthenticateRequest({ options: opts, apiClient });
   return {
     ...apiClient,
@@ -947,7 +1144,7 @@ function mergePreDefinedOptions2(preDefinedOptions, options) {
   );
 }
 var BEARER_PREFIX2 = "Bearer ";
-var AUTH_COOKIE_NAME2 = "_session_cookie";
+var AUTH_COOKIE_NAME = "_session_cookie";
 function extractTokenFromHeader2(request) {
   const authHeader = request.headers.get("Authorization");
   if (!authHeader || !authHeader.startsWith(BEARER_PREFIX2)) {
@@ -955,9 +1152,8 @@ function extractTokenFromHeader2(request) {
   }
   return authHeader.slice(BEARER_PREFIX2.length);
 }
-function extractTokenFromCookie2(request, opts) {
+function extractTokenFromCookie2(request) {
   const cookieHeader = request.headers.get("Cookie") || void 0;
-  const sessionName = getSessionConfig(opts).COOKIE_NAME;
   if (!cookieHeader) {
     return null;
   }
@@ -969,14 +1165,14 @@ function extractTokenFromCookie2(request, opts) {
     },
     {}
   );
-  return cookies[AUTH_COOKIE_NAME2] || null;
+  return cookies[AUTH_COOKIE_NAME] || null;
 }
 function hasAuthorizationHeader2(request) {
   return request.headers.has("Authorization");
 }
 async function authenticateRequest2(request, options) {
   async function authenticateRequestWithTokenInCookie() {
-    const token = extractTokenFromCookie2(request, options);
+    const token = extractTokenFromCookie2(request);
     if (!token) {
       return signedOut(AuthErrorReason.SessionTokenMissing);
     }
@@ -1018,7 +1214,7 @@ function createFireAuthenticateRequest(params) {
 // src/instance/backendFireInstance.ts
 function createFireClient(options) {
   const opts = { ...options };
-  const apiClient = createBackendApi(opts);
+  const apiClient = createFireApi(opts);
   const requestState = createFireAuthenticateRequest({ options: opts });
   return {
     ...apiClient,