@tern-secure/backend 1.2.0-canary.v20250926170202 → 1.2.0-canary.v20251002181737

package/dist/index.mjs

@@ -1,17 +1,13 @@
 import {
-  CACHE_CONTROL_REGEX,
-  DEFAULT_CACHE_DURATION,
-  MAX_CACHE_LAST_UPDATED_AT_SECONDS,
-  SESSION_COOKIE_PUBLIC_KEYS_URL,
+  verifyToken
+} from "./chunk-YKIA5EBF.mjs";
+import {
   constants,
   createTernSecureRequest
-} from "./chunk-ZMDLKXUP.mjs";
+} from "./chunk-4SGWLAJG.mjs";
 import {
   TokenVerificationError,
-  TokenVerificationErrorReason,
-  mapJwtPayloadToDecodedIdToken,
-  ternDecodeJwt,
-  verifyJwt
+  mapJwtPayloadToDecodedIdToken
 } from "./chunk-WZYVAHZ3.mjs";
 
 // src/tokens/authstate.ts
@@ -126,14 +122,13 @@ var AbstractAPI = class {
 };
 
 // src/fireRestApi/endpoints/EmailApi.ts
-var rootPath = "/customTokens";
 var EmailApi = class extends AbstractAPI {
   async verifyEmailVerification(apiKey, params) {
     this.requireApiKey(apiKey);
     const { ...restParams } = params;
     return this.request({
+      endpoint: "sendOobCode",
       method: "POST",
-      path: `${rootPath}`,
       bodyParams: restParams
     });
   }
@@ -141,22 +136,21 @@ var EmailApi = class extends AbstractAPI {
     this.requireApiKey(apiKey);
     const { ...restParams } = params;
     return this.request({
+      endpoint: "sendOobCode",
       method: "POST",
-      path: `${rootPath}`,
       bodyParams: restParams
     });
   }
 };
 
 // src/fireRestApi/endpoints/PasswordApi.ts
-var rootPath2 = "/customTokens";
 var PasswordApi = class extends AbstractAPI {
   async verifyPasswordResetCode(apiKey, params) {
     this.requireApiKey(apiKey);
     const { ...restParams } = params;
     return this.request({
+      endpoint: "passwordReset",
       method: "POST",
-      path: `${rootPath2}`,
       bodyParams: restParams
     });
   }
@@ -164,8 +158,8 @@ var PasswordApi = class extends AbstractAPI {
     this.requireApiKey(apiKey);
     const { ...restParams } = params;
     return this.request({
+      endpoint: "passwordReset",
       method: "POST",
-      path: `${rootPath2}`,
       bodyParams: restParams
     });
   }
@@ -173,53 +167,81 @@ var PasswordApi = class extends AbstractAPI {
     this.requireApiKey(apiKey);
     const { ...restParams } = params;
     return this.request({
+      endpoint: "passwordReset",
       method: "POST",
-      path: `${rootPath2}`,
       bodyParams: restParams
     });
   }
 };
 
 // src/fireRestApi/endpoints/SignInTokenApi.ts
-var rootPath3 = "/customTokens";
 var SignInTokenApi = class extends AbstractAPI {
   async createCustomToken(apiKey, params) {
-    this.requireApiKey(apiKey);
-    const { ...restParams } = params;
-    return this.request({
-      method: "POST",
-      path: `${rootPath3}`,
-      bodyParams: restParams
-    });
+    try {
+      this.requireApiKey(apiKey);
+      const { ...restParams } = params;
+      const response = await this.request({
+        endpoint: "signInWithCustomToken",
+        method: "POST",
+        bodyParams: restParams
+      });
+      if (response.errors) {
+        const errorMessage = response.errors[0]?.message || "Failed to create custom token";
+        throw new Error(errorMessage);
+      }
+      return response.data;
+    } catch (error) {
+      const contextualMessage = `Failed to create custom token: ${error instanceof Error ? error.message : "Unknown error"}`;
+      throw new Error(contextualMessage);
+    }
   }
 };
 
 // src/fireRestApi/endpoints/SignUpApi.ts
-var rootPath4 = "/customTokens";
 var SignUpApi = class extends AbstractAPI {
   async createCustomToken(apiKey, params) {
     this.requireApiKey(apiKey);
     const { ...restParams } = params;
     return this.request({
+      endpoint: "signUp",
       method: "POST",
-      path: `${rootPath4}`,
       bodyParams: restParams
     });
   }
 };
 
 // src/fireRestApi/endpoints/TokenApi.ts
-var rootPath5 = "/sessions";
 var TokenApi = class extends AbstractAPI {
   async refreshToken(apiKey, params) {
     this.requireApiKey(apiKey);
     const { ...restParams } = params;
     return this.request({
+      endpoint: "refreshToken",
       method: "POST",
-      path: `${rootPath5}/refresh`,
       bodyParams: restParams
     });
   }
+  async exchangeCustomForIdAndRefreshTokens(apiKey, params) {
+    try {
+      this.requireApiKey(apiKey);
+      const { ...restParams } = params;
+      const response = await this.request({
+        endpoint: "signInWithCustomToken",
+        method: "POST",
+        apiKey,
+        bodyParams: restParams
+      });
+      if (response.errors) {
+        const errorMessage = response.errors[0]?.message || "Failed to create custom token";
+        console.error("Error response from exchangeCustomForIdAndRefreshTokens:", response.errors);
+        throw new Error(errorMessage);
+      }
+      return response.data;
+    } catch (error) {
+      const contextualMessage = `Failed to create custom token: ${error instanceof Error ? error.message : "Unknown error"}`;
+      throw new Error(contextualMessage);
+    }
+  }
 };
 
 // src/runtime.ts
@@ -238,20 +260,65 @@ var runtime = {
   Response: globalThis.Response
 };
 
-// src/utils/path.ts
-var SEPARATOR = "/";
-var MULTIPLE_SEPARATOR_REGEX = new RegExp("(?<!:)" + SEPARATOR + "{1,}", "g");
-function joinPaths(...args) {
-  return args.filter((p) => p).join(SEPARATOR).replace(MULTIPLE_SEPARATOR_REGEX, SEPARATOR);
+// src/fireRestApi/emulator.ts
+var FIREBASE_AUTH_EMULATOR_HOST = process.env.FIREBASE_AUTH_EMULATOR_HOST;
+function emulatorHost() {
+  if (typeof process === "undefined") return void 0;
+  return FIREBASE_AUTH_EMULATOR_HOST;
+}
+function useEmulator() {
+  return !!emulatorHost();
 }
 
+// src/fireRestApi/endpointUrl.ts
+var getRefreshTokenEndpoint = (apiKey) => {
+  return `https://securetoken.googleapis.com/v1/token?key=${apiKey}`;
+};
+var signInWithPassword = (apiKey) => {
+  return `https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=${apiKey}`;
+};
+var signUpEndpoint = (apiKey) => {
+  return `https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=${apiKey}`;
+};
+var getCustomTokenEndpoint = (apiKey) => {
+  if (useEmulator() && process.env.FIREBASE_AUTH_EMULATOR_HOST) {
+    let protocol = "http://";
+    if (process.env.FIREBASE_AUTH_EMULATOR_HOST.startsWith("http://")) {
+      protocol = "";
+    }
+    return `${protocol}${process.env.FIREBASE_AUTH_EMULATOR_HOST}/identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=${apiKey}`;
+  }
+  return `https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=${apiKey}`;
+};
+var passwordResetEndpoint = (apiKey) => {
+  return `https://identitytoolkit.googleapis.com/v1/accounts:resetPassword?key=${apiKey}`;
+};
+
 // src/fireRestApi/request.ts
+var FIREBASE_ENDPOINT_MAP = {
+  refreshToken: getRefreshTokenEndpoint,
+  signInWithPassword,
+  signUp: signUpEndpoint,
+  signInWithCustomToken: getCustomTokenEndpoint,
+  passwordReset: passwordResetEndpoint,
+  sendOobCode: signInWithPassword
+};
 function createRequest(options) {
   const requestFn = async (requestOptions) => {
-    const { apiKey, apiUrl, apiVersion = "v1" } = options;
-    const { path, method, queryParams, headerParams, bodyParams, formData } = requestOptions;
-    const url = joinPaths(apiUrl, apiVersion, path);
-    const finalUrl = new URL(url);
+    const { endpoint, method, apiKey, queryParams, headerParams, bodyParams, formData } = requestOptions;
+    if (!apiKey) {
+      return {
+        data: null,
+        errors: [
+          {
+            code: "missing_api_key",
+            message: "Firebase API key is required"
+          }
+        ]
+      };
+    }
+    const endpointUrl = FIREBASE_ENDPOINT_MAP[endpoint](apiKey);
+    const finalUrl = new URL(endpointUrl);
     if (queryParams) {
       Object.entries(queryParams).forEach(([key, value]) => {
         if (value) {
@@ -342,8 +409,12 @@ function createFireApi(options) {
   };
 }
 
+// src/tokens/request.ts
+import { getCookieName, getCookiePrefix } from "@tern-secure/shared/cookie";
+
 // src/utils/options.ts
 var defaultOptions = {
+  apiKey: void 0,
   apiUrl: void 0,
   apiVersion: void 0
 };
@@ -354,131 +425,6 @@ function mergePreDefinedOptions(userOptions = {}) {
   };
 }
 
-// src/tokens/keys.ts
-var cache = {};
-var lastUpdatedAt = 0;
-var googleExpiresAt = 0;
-function getFromCache(kid) {
-  return cache[kid];
-}
-function getCacheValues() {
-  return Object.values(cache);
-}
-function setInCache(kid, certificate, shouldExpire = true) {
-  cache[kid] = certificate;
-  lastUpdatedAt = shouldExpire ? Date.now() : -1;
-}
-async function fetchPublicKeys(keyUrl) {
-  const url = new URL(keyUrl);
-  const response = await fetch(url);
-  if (!response.ok) {
-    throw new TokenVerificationError({
-      message: `Error loading public keys from ${url.href} with code=${response.status} `,
-      reason: TokenVerificationErrorReason.TokenInvalid
-    });
-  }
-  const data = await response.json();
-  const expiresAt = getExpiresAt(response);
-  return {
-    keys: data,
-    expiresAt
-  };
-}
-async function loadJWKFromRemote({
-  keyURL = SESSION_COOKIE_PUBLIC_KEYS_URL,
-  skipJwksCache,
-  kid
-}) {
-  if (skipJwksCache || isCacheExpired() || !getFromCache(kid)) {
-    const { keys, expiresAt } = await fetchPublicKeys(keyURL);
-    if (!keys || Object.keys(keys).length === 0) {
-      throw new TokenVerificationError({
-        message: `The JWKS endpoint ${keyURL} returned no keys`,
-        reason: TokenVerificationErrorReason.RemoteJWKFailedToLoad
-      });
-    }
-    googleExpiresAt = expiresAt;
-    Object.entries(keys).forEach(([keyId, cert2]) => {
-      setInCache(keyId, cert2);
-    });
-  }
-  const cert = getFromCache(kid);
-  if (!cert) {
-    getCacheValues();
-    const availableKids = Object.keys(cache).sort().join(", ");
-    throw new TokenVerificationError({
-      message: `No public key found for kid "${kid}". Available kids: [${availableKids}]`,
-      reason: TokenVerificationErrorReason.TokenInvalid
-    });
-  }
-  return cert;
-}
-function isCacheExpired() {
-  const now = Date.now();
-  if (lastUpdatedAt === -1) {
-    return false;
-  }
-  const cacheAge = now - lastUpdatedAt;
-  const maxCacheAge = MAX_CACHE_LAST_UPDATED_AT_SECONDS * 1e3;
-  const localCacheExpired = cacheAge >= maxCacheAge;
-  const googleCacheExpired = now >= googleExpiresAt;
-  const isExpired = localCacheExpired || googleCacheExpired;
-  if (isExpired) {
-    cache = {};
-  }
-  return isExpired;
-}
-function getExpiresAt(res) {
-  const cacheControlHeader = res.headers.get("cache-control");
-  if (!cacheControlHeader) {
-    return Date.now() + DEFAULT_CACHE_DURATION;
-  }
-  const maxAgeMatch = cacheControlHeader.match(CACHE_CONTROL_REGEX);
-  const maxAge = maxAgeMatch ? parseInt(maxAgeMatch[1], 10) : DEFAULT_CACHE_DURATION / 1e3;
-  return Date.now() + maxAge * 1e3;
-}
-
-// src/tokens/verify.ts
-async function verifyToken(token, options) {
-  const { data: decodedResult, errors } = ternDecodeJwt(token);
-  if (errors) {
-    return { errors };
-  }
-  const { header } = decodedResult;
-  const { kid } = header;
-  if (!kid) {
-    return {
-      errors: [
-        new TokenVerificationError({
-          reason: TokenVerificationErrorReason.TokenInvalid,
-          message: 'JWT "kid" header is missing.'
-        })
-      ]
-    };
-  }
-  try {
-    const key = options.jwtKey || await loadJWKFromRemote({ ...options, kid });
-    if (!key) {
-      return {
-        errors: [
-          new TokenVerificationError({
-            reason: TokenVerificationErrorReason.TokenInvalid,
-            message: `No public key found for kid "${kid}".`
-          })
-        ]
-      };
-    }
-    return await verifyJwt(token, { ...options, key });
-  } catch (error) {
-    if (error instanceof TokenVerificationError) {
-      return { errors: [error] };
-    }
-    return {
-      errors: [error]
-    };
-  }
-}
-
 // src/tokens/request.ts
 var BEARER_PREFIX = "Bearer ";
 function extractTokenFromHeader(request) {
@@ -493,6 +439,11 @@ function extractTokenFromCookie(request) {
   if (!cookieHeader) {
     return null;
   }
+  const cookiePrefix = getCookiePrefix();
+  const idTokenCookieName = getCookieName(
+    constants.Cookies.IdToken,
+    cookiePrefix
+  );
   const cookies = cookieHeader.split(";").reduce(
     (acc, cookie) => {
       const [name, value] = cookie.trim().split("=");
@@ -501,7 +452,7 @@ function extractTokenFromCookie(request) {
     },
     {}
   );
-  return cookies[constants.Cookies.Session] || null;
+  return idTokenCookieName || null;
 }
 function hasAuthorizationHeader(request) {
   return request.headers.has("Authorization");