npm - @tern-secure/backend - Versions diffs - 1.2.0-canary.v20251003134325 → 1.2.0-canary.v20251008131428 - Mend

@tern-secure/backend 1.2.0-canary.v20251003134325 → 1.2.0-canary.v20251008131428

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

package/dist/admin/index.js +7 -3
package/dist/admin/index.js.map +1 -1
package/dist/admin/index.mjs +531 -22
package/dist/admin/index.mjs.map +1 -1
package/dist/admin/nextSessionTernSecure.d.ts.map +1 -1
package/dist/auth/getauth.d.ts +16 -2
package/dist/auth/getauth.d.ts.map +1 -1
package/dist/auth/index.js +166 -213
package/dist/auth/index.js.map +1 -1
package/dist/auth/index.mjs +4 -51
package/dist/auth/index.mjs.map +1 -1
package/dist/{chunk-4SGWLAJG.mjs → chunk-3ZLDOHI2.mjs} +4 -68
package/dist/chunk-3ZLDOHI2.mjs.map +1 -0
package/dist/{chunk-WZYVAHZ3.mjs → chunk-SVZUAXAW.mjs} +115 -1
package/dist/chunk-SVZUAXAW.mjs.map +1 -0
package/dist/chunk-VSYYHCUV.mjs +71 -0
package/dist/chunk-VSYYHCUV.mjs.map +1 -0
package/dist/{chunk-YKIA5EBF.mjs → chunk-YGNTGJTP.mjs} +94 -4
package/dist/chunk-YGNTGJTP.mjs.map +1 -0
package/dist/fireRestApi/endpoints/TokenApi.d.ts +6 -3
package/dist/fireRestApi/endpoints/TokenApi.d.ts.map +1 -1
package/dist/fireRestApi/request.d.ts +3 -3
package/dist/fireRestApi/request.d.ts.map +1 -1
package/dist/index.d.ts +12 -12
package/dist/index.d.ts.map +1 -1
package/dist/index.js +405 -103
package/dist/index.js.map +1 -1
package/dist/index.mjs +130 -18
package/dist/index.mjs.map +1 -1
package/dist/jwt/customJwt.d.ts +11 -0
package/dist/jwt/customJwt.d.ts.map +1 -0
package/dist/jwt/index.d.ts +1 -0
package/dist/jwt/index.d.ts.map +1 -1
package/dist/jwt/index.js +104 -0
package/dist/jwt/index.js.map +1 -1
package/dist/jwt/index.mjs +7 -1
package/dist/jwt/index.mjs.map +1 -1
package/dist/tokens/cookie.d.ts +5 -0
package/dist/tokens/cookie.d.ts.map +1 -0
package/dist/tokens/request.d.ts.map +1 -1
package/dist/tokens/types.d.ts +1 -12
package/dist/tokens/types.d.ts.map +1 -1
package/dist/utils/errors.d.ts +12 -0
package/dist/utils/errors.d.ts.map +1 -1
package/dist/utils/options.d.ts +3 -3
package/dist/utils/options.d.ts.map +1 -1
package/package.json +3 -3
package/dist/chunk-4SGWLAJG.mjs.map +0 -1
package/dist/chunk-NEPV6OWI.mjs +0 -550
package/dist/chunk-NEPV6OWI.mjs.map +0 -1
package/dist/chunk-WZYVAHZ3.mjs.map +0 -1
package/dist/chunk-YKIA5EBF.mjs.map +0 -1
package/dist/tokens/sessionConfig.d.ts +0 -14
package/dist/tokens/sessionConfig.d.ts.map +0 -1

package/dist/auth/getauth.d.ts CHANGED Viewed

@@ -8,8 +8,22 @@ export interface CustomTokens {
     refreshToken: string;
     customToken: string;
 }
+interface CustomForIdAndRefreshTokenOptions {
+    tenantId?: string;
+    appCheckToken?: string;
+    referer?: string;
+}
+type AuthResult<T = any> = {
+    data: T;
+    error: null;
+} | {
+    data: null;
+    error: any;
+};
 export declare function getAuth(options: AuthenticateRequestOptions): {
-    customForIdAndRefreshToken: (customToken: string) => Promise<IdAndRefreshTokens>;
-    createCustomIdAndRefreshToken: (idToken: string) => Promise<CustomTokens>;
+    customForIdAndRefreshToken: (customToken: string, opts: CustomForIdAndRefreshTokenOptions) => Promise<IdAndRefreshTokens>;
+    createCustomIdAndRefreshToken: (idToken: string, opts: CustomForIdAndRefreshTokenOptions) => Promise<CustomTokens>;
+    refreshExpiredIdToken: (refreshToken: string, opts: CustomForIdAndRefreshTokenOptions) => Promise<AuthResult>;
 };
+export {};
 //# sourceMappingURL=getauth.d.ts.map

package/dist/auth/getauth.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"getauth.d.ts","sourceRoot":"","sources":["../../src/auth/getauth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,iBAAiB,CAAC;AAGlE,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;CACrB;~~AAUD~~,wBAAgB,OAAO,CAAC,OAAO,EAAE,0BAA0B;~~8CAI1C~~,MAAM,~~KAClB~~,OAAO,CAAC,kBAAkB,CAAC;~~6CAqBwB~~,MAAM,~~KAAG~~,OAAO,CAAC,YAAY,CAAC;~~EA2BrF~~"}
1	+ {"version":3,"file":"getauth.d.ts","sourceRoot":"","sources":["../../src/auth/getauth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,iBAAiB,CAAC;AAGlE,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,UAAU,iCAAiC;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAkBD,KAAK,UAAU,CAAC,CAAC,GAAG,GAAG,IAAI;IAAE,IAAI,EAAE,CAAC,CAAC;IAAC,KAAK,EAAE,IAAI,CAAA;CAAE,GAAG;IAAE,IAAI,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,GAAG,CAAA;CAAE,CAAC;AAgBjF,wBAAgB,OAAO,CAAC,OAAO,EAAE,0BAA0B;8CAoC1C,MAAM,QACb,iCAAiC,KACtC,OAAO,CAAC,kBAAkB,CAAC;6CA4BnB,MAAM,QACT,iCAAiC,KACtC,OAAO,CAAC,YAAY,CAAC;0CA9DR,MAAM,QACd,iCAAiC,KACtC,OAAO,CAAC,UAAU,CAAC;EAuFvB"}

package/dist/auth/index.js CHANGED Viewed

@@ -1,9 +1,7 @@
 "use strict";
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -17,14 +15,6 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 // src/auth/index.ts
@@ -34,190 +24,103 @@ __export(auth_exports, {
 });
 module.exports = __toCommonJS(auth_exports);
-// src/admin/sessionTernSecure.ts
-var import_errors = require("@tern-secure/shared/errors");
-// src/constants.ts
-var GOOGLE_PUBLIC_KEYS_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
-var MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;
-var DEFAULT_CACHE_DURATION = 3600 * 1e3;
-var CACHE_CONTROL_REGEX = /max-age=(\d+)/;
-var Attributes = {
-  AuthToken: "__ternsecureAuthToken",
-  AuthSignature: "__ternsecureAuthSignature",
-  AuthStatus: "__ternsecureAuthStatus",
-  AuthReason: "__ternsecureAuthReason",
-  AuthMessage: "__ternsecureAuthMessage",
-  TernSecureUrl: "__ternsecureUrl"
-};
-var Cookies = {
-  Session: "__session",
-  CsrfToken: "__session_terncf",
-  IdToken: "FIREBASE_[DEFAULT]",
-  Refresh: "FIREBASEID_[DEFAULT]",
-  Custom: "__custom",
-  Handshake: "__ternsecure_handshake",
-  DevBrowser: "__ternsecure_db_jwt",
-  RedirectCount: "__ternsecure_redirect_count",
-  HandshakeNonce: "__ternsecure_handshake_nonce"
-};
-var Headers2 = {
-  Accept: "accept",
-  AuthMessage: "x-ternsecure-auth-message",
-  Authorization: "authorization",
-  AuthReason: "x-ternsecure-auth-reason",
-  AuthSignature: "x-ternsecure-auth-signature",
-  AuthStatus: "x-ternsecure-auth-status",
-  AuthToken: "x-ternsecure-auth-token",
-  CacheControl: "cache-control",
-  TernSecureRedirectTo: "x-ternsecure-redirect-to",
-  TernSecureRequestData: "x-ternsecure-request-data",
-  TernSecureUrl: "x-ternsecure-url",
-  CloudFrontForwardedProto: "cloudfront-forwarded-proto",
-  ContentType: "content-type",
-  ContentSecurityPolicy: "content-security-policy",
-  ContentSecurityPolicyReportOnly: "content-security-policy-report-only",
-  EnableDebug: "x-ternsecure-debug",
-  ForwardedHost: "x-forwarded-host",
-  ForwardedPort: "x-forwarded-port",
-  ForwardedProto: "x-forwarded-proto",
-  Host: "host",
-  Location: "location",
-  Nonce: "x-nonce",
-  Origin: "origin",
-  Referrer: "referer",
-  SecFetchDest: "sec-fetch-dest",
-  UserAgent: "user-agent",
-  ReportingEndpoints: "reporting-endpoints"
-};
-var ContentTypes = {
-  Json: "application/json"
-};
-var constants = {
-  Attributes,
-  Cookies,
-  Headers: Headers2,
-  ContentTypes
-};
-// src/utils/admin-init.ts
-var import_firebase_admin = __toESM(require("firebase-admin"));
-// src/utils/config.ts
-var loadAdminConfig = () => ({
-  projectId: process.env.FIREBASE_PROJECT_ID || "",
-  clientEmail: process.env.FIREBASE_CLIENT_EMAIL || "",
-  privateKey: process.env.FIREBASE_PRIVATE_KEY || ""
-});
-var validateAdminConfig = (config) => {
-  const requiredFields = [
-    "projectId",
-    "clientEmail",
-    "privateKey"
-  ];
-  const errors = [];
-  requiredFields.forEach((field) => {
-    if (!config[field]) {
-      errors.push(`Missing required field: FIREBASE_${String(field).toUpperCase()}`);
-    }
-  });
-  return {
-    isValid: errors.length === 0,
-    errors,
-    config
-  };
-};
-var initializeAdminConfig = () => {
-  const config = loadAdminConfig();
-  const validationResult = validateAdminConfig(config);
-  if (!validationResult.isValid) {
-    throw new Error(
-      `Firebase Admin configuration validation failed:
-${validationResult.errors.join("\n")}`
-    );
+// src/jwt/customJwt.ts
+var import_jose = require("jose");
+var CustomTokenError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "CustomTokenError";
   }
-  return config;
 };
-// src/utils/admin-init.ts
-if (!import_firebase_admin.default.apps.length) {
+var RESERVED_CLAIMS = [
+  "acr",
+  "amr",
+  "at_hash",
+  "aud",
+  "auth_time",
+  "azp",
+  "cnf",
+  "c_hash",
+  "exp",
+  "firebase",
+  "iat",
+  "iss",
+  "jti",
+  "nbf",
+  "nonce",
+  "sub"
+];
+async function createCustomTokenJwt(uid, developerClaims) {
   try {
-    const config = initializeAdminConfig();
-    import_firebase_admin.default.initializeApp({
-      credential: import_firebase_admin.default.credential.cert({
-        ...config,
-        privateKey: config.privateKey.replace(/\\n/g, "\n")
-      })
-    });
+    const privateKey = process.env.FIREBASE_PRIVATE_KEY;
+    const clientEmail = process.env.FIREBASE_CLIENT_EMAIL;
+    if (!privateKey || !clientEmail) {
+      return {
+        errors: [
+          new CustomTokenError(
+            "Missing FIREBASE_PRIVATE_KEY or FIREBASE_CLIENT_EMAIL environment variables",
+            "MISSING_ENV_VARS"
+          )
+        ]
+      };
+    }
+    if (!uid || typeof uid !== "string") {
+      return {
+        errors: [new CustomTokenError("uid must be a non-empty string", "INVALID_UID")]
+      };
+    }
+    if (uid.length > 128) {
+      return {
+        errors: [new CustomTokenError("uid must not exceed 128 characters", "UID_TOO_LONG")]
+      };
+    }
+    if (developerClaims) {
+      for (const claim of Object.keys(developerClaims)) {
+        if (RESERVED_CLAIMS.includes(claim)) {
+          return {
+            errors: [new CustomTokenError(`Custom claim '${claim}' is reserved`, "RESERVED_CLAIM")]
+          };
+        }
+      }
+    }
+    const expiresIn = 3600;
+    const now = Math.floor(Date.now() / 1e3);
+    const parsedPrivateKey = await (0, import_jose.importPKCS8)(privateKey.replace(/\\n/g, "\n"), "RS256");
+    const payload = {
+      iss: clientEmail,
+      sub: clientEmail,
+      aud: "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
+      iat: now,
+      exp: now + expiresIn,
+      uid,
+      ...developerClaims
+    };
+    const jwt = await new import_jose.SignJWT(payload).setProtectedHeader({ alg: "RS256", typ: "JWT" }).setIssuedAt(now).setExpirationTime(now + expiresIn).setIssuer(clientEmail).setSubject(clientEmail).setAudience(
+      "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"
+    ).sign(parsedPrivateKey);
+    return {
+      data: jwt
+    };
   } catch (error) {
-    console.error("Firebase admin initialization error", error);
+    const message = error instanceof Error ? error.message : "Unknown error occurred";
+    return {
+      errors: [
+        new CustomTokenError(`Failed to create custom token: ${message}`, "TOKEN_CREATION_FAILED")
+      ]
+    };
   }
 }
-var adminTernSecureAuth = import_firebase_admin.default.auth();
-var adminTernSecureDb = import_firebase_admin.default.firestore();
-var TernSecureTenantManager = import_firebase_admin.default.auth().tenantManager();
-function getAuthForTenant(tenantId) {
-  if (tenantId) {
-    return TernSecureTenantManager.authForTenant(tenantId);
-  }
-  return import_firebase_admin.default.auth();
-}
-// src/admin/sessionTernSecure.ts
-var SESSION_CONSTANTS = {
-  COOKIE_NAME: "_session_cookie",
-  //DEFAULT_EXPIRES_IN_MS: 60 * 60 * 24 * 5 * 1000, // 5 days
-  //DEFAULT_EXPIRES_IN_SECONDS: 60 * 60 * 24 * 5, // 5days
-  DEFAULT_EXPIRES_IN_MS: 5 * 60 * 1e3,
-  // 5 minutes
-  DEFAULT_EXPIRES_IN_SECONDS: 5 * 60,
-  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true
-};
-var COOKIE_OPTIONS = {
-  httpOnly: true,
-  secure: process.env.NODE_ENV === "production",
-  sameSite: "strict",
-  path: "/"
-};
-var DEFAULT_COOKIE_CONFIG = {
-  DEFAULT_EXPIRES_IN_MS: 5 * 60 * 1e3,
-  // 5 minutes
-  DEFAULT_EXPIRES_IN_SECONDS: 5 * 60,
-  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true
-};
-var DEFAULT_COOKIE_OPTIONS = {
-  httpOnly: true,
-  secure: process.env.NODE_ENV === "production",
-  sameSite: "strict",
-  path: "/"
-};
-async function createCustomTokenClaims(uid, developerClaims) {
-  const adminAuth = getAuthForTenant();
-  try {
-    const customToken = await adminAuth.createCustomToken(uid, developerClaims);
-    return customToken;
-  } catch (error) {
-    console.error("[createCustomToken] Error creating custom token:", error);
-    return "";
+async function createCustomToken(uid, developerClaims) {
+  const { data, errors } = await createCustomTokenJwt(uid, developerClaims);
+  if (errors) {
+    throw errors[0];
   }
+  return data;
 }
-// src/admin/nextSessionTernSecure.ts
-var import_errors2 = require("@tern-secure/shared/errors");
-var import_headers = require("next/headers");
-var SESSION_CONSTANTS2 = {
-  COOKIE_NAME: constants.Cookies.Session,
-  DEFAULT_EXPIRES_IN_MS: 60 * 60 * 24 * 5 * 1e3,
-  // 5 days
-  DEFAULT_EXPIRES_IN_SECONDS: 60 * 60 * 24 * 5,
-  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true
-};
-// src/tokens/ternSecureRequest.ts
-var import_cookie = require("cookie");
 // src/jwt/verifyJwt.ts
-var import_jose2 = require("jose");
+var import_jose3 = require("jose");
 // src/utils/errors.ts
 var TokenVerificationErrorReason = {
@@ -264,7 +167,7 @@ function mapJwtPayloadToDecodedIdToken(payload) {
 // src/utils/rfc4648.ts
 var base64url = {
   parse(string, opts) {
-    return parse2(string, base64UrlEncoding, opts);
+    return parse(string, base64UrlEncoding, opts);
   },
   stringify(data, opts) {
     return stringify(data, base64UrlEncoding, opts);
@@ -274,7 +177,7 @@ var base64UrlEncoding = {
   chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_",
   bits: 6
 };
-function parse2(string, encoding, opts = {}) {
+function parse(string, encoding, opts = {}) {
   if (!encoding.codes) {
     encoding.codes = {};
     for (let i = 0; i < encoding.chars.length; ++i) {
@@ -338,10 +241,10 @@ function stringify(data, encoding, opts = {}) {
 }
 // src/jwt/cryptoKeys.ts
-var import_jose = require("jose");
+var import_jose2 = require("jose");
 async function importKey(key, algorithm) {
   if (typeof key === "object") {
-    const result = await (0, import_jose.importJWK)(key, algorithm);
+    const result = await (0, import_jose2.importJWK)(key, algorithm);
     if (result instanceof Uint8Array) {
       throw new Error("Unexpected Uint8Array result from JWK import");
     }
@@ -349,13 +252,13 @@ async function importKey(key, algorithm) {
   }
   const keyString = key.trim();
   if (keyString.includes("-----BEGIN CERTIFICATE-----")) {
-    return await (0, import_jose.importX509)(keyString, algorithm);
+    return await (0, import_jose2.importX509)(keyString, algorithm);
   }
   if (keyString.includes("-----BEGIN PUBLIC KEY-----")) {
-    return await (0, import_jose.importSPKI)(keyString, algorithm);
+    return await (0, import_jose2.importSPKI)(keyString, algorithm);
   }
   try {
-    return await (0, import_jose.importSPKI)(keyString, algorithm);
+    return await (0, import_jose2.importSPKI)(keyString, algorithm);
   } catch (error) {
     throw new Error(
       `Unsupported key format. Supported formats: X.509 certificate (PEM), SPKI (PEM), JWK (JSON object or string). Error: ${error}`
@@ -438,7 +341,7 @@ async function verifySignature(jwt, key) {
   const joseAlgorithm = header.alg || "RS256";
   try {
     const publicKey = await importKey(key, joseAlgorithm);
-    const { payload } = await (0, import_jose2.jwtVerify)(raw.text, publicKey);
+    const { payload } = await (0, import_jose3.jwtVerify)(raw.text, publicKey);
     return { data: payload };
   } catch (error) {
     return {
@@ -453,8 +356,8 @@ async function verifySignature(jwt, key) {
 }
 function ternDecodeJwt(token) {
   try {
-    const header = (0, import_jose2.decodeProtectedHeader)(token);
-    const payload = (0, import_jose2.decodeJwt)(token);
+    const header = (0, import_jose3.decodeProtectedHeader)(token);
+    const payload = (0, import_jose3.decodeJwt)(token);
     const tokenParts = (token || "").toString().split(".");
     if (tokenParts.length !== 3) {
       return {
@@ -522,6 +425,12 @@ async function verifyJwt(token, options) {
   return { data: decodedIdToken };
 }
+// src/constants.ts
+var GOOGLE_PUBLIC_KEYS_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
+var MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;
+var DEFAULT_CACHE_DURATION = 3600 * 1e3;
+var CACHE_CONTROL_REGEX = /max-age=(\d+)/;
 // src/tokens/keys.ts
 var cache = {};
 var lastUpdatedAt = 0;
@@ -648,38 +557,81 @@ async function verifyToken(token, options) {
 }
 // src/auth/getauth.ts
+var API_KEY_ERROR = "API Key is required";
+var NO_DATA_ERROR = "No token data received";
+function parseFirebaseResponse(data) {
+  if (typeof data === "string") {
+    try {
+      return JSON.parse(data);
+    } catch (error) {
+      throw new Error(`Failed to parse Firebase response: ${error}`);
+    }
+  }
+  return data;
+}
 function getAuth(options) {
-  const { apiKey, tenantId } = options.firebaseConfig || {};
-  async function customForIdAndRefreshToken(customToken) {
-    if (!apiKey) {
-      throw new Error("API Key is required to create custom token");
+  const { apiKey } = options;
+  const firebaseApiKey = options.firebaseConfig?.apiKey;
+  const effectiveApiKey = apiKey || firebaseApiKey;
+  async function refreshExpiredIdToken(refreshToken, opts) {
+    if (!effectiveApiKey) {
+      return { data: null, error: new Error(API_KEY_ERROR) };
     }
-    const response = await options.apiClient?.tokens.exchangeCustomForIdAndRefreshTokens(apiKey, {
-      token: customToken,
-      returnSecureToken: true
+    const response = await options.apiClient?.tokens.refreshToken(effectiveApiKey, {
+      refresh_token: refreshToken,
+      request_origin: opts.referer
     });
-    console.log("[getAuth]customForIdAndRefreshToken response", response);
-    console.log("[getAuth]idToken:", response?.data?.idToken);
-    console.log("[getAuth]refreshToken:", response?.data?.refreshToken);
+    if (!response?.data) {
+      return {
+        data: null,
+        error: new Error(NO_DATA_ERROR)
+      };
+    }
+    const parsedData = parseFirebaseResponse(response.data);
+    return {
+      data: {
+        idToken: parsedData.id_token,
+        refreshToken: parsedData.refresh_token
+      },
+      error: null
+    };
+  }
+  async function customForIdAndRefreshToken(customToken, opts) {
+    if (!effectiveApiKey) {
+      throw new Error("API Key is required to create custom token");
+    }
+    const response = await options.apiClient?.tokens.exchangeCustomForIdAndRefreshTokens(
+      effectiveApiKey,
+      {
+        token: customToken,
+        returnSecureToken: true
+      },
+      {
+        referer: opts.referer
+      }
+    );
+    if (!response?.data) {
+      throw new Error("No data received from Firebase token exchange");
+    }
+    const parsedData = parseFirebaseResponse(response.data);
     return {
-      idToken: response?.data?.idToken || "",
-      refreshToken: response?.data?.refreshToken || ""
+      idToken: parsedData.idToken,
+      refreshToken: parsedData.refreshToken
     };
   }
-  async function createCustomIdAndRefreshToken(idToken) {
+  async function createCustomIdAndRefreshToken(idToken, opts) {
     const decoded = await verifyToken(idToken, options);
     const { data, errors } = decoded;
     if (errors) {
-      console.error("Token Verification failed:", errors);
       throw errors[0];
     }
-    const customToken = await createCustomTokenClaims(data.uid, {
+    const customToken = await createCustomToken(data.uid, {
       emailVerified: data.email_verified,
       source_sign_in_provider: data.firebase.sign_in_provider
     });
-    const idAndRefreshTokens = await customForIdAndRefreshToken(
-      customToken
-    );
+    const idAndRefreshTokens = await customForIdAndRefreshToken(customToken, {
+      referer: opts.referer
+    });
     return {
       ...idAndRefreshTokens,
       customToken
@@ -687,7 +639,8 @@ function getAuth(options) {
   }
   return {
     customForIdAndRefreshToken,
-    createCustomIdAndRefreshToken
+    createCustomIdAndRefreshToken,
+    refreshExpiredIdToken
   };
 }
 // Annotate the CommonJS export names for ESM import in node: