@tern-secure/backend 1.2.0-canary.v20251003134325 → 1.2.0-canary.v20251008131428

package/dist/index.js

@@ -376,20 +376,36 @@ var SignUpApi = class extends AbstractAPI {
 var TokenApi = class extends AbstractAPI {
   async refreshToken(apiKey, params) {
     this.requireApiKey(apiKey);
-    const { ...restParams } = params;
+    const { refresh_token, request_origin, ...restParams } = params;
+    const headers = {};
+    if (request_origin) {
+      headers["Referer"] = request_origin;
+    }
+    const bodyParams = {
+      grant_type: "refresh_token",
+      refresh_token,
+      ...restParams
+    };
     return this.request({
       endpoint: "refreshToken",
       method: "POST",
-      bodyParams: restParams
+      apiKey,
+      bodyParams,
+      headerParams: headers
     });
   }
-  async exchangeCustomForIdAndRefreshTokens(apiKey, params) {
+  async exchangeCustomForIdAndRefreshTokens(apiKey, params, options) {
     this.requireApiKey(apiKey);
+    const headers = {};
+    if (options?.referer) {
+      headers["Referer"] = options.referer;
+    }
     return this.request({
       endpoint: "signInWithCustomToken",
       method: "POST",
       apiKey,
-      bodyParams: params
+      bodyParams: params,
+      headerParams: headers
     });
   }
 };
@@ -461,8 +477,10 @@ function createRequest(options) {
         data: null,
         errors: [
           {
-            code: "missing_api_key",
-            message: "Firebase API key is required"
+            domain: "none",
+            reason: "invalid_parameter",
+            message: "Firebase API key is required",
+            code: "400"
           }
         ]
       };
@@ -517,8 +535,10 @@ function createRequest(options) {
           data: null,
           errors: [
             {
-              code: "unexpected_error",
-              message: error.message || "An unexpected error occurred"
+              domain: "none",
+              reason: "request_failed",
+              message: error.message || "An unexpected error occurred",
+              code: "500"
             }
           ]
         };
@@ -534,16 +554,42 @@ function createRequest(options) {
   return requestFn;
 }
 function parseErrors(data) {
-  if (!!data && typeof data === "object" && "errors" in data) {
-    const errors = data.errors;
-    return errors.length > 0 ? errors.map(parseError) : [];
+  let parsedData = data;
+  if (typeof data === "string") {
+    try {
+      parsedData = JSON.parse(data);
+    } catch (error) {
+      return [];
+    }
+  }
+  if (!parsedData || typeof parsedData !== "object") {
+    return [];
+  }
+  if ("error" in parsedData && typeof parsedData.error === "object" && parsedData.error !== null) {
+    const errorObj = parsedData.error;
+    if ("errors" in errorObj && Array.isArray(errorObj.errors) && errorObj.errors.length > 0) {
+      return errorObj.errors.map((err) => parseError({
+        code: errorObj.code || "unknown_error",
+        message: err.message || "Unknown error",
+        domain: err.domain,
+        reason: err.reason
+      }));
+    }
+    return [parseError({
+      code: errorObj.code?.toString() || "unknown_error",
+      message: errorObj.message || "Unknown error",
+      domain: errorObj.domain || "unknown",
+      reason: errorObj.reason || errorObj.code?.toString() || "unknown_error"
+    })];
   }
   return [];
 }
 function parseError(error) {
   return {
-    code: error.code,
-    message: error.message
+    domain: error.domain,
+    reason: error.reason,
+    message: error.message,
+    code: error.code
   };
 }
 
@@ -559,7 +605,117 @@ function createFireApi(options) {
   };
 }
 
+// src/jwt/customJwt.ts
+var import_jose = require("jose");
+var CustomTokenError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "CustomTokenError";
+  }
+};
+var RESERVED_CLAIMS = [
+  "acr",
+  "amr",
+  "at_hash",
+  "aud",
+  "auth_time",
+  "azp",
+  "cnf",
+  "c_hash",
+  "exp",
+  "firebase",
+  "iat",
+  "iss",
+  "jti",
+  "nbf",
+  "nonce",
+  "sub"
+];
+async function createCustomTokenJwt(uid, developerClaims) {
+  try {
+    const privateKey = process.env.FIREBASE_PRIVATE_KEY;
+    const clientEmail = process.env.FIREBASE_CLIENT_EMAIL;
+    if (!privateKey || !clientEmail) {
+      return {
+        errors: [
+          new CustomTokenError(
+            "Missing FIREBASE_PRIVATE_KEY or FIREBASE_CLIENT_EMAIL environment variables",
+            "MISSING_ENV_VARS"
+          )
+        ]
+      };
+    }
+    if (!uid || typeof uid !== "string") {
+      return {
+        errors: [new CustomTokenError("uid must be a non-empty string", "INVALID_UID")]
+      };
+    }
+    if (uid.length > 128) {
+      return {
+        errors: [new CustomTokenError("uid must not exceed 128 characters", "UID_TOO_LONG")]
+      };
+    }
+    if (developerClaims) {
+      for (const claim of Object.keys(developerClaims)) {
+        if (RESERVED_CLAIMS.includes(claim)) {
+          return {
+            errors: [new CustomTokenError(`Custom claim '${claim}' is reserved`, "RESERVED_CLAIM")]
+          };
+        }
+      }
+    }
+    const expiresIn = 3600;
+    const now = Math.floor(Date.now() / 1e3);
+    const parsedPrivateKey = await (0, import_jose.importPKCS8)(privateKey.replace(/\\n/g, "\n"), "RS256");
+    const payload = {
+      iss: clientEmail,
+      sub: clientEmail,
+      aud: "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
+      iat: now,
+      exp: now + expiresIn,
+      uid,
+      ...developerClaims
+    };
+    const jwt = await new import_jose.SignJWT(payload).setProtectedHeader({ alg: "RS256", typ: "JWT" }).setIssuedAt(now).setExpirationTime(now + expiresIn).setIssuer(clientEmail).setSubject(clientEmail).setAudience(
+      "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"
+    ).sign(parsedPrivateKey);
+    return {
+      data: jwt
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error occurred";
+    return {
+      errors: [
+        new CustomTokenError(`Failed to create custom token: ${message}`, "TOKEN_CREATION_FAILED")
+      ]
+    };
+  }
+}
+async function createCustomToken(uid, developerClaims) {
+  const { data, errors } = await createCustomTokenJwt(uid, developerClaims);
+  if (errors) {
+    throw errors[0];
+  }
+  return data;
+}
+
+// src/jwt/verifyJwt.ts
+var import_jose3 = require("jose");
+
 // src/utils/errors.ts
+var RefreshTokenErrorReason = {
+  NonEligibleNoCookie: "non-eligible-no-refresh-cookie",
+  NonEligibleNonGet: "non-eligible-non-get",
+  InvalidSessionToken: "invalid-session-token",
+  MissingApiClient: "missing-api-client",
+  MissingIdToken: "missing-id-token",
+  MissingSessionToken: "missing-session-token",
+  MissingRefreshToken: "missing-refresh-token",
+  ExpiredIdTokenDecodeFailed: "expired-id-token-decode-failed",
+  ExpiredSessionTokenDecodeFailed: "expired-session-token-decode-failed",
+  FetchError: "fetch-error"
+};
 var TokenVerificationErrorReason = {
   TokenExpired: "token-expired",
   TokenInvalid: "token-invalid",
@@ -594,88 +750,6 @@ var TokenVerificationError = class _TokenVerificationError extends Error {
   }
 };
 
-// src/utils/options.ts
-var defaultOptions = {
-  apiKey: void 0,
-  apiUrl: void 0,
-  apiVersion: void 0
-};
-function mergePreDefinedOptions(userOptions = {}) {
-  return {
-    ...defaultOptions,
-    ...userOptions
-  };
-}
-
-// src/tokens/c-authenticateRequestProcessor.ts
-var RequestProcessorContext = class {
-  constructor(ternSecureRequest, options) {
-    this.ternSecureRequest = ternSecureRequest;
-    this.options = options;
-    this.initHeaderValues();
-    this.initCookieValues();
-    this.initUrlValues();
-    Object.assign(this, options);
-    this.ternUrl = this.ternSecureRequest.ternUrl;
-  }
-  get request() {
-    return this.ternSecureRequest;
-  }
-  initHeaderValues() {
-    this.sessionTokenInHeader = this.parseAuthorizationHeader(
-      this.getHeader(constants.Headers.Authorization)
-    );
-    this.origin = this.getHeader(constants.Headers.Origin);
-    this.host = this.getHeader(constants.Headers.Host);
-    this.forwardedHost = this.getHeader(constants.Headers.ForwardedHost);
-    this.forwardedProto = this.getHeader(constants.Headers.CloudFrontForwardedProto) || this.getHeader(constants.Headers.ForwardedProto);
-    this.referrer = this.getHeader(constants.Headers.Referrer);
-    this.userAgent = this.getHeader(constants.Headers.UserAgent);
-    this.secFetchDest = this.getHeader(constants.Headers.SecFetchDest);
-    this.accept = this.getHeader(constants.Headers.Accept);
-  }
-  initCookieValues() {
-    const isProduction = process.env.NODE_ENV === "production";
-    const defaultPrefix = isProduction ? "__HOST-" : "__dev_";
-    this.sessionTokenInCookie = this.getCookie(constants.Cookies.Session);
-    this.idTokenInCookie = this.getCookie(`${defaultPrefix}${constants.Cookies.IdToken}`);
-    this.refreshTokenInCookie = this.getCookie(`${defaultPrefix}${constants.Cookies.Refresh}`);
-    this.csrfTokenInCookie = this.getCookie(constants.Cookies.CsrfToken);
-    this.customTokenInCookie = this.getCookie(constants.Cookies.Custom);
-  }
-  initUrlValues() {
-    this.method = this.ternSecureRequest.method;
-    this.pathSegments = this.ternSecureRequest.ternUrl.pathname.split("/").filter(Boolean);
-    this.endpoint = this.pathSegments[2];
-    this.subEndpoint = this.pathSegments[3];
-  }
-  getHeader(name) {
-    return this.ternSecureRequest.headers.get(name) || void 0;
-  }
-  getCookie(name) {
-    return this.ternSecureRequest.cookies.get(name) || void 0;
-  }
-  parseAuthorizationHeader(authorizationHeader) {
-    if (!authorizationHeader) {
-      return void 0;
-    }
-    const [scheme, token] = authorizationHeader.split(" ", 2);
-    if (!token) {
-      return scheme;
-    }
-    if (scheme === "Bearer") {
-      return token;
-    }
-    return void 0;
-  }
-};
-var createRequestProcessor = (ternSecureRequest, options) => {
-  return new RequestProcessorContext(ternSecureRequest, options);
-};
-
-// src/jwt/verifyJwt.ts
-var import_jose2 = require("jose");
-
 // src/utils/rfc4648.ts
 var base64url = {
   parse(string, opts) {
@@ -753,10 +827,10 @@ function stringify(data, encoding, opts = {}) {
 }
 
 // src/jwt/cryptoKeys.ts
-var import_jose = require("jose");
+var import_jose2 = require("jose");
 async function importKey(key, algorithm) {
   if (typeof key === "object") {
-    const result = await (0, import_jose.importJWK)(key, algorithm);
+    const result = await (0, import_jose2.importJWK)(key, algorithm);
     if (result instanceof Uint8Array) {
       throw new Error("Unexpected Uint8Array result from JWK import");
     }
@@ -764,13 +838,13 @@ async function importKey(key, algorithm) {
   }
   const keyString = key.trim();
   if (keyString.includes("-----BEGIN CERTIFICATE-----")) {
-    return await (0, import_jose.importX509)(keyString, algorithm);
+    return await (0, import_jose2.importX509)(keyString, algorithm);
   }
   if (keyString.includes("-----BEGIN PUBLIC KEY-----")) {
-    return await (0, import_jose.importSPKI)(keyString, algorithm);
+    return await (0, import_jose2.importSPKI)(keyString, algorithm);
   }
   try {
-    return await (0, import_jose.importSPKI)(keyString, algorithm);
+    return await (0, import_jose2.importSPKI)(keyString, algorithm);
   } catch (error) {
     throw new Error(
       `Unsupported key format. Supported formats: X.509 certificate (PEM), SPKI (PEM), JWK (JSON object or string). Error: ${error}`
@@ -853,7 +927,7 @@ async function verifySignature(jwt, key) {
   const joseAlgorithm = header.alg || "RS256";
   try {
     const publicKey = await importKey(key, joseAlgorithm);
-    const { payload } = await (0, import_jose2.jwtVerify)(raw.text, publicKey);
+    const { payload } = await (0, import_jose3.jwtVerify)(raw.text, publicKey);
     return { data: payload };
   } catch (error) {
     return {
@@ -868,8 +942,8 @@ async function verifySignature(jwt, key) {
 }
 function ternDecodeJwt(token) {
   try {
-    const header = (0, import_jose2.decodeProtectedHeader)(token);
-    const payload = (0, import_jose2.decodeJwt)(token);
+    const header = (0, import_jose3.decodeProtectedHeader)(token);
+    const payload = (0, import_jose3.decodeJwt)(token);
     const tokenParts = (token || "").toString().split(".");
     if (tokenParts.length !== 3) {
       return {
@@ -1062,12 +1136,223 @@ async function verifyToken(token, options) {
   }
 }
 
+// src/auth/getauth.ts
+var API_KEY_ERROR = "API Key is required";
+var NO_DATA_ERROR = "No token data received";
+function parseFirebaseResponse(data) {
+  if (typeof data === "string") {
+    try {
+      return JSON.parse(data);
+    } catch (error) {
+      throw new Error(`Failed to parse Firebase response: ${error}`);
+    }
+  }
+  return data;
+}
+function getAuth(options) {
+  const { apiKey } = options;
+  const firebaseApiKey = options.firebaseConfig?.apiKey;
+  const effectiveApiKey = apiKey || firebaseApiKey;
+  async function refreshExpiredIdToken(refreshToken, opts) {
+    if (!effectiveApiKey) {
+      return { data: null, error: new Error(API_KEY_ERROR) };
+    }
+    const response = await options.apiClient?.tokens.refreshToken(effectiveApiKey, {
+      refresh_token: refreshToken,
+      request_origin: opts.referer
+    });
+    if (!response?.data) {
+      return {
+        data: null,
+        error: new Error(NO_DATA_ERROR)
+      };
+    }
+    const parsedData = parseFirebaseResponse(response.data);
+    return {
+      data: {
+        idToken: parsedData.id_token,
+        refreshToken: parsedData.refresh_token
+      },
+      error: null
+    };
+  }
+  async function customForIdAndRefreshToken(customToken, opts) {
+    if (!effectiveApiKey) {
+      throw new Error("API Key is required to create custom token");
+    }
+    const response = await options.apiClient?.tokens.exchangeCustomForIdAndRefreshTokens(
+      effectiveApiKey,
+      {
+        token: customToken,
+        returnSecureToken: true
+      },
+      {
+        referer: opts.referer
+      }
+    );
+    if (!response?.data) {
+      throw new Error("No data received from Firebase token exchange");
+    }
+    const parsedData = parseFirebaseResponse(response.data);
+    return {
+      idToken: parsedData.idToken,
+      refreshToken: parsedData.refreshToken
+    };
+  }
+  async function createCustomIdAndRefreshToken(idToken, opts) {
+    const decoded = await verifyToken(idToken, options);
+    const { data, errors } = decoded;
+    if (errors) {
+      throw errors[0];
+    }
+    const customToken = await createCustomToken(data.uid, {
+      emailVerified: data.email_verified,
+      source_sign_in_provider: data.firebase.sign_in_provider
+    });
+    const idAndRefreshTokens = await customForIdAndRefreshToken(customToken, {
+      referer: opts.referer
+    });
+    return {
+      ...idAndRefreshTokens,
+      customToken
+    };
+  }
+  return {
+    customForIdAndRefreshToken,
+    createCustomIdAndRefreshToken,
+    refreshExpiredIdToken
+  };
+}
+
+// src/utils/options.ts
+var defaultOptions = {
+  apiKey: void 0,
+  apiUrl: void 0,
+  apiVersion: void 0
+};
+function mergePreDefinedOptions(userOptions = {}) {
+  return {
+    ...defaultOptions,
+    ...userOptions
+  };
+}
+
+// src/tokens/c-authenticateRequestProcessor.ts
+var RequestProcessorContext = class {
+  constructor(ternSecureRequest, options) {
+    this.ternSecureRequest = ternSecureRequest;
+    this.options = options;
+    this.initHeaderValues();
+    this.initCookieValues();
+    this.initUrlValues();
+    Object.assign(this, options);
+    this.ternUrl = this.ternSecureRequest.ternUrl;
+  }
+  get request() {
+    return this.ternSecureRequest;
+  }
+  initHeaderValues() {
+    this.sessionTokenInHeader = this.parseAuthorizationHeader(
+      this.getHeader(constants.Headers.Authorization)
+    );
+    this.origin = this.getHeader(constants.Headers.Origin);
+    this.host = this.getHeader(constants.Headers.Host);
+    this.forwardedHost = this.getHeader(constants.Headers.ForwardedHost);
+    this.forwardedProto = this.getHeader(constants.Headers.CloudFrontForwardedProto) || this.getHeader(constants.Headers.ForwardedProto);
+    this.referrer = this.getHeader(constants.Headers.Referrer);
+    this.userAgent = this.getHeader(constants.Headers.UserAgent);
+    this.secFetchDest = this.getHeader(constants.Headers.SecFetchDest);
+    this.accept = this.getHeader(constants.Headers.Accept);
+  }
+  initCookieValues() {
+    const isProduction = process.env.NODE_ENV === "production";
+    const defaultPrefix = isProduction ? "__HOST-" : "__dev_";
+    this.sessionTokenInCookie = this.getCookie(constants.Cookies.Session);
+    this.idTokenInCookie = this.getCookie(`${defaultPrefix}${constants.Cookies.IdToken}`);
+    this.refreshTokenInCookie = this.getCookie(`${defaultPrefix}${constants.Cookies.Refresh}`);
+    this.csrfTokenInCookie = this.getCookie(constants.Cookies.CsrfToken);
+    this.customTokenInCookie = this.getCookie(constants.Cookies.Custom);
+  }
+  initUrlValues() {
+    this.method = this.ternSecureRequest.method;
+    this.pathSegments = this.ternSecureRequest.ternUrl.pathname.split("/").filter(Boolean);
+    this.endpoint = this.pathSegments[2];
+    this.subEndpoint = this.pathSegments[3];
+  }
+  getHeader(name) {
+    return this.ternSecureRequest.headers.get(name) || void 0;
+  }
+  getCookie(name) {
+    return this.ternSecureRequest.cookies.get(name) || void 0;
+  }
+  parseAuthorizationHeader(authorizationHeader) {
+    if (!authorizationHeader) {
+      return void 0;
+    }
+    const [scheme, token] = authorizationHeader.split(" ", 2);
+    if (!token) {
+      return scheme;
+    }
+    if (scheme === "Bearer") {
+      return token;
+    }
+    return void 0;
+  }
+};
+var createRequestProcessor = (ternSecureRequest, options) => {
+  return new RequestProcessorContext(ternSecureRequest, options);
+};
+
+// src/tokens/cookie.ts
+var import_cookie2 = require("@tern-secure/shared/cookie");
+
 // src/tokens/request.ts
 function hasAuthorizationHeader(request) {
   return request.headers.has("Authorization");
 }
+function isRequestForRefresh(error, context, request) {
+  return error.reason === TokenVerificationErrorReason.TokenExpired && !!context.refreshTokenInCookie && request.method === "GET";
+}
 async function authenticateRequest(request, options) {
   const context = createRequestProcessor(createTernSecureRequest(request), options);
+  const { refreshTokenInCookie } = context;
+  const { refreshExpiredIdToken } = getAuth(options);
+  async function refreshToken() {
+    if (!refreshTokenInCookie) {
+      return {
+        data: null,
+        error: {
+          message: "No refresh token available",
+          reason: AuthErrorReason.SessionTokenMissing
+        }
+      };
+    }
+    return await refreshExpiredIdToken(refreshTokenInCookie, {
+      referer: context.ternUrl.origin
+    });
+  }
+  async function handleRefresh() {
+    const { data: refreshedData, error } = await refreshToken();
+    if (!refreshedData) {
+      return { data: null, error };
+    }
+    const headers = new Headers();
+    const { idToken } = refreshedData;
+    const maxAge = 3600;
+    const cookiePrefix = (0, import_cookie2.getCookiePrefix)();
+    const idTokenCookieName = (0, import_cookie2.getCookieName)(constants.Cookies.IdToken, cookiePrefix);
+    const baseCookieAttributes = "HttpOnly; Secure; SameSite=Strict; Path=/";
+    const idTokenCookie = `${idTokenCookieName}=${idToken}; ${baseCookieAttributes};`;
+    headers.append("Set-Cookie", idTokenCookie);
+    const { data: decoded, errors } = await verifyToken(idToken, options);
+    if (errors) {
+      return {
+        data: null,
+        error: errors ? errors[0] : new Error("Failed to verify refreshed token")
+      };
+    }
+    return { data: { decoded, token: idToken, headers }, error: null };
+  }
   async function authenticateRequestWithTokenInCookie() {
     try {
       const { data, errors } = await verifyToken(context.idTokenInCookie, options);
@@ -1098,6 +1383,23 @@ async function authenticateRequest(request, options) {
       return signedOut(AuthErrorReason.UnexpectedError);
     }
     let refreshError;
+    if (isRequestForRefresh(err, context, request)) {
+      const { data, error } = await handleRefresh();
+      if (data) {
+        return signedIn(data.decoded, data.headers, data.token);
+      }
+      if (error?.cause?.reason) {
+        refreshError = error.cause.reason;
+      }
+    } else {
+      if (request.method !== "GET") {
+        refreshError = RefreshTokenErrorReason.NonEligibleNonGet;
+      } else if (!context.refreshTokenInCookie) {
+        refreshError = RefreshTokenErrorReason.NonEligibleNoCookie;
+      } else {
+        refreshError = null;
+      }
+    }
     err.tokenCarrier = tokenCarrier;
     return signedOut(err.reason, err.getFullMessage());
   }