@tern-secure/backend 1.2.0-canary.v20251108045933 → 1.2.0-canary.v20251127221555

package/dist/index.js

@@ -78,6 +78,7 @@ var QueryParameters = {
 };
 var Headers2 = {
   Accept: "accept",
+  AppCheckToken: "x-firebase-appcheck",
   AuthMessage: "x-ternsecure-auth-message",
   Authorization: "authorization",
   AuthReason: "x-ternsecure-auth-reason",
@@ -371,6 +372,84 @@ var AbstractAPI = class {
   }
 };
 
+// src/fireRestApi/endpoints/AppCheckApi.ts
+function getSdkVersion() {
+  return "12.7.0";
+}
+var FIREBASE_APP_CHECK_CONFIG_HEADERS = {
+  "X-Firebase-Client": `fire-admin-node/${getSdkVersion()}`
+};
+var AppCheckApi = class extends AbstractAPI {
+  async exchangeCustomToken(params) {
+    const { projectId, appId, customToken, accessToken, limitedUse = false } = params;
+    if (!projectId || !appId) {
+      throw new Error("Project ID and App ID are required for App Check token exchange");
+    }
+    const endpoint = `https://firebaseappcheck.googleapis.com/v1beta/projects/${projectId}/apps/${appId}:exchangeCustomToken`;
+    const headers = {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${accessToken}`
+    };
+    const body = {
+      customToken,
+      limitedUse
+    };
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(body)
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      return {
+        token: data.token,
+        ttl: data.ttl
+      };
+    } catch (error) {
+      console.warn("[ternsecure - appcheck api]unexpected error:", error);
+      throw error;
+    }
+  }
+  async exchangeDebugToken(params) {
+    const { projectId, appId, customToken, accessToken, limitedUse = false } = params;
+    if (!projectId || !appId) {
+      throw new Error("Project ID and App ID are required for App Check token exchange");
+    }
+    const endpoint = `https://firebaseappcheck.googleapis.com/v1beta/projects/${projectId}/apps/${appId}:exchangeDebugToken`;
+    const headers = {
+      ...FIREBASE_APP_CHECK_CONFIG_HEADERS,
+      "Authorization": `Bearer ${accessToken}`
+    };
+    const body = {
+      customToken,
+      limitedUse
+    };
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(body)
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      return {
+        token: data.token,
+        ttl: data.ttl
+      };
+    } catch (error) {
+      console.warn("[ternsecure - appcheck api]unexpected error:", error);
+      throw error;
+    }
+  }
+};
+
 // src/fireRestApi/endpoints/EmailApi.ts
 var EmailApi = class extends AbstractAPI {
   async verifyEmailVerification(apiKey, params) {
@@ -424,6 +503,30 @@ var PasswordApi = class extends AbstractAPI {
   }
 };
 
+// src/fireRestApi/endpoints/SignInApi.ts
+var SignInApi = class extends AbstractAPI {
+  async resetPasswordEmail(apiKey, params) {
+    try {
+      this.requireApiKey(apiKey);
+      const { ...restParams } = params;
+      const response = await this.request({
+        endpoint: "sendOobCode",
+        method: "POST",
+        apiKey,
+        bodyParams: restParams
+      });
+      if (response.errors) {
+        const errorMessage = response.errors[0]?.message || "Failed to send reset password email";
+        throw new Error(errorMessage);
+      }
+      return response.data;
+    } catch (error) {
+      const contextualMessage = `Failed to send reset password email: ${error instanceof Error ? error.message : "Unknown error"}`;
+      throw new Error(contextualMessage);
+    }
+  }
+};
+
 // src/fireRestApi/endpoints/SignInTokenApi.ts
 var SignInTokenApi = class extends AbstractAPI {
   async createCustomToken(apiKey, params) {
@@ -464,11 +567,14 @@ var SignUpApi = class extends AbstractAPI {
 var TokenApi = class extends AbstractAPI {
   async refreshToken(apiKey, params) {
     this.requireApiKey(apiKey);
-    const { refresh_token, request_origin, ...restParams } = params;
+    const { refresh_token, request_origin, app_check_token, ...restParams } = params;
     const headers = {};
     if (request_origin) {
       headers["Referer"] = request_origin;
     }
+    if (app_check_token) {
+      headers["X-Firebase-AppCheck"] = app_check_token;
+    }
     const bodyParams = {
       grant_type: "refresh_token",
       refresh_token,
@@ -488,13 +594,23 @@ var TokenApi = class extends AbstractAPI {
     if (options?.referer) {
       headers["Referer"] = options.referer;
     }
-    return this.request({
+    if (options?.appCheckToken) {
+      headers["X-Firebase-AppCheck"] = options.appCheckToken;
+    }
+    const response = await this.request({
       endpoint: "signInWithCustomToken",
       method: "POST",
       apiKey,
       bodyParams: params,
       headerParams: headers
     });
+    if (response.errors) {
+      throw new Error(response.errors[0].message);
+    }
+    if (!response.data) {
+      throw new Error("No data received from Firebase token exchange");
+    }
+    return response.data;
   }
 };
 
@@ -556,6 +672,9 @@ var signInWithPassword = (apiKey) => {
 var signUpEndpoint = (apiKey) => {
   return `https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=${apiKey}`;
 };
+var sendOobCode = (apiKey) => {
+  return `https://identitytoolkit.googleapis.com/v1/accounts:sendOobCode?key=${apiKey}`;
+};
 var getCustomTokenEndpoint = (apiKey) => {
   if (useEmulator() && FIREBASE_AUTH_EMULATOR_HOST) {
     let protocol = "http://";
@@ -566,9 +685,6 @@ var getCustomTokenEndpoint = (apiKey) => {
   }
   return `https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=${apiKey}`;
 };
-var passwordResetEndpoint = (apiKey) => {
-  return `https://identitytoolkit.googleapis.com/v1/accounts:resetPassword?key=${apiKey}`;
-};
 
 // src/fireRestApi/request.ts
 var FIREBASE_ENDPOINT_MAP = {
@@ -576,8 +692,8 @@ var FIREBASE_ENDPOINT_MAP = {
   signInWithPassword,
   signUp: signUpEndpoint,
   signInWithCustomToken: getCustomTokenEndpoint,
-  passwordReset: passwordResetEndpoint,
-  sendOobCode: signInWithPassword,
+  passwordReset: sendOobCode,
+  sendOobCode,
   lookup: lookupEndpoint
 };
 function createRequest(options) {
@@ -626,8 +742,18 @@ function createRequest(options) {
           ...body
         });
       }
-      const isJSONResponse = res?.headers && res.headers?.get(constants.Headers.ContentType) === constants.ContentTypes.Json;
-      const responseBody = await (isJSONResponse ? res.json() : res.text());
+      const isJSONResponse = res?.headers && res.headers?.get(constants.Headers.ContentType)?.includes(constants.ContentTypes.Json);
+      let responseBody;
+      try {
+        const text = await res.text();
+        try {
+          responseBody = JSON.parse(text);
+        } catch {
+          responseBody = text;
+        }
+      } catch (e) {
+        responseBody = null;
+      }
       if (!res.ok) {
         return {
           data: null,
@@ -708,9 +834,11 @@ function parseError(error) {
 function createFireApi(options) {
   const request = createRequest(options);
   return {
+    appCheck: new AppCheckApi(request),
     email: new EmailApi(request),
     password: new PasswordApi(request),
-    signIn: new SignInTokenApi(request),
+    signIn: new SignInApi(request),
+    signInToken: new SignInTokenApi(request),
     signUp: new SignUpApi(request),
     tokens: new TokenApi(request),
     userData: new UserData(request)
@@ -1069,33 +1197,44 @@ async function verifySignature(jwt, key) {
   }
 }
 function ternDecodeJwt(token) {
-  const header = (0, import_jose3.decodeProtectedHeader)(token);
-  const payload = (0, import_jose3.decodeJwt)(token);
-  const tokenParts = (token || "").toString().split(".");
-  if (tokenParts.length !== 3) {
+  try {
+    const header = (0, import_jose3.decodeProtectedHeader)(token);
+    const payload = (0, import_jose3.decodeJwt)(token);
+    const tokenParts = (token || "").toString().split(".");
+    if (tokenParts.length !== 3) {
+      return {
+        errors: [
+          new TokenVerificationError({
+            reason: TokenVerificationErrorReason.TokenInvalid,
+            message: "Invalid JWT format"
+          })
+        ]
+      };
+    }
+    const [rawHeader, rawPayload, rawSignature] = tokenParts;
+    const signature = base64url.parse(rawSignature, { loose: true });
+    const data = {
+      header,
+      payload,
+      signature,
+      raw: {
+        header: rawHeader,
+        payload: rawPayload,
+        signature: rawSignature,
+        text: token
+      }
+    };
+    return { data };
+  } catch (error) {
     return {
       errors: [
         new TokenVerificationError({
           reason: TokenVerificationErrorReason.TokenInvalid,
-          message: "Invalid JWT format"
+          message: `${error.message || "Invalid Token or Protected Header formatting"} (Token length: ${token?.length}, First 10 chars: ${token?.substring(0, 10)}...)`
         })
       ]
     };
   }
-  const [rawHeader, rawPayload, rawSignature] = tokenParts;
-  const signature = base64url.parse(rawSignature, { loose: true });
-  const data = {
-    header,
-    payload,
-    signature,
-    raw: {
-      header: rawHeader,
-      payload: rawPayload,
-      signature: rawSignature,
-      text: token
-    }
-  };
-  return { data };
 }
 async function verifyJwt(token, options) {
   const { key } = options;
@@ -1253,6 +1392,143 @@ async function verifyToken(token, options) {
   }
 }
 
+// src/jwt/guardReturn.ts
+function createJwtGuard(decodedFn) {
+  return (...args) => {
+    const { data, errors } = decodedFn(...args);
+    if (errors) {
+      throw errors[0];
+    }
+    return data;
+  };
+}
+
+// src/jwt/jwt.ts
+var import_jose4 = require("jose");
+
+// src/jwt/signJwt.ts
+var import_jose5 = require("jose");
+var ALGORITHM_RS256 = "RS256";
+async function ternSignJwt(opts) {
+  const { payload, privateKey, keyId } = opts;
+  let key;
+  try {
+    key = await (0, import_jose5.importPKCS8)(privateKey, ALGORITHM_RS256);
+  } catch (error) {
+    throw new TokenVerificationError({
+      message: `Failed to import private key: ${error.message}`,
+      reason: TokenVerificationErrorReason.TokenInvalid
+    });
+  }
+  return new import_jose5.SignJWT(payload).setProtectedHeader({ alg: ALGORITHM_RS256, kid: keyId }).sign(key);
+}
+
+// src/jwt/index.ts
+var ternDecodeJwt2 = createJwtGuard(ternDecodeJwt);
+
+// src/auth/constants.ts
+var TOKEN_EXPIRY_THRESHOLD_MILLIS = 5 * 60 * 1e3;
+var GOOGLE_TOKEN_AUDIENCE = "https://accounts.google.com/o/oauth2/token";
+var GOOGLE_AUTH_TOKEN_HOST = "accounts.google.com";
+var GOOGLE_AUTH_TOKEN_PATH = "/o/oauth2/token";
+var ONE_HOUR_IN_SECONDS = 60 * 60;
+
+// src/auth/utils.ts
+async function getDetailFromResponse(response) {
+  const json = await response.json();
+  if (!json) {
+    return "Missing error payload";
+  }
+  let detail = typeof json.error === "string" ? json.error : json.error?.message ?? "Missing error payload";
+  if (json.error_description) {
+    detail += " (" + json.error_description + ")";
+  }
+  return detail;
+}
+async function fetchJson(url, init) {
+  return (await fetchAny(url, init)).json();
+}
+async function fetchAny(url, init) {
+  const response = await fetch(url, init);
+  if (!response.ok) {
+    throw new Error(await getDetailFromResponse(response));
+  }
+  return response;
+}
+
+// src/auth/credential.ts
+var accessTokenCache = /* @__PURE__ */ new Map();
+async function requestAccessToken(urlString, init) {
+  const json = await fetchJson(urlString, init);
+  if (!json.access_token || !json.expires_in) {
+    throw new Error("Invalid access token response");
+  }
+  return {
+    accessToken: json.access_token,
+    expirationTime: Date.now() + json.expires_in * 1e3
+  };
+}
+var ServiceAccountTokenManager = class {
+  projectId;
+  privateKey;
+  clientEmail;
+  constructor(serviceAccount) {
+    this.projectId = serviceAccount.projectId;
+    this.privateKey = serviceAccount.privateKey;
+    this.clientEmail = serviceAccount.clientEmail;
+  }
+  fetchAccessToken = async (url) => {
+    const token = await this.createJwt();
+    const postData = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" + token;
+    return requestAccessToken(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Authorization: `Bearer ${token}`,
+        Accept: "application/json"
+      },
+      body: postData
+    });
+  };
+  fetchAndCacheAccessToken = async (url) => {
+    const accessToken = await this.fetchAccessToken(url);
+    accessTokenCache.set(this.projectId, accessToken);
+    return accessToken;
+  };
+  getAccessToken = async (refresh) => {
+    const url = `https://${GOOGLE_AUTH_TOKEN_HOST}${GOOGLE_AUTH_TOKEN_PATH}`;
+    if (refresh) {
+      return this.fetchAndCacheAccessToken(url);
+    }
+    const cachedResponse = accessTokenCache.get(this.projectId);
+    if (!cachedResponse || cachedResponse.expirationTime - Date.now() <= TOKEN_EXPIRY_THRESHOLD_MILLIS) {
+      return this.fetchAndCacheAccessToken(url);
+    }
+    return cachedResponse;
+  };
+  createJwt = async () => {
+    const iat = Math.floor(Date.now() / 1e3);
+    const payload = {
+      aud: GOOGLE_TOKEN_AUDIENCE,
+      iat,
+      exp: iat + ONE_HOUR_IN_SECONDS,
+      iss: this.clientEmail,
+      sub: this.clientEmail,
+      scope: [
+        "https://www.googleapis.com/auth/cloud-platform",
+        "https://www.googleapis.com/auth/firebase.database",
+        "https://www.googleapis.com/auth/firebase.messaging",
+        "https://www.googleapis.com/auth/identitytoolkit",
+        "https://www.googleapis.com/auth/userinfo.email"
+      ].join(" ")
+    };
+    return ternSignJwt({
+      payload,
+      privateKey: this.privateKey
+    });
+  };
+};
+
 // src/auth/getauth.ts
 var API_KEY_ERROR = "API Key is required";
 var NO_DATA_ERROR = "No token data received";
@@ -1267,9 +1543,17 @@ function parseFirebaseResponse(data) {
   return data;
 }
 function getAuth(options) {
-  const { apiKey } = options;
+  const { apiKey, firebaseAdminConfig } = options;
   const firebaseApiKey = options.firebaseConfig?.apiKey;
   const effectiveApiKey = apiKey || firebaseApiKey;
+  let credential = null;
+  if (firebaseAdminConfig?.projectId && firebaseAdminConfig?.privateKey && firebaseAdminConfig?.clientEmail) {
+    credential = new ServiceAccountTokenManager({
+      projectId: firebaseAdminConfig.projectId,
+      privateKey: firebaseAdminConfig.privateKey,
+      clientEmail: firebaseAdminConfig.clientEmail
+    });
+  }
   async function getUserData(idToken, localId) {
     if (!effectiveApiKey) {
       throw new Error(API_KEY_ERROR);
@@ -1311,23 +1595,23 @@ function getAuth(options) {
     if (!effectiveApiKey) {
       throw new Error("API Key is required to create custom token");
     }
-    const response = await options.apiClient?.tokens.exchangeCustomForIdAndRefreshTokens(
+    const data = await options.apiClient?.tokens.exchangeCustomForIdAndRefreshTokens(
       effectiveApiKey,
       {
         token: customToken,
         returnSecureToken: true
       },
       {
-        referer: opts.referer
+        referer: opts.referer,
+        appCheckToken: opts.appCheckToken
       }
     );
-    if (!response?.data) {
+    if (!data) {
       throw new Error("No data received from Firebase token exchange");
     }
-    const parsedData = parseFirebaseResponse(response.data);
     return {
-      idToken: parsedData.idToken,
-      refreshToken: parsedData.refreshToken
+      idToken: data.idToken,
+      refreshToken: data.refreshToken
     };
   }
   async function createCustomIdAndRefreshToken(idToken, opts) {
@@ -1341,7 +1625,8 @@ function getAuth(options) {
       source_sign_in_provider: data.firebase.sign_in_provider
     });
     const idAndRefreshTokens = await customForIdAndRefreshToken(customToken, {
-      referer: opts.referer
+      referer: opts.referer,
+      appCheckToken: opts.appCheckToken
     });
     const decodedCustomIdToken = await verifyToken(idAndRefreshTokens.idToken, options);
     if (decodedCustomIdToken.errors) {
@@ -1353,11 +1638,60 @@ function getAuth(options) {
       auth_time: decodedCustomIdToken.data.auth_time
     };
   }
+  async function exchangeAppCheckToken(idToken) {
+    if (!credential) {
+      return {
+        data: null,
+        error: new Error(
+          "Firebase Admin config must be provided to exchange App Check tokens."
+        )
+      };
+    }
+    if (!effectiveApiKey) {
+      return { data: null, error: new Error(API_KEY_ERROR) };
+    }
+    try {
+      const decoded = await verifyToken(idToken, options);
+      if (decoded.errors) {
+        return { data: null, error: decoded.errors[0] };
+      }
+      const customToken = await createCustomToken(decoded.data.uid, {
+        emailVerified: decoded.data.email_verified,
+        source_sign_in_provider: decoded.data.firebase.sign_in_provider
+      });
+      const projectId = options.firebaseConfig?.projectId;
+      const appId = options.firebaseConfig?.appId;
+      if (!projectId || !appId) {
+        return { data: null, error: new Error("Project ID and App ID are required for App Check") };
+      }
+      const { accessToken } = await credential.getAccessToken();
+      const appCheckResponse = await options.apiClient?.appCheck.exchangeCustomToken({
+        accessToken,
+        projectId,
+        appId,
+        customToken,
+        limitedUse: false
+      });
+      if (!appCheckResponse?.token) {
+        return { data: null, error: new Error("Failed to exchange for App Check token") };
+      }
+      return {
+        data: {
+          token: appCheckResponse.token,
+          ttl: appCheckResponse.ttl
+        },
+        error: null
+      };
+    } catch (error) {
+      return { data: null, error };
+    }
+  }
   return {
     getUserData,
     customForIdAndRefreshToken,
     createCustomIdAndRefreshToken,
-    refreshExpiredIdToken
+    refreshExpiredIdToken,
+    exchangeAppCheckToken
   };
 }
 
@@ -1388,6 +1722,7 @@ var RequestProcessorContext = class {
     this.userAgent = this.getHeader(constants.Headers.UserAgent);
     this.secFetchDest = this.getHeader(constants.Headers.SecFetchDest);
     this.accept = this.getHeader(constants.Headers.Accept);
+    this.appCheckToken = this.getHeader(constants.Headers.AppCheckToken);
   }
   initCookieValues() {
     const isProduction = process.env.NODE_ENV === "production";
@@ -1451,14 +1786,13 @@ function isRequestForRefresh(error, context, request) {
 }
 async function authenticateRequest(request, options) {
   const context = createRequestProcessor(createTernSecureRequest(request), options);
-  const { refreshTokenInCookie } = context;
+  const { refreshTokenInCookie, appCheckToken } = context;
   const { refreshExpiredIdToken } = getAuth(options);
   function checkSessionTimeout(authTimeValue) {
     const defaultMaxAgeSeconds = convertToSeconds("5 days");
     const REAUTH_PERIOD_SECONDS = context.session?.maxAge ? convertToSeconds(context.session.maxAge) : defaultMaxAgeSeconds;
     const currentTime = Math.floor(Date.now() / 1e3);
     const authAge = currentTime - authTimeValue;
-    console.log("Current time:", currentTime, "Auth age:", authAge, "Reauth period (s):", REAUTH_PERIOD_SECONDS);
     if (authTimeValue > 0 && authAge > REAUTH_PERIOD_SECONDS) {
       return signedOut(context, AuthErrorReason.AuthTimeout, "Authentication expired");
     }
@@ -1475,7 +1809,8 @@ async function authenticateRequest(request, options) {
       };
     }
     return await refreshExpiredIdToken(refreshTokenInCookie, {
-      referer: context.ternUrl.origin
+      referer: context.ternUrl.origin,
+      appCheckToken
     });
   }
   async function handleRefresh() {
@@ -1577,7 +1912,24 @@ async function authenticateRequest(request, options) {
       if (errors) {
         throw errors[0];
       }
-      const signedInRequestState = signedIn(context, data, void 0, context.idTokenInCookie);
+      const { exchangeAppCheckToken } = getAuth(options);
+      let appCheckTokenValue;
+      try {
+        const idToken = context.idTokenInCookie || "";
+        const appCheckResult = await exchangeAppCheckToken(idToken);
+        console.log("[authenticateRequest] App Check exchange result:", appCheckResult);
+        if (appCheckResult.data?.token) {
+          appCheckTokenValue = appCheckResult.data.token;
+        }
+      } catch (error) {
+        console.warn("App Check token exchange failed:", error);
+      }
+      const headers = new Headers();
+      headers.set(
+        constants.Headers.AppCheckToken,
+        appCheckTokenValue || ""
+      );
+      const signedInRequestState = signedIn(context, data, headers, context.idTokenInCookie);
       return signedInRequestState;
     } catch (err) {
       return handleError(err, "cookie");
@@ -1591,7 +1943,23 @@ async function authenticateRequest(request, options) {
       if (errors) {
         throw errors[0];
       }
-      const signedInRequestState = signedIn(context, data, void 0, sessionTokenInHeader);
+      const { exchangeAppCheckToken } = getAuth(options);
+      let appCheckTokenValue;
+      try {
+        const token = sessionTokenInHeader || "";
+        const appCheckResult = await exchangeAppCheckToken(token);
+        if (appCheckResult.data?.token) {
+          appCheckTokenValue = appCheckResult.data.token;
+        }
+      } catch (error) {
+        console.warn("App Check token exchange failed:", error);
+      }
+      const headers = new Headers();
+      headers.set(
+        constants.Headers.AppCheckToken,
+        appCheckTokenValue || ""
+      );
+      const signedInRequestState = signedIn(context, data, headers, sessionTokenInHeader);
       return signedInRequestState;
     } catch (err) {
       return handleError(err, "header");
@@ -1605,6 +1973,16 @@ async function authenticateRequest(request, options) {
     if (isRequestForRefresh(err, context, request)) {
       const { data, error } = await handleRefresh();
       if (data) {
+        const { exchangeAppCheckToken } = getAuth(options);
+        let appCheckTokenValue;
+        try {
+          const appCheckResult = await exchangeAppCheckToken(data.token);
+          if (appCheckResult.data?.token) {
+            appCheckTokenValue = appCheckResult.data.token;
+          }
+        } catch (error2) {
+          console.warn("App Check token exchange failed in error handler:", error2);
+        }
         return signedIn(context, data.decoded, data.headers, data.token);
       }
       if (error?.cause?.reason) {