@tern-secure/backend 1.2.0-canary.v20251125170702 → 1.2.0-canary.v20251127221555

package/dist/{chunk-MS6L7M3C.mjs → chunk-DJLDUW7J.mjs}

@@ -3,14 +3,15 @@ import {
   DEFAULT_CACHE_DURATION,
   GOOGLE_PUBLIC_KEYS_URL,
   MAX_CACHE_LAST_UPDATED_AT_SECONDS
-} from "./chunk-DFAJCSBJ.mjs";
+} from "./chunk-WIVOBOZR.mjs";
 import {
   TokenVerificationError,
   TokenVerificationErrorReason,
   createCustomToken,
   ternDecodeJwt,
+  ternSignJwt,
   verifyJwt
-} from "./chunk-DDUNOEIM.mjs";
+} from "./chunk-NXYWC6YO.mjs";
 
 // src/tokens/keys.ts
 var cache = {};
@@ -137,6 +138,109 @@ async function verifyToken(token, options) {
   }
 }
 
+// src/auth/constants.ts
+var TOKEN_EXPIRY_THRESHOLD_MILLIS = 5 * 60 * 1e3;
+var GOOGLE_TOKEN_AUDIENCE = "https://accounts.google.com/o/oauth2/token";
+var GOOGLE_AUTH_TOKEN_HOST = "accounts.google.com";
+var GOOGLE_AUTH_TOKEN_PATH = "/o/oauth2/token";
+var ONE_HOUR_IN_SECONDS = 60 * 60;
+
+// src/auth/utils.ts
+async function getDetailFromResponse(response) {
+  const json = await response.json();
+  if (!json) {
+    return "Missing error payload";
+  }
+  let detail = typeof json.error === "string" ? json.error : json.error?.message ?? "Missing error payload";
+  if (json.error_description) {
+    detail += " (" + json.error_description + ")";
+  }
+  return detail;
+}
+async function fetchJson(url, init) {
+  return (await fetchAny(url, init)).json();
+}
+async function fetchAny(url, init) {
+  const response = await fetch(url, init);
+  if (!response.ok) {
+    throw new Error(await getDetailFromResponse(response));
+  }
+  return response;
+}
+
+// src/auth/credential.ts
+var accessTokenCache = /* @__PURE__ */ new Map();
+async function requestAccessToken(urlString, init) {
+  const json = await fetchJson(urlString, init);
+  if (!json.access_token || !json.expires_in) {
+    throw new Error("Invalid access token response");
+  }
+  return {
+    accessToken: json.access_token,
+    expirationTime: Date.now() + json.expires_in * 1e3
+  };
+}
+var ServiceAccountTokenManager = class {
+  projectId;
+  privateKey;
+  clientEmail;
+  constructor(serviceAccount) {
+    this.projectId = serviceAccount.projectId;
+    this.privateKey = serviceAccount.privateKey;
+    this.clientEmail = serviceAccount.clientEmail;
+  }
+  fetchAccessToken = async (url) => {
+    const token = await this.createJwt();
+    const postData = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" + token;
+    return requestAccessToken(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Authorization: `Bearer ${token}`,
+        Accept: "application/json"
+      },
+      body: postData
+    });
+  };
+  fetchAndCacheAccessToken = async (url) => {
+    const accessToken = await this.fetchAccessToken(url);
+    accessTokenCache.set(this.projectId, accessToken);
+    return accessToken;
+  };
+  getAccessToken = async (refresh) => {
+    const url = `https://${GOOGLE_AUTH_TOKEN_HOST}${GOOGLE_AUTH_TOKEN_PATH}`;
+    if (refresh) {
+      return this.fetchAndCacheAccessToken(url);
+    }
+    const cachedResponse = accessTokenCache.get(this.projectId);
+    if (!cachedResponse || cachedResponse.expirationTime - Date.now() <= TOKEN_EXPIRY_THRESHOLD_MILLIS) {
+      return this.fetchAndCacheAccessToken(url);
+    }
+    return cachedResponse;
+  };
+  createJwt = async () => {
+    const iat = Math.floor(Date.now() / 1e3);
+    const payload = {
+      aud: GOOGLE_TOKEN_AUDIENCE,
+      iat,
+      exp: iat + ONE_HOUR_IN_SECONDS,
+      iss: this.clientEmail,
+      sub: this.clientEmail,
+      scope: [
+        "https://www.googleapis.com/auth/cloud-platform",
+        "https://www.googleapis.com/auth/firebase.database",
+        "https://www.googleapis.com/auth/firebase.messaging",
+        "https://www.googleapis.com/auth/identitytoolkit",
+        "https://www.googleapis.com/auth/userinfo.email"
+      ].join(" ")
+    };
+    return ternSignJwt({
+      payload,
+      privateKey: this.privateKey
+    });
+  };
+};
+
 // src/auth/getauth.ts
 var API_KEY_ERROR = "API Key is required";
 var NO_DATA_ERROR = "No token data received";
@@ -151,9 +255,17 @@ function parseFirebaseResponse(data) {
   return data;
 }
 function getAuth(options) {
-  const { apiKey } = options;
+  const { apiKey, firebaseAdminConfig } = options;
   const firebaseApiKey = options.firebaseConfig?.apiKey;
   const effectiveApiKey = apiKey || firebaseApiKey;
+  let credential = null;
+  if (firebaseAdminConfig?.projectId && firebaseAdminConfig?.privateKey && firebaseAdminConfig?.clientEmail) {
+    credential = new ServiceAccountTokenManager({
+      projectId: firebaseAdminConfig.projectId,
+      privateKey: firebaseAdminConfig.privateKey,
+      clientEmail: firebaseAdminConfig.clientEmail
+    });
+  }
   async function getUserData(idToken, localId) {
     if (!effectiveApiKey) {
       throw new Error(API_KEY_ERROR);
@@ -195,23 +307,23 @@ function getAuth(options) {
     if (!effectiveApiKey) {
       throw new Error("API Key is required to create custom token");
     }
-    const response = await options.apiClient?.tokens.exchangeCustomForIdAndRefreshTokens(
+    const data = await options.apiClient?.tokens.exchangeCustomForIdAndRefreshTokens(
       effectiveApiKey,
       {
         token: customToken,
         returnSecureToken: true
       },
       {
-        referer: opts.referer
+        referer: opts.referer,
+        appCheckToken: opts.appCheckToken
       }
     );
-    if (!response?.data) {
+    if (!data) {
       throw new Error("No data received from Firebase token exchange");
     }
-    const parsedData = parseFirebaseResponse(response.data);
     return {
-      idToken: parsedData.idToken,
-      refreshToken: parsedData.refreshToken
+      idToken: data.idToken,
+      refreshToken: data.refreshToken
     };
   }
   async function createCustomIdAndRefreshToken(idToken, opts) {
@@ -225,7 +337,8 @@ function getAuth(options) {
       source_sign_in_provider: data.firebase.sign_in_provider
     });
     const idAndRefreshTokens = await customForIdAndRefreshToken(customToken, {
-      referer: opts.referer
+      referer: opts.referer,
+      appCheckToken: opts.appCheckToken
     });
     const decodedCustomIdToken = await verifyToken(idAndRefreshTokens.idToken, options);
     if (decodedCustomIdToken.errors) {
@@ -237,11 +350,60 @@ function getAuth(options) {
       auth_time: decodedCustomIdToken.data.auth_time
     };
   }
+  async function exchangeAppCheckToken(idToken) {
+    if (!credential) {
+      return {
+        data: null,
+        error: new Error(
+          "Firebase Admin config must be provided to exchange App Check tokens."
+        )
+      };
+    }
+    if (!effectiveApiKey) {
+      return { data: null, error: new Error(API_KEY_ERROR) };
+    }
+    try {
+      const decoded = await verifyToken(idToken, options);
+      if (decoded.errors) {
+        return { data: null, error: decoded.errors[0] };
+      }
+      const customToken = await createCustomToken(decoded.data.uid, {
+        emailVerified: decoded.data.email_verified,
+        source_sign_in_provider: decoded.data.firebase.sign_in_provider
+      });
+      const projectId = options.firebaseConfig?.projectId;
+      const appId = options.firebaseConfig?.appId;
+      if (!projectId || !appId) {
+        return { data: null, error: new Error("Project ID and App ID are required for App Check") };
+      }
+      const { accessToken } = await credential.getAccessToken();
+      const appCheckResponse = await options.apiClient?.appCheck.exchangeCustomToken({
+        accessToken,
+        projectId,
+        appId,
+        customToken,
+        limitedUse: false
+      });
+      if (!appCheckResponse?.token) {
+        return { data: null, error: new Error("Failed to exchange for App Check token") };
+      }
+      return {
+        data: {
+          token: appCheckResponse.token,
+          ttl: appCheckResponse.ttl
+        },
+        error: null
+      };
+    } catch (error) {
+      return { data: null, error };
+    }
+  }
   return {
     getUserData,
     customForIdAndRefreshToken,
     createCustomIdAndRefreshToken,
-    refreshExpiredIdToken
+    refreshExpiredIdToken,
+    exchangeAppCheckToken
   };
 }
 
@@ -249,4 +411,4 @@ export {
   verifyToken,
   getAuth
 };
-//# sourceMappingURL=chunk-MS6L7M3C.mjs.map
+//# sourceMappingURL=chunk-DJLDUW7J.mjs.map

package/dist/chunk-DJLDUW7J.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/tokens/keys.ts","../src/tokens/verify.ts","../src/auth/constants.ts","../src/auth/utils.ts","../src/auth/credential.ts","../src/auth/getauth.ts"],"sourcesContent":["import { type RemoteJWKSetOptions } from 'jose';\n\nimport {\n  CACHE_CONTROL_REGEX,\n  DEFAULT_CACHE_DURATION,\n  GOOGLE_PUBLIC_KEYS_URL,\n  MAX_CACHE_LAST_UPDATED_AT_SECONDS\n} from '../constants';\nimport { TokenVerificationError, TokenVerificationErrorReason } from '../utils/errors';\n\nexport type PublicKeys = { [key: string]: string };\n\ninterface PublicKeysResponse {\n  keys: PublicKeys;\n  expiresAt: number;\n}\n\nexport type LoadJWKFromRemoteOptions = RemoteJWKSetOptions & {\n  kid: string;\n  keyURL?: string;\n  skipJwksCache?: boolean;\n};\n\ntype CertificateCache = Record<string, string>;\n\nlet cache: CertificateCache = {};\nlet lastUpdatedAt = 0;\nlet googleExpiresAt = 0;\n\nfunction getFromCache(kid: string) {\n  return cache[kid];\n}\n\nfunction getCacheValues() {\n  return Object.values(cache);\n}\n\nfunction setInCache(kid: string, certificate: string, shouldExpire = true) {\n  cache[kid] = certificate;\n  lastUpdatedAt = shouldExpire ? Date.now() : -1;\n}\n\nasync function fetchPublicKeys(keyUrl: string): Promise<PublicKeysResponse> {\n  const url = new URL(keyUrl);\n  const response = await fetch(url);\n  if (!response.ok) {\n    throw new TokenVerificationError({\n      message: `Error loading public keys from ${url.href} with code=${response.status} `,\n      reason: TokenVerificationErrorReason.TokenInvalid,\n    });\n  }\n\n  const data = await response.json();\n  const expiresAt = getExpiresAt(response);\n\n  return {\n    keys: data,\n    expiresAt,\n  };\n}\n\nexport async function loadJWKFromRemote({\n  keyURL = GOOGLE_PUBLIC_KEYS_URL,\n  skipJwksCache,\n  kid,\n}: LoadJWKFromRemoteOptions): Promise<string> {\n  if (skipJwksCache || isCacheExpired() || !getFromCache(kid)) {\n    const { keys, expiresAt } = await fetchPublicKeys(keyURL);\n\n    if (!keys || Object.keys(keys).length === 0) {\n      throw new TokenVerificationError({\n        message: `The JWKS endpoint ${keyURL} returned no keys`,\n        reason: TokenVerificationErrorReason.RemoteJWKFailedToLoad,\n      });\n    }\n    googleExpiresAt = expiresAt;\n\n    Object.entries(keys).forEach(([keyId, cert]) => {\n      setInCache(keyId, cert);\n    });\n  }\n  const cert = getFromCache(kid);\n  if (!cert) {\n    getCacheValues();\n    const availableKids = Object.keys(cache).sort().join(', ');\n\n    throw new TokenVerificationError({\n      message: `No public key found for kid \"${kid}\". Available kids: [${availableKids}]`,\n      reason: TokenVerificationErrorReason.TokenInvalid,\n    });\n  }\n  return cert;\n}\n\nfunction isCacheExpired() {\n  const now = Date.now();\n  if (lastUpdatedAt === -1) {\n    return false;\n  }\n\n  const cacheAge = now - lastUpdatedAt;\n  const maxCacheAge = MAX_CACHE_LAST_UPDATED_AT_SECONDS * 1000;\n  const localCacheExpired = cacheAge >= maxCacheAge;\n  const googleCacheExpired = now >= googleExpiresAt;\n\n  const isExpired = localCacheExpired || googleCacheExpired;\n\n  if (isExpired) {\n    cache = {};\n  }\n\n  return isExpired;\n}\n\nfunction getExpiresAt(res: Response) {\n  const cacheControlHeader = res.headers.get('cache-control');\n  if (!cacheControlHeader) {\n    return Date.now() + DEFAULT_CACHE_DURATION;\n  }\n  const maxAgeMatch = cacheControlHeader.match(CACHE_CONTROL_REGEX);\n  const maxAge = maxAgeMatch ? parseInt(maxAgeMatch[1], 10) : DEFAULT_CACHE_DURATION / 1000;\n\n  return Date.now() + maxAge * 1000;\n}\n\nexport const getCacheStats = () => ({\n  localExpiry: lastUpdatedAt + MAX_CACHE_LAST_UPDATED_AT_SECONDS * 1000,\n  googleExpiry: googleExpiresAt,\n  cacheCount: Object.keys(cache).length,\n});\n","import type { DecodedIdToken, TernSecureAdminConfig, TernSecureConfig, TernSecureUserData} from '@tern-secure/types';\n\nimport type { JwtReturnType } from '../jwt/types';\nimport { ternDecodeJwt, verifyJwt, type VerifyJwtOptions } from '../jwt/verifyJwt';\nimport { TokenVerificationError, TokenVerificationErrorReason } from '../utils/errors';\nimport type { LoadJWKFromRemoteOptions } from './keys';\nimport { loadJWKFromRemote } from './keys';\n\nexport type VerifyTokenVOptions = Omit<VerifyJwtOptions, 'key'> & Omit<LoadJWKFromRemoteOptions, 'kid'> & {\n  jwtKey?: string;\n};\n\nexport { TernSecureConfig, TernSecureAdminConfig, TernSecureUserData };\n\nexport async function verifyToken(\n  token: string,\n  options: VerifyTokenVOptions,\n): Promise<JwtReturnType<DecodedIdToken, TokenVerificationError>> {\n  const { data: decodedResult, errors } = ternDecodeJwt(token);\n\n  if (errors) {\n    return { errors };\n  }\n\n  const { header } = decodedResult;\n  const { kid } = header;\n\n  if (!kid) {\n    return {\n      errors: [\n        new TokenVerificationError({\n          reason: TokenVerificationErrorReason.TokenInvalid,\n          message: 'JWT \"kid\" header is missing.',\n        }),\n      ],\n    };\n  }\n\n  try {\n    const key = options.jwtKey || (await loadJWKFromRemote({ ...options, kid }));\n\n    if (!key) {\n      return {\n        errors: [\n          new TokenVerificationError({\n            reason: TokenVerificationErrorReason.TokenInvalid,\n            message: `No public key found for kid \"${kid}\".`,\n          }),\n        ],\n      };\n    }\n    return await verifyJwt(token, { ...options, key });\n  } catch (error) {\n    if (error instanceof TokenVerificationError) {\n      return { errors: [error] };\n    }\n    return {\n      errors: [error as TokenVerificationError],\n    };\n  }\n}\n","export const TOKEN_EXPIRY_THRESHOLD_MILLIS = 5 * 60 * 1000;\nexport const GOOGLE_TOKEN_AUDIENCE = 'https://accounts.google.com/o/oauth2/token';\nexport const GOOGLE_AUTH_TOKEN_HOST = 'accounts.google.com';\nexport const GOOGLE_AUTH_TOKEN_PATH = '/o/oauth2/token';\nexport const ONE_HOUR_IN_SECONDS = 60 * 60;","async function getDetailFromResponse(response: Response): Promise<string> {\n    const json = await response.json();\n\n    if (!json) {\n        return 'Missing error payload';\n    }\n\n    let detail =\n        typeof json.error === 'string'\n            ? json.error\n            : (json.error?.message ?? 'Missing error payload');\n\n    if (json.error_description) {\n        detail += ' (' + json.error_description + ')';\n    }\n\n    return detail;\n}\n\nexport async function fetchJson(url: string, init: RequestInit) {\n    return (await fetchAny(url, init)).json();\n}\n\nexport async function fetchAny(url: string, init: RequestInit) {\n    const response = await fetch(url, init);\n\n    if (!response.ok) {\n        throw new Error(await getDetailFromResponse(response));\n    }\n\n    return response;\n}","import type { JWTPayload } from '@tern-secure/types';\n\nimport { ternSignJwt } from '../jwt';\nimport {\n    GOOGLE_AUTH_TOKEN_HOST,\n    GOOGLE_AUTH_TOKEN_PATH,\n    GOOGLE_TOKEN_AUDIENCE,\n    ONE_HOUR_IN_SECONDS,\n    TOKEN_EXPIRY_THRESHOLD_MILLIS\n} from './constants'\nimport { fetchJson } from './utils';\n\n\nexport interface GoogleOAuthAccessToken {\n    access_token: string;\n    expires_in: number;\n}\n\nexport interface ServiceAccount {\n    projectId: string;\n    privateKey: string;\n    clientEmail: string;\n}\n\nexport interface FirebaseAccessToken {\n    accessToken: string;\n    expirationTime: number;\n}\n\nconst accessTokenCache: Map<string, FirebaseAccessToken> = new Map();\n\nexport interface ServiceAccountCredential {\n    getAccessToken: (refresh?: boolean) => Promise<FirebaseAccessToken>;\n}\n\nasync function requestAccessToken(urlString: string, init: RequestInit): Promise<FirebaseAccessToken> {\n    const json = await fetchJson(urlString, init);\n\n    if (!json.access_token || !json.expires_in) {\n        throw new Error('Invalid access token response');\n    }\n\n    return {\n        accessToken: json.access_token,\n        expirationTime: Date.now() + (json.expires_in * 1000),\n    }\n}\n\nexport class ServiceAccountTokenManager implements ServiceAccountCredential {\n    private readonly projectId: string;\n    private readonly privateKey: string;\n    private readonly clientEmail: string;\n\n    constructor(serviceAccount: ServiceAccount) {\n        this.projectId = serviceAccount.projectId;\n        this.privateKey = serviceAccount.privateKey;\n        this.clientEmail = serviceAccount.clientEmail;\n    }\n\n    private fetchAccessToken = async (url: string): Promise<FirebaseAccessToken> => {\n        const token = await this.createJwt();\n        const postData =\n            'grant_type=urn%3Aietf%3Aparams%3Aoauth%3A' +\n            'grant-type%3Ajwt-bearer&assertion=' +\n            token;\n\n        return requestAccessToken(url, {\n            method: 'POST',\n            headers: {\n                'Content-Type': 'application/x-www-form-urlencoded',\n                Authorization: `Bearer ${token}`,\n                Accept: 'application/json',\n            },\n            body: postData,\n        })\n    }\n\n    private fetchAndCacheAccessToken = async (url: string): Promise<FirebaseAccessToken> => {\n        const accessToken = await this.fetchAccessToken(url);\n        accessTokenCache.set(this.projectId, accessToken);\n        return accessToken;\n    }\n\n    public getAccessToken = async (refresh?: boolean): Promise<FirebaseAccessToken> => {\n        const url = `https://${GOOGLE_AUTH_TOKEN_HOST}${GOOGLE_AUTH_TOKEN_PATH}`;\n\n        if (refresh) {\n            return this.fetchAndCacheAccessToken(url);\n        }\n\n        const cachedResponse = accessTokenCache.get(this.projectId);\n\n        if (!cachedResponse || cachedResponse.expirationTime - Date.now() <= TOKEN_EXPIRY_THRESHOLD_MILLIS) {\n            return this.fetchAndCacheAccessToken(url);\n        }\n\n        return cachedResponse;\n    }\n\n    private createJwt = async (): Promise<string> => {\n        const iat = Math.floor(Date.now() / 1000);\n\n        const payload = {\n            aud: GOOGLE_TOKEN_AUDIENCE,\n            iat,\n            exp: iat + ONE_HOUR_IN_SECONDS,\n            iss: this.clientEmail,\n            sub: this.clientEmail,\n            scope: [\n                'https://www.googleapis.com/auth/cloud-platform',\n                'https://www.googleapis.com/auth/firebase.database',\n                'https://www.googleapis.com/auth/firebase.messaging',\n                'https://www.googleapis.com/auth/identitytoolkit',\n                'https://www.googleapis.com/auth/userinfo.email'\n            ].join(' ')\n        } as JWTPayload;\n\n        return ternSignJwt({\n            payload,\n            privateKey: this.privateKey,\n        });\n    }\n}\n","import { createCustomToken } from '../jwt/customJwt';\nimport type { AuthenticateRequestOptions, TernSecureUserData } from '../tokens/types';\nimport { verifyToken } from '../tokens/verify';\nimport { ServiceAccountTokenManager } from './credential';\n\nexport interface IdAndRefreshTokens {\n  idToken: string;\n  refreshToken: string;\n}\n\nexport interface CustomTokens {\n  auth_time: number;\n  idToken: string;\n  refreshToken: string;\n  customToken: string;\n}\n\ninterface CustomForIdAndRefreshTokenOptions {\n  tenantId?: string;\n  appCheckToken?: string;\n  referer?: string;\n}\n\ninterface FirebaseRefreshTokenResponse {\n  kind: string;\n  id_token: string;\n  refresh_token: string;\n  expires_in: string;\n  isNewUser: boolean;\n}\n\ntype AuthResult<T = any> = { data: T; error: null } | { data: null; error: any };\n\nconst API_KEY_ERROR = 'API Key is required';\nconst NO_DATA_ERROR = 'No token data received';\n\nfunction parseFirebaseResponse<T>(data: unknown): T {\n  if (typeof data === 'string') {\n    try {\n      return JSON.parse(data) as T;\n    } catch (error) {\n      throw new Error(`Failed to parse Firebase response: ${error}`);\n    }\n  }\n  return data as T;\n}\n\nexport function getAuth(options: AuthenticateRequestOptions) {\n  const { apiKey, firebaseAdminConfig } = options;\n  const firebaseApiKey = options.firebaseConfig?.apiKey;\n  const effectiveApiKey = apiKey || firebaseApiKey;\n\n  let credential: ServiceAccountTokenManager | null = null;\n  if (\n    firebaseAdminConfig?.projectId &&\n    firebaseAdminConfig?.privateKey &&\n    firebaseAdminConfig?.clientEmail\n  ) {\n    credential = new ServiceAccountTokenManager({\n      projectId: firebaseAdminConfig.projectId,\n      privateKey: firebaseAdminConfig.privateKey,\n      clientEmail: firebaseAdminConfig.clientEmail,\n    });\n  }\n\n  async function getUserData(idToken?: string, localId?: string): Promise<TernSecureUserData> {\n    if (!effectiveApiKey) {\n      throw new Error(API_KEY_ERROR);\n    }\n    const response = await options.apiClient?.userData.getUserData(effectiveApiKey, {\n      idToken,\n      localId,\n    });\n\n    if (!response?.data) {\n      throw new Error(NO_DATA_ERROR);\n    }\n\n    const parsedData = parseFirebaseResponse<TernSecureUserData>(response.data);\n    return parsedData;\n  }\n\n  async function refreshExpiredIdToken(\n    refreshToken: string,\n    opts: CustomForIdAndRefreshTokenOptions,\n  ): Promise<AuthResult> {\n    if (!effectiveApiKey) {\n      return { data: null, error: new Error(API_KEY_ERROR) };\n    }\n    const response = await options.apiClient?.tokens.refreshToken(effectiveApiKey, {\n      refresh_token: refreshToken,\n      request_origin: opts.referer,\n    });\n\n    if (!response?.data) {\n      return {\n        data: null,\n        error: new Error(NO_DATA_ERROR),\n      };\n    }\n\n    const parsedData = parseFirebaseResponse<FirebaseRefreshTokenResponse>(response.data);\n\n    return {\n      data: {\n        idToken: parsedData.id_token,\n        refreshToken: parsedData.refresh_token,\n      },\n      error: null,\n    };\n  }\n\n  async function customForIdAndRefreshToken(\n    customToken: string,\n    opts: CustomForIdAndRefreshTokenOptions,\n  ): Promise<IdAndRefreshTokens> {\n    if (!effectiveApiKey) {\n      throw new Error('API Key is required to create custom token');\n    }\n    const data = await options.apiClient?.tokens.exchangeCustomForIdAndRefreshTokens(\n      effectiveApiKey,\n      {\n        token: customToken,\n        returnSecureToken: true,\n      },\n      {\n        referer: opts.referer,\n        appCheckToken: opts.appCheckToken,\n      },\n    );\n\n    if (!data) {\n      throw new Error('No data received from Firebase token exchange');\n    }\n\n    return {\n      idToken: data.idToken,\n      refreshToken: data.refreshToken,\n    };\n  }\n\n  async function createCustomIdAndRefreshToken(\n    idToken: string,\n    opts: CustomForIdAndRefreshTokenOptions,\n  ): Promise<CustomTokens> {\n    const decoded = await verifyToken(idToken, options);\n    const { data, errors } = decoded;\n    if (errors) {\n      throw errors[0];\n    }\n\n    //todo:\n    /**\n     * For sensitive applications, the auth_time should be checked before issuing the session cookie, minimizing the window of attack in case an ID token is stolen:\n    */\n    //if (new Date().getTime() / 1000 - data.auth_time < 5 * 60) {\n    //proceed\n    //}\n\n    const customToken = await createCustomToken(data.uid, {\n      emailVerified: data.email_verified,\n      source_sign_in_provider: data.firebase.sign_in_provider,\n    });\n\n    const idAndRefreshTokens = await customForIdAndRefreshToken(customToken, {\n      referer: opts.referer,\n      appCheckToken: opts.appCheckToken,\n    });\n\n    const decodedCustomIdToken = await verifyToken(idAndRefreshTokens.idToken, options);\n    if (decodedCustomIdToken.errors) {\n      throw decodedCustomIdToken.errors[0];\n    }\n\n    return {\n      ...idAndRefreshTokens,\n      customToken,\n      auth_time: decodedCustomIdToken.data.auth_time,\n    };\n  }\n\n  async function exchangeAppCheckToken(idToken: string): Promise<AuthResult> {\n    if (!credential) {\n      return {\n        data: null,\n        error: new Error(\n          'Firebase Admin config must be provided to exchange App Check tokens.',\n        ),\n      };\n    }\n    if (!effectiveApiKey) {\n      return { data: null, error: new Error(API_KEY_ERROR) };\n    }\n\n    try {\n      const decoded = await verifyToken(idToken, options);\n      if (decoded.errors) {\n        return { data: null, error: decoded.errors[0] };\n      }\n\n      const customToken = await createCustomToken(decoded.data.uid, {\n        emailVerified: decoded.data.email_verified,\n        source_sign_in_provider: decoded.data.firebase.sign_in_provider,\n      });\n\n      const projectId = options.firebaseConfig?.projectId;\n      const appId = options.firebaseConfig?.appId;\n\n      if (!projectId || !appId) {\n        return { data: null, error: new Error('Project ID and App ID are required for App Check') };\n      }\n\n      const { accessToken } = await credential.getAccessToken();\n\n      const appCheckResponse = await options.apiClient?.appCheck.exchangeCustomToken({\n        accessToken,\n        projectId,\n        appId,\n        customToken,\n        limitedUse: false,\n      });\n\n      if (!appCheckResponse?.token) {\n        return { data: null, error: new Error('Failed to exchange for App Check token') };\n      }\n\n      return {\n        data: {\n          token: appCheckResponse.token,\n          ttl: appCheckResponse.ttl\n        },\n        error: null,\n      };\n    } catch (error) {\n      return { data: null, error };\n    }\n  }\n\n  return {\n    getUserData,\n    customForIdAndRefreshToken,\n    createCustomIdAndRefreshToken,\n    refreshExpiredIdToken,\n    exchangeAppCheckToken,\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAyBA,IAAI,QAA0B,CAAC;AAC/B,IAAI,gBAAgB;AACpB,IAAI,kBAAkB;AAEtB,SAAS,aAAa,KAAa;AACjC,SAAO,MAAM,GAAG;AAClB;AAEA,SAAS,iBAAiB;AACxB,SAAO,OAAO,OAAO,KAAK;AAC5B;AAEA,SAAS,WAAW,KAAa,aAAqB,eAAe,MAAM;AACzE,QAAM,GAAG,IAAI;AACb,kBAAgB,eAAe,KAAK,IAAI,IAAI;AAC9C;AAEA,eAAe,gBAAgB,QAA6C;AAC1E,QAAM,MAAM,IAAI,IAAI,MAAM;AAC1B,QAAM,WAAW,MAAM,MAAM,GAAG;AAChC,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAI,uBAAuB;AAAA,MAC/B,SAAS,kCAAkC,IAAI,IAAI,cAAc,SAAS,MAAM;AAAA,MAChF,QAAQ,6BAA6B;AAAA,IACvC,CAAC;AAAA,EACH;AAEA,QAAM,OAAO,MAAM,SAAS,KAAK;AACjC,QAAM,YAAY,aAAa,QAAQ;AAEvC,SAAO;AAAA,IACL,MAAM;AAAA,IACN;AAAA,EACF;AACF;AAEA,eAAsB,kBAAkB;AAAA,EACtC,SAAS;AAAA,EACT;AAAA,EACA;AACF,GAA8C;AAC5C,MAAI,iBAAiB,eAAe,KAAK,CAAC,aAAa,GAAG,GAAG;AAC3D,UAAM,EAAE,MAAM,UAAU,IAAI,MAAM,gBAAgB,MAAM;AAExD,QAAI,CAAC,QAAQ,OAAO,KAAK,IAAI,EAAE,WAAW,GAAG;AAC3C,YAAM,IAAI,uBAAuB;AAAA,QAC/B,SAAS,qBAAqB,MAAM;AAAA,QACpC,QAAQ,6BAA6B;AAAA,MACvC,CAAC;AAAA,IACH;AACA,sBAAkB;AAElB,WAAO,QAAQ,IAAI,EAAE,QAAQ,CAAC,CAAC,OAAOA,KAAI,MAAM;AAC9C,iBAAW,OAAOA,KAAI;AAAA,IACxB,CAAC;AAAA,EACH;AACA,QAAM,OAAO,aAAa,GAAG;AAC7B,MAAI,CAAC,MAAM;AACT,mBAAe;AACf,UAAM,gBAAgB,OAAO,KAAK,KAAK,EAAE,KAAK,EAAE,KAAK,IAAI;AAEzD,UAAM,IAAI,uBAAuB;AAAA,MAC/B,SAAS,gCAAgC,GAAG,uBAAuB,aAAa;AAAA,MAChF,QAAQ,6BAA6B;AAAA,IACvC,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAEA,SAAS,iBAAiB;AACxB,QAAM,MAAM,KAAK,IAAI;AACrB,MAAI,kBAAkB,IAAI;AACxB,WAAO;AAAA,EACT;AAEA,QAAM,WAAW,MAAM;AACvB,QAAM,cAAc,oCAAoC;AACxD,QAAM,oBAAoB,YAAY;AACtC,QAAM,qBAAqB,OAAO;AAElC,QAAM,YAAY,qBAAqB;AAEvC,MAAI,WAAW;AACb,YAAQ,CAAC;AAAA,EACX;AAEA,SAAO;AACT;AAEA,SAAS,aAAa,KAAe;AACnC,QAAM,qBAAqB,IAAI,QAAQ,IAAI,eAAe;AAC1D,MAAI,CAAC,oBAAoB;AACvB,WAAO,KAAK,IAAI,IAAI;AAAA,EACtB;AACA,QAAM,cAAc,mBAAmB,MAAM,mBAAmB;AAChE,QAAM,SAAS,cAAc,SAAS,YAAY,CAAC,GAAG,EAAE,IAAI,yBAAyB;AAErF,SAAO,KAAK,IAAI,IAAI,SAAS;AAC/B;;;AC7GA,eAAsB,YACpB,OACA,SACgE;AAChE,QAAM,EAAE,MAAM,eAAe,OAAO,IAAI,cAAc,KAAK;AAE3D,MAAI,QAAQ;AACV,WAAO,EAAE,OAAO;AAAA,EAClB;AAEA,QAAM,EAAE,OAAO,IAAI;AACnB,QAAM,EAAE,IAAI,IAAI;AAEhB,MAAI,CAAC,KAAK;AACR,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,MAAI;AACF,UAAM,MAAM,QAAQ,UAAW,MAAM,kBAAkB,EAAE,GAAG,SAAS,IAAI,CAAC;AAE1E,QAAI,CAAC,KAAK;AACR,aAAO;AAAA,QACL,QAAQ;AAAA,UACN,IAAI,uBAAuB;AAAA,YACzB,QAAQ,6BAA6B;AAAA,YACrC,SAAS,gCAAgC,GAAG;AAAA,UAC9C,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AACA,WAAO,MAAM,UAAU,OAAO,EAAE,GAAG,SAAS,IAAI,CAAC;AAAA,EACnD,SAAS,OAAO;AACd,QAAI,iBAAiB,wBAAwB;AAC3C,aAAO,EAAE,QAAQ,CAAC,KAAK,EAAE;AAAA,IAC3B;AACA,WAAO;AAAA,MACL,QAAQ,CAAC,KAA+B;AAAA,IAC1C;AAAA,EACF;AACF;;;AC5DO,IAAM,gCAAgC,IAAI,KAAK;AAC/C,IAAM,wBAAwB;AAC9B,IAAM,yBAAyB;AAC/B,IAAM,yBAAyB;AAC/B,IAAM,sBAAsB,KAAK;;;ACJxC,eAAe,sBAAsB,UAAqC;AACtE,QAAM,OAAO,MAAM,SAAS,KAAK;AAEjC,MAAI,CAAC,MAAM;AACP,WAAO;AAAA,EACX;AAEA,MAAI,SACA,OAAO,KAAK,UAAU,WAChB,KAAK,QACJ,KAAK,OAAO,WAAW;AAElC,MAAI,KAAK,mBAAmB;AACxB,cAAU,OAAO,KAAK,oBAAoB;AAAA,EAC9C;AAEA,SAAO;AACX;AAEA,eAAsB,UAAU,KAAa,MAAmB;AAC5D,UAAQ,MAAM,SAAS,KAAK,IAAI,GAAG,KAAK;AAC5C;AAEA,eAAsB,SAAS,KAAa,MAAmB;AAC3D,QAAM,WAAW,MAAM,MAAM,KAAK,IAAI;AAEtC,MAAI,CAAC,SAAS,IAAI;AACd,UAAM,IAAI,MAAM,MAAM,sBAAsB,QAAQ,CAAC;AAAA,EACzD;AAEA,SAAO;AACX;;;ACFA,IAAM,mBAAqD,oBAAI,IAAI;AAMnE,eAAe,mBAAmB,WAAmB,MAAiD;AAClG,QAAM,OAAO,MAAM,UAAU,WAAW,IAAI;AAE5C,MAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,YAAY;AACxC,UAAM,IAAI,MAAM,+BAA+B;AAAA,EACnD;AAEA,SAAO;AAAA,IACH,aAAa,KAAK;AAAA,IAClB,gBAAgB,KAAK,IAAI,IAAK,KAAK,aAAa;AAAA,EACpD;AACJ;AAEO,IAAM,6BAAN,MAAqE;AAAA,EACvD;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,gBAAgC;AACxC,SAAK,YAAY,eAAe;AAChC,SAAK,aAAa,eAAe;AACjC,SAAK,cAAc,eAAe;AAAA,EACtC;AAAA,EAEQ,mBAAmB,OAAO,QAA8C;AAC5E,UAAM,QAAQ,MAAM,KAAK,UAAU;AACnC,UAAM,WACF,gFAEA;AAEJ,WAAO,mBAAmB,KAAK;AAAA,MAC3B,QAAQ;AAAA,MACR,SAAS;AAAA,QACL,gBAAgB;AAAA,QAChB,eAAe,UAAU,KAAK;AAAA,QAC9B,QAAQ;AAAA,MACZ;AAAA,MACA,MAAM;AAAA,IACV,CAAC;AAAA,EACL;AAAA,EAEQ,2BAA2B,OAAO,QAA8C;AACpF,UAAM,cAAc,MAAM,KAAK,iBAAiB,GAAG;AACnD,qBAAiB,IAAI,KAAK,WAAW,WAAW;AAChD,WAAO;AAAA,EACX;AAAA,EAEO,iBAAiB,OAAO,YAAoD;AAC/E,UAAM,MAAM,WAAW,sBAAsB,GAAG,sBAAsB;AAEtE,QAAI,SAAS;AACT,aAAO,KAAK,yBAAyB,GAAG;AAAA,IAC5C;AAEA,UAAM,iBAAiB,iBAAiB,IAAI,KAAK,SAAS;AAE1D,QAAI,CAAC,kBAAkB,eAAe,iBAAiB,KAAK,IAAI,KAAK,+BAA+B;AAChG,aAAO,KAAK,yBAAyB,GAAG;AAAA,IAC5C;AAEA,WAAO;AAAA,EACX;AAAA,EAEQ,YAAY,YAA6B;AAC7C,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAExC,UAAM,UAAU;AAAA,MACZ,KAAK;AAAA,MACL;AAAA,MACA,KAAK,MAAM;AAAA,MACX,KAAK,KAAK;AAAA,MACV,KAAK,KAAK;AAAA,MACV,OAAO;AAAA,QACH;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACJ,EAAE,KAAK,GAAG;AAAA,IACd;AAEA,WAAO,YAAY;AAAA,MACf;AAAA,MACA,YAAY,KAAK;AAAA,IACrB,CAAC;AAAA,EACL;AACJ;;;ACzFA,IAAM,gBAAgB;AACtB,IAAM,gBAAgB;AAEtB,SAAS,sBAAyB,MAAkB;AAClD,MAAI,OAAO,SAAS,UAAU;AAC5B,QAAI;AACF,aAAO,KAAK,MAAM,IAAI;AAAA,IACxB,SAAS,OAAO;AACd,YAAM,IAAI,MAAM,sCAAsC,KAAK,EAAE;AAAA,IAC/D;AAAA,EACF;AACA,SAAO;AACT;AAEO,SAAS,QAAQ,SAAqC;AAC3D,QAAM,EAAE,QAAQ,oBAAoB,IAAI;AACxC,QAAM,iBAAiB,QAAQ,gBAAgB;AAC/C,QAAM,kBAAkB,UAAU;AAElC,MAAI,aAAgD;AACpD,MACE,qBAAqB,aACrB,qBAAqB,cACrB,qBAAqB,aACrB;AACA,iBAAa,IAAI,2BAA2B;AAAA,MAC1C,WAAW,oBAAoB;AAAA,MAC/B,YAAY,oBAAoB;AAAA,MAChC,aAAa,oBAAoB;AAAA,IACnC,CAAC;AAAA,EACH;AAEA,iBAAe,YAAY,SAAkB,SAA+C;AAC1F,QAAI,CAAC,iBAAiB;AACpB,YAAM,IAAI,MAAM,aAAa;AAAA,IAC/B;AACA,UAAM,WAAW,MAAM,QAAQ,WAAW,SAAS,YAAY,iBAAiB;AAAA,MAC9E;AAAA,MACA;AAAA,IACF,CAAC;AAED,QAAI,CAAC,UAAU,MAAM;AACnB,YAAM,IAAI,MAAM,aAAa;AAAA,IAC/B;AAEA,UAAM,aAAa,sBAA0C,SAAS,IAAI;AAC1E,WAAO;AAAA,EACT;AAEA,iBAAe,sBACb,cACA,MACqB;AACrB,QAAI,CAAC,iBAAiB;AACpB,aAAO,EAAE,MAAM,MAAM,OAAO,IAAI,MAAM,aAAa,EAAE;AAAA,IACvD;AACA,UAAM,WAAW,MAAM,QAAQ,WAAW,OAAO,aAAa,iBAAiB;AAAA,MAC7E,eAAe;AAAA,MACf,gBAAgB,KAAK;AAAA,IACvB,CAAC;AAED,QAAI,CAAC,UAAU,MAAM;AACnB,aAAO;AAAA,QACL,MAAM;AAAA,QACN,OAAO,IAAI,MAAM,aAAa;AAAA,MAChC;AAAA,IACF;AAEA,UAAM,aAAa,sBAAoD,SAAS,IAAI;AAEpF,WAAO;AAAA,MACL,MAAM;AAAA,QACJ,SAAS,WAAW;AAAA,QACpB,cAAc,WAAW;AAAA,MAC3B;AAAA,MACA,OAAO;AAAA,IACT;AAAA,EACF;AAEA,iBAAe,2BACb,aACA,MAC6B;AAC7B,QAAI,CAAC,iBAAiB;AACpB,YAAM,IAAI,MAAM,4CAA4C;AAAA,IAC9D;AACA,UAAM,OAAO,MAAM,QAAQ,WAAW,OAAO;AAAA,MAC3C;AAAA,MACA;AAAA,QACE,OAAO;AAAA,QACP,mBAAmB;AAAA,MACrB;AAAA,MACA;AAAA,QACE,SAAS,KAAK;AAAA,QACd,eAAe,KAAK;AAAA,MACtB;AAAA,IACF;AAEA,QAAI,CAAC,MAAM;AACT,YAAM,IAAI,MAAM,+CAA+C;AAAA,IACjE;AAEA,WAAO;AAAA,MACL,SAAS,KAAK;AAAA,MACd,cAAc,KAAK;AAAA,IACrB;AAAA,EACF;AAEA,iBAAe,8BACb,SACA,MACuB;AACvB,UAAM,UAAU,MAAM,YAAY,SAAS,OAAO;AAClD,UAAM,EAAE,MAAM,OAAO,IAAI;AACzB,QAAI,QAAQ;AACV,YAAM,OAAO,CAAC;AAAA,IAChB;AAUA,UAAM,cAAc,MAAM,kBAAkB,KAAK,KAAK;AAAA,MACpD,eAAe,KAAK;AAAA,MACpB,yBAAyB,KAAK,SAAS;AAAA,IACzC,CAAC;AAED,UAAM,qBAAqB,MAAM,2BAA2B,aAAa;AAAA,MACvE,SAAS,KAAK;AAAA,MACd,eAAe,KAAK;AAAA,IACtB,CAAC;AAED,UAAM,uBAAuB,MAAM,YAAY,mBAAmB,SAAS,OAAO;AAClF,QAAI,qBAAqB,QAAQ;AAC/B,YAAM,qBAAqB,OAAO,CAAC;AAAA,IACrC;AAEA,WAAO;AAAA,MACL,GAAG;AAAA,MACH;AAAA,MACA,WAAW,qBAAqB,KAAK;AAAA,IACvC;AAAA,EACF;AAEA,iBAAe,sBAAsB,SAAsC;AACzE,QAAI,CAAC,YAAY;AACf,aAAO;AAAA,QACL,MAAM;AAAA,QACN,OAAO,IAAI;AAAA,UACT;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,QAAI,CAAC,iBAAiB;AACpB,aAAO,EAAE,MAAM,MAAM,OAAO,IAAI,MAAM,aAAa,EAAE;AAAA,IACvD;AAEA,QAAI;AACF,YAAM,UAAU,MAAM,YAAY,SAAS,OAAO;AAClD,UAAI,QAAQ,QAAQ;AAClB,eAAO,EAAE,MAAM,MAAM,OAAO,QAAQ,OAAO,CAAC,EAAE;AAAA,MAChD;AAEA,YAAM,cAAc,MAAM,kBAAkB,QAAQ,KAAK,KAAK;AAAA,QAC5D,eAAe,QAAQ,KAAK;AAAA,QAC5B,yBAAyB,QAAQ,KAAK,SAAS;AAAA,MACjD,CAAC;AAED,YAAM,YAAY,QAAQ,gBAAgB;AAC1C,YAAM,QAAQ,QAAQ,gBAAgB;AAEtC,UAAI,CAAC,aAAa,CAAC,OAAO;AACxB,eAAO,EAAE,MAAM,MAAM,OAAO,IAAI,MAAM,kDAAkD,EAAE;AAAA,MAC5F;AAEA,YAAM,EAAE,YAAY,IAAI,MAAM,WAAW,eAAe;AAExD,YAAM,mBAAmB,MAAM,QAAQ,WAAW,SAAS,oBAAoB;AAAA,QAC7E;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,YAAY;AAAA,MACd,CAAC;AAED,UAAI,CAAC,kBAAkB,OAAO;AAC5B,eAAO,EAAE,MAAM,MAAM,OAAO,IAAI,MAAM,wCAAwC,EAAE;AAAA,MAClF;AAEA,aAAO;AAAA,QACL,MAAM;AAAA,UACJ,OAAO,iBAAiB;AAAA,UACxB,KAAK,iBAAiB;AAAA,QACxB;AAAA,QACA,OAAO;AAAA,MACT;AAAA,IACF,SAAS,OAAO;AACd,aAAO,EAAE,MAAM,MAAM,MAAM;AAAA,IAC7B;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;","names":["cert"]}

package/dist/{chunk-ASGV4MFO.mjs → chunk-GFH5CXQR.mjs}

@@ -1,6 +1,6 @@
 import {
   constants
-} from "./chunk-DFAJCSBJ.mjs";
+} from "./chunk-WIVOBOZR.mjs";
 
 // src/tokens/ternSecureRequest.ts
 import { parse } from "cookie";
@@ -68,4 +68,4 @@ var createTernSecureRequest = (...args) => {
 export {
   createTernSecureRequest
 };
-//# sourceMappingURL=chunk-ASGV4MFO.mjs.map
+//# sourceMappingURL=chunk-GFH5CXQR.mjs.map