@tern-secure/backend 1.2.0-canary.v20251125170702 → 1.2.0-canary.v20251127221555

package/dist/{chunk-DDUNOEIM.mjs → chunk-NXYWC6YO.mjs}

@@ -1,99 +1,12 @@
-// src/jwt/customJwt.ts
-import { importPKCS8, SignJWT } from "jose";
-var CustomTokenError = class extends Error {
-  constructor(message, code) {
-    super(message);
-    this.code = code;
-    this.name = "CustomTokenError";
-  }
-};
-var RESERVED_CLAIMS = [
-  "acr",
-  "amr",
-  "at_hash",
-  "aud",
-  "auth_time",
-  "azp",
-  "cnf",
-  "c_hash",
-  "exp",
-  "firebase",
-  "iat",
-  "iss",
-  "jti",
-  "nbf",
-  "nonce",
-  "sub"
-];
-async function createCustomTokenJwt(uid, developerClaims) {
-  try {
-    const privateKey = process.env.FIREBASE_PRIVATE_KEY;
-    const clientEmail = process.env.FIREBASE_CLIENT_EMAIL;
-    if (!privateKey || !clientEmail) {
-      return {
-        errors: [
-          new CustomTokenError(
-            "Missing FIREBASE_PRIVATE_KEY or FIREBASE_CLIENT_EMAIL environment variables",
-            "MISSING_ENV_VARS"
-          )
-        ]
-      };
-    }
-    if (!uid || typeof uid !== "string") {
-      return {
-        errors: [new CustomTokenError("uid must be a non-empty string", "INVALID_UID")]
-      };
+// src/jwt/guardReturn.ts
+function createJwtGuard(decodedFn) {
+  return (...args) => {
+    const { data, errors } = decodedFn(...args);
+    if (errors) {
+      throw errors[0];
     }
-    if (uid.length > 128) {
-      return {
-        errors: [new CustomTokenError("uid must not exceed 128 characters", "UID_TOO_LONG")]
-      };
-    }
-    if (developerClaims) {
-      for (const claim of Object.keys(developerClaims)) {
-        if (RESERVED_CLAIMS.includes(claim)) {
-          return {
-            errors: [new CustomTokenError(`Custom claim '${claim}' is reserved`, "RESERVED_CLAIM")]
-          };
-        }
-      }
-    }
-    const expiresIn = 3600;
-    const now = Math.floor(Date.now() / 1e3);
-    const parsedPrivateKey = await importPKCS8(privateKey.replace(/\\n/g, "\n"), "RS256");
-    const payload = {
-      iss: clientEmail,
-      sub: clientEmail,
-      aud: "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
-      iat: now,
-      exp: now + expiresIn,
-      uid,
-      ...developerClaims
-    };
-    const jwt = await new SignJWT(payload).setProtectedHeader({ alg: "RS256", typ: "JWT" }).setIssuedAt(now).setExpirationTime(now + expiresIn).setIssuer(clientEmail).setSubject(clientEmail).setAudience(
-      "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"
-    ).sign(parsedPrivateKey);
-    return {
-      data: jwt
-    };
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Unknown error occurred";
-    return {
-      errors: [
-        new CustomTokenError(`Failed to create custom token: ${message}`, "TOKEN_CREATION_FAILED")
-      ]
-    };
-  }
-}
-async function createCustomToken(uid, developerClaims) {
-  const { data, errors } = await createCustomTokenJwt(uid, developerClaims);
-  if (errors) {
-    throw errors[0];
-  }
-  return data;
-}
-function createCustomTokenWithResult(uid, developerClaims) {
-  return createCustomTokenJwt(uid, developerClaims);
+    return data;
+  };
 }
 
 // src/jwt/verifyJwt.ts
@@ -348,33 +261,44 @@ async function verifySignature(jwt, key) {
   }
 }
 function ternDecodeJwt(token) {
-  const header = decodeProtectedHeader(token);
-  const payload = decodeJwt(token);
-  const tokenParts = (token || "").toString().split(".");
-  if (tokenParts.length !== 3) {
+  try {
+    const header = decodeProtectedHeader(token);
+    const payload = decodeJwt(token);
+    const tokenParts = (token || "").toString().split(".");
+    if (tokenParts.length !== 3) {
+      return {
+        errors: [
+          new TokenVerificationError({
+            reason: TokenVerificationErrorReason.TokenInvalid,
+            message: "Invalid JWT format"
+          })
+        ]
+      };
+    }
+    const [rawHeader, rawPayload, rawSignature] = tokenParts;
+    const signature = base64url.parse(rawSignature, { loose: true });
+    const data = {
+      header,
+      payload,
+      signature,
+      raw: {
+        header: rawHeader,
+        payload: rawPayload,
+        signature: rawSignature,
+        text: token
+      }
+    };
+    return { data };
+  } catch (error) {
     return {
       errors: [
         new TokenVerificationError({
           reason: TokenVerificationErrorReason.TokenInvalid,
-          message: "Invalid JWT format"
+          message: `${error.message || "Invalid Token or Protected Header formatting"} (Token length: ${token?.length}, First 10 chars: ${token?.substring(0, 10)}...)`
         })
       ]
     };
   }
-  const [rawHeader, rawPayload, rawSignature] = tokenParts;
-  const signature = base64url.parse(rawSignature, { loose: true });
-  const data = {
-    header,
-    payload,
-    signature,
-    raw: {
-      header: rawHeader,
-      payload: rawPayload,
-      signature: rawSignature,
-      text: token
-    }
-  };
-  return { data };
 }
 async function verifyJwt(token, options) {
   const { key } = options;
@@ -407,6 +331,240 @@ async function verifyJwt(token, options) {
   return { data: decodedIdToken };
 }
 
+// src/jwt/jwt.ts
+import { createRemoteJWKSet, decodeJwt as decodeJwt2, jwtVerify as jwtVerify2 } from "jose";
+var FIREBASE_ID_TOKEN_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
+var FIREBASE_SESSION_CERT_URL = "https://identitytoolkit.googleapis.com/v1/sessionCookiePublicKeys";
+var idTokenJWKS = null;
+var sessionJWKS = null;
+var getIdTokenJWKS = () => {
+  if (!idTokenJWKS) {
+    idTokenJWKS = createRemoteJWKSet(new URL(FIREBASE_ID_TOKEN_URL), {
+      cacheMaxAge: 36e5,
+      // 1 hour
+      timeoutDuration: 5e3,
+      // 5 seconds
+      cooldownDuration: 3e4
+      // 30 seconds between retries
+    });
+  }
+  return idTokenJWKS;
+};
+var getSessionJWKS = () => {
+  if (!sessionJWKS) {
+    sessionJWKS = createRemoteJWKSet(new URL(FIREBASE_SESSION_CERT_URL), {
+      cacheMaxAge: 36e5,
+      // 1 hour
+      timeoutDuration: 5e3,
+      // 5 seconds
+      cooldownDuration: 3e4
+      // 30 seconds between retries
+    });
+  }
+  return sessionJWKS;
+};
+async function verifyToken(token, isSessionCookie = false) {
+  try {
+    const projectId = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID;
+    if (!projectId) {
+      throw new Error("Firebase Project ID is not configured");
+    }
+    const { decoded } = decodeJwt2(token);
+    if (!decoded) {
+      throw new Error("Invalid token format");
+    }
+    let retries = 3;
+    let lastError = null;
+    while (retries > 0) {
+      try {
+        const JWKS = isSessionCookie ? getSessionJWKS() : getIdTokenJWKS();
+        const { payload } = await jwtVerify2(token, JWKS, {
+          issuer: isSessionCookie ? "https://session.firebase.google.com/" + projectId : "https://securetoken.google.com/" + projectId,
+          audience: projectId,
+          algorithms: ["RS256"]
+        });
+        const firebasePayload = payload;
+        const now = Math.floor(Date.now() / 1e3);
+        if (firebasePayload.exp <= now) {
+          throw new Error("Token has expired");
+        }
+        if (firebasePayload.iat > now) {
+          throw new Error("Token issued time is in the future");
+        }
+        if (!firebasePayload.sub) {
+          throw new Error("Token subject is empty");
+        }
+        if (firebasePayload.auth_time > now) {
+          throw new Error("Token auth time is in the future");
+        }
+        return {
+          valid: true,
+          uid: firebasePayload.sub,
+          sub: firebasePayload.sub,
+          email: firebasePayload.email,
+          email_verified: firebasePayload.email_verified,
+          auth_time: firebasePayload.auth_time,
+          iat: firebasePayload.iat,
+          exp: firebasePayload.exp,
+          aud: firebasePayload.aud,
+          iss: firebasePayload.iss,
+          firebase: firebasePayload.firebase,
+          phone_number: firebasePayload.phone_number,
+          picture: firebasePayload.picture
+        };
+      } catch (error) {
+        lastError = error;
+        if (error instanceof Error && error.name === "JWKSNoMatchingKey") {
+          console.warn(`JWKS retry attempt ${4 - retries}:`, error.message);
+          retries--;
+          if (retries > 0) {
+            await new Promise((resolve) => setTimeout(resolve, 1e3));
+            continue;
+          }
+        }
+        throw error;
+      }
+    }
+    throw lastError || new Error("Failed to verify token after retries");
+  } catch (error) {
+    console.error("Token verification details:", {
+      error: error instanceof Error ? {
+        name: error.name,
+        message: error.message,
+        stack: error.stack
+      } : error,
+      decoded: decodeJwt2(token),
+      isSessionCookie
+    });
+    return {
+      valid: false,
+      error: {
+        success: false,
+        message: error instanceof Error ? error.message : "Invalid token",
+        code: "INVALID_TOKEN"
+      }
+    };
+  }
+}
+
+// src/jwt/customJwt.ts
+import { importPKCS8, SignJWT } from "jose";
+var CustomTokenError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "CustomTokenError";
+  }
+};
+var RESERVED_CLAIMS = [
+  "acr",
+  "amr",
+  "at_hash",
+  "aud",
+  "auth_time",
+  "azp",
+  "cnf",
+  "c_hash",
+  "exp",
+  "firebase",
+  "iat",
+  "iss",
+  "jti",
+  "nbf",
+  "nonce",
+  "sub"
+];
+async function createCustomTokenJwt(uid, developerClaims) {
+  try {
+    const privateKey = process.env.FIREBASE_PRIVATE_KEY;
+    const clientEmail = process.env.FIREBASE_CLIENT_EMAIL;
+    if (!privateKey || !clientEmail) {
+      return {
+        errors: [
+          new CustomTokenError(
+            "Missing FIREBASE_PRIVATE_KEY or FIREBASE_CLIENT_EMAIL environment variables",
+            "MISSING_ENV_VARS"
+          )
+        ]
+      };
+    }
+    if (!uid || typeof uid !== "string") {
+      return {
+        errors: [new CustomTokenError("uid must be a non-empty string", "INVALID_UID")]
+      };
+    }
+    if (uid.length > 128) {
+      return {
+        errors: [new CustomTokenError("uid must not exceed 128 characters", "UID_TOO_LONG")]
+      };
+    }
+    if (developerClaims) {
+      for (const claim of Object.keys(developerClaims)) {
+        if (RESERVED_CLAIMS.includes(claim)) {
+          return {
+            errors: [new CustomTokenError(`Custom claim '${claim}' is reserved`, "RESERVED_CLAIM")]
+          };
+        }
+      }
+    }
+    const expiresIn = 3600;
+    const now = Math.floor(Date.now() / 1e3);
+    const parsedPrivateKey = await importPKCS8(privateKey.replace(/\\n/g, "\n"), "RS256");
+    const payload = {
+      iss: clientEmail,
+      sub: clientEmail,
+      aud: "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
+      iat: now,
+      exp: now + expiresIn,
+      uid,
+      ...developerClaims
+    };
+    const jwt = await new SignJWT(payload).setProtectedHeader({ alg: "RS256", typ: "JWT" }).setIssuedAt(now).setExpirationTime(now + expiresIn).setIssuer(clientEmail).setSubject(clientEmail).setAudience(
+      "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"
+    ).sign(parsedPrivateKey);
+    return {
+      data: jwt
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error occurred";
+    return {
+      errors: [
+        new CustomTokenError(`Failed to create custom token: ${message}`, "TOKEN_CREATION_FAILED")
+      ]
+    };
+  }
+}
+async function createCustomToken(uid, developerClaims) {
+  const { data, errors } = await createCustomTokenJwt(uid, developerClaims);
+  if (errors) {
+    throw errors[0];
+  }
+  return data;
+}
+function createCustomTokenWithResult(uid, developerClaims) {
+  return createCustomTokenJwt(uid, developerClaims);
+}
+
+// src/jwt/signJwt.ts
+import { importPKCS8 as importPKCS82, SignJWT as SignJWT2 } from "jose";
+var ALGORITHM_RS256 = "RS256";
+async function ternSignJwt(opts) {
+  const { payload, privateKey, keyId } = opts;
+  let key;
+  try {
+    key = await importPKCS82(privateKey, ALGORITHM_RS256);
+  } catch (error) {
+    throw new TokenVerificationError({
+      message: `Failed to import private key: ${error.message}`,
+      reason: TokenVerificationErrorReason.TokenInvalid
+    });
+  }
+  return new SignJWT2(payload).setProtectedHeader({ alg: ALGORITHM_RS256, kid: keyId }).sign(key);
+}
+
+// src/jwt/index.ts
+var ternDecodeJwt2 = createJwtGuard(ternDecodeJwt);
+
 export {
   mapJwtPayloadToDecodedIdToken,
   CustomTokenError,
@@ -416,6 +574,10 @@ export {
   TokenVerificationErrorReason,
   TokenVerificationError,
   ternDecodeJwt,
-  verifyJwt
+  verifyJwt,
+  verifyToken,
+  ALGORITHM_RS256,
+  ternSignJwt,
+  ternDecodeJwt2
 };
-//# sourceMappingURL=chunk-DDUNOEIM.mjs.map
+//# sourceMappingURL=chunk-NXYWC6YO.mjs.map

package/dist/chunk-NXYWC6YO.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/jwt/guardReturn.ts","../src/jwt/verifyJwt.ts","../src/utils/errors.ts","../src/utils/mapDecode.ts","../src/utils/rfc4648.ts","../src/jwt/cryptoKeys.ts","../src/jwt/algorithms.ts","../src/jwt/verifyContent.ts","../src/jwt/jwt.ts","../src/jwt/customJwt.ts","../src/jwt/signJwt.ts","../src/jwt/index.ts"],"sourcesContent":["import { type JwtReturnType } from \"./types\";\n\nexport function createJwtGuard<T extends (...args: any[]) => JwtReturnType<any, any>>(decodedFn: T) {\n  return (...args: Parameters<T>): NonNullable<Awaited<ReturnType<T>>['data']> | never => {\n    const { data, errors } = decodedFn(...args);\n\n    if (errors) {\n      throw errors[0];\n    }\n\n    return data;\n  };\n}\n","import type { DecodedIdToken, Jwt, JWTPayload } from '@tern-secure/types';\nimport {\n  decodeJwt,\n  decodeProtectedHeader,\n  jwtVerify,\n} from 'jose';\n\nimport { TokenVerificationError, TokenVerificationErrorReason } from '../utils/errors';\nimport { mapJwtPayloadToDecodedIdToken } from '../utils/mapDecode';\nimport { base64url } from '../utils/rfc4648';\nimport { importKey } from './cryptoKeys';\nimport type { JwtReturnType } from './types';\nimport {\n  verifyExpirationClaim,\n  verifyHeaderKid,\n  verifyIssuedAtClaim,\n  verifySubClaim,\n} from './verifyContent';\n\nconst DEFAULT_CLOCK_SKEW_IN_MS = 5 * 1000;\n\nexport type VerifyJwtOptions = {\n  audience?: string | string[];\n  clockSkewInMs?: number;\n  key: JsonWebKey | string;\n};\n\nexport async function verifySignature(\n  jwt: Jwt,\n  key: JsonWebKey | string,\n): Promise<JwtReturnType<JWTPayload, Error>> {\n  const { header, raw } = jwt;\n  const joseAlgorithm = header.alg || 'RS256';\n\n  try {\n    const publicKey = await importKey(key, joseAlgorithm);\n\n    const { payload } = await jwtVerify(raw.text, publicKey);\n\n    return { data: payload };\n  } catch (error) {\n    return {\n      errors: [\n        new TokenVerificationError({\n          reason: TokenVerificationErrorReason.TokenInvalidSignature,\n          message: (error as Error).message,\n        }),\n      ],\n    };\n  }\n}\n\nexport function ternDecodeJwt(token: string): JwtReturnType<Jwt, TokenVerificationError> {\n  try {\n    const header = decodeProtectedHeader(token);\n    const payload = decodeJwt(token);\n\n    const tokenParts = (token || '').toString().split('.');\n    if (tokenParts.length !== 3) {\n      return {\n        errors: [\n          new TokenVerificationError({\n            reason: TokenVerificationErrorReason.TokenInvalid,\n            message: 'Invalid JWT format',\n          }),\n        ],\n      };\n    }\n\n    const [rawHeader, rawPayload, rawSignature] = tokenParts;\n    const signature = base64url.parse(rawSignature, { loose: true });\n\n    const data = {\n      header,\n      payload,\n      signature,\n      raw: {\n        header: rawHeader,\n        payload: rawPayload,\n        signature: rawSignature,\n        text: token,\n      },\n    } satisfies Jwt;\n\n    return { data };\n  } catch (error) {\n    return {\n      errors: [\n        new TokenVerificationError({\n          reason: TokenVerificationErrorReason.TokenInvalid,\n          message: `${(error as Error).message || 'Invalid Token or Protected Header formatting'} (Token length: ${token?.length}, First 10 chars: ${token?.substring(0, 10)}...)`,\n        }),\n      ],\n    };\n  }\n}\n\nexport async function verifyJwt(\n  token: string,\n  options: VerifyJwtOptions,\n): Promise<JwtReturnType<DecodedIdToken, TokenVerificationError>> {\n  const { key } = options;\n  const clockSkew = options.clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;\n\n  const { data: decoded, errors } = ternDecodeJwt(token);\n  if (errors) {\n    return { errors };\n  }\n\n  const { header, payload } = decoded;\n\n  try {\n    verifyHeaderKid(header.kid);\n    verifySubClaim(payload.sub);\n    verifyExpirationClaim(payload.exp, clockSkew);\n    verifyIssuedAtClaim(payload.iat, clockSkew);\n  } catch (error) {\n    return { errors: [error as TokenVerificationError] };\n  }\n\n  const { data: verifiedPayload, errors: signatureErrors } = await verifySignature(decoded, key);\n  if (signatureErrors) {\n    return {\n      errors: [\n        new TokenVerificationError({\n          reason: TokenVerificationErrorReason.TokenInvalidSignature,\n          message: 'Token signature verification failed.',\n        }),\n      ],\n    };\n  }\n\n  const decodedIdToken = mapJwtPayloadToDecodedIdToken(verifiedPayload);\n\n  return { data: decodedIdToken };\n}\n","export const RefreshTokenErrorReason = {\n  NonEligibleNoCookie: 'non-eligible-no-refresh-cookie',\n  NonEligibleNonGet: 'non-eligible-non-get',\n  InvalidSessionToken: 'invalid-session-token',\n  MissingApiClient: 'missing-api-client',\n  MissingIdToken: 'missing-id-token',\n  MissingSessionToken: 'missing-session-token',\n  MissingRefreshToken: 'missing-refresh-token',\n  ExpiredIdTokenDecodeFailed: 'expired-id-token-decode-failed',\n  ExpiredSessionTokenDecodeFailed: 'expired-session-token-decode-failed',\n  FetchError: 'fetch-error',\n} as const;\n\nexport type TokenCarrier = 'header' | 'cookie';\n\nexport const TokenVerificationErrorReason = {\n  TokenExpired: 'token-expired',\n  TokenInvalid: 'token-invalid',\n  TokenInvalidAlgorithm: 'token-invalid-algorithm',\n  TokenInvalidAuthorizedParties: 'token-invalid-authorized-parties',\n  TokenInvalidSignature: 'token-invalid-signature',\n  TokenNotActiveYet: 'token-not-active-yet',\n  TokenIatInTheFuture: 'token-iat-in-the-future',\n  TokenVerificationFailed: 'token-verification-failed',\n  InvalidSecretKey: 'secret-key-invalid',\n  LocalJWKMissing: 'jwk-local-missing',\n  RemoteJWKFailedToLoad: 'jwk-remote-failed-to-load',\n  RemoteJWKInvalid: 'jwk-remote-invalid',\n  RemoteJWKMissing: 'jwk-remote-missing',\n  JWKFailedToResolve: 'jwk-failed-to-resolve',\n  JWKKidMismatch: 'jwk-kid-mismatch',\n};\n\nexport type TokenVerificationErrorReason =\n  (typeof TokenVerificationErrorReason)[keyof typeof TokenVerificationErrorReason];\n\nexport class TokenVerificationError extends Error {\n  reason: TokenVerificationErrorReason;\n  tokenCarrier?: TokenCarrier;\n\n  constructor({\n    message,\n    reason,\n  }: {\n    message: string;\n    reason: TokenVerificationErrorReason;\n  }) {\n    super(message);\n\n    Object.setPrototypeOf(this, TokenVerificationError.prototype);\n\n    this.reason = reason;\n    this.message = message;\n  }\n\n  public getFullMessage() {\n    return `${[this.message].filter(m => m).join(' ')} (reason=${this.reason}, token-carrier=${\n      this.tokenCarrier\n    })`;\n  }\n  }\n","import type { DecodedIdToken } from \"@tern-secure/types\";\nimport type {\n  JWTPayload,\n} from \"jose\";\n\nexport function mapJwtPayloadToDecodedIdToken(payload: JWTPayload) {\n  const decodedIdToken = payload as DecodedIdToken;\n  decodedIdToken.uid = decodedIdToken.sub;\n  return decodedIdToken;\n}","/**\n * The base64url helper was extracted from the rfc4648 package\n * in order to resolve CSJ/ESM interoperability issues\n *\n * https://github.com/swansontec/rfc4648.js\n *\n * For more context please refer to:\n * - https://github.com/evanw/esbuild/issues/1719\n * - https://github.com/evanw/esbuild/issues/532\n * - https://github.com/swansontec/rollup-plugin-mjs-entry\n */\nexport const base64url = {\n  parse(string: string, opts?: ParseOptions): Uint8Array {\n    return parse(string, base64UrlEncoding, opts);\n  },\n\n  stringify(data: ArrayLike<number>, opts?: StringifyOptions): string {\n    return stringify(data, base64UrlEncoding, opts);\n  },\n};\n\nconst base64UrlEncoding: Encoding = {\n  chars: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_',\n  bits: 6,\n};\n\ninterface Encoding {\n  bits: number;\n  chars: string;\n  codes?: { [char: string]: number };\n}\n\ninterface ParseOptions {\n  loose?: boolean;\n  out?: new (size: number) => { [index: number]: number };\n}\n\ninterface StringifyOptions {\n  pad?: boolean;\n}\n\nfunction parse(string: string, encoding: Encoding, opts: ParseOptions = {}): Uint8Array {\n  // Build the character lookup table:\n  if (!encoding.codes) {\n    encoding.codes = {};\n    for (let i = 0; i < encoding.chars.length; ++i) {\n      encoding.codes[encoding.chars[i]] = i;\n    }\n  }\n\n  // The string must have a whole number of bytes:\n  if (!opts.loose && (string.length * encoding.bits) & 7) {\n    throw new SyntaxError('Invalid padding');\n  }\n\n  // Count the padding bytes:\n  let end = string.length;\n  while (string[end - 1] === '=') {\n    --end;\n\n    // If we get a whole number of bytes, there is too much padding:\n    if (!opts.loose && !(((string.length - end) * encoding.bits) & 7)) {\n      throw new SyntaxError('Invalid padding');\n    }\n  }\n\n  // Allocate the output:\n  const out = new (opts.out ?? Uint8Array)(((end * encoding.bits) / 8) | 0) as Uint8Array;\n\n  // Parse the data:\n  let bits = 0; // Number of bits currently in the buffer\n  let buffer = 0; // Bits waiting to be written out, MSB first\n  let written = 0; // Next byte to write\n  for (let i = 0; i < end; ++i) {\n    // Read one character from the string:\n    const value = encoding.codes[string[i]];\n    if (value === undefined) {\n      throw new SyntaxError('Invalid character ' + string[i]);\n    }\n\n    // Append the bits to the buffer:\n    buffer = (buffer << encoding.bits) | value;\n    bits += encoding.bits;\n\n    // Write out some bits if the buffer has a byte's worth:\n    if (bits >= 8) {\n      bits -= 8;\n      out[written++] = 0xff & (buffer >> bits);\n    }\n  }\n\n  // Verify that we have received just enough bits:\n  if (bits >= encoding.bits || 0xff & (buffer << (8 - bits))) {\n    throw new SyntaxError('Unexpected end of data');\n  }\n\n  return out;\n}\n\nfunction stringify(data: ArrayLike<number>, encoding: Encoding, opts: StringifyOptions = {}): string {\n  const { pad = true } = opts;\n  const mask = (1 << encoding.bits) - 1;\n  let out = '';\n\n  let bits = 0; // Number of bits currently in the buffer\n  let buffer = 0; // Bits waiting to be written out, MSB first\n  for (let i = 0; i < data.length; ++i) {\n    // Slurp data into the buffer:\n    buffer = (buffer << 8) | (0xff & data[i]);\n    bits += 8;\n\n    // Write out as much as we can:\n    while (bits > encoding.bits) {\n      bits -= encoding.bits;\n      out += encoding.chars[mask & (buffer >> bits)];\n    }\n  }\n\n  // Partial character:\n  if (bits) {\n    out += encoding.chars[mask & (buffer << (encoding.bits - bits))];\n  }\n\n  // Add padding characters until we hit a byte boundary:\n  if (pad) {\n    while ((out.length * encoding.bits) & 7) {\n      out += '=';\n    }\n  }\n\n  return out;\n}\n","import { importJWK, importSPKI,importX509, type KeyLike } from 'jose';\n\nexport async function importKey(key: JsonWebKey | string, algorithm: string): Promise<KeyLike> {\n  if (typeof key === 'object') {\n    const result = await importJWK(key as Parameters<typeof importJWK>[0], algorithm);\n    if (result instanceof Uint8Array) {\n      throw new Error('Unexpected Uint8Array result from JWK import');\n    }\n    return result;\n  }\n\n  const keyString = key.trim();\n\n  if (keyString.includes('-----BEGIN CERTIFICATE-----')) {\n    return await importX509(keyString, algorithm);\n  }\n\n  if (keyString.includes('-----BEGIN PUBLIC KEY-----')) {\n    return await importSPKI(keyString, algorithm);\n  }\n\n  try {\n    return await importSPKI(keyString, algorithm);\n  } catch (error) {\n    throw new Error(\n      `Unsupported key format. Supported formats: X.509 certificate (PEM), SPKI (PEM), JWK (JSON object or string). Error: ${error}`,\n    );\n  }\n}\n","const algToHash: Record<string, string> = {\n  RS256: 'SHA-256',\n  RS384: 'SHA-384',\n  RS512: 'SHA-512',\n};\nconst RSA_ALGORITHM_NAME = 'RSASSA-PKCS1-v1_5';\n\nconst jwksAlgToCryptoAlg: Record<string, string> = {\n  RS256: RSA_ALGORITHM_NAME,\n  RS384: RSA_ALGORITHM_NAME,\n  RS512: RSA_ALGORITHM_NAME,\n};\n\nexport const algs = Object.keys(algToHash);\n\nexport function getCryptoAlgorithm(algorithmName: string): RsaHashedImportParams {\n  const hash = algToHash[algorithmName];\n  const name = jwksAlgToCryptoAlg[algorithmName];\n\n  if (!hash || !name) {\n    throw new Error(`Unsupported algorithm ${algorithmName}, expected one of ${algs.join(',')}.`);\n  }\n\n  return {\n    hash: { name: algToHash[algorithmName] },\n    name: jwksAlgToCryptoAlg[algorithmName],\n  };\n}\n","import { TokenVerificationError, TokenVerificationErrorReason } from '../utils/errors';\nimport { algs } from './algorithms';\n\nexport const verifyHeaderType = (typ?: unknown) => {\n  if (typeof typ === 'undefined') {\n    return;\n  }\n\n  if (typ !== 'JWT') {\n    throw new TokenVerificationError({\n      reason: TokenVerificationErrorReason.TokenInvalid,\n      message: `Invalid JWT type ${JSON.stringify(typ)}. Expected \"JWT\".`,\n    });\n  }\n};\n\nexport const verifyHeaderKid = (kid?: unknown) => {\n  if (typeof kid === 'undefined') {\n    return;\n  }\n\n  if (typeof kid !== 'string') {\n    throw new TokenVerificationError({\n      reason: TokenVerificationErrorReason.TokenInvalid,\n      message: `Invalid JWT kid ${JSON.stringify(kid)}. Expected a string.`,\n    });\n  }\n};\n\nexport const verifyHeaderAlgorithm = (alg: string) => {\n  if (!algs.includes(alg)) {\n    throw new TokenVerificationError({\n      reason: TokenVerificationErrorReason.TokenInvalidAlgorithm,\n      message: `Invalid JWT algorithm ${JSON.stringify(alg)}. Supported: ${algs}.`,\n    });\n  }\n};\n\nexport const verifySubClaim = (sub?: string) => {\n  if (typeof sub !== 'string') {\n    throw new TokenVerificationError({\n      reason: TokenVerificationErrorReason.TokenVerificationFailed,\n      message: `Subject claim (sub) is required and must be a string. Received ${JSON.stringify(sub)}.`,\n    });\n  }\n};\n\nexport const verifyExpirationClaim = (exp: number | undefined, clockSkewInMs: number) => {\n  if (typeof exp !== 'number') {\n    throw new TokenVerificationError({\n      reason: TokenVerificationErrorReason.TokenVerificationFailed,\n      message: `Invalid JWT expiry date (exp) claim ${JSON.stringify(exp)}. Expected a number.`,\n    });\n  }\n\n  const currentDate = new Date(Date.now());\n  const expiryDate = new Date(0);\n  expiryDate.setUTCSeconds(exp);\n\n  const expired = expiryDate.getTime() <= currentDate.getTime() - clockSkewInMs;\n  if (expired) {\n    throw new TokenVerificationError({\n      reason: TokenVerificationErrorReason.TokenExpired,\n      message: `JWT is expired. Expiry date: ${expiryDate.toUTCString()}, Current date: ${currentDate.toUTCString()}.`,\n    });\n  }\n};\n\nexport const verifyIssuedAtClaim = (iat: number | undefined, clockSkewInMs: number) => {\n  if (typeof iat === 'undefined') {\n    return;\n  }\n\n  if (typeof iat !== 'number') {\n    throw new TokenVerificationError({\n      reason: TokenVerificationErrorReason.TokenVerificationFailed,\n      message: `Invalid JWT issued at date claim (iat) ${JSON.stringify(iat)}. Expected a number.`,\n    });\n  }\n\n  const currentDate = new Date(Date.now());\n  const issuedAtDate = new Date(0);\n  issuedAtDate.setUTCSeconds(iat);\n\n  const postIssued = issuedAtDate.getTime() > currentDate.getTime() + clockSkewInMs;\n  if (postIssued) {\n    throw new TokenVerificationError({\n      reason: TokenVerificationErrorReason.TokenIatInTheFuture,\n      message: `JWT issued at date claim (iat) is in the future. Issued at date: ${issuedAtDate.toUTCString()}; Current date: ${currentDate.toUTCString()};`,\n    });\n  }\n};\n","import type {\n  DecodedIdToken,\n  TernVerificationResult,\n} from \"@tern-secure/types\";\nimport { createRemoteJWKSet, decodeJwt,jwtVerify } from \"jose\";\n\n\nexport type FirebaseIdTokenPayload = DecodedIdToken;\n\n// Firebase public key endpoints\nconst FIREBASE_ID_TOKEN_URL =\n  \"https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com\";\nconst FIREBASE_SESSION_CERT_URL =\n  \"https://identitytoolkit.googleapis.com/v1/sessionCookiePublicKeys\";\n\n//const FIREBASE_NEW_SESSION_PK = \"https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys\"\n\n// Simple in-memory cache for JWKS\nlet idTokenJWKS: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet sessionJWKS: ReturnType<typeof createRemoteJWKSet> | null = null;\n\nconst getIdTokenJWKS = () => {\n  if (!idTokenJWKS) {\n    idTokenJWKS = createRemoteJWKSet(new URL(FIREBASE_ID_TOKEN_URL), {\n      cacheMaxAge: 3600000, // 1 hour\n      timeoutDuration: 5000, // 5 seconds\n      cooldownDuration: 30000, // 30 seconds between retries\n    });\n  }\n  return idTokenJWKS;\n};\n\nconst getSessionJWKS = () => {\n  if (!sessionJWKS) {\n    sessionJWKS = createRemoteJWKSet(new URL(FIREBASE_SESSION_CERT_URL), {\n      cacheMaxAge: 3600000, // 1 hour\n      timeoutDuration: 5000, // 5 seconds\n      cooldownDuration: 30000, // 30 seconds between retries\n    });\n  }\n  return sessionJWKS;\n};\n\n\n\nexport async function verifyToken(\n  token: string,\n  isSessionCookie = false\n): Promise<TernVerificationResult> {\n  try {\n    const projectId = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID;\n    if (!projectId) {\n      throw new Error(\"Firebase Project ID is not configured\");\n    }\n\n    const { decoded } = decodeJwt(token);\n    if (!decoded) {\n      throw new Error(\"Invalid token format\");\n    }\n\n    let retries = 3;\n    let lastError: Error | null = null;\n\n    while (retries > 0) {\n      try {\n        // Use different JWKS based on token type\n        const JWKS = isSessionCookie ? getSessionJWKS() : getIdTokenJWKS();\n\n        const { payload } = await jwtVerify(token, JWKS, {\n          issuer: isSessionCookie\n            ? \"https://session.firebase.google.com/\" + projectId\n            : \"https://securetoken.google.com/\" + projectId,\n          audience: projectId,\n          algorithms: [\"RS256\"],\n        });\n\n        const firebasePayload = payload as unknown as FirebaseIdTokenPayload;\n        const now = Math.floor(Date.now() / 1000);\n\n        // Verify token claims\n        if (firebasePayload.exp <= now) {\n          throw new Error(\"Token has expired\");\n        }\n\n        if (firebasePayload.iat > now) {\n          throw new Error(\"Token issued time is in the future\");\n        }\n\n        if (!firebasePayload.sub) {\n          throw new Error(\"Token subject is empty\");\n        }\n\n        if (firebasePayload.auth_time > now) {\n          throw new Error(\"Token auth time is in the future\");\n        }\n\n        return {\n          valid: true,\n          uid: firebasePayload.sub,\n          sub: firebasePayload.sub,\n          email: firebasePayload.email,\n          email_verified: firebasePayload.email_verified,\n          auth_time: firebasePayload.auth_time,\n          iat: firebasePayload.iat,\n          exp: firebasePayload.exp,\n          aud: firebasePayload.aud,\n          iss: firebasePayload.iss,\n          firebase: firebasePayload.firebase,\n          phone_number: firebasePayload.phone_number,\n          picture: firebasePayload.picture,\n        };\n      } catch (error) {\n        lastError = error as Error;\n        if (error instanceof Error && error.name === \"JWKSNoMatchingKey\") {\n          console.warn(`JWKS retry attempt ${4 - retries}:`, error.message);\n          retries--;\n          if (retries > 0) {\n            await new Promise((resolve) => setTimeout(resolve, 1000));\n            continue;\n          }\n        }\n        throw error;\n      }\n    }\n\n    throw lastError || new Error(\"Failed to verify token after retries\");\n  } catch (error) {\n    console.error(\"Token verification details:\", {\n      error:\n        error instanceof Error\n          ? {\n              name: error.name,\n              message: error.message,\n              stack: error.stack,\n            }\n          : error,\n      decoded: decodeJwt(token),\n      isSessionCookie,\n    });\n\n    return {\n      valid: false,\n      error: {\n        success: false,\n        message: error instanceof Error ? error.message : \"Invalid token\",\n        code: \"INVALID_TOKEN\",\n      },\n    };\n  }\n}\n","import type { JWTPayload } from '@tern-secure/types';\nimport { importPKCS8, SignJWT } from 'jose';\n\nimport type { JwtReturnType } from './types';\n\n\nexport interface CustomTokenClaims {\n  [key: string]: unknown;\n}\n\nexport class CustomTokenError extends Error {\n  constructor(\n    message: string,\n    public code?: string,\n  ) {\n    super(message);\n    this.name = 'CustomTokenError';\n  }\n}\n\nconst RESERVED_CLAIMS = [\n  'acr',\n  'amr',\n  'at_hash',\n  'aud',\n  'auth_time',\n  'azp',\n  'cnf',\n  'c_hash',\n  'exp',\n  'firebase',\n  'iat',\n  'iss',\n  'jti',\n  'nbf',\n  'nonce',\n  'sub',\n];\n\nasync function createCustomTokenJwt(\n  uid: string,\n  developerClaims?: CustomTokenClaims,\n): Promise<JwtReturnType<string, CustomTokenError>> {\n  try {\n    const privateKey = process.env.FIREBASE_PRIVATE_KEY;\n    const clientEmail = process.env.FIREBASE_CLIENT_EMAIL;\n\n    if (!privateKey || !clientEmail) {\n      return {\n        errors: [\n          new CustomTokenError(\n            'Missing FIREBASE_PRIVATE_KEY or FIREBASE_CLIENT_EMAIL environment variables',\n            'MISSING_ENV_VARS',\n          ),\n        ],\n      };\n    }\n\n    if (!uid || typeof uid !== 'string') {\n      return {\n        errors: [new CustomTokenError('uid must be a non-empty string', 'INVALID_UID')],\n      };\n    }\n\n    if (uid.length > 128) {\n      return {\n        errors: [new CustomTokenError('uid must not exceed 128 characters', 'UID_TOO_LONG')],\n      };\n    }\n\n    if (developerClaims) {\n      for (const claim of Object.keys(developerClaims)) {\n        if (RESERVED_CLAIMS.includes(claim)) {\n          return {\n            errors: [new CustomTokenError(`Custom claim '${claim}' is reserved`, 'RESERVED_CLAIM')],\n          };\n        }\n      }\n    }\n\n    // Set expiration (default 1 hour, max 1 hour)\n    const expiresIn = 3600;\n    const now = Math.floor(Date.now() / 1000);\n\n    const parsedPrivateKey = await importPKCS8(privateKey.replace(/\\\\n/g, '\\n'), 'RS256');\n\n    const payload: JWTPayload = {\n      iss: clientEmail,\n      sub: clientEmail,\n      aud: 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit',\n      iat: now,\n      exp: now + expiresIn,\n      uid: uid,\n      ...developerClaims,\n    };\n\n    const jwt = await new SignJWT(payload)\n      .setProtectedHeader({ alg: 'RS256', typ: 'JWT' })\n      .setIssuedAt(now)\n      .setExpirationTime(now + expiresIn)\n      .setIssuer(clientEmail)\n      .setSubject(clientEmail)\n      .setAudience(\n        'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit',\n      )\n      .sign(parsedPrivateKey);\n\n    return {\n      data: jwt,\n    };\n  } catch (error) {\n    const message = error instanceof Error ? error.message : 'Unknown error occurred';\n    return {\n      errors: [\n        new CustomTokenError(`Failed to create custom token: ${message}`, 'TOKEN_CREATION_FAILED'),\n      ],\n    };\n  }\n}\n\nexport async function createCustomToken(\n  uid: string,\n  developerClaims?: CustomTokenClaims,\n): Promise<string> {\n  const { data, errors } = await createCustomTokenJwt(uid, developerClaims);\n\n  if (errors) {\n    throw errors[0];\n  }\n\n  return data;\n}\n\nexport function createCustomTokenWithResult(\n  uid: string,\n  developerClaims?: CustomTokenClaims,\n): Promise<JwtReturnType<string, CustomTokenError>> {\n  return createCustomTokenJwt(uid, developerClaims);\n}","import type { JWTPayload } from '@tern-secure/types';\nimport type { KeyLike } from 'jose';\nimport { importPKCS8, SignJWT } from 'jose';\n\nimport { TokenVerificationError, TokenVerificationErrorReason } from '../utils/errors';\n\nexport interface SignJwtOptions {\n  algorithm?: string;\n  header?: Record<string, unknown>;\n}\n\nexport const ALGORITHM_RS256 = 'RS256' as const;\n\n\nexport type SignOptions = {\n  readonly payload: JWTPayload;\n  readonly privateKey: string;\n  readonly keyId?: string;\n};\n\n\nexport async function ternSignJwt(opts: SignOptions): Promise<string> {\n  const { payload, privateKey, keyId } = opts;\n  let key: KeyLike;\n\n  try {\n    key = await importPKCS8(privateKey, ALGORITHM_RS256);\n  } catch (error) {\n    throw new TokenVerificationError({\n      message: `Failed to import private key: ${(error as Error).message}`,\n      reason: TokenVerificationErrorReason.TokenInvalid,\n    });\n  }\n\n  return new SignJWT(payload)\n    .setProtectedHeader({ alg: ALGORITHM_RS256, kid: keyId })\n    .sign(key);\n}\n","import { createJwtGuard } from './guardReturn';\nimport { ternDecodeJwt as _ternDecodeJwt } from './verifyJwt';\n\nexport const ternDecodeJwt = createJwtGuard(_ternDecodeJwt);\nexport { ternDecodeJwt as ternDecodeJwtUnguarded } from './verifyJwt';\n\nexport * from './jwt';\nexport * from './customJwt';\nexport * from './signJwt';\nexport type { JwtReturnType } from './types';"],"mappings":";AAEO,SAAS,eAAsE,WAAc;AAClG,SAAO,IAAI,SAA6E;AACtF,UAAM,EAAE,MAAM,OAAO,IAAI,UAAU,GAAG,IAAI;AAE1C,QAAI,QAAQ;AACV,YAAM,OAAO,CAAC;AAAA,IAChB;AAEA,WAAO;AAAA,EACT;AACF;;;ACXA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;;;ACLA,IAAM,0BAA0B;AAAA,EACrC,qBAAqB;AAAA,EACrB,mBAAmB;AAAA,EACnB,qBAAqB;AAAA,EACrB,kBAAkB;AAAA,EAClB,gBAAgB;AAAA,EAChB,qBAAqB;AAAA,EACrB,qBAAqB;AAAA,EACrB,4BAA4B;AAAA,EAC5B,iCAAiC;AAAA,EACjC,YAAY;AACd;AAIO,IAAM,+BAA+B;AAAA,EAC1C,cAAc;AAAA,EACd,cAAc;AAAA,EACd,uBAAuB;AAAA,EACvB,+BAA+B;AAAA,EAC/B,uBAAuB;AAAA,EACvB,mBAAmB;AAAA,EACnB,qBAAqB;AAAA,EACrB,yBAAyB;AAAA,EACzB,kBAAkB;AAAA,EAClB,iBAAiB;AAAA,EACjB,uBAAuB;AAAA,EACvB,kBAAkB;AAAA,EAClB,kBAAkB;AAAA,EAClB,oBAAoB;AAAA,EACpB,gBAAgB;AAClB;AAKO,IAAM,yBAAN,MAAM,gCAA+B,MAAM;AAAA,EAChD;AAAA,EACA;AAAA,EAEA,YAAY;AAAA,IACV;AAAA,IACA;AAAA,EACF,GAGG;AACD,UAAM,OAAO;AAEb,WAAO,eAAe,MAAM,wBAAuB,SAAS;AAE5D,SAAK,SAAS;AACd,SAAK,UAAU;AAAA,EACjB;AAAA,EAEO,iBAAiB;AACtB,WAAO,GAAG,CAAC,KAAK,OAAO,EAAE,OAAO,OAAK,CAAC,EAAE,KAAK,GAAG,CAAC,YAAY,KAAK,MAAM,mBACtE,KAAK,YACP;AAAA,EACF;AACA;;;ACvDK,SAAS,8BAA8B,SAAqB;AACjE,QAAM,iBAAiB;AACvB,iBAAe,MAAM,eAAe;AACpC,SAAO;AACT;;;ACEO,IAAM,YAAY;AAAA,EACvB,MAAM,QAAgB,MAAiC;AACrD,WAAO,MAAM,QAAQ,mBAAmB,IAAI;AAAA,EAC9C;AAAA,EAEA,UAAU,MAAyB,MAAiC;AAClE,WAAO,UAAU,MAAM,mBAAmB,IAAI;AAAA,EAChD;AACF;AAEA,IAAM,oBAA8B;AAAA,EAClC,OAAO;AAAA,EACP,MAAM;AACR;AAiBA,SAAS,MAAM,QAAgB,UAAoB,OAAqB,CAAC,GAAe;AAEtF,MAAI,CAAC,SAAS,OAAO;AACnB,aAAS,QAAQ,CAAC;AAClB,aAAS,IAAI,GAAG,IAAI,SAAS,MAAM,QAAQ,EAAE,GAAG;AAC9C,eAAS,MAAM,SAAS,MAAM,CAAC,CAAC,IAAI;AAAA,IACtC;AAAA,EACF;AAGA,MAAI,CAAC,KAAK,SAAU,OAAO,SAAS,SAAS,OAAQ,GAAG;AACtD,UAAM,IAAI,YAAY,iBAAiB;AAAA,EACzC;AAGA,MAAI,MAAM,OAAO;AACjB,SAAO,OAAO,MAAM,CAAC,MAAM,KAAK;AAC9B,MAAE;AAGF,QAAI,CAAC,KAAK,SAAS,GAAI,OAAO,SAAS,OAAO,SAAS,OAAQ,IAAI;AACjE,YAAM,IAAI,YAAY,iBAAiB;AAAA,IACzC;AAAA,EACF;AAGA,QAAM,MAAM,KAAK,KAAK,OAAO,YAAc,MAAM,SAAS,OAAQ,IAAK,CAAC;AAGxE,MAAI,OAAO;AACX,MAAI,SAAS;AACb,MAAI,UAAU;AACd,WAAS,IAAI,GAAG,IAAI,KAAK,EAAE,GAAG;AAE5B,UAAM,QAAQ,SAAS,MAAM,OAAO,CAAC,CAAC;AACtC,QAAI,UAAU,QAAW;AACvB,YAAM,IAAI,YAAY,uBAAuB,OAAO,CAAC,CAAC;AAAA,IACxD;AAGA,aAAU,UAAU,SAAS,OAAQ;AACrC,YAAQ,SAAS;AAGjB,QAAI,QAAQ,GAAG;AACb,cAAQ;AACR,UAAI,SAAS,IAAI,MAAQ,UAAU;AAAA,IACrC;AAAA,EACF;AAGA,MAAI,QAAQ,SAAS,QAAQ,MAAQ,UAAW,IAAI,MAAQ;AAC1D,UAAM,IAAI,YAAY,wBAAwB;AAAA,EAChD;AAEA,SAAO;AACT;AAEA,SAAS,UAAU,MAAyB,UAAoB,OAAyB,CAAC,GAAW;AACnG,QAAM,EAAE,MAAM,KAAK,IAAI;AACvB,QAAM,QAAQ,KAAK,SAAS,QAAQ;AACpC,MAAI,MAAM;AAEV,MAAI,OAAO;AACX,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,EAAE,GAAG;AAEpC,aAAU,UAAU,IAAM,MAAO,KAAK,CAAC;AACvC,YAAQ;AAGR,WAAO,OAAO,SAAS,MAAM;AAC3B,cAAQ,SAAS;AACjB,aAAO,SAAS,MAAM,OAAQ,UAAU,IAAK;AAAA,IAC/C;AAAA,EACF;AAGA,MAAI,MAAM;AACR,WAAO,SAAS,MAAM,OAAQ,UAAW,SAAS,OAAO,IAAM;AAAA,EACjE;AAGA,MAAI,KAAK;AACP,WAAQ,IAAI,SAAS,SAAS,OAAQ,GAAG;AACvC,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;;;ACnIA,SAAS,WAAW,YAAW,kBAAgC;AAE/D,eAAsB,UAAU,KAA0B,WAAqC;AAC7F,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,SAAS,MAAM,UAAU,KAAwC,SAAS;AAChF,QAAI,kBAAkB,YAAY;AAChC,YAAM,IAAI,MAAM,8CAA8C;AAAA,IAChE;AACA,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,IAAI,KAAK;AAE3B,MAAI,UAAU,SAAS,6BAA6B,GAAG;AACrD,WAAO,MAAM,WAAW,WAAW,SAAS;AAAA,EAC9C;AAEA,MAAI,UAAU,SAAS,4BAA4B,GAAG;AACpD,WAAO,MAAM,WAAW,WAAW,SAAS;AAAA,EAC9C;AAEA,MAAI;AACF,WAAO,MAAM,WAAW,WAAW,SAAS;AAAA,EAC9C,SAAS,OAAO;AACd,UAAM,IAAI;AAAA,MACR,uHAAuH,KAAK;AAAA,IAC9H;AAAA,EACF;AACF;;;AC5BA,IAAM,YAAoC;AAAA,EACxC,OAAO;AAAA,EACP,OAAO;AAAA,EACP,OAAO;AACT;AASO,IAAM,OAAO,OAAO,KAAK,SAAS;;;ACGlC,IAAM,kBAAkB,CAAC,QAAkB;AAChD,MAAI,OAAO,QAAQ,aAAa;AAC9B;AAAA,EACF;AAEA,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,mBAAmB,KAAK,UAAU,GAAG,CAAC;AAAA,IACjD,CAAC;AAAA,EACH;AACF;AAWO,IAAM,iBAAiB,CAAC,QAAiB;AAC9C,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,kEAAkE,KAAK,UAAU,GAAG,CAAC;AAAA,IAChG,CAAC;AAAA,EACH;AACF;AAEO,IAAM,wBAAwB,CAAC,KAAyB,kBAA0B;AACvF,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,uCAAuC,KAAK,UAAU,GAAG,CAAC;AAAA,IACrE,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,IAAI,KAAK,KAAK,IAAI,CAAC;AACvC,QAAM,aAAa,oBAAI,KAAK,CAAC;AAC7B,aAAW,cAAc,GAAG;AAE5B,QAAM,UAAU,WAAW,QAAQ,KAAK,YAAY,QAAQ,IAAI;AAChE,MAAI,SAAS;AACX,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,gCAAgC,WAAW,YAAY,CAAC,mBAAmB,YAAY,YAAY,CAAC;AAAA,IAC/G,CAAC;AAAA,EACH;AACF;AAEO,IAAM,sBAAsB,CAAC,KAAyB,kBAA0B;AACrF,MAAI,OAAO,QAAQ,aAAa;AAC9B;AAAA,EACF;AAEA,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,0CAA0C,KAAK,UAAU,GAAG,CAAC;AAAA,IACxE,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,IAAI,KAAK,KAAK,IAAI,CAAC;AACvC,QAAM,eAAe,oBAAI,KAAK,CAAC;AAC/B,eAAa,cAAc,GAAG;AAE9B,QAAM,aAAa,aAAa,QAAQ,IAAI,YAAY,QAAQ,IAAI;AACpE,MAAI,YAAY;AACd,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,oEAAoE,aAAa,YAAY,CAAC,mBAAmB,YAAY,YAAY,CAAC;AAAA,IACrJ,CAAC;AAAA,EACH;AACF;;;ANxEA,IAAM,2BAA2B,IAAI;AAQrC,eAAsB,gBACpB,KACA,KAC2C;AAC3C,QAAM,EAAE,QAAQ,IAAI,IAAI;AACxB,QAAM,gBAAgB,OAAO,OAAO;AAEpC,MAAI;AACF,UAAM,YAAY,MAAM,UAAU,KAAK,aAAa;AAEpD,UAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,IAAI,MAAM,SAAS;AAEvD,WAAO,EAAE,MAAM,QAAQ;AAAA,EACzB,SAAS,OAAO;AACd,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAU,MAAgB;AAAA,QAC5B,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AACF;AAEO,SAAS,cAAc,OAA2D;AACvF,MAAI;AACF,UAAM,SAAS,sBAAsB,KAAK;AAC1C,UAAM,UAAU,UAAU,KAAK;AAE/B,UAAM,cAAc,SAAS,IAAI,SAAS,EAAE,MAAM,GAAG;AACrD,QAAI,WAAW,WAAW,GAAG;AAC3B,aAAO;AAAA,QACL,QAAQ;AAAA,UACN,IAAI,uBAAuB;AAAA,YACzB,QAAQ,6BAA6B;AAAA,YACrC,SAAS;AAAA,UACX,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAEA,UAAM,CAAC,WAAW,YAAY,YAAY,IAAI;AAC9C,UAAM,YAAY,UAAU,MAAM,cAAc,EAAE,OAAO,KAAK,CAAC;AAE/D,UAAM,OAAO;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,MACA,KAAK;AAAA,QACH,QAAQ;AAAA,QACR,SAAS;AAAA,QACT,WAAW;AAAA,QACX,MAAM;AAAA,MACR;AAAA,IACF;AAEA,WAAO,EAAE,KAAK;AAAA,EAChB,SAAS,OAAO;AACd,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAS,GAAI,MAAgB,WAAW,8CAA8C,mBAAmB,OAAO,MAAM,qBAAqB,OAAO,UAAU,GAAG,EAAE,CAAC;AAAA,QACpK,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AACF;AAEA,eAAsB,UACpB,OACA,SACgE;AAChE,QAAM,EAAE,IAAI,IAAI;AAChB,QAAM,YAAY,QAAQ,iBAAiB;AAE3C,QAAM,EAAE,MAAM,SAAS,OAAO,IAAI,cAAc,KAAK;AACrD,MAAI,QAAQ;AACV,WAAO,EAAE,OAAO;AAAA,EAClB;AAEA,QAAM,EAAE,QAAQ,QAAQ,IAAI;AAE5B,MAAI;AACF,oBAAgB,OAAO,GAAG;AAC1B,mBAAe,QAAQ,GAAG;AAC1B,0BAAsB,QAAQ,KAAK,SAAS;AAC5C,wBAAoB,QAAQ,KAAK,SAAS;AAAA,EAC5C,SAAS,OAAO;AACd,WAAO,EAAE,QAAQ,CAAC,KAA+B,EAAE;AAAA,EACrD;AAEA,QAAM,EAAE,MAAM,iBAAiB,QAAQ,gBAAgB,IAAI,MAAM,gBAAgB,SAAS,GAAG;AAC7F,MAAI,iBAAiB;AACnB,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,QAAM,iBAAiB,8BAA8B,eAAe;AAEpE,SAAO,EAAE,MAAM,eAAe;AAChC;;;AOnIA,SAAS,oBAAoB,aAAAA,YAAU,aAAAC,kBAAiB;AAMxD,IAAM,wBACJ;AACF,IAAM,4BACJ;AAKF,IAAI,cAA4D;AAChE,IAAI,cAA4D;AAEhE,IAAM,iBAAiB,MAAM;AAC3B,MAAI,CAAC,aAAa;AAChB,kBAAc,mBAAmB,IAAI,IAAI,qBAAqB,GAAG;AAAA,MAC/D,aAAa;AAAA;AAAA,MACb,iBAAiB;AAAA;AAAA,MACjB,kBAAkB;AAAA;AAAA,IACpB,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAEA,IAAM,iBAAiB,MAAM;AAC3B,MAAI,CAAC,aAAa;AAChB,kBAAc,mBAAmB,IAAI,IAAI,yBAAyB,GAAG;AAAA,MACnE,aAAa;AAAA;AAAA,MACb,iBAAiB;AAAA;AAAA,MACjB,kBAAkB;AAAA;AAAA,IACpB,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAIA,eAAsB,YACpB,OACA,kBAAkB,OACe;AACjC,MAAI;AACF,UAAM,YAAY,QAAQ,IAAI;AAC9B,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,uCAAuC;AAAA,IACzD;AAEA,UAAM,EAAE,QAAQ,IAAID,WAAU,KAAK;AACnC,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,sBAAsB;AAAA,IACxC;AAEA,QAAI,UAAU;AACd,QAAI,YAA0B;AAE9B,WAAO,UAAU,GAAG;AAClB,UAAI;AAEF,cAAM,OAAO,kBAAkB,eAAe,IAAI,eAAe;AAEjE,cAAM,EAAE,QAAQ,IAAI,MAAMC,WAAU,OAAO,MAAM;AAAA,UAC/C,QAAQ,kBACJ,yCAAyC,YACzC,oCAAoC;AAAA,UACxC,UAAU;AAAA,UACV,YAAY,CAAC,OAAO;AAAA,QACtB,CAAC;AAED,cAAM,kBAAkB;AACxB,cAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAGxC,YAAI,gBAAgB,OAAO,KAAK;AAC9B,gBAAM,IAAI,MAAM,mBAAmB;AAAA,QACrC;AAEA,YAAI,gBAAgB,MAAM,KAAK;AAC7B,gBAAM,IAAI,MAAM,oCAAoC;AAAA,QACtD;AAEA,YAAI,CAAC,gBAAgB,KAAK;AACxB,gBAAM,IAAI,MAAM,wBAAwB;AAAA,QAC1C;AAEA,YAAI,gBAAgB,YAAY,KAAK;AACnC,gBAAM,IAAI,MAAM,kCAAkC;AAAA,QACpD;AAEA,eAAO;AAAA,UACL,OAAO;AAAA,UACP,KAAK,gBAAgB;AAAA,UACrB,KAAK,gBAAgB;AAAA,UACrB,OAAO,gBAAgB;AAAA,UACvB,gBAAgB,gBAAgB;AAAA,UAChC,WAAW,gBAAgB;AAAA,UAC3B,KAAK,gBAAgB;AAAA,UACrB,KAAK,gBAAgB;AAAA,UACrB,KAAK,gBAAgB;AAAA,UACrB,KAAK,gBAAgB;AAAA,UACrB,UAAU,gBAAgB;AAAA,UAC1B,cAAc,gBAAgB;AAAA,UAC9B,SAAS,gBAAgB;AAAA,QAC3B;AAAA,MACF,SAAS,OAAO;AACd,oBAAY;AACZ,YAAI,iBAAiB,SAAS,MAAM,SAAS,qBAAqB;AAChE,kBAAQ,KAAK,sBAAsB,IAAI,OAAO,KAAK,MAAM,OAAO;AAChE;AACA,cAAI,UAAU,GAAG;AACf,kBAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,GAAI,CAAC;AACxD;AAAA,UACF;AAAA,QACF;AACA,cAAM;AAAA,MACR;AAAA,IACF;AAEA,UAAM,aAAa,IAAI,MAAM,sCAAsC;AAAA,EACrE,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B;AAAA,MAC3C,OACE,iBAAiB,QACb;AAAA,QACE,MAAM,MAAM;AAAA,QACZ,SAAS,MAAM;AAAA,QACf,OAAO,MAAM;AAAA,MACf,IACA;AAAA,MACN,SAASD,WAAU,KAAK;AAAA,MACxB;AAAA,IACF,CAAC;AAED,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,QACL,SAAS;AAAA,QACT,SAAS,iBAAiB,QAAQ,MAAM,UAAU;AAAA,QAClD,MAAM;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACF;;;ACpJA,SAAS,aAAa,eAAe;AAS9B,IAAM,mBAAN,cAA+B,MAAM;AAAA,EAC1C,YACE,SACO,MACP;AACA,UAAM,OAAO;AAFN;AAGP,SAAK,OAAO;AAAA,EACd;AACF;AAEA,IAAM,kBAAkB;AAAA,EACtB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,eAAe,qBACb,KACA,iBACkD;AAClD,MAAI;AACF,UAAM,aAAa,QAAQ,IAAI;AAC/B,UAAM,cAAc,QAAQ,IAAI;AAEhC,QAAI,CAAC,cAAc,CAAC,aAAa;AAC/B,aAAO;AAAA,QACL,QAAQ;AAAA,UACN,IAAI;AAAA,YACF;AAAA,YACA;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,OAAO,OAAO,QAAQ,UAAU;AACnC,aAAO;AAAA,QACL,QAAQ,CAAC,IAAI,iBAAiB,kCAAkC,aAAa,CAAC;AAAA,MAChF;AAAA,IACF;AAEA,QAAI,IAAI,SAAS,KAAK;AACpB,aAAO;AAAA,QACL,QAAQ,CAAC,IAAI,iBAAiB,sCAAsC,cAAc,CAAC;AAAA,MACrF;AAAA,IACF;AAEA,QAAI,iBAAiB;AACnB,iBAAW,SAAS,OAAO,KAAK,eAAe,GAAG;AAChD,YAAI,gBAAgB,SAAS,KAAK,GAAG;AACnC,iBAAO;AAAA,YACL,QAAQ,CAAC,IAAI,iBAAiB,iBAAiB,KAAK,iBAAiB,gBAAgB,CAAC;AAAA,UACxF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,UAAM,YAAY;AAClB,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAExC,UAAM,mBAAmB,MAAM,YAAY,WAAW,QAAQ,QAAQ,IAAI,GAAG,OAAO;AAEpF,UAAM,UAAsB;AAAA,MAC1B,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK,MAAM;AAAA,MACX;AAAA,MACA,GAAG;AAAA,IACL;AAEA,UAAM,MAAM,MAAM,IAAI,QAAQ,OAAO,EAClC,mBAAmB,EAAE,KAAK,SAAS,KAAK,MAAM,CAAC,EAC/C,YAAY,GAAG,EACf,kBAAkB,MAAM,SAAS,EACjC,UAAU,WAAW,EACrB,WAAW,WAAW,EACtB;AAAA,MACC;AAAA,IACF,EACC,KAAK,gBAAgB;AAExB,WAAO;AAAA,MACL,MAAM;AAAA,IACR;AAAA,EACF,SAAS,OAAO;AACd,UAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,iBAAiB,kCAAkC,OAAO,IAAI,uBAAuB;AAAA,MAC3F;AAAA,IACF;AAAA,EACF;AACF;AAEA,eAAsB,kBACpB,KACA,iBACiB;AACjB,QAAM,EAAE,MAAM,OAAO,IAAI,MAAM,qBAAqB,KAAK,eAAe;AAExE,MAAI,QAAQ;AACV,UAAM,OAAO,CAAC;AAAA,EAChB;AAEA,SAAO;AACT;AAEO,SAAS,4BACd,KACA,iBACkD;AAClD,SAAO,qBAAqB,KAAK,eAAe;AAClD;;;ACxIA,SAAS,eAAAE,cAAa,WAAAC,gBAAe;AAS9B,IAAM,kBAAkB;AAU/B,eAAsB,YAAY,MAAoC;AACpE,QAAM,EAAE,SAAS,YAAY,MAAM,IAAI;AACvC,MAAI;AAEJ,MAAI;AACF,UAAM,MAAMC,aAAY,YAAY,eAAe;AAAA,EACrD,SAAS,OAAO;AACd,UAAM,IAAI,uBAAuB;AAAA,MAC/B,SAAS,iCAAkC,MAAgB,OAAO;AAAA,MAClE,QAAQ,6BAA6B;AAAA,IACvC,CAAC;AAAA,EACH;AAEA,SAAO,IAAIC,SAAQ,OAAO,EACvB,mBAAmB,EAAE,KAAK,iBAAiB,KAAK,MAAM,CAAC,EACvD,KAAK,GAAG;AACb;;;AClCO,IAAMC,iBAAgB,eAAe,aAAc;","names":["decodeJwt","jwtVerify","importPKCS8","SignJWT","importPKCS8","SignJWT","ternDecodeJwt"]}

package/dist/{chunk-DFAJCSBJ.mjs → chunk-WIVOBOZR.mjs}

@@ -37,6 +37,7 @@ var QueryParameters = {
 };
 var Headers = {
   Accept: "accept",
+  AppCheckToken: "x-firebase-appcheck",
   AuthMessage: "x-ternsecure-auth-message",
   Authorization: "authorization",
   AuthReason: "x-ternsecure-auth-reason",
@@ -82,4 +83,4 @@ export {
   CACHE_CONTROL_REGEX,
   constants
 };
-//# sourceMappingURL=chunk-DFAJCSBJ.mjs.map
+//# sourceMappingURL=chunk-WIVOBOZR.mjs.map

package/dist/chunk-WIVOBOZR.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/constants.ts"],"sourcesContent":["export const GOOGLE_PUBLIC_KEYS_URL =\n  'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com';\nexport const SESSION_COOKIE_PUBLIC_KEYS_URL =\n  'https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys';\n\nexport const MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;\nexport const DEFAULT_CACHE_DURATION = 3600 * 1000; // 1 hour in milliseconds\nexport const CACHE_CONTROL_REGEX = /max-age=(\\d+)/;\n\nconst Attributes = {\n  AuthToken: '__ternsecureAuthToken',\n  AuthSignature: '__ternsecureAuthSignature',\n  AuthStatus: '__ternsecureAuthStatus',\n  AuthReason: '__ternsecureAuthReason',\n  AuthMessage: '__ternsecureAuthMessage',\n  TernSecureUrl: '__ternsecureUrl',\n} as const;\n\nconst Cookies = {\n  Session: '__session',\n  CsrfToken: '__terncf',\n  IdToken: 'TernSecure_[DEFAULT]',\n  Refresh: 'TernSecureID_[DEFAULT]',\n  Custom: '__custom',\n  TernAut: 'tern_aut',\n  Handshake: '__ternsecure_handshake',\n  DevBrowser: '__ternsecure_db_jwt',\n  RedirectCount: '__ternsecure_redirect_count',\n  HandshakeNonce: '__ternsecure_handshake_nonce',\n} as const;\n\n\nconst QueryParameters = {\n  TernSynced: '__tern_synced',\n  SuffixedCookies: 'suffixed_cookies',\n  TernRedirectUrl: '__tern_redirect_url',\n  // use the reference to Cookies to indicate that it's the same value\n  DevBrowser: Cookies.DevBrowser,\n  Handshake: Cookies.Handshake,\n  HandshakeHelp: '__tern_help',\n  LegacyDevBrowser: '__dev_session',\n  HandshakeReason: '__tern_hs_reason',\n  HandshakeNonce: Cookies.HandshakeNonce,\n} as const;\n\nconst Headers = {\n  Accept: 'accept',\n  AppCheckToken: 'x-firebase-appcheck',\n  AuthMessage: 'x-ternsecure-auth-message',\n  Authorization: 'authorization',\n  AuthReason: 'x-ternsecure-auth-reason',\n  AuthSignature: 'x-ternsecure-auth-signature',\n  AuthStatus: 'x-ternsecure-auth-status',\n  AuthToken: 'x-ternsecure-auth-token',\n  CacheControl: 'cache-control',\n  TernSecureRedirectTo: 'x-ternsecure-redirect-to',\n  TernSecureRequestData: 'x-ternsecure-request-data',\n  TernSecureUrl: 'x-ternsecure-url',\n  CloudFrontForwardedProto: 'cloudfront-forwarded-proto',\n  ContentType: 'content-type',\n  ContentSecurityPolicy: 'content-security-policy',\n  ContentSecurityPolicyReportOnly: 'content-security-policy-report-only',\n  EnableDebug: 'x-ternsecure-debug',\n  ForwardedHost: 'x-forwarded-host',\n  ForwardedPort: 'x-forwarded-port',\n  ForwardedProto: 'x-forwarded-proto',\n  Host: 'host',\n  Location: 'location',\n  Nonce: 'x-nonce',\n  Origin: 'origin',\n  Referrer: 'referer',\n  SecFetchDest: 'sec-fetch-dest',\n  UserAgent: 'user-agent',\n  ReportingEndpoints: 'reporting-endpoints',\n} as const;\n\nconst ContentTypes = {\n  Json: 'application/json',\n} as const;\n\n/**\n * @internal\n */\nexport const constants = {\n  Attributes,\n  Cookies,\n  Headers,\n  ContentTypes,\n  QueryParameters,\n} as const;\n\nexport type Constants = typeof constants;\n"],"mappings":";AAAO,IAAM,yBACX;AAIK,IAAM,oCAAoC,IAAI;AAC9C,IAAM,yBAAyB,OAAO;AACtC,IAAM,sBAAsB;AAEnC,IAAM,aAAa;AAAA,EACjB,WAAW;AAAA,EACX,eAAe;AAAA,EACf,YAAY;AAAA,EACZ,YAAY;AAAA,EACZ,aAAa;AAAA,EACb,eAAe;AACjB;AAEA,IAAM,UAAU;AAAA,EACd,SAAS;AAAA,EACT,WAAW;AAAA,EACX,SAAS;AAAA,EACT,SAAS;AAAA,EACT,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,WAAW;AAAA,EACX,YAAY;AAAA,EACZ,eAAe;AAAA,EACf,gBAAgB;AAClB;AAGA,IAAM,kBAAkB;AAAA,EACtB,YAAY;AAAA,EACZ,iBAAiB;AAAA,EACjB,iBAAiB;AAAA;AAAA,EAEjB,YAAY,QAAQ;AAAA,EACpB,WAAW,QAAQ;AAAA,EACnB,eAAe;AAAA,EACf,kBAAkB;AAAA,EAClB,iBAAiB;AAAA,EACjB,gBAAgB,QAAQ;AAC1B;AAEA,IAAM,UAAU;AAAA,EACd,QAAQ;AAAA,EACR,eAAe;AAAA,EACf,aAAa;AAAA,EACb,eAAe;AAAA,EACf,YAAY;AAAA,EACZ,eAAe;AAAA,EACf,YAAY;AAAA,EACZ,WAAW;AAAA,EACX,cAAc;AAAA,EACd,sBAAsB;AAAA,EACtB,uBAAuB;AAAA,EACvB,eAAe;AAAA,EACf,0BAA0B;AAAA,EAC1B,aAAa;AAAA,EACb,uBAAuB;AAAA,EACvB,iCAAiC;AAAA,EACjC,aAAa;AAAA,EACb,eAAe;AAAA,EACf,eAAe;AAAA,EACf,gBAAgB;AAAA,EAChB,MAAM;AAAA,EACN,UAAU;AAAA,EACV,OAAO;AAAA,EACP,QAAQ;AAAA,EACR,UAAU;AAAA,EACV,cAAc;AAAA,EACd,WAAW;AAAA,EACX,oBAAoB;AACtB;AAEA,IAAM,eAAe;AAAA,EACnB,MAAM;AACR;AAKO,IAAM,YAAY;AAAA,EACvB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;","names":[]}

package/dist/constants.d.ts

@@ -29,6 +29,7 @@ export declare const constants: {
     };
     readonly Headers: {
         readonly Accept: "accept";
+        readonly AppCheckToken: "x-firebase-appcheck";
         readonly AuthMessage: "x-ternsecure-auth-message";
         readonly Authorization: "authorization";
         readonly AuthReason: "x-ternsecure-auth-reason";

package/dist/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,sBAAsB,6FACyD,CAAC;AAC7F,eAAO,MAAM,8BAA8B,0EAC8B,CAAC;AAE1E,eAAO,MAAM,iCAAiC,QAAS,CAAC;AACxD,eAAO,MAAM,sBAAsB,QAAc,CAAC;AAClD,eAAO,MAAM,mBAAmB,QAAkB,CAAC;AAwEnD;;GAEG;AACH,eAAO,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAMZ,CAAC;AAEX,MAAM,MAAM,SAAS,GAAG,OAAO,SAAS,CAAC"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,sBAAsB,6FACyD,CAAC;AAC7F,eAAO,MAAM,8BAA8B,0EAC8B,CAAC;AAE1E,eAAO,MAAM,iCAAiC,QAAS,CAAC;AACxD,eAAO,MAAM,sBAAsB,QAAc,CAAC;AAClD,eAAO,MAAM,mBAAmB,QAAkB,CAAC;AAyEnD;;GAEG;AACH,eAAO,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAMZ,CAAC;AAEX,MAAM,MAAM,SAAS,GAAG,OAAO,SAAS,CAAC"}

package/dist/fireRestApi/createFireApi.d.ts

@@ -1,8 +1,9 @@
-import { EmailApi, PasswordApi, SignInApi, SignInTokenApi, SignUpApi, TokenApi, UserData } from './endpoints';
+import { AppCheckApi, EmailApi, PasswordApi, SignInApi, SignInTokenApi, SignUpApi, TokenApi, UserData } from './endpoints';
 import { createRequest } from './request';
 export type CreateFireApiOptions = Parameters<typeof createRequest>[0];
 export type ApiClient = ReturnType<typeof createFireApi>;
 export declare function createFireApi(options: CreateFireApiOptions): {
+    appCheck: AppCheckApi;
     email: EmailApi;
     password: PasswordApi;
     signIn: SignInApi;

package/dist/fireRestApi/createFireApi.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"createFireApi.d.ts","sourceRoot":"","sources":["../../src/fireRestApi/createFireApi.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,SAAS,EAAE,cAAc,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAC9G,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAE1C,MAAM,MAAM,oBAAoB,GAAG,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;AACvE,MAAM,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC;AAEzD,wBAAgB,aAAa,CAAC,OAAO,EAAE,oBAAoB;;;;;;;;EAW1D"}
+{"version":3,"file":"createFireApi.d.ts","sourceRoot":"","sources":["../../src/fireRestApi/createFireApi.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,WAAW,EAAE,SAAS,EAAE,cAAc,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAC3H,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAE1C,MAAM,MAAM,oBAAoB,GAAG,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;AACvE,MAAM,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC;AAEzD,wBAAgB,aAAa,CAAC,OAAO,EAAE,oBAAoB;;;;;;;;;EAY1D"}

package/dist/fireRestApi/endpoints/AppCheckApi.d.ts

@@ -0,0 +1,23 @@
+import { AbstractAPI } from './AbstractApi';
+export interface AppCheckTokenResponse {
+    token: string;
+    ttl: string;
+}
+type AppCheckParams = {
+    accessToken: string;
+    projectId: string;
+    appId: string;
+    customToken: string;
+    limitedUse?: boolean;
+};
+export declare function getSdkVersion(): string;
+/**
+ * App Check API for managing Firebase App Check tokens via REST
+ * Firebase REST API endpoint: https://firebaseappcheck.googleapis.com/v1beta/projects/{projectId}/apps/{appId}:exchangeCustomToken
+ */
+export declare class AppCheckApi extends AbstractAPI {
+    exchangeCustomToken(params: AppCheckParams): Promise<AppCheckTokenResponse>;
+    exchangeDebugToken(params: AppCheckParams): Promise<AppCheckTokenResponse>;
+}
+export {};
+//# sourceMappingURL=AppCheckApi.d.ts.map

package/dist/fireRestApi/endpoints/AppCheckApi.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AppCheckApi.d.ts","sourceRoot":"","sources":["../../../src/fireRestApi/endpoints/AppCheckApi.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAG5C,MAAM,WAAW,qBAAqB;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;CACf;AAGD,KAAK,cAAc,GAAG;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;CACxB,CAAA;AAED,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAMD;;;GAGG;AACH,qBAAa,WAAY,SAAQ,WAAW;IAC3B,mBAAmB,CAAC,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,qBAAqB,CAAC;IAyC3E,kBAAkB,CAAC,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,qBAAqB,CAAC;CAwC1F"}

package/dist/fireRestApi/endpoints/TokenApi.d.ts

@@ -7,6 +7,7 @@ type RefreshTokenParams = {
     request_originating_ip?: string;
     request_headers?: Record<string, string[]>;
     suffixed_cookies?: boolean;
+    app_check_token?: string;
     format?: 'token' | 'cookie';
 };
 type IdAndRefreshTokensParams = {
@@ -15,10 +16,11 @@ type IdAndRefreshTokensParams = {
 };
 type IdAndRefreshTokensOptions = {
     referer?: string;
+    appCheckToken?: string;
 };
 export declare class TokenApi extends AbstractAPI {
     refreshToken(apiKey: string, params: RefreshTokenParams): Promise<import("../request").BackendApiResponse<unknown>>;
-    exchangeCustomForIdAndRefreshTokens(apiKey: string, params: IdAndRefreshTokensParams, options?: IdAndRefreshTokensOptions): Promise<import("../request").BackendApiResponse<IdAndRefreshTokens>>;
+    exchangeCustomForIdAndRefreshTokens(apiKey: string, params: IdAndRefreshTokensParams, options?: IdAndRefreshTokensOptions): Promise<IdAndRefreshTokens>;
 }
 export {};
 //# sourceMappingURL=TokenApi.d.ts.map

package/dist/fireRestApi/endpoints/TokenApi.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"TokenApi.d.ts","sourceRoot":"","sources":["../../../src/fireRestApi/endpoints/TokenApi.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAE5C,KAAK,kBAAkB,GAAG;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAC3C,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,MAAM,CAAC,EAAE,OAAO,GAAG,QAAQ,CAAC;CAC7B,CAAC;AAEF,KAAK,wBAAwB,GAAG;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B,CAAC;AAEF,KAAK,yBAAyB,GAAG;IAC/B,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,qBAAa,QAAS,SAAQ,WAAW;IAC1B,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,kBAAkB;IAwBvD,mCAAmC,CAC9C,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,wBAAwB,EAChC,OAAO,CAAC,EAAE,yBAAyB;CAiBtC"}
+{"version":3,"file":"TokenApi.d.ts","sourceRoot":"","sources":["../../../src/fireRestApi/endpoints/TokenApi.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAE5C,KAAK,kBAAkB,GAAG;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAC3C,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,MAAM,CAAC,EAAE,OAAO,GAAG,QAAQ,CAAC;CAC7B,CAAC;AAEF,KAAK,wBAAwB,GAAG;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B,CAAC;AAEF,KAAK,yBAAyB,GAAG;IAC/B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,qBAAa,QAAS,SAAQ,WAAW;IAC1B,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,kBAAkB;IA6BvD,mCAAmC,CAC9C,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,wBAAwB,EAChC,OAAO,CAAC,EAAE,yBAAyB,GAClC,OAAO,CAAC,kBAAkB,CAAC;CA6B/B"}

package/dist/fireRestApi/endpoints/UserData.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"UserData.d.ts","sourceRoot":"","sources":["../../../src/fireRestApi/endpoints/UserData.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAE5C,KAAK,cAAc,GAAG;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,KAAK,eAAe,GAAG;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,qBAAa,QAAS,SAAQ,WAAW;IACxB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,OAAO,CAAC,EAAE,eAAe;CAgB7F"}
+{"version":3,"file":"UserData.d.ts","sourceRoot":"","sources":["../../../src/fireRestApi/endpoints/UserData.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAE5C,KAAK,cAAc,GAAG;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,KAAK,eAAe,GAAG;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,qBAAa,QAAS,SAAQ,WAAW;IAC1B,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,OAAO,CAAC,EAAE,eAAe;CAgB3F"}

package/dist/fireRestApi/endpoints/index.d.ts

@@ -1,3 +1,4 @@
+export * from './AppCheckApi';
 export * from './EmailApi';
 export * from './PasswordApi';
 export * from './SignInApi';

package/dist/fireRestApi/endpoints/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/fireRestApi/endpoints/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,eAAe,CAAC;AAC9B,cAAc,aAAa,CAAC;AAC5B,cAAc,kBAAkB,CAAC;AACjC,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC;AAC3B,cAAc,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/fireRestApi/endpoints/index.ts"],"names":[],"mappings":"AAAA,cAAc,eAAe,CAAC;AAC9B,cAAc,YAAY,CAAC;AAC3B,cAAc,eAAe,CAAC;AAC9B,cAAc,aAAa,CAAC;AAC5B,cAAc,kBAAkB,CAAC;AACjC,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC;AAC3B,cAAc,YAAY,CAAC"}

package/dist/fireRestApi/request.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"request.d.ts","sourceRoot":"","sources":["../../src/fireRestApi/request.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,uBAAuB,EACvB,2BAA2B,EAC5B,MAAM,oBAAoB,CAAC;AAa5B,MAAM,MAAM,UAAU,GAAG,QAAQ,GAAG,KAAK,GAAG,OAAO,GAAG,MAAM,GAAG,KAAK,CAAC;AACrE,MAAM,MAAM,gBAAgB,GACxB,QAAQ,GACR,cAAc,GACd,oBAAoB,GACpB,QAAQ,GACR,uBAAuB,GACvB,eAAe,GACf,aAAa,CAAA;AAEjB,MAAM,MAAM,wBAAwB,GAAG;IACrC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACtC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtC,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,QAAQ,CAAC,EAAE,QAAQ,CAAC;CACrB,CAAA;AAED,MAAM,MAAM,kBAAkB,CAAC,CAAC,IAC5B;IACE,IAAI,EAAE,CAAC,CAAC;IACR,MAAM,EAAE,IAAI,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,GACD;IACE,IAAI,EAAE,IAAI,CAAC;IACX,MAAM,EAAE,uBAAuB,EAAE,CAAC;IAClC,UAAU,CAAC,EAAE,KAAK,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEN,MAAM,MAAM,eAAe,GAAG,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC;AAE/D,KAAK,oBAAoB,GAAG;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAaF,wBAAgB,aAAa,CAAC,OAAO,EAAE,oBAAoB,IAChC,CAAC,kBACR,wBAAwB,KACvC,OAAO,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,CAmGlC;AAwCD,wBAAgB,UAAU,CAAC,KAAK,EAAE,2BAA2B,GAAG,uBAAuB,CAOtF"}
+{"version":3,"file":"request.d.ts","sourceRoot":"","sources":["../../src/fireRestApi/request.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,uBAAuB,EACvB,2BAA2B,EAC5B,MAAM,oBAAoB,CAAC;AAa5B,MAAM,MAAM,UAAU,GAAG,QAAQ,GAAG,KAAK,GAAG,OAAO,GAAG,MAAM,GAAG,KAAK,CAAC;AACrE,MAAM,MAAM,gBAAgB,GACxB,QAAQ,GACR,cAAc,GACd,oBAAoB,GACpB,QAAQ,GACR,uBAAuB,GACvB,eAAe,GACf,aAAa,CAAA;AAEjB,MAAM,MAAM,wBAAwB,GAAG;IACrC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACtC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtC,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,QAAQ,CAAC,EAAE,QAAQ,CAAC;CACrB,CAAA;AAED,MAAM,MAAM,kBAAkB,CAAC,CAAC,IAC5B;IACE,IAAI,EAAE,CAAC,CAAC;IACR,MAAM,EAAE,IAAI,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,GACD;IACE,IAAI,EAAE,IAAI,CAAC;IACX,MAAM,EAAE,uBAAuB,EAAE,CAAC;IAClC,UAAU,CAAC,EAAE,KAAK,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEN,MAAM,MAAM,eAAe,GAAG,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC;AAE/D,KAAK,oBAAoB,GAAG;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAaF,wBAAgB,aAAa,CAAC,OAAO,EAAE,oBAAoB,IAChC,CAAC,kBACR,wBAAwB,KACvC,OAAO,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,CA6GlC;AAwCD,wBAAgB,UAAU,CAAC,KAAK,EAAE,2BAA2B,GAAG,uBAAuB,CAOtF"}