@tern-secure/backend 1.2.0-canary.v20251127221555 → 1.2.0-canary.v20251202162458

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (91) hide show
  1. package/dist/adapters/index.d.ts +1 -1
  2. package/dist/adapters/index.d.ts.map +1 -1
  3. package/dist/adapters/types.d.ts +42 -0
  4. package/dist/adapters/types.d.ts.map +1 -1
  5. package/dist/admin/index.d.ts +1 -1
  6. package/dist/admin/index.d.ts.map +1 -1
  7. package/dist/admin/index.js +8 -1
  8. package/dist/admin/index.js.map +1 -1
  9. package/dist/admin/index.mjs +10 -70
  10. package/dist/admin/index.mjs.map +1 -1
  11. package/dist/app-check/AppCheckApi.d.ts +14 -0
  12. package/dist/app-check/AppCheckApi.d.ts.map +1 -0
  13. package/dist/app-check/generator.d.ts +9 -0
  14. package/dist/app-check/generator.d.ts.map +1 -0
  15. package/dist/app-check/index.d.ts +18 -0
  16. package/dist/app-check/index.d.ts.map +1 -0
  17. package/dist/app-check/index.js +1052 -0
  18. package/dist/app-check/index.js.map +1 -0
  19. package/dist/app-check/index.mjs +13 -0
  20. package/dist/app-check/index.mjs.map +1 -0
  21. package/dist/app-check/serverAppCheck.d.ts +33 -0
  22. package/dist/app-check/serverAppCheck.d.ts.map +1 -0
  23. package/dist/app-check/types.d.ts +21 -0
  24. package/dist/app-check/types.d.ts.map +1 -0
  25. package/dist/app-check/verifier.d.ts +16 -0
  26. package/dist/app-check/verifier.d.ts.map +1 -0
  27. package/dist/auth/credential.d.ts +5 -5
  28. package/dist/auth/credential.d.ts.map +1 -1
  29. package/dist/auth/getauth.d.ts +2 -1
  30. package/dist/auth/getauth.d.ts.map +1 -1
  31. package/dist/auth/index.d.ts +2 -0
  32. package/dist/auth/index.d.ts.map +1 -1
  33. package/dist/auth/index.js +819 -394
  34. package/dist/auth/index.js.map +1 -1
  35. package/dist/auth/index.mjs +5 -3
  36. package/dist/chunk-3OGMNIOJ.mjs +174 -0
  37. package/dist/chunk-3OGMNIOJ.mjs.map +1 -0
  38. package/dist/{chunk-GFH5CXQR.mjs → chunk-AW5OXT7N.mjs} +2 -2
  39. package/dist/chunk-IEJQ7F4A.mjs +778 -0
  40. package/dist/chunk-IEJQ7F4A.mjs.map +1 -0
  41. package/dist/{chunk-NXYWC6YO.mjs → chunk-TUYCJY35.mjs} +182 -6
  42. package/dist/chunk-TUYCJY35.mjs.map +1 -0
  43. package/dist/constants.d.ts +10 -1
  44. package/dist/constants.d.ts.map +1 -1
  45. package/dist/fireRestApi/endpoints/AppCheckApi.d.ts.map +1 -1
  46. package/dist/index.d.ts +4 -1
  47. package/dist/index.d.ts.map +1 -1
  48. package/dist/index.js +1570 -1183
  49. package/dist/index.js.map +1 -1
  50. package/dist/index.mjs +97 -135
  51. package/dist/index.mjs.map +1 -1
  52. package/dist/jwt/crypto-signer.d.ts +21 -0
  53. package/dist/jwt/crypto-signer.d.ts.map +1 -0
  54. package/dist/jwt/index.d.ts +2 -1
  55. package/dist/jwt/index.d.ts.map +1 -1
  56. package/dist/jwt/index.js +119 -2
  57. package/dist/jwt/index.js.map +1 -1
  58. package/dist/jwt/index.mjs +7 -3
  59. package/dist/jwt/signJwt.d.ts +8 -2
  60. package/dist/jwt/signJwt.d.ts.map +1 -1
  61. package/dist/jwt/types.d.ts +6 -0
  62. package/dist/jwt/types.d.ts.map +1 -1
  63. package/dist/jwt/verifyJwt.d.ts +7 -1
  64. package/dist/jwt/verifyJwt.d.ts.map +1 -1
  65. package/dist/tokens/authstate.d.ts +2 -0
  66. package/dist/tokens/authstate.d.ts.map +1 -1
  67. package/dist/tokens/c-authenticateRequestProcessor.d.ts +2 -2
  68. package/dist/tokens/c-authenticateRequestProcessor.d.ts.map +1 -1
  69. package/dist/tokens/keys.d.ts.map +1 -1
  70. package/dist/tokens/request.d.ts.map +1 -1
  71. package/dist/tokens/types.d.ts +6 -4
  72. package/dist/tokens/types.d.ts.map +1 -1
  73. package/dist/utils/config.d.ts.map +1 -1
  74. package/dist/{auth/utils.d.ts → utils/fetcher.d.ts} +2 -1
  75. package/dist/utils/fetcher.d.ts.map +1 -0
  76. package/dist/utils/mapDecode.d.ts +2 -1
  77. package/dist/utils/mapDecode.d.ts.map +1 -1
  78. package/dist/utils/token-generator.d.ts +4 -0
  79. package/dist/utils/token-generator.d.ts.map +1 -0
  80. package/package.json +13 -3
  81. package/dist/auth/constants.d.ts +0 -6
  82. package/dist/auth/constants.d.ts.map +0 -1
  83. package/dist/auth/utils.d.ts.map +0 -1
  84. package/dist/chunk-DJLDUW7J.mjs +0 -414
  85. package/dist/chunk-DJLDUW7J.mjs.map +0 -1
  86. package/dist/chunk-NXYWC6YO.mjs.map +0 -1
  87. package/dist/chunk-WIVOBOZR.mjs +0 -86
  88. package/dist/chunk-WIVOBOZR.mjs.map +0 -1
  89. package/dist/utils/gemini_admin-init.d.ts +0 -10
  90. package/dist/utils/gemini_admin-init.d.ts.map +0 -1
  91. /package/dist/{chunk-GFH5CXQR.mjs.map → chunk-AW5OXT7N.mjs.map} +0 -0
package/dist/app-check/index.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../../src/app-check/index.ts","../../src/jwt/customJwt.ts","../../src/jwt/verifyJwt.ts","../../src/utils/errors.ts","../../src/utils/mapDecode.ts","../../src/utils/rfc4648.ts","../../src/jwt/cryptoKeys.ts","../../src/jwt/algorithms.ts","../../src/jwt/verifyContent.ts","../../src/constants.ts","../../src/utils/config.ts","../../src/jwt/guardReturn.ts","../../src/jwt/jwt.ts","../../src/jwt/signJwt.ts","../../src/utils/fetcher.ts","../../src/jwt/types.ts","../../src/jwt/crypto-signer.ts","../../src/jwt/index.ts","../../src/auth/credential.ts","../../src/utils/token-generator.ts","../../src/app-check/AppCheckApi.ts","../../src/app-check/generator.ts","../../src/app-check/serverAppCheck.ts","../../src/utils/admin-init.ts","../../src/app-check/verifier.ts"],"sourcesContent":["import type { VerifyAppCheckTokenResponse } from \"@tern-secure/types\";\n\nimport type { Credential, ServiceAccount } from \"../auth\";\nimport { ServiceAccountManager } from \"../auth\";\nimport { cryptoSignerFromCredential } from '../utils/token-generator';\nimport { AppCheckApi } from \"./AppCheckApi\";\nimport { AppCheckTokenGenerator } from \"./generator\";\nimport { ServerAppCheckManager } from \"./serverAppCheck\";\nimport type { AppCheckToken, AppCheckTokenOptions } from \"./types\";\nimport { AppcheckTokenVerifier, type VerifyAppcheckOptions } from \"./verifier\";\n\n\nconst JWKS_URL = 'https://firebaseappcheck.googleapis.com/v1/jwks';\n\nclass AppCheck {\n private readonly client: AppCheckApi;\n private readonly tokenGenerator: AppCheckTokenGenerator;\n private readonly appCheckTokenVerifier: AppcheckTokenVerifier;\n private readonly limitedUse?: boolean;\n\n constructor(credential: Credential, tenantId?: string, limitedUse?: boolean) {\n this.client = new AppCheckApi(credential);\n this.tokenGenerator = new AppCheckTokenGenerator(\n cryptoSignerFromCredential(credential, tenantId)\n );\n this.appCheckTokenVerifier = new AppcheckTokenVerifier(credential);\n this.limitedUse = limitedUse;\n }\n\n public createToken = (projectId: string, appId: string, options?: AppCheckTokenOptions): Promise<AppCheckToken> => {\n return this.tokenGenerator\n .createCustomToken(appId, options)\n .then((customToken) => {\n return this.client.exchangeToken({ customToken, projectId, appId });\n });\n };\n\n public verifyToken = async (appCheckToken: string, projectId: string, options: VerifyAppcheckOptions): Promise<VerifyAppCheckTokenResponse> => {\n return this.appCheckTokenVerifier\n .verifyToken(appCheckToken, projectId, { keyURL: JWKS_URL, ...options })\n .then((decodedToken) => {\n return {\n appId: decodedToken.app_id,\n token: decodedToken,\n };\n });\n\n }\n\n}\n\n\nfunction getAppCheck(serviceAccount: ServiceAccount, tenantId?: string, limitedUse?: boolean): AppCheck {\n return new AppCheck(new ServiceAccountManager(serviceAccount), tenantId, limitedUse);\n}\n\nexport { AppCheck, getAppCheck };\nexport { ServerAppCheckManager };","import type { JWTPayload } from '@tern-secure/types';\nimport { importPKCS8, SignJWT } from 'jose';\n\nimport type { JwtReturnType } from './types';\n\n\nexport interface CustomTokenClaims {\n [key: string]: unknown;\n}\n\nexport class CustomTokenError extends Error {\n constructor(\n message: string,\n public code?: string,\n ) {\n super(message);\n this.name = 'CustomTokenError';\n }\n}\n\nconst RESERVED_CLAIMS = [\n 'acr',\n 'amr',\n 'at_hash',\n 'aud',\n 'auth_time',\n 'azp',\n 'cnf',\n 'c_hash',\n 'exp',\n 'firebase',\n 'iat',\n 'iss',\n 'jti',\n 'nbf',\n 'nonce',\n 'sub',\n];\n\nasync function createCustomTokenJwt(\n uid: string,\n developerClaims?: CustomTokenClaims,\n): Promise<JwtReturnType<string, CustomTokenError>> {\n try {\n const privateKey = process.env.FIREBASE_PRIVATE_KEY;\n const clientEmail = process.env.FIREBASE_CLIENT_EMAIL;\n\n if (!privateKey || !clientEmail) {\n return {\n errors: [\n new CustomTokenError(\n 'Missing FIREBASE_PRIVATE_KEY or FIREBASE_CLIENT_EMAIL environment variables',\n 'MISSING_ENV_VARS',\n ),\n ],\n };\n }\n\n if (!uid || typeof uid !== 'string') {\n return {\n errors: [new CustomTokenError('uid must be a non-empty string', 'INVALID_UID')],\n };\n }\n\n if (uid.length > 128) {\n return {\n errors: [new CustomTokenError('uid must not exceed 128 characters', 'UID_TOO_LONG')],\n };\n }\n\n if (developerClaims) {\n for (const claim of Object.keys(developerClaims)) {\n if (RESERVED_CLAIMS.includes(claim)) {\n return {\n errors: [new CustomTokenError(`Custom claim '${claim}' is reserved`, 'RESERVED_CLAIM')],\n };\n }\n }\n }\n\n // Set expiration (default 1 hour, max 1 hour)\n const expiresIn = 3600;\n const now = Math.floor(Date.now() / 1000);\n\n const parsedPrivateKey = await importPKCS8(privateKey.replace(/\\\\n/g, '\\n'), 'RS256');\n\n const payload: JWTPayload = {\n iss: clientEmail,\n sub: clientEmail,\n aud: 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit',\n iat: now,\n exp: now + expiresIn,\n uid: uid,\n ...developerClaims,\n };\n\n const jwt = await new SignJWT(payload)\n .setProtectedHeader({ alg: 'RS256', typ: 'JWT' })\n .setIssuedAt(now)\n .setExpirationTime(now + expiresIn)\n .setIssuer(clientEmail)\n .setSubject(clientEmail)\n .setAudience(\n 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit',\n )\n .sign(parsedPrivateKey);\n\n return {\n data: jwt,\n };\n } catch (error) {\n const message = error instanceof Error ? error.message : 'Unknown error occurred';\n return {\n errors: [\n new CustomTokenError(`Failed to create custom token: ${message}`, 'TOKEN_CREATION_FAILED'),\n ],\n };\n }\n}\n\nexport async function createCustomToken(\n uid: string,\n developerClaims?: CustomTokenClaims,\n): Promise<string> {\n const { data, errors } = await createCustomTokenJwt(uid, developerClaims);\n\n if (errors) {\n throw errors[0];\n }\n\n return data;\n}\n\nexport function createCustomTokenWithResult(\n uid: string,\n developerClaims?: CustomTokenClaims,\n): Promise<JwtReturnType<string, CustomTokenError>> {\n return createCustomTokenJwt(uid, developerClaims);\n}","import type { DecodedAppCheckToken, DecodedIdToken, Jwt, JWTPayload } from '@tern-secure/types';\nimport {\n decodeJwt,\n decodeProtectedHeader,\n jwtVerify,\n type KeyLike,\n} from 'jose';\n\nimport { TokenVerificationError, TokenVerificationErrorReason } from '../utils/errors';\nimport { mapJwtPayloadToDecodedAppCheckToken, mapJwtPayloadToDecodedIdToken } from '../utils/mapDecode';\nimport { base64url } from '../utils/rfc4648';\nimport { importKey } from './cryptoKeys';\nimport type { JwtReturnType } from './types';\nimport {\n verifyExpirationClaim,\n verifyHeaderKid,\n verifyIssuedAtClaim,\n verifySubClaim,\n} from './verifyContent';\n\nconst DEFAULT_CLOCK_SKEW_IN_MS = 5 * 1000;\n\nexport type VerifyJwtOptions = {\n audience?: string | string[];\n clockSkewInMs?: number;\n key: JsonWebKey | string;\n};\n\nexport async function verifySignature(\n jwt: Jwt,\n key: JsonWebKey | string,\n): Promise<JwtReturnType<JWTPayload, Error>> {\n const { header, raw } = jwt;\n const joseAlgorithm = header.alg || 'RS256';\n\n try {\n const publicKey = await importKey(key, joseAlgorithm);\n\n const { payload } = await jwtVerify(raw.text, publicKey);\n\n return { data: payload };\n } catch (error) {\n return {\n errors: [\n new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalidSignature,\n message: (error as Error).message,\n }),\n ],\n };\n }\n}\n\nexport function ternDecodeJwt(token: string): JwtReturnType<Jwt, TokenVerificationError> {\n try {\n const header = decodeProtectedHeader(token);\n const payload = decodeJwt(token);\n\n const tokenParts = (token || '').toString().split('.');\n if (tokenParts.length !== 3) {\n return {\n errors: [\n new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalid,\n message: 'Invalid JWT format',\n }),\n ],\n };\n }\n\n const [rawHeader, rawPayload, rawSignature] = tokenParts;\n const signature = base64url.parse(rawSignature, { loose: true });\n\n const data = {\n header,\n payload,\n signature,\n raw: {\n header: rawHeader,\n payload: rawPayload,\n signature: rawSignature,\n text: token,\n },\n } satisfies Jwt;\n\n return { data };\n } catch (error) {\n return {\n errors: [\n new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalid,\n message: `${(error as Error).message || 'Invalid Token or Protected Header formatting'} (Token length: ${token?.length}, First 10 chars: ${token?.substring(0, 10)}...)`,\n }),\n ],\n };\n }\n}\n\nexport async function verifyJwt(\n token: string,\n options: VerifyJwtOptions,\n): Promise<JwtReturnType<DecodedIdToken, TokenVerificationError>> {\n const { key } = options;\n const clockSkew = options.clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;\n\n const { data: decoded, errors } = ternDecodeJwt(token);\n if (errors) {\n return { errors };\n }\n\n const { header, payload } = decoded;\n\n try {\n verifyHeaderKid(header.kid);\n verifySubClaim(payload.sub);\n verifyExpirationClaim(payload.exp, clockSkew);\n verifyIssuedAtClaim(payload.iat, clockSkew);\n } catch (error) {\n return { errors: [error as TokenVerificationError] };\n }\n\n const { data: verifiedPayload, errors: signatureErrors } = await verifySignature(decoded, key);\n if (signatureErrors) {\n return {\n errors: [\n new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalidSignature,\n message: 'Token signature verification failed.',\n }),\n ],\n };\n }\n\n const decodedIdToken = mapJwtPayloadToDecodedIdToken(verifiedPayload);\n\n return { data: decodedIdToken };\n}\n\nexport type VerifyAppCheckJwtOptions = Omit<VerifyJwtOptions, 'key'> & {\n key: () => Promise<KeyLike>;\n};\n\nexport async function verifyAppCheckSignature(\n jwt: Jwt,\n getPublicKey: () => Promise<KeyLike>,\n): Promise<JwtReturnType<JWTPayload, Error>> {\n const { header, raw } = jwt;\n const joseAlgorithm = header.alg || 'RS256';\n\n try {\n const key = await getPublicKey();\n\n const { payload } = await jwtVerify(raw.text, key);\n\n return { data: payload };\n } catch (error) {\n return {\n errors: [\n new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalidSignature,\n message: (error as Error).message,\n }),\n ],\n };\n }\n}\n\n\nexport async function verifyAppCheckJwt(\n token: string,\n options: VerifyAppCheckJwtOptions,\n): Promise<JwtReturnType<DecodedAppCheckToken, TokenVerificationError>> {\n const { key: getPublicKey } = options;\n const clockSkew = options.clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;\n\n const { data: decoded, errors } = ternDecodeJwt(token);\n if (errors) {\n return { errors };\n }\n\n const { header, payload } = decoded;\n\n try {\n verifyHeaderKid(header.kid);\n verifySubClaim(payload.sub);\n verifyExpirationClaim(payload.exp, clockSkew);\n verifyIssuedAtClaim(payload.iat, clockSkew);\n } catch (error) {\n return { errors: [error as TokenVerificationError] };\n }\n\n const { data: verifiedPayload, errors: signatureErrors } = await verifyAppCheckSignature(\n decoded,\n getPublicKey,\n );\n if (signatureErrors) {\n return {\n errors: [\n new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalidSignature,\n message: 'Token signature verification failed.',\n }),\n ],\n };\n }\n\n const decodedAppCheckToken = mapJwtPayloadToDecodedAppCheckToken(verifiedPayload);\n\n return { data: decodedAppCheckToken };\n}","export const RefreshTokenErrorReason = {\n NonEligibleNoCookie: 'non-eligible-no-refresh-cookie',\n NonEligibleNonGet: 'non-eligible-non-get',\n InvalidSessionToken: 'invalid-session-token',\n MissingApiClient: 'missing-api-client',\n MissingIdToken: 'missing-id-token',\n MissingSessionToken: 'missing-session-token',\n MissingRefreshToken: 'missing-refresh-token',\n ExpiredIdTokenDecodeFailed: 'expired-id-token-decode-failed',\n ExpiredSessionTokenDecodeFailed: 'expired-session-token-decode-failed',\n FetchError: 'fetch-error',\n} as const;\n\nexport type TokenCarrier = 'header' | 'cookie';\n\nexport const TokenVerificationErrorReason = {\n TokenExpired: 'token-expired',\n TokenInvalid: 'token-invalid',\n TokenInvalidAlgorithm: 'token-invalid-algorithm',\n TokenInvalidAuthorizedParties: 'token-invalid-authorized-parties',\n TokenInvalidSignature: 'token-invalid-signature',\n TokenNotActiveYet: 'token-not-active-yet',\n TokenIatInTheFuture: 'token-iat-in-the-future',\n TokenVerificationFailed: 'token-verification-failed',\n InvalidSecretKey: 'secret-key-invalid',\n LocalJWKMissing: 'jwk-local-missing',\n RemoteJWKFailedToLoad: 'jwk-remote-failed-to-load',\n RemoteJWKInvalid: 'jwk-remote-invalid',\n RemoteJWKMissing: 'jwk-remote-missing',\n JWKFailedToResolve: 'jwk-failed-to-resolve',\n JWKKidMismatch: 'jwk-kid-mismatch',\n};\n\nexport type TokenVerificationErrorReason =\n (typeof TokenVerificationErrorReason)[keyof typeof TokenVerificationErrorReason];\n\nexport class TokenVerificationError extends Error {\n reason: TokenVerificationErrorReason;\n tokenCarrier?: TokenCarrier;\n\n constructor({\n message,\n reason,\n }: {\n message: string;\n reason: TokenVerificationErrorReason;\n }) {\n super(message);\n\n Object.setPrototypeOf(this, TokenVerificationError.prototype);\n\n this.reason = reason;\n this.message = message;\n }\n\n public getFullMessage() {\n return `${[this.message].filter(m => m).join(' ')} (reason=${this.reason}, token-carrier=${\n this.tokenCarrier\n })`;\n }\n }\n","import type { DecodedAppCheckToken, DecodedIdToken } from \"@tern-secure/types\";\nimport type {\n JWTPayload,\n} from \"jose\";\n\nexport function mapJwtPayloadToDecodedIdToken(payload: JWTPayload) {\n const decodedIdToken = payload as DecodedIdToken;\n decodedIdToken.uid = decodedIdToken.sub;\n return decodedIdToken;\n}\n\n\nexport function mapJwtPayloadToDecodedAppCheckToken(payload: JWTPayload) {\n const decodedAppCheckToken = payload as DecodedAppCheckToken;\n decodedAppCheckToken.app_id = decodedAppCheckToken.sub;\n return decodedAppCheckToken;\n}","/**\n * The base64url helper was extracted from the rfc4648 package\n * in order to resolve CSJ/ESM interoperability issues\n *\n * https://github.com/swansontec/rfc4648.js\n *\n * For more context please refer to:\n * - https://github.com/evanw/esbuild/issues/1719\n * - https://github.com/evanw/esbuild/issues/532\n * - https://github.com/swansontec/rollup-plugin-mjs-entry\n */\nexport const base64url = {\n parse(string: string, opts?: ParseOptions): Uint8Array {\n return parse(string, base64UrlEncoding, opts);\n },\n\n stringify(data: ArrayLike<number>, opts?: StringifyOptions): string {\n return stringify(data, base64UrlEncoding, opts);\n },\n};\n\nconst base64UrlEncoding: Encoding = {\n chars: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_',\n bits: 6,\n};\n\ninterface Encoding {\n bits: number;\n chars: string;\n codes?: { [char: string]: number };\n}\n\ninterface ParseOptions {\n loose?: boolean;\n out?: new (size: number) => { [index: number]: number };\n}\n\ninterface StringifyOptions {\n pad?: boolean;\n}\n\nfunction parse(string: string, encoding: Encoding, opts: ParseOptions = {}): Uint8Array {\n // Build the character lookup table:\n if (!encoding.codes) {\n encoding.codes = {};\n for (let i = 0; i < encoding.chars.length; ++i) {\n encoding.codes[encoding.chars[i]] = i;\n }\n }\n\n // The string must have a whole number of bytes:\n if (!opts.loose && (string.length * encoding.bits) & 7) {\n throw new SyntaxError('Invalid padding');\n }\n\n // Count the padding bytes:\n let end = string.length;\n while (string[end - 1] === '=') {\n --end;\n\n // If we get a whole number of bytes, there is too much padding:\n if (!opts.loose && !(((string.length - end) * encoding.bits) & 7)) {\n throw new SyntaxError('Invalid padding');\n }\n }\n\n // Allocate the output:\n const out = new (opts.out ?? Uint8Array)(((end * encoding.bits) / 8) | 0) as Uint8Array;\n\n // Parse the data:\n let bits = 0; // Number of bits currently in the buffer\n let buffer = 0; // Bits waiting to be written out, MSB first\n let written = 0; // Next byte to write\n for (let i = 0; i < end; ++i) {\n // Read one character from the string:\n const value = encoding.codes[string[i]];\n if (value === undefined) {\n throw new SyntaxError('Invalid character ' + string[i]);\n }\n\n // Append the bits to the buffer:\n buffer = (buffer << encoding.bits) | value;\n bits += encoding.bits;\n\n // Write out some bits if the buffer has a byte's worth:\n if (bits >= 8) {\n bits -= 8;\n out[written++] = 0xff & (buffer >> bits);\n }\n }\n\n // Verify that we have received just enough bits:\n if (bits >= encoding.bits || 0xff & (buffer << (8 - bits))) {\n throw new SyntaxError('Unexpected end of data');\n }\n\n return out;\n}\n\nfunction stringify(data: ArrayLike<number>, encoding: Encoding, opts: StringifyOptions = {}): string {\n const { pad = true } = opts;\n const mask = (1 << encoding.bits) - 1;\n let out = '';\n\n let bits = 0; // Number of bits currently in the buffer\n let buffer = 0; // Bits waiting to be written out, MSB first\n for (let i = 0; i < data.length; ++i) {\n // Slurp data into the buffer:\n buffer = (buffer << 8) | (0xff & data[i]);\n bits += 8;\n\n // Write out as much as we can:\n while (bits > encoding.bits) {\n bits -= encoding.bits;\n out += encoding.chars[mask & (buffer >> bits)];\n }\n }\n\n // Partial character:\n if (bits) {\n out += encoding.chars[mask & (buffer << (encoding.bits - bits))];\n }\n\n // Add padding characters until we hit a byte boundary:\n if (pad) {\n while ((out.length * encoding.bits) & 7) {\n out += '=';\n }\n }\n\n return out;\n}\n","import { importJWK, importSPKI,importX509, type KeyLike } from 'jose';\n\nexport async function importKey(key: JsonWebKey | string, algorithm: string): Promise<KeyLike> {\n if (typeof key === 'object') {\n const result = await importJWK(key as Parameters<typeof importJWK>[0], algorithm);\n if (result instanceof Uint8Array) {\n throw new Error('Unexpected Uint8Array result from JWK import');\n }\n return result;\n }\n\n const keyString = key.trim();\n\n if (keyString.includes('-----BEGIN CERTIFICATE-----')) {\n return await importX509(keyString, algorithm);\n }\n\n if (keyString.includes('-----BEGIN PUBLIC KEY-----')) {\n return await importSPKI(keyString, algorithm);\n }\n\n try {\n return await importSPKI(keyString, algorithm);\n } catch (error) {\n throw new Error(\n `Unsupported key format. Supported formats: X.509 certificate (PEM), SPKI (PEM), JWK (JSON object or string). Error: ${error}`,\n );\n }\n}\n","const algToHash: Record<string, string> = {\n RS256: 'SHA-256',\n RS384: 'SHA-384',\n RS512: 'SHA-512',\n};\nconst RSA_ALGORITHM_NAME = 'RSASSA-PKCS1-v1_5';\n\nconst jwksAlgToCryptoAlg: Record<string, string> = {\n RS256: RSA_ALGORITHM_NAME,\n RS384: RSA_ALGORITHM_NAME,\n RS512: RSA_ALGORITHM_NAME,\n};\n\nexport const algs = Object.keys(algToHash);\n\nexport function getCryptoAlgorithm(algorithmName: string): RsaHashedImportParams {\n const hash = algToHash[algorithmName];\n const name = jwksAlgToCryptoAlg[algorithmName];\n\n if (!hash || !name) {\n throw new Error(`Unsupported algorithm ${algorithmName}, expected one of ${algs.join(',')}.`);\n }\n\n return {\n hash: { name: algToHash[algorithmName] },\n name: jwksAlgToCryptoAlg[algorithmName],\n };\n}\n","import { TokenVerificationError, TokenVerificationErrorReason } from '../utils/errors';\nimport { algs } from './algorithms';\n\nexport const verifyHeaderType = (typ?: unknown) => {\n if (typeof typ === 'undefined') {\n return;\n }\n\n if (typ !== 'JWT') {\n throw new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalid,\n message: `Invalid JWT type ${JSON.stringify(typ)}. Expected \"JWT\".`,\n });\n }\n};\n\nexport const verifyHeaderKid = (kid?: unknown) => {\n if (typeof kid === 'undefined') {\n return;\n }\n\n if (typeof kid !== 'string') {\n throw new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalid,\n message: `Invalid JWT kid ${JSON.stringify(kid)}. Expected a string.`,\n });\n }\n};\n\nexport const verifyHeaderAlgorithm = (alg: string) => {\n if (!algs.includes(alg)) {\n throw new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalidAlgorithm,\n message: `Invalid JWT algorithm ${JSON.stringify(alg)}. Supported: ${algs}.`,\n });\n }\n};\n\nexport const verifySubClaim = (sub?: string) => {\n if (typeof sub !== 'string') {\n throw new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenVerificationFailed,\n message: `Subject claim (sub) is required and must be a string. Received ${JSON.stringify(sub)}.`,\n });\n }\n};\n\nexport const verifyExpirationClaim = (exp: number | undefined, clockSkewInMs: number) => {\n if (typeof exp !== 'number') {\n throw new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenVerificationFailed,\n message: `Invalid JWT expiry date (exp) claim ${JSON.stringify(exp)}. Expected a number.`,\n });\n }\n\n const currentDate = new Date(Date.now());\n const expiryDate = new Date(0);\n expiryDate.setUTCSeconds(exp);\n\n const expired = expiryDate.getTime() <= currentDate.getTime() - clockSkewInMs;\n if (expired) {\n throw new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenExpired,\n message: `JWT is expired. Expiry date: ${expiryDate.toUTCString()}, Current date: ${currentDate.toUTCString()}.`,\n });\n }\n};\n\nexport const verifyIssuedAtClaim = (iat: number | undefined, clockSkewInMs: number) => {\n if (typeof iat === 'undefined') {\n return;\n }\n\n if (typeof iat !== 'number') {\n throw new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenVerificationFailed,\n message: `Invalid JWT issued at date claim (iat) ${JSON.stringify(iat)}. Expected a number.`,\n });\n }\n\n const currentDate = new Date(Date.now());\n const issuedAtDate = new Date(0);\n issuedAtDate.setUTCSeconds(iat);\n\n const postIssued = issuedAtDate.getTime() > currentDate.getTime() + clockSkewInMs;\n if (postIssued) {\n throw new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenIatInTheFuture,\n message: `JWT issued at date claim (iat) is in the future. Issued at date: ${issuedAtDate.toUTCString()}; Current date: ${currentDate.toUTCString()};`,\n });\n }\n};\n","export const GOOGLE_PUBLIC_KEYS_URL =\n 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com';\nexport const SESSION_COOKIE_PUBLIC_KEYS_URL =\n 'https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys';\n\nexport const FIREBASE_APP_CHECK_AUDIENCE =\n 'https://firebaseappcheck.googleapis.com/google.firebase.appcheck.v1.TokenExchangeService';\n\nexport const MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;\nexport const DEFAULT_CACHE_DURATION = 3600 * 1000; // 1 hour in milliseconds\nexport const CACHE_CONTROL_REGEX = /max-age=(\\d+)/;\n\nexport const TOKEN_EXPIRY_THRESHOLD_MILLIS = 5 * 60 * 1000;\nexport const GOOGLE_TOKEN_AUDIENCE = 'https://accounts.google.com/o/oauth2/token';\nexport const GOOGLE_AUTH_TOKEN_HOST = 'accounts.google.com';\nexport const GOOGLE_AUTH_TOKEN_PATH = '/o/oauth2/token';\nexport const ONE_HOUR_IN_SECONDS = 60 * 60;\n\nexport const ONE_MINUTE_IN_SECONDS = 60;\nexport const ONE_MINUTE_IN_MILLIS = ONE_MINUTE_IN_SECONDS * 1000;\nexport const ONE_DAY_IN_MILLIS = 24 * 60 * 60 * 1000;\n\nconst Attributes = {\n AuthToken: '__ternsecureAuthToken',\n AuthSignature: '__ternsecureAuthSignature',\n AuthStatus: '__ternsecureAuthStatus',\n AuthReason: '__ternsecureAuthReason',\n AuthMessage: '__ternsecureAuthMessage',\n TernSecureUrl: '__ternsecureUrl',\n} as const;\n\nconst Cookies = {\n Session: '__session',\n CsrfToken: '__terncf',\n IdToken: 'TernSecure_[DEFAULT]',\n Refresh: 'TernSecureID_[DEFAULT]',\n Custom: '__custom',\n TernAut: 'tern_aut',\n Handshake: '__ternsecure_handshake',\n DevBrowser: '__ternsecure_db_jwt',\n RedirectCount: '__ternsecure_redirect_count',\n HandshakeNonce: '__ternsecure_handshake_nonce',\n} as const;\n\n\nconst QueryParameters = {\n TernSynced: '__tern_synced',\n SuffixedCookies: 'suffixed_cookies',\n TernRedirectUrl: '__tern_redirect_url',\n // use the reference to Cookies to indicate that it's the same value\n DevBrowser: Cookies.DevBrowser,\n Handshake: Cookies.Handshake,\n HandshakeHelp: '__tern_help',\n LegacyDevBrowser: '__dev_session',\n HandshakeReason: '__tern_hs_reason',\n HandshakeNonce: Cookies.HandshakeNonce,\n} as const;\n\nconst Headers = {\n Accept: 'accept',\n AppCheckToken: 'x-ternsecure-appcheck',\n AuthMessage: 'x-ternsecure-auth-message',\n Authorization: 'authorization',\n AuthReason: 'x-ternsecure-auth-reason',\n AuthSignature: 'x-ternsecure-auth-signature',\n AuthStatus: 'x-ternsecure-auth-status',\n AuthToken: 'x-ternsecure-auth-token',\n CacheControl: 'cache-control',\n TernSecureRedirectTo: 'x-ternsecure-redirect-to',\n TernSecureRequestData: 'x-ternsecure-request-data',\n TernSecureUrl: 'x-ternsecure-url',\n CloudFrontForwardedProto: 'cloudfront-forwarded-proto',\n ContentType: 'content-type',\n ContentSecurityPolicy: 'content-security-policy',\n ContentSecurityPolicyReportOnly: 'content-security-policy-report-only',\n EnableDebug: 'x-ternsecure-debug',\n ForwardedHost: 'x-forwarded-host',\n ForwardedPort: 'x-forwarded-port',\n ForwardedProto: 'x-forwarded-proto',\n Host: 'host',\n Location: 'location',\n Nonce: 'x-nonce',\n Origin: 'origin',\n Referrer: 'referer',\n SecFetchDest: 'sec-fetch-dest',\n UserAgent: 'user-agent',\n ReportingEndpoints: 'reporting-endpoints',\n} as const;\n\nconst ContentTypes = {\n Json: 'application/json',\n} as const;\n\n/**\n * @internal\n */\nexport const constants = {\n Attributes,\n Cookies,\n Headers,\n ContentTypes,\n QueryParameters,\n} as const;\n\nexport type Constants = typeof constants;\n","import type { \r\n AdminConfigValidationResult, \r\n ConfigValidationResult, \r\n TernSecureAdminConfig, \r\n TernSecureConfig} from '@tern-secure/types'\r\n\r\n/**\r\n * Loads Firebase configuration from environment variables\r\n * @returns {TernSecureConfig} Firebase configuration object\r\n */\r\nexport const loadFireConfig = (): TernSecureConfig => ({\r\n apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY || '',\r\n authDomain: process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN || '',\r\n databaseURL: process.env.NEXT_PUBLIC_FIREBASE_DATABASE_URL || undefined,\r\n projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID || '',\r\n storageBucket: process.env.NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET || '',\r\n messagingSenderId: process.env.NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID || '',\r\n appId: process.env.NEXT_PUBLIC_FIREBASE_APP_ID || '',\r\n measurementId: process.env.NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID || undefined,\r\n})\r\n\r\n/**\r\n * Validates Firebase configuration\r\n * @param {TernSecureConfig} config - Firebase configuration object\r\n * @throws {Error} If required configuration values are missing\r\n * @returns {TernSecureConfig} Validated configuration object\r\n */\r\nexport const validateConfig = (config: TernSecureConfig): ConfigValidationResult => {\r\n const requiredFields: (keyof TernSecureConfig)[] = [\r\n 'apiKey',\r\n 'authDomain',\r\n 'projectId',\r\n 'storageBucket',\r\n 'messagingSenderId',\r\n 'appId'\r\n ]\r\n\r\n const errors: string[] = []\r\n \r\n requiredFields.forEach(field => {\r\n if (!config[field]) {\r\n errors.push(`Missing required field: NEXT_PUBLIC_FIREBASE_${String(field).toUpperCase()}`)\r\n }\r\n })\r\n\r\n return {\r\n isValid: errors.length === 0,\r\n errors,\r\n config\r\n }\r\n}\r\n\r\n/**\r\n * Initializes configuration with validation\r\n * @throws {Error} If configuration is invalid\r\n */\r\nexport const initializeConfig = (): TernSecureConfig => {\r\n const config = loadFireConfig()\r\n const validationResult = validateConfig(config)\r\n\r\n if (!validationResult.isValid) {\r\n throw new Error(\r\n `Firebase configuration validation failed:\\n${validationResult.errors.join('\\n')}`\r\n )\r\n }\r\n\r\n return config\r\n}\r\n\r\n/**\r\n * Loads Firebase Admin configuration from environment variables\r\n * @returns {AdminConfig} Firebase Admin configuration object\r\n */\r\nexport const loadAdminConfig = (): TernSecureAdminConfig => ({\r\n projectId: process.env.FIREBASE_PROJECT_ID || '',\r\n clientEmail: process.env.FIREBASE_CLIENT_EMAIL || '',\r\n privateKey: process.env.FIREBASE_PRIVATE_KEY || '',\r\n})\r\n\r\n/**\r\n * Validates Firebase Admin configuration\r\n * @param {AdminConfig} config - Firebase Admin configuration object\r\n * @returns {ConfigValidationResult} Validation result\r\n */\r\nexport const validateAdminConfig = (config: TernSecureAdminConfig): AdminConfigValidationResult => {\r\n const requiredFields: (keyof TernSecureAdminConfig)[] = [\r\n 'projectId',\r\n 'clientEmail',\r\n 'privateKey'\r\n ]\r\n\r\n const errors: string[] = []\r\n \r\n requiredFields.forEach(field => {\r\n if (!config[field]) {\r\n errors.push(`Missing required field: FIREBASE_${String(field).toUpperCase()}`)\r\n }\r\n })\r\n\r\n return {\r\n isValid: errors.length === 0,\r\n errors,\r\n config\r\n }\r\n}\r\n\r\n/**\r\n * Initializes admin configuration with validation\r\n * @throws {Error} If configuration is invalid\r\n */\r\nexport const initializeAdminConfig = (): TernSecureAdminConfig => {\r\n const config = loadAdminConfig()\r\n const validationResult = validateAdminConfig(config)\r\n\r\n if (!validationResult.isValid) {\r\n throw new Error(\r\n `Firebase Admin configuration validation failed:\\n${validationResult.errors.join('\\n')}`\r\n )\r\n }\r\n\r\n return config\r\n}","import { type JwtReturnType } from \"./types\";\n\nexport function createJwtGuard<T extends (...args: any[]) => JwtReturnType<any, any>>(decodedFn: T) {\n return (...args: Parameters<T>): NonNullable<Awaited<ReturnType<T>>['data']> | never => {\n const { data, errors } = decodedFn(...args);\n\n if (errors) {\n throw errors[0];\n }\n\n return data;\n };\n}\n","import type {\n DecodedIdToken,\n TernVerificationResult,\n} from \"@tern-secure/types\";\nimport { createRemoteJWKSet, decodeJwt,jwtVerify } from \"jose\";\n\n\nexport type FirebaseIdTokenPayload = DecodedIdToken;\n\n// Firebase public key endpoints\nconst FIREBASE_ID_TOKEN_URL =\n \"https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com\";\nconst FIREBASE_SESSION_CERT_URL =\n \"https://identitytoolkit.googleapis.com/v1/sessionCookiePublicKeys\";\n\n//const FIREBASE_NEW_SESSION_PK = \"https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys\"\n\n// Simple in-memory cache for JWKS\nlet idTokenJWKS: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet sessionJWKS: ReturnType<typeof createRemoteJWKSet> | null = null;\n\nconst getIdTokenJWKS = () => {\n if (!idTokenJWKS) {\n idTokenJWKS = createRemoteJWKSet(new URL(FIREBASE_ID_TOKEN_URL), {\n cacheMaxAge: 3600000, // 1 hour\n timeoutDuration: 5000, // 5 seconds\n cooldownDuration: 30000, // 30 seconds between retries\n });\n }\n return idTokenJWKS;\n};\n\nconst getSessionJWKS = () => {\n if (!sessionJWKS) {\n sessionJWKS = createRemoteJWKSet(new URL(FIREBASE_SESSION_CERT_URL), {\n cacheMaxAge: 3600000, // 1 hour\n timeoutDuration: 5000, // 5 seconds\n cooldownDuration: 30000, // 30 seconds between retries\n });\n }\n return sessionJWKS;\n};\n\n\n\nexport async function verifyToken(\n token: string,\n isSessionCookie = false\n): Promise<TernVerificationResult> {\n try {\n const projectId = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID;\n if (!projectId) {\n throw new Error(\"Firebase Project ID is not configured\");\n }\n\n const { decoded } = decodeJwt(token);\n if (!decoded) {\n throw new Error(\"Invalid token format\");\n }\n\n let retries = 3;\n let lastError: Error | null = null;\n\n while (retries > 0) {\n try {\n // Use different JWKS based on token type\n const JWKS = isSessionCookie ? getSessionJWKS() : getIdTokenJWKS();\n\n const { payload } = await jwtVerify(token, JWKS, {\n issuer: isSessionCookie\n ? \"https://session.firebase.google.com/\" + projectId\n : \"https://securetoken.google.com/\" + projectId,\n audience: projectId,\n algorithms: [\"RS256\"],\n });\n\n const firebasePayload = payload as unknown as FirebaseIdTokenPayload;\n const now = Math.floor(Date.now() / 1000);\n\n // Verify token claims\n if (firebasePayload.exp <= now) {\n throw new Error(\"Token has expired\");\n }\n\n if (firebasePayload.iat > now) {\n throw new Error(\"Token issued time is in the future\");\n }\n\n if (!firebasePayload.sub) {\n throw new Error(\"Token subject is empty\");\n }\n\n if (firebasePayload.auth_time > now) {\n throw new Error(\"Token auth time is in the future\");\n }\n\n return {\n valid: true,\n uid: firebasePayload.sub,\n sub: firebasePayload.sub,\n email: firebasePayload.email,\n email_verified: firebasePayload.email_verified,\n auth_time: firebasePayload.auth_time,\n iat: firebasePayload.iat,\n exp: firebasePayload.exp,\n aud: firebasePayload.aud,\n iss: firebasePayload.iss,\n firebase: firebasePayload.firebase,\n phone_number: firebasePayload.phone_number,\n picture: firebasePayload.picture,\n };\n } catch (error) {\n lastError = error as Error;\n if (error instanceof Error && error.name === \"JWKSNoMatchingKey\") {\n console.warn(`JWKS retry attempt ${4 - retries}:`, error.message);\n retries--;\n if (retries > 0) {\n await new Promise((resolve) => setTimeout(resolve, 1000));\n continue;\n }\n }\n throw error;\n }\n }\n\n throw lastError || new Error(\"Failed to verify token after retries\");\n } catch (error) {\n console.error(\"Token verification details:\", {\n error:\n error instanceof Error\n ? {\n name: error.name,\n message: error.message,\n stack: error.stack,\n }\n : error,\n decoded: decodeJwt(token),\n isSessionCookie,\n });\n\n return {\n valid: false,\n error: {\n success: false,\n message: error instanceof Error ? error.message : \"Invalid token\",\n code: \"INVALID_TOKEN\",\n },\n };\n }\n}\n","import type { JWTPayload } from '@tern-secure/types';\nimport type { KeyLike } from 'jose';\nimport { base64url,importPKCS8, SignJWT, } from 'jose';\n\nimport { TokenVerificationError, TokenVerificationErrorReason } from '../utils/errors';\nimport { fetchAny } from '../utils/fetcher'\nimport { ALGORITHM_RS256 } from './types';\n\nexport interface SignJwtOptions {\n algorithm?: string;\n header?: Record<string, unknown>;\n}\n\n\nexport type SignOptions = {\n readonly payload: JWTPayload;\n readonly privateKey: string;\n readonly keyId?: string;\n};\n\n\nasync function ternSignJwt(opts: SignOptions): Promise<string> {\n const { payload, privateKey, keyId } = opts;\n let key: KeyLike;\n\n try {\n key = await importPKCS8(privateKey, ALGORITHM_RS256);\n } catch (error) {\n throw new TokenVerificationError({\n message: `Failed to import private key: ${(error as Error).message}`,\n reason: TokenVerificationErrorReason.TokenInvalid,\n });\n }\n\n return new SignJWT(payload)\n .setProtectedHeader({ alg: ALGORITHM_RS256, kid: keyId })\n .sign(key);\n}\n\n\nexport type SignBlobOptions = {\n readonly serviceAccountId: string;\n readonly accessToken: string;\n readonly payload: JWTPayload;\n};\n\n\nfunction formatBase64(value: string) {\n return value.replace(/\\//g, '_').replace(/\\+/g, '-').replace(/=+$/, '');\n}\n\nfunction encodeSegment(segment: Record<string, string> | JWTPayload): string {\n const value = JSON.stringify(segment);\n\n return formatBase64(base64url.encode(value));\n}\n\n\nasync function ternSignBlob({\n payload,\n serviceAccountId,\n accessToken\n}: SignBlobOptions): Promise<string> {\n const url = `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${serviceAccountId}:signBlob`;\n const header = {\n alg: ALGORITHM_RS256,\n typ: 'JWT'\n };\n const token = `${encodeSegment(header)}.${encodeSegment(payload)}`;\n const request: RequestInit = {\n method: 'POST',\n headers: {\n Authorization: `Bearer ${accessToken}`\n },\n body: JSON.stringify({payload: base64url.encode(token)})\n };\n const response = await fetchAny(url, request);\n const blob = await response.blob();\n const key = await blob.text();\n const {signedBlob} = JSON.parse(key);\n\n return `${token}.${formatBase64(signedBlob)}`;\n}\n\nexport { ternSignJwt, ternSignBlob };\n","async function getDetailFromResponse(response: Response): Promise<string> {\n const json = await response.json();\n\n if (!json) {\n return 'Missing error payload';\n }\n\n let detail =\n typeof json.error === 'string'\n ? json.error\n : (json.error?.message ?? 'Missing error payload');\n\n if (json.error_description) {\n detail += ' (' + json.error_description + ')';\n }\n\n return detail;\n}\n\nexport async function fetchText(url: string, init: RequestInit) {\n return (await fetchAny(url, init)).text();\n}\n\nexport async function fetchJson(url: string, init: RequestInit) {\n return (await fetchAny(url, init)).json();\n}\n\nexport async function fetchAny(url: string, init: RequestInit) {\n const response = await fetch(url, init);\n\n if (!response.ok) {\n throw new Error(await getDetailFromResponse(response));\n }\n\n return response;\n}","import type { JWTPayload } from '@tern-secure/types';\n\n\nexport type JwtReturnType<R, E extends Error> =\n | {\n data: R;\n errors?: undefined;\n }\n | {\n data?: undefined;\n errors: [E];\n };\n\n\nexport const ALGORITHM_RS256 = 'RS256' as const;\n\nexport interface CryptoSigner {\n getAccountId(): Promise<string>;\n sign(payload: JWTPayload): Promise<string>;\n}","import type { JWTPayload } from '@tern-secure/types';\n\nimport type { Credential, ServiceAccountManager } from '../auth';\nimport { fetchText } from '../utils/fetcher'\nimport { ternSignBlob, ternSignJwt } from './signJwt';\nimport { ALGORITHM_RS256, type CryptoSigner } from './types';\n\n\nclass ServiceAccountSigner implements CryptoSigner {\n\n constructor(\n private readonly credential: ServiceAccountManager,\n private tenantId?: string\n ) { }\n\n public async getAccountId(): Promise<string> {\n return Promise.resolve(this.credential.clientEmail);\n }\n\n public async sign(payload: JWTPayload): Promise<string> {\n if (this.tenantId) {\n payload.tenant_id = this.tenantId;\n }\n\n return ternSignJwt({ payload, privateKey: this.credential.privateKey });\n }\n}\n\nclass IAMSigner implements CryptoSigner {\n algorithm = ALGORITHM_RS256;\n\n private credential: Credential;\n private tenantId?: string;\n private serviceAccountId?: string;\n\n constructor(\n credential: Credential,\n tenantId?: string,\n serviceAccountId?: string\n ) {\n this.credential = credential;\n this.tenantId = tenantId;\n this.serviceAccountId = serviceAccountId;\n }\n\n public async sign(payload: JWTPayload): Promise<string> {\n if (this.tenantId) {\n payload.tenant_id = this.tenantId;\n }\n\n const serviceAccount = await this.getAccountId();\n const accessToken = await this.credential.getAccessToken();\n\n return ternSignBlob({\n accessToken: accessToken.accessToken,\n serviceAccountId: serviceAccount,\n payload\n });\n }\n\n public async getAccountId(): Promise<string> {\n if (this.serviceAccountId) {\n return this.serviceAccountId;\n }\n\n const token = await this.credential.getAccessToken();\n const url =\n 'http://metadata/computeMetadata/v1/instance/service-accounts/default/email';\n const request: RequestInit = {\n method: 'GET',\n headers: {\n 'Metadata-Flavor': 'Google',\n Authorization: `Bearer ${token.accessToken}`\n }\n };\n\n return (this.serviceAccountId = await fetchText(url, request));\n }\n}\n\n\nexport { ServiceAccountSigner, IAMSigner };\n\n","import { createJwtGuard } from './guardReturn';\nimport { ternDecodeJwt as _ternDecodeJwt } from './verifyJwt';\n\nexport const ternDecodeJwt = createJwtGuard(_ternDecodeJwt);\nexport { ternDecodeJwt as ternDecodeJwtUnguarded } from './verifyJwt';\n\nexport * from './jwt';\nexport * from './customJwt';\nexport * from './signJwt';\nexport { ServiceAccountSigner, IAMSigner } from './crypto-signer';\nexport type { JwtReturnType, CryptoSigner } from './types';","import type { JWTPayload } from '@tern-secure/types';\n\nimport {\n GOOGLE_AUTH_TOKEN_HOST,\n GOOGLE_AUTH_TOKEN_PATH,\n GOOGLE_TOKEN_AUDIENCE,\n ONE_HOUR_IN_SECONDS,\n TOKEN_EXPIRY_THRESHOLD_MILLIS\n} from '../constants'\nimport { ternSignJwt } from '../jwt';\nimport { fetchJson } from '../utils/fetcher';\n\n\nexport interface GoogleOAuthAccessToken {\n access_token: string;\n expires_in: number;\n}\n\nexport interface ServiceAccount {\n projectId: string;\n privateKey: string;\n clientEmail: string;\n}\n\nexport interface FirebaseAccessToken {\n accessToken: string;\n expirationTime: number;\n}\n\nconst accessTokenCache: Map<string, FirebaseAccessToken> = new Map();\n\nexport interface Credential {\n getAccessToken: (refresh?: boolean) => Promise<FirebaseAccessToken>;\n}\n\nasync function requestAccessToken(urlString: string, init: RequestInit): Promise<FirebaseAccessToken> {\n const json = await fetchJson(urlString, init);\n\n if (!json.access_token || !json.expires_in) {\n throw new Error('Invalid access token response');\n }\n\n return {\n accessToken: json.access_token,\n expirationTime: Date.now() + (json.expires_in * 1000),\n }\n}\n\nexport class ServiceAccountManager implements Credential {\n public readonly projectId: string;\n public readonly privateKey: string;\n public readonly clientEmail: string;\n\n constructor(serviceAccount: ServiceAccount) {\n this.projectId = serviceAccount.projectId;\n this.privateKey = serviceAccount.privateKey;\n this.clientEmail = serviceAccount.clientEmail;\n }\n\n private fetchAccessToken = async (url: string): Promise<FirebaseAccessToken> => {\n const token = await this.createJwt();\n const postData =\n 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3A' +\n 'grant-type%3Ajwt-bearer&assertion=' +\n token;\n\n return requestAccessToken(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/x-www-form-urlencoded',\n Authorization: `Bearer ${token}`,\n Accept: 'application/json',\n },\n body: postData,\n })\n }\n\n private fetchAndCacheAccessToken = async (url: string): Promise<FirebaseAccessToken> => {\n const accessToken = await this.fetchAccessToken(url);\n accessTokenCache.set(this.projectId, accessToken);\n return accessToken;\n }\n\n public getAccessToken = async (refresh?: boolean): Promise<FirebaseAccessToken> => {\n const url = `https://${GOOGLE_AUTH_TOKEN_HOST}${GOOGLE_AUTH_TOKEN_PATH}`;\n\n if (refresh) {\n return this.fetchAndCacheAccessToken(url);\n }\n\n const cachedResponse = accessTokenCache.get(this.projectId);\n\n if (!cachedResponse || cachedResponse.expirationTime - Date.now() <= TOKEN_EXPIRY_THRESHOLD_MILLIS) {\n return this.fetchAndCacheAccessToken(url);\n }\n\n return cachedResponse;\n }\n\n private createJwt = async (): Promise<string> => {\n const iat = Math.floor(Date.now() / 1000);\n\n const payload = {\n aud: GOOGLE_TOKEN_AUDIENCE,\n iat,\n exp: iat + ONE_HOUR_IN_SECONDS,\n iss: this.clientEmail,\n sub: this.clientEmail,\n scope: [\n 'https://www.googleapis.com/auth/cloud-platform',\n 'https://www.googleapis.com/auth/firebase.database',\n 'https://www.googleapis.com/auth/firebase.messaging',\n 'https://www.googleapis.com/auth/identitytoolkit',\n 'https://www.googleapis.com/auth/userinfo.email'\n ].join(' ')\n } as JWTPayload;\n\n return ternSignJwt({\n payload,\n privateKey: this.privateKey,\n });\n }\n}\n","import type { Credential } from '../auth'\nimport { ServiceAccountManager } from '../auth'\nimport type { CryptoSigner } from '../jwt'\nimport { IAMSigner, ServiceAccountSigner } from '../jwt'\n\nexport function cryptoSignerFromCredential(\n credential: Credential,\n tenantId?: string,\n serviceAccountId?: string\n): CryptoSigner {\n if (credential instanceof ServiceAccountManager) {\n return new ServiceAccountSigner(credential, tenantId);\n }\n\n return new IAMSigner(credential, tenantId, serviceAccountId);\n}","import type { Credential } from '../auth'\nimport type { AppCheckParams, AppCheckToken } from './types'\n\nexport function getSdkVersion(): string {\n return '12.7.0';\n}\n\nconst FIREBASE_APP_CHECK_CONFIG_HEADERS = {\n 'X-Firebase-Client': `fire-admin-node/${getSdkVersion()}`\n};\n\n/**\n * App Check API for managing Firebase App Check tokens via REST\n * Firebase REST API endpoint: https://firebaseappcheck.googleapis.com/v1beta/projects/{projectId}/apps/{appId}:exchangeCustomToken\n */\nexport class AppCheckApi {\n constructor(private credential: Credential) { }\n\n public async exchangeToken(params: AppCheckParams): Promise<AppCheckToken> {\n const { projectId, appId, customToken, limitedUse = false } = params;\n const token = await this.credential.getAccessToken(false);\n if (!projectId || !appId) {\n throw new Error('Project ID and App ID are required for App Check token exchange');\n }\n\n const endpoint = `https://firebaseappcheck.googleapis.com/v1/projects/${projectId}/apps/${appId}:exchangeCustomToken`;\n\n const headers: Record<string, string> = {\n 'Content-Type': 'application/json',\n 'Authorization': `Bearer ${token.accessToken}`,\n };\n\n try {\n const response = await fetch(endpoint, {\n method: 'POST',\n headers,\n body: JSON.stringify({ customToken, limitedUse }),\n });\n\n if (!response.ok) {\n const errorText = await response.text();\n throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);\n }\n\n const data = await response.json();\n return {\n token: data.token,\n ttl: data.ttl,\n };\n } catch (error) {\n console.warn('[ternsecure - appcheck api]unexpected error:', error);\n throw error;\n }\n }\n public async exchangeDebugToken(params: AppCheckParams): Promise<AppCheckToken> {\n const { projectId, appId, customToken, accessToken, limitedUse = false } = params;\n if (!projectId || !appId) {\n throw new Error('Project ID and App ID are required for App Check token exchange');\n }\n\n const endpoint = `https://firebaseappcheck.googleapis.com/v1beta/projects/${projectId}/apps/${appId}:exchangeDebugToken`;\n\n const headers: Record<string, string> = {\n ...FIREBASE_APP_CHECK_CONFIG_HEADERS,\n 'Authorization': `Bearer ${accessToken}`,\n };\n\n const body = {\n customToken,\n limitedUse,\n }\n\n try {\n const response = await fetch(endpoint, {\n method: 'POST',\n headers,\n body: JSON.stringify(body),\n });\n\n if (!response.ok) {\n const errorText = await response.text();\n throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);\n }\n\n const data = await response.json();\n return {\n token: data.token,\n ttl: data.ttl,\n };\n } catch (error) {\n console.warn('[ternsecure - appcheck api]unexpected error:', error);\n throw error;\n }\n }\n}\n","import {\n FIREBASE_APP_CHECK_AUDIENCE,\n ONE_DAY_IN_MILLIS,\n ONE_MINUTE_IN_MILLIS,\n ONE_MINUTE_IN_SECONDS\n} from '../constants'\nimport type { CryptoSigner } from '../jwt';\nimport type { AppCheckTokenOptions } from './types';\n\n\nfunction transformMillisecondsToSecondsString(milliseconds: number): string {\n let duration: string;\n const seconds = Math.floor(milliseconds / 1000);\n const nanos = Math.floor((milliseconds - seconds * 1000) * 1000000);\n if (nanos > 0) {\n let nanoString = nanos.toString();\n while (nanoString.length < 9) {\n nanoString = '0' + nanoString;\n }\n duration = `${seconds}.${nanoString}s`;\n } else {\n duration = `${seconds}s`;\n }\n return duration;\n}\n\nexport class AppCheckTokenGenerator {\n private readonly signer: CryptoSigner;\n\n constructor(signer: CryptoSigner) {\n this.signer = signer;\n }\n\n public async createCustomToken(\n appId: string,\n options?: AppCheckTokenOptions\n ): Promise<string> {\n if (!appId) {\n throw new Error(\n 'appId is invalid',\n );\n }\n let customOptions = {};\n if (typeof options !== 'undefined') {\n customOptions = this.validateTokenOptions(options);\n }\n\n const account = await this.signer.getAccountId();\n\n const iat = Math.floor(Date.now() / 1000);\n const body = {\n iss: account,\n sub: account,\n app_id: appId,\n aud: FIREBASE_APP_CHECK_AUDIENCE,\n exp: iat + ONE_MINUTE_IN_SECONDS * 5,\n iat,\n ...customOptions\n };\n\n return this.signer.sign(body);\n }\n\n private validateTokenOptions(options: AppCheckTokenOptions): {\n [key: string]: unknown;\n } {\n if (typeof options.ttlMillis !== 'undefined') {\n if (\n options.ttlMillis < ONE_MINUTE_IN_MILLIS * 30 ||\n options.ttlMillis > ONE_DAY_IN_MILLIS * 7\n ) {\n throw new Error(\n 'ttlMillis must be a duration in milliseconds between 30 minutes and 7 days (inclusive).'\n );\n }\n\n return { ttl: transformMillisecondsToSecondsString(options.ttlMillis) };\n }\n return {};\n }\n}\n","import { Redis } from \"@upstash/redis\";\n\nimport type { AppCheckOptions } from '../adapters/types';\nimport { appCheckAdmin } from '../utils/admin-init';\n\ninterface CachedToken {\n token: string;\n expiresAt: number;\n}\n\n/**\n * Redis client interface for AppCheck token caching (Upstash Redis or compatible adapter)\n */\ninterface RedisClient {\n get(key: string): Promise<any>;\n set(key: string, value: any, opts?: { px?: number }): Promise<any>;\n del(key: string): Promise<number>;\n}\n\n\nexport class ServerAppCheckManager {\n private static instances: Map<string, ServerAppCheckManager> = new Map();\n private memoryCache: Map<string, CachedToken> = new Map();\n private redisClient: RedisClient | null = null;\n private readonly options: Required<Omit<AppCheckOptions, 'redis' | 'skipInMemoryFirst'>> & {\n redis?: AppCheckOptions['redis'];\n skipInMemoryFirst: boolean;\n };\n private pendingTokens: Map<string, Promise<string | null>> = new Map();\n\n private constructor(options?: AppCheckOptions) {\n const defaultOptions: Required<Omit<AppCheckOptions, 'redis' | 'skipInMemoryFirst'>> & { skipInMemoryFirst: boolean } = {\n strategy: 'memory',\n ttlMillis: 3600000, // 1 hour\n refreshBufferMillis: 300000, // 5 minutes\n keyPrefix: 'appcheck:token:',\n skipInMemoryFirst: false,\n };\n\n this.options = { ...defaultOptions, ...options };\n\n if (this.options.strategy === 'redis' && this.options.redis) {\n void this.initializeRedis(this.options.redis);\n }\n }\n\n private initializeRedis = (config: AppCheckOptions['redis']): void => {\n if (!config) {\n throw new Error('[AppCheck] Redis configuration is required when strategy is \"redis\"');\n }\n\n try {\n this.redisClient = new Redis({\n url: config.url,\n token: config.token,\n });\n\n console.info('[AppCheck] Redis client initialized for token caching');\n } catch (error) {\n console.error('[AppCheck] Failed to initialize Redis client:', error);\n throw new Error('[AppCheck] Redis initialization failed. Install \"@upstash/redis\" package.');\n }\n }\n\n public static getInstance(options?: AppCheckOptions): ServerAppCheckManager {\n const key = options?.strategy || 'memory';\n\n if (!ServerAppCheckManager.instances.has(key)) {\n ServerAppCheckManager.instances.set(key, new ServerAppCheckManager(options));\n }\n\n const instance = ServerAppCheckManager.instances.get(key);\n if (!instance) {\n throw new Error('[AppCheck] Failed to get instance');\n }\n\n return instance;\n }\n\n private buildCacheKey(appId: string): string {\n return `${this.options.keyPrefix}${appId}`;\n }\n\n\n private getCachedToken = async (appId: string): Promise<CachedToken | null> => {\n if (this.options.strategy === 'memory') {\n return this.memoryCache.get(appId) || null;\n }\n\n if (this.options.strategy === 'redis') {\n // Check in-memory cache first (unless skipInMemoryFirst is true)\n if (!this.options.skipInMemoryFirst) {\n const memCached = this.memoryCache.get(appId);\n if (memCached) {\n return memCached;\n }\n }\n\n // Fallback to Redis\n if (this.redisClient) {\n try {\n const key = this.buildCacheKey(appId);\n const cached = await this.redisClient.get(key);\n\n if (cached) {\n const parsed: CachedToken = typeof cached === 'string' ? JSON.parse(cached) : cached;\n\n if (!this.options.skipInMemoryFirst) {\n this.memoryCache.set(appId, parsed);\n }\n\n return parsed;\n }\n } catch (error) {\n console.error('[AppCheck] Redis get error:', error);\n }\n }\n }\n\n return null;\n }\n\n\n private setCachedToken = async (appId: string, token: string, expiresAt: number): Promise<void> => {\n const cachedToken: CachedToken = { token, expiresAt };\n\n // Always store in memory cache for both strategies\n this.memoryCache.set(appId, cachedToken);\n\n if (this.options.strategy === 'memory') {\n return;\n }\n\n // For Redis strategy, also persist to Redis\n if (this.options.strategy === 'redis' && this.redisClient) {\n try {\n const key = this.buildCacheKey(appId);\n const ttl = expiresAt - Date.now();\n\n await this.redisClient.set(key, JSON.stringify(cachedToken), {\n px: ttl, // Expiry in milliseconds (lowercase for Upstash)\n });\n } catch (error) {\n console.error('[AppCheck] Redis set error:', error);\n }\n }\n }\n\n getOrGenerateToken = async (appId: string): Promise<string | null> => {\n const cached = await this.getCachedToken(appId);\n const now = Date.now();\n\n if (cached && cached.expiresAt > now + this.options.refreshBufferMillis) {\n return cached.token;\n }\n\n const pending = this.pendingTokens.get(appId);\n if (pending) {\n return pending;\n }\n\n const tokenPromise = this.generateAndCacheToken(appId);\n this.pendingTokens.set(appId, tokenPromise);\n\n try {\n const token = await tokenPromise;\n return token;\n } finally {\n this.pendingTokens.delete(appId);\n }\n }\n\n /**\n * Generate and cache a new token\n */\n private generateAndCacheToken = async (appId: string): Promise<string | null> => {\n try {\n const now = Date.now();\n\n const appCheckToken = await appCheckAdmin.createToken(appId, {\n ttlMillis: this.options.ttlMillis,\n });\n\n const expiresAt = now + this.options.ttlMillis;\n await this.setCachedToken(appId, appCheckToken.token, expiresAt);\n\n return appCheckToken.token;\n } catch (error) {\n console.error('[AppCheck] Failed to generate token:', error);\n return null;\n }\n }\n\n clearCache = async (appId?: string): Promise<void> => {\n if (appId) {\n this.memoryCache.delete(appId);\n } else {\n this.memoryCache.clear();\n }\n\n if (this.options.strategy === 'redis' && this.redisClient) {\n try {\n if (appId) {\n const key = this.buildCacheKey(appId);\n await this.redisClient.del(key);\n }\n } catch (error) {\n console.error('[AppCheck] Redis delete error:', error);\n }\n }\n }\n\n getCacheStats(): {\n strategy: string;\n memorySize: number;\n entries: Array<{ appId: string; expiresIn: number }>\n } {\n const now = Date.now();\n const entries = Array.from(this.memoryCache.entries()).map(([appId, cached]) => ({\n appId,\n expiresIn: Math.max(0, cached.expiresAt - now),\n }));\n\n return {\n strategy: this.options.strategy,\n memorySize: this.memoryCache.size,\n entries,\n };\n }\n\n /**\n * Close Redis connection\n */\n disconnect(): void {\n if (this.redisClient) {\n this.redisClient = null;\n }\n }\n}","import admin from 'firebase-admin';\r\nimport { getAppCheck } from \"firebase-admin/app-check\";\r\n\r\nimport { initializeAdminConfig } from './config';\r\n\r\nif (!admin.apps.length) {\r\n try {\r\n const config = initializeAdminConfig();\r\n admin.initializeApp({\r\n credential: admin.credential.cert({\r\n ...config,\r\n privateKey: config.privateKey.replace(/\\\\n/g, '\\n'),\r\n }),\r\n });\r\n } catch (error) {\r\n console.error('Firebase admin initialization error', error);\r\n }\r\n}\r\n\r\nexport const adminTernSecureAuth: admin.auth.Auth = admin.auth();\r\nexport const adminTernSecureDb: admin.firestore.Firestore = admin.firestore();\r\nexport const TernSecureTenantManager: admin.auth.TenantManager = admin.auth().tenantManager();\r\nexport const appCheckAdmin: admin.appCheck.AppCheck = getAppCheck();\r\n\r\n/**\r\n * Gets the appropriate Firebase Auth instance.\r\n * If a tenantId is provided, it returns the Auth instance for that tenant.\r\n * Otherwise, it returns the default project-level Auth instance.\r\n * @param tenantId - The optional tenant ID.\r\n * @returns An admin.auth.Auth instance.\r\n */\r\nexport function getAuthForTenant(tenantId?: string): admin.auth.Auth {\r\n if (tenantId) {\r\n return TernSecureTenantManager.authForTenant(tenantId) as unknown as admin.auth.Auth;\r\n }\r\n return admin.auth();\r\n}","import type { DecodedAppCheckToken } from '@tern-secure/types';\nimport { createRemoteJWKSet, type KeyLike, type ProtectedHeaderParameters } from 'jose';\n\nimport type { Credential } from '../auth';\nimport type { JwtReturnType } from '../jwt';\nimport { ternDecodeJwt, verifyAppCheckJwt, type VerifyJwtOptions } from '../jwt/verifyJwt';\nimport type { LoadJWKFromRemoteOptions } from '../tokens/keys';\nimport { TokenVerificationError, TokenVerificationErrorReason } from '../utils/errors';\n\nexport type VerifyAppcheckOptions = Omit<VerifyJwtOptions, 'key'> & Omit<LoadJWKFromRemoteOptions, 'kid'> & {\n currentDate?: Date;\n checkRevoked?: boolean;\n referer?: string;\n experimental_enableTokenRefreshOnExpiredKidHeader?: boolean;\n};\n\nconst getPublicKey = async (header: ProtectedHeaderParameters, keyURL: string): Promise<KeyLike> => {\n const jswksUrl: URL = new URL(keyURL);\n const getKey = createRemoteJWKSet(jswksUrl);\n\n return getKey(header);\n\n}\n\n\nconst verifyAppCheckToken = async (\n token: string,\n options: VerifyAppcheckOptions,\n): Promise<JwtReturnType<DecodedAppCheckToken, TokenVerificationError>> => {\n const { data: decodedResult, errors } = ternDecodeJwt(token);\n\n if (errors) {\n throw errors[0];\n }\n\n const { header } = decodedResult;\n const { kid } = header;\n\n if (!kid) {\n return {\n errors: [\n new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalid,\n message: 'JWT \"kid\" header is missing.',\n }),\n ],\n };\n }\n\n try {\n const getPublicKeyForToken = () => getPublicKey(header, options.keyURL || '');\n\n return await verifyAppCheckJwt(token, { ...options, key: getPublicKeyForToken });\n } catch (error) {\n if (error instanceof TokenVerificationError) {\n return { errors: [error] };\n }\n return {\n errors: [error as TokenVerificationError],\n };\n }\n};\n\nexport class AppcheckTokenVerifier {\n constructor(private readonly credential: Credential) { }\n\n public verifyToken = async (\n token: string,\n projectId: string,\n options: VerifyAppcheckOptions,\n ): Promise<DecodedAppCheckToken> => {\n const { data, errors } = await verifyAppCheckToken(token, options);\n if (errors) {\n throw errors[0];\n }\n\n return data;\n };\n}"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACCA,kBAAqC;;;ACArC,IAAAA,eAKO;;;ACSA,IAAM,+BAA+B;AAAA,EAC1C,cAAc;AAAA,EACd,cAAc;AAAA,EACd,uBAAuB;AAAA,EACvB,+BAA+B;AAAA,EAC/B,uBAAuB;AAAA,EACvB,mBAAmB;AAAA,EACnB,qBAAqB;AAAA,EACrB,yBAAyB;AAAA,EACzB,kBAAkB;AAAA,EAClB,iBAAiB;AAAA,EACjB,uBAAuB;AAAA,EACvB,kBAAkB;AAAA,EAClB,kBAAkB;AAAA,EAClB,oBAAoB;AAAA,EACpB,gBAAgB;AAClB;AAKO,IAAM,yBAAN,MAAM,gCAA+B,MAAM;AAAA,EAChD;AAAA,EACA;AAAA,EAEA,YAAY;AAAA,IACV;AAAA,IACA;AAAA,EACF,GAGG;AACD,UAAM,OAAO;AAEb,WAAO,eAAe,MAAM,wBAAuB,SAAS;AAE5D,SAAK,SAAS;AACd,SAAK,UAAU;AAAA,EACjB;AAAA,EAEO,iBAAiB;AACtB,WAAO,GAAG,CAAC,KAAK,OAAO,EAAE,OAAO,OAAK,CAAC,EAAE,KAAK,GAAG,CAAC,YAAY,KAAK,MAAM,mBACtE,KAAK,YACP;AAAA,EACF;AACA;;;AChDK,SAAS,oCAAoC,SAAqB;AACvE,QAAM,uBAAuB;AAC7B,uBAAqB,SAAS,qBAAqB;AACnD,SAAO;AACT;;;ACLO,IAAM,YAAY;AAAA,EACvB,MAAM,QAAgB,MAAiC;AACrD,WAAO,MAAM,QAAQ,mBAAmB,IAAI;AAAA,EAC9C;AAAA,EAEA,UAAU,MAAyB,MAAiC;AAClE,WAAO,UAAU,MAAM,mBAAmB,IAAI;AAAA,EAChD;AACF;AAEA,IAAM,oBAA8B;AAAA,EAClC,OAAO;AAAA,EACP,MAAM;AACR;AAiBA,SAAS,MAAM,QAAgB,UAAoB,OAAqB,CAAC,GAAe;AAEtF,MAAI,CAAC,SAAS,OAAO;AACnB,aAAS,QAAQ,CAAC;AAClB,aAAS,IAAI,GAAG,IAAI,SAAS,MAAM,QAAQ,EAAE,GAAG;AAC9C,eAAS,MAAM,SAAS,MAAM,CAAC,CAAC,IAAI;AAAA,IACtC;AAAA,EACF;AAGA,MAAI,CAAC,KAAK,SAAU,OAAO,SAAS,SAAS,OAAQ,GAAG;AACtD,UAAM,IAAI,YAAY,iBAAiB;AAAA,EACzC;AAGA,MAAI,MAAM,OAAO;AACjB,SAAO,OAAO,MAAM,CAAC,MAAM,KAAK;AAC9B,MAAE;AAGF,QAAI,CAAC,KAAK,SAAS,GAAI,OAAO,SAAS,OAAO,SAAS,OAAQ,IAAI;AACjE,YAAM,IAAI,YAAY,iBAAiB;AAAA,IACzC;AAAA,EACF;AAGA,QAAM,MAAM,KAAK,KAAK,OAAO,YAAc,MAAM,SAAS,OAAQ,IAAK,CAAC;AAGxE,MAAI,OAAO;AACX,MAAI,SAAS;AACb,MAAI,UAAU;AACd,WAAS,IAAI,GAAG,IAAI,KAAK,EAAE,GAAG;AAE5B,UAAM,QAAQ,SAAS,MAAM,OAAO,CAAC,CAAC;AACtC,QAAI,UAAU,QAAW;AACvB,YAAM,IAAI,YAAY,uBAAuB,OAAO,CAAC,CAAC;AAAA,IACxD;AAGA,aAAU,UAAU,SAAS,OAAQ;AACrC,YAAQ,SAAS;AAGjB,QAAI,QAAQ,GAAG;AACb,cAAQ;AACR,UAAI,SAAS,IAAI,MAAQ,UAAU;AAAA,IACrC;AAAA,EACF;AAGA,MAAI,QAAQ,SAAS,QAAQ,MAAQ,UAAW,IAAI,MAAQ;AAC1D,UAAM,IAAI,YAAY,wBAAwB;AAAA,EAChD;AAEA,SAAO;AACT;AAEA,SAAS,UAAU,MAAyB,UAAoB,OAAyB,CAAC,GAAW;AACnG,QAAM,EAAE,MAAM,KAAK,IAAI;AACvB,QAAM,QAAQ,KAAK,SAAS,QAAQ;AACpC,MAAI,MAAM;AAEV,MAAI,OAAO;AACX,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,EAAE,GAAG;AAEpC,aAAU,UAAU,IAAM,MAAO,KAAK,CAAC;AACvC,YAAQ;AAGR,WAAO,OAAO,SAAS,MAAM;AAC3B,cAAQ,SAAS;AACjB,aAAO,SAAS,MAAM,OAAQ,UAAU,IAAK;AAAA,IAC/C;AAAA,EACF;AAGA,MAAI,MAAM;AACR,WAAO,SAAS,MAAM,OAAQ,UAAW,SAAS,OAAO,IAAM;AAAA,EACjE;AAGA,MAAI,KAAK;AACP,WAAQ,IAAI,SAAS,SAAS,OAAQ,GAAG;AACvC,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;;;ACnIA,IAAAC,eAA+D;;;ACA/D,IAAM,YAAoC;AAAA,EACxC,OAAO;AAAA,EACP,OAAO;AAAA,EACP,OAAO;AACT;AASO,IAAM,OAAO,OAAO,KAAK,SAAS;;;ACGlC,IAAM,kBAAkB,CAAC,QAAkB;AAChD,MAAI,OAAO,QAAQ,aAAa;AAC9B;AAAA,EACF;AAEA,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,mBAAmB,KAAK,UAAU,GAAG,CAAC;AAAA,IACjD,CAAC;AAAA,EACH;AACF;AAWO,IAAM,iBAAiB,CAAC,QAAiB;AAC9C,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,kEAAkE,KAAK,UAAU,GAAG,CAAC;AAAA,IAChG,CAAC;AAAA,EACH;AACF;AAEO,IAAM,wBAAwB,CAAC,KAAyB,kBAA0B;AACvF,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,uCAAuC,KAAK,UAAU,GAAG,CAAC;AAAA,IACrE,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,IAAI,KAAK,KAAK,IAAI,CAAC;AACvC,QAAM,aAAa,oBAAI,KAAK,CAAC;AAC7B,aAAW,cAAc,GAAG;AAE5B,QAAM,UAAU,WAAW,QAAQ,KAAK,YAAY,QAAQ,IAAI;AAChE,MAAI,SAAS;AACX,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,gCAAgC,WAAW,YAAY,CAAC,mBAAmB,YAAY,YAAY,CAAC;AAAA,IAC/G,CAAC;AAAA,EACH;AACF;AAEO,IAAM,sBAAsB,CAAC,KAAyB,kBAA0B;AACrF,MAAI,OAAO,QAAQ,aAAa;AAC9B;AAAA,EACF;AAEA,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,0CAA0C,KAAK,UAAU,GAAG,CAAC;AAAA,IACxE,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,IAAI,KAAK,KAAK,IAAI,CAAC;AACvC,QAAM,eAAe,oBAAI,KAAK,CAAC;AAC/B,eAAa,cAAc,GAAG;AAE9B,QAAM,aAAa,aAAa,QAAQ,IAAI,YAAY,QAAQ,IAAI;AACpE,MAAI,YAAY;AACd,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,oEAAoE,aAAa,YAAY,CAAC,mBAAmB,YAAY,YAAY,CAAC;AAAA,IACrJ,CAAC;AAAA,EACH;AACF;;;ANvEA,IAAM,2BAA2B,IAAI;AAiC9B,SAAS,cAAc,OAA2D;AACvF,MAAI;AACF,UAAM,aAAS,oCAAsB,KAAK;AAC1C,UAAM,cAAU,wBAAU,KAAK;AAE/B,UAAM,cAAc,SAAS,IAAI,SAAS,EAAE,MAAM,GAAG;AACrD,QAAI,WAAW,WAAW,GAAG;AAC3B,aAAO;AAAA,QACL,QAAQ;AAAA,UACN,IAAI,uBAAuB;AAAA,YACzB,QAAQ,6BAA6B;AAAA,YACrC,SAAS;AAAA,UACX,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAEA,UAAM,CAAC,WAAW,YAAY,YAAY,IAAI;AAC9C,UAAM,YAAY,UAAU,MAAM,cAAc,EAAE,OAAO,KAAK,CAAC;AAE/D,UAAM,OAAO;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,MACA,KAAK;AAAA,QACH,QAAQ;AAAA,QACR,SAAS;AAAA,QACT,WAAW;AAAA,QACX,MAAM;AAAA,MACR;AAAA,IACF;AAEA,WAAO,EAAE,KAAK;AAAA,EAChB,SAAS,OAAO;AACd,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAS,GAAI,MAAgB,WAAW,8CAA8C,mBAAmB,OAAO,MAAM,qBAAqB,OAAO,UAAU,GAAG,EAAE,CAAC;AAAA,QACpK,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AACF;AA8CA,eAAsB,wBACpB,KACAC,eAC2C;AAC3C,QAAM,EAAE,QAAQ,IAAI,IAAI;AACxB,QAAM,gBAAgB,OAAO,OAAO;AAEpC,MAAI;AACF,UAAM,MAAM,MAAMA,cAAa;AAE/B,UAAM,EAAE,QAAQ,IAAI,UAAM,wBAAU,IAAI,MAAM,GAAG;AAEjD,WAAO,EAAE,MAAM,QAAQ;AAAA,EACzB,SAAS,OAAO;AACd,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAU,MAAgB;AAAA,QAC5B,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AACF;AAGA,eAAsB,kBACpB,OACA,SACsE;AACtE,QAAM,EAAE,KAAKA,cAAa,IAAI;AAC9B,QAAM,YAAY,QAAQ,iBAAiB;AAE3C,QAAM,EAAE,MAAM,SAAS,OAAO,IAAI,cAAc,KAAK;AACrD,MAAI,QAAQ;AACV,WAAO,EAAE,OAAO;AAAA,EAClB;AAEA,QAAM,EAAE,QAAQ,QAAQ,IAAI;AAE5B,MAAI;AACF,oBAAgB,OAAO,GAAG;AAC1B,mBAAe,QAAQ,GAAG;AAC1B,0BAAsB,QAAQ,KAAK,SAAS;AAC5C,wBAAoB,QAAQ,KAAK,SAAS;AAAA,EAC5C,SAAS,OAAO;AACd,WAAO,EAAE,QAAQ,CAAC,KAA+B,EAAE;AAAA,EACrD;AAEA,QAAM,EAAE,MAAM,iBAAiB,QAAQ,gBAAgB,IAAI,MAAM;AAAA,IAC/D;AAAA,IACAA;AAAA,EACF;AACA,MAAI,iBAAiB;AACnB,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,QAAM,uBAAuB,oCAAoC,eAAe;AAEhF,SAAO,EAAE,MAAM,qBAAqB;AACtC;;;AO5MO,IAAM,8BACX;AAEK,IAAM,oCAAoC,IAAI;AAC9C,IAAM,yBAAyB,OAAO;AAGtC,IAAM,gCAAgC,IAAI,KAAK;AAC/C,IAAM,wBAAwB;AAC9B,IAAM,yBAAyB;AAC/B,IAAM,yBAAyB;AAC/B,IAAM,sBAAsB,KAAK;AAEjC,IAAM,wBAAwB;AAC9B,IAAM,uBAAuB,wBAAwB;AACrD,IAAM,oBAAoB,KAAK,KAAK,KAAK;AAWhD,IAAM,UAAU;AAAA,EACd,SAAS;AAAA,EACT,WAAW;AAAA,EACX,SAAS;AAAA,EACT,SAAS;AAAA,EACT,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,WAAW;AAAA,EACX,YAAY;AAAA,EACZ,eAAe;AAAA,EACf,gBAAgB;AAClB;AAGA,IAAM,kBAAkB;AAAA,EACtB,YAAY;AAAA,EACZ,iBAAiB;AAAA,EACjB,iBAAiB;AAAA;AAAA,EAEjB,YAAY,QAAQ;AAAA,EACpB,WAAW,QAAQ;AAAA,EACnB,eAAe;AAAA,EACf,kBAAkB;AAAA,EAClB,iBAAiB;AAAA,EACjB,gBAAgB,QAAQ;AAC1B;;;ACiBO,IAAM,kBAAkB,OAA8B;AAAA,EAC3D,WAAW,QAAQ,IAAI,uBAAuB;AAAA,EAC9C,aAAa,QAAQ,IAAI,yBAAyB;AAAA,EAClD,YAAY,QAAQ,IAAI,wBAAwB;AAClD;AAOO,IAAM,sBAAsB,CAAC,WAA+D;AACjG,QAAM,iBAAkD;AAAA,IACtD;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,QAAM,SAAmB,CAAC;AAE1B,iBAAe,QAAQ,WAAS;AAC9B,QAAI,CAAC,OAAO,KAAK,GAAG;AAClB,aAAO,KAAK,oCAAoC,OAAO,KAAK,EAAE,YAAY,CAAC,EAAE;AAAA,IAC/E;AAAA,EACF,CAAC;AAED,SAAO;AAAA,IACL,SAAS,OAAO,WAAW;AAAA,IAC3B;AAAA,IACA;AAAA,EACF;AACF;AAMO,IAAM,wBAAwB,MAA6B;AAChE,QAAM,SAAS,gBAAgB;AAC/B,QAAM,mBAAmB,oBAAoB,MAAM;AAEnD,MAAI,CAAC,iBAAiB,SAAS;AAC7B,UAAM,IAAI;AAAA,MACR;AAAA,EAAoD,iBAAiB,OAAO,KAAK,IAAI,CAAC;AAAA,IACxF;AAAA,EACF;AAEA,SAAO;AACT;;;ACvHO,SAAS,eAAsE,WAAc;AAClG,SAAO,IAAI,SAA6E;AACtF,UAAM,EAAE,MAAM,OAAO,IAAI,UAAU,GAAG,IAAI;AAE1C,QAAI,QAAQ;AACV,YAAM,OAAO,CAAC;AAAA,IAChB;AAEA,WAAO;AAAA,EACT;AACF;;;ACRA,IAAAC,eAAwD;;;ACFxD,IAAAC,eAAiD;;;ACFjD,eAAe,sBAAsB,UAAqC;AACtE,QAAM,OAAO,MAAM,SAAS,KAAK;AAEjC,MAAI,CAAC,MAAM;AACP,WAAO;AAAA,EACX;AAEA,MAAI,SACA,OAAO,KAAK,UAAU,WAChB,KAAK,QACJ,KAAK,OAAO,WAAW;AAElC,MAAI,KAAK,mBAAmB;AACxB,cAAU,OAAO,KAAK,oBAAoB;AAAA,EAC9C;AAEA,SAAO;AACX;AAEA,eAAsB,UAAU,KAAa,MAAmB;AAC9D,UAAQ,MAAM,SAAS,KAAK,IAAI,GAAG,KAAK;AAC1C;AAEA,eAAsB,UAAU,KAAa,MAAmB;AAC5D,UAAQ,MAAM,SAAS,KAAK,IAAI,GAAG,KAAK;AAC5C;AAEA,eAAsB,SAAS,KAAa,MAAmB;AAC3D,QAAM,WAAW,MAAM,MAAM,KAAK,IAAI;AAEtC,MAAI,CAAC,SAAS,IAAI;AACd,UAAM,IAAI,MAAM,MAAM,sBAAsB,QAAQ,CAAC;AAAA,EACzD;AAEA,SAAO;AACX;;;ACrBO,IAAM,kBAAkB;;;AFO/B,eAAe,YAAY,MAAoC;AAC7D,QAAM,EAAE,SAAS,YAAY,MAAM,IAAI;AACvC,MAAI;AAEJ,MAAI;AACF,UAAM,UAAM,0BAAY,YAAY,eAAe;AAAA,EACrD,SAAS,OAAO;AACd,UAAM,IAAI,uBAAuB;AAAA,MAC/B,SAAS,iCAAkC,MAAgB,OAAO;AAAA,MAClE,QAAQ,6BAA6B;AAAA,IACvC,CAAC;AAAA,EACH;AAEA,SAAO,IAAI,qBAAQ,OAAO,EACvB,mBAAmB,EAAE,KAAK,iBAAiB,KAAK,MAAM,CAAC,EACvD,KAAK,GAAG;AACb;AAUA,SAAS,aAAa,OAAe;AACnC,SAAO,MAAM,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,EAAE;AACxE;AAEA,SAAS,cAAc,SAAsD;AAC3E,QAAM,QAAQ,KAAK,UAAU,OAAO;AAEpC,SAAO,aAAa,uBAAU,OAAO,KAAK,CAAC;AAC7C;AAGA,eAAe,aAAa;AAAA,EAC1B;AAAA,EACA;AAAA,EACA;AACF,GAAqC;AACnC,QAAM,MAAM,uEAAuE,gBAAgB;AACnG,QAAM,SAAS;AAAA,IACb,KAAK;AAAA,IACL,KAAK;AAAA,EACP;AACA,QAAM,QAAQ,GAAG,cAAc,MAAM,CAAC,IAAI,cAAc,OAAO,CAAC;AAChE,QAAM,UAAuB;AAAA,IAC3B,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,eAAe,UAAU,WAAW;AAAA,IACtC;AAAA,IACA,MAAM,KAAK,UAAU,EAAC,SAAS,uBAAU,OAAO,KAAK,EAAC,CAAC;AAAA,EACzD;AACA,QAAM,WAAW,MAAM,SAAS,KAAK,OAAO;AAC5C,QAAM,OAAO,MAAM,SAAS,KAAK;AACjC,QAAM,MAAM,MAAM,KAAK,KAAK;AAC5B,QAAM,EAAC,WAAU,IAAI,KAAK,MAAM,GAAG;AAEnC,SAAO,GAAG,KAAK,IAAI,aAAa,UAAU,CAAC;AAC7C;;;AG1EA,IAAM,uBAAN,MAAmD;AAAA,EAE/C,YACqB,YACT,UACV;AAFmB;AACT;AAAA,EACR;AAAA,EAEJ,MAAa,eAAgC;AACzC,WAAO,QAAQ,QAAQ,KAAK,WAAW,WAAW;AAAA,EACtD;AAAA,EAEA,MAAa,KAAK,SAAsC;AACpD,QAAI,KAAK,UAAU;AACf,cAAQ,YAAY,KAAK;AAAA,IAC7B;AAEA,WAAO,YAAY,EAAE,SAAS,YAAY,KAAK,WAAW,WAAW,CAAC;AAAA,EAC1E;AACJ;AAEA,IAAM,YAAN,MAAwC;AAAA,EACpC,YAAY;AAAA,EAEJ;AAAA,EACA;AAAA,EACA;AAAA,EAER,YACI,YACA,UACA,kBACF;AACE,SAAK,aAAa;AAClB,SAAK,WAAW;AAChB,SAAK,mBAAmB;AAAA,EAC5B;AAAA,EAEA,MAAa,KAAK,SAAsC;AACpD,QAAI,KAAK,UAAU;AACf,cAAQ,YAAY,KAAK;AAAA,IAC7B;AAEA,UAAM,iBAAiB,MAAM,KAAK,aAAa;AAC/C,UAAM,cAAc,MAAM,KAAK,WAAW,eAAe;AAEzD,WAAO,aAAa;AAAA,MAChB,aAAa,YAAY;AAAA,MACzB,kBAAkB;AAAA,MAClB;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,MAAa,eAAgC;AACzC,QAAI,KAAK,kBAAkB;AACvB,aAAO,KAAK;AAAA,IAChB;AAEA,UAAM,QAAQ,MAAM,KAAK,WAAW,eAAe;AACnD,UAAM,MACF;AACJ,UAAM,UAAuB;AAAA,MACzB,QAAQ;AAAA,MACR,SAAS;AAAA,QACL,mBAAmB;AAAA,QACnB,eAAe,UAAU,MAAM,WAAW;AAAA,MAC9C;AAAA,IACJ;AAEA,WAAQ,KAAK,mBAAmB,MAAM,UAAU,KAAK,OAAO;AAAA,EAChE;AACJ;;;AC3EO,IAAMC,iBAAgB,eAAe,aAAc;;;AC0B1D,IAAM,mBAAqD,oBAAI,IAAI;AAMnE,eAAe,mBAAmB,WAAmB,MAAiD;AAClG,QAAM,OAAO,MAAM,UAAU,WAAW,IAAI;AAE5C,MAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,YAAY;AACxC,UAAM,IAAI,MAAM,+BAA+B;AAAA,EACnD;AAEA,SAAO;AAAA,IACH,aAAa,KAAK;AAAA,IAClB,gBAAgB,KAAK,IAAI,IAAK,KAAK,aAAa;AAAA,EACpD;AACJ;AAEO,IAAM,wBAAN,MAAkD;AAAA,EACrC;AAAA,EACA;AAAA,EACA;AAAA,EAEhB,YAAY,gBAAgC;AACxC,SAAK,YAAY,eAAe;AAChC,SAAK,aAAa,eAAe;AACjC,SAAK,cAAc,eAAe;AAAA,EACtC;AAAA,EAEQ,mBAAmB,OAAO,QAA8C;AAC5E,UAAM,QAAQ,MAAM,KAAK,UAAU;AACnC,UAAM,WACF,gFAEA;AAEJ,WAAO,mBAAmB,KAAK;AAAA,MAC3B,QAAQ;AAAA,MACR,SAAS;AAAA,QACL,gBAAgB;AAAA,QAChB,eAAe,UAAU,KAAK;AAAA,QAC9B,QAAQ;AAAA,MACZ;AAAA,MACA,MAAM;AAAA,IACV,CAAC;AAAA,EACL;AAAA,EAEQ,2BAA2B,OAAO,QAA8C;AACpF,UAAM,cAAc,MAAM,KAAK,iBAAiB,GAAG;AACnD,qBAAiB,IAAI,KAAK,WAAW,WAAW;AAChD,WAAO;AAAA,EACX;AAAA,EAEO,iBAAiB,OAAO,YAAoD;AAC/E,UAAM,MAAM,WAAW,sBAAsB,GAAG,sBAAsB;AAEtE,QAAI,SAAS;AACT,aAAO,KAAK,yBAAyB,GAAG;AAAA,IAC5C;AAEA,UAAM,iBAAiB,iBAAiB,IAAI,KAAK,SAAS;AAE1D,QAAI,CAAC,kBAAkB,eAAe,iBAAiB,KAAK,IAAI,KAAK,+BAA+B;AAChG,aAAO,KAAK,yBAAyB,GAAG;AAAA,IAC5C;AAEA,WAAO;AAAA,EACX;AAAA,EAEQ,YAAY,YAA6B;AAC7C,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAExC,UAAM,UAAU;AAAA,MACZ,KAAK;AAAA,MACL;AAAA,MACA,KAAK,MAAM;AAAA,MACX,KAAK,KAAK;AAAA,MACV,KAAK,KAAK;AAAA,MACV,OAAO;AAAA,QACH;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACJ,EAAE,KAAK,GAAG;AAAA,IACd;AAEA,WAAO,YAAY;AAAA,MACf;AAAA,MACA,YAAY,KAAK;AAAA,IACrB,CAAC;AAAA,EACL;AACJ;;;ACrHO,SAAS,2BACZ,YACA,UACA,kBACY;AACZ,MAAI,sBAAsB,uBAAuB;AAC7C,WAAO,IAAI,qBAAqB,YAAY,QAAQ;AAAA,EACxD;AAEA,SAAO,IAAI,UAAU,YAAY,UAAU,gBAAgB;AAC/D;;;ACZO,SAAS,gBAAwB;AACpC,SAAO;AACX;AAEA,IAAM,oCAAoC;AAAA,EACtC,qBAAqB,mBAAmB,cAAc,CAAC;AAC3D;AAMO,IAAM,cAAN,MAAkB;AAAA,EACrB,YAAoB,YAAwB;AAAxB;AAAA,EAA0B;AAAA,EAE9C,MAAa,cAAc,QAAgD;AACvE,UAAM,EAAE,WAAW,OAAO,aAAa,aAAa,MAAM,IAAI;AAC9D,UAAM,QAAQ,MAAM,KAAK,WAAW,eAAe,KAAK;AACxD,QAAI,CAAC,aAAa,CAAC,OAAO;AACtB,YAAM,IAAI,MAAM,iEAAiE;AAAA,IACrF;AAEA,UAAM,WAAW,uDAAuD,SAAS,SAAS,KAAK;AAE/F,UAAM,UAAkC;AAAA,MACpC,gBAAgB;AAAA,MAChB,iBAAiB,UAAU,MAAM,WAAW;AAAA,IAChD;AAEA,QAAI;AACA,YAAM,WAAW,MAAM,MAAM,UAAU;AAAA,QACnC,QAAQ;AAAA,QACR;AAAA,QACA,MAAM,KAAK,UAAU,EAAE,aAAa,WAAW,CAAC;AAAA,MACpD,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AACd,cAAM,YAAY,MAAM,SAAS,KAAK;AACtC,cAAM,IAAI,MAAM,oCAAoC,SAAS,MAAM,IAAI,SAAS,EAAE;AAAA,MACtF;AAEA,YAAM,OAAO,MAAM,SAAS,KAAK;AACjC,aAAO;AAAA,QACH,OAAO,KAAK;AAAA,QACZ,KAAK,KAAK;AAAA,MACd;AAAA,IACJ,SAAS,OAAO;AACZ,cAAQ,KAAK,gDAAgD,KAAK;AAClE,YAAM;AAAA,IACV;AAAA,EACJ;AAAA,EACA,MAAa,mBAAmB,QAAgD;AAC5E,UAAM,EAAE,WAAW,OAAO,aAAa,aAAa,aAAa,MAAM,IAAI;AAC3E,QAAI,CAAC,aAAa,CAAC,OAAO;AACtB,YAAM,IAAI,MAAM,iEAAiE;AAAA,IACrF;AAEA,UAAM,WAAW,2DAA2D,SAAS,SAAS,KAAK;AAEnG,UAAM,UAAkC;AAAA,MACpC,GAAG;AAAA,MACH,iBAAiB,UAAU,WAAW;AAAA,IAC1C;AAEA,UAAM,OAAO;AAAA,MACT;AAAA,MACA;AAAA,IACJ;AAEA,QAAI;AACA,YAAM,WAAW,MAAM,MAAM,UAAU;AAAA,QACnC,QAAQ;AAAA,QACR;AAAA,QACA,MAAM,KAAK,UAAU,IAAI;AAAA,MAC7B,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AACd,cAAM,YAAY,MAAM,SAAS,KAAK;AACtC,cAAM,IAAI,MAAM,oCAAoC,SAAS,MAAM,IAAI,SAAS,EAAE;AAAA,MACtF;AAEA,YAAM,OAAO,MAAM,SAAS,KAAK;AACjC,aAAO;AAAA,QACH,OAAO,KAAK;AAAA,QACZ,KAAK,KAAK;AAAA,MACd;AAAA,IACJ,SAAS,OAAO;AACZ,cAAQ,KAAK,gDAAgD,KAAK;AAClE,YAAM;AAAA,IACV;AAAA,EACJ;AACJ;;;ACpFA,SAAS,qCAAqC,cAA8B;AACxE,MAAI;AACJ,QAAM,UAAU,KAAK,MAAM,eAAe,GAAI;AAC9C,QAAM,QAAQ,KAAK,OAAO,eAAe,UAAU,OAAQ,GAAO;AAClE,MAAI,QAAQ,GAAG;AACX,QAAI,aAAa,MAAM,SAAS;AAChC,WAAO,WAAW,SAAS,GAAG;AAC1B,mBAAa,MAAM;AAAA,IACvB;AACA,eAAW,GAAG,OAAO,IAAI,UAAU;AAAA,EACvC,OAAO;AACH,eAAW,GAAG,OAAO;AAAA,EACzB;AACA,SAAO;AACX;AAEO,IAAM,yBAAN,MAA6B;AAAA,EACf;AAAA,EAEjB,YAAY,QAAsB;AAC9B,SAAK,SAAS;AAAA,EAClB;AAAA,EAEA,MAAa,kBACT,OACA,SACe;AACf,QAAI,CAAC,OAAO;AACR,YAAM,IAAI;AAAA,QACN;AAAA,MACJ;AAAA,IACJ;AACA,QAAI,gBAAgB,CAAC;AACrB,QAAI,OAAO,YAAY,aAAa;AAChC,sBAAgB,KAAK,qBAAqB,OAAO;AAAA,IACrD;AAEA,UAAM,UAAU,MAAM,KAAK,OAAO,aAAa;AAE/C,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,UAAM,OAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,KAAK;AAAA,MACL,KAAK,MAAM,wBAAwB;AAAA,MACnC;AAAA,MACA,GAAG;AAAA,IACP;AAEA,WAAO,KAAK,OAAO,KAAK,IAAI;AAAA,EAChC;AAAA,EAEQ,qBAAqB,SAE3B;AACE,QAAI,OAAO,QAAQ,cAAc,aAAa;AAC1C,UACI,QAAQ,YAAY,uBAAuB,MAC3C,QAAQ,YAAY,oBAAoB,GAC1C;AACE,cAAM,IAAI;AAAA,UACN;AAAA,QACJ;AAAA,MACJ;AAEA,aAAO,EAAE,KAAK,qCAAqC,QAAQ,SAAS,EAAE;AAAA,IAC1E;AACA,WAAO,CAAC;AAAA,EACZ;AACJ;;;AChFA,mBAAsB;;;ACAtB,4BAAkB;AAClB,IAAAC,oBAA4B;AAI5B,IAAI,CAAC,sBAAAC,QAAM,KAAK,QAAQ;AACtB,MAAI;AACF,UAAM,SAAS,sBAAsB;AACrC,0BAAAA,QAAM,cAAc;AAAA,MAClB,YAAY,sBAAAA,QAAM,WAAW,KAAK;AAAA,QAChC,GAAG;AAAA,QACH,YAAY,OAAO,WAAW,QAAQ,QAAQ,IAAI;AAAA,MACpD,CAAC;AAAA,IACH,CAAC;AAAA,EACH,SAAS,OAAO;AACd,YAAQ,MAAM,uCAAuC,KAAK;AAAA,EAC5D;AACF;AAEO,IAAM,sBAAuC,sBAAAA,QAAM,KAAK;AACxD,IAAM,oBAA+C,sBAAAA,QAAM,UAAU;AACrE,IAAM,0BAAoD,sBAAAA,QAAM,KAAK,EAAE,cAAc;AACrF,IAAM,oBAAyC,+BAAY;;;ADF3D,IAAM,wBAAN,MAAM,uBAAsB;AAAA,EACjC,OAAe,YAAgD,oBAAI,IAAI;AAAA,EAC/D,cAAwC,oBAAI,IAAI;AAAA,EAChD,cAAkC;AAAA,EACzB;AAAA,EAIT,gBAAqD,oBAAI,IAAI;AAAA,EAE7D,YAAY,SAA2B;AAC7C,UAAM,iBAAkH;AAAA,MACtH,UAAU;AAAA,MACV,WAAW;AAAA;AAAA,MACX,qBAAqB;AAAA;AAAA,MACrB,WAAW;AAAA,MACX,mBAAmB;AAAA,IACrB;AAEA,SAAK,UAAU,EAAE,GAAG,gBAAgB,GAAG,QAAQ;AAE/C,QAAI,KAAK,QAAQ,aAAa,WAAW,KAAK,QAAQ,OAAO;AAC3D,WAAK,KAAK,gBAAgB,KAAK,QAAQ,KAAK;AAAA,IAC9C;AAAA,EACF;AAAA,EAEQ,kBAAkB,CAAC,WAA2C;AACpE,QAAI,CAAC,QAAQ;AACX,YAAM,IAAI,MAAM,qEAAqE;AAAA,IACvF;AAEA,QAAI;AACF,WAAK,cAAc,IAAI,mBAAM;AAAA,QAC3B,KAAK,OAAO;AAAA,QACZ,OAAO,OAAO;AAAA,MAChB,CAAC;AAED,cAAQ,KAAK,uDAAuD;AAAA,IACtE,SAAS,OAAO;AACd,cAAQ,MAAM,iDAAiD,KAAK;AACpE,YAAM,IAAI,MAAM,2EAA2E;AAAA,IAC7F;AAAA,EACF;AAAA,EAEA,OAAc,YAAY,SAAkD;AAC1E,UAAM,MAAM,SAAS,YAAY;AAEjC,QAAI,CAAC,uBAAsB,UAAU,IAAI,GAAG,GAAG;AAC7C,6BAAsB,UAAU,IAAI,KAAK,IAAI,uBAAsB,OAAO,CAAC;AAAA,IAC7E;AAEA,UAAM,WAAW,uBAAsB,UAAU,IAAI,GAAG;AACxD,QAAI,CAAC,UAAU;AACb,YAAM,IAAI,MAAM,mCAAmC;AAAA,IACrD;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,cAAc,OAAuB;AAC3C,WAAO,GAAG,KAAK,QAAQ,SAAS,GAAG,KAAK;AAAA,EAC1C;AAAA,EAGQ,iBAAiB,OAAO,UAA+C;AAC7E,QAAI,KAAK,QAAQ,aAAa,UAAU;AACtC,aAAO,KAAK,YAAY,IAAI,KAAK,KAAK;AAAA,IACxC;AAEA,QAAI,KAAK,QAAQ,aAAa,SAAS;AAErC,UAAI,CAAC,KAAK,QAAQ,mBAAmB;AACnC,cAAM,YAAY,KAAK,YAAY,IAAI,KAAK;AAC5C,YAAI,WAAW;AACb,iBAAO;AAAA,QACT;AAAA,MACF;AAGA,UAAI,KAAK,aAAa;AACpB,YAAI;AACF,gBAAM,MAAM,KAAK,cAAc,KAAK;AACpC,gBAAM,SAAS,MAAM,KAAK,YAAY,IAAI,GAAG;AAE7C,cAAI,QAAQ;AACV,kBAAM,SAAsB,OAAO,WAAW,WAAW,KAAK,MAAM,MAAM,IAAI;AAE9E,gBAAI,CAAC,KAAK,QAAQ,mBAAmB;AACnC,mBAAK,YAAY,IAAI,OAAO,MAAM;AAAA,YACpC;AAEA,mBAAO;AAAA,UACT;AAAA,QACF,SAAS,OAAO;AACd,kBAAQ,MAAM,+BAA+B,KAAK;AAAA,QACpD;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAGQ,iBAAiB,OAAO,OAAe,OAAe,cAAqC;AACjG,UAAM,cAA2B,EAAE,OAAO,UAAU;AAGpD,SAAK,YAAY,IAAI,OAAO,WAAW;AAEvC,QAAI,KAAK,QAAQ,aAAa,UAAU;AACtC;AAAA,IACF;AAGA,QAAI,KAAK,QAAQ,aAAa,WAAW,KAAK,aAAa;AACzD,UAAI;AACF,cAAM,MAAM,KAAK,cAAc,KAAK;AACpC,cAAM,MAAM,YAAY,KAAK,IAAI;AAEjC,cAAM,KAAK,YAAY,IAAI,KAAK,KAAK,UAAU,WAAW,GAAG;AAAA,UAC3D,IAAI;AAAA;AAAA,QACN,CAAC;AAAA,MACH,SAAS,OAAO;AACd,gBAAQ,MAAM,+BAA+B,KAAK;AAAA,MACpD;AAAA,IACF;AAAA,EACF;AAAA,EAEA,qBAAqB,OAAO,UAA0C;AACpE,UAAM,SAAS,MAAM,KAAK,eAAe,KAAK;AAC9C,UAAM,MAAM,KAAK,IAAI;AAErB,QAAI,UAAU,OAAO,YAAY,MAAM,KAAK,QAAQ,qBAAqB;AACvE,aAAO,OAAO;AAAA,IAChB;AAEA,UAAM,UAAU,KAAK,cAAc,IAAI,KAAK;AAC5C,QAAI,SAAS;AACX,aAAO;AAAA,IACT;AAEA,UAAM,eAAe,KAAK,sBAAsB,KAAK;AACrD,SAAK,cAAc,IAAI,OAAO,YAAY;AAE1C,QAAI;AACF,YAAM,QAAQ,MAAM;AACpB,aAAO;AAAA,IACT,UAAE;AACA,WAAK,cAAc,OAAO,KAAK;AAAA,IACjC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,wBAAwB,OAAO,UAA0C;AAC/E,QAAI;AACF,YAAM,MAAM,KAAK,IAAI;AAErB,YAAM,gBAAgB,MAAM,cAAc,YAAY,OAAO;AAAA,QAC3D,WAAW,KAAK,QAAQ;AAAA,MAC1B,CAAC;AAED,YAAM,YAAY,MAAM,KAAK,QAAQ;AACrC,YAAM,KAAK,eAAe,OAAO,cAAc,OAAO,SAAS;AAE/D,aAAO,cAAc;AAAA,IACvB,SAAS,OAAO;AACd,cAAQ,MAAM,wCAAwC,KAAK;AAC3D,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,aAAa,OAAO,UAAkC;AACpD,QAAI,OAAO;AACT,WAAK,YAAY,OAAO,KAAK;AAAA,IAC/B,OAAO;AACL,WAAK,YAAY,MAAM;AAAA,IACzB;AAEA,QAAI,KAAK,QAAQ,aAAa,WAAW,KAAK,aAAa;AACzD,UAAI;AACF,YAAI,OAAO;AACT,gBAAM,MAAM,KAAK,cAAc,KAAK;AACpC,gBAAM,KAAK,YAAY,IAAI,GAAG;AAAA,QAChC;AAAA,MACF,SAAS,OAAO;AACd,gBAAQ,MAAM,kCAAkC,KAAK;AAAA,MACvD;AAAA,IACF;AAAA,EACF;AAAA,EAEA,gBAIE;AACA,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,UAAU,MAAM,KAAK,KAAK,YAAY,QAAQ,CAAC,EAAE,IAAI,CAAC,CAAC,OAAO,MAAM,OAAO;AAAA,MAC/E;AAAA,MACA,WAAW,KAAK,IAAI,GAAG,OAAO,YAAY,GAAG;AAAA,IAC/C,EAAE;AAEF,WAAO;AAAA,MACL,UAAU,KAAK,QAAQ;AAAA,MACvB,YAAY,KAAK,YAAY;AAAA,MAC7B;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,aAAmB;AACjB,QAAI,KAAK,aAAa;AACpB,WAAK,cAAc;AAAA,IACrB;AAAA,EACF;AACF;;;AE7OA,IAAAC,eAAiF;AAejF,IAAM,eAAe,OAAO,QAAmC,WAAqC;AAClG,QAAM,WAAgB,IAAI,IAAI,MAAM;AACpC,QAAM,aAAS,iCAAmB,QAAQ;AAE1C,SAAO,OAAO,MAAM;AAEtB;AAGA,IAAM,sBAAsB,OAC1B,OACA,YACyE;AACzE,QAAM,EAAE,MAAM,eAAe,OAAO,IAAI,cAAc,KAAK;AAE3D,MAAI,QAAQ;AACV,UAAM,OAAO,CAAC;AAAA,EAChB;AAEA,QAAM,EAAE,OAAO,IAAI;AACnB,QAAM,EAAE,IAAI,IAAI;AAEhB,MAAI,CAAC,KAAK;AACR,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,MAAI;AACF,UAAM,uBAAuB,MAAM,aAAa,QAAQ,QAAQ,UAAU,EAAE;AAE5E,WAAO,MAAM,kBAAkB,OAAO,EAAE,GAAG,SAAS,KAAK,qBAAqB,CAAC;AAAA,EACjF,SAAS,OAAO;AACd,QAAI,iBAAiB,wBAAwB;AAC3C,aAAO,EAAE,QAAQ,CAAC,KAAK,EAAE;AAAA,IAC3B;AACA,WAAO;AAAA,MACL,QAAQ,CAAC,KAA+B;AAAA,IAC1C;AAAA,EACF;AACF;AAEO,IAAM,wBAAN,MAA4B;AAAA,EACjC,YAA6B,YAAwB;AAAxB;AAAA,EAA0B;AAAA,EAEhD,cAAc,OACnB,OACA,WACA,YACkC;AAClC,UAAM,EAAE,MAAM,OAAO,IAAI,MAAM,oBAAoB,OAAO,OAAO;AACjE,QAAI,QAAQ;AACV,YAAM,OAAO,CAAC;AAAA,IAChB;AAEA,WAAO;AAAA,EACT;AACF;;;AxBlEA,IAAM,WAAW;AAEjB,IAAM,WAAN,MAAe;AAAA,EACM;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,YAAwB,UAAmB,YAAsB;AACzE,SAAK,SAAS,IAAI,YAAY,UAAU;AACxC,SAAK,iBAAiB,IAAI;AAAA,MACtB,2BAA2B,YAAY,QAAQ;AAAA,IACnD;AACA,SAAK,wBAAwB,IAAI,sBAAsB,UAAU;AACjE,SAAK,aAAa;AAAA,EACtB;AAAA,EAEO,cAAc,CAAC,WAAmB,OAAe,YAA2D;AAC/G,WAAO,KAAK,eACP,kBAAkB,OAAO,OAAO,EAChC,KAAK,CAAC,gBAAgB;AACnB,aAAO,KAAK,OAAO,cAAc,EAAE,aAAa,WAAW,MAAM,CAAC;AAAA,IACtE,CAAC;AAAA,EACT;AAAA,EAEO,cAAc,OAAO,eAAuB,WAAmB,YAAyE;AAC3I,WAAO,KAAK,sBACP,YAAY,eAAe,WAAW,EAAE,QAAQ,UAAU,GAAG,QAAQ,CAAC,EACtE,KAAK,CAAC,iBAAiB;AACpB,aAAO;AAAA,QACH,OAAO,aAAa;AAAA,QACpB,OAAO;AAAA,MACX;AAAA,IACJ,CAAC;AAAA,EAET;AAEJ;AAGA,SAAS,YAAY,gBAAgC,UAAmB,YAAgC;AACpG,SAAO,IAAI,SAAS,IAAI,sBAAsB,cAAc,GAAG,UAAU,UAAU;AACvF;","names":["import_jose","import_jose","getPublicKey","import_jose","import_jose","ternDecodeJwt","import_app_check","admin","import_jose"]}
package/dist/app-check/index.mjs ADDED
@@ -0,0 +1,13 @@
1
+ import {
2
+ AppCheck,
3
+ ServerAppCheckManager,
4
+ getAppCheck
5
+ } from "../chunk-IEJQ7F4A.mjs";
6
+ import "../chunk-3OGMNIOJ.mjs";
7
+ import "../chunk-TUYCJY35.mjs";
8
+ export {
9
+ AppCheck,
10
+ ServerAppCheckManager,
11
+ getAppCheck
12
+ };
13
+ //# sourceMappingURL=index.mjs.map
package/dist/app-check/index.mjs.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}
package/dist/app-check/serverAppCheck.d.ts ADDED
@@ -0,0 +1,33 @@
1
+ import type { AppCheckOptions } from '../adapters/types';
2
+ export declare class ServerAppCheckManager {
3
+ private static instances;
4
+ private memoryCache;
5
+ private redisClient;
6
+ private readonly options;
7
+ private pendingTokens;
8
+ private constructor();
9
+ private initializeRedis;
10
+ static getInstance(options?: AppCheckOptions): ServerAppCheckManager;
11
+ private buildCacheKey;
12
+ private getCachedToken;
13
+ private setCachedToken;
14
+ getOrGenerateToken: (appId: string) => Promise<string | null>;
15
+ /**
16
+ * Generate and cache a new token
17
+ */
18
+ private generateAndCacheToken;
19
+ clearCache: (appId?: string) => Promise<void>;
20
+ getCacheStats(): {
21
+ strategy: string;
22
+ memorySize: number;
23
+ entries: Array<{
24
+ appId: string;
25
+ expiresIn: number;
26
+ }>;
27
+ };
28
+ /**
29
+ * Close Redis connection
30
+ */
31
+ disconnect(): void;
32
+ }
33
+ //# sourceMappingURL=serverAppCheck.d.ts.map
package/dist/app-check/serverAppCheck.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"serverAppCheck.d.ts","sourceRoot":"","sources":["../../src/app-check/serverAppCheck.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAkBzD,qBAAa,qBAAqB;IAChC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAiD;IACzE,OAAO,CAAC,WAAW,CAAuC;IAC1D,OAAO,CAAC,WAAW,CAA4B;IAC/C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAGtB;IACF,OAAO,CAAC,aAAa,CAAkD;IAEvE,OAAO;IAgBP,OAAO,CAAC,eAAe,CAgBtB;WAEa,WAAW,CAAC,OAAO,CAAC,EAAE,eAAe,GAAG,qBAAqB;IAe3E,OAAO,CAAC,aAAa;IAKrB,OAAO,CAAC,cAAc,CAoCrB;IAGD,OAAO,CAAC,cAAc,CAuBrB;IAED,kBAAkB,GAAU,OAAO,MAAM,KAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAsBjE;IAED;;OAEG;IACH,OAAO,CAAC,qBAAqB,CAgB5B;IAED,UAAU,GAAU,QAAQ,MAAM,KAAG,OAAO,CAAC,IAAI,CAAC,CAiBjD;IAED,aAAa,IAAI;QACf,QAAQ,EAAE,MAAM,CAAC;QACjB,UAAU,EAAE,MAAM,CAAC;QACnB,OAAO,EAAE,KAAK,CAAC;YAAE,KAAK,EAAE,MAAM,CAAC;YAAC,SAAS,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;KACrD;IAcD;;OAEG;IACH,UAAU,IAAI,IAAI;CAKnB"}
package/dist/app-check/types.d.ts ADDED
@@ -0,0 +1,21 @@
1
+ export interface AppCheckTokenOptions {
2
+ ttlMillis?: number;
3
+ }
4
+ export interface AppCheckToken {
5
+ token: string;
6
+ ttl: string;
7
+ }
8
+ export type AppCheckParams = {
9
+ accessToken?: string;
10
+ projectId: string;
11
+ appId: string;
12
+ customToken: string;
13
+ limitedUse?: boolean;
14
+ };
15
+ export interface VerifyOptions {
16
+ currentDate?: Date;
17
+ checkRevoked?: boolean;
18
+ referer?: string;
19
+ experimental_enableTokenRefreshOnExpiredKidHeader?: boolean;
20
+ }
21
+ //# sourceMappingURL=types.d.ts.map
package/dist/app-check/types.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/app-check/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,oBAAoB;IACjC,SAAS,CAAC,EAAE,MAAM,CAAC;CACtB;AAGD,MAAM,WAAW,aAAa;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;CACf;AAED,MAAM,MAAM,cAAc,GAAG;IACzB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;CACxB,CAAA;AAGD,MAAM,WAAW,aAAa;IAC1B,WAAW,CAAC,EAAE,IAAI,CAAC;IACnB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,iDAAiD,CAAC,EAAE,OAAO,CAAC;CAC/D"}
package/dist/app-check/verifier.d.ts ADDED
@@ -0,0 +1,16 @@
1
+ import type { DecodedAppCheckToken } from '@tern-secure/types';
2
+ import type { Credential } from '../auth';
3
+ import { type VerifyJwtOptions } from '../jwt/verifyJwt';
4
+ import type { LoadJWKFromRemoteOptions } from '../tokens/keys';
5
+ export type VerifyAppcheckOptions = Omit<VerifyJwtOptions, 'key'> & Omit<LoadJWKFromRemoteOptions, 'kid'> & {
6
+ currentDate?: Date;
7
+ checkRevoked?: boolean;
8
+ referer?: string;
9
+ experimental_enableTokenRefreshOnExpiredKidHeader?: boolean;
10
+ };
11
+ export declare class AppcheckTokenVerifier {
12
+ private readonly credential;
13
+ constructor(credential: Credential);
14
+ verifyToken: (token: string, projectId: string, options: VerifyAppcheckOptions) => Promise<DecodedAppCheckToken>;
15
+ }
16
+ //# sourceMappingURL=verifier.d.ts.map
package/dist/app-check/verifier.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../src/app-check/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAG/D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAE1C,OAAO,EAAoC,KAAK,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAC3F,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAG/D,MAAM,MAAM,qBAAqB,GAAG,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC,GAAG,IAAI,CAAC,wBAAwB,EAAE,KAAK,CAAC,GAAG;IAC1G,WAAW,CAAC,EAAE,IAAI,CAAC;IACnB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,iDAAiD,CAAC,EAAE,OAAO,CAAC;CAC7D,CAAC;AAiDF,qBAAa,qBAAqB;IACpB,OAAO,CAAC,QAAQ,CAAC,UAAU;gBAAV,UAAU,EAAE,UAAU;IAE5C,WAAW,GAChB,OAAO,MAAM,EACb,WAAW,MAAM,EACjB,SAAS,qBAAqB,KAC7B,OAAO,CAAC,oBAAoB,CAAC,CAO9B;CACH"}
package/dist/auth/credential.d.ts CHANGED
@@ -11,13 +11,13 @@ export interface FirebaseAccessToken {
11
11
  accessToken: string;
12
12
  expirationTime: number;
13
13
  }
14
- export interface ServiceAccountCredential {
14
+ export interface Credential {
15
15
  getAccessToken: (refresh?: boolean) => Promise<FirebaseAccessToken>;
16
16
  }
17
- export declare class ServiceAccountTokenManager implements ServiceAccountCredential {
18
- private readonly projectId;
19
- private readonly privateKey;
20
- private readonly clientEmail;
17
+ export declare class ServiceAccountManager implements Credential {
18
+ readonly projectId: string;
19
+ readonly privateKey: string;
20
+ readonly clientEmail: string;
21
21
  constructor(serviceAccount: ServiceAccount);
22
22
  private fetchAccessToken;
23
23
  private fetchAndCacheAccessToken;
package/dist/auth/credential.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"credential.d.ts","sourceRoot":"","sources":["../../src/auth/credential.ts"],"names":[],"mappings":"AAaA,MAAM,WAAW,sBAAsB;IACnC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,cAAc;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,mBAAmB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;CAC1B;AAID,MAAM,WAAW,wBAAwB;IACrC,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;CACvE;AAeD,qBAAa,0BAA2B,YAAW,wBAAwB;IACvE,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;gBAEzB,cAAc,EAAE,cAAc;IAM1C,OAAO,CAAC,gBAAgB,CAgBvB;IAED,OAAO,CAAC,wBAAwB,CAI/B;IAEM,cAAc,GAAU,UAAU,OAAO,KAAG,OAAO,CAAC,mBAAmB,CAAC,CAc9E;IAED,OAAO,CAAC,SAAS,CAsBhB;CACJ"}
1
+ {"version":3,"file":"credential.d.ts","sourceRoot":"","sources":["../../src/auth/credential.ts"],"names":[],"mappings":"AAaA,MAAM,WAAW,sBAAsB;IACnC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,cAAc;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,mBAAmB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;CAC1B;AAID,MAAM,WAAW,UAAU;IACvB,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;CACvE;AAeD,qBAAa,qBAAsB,YAAW,UAAU;IACpD,SAAgB,SAAS,EAAE,MAAM,CAAC;IAClC,SAAgB,UAAU,EAAE,MAAM,CAAC;IACnC,SAAgB,WAAW,EAAE,MAAM,CAAC;gBAExB,cAAc,EAAE,cAAc;IAM1C,OAAO,CAAC,gBAAgB,CAgBvB;IAED,OAAO,CAAC,wBAAwB,CAI/B;IAEM,cAAc,GAAU,UAAU,OAAO,KAAG,OAAO,CAAC,mBAAmB,CAAC,CAc9E;IAED,OAAO,CAAC,SAAS,CAsBhB;CACJ"}
package/dist/auth/getauth.d.ts CHANGED
@@ -26,7 +26,8 @@ export declare function getAuth(options: AuthenticateRequestOptions): {
26
26
  customForIdAndRefreshToken: (customToken: string, opts: CustomForIdAndRefreshTokenOptions) => Promise<IdAndRefreshTokens>;
27
27
  createCustomIdAndRefreshToken: (idToken: string, opts: CustomForIdAndRefreshTokenOptions) => Promise<CustomTokens>;
28
28
  refreshExpiredIdToken: (refreshToken: string, opts: CustomForIdAndRefreshTokenOptions) => Promise<AuthResult>;
29
- exchangeAppCheckToken: (idToken: string) => Promise<AuthResult>;
29
+ createAppCheckToken: () => Promise<AuthResult>;
30
+ verifyAppCheckToken: (token: string) => Promise<AuthResult>;
30
31
  };
31
32
  export {};
32
33
  //# sourceMappingURL=getauth.d.ts.map
package/dist/auth/getauth.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"getauth.d.ts","sourceRoot":"","sources":["../../src/auth/getauth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,0BAA0B,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAItF,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,UAAU,iCAAiC;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAUD,KAAK,UAAU,CAAC,CAAC,GAAG,GAAG,IAAI;IAAE,IAAI,EAAE,CAAC,CAAC;IAAC,KAAK,EAAE,IAAI,CAAA;CAAE,GAAG;IAAE,IAAI,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,GAAG,CAAA;CAAE,CAAC;AAgBjF,wBAAgB,OAAO,CAAC,OAAO,EAAE,0BAA0B;4BAkBpB,MAAM,YAAY,MAAM,KAAG,OAAO,CAAC,kBAAkB,CAAC;8CAgD5E,MAAM,QACb,iCAAiC,KACtC,OAAO,CAAC,kBAAkB,CAAC;6CA2BnB,MAAM,QACT,iCAAiC,KACtC,OAAO,CAAC,YAAY,CAAC;0CA7DR,MAAM,QACd,iCAAiC,KACtC,OAAO,CAAC,UAAU,CAAC;qCAgGwB,MAAM,KAAG,OAAO,CAAC,UAAU,CAAC;EAgE3E"}
1
+ {"version":3,"file":"getauth.d.ts","sourceRoot":"","sources":["../../src/auth/getauth.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,0BAA0B,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAItF,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,UAAU,iCAAiC;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAUD,KAAK,UAAU,CAAC,CAAC,GAAG,GAAG,IAAI;IAAE,IAAI,EAAE,CAAC,CAAC;IAAC,KAAK,EAAE,IAAI,CAAA;CAAE,GAAG;IAAE,IAAI,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,GAAG,CAAA;CAAE,CAAC;AAgBjF,wBAAgB,OAAO,CAAC,OAAO,EAAE,0BAA0B;4BAKpB,MAAM,YAAY,MAAM,KAAG,OAAO,CAAC,kBAAkB,CAAC;8CAgD5E,MAAM,QACb,iCAAiC,KACtC,OAAO,CAAC,kBAAkB,CAAC;6CA2BnB,MAAM,QACT,iCAAiC,KACtC,OAAO,CAAC,YAAY,CAAC;0CA7DR,MAAM,QACd,iCAAiC,KACtC,OAAO,CAAC,UAAU,CAAC;+BAgGgB,OAAO,CAAC,UAAU,CAAC;iCAmBf,MAAM,KAAG,OAAO,CAAC,UAAU,CAAC;EAuBvE"}
package/dist/auth/index.d.ts CHANGED
@@ -1,2 +1,4 @@
1
1
  export * from './getauth';
2
+ export { ServiceAccountManager } from './credential';
3
+ export type { ServiceAccount, Credential } from './credential';
2
4
  //# sourceMappingURL=index.d.ts.map
package/dist/auth/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC;AAC1B,OAAO,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AAErD,YAAY,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC"}