@tern-secure/backend 1.2.0-canary.v20251127221555 → 1.2.0-canary.v20251202162458

package/dist/chunk-IEJQ7F4A.mjs

@@ -0,0 +1,778 @@
+import {
+  CACHE_CONTROL_REGEX,
+  DEFAULT_CACHE_DURATION,
+  FIREBASE_APP_CHECK_AUDIENCE,
+  GOOGLE_AUTH_TOKEN_HOST,
+  GOOGLE_AUTH_TOKEN_PATH,
+  GOOGLE_PUBLIC_KEYS_URL,
+  GOOGLE_TOKEN_AUDIENCE,
+  MAX_CACHE_LAST_UPDATED_AT_SECONDS,
+  ONE_DAY_IN_MILLIS,
+  ONE_HOUR_IN_SECONDS,
+  ONE_MINUTE_IN_MILLIS,
+  ONE_MINUTE_IN_SECONDS,
+  TOKEN_EXPIRY_THRESHOLD_MILLIS,
+  appCheckAdmin,
+  loadAdminConfig
+} from "./chunk-3OGMNIOJ.mjs";
+import {
+  IAMSigner,
+  ServiceAccountSigner,
+  TokenVerificationError,
+  TokenVerificationErrorReason,
+  createCustomToken,
+  fetchJson,
+  ternDecodeJwt,
+  ternSignJwt,
+  verifyAppCheckJwt,
+  verifyJwt
+} from "./chunk-TUYCJY35.mjs";
+
+// src/tokens/keys.ts
+var cache = {};
+var lastUpdatedAt = 0;
+var googleExpiresAt = 0;
+function getFromCache(kid) {
+  return cache[kid];
+}
+function getCacheValues() {
+  return Object.values(cache);
+}
+function setInCache(kid, certificate, shouldExpire = true) {
+  cache[kid] = certificate;
+  lastUpdatedAt = shouldExpire ? Date.now() : -1;
+}
+async function fetchPublicKeys(keyUrl) {
+  const url = new URL(keyUrl);
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new TokenVerificationError({
+      message: `Error loading public keys from ${url.href} with code=${response.status} `,
+      reason: TokenVerificationErrorReason.TokenInvalid
+    });
+  }
+  const data = await response.json();
+  const expiresAt = getExpiresAt(response);
+  return {
+    keys: data,
+    expiresAt
+  };
+}
+async function loadJWKFromRemote({
+  keyURL,
+  skipJwksCache,
+  kid
+}) {
+  const finalKeyURL = keyURL || GOOGLE_PUBLIC_KEYS_URL;
+  if (skipJwksCache || isCacheExpired() || !getFromCache(kid)) {
+    const { keys, expiresAt } = await fetchPublicKeys(finalKeyURL);
+    if (!keys || Object.keys(keys).length === 0) {
+      throw new TokenVerificationError({
+        message: `The JWKS endpoint ${finalKeyURL} returned no keys`,
+        reason: TokenVerificationErrorReason.RemoteJWKFailedToLoad
+      });
+    }
+    googleExpiresAt = expiresAt;
+    Object.entries(keys).forEach(([keyId, cert2]) => {
+      setInCache(keyId, cert2);
+    });
+  }
+  const cert = getFromCache(kid);
+  if (!cert) {
+    getCacheValues();
+    const availableKids = Object.keys(cache).sort().join(", ");
+    throw new TokenVerificationError({
+      message: `No public key found for kid "${kid}". Available kids: [${availableKids}]`,
+      reason: TokenVerificationErrorReason.TokenInvalid
+    });
+  }
+  return cert;
+}
+function isCacheExpired() {
+  const now = Date.now();
+  if (lastUpdatedAt === -1) {
+    return false;
+  }
+  const cacheAge = now - lastUpdatedAt;
+  const maxCacheAge = MAX_CACHE_LAST_UPDATED_AT_SECONDS * 1e3;
+  const localCacheExpired = cacheAge >= maxCacheAge;
+  const googleCacheExpired = now >= googleExpiresAt;
+  const isExpired = localCacheExpired || googleCacheExpired;
+  if (isExpired) {
+    cache = {};
+  }
+  return isExpired;
+}
+function getExpiresAt(res) {
+  const cacheControlHeader = res.headers.get("cache-control");
+  if (!cacheControlHeader) {
+    return Date.now() + DEFAULT_CACHE_DURATION;
+  }
+  const maxAgeMatch = cacheControlHeader.match(CACHE_CONTROL_REGEX);
+  const maxAge = maxAgeMatch ? parseInt(maxAgeMatch[1], 10) : DEFAULT_CACHE_DURATION / 1e3;
+  return Date.now() + maxAge * 1e3;
+}
+
+// src/tokens/verify.ts
+async function verifyToken(token, options) {
+  const { data: decodedResult, errors } = ternDecodeJwt(token);
+  if (errors) {
+    return { errors };
+  }
+  const { header } = decodedResult;
+  const { kid } = header;
+  if (!kid) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalid,
+          message: 'JWT "kid" header is missing.'
+        })
+      ]
+    };
+  }
+  try {
+    const key = options.jwtKey || await loadJWKFromRemote({ ...options, kid });
+    if (!key) {
+      return {
+        errors: [
+          new TokenVerificationError({
+            reason: TokenVerificationErrorReason.TokenInvalid,
+            message: `No public key found for kid "${kid}".`
+          })
+        ]
+      };
+    }
+    return await verifyJwt(token, { ...options, key });
+  } catch (error) {
+    if (error instanceof TokenVerificationError) {
+      return { errors: [error] };
+    }
+    return {
+      errors: [error]
+    };
+  }
+}
+
+// src/auth/getauth.ts
+var API_KEY_ERROR = "API Key is required";
+var NO_DATA_ERROR = "No token data received";
+function parseFirebaseResponse(data) {
+  if (typeof data === "string") {
+    try {
+      return JSON.parse(data);
+    } catch (error) {
+      throw new Error(`Failed to parse Firebase response: ${error}`);
+    }
+  }
+  return data;
+}
+function getAuth(options) {
+  const { apiKey } = options;
+  const effectiveApiKey = apiKey || process.env.NEXT_PUBLIC_FIREBASE_API_KEY;
+  async function getUserData(idToken, localId) {
+    if (!effectiveApiKey) {
+      throw new Error(API_KEY_ERROR);
+    }
+    const response = await options.apiClient?.userData.getUserData(effectiveApiKey, {
+      idToken,
+      localId
+    });
+    if (!response?.data) {
+      throw new Error(NO_DATA_ERROR);
+    }
+    const parsedData = parseFirebaseResponse(response.data);
+    return parsedData;
+  }
+  async function refreshExpiredIdToken(refreshToken, opts) {
+    if (!effectiveApiKey) {
+      return { data: null, error: new Error(API_KEY_ERROR) };
+    }
+    const response = await options.apiClient?.tokens.refreshToken(effectiveApiKey, {
+      refresh_token: refreshToken,
+      request_origin: opts.referer
+    });
+    if (!response?.data) {
+      return {
+        data: null,
+        error: new Error(NO_DATA_ERROR)
+      };
+    }
+    const parsedData = parseFirebaseResponse(response.data);
+    return {
+      data: {
+        idToken: parsedData.id_token,
+        refreshToken: parsedData.refresh_token
+      },
+      error: null
+    };
+  }
+  async function customForIdAndRefreshToken(customToken, opts) {
+    if (!effectiveApiKey) {
+      throw new Error("API Key is required to create custom token");
+    }
+    const data = await options.apiClient?.tokens.exchangeCustomForIdAndRefreshTokens(
+      effectiveApiKey,
+      {
+        token: customToken,
+        returnSecureToken: true
+      },
+      {
+        referer: opts.referer,
+        appCheckToken: opts.appCheckToken
+      }
+    );
+    if (!data) {
+      throw new Error("No data received from Firebase token exchange");
+    }
+    return {
+      idToken: data.idToken,
+      refreshToken: data.refreshToken
+    };
+  }
+  async function createCustomIdAndRefreshToken(idToken, opts) {
+    const decoded = await verifyToken(idToken, options);
+    const { data, errors } = decoded;
+    if (errors) {
+      throw errors[0];
+    }
+    const customToken = await createCustomToken(data.uid, {
+      emailVerified: data.email_verified,
+      source_sign_in_provider: data.firebase.sign_in_provider
+    });
+    const idAndRefreshTokens = await customForIdAndRefreshToken(customToken, {
+      referer: opts.referer,
+      appCheckToken: opts.appCheckToken
+    });
+    const decodedCustomIdToken = await verifyToken(idAndRefreshTokens.idToken, options);
+    if (decodedCustomIdToken.errors) {
+      throw decodedCustomIdToken.errors[0];
+    }
+    return {
+      ...idAndRefreshTokens,
+      customToken,
+      auth_time: decodedCustomIdToken.data.auth_time
+    };
+  }
+  async function createAppCheckToken() {
+    const adminConfig = loadAdminConfig();
+    const appId = process.env.NEXT_PUBLIC_FIREBASE_APP_ID || "";
+    const appCheck = getAppCheck(adminConfig, options.tenantId);
+    try {
+      const appCheckResponse = await appCheck.createToken(adminConfig.projectId, appId);
+      return {
+        data: {
+          token: appCheckResponse.token,
+          ttl: appCheckResponse.ttl
+        },
+        error: null
+      };
+    } catch (error) {
+      return { data: null, error };
+    }
+  }
+  async function verifyAppCheckToken2(token) {
+    const adminConfig = loadAdminConfig();
+    const appCheck = getAppCheck(adminConfig, options.tenantId);
+    try {
+      const decodedToken = await appCheck.verifyToken(token, adminConfig.projectId, {});
+      return {
+        data: decodedToken,
+        error: null
+      };
+    } catch (error) {
+      return { data: null, error };
+    }
+  }
+  return {
+    getUserData,
+    customForIdAndRefreshToken,
+    createCustomIdAndRefreshToken,
+    refreshExpiredIdToken,
+    createAppCheckToken,
+    verifyAppCheckToken: verifyAppCheckToken2
+  };
+}
+
+// src/auth/credential.ts
+var accessTokenCache = /* @__PURE__ */ new Map();
+async function requestAccessToken(urlString, init) {
+  const json = await fetchJson(urlString, init);
+  if (!json.access_token || !json.expires_in) {
+    throw new Error("Invalid access token response");
+  }
+  return {
+    accessToken: json.access_token,
+    expirationTime: Date.now() + json.expires_in * 1e3
+  };
+}
+var ServiceAccountManager = class {
+  projectId;
+  privateKey;
+  clientEmail;
+  constructor(serviceAccount) {
+    this.projectId = serviceAccount.projectId;
+    this.privateKey = serviceAccount.privateKey;
+    this.clientEmail = serviceAccount.clientEmail;
+  }
+  fetchAccessToken = async (url) => {
+    const token = await this.createJwt();
+    const postData = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" + token;
+    return requestAccessToken(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Authorization: `Bearer ${token}`,
+        Accept: "application/json"
+      },
+      body: postData
+    });
+  };
+  fetchAndCacheAccessToken = async (url) => {
+    const accessToken = await this.fetchAccessToken(url);
+    accessTokenCache.set(this.projectId, accessToken);
+    return accessToken;
+  };
+  getAccessToken = async (refresh) => {
+    const url = `https://${GOOGLE_AUTH_TOKEN_HOST}${GOOGLE_AUTH_TOKEN_PATH}`;
+    if (refresh) {
+      return this.fetchAndCacheAccessToken(url);
+    }
+    const cachedResponse = accessTokenCache.get(this.projectId);
+    if (!cachedResponse || cachedResponse.expirationTime - Date.now() <= TOKEN_EXPIRY_THRESHOLD_MILLIS) {
+      return this.fetchAndCacheAccessToken(url);
+    }
+    return cachedResponse;
+  };
+  createJwt = async () => {
+    const iat = Math.floor(Date.now() / 1e3);
+    const payload = {
+      aud: GOOGLE_TOKEN_AUDIENCE,
+      iat,
+      exp: iat + ONE_HOUR_IN_SECONDS,
+      iss: this.clientEmail,
+      sub: this.clientEmail,
+      scope: [
+        "https://www.googleapis.com/auth/cloud-platform",
+        "https://www.googleapis.com/auth/firebase.database",
+        "https://www.googleapis.com/auth/firebase.messaging",
+        "https://www.googleapis.com/auth/identitytoolkit",
+        "https://www.googleapis.com/auth/userinfo.email"
+      ].join(" ")
+    };
+    return ternSignJwt({
+      payload,
+      privateKey: this.privateKey
+    });
+  };
+};
+
+// src/utils/token-generator.ts
+function cryptoSignerFromCredential(credential, tenantId, serviceAccountId) {
+  if (credential instanceof ServiceAccountManager) {
+    return new ServiceAccountSigner(credential, tenantId);
+  }
+  return new IAMSigner(credential, tenantId, serviceAccountId);
+}
+
+// src/app-check/AppCheckApi.ts
+function getSdkVersion() {
+  return "12.7.0";
+}
+var FIREBASE_APP_CHECK_CONFIG_HEADERS = {
+  "X-Firebase-Client": `fire-admin-node/${getSdkVersion()}`
+};
+var AppCheckApi = class {
+  constructor(credential) {
+    this.credential = credential;
+  }
+  async exchangeToken(params) {
+    const { projectId, appId, customToken, limitedUse = false } = params;
+    const token = await this.credential.getAccessToken(false);
+    if (!projectId || !appId) {
+      throw new Error("Project ID and App ID are required for App Check token exchange");
+    }
+    const endpoint = `https://firebaseappcheck.googleapis.com/v1/projects/${projectId}/apps/${appId}:exchangeCustomToken`;
+    const headers = {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${token.accessToken}`
+    };
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers,
+        body: JSON.stringify({ customToken, limitedUse })
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      return {
+        token: data.token,
+        ttl: data.ttl
+      };
+    } catch (error) {
+      console.warn("[ternsecure - appcheck api]unexpected error:", error);
+      throw error;
+    }
+  }
+  async exchangeDebugToken(params) {
+    const { projectId, appId, customToken, accessToken, limitedUse = false } = params;
+    if (!projectId || !appId) {
+      throw new Error("Project ID and App ID are required for App Check token exchange");
+    }
+    const endpoint = `https://firebaseappcheck.googleapis.com/v1beta/projects/${projectId}/apps/${appId}:exchangeDebugToken`;
+    const headers = {
+      ...FIREBASE_APP_CHECK_CONFIG_HEADERS,
+      "Authorization": `Bearer ${accessToken}`
+    };
+    const body = {
+      customToken,
+      limitedUse
+    };
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(body)
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      return {
+        token: data.token,
+        ttl: data.ttl
+      };
+    } catch (error) {
+      console.warn("[ternsecure - appcheck api]unexpected error:", error);
+      throw error;
+    }
+  }
+};
+
+// src/app-check/generator.ts
+function transformMillisecondsToSecondsString(milliseconds) {
+  let duration;
+  const seconds = Math.floor(milliseconds / 1e3);
+  const nanos = Math.floor((milliseconds - seconds * 1e3) * 1e6);
+  if (nanos > 0) {
+    let nanoString = nanos.toString();
+    while (nanoString.length < 9) {
+      nanoString = "0" + nanoString;
+    }
+    duration = `${seconds}.${nanoString}s`;
+  } else {
+    duration = `${seconds}s`;
+  }
+  return duration;
+}
+var AppCheckTokenGenerator = class {
+  signer;
+  constructor(signer) {
+    this.signer = signer;
+  }
+  async createCustomToken(appId, options) {
+    if (!appId) {
+      throw new Error(
+        "appId is invalid"
+      );
+    }
+    let customOptions = {};
+    if (typeof options !== "undefined") {
+      customOptions = this.validateTokenOptions(options);
+    }
+    const account = await this.signer.getAccountId();
+    const iat = Math.floor(Date.now() / 1e3);
+    const body = {
+      iss: account,
+      sub: account,
+      app_id: appId,
+      aud: FIREBASE_APP_CHECK_AUDIENCE,
+      exp: iat + ONE_MINUTE_IN_SECONDS * 5,
+      iat,
+      ...customOptions
+    };
+    return this.signer.sign(body);
+  }
+  validateTokenOptions(options) {
+    if (typeof options.ttlMillis !== "undefined") {
+      if (options.ttlMillis < ONE_MINUTE_IN_MILLIS * 30 || options.ttlMillis > ONE_DAY_IN_MILLIS * 7) {
+        throw new Error(
+          "ttlMillis must be a duration in milliseconds between 30 minutes and 7 days (inclusive)."
+        );
+      }
+      return { ttl: transformMillisecondsToSecondsString(options.ttlMillis) };
+    }
+    return {};
+  }
+};
+
+// src/app-check/serverAppCheck.ts
+import { Redis } from "@upstash/redis";
+var ServerAppCheckManager = class _ServerAppCheckManager {
+  static instances = /* @__PURE__ */ new Map();
+  memoryCache = /* @__PURE__ */ new Map();
+  redisClient = null;
+  options;
+  pendingTokens = /* @__PURE__ */ new Map();
+  constructor(options) {
+    const defaultOptions = {
+      strategy: "memory",
+      ttlMillis: 36e5,
+      // 1 hour
+      refreshBufferMillis: 3e5,
+      // 5 minutes
+      keyPrefix: "appcheck:token:",
+      skipInMemoryFirst: false
+    };
+    this.options = { ...defaultOptions, ...options };
+    if (this.options.strategy === "redis" && this.options.redis) {
+      void this.initializeRedis(this.options.redis);
+    }
+  }
+  initializeRedis = (config) => {
+    if (!config) {
+      throw new Error('[AppCheck] Redis configuration is required when strategy is "redis"');
+    }
+    try {
+      this.redisClient = new Redis({
+        url: config.url,
+        token: config.token
+      });
+      console.info("[AppCheck] Redis client initialized for token caching");
+    } catch (error) {
+      console.error("[AppCheck] Failed to initialize Redis client:", error);
+      throw new Error('[AppCheck] Redis initialization failed. Install "@upstash/redis" package.');
+    }
+  };
+  static getInstance(options) {
+    const key = options?.strategy || "memory";
+    if (!_ServerAppCheckManager.instances.has(key)) {
+      _ServerAppCheckManager.instances.set(key, new _ServerAppCheckManager(options));
+    }
+    const instance = _ServerAppCheckManager.instances.get(key);
+    if (!instance) {
+      throw new Error("[AppCheck] Failed to get instance");
+    }
+    return instance;
+  }
+  buildCacheKey(appId) {
+    return `${this.options.keyPrefix}${appId}`;
+  }
+  getCachedToken = async (appId) => {
+    if (this.options.strategy === "memory") {
+      return this.memoryCache.get(appId) || null;
+    }
+    if (this.options.strategy === "redis") {
+      if (!this.options.skipInMemoryFirst) {
+        const memCached = this.memoryCache.get(appId);
+        if (memCached) {
+          return memCached;
+        }
+      }
+      if (this.redisClient) {
+        try {
+          const key = this.buildCacheKey(appId);
+          const cached = await this.redisClient.get(key);
+          if (cached) {
+            const parsed = typeof cached === "string" ? JSON.parse(cached) : cached;
+            if (!this.options.skipInMemoryFirst) {
+              this.memoryCache.set(appId, parsed);
+            }
+            return parsed;
+          }
+        } catch (error) {
+          console.error("[AppCheck] Redis get error:", error);
+        }
+      }
+    }
+    return null;
+  };
+  setCachedToken = async (appId, token, expiresAt) => {
+    const cachedToken = { token, expiresAt };
+    this.memoryCache.set(appId, cachedToken);
+    if (this.options.strategy === "memory") {
+      return;
+    }
+    if (this.options.strategy === "redis" && this.redisClient) {
+      try {
+        const key = this.buildCacheKey(appId);
+        const ttl = expiresAt - Date.now();
+        await this.redisClient.set(key, JSON.stringify(cachedToken), {
+          px: ttl
+          // Expiry in milliseconds (lowercase for Upstash)
+        });
+      } catch (error) {
+        console.error("[AppCheck] Redis set error:", error);
+      }
+    }
+  };
+  getOrGenerateToken = async (appId) => {
+    const cached = await this.getCachedToken(appId);
+    const now = Date.now();
+    if (cached && cached.expiresAt > now + this.options.refreshBufferMillis) {
+      return cached.token;
+    }
+    const pending = this.pendingTokens.get(appId);
+    if (pending) {
+      return pending;
+    }
+    const tokenPromise = this.generateAndCacheToken(appId);
+    this.pendingTokens.set(appId, tokenPromise);
+    try {
+      const token = await tokenPromise;
+      return token;
+    } finally {
+      this.pendingTokens.delete(appId);
+    }
+  };
+  /**
+   * Generate and cache a new token
+   */
+  generateAndCacheToken = async (appId) => {
+    try {
+      const now = Date.now();
+      const appCheckToken = await appCheckAdmin.createToken(appId, {
+        ttlMillis: this.options.ttlMillis
+      });
+      const expiresAt = now + this.options.ttlMillis;
+      await this.setCachedToken(appId, appCheckToken.token, expiresAt);
+      return appCheckToken.token;
+    } catch (error) {
+      console.error("[AppCheck] Failed to generate token:", error);
+      return null;
+    }
+  };
+  clearCache = async (appId) => {
+    if (appId) {
+      this.memoryCache.delete(appId);
+    } else {
+      this.memoryCache.clear();
+    }
+    if (this.options.strategy === "redis" && this.redisClient) {
+      try {
+        if (appId) {
+          const key = this.buildCacheKey(appId);
+          await this.redisClient.del(key);
+        }
+      } catch (error) {
+        console.error("[AppCheck] Redis delete error:", error);
+      }
+    }
+  };
+  getCacheStats() {
+    const now = Date.now();
+    const entries = Array.from(this.memoryCache.entries()).map(([appId, cached]) => ({
+      appId,
+      expiresIn: Math.max(0, cached.expiresAt - now)
+    }));
+    return {
+      strategy: this.options.strategy,
+      memorySize: this.memoryCache.size,
+      entries
+    };
+  }
+  /**
+   * Close Redis connection
+   */
+  disconnect() {
+    if (this.redisClient) {
+      this.redisClient = null;
+    }
+  }
+};
+
+// src/app-check/verifier.ts
+import { createRemoteJWKSet } from "jose";
+var getPublicKey = async (header, keyURL) => {
+  const jswksUrl = new URL(keyURL);
+  const getKey = createRemoteJWKSet(jswksUrl);
+  return getKey(header);
+};
+var verifyAppCheckToken = async (token, options) => {
+  const { data: decodedResult, errors } = ternDecodeJwt(token);
+  if (errors) {
+    throw errors[0];
+  }
+  const { header } = decodedResult;
+  const { kid } = header;
+  if (!kid) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalid,
+          message: 'JWT "kid" header is missing.'
+        })
+      ]
+    };
+  }
+  try {
+    const getPublicKeyForToken = () => getPublicKey(header, options.keyURL || "");
+    return await verifyAppCheckJwt(token, { ...options, key: getPublicKeyForToken });
+  } catch (error) {
+    if (error instanceof TokenVerificationError) {
+      return { errors: [error] };
+    }
+    return {
+      errors: [error]
+    };
+  }
+};
+var AppcheckTokenVerifier = class {
+  constructor(credential) {
+    this.credential = credential;
+  }
+  verifyToken = async (token, projectId, options) => {
+    const { data, errors } = await verifyAppCheckToken(token, options);
+    if (errors) {
+      throw errors[0];
+    }
+    return data;
+  };
+};
+
+// src/app-check/index.ts
+var JWKS_URL = "https://firebaseappcheck.googleapis.com/v1/jwks";
+var AppCheck = class {
+  client;
+  tokenGenerator;
+  appCheckTokenVerifier;
+  limitedUse;
+  constructor(credential, tenantId, limitedUse) {
+    this.client = new AppCheckApi(credential);
+    this.tokenGenerator = new AppCheckTokenGenerator(
+      cryptoSignerFromCredential(credential, tenantId)
+    );
+    this.appCheckTokenVerifier = new AppcheckTokenVerifier(credential);
+    this.limitedUse = limitedUse;
+  }
+  createToken = (projectId, appId, options) => {
+    return this.tokenGenerator.createCustomToken(appId, options).then((customToken) => {
+      return this.client.exchangeToken({ customToken, projectId, appId });
+    });
+  };
+  verifyToken = async (appCheckToken, projectId, options) => {
+    return this.appCheckTokenVerifier.verifyToken(appCheckToken, projectId, { keyURL: JWKS_URL, ...options }).then((decodedToken) => {
+      return {
+        appId: decodedToken.app_id,
+        token: decodedToken
+      };
+    });
+  };
+};
+function getAppCheck(serviceAccount, tenantId, limitedUse) {
+  return new AppCheck(new ServiceAccountManager(serviceAccount), tenantId, limitedUse);
+}
+
+export {
+  verifyToken,
+  ServerAppCheckManager,
+  AppCheck,
+  getAppCheck,
+  getAuth,
+  ServiceAccountManager
+};
+//# sourceMappingURL=chunk-IEJQ7F4A.mjs.map