@tern-secure/backend 1.2.0-canary.v20251127235234 → 1.2.0-canary.v20251202164451

package/dist/index.js

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,6 +17,14 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
@@ -28,6 +38,7 @@ __export(index_exports, {
   createAdapter: () => createAdapter,
   createBackendInstanceClient: () => createBackendInstanceClient,
   createRedirect: () => createRedirect,
+  createRequestProcessor: () => createRequestProcessor,
   createTernSecureRequest: () => createTernSecureRequest,
   disableDebugLogging: () => disableDebugLogging,
   enableDebugLogging: () => enableDebugLogging,
@@ -35,15 +46,25 @@ __export(index_exports, {
   signedIn: () => signedIn,
   signedInAuthObject: () => signedInAuthObject,
   signedOutAuthObject: () => signedOutAuthObject,
-  validateCheckRevokedOptions: () => validateCheckRevokedOptions
+  validateCheckRevokedOptions: () => validateCheckRevokedOptions,
+  verifyToken: () => verifyToken
 });
 module.exports = __toCommonJS(index_exports);
 
 // src/constants.ts
 var GOOGLE_PUBLIC_KEYS_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
+var FIREBASE_APP_CHECK_AUDIENCE = "https://firebaseappcheck.googleapis.com/google.firebase.appcheck.v1.TokenExchangeService";
 var MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;
 var DEFAULT_CACHE_DURATION = 3600 * 1e3;
 var CACHE_CONTROL_REGEX = /max-age=(\d+)/;
+var TOKEN_EXPIRY_THRESHOLD_MILLIS = 5 * 60 * 1e3;
+var GOOGLE_TOKEN_AUDIENCE = "https://accounts.google.com/o/oauth2/token";
+var GOOGLE_AUTH_TOKEN_HOST = "accounts.google.com";
+var GOOGLE_AUTH_TOKEN_PATH = "/o/oauth2/token";
+var ONE_HOUR_IN_SECONDS = 60 * 60;
+var ONE_MINUTE_IN_SECONDS = 60;
+var ONE_MINUTE_IN_MILLIS = ONE_MINUTE_IN_SECONDS * 1e3;
+var ONE_DAY_IN_MILLIS = 24 * 60 * 60 * 1e3;
 var Attributes = {
   AuthToken: "__ternsecureAuthToken",
   AuthSignature: "__ternsecureAuthSignature",
@@ -78,7 +99,7 @@ var QueryParameters = {
 };
 var Headers2 = {
   Accept: "accept",
-  AppCheckToken: "x-firebase-appcheck",
+  AppCheckToken: "x-ternsecure-appcheck",
   AuthMessage: "x-ternsecure-auth-message",
   Authorization: "authorization",
   AuthReason: "x-ternsecure-auth-reason",
@@ -238,12 +259,93 @@ var createTernSecureRequest = (...args) => {
   return args[0] instanceof TernSecureRequest ? args[0] : new TernSecureRequest(...args);
 };
 
+// src/tokens/c-authenticateRequestProcessor.ts
+var RequestProcessorContext = class {
+  constructor(ternSecureRequest, options) {
+    this.ternSecureRequest = ternSecureRequest;
+    this.options = options;
+    this.initHeaderValues();
+    this.initCookieValues();
+    this.initHandshakeValues();
+    this.initUrlValues();
+    Object.assign(this, options);
+    this.ternUrl = this.ternSecureRequest.ternUrl;
+  }
+  get request() {
+    return this.ternSecureRequest;
+  }
+  initHeaderValues() {
+    this.sessionTokenInHeader = this.parseAuthorizationHeader(
+      this.getHeader(constants.Headers.Authorization)
+    );
+    this.origin = this.getHeader(constants.Headers.Origin);
+    this.host = this.getHeader(constants.Headers.Host);
+    this.forwardedHost = this.getHeader(constants.Headers.ForwardedHost);
+    this.forwardedProto = this.getHeader(constants.Headers.CloudFrontForwardedProto) || this.getHeader(constants.Headers.ForwardedProto);
+    this.referrer = this.getHeader(constants.Headers.Referrer);
+    this.userAgent = this.getHeader(constants.Headers.UserAgent);
+    this.secFetchDest = this.getHeader(constants.Headers.SecFetchDest);
+    this.accept = this.getHeader(constants.Headers.Accept);
+    this.appCheckToken = this.getHeader(constants.Headers.AppCheckToken);
+  }
+  initCookieValues() {
+    const isProduction = process.env.NODE_ENV === "production";
+    const defaultPrefix = isProduction ? "__HOST-" : "__dev_";
+    this.sessionTokenInCookie = this.getCookie(constants.Cookies.Session);
+    this.idTokenInCookie = this.getCookie(`${defaultPrefix}${constants.Cookies.IdToken}`);
+    this.refreshTokenInCookie = this.getCookie(`${defaultPrefix}${constants.Cookies.Refresh}`);
+    this.csrfTokenInCookie = this.getCookie(constants.Cookies.CsrfToken);
+    this.customTokenInCookie = this.getCookie(constants.Cookies.Custom);
+    this.ternAuth = Number.parseInt(this.getCookie(constants.Cookies.TernAut) || "0", 10);
+  }
+  initHandshakeValues() {
+    this.handshakeToken = this.getQueryParam(constants.QueryParameters.Handshake) || this.getCookie(constants.Cookies.Handshake);
+    this.handshakeNonce = this.getQueryParam(constants.QueryParameters.HandshakeNonce) || this.getCookie(constants.Cookies.HandshakeNonce);
+  }
+  initUrlValues() {
+    this.method = this.ternSecureRequest.method;
+    this.pathSegments = this.ternSecureRequest.ternUrl.pathname.split("/").filter(Boolean);
+    this.endpoint = this.pathSegments[2];
+    this.subEndpoint = this.pathSegments[3];
+  }
+  getQueryParam(name) {
+    return this.ternSecureRequest.ternUrl.searchParams.get(name);
+  }
+  getHeader(name) {
+    return this.ternSecureRequest.headers.get(name) || void 0;
+  }
+  getCookie(name) {
+    return this.ternSecureRequest.cookies.get(name) || void 0;
+  }
+  parseAuthorizationHeader(authorizationHeader) {
+    if (!authorizationHeader) {
+      return void 0;
+    }
+    const [scheme, token] = authorizationHeader.split(" ", 2);
+    if (!token) {
+      return scheme;
+    }
+    if (scheme === "Bearer") {
+      return token;
+    }
+    return void 0;
+  }
+};
+var createRequestProcessor = (ternSecureRequest, options) => {
+  return new RequestProcessorContext(ternSecureRequest, options);
+};
+
 // src/utils/mapDecode.ts
 function mapJwtPayloadToDecodedIdToken(payload) {
   const decodedIdToken = payload;
   decodedIdToken.uid = decodedIdToken.sub;
   return decodedIdToken;
 }
+function mapJwtPayloadToDecodedAppCheckToken(payload) {
+  const decodedAppCheckToken = payload;
+  decodedAppCheckToken.app_id = decodedAppCheckToken.sub;
+  return decodedAppCheckToken;
+}
 
 // src/tokens/authstate.ts
 var AuthStatus = {
@@ -333,6 +435,7 @@ function signedOut(authCtx, reason, message = "", headers = new Headers()) {
     isSignedIn: false,
     auth: () => signedOutAuthObject(),
     token: null,
+    appCheckToken: authCtx.appCheckToken,
     headers
   });
 }
@@ -356,106 +459,596 @@ var decorateHeaders = (requestState) => {
     } catch {
     }
   }
+  if (requestState.appCheckToken) {
+    try {
+      headers.set(constants.Headers.AppCheckToken, requestState.appCheckToken);
+    } catch {
+    }
+  }
   requestState.headers = headers;
   return requestState;
 };
 
-// src/fireRestApi/endpoints/AbstractApi.ts
-var AbstractAPI = class {
-  constructor(request) {
-    this.request = request;
+// src/jwt/verifyJwt.ts
+var import_jose2 = require("jose");
+
+// src/utils/errors.ts
+var RefreshTokenErrorReason = {
+  NonEligibleNoCookie: "non-eligible-no-refresh-cookie",
+  NonEligibleNonGet: "non-eligible-non-get",
+  InvalidSessionToken: "invalid-session-token",
+  MissingApiClient: "missing-api-client",
+  MissingIdToken: "missing-id-token",
+  MissingSessionToken: "missing-session-token",
+  MissingRefreshToken: "missing-refresh-token",
+  ExpiredIdTokenDecodeFailed: "expired-id-token-decode-failed",
+  ExpiredSessionTokenDecodeFailed: "expired-session-token-decode-failed",
+  FetchError: "fetch-error"
+};
+var TokenVerificationErrorReason = {
+  TokenExpired: "token-expired",
+  TokenInvalid: "token-invalid",
+  TokenInvalidAlgorithm: "token-invalid-algorithm",
+  TokenInvalidAuthorizedParties: "token-invalid-authorized-parties",
+  TokenInvalidSignature: "token-invalid-signature",
+  TokenNotActiveYet: "token-not-active-yet",
+  TokenIatInTheFuture: "token-iat-in-the-future",
+  TokenVerificationFailed: "token-verification-failed",
+  InvalidSecretKey: "secret-key-invalid",
+  LocalJWKMissing: "jwk-local-missing",
+  RemoteJWKFailedToLoad: "jwk-remote-failed-to-load",
+  RemoteJWKInvalid: "jwk-remote-invalid",
+  RemoteJWKMissing: "jwk-remote-missing",
+  JWKFailedToResolve: "jwk-failed-to-resolve",
+  JWKKidMismatch: "jwk-kid-mismatch"
+};
+var TokenVerificationError = class _TokenVerificationError extends Error {
+  reason;
+  tokenCarrier;
+  constructor({
+    message,
+    reason
+  }) {
+    super(message);
+    Object.setPrototypeOf(this, _TokenVerificationError.prototype);
+    this.reason = reason;
+    this.message = message;
   }
-  requireApiKey(apiKey) {
-    if (!apiKey) {
-      throw new Error("A valid API key is required.");
-    }
+  getFullMessage() {
+    return `${[this.message].filter((m) => m).join(" ")} (reason=${this.reason}, token-carrier=${this.tokenCarrier})`;
   }
 };
 
-// src/fireRestApi/endpoints/AppCheckApi.ts
-function getSdkVersion() {
-  return "12.7.0";
-}
-var FIREBASE_APP_CHECK_CONFIG_HEADERS = {
-  "X-Firebase-Client": `fire-admin-node/${getSdkVersion()}`
+// src/utils/rfc4648.ts
+var base64url = {
+  parse(string, opts) {
+    return parse2(string, base64UrlEncoding, opts);
+  },
+  stringify(data, opts) {
+    return stringify(data, base64UrlEncoding, opts);
+  }
 };
-var AppCheckApi = class extends AbstractAPI {
-  async exchangeCustomToken(params) {
-    const { projectId, appId, customToken, accessToken, limitedUse = false } = params;
-    if (!projectId || !appId) {
-      throw new Error("Project ID and App ID are required for App Check token exchange");
+var base64UrlEncoding = {
+  chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_",
+  bits: 6
+};
+function parse2(string, encoding, opts = {}) {
+  if (!encoding.codes) {
+    encoding.codes = {};
+    for (let i = 0; i < encoding.chars.length; ++i) {
+      encoding.codes[encoding.chars[i]] = i;
     }
-    const endpoint = `https://firebaseappcheck.googleapis.com/v1beta/projects/${projectId}/apps/${appId}:exchangeCustomToken`;
-    const headers = {
-      "Content-Type": "application/json",
-      "Authorization": `Bearer ${accessToken}`
-    };
-    const body = {
-      customToken,
-      limitedUse
-    };
-    try {
-      const response = await fetch(endpoint, {
-        method: "POST",
-        headers,
-        body: JSON.stringify(body)
-      });
-      if (!response.ok) {
-        const errorText = await response.text();
-        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
-      }
-      const data = await response.json();
-      return {
-        token: data.token,
-        ttl: data.ttl
-      };
-    } catch (error) {
-      console.warn("[ternsecure - appcheck api]unexpected error:", error);
-      throw error;
+  }
+  if (!opts.loose && string.length * encoding.bits & 7) {
+    throw new SyntaxError("Invalid padding");
+  }
+  let end = string.length;
+  while (string[end - 1] === "=") {
+    --end;
+    if (!opts.loose && !((string.length - end) * encoding.bits & 7)) {
+      throw new SyntaxError("Invalid padding");
     }
   }
-  async exchangeDebugToken(params) {
-    const { projectId, appId, customToken, accessToken, limitedUse = false } = params;
-    if (!projectId || !appId) {
-      throw new Error("Project ID and App ID are required for App Check token exchange");
+  const out = new (opts.out ?? Uint8Array)(end * encoding.bits / 8 | 0);
+  let bits = 0;
+  let buffer = 0;
+  let written = 0;
+  for (let i = 0; i < end; ++i) {
+    const value = encoding.codes[string[i]];
+    if (value === void 0) {
+      throw new SyntaxError("Invalid character " + string[i]);
     }
-    const endpoint = `https://firebaseappcheck.googleapis.com/v1beta/projects/${projectId}/apps/${appId}:exchangeDebugToken`;
-    const headers = {
-      ...FIREBASE_APP_CHECK_CONFIG_HEADERS,
-      "Authorization": `Bearer ${accessToken}`
-    };
-    const body = {
-      customToken,
-      limitedUse
-    };
-    try {
-      const response = await fetch(endpoint, {
-        method: "POST",
-        headers,
-        body: JSON.stringify(body)
-      });
-      if (!response.ok) {
-        const errorText = await response.text();
-        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
-      }
-      const data = await response.json();
-      return {
-        token: data.token,
-        ttl: data.ttl
-      };
-    } catch (error) {
-      console.warn("[ternsecure - appcheck api]unexpected error:", error);
-      throw error;
+    buffer = buffer << encoding.bits | value;
+    bits += encoding.bits;
+    if (bits >= 8) {
+      bits -= 8;
+      out[written++] = 255 & buffer >> bits;
     }
   }
-};
-
-// src/fireRestApi/endpoints/EmailApi.ts
-var EmailApi = class extends AbstractAPI {
-  async verifyEmailVerification(apiKey, params) {
-    this.requireApiKey(apiKey);
-    const { ...restParams } = params;
-    return this.request({
+  if (bits >= encoding.bits || 255 & buffer << 8 - bits) {
+    throw new SyntaxError("Unexpected end of data");
+  }
+  return out;
+}
+function stringify(data, encoding, opts = {}) {
+  const { pad = true } = opts;
+  const mask = (1 << encoding.bits) - 1;
+  let out = "";
+  let bits = 0;
+  let buffer = 0;
+  for (let i = 0; i < data.length; ++i) {
+    buffer = buffer << 8 | 255 & data[i];
+    bits += 8;
+    while (bits > encoding.bits) {
+      bits -= encoding.bits;
+      out += encoding.chars[mask & buffer >> bits];
+    }
+  }
+  if (bits) {
+    out += encoding.chars[mask & buffer << encoding.bits - bits];
+  }
+  if (pad) {
+    while (out.length * encoding.bits & 7) {
+      out += "=";
+    }
+  }
+  return out;
+}
+
+// src/jwt/cryptoKeys.ts
+var import_jose = require("jose");
+async function importKey(key, algorithm) {
+  if (typeof key === "object") {
+    const result = await (0, import_jose.importJWK)(key, algorithm);
+    if (result instanceof Uint8Array) {
+      throw new Error("Unexpected Uint8Array result from JWK import");
+    }
+    return result;
+  }
+  const keyString = key.trim();
+  if (keyString.includes("-----BEGIN CERTIFICATE-----")) {
+    return await (0, import_jose.importX509)(keyString, algorithm);
+  }
+  if (keyString.includes("-----BEGIN PUBLIC KEY-----")) {
+    return await (0, import_jose.importSPKI)(keyString, algorithm);
+  }
+  try {
+    return await (0, import_jose.importSPKI)(keyString, algorithm);
+  } catch (error) {
+    throw new Error(
+      `Unsupported key format. Supported formats: X.509 certificate (PEM), SPKI (PEM), JWK (JSON object or string). Error: ${error}`
+    );
+  }
+}
+
+// src/jwt/algorithms.ts
+var algToHash = {
+  RS256: "SHA-256",
+  RS384: "SHA-384",
+  RS512: "SHA-512"
+};
+var algs = Object.keys(algToHash);
+
+// src/jwt/verifyContent.ts
+var verifyHeaderKid = (kid) => {
+  if (typeof kid === "undefined") {
+    return;
+  }
+  if (typeof kid !== "string") {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenInvalid,
+      message: `Invalid JWT kid ${JSON.stringify(kid)}. Expected a string.`
+    });
+  }
+};
+var verifySubClaim = (sub) => {
+  if (typeof sub !== "string") {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenVerificationFailed,
+      message: `Subject claim (sub) is required and must be a string. Received ${JSON.stringify(sub)}.`
+    });
+  }
+};
+var verifyExpirationClaim = (exp, clockSkewInMs) => {
+  if (typeof exp !== "number") {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenVerificationFailed,
+      message: `Invalid JWT expiry date (exp) claim ${JSON.stringify(exp)}. Expected a number.`
+    });
+  }
+  const currentDate = new Date(Date.now());
+  const expiryDate = /* @__PURE__ */ new Date(0);
+  expiryDate.setUTCSeconds(exp);
+  const expired = expiryDate.getTime() <= currentDate.getTime() - clockSkewInMs;
+  if (expired) {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenExpired,
+      message: `JWT is expired. Expiry date: ${expiryDate.toUTCString()}, Current date: ${currentDate.toUTCString()}.`
+    });
+  }
+};
+var verifyIssuedAtClaim = (iat, clockSkewInMs) => {
+  if (typeof iat === "undefined") {
+    return;
+  }
+  if (typeof iat !== "number") {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenVerificationFailed,
+      message: `Invalid JWT issued at date claim (iat) ${JSON.stringify(iat)}. Expected a number.`
+    });
+  }
+  const currentDate = new Date(Date.now());
+  const issuedAtDate = /* @__PURE__ */ new Date(0);
+  issuedAtDate.setUTCSeconds(iat);
+  const postIssued = issuedAtDate.getTime() > currentDate.getTime() + clockSkewInMs;
+  if (postIssued) {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenIatInTheFuture,
+      message: `JWT issued at date claim (iat) is in the future. Issued at date: ${issuedAtDate.toUTCString()}; Current date: ${currentDate.toUTCString()};`
+    });
+  }
+};
+
+// src/jwt/verifyJwt.ts
+var DEFAULT_CLOCK_SKEW_IN_MS = 5 * 1e3;
+async function verifySignature(jwt, key) {
+  const { header, raw } = jwt;
+  const joseAlgorithm = header.alg || "RS256";
+  try {
+    const publicKey = await importKey(key, joseAlgorithm);
+    const { payload } = await (0, import_jose2.jwtVerify)(raw.text, publicKey);
+    return { data: payload };
+  } catch (error) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalidSignature,
+          message: error.message
+        })
+      ]
+    };
+  }
+}
+function ternDecodeJwt(token) {
+  try {
+    const header = (0, import_jose2.decodeProtectedHeader)(token);
+    const payload = (0, import_jose2.decodeJwt)(token);
+    const tokenParts = (token || "").toString().split(".");
+    if (tokenParts.length !== 3) {
+      return {
+        errors: [
+          new TokenVerificationError({
+            reason: TokenVerificationErrorReason.TokenInvalid,
+            message: "Invalid JWT format"
+          })
+        ]
+      };
+    }
+    const [rawHeader, rawPayload, rawSignature] = tokenParts;
+    const signature = base64url.parse(rawSignature, { loose: true });
+    const data = {
+      header,
+      payload,
+      signature,
+      raw: {
+        header: rawHeader,
+        payload: rawPayload,
+        signature: rawSignature,
+        text: token
+      }
+    };
+    return { data };
+  } catch (error) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalid,
+          message: `${error.message || "Invalid Token or Protected Header formatting"} (Token length: ${token?.length}, First 10 chars: ${token?.substring(0, 10)}...)`
+        })
+      ]
+    };
+  }
+}
+async function verifyJwt(token, options) {
+  const { key } = options;
+  const clockSkew = options.clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;
+  const { data: decoded, errors } = ternDecodeJwt(token);
+  if (errors) {
+    return { errors };
+  }
+  const { header, payload } = decoded;
+  try {
+    verifyHeaderKid(header.kid);
+    verifySubClaim(payload.sub);
+    verifyExpirationClaim(payload.exp, clockSkew);
+    verifyIssuedAtClaim(payload.iat, clockSkew);
+  } catch (error) {
+    return { errors: [error] };
+  }
+  const { data: verifiedPayload, errors: signatureErrors } = await verifySignature(decoded, key);
+  if (signatureErrors) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalidSignature,
+          message: "Token signature verification failed."
+        })
+      ]
+    };
+  }
+  const decodedIdToken = mapJwtPayloadToDecodedIdToken(verifiedPayload);
+  return { data: decodedIdToken };
+}
+async function verifyAppCheckSignature(jwt, getPublicKey2) {
+  const { header, raw } = jwt;
+  const joseAlgorithm = header.alg || "RS256";
+  try {
+    const key = await getPublicKey2();
+    const { payload } = await (0, import_jose2.jwtVerify)(raw.text, key);
+    return { data: payload };
+  } catch (error) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalidSignature,
+          message: error.message
+        })
+      ]
+    };
+  }
+}
+async function verifyAppCheckJwt(token, options) {
+  const { key: getPublicKey2 } = options;
+  const clockSkew = options.clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;
+  const { data: decoded, errors } = ternDecodeJwt(token);
+  if (errors) {
+    return { errors };
+  }
+  const { header, payload } = decoded;
+  try {
+    verifyHeaderKid(header.kid);
+    verifySubClaim(payload.sub);
+    verifyExpirationClaim(payload.exp, clockSkew);
+    verifyIssuedAtClaim(payload.iat, clockSkew);
+  } catch (error) {
+    return { errors: [error] };
+  }
+  const { data: verifiedPayload, errors: signatureErrors } = await verifyAppCheckSignature(
+    decoded,
+    getPublicKey2
+  );
+  if (signatureErrors) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalidSignature,
+          message: "Token signature verification failed."
+        })
+      ]
+    };
+  }
+  const decodedAppCheckToken = mapJwtPayloadToDecodedAppCheckToken(verifiedPayload);
+  return { data: decodedAppCheckToken };
+}
+
+// src/tokens/keys.ts
+var cache = {};
+var lastUpdatedAt = 0;
+var googleExpiresAt = 0;
+function getFromCache(kid) {
+  return cache[kid];
+}
+function getCacheValues() {
+  return Object.values(cache);
+}
+function setInCache(kid, certificate, shouldExpire = true) {
+  cache[kid] = certificate;
+  lastUpdatedAt = shouldExpire ? Date.now() : -1;
+}
+async function fetchPublicKeys(keyUrl) {
+  const url = new URL(keyUrl);
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new TokenVerificationError({
+      message: `Error loading public keys from ${url.href} with code=${response.status} `,
+      reason: TokenVerificationErrorReason.TokenInvalid
+    });
+  }
+  const data = await response.json();
+  const expiresAt = getExpiresAt(response);
+  return {
+    keys: data,
+    expiresAt
+  };
+}
+async function loadJWKFromRemote({
+  keyURL,
+  skipJwksCache,
+  kid
+}) {
+  const finalKeyURL = keyURL || GOOGLE_PUBLIC_KEYS_URL;
+  if (skipJwksCache || isCacheExpired() || !getFromCache(kid)) {
+    const { keys, expiresAt } = await fetchPublicKeys(finalKeyURL);
+    if (!keys || Object.keys(keys).length === 0) {
+      throw new TokenVerificationError({
+        message: `The JWKS endpoint ${finalKeyURL} returned no keys`,
+        reason: TokenVerificationErrorReason.RemoteJWKFailedToLoad
+      });
+    }
+    googleExpiresAt = expiresAt;
+    Object.entries(keys).forEach(([keyId, cert2]) => {
+      setInCache(keyId, cert2);
+    });
+  }
+  const cert = getFromCache(kid);
+  if (!cert) {
+    getCacheValues();
+    const availableKids = Object.keys(cache).sort().join(", ");
+    throw new TokenVerificationError({
+      message: `No public key found for kid "${kid}". Available kids: [${availableKids}]`,
+      reason: TokenVerificationErrorReason.TokenInvalid
+    });
+  }
+  return cert;
+}
+function isCacheExpired() {
+  const now = Date.now();
+  if (lastUpdatedAt === -1) {
+    return false;
+  }
+  const cacheAge = now - lastUpdatedAt;
+  const maxCacheAge = MAX_CACHE_LAST_UPDATED_AT_SECONDS * 1e3;
+  const localCacheExpired = cacheAge >= maxCacheAge;
+  const googleCacheExpired = now >= googleExpiresAt;
+  const isExpired = localCacheExpired || googleCacheExpired;
+  if (isExpired) {
+    cache = {};
+  }
+  return isExpired;
+}
+function getExpiresAt(res) {
+  const cacheControlHeader = res.headers.get("cache-control");
+  if (!cacheControlHeader) {
+    return Date.now() + DEFAULT_CACHE_DURATION;
+  }
+  const maxAgeMatch = cacheControlHeader.match(CACHE_CONTROL_REGEX);
+  const maxAge = maxAgeMatch ? parseInt(maxAgeMatch[1], 10) : DEFAULT_CACHE_DURATION / 1e3;
+  return Date.now() + maxAge * 1e3;
+}
+
+// src/tokens/verify.ts
+async function verifyToken(token, options) {
+  const { data: decodedResult, errors } = ternDecodeJwt(token);
+  if (errors) {
+    return { errors };
+  }
+  const { header } = decodedResult;
+  const { kid } = header;
+  if (!kid) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalid,
+          message: 'JWT "kid" header is missing.'
+        })
+      ]
+    };
+  }
+  try {
+    const key = options.jwtKey || await loadJWKFromRemote({ ...options, kid });
+    if (!key) {
+      return {
+        errors: [
+          new TokenVerificationError({
+            reason: TokenVerificationErrorReason.TokenInvalid,
+            message: `No public key found for kid "${kid}".`
+          })
+        ]
+      };
+    }
+    return await verifyJwt(token, { ...options, key });
+  } catch (error) {
+    if (error instanceof TokenVerificationError) {
+      return { errors: [error] };
+    }
+    return {
+      errors: [error]
+    };
+  }
+}
+
+// src/fireRestApi/endpoints/AbstractApi.ts
+var AbstractAPI = class {
+  constructor(request) {
+    this.request = request;
+  }
+  requireApiKey(apiKey) {
+    if (!apiKey) {
+      throw new Error("A valid API key is required.");
+    }
+  }
+};
+
+// src/fireRestApi/endpoints/AppCheckApi.ts
+function getSdkVersion() {
+  return "12.7.0";
+}
+var FIREBASE_APP_CHECK_CONFIG_HEADERS = {
+  "X-Firebase-Client": `fire-admin-node/${getSdkVersion()}`
+};
+var AppCheckApi = class extends AbstractAPI {
+  async exchangeCustomToken(params) {
+    const { projectId, appId, customToken, accessToken, limitedUse = false } = params;
+    if (!projectId || !appId) {
+      throw new Error("Project ID and App ID are required for App Check token exchange");
+    }
+    const endpoint = `https://firebaseappcheck.googleapis.com/v1beta/projects/${projectId}/apps/${appId}:exchangeCustomToken`;
+    const headers = {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${accessToken}`
+    };
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers,
+        body: JSON.stringify({ customToken, limitedUse })
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      return {
+        token: data.token,
+        ttl: data.ttl
+      };
+    } catch (error) {
+      console.warn("[ternsecure - appcheck api]unexpected error:", error);
+      throw error;
+    }
+  }
+  async exchangeDebugToken(params) {
+    const { projectId, appId, customToken, accessToken, limitedUse = false } = params;
+    if (!projectId || !appId) {
+      throw new Error("Project ID and App ID are required for App Check token exchange");
+    }
+    const endpoint = `https://firebaseappcheck.googleapis.com/v1beta/projects/${projectId}/apps/${appId}:exchangeDebugToken`;
+    const headers = {
+      ...FIREBASE_APP_CHECK_CONFIG_HEADERS,
+      "Authorization": `Bearer ${accessToken}`
+    };
+    const body = {
+      customToken,
+      limitedUse
+    };
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(body)
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      return {
+        token: data.token,
+        ttl: data.ttl
+      };
+    } catch (error) {
+      console.warn("[ternsecure - appcheck api]unexpected error:", error);
+      throw error;
+    }
+  }
+};
+
+// src/fireRestApi/endpoints/EmailApi.ts
+var EmailApi = class extends AbstractAPI {
+  async verifyEmailVerification(apiKey, params) {
+    this.requireApiKey(apiKey);
+    const { ...restParams } = params;
+    return this.request({
       endpoint: "sendOobCode",
       method: "POST",
       bodyParams: restParams
@@ -861,673 +1454,569 @@ function mergePreDefinedOptions(userOptions = {}) {
 // src/tokens/request.ts
 var import_ms = require("@tern-secure/shared/ms");
 
-// src/jwt/customJwt.ts
-var import_jose = require("jose");
-var CustomTokenError = class extends Error {
-  constructor(message, code) {
-    super(message);
-    this.code = code;
-    this.name = "CustomTokenError";
-  }
-};
-var RESERVED_CLAIMS = [
-  "acr",
-  "amr",
-  "at_hash",
-  "aud",
-  "auth_time",
-  "azp",
-  "cnf",
-  "c_hash",
-  "exp",
-  "firebase",
-  "iat",
-  "iss",
-  "jti",
-  "nbf",
-  "nonce",
-  "sub"
-];
-async function createCustomTokenJwt(uid, developerClaims) {
-  try {
-    const privateKey = process.env.FIREBASE_PRIVATE_KEY;
-    const clientEmail = process.env.FIREBASE_CLIENT_EMAIL;
-    if (!privateKey || !clientEmail) {
-      return {
-        errors: [
-          new CustomTokenError(
-            "Missing FIREBASE_PRIVATE_KEY or FIREBASE_CLIENT_EMAIL environment variables",
-            "MISSING_ENV_VARS"
-          )
-        ]
-      };
-    }
-    if (!uid || typeof uid !== "string") {
-      return {
-        errors: [new CustomTokenError("uid must be a non-empty string", "INVALID_UID")]
-      };
-    }
-    if (uid.length > 128) {
-      return {
-        errors: [new CustomTokenError("uid must not exceed 128 characters", "UID_TOO_LONG")]
-      };
-    }
-    if (developerClaims) {
-      for (const claim of Object.keys(developerClaims)) {
-        if (RESERVED_CLAIMS.includes(claim)) {
-          return {
-            errors: [new CustomTokenError(`Custom claim '${claim}' is reserved`, "RESERVED_CLAIM")]
-          };
-        }
-      }
-    }
-    const expiresIn = 3600;
-    const now = Math.floor(Date.now() / 1e3);
-    const parsedPrivateKey = await (0, import_jose.importPKCS8)(privateKey.replace(/\\n/g, "\n"), "RS256");
-    const payload = {
-      iss: clientEmail,
-      sub: clientEmail,
-      aud: "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
-      iat: now,
-      exp: now + expiresIn,
-      uid,
-      ...developerClaims
-    };
-    const jwt = await new import_jose.SignJWT(payload).setProtectedHeader({ alg: "RS256", typ: "JWT" }).setIssuedAt(now).setExpirationTime(now + expiresIn).setIssuer(clientEmail).setSubject(clientEmail).setAudience(
-      "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"
-    ).sign(parsedPrivateKey);
-    return {
-      data: jwt
-    };
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Unknown error occurred";
-    return {
-      errors: [
-        new CustomTokenError(`Failed to create custom token: ${message}`, "TOKEN_CREATION_FAILED")
-      ]
-    };
-  }
-}
-async function createCustomToken(uid, developerClaims) {
-  const { data, errors } = await createCustomTokenJwt(uid, developerClaims);
-  if (errors) {
-    throw errors[0];
-  }
-  return data;
-}
-
-// src/jwt/verifyJwt.ts
-var import_jose3 = require("jose");
-
-// src/utils/errors.ts
-var RefreshTokenErrorReason = {
-  NonEligibleNoCookie: "non-eligible-no-refresh-cookie",
-  NonEligibleNonGet: "non-eligible-non-get",
-  InvalidSessionToken: "invalid-session-token",
-  MissingApiClient: "missing-api-client",
-  MissingIdToken: "missing-id-token",
-  MissingSessionToken: "missing-session-token",
-  MissingRefreshToken: "missing-refresh-token",
-  ExpiredIdTokenDecodeFailed: "expired-id-token-decode-failed",
-  ExpiredSessionTokenDecodeFailed: "expired-session-token-decode-failed",
-  FetchError: "fetch-error"
-};
-var TokenVerificationErrorReason = {
-  TokenExpired: "token-expired",
-  TokenInvalid: "token-invalid",
-  TokenInvalidAlgorithm: "token-invalid-algorithm",
-  TokenInvalidAuthorizedParties: "token-invalid-authorized-parties",
-  TokenInvalidSignature: "token-invalid-signature",
-  TokenNotActiveYet: "token-not-active-yet",
-  TokenIatInTheFuture: "token-iat-in-the-future",
-  TokenVerificationFailed: "token-verification-failed",
-  InvalidSecretKey: "secret-key-invalid",
-  LocalJWKMissing: "jwk-local-missing",
-  RemoteJWKFailedToLoad: "jwk-remote-failed-to-load",
-  RemoteJWKInvalid: "jwk-remote-invalid",
-  RemoteJWKMissing: "jwk-remote-missing",
-  JWKFailedToResolve: "jwk-failed-to-resolve",
-  JWKKidMismatch: "jwk-kid-mismatch"
-};
-var TokenVerificationError = class _TokenVerificationError extends Error {
-  reason;
-  tokenCarrier;
-  constructor({
-    message,
-    reason
-  }) {
-    super(message);
-    Object.setPrototypeOf(this, _TokenVerificationError.prototype);
-    this.reason = reason;
-    this.message = message;
-  }
-  getFullMessage() {
-    return `${[this.message].filter((m) => m).join(" ")} (reason=${this.reason}, token-carrier=${this.tokenCarrier})`;
-  }
-};
-
-// src/utils/rfc4648.ts
-var base64url = {
-  parse(string, opts) {
-    return parse2(string, base64UrlEncoding, opts);
-  },
-  stringify(data, opts) {
-    return stringify(data, base64UrlEncoding, opts);
-  }
-};
-var base64UrlEncoding = {
-  chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_",
-  bits: 6
-};
-function parse2(string, encoding, opts = {}) {
-  if (!encoding.codes) {
-    encoding.codes = {};
-    for (let i = 0; i < encoding.chars.length; ++i) {
-      encoding.codes[encoding.chars[i]] = i;
-    }
-  }
-  if (!opts.loose && string.length * encoding.bits & 7) {
-    throw new SyntaxError("Invalid padding");
-  }
-  let end = string.length;
-  while (string[end - 1] === "=") {
-    --end;
-    if (!opts.loose && !((string.length - end) * encoding.bits & 7)) {
-      throw new SyntaxError("Invalid padding");
-    }
-  }
-  const out = new (opts.out ?? Uint8Array)(end * encoding.bits / 8 | 0);
-  let bits = 0;
-  let buffer = 0;
-  let written = 0;
-  for (let i = 0; i < end; ++i) {
-    const value = encoding.codes[string[i]];
-    if (value === void 0) {
-      throw new SyntaxError("Invalid character " + string[i]);
-    }
-    buffer = buffer << encoding.bits | value;
-    bits += encoding.bits;
-    if (bits >= 8) {
-      bits -= 8;
-      out[written++] = 255 & buffer >> bits;
-    }
-  }
-  if (bits >= encoding.bits || 255 & buffer << 8 - bits) {
-    throw new SyntaxError("Unexpected end of data");
-  }
-  return out;
-}
-function stringify(data, encoding, opts = {}) {
-  const { pad = true } = opts;
-  const mask = (1 << encoding.bits) - 1;
-  let out = "";
-  let bits = 0;
-  let buffer = 0;
-  for (let i = 0; i < data.length; ++i) {
-    buffer = buffer << 8 | 255 & data[i];
-    bits += 8;
-    while (bits > encoding.bits) {
-      bits -= encoding.bits;
-      out += encoding.chars[mask & buffer >> bits];
-    }
-  }
-  if (bits) {
-    out += encoding.chars[mask & buffer << encoding.bits - bits];
-  }
-  if (pad) {
-    while (out.length * encoding.bits & 7) {
-      out += "=";
-    }
-  }
-  return out;
-}
-
-// src/jwt/cryptoKeys.ts
-var import_jose2 = require("jose");
-async function importKey(key, algorithm) {
-  if (typeof key === "object") {
-    const result = await (0, import_jose2.importJWK)(key, algorithm);
-    if (result instanceof Uint8Array) {
-      throw new Error("Unexpected Uint8Array result from JWK import");
-    }
-    return result;
-  }
-  const keyString = key.trim();
-  if (keyString.includes("-----BEGIN CERTIFICATE-----")) {
-    return await (0, import_jose2.importX509)(keyString, algorithm);
-  }
-  if (keyString.includes("-----BEGIN PUBLIC KEY-----")) {
-    return await (0, import_jose2.importSPKI)(keyString, algorithm);
-  }
-  try {
-    return await (0, import_jose2.importSPKI)(keyString, algorithm);
-  } catch (error) {
-    throw new Error(
-      `Unsupported key format. Supported formats: X.509 certificate (PEM), SPKI (PEM), JWK (JSON object or string). Error: ${error}`
-    );
-  }
+// src/jwt/guardReturn.ts
+function createJwtGuard(decodedFn) {
+  return (...args) => {
+    const { data, errors } = decodedFn(...args);
+    if (errors) {
+      throw errors[0];
+    }
+    return data;
+  };
 }
 
-// src/jwt/algorithms.ts
-var algToHash = {
-  RS256: "SHA-256",
-  RS384: "SHA-384",
-  RS512: "SHA-512"
-};
-var algs = Object.keys(algToHash);
+// src/jwt/jwt.ts
+var import_jose3 = require("jose");
 
-// src/jwt/verifyContent.ts
-var verifyHeaderKid = (kid) => {
-  if (typeof kid === "undefined") {
-    return;
-  }
-  if (typeof kid !== "string") {
-    throw new TokenVerificationError({
-      reason: TokenVerificationErrorReason.TokenInvalid,
-      message: `Invalid JWT kid ${JSON.stringify(kid)}. Expected a string.`
-    });
-  }
-};
-var verifySubClaim = (sub) => {
-  if (typeof sub !== "string") {
-    throw new TokenVerificationError({
-      reason: TokenVerificationErrorReason.TokenVerificationFailed,
-      message: `Subject claim (sub) is required and must be a string. Received ${JSON.stringify(sub)}.`
-    });
-  }
-};
-var verifyExpirationClaim = (exp, clockSkewInMs) => {
-  if (typeof exp !== "number") {
-    throw new TokenVerificationError({
-      reason: TokenVerificationErrorReason.TokenVerificationFailed,
-      message: `Invalid JWT expiry date (exp) claim ${JSON.stringify(exp)}. Expected a number.`
-    });
-  }
-  const currentDate = new Date(Date.now());
-  const expiryDate = /* @__PURE__ */ new Date(0);
-  expiryDate.setUTCSeconds(exp);
-  const expired = expiryDate.getTime() <= currentDate.getTime() - clockSkewInMs;
-  if (expired) {
-    throw new TokenVerificationError({
-      reason: TokenVerificationErrorReason.TokenExpired,
-      message: `JWT is expired. Expiry date: ${expiryDate.toUTCString()}, Current date: ${currentDate.toUTCString()}.`
-    });
-  }
-};
-var verifyIssuedAtClaim = (iat, clockSkewInMs) => {
-  if (typeof iat === "undefined") {
-    return;
-  }
-  if (typeof iat !== "number") {
-    throw new TokenVerificationError({
-      reason: TokenVerificationErrorReason.TokenVerificationFailed,
-      message: `Invalid JWT issued at date claim (iat) ${JSON.stringify(iat)}. Expected a number.`
-    });
-  }
-  const currentDate = new Date(Date.now());
-  const issuedAtDate = /* @__PURE__ */ new Date(0);
-  issuedAtDate.setUTCSeconds(iat);
-  const postIssued = issuedAtDate.getTime() > currentDate.getTime() + clockSkewInMs;
-  if (postIssued) {
-    throw new TokenVerificationError({
-      reason: TokenVerificationErrorReason.TokenIatInTheFuture,
-      message: `JWT issued at date claim (iat) is in the future. Issued at date: ${issuedAtDate.toUTCString()}; Current date: ${currentDate.toUTCString()};`
-    });
+// src/jwt/customJwt.ts
+var import_jose4 = require("jose");
+var CustomTokenError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "CustomTokenError";
   }
 };
-
-// src/jwt/verifyJwt.ts
-var DEFAULT_CLOCK_SKEW_IN_MS = 5 * 1e3;
-async function verifySignature(jwt, key) {
-  const { header, raw } = jwt;
-  const joseAlgorithm = header.alg || "RS256";
-  try {
-    const publicKey = await importKey(key, joseAlgorithm);
-    const { payload } = await (0, import_jose3.jwtVerify)(raw.text, publicKey);
-    return { data: payload };
-  } catch (error) {
-    return {
-      errors: [
-        new TokenVerificationError({
-          reason: TokenVerificationErrorReason.TokenInvalidSignature,
-          message: error.message
-        })
-      ]
-    };
-  }
-}
-function ternDecodeJwt(token) {
+var RESERVED_CLAIMS = [
+  "acr",
+  "amr",
+  "at_hash",
+  "aud",
+  "auth_time",
+  "azp",
+  "cnf",
+  "c_hash",
+  "exp",
+  "firebase",
+  "iat",
+  "iss",
+  "jti",
+  "nbf",
+  "nonce",
+  "sub"
+];
+async function createCustomTokenJwt(uid, developerClaims) {
   try {
-    const header = (0, import_jose3.decodeProtectedHeader)(token);
-    const payload = (0, import_jose3.decodeJwt)(token);
-    const tokenParts = (token || "").toString().split(".");
-    if (tokenParts.length !== 3) {
+    const privateKey = process.env.FIREBASE_PRIVATE_KEY;
+    const clientEmail = process.env.FIREBASE_CLIENT_EMAIL;
+    if (!privateKey || !clientEmail) {
       return {
         errors: [
-          new TokenVerificationError({
-            reason: TokenVerificationErrorReason.TokenInvalid,
-            message: "Invalid JWT format"
-          })
+          new CustomTokenError(
+            "Missing FIREBASE_PRIVATE_KEY or FIREBASE_CLIENT_EMAIL environment variables",
+            "MISSING_ENV_VARS"
+          )
         ]
       };
     }
-    const [rawHeader, rawPayload, rawSignature] = tokenParts;
-    const signature = base64url.parse(rawSignature, { loose: true });
-    const data = {
-      header,
-      payload,
-      signature,
-      raw: {
-        header: rawHeader,
-        payload: rawPayload,
-        signature: rawSignature,
-        text: token
+    if (!uid || typeof uid !== "string") {
+      return {
+        errors: [new CustomTokenError("uid must be a non-empty string", "INVALID_UID")]
+      };
+    }
+    if (uid.length > 128) {
+      return {
+        errors: [new CustomTokenError("uid must not exceed 128 characters", "UID_TOO_LONG")]
+      };
+    }
+    if (developerClaims) {
+      for (const claim of Object.keys(developerClaims)) {
+        if (RESERVED_CLAIMS.includes(claim)) {
+          return {
+            errors: [new CustomTokenError(`Custom claim '${claim}' is reserved`, "RESERVED_CLAIM")]
+          };
+        }
       }
+    }
+    const expiresIn = 3600;
+    const now = Math.floor(Date.now() / 1e3);
+    const parsedPrivateKey = await (0, import_jose4.importPKCS8)(privateKey.replace(/\\n/g, "\n"), "RS256");
+    const payload = {
+      iss: clientEmail,
+      sub: clientEmail,
+      aud: "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
+      iat: now,
+      exp: now + expiresIn,
+      uid,
+      ...developerClaims
+    };
+    const jwt = await new import_jose4.SignJWT(payload).setProtectedHeader({ alg: "RS256", typ: "JWT" }).setIssuedAt(now).setExpirationTime(now + expiresIn).setIssuer(clientEmail).setSubject(clientEmail).setAudience(
+      "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"
+    ).sign(parsedPrivateKey);
+    return {
+      data: jwt
     };
-    return { data };
   } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error occurred";
     return {
       errors: [
-        new TokenVerificationError({
-          reason: TokenVerificationErrorReason.TokenInvalid,
-          message: `${error.message || "Invalid Token or Protected Header formatting"} (Token length: ${token?.length}, First 10 chars: ${token?.substring(0, 10)}...)`
-        })
+        new CustomTokenError(`Failed to create custom token: ${message}`, "TOKEN_CREATION_FAILED")
       ]
     };
   }
 }
-async function verifyJwt(token, options) {
-  const { key } = options;
-  const clockSkew = options.clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;
-  const { data: decoded, errors } = ternDecodeJwt(token);
+async function createCustomToken(uid, developerClaims) {
+  const { data, errors } = await createCustomTokenJwt(uid, developerClaims);
   if (errors) {
-    return { errors };
-  }
-  const { header, payload } = decoded;
-  try {
-    verifyHeaderKid(header.kid);
-    verifySubClaim(payload.sub);
-    verifyExpirationClaim(payload.exp, clockSkew);
-    verifyIssuedAtClaim(payload.iat, clockSkew);
-  } catch (error) {
-    return { errors: [error] };
-  }
-  const { data: verifiedPayload, errors: signatureErrors } = await verifySignature(decoded, key);
-  if (signatureErrors) {
-    return {
-      errors: [
-        new TokenVerificationError({
-          reason: TokenVerificationErrorReason.TokenInvalidSignature,
-          message: "Token signature verification failed."
-        })
-      ]
-    };
+    throw errors[0];
   }
-  const decodedIdToken = mapJwtPayloadToDecodedIdToken(verifiedPayload);
-  return { data: decodedIdToken };
+  return data;
 }
 
-// src/tokens/keys.ts
-var cache = {};
-var lastUpdatedAt = 0;
-var googleExpiresAt = 0;
-function getFromCache(kid) {
-  return cache[kid];
+// src/jwt/signJwt.ts
+var import_jose5 = require("jose");
+
+// src/utils/fetcher.ts
+async function getDetailFromResponse(response) {
+  const json = await response.json();
+  if (!json) {
+    return "Missing error payload";
+  }
+  let detail = typeof json.error === "string" ? json.error : json.error?.message ?? "Missing error payload";
+  if (json.error_description) {
+    detail += " (" + json.error_description + ")";
+  }
+  return detail;
 }
-function getCacheValues() {
-  return Object.values(cache);
+async function fetchText(url, init) {
+  return (await fetchAny(url, init)).text();
 }
-function setInCache(kid, certificate, shouldExpire = true) {
-  cache[kid] = certificate;
-  lastUpdatedAt = shouldExpire ? Date.now() : -1;
+async function fetchJson(url, init) {
+  return (await fetchAny(url, init)).json();
 }
-async function fetchPublicKeys(keyUrl) {
-  const url = new URL(keyUrl);
-  const response = await fetch(url);
+async function fetchAny(url, init) {
+  const response = await fetch(url, init);
   if (!response.ok) {
+    throw new Error(await getDetailFromResponse(response));
+  }
+  return response;
+}
+
+// src/jwt/types.ts
+var ALGORITHM_RS256 = "RS256";
+
+// src/jwt/signJwt.ts
+async function ternSignJwt(opts) {
+  const { payload, privateKey, keyId } = opts;
+  let key;
+  try {
+    key = await (0, import_jose5.importPKCS8)(privateKey, ALGORITHM_RS256);
+  } catch (error) {
     throw new TokenVerificationError({
-      message: `Error loading public keys from ${url.href} with code=${response.status} `,
+      message: `Failed to import private key: ${error.message}`,
       reason: TokenVerificationErrorReason.TokenInvalid
     });
   }
-  const data = await response.json();
-  const expiresAt = getExpiresAt(response);
-  return {
-    keys: data,
-    expiresAt
-  };
+  return new import_jose5.SignJWT(payload).setProtectedHeader({ alg: ALGORITHM_RS256, kid: keyId }).sign(key);
 }
-async function loadJWKFromRemote({
-  keyURL = GOOGLE_PUBLIC_KEYS_URL,
-  skipJwksCache,
-  kid
+function formatBase64(value) {
+  return value.replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
+}
+function encodeSegment(segment) {
+  const value = JSON.stringify(segment);
+  return formatBase64(import_jose5.base64url.encode(value));
+}
+async function ternSignBlob({
+  payload,
+  serviceAccountId,
+  accessToken
 }) {
-  if (skipJwksCache || isCacheExpired() || !getFromCache(kid)) {
-    const { keys, expiresAt } = await fetchPublicKeys(keyURL);
-    if (!keys || Object.keys(keys).length === 0) {
-      throw new TokenVerificationError({
-        message: `The JWKS endpoint ${keyURL} returned no keys`,
-        reason: TokenVerificationErrorReason.RemoteJWKFailedToLoad
-      });
+  const url = `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${serviceAccountId}:signBlob`;
+  const header = {
+    alg: ALGORITHM_RS256,
+    typ: "JWT"
+  };
+  const token = `${encodeSegment(header)}.${encodeSegment(payload)}`;
+  const request = {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${accessToken}`
+    },
+    body: JSON.stringify({ payload: import_jose5.base64url.encode(token) })
+  };
+  const response = await fetchAny(url, request);
+  const blob = await response.blob();
+  const key = await blob.text();
+  const { signedBlob } = JSON.parse(key);
+  return `${token}.${formatBase64(signedBlob)}`;
+}
+
+// src/jwt/crypto-signer.ts
+var ServiceAccountSigner = class {
+  constructor(credential, tenantId) {
+    this.credential = credential;
+    this.tenantId = tenantId;
+  }
+  async getAccountId() {
+    return Promise.resolve(this.credential.clientEmail);
+  }
+  async sign(payload) {
+    if (this.tenantId) {
+      payload.tenant_id = this.tenantId;
     }
-    googleExpiresAt = expiresAt;
-    Object.entries(keys).forEach(([keyId, cert2]) => {
-      setInCache(keyId, cert2);
-    });
+    return ternSignJwt({ payload, privateKey: this.credential.privateKey });
   }
-  const cert = getFromCache(kid);
-  if (!cert) {
-    getCacheValues();
-    const availableKids = Object.keys(cache).sort().join(", ");
-    throw new TokenVerificationError({
-      message: `No public key found for kid "${kid}". Available kids: [${availableKids}]`,
-      reason: TokenVerificationErrorReason.TokenInvalid
+};
+var IAMSigner = class {
+  algorithm = ALGORITHM_RS256;
+  credential;
+  tenantId;
+  serviceAccountId;
+  constructor(credential, tenantId, serviceAccountId) {
+    this.credential = credential;
+    this.tenantId = tenantId;
+    this.serviceAccountId = serviceAccountId;
+  }
+  async sign(payload) {
+    if (this.tenantId) {
+      payload.tenant_id = this.tenantId;
+    }
+    const serviceAccount = await this.getAccountId();
+    const accessToken = await this.credential.getAccessToken();
+    return ternSignBlob({
+      accessToken: accessToken.accessToken,
+      serviceAccountId: serviceAccount,
+      payload
     });
   }
-  return cert;
-}
-function isCacheExpired() {
-  const now = Date.now();
-  if (lastUpdatedAt === -1) {
-    return false;
-  }
-  const cacheAge = now - lastUpdatedAt;
-  const maxCacheAge = MAX_CACHE_LAST_UPDATED_AT_SECONDS * 1e3;
-  const localCacheExpired = cacheAge >= maxCacheAge;
-  const googleCacheExpired = now >= googleExpiresAt;
-  const isExpired = localCacheExpired || googleCacheExpired;
-  if (isExpired) {
-    cache = {};
+  async getAccountId() {
+    if (this.serviceAccountId) {
+      return this.serviceAccountId;
+    }
+    const token = await this.credential.getAccessToken();
+    const url = "http://metadata/computeMetadata/v1/instance/service-accounts/default/email";
+    const request = {
+      method: "GET",
+      headers: {
+        "Metadata-Flavor": "Google",
+        Authorization: `Bearer ${token.accessToken}`
+      }
+    };
+    return this.serviceAccountId = await fetchText(url, request);
   }
-  return isExpired;
-}
-function getExpiresAt(res) {
-  const cacheControlHeader = res.headers.get("cache-control");
-  if (!cacheControlHeader) {
-    return Date.now() + DEFAULT_CACHE_DURATION;
+};
+
+// src/jwt/index.ts
+var ternDecodeJwt2 = createJwtGuard(ternDecodeJwt);
+
+// src/utils/token-generator.ts
+function cryptoSignerFromCredential(credential, tenantId, serviceAccountId) {
+  if (credential instanceof ServiceAccountManager) {
+    return new ServiceAccountSigner(credential, tenantId);
   }
-  const maxAgeMatch = cacheControlHeader.match(CACHE_CONTROL_REGEX);
-  const maxAge = maxAgeMatch ? parseInt(maxAgeMatch[1], 10) : DEFAULT_CACHE_DURATION / 1e3;
-  return Date.now() + maxAge * 1e3;
+  return new IAMSigner(credential, tenantId, serviceAccountId);
 }
 
-// src/tokens/verify.ts
-async function verifyToken(token, options) {
-  const { data: decodedResult, errors } = ternDecodeJwt(token);
-  if (errors) {
-    return { errors };
+// src/app-check/AppCheckApi.ts
+function getSdkVersion2() {
+  return "12.7.0";
+}
+var FIREBASE_APP_CHECK_CONFIG_HEADERS2 = {
+  "X-Firebase-Client": `fire-admin-node/${getSdkVersion2()}`
+};
+var AppCheckApi2 = class {
+  constructor(credential) {
+    this.credential = credential;
   }
-  const { header } = decodedResult;
-  const { kid } = header;
-  if (!kid) {
-    return {
-      errors: [
-        new TokenVerificationError({
-          reason: TokenVerificationErrorReason.TokenInvalid,
-          message: 'JWT "kid" header is missing.'
-        })
-      ]
+  async exchangeToken(params) {
+    const { projectId, appId, customToken, limitedUse = false } = params;
+    const token = await this.credential.getAccessToken(false);
+    if (!projectId || !appId) {
+      throw new Error("Project ID and App ID are required for App Check token exchange");
+    }
+    const endpoint = `https://firebaseappcheck.googleapis.com/v1/projects/${projectId}/apps/${appId}:exchangeCustomToken`;
+    const headers = {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${token.accessToken}`
     };
-  }
-  try {
-    const key = options.jwtKey || await loadJWKFromRemote({ ...options, kid });
-    if (!key) {
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers,
+        body: JSON.stringify({ customToken, limitedUse })
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
       return {
-        errors: [
-          new TokenVerificationError({
-            reason: TokenVerificationErrorReason.TokenInvalid,
-            message: `No public key found for kid "${kid}".`
-          })
-        ]
+        token: data.token,
+        ttl: data.ttl
       };
+    } catch (error) {
+      console.warn("[ternsecure - appcheck api]unexpected error:", error);
+      throw error;
     }
-    return await verifyJwt(token, { ...options, key });
-  } catch (error) {
-    if (error instanceof TokenVerificationError) {
-      return { errors: [error] };
+  }
+  async exchangeDebugToken(params) {
+    const { projectId, appId, customToken, accessToken, limitedUse = false } = params;
+    if (!projectId || !appId) {
+      throw new Error("Project ID and App ID are required for App Check token exchange");
     }
-    return {
-      errors: [error]
+    const endpoint = `https://firebaseappcheck.googleapis.com/v1beta/projects/${projectId}/apps/${appId}:exchangeDebugToken`;
+    const headers = {
+      ...FIREBASE_APP_CHECK_CONFIG_HEADERS2,
+      "Authorization": `Bearer ${accessToken}`
+    };
+    const body = {
+      customToken,
+      limitedUse
     };
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(body)
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      return {
+        token: data.token,
+        ttl: data.ttl
+      };
+    } catch (error) {
+      console.warn("[ternsecure - appcheck api]unexpected error:", error);
+      throw error;
+    }
   }
+};
+
+// src/app-check/generator.ts
+function transformMillisecondsToSecondsString(milliseconds) {
+  let duration;
+  const seconds = Math.floor(milliseconds / 1e3);
+  const nanos = Math.floor((milliseconds - seconds * 1e3) * 1e6);
+  if (nanos > 0) {
+    let nanoString = nanos.toString();
+    while (nanoString.length < 9) {
+      nanoString = "0" + nanoString;
+    }
+    duration = `${seconds}.${nanoString}s`;
+  } else {
+    duration = `${seconds}s`;
+  }
+  return duration;
 }
+var AppCheckTokenGenerator = class {
+  signer;
+  constructor(signer) {
+    this.signer = signer;
+  }
+  async createCustomToken(appId, options) {
+    if (!appId) {
+      throw new Error(
+        "appId is invalid"
+      );
+    }
+    let customOptions = {};
+    if (typeof options !== "undefined") {
+      customOptions = this.validateTokenOptions(options);
+    }
+    const account = await this.signer.getAccountId();
+    const iat = Math.floor(Date.now() / 1e3);
+    const body = {
+      iss: account,
+      sub: account,
+      app_id: appId,
+      aud: FIREBASE_APP_CHECK_AUDIENCE,
+      exp: iat + ONE_MINUTE_IN_SECONDS * 5,
+      iat,
+      ...customOptions
+    };
+    return this.signer.sign(body);
+  }
+  validateTokenOptions(options) {
+    if (typeof options.ttlMillis !== "undefined") {
+      if (options.ttlMillis < ONE_MINUTE_IN_MILLIS * 30 || options.ttlMillis > ONE_DAY_IN_MILLIS * 7) {
+        throw new Error(
+          "ttlMillis must be a duration in milliseconds between 30 minutes and 7 days (inclusive)."
+        );
+      }
+      return { ttl: transformMillisecondsToSecondsString(options.ttlMillis) };
+    }
+    return {};
+  }
+};
 
-// src/jwt/guardReturn.ts
-function createJwtGuard(decodedFn) {
-  return (...args) => {
-    const { data, errors } = decodedFn(...args);
-    if (errors) {
-      throw errors[0];
+// src/app-check/serverAppCheck.ts
+var import_redis = require("@upstash/redis");
+
+// src/admin/sessionTernSecure.ts
+var import_errors6 = require("@tern-secure/shared/errors");
+
+// src/utils/admin-init.ts
+var import_firebase_admin = __toESM(require("firebase-admin"));
+var import_app_check = require("firebase-admin/app-check");
+
+// src/utils/config.ts
+var loadAdminConfig = () => ({
+  projectId: process.env.FIREBASE_PROJECT_ID || "",
+  clientEmail: process.env.FIREBASE_CLIENT_EMAIL || "",
+  privateKey: process.env.FIREBASE_PRIVATE_KEY || ""
+});
+var validateAdminConfig = (config) => {
+  const requiredFields = [
+    "projectId",
+    "clientEmail",
+    "privateKey"
+  ];
+  const errors = [];
+  requiredFields.forEach((field) => {
+    if (!config[field]) {
+      errors.push(`Missing required field: FIREBASE_${String(field).toUpperCase()}`);
     }
-    return data;
+  });
+  return {
+    isValid: errors.length === 0,
+    errors,
+    config
   };
-}
-
-// src/jwt/jwt.ts
-var import_jose4 = require("jose");
+};
+var initializeAdminConfig = () => {
+  const config = loadAdminConfig();
+  const validationResult = validateAdminConfig(config);
+  if (!validationResult.isValid) {
+    throw new Error(
+      `Firebase Admin configuration validation failed:
+${validationResult.errors.join("\n")}`
+    );
+  }
+  return config;
+};
 
-// src/jwt/signJwt.ts
-var import_jose5 = require("jose");
-var ALGORITHM_RS256 = "RS256";
-async function ternSignJwt(opts) {
-  const { payload, privateKey, keyId } = opts;
-  let key;
+// src/utils/admin-init.ts
+if (!import_firebase_admin.default.apps.length) {
   try {
-    key = await (0, import_jose5.importPKCS8)(privateKey, ALGORITHM_RS256);
-  } catch (error) {
-    throw new TokenVerificationError({
-      message: `Failed to import private key: ${error.message}`,
-      reason: TokenVerificationErrorReason.TokenInvalid
+    const config = initializeAdminConfig();
+    import_firebase_admin.default.initializeApp({
+      credential: import_firebase_admin.default.credential.cert({
+        ...config,
+        privateKey: config.privateKey.replace(/\\n/g, "\n")
+      })
     });
+  } catch (error) {
+    console.error("Firebase admin initialization error", error);
   }
-  return new import_jose5.SignJWT(payload).setProtectedHeader({ alg: ALGORITHM_RS256, kid: keyId }).sign(key);
 }
+var adminTernSecureAuth = import_firebase_admin.default.auth();
+var adminTernSecureDb = import_firebase_admin.default.firestore();
+var TernSecureTenantManager = import_firebase_admin.default.auth().tenantManager();
+var appCheckAdmin = (0, import_app_check.getAppCheck)();
 
-// src/jwt/index.ts
-var ternDecodeJwt2 = createJwtGuard(ternDecodeJwt);
+// src/admin/sessionTernSecure.ts
+var DEFAULT_COOKIE_CONFIG = {
+  DEFAULT_EXPIRES_IN_MS: 5 * 60 * 1e3,
+  // 5 minutes
+  DEFAULT_EXPIRES_IN_SECONDS: 5 * 60,
+  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true
+};
+var DEFAULT_COOKIE_OPTIONS = {
+  httpOnly: true,
+  secure: process.env.NODE_ENV === "production",
+  sameSite: "strict",
+  path: "/"
+};
 
-// src/auth/constants.ts
-var TOKEN_EXPIRY_THRESHOLD_MILLIS = 5 * 60 * 1e3;
-var GOOGLE_TOKEN_AUDIENCE = "https://accounts.google.com/o/oauth2/token";
-var GOOGLE_AUTH_TOKEN_HOST = "accounts.google.com";
-var GOOGLE_AUTH_TOKEN_PATH = "/o/oauth2/token";
-var ONE_HOUR_IN_SECONDS = 60 * 60;
+// src/admin/nextSessionTernSecure.ts
+var import_cookie2 = require("@tern-secure/shared/cookie");
+var import_errors7 = require("@tern-secure/shared/errors");
+var import_headers = require("next/headers");
+var SESSION_CONSTANTS = {
+  COOKIE_NAME: constants.Cookies.Session,
+  DEFAULT_EXPIRES_IN_MS: 60 * 60 * 24 * 5 * 1e3,
+  // 5 days
+  DEFAULT_EXPIRES_IN_SECONDS: 60 * 60 * 24 * 5,
+  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true
+};
 
-// src/auth/utils.ts
-async function getDetailFromResponse(response) {
-  const json = await response.json();
-  if (!json) {
-    return "Missing error payload";
+// src/admin/user.ts
+var import_errors8 = require("@tern-secure/shared/errors");
+
+// src/app-check/verifier.ts
+var import_jose6 = require("jose");
+var getPublicKey = async (header, keyURL) => {
+  const jswksUrl = new URL(keyURL);
+  const getKey = (0, import_jose6.createRemoteJWKSet)(jswksUrl);
+  return getKey(header);
+};
+var verifyAppCheckToken = async (token, options) => {
+  const { data: decodedResult, errors } = ternDecodeJwt(token);
+  if (errors) {
+    throw errors[0];
   }
-  let detail = typeof json.error === "string" ? json.error : json.error?.message ?? "Missing error payload";
-  if (json.error_description) {
-    detail += " (" + json.error_description + ")";
+  const { header } = decodedResult;
+  const { kid } = header;
+  if (!kid) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalid,
+          message: 'JWT "kid" header is missing.'
+        })
+      ]
+    };
   }
-  return detail;
-}
-async function fetchJson(url, init) {
-  return (await fetchAny(url, init)).json();
-}
-async function fetchAny(url, init) {
-  const response = await fetch(url, init);
-  if (!response.ok) {
-    throw new Error(await getDetailFromResponse(response));
+  try {
+    const getPublicKeyForToken = () => getPublicKey(header, options.keyURL || "");
+    return await verifyAppCheckJwt(token, { ...options, key: getPublicKeyForToken });
+  } catch (error) {
+    if (error instanceof TokenVerificationError) {
+      return { errors: [error] };
+    }
+    return {
+      errors: [error]
+    };
   }
-  return response;
-}
-
-// src/auth/credential.ts
-var accessTokenCache = /* @__PURE__ */ new Map();
-async function requestAccessToken(urlString, init) {
-  const json = await fetchJson(urlString, init);
-  if (!json.access_token || !json.expires_in) {
-    throw new Error("Invalid access token response");
+};
+var AppcheckTokenVerifier = class {
+  constructor(credential) {
+    this.credential = credential;
   }
-  return {
-    accessToken: json.access_token,
-    expirationTime: Date.now() + json.expires_in * 1e3
+  verifyToken = async (token, projectId, options) => {
+    const { data, errors } = await verifyAppCheckToken(token, options);
+    if (errors) {
+      throw errors[0];
+    }
+    return data;
   };
-}
-var ServiceAccountTokenManager = class {
-  projectId;
-  privateKey;
-  clientEmail;
-  constructor(serviceAccount) {
-    this.projectId = serviceAccount.projectId;
-    this.privateKey = serviceAccount.privateKey;
-    this.clientEmail = serviceAccount.clientEmail;
+};
+
+// src/app-check/index.ts
+var JWKS_URL = "https://firebaseappcheck.googleapis.com/v1/jwks";
+var AppCheck = class {
+  client;
+  tokenGenerator;
+  appCheckTokenVerifier;
+  limitedUse;
+  constructor(credential, tenantId, limitedUse) {
+    this.client = new AppCheckApi2(credential);
+    this.tokenGenerator = new AppCheckTokenGenerator(
+      cryptoSignerFromCredential(credential, tenantId)
+    );
+    this.appCheckTokenVerifier = new AppcheckTokenVerifier(credential);
+    this.limitedUse = limitedUse;
   }
-  fetchAccessToken = async (url) => {
-    const token = await this.createJwt();
-    const postData = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" + token;
-    return requestAccessToken(url, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-        Authorization: `Bearer ${token}`,
-        Accept: "application/json"
-      },
-      body: postData
+  createToken = (projectId, appId, options) => {
+    return this.tokenGenerator.createCustomToken(appId, options).then((customToken) => {
+      return this.client.exchangeToken({ customToken, projectId, appId });
     });
   };
-  fetchAndCacheAccessToken = async (url) => {
-    const accessToken = await this.fetchAccessToken(url);
-    accessTokenCache.set(this.projectId, accessToken);
-    return accessToken;
-  };
-  getAccessToken = async (refresh) => {
-    const url = `https://${GOOGLE_AUTH_TOKEN_HOST}${GOOGLE_AUTH_TOKEN_PATH}`;
-    if (refresh) {
-      return this.fetchAndCacheAccessToken(url);
-    }
-    const cachedResponse = accessTokenCache.get(this.projectId);
-    if (!cachedResponse || cachedResponse.expirationTime - Date.now() <= TOKEN_EXPIRY_THRESHOLD_MILLIS) {
-      return this.fetchAndCacheAccessToken(url);
-    }
-    return cachedResponse;
-  };
-  createJwt = async () => {
-    const iat = Math.floor(Date.now() / 1e3);
-    const payload = {
-      aud: GOOGLE_TOKEN_AUDIENCE,
-      iat,
-      exp: iat + ONE_HOUR_IN_SECONDS,
-      iss: this.clientEmail,
-      sub: this.clientEmail,
-      scope: [
-        "https://www.googleapis.com/auth/cloud-platform",
-        "https://www.googleapis.com/auth/firebase.database",
-        "https://www.googleapis.com/auth/firebase.messaging",
-        "https://www.googleapis.com/auth/identitytoolkit",
-        "https://www.googleapis.com/auth/userinfo.email"
-      ].join(" ")
-    };
-    return ternSignJwt({
-      payload,
-      privateKey: this.privateKey
+  verifyToken = async (appCheckToken, projectId, options) => {
+    return this.appCheckTokenVerifier.verifyToken(appCheckToken, projectId, { keyURL: JWKS_URL, ...options }).then((decodedToken) => {
+      return {
+        appId: decodedToken.app_id,
+        token: decodedToken
+      };
     });
   };
 };
+function getAppCheck2(serviceAccount, tenantId, limitedUse) {
+  return new AppCheck(new ServiceAccountManager(serviceAccount), tenantId, limitedUse);
+}
 
 // src/auth/getauth.ts
 var API_KEY_ERROR = "API Key is required";
@@ -1543,17 +2032,8 @@ function parseFirebaseResponse(data) {
   return data;
 }
 function getAuth(options) {
-  const { apiKey, firebaseAdminConfig } = options;
-  const firebaseApiKey = options.firebaseConfig?.apiKey;
-  const effectiveApiKey = apiKey || firebaseApiKey;
-  let credential = null;
-  if (firebaseAdminConfig?.projectId && firebaseAdminConfig?.privateKey && firebaseAdminConfig?.clientEmail) {
-    credential = new ServiceAccountTokenManager({
-      projectId: firebaseAdminConfig.projectId,
-      privateKey: firebaseAdminConfig.privateKey,
-      clientEmail: firebaseAdminConfig.clientEmail
-    });
-  }
+  const { apiKey } = options;
+  const effectiveApiKey = apiKey || process.env.NEXT_PUBLIC_FIREBASE_API_KEY;
   async function getUserData(idToken, localId) {
     if (!effectiveApiKey) {
       throw new Error(API_KEY_ERROR);
@@ -1638,43 +2118,12 @@ function getAuth(options) {
       auth_time: decodedCustomIdToken.data.auth_time
     };
   }
-  async function exchangeAppCheckToken(idToken) {
-    if (!credential) {
-      return {
-        data: null,
-        error: new Error(
-          "Firebase Admin config must be provided to exchange App Check tokens."
-        )
-      };
-    }
-    if (!effectiveApiKey) {
-      return { data: null, error: new Error(API_KEY_ERROR) };
-    }
+  async function createAppCheckToken() {
+    const adminConfig = loadAdminConfig();
+    const appId = process.env.NEXT_PUBLIC_FIREBASE_APP_ID || "";
+    const appCheck = getAppCheck2(adminConfig, options.tenantId);
     try {
-      const decoded = await verifyToken(idToken, options);
-      if (decoded.errors) {
-        return { data: null, error: decoded.errors[0] };
-      }
-      const customToken = await createCustomToken(decoded.data.uid, {
-        emailVerified: decoded.data.email_verified,
-        source_sign_in_provider: decoded.data.firebase.sign_in_provider
-      });
-      const projectId = options.firebaseConfig?.projectId;
-      const appId = options.firebaseConfig?.appId;
-      if (!projectId || !appId) {
-        return { data: null, error: new Error("Project ID and App ID are required for App Check") };
-      }
-      const { accessToken } = await credential.getAccessToken();
-      const appCheckResponse = await options.apiClient?.appCheck.exchangeCustomToken({
-        accessToken,
-        projectId,
-        appId,
-        customToken,
-        limitedUse: false
-      });
-      if (!appCheckResponse?.token) {
-        return { data: null, error: new Error("Failed to exchange for App Check token") };
-      }
+      const appCheckResponse = await appCheck.createToken(adminConfig.projectId, appId);
       return {
         data: {
           token: appCheckResponse.token,
@@ -1686,93 +2135,104 @@ function getAuth(options) {
       return { data: null, error };
     }
   }
+  async function verifyAppCheckToken2(token) {
+    const adminConfig = loadAdminConfig();
+    const appCheck = getAppCheck2(adminConfig, options.tenantId);
+    try {
+      const decodedToken = await appCheck.verifyToken(token, adminConfig.projectId, {});
+      return {
+        data: decodedToken,
+        error: null
+      };
+    } catch (error) {
+      return { data: null, error };
+    }
+  }
   return {
     getUserData,
     customForIdAndRefreshToken,
     createCustomIdAndRefreshToken,
     refreshExpiredIdToken,
-    exchangeAppCheckToken
+    createAppCheckToken,
+    verifyAppCheckToken: verifyAppCheckToken2
   };
 }
 
-// src/tokens/c-authenticateRequestProcessor.ts
-var RequestProcessorContext = class {
-  constructor(ternSecureRequest, options) {
-    this.ternSecureRequest = ternSecureRequest;
-    this.options = options;
-    this.initHeaderValues();
-    this.initCookieValues();
-    this.initHandshakeValues();
-    this.initUrlValues();
-    Object.assign(this, options);
-    this.ternUrl = this.ternSecureRequest.ternUrl;
-  }
-  get request() {
-    return this.ternSecureRequest;
-  }
-  initHeaderValues() {
-    this.sessionTokenInHeader = this.parseAuthorizationHeader(
-      this.getHeader(constants.Headers.Authorization)
-    );
-    this.origin = this.getHeader(constants.Headers.Origin);
-    this.host = this.getHeader(constants.Headers.Host);
-    this.forwardedHost = this.getHeader(constants.Headers.ForwardedHost);
-    this.forwardedProto = this.getHeader(constants.Headers.CloudFrontForwardedProto) || this.getHeader(constants.Headers.ForwardedProto);
-    this.referrer = this.getHeader(constants.Headers.Referrer);
-    this.userAgent = this.getHeader(constants.Headers.UserAgent);
-    this.secFetchDest = this.getHeader(constants.Headers.SecFetchDest);
-    this.accept = this.getHeader(constants.Headers.Accept);
-    this.appCheckToken = this.getHeader(constants.Headers.AppCheckToken);
-  }
-  initCookieValues() {
-    const isProduction = process.env.NODE_ENV === "production";
-    const defaultPrefix = isProduction ? "__HOST-" : "__dev_";
-    this.sessionTokenInCookie = this.getCookie(constants.Cookies.Session);
-    this.idTokenInCookie = this.getCookie(`${defaultPrefix}${constants.Cookies.IdToken}`);
-    this.refreshTokenInCookie = this.getCookie(`${defaultPrefix}${constants.Cookies.Refresh}`);
-    this.csrfTokenInCookie = this.getCookie(constants.Cookies.CsrfToken);
-    this.customTokenInCookie = this.getCookie(constants.Cookies.Custom);
-    this.ternAuth = Number.parseInt(this.getCookie(constants.Cookies.TernAut) || "0", 10);
-  }
-  initHandshakeValues() {
-    this.handshakeToken = this.getQueryParam(constants.QueryParameters.Handshake) || this.getCookie(constants.Cookies.Handshake);
-    this.handshakeNonce = this.getQueryParam(constants.QueryParameters.HandshakeNonce) || this.getCookie(constants.Cookies.HandshakeNonce);
-  }
-  initUrlValues() {
-    this.method = this.ternSecureRequest.method;
-    this.pathSegments = this.ternSecureRequest.ternUrl.pathname.split("/").filter(Boolean);
-    this.endpoint = this.pathSegments[2];
-    this.subEndpoint = this.pathSegments[3];
-  }
-  getQueryParam(name) {
-    return this.ternSecureRequest.ternUrl.searchParams.get(name);
-  }
-  getHeader(name) {
-    return this.ternSecureRequest.headers.get(name) || void 0;
+// src/auth/credential.ts
+var accessTokenCache = /* @__PURE__ */ new Map();
+async function requestAccessToken(urlString, init) {
+  const json = await fetchJson(urlString, init);
+  if (!json.access_token || !json.expires_in) {
+    throw new Error("Invalid access token response");
   }
-  getCookie(name) {
-    return this.ternSecureRequest.cookies.get(name) || void 0;
+  return {
+    accessToken: json.access_token,
+    expirationTime: Date.now() + json.expires_in * 1e3
+  };
+}
+var ServiceAccountManager = class {
+  projectId;
+  privateKey;
+  clientEmail;
+  constructor(serviceAccount) {
+    this.projectId = serviceAccount.projectId;
+    this.privateKey = serviceAccount.privateKey;
+    this.clientEmail = serviceAccount.clientEmail;
   }
-  parseAuthorizationHeader(authorizationHeader) {
-    if (!authorizationHeader) {
-      return void 0;
-    }
-    const [scheme, token] = authorizationHeader.split(" ", 2);
-    if (!token) {
-      return scheme;
+  fetchAccessToken = async (url) => {
+    const token = await this.createJwt();
+    const postData = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" + token;
+    return requestAccessToken(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Authorization: `Bearer ${token}`,
+        Accept: "application/json"
+      },
+      body: postData
+    });
+  };
+  fetchAndCacheAccessToken = async (url) => {
+    const accessToken = await this.fetchAccessToken(url);
+    accessTokenCache.set(this.projectId, accessToken);
+    return accessToken;
+  };
+  getAccessToken = async (refresh) => {
+    const url = `https://${GOOGLE_AUTH_TOKEN_HOST}${GOOGLE_AUTH_TOKEN_PATH}`;
+    if (refresh) {
+      return this.fetchAndCacheAccessToken(url);
     }
-    if (scheme === "Bearer") {
-      return token;
+    const cachedResponse = accessTokenCache.get(this.projectId);
+    if (!cachedResponse || cachedResponse.expirationTime - Date.now() <= TOKEN_EXPIRY_THRESHOLD_MILLIS) {
+      return this.fetchAndCacheAccessToken(url);
     }
-    return void 0;
-  }
-};
-var createRequestProcessor = (ternSecureRequest, options) => {
-  return new RequestProcessorContext(ternSecureRequest, options);
+    return cachedResponse;
+  };
+  createJwt = async () => {
+    const iat = Math.floor(Date.now() / 1e3);
+    const payload = {
+      aud: GOOGLE_TOKEN_AUDIENCE,
+      iat,
+      exp: iat + ONE_HOUR_IN_SECONDS,
+      iss: this.clientEmail,
+      sub: this.clientEmail,
+      scope: [
+        "https://www.googleapis.com/auth/cloud-platform",
+        "https://www.googleapis.com/auth/firebase.database",
+        "https://www.googleapis.com/auth/firebase.messaging",
+        "https://www.googleapis.com/auth/identitytoolkit",
+        "https://www.googleapis.com/auth/userinfo.email"
+      ].join(" ")
+    };
+    return ternSignJwt({
+      payload,
+      privateKey: this.privateKey
+    });
+  };
 };
 
 // src/tokens/cookie.ts
-var import_cookie2 = require("@tern-secure/shared/cookie");
+var import_cookie3 = require("@tern-secure/shared/cookie");
 
 // src/tokens/request.ts
 function hasAuthorizationHeader(request) {
@@ -1784,9 +2244,9 @@ function convertToSeconds(value) {
 function isRequestForRefresh(error, context, request) {
   return error.reason === TokenVerificationErrorReason.TokenExpired && !!context.refreshTokenInCookie && request.method === "GET";
 }
-async function authenticateRequest(request, options) {
+async function authenticateRequest2(request, options) {
   const context = createRequestProcessor(createTernSecureRequest(request), options);
-  const { refreshTokenInCookie, appCheckToken } = context;
+  const { refreshTokenInCookie } = context;
   const { refreshExpiredIdToken } = getAuth(options);
   function checkSessionTimeout(authTimeValue) {
     const defaultMaxAgeSeconds = convertToSeconds("5 days");
@@ -1809,8 +2269,7 @@ async function authenticateRequest(request, options) {
       };
     }
     return await refreshExpiredIdToken(refreshTokenInCookie, {
-      referer: context.ternUrl.origin,
-      appCheckToken
+      referer: context.ternUrl.origin
     });
   }
   async function handleRefresh() {
@@ -1821,8 +2280,8 @@ async function authenticateRequest(request, options) {
     const headers = new Headers();
     const { idToken } = refreshedData;
     const maxAge = 365 * 24 * 60 * 60;
-    const cookiePrefix = (0, import_cookie2.getCookiePrefix)();
-    const idTokenCookieName = (0, import_cookie2.getCookieName)(constants.Cookies.IdToken, cookiePrefix);
+    const cookiePrefix = (0, import_cookie3.getCookiePrefix)();
+    const idTokenCookieName = (0, import_cookie3.getCookieName)(constants.Cookies.IdToken, cookiePrefix);
     const baseCookieAttributes = `HttpOnly; Secure; SameSite=Strict; Max-Age=${maxAge}; Path=/`;
     const idTokenCookie = `${idTokenCookieName}=${idToken}; ${baseCookieAttributes};`;
     headers.append("Set-Cookie", idTokenCookie);
@@ -1912,24 +2371,7 @@ async function authenticateRequest(request, options) {
       if (errors) {
         throw errors[0];
       }
-      const { exchangeAppCheckToken } = getAuth(options);
-      let appCheckTokenValue;
-      try {
-        const idToken = context.idTokenInCookie || "";
-        const appCheckResult = await exchangeAppCheckToken(idToken);
-        console.log("[authenticateRequest] App Check exchange result:", appCheckResult);
-        if (appCheckResult.data?.token) {
-          appCheckTokenValue = appCheckResult.data.token;
-        }
-      } catch (error) {
-        console.warn("App Check token exchange failed:", error);
-      }
-      const headers = new Headers();
-      headers.set(
-        constants.Headers.AppCheckToken,
-        appCheckTokenValue || ""
-      );
-      const signedInRequestState = signedIn(context, data, headers, context.idTokenInCookie);
+      const signedInRequestState = signedIn(context, data, void 0, context.idTokenInCookie);
       return signedInRequestState;
     } catch (err) {
       return handleError(err, "cookie");
@@ -1943,23 +2385,7 @@ async function authenticateRequest(request, options) {
       if (errors) {
         throw errors[0];
       }
-      const { exchangeAppCheckToken } = getAuth(options);
-      let appCheckTokenValue;
-      try {
-        const token = sessionTokenInHeader || "";
-        const appCheckResult = await exchangeAppCheckToken(token);
-        if (appCheckResult.data?.token) {
-          appCheckTokenValue = appCheckResult.data.token;
-        }
-      } catch (error) {
-        console.warn("App Check token exchange failed:", error);
-      }
-      const headers = new Headers();
-      headers.set(
-        constants.Headers.AppCheckToken,
-        appCheckTokenValue || ""
-      );
-      const signedInRequestState = signedIn(context, data, headers, sessionTokenInHeader);
+      const signedInRequestState = signedIn(context, data, void 0, sessionTokenInHeader);
       return signedInRequestState;
     } catch (err) {
       return handleError(err, "header");
@@ -1973,17 +2399,8 @@ async function authenticateRequest(request, options) {
     if (isRequestForRefresh(err, context, request)) {
       const { data, error } = await handleRefresh();
       if (data) {
-        const { exchangeAppCheckToken } = getAuth(options);
-        let appCheckTokenValue;
-        try {
-          const appCheckResult = await exchangeAppCheckToken(data.token);
-          if (appCheckResult.data?.token) {
-            appCheckTokenValue = appCheckResult.data.token;
-          }
-        } catch (error2) {
-          console.warn("App Check token exchange failed in error handler:", error2);
-        }
-        return signedIn(context, data.decoded, data.headers, data.token);
+        const signedInState = signedIn(context, data.decoded, data.headers, data.token);
+        return signedInState;
       }
       if (error?.cause?.reason) {
         refreshError = error.cause.reason;
@@ -2012,7 +2429,7 @@ function createAuthenticateRequest(params) {
   const apiClient = params.apiClient;
   const handleAuthenticateRequest = (request, options = {}) => {
     const { apiUrl } = buildTimeOptions;
-    return authenticateRequest(request, { ...options, apiUrl, apiClient });
+    return authenticateRequest2(request, { ...options, apiUrl, apiClient });
   };
   return {
     authenticateRequest: handleAuthenticateRequest
@@ -2161,7 +2578,7 @@ var PostgresAdapter = class {
 };
 
 // src/adapters/RedisAdapter.ts
-var import_redis = require("@upstash/redis");
+var import_redis2 = require("@upstash/redis");
 var TTLCache = class {
   cache = /* @__PURE__ */ new Map();
   defaultTTL;
@@ -2218,7 +2635,7 @@ var RedisAdapter = class {
   cache;
   keyPrefix;
   constructor(config) {
-    this.redis = new import_redis.Redis({
+    this.redis = new import_redis2.Redis({
       url: config.url,
       token: config.token
     });
@@ -2300,6 +2717,7 @@ function validateCheckRevokedOptions(options) {
   createAdapter,
   createBackendInstanceClient,
   createRedirect,
+  createRequestProcessor,
   createTernSecureRequest,
   disableDebugLogging,
   enableDebugLogging,
@@ -2307,6 +2725,7 @@ function validateCheckRevokedOptions(options) {
   signedIn,
   signedInAuthObject,
   signedOutAuthObject,
-  validateCheckRevokedOptions
+  validateCheckRevokedOptions,
+  verifyToken
 });
 //# sourceMappingURL=index.js.map