@tern-secure/backend 1.2.0-canary.v20251127235234 → 1.2.0-canary.v20251202164451

package/dist/admin/index.mjs

@@ -1,602 +1,27 @@
 import {
-  createTernSecureRequest
-} from "../chunk-GFH5CXQR.mjs";
-import {
-  constants
-} from "../chunk-WIVOBOZR.mjs";
-
-// src/admin/sessionTernSecure.ts
-import { handleFirebaseAuthError } from "@tern-secure/shared/errors";
-
-// src/utils/admin-init.ts
-import admin from "firebase-admin";
-import { getAppCheck } from "firebase-admin/app-check";
-
-// src/utils/config.ts
-var loadAdminConfig = () => ({
-  projectId: process.env.FIREBASE_PROJECT_ID || "",
-  clientEmail: process.env.FIREBASE_CLIENT_EMAIL || "",
-  privateKey: process.env.FIREBASE_PRIVATE_KEY || ""
-});
-var validateAdminConfig = (config) => {
-  const requiredFields = [
-    "projectId",
-    "clientEmail",
-    "privateKey"
-  ];
-  const errors = [];
-  requiredFields.forEach((field) => {
-    if (!config[field]) {
-      errors.push(`Missing required field: FIREBASE_${String(field).toUpperCase()}`);
-    }
-  });
-  return {
-    isValid: errors.length === 0,
-    errors,
-    config
-  };
-};
-var initializeAdminConfig = () => {
-  const config = loadAdminConfig();
-  const validationResult = validateAdminConfig(config);
-  if (!validationResult.isValid) {
-    throw new Error(
-      `Firebase Admin configuration validation failed:
-${validationResult.errors.join("\n")}`
-    );
-  }
-  return config;
-};
-
-// src/utils/admin-init.ts
-if (!admin.apps.length) {
-  try {
-    const config = initializeAdminConfig();
-    admin.initializeApp({
-      credential: admin.credential.cert({
-        ...config,
-        privateKey: config.privateKey.replace(/\\n/g, "\n")
-      })
-    });
-  } catch (error) {
-    console.error("Firebase admin initialization error", error);
-  }
-}
-var adminTernSecureAuth = admin.auth();
-var adminTernSecureDb = admin.firestore();
-var TernSecureTenantManager = admin.auth().tenantManager();
-var appCheckAdmin = getAppCheck();
-function getAuthForTenant(tenantId) {
-  if (tenantId) {
-    return TernSecureTenantManager.authForTenant(tenantId);
-  }
-  return admin.auth();
-}
-
-// src/admin/sessionTernSecure.ts
-var DEFAULT_COOKIE_CONFIG = {
-  DEFAULT_EXPIRES_IN_MS: 5 * 60 * 1e3,
-  // 5 minutes
-  DEFAULT_EXPIRES_IN_SECONDS: 5 * 60,
-  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true
-};
-var DEFAULT_COOKIE_OPTIONS = {
-  httpOnly: true,
-  secure: process.env.NODE_ENV === "production",
-  sameSite: "strict",
-  path: "/"
-};
-var getCookieName = (baseName, prefix) => {
-  return prefix ? `${prefix}${baseName}` : baseName;
-};
-var createCookieOptions = (maxAge, overrides) => {
-  return {
-    maxAge,
-    httpOnly: overrides?.httpOnly ?? DEFAULT_COOKIE_OPTIONS.httpOnly,
-    secure: overrides?.secure ?? DEFAULT_COOKIE_OPTIONS.secure,
-    sameSite: overrides?.sameSite ?? DEFAULT_COOKIE_OPTIONS.sameSite,
-    path: overrides?.path ?? DEFAULT_COOKIE_OPTIONS.path
-  };
-};
-var getCookiePrefix = () => {
-  const isProduction = process.env.NODE_ENV === "production";
-  return isProduction ? "__HOST-" : "__dev_";
-};
-async function createSessionCookie(params, cookieStore, options) {
-  try {
-    const tenantAuth = getAuthForTenant(options?.tenantId || "");
-    const idToken = typeof params === "string" ? params : params.idToken;
-    const refreshToken = typeof params === "string" ? void 0 : params.refreshToken;
-    if (!idToken) {
-      return {
-        success: false,
-        message: "ID token is required",
-        error: "INVALID_TOKEN"
-      };
-    }
-    let decodedToken;
-    try {
-      decodedToken = await tenantAuth.verifyIdToken(idToken);
-    } catch (verifyError) {
-      const authError = handleFirebaseAuthError(verifyError);
-      return {
-        success: false,
-        message: authError.message,
-        error: authError.code
-      };
-    }
-    const cookiePromises = [];
-    const cookiePrefix = getCookiePrefix();
-    const idTokenCookieName = getCookieName(constants.Cookies.IdToken, cookiePrefix);
-    cookiePromises.push(
-      cookieStore.set(
-        idTokenCookieName,
-        idToken,
-        createCookieOptions(DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS)
-      )
-    );
-    if (refreshToken) {
-      const refreshTokenCookieName = getCookieName(constants.Cookies.Refresh, cookiePrefix);
-      cookiePromises.push(
-        cookieStore.set(
-          refreshTokenCookieName,
-          refreshToken,
-          createCookieOptions(DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS)
-        )
-      );
-    }
-    if (options?.cookies) {
-      const sessionOptions = options.cookies;
-      const sessionCookieName = getCookieName(constants.Cookies.Session);
-      const expiresIn = sessionOptions.maxAge ? sessionOptions.maxAge * 1e3 : DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_MS;
-      try {
-        const sessionCookie = await tenantAuth.createSessionCookie(idToken, { expiresIn });
-        cookiePromises.push(
-          cookieStore.set(
-            sessionCookieName,
-            sessionCookie,
-            createCookieOptions(
-              sessionOptions.maxAge || DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS,
-              {
-                httpOnly: sessionOptions.httpOnly,
-                sameSite: sessionOptions.sameSite,
-                path: sessionOptions.path
-              }
-            )
-          )
-        );
-      } catch (sessionError) {
-        console.error(
-          "[createSessionCookie] Firebase session cookie creation failed:",
-          sessionError
-        );
-        const authError = handleFirebaseAuthError(sessionError);
-        return {
-          success: false,
-          message: authError.message,
-          error: authError.code
-        };
-      }
-    }
-    if (options?.enableCustomToken && decodedToken?.uid) {
-      const customTokenCookieName = getCookieName(constants.Cookies.Custom, cookiePrefix);
-      const customToken = await createCustomToken(decodedToken.uid, options);
-      if (customToken) {
-        cookiePromises.push(
-          cookieStore.set(
-            customTokenCookieName,
-            customToken,
-            createCookieOptions(DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS)
-          )
-        );
-      }
-    }
-    await Promise.all(cookiePromises);
-    return {
-      success: true,
-      message: "Session created successfully",
-      expiresIn: DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS
-    };
-  } catch (error) {
-    console.error("[createSessionCookie] Unexpected error:", error);
-    const authError = handleFirebaseAuthError(error);
-    return {
-      success: false,
-      message: authError.message || "Failed to create session",
-      error: authError.code || "INTERNAL_ERROR"
-    };
-  }
-}
-async function clearSessionCookie(cookieStore, options) {
-  try {
-    const adminAuth = getAuthForTenant(options?.tenantId || "");
-    const cookiePrefix = getCookiePrefix();
-    const sessionCookieName = getCookieName(constants.Cookies.Session, cookiePrefix);
-    const sessionCookie = await cookieStore.get(sessionCookieName);
-    const deletionPromises = [];
-    if (options?.cookies) {
-      deletionPromises.push(cookieStore.delete(sessionCookieName));
-    }
-    const idTokenCookieName = getCookieName(constants.Cookies.IdToken, cookiePrefix);
-    deletionPromises.push(cookieStore.delete(idTokenCookieName));
-    const refreshTokenCookieName = getCookieName(constants.Cookies.Refresh, cookiePrefix);
-    deletionPromises.push(cookieStore.delete(refreshTokenCookieName));
-    const customTokenCookieName = getCookieName(constants.Cookies.Custom, cookiePrefix);
-    deletionPromises.push(cookieStore.delete(customTokenCookieName));
-    const authTimeCookieName = constants.Cookies.TernAut;
-    deletionPromises.push(cookieStore.delete(authTimeCookieName));
-    deletionPromises.push(cookieStore.delete(constants.Cookies.Session));
-    await Promise.all(deletionPromises);
-    if (DEFAULT_COOKIE_CONFIG.REVOKE_REFRESH_TOKENS_ON_SIGNOUT && sessionCookie?.value) {
-      try {
-        const decodedClaims = await adminAuth.verifySessionCookie(sessionCookie.value);
-        await adminAuth.revokeRefreshTokens(decodedClaims.sub);
-      } catch (revokeError) {
-        console.error("[clearSessionCookie] Failed to revoke refresh tokens:", revokeError);
-      }
-    }
-    return {
-      success: true,
-      message: "Session cleared successfully"
-    };
-  } catch (error) {
-    const authError = handleFirebaseAuthError(error);
-    return {
-      success: false,
-      message: authError.message || "Failed to clear session",
-      error: authError.code || "INTERNAL_ERROR"
-    };
-  }
-}
-async function createCustomToken(uid, options) {
-  const adminAuth = getAuthForTenant(options?.tenantId || "");
-  try {
-    const customToken = await adminAuth.createCustomToken(uid);
-    return customToken;
-  } catch (error) {
-    console.error("[createCustomToken] Error creating custom token:", error);
-    return null;
-  }
-}
-async function createCustomTokenClaims(uid, developerClaims) {
-  const adminAuth = getAuthForTenant();
-  try {
-    const customToken = await adminAuth.createCustomToken(uid, developerClaims);
-    return customToken;
-  } catch (error) {
-    console.error("[createCustomToken] Error creating custom token:", error);
-    return "";
-  }
-}
-
-// src/admin/tenant.ts
-async function createTenant(displayName, emailSignInConfig, multiFactorConfig) {
-  try {
-    const tenantConfig = {
-      displayName,
-      emailSignInConfig,
-      ...multiFactorConfig && { multiFactorConfig }
-    };
-    const tenant = await TernSecureTenantManager.createTenant(tenantConfig);
-    return {
-      success: true,
-      tenantId: tenant.tenantId,
-      displayName: tenant.displayName
-    };
-  } catch (error) {
-    console.error("Error creating tenant:", error);
-    throw new Error("Failed to create tenant");
-  }
-}
-async function createTenantUser(email, password, tenantId) {
-  try {
-    const tenantAuth = TernSecureTenantManager.authForTenant(tenantId);
-    const userRecord = await tenantAuth.createUser({
-      email,
-      password,
-      emailVerified: false,
-      disabled: false
-    });
-    return {
-      status: "success",
-      user: userRecord,
-      message: "Tenant user created successfully"
-    };
-  } catch (error) {
-    console.error("Error creating tenant user:", error);
-    throw new Error("Failed to create tenant user");
-  }
-}
-
-// src/admin/nextSessionTernSecure.ts
-import { getCookieName as getCookieName2, getCookiePrefix as getCookiePrefix2 } from "@tern-secure/shared/cookie";
-import { handleFirebaseAuthError as handleFirebaseAuthError2 } from "@tern-secure/shared/errors";
-import { cookies } from "next/headers";
-var SESSION_CONSTANTS = {
-  COOKIE_NAME: constants.Cookies.Session,
-  DEFAULT_EXPIRES_IN_MS: 60 * 60 * 24 * 5 * 1e3,
-  // 5 days
-  DEFAULT_EXPIRES_IN_SECONDS: 60 * 60 * 24 * 5,
-  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true
-};
-var debugLog = {
-  log: (...args) => {
-    if (process.env.NODE_ENV === "development") {
-      console.log(...args);
-    }
-  },
-  warn: (...args) => {
-    if (process.env.NODE_ENV === "development") {
-      console.warn(...args);
-    }
-  },
-  error: (...args) => {
-    console.error(...args);
-  }
-};
-async function CreateNextSessionCookie(idToken) {
-  try {
-    const expiresIn = 60 * 60 * 24 * 5 * 1e3;
-    const sessionCookie = await adminTernSecureAuth.createSessionCookie(idToken, {
-      expiresIn
-    });
-    const cookieStore = await cookies();
-    cookieStore.set(constants.Cookies.Session, sessionCookie, {
-      maxAge: expiresIn,
-      httpOnly: true,
-      secure: process.env.NODE_ENV === "production",
-      path: "/"
-    });
-    return { success: true, message: "Session created" };
-  } catch (error) {
-    return { success: false, message: "Failed to create session" };
-  }
-}
-async function GetNextServerSessionCookie() {
-  const cookieStore = await cookies();
-  const sessionCookie = cookieStore.get("_session_cookie")?.value;
-  if (!sessionCookie) {
-    throw new Error("No session cookie found");
-  }
-  try {
-    const decondeClaims = await adminTernSecureAuth.verifySessionCookie(sessionCookie, true);
-    return {
-      token: sessionCookie,
-      userId: decondeClaims.uid
-    };
-  } catch (error) {
-    console.error("Error verifying session:", error);
-    throw new Error("Invalid Session");
-  }
-}
-async function GetNextIdToken() {
-  const cookieStore = await cookies();
-  const token = cookieStore.get("_session_token")?.value;
-  if (!token) {
-    throw new Error("No session cookie found");
-  }
-  try {
-    const decodedClaims = await adminTernSecureAuth.verifyIdToken(token);
-    return {
-      token,
-      userId: decodedClaims.uid
-    };
-  } catch (error) {
-    console.error("Error verifying session:", error);
-    throw new Error("Invalid Session");
-  }
-}
-async function SetNextServerSession(token) {
-  try {
-    const cookieStore = await cookies();
-    cookieStore.set("_session_token", token, {
-      httpOnly: true,
-      secure: process.env.NODE_ENV === "production",
-      sameSite: "strict",
-      maxAge: 60 * 60,
-      // 1 hour
-      path: "/"
-    });
-    return { success: true, message: "Session created" };
-  } catch {
-    return { success: false, message: "Failed to create session" };
-  }
-}
-async function SetNextServerToken(token) {
-  try {
-    const cookieStore = await cookies();
-    cookieStore.set("_tern", token, {
-      httpOnly: true,
-      secure: process.env.NODE_ENV === "production",
-      sameSite: "strict",
-      maxAge: 60 * 60,
-      // 1 hour
-      path: "/"
-    });
-    return { success: true, message: "Session created" };
-  } catch {
-    return { success: false, message: "Failed to create session" };
-  }
-}
-async function VerifyNextTernIdToken(token) {
-  try {
-    const decodedToken = await adminTernSecureAuth.verifyIdToken(token);
-    return {
-      ...decodedToken,
-      valid: true
-    };
-  } catch (error) {
-    console.error("[VerifyNextTernIdToken] Error verifying session:", error);
-    const authError = handleFirebaseAuthError2(error);
-    return {
-      valid: false,
-      error: authError
-    };
-  }
-}
-async function VerifyNextTernSessionCookie(session) {
-  try {
-    const res = await adminTernSecureAuth.verifySessionCookie(session);
-    console.warn("[VerifyNextTernSessionCookie] uid in Decoded Token:", res.uid);
-    return {
-      valid: true,
-      ...res
-    };
-  } catch (error) {
-    console.error("[VerifyNextTernSessionCookie] Error verifying session:", error);
-    const authError = handleFirebaseAuthError2(error);
-    return {
-      valid: false,
-      error: authError
-    };
-  }
-}
-async function ClearNextSessionCookie(tenantId, deleteOptions) {
-  try {
-    const tenantAuth = getAuthForTenant(tenantId || "");
-    const cookieStore = await cookies();
-    const sessionCookie = cookieStore.get(SESSION_CONSTANTS.COOKIE_NAME);
-    const cookiePrefix = getCookiePrefix2();
-    const idTokenCookieName = getCookieName2(constants.Cookies.IdToken, cookiePrefix);
-    const idTokenCookie = cookieStore.get(idTokenCookieName);
-    const finalDeleteOptions = {
-      path: deleteOptions?.path,
-      domain: deleteOptions?.domain,
-      httpOnly: deleteOptions?.httpOnly,
-      secure: deleteOptions?.secure,
-      sameSite: deleteOptions?.sameSite
-    };
-    const idRefreshCustomTokenDeleteOptions = {
-      path: "/",
-      httpOnly: true,
-      secure: process.env.NODE_ENV === "production",
-      sameSite: "strict"
-    };
-    cookieStore.delete({ name: SESSION_CONSTANTS.COOKIE_NAME, ...finalDeleteOptions });
-    cookieStore.delete({ name: constants.Cookies.TernAut });
-    cookieStore.delete({ name: idTokenCookieName, ...idRefreshCustomTokenDeleteOptions });
-    cookieStore.delete({
-      name: getCookieName2(constants.Cookies.Refresh, cookiePrefix),
-      ...idRefreshCustomTokenDeleteOptions
-    });
-    cookieStore.delete({ name: constants.Cookies.Custom, ...idRefreshCustomTokenDeleteOptions });
-    const shouldRevokeTokens = deleteOptions?.revokeRefreshTokensOnSignOut ?? SESSION_CONSTANTS.REVOKE_REFRESH_TOKENS_ON_SIGNOUT;
-    if (shouldRevokeTokens) {
-      try {
-        let userSub;
-        if (sessionCookie?.value) {
-          try {
-            const decodedClaims = await tenantAuth.verifySessionCookie(sessionCookie.value);
-            userSub = decodedClaims.sub;
-          } catch (sessionError) {
-            debugLog.warn(
-              "[ClearNextSessionCookie] Session cookie verification failed:",
-              sessionError
-            );
-          }
-        }
-        if (!userSub) {
-          if (idTokenCookie?.value) {
-            try {
-              const decodedIdToken = await tenantAuth.verifyIdToken(idTokenCookie.value);
-              userSub = decodedIdToken.sub;
-            } catch (idTokenError) {
-              debugLog.warn("[ClearNextSessionCookie] ID token verification failed:", idTokenError);
-            }
-          }
-        }
-        if (userSub) {
-          await tenantAuth.revokeRefreshTokens(userSub);
-          debugLog.log(`[ClearNextSessionCookie] Successfully revoked tokens for user: ${userSub}`);
-        } else {
-          debugLog.warn("[ClearNextSessionCookie] No valid token found for revocation");
-        }
-      } catch (revokeError) {
-        debugLog.error("[ClearNextSessionCookie] Failed to revoke refresh tokens:", revokeError);
-      }
-    }
-    return { success: true, message: "Session cleared successfully" };
-  } catch (error) {
-    debugLog.error("Error clearing session:", error);
-    return { success: false, message: "Failed to clear session cookies" };
-  }
-}
-
-// src/instance/backendInstance.ts
-var createBackendInstance = async (request) => {
-  const ternSecureRequest = createTernSecureRequest(request);
-  const requestState = await authenticateRequest(request);
-  return {
-    ternSecureRequest,
-    requestState
-  };
-};
-async function authenticateRequest(request) {
-  const sessionCookie = request.headers.get("cookie");
-  const sessionToken = sessionCookie?.split(";").find((c) => c.trim().startsWith("_session_cookie="))?.split("=")[1];
-  if (!sessionToken) {
-    throw new Error("No session token found");
-  }
-  const verificationResult = await VerifyNextTernSessionCookie(sessionToken);
-  if (!verificationResult.valid) {
-    throw new Error("Invalid session token");
-  }
-  return signedIn(
-    verificationResult,
-    new Headers(request.headers),
-    sessionToken
-  );
-}
-function signInAuthObject(session) {
-  return {
-    session,
-    userId: session.uid,
-    has: {}
-  };
-}
-function signedIn(session, headers = new Headers(), token) {
-  const authObject = signInAuthObject(session);
-  return {
-    auth: () => authObject,
-    token,
-    headers
-  };
-}
-
-// src/admin/user.ts
-import { handleFirebaseAuthError as handleFirebaseAuthError3 } from "@tern-secure/shared/errors";
-function RetrieveUser(tenantId) {
-  const auth = getAuthForTenant(tenantId);
-  async function getUserUid(uid) {
-    try {
-      const user = await auth.getUser(uid);
-      return { data: user, error: null };
-    } catch (error) {
-      return { data: null, error: handleFirebaseAuthError3(error) };
-    }
-  }
-  async function getUserByEmail(email) {
-    try {
-      const user = await auth.getUserByEmail(email);
-      return { data: user, error: null };
-    } catch (error) {
-      return { data: null, error: handleFirebaseAuthError3(error) };
-    }
-  }
-  async function getUserByPhoneNumber(phoneNumber) {
-    try {
-      const user = await auth.getUserByPhoneNumber(phoneNumber);
-      return { data: user, error: null };
-    } catch (error) {
-      return { data: null, error: handleFirebaseAuthError3(error) };
-    }
-  }
-  return {
-    getUserUid,
-    getUserByEmail,
-    getUserByPhoneNumber
-  };
-}
+  ClearNextSessionCookie,
+  CreateNextSessionCookie,
+  GetNextIdToken,
+  GetNextServerSessionCookie,
+  RetrieveUser,
+  SetNextServerSession,
+  SetNextServerToken,
+  TernSecureTenantManager,
+  VerifyNextTernIdToken,
+  VerifyNextTernSessionCookie,
+  adminTernSecureAuth,
+  adminTernSecureDb,
+  appCheckAdmin,
+  authenticateRequest,
+  clearSessionCookie,
+  createBackendInstance,
+  createCustomTokenClaims,
+  createSessionCookie,
+  createTenant,
+  createTenantUser,
+  initializeAdminConfig,
+  signedIn
+} from "../chunk-34QENCWP.mjs";
 export {
   ClearNextSessionCookie,
   CreateNextSessionCookie,
@@ -610,6 +35,7 @@ export {
   VerifyNextTernSessionCookie,
   adminTernSecureAuth,
   adminTernSecureDb,
+  appCheckAdmin,
   authenticateRequest,
   clearSessionCookie,
   createBackendInstance,