@tern-secure/backend 1.2.0-canary.v20251127235234 → 1.2.0-canary.v20251202164451

package/dist/admin/index.mjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/admin/sessionTernSecure.ts","../../src/utils/admin-init.ts","../../src/utils/config.ts","../../src/admin/tenant.ts","../../src/admin/nextSessionTernSecure.ts","../../src/instance/backendInstance.ts","../../src/admin/user.ts"],"sourcesContent":["'use server';\r\nimport { handleFirebaseAuthError } from '@tern-secure/shared/errors';\r\nimport type {\r\n  CookieStore,\r\n  SessionParams,\r\n  SessionResult,\r\n  TernSecureHandlerOptions,\r\n} from '@tern-secure/types';\r\n\r\nimport { constants } from '../constants';\r\nimport { getAuthForTenant } from '../utils/admin-init';\r\n\r\n\r\n/**\r\n * Generates cookie name with optional prefix\r\n */\r\n\r\nconst DEFAULT_COOKIE_CONFIG = {\r\n  DEFAULT_EXPIRES_IN_MS: 5 * 60 * 1000, // 5 minutes\r\n  DEFAULT_EXPIRES_IN_SECONDS: 5 * 60,\r\n  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true,\r\n} as const;\r\n\r\nconst DEFAULT_COOKIE_OPTIONS = {\r\n  httpOnly: true,\r\n  secure: process.env.NODE_ENV === 'production',\r\n  sameSite: 'strict' as const,\r\n  path: '/',\r\n} as const;\r\n\r\n/**\r\n * Generates cookie name with optional prefix\r\n */\r\nconst getCookieName = (baseName: string, prefix?: string): string => {\r\n  return prefix ? `${prefix}${baseName}` : baseName;\r\n};\r\n\r\n/**\r\n * Creates standard cookie options with optional overrides\r\n */\r\nconst createCookieOptions = (\r\n  maxAge: number,\r\n  overrides?: {\r\n    httpOnly?: boolean;\r\n    secure?: boolean;\r\n    sameSite?: 'strict' | 'lax' | 'none';\r\n    path?: string;\r\n  },\r\n) => {\r\n  return {\r\n    maxAge,\r\n    httpOnly: overrides?.httpOnly ?? DEFAULT_COOKIE_OPTIONS.httpOnly,\r\n    secure: overrides?.secure ?? DEFAULT_COOKIE_OPTIONS.secure,\r\n    sameSite: overrides?.sameSite ?? DEFAULT_COOKIE_OPTIONS.sameSite,\r\n    path: overrides?.path ?? DEFAULT_COOKIE_OPTIONS.path,\r\n  };\r\n};\r\n\r\n/**\r\n * Determines the appropriate cookie prefix based on environment and options\r\n */\r\nconst getCookiePrefix = (): string => {\r\n  const isProduction = process.env.NODE_ENV === 'production';\r\n  return isProduction ? '__HOST-' : '__dev_';\r\n};\r\n\r\n/**\r\n * Creates cookies for user session management\r\n * @param params - Session parameters containing idToken and optional refreshToken\r\n * @param cookieStore - Cookie store interface for managing cookies\r\n * @param options - TernSecure handler options containing cookie configurations\r\n */\r\nexport async function createSessionCookie(\r\n  params: SessionParams | string,\r\n  cookieStore: CookieStore,\r\n  options?: TernSecureHandlerOptions,\r\n): Promise<SessionResult> {\r\n  try {\r\n    const tenantAuth = getAuthForTenant(options?.tenantId || '');\r\n\r\n    const idToken = typeof params === 'string' ? params : params.idToken;\r\n    const refreshToken = typeof params === 'string' ? undefined : (params as any).refreshToken;\r\n\r\n    if (!idToken) {\r\n      return {\r\n        success: false,\r\n        message: 'ID token is required',\r\n        error: 'INVALID_TOKEN',\r\n      };\r\n    }\r\n\r\n    // Verify the ID token\r\n    let decodedToken;\r\n    try {\r\n      decodedToken = await tenantAuth.verifyIdToken(idToken);\r\n    } catch (verifyError) {\r\n      const authError = handleFirebaseAuthError(verifyError);\r\n      return {\r\n        success: false,\r\n        message: authError.message,\r\n        error: authError.code,\r\n      };\r\n    }\r\n\r\n    const cookiePromises: Promise<void>[] = [];\r\n    const cookiePrefix = getCookiePrefix();\r\n\r\n    // Always set idToken cookie by default\r\n    const idTokenCookieName = getCookieName(constants.Cookies.IdToken, cookiePrefix);\r\n    cookiePromises.push(\r\n      cookieStore.set(\r\n        idTokenCookieName,\r\n        idToken,\r\n        createCookieOptions(DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS),\r\n      ),\r\n    );\r\n\r\n    // Always set refreshToken cookie by default if provided\r\n    if (refreshToken) {\r\n      const refreshTokenCookieName = getCookieName(constants.Cookies.Refresh, cookiePrefix);\r\n      cookiePromises.push(\r\n        cookieStore.set(\r\n          refreshTokenCookieName,\r\n          refreshToken,\r\n          createCookieOptions(DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS),\r\n        ),\r\n      );\r\n    }\r\n\r\n    // Create and set session cookie only if session config is provided\r\n    if (options?.cookies) {\r\n      const sessionOptions = options.cookies;\r\n      const sessionCookieName = getCookieName(constants.Cookies.Session);\r\n      const expiresIn = sessionOptions.maxAge\r\n        ? sessionOptions.maxAge * 1000\r\n        : DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_MS;\r\n\r\n      try {\r\n        const sessionCookie = await tenantAuth.createSessionCookie(idToken, { expiresIn });\r\n        cookiePromises.push(\r\n          cookieStore.set(\r\n            sessionCookieName,\r\n            sessionCookie,\r\n            createCookieOptions(\r\n              sessionOptions.maxAge || DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS,\r\n              {\r\n                httpOnly: sessionOptions.httpOnly,\r\n                sameSite: sessionOptions.sameSite,\r\n                path: sessionOptions.path,\r\n              },\r\n            ),\r\n          ),\r\n        );\r\n      } catch (sessionError) {\r\n        console.error(\r\n          '[createSessionCookie] Firebase session cookie creation failed:',\r\n          sessionError,\r\n        );\r\n        const authError = handleFirebaseAuthError(sessionError);\r\n        return {\r\n          success: false,\r\n          message: authError.message,\r\n          error: authError.code,\r\n        };\r\n      }\r\n    }\r\n\r\n    // Create and set custom token cookie only if enableCustomToken is true\r\n    if (options?.enableCustomToken && decodedToken?.uid) {\r\n      const customTokenCookieName = getCookieName(constants.Cookies.Custom, cookiePrefix);\r\n      const customToken = await createCustomToken(decodedToken.uid, options);\r\n      if (customToken) {\r\n        cookiePromises.push(\r\n          cookieStore.set(\r\n            customTokenCookieName,\r\n            customToken,\r\n            createCookieOptions(DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS),\r\n          ),\r\n        );\r\n      }\r\n    }\r\n\r\n    await Promise.all(cookiePromises);\r\n\r\n    return {\r\n      success: true,\r\n      message: 'Session created successfully',\r\n      expiresIn: DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS,\r\n    };\r\n  } catch (error) {\r\n    console.error('[createSessionCookie] Unexpected error:', error);\r\n    const authError = handleFirebaseAuthError(error);\r\n    return {\r\n      success: false,\r\n      message: authError.message || 'Failed to create session',\r\n      error: authError.code || 'INTERNAL_ERROR',\r\n    };\r\n  }\r\n}\r\n\r\n/**\r\n * Clears user session cookies\r\n * @param cookieStore - Cookie store interface for managing cookies\r\n * @param options - TernSecure handler options containing cookie configurations\r\n */\r\nexport async function clearSessionCookie(\r\n  cookieStore: CookieStore,\r\n  options?: TernSecureHandlerOptions,\r\n): Promise<SessionResult> {\r\n  try {\r\n    const adminAuth = getAuthForTenant(options?.tenantId || '');\r\n    const cookiePrefix = getCookiePrefix();\r\n\r\n    // Get the session cookie name for revocation purposes\r\n    const sessionCookieName = getCookieName(constants.Cookies.Session, cookiePrefix);\r\n    const sessionCookie = await cookieStore.get(sessionCookieName);\r\n\r\n    const deletionPromises: Promise<void>[] = [];\r\n\r\n    // Delete all cookie types\r\n    // Session cookie (only if it was configured)\r\n    if (options?.cookies) {\r\n      deletionPromises.push(cookieStore.delete(sessionCookieName));\r\n    }\r\n\r\n    // Always delete default cookies\r\n    const idTokenCookieName = getCookieName(constants.Cookies.IdToken, cookiePrefix);\r\n    deletionPromises.push(cookieStore.delete(idTokenCookieName));\r\n\r\n    const refreshTokenCookieName = getCookieName(constants.Cookies.Refresh, cookiePrefix);\r\n    deletionPromises.push(cookieStore.delete(refreshTokenCookieName));\r\n\r\n    const customTokenCookieName = getCookieName(constants.Cookies.Custom, cookiePrefix);\r\n    deletionPromises.push(cookieStore.delete(customTokenCookieName));\r\n\r\n    // Delete auth_time cookie\r\n    const authTimeCookieName = constants.Cookies.TernAut;\r\n    deletionPromises.push(cookieStore.delete(authTimeCookieName));\r\n\r\n    // Also delete legacy cookie names for backward compatibility\r\n    deletionPromises.push(cookieStore.delete(constants.Cookies.Session));\r\n\r\n    await Promise.all(deletionPromises);\r\n\r\n    // Revoke refresh tokens if session cookie exists and revocation is enabled\r\n    if (DEFAULT_COOKIE_CONFIG.REVOKE_REFRESH_TOKENS_ON_SIGNOUT && sessionCookie?.value) {\r\n      try {\r\n        const decodedClaims = await adminAuth.verifySessionCookie(sessionCookie.value);\r\n        await adminAuth.revokeRefreshTokens(decodedClaims.sub);\r\n      } catch (revokeError) {\r\n        console.error('[clearSessionCookie] Failed to revoke refresh tokens:', revokeError);\r\n      }\r\n    }\r\n\r\n    return {\r\n      success: true,\r\n      message: 'Session cleared successfully',\r\n    };\r\n  } catch (error) {\r\n    const authError = handleFirebaseAuthError(error);\r\n    return {\r\n      success: false,\r\n      message: authError.message || 'Failed to clear session',\r\n      error: authError.code || 'INTERNAL_ERROR',\r\n    };\r\n  }\r\n}\r\n\r\n/**\r\n * Creates a custom token for a user\r\n * @param uid - User ID to create the custom token for\r\n * @param options - TernSecure handler options\r\n * @returns Promise resolving to the custom token string or null if creation fails\r\n */\r\nexport async function createCustomToken(\r\n  uid: string,\r\n  options?: TernSecureHandlerOptions,\r\n): Promise<string | null> {\r\n  const adminAuth = getAuthForTenant(options?.tenantId || '');\r\n  try {\r\n    const customToken = await adminAuth.createCustomToken(uid);\r\n    return customToken;\r\n  } catch (error) {\r\n    console.error('[createCustomToken] Error creating custom token:', error);\r\n    return null;\r\n  }\r\n}\r\n\r\n\r\nexport async function createCustomTokenClaims(\r\n  uid: string,\r\n  developerClaims?: { [key: string]: unknown },\r\n): Promise<string> {\r\n  const adminAuth = getAuthForTenant();\r\n  try {\r\n    const customToken = await adminAuth.createCustomToken(uid, developerClaims);\r\n    return customToken;\r\n  } catch (error) {\r\n    console.error('[createCustomToken] Error creating custom token:', error);\r\n    return '';\r\n  }\r\n}\r\n","import admin from 'firebase-admin';\r\nimport { getAppCheck } from \"firebase-admin/app-check\";\r\n\r\nimport { initializeAdminConfig } from './config';\r\n\r\nif (!admin.apps.length) {\r\n  try {\r\n    const config = initializeAdminConfig();\r\n    admin.initializeApp({\r\n      credential: admin.credential.cert({\r\n        ...config,\r\n        privateKey: config.privateKey.replace(/\\\\n/g, '\\n'),\r\n      }),\r\n    });\r\n  } catch (error) {\r\n    console.error('Firebase admin initialization error', error);\r\n  }\r\n}\r\n\r\nexport const adminTernSecureAuth: admin.auth.Auth = admin.auth();\r\nexport const adminTernSecureDb: admin.firestore.Firestore = admin.firestore();\r\nexport const TernSecureTenantManager: admin.auth.TenantManager = admin.auth().tenantManager();\r\nexport const appCheckAdmin: admin.appCheck.AppCheck = getAppCheck();\r\n\r\n/**\r\n * Gets the appropriate Firebase Auth instance.\r\n * If a tenantId is provided, it returns the Auth instance for that tenant.\r\n * Otherwise, it returns the default project-level Auth instance.\r\n * @param tenantId - The optional tenant ID.\r\n * @returns An admin.auth.Auth instance.\r\n */\r\nexport function getAuthForTenant(tenantId?: string): admin.auth.Auth {\r\n  if (tenantId) {\r\n    return TernSecureTenantManager.authForTenant(tenantId) as unknown as admin.auth.Auth;\r\n  }\r\n  return admin.auth();\r\n}","import type { \r\n  AdminConfigValidationResult, \r\n  ConfigValidationResult, \r\n  TernSecureAdminConfig, \r\n  TernSecureConfig} from '@tern-secure/types'\r\n\r\n/**\r\n * Loads Firebase configuration from environment variables\r\n * @returns {TernSecureConfig} Firebase configuration object\r\n */\r\nexport const loadFireConfig = (): TernSecureConfig => ({\r\n  apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY || '',\r\n  authDomain: process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN || '',\r\n  projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID || '',\r\n  storageBucket: process.env.NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET || '',\r\n  messagingSenderId: process.env.NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID || '',\r\n  appId: process.env.NEXT_PUBLIC_FIREBASE_APP_ID || '',\r\n  measurementId: process.env.NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID || undefined,\r\n})\r\n\r\n/**\r\n * Validates Firebase configuration\r\n * @param {TernSecureConfig} config - Firebase configuration object\r\n * @throws {Error} If required configuration values are missing\r\n * @returns {TernSecureConfig} Validated configuration object\r\n */\r\nexport const validateConfig = (config: TernSecureConfig): ConfigValidationResult => {\r\n  const requiredFields: (keyof TernSecureConfig)[] = [\r\n    'apiKey',\r\n    'authDomain',\r\n    'projectId',\r\n    'storageBucket',\r\n    'messagingSenderId',\r\n    'appId'\r\n  ]\r\n\r\n  const errors: string[] = []\r\n  \r\n  requiredFields.forEach(field => {\r\n    if (!config[field]) {\r\n      errors.push(`Missing required field: NEXT_PUBLIC_FIREBASE_${String(field).toUpperCase()}`)\r\n    }\r\n  })\r\n\r\n  return {\r\n    isValid: errors.length === 0,\r\n    errors,\r\n    config\r\n  }\r\n}\r\n\r\n/**\r\n * Initializes configuration with validation\r\n * @throws {Error} If configuration is invalid\r\n */\r\nexport const initializeConfig = (): TernSecureConfig => {\r\n  const config = loadFireConfig()\r\n  const validationResult = validateConfig(config)\r\n\r\n  if (!validationResult.isValid) {\r\n    throw new Error(\r\n      `Firebase configuration validation failed:\\n${validationResult.errors.join('\\n')}`\r\n    )\r\n  }\r\n\r\n  return config\r\n}\r\n\r\n/**\r\n * Loads Firebase Admin configuration from environment variables\r\n * @returns {AdminConfig} Firebase Admin configuration object\r\n */\r\nexport const loadAdminConfig = (): TernSecureAdminConfig => ({\r\n  projectId: process.env.FIREBASE_PROJECT_ID || '',\r\n  clientEmail: process.env.FIREBASE_CLIENT_EMAIL || '',\r\n  privateKey: process.env.FIREBASE_PRIVATE_KEY || '',\r\n})\r\n\r\n/**\r\n * Validates Firebase Admin configuration\r\n * @param {AdminConfig} config - Firebase Admin configuration object\r\n * @returns {ConfigValidationResult} Validation result\r\n */\r\nexport const validateAdminConfig = (config: TernSecureAdminConfig): AdminConfigValidationResult => {\r\n  const requiredFields: (keyof TernSecureAdminConfig)[] = [\r\n    'projectId',\r\n    'clientEmail',\r\n    'privateKey'\r\n  ]\r\n\r\n  const errors: string[] = []\r\n  \r\n  requiredFields.forEach(field => {\r\n    if (!config[field]) {\r\n      errors.push(`Missing required field: FIREBASE_${String(field).toUpperCase()}`)\r\n    }\r\n  })\r\n\r\n  return {\r\n    isValid: errors.length === 0,\r\n    errors,\r\n    config\r\n  }\r\n}\r\n\r\n/**\r\n * Initializes admin configuration with validation\r\n * @throws {Error} If configuration is invalid\r\n */\r\nexport const initializeAdminConfig = (): TernSecureAdminConfig => {\r\n  const config = loadAdminConfig()\r\n  const validationResult = validateAdminConfig(config)\r\n\r\n  if (!validationResult.isValid) {\r\n    throw new Error(\r\n      `Firebase Admin configuration validation failed:\\n${validationResult.errors.join('\\n')}`\r\n    )\r\n  }\r\n\r\n  return config\r\n}","import type { SignInResponse } from '@tern-secure/types';\r\n\r\nimport { TernSecureTenantManager } from \"../utils/admin-init\";\r\n\r\n\r\nexport async function createTenant(\r\n  displayName: string,\r\n  emailSignInConfig: {\r\n    enabled: boolean;\r\n    passwordRequired: boolean;\r\n  },\r\n  multiFactorConfig?: {\r\n    state: 'ENABLED' | 'DISABLED';\r\n    factorIds: \"phone\"[];\r\n    testPhoneNumbers?: {\r\n        [phoneNumber: string]: string;\r\n    }\r\n  }\r\n) {\r\n  try {\r\n    const tenantConfig = {\r\n      displayName,\r\n      emailSignInConfig,\r\n      ...(multiFactorConfig && { multiFactorConfig })\r\n    };\r\n\r\n    const tenant = await TernSecureTenantManager.createTenant(tenantConfig);\r\n    \r\n    return {\r\n      success: true,\r\n      tenantId: tenant.tenantId,\r\n      displayName: tenant.displayName,\r\n    };\r\n  } catch (error) {\r\n    console.error('Error creating tenant:', error);\r\n    throw new Error('Failed to create tenant');\r\n  }\r\n}\r\n\r\nexport async function createTenantUser(\r\n  email: string,\r\n  password: string,\r\n  tenantId: string\r\n): Promise<SignInResponse> {\r\n  try {\r\n    const tenantAuth = TernSecureTenantManager.authForTenant(tenantId);\r\n    \r\n    const userRecord = await tenantAuth.createUser({\r\n      email,\r\n      password,\r\n      emailVerified: false,\r\n      disabled: false\r\n    });\r\n\r\n    return {\r\n      status: 'success',\r\n      user: userRecord,\r\n      message: 'Tenant user created successfully',\r\n    };\r\n  } catch (error) {\r\n    console.error('Error creating tenant user:', error);\r\n    throw new Error('Failed to create tenant user');\r\n  }\r\n}\r\n","'use server';\n\nimport { getCookieName, getCookiePrefix } from '@tern-secure/shared/cookie';\nimport { handleFirebaseAuthError } from '@tern-secure/shared/errors';\nimport type { CookieStore, SessionResult, TernVerificationResult } from '@tern-secure/types';\nimport { cookies } from 'next/headers';\n\nimport { constants } from '../constants';\nimport { adminTernSecureAuth as adminAuth, getAuthForTenant } from '../utils/admin-init';\n\nconst SESSION_CONSTANTS = {\n  COOKIE_NAME: constants.Cookies.Session,\n  DEFAULT_EXPIRES_IN_MS: 60 * 60 * 24 * 5 * 1000, // 5 days\n  DEFAULT_EXPIRES_IN_SECONDS: 60 * 60 * 24 * 5,\n  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true,\n} as const;\n\n/**\n * Helper function to log debug messages only in development environment\n */\nconst debugLog = {\n  log: (...args: unknown[]) => {\n    if (process.env.NODE_ENV === 'development') {\n      console.log(...args);\n    }\n  },\n  warn: (...args: unknown[]) => {\n    if (process.env.NODE_ENV === 'development') {\n      console.warn(...args);\n    }\n  },\n  error: (...args: unknown[]) => {\n    console.error(...args);\n  },\n};\n\nexport async function CreateNextSessionCookie(idToken: string) {\n  try {\n    const expiresIn = 60 * 60 * 24 * 5 * 1000;\n    const sessionCookie = await adminAuth.createSessionCookie(idToken, {\n      expiresIn,\n    });\n\n    const cookieStore = await cookies();\n    cookieStore.set(constants.Cookies.Session, sessionCookie, {\n      maxAge: expiresIn,\n      httpOnly: true,\n      secure: process.env.NODE_ENV === 'production',\n      path: '/',\n    });\n    return { success: true, message: 'Session created' };\n  } catch (error) {\n    return { success: false, message: 'Failed to create session' };\n  }\n}\n\nexport async function GetNextServerSessionCookie() {\n  const cookieStore = await cookies();\n  const sessionCookie = cookieStore.get('_session_cookie')?.value;\n\n  if (!sessionCookie) {\n    throw new Error('No session cookie found');\n  }\n\n  try {\n    const decondeClaims = await adminAuth.verifySessionCookie(sessionCookie, true);\n    return {\n      token: sessionCookie,\n      userId: decondeClaims.uid,\n    };\n  } catch (error) {\n    console.error('Error verifying session:', error);\n    throw new Error('Invalid Session');\n  }\n}\n\nexport async function GetNextIdToken() {\n  const cookieStore = await cookies();\n  const token = cookieStore.get('_session_token')?.value;\n\n  if (!token) {\n    throw new Error('No session cookie found');\n  }\n\n  try {\n    const decodedClaims = await adminAuth.verifyIdToken(token);\n    return {\n      token: token,\n      userId: decodedClaims.uid,\n    };\n  } catch (error) {\n    console.error('Error verifying session:', error);\n    throw new Error('Invalid Session');\n  }\n}\n\nexport async function SetNextServerSession(token: string) {\n  try {\n    const cookieStore = await cookies();\n    cookieStore.set('_session_token', token, {\n      httpOnly: true,\n      secure: process.env.NODE_ENV === 'production',\n      sameSite: 'strict',\n      maxAge: 60 * 60, // 1 hour\n      path: '/',\n    });\n    return { success: true, message: 'Session created' };\n  } catch {\n    return { success: false, message: 'Failed to create session' };\n  }\n}\n\nexport async function SetNextServerToken(token: string) {\n  try {\n    const cookieStore = await cookies();\n    cookieStore.set('_tern', token, {\n      httpOnly: true,\n      secure: process.env.NODE_ENV === 'production',\n      sameSite: 'strict',\n      maxAge: 60 * 60, // 1 hour\n      path: '/',\n    });\n    return { success: true, message: 'Session created' };\n  } catch {\n    return { success: false, message: 'Failed to create session' };\n  }\n}\n\nexport async function VerifyNextTernIdToken(token: string): Promise<TernVerificationResult> {\n  try {\n    const decodedToken = await adminAuth.verifyIdToken(token);\n    return {\n      ...decodedToken,\n      valid: true,\n    };\n  } catch (error) {\n    console.error('[VerifyNextTernIdToken] Error verifying session:', error);\n    const authError = handleFirebaseAuthError(error);\n    return {\n      valid: false,\n      error: authError,\n    };\n  }\n}\n\nexport async function VerifyNextTernSessionCookie(\n  session: string,\n): Promise<TernVerificationResult> {\n  try {\n    const res = await adminAuth.verifySessionCookie(session);\n    console.warn('[VerifyNextTernSessionCookie] uid in Decoded Token:', res.uid);\n    return {\n      valid: true,\n      ...res,\n    };\n  } catch (error) {\n    console.error('[VerifyNextTernSessionCookie] Error verifying session:', error);\n    const authError = handleFirebaseAuthError(error);\n    return {\n      valid: false,\n      error: authError,\n    };\n  }\n}\n\nexport async function ClearNextSessionCookie(\n  tenantId?: string,\n  deleteOptions?: {\n    path?: string;\n    domain?: string;\n    httpOnly?: boolean;\n    secure?: boolean;\n    sameSite?: 'lax' | 'strict' | 'none';\n    revokeRefreshTokensOnSignOut?: boolean;\n  },\n): Promise<SessionResult> {\n  try {\n    const tenantAuth = getAuthForTenant(tenantId || '');\n    const cookieStore = await cookies();\n    const sessionCookie = cookieStore.get(SESSION_CONSTANTS.COOKIE_NAME);\n    const cookiePrefix = getCookiePrefix();\n    const idTokenCookieName = getCookieName(constants.Cookies.IdToken, cookiePrefix);\n    const idTokenCookie = cookieStore.get(idTokenCookieName);\n\n    const finalDeleteOptions = {\n      path: deleteOptions?.path,\n      domain: deleteOptions?.domain,\n      httpOnly: deleteOptions?.httpOnly,\n      secure: deleteOptions?.secure,\n      sameSite: deleteOptions?.sameSite,\n    };\n\n    const idRefreshCustomTokenDeleteOptions = {\n      path: '/',\n      httpOnly: true,\n      secure: process.env.NODE_ENV === 'production',\n      sameSite: 'strict' as const,\n    };\n\n    cookieStore.delete({ name: SESSION_CONSTANTS.COOKIE_NAME, ...finalDeleteOptions });\n    cookieStore.delete({ name: constants.Cookies.TernAut });\n    \n    cookieStore.delete({ name: idTokenCookieName, ...idRefreshCustomTokenDeleteOptions });\n    cookieStore.delete({\n      name: getCookieName(constants.Cookies.Refresh, cookiePrefix),\n      ...idRefreshCustomTokenDeleteOptions,\n    });\n    cookieStore.delete({ name: constants.Cookies.Custom, ...idRefreshCustomTokenDeleteOptions });\n\n    const shouldRevokeTokens =\n      deleteOptions?.revokeRefreshTokensOnSignOut ??\n      SESSION_CONSTANTS.REVOKE_REFRESH_TOKENS_ON_SIGNOUT;\n\n    if (shouldRevokeTokens) {\n      try {\n        let userSub: string | undefined;\n\n        // Try to get user sub from session cookie first\n        if (sessionCookie?.value) {\n          try {\n            const decodedClaims = await tenantAuth.verifySessionCookie(sessionCookie.value);\n            userSub = decodedClaims.sub;\n          } catch (sessionError) {\n            debugLog.warn(\n              '[ClearNextSessionCookie] Session cookie verification failed:',\n              sessionError,\n            );\n          }\n        }\n\n        // If no session cookie, try idToken cookie\n        if (!userSub) {\n          if (idTokenCookie?.value) {\n            try {\n              const decodedIdToken = await tenantAuth.verifyIdToken(idTokenCookie.value);\n              userSub = decodedIdToken.sub;\n            } catch (idTokenError) {\n              debugLog.warn('[ClearNextSessionCookie] ID token verification failed:', idTokenError);\n            }\n          }\n        }\n\n        // Revoke tokens if we got a user sub\n        if (userSub) {\n          await tenantAuth.revokeRefreshTokens(userSub);\n          debugLog.log(`[ClearNextSessionCookie] Successfully revoked tokens for user: ${userSub}`);\n        } else {\n          debugLog.warn('[ClearNextSessionCookie] No valid token found for revocation');\n        }\n      } catch (revokeError) {\n        debugLog.error('[ClearNextSessionCookie] Failed to revoke refresh tokens:', revokeError);\n      }\n    }\n    return { success: true, message: 'Session cleared successfully' };\n  } catch (error) {\n    debugLog.error('Error clearing session:', error);\n    return { success: false, message: 'Failed to clear session cookies' };\n  }\n}\n\nexport async function ClearNextSessionCookie_old(cookieStore: CookieStore): Promise<SessionResult> {\n  try {\n    const cookiePrefix = getCookiePrefix();\n\n    const deletionPromises: Promise<void>[] = [];\n\n    // Always delete default cookies\n    const idTokenCookieName = getCookieName(constants.Cookies.IdToken, cookiePrefix);\n    deletionPromises.push(cookieStore.delete(idTokenCookieName));\n\n    const refreshTokenCookieName = getCookieName(constants.Cookies.Refresh, cookiePrefix);\n    deletionPromises.push(cookieStore.delete(refreshTokenCookieName));\n\n    const customTokenCookieName = getCookieName(constants.Cookies.Custom, cookiePrefix);\n    deletionPromises.push(cookieStore.delete(customTokenCookieName));\n\n    // Also delete legacy cookie names for backward compatibility\n    deletionPromises.push(cookieStore.delete(constants.Cookies.Session));\n\n    await Promise.all(deletionPromises);\n\n    return {\n      success: true,\n      message: 'Session cleared successfully',\n    };\n  } catch (error) {\n    const authError = handleFirebaseAuthError(error);\n    return {\n      success: false,\n      message: authError.message || 'Failed to clear session',\n      error: authError.code || 'INTERNAL_ERROR',\n    };\n  }\n}\n","import type { CheckCustomClaims, DecodedIdToken,SharedSignInAuthObjectProperties } from \"@tern-secure/types\";\n\nimport { VerifyNextTernSessionCookie } from \"../admin/nextSessionTernSecure\";\nimport type { TernSecureRequest} from \"../tokens/ternSecureRequest\";\nimport { createTernSecureRequest } from \"../tokens/ternSecureRequest\";\n\nexport type SignInAuthObject = SharedSignInAuthObjectProperties & {\n  has: CheckCustomClaims\n}\n\nexport type SignInState = {\n  auth: () => SignInAuthObject\n  token: string\n  headers: Headers\n}\n\nexport type RequestState = SignInState\n\nexport interface BackendInstance {\n  ternSecureRequest: TernSecureRequest;\n  requestState: RequestState;\n}\n\nexport const createBackendInstance = async (request: Request): Promise<BackendInstance> => {\n  const ternSecureRequest = createTernSecureRequest(request);\n  const requestState = await authenticateRequest(request);\n  \n  return {\n    ternSecureRequest,\n    requestState,\n  };\n};\n\nexport async function authenticateRequest(request: Request): Promise<RequestState> {\n  const sessionCookie = request.headers.get('cookie');\n  const sessionToken = sessionCookie?.split(';')\n    .find(c => c.trim().startsWith('_session_cookie='))\n    ?.split('=')[1];\n  \n  if (!sessionToken) {\n    throw new Error(\"No session token found\");\n  }\n\n  const verificationResult = await VerifyNextTernSessionCookie(sessionToken);\n\n  if (!verificationResult.valid) {\n    throw new Error(\"Invalid session token\");\n  }\n\n  return signedIn(\n    verificationResult as DecodedIdToken,\n    new Headers(request.headers),\n    sessionToken\n  );\n}\n\nexport function signInAuthObject(\n  session: DecodedIdToken,\n): SignInAuthObject {\n  return {\n    session,\n    userId: session.uid,\n    has: {} as CheckCustomClaims,\n  };\n}\n\nexport function signedIn(\n  session: DecodedIdToken,\n  headers: Headers = new Headers(),\n  token: string\n): SignInState {\n  const authObject = signInAuthObject(session);\n  return {\n    auth: () => authObject,\n    token,\n    headers,\n  };\n}\n","import { handleFirebaseAuthError } from '@tern-secure/shared/errors';\nimport type { AuthErrorResponse } from '@tern-secure/types';\nimport type { UserRecord } from 'firebase-admin/auth';\n\nimport { getAuthForTenant } from '../utils/admin-init';\n\ntype RetrieveUserResult = {\n    data: UserRecord;\n    error: null;\n} | {\n    data: null;\n    error: AuthErrorResponse;\n}\n\nexport function RetrieveUser(tenantId?: string) {\n    const auth = getAuthForTenant(tenantId);\n\n    async function getUserUid(uid: string): Promise<RetrieveUserResult> {\n        try {\n            const user = await auth.getUser(uid);\n            return { data: user, error: null };\n        } catch (error) {\n            return { data: null, error: handleFirebaseAuthError(error) };\n        }\n    }\n    async function getUserByEmail(email: string): Promise<RetrieveUserResult> {\n        try {\n            const user = await auth.getUserByEmail(email);\n            return { data: user, error: null };\n        } catch (error) {\n            return { data: null, error: handleFirebaseAuthError(error) };\n        }\n    }\n\n    async function getUserByPhoneNumber(phoneNumber: string): Promise<RetrieveUserResult> {\n        try {\n            const user = await auth.getUserByPhoneNumber(phoneNumber);\n            return { data: user, error: null };\n        } catch (error) {\n            return { data: null, error: handleFirebaseAuthError(error) };\n        }\n    }\n\n    return {\n        getUserUid,\n        getUserByEmail,\n        getUserByPhoneNumber,\n    }\n}"],"mappings":";;;;;;;;AACA,SAAS,+BAA+B;;;ACDxC,OAAO,WAAW;AAClB,SAAS,mBAAmB;;;ACuErB,IAAM,kBAAkB,OAA8B;AAAA,EAC3D,WAAW,QAAQ,IAAI,uBAAuB;AAAA,EAC9C,aAAa,QAAQ,IAAI,yBAAyB;AAAA,EAClD,YAAY,QAAQ,IAAI,wBAAwB;AAClD;AAOO,IAAM,sBAAsB,CAAC,WAA+D;AACjG,QAAM,iBAAkD;AAAA,IACtD;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,QAAM,SAAmB,CAAC;AAE1B,iBAAe,QAAQ,WAAS;AAC9B,QAAI,CAAC,OAAO,KAAK,GAAG;AAClB,aAAO,KAAK,oCAAoC,OAAO,KAAK,EAAE,YAAY,CAAC,EAAE;AAAA,IAC/E;AAAA,EACF,CAAC;AAED,SAAO;AAAA,IACL,SAAS,OAAO,WAAW;AAAA,IAC3B;AAAA,IACA;AAAA,EACF;AACF;AAMO,IAAM,wBAAwB,MAA6B;AAChE,QAAM,SAAS,gBAAgB;AAC/B,QAAM,mBAAmB,oBAAoB,MAAM;AAEnD,MAAI,CAAC,iBAAiB,SAAS;AAC7B,UAAM,IAAI;AAAA,MACR;AAAA,EAAoD,iBAAiB,OAAO,KAAK,IAAI,CAAC;AAAA,IACxF;AAAA,EACF;AAEA,SAAO;AACT;;;ADnHA,IAAI,CAAC,MAAM,KAAK,QAAQ;AACtB,MAAI;AACF,UAAM,SAAS,sBAAsB;AACrC,UAAM,cAAc;AAAA,MAClB,YAAY,MAAM,WAAW,KAAK;AAAA,QAChC,GAAG;AAAA,QACH,YAAY,OAAO,WAAW,QAAQ,QAAQ,IAAI;AAAA,MACpD,CAAC;AAAA,IACH,CAAC;AAAA,EACH,SAAS,OAAO;AACd,YAAQ,MAAM,uCAAuC,KAAK;AAAA,EAC5D;AACF;AAEO,IAAM,sBAAuC,MAAM,KAAK;AACxD,IAAM,oBAA+C,MAAM,UAAU;AACrE,IAAM,0BAAoD,MAAM,KAAK,EAAE,cAAc;AACrF,IAAM,gBAAyC,YAAY;AAS3D,SAAS,iBAAiB,UAAoC;AACnE,MAAI,UAAU;AACZ,WAAO,wBAAwB,cAAc,QAAQ;AAAA,EACvD;AACA,SAAO,MAAM,KAAK;AACpB;;;ADnBA,IAAM,wBAAwB;AAAA,EAC5B,uBAAuB,IAAI,KAAK;AAAA;AAAA,EAChC,4BAA4B,IAAI;AAAA,EAChC,kCAAkC;AACpC;AAEA,IAAM,yBAAyB;AAAA,EAC7B,UAAU;AAAA,EACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,EACjC,UAAU;AAAA,EACV,MAAM;AACR;AAKA,IAAM,gBAAgB,CAAC,UAAkB,WAA4B;AACnE,SAAO,SAAS,GAAG,MAAM,GAAG,QAAQ,KAAK;AAC3C;AAKA,IAAM,sBAAsB,CAC1B,QACA,cAMG;AACH,SAAO;AAAA,IACL;AAAA,IACA,UAAU,WAAW,YAAY,uBAAuB;AAAA,IACxD,QAAQ,WAAW,UAAU,uBAAuB;AAAA,IACpD,UAAU,WAAW,YAAY,uBAAuB;AAAA,IACxD,MAAM,WAAW,QAAQ,uBAAuB;AAAA,EAClD;AACF;AAKA,IAAM,kBAAkB,MAAc;AACpC,QAAM,eAAe,QAAQ,IAAI,aAAa;AAC9C,SAAO,eAAe,YAAY;AACpC;AAQA,eAAsB,oBACpB,QACA,aACA,SACwB;AACxB,MAAI;AACF,UAAM,aAAa,iBAAiB,SAAS,YAAY,EAAE;AAE3D,UAAM,UAAU,OAAO,WAAW,WAAW,SAAS,OAAO;AAC7D,UAAM,eAAe,OAAO,WAAW,WAAW,SAAa,OAAe;AAE9E,QAAI,CAAC,SAAS;AACZ,aAAO;AAAA,QACL,SAAS;AAAA,QACT,SAAS;AAAA,QACT,OAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI;AACJ,QAAI;AACF,qBAAe,MAAM,WAAW,cAAc,OAAO;AAAA,IACvD,SAAS,aAAa;AACpB,YAAM,YAAY,wBAAwB,WAAW;AACrD,aAAO;AAAA,QACL,SAAS;AAAA,QACT,SAAS,UAAU;AAAA,QACnB,OAAO,UAAU;AAAA,MACnB;AAAA,IACF;AAEA,UAAM,iBAAkC,CAAC;AACzC,UAAM,eAAe,gBAAgB;AAGrC,UAAM,oBAAoB,cAAc,UAAU,QAAQ,SAAS,YAAY;AAC/E,mBAAe;AAAA,MACb,YAAY;AAAA,QACV;AAAA,QACA;AAAA,QACA,oBAAoB,sBAAsB,0BAA0B;AAAA,MACtE;AAAA,IACF;AAGA,QAAI,cAAc;AAChB,YAAM,yBAAyB,cAAc,UAAU,QAAQ,SAAS,YAAY;AACpF,qBAAe;AAAA,QACb,YAAY;AAAA,UACV;AAAA,UACA;AAAA,UACA,oBAAoB,sBAAsB,0BAA0B;AAAA,QACtE;AAAA,MACF;AAAA,IACF;AAGA,QAAI,SAAS,SAAS;AACpB,YAAM,iBAAiB,QAAQ;AAC/B,YAAM,oBAAoB,cAAc,UAAU,QAAQ,OAAO;AACjE,YAAM,YAAY,eAAe,SAC7B,eAAe,SAAS,MACxB,sBAAsB;AAE1B,UAAI;AACF,cAAM,gBAAgB,MAAM,WAAW,oBAAoB,SAAS,EAAE,UAAU,CAAC;AACjF,uBAAe;AAAA,UACb,YAAY;AAAA,YACV;AAAA,YACA;AAAA,YACA;AAAA,cACE,eAAe,UAAU,sBAAsB;AAAA,cAC/C;AAAA,gBACE,UAAU,eAAe;AAAA,gBACzB,UAAU,eAAe;AAAA,gBACzB,MAAM,eAAe;AAAA,cACvB;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAAA,MACF,SAAS,cAAc;AACrB,gBAAQ;AAAA,UACN;AAAA,UACA;AAAA,QACF;AACA,cAAM,YAAY,wBAAwB,YAAY;AACtD,eAAO;AAAA,UACL,SAAS;AAAA,UACT,SAAS,UAAU;AAAA,UACnB,OAAO,UAAU;AAAA,QACnB;AAAA,MACF;AAAA,IACF;AAGA,QAAI,SAAS,qBAAqB,cAAc,KAAK;AACnD,YAAM,wBAAwB,cAAc,UAAU,QAAQ,QAAQ,YAAY;AAClF,YAAM,cAAc,MAAM,kBAAkB,aAAa,KAAK,OAAO;AACrE,UAAI,aAAa;AACf,uBAAe;AAAA,UACb,YAAY;AAAA,YACV;AAAA,YACA;AAAA,YACA,oBAAoB,sBAAsB,0BAA0B;AAAA,UACtE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,UAAM,QAAQ,IAAI,cAAc;AAEhC,WAAO;AAAA,MACL,SAAS;AAAA,MACT,SAAS;AAAA,MACT,WAAW,sBAAsB;AAAA,IACnC;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,2CAA2C,KAAK;AAC9D,UAAM,YAAY,wBAAwB,KAAK;AAC/C,WAAO;AAAA,MACL,SAAS;AAAA,MACT,SAAS,UAAU,WAAW;AAAA,MAC9B,OAAO,UAAU,QAAQ;AAAA,IAC3B;AAAA,EACF;AACF;AAOA,eAAsB,mBACpB,aACA,SACwB;AACxB,MAAI;AACF,UAAM,YAAY,iBAAiB,SAAS,YAAY,EAAE;AAC1D,UAAM,eAAe,gBAAgB;AAGrC,UAAM,oBAAoB,cAAc,UAAU,QAAQ,SAAS,YAAY;AAC/E,UAAM,gBAAgB,MAAM,YAAY,IAAI,iBAAiB;AAE7D,UAAM,mBAAoC,CAAC;AAI3C,QAAI,SAAS,SAAS;AACpB,uBAAiB,KAAK,YAAY,OAAO,iBAAiB,CAAC;AAAA,IAC7D;AAGA,UAAM,oBAAoB,cAAc,UAAU,QAAQ,SAAS,YAAY;AAC/E,qBAAiB,KAAK,YAAY,OAAO,iBAAiB,CAAC;AAE3D,UAAM,yBAAyB,cAAc,UAAU,QAAQ,SAAS,YAAY;AACpF,qBAAiB,KAAK,YAAY,OAAO,sBAAsB,CAAC;AAEhE,UAAM,wBAAwB,cAAc,UAAU,QAAQ,QAAQ,YAAY;AAClF,qBAAiB,KAAK,YAAY,OAAO,qBAAqB,CAAC;AAG/D,UAAM,qBAAqB,UAAU,QAAQ;AAC7C,qBAAiB,KAAK,YAAY,OAAO,kBAAkB,CAAC;AAG5D,qBAAiB,KAAK,YAAY,OAAO,UAAU,QAAQ,OAAO,CAAC;AAEnE,UAAM,QAAQ,IAAI,gBAAgB;AAGlC,QAAI,sBAAsB,oCAAoC,eAAe,OAAO;AAClF,UAAI;AACF,cAAM,gBAAgB,MAAM,UAAU,oBAAoB,cAAc,KAAK;AAC7E,cAAM,UAAU,oBAAoB,cAAc,GAAG;AAAA,MACvD,SAAS,aAAa;AACpB,gBAAQ,MAAM,yDAAyD,WAAW;AAAA,MACpF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,SAAS;AAAA,MACT,SAAS;AAAA,IACX;AAAA,EACF,SAAS,OAAO;AACd,UAAM,YAAY,wBAAwB,KAAK;AAC/C,WAAO;AAAA,MACL,SAAS;AAAA,MACT,SAAS,UAAU,WAAW;AAAA,MAC9B,OAAO,UAAU,QAAQ;AAAA,IAC3B;AAAA,EACF;AACF;AAQA,eAAsB,kBACpB,KACA,SACwB;AACxB,QAAM,YAAY,iBAAiB,SAAS,YAAY,EAAE;AAC1D,MAAI;AACF,UAAM,cAAc,MAAM,UAAU,kBAAkB,GAAG;AACzD,WAAO;AAAA,EACT,SAAS,OAAO;AACd,YAAQ,MAAM,oDAAoD,KAAK;AACvE,WAAO;AAAA,EACT;AACF;AAGA,eAAsB,wBACpB,KACA,iBACiB;AACjB,QAAM,YAAY,iBAAiB;AACnC,MAAI;AACF,UAAM,cAAc,MAAM,UAAU,kBAAkB,KAAK,eAAe;AAC1E,WAAO;AAAA,EACT,SAAS,OAAO;AACd,YAAQ,MAAM,oDAAoD,KAAK;AACvE,WAAO;AAAA,EACT;AACF;;;AGxSA,eAAsB,aACpB,aACA,mBAIA,mBAOA;AACA,MAAI;AACF,UAAM,eAAe;AAAA,MACnB;AAAA,MACA;AAAA,MACA,GAAI,qBAAqB,EAAE,kBAAkB;AAAA,IAC/C;AAEA,UAAM,SAAS,MAAM,wBAAwB,aAAa,YAAY;AAEtE,WAAO;AAAA,MACL,SAAS;AAAA,MACT,UAAU,OAAO;AAAA,MACjB,aAAa,OAAO;AAAA,IACtB;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,0BAA0B,KAAK;AAC7C,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AACF;AAEA,eAAsB,iBACpB,OACA,UACA,UACyB;AACzB,MAAI;AACF,UAAM,aAAa,wBAAwB,cAAc,QAAQ;AAEjE,UAAM,aAAa,MAAM,WAAW,WAAW;AAAA,MAC7C;AAAA,MACA;AAAA,MACA,eAAe;AAAA,MACf,UAAU;AAAA,IACZ,CAAC;AAED,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,SAAS;AAAA,IACX;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B,KAAK;AAClD,UAAM,IAAI,MAAM,8BAA8B;AAAA,EAChD;AACF;;;AC7DA,SAAS,iBAAAA,gBAAe,mBAAAC,wBAAuB;AAC/C,SAAS,2BAAAC,gCAA+B;AAExC,SAAS,eAAe;AAKxB,IAAM,oBAAoB;AAAA,EACxB,aAAa,UAAU,QAAQ;AAAA,EAC/B,uBAAuB,KAAK,KAAK,KAAK,IAAI;AAAA;AAAA,EAC1C,4BAA4B,KAAK,KAAK,KAAK;AAAA,EAC3C,kCAAkC;AACpC;AAKA,IAAM,WAAW;AAAA,EACf,KAAK,IAAI,SAAoB;AAC3B,QAAI,QAAQ,IAAI,aAAa,eAAe;AAC1C,cAAQ,IAAI,GAAG,IAAI;AAAA,IACrB;AAAA,EACF;AAAA,EACA,MAAM,IAAI,SAAoB;AAC5B,QAAI,QAAQ,IAAI,aAAa,eAAe;AAC1C,cAAQ,KAAK,GAAG,IAAI;AAAA,IACtB;AAAA,EACF;AAAA,EACA,OAAO,IAAI,SAAoB;AAC7B,YAAQ,MAAM,GAAG,IAAI;AAAA,EACvB;AACF;AAEA,eAAsB,wBAAwB,SAAiB;AAC7D,MAAI;AACF,UAAM,YAAY,KAAK,KAAK,KAAK,IAAI;AACrC,UAAM,gBAAgB,MAAM,oBAAU,oBAAoB,SAAS;AAAA,MACjE;AAAA,IACF,CAAC;AAED,UAAM,cAAc,MAAM,QAAQ;AAClC,gBAAY,IAAI,UAAU,QAAQ,SAAS,eAAe;AAAA,MACxD,QAAQ;AAAA,MACR,UAAU;AAAA,MACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,MACjC,MAAM;AAAA,IACR,CAAC;AACD,WAAO,EAAE,SAAS,MAAM,SAAS,kBAAkB;AAAA,EACrD,SAAS,OAAO;AACd,WAAO,EAAE,SAAS,OAAO,SAAS,2BAA2B;AAAA,EAC/D;AACF;AAEA,eAAsB,6BAA6B;AACjD,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,gBAAgB,YAAY,IAAI,iBAAiB,GAAG;AAE1D,MAAI,CAAC,eAAe;AAClB,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AAEA,MAAI;AACF,UAAM,gBAAgB,MAAM,oBAAU,oBAAoB,eAAe,IAAI;AAC7E,WAAO;AAAA,MACL,OAAO;AAAA,MACP,QAAQ,cAAc;AAAA,IACxB;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,4BAA4B,KAAK;AAC/C,UAAM,IAAI,MAAM,iBAAiB;AAAA,EACnC;AACF;AAEA,eAAsB,iBAAiB;AACrC,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,QAAQ,YAAY,IAAI,gBAAgB,GAAG;AAEjD,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AAEA,MAAI;AACF,UAAM,gBAAgB,MAAM,oBAAU,cAAc,KAAK;AACzD,WAAO;AAAA,MACL;AAAA,MACA,QAAQ,cAAc;AAAA,IACxB;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,4BAA4B,KAAK;AAC/C,UAAM,IAAI,MAAM,iBAAiB;AAAA,EACnC;AACF;AAEA,eAAsB,qBAAqB,OAAe;AACxD,MAAI;AACF,UAAM,cAAc,MAAM,QAAQ;AAClC,gBAAY,IAAI,kBAAkB,OAAO;AAAA,MACvC,UAAU;AAAA,MACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,MACjC,UAAU;AAAA,MACV,QAAQ,KAAK;AAAA;AAAA,MACb,MAAM;AAAA,IACR,CAAC;AACD,WAAO,EAAE,SAAS,MAAM,SAAS,kBAAkB;AAAA,EACrD,QAAQ;AACN,WAAO,EAAE,SAAS,OAAO,SAAS,2BAA2B;AAAA,EAC/D;AACF;AAEA,eAAsB,mBAAmB,OAAe;AACtD,MAAI;AACF,UAAM,cAAc,MAAM,QAAQ;AAClC,gBAAY,IAAI,SAAS,OAAO;AAAA,MAC9B,UAAU;AAAA,MACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,MACjC,UAAU;AAAA,MACV,QAAQ,KAAK;AAAA;AAAA,MACb,MAAM;AAAA,IACR,CAAC;AACD,WAAO,EAAE,SAAS,MAAM,SAAS,kBAAkB;AAAA,EACrD,QAAQ;AACN,WAAO,EAAE,SAAS,OAAO,SAAS,2BAA2B;AAAA,EAC/D;AACF;AAEA,eAAsB,sBAAsB,OAAgD;AAC1F,MAAI;AACF,UAAM,eAAe,MAAM,oBAAU,cAAc,KAAK;AACxD,WAAO;AAAA,MACL,GAAG;AAAA,MACH,OAAO;AAAA,IACT;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,oDAAoD,KAAK;AACvE,UAAM,YAAYC,yBAAwB,KAAK;AAC/C,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AAAA,EACF;AACF;AAEA,eAAsB,4BACpB,SACiC;AACjC,MAAI;AACF,UAAM,MAAM,MAAM,oBAAU,oBAAoB,OAAO;AACvD,YAAQ,KAAK,uDAAuD,IAAI,GAAG;AAC3E,WAAO;AAAA,MACL,OAAO;AAAA,MACP,GAAG;AAAA,IACL;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,0DAA0D,KAAK;AAC7E,UAAM,YAAYA,yBAAwB,KAAK;AAC/C,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AAAA,EACF;AACF;AAEA,eAAsB,uBACpB,UACA,eAQwB;AACxB,MAAI;AACF,UAAM,aAAa,iBAAiB,YAAY,EAAE;AAClD,UAAM,cAAc,MAAM,QAAQ;AAClC,UAAM,gBAAgB,YAAY,IAAI,kBAAkB,WAAW;AACnE,UAAM,eAAeC,iBAAgB;AACrC,UAAM,oBAAoBC,eAAc,UAAU,QAAQ,SAAS,YAAY;AAC/E,UAAM,gBAAgB,YAAY,IAAI,iBAAiB;AAEvD,UAAM,qBAAqB;AAAA,MACzB,MAAM,eAAe;AAAA,MACrB,QAAQ,eAAe;AAAA,MACvB,UAAU,eAAe;AAAA,MACzB,QAAQ,eAAe;AAAA,MACvB,UAAU,eAAe;AAAA,IAC3B;AAEA,UAAM,oCAAoC;AAAA,MACxC,MAAM;AAAA,MACN,UAAU;AAAA,MACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,MACjC,UAAU;AAAA,IACZ;AAEA,gBAAY,OAAO,EAAE,MAAM,kBAAkB,aAAa,GAAG,mBAAmB,CAAC;AACjF,gBAAY,OAAO,EAAE,MAAM,UAAU,QAAQ,QAAQ,CAAC;AAEtD,gBAAY,OAAO,EAAE,MAAM,mBAAmB,GAAG,kCAAkC,CAAC;AACpF,gBAAY,OAAO;AAAA,MACjB,MAAMA,eAAc,UAAU,QAAQ,SAAS,YAAY;AAAA,MAC3D,GAAG;AAAA,IACL,CAAC;AACD,gBAAY,OAAO,EAAE,MAAM,UAAU,QAAQ,QAAQ,GAAG,kCAAkC,CAAC;AAE3F,UAAM,qBACJ,eAAe,gCACf,kBAAkB;AAEpB,QAAI,oBAAoB;AACtB,UAAI;AACF,YAAI;AAGJ,YAAI,eAAe,OAAO;AACxB,cAAI;AACF,kBAAM,gBAAgB,MAAM,WAAW,oBAAoB,cAAc,KAAK;AAC9E,sBAAU,cAAc;AAAA,UAC1B,SAAS,cAAc;AACrB,qBAAS;AAAA,cACP;AAAA,cACA;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAGA,YAAI,CAAC,SAAS;AACZ,cAAI,eAAe,OAAO;AACxB,gBAAI;AACF,oBAAM,iBAAiB,MAAM,WAAW,cAAc,cAAc,KAAK;AACzE,wBAAU,eAAe;AAAA,YAC3B,SAAS,cAAc;AACrB,uBAAS,KAAK,0DAA0D,YAAY;AAAA,YACtF;AAAA,UACF;AAAA,QACF;AAGA,YAAI,SAAS;AACX,gBAAM,WAAW,oBAAoB,OAAO;AAC5C,mBAAS,IAAI,kEAAkE,OAAO,EAAE;AAAA,QAC1F,OAAO;AACL,mBAAS,KAAK,8DAA8D;AAAA,QAC9E;AAAA,MACF,SAAS,aAAa;AACpB,iBAAS,MAAM,6DAA6D,WAAW;AAAA,MACzF;AAAA,IACF;AACA,WAAO,EAAE,SAAS,MAAM,SAAS,+BAA+B;AAAA,EAClE,SAAS,OAAO;AACd,aAAS,MAAM,2BAA2B,KAAK;AAC/C,WAAO,EAAE,SAAS,OAAO,SAAS,kCAAkC;AAAA,EACtE;AACF;;;AC3OO,IAAM,wBAAwB,OAAO,YAA+C;AACzF,QAAM,oBAAoB,wBAAwB,OAAO;AACzD,QAAM,eAAe,MAAM,oBAAoB,OAAO;AAEtD,SAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACF;AAEA,eAAsB,oBAAoB,SAAyC;AACjF,QAAM,gBAAgB,QAAQ,QAAQ,IAAI,QAAQ;AAClD,QAAM,eAAe,eAAe,MAAM,GAAG,EAC1C,KAAK,OAAK,EAAE,KAAK,EAAE,WAAW,kBAAkB,CAAC,GAChD,MAAM,GAAG,EAAE,CAAC;AAEhB,MAAI,CAAC,cAAc;AACjB,UAAM,IAAI,MAAM,wBAAwB;AAAA,EAC1C;AAEA,QAAM,qBAAqB,MAAM,4BAA4B,YAAY;AAEzE,MAAI,CAAC,mBAAmB,OAAO;AAC7B,UAAM,IAAI,MAAM,uBAAuB;AAAA,EACzC;AAEA,SAAO;AAAA,IACL;AAAA,IACA,IAAI,QAAQ,QAAQ,OAAO;AAAA,IAC3B;AAAA,EACF;AACF;AAEO,SAAS,iBACd,SACkB;AAClB,SAAO;AAAA,IACL;AAAA,IACA,QAAQ,QAAQ;AAAA,IAChB,KAAK,CAAC;AAAA,EACR;AACF;AAEO,SAAS,SACd,SACA,UAAmB,IAAI,QAAQ,GAC/B,OACa;AACb,QAAM,aAAa,iBAAiB,OAAO;AAC3C,SAAO;AAAA,IACL,MAAM,MAAM;AAAA,IACZ;AAAA,IACA;AAAA,EACF;AACF;;;AC7EA,SAAS,2BAAAC,gCAA+B;AAcjC,SAAS,aAAa,UAAmB;AAC5C,QAAM,OAAO,iBAAiB,QAAQ;AAEtC,iBAAe,WAAW,KAA0C;AAChE,QAAI;AACA,YAAM,OAAO,MAAM,KAAK,QAAQ,GAAG;AACnC,aAAO,EAAE,MAAM,MAAM,OAAO,KAAK;AAAA,IACrC,SAAS,OAAO;AACZ,aAAO,EAAE,MAAM,MAAM,OAAOC,yBAAwB,KAAK,EAAE;AAAA,IAC/D;AAAA,EACJ;AACA,iBAAe,eAAe,OAA4C;AACtE,QAAI;AACA,YAAM,OAAO,MAAM,KAAK,eAAe,KAAK;AAC5C,aAAO,EAAE,MAAM,MAAM,OAAO,KAAK;AAAA,IACrC,SAAS,OAAO;AACZ,aAAO,EAAE,MAAM,MAAM,OAAOA,yBAAwB,KAAK,EAAE;AAAA,IAC/D;AAAA,EACJ;AAEA,iBAAe,qBAAqB,aAAkD;AAClF,QAAI;AACA,YAAM,OAAO,MAAM,KAAK,qBAAqB,WAAW;AACxD,aAAO,EAAE,MAAM,MAAM,OAAO,KAAK;AAAA,IACrC,SAAS,OAAO;AACZ,aAAO,EAAE,MAAM,MAAM,OAAOA,yBAAwB,KAAK,EAAE;AAAA,IAC/D;AAAA,EACJ;AAEA,SAAO;AAAA,IACH;AAAA,IACA;AAAA,IACA;AAAA,EACJ;AACJ;","names":["getCookieName","getCookiePrefix","handleFirebaseAuthError","handleFirebaseAuthError","getCookiePrefix","getCookieName","handleFirebaseAuthError","handleFirebaseAuthError"]}
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/app-check/AppCheckApi.d.ts

@@ -0,0 +1,14 @@
+import type { Credential } from '../auth';
+import type { AppCheckParams, AppCheckToken } from './types';
+export declare function getSdkVersion(): string;
+/**
+ * App Check API for managing Firebase App Check tokens via REST
+ * Firebase REST API endpoint: https://firebaseappcheck.googleapis.com/v1beta/projects/{projectId}/apps/{appId}:exchangeCustomToken
+ */
+export declare class AppCheckApi {
+    private credential;
+    constructor(credential: Credential);
+    exchangeToken(params: AppCheckParams): Promise<AppCheckToken>;
+    exchangeDebugToken(params: AppCheckParams): Promise<AppCheckToken>;
+}
+//# sourceMappingURL=AppCheckApi.d.ts.map

package/dist/app-check/AppCheckApi.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AppCheckApi.d.ts","sourceRoot":"","sources":["../../src/app-check/AppCheckApi.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAA;AACzC,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,SAAS,CAAA;AAE5D,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAMD;;;GAGG;AACH,qBAAa,WAAW;IACR,OAAO,CAAC,UAAU;gBAAV,UAAU,EAAE,UAAU;IAE7B,aAAa,CAAC,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;IAoC7D,kBAAkB,CAAC,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;CAwClF"}

package/dist/app-check/generator.d.ts

@@ -0,0 +1,9 @@
+import type { CryptoSigner } from '../jwt';
+import type { AppCheckTokenOptions } from './types';
+export declare class AppCheckTokenGenerator {
+    private readonly signer;
+    constructor(signer: CryptoSigner);
+    createCustomToken(appId: string, options?: AppCheckTokenOptions): Promise<string>;
+    private validateTokenOptions;
+}
+//# sourceMappingURL=generator.d.ts.map

package/dist/app-check/generator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"generator.d.ts","sourceRoot":"","sources":["../../src/app-check/generator.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAC3C,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AAmBpD,qBAAa,sBAAsB;IAC/B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAe;gBAE1B,MAAM,EAAE,YAAY;IAInB,iBAAiB,CAC1B,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,oBAAoB,GAC/B,OAAO,CAAC,MAAM,CAAC;IA2BlB,OAAO,CAAC,oBAAoB;CAiB/B"}

package/dist/app-check/index.d.ts

@@ -0,0 +1,18 @@
+import type { VerifyAppCheckTokenResponse } from "@tern-secure/types";
+import type { Credential, ServiceAccount } from "../auth";
+import { ServerAppCheckManager } from "./serverAppCheck";
+import type { AppCheckToken, AppCheckTokenOptions } from "./types";
+import { type VerifyAppcheckOptions } from "./verifier";
+declare class AppCheck {
+    private readonly client;
+    private readonly tokenGenerator;
+    private readonly appCheckTokenVerifier;
+    private readonly limitedUse?;
+    constructor(credential: Credential, tenantId?: string, limitedUse?: boolean);
+    createToken: (projectId: string, appId: string, options?: AppCheckTokenOptions) => Promise<AppCheckToken>;
+    verifyToken: (appCheckToken: string, projectId: string, options: VerifyAppcheckOptions) => Promise<VerifyAppCheckTokenResponse>;
+}
+declare function getAppCheck(serviceAccount: ServiceAccount, tenantId?: string, limitedUse?: boolean): AppCheck;
+export { AppCheck, getAppCheck };
+export { ServerAppCheckManager };
+//# sourceMappingURL=index.d.ts.map

package/dist/app-check/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/app-check/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,oBAAoB,CAAC;AAEtE,OAAO,KAAK,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAK1D,OAAO,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AACzD,OAAO,KAAK,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AACnE,OAAO,EAAyB,KAAK,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAK/E,cAAM,QAAQ;IACV,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAc;IACrC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAyB;IACxD,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAwB;IAC9D,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAU;gBAE1B,UAAU,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,OAAO;IASpE,WAAW,GAAI,WAAW,MAAM,EAAE,OAAO,MAAM,EAAE,UAAU,oBAAoB,KAAG,OAAO,CAAC,aAAa,CAAC,CAM7G;IAEK,WAAW,GAAU,eAAe,MAAM,EAAE,WAAW,MAAM,EAAE,SAAS,qBAAqB,KAAG,OAAO,CAAC,2BAA2B,CAAC,CAU1I;CAEJ;AAGD,iBAAS,WAAW,CAAC,cAAc,EAAE,cAAc,EAAE,QAAQ,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,OAAO,GAAG,QAAQ,CAEtG;AAED,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;AACjC,OAAO,EAAE,qBAAqB,EAAE,CAAC"}