@tern-secure/backend 1.2.0-canary.v20251127235234 → 1.2.0-canary.v20251202164451

package/dist/app-check/index.js

@@ -0,0 +1,1135 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/app-check/index.ts
+var app_check_exports = {};
+__export(app_check_exports, {
+  AppCheck: () => AppCheck,
+  ServerAppCheckManager: () => ServerAppCheckManager,
+  getAppCheck: () => getAppCheck
+});
+module.exports = __toCommonJS(app_check_exports);
+
+// src/jwt/customJwt.ts
+var import_jose = require("jose");
+
+// src/jwt/verifyJwt.ts
+var import_jose3 = require("jose");
+
+// src/utils/errors.ts
+var TokenVerificationErrorReason = {
+  TokenExpired: "token-expired",
+  TokenInvalid: "token-invalid",
+  TokenInvalidAlgorithm: "token-invalid-algorithm",
+  TokenInvalidAuthorizedParties: "token-invalid-authorized-parties",
+  TokenInvalidSignature: "token-invalid-signature",
+  TokenNotActiveYet: "token-not-active-yet",
+  TokenIatInTheFuture: "token-iat-in-the-future",
+  TokenVerificationFailed: "token-verification-failed",
+  InvalidSecretKey: "secret-key-invalid",
+  LocalJWKMissing: "jwk-local-missing",
+  RemoteJWKFailedToLoad: "jwk-remote-failed-to-load",
+  RemoteJWKInvalid: "jwk-remote-invalid",
+  RemoteJWKMissing: "jwk-remote-missing",
+  JWKFailedToResolve: "jwk-failed-to-resolve",
+  JWKKidMismatch: "jwk-kid-mismatch"
+};
+var TokenVerificationError = class _TokenVerificationError extends Error {
+  reason;
+  tokenCarrier;
+  constructor({
+    message,
+    reason
+  }) {
+    super(message);
+    Object.setPrototypeOf(this, _TokenVerificationError.prototype);
+    this.reason = reason;
+    this.message = message;
+  }
+  getFullMessage() {
+    return `${[this.message].filter((m) => m).join(" ")} (reason=${this.reason}, token-carrier=${this.tokenCarrier})`;
+  }
+};
+
+// src/utils/mapDecode.ts
+function mapJwtPayloadToDecodedAppCheckToken(payload) {
+  const decodedAppCheckToken = payload;
+  decodedAppCheckToken.app_id = decodedAppCheckToken.sub;
+  return decodedAppCheckToken;
+}
+
+// src/utils/rfc4648.ts
+var base64url = {
+  parse(string, opts) {
+    return parse(string, base64UrlEncoding, opts);
+  },
+  stringify(data, opts) {
+    return stringify(data, base64UrlEncoding, opts);
+  }
+};
+var base64UrlEncoding = {
+  chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_",
+  bits: 6
+};
+function parse(string, encoding, opts = {}) {
+  if (!encoding.codes) {
+    encoding.codes = {};
+    for (let i = 0; i < encoding.chars.length; ++i) {
+      encoding.codes[encoding.chars[i]] = i;
+    }
+  }
+  if (!opts.loose && string.length * encoding.bits & 7) {
+    throw new SyntaxError("Invalid padding");
+  }
+  let end = string.length;
+  while (string[end - 1] === "=") {
+    --end;
+    if (!opts.loose && !((string.length - end) * encoding.bits & 7)) {
+      throw new SyntaxError("Invalid padding");
+    }
+  }
+  const out = new (opts.out ?? Uint8Array)(end * encoding.bits / 8 | 0);
+  let bits = 0;
+  let buffer = 0;
+  let written = 0;
+  for (let i = 0; i < end; ++i) {
+    const value = encoding.codes[string[i]];
+    if (value === void 0) {
+      throw new SyntaxError("Invalid character " + string[i]);
+    }
+    buffer = buffer << encoding.bits | value;
+    bits += encoding.bits;
+    if (bits >= 8) {
+      bits -= 8;
+      out[written++] = 255 & buffer >> bits;
+    }
+  }
+  if (bits >= encoding.bits || 255 & buffer << 8 - bits) {
+    throw new SyntaxError("Unexpected end of data");
+  }
+  return out;
+}
+function stringify(data, encoding, opts = {}) {
+  const { pad = true } = opts;
+  const mask = (1 << encoding.bits) - 1;
+  let out = "";
+  let bits = 0;
+  let buffer = 0;
+  for (let i = 0; i < data.length; ++i) {
+    buffer = buffer << 8 | 255 & data[i];
+    bits += 8;
+    while (bits > encoding.bits) {
+      bits -= encoding.bits;
+      out += encoding.chars[mask & buffer >> bits];
+    }
+  }
+  if (bits) {
+    out += encoding.chars[mask & buffer << encoding.bits - bits];
+  }
+  if (pad) {
+    while (out.length * encoding.bits & 7) {
+      out += "=";
+    }
+  }
+  return out;
+}
+
+// src/jwt/cryptoKeys.ts
+var import_jose2 = require("jose");
+
+// src/jwt/algorithms.ts
+var algToHash = {
+  RS256: "SHA-256",
+  RS384: "SHA-384",
+  RS512: "SHA-512"
+};
+var algs = Object.keys(algToHash);
+
+// src/jwt/verifyContent.ts
+var verifyHeaderKid = (kid) => {
+  if (typeof kid === "undefined") {
+    return;
+  }
+  if (typeof kid !== "string") {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenInvalid,
+      message: `Invalid JWT kid ${JSON.stringify(kid)}. Expected a string.`
+    });
+  }
+};
+var verifySubClaim = (sub) => {
+  if (typeof sub !== "string") {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenVerificationFailed,
+      message: `Subject claim (sub) is required and must be a string. Received ${JSON.stringify(sub)}.`
+    });
+  }
+};
+var verifyExpirationClaim = (exp, clockSkewInMs) => {
+  if (typeof exp !== "number") {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenVerificationFailed,
+      message: `Invalid JWT expiry date (exp) claim ${JSON.stringify(exp)}. Expected a number.`
+    });
+  }
+  const currentDate = new Date(Date.now());
+  const expiryDate = /* @__PURE__ */ new Date(0);
+  expiryDate.setUTCSeconds(exp);
+  const expired = expiryDate.getTime() <= currentDate.getTime() - clockSkewInMs;
+  if (expired) {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenExpired,
+      message: `JWT is expired. Expiry date: ${expiryDate.toUTCString()}, Current date: ${currentDate.toUTCString()}.`
+    });
+  }
+};
+var verifyIssuedAtClaim = (iat, clockSkewInMs) => {
+  if (typeof iat === "undefined") {
+    return;
+  }
+  if (typeof iat !== "number") {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenVerificationFailed,
+      message: `Invalid JWT issued at date claim (iat) ${JSON.stringify(iat)}. Expected a number.`
+    });
+  }
+  const currentDate = new Date(Date.now());
+  const issuedAtDate = /* @__PURE__ */ new Date(0);
+  issuedAtDate.setUTCSeconds(iat);
+  const postIssued = issuedAtDate.getTime() > currentDate.getTime() + clockSkewInMs;
+  if (postIssued) {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenIatInTheFuture,
+      message: `JWT issued at date claim (iat) is in the future. Issued at date: ${issuedAtDate.toUTCString()}; Current date: ${currentDate.toUTCString()};`
+    });
+  }
+};
+
+// src/jwt/verifyJwt.ts
+var DEFAULT_CLOCK_SKEW_IN_MS = 5 * 1e3;
+function ternDecodeJwt(token) {
+  try {
+    const header = (0, import_jose3.decodeProtectedHeader)(token);
+    const payload = (0, import_jose3.decodeJwt)(token);
+    const tokenParts = (token || "").toString().split(".");
+    if (tokenParts.length !== 3) {
+      return {
+        errors: [
+          new TokenVerificationError({
+            reason: TokenVerificationErrorReason.TokenInvalid,
+            message: "Invalid JWT format"
+          })
+        ]
+      };
+    }
+    const [rawHeader, rawPayload, rawSignature] = tokenParts;
+    const signature = base64url.parse(rawSignature, { loose: true });
+    const data = {
+      header,
+      payload,
+      signature,
+      raw: {
+        header: rawHeader,
+        payload: rawPayload,
+        signature: rawSignature,
+        text: token
+      }
+    };
+    return { data };
+  } catch (error) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalid,
+          message: `${error.message || "Invalid Token or Protected Header formatting"} (Token length: ${token?.length}, First 10 chars: ${token?.substring(0, 10)}...)`
+        })
+      ]
+    };
+  }
+}
+async function verifyAppCheckSignature(jwt, getPublicKey2) {
+  const { header, raw } = jwt;
+  const joseAlgorithm = header.alg || "RS256";
+  try {
+    const key = await getPublicKey2();
+    const { payload } = await (0, import_jose3.jwtVerify)(raw.text, key);
+    return { data: payload };
+  } catch (error) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalidSignature,
+          message: error.message
+        })
+      ]
+    };
+  }
+}
+async function verifyAppCheckJwt(token, options) {
+  const { key: getPublicKey2 } = options;
+  const clockSkew = options.clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;
+  const { data: decoded, errors } = ternDecodeJwt(token);
+  if (errors) {
+    return { errors };
+  }
+  const { header, payload } = decoded;
+  try {
+    verifyHeaderKid(header.kid);
+    verifySubClaim(payload.sub);
+    verifyExpirationClaim(payload.exp, clockSkew);
+    verifyIssuedAtClaim(payload.iat, clockSkew);
+  } catch (error) {
+    return { errors: [error] };
+  }
+  const { data: verifiedPayload, errors: signatureErrors } = await verifyAppCheckSignature(
+    decoded,
+    getPublicKey2
+  );
+  if (signatureErrors) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalidSignature,
+          message: "Token signature verification failed."
+        })
+      ]
+    };
+  }
+  const decodedAppCheckToken = mapJwtPayloadToDecodedAppCheckToken(verifiedPayload);
+  return { data: decodedAppCheckToken };
+}
+
+// src/constants.ts
+var FIREBASE_APP_CHECK_AUDIENCE = "https://firebaseappcheck.googleapis.com/google.firebase.appcheck.v1.TokenExchangeService";
+var MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;
+var DEFAULT_CACHE_DURATION = 3600 * 1e3;
+var TOKEN_EXPIRY_THRESHOLD_MILLIS = 5 * 60 * 1e3;
+var GOOGLE_TOKEN_AUDIENCE = "https://accounts.google.com/o/oauth2/token";
+var GOOGLE_AUTH_TOKEN_HOST = "accounts.google.com";
+var GOOGLE_AUTH_TOKEN_PATH = "/o/oauth2/token";
+var ONE_HOUR_IN_SECONDS = 60 * 60;
+var ONE_MINUTE_IN_SECONDS = 60;
+var ONE_MINUTE_IN_MILLIS = ONE_MINUTE_IN_SECONDS * 1e3;
+var ONE_DAY_IN_MILLIS = 24 * 60 * 60 * 1e3;
+var Attributes = {
+  AuthToken: "__ternsecureAuthToken",
+  AuthSignature: "__ternsecureAuthSignature",
+  AuthStatus: "__ternsecureAuthStatus",
+  AuthReason: "__ternsecureAuthReason",
+  AuthMessage: "__ternsecureAuthMessage",
+  TernSecureUrl: "__ternsecureUrl"
+};
+var Cookies = {
+  Session: "__session",
+  CsrfToken: "__terncf",
+  IdToken: "TernSecure_[DEFAULT]",
+  Refresh: "TernSecureID_[DEFAULT]",
+  Custom: "__custom",
+  TernAut: "tern_aut",
+  Handshake: "__ternsecure_handshake",
+  DevBrowser: "__ternsecure_db_jwt",
+  RedirectCount: "__ternsecure_redirect_count",
+  HandshakeNonce: "__ternsecure_handshake_nonce"
+};
+var QueryParameters = {
+  TernSynced: "__tern_synced",
+  SuffixedCookies: "suffixed_cookies",
+  TernRedirectUrl: "__tern_redirect_url",
+  // use the reference to Cookies to indicate that it's the same value
+  DevBrowser: Cookies.DevBrowser,
+  Handshake: Cookies.Handshake,
+  HandshakeHelp: "__tern_help",
+  LegacyDevBrowser: "__dev_session",
+  HandshakeReason: "__tern_hs_reason",
+  HandshakeNonce: Cookies.HandshakeNonce
+};
+var Headers2 = {
+  Accept: "accept",
+  AppCheckToken: "x-ternsecure-appcheck",
+  AuthMessage: "x-ternsecure-auth-message",
+  Authorization: "authorization",
+  AuthReason: "x-ternsecure-auth-reason",
+  AuthSignature: "x-ternsecure-auth-signature",
+  AuthStatus: "x-ternsecure-auth-status",
+  AuthToken: "x-ternsecure-auth-token",
+  CacheControl: "cache-control",
+  TernSecureRedirectTo: "x-ternsecure-redirect-to",
+  TernSecureRequestData: "x-ternsecure-request-data",
+  TernSecureUrl: "x-ternsecure-url",
+  CloudFrontForwardedProto: "cloudfront-forwarded-proto",
+  ContentType: "content-type",
+  ContentSecurityPolicy: "content-security-policy",
+  ContentSecurityPolicyReportOnly: "content-security-policy-report-only",
+  EnableDebug: "x-ternsecure-debug",
+  ForwardedHost: "x-forwarded-host",
+  ForwardedPort: "x-forwarded-port",
+  ForwardedProto: "x-forwarded-proto",
+  Host: "host",
+  Location: "location",
+  Nonce: "x-nonce",
+  Origin: "origin",
+  Referrer: "referer",
+  SecFetchDest: "sec-fetch-dest",
+  UserAgent: "user-agent",
+  ReportingEndpoints: "reporting-endpoints"
+};
+var ContentTypes = {
+  Json: "application/json"
+};
+var constants = {
+  Attributes,
+  Cookies,
+  Headers: Headers2,
+  ContentTypes,
+  QueryParameters
+};
+
+// src/utils/config.ts
+var loadAdminConfig = () => ({
+  projectId: process.env.FIREBASE_PROJECT_ID || "",
+  clientEmail: process.env.FIREBASE_CLIENT_EMAIL || "",
+  privateKey: process.env.FIREBASE_PRIVATE_KEY || ""
+});
+var validateAdminConfig = (config) => {
+  const requiredFields = [
+    "projectId",
+    "clientEmail",
+    "privateKey"
+  ];
+  const errors = [];
+  requiredFields.forEach((field) => {
+    if (!config[field]) {
+      errors.push(`Missing required field: FIREBASE_${String(field).toUpperCase()}`);
+    }
+  });
+  return {
+    isValid: errors.length === 0,
+    errors,
+    config
+  };
+};
+var initializeAdminConfig = () => {
+  const config = loadAdminConfig();
+  const validationResult = validateAdminConfig(config);
+  if (!validationResult.isValid) {
+    throw new Error(
+      `Firebase Admin configuration validation failed:
+${validationResult.errors.join("\n")}`
+    );
+  }
+  return config;
+};
+
+// src/jwt/guardReturn.ts
+function createJwtGuard(decodedFn) {
+  return (...args) => {
+    const { data, errors } = decodedFn(...args);
+    if (errors) {
+      throw errors[0];
+    }
+    return data;
+  };
+}
+
+// src/jwt/jwt.ts
+var import_jose4 = require("jose");
+
+// src/jwt/signJwt.ts
+var import_jose5 = require("jose");
+
+// src/utils/fetcher.ts
+async function getDetailFromResponse(response) {
+  const json = await response.json();
+  if (!json) {
+    return "Missing error payload";
+  }
+  let detail = typeof json.error === "string" ? json.error : json.error?.message ?? "Missing error payload";
+  if (json.error_description) {
+    detail += " (" + json.error_description + ")";
+  }
+  return detail;
+}
+async function fetchText(url, init) {
+  return (await fetchAny(url, init)).text();
+}
+async function fetchJson(url, init) {
+  return (await fetchAny(url, init)).json();
+}
+async function fetchAny(url, init) {
+  const response = await fetch(url, init);
+  if (!response.ok) {
+    throw new Error(await getDetailFromResponse(response));
+  }
+  return response;
+}
+
+// src/jwt/types.ts
+var ALGORITHM_RS256 = "RS256";
+
+// src/jwt/signJwt.ts
+async function ternSignJwt(opts) {
+  const { payload, privateKey, keyId } = opts;
+  let key;
+  try {
+    key = await (0, import_jose5.importPKCS8)(privateKey, ALGORITHM_RS256);
+  } catch (error) {
+    throw new TokenVerificationError({
+      message: `Failed to import private key: ${error.message}`,
+      reason: TokenVerificationErrorReason.TokenInvalid
+    });
+  }
+  return new import_jose5.SignJWT(payload).setProtectedHeader({ alg: ALGORITHM_RS256, kid: keyId }).sign(key);
+}
+function formatBase64(value) {
+  return value.replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
+}
+function encodeSegment(segment) {
+  const value = JSON.stringify(segment);
+  return formatBase64(import_jose5.base64url.encode(value));
+}
+async function ternSignBlob({
+  payload,
+  serviceAccountId,
+  accessToken
+}) {
+  const url = `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${serviceAccountId}:signBlob`;
+  const header = {
+    alg: ALGORITHM_RS256,
+    typ: "JWT"
+  };
+  const token = `${encodeSegment(header)}.${encodeSegment(payload)}`;
+  const request = {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${accessToken}`
+    },
+    body: JSON.stringify({ payload: import_jose5.base64url.encode(token) })
+  };
+  const response = await fetchAny(url, request);
+  const blob = await response.blob();
+  const key = await blob.text();
+  const { signedBlob } = JSON.parse(key);
+  return `${token}.${formatBase64(signedBlob)}`;
+}
+
+// src/jwt/crypto-signer.ts
+var ServiceAccountSigner = class {
+  constructor(credential, tenantId) {
+    this.credential = credential;
+    this.tenantId = tenantId;
+  }
+  async getAccountId() {
+    return Promise.resolve(this.credential.clientEmail);
+  }
+  async sign(payload) {
+    if (this.tenantId) {
+      payload.tenant_id = this.tenantId;
+    }
+    return ternSignJwt({ payload, privateKey: this.credential.privateKey });
+  }
+};
+var IAMSigner = class {
+  algorithm = ALGORITHM_RS256;
+  credential;
+  tenantId;
+  serviceAccountId;
+  constructor(credential, tenantId, serviceAccountId) {
+    this.credential = credential;
+    this.tenantId = tenantId;
+    this.serviceAccountId = serviceAccountId;
+  }
+  async sign(payload) {
+    if (this.tenantId) {
+      payload.tenant_id = this.tenantId;
+    }
+    const serviceAccount = await this.getAccountId();
+    const accessToken = await this.credential.getAccessToken();
+    return ternSignBlob({
+      accessToken: accessToken.accessToken,
+      serviceAccountId: serviceAccount,
+      payload
+    });
+  }
+  async getAccountId() {
+    if (this.serviceAccountId) {
+      return this.serviceAccountId;
+    }
+    const token = await this.credential.getAccessToken();
+    const url = "http://metadata/computeMetadata/v1/instance/service-accounts/default/email";
+    const request = {
+      method: "GET",
+      headers: {
+        "Metadata-Flavor": "Google",
+        Authorization: `Bearer ${token.accessToken}`
+      }
+    };
+    return this.serviceAccountId = await fetchText(url, request);
+  }
+};
+
+// src/jwt/index.ts
+var ternDecodeJwt2 = createJwtGuard(ternDecodeJwt);
+
+// src/auth/credential.ts
+var accessTokenCache = /* @__PURE__ */ new Map();
+async function requestAccessToken(urlString, init) {
+  const json = await fetchJson(urlString, init);
+  if (!json.access_token || !json.expires_in) {
+    throw new Error("Invalid access token response");
+  }
+  return {
+    accessToken: json.access_token,
+    expirationTime: Date.now() + json.expires_in * 1e3
+  };
+}
+var ServiceAccountManager = class {
+  projectId;
+  privateKey;
+  clientEmail;
+  constructor(serviceAccount) {
+    this.projectId = serviceAccount.projectId;
+    this.privateKey = serviceAccount.privateKey;
+    this.clientEmail = serviceAccount.clientEmail;
+  }
+  fetchAccessToken = async (url) => {
+    const token = await this.createJwt();
+    const postData = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" + token;
+    return requestAccessToken(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Authorization: `Bearer ${token}`,
+        Accept: "application/json"
+      },
+      body: postData
+    });
+  };
+  fetchAndCacheAccessToken = async (url) => {
+    const accessToken = await this.fetchAccessToken(url);
+    accessTokenCache.set(this.projectId, accessToken);
+    return accessToken;
+  };
+  getAccessToken = async (refresh) => {
+    const url = `https://${GOOGLE_AUTH_TOKEN_HOST}${GOOGLE_AUTH_TOKEN_PATH}`;
+    if (refresh) {
+      return this.fetchAndCacheAccessToken(url);
+    }
+    const cachedResponse = accessTokenCache.get(this.projectId);
+    if (!cachedResponse || cachedResponse.expirationTime - Date.now() <= TOKEN_EXPIRY_THRESHOLD_MILLIS) {
+      return this.fetchAndCacheAccessToken(url);
+    }
+    return cachedResponse;
+  };
+  createJwt = async () => {
+    const iat = Math.floor(Date.now() / 1e3);
+    const payload = {
+      aud: GOOGLE_TOKEN_AUDIENCE,
+      iat,
+      exp: iat + ONE_HOUR_IN_SECONDS,
+      iss: this.clientEmail,
+      sub: this.clientEmail,
+      scope: [
+        "https://www.googleapis.com/auth/cloud-platform",
+        "https://www.googleapis.com/auth/firebase.database",
+        "https://www.googleapis.com/auth/firebase.messaging",
+        "https://www.googleapis.com/auth/identitytoolkit",
+        "https://www.googleapis.com/auth/userinfo.email"
+      ].join(" ")
+    };
+    return ternSignJwt({
+      payload,
+      privateKey: this.privateKey
+    });
+  };
+};
+
+// src/utils/token-generator.ts
+function cryptoSignerFromCredential(credential, tenantId, serviceAccountId) {
+  if (credential instanceof ServiceAccountManager) {
+    return new ServiceAccountSigner(credential, tenantId);
+  }
+  return new IAMSigner(credential, tenantId, serviceAccountId);
+}
+
+// src/app-check/AppCheckApi.ts
+function getSdkVersion() {
+  return "12.7.0";
+}
+var FIREBASE_APP_CHECK_CONFIG_HEADERS = {
+  "X-Firebase-Client": `fire-admin-node/${getSdkVersion()}`
+};
+var AppCheckApi = class {
+  constructor(credential) {
+    this.credential = credential;
+  }
+  async exchangeToken(params) {
+    const { projectId, appId, customToken, limitedUse = false } = params;
+    const token = await this.credential.getAccessToken(false);
+    if (!projectId || !appId) {
+      throw new Error("Project ID and App ID are required for App Check token exchange");
+    }
+    const endpoint = `https://firebaseappcheck.googleapis.com/v1/projects/${projectId}/apps/${appId}:exchangeCustomToken`;
+    const headers = {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${token.accessToken}`
+    };
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers,
+        body: JSON.stringify({ customToken, limitedUse })
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      return {
+        token: data.token,
+        ttl: data.ttl
+      };
+    } catch (error) {
+      console.warn("[ternsecure - appcheck api]unexpected error:", error);
+      throw error;
+    }
+  }
+  async exchangeDebugToken(params) {
+    const { projectId, appId, customToken, accessToken, limitedUse = false } = params;
+    if (!projectId || !appId) {
+      throw new Error("Project ID and App ID are required for App Check token exchange");
+    }
+    const endpoint = `https://firebaseappcheck.googleapis.com/v1beta/projects/${projectId}/apps/${appId}:exchangeDebugToken`;
+    const headers = {
+      ...FIREBASE_APP_CHECK_CONFIG_HEADERS,
+      "Authorization": `Bearer ${accessToken}`
+    };
+    const body = {
+      customToken,
+      limitedUse
+    };
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(body)
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      return {
+        token: data.token,
+        ttl: data.ttl
+      };
+    } catch (error) {
+      console.warn("[ternsecure - appcheck api]unexpected error:", error);
+      throw error;
+    }
+  }
+};
+
+// src/app-check/generator.ts
+function transformMillisecondsToSecondsString(milliseconds) {
+  let duration;
+  const seconds = Math.floor(milliseconds / 1e3);
+  const nanos = Math.floor((milliseconds - seconds * 1e3) * 1e6);
+  if (nanos > 0) {
+    let nanoString = nanos.toString();
+    while (nanoString.length < 9) {
+      nanoString = "0" + nanoString;
+    }
+    duration = `${seconds}.${nanoString}s`;
+  } else {
+    duration = `${seconds}s`;
+  }
+  return duration;
+}
+var AppCheckTokenGenerator = class {
+  signer;
+  constructor(signer) {
+    this.signer = signer;
+  }
+  async createCustomToken(appId, options) {
+    if (!appId) {
+      throw new Error(
+        "appId is invalid"
+      );
+    }
+    let customOptions = {};
+    if (typeof options !== "undefined") {
+      customOptions = this.validateTokenOptions(options);
+    }
+    const account = await this.signer.getAccountId();
+    const iat = Math.floor(Date.now() / 1e3);
+    const body = {
+      iss: account,
+      sub: account,
+      app_id: appId,
+      aud: FIREBASE_APP_CHECK_AUDIENCE,
+      exp: iat + ONE_MINUTE_IN_SECONDS * 5,
+      iat,
+      ...customOptions
+    };
+    return this.signer.sign(body);
+  }
+  validateTokenOptions(options) {
+    if (typeof options.ttlMillis !== "undefined") {
+      if (options.ttlMillis < ONE_MINUTE_IN_MILLIS * 30 || options.ttlMillis > ONE_DAY_IN_MILLIS * 7) {
+        throw new Error(
+          "ttlMillis must be a duration in milliseconds between 30 minutes and 7 days (inclusive)."
+        );
+      }
+      return { ttl: transformMillisecondsToSecondsString(options.ttlMillis) };
+    }
+    return {};
+  }
+};
+
+// src/app-check/serverAppCheck.ts
+var import_redis = require("@upstash/redis");
+
+// src/admin/sessionTernSecure.ts
+var import_errors6 = require("@tern-secure/shared/errors");
+
+// src/utils/admin-init.ts
+var import_firebase_admin = __toESM(require("firebase-admin"));
+var import_app_check2 = require("firebase-admin/app-check");
+if (!import_firebase_admin.default.apps.length) {
+  try {
+    const config = initializeAdminConfig();
+    import_firebase_admin.default.initializeApp({
+      credential: import_firebase_admin.default.credential.cert({
+        ...config,
+        privateKey: config.privateKey.replace(/\\n/g, "\n")
+      })
+    });
+  } catch (error) {
+    console.error("Firebase admin initialization error", error);
+  }
+}
+var adminTernSecureAuth = import_firebase_admin.default.auth();
+var adminTernSecureDb = import_firebase_admin.default.firestore();
+var TernSecureTenantManager = import_firebase_admin.default.auth().tenantManager();
+var appCheckAdmin = (0, import_app_check2.getAppCheck)();
+
+// src/admin/sessionTernSecure.ts
+var DEFAULT_COOKIE_CONFIG = {
+  DEFAULT_EXPIRES_IN_MS: 5 * 60 * 1e3,
+  // 5 minutes
+  DEFAULT_EXPIRES_IN_SECONDS: 5 * 60,
+  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true
+};
+var DEFAULT_COOKIE_OPTIONS = {
+  httpOnly: true,
+  secure: process.env.NODE_ENV === "production",
+  sameSite: "strict",
+  path: "/"
+};
+
+// src/admin/nextSessionTernSecure.ts
+var import_cookie = require("@tern-secure/shared/cookie");
+var import_errors7 = require("@tern-secure/shared/errors");
+var import_headers = require("next/headers");
+var SESSION_CONSTANTS = {
+  COOKIE_NAME: constants.Cookies.Session,
+  DEFAULT_EXPIRES_IN_MS: 60 * 60 * 24 * 5 * 1e3,
+  // 5 days
+  DEFAULT_EXPIRES_IN_SECONDS: 60 * 60 * 24 * 5,
+  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true
+};
+
+// src/tokens/ternSecureRequest.ts
+var import_cookie2 = require("cookie");
+
+// src/admin/user.ts
+var import_errors8 = require("@tern-secure/shared/errors");
+
+// src/app-check/serverAppCheck.ts
+var ServerAppCheckManager = class _ServerAppCheckManager {
+  static instances = /* @__PURE__ */ new Map();
+  memoryCache = /* @__PURE__ */ new Map();
+  redisClient = null;
+  options;
+  pendingTokens = /* @__PURE__ */ new Map();
+  constructor(options) {
+    const defaultOptions = {
+      strategy: "memory",
+      ttlMillis: 36e5,
+      // 1 hour
+      refreshBufferMillis: 3e5,
+      // 5 minutes
+      keyPrefix: "appcheck:token:",
+      skipInMemoryFirst: false
+    };
+    this.options = { ...defaultOptions, ...options };
+    if (this.options.strategy === "redis" && this.options.redis) {
+      void this.initializeRedis(this.options.redis);
+    }
+  }
+  initializeRedis = (config) => {
+    if (!config) {
+      throw new Error('[AppCheck] Redis configuration is required when strategy is "redis"');
+    }
+    try {
+      this.redisClient = new import_redis.Redis({
+        url: config.url,
+        token: config.token
+      });
+      console.info("[AppCheck] Redis client initialized for token caching");
+    } catch (error) {
+      console.error("[AppCheck] Failed to initialize Redis client:", error);
+      throw new Error('[AppCheck] Redis initialization failed. Install "@upstash/redis" package.');
+    }
+  };
+  static getInstance(options) {
+    const key = options?.strategy || "memory";
+    if (!_ServerAppCheckManager.instances.has(key)) {
+      _ServerAppCheckManager.instances.set(key, new _ServerAppCheckManager(options));
+    }
+    const instance = _ServerAppCheckManager.instances.get(key);
+    if (!instance) {
+      throw new Error("[AppCheck] Failed to get instance");
+    }
+    return instance;
+  }
+  buildCacheKey(appId) {
+    return `${this.options.keyPrefix}${appId}`;
+  }
+  getCachedToken = async (appId) => {
+    if (this.options.strategy === "memory") {
+      return this.memoryCache.get(appId) || null;
+    }
+    if (this.options.strategy === "redis") {
+      if (!this.options.skipInMemoryFirst) {
+        const memCached = this.memoryCache.get(appId);
+        if (memCached) {
+          return memCached;
+        }
+      }
+      if (this.redisClient) {
+        try {
+          const key = this.buildCacheKey(appId);
+          const cached = await this.redisClient.get(key);
+          if (cached) {
+            const parsed = typeof cached === "string" ? JSON.parse(cached) : cached;
+            if (!this.options.skipInMemoryFirst) {
+              this.memoryCache.set(appId, parsed);
+            }
+            return parsed;
+          }
+        } catch (error) {
+          console.error("[AppCheck] Redis get error:", error);
+        }
+      }
+    }
+    return null;
+  };
+  setCachedToken = async (appId, token, expiresAt) => {
+    const cachedToken = { token, expiresAt };
+    this.memoryCache.set(appId, cachedToken);
+    if (this.options.strategy === "memory") {
+      return;
+    }
+    if (this.options.strategy === "redis" && this.redisClient) {
+      try {
+        const key = this.buildCacheKey(appId);
+        const ttl = expiresAt - Date.now();
+        await this.redisClient.set(key, JSON.stringify(cachedToken), {
+          px: ttl
+          // Expiry in milliseconds (lowercase for Upstash)
+        });
+      } catch (error) {
+        console.error("[AppCheck] Redis set error:", error);
+      }
+    }
+  };
+  getOrGenerateToken = async (appId) => {
+    const cached = await this.getCachedToken(appId);
+    const now = Date.now();
+    if (cached && cached.expiresAt > now + this.options.refreshBufferMillis) {
+      return cached.token;
+    }
+    const pending = this.pendingTokens.get(appId);
+    if (pending) {
+      return pending;
+    }
+    const tokenPromise = this.generateAndCacheToken(appId);
+    this.pendingTokens.set(appId, tokenPromise);
+    try {
+      const token = await tokenPromise;
+      return token;
+    } finally {
+      this.pendingTokens.delete(appId);
+    }
+  };
+  /**
+   * Generate and cache a new token
+   */
+  generateAndCacheToken = async (appId) => {
+    try {
+      const now = Date.now();
+      const appCheckToken = await appCheckAdmin.createToken(appId, {
+        ttlMillis: this.options.ttlMillis
+      });
+      const expiresAt = now + this.options.ttlMillis;
+      await this.setCachedToken(appId, appCheckToken.token, expiresAt);
+      return appCheckToken.token;
+    } catch (error) {
+      console.error("[AppCheck] Failed to generate token:", error);
+      return null;
+    }
+  };
+  clearCache = async (appId) => {
+    if (appId) {
+      this.memoryCache.delete(appId);
+    } else {
+      this.memoryCache.clear();
+    }
+    if (this.options.strategy === "redis" && this.redisClient) {
+      try {
+        if (appId) {
+          const key = this.buildCacheKey(appId);
+          await this.redisClient.del(key);
+        }
+      } catch (error) {
+        console.error("[AppCheck] Redis delete error:", error);
+      }
+    }
+  };
+  getCacheStats() {
+    const now = Date.now();
+    const entries = Array.from(this.memoryCache.entries()).map(([appId, cached]) => ({
+      appId,
+      expiresIn: Math.max(0, cached.expiresAt - now)
+    }));
+    return {
+      strategy: this.options.strategy,
+      memorySize: this.memoryCache.size,
+      entries
+    };
+  }
+  /**
+   * Close Redis connection
+   */
+  disconnect() {
+    if (this.redisClient) {
+      this.redisClient = null;
+    }
+  }
+};
+
+// src/app-check/verifier.ts
+var import_jose6 = require("jose");
+var getPublicKey = async (header, keyURL) => {
+  const jswksUrl = new URL(keyURL);
+  const getKey = (0, import_jose6.createRemoteJWKSet)(jswksUrl);
+  return getKey(header);
+};
+var verifyAppCheckToken = async (token, options) => {
+  const { data: decodedResult, errors } = ternDecodeJwt(token);
+  if (errors) {
+    throw errors[0];
+  }
+  const { header } = decodedResult;
+  const { kid } = header;
+  if (!kid) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalid,
+          message: 'JWT "kid" header is missing.'
+        })
+      ]
+    };
+  }
+  try {
+    const getPublicKeyForToken = () => getPublicKey(header, options.keyURL || "");
+    return await verifyAppCheckJwt(token, { ...options, key: getPublicKeyForToken });
+  } catch (error) {
+    if (error instanceof TokenVerificationError) {
+      return { errors: [error] };
+    }
+    return {
+      errors: [error]
+    };
+  }
+};
+var AppcheckTokenVerifier = class {
+  constructor(credential) {
+    this.credential = credential;
+  }
+  verifyToken = async (token, projectId, options) => {
+    const { data, errors } = await verifyAppCheckToken(token, options);
+    if (errors) {
+      throw errors[0];
+    }
+    return data;
+  };
+};
+
+// src/app-check/index.ts
+var JWKS_URL = "https://firebaseappcheck.googleapis.com/v1/jwks";
+var AppCheck = class {
+  client;
+  tokenGenerator;
+  appCheckTokenVerifier;
+  limitedUse;
+  constructor(credential, tenantId, limitedUse) {
+    this.client = new AppCheckApi(credential);
+    this.tokenGenerator = new AppCheckTokenGenerator(
+      cryptoSignerFromCredential(credential, tenantId)
+    );
+    this.appCheckTokenVerifier = new AppcheckTokenVerifier(credential);
+    this.limitedUse = limitedUse;
+  }
+  createToken = (projectId, appId, options) => {
+    return this.tokenGenerator.createCustomToken(appId, options).then((customToken) => {
+      return this.client.exchangeToken({ customToken, projectId, appId });
+    });
+  };
+  verifyToken = async (appCheckToken, projectId, options) => {
+    return this.appCheckTokenVerifier.verifyToken(appCheckToken, projectId, { keyURL: JWKS_URL, ...options }).then((decodedToken) => {
+      return {
+        appId: decodedToken.app_id,
+        token: decodedToken
+      };
+    });
+  };
+};
+function getAppCheck(serviceAccount, tenantId, limitedUse) {
+  return new AppCheck(new ServiceAccountManager(serviceAccount), tenantId, limitedUse);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AppCheck,
+  ServerAppCheckManager,
+  getAppCheck
+});
+//# sourceMappingURL=index.js.map