npm - @tern-secure/backend - Versions diffs - 1.2.0-canary.v20251127235234 → 1.2.0-canary.v20251202164451 - Mend

@tern-secure/backend 1.2.0-canary.v20251127235234 → 1.2.0-canary.v20251202164451

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (91) hide show

package/dist/adapters/index.d.ts +1 -1
package/dist/adapters/index.d.ts.map +1 -1
package/dist/adapters/types.d.ts +42 -0
package/dist/adapters/types.d.ts.map +1 -1
package/dist/admin/index.d.ts +1 -1
package/dist/admin/index.d.ts.map +1 -1
package/dist/admin/index.js +8 -1
package/dist/admin/index.js.map +1 -1
package/dist/admin/index.mjs +24 -598
package/dist/admin/index.mjs.map +1 -1
package/dist/app-check/AppCheckApi.d.ts +14 -0
package/dist/app-check/AppCheckApi.d.ts.map +1 -0
package/dist/app-check/generator.d.ts +9 -0
package/dist/app-check/generator.d.ts.map +1 -0
package/dist/app-check/index.d.ts +18 -0
package/dist/app-check/index.d.ts.map +1 -0
package/dist/app-check/index.js +1135 -0
package/dist/app-check/index.js.map +1 -0
package/dist/app-check/index.mjs +13 -0
package/dist/app-check/index.mjs.map +1 -0
package/dist/app-check/serverAppCheck.d.ts +33 -0
package/dist/app-check/serverAppCheck.d.ts.map +1 -0
package/dist/app-check/types.d.ts +21 -0
package/dist/app-check/types.d.ts.map +1 -0
package/dist/app-check/verifier.d.ts +16 -0
package/dist/app-check/verifier.d.ts.map +1 -0
package/dist/auth/credential.d.ts +5 -5
package/dist/auth/credential.d.ts.map +1 -1
package/dist/auth/getauth.d.ts +2 -1
package/dist/auth/getauth.d.ts.map +1 -1
package/dist/auth/index.d.ts +2 -0
package/dist/auth/index.d.ts.map +1 -1
package/dist/auth/index.js +902 -394
package/dist/auth/index.js.map +1 -1
package/dist/auth/index.mjs +5 -3
package/dist/chunk-34QENCWP.mjs +784 -0
package/dist/chunk-34QENCWP.mjs.map +1 -0
package/dist/{chunk-NXYWC6YO.mjs → chunk-TUYCJY35.mjs} +182 -6
package/dist/chunk-TUYCJY35.mjs.map +1 -0
package/dist/chunk-UCSJDX6Y.mjs +778 -0
package/dist/chunk-UCSJDX6Y.mjs.map +1 -0
package/dist/constants.d.ts +10 -1
package/dist/constants.d.ts.map +1 -1
package/dist/fireRestApi/endpoints/AppCheckApi.d.ts.map +1 -1
package/dist/index.d.ts +4 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +1275 -856
package/dist/index.js.map +1 -1
package/dist/index.mjs +97 -137
package/dist/index.mjs.map +1 -1
package/dist/jwt/crypto-signer.d.ts +21 -0
package/dist/jwt/crypto-signer.d.ts.map +1 -0
package/dist/jwt/index.d.ts +2 -1
package/dist/jwt/index.d.ts.map +1 -1
package/dist/jwt/index.js +119 -2
package/dist/jwt/index.js.map +1 -1
package/dist/jwt/index.mjs +7 -3
package/dist/jwt/signJwt.d.ts +8 -2
package/dist/jwt/signJwt.d.ts.map +1 -1
package/dist/jwt/types.d.ts +6 -0
package/dist/jwt/types.d.ts.map +1 -1
package/dist/jwt/verifyJwt.d.ts +7 -1
package/dist/jwt/verifyJwt.d.ts.map +1 -1
package/dist/tokens/authstate.d.ts +2 -0
package/dist/tokens/authstate.d.ts.map +1 -1
package/dist/tokens/c-authenticateRequestProcessor.d.ts +2 -2
package/dist/tokens/c-authenticateRequestProcessor.d.ts.map +1 -1
package/dist/tokens/keys.d.ts.map +1 -1
package/dist/tokens/request.d.ts.map +1 -1
package/dist/tokens/types.d.ts +6 -4
package/dist/tokens/types.d.ts.map +1 -1
package/dist/utils/config.d.ts.map +1 -1
package/dist/{auth/utils.d.ts → utils/fetcher.d.ts} +2 -1
package/dist/utils/fetcher.d.ts.map +1 -0
package/dist/utils/mapDecode.d.ts +2 -1
package/dist/utils/mapDecode.d.ts.map +1 -1
package/dist/utils/token-generator.d.ts +4 -0
package/dist/utils/token-generator.d.ts.map +1 -0
package/package.json +13 -3
package/dist/auth/constants.d.ts +0 -6
package/dist/auth/constants.d.ts.map +0 -1
package/dist/auth/utils.d.ts.map +0 -1
package/dist/chunk-DJLDUW7J.mjs +0 -414
package/dist/chunk-DJLDUW7J.mjs.map +0 -1
package/dist/chunk-GFH5CXQR.mjs +0 -71
package/dist/chunk-GFH5CXQR.mjs.map +0 -1
package/dist/chunk-NXYWC6YO.mjs.map +0 -1
package/dist/chunk-WIVOBOZR.mjs +0 -86
package/dist/chunk-WIVOBOZR.mjs.map +0 -1
package/dist/utils/gemini_admin-init.d.ts +0 -10
package/dist/utils/gemini_admin-init.d.ts.map +0 -1

package/dist/auth/index.js CHANGED Viewed

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,112 +17,37 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 // src/auth/index.ts
 var auth_exports = {};
 __export(auth_exports, {
+  ServiceAccountManager: () => ServiceAccountManager,
   getAuth: () => getAuth
 });
 module.exports = __toCommonJS(auth_exports);
-// src/jwt/customJwt.ts
-var import_jose = require("jose");
-var CustomTokenError = class extends Error {
-  constructor(message, code) {
-    super(message);
-    this.code = code;
-    this.name = "CustomTokenError";
-  }
-};
-var RESERVED_CLAIMS = [
-  "acr",
-  "amr",
-  "at_hash",
-  "aud",
-  "auth_time",
-  "azp",
-  "cnf",
-  "c_hash",
-  "exp",
-  "firebase",
-  "iat",
-  "iss",
-  "jti",
-  "nbf",
-  "nonce",
-  "sub"
-];
-async function createCustomTokenJwt(uid, developerClaims) {
-  try {
-    const privateKey = process.env.FIREBASE_PRIVATE_KEY;
-    const clientEmail = process.env.FIREBASE_CLIENT_EMAIL;
-    if (!privateKey || !clientEmail) {
-      return {
-        errors: [
-          new CustomTokenError(
-            "Missing FIREBASE_PRIVATE_KEY or FIREBASE_CLIENT_EMAIL environment variables",
-            "MISSING_ENV_VARS"
-          )
-        ]
-      };
-    }
-    if (!uid || typeof uid !== "string") {
-      return {
-        errors: [new CustomTokenError("uid must be a non-empty string", "INVALID_UID")]
-      };
-    }
-    if (uid.length > 128) {
-      return {
-        errors: [new CustomTokenError("uid must not exceed 128 characters", "UID_TOO_LONG")]
-      };
-    }
-    if (developerClaims) {
-      for (const claim of Object.keys(developerClaims)) {
-        if (RESERVED_CLAIMS.includes(claim)) {
-          return {
-            errors: [new CustomTokenError(`Custom claim '${claim}' is reserved`, "RESERVED_CLAIM")]
-          };
-        }
-      }
+// src/jwt/guardReturn.ts
+function createJwtGuard(decodedFn) {
+  return (...args) => {
+    const { data, errors } = decodedFn(...args);
+    if (errors) {
+      throw errors[0];
     }
-    const expiresIn = 3600;
-    const now = Math.floor(Date.now() / 1e3);
-    const parsedPrivateKey = await (0, import_jose.importPKCS8)(privateKey.replace(/\\n/g, "\n"), "RS256");
-    const payload = {
-      iss: clientEmail,
-      sub: clientEmail,
-      aud: "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
-      iat: now,
-      exp: now + expiresIn,
-      uid,
-      ...developerClaims
-    };
-    const jwt = await new import_jose.SignJWT(payload).setProtectedHeader({ alg: "RS256", typ: "JWT" }).setIssuedAt(now).setExpirationTime(now + expiresIn).setIssuer(clientEmail).setSubject(clientEmail).setAudience(
-      "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"
-    ).sign(parsedPrivateKey);
-    return {
-      data: jwt
-    };
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Unknown error occurred";
-    return {
-      errors: [
-        new CustomTokenError(`Failed to create custom token: ${message}`, "TOKEN_CREATION_FAILED")
-      ]
-    };
-  }
-}
-async function createCustomToken(uid, developerClaims) {
-  const { data, errors } = await createCustomTokenJwt(uid, developerClaims);
-  if (errors) {
-    throw errors[0];
-  }
-  return data;
+    return data;
+  };
 }
 // src/jwt/verifyJwt.ts
-var import_jose3 = require("jose");
+var import_jose2 = require("jose");
 // src/utils/errors.ts
 var TokenVerificationErrorReason = {
@@ -163,6 +90,11 @@ function mapJwtPayloadToDecodedIdToken(payload) {
   decodedIdToken.uid = decodedIdToken.sub;
   return decodedIdToken;
 }
+function mapJwtPayloadToDecodedAppCheckToken(payload) {
+  const decodedAppCheckToken = payload;
+  decodedAppCheckToken.app_id = decodedAppCheckToken.sub;
+  return decodedAppCheckToken;
+}
 // src/utils/rfc4648.ts
 var base64url = {
@@ -241,10 +173,10 @@ function stringify(data, encoding, opts = {}) {
 }
 // src/jwt/cryptoKeys.ts
-var import_jose2 = require("jose");
+var import_jose = require("jose");
 async function importKey(key, algorithm) {
   if (typeof key === "object") {
-    const result = await (0, import_jose2.importJWK)(key, algorithm);
+    const result = await (0, import_jose.importJWK)(key, algorithm);
     if (result instanceof Uint8Array) {
       throw new Error("Unexpected Uint8Array result from JWK import");
     }
@@ -252,13 +184,13 @@ async function importKey(key, algorithm) {
   }
   const keyString = key.trim();
   if (keyString.includes("-----BEGIN CERTIFICATE-----")) {
-    return await (0, import_jose2.importX509)(keyString, algorithm);
+    return await (0, import_jose.importX509)(keyString, algorithm);
   }
   if (keyString.includes("-----BEGIN PUBLIC KEY-----")) {
-    return await (0, import_jose2.importSPKI)(keyString, algorithm);
+    return await (0, import_jose.importSPKI)(keyString, algorithm);
   }
   try {
-    return await (0, import_jose2.importSPKI)(keyString, algorithm);
+    return await (0, import_jose.importSPKI)(keyString, algorithm);
   } catch (error) {
     throw new Error(
       `Unsupported key format. Supported formats: X.509 certificate (PEM), SPKI (PEM), JWK (JSON object or string). Error: ${error}`
@@ -341,7 +273,7 @@ async function verifySignature(jwt, key) {
   const joseAlgorithm = header.alg || "RS256";
   try {
     const publicKey = await importKey(key, joseAlgorithm);
-    const { payload } = await (0, import_jose3.jwtVerify)(raw.text, publicKey);
+    const { payload } = await (0, import_jose2.jwtVerify)(raw.text, publicKey);
     return { data: payload };
   } catch (error) {
     return {
@@ -356,8 +288,8 @@ async function verifySignature(jwt, key) {
 }
 function ternDecodeJwt(token) {
   try {
-    const header = (0, import_jose3.decodeProtectedHeader)(token);
-    const payload = (0, import_jose3.decodeJwt)(token);
+    const header = (0, import_jose2.decodeProtectedHeader)(token);
+    const payload = (0, import_jose2.decodeJwt)(token);
     const tokenParts = (token || "").toString().split(".");
     if (tokenParts.length !== 3) {
       return {
@@ -424,179 +356,189 @@ async function verifyJwt(token, options) {
   const decodedIdToken = mapJwtPayloadToDecodedIdToken(verifiedPayload);
   return { data: decodedIdToken };
 }
-// src/constants.ts
-var GOOGLE_PUBLIC_KEYS_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
-var MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;
-var DEFAULT_CACHE_DURATION = 3600 * 1e3;
-var CACHE_CONTROL_REGEX = /max-age=(\d+)/;
-var Cookies = {
-  Session: "__session",
-  CsrfToken: "__terncf",
-  IdToken: "TernSecure_[DEFAULT]",
-  Refresh: "TernSecureID_[DEFAULT]",
-  Custom: "__custom",
-  TernAut: "tern_aut",
-  Handshake: "__ternsecure_handshake",
-  DevBrowser: "__ternsecure_db_jwt",
-  RedirectCount: "__ternsecure_redirect_count",
-  HandshakeNonce: "__ternsecure_handshake_nonce"
-};
-var QueryParameters = {
-  TernSynced: "__tern_synced",
-  SuffixedCookies: "suffixed_cookies",
-  TernRedirectUrl: "__tern_redirect_url",
-  // use the reference to Cookies to indicate that it's the same value
-  DevBrowser: Cookies.DevBrowser,
-  Handshake: Cookies.Handshake,
-  HandshakeHelp: "__tern_help",
-  LegacyDevBrowser: "__dev_session",
-  HandshakeReason: "__tern_hs_reason",
-  HandshakeNonce: Cookies.HandshakeNonce
-};
-// src/tokens/keys.ts
-var cache = {};
-var lastUpdatedAt = 0;
-var googleExpiresAt = 0;
-function getFromCache(kid) {
-  return cache[kid];
-}
-function getCacheValues() {
-  return Object.values(cache);
-}
-function setInCache(kid, certificate, shouldExpire = true) {
-  cache[kid] = certificate;
-  lastUpdatedAt = shouldExpire ? Date.now() : -1;
-}
-async function fetchPublicKeys(keyUrl) {
-  const url = new URL(keyUrl);
-  const response = await fetch(url);
-  if (!response.ok) {
-    throw new TokenVerificationError({
-      message: `Error loading public keys from ${url.href} with code=${response.status} `,
-      reason: TokenVerificationErrorReason.TokenInvalid
-    });
-  }
-  const data = await response.json();
-  const expiresAt = getExpiresAt(response);
-  return {
-    keys: data,
-    expiresAt
-  };
-}
-async function loadJWKFromRemote({
-  keyURL = GOOGLE_PUBLIC_KEYS_URL,
-  skipJwksCache,
-  kid
-}) {
-  if (skipJwksCache || isCacheExpired() || !getFromCache(kid)) {
-    const { keys, expiresAt } = await fetchPublicKeys(keyURL);
-    if (!keys || Object.keys(keys).length === 0) {
-      throw new TokenVerificationError({
-        message: `The JWKS endpoint ${keyURL} returned no keys`,
-        reason: TokenVerificationErrorReason.RemoteJWKFailedToLoad
-      });
-    }
-    googleExpiresAt = expiresAt;
-    Object.entries(keys).forEach(([keyId, cert2]) => {
-      setInCache(keyId, cert2);
-    });
-  }
-  const cert = getFromCache(kid);
-  if (!cert) {
-    getCacheValues();
-    const availableKids = Object.keys(cache).sort().join(", ");
-    throw new TokenVerificationError({
-      message: `No public key found for kid "${kid}". Available kids: [${availableKids}]`,
-      reason: TokenVerificationErrorReason.TokenInvalid
-    });
-  }
-  return cert;
-}
-function isCacheExpired() {
-  const now = Date.now();
-  if (lastUpdatedAt === -1) {
-    return false;
-  }
-  const cacheAge = now - lastUpdatedAt;
-  const maxCacheAge = MAX_CACHE_LAST_UPDATED_AT_SECONDS * 1e3;
-  const localCacheExpired = cacheAge >= maxCacheAge;
-  const googleCacheExpired = now >= googleExpiresAt;
-  const isExpired = localCacheExpired || googleCacheExpired;
-  if (isExpired) {
-    cache = {};
-  }
-  return isExpired;
-}
-function getExpiresAt(res) {
-  const cacheControlHeader = res.headers.get("cache-control");
-  if (!cacheControlHeader) {
-    return Date.now() + DEFAULT_CACHE_DURATION;
+async function verifyAppCheckSignature(jwt, getPublicKey2) {
+  const { header, raw } = jwt;
+  const joseAlgorithm = header.alg || "RS256";
+  try {
+    const key = await getPublicKey2();
+    const { payload } = await (0, import_jose2.jwtVerify)(raw.text, key);
+    return { data: payload };
+  } catch (error) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalidSignature,
+          message: error.message
+        })
+      ]
+    };
   }
-  const maxAgeMatch = cacheControlHeader.match(CACHE_CONTROL_REGEX);
-  const maxAge = maxAgeMatch ? parseInt(maxAgeMatch[1], 10) : DEFAULT_CACHE_DURATION / 1e3;
-  return Date.now() + maxAge * 1e3;
 }
-// src/tokens/verify.ts
-async function verifyToken(token, options) {
-  const { data: decodedResult, errors } = ternDecodeJwt(token);
+async function verifyAppCheckJwt(token, options) {
+  const { key: getPublicKey2 } = options;
+  const clockSkew = options.clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;
+  const { data: decoded, errors } = ternDecodeJwt(token);
   if (errors) {
     return { errors };
   }
-  const { header } = decodedResult;
-  const { kid } = header;
-  if (!kid) {
+  const { header, payload } = decoded;
+  try {
+    verifyHeaderKid(header.kid);
+    verifySubClaim(payload.sub);
+    verifyExpirationClaim(payload.exp, clockSkew);
+    verifyIssuedAtClaim(payload.iat, clockSkew);
+  } catch (error) {
+    return { errors: [error] };
+  }
+  const { data: verifiedPayload, errors: signatureErrors } = await verifyAppCheckSignature(
+    decoded,
+    getPublicKey2
+  );
+  if (signatureErrors) {
     return {
       errors: [
         new TokenVerificationError({
-          reason: TokenVerificationErrorReason.TokenInvalid,
-          message: 'JWT "kid" header is missing.'
+          reason: TokenVerificationErrorReason.TokenInvalidSignature,
+          message: "Token signature verification failed."
         })
       ]
     };
   }
-  try {
-    const key = options.jwtKey || await loadJWKFromRemote({ ...options, kid });
-    if (!key) {
-      return {
-        errors: [
-          new TokenVerificationError({
-            reason: TokenVerificationErrorReason.TokenInvalid,
-            message: `No public key found for kid "${kid}".`
-          })
+  const decodedAppCheckToken = mapJwtPayloadToDecodedAppCheckToken(verifiedPayload);
+  return { data: decodedAppCheckToken };
+}
+// src/jwt/jwt.ts
+var import_jose3 = require("jose");
+// src/jwt/customJwt.ts
+var import_jose4 = require("jose");
+var CustomTokenError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "CustomTokenError";
+  }
+};
+var RESERVED_CLAIMS = [
+  "acr",
+  "amr",
+  "at_hash",
+  "aud",
+  "auth_time",
+  "azp",
+  "cnf",
+  "c_hash",
+  "exp",
+  "firebase",
+  "iat",
+  "iss",
+  "jti",
+  "nbf",
+  "nonce",
+  "sub"
+];
+async function createCustomTokenJwt(uid, developerClaims) {
+  try {
+    const privateKey = process.env.FIREBASE_PRIVATE_KEY;
+    const clientEmail = process.env.FIREBASE_CLIENT_EMAIL;
+    if (!privateKey || !clientEmail) {
+      return {
+        errors: [
+          new CustomTokenError(
+            "Missing FIREBASE_PRIVATE_KEY or FIREBASE_CLIENT_EMAIL environment variables",
+            "MISSING_ENV_VARS"
+          )
         ]
       };
     }
-    return await verifyJwt(token, { ...options, key });
-  } catch (error) {
-    if (error instanceof TokenVerificationError) {
-      return { errors: [error] };
+    if (!uid || typeof uid !== "string") {
+      return {
+        errors: [new CustomTokenError("uid must be a non-empty string", "INVALID_UID")]
+      };
+    }
+    if (uid.length > 128) {
+      return {
+        errors: [new CustomTokenError("uid must not exceed 128 characters", "UID_TOO_LONG")]
+      };
     }
+    if (developerClaims) {
+      for (const claim of Object.keys(developerClaims)) {
+        if (RESERVED_CLAIMS.includes(claim)) {
+          return {
+            errors: [new CustomTokenError(`Custom claim '${claim}' is reserved`, "RESERVED_CLAIM")]
+          };
+        }
+      }
+    }
+    const expiresIn = 3600;
+    const now = Math.floor(Date.now() / 1e3);
+    const parsedPrivateKey = await (0, import_jose4.importPKCS8)(privateKey.replace(/\\n/g, "\n"), "RS256");
+    const payload = {
+      iss: clientEmail,
+      sub: clientEmail,
+      aud: "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
+      iat: now,
+      exp: now + expiresIn,
+      uid,
+      ...developerClaims
+    };
+    const jwt = await new import_jose4.SignJWT(payload).setProtectedHeader({ alg: "RS256", typ: "JWT" }).setIssuedAt(now).setExpirationTime(now + expiresIn).setIssuer(clientEmail).setSubject(clientEmail).setAudience(
+      "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"
+    ).sign(parsedPrivateKey);
     return {
-      errors: [error]
+      data: jwt
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error occurred";
+    return {
+      errors: [
+        new CustomTokenError(`Failed to create custom token: ${message}`, "TOKEN_CREATION_FAILED")
+      ]
     };
   }
 }
-// src/jwt/guardReturn.ts
-function createJwtGuard(decodedFn) {
-  return (...args) => {
-    const { data, errors } = decodedFn(...args);
-    if (errors) {
-      throw errors[0];
-    }
-    return data;
-  };
+async function createCustomToken(uid, developerClaims) {
+  const { data, errors } = await createCustomTokenJwt(uid, developerClaims);
+  if (errors) {
+    throw errors[0];
+  }
+  return data;
 }
-// src/jwt/jwt.ts
-var import_jose4 = require("jose");
 // src/jwt/signJwt.ts
 var import_jose5 = require("jose");
+// src/utils/fetcher.ts
+async function getDetailFromResponse(response) {
+  const json = await response.json();
+  if (!json) {
+    return "Missing error payload";
+  }
+  let detail = typeof json.error === "string" ? json.error : json.error?.message ?? "Missing error payload";
+  if (json.error_description) {
+    detail += " (" + json.error_description + ")";
+  }
+  return detail;
+}
+async function fetchText(url, init) {
+  return (await fetchAny(url, init)).text();
+}
+async function fetchJson(url, init) {
+  return (await fetchAny(url, init)).json();
+}
+async function fetchAny(url, init) {
+  const response = await fetch(url, init);
+  if (!response.ok) {
+    throw new Error(await getDetailFromResponse(response));
+  }
+  return response;
+}
+// src/jwt/types.ts
 var ALGORITHM_RS256 = "RS256";
+// src/jwt/signJwt.ts
 async function ternSignJwt(opts) {
   const { payload, privateKey, keyId } = opts;
   let key;
@@ -604,118 +546,636 @@ async function ternSignJwt(opts) {
     key = await (0, import_jose5.importPKCS8)(privateKey, ALGORITHM_RS256);
   } catch (error) {
     throw new TokenVerificationError({
-      message: `Failed to import private key: ${error.message}`,
+      message: `Failed to import private key: ${error.message}`,
+      reason: TokenVerificationErrorReason.TokenInvalid
+    });
+  }
+  return new import_jose5.SignJWT(payload).setProtectedHeader({ alg: ALGORITHM_RS256, kid: keyId }).sign(key);
+}
+function formatBase64(value) {
+  return value.replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
+}
+function encodeSegment(segment) {
+  const value = JSON.stringify(segment);
+  return formatBase64(import_jose5.base64url.encode(value));
+}
+async function ternSignBlob({
+  payload,
+  serviceAccountId,
+  accessToken
+}) {
+  const url = `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${serviceAccountId}:signBlob`;
+  const header = {
+    alg: ALGORITHM_RS256,
+    typ: "JWT"
+  };
+  const token = `${encodeSegment(header)}.${encodeSegment(payload)}`;
+  const request = {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${accessToken}`
+    },
+    body: JSON.stringify({ payload: import_jose5.base64url.encode(token) })
+  };
+  const response = await fetchAny(url, request);
+  const blob = await response.blob();
+  const key = await blob.text();
+  const { signedBlob } = JSON.parse(key);
+  return `${token}.${formatBase64(signedBlob)}`;
+}
+// src/jwt/crypto-signer.ts
+var ServiceAccountSigner = class {
+  constructor(credential, tenantId) {
+    this.credential = credential;
+    this.tenantId = tenantId;
+  }
+  async getAccountId() {
+    return Promise.resolve(this.credential.clientEmail);
+  }
+  async sign(payload) {
+    if (this.tenantId) {
+      payload.tenant_id = this.tenantId;
+    }
+    return ternSignJwt({ payload, privateKey: this.credential.privateKey });
+  }
+};
+var IAMSigner = class {
+  algorithm = ALGORITHM_RS256;
+  credential;
+  tenantId;
+  serviceAccountId;
+  constructor(credential, tenantId, serviceAccountId) {
+    this.credential = credential;
+    this.tenantId = tenantId;
+    this.serviceAccountId = serviceAccountId;
+  }
+  async sign(payload) {
+    if (this.tenantId) {
+      payload.tenant_id = this.tenantId;
+    }
+    const serviceAccount = await this.getAccountId();
+    const accessToken = await this.credential.getAccessToken();
+    return ternSignBlob({
+      accessToken: accessToken.accessToken,
+      serviceAccountId: serviceAccount,
+      payload
+    });
+  }
+  async getAccountId() {
+    if (this.serviceAccountId) {
+      return this.serviceAccountId;
+    }
+    const token = await this.credential.getAccessToken();
+    const url = "http://metadata/computeMetadata/v1/instance/service-accounts/default/email";
+    const request = {
+      method: "GET",
+      headers: {
+        "Metadata-Flavor": "Google",
+        Authorization: `Bearer ${token.accessToken}`
+      }
+    };
+    return this.serviceAccountId = await fetchText(url, request);
+  }
+};
+// src/jwt/index.ts
+var ternDecodeJwt2 = createJwtGuard(ternDecodeJwt);
+// src/utils/token-generator.ts
+function cryptoSignerFromCredential(credential, tenantId, serviceAccountId) {
+  if (credential instanceof ServiceAccountManager) {
+    return new ServiceAccountSigner(credential, tenantId);
+  }
+  return new IAMSigner(credential, tenantId, serviceAccountId);
+}
+// src/app-check/AppCheckApi.ts
+function getSdkVersion() {
+  return "12.7.0";
+}
+var FIREBASE_APP_CHECK_CONFIG_HEADERS = {
+  "X-Firebase-Client": `fire-admin-node/${getSdkVersion()}`
+};
+var AppCheckApi = class {
+  constructor(credential) {
+    this.credential = credential;
+  }
+  async exchangeToken(params) {
+    const { projectId, appId, customToken, limitedUse = false } = params;
+    const token = await this.credential.getAccessToken(false);
+    if (!projectId || !appId) {
+      throw new Error("Project ID and App ID are required for App Check token exchange");
+    }
+    const endpoint = `https://firebaseappcheck.googleapis.com/v1/projects/${projectId}/apps/${appId}:exchangeCustomToken`;
+    const headers = {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${token.accessToken}`
+    };
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers,
+        body: JSON.stringify({ customToken, limitedUse })
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      return {
+        token: data.token,
+        ttl: data.ttl
+      };
+    } catch (error) {
+      console.warn("[ternsecure - appcheck api]unexpected error:", error);
+      throw error;
+    }
+  }
+  async exchangeDebugToken(params) {
+    const { projectId, appId, customToken, accessToken, limitedUse = false } = params;
+    if (!projectId || !appId) {
+      throw new Error("Project ID and App ID are required for App Check token exchange");
+    }
+    const endpoint = `https://firebaseappcheck.googleapis.com/v1beta/projects/${projectId}/apps/${appId}:exchangeDebugToken`;
+    const headers = {
+      ...FIREBASE_APP_CHECK_CONFIG_HEADERS,
+      "Authorization": `Bearer ${accessToken}`
+    };
+    const body = {
+      customToken,
+      limitedUse
+    };
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(body)
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`App Check token exchange failed: ${response.status} ${errorText}`);
+      }
+      const data = await response.json();
+      return {
+        token: data.token,
+        ttl: data.ttl
+      };
+    } catch (error) {
+      console.warn("[ternsecure - appcheck api]unexpected error:", error);
+      throw error;
+    }
+  }
+};
+// src/constants.ts
+var GOOGLE_PUBLIC_KEYS_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
+var FIREBASE_APP_CHECK_AUDIENCE = "https://firebaseappcheck.googleapis.com/google.firebase.appcheck.v1.TokenExchangeService";
+var MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;
+var DEFAULT_CACHE_DURATION = 3600 * 1e3;
+var CACHE_CONTROL_REGEX = /max-age=(\d+)/;
+var TOKEN_EXPIRY_THRESHOLD_MILLIS = 5 * 60 * 1e3;
+var GOOGLE_TOKEN_AUDIENCE = "https://accounts.google.com/o/oauth2/token";
+var GOOGLE_AUTH_TOKEN_HOST = "accounts.google.com";
+var GOOGLE_AUTH_TOKEN_PATH = "/o/oauth2/token";
+var ONE_HOUR_IN_SECONDS = 60 * 60;
+var ONE_MINUTE_IN_SECONDS = 60;
+var ONE_MINUTE_IN_MILLIS = ONE_MINUTE_IN_SECONDS * 1e3;
+var ONE_DAY_IN_MILLIS = 24 * 60 * 60 * 1e3;
+var Attributes = {
+  AuthToken: "__ternsecureAuthToken",
+  AuthSignature: "__ternsecureAuthSignature",
+  AuthStatus: "__ternsecureAuthStatus",
+  AuthReason: "__ternsecureAuthReason",
+  AuthMessage: "__ternsecureAuthMessage",
+  TernSecureUrl: "__ternsecureUrl"
+};
+var Cookies = {
+  Session: "__session",
+  CsrfToken: "__terncf",
+  IdToken: "TernSecure_[DEFAULT]",
+  Refresh: "TernSecureID_[DEFAULT]",
+  Custom: "__custom",
+  TernAut: "tern_aut",
+  Handshake: "__ternsecure_handshake",
+  DevBrowser: "__ternsecure_db_jwt",
+  RedirectCount: "__ternsecure_redirect_count",
+  HandshakeNonce: "__ternsecure_handshake_nonce"
+};
+var QueryParameters = {
+  TernSynced: "__tern_synced",
+  SuffixedCookies: "suffixed_cookies",
+  TernRedirectUrl: "__tern_redirect_url",
+  // use the reference to Cookies to indicate that it's the same value
+  DevBrowser: Cookies.DevBrowser,
+  Handshake: Cookies.Handshake,
+  HandshakeHelp: "__tern_help",
+  LegacyDevBrowser: "__dev_session",
+  HandshakeReason: "__tern_hs_reason",
+  HandshakeNonce: Cookies.HandshakeNonce
+};
+var Headers2 = {
+  Accept: "accept",
+  AppCheckToken: "x-ternsecure-appcheck",
+  AuthMessage: "x-ternsecure-auth-message",
+  Authorization: "authorization",
+  AuthReason: "x-ternsecure-auth-reason",
+  AuthSignature: "x-ternsecure-auth-signature",
+  AuthStatus: "x-ternsecure-auth-status",
+  AuthToken: "x-ternsecure-auth-token",
+  CacheControl: "cache-control",
+  TernSecureRedirectTo: "x-ternsecure-redirect-to",
+  TernSecureRequestData: "x-ternsecure-request-data",
+  TernSecureUrl: "x-ternsecure-url",
+  CloudFrontForwardedProto: "cloudfront-forwarded-proto",
+  ContentType: "content-type",
+  ContentSecurityPolicy: "content-security-policy",
+  ContentSecurityPolicyReportOnly: "content-security-policy-report-only",
+  EnableDebug: "x-ternsecure-debug",
+  ForwardedHost: "x-forwarded-host",
+  ForwardedPort: "x-forwarded-port",
+  ForwardedProto: "x-forwarded-proto",
+  Host: "host",
+  Location: "location",
+  Nonce: "x-nonce",
+  Origin: "origin",
+  Referrer: "referer",
+  SecFetchDest: "sec-fetch-dest",
+  UserAgent: "user-agent",
+  ReportingEndpoints: "reporting-endpoints"
+};
+var ContentTypes = {
+  Json: "application/json"
+};
+var constants = {
+  Attributes,
+  Cookies,
+  Headers: Headers2,
+  ContentTypes,
+  QueryParameters
+};
+// src/app-check/generator.ts
+function transformMillisecondsToSecondsString(milliseconds) {
+  let duration;
+  const seconds = Math.floor(milliseconds / 1e3);
+  const nanos = Math.floor((milliseconds - seconds * 1e3) * 1e6);
+  if (nanos > 0) {
+    let nanoString = nanos.toString();
+    while (nanoString.length < 9) {
+      nanoString = "0" + nanoString;
+    }
+    duration = `${seconds}.${nanoString}s`;
+  } else {
+    duration = `${seconds}s`;
+  }
+  return duration;
+}
+var AppCheckTokenGenerator = class {
+  signer;
+  constructor(signer) {
+    this.signer = signer;
+  }
+  async createCustomToken(appId, options) {
+    if (!appId) {
+      throw new Error(
+        "appId is invalid"
+      );
+    }
+    let customOptions = {};
+    if (typeof options !== "undefined") {
+      customOptions = this.validateTokenOptions(options);
+    }
+    const account = await this.signer.getAccountId();
+    const iat = Math.floor(Date.now() / 1e3);
+    const body = {
+      iss: account,
+      sub: account,
+      app_id: appId,
+      aud: FIREBASE_APP_CHECK_AUDIENCE,
+      exp: iat + ONE_MINUTE_IN_SECONDS * 5,
+      iat,
+      ...customOptions
+    };
+    return this.signer.sign(body);
+  }
+  validateTokenOptions(options) {
+    if (typeof options.ttlMillis !== "undefined") {
+      if (options.ttlMillis < ONE_MINUTE_IN_MILLIS * 30 || options.ttlMillis > ONE_DAY_IN_MILLIS * 7) {
+        throw new Error(
+          "ttlMillis must be a duration in milliseconds between 30 minutes and 7 days (inclusive)."
+        );
+      }
+      return { ttl: transformMillisecondsToSecondsString(options.ttlMillis) };
+    }
+    return {};
+  }
+};
+// src/app-check/serverAppCheck.ts
+var import_redis = require("@upstash/redis");
+// src/admin/sessionTernSecure.ts
+var import_errors4 = require("@tern-secure/shared/errors");
+// src/utils/admin-init.ts
+var import_firebase_admin = __toESM(require("firebase-admin"));
+var import_app_check = require("firebase-admin/app-check");
+// src/utils/config.ts
+var loadAdminConfig = () => ({
+  projectId: process.env.FIREBASE_PROJECT_ID || "",
+  clientEmail: process.env.FIREBASE_CLIENT_EMAIL || "",
+  privateKey: process.env.FIREBASE_PRIVATE_KEY || ""
+});
+var validateAdminConfig = (config) => {
+  const requiredFields = [
+    "projectId",
+    "clientEmail",
+    "privateKey"
+  ];
+  const errors = [];
+  requiredFields.forEach((field) => {
+    if (!config[field]) {
+      errors.push(`Missing required field: FIREBASE_${String(field).toUpperCase()}`);
+    }
+  });
+  return {
+    isValid: errors.length === 0,
+    errors,
+    config
+  };
+};
+var initializeAdminConfig = () => {
+  const config = loadAdminConfig();
+  const validationResult = validateAdminConfig(config);
+  if (!validationResult.isValid) {
+    throw new Error(
+      `Firebase Admin configuration validation failed:
+${validationResult.errors.join("\n")}`
+    );
+  }
+  return config;
+};
+// src/utils/admin-init.ts
+if (!import_firebase_admin.default.apps.length) {
+  try {
+    const config = initializeAdminConfig();
+    import_firebase_admin.default.initializeApp({
+      credential: import_firebase_admin.default.credential.cert({
+        ...config,
+        privateKey: config.privateKey.replace(/\\n/g, "\n")
+      })
+    });
+  } catch (error) {
+    console.error("Firebase admin initialization error", error);
+  }
+}
+var adminTernSecureAuth = import_firebase_admin.default.auth();
+var adminTernSecureDb = import_firebase_admin.default.firestore();
+var TernSecureTenantManager = import_firebase_admin.default.auth().tenantManager();
+var appCheckAdmin = (0, import_app_check.getAppCheck)();
+// src/admin/sessionTernSecure.ts
+var DEFAULT_COOKIE_CONFIG = {
+  DEFAULT_EXPIRES_IN_MS: 5 * 60 * 1e3,
+  // 5 minutes
+  DEFAULT_EXPIRES_IN_SECONDS: 5 * 60,
+  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true
+};
+var DEFAULT_COOKIE_OPTIONS = {
+  httpOnly: true,
+  secure: process.env.NODE_ENV === "production",
+  sameSite: "strict",
+  path: "/"
+};
+// src/admin/nextSessionTernSecure.ts
+var import_cookie = require("@tern-secure/shared/cookie");
+var import_errors5 = require("@tern-secure/shared/errors");
+var import_headers = require("next/headers");
+var SESSION_CONSTANTS = {
+  COOKIE_NAME: constants.Cookies.Session,
+  DEFAULT_EXPIRES_IN_MS: 60 * 60 * 24 * 5 * 1e3,
+  // 5 days
+  DEFAULT_EXPIRES_IN_SECONDS: 60 * 60 * 24 * 5,
+  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true
+};
+// src/tokens/ternSecureRequest.ts
+var import_cookie2 = require("cookie");
+// src/admin/user.ts
+var import_errors6 = require("@tern-secure/shared/errors");
+// src/app-check/verifier.ts
+var import_jose6 = require("jose");
+var getPublicKey = async (header, keyURL) => {
+  const jswksUrl = new URL(keyURL);
+  const getKey = (0, import_jose6.createRemoteJWKSet)(jswksUrl);
+  return getKey(header);
+};
+var verifyAppCheckToken = async (token, options) => {
+  const { data: decodedResult, errors } = ternDecodeJwt(token);
+  if (errors) {
+    throw errors[0];
+  }
+  const { header } = decodedResult;
+  const { kid } = header;
+  if (!kid) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalid,
+          message: 'JWT "kid" header is missing.'
+        })
+      ]
+    };
+  }
+  try {
+    const getPublicKeyForToken = () => getPublicKey(header, options.keyURL || "");
+    return await verifyAppCheckJwt(token, { ...options, key: getPublicKeyForToken });
+  } catch (error) {
+    if (error instanceof TokenVerificationError) {
+      return { errors: [error] };
+    }
+    return {
+      errors: [error]
+    };
+  }
+};
+var AppcheckTokenVerifier = class {
+  constructor(credential) {
+    this.credential = credential;
+  }
+  verifyToken = async (token, projectId, options) => {
+    const { data, errors } = await verifyAppCheckToken(token, options);
+    if (errors) {
+      throw errors[0];
+    }
+    return data;
+  };
+};
+// src/app-check/index.ts
+var JWKS_URL = "https://firebaseappcheck.googleapis.com/v1/jwks";
+var AppCheck = class {
+  client;
+  tokenGenerator;
+  appCheckTokenVerifier;
+  limitedUse;
+  constructor(credential, tenantId, limitedUse) {
+    this.client = new AppCheckApi(credential);
+    this.tokenGenerator = new AppCheckTokenGenerator(
+      cryptoSignerFromCredential(credential, tenantId)
+    );
+    this.appCheckTokenVerifier = new AppcheckTokenVerifier(credential);
+    this.limitedUse = limitedUse;
+  }
+  createToken = (projectId, appId, options) => {
+    return this.tokenGenerator.createCustomToken(appId, options).then((customToken) => {
+      return this.client.exchangeToken({ customToken, projectId, appId });
+    });
+  };
+  verifyToken = async (appCheckToken, projectId, options) => {
+    return this.appCheckTokenVerifier.verifyToken(appCheckToken, projectId, { keyURL: JWKS_URL, ...options }).then((decodedToken) => {
+      return {
+        appId: decodedToken.app_id,
+        token: decodedToken
+      };
+    });
+  };
+};
+function getAppCheck2(serviceAccount, tenantId, limitedUse) {
+  return new AppCheck(new ServiceAccountManager(serviceAccount), tenantId, limitedUse);
+}
+// src/tokens/keys.ts
+var cache = {};
+var lastUpdatedAt = 0;
+var googleExpiresAt = 0;
+function getFromCache(kid) {
+  return cache[kid];
+}
+function getCacheValues() {
+  return Object.values(cache);
+}
+function setInCache(kid, certificate, shouldExpire = true) {
+  cache[kid] = certificate;
+  lastUpdatedAt = shouldExpire ? Date.now() : -1;
+}
+async function fetchPublicKeys(keyUrl) {
+  const url = new URL(keyUrl);
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new TokenVerificationError({
+      message: `Error loading public keys from ${url.href} with code=${response.status} `,
+      reason: TokenVerificationErrorReason.TokenInvalid
+    });
+  }
+  const data = await response.json();
+  const expiresAt = getExpiresAt(response);
+  return {
+    keys: data,
+    expiresAt
+  };
+}
+async function loadJWKFromRemote({
+  keyURL,
+  skipJwksCache,
+  kid
+}) {
+  const finalKeyURL = keyURL || GOOGLE_PUBLIC_KEYS_URL;
+  if (skipJwksCache || isCacheExpired() || !getFromCache(kid)) {
+    const { keys, expiresAt } = await fetchPublicKeys(finalKeyURL);
+    if (!keys || Object.keys(keys).length === 0) {
+      throw new TokenVerificationError({
+        message: `The JWKS endpoint ${finalKeyURL} returned no keys`,
+        reason: TokenVerificationErrorReason.RemoteJWKFailedToLoad
+      });
+    }
+    googleExpiresAt = expiresAt;
+    Object.entries(keys).forEach(([keyId, cert2]) => {
+      setInCache(keyId, cert2);
+    });
+  }
+  const cert = getFromCache(kid);
+  if (!cert) {
+    getCacheValues();
+    const availableKids = Object.keys(cache).sort().join(", ");
+    throw new TokenVerificationError({
+      message: `No public key found for kid "${kid}". Available kids: [${availableKids}]`,
       reason: TokenVerificationErrorReason.TokenInvalid
     });
   }
-  return new import_jose5.SignJWT(payload).setProtectedHeader({ alg: ALGORITHM_RS256, kid: keyId }).sign(key);
+  return cert;
 }
-// src/jwt/index.ts
-var ternDecodeJwt2 = createJwtGuard(ternDecodeJwt);
-// src/auth/constants.ts
-var TOKEN_EXPIRY_THRESHOLD_MILLIS = 5 * 60 * 1e3;
-var GOOGLE_TOKEN_AUDIENCE = "https://accounts.google.com/o/oauth2/token";
-var GOOGLE_AUTH_TOKEN_HOST = "accounts.google.com";
-var GOOGLE_AUTH_TOKEN_PATH = "/o/oauth2/token";
-var ONE_HOUR_IN_SECONDS = 60 * 60;
-// src/auth/utils.ts
-async function getDetailFromResponse(response) {
-  const json = await response.json();
-  if (!json) {
-    return "Missing error payload";
+function isCacheExpired() {
+  const now = Date.now();
+  if (lastUpdatedAt === -1) {
+    return false;
   }
-  let detail = typeof json.error === "string" ? json.error : json.error?.message ?? "Missing error payload";
-  if (json.error_description) {
-    detail += " (" + json.error_description + ")";
+  const cacheAge = now - lastUpdatedAt;
+  const maxCacheAge = MAX_CACHE_LAST_UPDATED_AT_SECONDS * 1e3;
+  const localCacheExpired = cacheAge >= maxCacheAge;
+  const googleCacheExpired = now >= googleExpiresAt;
+  const isExpired = localCacheExpired || googleCacheExpired;
+  if (isExpired) {
+    cache = {};
   }
-  return detail;
-}
-async function fetchJson(url, init) {
-  return (await fetchAny(url, init)).json();
+  return isExpired;
 }
-async function fetchAny(url, init) {
-  const response = await fetch(url, init);
-  if (!response.ok) {
-    throw new Error(await getDetailFromResponse(response));
+function getExpiresAt(res) {
+  const cacheControlHeader = res.headers.get("cache-control");
+  if (!cacheControlHeader) {
+    return Date.now() + DEFAULT_CACHE_DURATION;
   }
-  return response;
+  const maxAgeMatch = cacheControlHeader.match(CACHE_CONTROL_REGEX);
+  const maxAge = maxAgeMatch ? parseInt(maxAgeMatch[1], 10) : DEFAULT_CACHE_DURATION / 1e3;
+  return Date.now() + maxAge * 1e3;
 }
-// src/auth/credential.ts
-var accessTokenCache = /* @__PURE__ */ new Map();
-async function requestAccessToken(urlString, init) {
-  const json = await fetchJson(urlString, init);
-  if (!json.access_token || !json.expires_in) {
-    throw new Error("Invalid access token response");
+// src/tokens/verify.ts
+async function verifyToken(token, options) {
+  const { data: decodedResult, errors } = ternDecodeJwt(token);
+  if (errors) {
+    return { errors };
   }
-  return {
-    accessToken: json.access_token,
-    expirationTime: Date.now() + json.expires_in * 1e3
-  };
-}
-var ServiceAccountTokenManager = class {
-  projectId;
-  privateKey;
-  clientEmail;
-  constructor(serviceAccount) {
-    this.projectId = serviceAccount.projectId;
-    this.privateKey = serviceAccount.privateKey;
-    this.clientEmail = serviceAccount.clientEmail;
+  const { header } = decodedResult;
+  const { kid } = header;
+  if (!kid) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalid,
+          message: 'JWT "kid" header is missing.'
+        })
+      ]
+    };
   }
-  fetchAccessToken = async (url) => {
-    const token = await this.createJwt();
-    const postData = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" + token;
-    return requestAccessToken(url, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-        Authorization: `Bearer ${token}`,
-        Accept: "application/json"
-      },
-      body: postData
-    });
-  };
-  fetchAndCacheAccessToken = async (url) => {
-    const accessToken = await this.fetchAccessToken(url);
-    accessTokenCache.set(this.projectId, accessToken);
-    return accessToken;
-  };
-  getAccessToken = async (refresh) => {
-    const url = `https://${GOOGLE_AUTH_TOKEN_HOST}${GOOGLE_AUTH_TOKEN_PATH}`;
-    if (refresh) {
-      return this.fetchAndCacheAccessToken(url);
+  try {
+    const key = options.jwtKey || await loadJWKFromRemote({ ...options, kid });
+    if (!key) {
+      return {
+        errors: [
+          new TokenVerificationError({
+            reason: TokenVerificationErrorReason.TokenInvalid,
+            message: `No public key found for kid "${kid}".`
+          })
+        ]
+      };
     }
-    const cachedResponse = accessTokenCache.get(this.projectId);
-    if (!cachedResponse || cachedResponse.expirationTime - Date.now() <= TOKEN_EXPIRY_THRESHOLD_MILLIS) {
-      return this.fetchAndCacheAccessToken(url);
+    return await verifyJwt(token, { ...options, key });
+  } catch (error) {
+    if (error instanceof TokenVerificationError) {
+      return { errors: [error] };
     }
-    return cachedResponse;
-  };
-  createJwt = async () => {
-    const iat = Math.floor(Date.now() / 1e3);
-    const payload = {
-      aud: GOOGLE_TOKEN_AUDIENCE,
-      iat,
-      exp: iat + ONE_HOUR_IN_SECONDS,
-      iss: this.clientEmail,
-      sub: this.clientEmail,
-      scope: [
-        "https://www.googleapis.com/auth/cloud-platform",
-        "https://www.googleapis.com/auth/firebase.database",
-        "https://www.googleapis.com/auth/firebase.messaging",
-        "https://www.googleapis.com/auth/identitytoolkit",
-        "https://www.googleapis.com/auth/userinfo.email"
-      ].join(" ")
+    return {
+      errors: [error]
     };
-    return ternSignJwt({
-      payload,
-      privateKey: this.privateKey
-    });
-  };
-};
+  }
+}
 // src/auth/getauth.ts
 var API_KEY_ERROR = "API Key is required";
@@ -731,17 +1191,8 @@ function parseFirebaseResponse(data) {
   return data;
 }
 function getAuth(options) {
-  const { apiKey, firebaseAdminConfig } = options;
-  const firebaseApiKey = options.firebaseConfig?.apiKey;
-  const effectiveApiKey = apiKey || firebaseApiKey;
-  let credential = null;
-  if (firebaseAdminConfig?.projectId && firebaseAdminConfig?.privateKey && firebaseAdminConfig?.clientEmail) {
-    credential = new ServiceAccountTokenManager({
-      projectId: firebaseAdminConfig.projectId,
-      privateKey: firebaseAdminConfig.privateKey,
-      clientEmail: firebaseAdminConfig.clientEmail
-    });
-  }
+  const { apiKey } = options;
+  const effectiveApiKey = apiKey || process.env.NEXT_PUBLIC_FIREBASE_API_KEY;
   async function getUserData(idToken, localId) {
     if (!effectiveApiKey) {
       throw new Error(API_KEY_ERROR);
@@ -826,43 +1277,12 @@ function getAuth(options) {
       auth_time: decodedCustomIdToken.data.auth_time
     };
   }
-  async function exchangeAppCheckToken(idToken) {
-    if (!credential) {
-      return {
-        data: null,
-        error: new Error(
-          "Firebase Admin config must be provided to exchange App Check tokens."
-        )
-      };
-    }
-    if (!effectiveApiKey) {
-      return { data: null, error: new Error(API_KEY_ERROR) };
-    }
+  async function createAppCheckToken() {
+    const adminConfig = loadAdminConfig();
+    const appId = process.env.NEXT_PUBLIC_FIREBASE_APP_ID || "";
+    const appCheck = getAppCheck2(adminConfig, options.tenantId);
     try {
-      const decoded = await verifyToken(idToken, options);
-      if (decoded.errors) {
-        return { data: null, error: decoded.errors[0] };
-      }
-      const customToken = await createCustomToken(decoded.data.uid, {
-        emailVerified: decoded.data.email_verified,
-        source_sign_in_provider: decoded.data.firebase.sign_in_provider
-      });
-      const projectId = options.firebaseConfig?.projectId;
-      const appId = options.firebaseConfig?.appId;
-      if (!projectId || !appId) {
-        return { data: null, error: new Error("Project ID and App ID are required for App Check") };
-      }
-      const { accessToken } = await credential.getAccessToken();
-      const appCheckResponse = await options.apiClient?.appCheck.exchangeCustomToken({
-        accessToken,
-        projectId,
-        appId,
-        customToken,
-        limitedUse: false
-      });
-      if (!appCheckResponse?.token) {
-        return { data: null, error: new Error("Failed to exchange for App Check token") };
-      }
+      const appCheckResponse = await appCheck.createToken(adminConfig.projectId, appId);
       return {
         data: {
           token: appCheckResponse.token,
@@ -874,16 +1294,104 @@ function getAuth(options) {
       return { data: null, error };
     }
   }
+  async function verifyAppCheckToken2(token) {
+    const adminConfig = loadAdminConfig();
+    const appCheck = getAppCheck2(adminConfig, options.tenantId);
+    try {
+      const decodedToken = await appCheck.verifyToken(token, adminConfig.projectId, {});
+      return {
+        data: decodedToken,
+        error: null
+      };
+    } catch (error) {
+      return { data: null, error };
+    }
+  }
   return {
     getUserData,
     customForIdAndRefreshToken,
     createCustomIdAndRefreshToken,
     refreshExpiredIdToken,
-    exchangeAppCheckToken
+    createAppCheckToken,
+    verifyAppCheckToken: verifyAppCheckToken2
+  };
+}
+// src/auth/credential.ts
+var accessTokenCache = /* @__PURE__ */ new Map();
+async function requestAccessToken(urlString, init) {
+  const json = await fetchJson(urlString, init);
+  if (!json.access_token || !json.expires_in) {
+    throw new Error("Invalid access token response");
+  }
+  return {
+    accessToken: json.access_token,
+    expirationTime: Date.now() + json.expires_in * 1e3
   };
 }
+var ServiceAccountManager = class {
+  projectId;
+  privateKey;
+  clientEmail;
+  constructor(serviceAccount) {
+    this.projectId = serviceAccount.projectId;
+    this.privateKey = serviceAccount.privateKey;
+    this.clientEmail = serviceAccount.clientEmail;
+  }
+  fetchAccessToken = async (url) => {
+    const token = await this.createJwt();
+    const postData = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" + token;
+    return requestAccessToken(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Authorization: `Bearer ${token}`,
+        Accept: "application/json"
+      },
+      body: postData
+    });
+  };
+  fetchAndCacheAccessToken = async (url) => {
+    const accessToken = await this.fetchAccessToken(url);
+    accessTokenCache.set(this.projectId, accessToken);
+    return accessToken;
+  };
+  getAccessToken = async (refresh) => {
+    const url = `https://${GOOGLE_AUTH_TOKEN_HOST}${GOOGLE_AUTH_TOKEN_PATH}`;
+    if (refresh) {
+      return this.fetchAndCacheAccessToken(url);
+    }
+    const cachedResponse = accessTokenCache.get(this.projectId);
+    if (!cachedResponse || cachedResponse.expirationTime - Date.now() <= TOKEN_EXPIRY_THRESHOLD_MILLIS) {
+      return this.fetchAndCacheAccessToken(url);
+    }
+    return cachedResponse;
+  };
+  createJwt = async () => {
+    const iat = Math.floor(Date.now() / 1e3);
+    const payload = {
+      aud: GOOGLE_TOKEN_AUDIENCE,
+      iat,
+      exp: iat + ONE_HOUR_IN_SECONDS,
+      iss: this.clientEmail,
+      sub: this.clientEmail,
+      scope: [
+        "https://www.googleapis.com/auth/cloud-platform",
+        "https://www.googleapis.com/auth/firebase.database",
+        "https://www.googleapis.com/auth/firebase.messaging",
+        "https://www.googleapis.com/auth/identitytoolkit",
+        "https://www.googleapis.com/auth/userinfo.email"
+      ].join(" ")
+    };
+    return ternSignJwt({
+      payload,
+      privateKey: this.privateKey
+    });
+  };
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  ServiceAccountManager,
   getAuth
 });
 //# sourceMappingURL=index.js.map