@tern-secure/backend 1.2.0-canary.v20251127235234 → 1.2.0-canary.v20251202164451

package/dist/chunk-34QENCWP.mjs

@@ -0,0 +1,784 @@
+// src/admin/sessionTernSecure.ts
+import { handleFirebaseAuthError } from "@tern-secure/shared/errors";
+
+// src/constants.ts
+var GOOGLE_PUBLIC_KEYS_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
+var FIREBASE_APP_CHECK_AUDIENCE = "https://firebaseappcheck.googleapis.com/google.firebase.appcheck.v1.TokenExchangeService";
+var MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;
+var DEFAULT_CACHE_DURATION = 3600 * 1e3;
+var CACHE_CONTROL_REGEX = /max-age=(\d+)/;
+var TOKEN_EXPIRY_THRESHOLD_MILLIS = 5 * 60 * 1e3;
+var GOOGLE_TOKEN_AUDIENCE = "https://accounts.google.com/o/oauth2/token";
+var GOOGLE_AUTH_TOKEN_HOST = "accounts.google.com";
+var GOOGLE_AUTH_TOKEN_PATH = "/o/oauth2/token";
+var ONE_HOUR_IN_SECONDS = 60 * 60;
+var ONE_MINUTE_IN_SECONDS = 60;
+var ONE_MINUTE_IN_MILLIS = ONE_MINUTE_IN_SECONDS * 1e3;
+var ONE_DAY_IN_MILLIS = 24 * 60 * 60 * 1e3;
+var Attributes = {
+  AuthToken: "__ternsecureAuthToken",
+  AuthSignature: "__ternsecureAuthSignature",
+  AuthStatus: "__ternsecureAuthStatus",
+  AuthReason: "__ternsecureAuthReason",
+  AuthMessage: "__ternsecureAuthMessage",
+  TernSecureUrl: "__ternsecureUrl"
+};
+var Cookies = {
+  Session: "__session",
+  CsrfToken: "__terncf",
+  IdToken: "TernSecure_[DEFAULT]",
+  Refresh: "TernSecureID_[DEFAULT]",
+  Custom: "__custom",
+  TernAut: "tern_aut",
+  Handshake: "__ternsecure_handshake",
+  DevBrowser: "__ternsecure_db_jwt",
+  RedirectCount: "__ternsecure_redirect_count",
+  HandshakeNonce: "__ternsecure_handshake_nonce"
+};
+var QueryParameters = {
+  TernSynced: "__tern_synced",
+  SuffixedCookies: "suffixed_cookies",
+  TernRedirectUrl: "__tern_redirect_url",
+  // use the reference to Cookies to indicate that it's the same value
+  DevBrowser: Cookies.DevBrowser,
+  Handshake: Cookies.Handshake,
+  HandshakeHelp: "__tern_help",
+  LegacyDevBrowser: "__dev_session",
+  HandshakeReason: "__tern_hs_reason",
+  HandshakeNonce: Cookies.HandshakeNonce
+};
+var Headers2 = {
+  Accept: "accept",
+  AppCheckToken: "x-ternsecure-appcheck",
+  AuthMessage: "x-ternsecure-auth-message",
+  Authorization: "authorization",
+  AuthReason: "x-ternsecure-auth-reason",
+  AuthSignature: "x-ternsecure-auth-signature",
+  AuthStatus: "x-ternsecure-auth-status",
+  AuthToken: "x-ternsecure-auth-token",
+  CacheControl: "cache-control",
+  TernSecureRedirectTo: "x-ternsecure-redirect-to",
+  TernSecureRequestData: "x-ternsecure-request-data",
+  TernSecureUrl: "x-ternsecure-url",
+  CloudFrontForwardedProto: "cloudfront-forwarded-proto",
+  ContentType: "content-type",
+  ContentSecurityPolicy: "content-security-policy",
+  ContentSecurityPolicyReportOnly: "content-security-policy-report-only",
+  EnableDebug: "x-ternsecure-debug",
+  ForwardedHost: "x-forwarded-host",
+  ForwardedPort: "x-forwarded-port",
+  ForwardedProto: "x-forwarded-proto",
+  Host: "host",
+  Location: "location",
+  Nonce: "x-nonce",
+  Origin: "origin",
+  Referrer: "referer",
+  SecFetchDest: "sec-fetch-dest",
+  UserAgent: "user-agent",
+  ReportingEndpoints: "reporting-endpoints"
+};
+var ContentTypes = {
+  Json: "application/json"
+};
+var constants = {
+  Attributes,
+  Cookies,
+  Headers: Headers2,
+  ContentTypes,
+  QueryParameters
+};
+
+// src/utils/admin-init.ts
+import admin from "firebase-admin";
+import { getAppCheck } from "firebase-admin/app-check";
+
+// src/utils/config.ts
+var loadAdminConfig = () => ({
+  projectId: process.env.FIREBASE_PROJECT_ID || "",
+  clientEmail: process.env.FIREBASE_CLIENT_EMAIL || "",
+  privateKey: process.env.FIREBASE_PRIVATE_KEY || ""
+});
+var validateAdminConfig = (config) => {
+  const requiredFields = [
+    "projectId",
+    "clientEmail",
+    "privateKey"
+  ];
+  const errors = [];
+  requiredFields.forEach((field) => {
+    if (!config[field]) {
+      errors.push(`Missing required field: FIREBASE_${String(field).toUpperCase()}`);
+    }
+  });
+  return {
+    isValid: errors.length === 0,
+    errors,
+    config
+  };
+};
+var initializeAdminConfig = () => {
+  const config = loadAdminConfig();
+  const validationResult = validateAdminConfig(config);
+  if (!validationResult.isValid) {
+    throw new Error(
+      `Firebase Admin configuration validation failed:
+${validationResult.errors.join("\n")}`
+    );
+  }
+  return config;
+};
+
+// src/utils/admin-init.ts
+if (!admin.apps.length) {
+  try {
+    const config = initializeAdminConfig();
+    admin.initializeApp({
+      credential: admin.credential.cert({
+        ...config,
+        privateKey: config.privateKey.replace(/\\n/g, "\n")
+      })
+    });
+  } catch (error) {
+    console.error("Firebase admin initialization error", error);
+  }
+}
+var adminTernSecureAuth = admin.auth();
+var adminTernSecureDb = admin.firestore();
+var TernSecureTenantManager = admin.auth().tenantManager();
+var appCheckAdmin = getAppCheck();
+function getAuthForTenant(tenantId) {
+  if (tenantId) {
+    return TernSecureTenantManager.authForTenant(tenantId);
+  }
+  return admin.auth();
+}
+
+// src/admin/sessionTernSecure.ts
+var DEFAULT_COOKIE_CONFIG = {
+  DEFAULT_EXPIRES_IN_MS: 5 * 60 * 1e3,
+  // 5 minutes
+  DEFAULT_EXPIRES_IN_SECONDS: 5 * 60,
+  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true
+};
+var DEFAULT_COOKIE_OPTIONS = {
+  httpOnly: true,
+  secure: process.env.NODE_ENV === "production",
+  sameSite: "strict",
+  path: "/"
+};
+var getCookieName = (baseName, prefix) => {
+  return prefix ? `${prefix}${baseName}` : baseName;
+};
+var createCookieOptions = (maxAge, overrides) => {
+  return {
+    maxAge,
+    httpOnly: overrides?.httpOnly ?? DEFAULT_COOKIE_OPTIONS.httpOnly,
+    secure: overrides?.secure ?? DEFAULT_COOKIE_OPTIONS.secure,
+    sameSite: overrides?.sameSite ?? DEFAULT_COOKIE_OPTIONS.sameSite,
+    path: overrides?.path ?? DEFAULT_COOKIE_OPTIONS.path
+  };
+};
+var getCookiePrefix = () => {
+  const isProduction = process.env.NODE_ENV === "production";
+  return isProduction ? "__HOST-" : "__dev_";
+};
+async function createSessionCookie(params, cookieStore, options) {
+  try {
+    const tenantAuth = getAuthForTenant(options?.tenantId || "");
+    const idToken = typeof params === "string" ? params : params.idToken;
+    const refreshToken = typeof params === "string" ? void 0 : params.refreshToken;
+    if (!idToken) {
+      return {
+        success: false,
+        message: "ID token is required",
+        error: "INVALID_TOKEN"
+      };
+    }
+    let decodedToken;
+    try {
+      decodedToken = await tenantAuth.verifyIdToken(idToken);
+    } catch (verifyError) {
+      const authError = handleFirebaseAuthError(verifyError);
+      return {
+        success: false,
+        message: authError.message,
+        error: authError.code
+      };
+    }
+    const cookiePromises = [];
+    const cookiePrefix = getCookiePrefix();
+    const idTokenCookieName = getCookieName(constants.Cookies.IdToken, cookiePrefix);
+    cookiePromises.push(
+      cookieStore.set(
+        idTokenCookieName,
+        idToken,
+        createCookieOptions(DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS)
+      )
+    );
+    if (refreshToken) {
+      const refreshTokenCookieName = getCookieName(constants.Cookies.Refresh, cookiePrefix);
+      cookiePromises.push(
+        cookieStore.set(
+          refreshTokenCookieName,
+          refreshToken,
+          createCookieOptions(DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS)
+        )
+      );
+    }
+    if (options?.cookies) {
+      const sessionOptions = options.cookies;
+      const sessionCookieName = getCookieName(constants.Cookies.Session);
+      const expiresIn = sessionOptions.maxAge ? sessionOptions.maxAge * 1e3 : DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_MS;
+      try {
+        const sessionCookie = await tenantAuth.createSessionCookie(idToken, { expiresIn });
+        cookiePromises.push(
+          cookieStore.set(
+            sessionCookieName,
+            sessionCookie,
+            createCookieOptions(
+              sessionOptions.maxAge || DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS,
+              {
+                httpOnly: sessionOptions.httpOnly,
+                sameSite: sessionOptions.sameSite,
+                path: sessionOptions.path
+              }
+            )
+          )
+        );
+      } catch (sessionError) {
+        console.error(
+          "[createSessionCookie] Firebase session cookie creation failed:",
+          sessionError
+        );
+        const authError = handleFirebaseAuthError(sessionError);
+        return {
+          success: false,
+          message: authError.message,
+          error: authError.code
+        };
+      }
+    }
+    if (options?.enableCustomToken && decodedToken?.uid) {
+      const customTokenCookieName = getCookieName(constants.Cookies.Custom, cookiePrefix);
+      const customToken = await createCustomToken(decodedToken.uid, options);
+      if (customToken) {
+        cookiePromises.push(
+          cookieStore.set(
+            customTokenCookieName,
+            customToken,
+            createCookieOptions(DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS)
+          )
+        );
+      }
+    }
+    await Promise.all(cookiePromises);
+    return {
+      success: true,
+      message: "Session created successfully",
+      expiresIn: DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS
+    };
+  } catch (error) {
+    console.error("[createSessionCookie] Unexpected error:", error);
+    const authError = handleFirebaseAuthError(error);
+    return {
+      success: false,
+      message: authError.message || "Failed to create session",
+      error: authError.code || "INTERNAL_ERROR"
+    };
+  }
+}
+async function clearSessionCookie(cookieStore, options) {
+  try {
+    const adminAuth = getAuthForTenant(options?.tenantId || "");
+    const cookiePrefix = getCookiePrefix();
+    const sessionCookieName = getCookieName(constants.Cookies.Session, cookiePrefix);
+    const sessionCookie = await cookieStore.get(sessionCookieName);
+    const deletionPromises = [];
+    if (options?.cookies) {
+      deletionPromises.push(cookieStore.delete(sessionCookieName));
+    }
+    const idTokenCookieName = getCookieName(constants.Cookies.IdToken, cookiePrefix);
+    deletionPromises.push(cookieStore.delete(idTokenCookieName));
+    const refreshTokenCookieName = getCookieName(constants.Cookies.Refresh, cookiePrefix);
+    deletionPromises.push(cookieStore.delete(refreshTokenCookieName));
+    const customTokenCookieName = getCookieName(constants.Cookies.Custom, cookiePrefix);
+    deletionPromises.push(cookieStore.delete(customTokenCookieName));
+    const authTimeCookieName = constants.Cookies.TernAut;
+    deletionPromises.push(cookieStore.delete(authTimeCookieName));
+    deletionPromises.push(cookieStore.delete(constants.Cookies.Session));
+    await Promise.all(deletionPromises);
+    if (DEFAULT_COOKIE_CONFIG.REVOKE_REFRESH_TOKENS_ON_SIGNOUT && sessionCookie?.value) {
+      try {
+        const decodedClaims = await adminAuth.verifySessionCookie(sessionCookie.value);
+        await adminAuth.revokeRefreshTokens(decodedClaims.sub);
+      } catch (revokeError) {
+        console.error("[clearSessionCookie] Failed to revoke refresh tokens:", revokeError);
+      }
+    }
+    return {
+      success: true,
+      message: "Session cleared successfully"
+    };
+  } catch (error) {
+    const authError = handleFirebaseAuthError(error);
+    return {
+      success: false,
+      message: authError.message || "Failed to clear session",
+      error: authError.code || "INTERNAL_ERROR"
+    };
+  }
+}
+async function createCustomToken(uid, options) {
+  const adminAuth = getAuthForTenant(options?.tenantId || "");
+  try {
+    const customToken = await adminAuth.createCustomToken(uid);
+    return customToken;
+  } catch (error) {
+    console.error("[createCustomToken] Error creating custom token:", error);
+    return null;
+  }
+}
+async function createCustomTokenClaims(uid, developerClaims) {
+  const adminAuth = getAuthForTenant();
+  try {
+    const customToken = await adminAuth.createCustomToken(uid, developerClaims);
+    return customToken;
+  } catch (error) {
+    console.error("[createCustomToken] Error creating custom token:", error);
+    return "";
+  }
+}
+
+// src/admin/tenant.ts
+async function createTenant(displayName, emailSignInConfig, multiFactorConfig) {
+  try {
+    const tenantConfig = {
+      displayName,
+      emailSignInConfig,
+      ...multiFactorConfig && { multiFactorConfig }
+    };
+    const tenant = await TernSecureTenantManager.createTenant(tenantConfig);
+    return {
+      success: true,
+      tenantId: tenant.tenantId,
+      displayName: tenant.displayName
+    };
+  } catch (error) {
+    console.error("Error creating tenant:", error);
+    throw new Error("Failed to create tenant");
+  }
+}
+async function createTenantUser(email, password, tenantId) {
+  try {
+    const tenantAuth = TernSecureTenantManager.authForTenant(tenantId);
+    const userRecord = await tenantAuth.createUser({
+      email,
+      password,
+      emailVerified: false,
+      disabled: false
+    });
+    return {
+      status: "success",
+      user: userRecord,
+      message: "Tenant user created successfully"
+    };
+  } catch (error) {
+    console.error("Error creating tenant user:", error);
+    throw new Error("Failed to create tenant user");
+  }
+}
+
+// src/admin/nextSessionTernSecure.ts
+import { getCookieName as getCookieName2, getCookiePrefix as getCookiePrefix2 } from "@tern-secure/shared/cookie";
+import { handleFirebaseAuthError as handleFirebaseAuthError2 } from "@tern-secure/shared/errors";
+import { cookies } from "next/headers";
+var SESSION_CONSTANTS = {
+  COOKIE_NAME: constants.Cookies.Session,
+  DEFAULT_EXPIRES_IN_MS: 60 * 60 * 24 * 5 * 1e3,
+  // 5 days
+  DEFAULT_EXPIRES_IN_SECONDS: 60 * 60 * 24 * 5,
+  REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true
+};
+var debugLog = {
+  log: (...args) => {
+    if (process.env.NODE_ENV === "development") {
+      console.log(...args);
+    }
+  },
+  warn: (...args) => {
+    if (process.env.NODE_ENV === "development") {
+      console.warn(...args);
+    }
+  },
+  error: (...args) => {
+    console.error(...args);
+  }
+};
+async function CreateNextSessionCookie(idToken) {
+  try {
+    const expiresIn = 60 * 60 * 24 * 5 * 1e3;
+    const sessionCookie = await adminTernSecureAuth.createSessionCookie(idToken, {
+      expiresIn
+    });
+    const cookieStore = await cookies();
+    cookieStore.set(constants.Cookies.Session, sessionCookie, {
+      maxAge: expiresIn,
+      httpOnly: true,
+      secure: process.env.NODE_ENV === "production",
+      path: "/"
+    });
+    return { success: true, message: "Session created" };
+  } catch (error) {
+    return { success: false, message: "Failed to create session" };
+  }
+}
+async function GetNextServerSessionCookie() {
+  const cookieStore = await cookies();
+  const sessionCookie = cookieStore.get("_session_cookie")?.value;
+  if (!sessionCookie) {
+    throw new Error("No session cookie found");
+  }
+  try {
+    const decondeClaims = await adminTernSecureAuth.verifySessionCookie(sessionCookie, true);
+    return {
+      token: sessionCookie,
+      userId: decondeClaims.uid
+    };
+  } catch (error) {
+    console.error("Error verifying session:", error);
+    throw new Error("Invalid Session");
+  }
+}
+async function GetNextIdToken() {
+  const cookieStore = await cookies();
+  const token = cookieStore.get("_session_token")?.value;
+  if (!token) {
+    throw new Error("No session cookie found");
+  }
+  try {
+    const decodedClaims = await adminTernSecureAuth.verifyIdToken(token);
+    return {
+      token,
+      userId: decodedClaims.uid
+    };
+  } catch (error) {
+    console.error("Error verifying session:", error);
+    throw new Error("Invalid Session");
+  }
+}
+async function SetNextServerSession(token) {
+  try {
+    const cookieStore = await cookies();
+    cookieStore.set("_session_token", token, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === "production",
+      sameSite: "strict",
+      maxAge: 60 * 60,
+      // 1 hour
+      path: "/"
+    });
+    return { success: true, message: "Session created" };
+  } catch {
+    return { success: false, message: "Failed to create session" };
+  }
+}
+async function SetNextServerToken(token) {
+  try {
+    const cookieStore = await cookies();
+    cookieStore.set("_tern", token, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === "production",
+      sameSite: "strict",
+      maxAge: 60 * 60,
+      // 1 hour
+      path: "/"
+    });
+    return { success: true, message: "Session created" };
+  } catch {
+    return { success: false, message: "Failed to create session" };
+  }
+}
+async function VerifyNextTernIdToken(token) {
+  try {
+    const decodedToken = await adminTernSecureAuth.verifyIdToken(token);
+    return {
+      ...decodedToken,
+      valid: true
+    };
+  } catch (error) {
+    console.error("[VerifyNextTernIdToken] Error verifying session:", error);
+    const authError = handleFirebaseAuthError2(error);
+    return {
+      valid: false,
+      error: authError
+    };
+  }
+}
+async function VerifyNextTernSessionCookie(session) {
+  try {
+    const res = await adminTernSecureAuth.verifySessionCookie(session);
+    console.warn("[VerifyNextTernSessionCookie] uid in Decoded Token:", res.uid);
+    return {
+      valid: true,
+      ...res
+    };
+  } catch (error) {
+    console.error("[VerifyNextTernSessionCookie] Error verifying session:", error);
+    const authError = handleFirebaseAuthError2(error);
+    return {
+      valid: false,
+      error: authError
+    };
+  }
+}
+async function ClearNextSessionCookie(tenantId, deleteOptions) {
+  try {
+    const tenantAuth = getAuthForTenant(tenantId || "");
+    const cookieStore = await cookies();
+    const sessionCookie = cookieStore.get(SESSION_CONSTANTS.COOKIE_NAME);
+    const cookiePrefix = getCookiePrefix2();
+    const idTokenCookieName = getCookieName2(constants.Cookies.IdToken, cookiePrefix);
+    const idTokenCookie = cookieStore.get(idTokenCookieName);
+    const finalDeleteOptions = {
+      path: deleteOptions?.path,
+      domain: deleteOptions?.domain,
+      httpOnly: deleteOptions?.httpOnly,
+      secure: deleteOptions?.secure,
+      sameSite: deleteOptions?.sameSite
+    };
+    const idRefreshCustomTokenDeleteOptions = {
+      path: "/",
+      httpOnly: true,
+      secure: process.env.NODE_ENV === "production",
+      sameSite: "strict"
+    };
+    cookieStore.delete({ name: SESSION_CONSTANTS.COOKIE_NAME, ...finalDeleteOptions });
+    cookieStore.delete({ name: constants.Cookies.TernAut });
+    cookieStore.delete({ name: idTokenCookieName, ...idRefreshCustomTokenDeleteOptions });
+    cookieStore.delete({
+      name: getCookieName2(constants.Cookies.Refresh, cookiePrefix),
+      ...idRefreshCustomTokenDeleteOptions
+    });
+    cookieStore.delete({ name: constants.Cookies.Custom, ...idRefreshCustomTokenDeleteOptions });
+    const shouldRevokeTokens = deleteOptions?.revokeRefreshTokensOnSignOut ?? SESSION_CONSTANTS.REVOKE_REFRESH_TOKENS_ON_SIGNOUT;
+    if (shouldRevokeTokens) {
+      try {
+        let userSub;
+        if (sessionCookie?.value) {
+          try {
+            const decodedClaims = await tenantAuth.verifySessionCookie(sessionCookie.value);
+            userSub = decodedClaims.sub;
+          } catch (sessionError) {
+            debugLog.warn(
+              "[ClearNextSessionCookie] Session cookie verification failed:",
+              sessionError
+            );
+          }
+        }
+        if (!userSub) {
+          if (idTokenCookie?.value) {
+            try {
+              const decodedIdToken = await tenantAuth.verifyIdToken(idTokenCookie.value);
+              userSub = decodedIdToken.sub;
+            } catch (idTokenError) {
+              debugLog.warn("[ClearNextSessionCookie] ID token verification failed:", idTokenError);
+            }
+          }
+        }
+        if (userSub) {
+          await tenantAuth.revokeRefreshTokens(userSub);
+          debugLog.log(`[ClearNextSessionCookie] Successfully revoked tokens for user: ${userSub}`);
+        } else {
+          debugLog.warn("[ClearNextSessionCookie] No valid token found for revocation");
+        }
+      } catch (revokeError) {
+        debugLog.error("[ClearNextSessionCookie] Failed to revoke refresh tokens:", revokeError);
+      }
+    }
+    return { success: true, message: "Session cleared successfully" };
+  } catch (error) {
+    debugLog.error("Error clearing session:", error);
+    return { success: false, message: "Failed to clear session cookies" };
+  }
+}
+
+// src/tokens/ternSecureRequest.ts
+import { parse } from "cookie";
+
+// src/tokens/ternUrl.ts
+var TernUrl = class extends URL {
+  isCrossOrigin(other) {
+    return this.origin !== new URL(other.toString()).origin;
+  }
+};
+var createTernUrl = (...args) => {
+  return new TernUrl(...args);
+};
+
+// src/tokens/ternSecureRequest.ts
+var TernSecureRequest = class extends Request {
+  ternUrl;
+  cookies;
+  constructor(input, init) {
+    const url = typeof input !== "string" && "url" in input ? input.url : String(input);
+    super(url, init || typeof input === "string" ? void 0 : input);
+    this.ternUrl = this.deriveUrlFromHeaders(this);
+    this.cookies = this.parseCookies(this);
+  }
+  toJSON() {
+    return {
+      url: this.ternUrl.href,
+      method: this.method,
+      headers: JSON.stringify(Object.fromEntries(this.headers)),
+      ternUrl: this.ternUrl.toString(),
+      cookies: JSON.stringify(Object.fromEntries(this.cookies))
+    };
+  }
+  deriveUrlFromHeaders(req) {
+    const initialUrl = new URL(req.url);
+    const forwardedProto = req.headers.get(constants.Headers.ForwardedProto);
+    const forwardedHost = req.headers.get(constants.Headers.ForwardedHost);
+    const host = req.headers.get(constants.Headers.Host);
+    const protocol = initialUrl.protocol;
+    const resolvedHost = this.getFirstValueFromHeader(forwardedHost) ?? host;
+    const resolvedProtocol = this.getFirstValueFromHeader(forwardedProto) ?? protocol?.replace(/[:/]/, "");
+    const origin = resolvedHost && resolvedProtocol ? `${resolvedProtocol}://${resolvedHost}` : initialUrl.origin;
+    if (origin === initialUrl.origin) {
+      return createTernUrl(initialUrl);
+    }
+    return createTernUrl(initialUrl.pathname + initialUrl.search, origin);
+  }
+  getFirstValueFromHeader(value) {
+    return value?.split(",")[0];
+  }
+  parseCookies(req) {
+    const cookiesRecord = parse(
+      this.decodeCookieValue(req.headers.get("cookie") || "")
+    );
+    return new Map(Object.entries(cookiesRecord));
+  }
+  decodeCookieValue(str) {
+    return str ? str.replace(/(%[0-9A-Z]{2})+/g, decodeURIComponent) : str;
+  }
+};
+var createTernSecureRequest = (...args) => {
+  return args[0] instanceof TernSecureRequest ? args[0] : new TernSecureRequest(...args);
+};
+
+// src/instance/backendInstance.ts
+var createBackendInstance = async (request) => {
+  const ternSecureRequest = createTernSecureRequest(request);
+  const requestState = await authenticateRequest(request);
+  return {
+    ternSecureRequest,
+    requestState
+  };
+};
+async function authenticateRequest(request) {
+  const sessionCookie = request.headers.get("cookie");
+  const sessionToken = sessionCookie?.split(";").find((c) => c.trim().startsWith("_session_cookie="))?.split("=")[1];
+  if (!sessionToken) {
+    throw new Error("No session token found");
+  }
+  const verificationResult = await VerifyNextTernSessionCookie(sessionToken);
+  if (!verificationResult.valid) {
+    throw new Error("Invalid session token");
+  }
+  return signedIn(
+    verificationResult,
+    new Headers(request.headers),
+    sessionToken
+  );
+}
+function signInAuthObject(session) {
+  return {
+    session,
+    userId: session.uid,
+    has: {}
+  };
+}
+function signedIn(session, headers = new Headers(), token) {
+  const authObject = signInAuthObject(session);
+  return {
+    auth: () => authObject,
+    token,
+    headers
+  };
+}
+
+// src/admin/user.ts
+import { handleFirebaseAuthError as handleFirebaseAuthError3 } from "@tern-secure/shared/errors";
+function RetrieveUser(tenantId) {
+  const auth = getAuthForTenant(tenantId);
+  async function getUserUid(uid) {
+    try {
+      const user = await auth.getUser(uid);
+      return { data: user, error: null };
+    } catch (error) {
+      return { data: null, error: handleFirebaseAuthError3(error) };
+    }
+  }
+  async function getUserByEmail(email) {
+    try {
+      const user = await auth.getUserByEmail(email);
+      return { data: user, error: null };
+    } catch (error) {
+      return { data: null, error: handleFirebaseAuthError3(error) };
+    }
+  }
+  async function getUserByPhoneNumber(phoneNumber) {
+    try {
+      const user = await auth.getUserByPhoneNumber(phoneNumber);
+      return { data: user, error: null };
+    } catch (error) {
+      return { data: null, error: handleFirebaseAuthError3(error) };
+    }
+  }
+  return {
+    getUserUid,
+    getUserByEmail,
+    getUserByPhoneNumber
+  };
+}
+
+export {
+  GOOGLE_PUBLIC_KEYS_URL,
+  FIREBASE_APP_CHECK_AUDIENCE,
+  MAX_CACHE_LAST_UPDATED_AT_SECONDS,
+  DEFAULT_CACHE_DURATION,
+  CACHE_CONTROL_REGEX,
+  TOKEN_EXPIRY_THRESHOLD_MILLIS,
+  GOOGLE_TOKEN_AUDIENCE,
+  GOOGLE_AUTH_TOKEN_HOST,
+  GOOGLE_AUTH_TOKEN_PATH,
+  ONE_HOUR_IN_SECONDS,
+  ONE_MINUTE_IN_SECONDS,
+  ONE_MINUTE_IN_MILLIS,
+  ONE_DAY_IN_MILLIS,
+  constants,
+  createTernSecureRequest,
+  loadAdminConfig,
+  initializeAdminConfig,
+  adminTernSecureAuth,
+  adminTernSecureDb,
+  TernSecureTenantManager,
+  appCheckAdmin,
+  createSessionCookie,
+  clearSessionCookie,
+  createCustomTokenClaims,
+  createTenant,
+  createTenantUser,
+  CreateNextSessionCookie,
+  GetNextServerSessionCookie,
+  GetNextIdToken,
+  SetNextServerSession,
+  SetNextServerToken,
+  VerifyNextTernIdToken,
+  VerifyNextTernSessionCookie,
+  ClearNextSessionCookie,
+  createBackendInstance,
+  authenticateRequest,
+  signedIn,
+  RetrieveUser
+};
+//# sourceMappingURL=chunk-34QENCWP.mjs.map