@tern-secure/backend 1.2.0-canary.v20251127235234 → 1.2.0-canary.v20251202164451

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (91) hide show
  1. package/dist/adapters/index.d.ts +1 -1
  2. package/dist/adapters/index.d.ts.map +1 -1
  3. package/dist/adapters/types.d.ts +42 -0
  4. package/dist/adapters/types.d.ts.map +1 -1
  5. package/dist/admin/index.d.ts +1 -1
  6. package/dist/admin/index.d.ts.map +1 -1
  7. package/dist/admin/index.js +8 -1
  8. package/dist/admin/index.js.map +1 -1
  9. package/dist/admin/index.mjs +24 -598
  10. package/dist/admin/index.mjs.map +1 -1
  11. package/dist/app-check/AppCheckApi.d.ts +14 -0
  12. package/dist/app-check/AppCheckApi.d.ts.map +1 -0
  13. package/dist/app-check/generator.d.ts +9 -0
  14. package/dist/app-check/generator.d.ts.map +1 -0
  15. package/dist/app-check/index.d.ts +18 -0
  16. package/dist/app-check/index.d.ts.map +1 -0
  17. package/dist/app-check/index.js +1135 -0
  18. package/dist/app-check/index.js.map +1 -0
  19. package/dist/app-check/index.mjs +13 -0
  20. package/dist/app-check/index.mjs.map +1 -0
  21. package/dist/app-check/serverAppCheck.d.ts +33 -0
  22. package/dist/app-check/serverAppCheck.d.ts.map +1 -0
  23. package/dist/app-check/types.d.ts +21 -0
  24. package/dist/app-check/types.d.ts.map +1 -0
  25. package/dist/app-check/verifier.d.ts +16 -0
  26. package/dist/app-check/verifier.d.ts.map +1 -0
  27. package/dist/auth/credential.d.ts +5 -5
  28. package/dist/auth/credential.d.ts.map +1 -1
  29. package/dist/auth/getauth.d.ts +2 -1
  30. package/dist/auth/getauth.d.ts.map +1 -1
  31. package/dist/auth/index.d.ts +2 -0
  32. package/dist/auth/index.d.ts.map +1 -1
  33. package/dist/auth/index.js +902 -394
  34. package/dist/auth/index.js.map +1 -1
  35. package/dist/auth/index.mjs +5 -3
  36. package/dist/chunk-34QENCWP.mjs +784 -0
  37. package/dist/chunk-34QENCWP.mjs.map +1 -0
  38. package/dist/{chunk-NXYWC6YO.mjs → chunk-TUYCJY35.mjs} +182 -6
  39. package/dist/chunk-TUYCJY35.mjs.map +1 -0
  40. package/dist/chunk-UCSJDX6Y.mjs +778 -0
  41. package/dist/chunk-UCSJDX6Y.mjs.map +1 -0
  42. package/dist/constants.d.ts +10 -1
  43. package/dist/constants.d.ts.map +1 -1
  44. package/dist/fireRestApi/endpoints/AppCheckApi.d.ts.map +1 -1
  45. package/dist/index.d.ts +4 -1
  46. package/dist/index.d.ts.map +1 -1
  47. package/dist/index.js +1275 -856
  48. package/dist/index.js.map +1 -1
  49. package/dist/index.mjs +97 -137
  50. package/dist/index.mjs.map +1 -1
  51. package/dist/jwt/crypto-signer.d.ts +21 -0
  52. package/dist/jwt/crypto-signer.d.ts.map +1 -0
  53. package/dist/jwt/index.d.ts +2 -1
  54. package/dist/jwt/index.d.ts.map +1 -1
  55. package/dist/jwt/index.js +119 -2
  56. package/dist/jwt/index.js.map +1 -1
  57. package/dist/jwt/index.mjs +7 -3
  58. package/dist/jwt/signJwt.d.ts +8 -2
  59. package/dist/jwt/signJwt.d.ts.map +1 -1
  60. package/dist/jwt/types.d.ts +6 -0
  61. package/dist/jwt/types.d.ts.map +1 -1
  62. package/dist/jwt/verifyJwt.d.ts +7 -1
  63. package/dist/jwt/verifyJwt.d.ts.map +1 -1
  64. package/dist/tokens/authstate.d.ts +2 -0
  65. package/dist/tokens/authstate.d.ts.map +1 -1
  66. package/dist/tokens/c-authenticateRequestProcessor.d.ts +2 -2
  67. package/dist/tokens/c-authenticateRequestProcessor.d.ts.map +1 -1
  68. package/dist/tokens/keys.d.ts.map +1 -1
  69. package/dist/tokens/request.d.ts.map +1 -1
  70. package/dist/tokens/types.d.ts +6 -4
  71. package/dist/tokens/types.d.ts.map +1 -1
  72. package/dist/utils/config.d.ts.map +1 -1
  73. package/dist/{auth/utils.d.ts → utils/fetcher.d.ts} +2 -1
  74. package/dist/utils/fetcher.d.ts.map +1 -0
  75. package/dist/utils/mapDecode.d.ts +2 -1
  76. package/dist/utils/mapDecode.d.ts.map +1 -1
  77. package/dist/utils/token-generator.d.ts +4 -0
  78. package/dist/utils/token-generator.d.ts.map +1 -0
  79. package/package.json +13 -3
  80. package/dist/auth/constants.d.ts +0 -6
  81. package/dist/auth/constants.d.ts.map +0 -1
  82. package/dist/auth/utils.d.ts.map +0 -1
  83. package/dist/chunk-DJLDUW7J.mjs +0 -414
  84. package/dist/chunk-DJLDUW7J.mjs.map +0 -1
  85. package/dist/chunk-GFH5CXQR.mjs +0 -71
  86. package/dist/chunk-GFH5CXQR.mjs.map +0 -1
  87. package/dist/chunk-NXYWC6YO.mjs.map +0 -1
  88. package/dist/chunk-WIVOBOZR.mjs +0 -86
  89. package/dist/chunk-WIVOBOZR.mjs.map +0 -1
  90. package/dist/utils/gemini_admin-init.d.ts +0 -10
  91. package/dist/utils/gemini_admin-init.d.ts.map +0 -1
package/dist/chunk-34QENCWP.mjs.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/admin/sessionTernSecure.ts","../src/constants.ts","../src/utils/admin-init.ts","../src/utils/config.ts","../src/admin/tenant.ts","../src/admin/nextSessionTernSecure.ts","../src/tokens/ternSecureRequest.ts","../src/tokens/ternUrl.ts","../src/instance/backendInstance.ts","../src/admin/user.ts"],"sourcesContent":["'use server';\r\nimport { handleFirebaseAuthError } from '@tern-secure/shared/errors';\r\nimport type {\r\n CookieStore,\r\n SessionParams,\r\n SessionResult,\r\n TernSecureHandlerOptions,\r\n} from '@tern-secure/types';\r\n\r\nimport { constants } from '../constants';\r\nimport { getAuthForTenant } from '../utils/admin-init';\r\n\r\n\r\n/**\r\n * Generates cookie name with optional prefix\r\n */\r\n\r\nconst DEFAULT_COOKIE_CONFIG = {\r\n DEFAULT_EXPIRES_IN_MS: 5 * 60 * 1000, // 5 minutes\r\n DEFAULT_EXPIRES_IN_SECONDS: 5 * 60,\r\n REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true,\r\n} as const;\r\n\r\nconst DEFAULT_COOKIE_OPTIONS = {\r\n httpOnly: true,\r\n secure: process.env.NODE_ENV === 'production',\r\n sameSite: 'strict' as const,\r\n path: '/',\r\n} as const;\r\n\r\n/**\r\n * Generates cookie name with optional prefix\r\n */\r\nconst getCookieName = (baseName: string, prefix?: string): string => {\r\n return prefix ? `${prefix}${baseName}` : baseName;\r\n};\r\n\r\n/**\r\n * Creates standard cookie options with optional overrides\r\n */\r\nconst createCookieOptions = (\r\n maxAge: number,\r\n overrides?: {\r\n httpOnly?: boolean;\r\n secure?: boolean;\r\n sameSite?: 'strict' | 'lax' | 'none';\r\n path?: string;\r\n },\r\n) => {\r\n return {\r\n maxAge,\r\n httpOnly: overrides?.httpOnly ?? DEFAULT_COOKIE_OPTIONS.httpOnly,\r\n secure: overrides?.secure ?? DEFAULT_COOKIE_OPTIONS.secure,\r\n sameSite: overrides?.sameSite ?? DEFAULT_COOKIE_OPTIONS.sameSite,\r\n path: overrides?.path ?? DEFAULT_COOKIE_OPTIONS.path,\r\n };\r\n};\r\n\r\n/**\r\n * Determines the appropriate cookie prefix based on environment and options\r\n */\r\nconst getCookiePrefix = (): string => {\r\n const isProduction = process.env.NODE_ENV === 'production';\r\n return isProduction ? '__HOST-' : '__dev_';\r\n};\r\n\r\n/**\r\n * Creates cookies for user session management\r\n * @param params - Session parameters containing idToken and optional refreshToken\r\n * @param cookieStore - Cookie store interface for managing cookies\r\n * @param options - TernSecure handler options containing cookie configurations\r\n */\r\nexport async function createSessionCookie(\r\n params: SessionParams | string,\r\n cookieStore: CookieStore,\r\n options?: TernSecureHandlerOptions,\r\n): Promise<SessionResult> {\r\n try {\r\n const tenantAuth = getAuthForTenant(options?.tenantId || '');\r\n\r\n const idToken = typeof params === 'string' ? params : params.idToken;\r\n const refreshToken = typeof params === 'string' ? undefined : (params as any).refreshToken;\r\n\r\n if (!idToken) {\r\n return {\r\n success: false,\r\n message: 'ID token is required',\r\n error: 'INVALID_TOKEN',\r\n };\r\n }\r\n\r\n // Verify the ID token\r\n let decodedToken;\r\n try {\r\n decodedToken = await tenantAuth.verifyIdToken(idToken);\r\n } catch (verifyError) {\r\n const authError = handleFirebaseAuthError(verifyError);\r\n return {\r\n success: false,\r\n message: authError.message,\r\n error: authError.code,\r\n };\r\n }\r\n\r\n const cookiePromises: Promise<void>[] = [];\r\n const cookiePrefix = getCookiePrefix();\r\n\r\n // Always set idToken cookie by default\r\n const idTokenCookieName = getCookieName(constants.Cookies.IdToken, cookiePrefix);\r\n cookiePromises.push(\r\n cookieStore.set(\r\n idTokenCookieName,\r\n idToken,\r\n createCookieOptions(DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS),\r\n ),\r\n );\r\n\r\n // Always set refreshToken cookie by default if provided\r\n if (refreshToken) {\r\n const refreshTokenCookieName = getCookieName(constants.Cookies.Refresh, cookiePrefix);\r\n cookiePromises.push(\r\n cookieStore.set(\r\n refreshTokenCookieName,\r\n refreshToken,\r\n createCookieOptions(DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS),\r\n ),\r\n );\r\n }\r\n\r\n // Create and set session cookie only if session config is provided\r\n if (options?.cookies) {\r\n const sessionOptions = options.cookies;\r\n const sessionCookieName = getCookieName(constants.Cookies.Session);\r\n const expiresIn = sessionOptions.maxAge\r\n ? sessionOptions.maxAge * 1000\r\n : DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_MS;\r\n\r\n try {\r\n const sessionCookie = await tenantAuth.createSessionCookie(idToken, { expiresIn });\r\n cookiePromises.push(\r\n cookieStore.set(\r\n sessionCookieName,\r\n sessionCookie,\r\n createCookieOptions(\r\n sessionOptions.maxAge || DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS,\r\n {\r\n httpOnly: sessionOptions.httpOnly,\r\n sameSite: sessionOptions.sameSite,\r\n path: sessionOptions.path,\r\n },\r\n ),\r\n ),\r\n );\r\n } catch (sessionError) {\r\n console.error(\r\n '[createSessionCookie] Firebase session cookie creation failed:',\r\n sessionError,\r\n );\r\n const authError = handleFirebaseAuthError(sessionError);\r\n return {\r\n success: false,\r\n message: authError.message,\r\n error: authError.code,\r\n };\r\n }\r\n }\r\n\r\n // Create and set custom token cookie only if enableCustomToken is true\r\n if (options?.enableCustomToken && decodedToken?.uid) {\r\n const customTokenCookieName = getCookieName(constants.Cookies.Custom, cookiePrefix);\r\n const customToken = await createCustomToken(decodedToken.uid, options);\r\n if (customToken) {\r\n cookiePromises.push(\r\n cookieStore.set(\r\n customTokenCookieName,\r\n customToken,\r\n createCookieOptions(DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS),\r\n ),\r\n );\r\n }\r\n }\r\n\r\n await Promise.all(cookiePromises);\r\n\r\n return {\r\n success: true,\r\n message: 'Session created successfully',\r\n expiresIn: DEFAULT_COOKIE_CONFIG.DEFAULT_EXPIRES_IN_SECONDS,\r\n };\r\n } catch (error) {\r\n console.error('[createSessionCookie] Unexpected error:', error);\r\n const authError = handleFirebaseAuthError(error);\r\n return {\r\n success: false,\r\n message: authError.message || 'Failed to create session',\r\n error: authError.code || 'INTERNAL_ERROR',\r\n };\r\n }\r\n}\r\n\r\n/**\r\n * Clears user session cookies\r\n * @param cookieStore - Cookie store interface for managing cookies\r\n * @param options - TernSecure handler options containing cookie configurations\r\n */\r\nexport async function clearSessionCookie(\r\n cookieStore: CookieStore,\r\n options?: TernSecureHandlerOptions,\r\n): Promise<SessionResult> {\r\n try {\r\n const adminAuth = getAuthForTenant(options?.tenantId || '');\r\n const cookiePrefix = getCookiePrefix();\r\n\r\n // Get the session cookie name for revocation purposes\r\n const sessionCookieName = getCookieName(constants.Cookies.Session, cookiePrefix);\r\n const sessionCookie = await cookieStore.get(sessionCookieName);\r\n\r\n const deletionPromises: Promise<void>[] = [];\r\n\r\n // Delete all cookie types\r\n // Session cookie (only if it was configured)\r\n if (options?.cookies) {\r\n deletionPromises.push(cookieStore.delete(sessionCookieName));\r\n }\r\n\r\n // Always delete default cookies\r\n const idTokenCookieName = getCookieName(constants.Cookies.IdToken, cookiePrefix);\r\n deletionPromises.push(cookieStore.delete(idTokenCookieName));\r\n\r\n const refreshTokenCookieName = getCookieName(constants.Cookies.Refresh, cookiePrefix);\r\n deletionPromises.push(cookieStore.delete(refreshTokenCookieName));\r\n\r\n const customTokenCookieName = getCookieName(constants.Cookies.Custom, cookiePrefix);\r\n deletionPromises.push(cookieStore.delete(customTokenCookieName));\r\n\r\n // Delete auth_time cookie\r\n const authTimeCookieName = constants.Cookies.TernAut;\r\n deletionPromises.push(cookieStore.delete(authTimeCookieName));\r\n\r\n // Also delete legacy cookie names for backward compatibility\r\n deletionPromises.push(cookieStore.delete(constants.Cookies.Session));\r\n\r\n await Promise.all(deletionPromises);\r\n\r\n // Revoke refresh tokens if session cookie exists and revocation is enabled\r\n if (DEFAULT_COOKIE_CONFIG.REVOKE_REFRESH_TOKENS_ON_SIGNOUT && sessionCookie?.value) {\r\n try {\r\n const decodedClaims = await adminAuth.verifySessionCookie(sessionCookie.value);\r\n await adminAuth.revokeRefreshTokens(decodedClaims.sub);\r\n } catch (revokeError) {\r\n console.error('[clearSessionCookie] Failed to revoke refresh tokens:', revokeError);\r\n }\r\n }\r\n\r\n return {\r\n success: true,\r\n message: 'Session cleared successfully',\r\n };\r\n } catch (error) {\r\n const authError = handleFirebaseAuthError(error);\r\n return {\r\n success: false,\r\n message: authError.message || 'Failed to clear session',\r\n error: authError.code || 'INTERNAL_ERROR',\r\n };\r\n }\r\n}\r\n\r\n/**\r\n * Creates a custom token for a user\r\n * @param uid - User ID to create the custom token for\r\n * @param options - TernSecure handler options\r\n * @returns Promise resolving to the custom token string or null if creation fails\r\n */\r\nexport async function createCustomToken(\r\n uid: string,\r\n options?: TernSecureHandlerOptions,\r\n): Promise<string | null> {\r\n const adminAuth = getAuthForTenant(options?.tenantId || '');\r\n try {\r\n const customToken = await adminAuth.createCustomToken(uid);\r\n return customToken;\r\n } catch (error) {\r\n console.error('[createCustomToken] Error creating custom token:', error);\r\n return null;\r\n }\r\n}\r\n\r\n\r\nexport async function createCustomTokenClaims(\r\n uid: string,\r\n developerClaims?: { [key: string]: unknown },\r\n): Promise<string> {\r\n const adminAuth = getAuthForTenant();\r\n try {\r\n const customToken = await adminAuth.createCustomToken(uid, developerClaims);\r\n return customToken;\r\n } catch (error) {\r\n console.error('[createCustomToken] Error creating custom token:', error);\r\n return '';\r\n }\r\n}\r\n","export const GOOGLE_PUBLIC_KEYS_URL =\n 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com';\nexport const SESSION_COOKIE_PUBLIC_KEYS_URL =\n 'https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys';\n\nexport const FIREBASE_APP_CHECK_AUDIENCE =\n 'https://firebaseappcheck.googleapis.com/google.firebase.appcheck.v1.TokenExchangeService';\n\nexport const MAX_CACHE_LAST_UPDATED_AT_SECONDS = 5 * 60;\nexport const DEFAULT_CACHE_DURATION = 3600 * 1000; // 1 hour in milliseconds\nexport const CACHE_CONTROL_REGEX = /max-age=(\\d+)/;\n\nexport const TOKEN_EXPIRY_THRESHOLD_MILLIS = 5 * 60 * 1000;\nexport const GOOGLE_TOKEN_AUDIENCE = 'https://accounts.google.com/o/oauth2/token';\nexport const GOOGLE_AUTH_TOKEN_HOST = 'accounts.google.com';\nexport const GOOGLE_AUTH_TOKEN_PATH = '/o/oauth2/token';\nexport const ONE_HOUR_IN_SECONDS = 60 * 60;\n\nexport const ONE_MINUTE_IN_SECONDS = 60;\nexport const ONE_MINUTE_IN_MILLIS = ONE_MINUTE_IN_SECONDS * 1000;\nexport const ONE_DAY_IN_MILLIS = 24 * 60 * 60 * 1000;\n\nconst Attributes = {\n AuthToken: '__ternsecureAuthToken',\n AuthSignature: '__ternsecureAuthSignature',\n AuthStatus: '__ternsecureAuthStatus',\n AuthReason: '__ternsecureAuthReason',\n AuthMessage: '__ternsecureAuthMessage',\n TernSecureUrl: '__ternsecureUrl',\n} as const;\n\nconst Cookies = {\n Session: '__session',\n CsrfToken: '__terncf',\n IdToken: 'TernSecure_[DEFAULT]',\n Refresh: 'TernSecureID_[DEFAULT]',\n Custom: '__custom',\n TernAut: 'tern_aut',\n Handshake: '__ternsecure_handshake',\n DevBrowser: '__ternsecure_db_jwt',\n RedirectCount: '__ternsecure_redirect_count',\n HandshakeNonce: '__ternsecure_handshake_nonce',\n} as const;\n\n\nconst QueryParameters = {\n TernSynced: '__tern_synced',\n SuffixedCookies: 'suffixed_cookies',\n TernRedirectUrl: '__tern_redirect_url',\n // use the reference to Cookies to indicate that it's the same value\n DevBrowser: Cookies.DevBrowser,\n Handshake: Cookies.Handshake,\n HandshakeHelp: '__tern_help',\n LegacyDevBrowser: '__dev_session',\n HandshakeReason: '__tern_hs_reason',\n HandshakeNonce: Cookies.HandshakeNonce,\n} as const;\n\nconst Headers = {\n Accept: 'accept',\n AppCheckToken: 'x-ternsecure-appcheck',\n AuthMessage: 'x-ternsecure-auth-message',\n Authorization: 'authorization',\n AuthReason: 'x-ternsecure-auth-reason',\n AuthSignature: 'x-ternsecure-auth-signature',\n AuthStatus: 'x-ternsecure-auth-status',\n AuthToken: 'x-ternsecure-auth-token',\n CacheControl: 'cache-control',\n TernSecureRedirectTo: 'x-ternsecure-redirect-to',\n TernSecureRequestData: 'x-ternsecure-request-data',\n TernSecureUrl: 'x-ternsecure-url',\n CloudFrontForwardedProto: 'cloudfront-forwarded-proto',\n ContentType: 'content-type',\n ContentSecurityPolicy: 'content-security-policy',\n ContentSecurityPolicyReportOnly: 'content-security-policy-report-only',\n EnableDebug: 'x-ternsecure-debug',\n ForwardedHost: 'x-forwarded-host',\n ForwardedPort: 'x-forwarded-port',\n ForwardedProto: 'x-forwarded-proto',\n Host: 'host',\n Location: 'location',\n Nonce: 'x-nonce',\n Origin: 'origin',\n Referrer: 'referer',\n SecFetchDest: 'sec-fetch-dest',\n UserAgent: 'user-agent',\n ReportingEndpoints: 'reporting-endpoints',\n} as const;\n\nconst ContentTypes = {\n Json: 'application/json',\n} as const;\n\n/**\n * @internal\n */\nexport const constants = {\n Attributes,\n Cookies,\n Headers,\n ContentTypes,\n QueryParameters,\n} as const;\n\nexport type Constants = typeof constants;\n","import admin from 'firebase-admin';\r\nimport { getAppCheck } from \"firebase-admin/app-check\";\r\n\r\nimport { initializeAdminConfig } from './config';\r\n\r\nif (!admin.apps.length) {\r\n try {\r\n const config = initializeAdminConfig();\r\n admin.initializeApp({\r\n credential: admin.credential.cert({\r\n ...config,\r\n privateKey: config.privateKey.replace(/\\\\n/g, '\\n'),\r\n }),\r\n });\r\n } catch (error) {\r\n console.error('Firebase admin initialization error', error);\r\n }\r\n}\r\n\r\nexport const adminTernSecureAuth: admin.auth.Auth = admin.auth();\r\nexport const adminTernSecureDb: admin.firestore.Firestore = admin.firestore();\r\nexport const TernSecureTenantManager: admin.auth.TenantManager = admin.auth().tenantManager();\r\nexport const appCheckAdmin: admin.appCheck.AppCheck = getAppCheck();\r\n\r\n/**\r\n * Gets the appropriate Firebase Auth instance.\r\n * If a tenantId is provided, it returns the Auth instance for that tenant.\r\n * Otherwise, it returns the default project-level Auth instance.\r\n * @param tenantId - The optional tenant ID.\r\n * @returns An admin.auth.Auth instance.\r\n */\r\nexport function getAuthForTenant(tenantId?: string): admin.auth.Auth {\r\n if (tenantId) {\r\n return TernSecureTenantManager.authForTenant(tenantId) as unknown as admin.auth.Auth;\r\n }\r\n return admin.auth();\r\n}","import type { \r\n AdminConfigValidationResult, \r\n ConfigValidationResult, \r\n TernSecureAdminConfig, \r\n TernSecureConfig} from '@tern-secure/types'\r\n\r\n/**\r\n * Loads Firebase configuration from environment variables\r\n * @returns {TernSecureConfig} Firebase configuration object\r\n */\r\nexport const loadFireConfig = (): TernSecureConfig => ({\r\n apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY || '',\r\n authDomain: process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN || '',\r\n databaseURL: process.env.NEXT_PUBLIC_FIREBASE_DATABASE_URL || undefined,\r\n projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID || '',\r\n storageBucket: process.env.NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET || '',\r\n messagingSenderId: process.env.NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID || '',\r\n appId: process.env.NEXT_PUBLIC_FIREBASE_APP_ID || '',\r\n measurementId: process.env.NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID || undefined,\r\n})\r\n\r\n/**\r\n * Validates Firebase configuration\r\n * @param {TernSecureConfig} config - Firebase configuration object\r\n * @throws {Error} If required configuration values are missing\r\n * @returns {TernSecureConfig} Validated configuration object\r\n */\r\nexport const validateConfig = (config: TernSecureConfig): ConfigValidationResult => {\r\n const requiredFields: (keyof TernSecureConfig)[] = [\r\n 'apiKey',\r\n 'authDomain',\r\n 'projectId',\r\n 'storageBucket',\r\n 'messagingSenderId',\r\n 'appId'\r\n ]\r\n\r\n const errors: string[] = []\r\n \r\n requiredFields.forEach(field => {\r\n if (!config[field]) {\r\n errors.push(`Missing required field: NEXT_PUBLIC_FIREBASE_${String(field).toUpperCase()}`)\r\n }\r\n })\r\n\r\n return {\r\n isValid: errors.length === 0,\r\n errors,\r\n config\r\n }\r\n}\r\n\r\n/**\r\n * Initializes configuration with validation\r\n * @throws {Error} If configuration is invalid\r\n */\r\nexport const initializeConfig = (): TernSecureConfig => {\r\n const config = loadFireConfig()\r\n const validationResult = validateConfig(config)\r\n\r\n if (!validationResult.isValid) {\r\n throw new Error(\r\n `Firebase configuration validation failed:\\n${validationResult.errors.join('\\n')}`\r\n )\r\n }\r\n\r\n return config\r\n}\r\n\r\n/**\r\n * Loads Firebase Admin configuration from environment variables\r\n * @returns {AdminConfig} Firebase Admin configuration object\r\n */\r\nexport const loadAdminConfig = (): TernSecureAdminConfig => ({\r\n projectId: process.env.FIREBASE_PROJECT_ID || '',\r\n clientEmail: process.env.FIREBASE_CLIENT_EMAIL || '',\r\n privateKey: process.env.FIREBASE_PRIVATE_KEY || '',\r\n})\r\n\r\n/**\r\n * Validates Firebase Admin configuration\r\n * @param {AdminConfig} config - Firebase Admin configuration object\r\n * @returns {ConfigValidationResult} Validation result\r\n */\r\nexport const validateAdminConfig = (config: TernSecureAdminConfig): AdminConfigValidationResult => {\r\n const requiredFields: (keyof TernSecureAdminConfig)[] = [\r\n 'projectId',\r\n 'clientEmail',\r\n 'privateKey'\r\n ]\r\n\r\n const errors: string[] = []\r\n \r\n requiredFields.forEach(field => {\r\n if (!config[field]) {\r\n errors.push(`Missing required field: FIREBASE_${String(field).toUpperCase()}`)\r\n }\r\n })\r\n\r\n return {\r\n isValid: errors.length === 0,\r\n errors,\r\n config\r\n }\r\n}\r\n\r\n/**\r\n * Initializes admin configuration with validation\r\n * @throws {Error} If configuration is invalid\r\n */\r\nexport const initializeAdminConfig = (): TernSecureAdminConfig => {\r\n const config = loadAdminConfig()\r\n const validationResult = validateAdminConfig(config)\r\n\r\n if (!validationResult.isValid) {\r\n throw new Error(\r\n `Firebase Admin configuration validation failed:\\n${validationResult.errors.join('\\n')}`\r\n )\r\n }\r\n\r\n return config\r\n}","import type { SignInResponse } from '@tern-secure/types';\r\n\r\nimport { TernSecureTenantManager } from \"../utils/admin-init\";\r\n\r\n\r\nexport async function createTenant(\r\n displayName: string,\r\n emailSignInConfig: {\r\n enabled: boolean;\r\n passwordRequired: boolean;\r\n },\r\n multiFactorConfig?: {\r\n state: 'ENABLED' | 'DISABLED';\r\n factorIds: \"phone\"[];\r\n testPhoneNumbers?: {\r\n [phoneNumber: string]: string;\r\n }\r\n }\r\n) {\r\n try {\r\n const tenantConfig = {\r\n displayName,\r\n emailSignInConfig,\r\n ...(multiFactorConfig && { multiFactorConfig })\r\n };\r\n\r\n const tenant = await TernSecureTenantManager.createTenant(tenantConfig);\r\n \r\n return {\r\n success: true,\r\n tenantId: tenant.tenantId,\r\n displayName: tenant.displayName,\r\n };\r\n } catch (error) {\r\n console.error('Error creating tenant:', error);\r\n throw new Error('Failed to create tenant');\r\n }\r\n}\r\n\r\nexport async function createTenantUser(\r\n email: string,\r\n password: string,\r\n tenantId: string\r\n): Promise<SignInResponse> {\r\n try {\r\n const tenantAuth = TernSecureTenantManager.authForTenant(tenantId);\r\n \r\n const userRecord = await tenantAuth.createUser({\r\n email,\r\n password,\r\n emailVerified: false,\r\n disabled: false\r\n });\r\n\r\n return {\r\n status: 'success',\r\n user: userRecord,\r\n message: 'Tenant user created successfully',\r\n };\r\n } catch (error) {\r\n console.error('Error creating tenant user:', error);\r\n throw new Error('Failed to create tenant user');\r\n }\r\n}\r\n","'use server';\n\nimport { getCookieName, getCookiePrefix } from '@tern-secure/shared/cookie';\nimport { handleFirebaseAuthError } from '@tern-secure/shared/errors';\nimport type { CookieStore, SessionResult, TernVerificationResult } from '@tern-secure/types';\nimport { cookies } from 'next/headers';\n\nimport { constants } from '../constants';\nimport { adminTernSecureAuth as adminAuth, getAuthForTenant } from '../utils/admin-init';\n\nconst SESSION_CONSTANTS = {\n COOKIE_NAME: constants.Cookies.Session,\n DEFAULT_EXPIRES_IN_MS: 60 * 60 * 24 * 5 * 1000, // 5 days\n DEFAULT_EXPIRES_IN_SECONDS: 60 * 60 * 24 * 5,\n REVOKE_REFRESH_TOKENS_ON_SIGNOUT: true,\n} as const;\n\n/**\n * Helper function to log debug messages only in development environment\n */\nconst debugLog = {\n log: (...args: unknown[]) => {\n if (process.env.NODE_ENV === 'development') {\n console.log(...args);\n }\n },\n warn: (...args: unknown[]) => {\n if (process.env.NODE_ENV === 'development') {\n console.warn(...args);\n }\n },\n error: (...args: unknown[]) => {\n console.error(...args);\n },\n};\n\nexport async function CreateNextSessionCookie(idToken: string) {\n try {\n const expiresIn = 60 * 60 * 24 * 5 * 1000;\n const sessionCookie = await adminAuth.createSessionCookie(idToken, {\n expiresIn,\n });\n\n const cookieStore = await cookies();\n cookieStore.set(constants.Cookies.Session, sessionCookie, {\n maxAge: expiresIn,\n httpOnly: true,\n secure: process.env.NODE_ENV === 'production',\n path: '/',\n });\n return { success: true, message: 'Session created' };\n } catch (error) {\n return { success: false, message: 'Failed to create session' };\n }\n}\n\nexport async function GetNextServerSessionCookie() {\n const cookieStore = await cookies();\n const sessionCookie = cookieStore.get('_session_cookie')?.value;\n\n if (!sessionCookie) {\n throw new Error('No session cookie found');\n }\n\n try {\n const decondeClaims = await adminAuth.verifySessionCookie(sessionCookie, true);\n return {\n token: sessionCookie,\n userId: decondeClaims.uid,\n };\n } catch (error) {\n console.error('Error verifying session:', error);\n throw new Error('Invalid Session');\n }\n}\n\nexport async function GetNextIdToken() {\n const cookieStore = await cookies();\n const token = cookieStore.get('_session_token')?.value;\n\n if (!token) {\n throw new Error('No session cookie found');\n }\n\n try {\n const decodedClaims = await adminAuth.verifyIdToken(token);\n return {\n token: token,\n userId: decodedClaims.uid,\n };\n } catch (error) {\n console.error('Error verifying session:', error);\n throw new Error('Invalid Session');\n }\n}\n\nexport async function SetNextServerSession(token: string) {\n try {\n const cookieStore = await cookies();\n cookieStore.set('_session_token', token, {\n httpOnly: true,\n secure: process.env.NODE_ENV === 'production',\n sameSite: 'strict',\n maxAge: 60 * 60, // 1 hour\n path: '/',\n });\n return { success: true, message: 'Session created' };\n } catch {\n return { success: false, message: 'Failed to create session' };\n }\n}\n\nexport async function SetNextServerToken(token: string) {\n try {\n const cookieStore = await cookies();\n cookieStore.set('_tern', token, {\n httpOnly: true,\n secure: process.env.NODE_ENV === 'production',\n sameSite: 'strict',\n maxAge: 60 * 60, // 1 hour\n path: '/',\n });\n return { success: true, message: 'Session created' };\n } catch {\n return { success: false, message: 'Failed to create session' };\n }\n}\n\nexport async function VerifyNextTernIdToken(token: string): Promise<TernVerificationResult> {\n try {\n const decodedToken = await adminAuth.verifyIdToken(token);\n return {\n ...decodedToken,\n valid: true,\n };\n } catch (error) {\n console.error('[VerifyNextTernIdToken] Error verifying session:', error);\n const authError = handleFirebaseAuthError(error);\n return {\n valid: false,\n error: authError,\n };\n }\n}\n\nexport async function VerifyNextTernSessionCookie(\n session: string,\n): Promise<TernVerificationResult> {\n try {\n const res = await adminAuth.verifySessionCookie(session);\n console.warn('[VerifyNextTernSessionCookie] uid in Decoded Token:', res.uid);\n return {\n valid: true,\n ...res,\n };\n } catch (error) {\n console.error('[VerifyNextTernSessionCookie] Error verifying session:', error);\n const authError = handleFirebaseAuthError(error);\n return {\n valid: false,\n error: authError,\n };\n }\n}\n\nexport async function ClearNextSessionCookie(\n tenantId?: string,\n deleteOptions?: {\n path?: string;\n domain?: string;\n httpOnly?: boolean;\n secure?: boolean;\n sameSite?: 'lax' | 'strict' | 'none';\n revokeRefreshTokensOnSignOut?: boolean;\n },\n): Promise<SessionResult> {\n try {\n const tenantAuth = getAuthForTenant(tenantId || '');\n const cookieStore = await cookies();\n const sessionCookie = cookieStore.get(SESSION_CONSTANTS.COOKIE_NAME);\n const cookiePrefix = getCookiePrefix();\n const idTokenCookieName = getCookieName(constants.Cookies.IdToken, cookiePrefix);\n const idTokenCookie = cookieStore.get(idTokenCookieName);\n\n const finalDeleteOptions = {\n path: deleteOptions?.path,\n domain: deleteOptions?.domain,\n httpOnly: deleteOptions?.httpOnly,\n secure: deleteOptions?.secure,\n sameSite: deleteOptions?.sameSite,\n };\n\n const idRefreshCustomTokenDeleteOptions = {\n path: '/',\n httpOnly: true,\n secure: process.env.NODE_ENV === 'production',\n sameSite: 'strict' as const,\n };\n\n cookieStore.delete({ name: SESSION_CONSTANTS.COOKIE_NAME, ...finalDeleteOptions });\n cookieStore.delete({ name: constants.Cookies.TernAut });\n \n cookieStore.delete({ name: idTokenCookieName, ...idRefreshCustomTokenDeleteOptions });\n cookieStore.delete({\n name: getCookieName(constants.Cookies.Refresh, cookiePrefix),\n ...idRefreshCustomTokenDeleteOptions,\n });\n cookieStore.delete({ name: constants.Cookies.Custom, ...idRefreshCustomTokenDeleteOptions });\n\n const shouldRevokeTokens =\n deleteOptions?.revokeRefreshTokensOnSignOut ??\n SESSION_CONSTANTS.REVOKE_REFRESH_TOKENS_ON_SIGNOUT;\n\n if (shouldRevokeTokens) {\n try {\n let userSub: string | undefined;\n\n // Try to get user sub from session cookie first\n if (sessionCookie?.value) {\n try {\n const decodedClaims = await tenantAuth.verifySessionCookie(sessionCookie.value);\n userSub = decodedClaims.sub;\n } catch (sessionError) {\n debugLog.warn(\n '[ClearNextSessionCookie] Session cookie verification failed:',\n sessionError,\n );\n }\n }\n\n // If no session cookie, try idToken cookie\n if (!userSub) {\n if (idTokenCookie?.value) {\n try {\n const decodedIdToken = await tenantAuth.verifyIdToken(idTokenCookie.value);\n userSub = decodedIdToken.sub;\n } catch (idTokenError) {\n debugLog.warn('[ClearNextSessionCookie] ID token verification failed:', idTokenError);\n }\n }\n }\n\n // Revoke tokens if we got a user sub\n if (userSub) {\n await tenantAuth.revokeRefreshTokens(userSub);\n debugLog.log(`[ClearNextSessionCookie] Successfully revoked tokens for user: ${userSub}`);\n } else {\n debugLog.warn('[ClearNextSessionCookie] No valid token found for revocation');\n }\n } catch (revokeError) {\n debugLog.error('[ClearNextSessionCookie] Failed to revoke refresh tokens:', revokeError);\n }\n }\n return { success: true, message: 'Session cleared successfully' };\n } catch (error) {\n debugLog.error('Error clearing session:', error);\n return { success: false, message: 'Failed to clear session cookies' };\n }\n}\n\nexport async function ClearNextSessionCookie_old(cookieStore: CookieStore): Promise<SessionResult> {\n try {\n const cookiePrefix = getCookiePrefix();\n\n const deletionPromises: Promise<void>[] = [];\n\n // Always delete default cookies\n const idTokenCookieName = getCookieName(constants.Cookies.IdToken, cookiePrefix);\n deletionPromises.push(cookieStore.delete(idTokenCookieName));\n\n const refreshTokenCookieName = getCookieName(constants.Cookies.Refresh, cookiePrefix);\n deletionPromises.push(cookieStore.delete(refreshTokenCookieName));\n\n const customTokenCookieName = getCookieName(constants.Cookies.Custom, cookiePrefix);\n deletionPromises.push(cookieStore.delete(customTokenCookieName));\n\n // Also delete legacy cookie names for backward compatibility\n deletionPromises.push(cookieStore.delete(constants.Cookies.Session));\n\n await Promise.all(deletionPromises);\n\n return {\n success: true,\n message: 'Session cleared successfully',\n };\n } catch (error) {\n const authError = handleFirebaseAuthError(error);\n return {\n success: false,\n message: authError.message || 'Failed to clear session',\n error: authError.code || 'INTERNAL_ERROR',\n };\n }\n}\n","import { parse } from \"cookie\";\n\nimport { constants } from \"../constants\";\nimport type { TernUrl } from \"./ternUrl\";\nimport { createTernUrl } from \"./ternUrl\";\n\nclass TernSecureRequest extends Request {\n readonly ternUrl: TernUrl;\n readonly cookies: Map<string, string | undefined>;\n\n public constructor(\n input: TernSecureRequest | Request | RequestInfo,\n init?: RequestInit\n ) {\n const url =\n typeof input !== \"string\" && \"url\" in input ? input.url : String(input);\n super(url, init || typeof input === \"string\" ? undefined : input);\n this.ternUrl = this.deriveUrlFromHeaders(this);\n this.cookies = this.parseCookies(this);\n }\n\n public toJSON() {\n return {\n url: this.ternUrl.href,\n method: this.method,\n headers: JSON.stringify(Object.fromEntries(this.headers)),\n ternUrl: this.ternUrl.toString(),\n cookies: JSON.stringify(Object.fromEntries(this.cookies)),\n };\n }\n\n private deriveUrlFromHeaders(req: Request) {\n const initialUrl = new URL(req.url);\n const forwardedProto = req.headers.get(constants.Headers.ForwardedProto);\n const forwardedHost = req.headers.get(constants.Headers.ForwardedHost);\n const host = req.headers.get(constants.Headers.Host);\n const protocol = initialUrl.protocol;\n\n const resolvedHost = this.getFirstValueFromHeader(forwardedHost) ?? host;\n const resolvedProtocol =\n this.getFirstValueFromHeader(forwardedProto) ??\n protocol?.replace(/[:/]/, \"\");\n const origin =\n resolvedHost && resolvedProtocol\n ? `${resolvedProtocol}://${resolvedHost}`\n : initialUrl.origin;\n\n if (origin === initialUrl.origin) {\n return createTernUrl(initialUrl);\n }\n\n return createTernUrl(initialUrl.pathname + initialUrl.search, origin);\n }\n\n private getFirstValueFromHeader(value?: string | null) {\n return value?.split(\",\")[0];\n }\n\n private parseCookies(req: Request) {\n const cookiesRecord = parse(\n this.decodeCookieValue(req.headers.get(\"cookie\") || \"\")\n );\n return new Map(Object.entries(cookiesRecord));\n }\n\n private decodeCookieValue(str: string) {\n return str ? str.replace(/(%[0-9A-Z]{2})+/g, decodeURIComponent) : str;\n }\n}\n\nexport const createTernSecureRequest = (\n ...args: ConstructorParameters<typeof TernSecureRequest>\n): TernSecureRequest => {\n return args[0] instanceof TernSecureRequest\n ? args[0]\n : new TernSecureRequest(...args);\n};\n\nexport type { TernSecureRequest };\n","class TernUrl extends URL {\n public isCrossOrigin(other: URL | string) {\n return this.origin !== new URL(other.toString()).origin;\n }\n}\n\nexport type WithTernUrl<T> = T & {\n /**\n * When a NextJs app is hosted on a platform different from Vercel\n * or inside a container (Netlify, Fly.io, AWS Amplify, docker etc),\n * req.url is always set to `localhost:3000` instead of the actual host of the app.\n *\n */\n ternUrl: TernUrl;\n};\n\nexport const createTernUrl = (\n ...args: ConstructorParameters<typeof TernUrl>\n): TernUrl => {\n return new TernUrl(...args);\n};\n\nexport type { TernUrl };\n","import type { CheckCustomClaims, DecodedIdToken,SharedSignInAuthObjectProperties } from \"@tern-secure/types\";\n\nimport { VerifyNextTernSessionCookie } from \"../admin/nextSessionTernSecure\";\nimport type { TernSecureRequest} from \"../tokens/ternSecureRequest\";\nimport { createTernSecureRequest } from \"../tokens/ternSecureRequest\";\n\nexport type SignInAuthObject = SharedSignInAuthObjectProperties & {\n has: CheckCustomClaims\n}\n\nexport type SignInState = {\n auth: () => SignInAuthObject\n token: string\n headers: Headers\n}\n\nexport type RequestState = SignInState\n\nexport interface BackendInstance {\n ternSecureRequest: TernSecureRequest;\n requestState: RequestState;\n}\n\nexport const createBackendInstance = async (request: Request): Promise<BackendInstance> => {\n const ternSecureRequest = createTernSecureRequest(request);\n const requestState = await authenticateRequest(request);\n \n return {\n ternSecureRequest,\n requestState,\n };\n};\n\nexport async function authenticateRequest(request: Request): Promise<RequestState> {\n const sessionCookie = request.headers.get('cookie');\n const sessionToken = sessionCookie?.split(';')\n .find(c => c.trim().startsWith('_session_cookie='))\n ?.split('=')[1];\n \n if (!sessionToken) {\n throw new Error(\"No session token found\");\n }\n\n const verificationResult = await VerifyNextTernSessionCookie(sessionToken);\n\n if (!verificationResult.valid) {\n throw new Error(\"Invalid session token\");\n }\n\n return signedIn(\n verificationResult as DecodedIdToken,\n new Headers(request.headers),\n sessionToken\n );\n}\n\nexport function signInAuthObject(\n session: DecodedIdToken,\n): SignInAuthObject {\n return {\n session,\n userId: session.uid,\n has: {} as CheckCustomClaims,\n };\n}\n\nexport function signedIn(\n session: DecodedIdToken,\n headers: Headers = new Headers(),\n token: string\n): SignInState {\n const authObject = signInAuthObject(session);\n return {\n auth: () => authObject,\n token,\n headers,\n };\n}\n","import { handleFirebaseAuthError } from '@tern-secure/shared/errors';\nimport type { AuthErrorResponse } from '@tern-secure/types';\nimport type { UserRecord } from 'firebase-admin/auth';\n\nimport { getAuthForTenant } from '../utils/admin-init';\n\ntype RetrieveUserResult = {\n data: UserRecord;\n error: null;\n} | {\n data: null;\n error: AuthErrorResponse;\n}\n\nexport function RetrieveUser(tenantId?: string) {\n const auth = getAuthForTenant(tenantId);\n\n async function getUserUid(uid: string): Promise<RetrieveUserResult> {\n try {\n const user = await auth.getUser(uid);\n return { data: user, error: null };\n } catch (error) {\n return { data: null, error: handleFirebaseAuthError(error) };\n }\n }\n async function getUserByEmail(email: string): Promise<RetrieveUserResult> {\n try {\n const user = await auth.getUserByEmail(email);\n return { data: user, error: null };\n } catch (error) {\n return { data: null, error: handleFirebaseAuthError(error) };\n }\n }\n\n async function getUserByPhoneNumber(phoneNumber: string): Promise<RetrieveUserResult> {\n try {\n const user = await auth.getUserByPhoneNumber(phoneNumber);\n return { data: user, error: null };\n } catch (error) {\n return { data: null, error: handleFirebaseAuthError(error) };\n }\n }\n\n return {\n getUserUid,\n getUserByEmail,\n getUserByPhoneNumber,\n }\n}"],"mappings":";AACA,SAAS,+BAA+B;;;ACDjC,IAAM,yBACX;AAIK,IAAM,8BACX;AAEK,IAAM,oCAAoC,IAAI;AAC9C,IAAM,yBAAyB,OAAO;AACtC,IAAM,sBAAsB;AAE5B,IAAM,gCAAgC,IAAI,KAAK;AAC/C,IAAM,wBAAwB;AAC9B,IAAM,yBAAyB;AAC/B,IAAM,yBAAyB;AAC/B,IAAM,sBAAsB,KAAK;AAEjC,IAAM,wBAAwB;AAC9B,IAAM,uBAAuB,wBAAwB;AACrD,IAAM,oBAAoB,KAAK,KAAK,KAAK;AAEhD,IAAM,aAAa;AAAA,EACjB,WAAW;AAAA,EACX,eAAe;AAAA,EACf,YAAY;AAAA,EACZ,YAAY;AAAA,EACZ,aAAa;AAAA,EACb,eAAe;AACjB;AAEA,IAAM,UAAU;AAAA,EACd,SAAS;AAAA,EACT,WAAW;AAAA,EACX,SAAS;AAAA,EACT,SAAS;AAAA,EACT,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,WAAW;AAAA,EACX,YAAY;AAAA,EACZ,eAAe;AAAA,EACf,gBAAgB;AAClB;AAGA,IAAM,kBAAkB;AAAA,EACtB,YAAY;AAAA,EACZ,iBAAiB;AAAA,EACjB,iBAAiB;AAAA;AAAA,EAEjB,YAAY,QAAQ;AAAA,EACpB,WAAW,QAAQ;AAAA,EACnB,eAAe;AAAA,EACf,kBAAkB;AAAA,EAClB,iBAAiB;AAAA,EACjB,gBAAgB,QAAQ;AAC1B;AAEA,IAAMA,WAAU;AAAA,EACd,QAAQ;AAAA,EACR,eAAe;AAAA,EACf,aAAa;AAAA,EACb,eAAe;AAAA,EACf,YAAY;AAAA,EACZ,eAAe;AAAA,EACf,YAAY;AAAA,EACZ,WAAW;AAAA,EACX,cAAc;AAAA,EACd,sBAAsB;AAAA,EACtB,uBAAuB;AAAA,EACvB,eAAe;AAAA,EACf,0BAA0B;AAAA,EAC1B,aAAa;AAAA,EACb,uBAAuB;AAAA,EACvB,iCAAiC;AAAA,EACjC,aAAa;AAAA,EACb,eAAe;AAAA,EACf,eAAe;AAAA,EACf,gBAAgB;AAAA,EAChB,MAAM;AAAA,EACN,UAAU;AAAA,EACV,OAAO;AAAA,EACP,QAAQ;AAAA,EACR,UAAU;AAAA,EACV,cAAc;AAAA,EACd,WAAW;AAAA,EACX,oBAAoB;AACtB;AAEA,IAAM,eAAe;AAAA,EACnB,MAAM;AACR;AAKO,IAAM,YAAY;AAAA,EACvB;AAAA,EACA;AAAA,EACA,SAAAA;AAAA,EACA;AAAA,EACA;AACF;;;ACtGA,OAAO,WAAW;AAClB,SAAS,mBAAmB;;;ACwErB,IAAM,kBAAkB,OAA8B;AAAA,EAC3D,WAAW,QAAQ,IAAI,uBAAuB;AAAA,EAC9C,aAAa,QAAQ,IAAI,yBAAyB;AAAA,EAClD,YAAY,QAAQ,IAAI,wBAAwB;AAClD;AAOO,IAAM,sBAAsB,CAAC,WAA+D;AACjG,QAAM,iBAAkD;AAAA,IACtD;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,QAAM,SAAmB,CAAC;AAE1B,iBAAe,QAAQ,WAAS;AAC9B,QAAI,CAAC,OAAO,KAAK,GAAG;AAClB,aAAO,KAAK,oCAAoC,OAAO,KAAK,EAAE,YAAY,CAAC,EAAE;AAAA,IAC/E;AAAA,EACF,CAAC;AAED,SAAO;AAAA,IACL,SAAS,OAAO,WAAW;AAAA,IAC3B;AAAA,IACA;AAAA,EACF;AACF;AAMO,IAAM,wBAAwB,MAA6B;AAChE,QAAM,SAAS,gBAAgB;AAC/B,QAAM,mBAAmB,oBAAoB,MAAM;AAEnD,MAAI,CAAC,iBAAiB,SAAS;AAC7B,UAAM,IAAI;AAAA,MACR;AAAA,EAAoD,iBAAiB,OAAO,KAAK,IAAI,CAAC;AAAA,IACxF;AAAA,EACF;AAEA,SAAO;AACT;;;ADpHA,IAAI,CAAC,MAAM,KAAK,QAAQ;AACtB,MAAI;AACF,UAAM,SAAS,sBAAsB;AACrC,UAAM,cAAc;AAAA,MAClB,YAAY,MAAM,WAAW,KAAK;AAAA,QAChC,GAAG;AAAA,QACH,YAAY,OAAO,WAAW,QAAQ,QAAQ,IAAI;AAAA,MACpD,CAAC;AAAA,IACH,CAAC;AAAA,EACH,SAAS,OAAO;AACd,YAAQ,MAAM,uCAAuC,KAAK;AAAA,EAC5D;AACF;AAEO,IAAM,sBAAuC,MAAM,KAAK;AACxD,IAAM,oBAA+C,MAAM,UAAU;AACrE,IAAM,0BAAoD,MAAM,KAAK,EAAE,cAAc;AACrF,IAAM,gBAAyC,YAAY;AAS3D,SAAS,iBAAiB,UAAoC;AACnE,MAAI,UAAU;AACZ,WAAO,wBAAwB,cAAc,QAAQ;AAAA,EACvD;AACA,SAAO,MAAM,KAAK;AACpB;;;AFnBA,IAAM,wBAAwB;AAAA,EAC5B,uBAAuB,IAAI,KAAK;AAAA;AAAA,EAChC,4BAA4B,IAAI;AAAA,EAChC,kCAAkC;AACpC;AAEA,IAAM,yBAAyB;AAAA,EAC7B,UAAU;AAAA,EACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,EACjC,UAAU;AAAA,EACV,MAAM;AACR;AAKA,IAAM,gBAAgB,CAAC,UAAkB,WAA4B;AACnE,SAAO,SAAS,GAAG,MAAM,GAAG,QAAQ,KAAK;AAC3C;AAKA,IAAM,sBAAsB,CAC1B,QACA,cAMG;AACH,SAAO;AAAA,IACL;AAAA,IACA,UAAU,WAAW,YAAY,uBAAuB;AAAA,IACxD,QAAQ,WAAW,UAAU,uBAAuB;AAAA,IACpD,UAAU,WAAW,YAAY,uBAAuB;AAAA,IACxD,MAAM,WAAW,QAAQ,uBAAuB;AAAA,EAClD;AACF;AAKA,IAAM,kBAAkB,MAAc;AACpC,QAAM,eAAe,QAAQ,IAAI,aAAa;AAC9C,SAAO,eAAe,YAAY;AACpC;AAQA,eAAsB,oBACpB,QACA,aACA,SACwB;AACxB,MAAI;AACF,UAAM,aAAa,iBAAiB,SAAS,YAAY,EAAE;AAE3D,UAAM,UAAU,OAAO,WAAW,WAAW,SAAS,OAAO;AAC7D,UAAM,eAAe,OAAO,WAAW,WAAW,SAAa,OAAe;AAE9E,QAAI,CAAC,SAAS;AACZ,aAAO;AAAA,QACL,SAAS;AAAA,QACT,SAAS;AAAA,QACT,OAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI;AACJ,QAAI;AACF,qBAAe,MAAM,WAAW,cAAc,OAAO;AAAA,IACvD,SAAS,aAAa;AACpB,YAAM,YAAY,wBAAwB,WAAW;AACrD,aAAO;AAAA,QACL,SAAS;AAAA,QACT,SAAS,UAAU;AAAA,QACnB,OAAO,UAAU;AAAA,MACnB;AAAA,IACF;AAEA,UAAM,iBAAkC,CAAC;AACzC,UAAM,eAAe,gBAAgB;AAGrC,UAAM,oBAAoB,cAAc,UAAU,QAAQ,SAAS,YAAY;AAC/E,mBAAe;AAAA,MACb,YAAY;AAAA,QACV;AAAA,QACA;AAAA,QACA,oBAAoB,sBAAsB,0BAA0B;AAAA,MACtE;AAAA,IACF;AAGA,QAAI,cAAc;AAChB,YAAM,yBAAyB,cAAc,UAAU,QAAQ,SAAS,YAAY;AACpF,qBAAe;AAAA,QACb,YAAY;AAAA,UACV;AAAA,UACA;AAAA,UACA,oBAAoB,sBAAsB,0BAA0B;AAAA,QACtE;AAAA,MACF;AAAA,IACF;AAGA,QAAI,SAAS,SAAS;AACpB,YAAM,iBAAiB,QAAQ;AAC/B,YAAM,oBAAoB,cAAc,UAAU,QAAQ,OAAO;AACjE,YAAM,YAAY,eAAe,SAC7B,eAAe,SAAS,MACxB,sBAAsB;AAE1B,UAAI;AACF,cAAM,gBAAgB,MAAM,WAAW,oBAAoB,SAAS,EAAE,UAAU,CAAC;AACjF,uBAAe;AAAA,UACb,YAAY;AAAA,YACV;AAAA,YACA;AAAA,YACA;AAAA,cACE,eAAe,UAAU,sBAAsB;AAAA,cAC/C;AAAA,gBACE,UAAU,eAAe;AAAA,gBACzB,UAAU,eAAe;AAAA,gBACzB,MAAM,eAAe;AAAA,cACvB;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAAA,MACF,SAAS,cAAc;AACrB,gBAAQ;AAAA,UACN;AAAA,UACA;AAAA,QACF;AACA,cAAM,YAAY,wBAAwB,YAAY;AACtD,eAAO;AAAA,UACL,SAAS;AAAA,UACT,SAAS,UAAU;AAAA,UACnB,OAAO,UAAU;AAAA,QACnB;AAAA,MACF;AAAA,IACF;AAGA,QAAI,SAAS,qBAAqB,cAAc,KAAK;AACnD,YAAM,wBAAwB,cAAc,UAAU,QAAQ,QAAQ,YAAY;AAClF,YAAM,cAAc,MAAM,kBAAkB,aAAa,KAAK,OAAO;AACrE,UAAI,aAAa;AACf,uBAAe;AAAA,UACb,YAAY;AAAA,YACV;AAAA,YACA;AAAA,YACA,oBAAoB,sBAAsB,0BAA0B;AAAA,UACtE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,UAAM,QAAQ,IAAI,cAAc;AAEhC,WAAO;AAAA,MACL,SAAS;AAAA,MACT,SAAS;AAAA,MACT,WAAW,sBAAsB;AAAA,IACnC;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,2CAA2C,KAAK;AAC9D,UAAM,YAAY,wBAAwB,KAAK;AAC/C,WAAO;AAAA,MACL,SAAS;AAAA,MACT,SAAS,UAAU,WAAW;AAAA,MAC9B,OAAO,UAAU,QAAQ;AAAA,IAC3B;AAAA,EACF;AACF;AAOA,eAAsB,mBACpB,aACA,SACwB;AACxB,MAAI;AACF,UAAM,YAAY,iBAAiB,SAAS,YAAY,EAAE;AAC1D,UAAM,eAAe,gBAAgB;AAGrC,UAAM,oBAAoB,cAAc,UAAU,QAAQ,SAAS,YAAY;AAC/E,UAAM,gBAAgB,MAAM,YAAY,IAAI,iBAAiB;AAE7D,UAAM,mBAAoC,CAAC;AAI3C,QAAI,SAAS,SAAS;AACpB,uBAAiB,KAAK,YAAY,OAAO,iBAAiB,CAAC;AAAA,IAC7D;AAGA,UAAM,oBAAoB,cAAc,UAAU,QAAQ,SAAS,YAAY;AAC/E,qBAAiB,KAAK,YAAY,OAAO,iBAAiB,CAAC;AAE3D,UAAM,yBAAyB,cAAc,UAAU,QAAQ,SAAS,YAAY;AACpF,qBAAiB,KAAK,YAAY,OAAO,sBAAsB,CAAC;AAEhE,UAAM,wBAAwB,cAAc,UAAU,QAAQ,QAAQ,YAAY;AAClF,qBAAiB,KAAK,YAAY,OAAO,qBAAqB,CAAC;AAG/D,UAAM,qBAAqB,UAAU,QAAQ;AAC7C,qBAAiB,KAAK,YAAY,OAAO,kBAAkB,CAAC;AAG5D,qBAAiB,KAAK,YAAY,OAAO,UAAU,QAAQ,OAAO,CAAC;AAEnE,UAAM,QAAQ,IAAI,gBAAgB;AAGlC,QAAI,sBAAsB,oCAAoC,eAAe,OAAO;AAClF,UAAI;AACF,cAAM,gBAAgB,MAAM,UAAU,oBAAoB,cAAc,KAAK;AAC7E,cAAM,UAAU,oBAAoB,cAAc,GAAG;AAAA,MACvD,SAAS,aAAa;AACpB,gBAAQ,MAAM,yDAAyD,WAAW;AAAA,MACpF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,SAAS;AAAA,MACT,SAAS;AAAA,IACX;AAAA,EACF,SAAS,OAAO;AACd,UAAM,YAAY,wBAAwB,KAAK;AAC/C,WAAO;AAAA,MACL,SAAS;AAAA,MACT,SAAS,UAAU,WAAW;AAAA,MAC9B,OAAO,UAAU,QAAQ;AAAA,IAC3B;AAAA,EACF;AACF;AAQA,eAAsB,kBACpB,KACA,SACwB;AACxB,QAAM,YAAY,iBAAiB,SAAS,YAAY,EAAE;AAC1D,MAAI;AACF,UAAM,cAAc,MAAM,UAAU,kBAAkB,GAAG;AACzD,WAAO;AAAA,EACT,SAAS,OAAO;AACd,YAAQ,MAAM,oDAAoD,KAAK;AACvE,WAAO;AAAA,EACT;AACF;AAGA,eAAsB,wBACpB,KACA,iBACiB;AACjB,QAAM,YAAY,iBAAiB;AACnC,MAAI;AACF,UAAM,cAAc,MAAM,UAAU,kBAAkB,KAAK,eAAe;AAC1E,WAAO;AAAA,EACT,SAAS,OAAO;AACd,YAAQ,MAAM,oDAAoD,KAAK;AACvE,WAAO;AAAA,EACT;AACF;;;AIxSA,eAAsB,aACpB,aACA,mBAIA,mBAOA;AACA,MAAI;AACF,UAAM,eAAe;AAAA,MACnB;AAAA,MACA;AAAA,MACA,GAAI,qBAAqB,EAAE,kBAAkB;AAAA,IAC/C;AAEA,UAAM,SAAS,MAAM,wBAAwB,aAAa,YAAY;AAEtE,WAAO;AAAA,MACL,SAAS;AAAA,MACT,UAAU,OAAO;AAAA,MACjB,aAAa,OAAO;AAAA,IACtB;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,0BAA0B,KAAK;AAC7C,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AACF;AAEA,eAAsB,iBACpB,OACA,UACA,UACyB;AACzB,MAAI;AACF,UAAM,aAAa,wBAAwB,cAAc,QAAQ;AAEjE,UAAM,aAAa,MAAM,WAAW,WAAW;AAAA,MAC7C;AAAA,MACA;AAAA,MACA,eAAe;AAAA,MACf,UAAU;AAAA,IACZ,CAAC;AAED,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,SAAS;AAAA,IACX;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B,KAAK;AAClD,UAAM,IAAI,MAAM,8BAA8B;AAAA,EAChD;AACF;;;AC7DA,SAAS,iBAAAC,gBAAe,mBAAAC,wBAAuB;AAC/C,SAAS,2BAAAC,gCAA+B;AAExC,SAAS,eAAe;AAKxB,IAAM,oBAAoB;AAAA,EACxB,aAAa,UAAU,QAAQ;AAAA,EAC/B,uBAAuB,KAAK,KAAK,KAAK,IAAI;AAAA;AAAA,EAC1C,4BAA4B,KAAK,KAAK,KAAK;AAAA,EAC3C,kCAAkC;AACpC;AAKA,IAAM,WAAW;AAAA,EACf,KAAK,IAAI,SAAoB;AAC3B,QAAI,QAAQ,IAAI,aAAa,eAAe;AAC1C,cAAQ,IAAI,GAAG,IAAI;AAAA,IACrB;AAAA,EACF;AAAA,EACA,MAAM,IAAI,SAAoB;AAC5B,QAAI,QAAQ,IAAI,aAAa,eAAe;AAC1C,cAAQ,KAAK,GAAG,IAAI;AAAA,IACtB;AAAA,EACF;AAAA,EACA,OAAO,IAAI,SAAoB;AAC7B,YAAQ,MAAM,GAAG,IAAI;AAAA,EACvB;AACF;AAEA,eAAsB,wBAAwB,SAAiB;AAC7D,MAAI;AACF,UAAM,YAAY,KAAK,KAAK,KAAK,IAAI;AACrC,UAAM,gBAAgB,MAAM,oBAAU,oBAAoB,SAAS;AAAA,MACjE;AAAA,IACF,CAAC;AAED,UAAM,cAAc,MAAM,QAAQ;AAClC,gBAAY,IAAI,UAAU,QAAQ,SAAS,eAAe;AAAA,MACxD,QAAQ;AAAA,MACR,UAAU;AAAA,MACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,MACjC,MAAM;AAAA,IACR,CAAC;AACD,WAAO,EAAE,SAAS,MAAM,SAAS,kBAAkB;AAAA,EACrD,SAAS,OAAO;AACd,WAAO,EAAE,SAAS,OAAO,SAAS,2BAA2B;AAAA,EAC/D;AACF;AAEA,eAAsB,6BAA6B;AACjD,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,gBAAgB,YAAY,IAAI,iBAAiB,GAAG;AAE1D,MAAI,CAAC,eAAe;AAClB,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AAEA,MAAI;AACF,UAAM,gBAAgB,MAAM,oBAAU,oBAAoB,eAAe,IAAI;AAC7E,WAAO;AAAA,MACL,OAAO;AAAA,MACP,QAAQ,cAAc;AAAA,IACxB;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,4BAA4B,KAAK;AAC/C,UAAM,IAAI,MAAM,iBAAiB;AAAA,EACnC;AACF;AAEA,eAAsB,iBAAiB;AACrC,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,QAAQ,YAAY,IAAI,gBAAgB,GAAG;AAEjD,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AAEA,MAAI;AACF,UAAM,gBAAgB,MAAM,oBAAU,cAAc,KAAK;AACzD,WAAO;AAAA,MACL;AAAA,MACA,QAAQ,cAAc;AAAA,IACxB;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,4BAA4B,KAAK;AAC/C,UAAM,IAAI,MAAM,iBAAiB;AAAA,EACnC;AACF;AAEA,eAAsB,qBAAqB,OAAe;AACxD,MAAI;AACF,UAAM,cAAc,MAAM,QAAQ;AAClC,gBAAY,IAAI,kBAAkB,OAAO;AAAA,MACvC,UAAU;AAAA,MACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,MACjC,UAAU;AAAA,MACV,QAAQ,KAAK;AAAA;AAAA,MACb,MAAM;AAAA,IACR,CAAC;AACD,WAAO,EAAE,SAAS,MAAM,SAAS,kBAAkB;AAAA,EACrD,QAAQ;AACN,WAAO,EAAE,SAAS,OAAO,SAAS,2BAA2B;AAAA,EAC/D;AACF;AAEA,eAAsB,mBAAmB,OAAe;AACtD,MAAI;AACF,UAAM,cAAc,MAAM,QAAQ;AAClC,gBAAY,IAAI,SAAS,OAAO;AAAA,MAC9B,UAAU;AAAA,MACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,MACjC,UAAU;AAAA,MACV,QAAQ,KAAK;AAAA;AAAA,MACb,MAAM;AAAA,IACR,CAAC;AACD,WAAO,EAAE,SAAS,MAAM,SAAS,kBAAkB;AAAA,EACrD,QAAQ;AACN,WAAO,EAAE,SAAS,OAAO,SAAS,2BAA2B;AAAA,EAC/D;AACF;AAEA,eAAsB,sBAAsB,OAAgD;AAC1F,MAAI;AACF,UAAM,eAAe,MAAM,oBAAU,cAAc,KAAK;AACxD,WAAO;AAAA,MACL,GAAG;AAAA,MACH,OAAO;AAAA,IACT;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,oDAAoD,KAAK;AACvE,UAAM,YAAYC,yBAAwB,KAAK;AAC/C,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AAAA,EACF;AACF;AAEA,eAAsB,4BACpB,SACiC;AACjC,MAAI;AACF,UAAM,MAAM,MAAM,oBAAU,oBAAoB,OAAO;AACvD,YAAQ,KAAK,uDAAuD,IAAI,GAAG;AAC3E,WAAO;AAAA,MACL,OAAO;AAAA,MACP,GAAG;AAAA,IACL;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,0DAA0D,KAAK;AAC7E,UAAM,YAAYA,yBAAwB,KAAK;AAC/C,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AAAA,EACF;AACF;AAEA,eAAsB,uBACpB,UACA,eAQwB;AACxB,MAAI;AACF,UAAM,aAAa,iBAAiB,YAAY,EAAE;AAClD,UAAM,cAAc,MAAM,QAAQ;AAClC,UAAM,gBAAgB,YAAY,IAAI,kBAAkB,WAAW;AACnE,UAAM,eAAeC,iBAAgB;AACrC,UAAM,oBAAoBC,eAAc,UAAU,QAAQ,SAAS,YAAY;AAC/E,UAAM,gBAAgB,YAAY,IAAI,iBAAiB;AAEvD,UAAM,qBAAqB;AAAA,MACzB,MAAM,eAAe;AAAA,MACrB,QAAQ,eAAe;AAAA,MACvB,UAAU,eAAe;AAAA,MACzB,QAAQ,eAAe;AAAA,MACvB,UAAU,eAAe;AAAA,IAC3B;AAEA,UAAM,oCAAoC;AAAA,MACxC,MAAM;AAAA,MACN,UAAU;AAAA,MACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,MACjC,UAAU;AAAA,IACZ;AAEA,gBAAY,OAAO,EAAE,MAAM,kBAAkB,aAAa,GAAG,mBAAmB,CAAC;AACjF,gBAAY,OAAO,EAAE,MAAM,UAAU,QAAQ,QAAQ,CAAC;AAEtD,gBAAY,OAAO,EAAE,MAAM,mBAAmB,GAAG,kCAAkC,CAAC;AACpF,gBAAY,OAAO;AAAA,MACjB,MAAMA,eAAc,UAAU,QAAQ,SAAS,YAAY;AAAA,MAC3D,GAAG;AAAA,IACL,CAAC;AACD,gBAAY,OAAO,EAAE,MAAM,UAAU,QAAQ,QAAQ,GAAG,kCAAkC,CAAC;AAE3F,UAAM,qBACJ,eAAe,gCACf,kBAAkB;AAEpB,QAAI,oBAAoB;AACtB,UAAI;AACF,YAAI;AAGJ,YAAI,eAAe,OAAO;AACxB,cAAI;AACF,kBAAM,gBAAgB,MAAM,WAAW,oBAAoB,cAAc,KAAK;AAC9E,sBAAU,cAAc;AAAA,UAC1B,SAAS,cAAc;AACrB,qBAAS;AAAA,cACP;AAAA,cACA;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAGA,YAAI,CAAC,SAAS;AACZ,cAAI,eAAe,OAAO;AACxB,gBAAI;AACF,oBAAM,iBAAiB,MAAM,WAAW,cAAc,cAAc,KAAK;AACzE,wBAAU,eAAe;AAAA,YAC3B,SAAS,cAAc;AACrB,uBAAS,KAAK,0DAA0D,YAAY;AAAA,YACtF;AAAA,UACF;AAAA,QACF;AAGA,YAAI,SAAS;AACX,gBAAM,WAAW,oBAAoB,OAAO;AAC5C,mBAAS,IAAI,kEAAkE,OAAO,EAAE;AAAA,QAC1F,OAAO;AACL,mBAAS,KAAK,8DAA8D;AAAA,QAC9E;AAAA,MACF,SAAS,aAAa;AACpB,iBAAS,MAAM,6DAA6D,WAAW;AAAA,MACzF;AAAA,IACF;AACA,WAAO,EAAE,SAAS,MAAM,SAAS,+BAA+B;AAAA,EAClE,SAAS,OAAO;AACd,aAAS,MAAM,2BAA2B,KAAK;AAC/C,WAAO,EAAE,SAAS,OAAO,SAAS,kCAAkC;AAAA,EACtE;AACF;;;AClQA,SAAS,aAAa;;;ACAtB,IAAM,UAAN,cAAsB,IAAI;AAAA,EACjB,cAAc,OAAqB;AACxC,WAAO,KAAK,WAAW,IAAI,IAAI,MAAM,SAAS,CAAC,EAAE;AAAA,EACnD;AACF;AAYO,IAAM,gBAAgB,IACxB,SACS;AACZ,SAAO,IAAI,QAAQ,GAAG,IAAI;AAC5B;;;ADdA,IAAM,oBAAN,cAAgC,QAAQ;AAAA,EAC7B;AAAA,EACA;AAAA,EAEF,YACL,OACA,MACA;AACA,UAAM,MACJ,OAAO,UAAU,YAAY,SAAS,QAAQ,MAAM,MAAM,OAAO,KAAK;AACxE,UAAM,KAAK,QAAQ,OAAO,UAAU,WAAW,SAAY,KAAK;AAChE,SAAK,UAAU,KAAK,qBAAqB,IAAI;AAC7C,SAAK,UAAU,KAAK,aAAa,IAAI;AAAA,EACvC;AAAA,EAEO,SAAS;AACd,WAAO;AAAA,MACL,KAAK,KAAK,QAAQ;AAAA,MAClB,QAAQ,KAAK;AAAA,MACb,SAAS,KAAK,UAAU,OAAO,YAAY,KAAK,OAAO,CAAC;AAAA,MACxD,SAAS,KAAK,QAAQ,SAAS;AAAA,MAC/B,SAAS,KAAK,UAAU,OAAO,YAAY,KAAK,OAAO,CAAC;AAAA,IAC1D;AAAA,EACF;AAAA,EAEQ,qBAAqB,KAAc;AACzC,UAAM,aAAa,IAAI,IAAI,IAAI,GAAG;AAClC,UAAM,iBAAiB,IAAI,QAAQ,IAAI,UAAU,QAAQ,cAAc;AACvE,UAAM,gBAAgB,IAAI,QAAQ,IAAI,UAAU,QAAQ,aAAa;AACrE,UAAM,OAAO,IAAI,QAAQ,IAAI,UAAU,QAAQ,IAAI;AACnD,UAAM,WAAW,WAAW;AAE5B,UAAM,eAAe,KAAK,wBAAwB,aAAa,KAAK;AACpE,UAAM,mBACJ,KAAK,wBAAwB,cAAc,KAC3C,UAAU,QAAQ,QAAQ,EAAE;AAC9B,UAAM,SACJ,gBAAgB,mBACZ,GAAG,gBAAgB,MAAM,YAAY,KACrC,WAAW;AAEjB,QAAI,WAAW,WAAW,QAAQ;AAChC,aAAO,cAAc,UAAU;AAAA,IACjC;AAEA,WAAO,cAAc,WAAW,WAAW,WAAW,QAAQ,MAAM;AAAA,EACtE;AAAA,EAEQ,wBAAwB,OAAuB;AACrD,WAAO,OAAO,MAAM,GAAG,EAAE,CAAC;AAAA,EAC5B;AAAA,EAEQ,aAAa,KAAc;AACjC,UAAM,gBAAgB;AAAA,MACpB,KAAK,kBAAkB,IAAI,QAAQ,IAAI,QAAQ,KAAK,EAAE;AAAA,IACxD;AACA,WAAO,IAAI,IAAI,OAAO,QAAQ,aAAa,CAAC;AAAA,EAC9C;AAAA,EAEQ,kBAAkB,KAAa;AACrC,WAAO,MAAM,IAAI,QAAQ,oBAAoB,kBAAkB,IAAI;AAAA,EACrE;AACF;AAEO,IAAM,0BAA0B,IAClC,SACmB;AACtB,SAAO,KAAK,CAAC,aAAa,oBACtB,KAAK,CAAC,IACN,IAAI,kBAAkB,GAAG,IAAI;AACnC;;;AErDO,IAAM,wBAAwB,OAAO,YAA+C;AACzF,QAAM,oBAAoB,wBAAwB,OAAO;AACzD,QAAM,eAAe,MAAM,oBAAoB,OAAO;AAEtD,SAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACF;AAEA,eAAsB,oBAAoB,SAAyC;AACjF,QAAM,gBAAgB,QAAQ,QAAQ,IAAI,QAAQ;AAClD,QAAM,eAAe,eAAe,MAAM,GAAG,EAC1C,KAAK,OAAK,EAAE,KAAK,EAAE,WAAW,kBAAkB,CAAC,GAChD,MAAM,GAAG,EAAE,CAAC;AAEhB,MAAI,CAAC,cAAc;AACjB,UAAM,IAAI,MAAM,wBAAwB;AAAA,EAC1C;AAEA,QAAM,qBAAqB,MAAM,4BAA4B,YAAY;AAEzE,MAAI,CAAC,mBAAmB,OAAO;AAC7B,UAAM,IAAI,MAAM,uBAAuB;AAAA,EACzC;AAEA,SAAO;AAAA,IACL;AAAA,IACA,IAAI,QAAQ,QAAQ,OAAO;AAAA,IAC3B;AAAA,EACF;AACF;AAEO,SAAS,iBACd,SACkB;AAClB,SAAO;AAAA,IACL;AAAA,IACA,QAAQ,QAAQ;AAAA,IAChB,KAAK,CAAC;AAAA,EACR;AACF;AAEO,SAAS,SACd,SACA,UAAmB,IAAI,QAAQ,GAC/B,OACa;AACb,QAAM,aAAa,iBAAiB,OAAO;AAC3C,SAAO;AAAA,IACL,MAAM,MAAM;AAAA,IACZ;AAAA,IACA;AAAA,EACF;AACF;;;AC7EA,SAAS,2BAAAC,gCAA+B;AAcjC,SAAS,aAAa,UAAmB;AAC5C,QAAM,OAAO,iBAAiB,QAAQ;AAEtC,iBAAe,WAAW,KAA0C;AAChE,QAAI;AACA,YAAM,OAAO,MAAM,KAAK,QAAQ,GAAG;AACnC,aAAO,EAAE,MAAM,MAAM,OAAO,KAAK;AAAA,IACrC,SAAS,OAAO;AACZ,aAAO,EAAE,MAAM,MAAM,OAAOC,yBAAwB,KAAK,EAAE;AAAA,IAC/D;AAAA,EACJ;AACA,iBAAe,eAAe,OAA4C;AACtE,QAAI;AACA,YAAM,OAAO,MAAM,KAAK,eAAe,KAAK;AAC5C,aAAO,EAAE,MAAM,MAAM,OAAO,KAAK;AAAA,IACrC,SAAS,OAAO;AACZ,aAAO,EAAE,MAAM,MAAM,OAAOA,yBAAwB,KAAK,EAAE;AAAA,IAC/D;AAAA,EACJ;AAEA,iBAAe,qBAAqB,aAAkD;AAClF,QAAI;AACA,YAAM,OAAO,MAAM,KAAK,qBAAqB,WAAW;AACxD,aAAO,EAAE,MAAM,MAAM,OAAO,KAAK;AAAA,IACrC,SAAS,OAAO;AACZ,aAAO,EAAE,MAAM,MAAM,OAAOA,yBAAwB,KAAK,EAAE;AAAA,IAC/D;AAAA,EACJ;AAEA,SAAO;AAAA,IACH;AAAA,IACA;AAAA,IACA;AAAA,EACJ;AACJ;","names":["Headers","getCookieName","getCookiePrefix","handleFirebaseAuthError","handleFirebaseAuthError","getCookiePrefix","getCookieName","handleFirebaseAuthError","handleFirebaseAuthError"]}
package/dist/{chunk-NXYWC6YO.mjs → chunk-TUYCJY35.mjs} RENAMED
@@ -69,6 +69,11 @@ function mapJwtPayloadToDecodedIdToken(payload) {
69
69
  decodedIdToken.uid = decodedIdToken.sub;
70
70
  return decodedIdToken;
71
71
  }
72
+ function mapJwtPayloadToDecodedAppCheckToken(payload) {
73
+ const decodedAppCheckToken = payload;
74
+ decodedAppCheckToken.app_id = decodedAppCheckToken.sub;
75
+ return decodedAppCheckToken;
76
+ }
72
77
 
73
78
  // src/utils/rfc4648.ts
74
79
  var base64url = {
@@ -330,6 +335,57 @@ async function verifyJwt(token, options) {
330
335
  const decodedIdToken = mapJwtPayloadToDecodedIdToken(verifiedPayload);
331
336
  return { data: decodedIdToken };
332
337
  }
338
+ async function verifyAppCheckSignature(jwt, getPublicKey) {
339
+ const { header, raw } = jwt;
340
+ const joseAlgorithm = header.alg || "RS256";
341
+ try {
342
+ const key = await getPublicKey();
343
+ const { payload } = await jwtVerify(raw.text, key);
344
+ return { data: payload };
345
+ } catch (error) {
346
+ return {
347
+ errors: [
348
+ new TokenVerificationError({
349
+ reason: TokenVerificationErrorReason.TokenInvalidSignature,
350
+ message: error.message
351
+ })
352
+ ]
353
+ };
354
+ }
355
+ }
356
+ async function verifyAppCheckJwt(token, options) {
357
+ const { key: getPublicKey } = options;
358
+ const clockSkew = options.clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;
359
+ const { data: decoded, errors } = ternDecodeJwt(token);
360
+ if (errors) {
361
+ return { errors };
362
+ }
363
+ const { header, payload } = decoded;
364
+ try {
365
+ verifyHeaderKid(header.kid);
366
+ verifySubClaim(payload.sub);
367
+ verifyExpirationClaim(payload.exp, clockSkew);
368
+ verifyIssuedAtClaim(payload.iat, clockSkew);
369
+ } catch (error) {
370
+ return { errors: [error] };
371
+ }
372
+ const { data: verifiedPayload, errors: signatureErrors } = await verifyAppCheckSignature(
373
+ decoded,
374
+ getPublicKey
375
+ );
376
+ if (signatureErrors) {
377
+ return {
378
+ errors: [
379
+ new TokenVerificationError({
380
+ reason: TokenVerificationErrorReason.TokenInvalidSignature,
381
+ message: "Token signature verification failed."
382
+ })
383
+ ]
384
+ };
385
+ }
386
+ const decodedAppCheckToken = mapJwtPayloadToDecodedAppCheckToken(verifiedPayload);
387
+ return { data: decodedAppCheckToken };
388
+ }
333
389
 
334
390
  // src/jwt/jwt.ts
335
391
  import { createRemoteJWKSet, decodeJwt as decodeJwt2, jwtVerify as jwtVerify2 } from "jose";
@@ -546,8 +602,38 @@ function createCustomTokenWithResult(uid, developerClaims) {
546
602
  }
547
603
 
548
604
  // src/jwt/signJwt.ts
549
- import { importPKCS8 as importPKCS82, SignJWT as SignJWT2 } from "jose";
605
+ import { base64url as base64url2, importPKCS8 as importPKCS82, SignJWT as SignJWT2 } from "jose";
606
+
607
+ // src/utils/fetcher.ts
608
+ async function getDetailFromResponse(response) {
609
+ const json = await response.json();
610
+ if (!json) {
611
+ return "Missing error payload";
612
+ }
613
+ let detail = typeof json.error === "string" ? json.error : json.error?.message ?? "Missing error payload";
614
+ if (json.error_description) {
615
+ detail += " (" + json.error_description + ")";
616
+ }
617
+ return detail;
618
+ }
619
+ async function fetchText(url, init) {
620
+ return (await fetchAny(url, init)).text();
621
+ }
622
+ async function fetchJson(url, init) {
623
+ return (await fetchAny(url, init)).json();
624
+ }
625
+ async function fetchAny(url, init) {
626
+ const response = await fetch(url, init);
627
+ if (!response.ok) {
628
+ throw new Error(await getDetailFromResponse(response));
629
+ }
630
+ return response;
631
+ }
632
+
633
+ // src/jwt/types.ts
550
634
  var ALGORITHM_RS256 = "RS256";
635
+
636
+ // src/jwt/signJwt.ts
551
637
  async function ternSignJwt(opts) {
552
638
  const { payload, privateKey, keyId } = opts;
553
639
  let key;
@@ -561,23 +647,113 @@ async function ternSignJwt(opts) {
561
647
  }
562
648
  return new SignJWT2(payload).setProtectedHeader({ alg: ALGORITHM_RS256, kid: keyId }).sign(key);
563
649
  }
650
+ function formatBase64(value) {
651
+ return value.replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
652
+ }
653
+ function encodeSegment(segment) {
654
+ const value = JSON.stringify(segment);
655
+ return formatBase64(base64url2.encode(value));
656
+ }
657
+ async function ternSignBlob({
658
+ payload,
659
+ serviceAccountId,
660
+ accessToken
661
+ }) {
662
+ const url = `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${serviceAccountId}:signBlob`;
663
+ const header = {
664
+ alg: ALGORITHM_RS256,
665
+ typ: "JWT"
666
+ };
667
+ const token = `${encodeSegment(header)}.${encodeSegment(payload)}`;
668
+ const request = {
669
+ method: "POST",
670
+ headers: {
671
+ Authorization: `Bearer ${accessToken}`
672
+ },
673
+ body: JSON.stringify({ payload: base64url2.encode(token) })
674
+ };
675
+ const response = await fetchAny(url, request);
676
+ const blob = await response.blob();
677
+ const key = await blob.text();
678
+ const { signedBlob } = JSON.parse(key);
679
+ return `${token}.${formatBase64(signedBlob)}`;
680
+ }
681
+
682
+ // src/jwt/crypto-signer.ts
683
+ var ServiceAccountSigner = class {
684
+ constructor(credential, tenantId) {
685
+ this.credential = credential;
686
+ this.tenantId = tenantId;
687
+ }
688
+ async getAccountId() {
689
+ return Promise.resolve(this.credential.clientEmail);
690
+ }
691
+ async sign(payload) {
692
+ if (this.tenantId) {
693
+ payload.tenant_id = this.tenantId;
694
+ }
695
+ return ternSignJwt({ payload, privateKey: this.credential.privateKey });
696
+ }
697
+ };
698
+ var IAMSigner = class {
699
+ algorithm = ALGORITHM_RS256;
700
+ credential;
701
+ tenantId;
702
+ serviceAccountId;
703
+ constructor(credential, tenantId, serviceAccountId) {
704
+ this.credential = credential;
705
+ this.tenantId = tenantId;
706
+ this.serviceAccountId = serviceAccountId;
707
+ }
708
+ async sign(payload) {
709
+ if (this.tenantId) {
710
+ payload.tenant_id = this.tenantId;
711
+ }
712
+ const serviceAccount = await this.getAccountId();
713
+ const accessToken = await this.credential.getAccessToken();
714
+ return ternSignBlob({
715
+ accessToken: accessToken.accessToken,
716
+ serviceAccountId: serviceAccount,
717
+ payload
718
+ });
719
+ }
720
+ async getAccountId() {
721
+ if (this.serviceAccountId) {
722
+ return this.serviceAccountId;
723
+ }
724
+ const token = await this.credential.getAccessToken();
725
+ const url = "http://metadata/computeMetadata/v1/instance/service-accounts/default/email";
726
+ const request = {
727
+ method: "GET",
728
+ headers: {
729
+ "Metadata-Flavor": "Google",
730
+ Authorization: `Bearer ${token.accessToken}`
731
+ }
732
+ };
733
+ return this.serviceAccountId = await fetchText(url, request);
734
+ }
735
+ };
564
736
 
565
737
  // src/jwt/index.ts
566
738
  var ternDecodeJwt2 = createJwtGuard(ternDecodeJwt);
567
739
 
568
740
  export {
569
741
  mapJwtPayloadToDecodedIdToken,
570
- CustomTokenError,
571
- createCustomToken,
572
- createCustomTokenWithResult,
573
742
  RefreshTokenErrorReason,
574
743
  TokenVerificationErrorReason,
575
744
  TokenVerificationError,
576
745
  ternDecodeJwt,
577
746
  verifyJwt,
747
+ verifyAppCheckJwt,
578
748
  verifyToken,
579
- ALGORITHM_RS256,
749
+ CustomTokenError,
750
+ createCustomToken,
751
+ createCustomTokenWithResult,
752
+ fetchJson,
580
753
  ternSignJwt,
754
+ ternSignBlob,
755
+ ServiceAccountSigner,
756
+ IAMSigner,
581
757
  ternDecodeJwt2
582
758
  };
583
- //# sourceMappingURL=chunk-NXYWC6YO.mjs.map
759
+ //# sourceMappingURL=chunk-TUYCJY35.mjs.map
package/dist/chunk-TUYCJY35.mjs.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/jwt/guardReturn.ts","../src/jwt/verifyJwt.ts","../src/utils/errors.ts","../src/utils/mapDecode.ts","../src/utils/rfc4648.ts","../src/jwt/cryptoKeys.ts","../src/jwt/algorithms.ts","../src/jwt/verifyContent.ts","../src/jwt/jwt.ts","../src/jwt/customJwt.ts","../src/jwt/signJwt.ts","../src/utils/fetcher.ts","../src/jwt/types.ts","../src/jwt/crypto-signer.ts","../src/jwt/index.ts"],"sourcesContent":["import { type JwtReturnType } from \"./types\";\n\nexport function createJwtGuard<T extends (...args: any[]) => JwtReturnType<any, any>>(decodedFn: T) {\n return (...args: Parameters<T>): NonNullable<Awaited<ReturnType<T>>['data']> | never => {\n const { data, errors } = decodedFn(...args);\n\n if (errors) {\n throw errors[0];\n }\n\n return data;\n };\n}\n","import type { DecodedAppCheckToken, DecodedIdToken, Jwt, JWTPayload } from '@tern-secure/types';\nimport {\n decodeJwt,\n decodeProtectedHeader,\n jwtVerify,\n type KeyLike,\n} from 'jose';\n\nimport { TokenVerificationError, TokenVerificationErrorReason } from '../utils/errors';\nimport { mapJwtPayloadToDecodedAppCheckToken, mapJwtPayloadToDecodedIdToken } from '../utils/mapDecode';\nimport { base64url } from '../utils/rfc4648';\nimport { importKey } from './cryptoKeys';\nimport type { JwtReturnType } from './types';\nimport {\n verifyExpirationClaim,\n verifyHeaderKid,\n verifyIssuedAtClaim,\n verifySubClaim,\n} from './verifyContent';\n\nconst DEFAULT_CLOCK_SKEW_IN_MS = 5 * 1000;\n\nexport type VerifyJwtOptions = {\n audience?: string | string[];\n clockSkewInMs?: number;\n key: JsonWebKey | string;\n};\n\nexport async function verifySignature(\n jwt: Jwt,\n key: JsonWebKey | string,\n): Promise<JwtReturnType<JWTPayload, Error>> {\n const { header, raw } = jwt;\n const joseAlgorithm = header.alg || 'RS256';\n\n try {\n const publicKey = await importKey(key, joseAlgorithm);\n\n const { payload } = await jwtVerify(raw.text, publicKey);\n\n return { data: payload };\n } catch (error) {\n return {\n errors: [\n new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalidSignature,\n message: (error as Error).message,\n }),\n ],\n };\n }\n}\n\nexport function ternDecodeJwt(token: string): JwtReturnType<Jwt, TokenVerificationError> {\n try {\n const header = decodeProtectedHeader(token);\n const payload = decodeJwt(token);\n\n const tokenParts = (token || '').toString().split('.');\n if (tokenParts.length !== 3) {\n return {\n errors: [\n new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalid,\n message: 'Invalid JWT format',\n }),\n ],\n };\n }\n\n const [rawHeader, rawPayload, rawSignature] = tokenParts;\n const signature = base64url.parse(rawSignature, { loose: true });\n\n const data = {\n header,\n payload,\n signature,\n raw: {\n header: rawHeader,\n payload: rawPayload,\n signature: rawSignature,\n text: token,\n },\n } satisfies Jwt;\n\n return { data };\n } catch (error) {\n return {\n errors: [\n new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalid,\n message: `${(error as Error).message || 'Invalid Token or Protected Header formatting'} (Token length: ${token?.length}, First 10 chars: ${token?.substring(0, 10)}...)`,\n }),\n ],\n };\n }\n}\n\nexport async function verifyJwt(\n token: string,\n options: VerifyJwtOptions,\n): Promise<JwtReturnType<DecodedIdToken, TokenVerificationError>> {\n const { key } = options;\n const clockSkew = options.clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;\n\n const { data: decoded, errors } = ternDecodeJwt(token);\n if (errors) {\n return { errors };\n }\n\n const { header, payload } = decoded;\n\n try {\n verifyHeaderKid(header.kid);\n verifySubClaim(payload.sub);\n verifyExpirationClaim(payload.exp, clockSkew);\n verifyIssuedAtClaim(payload.iat, clockSkew);\n } catch (error) {\n return { errors: [error as TokenVerificationError] };\n }\n\n const { data: verifiedPayload, errors: signatureErrors } = await verifySignature(decoded, key);\n if (signatureErrors) {\n return {\n errors: [\n new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalidSignature,\n message: 'Token signature verification failed.',\n }),\n ],\n };\n }\n\n const decodedIdToken = mapJwtPayloadToDecodedIdToken(verifiedPayload);\n\n return { data: decodedIdToken };\n}\n\nexport type VerifyAppCheckJwtOptions = Omit<VerifyJwtOptions, 'key'> & {\n key: () => Promise<KeyLike>;\n};\n\nexport async function verifyAppCheckSignature(\n jwt: Jwt,\n getPublicKey: () => Promise<KeyLike>,\n): Promise<JwtReturnType<JWTPayload, Error>> {\n const { header, raw } = jwt;\n const joseAlgorithm = header.alg || 'RS256';\n\n try {\n const key = await getPublicKey();\n\n const { payload } = await jwtVerify(raw.text, key);\n\n return { data: payload };\n } catch (error) {\n return {\n errors: [\n new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalidSignature,\n message: (error as Error).message,\n }),\n ],\n };\n }\n}\n\n\nexport async function verifyAppCheckJwt(\n token: string,\n options: VerifyAppCheckJwtOptions,\n): Promise<JwtReturnType<DecodedAppCheckToken, TokenVerificationError>> {\n const { key: getPublicKey } = options;\n const clockSkew = options.clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;\n\n const { data: decoded, errors } = ternDecodeJwt(token);\n if (errors) {\n return { errors };\n }\n\n const { header, payload } = decoded;\n\n try {\n verifyHeaderKid(header.kid);\n verifySubClaim(payload.sub);\n verifyExpirationClaim(payload.exp, clockSkew);\n verifyIssuedAtClaim(payload.iat, clockSkew);\n } catch (error) {\n return { errors: [error as TokenVerificationError] };\n }\n\n const { data: verifiedPayload, errors: signatureErrors } = await verifyAppCheckSignature(\n decoded,\n getPublicKey,\n );\n if (signatureErrors) {\n return {\n errors: [\n new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalidSignature,\n message: 'Token signature verification failed.',\n }),\n ],\n };\n }\n\n const decodedAppCheckToken = mapJwtPayloadToDecodedAppCheckToken(verifiedPayload);\n\n return { data: decodedAppCheckToken };\n}","export const RefreshTokenErrorReason = {\n NonEligibleNoCookie: 'non-eligible-no-refresh-cookie',\n NonEligibleNonGet: 'non-eligible-non-get',\n InvalidSessionToken: 'invalid-session-token',\n MissingApiClient: 'missing-api-client',\n MissingIdToken: 'missing-id-token',\n MissingSessionToken: 'missing-session-token',\n MissingRefreshToken: 'missing-refresh-token',\n ExpiredIdTokenDecodeFailed: 'expired-id-token-decode-failed',\n ExpiredSessionTokenDecodeFailed: 'expired-session-token-decode-failed',\n FetchError: 'fetch-error',\n} as const;\n\nexport type TokenCarrier = 'header' | 'cookie';\n\nexport const TokenVerificationErrorReason = {\n TokenExpired: 'token-expired',\n TokenInvalid: 'token-invalid',\n TokenInvalidAlgorithm: 'token-invalid-algorithm',\n TokenInvalidAuthorizedParties: 'token-invalid-authorized-parties',\n TokenInvalidSignature: 'token-invalid-signature',\n TokenNotActiveYet: 'token-not-active-yet',\n TokenIatInTheFuture: 'token-iat-in-the-future',\n TokenVerificationFailed: 'token-verification-failed',\n InvalidSecretKey: 'secret-key-invalid',\n LocalJWKMissing: 'jwk-local-missing',\n RemoteJWKFailedToLoad: 'jwk-remote-failed-to-load',\n RemoteJWKInvalid: 'jwk-remote-invalid',\n RemoteJWKMissing: 'jwk-remote-missing',\n JWKFailedToResolve: 'jwk-failed-to-resolve',\n JWKKidMismatch: 'jwk-kid-mismatch',\n};\n\nexport type TokenVerificationErrorReason =\n (typeof TokenVerificationErrorReason)[keyof typeof TokenVerificationErrorReason];\n\nexport class TokenVerificationError extends Error {\n reason: TokenVerificationErrorReason;\n tokenCarrier?: TokenCarrier;\n\n constructor({\n message,\n reason,\n }: {\n message: string;\n reason: TokenVerificationErrorReason;\n }) {\n super(message);\n\n Object.setPrototypeOf(this, TokenVerificationError.prototype);\n\n this.reason = reason;\n this.message = message;\n }\n\n public getFullMessage() {\n return `${[this.message].filter(m => m).join(' ')} (reason=${this.reason}, token-carrier=${\n this.tokenCarrier\n })`;\n }\n }\n","import type { DecodedAppCheckToken, DecodedIdToken } from \"@tern-secure/types\";\nimport type {\n JWTPayload,\n} from \"jose\";\n\nexport function mapJwtPayloadToDecodedIdToken(payload: JWTPayload) {\n const decodedIdToken = payload as DecodedIdToken;\n decodedIdToken.uid = decodedIdToken.sub;\n return decodedIdToken;\n}\n\n\nexport function mapJwtPayloadToDecodedAppCheckToken(payload: JWTPayload) {\n const decodedAppCheckToken = payload as DecodedAppCheckToken;\n decodedAppCheckToken.app_id = decodedAppCheckToken.sub;\n return decodedAppCheckToken;\n}","/**\n * The base64url helper was extracted from the rfc4648 package\n * in order to resolve CSJ/ESM interoperability issues\n *\n * https://github.com/swansontec/rfc4648.js\n *\n * For more context please refer to:\n * - https://github.com/evanw/esbuild/issues/1719\n * - https://github.com/evanw/esbuild/issues/532\n * - https://github.com/swansontec/rollup-plugin-mjs-entry\n */\nexport const base64url = {\n parse(string: string, opts?: ParseOptions): Uint8Array {\n return parse(string, base64UrlEncoding, opts);\n },\n\n stringify(data: ArrayLike<number>, opts?: StringifyOptions): string {\n return stringify(data, base64UrlEncoding, opts);\n },\n};\n\nconst base64UrlEncoding: Encoding = {\n chars: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_',\n bits: 6,\n};\n\ninterface Encoding {\n bits: number;\n chars: string;\n codes?: { [char: string]: number };\n}\n\ninterface ParseOptions {\n loose?: boolean;\n out?: new (size: number) => { [index: number]: number };\n}\n\ninterface StringifyOptions {\n pad?: boolean;\n}\n\nfunction parse(string: string, encoding: Encoding, opts: ParseOptions = {}): Uint8Array {\n // Build the character lookup table:\n if (!encoding.codes) {\n encoding.codes = {};\n for (let i = 0; i < encoding.chars.length; ++i) {\n encoding.codes[encoding.chars[i]] = i;\n }\n }\n\n // The string must have a whole number of bytes:\n if (!opts.loose && (string.length * encoding.bits) & 7) {\n throw new SyntaxError('Invalid padding');\n }\n\n // Count the padding bytes:\n let end = string.length;\n while (string[end - 1] === '=') {\n --end;\n\n // If we get a whole number of bytes, there is too much padding:\n if (!opts.loose && !(((string.length - end) * encoding.bits) & 7)) {\n throw new SyntaxError('Invalid padding');\n }\n }\n\n // Allocate the output:\n const out = new (opts.out ?? Uint8Array)(((end * encoding.bits) / 8) | 0) as Uint8Array;\n\n // Parse the data:\n let bits = 0; // Number of bits currently in the buffer\n let buffer = 0; // Bits waiting to be written out, MSB first\n let written = 0; // Next byte to write\n for (let i = 0; i < end; ++i) {\n // Read one character from the string:\n const value = encoding.codes[string[i]];\n if (value === undefined) {\n throw new SyntaxError('Invalid character ' + string[i]);\n }\n\n // Append the bits to the buffer:\n buffer = (buffer << encoding.bits) | value;\n bits += encoding.bits;\n\n // Write out some bits if the buffer has a byte's worth:\n if (bits >= 8) {\n bits -= 8;\n out[written++] = 0xff & (buffer >> bits);\n }\n }\n\n // Verify that we have received just enough bits:\n if (bits >= encoding.bits || 0xff & (buffer << (8 - bits))) {\n throw new SyntaxError('Unexpected end of data');\n }\n\n return out;\n}\n\nfunction stringify(data: ArrayLike<number>, encoding: Encoding, opts: StringifyOptions = {}): string {\n const { pad = true } = opts;\n const mask = (1 << encoding.bits) - 1;\n let out = '';\n\n let bits = 0; // Number of bits currently in the buffer\n let buffer = 0; // Bits waiting to be written out, MSB first\n for (let i = 0; i < data.length; ++i) {\n // Slurp data into the buffer:\n buffer = (buffer << 8) | (0xff & data[i]);\n bits += 8;\n\n // Write out as much as we can:\n while (bits > encoding.bits) {\n bits -= encoding.bits;\n out += encoding.chars[mask & (buffer >> bits)];\n }\n }\n\n // Partial character:\n if (bits) {\n out += encoding.chars[mask & (buffer << (encoding.bits - bits))];\n }\n\n // Add padding characters until we hit a byte boundary:\n if (pad) {\n while ((out.length * encoding.bits) & 7) {\n out += '=';\n }\n }\n\n return out;\n}\n","import { importJWK, importSPKI,importX509, type KeyLike } from 'jose';\n\nexport async function importKey(key: JsonWebKey | string, algorithm: string): Promise<KeyLike> {\n if (typeof key === 'object') {\n const result = await importJWK(key as Parameters<typeof importJWK>[0], algorithm);\n if (result instanceof Uint8Array) {\n throw new Error('Unexpected Uint8Array result from JWK import');\n }\n return result;\n }\n\n const keyString = key.trim();\n\n if (keyString.includes('-----BEGIN CERTIFICATE-----')) {\n return await importX509(keyString, algorithm);\n }\n\n if (keyString.includes('-----BEGIN PUBLIC KEY-----')) {\n return await importSPKI(keyString, algorithm);\n }\n\n try {\n return await importSPKI(keyString, algorithm);\n } catch (error) {\n throw new Error(\n `Unsupported key format. Supported formats: X.509 certificate (PEM), SPKI (PEM), JWK (JSON object or string). Error: ${error}`,\n );\n }\n}\n","const algToHash: Record<string, string> = {\n RS256: 'SHA-256',\n RS384: 'SHA-384',\n RS512: 'SHA-512',\n};\nconst RSA_ALGORITHM_NAME = 'RSASSA-PKCS1-v1_5';\n\nconst jwksAlgToCryptoAlg: Record<string, string> = {\n RS256: RSA_ALGORITHM_NAME,\n RS384: RSA_ALGORITHM_NAME,\n RS512: RSA_ALGORITHM_NAME,\n};\n\nexport const algs = Object.keys(algToHash);\n\nexport function getCryptoAlgorithm(algorithmName: string): RsaHashedImportParams {\n const hash = algToHash[algorithmName];\n const name = jwksAlgToCryptoAlg[algorithmName];\n\n if (!hash || !name) {\n throw new Error(`Unsupported algorithm ${algorithmName}, expected one of ${algs.join(',')}.`);\n }\n\n return {\n hash: { name: algToHash[algorithmName] },\n name: jwksAlgToCryptoAlg[algorithmName],\n };\n}\n","import { TokenVerificationError, TokenVerificationErrorReason } from '../utils/errors';\nimport { algs } from './algorithms';\n\nexport const verifyHeaderType = (typ?: unknown) => {\n if (typeof typ === 'undefined') {\n return;\n }\n\n if (typ !== 'JWT') {\n throw new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalid,\n message: `Invalid JWT type ${JSON.stringify(typ)}. Expected \"JWT\".`,\n });\n }\n};\n\nexport const verifyHeaderKid = (kid?: unknown) => {\n if (typeof kid === 'undefined') {\n return;\n }\n\n if (typeof kid !== 'string') {\n throw new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalid,\n message: `Invalid JWT kid ${JSON.stringify(kid)}. Expected a string.`,\n });\n }\n};\n\nexport const verifyHeaderAlgorithm = (alg: string) => {\n if (!algs.includes(alg)) {\n throw new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenInvalidAlgorithm,\n message: `Invalid JWT algorithm ${JSON.stringify(alg)}. Supported: ${algs}.`,\n });\n }\n};\n\nexport const verifySubClaim = (sub?: string) => {\n if (typeof sub !== 'string') {\n throw new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenVerificationFailed,\n message: `Subject claim (sub) is required and must be a string. Received ${JSON.stringify(sub)}.`,\n });\n }\n};\n\nexport const verifyExpirationClaim = (exp: number | undefined, clockSkewInMs: number) => {\n if (typeof exp !== 'number') {\n throw new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenVerificationFailed,\n message: `Invalid JWT expiry date (exp) claim ${JSON.stringify(exp)}. Expected a number.`,\n });\n }\n\n const currentDate = new Date(Date.now());\n const expiryDate = new Date(0);\n expiryDate.setUTCSeconds(exp);\n\n const expired = expiryDate.getTime() <= currentDate.getTime() - clockSkewInMs;\n if (expired) {\n throw new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenExpired,\n message: `JWT is expired. Expiry date: ${expiryDate.toUTCString()}, Current date: ${currentDate.toUTCString()}.`,\n });\n }\n};\n\nexport const verifyIssuedAtClaim = (iat: number | undefined, clockSkewInMs: number) => {\n if (typeof iat === 'undefined') {\n return;\n }\n\n if (typeof iat !== 'number') {\n throw new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenVerificationFailed,\n message: `Invalid JWT issued at date claim (iat) ${JSON.stringify(iat)}. Expected a number.`,\n });\n }\n\n const currentDate = new Date(Date.now());\n const issuedAtDate = new Date(0);\n issuedAtDate.setUTCSeconds(iat);\n\n const postIssued = issuedAtDate.getTime() > currentDate.getTime() + clockSkewInMs;\n if (postIssued) {\n throw new TokenVerificationError({\n reason: TokenVerificationErrorReason.TokenIatInTheFuture,\n message: `JWT issued at date claim (iat) is in the future. Issued at date: ${issuedAtDate.toUTCString()}; Current date: ${currentDate.toUTCString()};`,\n });\n }\n};\n","import type {\n DecodedIdToken,\n TernVerificationResult,\n} from \"@tern-secure/types\";\nimport { createRemoteJWKSet, decodeJwt,jwtVerify } from \"jose\";\n\n\nexport type FirebaseIdTokenPayload = DecodedIdToken;\n\n// Firebase public key endpoints\nconst FIREBASE_ID_TOKEN_URL =\n \"https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com\";\nconst FIREBASE_SESSION_CERT_URL =\n \"https://identitytoolkit.googleapis.com/v1/sessionCookiePublicKeys\";\n\n//const FIREBASE_NEW_SESSION_PK = \"https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys\"\n\n// Simple in-memory cache for JWKS\nlet idTokenJWKS: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet sessionJWKS: ReturnType<typeof createRemoteJWKSet> | null = null;\n\nconst getIdTokenJWKS = () => {\n if (!idTokenJWKS) {\n idTokenJWKS = createRemoteJWKSet(new URL(FIREBASE_ID_TOKEN_URL), {\n cacheMaxAge: 3600000, // 1 hour\n timeoutDuration: 5000, // 5 seconds\n cooldownDuration: 30000, // 30 seconds between retries\n });\n }\n return idTokenJWKS;\n};\n\nconst getSessionJWKS = () => {\n if (!sessionJWKS) {\n sessionJWKS = createRemoteJWKSet(new URL(FIREBASE_SESSION_CERT_URL), {\n cacheMaxAge: 3600000, // 1 hour\n timeoutDuration: 5000, // 5 seconds\n cooldownDuration: 30000, // 30 seconds between retries\n });\n }\n return sessionJWKS;\n};\n\n\n\nexport async function verifyToken(\n token: string,\n isSessionCookie = false\n): Promise<TernVerificationResult> {\n try {\n const projectId = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID;\n if (!projectId) {\n throw new Error(\"Firebase Project ID is not configured\");\n }\n\n const { decoded } = decodeJwt(token);\n if (!decoded) {\n throw new Error(\"Invalid token format\");\n }\n\n let retries = 3;\n let lastError: Error | null = null;\n\n while (retries > 0) {\n try {\n // Use different JWKS based on token type\n const JWKS = isSessionCookie ? getSessionJWKS() : getIdTokenJWKS();\n\n const { payload } = await jwtVerify(token, JWKS, {\n issuer: isSessionCookie\n ? \"https://session.firebase.google.com/\" + projectId\n : \"https://securetoken.google.com/\" + projectId,\n audience: projectId,\n algorithms: [\"RS256\"],\n });\n\n const firebasePayload = payload as unknown as FirebaseIdTokenPayload;\n const now = Math.floor(Date.now() / 1000);\n\n // Verify token claims\n if (firebasePayload.exp <= now) {\n throw new Error(\"Token has expired\");\n }\n\n if (firebasePayload.iat > now) {\n throw new Error(\"Token issued time is in the future\");\n }\n\n if (!firebasePayload.sub) {\n throw new Error(\"Token subject is empty\");\n }\n\n if (firebasePayload.auth_time > now) {\n throw new Error(\"Token auth time is in the future\");\n }\n\n return {\n valid: true,\n uid: firebasePayload.sub,\n sub: firebasePayload.sub,\n email: firebasePayload.email,\n email_verified: firebasePayload.email_verified,\n auth_time: firebasePayload.auth_time,\n iat: firebasePayload.iat,\n exp: firebasePayload.exp,\n aud: firebasePayload.aud,\n iss: firebasePayload.iss,\n firebase: firebasePayload.firebase,\n phone_number: firebasePayload.phone_number,\n picture: firebasePayload.picture,\n };\n } catch (error) {\n lastError = error as Error;\n if (error instanceof Error && error.name === \"JWKSNoMatchingKey\") {\n console.warn(`JWKS retry attempt ${4 - retries}:`, error.message);\n retries--;\n if (retries > 0) {\n await new Promise((resolve) => setTimeout(resolve, 1000));\n continue;\n }\n }\n throw error;\n }\n }\n\n throw lastError || new Error(\"Failed to verify token after retries\");\n } catch (error) {\n console.error(\"Token verification details:\", {\n error:\n error instanceof Error\n ? {\n name: error.name,\n message: error.message,\n stack: error.stack,\n }\n : error,\n decoded: decodeJwt(token),\n isSessionCookie,\n });\n\n return {\n valid: false,\n error: {\n success: false,\n message: error instanceof Error ? error.message : \"Invalid token\",\n code: \"INVALID_TOKEN\",\n },\n };\n }\n}\n","import type { JWTPayload } from '@tern-secure/types';\nimport { importPKCS8, SignJWT } from 'jose';\n\nimport type { JwtReturnType } from './types';\n\n\nexport interface CustomTokenClaims {\n [key: string]: unknown;\n}\n\nexport class CustomTokenError extends Error {\n constructor(\n message: string,\n public code?: string,\n ) {\n super(message);\n this.name = 'CustomTokenError';\n }\n}\n\nconst RESERVED_CLAIMS = [\n 'acr',\n 'amr',\n 'at_hash',\n 'aud',\n 'auth_time',\n 'azp',\n 'cnf',\n 'c_hash',\n 'exp',\n 'firebase',\n 'iat',\n 'iss',\n 'jti',\n 'nbf',\n 'nonce',\n 'sub',\n];\n\nasync function createCustomTokenJwt(\n uid: string,\n developerClaims?: CustomTokenClaims,\n): Promise<JwtReturnType<string, CustomTokenError>> {\n try {\n const privateKey = process.env.FIREBASE_PRIVATE_KEY;\n const clientEmail = process.env.FIREBASE_CLIENT_EMAIL;\n\n if (!privateKey || !clientEmail) {\n return {\n errors: [\n new CustomTokenError(\n 'Missing FIREBASE_PRIVATE_KEY or FIREBASE_CLIENT_EMAIL environment variables',\n 'MISSING_ENV_VARS',\n ),\n ],\n };\n }\n\n if (!uid || typeof uid !== 'string') {\n return {\n errors: [new CustomTokenError('uid must be a non-empty string', 'INVALID_UID')],\n };\n }\n\n if (uid.length > 128) {\n return {\n errors: [new CustomTokenError('uid must not exceed 128 characters', 'UID_TOO_LONG')],\n };\n }\n\n if (developerClaims) {\n for (const claim of Object.keys(developerClaims)) {\n if (RESERVED_CLAIMS.includes(claim)) {\n return {\n errors: [new CustomTokenError(`Custom claim '${claim}' is reserved`, 'RESERVED_CLAIM')],\n };\n }\n }\n }\n\n // Set expiration (default 1 hour, max 1 hour)\n const expiresIn = 3600;\n const now = Math.floor(Date.now() / 1000);\n\n const parsedPrivateKey = await importPKCS8(privateKey.replace(/\\\\n/g, '\\n'), 'RS256');\n\n const payload: JWTPayload = {\n iss: clientEmail,\n sub: clientEmail,\n aud: 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit',\n iat: now,\n exp: now + expiresIn,\n uid: uid,\n ...developerClaims,\n };\n\n const jwt = await new SignJWT(payload)\n .setProtectedHeader({ alg: 'RS256', typ: 'JWT' })\n .setIssuedAt(now)\n .setExpirationTime(now + expiresIn)\n .setIssuer(clientEmail)\n .setSubject(clientEmail)\n .setAudience(\n 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit',\n )\n .sign(parsedPrivateKey);\n\n return {\n data: jwt,\n };\n } catch (error) {\n const message = error instanceof Error ? error.message : 'Unknown error occurred';\n return {\n errors: [\n new CustomTokenError(`Failed to create custom token: ${message}`, 'TOKEN_CREATION_FAILED'),\n ],\n };\n }\n}\n\nexport async function createCustomToken(\n uid: string,\n developerClaims?: CustomTokenClaims,\n): Promise<string> {\n const { data, errors } = await createCustomTokenJwt(uid, developerClaims);\n\n if (errors) {\n throw errors[0];\n }\n\n return data;\n}\n\nexport function createCustomTokenWithResult(\n uid: string,\n developerClaims?: CustomTokenClaims,\n): Promise<JwtReturnType<string, CustomTokenError>> {\n return createCustomTokenJwt(uid, developerClaims);\n}","import type { JWTPayload } from '@tern-secure/types';\nimport type { KeyLike } from 'jose';\nimport { base64url,importPKCS8, SignJWT, } from 'jose';\n\nimport { TokenVerificationError, TokenVerificationErrorReason } from '../utils/errors';\nimport { fetchAny } from '../utils/fetcher'\nimport { ALGORITHM_RS256 } from './types';\n\nexport interface SignJwtOptions {\n algorithm?: string;\n header?: Record<string, unknown>;\n}\n\n\nexport type SignOptions = {\n readonly payload: JWTPayload;\n readonly privateKey: string;\n readonly keyId?: string;\n};\n\n\nasync function ternSignJwt(opts: SignOptions): Promise<string> {\n const { payload, privateKey, keyId } = opts;\n let key: KeyLike;\n\n try {\n key = await importPKCS8(privateKey, ALGORITHM_RS256);\n } catch (error) {\n throw new TokenVerificationError({\n message: `Failed to import private key: ${(error as Error).message}`,\n reason: TokenVerificationErrorReason.TokenInvalid,\n });\n }\n\n return new SignJWT(payload)\n .setProtectedHeader({ alg: ALGORITHM_RS256, kid: keyId })\n .sign(key);\n}\n\n\nexport type SignBlobOptions = {\n readonly serviceAccountId: string;\n readonly accessToken: string;\n readonly payload: JWTPayload;\n};\n\n\nfunction formatBase64(value: string) {\n return value.replace(/\\//g, '_').replace(/\\+/g, '-').replace(/=+$/, '');\n}\n\nfunction encodeSegment(segment: Record<string, string> | JWTPayload): string {\n const value = JSON.stringify(segment);\n\n return formatBase64(base64url.encode(value));\n}\n\n\nasync function ternSignBlob({\n payload,\n serviceAccountId,\n accessToken\n}: SignBlobOptions): Promise<string> {\n const url = `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${serviceAccountId}:signBlob`;\n const header = {\n alg: ALGORITHM_RS256,\n typ: 'JWT'\n };\n const token = `${encodeSegment(header)}.${encodeSegment(payload)}`;\n const request: RequestInit = {\n method: 'POST',\n headers: {\n Authorization: `Bearer ${accessToken}`\n },\n body: JSON.stringify({payload: base64url.encode(token)})\n };\n const response = await fetchAny(url, request);\n const blob = await response.blob();\n const key = await blob.text();\n const {signedBlob} = JSON.parse(key);\n\n return `${token}.${formatBase64(signedBlob)}`;\n}\n\nexport { ternSignJwt, ternSignBlob };\n","async function getDetailFromResponse(response: Response): Promise<string> {\n const json = await response.json();\n\n if (!json) {\n return 'Missing error payload';\n }\n\n let detail =\n typeof json.error === 'string'\n ? json.error\n : (json.error?.message ?? 'Missing error payload');\n\n if (json.error_description) {\n detail += ' (' + json.error_description + ')';\n }\n\n return detail;\n}\n\nexport async function fetchText(url: string, init: RequestInit) {\n return (await fetchAny(url, init)).text();\n}\n\nexport async function fetchJson(url: string, init: RequestInit) {\n return (await fetchAny(url, init)).json();\n}\n\nexport async function fetchAny(url: string, init: RequestInit) {\n const response = await fetch(url, init);\n\n if (!response.ok) {\n throw new Error(await getDetailFromResponse(response));\n }\n\n return response;\n}","import type { JWTPayload } from '@tern-secure/types';\n\n\nexport type JwtReturnType<R, E extends Error> =\n | {\n data: R;\n errors?: undefined;\n }\n | {\n data?: undefined;\n errors: [E];\n };\n\n\nexport const ALGORITHM_RS256 = 'RS256' as const;\n\nexport interface CryptoSigner {\n getAccountId(): Promise<string>;\n sign(payload: JWTPayload): Promise<string>;\n}","import type { JWTPayload } from '@tern-secure/types';\n\nimport type { Credential, ServiceAccountManager } from '../auth';\nimport { fetchText } from '../utils/fetcher'\nimport { ternSignBlob, ternSignJwt } from './signJwt';\nimport { ALGORITHM_RS256, type CryptoSigner } from './types';\n\n\nclass ServiceAccountSigner implements CryptoSigner {\n\n constructor(\n private readonly credential: ServiceAccountManager,\n private tenantId?: string\n ) { }\n\n public async getAccountId(): Promise<string> {\n return Promise.resolve(this.credential.clientEmail);\n }\n\n public async sign(payload: JWTPayload): Promise<string> {\n if (this.tenantId) {\n payload.tenant_id = this.tenantId;\n }\n\n return ternSignJwt({ payload, privateKey: this.credential.privateKey });\n }\n}\n\nclass IAMSigner implements CryptoSigner {\n algorithm = ALGORITHM_RS256;\n\n private credential: Credential;\n private tenantId?: string;\n private serviceAccountId?: string;\n\n constructor(\n credential: Credential,\n tenantId?: string,\n serviceAccountId?: string\n ) {\n this.credential = credential;\n this.tenantId = tenantId;\n this.serviceAccountId = serviceAccountId;\n }\n\n public async sign(payload: JWTPayload): Promise<string> {\n if (this.tenantId) {\n payload.tenant_id = this.tenantId;\n }\n\n const serviceAccount = await this.getAccountId();\n const accessToken = await this.credential.getAccessToken();\n\n return ternSignBlob({\n accessToken: accessToken.accessToken,\n serviceAccountId: serviceAccount,\n payload\n });\n }\n\n public async getAccountId(): Promise<string> {\n if (this.serviceAccountId) {\n return this.serviceAccountId;\n }\n\n const token = await this.credential.getAccessToken();\n const url =\n 'http://metadata/computeMetadata/v1/instance/service-accounts/default/email';\n const request: RequestInit = {\n method: 'GET',\n headers: {\n 'Metadata-Flavor': 'Google',\n Authorization: `Bearer ${token.accessToken}`\n }\n };\n\n return (this.serviceAccountId = await fetchText(url, request));\n }\n}\n\n\nexport { ServiceAccountSigner, IAMSigner };\n\n","import { createJwtGuard } from './guardReturn';\nimport { ternDecodeJwt as _ternDecodeJwt } from './verifyJwt';\n\nexport const ternDecodeJwt = createJwtGuard(_ternDecodeJwt);\nexport { ternDecodeJwt as ternDecodeJwtUnguarded } from './verifyJwt';\n\nexport * from './jwt';\nexport * from './customJwt';\nexport * from './signJwt';\nexport { ServiceAccountSigner, IAMSigner } from './crypto-signer';\nexport type { JwtReturnType, CryptoSigner } from './types';"],"mappings":";AAEO,SAAS,eAAsE,WAAc;AAClG,SAAO,IAAI,SAA6E;AACtF,UAAM,EAAE,MAAM,OAAO,IAAI,UAAU,GAAG,IAAI;AAE1C,QAAI,QAAQ;AACV,YAAM,OAAO,CAAC;AAAA,IAChB;AAEA,WAAO;AAAA,EACT;AACF;;;ACXA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OAEK;;;ACNA,IAAM,0BAA0B;AAAA,EACrC,qBAAqB;AAAA,EACrB,mBAAmB;AAAA,EACnB,qBAAqB;AAAA,EACrB,kBAAkB;AAAA,EAClB,gBAAgB;AAAA,EAChB,qBAAqB;AAAA,EACrB,qBAAqB;AAAA,EACrB,4BAA4B;AAAA,EAC5B,iCAAiC;AAAA,EACjC,YAAY;AACd;AAIO,IAAM,+BAA+B;AAAA,EAC1C,cAAc;AAAA,EACd,cAAc;AAAA,EACd,uBAAuB;AAAA,EACvB,+BAA+B;AAAA,EAC/B,uBAAuB;AAAA,EACvB,mBAAmB;AAAA,EACnB,qBAAqB;AAAA,EACrB,yBAAyB;AAAA,EACzB,kBAAkB;AAAA,EAClB,iBAAiB;AAAA,EACjB,uBAAuB;AAAA,EACvB,kBAAkB;AAAA,EAClB,kBAAkB;AAAA,EAClB,oBAAoB;AAAA,EACpB,gBAAgB;AAClB;AAKO,IAAM,yBAAN,MAAM,gCAA+B,MAAM;AAAA,EAChD;AAAA,EACA;AAAA,EAEA,YAAY;AAAA,IACV;AAAA,IACA;AAAA,EACF,GAGG;AACD,UAAM,OAAO;AAEb,WAAO,eAAe,MAAM,wBAAuB,SAAS;AAE5D,SAAK,SAAS;AACd,SAAK,UAAU;AAAA,EACjB;AAAA,EAEO,iBAAiB;AACtB,WAAO,GAAG,CAAC,KAAK,OAAO,EAAE,OAAO,OAAK,CAAC,EAAE,KAAK,GAAG,CAAC,YAAY,KAAK,MAAM,mBACtE,KAAK,YACP;AAAA,EACF;AACA;;;ACvDK,SAAS,8BAA8B,SAAqB;AACjE,QAAM,iBAAiB;AACvB,iBAAe,MAAM,eAAe;AACpC,SAAO;AACT;AAGO,SAAS,oCAAoC,SAAqB;AACvE,QAAM,uBAAuB;AAC7B,uBAAqB,SAAS,qBAAqB;AACnD,SAAO;AACT;;;ACLO,IAAM,YAAY;AAAA,EACvB,MAAM,QAAgB,MAAiC;AACrD,WAAO,MAAM,QAAQ,mBAAmB,IAAI;AAAA,EAC9C;AAAA,EAEA,UAAU,MAAyB,MAAiC;AAClE,WAAO,UAAU,MAAM,mBAAmB,IAAI;AAAA,EAChD;AACF;AAEA,IAAM,oBAA8B;AAAA,EAClC,OAAO;AAAA,EACP,MAAM;AACR;AAiBA,SAAS,MAAM,QAAgB,UAAoB,OAAqB,CAAC,GAAe;AAEtF,MAAI,CAAC,SAAS,OAAO;AACnB,aAAS,QAAQ,CAAC;AAClB,aAAS,IAAI,GAAG,IAAI,SAAS,MAAM,QAAQ,EAAE,GAAG;AAC9C,eAAS,MAAM,SAAS,MAAM,CAAC,CAAC,IAAI;AAAA,IACtC;AAAA,EACF;AAGA,MAAI,CAAC,KAAK,SAAU,OAAO,SAAS,SAAS,OAAQ,GAAG;AACtD,UAAM,IAAI,YAAY,iBAAiB;AAAA,EACzC;AAGA,MAAI,MAAM,OAAO;AACjB,SAAO,OAAO,MAAM,CAAC,MAAM,KAAK;AAC9B,MAAE;AAGF,QAAI,CAAC,KAAK,SAAS,GAAI,OAAO,SAAS,OAAO,SAAS,OAAQ,IAAI;AACjE,YAAM,IAAI,YAAY,iBAAiB;AAAA,IACzC;AAAA,EACF;AAGA,QAAM,MAAM,KAAK,KAAK,OAAO,YAAc,MAAM,SAAS,OAAQ,IAAK,CAAC;AAGxE,MAAI,OAAO;AACX,MAAI,SAAS;AACb,MAAI,UAAU;AACd,WAAS,IAAI,GAAG,IAAI,KAAK,EAAE,GAAG;AAE5B,UAAM,QAAQ,SAAS,MAAM,OAAO,CAAC,CAAC;AACtC,QAAI,UAAU,QAAW;AACvB,YAAM,IAAI,YAAY,uBAAuB,OAAO,CAAC,CAAC;AAAA,IACxD;AAGA,aAAU,UAAU,SAAS,OAAQ;AACrC,YAAQ,SAAS;AAGjB,QAAI,QAAQ,GAAG;AACb,cAAQ;AACR,UAAI,SAAS,IAAI,MAAQ,UAAU;AAAA,IACrC;AAAA,EACF;AAGA,MAAI,QAAQ,SAAS,QAAQ,MAAQ,UAAW,IAAI,MAAQ;AAC1D,UAAM,IAAI,YAAY,wBAAwB;AAAA,EAChD;AAEA,SAAO;AACT;AAEA,SAAS,UAAU,MAAyB,UAAoB,OAAyB,CAAC,GAAW;AACnG,QAAM,EAAE,MAAM,KAAK,IAAI;AACvB,QAAM,QAAQ,KAAK,SAAS,QAAQ;AACpC,MAAI,MAAM;AAEV,MAAI,OAAO;AACX,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,EAAE,GAAG;AAEpC,aAAU,UAAU,IAAM,MAAO,KAAK,CAAC;AACvC,YAAQ;AAGR,WAAO,OAAO,SAAS,MAAM;AAC3B,cAAQ,SAAS;AACjB,aAAO,SAAS,MAAM,OAAQ,UAAU,IAAK;AAAA,IAC/C;AAAA,EACF;AAGA,MAAI,MAAM;AACR,WAAO,SAAS,MAAM,OAAQ,UAAW,SAAS,OAAO,IAAM;AAAA,EACjE;AAGA,MAAI,KAAK;AACP,WAAQ,IAAI,SAAS,SAAS,OAAQ,GAAG;AACvC,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;;;ACnIA,SAAS,WAAW,YAAW,kBAAgC;AAE/D,eAAsB,UAAU,KAA0B,WAAqC;AAC7F,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,SAAS,MAAM,UAAU,KAAwC,SAAS;AAChF,QAAI,kBAAkB,YAAY;AAChC,YAAM,IAAI,MAAM,8CAA8C;AAAA,IAChE;AACA,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,IAAI,KAAK;AAE3B,MAAI,UAAU,SAAS,6BAA6B,GAAG;AACrD,WAAO,MAAM,WAAW,WAAW,SAAS;AAAA,EAC9C;AAEA,MAAI,UAAU,SAAS,4BAA4B,GAAG;AACpD,WAAO,MAAM,WAAW,WAAW,SAAS;AAAA,EAC9C;AAEA,MAAI;AACF,WAAO,MAAM,WAAW,WAAW,SAAS;AAAA,EAC9C,SAAS,OAAO;AACd,UAAM,IAAI;AAAA,MACR,uHAAuH,KAAK;AAAA,IAC9H;AAAA,EACF;AACF;;;AC5BA,IAAM,YAAoC;AAAA,EACxC,OAAO;AAAA,EACP,OAAO;AAAA,EACP,OAAO;AACT;AASO,IAAM,OAAO,OAAO,KAAK,SAAS;;;ACGlC,IAAM,kBAAkB,CAAC,QAAkB;AAChD,MAAI,OAAO,QAAQ,aAAa;AAC9B;AAAA,EACF;AAEA,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,mBAAmB,KAAK,UAAU,GAAG,CAAC;AAAA,IACjD,CAAC;AAAA,EACH;AACF;AAWO,IAAM,iBAAiB,CAAC,QAAiB;AAC9C,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,kEAAkE,KAAK,UAAU,GAAG,CAAC;AAAA,IAChG,CAAC;AAAA,EACH;AACF;AAEO,IAAM,wBAAwB,CAAC,KAAyB,kBAA0B;AACvF,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,uCAAuC,KAAK,UAAU,GAAG,CAAC;AAAA,IACrE,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,IAAI,KAAK,KAAK,IAAI,CAAC;AACvC,QAAM,aAAa,oBAAI,KAAK,CAAC;AAC7B,aAAW,cAAc,GAAG;AAE5B,QAAM,UAAU,WAAW,QAAQ,KAAK,YAAY,QAAQ,IAAI;AAChE,MAAI,SAAS;AACX,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,gCAAgC,WAAW,YAAY,CAAC,mBAAmB,YAAY,YAAY,CAAC;AAAA,IAC/G,CAAC;AAAA,EACH;AACF;AAEO,IAAM,sBAAsB,CAAC,KAAyB,kBAA0B;AACrF,MAAI,OAAO,QAAQ,aAAa;AAC9B;AAAA,EACF;AAEA,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,0CAA0C,KAAK,UAAU,GAAG,CAAC;AAAA,IACxE,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,IAAI,KAAK,KAAK,IAAI,CAAC;AACvC,QAAM,eAAe,oBAAI,KAAK,CAAC;AAC/B,eAAa,cAAc,GAAG;AAE9B,QAAM,aAAa,aAAa,QAAQ,IAAI,YAAY,QAAQ,IAAI;AACpE,MAAI,YAAY;AACd,UAAM,IAAI,uBAAuB;AAAA,MAC/B,QAAQ,6BAA6B;AAAA,MACrC,SAAS,oEAAoE,aAAa,YAAY,CAAC,mBAAmB,YAAY,YAAY,CAAC;AAAA,IACrJ,CAAC;AAAA,EACH;AACF;;;ANvEA,IAAM,2BAA2B,IAAI;AAQrC,eAAsB,gBACpB,KACA,KAC2C;AAC3C,QAAM,EAAE,QAAQ,IAAI,IAAI;AACxB,QAAM,gBAAgB,OAAO,OAAO;AAEpC,MAAI;AACF,UAAM,YAAY,MAAM,UAAU,KAAK,aAAa;AAEpD,UAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,IAAI,MAAM,SAAS;AAEvD,WAAO,EAAE,MAAM,QAAQ;AAAA,EACzB,SAAS,OAAO;AACd,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAU,MAAgB;AAAA,QAC5B,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AACF;AAEO,SAAS,cAAc,OAA2D;AACvF,MAAI;AACF,UAAM,SAAS,sBAAsB,KAAK;AAC1C,UAAM,UAAU,UAAU,KAAK;AAE/B,UAAM,cAAc,SAAS,IAAI,SAAS,EAAE,MAAM,GAAG;AACrD,QAAI,WAAW,WAAW,GAAG;AAC3B,aAAO;AAAA,QACL,QAAQ;AAAA,UACN,IAAI,uBAAuB;AAAA,YACzB,QAAQ,6BAA6B;AAAA,YACrC,SAAS;AAAA,UACX,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAEA,UAAM,CAAC,WAAW,YAAY,YAAY,IAAI;AAC9C,UAAM,YAAY,UAAU,MAAM,cAAc,EAAE,OAAO,KAAK,CAAC;AAE/D,UAAM,OAAO;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,MACA,KAAK;AAAA,QACH,QAAQ;AAAA,QACR,SAAS;AAAA,QACT,WAAW;AAAA,QACX,MAAM;AAAA,MACR;AAAA,IACF;AAEA,WAAO,EAAE,KAAK;AAAA,EAChB,SAAS,OAAO;AACd,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAS,GAAI,MAAgB,WAAW,8CAA8C,mBAAmB,OAAO,MAAM,qBAAqB,OAAO,UAAU,GAAG,EAAE,CAAC;AAAA,QACpK,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AACF;AAEA,eAAsB,UACpB,OACA,SACgE;AAChE,QAAM,EAAE,IAAI,IAAI;AAChB,QAAM,YAAY,QAAQ,iBAAiB;AAE3C,QAAM,EAAE,MAAM,SAAS,OAAO,IAAI,cAAc,KAAK;AACrD,MAAI,QAAQ;AACV,WAAO,EAAE,OAAO;AAAA,EAClB;AAEA,QAAM,EAAE,QAAQ,QAAQ,IAAI;AAE5B,MAAI;AACF,oBAAgB,OAAO,GAAG;AAC1B,mBAAe,QAAQ,GAAG;AAC1B,0BAAsB,QAAQ,KAAK,SAAS;AAC5C,wBAAoB,QAAQ,KAAK,SAAS;AAAA,EAC5C,SAAS,OAAO;AACd,WAAO,EAAE,QAAQ,CAAC,KAA+B,EAAE;AAAA,EACrD;AAEA,QAAM,EAAE,MAAM,iBAAiB,QAAQ,gBAAgB,IAAI,MAAM,gBAAgB,SAAS,GAAG;AAC7F,MAAI,iBAAiB;AACnB,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,QAAM,iBAAiB,8BAA8B,eAAe;AAEpE,SAAO,EAAE,MAAM,eAAe;AAChC;AAMA,eAAsB,wBACpB,KACA,cAC2C;AAC3C,QAAM,EAAE,QAAQ,IAAI,IAAI;AACxB,QAAM,gBAAgB,OAAO,OAAO;AAEpC,MAAI;AACF,UAAM,MAAM,MAAM,aAAa;AAE/B,UAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,IAAI,MAAM,GAAG;AAEjD,WAAO,EAAE,MAAM,QAAQ;AAAA,EACzB,SAAS,OAAO;AACd,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAU,MAAgB;AAAA,QAC5B,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AACF;AAGA,eAAsB,kBACpB,OACA,SACsE;AACtE,QAAM,EAAE,KAAK,aAAa,IAAI;AAC9B,QAAM,YAAY,QAAQ,iBAAiB;AAE3C,QAAM,EAAE,MAAM,SAAS,OAAO,IAAI,cAAc,KAAK;AACrD,MAAI,QAAQ;AACV,WAAO,EAAE,OAAO;AAAA,EAClB;AAEA,QAAM,EAAE,QAAQ,QAAQ,IAAI;AAE5B,MAAI;AACF,oBAAgB,OAAO,GAAG;AAC1B,mBAAe,QAAQ,GAAG;AAC1B,0BAAsB,QAAQ,KAAK,SAAS;AAC5C,wBAAoB,QAAQ,KAAK,SAAS;AAAA,EAC5C,SAAS,OAAO;AACd,WAAO,EAAE,QAAQ,CAAC,KAA+B,EAAE;AAAA,EACrD;AAEA,QAAM,EAAE,MAAM,iBAAiB,QAAQ,gBAAgB,IAAI,MAAM;AAAA,IAC/D;AAAA,IACA;AAAA,EACF;AACA,MAAI,iBAAiB;AACnB,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,uBAAuB;AAAA,UACzB,QAAQ,6BAA6B;AAAA,UACrC,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,QAAM,uBAAuB,oCAAoC,eAAe;AAEhF,SAAO,EAAE,MAAM,qBAAqB;AACtC;;;AO7MA,SAAS,oBAAoB,aAAAA,YAAU,aAAAC,kBAAiB;AAMxD,IAAM,wBACJ;AACF,IAAM,4BACJ;AAKF,IAAI,cAA4D;AAChE,IAAI,cAA4D;AAEhE,IAAM,iBAAiB,MAAM;AAC3B,MAAI,CAAC,aAAa;AAChB,kBAAc,mBAAmB,IAAI,IAAI,qBAAqB,GAAG;AAAA,MAC/D,aAAa;AAAA;AAAA,MACb,iBAAiB;AAAA;AAAA,MACjB,kBAAkB;AAAA;AAAA,IACpB,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAEA,IAAM,iBAAiB,MAAM;AAC3B,MAAI,CAAC,aAAa;AAChB,kBAAc,mBAAmB,IAAI,IAAI,yBAAyB,GAAG;AAAA,MACnE,aAAa;AAAA;AAAA,MACb,iBAAiB;AAAA;AAAA,MACjB,kBAAkB;AAAA;AAAA,IACpB,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAIA,eAAsB,YACpB,OACA,kBAAkB,OACe;AACjC,MAAI;AACF,UAAM,YAAY,QAAQ,IAAI;AAC9B,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,uCAAuC;AAAA,IACzD;AAEA,UAAM,EAAE,QAAQ,IAAID,WAAU,KAAK;AACnC,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,sBAAsB;AAAA,IACxC;AAEA,QAAI,UAAU;AACd,QAAI,YAA0B;AAE9B,WAAO,UAAU,GAAG;AAClB,UAAI;AAEF,cAAM,OAAO,kBAAkB,eAAe,IAAI,eAAe;AAEjE,cAAM,EAAE,QAAQ,IAAI,MAAMC,WAAU,OAAO,MAAM;AAAA,UAC/C,QAAQ,kBACJ,yCAAyC,YACzC,oCAAoC;AAAA,UACxC,UAAU;AAAA,UACV,YAAY,CAAC,OAAO;AAAA,QACtB,CAAC;AAED,cAAM,kBAAkB;AACxB,cAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAGxC,YAAI,gBAAgB,OAAO,KAAK;AAC9B,gBAAM,IAAI,MAAM,mBAAmB;AAAA,QACrC;AAEA,YAAI,gBAAgB,MAAM,KAAK;AAC7B,gBAAM,IAAI,MAAM,oCAAoC;AAAA,QACtD;AAEA,YAAI,CAAC,gBAAgB,KAAK;AACxB,gBAAM,IAAI,MAAM,wBAAwB;AAAA,QAC1C;AAEA,YAAI,gBAAgB,YAAY,KAAK;AACnC,gBAAM,IAAI,MAAM,kCAAkC;AAAA,QACpD;AAEA,eAAO;AAAA,UACL,OAAO;AAAA,UACP,KAAK,gBAAgB;AAAA,UACrB,KAAK,gBAAgB;AAAA,UACrB,OAAO,gBAAgB;AAAA,UACvB,gBAAgB,gBAAgB;AAAA,UAChC,WAAW,gBAAgB;AAAA,UAC3B,KAAK,gBAAgB;AAAA,UACrB,KAAK,gBAAgB;AAAA,UACrB,KAAK,gBAAgB;AAAA,UACrB,KAAK,gBAAgB;AAAA,UACrB,UAAU,gBAAgB;AAAA,UAC1B,cAAc,gBAAgB;AAAA,UAC9B,SAAS,gBAAgB;AAAA,QAC3B;AAAA,MACF,SAAS,OAAO;AACd,oBAAY;AACZ,YAAI,iBAAiB,SAAS,MAAM,SAAS,qBAAqB;AAChE,kBAAQ,KAAK,sBAAsB,IAAI,OAAO,KAAK,MAAM,OAAO;AAChE;AACA,cAAI,UAAU,GAAG;AACf,kBAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,GAAI,CAAC;AACxD;AAAA,UACF;AAAA,QACF;AACA,cAAM;AAAA,MACR;AAAA,IACF;AAEA,UAAM,aAAa,IAAI,MAAM,sCAAsC;AAAA,EACrE,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B;AAAA,MAC3C,OACE,iBAAiB,QACb;AAAA,QACE,MAAM,MAAM;AAAA,QACZ,SAAS,MAAM;AAAA,QACf,OAAO,MAAM;AAAA,MACf,IACA;AAAA,MACN,SAASD,WAAU,KAAK;AAAA,MACxB;AAAA,IACF,CAAC;AAED,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,QACL,SAAS;AAAA,QACT,SAAS,iBAAiB,QAAQ,MAAM,UAAU;AAAA,QAClD,MAAM;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACF;;;ACpJA,SAAS,aAAa,eAAe;AAS9B,IAAM,mBAAN,cAA+B,MAAM;AAAA,EAC1C,YACE,SACO,MACP;AACA,UAAM,OAAO;AAFN;AAGP,SAAK,OAAO;AAAA,EACd;AACF;AAEA,IAAM,kBAAkB;AAAA,EACtB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,eAAe,qBACb,KACA,iBACkD;AAClD,MAAI;AACF,UAAM,aAAa,QAAQ,IAAI;AAC/B,UAAM,cAAc,QAAQ,IAAI;AAEhC,QAAI,CAAC,cAAc,CAAC,aAAa;AAC/B,aAAO;AAAA,QACL,QAAQ;AAAA,UACN,IAAI;AAAA,YACF;AAAA,YACA;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,OAAO,OAAO,QAAQ,UAAU;AACnC,aAAO;AAAA,QACL,QAAQ,CAAC,IAAI,iBAAiB,kCAAkC,aAAa,CAAC;AAAA,MAChF;AAAA,IACF;AAEA,QAAI,IAAI,SAAS,KAAK;AACpB,aAAO;AAAA,QACL,QAAQ,CAAC,IAAI,iBAAiB,sCAAsC,cAAc,CAAC;AAAA,MACrF;AAAA,IACF;AAEA,QAAI,iBAAiB;AACnB,iBAAW,SAAS,OAAO,KAAK,eAAe,GAAG;AAChD,YAAI,gBAAgB,SAAS,KAAK,GAAG;AACnC,iBAAO;AAAA,YACL,QAAQ,CAAC,IAAI,iBAAiB,iBAAiB,KAAK,iBAAiB,gBAAgB,CAAC;AAAA,UACxF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,UAAM,YAAY;AAClB,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAExC,UAAM,mBAAmB,MAAM,YAAY,WAAW,QAAQ,QAAQ,IAAI,GAAG,OAAO;AAEpF,UAAM,UAAsB;AAAA,MAC1B,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK,MAAM;AAAA,MACX;AAAA,MACA,GAAG;AAAA,IACL;AAEA,UAAM,MAAM,MAAM,IAAI,QAAQ,OAAO,EAClC,mBAAmB,EAAE,KAAK,SAAS,KAAK,MAAM,CAAC,EAC/C,YAAY,GAAG,EACf,kBAAkB,MAAM,SAAS,EACjC,UAAU,WAAW,EACrB,WAAW,WAAW,EACtB;AAAA,MACC;AAAA,IACF,EACC,KAAK,gBAAgB;AAExB,WAAO;AAAA,MACL,MAAM;AAAA,IACR;AAAA,EACF,SAAS,OAAO;AACd,UAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,WAAO;AAAA,MACL,QAAQ;AAAA,QACN,IAAI,iBAAiB,kCAAkC,OAAO,IAAI,uBAAuB;AAAA,MAC3F;AAAA,IACF;AAAA,EACF;AACF;AAEA,eAAsB,kBACpB,KACA,iBACiB;AACjB,QAAM,EAAE,MAAM,OAAO,IAAI,MAAM,qBAAqB,KAAK,eAAe;AAExE,MAAI,QAAQ;AACV,UAAM,OAAO,CAAC;AAAA,EAChB;AAEA,SAAO;AACT;AAEO,SAAS,4BACd,KACA,iBACkD;AAClD,SAAO,qBAAqB,KAAK,eAAe;AAClD;;;ACxIA,SAAS,aAAAE,YAAU,eAAAC,cAAa,WAAAC,gBAAiB;;;ACFjD,eAAe,sBAAsB,UAAqC;AACtE,QAAM,OAAO,MAAM,SAAS,KAAK;AAEjC,MAAI,CAAC,MAAM;AACP,WAAO;AAAA,EACX;AAEA,MAAI,SACA,OAAO,KAAK,UAAU,WAChB,KAAK,QACJ,KAAK,OAAO,WAAW;AAElC,MAAI,KAAK,mBAAmB;AACxB,cAAU,OAAO,KAAK,oBAAoB;AAAA,EAC9C;AAEA,SAAO;AACX;AAEA,eAAsB,UAAU,KAAa,MAAmB;AAC9D,UAAQ,MAAM,SAAS,KAAK,IAAI,GAAG,KAAK;AAC1C;AAEA,eAAsB,UAAU,KAAa,MAAmB;AAC5D,UAAQ,MAAM,SAAS,KAAK,IAAI,GAAG,KAAK;AAC5C;AAEA,eAAsB,SAAS,KAAa,MAAmB;AAC3D,QAAM,WAAW,MAAM,MAAM,KAAK,IAAI;AAEtC,MAAI,CAAC,SAAS,IAAI;AACd,UAAM,IAAI,MAAM,MAAM,sBAAsB,QAAQ,CAAC;AAAA,EACzD;AAEA,SAAO;AACX;;;ACrBO,IAAM,kBAAkB;;;AFO/B,eAAe,YAAY,MAAoC;AAC7D,QAAM,EAAE,SAAS,YAAY,MAAM,IAAI;AACvC,MAAI;AAEJ,MAAI;AACF,UAAM,MAAMC,aAAY,YAAY,eAAe;AAAA,EACrD,SAAS,OAAO;AACd,UAAM,IAAI,uBAAuB;AAAA,MAC/B,SAAS,iCAAkC,MAAgB,OAAO;AAAA,MAClE,QAAQ,6BAA6B;AAAA,IACvC,CAAC;AAAA,EACH;AAEA,SAAO,IAAIC,SAAQ,OAAO,EACvB,mBAAmB,EAAE,KAAK,iBAAiB,KAAK,MAAM,CAAC,EACvD,KAAK,GAAG;AACb;AAUA,SAAS,aAAa,OAAe;AACnC,SAAO,MAAM,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,EAAE;AACxE;AAEA,SAAS,cAAc,SAAsD;AAC3E,QAAM,QAAQ,KAAK,UAAU,OAAO;AAEpC,SAAO,aAAaC,WAAU,OAAO,KAAK,CAAC;AAC7C;AAGA,eAAe,aAAa;AAAA,EAC1B;AAAA,EACA;AAAA,EACA;AACF,GAAqC;AACnC,QAAM,MAAM,uEAAuE,gBAAgB;AACnG,QAAM,SAAS;AAAA,IACb,KAAK;AAAA,IACL,KAAK;AAAA,EACP;AACA,QAAM,QAAQ,GAAG,cAAc,MAAM,CAAC,IAAI,cAAc,OAAO,CAAC;AAChE,QAAM,UAAuB;AAAA,IAC3B,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,eAAe,UAAU,WAAW;AAAA,IACtC;AAAA,IACA,MAAM,KAAK,UAAU,EAAC,SAASA,WAAU,OAAO,KAAK,EAAC,CAAC;AAAA,EACzD;AACA,QAAM,WAAW,MAAM,SAAS,KAAK,OAAO;AAC5C,QAAM,OAAO,MAAM,SAAS,KAAK;AACjC,QAAM,MAAM,MAAM,KAAK,KAAK;AAC5B,QAAM,EAAC,WAAU,IAAI,KAAK,MAAM,GAAG;AAEnC,SAAO,GAAG,KAAK,IAAI,aAAa,UAAU,CAAC;AAC7C;;;AG1EA,IAAM,uBAAN,MAAmD;AAAA,EAE/C,YACqB,YACT,UACV;AAFmB;AACT;AAAA,EACR;AAAA,EAEJ,MAAa,eAAgC;AACzC,WAAO,QAAQ,QAAQ,KAAK,WAAW,WAAW;AAAA,EACtD;AAAA,EAEA,MAAa,KAAK,SAAsC;AACpD,QAAI,KAAK,UAAU;AACf,cAAQ,YAAY,KAAK;AAAA,IAC7B;AAEA,WAAO,YAAY,EAAE,SAAS,YAAY,KAAK,WAAW,WAAW,CAAC;AAAA,EAC1E;AACJ;AAEA,IAAM,YAAN,MAAwC;AAAA,EACpC,YAAY;AAAA,EAEJ;AAAA,EACA;AAAA,EACA;AAAA,EAER,YACI,YACA,UACA,kBACF;AACE,SAAK,aAAa;AAClB,SAAK,WAAW;AAChB,SAAK,mBAAmB;AAAA,EAC5B;AAAA,EAEA,MAAa,KAAK,SAAsC;AACpD,QAAI,KAAK,UAAU;AACf,cAAQ,YAAY,KAAK;AAAA,IAC7B;AAEA,UAAM,iBAAiB,MAAM,KAAK,aAAa;AAC/C,UAAM,cAAc,MAAM,KAAK,WAAW,eAAe;AAEzD,WAAO,aAAa;AAAA,MAChB,aAAa,YAAY;AAAA,MACzB,kBAAkB;AAAA,MAClB;AAAA,IACJ,CAAC;AAAA,EACL;AAAA,EAEA,MAAa,eAAgC;AACzC,QAAI,KAAK,kBAAkB;AACvB,aAAO,KAAK;AAAA,IAChB;AAEA,UAAM,QAAQ,MAAM,KAAK,WAAW,eAAe;AACnD,UAAM,MACF;AACJ,UAAM,UAAuB;AAAA,MACzB,QAAQ;AAAA,MACR,SAAS;AAAA,QACL,mBAAmB;AAAA,QACnB,eAAe,UAAU,MAAM,WAAW;AAAA,MAC9C;AAAA,IACJ;AAEA,WAAQ,KAAK,mBAAmB,MAAM,UAAU,KAAK,OAAO;AAAA,EAChE;AACJ;;;AC3EO,IAAMC,iBAAgB,eAAe,aAAc;","names":["decodeJwt","jwtVerify","base64url","importPKCS8","SignJWT","importPKCS8","SignJWT","base64url","ternDecodeJwt"]}