@tern-secure/nextjs 5.1.8 → 5.1.9

package/dist/cjs/errors.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/errors.ts"],"sourcesContent":["import { SignInResponse } from \"@tern-secure/types\"\r\n\r\nexport type ErrorCode = keyof typeof ERRORS\r\n\r\nexport interface AuthErrorResponse {\r\n  success: false\r\n  message: string\r\n  code: ErrorCode\r\n}\r\n\r\nexport const ERRORS = {\r\n  SERVER_SIDE_INITIALIZATION: \"TernSecure must be initialized on the client side\",\r\n  REQUIRES_VERIFICATION: \"AUTH_REQUIRES_VERIFICATION\",\r\n  AUTHENTICATED: \"AUTHENTICATED\",\r\n  UNAUTHENTICATED: \"UNAUTHENTICATED\",\r\n  UNVERIFIED: \"UNVERIFIED\",\r\n  NOT_INITIALIZED: \"TernSecure services are not initialized. Call initializeTernSecure() first\",\r\n  HOOK_CONTEXT: \"Hook must be used within TernSecureProvider\",\r\n  EMAIL_NOT_VERIFIED: \"EMAIL_NOT_VERIFIED\",\r\n  INVALID_CREDENTIALS: \"INVALID_CREDENTIALS\",\r\n  USER_DISABLED: \"USER_DISABLED\",\r\n  TOO_MANY_ATTEMPTS: \"TOO_MANY_ATTEMPTS\",\r\n  NETWORK_ERROR: \"NETWORK_ERROR\",\r\n  INVALID_EMAIL: \"INVALID_EMAIL\",\r\n  WEAK_PASSWORD: \"WEAK_PASSWORD\",\r\n  EMAIL_EXISTS: \"EMAIL_EXISTS\",\r\n  POPUP_BLOCKED: \"POPUP_BLOCKED\",\r\n  OPERATION_NOT_ALLOWED: \"OPERATION_NOT_ALLOWED\",\r\n  EXPIRED_TOKEN: \"EXPIRED_TOKEN\",\r\n  INVALID_TOKEN: \"INVALID_TOKEN\",\r\n  SESSION_EXPIRED: \"SESSION_EXPIRED\",\r\n  INTERNAL_ERROR: \"INTERNAL_ERROR\",\r\n} as const\r\n\r\n// Firebase Auth Error Code patterns\r\nconst ERROR_PATTERNS = {\r\n  INVALID_EMAIL: /auth.*invalid.*email|invalid.*email.*auth|Firebase:.*Error.*auth\\/invalid-email/i,\r\n  INVALID_CREDENTIALS:\r\n    /auth.*invalid.*credential|invalid.*password|wrong.*password|Firebase:.*Error.*auth\\/(invalid-credential|wrong-password|user-not-found)/i,\r\n  USER_DISABLED: /user.*disabled|disabled.*user|Firebase:.*Error.*auth\\/user-disabled/i,\r\n  TOO_MANY_ATTEMPTS: /too.*many.*attempts|too.*many.*requests|Firebase:.*Error.*auth\\/too-many-requests/i,\r\n  NETWORK_ERROR: /network.*request.*failed|failed.*network|Firebase:.*Error.*auth\\/network-request-failed/i,\r\n  OPERATION_NOT_ALLOWED: /operation.*not.*allowed|method.*not.*allowed|Firebase:.*Error.*auth\\/operation-not-allowed/i,\r\n  POPUP_BLOCKED: /popup.*blocked|blocked.*popup|Firebase:.*Error.*auth\\/popup-blocked/i,\r\n  EMAIL_EXISTS: /email.*exists|email.*already.*use|Firebase:.*Error.*auth\\/email-already-in-use/i,\r\n  EXPIRED_TOKEN: /token.*expired|expired.*token|Firebase:.*Error.*auth\\/expired-token/i,\r\n  INVALID_TOKEN: /invalid.*token|token.*invalid|Firebase:.*Error.*auth\\/invalid-token/i,\r\n  SESSION_EXPIRED: /session.*expired|expired.*session|Firebase:.*Error.*auth\\/session-expired/i,\r\n  WEAK_PASSWORD: /weak.*password|password.*weak|Firebase:.*Error.*auth\\/weak-password/i,\r\n} as const\r\n\r\nexport class TernSecureError extends Error {\r\n  code: ErrorCode\r\n\r\n  constructor(code: ErrorCode, message?: string) {\r\n    super(message || code)\r\n    this.name = \"TernSecureError\"\r\n    this.code = code\r\n  }\r\n}\r\n\r\ninterface SerializedFirebaseError {\r\n  name?: string\r\n  code?: string\r\n  message?: string\r\n  stack?: string\r\n}\r\n\r\n/**\r\n * Determines if an object matches the shape of a Firebase Error\r\n */\r\nfunction isFirebaseErrorLike(error: unknown): error is SerializedFirebaseError {\r\n  if (!error || typeof error !== \"object\") return false\r\n\r\n  const err = error as SerializedFirebaseError\r\n\r\n  // Check for bundled Firebase error format: \"Firebase: Error (auth/error-code)\"\r\n  if (typeof err.message === \"string\") {\r\n    const bundledErrorMatch = err.message.match(/Firebase:\\s*Error\\s*$$auth\\/([^)]+)$$/)\r\n    if (bundledErrorMatch) {\r\n      // Add the extracted code to the error object\r\n      err.code = `auth/${bundledErrorMatch[1]}`\r\n      return true\r\n    }\r\n  }\r\n\r\n  return (\r\n    (typeof err.code === \"string\" && err.code.startsWith(\"auth/\")) ||\r\n    (typeof err.name === \"string\" && err.name.includes(\"FirebaseError\"))\r\n  )\r\n}\r\n\r\n/**\r\n * Extracts the error code from a Firebase-like error object\r\n */\r\nfunction extractFirebaseErrorCode(error: SerializedFirebaseError): string {\r\n  // First try to extract from bundled error message format\r\n  if (typeof error.message === \"string\") {\r\n    const bundledErrorMatch = error.message.match(/Firebase:\\s*Error\\s*$$auth\\/([^)]+)$$/)\r\n    if (bundledErrorMatch) {\r\n      return bundledErrorMatch[1]\r\n    }\r\n  }\r\n\r\n  // Then try the standard code property\r\n  if (error.code) {\r\n    return error.code.replace(\"auth/\", \"\")\r\n  }\r\n\r\n  // Finally try to extract from error message if it contains an error code\r\n  if (typeof error.message === \"string\") {\r\n    const messageCodeMatch = error.message.match(/auth\\/([a-z-]+)/)\r\n    if (messageCodeMatch) {\r\n      return messageCodeMatch[1]\r\n    }\r\n  }\r\n\r\n  return \"\"\r\n}\r\n\r\n/**\r\n * Maps a Firebase error code to our internal error code\r\n */\r\nfunction mapFirebaseErrorCode(code: string): ErrorCode {\r\n  // Direct mapping for known error codes\r\n  const directMappings: Record<string, ErrorCode> = {\r\n    \"invalid-email\": \"INVALID_EMAIL\",\r\n    \"user-disabled\": \"USER_DISABLED\",\r\n    \"too-many-requests\": \"TOO_MANY_ATTEMPTS\",\r\n    \"network-request-failed\": \"NETWORK_ERROR\",\r\n    \"operation-not-allowed\": \"OPERATION_NOT_ALLOWED\",\r\n    \"popup-blocked\": \"POPUP_BLOCKED\",\r\n    \"email-already-in-use\": \"EMAIL_EXISTS\",\r\n    \"weak-password\": \"WEAK_PASSWORD\",\r\n    \"invalid-credential\": \"INVALID_CREDENTIALS\",\r\n    \"wrong-password\": \"INVALID_CREDENTIALS\",\r\n    \"user-not-found\": \"INVALID_CREDENTIALS\",\r\n    \"invalid-password\": \"INVALID_CREDENTIALS\",\r\n    \"user-token-expired\": \"EXPIRED_TOKEN\",\r\n    \"invalid-id-token\": \"INVALID_TOKEN\",\r\n  }\r\n\r\n  return directMappings[code] || \"INTERNAL_ERROR\"\r\n}\r\n\r\n/**\r\n * Determines error type based on error message pattern matching\r\n */\r\nfunction determineErrorTypeFromMessage(message: string): ErrorCode {\r\n  // First check for bundled Firebase error format\r\n  const bundledErrorMatch = message.match(/Firebase:\\s*Error\\s*$$auth\\/([^)]+)$$/)\r\n  if (bundledErrorMatch) {\r\n    const errorCode = bundledErrorMatch[1]\r\n    const mappedCode = mapFirebaseErrorCode(errorCode)\r\n    if (mappedCode) {\r\n      return mappedCode\r\n    }\r\n  }\r\n\r\n  // Then check standard patterns\r\n  for (const [errorType, pattern] of Object.entries(ERROR_PATTERNS)) {\r\n    if (pattern.test(message)) {\r\n      return errorType as ErrorCode\r\n    }\r\n  }\r\n\r\n  return \"INTERNAL_ERROR\"\r\n}\r\n\r\n/**\r\n * Creates a standardized error response\r\n */\r\nfunction createErrorResponse(code: ErrorCode, message: string): AuthErrorResponse {\r\n  const defaultMessages: Record<ErrorCode, string> = {\r\n    INVALID_EMAIL: \"Invalid email format\",\r\n    INVALID_CREDENTIALS: \"Invalid email or password\",\r\n    USER_DISABLED: \"This account has been disabled\",\r\n    TOO_MANY_ATTEMPTS: \"Too many attempts. Please try again later\",\r\n    NETWORK_ERROR: \"Network error. Please check your connection\",\r\n    OPERATION_NOT_ALLOWED: \"This login method is not enabled\",\r\n    POPUP_BLOCKED: \"Login popup was blocked. Please enable popups\",\r\n    EMAIL_EXISTS: \"This email is already in use\",\r\n    EXPIRED_TOKEN: \"Your session has expired. Please login again\",\r\n    INVALID_TOKEN: \"Invalid authentication token\",\r\n    SESSION_EXPIRED: \"Your session has expired\",\r\n    WEAK_PASSWORD: \"Password is too weak\",\r\n    EMAIL_NOT_VERIFIED: \"Email verification required\",\r\n    INTERNAL_ERROR: \"An internal error occurred. Please try again\",\r\n    SERVER_SIDE_INITIALIZATION: \"TernSecure must be initialized on the client side\",\r\n    REQUIRES_VERIFICATION: \"Email verification required\",\r\n    AUTHENTICATED: \"Already authenticated\",\r\n    UNAUTHENTICATED: \"Authentication required\",\r\n    UNVERIFIED: \"Email verification required\",\r\n    NOT_INITIALIZED: \"TernSecure services are not initialized\",\r\n    HOOK_CONTEXT: \"Hook must be used within TernSecureProvider\",\r\n  }\r\n\r\n  return {\r\n    success: false,\r\n    message: message || defaultMessages[code],\r\n    code,\r\n  }\r\n}\r\n\r\n/**\r\n * Handles Firebase authentication errors with multiple fallback mechanisms\r\n */\r\nexport function handleFirebaseAuthError(error: unknown): AuthErrorResponse {\r\n  // Helper to extract clean error code from bundled format\r\n  function extractErrorInfo(input: unknown): { code: string; message: string } | null {\r\n    // Case 1: String input (direct Firebase error message)\r\n    if (typeof input === 'string') {\r\n      const match = input.match(/Firebase:\\s*Error\\s*\\(auth\\/([^)]+)\\)/);\r\n      if (match) {\r\n        return { code: match[1], message: input };\r\n      }\r\n    }\r\n\r\n    // Case 2: Error object\r\n    if (input && typeof input === 'object') {\r\n      const err = input as { code?: string; message?: string };\r\n      \r\n      // Check for bundled message format first\r\n      if (err.message) {\r\n        const match = err.message.match(/Firebase:\\s*Error\\s*\\(auth\\/([^)]+)\\)/);\r\n        if (match) {\r\n          return { code: match[1], message: err.message };\r\n        }\r\n      }\r\n\r\n      // Check for direct code\r\n      if (err.code) {\r\n        return {\r\n          code: err.code.replace('auth/', ''),\r\n          message: err.message || ''\r\n        };\r\n      }\r\n    }\r\n\r\n    return null;\r\n  }\r\n\r\n  // Map error codes to user-friendly messages\r\n  const ERROR_MESSAGES: Record<string, { message: string; code: ErrorCode }> = {\r\n    'invalid-email': { message: 'Invalid email format', code: 'INVALID_EMAIL' },\r\n    'invalid-credential': { message: 'Invalid email or password', code: 'INVALID_CREDENTIALS' },\r\n    'invalid-login-credentials': { message: 'Invalid email or password', code: 'INVALID_CREDENTIALS' },\r\n    'wrong-password': { message: 'Invalid email or password', code: 'INVALID_CREDENTIALS' },\r\n    'user-not-found': { message: 'Invalid email or password', code: 'INVALID_CREDENTIALS' },\r\n    'user-disabled': { message: 'This account has been disabled', code: 'USER_DISABLED' },\r\n    'too-many-requests': { message: 'Too many attempts. Please try again later', code: 'TOO_MANY_ATTEMPTS' },\r\n    'network-request-failed': { message: 'Network error. Please check your connection', code: 'NETWORK_ERROR' },\r\n    'email-already-in-use': { message: 'This email is already in use', code: 'EMAIL_EXISTS' },\r\n    'weak-password': { message: 'Password is too weak', code: 'WEAK_PASSWORD' },\r\n    'operation-not-allowed': { message: 'This login method is not enabled', code: 'OPERATION_NOT_ALLOWED' },\r\n    'popup-blocked': { message: 'Login popup was blocked. Please enable popups', code: 'POPUP_BLOCKED' },\r\n    'expired-action-code': { message: 'Your session has expired. Please login again', code: 'EXPIRED_TOKEN' },\r\n    'user-token-expired': { message: 'Your session has expired. Please login again', code: 'EXPIRED_TOKEN' }\r\n  };\r\n\r\n  try {\r\n    // Extract error information\r\n    const errorInfo = extractErrorInfo(error);\r\n    \r\n    if (errorInfo) {\r\n      const mappedError = ERROR_MESSAGES[errorInfo.code];\r\n      if (mappedError) {\r\n        return {\r\n          success: false,\r\n          message: mappedError.message,\r\n          code: mappedError.code\r\n        };\r\n      }\r\n    }\r\n\r\n    // If we couldn't extract or map the error, try one last time with string conversion\r\n    const errorString = String(error);\r\n    const lastMatch = errorString.match(/Firebase:\\s*Error\\s*\\(auth\\/([^)]+)\\)/);\r\n    if (lastMatch && ERROR_MESSAGES[lastMatch[1]]) {\r\n      return {\r\n        success: false,\r\n        ...ERROR_MESSAGES[lastMatch[1]]\r\n      };\r\n    }\r\n\r\n  } catch (e) {\r\n    // Silent catch - we'll return the default error\r\n  }\r\n\r\n  // Default fallback\r\n  return {\r\n    success: false,\r\n    message: 'An unexpected error occurred. Please try again later',\r\n    code: 'INTERNAL_ERROR'\r\n  };\r\n}\r\n\r\n/**\r\n * Type guard to check if a response is an AuthErrorResponse\r\n */\r\nexport function isAuthErrorResponse(response: unknown): response is AuthErrorResponse {\r\n  return (\r\n    typeof response === \"object\" &&\r\n    response !== null &&\r\n    \"success\" in response &&\r\n    (response as { success: boolean }).success === false &&\r\n    \"code\" in response &&\r\n    \"message\" in response\r\n  )\r\n}\r\n\r\n\r\n\r\nexport function getErrorAlertVariant(error: SignInResponse | undefined) {\r\n if (!error) return \"destructive\"\r\n\r\n  switch (error.error) {\r\n    case \"AUTHENTICATED\":\r\n      return \"default\"\r\n    case \"EMAIL_EXISTS\":\r\n    case \"UNAUTHENTICATED\":\r\n    case \"UNVERIFIED\":\r\n    case \"REQUIRES_VERIFICATION\":\r\n    case \"INVALID_EMAIL\":\r\n    case \"INVALID_TOKEN\":\r\n    case \"INTERNAL_ERROR\":\r\n    case \"USER_DISABLED\":\r\n    case \"TOO_MANY_ATTEMPTS\":\r\n    case \"NETWORK_ERROR\":\r\n    case \"SESSION_EXPIRED\":\r\n    case \"EXPIRED_TOKEN\":\r\n    case \"INVALID_CREDENTIALS\":\r\n    default:\r\n      return \"destructive\"\r\n  }\r\n}"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAUO,MAAM,SAAS;AAAA,EACpB,4BAA4B;AAAA,EAC5B,uBAAuB;AAAA,EACvB,eAAe;AAAA,EACf,iBAAiB;AAAA,EACjB,YAAY;AAAA,EACZ,iBAAiB;AAAA,EACjB,cAAc;AAAA,EACd,oBAAoB;AAAA,EACpB,qBAAqB;AAAA,EACrB,eAAe;AAAA,EACf,mBAAmB;AAAA,EACnB,eAAe;AAAA,EACf,eAAe;AAAA,EACf,eAAe;AAAA,EACf,cAAc;AAAA,EACd,eAAe;AAAA,EACf,uBAAuB;AAAA,EACvB,eAAe;AAAA,EACf,eAAe;AAAA,EACf,iBAAiB;AAAA,EACjB,gBAAgB;AAClB;AAGA,MAAM,iBAAiB;AAAA,EACrB,eAAe;AAAA,EACf,qBACE;AAAA,EACF,eAAe;AAAA,EACf,mBAAmB;AAAA,EACnB,eAAe;AAAA,EACf,uBAAuB;AAAA,EACvB,eAAe;AAAA,EACf,cAAc;AAAA,EACd,eAAe;AAAA,EACf,eAAe;AAAA,EACf,iBAAiB;AAAA,EACjB,eAAe;AACjB;AAEO,MAAM,wBAAwB,MAAM;AAAA,EACzC;AAAA,EAEA,YAAY,MAAiB,SAAkB;AAC7C,UAAM,WAAW,IAAI;AACrB,SAAK,OAAO;AACZ,SAAK,OAAO;AAAA,EACd;AACF;AAYA,SAAS,oBAAoB,OAAkD;AAC7E,MAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO;AAEhD,QAAM,MAAM;AAGZ,MAAI,OAAO,IAAI,YAAY,UAAU;AACnC,UAAM,oBAAoB,IAAI,QAAQ,MAAM,uCAAuC;AACnF,QAAI,mBAAmB;AAErB,UAAI,OAAO,QAAQ,kBAAkB,CAAC,CAAC;AACvC,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SACG,OAAO,IAAI,SAAS,YAAY,IAAI,KAAK,WAAW,OAAO,KAC3D,OAAO,IAAI,SAAS,YAAY,IAAI,KAAK,SAAS,eAAe;AAEtE;AAKA,SAAS,yBAAyB,OAAwC;AAExE,MAAI,OAAO,MAAM,YAAY,UAAU;AACrC,UAAM,oBAAoB,MAAM,QAAQ,MAAM,uCAAuC;AACrF,QAAI,mBAAmB;AACrB,aAAO,kBAAkB,CAAC;AAAA,IAC5B;AAAA,EACF;AAGA,MAAI,MAAM,MAAM;AACd,WAAO,MAAM,KAAK,QAAQ,SAAS,EAAE;AAAA,EACvC;AAGA,MAAI,OAAO,MAAM,YAAY,UAAU;AACrC,UAAM,mBAAmB,MAAM,QAAQ,MAAM,iBAAiB;AAC9D,QAAI,kBAAkB;AACpB,aAAO,iBAAiB,CAAC;AAAA,IAC3B;AAAA,EACF;AAEA,SAAO;AACT;AAKA,SAAS,qBAAqB,MAAyB;AAErD,QAAM,iBAA4C;AAAA,IAChD,iBAAiB;AAAA,IACjB,iBAAiB;AAAA,IACjB,qBAAqB;AAAA,IACrB,0BAA0B;AAAA,IAC1B,yBAAyB;AAAA,IACzB,iBAAiB;AAAA,IACjB,wBAAwB;AAAA,IACxB,iBAAiB;AAAA,IACjB,sBAAsB;AAAA,IACtB,kBAAkB;AAAA,IAClB,kBAAkB;AAAA,IAClB,oBAAoB;AAAA,IACpB,sBAAsB;AAAA,IACtB,oBAAoB;AAAA,EACtB;AAEA,SAAO,eAAe,IAAI,KAAK;AACjC;AAKA,SAAS,8BAA8B,SAA4B;AAEjE,QAAM,oBAAoB,QAAQ,MAAM,uCAAuC;AAC/E,MAAI,mBAAmB;AACrB,UAAM,YAAY,kBAAkB,CAAC;AACrC,UAAM,aAAa,qBAAqB,SAAS;AACjD,QAAI,YAAY;AACd,aAAO;AAAA,IACT;AAAA,EACF;AAGA,aAAW,CAAC,WAAW,OAAO,KAAK,OAAO,QAAQ,cAAc,GAAG;AACjE,QAAI,QAAQ,KAAK,OAAO,GAAG;AACzB,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAKA,SAAS,oBAAoB,MAAiB,SAAoC;AAChF,QAAM,kBAA6C;AAAA,IACjD,eAAe;AAAA,IACf,qBAAqB;AAAA,IACrB,eAAe;AAAA,IACf,mBAAmB;AAAA,IACnB,eAAe;AAAA,IACf,uBAAuB;AAAA,IACvB,eAAe;AAAA,IACf,cAAc;AAAA,IACd,eAAe;AAAA,IACf,eAAe;AAAA,IACf,iBAAiB;AAAA,IACjB,eAAe;AAAA,IACf,oBAAoB;AAAA,IACpB,gBAAgB;AAAA,IAChB,4BAA4B;AAAA,IAC5B,uBAAuB;AAAA,IACvB,eAAe;AAAA,IACf,iBAAiB;AAAA,IACjB,YAAY;AAAA,IACZ,iBAAiB;AAAA,IACjB,cAAc;AAAA,EAChB;AAEA,SAAO;AAAA,IACL,SAAS;AAAA,IACT,SAAS,WAAW,gBAAgB,IAAI;AAAA,IACxC;AAAA,EACF;AACF;AAKO,SAAS,wBAAwB,OAAmC;AAEzE,WAAS,iBAAiB,OAA0D;AAElF,QAAI,OAAO,UAAU,UAAU;AAC7B,YAAM,QAAQ,MAAM,MAAM,uCAAuC;AACjE,UAAI,OAAO;AACT,eAAO,EAAE,MAAM,MAAM,CAAC,GAAG,SAAS,MAAM;AAAA,MAC1C;AAAA,IACF;AAGA,QAAI,SAAS,OAAO,UAAU,UAAU;AACtC,YAAM,MAAM;AAGZ,UAAI,IAAI,SAAS;AACf,cAAM,QAAQ,IAAI,QAAQ,MAAM,uCAAuC;AACvE,YAAI,OAAO;AACT,iBAAO,EAAE,MAAM,MAAM,CAAC,GAAG,SAAS,IAAI,QAAQ;AAAA,QAChD;AAAA,MACF;AAGA,UAAI,IAAI,MAAM;AACZ,eAAO;AAAA,UACL,MAAM,IAAI,KAAK,QAAQ,SAAS,EAAE;AAAA,UAClC,SAAS,IAAI,WAAW;AAAA,QAC1B;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAGA,QAAM,iBAAuE;AAAA,IAC3E,iBAAiB,EAAE,SAAS,wBAAwB,MAAM,gBAAgB;AAAA,IAC1E,sBAAsB,EAAE,SAAS,6BAA6B,MAAM,sBAAsB;AAAA,IAC1F,6BAA6B,EAAE,SAAS,6BAA6B,MAAM,sBAAsB;AAAA,IACjG,kBAAkB,EAAE,SAAS,6BAA6B,MAAM,sBAAsB;AAAA,IACtF,kBAAkB,EAAE,SAAS,6BAA6B,MAAM,sBAAsB;AAAA,IACtF,iBAAiB,EAAE,SAAS,kCAAkC,MAAM,gBAAgB;AAAA,IACpF,qBAAqB,EAAE,SAAS,6CAA6C,MAAM,oBAAoB;AAAA,IACvG,0BAA0B,EAAE,SAAS,+CAA+C,MAAM,gBAAgB;AAAA,IAC1G,wBAAwB,EAAE,SAAS,gCAAgC,MAAM,eAAe;AAAA,IACxF,iBAAiB,EAAE,SAAS,wBAAwB,MAAM,gBAAgB;AAAA,IAC1E,yBAAyB,EAAE,SAAS,oCAAoC,MAAM,wBAAwB;AAAA,IACtG,iBAAiB,EAAE,SAAS,iDAAiD,MAAM,gBAAgB;AAAA,IACnG,uBAAuB,EAAE,SAAS,gDAAgD,MAAM,gBAAgB;AAAA,IACxG,sBAAsB,EAAE,SAAS,gDAAgD,MAAM,gBAAgB;AAAA,EACzG;AAEA,MAAI;AAEF,UAAM,YAAY,iBAAiB,KAAK;AAExC,QAAI,WAAW;AACb,YAAM,cAAc,eAAe,UAAU,IAAI;AACjD,UAAI,aAAa;AACf,eAAO;AAAA,UACL,SAAS;AAAA,UACT,SAAS,YAAY;AAAA,UACrB,MAAM,YAAY;AAAA,QACpB;AAAA,MACF;AAAA,IACF;AAGA,UAAM,cAAc,OAAO,KAAK;AAChC,UAAM,YAAY,YAAY,MAAM,uCAAuC;AAC3E,QAAI,aAAa,eAAe,UAAU,CAAC,CAAC,GAAG;AAC7C,aAAO;AAAA,QACL,SAAS;AAAA,QACT,GAAG,eAAe,UAAU,CAAC,CAAC;AAAA,MAChC;AAAA,IACF;AAAA,EAEF,SAAS,GAAG;AAAA,EAEZ;AAGA,SAAO;AAAA,IACL,SAAS;AAAA,IACT,SAAS;AAAA,IACT,MAAM;AAAA,EACR;AACF;AAKO,SAAS,oBAAoB,UAAkD;AACpF,SACE,OAAO,aAAa,YACpB,aAAa,QACb,aAAa,YACZ,SAAkC,YAAY,SAC/C,UAAU,YACV,aAAa;AAEjB;AAIO,SAAS,qBAAqB,OAAmC;AACvE,MAAI,CAAC,MAAO,QAAO;AAElB,UAAQ,MAAM,OAAO;AAAA,IACnB,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL;AACE,aAAO;AAAA,EACX;AACF;","names":[]}
+{"version":3,"sources":["../../src/errors.ts"],"sourcesContent":["import type { SignInResponse } from \"@tern-secure/types\"\r\n\r\nexport type ErrorCode = keyof typeof ERRORS\r\n\r\nexport interface AuthErrorResponse {\r\n  success: false\r\n  message: string\r\n  code: ErrorCode\r\n}\r\n\r\nexport const ERRORS = {\r\n  SERVER_SIDE_INITIALIZATION: \"TernSecure must be initialized on the client side\",\r\n  REQUIRES_VERIFICATION: \"AUTH_REQUIRES_VERIFICATION\",\r\n  AUTHENTICATED: \"AUTHENTICATED\",\r\n  UNAUTHENTICATED: \"UNAUTHENTICATED\",\r\n  UNVERIFIED: \"UNVERIFIED\",\r\n  NOT_INITIALIZED: \"TernSecure services are not initialized. Call initializeTernSecure() first\",\r\n  HOOK_CONTEXT: \"Hook must be used within TernSecureProvider\",\r\n  EMAIL_NOT_VERIFIED: \"EMAIL_NOT_VERIFIED\",\r\n  INVALID_CREDENTIALS: \"INVALID_CREDENTIALS\",\r\n  USER_DISABLED: \"USER_DISABLED\",\r\n  TOO_MANY_ATTEMPTS: \"TOO_MANY_ATTEMPTS\",\r\n  NETWORK_ERROR: \"NETWORK_ERROR\",\r\n  INVALID_EMAIL: \"INVALID_EMAIL\",\r\n  WEAK_PASSWORD: \"WEAK_PASSWORD\",\r\n  EMAIL_EXISTS: \"EMAIL_EXISTS\",\r\n  POPUP_BLOCKED: \"POPUP_BLOCKED\",\r\n  OPERATION_NOT_ALLOWED: \"OPERATION_NOT_ALLOWED\",\r\n  EXPIRED_TOKEN: \"EXPIRED_TOKEN\",\r\n  INVALID_TOKEN: \"INVALID_TOKEN\",\r\n  SESSION_EXPIRED: \"SESSION_EXPIRED\",\r\n  INTERNAL_ERROR: \"INTERNAL_ERROR\",\r\n} as const\r\n\r\n// Firebase Auth Error Code patterns\r\nconst ERROR_PATTERNS = {\r\n  INVALID_EMAIL: /auth.*invalid.*email|invalid.*email.*auth|Firebase:.*Error.*auth\\/invalid-email/i,\r\n  INVALID_CREDENTIALS:\r\n    /auth.*invalid.*credential|invalid.*password|wrong.*password|Firebase:.*Error.*auth\\/(invalid-credential|wrong-password|user-not-found)/i,\r\n  USER_DISABLED: /user.*disabled|disabled.*user|Firebase:.*Error.*auth\\/user-disabled/i,\r\n  TOO_MANY_ATTEMPTS: /too.*many.*attempts|too.*many.*requests|Firebase:.*Error.*auth\\/too-many-requests/i,\r\n  NETWORK_ERROR: /network.*request.*failed|failed.*network|Firebase:.*Error.*auth\\/network-request-failed/i,\r\n  OPERATION_NOT_ALLOWED: /operation.*not.*allowed|method.*not.*allowed|Firebase:.*Error.*auth\\/operation-not-allowed/i,\r\n  POPUP_BLOCKED: /popup.*blocked|blocked.*popup|Firebase:.*Error.*auth\\/popup-blocked/i,\r\n  EMAIL_EXISTS: /email.*exists|email.*already.*use|Firebase:.*Error.*auth\\/email-already-in-use/i,\r\n  EXPIRED_TOKEN: /token.*expired|expired.*token|Firebase:.*Error.*auth\\/expired-token/i,\r\n  INVALID_TOKEN: /invalid.*token|token.*invalid|Firebase:.*Error.*auth\\/invalid-token/i,\r\n  SESSION_EXPIRED: /session.*expired|expired.*session|Firebase:.*Error.*auth\\/session-expired/i,\r\n  WEAK_PASSWORD: /weak.*password|password.*weak|Firebase:.*Error.*auth\\/weak-password/i,\r\n} as const\r\n\r\nexport class TernSecureError extends Error {\r\n  code: ErrorCode\r\n\r\n  constructor(code: ErrorCode, message?: string) {\r\n    super(message || code)\r\n    this.name = \"TernSecureError\"\r\n    this.code = code\r\n  }\r\n}\r\n\r\ninterface SerializedFirebaseError {\r\n  name?: string\r\n  code?: string\r\n  message?: string\r\n  stack?: string\r\n}\r\n\r\n/**\r\n * Determines if an object matches the shape of a Firebase Error\r\n */\r\nfunction isFirebaseErrorLike(error: unknown): error is SerializedFirebaseError {\r\n  if (!error || typeof error !== \"object\") return false\r\n\r\n  const err = error as SerializedFirebaseError\r\n\r\n  // Check for bundled Firebase error format: \"Firebase: Error (auth/error-code)\"\r\n  if (typeof err.message === \"string\") {\r\n    const bundledErrorMatch = err.message.match(/Firebase:\\s*Error\\s*$$auth\\/([^)]+)$$/)\r\n    if (bundledErrorMatch) {\r\n      // Add the extracted code to the error object\r\n      err.code = `auth/${bundledErrorMatch[1]}`\r\n      return true\r\n    }\r\n  }\r\n\r\n  return (\r\n    (typeof err.code === \"string\" && err.code.startsWith(\"auth/\")) ||\r\n    (typeof err.name === \"string\" && err.name.includes(\"FirebaseError\"))\r\n  )\r\n}\r\n\r\n/**\r\n * Extracts the error code from a Firebase-like error object\r\n */\r\nfunction extractFirebaseErrorCode(error: SerializedFirebaseError): string {\r\n  // First try to extract from bundled error message format\r\n  if (typeof error.message === \"string\") {\r\n    const bundledErrorMatch = error.message.match(/Firebase:\\s*Error\\s*$$auth\\/([^)]+)$$/)\r\n    if (bundledErrorMatch) {\r\n      return bundledErrorMatch[1]\r\n    }\r\n  }\r\n\r\n  // Then try the standard code property\r\n  if (error.code) {\r\n    return error.code.replace(\"auth/\", \"\")\r\n  }\r\n\r\n  // Finally try to extract from error message if it contains an error code\r\n  if (typeof error.message === \"string\") {\r\n    const messageCodeMatch = error.message.match(/auth\\/([a-z-]+)/)\r\n    if (messageCodeMatch) {\r\n      return messageCodeMatch[1]\r\n    }\r\n  }\r\n\r\n  return \"\"\r\n}\r\n\r\n/**\r\n * Maps a Firebase error code to our internal error code\r\n */\r\nfunction mapFirebaseErrorCode(code: string): ErrorCode {\r\n  // Direct mapping for known error codes\r\n  const directMappings: Record<string, ErrorCode> = {\r\n    \"invalid-email\": \"INVALID_EMAIL\",\r\n    \"user-disabled\": \"USER_DISABLED\",\r\n    \"too-many-requests\": \"TOO_MANY_ATTEMPTS\",\r\n    \"network-request-failed\": \"NETWORK_ERROR\",\r\n    \"operation-not-allowed\": \"OPERATION_NOT_ALLOWED\",\r\n    \"popup-blocked\": \"POPUP_BLOCKED\",\r\n    \"email-already-in-use\": \"EMAIL_EXISTS\",\r\n    \"weak-password\": \"WEAK_PASSWORD\",\r\n    \"invalid-credential\": \"INVALID_CREDENTIALS\",\r\n    \"wrong-password\": \"INVALID_CREDENTIALS\",\r\n    \"user-not-found\": \"INVALID_CREDENTIALS\",\r\n    \"invalid-password\": \"INVALID_CREDENTIALS\",\r\n    \"user-token-expired\": \"EXPIRED_TOKEN\",\r\n    \"invalid-id-token\": \"INVALID_TOKEN\",\r\n  }\r\n\r\n  return directMappings[code] || \"INTERNAL_ERROR\"\r\n}\r\n\r\n/**\r\n * Determines error type based on error message pattern matching\r\n */\r\nfunction determineErrorTypeFromMessage(message: string): ErrorCode {\r\n  // First check for bundled Firebase error format\r\n  const bundledErrorMatch = message.match(/Firebase:\\s*Error\\s*$$auth\\/([^)]+)$$/)\r\n  if (bundledErrorMatch) {\r\n    const errorCode = bundledErrorMatch[1]\r\n    const mappedCode = mapFirebaseErrorCode(errorCode)\r\n    if (mappedCode) {\r\n      return mappedCode\r\n    }\r\n  }\r\n\r\n  // Then check standard patterns\r\n  for (const [errorType, pattern] of Object.entries(ERROR_PATTERNS)) {\r\n    if (pattern.test(message)) {\r\n      return errorType as ErrorCode\r\n    }\r\n  }\r\n\r\n  return \"INTERNAL_ERROR\"\r\n}\r\n\r\n/**\r\n * Creates a standardized error response\r\n */\r\nfunction createErrorResponse(code: ErrorCode, message: string): AuthErrorResponse {\r\n  const defaultMessages: Record<ErrorCode, string> = {\r\n    INVALID_EMAIL: \"Invalid email format\",\r\n    INVALID_CREDENTIALS: \"Invalid email or password\",\r\n    USER_DISABLED: \"This account has been disabled\",\r\n    TOO_MANY_ATTEMPTS: \"Too many attempts. Please try again later\",\r\n    NETWORK_ERROR: \"Network error. Please check your connection\",\r\n    OPERATION_NOT_ALLOWED: \"This login method is not enabled\",\r\n    POPUP_BLOCKED: \"Login popup was blocked. Please enable popups\",\r\n    EMAIL_EXISTS: \"This email is already in use\",\r\n    EXPIRED_TOKEN: \"Your session has expired. Please login again\",\r\n    INVALID_TOKEN: \"Invalid authentication token\",\r\n    SESSION_EXPIRED: \"Your session has expired\",\r\n    WEAK_PASSWORD: \"Password is too weak\",\r\n    EMAIL_NOT_VERIFIED: \"Email verification required\",\r\n    INTERNAL_ERROR: \"An internal error occurred. Please try again\",\r\n    SERVER_SIDE_INITIALIZATION: \"TernSecure must be initialized on the client side\",\r\n    REQUIRES_VERIFICATION: \"Email verification required\",\r\n    AUTHENTICATED: \"Already authenticated\",\r\n    UNAUTHENTICATED: \"Authentication required\",\r\n    UNVERIFIED: \"Email verification required\",\r\n    NOT_INITIALIZED: \"TernSecure services are not initialized\",\r\n    HOOK_CONTEXT: \"Hook must be used within TernSecureProvider\",\r\n  }\r\n\r\n  return {\r\n    success: false,\r\n    message: message || defaultMessages[code],\r\n    code,\r\n  }\r\n}\r\n\r\n/**\r\n * Handles Firebase authentication errors with multiple fallback mechanisms\r\n */\r\nexport function handleFirebaseAuthError(error: unknown): AuthErrorResponse {\r\n  // Helper to extract clean error code from bundled format\r\n  function extractErrorInfo(input: unknown): { code: string; message: string } | null {\r\n    // Case 1: String input (direct Firebase error message)\r\n    if (typeof input === 'string') {\r\n      const match = input.match(/Firebase:\\s*Error\\s*\\(auth\\/([^)]+)\\)/);\r\n      if (match) {\r\n        return { code: match[1], message: input };\r\n      }\r\n    }\r\n\r\n    // Case 2: Error object\r\n    if (input && typeof input === 'object') {\r\n      const err = input as { code?: string; message?: string };\r\n      \r\n      // Check for bundled message format first\r\n      if (err.message) {\r\n        const match = err.message.match(/Firebase:\\s*Error\\s*\\(auth\\/([^)]+)\\)/);\r\n        if (match) {\r\n          return { code: match[1], message: err.message };\r\n        }\r\n      }\r\n\r\n      // Check for direct code\r\n      if (err.code) {\r\n        return {\r\n          code: err.code.replace('auth/', ''),\r\n          message: err.message || ''\r\n        };\r\n      }\r\n    }\r\n\r\n    return null;\r\n  }\r\n\r\n  // Map error codes to user-friendly messages\r\n  const ERROR_MESSAGES: Record<string, { message: string; code: ErrorCode }> = {\r\n    'invalid-email': { message: 'Invalid email format', code: 'INVALID_EMAIL' },\r\n    'invalid-credential': { message: 'Invalid email or password', code: 'INVALID_CREDENTIALS' },\r\n    'invalid-login-credentials': { message: 'Invalid email or password', code: 'INVALID_CREDENTIALS' },\r\n    'wrong-password': { message: 'Invalid email or password', code: 'INVALID_CREDENTIALS' },\r\n    'user-not-found': { message: 'Invalid email or password', code: 'INVALID_CREDENTIALS' },\r\n    'user-disabled': { message: 'This account has been disabled', code: 'USER_DISABLED' },\r\n    'too-many-requests': { message: 'Too many attempts. Please try again later', code: 'TOO_MANY_ATTEMPTS' },\r\n    'network-request-failed': { message: 'Network error. Please check your connection', code: 'NETWORK_ERROR' },\r\n    'email-already-in-use': { message: 'This email is already in use', code: 'EMAIL_EXISTS' },\r\n    'weak-password': { message: 'Password is too weak', code: 'WEAK_PASSWORD' },\r\n    'operation-not-allowed': { message: 'This login method is not enabled', code: 'OPERATION_NOT_ALLOWED' },\r\n    'popup-blocked': { message: 'Login popup was blocked. Please enable popups', code: 'POPUP_BLOCKED' },\r\n    'expired-action-code': { message: 'Your session has expired. Please login again', code: 'EXPIRED_TOKEN' },\r\n    'user-token-expired': { message: 'Your session has expired. Please login again', code: 'EXPIRED_TOKEN' }\r\n  };\r\n\r\n  try {\r\n    // Extract error information\r\n    const errorInfo = extractErrorInfo(error);\r\n    \r\n    if (errorInfo) {\r\n      const mappedError = ERROR_MESSAGES[errorInfo.code];\r\n      if (mappedError) {\r\n        return {\r\n          success: false,\r\n          message: mappedError.message,\r\n          code: mappedError.code\r\n        };\r\n      }\r\n    }\r\n\r\n    // If we couldn't extract or map the error, try one last time with string conversion\r\n    const errorString = String(error);\r\n    const lastMatch = errorString.match(/Firebase:\\s*Error\\s*\\(auth\\/([^)]+)\\)/);\r\n    if (lastMatch && ERROR_MESSAGES[lastMatch[1]]) {\r\n      return {\r\n        success: false,\r\n        ...ERROR_MESSAGES[lastMatch[1]]\r\n      };\r\n    }\r\n\r\n  } catch (e) {\r\n    // Silent catch - we'll return the default error\r\n  }\r\n\r\n  // Default fallback\r\n  return {\r\n    success: false,\r\n    message: 'An unexpected error occurred. Please try again later',\r\n    code: 'INTERNAL_ERROR'\r\n  };\r\n}\r\n\r\n/**\r\n * Type guard to check if a response is an AuthErrorResponse\r\n */\r\nexport function isAuthErrorResponse(response: unknown): response is AuthErrorResponse {\r\n  return (\r\n    typeof response === \"object\" &&\r\n    response !== null &&\r\n    \"success\" in response &&\r\n    (response as { success: boolean }).success === false &&\r\n    \"code\" in response &&\r\n    \"message\" in response\r\n  )\r\n}\r\n\r\n\r\n\r\nexport function getErrorAlertVariant(error: SignInResponse | undefined) {\r\n if (!error) return \"destructive\"\r\n\r\n  switch (error.error) {\r\n    case \"AUTHENTICATED\":\r\n      return \"default\"\r\n    case \"EMAIL_EXISTS\":\r\n    case \"UNAUTHENTICATED\":\r\n    case \"UNVERIFIED\":\r\n    case \"REQUIRES_VERIFICATION\":\r\n    case \"INVALID_EMAIL\":\r\n    case \"INVALID_TOKEN\":\r\n    case \"INTERNAL_ERROR\":\r\n    case \"USER_DISABLED\":\r\n    case \"TOO_MANY_ATTEMPTS\":\r\n    case \"NETWORK_ERROR\":\r\n    case \"SESSION_EXPIRED\":\r\n    case \"EXPIRED_TOKEN\":\r\n    case \"INVALID_CREDENTIALS\":\r\n    default:\r\n      return \"destructive\"\r\n  }\r\n}"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAUO,MAAM,SAAS;AAAA,EACpB,4BAA4B;AAAA,EAC5B,uBAAuB;AAAA,EACvB,eAAe;AAAA,EACf,iBAAiB;AAAA,EACjB,YAAY;AAAA,EACZ,iBAAiB;AAAA,EACjB,cAAc;AAAA,EACd,oBAAoB;AAAA,EACpB,qBAAqB;AAAA,EACrB,eAAe;AAAA,EACf,mBAAmB;AAAA,EACnB,eAAe;AAAA,EACf,eAAe;AAAA,EACf,eAAe;AAAA,EACf,cAAc;AAAA,EACd,eAAe;AAAA,EACf,uBAAuB;AAAA,EACvB,eAAe;AAAA,EACf,eAAe;AAAA,EACf,iBAAiB;AAAA,EACjB,gBAAgB;AAClB;AAGA,MAAM,iBAAiB;AAAA,EACrB,eAAe;AAAA,EACf,qBACE;AAAA,EACF,eAAe;AAAA,EACf,mBAAmB;AAAA,EACnB,eAAe;AAAA,EACf,uBAAuB;AAAA,EACvB,eAAe;AAAA,EACf,cAAc;AAAA,EACd,eAAe;AAAA,EACf,eAAe;AAAA,EACf,iBAAiB;AAAA,EACjB,eAAe;AACjB;AAEO,MAAM,wBAAwB,MAAM;AAAA,EACzC;AAAA,EAEA,YAAY,MAAiB,SAAkB;AAC7C,UAAM,WAAW,IAAI;AACrB,SAAK,OAAO;AACZ,SAAK,OAAO;AAAA,EACd;AACF;AAYA,SAAS,oBAAoB,OAAkD;AAC7E,MAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO;AAEhD,QAAM,MAAM;AAGZ,MAAI,OAAO,IAAI,YAAY,UAAU;AACnC,UAAM,oBAAoB,IAAI,QAAQ,MAAM,uCAAuC;AACnF,QAAI,mBAAmB;AAErB,UAAI,OAAO,QAAQ,kBAAkB,CAAC,CAAC;AACvC,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SACG,OAAO,IAAI,SAAS,YAAY,IAAI,KAAK,WAAW,OAAO,KAC3D,OAAO,IAAI,SAAS,YAAY,IAAI,KAAK,SAAS,eAAe;AAEtE;AAKA,SAAS,yBAAyB,OAAwC;AAExE,MAAI,OAAO,MAAM,YAAY,UAAU;AACrC,UAAM,oBAAoB,MAAM,QAAQ,MAAM,uCAAuC;AACrF,QAAI,mBAAmB;AACrB,aAAO,kBAAkB,CAAC;AAAA,IAC5B;AAAA,EACF;AAGA,MAAI,MAAM,MAAM;AACd,WAAO,MAAM,KAAK,QAAQ,SAAS,EAAE;AAAA,EACvC;AAGA,MAAI,OAAO,MAAM,YAAY,UAAU;AACrC,UAAM,mBAAmB,MAAM,QAAQ,MAAM,iBAAiB;AAC9D,QAAI,kBAAkB;AACpB,aAAO,iBAAiB,CAAC;AAAA,IAC3B;AAAA,EACF;AAEA,SAAO;AACT;AAKA,SAAS,qBAAqB,MAAyB;AAErD,QAAM,iBAA4C;AAAA,IAChD,iBAAiB;AAAA,IACjB,iBAAiB;AAAA,IACjB,qBAAqB;AAAA,IACrB,0BAA0B;AAAA,IAC1B,yBAAyB;AAAA,IACzB,iBAAiB;AAAA,IACjB,wBAAwB;AAAA,IACxB,iBAAiB;AAAA,IACjB,sBAAsB;AAAA,IACtB,kBAAkB;AAAA,IAClB,kBAAkB;AAAA,IAClB,oBAAoB;AAAA,IACpB,sBAAsB;AAAA,IACtB,oBAAoB;AAAA,EACtB;AAEA,SAAO,eAAe,IAAI,KAAK;AACjC;AAKA,SAAS,8BAA8B,SAA4B;AAEjE,QAAM,oBAAoB,QAAQ,MAAM,uCAAuC;AAC/E,MAAI,mBAAmB;AACrB,UAAM,YAAY,kBAAkB,CAAC;AACrC,UAAM,aAAa,qBAAqB,SAAS;AACjD,QAAI,YAAY;AACd,aAAO;AAAA,IACT;AAAA,EACF;AAGA,aAAW,CAAC,WAAW,OAAO,KAAK,OAAO,QAAQ,cAAc,GAAG;AACjE,QAAI,QAAQ,KAAK,OAAO,GAAG;AACzB,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAKA,SAAS,oBAAoB,MAAiB,SAAoC;AAChF,QAAM,kBAA6C;AAAA,IACjD,eAAe;AAAA,IACf,qBAAqB;AAAA,IACrB,eAAe;AAAA,IACf,mBAAmB;AAAA,IACnB,eAAe;AAAA,IACf,uBAAuB;AAAA,IACvB,eAAe;AAAA,IACf,cAAc;AAAA,IACd,eAAe;AAAA,IACf,eAAe;AAAA,IACf,iBAAiB;AAAA,IACjB,eAAe;AAAA,IACf,oBAAoB;AAAA,IACpB,gBAAgB;AAAA,IAChB,4BAA4B;AAAA,IAC5B,uBAAuB;AAAA,IACvB,eAAe;AAAA,IACf,iBAAiB;AAAA,IACjB,YAAY;AAAA,IACZ,iBAAiB;AAAA,IACjB,cAAc;AAAA,EAChB;AAEA,SAAO;AAAA,IACL,SAAS;AAAA,IACT,SAAS,WAAW,gBAAgB,IAAI;AAAA,IACxC;AAAA,EACF;AACF;AAKO,SAAS,wBAAwB,OAAmC;AAEzE,WAAS,iBAAiB,OAA0D;AAElF,QAAI,OAAO,UAAU,UAAU;AAC7B,YAAM,QAAQ,MAAM,MAAM,uCAAuC;AACjE,UAAI,OAAO;AACT,eAAO,EAAE,MAAM,MAAM,CAAC,GAAG,SAAS,MAAM;AAAA,MAC1C;AAAA,IACF;AAGA,QAAI,SAAS,OAAO,UAAU,UAAU;AACtC,YAAM,MAAM;AAGZ,UAAI,IAAI,SAAS;AACf,cAAM,QAAQ,IAAI,QAAQ,MAAM,uCAAuC;AACvE,YAAI,OAAO;AACT,iBAAO,EAAE,MAAM,MAAM,CAAC,GAAG,SAAS,IAAI,QAAQ;AAAA,QAChD;AAAA,MACF;AAGA,UAAI,IAAI,MAAM;AACZ,eAAO;AAAA,UACL,MAAM,IAAI,KAAK,QAAQ,SAAS,EAAE;AAAA,UAClC,SAAS,IAAI,WAAW;AAAA,QAC1B;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAGA,QAAM,iBAAuE;AAAA,IAC3E,iBAAiB,EAAE,SAAS,wBAAwB,MAAM,gBAAgB;AAAA,IAC1E,sBAAsB,EAAE,SAAS,6BAA6B,MAAM,sBAAsB;AAAA,IAC1F,6BAA6B,EAAE,SAAS,6BAA6B,MAAM,sBAAsB;AAAA,IACjG,kBAAkB,EAAE,SAAS,6BAA6B,MAAM,sBAAsB;AAAA,IACtF,kBAAkB,EAAE,SAAS,6BAA6B,MAAM,sBAAsB;AAAA,IACtF,iBAAiB,EAAE,SAAS,kCAAkC,MAAM,gBAAgB;AAAA,IACpF,qBAAqB,EAAE,SAAS,6CAA6C,MAAM,oBAAoB;AAAA,IACvG,0BAA0B,EAAE,SAAS,+CAA+C,MAAM,gBAAgB;AAAA,IAC1G,wBAAwB,EAAE,SAAS,gCAAgC,MAAM,eAAe;AAAA,IACxF,iBAAiB,EAAE,SAAS,wBAAwB,MAAM,gBAAgB;AAAA,IAC1E,yBAAyB,EAAE,SAAS,oCAAoC,MAAM,wBAAwB;AAAA,IACtG,iBAAiB,EAAE,SAAS,iDAAiD,MAAM,gBAAgB;AAAA,IACnG,uBAAuB,EAAE,SAAS,gDAAgD,MAAM,gBAAgB;AAAA,IACxG,sBAAsB,EAAE,SAAS,gDAAgD,MAAM,gBAAgB;AAAA,EACzG;AAEA,MAAI;AAEF,UAAM,YAAY,iBAAiB,KAAK;AAExC,QAAI,WAAW;AACb,YAAM,cAAc,eAAe,UAAU,IAAI;AACjD,UAAI,aAAa;AACf,eAAO;AAAA,UACL,SAAS;AAAA,UACT,SAAS,YAAY;AAAA,UACrB,MAAM,YAAY;AAAA,QACpB;AAAA,MACF;AAAA,IACF;AAGA,UAAM,cAAc,OAAO,KAAK;AAChC,UAAM,YAAY,YAAY,MAAM,uCAAuC;AAC3E,QAAI,aAAa,eAAe,UAAU,CAAC,CAAC,GAAG;AAC7C,aAAO;AAAA,QACL,SAAS;AAAA,QACT,GAAG,eAAe,UAAU,CAAC,CAAC;AAAA,MAChC;AAAA,IACF;AAAA,EAEF,SAAS,GAAG;AAAA,EAEZ;AAGA,SAAO;AAAA,IACL,SAAS;AAAA,IACT,SAAS;AAAA,IACT,MAAM;AAAA,EACR;AACF;AAKO,SAAS,oBAAoB,UAAkD;AACpF,SACE,OAAO,aAAa,YACpB,aAAa,QACb,aAAa,YACZ,SAAkC,YAAY,SAC/C,UAAU,YACV,aAAa;AAEjB;AAIO,SAAS,qBAAqB,OAAmC;AACvE,MAAI,CAAC,MAAO,QAAO;AAElB,UAAQ,MAAM,OAAO;AAAA,IACnB,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL;AACE,aAAO;AAAA,EACX;AACF;","names":[]}

package/dist/cjs/index.js

@@ -18,28 +18,23 @@ var __copyProps = (to, from, except, desc) => {
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var index_exports = {};
 __export(index_exports, {
-  SignIn: () => import_uiComponents.SignIn,
-  SignUp: () => import_uiComponents.SignUp,
   TernSecureProvider: () => import_TernSecureProvider.TernSecureProvider,
-  UserButton: () => import_uiComponents.UserButton,
+  signIn: () => import_components.signIn,
   useAuth: () => import_components.useAuth,
   useIdToken: () => import_components.useIdToken,
   useSession: () => import_components.useSession,
-  useSignUp: () => import_components.useSignUp
+  useSignIn: () => import_components.useSignIn
 });
 module.exports = __toCommonJS(index_exports);
 var import_TernSecureProvider = require("./app-router/client/TernSecureProvider");
 var import_components = require("./boundary/components");
-var import_uiComponents = require("./components/uiComponents");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  SignIn,
-  SignUp,
   TernSecureProvider,
-  UserButton,
+  signIn,
   useAuth,
   useIdToken,
   useSession,
-  useSignUp
+  useSignIn
 });
 //# sourceMappingURL=index.js.map

package/dist/cjs/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/index.ts"],"sourcesContent":["\r\n//import { TernSecureServerProvider } from './app-router/server/TernSecureServerProvider'\r\n//import type { TernSecureState } from './app-router/client/TernSecureProvider'\r\n//export { \r\n//    TernSecureAuth, \r\n//    TernSecureFirestore, \r\n//    ternSecureAuth \r\n//} from '@tern-secure/react'\r\n//export { loadFireConfig, validateConfig } from './utils/config'\r\n//export { signInWithEmail } from '@tern-secure/next-backend'\r\n//export { useInternalContext } from './boundary/TernSecureCtx'\r\n//export { TernSecureClientProvider } from './app-router/client/TernSecureProvider'\r\nexport { TernSecureProvider } from './app-router/client/TernSecureProvider'\r\nexport {\r\n    useAuth,\r\n    useIdToken,\r\n    useSignUp,\r\n    useSession,\r\n    //SignIn,\r\n    //SignOut,\r\n    //SignOutButton,\r\n    //SignUp,\r\n} from './boundary/components'\r\n\r\nexport {\r\n    SignIn,\r\n    SignUp,\r\n    UserButton,\r\n} from './components/uiComponents'\r\n\r\nexport type { TernSecureUser, TernSecureUserData } from '@tern-secure/types'\r\n\r\n//export const TernSecureProvider = TernSecureServerProvider\r\n//export type { TernSecureState }"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAYA,gCAAmC;AACnC,wBASO;AAEP,0BAIO;","names":[]}
+{"version":3,"sources":["../../src/index.ts"],"sourcesContent":["export { TernSecureProvider } from './app-router/client/TernSecureProvider'\r\nexport {\r\n    useAuth,\r\n    useIdToken,\r\n    useSession,\r\n    useSignIn,\r\n    signIn\r\n    //SignIn,\r\n    //SignOut,\r\n    //SignOutButton,\r\n    //SignUp,\r\n} from './boundary/components'\r\n\r\nexport type { TernSecureUser, TernSecureUserData, SignInResponseTree } from '@tern-secure/types'\r\n\r\nexport type {\r\n    UserInfo,\r\n    SessionResult\r\n} from './types'"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gCAAmC;AACnC,wBAUO;","names":[]}

package/dist/cjs/server/constant.js

@@ -0,0 +1,38 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var constant_exports = {};
+__export(constant_exports, {
+  API_URL: () => API_URL,
+  API_VERSION: () => API_VERSION,
+  SIGN_IN_URL: () => SIGN_IN_URL,
+  SIGN_UP_URL: () => SIGN_UP_URL
+});
+module.exports = __toCommonJS(constant_exports);
+const API_URL = process.env.TERNSECURE_API_URL;
+const API_VERSION = process.env.TERNSECURE_API_VERSION || "v1";
+const SIGN_IN_URL = process.env.NEXT_PUBLIC_SIGN_IN_URL || "";
+const SIGN_UP_URL = process.env.NEXT_PUBLIC_SIGN_UP_URL || "";
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  API_URL,
+  API_VERSION,
+  SIGN_IN_URL,
+  SIGN_UP_URL
+});
+//# sourceMappingURL=constant.js.map

package/dist/cjs/server/constant.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/constant.ts"],"sourcesContent":["\nexport const API_URL = process.env.TERNSECURE_API_URL\nexport const API_VERSION = process.env.TERNSECURE_API_VERSION || 'v1';\nexport const SIGN_IN_URL = process.env.NEXT_PUBLIC_SIGN_IN_URL || '';\nexport const SIGN_UP_URL = process.env.NEXT_PUBLIC_SIGN_UP_URL || '';"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACO,MAAM,UAAU,QAAQ,IAAI;AAC5B,MAAM,cAAc,QAAQ,IAAI,0BAA0B;AAC1D,MAAM,cAAc,QAAQ,IAAI,2BAA2B;AAC3D,MAAM,cAAc,QAAQ,IAAI,2BAA2B;","names":[]}

package/dist/cjs/server/edge-session.js

@@ -18,45 +18,136 @@ var __copyProps = (to, from, except, desc) => {
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var edge_session_exports = {};
 __export(edge_session_exports, {
-  verifySession: () => verifySession
+  VerifySessionWithRestApi: () => VerifySessionWithRestApi,
+  verifySession: () => verifySession,
+  verifySessionEdge: () => verifySessionEdge,
+  verifyTokenEdge: () => verifyTokenEdge
 });
 module.exports = __toCommonJS(edge_session_exports);
-var import_jwt_edge = require("./jwt-edge");
+var import_jwt = require("./jwt");
 async function verifySession(request) {
   try {
     const sessionCookie = request.cookies.get("_session_cookie")?.value;
-    const idToken = request.cookies.get("_session_token")?.value;
     if (sessionCookie) {
-      const result = await (0, import_jwt_edge.verifyFirebaseToken)(sessionCookie, true);
+      const result = await (0, import_jwt.verifyFirebaseToken)(sessionCookie, true);
       if (result.valid) {
-        const user = {
-          uid: result.uid ?? "",
-          email: result.email || null,
-          emailVerified: result.emailVerified ?? false,
-          disabled: false,
-          authTime: result.authTime
-        };
         return {
           isAuthenticated: true,
-          user
+          user: {
+            uid: result.uid ?? "",
+            email: result.email || null,
+            tenantId: result.tenant || "default",
+            emailVerified: result.emailVerified ?? false,
+            disabled: false
+          }
         };
       }
     }
-    if (idToken) {
-      const result = await (0, import_jwt_edge.verifyFirebaseToken)(idToken, false);
-      if (result.valid) {
-        const user = {
-          uid: result.uid ?? "",
-          email: result.email || null,
-          emailVerified: result.emailVerified ?? false,
-          disabled: false,
-          authTime: result.authTime
-        };
+    return {
+      isAuthenticated: false,
+      user: null,
+      error: "No valid session found"
+    };
+  } catch (error) {
+    console.error("Session verification error:", error);
+    return {
+      isAuthenticated: false,
+      user: null,
+      error: error instanceof Error ? error.message : "Session verification failed"
+    };
+  }
+}
+async function verifyTokenEdge(idToken) {
+  try {
+    const response = await fetch(
+      `https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=${process.env.NEXT_PUBLIC_FIREBASE_API_KEY}`,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({ idToken })
+      }
+    );
+    const data = await response.json();
+    console.log("data Token", data);
+    if (!response.ok || !data.users?.[0]) {
+      return null;
+    }
+    const user = data.users[0];
+    return {
+      uid: user.localId,
+      email: user.email || null,
+      tenantId: user.tenantId || "default",
+      disabled: user.disabled || false
+    };
+  } catch (error) {
+    console.error("Token verification error:", error);
+    return null;
+  }
+}
+async function verifySessionEdge(sessionCookie) {
+  try {
+    const response = await fetch(
+      `https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=${process.env.NEXT_PUBLIC_FIREBASE_API_KEY}`,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${sessionCookie}`
+        }
+      }
+    );
+    const data = await response.json();
+    console.log("data Session", data);
+    if (!response.ok || !data.users?.[0]) {
+      return null;
+    }
+    const user = data.users[0];
+    return {
+      uid: user.localId,
+      email: user.email || null,
+      tenantId: user.tenant || "default",
+      disabled: user.disabled || false
+    };
+  } catch (error) {
+    console.error("Session verification error:", error);
+    return null;
+  }
+}
+async function VerifySessionWithRestApi(request) {
+  try {
+    const sessionCookie = request.cookies.get("_session_cookie")?.value;
+    if (sessionCookie) {
+      const response = await fetch(
+        `https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=${process.env.GOOGLE_CLIENT_ID}`,
+        {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${sessionCookie}`
+          }
+        }
+      );
+      const data = await response.json();
+      console.log("[edge-session] data with session cookie", data);
+      if (response.ok && data.users?.[0]) {
+        const user = data.users[0];
         return {
           isAuthenticated: true,
-          user
+          user: {
+            uid: user.localId,
+            email: user.email || null,
+            tenantId: user.tenantId || "default",
+            emailVerified: user.emailVerified ?? false,
+            disabled: user.disabled || false
+          }
         };
       }
+      console.log(
+        "Session cookie verification failed:",
+        data.error?.message || "Invalid session"
+      );
     }
     return {
       isAuthenticated: false,
@@ -74,6 +165,9 @@ async function verifySession(request) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  verifySession
+  VerifySessionWithRestApi,
+  verifySession,
+  verifySessionEdge,
+  verifyTokenEdge
 });
 //# sourceMappingURL=edge-session.js.map

package/dist/cjs/server/edge-session.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/server/edge-session.ts"],"sourcesContent":["import { verifyFirebaseToken } from \"./jwt-edge\"\r\nimport type { NextRequest } from \"next/server\"\r\nimport type { SessionResult, UserInfo } from \"./types\"\r\n\r\n\r\n\r\nexport async function verifySession(request: NextRequest): Promise<SessionResult> {\r\n  try {\r\n    //const cookieStore = await cookies()\r\n\r\n    // First try session cookie\r\n\r\n    const sessionCookie = request.cookies.get(\"_session_cookie\")?.value\r\n    const idToken = request.cookies.get(\"_session_token\")?.value\r\n\r\n    //const sessionCookie = request.cookies.get(\"_session_cookie\")?.value\r\n    if (sessionCookie) {\r\n      const result = await verifyFirebaseToken(sessionCookie, true)\r\n      if (result.valid) {\r\n          const user: UserInfo = {\r\n            uid: result.uid ?? '',\r\n            email: result.email || null,\r\n            emailVerified: result.emailVerified ?? false,\r\n            disabled: false,\r\n            authTime: result.authTime,\r\n        }\r\n\r\n        return {\r\n          isAuthenticated: true,\r\n          user\r\n        }\r\n      }\r\n    }\r\n\r\n    // Then try ID token\r\n    //const idToken = request.cookies.get(\"_session_token\")?.value\r\n    if (idToken) {\r\n      const result = await verifyFirebaseToken(idToken, false)\r\n      if (result.valid) {\r\n        const user: UserInfo =  {\r\n            uid: result.uid ?? '',\r\n            email: result.email || null,\r\n            emailVerified: result.emailVerified ?? false,\r\n            disabled: false,\r\n            authTime: result.authTime,\r\n        }\r\n        \r\n        return {\r\n          isAuthenticated: true,\r\n          user\r\n        }\r\n      }\r\n    }\r\n\r\n    return {\r\n      isAuthenticated: false,\r\n      user: null,\r\n      error: \"No valid session found\"\r\n    }\r\n  } catch (error) {\r\n    console.error(\"Session verification error:\", error)\r\n    return {\r\n      isAuthenticated: false,\r\n      user: null,\r\n      error: error instanceof Error ? error.message : \"Session verification failed\",\r\n    }\r\n  }\r\n}"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,sBAAoC;AAMpC,eAAsB,cAAc,SAA8C;AAChF,MAAI;AAKF,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,iBAAiB,GAAG;AAC9D,UAAM,UAAU,QAAQ,QAAQ,IAAI,gBAAgB,GAAG;AAGvD,QAAI,eAAe;AACjB,YAAM,SAAS,UAAM,qCAAoB,eAAe,IAAI;AAC5D,UAAI,OAAO,OAAO;AACd,cAAM,OAAiB;AAAA,UACrB,KAAK,OAAO,OAAO;AAAA,UACnB,OAAO,OAAO,SAAS;AAAA,UACvB,eAAe,OAAO,iBAAiB;AAAA,UACvC,UAAU;AAAA,UACV,UAAU,OAAO;AAAA,QACrB;AAEA,eAAO;AAAA,UACL,iBAAiB;AAAA,UACjB;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAIA,QAAI,SAAS;AACX,YAAM,SAAS,UAAM,qCAAoB,SAAS,KAAK;AACvD,UAAI,OAAO,OAAO;AAChB,cAAM,OAAkB;AAAA,UACpB,KAAK,OAAO,OAAO;AAAA,UACnB,OAAO,OAAO,SAAS;AAAA,UACvB,eAAe,OAAO,iBAAiB;AAAA,UACvC,UAAU;AAAA,UACV,UAAU,OAAO;AAAA,QACrB;AAEA,eAAO;AAAA,UACL,iBAAiB;AAAA,UACjB;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,iBAAiB;AAAA,MACjB,MAAM;AAAA,MACN,OAAO;AAAA,IACT;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B,KAAK;AAClD,WAAO;AAAA,MACL,iBAAiB;AAAA,MACjB,MAAM;AAAA,MACN,OAAO,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAClD;AAAA,EACF;AACF;","names":[]}
+{"version":3,"sources":["../../../src/server/edge-session.ts"],"sourcesContent":["import type { NextRequest } from \"next/server\";\r\n\r\nimport { verifyFirebaseToken } from \"./jwt\";\r\nimport type { BaseUser,SessionResult } from \"./types\";\r\n\r\nexport async function verifySession(\r\n  request: NextRequest\r\n): Promise<SessionResult> {\r\n  try {\r\n    const sessionCookie = request.cookies.get(\"_session_cookie\")?.value;\r\n    if (sessionCookie) {\r\n      const result = await verifyFirebaseToken(sessionCookie, true);\r\n      if (result.valid) {\r\n        return {\r\n          isAuthenticated: true,\r\n          user: {\r\n            uid: result.uid ?? \"\",\r\n            email: result.email || null,\r\n            tenantId: result.tenant || \"default\",\r\n            emailVerified: result.emailVerified ?? false,\r\n            disabled: false,\r\n          },\r\n        };\r\n      }\r\n    }\r\n    return {\r\n      isAuthenticated: false,\r\n      user: null,\r\n      error: \"No valid session found\",\r\n    };\r\n  } catch (error) {\r\n    console.error(\"Session verification error:\", error);\r\n    return {\r\n      isAuthenticated: false,\r\n      user: null,\r\n      error:\r\n        error instanceof Error ? error.message : \"Session verification failed\",\r\n    };\r\n  }\r\n}\r\n\r\n/**\r\n * Edge-compatible token verification using Firebase Auth REST API\r\n */\r\nexport async function verifyTokenEdge(\r\n  idToken: string\r\n): Promise<BaseUser | null> {\r\n  try {\r\n    const response = await fetch(\r\n      `https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=${process.env.NEXT_PUBLIC_FIREBASE_API_KEY}`,\r\n      {\r\n        method: \"POST\",\r\n        headers: {\r\n          \"Content-Type\": \"application/json\",\r\n        },\r\n        body: JSON.stringify({ idToken }),\r\n      }\r\n    );\r\n\r\n    const data = await response.json();\r\n    console.log(\"data Token\", data);\r\n\r\n    if (!response.ok || !data.users?.[0]) {\r\n      return null;\r\n    }\r\n\r\n    const user = data.users[0];\r\n    return {\r\n      uid: user.localId,\r\n      email: user.email || null,\r\n      tenantId: user.tenantId || \"default\",\r\n      disabled: user.disabled || false,\r\n    };\r\n  } catch (error) {\r\n    console.error(\"Token verification error:\", error);\r\n    return null;\r\n  }\r\n}\r\n\r\n/**\r\n * Edge-compatible session cookie verification\r\n */\r\nexport async function verifySessionEdge(\r\n  sessionCookie: string\r\n): Promise<BaseUser | null> {\r\n  try {\r\n    const response = await fetch(\r\n      `https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=${process.env.NEXT_PUBLIC_FIREBASE_API_KEY}`,\r\n      {\r\n        method: \"POST\",\r\n        headers: {\r\n          \"Content-Type\": \"application/json\",\r\n          Authorization: `Bearer ${sessionCookie}`,\r\n        },\r\n      }\r\n    );\r\n\r\n    const data = await response.json();\r\n    console.log(\"data Session\", data);\r\n\r\n    if (!response.ok || !data.users?.[0]) {\r\n      return null;\r\n    }\r\n\r\n    const user = data.users[0];\r\n    return {\r\n      uid: user.localId,\r\n      email: user.email || null,\r\n      tenantId: user.tenant || \"default\",\r\n      disabled: user.disabled || false,\r\n    };\r\n  } catch (error) {\r\n    console.error(\"Session verification error:\", error);\r\n    return null;\r\n  }\r\n}\r\n\r\n/**\r\n * Edge-compatible session verification using Firebase Auth REST API\r\n */\r\nexport async function VerifySessionWithRestApi(\r\n  request: NextRequest\r\n): Promise<SessionResult> {\r\n  try {\r\n    // First try session cookie\r\n    const sessionCookie = request.cookies.get(\"_session_cookie\")?.value;\r\n    if (sessionCookie) {\r\n      const response = await fetch(\r\n        `https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=${process.env.GOOGLE_CLIENT_ID}`,\r\n        {\r\n          method: \"POST\",\r\n          headers: {\r\n            \"Content-Type\": \"application/json\",\r\n            Authorization: `Bearer ${sessionCookie}`,\r\n          },\r\n        }\r\n      );\r\n\r\n      const data = await response.json();\r\n      console.log(\"[edge-session] data with session cookie\", data);\r\n\r\n      if (response.ok && data.users?.[0]) {\r\n        const user = data.users[0];\r\n        return {\r\n          isAuthenticated: true,\r\n          user: {\r\n            uid: user.localId,\r\n            email: user.email || null,\r\n            tenantId: user.tenantId || \"default\",\r\n            emailVerified: user.emailVerified ?? false,\r\n            disabled: user.disabled || false,\r\n          },\r\n        };\r\n      }\r\n      console.log(\r\n        \"Session cookie verification failed:\",\r\n        data.error?.message || \"Invalid session\"\r\n      );\r\n    }\r\n    return {\r\n      isAuthenticated: false,\r\n      user: null,\r\n      error: \"No valid session found\",\r\n    };\r\n  } catch (error) {\r\n    console.error(\"Session verification error:\", error);\r\n    return {\r\n      isAuthenticated: false,\r\n      user: null,\r\n      error:\r\n        error instanceof Error ? error.message : \"Session verification failed\",\r\n    };\r\n  }\r\n}\r\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,iBAAoC;AAGpC,eAAsB,cACpB,SACwB;AACxB,MAAI;AACF,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,iBAAiB,GAAG;AAC9D,QAAI,eAAe;AACjB,YAAM,SAAS,UAAM,gCAAoB,eAAe,IAAI;AAC5D,UAAI,OAAO,OAAO;AAChB,eAAO;AAAA,UACL,iBAAiB;AAAA,UACjB,MAAM;AAAA,YACJ,KAAK,OAAO,OAAO;AAAA,YACnB,OAAO,OAAO,SAAS;AAAA,YACvB,UAAU,OAAO,UAAU;AAAA,YAC3B,eAAe,OAAO,iBAAiB;AAAA,YACvC,UAAU;AAAA,UACZ;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,MACL,iBAAiB;AAAA,MACjB,MAAM;AAAA,MACN,OAAO;AAAA,IACT;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B,KAAK;AAClD,WAAO;AAAA,MACL,iBAAiB;AAAA,MACjB,MAAM;AAAA,MACN,OACE,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAC7C;AAAA,EACF;AACF;AAKA,eAAsB,gBACpB,SAC0B;AAC1B,MAAI;AACF,UAAM,WAAW,MAAM;AAAA,MACrB,iEAAiE,QAAQ,IAAI,4BAA4B;AAAA,MACzG;AAAA,QACE,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU,EAAE,QAAQ,CAAC;AAAA,MAClC;AAAA,IACF;AAEA,UAAM,OAAO,MAAM,SAAS,KAAK;AACjC,YAAQ,IAAI,cAAc,IAAI;AAE9B,QAAI,CAAC,SAAS,MAAM,CAAC,KAAK,QAAQ,CAAC,GAAG;AACpC,aAAO;AAAA,IACT;AAEA,UAAM,OAAO,KAAK,MAAM,CAAC;AACzB,WAAO;AAAA,MACL,KAAK,KAAK;AAAA,MACV,OAAO,KAAK,SAAS;AAAA,MACrB,UAAU,KAAK,YAAY;AAAA,MAC3B,UAAU,KAAK,YAAY;AAAA,IAC7B;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,6BAA6B,KAAK;AAChD,WAAO;AAAA,EACT;AACF;AAKA,eAAsB,kBACpB,eAC0B;AAC1B,MAAI;AACF,UAAM,WAAW,MAAM;AAAA,MACrB,iEAAiE,QAAQ,IAAI,4BAA4B;AAAA,MACzG;AAAA,QACE,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU,aAAa;AAAA,QACxC;AAAA,MACF;AAAA,IACF;AAEA,UAAM,OAAO,MAAM,SAAS,KAAK;AACjC,YAAQ,IAAI,gBAAgB,IAAI;AAEhC,QAAI,CAAC,SAAS,MAAM,CAAC,KAAK,QAAQ,CAAC,GAAG;AACpC,aAAO;AAAA,IACT;AAEA,UAAM,OAAO,KAAK,MAAM,CAAC;AACzB,WAAO;AAAA,MACL,KAAK,KAAK;AAAA,MACV,OAAO,KAAK,SAAS;AAAA,MACrB,UAAU,KAAK,UAAU;AAAA,MACzB,UAAU,KAAK,YAAY;AAAA,IAC7B;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B,KAAK;AAClD,WAAO;AAAA,EACT;AACF;AAKA,eAAsB,yBACpB,SACwB;AACxB,MAAI;AAEF,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,iBAAiB,GAAG;AAC9D,QAAI,eAAe;AACjB,YAAM,WAAW,MAAM;AAAA,QACrB,iEAAiE,QAAQ,IAAI,gBAAgB;AAAA,QAC7F;AAAA,UACE,QAAQ;AAAA,UACR,SAAS;AAAA,YACP,gBAAgB;AAAA,YAChB,eAAe,UAAU,aAAa;AAAA,UACxC;AAAA,QACF;AAAA,MACF;AAEA,YAAM,OAAO,MAAM,SAAS,KAAK;AACjC,cAAQ,IAAI,2CAA2C,IAAI;AAE3D,UAAI,SAAS,MAAM,KAAK,QAAQ,CAAC,GAAG;AAClC,cAAM,OAAO,KAAK,MAAM,CAAC;AACzB,eAAO;AAAA,UACL,iBAAiB;AAAA,UACjB,MAAM;AAAA,YACJ,KAAK,KAAK;AAAA,YACV,OAAO,KAAK,SAAS;AAAA,YACrB,UAAU,KAAK,YAAY;AAAA,YAC3B,eAAe,KAAK,iBAAiB;AAAA,YACrC,UAAU,KAAK,YAAY;AAAA,UAC7B;AAAA,QACF;AAAA,MACF;AACA,cAAQ;AAAA,QACN;AAAA,QACA,KAAK,OAAO,WAAW;AAAA,MACzB;AAAA,IACF;AACA,WAAO;AAAA,MACL,iBAAiB;AAAA,MACjB,MAAM;AAAA,MACN,OAAO;AAAA,IACT;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B,KAAK;AAClD,WAAO;AAAA,MACL,iBAAiB;AAAA,MACjB,MAAM;AAAA,MACN,OACE,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAC7C;AAAA,EACF;AACF;","names":[]}

package/dist/cjs/server/headers-utils.js

@@ -0,0 +1,70 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var headers_utils_exports = {};
+__export(headers_utils_exports, {
+  detectClerkMiddleware: () => detectClerkMiddleware,
+  getAuthKeyFromRequest: () => getAuthKeyFromRequest,
+  getCustomAttributeFromRequest: () => getCustomAttributeFromRequest,
+  getHeader: () => getHeader,
+  isNextRequest: () => isNextRequest,
+  isRequestWebAPI: () => isRequestWebAPI
+});
+module.exports = __toCommonJS(headers_utils_exports);
+var import_backend = require("@tern-secure/backend");
+function getCustomAttributeFromRequest(req, key) {
+  return key in req ? req[key] : void 0;
+}
+function getAuthKeyFromRequest(req, key) {
+  return getCustomAttributeFromRequest(req, import_backend.constants.Attributes[key]) || getHeader(req, import_backend.constants.Headers[key]);
+}
+function getHeader(req, name) {
+  if (isNextRequest(req) || isRequestWebAPI(req)) {
+    return req.headers.get(name);
+  }
+  return req.headers[name] || req.headers[name.toLowerCase()] || req.socket?._httpMessage?.getHeader(name);
+}
+function detectClerkMiddleware(req) {
+  return Boolean(getAuthKeyFromRequest(req, "AuthStatus"));
+}
+function isNextRequest(val) {
+  try {
+    const { headers, nextUrl, cookies } = val || {};
+    return typeof headers?.get === "function" && typeof nextUrl?.searchParams.get === "function" && typeof cookies?.get === "function";
+  } catch {
+    return false;
+  }
+}
+function isRequestWebAPI(val) {
+  try {
+    const { headers } = val || {};
+    return typeof headers?.get === "function";
+  } catch {
+    return false;
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  detectClerkMiddleware,
+  getAuthKeyFromRequest,
+  getCustomAttributeFromRequest,
+  getHeader,
+  isNextRequest,
+  isRequestWebAPI
+});
+//# sourceMappingURL=headers-utils.js.map

package/dist/cjs/server/headers-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/headers-utils.ts"],"sourcesContent":["import { constants } from '@tern-secure/backend';\nimport type { NextRequest } from 'next/server';\n\nimport type { RequestLike } from './types';\n\nexport function getCustomAttributeFromRequest(req: RequestLike, key: string): string | null | undefined {\n  // @ts-expect-error - TS doesn't like indexing into RequestLike\n  return key in req ? req[key] : undefined;\n}\n\nexport function getAuthKeyFromRequest(\n  req: RequestLike,\n  key: keyof typeof constants.Attributes,\n): string | null | undefined {\n  return getCustomAttributeFromRequest(req, constants.Attributes[key]) || getHeader(req, constants.Headers[key]);\n}\n\nexport function getHeader(req: RequestLike, name: string): string | null | undefined {\n  if (isNextRequest(req) || isRequestWebAPI(req)) {\n    return req.headers.get(name);\n  }\n\n  // If no header has been determined for IncomingMessage case, check if available within private `socket` headers\n  // When deployed to vercel, req.headers for API routes is a `IncomingHttpHeaders` key-val object which does not follow\n  // the Headers spec so the name is no longer case-insensitive.\n  return req.headers[name] || req.headers[name.toLowerCase()] || (req.socket as any)?._httpMessage?.getHeader(name);\n}\n\nexport function detectClerkMiddleware(req: RequestLike): boolean {\n  return Boolean(getAuthKeyFromRequest(req, 'AuthStatus'));\n}\n\nexport function isNextRequest(val: unknown): val is NextRequest {\n  try {\n    const { headers, nextUrl, cookies } = (val || {}) as NextRequest;\n    return (\n      typeof headers?.get === 'function' &&\n      typeof nextUrl?.searchParams.get === 'function' &&\n      typeof cookies?.get === 'function'\n    );\n  } catch {\n    return false;\n  }\n}\n\nexport function isRequestWebAPI(val: unknown): val is Request {\n  try {\n    const { headers } = (val || {}) as Request;\n    return typeof headers?.get === 'function';\n  } catch {\n    return false;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,qBAA0B;AAKnB,SAAS,8BAA8B,KAAkB,KAAwC;AAEtG,SAAO,OAAO,MAAM,IAAI,GAAG,IAAI;AACjC;AAEO,SAAS,sBACd,KACA,KAC2B;AAC3B,SAAO,8BAA8B,KAAK,yBAAU,WAAW,GAAG,CAAC,KAAK,UAAU,KAAK,yBAAU,QAAQ,GAAG,CAAC;AAC/G;AAEO,SAAS,UAAU,KAAkB,MAAyC;AACnF,MAAI,cAAc,GAAG,KAAK,gBAAgB,GAAG,GAAG;AAC9C,WAAO,IAAI,QAAQ,IAAI,IAAI;AAAA,EAC7B;AAKA,SAAO,IAAI,QAAQ,IAAI,KAAK,IAAI,QAAQ,KAAK,YAAY,CAAC,KAAM,IAAI,QAAgB,cAAc,UAAU,IAAI;AAClH;AAEO,SAAS,sBAAsB,KAA2B;AAC/D,SAAO,QAAQ,sBAAsB,KAAK,YAAY,CAAC;AACzD;AAEO,SAAS,cAAc,KAAkC;AAC9D,MAAI;AACF,UAAM,EAAE,SAAS,SAAS,QAAQ,IAAK,OAAO,CAAC;AAC/C,WACE,OAAO,SAAS,QAAQ,cACxB,OAAO,SAAS,aAAa,QAAQ,cACrC,OAAO,SAAS,QAAQ;AAAA,EAE5B,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,gBAAgB,KAA8B;AAC5D,MAAI;AACF,UAAM,EAAE,QAAQ,IAAK,OAAO,CAAC;AAC7B,WAAO,OAAO,SAAS,QAAQ;AAAA,EACjC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/cjs/server/index.js

@@ -18,19 +18,21 @@ var __copyProps = (to, from, except, desc) => {
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var server_exports = {};
 __export(server_exports, {
+  NextCookieStore: () => import_NextCookieAdapter.NextCookieStore,
   auth: () => import_auth.auth,
-  createRouteMatcher: () => import_ternSecureMiddleware.createRouteMatcher,
-  getUser: () => import_auth.getUser,
-  ternSecureMiddleware: () => import_ternSecureMiddleware.ternSecureMiddleware
+  createRouteMatcher: () => import_routeMatcher.createRouteMatcher,
+  ternSecureMiddleware: () => import_ternSecureEdgeMiddleware.ternSecureMiddleware
 });
 module.exports = __toCommonJS(server_exports);
-var import_ternSecureMiddleware = require("./ternSecureMiddleware");
-var import_auth = require("./auth");
+var import_ternSecureEdgeMiddleware = require("./ternSecureEdgeMiddleware");
+var import_routeMatcher = require("./routeMatcher");
+var import_auth = require("../app-router/server/auth");
+var import_NextCookieAdapter = require("../utils/NextCookieAdapter");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  NextCookieStore,
   auth,
   createRouteMatcher,
-  getUser,
   ternSecureMiddleware
 });
 //# sourceMappingURL=index.js.map

package/dist/cjs/server/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/server/index.ts"],"sourcesContent":["export { ternSecureMiddleware, createRouteMatcher } from './ternSecureMiddleware'\r\nexport { auth, getUser, type AuthResult } from './auth'\r\nexport type { User, SessionResult } from './types'"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,kCAAyD;AACzD,kBAA+C;","names":[]}
+{"version":3,"sources":["../../../src/server/index.ts"],"sourcesContent":["export {\r\n  ternSecureMiddleware,\r\n} from \"./ternSecureEdgeMiddleware\";\r\nexport { createRouteMatcher } from \"./routeMatcher\";\r\nexport {\r\n  auth\r\n} from \"../app-router/server/auth\";\r\nexport type { AuthResult } from \"../app-router/server/auth\";\r\nexport type { BaseUser, SessionResult } from \"./types\";\r\nexport { NextCookieStore } from \"../utils/NextCookieAdapter\";\r\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,sCAEO;AACP,0BAAmC;AACnC,kBAEO;AAGP,+BAAgC;","names":[]}

package/dist/cjs/server/jwt-edge.js

@@ -66,26 +66,54 @@ async function verifyFirebaseToken(token, isSessionCookie = false) {
     if (!decoded) {
       throw new Error("Invalid token format");
     }
-    const JWKS = isSessionCookie ? await getSessionJWKS() : await getIdTokenJWKS();
-    const { payload } = await (0, import_jose.jwtVerify)(token, JWKS, {
-      issuer: isSessionCookie ? "https://session.firebase.google.com/" + projectId : "https://securetoken.google.com/" + projectId,
-      audience: projectId,
-      algorithms: ["RS256"]
-    });
-    const firebasePayload = payload;
-    const now = Math.floor(Date.now() / 1e3);
-    if (!firebasePayload.sub) {
-      throw new Error("Token subject is empty");
+    let retries = 3;
+    let lastError = null;
+    while (retries > 0) {
+      try {
+        const JWKS = isSessionCookie ? await getSessionJWKS() : await getIdTokenJWKS();
+        const { payload } = await (0, import_jose.jwtVerify)(token, JWKS, {
+          issuer: isSessionCookie ? "https://session.firebase.google.com/" + projectId : "https://securetoken.google.com/" + projectId,
+          audience: projectId,
+          algorithms: ["RS256"]
+        });
+        const firebasePayload = payload;
+        const now = Math.floor(Date.now() / 1e3);
+        if (firebasePayload.exp <= now) {
+          throw new Error("Token has expired");
+        }
+        if (firebasePayload.iat > now) {
+          throw new Error("Token issued time is in the future");
+        }
+        if (!firebasePayload.sub) {
+          throw new Error("Token subject is empty");
+        }
+        if (firebasePayload.auth_time > now) {
+          throw new Error("Token auth time is in the future");
+        }
+        return {
+          valid: true,
+          uid: firebasePayload.sub,
+          email: firebasePayload.email,
+          emailVerified: firebasePayload.email_verified,
+          tenant: firebasePayload.firebase.tenant,
+          authTime: firebasePayload.auth_time,
+          issuedAt: firebasePayload.iat,
+          expiresAt: firebasePayload.exp
+        };
+      } catch (error) {
+        lastError = error;
+        if (error instanceof Error && error.name === "JWKSNoMatchingKey") {
+          console.warn(`JWKS retry attempt ${4 - retries}:`, error.message);
+          retries--;
+          if (retries > 0) {
+            await new Promise((resolve) => setTimeout(resolve, 1e3));
+            continue;
+          }
+        }
+        throw error;
+      }
     }
-    return {
-      valid: true,
-      uid: firebasePayload.sub,
-      email: firebasePayload.email,
-      emailVerified: firebasePayload.email_verified,
-      authTime: firebasePayload.auth_time,
-      issuedAt: firebasePayload.iat,
-      expiresAt: firebasePayload.exp
-    };
+    throw lastError || new Error("Failed to verify token after retries");
   } catch (error) {
     console.error("Token verification details:", {
       error: error instanceof Error ? {

package/dist/cjs/server/jwt-edge.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/server/jwt-edge.ts"],"sourcesContent":["import { jwtVerify, createRemoteJWKSet } from \"jose\"\r\nimport { cache } from \"react\"\r\n\r\ninterface FirebaseIdTokenPayload {\r\n  iss: string\r\n  aud: string\r\n  auth_time: number\r\n  user_id: string\r\n  sub: string\r\n  iat: number\r\n  exp: number\r\n  email?: string\r\n  email_verified?: boolean\r\n  firebase: {\r\n    identities: {\r\n      [key: string]: any\r\n    }\r\n    sign_in_provider: string\r\n  }\r\n}\r\n\r\n// Firebase public key endpoints\r\nconst FIREBASE_ID_TOKEN_URL = \"https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com\"\r\nconst FIREBASE_SESSION_CERT_URL = \"https://identitytoolkit.googleapis.com/v1/sessionCookiePublicKeys\"\r\n\r\n// Cache the JWKS using React cache\r\nconst getIdTokenJWKS = cache(() => {\r\n  return createRemoteJWKSet(new URL(FIREBASE_ID_TOKEN_URL), {\r\n    cacheMaxAge: 3600000, // 1 hour\r\n    timeoutDuration: 5000, // 5 seconds\r\n    cooldownDuration: 30000, // 30 seconds between retries\r\n  })\r\n})\r\n\r\nconst getSessionJWKS = cache(() => {\r\n  return createRemoteJWKSet(new URL(FIREBASE_SESSION_CERT_URL), {\r\n    cacheMaxAge: 3600000, // 1 hour\r\n    timeoutDuration: 5000, // 5 seconds\r\n    cooldownDuration: 30000, // 30 seconds between retries\r\n  })\r\n})\r\n\r\n// Helper to decode JWT without verification\r\nfunction decodeJwt(token: string) {\r\n  try {\r\n    const [headerB64, payloadB64] = token.split(\".\")\r\n    const header = JSON.parse(Buffer.from(headerB64, \"base64\").toString())\r\n    const payload = JSON.parse(Buffer.from(payloadB64, \"base64\").toString())\r\n    return { header, payload }\r\n  } catch (error) {\r\n    console.error(\"Error decoding JWT:\", error)\r\n    return null\r\n  }\r\n}\r\n\r\nexport async function verifyFirebaseToken(token: string, isSessionCookie = false) {\r\n  try {\r\n    const projectId = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID\r\n    if (!projectId) {\r\n      throw new Error(\"Firebase Project ID is not configured\")\r\n    }\r\n\r\n    // Decode token for debugging and type checking\r\n    const decoded = decodeJwt(token)\r\n    if (!decoded) {\r\n      throw new Error(\"Invalid token format\")\r\n    }\r\n\r\n    //console.log(\"Token details:\", {\r\n    //  header: decoded.header,\r\n    //  type: isSessionCookie ? \"session_cookie\" : \"id_token\",\r\n    //})\r\n\r\n\r\n        // Use different JWKS based on token type\r\n    const JWKS = isSessionCookie ? await getSessionJWKS() : await getIdTokenJWKS()\r\n\r\n    const { payload } = await jwtVerify(token, JWKS, {\r\n          issuer: isSessionCookie\r\n            ? \"https://session.firebase.google.com/\" + projectId\r\n            : \"https://securetoken.google.com/\" + projectId,\r\n          audience: projectId,\r\n          algorithms: [\"RS256\"],\r\n    })\r\n\r\n    const firebasePayload = payload as unknown as FirebaseIdTokenPayload\r\n    const now = Math.floor(Date.now() / 1000)\r\n\r\n\r\n    if (!firebasePayload.sub) {\r\n          throw new Error(\"Token subject is empty\")\r\n    }\r\n\r\n    return {\r\n          valid: true,\r\n          uid: firebasePayload.sub,\r\n          email: firebasePayload.email,\r\n          emailVerified: firebasePayload.email_verified,\r\n          authTime: firebasePayload.auth_time,\r\n          issuedAt: firebasePayload.iat,\r\n          expiresAt: firebasePayload.exp,\r\n        }\r\n    } catch (error) {\r\n        console.error(\"Token verification details:\", {\r\n          error:\r\n            error instanceof Error\r\n              ? {\r\n                  name: error.name,\r\n                  message: error.message,\r\n                  stack: error.stack,\r\n                }\r\n              : error,\r\n          decoded: decodeJwt(token),\r\n          //projectId,\r\n          isSessionCookie,\r\n        })\r\n    \r\n        return {\r\n          valid: false,\r\n          error: error instanceof Error ? error.message : \"Invalid token\",\r\n        }\r\n      }\r\n    }"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,kBAA8C;AAC9C,mBAAsB;AAqBtB,MAAM,wBAAwB;AAC9B,MAAM,4BAA4B;AAGlC,MAAM,qBAAiB,oBAAM,MAAM;AACjC,aAAO,gCAAmB,IAAI,IAAI,qBAAqB,GAAG;AAAA,IACxD,aAAa;AAAA;AAAA,IACb,iBAAiB;AAAA;AAAA,IACjB,kBAAkB;AAAA;AAAA,EACpB,CAAC;AACH,CAAC;AAED,MAAM,qBAAiB,oBAAM,MAAM;AACjC,aAAO,gCAAmB,IAAI,IAAI,yBAAyB,GAAG;AAAA,IAC5D,aAAa;AAAA;AAAA,IACb,iBAAiB;AAAA;AAAA,IACjB,kBAAkB;AAAA;AAAA,EACpB,CAAC;AACH,CAAC;AAGD,SAAS,UAAU,OAAe;AAChC,MAAI;AACF,UAAM,CAAC,WAAW,UAAU,IAAI,MAAM,MAAM,GAAG;AAC/C,UAAM,SAAS,KAAK,MAAM,OAAO,KAAK,WAAW,QAAQ,EAAE,SAAS,CAAC;AACrE,UAAM,UAAU,KAAK,MAAM,OAAO,KAAK,YAAY,QAAQ,EAAE,SAAS,CAAC;AACvE,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B,SAAS,OAAO;AACd,YAAQ,MAAM,uBAAuB,KAAK;AAC1C,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,oBAAoB,OAAe,kBAAkB,OAAO;AAChF,MAAI;AACF,UAAM,YAAY,QAAQ,IAAI;AAC9B,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,uCAAuC;AAAA,IACzD;AAGA,UAAM,UAAU,UAAU,KAAK;AAC/B,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,sBAAsB;AAAA,IACxC;AASA,UAAM,OAAO,kBAAkB,MAAM,eAAe,IAAI,MAAM,eAAe;AAE7E,UAAM,EAAE,QAAQ,IAAI,UAAM,uBAAU,OAAO,MAAM;AAAA,MAC3C,QAAQ,kBACJ,yCAAyC,YACzC,oCAAoC;AAAA,MACxC,UAAU;AAAA,MACV,YAAY,CAAC,OAAO;AAAA,IAC1B,CAAC;AAED,UAAM,kBAAkB;AACxB,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAGxC,QAAI,CAAC,gBAAgB,KAAK;AACpB,YAAM,IAAI,MAAM,wBAAwB;AAAA,IAC9C;AAEA,WAAO;AAAA,MACD,OAAO;AAAA,MACP,KAAK,gBAAgB;AAAA,MACrB,OAAO,gBAAgB;AAAA,MACvB,eAAe,gBAAgB;AAAA,MAC/B,UAAU,gBAAgB;AAAA,MAC1B,UAAU,gBAAgB;AAAA,MAC1B,WAAW,gBAAgB;AAAA,IAC7B;AAAA,EACJ,SAAS,OAAO;AACZ,YAAQ,MAAM,+BAA+B;AAAA,MAC3C,OACE,iBAAiB,QACb;AAAA,QACE,MAAM,MAAM;AAAA,QACZ,SAAS,MAAM;AAAA,QACf,OAAO,MAAM;AAAA,MACf,IACA;AAAA,MACN,SAAS,UAAU,KAAK;AAAA;AAAA,MAExB;AAAA,IACF,CAAC;AAED,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAClD;AAAA,EACF;AACF;","names":[]}
+{"version":3,"sources":["../../../src/server/jwt-edge.ts"],"sourcesContent":["import { createRemoteJWKSet,jwtVerify } from \"jose\"\r\nimport { cache } from \"react\"\r\n\r\ninterface FirebaseIdTokenPayload {\r\n  iss: string\r\n  aud: string\r\n  auth_time: number\r\n  user_id: string\r\n  sub: string\r\n  iat: number\r\n  exp: number\r\n  email?: string\r\n  email_verified?: boolean\r\n  firebase: {\r\n    identities: {\r\n      [key: string]: any\r\n    }\r\n    sign_in_provider: string\r\n    tenant?: string;\r\n  }\r\n}\r\n\r\ninterface FirebaseTokenResult {\r\n  valid: boolean;\r\n  tenant?: string;\r\n  uid?: string;\r\n  email?: string | null;\r\n  emailVerified?: boolean;\r\n  authTime?: number;\r\n  issuedAt?: number;\r\n  expiresAt?: number;\r\n  error?: string;\r\n}\r\n\r\n// Firebase public key endpoints\r\nconst FIREBASE_ID_TOKEN_URL = \"https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com\"\r\nconst FIREBASE_SESSION_CERT_URL = \"https://identitytoolkit.googleapis.com/v1/sessionCookiePublicKeys\"\r\n\r\n// Cache the JWKS using React cache\r\nconst getIdTokenJWKS = cache(() => {\r\n  return createRemoteJWKSet(new URL(FIREBASE_ID_TOKEN_URL), {\r\n    cacheMaxAge: 3600000, // 1 hour\r\n    timeoutDuration: 5000, // 5 seconds\r\n    cooldownDuration: 30000, // 30 seconds between retries\r\n  })\r\n})\r\n\r\nconst getSessionJWKS = cache(() => {\r\n  return createRemoteJWKSet(new URL(FIREBASE_SESSION_CERT_URL), {\r\n    cacheMaxAge: 3600000, // 1 hour\r\n    timeoutDuration: 5000, // 5 seconds\r\n    cooldownDuration: 30000, // 30 seconds between retries\r\n  })\r\n})\r\n\r\n// Helper to decode JWT without verification\r\nfunction decodeJwt(token: string) {\r\n  try {\r\n    const [headerB64, payloadB64] = token.split(\".\")\r\n    const header = JSON.parse(Buffer.from(headerB64, \"base64\").toString())\r\n    const payload = JSON.parse(Buffer.from(payloadB64, \"base64\").toString())\r\n    return { header, payload }\r\n  } catch (error) {\r\n    console.error(\"Error decoding JWT:\", error)\r\n    return null\r\n  }\r\n}\r\n\r\nexport async function verifyFirebaseToken(token: string, isSessionCookie = false): Promise<FirebaseTokenResult> {\r\n  try {\r\n    const projectId = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID\r\n    if (!projectId) {\r\n      throw new Error(\"Firebase Project ID is not configured\")\r\n    }\r\n\r\n    // Decode token for debugging and type checking\r\n    const decoded = decodeJwt(token)\r\n    if (!decoded) {\r\n      throw new Error(\"Invalid token format\")\r\n    }\r\n\r\n    //console.log(\"Token details:\", {\r\n     // header: decoded.header,\r\n     // type: isSessionCookie ? \"session_cookie\" : \"id_token\",\r\n    //})\r\n\r\n    let retries = 3\r\n    let lastError: Error | null = null\r\n\r\n    while (retries > 0) {\r\n      try {\r\n        // Use different JWKS based on token type\r\n        const JWKS = isSessionCookie ? await getSessionJWKS() : await getIdTokenJWKS()\r\n\r\n        const { payload } = await jwtVerify(token, JWKS, {\r\n          issuer: isSessionCookie\r\n            ? \"https://session.firebase.google.com/\" + projectId\r\n            : \"https://securetoken.google.com/\" + projectId,\r\n          audience: projectId,\r\n          algorithms: [\"RS256\"],\r\n        })\r\n\r\n        const firebasePayload = payload as unknown as FirebaseIdTokenPayload\r\n        const now = Math.floor(Date.now() / 1000)\r\n\r\n        // Verify token claims\r\n        if (firebasePayload.exp <= now) {\r\n          throw new Error(\"Token has expired\")\r\n        }\r\n\r\n        if (firebasePayload.iat > now) {\r\n          throw new Error(\"Token issued time is in the future\")\r\n        }\r\n\r\n        if (!firebasePayload.sub) {\r\n          throw new Error(\"Token subject is empty\")\r\n        }\r\n\r\n        if (firebasePayload.auth_time > now) {\r\n          throw new Error(\"Token auth time is in the future\")\r\n        }\r\n\r\n        return {\r\n          valid: true,\r\n          uid: firebasePayload.sub,\r\n          email: firebasePayload.email,\r\n          emailVerified: firebasePayload.email_verified,\r\n          tenant: firebasePayload.firebase.tenant,\r\n          authTime: firebasePayload.auth_time,\r\n          issuedAt: firebasePayload.iat,\r\n          expiresAt: firebasePayload.exp,\r\n        }\r\n      } catch (error) {\r\n        lastError = error as Error\r\n        if (error instanceof Error && error.name === \"JWKSNoMatchingKey\") {\r\n          console.warn(`JWKS retry attempt ${4 - retries}:`, error.message)\r\n          retries--\r\n          if (retries > 0) {\r\n            await new Promise((resolve) => setTimeout(resolve, 1000))\r\n            continue\r\n          }\r\n        }\r\n        throw error\r\n      }\r\n    }\r\n\r\n    throw lastError || new Error(\"Failed to verify token after retries\")\r\n  } catch (error) {\r\n    console.error(\"Token verification details:\", {\r\n      error:\r\n        error instanceof Error\r\n          ? {\r\n              name: error.name,\r\n              message: error.message,\r\n              stack: error.stack,\r\n            }\r\n          : error,\r\n      decoded: decodeJwt(token),\r\n      //projectId,\r\n      isSessionCookie,\r\n    })\r\n\r\n    return {\r\n      valid: false,\r\n      error: error instanceof Error ? error.message : \"Invalid token\",\r\n    }\r\n  }\r\n}\r\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,kBAA6C;AAC7C,mBAAsB;AAkCtB,MAAM,wBAAwB;AAC9B,MAAM,4BAA4B;AAGlC,MAAM,qBAAiB,oBAAM,MAAM;AACjC,aAAO,gCAAmB,IAAI,IAAI,qBAAqB,GAAG;AAAA,IACxD,aAAa;AAAA;AAAA,IACb,iBAAiB;AAAA;AAAA,IACjB,kBAAkB;AAAA;AAAA,EACpB,CAAC;AACH,CAAC;AAED,MAAM,qBAAiB,oBAAM,MAAM;AACjC,aAAO,gCAAmB,IAAI,IAAI,yBAAyB,GAAG;AAAA,IAC5D,aAAa;AAAA;AAAA,IACb,iBAAiB;AAAA;AAAA,IACjB,kBAAkB;AAAA;AAAA,EACpB,CAAC;AACH,CAAC;AAGD,SAAS,UAAU,OAAe;AAChC,MAAI;AACF,UAAM,CAAC,WAAW,UAAU,IAAI,MAAM,MAAM,GAAG;AAC/C,UAAM,SAAS,KAAK,MAAM,OAAO,KAAK,WAAW,QAAQ,EAAE,SAAS,CAAC;AACrE,UAAM,UAAU,KAAK,MAAM,OAAO,KAAK,YAAY,QAAQ,EAAE,SAAS,CAAC;AACvE,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B,SAAS,OAAO;AACd,YAAQ,MAAM,uBAAuB,KAAK;AAC1C,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,oBAAoB,OAAe,kBAAkB,OAAqC;AAC9G,MAAI;AACF,UAAM,YAAY,QAAQ,IAAI;AAC9B,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,uCAAuC;AAAA,IACzD;AAGA,UAAM,UAAU,UAAU,KAAK;AAC/B,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,sBAAsB;AAAA,IACxC;AAOA,QAAI,UAAU;AACd,QAAI,YAA0B;AAE9B,WAAO,UAAU,GAAG;AAClB,UAAI;AAEF,cAAM,OAAO,kBAAkB,MAAM,eAAe,IAAI,MAAM,eAAe;AAE7E,cAAM,EAAE,QAAQ,IAAI,UAAM,uBAAU,OAAO,MAAM;AAAA,UAC/C,QAAQ,kBACJ,yCAAyC,YACzC,oCAAoC;AAAA,UACxC,UAAU;AAAA,UACV,YAAY,CAAC,OAAO;AAAA,QACtB,CAAC;AAED,cAAM,kBAAkB;AACxB,cAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAGxC,YAAI,gBAAgB,OAAO,KAAK;AAC9B,gBAAM,IAAI,MAAM,mBAAmB;AAAA,QACrC;AAEA,YAAI,gBAAgB,MAAM,KAAK;AAC7B,gBAAM,IAAI,MAAM,oCAAoC;AAAA,QACtD;AAEA,YAAI,CAAC,gBAAgB,KAAK;AACxB,gBAAM,IAAI,MAAM,wBAAwB;AAAA,QAC1C;AAEA,YAAI,gBAAgB,YAAY,KAAK;AACnC,gBAAM,IAAI,MAAM,kCAAkC;AAAA,QACpD;AAEA,eAAO;AAAA,UACL,OAAO;AAAA,UACP,KAAK,gBAAgB;AAAA,UACrB,OAAO,gBAAgB;AAAA,UACvB,eAAe,gBAAgB;AAAA,UAC/B,QAAQ,gBAAgB,SAAS;AAAA,UACjC,UAAU,gBAAgB;AAAA,UAC1B,UAAU,gBAAgB;AAAA,UAC1B,WAAW,gBAAgB;AAAA,QAC7B;AAAA,MACF,SAAS,OAAO;AACd,oBAAY;AACZ,YAAI,iBAAiB,SAAS,MAAM,SAAS,qBAAqB;AAChE,kBAAQ,KAAK,sBAAsB,IAAI,OAAO,KAAK,MAAM,OAAO;AAChE;AACA,cAAI,UAAU,GAAG;AACf,kBAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,GAAI,CAAC;AACxD;AAAA,UACF;AAAA,QACF;AACA,cAAM;AAAA,MACR;AAAA,IACF;AAEA,UAAM,aAAa,IAAI,MAAM,sCAAsC;AAAA,EACrE,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B;AAAA,MAC3C,OACE,iBAAiB,QACb;AAAA,QACE,MAAM,MAAM;AAAA,QACZ,SAAS,MAAM;AAAA,QACf,OAAO,MAAM;AAAA,MACf,IACA;AAAA,MACN,SAAS,UAAU,KAAK;AAAA;AAAA,MAExB;AAAA,IACF,CAAC;AAED,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAClD;AAAA,EACF;AACF;","names":[]}