firebase-admin 12.7.0 → 13.0.0

package/lib/app/credential-internal.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v12.7.0 */
+/*! firebase-admin v13.0.0 */
 "use strict";
 /*!
  * @license
@@ -17,37 +17,84 @@
  * limitations under the License.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getApplicationDefault = exports.isApplicationDefault = exports.ImpersonatedServiceAccountCredential = exports.RefreshTokenCredential = exports.ComputeEngineCredential = exports.ServiceAccountCredential = void 0;
+exports.ImpersonatedServiceAccountCredential = exports.RefreshTokenCredential = exports.ServiceAccountCredential = exports.ApplicationDefaultCredential = void 0;
+exports.isApplicationDefault = isApplicationDefault;
+exports.getApplicationDefault = getApplicationDefault;
 const fs = require("fs");
-const os = require("os");
-const path = require("path");
+const google_auth_library_1 = require("google-auth-library");
 const error_1 = require("../utils/error");
-const api_request_1 = require("../utils/api-request");
 const util = require("../utils/validator");
-const GOOGLE_TOKEN_AUDIENCE = 'https://accounts.google.com/o/oauth2/token';
-const GOOGLE_AUTH_TOKEN_HOST = 'accounts.google.com';
-const GOOGLE_AUTH_TOKEN_PATH = '/o/oauth2/token';
-// NOTE: the Google Metadata Service uses HTTP over a vlan
-const GOOGLE_METADATA_SERVICE_HOST = 'metadata.google.internal';
-const GOOGLE_METADATA_SERVICE_TOKEN_PATH = '/computeMetadata/v1/instance/service-accounts/default/token';
-const GOOGLE_METADATA_SERVICE_IDENTITY_PATH = '/computeMetadata/v1/instance/service-accounts/default/identity';
-const GOOGLE_METADATA_SERVICE_PROJECT_ID_PATH = '/computeMetadata/v1/project/project-id';
-const GOOGLE_METADATA_SERVICE_ACCOUNT_ID_PATH = '/computeMetadata/v1/instance/service-accounts/default/email';
-const configDir = (() => {
-    // Windows has a dedicated low-rights location for apps at ~/Application Data
-    const sys = os.platform();
-    if (sys && sys.length >= 3 && sys.substring(0, 3).toLowerCase() === 'win') {
-        return process.env.APPDATA;
+const SCOPES = [
+    'https://www.googleapis.com/auth/cloud-platform',
+    'https://www.googleapis.com/auth/firebase.database',
+    'https://www.googleapis.com/auth/firebase.messaging',
+    'https://www.googleapis.com/auth/identitytoolkit',
+    'https://www.googleapis.com/auth/userinfo.email',
+];
+/**
+ * Implementation of ADC that uses google-auth-library-nodejs.
+ */
+class ApplicationDefaultCredential {
+    constructor(httpAgent) {
+        this.googleAuth = new google_auth_library_1.GoogleAuth({
+            scopes: SCOPES,
+            clientOptions: {
+                transporterOptions: {
+                    agent: httpAgent,
+                },
+            },
+        });
+    }
+    async getAccessToken() {
+        if (!this.authClient) {
+            this.authClient = await this.googleAuth.getClient();
+        }
+        await this.authClient.getAccessToken();
+        const credentials = this.authClient.credentials;
+        this.quotaProjectId = this.authClient.quotaProjectId;
+        return populateCredential(credentials);
+    }
+    async getProjectId() {
+        if (!this.projectId) {
+            this.projectId = await this.googleAuth.getProjectId();
+        }
+        return Promise.resolve(this.projectId);
+    }
+    getQuotaProjectId() {
+        if (!this.quotaProjectId) {
+            this.quotaProjectId = this.authClient?.quotaProjectId;
+        }
+        return this.quotaProjectId;
+    }
+    async isComputeEngineCredential() {
+        if (!this.authClient) {
+            this.authClient = await this.googleAuth.getClient();
+        }
+        return Promise.resolve(this.authClient instanceof google_auth_library_1.Compute);
+    }
+    /**
+   * getIDToken returns a OIDC token from the compute metadata service
+   * that can be used to make authenticated calls to audience
+   * @param audience the URL the returned ID token will be used to call.
+  */
+    async getIDToken(audience) {
+        if (await this.isComputeEngineCredential()) {
+            return this.authClient.fetchIdToken(audience);
+        }
+        else {
+            throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, 'Credentials type should be Compute Engine Credentials.');
+        }
+    }
+    async getServiceAccountEmail() {
+        if (this.accountId) {
+            return Promise.resolve(this.accountId);
+        }
+        const { client_email: clientEmail } = await this.googleAuth.getCredentials();
+        this.accountId = clientEmail ?? '';
+        return Promise.resolve(this.accountId);
     }
-    // On *nix the gcloud cli creates a . dir.
-    return process.env.HOME && path.resolve(process.env.HOME, '.config');
-})();
-const GCLOUD_CREDENTIAL_SUFFIX = 'gcloud/application_default_credentials.json';
-const GCLOUD_CREDENTIAL_PATH = configDir && path.resolve(configDir, GCLOUD_CREDENTIAL_SUFFIX);
-const REFRESH_TOKEN_HOST = 'www.googleapis.com';
-const REFRESH_TOKEN_PATH = '/oauth2/v4/token';
-const ONE_HOUR_IN_SECONDS = 60 * 60;
-const JWT_ALGORITHM = 'RS256';
+}
+exports.ApplicationDefaultCredential = ApplicationDefaultCredential;
 /**
  * Implementation of Credential that uses a service account.
  */
@@ -57,12 +104,13 @@ class ServiceAccountCredential {
      *
      * @param serviceAccountPathOrObject - Service account json object or path to a service account json file.
      * @param httpAgent - Optional http.Agent to use when calling the remote token server.
-     * @param implicit - An optinal boolean indicating whether this credential was implicitly discovered from the
+     * @param implicit - An optional boolean indicating whether this credential was implicitly discovered from the
      *   environment, as opposed to being explicitly specified by the developer.
      *
      * @constructor
      */
     constructor(serviceAccountPathOrObject, httpAgent, implicit = false) {
+        this.serviceAccountPathOrObject = serviceAccountPathOrObject;
         this.httpAgent = httpAgent;
         this.implicit = implicit;
         const serviceAccount = (typeof serviceAccountPathOrObject === 'string') ?
@@ -71,43 +119,24 @@ class ServiceAccountCredential {
         this.projectId = serviceAccount.projectId;
         this.privateKey = serviceAccount.privateKey;
         this.clientEmail = serviceAccount.clientEmail;
-        this.httpClient = new api_request_1.HttpClient();
-    }
-    getAccessToken() {
-        const token = this.createAuthJwt_();
-        const postData = 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3A' +
-            'grant-type%3Ajwt-bearer&assertion=' + token;
-        const request = {
-            method: 'POST',
-            url: `https://${GOOGLE_AUTH_TOKEN_HOST}${GOOGLE_AUTH_TOKEN_PATH}`,
-            headers: {
-                'Content-Type': 'application/x-www-form-urlencoded',
-            },
-            data: postData,
-            httpAgent: this.httpAgent,
-        };
-        return requestAccessToken(this.httpClient, request);
     }
-    // eslint-disable-next-line @typescript-eslint/naming-convention
-    createAuthJwt_() {
-        const claims = {
-            scope: [
-                'https://www.googleapis.com/auth/cloud-platform',
-                'https://www.googleapis.com/auth/firebase.database',
-                'https://www.googleapis.com/auth/firebase.messaging',
-                'https://www.googleapis.com/auth/identitytoolkit',
-                'https://www.googleapis.com/auth/userinfo.email',
-            ].join(' '),
-        };
-        // eslint-disable-next-line @typescript-eslint/no-var-requires
-        const jwt = require('jsonwebtoken');
-        // This method is actually synchronous so we can capture and return the buffer.
-        return jwt.sign(claims, this.privateKey, {
-            audience: GOOGLE_TOKEN_AUDIENCE,
-            expiresIn: ONE_HOUR_IN_SECONDS,
-            issuer: this.clientEmail,
-            algorithm: JWT_ALGORITHM,
-        });
+    getGoogleAuth() {
+        if (this.googleAuth) {
+            return this.googleAuth;
+        }
+        const { auth, client } = populateGoogleAuth(this.serviceAccountPathOrObject, this.httpAgent);
+        this.googleAuth = auth;
+        this.authClient = client;
+        return this.googleAuth;
+    }
+    async getAccessToken() {
+        const googleAuth = this.getGoogleAuth();
+        if (this.authClient === undefined) {
+            this.authClient = await googleAuth.getClient();
+        }
+        await this.authClient.getAccessToken();
+        const credentials = this.authClient.credentials;
+        return populateCredential(credentials);
     }
 }
 exports.ServiceAccountCredential = ServiceAccountCredential;
@@ -154,71 +183,6 @@ class ServiceAccount {
         }
     }
 }
-/**
- * Implementation of Credential that gets access tokens from the metadata service available
- * in the Google Cloud Platform. This authenticates the process as the default service account
- * of an App Engine instance or Google Compute Engine machine.
- */
-class ComputeEngineCredential {
-    constructor(httpAgent) {
-        this.httpClient = new api_request_1.HttpClient();
-        this.httpAgent = httpAgent;
-    }
-    getAccessToken() {
-        const request = this.buildRequest(GOOGLE_METADATA_SERVICE_TOKEN_PATH);
-        return requestAccessToken(this.httpClient, request);
-    }
-    /**
-     * getIDToken returns a OIDC token from the compute metadata service
-     * that can be used to make authenticated calls to audience
-     * @param audience the URL the returned ID token will be used to call.
-    */
-    getIDToken(audience) {
-        const request = this.buildRequest(`${GOOGLE_METADATA_SERVICE_IDENTITY_PATH}?audience=${audience}`);
-        return requestIDToken(this.httpClient, request);
-    }
-    getProjectId() {
-        if (this.projectId) {
-            return Promise.resolve(this.projectId);
-        }
-        const request = this.buildRequest(GOOGLE_METADATA_SERVICE_PROJECT_ID_PATH);
-        return this.httpClient.send(request)
-            .then((resp) => {
-            this.projectId = resp.text;
-            return this.projectId;
-        })
-            .catch((err) => {
-            const detail = (err instanceof api_request_1.RequestResponseError) ? getDetailFromResponse(err.response) : err.message;
-            throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, `Failed to determine project ID: ${detail}`);
-        });
-    }
-    getServiceAccountEmail() {
-        if (this.accountId) {
-            return Promise.resolve(this.accountId);
-        }
-        const request = this.buildRequest(GOOGLE_METADATA_SERVICE_ACCOUNT_ID_PATH);
-        return this.httpClient.send(request)
-            .then((resp) => {
-            this.accountId = resp.text;
-            return this.accountId;
-        })
-            .catch((err) => {
-            const detail = (err instanceof api_request_1.RequestResponseError) ? getDetailFromResponse(err.response) : err.message;
-            throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, `Failed to determine service account email: ${detail}`);
-        });
-    }
-    buildRequest(urlPath) {
-        return {
-            method: 'GET',
-            url: `http://${GOOGLE_METADATA_SERVICE_HOST}${urlPath}`,
-            headers: {
-                'Metadata-Flavor': 'Google',
-            },
-            httpAgent: this.httpAgent,
-        };
-    }
-}
-exports.ComputeEngineCredential = ComputeEngineCredential;
 /**
  * Implementation of Credential that gets access tokens from refresh tokens.
  */
@@ -235,28 +199,30 @@ class RefreshTokenCredential {
      * @constructor
      */
     constructor(refreshTokenPathOrObject, httpAgent, implicit = false) {
+        this.refreshTokenPathOrObject = refreshTokenPathOrObject;
         this.httpAgent = httpAgent;
         this.implicit = implicit;
-        this.refreshToken = (typeof refreshTokenPathOrObject === 'string') ?
-            RefreshToken.fromPath(refreshTokenPathOrObject)
-            : new RefreshToken(refreshTokenPathOrObject);
-        this.httpClient = new api_request_1.HttpClient();
+        (typeof refreshTokenPathOrObject === 'string') ?
+            RefreshToken.validateFromPath(refreshTokenPathOrObject)
+            : RefreshToken.validateFromJSON(refreshTokenPathOrObject);
     }
-    getAccessToken() {
-        const postData = 'client_id=' + this.refreshToken.clientId + '&' +
-            'client_secret=' + this.refreshToken.clientSecret + '&' +
-            'refresh_token=' + this.refreshToken.refreshToken + '&' +
-            'grant_type=refresh_token';
-        const request = {
-            method: 'POST',
-            url: `https://${REFRESH_TOKEN_HOST}${REFRESH_TOKEN_PATH}`,
-            headers: {
-                'Content-Type': 'application/x-www-form-urlencoded',
-            },
-            data: postData,
-            httpAgent: this.httpAgent,
-        };
-        return requestAccessToken(this.httpClient, request);
+    getGoogleAuth() {
+        if (this.googleAuth) {
+            return this.googleAuth;
+        }
+        const { auth, client } = populateGoogleAuth(this.refreshTokenPathOrObject, this.httpAgent);
+        this.googleAuth = auth;
+        this.authClient = client;
+        return this.googleAuth;
+    }
+    async getAccessToken() {
+        const googleAuth = this.getGoogleAuth();
+        if (this.authClient === undefined) {
+            this.authClient = await googleAuth.getClient();
+        }
+        await this.authClient.getAccessToken();
+        const credentials = this.authClient.credentials;
+        return populateCredential(credentials);
     }
 }
 exports.RefreshTokenCredential = RefreshTokenCredential;
@@ -265,31 +231,32 @@ class RefreshToken {
      * Tries to load a RefreshToken from a path. Throws if the path doesn't exist or the
      * data at the path is invalid.
      */
-    static fromPath(filePath) {
+    static validateFromPath(filePath) {
         try {
-            return new RefreshToken(JSON.parse(fs.readFileSync(filePath, 'utf8')));
+            RefreshToken.validateFromJSON(JSON.parse(fs.readFileSync(filePath, 'utf8')));
         }
         catch (error) {
             // Throw a nicely formed error message if the file contents cannot be parsed
             throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, 'Failed to parse refresh token file: ' + error);
         }
     }
-    constructor(json) {
-        copyAttr(this, json, 'clientId', 'client_id');
-        copyAttr(this, json, 'clientSecret', 'client_secret');
-        copyAttr(this, json, 'refreshToken', 'refresh_token');
-        copyAttr(this, json, 'type', 'type');
+    static validateFromJSON(json) {
+        const creds = { clientId: '', clientSecret: '', refreshToken: '', type: '' };
+        copyAttr(creds, json, 'clientId', 'client_id');
+        copyAttr(creds, json, 'clientSecret', 'client_secret');
+        copyAttr(creds, json, 'refreshToken', 'refresh_token');
+        copyAttr(creds, json, 'type', 'type');
         let errorMessage;
-        if (!util.isNonEmptyString(this.clientId)) {
+        if (!util.isNonEmptyString(creds.clientId)) {
             errorMessage = 'Refresh token must contain a "client_id" property.';
         }
-        else if (!util.isNonEmptyString(this.clientSecret)) {
+        else if (!util.isNonEmptyString(creds.clientSecret)) {
             errorMessage = 'Refresh token must contain a "client_secret" property.';
         }
-        else if (!util.isNonEmptyString(this.refreshToken)) {
+        else if (!util.isNonEmptyString(creds.refreshToken)) {
             errorMessage = 'Refresh token must contain a "refresh_token" property.';
         }
-        else if (!util.isNonEmptyString(this.type)) {
+        else if (!util.isNonEmptyString(creds.type)) {
             errorMessage = 'Refresh token must contain a "type" property.';
         }
         if (typeof errorMessage !== 'undefined') {
@@ -313,67 +280,63 @@ class ImpersonatedServiceAccountCredential {
      * @constructor
      */
     constructor(impersonatedServiceAccountPathOrObject, httpAgent, implicit = false) {
+        this.impersonatedServiceAccountPathOrObject = impersonatedServiceAccountPathOrObject;
         this.httpAgent = httpAgent;
         this.implicit = implicit;
-        this.impersonatedServiceAccount = (typeof impersonatedServiceAccountPathOrObject === 'string') ?
-            ImpersonatedServiceAccount.fromPath(impersonatedServiceAccountPathOrObject)
-            : new ImpersonatedServiceAccount(impersonatedServiceAccountPathOrObject);
-        this.httpClient = new api_request_1.HttpClient();
+        (typeof impersonatedServiceAccountPathOrObject === 'string') ?
+            ImpersonatedServiceAccount.validateFromPath(impersonatedServiceAccountPathOrObject)
+            : ImpersonatedServiceAccount.validateFromJSON(impersonatedServiceAccountPathOrObject);
     }
-    getAccessToken() {
-        const postData = 'client_id=' + this.impersonatedServiceAccount.clientId + '&' +
-            'client_secret=' + this.impersonatedServiceAccount.clientSecret + '&' +
-            'refresh_token=' + this.impersonatedServiceAccount.refreshToken + '&' +
-            'grant_type=refresh_token';
-        const request = {
-            method: 'POST',
-            url: `https://${REFRESH_TOKEN_HOST}${REFRESH_TOKEN_PATH}`,
-            headers: {
-                'Content-Type': 'application/x-www-form-urlencoded',
-            },
-            data: postData,
-            httpAgent: this.httpAgent,
-        };
-        return requestAccessToken(this.httpClient, request);
+    getGoogleAuth() {
+        if (this.googleAuth) {
+            return this.googleAuth;
+        }
+        const { auth, client } = populateGoogleAuth(this.impersonatedServiceAccountPathOrObject, this.httpAgent);
+        this.googleAuth = auth;
+        this.authClient = client;
+        return this.googleAuth;
+    }
+    async getAccessToken() {
+        const googleAuth = this.getGoogleAuth();
+        if (this.authClient === undefined) {
+            this.authClient = await googleAuth.getClient();
+        }
+        await this.authClient.getAccessToken();
+        const credentials = this.authClient.credentials;
+        return populateCredential(credentials);
     }
 }
 exports.ImpersonatedServiceAccountCredential = ImpersonatedServiceAccountCredential;
 /**
- * A struct containing the properties necessary to use impersonated service account JSON credentials.
+ * A helper class to validate the properties necessary to use impersonated service account credentials.
  */
 class ImpersonatedServiceAccount {
     /*
      * Tries to load a ImpersonatedServiceAccount from a path. Throws if the path doesn't exist or the
      * data at the path is invalid.
      */
-    static fromPath(filePath) {
+    static validateFromPath(filePath) {
         try {
-            return new ImpersonatedServiceAccount(JSON.parse(fs.readFileSync(filePath, 'utf8')));
+            ImpersonatedServiceAccount.validateFromJSON(JSON.parse(fs.readFileSync(filePath, 'utf8')));
         }
         catch (error) {
             // Throw a nicely formed error message if the file contents cannot be parsed
             throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, 'Failed to parse impersonated service account file: ' + error);
         }
     }
-    constructor(json) {
-        const sourceCredentials = json['source_credentials'];
-        if (sourceCredentials) {
-            copyAttr(this, sourceCredentials, 'clientId', 'client_id');
-            copyAttr(this, sourceCredentials, 'clientSecret', 'client_secret');
-            copyAttr(this, sourceCredentials, 'refreshToken', 'refresh_token');
-            copyAttr(this, sourceCredentials, 'type', 'type');
-        }
+    static validateFromJSON(json) {
+        const { client_id: clientId, client_secret: clientSecret, refresh_token: refreshToken, type } = json['source_credentials'];
         let errorMessage;
-        if (!util.isNonEmptyString(this.clientId)) {
+        if (!util.isNonEmptyString(clientId)) {
             errorMessage = 'Impersonated Service Account must contain a "source_credentials.client_id" property.';
         }
-        else if (!util.isNonEmptyString(this.clientSecret)) {
+        else if (!util.isNonEmptyString(clientSecret)) {
             errorMessage = 'Impersonated Service Account must contain a "source_credentials.client_secret" property.';
         }
-        else if (!util.isNonEmptyString(this.refreshToken)) {
+        else if (!util.isNonEmptyString(refreshToken)) {
             errorMessage = 'Impersonated Service Account must contain a "source_credentials.refresh_token" property.';
         }
-        else if (!util.isNonEmptyString(this.type)) {
+        else if (!util.isNonEmptyString(type)) {
             errorMessage = 'Impersonated Service Account must contain a "source_credentials.type" property.';
         }
         if (typeof errorMessage !== 'undefined') {
@@ -382,33 +345,17 @@ class ImpersonatedServiceAccount {
     }
 }
 /**
- * Checks if the given credential was loaded via the application default credentials mechanism. This
- * includes all ComputeEngineCredential instances, and the ServiceAccountCredential and RefreshTokenCredential
- * instances that were loaded from well-known files or environment variables, rather than being explicitly
- * instantiated.
+ * Checks if the given credential was loaded via the application default credentials mechanism.
  *
  * @param credential - The credential instance to check.
  */
 function isApplicationDefault(credential) {
-    return credential instanceof ComputeEngineCredential ||
-        (credential instanceof ServiceAccountCredential && credential.implicit) ||
-        (credential instanceof RefreshTokenCredential && credential.implicit) ||
-        (credential instanceof ImpersonatedServiceAccountCredential && credential.implicit);
+    return credential instanceof ApplicationDefaultCredential ||
+        (credential instanceof RefreshTokenCredential && credential.implicit);
 }
-exports.isApplicationDefault = isApplicationDefault;
 function getApplicationDefault(httpAgent) {
-    if (process.env.GOOGLE_APPLICATION_CREDENTIALS) {
-        return credentialFromFile(process.env.GOOGLE_APPLICATION_CREDENTIALS, httpAgent, false);
-    }
-    // It is OK to not have this file. If it is present, it must be valid.
-    if (GCLOUD_CREDENTIAL_PATH) {
-        const credential = credentialFromFile(GCLOUD_CREDENTIAL_PATH, httpAgent, true);
-        if (credential)
-            return credential;
-    }
-    return new ComputeEngineCredential(httpAgent);
+    return new ApplicationDefaultCredential(httpAgent);
 }
-exports.getApplicationDefault = getApplicationDefault;
 /**
  * Copies the specified property from one object to another.
  *
@@ -427,89 +374,42 @@ function copyAttr(to, from, key, alt) {
     }
 }
 /**
- * Obtain a new OAuth2 token by making a remote service call.
+ * Populate google-auth-library GoogleAuth credentials type.
  */
-function requestAccessToken(client, request) {
-    return client.send(request).then((resp) => {
-        const json = resp.data;
-        if (!json.access_token || !json.expires_in) {
-            throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, `Unexpected response while fetching access token: ${JSON.stringify(json)}`);
-        }
-        return json;
-    }).catch((err) => {
-        throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, getErrorMessage(err));
-    });
-}
-/**
- * Obtain a new OIDC token by making a remote service call.
- */
-function requestIDToken(client, request) {
-    return client.send(request).then((resp) => {
-        if (!resp.text) {
-            throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, 'Unexpected response while fetching id token: response.text is undefined');
-        }
-        return resp.text;
-    }).catch((err) => {
-        throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, getErrorMessage(err));
+function populateGoogleAuth(keyFile, httpAgent) {
+    let client;
+    const auth = new google_auth_library_1.GoogleAuth({
+        scopes: SCOPES,
+        clientOptions: {
+            transporterOptions: {
+                agent: httpAgent,
+            },
+        },
+        keyFile: (typeof keyFile === 'string') ? keyFile : undefined,
     });
-}
-/**
- * Constructs a human-readable error message from the given Error.
- */
-function getErrorMessage(err) {
-    const detail = (err instanceof api_request_1.RequestResponseError) ? getDetailFromResponse(err.response) : err.message;
-    return `Error fetching access token: ${detail}`;
-}
-/**
- * Extracts details from the given HTTP error response, and returns a human-readable description. If
- * the response is JSON-formatted, looks up the error and error_description fields sent by the
- * Google Auth servers. Otherwise returns the entire response payload as the error detail.
- */
-function getDetailFromResponse(response) {
-    if (response.isJson() && response.data.error) {
-        const json = response.data;
-        let detail = json.error;
-        if (json.error_description) {
-            detail += ' (' + json.error_description + ')';
-        }
-        return detail;
-    }
-    return response.text || 'Missing error payload';
-}
-function credentialFromFile(filePath, httpAgent, ignoreMissing) {
-    const credentialsFile = readCredentialFile(filePath, ignoreMissing);
-    if (typeof credentialsFile !== 'object' || credentialsFile === null) {
-        if (ignoreMissing) {
-            return null;
+    if (typeof keyFile === 'object') {
+        if (!util.isNonNullObject(keyFile)) {
+            throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, 'Service account must be an object.');
         }
-        throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, 'Failed to parse contents of the credentials file as an object');
+        client = auth.fromJSON(keyFile);
     }
-    if (credentialsFile.type === 'service_account') {
-        return new ServiceAccountCredential(credentialsFile, httpAgent, true);
-    }
-    if (credentialsFile.type === 'authorized_user') {
-        return new RefreshTokenCredential(credentialsFile, httpAgent, true);
-    }
-    if (credentialsFile.type === 'impersonated_service_account') {
-        return new ImpersonatedServiceAccountCredential(credentialsFile, httpAgent, true);
-    }
-    throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, 'Invalid contents in the credentials file');
+    return { auth, client };
 }
-function readCredentialFile(filePath, ignoreMissing) {
-    let fileText;
-    try {
-        fileText = fs.readFileSync(filePath, 'utf8');
-    }
-    catch (error) {
-        if (ignoreMissing) {
-            return null;
-        }
-        throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, `Failed to read credentials from file ${filePath}: ` + error);
-    }
-    try {
-        return JSON.parse(fileText);
-    }
-    catch (error) {
-        throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, 'Failed to parse contents of the credentials file as an object: ' + error);
-    }
+/**
+ * Populate GoogleOAuthAccessToken credentials from google-auth-library Credentials type.
+ */
+function populateCredential(credentials) {
+    const accessToken = credentials?.access_token;
+    const expiryDate = credentials?.expiry_date;
+    if (typeof accessToken !== 'string')
+        throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, 'Failed to parse Google auth credential: access_token must be a non empty string.');
+    if (typeof expiryDate !== 'number')
+        throw new error_1.FirebaseAppError(error_1.AppErrorCodes.INVALID_CREDENTIAL, 'Failed to parse Google auth credential: Invalid expiry_date.');
+    return {
+        ...credentials,
+        access_token: accessToken,
+        // inverse operation of following
+        // https://github.com/googleapis/google-auth-library-nodejs/blob/5ed910513451c82e2551777a3e2212964799ef8e/src/auth/baseexternalclient.ts#L446-L446
+        expires_in: Math.floor((expiryDate - new Date().getTime()) / 1000),
+    };
 }

package/lib/app/credential.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v12.7.0 */
+/*! firebase-admin v13.0.0 */
 /*!
  * @license
  * Copyright 2021 Google Inc.

package/lib/app/credential.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v12.7.0 */
+/*! firebase-admin v13.0.0 */
 "use strict";
 /*!
  * @license

package/lib/app/firebase-app.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v12.7.0 */
+/*! firebase-admin v13.0.0 */
 /*!
  * @license
  * Copyright 2017 Google Inc.

package/lib/app/firebase-app.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v12.7.0 */
+/*! firebase-admin v13.0.0 */
 "use strict";
 /*!
  * @license

package/lib/app/firebase-namespace.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v12.7.0 */
+/*! firebase-admin v13.0.0 */
 /*!
  * @license
  * Copyright 2017 Google Inc.