firebase-admin 9.100.0-alpha.0 → 10.0.2

package/lib/auth/token-generator.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.100.0-alpha.0 */
+/*! firebase-admin v10.0.2 */
 "use strict";
 /*!
  * @license
@@ -17,13 +17,11 @@
  * limitations under the License.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.FirebaseTokenGenerator = exports.cryptoSignerFromApp = exports.EmulatedSigner = exports.IAMSigner = exports.ServiceAccountSigner = exports.BLACKLISTED_CLAIMS = void 0;
-var credential_internal_1 = require("../app/credential-internal");
+exports.handleCryptoSignerError = exports.FirebaseTokenGenerator = exports.EmulatedSigner = exports.BLACKLISTED_CLAIMS = void 0;
 var error_1 = require("../utils/error");
-var api_request_1 = require("../utils/api-request");
+var crypto_signer_1 = require("../utils/crypto-signer");
 var validator = require("../utils/validator");
 var utils_1 = require("../utils");
-var ALGORITHM_RS256 = 'RS256';
 var ALGORITHM_NONE = 'none';
 var ONE_HOUR_IN_SECONDS = 60 * 60;
 // List of blacklisted claims which cannot be provided when creating a custom token
@@ -33,124 +31,6 @@ exports.BLACKLISTED_CLAIMS = [
 ];
 // Audience to use for Firebase Auth Custom tokens
 var FIREBASE_AUDIENCE = 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';
-/**
- * A CryptoSigner implementation that uses an explicitly specified service account private key to
- * sign data. Performs all operations locally, and does not make any RPC calls.
- */
-var ServiceAccountSigner = /** @class */ (function () {
-    /**
-     * Creates a new CryptoSigner instance from the given service account credential.
-     *
-     * @param {ServiceAccountCredential} credential A service account credential.
-     */
-    function ServiceAccountSigner(credential) {
-        this.credential = credential;
-        this.algorithm = ALGORITHM_RS256;
-        if (!credential) {
-            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CREDENTIAL, 'INTERNAL ASSERT: Must provide a service account credential to initialize ServiceAccountSigner.');
-        }
-    }
-    /**
-     * @inheritDoc
-     */
-    ServiceAccountSigner.prototype.sign = function (buffer) {
-        var crypto = require('crypto'); // eslint-disable-line @typescript-eslint/no-var-requires
-        var sign = crypto.createSign('RSA-SHA256');
-        sign.update(buffer);
-        return Promise.resolve(sign.sign(this.credential.privateKey));
-    };
-    /**
-     * @inheritDoc
-     */
-    ServiceAccountSigner.prototype.getAccountId = function () {
-        return Promise.resolve(this.credential.clientEmail);
-    };
-    return ServiceAccountSigner;
-}());
-exports.ServiceAccountSigner = ServiceAccountSigner;
-/**
- * A CryptoSigner implementation that uses the remote IAM service to sign data. If initialized without
- * a service account ID, attempts to discover a service account ID by consulting the local Metadata
- * service. This will succeed in managed environments like Google Cloud Functions and App Engine.
- *
- * @see https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signBlob
- * @see https://cloud.google.com/compute/docs/storing-retrieving-metadata
- */
-var IAMSigner = /** @class */ (function () {
-    function IAMSigner(httpClient, serviceAccountId) {
-        this.algorithm = ALGORITHM_RS256;
-        if (!httpClient) {
-            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'INTERNAL ASSERT: Must provide a HTTP client to initialize IAMSigner.');
-        }
-        if (typeof serviceAccountId !== 'undefined' && !validator.isNonEmptyString(serviceAccountId)) {
-            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'INTERNAL ASSERT: Service account ID must be undefined or a non-empty string.');
-        }
-        this.httpClient = httpClient;
-        this.serviceAccountId = serviceAccountId;
-    }
-    /**
-     * @inheritDoc
-     */
-    IAMSigner.prototype.sign = function (buffer) {
-        var _this = this;
-        return this.getAccountId().then(function (serviceAccount) {
-            var request = {
-                method: 'POST',
-                url: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/" + serviceAccount + ":signBlob",
-                data: { payload: buffer.toString('base64') },
-            };
-            return _this.httpClient.send(request);
-        }).then(function (response) {
-            // Response from IAM is base64 encoded. Decode it into a buffer and return.
-            return Buffer.from(response.data.signedBlob, 'base64');
-        }).catch(function (err) {
-            if (err instanceof api_request_1.HttpError) {
-                var error = err.response.data;
-                if (validator.isNonNullObject(error) && error.error) {
-                    var errorCode = error.error.status;
-                    var description = 'Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens ' +
-                        'for more details on how to use and troubleshoot this feature.';
-                    var errorMsg = error.error.message + "; " + description;
-                    throw error_1.FirebaseAuthError.fromServerError(errorCode, errorMsg, error);
-                }
-                throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INTERNAL_ERROR, 'Error returned from server: ' + error + '. Additionally, an ' +
-                    'internal error occurred while attempting to extract the ' +
-                    'errorcode from the error.');
-            }
-            throw err;
-        });
-    };
-    /**
-     * @inheritDoc
-     */
-    IAMSigner.prototype.getAccountId = function () {
-        var _this = this;
-        if (validator.isNonEmptyString(this.serviceAccountId)) {
-            return Promise.resolve(this.serviceAccountId);
-        }
-        var request = {
-            method: 'GET',
-            url: 'http://metadata/computeMetadata/v1/instance/service-accounts/default/email',
-            headers: {
-                'Metadata-Flavor': 'Google',
-            },
-        };
-        var client = new api_request_1.HttpClient();
-        return client.send(request).then(function (response) {
-            if (!response.text) {
-                throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INTERNAL_ERROR, 'HTTP Response missing payload');
-            }
-            _this.serviceAccountId = response.text;
-            return response.text;
-        }).catch(function (err) {
-            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CREDENTIAL, 'Failed to determine service account. Make sure to initialize ' +
-                'the SDK with a service account credential. Alternatively specify a service ' +
-                ("account with iam.serviceAccounts.signBlob permission. Original error: " + err));
-        });
-    };
-    return IAMSigner;
-}());
-exports.IAMSigner = IAMSigner;
 /**
  * A CryptoSigner implementation that is used when communicating with the Auth emulator.
  * It produces unsigned tokens.
@@ -175,27 +55,14 @@ var EmulatedSigner = /** @class */ (function () {
     return EmulatedSigner;
 }());
 exports.EmulatedSigner = EmulatedSigner;
-/**
- * Create a new CryptoSigner instance for the given app. If the app has been initialized with a service
- * account credential, creates a ServiceAccountSigner. Otherwise creates an IAMSigner.
- *
- * @param {FirebaseApp} app A FirebaseApp instance.
- * @return {CryptoSigner} A CryptoSigner instance.
- */
-function cryptoSignerFromApp(app) {
-    var credential = app.options.credential;
-    if (credential instanceof credential_internal_1.ServiceAccountCredential) {
-        return new ServiceAccountSigner(credential);
-    }
-    return new IAMSigner(new api_request_1.AuthorizedHttpClient(app), app.options.serviceAccountId);
-}
-exports.cryptoSignerFromApp = cryptoSignerFromApp;
 /**
  * Class for generating different types of Firebase Auth tokens (JWTs).
+ *
+ * @internal
  */
 var FirebaseTokenGenerator = /** @class */ (function () {
     /**
-     * @param tenantId The tenant ID to use for the generated Firebase Auth
+     * @param tenantId - The tenant ID to use for the generated Firebase Auth
      *     Custom token. If absent, then no tenant ID claim will be set in the
      *     resulting JWT.
      */
@@ -212,10 +79,10 @@ var FirebaseTokenGenerator = /** @class */ (function () {
     /**
      * Creates a new Firebase Auth Custom token.
      *
-     * @param uid The user ID to use for the generated Firebase Auth Custom token.
-     * @param developerClaims Optional developer claims to include in the generated Firebase
+     * @param uid - The user ID to use for the generated Firebase Auth Custom token.
+     * @param developerClaims - Optional developer claims to include in the generated Firebase
      *     Auth Custom token.
-     * @return A Promise fulfilled with a Firebase Auth Custom token signed with a
+     * @returns A Promise fulfilled with a Firebase Auth Custom token signed with a
      *     service account key and containing the provided payload.
      */
     FirebaseTokenGenerator.prototype.createCustomToken = function (uid, developerClaims) {
@@ -260,7 +127,6 @@ var FirebaseTokenGenerator = /** @class */ (function () {
                 uid: uid,
             };
             if (_this.tenantId) {
-                // eslint-disable-next-line @typescript-eslint/camelcase
                 body.tenant_id = _this.tenantId;
             }
             if (Object.keys(claims).length > 0) {
@@ -272,6 +138,8 @@ var FirebaseTokenGenerator = /** @class */ (function () {
         }).then(function (_a) {
             var token = _a[0], signature = _a[1];
             return token + "." + _this.encodeSegment(signature);
+        }).catch(function (err) {
+            throw handleCryptoSignerError(err);
         });
     };
     FirebaseTokenGenerator.prototype.encodeSegment = function (segment) {
@@ -281,9 +149,10 @@ var FirebaseTokenGenerator = /** @class */ (function () {
     /**
      * Returns whether or not the provided developer claims are valid.
      *
-     * @param {object} [developerClaims] Optional developer claims to validate.
-     * @return {boolean} True if the provided claims are valid; otherwise, false.
+     * @param developerClaims - Optional developer claims to validate.
+     * @returns True if the provided claims are valid; otherwise, false.
      */
+    // eslint-disable-next-line @typescript-eslint/naming-convention
     FirebaseTokenGenerator.prototype.isDeveloperClaimsValid_ = function (developerClaims) {
         if (typeof developerClaims === 'undefined') {
             return true;
@@ -293,3 +162,41 @@ var FirebaseTokenGenerator = /** @class */ (function () {
     return FirebaseTokenGenerator;
 }());
 exports.FirebaseTokenGenerator = FirebaseTokenGenerator;
+/**
+ * Creates a new FirebaseAuthError by extracting the error code, message and other relevant
+ * details from a CryptoSignerError.
+ *
+ * @param err - The Error to convert into a FirebaseAuthError error
+ * @returns A Firebase Auth error that can be returned to the user.
+ */
+function handleCryptoSignerError(err) {
+    if (!(err instanceof crypto_signer_1.CryptoSignerError)) {
+        return err;
+    }
+    if (err.code === crypto_signer_1.CryptoSignerErrorCode.SERVER_ERROR && validator.isNonNullObject(err.cause)) {
+        var httpError = err.cause;
+        var errorResponse = httpError.response.data;
+        if (validator.isNonNullObject(errorResponse) && errorResponse.error) {
+            var errorCode = errorResponse.error.status;
+            var description = 'Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens ' +
+                'for more details on how to use and troubleshoot this feature.';
+            var errorMsg = errorResponse.error.message + "; " + description;
+            return error_1.FirebaseAuthError.fromServerError(errorCode, errorMsg, errorResponse);
+        }
+        return new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INTERNAL_ERROR, 'Error returned from server: ' + errorResponse + '. Additionally, an ' +
+            'internal error occurred while attempting to extract the ' +
+            'errorcode from the error.');
+    }
+    return new error_1.FirebaseAuthError(mapToAuthClientErrorCode(err.code), err.message);
+}
+exports.handleCryptoSignerError = handleCryptoSignerError;
+function mapToAuthClientErrorCode(code) {
+    switch (code) {
+        case crypto_signer_1.CryptoSignerErrorCode.INVALID_CREDENTIAL:
+            return error_1.AuthClientErrorCode.INVALID_CREDENTIAL;
+        case crypto_signer_1.CryptoSignerErrorCode.INVALID_ARGUMENT:
+            return error_1.AuthClientErrorCode.INVALID_ARGUMENT;
+        default:
+            return error_1.AuthClientErrorCode.INTERNAL_ERROR;
+    }
+}

package/lib/auth/token-verifier.d.ts

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.100.0-alpha.0 */
+/*! firebase-admin v10.0.2 */
 /*!
  * Copyright 2018 Google Inc.
  *
@@ -16,7 +16,7 @@
  */
 /**
  * Interface representing a decoded Firebase ID token, returned from the
- * {@link auth.Auth.verifyIdToken `verifyIdToken()`} method.
+ * {@link BaseAuth.verifyIdToken} method.
  *
  * Firebase ID tokens are OpenID Connect spec-compliant JSON Web Tokens (JWTs).
  * See the
@@ -78,7 +78,7 @@ export interface DecodedIdToken {
          * The ID of the provider used to sign in the user.
          * One of `"anonymous"`, `"password"`, `"facebook.com"`, `"github.com"`,
          * `"google.com"`, `"twitter.com"`, `"apple.com"`, `"microsoft.com"`,
-         * "yahoo.com"`, `"phone"`, `"playgames.google.com"`, `"gc.apple.com"`,
+         * `"yahoo.com"`, `"phone"`, `"playgames.google.com"`, `"gc.apple.com"`,
          * or `"custom"`.
          *
          * Additional Identity Platform provider IDs include `"linkedin.com"`,
@@ -148,4 +148,3 @@ export interface DecodedIdToken {
      */
     [key: string]: any;
 }
-export declare const ALGORITHM_RS256 = "RS256";

package/lib/auth/token-verifier.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.100.0-alpha.0 */
+/*! firebase-admin v10.0.2 */
 "use strict";
 /*!
  * Copyright 2018 Google Inc.
@@ -16,20 +16,19 @@
  * limitations under the License.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createSessionCookieVerifier = exports.createIdTokenVerifier = exports.FirebaseTokenVerifier = exports.SESSION_COOKIE_INFO = exports.ID_TOKEN_INFO = exports.ALGORITHM_RS256 = void 0;
+exports.createSessionCookieVerifier = exports.createIdTokenVerifier = exports.FirebaseTokenVerifier = exports.SESSION_COOKIE_INFO = exports.ID_TOKEN_INFO = void 0;
 var error_1 = require("../utils/error");
 var util = require("../utils/index");
 var validator = require("../utils/validator");
-var jwt = require("jsonwebtoken");
-var api_request_1 = require("../utils/api-request");
+var jwt_1 = require("../utils/jwt");
 // Audience to use for Firebase Auth Custom tokens
 var FIREBASE_AUDIENCE = 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';
-exports.ALGORITHM_RS256 = 'RS256';
 // URL containing the public keys for the Google certs (whose private keys are used to sign Firebase
 // Auth ID tokens)
 var CLIENT_CERT_URL = 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com';
 // URL containing the public keys for Firebase session cookies. This will be updated to a different URL soon.
 var SESSION_COOKIE_CERT_URL = 'https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys';
+var EMULATOR_VERIFIER = new jwt_1.EmulatorSignatureVerifier();
 /**
  * User facing token information related to the Firebase ID token.
  *
@@ -60,18 +59,13 @@ exports.SESSION_COOKIE_INFO = {
  * @internal
  */
 var FirebaseTokenVerifier = /** @class */ (function () {
-    function FirebaseTokenVerifier(clientCertUrl, algorithm, issuer, tokenInfo, app) {
-        this.clientCertUrl = clientCertUrl;
-        this.algorithm = algorithm;
+    function FirebaseTokenVerifier(clientCertUrl, issuer, tokenInfo, app) {
         this.issuer = issuer;
         this.tokenInfo = tokenInfo;
         this.app = app;
         if (!validator.isURL(clientCertUrl)) {
             throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'The provided public client certificate URL is an invalid URL.');
         }
-        else if (!validator.isNonEmptyString(algorithm)) {
-            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'The provided JWT algorithm is an empty string.');
-        }
         else if (!validator.isURL(issuer)) {
             throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'The provided JWT issuer is an invalid URL.');
         }
@@ -94,41 +88,76 @@ var FirebaseTokenVerifier = /** @class */ (function () {
             throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, 'The JWT expiration error code must be a non-null ErrorInfo object.');
         }
         this.shortNameArticle = tokenInfo.shortName.charAt(0).match(/[aeiou]/i) ? 'an' : 'a';
+        this.signatureVerifier =
+            jwt_1.PublicKeySignatureVerifier.withCertificateUrl(clientCertUrl, app.options.httpAgent);
         // For backward compatibility, the project ID is validated in the verification call.
     }
     /**
      * Verifies the format and signature of a Firebase Auth JWT token.
      *
-     * @param {string} jwtToken The Firebase Auth JWT token to verify.
-     * @return {Promise<DecodedIdToken>} A promise fulfilled with the decoded claims of the Firebase Auth ID
-     *                           token.
+     * @param jwtToken - The Firebase Auth JWT token to verify.
+     * @param isEmulator - Whether to accept Auth Emulator tokens.
+     * @returns A promise fulfilled with the decoded claims of the Firebase Auth ID token.
      */
-    FirebaseTokenVerifier.prototype.verifyJWT = function (jwtToken) {
+    FirebaseTokenVerifier.prototype.verifyJWT = function (jwtToken, isEmulator) {
         var _this = this;
+        if (isEmulator === void 0) { isEmulator = false; }
         if (!validator.isString(jwtToken)) {
             throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, "First argument to " + this.tokenInfo.verifyApiName + " must be a " + this.tokenInfo.jwtName + " string.");
         }
+        return this.ensureProjectId()
+            .then(function (projectId) {
+            return _this.decodeAndVerify(jwtToken, projectId, isEmulator);
+        })
+            .then(function (decoded) {
+            var decodedIdToken = decoded.payload;
+            decodedIdToken.uid = decodedIdToken.sub;
+            return decodedIdToken;
+        });
+    };
+    FirebaseTokenVerifier.prototype.ensureProjectId = function () {
+        var _this = this;
         return util.findProjectId(this.app)
             .then(function (projectId) {
-            return _this.verifyJWTWithProjectId(jwtToken, projectId);
+            if (!validator.isNonEmptyString(projectId)) {
+                throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CREDENTIAL, 'Must initialize app with a cert credential or set your Firebase project ID as the ' +
+                    ("GOOGLE_CLOUD_PROJECT environment variable to call " + _this.tokenInfo.verifyApiName + "."));
+            }
+            return Promise.resolve(projectId);
         });
     };
-    /**
-     * Override the JWT signing algorithm.
-     * @param algorithm the new signing algorithm.
-     */
-    FirebaseTokenVerifier.prototype.setAlgorithm = function (algorithm) {
-        this.algorithm = algorithm;
+    FirebaseTokenVerifier.prototype.decodeAndVerify = function (token, projectId, isEmulator) {
+        var _this = this;
+        return this.safeDecode(token)
+            .then(function (decodedToken) {
+            _this.verifyContent(decodedToken, projectId, isEmulator);
+            return _this.verifySignature(token, isEmulator)
+                .then(function () { return decodedToken; });
+        });
     };
-    FirebaseTokenVerifier.prototype.verifyJWTWithProjectId = function (jwtToken, projectId) {
+    FirebaseTokenVerifier.prototype.safeDecode = function (jwtToken) {
         var _this = this;
-        if (!validator.isNonEmptyString(projectId)) {
-            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_CREDENTIAL, 'Must initialize app with a cert credential or set your Firebase project ID as the ' +
-                ("GOOGLE_CLOUD_PROJECT environment variable to call " + this.tokenInfo.verifyApiName + "."));
-        }
-        var fullDecodedToken = jwt.decode(jwtToken, {
-            complete: true,
+        return jwt_1.decodeJwt(jwtToken)
+            .catch(function (err) {
+            if (err.code == jwt_1.JwtErrorCode.INVALID_ARGUMENT) {
+                var verifyJwtTokenDocsMessage = " See " + _this.tokenInfo.url + " " +
+                    ("for details on how to retrieve " + _this.shortNameArticle + " " + _this.tokenInfo.shortName + ".");
+                var errorMessage = "Decoding " + _this.tokenInfo.jwtName + " failed. Make sure you passed " +
+                    ("the entire string JWT which represents " + _this.shortNameArticle + " ") +
+                    (_this.tokenInfo.shortName + ".") + verifyJwtTokenDocsMessage;
+                throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, errorMessage);
+            }
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INTERNAL_ERROR, err.message);
         });
+    };
+    /**
+     * Verifies the content of a Firebase Auth JWT.
+     *
+     * @param fullDecodedToken - The decoded JWT.
+     * @param projectId - The Firebase Project Id.
+     * @param isEmulator - Whether the token is an Emulator token.
+     */
+    FirebaseTokenVerifier.prototype.verifyContent = function (fullDecodedToken, projectId, isEmulator) {
         var header = fullDecodedToken && fullDecodedToken.header;
         var payload = fullDecodedToken && fullDecodedToken.payload;
         var projectIdMatchMessage = " Make sure the " + this.tokenInfo.shortName + " comes from the same " +
@@ -136,11 +165,7 @@ var FirebaseTokenVerifier = /** @class */ (function () {
         var verifyJwtTokenDocsMessage = " See " + this.tokenInfo.url + " " +
             ("for details on how to retrieve " + this.shortNameArticle + " " + this.tokenInfo.shortName + ".");
         var errorMessage;
-        if (!fullDecodedToken) {
-            errorMessage = "Decoding " + this.tokenInfo.jwtName + " failed. Make sure you passed the entire string JWT " +
-                ("which represents " + this.shortNameArticle + " " + this.tokenInfo.shortName + ".") + verifyJwtTokenDocsMessage;
-        }
-        else if (typeof header.kid === 'undefined' && this.algorithm !== 'none') {
+        if (!isEmulator && typeof header.kid === 'undefined') {
             var isCustomToken = (payload.aud === FIREBASE_AUDIENCE);
             var isLegacyCustomToken = (header.alg === 'HS256' && payload.v === 0 && 'd' in payload && 'uid' in payload.d);
             if (isCustomToken) {
@@ -156,8 +181,8 @@ var FirebaseTokenVerifier = /** @class */ (function () {
             }
             errorMessage += verifyJwtTokenDocsMessage;
         }
-        else if (header.alg !== this.algorithm) {
-            errorMessage = this.tokenInfo.jwtName + " has incorrect algorithm. Expected \"" + this.algorithm + '" but got ' +
+        else if (!isEmulator && header.alg !== jwt_1.ALGORITHM_RS256) {
+            errorMessage = this.tokenInfo.jwtName + " has incorrect algorithm. Expected \"" + jwt_1.ALGORITHM_RS256 + '" but got ' +
                 '"' + header.alg + '".' + verifyJwtTokenDocsMessage;
         }
         else if (payload.aud !== projectId) {
@@ -167,7 +192,7 @@ var FirebaseTokenVerifier = /** @class */ (function () {
         }
         else if (payload.iss !== this.issuer + projectId) {
             errorMessage = this.tokenInfo.jwtName + " has incorrect \"iss\" (issuer) claim. Expected " +
-                ("\"" + this.issuer + "\"") + projectId + '" but got "' +
+                ("\"" + this.issuer) + projectId + '" but got "' +
                 payload.iss + '".' + projectIdMatchMessage + verifyJwtTokenDocsMessage;
         }
         else if (typeof payload.sub !== 'string') {
@@ -181,115 +206,43 @@ var FirebaseTokenVerifier = /** @class */ (function () {
                 verifyJwtTokenDocsMessage;
         }
         if (errorMessage) {
-            return Promise.reject(new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, errorMessage));
+            throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, errorMessage);
         }
-        // When the algorithm is set to 'none' there will be no signature and therefore we don't check
-        // the public keys.
-        if (this.algorithm === 'none') {
-            return this.verifyJwtSignatureWithKey(jwtToken, null);
-        }
-        return this.fetchPublicKeys().then(function (publicKeys) {
-            if (!Object.prototype.hasOwnProperty.call(publicKeys, header.kid)) {
-                return Promise.reject(new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, _this.tokenInfo.jwtName + " has \"kid\" claim which does not correspond to a known public key. " +
-                    ("Most likely the " + _this.tokenInfo.shortName + " is expired, so get a fresh token from your ") +
-                    'client app and try again.'));
-            }
-            else {
-                return _this.verifyJwtSignatureWithKey(jwtToken, publicKeys[header.kid]);
-            }
-        });
     };
-    /**
-     * Verifies the JWT signature using the provided public key.
-     * @param {string} jwtToken The JWT token to verify.
-     * @param {string} publicKey The public key certificate.
-     * @return {Promise<DecodedIdToken>} A promise that resolves with the decoded JWT claims on successful
-     *     verification.
-     */
-    FirebaseTokenVerifier.prototype.verifyJwtSignatureWithKey = function (jwtToken, publicKey) {
+    FirebaseTokenVerifier.prototype.verifySignature = function (jwtToken, isEmulator) {
         var _this = this;
-        var verifyJwtTokenDocsMessage = " See " + this.tokenInfo.url + " " +
-            ("for details on how to retrieve " + this.shortNameArticle + " " + this.tokenInfo.shortName + ".");
-        return new Promise(function (resolve, reject) {
-            jwt.verify(jwtToken, publicKey || '', {
-                algorithms: [_this.algorithm],
-            }, function (error, decodedToken) {
-                if (error) {
-                    if (error.name === 'TokenExpiredError') {
-                        var errorMessage = _this.tokenInfo.jwtName + " has expired. Get a fresh " + _this.tokenInfo.shortName +
-                            (" from your client app and try again (auth/" + _this.tokenInfo.expiredErrorCode.code + ").") +
-                            verifyJwtTokenDocsMessage;
-                        return reject(new error_1.FirebaseAuthError(_this.tokenInfo.expiredErrorCode, errorMessage));
-                    }
-                    else if (error.name === 'JsonWebTokenError') {
-                        var errorMessage = _this.tokenInfo.jwtName + " has invalid signature." + verifyJwtTokenDocsMessage;
-                        return reject(new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, errorMessage));
-                    }
-                    return reject(new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, error.message));
-                }
-                else {
-                    var decodedIdToken = decodedToken;
-                    decodedIdToken.uid = decodedIdToken.sub;
-                    resolve(decodedIdToken);
-                }
-            });
+        var verifier = isEmulator ? EMULATOR_VERIFIER : this.signatureVerifier;
+        return verifier.verify(jwtToken)
+            .catch(function (error) {
+            throw _this.mapJwtErrorToAuthError(error);
         });
     };
     /**
-     * Fetches the public keys for the Google certs.
+     * Maps JwtError to FirebaseAuthError
      *
-     * @return {Promise<object>} A promise fulfilled with public keys for the Google certs.
+     * @param error - JwtError to be mapped.
+     * @returns FirebaseAuthError or Error instance.
      */
-    FirebaseTokenVerifier.prototype.fetchPublicKeys = function () {
-        var _this = this;
-        var publicKeysExist = (typeof this.publicKeys !== 'undefined');
-        var publicKeysExpiredExists = (typeof this.publicKeysExpireAt !== 'undefined');
-        var publicKeysStillValid = (publicKeysExpiredExists && Date.now() < this.publicKeysExpireAt);
-        if (publicKeysExist && publicKeysStillValid) {
-            return Promise.resolve(this.publicKeys);
+    FirebaseTokenVerifier.prototype.mapJwtErrorToAuthError = function (error) {
+        var verifyJwtTokenDocsMessage = " See " + this.tokenInfo.url + " " +
+            ("for details on how to retrieve " + this.shortNameArticle + " " + this.tokenInfo.shortName + ".");
+        if (error.code === jwt_1.JwtErrorCode.TOKEN_EXPIRED) {
+            var errorMessage = this.tokenInfo.jwtName + " has expired. Get a fresh " + this.tokenInfo.shortName +
+                (" from your client app and try again (auth/" + this.tokenInfo.expiredErrorCode.code + ").") +
+                verifyJwtTokenDocsMessage;
+            return new error_1.FirebaseAuthError(this.tokenInfo.expiredErrorCode, errorMessage);
         }
-        var client = new api_request_1.HttpClient();
-        var request = {
-            method: 'GET',
-            url: this.clientCertUrl,
-            httpAgent: this.app.options.httpAgent,
-        };
-        return client.send(request).then(function (resp) {
-            if (!resp.isJson() || resp.data.error) {
-                // Treat all non-json messages and messages with an 'error' field as
-                // error responses.
-                throw new api_request_1.HttpError(resp);
-            }
-            if (Object.prototype.hasOwnProperty.call(resp.headers, 'cache-control')) {
-                var cacheControlHeader = resp.headers['cache-control'];
-                var parts = cacheControlHeader.split(',');
-                parts.forEach(function (part) {
-                    var subParts = part.trim().split('=');
-                    if (subParts[0] === 'max-age') {
-                        var maxAge = +subParts[1];
-                        _this.publicKeysExpireAt = Date.now() + (maxAge * 1000);
-                    }
-                });
-            }
-            _this.publicKeys = resp.data;
-            return resp.data;
-        }).catch(function (err) {
-            if (err instanceof api_request_1.HttpError) {
-                var errorMessage = 'Error fetching public keys for Google certs: ';
-                var resp = err.response;
-                if (resp.isJson() && resp.data.error) {
-                    errorMessage += "" + resp.data.error;
-                    if (resp.data.error_description) {
-                        errorMessage += ' (' + resp.data.error_description + ')';
-                    }
-                }
-                else {
-                    errorMessage += "" + resp.text;
-                }
-                throw new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INTERNAL_ERROR, errorMessage);
-            }
-            throw err;
-        });
+        else if (error.code === jwt_1.JwtErrorCode.INVALID_SIGNATURE) {
+            var errorMessage = this.tokenInfo.jwtName + " has invalid signature." + verifyJwtTokenDocsMessage;
+            return new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, errorMessage);
+        }
+        else if (error.code === jwt_1.JwtErrorCode.NO_MATCHING_KID) {
+            var errorMessage = this.tokenInfo.jwtName + " has \"kid\" claim which does not " +
+                ("correspond to a known public key. Most likely the " + this.tokenInfo.shortName + " ") +
+                'is expired, so get a fresh token from your client app and try again.';
+            return new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, errorMessage);
+        }
+        return new error_1.FirebaseAuthError(error_1.AuthClientErrorCode.INVALID_ARGUMENT, error.message);
     };
     return FirebaseTokenVerifier;
 }());
@@ -297,24 +250,22 @@ exports.FirebaseTokenVerifier = FirebaseTokenVerifier;
 /**
  * Creates a new FirebaseTokenVerifier to verify Firebase ID tokens.
  *
- * @param {FirebaseApp} app Firebase app instance.
- * @return {FirebaseTokenVerifier}
- *
  * @internal
+ * @param app - Firebase app instance.
+ * @returns FirebaseTokenVerifier
  */
 function createIdTokenVerifier(app) {
-    return new FirebaseTokenVerifier(CLIENT_CERT_URL, exports.ALGORITHM_RS256, 'https://securetoken.google.com/', exports.ID_TOKEN_INFO, app);
+    return new FirebaseTokenVerifier(CLIENT_CERT_URL, 'https://securetoken.google.com/', exports.ID_TOKEN_INFO, app);
 }
 exports.createIdTokenVerifier = createIdTokenVerifier;
 /**
  * Creates a new FirebaseTokenVerifier to verify Firebase session cookies.
  *
- * @param {FirebaseApp} app Firebase app instance.
- * @return {FirebaseTokenVerifier}
- *
  * @internal
+ * @param app - Firebase app instance.
+ * @returns FirebaseTokenVerifier
  */
 function createSessionCookieVerifier(app) {
-    return new FirebaseTokenVerifier(SESSION_COOKIE_CERT_URL, exports.ALGORITHM_RS256, 'https://session.firebase.google.com/', exports.SESSION_COOKIE_INFO, app);
+    return new FirebaseTokenVerifier(SESSION_COOKIE_CERT_URL, 'https://session.firebase.google.com/', exports.SESSION_COOKIE_INFO, app);
 }
 exports.createSessionCookieVerifier = createSessionCookieVerifier;