firebase-admin 9.100.0-alpha.0 → 10.0.2

package/lib/utils/index.js

@@ -1,4 +1,4 @@
-/*! firebase-admin v9.100.0-alpha.0 */
+/*! firebase-admin v10.0.2 */
 "use strict";
 /*!
  * @license
@@ -17,7 +17,7 @@
  * limitations under the License.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateUpdateMask = exports.formatString = exports.toWebSafeBase64 = exports.findProjectId = exports.getExplicitProjectId = exports.addReadonlyGetter = exports.renameProperties = exports.getSdkVersion = void 0;
+exports.transformMillisecondsToSecondsString = exports.generateUpdateMask = exports.formatString = exports.toWebSafeBase64 = exports.findProjectId = exports.getExplicitProjectId = exports.addReadonlyGetter = exports.renameProperties = exports.getSdkVersion = void 0;
 var credential_internal_1 = require("../app/credential-internal");
 var validator = require("./validator");
 var sdkVersion;
@@ -35,8 +35,8 @@ exports.getSdkVersion = getSdkVersion;
  *
  * For example, this can be used to map underscore_cased properties to camelCase.
  *
- * @param {object} obj The object whose properties to rename.
- * @param {object} keyMap The mapping from old to new property names.
+ * @param obj - The object whose properties to rename.
+ * @param keyMap - The mapping from old to new property names.
  */
 function renameProperties(obj, keyMap) {
     Object.keys(keyMap).forEach(function (oldKey) {
@@ -52,9 +52,9 @@ exports.renameProperties = renameProperties;
 /**
  * Defines a new read-only property directly on an object and returns the object.
  *
- * @param {object} obj The object on which to define the property.
- * @param {string} prop The name of the property to be defined or modified.
- * @param {any} value The value associated with the property.
+ * @param obj - The object on which to define the property.
+ * @param prop - The name of the property to be defined or modified.
+ * @param value - The value associated with the property.
  */
 function addReadonlyGetter(obj, prop, value) {
     Object.defineProperty(obj, prop, {
@@ -71,9 +71,9 @@ exports.addReadonlyGetter = addReadonlyGetter;
  * specified in either the Firebase app options, credentials or the local environment.
  * Otherwise returns null.
  *
- * @param app A Firebase app to get the project ID from.
+ * @param app - A Firebase app to get the project ID from.
  *
- * @return A project ID string or null.
+ * @returns A project ID string or null.
  */
 function getExplicitProjectId(app) {
     var options = app.options;
@@ -98,9 +98,9 @@ exports.getExplicitProjectId = getExplicitProjectId;
  * configured, but the SDK has been initialized with ComputeEngineCredentials, this
  * method attempts to discover the project ID from the local metadata service.
  *
- * @param app A Firebase app to get the project ID from.
+ * @param app - A Firebase app to get the project ID from.
  *
- * @return A project ID string or null.
+ * @returns A project ID string or null.
  */
 function findProjectId(app) {
     var projectId = getExplicitProjectId(app);
@@ -117,8 +117,8 @@ exports.findProjectId = findProjectId;
 /**
  * Encodes data using web-safe-base64.
  *
- * @param {Buffer} data The raw data byte input.
- * @return {string} The base64-encoded result.
+ * @param data - The raw data byte input.
+ * @returns The base64-encoded result.
  */
 function toWebSafeBase64(data) {
     return data.toString('base64').replace(/\//g, '_').replace(/\+/g, '-');
@@ -129,11 +129,11 @@ exports.toWebSafeBase64 = toWebSafeBase64;
  * with corresponding arguments {projectId: '1234', api: 'resource'}
  * and returns output: 'project/1234/resource'.
  *
- * @param {string} str The original string where the param need to be
+ * @param str - The original string where the param need to be
  *     replaced.
- * @param {object=} params The optional parameters to replace in the
+ * @param params - The optional parameters to replace in the
  *     string.
- * @return {string} The resulting formatted string.
+ * @returns The resulting formatted string.
  */
 function formatString(str, params) {
     var formatted = str;
@@ -147,12 +147,12 @@ exports.formatString = formatString;
  * Generates the update mask for the provided object.
  * Note this will ignore the last key with value undefined.
  *
- * @param obj The object to generate the update mask for.
- * @param terminalPaths The optional map of keys for maximum paths to traverse.
+ * @param obj - The object to generate the update mask for.
+ * @param terminalPaths - The optional map of keys for maximum paths to traverse.
  *      Nested objects beyond that path will be ignored. This is useful for
  *      keys with variable object values.
- * @param root The path so far.
- * @return The computed update mask list.
+ * @param root - The path so far.
+ * @returns The computed update mask list.
  */
 function generateUpdateMask(obj, terminalPaths, root) {
     if (terminalPaths === void 0) { terminalPaths = []; }
@@ -189,3 +189,30 @@ function generateUpdateMask(obj, terminalPaths, root) {
     return updateMask;
 }
 exports.generateUpdateMask = generateUpdateMask;
+/**
+ * Transforms milliseconds to a protobuf Duration type string.
+ * Returns the duration in seconds with up to nine fractional
+ * digits, terminated by 's'. Example: "3 seconds 0 nano seconds as 3s,
+ * 3 seconds 1 nano seconds as 3.000000001s".
+ *
+ * @param milliseconds - The duration in milliseconds.
+ * @returns The resulting formatted string in seconds with up to nine fractional
+ * digits, terminated by 's'.
+ */
+function transformMillisecondsToSecondsString(milliseconds) {
+    var duration;
+    var seconds = Math.floor(milliseconds / 1000);
+    var nanos = Math.floor((milliseconds - seconds * 1000) * 1000000);
+    if (nanos > 0) {
+        var nanoString = nanos.toString();
+        while (nanoString.length < 9) {
+            nanoString = '0' + nanoString;
+        }
+        duration = seconds + "." + nanoString + "s";
+    }
+    else {
+        duration = seconds + "s";
+    }
+    return duration;
+}
+exports.transformMillisecondsToSecondsString = transformMillisecondsToSecondsString;

package/lib/utils/jwt.d.ts

@@ -0,0 +1,131 @@
+/*! firebase-admin v10.0.2 */
+/*!
+ * Copyright 2021 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/// <reference types="node" />
+import * as jwt from 'jsonwebtoken';
+import { Agent } from 'http';
+export declare const ALGORITHM_RS256: jwt.Algorithm;
+export declare type Dictionary = {
+    [key: string]: any;
+};
+export declare type DecodedToken = {
+    header: Dictionary;
+    payload: Dictionary;
+};
+export interface SignatureVerifier {
+    verify(token: string): Promise<void>;
+}
+interface KeyFetcher {
+    fetchPublicKeys(): Promise<{
+        [key: string]: string;
+    }>;
+}
+export declare class JwksFetcher implements KeyFetcher {
+    private publicKeys;
+    private publicKeysExpireAt;
+    private client;
+    constructor(jwksUrl: string);
+    fetchPublicKeys(): Promise<{
+        [key: string]: string;
+    }>;
+    private shouldRefresh;
+    private refresh;
+}
+/**
+ * Class to fetch public keys from a client certificates URL.
+ */
+export declare class UrlKeyFetcher implements KeyFetcher {
+    private clientCertUrl;
+    private readonly httpAgent?;
+    private publicKeys;
+    private publicKeysExpireAt;
+    constructor(clientCertUrl: string, httpAgent?: Agent | undefined);
+    /**
+     * Fetches the public keys for the Google certs.
+     *
+     * @returns A promise fulfilled with public keys for the Google certs.
+     */
+    fetchPublicKeys(): Promise<{
+        [key: string]: string;
+    }>;
+    /**
+     * Checks if the cached public keys need to be refreshed.
+     *
+     * @returns Whether the keys should be fetched from the client certs url or not.
+     */
+    private shouldRefresh;
+    private refresh;
+}
+/**
+ * Class for verifying JWT signature with a public key.
+ */
+export declare class PublicKeySignatureVerifier implements SignatureVerifier {
+    private keyFetcher;
+    constructor(keyFetcher: KeyFetcher);
+    static withCertificateUrl(clientCertUrl: string, httpAgent?: Agent): PublicKeySignatureVerifier;
+    static withJwksUrl(jwksUrl: string): PublicKeySignatureVerifier;
+    verify(token: string): Promise<void>;
+    private verifyWithoutKid;
+    private verifyWithAllKeys;
+}
+/**
+ * Class for verifying unsigned (emulator) JWTs.
+ */
+export declare class EmulatorSignatureVerifier implements SignatureVerifier {
+    verify(token: string): Promise<void>;
+}
+/**
+ * Verifies the signature of a JWT using the provided secret or a function to fetch
+ * the secret or public key.
+ *
+ * @param token - The JWT to be verified.
+ * @param secretOrPublicKey - The secret or a function to fetch the secret or public key.
+ * @param options - JWT verification options.
+ * @returns A Promise resolving for a token with a valid signature.
+ */
+export declare function verifyJwtSignature(token: string, secretOrPublicKey: jwt.Secret | jwt.GetPublicKeyOrSecret, options?: jwt.VerifyOptions): Promise<void>;
+/**
+ * Decodes general purpose Firebase JWTs.
+ *
+ * @param jwtToken - JWT token to be decoded.
+ * @returns Decoded token containing the header and payload.
+ */
+export declare function decodeJwt(jwtToken: string): Promise<DecodedToken>;
+/**
+ * Jwt error code structure.
+ *
+ * @param code - The error code.
+ * @param message - The error message.
+ * @constructor
+ */
+export declare class JwtError extends Error {
+    readonly code: JwtErrorCode;
+    readonly message: string;
+    constructor(code: JwtErrorCode, message: string);
+}
+/**
+ * JWT error codes.
+ */
+export declare enum JwtErrorCode {
+    INVALID_ARGUMENT = "invalid-argument",
+    INVALID_CREDENTIAL = "invalid-credential",
+    TOKEN_EXPIRED = "token-expired",
+    INVALID_SIGNATURE = "invalid-token",
+    NO_MATCHING_KID = "no-matching-kid-error",
+    NO_KID_IN_HEADER = "no-kid-error",
+    KEY_FETCH_ERROR = "key-fetch-error"
+}
+export {};

package/lib/utils/jwt.js

@@ -0,0 +1,355 @@
+/*! firebase-admin v10.0.2 */
+"use strict";
+/*!
+ * Copyright 2021 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+var __extends = (this && this.__extends) || (function () {
+    var extendStatics = function (d, b) {
+        extendStatics = Object.setPrototypeOf ||
+            ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
+            function (d, b) { for (var p in b) if (b.hasOwnProperty(p)) d[p] = b[p]; };
+        return extendStatics(d, b);
+    };
+    return function (d, b) {
+        extendStatics(d, b);
+        function __() { this.constructor = d; }
+        d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtErrorCode = exports.JwtError = exports.decodeJwt = exports.verifyJwtSignature = exports.EmulatorSignatureVerifier = exports.PublicKeySignatureVerifier = exports.UrlKeyFetcher = exports.JwksFetcher = exports.ALGORITHM_RS256 = void 0;
+var validator = require("./validator");
+var jwt = require("jsonwebtoken");
+var jwks = require("jwks-rsa");
+var api_request_1 = require("../utils/api-request");
+exports.ALGORITHM_RS256 = 'RS256';
+// `jsonwebtoken` converts errors from the `getKey` callback to its own `JsonWebTokenError` type
+// and prefixes the error message with the following. Use the prefix to identify errors thrown
+// from the key provider callback.
+// https://github.com/auth0/node-jsonwebtoken/blob/d71e383862fc735991fd2e759181480f066bf138/verify.js#L96
+var JWT_CALLBACK_ERROR_PREFIX = 'error in secret or public key callback: ';
+var NO_MATCHING_KID_ERROR_MESSAGE = 'no-matching-kid-error';
+var NO_KID_IN_HEADER_ERROR_MESSAGE = 'no-kid-in-header-error';
+var HOUR_IN_SECONDS = 3600;
+var JwksFetcher = /** @class */ (function () {
+    function JwksFetcher(jwksUrl) {
+        this.publicKeysExpireAt = 0;
+        if (!validator.isURL(jwksUrl)) {
+            throw new Error('The provided JWKS URL is not a valid URL.');
+        }
+        this.client = jwks({
+            jwksUri: jwksUrl,
+            cache: false,
+        });
+    }
+    JwksFetcher.prototype.fetchPublicKeys = function () {
+        if (this.shouldRefresh()) {
+            return this.refresh();
+        }
+        return Promise.resolve(this.publicKeys);
+    };
+    JwksFetcher.prototype.shouldRefresh = function () {
+        return !this.publicKeys || this.publicKeysExpireAt <= Date.now();
+    };
+    JwksFetcher.prototype.refresh = function () {
+        var _this = this;
+        return this.client.getSigningKeys()
+            .then(function (signingKeys) {
+            // reset expire at from previous set of keys.
+            _this.publicKeysExpireAt = 0;
+            var newKeys = signingKeys.reduce(function (map, signingKey) {
+                map[signingKey.kid] = signingKey.getPublicKey();
+                return map;
+            }, {});
+            _this.publicKeysExpireAt = Date.now() + (HOUR_IN_SECONDS * 6 * 1000);
+            _this.publicKeys = newKeys;
+            return newKeys;
+        }).catch(function (err) {
+            throw new Error("Error fetching Json Web Keys: " + err.message);
+        });
+    };
+    return JwksFetcher;
+}());
+exports.JwksFetcher = JwksFetcher;
+/**
+ * Class to fetch public keys from a client certificates URL.
+ */
+var UrlKeyFetcher = /** @class */ (function () {
+    function UrlKeyFetcher(clientCertUrl, httpAgent) {
+        this.clientCertUrl = clientCertUrl;
+        this.httpAgent = httpAgent;
+        this.publicKeysExpireAt = 0;
+        if (!validator.isURL(clientCertUrl)) {
+            throw new Error('The provided public client certificate URL is not a valid URL.');
+        }
+    }
+    /**
+     * Fetches the public keys for the Google certs.
+     *
+     * @returns A promise fulfilled with public keys for the Google certs.
+     */
+    UrlKeyFetcher.prototype.fetchPublicKeys = function () {
+        if (this.shouldRefresh()) {
+            return this.refresh();
+        }
+        return Promise.resolve(this.publicKeys);
+    };
+    /**
+     * Checks if the cached public keys need to be refreshed.
+     *
+     * @returns Whether the keys should be fetched from the client certs url or not.
+     */
+    UrlKeyFetcher.prototype.shouldRefresh = function () {
+        return !this.publicKeys || this.publicKeysExpireAt <= Date.now();
+    };
+    UrlKeyFetcher.prototype.refresh = function () {
+        var _this = this;
+        var client = new api_request_1.HttpClient();
+        var request = {
+            method: 'GET',
+            url: this.clientCertUrl,
+            httpAgent: this.httpAgent,
+        };
+        return client.send(request).then(function (resp) {
+            if (!resp.isJson() || resp.data.error) {
+                // Treat all non-json messages and messages with an 'error' field as
+                // error responses.
+                throw new api_request_1.HttpError(resp);
+            }
+            // reset expire at from previous set of keys.
+            _this.publicKeysExpireAt = 0;
+            if (Object.prototype.hasOwnProperty.call(resp.headers, 'cache-control')) {
+                var cacheControlHeader = resp.headers['cache-control'];
+                var parts = cacheControlHeader.split(',');
+                parts.forEach(function (part) {
+                    var subParts = part.trim().split('=');
+                    if (subParts[0] === 'max-age') {
+                        var maxAge = +subParts[1];
+                        _this.publicKeysExpireAt = Date.now() + (maxAge * 1000);
+                    }
+                });
+            }
+            _this.publicKeys = resp.data;
+            return resp.data;
+        }).catch(function (err) {
+            if (err instanceof api_request_1.HttpError) {
+                var errorMessage = 'Error fetching public keys for Google certs: ';
+                var resp = err.response;
+                if (resp.isJson() && resp.data.error) {
+                    errorMessage += "" + resp.data.error;
+                    if (resp.data.error_description) {
+                        errorMessage += ' (' + resp.data.error_description + ')';
+                    }
+                }
+                else {
+                    errorMessage += "" + resp.text;
+                }
+                throw new Error(errorMessage);
+            }
+            throw err;
+        });
+    };
+    return UrlKeyFetcher;
+}());
+exports.UrlKeyFetcher = UrlKeyFetcher;
+/**
+ * Class for verifying JWT signature with a public key.
+ */
+var PublicKeySignatureVerifier = /** @class */ (function () {
+    function PublicKeySignatureVerifier(keyFetcher) {
+        this.keyFetcher = keyFetcher;
+        if (!validator.isNonNullObject(keyFetcher)) {
+            throw new Error('The provided key fetcher is not an object or null.');
+        }
+    }
+    PublicKeySignatureVerifier.withCertificateUrl = function (clientCertUrl, httpAgent) {
+        return new PublicKeySignatureVerifier(new UrlKeyFetcher(clientCertUrl, httpAgent));
+    };
+    PublicKeySignatureVerifier.withJwksUrl = function (jwksUrl) {
+        return new PublicKeySignatureVerifier(new JwksFetcher(jwksUrl));
+    };
+    PublicKeySignatureVerifier.prototype.verify = function (token) {
+        var _this = this;
+        if (!validator.isString(token)) {
+            return Promise.reject(new JwtError(JwtErrorCode.INVALID_ARGUMENT, 'The provided token must be a string.'));
+        }
+        return verifyJwtSignature(token, getKeyCallback(this.keyFetcher), { algorithms: [exports.ALGORITHM_RS256] })
+            .catch(function (error) {
+            if (error.code === JwtErrorCode.NO_KID_IN_HEADER) {
+                // No kid in JWT header. Try with all the public keys.
+                return _this.verifyWithoutKid(token);
+            }
+            throw error;
+        });
+    };
+    PublicKeySignatureVerifier.prototype.verifyWithoutKid = function (token) {
+        var _this = this;
+        return this.keyFetcher.fetchPublicKeys()
+            .then(function (publicKeys) { return _this.verifyWithAllKeys(token, publicKeys); });
+    };
+    PublicKeySignatureVerifier.prototype.verifyWithAllKeys = function (token, keys) {
+        var promises = [];
+        Object.values(keys).forEach(function (key) {
+            var result = verifyJwtSignature(token, key)
+                .then(function () { return true; })
+                .catch(function (error) {
+                if (error.code === JwtErrorCode.TOKEN_EXPIRED) {
+                    throw error;
+                }
+                return false;
+            });
+            promises.push(result);
+        });
+        return Promise.all(promises)
+            .then(function (result) {
+            if (result.every(function (r) { return r === false; })) {
+                throw new JwtError(JwtErrorCode.INVALID_SIGNATURE, 'Invalid token signature.');
+            }
+        });
+    };
+    return PublicKeySignatureVerifier;
+}());
+exports.PublicKeySignatureVerifier = PublicKeySignatureVerifier;
+/**
+ * Class for verifying unsigned (emulator) JWTs.
+ */
+var EmulatorSignatureVerifier = /** @class */ (function () {
+    function EmulatorSignatureVerifier() {
+    }
+    EmulatorSignatureVerifier.prototype.verify = function (token) {
+        // Signature checks skipped for emulator; no need to fetch public keys.
+        return verifyJwtSignature(token, '');
+    };
+    return EmulatorSignatureVerifier;
+}());
+exports.EmulatorSignatureVerifier = EmulatorSignatureVerifier;
+/**
+ * Provides a callback to fetch public keys.
+ *
+ * @param fetcher - KeyFetcher to fetch the keys from.
+ * @returns A callback function that can be used to get keys in `jsonwebtoken`.
+ */
+function getKeyCallback(fetcher) {
+    return function (header, callback) {
+        if (!header.kid) {
+            callback(new Error(NO_KID_IN_HEADER_ERROR_MESSAGE));
+        }
+        var kid = header.kid || '';
+        fetcher.fetchPublicKeys().then(function (publicKeys) {
+            if (!Object.prototype.hasOwnProperty.call(publicKeys, kid)) {
+                callback(new Error(NO_MATCHING_KID_ERROR_MESSAGE));
+            }
+            else {
+                callback(null, publicKeys[kid]);
+            }
+        })
+            .catch(function (error) {
+            callback(error);
+        });
+    };
+}
+/**
+ * Verifies the signature of a JWT using the provided secret or a function to fetch
+ * the secret or public key.
+ *
+ * @param token - The JWT to be verified.
+ * @param secretOrPublicKey - The secret or a function to fetch the secret or public key.
+ * @param options - JWT verification options.
+ * @returns A Promise resolving for a token with a valid signature.
+ */
+function verifyJwtSignature(token, secretOrPublicKey, options) {
+    if (!validator.isString(token)) {
+        return Promise.reject(new JwtError(JwtErrorCode.INVALID_ARGUMENT, 'The provided token must be a string.'));
+    }
+    return new Promise(function (resolve, reject) {
+        jwt.verify(token, secretOrPublicKey, options, function (error) {
+            if (!error) {
+                return resolve();
+            }
+            if (error.name === 'TokenExpiredError') {
+                return reject(new JwtError(JwtErrorCode.TOKEN_EXPIRED, 'The provided token has expired. Get a fresh token from your ' +
+                    'client app and try again.'));
+            }
+            else if (error.name === 'JsonWebTokenError') {
+                if (error.message && error.message.includes(JWT_CALLBACK_ERROR_PREFIX)) {
+                    var message = error.message.split(JWT_CALLBACK_ERROR_PREFIX).pop() || 'Error fetching public keys.';
+                    var code = JwtErrorCode.KEY_FETCH_ERROR;
+                    if (message === NO_MATCHING_KID_ERROR_MESSAGE) {
+                        code = JwtErrorCode.NO_MATCHING_KID;
+                    }
+                    else if (message === NO_KID_IN_HEADER_ERROR_MESSAGE) {
+                        code = JwtErrorCode.NO_KID_IN_HEADER;
+                    }
+                    return reject(new JwtError(code, message));
+                }
+            }
+            return reject(new JwtError(JwtErrorCode.INVALID_SIGNATURE, error.message));
+        });
+    });
+}
+exports.verifyJwtSignature = verifyJwtSignature;
+/**
+ * Decodes general purpose Firebase JWTs.
+ *
+ * @param jwtToken - JWT token to be decoded.
+ * @returns Decoded token containing the header and payload.
+ */
+function decodeJwt(jwtToken) {
+    if (!validator.isString(jwtToken)) {
+        return Promise.reject(new JwtError(JwtErrorCode.INVALID_ARGUMENT, 'The provided token must be a string.'));
+    }
+    var fullDecodedToken = jwt.decode(jwtToken, {
+        complete: true,
+    });
+    if (!fullDecodedToken) {
+        return Promise.reject(new JwtError(JwtErrorCode.INVALID_ARGUMENT, 'Decoding token failed.'));
+    }
+    var header = fullDecodedToken === null || fullDecodedToken === void 0 ? void 0 : fullDecodedToken.header;
+    var payload = fullDecodedToken === null || fullDecodedToken === void 0 ? void 0 : fullDecodedToken.payload;
+    return Promise.resolve({ header: header, payload: payload });
+}
+exports.decodeJwt = decodeJwt;
+/**
+ * Jwt error code structure.
+ *
+ * @param code - The error code.
+ * @param message - The error message.
+ * @constructor
+ */
+var JwtError = /** @class */ (function (_super) {
+    __extends(JwtError, _super);
+    function JwtError(code, message) {
+        var _this = _super.call(this, message) || this;
+        _this.code = code;
+        _this.message = message;
+        _this.__proto__ = JwtError.prototype;
+        return _this;
+    }
+    return JwtError;
+}(Error));
+exports.JwtError = JwtError;
+/**
+ * JWT error codes.
+ */
+var JwtErrorCode;
+(function (JwtErrorCode) {
+    JwtErrorCode["INVALID_ARGUMENT"] = "invalid-argument";
+    JwtErrorCode["INVALID_CREDENTIAL"] = "invalid-credential";
+    JwtErrorCode["TOKEN_EXPIRED"] = "token-expired";
+    JwtErrorCode["INVALID_SIGNATURE"] = "invalid-token";
+    JwtErrorCode["NO_MATCHING_KID"] = "no-matching-kid-error";
+    JwtErrorCode["NO_KID_IN_HEADER"] = "no-kid-error";
+    JwtErrorCode["KEY_FETCH_ERROR"] = "key-fetch-error";
+})(JwtErrorCode = exports.JwtErrorCode || (exports.JwtErrorCode = {}));