forge-remote 0.1.0 → 0.1.2

package/src/google-auth.js

@@ -0,0 +1,334 @@
+// Forge Remote Relay — Desktop Agent for Forge Remote
+// Copyright (c) 2025-2026 Iron Forge Apps
+// Created by Daniel Wendel, CEO/Founder of Iron Forge Apps
+// AGPL-3.0 License — See LICENSE
+
+import { readFileSync, existsSync } from "fs";
+import { join } from "path";
+import { homedir, platform } from "os";
+
+// ─── Firebase CLI OAuth credentials ─────────────────────────────────────────
+// These are the same public client credentials embedded in the Firebase CLI.
+// Using them to exchange the stored refresh token for an access token is
+// equivalent to what the Firebase CLI does internally.
+
+const FIREBASE_CLIENT_ID =
+  "563584335869-fgrhgmd47bqnekij5i8b5pr03ho849e6.apps.googleusercontent.com";
+const FIREBASE_CLIENT_SECRET = "j9iVZfS8kkCEFUPaAeJV0sAi";
+
+// ─── Token Management ───────────────────────────────────────────────────────
+
+/**
+ * Get the path to the Firebase CLI's stored credentials file.
+ */
+function getFirebaseConfigPath() {
+  if (platform() === "win32") {
+    const appData =
+      process.env.APPDATA || join(homedir(), "AppData", "Roaming");
+    return join(appData, "configstore", "firebase-tools.json");
+  }
+  return join(homedir(), ".config", "configstore", "firebase-tools.json");
+}
+
+/**
+ * Read the refresh token from the Firebase CLI's stored credentials.
+ * Returns null if no token is found.
+ */
+export function readRefreshToken() {
+  const configPath = getFirebaseConfigPath();
+  if (!existsSync(configPath)) {
+    return null;
+  }
+  try {
+    const config = JSON.parse(readFileSync(configPath, "utf-8"));
+    return config?.tokens?.refresh_token || null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Exchange the Firebase CLI's refresh token for a fresh access token.
+ * Throws if the token exchange fails.
+ */
+export async function getAccessToken() {
+  const refreshToken = readRefreshToken();
+  if (!refreshToken) {
+    throw new Error(
+      "No Firebase CLI refresh token found. Run `firebase login` first.",
+    );
+  }
+
+  const response = await fetch("https://oauth2.googleapis.com/token", {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      client_id: FIREBASE_CLIENT_ID,
+      client_secret: FIREBASE_CLIENT_SECRET,
+      refresh_token: refreshToken,
+      grant_type: "refresh_token",
+    }),
+  });
+
+  if (!response.ok) {
+    const err = await response.text();
+    throw new Error(
+      `Token exchange failed (run \`firebase login\` again): ${err}`,
+    );
+  }
+
+  const data = await response.json();
+  return data.access_token;
+}
+
+// ─── Anonymous Authentication ───────────────────────────────────────────────
+
+/**
+ * Enable Anonymous Authentication for the given Firebase project.
+ * Uses the Identity Toolkit Admin v2 API.
+ */
+export async function enableAnonymousAuth(projectId) {
+  const token = await getAccessToken();
+
+  const response = await fetch(
+    `https://identitytoolkit.googleapis.com/admin/v2/projects/${projectId}/config?updateMask=signIn.anonymous.enabled`,
+    {
+      method: "PATCH",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+        "X-Goog-User-Project": projectId,
+      },
+      body: JSON.stringify({
+        signIn: {
+          anonymous: {
+            enabled: true,
+          },
+        },
+      }),
+    },
+  );
+
+  if (!response.ok) {
+    const err = await response.json().catch(() => ({}));
+    throw new Error(
+      `Failed to enable Anonymous Auth: ${err.error?.message || response.statusText}`,
+    );
+  }
+
+  return true;
+}
+
+// ─── Google Cloud API Enablement ─────────────────────────────────────────────
+
+/**
+ * Enable a Google Cloud API for the given project.
+ * Uses the Service Usage API. Idempotent — safe to call even if already enabled.
+ * Waits for the operation to complete (up to ~60s).
+ */
+export async function enableApi(projectId, apiName) {
+  const token = await getAccessToken();
+
+  const response = await fetch(
+    `https://serviceusage.googleapis.com/v1/projects/${projectId}/services/${apiName}:enable`,
+    {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+        "X-Goog-User-Project": projectId,
+      },
+    },
+  );
+
+  if (!response.ok) {
+    const err = await response.json().catch(() => ({}));
+    throw new Error(
+      `Failed to enable ${apiName}: ${err.error?.message || response.statusText}`,
+    );
+  }
+
+  // The response is a long-running operation. Poll until done.
+  const op = await response.json();
+  if (op.done) return true;
+
+  const opName = op.name;
+  for (let i = 0; i < 12; i++) {
+    await new Promise((r) => setTimeout(r, 5000));
+    const pollResp = await fetch(
+      `https://serviceusage.googleapis.com/v1/${opName}`,
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          "X-Goog-User-Project": projectId,
+        },
+      },
+    );
+    if (pollResp.ok) {
+      const pollData = await pollResp.json();
+      if (pollData.done) return true;
+    }
+  }
+
+  throw new Error(`Timed out waiting for ${apiName} to be enabled.`);
+}
+
+// ─── Service Account Management ─────────────────────────────────────────────
+
+/**
+ * Find the firebase-adminsdk service account for the given project.
+ * Returns the account object (with `.email`) or null if not found.
+ */
+export async function findFirebaseAdminSdkAccount(projectId) {
+  const token = await getAccessToken();
+
+  const response = await fetch(
+    `https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts?pageSize=100`,
+    {
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "X-Goog-User-Project": projectId,
+      },
+    },
+  );
+
+  if (!response.ok) {
+    const err = await response.json().catch(() => ({}));
+    throw new Error(
+      `Failed to list service accounts: ${err.error?.message || response.statusText}`,
+    );
+  }
+
+  const data = await response.json();
+  const accounts = data.accounts || [];
+  return (
+    accounts.find((a) => a.email && a.email.includes("firebase-adminsdk")) ||
+    null
+  );
+}
+
+/**
+ * Create a new private key for the given service account.
+ * Returns the parsed JSON key file content.
+ */
+export async function createServiceAccountKey(projectId, serviceAccountEmail) {
+  const token = await getAccessToken();
+
+  const response = await fetch(
+    `https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts/${serviceAccountEmail}/keys`,
+    {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+        "X-Goog-User-Project": projectId,
+      },
+      body: JSON.stringify({
+        privateKeyType: "TYPE_GOOGLE_CREDENTIALS_FILE",
+        keyAlgorithm: "KEY_ALG_RSA_2048",
+      }),
+    },
+  );
+
+  if (!response.ok) {
+    const err = await response.json().catch(() => ({}));
+    const msg = err.error?.message || response.statusText;
+    if (msg.includes("maximum number of keys")) {
+      throw new Error(
+        `Service account has reached the 10-key limit. Delete old keys at:\n` +
+          `  https://console.cloud.google.com/iam-admin/serviceaccounts/details/${encodeURIComponent(serviceAccountEmail)}/keys?project=${projectId}`,
+      );
+    }
+    throw new Error(`Failed to create service account key: ${msg}`);
+  }
+
+  const data = await response.json();
+  const keyJson = Buffer.from(data.privateKeyData, "base64").toString("utf-8");
+  return JSON.parse(keyJson);
+}
+
+// ─── Firestore Security Rules ───────────────────────────────────────────────
+
+/**
+ * Deploy Firestore security rules via the Firebase Rules REST API.
+ *
+ * Two-step process:
+ *   1. Create a new ruleset containing the rules source.
+ *   2. Update (or create) the `cloud.firestore` release to point to it.
+ */
+export async function deployFirestoreRules(projectId, rulesContent) {
+  const token = await getAccessToken();
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    "Content-Type": "application/json",
+    "X-Goog-User-Project": projectId,
+  };
+
+  // Step 1: Create ruleset
+  const rulesetResponse = await fetch(
+    `https://firebaserules.googleapis.com/v1/projects/${projectId}/rulesets`,
+    {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        source: {
+          files: [
+            {
+              content: rulesContent,
+              name: "firestore.rules",
+            },
+          ],
+        },
+      }),
+    },
+  );
+
+  if (!rulesetResponse.ok) {
+    const err = await rulesetResponse.json().catch(() => ({}));
+    throw new Error(
+      `Failed to create ruleset: ${err.error?.message || rulesetResponse.statusText}`,
+    );
+  }
+
+  const ruleset = await rulesetResponse.json();
+  const rulesetName = ruleset.name;
+
+  // Step 2: Update existing release, or create if it doesn't exist yet
+  const releaseName = `projects/${projectId}/releases/cloud.firestore`;
+  const releaseBody = {
+    release: {
+      name: releaseName,
+      rulesetName: rulesetName,
+    },
+  };
+
+  let releaseResponse = await fetch(
+    `https://firebaserules.googleapis.com/v1/${releaseName}`,
+    {
+      method: "PATCH",
+      headers,
+      body: JSON.stringify(releaseBody),
+    },
+  );
+
+  if (!releaseResponse.ok && releaseResponse.status === 404) {
+    // Release doesn't exist yet — create it
+    releaseResponse = await fetch(
+      `https://firebaserules.googleapis.com/v1/projects/${projectId}/releases`,
+      {
+        method: "POST",
+        headers,
+        body: JSON.stringify(releaseBody),
+      },
+    );
+  }
+
+  if (!releaseResponse.ok) {
+    const err = await releaseResponse.json().catch(() => ({}));
+    throw new Error(
+      `Failed to deploy rules release: ${err.error?.message || releaseResponse.statusText}`,
+    );
+  }
+
+  return true;
+}