forge-remote 0.1.1 → 0.1.3

package/src/google-auth.js

@@ -0,0 +1,436 @@
+// Forge Remote Relay — Desktop Agent for Forge Remote
+// Copyright (c) 2025-2026 Iron Forge Apps
+// Created by Daniel Wendel, CEO/Founder of Iron Forge Apps
+
+import { readFileSync, existsSync } from "fs";
+import { join } from "path";
+import { homedir, platform } from "os";
+
+// ─── Firebase CLI OAuth credentials ─────────────────────────────────────────
+// These are the same public client credentials embedded in the Firebase CLI.
+// Using them to exchange the stored refresh token for an access token is
+// equivalent to what the Firebase CLI does internally.
+
+const FIREBASE_CLIENT_ID =
+  "563584335869-fgrhgmd47bqnekij5i8b5pr03ho849e6.apps.googleusercontent.com";
+const FIREBASE_CLIENT_SECRET = "j9iVZfS8kkCEFUPaAeJV0sAi";
+
+// ─── Token Management ───────────────────────────────────────────────────────
+
+/**
+ * Get the path to the Firebase CLI's stored credentials file.
+ */
+function getFirebaseConfigPath() {
+  if (platform() === "win32") {
+    const appData =
+      process.env.APPDATA || join(homedir(), "AppData", "Roaming");
+    return join(appData, "configstore", "firebase-tools.json");
+  }
+  return join(homedir(), ".config", "configstore", "firebase-tools.json");
+}
+
+/**
+ * Read the refresh token from the Firebase CLI's stored credentials.
+ * Returns null if no token is found.
+ */
+export function readRefreshToken() {
+  const configPath = getFirebaseConfigPath();
+  if (!existsSync(configPath)) {
+    return null;
+  }
+  try {
+    const config = JSON.parse(readFileSync(configPath, "utf-8"));
+    return config?.tokens?.refresh_token || null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Exchange the Firebase CLI's refresh token for a fresh access token.
+ * Throws if the token exchange fails.
+ */
+export async function getAccessToken() {
+  const refreshToken = readRefreshToken();
+  if (!refreshToken) {
+    throw new Error(
+      "No Firebase CLI refresh token found. Run `firebase login` first.",
+    );
+  }
+
+  const response = await fetch("https://oauth2.googleapis.com/token", {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      client_id: FIREBASE_CLIENT_ID,
+      client_secret: FIREBASE_CLIENT_SECRET,
+      refresh_token: refreshToken,
+      grant_type: "refresh_token",
+    }),
+  });
+
+  if (!response.ok) {
+    const err = await response.text();
+    throw new Error(
+      `Token exchange failed (run \`firebase login\` again): ${err}`,
+    );
+  }
+
+  const data = await response.json();
+  return data.access_token;
+}
+
+// ─── Anonymous Authentication ───────────────────────────────────────────────
+
+/**
+ * Enable Anonymous Authentication for the given Firebase project.
+ * Uses the Identity Toolkit Admin v2 API.
+ *
+ * If the project hasn't had Auth initialized yet (CONFIGURATION_NOT_FOUND),
+ * we first initialize the Identity Platform, then enable Anonymous.
+ */
+export async function enableAnonymousAuth(projectId) {
+  const token = await getAccessToken();
+
+  const patchAuth = async () => {
+    return fetch(
+      `https://identitytoolkit.googleapis.com/admin/v2/projects/${projectId}/config?updateMask=signIn.anonymous.enabled`,
+      {
+        method: "PATCH",
+        headers: {
+          Authorization: `Bearer ${token}`,
+          "Content-Type": "application/json",
+          "X-Goog-User-Project": projectId,
+        },
+        body: JSON.stringify({
+          signIn: {
+            anonymous: {
+              enabled: true,
+            },
+          },
+        }),
+      },
+    );
+  };
+
+  let response = await patchAuth();
+
+  // If config doesn't exist yet, initialize Identity Platform first.
+  if (!response.ok) {
+    const err = await response.json().catch(() => ({}));
+    const errMsg = err.error?.message || "";
+
+    if (errMsg.includes("CONFIGURATION_NOT_FOUND")) {
+      // Initialize Identity Platform for this project.
+      const initResp = await fetch(
+        `https://identitytoolkit.googleapis.com/v2/projects/${projectId}/identityPlatform:initializeAuth`,
+        {
+          method: "POST",
+          headers: {
+            Authorization: `Bearer ${token}`,
+            "Content-Type": "application/json",
+            "X-Goog-User-Project": projectId,
+          },
+        },
+      );
+
+      if (!initResp.ok) {
+        const initErr = await initResp.json().catch(() => ({}));
+        throw new Error(
+          `Failed to initialize Identity Platform: ${initErr.error?.message || initResp.statusText}`,
+        );
+      }
+
+      // Retry enabling Anonymous Auth after initialization.
+      response = await patchAuth();
+    }
+  }
+
+  if (!response.ok) {
+    const err = await response.json().catch(() => ({}));
+    throw new Error(
+      `Failed to enable Anonymous Auth: ${err.error?.message || response.statusText}`,
+    );
+  }
+
+  return true;
+}
+
+// ─── API Key Management ─────────────────────────────────────────────────────
+
+/**
+ * Remove browser-only restrictions from the project's API key.
+ *
+ * Firebase creates a "Browser key" with browserKeyRestrictions, which blocks
+ * requests from mobile apps (they don't send HTTP referrers). We keep the
+ * API target restrictions but remove the platform restriction so the key
+ * works from iOS and Android.
+ */
+export async function removeBrowserKeyRestriction(projectId, projectNumber) {
+  const token = await getAccessToken();
+
+  // List all keys for the project.
+  const listResp = await fetch(
+    `https://apikeys.googleapis.com/v2/projects/${projectNumber}/locations/global/keys`,
+    { headers: { Authorization: `Bearer ${token}` } },
+  );
+
+  if (!listResp.ok) {
+    throw new Error("Failed to list API keys.");
+  }
+
+  const listData = await listResp.json();
+  const keys = listData.keys || [];
+
+  for (const key of keys) {
+    if (key.restrictions?.browserKeyRestrictions) {
+      // Remove browser restriction but keep API target restrictions.
+      const updateResp = await fetch(
+        `https://apikeys.googleapis.com/v2/${key.name}?updateMask=restrictions`,
+        {
+          method: "PATCH",
+          headers: {
+            Authorization: `Bearer ${token}`,
+            "Content-Type": "application/json",
+          },
+          body: JSON.stringify({
+            restrictions: {
+              apiTargets: key.restrictions.apiTargets || [],
+            },
+          }),
+        },
+      );
+
+      if (!updateResp.ok) {
+        const err = await updateResp.json().catch(() => ({}));
+        throw new Error(
+          `Failed to update API key: ${err.error?.message || updateResp.statusText}`,
+        );
+      }
+      return true;
+    }
+  }
+
+  return false; // No browser-restricted keys found.
+}
+
+// ─── Google Cloud API Enablement ─────────────────────────────────────────────
+
+/**
+ * Enable a Google Cloud API for the given project.
+ * Uses the Service Usage API. Idempotent — safe to call even if already enabled.
+ * Waits for the operation to complete (up to ~60s).
+ */
+export async function enableApi(projectId, apiName) {
+  const token = await getAccessToken();
+
+  const response = await fetch(
+    `https://serviceusage.googleapis.com/v1/projects/${projectId}/services/${apiName}:enable`,
+    {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+        "X-Goog-User-Project": projectId,
+      },
+    },
+  );
+
+  if (!response.ok) {
+    const err = await response.json().catch(() => ({}));
+    throw new Error(
+      `Failed to enable ${apiName}: ${err.error?.message || response.statusText}`,
+    );
+  }
+
+  // The response is a long-running operation. Poll until done.
+  const op = await response.json();
+  if (op.done) return true;
+
+  const opName = op.name;
+  for (let i = 0; i < 12; i++) {
+    await new Promise((r) => setTimeout(r, 5000));
+    const pollResp = await fetch(
+      `https://serviceusage.googleapis.com/v1/${opName}`,
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          "X-Goog-User-Project": projectId,
+        },
+      },
+    );
+    if (pollResp.ok) {
+      const pollData = await pollResp.json();
+      if (pollData.done) return true;
+    }
+  }
+
+  throw new Error(`Timed out waiting for ${apiName} to be enabled.`);
+}
+
+// ─── Service Account Management ─────────────────────────────────────────────
+
+/**
+ * Find the firebase-adminsdk service account for the given project.
+ * Returns the account object (with `.email`) or null if not found.
+ */
+export async function findFirebaseAdminSdkAccount(projectId) {
+  const token = await getAccessToken();
+
+  const response = await fetch(
+    `https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts?pageSize=100`,
+    {
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "X-Goog-User-Project": projectId,
+      },
+    },
+  );
+
+  if (!response.ok) {
+    const err = await response.json().catch(() => ({}));
+    throw new Error(
+      `Failed to list service accounts: ${err.error?.message || response.statusText}`,
+    );
+  }
+
+  const data = await response.json();
+  const accounts = data.accounts || [];
+  return (
+    accounts.find((a) => a.email && a.email.includes("firebase-adminsdk")) ||
+    null
+  );
+}
+
+/**
+ * Create a new private key for the given service account.
+ * Returns the parsed JSON key file content.
+ */
+export async function createServiceAccountKey(projectId, serviceAccountEmail) {
+  const token = await getAccessToken();
+
+  const response = await fetch(
+    `https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts/${serviceAccountEmail}/keys`,
+    {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+        "X-Goog-User-Project": projectId,
+      },
+      body: JSON.stringify({
+        privateKeyType: "TYPE_GOOGLE_CREDENTIALS_FILE",
+        keyAlgorithm: "KEY_ALG_RSA_2048",
+      }),
+    },
+  );
+
+  if (!response.ok) {
+    const err = await response.json().catch(() => ({}));
+    const msg = err.error?.message || response.statusText;
+    if (msg.includes("maximum number of keys")) {
+      throw new Error(
+        `Service account has reached the 10-key limit. Delete old keys at:\n` +
+          `  https://console.cloud.google.com/iam-admin/serviceaccounts/details/${encodeURIComponent(serviceAccountEmail)}/keys?project=${projectId}`,
+      );
+    }
+    throw new Error(`Failed to create service account key: ${msg}`);
+  }
+
+  const data = await response.json();
+  const keyJson = Buffer.from(data.privateKeyData, "base64").toString("utf-8");
+  return JSON.parse(keyJson);
+}
+
+// ─── Firestore Security Rules ───────────────────────────────────────────────
+
+/**
+ * Deploy Firestore security rules via the Firebase Rules REST API.
+ *
+ * Three-step process:
+ *   1. Create a new ruleset containing the rules source.
+ *   2. Update (or create) the `cloud.firestore` release for the (default) database.
+ *   3. Also deploy to `cloud.firestore/database/default` for the named "default"
+ *      database (firebase CLI creates a named db, not the (default) alias).
+ */
+export async function deployFirestoreRules(projectId, rulesContent) {
+  const token = await getAccessToken();
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    "Content-Type": "application/json",
+    "X-Goog-User-Project": projectId,
+  };
+
+  // Step 1: Create ruleset
+  const rulesetResponse = await fetch(
+    `https://firebaserules.googleapis.com/v1/projects/${projectId}/rulesets`,
+    {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        source: {
+          files: [
+            {
+              content: rulesContent,
+              name: "firestore.rules",
+            },
+          ],
+        },
+      }),
+    },
+  );
+
+  if (!rulesetResponse.ok) {
+    const err = await rulesetResponse.json().catch(() => ({}));
+    throw new Error(
+      `Failed to create ruleset: ${err.error?.message || rulesetResponse.statusText}`,
+    );
+  }
+
+  const ruleset = await rulesetResponse.json();
+  const rulesetName = ruleset.name;
+
+  // Step 2: Deploy the ruleset as the release for the (default) database.
+  const releaseNames = [`projects/${projectId}/releases/cloud.firestore`];
+
+  for (const releaseName of releaseNames) {
+    // Try creating the release first (works for new projects).
+    let releaseResponse = await fetch(
+      `https://firebaserules.googleapis.com/v1/projects/${projectId}/releases`,
+      {
+        method: "POST",
+        headers,
+        body: JSON.stringify({
+          name: releaseName,
+          rulesetName: rulesetName,
+        }),
+      },
+    );
+
+    if (!releaseResponse.ok && releaseResponse.status === 409) {
+      // Release already exists — update it via PATCH (requires wrapper + updateMask).
+      releaseResponse = await fetch(
+        `https://firebaserules.googleapis.com/v1/${releaseName}?updateMask=rulesetName`,
+        {
+          method: "PATCH",
+          headers,
+          body: JSON.stringify({
+            release: {
+              name: releaseName,
+              rulesetName: rulesetName,
+            },
+          }),
+        },
+      );
+    }
+
+    if (!releaseResponse.ok) {
+      const err = await releaseResponse.json().catch(() => ({}));
+      throw new Error(
+        `Failed to deploy rules release: ${err.error?.message || releaseResponse.statusText}`,
+      );
+    }
+  }
+
+  return true;
+}