1 |
|
2 | "use strict";
|
3 |
|
4 |
|
5 |
|
6 |
|
7 |
|
8 |
|
9 |
|
10 |
|
11 |
|
12 |
|
13 |
|
14 |
|
15 |
|
16 |
|
17 |
|
18 |
|
19 | var __assign = (this && this.__assign) || function () {
|
20 | __assign = Object.assign || function(t) {
|
21 | for (var s, i = 1, n = arguments.length; i < n; i++) {
|
22 | s = arguments[i];
|
23 | for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p))
|
24 | t[p] = s[p];
|
25 | }
|
26 | return t;
|
27 | };
|
28 | return __assign.apply(this, arguments);
|
29 | };
|
30 | Object.defineProperty(exports, "__esModule", { value: true });
|
31 | exports.appCheckErrorFromCryptoSignerError = exports.AppCheckTokenGenerator = void 0;
|
32 | var validator = require("../utils/validator");
|
33 | var utils_1 = require("../utils");
|
34 | var crypto_signer_1 = require("../utils/crypto-signer");
|
35 | var app_check_api_client_internal_1 = require("./app-check-api-client-internal");
|
36 | var ONE_MINUTE_IN_SECONDS = 60;
|
37 | var ONE_MINUTE_IN_MILLIS = ONE_MINUTE_IN_SECONDS * 1000;
|
38 | var ONE_DAY_IN_MILLIS = 24 * 60 * 60 * 1000;
|
39 |
|
40 | var FIREBASE_APP_CHECK_AUDIENCE = 'https://firebaseappcheck.googleapis.com/google.firebase.appcheck.v1beta.TokenExchangeService';
|
41 |
|
42 |
|
43 |
|
44 |
|
45 |
|
46 | var AppCheckTokenGenerator = (function () {
|
47 | |
48 |
|
49 |
|
50 |
|
51 |
|
52 |
|
53 | function AppCheckTokenGenerator(signer) {
|
54 | if (!validator.isNonNullObject(signer)) {
|
55 | throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', 'INTERNAL ASSERT: Must provide a CryptoSigner to use AppCheckTokenGenerator.');
|
56 | }
|
57 | this.signer = signer;
|
58 | }
|
59 | |
60 |
|
61 |
|
62 |
|
63 |
|
64 |
|
65 |
|
66 |
|
67 | AppCheckTokenGenerator.prototype.createCustomToken = function (appId, options) {
|
68 | var _this = this;
|
69 | if (!validator.isNonEmptyString(appId)) {
|
70 | throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', '`appId` must be a non-empty string.');
|
71 | }
|
72 | var customOptions = {};
|
73 | if (typeof options !== 'undefined') {
|
74 | customOptions = this.validateTokenOptions(options);
|
75 | }
|
76 | return this.signer.getAccountId().then(function (account) {
|
77 | var header = {
|
78 | alg: _this.signer.algorithm,
|
79 | typ: 'JWT',
|
80 | };
|
81 | var iat = Math.floor(Date.now() / 1000);
|
82 | var body = __assign({ iss: account, sub: account,
|
83 |
|
84 | app_id: appId, aud: FIREBASE_APP_CHECK_AUDIENCE, exp: iat + (ONE_MINUTE_IN_SECONDS * 5), iat: iat }, customOptions);
|
85 | var token = _this.encodeSegment(header) + "." + _this.encodeSegment(body);
|
86 | return _this.signer.sign(Buffer.from(token))
|
87 | .then(function (signature) {
|
88 | return token + "." + _this.encodeSegment(signature);
|
89 | });
|
90 | }).catch(function (err) {
|
91 | throw appCheckErrorFromCryptoSignerError(err);
|
92 | });
|
93 | };
|
94 | AppCheckTokenGenerator.prototype.encodeSegment = function (segment) {
|
95 | var buffer = (segment instanceof Buffer) ? segment : Buffer.from(JSON.stringify(segment));
|
96 | return utils_1.toWebSafeBase64(buffer).replace(/=+$/, '');
|
97 | };
|
98 | |
99 |
|
100 |
|
101 |
|
102 |
|
103 |
|
104 |
|
105 | AppCheckTokenGenerator.prototype.validateTokenOptions = function (options) {
|
106 | if (!validator.isNonNullObject(options)) {
|
107 | throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', 'AppCheckTokenOptions must be a non-null object.');
|
108 | }
|
109 | if (typeof options.ttlMillis !== 'undefined') {
|
110 | if (!validator.isNumber(options.ttlMillis)) {
|
111 | throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', 'ttlMillis must be a duration in milliseconds.');
|
112 | }
|
113 |
|
114 | if (options.ttlMillis < (ONE_MINUTE_IN_MILLIS * 30) || options.ttlMillis > (ONE_DAY_IN_MILLIS * 7)) {
|
115 | throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', 'ttlMillis must be a duration in milliseconds between 30 minutes and 7 days (inclusive).');
|
116 | }
|
117 | return { ttl: utils_1.transformMillisecondsToSecondsString(options.ttlMillis) };
|
118 | }
|
119 | return {};
|
120 | };
|
121 | return AppCheckTokenGenerator;
|
122 | }());
|
123 | exports.AppCheckTokenGenerator = AppCheckTokenGenerator;
|
124 |
|
125 |
|
126 |
|
127 |
|
128 |
|
129 |
|
130 |
|
131 | function appCheckErrorFromCryptoSignerError(err) {
|
132 | if (!(err instanceof crypto_signer_1.CryptoSignerError)) {
|
133 | return err;
|
134 | }
|
135 | if (err.code === crypto_signer_1.CryptoSignerErrorCode.SERVER_ERROR && validator.isNonNullObject(err.cause)) {
|
136 | var httpError = err.cause;
|
137 | var errorResponse = httpError.response.data;
|
138 | if (errorResponse === null || errorResponse === void 0 ? void 0 : errorResponse.error) {
|
139 | var status = errorResponse.error.status;
|
140 | var description = errorResponse.error.message || JSON.stringify(httpError.response);
|
141 | var code = 'unknown-error';
|
142 | if (status && status in app_check_api_client_internal_1.APP_CHECK_ERROR_CODE_MAPPING) {
|
143 | code = app_check_api_client_internal_1.APP_CHECK_ERROR_CODE_MAPPING[status];
|
144 | }
|
145 | return new app_check_api_client_internal_1.FirebaseAppCheckError(code, "Error returned from server while signing a custom token: " + description);
|
146 | }
|
147 | return new app_check_api_client_internal_1.FirebaseAppCheckError('internal-error', 'Error returned from server: ' + JSON.stringify(errorResponse) + '.');
|
148 | }
|
149 | return new app_check_api_client_internal_1.FirebaseAppCheckError(mapToAppCheckErrorCode(err.code), err.message);
|
150 | }
|
151 | exports.appCheckErrorFromCryptoSignerError = appCheckErrorFromCryptoSignerError;
|
152 | function mapToAppCheckErrorCode(code) {
|
153 | switch (code) {
|
154 | case crypto_signer_1.CryptoSignerErrorCode.INVALID_CREDENTIAL:
|
155 | return 'invalid-credential';
|
156 | case crypto_signer_1.CryptoSignerErrorCode.INVALID_ARGUMENT:
|
157 | return 'invalid-argument';
|
158 | default:
|
159 | return 'internal-error';
|
160 | }
|
161 | }
|