1 |
|
2 | "use strict";
|
3 |
|
4 |
|
5 |
|
6 |
|
7 |
|
8 |
|
9 |
|
10 |
|
11 |
|
12 |
|
13 |
|
14 |
|
15 |
|
16 |
|
17 |
|
18 |
|
19 | Object.defineProperty(exports, "__esModule", { value: true });
|
20 | exports.appCheckErrorFromCryptoSignerError = exports.AppCheckTokenGenerator = void 0;
|
21 | const validator = require("../utils/validator");
|
22 | const utils_1 = require("../utils");
|
23 | const crypto_signer_1 = require("../utils/crypto-signer");
|
24 | const app_check_api_client_internal_1 = require("./app-check-api-client-internal");
|
25 | const ONE_MINUTE_IN_SECONDS = 60;
|
26 | const ONE_MINUTE_IN_MILLIS = ONE_MINUTE_IN_SECONDS * 1000;
|
27 | const ONE_DAY_IN_MILLIS = 24 * 60 * 60 * 1000;
|
28 |
|
29 | const FIREBASE_APP_CHECK_AUDIENCE = 'https://firebaseappcheck.googleapis.com/google.firebase.appcheck.v1.TokenExchangeService';
|
30 |
|
31 |
|
32 |
|
33 |
|
34 |
|
35 | class AppCheckTokenGenerator {
|
36 | |
37 |
|
38 |
|
39 |
|
40 |
|
41 |
|
42 | constructor(signer) {
|
43 | if (!validator.isNonNullObject(signer)) {
|
44 | throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', 'INTERNAL ASSERT: Must provide a CryptoSigner to use AppCheckTokenGenerator.');
|
45 | }
|
46 | this.signer = signer;
|
47 | }
|
48 | |
49 |
|
50 |
|
51 |
|
52 |
|
53 |
|
54 |
|
55 |
|
56 | createCustomToken(appId, options) {
|
57 | if (!validator.isNonEmptyString(appId)) {
|
58 | throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', '`appId` must be a non-empty string.');
|
59 | }
|
60 | let customOptions = {};
|
61 | if (typeof options !== 'undefined') {
|
62 | customOptions = this.validateTokenOptions(options);
|
63 | }
|
64 | return this.signer.getAccountId().then((account) => {
|
65 | const header = {
|
66 | alg: this.signer.algorithm,
|
67 | typ: 'JWT',
|
68 | };
|
69 | const iat = Math.floor(Date.now() / 1000);
|
70 | const body = {
|
71 | iss: account,
|
72 | sub: account,
|
73 | app_id: appId,
|
74 | aud: FIREBASE_APP_CHECK_AUDIENCE,
|
75 | exp: iat + (ONE_MINUTE_IN_SECONDS * 5),
|
76 | iat,
|
77 | ...customOptions,
|
78 | };
|
79 | const token = `${this.encodeSegment(header)}.${this.encodeSegment(body)}`;
|
80 | return this.signer.sign(Buffer.from(token))
|
81 | .then((signature) => {
|
82 | return `${token}.${this.encodeSegment(signature)}`;
|
83 | });
|
84 | }).catch((err) => {
|
85 | throw appCheckErrorFromCryptoSignerError(err);
|
86 | });
|
87 | }
|
88 | encodeSegment(segment) {
|
89 | const buffer = (segment instanceof Buffer) ? segment : Buffer.from(JSON.stringify(segment));
|
90 | return (0, utils_1.toWebSafeBase64)(buffer).replace(/=+$/, '');
|
91 | }
|
92 | |
93 |
|
94 |
|
95 |
|
96 |
|
97 |
|
98 |
|
99 | validateTokenOptions(options) {
|
100 | if (!validator.isNonNullObject(options)) {
|
101 | throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', 'AppCheckTokenOptions must be a non-null object.');
|
102 | }
|
103 | if (typeof options.ttlMillis !== 'undefined') {
|
104 | if (!validator.isNumber(options.ttlMillis)) {
|
105 | throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', 'ttlMillis must be a duration in milliseconds.');
|
106 | }
|
107 |
|
108 | if (options.ttlMillis < (ONE_MINUTE_IN_MILLIS * 30) || options.ttlMillis > (ONE_DAY_IN_MILLIS * 7)) {
|
109 | throw new app_check_api_client_internal_1.FirebaseAppCheckError('invalid-argument', 'ttlMillis must be a duration in milliseconds between 30 minutes and 7 days (inclusive).');
|
110 | }
|
111 | return { ttl: (0, utils_1.transformMillisecondsToSecondsString)(options.ttlMillis) };
|
112 | }
|
113 | return {};
|
114 | }
|
115 | }
|
116 | exports.AppCheckTokenGenerator = AppCheckTokenGenerator;
|
117 |
|
118 |
|
119 |
|
120 |
|
121 |
|
122 |
|
123 |
|
124 | function appCheckErrorFromCryptoSignerError(err) {
|
125 | if (!(err instanceof crypto_signer_1.CryptoSignerError)) {
|
126 | return err;
|
127 | }
|
128 | if (err.code === crypto_signer_1.CryptoSignerErrorCode.SERVER_ERROR && validator.isNonNullObject(err.cause)) {
|
129 | const httpError = err.cause;
|
130 | const errorResponse = httpError.response.data;
|
131 | if (errorResponse?.error) {
|
132 | const status = errorResponse.error.status;
|
133 | const description = errorResponse.error.message || JSON.stringify(httpError.response);
|
134 | let code = 'unknown-error';
|
135 | if (status && status in app_check_api_client_internal_1.APP_CHECK_ERROR_CODE_MAPPING) {
|
136 | code = app_check_api_client_internal_1.APP_CHECK_ERROR_CODE_MAPPING[status];
|
137 | }
|
138 | return new app_check_api_client_internal_1.FirebaseAppCheckError(code, `Error returned from server while signing a custom token: ${description}`);
|
139 | }
|
140 | return new app_check_api_client_internal_1.FirebaseAppCheckError('internal-error', 'Error returned from server: ' + JSON.stringify(errorResponse) + '.');
|
141 | }
|
142 | return new app_check_api_client_internal_1.FirebaseAppCheckError(mapToAppCheckErrorCode(err.code), err.message);
|
143 | }
|
144 | exports.appCheckErrorFromCryptoSignerError = appCheckErrorFromCryptoSignerError;
|
145 | function mapToAppCheckErrorCode(code) {
|
146 | switch (code) {
|
147 | case crypto_signer_1.CryptoSignerErrorCode.INVALID_CREDENTIAL:
|
148 | return 'invalid-credential';
|
149 | case crypto_signer_1.CryptoSignerErrorCode.INVALID_ARGUMENT:
|
150 | return 'invalid-argument';
|
151 | default:
|
152 | return 'internal-error';
|
153 | }
|
154 | }
|