o ˷eK@sdZddlZddlZddlZddlZddlmZddlmZddlmZddlm Z ddl Z ddl Z ddl Z ddlmZddlmZdd lmZd Zd Zd Zd ZeejddZeejddZeejddZdZegdZdZdZ dZ!dZ"Gddde j#j$j%Z&GdddZ'GdddZ(Gd d!d!e j)Z*Gd"d#d#Z+Gd$d%d%Z,Gd&d'd'ej-Z.Gd(d)d)ej-Z/Gd*d+d+ej0Z1Gd,d-d-ej0Z2Gd.d/d/ej3Z4Gd0d1d1e4Z5Gd2d3d3e4Z6dS)4z1Firebase token minting and validation sub module.N) credentials)iam)jwt) transport) exceptions) _auth_utils) _http_clientzhttps://securetoken.google.com/zXhttps://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.comz$https://session.firebase.google.com/zEhttps://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys)minutes)days)hourszYhttps://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit)acramrat_hashaud auth_timeazpcnfc_hashexpfirebaseiatissjtinbfnoncesubzZhttp://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/emailRS256nonez"firebase-auth-emulator@example.comc@s eZdZdZddZddZdS)_EmulatedSignerNcCsdSNselfr#r#P/var/www/ideatree/venv/lib/python3.10/site-packages/firebase_admin/_token_gen.py__init__Bz_EmulatedSigner.__init__cCsdS)Nr#r%messager#r#r&signEr(z_EmulatedSigner.sign)__name__ __module__ __qualname__key_idr'r,r#r#r#r&r!?s r!c@sdeZdZdZefddZeddZeddZedd Z e d d Z e d d Z e ddZ dS)_SigningProviderz2Stores a reference to a google.auth.crypto.Signer.cCs||_||_||_dSr")_signer _signer_email_alg)r%signer signer_emailalgr#r#r&r'Ls z_SigningProvider.__init__cC|jSr")r2r$r#r#r&r5Qz_SigningProvider.signercCr8r")r3r$r#r#r&r6Ur9z_SigningProvider.signer_emailcCr8r")r4r$r#r#r&r7Yr9z_SigningProvider.algcCst|j|jSr")r1r5r6)cls google_credr#r#r&from_credential]z _SigningProvider.from_credentialcCst|||}t||Sr")rSignerr1)r:requestr;service_accountr5r#r#r&from_iamas z_SigningProvider.from_iamcCsttttSr")r1r!AUTH_EMULATOR_EMAILALGORITHM_NONE)r:r#r#r& for_emulatorfr=z_SigningProvider.for_emulatorN)r-r.r/__doc__ALGORITHM_RS256r'propertyr5r6r7 classmethodr<rArDr#r#r#r&r1Is      r1c@sDeZdZdZdZdddZddZedd Zdd d Z d d Z dS)TokenGeneratorz,Generates custom tokens and session cookies.z)https://identitytoolkit.googleapis.com/v1NcCs<||_||_tj|_|p|j}d||j|_ d|_ dS)Nz{0}/projects/{1}) app http_clientrrequestsRequestr?ID_TOOLKIT_URLformat project_idbase_url_signing_provider)r%rJrK url_override url_prefixr#r#r&r'ps    zTokenGenerator.__init__cCstrtS|jj}t|tj j j rt |S|jj d}|r,t|j||St|tjr7t |S|jtddid}|jdkrOtd|j|j}t|j||S)zPInitializes a signing provider by following the go/firebase-admin-sign protocol.serviceAccountIdzMetadata-FlavorGoogle)urlheadersz2Failed to contact the local metadata service: {0}.)r is_emulatedr1rDrJ credentialget_credential isinstancegoogleoauth2r@ Credentialsr<optionsgetrAr?rSigningMETADATA_SERVICE_URLstatus ValueErrorrOdatadecode)r%r;r@respr#r#r&_init_signing_providerxs"      z%TokenGenerator._init_signing_providerc CsL|js#z ||_W|jSty"}z d}td||d}~ww|jS)z@Initializes and returns the SigningProvider instance to be used.z@https://firebase.google.com/docs/auth/admin/create-custom-tokenszFailed to determine service account: {0}. Make sure to initialize the SDK with service account credentials or specify a service account ID with iam.serviceAccounts.signBlob permission. Please refer to {1} for more details on creating custom tokens.N)rRrj ExceptionrfrO)r%errorrWr#r#r&signing_providers zTokenGenerator.signing_providerc Cs&|dur5t|ts tdt|t@}|r5t|dkr)dd|}t|dd|}t||rBt|t rBt|dkrFtd|j }t t }|j |j t|||td }|rb||d <|durj||d <d |ji} z tj|j|| d WStjjjy} z d| } t| | d} ~ ww)z.Builds and signs a Firebase custom auth token.Nz%developer_claims must be a dictionaryr z:Developer claims {0} are reserved and cannot be specified.z, z8Developer claim {0} is reserved and cannot be specified.z2uid must be a string between 1 and 128 characters.)rrruidrr tenant_idclaimsr7)headerz Failed to sign custom token. {0})r]dictrfsetkeysRESERVED_CLAIMSlenrOjoinstrrminttimer6FIREBASE_AUDIENCEMAX_TOKEN_LIFETIME_SECONDSr7rencoder5r^authrTransportErrorTokenSignError) r%rodeveloper_claimsrpdisallowed_keys error_messagermnowpayloadrrrlmsgr#r#r&create_custom_tokensR      z"TokenGenerator.create_custom_tokenc Cst|tr |dn|}t|tr|std|t|tjr&t| }t|t s0t|ts7td||t krCtd|t |t krOtd|t d|j }||d}z |jjd||d \}}Wntjjyz}zt|d }~ww|r|d stjd |d |d S)z4Creates a session cookie from the provided ID token.utf-8zDIllegal ID token provided: {0}. ID token must be a non-empty string.zIllegal expiry duration: {0}.zDIllegal expiry duration: {0}. Duration must be at least {1} seconds.zCIllegal expiry duration: {0}. Duration must be at most {1} seconds.z{0}:createSessionCookie)idToken validDurationpost)jsonN sessionCookiez Failed to create session cookie.) http_response)r]bytesrhryrfrOdatetime timedeltarz total_secondsbool#MIN_SESSION_COOKIE_DURATION_SECONDS#MAX_SESSION_COOKIE_DURATION_SECONDSrQrKbody_and_responserLrRequestExceptionrhandle_auth_backend_errorrbUnexpectedResponseError)r%id_token expires_inrWrbody http_resprlr#r#r&create_session_cookiesB     z$TokenGenerator.create_session_cookier")NN) r-r.r/rErNr'rjrGrmrrr#r#r#r&rIks    -rIc@s<eZdZdZd ddZeddZeddZd d d ZdS)CertificateFetchRequestzyA google-auth transport that supports HTTP cache-control. Also injects a timeout to each outgoing HTTP request. NcCs*tt|_tj|j|_||_ dSr") cachecontrol CacheControlrLSession_sessionrrMsession _delegate_timeout_seconds)r%timeout_secondsr#r#r&r's z CertificateFetchRequest.__init__cCr8r")rr$r#r#r&rr9zCertificateFetchRequest.sessioncCr8r")rr$r#r#r&rr9z'CertificateFetchRequest.timeout_secondsGETcKs&|p|j}|j|f||||d|S)N)methodrrXtimeout)rr)r%rWrrrXrkwargsr#r#r&__call__s z CertificateFetchRequest.__call__r")rNNN) r-r.r/rEr'rGrrrr#r#r#r&rs   rc@(eZdZdZddZddZddZdS) TokenVerifierz'Verifies ID tokens and session cookies.c CsX|jdtj}t||_t|jdddtt t j t d|_ t|jdddttttd|_dS)N httpTimeoutzID tokenzverify_id_token()zr!r1rIrMrrrrrrrrrrrrrr#r#r#r&sT         " t