ѮhKdZddlZddlZddlZddlZddlmZddlmZddlmZddlm Z ddl Z ddl Z ddl Z ddlmZddlmZdd lmZd Zd Zd Zd Zeej.dj1Zeej.dj1Zeej.dj1ZdZegdZdZdZ dZ!dZ"Gdde jFjHjJZ&GddZ'GddZ(Gd d!e jRZ*Gd"d#Z+Gd$d%Z,Gd&d'ejZZ.Gd(d)ejZZ/Gd*d+ej`Z1Gd,d-ej`Z2Gd.d/ejfZ4Gd0d1e4Z5Gd2d3e4Z6y)4z1Firebase token minting and validation sub module.N) credentials)iam)jwt) transport) exceptions) _auth_utils) _http_clientzhttps://securetoken.google.com/zXhttps://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.comz$https://session.firebase.google.com/zEhttps://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys)minutes)days)hourszYhttps://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit)acramrat_hashaud auth_timeazpcnfc_hashexpfirebaseiatissjtinbfnoncesubzZhttp://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/emailRS256nonez"firebase-auth-emulator@example.comceZdZdZdZdZy)_EmulatedSignerNcyNselfs k/home/www/academy-backend.kofcorporation.com/venv/lib/python3.12/site-packages/firebase_admin/_token_gen.py__init__z_EmulatedSigner.__init__Bs cy)Nr+r&r(messages r)signz_EmulatedSigner.signEsr+)__name__ __module__ __qualname__key_idr*r/r&r+r)r#r#?s F r+r#czeZdZdZefdZedZedZedZ e dZ e dZ e dZ y ) _SigningProviderz2Stores a reference to a google.auth.crypto.Signer.c.||_||_||_yr%)_signer _signer_email_alg)r(signer signer_emailalgs r)r*z_SigningProvider.__init__Ls ) r+c|jSr%)r7r's r)r:z_SigningProvider.signerQs ||r+c|jSr%)r8r's r)r;z_SigningProvider.signer_emailUs!!!r+c|jSr%)r9r's r)r<z_SigningProvider.algYs yyr+cBt|j|jSr%)r5r:r;)cls google_creds r)from_credentialz _SigningProvider.from_credential]s 2 2K4L4LMMr+cHtj|||}t||Sr%)rSignerr5)rArequestrBservice_accountr:s r)from_iamz_SigningProvider.from_iamas!G[/B88r+c<ttttSr%)r5r#AUTH_EMULATOR_EMAILALGORITHM_NONE)rAs r) for_emulatorz_SigningProvider.for_emulatorfs 13FWWr+N)r0r1r2__doc__ALGORITHM_RS256r*propertyr:r;r< classmethodrCrHrLr&r+r)r5r5Is<1@ ""NN99XXr+r5c@eZdZdZdZd dZdZedZd dZ dZ y) TokenGeneratorz,Generates custom tokens and session cookies.z)https://identitytoolkit.googleapis.com/v1Nc||_||_tjj |_|xs |j }|d|j|_d|_ y)Nz /projects/) app http_clientrrequestsRequestrFID_TOOLKIT_URL project_idbase_url_signing_provider)r(rTrU url_override url_prefixs r)r*zTokenGenerator.__init__psV& ))113 !8T%8%8 %,j0@A !%r+c"tjrtjS|jj j }t|tjjjrtj|S|jjjd}|r!tj|j ||St|t"j$rtj|S|j!t&ddi}|j(dk7r't+d|j,j/d|j,j/}tj|j ||S)zPInitializes a signing provider by following the go/firebase-admin-sign protocol.serviceAccountIdzMetadata-FlavorGoogle)urlheadersz.Failed to contact the local metadata service: .)r is_emulatedr5rLrT credentialget_credential isinstancegoogleoauth2rG CredentialsrCoptionsgetrHrFrSigningMETADATA_SERVICE_URLstatus ValueErrordatadecode)r(rBrGresps r)_init_signing_providerz%TokenGenerator._init_signing_providerxs9  " " $#002 2hh))88: k6==#@#@#L#L M#33K@ @((**../AB #,,T\\;X X k;#6#6 7#33K@ @|| 4?PRZ>[|\ ;;# @AQAQAS@TTUVX X))**,(({OTTr+c|js" |j|_|jS|jS#t$r}d}td|d|d|d}~wwxYw)z@Initializes and returns the SigningProvider instance to be used.z@https://firebase.google.com/docs/auth/admin/create-custom-tokensz%Failed to determine service account: z. Make sure to initialize the SDK with service account credentials or specify a service account ID with iam.serviceAccounts.signBlob permission. Please refer to z, for more details on creating custom tokens.N)r[ru Exceptionrq)r(errorras r)signing_providerzTokenGenerator.signing_providers%% E)-)D)D)F&%%%t%%% EX ;E7CPPSuU99:@E E Es; AAAc|t|ts tdt|j t z}|rNt |dkDr ddj|d}t|ddj|d}t||rt|trt |d kDr td |j}ttj}|j|jt|||tzd }|r||d <|||d <d|ji} t!j"|j$|| S#t&j(j*j,$r} d| } t/| | | d} ~ wwxYw)z.Builds and signs a Firebase custom auth token.Nz%developer_claims must be a dictionaryrzDeveloper claims z, z& are reserved and cannot be specified.zDeveloper claim z% is reserved and cannot be specified.z2uid must be a string between 1 and 128 characters.)rrruidrr tenant_idclaimsr<)headerzFailed to sign custom token. )rhdictrqsetkeysRESERVED_CLAIMSlenjoinstrryinttimer;FIREBASE_AUDIENCEMAX_TOKEN_LIFETIME_SECONDSr<rencoder:riauthrTransportErrorTokenSignError) r(r|developer_claimsr}disallowed_keys error_messagerynowpayloadrrxmsgs r)create_custom_tokenz"TokenGenerator.create_custom_tokens  '.5 !HII!"2"7"7"9:_LO'!++DIIo,F+GH%%"!//+499_+E*FG%%"!//*S#.#c(S.QR R00$))+#00#00$33   #,GK  ' 0GH )--. 8::.55wvN N{{%%44 81%9C e,% 7 8s'!E 'F0FFc t|tr|jdn|}t|tr|st d|dt|t j rt|j}t|tst|tst d|d|tkrt d|dtd|tkDrt d|dtd|jd }||d } |jjd || \}}|r|j)dst%j*d||j)dS#tj j"$r}t%j&|d }~wwxYw)z4Creates a session cookie from the provided ID token.utf-8zIllegal ID token provided: z&. ID token must be a non-empty string.zIllegal expiry duration: rdz. Duration must be at least z seconds.z. Duration must be at most z:createSessionCookie)idToken validDurationpost)jsonN sessionCookiez Failed to create session cookie.) http_response)rhbytesrsrrqdatetime timedeltar total_secondsbool#MIN_SESSION_COOKIE_DURATION_SECONDS#MAX_SESSION_COOKIE_DURATION_SECONDSrZrUbody_and_responserVrRequestExceptionrhandle_auth_backend_errorrmUnexpectedResponseError)r(id_token expires_inrarbody http_resprxs r)create_session_cookiez$TokenGenerator.create_session_cookies/9(E/J8??7+PX(C(-hZ7]^` ` j("4"4 5Z5578J j$ 'z*c/J8 AFG G ; ;+J<7S67yBC C ; ;+J<7R67yBC C34'  ?"..@@SZ@[OD)488O4552)M Mxx(( ""33 ?77> > ?s:!EF 3FF r%)NN) r0r1r2rMrXr*rurOryrrr&r+r)rRrRks46@N&U: & &*8Z )r+rRc@eZdZdZddZedZedZddZy) CertificateFetchRequestzyA google-auth transport that supports HTTP cache-control. Also injects a timeout to each outgoing HTTP request. Nctjtj|_t jj |j|_||_ yr%) cachecontrol CacheControlrVSession_sessionrrWsession _delegate_timeout_seconds)r(timeout_secondss r)r*z CertificateFetchRequest.__init__sA$11(2B2B2DE "++33DLLA /r+c|jSr%)rr's r)rzCertificateFetchRequest.sessions }}r+c|jSr%)rr's r)rz'CertificateFetchRequest.timeout_secondss$$$r+c R|xs |j}|j|f||||d|S)N)methodrrbtimeout)rr)r(rarrrbrkwargss r)__call__z CertificateFetchRequest.__call__sB1T11t~~ WT7GWOUW Wr+r%)GETNNN) r0r1r2rMr*rOrrrr&r+r)rrs: 0 %%Wr+rc&eZdZdZdZddZddZy) TokenVerifierz'Verifies ID tokens and session cookies.c T|jjdtj}t ||_t |jdddtttjt|_ t |jdddttt t"|_y)N httpTimeoutzID tokenzverify_id_token()z>")D,D,D+EF &**U"3zz% G+ 11"'7;;sB+?"?~~&i0H0H/IJ$$#,DOO+<

@  (DOO,-OO$Kz=Q &5U%;OE "" "{{%%44 L'E %@e K E#e*,//E %/HH++CJe+D D Es&#AL44'OM22 O>AOOc tj|}tj|d}||fS#t$r!}|j t ||d}~wwxYw)NF)rr)r decode_headerrsrqrr)r(rrrrxs r)rz_JWTVerifier._decode_unverifieds^ E&&u-Fjju5G7? " E++CJe+D D Es/2 AAANr)r0r1r2rMr*rrr&r+r)rr+s@ F]E~Er+rceZdZdZdZy)rz7Unexpected error while signing a Firebase custom token.cFtjj|||yr%r UnknownErrorr*r(r.rs r)r*zTokenSignError.__init__((w>r+Nr0r1r2rMr*r&r+r)rrs A?r+rceZdZdZdZy)rzHFailed to fetch some public key certificates required to verify a token.cFtjj|||yr%rrs r)r*zCertificateFetchError.__init__rr+Nrr&r+r)rrs R?r+rceZdZdZdZy)rz!The provided ID token is expired.cFtjj|||yr%rrr*rs r)r*zExpiredIdTokenError.__init__s''00wFr+Nrr&r+r)rrs +Gr+rceZdZdZdZy)RevokedIdTokenErrorz'The provided ID token has been revoked.cDtjj||yr%r r-s r)r*zRevokedIdTokenError.__init__s''00w?r+Nrr&r+r)r r s 1@r+r ceZdZdZddZy)rz;The provided string is not a valid Firebase session cookie.NcFtjj|||yr%)rInvalidArgumentErrorr*rs r)r*z"InvalidSessionCookieError.__init__s''00wFr+r%rr&r+r)rrs EGr+rceZdZdZdZy)rz'The provided session cookie is expired.c2tj|||yr%rr*rs r)r*z"ExpiredSessionCookieError.__init__s!**4%@r+Nrr&r+r)rrs 1Ar+rceZdZdZdZy)RevokedSessionCookieErrorz-The provided session cookie has been revoked.c0tj||yr%rr-s r)r*z"RevokedSessionCookieError.__init__s!**49r+Nrr&r+r)rrs 7:r+r)7rMrrrrV google.authrrrrgoogle.auth.exceptionsrigoogle.oauth2.id_tokengoogle.oauth2.service_accountfirebase_adminrrr rrrrrrrrrrrrrrorNrKrJrcryptrEr#r5rRrWrrrrrrrrr rrrrr&r+r)rs8 #!$%&';>>Y&)*<(*<*