hKdZddlZddlZddlZddlZddlmZddlmZddlmZddlm Z ddl Z ddl Z ddl Z ddlmZddlmZdd lmZd Zd Zd Zd ZeejdZeejdZeejdZdZegdZdZdZ dZ!dZ"Gdde j#j$j%Z&GddZ'GddZ(Gd d!e j)Z*Gd"d#Z+Gd$d%Z,Gd&d'ej-Z.Gd(d)ej-Z/Gd*d+ej0Z1Gd,d-ej0Z2Gd.d/ej3Z4Gd0d1e4Z5Gd2d3e4Z6dS)4z1Firebase token minting and validation sub module.N) credentials)iam)jwt) transport) exceptions) _auth_utils) _http_clientzhttps://securetoken.google.com/zXhttps://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.comz$https://session.firebase.google.com/zEhttps://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys)minutes)days)hourszYhttps://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit)acramrat_hashaud auth_timeazpcnfc_hashexpfirebaseiatissjtinbfnoncesubzZhttp://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/emailRS256nonez"firebase-auth-emulator@example.comceZdZdZdZdZdS)_EmulatedSignerNcdSNselfs ]/var/www/html/e360mart/e360mart_env/lib/python3.11/site-packages/firebase_admin/_token_gen.py__init__z_EmulatedSigner.__init__Bs cdS)Nr+r&r(messages r)signz_EmulatedSigner.signEssr+)__name__ __module__ __qualname__key_idr*r/r&r+r)r#r#?s7 F   r+r#ceZdZdZefdZedZedZedZ e dZ e dZ e dZ d S) _SigningProviderz2Stores a reference to a google.auth.crypto.Signer.c0||_||_||_dSr%)_signer _signer_email_alg)r(signer signer_emailalgs r)r*z_SigningProvider.__init__Ls ) r+c|jSr%)r7r's r)r:z_SigningProvider.signerQs |r+c|jSr%)r8r's r)r;z_SigningProvider.signer_emailUs !!r+c|jSr%)r9r's r)r<z_SigningProvider.algYs yr+c6t|j|jSr%)r5r:r;)cls google_creds r)from_credentialz _SigningProvider.from_credential]s 2K4LMMMr+cNtj|||}t||Sr%)rSignerr5)rArequestrBservice_accountr:s r)from_iamz_SigningProvider.from_iamas%G[/BB888r+cPttttSr%)r5r#AUTH_EMULATOR_EMAILALGORITHM_NONE)rAs r) for_emulatorz_SigningProvider.for_emulatorfs 1 13FWWWr+N)r0r1r2__doc__ALGORITHM_RS256r*propertyr:r;r< classmethodrCrHrLr&r+r)r5r5Is<<1@ X""X"XNN[N99[9XX[XXXr+r5cHeZdZdZdZd dZdZedZd dZ dZ dS) TokenGeneratorz,Generates custom tokens and session cookies.z)https://identitytoolkit.googleapis.com/v1Nc||_||_tj|_|p|j}|d|j|_d|_ dS)Nz /projects/) app http_clientrrequestsRequestrFID_TOOLKIT_URL project_idbase_url_signing_provider)r(rTrU url_override url_prefixs r)r*zTokenGenerator.__init__psY& )1133 !8T%8 %AAAA !%r+ctjrtS|jj}t|tj j j rt |S|jj d}|r!t|j||St|t"jrt |S|t&ddi}|jdkr*t+d|jd|j}t|j||S)zPInitializes a signing provider by following the go/firebase-admin-sign protocol.serviceAccountIdzMetadata-FlavorGoogle)urlheadersz.Failed to contact the local metadata service: .)r is_emulatedr5rLrT credentialget_credential isinstancegoogleoauth2rG CredentialsrCoptionsgetrHrFrSigningMETADATA_SERVICE_URLstatus ValueErrordatadecode)r(rBrGresps r)_init_signing_providerz%TokenGenerator._init_signing_providerxs^  " $ $ 3#0022 2h)88:: k6=#@#L M M A#33K@@ @(*../ABB  Y#,,T\;XX X k;#6 7 7 A#33K@@ @|| 4?PRZ>[|\\ ;#  VAQAQASASVVVXX X)**,,(({OTTTr+c|jsF ||_n+#t$r}d}td|d|d|d}~wwxYw|jS)z@Initializes and returns the SigningProvider instance to be used.z@https://firebase.google.com/docs/auth/admin/create-custom-tokensz%Failed to determine service account: z. Make sure to initialize the SDK with service account credentials or specify a service account ID with iam.serviceAccounts.signBlob permission. Please refer to z, for more details on creating custom tokens.N)r[ru Exceptionrq)r(errorras r)signing_providerzTokenGenerator.signing_providers% E E)-)D)D)F)F&& E E EX 9E99PS999::@E E E%%s# A AA c$|t|tstdt|t z}|rUt |dkrdd|d}ndd|d}t||r(t|trt |d krtd |j }ttj }|j |j t|||tzd }|r||d <|||d <d|ji} t!j|j|| S#t&jjj$r} d| } t/| | | d} ~ wwxYw)z.Builds and signs a Firebase custom auth token.Nz%developer_claims must be a dictionaryrzDeveloper claims z, z& are reserved and cannot be specified.zDeveloper claim z% is reserved and cannot be specified.z2uid must be a string between 1 and 128 characters.)rrruidrr tenant_idclaimsr<)headerzFailed to sign custom token. )rhdictrqsetkeysRESERVED_CLAIMSlenjoinstrryinttimer;FIREBASE_AUDIENCEMAX_TOKEN_LIFETIME_SECONDSr<rencoder:riauthrTransportErrorTokenSignError) r(r|developer_claimsr}disallowed_keys error_messagerynowpayloadrrxmsgs r)create_custom_tokenz"TokenGenerator.create_custom_tokens  '.55 J !HIII!"2"7"7"9"9::_LO 0''!++%DIIo,F,F%%%"M %499_+E+E%%%"!/// S*S#.. S#c((S..QRR R0$)++#0#0$33     -#,GK  ' 0GH )-. 8:.5wvNNN N{%4 8 8 89%99C e,,% 7 8s?EF4F  Fc|t|tr|dn|}t|tr|st d|dt|t jr!t|}t|tst|tst d|d|tkrt d|dtd|tkrt d|dtd|j d }||d } |j d || \}}n0#tjj$r}t%j|d }~wwxYw|r|dst%jd||dS)z4Creates a session cookie from the provided ID token.utf-8zIllegal ID token provided: z&. ID token must be a non-empty string.zIllegal expiry duration: rdz. Duration must be at least z seconds.z. Duration must be at most z:createSessionCookie)idToken validDurationpost)jsonN sessionCookiez Failed to create session cookie.) http_response)rhbytesrsrrqdatetime timedeltar total_secondsbool#MIN_SESSION_COOKIE_DURATION_SECONDS#MAX_SESSION_COOKIE_DURATION_SECONDSrZrUbody_and_responserVrRequestExceptionrhandle_auth_backend_errorrmUnexpectedResponseError)r(id_token expires_inrarbody http_resprxs r)create_session_cookiez$TokenGenerator.create_session_cookies@/9(E/J/JX8??7+++PX(C(( ` `^h^^^`` ` j("4 5 5 9Z557788J j$ ' ' Hz*c/J/J HFFFFGG G ; ; ;BJBB6BBBCC C ; ; ;BJBB6BBBCC C444'   ?".@@SZ@[[OD))"3 ? ? ?7>> > ? M488O44 M52)MMM Mxx(((s+ E E9 E44E9r%)NN) r0r1r2rMrXr*rurOryrrr&r+r)rRrRks66@N&&&&UUU: & &X &*8*8*8*8Z ) ) ) ) )r+rRcNeZdZdZddZedZedZd dZdS) CertificateFetchRequestzyA google-auth transport that supports HTTP cache-control. Also injects a timeout to each outgoing HTTP request. Nctjtj|_t j|j|_||_ dSr%) cachecontrol CacheControlrVSession_sessionrrWsession _delegate_timeout_seconds)r(timeout_secondss r)r*z CertificateFetchRequest.__init__sE$1(2B2D2DEE "+33DLAA /r+c|jSr%)rr's r)rzCertificateFetchRequest.sessions }r+c|jSr%)rr's r)rz'CertificateFetchRequest.timeout_secondss $$r+GETc :|p|j}|j|f||||d|S)N)methodrrbtimeout)rr)r(rarrrbrkwargss r)__call__z CertificateFetchRequest.__call__sI1T1t~ WT7GWWOUWW Wr+r%)rNNN) r0r1r2rMr*rOrrrr&r+r)rrs 0000 X%%X%WWWWWWr+rc(eZdZdZdZddZddZdS) TokenVerifierz'Verifies ID tokens and session cookies.c V|jdtj}t ||_t |jdddtttj t|_ t |jdddttt t"|_dS)N httpTimeoutzID tokenzverify_id_token()zT_'>'>D $ $'=DO'='=D $$*JJ/D$E$E!$*JJ/D$E$E!!!r+rc pt|tr|dn|}t|tr|s#t d|jd|d|jd|jst d|jd|dks|d krt d |d ||\}}| d }| d }| d}|j |jz} d|jd} d|j d|jd} tj } d} |tkr|jd|jd} nX| s~| dsi| ddkrD| ddkr+d| divr|jd|jd} nd|jd} n| s=| dd kr$d|jd!| dd"| } n||jkrd|jd#|jd$|d"| d%| } nr|| krd|jd&| d$|d"| d%| } nU|t|tsd|jd'| } n0|sd|jd(| } n t!|d)kr d|jd*| } | r||  | r|}n3t$jj|||j|j|+}|d|d<|S#t$jjj$r$}t5t||,|d}~wt$r^}d-t|vr$|t||,|t||,d}~wwxYw).z5Verifies the signature and data for the provided JWT.rzIllegal z provided: z. z must be a non-empty string.zfFailed to ascertain project ID from the credential or the environment. Project ID is required to call z. Initialize the app with a credentials.Certificate or set your Firebase project ID as an app option. Alternatively set the GOOGLE_CLOUD_PROJECT environment variable.r<z"Illegal clock_skew_seconds value: z&. Must be between 0 and 60, inclusive.rrrzMake sure the z[ comes from the same Firebase project as the service account used to authenticate this SDK.zSee z for details on how to retrieve rdNz expects z, but was given a custom token.kidr<HS256vr|dz&, but was given a legacy custom token.z Firebase z has no "kid" claim.r z4 has incorrect algorithm. Expected "RS256" but got "z". z1 has incorrect "aud" (audience) claim. Expected "z " but got " z/ has incorrect "iss" (issuer) claim. Expected "z has no "sub" (subject) claim. z, has an empty string "sub" (subject) claim. r{z9 has a "sub" (subject) claim longer than 128 characters. )rFaudience certs_urlclock_skew_in_secondscausez Token expired)rhrrrrqrrYr_decode_unverifiedrmrrarrerrrrrirjr verify_tokenrrrrCertificateFetchErrorr)r(tokenrFrrrrrsubjectexpected_issuerproject_id_match_msgverify_id_token_msgemulatedrverified_claimsrxs r)rz_JWTVerifier.verify<sy)3E3)?)?J W%%%U%'' %u %$4?$$u$$$$$%% % TS*..SSSTT T  ! !%7"%<%<5G   11%88U##;;u%%++e$$+7 5T_ 5 5 5  P48 O OT_ O O O *,, ( ( (>D,D M 6&**U"3"3 6zz%  G++ 1111"'7;;sB+?+?"?"?~$$0H$$$ !RDO Q Q Q  6fjj//7::@DO@@JJu%%@@*=@@ M ( ()DO))O))08))=Q))&)) M & &)DO))#))06));O))&)) M_Jw$<$<_aDOaaL_aa M 6)DO))&)) M\\C  5DO55255   ;++M:: : E >")"(-"8"E"E#!_"m*< #F#>#> &5U%;OE "" "{%4 L L L'E %@@@e K E E E#e**,,//E %/HHH++CJJe+DD D Es& ALN5+M  N5AN00N5c tj|}tj|d}||fS#t$r)}|t ||d}~wwxYw)NF)rr)r decode_headerrsrqrr)r(rrrrxs r)rz_JWTVerifier._decode_unverifiedsx E&u--Fju555G7? " E E E++CJJe+DD D Es-0 A#$AA#Nr)r0r1r2rMr*rrr&r+r)rr+s]@@ F F F]E]E]E]E~EEEEEr+rceZdZdZdZdS)rz7Unexpected error while signing a Firebase custom token.cHtj|||dSr%r UnknownErrorr*r(r.rs r)r*zTokenSignError.__init__#((w>>>>>r+Nr0r1r2rMr*r&r+r)rrs)AA?????r+rceZdZdZdZdS)rzHFailed to fetch some public key certificates required to verify a token.cHtj|||dSr%rrs r)r*zCertificateFetchError.__init__rr+Nrr&r+r)rrs)RR?????r+rceZdZdZdZdS)rz!The provided ID token is expired.cHtj|||dSr%rrr*rs r)r*zExpiredIdTokenError.__init__s#'00wFFFFFr+Nrr&r+r)rrs.++GGGGGr+rceZdZdZdZdS)RevokedIdTokenErrorz'The provided ID token has been revoked.cFtj||dSr%r r-s r)r*zRevokedIdTokenError.__init__s!'00w?????r+Nrr&r+r)r r s.11@@@@@r+r ceZdZdZddZdS)rz;The provided string is not a valid Firebase session cookie.NcHtj|||dSr%)rInvalidArgumentErrorr*rs r)r*z"InvalidSessionCookieError.__init__s#'00wFFFFFr+r%rr&r+r)rrs4EEGGGGGGr+rceZdZdZdZdS)rz'The provided session cookie is expired.c>t|||dSr%rr*rs r)r*z"ExpiredSessionCookieError.__init__s !**4%@@@@@r+Nrr&r+r)rrs.11AAAAAr+rceZdZdZdZdS)RevokedSessionCookieErrorz-The provided session cookie has been revoked.c<t||dSr%rr-s r)r*z"RevokedSessionCookieError.__init__s!**499999r+Nrr&r+r)rrs)77:::::r+r)7rMrrrrV google.authrrrrgoogle.auth.exceptionsrigoogle.oauth2.id_tokengoogle.oauth2.service_accountfirebase_adminrrr rrrrrrrrrrrrrrorNrKrJrcryptrEr#r5rRrWrrrrrrrrr rrrrr&r+r)rsR87 ######!!!!!!$$$$%%%%%%&&&&&&'''''';>>Y&)c*<(*