export AdminAuthApiClient class

Author: Code-Hex

README.md

@@ -129,18 +129,16 @@ See the [ID Token section of the OpenID Connect spec](http://openid.net/specs/op
 - `idToken` The ID token to verify.
 - `env` is an optional parameter. but this is using to detect should use emulator or not.
 
-### `WorkersKVStoreSingle.getOrInitialize(cacheKey: string, cfKVNamespace: KVNamespace): WorkersKVStoreSingle`
-
-WorkersKVStoreSingle is created as a singleton object. This is because the Module Worker syntax only use environment variables at the time of request.
+### `authObj.verifySessionCookie(sessionCookie: string, env?: EmulatorEnv): Promise<FirebaseIdToken>`
 
-This caches the public key used to verify the Firebase ID token in the [Workers KV](https://developers.cloudflare.com/workers/runtime-apis/kv/).
+Verifies a Firebase session cookie. Returns a Promise with the cookie claims. Rejects the promise if the cookie could not be verified.
 
-This is implemented `KeyStorer` interface.
+See [Verify Session Cookies](https://firebase.google.com/docs/auth/admin/manage-cookies#verify_session_cookie_and_check_permissions) for code samples and detailed documentation.
 
-- `cacheKey` specifies the key of the public key cache.
-- `cfKVNamespace` specifies the KV namespace which is bound your workers.
+- `sessionCookie` The session cookie to verify.
+- `env` is an optional parameter. but this is using to detect should use emulator or not.
 
-### `createSessionCookie(idToken: string, sessionCookieOptions: SessionCookieOptions, env?: EmulatorEnv): Promise<string>`
+### `authObj.createSessionCookie(idToken: string, sessionCookieOptions: SessionCookieOptions, env?: EmulatorEnv): Promise<string>`
 
 Creates a new Firebase session cookie with the specified options. The created JWT string can be set as a server-side session cookie with a custom cookie policy, and be used for session management. The session cookie JWT will have the same payload claims as the provided ID token. See [Manage Session Cookies](https://firebase.google.com/docs/auth/admin/manage-cookies) for code samples and detailed documentation.
 
@@ -150,14 +148,24 @@ Creates a new Firebase session cookie with the specified options. The created JW
 
 **Required** service acccount credential to use this API. You need to set the credentials with `Auth.getOrInitialize`.
 
-### `verifySessionCookie(sessionCookie: string, env?: EmulatorEnv): Promise<FirebaseIdToken>`
+### `WorkersKVStoreSingle.getOrInitialize(cacheKey: string, cfKVNamespace: KVNamespace): WorkersKVStoreSingle`
 
-Verifies a Firebase session cookie. Returns a Promise with the cookie claims. Rejects the promise if the cookie could not be verified.
+WorkersKVStoreSingle is created as a singleton object. This is because the Module Worker syntax only use environment variables at the time of request.
 
-See [Verify Session Cookies](https://firebase.google.com/docs/auth/admin/manage-cookies#verify_session_cookie_and_check_permissions) for code samples and detailed documentation.
+This caches the public key used to verify the Firebase ID token in the [Workers KV](https://developers.cloudflare.com/workers/runtime-apis/kv/).
 
-- `sessionCookie` The session cookie to verify.
-- `env` is an optional parameter. but this is using to detect should use emulator or not.
+This is implemented `KeyStorer` interface.
+
+- `cacheKey` specifies the key of the public key cache.
+- `cfKVNamespace` specifies the KV namespace which is bound your workers.
+
+### `AdminAuthApiClient.getOrInitialize(projectId: string, credential: Credential, retryConfig?: RetryConfig): AdminAuthApiClient`
+
+AdminAuthApiClient is created as a singleton object. This is because the Module Worker syntax only use environment variables at the time of request.
+
+You can send request with the [Admin Auth API](https://cloud.google.com/identity-platform/docs/reference/rest). To generate an access token, you will use the `Credential` class. For instance, if you want to generate an access token from a Service Account JSON, you need to specify `ServiceAccountCredential` as a parameter during initialization.
+
+By specifying the [`roles/firebaseauth.admin`](https://firebase.google.com/docs/projects/iam/roles-predefined-product#app-distro) role to the Service Account, it becomes available for use. If you want finer control over permissions, create a Custom Role based on the [Access Control](https://cloud.google.com/identity-platform/docs/access-control) guide and assign it to the Service Account.
 
 ### `emulatorHost(env?: EmulatorEnv): string | undefined`
 

package.json

@@ -25,7 +25,8 @@
     "lint": "eslint --ext .ts .",
     "lint-fix": "eslint --fix --ext .ts .",
     "prepublish": "run-p build:*",
-    "wrangler": "wrangler"
+    "wrangler": "wrangler",
+    "version": "pnpm run build && git add -A dist"
   },
   "devDependencies": {
     "@cloudflare/workers-types": "^4.20240208.0",

src/index.ts

@@ -1,4 +1,6 @@
 import { BaseAuth } from './auth';
+import { AuthApiClient } from './auth-api-requests';
+import type { RetryConfig } from './client';
 import type { Credential } from './credential';
 import type { KeyStorer } from './key-store';
 import { WorkersKVStore } from './key-store';
@@ -8,17 +10,25 @@ export { emulatorHost, useEmulator } from './emulator';
 export type { KeyStorer };
 export type { EmulatorEnv } from './emulator';
 export type { FirebaseIdToken } from './token-verifier';
+export type { RetryConfig };
 
 export class Auth extends BaseAuth {
   private static instance?: Auth;
+  private static withCredential?: Auth;
 
   private constructor(projectId: string, keyStore: KeyStorer, credential?: Credential) {
     super(projectId, keyStore, credential);
   }
 
   static getOrInitialize(projectId: string, keyStore: KeyStorer, credential?: Credential): Auth {
+    if (!Auth.withCredential && credential !== undefined) {
+      Auth.withCredential = new Auth(projectId, keyStore, credential);
+    }
+    if (Auth.withCredential) {
+      return Auth.withCredential;
+    }
     if (!Auth.instance) {
-      Auth.instance = new Auth(projectId, keyStore, credential);
+      Auth.instance = new Auth(projectId, keyStore);
     }
     return Auth.instance;
   }
@@ -38,3 +48,18 @@ export class WorkersKVStoreSingle extends WorkersKVStore {
     return WorkersKVStoreSingle.instance;
   }
 }
+
+export class AdminAuthApiClient extends AuthApiClient {
+  private static instance?: AdminAuthApiClient;
+
+  private constructor(projectId: string, credential: Credential, retryConfig?: RetryConfig) {
+    super(projectId, credential, retryConfig);
+  }
+
+  static getOrInitialize(projectId: string, credential: Credential, retryConfig?: RetryConfig) {
+    if (!AdminAuthApiClient.instance) {
+      AdminAuthApiClient.instance = new AdminAuthApiClient(projectId, credential, retryConfig);
+    }
+    return AdminAuthApiClient.instance;
+  }
+}