
google-auth-library


google-auth-library - npm Package Compare versions

Comparing version 1.2.1 to 1.3.0

build/src/auth/envDetect.d.ts

1

build/src/auth/authclient.js

@@ -22,2 +22,3 @@ "use strict";

this.transporter = new transporters_1.DefaultTransporter();
this.credentials = {};
}

@@ -24,0 +25,0 @@ /**

33

build/src/auth/computeclient.js

@@ -63,3 +63,9 @@ "use strict";

Object.defineProperty(exports, "__esModule", { value: true });
var axios_1 = require("axios");
var gcpMetadata = require("gcp-metadata");
var rax = require("retry-axios");
var oauth2client_1 = require("./oauth2client");
// Create a scoped axios instance that will retry 3 times by default
var ax = axios_1.default.create();
rax.attach(ax);
var Compute = /** @class */ (function (_super) {

@@ -97,17 +103,24 @@ __extends(Compute, _super);

return __awaiter(this, void 0, void 0, function () {
var url, res, e_1, tokens;
return __generator(this, function (_a) {
switch (_a.label) {
var url, res, e_1, tokens, _a;
return __generator(this, function (_b) {
switch (_b.label) {
case 0:
url = this.tokenUrl || Compute._GOOGLE_OAUTH2_TOKEN_URL;
url = this.tokenUrl ||
"" + gcpMetadata.HOST_ADDRESS + Compute._GOOGLE_OAUTH2_TOKEN_URL;
res = null;
_a.label = 1;
_b.label = 1;
case 1:
_a.trys.push([1, 3, , 4]);
return [4 /*yield*/, this.transporter.request({ url: url })];
_b.trys.push([1, 3, , 4]);
return [4 /*yield*/, ax.request({
url: url,
headers: (_a = {}, _a[gcpMetadata.HEADER_NAME] = 'Google', _a),
raxConfig: { noResponseRetries: 3, retry: 3, instance: ax }
})];
case 2:
res = _a.sent();
// TODO: In 2.0, we should remove the ability to configure the tokenUrl,
// and switch this over to use the gcp-metadata package instead.
res = _b.sent();
return [3 /*break*/, 4];
case 3:
e_1 = _a.sent();
e_1 = _b.sent();
e_1.message = 'Could not refresh access token.';

@@ -164,3 +177,3 @@ throw e_1;

*/
Compute._GOOGLE_OAUTH2_TOKEN_URL = 'http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token';
Compute._GOOGLE_OAUTH2_TOKEN_URL = gcpMetadata.BASE_PATH + "/instance/service-accounts/default/token";
return Compute;

@@ -167,0 +180,0 @@ }(oauth2client_1.OAuth2Client));
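Review bot: The token fetch in the `@@ -97,17 +103,24 @@` hunk now goes through the module-level `ax` instance instead of `this.transporter`, so a transporter supplied by the caller (proxying, instrumentation, test doubles) no longer sees the one request that returns the access token. When `this.tokenUrl` is set, the `gcpMetadata.HEADER_NAME` header and the `retry: 3` / `noResponseRetries: 3` policy are applied to that caller-chosen URL rather than to `gcpMetadata.HOST_ADDRESS`, and the TODO that explained the override appears to be dropped. I would keep a comment at the call, for example `// Metadata token requests bypass this.transporter on purpose; a tokenUrl override also receives the Metadata-Flavor header and the retry policy`. The enclosing function starts and ends outside the hunk, and this is compiled output, so the comment belongs in the TypeScript source.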

/// <reference types="node" />
import * as fs from 'fs';
import * as http from 'http';
import * as stream from 'stream';
import { DefaultTransporter, Transporter } from '../transporters';
import { Compute } from './computeclient';
import { JWTInput } from './credentials';
import { GCPEnv } from './envDetect';
import { JWT } from './jwtclient';

@@ -26,4 +29,26 @@ import { OAuth2Client, RefreshOptions } from './oauth2client';

}
export interface GoogleAuthOptions {
/**
* Path to a .json, .pem, or .p12 key file
*/
keyFilename?: string;
/**
* Path to a .json, .pem, or .p12 key file
*/
keyFile?: string;
/**
* Object containing client_email and private_key properties
*/
credentials?: CredentialBody;
/**
* Required scopes for the desired API request
*/
scopes?: string | string[];
/**
* Your project ID.
*/
projectId?: string;
}
export declare class GoogleAuth {
transporter: Transporter;
transporter?: Transporter;
/**

@@ -36,6 +61,8 @@ * Caches a value indicating whether the auth layer is running on Google

readonly isGCE: boolean | undefined;
private _getDefaultProjectIdPromise;
private _cachedProjectId;
private _getDefaultProjectIdPromise?;
private _cachedProjectId?;
jsonContent: JWTInput | null;
cachedCredential: OAuth2Client | null;
cachedCredential: JWT | UserRefreshClient | Compute | null;
private keyFilename?;
private scopes?;
/**

@@ -45,4 +72,5 @@ * Export DefaultTransporter as a static property of the class.

static DefaultTransporter: typeof DefaultTransporter;
constructor(opts?: GoogleAuthOptions);
/**
* Obtains the default project ID for the application..
* Obtains the default project ID for the application.
* @param callback Optional callback

@@ -77,3 +105,3 @@ * @returns Promise that resolves with project Id (if used without callback)

*/
_checkIsGCE(isRetry?: boolean): Promise<boolean>;
_checkIsGCE(): Promise<boolean>;
/**

@@ -169,11 +197,2 @@ * Attempts to load default credentials from the environment variable path..

* Gets the Compute Engine project ID if it can be inferred.
* Uses 169.254.169.254 for the metadata server to avoid request
* latency from DNS lookup.
* See https://cloud.google.com/compute/docs/metadata#metadataserver
* for information about this IP address. (This IP is also used for
* Amazon EC2 instances, so the metadata flavor is crucial.)
* See https://github.com/google/oauth2client/issues/93 for context about
* DNS latency.
*
* @api private
*/

@@ -194,2 +213,35 @@ private getGCEProjectId();

private getCredentialsAsync();
/**
* Automatically obtain a client based on the provided configuration. If no
* options were passed, use Application Default Credentials.
*/
getClient(): Promise<Compute | JWT | UserRefreshClient>;
/**
* Automatically obtain application default credentials, and return
* an access token for making requests.
*/
getAccessToken(): Promise<string | null | undefined>;
/**
* Obtain the HTTP headers that will provide authorization for a given
* request.
*/
getRequestHeaders(url?: string): Promise<http.IncomingHttpHeaders>;
/**
* Obtain credentials for a request, then attach the appropriate headers to
* the request options.
* @param opts Axios or Request options on which to attach the headers
*/
authorizeRequest(opts: {
url?: string;
uri?: string;
headers?: http.IncomingHttpHeaders;
}): Promise<{
url?: string | undefined;
uri?: string | undefined;
headers?: http.IncomingHttpHeaders | undefined;
}>;
/**
* Determine the compute environment in which the code is running.
*/
getEnv(): Promise<GCPEnv>;
}

@@ -55,2 +55,3 @@ "use strict";

var fs = require("fs");
var gcpMetadata = require("gcp-metadata");
var os = require("os");

@@ -61,6 +62,7 @@ var path = require("path");

var computeclient_1 = require("./computeclient");
var envDetect_1 = require("./envDetect");
var jwtclient_1 = require("./jwtclient");
var refreshclient_1 = require("./refreshclient");
var GoogleAuth = /** @class */ (function () {
function GoogleAuth() {
function GoogleAuth(opts) {
/**

@@ -75,2 +77,7 @@ * Caches a value indicating whether the auth layer is running on Google

this.cachedCredential = null;
opts = opts || {};
this._cachedProjectId = opts.projectId || null;
this.keyFilename = opts.keyFilename || opts.keyFile;
this.scopes = opts.scopes;
this.jsonContent = opts.credentials || null;
}

@@ -227,22 +234,23 @@ Object.defineProperty(GoogleAuth.prototype, "isGCE", {

case 8:
_b.trys.push([8, 10, , 11]);
_b.trys.push([8, 13, , 14]);
return [4 /*yield*/, this._checkIsGCE()];
case 9:
gce = _b.sent();
if (gce) {
// For GCE, just return a default ComputeClient. It will take care of
// the rest.
// TODO: cache the result
return [2 /*return*/, { projectId: null, credential: new computeclient_1.Compute(options) }];
}
else {
// We failed to find the default credentials. Bail out with an error.
throw new Error('Could not load the default credentials. Browse to https://developers.google.com/accounts/docs/application-default-credentials for more information.');
}
return [3 /*break*/, 11];
if (!gce) return [3 /*break*/, 11];
// For GCE, just return a default ComputeClient. It will take care of
// the rest.
this.cachedCredential = new computeclient_1.Compute(options);
return [4 /*yield*/, this.getDefaultProjectId()];
case 10:
projectId = _b.sent();
return [2 /*return*/, { projectId: projectId, credential: this.cachedCredential }];
case 11:
// We failed to find the default credentials. Bail out with an error.
throw new Error('Could not load the default credentials. Browse to https://developers.google.com/accounts/docs/application-default-credentials for more information.');
case 12: return [3 /*break*/, 14];
case 13:
e_2 = _b.sent();
throw new Error('Unexpected error while acquiring application default credentials: ' +
e_2.message);
case 11: return [2 /*return*/];
case 14: return [2 /*return*/];
}

@@ -257,44 +265,15 @@ });

*/
GoogleAuth.prototype._checkIsGCE = function (isRetry) {
if (isRetry === void 0) { isRetry = false; }
GoogleAuth.prototype._checkIsGCE = function () {
return __awaiter(this, void 0, void 0, function () {
var res, e_3, isDNSError, ae, is5xx;
return __generator(this, function (_a) {
switch (_a.label) {
var _a;
return __generator(this, function (_b) {
switch (_b.label) {
case 0:
if (this.checkIsGCE !== undefined) {
return [2 /*return*/, this.checkIsGCE];
}
if (!this.transporter) {
this.transporter = new transporters_1.DefaultTransporter();
}
_a.label = 1;
if (!(this.checkIsGCE === undefined)) return [3 /*break*/, 2];
_a = this;
return [4 /*yield*/, gcpMetadata.isAvailable()];
case 1:
_a.trys.push([1, 3, , 8]);
return [4 /*yield*/, this.transporter.request({ url: 'http://metadata.google.internal' })];
case 2:
res = _a.sent();
this.checkIsGCE =
res && res.headers && res.headers['metadata-flavor'] === 'Google';
return [3 /*break*/, 8];
case 3:
e_3 = _a.sent();
isDNSError = e_3.code === 'ENOTFOUND';
ae = e_3;
is5xx = ae.response &&
(ae.response.status >= 500 && ae.response.status < 600);
if (!is5xx) return [3 /*break*/, 6];
if (!!isRetry) return [3 /*break*/, 5];
return [4 /*yield*/, this._checkIsGCE(true)];
case 4: return [2 /*return*/, _a.sent()];
case 5: throw e_3;
case 6:
if (!isDNSError) {
throw e_3;
}
_a.label = 7;
case 7:
this.checkIsGCE = false;
return [3 /*break*/, 8];
case 8: return [2 /*return*/, this.checkIsGCE];
_a.checkIsGCE = _b.sent();
_b.label = 2;
case 2: return [2 /*return*/, this.checkIsGCE];
}

@@ -423,2 +402,3 @@ });

else {
options.scopes = this.scopes;
client = new jwtclient_1.JWT(options);

@@ -551,3 +531,3 @@ }

return __awaiter(this, void 0, void 0, function () {
var r, e_4;
var r, e_3;
return __generator(this, function (_a) {

@@ -565,3 +545,3 @@ switch (_a.label) {

case 2:
e_4 = _a.sent();
e_3 = _a.sent();
return [3 /*break*/, 3];

@@ -610,36 +590,19 @@ case 3: return [2 /*return*/, null];

* Gets the Compute Engine project ID if it can be inferred.
* Uses 169.254.169.254 for the metadata server to avoid request
* latency from DNS lookup.
* See https://cloud.google.com/compute/docs/metadata#metadataserver
* for information about this IP address. (This IP is also used for
* Amazon EC2 instances, so the metadata flavor is crucial.)
* See https://github.com/google/oauth2client/issues/93 for context about
* DNS latency.
*
* @api private
*/
GoogleAuth.prototype.getGCEProjectId = function () {
return __awaiter(this, void 0, void 0, function () {
var r, e_5;
var r, e_4;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
if (!this.transporter) {
this.transporter = new transporters_1.DefaultTransporter();
}
_a.label = 1;
_a.trys.push([0, 2, , 3]);
return [4 /*yield*/, gcpMetadata.project('project-id')];
case 1:
_a.trys.push([1, 3, , 4]);
return [4 /*yield*/, this.transporter.request({
url: 'http://169.254.169.254/computeMetadata/v1/project/project-id',
headers: { 'Metadata-Flavor': 'Google' }
})];
case 2:
r = _a.sent();
return [2 /*return*/, r.data];
case 3:
e_5 = _a.sent();
case 2:
e_4 = _a.sent();
// Ignore any errors
return [2 /*return*/, null];
case 4: return [2 /*return*/];
case 3: return [2 /*return*/];
}

@@ -659,3 +622,3 @@ });

return __awaiter(this, void 0, void 0, function () {
var credential_1, isGCE, result, credential;
var credential, isGCE, data;
return __generator(this, function (_a) {

@@ -665,7 +628,7 @@ switch (_a.label) {

if (this.jsonContent) {
credential_1 = {
credential = {
client_email: this.jsonContent.client_email,
private_key: this.jsonContent.private_key
};
return [2 /*return*/, credential_1];
return [2 /*return*/, credential];
}

@@ -678,13 +641,9 @@ return [4 /*yield*/, this._checkIsGCE()];

}
return [4 /*yield*/, this.transporter.request({
url: 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/?recursive=true',
headers: { 'Metadata-Flavor': 'Google' }
})];
return [4 /*yield*/, gcpMetadata.instance({ property: 'service-accounts', params: { recursive: true } })];
case 2:
result = _a.sent();
if (!result.data || !result.data.default || !result.data.default.email) {
data = (_a.sent()).data;
if (!data || !data.default || !data.default.email) {
throw new Error('Failure from metadata server.');
}
credential = { client_email: result.data.default.email };
return [2 /*return*/, credential];
return [2 /*return*/, { client_email: data.default.email }];
}

@@ -695,2 +654,104 @@ });

/**
* Automatically obtain a client based on the provided configuration. If no
* options were passed, use Application Default Credentials.
*/
GoogleAuth.prototype.getClient = function () {
return __awaiter(this, void 0, void 0, function () {
var filePath, stream_1, _a, _b;
return __generator(this, function (_c) {
switch (_c.label) {
case 0:
if (!!this.cachedCredential) return [3 /*break*/, 6];
if (!this.keyFilename) return [3 /*break*/, 2];
filePath = path.resolve(this.keyFilename);
stream_1 = fs.createReadStream(filePath);
_a = this;
return [4 /*yield*/, this.fromStreamAsync(stream_1)];
case 1:
_a.cachedCredential = _c.sent();
return [3 /*break*/, 6];
case 2:
if (!this.jsonContent) return [3 /*break*/, 4];
_b = this;
return [4 /*yield*/, this.fromJSON(this.jsonContent)];
case 3:
_b.cachedCredential = _c.sent();
return [3 /*break*/, 6];
case 4: return [4 /*yield*/, this.getApplicationDefaultAsync()];
case 5:
_c.sent();
_c.label = 6;
case 6: return [2 /*return*/, this.cachedCredential];
}
});
});
};
/**
* Automatically obtain application default credentials, and return
* an access token for making requests.
*/
GoogleAuth.prototype.getAccessToken = function () {
return __awaiter(this, void 0, void 0, function () {
var client;
return __generator(this, function (_a) {
switch (_a.label) {
case 0: return [4 /*yield*/, this.getClient()];
case 1:
client = _a.sent();
return [4 /*yield*/, client.getAccessToken()];
case 2: return [2 /*return*/, (_a.sent()).token];
}
});
});
};
/**
* Obtain the HTTP headers that will provide authorization for a given
* request.
*/
GoogleAuth.prototype.getRequestHeaders = function (url) {
return __awaiter(this, void 0, void 0, function () {
var client;
return __generator(this, function (_a) {
switch (_a.label) {
case 0: return [4 /*yield*/, this.getClient()];
case 1:
client = _a.sent();
return [4 /*yield*/, client.getRequestMetadata(url)];
case 2: return [2 /*return*/, (_a.sent()).headers];
}
});
});
};
/**
* Obtain credentials for a request, then attach the appropriate headers to
* the request options.
* @param opts Axios or Request options on which to attach the headers
*/
GoogleAuth.prototype.authorizeRequest = function (opts) {
return __awaiter(this, void 0, void 0, function () {
var url, client, headers;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
opts = opts || {};
url = opts.url || opts.uri;
return [4 /*yield*/, this.getClient()];
case 1:
client = _a.sent();
return [4 /*yield*/, client.getRequestMetadata(url)];
case 2:
headers = (_a.sent()).headers;
opts.headers = Object.assign(opts.headers || {}, headers);
return [2 /*return*/, opts];
}
});
});
};
/**
* Determine the compute environment in which the code is running.
*/
GoogleAuth.prototype.getEnv = function () {
return envDetect_1.getEnv();
};
/**
* Export DefaultTransporter as a static property of the class.

@@ -697,0 +758,0 @@ */
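Review bot: In `_checkIsGCE` (the `@@ -257,44 +265,15 @@` hunk), the decision that the process runs on GCE is now whatever `gcpMetadata.isAvailable()` resolves to, and it is stored in `this.checkIsGCE` for the life of the instance. If that helper reports `false` on a transient failure, every later call would skip the metadata-server credential path; how it treats errors is not visible on this page. The replaced code checked the `metadata-flavor` response header for `Google` itself and rethrew anything other than a DNS failure or a once-retried 5xx. The `getGCEProjectId` doc comment explaining that the same link-local address is used on EC2 appears to be removed as well. I would record the reliance where the call is made, for example `// gcp-metadata is expected to verify the Metadata-Flavor: Google response header; cache only a definitive answer`.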

@@ -36,5 +36,5 @@ /// <reference types="node" />

subject?: string;
gtoken: GoogleToken;
gtoken?: GoogleToken;
additionalClaims?: {};
private access;
private access?;
/**

@@ -41,0 +41,0 @@ * JWT service account credentials.

@@ -203,3 +203,3 @@ /// <reference types="node" />

_clientSecret?: string;
apiKey: string;
apiKey?: string;
projectId?: string;

@@ -206,0 +206,0 @@ eagerRefreshThresholdMillis: number;

@@ -65,2 +65,3 @@ "use strict";

var querystring = require("querystring");
var stream = require("stream");
var pemverifier_1 = require("./../pemverifier");

@@ -95,3 +96,2 @@ var authclient_1 = require("./authclient");

_this.tokenUrl = opts.tokenUrl;
_this.credentials = {};
_this.eagerRefreshThresholdMillis =

@@ -408,3 +408,3 @@ opts.eagerRefreshThresholdMillis || 5 * 60 * 1000;

return __awaiter(this, void 0, void 0, function () {
var r2, r, e_1, res, statusCode;
var r2, r, e_1, res, statusCode, isReadableStream;
return __generator(this, function (_a) {

@@ -433,3 +433,5 @@ switch (_a.label) {

statusCode = res.status;
if (!(!retry && (statusCode === 401 || statusCode === 403))) return [3 /*break*/, 5];
isReadableStream = res.config.data instanceof stream.Readable;
if (!(!retry && (statusCode === 401 || statusCode === 403) &&
!isReadableStream)) return [3 /*break*/, 5];
/* It only makes sense to retry once, because the retry is intended

@@ -436,0 +438,0 @@ * to handle expiration-related failures. If refreshing the token
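Review bot: The new `isReadableStream` guard in the `@@ -433,3 +433,5 @@` hunk carries no comment saying why a 401/403 is not retried for stream bodies. Also, `res.config.data instanceof stream.Readable` recognises only Node's core `stream.Readable`, so a stream-like body from another implementation would presumably still take the refresh-and-retry path with an already consumed body. I would add `// A stream body has already been consumed and cannot be replayed, so skip the refresh-and-retry` above the assignment and consider a duck-typed test on `res.config.data` (for example, whether it has a `pipe` function). What the caller receives when the retry is skipped is decided outside this hunk.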

{
"name": "google-auth-library",
"version": "1.2.1",
"version": "1.3.0",
"author": "Google Inc.",

@@ -23,7 +23,8 @@ "description": "Google APIs Authentication Client Library for Node.js",

"dependencies": {
"axios": "^0.17.1",
"axios": "^0.18.0",
"gtoken": "^2.1.0",
"jws": "^3.1.4",
"lodash.isstring": "^4.0.1",
"lru-cache": "^4.1.1"
"lru-cache": "^4.1.1",
"retry-axios": "^0.3.2"
},

@@ -35,10 +36,11 @@ "devDependencies": {

"@types/lru-cache": "^4.1.0",
"@types/mocha": "^2.2.45",
"@types/mocha": "^2.2.48",
"@types/ncp": "^2.0.1",
"@types/nock": "^9.1.1",
"@types/node": "^9.3.0",
"@types/nock": "^9.1.2",
"@types/node": "^9.4.6",
"@types/pify": "^3.0.0",
"@types/tmp": "0.0.33",
"clang-format": "^1.0.50",
"clang-format": "^1.2.2",
"codecov": "^3.0.0",
"gcp-metadata": "^0.6.0",
"gh-pages": "^1.1.0",

@@ -48,12 +50,12 @@ "gts": "^0.5.3",

"keypair": "^1.0.1",
"mocha": "^5.0.0",
"mocha": "^5.0.1",
"ncp": "^2.0.0",
"nock": "^9.1.5",
"nock": "^9.1.6",
"nyc": "^11.4.1",
"opn": "^5.1.0",
"opn": "^5.2.0",
"pify": "^3.0.0",
"prettier": "^1.9.2",
"source-map-support": "^0.5.0",
"prettier": "^1.10.2",
"source-map-support": "^0.5.3",
"tmp": "0.0.33",
"typescript": "~2.6.2"
"typescript": "~2.7.0"
},

@@ -60,0 +62,0 @@ "files": [
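Review bot: `gcp-metadata` is added in the hunk whose context header is `"devDependencies": {`, while `retry-axios` goes into `dependencies`, yet the compiled code in this same comparison runs `require("gcp-metadata")` at module load in both the Compute client and the GoogleAuth module. A consumer install does not pull devDependencies, so that require either fails or resolves to whatever copy another package happened to hoist, at a version this manifest does not constrain. The entry `"gcp-metadata": "^0.6.0"` should sit under `dependencies` next to `retry-axios`. Only part of the manifest is visible here, so confirm against the full file.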

Sorry, the diff of this file is not supported yet

Sorry, the diff of this file is not supported yet

Sorry, the diff of this file is not supported yet

Sorry, the diff of this file is not supported yet

Sorry, the diff of this file is not supported yet
