You're Invited:Meet the Socket Team at RSAC and BSidesSF 2026, March 23–26.RSVP
Socket
Book a DemoSign in
Socket
Book a DemoSign in

google-auth-library

Package Overview
Dependencies
Maintainers
1
Versions
169
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

google-auth-library - npm Package Compare versions

Comparing version
10.5.0
 to
10.6.1
+5
build/src/gtoken/errorWithCode.d.ts
declare class ErrorWithCode extends Error {
code: string;
constructor(message: string, code: string);
}
export { ErrorWithCode };
+25
build/src/gtoken/errorWithCode.js
"use strict";
// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
Object.defineProperty(exports, "__esModule", { value: true });
exports.ErrorWithCode = void 0;
class ErrorWithCode extends Error {
code;
constructor(message, code) {
super(message);
this.code = code;
}
}
exports.ErrorWithCode = ErrorWithCode;
//# sourceMappingURL=errorWithCode.js.map
+14
build/src/gtoken/getCredentials.d.ts
/**
* Credentials object.
*/
interface Credentials {
privateKey: string;
clientEmail?: string;
}
/**
* Given a keyFile, extract the key and client email if available
* @param keyFile Path to a json, pem, or p12 file that contains the key.
* @returns an object with privateKey and clientEmail properties
*/
declare function getCredentials(keyFilePath: string): Promise<Credentials>;
export { getCredentials, Credentials };
+132
build/src/gtoken/getCredentials.js
"use strict";
// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
Object.defineProperty(exports, "__esModule", { value: true });
exports.getCredentials = getCredentials;
const path = require("path");
const fs = require("fs");
const util_1 = require("util");
const errorWithCode_1 = require("./errorWithCode");
const readFile = fs.readFile
? (0, util_1.promisify)(fs.readFile)
: async () => {
// if running in the web-browser, fs.readFile may not have been shimmed.
throw new errorWithCode_1.ErrorWithCode('use key rather than keyFile.', 'MISSING_CREDENTIALS');
};
var ExtensionFiles;
(function (ExtensionFiles) {
ExtensionFiles["JSON"] = ".json";
ExtensionFiles["DER"] = ".der";
ExtensionFiles["CRT"] = ".crt";
ExtensionFiles["PEM"] = ".pem";
ExtensionFiles["P12"] = ".p12";
ExtensionFiles["PFX"] = ".pfx";
})(ExtensionFiles || (ExtensionFiles = {}));
/**
* Provides credentials from a JSON key file.
*/
class JsonCredentialsProvider {
keyFilePath;
constructor(keyFilePath) {
this.keyFilePath = keyFilePath;
}
/**
* Reads a JSON key file and extracts the private key and client email.
* @returns A promise that resolves with the credentials.
*/
async getCredentials() {
const key = await readFile(this.keyFilePath, 'utf8');
let body;
try {
body = JSON.parse(key);
}
catch (error) {
const err = error;
throw new Error(`Invalid JSON key file: ${err.message}`);
}
const privateKey = body.private_key;
const clientEmail = body.client_email;
if (!privateKey || !clientEmail) {
throw new errorWithCode_1.ErrorWithCode('private_key and client_email are required.', 'MISSING_CREDENTIALS');
}
return { privateKey, clientEmail };
}
}
/**
* Provides credentials from a PEM-like key file.
*/
class PemCredentialsProvider {
keyFilePath;
constructor(keyFilePath) {
this.keyFilePath = keyFilePath;
}
/**
* Reads a PEM-like key file.
* @returns A promise that resolves with the private key.
*/
async getCredentials() {
const privateKey = await readFile(this.keyFilePath, 'utf8');
return { privateKey };
}
}
/**
* Handles unsupported P12/PFX certificate types.
*/
class P12CredentialsProvider {
/**
* Throws an error as P12/PFX certificates are not supported.
* @returns A promise that rejects with an error.
*/
async getCredentials() {
throw new errorWithCode_1.ErrorWithCode('*.p12 certificates are not supported after v6.1.2. ' +
'Consider utilizing *.json format or converting *.p12 to *.pem using the OpenSSL CLI.', 'UNKNOWN_CERTIFICATE_TYPE');
}
}
/**
* Factory class to create the appropriate credentials provider.
*/
class CredentialsProviderFactory {
/**
* Creates a credential provider based on the key file extension.
* @param keyFilePath The path to the key file.
* @returns An instance of a class that implements ICredentialsProvider.
*/
static create(keyFilePath) {
const keyFileExtension = path.extname(keyFilePath);
switch (keyFileExtension) {
case ExtensionFiles.JSON:
return new JsonCredentialsProvider(keyFilePath);
case ExtensionFiles.DER:
case ExtensionFiles.CRT:
case ExtensionFiles.PEM:
return new PemCredentialsProvider(keyFilePath);
case ExtensionFiles.P12:
case ExtensionFiles.PFX:
return new P12CredentialsProvider();
default:
throw new errorWithCode_1.ErrorWithCode('Unknown certificate type. Type is determined based on file extension. ' +
'Current supported extensions are *.json, and *.pem.', 'UNKNOWN_CERTIFICATE_TYPE');
}
}
}
/**
* Given a keyFile, extract the key and client email if available
* @param keyFile Path to a json, pem, or p12 file that contains the key.
* @returns an object with privateKey and clientEmail properties
*/
async function getCredentials(keyFilePath) {
const provider = CredentialsProviderFactory.create(keyFilePath);
return provider.getCredentials();
}
//# sourceMappingURL=getCredentials.js.map
+23
build/src/gtoken/getToken.d.ts
import { TokenOptions } from './tokenOptions';
/**
* Interface for the data returned from the token endpoint.
*/
interface TokenData {
/** An optional refresh token. */
refresh_token?: string;
/** The duration of the token in seconds. */
expires_in?: number;
/** The access token. */
access_token?: string;
/** The type of token, e.g., "Bearer". */
token_type?: string;
/** An optional ID token. */
id_token?: string;
}
/**
* Fetches an access token.
* @param tokenOptions The options for the token.
* @returns A promise that resolves with the token data.
*/
declare function getToken(tokenOptions: TokenOptions): Promise<TokenData>;
export { getToken, TokenData };
+66
build/src/gtoken/getToken.js
"use strict";
// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
Object.defineProperty(exports, "__esModule", { value: true });
exports.getToken = getToken;
const jwsSign_1 = require("./jwsSign");
/** The URL for Google's OAuth 2.0 token endpoint. */
const GOOGLE_TOKEN_URL = 'https://oauth2.googleapis.com/token';
/** The grant type for JWT-based authorization. */
const GOOGLE_GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:jwt-bearer';
/**
* Generates the request options for fetching a token.
* @param tokenOptions The options for the token.
* @returns The Gaxios options for the request.
*/
const generateRequestOptions = (tokenOptions) => {
return {
method: 'POST',
url: GOOGLE_TOKEN_URL,
data: new URLSearchParams({
grant_type: GOOGLE_GRANT_TYPE, // Grant type for JWT
assertion: (0, jwsSign_1.getJwsSign)(tokenOptions),
}),
responseType: 'json',
retryConfig: {
httpMethodsToRetry: ['POST'],
},
};
};
/**
* Fetches an access token.
* @param tokenOptions The options for the token.
* @returns A promise that resolves with the token data.
*/
async function getToken(tokenOptions) {
if (!tokenOptions.transporter) {
throw new Error('No transporter set.');
}
try {
const gaxiosOptions = generateRequestOptions(tokenOptions);
const response = await tokenOptions.transporter.request(gaxiosOptions);
return response.data;
}
catch (e) {
// The error is re-thrown, but we want to format it to be more
// informative.
const err = e;
const errorData = err.response?.data;
if (errorData?.error) {
err.message = `${errorData.error}: ${errorData.error_description}`;
}
throw err;
}
}
//# sourceMappingURL=getToken.js.map
+73
build/src/gtoken/googleToken.d.ts
import { TokenOptions, Transporter } from './tokenOptions';
import { TokenData } from './getToken';
/**
* Options for fetching an access token.
*/
export interface GetTokenOptions {
/**
* If true, a new token will be fetched, ignoring any cached token.
*/
forceRefresh?: boolean;
}
/**
* Callback type for the `getToken` method.
*/
export type GetTokenCallback = (err: Error | null, token?: TokenData) => void;
/**
* The GoogleToken class is used to manage authentication with Google's OAuth 2.0 authorization server.
* It handles fetching, caching, and refreshing of access tokens.
*/
declare class GoogleToken {
/** The configuration options for this token instance. */
private tokenOptions;
/** The handler for token fetching and caching logic. */
private tokenHandler;
/**
* Create a GoogleToken.
*
* @param options Configuration object.
*/
constructor(options?: TokenOptions);
get expiresAt(): number | undefined;
/**
* The most recent access token obtained by this client.
*/
get accessToken(): string | undefined;
/**
* The most recent ID token obtained by this client.
*/
get idToken(): string | undefined;
/**
* The token type of the most recent access token.
*/
get tokenType(): string | undefined;
/**
* The refresh token for the current credentials.
*/
get refreshToken(): string | undefined;
/**
* A boolean indicating if the current token has expired.
*/
hasExpired(): boolean;
/**
* A boolean indicating if the current token is expiring soon,
* based on the `eagerRefreshThresholdMillis` option.
*/
isTokenExpiring(): boolean;
/**
* Fetches a new access token and returns it.
* @param opts Options for fetching the token.
*/
getToken(opts?: GetTokenOptions): Promise<TokenData>;
getToken(callback: GetTokenCallback, opts?: GetTokenOptions): void;
/**
* Revokes the current access token and resets the token handler.
*/
revokeToken(): Promise<void>;
revokeToken(callback: (err?: Error) => void): void;
/**
* Returns the configuration options for this token instance.
*/
get googleTokenOptions(): TokenOptions;
}
export { GoogleToken, Transporter, TokenOptions, TokenData };
+125
build/src/gtoken/googleToken.js
"use strict";
// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
Object.defineProperty(exports, "__esModule", { value: true });
exports.GoogleToken = void 0;
const gaxios_1 = require("gaxios");
const tokenHandler_1 = require("./tokenHandler");
const revokeToken_1 = require("./revokeToken");
/**
* The GoogleToken class is used to manage authentication with Google's OAuth 2.0 authorization server.
* It handles fetching, caching, and refreshing of access tokens.
*/
class GoogleToken {
/** The configuration options for this token instance. */
tokenOptions;
/** The handler for token fetching and caching logic. */
tokenHandler;
/**
* Create a GoogleToken.
*
* @param options Configuration object.
*/
constructor(options) {
this.tokenOptions = options || {};
// If a transporter is not set, by default set it to use gaxios.
this.tokenOptions.transporter = this.tokenOptions.transporter || {
request: opts => (0, gaxios_1.request)(opts),
};
if (!this.tokenOptions.iss) {
this.tokenOptions.iss = this.tokenOptions.email;
}
if (typeof this.tokenOptions.scope === 'object') {
this.tokenOptions.scope = this.tokenOptions.scope.join(' ');
}
this.tokenHandler = new tokenHandler_1.TokenHandler(this.tokenOptions);
}
get expiresAt() {
return this.tokenHandler.tokenExpiresAt;
}
/**
* The most recent access token obtained by this client.
*/
get accessToken() {
return this.tokenHandler.token?.access_token;
}
/**
* The most recent ID token obtained by this client.
*/
get idToken() {
return this.tokenHandler.token?.id_token;
}
/**
* The token type of the most recent access token.
*/
get tokenType() {
return this.tokenHandler.token?.token_type;
}
/**
* The refresh token for the current credentials.
*/
get refreshToken() {
return this.tokenHandler.token?.refresh_token;
}
/**
* A boolean indicating if the current token has expired.
*/
hasExpired() {
return this.tokenHandler.hasExpired();
}
/**
* A boolean indicating if the current token is expiring soon,
* based on the `eagerRefreshThresholdMillis` option.
*/
isTokenExpiring() {
return this.tokenHandler.isTokenExpiring();
}
getToken(callbackOrOptions, opts = { forceRefresh: false }) {
// Handle the various method overloads.
let callback;
if (typeof callbackOrOptions === 'function') {
callback = callbackOrOptions;
}
else if (typeof callbackOrOptions === 'object') {
opts = callbackOrOptions;
}
// Delegate the token fetching to the token handler.
const promise = this.tokenHandler.getToken(opts.forceRefresh ?? false);
// If a callback is provided, use it, otherwise return the promise.
if (callback) {
promise.then(token => callback(null, token), callback);
}
return promise;
}
revokeToken(callback) {
if (!this.accessToken) {
return Promise.reject(new Error('No token to revoke.'));
}
const promise = (0, revokeToken_1.revokeToken)(this.accessToken, this.tokenOptions.transporter);
// If a callback is provided, use it.
if (callback) {
promise.then(() => callback(), callback);
}
// After revoking, reset the token handler to clear the cached token.
this.tokenHandler = new tokenHandler_1.TokenHandler(this.tokenOptions);
}
/**
* Returns the configuration options for this token instance.
*/
get googleTokenOptions() {
return this.tokenOptions;
}
}
exports.GoogleToken = GoogleToken;
//# sourceMappingURL=googleToken.js.map
+33
build/src/gtoken/jwsSign.d.ts
import { TokenOptions } from './tokenOptions';
/**
* Interface for the JWT payload required for signing.
*/
interface JwsSignPayload {
/** The issuer claim for the JWT. */
iss?: string;
/** The space-delimited list of scopes for the requested token. */
scope?: string | string[];
/** The audience for the token. */
aud: string;
/** The expiration time of the token, in seconds since the epoch. */
exp: number;
/** The time the token was issued, in seconds since the epoch. */
iat: number;
/** The subject claim for the JWT, used for impersonation. */
sub?: string;
/** Additional claims to include in the JWT payload. */
[key: string]: any;
}
/**
* Builds the JWT payload for signing.
* @param tokenOptions The options for the token.
* @returns The JWT payload.
*/
declare function buildPayloadForJwsSign(tokenOptions: TokenOptions): JwsSignPayload;
/**
* Creates a signed JWS (JSON Web Signature).
* @param tokenOptions The options for the token.
* @returns The signed JWS.
*/
declare function getJwsSign(tokenOptions: TokenOptions): string;
export { buildPayloadForJwsSign, getJwsSign };
+54
build/src/gtoken/jwsSign.js
"use strict";
// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
Object.defineProperty(exports, "__esModule", { value: true });
exports.buildPayloadForJwsSign = buildPayloadForJwsSign;
exports.getJwsSign = getJwsSign;
const jws_1 = require("jws");
/** The default algorithm for signing JWTs. */
const ALG_RS256 = 'RS256';
/** The URL for Google's OAuth 2.0 token endpoint. */
const GOOGLE_TOKEN_URL = 'https://oauth2.googleapis.com/token';
/**
* Builds the JWT payload for signing.
* @param tokenOptions The options for the token.
* @returns The JWT payload.
*/
function buildPayloadForJwsSign(tokenOptions) {
const iat = Math.floor(new Date().getTime() / 1000);
const payload = {
iss: tokenOptions.iss,
scope: tokenOptions.scope,
aud: GOOGLE_TOKEN_URL,
exp: iat + 3600,
iat,
sub: tokenOptions.sub,
...tokenOptions.additionalClaims,
};
return payload;
}
/**
* Creates a signed JWS (JSON Web Signature).
* @param tokenOptions The options for the token.
* @returns The signed JWS.
*/
function getJwsSign(tokenOptions) {
const payload = buildPayloadForJwsSign(tokenOptions);
return (0, jws_1.sign)({
header: { alg: ALG_RS256 },
payload,
secret: tokenOptions.key,
});
}
//# sourceMappingURL=jwsSign.js.map
+9
build/src/gtoken/revokeToken.d.ts
import { Transporter } from './tokenOptions';
/**
* Revokes a given access token.
* @param accessToken The access token to revoke.
* @param transporter The transporter to make the request with.
* @returns A promise that resolves with the revocation response.
*/
declare function revokeToken(accessToken: string, transporter: Transporter): Promise<import("gaxios").GaxiosResponse<unknown>>;
export { revokeToken };
+34
build/src/gtoken/revokeToken.js
"use strict";
// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
Object.defineProperty(exports, "__esModule", { value: true });
exports.revokeToken = revokeToken;
/** The URL for Google's OAuth 2.0 token revocation endpoint. */
const GOOGLE_REVOKE_TOKEN_URL = 'https://oauth2.googleapis.com/revoke?token=';
/** The default retry behavior for the revoke token request. */
const DEFAULT_RETRY_VALUE = true;
/**
* Revokes a given access token.
* @param accessToken The access token to revoke.
* @param transporter The transporter to make the request with.
* @returns A promise that resolves with the revocation response.
*/
async function revokeToken(accessToken, transporter) {
const url = GOOGLE_REVOKE_TOKEN_URL + accessToken;
return await transporter.request({
url,
retry: DEFAULT_RETRY_VALUE,
});
}
//# sourceMappingURL=revokeToken.js.map
+43
build/src/gtoken/tokenHandler.d.ts
import { TokenData } from './getToken';
import { TokenOptions } from './tokenOptions';
/**
* Manages the fetching and caching of access tokens.
*/
declare class TokenHandler {
/** The cached access token. */
token: TokenData | undefined;
/** The expiration time of the cached access token. */
tokenExpiresAt: number | undefined;
/** A promise for an in-flight token request. */
private inFlightRequest;
private tokenOptions;
/**
* Creates an instance of TokenHandler.
* @param tokenOptions The options for fetching tokens.
* @param transporter The transporter to use for making requests.
*/
constructor(tokenOptions: TokenOptions);
/**
* Processes the credentials, loading them from a key file if necessary.
* This method is called before any token request.
*/
private processCredentials;
/**
* Checks if the cached token is expired or close to expiring.
* @returns True if the token is expiring, false otherwise.
*/
isTokenExpiring(): boolean;
/**
* Returns whether the token has completely expired.
*
* @returns true if the token has expired, false otherwise.
*/
hasExpired(): boolean;
/**
* Fetches an access token, using a cached one if available and not expired.
* @param forceRefresh If true, forces a new token to be fetched.
* @returns A promise that resolves with the token data.
*/
getToken(forceRefresh: boolean): Promise<TokenData>;
}
export { TokenHandler };
+97
build/src/gtoken/tokenHandler.js
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.TokenHandler = void 0;
const getToken_1 = require("./getToken");
const getCredentials_1 = require("./getCredentials");
/**
* Manages the fetching and caching of access tokens.
*/
class TokenHandler {
/** The cached access token. */
token;
/** The expiration time of the cached access token. */
tokenExpiresAt;
/** A promise for an in-flight token request. */
inFlightRequest;
tokenOptions;
/**
* Creates an instance of TokenHandler.
* @param tokenOptions The options for fetching tokens.
* @param transporter The transporter to use for making requests.
*/
constructor(tokenOptions) {
this.tokenOptions = tokenOptions;
}
/**
* Processes the credentials, loading them from a key file if necessary.
* This method is called before any token request.
*/
async processCredentials() {
if (!this.tokenOptions.key && !this.tokenOptions.keyFile) {
throw new Error('No key or keyFile set.');
}
if (!this.tokenOptions.key && this.tokenOptions.keyFile) {
const credentials = await (0, getCredentials_1.getCredentials)(this.tokenOptions.keyFile);
this.tokenOptions.key = credentials.privateKey;
this.tokenOptions.email = credentials.clientEmail;
}
}
/**
* Checks if the cached token is expired or close to expiring.
* @returns True if the token is expiring, false otherwise.
*/
isTokenExpiring() {
if (!this.token || !this.tokenExpiresAt) {
return true;
}
const now = new Date().getTime();
const eagerRefreshThresholdMillis = this.tokenOptions.eagerRefreshThresholdMillis ?? 0;
return this.tokenExpiresAt <= now + eagerRefreshThresholdMillis;
}
/**
* Returns whether the token has completely expired.
*
* @returns true if the token has expired, false otherwise.
*/
hasExpired() {
const now = new Date().getTime();
if (this.token && this.tokenExpiresAt) {
const now = new Date().getTime();
return now >= this.tokenExpiresAt;
}
return true;
}
/**
* Fetches an access token, using a cached one if available and not expired.
* @param forceRefresh If true, forces a new token to be fetched.
* @returns A promise that resolves with the token data.
*/
async getToken(forceRefresh) {
// Ensure credentials are processed before proceeding.
await this.processCredentials();
// If there's an in-flight request, return it.
if (this.inFlightRequest && !forceRefresh) {
return this.inFlightRequest;
}
// If we have a valid, non-expiring token, return it.
if (this.token && !this.isTokenExpiring() && !forceRefresh) {
return this.token;
}
// Otherwise, fetch a new token.
try {
this.inFlightRequest = (0, getToken_1.getToken)(this.tokenOptions);
const token = await this.inFlightRequest;
// Cache the new token and its expiration time.
this.token = token;
this.tokenExpiresAt =
new Date().getTime() + (token.expires_in ?? 0) * 1000;
return token;
}
finally {
// Clear the in-flight request promise once it's settled.
this.inFlightRequest = undefined;
}
}
}
exports.TokenHandler = TokenHandler;
//# sourceMappingURL=tokenHandler.js.map
+44
build/src/gtoken/tokenOptions.d.ts
import { GaxiosOptions, GaxiosPromise } from 'gaxios';
interface Transporter {
request<T>(opts: GaxiosOptions): GaxiosPromise<T>;
}
interface TokenOptions {
/**
* Path to a .json, .pem, or .p12 key file.
*/
keyFile?: string;
/**
* The raw private key value.
*/
key?: string;
/**
* The service account email address.
*/
email?: string;
/**
* The issuer claim for the JWT.
*/
iss?: string;
/**
* The subject claim for the JWT. This is used for impersonation.
*/
sub?: string;
/**
* The space-delimited list of scopes for the requested token.
*/
scope?: string | string[];
/**
* Additional claims to include in the JWT payload.
*/
additionalClaims?: {
[key: string]: any;
};
/**
* Eagerly refresh unexpired tokens when they are within this many
* milliseconds from expiring.
* Defaults to 0.
*/
eagerRefreshThresholdMillis?: number;
transporter?: Transporter;
}
export { Transporter, TokenOptions };
+16
build/src/gtoken/tokenOptions.js
"use strict";
// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
Object.defineProperty(exports, "__esModule", { value: true });
//# sourceMappingURL=tokenOptions.js.map
+2
-0
build/src/auth/baseexternalclient.js

@@ -258,2 +258,3 @@ "use strict";

url: `${this.cloudResourceManagerURL.toString()}${projectNumber}`,
responseType: 'json',
};

@@ -429,2 +430,3 @@ authclient_1.AuthClient.setMethodName(opts, 'getProjectId');

},
responseType: 'json',
};

@@ -431,0 +433,0 @@ authclient_1.AuthClient.setMethodName(opts, 'getImpersonatedAccessToken');

+4
-0
build/src/auth/defaultawssecuritycredentialssupplier.js

@@ -81,2 +81,3 @@ "use strict";

method: 'GET',
responseType: 'text',
headers: metadataHeaders,

@@ -131,2 +132,3 @@ };

method: 'PUT',
responseType: 'text',
headers: { 'x-aws-ec2-metadata-token-ttl-seconds': '300' },

@@ -153,2 +155,3 @@ };

method: 'GET',
responseType: 'text',
headers: headers,

@@ -174,2 +177,3 @@ };

headers: headers,
responseType: 'json',
};

@@ -176,0 +180,0 @@ authclient_1.AuthClient.setMethodName(opts, '#retrieveAwsSecurityCredentials');

+1
-0
build/src/auth/externalAccountAuthorizedUserClient.js

@@ -63,2 +63,3 @@ "use strict";

}),
responseType: 'json',
};

@@ -65,0 +66,0 @@ authclient_1.AuthClient.setMethodName(opts, 'refreshToken');

+1
-1
build/src/auth/jwtclient.d.ts

@@ -1,2 +0,2 @@

import { GoogleToken } from 'gtoken';
import { GoogleToken } from '../gtoken/googleToken';
import * as stream from 'stream';

@@ -3,0 +3,0 @@ import { CredentialBody, Credentials, JWTInput } from './credentials';

+7
-6
build/src/auth/jwtclient.js

@@ -17,3 +17,4 @@ "use strict";

exports.JWT = void 0;
const gtoken_1 = require("gtoken");
const googleToken_1 = require("../gtoken/googleToken");
const getCredentials_1 = require("../gtoken/getCredentials");
const jwtaccess_1 = require("./jwtaccess");

@@ -127,3 +128,3 @@ const oauth2client_1 = require("./oauth2client");

// Create a new gToken for fetching an ID token
const gtoken = new gtoken_1.GoogleToken({
const gtoken = new googleToken_1.GoogleToken({
iss: this.email,

@@ -179,4 +180,4 @@ sub: this.subject,

this.credentials.refresh_token = 'jwt-placeholder';
this.key = this.gtoken.key;
this.email = this.gtoken.iss;
this.key = this.gtoken.googleTokenOptions?.key;
this.email = this.gtoken.googleTokenOptions?.iss;
return result.tokens;

@@ -208,3 +209,3 @@ }

if (!this.gtoken) {
this.gtoken = new gtoken_1.GoogleToken({
this.gtoken = new googleToken_1.GoogleToken({
iss: this.email,

@@ -297,3 +298,3 @@ sub: this.subject,

const gtoken = this.createGToken();
const creds = await gtoken.getCredentials(this.keyFile);
const creds = await (0, getCredentials_1.getCredentials)(this.keyFile);
return { private_key: creds.privateKey, client_email: creds.clientEmail };

@@ -300,0 +301,0 @@ }

+1
-0
build/src/auth/refreshclient.js

@@ -84,2 +84,3 @@ "use strict";

}),
responseType: 'json',
};

@@ -86,0 +87,0 @@ authclient_1.AuthClient.setMethodName(opts, 'fetchIdToken');

+1
-0
build/src/auth/stscredentials.js

@@ -82,2 +82,3 @@ "use strict";

data: new URLSearchParams((0, util_1.removeUndefinedValuesInObject)(values)),
responseType: 'json',
};

@@ -84,0 +85,0 @@ authclient_1.AuthClient.setMethodName(opts, 'exchangeToken');

+1
-0
build/src/auth/urlsubjecttokensupplier.js

@@ -52,2 +52,3 @@ "use strict";

headers: this.headers,
responseType: this.formatType,
};

@@ -54,0 +55,0 @@ authclient_1.AuthClient.setMethodName(opts, 'getSubjectToken');

+1
-1
build/src/crypto/browser/crypto.js

@@ -62,3 +62,3 @@ "use strict";

// this method async as well.
const result = await window.crypto.subtle.verify(algo, cryptoKey, signatureArray, dataArray);
const result = await window.crypto.subtle.verify(algo, cryptoKey, Buffer.from(signatureArray), dataArray);
return result;

@@ -65,0 +65,0 @@ }

+6
-1
build/src/crypto/node/crypto.js

@@ -73,3 +73,8 @@ "use strict";

function toArrayBuffer(buffer) {
return buffer.buffer.slice(buffer.byteOffset, buffer.byteOffset + buffer.byteLength);
const ab = new ArrayBuffer(buffer.length);
const view = new Uint8Array(ab);
for (let i = 0; i < buffer.length; ++i) {
view[i] = buffer[i];
}
return ab;
}

@@ -76,0 +81,0 @@ /**

+1
-0
build/src/index.d.ts

@@ -27,2 +27,3 @@ import { GoogleAuth } from './auth/googleauth';

export { PassThroughClient } from './auth/passthrough';
export * from './gtoken/googleToken';
type ALL_EXPORTS = (typeof import('./'))[keyof typeof import('./')];

@@ -29,0 +30,0 @@ /**

+15
-0
build/src/index.js
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __exportStar = (this && this.__exportStar) || function(m, exports) {
for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
};
Object.defineProperty(exports, "__esModule", { value: true });

@@ -68,4 +82,5 @@ exports.GoogleAuth = exports.auth = exports.PassThroughClient = exports.ExternalAccountAuthorizedUserClient = exports.EXTERNAL_ACCOUNT_AUTHORIZED_USER_TYPE = exports.ExecutableError = exports.PluggableAuthClient = exports.DownscopedClient = exports.BaseExternalAccountClient = exports.ExternalAccountClient = exports.IdentityPoolClient = exports.AwsRequestSigner = exports.AwsClient = exports.UserRefreshClient = exports.LoginTicket = exports.ClientAuthentication = exports.OAuth2Client = exports.CodeChallengeMethod = exports.Impersonated = exports.JWT = exports.JWTAccess = exports.IdTokenClient = exports.IAMAuth = exports.GCPEnv = exports.Compute = exports.DEFAULT_UNIVERSE = exports.AuthClient = exports.gaxios = exports.gcpMetadata = void 0;

Object.defineProperty(exports, "PassThroughClient", { enumerable: true, get: function () { return passthrough_1.PassThroughClient; } });
__exportStar(require("./gtoken/googleToken"), exports);
const auth = new googleauth_1.GoogleAuth();
exports.auth = auth;
//# sourceMappingURL=index.js.map
+23
-19
package.json
{
"name": "google-auth-library",
"version": "10.5.0",
"version": "10.6.1",
"author": "Google Inc.",

@@ -11,3 +11,7 @@ "description": "Google APIs Authentication Client Library for Node.js",

"types": "./build/src/index.d.ts",
"repository": "googleapis/google-auth-library-nodejs.git",
"repository": {
"type": "git",
"directory": "packages/google-auth-library-nodejs",
"url": "https://github.com/googleapis/google-cloud-node-core.git"
},
"keywords": [

@@ -23,6 +27,5 @@ "google",

"ecdsa-sig-formatter": "^1.0.11",
"gaxios": "^7.0.0",
"gcp-metadata": "^8.0.0",
"google-logging-utils": "^1.0.0",
"gtoken": "^8.0.0",
"gaxios": "7.1.3",
"gcp-metadata": "8.1.2",
"google-logging-utils": "1.1.3",
"jws": "^4.0.0"

@@ -35,11 +38,11 @@ },

"@types/mv": "^2.1.0",
"@types/ncp": "^2.0.1",
"@types/node": "^22.0.0",
"@types/sinon": "^17.0.0",
"@types/ncp": "^2.0.8",
"@types/node": "^24.0.0",
"@types/sinon": "^21.0.0",
"assert-rejects": "^1.0.0",
"c8": "^10.0.0",
"codecov": "^3.0.2",
"gts": "^6.0.0",
"c8": "^10.1.3",
"codecov": "^3.8.3",
"gts": "^6.0.2",
"is-docker": "^3.0.0",
"jsdoc": "^4.0.0",
"jsdoc": "^4.0.4",
"jsdoc-fresh": "^5.0.0",

@@ -59,9 +62,9 @@ "jsdoc-region-tag": "^4.0.0",

"nock": "^14.0.5",
"null-loader": "^4.0.0",
"null-loader": "^4.0.1",
"puppeteer": "^24.0.0",
"sinon": "^21.0.0",
"ts-loader": "^8.0.0",
"typescript": "5.8.2",
"webpack": "^5.21.2",
"webpack-cli": "^4.0.0"
"ts-loader": "^9.5.2",
"typescript": "5.8.3",
"webpack": "^5.97.1",
"webpack-cli": "^6.0.1"
},

@@ -91,3 +94,4 @@ "files": [

},
"license": "Apache-2.0"
"license": "Apache-2.0",
"homepage": "https://github.com/googleapis/google-cloud-node-core/tree/main/packages/google-auth-library-nodejs"
}