Skip to main content

firebase_admin/auth/session_cookie/
create.rs

1//! Session cookie creation via the Identity Toolkit `:createSessionCookie` endpoint.
2
3use crate::auth::error::{parse_identity_toolkit_response, AuthError};
4use crate::core::HttpClient;
5use serde::{Deserialize, Serialize};
6use std::time::Duration;
7
8#[derive(Debug, Serialize)]
9struct CreateSessionCookieRequest<'a> {
10    #[serde(rename = "idToken")]
11    id_token: &'a str,
12    #[serde(rename = "validDuration")]
13    valid_duration_secs: u64,
14}
15
16#[derive(Debug, Deserialize)]
17struct CreateSessionCookieResponse {
18    #[serde(rename = "sessionCookie")]
19    session_cookie: String,
20}
21
22/// Exchanges a verified ID token for a long-lived session cookie.
23///
24/// `endpoint` is the fully-qualified `:createSessionCookie` URL, which
25/// differs between live and emulator [`crate::auth::mode::ClientMode`].
26/// `bearer_token` must be `Some` in live mode (this endpoint, like the rest
27/// of the Identity Toolkit API, requires OAuth2 authentication there) and is
28/// ignored in emulator mode, where `emulator_api_key` must be `Some` instead
29/// — see [`crate::auth::mode::ClientMode::emulator_api_key`].
30pub async fn create_session_cookie(
31    http: &HttpClient,
32    endpoint: &str,
33    id_token: &str,
34    valid_duration: Duration,
35    bearer_token: Option<&str>,
36    emulator_api_key: Option<&str>,
37) -> Result<String, AuthError> {
38    let body = CreateSessionCookieRequest {
39        id_token,
40        valid_duration_secs: valid_duration.as_secs(),
41    };
42
43    let mut request = http.inner().post(endpoint);
44    if let Some(token) = bearer_token {
45        request = request.bearer_auth(token);
46    }
47    if let Some(key) = emulator_api_key {
48        request = request.query(&[("key", key)]);
49    }
50
51    let response = request.json(&body).send().await?;
52    let parsed: CreateSessionCookieResponse = parse_identity_toolkit_response(response).await?;
53
54    Ok(parsed.session_cookie)
55}