beste
diff --git a/‎src/Firebase/Factory.php‎
Lines changed: 46 additions & 93 deletions b/‎src/Firebase/Factory.php‎
Lines changed: 46 additions & 93 deletions
diff --git a/‎src/Firebase/ServiceAccount.php‎
Lines changed: 41 additions & 0 deletions b/‎src/Firebase/ServiceAccount.php‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎tests/Integration/Auth/CustomTokenViaGoogleCredentialsTest.php‎
Lines changed: 12 additions & 1 deletion b/‎tests/Integration/Auth/CustomTokenViaGoogleCredentialsTest.php‎
Lines changed: 12 additions & 1 deletion
@@ -7,7 +7,6 @@
 use Beste\Cache\InMemoryCache;
 use Beste\Clock\SystemClock;
 use Beste\Clock\WrappingClock;
-use Beste\Json;
 use Firebase\JWT\CachedKeySet;
 use Google\Auth\ApplicationDefaultCredentials;
 use Google\Auth\Credentials\ServiceAccountCredentials;
@@ -48,21 +47,12 @@
 use Psr\Log\LogLevel;
 use Stringable;
 use Throwable;
-use UnexpectedValueException;
 
 use function array_filter;
 use function is_string;
 use function sprintf;
 use function trim;
 
-/**
- * @phpstan-type ServiceAccountShape array{
- *     project_id: non-empty-string,
- *     client_email: non-empty-string,
- *     private_key: non-empty-string,
- *     type: 'service_account'
- * }
- */
 final class Factory
 {
     public const API_CLIENT_SCOPES = [
@@ -86,10 +76,7 @@ final class Factory
      */
     private ?string $defaultStorageBucket = null;
 
-    /**
-     * @var ServiceAccountShape|null
-     */
-    private ?array $serviceAccount = null;
+    private ?ServiceAccount $serviceAccount = null;
 
     private ?FetchAuthTokenInterface $googleAuthTokenCredentials = null;
 
@@ -155,40 +142,16 @@ public function __construct()
     }
 
     /**
-     * @param non-empty-string|ServiceAccountShape $value
+     * @param string|array<mixed> $value
+     *
+     * @throws InvalidArgumentException
      */
     public function withServiceAccount(string|array $value): self
     {
-        if (is_string($value) && str_starts_with($value, '{')) {
-            try {
-                /** @var ServiceAccountShape $serviceAccount */
-                $serviceAccount = Json::decode($value, true);
-            } catch (UnexpectedValueException $e) {
-                throw new InvalidArgumentException('Invalid service account: '.$e->getMessage(), $e->getCode(), $e);
-            }
-
-            $factory = clone $this;
-            $factory->serviceAccount = $serviceAccount;
-
-            return $factory;
-        }
-
-        if (is_string($value)) {
-            try {
-                /** @var ServiceAccountShape $serviceAccount */
-                $serviceAccount = Json::decodeFile($value, true);
-
-                $factory = clone $this;
-                $factory->serviceAccount = $serviceAccount;
-
-                return $factory;
-            } catch (UnexpectedValueException $e) {
-                throw new InvalidArgumentException('Invalid service account: '.$e->getMessage(), $e->getCode(), $e);
-            }
-        }
+        $serviceAccount = $this->mapServiceAccount($value);
 
         $factory = clone $this;
-        $factory->serviceAccount = $value;
+        $factory->serviceAccount = $serviceAccount;
 
         return $factory;
     }
@@ -414,8 +377,8 @@ public function createAppCheck(): Contract\AppCheck
         return new AppCheck(
             new AppCheck\ApiClient($http),
             new AppCheckTokenGenerator(
-                $serviceAccount['client_email'],
-                $serviceAccount['private_key'],
+                $serviceAccount->clientEmail,
+                $serviceAccount->privateKey,
                 $this->clock,
             ),
             new AppCheckTokenVerifier($projectId, $keySet),
@@ -548,16 +511,7 @@ public function createStorage(): Contract\Storage
      * @deprecated 7.20.0
      * @codeCoverageIgnore
      *
-     * @return array{
-     *     credentialsType: string|null,
-     *     databaseUrl: string,
-     *     defaultStorageBucket: string|null,
-     *     serviceAccount: string|array<string, string>|null,
-     *     projectId: string,
-     *     tenantId: non-empty-string|null,
-     *     tokenCacheType: class-string,
-     *     verifierCacheType: class-string,
-     * }
+     * @return array<mixed>
      */
     public function getDebugInfo(): array
     {
@@ -645,13 +599,7 @@ public function createApiClient(?array $config = null, ?array $middlewares = nul
     }
 
     /**
-     * @return array{
-     *     projectId: non-empty-string,
-     *     authCache: CacheItemPoolInterface,
-     *     credentialsFetcher?: FetchAuthTokenInterface,
-     *     keyFile?: ServiceAccountShape,
-     *     keyFilePath?: non-empty-string
-     * }
+     * @return array<non-empty-string, mixed>
      */
     private function googleCloudClientConfig(): array
     {
@@ -667,7 +615,7 @@ private function googleCloudClientConfig(): array
 
         $serviceAccount = $this->getServiceAccount();
         if ($serviceAccount !== null) {
-            $config['keyFile'] = $serviceAccount;
+            $config['keyFile'] = $this->normalizeServiceAccount($serviceAccount);
         }
 
         return $config;
@@ -687,6 +635,8 @@ private function getProjectId(): string
             ? $credentials->getProjectId()
             : Util::getenv('GOOGLE_CLOUD_PROJECT');
 
+        $projectId ??= $this->getServiceAccount()?->projectId;
+
         if (is_string($projectId) && $projectId !== '') {
             return $this->projectId = $projectId;
         }
@@ -699,23 +649,15 @@ private function getProjectId(): string
      */
     private function getDatabaseUrl(): string
     {
-        if ($this->databaseUrl === null) {
-            $this->databaseUrl = sprintf('https://%s.firebaseio.com', $this->getProjectId());
-        }
-
-        return $this->databaseUrl;
+        return $this->databaseUrl ??= sprintf('https://%s.firebaseio.com', $this->getProjectId());
     }
 
     /**
      * @return non-empty-string
      */
     private function getStorageBucketName(): string
     {
-        if ($this->defaultStorageBucket === null) {
-            $this->defaultStorageBucket = sprintf('%s.appspot.com', $this->getProjectId());
-        }
-
-        return $this->defaultStorageBucket;
+        return $this->defaultStorageBucket ??= sprintf('%s.appspot.com', $this->getProjectId());
     }
 
     private function createCustomTokenGenerator(): ?CustomTokenViaGoogleCredentials
@@ -755,41 +697,34 @@ private function createSessionCookieVerifier(): SessionCookieVerifier
         return SessionCookieVerifier::createWithProjectIdAndCache($this->getProjectId(), $this->verifierCache ?? $this->defaultCache);
     }
 
-    /**
-     * @return ServiceAccountShape|null
-     */
-    private function getServiceAccount(): ?array
+    private function getServiceAccount(): ?ServiceAccount
     {
-        if ($this->serviceAccount === null) {
-            $googleApplicationCredentials = Util::getenv('GOOGLE_APPLICATION_CREDENTIALS');
-
-            if ($googleApplicationCredentials === null) {
-                return null;
-            }
-
-            if (!str_starts_with($googleApplicationCredentials, '{')) {
-                return null;
-            }
+        if ($this->serviceAccount !== null) {
+            return $this->serviceAccount;
+        }
 
-            /** @var ServiceAccountShape $serviceAccount */
-            $serviceAccount = Json::decode($googleApplicationCredentials, true);
+        $googleApplicationCredentials = Util::getenv('GOOGLE_APPLICATION_CREDENTIALS');
 
-            $this->serviceAccount = $serviceAccount;
+        if ($googleApplicationCredentials === null) {
+            return $this->serviceAccount;
         }
 
-        return $this->serviceAccount;
+        return $this->serviceAccount = $this->mapServiceAccount($googleApplicationCredentials);
     }
 
     private function getGoogleAuthTokenCredentials(): ?FetchAuthTokenInterface
     {
-        if ($this->googleAuthTokenCredentials !== null) {
+        if ($this->googleAuthTokenCredentials instanceof FetchAuthTokenInterface) {
             return $this->googleAuthTokenCredentials;
         }
 
         $serviceAccount = $this->getServiceAccount();
 
         if ($serviceAccount !== null) {
-            return $this->googleAuthTokenCredentials = new ServiceAccountCredentials(self::API_CLIENT_SCOPES, $serviceAccount);
+            return $this->googleAuthTokenCredentials = new ServiceAccountCredentials(
+                self::API_CLIENT_SCOPES,
+                $this->normalizeServiceAccount($serviceAccount),
+            );
         }
 
         try {
@@ -798,4 +733,22 @@ private function getGoogleAuthTokenCredentials(): ?FetchAuthTokenInterface
             return null;
         }
     }
+
+    private function mapServiceAccount(mixed $value): ServiceAccount
+    {
+        return $this->getMapper()
+            ->allowSuperfluousKeys()
+            ->snakeToCamelCase()
+            ->map(ServiceAccount::class, Source::parse($value));
+    }
+
+    /**
+     * @return array<non-empty-string, mixed>
+     */
+    private function normalizeServiceAccount(ServiceAccount $serviceAccount): array
+    {
+        return $this->getNormalizer()
+            ->camelToSnakeCase()
+            ->toArray($serviceAccount);
+    }
 }
@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Kreait\Firebase;
+
+use SensitiveParameter;
+
+/**
+ * @internal
+ */
+final class ServiceAccount
+{
+    public function __construct(
+        /** @var non-empty-string */
+        public string $type,
+        /** @var non-empty-string */
+        #[SensitiveParameter] public string $projectId,
+        /** @var non-empty-string */
+        #[SensitiveParameter] public string $clientEmail,
+        /** @var non-empty-string */
+        #[SensitiveParameter] public string $clientId,
+        /** @var non-empty-string */
+        #[SensitiveParameter] public string $privateKey,
+        /** @var non-empty-string */
+        #[SensitiveParameter] public string $privateKeyId,
+        /** @var non-empty-string */
+        #[SensitiveParameter] public string $authUri,
+        /** @var non-empty-string */
+        #[SensitiveParameter] public string $tokenUri,
+        /** @var non-empty-string */
+        #[SensitiveParameter] public string $authProviderX509CertUrl,
+        /** @var non-empty-string */
+        #[SensitiveParameter] public string $clientX509CertUrl,
+        /** @var non-empty-string|null */
+        #[SensitiveParameter] public ?string $quotaProjectId = null,
+        /** @var non-empty-string|null */
+        #[SensitiveParameter] public ?string $universeDomain = null,
+    ) {
+    }
+}
@@ -8,7 +8,11 @@
 use Kreait\Firebase\Auth\CustomTokenViaGoogleCredentials;
 use Kreait\Firebase\Contract\Auth;
 use Kreait\Firebase\Factory;
+use Kreait\Firebase\ServiceAccount;
 use Kreait\Firebase\Tests\IntegrationTestCase;
+use Kreait\Firebase\Valinor\Mapper;
+use Kreait\Firebase\Valinor\Normalizer;
+use Kreait\Firebase\Valinor\Source;
 use Lcobucci\JWT\Encoding\JoseEncoder;
 use Lcobucci\JWT\Token\Parser;
 use Lcobucci\JWT\UnencryptedToken;
@@ -27,7 +31,14 @@ final class CustomTokenViaGoogleCredentialsTest extends IntegrationTestCase
 
     protected function setUp(): void
     {
-        $credentials = new ServiceAccountCredentials(Factory::API_CLIENT_SCOPES, self::$serviceAccount);
+        $serviceAccount = (new Mapper())
+            ->allowSuperfluousKeys()
+            ->snakeToCamelCase()
+            ->map(ServiceAccount::class, Source::parse(self::$credentials));
+
+        $normalizedServiceAccount = (new Normalizer())->camelToSnakeCase()->toArray($serviceAccount);
+
+        $credentials = new ServiceAccountCredentials(Factory::API_CLIENT_SCOPES, $normalizedServiceAccount);
 
         $this->generator = new CustomTokenViaGoogleCredentials($credentials);
         $this->auth = self::$factory->createAuth();