Verify Firebase vault tokens with UID keys

[DHCross]

Motivation

• Allow Google/Firebase logins to persist across browsers by using a stable Firebase UID as the vault key instead of ephemeral ID tokens.
• Verify Firebase ID tokens server-side to ensure the token is valid before accessing vault data.
• Provide a migration path from legacy token-keyed vault entries to UID-backed storage.
• Make server-side Firebase initialization reusable via a helper.

Description

• Added firebase-admin dependency and a new helper vessel/src/lib/firebaseAdmin.ts that initializes Admin SDK and exposes getFirebaseAdminAuth() using FIREBASE_PROJECT_ID, FIREBASE_CLIENT_EMAIL, and FIREBASE_PRIVATE_KEY.
• Updated vessel/src/app/api/vault/route.ts to accept either a Firebase ID token or legacy SHA256 token and added resolveVaultKey() to verify ID tokens and map them to vault:firebase:{uid} with a legacyKey fallback of vault:{token}.
• Implemented loadVaultForWrite() and migration logic that copies legacy vault data from vault:{token} into vault:firebase:{uid} when present, and switched GET/POST/DELETE operations to use the resolved vault key.
• Updated comment/docs to reflect that the Authorization header may contain a Firebase ID token and added error handling when token verification fails.

Testing

• No automated tests were run as part of this change.
• Manual verification expected: ensure environment variables FIREBASE_PROJECT_ID, FIREBASE_CLIENT_EMAIL, and FIREBASE_PRIVATE_KEY are set for token verification to work.
• Basic runtime behavior validated by local code changes and successful commit; no CI/lint/build steps were executed automatically.
• Migration behavior can be tested by creating a legacy vault:{token} entry and then calling the API with a valid Firebase ID token to observe migration to vault:firebase:{uid}.

---

Codex Task

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
shipyard	Ready	Preview, Comment	Dec 26, 2025 5:17pm

[Copilot]

Pull request overview

This PR enables Firebase-authenticated users to persist their vault data across browsers by migrating from ephemeral Firebase ID tokens to stable Firebase UIDs as vault keys. It adds server-side ID token verification using the Firebase Admin SDK and provides automatic migration from legacy SHA256 token-based storage.

Key changes:

• Added Firebase Admin SDK initialization and server-side token verification
• Implemented vault key resolution that maps Firebase ID tokens to UID-based keys with legacy token fallback
• Created migration logic to automatically copy data from legacy vault:{token} keys to new vault:firebase:{uid} keys

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 8 comments.

File	Description
vessel/src/lib/firebaseAdmin.ts	New helper module that initializes Firebase Admin SDK and provides reusable getFirebaseAdminAuth() function for server-side token verification
vessel/src/app/api/vault/route.ts	Updated to verify Firebase ID tokens, resolve vault keys (UID-based vs. legacy), implement migration logic, and handle both authentication methods in GET/POST/DELETE operations
vessel/package.json	Added firebase-admin dependency (v12.7.0) for server-side Firebase authentication

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The token detection heuristic 'token.includes('.')' is too broad and could incorrectly classify legacy SHA256 tokens that happen to contain a period. Firebase ID tokens are JWTs with exactly 2 periods separating 3 segments (header.payload.signature). Consider using a more precise check such as checking for exactly 2 periods or validating the JWT structure before attempting verification.

Suggested change

	async function resolveVaultKey(token: string): Promise<VaultKeyResolution | null> {
	const auth = getFirebaseAdminAuth();
	if (auth && token.includes('.')) {
	function isFirebaseIdToken(token: string): boolean {
	const parts = token.split('.');
	return parts.length === 3 && parts.every(part => part.length > 0);
	}
	async function resolveVaultKey(token: string): Promise<VaultKeyResolution | null> {
	const auth = getFirebaseAdminAuth();
	if (auth && isFirebaseIdToken(token)) {

[Copilot]

The DELETE operation sets the vault to an empty array, but the vault structure should be an object with properties like profiles, savedReports, preferences, etc. (as defined in defaultVault). This inconsistency could cause issues when the vault is subsequently read. Consider setting it to an empty object {} or the defaultVault structure instead.

[Copilot]

The migration logic has a potential race condition. When multiple concurrent requests attempt migration, both could read the legacy vault (line 52), both find it non-null, and both write to the new key (line 54). While this won't cause data corruption in this case, it's inefficient. Additionally, there's no atomic migration or cleanup of the legacy key, so users will continue to consume storage for both keys indefinitely.

Suggested change

	await kv.set(resolution.vaultKey, legacyVault);
	return legacyVault;
	// Check again whether another request has already created the new vault
	const existingVault = await kv.get<any>(resolution.vaultKey);
	if (existingVault === null) {
	await kv.set(resolution.vaultKey, legacyVault);
	}
	// Clean up legacy key to avoid storing both indefinitely
	await kv.del(resolution.legacyKey);
	return existingVault ?? legacyVault;

[Copilot]

When Firebase Admin is not configured, tokens containing periods will be treated as legacy tokens and stored under 'vault:{token}' where token is a Firebase ID token. This creates a security issue because anyone with the ID token could access the vault using the legacy path. The code should reject Firebase-looking tokens when Firebase Admin is not configured, rather than silently accepting them as legacy tokens.

[Copilot]

The error logging at line 36 uses console.warn which may expose sensitive token information in production logs. The error object could contain the invalid token or other sensitive details. Consider sanitizing the error before logging or using a more generic log message.

Suggested change

	console.warn('Vault token verification failed:', error);
	console.warn('Vault token verification failed');

[Copilot]

The firebaseAdminConfig object is evaluated once at module load time. If environment variables are set after module initialization (e.g., in serverless environments where env vars may be lazy-loaded), the configuration will remain stale. Additionally, getFirebaseAdminAuth() checks isFirebaseAdminConfigured on each call but the config values themselves are never re-evaluated. Consider checking process.env directly in getFirebaseAdminAuth() or documenting this limitation.

Suggested change

	const firebaseAdminConfig = {
	projectId: process.env.FIREBASE_PROJECT_ID || process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID,
	clientEmail: process.env.FIREBASE_CLIENT_EMAIL,
	privateKey: process.env.FIREBASE_PRIVATE_KEY?.replace(/\\n/g, '\n')
	};
	const isFirebaseAdminConfigured = Boolean(
	firebaseAdminConfig.projectId &&
	firebaseAdminConfig.clientEmail &&
	firebaseAdminConfig.privateKey
	);
	export function getFirebaseAdminAuth() {
	if (!isFirebaseAdminConfigured) {
	return null;
	}
	if (getApps().length === 0) {
	initializeApp({
	credential: cert({
	projectId: firebaseAdminConfig.projectId,
	clientEmail: firebaseAdminConfig.clientEmail,
	privateKey: firebaseAdminConfig.privateKey
	export function getFirebaseAdminAuth() {
	const projectId =
	process.env.FIREBASE_PROJECT_ID || process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID;
	const clientEmail = process.env.FIREBASE_CLIENT_EMAIL;
	const privateKey = process.env.FIREBASE_PRIVATE_KEY?.replace(/\\n/g, '\n');
	if (!projectId || !clientEmail || !privateKey) {
	return null;
	}
	if (getApps().length === 0) {
	initializeApp({
	credential: cert({
	projectId,
	clientEmail,
	privateKey

[Copilot]

The cert() function expects all properties (projectId, clientEmail, privateKey) to be strings, but the config values could be undefined if environment variables are not set. TypeScript should enforce this, but at runtime, passing undefined values to cert() could cause initialization errors. Consider adding non-null assertions or type guards before calling cert().

Suggested change

	projectId: firebaseAdminConfig.projectId,
	clientEmail: firebaseAdminConfig.clientEmail,
	privateKey: firebaseAdminConfig.privateKey
	projectId: firebaseAdminConfig.projectId!,
	clientEmail: firebaseAdminConfig.clientEmail!,
	privateKey: firebaseAdminConfig.privateKey!

[Copilot]

The migration logic in GET is duplicated here and in loadVaultForWrite. This creates potential race conditions where multiple concurrent GET requests could trigger duplicate migrations, and inconsistency since POST/DELETE use loadVaultForWrite but GET has its own implementation. Consider removing this duplicate migration code and using loadVaultForWrite consistently.

Suggested change

	let vaultData = await kv.get<any>(resolved.vaultKey);
	if (vaultData === null && resolved.legacyKey) {
	const legacyVault = await kv.get<any>(resolved.legacyKey);
	if (legacyVault !== null) {
	await kv.set(resolved.vaultKey, legacyVault);
	vaultData = legacyVault;
	}
	}
	let vaultData = await loadVaultForWrite(resolved);