@agnostack/verifyd 2.1.2 → 2.2.0-beta.1

package/dist/umd/index.js

@@ -0,0 +1,1001 @@
+/**
+ * MIT License
+ *
+ * Copyright (c) 2021-present agnoStack, Inc. and Adam Grohs
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+(function (global, factory) {
+  typeof exports === 'object' && typeof module !== 'undefined' ? factory(exports) :
+  typeof define === 'function' && define.amd ? define(['exports'], factory) :
+  (global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global["@agnostack/verifyd/external"] = {}));
+})(this, (function (exports) { 'use strict';
+
+  /* eslint-disable no-use-before-define */
+
+  // #region lib-core
+  // TODO!!!: keep in sync between next-shopify and lib-core (AND lib-utils-js at bottom)
+
+  const REACT_SYMBOL = Symbol.for('react.element');
+
+  const isArray = (value) => (
+    // eslint-disable-next-line eqeqeq
+    (value != undefined) && Array.isArray(value)
+  );
+
+  const isSet = (value) => (
+    // eslint-disable-next-line eqeqeq
+    (value != undefined) && (value instanceof Set)
+  );
+
+  const isType = (value, type) => (
+    // eslint-disable-next-line eqeqeq, valid-typeof
+    (value != undefined) && (typeof value === type)
+  );
+
+  const isString = (value) => (
+    isType(value, 'string') ||
+    (value instanceof String)
+  );
+
+  const isReact = (value) => (
+    isType(value, 'object') &&
+    (value?.$$typeof === REACT_SYMBOL)
+  );
+
+  const isClass = (value) => (
+    isType(value, 'object') &&
+    (Object.getPrototypeOf(value) !== Object.prototype) &&
+    !isReact(value)
+  );
+
+  const isTypeEnhanced = (value, type) => {
+    switch (true) {
+      case (type === 'boolean'): {
+        return isType(value, type) || ['true', 'false'].includes(value)
+      }
+
+      case (type === 'string'): {
+        return isString(value)
+      }
+
+      case (type === 'set'): {
+        return isSet(value)
+      }
+
+      case (type === 'react'): {
+        return isReact(value)
+      }
+
+      case (type === 'class'): {
+        return isClass(value)
+      }
+
+      case (type === 'array'): {
+        return (
+          isArray(value) &&
+          !isSet(value)
+        )
+      }
+
+      case (type === 'object'): {
+        return (
+          isType(value, type) &&
+          !isArray(value) &&
+          !isClass(value) &&
+          !isString(value) &&
+          !isReact(value)
+        )
+      }
+
+      default: {
+        return isType(value, type)
+      }
+    }
+  };
+
+  const safeTrim = (value) => {
+    if (isTypeEnhanced(value, 'string')) {
+      // eslint-disable-next-line no-param-reassign
+      value = value.trim();
+    }
+
+    return value
+  };
+
+  const isParseable = (value, trim, matchQuoted) => {
+    if (!isTypeEnhanced(value, 'string')) {
+      return false
+    }
+
+    if (trim) {
+      // eslint-disable-next-line no-param-reassign
+      value = safeTrim(value);
+    }
+
+    return isTrue(value.startsWith('{') || value.startsWith('[') || (matchQuoted && value.startsWith('"')))
+  };
+
+  const safeParse = (value, trim) => {
+    switch (true) {
+      case isTypeEnhanced(value, 'object'):
+      case isTypeEnhanced(value, 'array'): {
+        return value
+      }
+
+      case isParseable(value, trim, true): {
+        if (trim) {
+          // eslint-disable-next-line no-param-reassign
+          value = safeTrim(value);
+        }
+
+        try {
+          return JSON.parse(value)
+        } catch (_ignore) {
+          console.info('Ignoring error parsing', _ignore);
+          // TODO: should this be value ?? {}
+          return value
+        }
+      }
+
+      default: {
+        // TODO: should this be value ?? {}
+        return value
+      }
+    }
+  };
+
+  const ensureString = (string) => (
+    string ? `${string}` : ''
+  );
+
+  const ensureArray = (array = []) => (
+    // eslint-disable-next-line no-nested-ternary
+    !array ? [] : Array.isArray(array) ? array : [array]
+  );
+
+  const ensureObject = (object) => (
+    object ?? {}
+  );
+
+  // NOTE: this does not ensure !isType(string)
+  const objectEmpty = (object) => (
+    !object || !Object.keys(object).length
+  );
+
+  const stringNotEmpty = (stringable) => {
+    const string = ensureString(stringable);
+    return ((string.length > 0) && !['null', 'undefined'].includes(string))
+  };
+
+  const stringEmpty = (stringable) => (
+    !stringNotEmpty(stringable)
+  );
+
+  const compareString = (string1, string2) => {
+    if (stringEmpty(string1)) {
+      return 1
+    }
+
+    if (stringEmpty(string2)) {
+      return -1
+    }
+
+    return ensureString(string1).localeCompare(string2)
+  };
+
+  const compareEntryKeys = ([string1], [string2]) => (
+    compareString(string1, string2)
+  );
+
+  const objectToSortedString = (object, separator = '') => (
+    Object.entries(ensureObject(object))
+      .sort(compareEntryKeys)
+      .map(([key, value]) => `${key}=${value}`)
+      .join(separator)
+  );
+
+  const uppercase = (string) => (
+    ensureString(string).toUpperCase()
+  );
+
+  const lowercase = (string, defaultValue = '') => (
+    !stringNotEmpty(string)
+      ? defaultValue
+      : ensureString(string).toLowerCase()
+  );
+
+  const removeLeadingSlash = (string) => (
+    ensureString(string).replace(/^\//, '')
+  );
+
+  const ensureLeadingSlash = (string) => (
+    `/${removeLeadingSlash(string)}`
+  );
+
+  const isTrue = (value, falsy) => {
+    const string = ensureString(value);
+    return ![...ensureArray(falsy), '', 'false'].includes(string)
+  };
+  // #endregion lib-utils-js
+
+  var n,r=((n=function(){return r}).toString=n.toLocaleString=n[Symbol.toPrimitive]=function(){return ""},n.valueOf=function(){return !1},new Proxy(Object.freeze(n),{get:function(n,t){return n.hasOwnProperty(t)?n[t]:r}})),u=function(n){return n===r};
+
+  let win = global.window;
+  let exists = (variable) => !u(variable);
+  let window = typeof win !== "undefined" ? win : r;
+
+  class WebCrypto {
+    constructor({ crypto: _crypto, util: _util } = {}) {
+      this._crypto = _crypto ?? {};
+      this._util = _util ?? {};
+    }
+
+    get subtle() {
+      return this._crypto?.subtle
+    }
+
+    async getWebCrypto() {
+      if (!this._crypto?.subtle) {
+        try {
+          this._crypto = (await import('isomorphic-webcrypto')).default;
+        } catch (_ignore) {
+          console.info('Failed to import isomorphic-webcrypto, retrying w/ node crypto');
+          try {
+            this._crypto = (await import('crypto')).default;
+          } catch (error) {
+            // eslint-disable-next-line max-len
+            console.error(`Failed to import node crypto, ensure 'isomorphic-webcrypto' (or node 'crypto') is installed and/or pass in implementation via 'new WebCrypto({ crypto })'`);
+            throw error
+          }
+        }
+      }
+
+      if (!this._crypto?.subtle) {
+        throw new Error('Invalid crypto, missing subtle')
+      }
+
+      return this._crypto
+    }
+
+    async getTextDecoder() {
+      if (this._util?.TextDecoder) {
+        return this._util.TextDecoder
+      }
+
+      if (exists(window) && typeof window?.TextDecoder === 'function') {
+        return window.TextDecoder
+      }
+
+      try {
+        const TextDecoder = (await import('util')).TextDecoder;
+        this._util.TextDecoder = TextDecoder;
+
+        return TextDecoder
+      } catch (error) {
+        console.error(`Failed to import 'utils.TextDecoder', ensure 'util' is available and/or pass in implementation via 'new WebCrypto({ util })'`);
+        throw error
+      }
+    }
+
+    async getTextEncoder() {
+      if (this._util?.TextEncoder) {
+        return this._util.TextEncoder
+      }
+
+      if (exists(window) && typeof window?.TextEncoder === 'function') {
+        return window.TextEncoder
+      }
+
+      try {
+        const TextEncoder = (await import('util')).TextEncoder;
+        this._util.TextEncoder = TextEncoder;
+
+        return TextEncoder
+      } catch (error) {
+        console.error(`Failed to import 'utils.TextEncoder', ensure 'util' is available and/or pass in implementation via 'new WebCrypto({ util })'`);
+        throw error
+      }
+    }
+
+    timingSafeEqual(value1, value2) {
+      if (
+        (value1 == undefined) ||
+        (value2 == undefined) ||
+        (value1.length !== value2.length)
+      ) {
+        return false
+      }
+
+      let result = 0;
+      // eslint-disable-next-line no-plusplus
+      for (let i = 0; i < value1.length; i++) {
+        // eslint-disable-next-line no-bitwise
+        result |= value1[i] ^ value2[i];
+      }
+
+      return (result === 0)
+    }
+
+    stringToHex(stringValue) {
+      return (
+        Array.from(ensureString(stringValue), (char) => (
+          char.charCodeAt(0).toString(16).padStart(2, '0')
+        )).join('')
+      )
+    }
+
+    hexToString(hexValue) {
+      return (
+        ensureArray(
+          ensureString(hexValue).match(/.{1,2}/g)
+        )
+        .map((byte) => String.fromCharCode(parseInt(byte, 16)))
+        .join('')
+      )
+    }
+
+    async arrayBufferToString(arrayBuffer) {
+      const uint8Array = new Uint8Array(arrayBuffer);
+      const Decoder = await this.getTextDecoder();
+      return new Decoder().decode(uint8Array)
+    }
+
+    arrayToArrayBuffer(array) {
+      return (
+        (ArrayBuffer.from != undefined)
+          ? ArrayBuffer.from(array)
+          : new Uint8Array(array).buffer
+      )
+    }
+
+    ensureArrayBuffer(arrayOrArrayBuffer) {
+      return (
+        (arrayOrArrayBuffer instanceof ArrayBuffer)
+          ? arrayOrArrayBuffer
+          : this.arrayToArrayBuffer(arrayOrArrayBuffer)
+      )
+    }
+
+    getKeyOperations(keyType) {
+      switch (keyType) {
+        case 'paired':
+        case 'private':
+        case 'privateKey': {
+          return ['deriveKey']
+        }
+
+        case 'secret':
+        case 'secretKey':
+        case 'sharedSecret': {
+          return ['encrypt', 'decrypt']
+        }
+
+        default: {
+          return []
+        }
+      }
+    }
+
+    getKeyAlgorythm(keyType) {
+      switch (keyType) {
+        case 'derivedKey':
+        case 'derived':
+        case 'secret':
+        case 'secretKey':
+        case 'sharedSecret': {
+          return {
+            name: 'AES-GCM',
+          }
+        }
+
+        default: {
+          return {
+            name: 'ECDH',
+            namedCurve: 'P-256',
+          }
+        }
+      }
+    }
+
+    async generateKeyPair() {
+      const crypto = await this.getWebCrypto();
+      const keyPair = await crypto.subtle.generateKey(
+        this.getKeyAlgorythm('paired'),
+        true,
+        this.getKeyOperations('paired')
+      );
+
+      return keyPair
+    }
+
+    async generateSharedSecret() {
+      const crypto = await this.getWebCrypto();
+      const keyPair = await crypto.subtle.generateKey(
+        this.getKeyAlgorythm('sharedSecret'),
+        true,
+        this.getKeyOperations('sharedSecret')
+      );
+
+      return keyPair
+    }
+
+    async generateHMAC(message, derivedKey) {
+      if (!message || !derivedKey) {
+        return undefined
+      } 
+
+      const crypto = await this.getWebCrypto();
+      const Encoder = await this.getTextEncoder();
+
+      const signature = await crypto.subtle.sign(
+        'HMAC',
+        derivedKey,
+        new Encoder().encode(message)
+      );
+
+      return this.stringToHex(
+        this.arrayBufferToString(signature)
+      )
+    }
+
+    async verifyHMAC(message, derivedKey, verifiableHMAC) {
+      const calculatedHMAC = await this.generateHMAC(message, derivedKey);
+
+      return this.timingSafeEqual(calculatedHMAC, verifiableHMAC)
+    }
+
+    async getStorableKey(key) {
+      const crypto = await this.getWebCrypto();
+
+      const exportedJWK = await crypto.subtle.exportKey('jwk', key);
+      return this.stringToHex(JSON.stringify(exportedJWK))
+    }
+
+    async restoreStorableKey(keyType, storableHex) {
+      if (!storableHex) {
+        return undefined
+      }
+      const crypto = await this.getWebCrypto();
+
+      const exportedJWK = JSON.parse(this.hexToString(storableHex) || '{}');
+      if (objectEmpty(exportedJWK)) {
+        return undefined
+      }
+
+      return crypto.subtle.importKey(
+        'jwk',
+        exportedJWK,
+        this.getKeyAlgorythm(keyType),
+        true,
+        this.getKeyOperations(keyType)
+      )
+    }
+
+    async getStorableKeyPair(keyPair) {
+      const storableKeys = {};
+
+      // eslint-disable-next-line no-restricted-syntax
+      for (const [keyType, key] of Object.entries(keyPair)) {
+        // eslint-disable-next-line no-await-in-loop
+        storableKeys[keyType] = await this.getStorableKey(key);
+      }
+
+      return storableKeys
+    }
+
+    async restoreStorableKeyPair(keyPair) {
+      const restoredKeys = {};
+
+      // eslint-disable-next-line no-restricted-syntax
+      for (const [keyType, key] of Object.entries(keyPair)) {
+        // eslint-disable-next-line no-await-in-loop
+        restoredKeys[keyType] = await this.restoreStorableKey(keyType, key);
+      }
+
+      return restoredKeys
+    }
+
+    async deriveSharedKey({ publicKey, privateKey }) {
+      if (!publicKey || !privateKey) {
+        return undefined
+      }
+
+      const crypto = await this.getWebCrypto();
+      const derivedKey = await crypto.subtle.deriveKey(
+        {
+          name: 'ECDH',
+          public: publicKey,
+        },
+        privateKey,
+        {
+          name: 'AES-GCM',
+          length: 256,
+        },
+        true,
+        ['encrypt', 'decrypt']
+      );
+      return derivedKey
+    }
+
+    async deriveHMACKey({ publicKey, privateKey }) {
+      if (!publicKey || !privateKey) {
+        return undefined
+      }
+
+      const crypto = await this.getWebCrypto();
+      const derivedKey = await crypto.subtle.deriveKey(
+        {
+          name: 'ECDH',
+          public: publicKey,
+        },
+        privateKey,
+        {
+          name: 'HMAC',
+          hash: { name: 'SHA-256' },
+          length: 256,  // Adjusted key length, e.g., 128 bits
+        },
+        true,
+        ['sign', 'verify']
+      );
+      return derivedKey
+    }
+
+    async getVerificationKeys({ publicKey, privateKey }) {
+      if (!publicKey || !privateKey) {
+        return {}
+      }
+
+      const sharedKeyPair = await this.restoreStorableKeyPair({ publicKey, privateKey });
+      const derivedHMACKey = await this.deriveHMACKey(sharedKeyPair);
+      const derivedSecretKey = await this.deriveSharedKey(sharedKeyPair);
+
+      return {
+        derivedSecretKey,
+        derivedHMACKey,
+      }
+    }
+
+    async encryptMessage(decryptedMessage, derivedKey) {
+      if (!decryptedMessage || !derivedKey) {
+        return undefined
+      }
+
+      const crypto = await this.getWebCrypto();
+      const iv = crypto.getRandomValues(new Uint8Array(12));
+      const Encoder = await this.getTextEncoder();
+      const encodedMessage = new Encoder().encode(decryptedMessage);
+      const ciphertext = await crypto.subtle.encrypt(
+        {
+          name: 'AES-GCM',
+          iv,
+        },
+        derivedKey,
+        encodedMessage
+      );
+
+      const encryptedMessage = new Uint8Array([
+        ...iv,
+        ...new Uint8Array(ciphertext)
+      ]);
+      return Array.from(encryptedMessage)
+    }
+
+    async decryptMessage(encryptedMessage, derivedKey) {
+      if (!encryptedMessage || !derivedKey) {
+        return undefined
+      }
+
+      const crypto = await this.getWebCrypto();
+      // NOTE: this presumed an array or arrayBuffer coming in as encryptedMessage (will fail w/ IV error if its a string)
+      const encryptedArrayBuffer = this.ensureArrayBuffer(encryptedMessage);
+      const iv = encryptedArrayBuffer.slice(0, 12);
+      const ciphertext = encryptedArrayBuffer.slice(12);
+
+      const decryptedArrayBuffer = await crypto.subtle.decrypt(
+        {
+          name: 'AES-GCM',
+          iv,
+        },
+        derivedKey,
+        ciphertext
+      );
+
+      const Decoder = await this.getTextDecoder();
+      const decryptedMessage = new Decoder().decode(decryptedArrayBuffer);
+      return decryptedMessage
+    }
+  }
+
+  const getAuthorizationHelpers = async (sharedSecret, { crypto: _crypto, util: _util } = {}) => {
+    if (stringEmpty(sharedSecret)) {
+      return undefined
+    }
+
+    const webCrypto = new WebCrypto({ crypto: _crypto, util: _util });
+    const sharedKey = await webCrypto.restoreStorableKey(
+      'sharedSecret',
+      sharedSecret
+    );
+
+    return {
+      encrypt: async (decryptedMessage) => (
+        webCrypto.encryptMessage(decryptedMessage, sharedKey)
+      ),
+      decrypt: async (encryptedMessage) => (
+        webCrypto.decryptMessage(encryptedMessage, sharedKey)
+      ),
+    }
+  };
+
+  const TEMP_HOSTNAME = 'xyz.com';
+  const REMOVABLE_KEYS = ['shop', 'host'];
+
+  const HEADER_CONTENT_TYPE = 'Content-Type';
+  const HEADER_PUBLIC_KEY = 'X-Public-Key';
+  const HEADER_EPHEMERAL_KEY = 'X-Ephemeral-Key';
+  const HEADER_AUTHORIZATION_CUSTOM = 'X-Authorization';
+  const HEADER_AUTHORIZATION_TIMESTAMP = 'X-Authorization-Timestamp';
+
+  const CONTENT_TYPES = {
+    APPLICATION_JSON: 'application/json',
+  };
+
+  const getRequestMethod = (body, _method) => {
+    const method = _method ?? (body ? 'POST' : 'GET');
+
+    return uppercase(method)
+  };
+
+  const prepareRequestOptions = ({ method: _method, body: _body, headers: _headers, ...requestOptions } = {}) => {
+    const method = getRequestMethod(_body, _method);
+
+    const _contentType = _headers?.[HEADER_CONTENT_TYPE.toLowerCase()];
+    const headers = {
+      [HEADER_CONTENT_TYPE]: _contentType || CONTENT_TYPES.APPLICATION_JSON,
+      ..._headers,
+    };
+
+    let body = _body;
+    if (body && headers[HEADER_CONTENT_TYPE].startsWith(CONTENT_TYPES.APPLICATION_JSON)) {
+      body = JSON.stringify(safeParse(body));
+    }
+
+    return {
+      method,
+      headers,
+      ...(body && (method !== 'GET')) && { body },
+      ...requestOptions,
+    }
+  };
+
+  const convertToURL = (uri) => {
+    if (stringEmpty(uri)) {
+      return undefined
+    }
+
+    const protocolRegex = /^(https?:\/\/).+/i;
+
+    if (!protocolRegex.test(uri)) {
+      return new URL(`https://${TEMP_HOSTNAME}${ensureLeadingSlash(uri)}`)
+    }
+
+    return new URL(uri)
+  };
+
+  const normalizeURIParts = (uri) => {
+    const urlObject = convertToURL(uri);
+    if (!urlObject) {
+      return undefined
+    }
+
+    REMOVABLE_KEYS.forEach((key) => urlObject.searchParams.delete(key));
+
+    return {
+      ...(urlObject.hostname !== TEMP_HOSTNAME) && {
+        origin: urlObject.origin,
+      },
+      pathname: urlObject.pathname,
+      search: urlObject.search,
+    }
+  };
+
+  const getUnixString = () => {
+    const currentDate = new Date();
+    const unixTimestamp = currentDate.getTime();
+    return Math.floor(unixTimestamp / 1000).toString()
+  };
+
+  const getVerificationKeysData = async (publicKey, { crypto: _crypto, util: _util } = {}) => {
+    if (stringEmpty(publicKey)) {
+      return {}
+    }
+
+    const webCrypto = new WebCrypto({ crypto: _crypto, util: _util });
+
+    const _ephemeralStoreableKeyPair = await webCrypto.getStorableKeyPair(
+      await webCrypto.generateKeyPair()
+    );
+
+    const _verificationKeyPair = await webCrypto.getVerificationKeys({
+      publicKey,
+      privateKey: _ephemeralStoreableKeyPair.privateKey,
+    });
+
+    return {
+      publicKey,
+      ephemeral: _ephemeralStoreableKeyPair,
+      verification: _verificationKeyPair,
+    }
+  };
+
+  // eslint-disable-next-line arrow-body-style
+  const prepareVerificationRequest = ({ keysData: _keysData, disableRecryption: _disableRecryption, crypto: _crypto, util: _util } = {}) => {
+    const webCrypto = new WebCrypto({ crypto: _crypto, util: _util });
+    const disableRecryption = isTrue(_disableRecryption);
+
+    return async (requestPath, { method: rawMethod, body: rawBody, headers: rawHeaders,  ...requestOptions } = {}) => {
+      let parsedBody = safeParse(rawBody);
+      const method = getRequestMethod(parsedBody, rawMethod);
+
+      if (disableRecryption || stringEmpty(_keysData?.publicKey)) {
+        return [
+          requestPath,
+          prepareRequestOptions({
+            method,
+            body: parsedBody,
+            headers: rawHeaders,
+            ...requestOptions,
+          })
+        ]
+      }
+
+      const {
+        verification: {
+          derivedHMACKey,
+          derivedSecretKey,
+        } = {},
+        ephemeral: {
+          publicKey: ephemeralPublicKey,
+        } = {},
+      } = _keysData ?? {};
+
+      if (!derivedHMACKey || !ephemeralPublicKey) {
+        return undefined
+      }
+
+      if (parsedBody && derivedSecretKey) {
+        parsedBody = await webCrypto.encryptMessage(JSON.stringify(parsedBody), derivedSecretKey);
+      }
+
+      const timestamp = getUnixString();
+      const computedHMAC = await webCrypto.generateHMAC(
+        objectToSortedString({
+          body: parsedBody,
+          method,
+          timestamp,
+          ...normalizeURIParts(requestPath),
+        }),
+        derivedHMACKey
+      );
+
+      return [
+        requestPath,
+        prepareRequestOptions({
+          method,
+          body: parsedBody,
+          headers: {
+            'X-Authorization': `HMAC-SHA256 ${computedHMAC}`,
+            'X-Authorization-Timestamp': timestamp,
+            'X-Ephemeral-Key': ephemeralPublicKey,
+            'X-Public-Key': _keysData.publicKey,
+            ...rawHeaders,
+          },
+          ...requestOptions,
+        }),
+        derivedSecretKey
+      ]
+    }
+  };
+
+  const processVerificationResponse = ({ keysData, disableRecryption: _disableRecryption, crypto: _crypto, util: _util } = {}) => {
+    const webCrypto = new WebCrypto({ crypto: _crypto, util: _util });
+    const disableRecryption = isTrue(_disableRecryption);
+
+    return async (encryptedResponse, _derivedSecretKey) => {
+      const derivedSecretKey = _derivedSecretKey ?? keysData.verification?.derivedSecretKey;
+      if (disableRecryption || !encryptedResponse || !derivedSecretKey) {
+        return encryptedResponse
+      }
+    
+      const decryptedMessage = await webCrypto.decryptMessage(encryptedResponse, derivedSecretKey);
+      return safeParse(decryptedMessage)
+    }
+  };
+
+  class VerificationError extends Error {
+    constructor(message, _data) {
+      super(message);
+      const { code = 500, ...data } = _data ?? {};
+      this.code = code;
+      this.data = data;
+      this.name = 'VerificationError';
+      Object.setPrototypeOf(this, VerificationError.prototype);
+    }
+  }
+
+  const getChunkedRawBody = async (req) => {
+    if (req?.rawBody) {
+      return req.rawBody
+    }
+
+    // TODO: move to req.text() after next 13.5: https://github.com/vercel/next.js/discussions/13405
+    try {
+      const _getRawBody = (await import('raw-body')).default;
+
+      if (!req.method || (lowercase(req.method) === 'get')) {
+        return undefined
+      }
+
+      return _getRawBody(req).then((_rawBody) => _rawBody?.toString())
+    } catch (error) {
+      console.error(`Failed to import 'raw-body', please ensure the dependency is installed`);
+      throw error
+    }
+  };
+
+  // TODO: explore returning mutated request object adding on req.rawBody??
+  const ensureRawBody = async (req) => (
+    getChunkedRawBody(req)
+      .catch((error) => {
+        console.error(`Error getting raw body for '${req?.url}'`, error);
+        throw error
+    })
+  );
+
+  /******************************************************************************
+  Copyright (c) Microsoft Corporation.
+
+  Permission to use, copy, modify, and/or distribute this software for any
+  purpose with or without fee is hereby granted.
+
+  THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+  REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+  AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+  INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+  LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+  OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+  PERFORMANCE OF THIS SOFTWARE.
+  ***************************************************************************** */
+
+  function __awaiter(thisArg, _arguments, P, generator) {
+      function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+      return new (P || (P = Promise))(function (resolve, reject) {
+          function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+          function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+          function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+          step((generator = generator.apply(thisArg, _arguments || [])).next());
+      });
+  }
+
+  typeof SuppressedError === "function" ? SuppressedError : function (error, suppressed, message) {
+      var e = new Error(message);
+      return e.name = "SuppressedError", e.error = error, e.suppressed = suppressed, e;
+  };
+
+  const generateStorableKeyPairs = (...args_1) => __awaiter(void 0, [...args_1], void 0, function* ({ crypto: _crypto, util: _util } = {}) {
+      const webCrypto = new WebCrypto({ crypto: _crypto, util: _util });
+      const sharedKeyPair = yield webCrypto.generateKeyPair();
+      return webCrypto.getStorableKeyPair({
+          publicKey: sharedKeyPair.publicKey,
+          privateKey: sharedKeyPair.privateKey,
+      });
+  });
+  const getVerificationHelpers = ({ keyPairs, util: _util, crypto: _crypto, DISABLE_RECRYPTION, } = { keyPairs: {} }) => {
+      const webCrypto = new WebCrypto({ crypto: _crypto, util: _util });
+      return (req, params) => __awaiter(void 0, void 0, void 0, function* () {
+          var _a;
+          const { [HEADER_PUBLIC_KEY]: _apiKey, [HEADER_PUBLIC_KEY.toLowerCase()]: apiKey = _apiKey, [HEADER_EPHEMERAL_KEY]: _ephemeralPublicKey, [HEADER_EPHEMERAL_KEY.toLowerCase()]: ephemeralPublicKey = _ephemeralPublicKey, [HEADER_AUTHORIZATION_TIMESTAMP]: _customAuthTimestamp, [HEADER_AUTHORIZATION_TIMESTAMP.toLowerCase()]: customAuthTimestamp = _customAuthTimestamp, [HEADER_AUTHORIZATION_CUSTOM]: _customAuth, [HEADER_AUTHORIZATION_CUSTOM.toLowerCase()]: customAuth = _customAuth, } = (_a = req.headers) !== null && _a !== void 0 ? _a : {};
+          const { uri: _uri, disableRecryption: _disableRecryption } = params !== null && params !== void 0 ? params : {};
+          const uri = _uri !== null && _uri !== void 0 ? _uri : req.url;
+          const disableRecryption = isTrue(DISABLE_RECRYPTION) || isTrue(_disableRecryption);
+          let isVerifiable = false;
+          try {
+              const [authProtocol, authSignature] = ensureString(customAuth).split(' ');
+              isVerifiable = isTrue(apiKey &&
+                  ephemeralPublicKey &&
+                  customAuthTimestamp &&
+                  authSignature &&
+                  (authProtocol === 'HMAC-SHA256') &&
+                  (keyPairs === null || keyPairs === void 0 ? void 0 : keyPairs.shared));
+              let verificationKeys;
+              const rawBody = yield ensureRawBody(req);
+              // NOTE: requestBody should be wind up decrypted when isVerifiable (unless disableRecryption, then will pass through)
+              let requestBody = safeParse(rawBody);
+              // TEMP!!! remove isVerifiable check once web widget moved to react
+              if (isVerifiable) {
+                  if (!apiKey ||
+                      !ephemeralPublicKey ||
+                      !customAuthTimestamp ||
+                      !authSignature ||
+                      (authProtocol !== 'HMAC-SHA256') ||
+                      !(keyPairs === null || keyPairs === void 0 ? void 0 : keyPairs.shared) ||
+                      (apiKey !== keyPairs.shared.publicKey)) {
+                      throw new VerificationError('Invalid or missing authorization', { code: 401 });
+                  }
+                  verificationKeys = yield webCrypto.getVerificationKeys({
+                      publicKey: ephemeralPublicKey,
+                      privateKey: keyPairs.shared.privateKey,
+                  });
+                  if (!verificationKeys) {
+                      throw new VerificationError('Invalid or missing verification', { code: 412 });
+                  }
+                  const verificationPayload = objectToSortedString(Object.assign({ method: getRequestMethod(rawBody, req.method), timestamp: customAuthTimestamp, body: requestBody }, normalizeURIParts(uri)));
+                  const isValid = yield webCrypto.verifyHMAC(verificationPayload, verificationKeys.derivedHMACKey, authSignature);
+                  if (!isValid) {
+                      throw new VerificationError('Invalid or missing verification', { code: 403 });
+                  }
+                  if (!disableRecryption && requestBody) {
+                      const decryptedMessage = yield webCrypto.decryptMessage(requestBody, verificationKeys.derivedSecretKey);
+                      requestBody = safeParse(decryptedMessage);
+                  }
+              }
+              const processResponse = (response) => __awaiter(void 0, void 0, void 0, function* () {
+                  if (disableRecryption || !response || !isVerifiable || !(verificationKeys === null || verificationKeys === void 0 ? void 0 : verificationKeys.derivedSecretKey)) {
+                      return response;
+                  }
+                  return webCrypto.encryptMessage(JSON.stringify(response), verificationKeys.derivedSecretKey);
+              });
+              return { rawBody, requestBody, processResponse };
+          }
+          catch (error) {
+              console.error(`Error handling request verification for '${uri}'`, {
+                  error,
+                  isVerifiable,
+                  disableRecryption,
+              });
+              throw error;
+          }
+      });
+  };
+
+  exports.CONTENT_TYPES = CONTENT_TYPES;
+  exports.HEADER_AUTHORIZATION_CUSTOM = HEADER_AUTHORIZATION_CUSTOM;
+  exports.HEADER_AUTHORIZATION_TIMESTAMP = HEADER_AUTHORIZATION_TIMESTAMP;
+  exports.HEADER_CONTENT_TYPE = HEADER_CONTENT_TYPE;
+  exports.HEADER_EPHEMERAL_KEY = HEADER_EPHEMERAL_KEY;
+  exports.HEADER_PUBLIC_KEY = HEADER_PUBLIC_KEY;
+  exports.VerificationError = VerificationError;
+  exports.WebCrypto = WebCrypto;
+  exports.ensureRawBody = ensureRawBody;
+  exports.generateStorableKeyPairs = generateStorableKeyPairs;
+  exports.getAuthorizationHelpers = getAuthorizationHelpers;
+  exports.getRequestMethod = getRequestMethod;
+  exports.getVerificationHelpers = getVerificationHelpers;
+  exports.getVerificationKeysData = getVerificationKeysData;
+  exports.normalizeURIParts = normalizeURIParts;
+  exports.prepareRequestOptions = prepareRequestOptions;
+  exports.prepareVerificationRequest = prepareVerificationRequest;
+  exports.processVerificationResponse = processVerificationResponse;
+
+  Object.defineProperty(exports, '__esModule', { value: true });
+
+}));
+//# sourceMappingURL=index.js.map