@ahoo-wang/fetcher-cosec 2.8.3 → 2.8.6

package/dist/index.es.js

@@ -1,38 +1,39 @@
-import { REQUEST_BODY_INTERCEPTOR_ORDER as A, ResultExtractors as N } from "@ahoo-wang/fetcher";
-import { nanoid as S } from "nanoid";
+import { REQUEST_BODY_INTERCEPTOR_ORDER as A, ResultExtractors as S } from "@ahoo-wang/fetcher";
+import { nanoid as k } from "nanoid";
+import { KeyStorage as d, createListenableStorage as l, IdentitySerializer as P } from "@ahoo-wang/fetcher-storage";
 const a = class a {
 };
 a.DEVICE_ID = "CoSec-Device-Id", a.APP_ID = "CoSec-App-Id", a.AUTHORIZATION = "Authorization", a.REQUEST_ID = "CoSec-Request-Id";
 let o = a;
-const d = class d {
+const E = class E {
 };
-d.UNAUTHORIZED = 401;
-let u = d;
-const B = {
+E.UNAUTHORIZED = 401;
+let u = E;
+const Q = {
   ALLOW: { authorized: !0, reason: "Allow" },
   EXPLICIT_DENY: { authorized: !1, reason: "Explicit Deny" },
   IMPLICIT_DENY: { authorized: !1, reason: "Implicit Deny" },
   TOKEN_EXPIRED: { authorized: !1, reason: "Token Expired" },
   TOO_MANY_REQUESTS: { authorized: !1, reason: "Too Many Requests" }
 };
-class P {
+class w {
   /**
    * Generate a unique request ID.
    *
    * @returns A unique request ID
    */
   generateId() {
-    return S();
+    return k();
   }
 }
-const f = new P(), C = "CoSecRequestInterceptor", p = A + 1e3, g = "Ignore-Refresh-Token";
-class Y {
+const p = new w(), C = "CoSecRequestInterceptor", f = A + 1e3, O = "Ignore-Refresh-Token";
+class H {
   /**
    * Creates a new CoSecRequestInterceptor instance.
    * @param options - The CoSec configuration options including appId, deviceIdStorage, and tokenManager
    */
   constructor(e) {
-    this.name = C, this.order = p, this.options = e;
+    this.name = C, this.order = f, this.options = e;
   }
   /**
    * Intercept requests to add CoSec authentication headers.
@@ -57,19 +58,19 @@ class Y {
    * It will attempt to refresh the token before adding the Authorization header to the request.
    */
   async intercept(e) {
-    const t = f.generateId(), r = this.options.deviceIdStorage.getOrCreate(), n = e.ensureRequestHeaders();
+    const t = p.generateId(), r = this.options.deviceIdStorage.getOrCreate(), n = e.ensureRequestHeaders();
     n[o.APP_ID] = this.options.appId, n[o.DEVICE_ID] = r, n[o.REQUEST_ID] = t;
   }
 }
-const U = "AuthorizationRequestInterceptor", D = p + 1e3;
-class F {
+const U = "AuthorizationRequestInterceptor", y = f + 1e3;
+class Z {
   /**
    * Creates an AuthorizationRequestInterceptor instance.
    *
    * @param options - Configuration options containing the token manager
    */
   constructor(e) {
-    this.options = e, this.name = U, this.order = D;
+    this.options = e, this.name = U, this.order = y;
   }
   /**
    * Intercepts the request exchange to add authorization headers.
@@ -85,17 +86,17 @@ class F {
   async intercept(e) {
     let t = this.options.tokenManager.currentToken;
     const r = e.ensureRequestHeaders();
-    !t || r[o.AUTHORIZATION] || (!e.attributes.has(g) && t.isRefreshNeeded && t.isRefreshable && await this.options.tokenManager.refresh(), t = this.options.tokenManager.currentToken, t && (r[o.AUTHORIZATION] = `Bearer ${t.access.token}`));
+    !t || r[o.AUTHORIZATION] || (!e.attributes.has(O) && t.isRefreshNeeded && t.isRefreshable && await this.options.tokenManager.refresh(), t = this.options.tokenManager.currentToken, t && (r[o.AUTHORIZATION] = `Bearer ${t.access.token}`));
   }
 }
-const z = "AuthorizationResponseInterceptor", v = Number.MIN_SAFE_INTEGER + 1e3;
-class G {
+const D = "AuthorizationResponseInterceptor", m = Number.MIN_SAFE_INTEGER + 1e3;
+class B {
   /**
    * Creates a new AuthorizationResponseInterceptor instance.
    * @param options - The CoSec configuration options including token storage and refresher
    */
   constructor(e) {
-    this.name = z, this.order = v, this.options = e;
+    this.name = D, this.order = m, this.options = e;
   }
   /**
    * Intercepts the response and handles unauthorized responses by refreshing tokens.
@@ -111,239 +112,12 @@ class G {
       }
   }
 }
-function k() {
-  return typeof window < "u";
-}
-class b {
-  constructor() {
-    this.store = /* @__PURE__ */ new Map(), this.listeners = /* @__PURE__ */ new Set();
-  }
-  /**
-   * Gets the number of items stored in the storage.
-   */
-  get length() {
-    return this.store.size;
-  }
-  /**
-   * Clears all items from the storage.
-   */
-  clear() {
-    this.store.clear();
-  }
-  /**
-   * Gets an item from the storage.
-   * @param key - The key of the item to retrieve
-   * @returns The value of the item, or null if the item does not exist
-   */
-  getItem(e) {
-    const t = this.store.get(e);
-    return t !== void 0 ? t : null;
-  }
-  /**
-   * Gets the key at the specified index.
-   * @param index - The index of the key to retrieve
-   * @returns The key at the specified index, or null if the index is out of bounds
-   */
-  key(e) {
-    return Array.from(this.store.keys())[e] || null;
-  }
-  /**
-   * Removes an item from the storage.
-   * @param key - The key of the item to remove
-   */
-  removeItem(e) {
-    const t = this.getItem(e);
-    this.store.has(e) && (this.store.delete(e), this.notifyListeners({
-      key: e,
-      oldValue: t,
-      newValue: null
-    }));
-  }
-  /**
-   * Sets an item in the storage.
-   * @param key - The key of the item to set
-   * @param value - The value to set
-   */
-  setItem(e, t) {
-    const r = this.getItem(e);
-    this.store.set(e, t), this.notifyListeners({ key: e, oldValue: r, newValue: t });
-  }
-  /**
-   * Adds a listener for storage changes.
-   * @param listener - The listener function to be called when storage changes
-   * @returns A function that can be called to remove the listener
-   */
-  addListener(e) {
-    return this.listeners.add(e), () => this.listeners.delete(e);
-  }
-  /**
-   * Notifies all listeners of a storage change by creating and dispatching a StorageEvent.
-   * @param eventInit - The initialization object for the StorageEvent
-   */
-  notifyListeners(e) {
-    k() && window.location && (e.url = e.url || window.location.href), e.storageArea = this, this.listeners.forEach((t) => {
-      try {
-        t(e);
-      } catch (r) {
-        console.error("Error in storage change listener:", r);
-      }
-    });
-  }
-}
-class L {
-  /**
-   * Creates a new BrowserListenableStorage instance.
-   * @param storage - The native Storage object to wrap (e.g., localStorage or sessionStorage)
-   */
-  constructor(e) {
-    this.storage = e;
-  }
-  /**
-   * Gets the number of items stored in the storage.
-   */
-  get length() {
-    return this.storage.length;
-  }
-  /**
-   * Adds a listener for storage changes.
-   * @param listener - The listener function to be called when storage changes
-   * @returns A function that can be called to remove the listener
-   */
-  addListener(e) {
-    const t = (r) => {
-      r.storageArea === this.storage && e(r);
-    };
-    return window.addEventListener(R, t), () => window.removeEventListener(R, t);
-  }
-  /**
-   * Clears all items from the storage.
-   */
-  clear() {
-    this.storage.clear();
-  }
-  /**
-   * Gets an item from the storage.
-   * @param key - The key of the item to retrieve
-   * @returns The value of the item, or null if the item does not exist
-   */
-  getItem(e) {
-    return this.storage.getItem(e);
-  }
-  /**
-   * Gets the key at the specified index.
-   * @param index - The index of the key to retrieve
-   * @returns The key at the specified index, or null if the index is out of bounds
-   */
-  key(e) {
-    return this.storage.key(e);
-  }
-  /**
-   * Removes an item from the storage.
-   * @param key - The key of the item to remove
-   */
-  removeItem(e) {
-    this.storage.removeItem(e);
-  }
-  /**
-   * Sets an item in the storage.
-   * @param key - The key of the item to set
-   * @param value - The value to set
-   */
-  setItem(e, t) {
-    this.storage.setItem(e, t);
-  }
-}
-const R = "storage", l = () => k() ? new L(window.localStorage) : new b();
-class w {
-  /**
-   * Returns the value as-is without serialization
-   * @param value The value to pass through
-   * @returns The same value that was passed in
-   */
-  /**
-   * Returns the value as-is without serialization
-   * @param value The value to pass through
-   * @returns The same value that was passed in
-   */
-  serialize(e) {
-    return e;
-  }
-  /**
-   * Returns the value as-is without deserialization
-   * @template Deserialized The type of the deserialized value
-   * @param value The value to pass through
-   * @returns The same value that was passed in, cast to the target type
-   */
-  /**
-   * Returns the value as-is without deserialization
-   * @param value The value to pass through
-   * @returns The same value that was passed in
-   */
-  deserialize(e) {
-    return e;
-  }
-}
-const M = new w();
-function V() {
-  return M;
-}
-class O {
-  /**
-   * Creates a new KeyStorage instance
-   * @param options Configuration options for the storage
-   */
-  constructor(e) {
-    this.cacheValue = null, this.refreshCacheListener = (t) => {
-      this.cacheValue = null, t.newValue && this.refreshCache(t.newValue);
-    }, this.key = e.key, this.serializer = e.serializer ?? V(), this.storage = e.storage ?? l(), this.addListener(this.refreshCacheListener);
-  }
-  /**
-   * Refreshes the cached value by deserializing the provided string
-   * @param value The serialized value to deserialize and cache
-   */
-  refreshCache(e) {
-    this.cacheValue = this.serializer.deserialize(e);
-  }
-  addListener(e) {
-    const t = (r) => {
-      r.key === this.key && e(r);
-    };
-    return this.storage.addListener(t);
-  }
-  /**
-   * Gets the value associated with the key from storage
-   * Uses cached value if available, otherwise retrieves from storage and caches it
-   * @returns The deserialized value or null if no value is found
-   */
-  get() {
-    if (this.cacheValue)
-      return this.cacheValue;
-    const e = this.storage.getItem(this.key);
-    return e ? (this.refreshCache(e), this.cacheValue) : null;
-  }
-  /**
-   * Sets the value associated with the key in storage
-   * Also updates the cached value
-   * @param value The value to serialize and store
-   */
-  set(e) {
-    const t = this.serializer.serialize(e);
-    this.storage.setItem(this.key, t), this.cacheValue = e;
-  }
-  /**
-   * Removes the value associated with the key from storage
-   * Also clears the cached value
-   */
-  remove() {
-    this.storage.removeItem(this.key), this.cacheValue = null;
-  }
-}
-const q = "cosec-device-id";
-class j extends O {
-  constructor(e = q) {
+const b = "cosec-device-id";
+class L extends d {
+  constructor(e = b) {
     super({
       key: e,
-      serializer: new w(),
+      serializer: new P(),
       storage: l()
     });
   }
@@ -353,7 +127,7 @@ class j extends O {
    * @returns A newly generated device ID
    */
   generateDeviceId() {
-    return f.generateId();
+    return p.generateId();
   }
   /**
    * Get or create a device ID.
@@ -383,7 +157,7 @@ function _(s) {
     return console.error("Failed to parse JWT token", e), null;
   }
 }
-function K(s, e = 0) {
+function z(s, e = 0) {
   const t = typeof s == "string" ? _(s) : s;
   if (!t)
     return !0;
@@ -402,10 +176,10 @@ class T {
    * @returns true if the token is expired, false otherwise
    */
   get isExpired() {
-    return this.payload ? K(this.payload, this.earlyPeriod) : !0;
+    return this.payload ? z(this.payload, this.earlyPeriod) : !0;
   }
 }
-class y {
+class g {
   /**
    * Creates a new JwtCompositeToken instance
    */
@@ -427,7 +201,7 @@ class y {
     return !this.refresh.isExpired;
   }
 }
-class m {
+class N {
   constructor(e = 0) {
     this.earlyPeriod = e;
   }
@@ -438,7 +212,7 @@ class m {
    */
   deserialize(e) {
     const t = JSON.parse(e);
-    return new y(t, this.earlyPeriod);
+    return new g(t, this.earlyPeriod);
   }
   /**
    * Serializes a JwtCompositeToken to a JSON string
@@ -449,8 +223,8 @@ class m {
     return JSON.stringify(e.token);
   }
 }
-const X = new m();
-class W {
+const Y = new N();
+class F {
   /**
    * Creates a new JwtTokenManager instance
    * @param tokenStorage The storage used to persist tokens
@@ -502,8 +276,8 @@ class W {
     return this.currentToken ? this.currentToken.isRefreshable : !1;
   }
 }
-const x = "ResourceAttributionRequestInterceptor", J = Number.MAX_SAFE_INTEGER;
-class $ {
+const M = "ResourceAttributionRequestInterceptor", q = Number.MAX_SAFE_INTEGER;
+class G {
   /**
    * Creates a new ResourceAttributionRequestInterceptor
    * @param options - Configuration options for resource attribution including tenantId, ownerId and tokenStorage
@@ -513,7 +287,7 @@ class $ {
     ownerId: t = "ownerId",
     tokenStorage: r
   }) {
-    this.name = x, this.order = J, this.tenantIdPathKey = e, this.ownerIdPathKey = t, this.tokenStorage = r;
+    this.name = M, this.order = q, this.tenantIdPathKey = e, this.ownerIdPathKey = t, this.tokenStorage = r;
   }
   /**
    * Intercepts outgoing requests and automatically adds tenant and owner ID path parameters
@@ -531,11 +305,11 @@ class $ {
       e.request.url
     ), c = this.tenantIdPathKey, i = e.ensureRequestUrlParams().path, I = r.tenantId;
     I && n.includes(c) && !i[c] && (i[c] = I);
-    const h = this.ownerIdPathKey, E = r.sub;
-    E && n.includes(h) && !i[h] && (i[h] = E);
+    const h = this.ownerIdPathKey, R = r.sub;
+    R && n.includes(h) && !i[h] && (i[h] = R);
   }
 }
-class ee {
+class j {
   /**
    * Creates a new instance of CoSecTokenRefresher.
    *
@@ -557,55 +331,55 @@ class ee {
         body: e
       },
       {
-        resultExtractor: N.Json,
-        attributes: /* @__PURE__ */ new Map([[g, !0]])
+        resultExtractor: S.Json,
+        attributes: /* @__PURE__ */ new Map([[O, !0]])
       }
     );
   }
 }
-const Q = "cosec-token";
-class te extends O {
-  constructor(e = Q, t = 0) {
+const K = "cosec-token";
+class V extends d {
+  constructor(e = K, t = 0) {
     super({
       key: e,
       storage: l(),
-      serializer: new m(t)
+      serializer: new N(t)
     }), this.earlyPeriod = t;
   }
   setCompositeToken(e) {
-    this.set(new y(e));
+    this.set(new g(e));
   }
 }
 export {
   U as AUTHORIZATION_REQUEST_INTERCEPTOR_NAME,
-  D as AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER,
-  z as AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME,
-  v as AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER,
-  F as AuthorizationRequestInterceptor,
-  G as AuthorizationResponseInterceptor,
-  B as AuthorizeResults,
+  y as AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER,
+  D as AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME,
+  m as AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER,
+  Z as AuthorizationRequestInterceptor,
+  B as AuthorizationResponseInterceptor,
+  Q as AuthorizeResults,
   C as COSEC_REQUEST_INTERCEPTOR_NAME,
-  p as COSEC_REQUEST_INTERCEPTOR_ORDER,
+  f as COSEC_REQUEST_INTERCEPTOR_ORDER,
   o as CoSecHeaders,
-  Y as CoSecRequestInterceptor,
-  ee as CoSecTokenRefresher,
-  q as DEFAULT_COSEC_DEVICE_ID_KEY,
-  Q as DEFAULT_COSEC_TOKEN_KEY,
-  j as DeviceIdStorage,
-  g as IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY,
-  y as JwtCompositeToken,
-  m as JwtCompositeTokenSerializer,
+  H as CoSecRequestInterceptor,
+  j as CoSecTokenRefresher,
+  b as DEFAULT_COSEC_DEVICE_ID_KEY,
+  K as DEFAULT_COSEC_TOKEN_KEY,
+  L as DeviceIdStorage,
+  O as IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY,
+  g as JwtCompositeToken,
+  N as JwtCompositeTokenSerializer,
   T as JwtToken,
-  W as JwtTokenManager,
-  P as NanoIdGenerator,
-  x as RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME,
-  J as RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER,
-  $ as ResourceAttributionRequestInterceptor,
+  F as JwtTokenManager,
+  w as NanoIdGenerator,
+  M as RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME,
+  q as RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER,
+  G as ResourceAttributionRequestInterceptor,
   u as ResponseCodes,
-  te as TokenStorage,
-  f as idGenerator,
-  K as isTokenExpired,
-  X as jwtCompositeTokenSerializer,
+  V as TokenStorage,
+  p as idGenerator,
+  z as isTokenExpired,
+  Y as jwtCompositeTokenSerializer,
   _ as parseJwtPayload
 };
 //# sourceMappingURL=index.es.js.map

package/dist/index.es.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.es.js","sources":["../src/types.ts","../src/idGenerator.ts","../src/cosecRequestInterceptor.ts","../src/authorizationRequestInterceptor.ts","../src/authorizationResponseInterceptor.ts","../../storage/dist/index.es.js","../src/deviceIdStorage.ts","../src/jwts.ts","../src/jwtToken.ts","../src/jwtTokenManager.ts","../src/resourceAttributionRequestInterceptor.ts","../src/tokenRefresher.ts","../src/tokenStorage.ts"],"sourcesContent":["/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { DeviceIdStorage } from './deviceIdStorage';\nimport { JwtTokenManager } from './jwtTokenManager';\n\n/**\n * CoSec HTTP headers enumeration.\n */\nexport class CoSecHeaders {\n  static readonly DEVICE_ID = 'CoSec-Device-Id';\n  static readonly APP_ID = 'CoSec-App-Id';\n  static readonly AUTHORIZATION = 'Authorization';\n  static readonly REQUEST_ID = 'CoSec-Request-Id';\n}\n\nexport class ResponseCodes {\n  static readonly UNAUTHORIZED = 401;\n}\n\nexport interface AppIdCapable {\n  /**\n   * Application ID to be sent in the CoSec-App-Id header.\n   */\n  appId: string;\n}\n\nexport interface DeviceIdStorageCapable {\n  deviceIdStorage: DeviceIdStorage;\n}\n\nexport interface JwtTokenManagerCapable {\n  tokenManager: JwtTokenManager;\n}\n\n/**\n * CoSec options interface.\n */\nexport interface CoSecOptions\n  extends AppIdCapable,\n    DeviceIdStorageCapable,\n    JwtTokenManagerCapable {\n}\n\n/**\n * Authorization result interface.\n */\nexport interface AuthorizeResult {\n  authorized: boolean;\n  reason: string;\n}\n\n/**\n * Authorization result constants.\n */\nexport const AuthorizeResults = {\n  ALLOW: { authorized: true, reason: 'Allow' },\n  EXPLICIT_DENY: { authorized: false, reason: 'Explicit Deny' },\n  IMPLICIT_DENY: { authorized: false, reason: 'Implicit Deny' },\n  TOKEN_EXPIRED: { authorized: false, reason: 'Token Expired' },\n  TOO_MANY_REQUESTS: { authorized: false, reason: 'Too Many Requests' },\n};\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { nanoid } from 'nanoid';\n\nexport interface IdGenerator {\n  generateId(): string;\n}\n\n/**\n * Nano ID implementation of IdGenerator.\n * Generates unique request IDs using Nano ID.\n */\nexport class NanoIdGenerator implements IdGenerator {\n  /**\n   * Generate a unique request ID.\n   *\n   * @returns A unique request ID\n   */\n  generateId(): string {\n    return nanoid();\n  }\n}\n\nexport const idGenerator = new NanoIdGenerator();\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  FetchExchange,\n  REQUEST_BODY_INTERCEPTOR_ORDER,\n  type RequestInterceptor,\n} from '@ahoo-wang/fetcher';\nimport { AppIdCapable, CoSecHeaders, DeviceIdStorageCapable } from './types';\nimport { idGenerator } from './idGenerator';\n\nexport interface CoSecRequestOptions\n  extends AppIdCapable,\n    DeviceIdStorageCapable {\n}\n\n/**\n * The name of the CoSecRequestInterceptor.\n */\nexport const COSEC_REQUEST_INTERCEPTOR_NAME = 'CoSecRequestInterceptor';\n\n/**\n * The order of the CoSecRequestInterceptor.\n * Set to REQUEST_BODY_INTERCEPTOR_ORDER + 1000 to ensure it runs after RequestBodyInterceptor.\n */\nexport const COSEC_REQUEST_INTERCEPTOR_ORDER =\n  REQUEST_BODY_INTERCEPTOR_ORDER + 1000;\n\nexport const IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY = 'Ignore-Refresh-Token';\n\n/**\n * Interceptor that automatically adds CoSec authentication headers to requests.\n *\n * This interceptor adds the following headers to each request:\n * - CoSec-Device-Id: Device identifier (stored in localStorage or generated)\n * - CoSec-App-Id: Application identifier\n * - CoSec-Request-Id: Unique request identifier for each request\n *\n * @remarks\n * This interceptor runs after RequestBodyInterceptor but before FetchInterceptor.\n * The order is set to COSEC_REQUEST_INTERCEPTOR_ORDER to ensure it runs after\n * request body processing but before the actual HTTP request is made. This positioning\n * allows for proper authentication header addition after all request body transformations\n * are complete, ensuring that the final request is properly authenticated before\n * being sent over the network.\n */\nexport class CoSecRequestInterceptor implements RequestInterceptor {\n  readonly name = COSEC_REQUEST_INTERCEPTOR_NAME;\n  readonly order = COSEC_REQUEST_INTERCEPTOR_ORDER;\n  private options: CoSecRequestOptions;\n\n  /**\n   * Creates a new CoSecRequestInterceptor instance.\n   * @param options - The CoSec configuration options including appId, deviceIdStorage, and tokenManager\n   */\n  constructor(options: CoSecRequestOptions) {\n    this.options = options;\n  }\n\n  /**\n   * Intercept requests to add CoSec authentication headers.\n   *\n   * This method adds the following headers to each request:\n   * - CoSec-App-Id: The application identifier from the CoSec options\n   * - CoSec-Device-Id: A unique device identifier, either retrieved from storage or generated\n   * - CoSec-Request-Id: A unique identifier for this specific request\n   *\n   * @param exchange - The fetch exchange containing the request to process\n   *\n   * @remarks\n   * This method runs after RequestBodyInterceptor but before FetchInterceptor.\n   * It ensures that authentication headers are added to the request after all\n   * body processing is complete. The positioning allows for proper authentication\n   * header addition after all request body transformations are finished, ensuring\n   * that the final request is properly authenticated before being sent over the network.\n   * This execution order prevents authentication headers from being overwritten by\n   * subsequent request processing interceptors.\n   *\n   * The method also handles token refreshing when the current token is expired but still refreshable.\n   * It will attempt to refresh the token before adding the Authorization header to the request.\n   */\n  async intercept(exchange: FetchExchange) {\n    // Generate a unique request ID for this request\n    const requestId = idGenerator.generateId();\n\n    // Get or create a device ID\n    const deviceId = this.options.deviceIdStorage.getOrCreate();\n\n    // Ensure request headers object exists\n    const requestHeaders = exchange.ensureRequestHeaders();\n\n    // Add CoSec headers to the request\n    requestHeaders[CoSecHeaders.APP_ID] = this.options.appId;\n    requestHeaders[CoSecHeaders.DEVICE_ID] = deviceId;\n    requestHeaders[CoSecHeaders.REQUEST_ID] = requestId;\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { FetchExchange, RequestInterceptor } from '@ahoo-wang/fetcher';\nimport {\n  COSEC_REQUEST_INTERCEPTOR_ORDER,\n  IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY,\n} from './cosecRequestInterceptor';\nimport { CoSecHeaders, JwtTokenManagerCapable } from './types';\n\n// eslint-disable-next-line @typescript-eslint/no-empty-object-type\nexport interface AuthorizationInterceptorOptions\n  extends JwtTokenManagerCapable {\n}\n\nexport const AUTHORIZATION_REQUEST_INTERCEPTOR_NAME =\n  'AuthorizationRequestInterceptor';\nexport const AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER =\n  COSEC_REQUEST_INTERCEPTOR_ORDER + 1000;\n\n/**\n * Request interceptor that automatically adds Authorization header to requests.\n *\n * This interceptor handles JWT token management by:\n * 1. Adding Authorization header with Bearer token if not already present\n * 2. Refreshing tokens when needed and possible\n * 3. Skipping refresh when explicitly requested via attributes\n *\n * The interceptor runs after CoSecRequestInterceptor but before FetchInterceptor in the chain.\n */\nexport class AuthorizationRequestInterceptor implements RequestInterceptor {\n  readonly name = AUTHORIZATION_REQUEST_INTERCEPTOR_NAME;\n  readonly order = AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER;\n\n  /**\n   * Creates an AuthorizationRequestInterceptor instance.\n   *\n   * @param options - Configuration options containing the token manager\n   */\n  constructor(private readonly options: AuthorizationInterceptorOptions) {\n  }\n\n  /**\n   * Intercepts the request exchange to add authorization headers.\n   *\n   * This method performs the following operations:\n   * 1. Checks if a token exists and if Authorization header is already set\n   * 2. Refreshes the token if needed, possible, and not explicitly ignored\n   * 3. Adds the Authorization header with Bearer token if a token is available\n   *\n   * @param exchange - The fetch exchange containing request information\n   * @returns Promise that resolves when the interception is complete\n   */\n  async intercept(exchange: FetchExchange): Promise<void> {\n    // Get the current token from token manager\n    let currentToken = this.options.tokenManager.currentToken;\n\n    const requestHeaders = exchange.ensureRequestHeaders();\n\n    // Skip if no token exists or Authorization header is already set\n    if (!currentToken || requestHeaders[CoSecHeaders.AUTHORIZATION]) {\n      return;\n    }\n\n    // Refresh token if needed and refreshable\n    if (\n      !exchange.attributes.has(IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY) &&\n      currentToken.isRefreshNeeded &&\n      currentToken.isRefreshable\n    ) {\n      await this.options.tokenManager.refresh();\n    }\n\n    // Get the current token again (might have been refreshed)\n    currentToken = this.options.tokenManager.currentToken;\n\n    // Add Authorization header if we have a token\n    if (currentToken) {\n      requestHeaders[CoSecHeaders.AUTHORIZATION] =\n        `Bearer ${currentToken.access.token}`;\n    }\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { ResponseCodes } from './types';\nimport { FetchExchange, type ResponseInterceptor } from '@ahoo-wang/fetcher';\nimport { AuthorizationInterceptorOptions } from './authorizationRequestInterceptor';\n\n/**\n * The name of the AuthorizationResponseInterceptor.\n */\nexport const AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME =\n  'AuthorizationResponseInterceptor';\n\n/**\n * The order of the AuthorizationResponseInterceptor.\n * Set to a high negative value to ensure it runs early in the interceptor chain.\n */\nexport const AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER =\n  Number.MIN_SAFE_INTEGER + 1000;\n\n/**\n * CoSecResponseInterceptor is responsible for handling unauthorized responses (401)\n * by attempting to refresh the authentication token and retrying the original request.\n *\n * This interceptor:\n * 1. Checks if the response status is 401 (UNAUTHORIZED)\n * 2. If so, and if there's a current token, attempts to refresh it\n * 3. On successful refresh, stores the new token and retries the original request\n * 4. On refresh failure, clears stored tokens and propagates the error\n */\nexport class AuthorizationResponseInterceptor implements ResponseInterceptor {\n  readonly name = AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME;\n  readonly order = AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER;\n  private options: AuthorizationInterceptorOptions;\n\n  /**\n   * Creates a new AuthorizationResponseInterceptor instance.\n   * @param options - The CoSec configuration options including token storage and refresher\n   */\n  constructor(options: AuthorizationInterceptorOptions) {\n    this.options = options;\n  }\n\n  /**\n   * Intercepts the response and handles unauthorized responses by refreshing tokens.\n   * @param exchange - The fetch exchange containing request and response information\n   */\n  async intercept(exchange: FetchExchange): Promise<void> {\n    const response = exchange.response;\n    // If there's no response, nothing to intercept\n    if (!response) {\n      return;\n    }\n\n    // Only handle unauthorized responses (401)\n    if (response.status !== ResponseCodes.UNAUTHORIZED) {\n      return;\n    }\n\n    if (!this.options.tokenManager.isRefreshable) {\n      return;\n    }\n    try {\n      await this.options.tokenManager.refresh();\n      // Retry the original request with the new token\n      await exchange.fetcher.interceptors.exchange(exchange);\n    } catch (error) {\n      // If token refresh fails, clear stored tokens and re-throw the error\n      this.options.tokenManager.tokenStorage.remove();\n      throw error;\n    }\n  }\n}\n","function a() {\n  return typeof window < \"u\";\n}\nclass n {\n  constructor() {\n    this.store = /* @__PURE__ */ new Map(), this.listeners = /* @__PURE__ */ new Set();\n  }\n  /**\n   * Gets the number of items stored in the storage.\n   */\n  get length() {\n    return this.store.size;\n  }\n  /**\n   * Clears all items from the storage.\n   */\n  clear() {\n    this.store.clear();\n  }\n  /**\n   * Gets an item from the storage.\n   * @param key - The key of the item to retrieve\n   * @returns The value of the item, or null if the item does not exist\n   */\n  getItem(e) {\n    const t = this.store.get(e);\n    return t !== void 0 ? t : null;\n  }\n  /**\n   * Gets the key at the specified index.\n   * @param index - The index of the key to retrieve\n   * @returns The key at the specified index, or null if the index is out of bounds\n   */\n  key(e) {\n    return Array.from(this.store.keys())[e] || null;\n  }\n  /**\n   * Removes an item from the storage.\n   * @param key - The key of the item to remove\n   */\n  removeItem(e) {\n    const t = this.getItem(e);\n    this.store.has(e) && (this.store.delete(e), this.notifyListeners({\n      key: e,\n      oldValue: t,\n      newValue: null\n    }));\n  }\n  /**\n   * Sets an item in the storage.\n   * @param key - The key of the item to set\n   * @param value - The value to set\n   */\n  setItem(e, t) {\n    const r = this.getItem(e);\n    this.store.set(e, t), this.notifyListeners({ key: e, oldValue: r, newValue: t });\n  }\n  /**\n   * Adds a listener for storage changes.\n   * @param listener - The listener function to be called when storage changes\n   * @returns A function that can be called to remove the listener\n   */\n  addListener(e) {\n    return this.listeners.add(e), () => this.listeners.delete(e);\n  }\n  /**\n   * Notifies all listeners of a storage change by creating and dispatching a StorageEvent.\n   * @param eventInit - The initialization object for the StorageEvent\n   */\n  notifyListeners(e) {\n    a() && window.location && (e.url = e.url || window.location.href), e.storageArea = this, this.listeners.forEach((t) => {\n      try {\n        t(e);\n      } catch (r) {\n        console.error(\"Error in storage change listener:\", r);\n      }\n    });\n  }\n}\nclass o {\n  /**\n   * Creates a new BrowserListenableStorage instance.\n   * @param storage - The native Storage object to wrap (e.g., localStorage or sessionStorage)\n   */\n  constructor(e) {\n    this.storage = e;\n  }\n  /**\n   * Gets the number of items stored in the storage.\n   */\n  get length() {\n    return this.storage.length;\n  }\n  /**\n   * Adds a listener for storage changes.\n   * @param listener - The listener function to be called when storage changes\n   * @returns A function that can be called to remove the listener\n   */\n  addListener(e) {\n    const t = (r) => {\n      r.storageArea === this.storage && e(r);\n    };\n    return window.addEventListener(i, t), () => window.removeEventListener(i, t);\n  }\n  /**\n   * Clears all items from the storage.\n   */\n  clear() {\n    this.storage.clear();\n  }\n  /**\n   * Gets an item from the storage.\n   * @param key - The key of the item to retrieve\n   * @returns The value of the item, or null if the item does not exist\n   */\n  getItem(e) {\n    return this.storage.getItem(e);\n  }\n  /**\n   * Gets the key at the specified index.\n   * @param index - The index of the key to retrieve\n   * @returns The key at the specified index, or null if the index is out of bounds\n   */\n  key(e) {\n    return this.storage.key(e);\n  }\n  /**\n   * Removes an item from the storage.\n   * @param key - The key of the item to remove\n   */\n  removeItem(e) {\n    this.storage.removeItem(e);\n  }\n  /**\n   * Sets an item in the storage.\n   * @param key - The key of the item to set\n   * @param value - The value to set\n   */\n  setItem(e, t) {\n    this.storage.setItem(e, t);\n  }\n}\nconst i = \"storage\", h = () => a() ? new o(window.localStorage) : new n();\nclass l {\n  /**\n   * Serializes a value to a JSON string\n   * @param value The value to serialize\n   * @returns The JSON string representation of the value\n   */\n  /**\n   * Serializes a value to a JSON string\n   * @param value The value to serialize\n   * @returns The JSON string representation of the value\n   */\n  serialize(e) {\n    return JSON.stringify(e);\n  }\n  /**\n   * Deserializes a JSON string to a value\n   * @template V The type of the deserialized value\n   * @param value The JSON string to deserialize\n   * @returns The deserialized value\n   */\n  /**\n   * Deserializes a JSON string to a value\n   * @param value The JSON string to deserialize\n   * @returns The deserialized value\n   */\n  deserialize(e) {\n    return JSON.parse(e);\n  }\n}\nclass c {\n  /**\n   * Returns the value as-is without serialization\n   * @param value The value to pass through\n   * @returns The same value that was passed in\n   */\n  /**\n   * Returns the value as-is without serialization\n   * @param value The value to pass through\n   * @returns The same value that was passed in\n   */\n  serialize(e) {\n    return e;\n  }\n  /**\n   * Returns the value as-is without deserialization\n   * @template Deserialized The type of the deserialized value\n   * @param value The value to pass through\n   * @returns The same value that was passed in, cast to the target type\n   */\n  /**\n   * Returns the value as-is without deserialization\n   * @param value The value to pass through\n   * @returns The same value that was passed in\n   */\n  deserialize(e) {\n    return e;\n  }\n}\nconst d = new l(), u = new c();\nfunction g() {\n  return u;\n}\nclass w {\n  /**\n   * Creates a new KeyStorage instance\n   * @param options Configuration options for the storage\n   */\n  constructor(e) {\n    this.cacheValue = null, this.refreshCacheListener = (t) => {\n      this.cacheValue = null, t.newValue && this.refreshCache(t.newValue);\n    }, this.key = e.key, this.serializer = e.serializer ?? g(), this.storage = e.storage ?? h(), this.addListener(this.refreshCacheListener);\n  }\n  /**\n   * Refreshes the cached value by deserializing the provided string\n   * @param value The serialized value to deserialize and cache\n   */\n  refreshCache(e) {\n    this.cacheValue = this.serializer.deserialize(e);\n  }\n  addListener(e) {\n    const t = (r) => {\n      r.key === this.key && e(r);\n    };\n    return this.storage.addListener(t);\n  }\n  /**\n   * Gets the value associated with the key from storage\n   * Uses cached value if available, otherwise retrieves from storage and caches it\n   * @returns The deserialized value or null if no value is found\n   */\n  get() {\n    if (this.cacheValue)\n      return this.cacheValue;\n    const e = this.storage.getItem(this.key);\n    return e ? (this.refreshCache(e), this.cacheValue) : null;\n  }\n  /**\n   * Sets the value associated with the key in storage\n   * Also updates the cached value\n   * @param value The value to serialize and store\n   */\n  set(e) {\n    const t = this.serializer.serialize(e);\n    this.storage.setItem(this.key, t), this.cacheValue = e;\n  }\n  /**\n   * Removes the value associated with the key from storage\n   * Also clears the cached value\n   */\n  remove() {\n    this.storage.removeItem(this.key), this.cacheValue = null;\n  }\n}\nexport {\n  o as BrowserListenableStorage,\n  c as IdentitySerializer,\n  n as InMemoryListenableStorage,\n  l as JsonSerializer,\n  w as KeyStorage,\n  i as STORAGE_EVENT_TYPE,\n  h as createListenableStorage,\n  u as identitySerializer,\n  a as isBrowser,\n  d as jsonSerializer,\n  g as typedIdentitySerializer\n};\n//# sourceMappingURL=index.es.js.map\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { idGenerator } from './idGenerator';\nimport {\n  createListenableStorage,\n  IdentitySerializer,\n  KeyStorage,\n} from '@ahoo-wang/fetcher-storage';\n\nexport const DEFAULT_COSEC_DEVICE_ID_KEY = 'cosec-device-id';\n\n/**\n * Storage class for managing device identifiers.\n */\nexport class DeviceIdStorage extends KeyStorage<string> {\n  constructor(key: string = DEFAULT_COSEC_DEVICE_ID_KEY) {\n    super({\n      key,\n      serializer: new IdentitySerializer<string>(),\n      storage: createListenableStorage(),\n    });\n  }\n\n  /**\n   * Generate a new device ID.\n   *\n   * @returns A newly generated device ID\n   */\n  generateDeviceId(): string {\n    return idGenerator.generateId();\n  }\n\n  /**\n   * Get or create a device ID.\n   *\n   * @returns The existing device ID if available, otherwise a newly generated one\n   */\n  getOrCreate(): string {\n    // Try to get existing device ID from storage\n    let deviceId = this.get();\n    if (!deviceId) {\n      // Generate a new device ID and store it\n      deviceId = this.generateDeviceId();\n      this.set(deviceId);\n    }\n\n    return deviceId;\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n/**\n * Interface representing a JWT payload as defined in RFC 7519.\n * Contains standard JWT claims as well as custom properties.\n */\nexport interface JwtPayload {\n  /**\n   * JWT ID - provides a unique identifier for the JWT.\n   */\n  jti?: string;\n  /**\n   * Subject - identifies the principal that is the subject of the JWT.\n   */\n  sub?: string;\n  /**\n   * Issuer - identifies the principal that issued the JWT.\n   */\n  iss?: string;\n  /**\n   * Audience - identifies the recipients that the JWT is intended for.\n   * Can be a single string or an array of strings.\n   */\n  aud?: string | string[];\n  /**\n   * Expiration Time - identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.\n   * Represented as NumericDate (seconds since Unix epoch).\n   */\n  exp?: number;\n  /**\n   * Not Before - identifies the time before which the JWT MUST NOT be accepted for processing.\n   * Represented as NumericDate (seconds since Unix epoch).\n   */\n  nbf?: number;\n  /**\n   * Issued At - identifies the time at which the JWT was issued.\n   * Represented as NumericDate (seconds since Unix epoch).\n   */\n  iat?: number;\n\n  /**\n   * Allows additional custom properties to be included in the payload.\n   */\n  [key: string]: any;\n}\n\n/**\n * Interface representing a JWT payload with CoSec-specific extensions.\n * Extends the standard JwtPayload interface with additional CoSec-specific properties.\n */\nexport interface CoSecJwtPayload extends JwtPayload {\n  /**\n   * Tenant identifier - identifies the tenant scope for the JWT.\n   */\n  tenantId?: string;\n  /**\n   * Policies - array of policy identifiers associated with the JWT.\n   * These are security policies defined internally by Cosec.\n   */\n  policies?: string[];\n  /**\n   * Roles - array of role identifiers associated with the JWT.\n   * Role IDs indicate what roles the token belongs to.\n   */\n  roles?: string[];\n  /**\n   * Attributes - custom key-value pairs providing additional information about the JWT.\n   */\n  attributes?: Record<string, any>;\n}\n\n/**\n * Parses a JWT token and extracts its payload.\n *\n * This function decodes the payload part of a JWT token, handling Base64URL decoding\n * and JSON parsing. It validates the token structure and returns null for invalid tokens.\n *\n * @param token - The JWT token string to parse\n * @returns The parsed JWT payload or null if parsing fails\n */\nexport function parseJwtPayload<T extends JwtPayload>(token: string): T | null {\n  try {\n    const parts = token.split('.');\n    if (parts.length !== 3) {\n      return null;\n    }\n\n    const base64Url = parts[1];\n    const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');\n\n    // Add padding if needed\n    const paddedBase64 = base64.padEnd(\n      base64.length + ((4 - (base64.length % 4)) % 4),\n      '=',\n    );\n\n    const jsonPayload = decodeURIComponent(\n      atob(paddedBase64)\n        .split('')\n        .map(function(c) {\n          return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);\n        })\n        .join(''),\n    );\n    return JSON.parse(jsonPayload) as T;\n  } catch (error) {\n    // Avoid exposing sensitive information in error logs\n    console.error('Failed to parse JWT token', error);\n    return null;\n  }\n}\n\nexport interface EarlyPeriodCapable {\n  /**\n   * The time in seconds before actual expiration when the token should be considered expired (default: 0)\n   */\n  readonly earlyPeriod: number;\n}\n\n/**\n * Checks if a JWT token is expired based on its expiration time (exp claim).\n *\n * This function determines if a JWT token has expired by comparing its exp claim\n * with the current time. If the token is a string, it will be parsed first.\n * Tokens without an exp claim are considered not expired.\n *\n * The early period parameter allows for early token expiration, which is useful\n * for triggering token refresh before the token actually expires. This helps\n * avoid race conditions where a token expires between the time it is checked and\n * the time it is used.\n *\n * @param token - The JWT token to check, either as a string or as a JwtPayload object\n * @param earlyPeriod - The time in seconds before actual expiration when the token should be considered expired (default: 0)\n * @returns true if the token is expired (or will expire within the early period) or cannot be parsed, false otherwise\n */\nexport function isTokenExpired(\n  token: string | CoSecJwtPayload,\n  earlyPeriod: number = 0,\n): boolean {\n  const payload = typeof token === 'string' ? parseJwtPayload(token) : token;\n  if (!payload) {\n    return true;\n  }\n\n  const expAt = payload.exp;\n  if (!expAt) {\n    return false;\n  }\n\n  const now = Date.now() / 1000;\n  return now > expAt - earlyPeriod;\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  CoSecJwtPayload,\n  EarlyPeriodCapable,\n  isTokenExpired,\n  JwtPayload,\n  parseJwtPayload,\n} from './jwts';\nimport { CompositeToken } from './tokenRefresher';\nimport { Serializer } from '@ahoo-wang/fetcher-storage';\n\n/**\n * Interface for JWT token with typed payload\n * @template Payload The type of the JWT payload\n */\nexport interface IJwtToken<Payload extends JwtPayload>\n  extends EarlyPeriodCapable {\n  readonly token: string;\n  readonly payload: Payload | null;\n\n  isExpired: boolean;\n}\n\n/**\n * Class representing a JWT token with typed payload\n * @template Payload The type of the JWT payload\n */\nexport class JwtToken<Payload extends JwtPayload>\n  implements IJwtToken<Payload> {\n  public readonly payload: Payload | null;\n\n  /**\n   * Creates a new JwtToken instance\n   */\n  constructor(\n    public readonly token: string,\n    public readonly earlyPeriod: number = 0,\n  ) {\n    this.payload = parseJwtPayload<Payload>(token);\n  }\n\n  /**\n   * Checks if the token is expired\n   * @returns true if the token is expired, false otherwise\n   */\n  get isExpired(): boolean {\n    if (!this.payload) {\n      return true;\n    }\n    return isTokenExpired(this.payload, this.earlyPeriod);\n  }\n}\n\nexport interface RefreshTokenStatusCapable {\n  /**\n   * Checks if the access token needs to be refreshed\n   * @returns true if the access token is expired, false otherwise\n   */\n  readonly isRefreshNeeded: boolean;\n  /**\n   * Checks if the refresh token is still valid and can be used to refresh the access token\n   * @returns true if the refresh token is not expired, false otherwise\n   */\n  readonly isRefreshable: boolean;\n}\n\n/**\n * Class representing a composite token containing both access and refresh tokens\n */\nexport class JwtCompositeToken\n  implements EarlyPeriodCapable, RefreshTokenStatusCapable {\n  public readonly access: JwtToken<CoSecJwtPayload>;\n  public readonly refresh: JwtToken<JwtPayload>;\n\n  /**\n   * Creates a new JwtCompositeToken instance\n   */\n  constructor(\n    public readonly token: CompositeToken,\n    public readonly earlyPeriod: number = 0,\n  ) {\n    this.access = new JwtToken(token.accessToken, earlyPeriod);\n    this.refresh = new JwtToken(token.refreshToken, earlyPeriod);\n  }\n\n  /**\n   * Checks if the access token needs to be refreshed\n   * @returns true if the access token is expired, false otherwise\n   */\n  get isRefreshNeeded(): boolean {\n    return this.access.isExpired;\n  }\n\n  /**\n   * Checks if the refresh token is still valid and can be used to refresh the access token\n   * @returns true if the refresh token is not expired, false otherwise\n   */\n  get isRefreshable(): boolean {\n    return !this.refresh.isExpired;\n  }\n}\n\n/**\n * Serializer for JwtCompositeToken that handles conversion to and from JSON strings\n */\nexport class JwtCompositeTokenSerializer\n  implements Serializer<string, JwtCompositeToken>, EarlyPeriodCapable {\n  constructor(public readonly earlyPeriod: number = 0) {\n  }\n\n  /**\n   * Deserializes a JSON string to a JwtCompositeToken\n   * @param value The JSON string representation of a composite token\n   * @returns A JwtCompositeToken instance\n   */\n  deserialize(value: string): JwtCompositeToken {\n    const compositeToken = JSON.parse(value) as CompositeToken;\n    return new JwtCompositeToken(compositeToken, this.earlyPeriod);\n  }\n\n  /**\n   * Serializes a JwtCompositeToken to a JSON string\n   * @param value The JwtCompositeToken to serialize\n   * @returns A JSON string representation of the composite token\n   */\n  serialize(value: JwtCompositeToken): string {\n    return JSON.stringify(value.token);\n  }\n}\n\nexport const jwtCompositeTokenSerializer = new JwtCompositeTokenSerializer();\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { TokenStorage } from './tokenStorage';\nimport { CompositeToken, TokenRefresher } from './tokenRefresher';\nimport { JwtCompositeToken, RefreshTokenStatusCapable } from './jwtToken';\n\n/**\n * Manages JWT token refreshing operations and provides status information\n */\nexport class JwtTokenManager implements RefreshTokenStatusCapable {\n  private refreshInProgress?: Promise<void>;\n\n  /**\n   * Creates a new JwtTokenManager instance\n   * @param tokenStorage The storage used to persist tokens\n   * @param tokenRefresher The refresher used to refresh expired tokens\n   */\n  constructor(\n    public readonly tokenStorage: TokenStorage,\n    public readonly tokenRefresher: TokenRefresher,\n  ) {\n  }\n\n  /**\n   * Gets the current JWT composite token from storage\n   * @returns The current token or null if none exists\n   */\n  get currentToken(): JwtCompositeToken | null {\n    return this.tokenStorage.get();\n  }\n\n  /**\n   * Refreshes the JWT token\n   * @param currentToken Optional current token to refresh. If not provided, uses the stored token.\n   * @returns Promise that resolves when refresh is complete\n   * @throws Error if no token is found or refresh fails\n   */\n  async refresh(currentToken?: CompositeToken): Promise<void> {\n    if (!currentToken) {\n      const jwtToken = this.currentToken;\n      if (!jwtToken) {\n        throw new Error('No token found');\n      }\n      currentToken = jwtToken.token;\n    }\n    if (this.refreshInProgress) {\n      return this.refreshInProgress;\n    }\n\n    this.refreshInProgress = this.tokenRefresher\n      .refresh(currentToken)\n      .then(newToken => {\n        this.tokenStorage.setCompositeToken(newToken);\n      })\n      .catch(error => {\n        this.tokenStorage.remove();\n        throw error;\n      })\n      .finally(() => {\n        this.refreshInProgress = undefined;\n      });\n\n    return this.refreshInProgress;\n  }\n\n  /**\n   * Indicates if the current token needs to be refreshed\n   * @returns true if the access token is expired and needs refresh, false otherwise\n   */\n  get isRefreshNeeded(): boolean {\n    if (!this.currentToken) {\n      return false;\n    }\n    return this.currentToken.isRefreshNeeded;\n  }\n\n  /**\n   * Indicates if the current token can be refreshed\n   * @returns true if the refresh token is still valid, false otherwise\n   */\n  get isRefreshable(): boolean {\n    if (!this.currentToken) {\n      return false;\n    }\n    return this.currentToken.isRefreshable;\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { FetchExchange, RequestInterceptor } from '@ahoo-wang/fetcher';\nimport { TokenStorage } from './tokenStorage';\n\n/**\n * Configuration options for resource attribution\n */\nexport interface ResourceAttributionOptions {\n  /**\n   * The path parameter key used for tenant ID in URL templates\n   */\n  tenantId?: string;\n  /**\n   * The path parameter key used for owner ID in URL templates\n   */\n  ownerId?: string;\n  /**\n   * Storage mechanism for retrieving current authentication tokens\n   */\n  tokenStorage: TokenStorage;\n}\n\n/**\n * Name identifier for the ResourceAttributionRequestInterceptor\n */\nexport const RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME =\n  'ResourceAttributionRequestInterceptor';\n/**\n * Order priority for the ResourceAttributionRequestInterceptor, set to maximum safe integer to ensure it runs last\n */\nexport const RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER =\n  Number.MAX_SAFE_INTEGER;\n\n/**\n * Request interceptor that automatically adds tenant and owner ID path parameters to requests\n * based on the current authentication token. This is useful for multi-tenant applications where\n * requests need to include tenant-specific information in the URL path.\n */\nexport class ResourceAttributionRequestInterceptor\n  implements RequestInterceptor {\n  readonly name = RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME;\n  readonly order = RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER;\n  private readonly tenantIdPathKey: string;\n  private readonly ownerIdPathKey: string;\n  private readonly tokenStorage: TokenStorage;\n\n  /**\n   * Creates a new ResourceAttributionRequestInterceptor\n   * @param options - Configuration options for resource attribution including tenantId, ownerId and tokenStorage\n   */\n  constructor({\n                tenantId = 'tenantId',\n                ownerId = 'ownerId',\n                tokenStorage,\n              }: ResourceAttributionOptions) {\n    this.tenantIdPathKey = tenantId;\n    this.ownerIdPathKey = ownerId;\n    this.tokenStorage = tokenStorage;\n  }\n\n  /**\n   * Intercepts outgoing requests and automatically adds tenant and owner ID path parameters\n   * if they are defined in the URL template but not provided in the request.\n   * @param exchange - The fetch exchange containing the request information\n   */\n  intercept(exchange: FetchExchange): void {\n    const currentToken = this.tokenStorage.get();\n    if (!currentToken) {\n      return;\n    }\n    const principal = currentToken.access.payload;\n    if (!principal) {\n      return;\n    }\n    if (!principal.tenantId && !principal.sub) {\n      return;\n    }\n\n    // Extract path parameters from the URL template\n    const extractedPathParams =\n      exchange.fetcher.urlBuilder.urlTemplateResolver.extractPathParams(\n        exchange.request.url,\n      );\n    const tenantIdPathKey = this.tenantIdPathKey;\n    const requestPathParams = exchange.ensureRequestUrlParams().path;\n    const tenantId = principal.tenantId;\n\n    // Add tenant ID to path parameters if it's part of the URL template and not already provided\n    if (\n      tenantId &&\n      extractedPathParams.includes(tenantIdPathKey) &&\n      !requestPathParams[tenantIdPathKey]\n    ) {\n      requestPathParams[tenantIdPathKey] = tenantId;\n    }\n\n    const ownerIdPathKey = this.ownerIdPathKey;\n    const ownerId = principal.sub;\n\n    // Add owner ID to path parameters if it's part of the URL template and not already provided\n    if (\n      ownerId &&\n      extractedPathParams.includes(ownerIdPathKey) &&\n      !requestPathParams[ownerIdPathKey]\n    ) {\n      requestPathParams[ownerIdPathKey] = ownerId;\n    }\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Fetcher, ResultExtractors } from '@ahoo-wang/fetcher';\nimport { IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY } from './cosecRequestInterceptor';\n\n/**\n * Interface for access tokens.\n */\nexport interface AccessToken {\n  accessToken: string;\n}\n\n/**\n * Interface for refresh tokens.\n */\nexport interface RefreshToken {\n  refreshToken: string;\n}\n\n/**\n * Composite token interface that contains both access and refresh tokens.\n *\n * accessToken and refreshToken always appear in pairs, no need to split them.\n */\nexport interface CompositeToken extends AccessToken, RefreshToken {\n}\n\n/**\n * Interface for token refreshers.\n *\n * Provides a method to refresh tokens.\n */\nexport interface TokenRefresher {\n  /**\n   * Refresh the given token and return a new CompositeToken.\n   *\n   * @param token The token to refresh\n   * @returns A Promise that resolves to a new CompositeToken\n   */\n  refresh(token: CompositeToken): Promise<CompositeToken>;\n}\n\nexport interface CoSecTokenRefresherOptions {\n  fetcher: Fetcher;\n  endpoint: string;\n}\n\n/**\n * CoSecTokenRefresher is a class that implements the TokenRefresher interface\n * for refreshing composite tokens through a configured endpoint.\n */\nexport class CoSecTokenRefresher implements TokenRefresher {\n  /**\n   * Creates a new instance of CoSecTokenRefresher.\n   *\n   * @param options The configuration options for the token refresher including fetcher and endpoint\n   */\n  constructor(public readonly options: CoSecTokenRefresherOptions) {\n  }\n\n  /**\n   * Refresh the given token and return a new CompositeToken.\n   *\n   * @param token The token to refresh\n   * @returns A Promise that resolves to a new CompositeToken\n   */\n  refresh(token: CompositeToken): Promise<CompositeToken> {\n    // Send a POST request to the configured endpoint with the token as body\n    // and extract the response as JSON to return a new CompositeToken\n\n    return this.options.fetcher.post<CompositeToken>(\n      this.options.endpoint,\n      {\n        body: token,\n      },\n      {\n        resultExtractor: ResultExtractors.Json,\n        attributes: new Map([[IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY, true]]),\n      },\n    );\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { JwtCompositeToken, JwtCompositeTokenSerializer } from './jwtToken';\nimport { CompositeToken } from './tokenRefresher';\nimport { EarlyPeriodCapable } from './jwts';\nimport {\n  createListenableStorage,\n  KeyStorage,\n} from '@ahoo-wang/fetcher-storage';\n\nexport const DEFAULT_COSEC_TOKEN_KEY = 'cosec-token';\n\n/**\n * Storage class for managing access and refresh tokens.\n */\nexport class TokenStorage\n  extends KeyStorage<JwtCompositeToken>\n  implements EarlyPeriodCapable {\n  constructor(\n    key: string = DEFAULT_COSEC_TOKEN_KEY,\n    public readonly earlyPeriod: number = 0,\n  ) {\n    super({\n      key,\n      storage: createListenableStorage(),\n      serializer: new JwtCompositeTokenSerializer(earlyPeriod),\n    });\n  }\n\n  setCompositeToken(compositeToken: CompositeToken) {\n    this.set(new JwtCompositeToken(compositeToken));\n  }\n}\n"],"names":["_CoSecHeaders","CoSecHeaders","_ResponseCodes","ResponseCodes","AuthorizeResults","NanoIdGenerator","nanoid","idGenerator","COSEC_REQUEST_INTERCEPTOR_NAME","COSEC_REQUEST_INTERCEPTOR_ORDER","REQUEST_BODY_INTERCEPTOR_ORDER","IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY","CoSecRequestInterceptor","options","exchange","requestId","deviceId","requestHeaders","AUTHORIZATION_REQUEST_INTERCEPTOR_NAME","AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER","AuthorizationRequestInterceptor","currentToken","AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME","AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER","AuthorizationResponseInterceptor","response","error","a","n","o","i","h","c","u","g","w","DEFAULT_COSEC_DEVICE_ID_KEY","DeviceIdStorage","KeyStorage","key","IdentitySerializer","createListenableStorage","parseJwtPayload","token","parts","base64","paddedBase64","jsonPayload","isTokenExpired","earlyPeriod","payload","expAt","JwtToken","JwtCompositeToken","JwtCompositeTokenSerializer","value","compositeToken","jwtCompositeTokenSerializer","JwtTokenManager","tokenStorage","tokenRefresher","jwtToken","newToken","RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME","RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER","ResourceAttributionRequestInterceptor","tenantId","ownerId","principal","extractedPathParams","tenantIdPathKey","requestPathParams","ownerIdPathKey","CoSecTokenRefresher","ResultExtractors","DEFAULT_COSEC_TOKEN_KEY","TokenStorage"],"mappings":";;AAmBO,MAAMA,IAAN,MAAMA,EAAa;AAK1B;AAJEA,EAAgB,YAAY,mBAC5BA,EAAgB,SAAS,gBACzBA,EAAgB,gBAAgB,iBAChCA,EAAgB,aAAa;AAJxB,IAAMC,IAAND;AAOA,MAAME,IAAN,MAAMA,EAAc;AAE3B;AADEA,EAAgB,eAAe;AAD1B,IAAMC,IAAND;AAuCA,MAAME,IAAmB;AAAA,EAC9B,OAAO,EAAE,YAAY,IAAM,QAAQ,QAAA;AAAA,EACnC,eAAe,EAAE,YAAY,IAAO,QAAQ,gBAAA;AAAA,EAC5C,eAAe,EAAE,YAAY,IAAO,QAAQ,gBAAA;AAAA,EAC5C,eAAe,EAAE,YAAY,IAAO,QAAQ,gBAAA;AAAA,EAC5C,mBAAmB,EAAE,YAAY,IAAO,QAAQ,oBAAA;AAClD;AChDO,MAAMC,EAAuC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMlD,aAAqB;AACnB,WAAOC,EAAA;AAAA,EACT;AACF;AAEO,MAAMC,IAAc,IAAIF,EAAA,GCLlBG,IAAiC,2BAMjCC,IACXC,IAAiC,KAEtBC,IAAqC;AAkB3C,MAAMC,EAAsD;AAAA;AAAA;AAAA;AAAA;AAAA,EASjE,YAAYC,GAA8B;AAR1C,SAAS,OAAOL,GAChB,KAAS,QAAQC,GAQf,KAAK,UAAUI;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAwBA,MAAM,UAAUC,GAAyB;AAEvC,UAAMC,IAAYR,EAAY,WAAA,GAGxBS,IAAW,KAAK,QAAQ,gBAAgB,YAAA,GAGxCC,IAAiBH,EAAS,qBAAA;AAGhC,IAAAG,EAAehB,EAAa,MAAM,IAAI,KAAK,QAAQ,OACnDgB,EAAehB,EAAa,SAAS,IAAIe,GACzCC,EAAehB,EAAa,UAAU,IAAIc;AAAA,EAC5C;AACF;ACjFO,MAAMG,IACX,mCACWC,IACXV,IAAkC;AAY7B,MAAMW,EAA8D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASzE,YAA6BP,GAA0C;AAA1C,SAAA,UAAAA,GAR7B,KAAS,OAAOK,GAChB,KAAS,QAAQC;AAAA,EAQjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,UAAUL,GAAwC;AAEtD,QAAIO,IAAe,KAAK,QAAQ,aAAa;AAE7C,UAAMJ,IAAiBH,EAAS,qBAAA;AAGhC,IAAI,CAACO,KAAgBJ,EAAehB,EAAa,aAAa,MAM5D,CAACa,EAAS,WAAW,IAAIH,CAAkC,KAC3DU,EAAa,mBACbA,EAAa,iBAEb,MAAM,KAAK,QAAQ,aAAa,QAAA,GAIlCA,IAAe,KAAK,QAAQ,aAAa,cAGrCA,MACFJ,EAAehB,EAAa,aAAa,IACvC,UAAUoB,EAAa,OAAO,KAAK;AAAA,EAEzC;AACF;ACxEO,MAAMC,IACX,oCAMWC,IACX,OAAO,mBAAmB;AAYrB,MAAMC,EAAgE;AAAA;AAAA;AAAA;AAAA;AAAA,EAS3E,YAAYX,GAA0C;AARtD,SAAS,OAAOS,GAChB,KAAS,QAAQC,GAQf,KAAK,UAAUV;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,UAAUC,GAAwC;AACtD,UAAMW,IAAWX,EAAS;AAE1B,QAAKW,KAKDA,EAAS,WAAWtB,EAAc,gBAIjC,KAAK,QAAQ,aAAa;AAG/B,UAAI;AACF,cAAM,KAAK,QAAQ,aAAa,QAAA,GAEhC,MAAMW,EAAS,QAAQ,aAAa,SAASA,CAAQ;AAAA,MACvD,SAASY,GAAO;AAEd,mBAAK,QAAQ,aAAa,aAAa,OAAA,GACjCA;AAAA,MACR;AAAA,EACF;AACF;AClFA,SAASC,IAAI;AACX,SAAO,OAAO,SAAS;AACzB;AACA,MAAMC,EAAE;AAAA,EACN,cAAc;AACZ,SAAK,QAAwB,oBAAI,IAAG,GAAI,KAAK,YAA4B,oBAAI,IAAG;AAAA,EAClF;AAAA;AAAA;AAAA;AAAA,EAIA,IAAI,SAAS;AACX,WAAO,KAAK,MAAM;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA,EAIA,QAAQ;AACN,SAAK,MAAM,MAAK;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,QAAQ,GAAG;AACT,UAAM,IAAI,KAAK,MAAM,IAAI,CAAC;AAC1B,WAAO,MAAM,SAAS,IAAI;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,GAAG;AACL,WAAO,MAAM,KAAK,KAAK,MAAM,MAAM,EAAE,CAAC,KAAK;AAAA,EAC7C;AAAA;AAAA;AAAA;AAAA;AAAA,EAKA,WAAW,GAAG;AACZ,UAAM,IAAI,KAAK,QAAQ,CAAC;AACxB,SAAK,MAAM,IAAI,CAAC,MAAM,KAAK,MAAM,OAAO,CAAC,GAAG,KAAK,gBAAgB;AAAA,MAC/D,KAAK;AAAA,MACL,UAAU;AAAA,MACV,UAAU;AAAA,IAChB,CAAK;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,QAAQ,GAAG,GAAG;AACZ,UAAM,IAAI,KAAK,QAAQ,CAAC;AACxB,SAAK,MAAM,IAAI,GAAG,CAAC,GAAG,KAAK,gBAAgB,EAAE,KAAK,GAAG,UAAU,GAAG,UAAU,EAAC,CAAE;AAAA,EACjF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,YAAY,GAAG;AACb,WAAO,KAAK,UAAU,IAAI,CAAC,GAAG,MAAM,KAAK,UAAU,OAAO,CAAC;AAAA,EAC7D;AAAA;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAgB,GAAG;AACjB,IAAAD,EAAC,KAAM,OAAO,aAAa,EAAE,MAAM,EAAE,OAAO,OAAO,SAAS,OAAO,EAAE,cAAc,MAAM,KAAK,UAAU,QAAQ,CAAC,MAAM;AACrH,UAAI;AACF,UAAE,CAAC;AAAA,MACL,SAAS,GAAG;AACV,gBAAQ,MAAM,qCAAqC,CAAC;AAAA,MACtD;AAAA,IACF,CAAC;AAAA,EACH;AACF;AACA,MAAME,EAAE;AAAA;AAAA;AAAA;AAAA;AAAA,EAKN,YAAY,GAAG;AACb,SAAK,UAAU;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA,EAIA,IAAI,SAAS;AACX,WAAO,KAAK,QAAQ;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,YAAY,GAAG;AACb,UAAM,IAAI,CAAC,MAAM;AACf,QAAE,gBAAgB,KAAK,WAAW,EAAE,CAAC;AAAA,IACvC;AACA,WAAO,OAAO,iBAAiBC,GAAG,CAAC,GAAG,MAAM,OAAO,oBAAoBA,GAAG,CAAC;AAAA,EAC7E;AAAA;AAAA;AAAA;AAAA,EAIA,QAAQ;AACN,SAAK,QAAQ,MAAK;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,QAAQ,GAAG;AACT,WAAO,KAAK,QAAQ,QAAQ,CAAC;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,GAAG;AACL,WAAO,KAAK,QAAQ,IAAI,CAAC;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA,EAKA,WAAW,GAAG;AACZ,SAAK,QAAQ,WAAW,CAAC;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,QAAQ,GAAG,GAAG;AACZ,SAAK,QAAQ,QAAQ,GAAG,CAAC;AAAA,EAC3B;AACF;AACA,MAAMA,IAAI,WAAWC,IAAI,MAAMJ,EAAC,IAAK,IAAIE,EAAE,OAAO,YAAY,IAAI,IAAID,EAAC;AA8BvE,MAAMI,EAAE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWN,UAAU,GAAG;AACX,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,YAAY,GAAG;AACb,WAAO;AAAA,EACT;AACF;AACK,MAAcC,IAAI,IAAID,EAAC;AAC5B,SAASE,IAAI;AACX,SAAOD;AACT;AACA,MAAME,EAAE;AAAA;AAAA;AAAA;AAAA;AAAA,EAKN,YAAY,GAAG;AACb,SAAK,aAAa,MAAM,KAAK,uBAAuB,CAAC,MAAM;AACzD,WAAK,aAAa,MAAM,EAAE,YAAY,KAAK,aAAa,EAAE,QAAQ;AAAA,IACpE,GAAG,KAAK,MAAM,EAAE,KAAK,KAAK,aAAa,EAAE,cAAcD,EAAC,GAAI,KAAK,UAAU,EAAE,WAAWH,EAAC,GAAI,KAAK,YAAY,KAAK,oBAAoB;AAAA,EACzI;AAAA;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,GAAG;AACd,SAAK,aAAa,KAAK,WAAW,YAAY,CAAC;AAAA,EACjD;AAAA,EACA,YAAY,GAAG;AACb,UAAM,IAAI,CAAC,MAAM;AACf,QAAE,QAAQ,KAAK,OAAO,EAAE,CAAC;AAAA,IAC3B;AACA,WAAO,KAAK,QAAQ,YAAY,CAAC;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM;AACJ,QAAI,KAAK;AACP,aAAO,KAAK;AACd,UAAM,IAAI,KAAK,QAAQ,QAAQ,KAAK,GAAG;AACvC,WAAO,KAAK,KAAK,aAAa,CAAC,GAAG,KAAK,cAAc;AAAA,EACvD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,GAAG;AACL,UAAM,IAAI,KAAK,WAAW,UAAU,CAAC;AACrC,SAAK,QAAQ,QAAQ,KAAK,KAAK,CAAC,GAAG,KAAK,aAAa;AAAA,EACvD;AAAA;AAAA;AAAA;AAAA;AAAA,EAKA,SAAS;AACP,SAAK,QAAQ,WAAW,KAAK,GAAG,GAAG,KAAK,aAAa;AAAA,EACvD;AACF;AC3OO,MAAMK,IAA8B;AAKpC,MAAMC,UAAwBC,EAAmB;AAAA,EACtD,YAAYC,IAAcH,GAA6B;AACrD,UAAM;AAAA,MACJ,KAAAG;AAAA,MACA,YAAY,IAAIC,EAAA;AAAA,MAChB,SAASC,EAAA;AAAA,IAAwB,CAClC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,mBAA2B;AACzB,WAAOlC,EAAY,WAAA;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,cAAsB;AAEpB,QAAIS,IAAW,KAAK,IAAA;AACpB,WAAKA,MAEHA,IAAW,KAAK,iBAAA,GAChB,KAAK,IAAIA,CAAQ,IAGZA;AAAA,EACT;AACF;AC+BO,SAAS0B,EAAsCC,GAAyB;AAC7E,MAAI;AACF,UAAMC,IAAQD,EAAM,MAAM,GAAG;AAC7B,QAAIC,EAAM,WAAW;AACnB,aAAO;AAIT,UAAMC,IADYD,EAAM,CAAC,EACA,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,GAGvDE,IAAeD,EAAO;AAAA,MAC1BA,EAAO,UAAW,IAAKA,EAAO,SAAS,KAAM;AAAA,MAC7C;AAAA,IAAA,GAGIE,IAAc;AAAA,MAClB,KAAKD,CAAY,EACd,MAAM,EAAE,EACR,IAAI,SAASd,GAAG;AACf,eAAO,OAAO,OAAOA,EAAE,WAAW,CAAC,EAAE,SAAS,EAAE,GAAG,MAAM,EAAE;AAAA,MAC7D,CAAC,EACA,KAAK,EAAE;AAAA,IAAA;AAEZ,WAAO,KAAK,MAAMe,CAAW;AAAA,EAC/B,SAASrB,GAAO;AAEd,mBAAQ,MAAM,6BAA6BA,CAAK,GACzC;AAAA,EACT;AACF;AAyBO,SAASsB,EACdL,GACAM,IAAsB,GACb;AACT,QAAMC,IAAU,OAAOP,KAAU,WAAWD,EAAgBC,CAAK,IAAIA;AACrE,MAAI,CAACO;AACH,WAAO;AAGT,QAAMC,IAAQD,EAAQ;AACtB,SAAKC,IAIO,KAAK,IAAA,IAAQ,MACZA,IAAQF,IAJZ;AAKX;AC1HO,MAAMG,EACmB;AAAA;AAAA;AAAA;AAAA,EAM9B,YACkBT,GACAM,IAAsB,GACtC;AAFgB,SAAA,QAAAN,GACA,KAAA,cAAAM,GAEhB,KAAK,UAAUP,EAAyBC,CAAK;AAAA,EAC/C;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,YAAqB;AACvB,WAAK,KAAK,UAGHK,EAAe,KAAK,SAAS,KAAK,WAAW,IAF3C;AAAA,EAGX;AACF;AAkBO,MAAMK,EAC8C;AAAA;AAAA;AAAA;AAAA,EAOzD,YACkBV,GACAM,IAAsB,GACtC;AAFgB,SAAA,QAAAN,GACA,KAAA,cAAAM,GAEhB,KAAK,SAAS,IAAIG,EAAST,EAAM,aAAaM,CAAW,GACzD,KAAK,UAAU,IAAIG,EAAST,EAAM,cAAcM,CAAW;AAAA,EAC7D;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,kBAA2B;AAC7B,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,gBAAyB;AAC3B,WAAO,CAAC,KAAK,QAAQ;AAAA,EACvB;AACF;AAKO,MAAMK,EAC0D;AAAA,EACrE,YAA4BL,IAAsB,GAAG;AAAzB,SAAA,cAAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAAYM,GAAkC;AAC5C,UAAMC,IAAiB,KAAK,MAAMD,CAAK;AACvC,WAAO,IAAIF,EAAkBG,GAAgB,KAAK,WAAW;AAAA,EAC/D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,UAAUD,GAAkC;AAC1C,WAAO,KAAK,UAAUA,EAAM,KAAK;AAAA,EACnC;AACF;AAEO,MAAME,IAA8B,IAAIH,EAAA;AC1HxC,MAAMI,EAAqD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQhE,YACkBC,GACAC,GAChB;AAFgB,SAAA,eAAAD,GACA,KAAA,iBAAAC;AAAA,EAElB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,eAAyC;AAC3C,WAAO,KAAK,aAAa,IAAA;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,QAAQvC,GAA8C;AAC1D,QAAI,CAACA,GAAc;AACjB,YAAMwC,IAAW,KAAK;AACtB,UAAI,CAACA;AACH,cAAM,IAAI,MAAM,gBAAgB;AAElC,MAAAxC,IAAewC,EAAS;AAAA,IAC1B;AACA,WAAI,KAAK,oBACA,KAAK,qBAGd,KAAK,oBAAoB,KAAK,eAC3B,QAAQxC,CAAY,EACpB,KAAK,CAAAyC,MAAY;AAChB,WAAK,aAAa,kBAAkBA,CAAQ;AAAA,IAC9C,CAAC,EACA,MAAM,CAAApC,MAAS;AACd,iBAAK,aAAa,OAAA,GACZA;AAAA,IACR,CAAC,EACA,QAAQ,MAAM;AACb,WAAK,oBAAoB;AAAA,IAC3B,CAAC,GAEI,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,kBAA2B;AAC7B,WAAK,KAAK,eAGH,KAAK,aAAa,kBAFhB;AAAA,EAGX;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,gBAAyB;AAC3B,WAAK,KAAK,eAGH,KAAK,aAAa,gBAFhB;AAAA,EAGX;AACF;AC5DO,MAAMqC,IACX,yCAIWC,IACX,OAAO;AAOF,MAAMC,EACmB;AAAA;AAAA;AAAA;AAAA;AAAA,EAW9B,YAAY;AAAA,IACE,UAAAC,IAAW;AAAA,IACX,SAAAC,IAAU;AAAA,IACV,cAAAR;AAAA,EAAA,GAC6B;AAd3C,SAAS,OAAOI,GAChB,KAAS,QAAQC,GAcf,KAAK,kBAAkBE,GACvB,KAAK,iBAAiBC,GACtB,KAAK,eAAeR;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,UAAU7C,GAA+B;AACvC,UAAMO,IAAe,KAAK,aAAa,IAAA;AACvC,QAAI,CAACA;AACH;AAEF,UAAM+C,IAAY/C,EAAa,OAAO;AAItC,QAHI,CAAC+C,KAGD,CAACA,EAAU,YAAY,CAACA,EAAU;AACpC;AAIF,UAAMC,IACJvD,EAAS,QAAQ,WAAW,oBAAoB;AAAA,MAC9CA,EAAS,QAAQ;AAAA,IAAA,GAEfwD,IAAkB,KAAK,iBACvBC,IAAoBzD,EAAS,uBAAA,EAAyB,MACtDoD,IAAWE,EAAU;AAG3B,IACEF,KACAG,EAAoB,SAASC,CAAe,KAC5C,CAACC,EAAkBD,CAAe,MAElCC,EAAkBD,CAAe,IAAIJ;AAGvC,UAAMM,IAAiB,KAAK,gBACtBL,IAAUC,EAAU;AAG1B,IACED,KACAE,EAAoB,SAASG,CAAc,KAC3C,CAACD,EAAkBC,CAAc,MAEjCD,EAAkBC,CAAc,IAAIL;AAAA,EAExC;AACF;AC1DO,MAAMM,GAA8C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMzD,YAA4B5D,GAAqC;AAArC,SAAA,UAAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,QAAQ8B,GAAgD;AAItD,WAAO,KAAK,QAAQ,QAAQ;AAAA,MAC1B,KAAK,QAAQ;AAAA,MACb;AAAA,QACE,MAAMA;AAAA,MAAA;AAAA,MAER;AAAA,QACE,iBAAiB+B,EAAiB;AAAA,QAClC,gCAAgB,IAAI,CAAC,CAAC/D,GAAoC,EAAI,CAAC,CAAC;AAAA,MAAA;AAAA,IAClE;AAAA,EAEJ;AACF;ACvEO,MAAMgE,IAA0B;AAKhC,MAAMC,WACHtC,EACsB;AAAA,EAC9B,YACEC,IAAcoC,GACE1B,IAAsB,GACtC;AACA,UAAM;AAAA,MACJ,KAAAV;AAAA,MACA,SAASE,EAAA;AAAA,MACT,YAAY,IAAIa,EAA4BL,CAAW;AAAA,IAAA,CACxD,GANe,KAAA,cAAAA;AAAA,EAOlB;AAAA,EAEA,kBAAkBO,GAAgC;AAChD,SAAK,IAAI,IAAIH,EAAkBG,CAAc,CAAC;AAAA,EAChD;AACF;"}
+{"version":3,"file":"index.es.js","sources":["../src/types.ts","../src/idGenerator.ts","../src/cosecRequestInterceptor.ts","../src/authorizationRequestInterceptor.ts","../src/authorizationResponseInterceptor.ts","../src/deviceIdStorage.ts","../src/jwts.ts","../src/jwtToken.ts","../src/jwtTokenManager.ts","../src/resourceAttributionRequestInterceptor.ts","../src/tokenRefresher.ts","../src/tokenStorage.ts"],"sourcesContent":["/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { DeviceIdStorage } from './deviceIdStorage';\nimport { JwtTokenManager } from './jwtTokenManager';\n\n/**\n * CoSec HTTP headers enumeration.\n */\nexport class CoSecHeaders {\n  static readonly DEVICE_ID = 'CoSec-Device-Id';\n  static readonly APP_ID = 'CoSec-App-Id';\n  static readonly AUTHORIZATION = 'Authorization';\n  static readonly REQUEST_ID = 'CoSec-Request-Id';\n}\n\nexport class ResponseCodes {\n  static readonly UNAUTHORIZED = 401;\n}\n\nexport interface AppIdCapable {\n  /**\n   * Application ID to be sent in the CoSec-App-Id header.\n   */\n  appId: string;\n}\n\nexport interface DeviceIdStorageCapable {\n  deviceIdStorage: DeviceIdStorage;\n}\n\nexport interface JwtTokenManagerCapable {\n  tokenManager: JwtTokenManager;\n}\n\n/**\n * CoSec options interface.\n */\nexport interface CoSecOptions\n  extends AppIdCapable,\n    DeviceIdStorageCapable,\n    JwtTokenManagerCapable {\n}\n\n/**\n * Authorization result interface.\n */\nexport interface AuthorizeResult {\n  authorized: boolean;\n  reason: string;\n}\n\n/**\n * Authorization result constants.\n */\nexport const AuthorizeResults = {\n  ALLOW: { authorized: true, reason: 'Allow' },\n  EXPLICIT_DENY: { authorized: false, reason: 'Explicit Deny' },\n  IMPLICIT_DENY: { authorized: false, reason: 'Implicit Deny' },\n  TOKEN_EXPIRED: { authorized: false, reason: 'Token Expired' },\n  TOO_MANY_REQUESTS: { authorized: false, reason: 'Too Many Requests' },\n};\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { nanoid } from 'nanoid';\n\nexport interface IdGenerator {\n  generateId(): string;\n}\n\n/**\n * Nano ID implementation of IdGenerator.\n * Generates unique request IDs using Nano ID.\n */\nexport class NanoIdGenerator implements IdGenerator {\n  /**\n   * Generate a unique request ID.\n   *\n   * @returns A unique request ID\n   */\n  generateId(): string {\n    return nanoid();\n  }\n}\n\nexport const idGenerator = new NanoIdGenerator();\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  FetchExchange,\n  REQUEST_BODY_INTERCEPTOR_ORDER,\n  type RequestInterceptor,\n} from '@ahoo-wang/fetcher';\nimport { AppIdCapable, CoSecHeaders, DeviceIdStorageCapable } from './types';\nimport { idGenerator } from './idGenerator';\n\nexport interface CoSecRequestOptions\n  extends AppIdCapable,\n    DeviceIdStorageCapable {\n}\n\n/**\n * The name of the CoSecRequestInterceptor.\n */\nexport const COSEC_REQUEST_INTERCEPTOR_NAME = 'CoSecRequestInterceptor';\n\n/**\n * The order of the CoSecRequestInterceptor.\n * Set to REQUEST_BODY_INTERCEPTOR_ORDER + 1000 to ensure it runs after RequestBodyInterceptor.\n */\nexport const COSEC_REQUEST_INTERCEPTOR_ORDER =\n  REQUEST_BODY_INTERCEPTOR_ORDER + 1000;\n\nexport const IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY = 'Ignore-Refresh-Token';\n\n/**\n * Interceptor that automatically adds CoSec authentication headers to requests.\n *\n * This interceptor adds the following headers to each request:\n * - CoSec-Device-Id: Device identifier (stored in localStorage or generated)\n * - CoSec-App-Id: Application identifier\n * - CoSec-Request-Id: Unique request identifier for each request\n *\n * @remarks\n * This interceptor runs after RequestBodyInterceptor but before FetchInterceptor.\n * The order is set to COSEC_REQUEST_INTERCEPTOR_ORDER to ensure it runs after\n * request body processing but before the actual HTTP request is made. This positioning\n * allows for proper authentication header addition after all request body transformations\n * are complete, ensuring that the final request is properly authenticated before\n * being sent over the network.\n */\nexport class CoSecRequestInterceptor implements RequestInterceptor {\n  readonly name = COSEC_REQUEST_INTERCEPTOR_NAME;\n  readonly order = COSEC_REQUEST_INTERCEPTOR_ORDER;\n  private options: CoSecRequestOptions;\n\n  /**\n   * Creates a new CoSecRequestInterceptor instance.\n   * @param options - The CoSec configuration options including appId, deviceIdStorage, and tokenManager\n   */\n  constructor(options: CoSecRequestOptions) {\n    this.options = options;\n  }\n\n  /**\n   * Intercept requests to add CoSec authentication headers.\n   *\n   * This method adds the following headers to each request:\n   * - CoSec-App-Id: The application identifier from the CoSec options\n   * - CoSec-Device-Id: A unique device identifier, either retrieved from storage or generated\n   * - CoSec-Request-Id: A unique identifier for this specific request\n   *\n   * @param exchange - The fetch exchange containing the request to process\n   *\n   * @remarks\n   * This method runs after RequestBodyInterceptor but before FetchInterceptor.\n   * It ensures that authentication headers are added to the request after all\n   * body processing is complete. The positioning allows for proper authentication\n   * header addition after all request body transformations are finished, ensuring\n   * that the final request is properly authenticated before being sent over the network.\n   * This execution order prevents authentication headers from being overwritten by\n   * subsequent request processing interceptors.\n   *\n   * The method also handles token refreshing when the current token is expired but still refreshable.\n   * It will attempt to refresh the token before adding the Authorization header to the request.\n   */\n  async intercept(exchange: FetchExchange) {\n    // Generate a unique request ID for this request\n    const requestId = idGenerator.generateId();\n\n    // Get or create a device ID\n    const deviceId = this.options.deviceIdStorage.getOrCreate();\n\n    // Ensure request headers object exists\n    const requestHeaders = exchange.ensureRequestHeaders();\n\n    // Add CoSec headers to the request\n    requestHeaders[CoSecHeaders.APP_ID] = this.options.appId;\n    requestHeaders[CoSecHeaders.DEVICE_ID] = deviceId;\n    requestHeaders[CoSecHeaders.REQUEST_ID] = requestId;\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { FetchExchange, RequestInterceptor } from '@ahoo-wang/fetcher';\nimport {\n  COSEC_REQUEST_INTERCEPTOR_ORDER,\n  IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY,\n} from './cosecRequestInterceptor';\nimport { CoSecHeaders, JwtTokenManagerCapable } from './types';\n\n// eslint-disable-next-line @typescript-eslint/no-empty-object-type\nexport interface AuthorizationInterceptorOptions\n  extends JwtTokenManagerCapable {\n}\n\nexport const AUTHORIZATION_REQUEST_INTERCEPTOR_NAME =\n  'AuthorizationRequestInterceptor';\nexport const AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER =\n  COSEC_REQUEST_INTERCEPTOR_ORDER + 1000;\n\n/**\n * Request interceptor that automatically adds Authorization header to requests.\n *\n * This interceptor handles JWT token management by:\n * 1. Adding Authorization header with Bearer token if not already present\n * 2. Refreshing tokens when needed and possible\n * 3. Skipping refresh when explicitly requested via attributes\n *\n * The interceptor runs after CoSecRequestInterceptor but before FetchInterceptor in the chain.\n */\nexport class AuthorizationRequestInterceptor implements RequestInterceptor {\n  readonly name = AUTHORIZATION_REQUEST_INTERCEPTOR_NAME;\n  readonly order = AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER;\n\n  /**\n   * Creates an AuthorizationRequestInterceptor instance.\n   *\n   * @param options - Configuration options containing the token manager\n   */\n  constructor(private readonly options: AuthorizationInterceptorOptions) {\n  }\n\n  /**\n   * Intercepts the request exchange to add authorization headers.\n   *\n   * This method performs the following operations:\n   * 1. Checks if a token exists and if Authorization header is already set\n   * 2. Refreshes the token if needed, possible, and not explicitly ignored\n   * 3. Adds the Authorization header with Bearer token if a token is available\n   *\n   * @param exchange - The fetch exchange containing request information\n   * @returns Promise that resolves when the interception is complete\n   */\n  async intercept(exchange: FetchExchange): Promise<void> {\n    // Get the current token from token manager\n    let currentToken = this.options.tokenManager.currentToken;\n\n    const requestHeaders = exchange.ensureRequestHeaders();\n\n    // Skip if no token exists or Authorization header is already set\n    if (!currentToken || requestHeaders[CoSecHeaders.AUTHORIZATION]) {\n      return;\n    }\n\n    // Refresh token if needed and refreshable\n    if (\n      !exchange.attributes.has(IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY) &&\n      currentToken.isRefreshNeeded &&\n      currentToken.isRefreshable\n    ) {\n      await this.options.tokenManager.refresh();\n    }\n\n    // Get the current token again (might have been refreshed)\n    currentToken = this.options.tokenManager.currentToken;\n\n    // Add Authorization header if we have a token\n    if (currentToken) {\n      requestHeaders[CoSecHeaders.AUTHORIZATION] =\n        `Bearer ${currentToken.access.token}`;\n    }\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { ResponseCodes } from './types';\nimport { FetchExchange, type ResponseInterceptor } from '@ahoo-wang/fetcher';\nimport { AuthorizationInterceptorOptions } from './authorizationRequestInterceptor';\n\n/**\n * The name of the AuthorizationResponseInterceptor.\n */\nexport const AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME =\n  'AuthorizationResponseInterceptor';\n\n/**\n * The order of the AuthorizationResponseInterceptor.\n * Set to a high negative value to ensure it runs early in the interceptor chain.\n */\nexport const AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER =\n  Number.MIN_SAFE_INTEGER + 1000;\n\n/**\n * CoSecResponseInterceptor is responsible for handling unauthorized responses (401)\n * by attempting to refresh the authentication token and retrying the original request.\n *\n * This interceptor:\n * 1. Checks if the response status is 401 (UNAUTHORIZED)\n * 2. If so, and if there's a current token, attempts to refresh it\n * 3. On successful refresh, stores the new token and retries the original request\n * 4. On refresh failure, clears stored tokens and propagates the error\n */\nexport class AuthorizationResponseInterceptor implements ResponseInterceptor {\n  readonly name = AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME;\n  readonly order = AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER;\n  private options: AuthorizationInterceptorOptions;\n\n  /**\n   * Creates a new AuthorizationResponseInterceptor instance.\n   * @param options - The CoSec configuration options including token storage and refresher\n   */\n  constructor(options: AuthorizationInterceptorOptions) {\n    this.options = options;\n  }\n\n  /**\n   * Intercepts the response and handles unauthorized responses by refreshing tokens.\n   * @param exchange - The fetch exchange containing request and response information\n   */\n  async intercept(exchange: FetchExchange): Promise<void> {\n    const response = exchange.response;\n    // If there's no response, nothing to intercept\n    if (!response) {\n      return;\n    }\n\n    // Only handle unauthorized responses (401)\n    if (response.status !== ResponseCodes.UNAUTHORIZED) {\n      return;\n    }\n\n    if (!this.options.tokenManager.isRefreshable) {\n      return;\n    }\n    try {\n      await this.options.tokenManager.refresh();\n      // Retry the original request with the new token\n      await exchange.fetcher.interceptors.exchange(exchange);\n    } catch (error) {\n      // If token refresh fails, clear stored tokens and re-throw the error\n      this.options.tokenManager.tokenStorage.remove();\n      throw error;\n    }\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { idGenerator } from './idGenerator';\nimport {\n  createListenableStorage,\n  IdentitySerializer,\n  KeyStorage,\n} from '@ahoo-wang/fetcher-storage';\n\nexport const DEFAULT_COSEC_DEVICE_ID_KEY = 'cosec-device-id';\n\n/**\n * Storage class for managing device identifiers.\n */\nexport class DeviceIdStorage extends KeyStorage<string> {\n  constructor(key: string = DEFAULT_COSEC_DEVICE_ID_KEY) {\n    super({\n      key,\n      serializer: new IdentitySerializer<string>(),\n      storage: createListenableStorage(),\n    });\n  }\n\n  /**\n   * Generate a new device ID.\n   *\n   * @returns A newly generated device ID\n   */\n  generateDeviceId(): string {\n    return idGenerator.generateId();\n  }\n\n  /**\n   * Get or create a device ID.\n   *\n   * @returns The existing device ID if available, otherwise a newly generated one\n   */\n  getOrCreate(): string {\n    // Try to get existing device ID from storage\n    let deviceId = this.get();\n    if (!deviceId) {\n      // Generate a new device ID and store it\n      deviceId = this.generateDeviceId();\n      this.set(deviceId);\n    }\n\n    return deviceId;\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n/**\n * Interface representing a JWT payload as defined in RFC 7519.\n * Contains standard JWT claims as well as custom properties.\n */\nexport interface JwtPayload {\n  /**\n   * JWT ID - provides a unique identifier for the JWT.\n   */\n  jti?: string;\n  /**\n   * Subject - identifies the principal that is the subject of the JWT.\n   */\n  sub?: string;\n  /**\n   * Issuer - identifies the principal that issued the JWT.\n   */\n  iss?: string;\n  /**\n   * Audience - identifies the recipients that the JWT is intended for.\n   * Can be a single string or an array of strings.\n   */\n  aud?: string | string[];\n  /**\n   * Expiration Time - identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.\n   * Represented as NumericDate (seconds since Unix epoch).\n   */\n  exp?: number;\n  /**\n   * Not Before - identifies the time before which the JWT MUST NOT be accepted for processing.\n   * Represented as NumericDate (seconds since Unix epoch).\n   */\n  nbf?: number;\n  /**\n   * Issued At - identifies the time at which the JWT was issued.\n   * Represented as NumericDate (seconds since Unix epoch).\n   */\n  iat?: number;\n\n  /**\n   * Allows additional custom properties to be included in the payload.\n   */\n  [key: string]: any;\n}\n\n/**\n * Interface representing a JWT payload with CoSec-specific extensions.\n * Extends the standard JwtPayload interface with additional CoSec-specific properties.\n */\nexport interface CoSecJwtPayload extends JwtPayload {\n  /**\n   * Tenant identifier - identifies the tenant scope for the JWT.\n   */\n  tenantId?: string;\n  /**\n   * Policies - array of policy identifiers associated with the JWT.\n   * These are security policies defined internally by Cosec.\n   */\n  policies?: string[];\n  /**\n   * Roles - array of role identifiers associated with the JWT.\n   * Role IDs indicate what roles the token belongs to.\n   */\n  roles?: string[];\n  /**\n   * Attributes - custom key-value pairs providing additional information about the JWT.\n   */\n  attributes?: Record<string, any>;\n}\n\n/**\n * Parses a JWT token and extracts its payload.\n *\n * This function decodes the payload part of a JWT token, handling Base64URL decoding\n * and JSON parsing. It validates the token structure and returns null for invalid tokens.\n *\n * @param token - The JWT token string to parse\n * @returns The parsed JWT payload or null if parsing fails\n */\nexport function parseJwtPayload<T extends JwtPayload>(token: string): T | null {\n  try {\n    const parts = token.split('.');\n    if (parts.length !== 3) {\n      return null;\n    }\n\n    const base64Url = parts[1];\n    const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');\n\n    // Add padding if needed\n    const paddedBase64 = base64.padEnd(\n      base64.length + ((4 - (base64.length % 4)) % 4),\n      '=',\n    );\n\n    const jsonPayload = decodeURIComponent(\n      atob(paddedBase64)\n        .split('')\n        .map(function(c) {\n          return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);\n        })\n        .join(''),\n    );\n    return JSON.parse(jsonPayload) as T;\n  } catch (error) {\n    // Avoid exposing sensitive information in error logs\n    console.error('Failed to parse JWT token', error);\n    return null;\n  }\n}\n\nexport interface EarlyPeriodCapable {\n  /**\n   * The time in seconds before actual expiration when the token should be considered expired (default: 0)\n   */\n  readonly earlyPeriod: number;\n}\n\n/**\n * Checks if a JWT token is expired based on its expiration time (exp claim).\n *\n * This function determines if a JWT token has expired by comparing its exp claim\n * with the current time. If the token is a string, it will be parsed first.\n * Tokens without an exp claim are considered not expired.\n *\n * The early period parameter allows for early token expiration, which is useful\n * for triggering token refresh before the token actually expires. This helps\n * avoid race conditions where a token expires between the time it is checked and\n * the time it is used.\n *\n * @param token - The JWT token to check, either as a string or as a JwtPayload object\n * @param earlyPeriod - The time in seconds before actual expiration when the token should be considered expired (default: 0)\n * @returns true if the token is expired (or will expire within the early period) or cannot be parsed, false otherwise\n */\nexport function isTokenExpired(\n  token: string | CoSecJwtPayload,\n  earlyPeriod: number = 0,\n): boolean {\n  const payload = typeof token === 'string' ? parseJwtPayload(token) : token;\n  if (!payload) {\n    return true;\n  }\n\n  const expAt = payload.exp;\n  if (!expAt) {\n    return false;\n  }\n\n  const now = Date.now() / 1000;\n  return now > expAt - earlyPeriod;\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  CoSecJwtPayload,\n  EarlyPeriodCapable,\n  isTokenExpired,\n  JwtPayload,\n  parseJwtPayload,\n} from './jwts';\nimport { CompositeToken } from './tokenRefresher';\nimport { Serializer } from '@ahoo-wang/fetcher-storage';\n\n/**\n * Interface for JWT token with typed payload\n * @template Payload The type of the JWT payload\n */\nexport interface IJwtToken<Payload extends JwtPayload>\n  extends EarlyPeriodCapable {\n  readonly token: string;\n  readonly payload: Payload | null;\n\n  isExpired: boolean;\n}\n\n/**\n * Class representing a JWT token with typed payload\n * @template Payload The type of the JWT payload\n */\nexport class JwtToken<Payload extends JwtPayload>\n  implements IJwtToken<Payload> {\n  public readonly payload: Payload | null;\n\n  /**\n   * Creates a new JwtToken instance\n   */\n  constructor(\n    public readonly token: string,\n    public readonly earlyPeriod: number = 0,\n  ) {\n    this.payload = parseJwtPayload<Payload>(token);\n  }\n\n  /**\n   * Checks if the token is expired\n   * @returns true if the token is expired, false otherwise\n   */\n  get isExpired(): boolean {\n    if (!this.payload) {\n      return true;\n    }\n    return isTokenExpired(this.payload, this.earlyPeriod);\n  }\n}\n\nexport interface RefreshTokenStatusCapable {\n  /**\n   * Checks if the access token needs to be refreshed\n   * @returns true if the access token is expired, false otherwise\n   */\n  readonly isRefreshNeeded: boolean;\n  /**\n   * Checks if the refresh token is still valid and can be used to refresh the access token\n   * @returns true if the refresh token is not expired, false otherwise\n   */\n  readonly isRefreshable: boolean;\n}\n\n/**\n * Class representing a composite token containing both access and refresh tokens\n */\nexport class JwtCompositeToken\n  implements EarlyPeriodCapable, RefreshTokenStatusCapable {\n  public readonly access: JwtToken<CoSecJwtPayload>;\n  public readonly refresh: JwtToken<JwtPayload>;\n\n  /**\n   * Creates a new JwtCompositeToken instance\n   */\n  constructor(\n    public readonly token: CompositeToken,\n    public readonly earlyPeriod: number = 0,\n  ) {\n    this.access = new JwtToken(token.accessToken, earlyPeriod);\n    this.refresh = new JwtToken(token.refreshToken, earlyPeriod);\n  }\n\n  /**\n   * Checks if the access token needs to be refreshed\n   * @returns true if the access token is expired, false otherwise\n   */\n  get isRefreshNeeded(): boolean {\n    return this.access.isExpired;\n  }\n\n  /**\n   * Checks if the refresh token is still valid and can be used to refresh the access token\n   * @returns true if the refresh token is not expired, false otherwise\n   */\n  get isRefreshable(): boolean {\n    return !this.refresh.isExpired;\n  }\n}\n\n/**\n * Serializer for JwtCompositeToken that handles conversion to and from JSON strings\n */\nexport class JwtCompositeTokenSerializer\n  implements Serializer<string, JwtCompositeToken>, EarlyPeriodCapable {\n  constructor(public readonly earlyPeriod: number = 0) {\n  }\n\n  /**\n   * Deserializes a JSON string to a JwtCompositeToken\n   * @param value The JSON string representation of a composite token\n   * @returns A JwtCompositeToken instance\n   */\n  deserialize(value: string): JwtCompositeToken {\n    const compositeToken = JSON.parse(value) as CompositeToken;\n    return new JwtCompositeToken(compositeToken, this.earlyPeriod);\n  }\n\n  /**\n   * Serializes a JwtCompositeToken to a JSON string\n   * @param value The JwtCompositeToken to serialize\n   * @returns A JSON string representation of the composite token\n   */\n  serialize(value: JwtCompositeToken): string {\n    return JSON.stringify(value.token);\n  }\n}\n\nexport const jwtCompositeTokenSerializer = new JwtCompositeTokenSerializer();\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { TokenStorage } from './tokenStorage';\nimport { CompositeToken, TokenRefresher } from './tokenRefresher';\nimport { JwtCompositeToken, RefreshTokenStatusCapable } from './jwtToken';\n\n/**\n * Manages JWT token refreshing operations and provides status information\n */\nexport class JwtTokenManager implements RefreshTokenStatusCapable {\n  private refreshInProgress?: Promise<void>;\n\n  /**\n   * Creates a new JwtTokenManager instance\n   * @param tokenStorage The storage used to persist tokens\n   * @param tokenRefresher The refresher used to refresh expired tokens\n   */\n  constructor(\n    public readonly tokenStorage: TokenStorage,\n    public readonly tokenRefresher: TokenRefresher,\n  ) {\n  }\n\n  /**\n   * Gets the current JWT composite token from storage\n   * @returns The current token or null if none exists\n   */\n  get currentToken(): JwtCompositeToken | null {\n    return this.tokenStorage.get();\n  }\n\n  /**\n   * Refreshes the JWT token\n   * @param currentToken Optional current token to refresh. If not provided, uses the stored token.\n   * @returns Promise that resolves when refresh is complete\n   * @throws Error if no token is found or refresh fails\n   */\n  async refresh(currentToken?: CompositeToken): Promise<void> {\n    if (!currentToken) {\n      const jwtToken = this.currentToken;\n      if (!jwtToken) {\n        throw new Error('No token found');\n      }\n      currentToken = jwtToken.token;\n    }\n    if (this.refreshInProgress) {\n      return this.refreshInProgress;\n    }\n\n    this.refreshInProgress = this.tokenRefresher\n      .refresh(currentToken)\n      .then(newToken => {\n        this.tokenStorage.setCompositeToken(newToken);\n      })\n      .catch(error => {\n        this.tokenStorage.remove();\n        throw error;\n      })\n      .finally(() => {\n        this.refreshInProgress = undefined;\n      });\n\n    return this.refreshInProgress;\n  }\n\n  /**\n   * Indicates if the current token needs to be refreshed\n   * @returns true if the access token is expired and needs refresh, false otherwise\n   */\n  get isRefreshNeeded(): boolean {\n    if (!this.currentToken) {\n      return false;\n    }\n    return this.currentToken.isRefreshNeeded;\n  }\n\n  /**\n   * Indicates if the current token can be refreshed\n   * @returns true if the refresh token is still valid, false otherwise\n   */\n  get isRefreshable(): boolean {\n    if (!this.currentToken) {\n      return false;\n    }\n    return this.currentToken.isRefreshable;\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { FetchExchange, RequestInterceptor } from '@ahoo-wang/fetcher';\nimport { TokenStorage } from './tokenStorage';\n\n/**\n * Configuration options for resource attribution\n */\nexport interface ResourceAttributionOptions {\n  /**\n   * The path parameter key used for tenant ID in URL templates\n   */\n  tenantId?: string;\n  /**\n   * The path parameter key used for owner ID in URL templates\n   */\n  ownerId?: string;\n  /**\n   * Storage mechanism for retrieving current authentication tokens\n   */\n  tokenStorage: TokenStorage;\n}\n\n/**\n * Name identifier for the ResourceAttributionRequestInterceptor\n */\nexport const RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME =\n  'ResourceAttributionRequestInterceptor';\n/**\n * Order priority for the ResourceAttributionRequestInterceptor, set to maximum safe integer to ensure it runs last\n */\nexport const RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER =\n  Number.MAX_SAFE_INTEGER;\n\n/**\n * Request interceptor that automatically adds tenant and owner ID path parameters to requests\n * based on the current authentication token. This is useful for multi-tenant applications where\n * requests need to include tenant-specific information in the URL path.\n */\nexport class ResourceAttributionRequestInterceptor\n  implements RequestInterceptor {\n  readonly name = RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME;\n  readonly order = RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER;\n  private readonly tenantIdPathKey: string;\n  private readonly ownerIdPathKey: string;\n  private readonly tokenStorage: TokenStorage;\n\n  /**\n   * Creates a new ResourceAttributionRequestInterceptor\n   * @param options - Configuration options for resource attribution including tenantId, ownerId and tokenStorage\n   */\n  constructor({\n                tenantId = 'tenantId',\n                ownerId = 'ownerId',\n                tokenStorage,\n              }: ResourceAttributionOptions) {\n    this.tenantIdPathKey = tenantId;\n    this.ownerIdPathKey = ownerId;\n    this.tokenStorage = tokenStorage;\n  }\n\n  /**\n   * Intercepts outgoing requests and automatically adds tenant and owner ID path parameters\n   * if they are defined in the URL template but not provided in the request.\n   * @param exchange - The fetch exchange containing the request information\n   */\n  intercept(exchange: FetchExchange): void {\n    const currentToken = this.tokenStorage.get();\n    if (!currentToken) {\n      return;\n    }\n    const principal = currentToken.access.payload;\n    if (!principal) {\n      return;\n    }\n    if (!principal.tenantId && !principal.sub) {\n      return;\n    }\n\n    // Extract path parameters from the URL template\n    const extractedPathParams =\n      exchange.fetcher.urlBuilder.urlTemplateResolver.extractPathParams(\n        exchange.request.url,\n      );\n    const tenantIdPathKey = this.tenantIdPathKey;\n    const requestPathParams = exchange.ensureRequestUrlParams().path;\n    const tenantId = principal.tenantId;\n\n    // Add tenant ID to path parameters if it's part of the URL template and not already provided\n    if (\n      tenantId &&\n      extractedPathParams.includes(tenantIdPathKey) &&\n      !requestPathParams[tenantIdPathKey]\n    ) {\n      requestPathParams[tenantIdPathKey] = tenantId;\n    }\n\n    const ownerIdPathKey = this.ownerIdPathKey;\n    const ownerId = principal.sub;\n\n    // Add owner ID to path parameters if it's part of the URL template and not already provided\n    if (\n      ownerId &&\n      extractedPathParams.includes(ownerIdPathKey) &&\n      !requestPathParams[ownerIdPathKey]\n    ) {\n      requestPathParams[ownerIdPathKey] = ownerId;\n    }\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Fetcher, ResultExtractors } from '@ahoo-wang/fetcher';\nimport { IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY } from './cosecRequestInterceptor';\n\n/**\n * Interface for access tokens.\n */\nexport interface AccessToken {\n  accessToken: string;\n}\n\n/**\n * Interface for refresh tokens.\n */\nexport interface RefreshToken {\n  refreshToken: string;\n}\n\n/**\n * Composite token interface that contains both access and refresh tokens.\n *\n * accessToken and refreshToken always appear in pairs, no need to split them.\n */\nexport interface CompositeToken extends AccessToken, RefreshToken {\n}\n\n/**\n * Interface for token refreshers.\n *\n * Provides a method to refresh tokens.\n */\nexport interface TokenRefresher {\n  /**\n   * Refresh the given token and return a new CompositeToken.\n   *\n   * @param token The token to refresh\n   * @returns A Promise that resolves to a new CompositeToken\n   */\n  refresh(token: CompositeToken): Promise<CompositeToken>;\n}\n\nexport interface CoSecTokenRefresherOptions {\n  fetcher: Fetcher;\n  endpoint: string;\n}\n\n/**\n * CoSecTokenRefresher is a class that implements the TokenRefresher interface\n * for refreshing composite tokens through a configured endpoint.\n */\nexport class CoSecTokenRefresher implements TokenRefresher {\n  /**\n   * Creates a new instance of CoSecTokenRefresher.\n   *\n   * @param options The configuration options for the token refresher including fetcher and endpoint\n   */\n  constructor(public readonly options: CoSecTokenRefresherOptions) {\n  }\n\n  /**\n   * Refresh the given token and return a new CompositeToken.\n   *\n   * @param token The token to refresh\n   * @returns A Promise that resolves to a new CompositeToken\n   */\n  refresh(token: CompositeToken): Promise<CompositeToken> {\n    // Send a POST request to the configured endpoint with the token as body\n    // and extract the response as JSON to return a new CompositeToken\n\n    return this.options.fetcher.post<CompositeToken>(\n      this.options.endpoint,\n      {\n        body: token,\n      },\n      {\n        resultExtractor: ResultExtractors.Json,\n        attributes: new Map([[IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY, true]]),\n      },\n    );\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { JwtCompositeToken, JwtCompositeTokenSerializer } from './jwtToken';\nimport { CompositeToken } from './tokenRefresher';\nimport { EarlyPeriodCapable } from './jwts';\nimport {\n  createListenableStorage,\n  KeyStorage,\n} from '@ahoo-wang/fetcher-storage';\n\nexport const DEFAULT_COSEC_TOKEN_KEY = 'cosec-token';\n\n/**\n * Storage class for managing access and refresh tokens.\n */\nexport class TokenStorage\n  extends KeyStorage<JwtCompositeToken>\n  implements EarlyPeriodCapable {\n  constructor(\n    key: string = DEFAULT_COSEC_TOKEN_KEY,\n    public readonly earlyPeriod: number = 0,\n  ) {\n    super({\n      key,\n      storage: createListenableStorage(),\n      serializer: new JwtCompositeTokenSerializer(earlyPeriod),\n    });\n  }\n\n  setCompositeToken(compositeToken: CompositeToken) {\n    this.set(new JwtCompositeToken(compositeToken));\n  }\n}\n"],"names":["_CoSecHeaders","CoSecHeaders","_ResponseCodes","ResponseCodes","AuthorizeResults","NanoIdGenerator","nanoid","idGenerator","COSEC_REQUEST_INTERCEPTOR_NAME","COSEC_REQUEST_INTERCEPTOR_ORDER","REQUEST_BODY_INTERCEPTOR_ORDER","IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY","CoSecRequestInterceptor","options","exchange","requestId","deviceId","requestHeaders","AUTHORIZATION_REQUEST_INTERCEPTOR_NAME","AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER","AuthorizationRequestInterceptor","currentToken","AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME","AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER","AuthorizationResponseInterceptor","response","error","DEFAULT_COSEC_DEVICE_ID_KEY","DeviceIdStorage","KeyStorage","key","IdentitySerializer","createListenableStorage","parseJwtPayload","token","parts","base64","paddedBase64","jsonPayload","c","isTokenExpired","earlyPeriod","payload","expAt","JwtToken","JwtCompositeToken","JwtCompositeTokenSerializer","value","compositeToken","jwtCompositeTokenSerializer","JwtTokenManager","tokenStorage","tokenRefresher","jwtToken","newToken","RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME","RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER","ResourceAttributionRequestInterceptor","tenantId","ownerId","principal","extractedPathParams","tenantIdPathKey","requestPathParams","ownerIdPathKey","CoSecTokenRefresher","ResultExtractors","DEFAULT_COSEC_TOKEN_KEY","TokenStorage"],"mappings":";;;AAmBO,MAAMA,IAAN,MAAMA,EAAa;AAK1B;AAJEA,EAAgB,YAAY,mBAC5BA,EAAgB,SAAS,gBACzBA,EAAgB,gBAAgB,iBAChCA,EAAgB,aAAa;AAJxB,IAAMC,IAAND;AAOA,MAAME,IAAN,MAAMA,EAAc;AAE3B;AADEA,EAAgB,eAAe;AAD1B,IAAMC,IAAND;AAuCA,MAAME,IAAmB;AAAA,EAC9B,OAAO,EAAE,YAAY,IAAM,QAAQ,QAAA;AAAA,EACnC,eAAe,EAAE,YAAY,IAAO,QAAQ,gBAAA;AAAA,EAC5C,eAAe,EAAE,YAAY,IAAO,QAAQ,gBAAA;AAAA,EAC5C,eAAe,EAAE,YAAY,IAAO,QAAQ,gBAAA;AAAA,EAC5C,mBAAmB,EAAE,YAAY,IAAO,QAAQ,oBAAA;AAClD;AChDO,MAAMC,EAAuC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMlD,aAAqB;AACnB,WAAOC,EAAA;AAAA,EACT;AACF;AAEO,MAAMC,IAAc,IAAIF,EAAA,GCLlBG,IAAiC,2BAMjCC,IACXC,IAAiC,KAEtBC,IAAqC;AAkB3C,MAAMC,EAAsD;AAAA;AAAA;AAAA;AAAA;AAAA,EASjE,YAAYC,GAA8B;AAR1C,SAAS,OAAOL,GAChB,KAAS,QAAQC,GAQf,KAAK,UAAUI;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAwBA,MAAM,UAAUC,GAAyB;AAEvC,UAAMC,IAAYR,EAAY,WAAA,GAGxBS,IAAW,KAAK,QAAQ,gBAAgB,YAAA,GAGxCC,IAAiBH,EAAS,qBAAA;AAGhC,IAAAG,EAAehB,EAAa,MAAM,IAAI,KAAK,QAAQ,OACnDgB,EAAehB,EAAa,SAAS,IAAIe,GACzCC,EAAehB,EAAa,UAAU,IAAIc;AAAA,EAC5C;AACF;ACjFO,MAAMG,IACX,mCACWC,IACXV,IAAkC;AAY7B,MAAMW,EAA8D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASzE,YAA6BP,GAA0C;AAA1C,SAAA,UAAAA,GAR7B,KAAS,OAAOK,GAChB,KAAS,QAAQC;AAAA,EAQjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,UAAUL,GAAwC;AAEtD,QAAIO,IAAe,KAAK,QAAQ,aAAa;AAE7C,UAAMJ,IAAiBH,EAAS,qBAAA;AAGhC,IAAI,CAACO,KAAgBJ,EAAehB,EAAa,aAAa,MAM5D,CAACa,EAAS,WAAW,IAAIH,CAAkC,KAC3DU,EAAa,mBACbA,EAAa,iBAEb,MAAM,KAAK,QAAQ,aAAa,QAAA,GAIlCA,IAAe,KAAK,QAAQ,aAAa,cAGrCA,MACFJ,EAAehB,EAAa,aAAa,IACvC,UAAUoB,EAAa,OAAO,KAAK;AAAA,EAEzC;AACF;ACxEO,MAAMC,IACX,oCAMWC,IACX,OAAO,mBAAmB;AAYrB,MAAMC,EAAgE;AAAA;AAAA;AAAA;AAAA;AAAA,EAS3E,YAAYX,GAA0C;AARtD,SAAS,OAAOS,GAChB,KAAS,QAAQC,GAQf,KAAK,UAAUV;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,UAAUC,GAAwC;AACtD,UAAMW,IAAWX,EAAS;AAE1B,QAAKW,KAKDA,EAAS,WAAWtB,EAAc,gBAIjC,KAAK,QAAQ,aAAa;AAG/B,UAAI;AACF,cAAM,KAAK,QAAQ,aAAa,QAAA,GAEhC,MAAMW,EAAS,QAAQ,aAAa,SAASA,CAAQ;AAAA,MACvD,SAASY,GAAO;AAEd,mBAAK,QAAQ,aAAa,aAAa,OAAA,GACjCA;AAAA,MACR;AAAA,EACF;AACF;AC9DO,MAAMC,IAA8B;AAKpC,MAAMC,UAAwBC,EAAmB;AAAA,EACtD,YAAYC,IAAcH,GAA6B;AACrD,UAAM;AAAA,MACJ,KAAAG;AAAA,MACA,YAAY,IAAIC,EAAA;AAAA,MAChB,SAASC,EAAA;AAAA,IAAwB,CAClC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,mBAA2B;AACzB,WAAOzB,EAAY,WAAA;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,cAAsB;AAEpB,QAAIS,IAAW,KAAK,IAAA;AACpB,WAAKA,MAEHA,IAAW,KAAK,iBAAA,GAChB,KAAK,IAAIA,CAAQ,IAGZA;AAAA,EACT;AACF;AC+BO,SAASiB,EAAsCC,GAAyB;AAC7E,MAAI;AACF,UAAMC,IAAQD,EAAM,MAAM,GAAG;AAC7B,QAAIC,EAAM,WAAW;AACnB,aAAO;AAIT,UAAMC,IADYD,EAAM,CAAC,EACA,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,GAGvDE,IAAeD,EAAO;AAAA,MAC1BA,EAAO,UAAW,IAAKA,EAAO,SAAS,KAAM;AAAA,MAC7C;AAAA,IAAA,GAGIE,IAAc;AAAA,MAClB,KAAKD,CAAY,EACd,MAAM,EAAE,EACR,IAAI,SAASE,GAAG;AACf,eAAO,OAAO,OAAOA,EAAE,WAAW,CAAC,EAAE,SAAS,EAAE,GAAG,MAAM,EAAE;AAAA,MAC7D,CAAC,EACA,KAAK,EAAE;AAAA,IAAA;AAEZ,WAAO,KAAK,MAAMD,CAAW;AAAA,EAC/B,SAASZ,GAAO;AAEd,mBAAQ,MAAM,6BAA6BA,CAAK,GACzC;AAAA,EACT;AACF;AAyBO,SAASc,EACdN,GACAO,IAAsB,GACb;AACT,QAAMC,IAAU,OAAOR,KAAU,WAAWD,EAAgBC,CAAK,IAAIA;AACrE,MAAI,CAACQ;AACH,WAAO;AAGT,QAAMC,IAAQD,EAAQ;AACtB,SAAKC,IAIO,KAAK,IAAA,IAAQ,MACZA,IAAQF,IAJZ;AAKX;AC1HO,MAAMG,EACmB;AAAA;AAAA;AAAA;AAAA,EAM9B,YACkBV,GACAO,IAAsB,GACtC;AAFgB,SAAA,QAAAP,GACA,KAAA,cAAAO,GAEhB,KAAK,UAAUR,EAAyBC,CAAK;AAAA,EAC/C;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,YAAqB;AACvB,WAAK,KAAK,UAGHM,EAAe,KAAK,SAAS,KAAK,WAAW,IAF3C;AAAA,EAGX;AACF;AAkBO,MAAMK,EAC8C;AAAA;AAAA;AAAA;AAAA,EAOzD,YACkBX,GACAO,IAAsB,GACtC;AAFgB,SAAA,QAAAP,GACA,KAAA,cAAAO,GAEhB,KAAK,SAAS,IAAIG,EAASV,EAAM,aAAaO,CAAW,GACzD,KAAK,UAAU,IAAIG,EAASV,EAAM,cAAcO,CAAW;AAAA,EAC7D;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,kBAA2B;AAC7B,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,gBAAyB;AAC3B,WAAO,CAAC,KAAK,QAAQ;AAAA,EACvB;AACF;AAKO,MAAMK,EAC0D;AAAA,EACrE,YAA4BL,IAAsB,GAAG;AAAzB,SAAA,cAAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAAYM,GAAkC;AAC5C,UAAMC,IAAiB,KAAK,MAAMD,CAAK;AACvC,WAAO,IAAIF,EAAkBG,GAAgB,KAAK,WAAW;AAAA,EAC/D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,UAAUD,GAAkC;AAC1C,WAAO,KAAK,UAAUA,EAAM,KAAK;AAAA,EACnC;AACF;AAEO,MAAME,IAA8B,IAAIH,EAAA;AC1HxC,MAAMI,EAAqD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQhE,YACkBC,GACAC,GAChB;AAFgB,SAAA,eAAAD,GACA,KAAA,iBAAAC;AAAA,EAElB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,eAAyC;AAC3C,WAAO,KAAK,aAAa,IAAA;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,QAAQ/B,GAA8C;AAC1D,QAAI,CAACA,GAAc;AACjB,YAAMgC,IAAW,KAAK;AACtB,UAAI,CAACA;AACH,cAAM,IAAI,MAAM,gBAAgB;AAElC,MAAAhC,IAAegC,EAAS;AAAA,IAC1B;AACA,WAAI,KAAK,oBACA,KAAK,qBAGd,KAAK,oBAAoB,KAAK,eAC3B,QAAQhC,CAAY,EACpB,KAAK,CAAAiC,MAAY;AAChB,WAAK,aAAa,kBAAkBA,CAAQ;AAAA,IAC9C,CAAC,EACA,MAAM,CAAA5B,MAAS;AACd,iBAAK,aAAa,OAAA,GACZA;AAAA,IACR,CAAC,EACA,QAAQ,MAAM;AACb,WAAK,oBAAoB;AAAA,IAC3B,CAAC,GAEI,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,kBAA2B;AAC7B,WAAK,KAAK,eAGH,KAAK,aAAa,kBAFhB;AAAA,EAGX;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,gBAAyB;AAC3B,WAAK,KAAK,eAGH,KAAK,aAAa,gBAFhB;AAAA,EAGX;AACF;AC5DO,MAAM6B,IACX,yCAIWC,IACX,OAAO;AAOF,MAAMC,EACmB;AAAA;AAAA;AAAA;AAAA;AAAA,EAW9B,YAAY;AAAA,IACE,UAAAC,IAAW;AAAA,IACX,SAAAC,IAAU;AAAA,IACV,cAAAR;AAAA,EAAA,GAC6B;AAd3C,SAAS,OAAOI,GAChB,KAAS,QAAQC,GAcf,KAAK,kBAAkBE,GACvB,KAAK,iBAAiBC,GACtB,KAAK,eAAeR;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,UAAUrC,GAA+B;AACvC,UAAMO,IAAe,KAAK,aAAa,IAAA;AACvC,QAAI,CAACA;AACH;AAEF,UAAMuC,IAAYvC,EAAa,OAAO;AAItC,QAHI,CAACuC,KAGD,CAACA,EAAU,YAAY,CAACA,EAAU;AACpC;AAIF,UAAMC,IACJ/C,EAAS,QAAQ,WAAW,oBAAoB;AAAA,MAC9CA,EAAS,QAAQ;AAAA,IAAA,GAEfgD,IAAkB,KAAK,iBACvBC,IAAoBjD,EAAS,uBAAA,EAAyB,MACtD4C,IAAWE,EAAU;AAG3B,IACEF,KACAG,EAAoB,SAASC,CAAe,KAC5C,CAACC,EAAkBD,CAAe,MAElCC,EAAkBD,CAAe,IAAIJ;AAGvC,UAAMM,IAAiB,KAAK,gBACtBL,IAAUC,EAAU;AAG1B,IACED,KACAE,EAAoB,SAASG,CAAc,KAC3C,CAACD,EAAkBC,CAAc,MAEjCD,EAAkBC,CAAc,IAAIL;AAAA,EAExC;AACF;AC1DO,MAAMM,EAA8C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMzD,YAA4BpD,GAAqC;AAArC,SAAA,UAAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,QAAQqB,GAAgD;AAItD,WAAO,KAAK,QAAQ,QAAQ;AAAA,MAC1B,KAAK,QAAQ;AAAA,MACb;AAAA,QACE,MAAMA;AAAA,MAAA;AAAA,MAER;AAAA,QACE,iBAAiBgC,EAAiB;AAAA,QAClC,gCAAgB,IAAI,CAAC,CAACvD,GAAoC,EAAI,CAAC,CAAC;AAAA,MAAA;AAAA,IAClE;AAAA,EAEJ;AACF;ACvEO,MAAMwD,IAA0B;AAKhC,MAAMC,UACHvC,EACsB;AAAA,EAC9B,YACEC,IAAcqC,GACE1B,IAAsB,GACtC;AACA,UAAM;AAAA,MACJ,KAAAX;AAAA,MACA,SAASE,EAAA;AAAA,MACT,YAAY,IAAIc,EAA4BL,CAAW;AAAA,IAAA,CACxD,GANe,KAAA,cAAAA;AAAA,EAOlB;AAAA,EAEA,kBAAkBO,GAAgC;AAChD,SAAK,IAAI,IAAIH,EAAkBG,CAAc,CAAC;AAAA,EAChD;AACF;"}

package/dist/index.umd.js

@@ -1,2 +1,2 @@
-(function(r,a){typeof exports=="object"&&typeof module<"u"?a(exports,require("@ahoo-wang/fetcher"),require("nanoid")):typeof define=="function"&&define.amd?define(["exports","@ahoo-wang/fetcher","nanoid"],a):(r=typeof globalThis<"u"?globalThis:r||self,a(r.FetcherCoSec={},r.Fetcher,r.nanoid))})(this,(function(r,a,V){"use strict";const c=class c{};c.DEVICE_ID="CoSec-Device-Id",c.APP_ID="CoSec-App-Id",c.AUTHORIZATION="Authorization",c.REQUEST_ID="CoSec-Request-Id";let i=c;const g=class g{};g.UNAUTHORIZED=401;let E=g;const K={ALLOW:{authorized:!0,reason:"Allow"},EXPLICIT_DENY:{authorized:!1,reason:"Explicit Deny"},IMPLICIT_DENY:{authorized:!1,reason:"Implicit Deny"},TOKEN_EXPIRED:{authorized:!1,reason:"Token Expired"},TOO_MANY_REQUESTS:{authorized:!1,reason:"Too Many Requests"}};class S{generateId(){return V.nanoid()}}const l=new S,A="CoSecRequestInterceptor",R=a.REQUEST_BODY_INTERCEPTOR_ORDER+1e3,T="Ignore-Refresh-Token";class Q{constructor(e){this.name=A,this.order=R,this.options=e}async intercept(e){const t=l.generateId(),s=this.options.deviceIdStorage.getOrCreate(),o=e.ensureRequestHeaders();o[i.APP_ID]=this.options.appId,o[i.DEVICE_ID]=s,o[i.REQUEST_ID]=t}}const p="AuthorizationRequestInterceptor",C=R+1e3;class H{constructor(e){this.options=e,this.name=p,this.order=C}async intercept(e){let t=this.options.tokenManager.currentToken;const s=e.ensureRequestHeaders();!t||s[i.AUTHORIZATION]||(!e.attributes.has(T)&&t.isRefreshNeeded&&t.isRefreshable&&await this.options.tokenManager.refresh(),t=this.options.tokenManager.currentToken,t&&(s[i.AUTHORIZATION]=`Bearer ${t.access.token}`))}}const k="AuthorizationResponseInterceptor",w=Number.MIN_SAFE_INTEGER+1e3;class J{constructor(e){this.name=k,this.order=w,this.options=e}async intercept(e){const t=e.response;if(t&&t.status===E.UNAUTHORIZED&&this.options.tokenManager.isRefreshable)try{await this.options.tokenManager.refresh(),await e.fetcher.interceptors.exchange(e)}catch(s){throw this.options.tokenManager.tokenStorage.remove(),s}}}function y(){return typeof window<"u"}class Z{constructor(){this.store=new Map,this.listeners=new Set}get length(){return this.store.size}clear(){this.store.clear()}getItem(e){const t=this.store.get(e);return t!==void 0?t:null}key(e){return Array.from(this.store.keys())[e]||null}removeItem(e){const t=this.getItem(e);this.store.has(e)&&(this.store.delete(e),this.notifyListeners({key:e,oldValue:t,newValue:null}))}setItem(e,t){const s=this.getItem(e);this.store.set(e,t),this.notifyListeners({key:e,oldValue:s,newValue:t})}addListener(e){return this.listeners.add(e),()=>this.listeners.delete(e)}notifyListeners(e){y()&&window.location&&(e.url=e.url||window.location.href),e.storageArea=this,this.listeners.forEach(t=>{try{t(e)}catch(s){console.error("Error in storage change listener:",s)}})}}class F{constructor(e){this.storage=e}get length(){return this.storage.length}addListener(e){const t=s=>{s.storageArea===this.storage&&e(s)};return window.addEventListener(P,t),()=>window.removeEventListener(P,t)}clear(){this.storage.clear()}getItem(e){return this.storage.getItem(e)}key(e){return this.storage.key(e)}removeItem(e){this.storage.removeItem(e)}setItem(e,t){this.storage.setItem(e,t)}}const P="storage",I=()=>y()?new F(window.localStorage):new Z;class m{serialize(e){return e}deserialize(e){return e}}const B=new m;function Y(){return B}class U{constructor(e){this.cacheValue=null,this.refreshCacheListener=t=>{this.cacheValue=null,t.newValue&&this.refreshCache(t.newValue)},this.key=e.key,this.serializer=e.serializer??Y(),this.storage=e.storage??I(),this.addListener(this.refreshCacheListener)}refreshCache(e){this.cacheValue=this.serializer.deserialize(e)}addListener(e){const t=s=>{s.key===this.key&&e(s)};return this.storage.addListener(t)}get(){if(this.cacheValue)return this.cacheValue;const e=this.storage.getItem(this.key);return e?(this.refreshCache(e),this.cacheValue):null}set(e){const t=this.serializer.serialize(e);this.storage.setItem(this.key,t),this.cacheValue=e}remove(){this.storage.removeItem(this.key),this.cacheValue=null}}const D="cosec-device-id";class G extends U{constructor(e=D){super({key:e,serializer:new m,storage:I()})}generateDeviceId(){return l.generateId()}getOrCreate(){let e=this.get();return e||(e=this.generateDeviceId(),this.set(e)),e}}function d(n){try{const e=n.split(".");if(e.length!==3)return null;const s=e[1].replace(/-/g,"+").replace(/_/g,"/"),o=s.padEnd(s.length+(4-s.length%4)%4,"="),u=decodeURIComponent(atob(o).split("").map(function(h){return"%"+("00"+h.charCodeAt(0).toString(16)).slice(-2)}).join(""));return JSON.parse(u)}catch(e){return console.error("Failed to parse JWT token",e),null}}function z(n,e=0){const t=typeof n=="string"?d(n):n;if(!t)return!0;const s=t.exp;return s?Date.now()/1e3>s-e:!1}class f{constructor(e,t=0){this.token=e,this.earlyPeriod=t,this.payload=d(e)}get isExpired(){return this.payload?z(this.payload,this.earlyPeriod):!0}}class _{constructor(e,t=0){this.token=e,this.earlyPeriod=t,this.access=new f(e.accessToken,t),this.refresh=new f(e.refreshToken,t)}get isRefreshNeeded(){return this.access.isExpired}get isRefreshable(){return!this.refresh.isExpired}}class O{constructor(e=0){this.earlyPeriod=e}deserialize(e){const t=JSON.parse(e);return new _(t,this.earlyPeriod)}serialize(e){return JSON.stringify(e.token)}}const j=new O;class X{constructor(e,t){this.tokenStorage=e,this.tokenRefresher=t}get currentToken(){return this.tokenStorage.get()}async refresh(e){if(!e){const t=this.currentToken;if(!t)throw new Error("No token found");e=t.token}return this.refreshInProgress?this.refreshInProgress:(this.refreshInProgress=this.tokenRefresher.refresh(e).then(t=>{this.tokenStorage.setCompositeToken(t)}).catch(t=>{throw this.tokenStorage.remove(),t}).finally(()=>{this.refreshInProgress=void 0}),this.refreshInProgress)}get isRefreshNeeded(){return this.currentToken?this.currentToken.isRefreshNeeded:!1}get isRefreshable(){return this.currentToken?this.currentToken.isRefreshable:!1}}const M="ResourceAttributionRequestInterceptor",v=Number.MAX_SAFE_INTEGER;class W{constructor({tenantId:e="tenantId",ownerId:t="ownerId",tokenStorage:s}){this.name=M,this.order=v,this.tenantIdPathKey=e,this.ownerIdPathKey=t,this.tokenStorage=s}intercept(e){const t=this.tokenStorage.get();if(!t)return;const s=t.access.payload;if(!s||!s.tenantId&&!s.sub)return;const o=e.fetcher.urlBuilder.urlTemplateResolver.extractPathParams(e.request.url),u=this.tenantIdPathKey,h=e.ensureRequestUrlParams().path,b=s.tenantId;b&&o.includes(u)&&!h[u]&&(h[u]=b);const N=this.ownerIdPathKey,L=s.sub;L&&o.includes(N)&&!h[N]&&(h[N]=L)}}class ${constructor(e){this.options=e}refresh(e){return this.options.fetcher.post(this.options.endpoint,{body:e},{resultExtractor:a.ResultExtractors.Json,attributes:new Map([[T,!0]])})}}const q="cosec-token";class x extends U{constructor(e=q,t=0){super({key:e,storage:I(),serializer:new O(t)}),this.earlyPeriod=t}setCompositeToken(e){this.set(new _(e))}}r.AUTHORIZATION_REQUEST_INTERCEPTOR_NAME=p,r.AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER=C,r.AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME=k,r.AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER=w,r.AuthorizationRequestInterceptor=H,r.AuthorizationResponseInterceptor=J,r.AuthorizeResults=K,r.COSEC_REQUEST_INTERCEPTOR_NAME=A,r.COSEC_REQUEST_INTERCEPTOR_ORDER=R,r.CoSecHeaders=i,r.CoSecRequestInterceptor=Q,r.CoSecTokenRefresher=$,r.DEFAULT_COSEC_DEVICE_ID_KEY=D,r.DEFAULT_COSEC_TOKEN_KEY=q,r.DeviceIdStorage=G,r.IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY=T,r.JwtCompositeToken=_,r.JwtCompositeTokenSerializer=O,r.JwtToken=f,r.JwtTokenManager=X,r.NanoIdGenerator=S,r.RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME=M,r.RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER=v,r.ResourceAttributionRequestInterceptor=W,r.ResponseCodes=E,r.TokenStorage=x,r.idGenerator=l,r.isTokenExpired=z,r.jwtCompositeTokenSerializer=j,r.parseJwtPayload=d,Object.defineProperty(r,Symbol.toStringTag,{value:"Module"})}));
+(function(r,a){typeof exports=="object"&&typeof module<"u"?a(exports,require("@ahoo-wang/fetcher"),require("nanoid"),require("@ahoo-wang/fetcher-storage")):typeof define=="function"&&define.amd?define(["exports","@ahoo-wang/fetcher","nanoid","@ahoo-wang/fetcher-storage"],a):(r=typeof globalThis<"u"?globalThis:r||self,a(r.FetcherCoSec={},r.Fetcher,r.nanoid,r.FetcherStorage))})(this,(function(r,a,q,R){"use strict";const c=class c{};c.DEVICE_ID="CoSec-Device-Id",c.APP_ID="CoSec-App-Id",c.AUTHORIZATION="Authorization",c.REQUEST_ID="CoSec-Request-Id";let i=c;const N=class N{};N.UNAUTHORIZED=401;let h=N;const b={ALLOW:{authorized:!0,reason:"Allow"},EXPLICIT_DENY:{authorized:!1,reason:"Explicit Deny"},IMPLICIT_DENY:{authorized:!1,reason:"Implicit Deny"},TOKEN_EXPIRED:{authorized:!1,reason:"Token Expired"},TOO_MANY_REQUESTS:{authorized:!1,reason:"Too Many Requests"}};class p{generateId(){return q.nanoid()}}const u=new p,A="CoSecRequestInterceptor",I=a.REQUEST_BODY_INTERCEPTOR_ORDER+1e3,d="Ignore-Refresh-Token";class K{constructor(e){this.name=A,this.order=I,this.options=e}async intercept(e){const t=u.generateId(),s=this.options.deviceIdStorage.getOrCreate(),o=e.ensureRequestHeaders();o[i.APP_ID]=this.options.appId,o[i.DEVICE_ID]=s,o[i.REQUEST_ID]=t}}const C="AuthorizationRequestInterceptor",g=I+1e3;class Q{constructor(e){this.options=e,this.name=C,this.order=g}async intercept(e){let t=this.options.tokenManager.currentToken;const s=e.ensureRequestHeaders();!t||s[i.AUTHORIZATION]||(!e.attributes.has(d)&&t.isRefreshNeeded&&t.isRefreshable&&await this.options.tokenManager.refresh(),t=this.options.tokenManager.currentToken,t&&(s[i.AUTHORIZATION]=`Bearer ${t.access.token}`))}}const P="AuthorizationResponseInterceptor",k=Number.MIN_SAFE_INTEGER+1e3;class H{constructor(e){this.name=P,this.order=k,this.options=e}async intercept(e){const t=e.response;if(t&&t.status===h.UNAUTHORIZED&&this.options.tokenManager.isRefreshable)try{await this.options.tokenManager.refresh(),await e.fetcher.interceptors.exchange(e)}catch(s){throw this.options.tokenManager.tokenStorage.remove(),s}}}const U="cosec-device-id";class J extends R.KeyStorage{constructor(e=U){super({key:e,serializer:new R.IdentitySerializer,storage:R.createListenableStorage()})}generateDeviceId(){return u.generateId()}getOrCreate(){let e=this.get();return e||(e=this.generateDeviceId(),this.set(e)),e}}function _(n){try{const e=n.split(".");if(e.length!==3)return null;const s=e[1].replace(/-/g,"+").replace(/_/g,"/"),o=s.padEnd(s.length+(4-s.length%4)%4,"="),T=decodeURIComponent(atob(o).split("").map(function(E){return"%"+("00"+E.charCodeAt(0).toString(16)).slice(-2)}).join(""));return JSON.parse(T)}catch(e){return console.error("Failed to parse JWT token",e),null}}function w(n,e=0){const t=typeof n=="string"?_(n):n;if(!t)return!0;const s=t.exp;return s?Date.now()/1e3>s-e:!1}class O{constructor(e,t=0){this.token=e,this.earlyPeriod=t,this.payload=_(e)}get isExpired(){return this.payload?w(this.payload,this.earlyPeriod):!0}}class l{constructor(e,t=0){this.token=e,this.earlyPeriod=t,this.access=new O(e.accessToken,t),this.refresh=new O(e.refreshToken,t)}get isRefreshNeeded(){return this.access.isExpired}get isRefreshable(){return!this.refresh.isExpired}}class f{constructor(e=0){this.earlyPeriod=e}deserialize(e){const t=JSON.parse(e);return new l(t,this.earlyPeriod)}serialize(e){return JSON.stringify(e.token)}}const v=new f;class Z{constructor(e,t){this.tokenStorage=e,this.tokenRefresher=t}get currentToken(){return this.tokenStorage.get()}async refresh(e){if(!e){const t=this.currentToken;if(!t)throw new Error("No token found");e=t.token}return this.refreshInProgress?this.refreshInProgress:(this.refreshInProgress=this.tokenRefresher.refresh(e).then(t=>{this.tokenStorage.setCompositeToken(t)}).catch(t=>{throw this.tokenStorage.remove(),t}).finally(()=>{this.refreshInProgress=void 0}),this.refreshInProgress)}get isRefreshNeeded(){return this.currentToken?this.currentToken.isRefreshNeeded:!1}get isRefreshable(){return this.currentToken?this.currentToken.isRefreshable:!1}}const D="ResourceAttributionRequestInterceptor",y=Number.MAX_SAFE_INTEGER;class F{constructor({tenantId:e="tenantId",ownerId:t="ownerId",tokenStorage:s}){this.name=D,this.order=y,this.tenantIdPathKey=e,this.ownerIdPathKey=t,this.tokenStorage=s}intercept(e){const t=this.tokenStorage.get();if(!t)return;const s=t.access.payload;if(!s||!s.tenantId&&!s.sub)return;const o=e.fetcher.urlBuilder.urlTemplateResolver.extractPathParams(e.request.url),T=this.tenantIdPathKey,E=e.ensureRequestUrlParams().path,z=s.tenantId;z&&o.includes(T)&&!E[T]&&(E[T]=z);const S=this.ownerIdPathKey,M=s.sub;M&&o.includes(S)&&!E[S]&&(E[S]=M)}}class B{constructor(e){this.options=e}refresh(e){return this.options.fetcher.post(this.options.endpoint,{body:e},{resultExtractor:a.ResultExtractors.Json,attributes:new Map([[d,!0]])})}}const m="cosec-token";class L extends R.KeyStorage{constructor(e=m,t=0){super({key:e,storage:R.createListenableStorage(),serializer:new f(t)}),this.earlyPeriod=t}setCompositeToken(e){this.set(new l(e))}}r.AUTHORIZATION_REQUEST_INTERCEPTOR_NAME=C,r.AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER=g,r.AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME=P,r.AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER=k,r.AuthorizationRequestInterceptor=Q,r.AuthorizationResponseInterceptor=H,r.AuthorizeResults=b,r.COSEC_REQUEST_INTERCEPTOR_NAME=A,r.COSEC_REQUEST_INTERCEPTOR_ORDER=I,r.CoSecHeaders=i,r.CoSecRequestInterceptor=K,r.CoSecTokenRefresher=B,r.DEFAULT_COSEC_DEVICE_ID_KEY=U,r.DEFAULT_COSEC_TOKEN_KEY=m,r.DeviceIdStorage=J,r.IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY=d,r.JwtCompositeToken=l,r.JwtCompositeTokenSerializer=f,r.JwtToken=O,r.JwtTokenManager=Z,r.NanoIdGenerator=p,r.RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME=D,r.RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER=y,r.ResourceAttributionRequestInterceptor=F,r.ResponseCodes=h,r.TokenStorage=L,r.idGenerator=u,r.isTokenExpired=w,r.jwtCompositeTokenSerializer=v,r.parseJwtPayload=_,Object.defineProperty(r,Symbol.toStringTag,{value:"Module"})}));
 //# sourceMappingURL=index.umd.js.map

package/dist/index.umd.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.umd.js","sources":["../src/types.ts","../src/idGenerator.ts","../src/cosecRequestInterceptor.ts","../src/authorizationRequestInterceptor.ts","../src/authorizationResponseInterceptor.ts","../../storage/dist/index.es.js","../src/deviceIdStorage.ts","../src/jwts.ts","../src/jwtToken.ts","../src/jwtTokenManager.ts","../src/resourceAttributionRequestInterceptor.ts","../src/tokenRefresher.ts","../src/tokenStorage.ts"],"sourcesContent":["/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { DeviceIdStorage } from './deviceIdStorage';\nimport { JwtTokenManager } from './jwtTokenManager';\n\n/**\n * CoSec HTTP headers enumeration.\n */\nexport class CoSecHeaders {\n  static readonly DEVICE_ID = 'CoSec-Device-Id';\n  static readonly APP_ID = 'CoSec-App-Id';\n  static readonly AUTHORIZATION = 'Authorization';\n  static readonly REQUEST_ID = 'CoSec-Request-Id';\n}\n\nexport class ResponseCodes {\n  static readonly UNAUTHORIZED = 401;\n}\n\nexport interface AppIdCapable {\n  /**\n   * Application ID to be sent in the CoSec-App-Id header.\n   */\n  appId: string;\n}\n\nexport interface DeviceIdStorageCapable {\n  deviceIdStorage: DeviceIdStorage;\n}\n\nexport interface JwtTokenManagerCapable {\n  tokenManager: JwtTokenManager;\n}\n\n/**\n * CoSec options interface.\n */\nexport interface CoSecOptions\n  extends AppIdCapable,\n    DeviceIdStorageCapable,\n    JwtTokenManagerCapable {\n}\n\n/**\n * Authorization result interface.\n */\nexport interface AuthorizeResult {\n  authorized: boolean;\n  reason: string;\n}\n\n/**\n * Authorization result constants.\n */\nexport const AuthorizeResults = {\n  ALLOW: { authorized: true, reason: 'Allow' },\n  EXPLICIT_DENY: { authorized: false, reason: 'Explicit Deny' },\n  IMPLICIT_DENY: { authorized: false, reason: 'Implicit Deny' },\n  TOKEN_EXPIRED: { authorized: false, reason: 'Token Expired' },\n  TOO_MANY_REQUESTS: { authorized: false, reason: 'Too Many Requests' },\n};\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { nanoid } from 'nanoid';\n\nexport interface IdGenerator {\n  generateId(): string;\n}\n\n/**\n * Nano ID implementation of IdGenerator.\n * Generates unique request IDs using Nano ID.\n */\nexport class NanoIdGenerator implements IdGenerator {\n  /**\n   * Generate a unique request ID.\n   *\n   * @returns A unique request ID\n   */\n  generateId(): string {\n    return nanoid();\n  }\n}\n\nexport const idGenerator = new NanoIdGenerator();\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  FetchExchange,\n  REQUEST_BODY_INTERCEPTOR_ORDER,\n  type RequestInterceptor,\n} from '@ahoo-wang/fetcher';\nimport { AppIdCapable, CoSecHeaders, DeviceIdStorageCapable } from './types';\nimport { idGenerator } from './idGenerator';\n\nexport interface CoSecRequestOptions\n  extends AppIdCapable,\n    DeviceIdStorageCapable {\n}\n\n/**\n * The name of the CoSecRequestInterceptor.\n */\nexport const COSEC_REQUEST_INTERCEPTOR_NAME = 'CoSecRequestInterceptor';\n\n/**\n * The order of the CoSecRequestInterceptor.\n * Set to REQUEST_BODY_INTERCEPTOR_ORDER + 1000 to ensure it runs after RequestBodyInterceptor.\n */\nexport const COSEC_REQUEST_INTERCEPTOR_ORDER =\n  REQUEST_BODY_INTERCEPTOR_ORDER + 1000;\n\nexport const IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY = 'Ignore-Refresh-Token';\n\n/**\n * Interceptor that automatically adds CoSec authentication headers to requests.\n *\n * This interceptor adds the following headers to each request:\n * - CoSec-Device-Id: Device identifier (stored in localStorage or generated)\n * - CoSec-App-Id: Application identifier\n * - CoSec-Request-Id: Unique request identifier for each request\n *\n * @remarks\n * This interceptor runs after RequestBodyInterceptor but before FetchInterceptor.\n * The order is set to COSEC_REQUEST_INTERCEPTOR_ORDER to ensure it runs after\n * request body processing but before the actual HTTP request is made. This positioning\n * allows for proper authentication header addition after all request body transformations\n * are complete, ensuring that the final request is properly authenticated before\n * being sent over the network.\n */\nexport class CoSecRequestInterceptor implements RequestInterceptor {\n  readonly name = COSEC_REQUEST_INTERCEPTOR_NAME;\n  readonly order = COSEC_REQUEST_INTERCEPTOR_ORDER;\n  private options: CoSecRequestOptions;\n\n  /**\n   * Creates a new CoSecRequestInterceptor instance.\n   * @param options - The CoSec configuration options including appId, deviceIdStorage, and tokenManager\n   */\n  constructor(options: CoSecRequestOptions) {\n    this.options = options;\n  }\n\n  /**\n   * Intercept requests to add CoSec authentication headers.\n   *\n   * This method adds the following headers to each request:\n   * - CoSec-App-Id: The application identifier from the CoSec options\n   * - CoSec-Device-Id: A unique device identifier, either retrieved from storage or generated\n   * - CoSec-Request-Id: A unique identifier for this specific request\n   *\n   * @param exchange - The fetch exchange containing the request to process\n   *\n   * @remarks\n   * This method runs after RequestBodyInterceptor but before FetchInterceptor.\n   * It ensures that authentication headers are added to the request after all\n   * body processing is complete. The positioning allows for proper authentication\n   * header addition after all request body transformations are finished, ensuring\n   * that the final request is properly authenticated before being sent over the network.\n   * This execution order prevents authentication headers from being overwritten by\n   * subsequent request processing interceptors.\n   *\n   * The method also handles token refreshing when the current token is expired but still refreshable.\n   * It will attempt to refresh the token before adding the Authorization header to the request.\n   */\n  async intercept(exchange: FetchExchange) {\n    // Generate a unique request ID for this request\n    const requestId = idGenerator.generateId();\n\n    // Get or create a device ID\n    const deviceId = this.options.deviceIdStorage.getOrCreate();\n\n    // Ensure request headers object exists\n    const requestHeaders = exchange.ensureRequestHeaders();\n\n    // Add CoSec headers to the request\n    requestHeaders[CoSecHeaders.APP_ID] = this.options.appId;\n    requestHeaders[CoSecHeaders.DEVICE_ID] = deviceId;\n    requestHeaders[CoSecHeaders.REQUEST_ID] = requestId;\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { FetchExchange, RequestInterceptor } from '@ahoo-wang/fetcher';\nimport {\n  COSEC_REQUEST_INTERCEPTOR_ORDER,\n  IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY,\n} from './cosecRequestInterceptor';\nimport { CoSecHeaders, JwtTokenManagerCapable } from './types';\n\n// eslint-disable-next-line @typescript-eslint/no-empty-object-type\nexport interface AuthorizationInterceptorOptions\n  extends JwtTokenManagerCapable {\n}\n\nexport const AUTHORIZATION_REQUEST_INTERCEPTOR_NAME =\n  'AuthorizationRequestInterceptor';\nexport const AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER =\n  COSEC_REQUEST_INTERCEPTOR_ORDER + 1000;\n\n/**\n * Request interceptor that automatically adds Authorization header to requests.\n *\n * This interceptor handles JWT token management by:\n * 1. Adding Authorization header with Bearer token if not already present\n * 2. Refreshing tokens when needed and possible\n * 3. Skipping refresh when explicitly requested via attributes\n *\n * The interceptor runs after CoSecRequestInterceptor but before FetchInterceptor in the chain.\n */\nexport class AuthorizationRequestInterceptor implements RequestInterceptor {\n  readonly name = AUTHORIZATION_REQUEST_INTERCEPTOR_NAME;\n  readonly order = AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER;\n\n  /**\n   * Creates an AuthorizationRequestInterceptor instance.\n   *\n   * @param options - Configuration options containing the token manager\n   */\n  constructor(private readonly options: AuthorizationInterceptorOptions) {\n  }\n\n  /**\n   * Intercepts the request exchange to add authorization headers.\n   *\n   * This method performs the following operations:\n   * 1. Checks if a token exists and if Authorization header is already set\n   * 2. Refreshes the token if needed, possible, and not explicitly ignored\n   * 3. Adds the Authorization header with Bearer token if a token is available\n   *\n   * @param exchange - The fetch exchange containing request information\n   * @returns Promise that resolves when the interception is complete\n   */\n  async intercept(exchange: FetchExchange): Promise<void> {\n    // Get the current token from token manager\n    let currentToken = this.options.tokenManager.currentToken;\n\n    const requestHeaders = exchange.ensureRequestHeaders();\n\n    // Skip if no token exists or Authorization header is already set\n    if (!currentToken || requestHeaders[CoSecHeaders.AUTHORIZATION]) {\n      return;\n    }\n\n    // Refresh token if needed and refreshable\n    if (\n      !exchange.attributes.has(IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY) &&\n      currentToken.isRefreshNeeded &&\n      currentToken.isRefreshable\n    ) {\n      await this.options.tokenManager.refresh();\n    }\n\n    // Get the current token again (might have been refreshed)\n    currentToken = this.options.tokenManager.currentToken;\n\n    // Add Authorization header if we have a token\n    if (currentToken) {\n      requestHeaders[CoSecHeaders.AUTHORIZATION] =\n        `Bearer ${currentToken.access.token}`;\n    }\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { ResponseCodes } from './types';\nimport { FetchExchange, type ResponseInterceptor } from '@ahoo-wang/fetcher';\nimport { AuthorizationInterceptorOptions } from './authorizationRequestInterceptor';\n\n/**\n * The name of the AuthorizationResponseInterceptor.\n */\nexport const AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME =\n  'AuthorizationResponseInterceptor';\n\n/**\n * The order of the AuthorizationResponseInterceptor.\n * Set to a high negative value to ensure it runs early in the interceptor chain.\n */\nexport const AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER =\n  Number.MIN_SAFE_INTEGER + 1000;\n\n/**\n * CoSecResponseInterceptor is responsible for handling unauthorized responses (401)\n * by attempting to refresh the authentication token and retrying the original request.\n *\n * This interceptor:\n * 1. Checks if the response status is 401 (UNAUTHORIZED)\n * 2. If so, and if there's a current token, attempts to refresh it\n * 3. On successful refresh, stores the new token and retries the original request\n * 4. On refresh failure, clears stored tokens and propagates the error\n */\nexport class AuthorizationResponseInterceptor implements ResponseInterceptor {\n  readonly name = AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME;\n  readonly order = AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER;\n  private options: AuthorizationInterceptorOptions;\n\n  /**\n   * Creates a new AuthorizationResponseInterceptor instance.\n   * @param options - The CoSec configuration options including token storage and refresher\n   */\n  constructor(options: AuthorizationInterceptorOptions) {\n    this.options = options;\n  }\n\n  /**\n   * Intercepts the response and handles unauthorized responses by refreshing tokens.\n   * @param exchange - The fetch exchange containing request and response information\n   */\n  async intercept(exchange: FetchExchange): Promise<void> {\n    const response = exchange.response;\n    // If there's no response, nothing to intercept\n    if (!response) {\n      return;\n    }\n\n    // Only handle unauthorized responses (401)\n    if (response.status !== ResponseCodes.UNAUTHORIZED) {\n      return;\n    }\n\n    if (!this.options.tokenManager.isRefreshable) {\n      return;\n    }\n    try {\n      await this.options.tokenManager.refresh();\n      // Retry the original request with the new token\n      await exchange.fetcher.interceptors.exchange(exchange);\n    } catch (error) {\n      // If token refresh fails, clear stored tokens and re-throw the error\n      this.options.tokenManager.tokenStorage.remove();\n      throw error;\n    }\n  }\n}\n","function a() {\n  return typeof window < \"u\";\n}\nclass n {\n  constructor() {\n    this.store = /* @__PURE__ */ new Map(), this.listeners = /* @__PURE__ */ new Set();\n  }\n  /**\n   * Gets the number of items stored in the storage.\n   */\n  get length() {\n    return this.store.size;\n  }\n  /**\n   * Clears all items from the storage.\n   */\n  clear() {\n    this.store.clear();\n  }\n  /**\n   * Gets an item from the storage.\n   * @param key - The key of the item to retrieve\n   * @returns The value of the item, or null if the item does not exist\n   */\n  getItem(e) {\n    const t = this.store.get(e);\n    return t !== void 0 ? t : null;\n  }\n  /**\n   * Gets the key at the specified index.\n   * @param index - The index of the key to retrieve\n   * @returns The key at the specified index, or null if the index is out of bounds\n   */\n  key(e) {\n    return Array.from(this.store.keys())[e] || null;\n  }\n  /**\n   * Removes an item from the storage.\n   * @param key - The key of the item to remove\n   */\n  removeItem(e) {\n    const t = this.getItem(e);\n    this.store.has(e) && (this.store.delete(e), this.notifyListeners({\n      key: e,\n      oldValue: t,\n      newValue: null\n    }));\n  }\n  /**\n   * Sets an item in the storage.\n   * @param key - The key of the item to set\n   * @param value - The value to set\n   */\n  setItem(e, t) {\n    const r = this.getItem(e);\n    this.store.set(e, t), this.notifyListeners({ key: e, oldValue: r, newValue: t });\n  }\n  /**\n   * Adds a listener for storage changes.\n   * @param listener - The listener function to be called when storage changes\n   * @returns A function that can be called to remove the listener\n   */\n  addListener(e) {\n    return this.listeners.add(e), () => this.listeners.delete(e);\n  }\n  /**\n   * Notifies all listeners of a storage change by creating and dispatching a StorageEvent.\n   * @param eventInit - The initialization object for the StorageEvent\n   */\n  notifyListeners(e) {\n    a() && window.location && (e.url = e.url || window.location.href), e.storageArea = this, this.listeners.forEach((t) => {\n      try {\n        t(e);\n      } catch (r) {\n        console.error(\"Error in storage change listener:\", r);\n      }\n    });\n  }\n}\nclass o {\n  /**\n   * Creates a new BrowserListenableStorage instance.\n   * @param storage - The native Storage object to wrap (e.g., localStorage or sessionStorage)\n   */\n  constructor(e) {\n    this.storage = e;\n  }\n  /**\n   * Gets the number of items stored in the storage.\n   */\n  get length() {\n    return this.storage.length;\n  }\n  /**\n   * Adds a listener for storage changes.\n   * @param listener - The listener function to be called when storage changes\n   * @returns A function that can be called to remove the listener\n   */\n  addListener(e) {\n    const t = (r) => {\n      r.storageArea === this.storage && e(r);\n    };\n    return window.addEventListener(i, t), () => window.removeEventListener(i, t);\n  }\n  /**\n   * Clears all items from the storage.\n   */\n  clear() {\n    this.storage.clear();\n  }\n  /**\n   * Gets an item from the storage.\n   * @param key - The key of the item to retrieve\n   * @returns The value of the item, or null if the item does not exist\n   */\n  getItem(e) {\n    return this.storage.getItem(e);\n  }\n  /**\n   * Gets the key at the specified index.\n   * @param index - The index of the key to retrieve\n   * @returns The key at the specified index, or null if the index is out of bounds\n   */\n  key(e) {\n    return this.storage.key(e);\n  }\n  /**\n   * Removes an item from the storage.\n   * @param key - The key of the item to remove\n   */\n  removeItem(e) {\n    this.storage.removeItem(e);\n  }\n  /**\n   * Sets an item in the storage.\n   * @param key - The key of the item to set\n   * @param value - The value to set\n   */\n  setItem(e, t) {\n    this.storage.setItem(e, t);\n  }\n}\nconst i = \"storage\", h = () => a() ? new o(window.localStorage) : new n();\nclass l {\n  /**\n   * Serializes a value to a JSON string\n   * @param value The value to serialize\n   * @returns The JSON string representation of the value\n   */\n  /**\n   * Serializes a value to a JSON string\n   * @param value The value to serialize\n   * @returns The JSON string representation of the value\n   */\n  serialize(e) {\n    return JSON.stringify(e);\n  }\n  /**\n   * Deserializes a JSON string to a value\n   * @template V The type of the deserialized value\n   * @param value The JSON string to deserialize\n   * @returns The deserialized value\n   */\n  /**\n   * Deserializes a JSON string to a value\n   * @param value The JSON string to deserialize\n   * @returns The deserialized value\n   */\n  deserialize(e) {\n    return JSON.parse(e);\n  }\n}\nclass c {\n  /**\n   * Returns the value as-is without serialization\n   * @param value The value to pass through\n   * @returns The same value that was passed in\n   */\n  /**\n   * Returns the value as-is without serialization\n   * @param value The value to pass through\n   * @returns The same value that was passed in\n   */\n  serialize(e) {\n    return e;\n  }\n  /**\n   * Returns the value as-is without deserialization\n   * @template Deserialized The type of the deserialized value\n   * @param value The value to pass through\n   * @returns The same value that was passed in, cast to the target type\n   */\n  /**\n   * Returns the value as-is without deserialization\n   * @param value The value to pass through\n   * @returns The same value that was passed in\n   */\n  deserialize(e) {\n    return e;\n  }\n}\nconst d = new l(), u = new c();\nfunction g() {\n  return u;\n}\nclass w {\n  /**\n   * Creates a new KeyStorage instance\n   * @param options Configuration options for the storage\n   */\n  constructor(e) {\n    this.cacheValue = null, this.refreshCacheListener = (t) => {\n      this.cacheValue = null, t.newValue && this.refreshCache(t.newValue);\n    }, this.key = e.key, this.serializer = e.serializer ?? g(), this.storage = e.storage ?? h(), this.addListener(this.refreshCacheListener);\n  }\n  /**\n   * Refreshes the cached value by deserializing the provided string\n   * @param value The serialized value to deserialize and cache\n   */\n  refreshCache(e) {\n    this.cacheValue = this.serializer.deserialize(e);\n  }\n  addListener(e) {\n    const t = (r) => {\n      r.key === this.key && e(r);\n    };\n    return this.storage.addListener(t);\n  }\n  /**\n   * Gets the value associated with the key from storage\n   * Uses cached value if available, otherwise retrieves from storage and caches it\n   * @returns The deserialized value or null if no value is found\n   */\n  get() {\n    if (this.cacheValue)\n      return this.cacheValue;\n    const e = this.storage.getItem(this.key);\n    return e ? (this.refreshCache(e), this.cacheValue) : null;\n  }\n  /**\n   * Sets the value associated with the key in storage\n   * Also updates the cached value\n   * @param value The value to serialize and store\n   */\n  set(e) {\n    const t = this.serializer.serialize(e);\n    this.storage.setItem(this.key, t), this.cacheValue = e;\n  }\n  /**\n   * Removes the value associated with the key from storage\n   * Also clears the cached value\n   */\n  remove() {\n    this.storage.removeItem(this.key), this.cacheValue = null;\n  }\n}\nexport {\n  o as BrowserListenableStorage,\n  c as IdentitySerializer,\n  n as InMemoryListenableStorage,\n  l as JsonSerializer,\n  w as KeyStorage,\n  i as STORAGE_EVENT_TYPE,\n  h as createListenableStorage,\n  u as identitySerializer,\n  a as isBrowser,\n  d as jsonSerializer,\n  g as typedIdentitySerializer\n};\n//# sourceMappingURL=index.es.js.map\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { idGenerator } from './idGenerator';\nimport {\n  createListenableStorage,\n  IdentitySerializer,\n  KeyStorage,\n} from '@ahoo-wang/fetcher-storage';\n\nexport const DEFAULT_COSEC_DEVICE_ID_KEY = 'cosec-device-id';\n\n/**\n * Storage class for managing device identifiers.\n */\nexport class DeviceIdStorage extends KeyStorage<string> {\n  constructor(key: string = DEFAULT_COSEC_DEVICE_ID_KEY) {\n    super({\n      key,\n      serializer: new IdentitySerializer<string>(),\n      storage: createListenableStorage(),\n    });\n  }\n\n  /**\n   * Generate a new device ID.\n   *\n   * @returns A newly generated device ID\n   */\n  generateDeviceId(): string {\n    return idGenerator.generateId();\n  }\n\n  /**\n   * Get or create a device ID.\n   *\n   * @returns The existing device ID if available, otherwise a newly generated one\n   */\n  getOrCreate(): string {\n    // Try to get existing device ID from storage\n    let deviceId = this.get();\n    if (!deviceId) {\n      // Generate a new device ID and store it\n      deviceId = this.generateDeviceId();\n      this.set(deviceId);\n    }\n\n    return deviceId;\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n/**\n * Interface representing a JWT payload as defined in RFC 7519.\n * Contains standard JWT claims as well as custom properties.\n */\nexport interface JwtPayload {\n  /**\n   * JWT ID - provides a unique identifier for the JWT.\n   */\n  jti?: string;\n  /**\n   * Subject - identifies the principal that is the subject of the JWT.\n   */\n  sub?: string;\n  /**\n   * Issuer - identifies the principal that issued the JWT.\n   */\n  iss?: string;\n  /**\n   * Audience - identifies the recipients that the JWT is intended for.\n   * Can be a single string or an array of strings.\n   */\n  aud?: string | string[];\n  /**\n   * Expiration Time - identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.\n   * Represented as NumericDate (seconds since Unix epoch).\n   */\n  exp?: number;\n  /**\n   * Not Before - identifies the time before which the JWT MUST NOT be accepted for processing.\n   * Represented as NumericDate (seconds since Unix epoch).\n   */\n  nbf?: number;\n  /**\n   * Issued At - identifies the time at which the JWT was issued.\n   * Represented as NumericDate (seconds since Unix epoch).\n   */\n  iat?: number;\n\n  /**\n   * Allows additional custom properties to be included in the payload.\n   */\n  [key: string]: any;\n}\n\n/**\n * Interface representing a JWT payload with CoSec-specific extensions.\n * Extends the standard JwtPayload interface with additional CoSec-specific properties.\n */\nexport interface CoSecJwtPayload extends JwtPayload {\n  /**\n   * Tenant identifier - identifies the tenant scope for the JWT.\n   */\n  tenantId?: string;\n  /**\n   * Policies - array of policy identifiers associated with the JWT.\n   * These are security policies defined internally by Cosec.\n   */\n  policies?: string[];\n  /**\n   * Roles - array of role identifiers associated with the JWT.\n   * Role IDs indicate what roles the token belongs to.\n   */\n  roles?: string[];\n  /**\n   * Attributes - custom key-value pairs providing additional information about the JWT.\n   */\n  attributes?: Record<string, any>;\n}\n\n/**\n * Parses a JWT token and extracts its payload.\n *\n * This function decodes the payload part of a JWT token, handling Base64URL decoding\n * and JSON parsing. It validates the token structure and returns null for invalid tokens.\n *\n * @param token - The JWT token string to parse\n * @returns The parsed JWT payload or null if parsing fails\n */\nexport function parseJwtPayload<T extends JwtPayload>(token: string): T | null {\n  try {\n    const parts = token.split('.');\n    if (parts.length !== 3) {\n      return null;\n    }\n\n    const base64Url = parts[1];\n    const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');\n\n    // Add padding if needed\n    const paddedBase64 = base64.padEnd(\n      base64.length + ((4 - (base64.length % 4)) % 4),\n      '=',\n    );\n\n    const jsonPayload = decodeURIComponent(\n      atob(paddedBase64)\n        .split('')\n        .map(function(c) {\n          return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);\n        })\n        .join(''),\n    );\n    return JSON.parse(jsonPayload) as T;\n  } catch (error) {\n    // Avoid exposing sensitive information in error logs\n    console.error('Failed to parse JWT token', error);\n    return null;\n  }\n}\n\nexport interface EarlyPeriodCapable {\n  /**\n   * The time in seconds before actual expiration when the token should be considered expired (default: 0)\n   */\n  readonly earlyPeriod: number;\n}\n\n/**\n * Checks if a JWT token is expired based on its expiration time (exp claim).\n *\n * This function determines if a JWT token has expired by comparing its exp claim\n * with the current time. If the token is a string, it will be parsed first.\n * Tokens without an exp claim are considered not expired.\n *\n * The early period parameter allows for early token expiration, which is useful\n * for triggering token refresh before the token actually expires. This helps\n * avoid race conditions where a token expires between the time it is checked and\n * the time it is used.\n *\n * @param token - The JWT token to check, either as a string or as a JwtPayload object\n * @param earlyPeriod - The time in seconds before actual expiration when the token should be considered expired (default: 0)\n * @returns true if the token is expired (or will expire within the early period) or cannot be parsed, false otherwise\n */\nexport function isTokenExpired(\n  token: string | CoSecJwtPayload,\n  earlyPeriod: number = 0,\n): boolean {\n  const payload = typeof token === 'string' ? parseJwtPayload(token) : token;\n  if (!payload) {\n    return true;\n  }\n\n  const expAt = payload.exp;\n  if (!expAt) {\n    return false;\n  }\n\n  const now = Date.now() / 1000;\n  return now > expAt - earlyPeriod;\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  CoSecJwtPayload,\n  EarlyPeriodCapable,\n  isTokenExpired,\n  JwtPayload,\n  parseJwtPayload,\n} from './jwts';\nimport { CompositeToken } from './tokenRefresher';\nimport { Serializer } from '@ahoo-wang/fetcher-storage';\n\n/**\n * Interface for JWT token with typed payload\n * @template Payload The type of the JWT payload\n */\nexport interface IJwtToken<Payload extends JwtPayload>\n  extends EarlyPeriodCapable {\n  readonly token: string;\n  readonly payload: Payload | null;\n\n  isExpired: boolean;\n}\n\n/**\n * Class representing a JWT token with typed payload\n * @template Payload The type of the JWT payload\n */\nexport class JwtToken<Payload extends JwtPayload>\n  implements IJwtToken<Payload> {\n  public readonly payload: Payload | null;\n\n  /**\n   * Creates a new JwtToken instance\n   */\n  constructor(\n    public readonly token: string,\n    public readonly earlyPeriod: number = 0,\n  ) {\n    this.payload = parseJwtPayload<Payload>(token);\n  }\n\n  /**\n   * Checks if the token is expired\n   * @returns true if the token is expired, false otherwise\n   */\n  get isExpired(): boolean {\n    if (!this.payload) {\n      return true;\n    }\n    return isTokenExpired(this.payload, this.earlyPeriod);\n  }\n}\n\nexport interface RefreshTokenStatusCapable {\n  /**\n   * Checks if the access token needs to be refreshed\n   * @returns true if the access token is expired, false otherwise\n   */\n  readonly isRefreshNeeded: boolean;\n  /**\n   * Checks if the refresh token is still valid and can be used to refresh the access token\n   * @returns true if the refresh token is not expired, false otherwise\n   */\n  readonly isRefreshable: boolean;\n}\n\n/**\n * Class representing a composite token containing both access and refresh tokens\n */\nexport class JwtCompositeToken\n  implements EarlyPeriodCapable, RefreshTokenStatusCapable {\n  public readonly access: JwtToken<CoSecJwtPayload>;\n  public readonly refresh: JwtToken<JwtPayload>;\n\n  /**\n   * Creates a new JwtCompositeToken instance\n   */\n  constructor(\n    public readonly token: CompositeToken,\n    public readonly earlyPeriod: number = 0,\n  ) {\n    this.access = new JwtToken(token.accessToken, earlyPeriod);\n    this.refresh = new JwtToken(token.refreshToken, earlyPeriod);\n  }\n\n  /**\n   * Checks if the access token needs to be refreshed\n   * @returns true if the access token is expired, false otherwise\n   */\n  get isRefreshNeeded(): boolean {\n    return this.access.isExpired;\n  }\n\n  /**\n   * Checks if the refresh token is still valid and can be used to refresh the access token\n   * @returns true if the refresh token is not expired, false otherwise\n   */\n  get isRefreshable(): boolean {\n    return !this.refresh.isExpired;\n  }\n}\n\n/**\n * Serializer for JwtCompositeToken that handles conversion to and from JSON strings\n */\nexport class JwtCompositeTokenSerializer\n  implements Serializer<string, JwtCompositeToken>, EarlyPeriodCapable {\n  constructor(public readonly earlyPeriod: number = 0) {\n  }\n\n  /**\n   * Deserializes a JSON string to a JwtCompositeToken\n   * @param value The JSON string representation of a composite token\n   * @returns A JwtCompositeToken instance\n   */\n  deserialize(value: string): JwtCompositeToken {\n    const compositeToken = JSON.parse(value) as CompositeToken;\n    return new JwtCompositeToken(compositeToken, this.earlyPeriod);\n  }\n\n  /**\n   * Serializes a JwtCompositeToken to a JSON string\n   * @param value The JwtCompositeToken to serialize\n   * @returns A JSON string representation of the composite token\n   */\n  serialize(value: JwtCompositeToken): string {\n    return JSON.stringify(value.token);\n  }\n}\n\nexport const jwtCompositeTokenSerializer = new JwtCompositeTokenSerializer();\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { TokenStorage } from './tokenStorage';\nimport { CompositeToken, TokenRefresher } from './tokenRefresher';\nimport { JwtCompositeToken, RefreshTokenStatusCapable } from './jwtToken';\n\n/**\n * Manages JWT token refreshing operations and provides status information\n */\nexport class JwtTokenManager implements RefreshTokenStatusCapable {\n  private refreshInProgress?: Promise<void>;\n\n  /**\n   * Creates a new JwtTokenManager instance\n   * @param tokenStorage The storage used to persist tokens\n   * @param tokenRefresher The refresher used to refresh expired tokens\n   */\n  constructor(\n    public readonly tokenStorage: TokenStorage,\n    public readonly tokenRefresher: TokenRefresher,\n  ) {\n  }\n\n  /**\n   * Gets the current JWT composite token from storage\n   * @returns The current token or null if none exists\n   */\n  get currentToken(): JwtCompositeToken | null {\n    return this.tokenStorage.get();\n  }\n\n  /**\n   * Refreshes the JWT token\n   * @param currentToken Optional current token to refresh. If not provided, uses the stored token.\n   * @returns Promise that resolves when refresh is complete\n   * @throws Error if no token is found or refresh fails\n   */\n  async refresh(currentToken?: CompositeToken): Promise<void> {\n    if (!currentToken) {\n      const jwtToken = this.currentToken;\n      if (!jwtToken) {\n        throw new Error('No token found');\n      }\n      currentToken = jwtToken.token;\n    }\n    if (this.refreshInProgress) {\n      return this.refreshInProgress;\n    }\n\n    this.refreshInProgress = this.tokenRefresher\n      .refresh(currentToken)\n      .then(newToken => {\n        this.tokenStorage.setCompositeToken(newToken);\n      })\n      .catch(error => {\n        this.tokenStorage.remove();\n        throw error;\n      })\n      .finally(() => {\n        this.refreshInProgress = undefined;\n      });\n\n    return this.refreshInProgress;\n  }\n\n  /**\n   * Indicates if the current token needs to be refreshed\n   * @returns true if the access token is expired and needs refresh, false otherwise\n   */\n  get isRefreshNeeded(): boolean {\n    if (!this.currentToken) {\n      return false;\n    }\n    return this.currentToken.isRefreshNeeded;\n  }\n\n  /**\n   * Indicates if the current token can be refreshed\n   * @returns true if the refresh token is still valid, false otherwise\n   */\n  get isRefreshable(): boolean {\n    if (!this.currentToken) {\n      return false;\n    }\n    return this.currentToken.isRefreshable;\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { FetchExchange, RequestInterceptor } from '@ahoo-wang/fetcher';\nimport { TokenStorage } from './tokenStorage';\n\n/**\n * Configuration options for resource attribution\n */\nexport interface ResourceAttributionOptions {\n  /**\n   * The path parameter key used for tenant ID in URL templates\n   */\n  tenantId?: string;\n  /**\n   * The path parameter key used for owner ID in URL templates\n   */\n  ownerId?: string;\n  /**\n   * Storage mechanism for retrieving current authentication tokens\n   */\n  tokenStorage: TokenStorage;\n}\n\n/**\n * Name identifier for the ResourceAttributionRequestInterceptor\n */\nexport const RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME =\n  'ResourceAttributionRequestInterceptor';\n/**\n * Order priority for the ResourceAttributionRequestInterceptor, set to maximum safe integer to ensure it runs last\n */\nexport const RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER =\n  Number.MAX_SAFE_INTEGER;\n\n/**\n * Request interceptor that automatically adds tenant and owner ID path parameters to requests\n * based on the current authentication token. This is useful for multi-tenant applications where\n * requests need to include tenant-specific information in the URL path.\n */\nexport class ResourceAttributionRequestInterceptor\n  implements RequestInterceptor {\n  readonly name = RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME;\n  readonly order = RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER;\n  private readonly tenantIdPathKey: string;\n  private readonly ownerIdPathKey: string;\n  private readonly tokenStorage: TokenStorage;\n\n  /**\n   * Creates a new ResourceAttributionRequestInterceptor\n   * @param options - Configuration options for resource attribution including tenantId, ownerId and tokenStorage\n   */\n  constructor({\n                tenantId = 'tenantId',\n                ownerId = 'ownerId',\n                tokenStorage,\n              }: ResourceAttributionOptions) {\n    this.tenantIdPathKey = tenantId;\n    this.ownerIdPathKey = ownerId;\n    this.tokenStorage = tokenStorage;\n  }\n\n  /**\n   * Intercepts outgoing requests and automatically adds tenant and owner ID path parameters\n   * if they are defined in the URL template but not provided in the request.\n   * @param exchange - The fetch exchange containing the request information\n   */\n  intercept(exchange: FetchExchange): void {\n    const currentToken = this.tokenStorage.get();\n    if (!currentToken) {\n      return;\n    }\n    const principal = currentToken.access.payload;\n    if (!principal) {\n      return;\n    }\n    if (!principal.tenantId && !principal.sub) {\n      return;\n    }\n\n    // Extract path parameters from the URL template\n    const extractedPathParams =\n      exchange.fetcher.urlBuilder.urlTemplateResolver.extractPathParams(\n        exchange.request.url,\n      );\n    const tenantIdPathKey = this.tenantIdPathKey;\n    const requestPathParams = exchange.ensureRequestUrlParams().path;\n    const tenantId = principal.tenantId;\n\n    // Add tenant ID to path parameters if it's part of the URL template and not already provided\n    if (\n      tenantId &&\n      extractedPathParams.includes(tenantIdPathKey) &&\n      !requestPathParams[tenantIdPathKey]\n    ) {\n      requestPathParams[tenantIdPathKey] = tenantId;\n    }\n\n    const ownerIdPathKey = this.ownerIdPathKey;\n    const ownerId = principal.sub;\n\n    // Add owner ID to path parameters if it's part of the URL template and not already provided\n    if (\n      ownerId &&\n      extractedPathParams.includes(ownerIdPathKey) &&\n      !requestPathParams[ownerIdPathKey]\n    ) {\n      requestPathParams[ownerIdPathKey] = ownerId;\n    }\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Fetcher, ResultExtractors } from '@ahoo-wang/fetcher';\nimport { IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY } from './cosecRequestInterceptor';\n\n/**\n * Interface for access tokens.\n */\nexport interface AccessToken {\n  accessToken: string;\n}\n\n/**\n * Interface for refresh tokens.\n */\nexport interface RefreshToken {\n  refreshToken: string;\n}\n\n/**\n * Composite token interface that contains both access and refresh tokens.\n *\n * accessToken and refreshToken always appear in pairs, no need to split them.\n */\nexport interface CompositeToken extends AccessToken, RefreshToken {\n}\n\n/**\n * Interface for token refreshers.\n *\n * Provides a method to refresh tokens.\n */\nexport interface TokenRefresher {\n  /**\n   * Refresh the given token and return a new CompositeToken.\n   *\n   * @param token The token to refresh\n   * @returns A Promise that resolves to a new CompositeToken\n   */\n  refresh(token: CompositeToken): Promise<CompositeToken>;\n}\n\nexport interface CoSecTokenRefresherOptions {\n  fetcher: Fetcher;\n  endpoint: string;\n}\n\n/**\n * CoSecTokenRefresher is a class that implements the TokenRefresher interface\n * for refreshing composite tokens through a configured endpoint.\n */\nexport class CoSecTokenRefresher implements TokenRefresher {\n  /**\n   * Creates a new instance of CoSecTokenRefresher.\n   *\n   * @param options The configuration options for the token refresher including fetcher and endpoint\n   */\n  constructor(public readonly options: CoSecTokenRefresherOptions) {\n  }\n\n  /**\n   * Refresh the given token and return a new CompositeToken.\n   *\n   * @param token The token to refresh\n   * @returns A Promise that resolves to a new CompositeToken\n   */\n  refresh(token: CompositeToken): Promise<CompositeToken> {\n    // Send a POST request to the configured endpoint with the token as body\n    // and extract the response as JSON to return a new CompositeToken\n\n    return this.options.fetcher.post<CompositeToken>(\n      this.options.endpoint,\n      {\n        body: token,\n      },\n      {\n        resultExtractor: ResultExtractors.Json,\n        attributes: new Map([[IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY, true]]),\n      },\n    );\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { JwtCompositeToken, JwtCompositeTokenSerializer } from './jwtToken';\nimport { CompositeToken } from './tokenRefresher';\nimport { EarlyPeriodCapable } from './jwts';\nimport {\n  createListenableStorage,\n  KeyStorage,\n} from '@ahoo-wang/fetcher-storage';\n\nexport const DEFAULT_COSEC_TOKEN_KEY = 'cosec-token';\n\n/**\n * Storage class for managing access and refresh tokens.\n */\nexport class TokenStorage\n  extends KeyStorage<JwtCompositeToken>\n  implements EarlyPeriodCapable {\n  constructor(\n    key: string = DEFAULT_COSEC_TOKEN_KEY,\n    public readonly earlyPeriod: number = 0,\n  ) {\n    super({\n      key,\n      storage: createListenableStorage(),\n      serializer: new JwtCompositeTokenSerializer(earlyPeriod),\n    });\n  }\n\n  setCompositeToken(compositeToken: CompositeToken) {\n    this.set(new JwtCompositeToken(compositeToken));\n  }\n}\n"],"names":["_CoSecHeaders","CoSecHeaders","_ResponseCodes","ResponseCodes","AuthorizeResults","NanoIdGenerator","nanoid","idGenerator","COSEC_REQUEST_INTERCEPTOR_NAME","COSEC_REQUEST_INTERCEPTOR_ORDER","REQUEST_BODY_INTERCEPTOR_ORDER","IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY","CoSecRequestInterceptor","options","exchange","requestId","deviceId","requestHeaders","AUTHORIZATION_REQUEST_INTERCEPTOR_NAME","AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER","AuthorizationRequestInterceptor","currentToken","AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME","AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER","AuthorizationResponseInterceptor","response","error","a","n","r","o","i","h","c","u","g","w","DEFAULT_COSEC_DEVICE_ID_KEY","DeviceIdStorage","KeyStorage","key","IdentitySerializer","createListenableStorage","parseJwtPayload","token","parts","base64","paddedBase64","jsonPayload","isTokenExpired","earlyPeriod","payload","expAt","JwtToken","JwtCompositeToken","JwtCompositeTokenSerializer","value","compositeToken","jwtCompositeTokenSerializer","JwtTokenManager","tokenStorage","tokenRefresher","jwtToken","newToken","RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME","RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER","ResourceAttributionRequestInterceptor","tenantId","ownerId","principal","extractedPathParams","tenantIdPathKey","requestPathParams","ownerIdPathKey","CoSecTokenRefresher","ResultExtractors","DEFAULT_COSEC_TOKEN_KEY","TokenStorage"],"mappings":"0UAmBO,MAAMA,EAAN,MAAMA,CAAa,CAK1B,EAJEA,EAAgB,UAAY,kBAC5BA,EAAgB,OAAS,eACzBA,EAAgB,cAAgB,gBAChCA,EAAgB,WAAa,mBAJxB,IAAMC,EAAND,EAOA,MAAME,EAAN,MAAMA,CAAc,CAE3B,EADEA,EAAgB,aAAe,IAD1B,IAAMC,EAAND,EAuCA,MAAME,EAAmB,CAC9B,MAAO,CAAE,WAAY,GAAM,OAAQ,OAAA,EACnC,cAAe,CAAE,WAAY,GAAO,OAAQ,eAAA,EAC5C,cAAe,CAAE,WAAY,GAAO,OAAQ,eAAA,EAC5C,cAAe,CAAE,WAAY,GAAO,OAAQ,eAAA,EAC5C,kBAAmB,CAAE,WAAY,GAAO,OAAQ,mBAAA,CAClD,EChDO,MAAMC,CAAuC,CAMlD,YAAqB,CACnB,OAAOC,SAAA,CACT,CACF,CAEO,MAAMC,EAAc,IAAIF,ECLlBG,EAAiC,0BAMjCC,EACXC,EAAAA,+BAAiC,IAEtBC,EAAqC,uBAkB3C,MAAMC,CAAsD,CASjE,YAAYC,EAA8B,CAR1C,KAAS,KAAOL,EAChB,KAAS,MAAQC,EAQf,KAAK,QAAUI,CACjB,CAwBA,MAAM,UAAUC,EAAyB,CAEvC,MAAMC,EAAYR,EAAY,WAAA,EAGxBS,EAAW,KAAK,QAAQ,gBAAgB,YAAA,EAGxCC,EAAiBH,EAAS,qBAAA,EAGhCG,EAAehB,EAAa,MAAM,EAAI,KAAK,QAAQ,MACnDgB,EAAehB,EAAa,SAAS,EAAIe,EACzCC,EAAehB,EAAa,UAAU,EAAIc,CAC5C,CACF,CCjFO,MAAMG,EACX,kCACWC,EACXV,EAAkC,IAY7B,MAAMW,CAA8D,CASzE,YAA6BP,EAA0C,CAA1C,KAAA,QAAAA,EAR7B,KAAS,KAAOK,EAChB,KAAS,MAAQC,CAQjB,CAaA,MAAM,UAAUL,EAAwC,CAEtD,IAAIO,EAAe,KAAK,QAAQ,aAAa,aAE7C,MAAMJ,EAAiBH,EAAS,qBAAA,EAG5B,CAACO,GAAgBJ,EAAehB,EAAa,aAAa,IAM5D,CAACa,EAAS,WAAW,IAAIH,CAAkC,GAC3DU,EAAa,iBACbA,EAAa,eAEb,MAAM,KAAK,QAAQ,aAAa,QAAA,EAIlCA,EAAe,KAAK,QAAQ,aAAa,aAGrCA,IACFJ,EAAehB,EAAa,aAAa,EACvC,UAAUoB,EAAa,OAAO,KAAK,IAEzC,CACF,CCxEO,MAAMC,EACX,mCAMWC,EACX,OAAO,iBAAmB,IAYrB,MAAMC,CAAgE,CAS3E,YAAYX,EAA0C,CARtD,KAAS,KAAOS,EAChB,KAAS,MAAQC,EAQf,KAAK,QAAUV,CACjB,CAMA,MAAM,UAAUC,EAAwC,CACtD,MAAMW,EAAWX,EAAS,SAE1B,GAAKW,GAKDA,EAAS,SAAWtB,EAAc,cAIjC,KAAK,QAAQ,aAAa,cAG/B,GAAI,CACF,MAAM,KAAK,QAAQ,aAAa,QAAA,EAEhC,MAAMW,EAAS,QAAQ,aAAa,SAASA,CAAQ,CACvD,OAASY,EAAO,CAEd,WAAK,QAAQ,aAAa,aAAa,OAAA,EACjCA,CACR,CACF,CACF,CClFA,SAASC,GAAI,CACX,OAAO,OAAO,OAAS,GACzB,CACA,MAAMC,CAAE,CACN,aAAc,CACZ,KAAK,MAAwB,IAAI,IAAO,KAAK,UAA4B,IAAI,GAC/E,CAIA,IAAI,QAAS,CACX,OAAO,KAAK,MAAM,IACpB,CAIA,OAAQ,CACN,KAAK,MAAM,MAAK,CAClB,CAMA,QAAQ,EAAG,CACT,MAAM,EAAI,KAAK,MAAM,IAAI,CAAC,EAC1B,OAAO,IAAM,OAAS,EAAI,IAC5B,CAMA,IAAI,EAAG,CACL,OAAO,MAAM,KAAK,KAAK,MAAM,MAAM,EAAE,CAAC,GAAK,IAC7C,CAKA,WAAW,EAAG,CACZ,MAAM,EAAI,KAAK,QAAQ,CAAC,EACxB,KAAK,MAAM,IAAI,CAAC,IAAM,KAAK,MAAM,OAAO,CAAC,EAAG,KAAK,gBAAgB,CAC/D,IAAK,EACL,SAAU,EACV,SAAU,IAChB,CAAK,EACH,CAMA,QAAQ,EAAG,EAAG,CACZ,MAAMC,EAAI,KAAK,QAAQ,CAAC,EACxB,KAAK,MAAM,IAAI,EAAG,CAAC,EAAG,KAAK,gBAAgB,CAAE,IAAK,EAAG,SAAUA,EAAG,SAAU,CAAC,CAAE,CACjF,CAMA,YAAY,EAAG,CACb,OAAO,KAAK,UAAU,IAAI,CAAC,EAAG,IAAM,KAAK,UAAU,OAAO,CAAC,CAC7D,CAKA,gBAAgB,EAAG,CACjBF,EAAC,GAAM,OAAO,WAAa,EAAE,IAAM,EAAE,KAAO,OAAO,SAAS,MAAO,EAAE,YAAc,KAAM,KAAK,UAAU,QAAS,GAAM,CACrH,GAAI,CACF,EAAE,CAAC,CACL,OAASE,EAAG,CACV,QAAQ,MAAM,oCAAqCA,CAAC,CACtD,CACF,CAAC,CACH,CACF,CACA,MAAMC,CAAE,CAKN,YAAY,EAAG,CACb,KAAK,QAAU,CACjB,CAIA,IAAI,QAAS,CACX,OAAO,KAAK,QAAQ,MACtB,CAMA,YAAY,EAAG,CACb,MAAM,EAAKD,GAAM,CACfA,EAAE,cAAgB,KAAK,SAAW,EAAEA,CAAC,CACvC,EACA,OAAO,OAAO,iBAAiBE,EAAG,CAAC,EAAG,IAAM,OAAO,oBAAoBA,EAAG,CAAC,CAC7E,CAIA,OAAQ,CACN,KAAK,QAAQ,MAAK,CACpB,CAMA,QAAQ,EAAG,CACT,OAAO,KAAK,QAAQ,QAAQ,CAAC,CAC/B,CAMA,IAAI,EAAG,CACL,OAAO,KAAK,QAAQ,IAAI,CAAC,CAC3B,CAKA,WAAW,EAAG,CACZ,KAAK,QAAQ,WAAW,CAAC,CAC3B,CAMA,QAAQ,EAAG,EAAG,CACZ,KAAK,QAAQ,QAAQ,EAAG,CAAC,CAC3B,CACF,CACA,MAAMA,EAAI,UAAWC,EAAI,IAAML,EAAC,EAAK,IAAIG,EAAE,OAAO,YAAY,EAAI,IAAIF,EA8BtE,MAAMK,CAAE,CAWN,UAAU,EAAG,CACX,OAAO,CACT,CAYA,YAAY,EAAG,CACb,OAAO,CACT,CACF,CACK,MAAcC,EAAI,IAAID,EAC3B,SAASE,GAAI,CACX,OAAOD,CACT,CACA,MAAME,CAAE,CAKN,YAAY,EAAG,CACb,KAAK,WAAa,KAAM,KAAK,qBAAwB,GAAM,CACzD,KAAK,WAAa,KAAM,EAAE,UAAY,KAAK,aAAa,EAAE,QAAQ,CACpE,EAAG,KAAK,IAAM,EAAE,IAAK,KAAK,WAAa,EAAE,YAAcD,EAAC,EAAI,KAAK,QAAU,EAAE,SAAWH,EAAC,EAAI,KAAK,YAAY,KAAK,oBAAoB,CACzI,CAKA,aAAa,EAAG,CACd,KAAK,WAAa,KAAK,WAAW,YAAY,CAAC,CACjD,CACA,YAAY,EAAG,CACb,MAAM,EAAKH,GAAM,CACfA,EAAE,MAAQ,KAAK,KAAO,EAAEA,CAAC,CAC3B,EACA,OAAO,KAAK,QAAQ,YAAY,CAAC,CACnC,CAMA,KAAM,CACJ,GAAI,KAAK,WACP,OAAO,KAAK,WACd,MAAM,EAAI,KAAK,QAAQ,QAAQ,KAAK,GAAG,EACvC,OAAO,GAAK,KAAK,aAAa,CAAC,EAAG,KAAK,YAAc,IACvD,CAMA,IAAI,EAAG,CACL,MAAM,EAAI,KAAK,WAAW,UAAU,CAAC,EACrC,KAAK,QAAQ,QAAQ,KAAK,IAAK,CAAC,EAAG,KAAK,WAAa,CACvD,CAKA,QAAS,CACP,KAAK,QAAQ,WAAW,KAAK,GAAG,EAAG,KAAK,WAAa,IACvD,CACF,CC3OO,MAAMQ,EAA8B,kBAKpC,MAAMC,UAAwBC,CAAmB,CACtD,YAAYC,EAAcH,EAA6B,CACrD,MAAM,CACJ,IAAAG,EACA,WAAY,IAAIC,EAChB,QAASC,EAAA,CAAwB,CAClC,CACH,CAOA,kBAA2B,CACzB,OAAOnC,EAAY,WAAA,CACrB,CAOA,aAAsB,CAEpB,IAAIS,EAAW,KAAK,IAAA,EACpB,OAAKA,IAEHA,EAAW,KAAK,iBAAA,EAChB,KAAK,IAAIA,CAAQ,GAGZA,CACT,CACF,CC+BO,SAAS2B,EAAsCC,EAAyB,CAC7E,GAAI,CACF,MAAMC,EAAQD,EAAM,MAAM,GAAG,EAC7B,GAAIC,EAAM,SAAW,EACnB,OAAO,KAIT,MAAMC,EADYD,EAAM,CAAC,EACA,QAAQ,KAAM,GAAG,EAAE,QAAQ,KAAM,GAAG,EAGvDE,EAAeD,EAAO,OAC1BA,EAAO,QAAW,EAAKA,EAAO,OAAS,GAAM,EAC7C,GAAA,EAGIE,EAAc,mBAClB,KAAKD,CAAY,EACd,MAAM,EAAE,EACR,IAAI,SAASd,EAAG,CACf,MAAO,KAAO,KAAOA,EAAE,WAAW,CAAC,EAAE,SAAS,EAAE,GAAG,MAAM,EAAE,CAC7D,CAAC,EACA,KAAK,EAAE,CAAA,EAEZ,OAAO,KAAK,MAAMe,CAAW,CAC/B,OAAStB,EAAO,CAEd,eAAQ,MAAM,4BAA6BA,CAAK,EACzC,IACT,CACF,CAyBO,SAASuB,EACdL,EACAM,EAAsB,EACb,CACT,MAAMC,EAAU,OAAOP,GAAU,SAAWD,EAAgBC,CAAK,EAAIA,EACrE,GAAI,CAACO,EACH,MAAO,GAGT,MAAMC,EAAQD,EAAQ,IACtB,OAAKC,EAIO,KAAK,IAAA,EAAQ,IACZA,EAAQF,EAJZ,EAKX,CC1HO,MAAMG,CACmB,CAM9B,YACkBT,EACAM,EAAsB,EACtC,CAFgB,KAAA,MAAAN,EACA,KAAA,YAAAM,EAEhB,KAAK,QAAUP,EAAyBC,CAAK,CAC/C,CAMA,IAAI,WAAqB,CACvB,OAAK,KAAK,QAGHK,EAAe,KAAK,QAAS,KAAK,WAAW,EAF3C,EAGX,CACF,CAkBO,MAAMK,CAC8C,CAOzD,YACkBV,EACAM,EAAsB,EACtC,CAFgB,KAAA,MAAAN,EACA,KAAA,YAAAM,EAEhB,KAAK,OAAS,IAAIG,EAAST,EAAM,YAAaM,CAAW,EACzD,KAAK,QAAU,IAAIG,EAAST,EAAM,aAAcM,CAAW,CAC7D,CAMA,IAAI,iBAA2B,CAC7B,OAAO,KAAK,OAAO,SACrB,CAMA,IAAI,eAAyB,CAC3B,MAAO,CAAC,KAAK,QAAQ,SACvB,CACF,CAKO,MAAMK,CAC0D,CACrE,YAA4BL,EAAsB,EAAG,CAAzB,KAAA,YAAAA,CAC5B,CAOA,YAAYM,EAAkC,CAC5C,MAAMC,EAAiB,KAAK,MAAMD,CAAK,EACvC,OAAO,IAAIF,EAAkBG,EAAgB,KAAK,WAAW,CAC/D,CAOA,UAAUD,EAAkC,CAC1C,OAAO,KAAK,UAAUA,EAAM,KAAK,CACnC,CACF,CAEO,MAAME,EAA8B,IAAIH,EC1HxC,MAAMI,CAAqD,CAQhE,YACkBC,EACAC,EAChB,CAFgB,KAAA,aAAAD,EACA,KAAA,eAAAC,CAElB,CAMA,IAAI,cAAyC,CAC3C,OAAO,KAAK,aAAa,IAAA,CAC3B,CAQA,MAAM,QAAQxC,EAA8C,CAC1D,GAAI,CAACA,EAAc,CACjB,MAAMyC,EAAW,KAAK,aACtB,GAAI,CAACA,EACH,MAAM,IAAI,MAAM,gBAAgB,EAElCzC,EAAeyC,EAAS,KAC1B,CACA,OAAI,KAAK,kBACA,KAAK,mBAGd,KAAK,kBAAoB,KAAK,eAC3B,QAAQzC,CAAY,EACpB,KAAK0C,GAAY,CAChB,KAAK,aAAa,kBAAkBA,CAAQ,CAC9C,CAAC,EACA,MAAMrC,GAAS,CACd,WAAK,aAAa,OAAA,EACZA,CACR,CAAC,EACA,QAAQ,IAAM,CACb,KAAK,kBAAoB,MAC3B,CAAC,EAEI,KAAK,kBACd,CAMA,IAAI,iBAA2B,CAC7B,OAAK,KAAK,aAGH,KAAK,aAAa,gBAFhB,EAGX,CAMA,IAAI,eAAyB,CAC3B,OAAK,KAAK,aAGH,KAAK,aAAa,cAFhB,EAGX,CACF,CC5DO,MAAMsC,EACX,wCAIWC,EACX,OAAO,iBAOF,MAAMC,CACmB,CAW9B,YAAY,CACE,SAAAC,EAAW,WACX,QAAAC,EAAU,UACV,aAAAR,CAAA,EAC6B,CAd3C,KAAS,KAAOI,EAChB,KAAS,MAAQC,EAcf,KAAK,gBAAkBE,EACvB,KAAK,eAAiBC,EACtB,KAAK,aAAeR,CACtB,CAOA,UAAU9C,EAA+B,CACvC,MAAMO,EAAe,KAAK,aAAa,IAAA,EACvC,GAAI,CAACA,EACH,OAEF,MAAMgD,EAAYhD,EAAa,OAAO,QAItC,GAHI,CAACgD,GAGD,CAACA,EAAU,UAAY,CAACA,EAAU,IACpC,OAIF,MAAMC,EACJxD,EAAS,QAAQ,WAAW,oBAAoB,kBAC9CA,EAAS,QAAQ,GAAA,EAEfyD,EAAkB,KAAK,gBACvBC,EAAoB1D,EAAS,uBAAA,EAAyB,KACtDqD,EAAWE,EAAU,SAIzBF,GACAG,EAAoB,SAASC,CAAe,GAC5C,CAACC,EAAkBD,CAAe,IAElCC,EAAkBD,CAAe,EAAIJ,GAGvC,MAAMM,EAAiB,KAAK,eACtBL,EAAUC,EAAU,IAIxBD,GACAE,EAAoB,SAASG,CAAc,GAC3C,CAACD,EAAkBC,CAAc,IAEjCD,EAAkBC,CAAc,EAAIL,EAExC,CACF,CC1DO,MAAMM,CAA8C,CAMzD,YAA4B7D,EAAqC,CAArC,KAAA,QAAAA,CAC5B,CAQA,QAAQ+B,EAAgD,CAItD,OAAO,KAAK,QAAQ,QAAQ,KAC1B,KAAK,QAAQ,SACb,CACE,KAAMA,CAAA,EAER,CACE,gBAAiB+B,EAAAA,iBAAiB,KAClC,eAAgB,IAAI,CAAC,CAAChE,EAAoC,EAAI,CAAC,CAAC,CAAA,CAClE,CAEJ,CACF,CCvEO,MAAMiE,EAA0B,cAKhC,MAAMC,UACHtC,CACsB,CAC9B,YACEC,EAAcoC,EACE1B,EAAsB,EACtC,CACA,MAAM,CACJ,IAAAV,EACA,QAASE,EAAA,EACT,WAAY,IAAIa,EAA4BL,CAAW,CAAA,CACxD,EANe,KAAA,YAAAA,CAOlB,CAEA,kBAAkBO,EAAgC,CAChD,KAAK,IAAI,IAAIH,EAAkBG,CAAc,CAAC,CAChD,CACF"}
+{"version":3,"file":"index.umd.js","sources":["../src/types.ts","../src/idGenerator.ts","../src/cosecRequestInterceptor.ts","../src/authorizationRequestInterceptor.ts","../src/authorizationResponseInterceptor.ts","../src/deviceIdStorage.ts","../src/jwts.ts","../src/jwtToken.ts","../src/jwtTokenManager.ts","../src/resourceAttributionRequestInterceptor.ts","../src/tokenRefresher.ts","../src/tokenStorage.ts"],"sourcesContent":["/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { DeviceIdStorage } from './deviceIdStorage';\nimport { JwtTokenManager } from './jwtTokenManager';\n\n/**\n * CoSec HTTP headers enumeration.\n */\nexport class CoSecHeaders {\n  static readonly DEVICE_ID = 'CoSec-Device-Id';\n  static readonly APP_ID = 'CoSec-App-Id';\n  static readonly AUTHORIZATION = 'Authorization';\n  static readonly REQUEST_ID = 'CoSec-Request-Id';\n}\n\nexport class ResponseCodes {\n  static readonly UNAUTHORIZED = 401;\n}\n\nexport interface AppIdCapable {\n  /**\n   * Application ID to be sent in the CoSec-App-Id header.\n   */\n  appId: string;\n}\n\nexport interface DeviceIdStorageCapable {\n  deviceIdStorage: DeviceIdStorage;\n}\n\nexport interface JwtTokenManagerCapable {\n  tokenManager: JwtTokenManager;\n}\n\n/**\n * CoSec options interface.\n */\nexport interface CoSecOptions\n  extends AppIdCapable,\n    DeviceIdStorageCapable,\n    JwtTokenManagerCapable {\n}\n\n/**\n * Authorization result interface.\n */\nexport interface AuthorizeResult {\n  authorized: boolean;\n  reason: string;\n}\n\n/**\n * Authorization result constants.\n */\nexport const AuthorizeResults = {\n  ALLOW: { authorized: true, reason: 'Allow' },\n  EXPLICIT_DENY: { authorized: false, reason: 'Explicit Deny' },\n  IMPLICIT_DENY: { authorized: false, reason: 'Implicit Deny' },\n  TOKEN_EXPIRED: { authorized: false, reason: 'Token Expired' },\n  TOO_MANY_REQUESTS: { authorized: false, reason: 'Too Many Requests' },\n};\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { nanoid } from 'nanoid';\n\nexport interface IdGenerator {\n  generateId(): string;\n}\n\n/**\n * Nano ID implementation of IdGenerator.\n * Generates unique request IDs using Nano ID.\n */\nexport class NanoIdGenerator implements IdGenerator {\n  /**\n   * Generate a unique request ID.\n   *\n   * @returns A unique request ID\n   */\n  generateId(): string {\n    return nanoid();\n  }\n}\n\nexport const idGenerator = new NanoIdGenerator();\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  FetchExchange,\n  REQUEST_BODY_INTERCEPTOR_ORDER,\n  type RequestInterceptor,\n} from '@ahoo-wang/fetcher';\nimport { AppIdCapable, CoSecHeaders, DeviceIdStorageCapable } from './types';\nimport { idGenerator } from './idGenerator';\n\nexport interface CoSecRequestOptions\n  extends AppIdCapable,\n    DeviceIdStorageCapable {\n}\n\n/**\n * The name of the CoSecRequestInterceptor.\n */\nexport const COSEC_REQUEST_INTERCEPTOR_NAME = 'CoSecRequestInterceptor';\n\n/**\n * The order of the CoSecRequestInterceptor.\n * Set to REQUEST_BODY_INTERCEPTOR_ORDER + 1000 to ensure it runs after RequestBodyInterceptor.\n */\nexport const COSEC_REQUEST_INTERCEPTOR_ORDER =\n  REQUEST_BODY_INTERCEPTOR_ORDER + 1000;\n\nexport const IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY = 'Ignore-Refresh-Token';\n\n/**\n * Interceptor that automatically adds CoSec authentication headers to requests.\n *\n * This interceptor adds the following headers to each request:\n * - CoSec-Device-Id: Device identifier (stored in localStorage or generated)\n * - CoSec-App-Id: Application identifier\n * - CoSec-Request-Id: Unique request identifier for each request\n *\n * @remarks\n * This interceptor runs after RequestBodyInterceptor but before FetchInterceptor.\n * The order is set to COSEC_REQUEST_INTERCEPTOR_ORDER to ensure it runs after\n * request body processing but before the actual HTTP request is made. This positioning\n * allows for proper authentication header addition after all request body transformations\n * are complete, ensuring that the final request is properly authenticated before\n * being sent over the network.\n */\nexport class CoSecRequestInterceptor implements RequestInterceptor {\n  readonly name = COSEC_REQUEST_INTERCEPTOR_NAME;\n  readonly order = COSEC_REQUEST_INTERCEPTOR_ORDER;\n  private options: CoSecRequestOptions;\n\n  /**\n   * Creates a new CoSecRequestInterceptor instance.\n   * @param options - The CoSec configuration options including appId, deviceIdStorage, and tokenManager\n   */\n  constructor(options: CoSecRequestOptions) {\n    this.options = options;\n  }\n\n  /**\n   * Intercept requests to add CoSec authentication headers.\n   *\n   * This method adds the following headers to each request:\n   * - CoSec-App-Id: The application identifier from the CoSec options\n   * - CoSec-Device-Id: A unique device identifier, either retrieved from storage or generated\n   * - CoSec-Request-Id: A unique identifier for this specific request\n   *\n   * @param exchange - The fetch exchange containing the request to process\n   *\n   * @remarks\n   * This method runs after RequestBodyInterceptor but before FetchInterceptor.\n   * It ensures that authentication headers are added to the request after all\n   * body processing is complete. The positioning allows for proper authentication\n   * header addition after all request body transformations are finished, ensuring\n   * that the final request is properly authenticated before being sent over the network.\n   * This execution order prevents authentication headers from being overwritten by\n   * subsequent request processing interceptors.\n   *\n   * The method also handles token refreshing when the current token is expired but still refreshable.\n   * It will attempt to refresh the token before adding the Authorization header to the request.\n   */\n  async intercept(exchange: FetchExchange) {\n    // Generate a unique request ID for this request\n    const requestId = idGenerator.generateId();\n\n    // Get or create a device ID\n    const deviceId = this.options.deviceIdStorage.getOrCreate();\n\n    // Ensure request headers object exists\n    const requestHeaders = exchange.ensureRequestHeaders();\n\n    // Add CoSec headers to the request\n    requestHeaders[CoSecHeaders.APP_ID] = this.options.appId;\n    requestHeaders[CoSecHeaders.DEVICE_ID] = deviceId;\n    requestHeaders[CoSecHeaders.REQUEST_ID] = requestId;\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { FetchExchange, RequestInterceptor } from '@ahoo-wang/fetcher';\nimport {\n  COSEC_REQUEST_INTERCEPTOR_ORDER,\n  IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY,\n} from './cosecRequestInterceptor';\nimport { CoSecHeaders, JwtTokenManagerCapable } from './types';\n\n// eslint-disable-next-line @typescript-eslint/no-empty-object-type\nexport interface AuthorizationInterceptorOptions\n  extends JwtTokenManagerCapable {\n}\n\nexport const AUTHORIZATION_REQUEST_INTERCEPTOR_NAME =\n  'AuthorizationRequestInterceptor';\nexport const AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER =\n  COSEC_REQUEST_INTERCEPTOR_ORDER + 1000;\n\n/**\n * Request interceptor that automatically adds Authorization header to requests.\n *\n * This interceptor handles JWT token management by:\n * 1. Adding Authorization header with Bearer token if not already present\n * 2. Refreshing tokens when needed and possible\n * 3. Skipping refresh when explicitly requested via attributes\n *\n * The interceptor runs after CoSecRequestInterceptor but before FetchInterceptor in the chain.\n */\nexport class AuthorizationRequestInterceptor implements RequestInterceptor {\n  readonly name = AUTHORIZATION_REQUEST_INTERCEPTOR_NAME;\n  readonly order = AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER;\n\n  /**\n   * Creates an AuthorizationRequestInterceptor instance.\n   *\n   * @param options - Configuration options containing the token manager\n   */\n  constructor(private readonly options: AuthorizationInterceptorOptions) {\n  }\n\n  /**\n   * Intercepts the request exchange to add authorization headers.\n   *\n   * This method performs the following operations:\n   * 1. Checks if a token exists and if Authorization header is already set\n   * 2. Refreshes the token if needed, possible, and not explicitly ignored\n   * 3. Adds the Authorization header with Bearer token if a token is available\n   *\n   * @param exchange - The fetch exchange containing request information\n   * @returns Promise that resolves when the interception is complete\n   */\n  async intercept(exchange: FetchExchange): Promise<void> {\n    // Get the current token from token manager\n    let currentToken = this.options.tokenManager.currentToken;\n\n    const requestHeaders = exchange.ensureRequestHeaders();\n\n    // Skip if no token exists or Authorization header is already set\n    if (!currentToken || requestHeaders[CoSecHeaders.AUTHORIZATION]) {\n      return;\n    }\n\n    // Refresh token if needed and refreshable\n    if (\n      !exchange.attributes.has(IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY) &&\n      currentToken.isRefreshNeeded &&\n      currentToken.isRefreshable\n    ) {\n      await this.options.tokenManager.refresh();\n    }\n\n    // Get the current token again (might have been refreshed)\n    currentToken = this.options.tokenManager.currentToken;\n\n    // Add Authorization header if we have a token\n    if (currentToken) {\n      requestHeaders[CoSecHeaders.AUTHORIZATION] =\n        `Bearer ${currentToken.access.token}`;\n    }\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { ResponseCodes } from './types';\nimport { FetchExchange, type ResponseInterceptor } from '@ahoo-wang/fetcher';\nimport { AuthorizationInterceptorOptions } from './authorizationRequestInterceptor';\n\n/**\n * The name of the AuthorizationResponseInterceptor.\n */\nexport const AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME =\n  'AuthorizationResponseInterceptor';\n\n/**\n * The order of the AuthorizationResponseInterceptor.\n * Set to a high negative value to ensure it runs early in the interceptor chain.\n */\nexport const AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER =\n  Number.MIN_SAFE_INTEGER + 1000;\n\n/**\n * CoSecResponseInterceptor is responsible for handling unauthorized responses (401)\n * by attempting to refresh the authentication token and retrying the original request.\n *\n * This interceptor:\n * 1. Checks if the response status is 401 (UNAUTHORIZED)\n * 2. If so, and if there's a current token, attempts to refresh it\n * 3. On successful refresh, stores the new token and retries the original request\n * 4. On refresh failure, clears stored tokens and propagates the error\n */\nexport class AuthorizationResponseInterceptor implements ResponseInterceptor {\n  readonly name = AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME;\n  readonly order = AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER;\n  private options: AuthorizationInterceptorOptions;\n\n  /**\n   * Creates a new AuthorizationResponseInterceptor instance.\n   * @param options - The CoSec configuration options including token storage and refresher\n   */\n  constructor(options: AuthorizationInterceptorOptions) {\n    this.options = options;\n  }\n\n  /**\n   * Intercepts the response and handles unauthorized responses by refreshing tokens.\n   * @param exchange - The fetch exchange containing request and response information\n   */\n  async intercept(exchange: FetchExchange): Promise<void> {\n    const response = exchange.response;\n    // If there's no response, nothing to intercept\n    if (!response) {\n      return;\n    }\n\n    // Only handle unauthorized responses (401)\n    if (response.status !== ResponseCodes.UNAUTHORIZED) {\n      return;\n    }\n\n    if (!this.options.tokenManager.isRefreshable) {\n      return;\n    }\n    try {\n      await this.options.tokenManager.refresh();\n      // Retry the original request with the new token\n      await exchange.fetcher.interceptors.exchange(exchange);\n    } catch (error) {\n      // If token refresh fails, clear stored tokens and re-throw the error\n      this.options.tokenManager.tokenStorage.remove();\n      throw error;\n    }\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { idGenerator } from './idGenerator';\nimport {\n  createListenableStorage,\n  IdentitySerializer,\n  KeyStorage,\n} from '@ahoo-wang/fetcher-storage';\n\nexport const DEFAULT_COSEC_DEVICE_ID_KEY = 'cosec-device-id';\n\n/**\n * Storage class for managing device identifiers.\n */\nexport class DeviceIdStorage extends KeyStorage<string> {\n  constructor(key: string = DEFAULT_COSEC_DEVICE_ID_KEY) {\n    super({\n      key,\n      serializer: new IdentitySerializer<string>(),\n      storage: createListenableStorage(),\n    });\n  }\n\n  /**\n   * Generate a new device ID.\n   *\n   * @returns A newly generated device ID\n   */\n  generateDeviceId(): string {\n    return idGenerator.generateId();\n  }\n\n  /**\n   * Get or create a device ID.\n   *\n   * @returns The existing device ID if available, otherwise a newly generated one\n   */\n  getOrCreate(): string {\n    // Try to get existing device ID from storage\n    let deviceId = this.get();\n    if (!deviceId) {\n      // Generate a new device ID and store it\n      deviceId = this.generateDeviceId();\n      this.set(deviceId);\n    }\n\n    return deviceId;\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n/**\n * Interface representing a JWT payload as defined in RFC 7519.\n * Contains standard JWT claims as well as custom properties.\n */\nexport interface JwtPayload {\n  /**\n   * JWT ID - provides a unique identifier for the JWT.\n   */\n  jti?: string;\n  /**\n   * Subject - identifies the principal that is the subject of the JWT.\n   */\n  sub?: string;\n  /**\n   * Issuer - identifies the principal that issued the JWT.\n   */\n  iss?: string;\n  /**\n   * Audience - identifies the recipients that the JWT is intended for.\n   * Can be a single string or an array of strings.\n   */\n  aud?: string | string[];\n  /**\n   * Expiration Time - identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.\n   * Represented as NumericDate (seconds since Unix epoch).\n   */\n  exp?: number;\n  /**\n   * Not Before - identifies the time before which the JWT MUST NOT be accepted for processing.\n   * Represented as NumericDate (seconds since Unix epoch).\n   */\n  nbf?: number;\n  /**\n   * Issued At - identifies the time at which the JWT was issued.\n   * Represented as NumericDate (seconds since Unix epoch).\n   */\n  iat?: number;\n\n  /**\n   * Allows additional custom properties to be included in the payload.\n   */\n  [key: string]: any;\n}\n\n/**\n * Interface representing a JWT payload with CoSec-specific extensions.\n * Extends the standard JwtPayload interface with additional CoSec-specific properties.\n */\nexport interface CoSecJwtPayload extends JwtPayload {\n  /**\n   * Tenant identifier - identifies the tenant scope for the JWT.\n   */\n  tenantId?: string;\n  /**\n   * Policies - array of policy identifiers associated with the JWT.\n   * These are security policies defined internally by Cosec.\n   */\n  policies?: string[];\n  /**\n   * Roles - array of role identifiers associated with the JWT.\n   * Role IDs indicate what roles the token belongs to.\n   */\n  roles?: string[];\n  /**\n   * Attributes - custom key-value pairs providing additional information about the JWT.\n   */\n  attributes?: Record<string, any>;\n}\n\n/**\n * Parses a JWT token and extracts its payload.\n *\n * This function decodes the payload part of a JWT token, handling Base64URL decoding\n * and JSON parsing. It validates the token structure and returns null for invalid tokens.\n *\n * @param token - The JWT token string to parse\n * @returns The parsed JWT payload or null if parsing fails\n */\nexport function parseJwtPayload<T extends JwtPayload>(token: string): T | null {\n  try {\n    const parts = token.split('.');\n    if (parts.length !== 3) {\n      return null;\n    }\n\n    const base64Url = parts[1];\n    const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');\n\n    // Add padding if needed\n    const paddedBase64 = base64.padEnd(\n      base64.length + ((4 - (base64.length % 4)) % 4),\n      '=',\n    );\n\n    const jsonPayload = decodeURIComponent(\n      atob(paddedBase64)\n        .split('')\n        .map(function(c) {\n          return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);\n        })\n        .join(''),\n    );\n    return JSON.parse(jsonPayload) as T;\n  } catch (error) {\n    // Avoid exposing sensitive information in error logs\n    console.error('Failed to parse JWT token', error);\n    return null;\n  }\n}\n\nexport interface EarlyPeriodCapable {\n  /**\n   * The time in seconds before actual expiration when the token should be considered expired (default: 0)\n   */\n  readonly earlyPeriod: number;\n}\n\n/**\n * Checks if a JWT token is expired based on its expiration time (exp claim).\n *\n * This function determines if a JWT token has expired by comparing its exp claim\n * with the current time. If the token is a string, it will be parsed first.\n * Tokens without an exp claim are considered not expired.\n *\n * The early period parameter allows for early token expiration, which is useful\n * for triggering token refresh before the token actually expires. This helps\n * avoid race conditions where a token expires between the time it is checked and\n * the time it is used.\n *\n * @param token - The JWT token to check, either as a string or as a JwtPayload object\n * @param earlyPeriod - The time in seconds before actual expiration when the token should be considered expired (default: 0)\n * @returns true if the token is expired (or will expire within the early period) or cannot be parsed, false otherwise\n */\nexport function isTokenExpired(\n  token: string | CoSecJwtPayload,\n  earlyPeriod: number = 0,\n): boolean {\n  const payload = typeof token === 'string' ? parseJwtPayload(token) : token;\n  if (!payload) {\n    return true;\n  }\n\n  const expAt = payload.exp;\n  if (!expAt) {\n    return false;\n  }\n\n  const now = Date.now() / 1000;\n  return now > expAt - earlyPeriod;\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  CoSecJwtPayload,\n  EarlyPeriodCapable,\n  isTokenExpired,\n  JwtPayload,\n  parseJwtPayload,\n} from './jwts';\nimport { CompositeToken } from './tokenRefresher';\nimport { Serializer } from '@ahoo-wang/fetcher-storage';\n\n/**\n * Interface for JWT token with typed payload\n * @template Payload The type of the JWT payload\n */\nexport interface IJwtToken<Payload extends JwtPayload>\n  extends EarlyPeriodCapable {\n  readonly token: string;\n  readonly payload: Payload | null;\n\n  isExpired: boolean;\n}\n\n/**\n * Class representing a JWT token with typed payload\n * @template Payload The type of the JWT payload\n */\nexport class JwtToken<Payload extends JwtPayload>\n  implements IJwtToken<Payload> {\n  public readonly payload: Payload | null;\n\n  /**\n   * Creates a new JwtToken instance\n   */\n  constructor(\n    public readonly token: string,\n    public readonly earlyPeriod: number = 0,\n  ) {\n    this.payload = parseJwtPayload<Payload>(token);\n  }\n\n  /**\n   * Checks if the token is expired\n   * @returns true if the token is expired, false otherwise\n   */\n  get isExpired(): boolean {\n    if (!this.payload) {\n      return true;\n    }\n    return isTokenExpired(this.payload, this.earlyPeriod);\n  }\n}\n\nexport interface RefreshTokenStatusCapable {\n  /**\n   * Checks if the access token needs to be refreshed\n   * @returns true if the access token is expired, false otherwise\n   */\n  readonly isRefreshNeeded: boolean;\n  /**\n   * Checks if the refresh token is still valid and can be used to refresh the access token\n   * @returns true if the refresh token is not expired, false otherwise\n   */\n  readonly isRefreshable: boolean;\n}\n\n/**\n * Class representing a composite token containing both access and refresh tokens\n */\nexport class JwtCompositeToken\n  implements EarlyPeriodCapable, RefreshTokenStatusCapable {\n  public readonly access: JwtToken<CoSecJwtPayload>;\n  public readonly refresh: JwtToken<JwtPayload>;\n\n  /**\n   * Creates a new JwtCompositeToken instance\n   */\n  constructor(\n    public readonly token: CompositeToken,\n    public readonly earlyPeriod: number = 0,\n  ) {\n    this.access = new JwtToken(token.accessToken, earlyPeriod);\n    this.refresh = new JwtToken(token.refreshToken, earlyPeriod);\n  }\n\n  /**\n   * Checks if the access token needs to be refreshed\n   * @returns true if the access token is expired, false otherwise\n   */\n  get isRefreshNeeded(): boolean {\n    return this.access.isExpired;\n  }\n\n  /**\n   * Checks if the refresh token is still valid and can be used to refresh the access token\n   * @returns true if the refresh token is not expired, false otherwise\n   */\n  get isRefreshable(): boolean {\n    return !this.refresh.isExpired;\n  }\n}\n\n/**\n * Serializer for JwtCompositeToken that handles conversion to and from JSON strings\n */\nexport class JwtCompositeTokenSerializer\n  implements Serializer<string, JwtCompositeToken>, EarlyPeriodCapable {\n  constructor(public readonly earlyPeriod: number = 0) {\n  }\n\n  /**\n   * Deserializes a JSON string to a JwtCompositeToken\n   * @param value The JSON string representation of a composite token\n   * @returns A JwtCompositeToken instance\n   */\n  deserialize(value: string): JwtCompositeToken {\n    const compositeToken = JSON.parse(value) as CompositeToken;\n    return new JwtCompositeToken(compositeToken, this.earlyPeriod);\n  }\n\n  /**\n   * Serializes a JwtCompositeToken to a JSON string\n   * @param value The JwtCompositeToken to serialize\n   * @returns A JSON string representation of the composite token\n   */\n  serialize(value: JwtCompositeToken): string {\n    return JSON.stringify(value.token);\n  }\n}\n\nexport const jwtCompositeTokenSerializer = new JwtCompositeTokenSerializer();\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { TokenStorage } from './tokenStorage';\nimport { CompositeToken, TokenRefresher } from './tokenRefresher';\nimport { JwtCompositeToken, RefreshTokenStatusCapable } from './jwtToken';\n\n/**\n * Manages JWT token refreshing operations and provides status information\n */\nexport class JwtTokenManager implements RefreshTokenStatusCapable {\n  private refreshInProgress?: Promise<void>;\n\n  /**\n   * Creates a new JwtTokenManager instance\n   * @param tokenStorage The storage used to persist tokens\n   * @param tokenRefresher The refresher used to refresh expired tokens\n   */\n  constructor(\n    public readonly tokenStorage: TokenStorage,\n    public readonly tokenRefresher: TokenRefresher,\n  ) {\n  }\n\n  /**\n   * Gets the current JWT composite token from storage\n   * @returns The current token or null if none exists\n   */\n  get currentToken(): JwtCompositeToken | null {\n    return this.tokenStorage.get();\n  }\n\n  /**\n   * Refreshes the JWT token\n   * @param currentToken Optional current token to refresh. If not provided, uses the stored token.\n   * @returns Promise that resolves when refresh is complete\n   * @throws Error if no token is found or refresh fails\n   */\n  async refresh(currentToken?: CompositeToken): Promise<void> {\n    if (!currentToken) {\n      const jwtToken = this.currentToken;\n      if (!jwtToken) {\n        throw new Error('No token found');\n      }\n      currentToken = jwtToken.token;\n    }\n    if (this.refreshInProgress) {\n      return this.refreshInProgress;\n    }\n\n    this.refreshInProgress = this.tokenRefresher\n      .refresh(currentToken)\n      .then(newToken => {\n        this.tokenStorage.setCompositeToken(newToken);\n      })\n      .catch(error => {\n        this.tokenStorage.remove();\n        throw error;\n      })\n      .finally(() => {\n        this.refreshInProgress = undefined;\n      });\n\n    return this.refreshInProgress;\n  }\n\n  /**\n   * Indicates if the current token needs to be refreshed\n   * @returns true if the access token is expired and needs refresh, false otherwise\n   */\n  get isRefreshNeeded(): boolean {\n    if (!this.currentToken) {\n      return false;\n    }\n    return this.currentToken.isRefreshNeeded;\n  }\n\n  /**\n   * Indicates if the current token can be refreshed\n   * @returns true if the refresh token is still valid, false otherwise\n   */\n  get isRefreshable(): boolean {\n    if (!this.currentToken) {\n      return false;\n    }\n    return this.currentToken.isRefreshable;\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { FetchExchange, RequestInterceptor } from '@ahoo-wang/fetcher';\nimport { TokenStorage } from './tokenStorage';\n\n/**\n * Configuration options for resource attribution\n */\nexport interface ResourceAttributionOptions {\n  /**\n   * The path parameter key used for tenant ID in URL templates\n   */\n  tenantId?: string;\n  /**\n   * The path parameter key used for owner ID in URL templates\n   */\n  ownerId?: string;\n  /**\n   * Storage mechanism for retrieving current authentication tokens\n   */\n  tokenStorage: TokenStorage;\n}\n\n/**\n * Name identifier for the ResourceAttributionRequestInterceptor\n */\nexport const RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME =\n  'ResourceAttributionRequestInterceptor';\n/**\n * Order priority for the ResourceAttributionRequestInterceptor, set to maximum safe integer to ensure it runs last\n */\nexport const RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER =\n  Number.MAX_SAFE_INTEGER;\n\n/**\n * Request interceptor that automatically adds tenant and owner ID path parameters to requests\n * based on the current authentication token. This is useful for multi-tenant applications where\n * requests need to include tenant-specific information in the URL path.\n */\nexport class ResourceAttributionRequestInterceptor\n  implements RequestInterceptor {\n  readonly name = RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME;\n  readonly order = RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER;\n  private readonly tenantIdPathKey: string;\n  private readonly ownerIdPathKey: string;\n  private readonly tokenStorage: TokenStorage;\n\n  /**\n   * Creates a new ResourceAttributionRequestInterceptor\n   * @param options - Configuration options for resource attribution including tenantId, ownerId and tokenStorage\n   */\n  constructor({\n                tenantId = 'tenantId',\n                ownerId = 'ownerId',\n                tokenStorage,\n              }: ResourceAttributionOptions) {\n    this.tenantIdPathKey = tenantId;\n    this.ownerIdPathKey = ownerId;\n    this.tokenStorage = tokenStorage;\n  }\n\n  /**\n   * Intercepts outgoing requests and automatically adds tenant and owner ID path parameters\n   * if they are defined in the URL template but not provided in the request.\n   * @param exchange - The fetch exchange containing the request information\n   */\n  intercept(exchange: FetchExchange): void {\n    const currentToken = this.tokenStorage.get();\n    if (!currentToken) {\n      return;\n    }\n    const principal = currentToken.access.payload;\n    if (!principal) {\n      return;\n    }\n    if (!principal.tenantId && !principal.sub) {\n      return;\n    }\n\n    // Extract path parameters from the URL template\n    const extractedPathParams =\n      exchange.fetcher.urlBuilder.urlTemplateResolver.extractPathParams(\n        exchange.request.url,\n      );\n    const tenantIdPathKey = this.tenantIdPathKey;\n    const requestPathParams = exchange.ensureRequestUrlParams().path;\n    const tenantId = principal.tenantId;\n\n    // Add tenant ID to path parameters if it's part of the URL template and not already provided\n    if (\n      tenantId &&\n      extractedPathParams.includes(tenantIdPathKey) &&\n      !requestPathParams[tenantIdPathKey]\n    ) {\n      requestPathParams[tenantIdPathKey] = tenantId;\n    }\n\n    const ownerIdPathKey = this.ownerIdPathKey;\n    const ownerId = principal.sub;\n\n    // Add owner ID to path parameters if it's part of the URL template and not already provided\n    if (\n      ownerId &&\n      extractedPathParams.includes(ownerIdPathKey) &&\n      !requestPathParams[ownerIdPathKey]\n    ) {\n      requestPathParams[ownerIdPathKey] = ownerId;\n    }\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Fetcher, ResultExtractors } from '@ahoo-wang/fetcher';\nimport { IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY } from './cosecRequestInterceptor';\n\n/**\n * Interface for access tokens.\n */\nexport interface AccessToken {\n  accessToken: string;\n}\n\n/**\n * Interface for refresh tokens.\n */\nexport interface RefreshToken {\n  refreshToken: string;\n}\n\n/**\n * Composite token interface that contains both access and refresh tokens.\n *\n * accessToken and refreshToken always appear in pairs, no need to split them.\n */\nexport interface CompositeToken extends AccessToken, RefreshToken {\n}\n\n/**\n * Interface for token refreshers.\n *\n * Provides a method to refresh tokens.\n */\nexport interface TokenRefresher {\n  /**\n   * Refresh the given token and return a new CompositeToken.\n   *\n   * @param token The token to refresh\n   * @returns A Promise that resolves to a new CompositeToken\n   */\n  refresh(token: CompositeToken): Promise<CompositeToken>;\n}\n\nexport interface CoSecTokenRefresherOptions {\n  fetcher: Fetcher;\n  endpoint: string;\n}\n\n/**\n * CoSecTokenRefresher is a class that implements the TokenRefresher interface\n * for refreshing composite tokens through a configured endpoint.\n */\nexport class CoSecTokenRefresher implements TokenRefresher {\n  /**\n   * Creates a new instance of CoSecTokenRefresher.\n   *\n   * @param options The configuration options for the token refresher including fetcher and endpoint\n   */\n  constructor(public readonly options: CoSecTokenRefresherOptions) {\n  }\n\n  /**\n   * Refresh the given token and return a new CompositeToken.\n   *\n   * @param token The token to refresh\n   * @returns A Promise that resolves to a new CompositeToken\n   */\n  refresh(token: CompositeToken): Promise<CompositeToken> {\n    // Send a POST request to the configured endpoint with the token as body\n    // and extract the response as JSON to return a new CompositeToken\n\n    return this.options.fetcher.post<CompositeToken>(\n      this.options.endpoint,\n      {\n        body: token,\n      },\n      {\n        resultExtractor: ResultExtractors.Json,\n        attributes: new Map([[IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY, true]]),\n      },\n    );\n  }\n}\n","/*\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *      http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { JwtCompositeToken, JwtCompositeTokenSerializer } from './jwtToken';\nimport { CompositeToken } from './tokenRefresher';\nimport { EarlyPeriodCapable } from './jwts';\nimport {\n  createListenableStorage,\n  KeyStorage,\n} from '@ahoo-wang/fetcher-storage';\n\nexport const DEFAULT_COSEC_TOKEN_KEY = 'cosec-token';\n\n/**\n * Storage class for managing access and refresh tokens.\n */\nexport class TokenStorage\n  extends KeyStorage<JwtCompositeToken>\n  implements EarlyPeriodCapable {\n  constructor(\n    key: string = DEFAULT_COSEC_TOKEN_KEY,\n    public readonly earlyPeriod: number = 0,\n  ) {\n    super({\n      key,\n      storage: createListenableStorage(),\n      serializer: new JwtCompositeTokenSerializer(earlyPeriod),\n    });\n  }\n\n  setCompositeToken(compositeToken: CompositeToken) {\n    this.set(new JwtCompositeToken(compositeToken));\n  }\n}\n"],"names":["_CoSecHeaders","CoSecHeaders","_ResponseCodes","ResponseCodes","AuthorizeResults","NanoIdGenerator","nanoid","idGenerator","COSEC_REQUEST_INTERCEPTOR_NAME","COSEC_REQUEST_INTERCEPTOR_ORDER","REQUEST_BODY_INTERCEPTOR_ORDER","IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY","CoSecRequestInterceptor","options","exchange","requestId","deviceId","requestHeaders","AUTHORIZATION_REQUEST_INTERCEPTOR_NAME","AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER","AuthorizationRequestInterceptor","currentToken","AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME","AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER","AuthorizationResponseInterceptor","response","error","DEFAULT_COSEC_DEVICE_ID_KEY","DeviceIdStorage","KeyStorage","key","IdentitySerializer","createListenableStorage","parseJwtPayload","token","parts","base64","paddedBase64","jsonPayload","c","isTokenExpired","earlyPeriod","payload","expAt","JwtToken","JwtCompositeToken","JwtCompositeTokenSerializer","value","compositeToken","jwtCompositeTokenSerializer","JwtTokenManager","tokenStorage","tokenRefresher","jwtToken","newToken","RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME","RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER","ResourceAttributionRequestInterceptor","tenantId","ownerId","principal","extractedPathParams","tenantIdPathKey","requestPathParams","ownerIdPathKey","CoSecTokenRefresher","ResultExtractors","DEFAULT_COSEC_TOKEN_KEY","TokenStorage"],"mappings":"gaAmBO,MAAMA,EAAN,MAAMA,CAAa,CAK1B,EAJEA,EAAgB,UAAY,kBAC5BA,EAAgB,OAAS,eACzBA,EAAgB,cAAgB,gBAChCA,EAAgB,WAAa,mBAJxB,IAAMC,EAAND,EAOA,MAAME,EAAN,MAAMA,CAAc,CAE3B,EADEA,EAAgB,aAAe,IAD1B,IAAMC,EAAND,EAuCA,MAAME,EAAmB,CAC9B,MAAO,CAAE,WAAY,GAAM,OAAQ,OAAA,EACnC,cAAe,CAAE,WAAY,GAAO,OAAQ,eAAA,EAC5C,cAAe,CAAE,WAAY,GAAO,OAAQ,eAAA,EAC5C,cAAe,CAAE,WAAY,GAAO,OAAQ,eAAA,EAC5C,kBAAmB,CAAE,WAAY,GAAO,OAAQ,mBAAA,CAClD,EChDO,MAAMC,CAAuC,CAMlD,YAAqB,CACnB,OAAOC,SAAA,CACT,CACF,CAEO,MAAMC,EAAc,IAAIF,ECLlBG,EAAiC,0BAMjCC,EACXC,EAAAA,+BAAiC,IAEtBC,EAAqC,uBAkB3C,MAAMC,CAAsD,CASjE,YAAYC,EAA8B,CAR1C,KAAS,KAAOL,EAChB,KAAS,MAAQC,EAQf,KAAK,QAAUI,CACjB,CAwBA,MAAM,UAAUC,EAAyB,CAEvC,MAAMC,EAAYR,EAAY,WAAA,EAGxBS,EAAW,KAAK,QAAQ,gBAAgB,YAAA,EAGxCC,EAAiBH,EAAS,qBAAA,EAGhCG,EAAehB,EAAa,MAAM,EAAI,KAAK,QAAQ,MACnDgB,EAAehB,EAAa,SAAS,EAAIe,EACzCC,EAAehB,EAAa,UAAU,EAAIc,CAC5C,CACF,CCjFO,MAAMG,EACX,kCACWC,EACXV,EAAkC,IAY7B,MAAMW,CAA8D,CASzE,YAA6BP,EAA0C,CAA1C,KAAA,QAAAA,EAR7B,KAAS,KAAOK,EAChB,KAAS,MAAQC,CAQjB,CAaA,MAAM,UAAUL,EAAwC,CAEtD,IAAIO,EAAe,KAAK,QAAQ,aAAa,aAE7C,MAAMJ,EAAiBH,EAAS,qBAAA,EAG5B,CAACO,GAAgBJ,EAAehB,EAAa,aAAa,IAM5D,CAACa,EAAS,WAAW,IAAIH,CAAkC,GAC3DU,EAAa,iBACbA,EAAa,eAEb,MAAM,KAAK,QAAQ,aAAa,QAAA,EAIlCA,EAAe,KAAK,QAAQ,aAAa,aAGrCA,IACFJ,EAAehB,EAAa,aAAa,EACvC,UAAUoB,EAAa,OAAO,KAAK,IAEzC,CACF,CCxEO,MAAMC,EACX,mCAMWC,EACX,OAAO,iBAAmB,IAYrB,MAAMC,CAAgE,CAS3E,YAAYX,EAA0C,CARtD,KAAS,KAAOS,EAChB,KAAS,MAAQC,EAQf,KAAK,QAAUV,CACjB,CAMA,MAAM,UAAUC,EAAwC,CACtD,MAAMW,EAAWX,EAAS,SAE1B,GAAKW,GAKDA,EAAS,SAAWtB,EAAc,cAIjC,KAAK,QAAQ,aAAa,cAG/B,GAAI,CACF,MAAM,KAAK,QAAQ,aAAa,QAAA,EAEhC,MAAMW,EAAS,QAAQ,aAAa,SAASA,CAAQ,CACvD,OAASY,EAAO,CAEd,WAAK,QAAQ,aAAa,aAAa,OAAA,EACjCA,CACR,CACF,CACF,CC9DO,MAAMC,EAA8B,kBAKpC,MAAMC,UAAwBC,EAAAA,UAAmB,CACtD,YAAYC,EAAcH,EAA6B,CACrD,MAAM,CACJ,IAAAG,EACA,WAAY,IAAIC,EAAAA,mBAChB,QAASC,EAAAA,wBAAA,CAAwB,CAClC,CACH,CAOA,kBAA2B,CACzB,OAAOzB,EAAY,WAAA,CACrB,CAOA,aAAsB,CAEpB,IAAIS,EAAW,KAAK,IAAA,EACpB,OAAKA,IAEHA,EAAW,KAAK,iBAAA,EAChB,KAAK,IAAIA,CAAQ,GAGZA,CACT,CACF,CC+BO,SAASiB,EAAsCC,EAAyB,CAC7E,GAAI,CACF,MAAMC,EAAQD,EAAM,MAAM,GAAG,EAC7B,GAAIC,EAAM,SAAW,EACnB,OAAO,KAIT,MAAMC,EADYD,EAAM,CAAC,EACA,QAAQ,KAAM,GAAG,EAAE,QAAQ,KAAM,GAAG,EAGvDE,EAAeD,EAAO,OAC1BA,EAAO,QAAW,EAAKA,EAAO,OAAS,GAAM,EAC7C,GAAA,EAGIE,EAAc,mBAClB,KAAKD,CAAY,EACd,MAAM,EAAE,EACR,IAAI,SAASE,EAAG,CACf,MAAO,KAAO,KAAOA,EAAE,WAAW,CAAC,EAAE,SAAS,EAAE,GAAG,MAAM,EAAE,CAC7D,CAAC,EACA,KAAK,EAAE,CAAA,EAEZ,OAAO,KAAK,MAAMD,CAAW,CAC/B,OAASZ,EAAO,CAEd,eAAQ,MAAM,4BAA6BA,CAAK,EACzC,IACT,CACF,CAyBO,SAASc,EACdN,EACAO,EAAsB,EACb,CACT,MAAMC,EAAU,OAAOR,GAAU,SAAWD,EAAgBC,CAAK,EAAIA,EACrE,GAAI,CAACQ,EACH,MAAO,GAGT,MAAMC,EAAQD,EAAQ,IACtB,OAAKC,EAIO,KAAK,IAAA,EAAQ,IACZA,EAAQF,EAJZ,EAKX,CC1HO,MAAMG,CACmB,CAM9B,YACkBV,EACAO,EAAsB,EACtC,CAFgB,KAAA,MAAAP,EACA,KAAA,YAAAO,EAEhB,KAAK,QAAUR,EAAyBC,CAAK,CAC/C,CAMA,IAAI,WAAqB,CACvB,OAAK,KAAK,QAGHM,EAAe,KAAK,QAAS,KAAK,WAAW,EAF3C,EAGX,CACF,CAkBO,MAAMK,CAC8C,CAOzD,YACkBX,EACAO,EAAsB,EACtC,CAFgB,KAAA,MAAAP,EACA,KAAA,YAAAO,EAEhB,KAAK,OAAS,IAAIG,EAASV,EAAM,YAAaO,CAAW,EACzD,KAAK,QAAU,IAAIG,EAASV,EAAM,aAAcO,CAAW,CAC7D,CAMA,IAAI,iBAA2B,CAC7B,OAAO,KAAK,OAAO,SACrB,CAMA,IAAI,eAAyB,CAC3B,MAAO,CAAC,KAAK,QAAQ,SACvB,CACF,CAKO,MAAMK,CAC0D,CACrE,YAA4BL,EAAsB,EAAG,CAAzB,KAAA,YAAAA,CAC5B,CAOA,YAAYM,EAAkC,CAC5C,MAAMC,EAAiB,KAAK,MAAMD,CAAK,EACvC,OAAO,IAAIF,EAAkBG,EAAgB,KAAK,WAAW,CAC/D,CAOA,UAAUD,EAAkC,CAC1C,OAAO,KAAK,UAAUA,EAAM,KAAK,CACnC,CACF,CAEO,MAAME,EAA8B,IAAIH,EC1HxC,MAAMI,CAAqD,CAQhE,YACkBC,EACAC,EAChB,CAFgB,KAAA,aAAAD,EACA,KAAA,eAAAC,CAElB,CAMA,IAAI,cAAyC,CAC3C,OAAO,KAAK,aAAa,IAAA,CAC3B,CAQA,MAAM,QAAQ/B,EAA8C,CAC1D,GAAI,CAACA,EAAc,CACjB,MAAMgC,EAAW,KAAK,aACtB,GAAI,CAACA,EACH,MAAM,IAAI,MAAM,gBAAgB,EAElChC,EAAegC,EAAS,KAC1B,CACA,OAAI,KAAK,kBACA,KAAK,mBAGd,KAAK,kBAAoB,KAAK,eAC3B,QAAQhC,CAAY,EACpB,KAAKiC,GAAY,CAChB,KAAK,aAAa,kBAAkBA,CAAQ,CAC9C,CAAC,EACA,MAAM5B,GAAS,CACd,WAAK,aAAa,OAAA,EACZA,CACR,CAAC,EACA,QAAQ,IAAM,CACb,KAAK,kBAAoB,MAC3B,CAAC,EAEI,KAAK,kBACd,CAMA,IAAI,iBAA2B,CAC7B,OAAK,KAAK,aAGH,KAAK,aAAa,gBAFhB,EAGX,CAMA,IAAI,eAAyB,CAC3B,OAAK,KAAK,aAGH,KAAK,aAAa,cAFhB,EAGX,CACF,CC5DO,MAAM6B,EACX,wCAIWC,EACX,OAAO,iBAOF,MAAMC,CACmB,CAW9B,YAAY,CACE,SAAAC,EAAW,WACX,QAAAC,EAAU,UACV,aAAAR,CAAA,EAC6B,CAd3C,KAAS,KAAOI,EAChB,KAAS,MAAQC,EAcf,KAAK,gBAAkBE,EACvB,KAAK,eAAiBC,EACtB,KAAK,aAAeR,CACtB,CAOA,UAAUrC,EAA+B,CACvC,MAAMO,EAAe,KAAK,aAAa,IAAA,EACvC,GAAI,CAACA,EACH,OAEF,MAAMuC,EAAYvC,EAAa,OAAO,QAItC,GAHI,CAACuC,GAGD,CAACA,EAAU,UAAY,CAACA,EAAU,IACpC,OAIF,MAAMC,EACJ/C,EAAS,QAAQ,WAAW,oBAAoB,kBAC9CA,EAAS,QAAQ,GAAA,EAEfgD,EAAkB,KAAK,gBACvBC,EAAoBjD,EAAS,uBAAA,EAAyB,KACtD4C,EAAWE,EAAU,SAIzBF,GACAG,EAAoB,SAASC,CAAe,GAC5C,CAACC,EAAkBD,CAAe,IAElCC,EAAkBD,CAAe,EAAIJ,GAGvC,MAAMM,EAAiB,KAAK,eACtBL,EAAUC,EAAU,IAIxBD,GACAE,EAAoB,SAASG,CAAc,GAC3C,CAACD,EAAkBC,CAAc,IAEjCD,EAAkBC,CAAc,EAAIL,EAExC,CACF,CC1DO,MAAMM,CAA8C,CAMzD,YAA4BpD,EAAqC,CAArC,KAAA,QAAAA,CAC5B,CAQA,QAAQqB,EAAgD,CAItD,OAAO,KAAK,QAAQ,QAAQ,KAC1B,KAAK,QAAQ,SACb,CACE,KAAMA,CAAA,EAER,CACE,gBAAiBgC,EAAAA,iBAAiB,KAClC,eAAgB,IAAI,CAAC,CAACvD,EAAoC,EAAI,CAAC,CAAC,CAAA,CAClE,CAEJ,CACF,CCvEO,MAAMwD,EAA0B,cAKhC,MAAMC,UACHvC,EAAAA,UACsB,CAC9B,YACEC,EAAcqC,EACE1B,EAAsB,EACtC,CACA,MAAM,CACJ,IAAAX,EACA,QAASE,EAAAA,wBAAA,EACT,WAAY,IAAIc,EAA4BL,CAAW,CAAA,CACxD,EANe,KAAA,YAAAA,CAOlB,CAEA,kBAAkBO,EAAgC,CAChD,KAAK,IAAI,IAAIH,EAAkBG,CAAc,CAAC,CAChD,CACF"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ahoo-wang/fetcher-cosec",
-  "version": "2.8.3",
+  "version": "2.8.6",
   "description": "CoSec authentication integration for Fetcher HTTP client with enterprise-grade security features. Provides automatic token management, device ID persistence, and request tracking.",
   "keywords": [
     "fetch",