@ahoo-wang/fetcher-cosec 3.13.15 → 3.15.1

package/dist/index.es.js

@@ -1,929 +1,273 @@
-import { DEFAULT_INTERCEPTOR_ORDER_STEP as I, FetcherError as y, URL_RESOLVE_INTERCEPTOR_ORDER as m, ResultExtractors as v } from "@ahoo-wang/fetcher";
-import { nanoid as b } from "nanoid";
-import { KeyStorage as p, typedIdentitySerializer as N } from "@ahoo-wang/fetcher-storage";
-import { BroadcastTypedEventBus as R, SerialTypedEventBus as T } from "@ahoo-wang/fetcher-eventbus";
-const a = class a {
+import { DEFAULT_INTERCEPTOR_ORDER_STEP as e, FetcherError as t, ResultExtractors as n, URL_RESOLVE_INTERCEPTOR_ORDER as r } from "@ahoo-wang/fetcher";
+import { nanoid as i } from "nanoid";
+import { KeyStorage as a, typedIdentitySerializer as o } from "@ahoo-wang/fetcher-storage";
+import { BroadcastTypedEventBus as s, SerialTypedEventBus as c } from "@ahoo-wang/fetcher-eventbus";
+//#region src/types.ts
+var l = class {
+	static {
+		this.DEVICE_ID = "CoSec-Device-Id";
+	}
+	static {
+		this.APP_ID = "CoSec-App-Id";
+	}
+	static {
+		this.SPACE_ID = "CoSec-Space-Id";
+	}
+	static {
+		this.AUTHORIZATION = "Authorization";
+	}
+	static {
+		this.REQUEST_ID = "CoSec-Request-Id";
+	}
+}, u = class {
+	static {
+		this.UNAUTHORIZED = 401;
+	}
+	static {
+		this.FORBIDDEN = 403;
+	}
+}, d = {
+	ALLOW: {
+		authorized: !0,
+		reason: "Allow"
+	},
+	EXPLICIT_DENY: {
+		authorized: !1,
+		reason: "Explicit Deny"
+	},
+	IMPLICIT_DENY: {
+		authorized: !1,
+		reason: "Implicit Deny"
+	},
+	TOKEN_EXPIRED: {
+		authorized: !1,
+		reason: "Token Expired"
+	},
+	TOO_MANY_REQUESTS: {
+		authorized: !1,
+		reason: "Too Many Requests"
+	}
+}, f = class {
+	generateId() {
+		return i();
+	}
+}, p = new f(), m = { resolveSpaceId: () => null }, h = "cosec-space-id", g = class extends a {
+	constructor({ key: e = h, eventBus: t = new s({ delegate: new c(h) }), ...n } = {}) {
+		super({
+			key: e,
+			eventBus: t,
+			...n,
+			serializer: o()
+		});
+	}
+}, _ = class {
+	constructor(e) {
+		this.options = e;
+	}
+	resolveSpaceId(e) {
+		return this.options.spacedResourcePredicate.test(e) ? this.options.spaceIdStorage.get() : null;
+	}
+}, v = "CoSecRequestInterceptor", y = -(2 ** 53 - 1) + e, b = "Ignore-Refresh-Token", x = class {
+	constructor({ appId: e, deviceIdStorage: t, spaceIdProvider: n }) {
+		this.name = v, this.order = y, this.appId = e, this.deviceIdStorage = t, this.spaceIdProvider = n ?? m;
+	}
+	async intercept(e) {
+		let t = p.generateId(), n = this.deviceIdStorage.getOrCreate(), r = this.spaceIdProvider.resolveSpaceId(e), i = e.ensureRequestHeaders();
+		i[l.APP_ID] = this.appId, i[l.DEVICE_ID] = n, i[l.REQUEST_ID] = t, r && (i[l.SPACE_ID] = r);
+	}
+}, S = "AuthorizationRequestInterceptor", C = y + e, w = class {
+	constructor(e) {
+		this.options = e, this.name = S, this.order = C;
+	}
+	async intercept(e) {
+		let t = this.options.tokenManager.currentToken, n = e.ensureRequestHeaders();
+		!t || n[l.AUTHORIZATION] || (!e.attributes.has("Ignore-Refresh-Token") && t.isRefreshNeeded && t.isRefreshable && await this.options.tokenManager.refresh(), t = this.options.tokenManager.currentToken, t && (n[l.AUTHORIZATION] = `Bearer ${t.access.token}`));
+	}
+}, T = "AuthorizationResponseInterceptor", E = -(2 ** 53 - 1) + 1e3, D = class {
+	constructor(e) {
+		this.options = e, this.name = T, this.order = E;
+	}
+	async intercept(e) {
+		let t = e.response;
+		if (t && t.status === u.UNAUTHORIZED && this.options.tokenManager.isRefreshable) try {
+			await this.options.tokenManager.refresh(), await e.fetcher.interceptors.exchange(e);
+		} catch (e) {
+			throw this.options.tokenManager.tokenStorage.remove(), e;
+		}
+	}
+}, O = "cosec-device-id", k = class extends a {
+	constructor({ key: e = O, eventBus: t = new s({ delegate: new c(O) }), ...n } = {}) {
+		super({
+			key: e,
+			eventBus: t,
+			...n,
+			serializer: o()
+		});
+	}
+	generateDeviceId() {
+		return p.generateId();
+	}
+	getOrCreate() {
+		let e = this.get();
+		return e || (e = this.generateDeviceId(), this.set(e)), e;
+	}
+}, A = "ForbiddenErrorInterceptor", j = 0, M = class {
+	constructor(e) {
+		this.options = e, this.name = A, this.order = 0;
+	}
+	async intercept(e) {
+		e.response?.status === u.FORBIDDEN && await this.options.onForbidden(e);
+	}
+}, N = class e extends t {
+	constructor(t, n) {
+		super("Refresh token failed.", n), this.token = t, this.name = "RefreshTokenError", Object.setPrototypeOf(this, e.prototype);
+	}
+}, P = class {
+	constructor(e, t) {
+		this.tokenStorage = e, this.tokenRefresher = t;
+	}
+	get currentToken() {
+		return this.tokenStorage.get();
+	}
+	async refresh() {
+		let e = this.currentToken;
+		if (!e) throw Error("No token found");
+		return this.refreshInProgress ||= this.tokenRefresher.refresh(e.token).then((e) => {
+			this.tokenStorage.setCompositeToken(e);
+		}).catch((t) => {
+			throw this.tokenStorage.remove(), new N(e, t);
+		}).finally(() => {
+			this.refreshInProgress = void 0;
+		}), this.refreshInProgress;
+	}
+	get isRefreshNeeded() {
+		return this.currentToken ? this.currentToken.isRefreshNeeded : !1;
+	}
+	get isRefreshable() {
+		return this.currentToken ? this.currentToken.isRefreshable : !1;
+	}
+}, F = "tenantId", I = "ownerId", L = "ResourceAttributionRequestInterceptor", R = r - e, z = class {
+	constructor({ tenantId: e = F, ownerId: t = I, tokenStorage: n }) {
+		this.name = L, this.order = R, this.tenantIdPathKey = e, this.ownerIdPathKey = t, this.tokenStorage = n;
+	}
+	intercept(e) {
+		let t = this.tokenStorage.get();
+		if (!t) return;
+		let n = t.access.payload;
+		if (!n || !n.tenantId && !n.sub) return;
+		let r = e.fetcher.urlBuilder.urlTemplateResolver.extractPathParams(e.request.url), i = this.tenantIdPathKey, a = e.ensureRequestUrlParams().path, o = n.tenantId;
+		o && r.includes(i) && !a[i] && (a[i] = o);
+		let s = this.ownerIdPathKey, c = n.sub;
+		c && r.includes(s) && !a[s] && (a[s] = c);
+	}
 };
-a.DEVICE_ID = "CoSec-Device-Id", a.APP_ID = "CoSec-App-Id", a.SPACE_ID = "CoSec-Space-Id", a.AUTHORIZATION = "Authorization", a.REQUEST_ID = "CoSec-Request-Id";
-let i = a;
-const u = class u {
-};
-u.UNAUTHORIZED = 401, u.FORBIDDEN = 403;
-let h = u;
-const he = {
-  ALLOW: { authorized: !0, reason: "Allow" },
-  EXPLICIT_DENY: { authorized: !1, reason: "Explicit Deny" },
-  IMPLICIT_DENY: { authorized: !1, reason: "Implicit Deny" },
-  TOKEN_EXPIRED: { authorized: !1, reason: "Token Expired" },
-  TOO_MANY_REQUESTS: { authorized: !1, reason: "Too Many Requests" }
-};
-class z {
-  /**
-   * Generate a unique request ID.
-   *
-   * @returns A unique request ID
-   */
-  generateId() {
-    return b();
-  }
-}
-const P = new z(), k = {
-  resolveSpaceId: () => null
-}, O = "cosec-space-id";
-class ue extends p {
-  /**
-   * Creates a new SpaceIdStorage instance.
-   *
-   * @param options - Optional configuration options for the storage
-   * @param options.key - The storage key (defaults to DEFAULT_COSEC_SPACE_ID_KEY)
-   * @param options.eventBus - Custom event bus for cross-tab communication
-   * @param options.storage - Custom storage implementation (defaults to localStorage)
-   * @param options.serializer - Custom serializer (defaults to identity serializer)
-   * @param options.defaultValue - Default value when no space ID is stored
-   *
-   * @throws Error if the underlying storage is unavailable
-   *
-   * @example
-   * ```typescript
-   * // Default configuration
-   * const storage = new SpaceIdStorage();
-   *
-   * // With custom options
-   * const storage = new SpaceIdStorage({
-   *   key: 'custom-space-key',
-   *   storage: sessionStorage,
-   *   defaultValue: 'default-space'
-   * });
-   * ```
-   */
-  constructor({
-    key: e = O,
-    eventBus: t = new R({
-      delegate: new T(O)
-    }),
-    ...r
-  } = {}) {
-    super({ key: e, eventBus: t, ...r, serializer: N() });
-  }
-}
-class de {
-  /**
-   * Creates a new DefaultSpaceIdProvider instance.
-   *
-   * @param options - The configuration options containing the predicate and storage
-   * @param options.spacedResourcePredicate - Determines which requests require space scoping
-   * @param options.spaceIdStorage - Provides access to the persisted space identifier
-   *
-   * @example
-   * ```typescript
-   * const provider = new DefaultSpaceIdProvider({
-   *   spacedResourcePredicate: {
-   *     test: (exchange) => exchange.request.url.includes('/api/')
-   *   },
-   *   spaceIdStorage: new SpaceIdStorage()
-   * });
-   * ```
-   */
-  constructor(e) {
-    this.options = e;
-  }
-  /**
-   * Resolves the space identifier for a given fetch exchange.
-   *
-   * This method first checks if the request requires space scoping by
-   * evaluating the predicate. If the predicate returns true, it retrieves
-   * the space ID from storage. Otherwise, it returns null.
-   *
-   * @param exchange - The fetch exchange containing the HTTP request details
-   * @returns The space identifier if the request requires scoping and one exists,
-   *         otherwise null
-   *
-   * @example
-   * ```typescript
-   * const provider = new DefaultSpaceIdProvider({
-   *   spacedResourcePredicate: {
-   *     test: (exchange) => exchange.request.url.includes('/spaced/')
-   *   },
-   *   spaceIdStorage: new SpaceIdStorage()
-   * });
-   *
-   * // For a request to /api/spaces/workspace-alpha/resources
-   * const exchange = createMockExchange({ url: '/api/spaces/workspace-alpha/resources' });
-   * const spaceId = provider.resolveSpaceId(exchange); // Returns stored space ID
-   *
-   * // For a request to /api/public/resources
-   * const publicExchange = createMockExchange({ url: '/api/public/resources' });
-   * const noSpace = provider.resolveSpaceId(publicExchange); // Returns null
-   * ```
-   */
-  resolveSpaceId(e) {
-    return this.options.spacedResourcePredicate.test(e) ? this.options.spaceIdStorage.get() : null;
-  }
-}
-const M = "CoSecRequestInterceptor", A = Number.MIN_SAFE_INTEGER + I, D = "Ignore-Refresh-Token";
-class q {
-  /**
-   * Creates a new CoSecRequestInterceptor instance.
-   *
-   * @param options - The CoSec configuration options
-   * @param options.appId - The application identifier for CoSec authentication
-   * @param options.deviceIdStorage - Storage for device identifier management
-   * @param options.spaceIdProvider - Optional provider for space identification
-   *
-   * @throws Error if appId is empty or not provided
-   * @throws Error if deviceIdStorage is not provided
-   *
-   * @example
-   * ```typescript
-   * // Basic instantiation
-   * const interceptor = new CoSecRequestInterceptor({
-   *   appId: 'my-web-app',
-   *   deviceIdStorage: new DeviceIdStorage()
-   * });
-   *
-   * // With custom device ID storage
-   * const customStorage = new DeviceIdStorage({
-   *   key: 'custom-device-key',
-   *   storage: sessionStorage
-   * });
-   * const interceptorWithCustom = new CoSecRequestInterceptor({
-   *   appId: 'my-web-app',
-   *   deviceIdStorage: customStorage
-   * });
-   *
-   * // With space support
-   * const spaceStorage = new SpaceIdStorage();
-   * const spaceProvider = new DefaultSpaceIdProvider({
-   *   spacedResourcePredicate: { test: (e) => true },
-   *   spaceIdStorage: spaceStorage
-   * });
-   * const interceptorWithSpace = new CoSecRequestInterceptor({
-   *   appId: 'my-web-app',
-   *   deviceIdStorage,
-   *   spaceIdProvider: spaceProvider
-   * });
-   * ```
-   */
-  constructor({
-    appId: e,
-    deviceIdStorage: t,
-    spaceIdProvider: r
-  }) {
-    this.name = M, this.order = A, this.appId = e, this.deviceIdStorage = t, this.spaceIdProvider = r ?? k;
-  }
-  /**
-   * Intercepts outgoing requests to add CoSec authentication headers.
-   *
-   * This method is called by the Fetcher interceptor chain for each request.
-   * It enriches the request with security headers before the HTTP request is made.
-   *
-   * **Header Injection Process:**
-   * 1. Generates a unique request ID using the idGenerator
-   * 2. Retrieves or creates a device ID from deviceIdStorage
-   * 3. Resolves space ID from spaceIdProvider (if applicable)
-   * 4. Adds all headers to the request
-   *
-   * @param exchange - The fetch exchange containing the request to process
-   *
-   * @remarks
-   * **Header Values:**
-   * - `CoSec-App-Id`: Always set to the configured appId
-   * - `CoSec-Device-Id`: Retrieved from storage or newly generated
-   * - `CoSec-Request-Id`: Unique per request (not persisted)
-   * - `CoSec-Space-Id`: Set only if spaceIdProvider returns a value
-   *
-   * **Error Handling:**
-   * - If deviceIdStorage.getOrCreate() throws, the error propagates
-   * - If spaceIdProvider.resolveSpaceId() throws, the error propagates
-   * - If ensureRequestHeaders() fails, the error propagates
-   *
-   * **Thread Safety:**
-   * - The idGenerator is safe for concurrent use
-   * - deviceIdStorage handles concurrent access internally
-   * - Each request gets a unique request ID
-   *
-   * @example
-   * ```typescript
-   * // The interceptor is called automatically by Fetcher
-   * const fetcher = new Fetcher()
-   *   .addInterceptor(new CoSecRequestInterceptor({
-   *     appId: 'my-app',
-   *     deviceIdStorage: new DeviceIdStorage()
-   *   }));
-   *
-   * // This request will have CoSec headers added
-   * const response = await fetcher.get('/api/data');
-   * ```
-   *
-   * @example
-   * ```typescript
-   * // Headers added to outgoing request:
-   * // GET /api/users HTTP/1.1
-   * // Host: api.example.com
-   * // CoSec-App-Id: my-app
-   * // CoSec-Device-Id: abc123xyz789
-   * // CoSec-Request-Id: req_abc123def456
-   * // CoSec-Space-Id: workspace-alpha  (if space resolved)
-   * ```
-   */
-  async intercept(e) {
-    const t = P.generateId(), r = this.deviceIdStorage.getOrCreate(), o = this.spaceIdProvider.resolveSpaceId(e), n = e.ensureRequestHeaders();
-    n[i.APP_ID] = this.appId, n[i.DEVICE_ID] = r, n[i.REQUEST_ID] = t, o && (n[i.SPACE_ID] = o);
-  }
-}
-const F = "AuthorizationRequestInterceptor", K = A + I;
-class B {
-  /**
-   * Creates an AuthorizationRequestInterceptor instance.
-   *
-   * @param options - Configuration options containing the token manager
-   */
-  constructor(e) {
-    this.options = e, this.name = F, this.order = K;
-  }
-  /**
-   * Intercepts the request exchange to add authorization headers.
-   *
-   * This method performs the following operations:
-   * 1. Checks if a token exists and if Authorization header is already set
-   * 2. Refreshes the token if needed, possible, and not explicitly ignored
-   * 3. Adds the Authorization header with Bearer token if a token is available
-   *
-   * @param exchange - The fetch exchange containing request information
-   * @returns Promise that resolves when the interception is complete
-   */
-  async intercept(e) {
-    let t = this.options.tokenManager.currentToken;
-    const r = e.ensureRequestHeaders();
-    !t || r[i.AUTHORIZATION] || (!e.attributes.has(D) && t.isRefreshNeeded && t.isRefreshable && await this.options.tokenManager.refresh(), t = this.options.tokenManager.currentToken, t && (r[i.AUTHORIZATION] = `Bearer ${t.access.token}`));
-  }
-}
-const H = "AuthorizationResponseInterceptor", Z = Number.MIN_SAFE_INTEGER + 1e3;
-class x {
-  /**
-   * Creates a new AuthorizationResponseInterceptor instance.
-   * @param options - The CoSec configuration options including token storage and refresher
-   */
-  constructor(e) {
-    this.options = e, this.name = H, this.order = Z;
-  }
-  /**
-   * Intercepts the response and handles unauthorized responses by refreshing tokens.
-   * @param exchange - The fetch exchange containing request and response information
-   */
-  async intercept(e) {
-    const t = e.response;
-    if (t && t.status === h.UNAUTHORIZED && this.options.tokenManager.isRefreshable)
-      try {
-        await this.options.tokenManager.refresh(), await e.fetcher.interceptors.exchange(e);
-      } catch (r) {
-        throw this.options.tokenManager.tokenStorage.remove(), r;
-      }
-  }
-}
-const _ = "cosec-device-id";
-class J extends p {
-  constructor({
-    key: e = _,
-    eventBus: t = new R({
-      delegate: new T(_)
-    }),
-    ...r
-  } = {}) {
-    super({ key: e, eventBus: t, ...r, serializer: N() });
-  }
-  /**
-   * Generate a new device ID.
-   *
-   * @returns A newly generated device ID
-   */
-  generateDeviceId() {
-    return P.generateId();
-  }
-  /**
-   * Get or create a device ID.
-   *
-   * @returns The existing device ID if available, otherwise a newly generated one
-   */
-  getOrCreate() {
-    let e = this.get();
-    return e || (e = this.generateDeviceId(), this.set(e)), e;
-  }
-}
-const L = "ForbiddenErrorInterceptor", Q = 0;
-class Y {
-  /**
-   * Creates a new ForbiddenErrorInterceptor instance.
-   *
-   * @param options - Configuration options containing the callback to handle forbidden responses.
-   *                  Must include the `onForbidden` callback function.
-   *
-   * @throws Will throw an error if options are not provided or if `onForbidden` callback is missing.
-   *
-   * @example
-   * ```typescript
-   * const interceptor = new ForbiddenErrorInterceptor({
-   *   onForbidden: async (exchange) => {
-   *     // Handle forbidden access
-   *   }
-   * });
-   * ```
-   */
-  constructor(e) {
-    this.options = e, this.name = L, this.order = Q;
-  }
-  /**
-   * Intercepts fetch exchanges to detect and handle forbidden (403) responses.
-   *
-   * This method examines the response status code and invokes the configured `onForbidden`
-   * callback when a 403 Forbidden response is detected. The method is asynchronous to
-   * allow the callback to perform async operations like API calls, redirects, or UI updates.
-   *
-   * The interceptor only acts on responses with status code 403. Other error codes are
-   * ignored and passed through to other error interceptors in the chain.
-   *
-   * @param exchange - The fetch exchange containing request, response, and error information
-   *                   to be inspected for forbidden status codes. The exchange object provides
-   *                   access to the original request, response details, and any error information.
-   * @returns Promise that resolves when the forbidden error handling is complete.
-   *          Returns void - the method does not modify the exchange or return values.
-   *
-   * @remarks
-   * - Only responds to HTTP 403 status codes
-   * - Does not retry requests or modify responses
-   * - Allows async operations in the callback
-   * - Does not throw exceptions - delegates all error handling to the callback
-   * - Safe to use with other error interceptors
-   *
-   * @example
-   * ```typescript
-   * // The intercept method is called automatically by the fetcher
-   * // No manual invocation needed - this is for documentation purposes
-   * const interceptor = new ForbiddenErrorInterceptor({
-   *   onForbidden: async (exchange) => {
-   *     // exchange.response.status === 403
-   *     // exchange.request contains original request details
-   *     await handleForbiddenAccess(exchange);
-   *   }
-   * });
-   * ```
-   */
-  async intercept(e) {
-    e.response?.status === h.FORBIDDEN && await this.options.onForbidden(e);
-  }
-}
-class d extends y {
-  constructor(e, t) {
-    super("Refresh token failed.", t), this.token = e, this.name = "RefreshTokenError", Object.setPrototypeOf(this, d.prototype);
-  }
-}
-class j {
-  /**
-   * Creates a new JwtTokenManager instance
-   * @param tokenStorage The storage used to persist tokens
-   * @param tokenRefresher The refresher used to refresh expired tokens
-   */
-  constructor(e, t) {
-    this.tokenStorage = e, this.tokenRefresher = t;
-  }
-  /**
-   * Gets the current JWT composite token from storage
-   * @returns The current token or null if none exists
-   */
-  get currentToken() {
-    return this.tokenStorage.get();
-  }
-  /**
-   * Refreshes the JWT token
-   * @returns Promise that resolves when refresh is complete
-   * @throws Error if no token is found or refresh fails
-   */
-  async refresh() {
-    const e = this.currentToken;
-    if (!e)
-      throw new Error("No token found");
-    return this.refreshInProgress ? this.refreshInProgress : (this.refreshInProgress = this.tokenRefresher.refresh(e.token).then((t) => {
-      this.tokenStorage.setCompositeToken(t);
-    }).catch((t) => {
-      throw this.tokenStorage.remove(), new d(e, t);
-    }).finally(() => {
-      this.refreshInProgress = void 0;
-    }), this.refreshInProgress);
-  }
-  /**
-   * Indicates if the current token needs to be refreshed
-   * @returns true if the access token is expired and needs refresh, false otherwise
-   */
-  get isRefreshNeeded() {
-    return this.currentToken ? this.currentToken.isRefreshNeeded : !1;
-  }
-  /**
-   * Indicates if the current token can be refreshed
-   * @returns true if the refresh token is still valid, false otherwise
-   */
-  get isRefreshable() {
-    return this.currentToken ? this.currentToken.isRefreshable : !1;
-  }
-}
-const G = "tenantId", V = "ownerId", W = "ResourceAttributionRequestInterceptor", X = m - I;
-class $ {
-  /**
-   * Creates a new ResourceAttributionRequestInterceptor
-   * @param options - Configuration options for resource attribution including tenantId, ownerId and tokenStorage
-   */
-  constructor({
-    tenantId: e = G,
-    ownerId: t = V,
-    tokenStorage: r
-  }) {
-    this.name = W, this.order = X, this.tenantIdPathKey = e, this.ownerIdPathKey = t, this.tokenStorage = r;
-  }
-  /**
-   * Intercepts outgoing requests and automatically adds tenant and owner ID path parameters
-   * if they are defined in the URL template but not provided in the request.
-   * @param exchange - The fetch exchange containing the request information
-   */
-  intercept(e) {
-    const t = this.tokenStorage.get();
-    if (!t)
-      return;
-    const r = t.access.payload;
-    if (!r || !r.tenantId && !r.sub)
-      return;
-    const o = e.fetcher.urlBuilder.urlTemplateResolver.extractPathParams(
-      e.request.url
-    ), n = this.tenantIdPathKey, c = e.ensureRequestUrlParams().path, l = r.tenantId;
-    l && o.includes(n) && !c[n] && (c[n] = l);
-    const E = this.ownerIdPathKey, f = r.sub;
-    f && o.includes(E) && !c[E] && (c[E] = f);
-  }
-}
-function w(s) {
-  try {
-    if (typeof s != "string")
-      return null;
-    const e = s.split(".");
-    if (e.length !== 3)
-      return null;
-    const r = e[1].replace(/-/g, "+").replace(/_/g, "/"), o = r.padEnd(
-      r.length + (4 - r.length % 4) % 4,
-      "="
-    ), n = decodeURIComponent(
-      atob(o).split("").map(function(c) {
-        return "%" + ("00" + c.charCodeAt(0).toString(16)).slice(-2);
-      }).join("")
-    );
-    return JSON.parse(n);
-  } catch (e) {
-    return console.error("Failed to parse JWT token", e), null;
-  }
-}
-function ee(s, e = 0) {
-  const t = typeof s == "string" ? w(s) : s;
-  if (!t)
-    return !0;
-  const r = t.exp;
-  return r ? Date.now() / 1e3 > r - e : !1;
-}
-class g {
-  /**
-   * Creates a new JwtToken instance.
-   *
-   * Parses the JWT token string to extract the payload and stores the early period
-   * for expiration checks.
-   *
-   * @param token The raw JWT token string to parse
-   * @param earlyPeriod The early expiration period in milliseconds (default: 0).
-   *                   Tokens are considered expired this many milliseconds before their actual expiration time.
-   *
-   * @throws Will not throw but payload will be null if token parsing fails
-   */
-  constructor(e, t = 0) {
-    this.token = e, this.earlyPeriod = t, this.payload = w(e);
-  }
-  /**
-   * Checks if the token is expired.
-   *
-   * Considers both the token's expiration time and the early period.
-   * Returns true if the payload is null (parsing failed) or if the token is expired.
-   *
-   * @returns true if the token is expired or invalid, false otherwise
-   */
-  get isExpired() {
-    return this.payload ? ee(this.payload, this.earlyPeriod) : !0;
-  }
-}
-class U {
-  /**
-   * Creates a new JwtCompositeToken instance.
-   *
-   * Initializes both access and refresh token instances with the provided early period.
-   *
-   * @param token The composite token containing access and refresh token strings
-   * @param earlyPeriod The early expiration period in milliseconds (default: 0)
-   */
-  constructor(e, t = 0) {
-    this.token = e, this.earlyPeriod = t, this.access = new g(e.accessToken, t), this.refresh = new g(e.refreshToken, t);
-  }
-  /**
-   * Checks if the access token needs to be refreshed.
-   *
-   * @returns true if the access token is expired, false otherwise
-   */
-  get isRefreshNeeded() {
-    return this.access.isExpired;
-  }
-  /**
-   * Checks if the refresh token is still valid and can be used to refresh the access token.
-   *
-   * @returns true if the refresh token is not expired, false otherwise
-   */
-  get isRefreshable() {
-    return !this.refresh.isExpired;
-  }
-  /**
-   * Checks if the user is currently authenticated (access token is valid).
-   *
-   * @returns true if the access token is not expired, false otherwise
-   */
-  get authenticated() {
-    return !this.access.isExpired;
-  }
-}
-class C {
-  /**
-   * Creates a new JwtCompositeTokenSerializer instance.
-   *
-   * @param earlyPeriod The early expiration period in milliseconds to use for deserialized tokens (default: 0)
-   */
-  constructor(e = 0) {
-    this.earlyPeriod = e;
-  }
-  /**
-   * Deserializes a JSON string to a JwtCompositeToken.
-   *
-   * Parses the JSON string and creates a new JwtCompositeToken instance with the stored tokens.
-   *
-   * @param value The JSON string representation of a composite token
-   * @returns A JwtCompositeToken instance
-   * @throws SyntaxError if the JSON string is invalid
-   * @throws Error if the parsed object doesn't match the expected CompositeToken structure
-   */
-  deserialize(e) {
-    const t = JSON.parse(e);
-    return new U(t, this.earlyPeriod);
-  }
-  /**
-   * Serializes a JwtCompositeToken to a JSON string.
-   *
-   * Converts the composite token to a JSON string for storage.
-   *
-   * @param value The JwtCompositeToken to serialize
-   * @returns A JSON string representation of the composite token
-   */
-  serialize(e) {
-    return JSON.stringify(e.token);
-  }
-}
-const Ee = new C(), S = "cosec-token";
-class te extends p {
-  /**
-   * Creates a new TokenStorage instance.
-   * @param options - Configuration options for the token storage.
-   * @param options.key - The storage key for tokens. Defaults to DEFAULT_COSEC_TOKEN_KEY.
-   * @param options.eventBus - Event bus for token change notifications. Defaults to a BroadcastTypedEventBus with SerialTypedEventBus delegate.
-   * @param options.earlyPeriod - Early period for token refresh in milliseconds. Defaults to 0.
-   * @param reset - Additional options passed to KeyStorage.
-   */
-  constructor({
-    key: e = S,
-    eventBus: t = new R({
-      delegate: new T(S)
-    }),
-    earlyPeriod: r = 0,
-    ...o
-  } = {}) {
-    super({
-      key: e,
-      eventBus: t,
-      ...o,
-      serializer: new C(r)
-    }), this.earlyPeriod = r;
-  }
-  /**
-   * Sets a composite token in storage.
-   * Converts the composite token to a JwtCompositeToken and stores it.
-   * @deprecated Use signIn() instead for better semantic clarity.
-   * @param compositeToken - The composite token containing access and refresh tokens.
-   */
-  setCompositeToken(e) {
-    this.signIn(e);
-  }
-  /**
-   * Signs in by storing the composite token.
-   * @param compositeToken - The composite token to store for authentication.
-   */
-  signIn(e) {
-    this.set(new U(e, this.earlyPeriod));
-  }
-  /**
-   * Signs out by removing the stored token.
-   * Clears the token from storage.
-   */
-  signOut() {
-    this.remove();
-  }
-  /**
-   * Checks if the user is authenticated.
-   * @returns true if a valid token is present and authenticated, false otherwise.
-   */
-  get authenticated() {
-    return this.get()?.authenticated === !0;
-  }
-  /**
-   * Gets the current user's JWT payload.
-   * @returns The JWT payload of the current user if authenticated, null otherwise.
-   */
-  get currentUser() {
-    return this.authenticated ? this.get()?.access.payload ?? null : null;
-  }
-}
-const re = "UnauthorizedErrorInterceptor", se = 0;
-class oe {
-  /**
-   * Creates a new UnauthorizedErrorInterceptor instance.
-   *
-   * @param options - Configuration options containing the callback to handle unauthorized responses
-   */
-  constructor(e) {
-    this.options = e, this.name = re, this.order = se;
-  }
-  /**
-   * Intercepts fetch exchanges to detect and handle unauthorized (401) responses
-   * and RefreshTokenError exceptions.
-   *
-   * This method checks if the response status is 401 (Unauthorized) or if the exchange
-   * contains an error of type `RefreshTokenError`. If either condition is met, it invokes
-   * the configured `onUnauthorized` callback with the exchange details. The method
-   * does not return a value or throw exceptions - all error handling is delegated
-   * to the callback function.
-   *
-   * @param exchange - The fetch exchange containing request, response, and error information
-   *                   to be inspected for unauthorized status codes or refresh token errors
-   * @returns {void} This method does not return a value
-   *
-   * @example
-   * ```typescript
-   * const interceptor = new UnauthorizedErrorInterceptor({
-   *   onUnauthorized: (exchange) => {
-   *      // Custom logic here
-   *   }
-   * });
-   * ```
-   */
-  async intercept(e) {
-    (e.response?.status === h.UNAUTHORIZED || e.error instanceof d) && await this.options.onUnauthorized(e);
-  }
-}
-class Ie {
-  /**
-   * Creates a new CoSecConfigurer instance with the provided configuration.
-   *
-   * The constructor performs dependency initialization:
-   * - Creates or wraps tokenStorage and deviceIdStorage with defaults
-   * - Initializes spaceIdProvider (defaults to NoneSpaceIdProvider)
-   * - Conditionally creates tokenManager only if tokenRefresher is provided
-   *
-   * @param config - CoSec configuration object containing all settings
-   *
-   * @throws Error if appId is not provided
-   * @throws Error if provided dependencies are invalid
-   *
-   * @example
-   * ```typescript
-   * // Full configuration
-   * const configurer = new CoSecConfigurer({
-   *   appId: 'my-app',
-   *   tokenStorage: customTokenStorage,
-   *   deviceIdStorage: customDeviceStorage,
-   *   tokenRefresher: myRefresher,
-   *   spaceIdProvider: mySpaceProvider,
-   *   onUnauthorized: handle401,
-   *   onForbidden: handle403
-   * });
-   *
-   * // Minimal configuration
-   * const configurer = new CoSecConfigurer({
-   *   appId: 'my-app'
-   * });
-   *
-   * // Custom storage with default refresh
-   * const configurer = new CoSecConfigurer({
-   *   appId: 'my-app',
-   *   tokenStorage: encryptedStorage,
-   *   deviceIdStorage: customDeviceStorage
-   * });
-   * ```
-   */
-  constructor(e) {
-    this.config = e, this.tokenStorage = e.tokenStorage ?? new te(), this.deviceIdStorage = e.deviceIdStorage ?? new J(), this.spaceIdProvider = e.spaceIdProvider ?? k, e.tokenRefresher && (this.tokenManager = new j(
-      this.tokenStorage,
-      e.tokenRefresher
-    ));
-  }
-  /**
-   * Applies CoSec interceptors to the specified Fetcher instance.
-   *
-   * This method registers all configured interceptors with the Fetcher's
-   * interceptor chain. The registration is conditional based on the config:
-   *
-   * **Always Registered (Headers & Attribution):**
-   * - CoSecRequestInterceptor: Injects security headers
-   * - ResourceAttributionRequestInterceptor: Adds tenant attribution parameters
-   *
-   * **Conditional Registration (Authentication):**
-   * - AuthorizationRequestInterceptor: Adds Bearer token [requires tokenRefresher]
-   * - AuthorizationResponseInterceptor: Handles 401 refresh [requires tokenRefresher]
-   *
-   * **Conditional Registration (Error Handling):**
-   * - UnauthorizedErrorInterceptor: Custom 401 handling [requires onUnauthorized]
-   * - ForbiddenErrorInterceptor: Custom 403 handling [requires onForbidden]
-   *
-   * @param fetcher - The Fetcher instance to configure with CoSec interceptors
-   *
-   * @throws Error if fetcher is null or undefined
-   *
-   * @example
-   * ```typescript
-   * const fetcher = new Fetcher({ baseUrl: 'https://api.example.com' });
-   *
-   * const configurer = new CoSecConfigurer({
-   *   appId: 'my-app',
-   *   tokenRefresher: myRefresher,
-   *   onUnauthorized: () => redirectToLogin(),
-   *   onForbidden: () => showError()
-   * });
-   *
-   * configurer.applyTo(fetcher);
-   *
-   * // Now fetcher has all CoSec interceptors configured
-   * const data = await fetcher.get('/api/data');
-   * ```
-   *
-   * @example
-   * ```typescript
-   * // Applying to multiple fetchers
-   * const apiFetcher = new Fetcher({ baseUrl: 'https://api.example.com' });
-   * const adminFetcher = new Fetcher({ baseUrl: 'https://admin.example.com' });
-   *
-   * const configurer = new CoSecConfigurer({
-   *   appId: 'my-app',
-   *   tokenRefresher: myRefresher,
-   *   onForbidden: showAccessDenied
-   * });
-   *
-   * // Apply same configuration to multiple fetchers
-   * configurer.applyTo(apiFetcher);
-   * configurer.applyTo(adminFetcher);
-   * ```
-   */
-  applyTo(e) {
-    e.interceptors.request.use(
-      new q({
-        appId: this.config.appId,
-        deviceIdStorage: this.deviceIdStorage,
-        spaceIdProvider: this.spaceIdProvider
-      })
-    ), e.interceptors.request.use(
-      new $({
-        tokenStorage: this.tokenStorage
-      })
-    ), this.tokenManager && (e.interceptors.request.use(
-      new B({
-        tokenManager: this.tokenManager
-      })
-    ), e.interceptors.response.use(
-      new x({
-        tokenManager: this.tokenManager
-      })
-    )), this.config.onUnauthorized && e.interceptors.error.use(
-      new oe({
-        onUnauthorized: this.config.onUnauthorized
-      })
-    ), this.config.onForbidden && e.interceptors.error.use(
-      new Y({
-        onForbidden: this.config.onForbidden
-      })
-    );
-  }
+//#endregion
+//#region src/jwts.ts
+function B(e) {
+	try {
+		if (typeof e != "string") return null;
+		let t = e.split(".");
+		if (t.length !== 3) return null;
+		let n = t[1].replace(/-/g, "+").replace(/_/g, "/"), r = n.padEnd(n.length + (4 - n.length % 4) % 4, "="), i = decodeURIComponent(atob(r).split("").map(function(e) {
+			return "%" + ("00" + e.charCodeAt(0).toString(16)).slice(-2);
+		}).join(""));
+		return JSON.parse(i);
+	} catch (e) {
+		return console.error("Failed to parse JWT token", e), null;
+	}
 }
-class pe {
-  /**
-   * Creates a new instance of CoSecTokenRefresher.
-   *
-   * @param {CoSecTokenRefresherOptions} options - The configuration options for the token refresher.
-   * @param {Fetcher} options.fetcher - The HTTP client instance used for making refresh requests.
-   * @param {string} options.endpoint - The URL endpoint for token refresh operations.
-   *
-   * @example
-   * ```typescript
-   * const refresher = new CoSecTokenRefresher({
-   *   fetcher: myFetcherInstance,
-   *   endpoint: '/api/v1/auth/refresh'
-   * });
-   * ```
-   */
-  constructor(e) {
-    this.options = e;
-  }
-  /**
-   * Refreshes the given composite token by sending a POST request to the configured endpoint.
-   *
-   * This method sends the current token pair to the refresh endpoint and expects
-   * a new CompositeToken in response.
-   *
-   * **CRITICAL**: The request includes a special
-   * attribute `attributes: new Map([[IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY, true]])`
-   * to prevent infinite loops. Without this attribute, the request interceptor
-   * may attempt to refresh the token again, causing a recursive loop.
-   *
-   * @param {CompositeToken} token - The composite token to refresh, containing both access and refresh tokens.
-   * @returns {Promise<CompositeToken>} A promise that resolves to a new CompositeToken with refreshed tokens.
-   * @throws {Error} Throws an error if the HTTP request fails, the server returns an error status, or the response cannot be parsed as JSON.
-   * @throws {NetworkError} Throws a network error if there are connectivity issues.
-   * @throws {AuthenticationError} Throws an authentication error if the refresh token is invalid or expired.
-   *
-   * @example
-   * ```typescript
-   * const refresher = new CoSecTokenRefresher({ fetcher, endpoint: '/auth/refresh' });
-   * const token = { accessToken: 'expired-token', refreshToken: 'valid-refresh-token' };
-   *
-   * try {
-   *   const newToken = await refresher.refresh(token);
-   *   console.log('Refreshed access token:', newToken.accessToken);
-   * } catch (error) {
-   *   console.error('Token refresh failed:', error.message);
-   * }
-   * ```
-   *
-   * @warning **Important**: Always include the `IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY` attribute
-   * in refresh requests to avoid infinite loops caused by recursive token refresh attempts.
-   */
-  refresh(e) {
-    return this.options.fetcher.post(
-      this.options.endpoint,
-      {
-        body: e
-      },
-      {
-        resultExtractor: v.Json,
-        attributes: /* @__PURE__ */ new Map([[D, !0]])
-      }
-    );
-  }
+function V(e, t = 0) {
+	let n = typeof e == "string" ? B(e) : e;
+	if (!n) return !0;
+	let r = n.exp;
+	return r ? Date.now() / 1e3 > r - t : !1;
 }
-export {
-  F as AUTHORIZATION_REQUEST_INTERCEPTOR_NAME,
-  K as AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER,
-  H as AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME,
-  Z as AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER,
-  B as AuthorizationRequestInterceptor,
-  x as AuthorizationResponseInterceptor,
-  he as AuthorizeResults,
-  M as COSEC_REQUEST_INTERCEPTOR_NAME,
-  A as COSEC_REQUEST_INTERCEPTOR_ORDER,
-  Ie as CoSecConfigurer,
-  i as CoSecHeaders,
-  q as CoSecRequestInterceptor,
-  pe as CoSecTokenRefresher,
-  _ as DEFAULT_COSEC_DEVICE_ID_KEY,
-  O as DEFAULT_COSEC_SPACE_ID_KEY,
-  S as DEFAULT_COSEC_TOKEN_KEY,
-  de as DefaultSpaceIdProvider,
-  J as DeviceIdStorage,
-  L as FORBIDDEN_ERROR_INTERCEPTOR_NAME,
-  Q as FORBIDDEN_ERROR_INTERCEPTOR_ORDER,
-  Y as ForbiddenErrorInterceptor,
-  D as IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY,
-  U as JwtCompositeToken,
-  C as JwtCompositeTokenSerializer,
-  g as JwtToken,
-  j as JwtTokenManager,
-  z as NanoIdGenerator,
-  k as NoneSpaceIdProvider,
-  W as RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME,
-  X as RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER,
-  d as RefreshTokenError,
-  $ as ResourceAttributionRequestInterceptor,
-  h as ResponseCodes,
-  ue as SpaceIdStorage,
-  te as TokenStorage,
-  re as UNAUTHORIZED_ERROR_INTERCEPTOR_NAME,
-  se as UNAUTHORIZED_ERROR_INTERCEPTOR_ORDER,
-  oe as UnauthorizedErrorInterceptor,
-  P as idGenerator,
-  ee as isTokenExpired,
-  Ee as jwtCompositeTokenSerializer,
-  w as parseJwtPayload
+//#endregion
+//#region src/jwtToken.ts
+var H = class {
+	constructor(e, t = 0) {
+		this.token = e, this.earlyPeriod = t, this.payload = B(e);
+	}
+	get isExpired() {
+		return this.payload ? V(this.payload, this.earlyPeriod) : !0;
+	}
+}, U = class {
+	constructor(e, t = 0) {
+		this.token = e, this.earlyPeriod = t, this.access = new H(e.accessToken, t), this.refresh = new H(e.refreshToken, t);
+	}
+	get isRefreshNeeded() {
+		return this.access.isExpired;
+	}
+	get isRefreshable() {
+		return !this.refresh.isExpired;
+	}
+	get authenticated() {
+		return !this.access.isExpired;
+	}
+}, W = class {
+	constructor(e = 0) {
+		this.earlyPeriod = e;
+	}
+	deserialize(e) {
+		return new U(JSON.parse(e), this.earlyPeriod);
+	}
+	serialize(e) {
+		return JSON.stringify(e.token);
+	}
+}, G = new W(), K = "cosec-token", q = class extends a {
+	constructor({ key: e = K, eventBus: t = new s({ delegate: new c(K) }), earlyPeriod: n = 0, ...r } = {}) {
+		super({
+			key: e,
+			eventBus: t,
+			...r,
+			serializer: new W(n)
+		}), this.earlyPeriod = n;
+	}
+	setCompositeToken(e) {
+		this.signIn(e);
+	}
+	signIn(e) {
+		this.set(new U(e, this.earlyPeriod));
+	}
+	signOut() {
+		this.remove();
+	}
+	get authenticated() {
+		return this.get()?.authenticated === !0;
+	}
+	get currentUser() {
+		return this.authenticated ? this.get()?.access.payload ?? null : null;
+	}
+}, J = "UnauthorizedErrorInterceptor", Y = 0, X = class {
+	constructor(e) {
+		this.options = e, this.name = J, this.order = 0;
+	}
+	async intercept(e) {
+		(e.response?.status === u.UNAUTHORIZED || e.error instanceof N) && await this.options.onUnauthorized(e);
+	}
+}, Z = class {
+	constructor(e) {
+		this.config = e, this.tokenStorage = e.tokenStorage ?? new q(), this.deviceIdStorage = e.deviceIdStorage ?? new k(), this.spaceIdProvider = e.spaceIdProvider ?? m, e.tokenRefresher && (this.tokenManager = new P(this.tokenStorage, e.tokenRefresher));
+	}
+	applyTo(e) {
+		e.interceptors.request.use(new x({
+			appId: this.config.appId,
+			deviceIdStorage: this.deviceIdStorage,
+			spaceIdProvider: this.spaceIdProvider
+		})), e.interceptors.request.use(new z({ tokenStorage: this.tokenStorage })), this.tokenManager && (e.interceptors.request.use(new w({ tokenManager: this.tokenManager })), e.interceptors.response.use(new D({ tokenManager: this.tokenManager }))), this.config.onUnauthorized && e.interceptors.error.use(new X({ onUnauthorized: this.config.onUnauthorized })), this.config.onForbidden && e.interceptors.error.use(new M({ onForbidden: this.config.onForbidden }));
+	}
+}, Q = class {
+	constructor(e) {
+		this.options = e;
+	}
+	refresh(e) {
+		return this.options.fetcher.post(this.options.endpoint, { body: e }, {
+			resultExtractor: n.Json,
+			attributes: new Map([[b, !0]])
+		});
+	}
 };
-//# sourceMappingURL=index.es.js.map
+//#endregion
+export { S as AUTHORIZATION_REQUEST_INTERCEPTOR_NAME, C as AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER, T as AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME, E as AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER, w as AuthorizationRequestInterceptor, D as AuthorizationResponseInterceptor, d as AuthorizeResults, v as COSEC_REQUEST_INTERCEPTOR_NAME, y as COSEC_REQUEST_INTERCEPTOR_ORDER, Z as CoSecConfigurer, l as CoSecHeaders, x as CoSecRequestInterceptor, Q as CoSecTokenRefresher, O as DEFAULT_COSEC_DEVICE_ID_KEY, h as DEFAULT_COSEC_SPACE_ID_KEY, K as DEFAULT_COSEC_TOKEN_KEY, _ as DefaultSpaceIdProvider, k as DeviceIdStorage, A as FORBIDDEN_ERROR_INTERCEPTOR_NAME, j as FORBIDDEN_ERROR_INTERCEPTOR_ORDER, M as ForbiddenErrorInterceptor, b as IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY, U as JwtCompositeToken, W as JwtCompositeTokenSerializer, H as JwtToken, P as JwtTokenManager, f as NanoIdGenerator, m as NoneSpaceIdProvider, L as RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME, R as RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER, N as RefreshTokenError, z as ResourceAttributionRequestInterceptor, u as ResponseCodes, g as SpaceIdStorage, q as TokenStorage, J as UNAUTHORIZED_ERROR_INTERCEPTOR_NAME, Y as UNAUTHORIZED_ERROR_INTERCEPTOR_ORDER, X as UnauthorizedErrorInterceptor, p as idGenerator, V as isTokenExpired, G as jwtCompositeTokenSerializer, B as parseJwtPayload };
+
+//# sourceMappingURL=index.es.js.map