@alepha/react 0.12.0 → 0.13.0

package/dist/auth/index.js

@@ -1,8 +1,8 @@
-import { $atom, $context, $env, $hook, $inject, $module, $use, Alepha, AlephaError, Atom, Descriptor, KIND, createDescriptor, t } from "alepha";
+import { $atom, $env, $hook, $inject, $module, $use, Alepha, AlephaError, Atom, Descriptor, KIND, createDescriptor, t } from "alepha";
 import { AlephaDateTime, DateTimeProvider } from "alepha/datetime";
-import { $route, AlephaServer, BadRequestError, HttpClient, ServerProvider, ServerRouterProvider, ServerTimingProvider, UnauthorizedError } from "alepha/server";
+import { AlephaServer, HttpClient, ServerProvider, ServerRouterProvider, ServerTimingProvider } from "alepha/server";
 import { AlephaServerCache } from "alepha/server/cache";
-import { AlephaServerLinks, LinkProvider, ServerLinksProvider, apiLinksResponseSchema } from "alepha/server/links";
+import { AlephaServerLinks, LinkProvider, ServerLinksProvider } from "alepha/server/links";
 import { $logger } from "alepha/logger";
 import React, { StrictMode, createContext, createElement, memo, use, useContext, useEffect, useMemo, useRef, useState } from "react";
 import { Fragment, jsx, jsxs } from "react/jsx-runtime";
@@ -11,8 +11,7 @@ import { join } from "node:path";
 import { ServerStaticProvider } from "alepha/server/static";
 import { renderToString } from "react-dom/server";
 import { RouterProvider } from "alepha/router";
-import { $cookie, AlephaServerCookies, ServerCookiesProvider } from "alepha/server/cookies";
-import { SecurityError, SecurityProvider, userAccountInfoSchema } from "alepha/security";
+import { $auth, AlephaServerAuth, alephaServerAuthRoutes, tokenResponseSchema, userinfoResponseSchema } from "alepha/server/auth";
 
 //#region src/core/services/ReactPageService.ts
 var ReactPageService = class {
@@ -72,7 +71,7 @@ var ReactPageService = class {
 * const userProfile = $page({
 *   path: "/users/:id",
 *   schema: {
-*     params: t.object({ id: t.int() }),
+*     params: t.object({ id: t.integer() }),
 *     query: t.object({ tab: t.optional(t.text()) })
 *   },
 *   resolve: async ({ params }) => {
@@ -161,11 +160,11 @@ $page[KIND] = PageDescriptor;
 * - you want to avoid server-side rendering for a specific part of your application
 * - you want to prevent pre-rendering of a component
 */
-const ClientOnly = (props$1) => {
+const ClientOnly = (props) => {
 	const [mounted, setMounted] = useState(false);
 	useEffect(() => setMounted(true), []);
-	if (props$1.disabled) return props$1.children;
-	return mounted ? props$1.children : props$1.fallback;
+	if (props.disabled) return props.children;
+	return mounted ? props.children : props.fallback;
 };
 var ClientOnly_default = ClientOnly;
 
@@ -432,8 +431,8 @@ const useRouterState = () => {
 * in any part of the React component tree.
 */
 var ErrorBoundary = class extends React.Component {
-	constructor(props$1) {
-		super(props$1);
+	constructor(props) {
+		super(props);
 		this.state = {};
 	}
 	/**
@@ -479,7 +478,7 @@ var ErrorBoundary_default = ErrorBoundary;
 * }
 * ```
 */
-const NestedView = (props$1) => {
+const NestedView = (props) => {
 	const index = use(RouterLayerContext)?.index ?? 0;
 	const state = useRouterState();
 	const [view, setView] = useState(state.layers[index]?.element);
@@ -517,7 +516,7 @@ const NestedView = (props$1) => {
 			}
 		}
 	}, []);
-	let element = view ?? props$1.children ?? null;
+	let element = view ?? props.children ?? null;
 	if (animation) element = /* @__PURE__ */ jsx("div", {
 		style: {
 			display: "flex",
@@ -537,9 +536,9 @@ const NestedView = (props$1) => {
 			children: element
 		})
 	});
-	if (props$1.errorBoundary === false) return /* @__PURE__ */ jsx(Fragment, { children: element });
-	if (props$1.errorBoundary) return /* @__PURE__ */ jsx(ErrorBoundary_default, {
-		fallback: props$1.errorBoundary,
+	if (props.errorBoundary === false) return /* @__PURE__ */ jsx(Fragment, { children: element });
+	if (props.errorBoundary) return /* @__PURE__ */ jsx(ErrorBoundary_default, {
+		fallback: props.errorBoundary,
 		children: element
 	});
 	return /* @__PURE__ */ jsx(ErrorBoundary_default, {
@@ -580,7 +579,7 @@ function parseAnimation(animationLike, state, type = "enter") {
 
 //#endregion
 //#region src/core/components/NotFound.tsx
-function NotFoundPage(props$1) {
+function NotFoundPage(props) {
 	return /* @__PURE__ */ jsx("div", {
 		style: {
 			height: "100vh",
@@ -591,7 +590,7 @@ function NotFoundPage(props$1) {
 			textAlign: "center",
 			fontFamily: "sans-serif",
 			padding: "1rem",
-			...props$1.style
+			...props.style
 		},
 		children: /* @__PURE__ */ jsx("h1", {
 			style: {
@@ -671,7 +670,7 @@ var ReactPageProvider = class {
 		if (t.schema.isObject(schema) && typeof value === "object") {
 			for (const key in schema.properties) if (t.schema.isObject(schema.properties[key]) && typeof value[key] === "string") try {
 				value[key] = this.alepha.codec.decode(schema.properties[key], decodeURIComponent(value[key]));
-			} catch (e$1) {}
+			} catch (e) {}
 		}
 		return value;
 	};
@@ -696,14 +695,14 @@ var ReactPageProvider = class {
 			try {
 				this.convertStringObjectToObject(route$1.schema?.query, state.query);
 				config.query = route$1.schema?.query ? this.alepha.codec.decode(route$1.schema.query, state.query) : {};
-			} catch (e$1) {
-				it.error = e$1;
+			} catch (e) {
+				it.error = e;
 				break;
 			}
 			try {
 				config.params = route$1.schema?.params ? this.alepha.codec.decode(route$1.schema.params, state.params) : {};
-			} catch (e$1) {
-				it.error = e$1;
+			} catch (e) {
+				it.error = e;
 				break;
 			}
 			it.config = { ...config };
@@ -731,23 +730,23 @@ var ReactPageProvider = class {
 			try {
 				const args = Object.create(state);
 				Object.assign(args, config, context);
-				const props$1 = await route$1.resolve?.(args) ?? {};
-				it.props = { ...props$1 };
+				const props = await route$1.resolve?.(args) ?? {};
+				it.props = { ...props };
 				context = {
 					...context,
-					...props$1
+					...props
 				};
-			} catch (e$1) {
-				if (e$1 instanceof Redirection) return { redirect: e$1.redirect };
-				this.log.error("Page resolver has failed", e$1);
-				it.error = e$1;
+			} catch (e) {
+				if (e instanceof Redirection) return { redirect: e.redirect };
+				this.log.error("Page resolver has failed", e);
+				it.error = e;
 				break;
 			}
 		}
 		let acc = "";
 		for (let i = 0; i < stack.length; i++) {
 			const it = stack[i];
-			const props$1 = it.props ?? {};
+			const props = it.props ?? {};
 			const params = { ...it.config?.params };
 			for (const key of Object.keys(params)) params[key] = String(params[key]);
 			acc += "/";
@@ -764,12 +763,12 @@ var ReactPageProvider = class {
 			}
 			if (!it.error) try {
 				const element = await this.createElement(it.route, {
-					...props$1,
+					...props,
 					...context
 				});
 				state.layers.push({
 					name: it.route.name,
-					props: props$1,
+					props,
 					part: it.route.path,
 					config: it.config,
 					element: this.renderView(i + 1, path, element, it.route),
@@ -778,8 +777,8 @@ var ReactPageProvider = class {
 					route: it.route,
 					cache: it.cache
 				});
-			} catch (e$1) {
-				it.error = e$1;
+			} catch (e) {
+				it.error = e;
 			}
 			if (it.error) try {
 				let element = await state.onError(it.error, state);
@@ -787,7 +786,7 @@ var ReactPageProvider = class {
 				if (element instanceof Redirection) return { redirect: element.redirect };
 				if (element === null) element = this.renderError(it.error);
 				state.layers.push({
-					props: props$1,
+					props,
 					error: it.error,
 					name: it.route.name,
 					part: it.route.path,
@@ -798,9 +797,9 @@ var ReactPageProvider = class {
 					route: it.route
 				});
 				break;
-			} catch (e$1) {
-				if (e$1 instanceof Redirection) return { redirect: e$1.redirect };
-				throw e$1;
+			} catch (e) {
+				if (e instanceof Redirection) return { redirect: e.redirect };
+				throw e;
 			}
 		}
 		return { state };
@@ -816,10 +815,10 @@ var ReactPageProvider = class {
 			parent = parent.parent;
 		}
 	}
-	async createElement(page, props$1) {
+	async createElement(page, props) {
 		if (page.lazy && page.component) this.log.warn(`Page ${page.name} has both lazy and component options, lazy will be used`);
-		if (page.lazy) return createElement((await page.lazy()).default, props$1);
-		if (page.component) return createElement(page.component, props$1);
+		if (page.lazy) return createElement((await page.lazy()).default, props);
+		if (page.component) return createElement(page.component, props);
 	}
 	renderError(error) {
 		return createElement(ErrorViewer_default, {
@@ -1307,20 +1306,20 @@ var ReactBrowserRouterProvider = class extends RouterProvider {
 			});
 			await this.alepha.events.emit("react:action:success", { type: "transition" });
 			await this.alepha.events.emit("react:transition:success", { state });
-		} catch (e$1) {
-			this.log.error("Transition has failed", e$1);
+		} catch (e) {
+			this.log.error("Transition has failed", e);
 			state.layers = [{
 				name: "error",
-				element: this.pageApi.renderError(e$1),
+				element: this.pageApi.renderError(e),
 				index: 0,
 				path: "/"
 			}];
 			await this.alepha.events.emit("react:action:error", {
 				type: "transition",
-				error: e$1
+				error: e
 			});
 			await this.alepha.events.emit("react:transition:error", {
-				error: e$1,
+				error: e,
 				state
 			});
 		}
@@ -1401,12 +1400,12 @@ var ReactBrowserProvider = class {
 		if (replace) this.history.replaceState({}, "", url);
 		else this.history.pushState({}, "", url);
 	}
-	async invalidate(props$1) {
+	async invalidate(props) {
 		const previous = [];
 		this.log.trace("Invalidating layers");
-		if (props$1) {
-			const [key] = Object.keys(props$1);
-			const value = props$1[key];
+		if (props) {
+			const [key] = Object.keys(props);
+			const value = props[key];
 			for (const layer of this.state.layers) {
 				if (layer.props?.[key]) {
 					previous.push({
@@ -1528,7 +1527,7 @@ var ReactRouter = class {
 	path(name, config = {}) {
 		return this.pageApi.pathname(name, {
 			params: {
-				...this.state.params,
+				...this.state?.params,
 				...config.params
 			},
 			query: config.query
@@ -1570,8 +1569,8 @@ var ReactRouter = class {
 	async forward() {
 		this.browser?.history.forward();
 	}
-	async invalidate(props$1) {
-		await this.browser?.invalidate(props$1);
+	async invalidate(props) {
+		await this.browser?.invalidate(props);
 	}
 	async go(path, options) {
 		for (const page of this.pages) if (page.name === path) {
@@ -1644,1411 +1643,30 @@ const AlephaReact = $module({
 });
 
 //#endregion
-//#region ../../node_modules/oauth4webapi/build/index.js
-let USER_AGENT$1;
-if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) USER_AGENT$1 = `oauth4webapi/v3.8.2`;
-function looseInstanceOf(input, expected) {
-	if (input == null) return false;
-	try {
-		return input instanceof expected || Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag];
-	} catch {
-		return false;
-	}
-}
-const ERR_INVALID_ARG_VALUE$1 = "ERR_INVALID_ARG_VALUE";
-const ERR_INVALID_ARG_TYPE$1 = "ERR_INVALID_ARG_TYPE";
-function CodedTypeError$1(message, code, cause) {
-	const err = new TypeError(message, { cause });
-	Object.assign(err, { code });
-	return err;
-}
-const allowInsecureRequests$1 = Symbol();
-const clockSkew$1 = Symbol();
-const clockTolerance$1 = Symbol();
-const customFetch$1 = Symbol();
-const modifyAssertion$1 = Symbol();
-const jweDecrypt = Symbol();
-const encoder = new TextEncoder();
-const decoder$1 = new TextDecoder();
-function buf(input) {
-	if (typeof input === "string") return encoder.encode(input);
-	return decoder$1.decode(input);
-}
-let encodeBase64Url;
-if (Uint8Array.prototype.toBase64) encodeBase64Url = (input) => {
-	if (input instanceof ArrayBuffer) input = new Uint8Array(input);
-	return input.toBase64({
-		alphabet: "base64url",
-		omitPadding: true
-	});
-};
-else {
-	const CHUNK_SIZE = 32768;
-	encodeBase64Url = (input) => {
-		if (input instanceof ArrayBuffer) input = new Uint8Array(input);
-		const arr = [];
-		for (let i = 0; i < input.byteLength; i += CHUNK_SIZE) arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));
-		return btoa(arr.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-	};
-}
-let decodeBase64Url;
-if (Uint8Array.fromBase64) decodeBase64Url = (input) => {
-	try {
-		return Uint8Array.fromBase64(input, { alphabet: "base64url" });
-	} catch (cause) {
-		throw CodedTypeError$1("The input to be decoded is not correctly encoded.", ERR_INVALID_ARG_VALUE$1, cause);
-	}
-};
-else decodeBase64Url = (input) => {
-	try {
-		const binary = atob(input.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, ""));
-		const bytes = new Uint8Array(binary.length);
-		for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
-		return bytes;
-	} catch (cause) {
-		throw CodedTypeError$1("The input to be decoded is not correctly encoded.", ERR_INVALID_ARG_VALUE$1, cause);
-	}
-};
-function b64u(input) {
-	if (typeof input === "string") return decodeBase64Url(input);
-	return encodeBase64Url(input);
-}
-var UnsupportedOperationError = class extends Error {
-	code;
-	constructor(message, options) {
-		super(message, options);
-		this.name = this.constructor.name;
-		this.code = UNSUPPORTED_OPERATION;
-		Error.captureStackTrace?.(this, this.constructor);
-	}
-};
-var OperationProcessingError = class extends Error {
-	code;
-	constructor(message, options) {
-		super(message, options);
-		this.name = this.constructor.name;
-		if (options?.code) this.code = options?.code;
-		Error.captureStackTrace?.(this, this.constructor);
-	}
-};
-function OPE(message, code, cause) {
-	return new OperationProcessingError(message, {
-		code,
-		cause
-	});
-}
-function isJsonObject(input) {
-	if (input === null || typeof input !== "object" || Array.isArray(input)) return false;
-	return true;
-}
-function prepareHeaders(input) {
-	if (looseInstanceOf(input, Headers)) input = Object.fromEntries(input.entries());
-	const headers$1 = new Headers(input ?? {});
-	if (USER_AGENT$1 && !headers$1.has("user-agent")) headers$1.set("user-agent", USER_AGENT$1);
-	if (headers$1.has("authorization")) throw CodedTypeError$1("\"options.headers\" must not include the \"authorization\" header name", ERR_INVALID_ARG_VALUE$1);
-	return headers$1;
-}
-function signal$1(url, value) {
-	if (value !== void 0) {
-		if (typeof value === "function") value = value(url.href);
-		if (!(value instanceof AbortSignal)) throw CodedTypeError$1("\"options.signal\" must return or be an instance of AbortSignal", ERR_INVALID_ARG_TYPE$1);
-		return value;
-	}
-}
-function replaceDoubleSlash(pathname) {
-	if (pathname.includes("//")) return pathname.replace("//", "/");
-	return pathname;
-}
-function prependWellKnown(url, wellKnown, allowTerminatingSlash = false) {
-	if (url.pathname === "/") url.pathname = wellKnown;
-	else url.pathname = replaceDoubleSlash(`${wellKnown}/${allowTerminatingSlash ? url.pathname : url.pathname.replace(/(\/)$/, "")}`);
-	return url;
-}
-function appendWellKnown(url, wellKnown) {
-	url.pathname = replaceDoubleSlash(`${url.pathname}/${wellKnown}`);
-	return url;
-}
-async function performDiscovery$1(input, urlName, transform, options) {
-	if (!(input instanceof URL)) throw CodedTypeError$1(`"${urlName}" must be an instance of URL`, ERR_INVALID_ARG_TYPE$1);
-	checkProtocol(input, options?.[allowInsecureRequests$1] !== true);
-	const url = transform(new URL(input.href));
-	const headers$1 = prepareHeaders(options?.headers);
-	headers$1.set("accept", "application/json");
-	return (options?.[customFetch$1] || fetch)(url.href, {
-		body: void 0,
-		headers: Object.fromEntries(headers$1.entries()),
-		method: "GET",
-		redirect: "manual",
-		signal: signal$1(url, options?.signal)
-	});
-}
-async function discoveryRequest(issuerIdentifier, options) {
-	return performDiscovery$1(issuerIdentifier, "issuerIdentifier", (url) => {
-		switch (options?.algorithm) {
-			case void 0:
-			case "oidc":
-				appendWellKnown(url, ".well-known/openid-configuration");
-				break;
-			case "oauth2":
-				prependWellKnown(url, ".well-known/oauth-authorization-server");
-				break;
-			default: throw CodedTypeError$1("\"options.algorithm\" must be \"oidc\" (default), or \"oauth2\"", ERR_INVALID_ARG_VALUE$1);
-		}
-		return url;
-	}, options);
-}
-function assertNumber(input, allow0, it, code, cause) {
-	try {
-		if (typeof input !== "number" || !Number.isFinite(input)) throw CodedTypeError$1(`${it} must be a number`, ERR_INVALID_ARG_TYPE$1, cause);
-		if (input > 0) return;
-		if (allow0) {
-			if (input !== 0) throw CodedTypeError$1(`${it} must be a non-negative number`, ERR_INVALID_ARG_VALUE$1, cause);
-			return;
-		}
-		throw CodedTypeError$1(`${it} must be a positive number`, ERR_INVALID_ARG_VALUE$1, cause);
-	} catch (err) {
-		if (code) throw OPE(err.message, code, cause);
-		throw err;
-	}
-}
-function assertString$1(input, it, code, cause) {
-	try {
-		if (typeof input !== "string") throw CodedTypeError$1(`${it} must be a string`, ERR_INVALID_ARG_TYPE$1, cause);
-		if (input.length === 0) throw CodedTypeError$1(`${it} must not be empty`, ERR_INVALID_ARG_VALUE$1, cause);
-	} catch (err) {
-		if (code) throw OPE(err.message, code, cause);
-		throw err;
-	}
-}
-async function processDiscoveryResponse(expectedIssuerIdentifier, response) {
-	const expected = expectedIssuerIdentifier;
-	if (!(expected instanceof URL) && expected !== _nodiscoverycheck) throw CodedTypeError$1("\"expectedIssuerIdentifier\" must be an instance of URL", ERR_INVALID_ARG_TYPE$1);
-	if (!looseInstanceOf(response, Response)) throw CodedTypeError$1("\"response\" must be an instance of Response", ERR_INVALID_ARG_TYPE$1);
-	if (response.status !== 200) throw OPE("\"response\" is not a conform Authorization Server Metadata response (unexpected HTTP status code)", RESPONSE_IS_NOT_CONFORM, response);
-	assertReadableResponse(response);
-	const json = await getResponseJsonBody(response);
-	assertString$1(json.issuer, "\"response\" body \"issuer\" property", INVALID_RESPONSE, { body: json });
-	if (expected !== _nodiscoverycheck && new URL(json.issuer).href !== expected.href) throw OPE("\"response\" body \"issuer\" property does not match the expected value", JSON_ATTRIBUTE_COMPARISON, {
-		expected: expected.href,
-		body: json,
-		attribute: "issuer"
-	});
-	return json;
-}
-function assertApplicationJson(response) {
-	assertContentType(response, "application/json");
-}
-function notJson(response, ...types) {
-	let msg = "\"response\" content-type must be ";
-	if (types.length > 2) {
-		const last = types.pop();
-		msg += `${types.join(", ")}, or ${last}`;
-	} else if (types.length === 2) msg += `${types[0]} or ${types[1]}`;
-	else msg += types[0];
-	return OPE(msg, RESPONSE_IS_NOT_JSON, response);
-}
-function assertContentType(response, contentType) {
-	if (getContentType(response) !== contentType) throw notJson(response, contentType);
-}
-function randomBytes() {
-	return b64u(crypto.getRandomValues(new Uint8Array(32)));
-}
-function generateRandomCodeVerifier() {
-	return randomBytes();
-}
-function generateRandomState() {
-	return randomBytes();
-}
-async function calculatePKCECodeChallenge$1(codeVerifier) {
-	assertString$1(codeVerifier, "codeVerifier");
-	return b64u(await crypto.subtle.digest("SHA-256", buf(codeVerifier)));
-}
-function getClockSkew(client) {
-	const skew = client?.[clockSkew$1];
-	return typeof skew === "number" && Number.isFinite(skew) ? skew : 0;
-}
-function getClockTolerance(client) {
-	const tolerance = client?.[clockTolerance$1];
-	return typeof tolerance === "number" && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1 ? tolerance : 30;
-}
-function epochTime() {
-	return Math.floor(Date.now() / 1e3);
-}
-function assertAs(as) {
-	if (typeof as !== "object" || as === null) throw CodedTypeError$1("\"as\" must be an object", ERR_INVALID_ARG_TYPE$1);
-	assertString$1(as.issuer, "\"as.issuer\"");
-}
-function assertClient(client) {
-	if (typeof client !== "object" || client === null) throw CodedTypeError$1("\"client\" must be an object", ERR_INVALID_ARG_TYPE$1);
-	assertString$1(client.client_id, "\"client.client_id\"");
-}
-function ClientSecretPost$1(clientSecret) {
-	assertString$1(clientSecret, "\"clientSecret\"");
-	return (_as, client, body, _headers) => {
-		body.set("client_id", client.client_id);
-		body.set("client_secret", clientSecret);
-	};
-}
-function None$1() {
-	return (_as, client, body, _headers) => {
-		body.set("client_id", client.client_id);
-	};
-}
-const URLParse = URL.parse ? (url, base) => URL.parse(url, base) : (url, base) => {
-	try {
-		return new URL(url, base);
-	} catch {
-		return null;
-	}
-};
-function checkProtocol(url, enforceHttps) {
-	if (enforceHttps && url.protocol !== "https:") throw OPE("only requests to HTTPS are allowed", HTTP_REQUEST_FORBIDDEN, url);
-	if (url.protocol !== "https:" && url.protocol !== "http:") throw OPE("only HTTP and HTTPS requests are allowed", REQUEST_PROTOCOL_FORBIDDEN, url);
-}
-function validateEndpoint(value, endpoint, useMtlsAlias, enforceHttps) {
-	let url;
-	if (typeof value !== "string" || !(url = URLParse(value))) throw OPE(`authorization server metadata does not contain a valid ${useMtlsAlias ? `"as.mtls_endpoint_aliases.${endpoint}"` : `"as.${endpoint}"`}`, value === void 0 ? MISSING_SERVER_METADATA : INVALID_SERVER_METADATA, { attribute: useMtlsAlias ? `mtls_endpoint_aliases.${endpoint}` : endpoint });
-	checkProtocol(url, enforceHttps);
-	return url;
-}
-function resolveEndpoint(as, endpoint, useMtlsAlias, enforceHttps) {
-	if (useMtlsAlias && as.mtls_endpoint_aliases && endpoint in as.mtls_endpoint_aliases) return validateEndpoint(as.mtls_endpoint_aliases[endpoint], endpoint, useMtlsAlias, enforceHttps);
-	return validateEndpoint(as[endpoint], endpoint, useMtlsAlias, enforceHttps);
-}
-function isDPoPNonceError(err) {
-	if (err instanceof WWWAuthenticateChallengeError) {
-		const { 0: challenge, length } = err.cause;
-		return length === 1 && challenge.scheme === "dpop" && challenge.parameters.error === "use_dpop_nonce";
-	}
-	if (err instanceof ResponseBodyError) return err.error === "use_dpop_nonce";
-	return false;
-}
-var ResponseBodyError = class extends Error {
-	cause;
-	code;
-	error;
-	status;
-	error_description;
-	response;
-	constructor(message, options) {
-		super(message, options);
-		this.name = this.constructor.name;
-		this.code = RESPONSE_BODY_ERROR;
-		this.cause = options.cause;
-		this.error = options.cause.error;
-		this.status = options.response.status;
-		this.error_description = options.cause.error_description;
-		Object.defineProperty(this, "response", {
-			enumerable: false,
-			value: options.response
-		});
-		Error.captureStackTrace?.(this, this.constructor);
-	}
-};
-var AuthorizationResponseError = class extends Error {
-	cause;
-	code;
-	error;
-	error_description;
-	constructor(message, options) {
-		super(message, options);
-		this.name = this.constructor.name;
-		this.code = AUTHORIZATION_RESPONSE_ERROR;
-		this.cause = options.cause;
-		this.error = options.cause.get("error");
-		this.error_description = options.cause.get("error_description") ?? void 0;
-		Error.captureStackTrace?.(this, this.constructor);
-	}
-};
-var WWWAuthenticateChallengeError = class extends Error {
-	cause;
-	code;
-	response;
-	status;
-	constructor(message, options) {
-		super(message, options);
-		this.name = this.constructor.name;
-		this.code = WWW_AUTHENTICATE_CHALLENGE;
-		this.cause = options.cause;
-		this.status = options.response.status;
-		this.response = options.response;
-		Object.defineProperty(this, "response", { enumerable: false });
-		Error.captureStackTrace?.(this, this.constructor);
-	}
-};
-const tokenMatch = "[a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+";
-const token68Match = "[a-zA-Z0-9\\-\\._\\~\\+\\/]+[=]{0,2}";
-const quotedParamMatcher = "(" + tokenMatch + ")\\s*=\\s*\"((?:[^\"\\\\]|\\\\.)*)\"";
-const paramMatcher = "(" + tokenMatch + ")\\s*=\\s*([a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+)";
-const schemeRE = /* @__PURE__ */ new RegExp("^[,\\s]*(" + tokenMatch + ")\\s(.*)");
-const quotedParamRE = /* @__PURE__ */ new RegExp("^[,\\s]*" + quotedParamMatcher + "[,\\s]*(.*)");
-const unquotedParamRE = /* @__PURE__ */ new RegExp("^[,\\s]*" + paramMatcher + "[,\\s]*(.*)");
-const token68ParamRE = /* @__PURE__ */ new RegExp("^(" + token68Match + ")(?:$|[,\\s])(.*)");
-function parseWwwAuthenticateChallenges(response) {
-	if (!looseInstanceOf(response, Response)) throw CodedTypeError$1("\"response\" must be an instance of Response", ERR_INVALID_ARG_TYPE$1);
-	const header = response.headers.get("www-authenticate");
-	if (header === null) return;
-	const challenges = [];
-	let rest = header;
-	while (rest) {
-		let match = rest.match(schemeRE);
-		const scheme = match?.["1"].toLowerCase();
-		rest = match?.["2"];
-		if (!scheme) return;
-		const parameters = {};
-		let token68;
-		while (rest) {
-			let key;
-			let value;
-			if (match = rest.match(quotedParamRE)) {
-				[, key, value, rest] = match;
-				if (value.includes("\\")) try {
-					value = JSON.parse(`"${value}"`);
-				} catch {}
-				parameters[key.toLowerCase()] = value;
-				continue;
-			}
-			if (match = rest.match(unquotedParamRE)) {
-				[, key, value, rest] = match;
-				parameters[key.toLowerCase()] = value;
-				continue;
-			}
-			if (match = rest.match(token68ParamRE)) {
-				if (Object.keys(parameters).length) break;
-				[, token68, rest] = match;
-				break;
-			}
-			return;
-		}
-		const challenge = {
-			scheme,
-			parameters
-		};
-		if (token68) challenge.token68 = token68;
-		challenges.push(challenge);
-	}
-	if (!challenges.length) return;
-	return challenges;
-}
-async function parseOAuthResponseErrorBody(response) {
-	if (response.status > 399 && response.status < 500) {
-		assertReadableResponse(response);
-		assertApplicationJson(response);
-		try {
-			const json = await response.clone().json();
-			if (isJsonObject(json) && typeof json.error === "string" && json.error.length) return json;
-		} catch {}
-	}
-}
-async function checkOAuthBodyError(response, expected, label) {
-	if (response.status !== expected) {
-		checkAuthenticationChallenges(response);
-		let err;
-		if (err = await parseOAuthResponseErrorBody(response)) {
-			await response.body?.cancel();
-			throw new ResponseBodyError("server responded with an error in the response body", {
-				cause: err,
-				response
-			});
-		}
-		throw OPE(`"response" is not a conform ${label} response (unexpected HTTP status code)`, RESPONSE_IS_NOT_CONFORM, response);
-	}
-}
-function assertDPoP(option) {
-	if (!branded.has(option)) throw CodedTypeError$1("\"options.DPoP\" is not a valid DPoPHandle", ERR_INVALID_ARG_VALUE$1);
-}
-const skipSubjectCheck$1 = Symbol();
-function getContentType(input) {
-	return input.headers.get("content-type")?.split(";")[0];
-}
-async function authenticatedRequest(as, client, clientAuthentication, url, body, headers$1, options) {
-	await clientAuthentication(as, client, body, headers$1);
-	headers$1.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8");
-	return (options?.[customFetch$1] || fetch)(url.href, {
-		body,
-		headers: Object.fromEntries(headers$1.entries()),
-		method: "POST",
-		redirect: "manual",
-		signal: signal$1(url, options?.signal)
-	});
-}
-async function tokenEndpointRequest(as, client, clientAuthentication, grantType, parameters, options) {
-	const url = resolveEndpoint(as, "token_endpoint", client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests$1] !== true);
-	parameters.set("grant_type", grantType);
-	const headers$1 = prepareHeaders(options?.headers);
-	headers$1.set("accept", "application/json");
-	if (options?.DPoP !== void 0) {
-		assertDPoP(options.DPoP);
-		await options.DPoP.addProof(url, headers$1, "POST");
-	}
-	const response = await authenticatedRequest(as, client, clientAuthentication, url, parameters, headers$1, options);
-	options?.DPoP?.cacheNonce(response, url);
-	return response;
-}
-async function refreshTokenGrantRequest(as, client, clientAuthentication, refreshToken, options) {
-	assertAs(as);
-	assertClient(client);
-	assertString$1(refreshToken, "\"refreshToken\"");
-	const parameters = new URLSearchParams(options?.additionalParameters);
-	parameters.set("refresh_token", refreshToken);
-	return tokenEndpointRequest(as, client, clientAuthentication, "refresh_token", parameters, options);
-}
-const idTokenClaims = /* @__PURE__ */ new WeakMap();
-const jwtRefs = /* @__PURE__ */ new WeakMap();
-function getValidatedIdTokenClaims(ref) {
-	if (!ref.id_token) return;
-	const claims = idTokenClaims.get(ref);
-	if (!claims) throw CodedTypeError$1("\"ref\" was already garbage collected or did not resolve from the proper sources", ERR_INVALID_ARG_VALUE$1);
-	return claims;
-}
-async function processGenericAccessTokenResponse(as, client, response, additionalRequiredIdTokenClaims, decryptFn, recognizedTokenTypes) {
-	assertAs(as);
-	assertClient(client);
-	if (!looseInstanceOf(response, Response)) throw CodedTypeError$1("\"response\" must be an instance of Response", ERR_INVALID_ARG_TYPE$1);
-	await checkOAuthBodyError(response, 200, "Token Endpoint");
-	assertReadableResponse(response);
-	const json = await getResponseJsonBody(response);
-	assertString$1(json.access_token, "\"response\" body \"access_token\" property", INVALID_RESPONSE, { body: json });
-	assertString$1(json.token_type, "\"response\" body \"token_type\" property", INVALID_RESPONSE, { body: json });
-	json.token_type = json.token_type.toLowerCase();
-	if (json.expires_in !== void 0) {
-		let expiresIn = typeof json.expires_in !== "number" ? parseFloat(json.expires_in) : json.expires_in;
-		assertNumber(expiresIn, true, "\"response\" body \"expires_in\" property", INVALID_RESPONSE, { body: json });
-		json.expires_in = expiresIn;
-	}
-	if (json.refresh_token !== void 0) assertString$1(json.refresh_token, "\"response\" body \"refresh_token\" property", INVALID_RESPONSE, { body: json });
-	if (json.scope !== void 0 && typeof json.scope !== "string") throw OPE("\"response\" body \"scope\" property must be a string", INVALID_RESPONSE, { body: json });
-	if (json.id_token !== void 0) {
-		assertString$1(json.id_token, "\"response\" body \"id_token\" property", INVALID_RESPONSE, { body: json });
-		const requiredClaims = [
-			"aud",
-			"exp",
-			"iat",
-			"iss",
-			"sub"
-		];
-		if (client.require_auth_time === true) requiredClaims.push("auth_time");
-		if (client.default_max_age !== void 0) {
-			assertNumber(client.default_max_age, true, "\"client.default_max_age\"");
-			requiredClaims.push("auth_time");
-		}
-		if (additionalRequiredIdTokenClaims?.length) requiredClaims.push(...additionalRequiredIdTokenClaims);
-		const { claims, jwt } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(void 0, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported, "RS256"), getClockSkew(client), getClockTolerance(client), decryptFn).then(validatePresence.bind(void 0, requiredClaims)).then(validateIssuer.bind(void 0, as)).then(validateAudience.bind(void 0, client.client_id));
-		if (Array.isArray(claims.aud) && claims.aud.length !== 1) {
-			if (claims.azp === void 0) throw OPE("ID Token \"aud\" (audience) claim includes additional untrusted audiences", JWT_CLAIM_COMPARISON, {
-				claims,
-				claim: "aud"
-			});
-			if (claims.azp !== client.client_id) throw OPE("unexpected ID Token \"azp\" (authorized party) claim value", JWT_CLAIM_COMPARISON, {
-				expected: client.client_id,
-				claims,
-				claim: "azp"
-			});
-		}
-		if (claims.auth_time !== void 0) assertNumber(claims.auth_time, true, "ID Token \"auth_time\" (authentication time)", INVALID_RESPONSE, { claims });
-		jwtRefs.set(response, jwt);
-		idTokenClaims.set(json, claims);
-	}
-	if (recognizedTokenTypes?.[json.token_type] !== void 0) recognizedTokenTypes[json.token_type](response, json);
-	else if (json.token_type !== "dpop" && json.token_type !== "bearer") throw new UnsupportedOperationError("unsupported `token_type` value", { cause: { body: json } });
-	return json;
-}
-function checkAuthenticationChallenges(response) {
-	let challenges;
-	if (challenges = parseWwwAuthenticateChallenges(response)) throw new WWWAuthenticateChallengeError("server responded with a challenge in the WWW-Authenticate HTTP Header", {
-		cause: challenges,
-		response
-	});
-}
-async function processRefreshTokenResponse(as, client, response, options) {
-	return processGenericAccessTokenResponse(as, client, response, void 0, options?.[jweDecrypt], options?.recognizedTokenTypes);
-}
-function validateAudience(expected, result) {
-	if (Array.isArray(result.claims.aud)) {
-		if (!result.claims.aud.includes(expected)) throw OPE("unexpected JWT \"aud\" (audience) claim value", JWT_CLAIM_COMPARISON, {
-			expected,
-			claims: result.claims,
-			claim: "aud"
-		});
-	} else if (result.claims.aud !== expected) throw OPE("unexpected JWT \"aud\" (audience) claim value", JWT_CLAIM_COMPARISON, {
-		expected,
-		claims: result.claims,
-		claim: "aud"
-	});
-	return result;
-}
-function validateIssuer(as, result) {
-	const expected = as[_expectedIssuer]?.(result) ?? as.issuer;
-	if (result.claims.iss !== expected) throw OPE("unexpected JWT \"iss\" (issuer) claim value", JWT_CLAIM_COMPARISON, {
-		expected,
-		claims: result.claims,
-		claim: "iss"
-	});
-	return result;
-}
-const branded = /* @__PURE__ */ new WeakSet();
-function brand(searchParams) {
-	branded.add(searchParams);
-	return searchParams;
-}
-const nopkce = Symbol();
-async function authorizationCodeGrantRequest(as, client, clientAuthentication, callbackParameters, redirectUri, codeVerifier, options) {
-	assertAs(as);
-	assertClient(client);
-	if (!branded.has(callbackParameters)) throw CodedTypeError$1("\"callbackParameters\" must be an instance of URLSearchParams obtained from \"validateAuthResponse()\", or \"validateJwtAuthResponse()", ERR_INVALID_ARG_VALUE$1);
-	assertString$1(redirectUri, "\"redirectUri\"");
-	const code = getURLSearchParameter(callbackParameters, "code");
-	if (!code) throw OPE("no authorization code in \"callbackParameters\"", INVALID_RESPONSE);
-	const parameters = new URLSearchParams(options?.additionalParameters);
-	parameters.set("redirect_uri", redirectUri);
-	parameters.set("code", code);
-	if (codeVerifier !== nopkce) {
-		assertString$1(codeVerifier, "\"codeVerifier\"");
-		parameters.set("code_verifier", codeVerifier);
-	}
-	return tokenEndpointRequest(as, client, clientAuthentication, "authorization_code", parameters, options);
-}
-const jwtClaimNames = {
-	aud: "audience",
-	c_hash: "code hash",
-	client_id: "client id",
-	exp: "expiration time",
-	iat: "issued at",
-	iss: "issuer",
-	jti: "jwt id",
-	nonce: "nonce",
-	s_hash: "state hash",
-	sub: "subject",
-	ath: "access token hash",
-	htm: "http method",
-	htu: "http uri",
-	cnf: "confirmation",
-	auth_time: "authentication time"
-};
-function validatePresence(required, result) {
-	for (const claim of required) if (result.claims[claim] === void 0) throw OPE(`JWT "${claim}" (${jwtClaimNames[claim]}) claim missing`, INVALID_RESPONSE, { claims: result.claims });
-	return result;
-}
-const expectNoNonce = Symbol();
-const skipAuthTimeCheck = Symbol();
-async function processAuthorizationCodeResponse(as, client, response, options) {
-	if (typeof options?.expectedNonce === "string" || typeof options?.maxAge === "number" || options?.requireIdToken) return processAuthorizationCodeOpenIDResponse(as, client, response, options.expectedNonce, options.maxAge, options[jweDecrypt], options.recognizedTokenTypes);
-	return processAuthorizationCodeOAuth2Response(as, client, response, options?.[jweDecrypt], options?.recognizedTokenTypes);
-}
-async function processAuthorizationCodeOpenIDResponse(as, client, response, expectedNonce, maxAge, decryptFn, recognizedTokenTypes) {
-	const additionalRequiredClaims = [];
-	switch (expectedNonce) {
-		case void 0:
-			expectedNonce = expectNoNonce;
-			break;
-		case expectNoNonce: break;
-		default:
-			assertString$1(expectedNonce, "\"expectedNonce\" argument");
-			additionalRequiredClaims.push("nonce");
-	}
-	maxAge ??= client.default_max_age;
-	switch (maxAge) {
-		case void 0:
-			maxAge = skipAuthTimeCheck;
-			break;
-		case skipAuthTimeCheck: break;
-		default:
-			assertNumber(maxAge, true, "\"maxAge\" argument");
-			additionalRequiredClaims.push("auth_time");
-	}
-	const result = await processGenericAccessTokenResponse(as, client, response, additionalRequiredClaims, decryptFn, recognizedTokenTypes);
-	assertString$1(result.id_token, "\"response\" body \"id_token\" property", INVALID_RESPONSE, { body: result });
-	const claims = getValidatedIdTokenClaims(result);
-	if (maxAge !== skipAuthTimeCheck) {
-		const now = epochTime() + getClockSkew(client);
-		const tolerance = getClockTolerance(client);
-		if (claims.auth_time + maxAge < now - tolerance) throw OPE("too much time has elapsed since the last End-User authentication", JWT_TIMESTAMP_CHECK, {
-			claims,
-			now,
-			tolerance,
-			claim: "auth_time"
-		});
-	}
-	if (expectedNonce === expectNoNonce) {
-		if (claims.nonce !== void 0) throw OPE("unexpected ID Token \"nonce\" claim value", JWT_CLAIM_COMPARISON, {
-			expected: void 0,
-			claims,
-			claim: "nonce"
-		});
-	} else if (claims.nonce !== expectedNonce) throw OPE("unexpected ID Token \"nonce\" claim value", JWT_CLAIM_COMPARISON, {
-		expected: expectedNonce,
-		claims,
-		claim: "nonce"
-	});
-	return result;
-}
-async function processAuthorizationCodeOAuth2Response(as, client, response, decryptFn, recognizedTokenTypes) {
-	const result = await processGenericAccessTokenResponse(as, client, response, void 0, decryptFn, recognizedTokenTypes);
-	const claims = getValidatedIdTokenClaims(result);
-	if (claims) {
-		if (client.default_max_age !== void 0) {
-			assertNumber(client.default_max_age, true, "\"client.default_max_age\"");
-			const now = epochTime() + getClockSkew(client);
-			const tolerance = getClockTolerance(client);
-			if (claims.auth_time + client.default_max_age < now - tolerance) throw OPE("too much time has elapsed since the last End-User authentication", JWT_TIMESTAMP_CHECK, {
-				claims,
-				now,
-				tolerance,
-				claim: "auth_time"
-			});
-		}
-		if (claims.nonce !== void 0) throw OPE("unexpected ID Token \"nonce\" claim value", JWT_CLAIM_COMPARISON, {
-			expected: void 0,
-			claims,
-			claim: "nonce"
-		});
-	}
-	return result;
-}
-const WWW_AUTHENTICATE_CHALLENGE = "OAUTH_WWW_AUTHENTICATE_CHALLENGE";
-const RESPONSE_BODY_ERROR = "OAUTH_RESPONSE_BODY_ERROR";
-const UNSUPPORTED_OPERATION = "OAUTH_UNSUPPORTED_OPERATION";
-const AUTHORIZATION_RESPONSE_ERROR = "OAUTH_AUTHORIZATION_RESPONSE_ERROR";
-const PARSE_ERROR = "OAUTH_PARSE_ERROR";
-const INVALID_RESPONSE = "OAUTH_INVALID_RESPONSE";
-const RESPONSE_IS_NOT_JSON = "OAUTH_RESPONSE_IS_NOT_JSON";
-const RESPONSE_IS_NOT_CONFORM = "OAUTH_RESPONSE_IS_NOT_CONFORM";
-const HTTP_REQUEST_FORBIDDEN = "OAUTH_HTTP_REQUEST_FORBIDDEN";
-const REQUEST_PROTOCOL_FORBIDDEN = "OAUTH_REQUEST_PROTOCOL_FORBIDDEN";
-const JWT_TIMESTAMP_CHECK = "OAUTH_JWT_TIMESTAMP_CHECK_FAILED";
-const JWT_CLAIM_COMPARISON = "OAUTH_JWT_CLAIM_COMPARISON_FAILED";
-const JSON_ATTRIBUTE_COMPARISON = "OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED";
-const MISSING_SERVER_METADATA = "OAUTH_MISSING_SERVER_METADATA";
-const INVALID_SERVER_METADATA = "OAUTH_INVALID_SERVER_METADATA";
-function assertReadableResponse(response) {
-	if (response.bodyUsed) throw CodedTypeError$1("\"response\" body has been used already", ERR_INVALID_ARG_VALUE$1);
-}
-async function validateJwt(jws, checkAlg, clockSkew$2, clockTolerance$2, decryptJwt) {
-	let { 0: protectedHeader, 1: payload, length } = jws.split(".");
-	if (length === 5) if (decryptJwt !== void 0) {
-		jws = await decryptJwt(jws);
-		({0: protectedHeader, 1: payload, length} = jws.split("."));
-	} else throw new UnsupportedOperationError("JWE decryption is not configured", { cause: jws });
-	if (length !== 3) throw OPE("Invalid JWT", INVALID_RESPONSE, jws);
-	let header;
-	try {
-		header = JSON.parse(buf(b64u(protectedHeader)));
-	} catch (cause) {
-		throw OPE("failed to parse JWT Header body as base64url encoded JSON", PARSE_ERROR, cause);
-	}
-	if (!isJsonObject(header)) throw OPE("JWT Header must be a top level object", INVALID_RESPONSE, jws);
-	checkAlg(header);
-	if (header.crit !== void 0) throw new UnsupportedOperationError("no JWT \"crit\" header parameter extensions are supported", { cause: { header } });
-	let claims;
-	try {
-		claims = JSON.parse(buf(b64u(payload)));
-	} catch (cause) {
-		throw OPE("failed to parse JWT Payload body as base64url encoded JSON", PARSE_ERROR, cause);
-	}
-	if (!isJsonObject(claims)) throw OPE("JWT Payload must be a top level object", INVALID_RESPONSE, jws);
-	const now = epochTime() + clockSkew$2;
-	if (claims.exp !== void 0) {
-		if (typeof claims.exp !== "number") throw OPE("unexpected JWT \"exp\" (expiration time) claim type", INVALID_RESPONSE, { claims });
-		if (claims.exp <= now - clockTolerance$2) throw OPE("unexpected JWT \"exp\" (expiration time) claim value, expiration is past current timestamp", JWT_TIMESTAMP_CHECK, {
-			claims,
-			now,
-			tolerance: clockTolerance$2,
-			claim: "exp"
-		});
-	}
-	if (claims.iat !== void 0) {
-		if (typeof claims.iat !== "number") throw OPE("unexpected JWT \"iat\" (issued at) claim type", INVALID_RESPONSE, { claims });
-	}
-	if (claims.iss !== void 0) {
-		if (typeof claims.iss !== "string") throw OPE("unexpected JWT \"iss\" (issuer) claim type", INVALID_RESPONSE, { claims });
-	}
-	if (claims.nbf !== void 0) {
-		if (typeof claims.nbf !== "number") throw OPE("unexpected JWT \"nbf\" (not before) claim type", INVALID_RESPONSE, { claims });
-		if (claims.nbf > now + clockTolerance$2) throw OPE("unexpected JWT \"nbf\" (not before) claim value", JWT_TIMESTAMP_CHECK, {
-			claims,
-			now,
-			tolerance: clockTolerance$2,
-			claim: "nbf"
-		});
-	}
-	if (claims.aud !== void 0) {
-		if (typeof claims.aud !== "string" && !Array.isArray(claims.aud)) throw OPE("unexpected JWT \"aud\" (audience) claim type", INVALID_RESPONSE, { claims });
-	}
-	return {
-		header,
-		claims,
-		jwt: jws
-	};
-}
-async function consumeStream(request) {
-	if (request.bodyUsed) throw CodedTypeError$1("form_post Request instances must contain a readable body", ERR_INVALID_ARG_VALUE$1, { cause: request });
-	return request.text();
-}
-async function formPostResponse(request) {
-	if (request.method !== "POST") throw CodedTypeError$1("form_post responses are expected to use the POST method", ERR_INVALID_ARG_VALUE$1, { cause: request });
-	if (getContentType(request) !== "application/x-www-form-urlencoded") throw CodedTypeError$1("form_post responses are expected to use the application/x-www-form-urlencoded content-type", ERR_INVALID_ARG_VALUE$1, { cause: request });
-	return consumeStream(request);
-}
-function checkSigningAlgorithm(client, issuer, fallback, header) {
-	if (client !== void 0) {
-		if (typeof client === "string" ? header.alg !== client : !client.includes(header.alg)) throw OPE("unexpected JWT \"alg\" header parameter", INVALID_RESPONSE, {
-			header,
-			expected: client,
-			reason: "client configuration"
-		});
-		return;
-	}
-	if (Array.isArray(issuer)) {
-		if (!issuer.includes(header.alg)) throw OPE("unexpected JWT \"alg\" header parameter", INVALID_RESPONSE, {
-			header,
-			expected: issuer,
-			reason: "authorization server metadata"
-		});
-		return;
-	}
-	if (fallback !== void 0) {
-		if (typeof fallback === "string" ? header.alg !== fallback : typeof fallback === "function" ? !fallback(header.alg) : !fallback.includes(header.alg)) throw OPE("unexpected JWT \"alg\" header parameter", INVALID_RESPONSE, {
-			header,
-			expected: fallback,
-			reason: "default value"
-		});
-		return;
-	}
-	throw OPE("missing client or server configuration to verify used JWT \"alg\" header parameter", void 0, {
-		client,
-		issuer,
-		fallback
-	});
-}
-function getURLSearchParameter(parameters, name) {
-	const { 0: value, length } = parameters.getAll(name);
-	if (length > 1) throw OPE(`"${name}" parameter must be provided only once`, INVALID_RESPONSE);
-	return value;
-}
-const skipStateCheck$1 = Symbol();
-const expectNoState = Symbol();
-function validateAuthResponse(as, client, parameters, expectedState) {
-	assertAs(as);
-	assertClient(client);
-	if (parameters instanceof URL) parameters = parameters.searchParams;
-	if (!(parameters instanceof URLSearchParams)) throw CodedTypeError$1("\"parameters\" must be an instance of URLSearchParams, or URL", ERR_INVALID_ARG_TYPE$1);
-	if (getURLSearchParameter(parameters, "response")) throw OPE("\"parameters\" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()", INVALID_RESPONSE, { parameters });
-	const iss = getURLSearchParameter(parameters, "iss");
-	const state = getURLSearchParameter(parameters, "state");
-	if (!iss && as.authorization_response_iss_parameter_supported) throw OPE("response parameter \"iss\" (issuer) missing", INVALID_RESPONSE, { parameters });
-	if (iss && iss !== as.issuer) throw OPE("unexpected \"iss\" (issuer) response parameter value", INVALID_RESPONSE, {
-		expected: as.issuer,
-		parameters
-	});
-	switch (expectedState) {
-		case void 0:
-		case expectNoState:
-			if (state !== void 0) throw OPE("unexpected \"state\" response parameter encountered", INVALID_RESPONSE, {
-				expected: void 0,
-				parameters
-			});
-			break;
-		case skipStateCheck$1: break;
-		default:
-			assertString$1(expectedState, "\"expectedState\" argument");
-			if (state !== expectedState) throw OPE(state === void 0 ? "response parameter \"state\" missing" : "unexpected \"state\" response parameter value", INVALID_RESPONSE, {
-				expected: expectedState,
-				parameters
-			});
-	}
-	if (getURLSearchParameter(parameters, "error")) throw new AuthorizationResponseError("authorization response from the server is an error", { cause: parameters });
-	const id_token = getURLSearchParameter(parameters, "id_token");
-	const token = getURLSearchParameter(parameters, "token");
-	if (id_token !== void 0 || token !== void 0) throw new UnsupportedOperationError("implicit and hybrid flows are not supported");
-	return brand(new URLSearchParams(parameters));
-}
-async function getResponseJsonBody(response, check = assertApplicationJson) {
-	let json;
-	try {
-		json = await response.json();
-	} catch (cause) {
-		check(response);
-		throw OPE("failed to parse \"response\" body as JSON", PARSE_ERROR, cause);
-	}
-	if (!isJsonObject(json)) throw OPE("\"response\" body must be a top level object", INVALID_RESPONSE, { body: json });
-	return json;
-}
-const _nodiscoverycheck = Symbol();
-const _expectedIssuer = Symbol();
-
-//#endregion
-//#region ../../node_modules/openid-client/build/index.js
-let headers;
-let USER_AGENT;
-if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
-	USER_AGENT = `openid-client/v6.8.1`;
-	headers = { "user-agent": USER_AGENT };
-}
-const int = (config) => {
-	return props.get(config);
-};
-let props;
-let tbi;
-function ClientSecretPost(clientSecret) {
-	if (clientSecret !== void 0) return ClientSecretPost$1(clientSecret);
-	tbi ||= /* @__PURE__ */ new WeakMap();
-	return (as, client, body, headers$1) => {
-		let auth;
-		if (!(auth = tbi.get(client))) {
-			assertString(client.client_secret, "\"metadata.client_secret\"");
-			auth = ClientSecretPost$1(client.client_secret);
-			tbi.set(client, auth);
-		}
-		return auth(as, client, body, headers$1);
-	};
-}
-function assertString(input, it) {
-	if (typeof input !== "string") throw CodedTypeError(`${it} must be a string`, ERR_INVALID_ARG_TYPE);
-	if (input.length === 0) throw CodedTypeError(`${it} must not be empty`, ERR_INVALID_ARG_VALUE);
-}
-function None() {
-	return None$1();
-}
-const skipStateCheck = skipStateCheck$1;
-const skipSubjectCheck = skipSubjectCheck$1;
-const customFetch = customFetch$1;
-const modifyAssertion = modifyAssertion$1;
-const clockSkew = clockSkew$1;
-const clockTolerance = clockTolerance$1;
-const ERR_INVALID_ARG_VALUE = "ERR_INVALID_ARG_VALUE";
-const ERR_INVALID_ARG_TYPE = "ERR_INVALID_ARG_TYPE";
-function CodedTypeError(message, code, cause) {
-	const err = new TypeError(message, { cause });
-	Object.assign(err, { code });
-	return err;
-}
-function calculatePKCECodeChallenge(codeVerifier) {
-	return calculatePKCECodeChallenge$1(codeVerifier);
-}
-function randomPKCECodeVerifier() {
-	return generateRandomCodeVerifier();
-}
-function randomState() {
-	return generateRandomState();
-}
-var ClientError = class extends Error {
-	code;
-	constructor(message, options) {
-		super(message, options);
-		this.name = this.constructor.name;
-		this.code = options?.code;
-		Error.captureStackTrace?.(this, this.constructor);
-	}
-};
-const decoder = new TextDecoder();
-function e(msg, cause, code) {
-	return new ClientError(msg, {
-		cause,
-		code
-	});
-}
-function errorHandler(err) {
-	if (err instanceof TypeError || err instanceof ClientError || err instanceof ResponseBodyError || err instanceof AuthorizationResponseError || err instanceof WWWAuthenticateChallengeError) throw err;
-	if (err instanceof OperationProcessingError) switch (err.code) {
-		case HTTP_REQUEST_FORBIDDEN: throw e("only requests to HTTPS are allowed", err, err.code);
-		case REQUEST_PROTOCOL_FORBIDDEN: throw e("only requests to HTTP or HTTPS are allowed", err, err.code);
-		case RESPONSE_IS_NOT_CONFORM: throw e("unexpected HTTP response status code", err.cause, err.code);
-		case RESPONSE_IS_NOT_JSON: throw e("unexpected response content-type", err.cause, err.code);
-		case PARSE_ERROR: throw e("parsing error occured", err, err.code);
-		case INVALID_RESPONSE: throw e("invalid response encountered", err, err.code);
-		case JWT_CLAIM_COMPARISON: throw e("unexpected JWT claim value encountered", err, err.code);
-		case JSON_ATTRIBUTE_COMPARISON: throw e("unexpected JSON attribute value encountered", err, err.code);
-		case JWT_TIMESTAMP_CHECK: throw e("JWT timestamp claim value failed validation", err, err.code);
-		default: throw e(err.message, err, err.code);
-	}
-	if (err instanceof UnsupportedOperationError) throw e("unsupported operation", err, err.code);
-	if (err instanceof DOMException) switch (err.name) {
-		case "OperationError": throw e("runtime operation error", err, UNSUPPORTED_OPERATION);
-		case "NotSupportedError": throw e("runtime unsupported operation", err, UNSUPPORTED_OPERATION);
-		case "TimeoutError": throw e("operation timed out", err, "OAUTH_TIMEOUT");
-		case "AbortError": throw e("operation aborted", err, "OAUTH_ABORT");
-	}
-	throw new ClientError("something went wrong", { cause: err });
-}
-function handleEntraId(server, as, options) {
-	if (server.origin === "https://login.microsoftonline.com" && (!options?.algorithm || options.algorithm === "oidc")) {
-		as[kEntraId] = true;
-		return true;
-	}
-	return false;
-}
-function handleB2Clogin(server, options) {
-	if (server.hostname.endsWith(".b2clogin.com") && (!options?.algorithm || options.algorithm === "oidc")) return true;
-	return false;
-}
-async function discovery(server, clientId, metadata, clientAuthentication, options) {
-	const instance = new Configuration(await performDiscovery(server, options), clientId, metadata, clientAuthentication);
-	let internals = int(instance);
-	if (options?.[customFetch]) internals.fetch = options[customFetch];
-	if (options?.timeout) internals.timeout = options.timeout;
-	if (options?.execute) for (const extension of options.execute) extension(instance);
-	return instance;
-}
-async function performDiscovery(server, options) {
-	if (!(server instanceof URL)) throw CodedTypeError("\"server\" must be an instance of URL", ERR_INVALID_ARG_TYPE);
-	const resolve = !server.href.includes("/.well-known/");
-	const timeout = options?.timeout ?? 30;
-	const signal$2 = AbortSignal.timeout(timeout * 1e3);
-	const as = await (resolve ? discoveryRequest(server, {
-		algorithm: options?.algorithm,
-		[customFetch$1]: options?.[customFetch],
-		[allowInsecureRequests$1]: options?.execute?.includes(allowInsecureRequests),
-		signal: signal$2,
-		headers: new Headers(headers)
-	}) : (options?.[customFetch] || fetch)((() => {
-		checkProtocol(server, options?.execute?.includes(allowInsecureRequests) ? false : true);
-		return server.href;
-	})(), {
-		headers: Object.fromEntries(new Headers({
-			accept: "application/json",
-			...headers
-		}).entries()),
-		body: void 0,
-		method: "GET",
-		redirect: "manual",
-		signal: signal$2
-	})).then((response) => processDiscoveryResponse(_nodiscoverycheck, response)).catch(errorHandler);
-	if (resolve && new URL(as.issuer).href !== server.href) handleEntraId(server, as, options) || handleB2Clogin(server, options) || (() => {
-		throw new ClientError("discovered metadata issuer does not match the expected issuer", {
-			code: JSON_ATTRIBUTE_COMPARISON,
-			cause: {
-				expected: server.href,
-				body: as,
-				attribute: "issuer"
-			}
-		});
-	})();
-	return as;
-}
-function getServerHelpers(metadata) {
-	return { supportsPKCE: {
-		__proto__: null,
-		value(method = "S256") {
-			return metadata.code_challenge_methods_supported?.includes(method) === true;
-		}
-	} };
-}
-function addServerHelpers(metadata) {
-	Object.defineProperties(metadata, getServerHelpers(metadata));
-}
-const kEntraId = Symbol();
-var Configuration = class {
-	constructor(server, clientId, metadata, clientAuthentication) {
-		if (typeof clientId !== "string" || !clientId.length) throw CodedTypeError("\"clientId\" must be a non-empty string", ERR_INVALID_ARG_TYPE);
-		if (typeof metadata === "string") metadata = { client_secret: metadata };
-		if (metadata?.client_id !== void 0 && clientId !== metadata.client_id) throw CodedTypeError("\"clientId\" and \"metadata.client_id\" must be the same", ERR_INVALID_ARG_VALUE);
-		const client = {
-			...structuredClone(metadata),
-			client_id: clientId
-		};
-		client[clockSkew$1] = metadata?.[clockSkew$1] ?? 0;
-		client[clockTolerance$1] = metadata?.[clockTolerance$1] ?? 30;
-		let auth;
-		if (clientAuthentication) auth = clientAuthentication;
-		else if (typeof client.client_secret === "string" && client.client_secret.length) auth = ClientSecretPost(client.client_secret);
-		else auth = None();
-		let c = Object.freeze(client);
-		const clone = structuredClone(server);
-		if (kEntraId in server) clone[_expectedIssuer] = ({ claims: { tid } }) => server.issuer.replace("{tenantid}", tid);
-		let as = Object.freeze(clone);
-		props ||= /* @__PURE__ */ new WeakMap();
-		props.set(this, {
-			__proto__: null,
-			as,
-			c,
-			auth,
-			tlsOnly: true,
-			jwksCache: {}
-		});
-	}
-	serverMetadata() {
-		const metadata = structuredClone(int(this).as);
-		addServerHelpers(metadata);
-		return metadata;
-	}
-	clientMetadata() {
-		return structuredClone(int(this).c);
-	}
-	get timeout() {
-		return int(this).timeout;
-	}
-	set timeout(value) {
-		int(this).timeout = value;
-	}
-	get [customFetch]() {
-		return int(this).fetch;
-	}
-	set [customFetch](value) {
-		int(this).fetch = value;
-	}
-};
-Object.freeze(Configuration.prototype);
-function getHelpers(response) {
-	let exp = void 0;
-	if (response.expires_in !== void 0) {
-		const now = /* @__PURE__ */ new Date();
-		now.setSeconds(now.getSeconds() + response.expires_in);
-		exp = now.getTime();
-	}
-	return {
-		expiresIn: {
-			__proto__: null,
-			value() {
-				if (exp) {
-					const now = Date.now();
-					if (exp > now) return Math.floor((exp - now) / 1e3);
-					return 0;
-				}
-			}
-		},
-		claims: {
-			__proto__: null,
-			value() {
-				try {
-					return getValidatedIdTokenClaims(this);
-				} catch {
-					return;
-				}
-			}
-		}
-	};
-}
-function addHelpers(response) {
-	Object.defineProperties(response, getHelpers(response));
-}
-function allowInsecureRequests(config) {
-	int(config).tlsOnly = false;
-}
-function stripParams(url) {
-	url = new URL(url);
-	url.search = "";
-	url.hash = "";
-	return url.href;
-}
-function webInstanceOf(input, toStringTag) {
-	try {
-		return Object.getPrototypeOf(input)[Symbol.toStringTag] === toStringTag;
-	} catch {
-		return false;
-	}
-}
-async function authorizationCodeGrant(config, currentUrl, checks, tokenEndpointParameters, options) {
-	checkConfig(config);
-	if (options?.flag !== retry && !(currentUrl instanceof URL) && !webInstanceOf(currentUrl, "Request")) throw CodedTypeError("\"currentUrl\" must be an instance of URL, or Request", ERR_INVALID_ARG_TYPE);
-	let authResponse;
-	let redirectUri;
-	const { as, c, auth, fetch: fetch$1, tlsOnly, jarm, hybrid, nonRepudiation, timeout, decrypt, implicit } = int(config);
-	if (options?.flag === retry) {
-		authResponse = options.authResponse;
-		redirectUri = options.redirectUri;
-	} else {
-		if (!(currentUrl instanceof URL)) {
-			const request = currentUrl;
-			currentUrl = new URL(currentUrl.url);
-			switch (request.method) {
-				case "GET": break;
-				case "POST":
-					const params = new URLSearchParams(await formPostResponse(request));
-					if (hybrid) currentUrl.hash = params.toString();
-					else for (const [k, v] of params.entries()) currentUrl.searchParams.append(k, v);
-					break;
-				default: throw CodedTypeError("unexpected Request HTTP method", ERR_INVALID_ARG_VALUE);
-			}
-		}
-		redirectUri = stripParams(currentUrl);
-		switch (true) {
-			case !!jarm:
-				authResponse = await jarm(currentUrl, checks?.expectedState);
-				break;
-			case !!hybrid:
-				authResponse = await hybrid(currentUrl, checks?.expectedNonce, checks?.expectedState, checks?.maxAge);
-				break;
-			case !!implicit: throw new TypeError("authorizationCodeGrant() cannot be used by response_type=id_token clients");
-			default: try {
-				authResponse = validateAuthResponse(as, c, currentUrl.searchParams, checks?.expectedState);
-			} catch (err) {
-				errorHandler(err);
+//#region src/auth/providers/ReactAuthProvider.ts
+var ReactAuthProvider = class {
+	alepha = $inject(Alepha);
+	onRender = $hook({
+		on: "react:server:render:begin",
+		handler: async ({ request, state }) => {
+			if (request?.user) {
+				const { token, realm, ...user } = request.user;
+				this.alepha.state.set("alepha.server.request.user", user);
+				state.user = user;
 			}
 		}
-	}
-	const response = await authorizationCodeGrantRequest(as, c, auth, authResponse, redirectUri, checks?.pkceCodeVerifier || nopkce, {
-		additionalParameters: tokenEndpointParameters,
-		[customFetch$1]: fetch$1,
-		[allowInsecureRequests$1]: !tlsOnly,
-		DPoP: options?.DPoP,
-		headers: new Headers(headers),
-		signal: signal(timeout)
-	}).catch(errorHandler);
-	if (typeof checks?.expectedNonce === "string" || typeof checks?.maxAge === "number") checks.idTokenExpected = true;
-	const p = processAuthorizationCodeResponse(as, c, response, {
-		expectedNonce: checks?.expectedNonce,
-		maxAge: checks?.maxAge,
-		requireIdToken: checks?.idTokenExpected,
-		[jweDecrypt]: decrypt
 	});
-	let result;
-	try {
-		result = await p;
-	} catch (err) {
-		if (retryable(err, options)) return authorizationCodeGrant(config, void 0, checks, tokenEndpointParameters, {
-			...options,
-			flag: retry,
-			authResponse,
-			redirectUri
-		});
-		errorHandler(err);
-	}
-	result.id_token && await nonRepudiation?.(response);
-	addHelpers(result);
-	return result;
-}
-async function refreshTokenGrant(config, refreshToken, parameters, options) {
-	checkConfig(config);
-	parameters = new URLSearchParams(parameters);
-	const { as, c, auth, fetch: fetch$1, tlsOnly, nonRepudiation, timeout, decrypt } = int(config);
-	const response = await refreshTokenGrantRequest(as, c, auth, refreshToken, {
-		[customFetch$1]: fetch$1,
-		[allowInsecureRequests$1]: !tlsOnly,
-		additionalParameters: parameters,
-		DPoP: options?.DPoP,
-		headers: new Headers(headers),
-		signal: signal(timeout)
-	}).catch(errorHandler);
-	const p = processRefreshTokenResponse(as, c, response, { [jweDecrypt]: decrypt });
-	let result;
-	try {
-		result = await p;
-	} catch (err) {
-		if (retryable(err, options)) return refreshTokenGrant(config, refreshToken, parameters, {
-			...options,
-			flag: retry
-		});
-		errorHandler(err);
-	}
-	result.id_token && await nonRepudiation?.(response);
-	addHelpers(result);
-	return result;
-}
-function buildAuthorizationUrl(config, parameters) {
-	checkConfig(config);
-	const { as, c, tlsOnly, hybrid, jarm, implicit } = int(config);
-	const authorizationEndpoint = resolveEndpoint(as, "authorization_endpoint", false, tlsOnly);
-	parameters = new URLSearchParams(parameters);
-	if (!parameters.has("client_id")) parameters.set("client_id", c.client_id);
-	if (!parameters.has("request_uri") && !parameters.has("request")) {
-		if (!parameters.has("response_type")) parameters.set("response_type", hybrid ? "code id_token" : implicit ? "id_token" : "code");
-		if (implicit && !parameters.has("nonce")) throw CodedTypeError("response_type=id_token clients must provide a nonce parameter in their authorization request parameters", ERR_INVALID_ARG_VALUE);
-		if (jarm) parameters.set("response_mode", "jwt");
-	}
-	for (const [k, v] of parameters.entries()) authorizationEndpoint.searchParams.append(k, v);
-	return authorizationEndpoint;
-}
-function buildEndSessionUrl(config, parameters) {
-	checkConfig(config);
-	const { as, c, tlsOnly } = int(config);
-	const endSessionEndpoint = resolveEndpoint(as, "end_session_endpoint", false, tlsOnly);
-	parameters = new URLSearchParams(parameters);
-	if (!parameters.has("client_id")) parameters.set("client_id", c.client_id);
-	for (const [k, v] of parameters.entries()) endSessionEndpoint.searchParams.append(k, v);
-	return endSessionEndpoint;
-}
-function checkConfig(input) {
-	if (!(input instanceof Configuration)) throw CodedTypeError("\"config\" must be an instance of Configuration", ERR_INVALID_ARG_TYPE);
-	if (Object.getPrototypeOf(input) !== Configuration.prototype) throw CodedTypeError("subclassing Configuration is not allowed", ERR_INVALID_ARG_VALUE);
-}
-function signal(timeout) {
-	return timeout ? AbortSignal.timeout(timeout * 1e3) : void 0;
-}
-function retryable(err, options) {
-	if (options?.DPoP && options.flag !== retry) return isDPoPNonceError(err);
-	return false;
-}
-const retry = Symbol();
-
-//#endregion
-//#region src/auth/descriptors/$auth.ts
-/**
-* Creates an authentication provider descriptor for handling user login flows.
-*
-* Supports multiple authentication strategies: credentials (username/password), OAuth2,
-* and OIDC (OpenID Connect). Handles token management, user profile retrieval, and
-* integration with both external identity providers (Auth0, Keycloak) and internal realms.
-*
-* **Authentication Types**: Credentials, OAuth2 (Google, GitHub), OIDC, External providers
-*
-* @example
-* ```ts
-* class AuthProviders {
-*   // Internal credentials-based auth
-*   credentials = $auth({
-*     realm: this.userRealm,
-*     credentials: {
-*       account: async ({ username, password }) => {
-*         return await this.validateUser(username, password);
-*       }
-*     }
-*   });
-*
-*   // External OIDC provider
-*   keycloak = $auth({
-*     oidc: {
-*       issuer: "https://auth.example.com",
-*       clientId: "my-app",
-*       clientSecret: "secret",
-*       redirectUri: "/auth/callback"
-*     }
-*   });
-* }
-* ```
-*/
-const $auth = (options) => {
-	return createDescriptor(AuthDescriptor, options);
 };
-var AuthDescriptor = class extends Descriptor {
-	securityProvider = $inject(SecurityProvider);
-	dateTimeProvider = $inject(DateTimeProvider);
-	oauth;
-	get name() {
-		return this.options.name ?? this.config.propertyKey;
-	}
-	get jwks_uri() {
-		const jwks = this.oauth?.serverMetadata().jwks_uri;
-		if (!jwks) throw new AlephaError("No JWKS URI available for the auth provider");
-		return jwks;
-	}
-	get scope() {
-		if ("oauth" in this.options) return this.options.oauth.scope;
-		if ("oidc" in this.options) return this.options.oidc.scope || "openid profile email";
-		throw new AlephaError("No OAuth2 or OIDC configuration available for the auth provider");
-	}
-	get redirect_uri() {
-		if ("oauth" in this.options) return this.options.oauth.redirectUri;
-		if ("oidc" in this.options) return this.options.oidc.redirectUri;
-		throw new AlephaError("No OAuth2 or OIDC configuration available for the auth provider");
-	}
-	/**
-	* Refreshes the access token using the refresh token.
-	* Can be used on oauth2, oidc or credentials auth providers.
-	*/
-	async refresh(refreshToken, accessToken) {
-		if ("realm" in this.options) return this.options.realm.refreshToken(refreshToken, accessToken).then((it) => it.tokens).catch((error) => {
-			throw new SecurityError("Failed to refresh access token using the refresh token (realm)", { cause: error });
-		});
-		else if (this.oauth) try {
-			return {
-				...await refreshTokenGrant(this.oauth, refreshToken),
-				issued_at: this.dateTimeProvider.now().unix()
-			};
-		} catch (error) {
-			throw new SecurityError("Failed to refresh access token using the refresh token (oauth2)", { cause: error });
-		}
-		throw new AlephaError("No realm or OAuth2 configuration available for refreshing the access token");
-	}
-	/**
-	* Extracts user information from the access token.
-	* This is used to create a user account from the access token.
-	*/
-	async user(tokens) {
-		try {
-			if ("oauth" in this.options) {
-				const profile = await this.options.oauth.userinfo(tokens);
-				if (this.options.oauth.account) return this.options.oauth.account({
-					...tokens,
-					user: profile
-				});
-				return this.securityProvider.createUserFromPayload(profile);
-			}
-			if ("oidc" in this.options) {
-				const payload = this.getUserFromIdToken(tokens.id_token || "");
-				if (this.options.oidc.account) return this.options.oidc.account({
-					...tokens,
-					user: payload
-				});
-				return this.securityProvider.createUserFromPayload(payload);
-			}
-		} catch (error) {
-			throw new SecurityError("Failed to extract user from identity provider tokens", { cause: error });
-		}
-		throw new AlephaError("This authentication does not support user extraction from tokens");
-	}
-	getUserFromIdToken(idToken) {
-		try {
-			return JSON.parse(Buffer.from(idToken.split(".")[1], "base64").toString("utf8"));
-		} catch (error) {
-			throw new AlephaError("Failed to parse ID Token payload", { cause: error });
-		}
-	}
-	async prepare() {
-		const addons = [];
-		addons.push(allowInsecureRequests);
-		if ("oidc" in this.options) {
-			const { oidc } = this.options;
-			this.oauth = await discovery(new URL(oidc.issuer), oidc.clientId, { client_secret: oidc.clientSecret }, void 0, { execute: addons });
-		}
-		if ("oauth" in this.options) {
-			const { oauth } = this.options;
-			this.oauth = new Configuration({
-				authorization_endpoint: oauth.authorization,
-				token_endpoint: oauth.token,
-				issuer: oauth.authorization,
-				jwks_uri: void 0,
-				end_session_endpoint: void 0
-			}, oauth.clientId, { client_secret: oauth.clientSecret });
-		}
-	}
-};
-$auth[KIND] = AuthDescriptor;
-
-//#endregion
-//#region src/auth/schemas/tokensSchema.ts
-const tokensSchema = t.object({
-	provider: t.text(),
-	access_token: t.text({ size: "rich" }),
-	issued_at: t.number(),
-	expires_in: t.optional(t.number()),
-	refresh_token: t.optional(t.text({ size: "rich" })),
-	refresh_token_expires_in: t.optional(t.number()),
-	refresh_expires_in: t.optional(t.number({ description: "Alias of `refresh_token_expires_in` for compatibility with some providers." })),
-	id_token: t.optional(t.text({ size: "rich" })),
-	scope: t.optional(t.text())
-});
-
-//#endregion
-//#region src/auth/schemas/tokenResponseSchema.ts
-const tokenResponseSchema = t.extend(tokensSchema, {
-	user: userAccountInfoSchema,
-	api: apiLinksResponseSchema
-});
-
-//#endregion
-//#region src/auth/schemas/userinfoResponseSchema.ts
-const userinfoResponseSchema = t.object({
-	user: t.optional(userAccountInfoSchema),
-	api: apiLinksResponseSchema
-});
 
 //#endregion
 //#region src/auth/services/ReactAuth.ts
 /**
 * Browser, SSR friendly, service to handle authentication.
 */
-var ReactAuth = class ReactAuth {
+var ReactAuth = class {
 	log = $logger();
 	alepha = $inject(Alepha);
 	httpClient = $inject(HttpClient);
-	static path = {
-		login: "/oauth/login",
-		callback: "/oauth/callback",
-		logout: "/oauth/logout",
-		token: "/_auth/token",
-		refresh: "/_auth/refresh",
-		userinfo: "/_auth/userinfo"
-	};
 	onBeginTransition = $hook({
 		on: "react:transition:begin",
 		handler: async (event) => {
@@ -3070,14 +1688,14 @@ var ReactAuth = class ReactAuth {
 		return this.alepha.state.get("alepha.server.request.user");
 	}
 	async ping() {
-		const { data } = await this.httpClient.fetch(ReactAuth.path.userinfo, { schema: { response: userinfoResponseSchema } });
+		const { data } = await this.httpClient.fetch(alephaServerAuthRoutes.userinfo, { schema: { response: userinfoResponseSchema } });
 		this.alepha.state.set("alepha.server.request.apiLinks", data.api);
 		this.alepha.state.set("alepha.server.request.user", data.user);
 		return data.user;
 	}
 	async login(provider, options) {
 		if (options.username || options.password) {
-			const { data } = await this.httpClient.fetch(`${options.hostname || ""}${ReactAuth.path.token}?provider=${provider}`, {
+			const { data } = await this.httpClient.fetch(`${options.hostname || ""}${alephaServerAuthRoutes.token}?provider=${provider}`, {
 				method: "POST",
 				body: JSON.stringify({
 					username: options.username,
@@ -3093,483 +1711,18 @@ var ReactAuth = class ReactAuth {
 		if (this.alepha.isBrowser()) {
 			const browser = this.alepha.inject(ReactBrowserProvider);
 			const redirect = options.redirect || (browser.transitioning ? window.location.origin + browser.transitioning.to : window.location.href);
-			const href = `${window.location.origin}${ReactAuth.path.login}?provider=${provider}&redirect_uri=${encodeURIComponent(redirect)}`;
+			const href = `${window.location.origin}${alephaServerAuthRoutes.login}?provider=${provider}&redirect_uri=${encodeURIComponent(redirect)}`;
 			if (browser.transitioning) throw new Redirection(href);
 			else {
 				window.location.href = href;
 				return {};
 			}
 		}
-		throw new Redirection(`${ReactAuth.path.login}?provider=${provider}&redirect_uri=${options.redirect || "/"}`);
+		throw new Redirection(`${alephaServerAuthRoutes.login}?provider=${provider}&redirect_uri=${options.redirect || "/"}`);
 	}
 	logout() {
-		window.location.href = `${ReactAuth.path.logout}?post_logout_redirect_uri=${encodeURIComponent(window.location.origin)}`;
-	}
-};
-
-//#endregion
-//#region src/auth/providers/ReactAuthProvider.ts
-var ReactAuthProvider = class {
-	log = $logger();
-	alepha = $inject(Alepha);
-	serverCookiesProvider = $inject(ServerCookiesProvider);
-	dateTimeProvider = $inject(DateTimeProvider);
-	serverLinksProvider = $inject(ServerLinksProvider);
-	reactAuth = $inject(ReactAuth);
-	authorizationCode = $cookie({
-		name: "authorizationCode",
-		ttl: [15, "minutes"],
-		httpOnly: true,
-		schema: t.object({
-			provider: t.text(),
-			codeVerifier: t.optional(t.text({ size: "long" })),
-			redirectUri: t.optional(t.text({ size: "long" })),
-			state: t.optional(t.text()),
-			nonce: t.optional(t.text())
-		})
-	});
-	tokens = $cookie({
-		name: "tokens",
-		ttl: [30, "days"],
-		httpOnly: true,
-		compress: true,
-		encrypt: true,
-		schema: tokensSchema
-	});
-	onRender = $hook({
-		on: "react:server:render:begin",
-		handler: async ({ request, state }) => {
-			if (request?.user) {
-				const { token, realm, ...user } = request.user;
-				this.alepha.state.set("alepha.server.request.user", user);
-				state.user = user;
-			}
-		}
-	});
-	get identities() {
-		return this.alepha.descriptors($auth).filter((auth) => !auth.options.disabled);
+		window.location.href = `${alephaServerAuthRoutes.logout}?post_logout_redirect_uri=${encodeURIComponent(window.location.origin)}`;
 	}
-	configure = $hook({
-		on: "configure",
-		handler: async () => {
-			for (const identity of this.identities) await identity.prepare();
-		}
-	});
-	getAccessTokens(tokens) {
-		const idp = this.provider(tokens.provider);
-		if ("oidc" in idp.options && !("realm" in idp.options) && idp.options.oidc?.useIdToken) return tokens.id_token;
-		return tokens.access_token;
-	}
-	/**
-	* Fill request headers with access token from cookies or fallback to provider's fallback function.
-	*/
-	onRequest = $hook({
-		on: "server:onRequest",
-		after: this.serverCookiesProvider,
-		handler: async ({ request }) => {
-			const cookies = request.cookies;
-			if (cookies) {
-				const tokens = await this.cookiesToTokens(cookies);
-				if (tokens) {
-					request.headers.authorization = `Bearer ${this.getAccessTokens(tokens)}`;
-					this.log.trace("Access token set in request headers", { provider: tokens.provider });
-				}
-			}
-			if (!request.headers.authorization) {
-				for (const provider of this.identities) if (!("realm" in provider.options) && !!provider.options.fallback) {
-					const token = await provider.options.fallback();
-					if (token) {
-						request.headers.authorization = `Bearer ${token}`;
-						break;
-					}
-				}
-			}
-		}
-	});
-	/**
-	* Convert cookies to tokens.
-	* If the tokens are expired, try to refresh them using the refresh token.
-	*/
-	async cookiesToTokens(cookies) {
-		const tokens = this.tokens.get({ cookies });
-		if (!tokens) {
-			this.log.trace("No tokens found in cookies");
-			return;
-		}
-		this.log.trace("Tokens found in cookies", {
-			expires_in: tokens.expires_in,
-			issued_at: tokens.issued_at
-		});
-		const refreshedTokens = await this.refreshTokens(tokens);
-		if (!refreshedTokens) {
-			this.tokens.del({ cookies });
-			return;
-		}
-		if (refreshedTokens.access_token !== tokens.access_token) this.setTokens(refreshedTokens, cookies);
-		return refreshedTokens;
-	}
-	async refreshTokens(tokens) {
-		if (tokens.expires_in && tokens.issued_at) {
-			if (tokens.issued_at + (tokens.expires_in - 10) < this.dateTimeProvider.now().unix()) {
-				this.log.trace("Tokens are expired");
-				if (tokens.refresh_token) {
-					this.log.trace("Trying to refresh tokens using refresh token");
-					try {
-						const newTokens = {
-							...await this.provider(tokens).refresh(tokens.refresh_token, tokens.access_token),
-							provider: tokens.provider,
-							issued_at: this.dateTimeProvider.now().unix()
-						};
-						this.log.debug("Tokens refreshed successfully");
-						return newTokens;
-					} catch (e$1) {
-						this.log.warn("Failed to refresh token", e$1);
-					}
-				}
-				return;
-			}
-		}
-		if (!tokens.issued_at && tokens.access_token) return;
-		return tokens;
-	}
-	/**
-	* Get user information.
-	*/
-	userinfo = $route({
-		path: ReactAuth.path.userinfo,
-		schema: { response: userinfoResponseSchema },
-		handler: async ({ user, headers: headers$1, cookies }) => {
-			const tokens = this.tokens.get({ cookies });
-			if (tokens) {
-				const provider = this.provider(tokens);
-				if (!("realm" in provider.options)) {
-					const user$1 = await provider.user(tokens);
-					return {
-						api: await this.serverLinksProvider.getUserApiLinks({
-							authorization: headers$1.authorization,
-							user: user$1
-						}),
-						user: user$1
-					};
-				}
-			}
-			return {
-				api: await this.serverLinksProvider.getUserApiLinks({
-					authorization: headers$1.authorization,
-					user
-				}),
-				user
-			};
-		}
-	});
-	/**
-	* Refresh a token for internal providers.
-	*/
-	refresh = $route({
-		path: ReactAuth.path.refresh,
-		method: "POST",
-		schema: {
-			query: t.object({ provider: t.text() }),
-			body: t.object({
-				refresh_token: t.text({ size: "rich" }),
-				access_token: t.optional(t.text({
-					size: "rich",
-					description: "Required if provider has stateless refresh token on credentials mode"
-				}))
-			}),
-			response: tokensSchema
-		},
-		handler: async ({ query, body, cookies }) => {
-			const provider = this.provider(query);
-			const tokens = {
-				provider: query.provider,
-				...await provider.refresh(body.refresh_token, body.access_token)
-			};
-			this.setTokens(tokens, cookies);
-			return tokens;
-		}
-	});
-	/**
-	* Login for local password-based authentication.
-	*/
-	token = $route({
-		path: ReactAuth.path.token,
-		method: "POST",
-		schema: {
-			query: t.object({ provider: t.text() }),
-			body: t.object({
-				username: t.text(),
-				password: t.text()
-			}),
-			response: tokenResponseSchema
-		},
-		handler: async ({ query, body, cookies }) => {
-			const provider = this.provider(query);
-			const realm = "realm" in provider.options && provider.options.realm;
-			if (!realm) throw new SecurityError(`Auth provider '${query.provider}' does not support password grant`);
-			const credentials = "credentials" in provider.options && provider.options.credentials;
-			if (!credentials) throw new SecurityError(`Auth provider '${query.provider}' does not support password grant`);
-			let user;
-			try {
-				user = await credentials.account(body);
-			} catch (e$1) {
-				throw new UnauthorizedError(`Failed to authenticate user`, { cause: e$1 });
-			}
-			const tokens = {
-				provider: query.provider,
-				...await realm.createToken(user)
-			};
-			this.setTokens(tokens, cookies);
-			const api = await this.serverLinksProvider.getUserApiLinks({ user });
-			return {
-				...tokens,
-				user,
-				api
-			};
-		}
-	});
-	/**
-	* Oauth2/OIDC login route.
-	*/
-	login = $route({
-		path: ReactAuth.path.login,
-		schema: { query: t.object({
-			provider: t.text(),
-			redirect_uri: t.optional(t.text({ size: "rich" }))
-		}) },
-		handler: async ({ query, url, reply }) => {
-			const provider = this.provider(query);
-			const oauth = provider.oauth;
-			if (!oauth) throw new SecurityError(`Auth provider '${query.provider}' does not support OAuth2`);
-			const scope = provider.scope;
-			let redirect_uri = provider.redirect_uri || ReactAuth.path.callback;
-			if (redirect_uri.startsWith("/")) redirect_uri = `${url.protocol}//${url.host}${redirect_uri}`;
-			const oidc = "oidc" in provider.options && provider.options.oidc;
-			if (!oauth.serverMetadata().supportsPKCE()) {
-				const state = randomState();
-				const parameters$1 = {
-					redirect_uri,
-					state
-				};
-				if (oidc) parameters$1.nonce = randomState();
-				if (scope) parameters$1.scope = scope;
-				this.authorizationCode.set({
-					state,
-					nonce: parameters$1.nonce,
-					redirectUri: query.redirect_uri ?? "/",
-					provider: query.provider
-				});
-				reply.redirect(buildAuthorizationUrl(oauth, parameters$1).toString());
-				return;
-			}
-			const codeVerifier = randomPKCECodeVerifier();
-			const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);
-			const parameters = {
-				redirect_uri,
-				code_challenge: codeChallenge,
-				code_challenge_method: "S256"
-			};
-			if (scope) parameters.scope = scope;
-			this.authorizationCode.set({
-				codeVerifier,
-				redirectUri: query.redirect_uri ?? "/",
-				provider: query.provider
-			});
-			reply.redirect(buildAuthorizationUrl(oauth, parameters).toString());
-		}
-	});
-	/**
-	* Callback for OAuth2/OIDC providers.
-	* It handles the authorization code flow and retrieves the access token.
-	*/
-	callback = $route({
-		path: ReactAuth.path.callback,
-		handler: async ({ url, reply, cookies }) => {
-			const authorizationCode = this.authorizationCode.get({ cookies });
-			if (!authorizationCode) throw new BadRequestError("Missing code verifier");
-			const provider = this.provider(authorizationCode);
-			const oauth = provider.oauth;
-			if (!oauth) throw new SecurityError(`Auth provider '${provider.name}' does not support OAuth2`);
-			const redirectUri = authorizationCode.redirectUri ?? "/";
-			const externalTokens = await authorizationCodeGrant(oauth, url, {
-				pkceCodeVerifier: authorizationCode.codeVerifier,
-				expectedState: authorizationCode.state,
-				expectedNonce: authorizationCode.nonce
-			}).then((tokens$1) => ({
-				issued_at: this.dateTimeProvider.now().unix(),
-				provider: provider.name,
-				...tokens$1
-			})).catch((e$1) => {
-				this.log.error("Failed to get access token", e$1);
-				throw new SecurityError("Failed to get access token", { cause: e$1 });
-			});
-			this.authorizationCode.del({ cookies });
-			const realm = "realm" in provider.options && provider.options.realm;
-			if (!realm) {
-				this.setTokens(externalTokens, cookies);
-				reply.redirect(redirectUri);
-				return;
-			}
-			const user = await provider.user(externalTokens);
-			const tokens = await realm.createToken(user);
-			this.setTokens({
-				...tokens,
-				issued_at: this.dateTimeProvider.now().unix(),
-				provider: provider.name
-			}, cookies);
-			reply.redirect(redirectUri);
-		}
-	});
-	/**
-	* Logout route for OAuth2/OIDC providers.
-	*/
-	logout = $route({
-		path: ReactAuth.path.logout,
-		method: "GET",
-		schema: { query: t.object({ post_logout_redirect_uri: t.optional(t.text()) }) },
-		handler: async ({ query, reply, cookies }) => {
-			const redirect = query.post_logout_redirect_uri ?? "/";
-			const tokens = this.tokens.get({ cookies });
-			if (!tokens) {
-				reply.redirect(redirect);
-				return;
-			}
-			const provider = this.provider(tokens.provider);
-			this.tokens.del({ cookies });
-			if ("realm" in provider.options && tokens.refresh_token) {
-				const onDeleteSession = provider.options.realm.options.settings?.onDeleteSession;
-				if (onDeleteSession) try {
-					await onDeleteSession(tokens.refresh_token);
-				} catch (e$1) {
-					this.log.error("Failed to delete session", e$1);
-				}
-			}
-			const oauth = provider.oauth;
-			if (!oauth) {
-				reply.redirect(redirect);
-				return;
-			}
-			const params = new URLSearchParams();
-			const idToken = tokens?.id_token;
-			params.set("post_logout_redirect_uri", redirect);
-			if (idToken) params.set("id_token_hint", idToken);
-			const customLogoutUri = "oidc" in provider.options ? provider.options.oidc?.logoutUri : void 0;
-			if (customLogoutUri) {
-				reply.redirect(`${customLogoutUri}?${params}`);
-				return;
-			}
-			if (!oauth.serverMetadata().end_session_endpoint) {
-				reply.redirect(redirect);
-				return;
-			}
-			reply.redirect(buildEndSessionUrl(oauth, params).toString());
-		}
-	});
-	provider(opts) {
-		const name = typeof opts === "string" ? opts : opts.provider;
-		const identity = this.identities.find((identity$1) => identity$1.name === name);
-		if (!identity) throw new SecurityError(`Auth provider '${name}' not found`);
-		return identity;
-	}
-	setTokens(tokens, cookies) {
-		const exp = tokens.refresh_token_expires_in || tokens.refresh_expires_in || tokens.expires_in;
-		const ttl = exp ? this.dateTimeProvider.duration(exp, "seconds") : void 0;
-		this.tokens.set(tokens, {
-			cookies,
-			ttl
-		});
-	}
-};
-
-//#endregion
-//#region src/auth/descriptors/$authGithub.ts
-/**
-* Already configured GitHub authentication descriptor.
-*
-* Uses OAuth2 to authenticate users via their GitHub accounts.
-* Upon successful authentication, it links the GitHub account to a user session.
-*
-* Environment Variables:
-* - `GITHUB_CLIENT_ID`: The client ID obtained from the GitHub Developer Settings.
-* - `GITHUB_CLIENT_SECRET`: The client secret obtained from the GitHub Developer Settings.
-*/
-const $authGithub = (realm, options) => {
-	const { alepha } = $context();
-	const env = alepha.parseEnv(t.object({
-		GITHUB_CLIENT_ID: t.string(),
-		GITHUB_CLIENT_SECRET: t.string()
-	}));
-	return $auth({
-		realm,
-		name: "github",
-		oauth: {
-			clientId: env.GITHUB_CLIENT_ID,
-			clientSecret: env.GITHUB_CLIENT_SECRET,
-			authorization: "https://github.com/login/oauth/authorize",
-			token: "https://github.com/login/oauth/access_token",
-			scope: "read:user user:email",
-			userinfo: async (tokens) => {
-				const BASE_URL = "https://api.github.com";
-				const res = await fetch(`${BASE_URL}/user`, { headers: {
-					Authorization: `Bearer ${tokens.access_token}`,
-					"User-Agent": "Alepha"
-				} }).then((res$1) => res$1.json());
-				const user = { sub: res.id.toString() };
-				if (res.email) user.email = res.email;
-				if (res.name) user.name = res.name.trim();
-				if (res.avatar_url) user.picture = res.avatar_url;
-				if (!user.email) {
-					const res$1 = await fetch(`${BASE_URL}/user/emails`, { headers: {
-						Authorization: `Bearer ${tokens.access_token}`,
-						"User-Agent": "Alepha"
-					} });
-					if (res$1.ok) {
-						const emails = await res$1.json();
-						user.email = (emails.find((e$1) => e$1.primary) ?? emails[0]).email;
-					}
-				}
-				return user;
-			},
-			...options
-		}
-	});
-};
-
-//#endregion
-//#region src/auth/descriptors/$authGoogle.ts
-/**
-* Already configured Google authentication descriptor.
-*
-* Uses OpenID Connect (OIDC) to authenticate users via their Google accounts.
-* Upon successful authentication, it links the Google account to a user session.
-*
-* Environment Variables:
-* - `GOOGLE_CLIENT_ID`: The client ID obtained from the Google Developer Console.
-* - `GOOGLE_CLIENT_SECRET`: The client secret obtained from the Google Developer Console.
-*/
-const $authGoogle = (realm, options) => {
-	const { alepha } = $context();
-	const env = alepha.parseEnv(t.object({
-		GOOGLE_CLIENT_ID: t.string(),
-		GOOGLE_CLIENT_SECRET: t.string()
-	}));
-	return $auth({
-		realm,
-		name: "google",
-		oidc: {
-			issuer: "https://accounts.google.com",
-			clientId: env.GOOGLE_CLIENT_ID,
-			clientSecret: env.GOOGLE_CLIENT_SECRET,
-			...options
-		}
-	});
-};
-
-//#endregion
-//#region src/auth/errors/SessionExpiredError.ts
-var SessionExpiredError = class extends AlephaError {
-	name = "SessionExpiredError";
-	status = 401;
 };
 
 //#endregion
@@ -3604,12 +1757,13 @@ const AlephaReactAuth = $module({
 	descriptors: [$auth],
 	services: [
 		AlephaReact,
-		AlephaServerCookies,
+		AlephaServerLinks,
+		AlephaServerAuth,
 		ReactAuthProvider,
 		ReactAuth
 	]
 });
 
 //#endregion
-export { $auth, $authGithub, $authGoogle, AlephaReactAuth, AuthDescriptor, ReactAuth, ReactAuthProvider, SessionExpiredError, useAuth };
+export { AlephaReactAuth, ReactAuth, ReactAuthProvider, useAuth };
 //# sourceMappingURL=index.js.map