@auth0/auth0-spa-js 2.17.0 → 2.18.0

@@ -1,7 +1,7 @@
1
1
  (function(global, factory) {
2
2
  typeof exports === "object" && typeof module !== "undefined" ? factory(exports) : typeof define === "function" && define.amd ? define([ "exports" ], factory) : (global = typeof globalThis !== "undefined" ? globalThis : global || self,
3
3
  factory(global.auth0 = {}));
4
- })(this, (function(exports) {
4
+ })(this, function(exports) {
5
5
  "use strict";
6
6
  function __rest(s, e) {
7
7
  var t = {};
@@ -15,7 +15,7 @@
15
15
  var e = new Error(message);
16
16
  return e.name = "SuppressedError", e.error = error, e.suppressed = suppressed, e;
17
17
  };
18
- var version = "2.17.0";
18
+ var version = "2.18.0";
19
19
  const DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS = 60;
20
20
  const DEFAULT_POPUP_CONFIG_OPTIONS = {
21
21
  timeoutInSeconds: DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS
@@ -143,7 +143,7 @@
143
143
  };
144
144
  const runIframe = function runIframe(authorizeUrl, eventOrigin) {
145
145
  let timeoutInSeconds = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS;
146
- return new Promise(((res, rej) => {
146
+ return new Promise((res, rej) => {
147
147
  const iframe = window.document.createElement("iframe");
148
148
  iframe.setAttribute("width", "0");
149
149
  iframe.setAttribute("height", "0");
@@ -155,10 +155,10 @@
155
155
  }
156
156
  };
157
157
  let _iframeEventHandler;
158
- const timeoutSetTimeoutId = setTimeout((() => {
158
+ const timeoutSetTimeoutId = setTimeout(() => {
159
159
  rej(new TimeoutError);
160
160
  removeIframe();
161
- }), timeoutInSeconds * 1e3);
161
+ }, timeoutInSeconds * 1e3);
162
162
  _iframeEventHandler = function iframeEventHandler(e) {
163
163
  if (e.origin != eventOrigin) return;
164
164
  if (!e.data || e.data.type !== "authorization_response") return;
@@ -174,7 +174,7 @@
174
174
  window.addEventListener("message", _iframeEventHandler, false);
175
175
  window.document.body.appendChild(iframe);
176
176
  iframe.setAttribute("src", authorizeUrl);
177
- }));
177
+ });
178
178
  };
179
179
  const openPopup = url => {
180
180
  const width = 400;
@@ -183,21 +183,21 @@
183
183
  const top = window.screenY + (window.innerHeight - height) / 2;
184
184
  return window.open(url, "auth0:authorize:popup", "left=".concat(left, ",top=").concat(top, ",width=").concat(width, ",height=").concat(height, ",resizable,scrollbars=yes,status=1"));
185
185
  };
186
- const runPopup = config => new Promise(((resolve, reject) => {
186
+ const runPopup = config => new Promise((resolve, reject) => {
187
187
  let _popupEventListener;
188
- const popupTimer = setInterval((() => {
188
+ const popupTimer = setInterval(() => {
189
189
  if (config.popup && config.popup.closed) {
190
190
  clearInterval(popupTimer);
191
191
  clearTimeout(timeoutId);
192
192
  window.removeEventListener("message", _popupEventListener, false);
193
193
  reject(new PopupCancelledError(config.popup));
194
194
  }
195
- }), 1e3);
196
- const timeoutId = setTimeout((() => {
195
+ }, 1e3);
196
+ const timeoutId = setTimeout(() => {
197
197
  clearInterval(popupTimer);
198
198
  reject(new PopupTimeoutError(config.popup));
199
199
  window.removeEventListener("message", _popupEventListener, false);
200
- }), (config.timeoutInSeconds || DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS) * 1e3);
200
+ }, (config.timeoutInSeconds || DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS) * 1e3);
201
201
  _popupEventListener = function popupEventListener(e) {
202
202
  if (!e.data || e.data.type !== "authorization_response") {
203
203
  return;
@@ -214,19 +214,26 @@
214
214
  resolve(e.data.response);
215
215
  };
216
216
  window.addEventListener("message", _popupEventListener);
217
- }));
217
+ });
218
218
  const getCrypto = () => window.crypto;
219
219
  const createRandomString = () => {
220
220
  const charset = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_~.";
221
+ const validMax = 256 - 256 % charset.length;
221
222
  let random = "";
222
- const randomValues = Array.from(getCrypto().getRandomValues(new Uint8Array(43)));
223
- randomValues.forEach((v => random += charset[v % charset.length]));
223
+ while (random.length < 43) {
224
+ const bytes = getCrypto().getRandomValues(new Uint8Array(43 - random.length));
225
+ for (const byte of bytes) {
226
+ if (random.length < 43 && byte < validMax) {
227
+ random += charset[byte % charset.length];
228
+ }
229
+ }
230
+ }
224
231
  return random;
225
232
  };
226
233
  const encode$2 = value => btoa(value);
227
- const stripUndefined = params => Object.keys(params).filter((k => typeof params[k] !== "undefined")).reduce(((acc, key) => Object.assign(Object.assign({}, acc), {
234
+ const stripUndefined = params => Object.keys(params).filter(k => typeof params[k] !== "undefined").reduce((acc, key) => Object.assign(Object.assign({}, acc), {
228
235
  [key]: params[key]
229
- })), {});
236
+ }), {});
230
237
  const ALLOWED_AUTH0CLIENT_PROPERTIES = [ {
231
238
  key: "name",
232
239
  type: [ "string" ]
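Review bot: The rejection loop added to createRandomString has no comment explaining why bytes at or above `validMax` are discarded, and the length 43 is written three times as a bare literal. A one-line comment such as `// Reject bytes >= validMax so byte % charset.length is uniform over the charset (no modulo bias)` would keep a later cleanup from removing the check as dead code. The inner `random.length < 43` test looks redundant, because each batch is sized `43 - random.length` and cannot overshoot. Dropping it, or naming the length once with `const length = 43;`, would make the loop easier to audit. This file appears to be the built bundle, so the comment would belong in the source it is generated from.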
@@ -239,16 +246,16 @@
239
246
  } ];
240
247
  const stripAuth0Client = function stripAuth0Client(auth0Client) {
241
248
  let excludeEnv = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : false;
242
- return Object.keys(auth0Client).reduce(((acc, key) => {
249
+ return Object.keys(auth0Client).reduce((acc, key) => {
243
250
  if (excludeEnv && key === "env") {
244
251
  return acc;
245
252
  }
246
- const allowedProperty = ALLOWED_AUTH0CLIENT_PROPERTIES.find((p => p.key === key));
253
+ const allowedProperty = ALLOWED_AUTH0CLIENT_PROPERTIES.find(p => p.key === key);
247
254
  if (allowedProperty && allowedProperty.type.includes(typeof auth0Client[key])) {
248
255
  acc[key] = auth0Client[key];
249
256
  }
250
257
  return acc;
251
- }), {});
258
+ }, {});
252
259
  };
253
260
  const createQueryParams = _a => {
254
261
  var {clientId: client_id} = _a, params = __rest(_a, [ "clientId" ]);
@@ -268,9 +275,9 @@
268
275
  "/": "_",
269
276
  "=": ""
270
277
  };
271
- return input.replace(/[+/=]/g, (m => b64Chars[m]));
278
+ return input.replace(/[+/=]/g, m => b64Chars[m]);
272
279
  };
273
- const decodeB64 = input => decodeURIComponent(atob(input).split("").map((c => "%" + ("00" + c.charCodeAt(0).toString(16)).slice(-2))).join(""));
280
+ const decodeB64 = input => decodeURIComponent(atob(input).split("").map(c => "%" + ("00" + c.charCodeAt(0).toString(16)).slice(-2)).join(""));
274
281
  const urlDecodeB64 = input => decodeB64(input.replace(/_/g, "/").replace(/-/g, "+"));
275
282
  const bufferToBase64UrlEncoded = input => {
276
283
  const ie11SafeInput = new Uint8Array(input);
@@ -302,11 +309,11 @@
302
309
  }
303
310
  return parseInt(value, 10) || undefined;
304
311
  };
305
- const fromEntries = iterable => [ ...iterable ].reduce(((obj, _ref) => {
312
+ const fromEntries = iterable => [ ...iterable ].reduce((obj, _ref) => {
306
313
  let [key, val] = _ref;
307
314
  obj[key] = val;
308
315
  return obj;
309
- }), {});
316
+ }, {});
310
317
  var commonjsGlobal = typeof globalThis !== "undefined" ? globalThis : typeof window !== "undefined" ? window : typeof global !== "undefined" ? global : typeof self !== "undefined" ? self : {};
311
318
  var browserTabsLock = {};
312
319
  var processLock = {};
@@ -336,14 +343,14 @@
336
343
  return _this.locked.has(key);
337
344
  };
338
345
  this.lock = function(key) {
339
- return new Promise((function(resolve, reject) {
346
+ return new Promise(function(resolve, reject) {
340
347
  if (_this.isLocked(key)) {
341
348
  _this.addToLocked(key, resolve);
342
349
  } else {
343
350
  _this.addToLocked(key);
344
351
  resolve();
345
352
  }
346
- }));
353
+ });
347
354
  };
348
355
  this.unlock = function(key) {
349
356
  var callbacks = _this.locked.get(key);
@@ -371,7 +378,7 @@
371
378
  }
372
379
  processLock.default = getLock;
373
380
  var __awaiter = commonjsGlobal && commonjsGlobal.__awaiter || function(thisArg, _arguments, P, generator) {
374
- return new (P || (P = Promise))((function(resolve, reject) {
381
+ return new (P || (P = Promise))(function(resolve, reject) {
375
382
  function fulfilled(value) {
376
383
  try {
377
384
  step(generator.next(value));
@@ -387,12 +394,12 @@
387
394
  }
388
395
  }
389
396
  function step(result) {
390
- result.done ? resolve(result.value) : new P((function(resolve) {
397
+ result.done ? resolve(result.value) : new P(function(resolve) {
391
398
  resolve(result.value);
392
- })).then(fulfilled, rejected);
399
+ }).then(fulfilled, rejected);
393
400
  }
394
401
  step((generator = generator.apply(thisArg, _arguments || [])).next());
395
- }));
402
+ });
396
403
  };
397
404
  var __generator = commonjsGlobal && commonjsGlobal.__generator || function(thisArg, body) {
398
405
  var _ = {
@@ -491,39 +498,39 @@
491
498
  var LOCK_STORAGE_KEY = "browser-tabs-lock-key";
492
499
  var DEFAULT_STORAGE_HANDLER = {
493
500
  key: function(index) {
494
- return __awaiter(_this, void 0, void 0, (function() {
495
- return __generator(this, (function(_a) {
501
+ return __awaiter(_this, void 0, void 0, function() {
502
+ return __generator(this, function(_a) {
496
503
  throw new Error("Unsupported");
497
- }));
498
- }));
504
+ });
505
+ });
499
506
  },
500
507
  getItem: function(key) {
501
- return __awaiter(_this, void 0, void 0, (function() {
502
- return __generator(this, (function(_a) {
508
+ return __awaiter(_this, void 0, void 0, function() {
509
+ return __generator(this, function(_a) {
503
510
  throw new Error("Unsupported");
504
- }));
505
- }));
511
+ });
512
+ });
506
513
  },
507
514
  clear: function() {
508
- return __awaiter(_this, void 0, void 0, (function() {
509
- return __generator(this, (function(_a) {
515
+ return __awaiter(_this, void 0, void 0, function() {
516
+ return __generator(this, function(_a) {
510
517
  return [ 2, window.localStorage.clear() ];
511
- }));
512
- }));
518
+ });
519
+ });
513
520
  },
514
521
  removeItem: function(key) {
515
- return __awaiter(_this, void 0, void 0, (function() {
516
- return __generator(this, (function(_a) {
522
+ return __awaiter(_this, void 0, void 0, function() {
523
+ return __generator(this, function(_a) {
517
524
  throw new Error("Unsupported");
518
- }));
519
- }));
525
+ });
526
+ });
520
527
  },
521
528
  setItem: function(key, value) {
522
- return __awaiter(_this, void 0, void 0, (function() {
523
- return __generator(this, (function(_a) {
529
+ return __awaiter(_this, void 0, void 0, function() {
530
+ return __generator(this, function(_a) {
524
531
  throw new Error("Unsupported");
525
- }));
526
- }));
532
+ });
533
+ });
527
534
  },
528
535
  keySync: function(index) {
529
536
  return window.localStorage.key(index);
@@ -542,9 +549,9 @@
542
549
  }
543
550
  };
544
551
  function delay(milliseconds) {
545
- return new Promise((function(resolve) {
552
+ return new Promise(function(resolve) {
546
553
  return setTimeout(resolve, milliseconds);
547
- }));
554
+ });
548
555
  }
549
556
  function generateRandomString(length) {
550
557
  var CHARS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz";
@@ -577,9 +584,9 @@
577
584
  if (timeout === void 0) {
578
585
  timeout = 5e3;
579
586
  }
580
- return __awaiter(this, void 0, void 0, (function() {
587
+ return __awaiter(this, void 0, void 0, function() {
581
588
  var iat, MAX_TIME, STORAGE_KEY, STORAGE, lockObj, TIMEOUT_KEY, lockObjPostDelay, parsedLockObjPostDelay;
582
- return __generator(this, (function(_a) {
589
+ return __generator(this, function(_a) {
583
590
  switch (_a.label) {
584
591
  case 0:
585
592
  iat = Date.now() + generateRandomString(4);
@@ -638,17 +645,17 @@
638
645
  case 8:
639
646
  return [ 2, false ];
640
647
  }
641
- }));
642
- }));
648
+ });
649
+ });
643
650
  };
644
651
  SuperTokensLock.prototype.refreshLockWhileAcquired = function(storageKey, iat) {
645
- return __awaiter(this, void 0, void 0, (function() {
652
+ return __awaiter(this, void 0, void 0, function() {
646
653
  var _this = this;
647
- return __generator(this, (function(_a) {
648
- setTimeout((function() {
649
- return __awaiter(_this, void 0, void 0, (function() {
654
+ return __generator(this, function(_a) {
655
+ setTimeout(function() {
656
+ return __awaiter(_this, void 0, void 0, function() {
650
657
  var STORAGE, lockObj, parsedLockObj;
651
- return __generator(this, (function(_a) {
658
+ return __generator(this, function(_a) {
652
659
  switch (_a.label) {
653
660
  case 0:
654
661
  return [ 4, processLock_1.default().lock(iat) ];
@@ -673,19 +680,19 @@
673
680
  this.refreshLockWhileAcquired(storageKey, iat);
674
681
  return [ 2 ];
675
682
  }
676
- }));
677
- }));
678
- }), 1e3);
683
+ });
684
+ });
685
+ }, 1e3);
679
686
  return [ 2 ];
680
- }));
681
- }));
687
+ });
688
+ });
682
689
  };
683
690
  SuperTokensLock.prototype.waitForSomethingToChange = function(MAX_TIME) {
684
- return __awaiter(this, void 0, void 0, (function() {
685
- return __generator(this, (function(_a) {
691
+ return __awaiter(this, void 0, void 0, function() {
692
+ return __generator(this, function(_a) {
686
693
  switch (_a.label) {
687
694
  case 0:
688
- return [ 4, new Promise((function(resolve) {
695
+ return [ 4, new Promise(function(resolve) {
689
696
  var resolvedCalled = false;
690
697
  var startedAt = Date.now();
691
698
  var MIN_TIME_TO_WAIT = 50;
@@ -710,14 +717,14 @@
710
717
  window.addEventListener("storage", stopWaiting);
711
718
  SuperTokensLock.addToWaiting(stopWaiting);
712
719
  var timeOutId = setTimeout(stopWaiting, Math.max(0, MAX_TIME - Date.now()));
713
- })) ];
720
+ }) ];
714
721
 
715
722
  case 1:
716
723
  _a.sent();
717
724
  return [ 2 ];
718
725
  }
719
- }));
720
- }));
726
+ });
727
+ });
721
728
  };
722
729
  SuperTokensLock.addToWaiting = function(func) {
723
730
  this.removeFromWaiting(func);
@@ -730,22 +737,22 @@
730
737
  if (SuperTokensLock.waiters === undefined) {
731
738
  return;
732
739
  }
733
- SuperTokensLock.waiters = SuperTokensLock.waiters.filter((function(i) {
740
+ SuperTokensLock.waiters = SuperTokensLock.waiters.filter(function(i) {
734
741
  return i !== func;
735
- }));
742
+ });
736
743
  };
737
744
  SuperTokensLock.notifyWaiters = function() {
738
745
  if (SuperTokensLock.waiters === undefined) {
739
746
  return;
740
747
  }
741
748
  var waiters = SuperTokensLock.waiters.slice();
742
- waiters.forEach((function(i) {
749
+ waiters.forEach(function(i) {
743
750
  return i();
744
- }));
751
+ });
745
752
  };
746
753
  SuperTokensLock.prototype.releaseLock = function(lockKey) {
747
- return __awaiter(this, void 0, void 0, (function() {
748
- return __generator(this, (function(_a) {
754
+ return __awaiter(this, void 0, void 0, function() {
755
+ return __generator(this, function(_a) {
749
756
  switch (_a.label) {
750
757
  case 0:
751
758
  return [ 4, this.releaseLock__private__(lockKey) ];
@@ -753,13 +760,13 @@
753
760
  case 1:
754
761
  return [ 2, _a.sent() ];
755
762
  }
756
- }));
757
- }));
763
+ });
764
+ });
758
765
  };
759
766
  SuperTokensLock.prototype.releaseLock__private__ = function(lockKey) {
760
- return __awaiter(this, void 0, void 0, (function() {
767
+ return __awaiter(this, void 0, void 0, function() {
761
768
  var STORAGE, STORAGE_KEY, lockObj, parsedlockObj;
762
- return __generator(this, (function(_a) {
769
+ return __generator(this, function(_a) {
763
770
  switch (_a.label) {
764
771
  case 0:
765
772
  STORAGE = this.storageHandler === undefined ? DEFAULT_STORAGE_HANDLER : this.storageHandler;
@@ -783,8 +790,8 @@
783
790
  case 2:
784
791
  return [ 2 ];
785
792
  }
786
- }));
787
- }));
793
+ });
794
+ });
788
795
  };
789
796
  SuperTokensLock.lockCorrector = function(storageHandler) {
790
797
  var MIN_ALLOWED_TIME = Date.now() - 5e3;
@@ -824,16 +831,16 @@
824
831
  class WebLocksApiManager {
825
832
  async runWithLock(key, timeout, callback) {
826
833
  const controller = new AbortController;
827
- const timeoutId = setTimeout((() => controller.abort()), timeout);
834
+ const timeoutId = setTimeout(() => controller.abort(), timeout);
828
835
  try {
829
836
  return await navigator.locks.request(key, {
830
837
  mode: "exclusive",
831
838
  signal: controller.signal
832
- }, (async lock => {
839
+ }, async lock => {
833
840
  clearTimeout(timeoutId);
834
841
  if (!lock) throw new Error("Lock not available");
835
842
  return await callback();
836
- }));
843
+ });
837
844
  } catch (error) {
838
845
  clearTimeout(timeoutId);
839
846
  if ((error === null || error === void 0 ? void 0 : error.name) === "AbortError") throw new TimeoutError;
@@ -846,7 +853,7 @@
846
853
  this.activeLocks = new Set;
847
854
  this.lock = new _default;
848
855
  this.pagehideHandler = () => {
849
- this.activeLocks.forEach((key => this.lock.releaseLock(key)));
856
+ this.activeLocks.forEach(key => this.lock.releaseLock(key));
850
857
  this.activeLocks.clear();
851
858
  };
852
859
  }
@@ -1198,7 +1205,7 @@
1198
1205
  function isGrantTypeSupported(grantType) {
1199
1206
  return SUPPORTED_GRANT_TYPES.includes(grantType);
1200
1207
  }
1201
- const sendMessage = (message, to) => new Promise((function(resolve, reject) {
1208
+ const sendMessage = (message, to) => new Promise(function(resolve, reject) {
1202
1209
  const messageChannel = new MessageChannel;
1203
1210
  messageChannel.port1.onmessage = function(event) {
1204
1211
  if (event.data.error) {
@@ -1209,7 +1216,7 @@
1209
1216
  messageChannel.port1.close();
1210
1217
  };
1211
1218
  to.postMessage(message, [ messageChannel.port2 ]);
1212
- }));
1219
+ });
1213
1220
  const createAbortController = () => new AbortController;
1214
1221
  const dofetch = async (fetchUrl, fetchOptions) => {
1215
1222
  const response = await fetch(fetchUrl, fetchOptions);
@@ -1223,14 +1230,14 @@
1223
1230
  const controller = createAbortController();
1224
1231
  fetchOptions.signal = controller.signal;
1225
1232
  let timeoutId;
1226
- return Promise.race([ dofetch(fetchUrl, fetchOptions), new Promise(((_, reject) => {
1227
- timeoutId = setTimeout((() => {
1233
+ return Promise.race([ dofetch(fetchUrl, fetchOptions), new Promise((_, reject) => {
1234
+ timeoutId = setTimeout(() => {
1228
1235
  controller.abort();
1229
1236
  reject(new Error("Timeout when executing 'fetch'"));
1230
- }), timeout);
1231
- })) ]).finally((() => {
1237
+ }, timeout);
1238
+ }) ]).finally(() => {
1232
1239
  clearTimeout(timeoutId);
1233
- }));
1240
+ });
1234
1241
  };
1235
1242
  const fetchWithWorker = async (fetchUrl, audience, scope, fetchOptions, timeout, worker, useFormData, useMrrt) => sendMessage({
1236
1243
  auth: {
@@ -1345,10 +1352,10 @@
1345
1352
  let requestedScopes = {
1346
1353
  [DEFAULT_AUDIENCE]: getUniqueScopes(openIdScope, ...extraScopes)
1347
1354
  };
1348
- Object.keys(authScopes).forEach((key => {
1355
+ Object.keys(authScopes).forEach(key => {
1349
1356
  const audienceScopes = authScopes[key];
1350
1357
  requestedScopes[key] = getUniqueScopes(openIdScope, audienceScopes, ...extraScopes);
1351
- }));
1358
+ });
1352
1359
  return requestedScopes;
1353
1360
  };
1354
1361
  const scopesToRequest = (authScopes, methodScopes, audience) => {
@@ -1411,7 +1418,7 @@
1411
1418
  localStorage.removeItem(key);
1412
1419
  }
1413
1420
  allKeys() {
1414
- return Object.keys(window.localStorage).filter((key => key.startsWith(CACHE_KEY_PREFIX)));
1421
+ return Object.keys(window.localStorage).filter(key => key.startsWith(CACHE_KEY_PREFIX));
1415
1422
  }
1416
1423
  }
1417
1424
  class InMemoryCache {
@@ -1546,10 +1553,10 @@
1546
1553
  var _a;
1547
1554
  const keys = await this.getCacheKeys();
1548
1555
  if (!keys) return;
1549
- await keys.filter((key => clientId ? key.includes(clientId) : true)).reduce((async (memo, key) => {
1556
+ await keys.filter(key => clientId ? key.includes(clientId) : true).reduce(async (memo, key) => {
1550
1557
  await memo;
1551
1558
  await this.cache.remove(key);
1552
- }), Promise.resolve());
1559
+ }, Promise.resolve());
1553
1560
  await ((_a = this.keyManifest) === null || _a === void 0 ? void 0 : _a.clear());
1554
1561
  }
1555
1562
  async wrapCacheEntry(entry) {
@@ -1574,14 +1581,14 @@
1574
1581
  }, CACHE_KEY_PREFIX, CACHE_KEY_ID_TOKEN_SUFFIX).toKey();
1575
1582
  }
1576
1583
  matchExistingCacheKey(keyToMatch, allKeys) {
1577
- return allKeys.filter((key => {
1584
+ return allKeys.filter(key => {
1578
1585
  var _a;
1579
1586
  const cacheKey = CacheKey.fromKey(key);
1580
1587
  const scopeSet = new Set(cacheKey.scope && cacheKey.scope.split(" "));
1581
1588
  const scopesToMatch = ((_a = keyToMatch.scope) === null || _a === void 0 ? void 0 : _a.split(" ")) || [];
1582
- const hasAllScopes = cacheKey.scope && scopesToMatch.reduce(((acc, current) => acc && scopeSet.has(current)), true);
1589
+ const hasAllScopes = cacheKey.scope && scopesToMatch.reduce((acc, current) => acc && scopeSet.has(current), true);
1583
1590
  return cacheKey.prefix === CACHE_KEY_PREFIX && cacheKey.clientId === keyToMatch.clientId && cacheKey.audience === keyToMatch.audience && hasAllScopes;
1584
- }))[0];
1591
+ })[0];
1585
1592
  }
1586
1593
  async getEntryWithRefreshToken(keyToMatch, allKeys) {
1587
1594
  var _a;
@@ -1645,12 +1652,12 @@
1645
1652
  __raw: token
1646
1653
  };
1647
1654
  const user = {};
1648
- Object.keys(payloadJSON).forEach((k => {
1655
+ Object.keys(payloadJSON).forEach(k => {
1649
1656
  claims[k] = payloadJSON[k];
1650
1657
  if (!idTokendecoded.includes(k)) {
1651
1658
  user[k] = payloadJSON[k];
1652
1659
  }
1653
- }));
1660
+ });
1654
1661
  return {
1655
1662
  encoded: {
1656
1663
  header: header,
@@ -1942,15 +1949,15 @@
1942
1949
  return new Worker(url, options);
1943
1950
  };
1944
1951
  }
1945
- var WorkerFactory = createBase64WorkerFactory("Lyogcm9sbHVwLXBsdWdpbi13ZWItd29ya2VyLWxvYWRlciAqLwooZnVuY3Rpb24oKSB7CiAgICAidXNlIHN0cmljdCI7CiAgICBjbGFzcyBHZW5lcmljRXJyb3IgZXh0ZW5kcyBFcnJvciB7CiAgICAgICAgY29uc3RydWN0b3IoZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uKSB7CiAgICAgICAgICAgIHN1cGVyKGVycm9yX2Rlc2NyaXB0aW9uKTsKICAgICAgICAgICAgdGhpcy5lcnJvciA9IGVycm9yOwogICAgICAgICAgICB0aGlzLmVycm9yX2Rlc2NyaXB0aW9uID0gZXJyb3JfZGVzY3JpcHRpb247CiAgICAgICAgICAgIE9iamVjdC5zZXRQcm90b3R5cGVPZih0aGlzLCBHZW5lcmljRXJyb3IucHJvdG90eXBlKTsKICAgICAgICB9CiAgICAgICAgc3RhdGljIGZyb21QYXlsb2FkKF9yZWYpIHsKICAgICAgICAgICAgbGV0IHtlcnJvcjogZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uOiBlcnJvcl9kZXNjcmlwdGlvbn0gPSBfcmVmOwogICAgICAgICAgICByZXR1cm4gbmV3IEdlbmVyaWNFcnJvcihlcnJvciwgZXJyb3JfZGVzY3JpcHRpb24pOwogICAgICAgIH0KICAgIH0KICAgIGNsYXNzIE1pc3NpbmdSZWZyZXNoVG9rZW5FcnJvciBleHRlbmRzIEdlbmVyaWNFcnJvciB7CiAgICAgICAgY29uc3RydWN0b3IoYXVkaWVuY2UsIHNjb3BlKSB7CiAgICAgICAgICAgIHN1cGVyKCJtaXNzaW5nX3JlZnJlc2hfdG9rZW4iLCAiTWlzc2luZyBSZWZyZXNoIFRva2VuIChhdWRpZW5jZTogJyIuY29uY2F0KHZhbHVlT3JFbXB0eVN0cmluZyhhdWRpZW5jZSwgWyAiZGVmYXVsdCIgXSksICInLCBzY29wZTogJyIpLmNvbmNhdCh2YWx1ZU9yRW1wdHlTdHJpbmcoc2NvcGUpLCAiJykiKSk7CiAgICAgICAgICAgIHRoaXMuYXVkaWVuY2UgPSBhdWRpZW5jZTsKICAgICAgICAgICAgdGhpcy5zY29wZSA9IHNjb3BlOwogICAgICAgICAgICBPYmplY3Quc2V0UHJvdG90eXBlT2YodGhpcywgTWlzc2luZ1JlZnJlc2hUb2tlbkVycm9yLnByb3RvdHlwZSk7CiAgICAgICAgfQogICAgfQogICAgZnVuY3Rpb24gdmFsdWVPckVtcHR5U3RyaW5nKHZhbHVlKSB7CiAgICAgICAgbGV0IGV4Y2x1ZGUgPSBhcmd1bWVudHMubGVuZ3RoID4gMSAmJiBhcmd1bWVudHNbMV0gIT09IHVuZGVmaW5lZCA/IGFyZ3VtZW50c1sxXSA6IFtdOwogICAgICAgIHJldHVybiB2YWx1ZSAmJiAhZXhjbHVkZS5pbmNsdWRlcyh2YWx1ZSkgPyB2YWx1ZSA6ICIiOwogICAgfQogICAgZnVuY3Rpb24gX19yZXN0KHMsIGUpIHsKICAgICAgICB2YXIgdCA9IHt9OwogICAgICAgIGZvciAodmFyIHAgaW4gcykgaWYgKE9iamVjdC5wcm90b3R5cGUuaGFzT3duUHJvcGVydHkuY2FsbChzLCBwKSAmJiBlLmluZGV4T2YocCkgPCAwKSB0W3BdID0gc1twXTsKICAgICAgICBpZiAocyAhPSBudWxsICYmIHR5cGVvZiBPYmplY3QuZ2V0T3duUHJvcGVydHlTeW1ib2xzID09PSAiZnVuY3Rpb24iKSBmb3IgKHZhciBpID0gMCwgcCA9IE9iamVjdC5nZXR
Pd25Qcm9wZXJ0eVN5bWJvbHMocyk7IGkgPCBwLmxlbmd0aDsgaSsrKSB7CiAgICAgICAgICAgIGlmIChlLmluZGV4T2YocFtpXSkgPCAwICYmIE9iamVjdC5wcm90b3R5cGUucHJvcGVydHlJc0VudW1lcmFibGUuY2FsbChzLCBwW2ldKSkgdFtwW2ldXSA9IHNbcFtpXV07CiAgICAgICAgfQogICAgICAgIHJldHVybiB0OwogICAgfQogICAgdHlwZW9mIFN1cHByZXNzZWRFcnJvciA9PT0gImZ1bmN0aW9uIiA/IFN1cHByZXNzZWRFcnJvciA6IGZ1bmN0aW9uKGVycm9yLCBzdXBwcmVzc2VkLCBtZXNzYWdlKSB7CiAgICAgICAgdmFyIGUgPSBuZXcgRXJyb3IobWVzc2FnZSk7CiAgICAgICAgcmV0dXJuIGUubmFtZSA9ICJTdXBwcmVzc2VkRXJyb3IiLCBlLmVycm9yID0gZXJyb3IsIGUuc3VwcHJlc3NlZCA9IHN1cHByZXNzZWQsIGU7CiAgICB9OwogICAgY29uc3Qgc3RyaXBVbmRlZmluZWQgPSBwYXJhbXMgPT4gT2JqZWN0LmtleXMocGFyYW1zKS5maWx0ZXIoKGsgPT4gdHlwZW9mIHBhcmFtc1trXSAhPT0gInVuZGVmaW5lZCIpKS5yZWR1Y2UoKChhY2MsIGtleSkgPT4gT2JqZWN0LmFzc2lnbihPYmplY3QuYXNzaWduKHt9LCBhY2MpLCB7CiAgICAgICAgW2tleV06IHBhcmFtc1trZXldCiAgICB9KSksIHt9KTsKICAgIGNvbnN0IGNyZWF0ZVF1ZXJ5UGFyYW1zID0gX2EgPT4gewogICAgICAgIHZhciB7Y2xpZW50SWQ6IGNsaWVudF9pZH0gPSBfYSwgcGFyYW1zID0gX19yZXN0KF9hLCBbICJjbGllbnRJZCIgXSk7CiAgICAgICAgcmV0dXJuIG5ldyBVUkxTZWFyY2hQYXJhbXMoc3RyaXBVbmRlZmluZWQoT2JqZWN0LmFzc2lnbih7CiAgICAgICAgICAgIGNsaWVudF9pZDogY2xpZW50X2lkCiAgICAgICAgfSwgcGFyYW1zKSkpLnRvU3RyaW5nKCk7CiAgICB9OwogICAgY29uc3QgZnJvbUVudHJpZXMgPSBpdGVyYWJsZSA9PiBbIC4uLml0ZXJhYmxlIF0ucmVkdWNlKCgob2JqLCBfcmVmKSA9PiB7CiAgICAgICAgbGV0IFtrZXksIHZhbF0gPSBfcmVmOwogICAgICAgIG9ialtrZXldID0gdmFsOwogICAgICAgIHJldHVybiBvYmo7CiAgICB9KSwge30pOwogICAgbGV0IHJlZnJlc2hUb2tlbnMgPSB7fTsKICAgIGNvbnN0IGNhY2hlS2V5ID0gKGF1ZGllbmNlLCBzY29wZSkgPT4gIiIuY29uY2F0KGF1ZGllbmNlLCAifCIpLmNvbmNhdChzY29wZSk7CiAgICBjb25zdCBjYWNoZUtleUNvbnRhaW5zQXVkaWVuY2UgPSAoYXVkaWVuY2UsIGNhY2hlS2V5KSA9PiBjYWNoZUtleS5zdGFydHNXaXRoKCIiLmNvbmNhdChhdWRpZW5jZSwgInwiKSk7CiAgICBjb25zdCBnZXRSZWZyZXNoVG9rZW4gPSAoYXVkaWVuY2UsIHNjb3BlKSA9PiByZWZyZXNoVG9rZW5zW2NhY2hlS2V5KGF1ZGllbmNlLCBzY29wZSldOwogICAgY29uc3Qgc2V0UmVmcmVzaFRva2VuID0gKHJlZnJlc2hUb2tlbiwgYXVkaWVuY2UsIHNjb3BlKSA9PiByZWZyZXNoVG9rZW5zW2NhY2hlS2V5KGF1ZGllbmNlLCBzY29wZSldID0gcmVmcmVzaFRva2VuOwogICAgY29uc3QgZGVsZXRlUmVmcmV
zaFRva2VuID0gKGF1ZGllbmNlLCBzY29wZSkgPT4gZGVsZXRlIHJlZnJlc2hUb2tlbnNbY2FjaGVLZXkoYXVkaWVuY2UsIHNjb3BlKV07CiAgICBjb25zdCB3YWl0ID0gdGltZSA9PiBuZXcgUHJvbWlzZSgocmVzb2x2ZSA9PiBzZXRUaW1lb3V0KHJlc29sdmUsIHRpbWUpKSk7CiAgICBjb25zdCBmb3JtRGF0YVRvT2JqZWN0ID0gZm9ybURhdGEgPT4gewogICAgICAgIGNvbnN0IHF1ZXJ5UGFyYW1zID0gbmV3IFVSTFNlYXJjaFBhcmFtcyhmb3JtRGF0YSk7CiAgICAgICAgY29uc3QgcGFyc2VkUXVlcnkgPSB7fTsKICAgICAgICBxdWVyeVBhcmFtcy5mb3JFYWNoKCgodmFsLCBrZXkpID0+IHsKICAgICAgICAgICAgcGFyc2VkUXVlcnlba2V5XSA9IHZhbDsKICAgICAgICB9KSk7CiAgICAgICAgcmV0dXJuIHBhcnNlZFF1ZXJ5OwogICAgfTsKICAgIGNvbnN0IHVwZGF0ZVJlZnJlc2hUb2tlbnMgPSAob2xkUmVmcmVzaFRva2VuLCBuZXdSZWZyZXNoVG9rZW4pID0+IHsKICAgICAgICBPYmplY3QuZW50cmllcyhyZWZyZXNoVG9rZW5zKS5mb3JFYWNoKChfcmVmID0+IHsKICAgICAgICAgICAgbGV0IFtrZXksIHRva2VuXSA9IF9yZWY7CiAgICAgICAgICAgIGlmICh0b2tlbiA9PT0gb2xkUmVmcmVzaFRva2VuKSB7CiAgICAgICAgICAgICAgICByZWZyZXNoVG9rZW5zW2tleV0gPSBuZXdSZWZyZXNoVG9rZW47CiAgICAgICAgICAgIH0KICAgICAgICB9KSk7CiAgICB9OwogICAgY29uc3QgY2hlY2tEb3duc2NvcGluZyA9IChzY29wZSwgYXVkaWVuY2UpID0+IHsKICAgICAgICBjb25zdCBmaW5kQ29pbmNpZGVuY2UgPSBPYmplY3Qua2V5cyhyZWZyZXNoVG9rZW5zKS5maW5kKChrZXkgPT4gewogICAgICAgICAgICBpZiAoa2V5ICE9PSAibGF0ZXN0X3JlZnJlc2hfdG9rZW4iKSB7CiAgICAgICAgICAgICAgICBjb25zdCBpc1NhbWVBdWRpZW5jZSA9IGNhY2hlS2V5Q29udGFpbnNBdWRpZW5jZShhdWRpZW5jZSwga2V5KTsKICAgICAgICAgICAgICAgIGNvbnN0IHNjb3Blc0tleSA9IGtleS5zcGxpdCgifCIpWzFdLnNwbGl0KCIgIik7CiAgICAgICAgICAgICAgICBjb25zdCByZXF1ZXN0ZWRTY29wZXMgPSBzY29wZS5zcGxpdCgiICIpOwogICAgICAgICAgICAgICAgY29uc3Qgc2NvcGVzQXJlSW5jbHVkZWQgPSByZXF1ZXN0ZWRTY29wZXMuZXZlcnkoKGtleSA9PiBzY29wZXNLZXkuaW5jbHVkZXMoa2V5KSkpOwogICAgICAgICAgICAgICAgcmV0dXJuIGlzU2FtZUF1ZGllbmNlICYmIHNjb3Blc0FyZUluY2x1ZGVkOwogICAgICAgICAgICB9CiAgICAgICAgfSkpOwogICAgICAgIHJldHVybiBmaW5kQ29pbmNpZGVuY2UgPyB0cnVlIDogZmFsc2U7CiAgICB9OwogICAgY29uc3QgbWVzc2FnZUhhbmRsZXIgPSBhc3luYyBfcmVmMiA9PiB7CiAgICAgICAgbGV0IHtkYXRhOiB7dGltZW91dDogdGltZW91dCwgYXV0aDogYXV0aCwgZmV0Y2hVcmw6IGZldGNoVXJsLCBmZXRjaE9wdGlvbnM6IGZldGNoT3B0aW9ucywgdXNlRm9ybURhdGE6IHVzZUZvcm1
EYXRhLCB1c2VNcnJ0OiB1c2VNcnJ0fSwgcG9ydHM6IFtwb3J0XX0gPSBfcmVmMjsKICAgICAgICBsZXQgaGVhZGVycyA9IHt9OwogICAgICAgIGxldCBqc29uOwogICAgICAgIGxldCByZWZyZXNoVG9rZW47CiAgICAgICAgY29uc3Qge2F1ZGllbmNlOiBhdWRpZW5jZSwgc2NvcGU6IHNjb3BlfSA9IGF1dGggfHwge307CiAgICAgICAgdHJ5IHsKICAgICAgICAgICAgY29uc3QgYm9keSA9IHVzZUZvcm1EYXRhID8gZm9ybURhdGFUb09iamVjdChmZXRjaE9wdGlvbnMuYm9keSkgOiBKU09OLnBhcnNlKGZldGNoT3B0aW9ucy5ib2R5KTsKICAgICAgICAgICAgaWYgKCFib2R5LnJlZnJlc2hfdG9rZW4gJiYgYm9keS5ncmFudF90eXBlID09PSAicmVmcmVzaF90b2tlbiIpIHsKICAgICAgICAgICAgICAgIHJlZnJlc2hUb2tlbiA9IGdldFJlZnJlc2hUb2tlbihhdWRpZW5jZSwgc2NvcGUpOwogICAgICAgICAgICAgICAgaWYgKCFyZWZyZXNoVG9rZW4gJiYgdXNlTXJydCkgewogICAgICAgICAgICAgICAgICAgIGNvbnN0IGxhdGVzdFJlZnJlc2hUb2tlbiA9IHJlZnJlc2hUb2tlbnNbImxhdGVzdF9yZWZyZXNoX3Rva2VuIl07CiAgICAgICAgICAgICAgICAgICAgY29uc3QgaXNEb3duc2NvcGluZyA9IGNoZWNrRG93bnNjb3Bpbmcoc2NvcGUsIGF1ZGllbmNlKTsKICAgICAgICAgICAgICAgICAgICBpZiAobGF0ZXN0UmVmcmVzaFRva2VuICYmICFpc0Rvd25zY29waW5nKSB7CiAgICAgICAgICAgICAgICAgICAgICAgIHJlZnJlc2hUb2tlbiA9IGxhdGVzdFJlZnJlc2hUb2tlbjsKICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICBpZiAoIXJlZnJlc2hUb2tlbikgewogICAgICAgICAgICAgICAgICAgIHRocm93IG5ldyBNaXNzaW5nUmVmcmVzaFRva2VuRXJyb3IoYXVkaWVuY2UsIHNjb3BlKTsKICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIGZldGNoT3B0aW9ucy5ib2R5ID0gdXNlRm9ybURhdGEgPyBjcmVhdGVRdWVyeVBhcmFtcyhPYmplY3QuYXNzaWduKE9iamVjdC5hc3NpZ24oe30sIGJvZHkpLCB7CiAgICAgICAgICAgICAgICAgICAgcmVmcmVzaF90b2tlbjogcmVmcmVzaFRva2VuCiAgICAgICAgICAgICAgICB9KSkgOiBKU09OLnN0cmluZ2lmeShPYmplY3QuYXNzaWduKE9iamVjdC5hc3NpZ24oe30sIGJvZHkpLCB7CiAgICAgICAgICAgICAgICAgICAgcmVmcmVzaF90b2tlbjogcmVmcmVzaFRva2VuCiAgICAgICAgICAgICAgICB9KSk7CiAgICAgICAgICAgIH0KICAgICAgICAgICAgbGV0IGFib3J0Q29udHJvbGxlcjsKICAgICAgICAgICAgaWYgKHR5cGVvZiBBYm9ydENvbnRyb2xsZXIgPT09ICJmdW5jdGlvbiIpIHsKICAgICAgICAgICAgICAgIGFib3J0Q29udHJvbGxlciA9IG5ldyBBYm9ydENvbnRyb2xsZXI7CiAgICAgICAgICAgICAgICBmZXRjaE9wdGlvbnMuc2lnbmFsID0gYWJvcnRDb250cm9sbGVyLnNpZ25hbDsKICAgICAgICAgICAgfQogICAgICAgICAgICB
sZXQgcmVzcG9uc2U7CiAgICAgICAgICAgIHRyeSB7CiAgICAgICAgICAgICAgICByZXNwb25zZSA9IGF3YWl0IFByb21pc2UucmFjZShbIHdhaXQodGltZW91dCksIGZldGNoKGZldGNoVXJsLCBPYmplY3QuYXNzaWduKHt9LCBmZXRjaE9wdGlvbnMpKSBdKTsKICAgICAgICAgICAgfSBjYXRjaCAoZXJyb3IpIHsKICAgICAgICAgICAgICAgIHBvcnQucG9zdE1lc3NhZ2UoewogICAgICAgICAgICAgICAgICAgIGVycm9yOiBlcnJvci5tZXNzYWdlCiAgICAgICAgICAgICAgICB9KTsKICAgICAgICAgICAgICAgIHJldHVybjsKICAgICAgICAgICAgfQogICAgICAgICAgICBpZiAoIXJlc3BvbnNlKSB7CiAgICAgICAgICAgICAgICBpZiAoYWJvcnRDb250cm9sbGVyKSBhYm9ydENvbnRyb2xsZXIuYWJvcnQoKTsKICAgICAgICAgICAgICAgIHBvcnQucG9zdE1lc3NhZ2UoewogICAgICAgICAgICAgICAgICAgIGVycm9yOiAiVGltZW91dCB3aGVuIGV4ZWN1dGluZyAnZmV0Y2gnIgogICAgICAgICAgICAgICAgfSk7CiAgICAgICAgICAgICAgICByZXR1cm47CiAgICAgICAgICAgIH0KICAgICAgICAgICAgaGVhZGVycyA9IGZyb21FbnRyaWVzKHJlc3BvbnNlLmhlYWRlcnMpOwogICAgICAgICAgICBqc29uID0gYXdhaXQgcmVzcG9uc2UuanNvbigpOwogICAgICAgICAgICBpZiAoanNvbi5yZWZyZXNoX3Rva2VuKSB7CiAgICAgICAgICAgICAgICBpZiAodXNlTXJydCkgewogICAgICAgICAgICAgICAgICAgIHJlZnJlc2hUb2tlbnNbImxhdGVzdF9yZWZyZXNoX3Rva2VuIl0gPSBqc29uLnJlZnJlc2hfdG9rZW47CiAgICAgICAgICAgICAgICAgICAgdXBkYXRlUmVmcmVzaFRva2VucyhyZWZyZXNoVG9rZW4sIGpzb24ucmVmcmVzaF90b2tlbik7CiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICBzZXRSZWZyZXNoVG9rZW4oanNvbi5yZWZyZXNoX3Rva2VuLCBhdWRpZW5jZSwgc2NvcGUpOwogICAgICAgICAgICAgICAgZGVsZXRlIGpzb24ucmVmcmVzaF90b2tlbjsKICAgICAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgICAgIGRlbGV0ZVJlZnJlc2hUb2tlbihhdWRpZW5jZSwgc2NvcGUpOwogICAgICAgICAgICB9CiAgICAgICAgICAgIHBvcnQucG9zdE1lc3NhZ2UoewogICAgICAgICAgICAgICAgb2s6IHJlc3BvbnNlLm9rLAogICAgICAgICAgICAgICAganNvbjoganNvbiwKICAgICAgICAgICAgICAgIGhlYWRlcnM6IGhlYWRlcnMKICAgICAgICAgICAgfSk7CiAgICAgICAgfSBjYXRjaCAoZXJyb3IpIHsKICAgICAgICAgICAgcG9ydC5wb3N0TWVzc2FnZSh7CiAgICAgICAgICAgICAgICBvazogZmFsc2UsCiAgICAgICAgICAgICAgICBqc29uOiB7CiAgICAgICAgICAgICAgICAgICAgZXJyb3I6IGVycm9yLmVycm9yLAogICAgICAgICAgICAgICAgICAgIGVycm9yX2Rlc2NyaXB0aW9uOiBlcnJvci5tZXNzYWdlCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgaGVhZGVyczogaGVhZGVycwogICAgICAgICAgICB
9KTsKICAgICAgICB9CiAgICB9OwogICAgewogICAgICAgIGFkZEV2ZW50TGlzdGVuZXIoIm1lc3NhZ2UiLCBtZXNzYWdlSGFuZGxlcik7CiAgICB9Cn0pKCk7Cgo=", null, false);
1952
+ var WorkerFactory = createBase64WorkerFactory("Lyogcm9sbHVwLXBsdWdpbi13ZWItd29ya2VyLWxvYWRlciAqLwooZnVuY3Rpb24oKSB7CiAgICAidXNlIHN0cmljdCI7CiAgICBjbGFzcyBHZW5lcmljRXJyb3IgZXh0ZW5kcyBFcnJvciB7CiAgICAgICAgY29uc3RydWN0b3IoZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uKSB7CiAgICAgICAgICAgIHN1cGVyKGVycm9yX2Rlc2NyaXB0aW9uKTsKICAgICAgICAgICAgdGhpcy5lcnJvciA9IGVycm9yOwogICAgICAgICAgICB0aGlzLmVycm9yX2Rlc2NyaXB0aW9uID0gZXJyb3JfZGVzY3JpcHRpb247CiAgICAgICAgICAgIE9iamVjdC5zZXRQcm90b3R5cGVPZih0aGlzLCBHZW5lcmljRXJyb3IucHJvdG90eXBlKTsKICAgICAgICB9CiAgICAgICAgc3RhdGljIGZyb21QYXlsb2FkKF9yZWYpIHsKICAgICAgICAgICAgbGV0IHtlcnJvcjogZXJyb3IsIGVycm9yX2Rlc2NyaXB0aW9uOiBlcnJvcl9kZXNjcmlwdGlvbn0gPSBfcmVmOwogICAgICAgICAgICByZXR1cm4gbmV3IEdlbmVyaWNFcnJvcihlcnJvciwgZXJyb3JfZGVzY3JpcHRpb24pOwogICAgICAgIH0KICAgIH0KICAgIGNsYXNzIE1pc3NpbmdSZWZyZXNoVG9rZW5FcnJvciBleHRlbmRzIEdlbmVyaWNFcnJvciB7CiAgICAgICAgY29uc3RydWN0b3IoYXVkaWVuY2UsIHNjb3BlKSB7CiAgICAgICAgICAgIHN1cGVyKCJtaXNzaW5nX3JlZnJlc2hfdG9rZW4iLCAiTWlzc2luZyBSZWZyZXNoIFRva2VuIChhdWRpZW5jZTogJyIuY29uY2F0KHZhbHVlT3JFbXB0eVN0cmluZyhhdWRpZW5jZSwgWyAiZGVmYXVsdCIgXSksICInLCBzY29wZTogJyIpLmNvbmNhdCh2YWx1ZU9yRW1wdHlTdHJpbmcoc2NvcGUpLCAiJykiKSk7CiAgICAgICAgICAgIHRoaXMuYXVkaWVuY2UgPSBhdWRpZW5jZTsKICAgICAgICAgICAgdGhpcy5zY29wZSA9IHNjb3BlOwogICAgICAgICAgICBPYmplY3Quc2V0UHJvdG90eXBlT2YodGhpcywgTWlzc2luZ1JlZnJlc2hUb2tlbkVycm9yLnByb3RvdHlwZSk7CiAgICAgICAgfQogICAgfQogICAgZnVuY3Rpb24gdmFsdWVPckVtcHR5U3RyaW5nKHZhbHVlKSB7CiAgICAgICAgbGV0IGV4Y2x1ZGUgPSBhcmd1bWVudHMubGVuZ3RoID4gMSAmJiBhcmd1bWVudHNbMV0gIT09IHVuZGVmaW5lZCA/IGFyZ3VtZW50c1sxXSA6IFtdOwogICAgICAgIHJldHVybiB2YWx1ZSAmJiAhZXhjbHVkZS5pbmNsdWRlcyh2YWx1ZSkgPyB2YWx1ZSA6ICIiOwogICAgfQogICAgZnVuY3Rpb24gX19yZXN0KHMsIGUpIHsKICAgICAgICB2YXIgdCA9IHt9OwogICAgICAgIGZvciAodmFyIHAgaW4gcykgaWYgKE9iamVjdC5wcm90b3R5cGUuaGFzT3duUHJvcGVydHkuY2FsbChzLCBwKSAmJiBlLmluZGV4T2YocCkgPCAwKSB0W3BdID0gc1twXTsKICAgICAgICBpZiAocyAhPSBudWxsICYmIHR5cGVvZiBPYmplY3QuZ2V0T3duUHJvcGVydHlTeW1ib2xzID09PSAiZnVuY3Rpb24iKSBmb3IgKHZhciBpID0gMCwgcCA9IE9iamVjdC5nZXR
Pd25Qcm9wZXJ0eVN5bWJvbHMocyk7IGkgPCBwLmxlbmd0aDsgaSsrKSB7CiAgICAgICAgICAgIGlmIChlLmluZGV4T2YocFtpXSkgPCAwICYmIE9iamVjdC5wcm90b3R5cGUucHJvcGVydHlJc0VudW1lcmFibGUuY2FsbChzLCBwW2ldKSkgdFtwW2ldXSA9IHNbcFtpXV07CiAgICAgICAgfQogICAgICAgIHJldHVybiB0OwogICAgfQogICAgdHlwZW9mIFN1cHByZXNzZWRFcnJvciA9PT0gImZ1bmN0aW9uIiA/IFN1cHByZXNzZWRFcnJvciA6IGZ1bmN0aW9uKGVycm9yLCBzdXBwcmVzc2VkLCBtZXNzYWdlKSB7CiAgICAgICAgdmFyIGUgPSBuZXcgRXJyb3IobWVzc2FnZSk7CiAgICAgICAgcmV0dXJuIGUubmFtZSA9ICJTdXBwcmVzc2VkRXJyb3IiLCBlLmVycm9yID0gZXJyb3IsIGUuc3VwcHJlc3NlZCA9IHN1cHByZXNzZWQsIGU7CiAgICB9OwogICAgY29uc3Qgc3RyaXBVbmRlZmluZWQgPSBwYXJhbXMgPT4gT2JqZWN0LmtleXMocGFyYW1zKS5maWx0ZXIoayA9PiB0eXBlb2YgcGFyYW1zW2tdICE9PSAidW5kZWZpbmVkIikucmVkdWNlKChhY2MsIGtleSkgPT4gT2JqZWN0LmFzc2lnbihPYmplY3QuYXNzaWduKHt9LCBhY2MpLCB7CiAgICAgICAgW2tleV06IHBhcmFtc1trZXldCiAgICB9KSwge30pOwogICAgY29uc3QgY3JlYXRlUXVlcnlQYXJhbXMgPSBfYSA9PiB7CiAgICAgICAgdmFyIHtjbGllbnRJZDogY2xpZW50X2lkfSA9IF9hLCBwYXJhbXMgPSBfX3Jlc3QoX2EsIFsgImNsaWVudElkIiBdKTsKICAgICAgICByZXR1cm4gbmV3IFVSTFNlYXJjaFBhcmFtcyhzdHJpcFVuZGVmaW5lZChPYmplY3QuYXNzaWduKHsKICAgICAgICAgICAgY2xpZW50X2lkOiBjbGllbnRfaWQKICAgICAgICB9LCBwYXJhbXMpKSkudG9TdHJpbmcoKTsKICAgIH07CiAgICBjb25zdCBmcm9tRW50cmllcyA9IGl0ZXJhYmxlID0+IFsgLi4uaXRlcmFibGUgXS5yZWR1Y2UoKG9iaiwgX3JlZikgPT4gewogICAgICAgIGxldCBba2V5LCB2YWxdID0gX3JlZjsKICAgICAgICBvYmpba2V5XSA9IHZhbDsKICAgICAgICByZXR1cm4gb2JqOwogICAgfSwge30pOwogICAgbGV0IHJlZnJlc2hUb2tlbnMgPSB7fTsKICAgIGNvbnN0IGNhY2hlS2V5ID0gKGF1ZGllbmNlLCBzY29wZSkgPT4gIiIuY29uY2F0KGF1ZGllbmNlLCAifCIpLmNvbmNhdChzY29wZSk7CiAgICBjb25zdCBjYWNoZUtleUNvbnRhaW5zQXVkaWVuY2UgPSAoYXVkaWVuY2UsIGNhY2hlS2V5KSA9PiBjYWNoZUtleS5zdGFydHNXaXRoKCIiLmNvbmNhdChhdWRpZW5jZSwgInwiKSk7CiAgICBjb25zdCBnZXRSZWZyZXNoVG9rZW4gPSAoYXVkaWVuY2UsIHNjb3BlKSA9PiByZWZyZXNoVG9rZW5zW2NhY2hlS2V5KGF1ZGllbmNlLCBzY29wZSldOwogICAgY29uc3Qgc2V0UmVmcmVzaFRva2VuID0gKHJlZnJlc2hUb2tlbiwgYXVkaWVuY2UsIHNjb3BlKSA9PiByZWZyZXNoVG9rZW5zW2NhY2hlS2V5KGF1ZGllbmNlLCBzY29wZSldID0gcmVmcmVzaFRva2VuOwogICAgY29uc3QgZGVsZXRlUmVmcmVzaFRva2V
uID0gKGF1ZGllbmNlLCBzY29wZSkgPT4gZGVsZXRlIHJlZnJlc2hUb2tlbnNbY2FjaGVLZXkoYXVkaWVuY2UsIHNjb3BlKV07CiAgICBjb25zdCB3YWl0ID0gdGltZSA9PiBuZXcgUHJvbWlzZShyZXNvbHZlID0+IHNldFRpbWVvdXQocmVzb2x2ZSwgdGltZSkpOwogICAgY29uc3QgZm9ybURhdGFUb09iamVjdCA9IGZvcm1EYXRhID0+IHsKICAgICAgICBjb25zdCBxdWVyeVBhcmFtcyA9IG5ldyBVUkxTZWFyY2hQYXJhbXMoZm9ybURhdGEpOwogICAgICAgIGNvbnN0IHBhcnNlZFF1ZXJ5ID0ge307CiAgICAgICAgcXVlcnlQYXJhbXMuZm9yRWFjaCgodmFsLCBrZXkpID0+IHsKICAgICAgICAgICAgcGFyc2VkUXVlcnlba2V5XSA9IHZhbDsKICAgICAgICB9KTsKICAgICAgICByZXR1cm4gcGFyc2VkUXVlcnk7CiAgICB9OwogICAgY29uc3QgdXBkYXRlUmVmcmVzaFRva2VucyA9IChvbGRSZWZyZXNoVG9rZW4sIG5ld1JlZnJlc2hUb2tlbikgPT4gewogICAgICAgIE9iamVjdC5lbnRyaWVzKHJlZnJlc2hUb2tlbnMpLmZvckVhY2goX3JlZiA9PiB7CiAgICAgICAgICAgIGxldCBba2V5LCB0b2tlbl0gPSBfcmVmOwogICAgICAgICAgICBpZiAodG9rZW4gPT09IG9sZFJlZnJlc2hUb2tlbikgewogICAgICAgICAgICAgICAgcmVmcmVzaFRva2Vuc1trZXldID0gbmV3UmVmcmVzaFRva2VuOwogICAgICAgICAgICB9CiAgICAgICAgfSk7CiAgICB9OwogICAgY29uc3QgY2hlY2tEb3duc2NvcGluZyA9IChzY29wZSwgYXVkaWVuY2UpID0+IHsKICAgICAgICBjb25zdCBmaW5kQ29pbmNpZGVuY2UgPSBPYmplY3Qua2V5cyhyZWZyZXNoVG9rZW5zKS5maW5kKGtleSA9PiB7CiAgICAgICAgICAgIGlmIChrZXkgIT09ICJsYXRlc3RfcmVmcmVzaF90b2tlbiIpIHsKICAgICAgICAgICAgICAgIGNvbnN0IGlzU2FtZUF1ZGllbmNlID0gY2FjaGVLZXlDb250YWluc0F1ZGllbmNlKGF1ZGllbmNlLCBrZXkpOwogICAgICAgICAgICAgICAgY29uc3Qgc2NvcGVzS2V5ID0ga2V5LnNwbGl0KCJ8IilbMV0uc3BsaXQoIiAiKTsKICAgICAgICAgICAgICAgIGNvbnN0IHJlcXVlc3RlZFNjb3BlcyA9IHNjb3BlLnNwbGl0KCIgIik7CiAgICAgICAgICAgICAgICBjb25zdCBzY29wZXNBcmVJbmNsdWRlZCA9IHJlcXVlc3RlZFNjb3Blcy5ldmVyeShrZXkgPT4gc2NvcGVzS2V5LmluY2x1ZGVzKGtleSkpOwogICAgICAgICAgICAgICAgcmV0dXJuIGlzU2FtZUF1ZGllbmNlICYmIHNjb3Blc0FyZUluY2x1ZGVkOwogICAgICAgICAgICB9CiAgICAgICAgfSk7CiAgICAgICAgcmV0dXJuIGZpbmRDb2luY2lkZW5jZSA/IHRydWUgOiBmYWxzZTsKICAgIH07CiAgICBjb25zdCBtZXNzYWdlSGFuZGxlciA9IGFzeW5jIF9yZWYyID0+IHsKICAgICAgICBsZXQge2RhdGE6IHt0aW1lb3V0OiB0aW1lb3V0LCBhdXRoOiBhdXRoLCBmZXRjaFVybDogZmV0Y2hVcmwsIGZldGNoT3B0aW9uczogZmV0Y2hPcHRpb25zLCB1c2VGb3JtRGF0YTogdXNlRm9ybURhdGEsIHVzZU1ycnQ6IHV
zZU1ycnR9LCBwb3J0czogW3BvcnRdfSA9IF9yZWYyOwogICAgICAgIGxldCBoZWFkZXJzID0ge307CiAgICAgICAgbGV0IGpzb247CiAgICAgICAgbGV0IHJlZnJlc2hUb2tlbjsKICAgICAgICBjb25zdCB7YXVkaWVuY2U6IGF1ZGllbmNlLCBzY29wZTogc2NvcGV9ID0gYXV0aCB8fCB7fTsKICAgICAgICB0cnkgewogICAgICAgICAgICBjb25zdCBib2R5ID0gdXNlRm9ybURhdGEgPyBmb3JtRGF0YVRvT2JqZWN0KGZldGNoT3B0aW9ucy5ib2R5KSA6IEpTT04ucGFyc2UoZmV0Y2hPcHRpb25zLmJvZHkpOwogICAgICAgICAgICBpZiAoIWJvZHkucmVmcmVzaF90b2tlbiAmJiBib2R5LmdyYW50X3R5cGUgPT09ICJyZWZyZXNoX3Rva2VuIikgewogICAgICAgICAgICAgICAgcmVmcmVzaFRva2VuID0gZ2V0UmVmcmVzaFRva2VuKGF1ZGllbmNlLCBzY29wZSk7CiAgICAgICAgICAgICAgICBpZiAoIXJlZnJlc2hUb2tlbiAmJiB1c2VNcnJ0KSB7CiAgICAgICAgICAgICAgICAgICAgY29uc3QgbGF0ZXN0UmVmcmVzaFRva2VuID0gcmVmcmVzaFRva2Vuc1sibGF0ZXN0X3JlZnJlc2hfdG9rZW4iXTsKICAgICAgICAgICAgICAgICAgICBjb25zdCBpc0Rvd25zY29waW5nID0gY2hlY2tEb3duc2NvcGluZyhzY29wZSwgYXVkaWVuY2UpOwogICAgICAgICAgICAgICAgICAgIGlmIChsYXRlc3RSZWZyZXNoVG9rZW4gJiYgIWlzRG93bnNjb3BpbmcpIHsKICAgICAgICAgICAgICAgICAgICAgICAgcmVmcmVzaFRva2VuID0gbGF0ZXN0UmVmcmVzaFRva2VuOwogICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIGlmICghcmVmcmVzaFRva2VuKSB7CiAgICAgICAgICAgICAgICAgICAgdGhyb3cgbmV3IE1pc3NpbmdSZWZyZXNoVG9rZW5FcnJvcihhdWRpZW5jZSwgc2NvcGUpOwogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgZmV0Y2hPcHRpb25zLmJvZHkgPSB1c2VGb3JtRGF0YSA/IGNyZWF0ZVF1ZXJ5UGFyYW1zKE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSwgYm9keSksIHsKICAgICAgICAgICAgICAgICAgICByZWZyZXNoX3Rva2VuOiByZWZyZXNoVG9rZW4KICAgICAgICAgICAgICAgIH0pKSA6IEpTT04uc3RyaW5naWZ5KE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSwgYm9keSksIHsKICAgICAgICAgICAgICAgICAgICByZWZyZXNoX3Rva2VuOiByZWZyZXNoVG9rZW4KICAgICAgICAgICAgICAgIH0pKTsKICAgICAgICAgICAgfQogICAgICAgICAgICBsZXQgYWJvcnRDb250cm9sbGVyOwogICAgICAgICAgICBpZiAodHlwZW9mIEFib3J0Q29udHJvbGxlciA9PT0gImZ1bmN0aW9uIikgewogICAgICAgICAgICAgICAgYWJvcnRDb250cm9sbGVyID0gbmV3IEFib3J0Q29udHJvbGxlcjsKICAgICAgICAgICAgICAgIGZldGNoT3B0aW9ucy5zaWduYWwgPSBhYm9ydENvbnRyb2xsZXIuc2lnbmFsOwogICAgICAgICAgICB9CiAgICAgICAgICAgIGxldCByZXNwb25zZTsKICA
gICAgICAgICAgdHJ5IHsKICAgICAgICAgICAgICAgIHJlc3BvbnNlID0gYXdhaXQgUHJvbWlzZS5yYWNlKFsgd2FpdCh0aW1lb3V0KSwgZmV0Y2goZmV0Y2hVcmwsIE9iamVjdC5hc3NpZ24oe30sIGZldGNoT3B0aW9ucykpIF0pOwogICAgICAgICAgICB9IGNhdGNoIChlcnJvcikgewogICAgICAgICAgICAgICAgcG9ydC5wb3N0TWVzc2FnZSh7CiAgICAgICAgICAgICAgICAgICAgZXJyb3I6IGVycm9yLm1lc3NhZ2UKICAgICAgICAgICAgICAgIH0pOwogICAgICAgICAgICAgICAgcmV0dXJuOwogICAgICAgICAgICB9CiAgICAgICAgICAgIGlmICghcmVzcG9uc2UpIHsKICAgICAgICAgICAgICAgIGlmIChhYm9ydENvbnRyb2xsZXIpIGFib3J0Q29udHJvbGxlci5hYm9ydCgpOwogICAgICAgICAgICAgICAgcG9ydC5wb3N0TWVzc2FnZSh7CiAgICAgICAgICAgICAgICAgICAgZXJyb3I6ICJUaW1lb3V0IHdoZW4gZXhlY3V0aW5nICdmZXRjaCciCiAgICAgICAgICAgICAgICB9KTsKICAgICAgICAgICAgICAgIHJldHVybjsKICAgICAgICAgICAgfQogICAgICAgICAgICBoZWFkZXJzID0gZnJvbUVudHJpZXMocmVzcG9uc2UuaGVhZGVycyk7CiAgICAgICAgICAgIGpzb24gPSBhd2FpdCByZXNwb25zZS5qc29uKCk7CiAgICAgICAgICAgIGlmIChqc29uLnJlZnJlc2hfdG9rZW4pIHsKICAgICAgICAgICAgICAgIGlmICh1c2VNcnJ0KSB7CiAgICAgICAgICAgICAgICAgICAgcmVmcmVzaFRva2Vuc1sibGF0ZXN0X3JlZnJlc2hfdG9rZW4iXSA9IGpzb24ucmVmcmVzaF90b2tlbjsKICAgICAgICAgICAgICAgICAgICB1cGRhdGVSZWZyZXNoVG9rZW5zKHJlZnJlc2hUb2tlbiwganNvbi5yZWZyZXNoX3Rva2VuKTsKICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIHNldFJlZnJlc2hUb2tlbihqc29uLnJlZnJlc2hfdG9rZW4sIGF1ZGllbmNlLCBzY29wZSk7CiAgICAgICAgICAgICAgICBkZWxldGUganNvbi5yZWZyZXNoX3Rva2VuOwogICAgICAgICAgICB9IGVsc2UgewogICAgICAgICAgICAgICAgZGVsZXRlUmVmcmVzaFRva2VuKGF1ZGllbmNlLCBzY29wZSk7CiAgICAgICAgICAgIH0KICAgICAgICAgICAgcG9ydC5wb3N0TWVzc2FnZSh7CiAgICAgICAgICAgICAgICBvazogcmVzcG9uc2Uub2ssCiAgICAgICAgICAgICAgICBqc29uOiBqc29uLAogICAgICAgICAgICAgICAgaGVhZGVyczogaGVhZGVycwogICAgICAgICAgICB9KTsKICAgICAgICB9IGNhdGNoIChlcnJvcikgewogICAgICAgICAgICBwb3J0LnBvc3RNZXNzYWdlKHsKICAgICAgICAgICAgICAgIG9rOiBmYWxzZSwKICAgICAgICAgICAgICAgIGpzb246IHsKICAgICAgICAgICAgICAgICAgICBlcnJvcjogZXJyb3IuZXJyb3IsCiAgICAgICAgICAgICAgICAgICAgZXJyb3JfZGVzY3JpcHRpb246IGVycm9yLm1lc3NhZ2UKICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICBoZWFkZXJzOiBoZWFkZXJzCiAgICAgICAgICAgIH0pOwogICAgICAgIH0KICA
gIH07CiAgICB7CiAgICAgICAgYWRkRXZlbnRMaXN0ZW5lcigibWVzc2FnZSIsIG1lc3NhZ2VIYW5kbGVyKTsKICAgIH0KfSkoKTsKCg==", null, false);
1946
1953
  const singlePromiseMap = {};
1947
1954
  const singlePromise = (cb, key) => {
1948
1955
  let promise = singlePromiseMap[key];
1949
1956
  if (!promise) {
1950
- promise = cb().finally((() => {
1957
+ promise = cb().finally(() => {
1951
1958
  delete singlePromiseMap[key];
1952
1959
  promise = null;
1953
- }));
1960
+ });
1954
1961
  singlePromiseMap[key] = promise;
1955
1962
  }
1956
1963
  return promise;
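Review bot: The argument to `createBase64WorkerFactory` is replaced wholesale by a new base64 string, so this diff does not show what changed inside the embedded worker, whose decoded text keeps refresh tokens in a `refreshTokens` map and adds them to outgoing `fetch` request bodies. A spot decode of both strings suggests the only difference is the same redundant-parenthesis removal seen in the rest of the file (for example `.filter((k => …))` becoming `.filter(k => …)`), but that is inferred from a partial decode and should be confirmed by decoding both sides in full and diffing the result. I would add a comment above the declaration recording the blob's origin, e.g. `// Embedded token worker, base64 of <worker source path>; decode and diff on every release`.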
@@ -2027,12 +2034,12 @@
2027
2034
  const allScopesAreIncluded = (scopeToInclude, scopes) => {
2028
2035
  const scopeGroup = (scopes === null || scopes === void 0 ? void 0 : scopes.split(" ")) || [];
2029
2036
  const scopesToInclude = (scopeToInclude === null || scopeToInclude === void 0 ? void 0 : scopeToInclude.split(" ")) || [];
2030
- return scopesToInclude.every((key => scopeGroup.includes(key)));
2037
+ return scopesToInclude.every(key => scopeGroup.includes(key));
2031
2038
  };
2032
2039
  const getMissingScopes = (requestedScope, respondedScope) => {
2033
2040
  const requestedScopes = (requestedScope === null || requestedScope === void 0 ? void 0 : requestedScope.split(" ")) || [];
2034
2041
  const respondedScopes = (respondedScope === null || respondedScope === void 0 ? void 0 : respondedScope.split(" ")) || [];
2035
- const missingScopes = requestedScopes.filter((scope => respondedScopes.indexOf(scope) == -1));
2042
+ const missingScopes = requestedScopes.filter(scope => respondedScopes.indexOf(scope) == -1);
2036
2043
  return missingScopes.join(",");
2037
2044
  };
2038
2045
  const getScopeToRequest = (useMrrt, authorizationParams, cachedAudience, cachedScope) => {
@@ -2043,7 +2050,7 @@
2043
2050
  }
2044
2051
  const cachedScopes = cachedScope.split(" ");
2045
2052
  const newScopes = ((_a = authorizationParams.scope) === null || _a === void 0 ? void 0 : _a.split(" ")) || [];
2046
- const newScopesAreIncluded = newScopes.every((scope => cachedScopes.includes(scope)));
2053
+ const newScopesAreIncluded = newScopes.every(scope => cachedScopes.includes(scope));
2047
2054
  return cachedScopes.length >= newScopes.length && newScopesAreIncluded ? cachedScope : authorizationParams.scope;
2048
2055
  }
2049
2056
  return authorizationParams.scope;
@@ -2070,11 +2077,11 @@
2070
2077
  }
2071
2078
  createDbHandle() {
2072
2079
  const req = window.indexedDB.open(NAME, this.getVersion());
2073
- return new Promise(((resolve, reject) => {
2074
- req.onupgradeneeded = () => Object.values(TABLES).forEach((t => req.result.createObjectStore(t)));
2080
+ return new Promise((resolve, reject) => {
2081
+ req.onupgradeneeded = () => Object.values(TABLES).forEach(t => req.result.createObjectStore(t));
2075
2082
  req.onerror = () => reject(req.error);
2076
2083
  req.onsuccess = () => resolve(req.result);
2077
- }));
2084
+ });
2078
2085
  }
2079
2086
  async getDbHandle() {
2080
2087
  if (!this.dbHandle) {
@@ -2087,10 +2094,10 @@
2087
2094
  const txn = db.transaction(table, mode);
2088
2095
  const store = txn.objectStore(table);
2089
2096
  const request = requestFactory(store);
2090
- return new Promise(((resolve, reject) => {
2097
+ return new Promise((resolve, reject) => {
2091
2098
  request.onsuccess = () => resolve(request.result);
2092
2099
  request.onerror = () => reject(request.error);
2093
- }));
2100
+ });
2094
2101
  }
2095
2102
  buildKey(id) {
2096
2103
  const finalId = id ? "_".concat(id) : AUTH0_NONCE_ID;
@@ -2103,7 +2110,7 @@
2103
2110
  return this.save(TABLES.KEYPAIR, this.buildKey(), keyPair);
2104
2111
  }
2105
2112
  async save(table, key, obj) {
2106
- return void await this.executeDbRequest(table, "readwrite", (table => table.put(obj, key)));
2113
+ return void await this.executeDbRequest(table, "readwrite", table => table.put(obj, key));
2107
2114
  }
2108
2115
  findNonce(id) {
2109
2116
  return this.find(TABLES.NONCE, this.buildKey(id));
@@ -2112,14 +2119,14 @@
2112
2119
  return this.find(TABLES.KEYPAIR, this.buildKey());
2113
2120
  }
2114
2121
  find(table, key) {
2115
- return this.executeDbRequest(table, "readonly", (table => table.get(key)));
2122
+ return this.executeDbRequest(table, "readonly", table => table.get(key));
2116
2123
  }
2117
2124
  async deleteBy(table, predicate) {
2118
- const allKeys = await this.executeDbRequest(table, "readonly", (table => table.getAllKeys()));
2119
- allKeys === null || allKeys === void 0 ? void 0 : allKeys.filter(predicate).map((k => this.executeDbRequest(table, "readwrite", (table => table.delete(k)))));
2125
+ const allKeys = await this.executeDbRequest(table, "readonly", table => table.getAllKeys());
2126
+ allKeys === null || allKeys === void 0 ? void 0 : allKeys.filter(predicate).map(k => this.executeDbRequest(table, "readwrite", table => table.delete(k)));
2120
2127
  }
2121
2128
  deleteByClientId(table, clientId) {
2122
- return this.deleteBy(table, (k => typeof k === "string" && k.startsWith("".concat(clientId, "::"))));
2129
+ return this.deleteBy(table, k => typeof k === "string" && k.startsWith("".concat(clientId, "::")));
2123
2130
  }
2124
2131
  clearNonces() {
2125
2132
  return this.deleteByClientId(TABLES.NONCE, this.clientId);
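Review bot: In `deleteBy`, the promises returned by `allKeys.filter(predicate).map(k => this.executeDbRequest(...))` are discarded, so the method resolves before any delete has completed and a failed delete surfaces only as an unhandled rejection. Callers such as `clearNonces` therefore cannot rely on the nonce or key-pair entries being gone once their promise settles, which matters if this runs as part of logout or client teardown (not visible here). Awaiting the batch addresses both: `await Promise.all((allKeys || []).filter(predicate).map(k => this.executeDbRequest(table, "readwrite", table => table.delete(k))));`. This is bundled output, so the change presumably belongs in the storage module it is built from; `clearNonces` is cut off by the end of the hunk.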
@@ -2429,20 +2436,20 @@
2429
2436
  var t = Object.keys(e);
2430
2437
  if (Object.getOwnPropertySymbols) {
2431
2438
  var o = Object.getOwnPropertySymbols(e);
2432
- r && (o = o.filter((function(r) {
2439
+ r && (o = o.filter(function(r) {
2433
2440
  return Object.getOwnPropertyDescriptor(e, r).enumerable;
2434
- }))), t.push.apply(t, o);
2441
+ })), t.push.apply(t, o);
2435
2442
  }
2436
2443
  return t;
2437
2444
  }
2438
2445
  function _objectSpread2(e) {
2439
2446
  for (var r = 1; r < arguments.length; r++) {
2440
2447
  var t = null != arguments[r] ? arguments[r] : {};
2441
- r % 2 ? ownKeys(Object(t), !0).forEach((function(r) {
2448
+ r % 2 ? ownKeys(Object(t), !0).forEach(function(r) {
2442
2449
  _defineProperty(e, r, t[r]);
2443
- })) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach((function(r) {
2450
+ }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function(r) {
2444
2451
  Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r));
2445
- }));
2452
+ });
2446
2453
  }
2447
2454
  return e;
2448
2455
  }
@@ -2484,56 +2491,41 @@
2484
2491
  };
2485
2492
  }
2486
2493
  function AsyncGenerator(e) {
2487
- var r, t;
2488
- function resume(r, t) {
2494
+ var t, n;
2495
+ function resume(t, n) {
2489
2496
  try {
2490
- var n = e[r](t), o = n.value, u = o instanceof _OverloadYield;
2491
- Promise.resolve(u ? o.v : o).then((function(t) {
2497
+ var r = e[t](n), o = r.value, u = o instanceof _OverloadYield;
2498
+ Promise.resolve(u ? o.v : o).then(function(n) {
2492
2499
  if (u) {
2493
- var i = "return" === r ? "return" : "next";
2494
- if (!o.k || t.done) return resume(i, t);
2495
- t = e[i](t).value;
2500
+ var i = "return" === t && o.k ? t : "next";
2501
+ if (!o.k || n.done) return resume(i, n);
2502
+ n = e[i](n).value;
2496
2503
  }
2497
- settle(n.done ? "return" : "normal", t);
2498
- }), (function(e) {
2504
+ settle(!!r.done, n);
2505
+ }, function(e) {
2499
2506
  resume("throw", e);
2500
- }));
2507
+ });
2501
2508
  } catch (e) {
2502
- settle("throw", e);
2509
+ settle(2, e);
2503
2510
  }
2504
2511
  }
2505
- function settle(e, n) {
2506
- switch (e) {
2507
- case "return":
2508
- r.resolve({
2509
- value: n,
2510
- done: !0
2511
- });
2512
- break;
2513
-
2514
- case "throw":
2515
- r.reject(n);
2516
- break;
2517
-
2518
- default:
2519
- r.resolve({
2520
- value: n,
2521
- done: !1
2522
- });
2523
- }
2524
- (r = r.next) ? resume(r.key, r.arg) : t = null;
2512
+ function settle(e, r) {
2513
+ 2 === e ? t.reject(r) : t.resolve({
2514
+ value: r,
2515
+ done: e
2516
+ }), (t = t.next) ? resume(t.key, t.arg) : n = null;
2525
2517
  }
2526
- this._invoke = function(e, n) {
2527
- return new Promise((function(o, u) {
2518
+ this._invoke = function(e, r) {
2519
+ return new Promise(function(o, u) {
2528
2520
  var i = {
2529
2521
  key: e,
2530
- arg: n,
2522
+ arg: r,
2531
2523
  resolve: o,
2532
2524
  reject: u,
2533
2525
  next: null
2534
2526
  };
2535
- t ? t = t.next = i : (r = t = i, resume(e, n));
2536
- }));
2527
+ n ? n = n.next = i : (t = n = i, resume(e, r));
2528
+ });
2537
2529
  }, "function" != typeof e.return && (this.return = void 0);
2538
2530
  }
2539
2531
  AsyncGenerator.prototype["function" == typeof Symbol && Symbol.asyncIterator || "@@asyncIterator"] = function() {
@@ -2549,7 +2541,7 @@
2549
2541
  let USER_AGENT$2;
2550
2542
  if (typeof navigator === "undefined" || !((_navigator$userAgent$2 = navigator.userAgent) !== null && _navigator$userAgent$2 !== void 0 && (_navigator$userAgent$$2 = _navigator$userAgent$2.startsWith) !== null && _navigator$userAgent$$2 !== void 0 && _navigator$userAgent$$2.call(_navigator$userAgent$2, "Mozilla/5.0 "))) {
2551
2543
  const NAME = "oauth4webapi";
2552
- const VERSION = "v3.8.3";
2544
+ const VERSION = "v3.8.5";
2553
2545
  USER_AGENT$2 = "".concat(NAME, "/").concat(VERSION);
2554
2546
  }
2555
2547
  function looseInstanceOf(input, expected) {
@@ -2748,7 +2740,7 @@
2748
2740
  });
2749
2741
  }
2750
2742
  async function discoveryRequest(issuerIdentifier, options) {
2751
- return performDiscovery$1(issuerIdentifier, "issuerIdentifier", (url => {
2743
+ return performDiscovery$1(issuerIdentifier, "issuerIdentifier", url => {
2752
2744
  switch (options === null || options === void 0 ? void 0 : options.algorithm) {
2753
2745
  case undefined:
2754
2746
  case "oidc":
@@ -2763,7 +2755,7 @@
2763
2755
  throw CodedTypeError$1('"options.algorithm" must be "oidc" (default), or "oauth2"', ERR_INVALID_ARG_VALUE$1);
2764
2756
  }
2765
2757
  return url;
2766
- }), options);
2758
+ }, options);
2767
2759
  }
2768
2760
  function assertNumber(input, allow0, it, code, cause) {
2769
2761
  try {
@@ -3999,10 +3991,10 @@
3999
3991
  for (var _len = arguments.length, buffers = new Array(_len), _key = 0; _key < _len; _key++) {
4000
3992
  buffers[_key] = arguments[_key];
4001
3993
  }
4002
- const size = buffers.reduce(((acc, _ref) => {
3994
+ const size = buffers.reduce((acc, _ref) => {
4003
3995
  let {length: length} = _ref;
4004
3996
  return acc + length;
4005
- }), 0);
3997
+ }, 0);
4006
3998
  const buf = new Uint8Array(size);
4007
3999
  let i = 0;
4008
4000
  for (const buffer of buffers) {
@@ -4050,6 +4042,135 @@
4050
4042
  throw new TypeError("The input to be decoded is not correctly encoded.");
4051
4043
  }
4052
4044
  }
4045
+ const unusable = function unusable(name) {
4046
+ let prop = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : "algorithm.name";
4047
+ return new TypeError("CryptoKey does not support this operation, its ".concat(prop, " must be ").concat(name));
4048
+ };
4049
+ const isAlgorithm = (algorithm, name) => algorithm.name === name;
4050
+ function getHashLength(hash) {
4051
+ return parseInt(hash.name.slice(4), 10);
4052
+ }
4053
+ function checkHashLength(algorithm, expected) {
4054
+ const actual = getHashLength(algorithm.hash);
4055
+ if (actual !== expected) throw unusable("SHA-".concat(expected), "algorithm.hash");
4056
+ }
4057
+ function getNamedCurve(alg) {
4058
+ switch (alg) {
4059
+ case "ES256":
4060
+ return "P-256";
4061
+
4062
+ case "ES384":
4063
+ return "P-384";
4064
+
4065
+ case "ES512":
4066
+ return "P-521";
4067
+
4068
+ default:
4069
+ throw new Error("unreachable");
4070
+ }
4071
+ }
4072
+ function checkUsage(key, usage) {
4073
+ if (usage && !key.usages.includes(usage)) {
4074
+ throw new TypeError("CryptoKey does not support this operation, its usages must include ".concat(usage, "."));
4075
+ }
4076
+ }
4077
+ function checkSigCryptoKey(key, alg, usage) {
4078
+ switch (alg) {
4079
+ case "HS256":
4080
+ case "HS384":
4081
+ case "HS512":
4082
+ {
4083
+ if (!isAlgorithm(key.algorithm, "HMAC")) throw unusable("HMAC");
4084
+ checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
4085
+ break;
4086
+ }
4087
+
4088
+ case "RS256":
4089
+ case "RS384":
4090
+ case "RS512":
4091
+ {
4092
+ if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5")) throw unusable("RSASSA-PKCS1-v1_5");
4093
+ checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
4094
+ break;
4095
+ }
4096
+
4097
+ case "PS256":
4098
+ case "PS384":
4099
+ case "PS512":
4100
+ {
4101
+ if (!isAlgorithm(key.algorithm, "RSA-PSS")) throw unusable("RSA-PSS");
4102
+ checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
4103
+ break;
4104
+ }
4105
+
4106
+ case "Ed25519":
4107
+ case "EdDSA":
4108
+ {
4109
+ if (!isAlgorithm(key.algorithm, "Ed25519")) throw unusable("Ed25519");
4110
+ break;
4111
+ }
4112
+
4113
+ case "ML-DSA-44":
4114
+ case "ML-DSA-65":
4115
+ case "ML-DSA-87":
4116
+ {
4117
+ if (!isAlgorithm(key.algorithm, alg)) throw unusable(alg);
4118
+ break;
4119
+ }
4120
+
4121
+ case "ES256":
4122
+ case "ES384":
4123
+ case "ES512":
4124
+ {
4125
+ if (!isAlgorithm(key.algorithm, "ECDSA")) throw unusable("ECDSA");
4126
+ const expected = getNamedCurve(alg);
4127
+ const actual = key.algorithm.namedCurve;
4128
+ if (actual !== expected) throw unusable(expected, "algorithm.namedCurve");
4129
+ break;
4130
+ }
4131
+
4132
+ default:
4133
+ throw new TypeError("CryptoKey does not support this operation");
4134
+ }
4135
+ checkUsage(key, usage);
4136
+ }
4137
+ function message(msg, actual) {
4138
+ for (var _len = arguments.length, types = new Array(_len > 2 ? _len - 2 : 0), _key = 2; _key < _len; _key++) {
4139
+ types[_key - 2] = arguments[_key];
4140
+ }
4141
+ types = types.filter(Boolean);
4142
+ if (types.length > 2) {
4143
+ const last = types.pop();
4144
+ msg += "one of type ".concat(types.join(", "), ", or ").concat(last, ".");
4145
+ } else if (types.length === 2) {
4146
+ msg += "one of type ".concat(types[0], " or ").concat(types[1], ".");
4147
+ } else {
4148
+ msg += "of type ".concat(types[0], ".");
4149
+ }
4150
+ if (actual == null) {
4151
+ msg += " Received ".concat(actual);
4152
+ } else if (typeof actual === "function" && actual.name) {
4153
+ msg += " Received function ".concat(actual.name);
4154
+ } else if (typeof actual === "object" && actual != null) {
4155
+ var _actual$constructor;
4156
+ if ((_actual$constructor = actual.constructor) !== null && _actual$constructor !== void 0 && _actual$constructor.name) {
4157
+ msg += " Received an instance of ".concat(actual.constructor.name);
4158
+ }
4159
+ }
4160
+ return msg;
4161
+ }
4162
+ const invalidKeyInput = function invalidKeyInput(actual) {
4163
+ for (var _len2 = arguments.length, types = new Array(_len2 > 1 ? _len2 - 1 : 0), _key2 = 1; _key2 < _len2; _key2++) {
4164
+ types[_key2 - 1] = arguments[_key2];
4165
+ }
4166
+ return message("Key must be ", actual, ...types);
4167
+ };
4168
+ const withAlg = function withAlg(alg, actual) {
4169
+ for (var _len3 = arguments.length, types = new Array(_len3 > 2 ? _len3 - 2 : 0), _key3 = 2; _key3 < _len3; _key3++) {
4170
+ types[_key3 - 2] = arguments[_key3];
4171
+ }
4172
+ return message("Key for the ".concat(alg, " algorithm must be "), actual, ...types);
4173
+ };
4053
4174
  class JOSEError extends Error {
4054
4175
  constructor(message, options) {
4055
4176
  var _Error$captureStackTr;
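Review bot: `checkUsage` skips the `key.usages` test whenever `usage` is falsy, so `checkSigCryptoKey(key, alg)` called without a third argument checks the algorithm name, hash and curve but not what the key may be used for. This is easy to miss because `checkSigCryptoKey` is the step that ties a JWS `alg` to the `CryptoKey` it is used with. A comment above it would make the contract explicit, for example `// Binds alg to key.algorithm (name, hash, namedCurve); key.usages is checked only when usage is given.` `getSigKey`, added further down in this diff, does pass a usage; other callers are not visible from this hunk.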
@@ -4197,147 +4318,37 @@
4197
4318
  }
4198
4319
  }
4199
4320
  _defineProperty(JWSSignatureVerificationFailed, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
4200
- const unusable = function unusable(name) {
4201
- let prop = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : "algorithm.name";
4202
- return new TypeError("CryptoKey does not support this operation, its ".concat(prop, " must be ").concat(name));
4321
+ const isCryptoKey = key => {
4322
+ if ((key === null || key === void 0 ? void 0 : key[Symbol.toStringTag]) === "CryptoKey") return true;
4323
+ try {
4324
+ return key instanceof CryptoKey;
4325
+ } catch (_unused) {
4326
+ return false;
4327
+ }
4203
4328
  };
4204
- const isAlgorithm = (algorithm, name) => algorithm.name === name;
4205
- function getHashLength(hash) {
4206
- return parseInt(hash.name.slice(4), 10);
4207
- }
4208
- function getNamedCurve(alg) {
4209
- switch (alg) {
4210
- case "ES256":
4211
- return "P-256";
4212
-
4213
- case "ES384":
4214
- return "P-384";
4215
-
4216
- case "ES512":
4217
- return "P-521";
4218
-
4219
- default:
4220
- throw new Error("unreachable");
4329
+ const isKeyObject = key => (key === null || key === void 0 ? void 0 : key[Symbol.toStringTag]) === "KeyObject";
4330
+ const isKeyLike = key => isCryptoKey(key) || isKeyObject(key);
4331
+ function decodeBase64url(value, label, ErrorClass) {
4332
+ try {
4333
+ return decode(value);
4334
+ } catch (_unused) {
4335
+ throw new ErrorClass("Failed to base64url decode the ".concat(label));
4221
4336
  }
4222
4337
  }
4223
- function checkUsage(key, usage) {
4224
- if (usage && !key.usages.includes(usage)) {
4225
- throw new TypeError("CryptoKey does not support this operation, its usages must include ".concat(usage, "."));
4338
+ const isObjectLike = value => typeof value === "object" && value !== null;
4339
+ function isObject(input) {
4340
+ if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
4341
+ return false;
4226
4342
  }
4227
- }
4228
- function checkSigCryptoKey(key, alg, usage) {
4229
- switch (alg) {
4230
- case "HS256":
4231
- case "HS384":
4232
- case "HS512":
4233
- {
4234
- if (!isAlgorithm(key.algorithm, "HMAC")) throw unusable("HMAC");
4235
- const expected = parseInt(alg.slice(2), 10);
4236
- const actual = getHashLength(key.algorithm.hash);
4237
- if (actual !== expected) throw unusable("SHA-".concat(expected), "algorithm.hash");
4238
- break;
4239
- }
4240
-
4241
- case "RS256":
4242
- case "RS384":
4243
- case "RS512":
4244
- {
4245
- if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5")) throw unusable("RSASSA-PKCS1-v1_5");
4246
- const expected = parseInt(alg.slice(2), 10);
4247
- const actual = getHashLength(key.algorithm.hash);
4248
- if (actual !== expected) throw unusable("SHA-".concat(expected), "algorithm.hash");
4249
- break;
4250
- }
4251
-
4252
- case "PS256":
4253
- case "PS384":
4254
- case "PS512":
4255
- {
4256
- if (!isAlgorithm(key.algorithm, "RSA-PSS")) throw unusable("RSA-PSS");
4257
- const expected = parseInt(alg.slice(2), 10);
4258
- const actual = getHashLength(key.algorithm.hash);
4259
- if (actual !== expected) throw unusable("SHA-".concat(expected), "algorithm.hash");
4260
- break;
4261
- }
4262
-
4263
- case "Ed25519":
4264
- case "EdDSA":
4265
- {
4266
- if (!isAlgorithm(key.algorithm, "Ed25519")) throw unusable("Ed25519");
4267
- break;
4268
- }
4269
-
4270
- case "ML-DSA-44":
4271
- case "ML-DSA-65":
4272
- case "ML-DSA-87":
4273
- {
4274
- if (!isAlgorithm(key.algorithm, alg)) throw unusable(alg);
4275
- break;
4276
- }
4277
-
4278
- case "ES256":
4279
- case "ES384":
4280
- case "ES512":
4281
- {
4282
- if (!isAlgorithm(key.algorithm, "ECDSA")) throw unusable("ECDSA");
4283
- const expected = getNamedCurve(alg);
4284
- const actual = key.algorithm.namedCurve;
4285
- if (actual !== expected) throw unusable(expected, "algorithm.namedCurve");
4286
- break;
4287
- }
4288
-
4289
- default:
4290
- throw new TypeError("CryptoKey does not support this operation");
4291
- }
4292
- checkUsage(key, usage);
4293
- }
4294
- function message(msg, actual) {
4295
- for (var _len = arguments.length, types = new Array(_len > 2 ? _len - 2 : 0), _key = 2; _key < _len; _key++) {
4296
- types[_key - 2] = arguments[_key];
4297
- }
4298
- types = types.filter(Boolean);
4299
- if (types.length > 2) {
4300
- const last = types.pop();
4301
- msg += "one of type ".concat(types.join(", "), ", or ").concat(last, ".");
4302
- } else if (types.length === 2) {
4303
- msg += "one of type ".concat(types[0], " or ").concat(types[1], ".");
4304
- } else {
4305
- msg += "of type ".concat(types[0], ".");
4343
+ if (Object.getPrototypeOf(input) === null) {
4344
+ return true;
4306
4345
  }
4307
- if (actual == null) {
4308
- msg += " Received ".concat(actual);
4309
- } else if (typeof actual === "function" && actual.name) {
4310
- msg += " Received function ".concat(actual.name);
4311
- } else if (typeof actual === "object" && actual != null) {
4312
- var _actual$constructor;
4313
- if ((_actual$constructor = actual.constructor) !== null && _actual$constructor !== void 0 && _actual$constructor.name) {
4314
- msg += " Received an instance of ".concat(actual.constructor.name);
4315
- }
4346
+ let proto = input;
4347
+ while (Object.getPrototypeOf(proto) !== null) {
4348
+ proto = Object.getPrototypeOf(proto);
4316
4349
  }
4317
- return msg;
4350
+ return Object.getPrototypeOf(input) === proto;
4318
4351
  }
4319
- const invalidKeyInput = function invalidKeyInput(actual) {
4320
- for (var _len2 = arguments.length, types = new Array(_len2 > 1 ? _len2 - 1 : 0), _key2 = 1; _key2 < _len2; _key2++) {
4321
- types[_key2 - 1] = arguments[_key2];
4322
- }
4323
- return message("Key must be ", actual, ...types);
4324
- };
4325
- const withAlg = function withAlg(alg, actual) {
4326
- for (var _len3 = arguments.length, types = new Array(_len3 > 2 ? _len3 - 2 : 0), _key3 = 2; _key3 < _len3; _key3++) {
4327
- types[_key3 - 2] = arguments[_key3];
4328
- }
4329
- return message("Key for the ".concat(alg, " algorithm must be "), actual, ...types);
4330
- };
4331
- const isCryptoKey = key => {
4332
- if ((key === null || key === void 0 ? void 0 : key[Symbol.toStringTag]) === "CryptoKey") return true;
4333
- try {
4334
- return key instanceof CryptoKey;
4335
- } catch (_unused) {
4336
- return false;
4337
- }
4338
- };
4339
- const isKeyObject = key => (key === null || key === void 0 ? void 0 : key[Symbol.toStringTag]) === "KeyObject";
4340
- const isKeyLike = key => isCryptoKey(key) || isKeyObject(key);
4341
4352
  function isDisjoint() {
4342
4353
  for (var _len = arguments.length, headers = new Array(_len), _key = 0; _key < _len; _key++) {
4343
4354
  headers[_key] = arguments[_key];
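Review bot: `decodeBase64url` catches the decoder's exception as `_unused` and throws a fresh `ErrorClass` without it, so the original failure is lost when a segment does not decode. If the classes passed in take an options argument, as the `constructor(message, options)` of `JOSEError` suggests, the cause could be kept with `} catch (cause) { throw new ErrorClass("Failed to base64url decode the ".concat(label), { cause: cause }); }`. Separately, `isCryptoKey` returns true for any value whose `Symbol.toStringTag` is "CryptoKey" before it tries `instanceof`. A short comment should say that this is a shape check only, and that the later WebCrypto call is presumably what rejects a look-alike object.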
@@ -4362,20 +4373,10 @@
4362
4373
  }
4363
4374
  return true;
4364
4375
  }
4365
- const isObjectLike = value => typeof value === "object" && value !== null;
4366
- function isObject(input) {
4367
- if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
4368
- return false;
4369
- }
4370
- if (Object.getPrototypeOf(input) === null) {
4371
- return true;
4372
- }
4373
- let proto = input;
4374
- while (Object.getPrototypeOf(proto) !== null) {
4375
- proto = Object.getPrototypeOf(proto);
4376
- }
4377
- return Object.getPrototypeOf(input) === proto;
4378
- }
4376
+ const isJWK = key => isObject(key) && typeof key.kty === "string";
4377
+ const isPrivateJWK = key => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
4378
+ const isPublicJWK = key => key.kty !== "oct" && key.d === undefined && key.priv === undefined;
4379
+ const isSecretJWK = key => key.kty === "oct" && typeof key.k === "string";
4379
4380
  function checkKeyLength(alg, key) {
4380
4381
  if (alg.startsWith("RS") || alg.startsWith("PS")) {
4381
4382
  const {modulusLength: modulusLength} = key.algorithm;
@@ -4384,198 +4385,84 @@
4384
4385
  }
4385
4386
  }
4386
4387
  }
4387
- const bytesEqual = (a, b) => {
4388
- if (a.byteLength !== b.length) return false;
4389
- for (let i = 0; i < a.byteLength; i++) {
4390
- if (a[i] !== b[i]) return false;
4391
- }
4392
- return true;
4393
- };
4394
- const createASN1State = data => ({
4395
- data: data,
4396
- pos: 0
4397
- });
4398
- const parseLength = state => {
4399
- const first = state.data[state.pos++];
4400
- if (first & 128) {
4401
- const lengthOfLen = first & 127;
4402
- let length = 0;
4403
- for (let i = 0; i < lengthOfLen; i++) {
4404
- length = length << 8 | state.data[state.pos++];
4405
- }
4406
- return length;
4407
- }
4408
- return first;
4409
- };
4410
- const expectTag = (state, expectedTag, errorMessage) => {
4411
- if (state.data[state.pos++] !== expectedTag) {
4412
- throw new Error(errorMessage);
4413
- }
4414
- };
4415
- const getSubarray = (state, length) => {
4416
- const result = state.data.subarray(state.pos, state.pos + length);
4417
- state.pos += length;
4418
- return result;
4419
- };
4420
- const parseAlgorithmOID = state => {
4421
- expectTag(state, 6, "Expected algorithm OID");
4422
- const oidLen = parseLength(state);
4423
- return getSubarray(state, oidLen);
4424
- };
4425
- function parsePKCS8Header(state) {
4426
- expectTag(state, 48, "Invalid PKCS#8 structure");
4427
- parseLength(state);
4428
- expectTag(state, 2, "Expected version field");
4429
- const verLen = parseLength(state);
4430
- state.pos += verLen;
4431
- expectTag(state, 48, "Expected algorithm identifier");
4432
- const algIdLen = parseLength(state);
4433
- const algIdStart = state.pos;
4434
- return {
4435
- algIdStart: algIdStart,
4436
- algIdLength: algIdLen
4437
- };
4438
- }
4439
- const parseECAlgorithmIdentifier = state => {
4440
- const algOid = parseAlgorithmOID(state);
4441
- if (bytesEqual(algOid, [ 43, 101, 110 ])) {
4442
- return "X25519";
4443
- }
4444
- if (!bytesEqual(algOid, [ 42, 134, 72, 206, 61, 2, 1 ])) {
4445
- throw new Error("Unsupported key algorithm");
4446
- }
4447
- expectTag(state, 6, "Expected curve OID");
4448
- const curveOidLen = parseLength(state);
4449
- const curveOid = getSubarray(state, curveOidLen);
4450
- for (const {name: name, oid: oid} of [ {
4451
- name: "P-256",
4452
- oid: [ 42, 134, 72, 206, 61, 3, 1, 7 ]
4453
- }, {
4454
- name: "P-384",
4455
- oid: [ 43, 129, 4, 0, 34 ]
4456
- }, {
4457
- name: "P-521",
4458
- oid: [ 43, 129, 4, 0, 35 ]
4459
- } ]) {
4460
- if (bytesEqual(curveOid, oid)) {
4461
- return name;
4462
- }
4463
- }
4464
- throw new Error("Unsupported named curve");
4465
- };
4466
- const genericImport = async (keyFormat, keyData, alg, options) => {
4467
- var _options$extractable;
4468
- let algorithm;
4469
- let keyUsages;
4470
- const isPublic = keyFormat === "spki";
4471
- const getSigUsages = () => isPublic ? [ "verify" ] : [ "sign" ];
4472
- const getEncUsages = () => isPublic ? [ "encrypt", "wrapKey" ] : [ "decrypt", "unwrapKey" ];
4388
+ function subtleAlgorithm(alg, algorithm) {
4389
+ const hash = "SHA-".concat(alg.slice(-3));
4473
4390
  switch (alg) {
4391
+ case "HS256":
4392
+ case "HS384":
4393
+ case "HS512":
4394
+ return {
4395
+ hash: hash,
4396
+ name: "HMAC"
4397
+ };
4398
+
4474
4399
  case "PS256":
4475
4400
  case "PS384":
4476
4401
  case "PS512":
4477
- algorithm = {
4402
+ return {
4403
+ hash: hash,
4478
4404
  name: "RSA-PSS",
4479
- hash: "SHA-".concat(alg.slice(-3))
4405
+ saltLength: parseInt(alg.slice(-3), 10) >> 3
4480
4406
  };
4481
- keyUsages = getSigUsages();
4482
- break;
4483
4407
 
4484
4408
  case "RS256":
4485
4409
  case "RS384":
4486
4410
  case "RS512":
4487
- algorithm = {
4488
- name: "RSASSA-PKCS1-v1_5",
4489
- hash: "SHA-".concat(alg.slice(-3))
4490
- };
4491
- keyUsages = getSigUsages();
4492
- break;
4493
-
4494
- case "RSA-OAEP":
4495
- case "RSA-OAEP-256":
4496
- case "RSA-OAEP-384":
4497
- case "RSA-OAEP-512":
4498
- algorithm = {
4499
- name: "RSA-OAEP",
4500
- hash: "SHA-".concat(parseInt(alg.slice(-3), 10) || 1)
4411
+ return {
4412
+ hash: hash,
4413
+ name: "RSASSA-PKCS1-v1_5"
4501
4414
  };
4502
- keyUsages = getEncUsages();
4503
- break;
4504
4415
 
4505
4416
  case "ES256":
4506
4417
  case "ES384":
4507
4418
  case "ES512":
4508
- {
4509
- const curveMap = {
4510
- ES256: "P-256",
4511
- ES384: "P-384",
4512
- ES512: "P-521"
4513
- };
4514
- algorithm = {
4515
- name: "ECDSA",
4516
- namedCurve: curveMap[alg]
4517
- };
4518
- keyUsages = getSigUsages();
4519
- break;
4520
- }
4521
-
4522
- case "ECDH-ES":
4523
- case "ECDH-ES+A128KW":
4524
- case "ECDH-ES+A192KW":
4525
- case "ECDH-ES+A256KW":
4526
- {
4527
- try {
4528
- const namedCurve = options.getNamedCurve(keyData);
4529
- algorithm = namedCurve === "X25519" ? {
4530
- name: "X25519"
4531
- } : {
4532
- name: "ECDH",
4533
- namedCurve: namedCurve
4534
- };
4535
- } catch (cause) {
4536
- throw new JOSENotSupported("Invalid or unsupported key format");
4537
- }
4538
- keyUsages = isPublic ? [] : [ "deriveBits" ];
4539
- break;
4540
- }
4419
+ return {
4420
+ hash: hash,
4421
+ name: "ECDSA",
4422
+ namedCurve: algorithm.namedCurve
4423
+ };
4541
4424
 
4542
4425
  case "Ed25519":
4543
4426
  case "EdDSA":
4544
- algorithm = {
4427
+ return {
4545
4428
  name: "Ed25519"
4546
4429
  };
4547
- keyUsages = getSigUsages();
4548
- break;
4549
4430
 
4550
4431
  case "ML-DSA-44":
4551
4432
  case "ML-DSA-65":
4552
4433
  case "ML-DSA-87":
4553
- algorithm = {
4434
+ return {
4554
4435
  name: alg
4555
4436
  };
4556
- keyUsages = getSigUsages();
4557
- break;
4558
4437
 
4559
4438
  default:
4560
- throw new JOSENotSupported('Invalid or unsupported "alg" (Algorithm) value');
4439
+ throw new JOSENotSupported("alg ".concat(alg, " is not supported either by JOSE or your javascript runtime"));
4561
4440
  }
4562
- return crypto.subtle.importKey(keyFormat, keyData, algorithm, (_options$extractable = options === null || options === void 0 ? void 0 : options.extractable) !== null && _options$extractable !== void 0 ? _options$extractable : isPublic ? true : false, keyUsages);
4563
- };
4564
- const processPEMData = (pem, pattern) => decodeBase64(pem.replace(pattern, ""));
4565
- const fromPKCS8 = (pem, alg, options) => {
4566
- var _alg$startsWith;
4567
- const keyData = processPEMData(pem, /(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g);
4568
- let opts = options;
4569
- if (alg !== null && alg !== void 0 && (_alg$startsWith = alg.startsWith) !== null && _alg$startsWith !== void 0 && _alg$startsWith.call(alg, "ECDH-ES")) {
4570
- opts || (opts = {});
4571
- opts.getNamedCurve = keyData => {
4572
- const state = createASN1State(keyData);
4573
- parsePKCS8Header(state);
4574
- return parseECAlgorithmIdentifier(state);
4575
- };
4441
+ }
4442
+ async function getSigKey(alg, key, usage) {
4443
+ if (key instanceof Uint8Array) {
4444
+ if (!alg.startsWith("HS")) {
4445
+ throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
4446
+ }
4447
+ return crypto.subtle.importKey("raw", key, {
4448
+ hash: "SHA-".concat(alg.slice(-3)),
4449
+ name: "HMAC"
4450
+ }, false, [ usage ]);
4576
4451
  }
4577
- return genericImport("pkcs8", keyData, alg, opts);
4578
- };
4452
+ checkSigCryptoKey(key, alg, usage);
4453
+ return key;
4454
+ }
4455
+ async function verify(alg, key, signature, data) {
4456
+ const cryptoKey = await getSigKey(alg, key, "verify");
4457
+ checkKeyLength(alg, cryptoKey);
4458
+ const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
4459
+ try {
4460
+ return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
4461
+ } catch (_unused) {
4462
+ return false;
4463
+ }
4464
+ }
4465
+ const unsupportedAlg = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value';
4579
4466
  function subtleMapping(jwk) {
4580
4467
  let algorithm;
4581
4468
  let keyUsages;
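Review bot: In `getSigKey` the `Uint8Array` branch accepts any `alg` that starts with "HS" and builds the hash name from `alg.slice(-3)`, so a value outside HS256/HS384/HS512 reaches `crypto.subtle.importKey` instead of the `JOSENotSupported` default in `subtleAlgorithm`. Reusing the helper keeps a single allow-list for HMAC: `return crypto.subtle.importKey("raw", key, subtleAlgorithm(alg), false, [ usage ]);`. In `verify`, the `catch` turns every exception from `crypto.subtle.verify` into `false`; that fails closed, but a comment such as `// any WebCrypto error is reported as an invalid signature` would tell readers that runtime or algorithm-support errors cannot be told apart from a bad signature here. `subtleMapping`, whose first lines close the hunk, continues outside it.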
@@ -4593,7 +4480,7 @@
4593
4480
  break;
4594
4481
 
4595
4482
  default:
4596
- throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
4483
+ throw new JOSENotSupported(unsupportedAlg);
4597
4484
  }
4598
4485
  break;
4599
4486
  }
@@ -4633,7 +4520,7 @@
4633
4520
  break;
4634
4521
 
4635
4522
  default:
4636
- throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
4523
+ throw new JOSENotSupported(unsupportedAlg);
4637
4524
  }
4638
4525
  break;
4639
4526
  }
@@ -4642,25 +4529,15 @@
4642
4529
  {
4643
4530
  switch (jwk.alg) {
4644
4531
  case "ES256":
4645
- algorithm = {
4646
- name: "ECDSA",
4647
- namedCurve: "P-256"
4648
- };
4649
- keyUsages = jwk.d ? [ "sign" ] : [ "verify" ];
4650
- break;
4651
-
4652
4532
  case "ES384":
4653
- algorithm = {
4654
- name: "ECDSA",
4655
- namedCurve: "P-384"
4656
- };
4657
- keyUsages = jwk.d ? [ "sign" ] : [ "verify" ];
4658
- break;
4659
-
4660
4533
  case "ES512":
4661
4534
  algorithm = {
4662
4535
  name: "ECDSA",
4663
- namedCurve: "P-521"
4536
+ namedCurve: {
4537
+ ES256: "P-256",
4538
+ ES384: "P-384",
4539
+ ES512: "P-521"
4540
+ }[jwk.alg]
4664
4541
  };
4665
4542
  keyUsages = jwk.d ? [ "sign" ] : [ "verify" ];
4666
4543
  break;
@@ -4677,7 +4554,7 @@
4677
4554
  break;
4678
4555
 
4679
4556
  default:
4680
- throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
4557
+ throw new JOSENotSupported(unsupportedAlg);
4681
4558
  }
4682
4559
  break;
4683
4560
  }
@@ -4704,7 +4581,7 @@
4704
4581
  break;
4705
4582
 
4706
4583
  default:
4707
- throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
4584
+ throw new JOSENotSupported(unsupportedAlg);
4708
4585
  }
4709
4586
  break;
4710
4587
  }
@@ -4730,102 +4607,7 @@
4730
4607
  delete keyData.use;
4731
4608
  return crypto.subtle.importKey("jwk", keyData, algorithm, (_jwk$ext = jwk.ext) !== null && _jwk$ext !== void 0 ? _jwk$ext : jwk.d || jwk.priv ? false : true, (_jwk$key_ops = jwk.key_ops) !== null && _jwk$key_ops !== void 0 ? _jwk$key_ops : keyUsages);
4732
4609
  }
4733
- async function importPKCS8(pkcs8, alg, options) {
4734
- if (typeof pkcs8 !== "string" || pkcs8.indexOf("-----BEGIN PRIVATE KEY-----") !== 0) {
4735
- throw new TypeError('"pkcs8" must be PKCS#8 formatted string');
4736
- }
4737
- return fromPKCS8(pkcs8, alg, options);
4738
- }
4739
- async function importJWK(jwk, alg, options) {
4740
- var _options$extractable;
4741
- if (!isObject(jwk)) {
4742
- throw new TypeError("JWK must be an object");
4743
- }
4744
- let ext;
4745
- alg !== null && alg !== void 0 ? alg : alg = jwk.alg;
4746
- ext !== null && ext !== void 0 ? ext : ext = (_options$extractable = options === null || options === void 0 ? void 0 : options.extractable) !== null && _options$extractable !== void 0 ? _options$extractable : jwk.ext;
4747
- switch (jwk.kty) {
4748
- case "oct":
4749
- if (typeof jwk.k !== "string" || !jwk.k) {
4750
- throw new TypeError('missing "k" (Key Value) Parameter value');
4751
- }
4752
- return decode(jwk.k);
4753
-
4754
- case "RSA":
4755
- if ("oth" in jwk && jwk.oth !== undefined) {
4756
- throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
4757
- }
4758
- return jwkToKey(_objectSpread2(_objectSpread2({}, jwk), {}, {
4759
- alg: alg,
4760
- ext: ext
4761
- }));
4762
-
4763
- case "AKP":
4764
- {
4765
- if (typeof jwk.alg !== "string" || !jwk.alg) {
4766
- throw new TypeError('missing "alg" (Algorithm) Parameter value');
4767
- }
4768
- if (alg !== undefined && alg !== jwk.alg) {
4769
- throw new TypeError("JWK alg and alg option value mismatch");
4770
- }
4771
- return jwkToKey(_objectSpread2(_objectSpread2({}, jwk), {}, {
4772
- ext: ext
4773
- }));
4774
- }
4775
-
4776
- case "EC":
4777
- case "OKP":
4778
- return jwkToKey(_objectSpread2(_objectSpread2({}, jwk), {}, {
4779
- alg: alg,
4780
- ext: ext
4781
- }));
4782
-
4783
- default:
4784
- throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
4785
- }
4786
- }
4787
- function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
4788
- if (joseHeader.crit !== undefined && (protectedHeader === null || protectedHeader === void 0 ? void 0 : protectedHeader.crit) === undefined) {
4789
- throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
4790
- }
4791
- if (!protectedHeader || protectedHeader.crit === undefined) {
4792
- return new Set;
4793
- }
4794
- if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input => typeof input !== "string" || input.length === 0))) {
4795
- throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
4796
- }
4797
- let recognized;
4798
- if (recognizedOption !== undefined) {
4799
- recognized = new Map([ ...Object.entries(recognizedOption), ...recognizedDefault.entries() ]);
4800
- } else {
4801
- recognized = recognizedDefault;
4802
- }
4803
- for (const parameter of protectedHeader.crit) {
4804
- if (!recognized.has(parameter)) {
4805
- throw new JOSENotSupported('Extension Header Parameter "'.concat(parameter, '" is not recognized'));
4806
- }
4807
- if (joseHeader[parameter] === undefined) {
4808
- throw new Err('Extension Header Parameter "'.concat(parameter, '" is missing'));
4809
- }
4810
- if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
4811
- throw new Err('Extension Header Parameter "'.concat(parameter, '" MUST be integrity protected'));
4812
- }
4813
- }
4814
- return new Set(protectedHeader.crit);
4815
- }
4816
- function validateAlgorithms(option, algorithms) {
4817
- if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s => typeof s !== "string")))) {
4818
- throw new TypeError('"'.concat(option, '" option must be an array of strings'));
4819
- }
4820
- if (!algorithms) {
4821
- return undefined;
4822
- }
4823
- return new Set(algorithms);
4824
- }
4825
- const isJWK = key => isObject(key) && typeof key.kty === "string";
4826
- const isPrivateJWK = key => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
4827
- const isPublicJWK = key => key.kty !== "oct" && key.d === undefined && key.priv === undefined;
4828
- const isSecretJWK = key => key.kty === "oct" && typeof key.k === "string";
4610
+ const unusableForAlg = "given KeyObject instance cannot be used for this algorithm";
4829
4611
  let cache;
4830
4612
  const handleJWK = async function handleJWK(key, jwk, alg) {
4831
4613
  let freeze = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : false;
@@ -4865,13 +4647,13 @@
4865
4647
  break;
4866
4648
 
4867
4649
  default:
4868
- throw new TypeError("given KeyObject instance cannot be used for this algorithm");
4650
+ throw new TypeError(unusableForAlg);
4869
4651
  }
4870
4652
  cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : [ "deriveBits" ]);
4871
4653
  }
4872
4654
  if (keyObject.asymmetricKeyType === "ed25519") {
4873
4655
  if (alg !== "EdDSA" && alg !== "Ed25519") {
4874
- throw new TypeError("given KeyObject instance cannot be used for this algorithm");
4656
+ throw new TypeError(unusableForAlg);
4875
4657
  }
4876
4658
  cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [ isPublic ? "verify" : "sign" ]);
4877
4659
  }
@@ -4881,7 +4663,7 @@
4881
4663
  case "ml-dsa-87":
4882
4664
  {
4883
4665
  if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
4884
- throw new TypeError("given KeyObject instance cannot be used for this algorithm");
4666
+ throw new TypeError(unusableForAlg);
4885
4667
  }
4886
4668
  cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [ isPublic ? "verify" : "sign" ]);
4887
4669
  }
@@ -4912,7 +4694,7 @@
4912
4694
  break;
4913
4695
 
4914
4696
  default:
4915
- throw new TypeError("given KeyObject instance cannot be used for this algorithm");
4697
+ throw new TypeError(unusableForAlg);
4916
4698
  }
4917
4699
  if (alg.startsWith("RSA-OAEP")) {
4918
4700
  return keyObject.toCryptoKey({
@@ -4930,21 +4712,14 @@
4930
4712
  const nist = new Map([ [ "prime256v1", "P-256" ], [ "secp384r1", "P-384" ], [ "secp521r1", "P-521" ] ]);
4931
4713
  const namedCurve = nist.get((_keyObject$asymmetric = keyObject.asymmetricKeyDetails) === null || _keyObject$asymmetric === void 0 ? void 0 : _keyObject$asymmetric.namedCurve);
4932
4714
  if (!namedCurve) {
4933
- throw new TypeError("given KeyObject instance cannot be used for this algorithm");
4934
- }
4935
- if (alg === "ES256" && namedCurve === "P-256") {
4936
- cryptoKey = keyObject.toCryptoKey({
4937
- name: "ECDSA",
4938
- namedCurve: namedCurve
4939
- }, extractable, [ isPublic ? "verify" : "sign" ]);
4940
- }
4941
- if (alg === "ES384" && namedCurve === "P-384") {
4942
- cryptoKey = keyObject.toCryptoKey({
4943
- name: "ECDSA",
4944
- namedCurve: namedCurve
4945
- }, extractable, [ isPublic ? "verify" : "sign" ]);
4715
+ throw new TypeError(unusableForAlg);
4946
4716
  }
4947
- if (alg === "ES512" && namedCurve === "P-521") {
4717
+ const expectedCurve = {
4718
+ ES256: "P-256",
4719
+ ES384: "P-384",
4720
+ ES512: "P-521"
4721
+ };
4722
+ if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {
4948
4723
  cryptoKey = keyObject.toCryptoKey({
4949
4724
  name: "ECDSA",
4950
4725
  namedCurve: namedCurve
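Review bot: `expectedCurve[alg]` indexes a plain object literal with the caller-supplied `alg`, so a name inherited from `Object.prototype` (for example `constructor`) yields a truthy value in the first half of the condition. The strict comparison with `namedCurve` keeps the result correct, but the test then depends entirely on that second half. `nist`, a few lines above, is already a `Map`, and the same form here removes the doubt: `const expectedCurve = new Map([ [ "ES256", "P-256" ], [ "ES384", "P-384" ], [ "ES512", "P-521" ] ]);` with `if (namedCurve === expectedCurve.get(alg)) {`. The enclosing function starts and ends outside this hunk.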
@@ -4957,50 +4732,334 @@
4957
4732
  }, extractable, isPublic ? [] : [ "deriveBits" ]);
4958
4733
  }
4959
4734
  }
4960
- if (!cryptoKey) {
4961
- throw new TypeError("given KeyObject instance cannot be used for this algorithm");
4735
+ if (!cryptoKey) {
4736
+ throw new TypeError(unusableForAlg);
4737
+ }
4738
+ if (!cached) {
4739
+ cache.set(keyObject, {
4740
+ [alg]: cryptoKey
4741
+ });
4742
+ } else {
4743
+ cached[alg] = cryptoKey;
4744
+ }
4745
+ return cryptoKey;
4746
+ };
4747
+ async function normalizeKey(key, alg) {
4748
+ if (key instanceof Uint8Array) {
4749
+ return key;
4750
+ }
4751
+ if (isCryptoKey(key)) {
4752
+ return key;
4753
+ }
4754
+ if (isKeyObject(key)) {
4755
+ if (key.type === "secret") {
4756
+ return key.export();
4757
+ }
4758
+ if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") {
4759
+ try {
4760
+ return handleKeyObject(key, alg);
4761
+ } catch (err) {
4762
+ if (err instanceof TypeError) {
4763
+ throw err;
4764
+ }
4765
+ }
4766
+ }
4767
+ let jwk = key.export({
4768
+ format: "jwk"
4769
+ });
4770
+ return handleJWK(key, jwk, alg);
4771
+ }
4772
+ if (isJWK(key)) {
4773
+ if (key.k) {
4774
+ return decode(key.k);
4775
+ }
4776
+ return handleJWK(key, key, alg, true);
4777
+ }
4778
+ throw new Error("unreachable");
4779
+ }
4780
+ const bytesEqual = (a, b) => {
4781
+ if (a.byteLength !== b.length) return false;
4782
+ for (let i = 0; i < a.byteLength; i++) {
4783
+ if (a[i] !== b[i]) return false;
4784
+ }
4785
+ return true;
4786
+ };
4787
+ const createASN1State = data => ({
4788
+ data: data,
4789
+ pos: 0
4790
+ });
4791
+ const parseLength = state => {
4792
+ const first = state.data[state.pos++];
4793
+ if (first & 128) {
4794
+ const lengthOfLen = first & 127;
4795
+ let length = 0;
4796
+ for (let i = 0; i < lengthOfLen; i++) {
4797
+ length = length << 8 | state.data[state.pos++];
4798
+ }
4799
+ return length;
4800
+ }
4801
+ return first;
4802
+ };
4803
+ const expectTag = (state, expectedTag, errorMessage) => {
4804
+ if (state.data[state.pos++] !== expectedTag) {
4805
+ throw new Error(errorMessage);
4806
+ }
4807
+ };
4808
+ const getSubarray = (state, length) => {
4809
+ const result = state.data.subarray(state.pos, state.pos + length);
4810
+ state.pos += length;
4811
+ return result;
4812
+ };
4813
+ const parseAlgorithmOID = state => {
4814
+ expectTag(state, 6, "Expected algorithm OID");
4815
+ const oidLen = parseLength(state);
4816
+ return getSubarray(state, oidLen);
4817
+ };
4818
+ function parsePKCS8Header(state) {
4819
+ expectTag(state, 48, "Invalid PKCS#8 structure");
4820
+ parseLength(state);
4821
+ expectTag(state, 2, "Expected version field");
4822
+ const verLen = parseLength(state);
4823
+ state.pos += verLen;
4824
+ expectTag(state, 48, "Expected algorithm identifier");
4825
+ const algIdLen = parseLength(state);
4826
+ const algIdStart = state.pos;
4827
+ return {
4828
+ algIdStart: algIdStart,
4829
+ algIdLength: algIdLen
4830
+ };
4831
+ }
4832
+ const parseECAlgorithmIdentifier = state => {
4833
+ const algOid = parseAlgorithmOID(state);
4834
+ if (bytesEqual(algOid, [ 43, 101, 110 ])) {
4835
+ return "X25519";
4836
+ }
4837
+ if (!bytesEqual(algOid, [ 42, 134, 72, 206, 61, 2, 1 ])) {
4838
+ throw new Error("Unsupported key algorithm");
4839
+ }
4840
+ expectTag(state, 6, "Expected curve OID");
4841
+ const curveOidLen = parseLength(state);
4842
+ const curveOid = getSubarray(state, curveOidLen);
4843
+ for (const {name: name, oid: oid} of [ {
4844
+ name: "P-256",
4845
+ oid: [ 42, 134, 72, 206, 61, 3, 1, 7 ]
4846
+ }, {
4847
+ name: "P-384",
4848
+ oid: [ 43, 129, 4, 0, 34 ]
4849
+ }, {
4850
+ name: "P-521",
4851
+ oid: [ 43, 129, 4, 0, 35 ]
4852
+ } ]) {
4853
+ if (bytesEqual(curveOid, oid)) {
4854
+ return name;
4855
+ }
4856
+ }
4857
+ throw new Error("Unsupported named curve");
4858
+ };
4859
+ const genericImport = async (keyFormat, keyData, alg, options) => {
4860
+ var _options$extractable;
4861
+ let algorithm;
4862
+ let keyUsages;
4863
+ const isPublic = keyFormat === "spki";
4864
+ const getSigUsages = () => isPublic ? [ "verify" ] : [ "sign" ];
4865
+ const getEncUsages = () => isPublic ? [ "encrypt", "wrapKey" ] : [ "decrypt", "unwrapKey" ];
4866
+ switch (alg) {
4867
+ case "PS256":
4868
+ case "PS384":
4869
+ case "PS512":
4870
+ algorithm = {
4871
+ name: "RSA-PSS",
4872
+ hash: "SHA-".concat(alg.slice(-3))
4873
+ };
4874
+ keyUsages = getSigUsages();
4875
+ break;
4876
+
4877
+ case "RS256":
4878
+ case "RS384":
4879
+ case "RS512":
4880
+ algorithm = {
4881
+ name: "RSASSA-PKCS1-v1_5",
4882
+ hash: "SHA-".concat(alg.slice(-3))
4883
+ };
4884
+ keyUsages = getSigUsages();
4885
+ break;
4886
+
4887
+ case "RSA-OAEP":
4888
+ case "RSA-OAEP-256":
4889
+ case "RSA-OAEP-384":
4890
+ case "RSA-OAEP-512":
4891
+ algorithm = {
4892
+ name: "RSA-OAEP",
4893
+ hash: "SHA-".concat(parseInt(alg.slice(-3), 10) || 1)
4894
+ };
4895
+ keyUsages = getEncUsages();
4896
+ break;
4897
+
4898
+ case "ES256":
4899
+ case "ES384":
4900
+ case "ES512":
4901
+ {
4902
+ const curveMap = {
4903
+ ES256: "P-256",
4904
+ ES384: "P-384",
4905
+ ES512: "P-521"
4906
+ };
4907
+ algorithm = {
4908
+ name: "ECDSA",
4909
+ namedCurve: curveMap[alg]
4910
+ };
4911
+ keyUsages = getSigUsages();
4912
+ break;
4913
+ }
4914
+
4915
+ case "ECDH-ES":
4916
+ case "ECDH-ES+A128KW":
4917
+ case "ECDH-ES+A192KW":
4918
+ case "ECDH-ES+A256KW":
4919
+ {
4920
+ try {
4921
+ const namedCurve = options.getNamedCurve(keyData);
4922
+ algorithm = namedCurve === "X25519" ? {
4923
+ name: "X25519"
4924
+ } : {
4925
+ name: "ECDH",
4926
+ namedCurve: namedCurve
4927
+ };
4928
+ } catch (cause) {
4929
+ throw new JOSENotSupported("Invalid or unsupported key format");
4930
+ }
4931
+ keyUsages = isPublic ? [] : [ "deriveBits" ];
4932
+ break;
4933
+ }
4934
+
4935
+ case "Ed25519":
4936
+ case "EdDSA":
4937
+ algorithm = {
4938
+ name: "Ed25519"
4939
+ };
4940
+ keyUsages = getSigUsages();
4941
+ break;
4942
+
4943
+ case "ML-DSA-44":
4944
+ case "ML-DSA-65":
4945
+ case "ML-DSA-87":
4946
+ algorithm = {
4947
+ name: alg
4948
+ };
4949
+ keyUsages = getSigUsages();
4950
+ break;
4951
+
4952
+ default:
4953
+ throw new JOSENotSupported('Invalid or unsupported "alg" (Algorithm) value');
4954
+ }
4955
+ return crypto.subtle.importKey(keyFormat, keyData, algorithm, (_options$extractable = options === null || options === void 0 ? void 0 : options.extractable) !== null && _options$extractable !== void 0 ? _options$extractable : isPublic ? true : false, keyUsages);
4956
+ };
4957
+ const processPEMData = (pem, pattern) => decodeBase64(pem.replace(pattern, ""));
4958
+ const fromPKCS8 = (pem, alg, options) => {
4959
+ var _alg$startsWith;
4960
+ const keyData = processPEMData(pem, /(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g);
4961
+ let opts = options;
4962
+ if (alg !== null && alg !== void 0 && (_alg$startsWith = alg.startsWith) !== null && _alg$startsWith !== void 0 && _alg$startsWith.call(alg, "ECDH-ES")) {
4963
+ opts || (opts = {});
4964
+ opts.getNamedCurve = keyData => {
4965
+ const state = createASN1State(keyData);
4966
+ parsePKCS8Header(state);
4967
+ return parseECAlgorithmIdentifier(state);
4968
+ };
4969
+ }
4970
+ return genericImport("pkcs8", keyData, alg, opts);
4971
+ };
4972
+ async function importPKCS8(pkcs8, alg, options) {
4973
+ if (typeof pkcs8 !== "string" || pkcs8.indexOf("-----BEGIN PRIVATE KEY-----") !== 0) {
4974
+ throw new TypeError('"pkcs8" must be PKCS#8 formatted string');
4975
+ }
4976
+ return fromPKCS8(pkcs8, alg, options);
4977
+ }
4978
+ async function importJWK(jwk, alg, options) {
4979
+ var _options$extractable;
4980
+ if (!isObject(jwk)) {
4981
+ throw new TypeError("JWK must be an object");
4982
+ }
4983
+ let ext;
4984
+ alg !== null && alg !== void 0 ? alg : alg = jwk.alg;
4985
+ ext !== null && ext !== void 0 ? ext : ext = (_options$extractable = options === null || options === void 0 ? void 0 : options.extractable) !== null && _options$extractable !== void 0 ? _options$extractable : jwk.ext;
4986
+ switch (jwk.kty) {
4987
+ case "oct":
4988
+ if (typeof jwk.k !== "string" || !jwk.k) {
4989
+ throw new TypeError('missing "k" (Key Value) Parameter value');
4990
+ }
4991
+ return decode(jwk.k);
4992
+
4993
+ case "RSA":
4994
+ if ("oth" in jwk && jwk.oth !== undefined) {
4995
+ throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
4996
+ }
4997
+ return jwkToKey(_objectSpread2(_objectSpread2({}, jwk), {}, {
4998
+ alg: alg,
4999
+ ext: ext
5000
+ }));
5001
+
5002
+ case "AKP":
5003
+ {
5004
+ if (typeof jwk.alg !== "string" || !jwk.alg) {
5005
+ throw new TypeError('missing "alg" (Algorithm) Parameter value');
5006
+ }
5007
+ if (alg !== undefined && alg !== jwk.alg) {
5008
+ throw new TypeError("JWK alg and alg option value mismatch");
5009
+ }
5010
+ return jwkToKey(_objectSpread2(_objectSpread2({}, jwk), {}, {
5011
+ ext: ext
5012
+ }));
5013
+ }
5014
+
5015
+ case "EC":
5016
+ case "OKP":
5017
+ return jwkToKey(_objectSpread2(_objectSpread2({}, jwk), {}, {
5018
+ alg: alg,
5019
+ ext: ext
5020
+ }));
5021
+
5022
+ default:
5023
+ throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
5024
+ }
5025
+ }
5026
+ function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
5027
+ if (joseHeader.crit !== undefined && (protectedHeader === null || protectedHeader === void 0 ? void 0 : protectedHeader.crit) === undefined) {
5028
+ throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
4962
5029
  }
4963
- if (!cached) {
4964
- cache.set(keyObject, {
4965
- [alg]: cryptoKey
4966
- });
4967
- } else {
4968
- cached[alg] = cryptoKey;
5030
+ if (!protectedHeader || protectedHeader.crit === undefined) {
5031
+ return new Set;
4969
5032
  }
4970
- return cryptoKey;
4971
- };
4972
- async function normalizeKey(key, alg) {
4973
- if (key instanceof Uint8Array) {
4974
- return key;
5033
+ if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some(input => typeof input !== "string" || input.length === 0)) {
5034
+ throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
4975
5035
  }
4976
- if (isCryptoKey(key)) {
4977
- return key;
5036
+ let recognized;
5037
+ if (recognizedOption !== undefined) {
5038
+ recognized = new Map([ ...Object.entries(recognizedOption), ...recognizedDefault.entries() ]);
5039
+ } else {
5040
+ recognized = recognizedDefault;
4978
5041
  }
4979
- if (isKeyObject(key)) {
4980
- if (key.type === "secret") {
4981
- return key.export();
5042
+ for (const parameter of protectedHeader.crit) {
5043
+ if (!recognized.has(parameter)) {
5044
+ throw new JOSENotSupported('Extension Header Parameter "'.concat(parameter, '" is not recognized'));
4982
5045
  }
4983
- if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") {
4984
- try {
4985
- return handleKeyObject(key, alg);
4986
- } catch (err) {
4987
- if (err instanceof TypeError) {
4988
- throw err;
4989
- }
4990
- }
5046
+ if (joseHeader[parameter] === undefined) {
5047
+ throw new Err('Extension Header Parameter "'.concat(parameter, '" is missing'));
4991
5048
  }
4992
- let jwk = key.export({
4993
- format: "jwk"
4994
- });
4995
- return handleJWK(key, jwk, alg);
4996
- }
4997
- if (isJWK(key)) {
4998
- if (key.k) {
4999
- return decode(key.k);
5049
+ if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
5050
+ throw new Err('Extension Header Parameter "'.concat(parameter, '" MUST be integrity protected'));
5000
5051
  }
5001
- return handleJWK(key, key, alg, true);
5002
5052
  }
5003
- throw new Error("unreachable");
5053
+ return new Set(protectedHeader.crit);
5054
+ }
5055
+ function validateAlgorithms(option, algorithms) {
5056
+ if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some(s => typeof s !== "string"))) {
5057
+ throw new TypeError('"'.concat(option, '" option must be an array of strings'));
5058
+ }
5059
+ if (!algorithms) {
5060
+ return undefined;
5061
+ }
5062
+ return new Set(algorithms);
5004
5063
  }
5005
5064
  const tag = key => key === null || key === void 0 ? void 0 : key[Symbol.toStringTag];
5006
5065
  const jwkMatchesOp = (alg, key, usage) => {
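Review bot: `parseLength` in this hunk reads DER length octets with no bounds or size check, so a truncated buffer makes `state.data[state.pos++]` yield `undefined`, and a long-form length of four or more octets can overflow the 32-bit `<<` into a negative or wrapped value. Judging by the callers visible here it only runs from `fromPKCS8` to pick the curve for `ECDH-ES*` keys, and `genericImport` converts any throw from `getNamedCurve` into `JOSENotSupported`, so the effect looks limited to a wrong or misleading result before `crypto.subtle.importKey` does the real validation. I would still make the parser fail closed before the loop, for example `if (lengthOfLen === 0 || lengthOfLen > 3 || state.pos + lengthOfLen > state.data.length) throw new Error("Invalid ASN.1 length");`. This is bundled dependency code, so the change belongs upstream rather than in this file.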
@@ -5131,7 +5190,7 @@
5131
5190
  let USER_AGENT$1;
5132
5191
  if (typeof navigator === "undefined" || !((_navigator$userAgent$1 = navigator.userAgent) !== null && _navigator$userAgent$1 !== void 0 && (_navigator$userAgent$$1 = _navigator$userAgent$1.startsWith) !== null && _navigator$userAgent$$1 !== void 0 && _navigator$userAgent$$1.call(_navigator$userAgent$1, "Mozilla/5.0 "))) {
5133
5192
  const NAME = "openid-client";
5134
- const VERSION = "v6.8.1";
5193
+ const VERSION = "v6.8.2";
5135
5194
  USER_AGENT$1 = "".concat(NAME, "/").concat(VERSION);
5136
5195
  headers = {
5137
5196
  "user-agent": USER_AGENT$1
@@ -5321,7 +5380,7 @@
5321
5380
  method: "GET",
5322
5381
  redirect: "manual",
5323
5382
  signal: signal
5324
- })).then((response => processDiscoveryResponse(_nodiscoverycheck, response))).catch(errorHandler);
5383
+ })).then(response => processDiscoveryResponse(_nodiscoverycheck, response)).catch(errorHandler);
5325
5384
  if (resolve && new URL(as.issuer).href !== server.href) {
5326
5385
  handleEntraId(server, as, options) || handleB2Clogin(server, options) || (() => {
5327
5386
  throw new ClientError("discovered metadata issuer does not match the expected issuer", {
@@ -5487,7 +5546,7 @@
5487
5546
  }
5488
5547
  }
5489
5548
  function wait(duration, signal) {
5490
- return new Promise(((resolve, reject) => {
5549
+ return new Promise((resolve, reject) => {
5491
5550
  const waitStep = remaining => {
5492
5551
  try {
5493
5552
  signal.throwIfAborted();
@@ -5500,10 +5559,10 @@
5500
5559
  return;
5501
5560
  }
5502
5561
  const currentWait = Math.min(remaining, 5);
5503
- setTimeout((() => waitStep(remaining - currentWait)), currentWait * 1e3);
5562
+ setTimeout(() => waitStep(remaining - currentWait), currentWait * 1e3);
5504
5563
  };
5505
5564
  waitStep(duration);
5506
- }));
5565
+ });
5507
5566
  }
5508
5567
  async function initiateBackchannelAuthentication(config, parameters) {
5509
5568
  checkConfig(config);
@@ -5513,7 +5572,7 @@
5513
5572
  [allowInsecureRequests$1]: !tlsOnly,
5514
5573
  headers: new Headers(headers),
5515
5574
  signal: signal(timeout)
5516
- }).then((response => processBackchannelAuthenticationResponse(as, c, response))).catch(errorHandler);
5575
+ }).then(response => processBackchannelAuthenticationResponse(as, c, response)).catch(errorHandler);
5517
5576
  }
5518
5577
  async function pollBackchannelAuthenticationGrant(config, backchannelAuthenticationResponse, parameters, options) {
5519
5578
  var _backchannelAuthentic, _options$signal2;
@@ -5825,7 +5884,7 @@
5825
5884
  DPoP: options === null || options === void 0 ? void 0 : options.DPoP,
5826
5885
  headers: new Headers(headers),
5827
5886
  signal: signal(timeout)
5828
- }).then((response => {
5887
+ }).then(response => {
5829
5888
  let recognizedTokenTypes;
5830
5889
  if (grantType === "urn:ietf:params:oauth:grant-type:token-exchange") {
5831
5890
  recognizedTokenTypes = {
@@ -5836,87 +5895,10 @@
5836
5895
  [jweDecrypt]: decrypt,
5837
5896
  recognizedTokenTypes: recognizedTokenTypes
5838
5897
  });
5839
- })).catch(errorHandler);
5898
+ }).catch(errorHandler);
5840
5899
  addHelpers(result);
5841
5900
  return result;
5842
5901
  }
5843
- function subtleAlgorithm(alg, algorithm) {
5844
- const hash = "SHA-".concat(alg.slice(-3));
5845
- switch (alg) {
5846
- case "HS256":
5847
- case "HS384":
5848
- case "HS512":
5849
- return {
5850
- hash: hash,
5851
- name: "HMAC"
5852
- };
5853
-
5854
- case "PS256":
5855
- case "PS384":
5856
- case "PS512":
5857
- return {
5858
- hash: hash,
5859
- name: "RSA-PSS",
5860
- saltLength: parseInt(alg.slice(-3), 10) >> 3
5861
- };
5862
-
5863
- case "RS256":
5864
- case "RS384":
5865
- case "RS512":
5866
- return {
5867
- hash: hash,
5868
- name: "RSASSA-PKCS1-v1_5"
5869
- };
5870
-
5871
- case "ES256":
5872
- case "ES384":
5873
- case "ES512":
5874
- return {
5875
- hash: hash,
5876
- name: "ECDSA",
5877
- namedCurve: algorithm.namedCurve
5878
- };
5879
-
5880
- case "Ed25519":
5881
- case "EdDSA":
5882
- return {
5883
- name: "Ed25519"
5884
- };
5885
-
5886
- case "ML-DSA-44":
5887
- case "ML-DSA-65":
5888
- case "ML-DSA-87":
5889
- return {
5890
- name: alg
5891
- };
5892
-
5893
- default:
5894
- throw new JOSENotSupported("alg ".concat(alg, " is not supported either by JOSE or your javascript runtime"));
5895
- }
5896
- }
5897
- async function getSigKey(alg, key, usage) {
5898
- if (key instanceof Uint8Array) {
5899
- if (!alg.startsWith("HS")) {
5900
- throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
5901
- }
5902
- return crypto.subtle.importKey("raw", key, {
5903
- hash: "SHA-".concat(alg.slice(-3)),
5904
- name: "HMAC"
5905
- }, false, [ usage ]);
5906
- }
5907
- checkSigCryptoKey(key, alg, usage);
5908
- return key;
5909
- }
5910
- async function verify(alg, key, signature, data) {
5911
- const cryptoKey = await getSigKey(alg, key, "verify");
5912
- checkKeyLength(alg, cryptoKey);
5913
- const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
5914
- try {
5915
- return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
5916
- } catch (_unused) {
5917
- return false;
5918
- }
5919
- }
5920
5902
  async function flattenedVerify(jws, key, options) {
5921
5903
  if (!isObject(jws)) {
5922
5904
  throw new JWSInvalid("Flattened JWS must be an object");
@@ -5979,12 +5961,7 @@
5979
5961
  }
5980
5962
  checkKeyType(alg, key, "verify");
5981
5963
  const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array, encode("."), typeof jws.payload === "string" ? b64 ? encode(jws.payload) : encoder.encode(jws.payload) : jws.payload);
5982
- let signature;
5983
- try {
5984
- signature = decode(jws.signature);
5985
- } catch (_unused2) {
5986
- throw new JWSInvalid("Failed to base64url decode the signature");
5987
- }
5964
+ const signature = decodeBase64url(jws.signature, "signature", JWSInvalid);
5988
5965
  const k = await normalizeKey(key, alg);
5989
5966
  const verified = await verify(alg, k, signature, data);
5990
5967
  if (!verified) {
@@ -5992,11 +5969,7 @@
5992
5969
  }
5993
5970
  let payload;
5994
5971
  if (b64) {
5995
- try {
5996
- payload = decode(jws.payload);
5997
- } catch (_unused3) {
5998
- throw new JWSInvalid("Failed to base64url decode the payload");
5999
- }
5972
+ payload = decodeBase64url(jws.payload, "payload", JWSInvalid);
6000
5973
  } else if (typeof jws.payload === "string") {
6001
5974
  payload = encoder.encode(jws.payload);
6002
5975
  } else {
@@ -6264,7 +6237,7 @@
6264
6237
  async getKey(protectedHeader, token) {
6265
6238
  const {alg: alg, kid: kid} = _objectSpread2(_objectSpread2({}, protectedHeader), token === null || token === void 0 ? void 0 : token.header);
6266
6239
  const kty = getKtyFromAlg(alg);
6267
- const candidates = _classPrivateFieldGet2(_jwks$1, this).keys.filter((jwk => {
6240
+ const candidates = _classPrivateFieldGet2(_jwks$1, this).keys.filter(jwk => {
6268
6241
  let candidate = kty === jwk.kty;
6269
6242
  if (candidate && typeof kid === "string") {
6270
6243
  candidate = kid === jwk.kid;
@@ -6299,7 +6272,7 @@
6299
6272
  }
6300
6273
  }
6301
6274
  return candidate;
6302
- }));
6275
+ });
6303
6276
  const {0: jwk, length: length} = candidates;
6304
6277
  if (length === 0) {
6305
6278
  throw new JWKSNoMatchingKey;
@@ -6307,13 +6280,13 @@
6307
6280
  if (length !== 1) {
6308
6281
  const error = new JWKSMultipleMatchingKeys;
6309
6282
  const _cached = _classPrivateFieldGet2(_cached2, this);
6310
- error[Symbol.asyncIterator] = _wrapAsyncGenerator((function*() {
6283
+ error[Symbol.asyncIterator] = _wrapAsyncGenerator(function*() {
6311
6284
  for (const jwk of candidates) {
6312
6285
  try {
6313
6286
  yield yield _awaitAsyncGenerator(importWithAlgCache(_cached, jwk, alg));
6314
6287
  } catch (_unused) {}
6315
6288
  }
6316
- }));
6289
+ });
6317
6290
  throw error;
6318
6291
  }
6319
6292
  return importWithAlgCache(_classPrivateFieldGet2(_cached2, this), jwk, alg);
@@ -6352,7 +6325,7 @@
6352
6325
  let USER_AGENT;
6353
6326
  if (typeof navigator === "undefined" || !((_navigator$userAgent = navigator.userAgent) !== null && _navigator$userAgent !== void 0 && (_navigator$userAgent$ = _navigator$userAgent.startsWith) !== null && _navigator$userAgent$ !== void 0 && _navigator$userAgent$.call(_navigator$userAgent, "Mozilla/5.0 "))) {
6354
6327
  const NAME = "jose";
6355
- const VERSION = "v6.1.3";
6328
+ const VERSION = "v6.2.2";
6356
6329
  USER_AGENT = "".concat(NAME, "/").concat(VERSION);
6357
6330
  }
6358
6331
  const customFetch = Symbol();
@@ -6363,12 +6336,12 @@
6363
6336
  signal: signal,
6364
6337
  redirect: "manual",
6365
6338
  headers: headers
6366
- }).catch((err => {
6339
+ }).catch(err => {
6367
6340
  if (err.name === "TimeoutError") {
6368
6341
  throw new JWKSTimeout;
6369
6342
  }
6370
6343
  throw err;
6371
- }));
6344
+ });
6372
6345
  if (response.status !== 200) {
6373
6346
  throw new JOSEError("Expected 200 OK from the JSON Web Key Set HTTP response");
6374
6347
  }
@@ -6470,7 +6443,7 @@
6470
6443
  if (_classPrivateFieldGet2(_pendingFetch, this) && isCloudflareWorkers()) {
6471
6444
  _classPrivateFieldSet2(_pendingFetch, this, undefined);
6472
6445
  }
6473
- _classPrivateFieldGet2(_pendingFetch, this) || _classPrivateFieldSet2(_pendingFetch, this, fetchJwks(_classPrivateFieldGet2(_url, this).href, _classPrivateFieldGet2(_headers, this), AbortSignal.timeout(_classPrivateFieldGet2(_timeoutDuration, this)), _classPrivateFieldGet2(_customFetch$1, this)).then((json => {
6446
+ _classPrivateFieldGet2(_pendingFetch, this) || _classPrivateFieldSet2(_pendingFetch, this, fetchJwks(_classPrivateFieldGet2(_url, this).href, _classPrivateFieldGet2(_headers, this), AbortSignal.timeout(_classPrivateFieldGet2(_timeoutDuration, this)), _classPrivateFieldGet2(_customFetch$1, this)).then(json => {
6474
6447
  _classPrivateFieldSet2(_local, this, createLocalJWKSet(json));
6475
6448
  if (_classPrivateFieldGet2(_cache, this)) {
6476
6449
  _classPrivateFieldGet2(_cache, this).uat = Date.now();
@@ -6478,10 +6451,10 @@
6478
6451
  }
6479
6452
  _classPrivateFieldSet2(_jwksTimestamp, this, Date.now());
6480
6453
  _classPrivateFieldSet2(_pendingFetch, this, undefined);
6481
- })).catch((err => {
6454
+ }).catch(err => {
6482
6455
  _classPrivateFieldSet2(_pendingFetch, this, undefined);
6483
6456
  throw err;
6484
- })));
6457
+ }));
6485
6458
  await _classPrivateFieldGet2(_pendingFetch, this);
6486
6459
  }
6487
6460
  }
@@ -6520,7 +6493,7 @@
6520
6493
  return remoteJWKSet;
6521
6494
  }
6522
6495
  const _excluded = [ "mfaToken" ], _excluded2 = [ "mfaToken" ];
6523
- var _baseUrl, _clientId, _customFetch, _configuration, _serverMetadata, _options, _jwks, _Class8_brand;
6496
+ var _baseUrl, _clientId, _customFetch, _entries, _ttlMs, _maxEntries, _configuration, _serverMetadata, _clientAuthPromise, _options, _customFetch2, _jwks, _discoveryCache, _inFlightDiscovery, _jwksCache, _Class9_brand;
6524
6497
  var NotSupportedError = class NotSupportedError extends Error {
6525
6498
  constructor(code, message) {
6526
6499
  super(message);
@@ -6612,12 +6585,12 @@
6612
6585
  }
6613
6586
  };
6614
6587
  function stripUndefinedProperties(value) {
6615
- return Object.entries(value).filter((_ref => {
6588
+ return Object.entries(value).filter(_ref => {
6616
6589
  let [, value2] = _ref;
6617
6590
  return typeof value2 !== "undefined";
6618
- })).reduce(((acc, curr) => _objectSpread2(_objectSpread2({}, acc), {}, {
6591
+ }).reduce((acc, curr) => _objectSpread2(_objectSpread2({}, acc), {}, {
6619
6592
  [curr[0]]: curr[1]
6620
- })), {});
6593
+ }), {});
6621
6594
  }
6622
6595
  var MfaError$1 = class MfaError extends Error {
6623
6596
  constructor(code, message, cause) {
@@ -6682,7 +6655,9 @@
6682
6655
  oobChannel: api.oob_channel,
6683
6656
  oobCode: api.oob_code,
6684
6657
  bindingMethod: api.binding_method,
6685
- id: api.id
6658
+ id: api.id,
6659
+ barcodeUri: api.barcode_uri,
6660
+ recoveryCodes: api.recovery_codes
6686
6661
  };
6687
6662
  }
6688
6663
  throw new Error("Unexpected authenticator type: ".concat(api.authenticator_type));
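Review bot: The two added fields `barcodeUri: api.barcode_uri` and `recoveryCodes: api.recovery_codes` put MFA enrollment secrets on the object returned to the application, and nothing here marks them as sensitive. Recovery codes act as standalone second factors, and for OTP enrollment the barcode URI is normally an `otpauth://` URI that carries the shared secret, so this object should not be logged, cached or forwarded to analytics. I would add a comment above the two fields such as `// barcodeUri and recoveryCodes are secrets: show once to the user, never log or persist`. The enclosing transform function starts above this hunk, so whether callers already treat the result that way cannot be confirmed from here.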
@@ -6800,6 +6775,40 @@
6800
6775
  return transformChallengeResponse(apiResponse);
6801
6776
  }
6802
6777
  });
6778
+ function createTelemetryFetch(baseFetch, config) {
6779
+ if (config.enabled === false) {
6780
+ return baseFetch;
6781
+ }
6782
+ const telemetryData = {
6783
+ name: config.name,
6784
+ version: config.version
6785
+ };
6786
+ const headerValue = btoa(JSON.stringify(telemetryData));
6787
+ return async (input, init) => {
6788
+ const headers = input instanceof Request ? new Headers(input.headers) : new Headers;
6789
+ if (init !== null && init !== void 0 && init.headers) {
6790
+ const initHeaders = new Headers(init.headers);
6791
+ initHeaders.forEach((value, key) => {
6792
+ headers.set(key, value);
6793
+ });
6794
+ }
6795
+ headers.set("Auth0-Client", headerValue);
6796
+ return baseFetch(input, _objectSpread2(_objectSpread2({}, init), {}, {
6797
+ headers: headers
6798
+ }));
6799
+ };
6800
+ }
6801
+ function getTelemetryConfig(config) {
6802
+ var _config$name, _config$version;
6803
+ if ((config === null || config === void 0 ? void 0 : config.enabled) === false) {
6804
+ return config;
6805
+ }
6806
+ return {
6807
+ enabled: true,
6808
+ name: (_config$name = config === null || config === void 0 ? void 0 : config.name) !== null && _config$name !== void 0 ? _config$name : "@auth0/auth0-auth-js",
6809
+ version: (_config$version = config === null || config === void 0 ? void 0 : config.version) !== null && _config$version !== void 0 ? _config$version : "1.5.0"
6810
+ };
6811
+ }
6803
6812
  var TokenResponse = class _TokenResponse {
6804
6813
  constructor(accessToken, expiresAt, idToken, refreshToken, scope, claims, authorizationDetails) {
6805
6814
  _defineProperty(this, "accessToken", void 0);
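Review bot: `btoa(JSON.stringify(telemetryData))` in `createTelemetryFetch` throws `InvalidCharacterError` when `config.name` or `config.version` contains a character above U+00FF, because `JSON.stringify` leaves non-ASCII text unescaped; depending on where the wrapper is created (not visible in this hunk) that would surface as a failure while setting up the client. Encoding to bytes first avoids it: `const headerValue = btoa(String.fromCharCode(...new TextEncoder().encode(JSON.stringify(telemetryData))));`. Separately, `getTelemetryConfig` turns telemetry on unless `enabled` is exactly `false`, and the wrapper sets `Auth0-Client` on every request passed through `baseFetch` whatever its destination, so a comment stating that the header is opt-out and which hosts receive it would help integrators who audit outbound data.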
@@ -6827,6 +6836,75 @@
6827
6836
  return tokenResponse;
6828
6837
  }
6829
6838
  };
6839
+ var LruCache = (_entries = new WeakMap, _ttlMs = new WeakMap, _maxEntries = new WeakMap,
6840
+ class LruCache {
6841
+ constructor(maxEntries, ttlMs) {
6842
+ _classPrivateFieldInitSpec(this, _entries, new Map);
6843
+ _classPrivateFieldInitSpec(this, _ttlMs, void 0);
6844
+ _classPrivateFieldInitSpec(this, _maxEntries, void 0);
6845
+ _classPrivateFieldSet2(_maxEntries, this, Math.max(1, Math.floor(maxEntries)));
6846
+ _classPrivateFieldSet2(_ttlMs, this, Math.max(0, Math.floor(ttlMs)));
6847
+ }
6848
+ get(key) {
6849
+ const entry = _classPrivateFieldGet2(_entries, this).get(key);
6850
+ if (!entry) {
6851
+ return;
6852
+ }
6853
+ if (Date.now() >= entry.expiresAt) {
6854
+ _classPrivateFieldGet2(_entries, this).delete(key);
6855
+ return;
6856
+ }
6857
+ _classPrivateFieldGet2(_entries, this).delete(key);
6858
+ _classPrivateFieldGet2(_entries, this).set(key, entry);
6859
+ return entry.value;
6860
+ }
6861
+ set(key, value) {
6862
+ if (_classPrivateFieldGet2(_entries, this).has(key)) {
6863
+ _classPrivateFieldGet2(_entries, this).delete(key);
6864
+ }
6865
+ _classPrivateFieldGet2(_entries, this).set(key, {
6866
+ value: value,
6867
+ expiresAt: Date.now() + _classPrivateFieldGet2(_ttlMs, this)
6868
+ });
6869
+ while (_classPrivateFieldGet2(_entries, this).size > _classPrivateFieldGet2(_maxEntries, this)) {
6870
+ const oldestKey = _classPrivateFieldGet2(_entries, this).keys().next().value;
6871
+ if (oldestKey === void 0) {
6872
+ break;
6873
+ }
6874
+ _classPrivateFieldGet2(_entries, this).delete(oldestKey);
6875
+ }
6876
+ }
6877
+ });
6878
+ var globalCaches = new Map;
6879
+ function getGlobalCache(key) {
6880
+ return globalCaches.get(key);
6881
+ }
6882
+ function getGlobalCacheKey(maxEntries, ttlMs) {
6883
+ return "".concat(maxEntries, ":").concat(ttlMs);
6884
+ }
6885
+ function resolveCacheConfig(options) {
6886
+ const ttlSeconds = typeof (options === null || options === void 0 ? void 0 : options.ttl) === "number" ? options.ttl : 600;
6887
+ const maxEntries = typeof (options === null || options === void 0 ? void 0 : options.maxEntries) === "number" && options.maxEntries > 0 ? options.maxEntries : 100;
6888
+ const ttlMs = ttlSeconds * 1e3;
6889
+ return {
6890
+ ttlMs: ttlMs,
6891
+ maxEntries: maxEntries
6892
+ };
6893
+ }
6894
+ var DiscoveryCacheFactory = class {
6895
+ static createDiscoveryCache(config) {
6896
+ const cacheKey = getGlobalCacheKey(config.maxEntries, config.ttlMs);
6897
+ let cache = getGlobalCache(cacheKey);
6898
+ if (!cache) {
6899
+ cache = new LruCache(config.maxEntries, config.ttlMs);
6900
+ globalCaches.set(cacheKey, cache);
6901
+ }
6902
+ return cache;
6903
+ }
6904
+ static createJwksCache() {
6905
+ return {};
6906
+ }
6907
+ };
6830
6908
  var DEFAULT_SCOPES = "openid profile email offline_access";
6831
6909
  var MAX_ARRAY_VALUES_PER_KEY = 20;
6832
6910
  var PARAM_DENYLIST = Object.freeze(new Set([ "grant_type", "client_id", "client_secret", "client_assertion", "client_assertion_type", "subject_token", "subject_token_type", "requested_token_type", "actor_token", "actor_token_type", "audience", "aud", "resource", "resources", "resource_indicator", "scope", "connection", "login_hint", "organization", "assertion" ]));
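Review bot: `resolveCacheConfig` accepts any `number` for `ttl`, so `ttl: NaN` survives `Math.max(0, Math.floor(ttlMs))` as `NaN`, `expiresAt` becomes `NaN`, and the `Date.now() >= entry.expiresAt` test in `LruCache.get` is never true, which means entries never expire (`Infinity` behaves the same way, and an `Infinity` `maxEntries` passes the `> 0` check and removes the size bound). Validating it like `maxEntries` closes this: `const ttlSeconds = Number.isFinite(options?.ttl) && options.ttl >= 0 ? options.ttl : 600;`. Also, `DiscoveryCacheFactory.createDiscoveryCache` shares one process-wide cache between all clients that use the same `maxEntries:ttlMs` pair; the entry key is chosen outside this hunk, so it is worth confirming that it includes the tenant domain and that sharing discovery metadata between clients with different `customFetch` or mTLS settings is intended.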
@@ -6855,9 +6933,9 @@
6855
6933
  if (parameterValue.length > MAX_ARRAY_VALUES_PER_KEY) {
6856
6934
  throw new TokenExchangeError("Parameter '".concat(parameterKey, "' exceeds maximum array size of ").concat(MAX_ARRAY_VALUES_PER_KEY));
6857
6935
  }
6858
- parameterValue.forEach((arrayItem => {
6936
+ parameterValue.forEach(arrayItem => {
6859
6937
  params.append(parameterKey, arrayItem);
6860
- }));
6938
+ });
6861
6939
  } else {
6862
6940
  params.append(parameterKey, parameterValue);
6863
6941
  }
@@ -6868,39 +6946,58 @@
6868
6946
  var SUBJECT_TYPE_REFRESH_TOKEN = "urn:ietf:params:oauth:token-type:refresh_token";
6869
6947
  var SUBJECT_TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token";
6870
6948
  var REQUESTED_TOKEN_TYPE_FEDERATED_CONNECTION_ACCESS_TOKEN = "http://auth0.com/oauth/token-type/federated-connection-access-token";
6871
- var AuthClient = (_configuration = new WeakMap, _serverMetadata = new WeakMap, _options = new WeakMap,
6872
- _jwks = new WeakMap, _Class8_brand = new WeakSet, class AuthClient {
6949
+ var AuthClient = (_configuration = new WeakMap, _serverMetadata = new WeakMap, _clientAuthPromise = new WeakMap,
6950
+ _options = new WeakMap, _customFetch2 = new WeakMap, _jwks = new WeakMap, _discoveryCache = new WeakMap,
6951
+ _inFlightDiscovery = new WeakMap, _jwksCache = new WeakMap, _Class9_brand = new WeakSet,
6952
+ class AuthClient {
6873
6953
  constructor(_options2) {
6874
- _classPrivateMethodInitSpec(this, _Class8_brand);
6954
+ var _options2$customFetch;
6955
+ _classPrivateMethodInitSpec(this, _Class9_brand);
6875
6956
  _classPrivateFieldInitSpec(this, _configuration, void 0);
6876
6957
  _classPrivateFieldInitSpec(this, _serverMetadata, void 0);
6958
+ _classPrivateFieldInitSpec(this, _clientAuthPromise, void 0);
6877
6959
  _classPrivateFieldInitSpec(this, _options, void 0);
6960
+ _classPrivateFieldInitSpec(this, _customFetch2, void 0);
6878
6961
  _classPrivateFieldInitSpec(this, _jwks, void 0);
6962
+ _classPrivateFieldInitSpec(this, _discoveryCache, void 0);
6963
+ _classPrivateFieldInitSpec(this, _inFlightDiscovery, void 0);
6964
+ _classPrivateFieldInitSpec(this, _jwksCache, void 0);
6879
6965
  _defineProperty(this, "mfa", void 0);
6880
6966
  _classPrivateFieldSet2(_options, this, _options2);
6881
6967
  if (_options2.useMtls && !_options2.customFetch) {
6882
6968
  throw new NotSupportedError("mtls_without_custom_fetch_not_supported", "Using mTLS without a custom fetch implementation is not supported");
6883
6969
  }
6970
+ _classPrivateFieldSet2(_customFetch2, this, createTelemetryFetch((_options2$customFetch = _options2.customFetch) !== null && _options2$customFetch !== void 0 ? _options2$customFetch : function() {
6971
+ return fetch(...arguments);
6972
+ }, getTelemetryConfig(_options2.telemetry)));
6973
+ const cacheConfig = resolveCacheConfig(_options2.discoveryCache);
6974
+ _classPrivateFieldSet2(_discoveryCache, this, DiscoveryCacheFactory.createDiscoveryCache(cacheConfig));
6975
+ _classPrivateFieldSet2(_inFlightDiscovery, this, new Map);
6976
+ _classPrivateFieldSet2(_jwksCache, this, DiscoveryCacheFactory.createJwksCache());
6884
6977
  this.mfa = new MfaClient({
6885
6978
  domain: _classPrivateFieldGet2(_options, this).domain,
6886
6979
  clientId: _classPrivateFieldGet2(_options, this).clientId,
6887
- customFetch: _classPrivateFieldGet2(_options, this).customFetch
6980
+ customFetch: _classPrivateFieldGet2(_customFetch2, this)
6888
6981
  });
6889
6982
  }
6983
+ async getServerMetadata() {
6984
+ const {serverMetadata: serverMetadata} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
6985
+ return serverMetadata;
6986
+ }
6890
6987
  async buildAuthorizationUrl(options) {
6891
- const {serverMetadata: serverMetadata} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
6988
+ const {serverMetadata: serverMetadata} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
6892
6989
  if (options !== null && options !== void 0 && options.pushedAuthorizationRequests && !serverMetadata.pushed_authorization_request_endpoint) {
6893
6990
  throw new NotSupportedError("par_not_supported_error", "The Auth0 tenant does not have pushed authorization requests enabled. Learn how to enable it here: https://auth0.com/docs/get-started/applications/configure-par");
6894
6991
  }
6895
6992
  try {
6896
- return await _assertClassBrand(_Class8_brand, this, _buildAuthorizationUrl).call(this, options);
6993
+ return await _assertClassBrand(_Class9_brand, this, _buildAuthorizationUrl).call(this, options);
6897
6994
  } catch (e) {
6898
6995
  throw new BuildAuthorizationUrlError(e);
6899
6996
  }
6900
6997
  }
6901
6998
  async buildLinkUserUrl(options) {
6902
6999
  try {
6903
- const result = await _assertClassBrand(_Class8_brand, this, _buildAuthorizationUrl).call(this, {
7000
+ const result = await _assertClassBrand(_Class9_brand, this, _buildAuthorizationUrl).call(this, {
6904
7001
  authorizationParams: _objectSpread2(_objectSpread2({}, options.authorizationParams), {}, {
6905
7002
  requested_connection: options.connection,
6906
7003
  requested_connection_scope: options.connectionScope,
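Review bot: At the `resolveCacheConfig(_options2.discoveryCache)` call in the constructor, `maxEntries` is accepted only when `> 0`, but `ttl` is accepted for any value whose `typeof` is `"number"`. `NaN`, `Infinity` or a negative TTL therefore flows into `getGlobalCacheKey`, `new LruCache(...)` and, later, the `cacheMaxAge` passed to `createRemoteJWKSet`. How those consumers treat such a value is not visible here, but a non-finite TTL presumably means cached discovery metadata is never refreshed. The helper, defined in the preceding hunk, could validate the same way it does for `maxEntries`: `const ttlSeconds = Number.isFinite(options?.ttl) && options.ttl >= 0 ? options.ttl : 600;`.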
@@ -6918,7 +7015,7 @@
6918
7015
  }
6919
7016
  async buildUnlinkUserUrl(options) {
6920
7017
  try {
6921
- const result = await _assertClassBrand(_Class8_brand, this, _buildAuthorizationUrl).call(this, {
7018
+ const result = await _assertClassBrand(_Class9_brand, this, _buildAuthorizationUrl).call(this, {
6922
7019
  authorizationParams: _objectSpread2(_objectSpread2({}, options.authorizationParams), {}, {
6923
7020
  requested_connection: options.connection,
6924
7021
  scope: "openid unlink_account",
@@ -6934,7 +7031,7 @@
6934
7031
  }
6935
7032
  }
6936
7033
  async backchannelAuthentication(options) {
6937
- const {configuration: configuration, serverMetadata: serverMetadata} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
7034
+ const {configuration: configuration, serverMetadata: serverMetadata} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
6938
7035
  const additionalParams = stripUndefinedProperties(_objectSpread2(_objectSpread2({}, _classPrivateFieldGet2(_options, this).authorizationParams), options === null || options === void 0 ? void 0 : options.authorizationParams));
6939
7036
  const params = new URLSearchParams(_objectSpread2(_objectSpread2({
6940
7037
  scope: DEFAULT_SCOPES
@@ -6962,7 +7059,7 @@
6962
7059
  }
6963
7060
  }
6964
7061
  async initiateBackchannelAuthentication(options) {
6965
- const {configuration: configuration, serverMetadata: serverMetadata} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
7062
+ const {configuration: configuration, serverMetadata: serverMetadata} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
6966
7063
  const additionalParams = stripUndefinedProperties(_objectSpread2(_objectSpread2({}, _classPrivateFieldGet2(_options, this).authorizationParams), options === null || options === void 0 ? void 0 : options.authorizationParams));
6967
7064
  const params = new URLSearchParams(_objectSpread2(_objectSpread2({
6968
7065
  scope: DEFAULT_SCOPES
@@ -6994,7 +7091,7 @@
6994
7091
  }
6995
7092
  async backchannelAuthenticationGrant(_ref2) {
6996
7093
  let {authReqId: authReqId} = _ref2;
6997
- const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
7094
+ const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
6998
7095
  const params = new URLSearchParams({
6999
7096
  auth_req_id: authReqId
7000
7097
  });
@@ -7029,10 +7126,10 @@
7029
7126
  }
7030
7127
  }
7031
7128
  async exchangeToken(options) {
7032
- return "connection" in options ? _assertClassBrand(_Class8_brand, this, _exchangeTokenVaultToken).call(this, options) : _assertClassBrand(_Class8_brand, this, _exchangeProfileToken).call(this, options);
7129
+ return "connection" in options ? _assertClassBrand(_Class9_brand, this, _exchangeTokenVaultToken).call(this, options) : _assertClassBrand(_Class9_brand, this, _exchangeProfileToken).call(this, options);
7033
7130
  }
7034
7131
  async getTokenByCode(url, options) {
7035
- const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
7132
+ const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
7036
7133
  try {
7037
7134
  const tokenEndpointResponse = await authorizationCodeGrant(configuration, url, {
7038
7135
  pkceCodeVerifier: options.codeVerifier
@@ -7043,16 +7140,23 @@
7043
7140
  }
7044
7141
  }
7045
7142
  async getTokenByRefreshToken(options) {
7046
- const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
7143
+ const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
7144
+ const additionalParameters = new URLSearchParams;
7145
+ if (options.audience) {
7146
+ additionalParameters.append("audience", options.audience);
7147
+ }
7148
+ if (options.scope) {
7149
+ additionalParameters.append("scope", options.scope);
7150
+ }
7047
7151
  try {
7048
- const tokenEndpointResponse = await refreshTokenGrant(configuration, options.refreshToken);
7152
+ const tokenEndpointResponse = await refreshTokenGrant(configuration, options.refreshToken, additionalParameters);
7049
7153
  return TokenResponse.fromTokenEndpointResponse(tokenEndpointResponse);
7050
7154
  } catch (e) {
7051
7155
  throw new TokenByRefreshTokenError("The access token has expired and there was an error while trying to refresh it.", e);
7052
7156
  }
7053
7157
  }
7054
7158
  async getTokenByClientCredentials(options) {
7055
- const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
7159
+ const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
7056
7160
  try {
7057
7161
  const params = new URLSearchParams({
7058
7162
  audience: options.audience
@@ -7067,7 +7171,7 @@
7067
7171
  }
7068
7172
  }
7069
7173
  async buildLogoutUrl(options) {
7070
- const {configuration: configuration, serverMetadata: serverMetadata} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
7174
+ const {configuration: configuration, serverMetadata: serverMetadata} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
7071
7175
  if (!serverMetadata.end_session_endpoint) {
7072
7176
  const url = new URL("https://".concat(_classPrivateFieldGet2(_options, this).domain, "/v2/logout"));
7073
7177
  url.searchParams.set("returnTo", options.returnTo);
@@ -7079,9 +7183,13 @@
7079
7183
  });
7080
7184
  }
7081
7185
  async verifyLogoutToken(options) {
7082
- const {serverMetadata: serverMetadata} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
7083
- _classPrivateFieldGet2(_jwks, this) || _classPrivateFieldSet2(_jwks, this, createRemoteJWKSet(new URL(serverMetadata.jwks_uri), {
7084
- [customFetch]: _classPrivateFieldGet2(_options, this).customFetch
7186
+ const {serverMetadata: serverMetadata} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
7187
+ const cacheConfig = resolveCacheConfig(_classPrivateFieldGet2(_options, this).discoveryCache);
7188
+ const jwksUri = serverMetadata.jwks_uri;
7189
+ _classPrivateFieldGet2(_jwks, this) || _classPrivateFieldSet2(_jwks, this, createRemoteJWKSet(new URL(jwksUri), {
7190
+ cacheMaxAge: cacheConfig.ttlMs,
7191
+ [customFetch]: _classPrivateFieldGet2(_customFetch2, this),
7192
+ [jwksCache]: _classPrivateFieldGet2(_jwksCache, this)
7085
7193
  }));
7086
7194
  const {payload: payload} = await jwtVerify(options.logoutToken, _classPrivateFieldGet2(_jwks, this), {
7087
7195
  issuer: serverMetadata.issuer,
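Review bot: `cacheMaxAge: cacheConfig.ttlMs` makes the `discoveryCache.ttl` option also govern how long fetched JWKS keys are treated as fresh, and nothing in the option name or this code says so. A caller who raises the TTL to cut discovery traffic may also lengthen the period during which a signing key already removed from the JWKS still verifies logout tokens. A comment at this line would make the coupling explicit, for example `// discoveryCache.ttl also bounds JWKS freshness; keep it short enough for signing-key rotation`, or the JWKS max age could get its own option. Separately, `_jwks` is created once per instance, so the value read here applies only on the first call. `verifyLogoutToken` continues past the end of this hunk.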
@@ -7119,6 +7227,16 @@
7119
7227
  };
7120
7228
  }
7121
7229
  });
7230
+ function _getDiscoveryCacheKey() {
7231
+ const domain = _classPrivateFieldGet2(_options, this).domain.toLowerCase();
7232
+ return "".concat(domain, "|mtls:").concat(_classPrivateFieldGet2(_options, this).useMtls ? "1" : "0");
7233
+ }
7234
+ async function _createConfiguration(serverMetadata) {
7235
+ const clientAuth = await _assertClassBrand(_Class9_brand, this, _getClientAuth).call(this);
7236
+ const configuration = new Configuration(serverMetadata, _classPrivateFieldGet2(_options, this).clientId, _classPrivateFieldGet2(_options, this).clientSecret, clientAuth);
7237
+ configuration[customFetch$1] = _classPrivateFieldGet2(_customFetch2, this);
7238
+ return configuration;
7239
+ }
7122
7240
  async function _discover() {
7123
7241
  if (_classPrivateFieldGet2(_configuration, this) && _classPrivateFieldGet2(_serverMetadata, this)) {
7124
7242
  return {
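Review bot: `_createConfiguration` builds its `Configuration` with `clientSecret` as the third argument, while the network path in `_discover` (next hunk) passes `{ use_mtls_endpoint_aliases: useMtls }` to `discovery` in that position. A configuration rebuilt from cached metadata may therefore not carry the mTLS alias setting, and a client created with `useMtls` could behave differently on a cache hit than on a cache miss. The `Configuration` constructor is not shown, so this should be confirmed against it. If it accepts the same metadata object, passing `{ use_mtls_endpoint_aliases: _classPrivateFieldGet2(_options, this).useMtls }` here would keep both paths equivalent. The discovery cache key already separates `mtls:1` from `mtls:0`, which suggests the distinction is meant to be preserved.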
@@ -7126,14 +7244,58 @@
7126
7244
  serverMetadata: _classPrivateFieldGet2(_serverMetadata, this)
7127
7245
  };
7128
7246
  }
7129
- const clientAuth = await _assertClassBrand(_Class8_brand, this, _getClientAuth).call(this);
7130
- _classPrivateFieldSet2(_configuration, this, await discovery(new URL("https://".concat(_classPrivateFieldGet2(_options, this).domain)), _classPrivateFieldGet2(_options, this).clientId, {
7131
- use_mtls_endpoint_aliases: _classPrivateFieldGet2(_options, this).useMtls
7132
- }, clientAuth, {
7133
- [customFetch$1]: _classPrivateFieldGet2(_options, this).customFetch
7134
- }));
7135
- _classPrivateFieldSet2(_serverMetadata, this, _classPrivateFieldGet2(_configuration, this).serverMetadata());
7136
- _classPrivateFieldGet2(_configuration, this)[customFetch$1] = _classPrivateFieldGet2(_options, this).customFetch || fetch;
7247
+ const cacheKey = _assertClassBrand(_Class9_brand, this, _getDiscoveryCacheKey).call(this);
7248
+ const cached = _classPrivateFieldGet2(_discoveryCache, this).get(cacheKey);
7249
+ if (cached) {
7250
+ _classPrivateFieldSet2(_serverMetadata, this, cached.serverMetadata);
7251
+ _classPrivateFieldSet2(_configuration, this, await _assertClassBrand(_Class9_brand, this, _createConfiguration).call(this, cached.serverMetadata));
7252
+ return {
7253
+ configuration: _classPrivateFieldGet2(_configuration, this),
7254
+ serverMetadata: _classPrivateFieldGet2(_serverMetadata, this)
7255
+ };
7256
+ }
7257
+ const inFlight = _classPrivateFieldGet2(_inFlightDiscovery, this).get(cacheKey);
7258
+ if (inFlight) {
7259
+ const entry = await inFlight;
7260
+ _classPrivateFieldSet2(_serverMetadata, this, entry.serverMetadata);
7261
+ _classPrivateFieldSet2(_configuration, this, await _assertClassBrand(_Class9_brand, this, _createConfiguration).call(this, entry.serverMetadata));
7262
+ return {
7263
+ configuration: _classPrivateFieldGet2(_configuration, this),
7264
+ serverMetadata: _classPrivateFieldGet2(_serverMetadata, this)
7265
+ };
7266
+ }
7267
+ const discoveryPromise = (async () => {
7268
+ const clientAuth = await _assertClassBrand(_Class9_brand, this, _getClientAuth).call(this);
7269
+ const configuration = await discovery(new URL("https://".concat(_classPrivateFieldGet2(_options, this).domain)), _classPrivateFieldGet2(_options, this).clientId, {
7270
+ use_mtls_endpoint_aliases: _classPrivateFieldGet2(_options, this).useMtls
7271
+ }, clientAuth, {
7272
+ [customFetch$1]: _classPrivateFieldGet2(_customFetch2, this)
7273
+ });
7274
+ const serverMetadata = configuration.serverMetadata();
7275
+ _classPrivateFieldGet2(_discoveryCache, this).set(cacheKey, {
7276
+ serverMetadata: serverMetadata
7277
+ });
7278
+ return {
7279
+ configuration: configuration,
7280
+ serverMetadata: serverMetadata
7281
+ };
7282
+ })();
7283
+ const inFlightEntry = discoveryPromise.then(_ref3 => {
7284
+ let {serverMetadata: serverMetadata} = _ref3;
7285
+ return {
7286
+ serverMetadata: serverMetadata
7287
+ };
7288
+ });
7289
+ void inFlightEntry.catch(() => void 0);
7290
+ _classPrivateFieldGet2(_inFlightDiscovery, this).set(cacheKey, inFlightEntry);
7291
+ try {
7292
+ const {configuration: configuration, serverMetadata: serverMetadata} = await discoveryPromise;
7293
+ _classPrivateFieldSet2(_configuration, this, configuration);
7294
+ _classPrivateFieldSet2(_serverMetadata, this, serverMetadata);
7295
+ _classPrivateFieldGet2(_configuration, this)[customFetch$1] = _classPrivateFieldGet2(_customFetch2, this);
7296
+ } finally {
7297
+ _classPrivateFieldGet2(_inFlightDiscovery, this).delete(cacheKey);
7298
+ }
7137
7299
  return {
7138
7300
  configuration: _classPrivateFieldGet2(_configuration, this),
7139
7301
  serverMetadata: _classPrivateFieldGet2(_serverMetadata, this)
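Review bot: The object stored by `_discoveryCache.set(cacheKey, { serverMetadata })` is the same reference that is assigned to `_serverMetadata` and handed to callers by `getServerMetadata()` (added in an earlier hunk). Code that mutates that result would change `issuer`, `jwks_uri` or endpoint values for every client reading the same cache entry. `createDiscoveryCache` reuses one cache per `maxEntries:ttlMs` pair from `globalCaches`, which appears to be shared across `AuthClient` instances; whether `LruCache` copies values on `get`/`set` is not visible here. Freezing before caching, `const serverMetadata = Object.freeze(configuration.serverMetadata());`, would turn such a mutation into an error in strict mode, although nested arrays would still need the same treatment. `_discover` begins before this hunk.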
@@ -7141,7 +7303,7 @@
7141
7303
  }
7142
7304
  async function _exchangeTokenVaultToken(options) {
7143
7305
  var _options$subjectToken, _options$requestedTok;
7144
- const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
7306
+ const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
7145
7307
  if ("audience" in options || "resource" in options) {
7146
7308
  throw new TokenExchangeError("audience and resource parameters are not supported for Token Vault exchanges");
7147
7309
  }
@@ -7167,7 +7329,7 @@
7167
7329
  }
7168
7330
  }
7169
7331
  async function _exchangeProfileToken(options) {
7170
- const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
7332
+ const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
7171
7333
  validateSubjectToken(options.subjectToken);
7172
7334
  const tokenRequestParams = new URLSearchParams({
7173
7335
  subject_token_type: options.subjectTokenType,
@@ -7194,20 +7356,28 @@
7194
7356
  }
7195
7357
  }
7196
7358
  async function _getClientAuth() {
7197
- if (!_classPrivateFieldGet2(_options, this).clientSecret && !_classPrivateFieldGet2(_options, this).clientAssertionSigningKey && !_classPrivateFieldGet2(_options, this).useMtls) {
7198
- throw new MissingClientAuthError;
7199
- }
7200
- if (_classPrivateFieldGet2(_options, this).useMtls) {
7201
- return TlsClientAuth();
7202
- }
7203
- let clientPrivateKey = _classPrivateFieldGet2(_options, this).clientAssertionSigningKey;
7204
- if (clientPrivateKey && !(clientPrivateKey instanceof CryptoKey)) {
7205
- clientPrivateKey = await importPKCS8(clientPrivateKey, _classPrivateFieldGet2(_options, this).clientAssertionSigningAlg || "RS256");
7359
+ if (!_classPrivateFieldGet2(_clientAuthPromise, this)) {
7360
+ _classPrivateFieldSet2(_clientAuthPromise, this, (async () => {
7361
+ if (!_classPrivateFieldGet2(_options, this).clientSecret && !_classPrivateFieldGet2(_options, this).clientAssertionSigningKey && !_classPrivateFieldGet2(_options, this).useMtls) {
7362
+ throw new MissingClientAuthError;
7363
+ }
7364
+ if (_classPrivateFieldGet2(_options, this).useMtls) {
7365
+ return TlsClientAuth();
7366
+ }
7367
+ let clientPrivateKey = _classPrivateFieldGet2(_options, this).clientAssertionSigningKey;
7368
+ if (clientPrivateKey && !(clientPrivateKey instanceof CryptoKey)) {
7369
+ clientPrivateKey = await importPKCS8(clientPrivateKey, _classPrivateFieldGet2(_options, this).clientAssertionSigningAlg || "RS256");
7370
+ }
7371
+ return clientPrivateKey ? PrivateKeyJwt(clientPrivateKey) : ClientSecretPost(_classPrivateFieldGet2(_options, this).clientSecret);
7372
+ })().catch(error => {
7373
+ _classPrivateFieldSet2(_clientAuthPromise, this, void 0);
7374
+ throw error;
7375
+ }));
7206
7376
  }
7207
- return clientPrivateKey ? PrivateKeyJwt(clientPrivateKey) : ClientSecretPost(_classPrivateFieldGet2(_options, this).clientSecret);
7377
+ return _classPrivateFieldGet2(_clientAuthPromise, this);
7208
7378
  }
7209
7379
  async function _buildAuthorizationUrl(options) {
7210
- const {configuration: configuration} = await _assertClassBrand(_Class8_brand, this, _discover).call(this);
7380
+ const {configuration: configuration} = await _assertClassBrand(_Class9_brand, this, _discover).call(this);
7211
7381
  const codeChallengeMethod = "S256";
7212
7382
  const codeVerifier = randomPKCECodeVerifier();
7213
7383
  const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);
@@ -7323,15 +7493,15 @@
7323
7493
  if (!((_a = context === null || context === void 0 ? void 0 : context.mfaRequirements) === null || _a === void 0 ? void 0 : _a.challenge) || context.mfaRequirements.challenge.length === 0) {
7324
7494
  throw new MfaListAuthenticatorsError("invalid_request", "challengeType is required and must contain at least one challenge type, please check mfa_required error payload");
7325
7495
  }
7326
- const challengeTypes = context.mfaRequirements.challenge.map((c => c.type));
7496
+ const challengeTypes = context.mfaRequirements.challenge.map(c => c.type);
7327
7497
  try {
7328
7498
  const allAuthenticators = await this.authJsMfaClient.listAuthenticators({
7329
7499
  mfaToken: mfaToken
7330
7500
  });
7331
- return allAuthenticators.filter((auth => {
7501
+ return allAuthenticators.filter(auth => {
7332
7502
  if (!auth.type) return false;
7333
7503
  return challengeTypes.includes(auth.type);
7334
- }));
7504
+ });
7335
7505
  } catch (error) {
7336
7506
  if (error instanceof MfaListAuthenticatorsError$1) {
7337
7507
  throw new MfaListAuthenticatorsError((_b = error.cause) === null || _b === void 0 ? void 0 : _b.error, error.message);
@@ -7521,6 +7691,31 @@
7521
7691
  });
7522
7692
  }
7523
7693
  }
7694
+ _extractSessionTransferToken(paramName) {
7695
+ const params = new URLSearchParams(window.location.search);
7696
+ return params.get(paramName) || undefined;
7697
+ }
7698
+ _clearSessionTransferTokenFromUrl(paramName) {
7699
+ try {
7700
+ const url = new URL(window.location.href);
7701
+ if (url.searchParams.has(paramName)) {
7702
+ url.searchParams.delete(paramName);
7703
+ window.history.replaceState({}, "", url.toString());
7704
+ }
7705
+ } catch (_a) {}
7706
+ }
7707
+ _applySessionTransferToken(authorizationParams) {
7708
+ const paramName = this.options.sessionTransferTokenQueryParamName;
7709
+ if (!paramName || authorizationParams.session_transfer_token) {
7710
+ return authorizationParams;
7711
+ }
7712
+ const token = this._extractSessionTransferToken(paramName);
7713
+ if (!token) return authorizationParams;
7714
+ this._clearSessionTransferTokenFromUrl(paramName);
7715
+ return Object.assign(Object.assign({}, authorizationParams), {
7716
+ session_transfer_token: token
7717
+ });
7718
+ }
7524
7719
  async _prepareAuthorizeUrl(authorizationParams, authorizeOptions, fallbackRedirectUri) {
7525
7720
  var _a;
7526
7721
  const state = encode$2(createRandomString());
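Review bot: The empty `catch (_a) {}` in `_clearSessionTransferTokenFromUrl` hides a failed scrub, while `_applySessionTransferToken` still forwards the token. If `replaceState` throws, the credential stays in the address bar and session history with no signal to the application. Reporting the failure without the token value, e.g. `catch (e) { console.warn("Could not remove the session transfer token from the URL"); }`, would make that state detectable. In the same method, `window.history.replaceState({}, "", url.toString())` overwrites the current entry's state object, which routers that keep data in `history.state` may depend on. `window.history.replaceState(window.history.state, "", url.toString())` removes the parameter without that side effect.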
@@ -7551,7 +7746,8 @@
7551
7746
  throw new PopupOpenError;
7552
7747
  }
7553
7748
  }
7554
- const params = await this._prepareAuthorizeUrl(options.authorizationParams || {}, {
7749
+ const authorizationParams = this._applySessionTransferToken(options.authorizationParams || {});
7750
+ const params = await this._prepareAuthorizeUrl(authorizationParams, {
7555
7751
  response_mode: "web_message"
7556
7752
  }, window.location.origin);
7557
7753
  config.popup.location.href = params.url;
@@ -7589,7 +7785,8 @@
7589
7785
  var _a;
7590
7786
  const _b = patchOpenUrlWithOnRedirect(options), {openUrl: openUrl, fragment: fragment, appState: appState} = _b, urlOptions = __rest(_b, [ "openUrl", "fragment", "appState" ]);
7591
7787
  const organization = ((_a = urlOptions.authorizationParams) === null || _a === void 0 ? void 0 : _a.organization) || this.options.authorizationParams.organization;
7592
- const _c = await this._prepareAuthorizeUrl(urlOptions.authorizationParams || {}), {url: url} = _c, transaction = __rest(_c, [ "url" ]);
7788
+ const authorizationParams = this._applySessionTransferToken(urlOptions.authorizationParams || {});
7789
+ const _c = await this._prepareAuthorizeUrl(authorizationParams), {url: url} = _c, transaction = __rest(_c, [ "url" ]);
7593
7790
  this.transactionManager.create(Object.assign(Object.assign(Object.assign({}, transaction), {
7594
7791
  appState: appState,
7595
7792
  response_type: exports.ResponseType.Code
@@ -7696,7 +7893,7 @@
7696
7893
  scope: scopesToRequest(this.scope, (_a = options.authorizationParams) === null || _a === void 0 ? void 0 : _a.scope, ((_b = options.authorizationParams) === null || _b === void 0 ? void 0 : _b.audience) || this.options.authorizationParams.audience)
7697
7894
  })
7698
7895
  });
7699
- const result = await singlePromise((() => this._getTokenSilently(localOptions)), "".concat(this.options.clientId, "::").concat(localOptions.authorizationParams.audience, "::").concat(localOptions.authorizationParams.scope));
7896
+ const result = await singlePromise(() => this._getTokenSilently(localOptions), "".concat(this.options.clientId, "::").concat(localOptions.authorizationParams.audience, "::").concat(localOptions.authorizationParams.scope));
7700
7897
  return options.detailedResponse ? result : result === null || result === void 0 ? void 0 : result.access_token;
7701
7898
  }
7702
7899
  async _getTokenSilently(options) {
@@ -7717,7 +7914,7 @@
7717
7914
  }
7718
7915
  const lockKey = buildGetTokenSilentlyLockKey(this.options.clientId, getTokenOptions.authorizationParams.audience || "default");
7719
7916
  try {
7720
- return await this.lockManager.runWithLock(lockKey, 5e3, (async () => {
7917
+ return await this.lockManager.runWithLock(lockKey, 5e3, async () => {
7721
7918
  if (cacheMode !== "off") {
7722
7919
  const entry = await this._getEntryFromCache({
7723
7920
  scope: getTokenOptions.authorizationParams.scope,
@@ -7739,7 +7936,7 @@
7739
7936
  } : null), {
7740
7937
  expires_in: expires_in
7741
7938
  });
7742
- }));
7939
+ });
7743
7940
  } catch (error) {
7744
7941
  if (this._isInteractiveError(error) && this.options.interactiveErrorHandler === "popup") {
7745
7942
  return await this._handleInteractiveErrorWithPopup(getTokenOptions);
@@ -7833,7 +8030,7 @@
7833
8030
  async _getTokenFromIFrame(options) {
7834
8031
  const iframeLockKey = buildIframeLockKey(this.options.clientId);
7835
8032
  try {
7836
- return await this.lockManager.runWithLock(iframeLockKey, 5e3, (async () => {
8033
+ return await this.lockManager.runWithLock(iframeLockKey, 5e3, async () => {
7837
8034
  const params = Object.assign(Object.assign({}, options.authorizationParams), {
7838
8035
  prompt: "none"
7839
8036
  });
@@ -7873,7 +8070,7 @@
7873
8070
  oauthTokenScope: tokenResult.scope,
7874
8071
  audience: audience
7875
8072
  });
7876
- }));
8073
+ });
7877
8074
  } catch (e) {
7878
8075
  if (e.error === "login_required") {
7879
8076
  const shouldSkipLogoutForMfaStepUp = e instanceof GenericError && this._isIframeMfaError(e) && this.options.interactiveErrorHandler === "popup";
@@ -8160,5 +8357,5 @@
8160
8357
  Object.defineProperty(exports, "__esModule", {
8161
8358
  value: true
8162
8359
  });
8163
- }));
8360
+ });
8164
8361
  //# sourceMappingURL=auth0-spa-js.development.js.map