@authsignal/browser 1.5.1 → 1.6.1

package/dist/api/passkey-api-client.d.ts

@@ -11,7 +11,7 @@ export declare class PasskeyApiClient {
     authenticationOptions({ token, challengeId, }: {
         token?: string;
     } & AuthenticationOptsRequest): Promise<AuthenticationOptsResponse | ErrorResponse>;
-    addAuthenticator({ token, challengeId, registrationCredential, }: {
+    addAuthenticator({ token, challengeId, registrationCredential, conditionalCreate, }: {
         token: string;
     } & AddAuthenticatorRequest): Promise<AddAuthenticatorResponse | ErrorResponse>;
     verify({ token, challengeId, authenticationCredential, deviceId, }: {

package/dist/api/qr-code-api-client.d.ts

@@ -0,0 +1,14 @@
+import { ApiClientOptions, ErrorResponse } from "./types/shared";
+import { QrCodeChallengeResponse, QrCodeVerifyResponse } from "./types/qr-code";
+export declare class QrCodeApiClient {
+    tenantId: string;
+    baseUrl: string;
+    constructor({ baseUrl, tenantId }: ApiClientOptions);
+    challenge({ action }: {
+        action: string;
+    }): Promise<QrCodeChallengeResponse | ErrorResponse>;
+    verify({ challengeId, deviceCode, }: {
+        challengeId: string;
+        deviceCode: string;
+    }): Promise<QrCodeVerifyResponse | ErrorResponse>;
+}

package/dist/api/security-key-api-client.d.ts

@@ -1,4 +1,4 @@
-import { AuthenticationResponseJSON, PublicKeyCredentialCreationOptionsJSON, PublicKeyCredentialRequestOptionsJSON, RegistrationResponseJSON } from "@simplewebauthn/types";
+import { AuthenticationResponseJSON, PublicKeyCredentialCreationOptionsJSON, PublicKeyCredentialRequestOptionsJSON, RegistrationResponseJSON } from "@simplewebauthn/browser";
 import { AddAuthenticatorResponse, ErrorResponse, VerifyResponse } from "./types/passkey";
 import { ApiClientOptions } from "./types/shared";
 export declare class SecurityKeyApiClient {

package/dist/api/types/passkey.d.ts

@@ -1,4 +1,4 @@
-import { AuthenticationResponseJSON, AuthenticatorAttachment, PublicKeyCredentialCreationOptionsJSON, RegistrationResponseJSON } from "@simplewebauthn/types";
+import { AuthenticationResponseJSON, AuthenticatorAttachment, PublicKeyCredentialCreationOptionsJSON, RegistrationResponseJSON } from "@simplewebauthn/browser";
 import { Authenticator } from "./shared";
 export type RegistrationOptsRequest = {
     username?: string;
@@ -18,6 +18,7 @@ export type AuthenticationOptsResponse = {
 export type AddAuthenticatorRequest = {
     challengeId: string;
     registrationCredential: RegistrationResponseJSON;
+    conditionalCreate?: boolean;
 };
 export type AddAuthenticatorResponse = {
     isVerified: boolean;

package/dist/api/types/qr-code.d.ts

@@ -0,0 +1,10 @@
+export type QrCodeChallengeResponse = {
+    challengeId: string;
+    deviceCode: string;
+};
+export type QrCodeVerifyResponse = {
+    isClaimed: boolean;
+    isVerified: boolean;
+    isConsumed: boolean;
+    token?: string;
+};

package/dist/api/types/shared.d.ts

@@ -1,4 +1,4 @@
-import { CredentialDeviceType } from "@simplewebauthn/types";
+import { CredentialDeviceType } from "@simplewebauthn/browser";
 export type ApiClientOptions = {
     baseUrl: string;
     tenantId: string;
@@ -37,7 +37,8 @@ export declare enum VerificationMethod {
     VERIFF = "VERIFF",
     IPROOV = "IPROOV",
     PALM_BIOMETRICS_RR = "PALM_BIOMETRICS_RR",
-    IDVERSE = "IDVERSE"
+    IDVERSE = "IDVERSE",
+    DEVICE = "DEVICE"
 }
 declare enum SmsChannel {
     "DEFAULT" = "DEFAULT",

package/dist/authsignal.d.ts

@@ -5,6 +5,7 @@ import { Email } from "./email";
 import { Sms } from "./sms";
 import { EmailMagicLink } from "./email-magic-link";
 import { SecurityKey } from "./security-key";
+import { QrCode } from "./qr-code";
 export declare class Authsignal {
     anonymousId: string;
     profilingId: string;
@@ -16,6 +17,7 @@ export declare class Authsignal {
     emailML: EmailMagicLink;
     sms: Sms;
     securityKey: SecurityKey;
+    qrCode: QrCode;
     constructor({ cookieDomain, cookieName, baseUrl, tenantId, onTokenExpired, }: AuthsignalOptions);
     setToken(token: string): void;
     launch(url: string, options?: {

package/dist/index.d.ts

@@ -2,3 +2,4 @@ export * from "./authsignal";
 export * from "./types";
 export type { Authenticator, VerificationMethod, EnrollResponse, ChallengeResponse } from "./api/types/shared";
 export type { EnrollTotpResponse } from "./api/types/totp";
+export type { QrCodeChallengeResponse, QrCodeVerifyResponse } from "./api/types/qr-code";

package/dist/index.js

@@ -139,7 +139,12 @@ function __generator(thisArg, body) {
     }
 }
 
-/* [@simplewebauthn/browser@11.0.0] */
+/**
+ * Convert the given array buffer into a Base64URL-encoded string. Ideal for converting various
+ * credential response ArrayBuffers to string for sending back to the server as JSON.
+ *
+ * Helper method to compliment `base64URLStringToBuffer`
+ */
 function bufferToBase64URLString(buffer) {
     const bytes = new Uint8Array(buffer);
     let str = '';
@@ -150,11 +155,28 @@ function bufferToBase64URLString(buffer) {
     return base64String.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
 }
 
+/**
+ * Convert from a Base64URL-encoded string to an Array Buffer. Best used when converting a
+ * credential ID from a JSON string to an ArrayBuffer, like in allowCredentials or
+ * excludeCredentials
+ *
+ * Helper method to compliment `bufferToBase64URLString`
+ */
 function base64URLStringToBuffer(base64URLString) {
+    // Convert from Base64URL to Base64
     const base64 = base64URLString.replace(/-/g, '+').replace(/_/g, '/');
+    /**
+     * Pad with '=' until it's a multiple of four
+     * (4 - (85 % 4 = 1) = 3) % 4 = 3 padding
+     * (4 - (86 % 4 = 2) = 2) % 4 = 2 padding
+     * (4 - (87 % 4 = 3) = 1) % 4 = 1 padding
+     * (4 - (88 % 4 = 0) = 4) % 4 = 0 padding
+     */
     const padLength = (4 - (base64.length % 4)) % 4;
     const padded = base64.padEnd(base64.length + padLength, '=');
+    // Convert to a binary string
     const binary = atob(padded);
+    // Convert binary string to buffer
     const buffer = new ArrayBuffer(binary.length);
     const bytes = new Uint8Array(buffer);
     for (let i = 0; i < binary.length; i++) {
@@ -163,33 +185,85 @@ function base64URLStringToBuffer(base64URLString) {
     return buffer;
 }
 
+/**
+ * Determine if the browser is capable of Webauthn
+ */
 function browserSupportsWebAuthn() {
-    return (window?.PublicKeyCredential !== undefined &&
-        typeof window.PublicKeyCredential === 'function');
+    return _browserSupportsWebAuthnInternals.stubThis(globalThis?.PublicKeyCredential !== undefined &&
+        typeof globalThis.PublicKeyCredential === 'function');
 }
+/**
+ * Make it possible to stub the return value during testing
+ * @ignore Don't include this in docs output
+ */
+const _browserSupportsWebAuthnInternals = {
+    stubThis: (value) => value,
+};
 
 function toPublicKeyCredentialDescriptor(descriptor) {
     const { id } = descriptor;
     return {
         ...descriptor,
         id: base64URLStringToBuffer(id),
+        /**
+         * `descriptor.transports` is an array of our `AuthenticatorTransportFuture` that includes newer
+         * transports that TypeScript's DOM lib is ignorant of. Convince TS that our list of transports
+         * are fine to pass to WebAuthn since browsers will recognize the new value.
+         */
         transports: descriptor.transports,
     };
 }
 
+/**
+ * A simple test to determine if a hostname is a properly-formatted domain name
+ *
+ * A "valid domain" is defined here: https://url.spec.whatwg.org/#valid-domain
+ *
+ * Regex sourced from here:
+ * https://www.oreilly.com/library/view/regular-expressions-cookbook/9781449327453/ch08s15.html
+ */
 function isValidDomain(hostname) {
-    return (hostname === 'localhost' ||
+    return (
+    // Consider localhost valid as well since it's okay wrt Secure Contexts
+    hostname === 'localhost' ||
         /^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$/i.test(hostname));
 }
 
+/**
+ * A custom Error used to return a more nuanced error detailing _why_ one of the eight documented
+ * errors in the spec was raised after calling `navigator.credentials.create()` or
+ * `navigator.credentials.get()`:
+ *
+ * - `AbortError`
+ * - `ConstraintError`
+ * - `InvalidStateError`
+ * - `NotAllowedError`
+ * - `NotSupportedError`
+ * - `SecurityError`
+ * - `TypeError`
+ * - `UnknownError`
+ *
+ * Error messages were determined through investigation of the spec to determine under which
+ * scenarios a given error would be raised.
+ */
 class WebAuthnError extends Error {
     constructor({ message, code, cause, name, }) {
+        // @ts-ignore: help Rollup understand that `cause` is okay to set
         super(message, { cause });
+        Object.defineProperty(this, "code", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
         this.name = name ?? cause.name;
         this.code = code;
     }
 }
 
+/**
+ * Attempt to intuit _why_ an error was raised after calling `navigator.credentials.create()`
+ */
 function identifyRegistrationError({ error, options, }) {
     const { publicKey } = options;
     if (!publicKey) {
@@ -197,6 +271,7 @@ function identifyRegistrationError({ error, options, }) {
     }
     if (error.name === 'AbortError') {
         if (options.signal instanceof AbortSignal) {
+            // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 16)
             return new WebAuthnError({
                 message: 'Registration ceremony was sent an abort signal',
                 code: 'ERROR_CEREMONY_ABORTED',
@@ -206,14 +281,18 @@ function identifyRegistrationError({ error, options, }) {
     }
     else if (error.name === 'ConstraintError') {
         if (publicKey.authenticatorSelection?.requireResidentKey === true) {
+            // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 4)
             return new WebAuthnError({
                 message: 'Discoverable credentials were required but no available authenticator supported it',
                 code: 'ERROR_AUTHENTICATOR_MISSING_DISCOVERABLE_CREDENTIAL_SUPPORT',
                 cause: error,
             });
         }
-        else if (options.mediation === 'conditional' &&
+        else if (
+        // @ts-ignore: `mediation` doesn't yet exist on CredentialCreationOptions but it's possible as of Sept 2024
+        options.mediation === 'conditional' &&
             publicKey.authenticatorSelection?.userVerification === 'required') {
+            // https://w3c.github.io/webauthn/#sctn-createCredential (Step 22.4)
             return new WebAuthnError({
                 message: 'User verification was required during automatic registration but it could not be performed',
                 code: 'ERROR_AUTO_REGISTER_USER_VERIFICATION_FAILURE',
@@ -221,6 +300,7 @@ function identifyRegistrationError({ error, options, }) {
             });
         }
         else if (publicKey.authenticatorSelection?.userVerification === 'required') {
+            // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 5)
             return new WebAuthnError({
                 message: 'User verification was required but no available authenticator supported it',
                 code: 'ERROR_AUTHENTICATOR_MISSING_USER_VERIFICATION_SUPPORT',
@@ -229,6 +309,8 @@ function identifyRegistrationError({ error, options, }) {
         }
     }
     else if (error.name === 'InvalidStateError') {
+        // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 20)
+        // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 3)
         return new WebAuthnError({
             message: 'The authenticator was previously registered',
             code: 'ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED',
@@ -236,6 +318,10 @@ function identifyRegistrationError({ error, options, }) {
         });
     }
     else if (error.name === 'NotAllowedError') {
+        /**
+         * Pass the error directly through. Platforms are overloading this error beyond what the spec
+         * defines and we don't want to overwrite potentially useful error messages.
+         */
         return new WebAuthnError({
             message: error.message,
             code: 'ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY',
@@ -245,12 +331,14 @@ function identifyRegistrationError({ error, options, }) {
     else if (error.name === 'NotSupportedError') {
         const validPubKeyCredParams = publicKey.pubKeyCredParams.filter((param) => param.type === 'public-key');
         if (validPubKeyCredParams.length === 0) {
+            // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 10)
             return new WebAuthnError({
                 message: 'No entry in pubKeyCredParams was of type "public-key"',
                 code: 'ERROR_MALFORMED_PUBKEYCREDPARAMS',
                 cause: error,
             });
         }
+        // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 2)
         return new WebAuthnError({
             message: 'No available authenticator supported any of the specified pubKeyCredParams algorithms',
             code: 'ERROR_AUTHENTICATOR_NO_SUPPORTED_PUBKEYCREDPARAMS_ALG',
@@ -258,15 +346,17 @@ function identifyRegistrationError({ error, options, }) {
         });
     }
     else if (error.name === 'SecurityError') {
-        const effectiveDomain = window.location.hostname;
+        const effectiveDomain = globalThis.location.hostname;
         if (!isValidDomain(effectiveDomain)) {
+            // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 7)
             return new WebAuthnError({
-                message: `${window.location.hostname} is an invalid domain`,
+                message: `${globalThis.location.hostname} is an invalid domain`,
                 code: 'ERROR_INVALID_DOMAIN',
                 cause: error,
             });
         }
         else if (publicKey.rp.id !== effectiveDomain) {
+            // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 8)
             return new WebAuthnError({
                 message: `The RP ID "${publicKey.rp.id}" is invalid for this domain`,
                 code: 'ERROR_INVALID_RP_ID',
@@ -276,6 +366,7 @@ function identifyRegistrationError({ error, options, }) {
     }
     else if (error.name === 'TypeError') {
         if (publicKey.user.id.byteLength < 1 || publicKey.user.id.byteLength > 64) {
+            // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 5)
             return new WebAuthnError({
                 message: 'User ID was not between 1 and 64 characters',
                 code: 'ERROR_INVALID_USER_ID_LENGTH',
@@ -284,6 +375,8 @@ function identifyRegistrationError({ error, options, }) {
         }
     }
     else if (error.name === 'UnknownError') {
+        // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 1)
+        // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 8)
         return new WebAuthnError({
             message: 'The authenticator was unable to process the specified options, or could not create a new credential',
             code: 'ERROR_AUTHENTICATOR_GENERAL_ERROR',
@@ -294,7 +387,16 @@ function identifyRegistrationError({ error, options, }) {
 }
 
 class BaseWebAuthnAbortService {
+    constructor() {
+        Object.defineProperty(this, "controller", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+    }
     createNewAbortSignal() {
+        // Abort any existing calls to navigator.credentials.create() or navigator.credentials.get()
         if (this.controller) {
             const abortError = new Error('Cancelling existing WebAuthn API call for new one');
             abortError.name = 'AbortError';
@@ -313,9 +415,19 @@ class BaseWebAuthnAbortService {
         }
     }
 }
+/**
+ * A service singleton to help ensure that only a single WebAuthn ceremony is active at a time.
+ *
+ * Users of **@simplewebauthn/browser** shouldn't typically need to use this, but it can help e.g.
+ * developers building projects that use client-side routing to better control the behavior of
+ * their UX in response to router navigation events.
+ */
 const WebAuthnAbortService = new BaseWebAuthnAbortService();
 
 const attachments = ['cross-platform', 'platform'];
+/**
+ * If possible coerce a `string` value into a known `AuthenticatorAttachment`
+ */
 function toAuthenticatorAttachment(attachment) {
     if (!attachment) {
         return;
@@ -326,11 +438,24 @@ function toAuthenticatorAttachment(attachment) {
     return attachment;
 }
 
+/**
+ * Begin authenticator "registration" via WebAuthn attestation
+ *
+ * @param optionsJSON Output from **@simplewebauthn/server**'s `generateRegistrationOptions()`
+ * @param useAutoRegister (Optional) Try to silently create a passkey with the password manager that the user just signed in with. Defaults to `false`.
+ */
 async function startRegistration(options) {
+    // @ts-ignore: Intentionally check for old call structure to warn about improper API call
+    if (!options.optionsJSON && options.challenge) {
+        console.warn('startRegistration() was not called correctly. It will try to continue with the provided options, but this call should be refactored to use the expected call structure instead. See https://simplewebauthn.dev/docs/packages/browser#typeerror-cannot-read-properties-of-undefined-reading-challenge for more information.');
+        // @ts-ignore: Reassign the options, passed in as a positional argument, to the expected variable
+        options = { optionsJSON: options };
+    }
     const { optionsJSON, useAutoRegister = false } = options;
     if (!browserSupportsWebAuthn()) {
         throw new Error('WebAuthn is not supported in this browser');
     }
+    // We need to convert some values to Uint8Arrays before passing the credentials to the navigator
     const publicKey = {
         ...optionsJSON,
         challenge: base64URLStringToBuffer(optionsJSON.challenge),
@@ -340,12 +465,22 @@ async function startRegistration(options) {
         },
         excludeCredentials: optionsJSON.excludeCredentials?.map(toPublicKeyCredentialDescriptor),
     };
+    // Prepare options for `.create()`
     const createOptions = {};
+    /**
+     * Try to use conditional create to register a passkey for the user with the password manager
+     * the user just used to authenticate with. The user won't be shown any prominent UI by the
+     * browser.
+     */
     if (useAutoRegister) {
+        // @ts-ignore: `mediation` doesn't yet exist on CredentialCreationOptions but it's possible as of Sept 2024
         createOptions.mediation = 'conditional';
     }
+    // Finalize options
     createOptions.publicKey = publicKey;
+    // Set up the ability to cancel this request if the user attempts another
     createOptions.signal = WebAuthnAbortService.createNewAbortSignal();
+    // Wait for the user to complete attestation
     let credential;
     try {
         credential = (await navigator.credentials.create(createOptions));
@@ -357,10 +492,12 @@ async function startRegistration(options) {
         throw new Error('Registration was not completed');
     }
     const { id, rawId, response, type } = credential;
+    // Continue to play it safe with `getTransports()` for now, even when L3 types say it's required
     let transports = undefined;
     if (typeof response.getTransports === 'function') {
         transports = response.getTransports();
     }
+    // L3 says this is required, but browser and webview support are still not guaranteed.
     let responsePublicKeyAlgorithm = undefined;
     if (typeof response.getPublicKeyAlgorithm === 'function') {
         try {
@@ -382,6 +519,7 @@ async function startRegistration(options) {
             warnOnBrokenImplementation('getPublicKey()', error);
         }
     }
+    // L3 says this is required, but browser and webview support are still not guaranteed.
     let responseAuthenticatorData;
     if (typeof response.getAuthenticatorData === 'function') {
         try {
@@ -407,22 +545,43 @@ async function startRegistration(options) {
         authenticatorAttachment: toAuthenticatorAttachment(credential.authenticatorAttachment),
     };
 }
+/**
+ * Visibly warn when we detect an issue related to a passkey provider intercepting WebAuthn API
+ * calls
+ */
 function warnOnBrokenImplementation(methodName, cause) {
     console.warn(`The browser extension that intercepted this WebAuthn API call incorrectly implemented ${methodName}. You should report this error to them.\n`, cause);
 }
 
+/**
+ * Determine if the browser supports conditional UI, so that WebAuthn credentials can
+ * be shown to the user in the browser's typical password autofill popup.
+ */
 function browserSupportsWebAuthnAutofill() {
     if (!browserSupportsWebAuthn()) {
-        return new Promise((resolve) => resolve(false));
+        return _browserSupportsWebAuthnAutofillInternals.stubThis(new Promise((resolve) => resolve(false)));
     }
-    const globalPublicKeyCredential = window
+    /**
+     * I don't like the `as unknown` here but there's a `declare var PublicKeyCredential` in
+     * TS' DOM lib that's making it difficult for me to just go `as PublicKeyCredentialFuture` as I
+     * want. I think I'm fine with this for now since it's _supposed_ to be temporary, until TS types
+     * have a chance to catch up.
+     */
+    const globalPublicKeyCredential = globalThis
         .PublicKeyCredential;
-    if (globalPublicKeyCredential.isConditionalMediationAvailable === undefined) {
-        return new Promise((resolve) => resolve(false));
+    if (globalPublicKeyCredential?.isConditionalMediationAvailable === undefined) {
+        return _browserSupportsWebAuthnAutofillInternals.stubThis(new Promise((resolve) => resolve(false)));
     }
-    return globalPublicKeyCredential.isConditionalMediationAvailable();
+    return _browserSupportsWebAuthnAutofillInternals.stubThis(globalPublicKeyCredential.isConditionalMediationAvailable());
 }
+// Make it possible to stub the return value during testing
+const _browserSupportsWebAuthnAutofillInternals = {
+    stubThis: (value) => value,
+};
 
+/**
+ * Attempt to intuit _why_ an error was raised after calling `navigator.credentials.get()`
+ */
 function identifyAuthenticationError({ error, options, }) {
     const { publicKey } = options;
     if (!publicKey) {
@@ -430,6 +589,7 @@ function identifyAuthenticationError({ error, options, }) {
     }
     if (error.name === 'AbortError') {
         if (options.signal instanceof AbortSignal) {
+            // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 16)
             return new WebAuthnError({
                 message: 'Authentication ceremony was sent an abort signal',
                 code: 'ERROR_CEREMONY_ABORTED',
@@ -438,6 +598,10 @@ function identifyAuthenticationError({ error, options, }) {
         }
     }
     else if (error.name === 'NotAllowedError') {
+        /**
+         * Pass the error directly through. Platforms are overloading this error beyond what the spec
+         * defines and we don't want to overwrite potentially useful error messages.
+         */
         return new WebAuthnError({
             message: error.message,
             code: 'ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY',
@@ -445,15 +609,17 @@ function identifyAuthenticationError({ error, options, }) {
         });
     }
     else if (error.name === 'SecurityError') {
-        const effectiveDomain = window.location.hostname;
+        const effectiveDomain = globalThis.location.hostname;
         if (!isValidDomain(effectiveDomain)) {
+            // https://www.w3.org/TR/webauthn-2/#sctn-discover-from-external-source (Step 5)
             return new WebAuthnError({
-                message: `${window.location.hostname} is an invalid domain`,
+                message: `${globalThis.location.hostname} is an invalid domain`,
                 code: 'ERROR_INVALID_DOMAIN',
                 cause: error,
             });
         }
         else if (publicKey.rpId !== effectiveDomain) {
+            // https://www.w3.org/TR/webauthn-2/#sctn-discover-from-external-source (Step 6)
             return new WebAuthnError({
                 message: `The RP ID "${publicKey.rpId}" is invalid for this domain`,
                 code: 'ERROR_INVALID_RP_ID',
@@ -462,6 +628,8 @@ function identifyAuthenticationError({ error, options, }) {
         }
     }
     else if (error.name === 'UnknownError') {
+        // https://www.w3.org/TR/webauthn-2/#sctn-op-get-assertion (Step 1)
+        // https://www.w3.org/TR/webauthn-2/#sctn-op-get-assertion (Step 12)
         return new WebAuthnError({
             message: 'The authenticator was unable to process the specified options, or could not create a new assertion signature',
             code: 'ERROR_AUTHENTICATOR_GENERAL_ERROR',
@@ -471,34 +639,63 @@ function identifyAuthenticationError({ error, options, }) {
     return error;
 }
 
+/**
+ * Begin authenticator "login" via WebAuthn assertion
+ *
+ * @param optionsJSON Output from **@simplewebauthn/server**'s `generateAuthenticationOptions()`
+ * @param useBrowserAutofill (Optional) Initialize conditional UI to enable logging in via browser autofill prompts. Defaults to `false`.
+ * @param verifyBrowserAutofillInput (Optional) Ensure a suitable `<input>` element is present when `useBrowserAutofill` is `true`. Defaults to `true`.
+ */
 async function startAuthentication(options) {
+    // @ts-ignore: Intentionally check for old call structure to warn about improper API call
+    if (!options.optionsJSON && options.challenge) {
+        console.warn('startAuthentication() was not called correctly. It will try to continue with the provided options, but this call should be refactored to use the expected call structure instead. See https://simplewebauthn.dev/docs/packages/browser#typeerror-cannot-read-properties-of-undefined-reading-challenge for more information.');
+        // @ts-ignore: Reassign the options, passed in as a positional argument, to the expected variable
+        options = { optionsJSON: options };
+    }
     const { optionsJSON, useBrowserAutofill = false, verifyBrowserAutofillInput = true, } = options;
     if (!browserSupportsWebAuthn()) {
         throw new Error('WebAuthn is not supported in this browser');
     }
+    // We need to avoid passing empty array to avoid blocking retrieval
+    // of public key
     let allowCredentials;
     if (optionsJSON.allowCredentials?.length !== 0) {
         allowCredentials = optionsJSON.allowCredentials?.map(toPublicKeyCredentialDescriptor);
     }
+    // We need to convert some values to Uint8Arrays before passing the credentials to the navigator
     const publicKey = {
         ...optionsJSON,
         challenge: base64URLStringToBuffer(optionsJSON.challenge),
         allowCredentials,
     };
+    // Prepare options for `.get()`
     const getOptions = {};
+    /**
+     * Set up the page to prompt the user to select a credential for authentication via the browser's
+     * input autofill mechanism.
+     */
     if (useBrowserAutofill) {
         if (!(await browserSupportsWebAuthnAutofill())) {
             throw Error('Browser does not support WebAuthn autofill');
         }
+        // Check for an <input> with "webauthn" in its `autocomplete` attribute
         const eligibleInputs = document.querySelectorAll("input[autocomplete$='webauthn']");
+        // WebAuthn autofill requires at least one valid input
         if (eligibleInputs.length < 1 && verifyBrowserAutofillInput) {
             throw Error('No <input> with "webauthn" as the only or last value in its `autocomplete` attribute was detected');
         }
+        // `CredentialMediationRequirement` doesn't know about "conditional" yet as of
+        // typescript@4.6.3
         getOptions.mediation = 'conditional';
+        // Conditional UI requires an empty allow list
         publicKey.allowCredentials = [];
     }
+    // Finalize options
     getOptions.publicKey = publicKey;
+    // Set up the ability to cancel this request if the user attempts another
     getOptions.signal = WebAuthnAbortService.createNewAbortSignal();
+    // Wait for the user to complete assertion
     let credential;
     try {
         credential = (await navigator.credentials.get(getOptions));
@@ -514,6 +711,7 @@ async function startAuthentication(options) {
     if (response.userHandle) {
         userHandle = bufferToBase64URLString(response.userHandle);
     }
+    // Convert values to base64 to make it easier to send back to the server
     return {
         id,
         rawId: bufferToBase64URLString(rawId),
@@ -670,13 +868,14 @@ var PasskeyApiClient = /** @class */ (function () {
     PasskeyApiClient.prototype.addAuthenticator = function (_a) {
         return __awaiter(this, arguments, void 0, function (_b) {
             var body, response, responseJson;
-            var token = _b.token, challengeId = _b.challengeId, registrationCredential = _b.registrationCredential;
+            var token = _b.token, challengeId = _b.challengeId, registrationCredential = _b.registrationCredential, conditionalCreate = _b.conditionalCreate;
             return __generator(this, function (_c) {
                 switch (_c.label) {
                     case 0:
                         body = {
                             challengeId: challengeId,
                             registrationCredential: registrationCredential,
+                            conditionalCreate: conditionalCreate,
                         };
                         return [4 /*yield*/, fetch("".concat(this.baseUrl, "/client/user-authenticators/passkey"), {
                                 method: "POST",
@@ -799,6 +998,14 @@ var Passkey = /** @class */ (function () {
                         if (!userToken) {
                             return [2 /*return*/, this.cache.handleTokenNotSetError()];
                         }
+                        if (!useAutoRegister) return [3 /*break*/, 2];
+                        return [4 /*yield*/, this.doesBrowserSupportConditionalCreate()];
+                    case 1:
+                        if (!(_e.sent())) {
+                            throw new Error("CONDITIONAL_CREATE_NOT_SUPPORTED");
+                        }
+                        _e.label = 2;
+                    case 2:
                         optionsInput = {
                             username: username,
                             displayName: displayName,
@@ -806,23 +1013,24 @@ var Passkey = /** @class */ (function () {
                             authenticatorAttachment: authenticatorAttachment,
                         };
                         return [4 /*yield*/, this.api.registrationOptions(optionsInput)];
-                    case 1:
+                    case 3:
                         optionsResponse = _e.sent();
                         if ("error" in optionsResponse) {
                             return [2 /*return*/, handleErrorResponse(optionsResponse)];
                         }
-                        _e.label = 2;
-                    case 2:
-                        _e.trys.push([2, 5, , 6]);
+                        _e.label = 4;
+                    case 4:
+                        _e.trys.push([4, 7, , 8]);
                         return [4 /*yield*/, startRegistration({ optionsJSON: optionsResponse.options, useAutoRegister: useAutoRegister })];
-                    case 3:
+                    case 5:
                         registrationResponse = _e.sent();
                         return [4 /*yield*/, this.api.addAuthenticator({
                                 challengeId: optionsResponse.challengeId,
                                 registrationCredential: registrationResponse,
                                 token: userToken,
+                                conditionalCreate: useAutoRegister,
                             })];
-                    case 4:
+                    case 6:
                         addAuthenticatorResponse = _e.sent();
                         if ("error" in addAuthenticatorResponse) {
                             return [2 /*return*/, handleErrorResponse(addAuthenticatorResponse)];
@@ -840,12 +1048,12 @@ var Passkey = /** @class */ (function () {
                                     registrationResponse: registrationResponse,
                                 },
                             }];
-                    case 5:
+                    case 7:
                         e_1 = _e.sent();
                         autofillRequestPending = false;
                         handleWebAuthnError(e_1);
                         throw e_1;
-                    case 6: return [2 /*return*/];
+                    case 8: return [2 /*return*/];
                 }
             });
         });
@@ -999,6 +1207,25 @@ var Passkey = /** @class */ (function () {
         }
         localStorage.setItem(this.passkeyLocalStorageKey, JSON.stringify(credentialsMap));
     };
+    Passkey.prototype.doesBrowserSupportConditionalCreate = function () {
+        return __awaiter(this, void 0, void 0, function () {
+            var capabilities;
+            return __generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0:
+                        if (!(window.PublicKeyCredential && PublicKeyCredential.getClientCapabilities)) return [3 /*break*/, 2];
+                        return [4 /*yield*/, PublicKeyCredential.getClientCapabilities()];
+                    case 1:
+                        capabilities = _a.sent();
+                        if (capabilities.conditionalCreate) {
+                            return [2 /*return*/, true];
+                        }
+                        _a.label = 2;
+                    case 2: return [2 /*return*/, false];
+                }
+            });
+        });
+    };
     return Passkey;
 }());
 
@@ -2338,6 +2565,97 @@ var SecurityKey = /** @class */ (function () {
     return SecurityKey;
 }());
 
+var QrCodeApiClient = /** @class */ (function () {
+    function QrCodeApiClient(_a) {
+        var baseUrl = _a.baseUrl, tenantId = _a.tenantId;
+        this.tenantId = tenantId;
+        this.baseUrl = baseUrl;
+    }
+    QrCodeApiClient.prototype.challenge = function (_a) {
+        return __awaiter(this, arguments, void 0, function (_b) {
+            var body, response, responseJson;
+            var action = _b.action;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
+                    case 0:
+                        body = { action: action };
+                        return [4 /*yield*/, fetch("".concat(this.baseUrl, "/client/challenge/qr-code"), {
+                                method: "POST",
+                                headers: buildHeaders({ tenantId: this.tenantId }),
+                                body: JSON.stringify(body),
+                            })];
+                    case 1:
+                        response = _c.sent();
+                        return [4 /*yield*/, response.json()];
+                    case 2:
+                        responseJson = _c.sent();
+                        return [2 /*return*/, responseJson];
+                }
+            });
+        });
+    };
+    QrCodeApiClient.prototype.verify = function (_a) {
+        return __awaiter(this, arguments, void 0, function (_b) {
+            var body, response, responseJson;
+            var challengeId = _b.challengeId, deviceCode = _b.deviceCode;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
+                    case 0:
+                        body = { challengeId: challengeId, deviceCode: deviceCode };
+                        return [4 /*yield*/, fetch("".concat(this.baseUrl, "/client/verify/qr-code"), {
+                                method: "POST",
+                                headers: buildHeaders({ tenantId: this.tenantId }),
+                                body: JSON.stringify(body),
+                            })];
+                    case 1:
+                        response = _c.sent();
+                        return [4 /*yield*/, response.json()];
+                    case 2:
+                        responseJson = _c.sent();
+                        return [2 /*return*/, responseJson];
+                }
+            });
+        });
+    };
+    return QrCodeApiClient;
+}());
+
+var QrCode = /** @class */ (function () {
+    function QrCode(_a) {
+        var baseUrl = _a.baseUrl, tenantId = _a.tenantId;
+        this.api = new QrCodeApiClient({ baseUrl: baseUrl, tenantId: tenantId });
+    }
+    QrCode.prototype.challenge = function (_a) {
+        return __awaiter(this, arguments, void 0, function (_b) {
+            var response;
+            var action = _b.action;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
+                    case 0: return [4 /*yield*/, this.api.challenge({ action: action })];
+                    case 1:
+                        response = _c.sent();
+                        return [2 /*return*/, handleApiResponse(response)];
+                }
+            });
+        });
+    };
+    QrCode.prototype.verify = function (_a) {
+        return __awaiter(this, arguments, void 0, function (_b) {
+            var response;
+            var challengeId = _b.challengeId, deviceCode = _b.deviceCode;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
+                    case 0: return [4 /*yield*/, this.api.verify({ challengeId: challengeId, deviceCode: deviceCode })];
+                    case 1:
+                        response = _c.sent();
+                        return [2 /*return*/, handleApiResponse(response)];
+                }
+            });
+        });
+    };
+    return QrCode;
+}());
+
 var DEFAULT_COOKIE_NAME = "__as_aid";
 var DEFAULT_PROFILING_COOKIE_NAME = "__as_pid";
 var DEFAULT_BASE_URL = "https://api.authsignal.com/v1";
@@ -2374,6 +2692,7 @@ var Authsignal = /** @class */ (function () {
         this.emailML = new EmailMagicLink({ tenantId: tenantId, baseUrl: baseUrl, onTokenExpired: onTokenExpired });
         this.sms = new Sms({ tenantId: tenantId, baseUrl: baseUrl, onTokenExpired: onTokenExpired });
         this.securityKey = new SecurityKey({ tenantId: tenantId, baseUrl: baseUrl, onTokenExpired: onTokenExpired });
+        this.qrCode = new QrCode({ tenantId: tenantId, baseUrl: baseUrl });
     }
     Authsignal.prototype.setToken = function (token) {
         TokenCache.shared.token = token;

package/dist/index.min.js

@@ -1 +1 @@
-var authsignal=function(e){"use strict";let t;const n=new Uint8Array(16);function o(){if(!t&&(t="undefined"!=typeof crypto&&crypto.getRandomValues&&crypto.getRandomValues.bind(crypto),!t))throw new Error("crypto.getRandomValues() not supported. See https://github.com/uuidjs/uuid#getrandomvalues-not-supported");return t(n)}const r=[];for(let e=0;e<256;++e)r.push((e+256).toString(16).slice(1));var i={randomUUID:"undefined"!=typeof crypto&&crypto.randomUUID&&crypto.randomUUID.bind(crypto)};function s(e,t,n){if(i.randomUUID&&!t&&!e)return i.randomUUID();const s=(e=e||{}).random||(e.rng||o)();if(s[6]=15&s[6]|64,s[8]=63&s[8]|128,t){n=n||0;for(let e=0;e<16;++e)t[n+e]=s[e];return t}return function(e,t=0){return(r[e[t+0]]+r[e[t+1]]+r[e[t+2]]+r[e[t+3]]+"-"+r[e[t+4]]+r[e[t+5]]+"-"+r[e[t+6]]+r[e[t+7]]+"-"+r[e[t+8]]+r[e[t+9]]+"-"+r[e[t+10]]+r[e[t+11]]+r[e[t+12]]+r[e[t+13]]+r[e[t+14]]+r[e[t+15]]).toLowerCase()}(s)}var a=function(){return a=Object.assign||function(e){for(var t,n=1,o=arguments.length;n<o;n++)for(var r in t=arguments[n])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e},a.apply(this,arguments)};function c(e,t,n,o){return new(n||(n=Promise))((function(r,i){function s(e){try{c(o.next(e))}catch(e){i(e)}}function a(e){try{c(o.throw(e))}catch(e){i(e)}}function c(e){var t;e.done?r(e.value):(t=e.value,t instanceof n?t:new n((function(e){e(t)}))).then(s,a)}c((o=o.apply(e,t||[])).next())}))}function u(e,t){var n,o,r,i,s={label:0,sent:function(){if(1&r[0])throw r[1];return r[1]},trys:[],ops:[]};return i={next:a(0),throw:a(1),return:a(2)},"function"==typeof Symbol&&(i[Symbol.iterator]=function(){return this}),i;function a(i){return function(a){return function(i){if(n)throw new TypeError("Generator is already executing.");for(;s;)try{if(n=1,o&&(r=2&i[0]?o.return:i[0]?o.throw||((r=o.return)&&r.call(o),0):o.next)&&!(r=r.call(o,i[1])).done)return r;switch(o=0,r&&(i=[2&i[0],r.value]),i[0]){case 0:case 1:r=i;break;case 4:return s.label++,{value:i[1],done:!1};case 5:s.label++,o=i[1],i=[0];continue;case 7:i=s.ops.pop(),s.trys.pop();continue;default:if(!(r=s.trys,(r=r.length>0&&r[r.length-1])||6!==i[0]&&2!==i[0])){s=0;continue}if(3===i[0]&&(!r||i[1]>r[0]&&i[1]<r[3])){s.label=i[1];break}if(6===i[0]&&s.label<r[1]){s.label=r[1],r=i;break}if(r&&s.label<r[2]){s.label=r[2],s.ops.push(i);break}r[2]&&s.ops.pop(),s.trys.pop();continue}i=t.call(e,s)}catch(e){i=[6,e],o=0}finally{n=r=0}if(5&i[0])throw i[1];return{value:i[0]?i[1]:void 0,done:!0}}([i,a])}}}function h(e){const t=new Uint8Array(e);let n="";for(const e of t)n+=String.fromCharCode(e);return btoa(n).replace(/\+/g,"-").replace(/\//g,"_").replace(/=/g,"")}function l(e){const t=e.replace(/-/g,"+").replace(/_/g,"/"),n=(4-t.length%4)%4,o=t.padEnd(t.length+n,"="),r=atob(o),i=new ArrayBuffer(r.length),s=new Uint8Array(i);for(let e=0;e<r.length;e++)s[e]=r.charCodeAt(e);return i}function d(){return void 0!==window?.PublicKeyCredential&&"function"==typeof window.PublicKeyCredential}function p(e){const{id:t}=e;return{...e,id:l(t),transports:e.transports}}function f(e){return"localhost"===e||/^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$/i.test(e)}class y extends Error{constructor({message:e,code:t,cause:n,name:o}){super(e,{cause:n}),this.name=o??n.name,this.code=t}}const m=new class{createNewAbortSignal(){if(this.controller){const e=new Error("Cancelling existing WebAuthn API call for new one");e.name="AbortError",this.controller.abort(e)}const e=new AbortController;return this.controller=e,e.signal}cancelCeremony(){if(this.controller){const e=new Error("Manually cancelling existing WebAuthn API call");e.name="AbortError",this.controller.abort(e),this.controller=void 0}}},v=["cross-platform","platform"];function w(e){if(e&&!(v.indexOf(e)<0))return e}async function b(e){const{optionsJSON:t,useAutoRegister:n=!1}=e;if(!d())throw new Error("WebAuthn is not supported in this browser");const o={...t,challenge:l(t.challenge),user:{...t.user,id:l(t.user.id)},excludeCredentials:t.excludeCredentials?.map(p)},r={};let i;n&&(r.mediation="conditional"),r.publicKey=o,r.signal=m.createNewAbortSignal();try{i=await navigator.credentials.create(r)}catch(e){throw function({error:e,options:t}){const{publicKey:n}=t;if(!n)throw Error("options was missing required publicKey property");if("AbortError"===e.name){if(t.signal instanceof AbortSignal)return new y({message:"Registration ceremony was sent an abort signal",code:"ERROR_CEREMONY_ABORTED",cause:e})}else if("ConstraintError"===e.name){if(!0===n.authenticatorSelection?.requireResidentKey)return new y({message:"Discoverable credentials were required but no available authenticator supported it",code:"ERROR_AUTHENTICATOR_MISSING_DISCOVERABLE_CREDENTIAL_SUPPORT",cause:e});if("conditional"===t.mediation&&"required"===n.authenticatorSelection?.userVerification)return new y({message:"User verification was required during automatic registration but it could not be performed",code:"ERROR_AUTO_REGISTER_USER_VERIFICATION_FAILURE",cause:e});if("required"===n.authenticatorSelection?.userVerification)return new y({message:"User verification was required but no available authenticator supported it",code:"ERROR_AUTHENTICATOR_MISSING_USER_VERIFICATION_SUPPORT",cause:e})}else{if("InvalidStateError"===e.name)return new y({message:"The authenticator was previously registered",code:"ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED",cause:e});if("NotAllowedError"===e.name)return new y({message:e.message,code:"ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY",cause:e});if("NotSupportedError"===e.name)return 0===n.pubKeyCredParams.filter((e=>"public-key"===e.type)).length?new y({message:'No entry in pubKeyCredParams was of type "public-key"',code:"ERROR_MALFORMED_PUBKEYCREDPARAMS",cause:e}):new y({message:"No available authenticator supported any of the specified pubKeyCredParams algorithms",code:"ERROR_AUTHENTICATOR_NO_SUPPORTED_PUBKEYCREDPARAMS_ALG",cause:e});if("SecurityError"===e.name){const t=window.location.hostname;if(!f(t))return new y({message:`${window.location.hostname} is an invalid domain`,code:"ERROR_INVALID_DOMAIN",cause:e});if(n.rp.id!==t)return new y({message:`The RP ID "${n.rp.id}" is invalid for this domain`,code:"ERROR_INVALID_RP_ID",cause:e})}else if("TypeError"===e.name){if(n.user.id.byteLength<1||n.user.id.byteLength>64)return new y({message:"User ID was not between 1 and 64 characters",code:"ERROR_INVALID_USER_ID_LENGTH",cause:e})}else if("UnknownError"===e.name)return new y({message:"The authenticator was unable to process the specified options, or could not create a new credential",code:"ERROR_AUTHENTICATOR_GENERAL_ERROR",cause:e})}return e}({error:e,options:r})}if(!i)throw new Error("Registration was not completed");const{id:s,rawId:a,response:c,type:u}=i;let v,b,g,E;if("function"==typeof c.getTransports&&(v=c.getTransports()),"function"==typeof c.getPublicKeyAlgorithm)try{b=c.getPublicKeyAlgorithm()}catch(e){k("getPublicKeyAlgorithm()",e)}if("function"==typeof c.getPublicKey)try{const e=c.getPublicKey();null!==e&&(g=h(e))}catch(e){k("getPublicKey()",e)}if("function"==typeof c.getAuthenticatorData)try{E=h(c.getAuthenticatorData())}catch(e){k("getAuthenticatorData()",e)}return{id:s,rawId:h(a),response:{attestationObject:h(c.attestationObject),clientDataJSON:h(c.clientDataJSON),transports:v,publicKeyAlgorithm:b,publicKey:g,authenticatorData:E},type:u,clientExtensionResults:i.getClientExtensionResults(),authenticatorAttachment:w(i.authenticatorAttachment)}}function k(e,t){console.warn(`The browser extension that intercepted this WebAuthn API call incorrectly implemented ${e}. You should report this error to them.\n`,t)}async function g(e){const{optionsJSON:t,useBrowserAutofill:n=!1,verifyBrowserAutofillInput:o=!0}=e;if(!d())throw new Error("WebAuthn is not supported in this browser");let r;0!==t.allowCredentials?.length&&(r=t.allowCredentials?.map(p));const i={...t,challenge:l(t.challenge),allowCredentials:r},s={};if(n){if(!await function(){if(!d())return new Promise((e=>e(!1)));const e=window.PublicKeyCredential;return void 0===e.isConditionalMediationAvailable?new Promise((e=>e(!1))):e.isConditionalMediationAvailable()}())throw Error("Browser does not support WebAuthn autofill");if(document.querySelectorAll("input[autocomplete$='webauthn']").length<1&&o)throw Error('No <input> with "webauthn" as the only or last value in its `autocomplete` attribute was detected');s.mediation="conditional",i.allowCredentials=[]}let a;s.publicKey=i,s.signal=m.createNewAbortSignal();try{a=await navigator.credentials.get(s)}catch(e){throw function({error:e,options:t}){const{publicKey:n}=t;if(!n)throw Error("options was missing required publicKey property");if("AbortError"===e.name){if(t.signal instanceof AbortSignal)return new y({message:"Authentication ceremony was sent an abort signal",code:"ERROR_CEREMONY_ABORTED",cause:e})}else{if("NotAllowedError"===e.name)return new y({message:e.message,code:"ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY",cause:e});if("SecurityError"===e.name){const t=window.location.hostname;if(!f(t))return new y({message:`${window.location.hostname} is an invalid domain`,code:"ERROR_INVALID_DOMAIN",cause:e});if(n.rpId!==t)return new y({message:`The RP ID "${n.rpId}" is invalid for this domain`,code:"ERROR_INVALID_RP_ID",cause:e})}else if("UnknownError"===e.name)return new y({message:"The authenticator was unable to process the specified options, or could not create a new assertion signature",code:"ERROR_AUTHENTICATOR_GENERAL_ERROR",cause:e})}return e}({error:e,options:s})}if(!a)throw new Error("Authentication was not completed");const{id:c,rawId:u,response:v,type:b}=a;let k;return v.userHandle&&(k=h(v.userHandle)),{id:c,rawId:h(u),response:{authenticatorData:h(v.authenticatorData),clientDataJSON:h(v.clientDataJSON),signature:h(v.signature),userHandle:k},type:b,clientExtensionResults:a.getClientExtensionResults(),authenticatorAttachment:w(a.authenticatorAttachment)}}function E(e){var t=e.name,n=e.value,o=e.expire,r=e.domain,i=e.secure,s=o===1/0?" expires=Fri, 31 Dec 9999 23:59:59 GMT":"; max-age="+o;document.cookie=encodeURIComponent(t)+"="+n+"; path=/;"+s+(r?"; domain="+r:"")+(i?"; secure":"")}function T(e){var t,n=null!==(t=e.errorDescription)&&void 0!==t?t:e.error;return console.error(n),{error:n}}function I(e){var t;if(e&&"object"==typeof e&&"error"in e){var n=null!==(t=e.errorDescription)&&void 0!==t?t:e.error;return console.error(n),{error:n}}if(e&&"object"==typeof e&&"accessToken"in e&&"string"==typeof e.accessToken){var o=e.accessToken,r=function(e,t){var n={};for(var o in e)Object.prototype.hasOwnProperty.call(e,o)&&t.indexOf(o)<0&&(n[o]=e[o]);if(null!=e&&"function"==typeof Object.getOwnPropertySymbols){var r=0;for(o=Object.getOwnPropertySymbols(e);r<o.length;r++)t.indexOf(o[r])<0&&Object.prototype.propertyIsEnumerable.call(e,o[r])&&(n[o[r]]=e[o[r]])}return n}(e,["accessToken"]);return{data:a(a({},r),{token:o})}}return{data:e}}function A(e){var t,n;if(e instanceof y&&"ERROR_INVALID_RP_ID"===e.code){var o=(null===(n=null===(t=e.message)||void 0===t?void 0:t.match(/"([^"]*)"/))||void 0===n?void 0:n[1])||"";console.error('[Authsignal] The Relying Party ID "'.concat(o,'" is invalid for this domain.\n To learn more, visit https://docs.authsignal.com/scenarios/passkeys-prebuilt-ui#defining-the-relying-party'))}}function S(e){var t=e.token,n=e.tenantId;return{"Content-Type":"application/json",Authorization:t?"Bearer ".concat(t):"Basic ".concat(window.btoa(encodeURIComponent(n)))}}function R(e){var t=e.response,n=e.onTokenExpired;"error"in t&&"expired_token"===t.errorCode&&n&&n()}e.AuthsignalWindowMessage=void 0,(e.AuthsignalWindowMessage||(e.AuthsignalWindowMessage={})).AUTHSIGNAL_CLOSE_POPUP="AUTHSIGNAL_CLOSE_POPUP";var O=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.tenantId=n,this.baseUrl=t,this.onTokenExpired=o}return e.prototype.registrationOptions=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.username,i=e.authenticatorAttachment;return u(this,(function(e){switch(e.label){case 0:return t=Boolean(i)?{username:r,authenticatorAttachment:i}:{username:r},[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/passkey/registration-options"),{method:"POST",headers:S({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return R({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e.prototype.authenticationOptions=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.challengeId;return u(this,(function(e){switch(e.label){case 0:return t={challengeId:r},[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/passkey/authentication-options"),{method:"POST",headers:S({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return R({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e.prototype.addAuthenticator=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.challengeId,i=e.registrationCredential;return u(this,(function(e){switch(e.label){case 0:return t={challengeId:r,registrationCredential:i},[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/passkey"),{method:"POST",headers:S({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return R({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e.prototype.verify=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.challengeId,i=e.authenticationCredential,s=e.deviceId;return u(this,(function(e){switch(e.label){case 0:return t={challengeId:r,authenticationCredential:i,deviceId:s},[4,fetch("".concat(this.baseUrl,"/client/verify/passkey"),{method:"POST",headers:S({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return R({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e.prototype.getPasskeyAuthenticator=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.credentialIds;return u(this,(function(e){switch(e.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/passkey?credentialIds=").concat(n),{method:"GET",headers:S({tenantId:this.tenantId})})];case 1:if(!(t=e.sent()).ok)throw new Error(t.statusText);return[2,t.json()]}}))}))},e.prototype.challenge=function(e){return c(this,void 0,void 0,(function(){var t;return u(this,(function(n){switch(n.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/challenge"),{method:"POST",headers:S({tenantId:this.tenantId}),body:JSON.stringify({action:e})})];case 1:return[4,n.sent().json()];case 2:return R({response:t=n.sent(),onTokenExpired:this.onTokenExpired}),[2,t]}}))}))},e}(),x=function(){function e(){this.token=null}return e.prototype.handleTokenNotSetError=function(){var e="A token has not been set. Call 'setToken' first.";return console.error("Error: ".concat(e)),{error:"TOKEN_NOT_SET",errorDescription:e}},e.shared=new e,e}(),_=!1,U=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.anonymousId,r=e.onTokenExpired;this.passkeyLocalStorageKey="as_user_passkey_map",this.cache=x.shared,this.api=new O({baseUrl:t,tenantId:n,onTokenExpired:r}),this.anonymousId=o}return e.prototype.signUp=function(e){return c(this,arguments,void 0,(function(e){var t,n,o,r,i,s,c=e.username,h=e.displayName,l=e.token,d=e.authenticatorAttachment,p=void 0===d?"platform":d,f=e.useAutoRegister,y=void 0!==f&&f;return u(this,(function(e){switch(e.label){case 0:return(t=null!=l?l:this.cache.token)?(n={username:c,displayName:h,token:t,authenticatorAttachment:p},[4,this.api.registrationOptions(n)]):[2,this.cache.handleTokenNotSetError()];case 1:if("error"in(o=e.sent()))return[2,T(o)];e.label=2;case 2:return e.trys.push([2,5,,6]),[4,b({optionsJSON:o.options,useAutoRegister:y})];case 3:return r=e.sent(),[4,this.api.addAuthenticator({challengeId:o.challengeId,registrationCredential:r,token:t})];case 4:return"error"in(i=e.sent())?[2,T(i)]:(i.isVerified&&this.storeCredentialAgainstDevice(a(a({},r),{userId:i.userId})),i.accessToken&&(this.cache.token=i.accessToken),[2,{data:{token:i.accessToken,userAuthenticator:i.userAuthenticator,registrationResponse:r}}]);case 5:throw s=e.sent(),_=!1,A(s),s;case 6:return[2]}}))}))},e.prototype.signIn=function(e){return c(this,void 0,void 0,(function(){var t,n,o,r,i,s,c,h,l,d,p,f;return u(this,(function(u){switch(u.label){case 0:if((null==e?void 0:e.token)&&e.autofill)throw new Error("autofill is not supported when providing a token");if((null==e?void 0:e.action)&&e.token)throw new Error("action is not supported when providing a token");if(null==e?void 0:e.autofill){if(_)return[2,{}];_=!0}return(null==e?void 0:e.action)?[4,this.api.challenge(e.action)]:[3,2];case 1:return n=u.sent(),[3,3];case 2:n=null,u.label=3;case 3:return(t=n)&&"error"in t?(_=!1,[2,T(t)]):[4,this.api.authenticationOptions({token:null==e?void 0:e.token,challengeId:null==t?void 0:t.challengeId})];case 4:if("error"in(o=u.sent()))return _=!1,[2,T(o)];u.label=5;case 5:return u.trys.push([5,8,,9]),[4,g({optionsJSON:o.options,useBrowserAutofill:null==e?void 0:e.autofill})];case 6:return r=u.sent(),(null==e?void 0:e.onVerificationStarted)&&e.onVerificationStarted(),[4,this.api.verify({challengeId:o.challengeId,authenticationCredential:r,token:null==e?void 0:e.token,deviceId:this.anonymousId})];case 7:return"error"in(i=u.sent())?(_=!1,[2,T(i)]):(i.isVerified&&this.storeCredentialAgainstDevice(a(a({},r),{userId:i.userId})),i.accessToken&&(this.cache.token=i.accessToken),s=i.accessToken,c=i.userId,h=i.userAuthenticatorId,l=i.username,d=i.userDisplayName,p=i.isVerified,_=!1,[2,{data:{isVerified:p,token:s,userId:c,userAuthenticatorId:h,username:l,displayName:d,authenticationResponse:r}}]);case 8:throw f=u.sent(),_=!1,A(f),f;case 9:return[2]}}))}))},e.prototype.isAvailableOnDevice=function(e){return c(this,arguments,void 0,(function(e){var t,n,o,r,i=e.userId;return u(this,(function(e){switch(e.label){case 0:if(!i)throw new Error("userId is required");if(!(t=localStorage.getItem(this.passkeyLocalStorageKey)))return[2,!1];if(n=JSON.parse(t),0===(o=null!==(r=n[i])&&void 0!==r?r:[]).length)return[2,!1];e.label=1;case 1:return e.trys.push([1,3,,4]),[4,this.api.getPasskeyAuthenticator({credentialIds:o})];case 2:return e.sent(),[2,!0];case 3:return e.sent(),[2,!1];case 4:return[2]}}))}))},e.prototype.storeCredentialAgainstDevice=function(e){var t=e.id,n=e.authenticatorAttachment,o=e.userId,r=void 0===o?"":o;if("cross-platform"!==n){var i=localStorage.getItem(this.passkeyLocalStorageKey),s=i?JSON.parse(i):{};s[r]?s[r].includes(t)||s[r].push(t):s[r]=[t],localStorage.setItem(this.passkeyLocalStorageKey,JSON.stringify(s))}},e}(),N=function(){function e(){this.windowRef=null}return e.prototype.show=function(e){var t=e.url,n=e.width,o=void 0===n?400:n,r=e.height,i=function(e){var t=e.url,n=e.width,o=e.height,r=e.win;if(!r.top)return null;var i=r.top.outerHeight/2+r.top.screenY-o/2,s=r.top.outerWidth/2+r.top.screenX-n/2;return window.open(t,"","toolbar=no, location=no, directories=no, status=no, menubar=no, scrollbars=no, resizable=no, copyhistory=no, width=".concat(n,", height=").concat(o,", top=").concat(i,", left=").concat(s))}({url:t,width:o,height:void 0===r?500:r,win:window});if(!i)throw new Error("Window is not initialized");return this.windowRef=i,i},e.prototype.close=function(){if(!this.windowRef)throw new Error("Window is not initialized");this.windowRef.close()},e}();const C=":not([inert]):not([inert] *)",P=':not([tabindex^="-"])',$=":not(:disabled)";var D=[`a[href]${C}${P}`,`area[href]${C}${P}`,`input:not([type="hidden"]):not([type="radio"])${C}${P}${$}`,`input[type="radio"]${C}${P}${$}`,`select${C}${P}${$}`,`textarea${C}${P}${$}`,`button${C}${P}${$}`,`details${C} > summary:first-of-type${P}`,`iframe${C}${P}`,`audio[controls]${C}${P}`,`video[controls]${C}${P}`,`[contenteditable]${C}${P}`,`[tabindex]${C}${P}`];function L(e){(e.querySelector("[autofocus]")||e).focus()}function j(e,t){if(t&&V(e))return e;if(!((n=e).shadowRoot&&"-1"===n.getAttribute("tabindex")||n.matches(":disabled,[hidden],[inert]")))if(e.shadowRoot){let n=K(e.shadowRoot,t);for(;n;){const e=j(n,t);if(e)return e;n=J(n,t)}}else if("slot"===e.localName){const n=e.assignedElements({flatten:!0});t||n.reverse();for(const e of n){const n=j(e,t);if(n)return n}}else{let n=K(e,t);for(;n;){const e=j(n,t);if(e)return e;n=J(n,t)}}var n;return!t&&V(e)?e:null}function K(e,t){return t?e.firstElementChild:e.lastElementChild}function J(e,t){return t?e.nextElementSibling:e.previousElementSibling}const V=e=>!e.shadowRoot?.delegatesFocus&&(e.matches(D.join(","))&&!(e=>!(!e.matches("details:not([open]) *")||e.matches("details>summary:first-of-type"))||!(e.offsetWidth||e.offsetHeight||e.getClientRects().length))(e));function W(e=document){const t=e.activeElement;return t?t.shadowRoot?W(t.shadowRoot)||document.activeElement:t:null}function M(e,t){const[n,o]=function(e){const t=j(e,!0);return[t,t?j(e,!1)||t:null]}(e);if(!n)return t.preventDefault();const r=W();t.shiftKey&&r===n?(o.focus(),t.preventDefault()):t.shiftKey||r!==o||(n.focus(),t.preventDefault())}class q{$el;id;previouslyFocused;shown;constructor(e){this.$el=e,this.id=this.$el.getAttribute("data-a11y-dialog")||this.$el.id,this.previouslyFocused=null,this.shown=!1,this.maintainFocus=this.maintainFocus.bind(this),this.bindKeypress=this.bindKeypress.bind(this),this.handleTriggerClicks=this.handleTriggerClicks.bind(this),this.show=this.show.bind(this),this.hide=this.hide.bind(this),this.$el.setAttribute("aria-hidden","true"),this.$el.setAttribute("aria-modal","true"),this.$el.setAttribute("tabindex","-1"),this.$el.hasAttribute("role")||this.$el.setAttribute("role","dialog"),document.addEventListener("click",this.handleTriggerClicks,!0)}destroy(){return this.hide(),document.removeEventListener("click",this.handleTriggerClicks,!0),this.$el.replaceWith(this.$el.cloneNode(!0)),this.fire("destroy"),this}show(e){return this.shown||(this.shown=!0,this.$el.removeAttribute("aria-hidden"),this.previouslyFocused=W(),"BODY"===this.previouslyFocused?.tagName&&e?.target&&(this.previouslyFocused=e.target),"focus"===e?.type?this.maintainFocus(e):L(this.$el),document.body.addEventListener("focus",this.maintainFocus,!0),this.$el.addEventListener("keydown",this.bindKeypress,!0),this.fire("show",e)),this}hide(e){return this.shown?(this.shown=!1,this.$el.setAttribute("aria-hidden","true"),this.previouslyFocused?.focus?.(),document.body.removeEventListener("focus",this.maintainFocus,!0),this.$el.removeEventListener("keydown",this.bindKeypress,!0),this.fire("hide",e),this):this}on(e,t,n){return this.$el.addEventListener(e,t,n),this}off(e,t,n){return this.$el.removeEventListener(e,t,n),this}fire(e,t){this.$el.dispatchEvent(new CustomEvent(e,{detail:t,cancelable:!0}))}handleTriggerClicks(e){const t=e.target;t.closest(`[data-a11y-dialog-show="${this.id}"]`)&&this.show(e),(t.closest(`[data-a11y-dialog-hide="${this.id}"]`)||t.closest("[data-a11y-dialog-hide]")&&t.closest('[aria-modal="true"]')===this.$el)&&this.hide(e)}bindKeypress(e){if(document.activeElement?.closest('[aria-modal="true"]')!==this.$el)return;let t=!1;try{t=!!this.$el.querySelector('[popover]:not([popover="manual"]):popover-open')}catch{}"Escape"!==e.key||"alertdialog"===this.$el.getAttribute("role")||t||(e.preventDefault(),this.hide(e)),"Tab"===e.key&&M(this.$el,e)}maintainFocus(e){e.target.closest('[aria-modal="true"], [data-a11y-dialog-ignore-focus-trap]')||L(this.$el)}}function H(){for(const e of document.querySelectorAll("[data-a11y-dialog]"))new q(e)}"undefined"!=typeof document&&("loading"===document.readyState?document.addEventListener("DOMContentLoaded",H):H());var F="__authsignal-popup-container",G="__authsignal-popup-content",B="__authsignal-popup-overlay",z="__authsignal-popup-style",Y="__authsignal-popup-iframe",X="385px",Q=function(){function e(e){var t=e.width,n=e.isClosable;if(this.popup=null,document.querySelector("#".concat(F)))throw new Error("Multiple instances of Authsignal popup is not supported.");this.create({width:t,isClosable:n})}return e.prototype.create=function(e){var t=this,n=e.width,o=void 0===n?X:n,r=e.isClosable,i=void 0===r||r,s=o;CSS.supports("width",o)||(console.warn("Invalid CSS value for `popupOptions.width`. Using default value instead."),s=X);var a=document.createElement("div");a.setAttribute("id",F),a.setAttribute("aria-hidden","true"),i||a.setAttribute("role","alertdialog");var c=document.createElement("div");c.setAttribute("id",B),i&&c.setAttribute("data-a11y-dialog-hide","true");var u=document.createElement("div");u.setAttribute("id",G),document.body.appendChild(a);var h=document.createElement("style");h.setAttribute("id",z),h.textContent="\n      #".concat(F,",\n      #").concat(B," {\n        position: fixed;\n        top: 0;\n        right: 0;\n        bottom: 0;\n        left: 0;\n      }\n\n      #").concat(F," {\n        z-index: 2147483647;\n        display: flex;\n      }\n\n      #").concat(F,"[aria-hidden='true'] {\n        display: none;\n      }\n\n      #").concat(B," {\n        background-color: rgba(0, 0, 0, 0.18);\n      }\n\n      #").concat(G," {\n        margin: auto;\n        z-index: 2147483647;\n        position: relative;\n        background-color: transparent;\n        border-radius: 8px;\n        width: ").concat(s,";\n      }\n\n      #").concat(G," iframe {\n        width: 1px;\n        min-width: 100%;\n        border-radius: inherit;\n        max-height: 95vh;\n        height: ").concat("384px",";\n      }\n    "),document.head.insertAdjacentElement("beforeend",h),a.appendChild(c),a.appendChild(u),this.popup=new q(a),a.focus(),this.popup.on("hide",(function(){t.destroy()}))},e.prototype.destroy=function(){var e=document.querySelector("#".concat(F)),t=document.querySelector("#".concat(z));e&&t&&(document.body.removeChild(e),document.head.removeChild(t)),window.removeEventListener("message",Z)},e.prototype.show=function(e){var t,n=e.url;if(!this.popup)throw new Error("Popup is not initialized");var o=document.createElement("iframe");o.setAttribute("id",Y),o.setAttribute("name","authsignal"),o.setAttribute("title","Authsignal multi-factor authentication"),o.setAttribute("src",n),o.setAttribute("frameborder","0"),o.setAttribute("allow","publickey-credentials-get *; publickey-credentials-create *; clipboard-write");var r=document.querySelector("#".concat(G));r&&r.appendChild(o),window.addEventListener("message",Z),null===(t=this.popup)||void 0===t||t.show()},e.prototype.close=function(){if(!this.popup)throw new Error("Popup is not initialized");this.popup.hide()},e.prototype.on=function(e,t){if(!this.popup)throw new Error("Popup is not initialized");this.popup.on(e,t)},e}();function Z(e){var t=document.querySelector("#".concat(Y));t&&e.data.height&&(t.style.height=e.data.height+"px")}var ee=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.tenantId=n,this.baseUrl=t,this.onTokenExpired=o}return e.prototype.enroll=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.token;return u(this,(function(e){switch(e.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/totp"),{method:"POST",headers:S({token:n,tenantId:this.tenantId})})];case 1:return[4,e.sent().json()];case 2:return R({response:t=e.sent(),onTokenExpired:this.onTokenExpired}),[2,t]}}))}))},e.prototype.verify=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.code;return u(this,(function(e){switch(e.label){case 0:return t={verificationCode:r},[4,fetch("".concat(this.baseUrl,"/client/verify/totp"),{method:"POST",headers:S({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return R({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e}(),te=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.cache=x.shared,this.api=new ee({baseUrl:t,tenantId:n,onTokenExpired:o})}return e.prototype.enroll=function(){return c(this,void 0,void 0,(function(){return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.enroll({token:this.cache.token})]:[2,this.cache.handleTokenNotSetError()];case 1:return[2,I(e.sent())]}}))}))},e.prototype.verify=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.code;return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.verify({token:this.cache.token,code:n})]:[2,this.cache.handleTokenNotSetError()];case 1:return"accessToken"in(t=e.sent())&&t.accessToken&&(this.cache.token=t.accessToken),[2,I(t)]}}))}))},e}(),ne=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.tenantId=n,this.baseUrl=t,this.onTokenExpired=o}return e.prototype.enroll=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.email;return u(this,(function(e){switch(e.label){case 0:return t={email:r},[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/email-otp"),{method:"POST",headers:S({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return R({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e.prototype.challenge=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.token;return u(this,(function(e){switch(e.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/challenge/email-otp"),{method:"POST",headers:S({token:n,tenantId:this.tenantId})})];case 1:return[4,e.sent().json()];case 2:return R({response:t=e.sent(),onTokenExpired:this.onTokenExpired}),[2,t]}}))}))},e.prototype.verify=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.code;return u(this,(function(e){switch(e.label){case 0:return t={verificationCode:r},[4,fetch("".concat(this.baseUrl,"/client/verify/email-otp"),{method:"POST",headers:S({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return R({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e}(),oe=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.cache=x.shared,this.api=new ne({baseUrl:t,tenantId:n,onTokenExpired:o})}return e.prototype.enroll=function(e){return c(this,arguments,void 0,(function(e){var t=e.email;return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.enroll({token:this.cache.token,email:t})]:[2,this.cache.handleTokenNotSetError()];case 1:return[2,I(e.sent())]}}))}))},e.prototype.challenge=function(){return c(this,void 0,void 0,(function(){return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.challenge({token:this.cache.token})]:[2,this.cache.handleTokenNotSetError()];case 1:return[2,I(e.sent())]}}))}))},e.prototype.verify=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.code;return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.verify({token:this.cache.token,code:n})]:[2,this.cache.handleTokenNotSetError()];case 1:return"accessToken"in(t=e.sent())&&t.accessToken&&(this.cache.token=t.accessToken),[2,I(t)]}}))}))},e}(),re=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.tenantId=n,this.baseUrl=t,this.onTokenExpired=o}return e.prototype.enroll=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.phoneNumber;return u(this,(function(e){switch(e.label){case 0:return t={phoneNumber:r},[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/sms"),{method:"POST",headers:S({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return R({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e.prototype.challenge=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.token;return u(this,(function(e){switch(e.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/challenge/sms"),{method:"POST",headers:S({token:n,tenantId:this.tenantId})})];case 1:return[4,e.sent().json()];case 2:return R({response:t=e.sent(),onTokenExpired:this.onTokenExpired}),[2,t]}}))}))},e.prototype.verify=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.code;return u(this,(function(e){switch(e.label){case 0:return t={verificationCode:r},[4,fetch("".concat(this.baseUrl,"/client/verify/sms"),{method:"POST",headers:S({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return R({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e}(),ie=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.cache=x.shared,this.api=new re({baseUrl:t,tenantId:n,onTokenExpired:o})}return e.prototype.enroll=function(e){return c(this,arguments,void 0,(function(e){var t=e.phoneNumber;return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.enroll({token:this.cache.token,phoneNumber:t})]:[2,this.cache.handleTokenNotSetError()];case 1:return[2,I(e.sent())]}}))}))},e.prototype.challenge=function(){return c(this,void 0,void 0,(function(){return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.challenge({token:this.cache.token})]:[2,this.cache.handleTokenNotSetError()];case 1:return[2,I(e.sent())]}}))}))},e.prototype.verify=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.code;return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.verify({token:this.cache.token,code:n})]:[2,this.cache.handleTokenNotSetError()];case 1:return"accessToken"in(t=e.sent())&&t.accessToken&&(this.cache.token=t.accessToken),[2,I(t)]}}))}))},e}(),se=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.tenantId=n,this.baseUrl=t,this.onTokenExpired=o}return e.prototype.enroll=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.email;return u(this,(function(e){switch(e.label){case 0:return t={email:r},[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/email-magic-link"),{method:"POST",headers:S({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return R({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e.prototype.challenge=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.token;return u(this,(function(e){switch(e.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/challenge/email-magic-link"),{method:"POST",headers:S({token:n,tenantId:this.tenantId})})];case 1:return[4,e.sent().json()];case 2:return R({response:t=e.sent(),onTokenExpired:this.onTokenExpired}),[2,t]}}))}))},e.prototype.checkVerificationStatus=function(e){return c(this,arguments,void 0,(function(e){var t,n=this,o=e.token;return u(this,(function(e){switch(e.label){case 0:return t=function(){return c(n,void 0,void 0,(function(){var e,n=this;return u(this,(function(r){switch(r.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/verify/email-magic-link/finalize"),{method:"POST",headers:S({token:o,tenantId:this.tenantId}),body:JSON.stringify({})})];case 1:return[4,r.sent().json()];case 2:return R({response:e=r.sent(),onTokenExpired:this.onTokenExpired}),e.isVerified?[2,e]:[2,new Promise((function(e){setTimeout((function(){return c(n,void 0,void 0,(function(){var n;return u(this,(function(o){switch(o.label){case 0:return n=e,[4,t()];case 1:return n.apply(void 0,[o.sent()]),[2]}}))}))}),1e3)}))]}}))}))},[4,t()];case 1:return[2,e.sent()]}}))}))},e}(),ae=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.cache=x.shared,this.api=new se({baseUrl:t,tenantId:n,onTokenExpired:o})}return e.prototype.enroll=function(e){return c(this,arguments,void 0,(function(e){var t=e.email;return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.enroll({token:this.cache.token,email:t})]:[2,this.cache.handleTokenNotSetError()];case 1:return[2,I(e.sent())]}}))}))},e.prototype.challenge=function(){return c(this,void 0,void 0,(function(){return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.challenge({token:this.cache.token})]:[2,this.cache.handleTokenNotSetError()];case 1:return[2,I(e.sent())]}}))}))},e.prototype.checkVerificationStatus=function(){return c(this,void 0,void 0,(function(){var e;return u(this,(function(t){switch(t.label){case 0:return this.cache.token?[4,this.api.checkVerificationStatus({token:this.cache.token})]:[2,this.cache.handleTokenNotSetError()];case 1:return"accessToken"in(e=t.sent())&&e.accessToken&&(this.cache.token=e.accessToken),[2,I(e)]}}))}))},e}(),ce=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.tenantId=n,this.baseUrl=t,this.onTokenExpired=o}return e.prototype.registrationOptions=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.token;return u(this,(function(e){switch(e.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/security-key/registration-options"),{method:"POST",headers:S({token:n,tenantId:this.tenantId}),body:JSON.stringify({})})];case 1:return[4,e.sent().json()];case 2:return R({response:t=e.sent(),onTokenExpired:this.onTokenExpired}),[2,t]}}))}))},e.prototype.authenticationOptions=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.token;return u(this,(function(e){switch(e.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/security-key/authentication-options"),{method:"POST",headers:S({token:n,tenantId:this.tenantId}),body:JSON.stringify({})})];case 1:return[4,e.sent().json()];case 2:return R({response:t=e.sent(),onTokenExpired:this.onTokenExpired}),[2,t]}}))}))},e.prototype.addAuthenticator=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.token,o=e.registrationCredential;return u(this,(function(e){switch(e.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/security-key"),{method:"POST",headers:S({token:n,tenantId:this.tenantId}),body:JSON.stringify(o)})];case 1:return[4,e.sent().json()];case 2:return R({response:t=e.sent(),onTokenExpired:this.onTokenExpired}),[2,t]}}))}))},e.prototype.verify=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.token,o=e.authenticationCredential;return u(this,(function(e){switch(e.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/verify/security-key"),{method:"POST",headers:S({token:n,tenantId:this.tenantId}),body:JSON.stringify(o)})];case 1:return[4,e.sent().json()];case 2:return R({response:t=e.sent(),onTokenExpired:this.onTokenExpired}),[2,t]}}))}))},e}(),ue=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.cache=x.shared,this.api=new ce({baseUrl:t,tenantId:n,onTokenExpired:o})}return e.prototype.enroll=function(){return c(this,void 0,void 0,(function(){var e,t,n,o,r;return u(this,(function(i){switch(i.label){case 0:return this.cache.token?(e={token:this.cache.token},[4,this.api.registrationOptions(e)]):[2,this.cache.handleTokenNotSetError()];case 1:if("error"in(t=i.sent()))return[2,T(t)];i.label=2;case 2:return i.trys.push([2,5,,6]),[4,b({optionsJSON:t})];case 3:return n=i.sent(),[4,this.api.addAuthenticator({registrationCredential:n,token:this.cache.token})];case 4:return"error"in(o=i.sent())?[2,T(o)]:(o.accessToken&&(this.cache.token=o.accessToken),[2,{data:{token:o.accessToken,registrationResponse:n}}]);case 5:throw A(r=i.sent()),r;case 6:return[2]}}))}))},e.prototype.verify=function(){return c(this,void 0,void 0,(function(){var e,t,n,o,r;return u(this,(function(i){switch(i.label){case 0:return this.cache.token?[4,this.api.authenticationOptions({token:this.cache.token})]:[2,this.cache.handleTokenNotSetError()];case 1:if("error"in(e=i.sent()))return[2,T(e)];i.label=2;case 2:return i.trys.push([2,5,,6]),[4,g({optionsJSON:e})];case 3:return t=i.sent(),[4,this.api.verify({authenticationCredential:t,token:this.cache.token})];case 4:return"error"in(n=i.sent())?[2,T(n)]:(n.accessToken&&(this.cache.token=n.accessToken),o=n.accessToken,[2,{data:{isVerified:n.isVerified,token:o,authenticationResponse:t}}]);case 5:throw A(r=i.sent()),r;case 6:return[2]}}))}))},e}(),he="4a08uqve",le=function(){function t(e){var t=e.cookieDomain,n=e.cookieName,o=void 0===n?"__as_aid":n,r=e.baseUrl,i=void 0===r?"https://api.authsignal.com/v1":r,a=e.tenantId,c=e.onTokenExpired;if(this.anonymousId="",this.profilingId="",this.cookieDomain="",this.anonymousIdCookieName="",this.cookieDomain=t||document.location.hostname.replace("www.",""),this.anonymousIdCookieName=o,!a)throw new Error("tenantId is required");var u,h=(u=this.anonymousIdCookieName)&&decodeURIComponent(document.cookie.replace(new RegExp("(?:(?:^|.*;)\\s*"+encodeURIComponent(u).replace(/[\-\.\+\*]/g,"\\$&")+"\\s*\\=\\s*([^;]*).*$)|^.*$"),"$1"))||null;h?this.anonymousId=h:(this.anonymousId=s(),E({name:this.anonymousIdCookieName,value:this.anonymousId,expire:1/0,domain:this.cookieDomain,secure:"http:"!==document.location.protocol})),this.passkey=new U({tenantId:a,baseUrl:i,anonymousId:this.anonymousId,onTokenExpired:c}),this.totp=new te({tenantId:a,baseUrl:i,onTokenExpired:c}),this.email=new oe({tenantId:a,baseUrl:i,onTokenExpired:c}),this.emailML=new ae({tenantId:a,baseUrl:i,onTokenExpired:c}),this.sms=new ie({tenantId:a,baseUrl:i,onTokenExpired:c}),this.securityKey=new ue({tenantId:a,baseUrl:i,onTokenExpired:c})}return t.prototype.setToken=function(e){x.shared.token=e},t.prototype.launch=function(e,t){switch(null==t?void 0:t.mode){case"window":return this.launchWithWindow(e,t);case"popup":return this.launchWithPopup(e,t);default:this.launchWithRedirect(e)}},t.prototype.initAdvancedProfiling=function(e){var t=s();this.profilingId=t,E({name:"__as_pid",value:t,expire:1/0,domain:this.cookieDomain,secure:"http:"!==document.location.protocol});var n=e?"".concat(e,"/fp/tags.js?org_id=").concat(he,"&session_id=").concat(t):"https://h.online-metrix.net/fp/tags.js?org_id=".concat(he,"&session_id=").concat(t),o=document.createElement("script");o.src=n,o.async=!1,o.id="as_adv_profile",document.head.appendChild(o);var r=document.createElement("noscript");r.setAttribute("id","as_adv_profile_pixel"),r.setAttribute("aria-hidden","true");var i=document.createElement("iframe"),a=e?"".concat(e,"/fp/tags?org_id=").concat(he,"&session_id=").concat(t):"https://h.online-metrix.net/fp/tags?org_id=".concat(he,"&session_id=").concat(t);i.setAttribute("id","as_adv_profile_pixel"),i.setAttribute("src",a),i.setAttribute("style","width: 100px; height: 100px; border: 0; position: absolute; top: -5000px;"),r&&(r.appendChild(i),document.body.prepend(r))},t.prototype.launchWithRedirect=function(e){window.location.href=e},t.prototype.launchWithPopup=function(t,n){var o=n.popupOptions,r=new Q({width:null==o?void 0:o.width,isClosable:null==o?void 0:o.isClosable}),i="".concat(t,"&mode=popup");return r.show({url:i}),new Promise((function(t){var n=void 0;r.on("hide",(function(){t({token:n})})),window.addEventListener("message",(function(t){var o=null;try{o=JSON.parse(t.data)}catch(e){}(null==o?void 0:o.event)===e.AuthsignalWindowMessage.AUTHSIGNAL_CLOSE_POPUP&&(n=o.token,r.close())}),!1)}))},t.prototype.launchWithWindow=function(t,n){var o=n.windowOptions,r=new N,i="".concat(t,"&mode=popup");return r.show({url:i,width:null==o?void 0:o.width,height:null==o?void 0:o.height}),new Promise((function(t){window.addEventListener("message",(function(n){var o=null;try{o=JSON.parse(n.data)}catch(e){}(null==o?void 0:o.event)===e.AuthsignalWindowMessage.AUTHSIGNAL_CLOSE_POPUP&&(r.close(),t({token:o.token}))}),!1)}))},t}();return e.Authsignal=le,e.WebAuthnError=y,Object.defineProperty(e,"__esModule",{value:!0}),e}({});
+var authsignal=function(e){"use strict";let t;const n=new Uint8Array(16);function o(){if(!t&&(t="undefined"!=typeof crypto&&crypto.getRandomValues&&crypto.getRandomValues.bind(crypto),!t))throw new Error("crypto.getRandomValues() not supported. See https://github.com/uuidjs/uuid#getrandomvalues-not-supported");return t(n)}const r=[];for(let e=0;e<256;++e)r.push((e+256).toString(16).slice(1));var i={randomUUID:"undefined"!=typeof crypto&&crypto.randomUUID&&crypto.randomUUID.bind(crypto)};function s(e,t,n){if(i.randomUUID&&!t&&!e)return i.randomUUID();const s=(e=e||{}).random||(e.rng||o)();if(s[6]=15&s[6]|64,s[8]=63&s[8]|128,t){n=n||0;for(let e=0;e<16;++e)t[n+e]=s[e];return t}return function(e,t=0){return(r[e[t+0]]+r[e[t+1]]+r[e[t+2]]+r[e[t+3]]+"-"+r[e[t+4]]+r[e[t+5]]+"-"+r[e[t+6]]+r[e[t+7]]+"-"+r[e[t+8]]+r[e[t+9]]+"-"+r[e[t+10]]+r[e[t+11]]+r[e[t+12]]+r[e[t+13]]+r[e[t+14]]+r[e[t+15]]).toLowerCase()}(s)}var a=function(){return a=Object.assign||function(e){for(var t,n=1,o=arguments.length;n<o;n++)for(var r in t=arguments[n])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e},a.apply(this,arguments)};function c(e,t,n,o){return new(n||(n=Promise))((function(r,i){function s(e){try{c(o.next(e))}catch(e){i(e)}}function a(e){try{c(o.throw(e))}catch(e){i(e)}}function c(e){var t;e.done?r(e.value):(t=e.value,t instanceof n?t:new n((function(e){e(t)}))).then(s,a)}c((o=o.apply(e,t||[])).next())}))}function u(e,t){var n,o,r,i,s={label:0,sent:function(){if(1&r[0])throw r[1];return r[1]},trys:[],ops:[]};return i={next:a(0),throw:a(1),return:a(2)},"function"==typeof Symbol&&(i[Symbol.iterator]=function(){return this}),i;function a(i){return function(a){return function(i){if(n)throw new TypeError("Generator is already executing.");for(;s;)try{if(n=1,o&&(r=2&i[0]?o.return:i[0]?o.throw||((r=o.return)&&r.call(o),0):o.next)&&!(r=r.call(o,i[1])).done)return r;switch(o=0,r&&(i=[2&i[0],r.value]),i[0]){case 0:case 1:r=i;break;case 4:return s.label++,{value:i[1],done:!1};case 5:s.label++,o=i[1],i=[0];continue;case 7:i=s.ops.pop(),s.trys.pop();continue;default:if(!(r=s.trys,(r=r.length>0&&r[r.length-1])||6!==i[0]&&2!==i[0])){s=0;continue}if(3===i[0]&&(!r||i[1]>r[0]&&i[1]<r[3])){s.label=i[1];break}if(6===i[0]&&s.label<r[1]){s.label=r[1],r=i;break}if(r&&s.label<r[2]){s.label=r[2],s.ops.push(i);break}r[2]&&s.ops.pop(),s.trys.pop();continue}i=t.call(e,s)}catch(e){i=[6,e],o=0}finally{n=r=0}if(5&i[0])throw i[1];return{value:i[0]?i[1]:void 0,done:!0}}([i,a])}}}function l(e){const t=new Uint8Array(e);let n="";for(const e of t)n+=String.fromCharCode(e);return btoa(n).replace(/\+/g,"-").replace(/\//g,"_").replace(/=/g,"")}function h(e){const t=e.replace(/-/g,"+").replace(/_/g,"/"),n=(4-t.length%4)%4,o=t.padEnd(t.length+n,"="),r=atob(o),i=new ArrayBuffer(r.length),s=new Uint8Array(i);for(let e=0;e<r.length;e++)s[e]=r.charCodeAt(e);return i}function d(){return p.stubThis(void 0!==globalThis?.PublicKeyCredential&&"function"==typeof globalThis.PublicKeyCredential)}const p={stubThis:e=>e};function f(e){const{id:t}=e;return{...e,id:h(t),transports:e.transports}}function y(e){return"localhost"===e||/^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$/i.test(e)}class b extends Error{constructor({message:e,code:t,cause:n,name:o}){super(e,{cause:n}),Object.defineProperty(this,"code",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),this.name=o??n.name,this.code=t}}const v=new class{constructor(){Object.defineProperty(this,"controller",{enumerable:!0,configurable:!0,writable:!0,value:void 0})}createNewAbortSignal(){if(this.controller){const e=new Error("Cancelling existing WebAuthn API call for new one");e.name="AbortError",this.controller.abort(e)}const e=new AbortController;return this.controller=e,e.signal}cancelCeremony(){if(this.controller){const e=new Error("Manually cancelling existing WebAuthn API call");e.name="AbortError",this.controller.abort(e),this.controller=void 0}}},m=["cross-platform","platform"];function g(e){if(e&&!(m.indexOf(e)<0))return e}async function w(e){!e.optionsJSON&&e.challenge&&(console.warn("startRegistration() was not called correctly. It will try to continue with the provided options, but this call should be refactored to use the expected call structure instead. See https://simplewebauthn.dev/docs/packages/browser#typeerror-cannot-read-properties-of-undefined-reading-challenge for more information."),e={optionsJSON:e});const{optionsJSON:t,useAutoRegister:n=!1}=e;if(!d())throw new Error("WebAuthn is not supported in this browser");const o={...t,challenge:h(t.challenge),user:{...t.user,id:h(t.user.id)},excludeCredentials:t.excludeCredentials?.map(f)},r={};let i;n&&(r.mediation="conditional"),r.publicKey=o,r.signal=v.createNewAbortSignal();try{i=await navigator.credentials.create(r)}catch(e){throw function({error:e,options:t}){const{publicKey:n}=t;if(!n)throw Error("options was missing required publicKey property");if("AbortError"===e.name){if(t.signal instanceof AbortSignal)return new b({message:"Registration ceremony was sent an abort signal",code:"ERROR_CEREMONY_ABORTED",cause:e})}else if("ConstraintError"===e.name){if(!0===n.authenticatorSelection?.requireResidentKey)return new b({message:"Discoverable credentials were required but no available authenticator supported it",code:"ERROR_AUTHENTICATOR_MISSING_DISCOVERABLE_CREDENTIAL_SUPPORT",cause:e});if("conditional"===t.mediation&&"required"===n.authenticatorSelection?.userVerification)return new b({message:"User verification was required during automatic registration but it could not be performed",code:"ERROR_AUTO_REGISTER_USER_VERIFICATION_FAILURE",cause:e});if("required"===n.authenticatorSelection?.userVerification)return new b({message:"User verification was required but no available authenticator supported it",code:"ERROR_AUTHENTICATOR_MISSING_USER_VERIFICATION_SUPPORT",cause:e})}else{if("InvalidStateError"===e.name)return new b({message:"The authenticator was previously registered",code:"ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED",cause:e});if("NotAllowedError"===e.name)return new b({message:e.message,code:"ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY",cause:e});if("NotSupportedError"===e.name)return 0===n.pubKeyCredParams.filter((e=>"public-key"===e.type)).length?new b({message:'No entry in pubKeyCredParams was of type "public-key"',code:"ERROR_MALFORMED_PUBKEYCREDPARAMS",cause:e}):new b({message:"No available authenticator supported any of the specified pubKeyCredParams algorithms",code:"ERROR_AUTHENTICATOR_NO_SUPPORTED_PUBKEYCREDPARAMS_ALG",cause:e});if("SecurityError"===e.name){const t=globalThis.location.hostname;if(!y(t))return new b({message:`${globalThis.location.hostname} is an invalid domain`,code:"ERROR_INVALID_DOMAIN",cause:e});if(n.rp.id!==t)return new b({message:`The RP ID "${n.rp.id}" is invalid for this domain`,code:"ERROR_INVALID_RP_ID",cause:e})}else if("TypeError"===e.name){if(n.user.id.byteLength<1||n.user.id.byteLength>64)return new b({message:"User ID was not between 1 and 64 characters",code:"ERROR_INVALID_USER_ID_LENGTH",cause:e})}else if("UnknownError"===e.name)return new b({message:"The authenticator was unable to process the specified options, or could not create a new credential",code:"ERROR_AUTHENTICATOR_GENERAL_ERROR",cause:e})}return e}({error:e,options:r})}if(!i)throw new Error("Registration was not completed");const{id:s,rawId:a,response:c,type:u}=i;let p,m,w,E;if("function"==typeof c.getTransports&&(p=c.getTransports()),"function"==typeof c.getPublicKeyAlgorithm)try{m=c.getPublicKeyAlgorithm()}catch(e){k("getPublicKeyAlgorithm()",e)}if("function"==typeof c.getPublicKey)try{const e=c.getPublicKey();null!==e&&(w=l(e))}catch(e){k("getPublicKey()",e)}if("function"==typeof c.getAuthenticatorData)try{E=l(c.getAuthenticatorData())}catch(e){k("getAuthenticatorData()",e)}return{id:s,rawId:l(a),response:{attestationObject:l(c.attestationObject),clientDataJSON:l(c.clientDataJSON),transports:p,publicKeyAlgorithm:m,publicKey:w,authenticatorData:E},type:u,clientExtensionResults:i.getClientExtensionResults(),authenticatorAttachment:g(i.authenticatorAttachment)}}function k(e,t){console.warn(`The browser extension that intercepted this WebAuthn API call incorrectly implemented ${e}. You should report this error to them.\n`,t)}const E={stubThis:e=>e};async function T(e){!e.optionsJSON&&e.challenge&&(console.warn("startAuthentication() was not called correctly. It will try to continue with the provided options, but this call should be refactored to use the expected call structure instead. See https://simplewebauthn.dev/docs/packages/browser#typeerror-cannot-read-properties-of-undefined-reading-challenge for more information."),e={optionsJSON:e});const{optionsJSON:t,useBrowserAutofill:n=!1,verifyBrowserAutofillInput:o=!0}=e;if(!d())throw new Error("WebAuthn is not supported in this browser");let r;0!==t.allowCredentials?.length&&(r=t.allowCredentials?.map(f));const i={...t,challenge:h(t.challenge),allowCredentials:r},s={};if(n){if(!await function(){if(!d())return E.stubThis(new Promise((e=>e(!1))));const e=globalThis.PublicKeyCredential;return void 0===e?.isConditionalMediationAvailable?E.stubThis(new Promise((e=>e(!1)))):E.stubThis(e.isConditionalMediationAvailable())}())throw Error("Browser does not support WebAuthn autofill");if(document.querySelectorAll("input[autocomplete$='webauthn']").length<1&&o)throw Error('No <input> with "webauthn" as the only or last value in its `autocomplete` attribute was detected');s.mediation="conditional",i.allowCredentials=[]}let a;s.publicKey=i,s.signal=v.createNewAbortSignal();try{a=await navigator.credentials.get(s)}catch(e){throw function({error:e,options:t}){const{publicKey:n}=t;if(!n)throw Error("options was missing required publicKey property");if("AbortError"===e.name){if(t.signal instanceof AbortSignal)return new b({message:"Authentication ceremony was sent an abort signal",code:"ERROR_CEREMONY_ABORTED",cause:e})}else{if("NotAllowedError"===e.name)return new b({message:e.message,code:"ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY",cause:e});if("SecurityError"===e.name){const t=globalThis.location.hostname;if(!y(t))return new b({message:`${globalThis.location.hostname} is an invalid domain`,code:"ERROR_INVALID_DOMAIN",cause:e});if(n.rpId!==t)return new b({message:`The RP ID "${n.rpId}" is invalid for this domain`,code:"ERROR_INVALID_RP_ID",cause:e})}else if("UnknownError"===e.name)return new b({message:"The authenticator was unable to process the specified options, or could not create a new assertion signature",code:"ERROR_AUTHENTICATOR_GENERAL_ERROR",cause:e})}return e}({error:e,options:s})}if(!a)throw new Error("Authentication was not completed");const{id:c,rawId:u,response:p,type:m}=a;let w;return p.userHandle&&(w=l(p.userHandle)),{id:c,rawId:l(u),response:{authenticatorData:l(p.authenticatorData),clientDataJSON:l(p.clientDataJSON),signature:l(p.signature),userHandle:w},type:m,clientExtensionResults:a.getClientExtensionResults(),authenticatorAttachment:g(a.authenticatorAttachment)}}function I(e){var t=e.name,n=e.value,o=e.expire,r=e.domain,i=e.secure,s=o===1/0?" expires=Fri, 31 Dec 9999 23:59:59 GMT":"; max-age="+o;document.cookie=encodeURIComponent(t)+"="+n+"; path=/;"+s+(r?"; domain="+r:"")+(i?"; secure":"")}function A(e){var t,n=null!==(t=e.errorDescription)&&void 0!==t?t:e.error;return console.error(n),{error:n}}function S(e){var t;if(e&&"object"==typeof e&&"error"in e){var n=null!==(t=e.errorDescription)&&void 0!==t?t:e.error;return console.error(n),{error:n}}if(e&&"object"==typeof e&&"accessToken"in e&&"string"==typeof e.accessToken){var o=e.accessToken,r=function(e,t){var n={};for(var o in e)Object.prototype.hasOwnProperty.call(e,o)&&t.indexOf(o)<0&&(n[o]=e[o]);if(null!=e&&"function"==typeof Object.getOwnPropertySymbols){var r=0;for(o=Object.getOwnPropertySymbols(e);r<o.length;r++)t.indexOf(o[r])<0&&Object.prototype.propertyIsEnumerable.call(e,o[r])&&(n[o[r]]=e[o[r]])}return n}(e,["accessToken"]);return{data:a(a({},r),{token:o})}}return{data:e}}function O(e){var t,n;if(e instanceof b&&"ERROR_INVALID_RP_ID"===e.code){var o=(null===(n=null===(t=e.message)||void 0===t?void 0:t.match(/"([^"]*)"/))||void 0===n?void 0:n[1])||"";console.error('[Authsignal] The Relying Party ID "'.concat(o,'" is invalid for this domain.\n To learn more, visit https://docs.authsignal.com/scenarios/passkeys-prebuilt-ui#defining-the-relying-party'))}}function R(e){var t=e.token,n=e.tenantId;return{"Content-Type":"application/json",Authorization:t?"Bearer ".concat(t):"Basic ".concat(window.btoa(encodeURIComponent(n)))}}function x(e){var t=e.response,n=e.onTokenExpired;"error"in t&&"expired_token"===t.errorCode&&n&&n()}e.AuthsignalWindowMessage=void 0,(e.AuthsignalWindowMessage||(e.AuthsignalWindowMessage={})).AUTHSIGNAL_CLOSE_POPUP="AUTHSIGNAL_CLOSE_POPUP";var C=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.tenantId=n,this.baseUrl=t,this.onTokenExpired=o}return e.prototype.registrationOptions=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.username,i=e.authenticatorAttachment;return u(this,(function(e){switch(e.label){case 0:return t=Boolean(i)?{username:r,authenticatorAttachment:i}:{username:r},[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/passkey/registration-options"),{method:"POST",headers:R({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return x({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e.prototype.authenticationOptions=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.challengeId;return u(this,(function(e){switch(e.label){case 0:return t={challengeId:r},[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/passkey/authentication-options"),{method:"POST",headers:R({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return x({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e.prototype.addAuthenticator=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.challengeId,i=e.registrationCredential,s=e.conditionalCreate;return u(this,(function(e){switch(e.label){case 0:return t={challengeId:r,registrationCredential:i,conditionalCreate:s},[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/passkey"),{method:"POST",headers:R({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return x({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e.prototype.verify=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.challengeId,i=e.authenticationCredential,s=e.deviceId;return u(this,(function(e){switch(e.label){case 0:return t={challengeId:r,authenticationCredential:i,deviceId:s},[4,fetch("".concat(this.baseUrl,"/client/verify/passkey"),{method:"POST",headers:R({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return x({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e.prototype.getPasskeyAuthenticator=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.credentialIds;return u(this,(function(e){switch(e.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/passkey?credentialIds=").concat(n),{method:"GET",headers:R({tenantId:this.tenantId})})];case 1:if(!(t=e.sent()).ok)throw new Error(t.statusText);return[2,t.json()]}}))}))},e.prototype.challenge=function(e){return c(this,void 0,void 0,(function(){var t;return u(this,(function(n){switch(n.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/challenge"),{method:"POST",headers:R({tenantId:this.tenantId}),body:JSON.stringify({action:e})})];case 1:return[4,n.sent().json()];case 2:return x({response:t=n.sent(),onTokenExpired:this.onTokenExpired}),[2,t]}}))}))},e}(),U=function(){function e(){this.token=null}return e.prototype.handleTokenNotSetError=function(){var e="A token has not been set. Call 'setToken' first.";return console.error("Error: ".concat(e)),{error:"TOKEN_NOT_SET",errorDescription:e}},e.shared=new e,e}(),_=!1,N=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.anonymousId,r=e.onTokenExpired;this.passkeyLocalStorageKey="as_user_passkey_map",this.cache=U.shared,this.api=new C({baseUrl:t,tenantId:n,onTokenExpired:r}),this.anonymousId=o}return e.prototype.signUp=function(e){return c(this,arguments,void 0,(function(e){var t,n,o,r,i,s,c=e.username,l=e.displayName,h=e.token,d=e.authenticatorAttachment,p=void 0===d?"platform":d,f=e.useAutoRegister,y=void 0!==f&&f;return u(this,(function(e){switch(e.label){case 0:return(t=null!=h?h:this.cache.token)?y?[4,this.doesBrowserSupportConditionalCreate()]:[3,2]:[2,this.cache.handleTokenNotSetError()];case 1:if(!e.sent())throw new Error("CONDITIONAL_CREATE_NOT_SUPPORTED");e.label=2;case 2:return n={username:c,displayName:l,token:t,authenticatorAttachment:p},[4,this.api.registrationOptions(n)];case 3:if("error"in(o=e.sent()))return[2,A(o)];e.label=4;case 4:return e.trys.push([4,7,,8]),[4,w({optionsJSON:o.options,useAutoRegister:y})];case 5:return r=e.sent(),[4,this.api.addAuthenticator({challengeId:o.challengeId,registrationCredential:r,token:t,conditionalCreate:y})];case 6:return"error"in(i=e.sent())?[2,A(i)]:(i.isVerified&&this.storeCredentialAgainstDevice(a(a({},r),{userId:i.userId})),i.accessToken&&(this.cache.token=i.accessToken),[2,{data:{token:i.accessToken,userAuthenticator:i.userAuthenticator,registrationResponse:r}}]);case 7:throw s=e.sent(),_=!1,O(s),s;case 8:return[2]}}))}))},e.prototype.signIn=function(e){return c(this,void 0,void 0,(function(){var t,n,o,r,i,s,c,l,h,d,p,f;return u(this,(function(u){switch(u.label){case 0:if((null==e?void 0:e.token)&&e.autofill)throw new Error("autofill is not supported when providing a token");if((null==e?void 0:e.action)&&e.token)throw new Error("action is not supported when providing a token");if(null==e?void 0:e.autofill){if(_)return[2,{}];_=!0}return(null==e?void 0:e.action)?[4,this.api.challenge(e.action)]:[3,2];case 1:return n=u.sent(),[3,3];case 2:n=null,u.label=3;case 3:return(t=n)&&"error"in t?(_=!1,[2,A(t)]):[4,this.api.authenticationOptions({token:null==e?void 0:e.token,challengeId:null==t?void 0:t.challengeId})];case 4:if("error"in(o=u.sent()))return _=!1,[2,A(o)];u.label=5;case 5:return u.trys.push([5,8,,9]),[4,T({optionsJSON:o.options,useBrowserAutofill:null==e?void 0:e.autofill})];case 6:return r=u.sent(),(null==e?void 0:e.onVerificationStarted)&&e.onVerificationStarted(),[4,this.api.verify({challengeId:o.challengeId,authenticationCredential:r,token:null==e?void 0:e.token,deviceId:this.anonymousId})];case 7:return"error"in(i=u.sent())?(_=!1,[2,A(i)]):(i.isVerified&&this.storeCredentialAgainstDevice(a(a({},r),{userId:i.userId})),i.accessToken&&(this.cache.token=i.accessToken),s=i.accessToken,c=i.userId,l=i.userAuthenticatorId,h=i.username,d=i.userDisplayName,p=i.isVerified,_=!1,[2,{data:{isVerified:p,token:s,userId:c,userAuthenticatorId:l,username:h,displayName:d,authenticationResponse:r}}]);case 8:throw f=u.sent(),_=!1,O(f),f;case 9:return[2]}}))}))},e.prototype.isAvailableOnDevice=function(e){return c(this,arguments,void 0,(function(e){var t,n,o,r,i=e.userId;return u(this,(function(e){switch(e.label){case 0:if(!i)throw new Error("userId is required");if(!(t=localStorage.getItem(this.passkeyLocalStorageKey)))return[2,!1];if(n=JSON.parse(t),0===(o=null!==(r=n[i])&&void 0!==r?r:[]).length)return[2,!1];e.label=1;case 1:return e.trys.push([1,3,,4]),[4,this.api.getPasskeyAuthenticator({credentialIds:o})];case 2:return e.sent(),[2,!0];case 3:return e.sent(),[2,!1];case 4:return[2]}}))}))},e.prototype.storeCredentialAgainstDevice=function(e){var t=e.id,n=e.authenticatorAttachment,o=e.userId,r=void 0===o?"":o;if("cross-platform"!==n){var i=localStorage.getItem(this.passkeyLocalStorageKey),s=i?JSON.parse(i):{};s[r]?s[r].includes(t)||s[r].push(t):s[r]=[t],localStorage.setItem(this.passkeyLocalStorageKey,JSON.stringify(s))}},e.prototype.doesBrowserSupportConditionalCreate=function(){return c(this,void 0,void 0,(function(){return u(this,(function(e){switch(e.label){case 0:return window.PublicKeyCredential&&PublicKeyCredential.getClientCapabilities?[4,PublicKeyCredential.getClientCapabilities()]:[3,2];case 1:if(e.sent().conditionalCreate)return[2,!0];e.label=2;case 2:return[2,!1]}}))}))},e}(),P=function(){function e(){this.windowRef=null}return e.prototype.show=function(e){var t=e.url,n=e.width,o=void 0===n?400:n,r=e.height,i=function(e){var t=e.url,n=e.width,o=e.height,r=e.win;if(!r.top)return null;var i=r.top.outerHeight/2+r.top.screenY-o/2,s=r.top.outerWidth/2+r.top.screenX-n/2;return window.open(t,"","toolbar=no, location=no, directories=no, status=no, menubar=no, scrollbars=no, resizable=no, copyhistory=no, width=".concat(n,", height=").concat(o,", top=").concat(i,", left=").concat(s))}({url:t,width:o,height:void 0===r?500:r,win:window});if(!i)throw new Error("Window is not initialized");return this.windowRef=i,i},e.prototype.close=function(){if(!this.windowRef)throw new Error("Window is not initialized");this.windowRef.close()},e}();const $=":not([inert]):not([inert] *)",D=':not([tabindex^="-"])',L=":not(:disabled)";var j=[`a[href]${$}${D}`,`area[href]${$}${D}`,`input:not([type="hidden"]):not([type="radio"])${$}${D}${L}`,`input[type="radio"]${$}${D}${L}`,`select${$}${D}${L}`,`textarea${$}${D}${L}`,`button${$}${D}${L}`,`details${$} > summary:first-of-type${D}`,`iframe${$}${D}`,`audio[controls]${$}${D}`,`video[controls]${$}${D}`,`[contenteditable]${$}${D}`,`[tabindex]${$}${D}`];function K(e){(e.querySelector("[autofocus]")||e).focus()}function J(e,t){if(t&&q(e))return e;if(!((n=e).shadowRoot&&"-1"===n.getAttribute("tabindex")||n.matches(":disabled,[hidden],[inert]")))if(e.shadowRoot){let n=V(e.shadowRoot,t);for(;n;){const e=J(n,t);if(e)return e;n=W(n,t)}}else if("slot"===e.localName){const n=e.assignedElements({flatten:!0});t||n.reverse();for(const e of n){const n=J(e,t);if(n)return n}}else{let n=V(e,t);for(;n;){const e=J(n,t);if(e)return e;n=W(n,t)}}var n;return!t&&q(e)?e:null}function V(e,t){return t?e.firstElementChild:e.lastElementChild}function W(e,t){return t?e.nextElementSibling:e.previousElementSibling}const q=e=>!e.shadowRoot?.delegatesFocus&&(e.matches(j.join(","))&&!(e=>!(!e.matches("details:not([open]) *")||e.matches("details>summary:first-of-type"))||!(e.offsetWidth||e.offsetHeight||e.getClientRects().length))(e));function M(e=document){const t=e.activeElement;return t?t.shadowRoot?M(t.shadowRoot)||document.activeElement:t:null}function H(e,t){const[n,o]=function(e){const t=J(e,!0);return[t,t?J(e,!1)||t:null]}(e);if(!n)return t.preventDefault();const r=M();t.shiftKey&&r===n?(o.focus(),t.preventDefault()):t.shiftKey||r!==o||(n.focus(),t.preventDefault())}class F{$el;id;previouslyFocused;shown;constructor(e){this.$el=e,this.id=this.$el.getAttribute("data-a11y-dialog")||this.$el.id,this.previouslyFocused=null,this.shown=!1,this.maintainFocus=this.maintainFocus.bind(this),this.bindKeypress=this.bindKeypress.bind(this),this.handleTriggerClicks=this.handleTriggerClicks.bind(this),this.show=this.show.bind(this),this.hide=this.hide.bind(this),this.$el.setAttribute("aria-hidden","true"),this.$el.setAttribute("aria-modal","true"),this.$el.setAttribute("tabindex","-1"),this.$el.hasAttribute("role")||this.$el.setAttribute("role","dialog"),document.addEventListener("click",this.handleTriggerClicks,!0)}destroy(){return this.hide(),document.removeEventListener("click",this.handleTriggerClicks,!0),this.$el.replaceWith(this.$el.cloneNode(!0)),this.fire("destroy"),this}show(e){return this.shown||(this.shown=!0,this.$el.removeAttribute("aria-hidden"),this.previouslyFocused=M(),"BODY"===this.previouslyFocused?.tagName&&e?.target&&(this.previouslyFocused=e.target),"focus"===e?.type?this.maintainFocus(e):K(this.$el),document.body.addEventListener("focus",this.maintainFocus,!0),this.$el.addEventListener("keydown",this.bindKeypress,!0),this.fire("show",e)),this}hide(e){return this.shown?(this.shown=!1,this.$el.setAttribute("aria-hidden","true"),this.previouslyFocused?.focus?.(),document.body.removeEventListener("focus",this.maintainFocus,!0),this.$el.removeEventListener("keydown",this.bindKeypress,!0),this.fire("hide",e),this):this}on(e,t,n){return this.$el.addEventListener(e,t,n),this}off(e,t,n){return this.$el.removeEventListener(e,t,n),this}fire(e,t){this.$el.dispatchEvent(new CustomEvent(e,{detail:t,cancelable:!0}))}handleTriggerClicks(e){const t=e.target;t.closest(`[data-a11y-dialog-show="${this.id}"]`)&&this.show(e),(t.closest(`[data-a11y-dialog-hide="${this.id}"]`)||t.closest("[data-a11y-dialog-hide]")&&t.closest('[aria-modal="true"]')===this.$el)&&this.hide(e)}bindKeypress(e){if(document.activeElement?.closest('[aria-modal="true"]')!==this.$el)return;let t=!1;try{t=!!this.$el.querySelector('[popover]:not([popover="manual"]):popover-open')}catch{}"Escape"!==e.key||"alertdialog"===this.$el.getAttribute("role")||t||(e.preventDefault(),this.hide(e)),"Tab"===e.key&&H(this.$el,e)}maintainFocus(e){e.target.closest('[aria-modal="true"], [data-a11y-dialog-ignore-focus-trap]')||K(this.$el)}}function G(){for(const e of document.querySelectorAll("[data-a11y-dialog]"))new F(e)}"undefined"!=typeof document&&("loading"===document.readyState?document.addEventListener("DOMContentLoaded",G):G());var B="__authsignal-popup-container",z="__authsignal-popup-content",Y="__authsignal-popup-overlay",X="__authsignal-popup-style",Q="__authsignal-popup-iframe",Z="385px",ee=function(){function e(e){var t=e.width,n=e.isClosable;if(this.popup=null,document.querySelector("#".concat(B)))throw new Error("Multiple instances of Authsignal popup is not supported.");this.create({width:t,isClosable:n})}return e.prototype.create=function(e){var t=this,n=e.width,o=void 0===n?Z:n,r=e.isClosable,i=void 0===r||r,s=o;CSS.supports("width",o)||(console.warn("Invalid CSS value for `popupOptions.width`. Using default value instead."),s=Z);var a=document.createElement("div");a.setAttribute("id",B),a.setAttribute("aria-hidden","true"),i||a.setAttribute("role","alertdialog");var c=document.createElement("div");c.setAttribute("id",Y),i&&c.setAttribute("data-a11y-dialog-hide","true");var u=document.createElement("div");u.setAttribute("id",z),document.body.appendChild(a);var l=document.createElement("style");l.setAttribute("id",X),l.textContent="\n      #".concat(B,",\n      #").concat(Y," {\n        position: fixed;\n        top: 0;\n        right: 0;\n        bottom: 0;\n        left: 0;\n      }\n\n      #").concat(B," {\n        z-index: 2147483647;\n        display: flex;\n      }\n\n      #").concat(B,"[aria-hidden='true'] {\n        display: none;\n      }\n\n      #").concat(Y," {\n        background-color: rgba(0, 0, 0, 0.18);\n      }\n\n      #").concat(z," {\n        margin: auto;\n        z-index: 2147483647;\n        position: relative;\n        background-color: transparent;\n        border-radius: 8px;\n        width: ").concat(s,";\n      }\n\n      #").concat(z," iframe {\n        width: 1px;\n        min-width: 100%;\n        border-radius: inherit;\n        max-height: 95vh;\n        height: ").concat("384px",";\n      }\n    "),document.head.insertAdjacentElement("beforeend",l),a.appendChild(c),a.appendChild(u),this.popup=new F(a),a.focus(),this.popup.on("hide",(function(){t.destroy()}))},e.prototype.destroy=function(){var e=document.querySelector("#".concat(B)),t=document.querySelector("#".concat(X));e&&t&&(document.body.removeChild(e),document.head.removeChild(t)),window.removeEventListener("message",te)},e.prototype.show=function(e){var t,n=e.url;if(!this.popup)throw new Error("Popup is not initialized");var o=document.createElement("iframe");o.setAttribute("id",Q),o.setAttribute("name","authsignal"),o.setAttribute("title","Authsignal multi-factor authentication"),o.setAttribute("src",n),o.setAttribute("frameborder","0"),o.setAttribute("allow","publickey-credentials-get *; publickey-credentials-create *; clipboard-write");var r=document.querySelector("#".concat(z));r&&r.appendChild(o),window.addEventListener("message",te),null===(t=this.popup)||void 0===t||t.show()},e.prototype.close=function(){if(!this.popup)throw new Error("Popup is not initialized");this.popup.hide()},e.prototype.on=function(e,t){if(!this.popup)throw new Error("Popup is not initialized");this.popup.on(e,t)},e}();function te(e){var t=document.querySelector("#".concat(Q));t&&e.data.height&&(t.style.height=e.data.height+"px")}var ne=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.tenantId=n,this.baseUrl=t,this.onTokenExpired=o}return e.prototype.enroll=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.token;return u(this,(function(e){switch(e.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/totp"),{method:"POST",headers:R({token:n,tenantId:this.tenantId})})];case 1:return[4,e.sent().json()];case 2:return x({response:t=e.sent(),onTokenExpired:this.onTokenExpired}),[2,t]}}))}))},e.prototype.verify=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.code;return u(this,(function(e){switch(e.label){case 0:return t={verificationCode:r},[4,fetch("".concat(this.baseUrl,"/client/verify/totp"),{method:"POST",headers:R({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return x({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e}(),oe=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.cache=U.shared,this.api=new ne({baseUrl:t,tenantId:n,onTokenExpired:o})}return e.prototype.enroll=function(){return c(this,void 0,void 0,(function(){return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.enroll({token:this.cache.token})]:[2,this.cache.handleTokenNotSetError()];case 1:return[2,S(e.sent())]}}))}))},e.prototype.verify=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.code;return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.verify({token:this.cache.token,code:n})]:[2,this.cache.handleTokenNotSetError()];case 1:return"accessToken"in(t=e.sent())&&t.accessToken&&(this.cache.token=t.accessToken),[2,S(t)]}}))}))},e}(),re=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.tenantId=n,this.baseUrl=t,this.onTokenExpired=o}return e.prototype.enroll=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.email;return u(this,(function(e){switch(e.label){case 0:return t={email:r},[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/email-otp"),{method:"POST",headers:R({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return x({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e.prototype.challenge=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.token;return u(this,(function(e){switch(e.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/challenge/email-otp"),{method:"POST",headers:R({token:n,tenantId:this.tenantId})})];case 1:return[4,e.sent().json()];case 2:return x({response:t=e.sent(),onTokenExpired:this.onTokenExpired}),[2,t]}}))}))},e.prototype.verify=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.code;return u(this,(function(e){switch(e.label){case 0:return t={verificationCode:r},[4,fetch("".concat(this.baseUrl,"/client/verify/email-otp"),{method:"POST",headers:R({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return x({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e}(),ie=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.cache=U.shared,this.api=new re({baseUrl:t,tenantId:n,onTokenExpired:o})}return e.prototype.enroll=function(e){return c(this,arguments,void 0,(function(e){var t=e.email;return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.enroll({token:this.cache.token,email:t})]:[2,this.cache.handleTokenNotSetError()];case 1:return[2,S(e.sent())]}}))}))},e.prototype.challenge=function(){return c(this,void 0,void 0,(function(){return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.challenge({token:this.cache.token})]:[2,this.cache.handleTokenNotSetError()];case 1:return[2,S(e.sent())]}}))}))},e.prototype.verify=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.code;return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.verify({token:this.cache.token,code:n})]:[2,this.cache.handleTokenNotSetError()];case 1:return"accessToken"in(t=e.sent())&&t.accessToken&&(this.cache.token=t.accessToken),[2,S(t)]}}))}))},e}(),se=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.tenantId=n,this.baseUrl=t,this.onTokenExpired=o}return e.prototype.enroll=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.phoneNumber;return u(this,(function(e){switch(e.label){case 0:return t={phoneNumber:r},[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/sms"),{method:"POST",headers:R({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return x({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e.prototype.challenge=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.token;return u(this,(function(e){switch(e.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/challenge/sms"),{method:"POST",headers:R({token:n,tenantId:this.tenantId})})];case 1:return[4,e.sent().json()];case 2:return x({response:t=e.sent(),onTokenExpired:this.onTokenExpired}),[2,t]}}))}))},e.prototype.verify=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.code;return u(this,(function(e){switch(e.label){case 0:return t={verificationCode:r},[4,fetch("".concat(this.baseUrl,"/client/verify/sms"),{method:"POST",headers:R({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return x({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e}(),ae=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.cache=U.shared,this.api=new se({baseUrl:t,tenantId:n,onTokenExpired:o})}return e.prototype.enroll=function(e){return c(this,arguments,void 0,(function(e){var t=e.phoneNumber;return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.enroll({token:this.cache.token,phoneNumber:t})]:[2,this.cache.handleTokenNotSetError()];case 1:return[2,S(e.sent())]}}))}))},e.prototype.challenge=function(){return c(this,void 0,void 0,(function(){return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.challenge({token:this.cache.token})]:[2,this.cache.handleTokenNotSetError()];case 1:return[2,S(e.sent())]}}))}))},e.prototype.verify=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.code;return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.verify({token:this.cache.token,code:n})]:[2,this.cache.handleTokenNotSetError()];case 1:return"accessToken"in(t=e.sent())&&t.accessToken&&(this.cache.token=t.accessToken),[2,S(t)]}}))}))},e}(),ce=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.tenantId=n,this.baseUrl=t,this.onTokenExpired=o}return e.prototype.enroll=function(e){return c(this,arguments,void 0,(function(e){var t,n,o=e.token,r=e.email;return u(this,(function(e){switch(e.label){case 0:return t={email:r},[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/email-magic-link"),{method:"POST",headers:R({token:o,tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return x({response:n=e.sent(),onTokenExpired:this.onTokenExpired}),[2,n]}}))}))},e.prototype.challenge=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.token;return u(this,(function(e){switch(e.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/challenge/email-magic-link"),{method:"POST",headers:R({token:n,tenantId:this.tenantId})})];case 1:return[4,e.sent().json()];case 2:return x({response:t=e.sent(),onTokenExpired:this.onTokenExpired}),[2,t]}}))}))},e.prototype.checkVerificationStatus=function(e){return c(this,arguments,void 0,(function(e){var t,n=this,o=e.token;return u(this,(function(e){switch(e.label){case 0:return t=function(){return c(n,void 0,void 0,(function(){var e,n=this;return u(this,(function(r){switch(r.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/verify/email-magic-link/finalize"),{method:"POST",headers:R({token:o,tenantId:this.tenantId}),body:JSON.stringify({})})];case 1:return[4,r.sent().json()];case 2:return x({response:e=r.sent(),onTokenExpired:this.onTokenExpired}),e.isVerified?[2,e]:[2,new Promise((function(e){setTimeout((function(){return c(n,void 0,void 0,(function(){var n;return u(this,(function(o){switch(o.label){case 0:return n=e,[4,t()];case 1:return n.apply(void 0,[o.sent()]),[2]}}))}))}),1e3)}))]}}))}))},[4,t()];case 1:return[2,e.sent()]}}))}))},e}(),ue=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.cache=U.shared,this.api=new ce({baseUrl:t,tenantId:n,onTokenExpired:o})}return e.prototype.enroll=function(e){return c(this,arguments,void 0,(function(e){var t=e.email;return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.enroll({token:this.cache.token,email:t})]:[2,this.cache.handleTokenNotSetError()];case 1:return[2,S(e.sent())]}}))}))},e.prototype.challenge=function(){return c(this,void 0,void 0,(function(){return u(this,(function(e){switch(e.label){case 0:return this.cache.token?[4,this.api.challenge({token:this.cache.token})]:[2,this.cache.handleTokenNotSetError()];case 1:return[2,S(e.sent())]}}))}))},e.prototype.checkVerificationStatus=function(){return c(this,void 0,void 0,(function(){var e;return u(this,(function(t){switch(t.label){case 0:return this.cache.token?[4,this.api.checkVerificationStatus({token:this.cache.token})]:[2,this.cache.handleTokenNotSetError()];case 1:return"accessToken"in(e=t.sent())&&e.accessToken&&(this.cache.token=e.accessToken),[2,S(e)]}}))}))},e}(),le=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.tenantId=n,this.baseUrl=t,this.onTokenExpired=o}return e.prototype.registrationOptions=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.token;return u(this,(function(e){switch(e.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/security-key/registration-options"),{method:"POST",headers:R({token:n,tenantId:this.tenantId}),body:JSON.stringify({})})];case 1:return[4,e.sent().json()];case 2:return x({response:t=e.sent(),onTokenExpired:this.onTokenExpired}),[2,t]}}))}))},e.prototype.authenticationOptions=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.token;return u(this,(function(e){switch(e.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/security-key/authentication-options"),{method:"POST",headers:R({token:n,tenantId:this.tenantId}),body:JSON.stringify({})})];case 1:return[4,e.sent().json()];case 2:return x({response:t=e.sent(),onTokenExpired:this.onTokenExpired}),[2,t]}}))}))},e.prototype.addAuthenticator=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.token,o=e.registrationCredential;return u(this,(function(e){switch(e.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/user-authenticators/security-key"),{method:"POST",headers:R({token:n,tenantId:this.tenantId}),body:JSON.stringify(o)})];case 1:return[4,e.sent().json()];case 2:return x({response:t=e.sent(),onTokenExpired:this.onTokenExpired}),[2,t]}}))}))},e.prototype.verify=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.token,o=e.authenticationCredential;return u(this,(function(e){switch(e.label){case 0:return[4,fetch("".concat(this.baseUrl,"/client/verify/security-key"),{method:"POST",headers:R({token:n,tenantId:this.tenantId}),body:JSON.stringify(o)})];case 1:return[4,e.sent().json()];case 2:return x({response:t=e.sent(),onTokenExpired:this.onTokenExpired}),[2,t]}}))}))},e}(),he=function(){function e(e){var t=e.baseUrl,n=e.tenantId,o=e.onTokenExpired;this.cache=U.shared,this.api=new le({baseUrl:t,tenantId:n,onTokenExpired:o})}return e.prototype.enroll=function(){return c(this,void 0,void 0,(function(){var e,t,n,o,r;return u(this,(function(i){switch(i.label){case 0:return this.cache.token?(e={token:this.cache.token},[4,this.api.registrationOptions(e)]):[2,this.cache.handleTokenNotSetError()];case 1:if("error"in(t=i.sent()))return[2,A(t)];i.label=2;case 2:return i.trys.push([2,5,,6]),[4,w({optionsJSON:t})];case 3:return n=i.sent(),[4,this.api.addAuthenticator({registrationCredential:n,token:this.cache.token})];case 4:return"error"in(o=i.sent())?[2,A(o)]:(o.accessToken&&(this.cache.token=o.accessToken),[2,{data:{token:o.accessToken,registrationResponse:n}}]);case 5:throw O(r=i.sent()),r;case 6:return[2]}}))}))},e.prototype.verify=function(){return c(this,void 0,void 0,(function(){var e,t,n,o,r;return u(this,(function(i){switch(i.label){case 0:return this.cache.token?[4,this.api.authenticationOptions({token:this.cache.token})]:[2,this.cache.handleTokenNotSetError()];case 1:if("error"in(e=i.sent()))return[2,A(e)];i.label=2;case 2:return i.trys.push([2,5,,6]),[4,T({optionsJSON:e})];case 3:return t=i.sent(),[4,this.api.verify({authenticationCredential:t,token:this.cache.token})];case 4:return"error"in(n=i.sent())?[2,A(n)]:(n.accessToken&&(this.cache.token=n.accessToken),o=n.accessToken,[2,{data:{isVerified:n.isVerified,token:o,authenticationResponse:t}}]);case 5:throw O(r=i.sent()),r;case 6:return[2]}}))}))},e}(),de=function(){function e(e){var t=e.baseUrl,n=e.tenantId;this.tenantId=n,this.baseUrl=t}return e.prototype.challenge=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.action;return u(this,(function(e){switch(e.label){case 0:return t={action:n},[4,fetch("".concat(this.baseUrl,"/client/challenge/qr-code"),{method:"POST",headers:R({tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return[2,e.sent()]}}))}))},e.prototype.verify=function(e){return c(this,arguments,void 0,(function(e){var t,n=e.challengeId,o=e.deviceCode;return u(this,(function(e){switch(e.label){case 0:return t={challengeId:n,deviceCode:o},[4,fetch("".concat(this.baseUrl,"/client/verify/qr-code"),{method:"POST",headers:R({tenantId:this.tenantId}),body:JSON.stringify(t)})];case 1:return[4,e.sent().json()];case 2:return[2,e.sent()]}}))}))},e}(),pe=function(){function e(e){var t=e.baseUrl,n=e.tenantId;this.api=new de({baseUrl:t,tenantId:n})}return e.prototype.challenge=function(e){return c(this,arguments,void 0,(function(e){var t=e.action;return u(this,(function(e){switch(e.label){case 0:return[4,this.api.challenge({action:t})];case 1:return[2,S(e.sent())]}}))}))},e.prototype.verify=function(e){return c(this,arguments,void 0,(function(e){var t=e.challengeId,n=e.deviceCode;return u(this,(function(e){switch(e.label){case 0:return[4,this.api.verify({challengeId:t,deviceCode:n})];case 1:return[2,S(e.sent())]}}))}))},e}(),fe="4a08uqve",ye=function(){function t(e){var t=e.cookieDomain,n=e.cookieName,o=void 0===n?"__as_aid":n,r=e.baseUrl,i=void 0===r?"https://api.authsignal.com/v1":r,a=e.tenantId,c=e.onTokenExpired;if(this.anonymousId="",this.profilingId="",this.cookieDomain="",this.anonymousIdCookieName="",this.cookieDomain=t||document.location.hostname.replace("www.",""),this.anonymousIdCookieName=o,!a)throw new Error("tenantId is required");var u,l=(u=this.anonymousIdCookieName)&&decodeURIComponent(document.cookie.replace(new RegExp("(?:(?:^|.*;)\\s*"+encodeURIComponent(u).replace(/[\-\.\+\*]/g,"\\$&")+"\\s*\\=\\s*([^;]*).*$)|^.*$"),"$1"))||null;l?this.anonymousId=l:(this.anonymousId=s(),I({name:this.anonymousIdCookieName,value:this.anonymousId,expire:1/0,domain:this.cookieDomain,secure:"http:"!==document.location.protocol})),this.passkey=new N({tenantId:a,baseUrl:i,anonymousId:this.anonymousId,onTokenExpired:c}),this.totp=new oe({tenantId:a,baseUrl:i,onTokenExpired:c}),this.email=new ie({tenantId:a,baseUrl:i,onTokenExpired:c}),this.emailML=new ue({tenantId:a,baseUrl:i,onTokenExpired:c}),this.sms=new ae({tenantId:a,baseUrl:i,onTokenExpired:c}),this.securityKey=new he({tenantId:a,baseUrl:i,onTokenExpired:c}),this.qrCode=new pe({tenantId:a,baseUrl:i})}return t.prototype.setToken=function(e){U.shared.token=e},t.prototype.launch=function(e,t){switch(null==t?void 0:t.mode){case"window":return this.launchWithWindow(e,t);case"popup":return this.launchWithPopup(e,t);default:this.launchWithRedirect(e)}},t.prototype.initAdvancedProfiling=function(e){var t=s();this.profilingId=t,I({name:"__as_pid",value:t,expire:1/0,domain:this.cookieDomain,secure:"http:"!==document.location.protocol});var n=e?"".concat(e,"/fp/tags.js?org_id=").concat(fe,"&session_id=").concat(t):"https://h.online-metrix.net/fp/tags.js?org_id=".concat(fe,"&session_id=").concat(t),o=document.createElement("script");o.src=n,o.async=!1,o.id="as_adv_profile",document.head.appendChild(o);var r=document.createElement("noscript");r.setAttribute("id","as_adv_profile_pixel"),r.setAttribute("aria-hidden","true");var i=document.createElement("iframe"),a=e?"".concat(e,"/fp/tags?org_id=").concat(fe,"&session_id=").concat(t):"https://h.online-metrix.net/fp/tags?org_id=".concat(fe,"&session_id=").concat(t);i.setAttribute("id","as_adv_profile_pixel"),i.setAttribute("src",a),i.setAttribute("style","width: 100px; height: 100px; border: 0; position: absolute; top: -5000px;"),r&&(r.appendChild(i),document.body.prepend(r))},t.prototype.launchWithRedirect=function(e){window.location.href=e},t.prototype.launchWithPopup=function(t,n){var o=n.popupOptions,r=new ee({width:null==o?void 0:o.width,isClosable:null==o?void 0:o.isClosable}),i="".concat(t,"&mode=popup");return r.show({url:i}),new Promise((function(t){var n=void 0;r.on("hide",(function(){t({token:n})})),window.addEventListener("message",(function(t){var o=null;try{o=JSON.parse(t.data)}catch(e){}(null==o?void 0:o.event)===e.AuthsignalWindowMessage.AUTHSIGNAL_CLOSE_POPUP&&(n=o.token,r.close())}),!1)}))},t.prototype.launchWithWindow=function(t,n){var o=n.windowOptions,r=new P,i="".concat(t,"&mode=popup");return r.show({url:i,width:null==o?void 0:o.width,height:null==o?void 0:o.height}),new Promise((function(t){window.addEventListener("message",(function(n){var o=null;try{o=JSON.parse(n.data)}catch(e){}(null==o?void 0:o.event)===e.AuthsignalWindowMessage.AUTHSIGNAL_CLOSE_POPUP&&(r.close(),t({token:o.token}))}),!1)}))},t}();return e.Authsignal=ye,e.WebAuthnError=b,Object.defineProperty(e,"__esModule",{value:!0}),e}({});

package/dist/passkey.d.ts

@@ -1,5 +1,5 @@
+import { AuthenticationResponseJSON, RegistrationResponseJSON, AuthenticatorAttachment } from "@simplewebauthn/browser";
 import { PasskeyApiClient } from "./api/passkey-api-client";
-import { AuthenticationResponseJSON, RegistrationResponseJSON, AuthenticatorAttachment } from "@simplewebauthn/types";
 import { AuthsignalResponse } from "./types";
 import { Authenticator } from "./api/types/shared";
 type PasskeyOptions = {
@@ -47,5 +47,6 @@ export declare class Passkey {
         userId: string;
     }): Promise<boolean>;
     private storeCredentialAgainstDevice;
+    private doesBrowserSupportConditionalCreate;
 }
 export {};

package/dist/qr-code.d.ts

@@ -0,0 +1,20 @@
+import { QrCodeChallengeResponse, QrCodeVerifyResponse } from "./api/types/qr-code";
+import { AuthsignalResponse } from "./types";
+type QrCodeOptions = {
+    baseUrl: string;
+    tenantId: string;
+};
+type ChallengeParams = {
+    action: string;
+};
+type VerifyParams = {
+    challengeId: string;
+    deviceCode: string;
+};
+export declare class QrCode {
+    private api;
+    constructor({ baseUrl, tenantId }: QrCodeOptions);
+    challenge({ action }: ChallengeParams): Promise<AuthsignalResponse<QrCodeChallengeResponse>>;
+    verify({ challengeId, deviceCode }: VerifyParams): Promise<AuthsignalResponse<QrCodeVerifyResponse>>;
+}
+export {};

package/dist/security-key.d.ts

@@ -1,4 +1,4 @@
-import { AuthenticationResponseJSON, RegistrationResponseJSON } from "@simplewebauthn/types";
+import { AuthenticationResponseJSON, RegistrationResponseJSON } from "@simplewebauthn/browser";
 import { AuthsignalResponse } from "./types";
 import { SecurityKeyApiClient } from "./api/security-key-api-client";
 type SecurityKeyOptions = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@authsignal/browser",
-  "version": "1.5.1",
+  "version": "1.6.1",
   "type": "module",
   "main": "dist/index.js",
   "module": "dist/index.js",
@@ -28,8 +28,7 @@
   },
   "dependencies": {
     "@fingerprintjs/fingerprintjs": "^3.3.6",
-    "@simplewebauthn/browser": "^11.0.0",
-    "@simplewebauthn/types": "^11.0.0",
+    "@simplewebauthn/browser": "^13.1.0",
     "a11y-dialog": "8.0.4",
     "uuid": "^9.0.0"
   },