@azure/keyvault-common 2.0.2-alpha.20260227.1 → 2.0.2-alpha.20260303.1

package/dist/browser/index.d.ts

@@ -1,5 +1,5 @@
 export * from "./keyVaultAuthenticationPolicy.js";
 export * from "./parseKeyVaultIdentifier.js";
-export * from "./extendedClientOptions.js";
+export type * from "./extendedClientOptions.js";
 export type { AdditionalPolicyConfig } from "@azure-rest/core-client";
 //# sourceMappingURL=index.d.ts.map

package/dist/browser/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAGA,cAAc,mCAAmC,CAAC;AAClD,cAAc,8BAA8B,CAAC;AAC7C,cAAc,4BAA4B,CAAC;AAC3C,YAAY,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAGA,cAAc,mCAAmC,CAAC;AAClD,cAAc,8BAA8B,CAAC;AAC7C,mBAAmB,4BAA4B,CAAC;AAChD,YAAY,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC"}

package/dist/browser/index.js

@@ -2,5 +2,4 @@
 // Licensed under the MIT License.
 export * from "./keyVaultAuthenticationPolicy.js";
 export * from "./parseKeyVaultIdentifier.js";
-export * from "./extendedClientOptions.js";
 //# sourceMappingURL=index.js.map

package/dist/browser/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,cAAc,mCAAmC,CAAC;AAClD,cAAc,8BAA8B,CAAC;AAC7C,cAAc,4BAA4B,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nexport * from \"./keyVaultAuthenticationPolicy.js\";\nexport * from \"./parseKeyVaultIdentifier.js\";\nexport * from \"./extendedClientOptions.js\";\nexport type { AdditionalPolicyConfig } from \"@azure-rest/core-client\";\n"]}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,cAAc,mCAAmC,CAAC;AAClD,cAAc,8BAA8B,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nexport * from \"./keyVaultAuthenticationPolicy.js\";\nexport * from \"./parseKeyVaultIdentifier.js\";\nexport type * from \"./extendedClientOptions.js\";\nexport type { AdditionalPolicyConfig } from \"@azure-rest/core-client\";\n"]}

package/dist/commonjs/extendedClientOptions.js

@@ -1,5 +1,15 @@
-"use strict";
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=extendedClientOptions.js.map
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var extendedClientOptions_exports = {};
+module.exports = __toCommonJS(extendedClientOptions_exports);

package/dist/commonjs/extendedClientOptions.js.map

@@ -1 +1,7 @@
-{"version":3,"file":"extendedClientOptions.js","sourceRoot":"","sources":["../../src/extendedClientOptions.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { HttpClient, PipelineOptions } from \"@azure/core-rest-pipeline\";\nimport type { AdditionalPolicyConfig } from \"@azure-rest/core-client\";\n\n/**\n * The common set of options that high level clients are expected to expose.\n */\nexport interface CommonClientOptions extends PipelineOptions {\n  /**\n   * The HttpClient that will be used to send HTTP requests.\n   */\n  httpClient?: HttpClient;\n  /**\n   * Set to true if the request is sent over HTTP instead of HTTPS\n   */\n  allowInsecureConnection?: boolean;\n  /**\n   * Additional policies to include in the HTTP pipeline.\n   */\n  additionalPolicies?: AdditionalPolicyConfig[];\n}\n\n/**\n * Options for keep alive behavior of HTTP connections.\n */\nexport interface KeepAliveOptions {\n  /**\n   * When true, connections will be kept alive for multiple requests.\n   * Defaults to true.\n   */\n  enable?: boolean;\n}\n\n/**\n * Options for how redirect responses are handled.\n */\nexport interface RedirectOptions {\n  /**\n   * When true, redirect responses are followed. Defaults to true.\n   */\n  handleRedirects?: boolean;\n\n  /**\n   * The maximum number of times the redirect URL will be tried before\n   * failing. Defaults to 20.\n   */\n  maxRetries?: number;\n}\n\n/**\n * Extended common client options that include keep alive and redirect options.\n * This type combines the standard CommonClientOptions with additional options\n * for controlling HTTP connection keep-alive and redirect behavior.\n */\nexport type ExtendedCommonClientOptions = CommonClientOptions & {\n  /**\n   * Options to configure keep alive behavior for HTTP connections.\n   */\n  keepAliveOptions?: KeepAliveOptions;\n  /**\n   * Options to configure how redirect responses are handled.\n   */\n  redirectOptions?: RedirectOptions;\n};\n"]}
+{
+  "version": 3,
+  "sources": ["/mnt/vss/_work/1/s/sdk/keyvault/keyvault-common/src/extendedClientOptions.ts"],
+  "sourcesContent": ["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { HttpClient, PipelineOptions } from \"@azure/core-rest-pipeline\";\nimport type { AdditionalPolicyConfig } from \"@azure-rest/core-client\";\n\n/**\n * The common set of options that high level clients are expected to expose.\n */\nexport interface CommonClientOptions extends PipelineOptions {\n  /**\n   * The HttpClient that will be used to send HTTP requests.\n   */\n  httpClient?: HttpClient;\n  /**\n   * Set to true if the request is sent over HTTP instead of HTTPS\n   */\n  allowInsecureConnection?: boolean;\n  /**\n   * Additional policies to include in the HTTP pipeline.\n   */\n  additionalPolicies?: AdditionalPolicyConfig[];\n}\n\n/**\n * Options for keep alive behavior of HTTP connections.\n */\nexport interface KeepAliveOptions {\n  /**\n   * When true, connections will be kept alive for multiple requests.\n   * Defaults to true.\n   */\n  enable?: boolean;\n}\n\n/**\n * Options for how redirect responses are handled.\n */\nexport interface RedirectOptions {\n  /**\n   * When true, redirect responses are followed. Defaults to true.\n   */\n  handleRedirects?: boolean;\n\n  /**\n   * The maximum number of times the redirect URL will be tried before\n   * failing. Defaults to 20.\n   */\n  maxRetries?: number;\n}\n\n/**\n * Extended common client options that include keep alive and redirect options.\n * This type combines the standard CommonClientOptions with additional options\n * for controlling HTTP connection keep-alive and redirect behavior.\n */\nexport type ExtendedCommonClientOptions = CommonClientOptions & {\n  /**\n   * Options to configure keep alive behavior for HTTP connections.\n   */\n  keepAliveOptions?: KeepAliveOptions;\n  /**\n   * Options to configure how redirect responses are handled.\n   */\n  redirectOptions?: RedirectOptions;\n};\n"],
+  "mappings": ";;;;;;;;;;;;;AAAA;AAAA;",
+  "names": []
+}

package/dist/commonjs/index.d.ts

@@ -1,5 +1,5 @@
 export * from "./keyVaultAuthenticationPolicy.js";
 export * from "./parseKeyVaultIdentifier.js";
-export * from "./extendedClientOptions.js";
+export type * from "./extendedClientOptions.js";
 export type { AdditionalPolicyConfig } from "@azure-rest/core-client";
 //# sourceMappingURL=index.d.ts.map

package/dist/commonjs/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAGA,cAAc,mCAAmC,CAAC;AAClD,cAAc,8BAA8B,CAAC;AAC7C,cAAc,4BAA4B,CAAC;AAC3C,YAAY,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAGA,cAAc,mCAAmC,CAAC;AAClD,cAAc,8BAA8B,CAAC;AAC7C,mBAAmB,4BAA4B,CAAC;AAChD,YAAY,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC"}

package/dist/commonjs/index.js

@@ -1,9 +1,18 @@
-"use strict";
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-Object.defineProperty(exports, "__esModule", { value: true });
-const tslib_1 = require("tslib");
-tslib_1.__exportStar(require("./keyVaultAuthenticationPolicy.js"), exports);
-tslib_1.__exportStar(require("./parseKeyVaultIdentifier.js"), exports);
-tslib_1.__exportStar(require("./extendedClientOptions.js"), exports);
-//# sourceMappingURL=index.js.map
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var src_exports = {};
+module.exports = __toCommonJS(src_exports);
+__reExport(src_exports, require("./keyVaultAuthenticationPolicy.js"), module.exports);
+__reExport(src_exports, require("./parseKeyVaultIdentifier.js"), module.exports);

package/dist/commonjs/index.js.map

@@ -1 +1,7 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAElC,4EAAkD;AAClD,uEAA6C;AAC7C,qEAA2C","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nexport * from \"./keyVaultAuthenticationPolicy.js\";\nexport * from \"./parseKeyVaultIdentifier.js\";\nexport * from \"./extendedClientOptions.js\";\nexport type { AdditionalPolicyConfig } from \"@azure-rest/core-client\";\n"]}
+{
+  "version": 3,
+  "sources": ["/mnt/vss/_work/1/s/sdk/keyvault/keyvault-common/src/index.ts"],
+  "sourcesContent": ["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nexport * from \"./keyVaultAuthenticationPolicy.js\";\nexport * from \"./parseKeyVaultIdentifier.js\";\nexport type * from \"./extendedClientOptions.js\";\nexport type { AdditionalPolicyConfig } from \"@azure-rest/core-client\";\n"],
+  "mappings": ";;;;;;;;;;;;;;AAAA;AAAA;AAGA,wBAAc,8CAHd;AAIA,wBAAc,yCAJd;",
+  "names": []
+}

package/dist/commonjs/keyVaultAuthenticationPolicy.js

@@ -1,168 +1,157 @@
-"use strict";
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.keyVaultAuthenticationPolicyName = void 0;
-exports.keyVaultAuthenticationPolicy = keyVaultAuthenticationPolicy;
-const parseWWWAuthenticate_js_1 = require("./parseWWWAuthenticate.js");
-const tokenCycler_js_1 = require("./tokenCycler.js");
-const logger_js_1 = require("./logger.js");
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var keyVaultAuthenticationPolicy_exports = {};
+__export(keyVaultAuthenticationPolicy_exports, {
+  keyVaultAuthenticationPolicy: () => keyVaultAuthenticationPolicy,
+  keyVaultAuthenticationPolicyName: () => keyVaultAuthenticationPolicyName
+});
+module.exports = __toCommonJS(keyVaultAuthenticationPolicy_exports);
+var import_parseWWWAuthenticate = require("./parseWWWAuthenticate.js");
+var import_tokenCycler = require("./tokenCycler.js");
+var import_logger = require("./logger.js");
 function verifyChallengeResource(scope, request) {
-    let scopeAsUrl;
-    try {
-        scopeAsUrl = new URL(scope);
-    }
-    catch (e) {
-        throw new Error(`The challenge contains invalid scope '${scope}'`);
-    }
-    const requestUrl = new URL(request.url);
-    if (!requestUrl.hostname.endsWith(`.${scopeAsUrl.hostname}`)) {
-        throw new Error(`The challenge resource '${scopeAsUrl.hostname}' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information.`);
-    }
+  let scopeAsUrl;
+  try {
+    scopeAsUrl = new URL(scope);
+  } catch (e) {
+    throw new Error(`The challenge contains invalid scope '${scope}'`);
+  }
+  const requestUrl = new URL(request.url);
+  if (!requestUrl.hostname.endsWith(`.${scopeAsUrl.hostname}`)) {
+    throw new Error(
+      `The challenge resource '${scopeAsUrl.hostname}' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information.`
+    );
+  }
 }
-/**
- * Name of the Key Vault authentication policy.
- */
-exports.keyVaultAuthenticationPolicyName = "keyVaultAuthenticationPolicy";
-/**
- * A custom implementation of the bearer-token authentication policy that handles Key Vault and CAE challenges.
- *
- * Key Vault supports other authentication schemes, but we ensure challenge authentication
- * is used by first sending a copy of the request, without authorization or content.
- *
- * when the challenge is received, it will be authenticated and used to send the original
- * request with authorization.
- *
- * Following the first request of a client, follow-up requests will get the cached token
- * if possible.
- *
- */
+const keyVaultAuthenticationPolicyName = "keyVaultAuthenticationPolicy";
 function keyVaultAuthenticationPolicy(credential, options = {}) {
-    const { disableChallengeResourceVerification } = options;
-    let challengeState = { status: "none" };
-    const getAccessToken = (0, tokenCycler_js_1.createTokenCycler)(credential);
-    function requestToOptions(request) {
-        return {
-            abortSignal: request.abortSignal,
-            requestOptions: {
-                timeout: request.timeout > 0 ? request.timeout : undefined,
-            },
-            tracingOptions: request.tracingOptions,
+  const { disableChallengeResourceVerification } = options;
+  let challengeState = { status: "none" };
+  const getAccessToken = (0, import_tokenCycler.createTokenCycler)(credential);
+  function requestToOptions(request) {
+    return {
+      abortSignal: request.abortSignal,
+      requestOptions: {
+        timeout: request.timeout > 0 ? request.timeout : void 0
+      },
+      tracingOptions: request.tracingOptions
+    };
+  }
+  async function authorizeRequest(request) {
+    const requestOptions = requestToOptions(request);
+    switch (challengeState.status) {
+      case "none":
+        challengeState = {
+          status: "started",
+          originalBody: request.body
         };
-    }
-    async function authorizeRequest(request) {
-        const requestOptions = requestToOptions(request);
-        switch (challengeState.status) {
-            case "none":
-                challengeState = {
-                    status: "started",
-                    originalBody: request.body,
-                };
-                request.body = null;
-                break;
-            case "started":
-                break; // Retry, we should not overwrite the original body
-            case "complete": {
-                const token = await getAccessToken(challengeState.scopes, {
-                    ...requestOptions,
-                    enableCae: true,
-                    tenantId: challengeState.tenantId,
-                });
-                if (token) {
-                    request.headers.set("authorization", `Bearer ${token.token}`);
-                }
-                break;
-            }
-        }
-    }
-    async function handleChallenge(request, response, next) {
-        // If status is not 401, this is a no-op
-        if (response.status !== 401) {
-            return response;
-        }
-        if (request.body === null && challengeState.status === "started") {
-            // Reset the original body before doing anything else.
-            // Note: If successful status will be "complete", otherwise "none" will
-            // restart the process.
-            request.body = challengeState.originalBody;
-        }
-        const getTokenOptions = requestToOptions(request);
-        const challenge = response.headers.get("WWW-Authenticate");
-        if (!challenge) {
-            logger_js_1.logger.warning("keyVaultAuthentication policy encountered a 401 response without a corresponding WWW-Authenticate header. This is unexpected. Not handling the 401 response.");
-            return response;
-        }
-        const parsedChallenge = (0, parseWWWAuthenticate_js_1.parseWWWAuthenticateHeader)(challenge);
-        const scope = parsedChallenge.resource
-            ? parsedChallenge.resource + "/.default"
-            : parsedChallenge.scope;
-        if (!scope) {
-            // Cannot handle this kind of challenge here (if scope is not present, may be a CAE challenge)
-            return response;
-        }
-        if (!disableChallengeResourceVerification) {
-            verifyChallengeResource(scope, request);
-        }
-        const accessToken = await getAccessToken([scope], {
-            ...getTokenOptions,
-            enableCae: true,
-            tenantId: parsedChallenge.tenantId,
+        request.body = null;
+        break;
+      case "started":
+        break;
+      // Retry, we should not overwrite the original body
+      case "complete": {
+        const token = await getAccessToken(challengeState.scopes, {
+          ...requestOptions,
+          enableCae: true,
+          tenantId: challengeState.tenantId
         });
-        if (!accessToken) {
-            // No access token provided, treat as no-op
-            return response;
+        if (token) {
+          request.headers.set("authorization", `Bearer ${token.token}`);
         }
-        request.headers.set("Authorization", `Bearer ${accessToken.token}`);
-        challengeState = {
-            status: "complete",
-            scopes: [scope],
-            tenantId: parsedChallenge.tenantId,
-        };
-        // We have a token now, so try send the request again
-        return next(request);
+        break;
+      }
     }
-    async function handleCaeChallenge(request, response, next) {
-        // Cannot handle CAE challenge if a regular challenge has not been completed first
-        if (challengeState.status !== "complete") {
-            return response;
-        }
-        // If status is not 401, this is a no-op
-        if (response.status !== 401) {
-            return response;
-        }
-        const getTokenOptions = requestToOptions(request);
-        const challenge = response.headers.get("WWW-Authenticate");
-        if (!challenge) {
-            return response;
-        }
-        const { claims: base64EncodedClaims, error } = (0, parseWWWAuthenticate_js_1.parseWWWAuthenticateHeader)(challenge);
-        if (error !== "insufficient_claims" || base64EncodedClaims === undefined) {
-            return response;
-        }
-        const claims = atob(base64EncodedClaims);
-        const accessToken = await getAccessToken(challengeState.scopes, {
-            ...getTokenOptions,
-            enableCae: true,
-            tenantId: challengeState.tenantId,
-            claims,
-        });
-        request.headers.set("Authorization", `Bearer ${accessToken.token}`);
-        return next(request);
+  }
+  async function handleChallenge(request, response, next) {
+    if (response.status !== 401) {
+      return response;
     }
-    async function sendRequest(request, next) {
-        // Add token if possible
-        await authorizeRequest(request);
-        // Try send request (first attempt)
-        let response = await next(request);
-        // Handle standard challenge if present
-        response = await handleChallenge(request, response, next);
-        // Handle CAE challenge if present
-        response = await handleCaeChallenge(request, response, next);
-        return response;
+    if (request.body === null && challengeState.status === "started") {
+      request.body = challengeState.originalBody;
     }
-    return {
-        name: exports.keyVaultAuthenticationPolicyName,
-        sendRequest,
+    const getTokenOptions = requestToOptions(request);
+    const challenge = response.headers.get("WWW-Authenticate");
+    if (!challenge) {
+      import_logger.logger.warning(
+        "keyVaultAuthentication policy encountered a 401 response without a corresponding WWW-Authenticate header. This is unexpected. Not handling the 401 response."
+      );
+      return response;
+    }
+    const parsedChallenge = (0, import_parseWWWAuthenticate.parseWWWAuthenticateHeader)(challenge);
+    const scope = parsedChallenge.resource ? parsedChallenge.resource + "/.default" : parsedChallenge.scope;
+    if (!scope) {
+      return response;
+    }
+    if (!disableChallengeResourceVerification) {
+      verifyChallengeResource(scope, request);
+    }
+    const accessToken = await getAccessToken([scope], {
+      ...getTokenOptions,
+      enableCae: true,
+      tenantId: parsedChallenge.tenantId
+    });
+    if (!accessToken) {
+      return response;
+    }
+    request.headers.set("Authorization", `Bearer ${accessToken.token}`);
+    challengeState = {
+      status: "complete",
+      scopes: [scope],
+      tenantId: parsedChallenge.tenantId
     };
+    return next(request);
+  }
+  async function handleCaeChallenge(request, response, next) {
+    if (challengeState.status !== "complete") {
+      return response;
+    }
+    if (response.status !== 401) {
+      return response;
+    }
+    const getTokenOptions = requestToOptions(request);
+    const challenge = response.headers.get("WWW-Authenticate");
+    if (!challenge) {
+      return response;
+    }
+    const { claims: base64EncodedClaims, error } = (0, import_parseWWWAuthenticate.parseWWWAuthenticateHeader)(challenge);
+    if (error !== "insufficient_claims" || base64EncodedClaims === void 0) {
+      return response;
+    }
+    const claims = atob(base64EncodedClaims);
+    const accessToken = await getAccessToken(challengeState.scopes, {
+      ...getTokenOptions,
+      enableCae: true,
+      tenantId: challengeState.tenantId,
+      claims
+    });
+    request.headers.set("Authorization", `Bearer ${accessToken.token}`);
+    return next(request);
+  }
+  async function sendRequest(request, next) {
+    await authorizeRequest(request);
+    let response = await next(request);
+    response = await handleChallenge(request, response, next);
+    response = await handleCaeChallenge(request, response, next);
+    return response;
+  }
+  return {
+    name: keyVaultAuthenticationPolicyName,
+    sendRequest
+  };
 }
-//# sourceMappingURL=keyVaultAuthenticationPolicy.js.map

package/dist/commonjs/keyVaultAuthenticationPolicy.js.map

@@ -1 +1,7 @@
-{"version":3,"file":"keyVaultAuthenticationPolicy.js","sourceRoot":"","sources":["../../src/keyVaultAuthenticationPolicy.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAyFlC,oEA8KC;AA7PD,uEAAuE;AAGvE,qDAAqD;AACrD,2CAAqC;AAwCrC,SAAS,uBAAuB,CAAC,KAAa,EAAE,OAAwB;IACtE,IAAI,UAAe,CAAC;IACpB,IAAI,CAAC;QACH,UAAU,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,yCAAyC,KAAK,GAAG,CAAC,CAAC;IACrE,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAExC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CACb,2BAA2B,UAAU,CAAC,QAAQ,0LAA0L,CACzO,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACU,QAAA,gCAAgC,GAAG,8BAA8B,CAAC;AAE/E;;;;;;;;;;;;GAYG;AACH,SAAgB,4BAA4B,CAC1C,UAA2B,EAC3B,UAA+C,EAAE;IAEjD,MAAM,EAAE,oCAAoC,EAAE,GAAG,OAAO,CAAC;IACzD,IAAI,cAAc,GAAmB,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;IACxD,MAAM,cAAc,GAAG,IAAA,kCAAiB,EAAC,UAAU,CAAC,CAAC;IAErD,SAAS,gBAAgB,CAAC,OAAwB;QAChD,OAAO;YACL,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,cAAc,EAAE;gBACd,OAAO,EAAE,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;aAC3D;YACD,cAAc,EAAE,OAAO,CAAC,cAAc;SACvC,CAAC;IACJ,CAAC;IAED,KAAK,UAAU,gBAAgB,CAAC,OAAwB;QACtD,MAAM,cAAc,GAAoB,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAElE,QAAQ,cAAc,CAAC,MAAM,EAAE,CAAC;YAC9B,KAAK,MAAM;gBACT,cAAc,GAAG;oBACf,MAAM,EAAE,SAAS;oBACjB,YAAY,EAAE,OAAO,CAAC,IAAI;iBAC3B,CAAC;gBACF,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;gBACpB,MAAM;YACR,KAAK,SAAS;gBACZ,MAAM,CAAC,mDAAmD;YAC5D,KAAK,UAAU,CAAC,CAAC,CAAC;gBAChB,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,cAAc,CAAC,MAAM,EAAE;oBACxD,GAAG,cAAc;oBACjB,SAAS,EAAE,IAAI;oBACf,QAAQ,EAAE,cAAc,CAAC,QAAQ;iBAClC,CAAC,CAAC;gBACH,IAAI,KAAK,EAAE,CAAC;oBACV,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;gBAChE,CAAC;gBACD,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,UAAU,eAAe,CAC5B,OAAwB,EACxB,QAA0B,EAC1B,IAAiB;QAEjB,wCAAwC;QACxC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,IAAI,OAAO,CAAC,IAAI,KAAK,IAAI,IAAI,cAAc,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YACjE,sDAAsD;YACtD,uEAAuE;YACvE,uBAAuB;YACvB,OAAO,CAAC,IAAI,GAAG,cAAc,CAAC,YAAY,CAAC;QAC7C,CAAC;QAED,MAAM,eAAe,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAElD,MAAM,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;QAC3D,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,kBAAM,CAAC,OAAO,CACZ,8JAA8J,CAC/J,CAAC;YACF,OAAO,QAAQ,CAAC;QAClB,CAAC;QACD,MAAM,eAAe,GAAoB,IAAA,oDAA0B,EAAC,SAAS,CAAC,CAAC;QAE/E,MAAM,KAAK,GAAG,eAAe,CAAC,QAAQ;YACpC,CAAC,CAAC,eAAe,CAAC,QAAQ,GAAG,WAAW;YACxC,CAAC,CAAC,eAAe,CAAC,KAAK,CAAC;QAE1B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,8FAA8F;YAC9F,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,IAAI,CAAC,oCAAoC,EAAE,CAAC;YAC1C,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QAC1C,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,CAAC,KAAK,CAAC,EAAE;YAChD,GAAG,eAAe;YAClB,SAAS,EAAE,IAAI;YACf,QAAQ,EAAE,eAAe,CAAC,QAAQ;SACnC,CAAC,CAAC;QAEH,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,2CAA2C;YAC3C,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,WAAW,CAAC,KAAK,EAAE,CAAC,CAAC;QAEpE,cAAc,GAAG;YACf,MAAM,EAAE,UAAU;YAClB,MAAM,EAAE,CAAC,KAAK,CAAC;YACf,QAAQ,EAAE,eAAe,CAAC,QAAQ;SACnC,CAAC;QAEF,qDAAqD;QACrD,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC;IACvB,CAAC;IAED,KAAK,UAAU,kBAAkB,CAC/B,OAAwB,EACxB,QAA0B,EAC1B,IAAiB;QAEjB,kFAAkF;QAClF,IAAI,cAAc,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YACzC,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,wCAAwC;QACxC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,MAAM,eAAe,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAElD,MAAM,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;QAC3D,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,QAAQ,CAAC;QAClB,CAAC;QACD,MAAM,EAAE,MAAM,EAAE,mBAAmB,EAAE,KAAK,EAAE,GAC1C,IAAA,oDAA0B,EAAC,SAAS,CAAC,CAAC;QAExC,IAAI,KAAK,KAAK,qBAAqB,IAAI,mBAAmB,KAAK,SAAS,EAAE,CAAC;YACzE,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,mBAAmB,CAAC,CAAC;QAEzC,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,cAAc,CAAC,MAAM,EAAE;YAC9D,GAAG,eAAe;YAClB,SAAS,EAAE,IAAI;YACf,QAAQ,EAAE,cAAc,CAAC,QAAQ;YACjC,MAAM;SACP,CAAC,CAAC;QAEH,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,WAAW,CAAC,KAAK,EAAE,CAAC,CAAC;QAEpE,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC;IACvB,CAAC;IAED,KAAK,UAAU,WAAW,CACxB,OAAwB,EACxB,IAAiB;QAEjB,wBAAwB;QACxB,MAAM,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAEhC,mCAAmC;QACnC,IAAI,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,CAAC;QAEnC,uCAAuC;QACvC,QAAQ,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;QAE1D,kCAAkC;QAClC,QAAQ,GAAG,MAAM,kBAAkB,CAAC,OAAO,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;QAE7D,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,OAAO;QACL,IAAI,EAAE,wCAAgC;QACtC,WAAW;KACZ,CAAC;AACJ,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type {\n  PipelinePolicy,\n  PipelineRequest,\n  PipelineResponse,\n  RequestBodyType,\n  SendRequest,\n} from \"@azure/core-rest-pipeline\";\nimport type { WWWAuthenticate } from \"./parseWWWAuthenticate.js\";\nimport { parseWWWAuthenticateHeader } from \"./parseWWWAuthenticate.js\";\n\nimport type { GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport { createTokenCycler } from \"./tokenCycler.js\";\nimport { logger } from \"./logger.js\";\n\n/**\n * @internal\n * Holds the state of Challenge Auth.\n * When making the first request we force Key Vault to begin a challenge\n * by clearing out the request body and storing it locally.\n *\n * Later on, the authorizeRequestOnChallenge callback will process the\n * challenge and, if ready to resend the original request, reset the body\n * so that it may be sent again.\n *\n * Once a client has succeeded once, we can start skipping CAE.\n */\ntype ChallengeState =\n  | {\n      status: \"none\";\n    }\n  | {\n      status: \"started\";\n      originalBody?: RequestBodyType;\n    }\n  | {\n      status: \"complete\";\n      scopes: string[];\n      tenantId?: string;\n    };\n\n/**\n * Additional options for the challenge based authentication policy.\n */\nexport interface KeyVaultAuthenticationPolicyOptions {\n  /**\n   * Whether to disable verification that the challenge resource matches the Key Vault or Managed HSM domain.\n   *\n   * Defaults to false.\n   */\n  disableChallengeResourceVerification?: boolean;\n}\n\nfunction verifyChallengeResource(scope: string, request: PipelineRequest): void {\n  let scopeAsUrl: URL;\n  try {\n    scopeAsUrl = new URL(scope);\n  } catch (e) {\n    throw new Error(`The challenge contains invalid scope '${scope}'`);\n  }\n\n  const requestUrl = new URL(request.url);\n\n  if (!requestUrl.hostname.endsWith(`.${scopeAsUrl.hostname}`)) {\n    throw new Error(\n      `The challenge resource '${scopeAsUrl.hostname}' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information.`,\n    );\n  }\n}\n\n/**\n * Name of the Key Vault authentication policy.\n */\nexport const keyVaultAuthenticationPolicyName = \"keyVaultAuthenticationPolicy\";\n\n/**\n * A custom implementation of the bearer-token authentication policy that handles Key Vault and CAE challenges.\n *\n * Key Vault supports other authentication schemes, but we ensure challenge authentication\n * is used by first sending a copy of the request, without authorization or content.\n *\n * when the challenge is received, it will be authenticated and used to send the original\n * request with authorization.\n *\n * Following the first request of a client, follow-up requests will get the cached token\n * if possible.\n *\n */\nexport function keyVaultAuthenticationPolicy(\n  credential: TokenCredential,\n  options: KeyVaultAuthenticationPolicyOptions = {},\n): PipelinePolicy {\n  const { disableChallengeResourceVerification } = options;\n  let challengeState: ChallengeState = { status: \"none\" };\n  const getAccessToken = createTokenCycler(credential);\n\n  function requestToOptions(request: PipelineRequest): GetTokenOptions {\n    return {\n      abortSignal: request.abortSignal,\n      requestOptions: {\n        timeout: request.timeout > 0 ? request.timeout : undefined,\n      },\n      tracingOptions: request.tracingOptions,\n    };\n  }\n\n  async function authorizeRequest(request: PipelineRequest): Promise<void> {\n    const requestOptions: GetTokenOptions = requestToOptions(request);\n\n    switch (challengeState.status) {\n      case \"none\":\n        challengeState = {\n          status: \"started\",\n          originalBody: request.body,\n        };\n        request.body = null;\n        break;\n      case \"started\":\n        break; // Retry, we should not overwrite the original body\n      case \"complete\": {\n        const token = await getAccessToken(challengeState.scopes, {\n          ...requestOptions,\n          enableCae: true,\n          tenantId: challengeState.tenantId,\n        });\n        if (token) {\n          request.headers.set(\"authorization\", `Bearer ${token.token}`);\n        }\n        break;\n      }\n    }\n  }\n\n  async function handleChallenge(\n    request: PipelineRequest,\n    response: PipelineResponse,\n    next: SendRequest,\n  ): Promise<PipelineResponse> {\n    // If status is not 401, this is a no-op\n    if (response.status !== 401) {\n      return response;\n    }\n\n    if (request.body === null && challengeState.status === \"started\") {\n      // Reset the original body before doing anything else.\n      // Note: If successful status will be \"complete\", otherwise \"none\" will\n      // restart the process.\n      request.body = challengeState.originalBody;\n    }\n\n    const getTokenOptions = requestToOptions(request);\n\n    const challenge = response.headers.get(\"WWW-Authenticate\");\n    if (!challenge) {\n      logger.warning(\n        \"keyVaultAuthentication policy encountered a 401 response without a corresponding WWW-Authenticate header. This is unexpected. Not handling the 401 response.\",\n      );\n      return response;\n    }\n    const parsedChallenge: WWWAuthenticate = parseWWWAuthenticateHeader(challenge);\n\n    const scope = parsedChallenge.resource\n      ? parsedChallenge.resource + \"/.default\"\n      : parsedChallenge.scope;\n\n    if (!scope) {\n      // Cannot handle this kind of challenge here (if scope is not present, may be a CAE challenge)\n      return response;\n    }\n\n    if (!disableChallengeResourceVerification) {\n      verifyChallengeResource(scope, request);\n    }\n\n    const accessToken = await getAccessToken([scope], {\n      ...getTokenOptions,\n      enableCae: true,\n      tenantId: parsedChallenge.tenantId,\n    });\n\n    if (!accessToken) {\n      // No access token provided, treat as no-op\n      return response;\n    }\n\n    request.headers.set(\"Authorization\", `Bearer ${accessToken.token}`);\n\n    challengeState = {\n      status: \"complete\",\n      scopes: [scope],\n      tenantId: parsedChallenge.tenantId,\n    };\n\n    // We have a token now, so try send the request again\n    return next(request);\n  }\n\n  async function handleCaeChallenge(\n    request: PipelineRequest,\n    response: PipelineResponse,\n    next: SendRequest,\n  ): Promise<PipelineResponse> {\n    // Cannot handle CAE challenge if a regular challenge has not been completed first\n    if (challengeState.status !== \"complete\") {\n      return response;\n    }\n\n    // If status is not 401, this is a no-op\n    if (response.status !== 401) {\n      return response;\n    }\n\n    const getTokenOptions = requestToOptions(request);\n\n    const challenge = response.headers.get(\"WWW-Authenticate\");\n    if (!challenge) {\n      return response;\n    }\n    const { claims: base64EncodedClaims, error }: WWWAuthenticate =\n      parseWWWAuthenticateHeader(challenge);\n\n    if (error !== \"insufficient_claims\" || base64EncodedClaims === undefined) {\n      return response;\n    }\n\n    const claims = atob(base64EncodedClaims);\n\n    const accessToken = await getAccessToken(challengeState.scopes, {\n      ...getTokenOptions,\n      enableCae: true,\n      tenantId: challengeState.tenantId,\n      claims,\n    });\n\n    request.headers.set(\"Authorization\", `Bearer ${accessToken.token}`);\n\n    return next(request);\n  }\n\n  async function sendRequest(\n    request: PipelineRequest,\n    next: SendRequest,\n  ): Promise<PipelineResponse> {\n    // Add token if possible\n    await authorizeRequest(request);\n\n    // Try send request (first attempt)\n    let response = await next(request);\n\n    // Handle standard challenge if present\n    response = await handleChallenge(request, response, next);\n\n    // Handle CAE challenge if present\n    response = await handleCaeChallenge(request, response, next);\n\n    return response;\n  }\n\n  return {\n    name: keyVaultAuthenticationPolicyName,\n    sendRequest,\n  };\n}\n"]}
+{
+  "version": 3,
+  "sources": ["/mnt/vss/_work/1/s/sdk/keyvault/keyvault-common/src/keyVaultAuthenticationPolicy.ts"],
+  "sourcesContent": ["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type {\n  PipelinePolicy,\n  PipelineRequest,\n  PipelineResponse,\n  RequestBodyType,\n  SendRequest,\n} from \"@azure/core-rest-pipeline\";\nimport type { WWWAuthenticate } from \"./parseWWWAuthenticate.js\";\nimport { parseWWWAuthenticateHeader } from \"./parseWWWAuthenticate.js\";\n\nimport type { GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport { createTokenCycler } from \"./tokenCycler.js\";\nimport { logger } from \"./logger.js\";\n\n/**\n * @internal\n * Holds the state of Challenge Auth.\n * When making the first request we force Key Vault to begin a challenge\n * by clearing out the request body and storing it locally.\n *\n * Later on, the authorizeRequestOnChallenge callback will process the\n * challenge and, if ready to resend the original request, reset the body\n * so that it may be sent again.\n *\n * Once a client has succeeded once, we can start skipping CAE.\n */\ntype ChallengeState =\n  | {\n      status: \"none\";\n    }\n  | {\n      status: \"started\";\n      originalBody?: RequestBodyType;\n    }\n  | {\n      status: \"complete\";\n      scopes: string[];\n      tenantId?: string;\n    };\n\n/**\n * Additional options for the challenge based authentication policy.\n */\nexport interface KeyVaultAuthenticationPolicyOptions {\n  /**\n   * Whether to disable verification that the challenge resource matches the Key Vault or Managed HSM domain.\n   *\n   * Defaults to false.\n   */\n  disableChallengeResourceVerification?: boolean;\n}\n\nfunction verifyChallengeResource(scope: string, request: PipelineRequest): void {\n  let scopeAsUrl: URL;\n  try {\n    scopeAsUrl = new URL(scope);\n  } catch (e) {\n    throw new Error(`The challenge contains invalid scope '${scope}'`);\n  }\n\n  const requestUrl = new URL(request.url);\n\n  if (!requestUrl.hostname.endsWith(`.${scopeAsUrl.hostname}`)) {\n    throw new Error(\n      `The challenge resource '${scopeAsUrl.hostname}' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information.`,\n    );\n  }\n}\n\n/**\n * Name of the Key Vault authentication policy.\n */\nexport const keyVaultAuthenticationPolicyName = \"keyVaultAuthenticationPolicy\";\n\n/**\n * A custom implementation of the bearer-token authentication policy that handles Key Vault and CAE challenges.\n *\n * Key Vault supports other authentication schemes, but we ensure challenge authentication\n * is used by first sending a copy of the request, without authorization or content.\n *\n * when the challenge is received, it will be authenticated and used to send the original\n * request with authorization.\n *\n * Following the first request of a client, follow-up requests will get the cached token\n * if possible.\n *\n */\nexport function keyVaultAuthenticationPolicy(\n  credential: TokenCredential,\n  options: KeyVaultAuthenticationPolicyOptions = {},\n): PipelinePolicy {\n  const { disableChallengeResourceVerification } = options;\n  let challengeState: ChallengeState = { status: \"none\" };\n  const getAccessToken = createTokenCycler(credential);\n\n  function requestToOptions(request: PipelineRequest): GetTokenOptions {\n    return {\n      abortSignal: request.abortSignal,\n      requestOptions: {\n        timeout: request.timeout > 0 ? request.timeout : undefined,\n      },\n      tracingOptions: request.tracingOptions,\n    };\n  }\n\n  async function authorizeRequest(request: PipelineRequest): Promise<void> {\n    const requestOptions: GetTokenOptions = requestToOptions(request);\n\n    switch (challengeState.status) {\n      case \"none\":\n        challengeState = {\n          status: \"started\",\n          originalBody: request.body,\n        };\n        request.body = null;\n        break;\n      case \"started\":\n        break; // Retry, we should not overwrite the original body\n      case \"complete\": {\n        const token = await getAccessToken(challengeState.scopes, {\n          ...requestOptions,\n          enableCae: true,\n          tenantId: challengeState.tenantId,\n        });\n        if (token) {\n          request.headers.set(\"authorization\", `Bearer ${token.token}`);\n        }\n        break;\n      }\n    }\n  }\n\n  async function handleChallenge(\n    request: PipelineRequest,\n    response: PipelineResponse,\n    next: SendRequest,\n  ): Promise<PipelineResponse> {\n    // If status is not 401, this is a no-op\n    if (response.status !== 401) {\n      return response;\n    }\n\n    if (request.body === null && challengeState.status === \"started\") {\n      // Reset the original body before doing anything else.\n      // Note: If successful status will be \"complete\", otherwise \"none\" will\n      // restart the process.\n      request.body = challengeState.originalBody;\n    }\n\n    const getTokenOptions = requestToOptions(request);\n\n    const challenge = response.headers.get(\"WWW-Authenticate\");\n    if (!challenge) {\n      logger.warning(\n        \"keyVaultAuthentication policy encountered a 401 response without a corresponding WWW-Authenticate header. This is unexpected. Not handling the 401 response.\",\n      );\n      return response;\n    }\n    const parsedChallenge: WWWAuthenticate = parseWWWAuthenticateHeader(challenge);\n\n    const scope = parsedChallenge.resource\n      ? parsedChallenge.resource + \"/.default\"\n      : parsedChallenge.scope;\n\n    if (!scope) {\n      // Cannot handle this kind of challenge here (if scope is not present, may be a CAE challenge)\n      return response;\n    }\n\n    if (!disableChallengeResourceVerification) {\n      verifyChallengeResource(scope, request);\n    }\n\n    const accessToken = await getAccessToken([scope], {\n      ...getTokenOptions,\n      enableCae: true,\n      tenantId: parsedChallenge.tenantId,\n    });\n\n    if (!accessToken) {\n      // No access token provided, treat as no-op\n      return response;\n    }\n\n    request.headers.set(\"Authorization\", `Bearer ${accessToken.token}`);\n\n    challengeState = {\n      status: \"complete\",\n      scopes: [scope],\n      tenantId: parsedChallenge.tenantId,\n    };\n\n    // We have a token now, so try send the request again\n    return next(request);\n  }\n\n  async function handleCaeChallenge(\n    request: PipelineRequest,\n    response: PipelineResponse,\n    next: SendRequest,\n  ): Promise<PipelineResponse> {\n    // Cannot handle CAE challenge if a regular challenge has not been completed first\n    if (challengeState.status !== \"complete\") {\n      return response;\n    }\n\n    // If status is not 401, this is a no-op\n    if (response.status !== 401) {\n      return response;\n    }\n\n    const getTokenOptions = requestToOptions(request);\n\n    const challenge = response.headers.get(\"WWW-Authenticate\");\n    if (!challenge) {\n      return response;\n    }\n    const { claims: base64EncodedClaims, error }: WWWAuthenticate =\n      parseWWWAuthenticateHeader(challenge);\n\n    if (error !== \"insufficient_claims\" || base64EncodedClaims === undefined) {\n      return response;\n    }\n\n    const claims = atob(base64EncodedClaims);\n\n    const accessToken = await getAccessToken(challengeState.scopes, {\n      ...getTokenOptions,\n      enableCae: true,\n      tenantId: challengeState.tenantId,\n      claims,\n    });\n\n    request.headers.set(\"Authorization\", `Bearer ${accessToken.token}`);\n\n    return next(request);\n  }\n\n  async function sendRequest(\n    request: PipelineRequest,\n    next: SendRequest,\n  ): Promise<PipelineResponse> {\n    // Add token if possible\n    await authorizeRequest(request);\n\n    // Try send request (first attempt)\n    let response = await next(request);\n\n    // Handle standard challenge if present\n    response = await handleChallenge(request, response, next);\n\n    // Handle CAE challenge if present\n    response = await handleCaeChallenge(request, response, next);\n\n    return response;\n  }\n\n  return {\n    name: keyVaultAuthenticationPolicyName,\n    sendRequest,\n  };\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAWA,kCAA2C;AAG3C,yBAAkC;AAClC,oBAAuB;AAwCvB,SAAS,wBAAwB,OAAe,SAAgC;AAC9E,MAAI;AACJ,MAAI;AACF,iBAAa,IAAI,IAAI,KAAK;AAAA,EAC5B,SAAS,GAAG;AACV,UAAM,IAAI,MAAM,yCAAyC,KAAK,GAAG;AAAA,EACnE;AAEA,QAAM,aAAa,IAAI,IAAI,QAAQ,GAAG;AAEtC,MAAI,CAAC,WAAW,SAAS,SAAS,IAAI,WAAW,QAAQ,EAAE,GAAG;AAC5D,UAAM,IAAI;AAAA,MACR,2BAA2B,WAAW,QAAQ;AAAA,IAChD;AAAA,EACF;AACF;AAKO,MAAM,mCAAmC;AAezC,SAAS,6BACd,YACA,UAA+C,CAAC,GAChC;AAChB,QAAM,EAAE,qCAAqC,IAAI;AACjD,MAAI,iBAAiC,EAAE,QAAQ,OAAO;AACtD,QAAM,qBAAiB,sCAAkB,UAAU;AAEnD,WAAS,iBAAiB,SAA2C;AACnE,WAAO;AAAA,MACL,aAAa,QAAQ;AAAA,MACrB,gBAAgB;AAAA,QACd,SAAS,QAAQ,UAAU,IAAI,QAAQ,UAAU;AAAA,MACnD;AAAA,MACA,gBAAgB,QAAQ;AAAA,IAC1B;AAAA,EACF;AAEA,iBAAe,iBAAiB,SAAyC;AACvE,UAAM,iBAAkC,iBAAiB,OAAO;AAEhE,YAAQ,eAAe,QAAQ;AAAA,MAC7B,KAAK;AACH,yBAAiB;AAAA,UACf,QAAQ;AAAA,UACR,cAAc,QAAQ;AAAA,QACxB;AACA,gBAAQ,OAAO;AACf;AAAA,MACF,KAAK;AACH;AAAA;AAAA,MACF,KAAK,YAAY;AACf,cAAM,QAAQ,MAAM,eAAe,eAAe,QAAQ;AAAA,UACxD,GAAG;AAAA,UACH,WAAW;AAAA,UACX,UAAU,eAAe;AAAA,QAC3B,CAAC;AACD,YAAI,OAAO;AACT,kBAAQ,QAAQ,IAAI,iBAAiB,UAAU,MAAM,KAAK,EAAE;AAAA,QAC9D;AACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,iBAAe,gBACb,SACA,UACA,MAC2B;AAE3B,QAAI,SAAS,WAAW,KAAK;AAC3B,aAAO;AAAA,IACT;AAEA,QAAI,QAAQ,SAAS,QAAQ,eAAe,WAAW,WAAW;AAIhE,cAAQ,OAAO,eAAe;AAAA,IAChC;AAEA,UAAM,kBAAkB,iBAAiB,OAAO;AAEhD,UAAM,YAAY,SAAS,QAAQ,IAAI,kBAAkB;AACzD,QAAI,CAAC,WAAW;AACd,2BAAO;AAAA,QACL;AAAA,MACF;AACA,aAAO;AAAA,IACT;AACA,UAAM,sBAAmC,wDAA2B,SAAS;AAE7E,UAAM,QAAQ,gBAAgB,WAC1B,gBAAgB,WAAW,cAC3B,gBAAgB;AAEpB,QAAI,CAAC,OAAO;AAEV,aAAO;AAAA,IACT;AAEA,QAAI,CAAC,sCAAsC;AACzC,8BAAwB,OAAO,OAAO;AAAA,IACxC;AAEA,UAAM,cAAc,MAAM,eAAe,CAAC,KAAK,GAAG;AAAA,MAChD,GAAG;AAAA,MACH,WAAW;AAAA,MACX,UAAU,gBAAgB;AAAA,IAC5B,CAAC;AAED,QAAI,CAAC,aAAa;AAEhB,aAAO;AAAA,IACT;AAEA,YAAQ,QAAQ,IAAI,iBAAiB,UAAU,YAAY,KAAK,EAAE;AAElE,qBAAiB;AAAA,MACf,QAAQ;AAAA,MACR,QAAQ,CAAC,KAAK;AAAA,MACd,UAAU,gBAAgB;AAAA,IAC5B;AAGA,WAAO,KAAK,OAAO;AAAA,EACrB;AAEA,iBAAe,mBACb,SACA,UACA,MAC2B;AAE3B,QAAI,eAAe,WAAW,YAAY;AACxC,aAAO;AAAA,IACT;AAGA,QAAI,SAAS,WAAW,KAAK;AAC3B,aAAO;AAAA,IACT;AAEA,UAAM,kBAAkB,iBAAiB,OAAO;AAEhD,UAAM,YAAY,SAAS,QAAQ,IAAI,kBAAkB;AACzD,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,IACT;AACA,UAAM,EAAE,QAAQ,qBAAqB,MAAM,QACzC,wDAA2B,SAAS;AAEtC,QAAI,UAAU,yBAAyB,wBAAwB,QAAW;AACxE,aAAO;AAAA,IACT;AAEA,UAAM,SAAS,KAAK,mBAAmB;AAEvC,UAAM,cAAc,MAAM,eAAe,eAAe,QAAQ;AAAA,MAC9D,GAAG;AAAA,MACH,WAAW;AAAA,MACX,UAAU,eAAe;AAAA,MACzB;AAAA,IACF,CAAC;AAED,YAAQ,QAAQ,IAAI,iBAAiB,UAAU,YAAY,KAAK,EAAE;AAElE,WAAO,KAAK,OAAO;AAAA,EACrB;AAEA,iBAAe,YACb,SACA,MAC2B;AAE3B,UAAM,iBAAiB,OAAO;AAG9B,QAAI,WAAW,MAAM,KAAK,OAAO;AAGjC,eAAW,MAAM,gBAAgB,SAAS,UAAU,IAAI;AAGxD,eAAW,MAAM,mBAAmB,SAAS,UAAU,IAAI;AAE3D,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL,MAAM;AAAA,IACN;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/commonjs/logger.js

@@ -1,8 +1,24 @@
-"use strict";
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.logger = void 0;
-const logger_1 = require("@azure/logger");
-exports.logger = (0, logger_1.createClientLogger)("keyvault-common");
-//# sourceMappingURL=logger.js.map
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var logger_exports = {};
+__export(logger_exports, {
+  logger: () => logger
+});
+module.exports = __toCommonJS(logger_exports);
+var import_logger = require("@azure/logger");
+const logger = (0, import_logger.createClientLogger)("keyvault-common");

package/dist/commonjs/logger.js.map

@@ -1 +1,7 @@
-{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/logger.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAElC,0CAAmD;AAEtC,QAAA,MAAM,GAAG,IAAA,2BAAkB,EAAC,iBAAiB,CAAC,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport { createClientLogger } from \"@azure/logger\";\n\nexport const logger = createClientLogger(\"keyvault-common\");\n"]}
+{
+  "version": 3,
+  "sources": ["/mnt/vss/_work/1/s/sdk/keyvault/keyvault-common/src/logger.ts"],
+  "sourcesContent": ["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport { createClientLogger } from \"@azure/logger\";\n\nexport const logger = createClientLogger(\"keyvault-common\");\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,oBAAmC;AAE5B,MAAM,aAAS,kCAAmB,iBAAiB;",
+  "names": []
+}