@botparty/sdk 0.0.30 → 0.0.34
- package/dist/index.cjs +2 -2
- package/dist/index.d.cts +8 -3
- package/dist/index.d.ts +8 -3
- package/dist/index.js +2 -2
- package/package.json +1 -1
package/dist/index.cjs
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
"use strict";var re=Object.defineProperty;var Xe=Object.getOwnPropertyDescriptor;var qe=Object.getOwnPropertyNames;var ze=Object.prototype.hasOwnProperty;var Qe=(t,e)=>{for(var r in e)re(t,r,{get:e[r],enumerable:!0})},Ze=(t,e,r,s)=>{if(e&&typeof e=="object"||typeof e=="function")for(let n of qe(e))!ze.call(t,n)&&n!==r&&re(t,n,{get:()=>e[n],enumerable:!(s=Xe(e,n))||s.enumerable});return t};var et=t=>Ze(re({},"__esModule",{value:!0}),t);var Mt={};Qe(Mt,{BotPartyClient:()=>ee,BotPartyError:()=>u,InsufficientPermissionError:()=>q,Key:()=>Q,KeyManager:()=>Z,LinkRequiredError:()=>z,NamespaceLockedError:()=>V,PaymentRequiredError:()=>X,botpartyFetch:()=>Bt});module.exports=et(Mt);var U=new TextEncoder,N=new TextDecoder,Gt=2**32;function Ae(...t){let e=t.reduce((n,{length:i})=>n+i,0),r=new Uint8Array(e),s=0;for(let n of t)r.set(n,s),s+=n.length;return r}function L(t){let e=new Uint8Array(t.length);for(let r=0;r<t.length;r++){let s=t.charCodeAt(r);if(s>127)throw new TypeError("non-ASCII string encountered in encode()");e[r]=s}return e}function W(t){if(Uint8Array.prototype.toBase64)return t.toBase64();let e=32768,r=[];for(let s=0;s<t.length;s+=e)r.push(String.fromCharCode.apply(null,t.subarray(s,s+e)));return btoa(r.join(""))}function J(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(t);let e=atob(t),r=new Uint8Array(e.length);for(let s=0;s<e.length;s++)r[s]=e.charCodeAt(s);return r}function be(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof t=="string"?t:N.decode(t),{alphabet:"base64url"});let e=t;e instanceof Uint8Array&&(e=N.decode(e)),e=e.replace(/-/g,"+").replace(/_/g,"/");try{return J(e)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function H(t){let e=t;return typeof e=="string"&&(e=U.encode(e)),Uint8Array.prototype.toBase64?e.toBase64({alphabet:"base64url",omitPadding:!0}):W(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var y=(t,e="algorithm.name")=>new TypeError(`CryptoKey does not support this 
operation, its ${e} must be ${t}`),b=(t,e)=>t.name===e;function tt(t){return parseInt(t.name.slice(4),10)}function se(t,e){if(tt(t.hash)!==e)throw y(`SHA-${e}`,"algorithm.hash")}function rt(t){switch(t){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function st(t,e){if(e&&!t.usages.includes(e))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${e}.`)}function xe(t,e,r){switch(e){case"HS256":case"HS384":case"HS512":{if(!b(t.algorithm,"HMAC"))throw y("HMAC");se(t.algorithm,parseInt(e.slice(2),10));break}case"RS256":case"RS384":case"RS512":{if(!b(t.algorithm,"RSASSA-PKCS1-v1_5"))throw y("RSASSA-PKCS1-v1_5");se(t.algorithm,parseInt(e.slice(2),10));break}case"PS256":case"PS384":case"PS512":{if(!b(t.algorithm,"RSA-PSS"))throw y("RSA-PSS");se(t.algorithm,parseInt(e.slice(2),10));break}case"Ed25519":case"EdDSA":{if(!b(t.algorithm,"Ed25519"))throw y("Ed25519");break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{if(!b(t.algorithm,e))throw y(e);break}case"ES256":case"ES384":case"ES512":{if(!b(t.algorithm,"ECDSA"))throw y("ECDSA");let s=rt(e);if(t.algorithm.namedCurve!==s)throw y(s,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}st(t,r)}function Pe(t,e,...r){if(r=r.filter(Boolean),r.length>2){let s=r.pop();t+=`one of type ${r.join(", ")}, or ${s}.`}else r.length===2?t+=`one of type ${r[0]} or ${r[1]}.`:t+=`of type ${r[0]}.`;return e==null?t+=` Received ${e}`:typeof e=="function"&&e.name?t+=` Received function ${e.name}`:typeof e=="object"&&e!=null&&e.constructor?.name&&(t+=` Received an instance of ${e.constructor.name}`),t}var $=(t,...e)=>Pe("Key must be ",t,...e),ne=(t,e,...r)=>Pe(`Key for the ${t} algorithm must be `,e,...r);var T=class extends Error{static 
code="ERR_JOSE_GENERIC";code="ERR_JOSE_GENERIC";constructor(e,r){super(e,r),this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}};var d=class extends T{static code="ERR_JOSE_NOT_SUPPORTED";code="ERR_JOSE_NOT_SUPPORTED"};var g=class extends T{static code="ERR_JWS_INVALID";code="ERR_JWS_INVALID"},B=class extends T{static code="ERR_JWT_INVALID";code="ERR_JWT_INVALID"};var v=t=>{if(t?.[Symbol.toStringTag]==="CryptoKey")return!0;try{return t instanceof CryptoKey}catch{return!1}},I=t=>t?.[Symbol.toStringTag]==="KeyObject",ie=t=>v(t)||I(t);var tr=Symbol();function oe(t,e){if(t)throw new TypeError(`${e} can only be called once`)}var nt=t=>typeof t=="object"&&t!==null;function ae(t){if(!nt(t)||Object.prototype.toString.call(t)!=="[object Object]")return!1;if(Object.getPrototypeOf(t)===null)return!0;let e=t;for(;Object.getPrototypeOf(e)!==null;)e=Object.getPrototypeOf(e);return Object.getPrototypeOf(t)===e}function Ke(...t){let e=t.filter(Boolean);if(e.length===0||e.length===1)return!0;let r;for(let s of e){let n=Object.keys(s);if(!r||r.size===0){r=new Set(n);continue}for(let i of n){if(r.has(i))return!1;r.add(i)}}return!0}var C=t=>ae(t)&&typeof t.kty=="string",Re=t=>t.kty!=="oct"&&(t.kty==="AKP"&&typeof t.priv=="string"||typeof t.d=="string"),Te=t=>t.kty!=="oct"&&t.d===void 0&&t.priv===void 0,ve=t=>t.kty==="oct"&&typeof t.k=="string";function ot(t,e){if(t.startsWith("RS")||t.startsWith("PS")){let{modulusLength:r}=e.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`)}}function at(t,e){let 
r=`SHA-${t.slice(-3)}`;switch(t){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:parseInt(t.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:e.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:t};default:throw new d(`alg ${t} is not supported either by JOSE or your javascript runtime`)}}async function ct(t,e,r){if(e instanceof Uint8Array){if(!t.startsWith("HS"))throw new TypeError($(e,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",e,{hash:`SHA-${t.slice(-3)}`,name:"HMAC"},!1,[r])}return xe(e,t,r),e}async function Ie(t,e,r){let s=await ct(t,e,"sign");ot(t,s);let n=await crypto.subtle.sign(at(t,s.algorithm),s,r);return new Uint8Array(n)}var M='Invalid or unsupported JWK "alg" (Algorithm) Parameter value';function pt(t){let e,r;switch(t.kty){case"AKP":{switch(t.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":e={name:t.alg},r=t.priv?["sign"]:["verify"];break;default:throw new d(M)}break}case"RSA":{switch(t.alg){case"PS256":case"PS384":case"PS512":e={name:"RSA-PSS",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":e={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":e={name:"RSA-OAEP",hash:`SHA-${parseInt(t.alg.slice(-3),10)||1}`},r=t.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new 
d(M)}break}case"EC":{switch(t.alg){case"ES256":case"ES384":case"ES512":e={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[t.alg]},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:"ECDH",namedCurve:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new d(M)}break}case"OKP":{switch(t.alg){case"Ed25519":case"EdDSA":e={name:"Ed25519"},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new d(M)}break}default:throw new d('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:e,keyUsages:r}}async function Ce(t){if(!t.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:e,keyUsages:r}=pt(t),s={...t};return s.kty!=="AKP"&&delete s.alg,delete s.use,crypto.subtle.importKey("jwk",s,e,t.ext??!(t.d||t.priv),t.key_ops??r)}var x="given KeyObject instance cannot be used for this algorithm",P,_e=async(t,e,r,s=!1)=>{P||=new WeakMap;let n=P.get(t);if(n?.[r])return n[r];let i=await Ce({...e,alg:r});return s&&Object.freeze(t),n?n[r]=i:P.set(t,{[r]:i}),i},dt=(t,e)=>{P||=new WeakMap;let r=P.get(t);if(r?.[e])return r[e];let s=t.type==="public",n=!!s,i;if(t.asymmetricKeyType==="x25519"){switch(e){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError(x)}i=t.toCryptoKey(t.asymmetricKeyType,n,s?[]:["deriveBits"])}if(t.asymmetricKeyType==="ed25519"){if(e!=="EdDSA"&&e!=="Ed25519")throw new TypeError(x);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}switch(t.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":{if(e!==t.asymmetricKeyType.toUpperCase())throw new TypeError(x);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}}if(t.asymmetricKeyType==="rsa"){let 
o;switch(e){case"RSA-OAEP":o="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":o="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":o="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":o="SHA-512";break;default:throw new TypeError(x)}if(e.startsWith("RSA-OAEP"))return t.toCryptoKey({name:"RSA-OAEP",hash:o},n,s?["encrypt"]:["decrypt"]);i=t.toCryptoKey({name:e.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:o},n,[s?"verify":"sign"])}if(t.asymmetricKeyType==="ec"){let a=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(t.asymmetricKeyDetails?.namedCurve);if(!a)throw new TypeError(x);let c={ES256:"P-256",ES384:"P-384",ES512:"P-521"};c[e]&&a===c[e]&&(i=t.toCryptoKey({name:"ECDSA",namedCurve:a},n,[s?"verify":"sign"])),e.startsWith("ECDH-ES")&&(i=t.toCryptoKey({name:"ECDH",namedCurve:a},n,s?[]:["deriveBits"]))}if(!i)throw new TypeError(x);return r?r[e]=i:P.set(t,{[e]:i}),i};async function De(t,e){if(t instanceof Uint8Array||v(t))return t;if(I(t)){if(t.type==="secret")return t.export();if("toCryptoKey"in t&&typeof t.toCryptoKey=="function")try{return dt(t,e)}catch(s){if(s instanceof TypeError)throw s}let r=t.export({format:"jwk"});return _e(t,r,e)}if(C(t))return t.k?be(t.k):_e(t,t,e,!0);throw new Error("unreachable")}var ut=(t,e)=>{let r=(t.match(/.{1,64}/g)||[]).join(`
|
|
1
|
+
"use strict";var ne=Object.defineProperty;var Qe=Object.getOwnPropertyDescriptor;var Ze=Object.getOwnPropertyNames;var et=Object.prototype.hasOwnProperty;var tt=(t,e)=>{for(var r in e)ne(t,r,{get:e[r],enumerable:!0})},rt=(t,e,r,s)=>{if(e&&typeof e=="object"||typeof e=="function")for(let n of Ze(e))!et.call(t,n)&&n!==r&&ne(t,n,{get:()=>e[n],enumerable:!(s=Qe(e,n))||s.enumerable});return t};var st=t=>rt(ne({},"__esModule",{value:!0}),t);var Ft={};tt(Ft,{BotPartyClient:()=>se,BotPartyError:()=>u,InsufficientPermissionError:()=>W,Key:()=>te,KeyManager:()=>re,LinkRequiredError:()=>H,NamespaceLockedError:()=>Z,PaymentRequiredError:()=>ee,botpartyFetch:()=>Bt,toProxyUrl:()=>we});module.exports=st(Ft);var J=new TextEncoder,$=new TextDecoder,jt=2**32;function be(...t){let e=t.reduce((n,{length:i})=>n+i,0),r=new Uint8Array(e),s=0;for(let n of t)r.set(n,s),s+=n.length;return r}function M(t){let e=new Uint8Array(t.length);for(let r=0;r<t.length;r++){let s=t.charCodeAt(r);if(s>127)throw new TypeError("non-ASCII string encountered in encode()");e[r]=s}return e}function B(t){if(Uint8Array.prototype.toBase64)return t.toBase64();let e=32768,r=[];for(let s=0;s<t.length;s+=e)r.push(String.fromCharCode.apply(null,t.subarray(s,s+e)));return btoa(r.join(""))}function F(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(t);let e=atob(t),r=new Uint8Array(e.length);for(let s=0;s<e.length;s++)r[s]=e.charCodeAt(s);return r}function xe(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof t=="string"?t:$.decode(t),{alphabet:"base64url"});let e=t;e instanceof Uint8Array&&(e=$.decode(e)),e=e.replace(/-/g,"+").replace(/_/g,"/");try{return F(e)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function G(t){let e=t;return typeof e=="string"&&(e=J.encode(e)),Uint8Array.prototype.toBase64?e.toBase64({alphabet:"base64url",omitPadding:!0}):B(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var E=(t,e="algorithm.name")=>new TypeError(`CryptoKey 
does not support this operation, its ${e} must be ${t}`),K=(t,e)=>t.name===e;function nt(t){return parseInt(t.name.slice(4),10)}function ie(t,e){if(nt(t.hash)!==e)throw E(`SHA-${e}`,"algorithm.hash")}function it(t){switch(t){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function ot(t,e){if(e&&!t.usages.includes(e))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${e}.`)}function Pe(t,e,r){switch(e){case"HS256":case"HS384":case"HS512":{if(!K(t.algorithm,"HMAC"))throw E("HMAC");ie(t.algorithm,parseInt(e.slice(2),10));break}case"RS256":case"RS384":case"RS512":{if(!K(t.algorithm,"RSASSA-PKCS1-v1_5"))throw E("RSASSA-PKCS1-v1_5");ie(t.algorithm,parseInt(e.slice(2),10));break}case"PS256":case"PS384":case"PS512":{if(!K(t.algorithm,"RSA-PSS"))throw E("RSA-PSS");ie(t.algorithm,parseInt(e.slice(2),10));break}case"Ed25519":case"EdDSA":{if(!K(t.algorithm,"Ed25519"))throw E("Ed25519");break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{if(!K(t.algorithm,e))throw E(e);break}case"ES256":case"ES384":case"ES512":{if(!K(t.algorithm,"ECDSA"))throw E("ECDSA");let s=it(e);if(t.algorithm.namedCurve!==s)throw E(s,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}ot(t,r)}function Ke(t,e,...r){if(r=r.filter(Boolean),r.length>2){let s=r.pop();t+=`one of type ${r.join(", ")}, or ${s}.`}else r.length===2?t+=`one of type ${r[0]} or ${r[1]}.`:t+=`of type ${r[0]}.`;return e==null?t+=` Received ${e}`:typeof e=="function"&&e.name?t+=` Received function ${e.name}`:typeof e=="object"&&e!=null&&e.constructor?.name&&(t+=` Received an instance of ${e.constructor.name}`),t}var j=(t,...e)=>Ke("Key must be ",t,...e),oe=(t,e,...r)=>Ke(`Key for the ${t} algorithm must be `,e,...r);var I=class extends Error{static 
code="ERR_JOSE_GENERIC";code="ERR_JOSE_GENERIC";constructor(e,r){super(e,r),this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}};var d=class extends I{static code="ERR_JOSE_NOT_SUPPORTED";code="ERR_JOSE_NOT_SUPPORTED"};var S=class extends I{static code="ERR_JWS_INVALID";code="ERR_JWS_INVALID"},Y=class extends I{static code="ERR_JWT_INVALID";code="ERR_JWT_INVALID"};var C=t=>{if(t?.[Symbol.toStringTag]==="CryptoKey")return!0;try{return t instanceof CryptoKey}catch{return!1}},_=t=>t?.[Symbol.toStringTag]==="KeyObject",ae=t=>C(t)||_(t);var rr=Symbol();function ce(t,e){if(t)throw new TypeError(`${e} can only be called once`)}var at=t=>typeof t=="object"&&t!==null;function pe(t){if(!at(t)||Object.prototype.toString.call(t)!=="[object Object]")return!1;if(Object.getPrototypeOf(t)===null)return!0;let e=t;for(;Object.getPrototypeOf(e)!==null;)e=Object.getPrototypeOf(e);return Object.getPrototypeOf(t)===e}function Re(...t){let e=t.filter(Boolean);if(e.length===0||e.length===1)return!0;let r;for(let s of e){let n=Object.keys(s);if(!r||r.size===0){r=new Set(n);continue}for(let i of n){if(r.has(i))return!1;r.add(i)}}return!0}var D=t=>pe(t)&&typeof t.kty=="string",Te=t=>t.kty!=="oct"&&(t.kty==="AKP"&&typeof t.priv=="string"||typeof t.d=="string"),ve=t=>t.kty!=="oct"&&t.d===void 0&&t.priv===void 0,Ie=t=>t.kty==="oct"&&typeof t.k=="string";function pt(t,e){if(t.startsWith("RS")||t.startsWith("PS")){let{modulusLength:r}=e.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`)}}function dt(t,e){let 
r=`SHA-${t.slice(-3)}`;switch(t){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:parseInt(t.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:e.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:t};default:throw new d(`alg ${t} is not supported either by JOSE or your javascript runtime`)}}async function ut(t,e,r){if(e instanceof Uint8Array){if(!t.startsWith("HS"))throw new TypeError(j(e,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",e,{hash:`SHA-${t.slice(-3)}`,name:"HMAC"},!1,[r])}return Pe(e,t,r),e}async function Ce(t,e,r){let s=await ut(t,e,"sign");pt(t,s);let n=await crypto.subtle.sign(dt(t,s.algorithm),s,r);return new Uint8Array(n)}var X='Invalid or unsupported JWK "alg" (Algorithm) Parameter value';function lt(t){let e,r;switch(t.kty){case"AKP":{switch(t.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":e={name:t.alg},r=t.priv?["sign"]:["verify"];break;default:throw new d(X)}break}case"RSA":{switch(t.alg){case"PS256":case"PS384":case"PS512":e={name:"RSA-PSS",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":e={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":e={name:"RSA-OAEP",hash:`SHA-${parseInt(t.alg.slice(-3),10)||1}`},r=t.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new 
d(X)}break}case"EC":{switch(t.alg){case"ES256":case"ES384":case"ES512":e={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[t.alg]},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:"ECDH",namedCurve:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new d(X)}break}case"OKP":{switch(t.alg){case"Ed25519":case"EdDSA":e={name:"Ed25519"},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new d(X)}break}default:throw new d('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:e,keyUsages:r}}async function _e(t){if(!t.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:e,keyUsages:r}=lt(t),s={...t};return s.kty!=="AKP"&&delete s.alg,delete s.use,crypto.subtle.importKey("jwk",s,e,t.ext??!(t.d||t.priv),t.key_ops??r)}var R="given KeyObject instance cannot be used for this algorithm",T,De=async(t,e,r,s=!1)=>{T||=new WeakMap;let n=T.get(t);if(n?.[r])return n[r];let i=await _e({...e,alg:r});return s&&Object.freeze(t),n?n[r]=i:T.set(t,{[r]:i}),i},ft=(t,e)=>{T||=new WeakMap;let r=T.get(t);if(r?.[e])return r[e];let s=t.type==="public",n=!!s,i;if(t.asymmetricKeyType==="x25519"){switch(e){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError(R)}i=t.toCryptoKey(t.asymmetricKeyType,n,s?[]:["deriveBits"])}if(t.asymmetricKeyType==="ed25519"){if(e!=="EdDSA"&&e!=="Ed25519")throw new TypeError(R);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}switch(t.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":{if(e!==t.asymmetricKeyType.toUpperCase())throw new TypeError(R);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}}if(t.asymmetricKeyType==="rsa"){let 
o;switch(e){case"RSA-OAEP":o="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":o="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":o="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":o="SHA-512";break;default:throw new TypeError(R)}if(e.startsWith("RSA-OAEP"))return t.toCryptoKey({name:"RSA-OAEP",hash:o},n,s?["encrypt"]:["decrypt"]);i=t.toCryptoKey({name:e.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:o},n,[s?"verify":"sign"])}if(t.asymmetricKeyType==="ec"){let a=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(t.asymmetricKeyDetails?.namedCurve);if(!a)throw new TypeError(R);let c={ES256:"P-256",ES384:"P-384",ES512:"P-521"};c[e]&&a===c[e]&&(i=t.toCryptoKey({name:"ECDSA",namedCurve:a},n,[s?"verify":"sign"])),e.startsWith("ECDH-ES")&&(i=t.toCryptoKey({name:"ECDH",namedCurve:a},n,s?[]:["deriveBits"]))}if(!i)throw new TypeError(R);return r?r[e]=i:T.set(t,{[e]:i}),i};async function Ue(t,e){if(t instanceof Uint8Array||C(t))return t;if(_(t)){if(t.type==="secret")return t.export();if("toCryptoKey"in t&&typeof t.toCryptoKey=="function")try{return ft(t,e)}catch(s){if(s instanceof TypeError)throw s}let r=t.export({format:"jwk"});return De(t,r,e)}if(D(t))return t.k?xe(t.k):De(t,t,e,!0);throw new Error("unreachable")}var ht=(t,e)=>{let r=(t.match(/.{1,64}/g)||[]).join(`
|
|
2
2
|
`);return`-----BEGIN ${e}-----
|
|
3
3
|
${r}
|
|
4
|
-
-----END ${e}-----`},Oe=async(t,e,r)=>{if(I(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!v(r))throw new TypeError($(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return ut(W(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},ke=t=>Oe("public","spki",t),Ue=t=>Oe("private","pkcs8",t),ce=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},lt=t=>({data:t,pos:0}),_=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var D=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},Ne=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},ft=t=>{D(t,6,"Expected algorithm OID");let e=_(t);return Ne(t,e)};function ht(t){D(t,48,"Invalid PKCS#8 structure"),_(t),D(t,2,"Expected version field");let e=_(t);t.pos+=e,D(t,48,"Expected algorithm identifier");let r=_(t);return{algIdStart:t.pos,algIdLength:r}}var mt=t=>{let e=ft(t);if(ce(e,[43,101,110]))return"X25519";if(!ce(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");D(t,6,"Expected curve OID");let r=_(t),s=Ne(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(ce(s,i))return n;throw new Error("Unsupported named curve")},yt=async(t,e,r,s)=>{let 
n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let p=s.getNamedCurve(e);n=p==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:p}}catch{throw new d("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new d('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},gt=(t,e)=>J(t.replace(e,"")),Le=(t,e,r)=>{let s=gt(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=lt(i);return ht(o),mt(o)}),yt("pkcs8",s,e,n)};async function F(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return Le(t,e,r)}async function pe(t){return ke(t)}async function de(t){return Ue(t)}function We(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of 
s.crit){if(!i.has(o))throw new d(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var K=t=>t?.[Symbol.toStringTag],ue=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},Et=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(C(e)){if(ve(e)&&ue(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!ie(e))throw new TypeError(ne(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${K(e)} instances for symmetric algorithms must be of type "secret"`)}},St=(t,e,r)=>{if(C(e))switch(r){case"decrypt":case"sign":if(Re(e)&&ue(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(Te(e)&&ue(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!ie(e))throw new 
TypeError(ne(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${K(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${K(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${K(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${K(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${K(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function Je(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":Et(t,e,r);break;default:St(t,e,r)}}var E=t=>Math.floor(t.getTime()/1e3),He=60,$e=He*60,fe=$e*24,wt=fe*7,At=fe*365.25,bt=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function le(t){let e=bt.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*He);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*$e);break;case"day":case"days":case"d":n=Math.round(r*fe);break;case"week":case"weeks":case"w":n=Math.round(r*wt);break;default:n=Math.round(r*At);break}return e[1]==="-"||e[4]==="ago"?-n:n}function S(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var G=class{#e;constructor(e){if(!ae(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return U.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return 
this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=S("setNotBefore",e):e instanceof Date?this.#e.nbf=S("setNotBefore",E(e)):this.#e.nbf=E(new Date)+le(e)}set exp(e){typeof e=="number"?this.#e.exp=S("setExpirationTime",e):e instanceof Date?this.#e.exp=S("setExpirationTime",E(e)):this.#e.exp=E(new Date)+le(e)}set iat(e){e===void 0?this.#e.iat=E(new Date):e instanceof Date?this.#e.iat=S("setIssuedAt",E(e)):typeof e=="string"?this.#e.iat=S("setIssuedAt",E(new Date)+le(e)):this.#e.iat=S("setIssuedAt",e)}};var w=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return oe(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return oe(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new g("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Ke(this.#t,this.#r))throw new g("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=We(g,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new g('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new g('JWS "alg" (Algorithm) Header Parameter missing or invalid');Je(o,e,"sign");let a,c;i?(a=H(this.#e),c=L(a)):(c=this.#e,a="");let p,m;this.#t?(p=H(JSON.stringify(this.#t)),m=L(p)):(p="",m=new Uint8Array);let k=Ae(m,L("."),c),te=await De(e,o),R=await Ie(o,te,k),f={signature:H(R),payload:a};return this.#r&&(f.header=this.#r),this.#t&&(f.protected=p),f}};var j=class{#e;constructor(e){this.#e=new w(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: 
false");return`${s.protected}.${s.payload}.${s.signature}`}};var O=class{#e;#t;constructor(e={}){this.#t=new G(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new j(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new B("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function he(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new d("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function me(t,e){let r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:he(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:he(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:he(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let 
n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new d("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new d('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}var l=require("node:fs"),A=require("node:path"),Fe=require("node:os"),we=require("node:crypto"),Pt="https://id.botparty.club",Kt="EdDSA",Rt=15,Tt=6e4,vt="5m",It=3,Ct=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],_t=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],u=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},V=class extends u{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},X=class extends u{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},q=class extends 
u{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},z=class extends u{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function Be(t){let e=(0,we.randomBytes)(4);return t[e.readUInt32BE(0)%t.length]}function Dt(){return`${Be(Ct)}-${Be(_t)}`}function Ot(){let t=Dt(),e=(0,we.randomBytes)(2).toString("hex");return`${t}-${e}`}function kt(){return(0,A.join)((0,Fe.homedir)(),".botparty")}function Ge(t){(0,l.existsSync)(t)||(0,l.mkdirSync)(t,{recursive:!0,mode:448})}function Ut(t){let e=(0,A.join)(t,"identity.json");if(!(0,l.existsSync)(e))return null;try{return JSON.parse((0,l.readFileSync)(e,"utf-8"))}catch{return null}}function je(t,e){Ge(t);let r=(0,A.join)(t,"identity.json");(0,l.writeFileSync)(r,JSON.stringify(e,null,2),{mode:384})}function Nt(t){let e=(0,A.join)(t,"private.pem");if(!(0,l.existsSync)(e))return null;try{return(0,l.readFileSync)(e,"utf-8")}catch{return null}}function Ye(t,e){Ge(t);let r=(0,A.join)(t,"private.pem");(0,l.writeFileSync)(r,e,{mode:384})}function Me(t){for(let e of["identity.json","private.pem"]){let r=(0,A.join)(t,e);(0,l.existsSync)(r)&&(0,l.unlinkSync)(r)}}async function Ve(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await me(t,e),n=await de(r),i=await pe(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async function Lt(t,e,r){let s=await F(e,r);return(await new w(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function Se(t,e,r,s,n){let i=s,o=await F(r,i);return new O({...n}).setProtectedHeader({alg:i,kid:e}).setIssuer(t).setSubject(t).setIssuedAt().setExpirationTime(vt).sign(o)}async function h(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return 
i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}async function ye(t){try{return await t.clone().json()}catch{return null}}function Y(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl,i=o}else r=(typeof e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl,i=t;return{code:r,message:s,actionUrl:n,extra:i}}var Q=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},Z=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await h(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new u({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await h(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await h(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async delete(e){let r=await this.client.generateToken(),s=await h(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await this.client._apiError(s)}async rotate(e){let 
r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new u({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let i=await Ve(r.algorithm),o=await Se(r.namespace,r.keyId,s,r.algorithm),a=await h(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return Ye(this.client.stateDir,i.privatePem),je(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await h(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await this.client._apiError(n)}},ee=class{serverUrl;stateDir;keys;algorithm;rotationTTL;inviteToken;constructor(e={}){this.serverUrl=(e.serverUrl||Ee("BOTPARTY_SERVER_URL")||Pt).replace(/\/$/,""),this.stateDir=e.stateDir||Ee("BOTPARTY_STATE_DIR")||kt(),this.algorithm=e.algorithm||Kt,this.rotationTTL=e.rotationTTL||Rt,this.inviteToken=e.inviteToken||Ee("BOTPARTY_INVITE_TOKEN"),this.keys=new Z(this)}getIdentity(){return Ut(this.stateDir)}getPrivateKey(){return Nt(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken;for(;i<It;){n||(n=Ot());let a=r||n,c=await Ve(this.algorithm),p=await h(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:c.publicPem,rotationTTL:this.rotationTTL,...o&&{inviteToken:o}})}),m=await p.json();if(m.status==="already_registered")throw new u({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already 
registered`,statusCode:409});if(p.status===409&&!e){n=void 0,i++;continue}if(!p.ok)throw new u({code:m.error||"REGISTRATION_FAILED",message:m.message||m.error||"Registration failed",statusCode:p.status});let k=m.challenge,te=await Lt(k,c.privatePem,this.algorithm),R=await h(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:k,signature:te})});if(!R.ok)throw await this._apiError(R);let f=await R.json();return Ye(this.stateDir,c.privatePem),je(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:f.keyId,algorithm:this.algorithm,rotatedAt:f.rotatedAt,rotationTTL:f.rotationTTL,label:a,...f.parentNamespace&&{parentNamespace:f.parentNamespace},...f.inheritedScopes&&{inheritedScopes:f.inheritedScopes}}),f}throw new u({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;await this.register(void 0,void 0,{inviteToken:this.inviteToken});let r=this.getIdentity();if(!r)throw new Error("Registration succeeded but identity could not be read");return r}async ensureFreshKey(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;Date.now()>=s-Tt&&await this.keys.rotateCurrent()}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey();return Se(r.namespace,r.keyId,s,r.algorithm,e)}async fetch(e,r={}){let s=await this.generateToken(),n=new Headers(r.headers);n.set("X-Proxy-Authorization",`Bearer ${s}`);let i=await fetch(e,{...r,headers:n});if(i.status===401){let o=await ye(i);if(o){let{code:a}=Y(o);if(a==="KEY_STALE"){await this.keys.rotateCurrent();let c=await this.generateToken(),p=new Headers(r.headers);p.set("X-Proxy-Authorization",`Bearer ${c}`),i=await fetch(e,{...r,headers:p})}}}if([401,402,403,423].includes(i.status)){let o=await 
ye(i);if(o){let{code:a}=Y(o);Jt(a)&&Ht(i.status,o,this.getIdentity(),this.serverUrl)}}return i}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace provided");let s=await h(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await h(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);Me(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await Se(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl}}key(e){return new Q(this,e)}reset(){Me(this.stateDir)}async _apiError(e){let r=await ye(e);if(!r)return new u({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=Y(r);return new u({code:s,message:n,statusCode:e.status,actionUrl:i})}},Wt=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Jt(t){return Wt.has(t)}function Ht(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=Y(e),c=r?.namespace||"",p=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new V({message:i||"Namespace is locked",actionUrl:o||`${p}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new 
X({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new z({message:i,actionUrl:o||`${p}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new q({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new u({code:n,message:i,statusCode:t,actionUrl:o})}var ge=null;function $t(t){return ge||(ge=new ee(t)),ge}async function Bt(t,e={}){let{serverUrl:r,stateDir:s,...n}=e;return $t({serverUrl:r,stateDir:s}).fetch(t,n)}function Ee(t){if(typeof process<"u"&&process.env)return process.env[t]}0&&(module.exports={BotPartyClient,BotPartyError,InsufficientPermissionError,Key,KeyManager,LinkRequiredError,NamespaceLockedError,PaymentRequiredError,botpartyFetch});
|
|
4
|
+
-----END ${e}-----`},Oe=async(t,e,r)=>{if(_(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!C(r))throw new TypeError(j(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return ht(B(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},ke=t=>Oe("public","spki",t),Ne=t=>Oe("private","pkcs8",t),de=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},mt=t=>({data:t,pos:0}),U=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var O=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},Le=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},yt=t=>{O(t,6,"Expected algorithm OID");let e=U(t);return Le(t,e)};function gt(t){O(t,48,"Invalid PKCS#8 structure"),U(t),O(t,2,"Expected version field");let e=U(t);t.pos+=e,O(t,48,"Expected algorithm identifier");let r=U(t);return{algIdStart:t.pos,algIdLength:r}}var Et=t=>{let e=yt(t);if(de(e,[43,101,110]))return"X25519";if(!de(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");O(t,6,"Expected curve OID");let r=U(t),s=Le(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(de(s,i))return n;throw new Error("Unsupported named curve")},St=async(t,e,r,s)=>{let 
n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let p=s.getNamedCurve(e);n=p==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:p}}catch{throw new d("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new d('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},wt=(t,e)=>F(t.replace(e,"")),We=(t,e,r)=>{let s=wt(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=mt(i);return gt(o),Et(o)}),St("pkcs8",s,e,n)};async function V(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return We(t,e,r)}async function ue(t){return ke(t)}async function le(t){return Ne(t)}function He(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of 
s.crit){if(!i.has(o))throw new d(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var v=t=>t?.[Symbol.toStringTag],fe=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},At=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(D(e)){if(Ie(e)&&fe(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!ae(e))throw new TypeError(oe(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${v(e)} instances for symmetric algorithms must be of type "secret"`)}},bt=(t,e,r)=>{if(D(e))switch(r){case"decrypt":case"sign":if(Te(e)&&fe(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(ve(e)&&fe(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!ae(e))throw new 
TypeError(oe(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${v(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${v(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${v(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${v(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${v(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function Je(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":At(t,e,r);break;default:bt(t,e,r)}}var A=t=>Math.floor(t.getTime()/1e3),$e=60,Me=$e*60,me=Me*24,xt=me*7,Pt=me*365.25,Kt=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function he(t){let e=Kt.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*$e);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*Me);break;case"day":case"days":case"d":n=Math.round(r*me);break;case"week":case"weeks":case"w":n=Math.round(r*xt);break;default:n=Math.round(r*Pt);break}return e[1]==="-"||e[4]==="ago"?-n:n}function b(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var q=class{#e;constructor(e){if(!pe(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return J.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return 
this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=b("setNotBefore",e):e instanceof Date?this.#e.nbf=b("setNotBefore",A(e)):this.#e.nbf=A(new Date)+he(e)}set exp(e){typeof e=="number"?this.#e.exp=b("setExpirationTime",e):e instanceof Date?this.#e.exp=b("setExpirationTime",A(e)):this.#e.exp=A(new Date)+he(e)}set iat(e){e===void 0?this.#e.iat=A(new Date):e instanceof Date?this.#e.iat=b("setIssuedAt",A(e)):typeof e=="string"?this.#e.iat=b("setIssuedAt",A(new Date)+he(e)):this.#e.iat=b("setIssuedAt",e)}};var x=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return ce(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return ce(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new S("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Re(this.#t,this.#r))throw new S("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=He(S,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new S('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new S('JWS "alg" (Algorithm) Header Parameter missing or invalid');Je(o,e,"sign");let a,c;i?(a=G(this.#e),c=M(a)):(c=this.#e,a="");let p,f;this.#t?(p=G(JSON.stringify(this.#t)),f=M(p)):(p="",f=new Uint8Array);let y=be(f,M("."),c),w=await Ue(e,o),g=await Ce(o,w,y),h={signature:G(g),payload:a};return this.#r&&(h.header=this.#r),this.#t&&(h.protected=p),h}};var z=class{#e;constructor(e){this.#e=new x(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: 
false");return`${s.protected}.${s.payload}.${s.signature}`}};var k=class{#e;#t;constructor(e={}){this.#t=new q(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new z(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new Y("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function ye(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new d("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function ge(t,e){let r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:ye(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:ye(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:ye(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let 
n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new d("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new d('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}var l=require("node:fs"),P=require("node:path"),Ye=require("node:os"),Ae=require("node:crypto"),Tt="https://id.botparty.club",vt="EdDSA",It=15,Ct=6e4,_t="5m",Dt=3,Ut=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],Ot=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],u=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},Z=class extends u{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},ee=class extends u{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},W=class extends 
u{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},H=class extends u{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function Be(t){let e=(0,Ae.randomBytes)(4);return t[e.readUInt32BE(0)%t.length]}function kt(){return`${Be(Ut)}-${Be(Ot)}`}function Nt(){let t=kt(),e=(0,Ae.randomBytes)(2).toString("hex");return`${t}-${e}`}function Lt(){return(0,P.join)((0,Ye.homedir)(),".botparty")}function Xe(t){(0,l.existsSync)(t)||(0,l.mkdirSync)(t,{recursive:!0,mode:448})}function Wt(t){let e=(0,P.join)(t,"identity.json");if(!(0,l.existsSync)(e))return null;try{return JSON.parse((0,l.readFileSync)(e,"utf-8"))}catch{return null}}function Ve(t,e){Xe(t);let r=(0,P.join)(t,"identity.json");(0,l.writeFileSync)(r,JSON.stringify(e,null,2),{mode:384})}function Ht(t){let e=(0,P.join)(t,"private.pem");if(!(0,l.existsSync)(e))return null;try{return(0,l.readFileSync)(e,"utf-8")}catch{return null}}function qe(t,e){Xe(t);let r=(0,P.join)(t,"private.pem");(0,l.writeFileSync)(r,e,{mode:384})}function Fe(t){for(let e of["identity.json","private.pem"]){let r=(0,P.join)(t,e);(0,l.existsSync)(r)&&(0,l.unlinkSync)(r)}}async function ze(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await ge(t,e),n=await le(r),i=await ue(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async function Jt(t,e,r){let s=await V(e,r);return(await new x(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function Se(t,e,r,s,n){let i=s,o=await V(r,i);return new k({...n}).setProtectedHeader({alg:i,kid:e}).setIssuer(t).setSubject(t).setIssuedAt().setExpirationTime(_t).sign(o)}async function m(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return 
i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}function we(t,e){try{let r=new URL(t),s=new URL(e);return r.hostname===s.hostname&&r.port===s.port&&r.protocol===s.protocol?t:`${e}/${r.hostname}${r.pathname}${r.search}`}catch{return`${e}/${t}`}}async function Q(t){try{return await t.clone().json()}catch{return null}}function L(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl||o.payTo||t.payTo,i=o}else r=(typeof e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl||t.payTo,i=t;return{code:r.toUpperCase(),message:s,actionUrl:n,extra:i}}var te=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},re=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await m(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new u({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await m(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await m(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async 
delete(e){let r=await this.client.generateToken(),s=await m(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await this.client._apiError(s)}async rotate(e){let r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new u({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let i=await ze(r.algorithm),o=await Se(r.namespace,r.keyId,s,r.algorithm),a=await m(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return qe(this.client.stateDir,i.privatePem),Ve(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await m(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await this.client._apiError(n)}},se=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;constructor(e={}){this.serverUrl=(e.serverUrl||N("BOTPARTY_SERVER_URL")||Tt).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||N("BOTPARTY_PROXY_URL")||N("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||N("BOTPARTY_STATE_DIR")||Lt(),this.algorithm=e.algorithm||vt,this.rotationTTL=e.rotationTTL||It,this.inviteToken=e.inviteToken||N("BOTPARTY_INVITE_TOKEN"),this.keys=new re(this)}getIdentity(){return Wt(this.stateDir)}getPrivateKey(){return Ht(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken;for(;i<Dt;){n||(n=Nt());let a=r||n,c=await 
ze(this.algorithm),p=await m(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:c.publicPem,rotationTTL:this.rotationTTL,...o&&{inviteToken:o}})}),f=await p.json();if(f.status==="already_registered")throw new u({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already registered`,statusCode:409});if(p.status===409&&!e){n=void 0,i++;continue}if(!p.ok)throw new u({code:f.error||"REGISTRATION_FAILED",message:f.message||f.error||"Registration failed",statusCode:p.status});let y=f.challenge,w=await Jt(y,c.privatePem,this.algorithm),g=await m(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:y,signature:w})});if(!g.ok)throw await this._apiError(g);let h=await g.json();return qe(this.stateDir,c.privatePem),Ve(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:h.keyId,algorithm:this.algorithm,rotatedAt:h.rotatedAt,rotationTTL:h.rotationTTL,label:a,...h.parentNamespace&&{parentNamespace:h.parentNamespace},...h.inheritedScopes&&{inheritedScopes:h.inheritedScopes}}),h}throw new u({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;await this.register(void 0,void 0,{inviteToken:this.inviteToken});let r=this.getIdentity();if(!r)throw new Error("Registration succeeded but identity could not be read");return r}async ensureFreshKey(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;Date.now()>=s-Ct&&await this.keys.rotateCurrent()}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey();return Se(r.namespace,r.keyId,s,r.algorithm,e)}async fetch(e,r={}){let s=await this.generateToken(),n=we(e,this.proxyUrl),i=new Headers(r.headers);i.set("X-Proxy-Authorization",`Bearer ${s}`);let 
o=await fetch(n,{...r,headers:i});if(o.status===401){let a=await Q(o);if(a){let{code:c}=L(a);if(c==="KEY_STALE"){await this.keys.rotateCurrent();let p=await this.generateToken(),f=new Headers(r.headers);f.set("X-Proxy-Authorization",`Bearer ${p}`),o=await fetch(n,{...r,headers:f})}}}if(o.status===403){let a=await Q(o);if(a){let c=typeof a.error=="string"?a.error:a.error?.code;if(c==="wrong_proxy"&&a.proxyUrl){let y=a.proxyUrl.replace(/\/$/,""),w=we(e,y),g=new Headers(r.headers);return g.set("X-Proxy-Authorization",`Bearer ${s}`),fetch(w,{...r,headers:g})}let p=a.approval_url||a.authorizationUrl;if(p){let y=c==="scope_refused",w=a.missing_scopes||a.missingScopes;throw y||c==="insufficient_scope"||c==="permission_denied"||c==="scope_not_approved"||c==="permission_needs_revalidation"?new W({message:a.message||"Missing required credentials",actionUrl:p,missingScopes:w}):new H({message:a.message||"Missing required credentials",actionUrl:p})}let{code:f}=L(a);Ge(f)&&je(o.status,a,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(o.status)){let a=await Q(o);if(a){let{code:c}=L(a);(Ge(c)||o.status===402||o.status===423)&&je(o.status,a,this.getIdentity(),this.serverUrl)}}return o}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace provided");let s=await m(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await m(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);Fe(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await Se(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new 
Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl}}key(e){return new te(this,e)}reset(){Fe(this.stateDir)}async _apiError(e){let r=await Q(e);if(!r)return new u({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=L(r);return new u({code:s,message:n,statusCode:e.status,actionUrl:i})}},$t=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Ge(t){return $t.has(t.toUpperCase())}function je(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=L(e),c=r?.namespace||"",p=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new Z({message:i||"Namespace is locked",actionUrl:o||`${p}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new ee({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new H({message:i,actionUrl:o||`${p}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new W({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new u({code:n,message:i,statusCode:t,actionUrl:o})}var Ee=null;function Mt(t){return Ee||(Ee=new se(t)),Ee}async function Bt(t,e={}){let{serverUrl:r,stateDir:s,proxyUrl:n,...i}=e;return Mt({serverUrl:r,stateDir:s,proxyUrl:n}).fetch(t,i)}function N(t){if(typeof process<"u"&&process.env)return process.env[t]}0&&(module.exports={BotPartyClient,BotPartyError,InsufficientPermissionError,Key,KeyManager,LinkRequiredError,NamespaceLockedError,PaymentRequiredError,botpartyFetch,toProxyUrl});
|
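--- a/package/dist/index.d.cts
+++ b/package/dist/index.d.cts
@@ -17,6 +17,7 @@ export interface BotPartyOptions {
 algorithm?: SupportedAlgorithm;
 rotationTTL?: number;
 inviteToken?: string;
+proxyUrl?: string;
 }
 export interface Identity {
 serverUrl: string;
@@ -89,6 +90,7 @@ export interface UpdateKeyOptions {
 export interface BotPartyFetchOptions extends RequestInit {
 serverUrl?: string;
 stateDir?: string;
+proxyUrl?: string;
 }
 export declare class BotPartyError extends Error {
 readonly code: string;
@@ -135,6 +137,7 @@ export declare class LinkRequiredError extends BotPartyError {
 actionUrl: string;
 });
 }
+export declare function toProxyUrl(url: string, proxyBaseUrl: string): string;
 export declare class Key {
 private client;
 private keyId;
@@ -162,6 +165,7 @@ export declare class KeyManager {
 export declare class BotPartyClient {
 readonly serverUrl: string;
 readonly stateDir: string;
+readonly proxyUrl: string;
 readonly keys: KeyManager;
 private algorithm;
 private rotationTTL;
@@ -195,10 +199,11 @@ export declare class BotPartyClient {
 */
 generateToken(claims?: Record<string, unknown>): Promise<string>;
 /**
-* Fetch a URL with BotParty authentication.
+* Fetch a URL through the credential proxy with BotParty authentication.
 *
-*
-*
+* Rewrites the target URL to route through the proxy (e.g. keychains.dev),
+* attaches a signed JWT via X-Proxy-Authorization, and handles credential
+* errors (approval URLs, wrong_proxy redirects, stale keys) automatically.
 */
 fetch(url: string, options?: RequestInit): Promise<Response>;
 info(namespace?: string): Promise<NamespaceInfo>;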
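Review bot: The rewritten JSDoc on `fetch` (new lines 202–206) says `wrong_proxy` redirects are handled automatically but does not say that the signed token follows the redirect. In the bundled `fetch` in dist/index.cjs, a 403 body carrying `wrong_proxy` and a `proxyUrl` field makes the client re-send the request, with the same `X-Proxy-Authorization: Bearer` value, to that response-supplied base; no scheme or host check is visible there, though `toProxyUrl`'s body is not shown, so this is unconfirmed. I would state the trust assumption in the doc comment, e.g. `* On wrong_proxy the request and token are re-sent to the proxy base named in the 403 body.`, and document `proxyUrl` on both option interfaces with `/** Credential proxy base; falls back to BOTPARTY_PROXY_URL, KEYCHAINS_PROXY_URL, then https://keychains.dev. */`. If the redirect target is not already constrained, the retry should be limited to HTTPS hosts the caller configured. The same declarations repeat in package/dist/index.d.ts.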
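--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -17,6 +17,7 @@ export interface BotPartyOptions {
 algorithm?: SupportedAlgorithm;
 rotationTTL?: number;
 inviteToken?: string;
+proxyUrl?: string;
 }
 export interface Identity {
 serverUrl: string;
@@ -89,6 +90,7 @@ export interface UpdateKeyOptions {
 export interface BotPartyFetchOptions extends RequestInit {
 serverUrl?: string;
 stateDir?: string;
+proxyUrl?: string;
 }
 export declare class BotPartyError extends Error {
 readonly code: string;
@@ -135,6 +137,7 @@ export declare class LinkRequiredError extends BotPartyError {
 actionUrl: string;
 });
 }
+export declare function toProxyUrl(url: string, proxyBaseUrl: string): string;
 export declare class Key {
 private client;
 private keyId;
@@ -162,6 +165,7 @@ export declare class KeyManager {
 export declare class BotPartyClient {
 readonly serverUrl: string;
 readonly stateDir: string;
+readonly proxyUrl: string;
 readonly keys: KeyManager;
 private algorithm;
 private rotationTTL;
@@ -195,10 +199,11 @@ export declare class BotPartyClient {
 */
 generateToken(claims?: Record<string, unknown>): Promise<string>;
 /**
-* Fetch a URL with BotParty authentication.
+* Fetch a URL through the credential proxy with BotParty authentication.
 *
-*
-*
+* Rewrites the target URL to route through the proxy (e.g. keychains.dev),
+* attaches a signed JWT via X-Proxy-Authorization, and handles credential
+* errors (approval URLs, wrong_proxy redirects, stale keys) automatically.
 */
 fetch(url: string, options?: RequestInit): Promise<Response>;
 info(namespace?: string): Promise<NamespaceInfo>;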
package/dist/index.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
var
|
|
1
|
+
var L=new TextEncoder,W=new TextDecoder,Jt=2**32;function Se(...t){let e=t.reduce((n,{length:i})=>n+i,0),r=new Uint8Array(e),s=0;for(let n of t)r.set(n,s),s+=n.length;return r}function H(t){let e=new Uint8Array(t.length);for(let r=0;r<t.length;r++){let s=t.charCodeAt(r);if(s>127)throw new TypeError("non-ASCII string encountered in encode()");e[r]=s}return e}function J(t){if(Uint8Array.prototype.toBase64)return t.toBase64();let e=32768,r=[];for(let s=0;s<t.length;s+=e)r.push(String.fromCharCode.apply(null,t.subarray(s,s+e)));return btoa(r.join(""))}function $(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(t);let e=atob(t),r=new Uint8Array(e.length);for(let s=0;s<e.length;s++)r[s]=e.charCodeAt(s);return r}function we(t){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof t=="string"?t:W.decode(t),{alphabet:"base64url"});let e=t;e instanceof Uint8Array&&(e=W.decode(e)),e=e.replace(/-/g,"+").replace(/_/g,"/");try{return $(e)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function M(t){let e=t;return typeof e=="string"&&(e=L.encode(e)),Uint8Array.prototype.toBase64?e.toBase64({alphabet:"base64url",omitPadding:!0}):J(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var g=(t,e="algorithm.name")=>new TypeError(`CryptoKey does not support this operation, its ${e} must be ${t}`),x=(t,e)=>t.name===e;function Qe(t){return parseInt(t.name.slice(4),10)}function Z(t,e){if(Qe(t.hash)!==e)throw g(`SHA-${e}`,"algorithm.hash")}function Ze(t){switch(t){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function et(t,e){if(e&&!t.usages.includes(e))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${e}.`)}function Ae(t,e,r){switch(e){case"HS256":case"HS384":case"HS512":{if(!x(t.algorithm,"HMAC"))throw 
g("HMAC");Z(t.algorithm,parseInt(e.slice(2),10));break}case"RS256":case"RS384":case"RS512":{if(!x(t.algorithm,"RSASSA-PKCS1-v1_5"))throw g("RSASSA-PKCS1-v1_5");Z(t.algorithm,parseInt(e.slice(2),10));break}case"PS256":case"PS384":case"PS512":{if(!x(t.algorithm,"RSA-PSS"))throw g("RSA-PSS");Z(t.algorithm,parseInt(e.slice(2),10));break}case"Ed25519":case"EdDSA":{if(!x(t.algorithm,"Ed25519"))throw g("Ed25519");break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{if(!x(t.algorithm,e))throw g(e);break}case"ES256":case"ES384":case"ES512":{if(!x(t.algorithm,"ECDSA"))throw g("ECDSA");let s=Ze(e);if(t.algorithm.namedCurve!==s)throw g(s,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}et(t,r)}function be(t,e,...r){if(r=r.filter(Boolean),r.length>2){let s=r.pop();t+=`one of type ${r.join(", ")}, or ${s}.`}else r.length===2?t+=`one of type ${r[0]} or ${r[1]}.`:t+=`of type ${r[0]}.`;return e==null?t+=` Received ${e}`:typeof e=="function"&&e.name?t+=` Received function ${e.name}`:typeof e=="object"&&e!=null&&e.constructor?.name&&(t+=` Received an instance of ${e.constructor.name}`),t}var B=(t,...e)=>be("Key must be ",t,...e),ee=(t,e,...r)=>be(`Key for the ${t} algorithm must be `,e,...r);var v=class extends Error{static code="ERR_JOSE_GENERIC";code="ERR_JOSE_GENERIC";constructor(e,r){super(e,r),this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}};var d=class extends v{static code="ERR_JOSE_NOT_SUPPORTED";code="ERR_JOSE_NOT_SUPPORTED"};var E=class extends v{static code="ERR_JWS_INVALID";code="ERR_JWS_INVALID"},F=class extends v{static code="ERR_JWT_INVALID";code="ERR_JWT_INVALID"};var I=t=>{if(t?.[Symbol.toStringTag]==="CryptoKey")return!0;try{return t instanceof CryptoKey}catch{return!1}},C=t=>t?.[Symbol.toStringTag]==="KeyObject",te=t=>I(t)||C(t);var qt=Symbol();function re(t,e){if(t)throw new TypeError(`${e} can only be called once`)}var tt=t=>typeof t=="object"&&t!==null;function 
se(t){if(!tt(t)||Object.prototype.toString.call(t)!=="[object Object]")return!1;if(Object.getPrototypeOf(t)===null)return!0;let e=t;for(;Object.getPrototypeOf(e)!==null;)e=Object.getPrototypeOf(e);return Object.getPrototypeOf(t)===e}function xe(...t){let e=t.filter(Boolean);if(e.length===0||e.length===1)return!0;let r;for(let s of e){let n=Object.keys(s);if(!r||r.size===0){r=new Set(n);continue}for(let i of n){if(r.has(i))return!1;r.add(i)}}return!0}var _=t=>se(t)&&typeof t.kty=="string",Pe=t=>t.kty!=="oct"&&(t.kty==="AKP"&&typeof t.priv=="string"||typeof t.d=="string"),Ke=t=>t.kty!=="oct"&&t.d===void 0&&t.priv===void 0,Re=t=>t.kty==="oct"&&typeof t.k=="string";function st(t,e){if(t.startsWith("RS")||t.startsWith("PS")){let{modulusLength:r}=e.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`)}}function nt(t,e){let r=`SHA-${t.slice(-3)}`;switch(t){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:parseInt(t.slice(-3),10)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:e.namedCurve};case"Ed25519":case"EdDSA":return{name:"Ed25519"};case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":return{name:t};default:throw new d(`alg ${t} is not supported either by JOSE or your javascript runtime`)}}async function it(t,e,r){if(e instanceof Uint8Array){if(!t.startsWith("HS"))throw new TypeError(B(e,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",e,{hash:`SHA-${t.slice(-3)}`,name:"HMAC"},!1,[r])}return Ae(e,t,r),e}async function Te(t,e,r){let s=await it(t,e,"sign");st(t,s);let n=await crypto.subtle.sign(nt(t,s.algorithm),s,r);return new Uint8Array(n)}var G='Invalid or unsupported JWK "alg" (Algorithm) Parameter value';function ot(t){let 
e,r;switch(t.kty){case"AKP":{switch(t.alg){case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":e={name:t.alg},r=t.priv?["sign"]:["verify"];break;default:throw new d(G)}break}case"RSA":{switch(t.alg){case"PS256":case"PS384":case"PS512":e={name:"RSA-PSS",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":e={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.alg.slice(-3)}`},r=t.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":e={name:"RSA-OAEP",hash:`SHA-${parseInt(t.alg.slice(-3),10)||1}`},r=t.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new d(G)}break}case"EC":{switch(t.alg){case"ES256":case"ES384":case"ES512":e={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[t.alg]},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:"ECDH",namedCurve:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new d(G)}break}case"OKP":{switch(t.alg){case"Ed25519":case"EdDSA":e={name:"Ed25519"},r=t.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:t.crv},r=t.d?["deriveBits"]:[];break;default:throw new d(G)}break}default:throw new d('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:e,keyUsages:r}}async function ve(t){if(!t.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:e,keyUsages:r}=ot(t),s={...t};return s.kty!=="AKP"&&delete s.alg,delete s.use,crypto.subtle.importKey("jwk",s,e,t.ext??!(t.d||t.priv),t.key_ops??r)}var P="given KeyObject instance cannot be used for this algorithm",K,Ie=async(t,e,r,s=!1)=>{K||=new WeakMap;let n=K.get(t);if(n?.[r])return n[r];let i=await ve({...e,alg:r});return s&&Object.freeze(t),n?n[r]=i:K.set(t,{[r]:i}),i},at=(t,e)=>{K||=new WeakMap;let r=K.get(t);if(r?.[e])return r[e];let 
s=t.type==="public",n=!!s,i;if(t.asymmetricKeyType==="x25519"){switch(e){case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":break;default:throw new TypeError(P)}i=t.toCryptoKey(t.asymmetricKeyType,n,s?[]:["deriveBits"])}if(t.asymmetricKeyType==="ed25519"){if(e!=="EdDSA"&&e!=="Ed25519")throw new TypeError(P);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}switch(t.asymmetricKeyType){case"ml-dsa-44":case"ml-dsa-65":case"ml-dsa-87":{if(e!==t.asymmetricKeyType.toUpperCase())throw new TypeError(P);i=t.toCryptoKey(t.asymmetricKeyType,n,[s?"verify":"sign"])}}if(t.asymmetricKeyType==="rsa"){let o;switch(e){case"RSA-OAEP":o="SHA-1";break;case"RS256":case"PS256":case"RSA-OAEP-256":o="SHA-256";break;case"RS384":case"PS384":case"RSA-OAEP-384":o="SHA-384";break;case"RS512":case"PS512":case"RSA-OAEP-512":o="SHA-512";break;default:throw new TypeError(P)}if(e.startsWith("RSA-OAEP"))return t.toCryptoKey({name:"RSA-OAEP",hash:o},n,s?["encrypt"]:["decrypt"]);i=t.toCryptoKey({name:e.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:o},n,[s?"verify":"sign"])}if(t.asymmetricKeyType==="ec"){let a=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(t.asymmetricKeyDetails?.namedCurve);if(!a)throw new TypeError(P);let c={ES256:"P-256",ES384:"P-384",ES512:"P-521"};c[e]&&a===c[e]&&(i=t.toCryptoKey({name:"ECDSA",namedCurve:a},n,[s?"verify":"sign"])),e.startsWith("ECDH-ES")&&(i=t.toCryptoKey({name:"ECDH",namedCurve:a},n,s?[]:["deriveBits"]))}if(!i)throw new TypeError(P);return r?r[e]=i:K.set(t,{[e]:i}),i};async function Ce(t,e){if(t instanceof Uint8Array||I(t))return t;if(C(t)){if(t.type==="secret")return t.export();if("toCryptoKey"in t&&typeof t.toCryptoKey=="function")try{return at(t,e)}catch(s){if(s instanceof TypeError)throw s}let r=t.export({format:"jwk"});return Ie(t,r,e)}if(_(t))return t.k?we(t.k):Ie(t,t,e,!0);throw new Error("unreachable")}var ct=(t,e)=>{let r=(t.match(/.{1,64}/g)||[]).join(`
|
|
2
2
|
`);return`-----BEGIN ${e}-----
|
|
3
3
|
${r}
|
|
4
|
-
-----END ${e}-----`},_e=async(t,e,r)=>{if(v(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!T(r))throw new TypeError(H(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return it(L(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},De=t=>_e("public","spki",t),Oe=t=>_e("private","pkcs8",t),ee=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},ot=t=>({data:t,pos:0}),C=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var _=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},ke=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},at=t=>{_(t,6,"Expected algorithm OID");let e=C(t);return ke(t,e)};function ct(t){_(t,48,"Invalid PKCS#8 structure"),C(t),_(t,2,"Expected version field");let e=C(t);t.pos+=e,_(t,48,"Expected algorithm identifier");let r=C(t);return{algIdStart:t.pos,algIdLength:r}}var pt=t=>{let e=at(t);if(ee(e,[43,101,110]))return"X25519";if(!ee(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");_(t,6,"Expected curve OID");let r=C(t),s=ke(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(ee(s,i))return n;throw new Error("Unsupported named curve")},dt=async(t,e,r,s)=>{let 
n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let p=s.getNamedCurve(e);n=p==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:p}}catch{throw new d("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new d('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},ut=(t,e)=>W(t.replace(e,"")),Ue=(t,e,r)=>{let s=ut(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=ot(i);return ct(o),pt(o)}),dt("pkcs8",s,e,n)};async function M(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return Ue(t,e,r)}async function te(t){return De(t)}async function re(t){return Oe(t)}function Ne(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of 
s.crit){if(!i.has(o))throw new d(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var x=t=>t?.[Symbol.toStringTag],se=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},lt=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(I(e)){if(Re(e)&&se(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!z(e))throw new TypeError(q(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${x(e)} instances for symmetric algorithms must be of type "secret"`)}},ft=(t,e,r)=>{if(I(e))switch(r){case"decrypt":case"sign":if(Pe(e)&&se(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(Ke(e)&&se(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!z(e))throw new 
TypeError(q(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${x(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${x(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${x(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${x(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${x(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function Le(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":lt(t,e,r);break;default:ft(t,e,r)}}var g=t=>Math.floor(t.getTime()/1e3),We=60,Je=We*60,ie=Je*24,ht=ie*7,mt=ie*365.25,yt=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function ne(t){let e=yt.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*We);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*Je);break;case"day":case"days":case"d":n=Math.round(r*ie);break;case"week":case"weeks":case"w":n=Math.round(r*ht);break;default:n=Math.round(r*mt);break}return e[1]==="-"||e[4]==="ago"?-n:n}function E(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var F=class{#e;constructor(e){if(!Z(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return k.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return 
this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=E("setNotBefore",e):e instanceof Date?this.#e.nbf=E("setNotBefore",g(e)):this.#e.nbf=g(new Date)+ne(e)}set exp(e){typeof e=="number"?this.#e.exp=E("setExpirationTime",e):e instanceof Date?this.#e.exp=E("setExpirationTime",g(e)):this.#e.exp=g(new Date)+ne(e)}set iat(e){e===void 0?this.#e.iat=g(new Date):e instanceof Date?this.#e.iat=E("setIssuedAt",g(e)):typeof e=="string"?this.#e.iat=E("setIssuedAt",g(new Date)+ne(e)):this.#e.iat=E("setIssuedAt",e)}};var S=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return Q(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return Q(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new y("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!xe(this.#t,this.#r))throw new y("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=Ne(y,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new y('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new y('JWS "alg" (Algorithm) Header Parameter missing or invalid');Le(o,e,"sign");let a,c;i?(a=J(this.#e),c=N(a)):(c=this.#e,a="");let p,h;this.#t?(p=J(JSON.stringify(this.#t)),h=N(p)):(p="",h=new Uint8Array);let O=Se(h,N("."),c),V=await Ce(e,o),K=await Te(o,V,O),l={signature:J(K),payload:a};return this.#r&&(l.header=this.#r),this.#t&&(l.protected=p),l}};var G=class{#e;constructor(e){this.#e=new S(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: 
false");return`${s.protected}.${s.payload}.${s.signature}`}};var D=class{#e;#t;constructor(e={}){this.#t=new F(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new G(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new $("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function oe(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new d("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function ae(t,e){let r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:oe(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:oe(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:oe(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let 
n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new d("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new d('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}import{readFileSync as Be,writeFileSync as Me,mkdirSync as Et,existsSync as Y,unlinkSync as St}from"node:fs";import{join as P}from"node:path";import{homedir as wt}from"node:os";import{randomBytes as Fe}from"node:crypto";var At="https://id.botparty.club",bt="EdDSA",xt=15,Pt=6e4,Kt="5m",Rt=3,Tt=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],vt=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],u=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},ue=class extends u{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},le=class extends u{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},fe=class extends 
u{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},he=class extends u{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function He(t){let e=Fe(4);return t[e.readUInt32BE(0)%t.length]}function It(){return`${He(Tt)}-${He(vt)}`}function Ct(){let t=It(),e=Fe(2).toString("hex");return`${t}-${e}`}function _t(){return P(wt(),".botparty")}function Ge(t){Y(t)||Et(t,{recursive:!0,mode:448})}function Dt(t){let e=P(t,"identity.json");if(!Y(e))return null;try{return JSON.parse(Be(e,"utf-8"))}catch{return null}}function je(t,e){Ge(t);let r=P(t,"identity.json");Me(r,JSON.stringify(e,null,2),{mode:384})}function Ot(t){let e=P(t,"private.pem");if(!Y(e))return null;try{return Be(e,"utf-8")}catch{return null}}function Ye(t,e){Ge(t);let r=P(t,"private.pem");Me(r,e,{mode:384})}function $e(t){for(let e of["identity.json","private.pem"]){let r=P(t,e);Y(r)&&St(r)}}async function Ve(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await ae(t,e),n=await re(r),i=await te(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async function kt(t,e,r){let s=await M(e,r);return(await new S(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function me(t,e,r,s,n){let i=s,o=await M(r,i);return new D({...n}).setProtectedHeader({alg:i,kid:e}).setIssuer(t).setSubject(t).setIssuedAt().setExpirationTime(Kt).sign(o)}async function f(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}async function ce(t){try{return await t.clone().json()}catch{return null}}function j(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let 
o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl,i=o}else r=(typeof e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl,i=t;return{code:r,message:s,actionUrl:n,extra:i}}var ye=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},ge=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await f(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new u({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await f(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await f(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async delete(e){let r=await this.client.generateToken(),s=await f(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await this.client._apiError(s)}async rotate(e){let r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new u({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this 
client. Use the server API directly for other keys.",statusCode:400});let i=await Ve(r.algorithm),o=await me(r.namespace,r.keyId,s,r.algorithm),a=await f(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return Ye(this.client.stateDir,i.privatePem),je(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await f(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await this.client._apiError(n)}},Ee=class{serverUrl;stateDir;keys;algorithm;rotationTTL;inviteToken;constructor(e={}){this.serverUrl=(e.serverUrl||de("BOTPARTY_SERVER_URL")||At).replace(/\/$/,""),this.stateDir=e.stateDir||de("BOTPARTY_STATE_DIR")||_t(),this.algorithm=e.algorithm||bt,this.rotationTTL=e.rotationTTL||xt,this.inviteToken=e.inviteToken||de("BOTPARTY_INVITE_TOKEN"),this.keys=new ge(this)}getIdentity(){return Dt(this.stateDir)}getPrivateKey(){return Ot(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken;for(;i<Rt;){n||(n=Ct());let a=r||n,c=await Ve(this.algorithm),p=await f(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:c.publicPem,rotationTTL:this.rotationTTL,...o&&{inviteToken:o}})}),h=await p.json();if(h.status==="already_registered")throw new u({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already registered`,statusCode:409});if(p.status===409&&!e){n=void 0,i++;continue}if(!p.ok)throw new u({code:h.error||"REGISTRATION_FAILED",message:h.message||h.error||"Registration failed",statusCode:p.status});let O=h.challenge,V=await kt(O,c.privatePem,this.algorithm),K=await 
f(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:O,signature:V})});if(!K.ok)throw await this._apiError(K);let l=await K.json();return Ye(this.stateDir,c.privatePem),je(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:l.keyId,algorithm:this.algorithm,rotatedAt:l.rotatedAt,rotationTTL:l.rotationTTL,label:a,...l.parentNamespace&&{parentNamespace:l.parentNamespace},...l.inheritedScopes&&{inheritedScopes:l.inheritedScopes}}),l}throw new u({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;await this.register(void 0,void 0,{inviteToken:this.inviteToken});let r=this.getIdentity();if(!r)throw new Error("Registration succeeded but identity could not be read");return r}async ensureFreshKey(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;Date.now()>=s-Pt&&await this.keys.rotateCurrent()}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey();return me(r.namespace,r.keyId,s,r.algorithm,e)}async fetch(e,r={}){let s=await this.generateToken(),n=new Headers(r.headers);n.set("X-Proxy-Authorization",`Bearer ${s}`);let i=await fetch(e,{...r,headers:n});if(i.status===401){let o=await ce(i);if(o){let{code:a}=j(o);if(a==="KEY_STALE"){await this.keys.rotateCurrent();let c=await this.generateToken(),p=new Headers(r.headers);p.set("X-Proxy-Authorization",`Bearer ${c}`),i=await fetch(e,{...r,headers:p})}}}if([401,402,403,423].includes(i.status)){let o=await ce(i);if(o){let{code:a}=j(o);Nt(a)&&Lt(i.status,o,this.getIdentity(),this.serverUrl)}}return i}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace provided");let s=await 
f(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await f(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);$e(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await me(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl}}key(e){return new ye(this,e)}reset(){$e(this.stateDir)}async _apiError(e){let r=await ce(e);if(!r)return new u({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=j(r);return new u({code:s,message:n,statusCode:e.status,actionUrl:i})}},Ut=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Nt(t){return Ut.has(t)}function Lt(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=j(e),c=r?.namespace||"",p=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new ue({message:i||"Namespace is locked",actionUrl:o||`${p}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new le({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new he({message:i,actionUrl:o||`${p}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new fe({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new 
u({code:n,message:i,statusCode:t,actionUrl:o})}var pe=null;function Wt(t){return pe||(pe=new Ee(t)),pe}async function os(t,e={}){let{serverUrl:r,stateDir:s,...n}=e;return Wt({serverUrl:r,stateDir:s}).fetch(t,n)}function de(t){if(typeof process<"u"&&process.env)return process.env[t]}export{Ee as BotPartyClient,u as BotPartyError,fe as InsufficientPermissionError,ye as Key,ge as KeyManager,he as LinkRequiredError,ue as NamespaceLockedError,le as PaymentRequiredError,os as botpartyFetch};
|
|
4
|
+
-----END ${e}-----`},_e=async(t,e,r)=>{if(C(r)){if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return r.export({format:"pem",type:e})}if(!I(r))throw new TypeError(B(r,"CryptoKey","KeyObject"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==t)throw new TypeError(`key is not a ${t} key`);return ct(J(new Uint8Array(await crypto.subtle.exportKey(e,r))),`${t.toUpperCase()} KEY`)},De=t=>_e("public","spki",t),Ue=t=>_e("private","pkcs8",t),ne=(t,e)=>{if(t.byteLength!==e.length)return!1;for(let r=0;r<t.byteLength;r++)if(t[r]!==e[r])return!1;return!0},pt=t=>({data:t,pos:0}),D=t=>{let e=t.data[t.pos++];if(e&128){let r=e&127,s=0;for(let n=0;n<r;n++)s=s<<8|t.data[t.pos++];return s}return e};var U=(t,e,r)=>{if(t.data[t.pos++]!==e)throw new Error(r)},Oe=(t,e)=>{let r=t.data.subarray(t.pos,t.pos+e);return t.pos+=e,r},dt=t=>{U(t,6,"Expected algorithm OID");let e=D(t);return Oe(t,e)};function ut(t){U(t,48,"Invalid PKCS#8 structure"),D(t),U(t,2,"Expected version field");let e=D(t);t.pos+=e,U(t,48,"Expected algorithm identifier");let r=D(t);return{algIdStart:t.pos,algIdLength:r}}var lt=t=>{let e=dt(t);if(ne(e,[43,101,110]))return"X25519";if(!ne(e,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");U(t,6,"Expected curve OID");let r=D(t),s=Oe(t,r);for(let{name:n,oid:i}of[{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(ne(s,i))return n;throw new Error("Unsupported named curve")},ft=async(t,e,r,s)=>{let 
n,i,o=t==="spki",a=()=>o?["verify"]:["sign"],c=()=>o?["encrypt","wrapKey"]:["decrypt","unwrapKey"];switch(r){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.slice(-3)}`},i=a();break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(r.slice(-3),10)||1}`},i=c();break;case"ES256":case"ES384":case"ES512":{n={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[r]},i=a();break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{try{let p=s.getNamedCurve(e);n=p==="X25519"?{name:"X25519"}:{name:"ECDH",namedCurve:p}}catch{throw new d("Invalid or unsupported key format")}i=o?[]:["deriveBits"];break}case"Ed25519":case"EdDSA":n={name:"Ed25519"},i=a();break;case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":n={name:r},i=a();break;default:throw new d('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(t,e,n,s?.extractable??!!o,i)},ht=(t,e)=>$(t.replace(e,"")),ke=(t,e,r)=>{let s=ht(t,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g),n=r;return e?.startsWith?.("ECDH-ES")&&(n||={},n.getNamedCurve=i=>{let o=pt(i);return ut(o),lt(o)}),ft("pkcs8",s,e,n)};async function j(t,e,r){if(typeof t!="string"||t.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return ke(t,e,r)}async function ie(t){return De(t)}async function oe(t){return Ue(t)}function Ne(t,e,r,s,n){if(n.crit!==void 0&&s?.crit===void 0)throw new t('"crit" (Critical) Header Parameter MUST be integrity protected');if(!s||s.crit===void 0)return new Set;if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some(o=>typeof o!="string"||o.length===0))throw new t('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...e.entries()]):i=e;for(let o of 
s.crit){if(!i.has(o))throw new d(`Extension Header Parameter "${o}" is not recognized`);if(n[o]===void 0)throw new t(`Extension Header Parameter "${o}" is missing`);if(i.get(o)&&s[o]===void 0)throw new t(`Extension Header Parameter "${o}" MUST be integrity protected`)}return new Set(s.crit)}var R=t=>t?.[Symbol.toStringTag],ae=(t,e,r)=>{if(e.use!==void 0){let s;switch(r){case"sign":case"verify":s="sig";break;case"encrypt":case"decrypt":s="enc";break}if(e.use!==s)throw new TypeError(`Invalid key for this operation, its "use" must be "${s}" when present`)}if(e.alg!==void 0&&e.alg!==t)throw new TypeError(`Invalid key for this operation, its "alg" must be "${t}" when present`);if(Array.isArray(e.key_ops)){let s;switch(!0){case(r==="sign"||r==="verify"):case t==="dir":case t.includes("CBC-HS"):s=r;break;case t.startsWith("PBES2"):s="deriveBits";break;case/^A\d{3}(?:GCM)?(?:KW)?$/.test(t):!t.includes("GCM")&&t.endsWith("KW")?s=r==="encrypt"?"wrapKey":"unwrapKey":s=r;break;case(r==="encrypt"&&t.startsWith("RSA")):s="wrapKey";break;case r==="decrypt":s=t.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(s&&e.key_ops?.includes?.(s)===!1)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${s}" when present`)}return!0},mt=(t,e,r)=>{if(!(e instanceof Uint8Array)){if(_(e)){if(Re(e)&&ae(t,e,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!te(e))throw new TypeError(ee(t,e,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(e.type!=="secret")throw new TypeError(`${R(e)} instances for symmetric algorithms must be of type "secret"`)}},yt=(t,e,r)=>{if(_(e))switch(r){case"decrypt":case"sign":if(Pe(e)&&ae(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case"encrypt":case"verify":if(Ke(e)&&ae(t,e,r))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!te(e))throw new 
TypeError(ee(t,e,"CryptoKey","KeyObject","JSON Web Key"));if(e.type==="secret")throw new TypeError(`${R(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.type==="public")switch(r){case"sign":throw new TypeError(`${R(e)} instances for asymmetric algorithm signing must be of type "private"`);case"decrypt":throw new TypeError(`${R(e)} instances for asymmetric algorithm decryption must be of type "private"`)}if(e.type==="private")switch(r){case"verify":throw new TypeError(`${R(e)} instances for asymmetric algorithm verifying must be of type "public"`);case"encrypt":throw new TypeError(`${R(e)} instances for asymmetric algorithm encryption must be of type "public"`)}};function Le(t,e,r){switch(t.substring(0,2)){case"A1":case"A2":case"di":case"HS":case"PB":mt(t,e,r);break;default:yt(t,e,r)}}var w=t=>Math.floor(t.getTime()/1e3),We=60,He=We*60,pe=He*24,gt=pe*7,Et=pe*365.25,St=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function ce(t){let e=St.exec(t);if(!e||e[4]&&e[1])throw new TypeError("Invalid time period format");let r=parseFloat(e[2]),s=e[3].toLowerCase(),n;switch(s){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*We);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*He);break;case"day":case"days":case"d":n=Math.round(r*pe);break;case"week":case"weeks":case"w":n=Math.round(r*gt);break;default:n=Math.round(r*Et);break}return e[1]==="-"||e[4]==="ago"?-n:n}function A(t,e){if(!Number.isFinite(e))throw new TypeError(`Invalid ${t} input`);return e}var Y=class{#e;constructor(e){if(!se(e))throw new TypeError("JWT Claims Set MUST be an object");this.#e=structuredClone(e)}data(){return L.encode(JSON.stringify(this.#e))}get iss(){return this.#e.iss}set iss(e){this.#e.iss=e}get sub(){return this.#e.sub}set sub(e){this.#e.sub=e}get aud(){return 
this.#e.aud}set aud(e){this.#e.aud=e}set jti(e){this.#e.jti=e}set nbf(e){typeof e=="number"?this.#e.nbf=A("setNotBefore",e):e instanceof Date?this.#e.nbf=A("setNotBefore",w(e)):this.#e.nbf=w(new Date)+ce(e)}set exp(e){typeof e=="number"?this.#e.exp=A("setExpirationTime",e):e instanceof Date?this.#e.exp=A("setExpirationTime",w(e)):this.#e.exp=w(new Date)+ce(e)}set iat(e){e===void 0?this.#e.iat=w(new Date):e instanceof Date?this.#e.iat=A("setIssuedAt",w(e)):typeof e=="string"?this.#e.iat=A("setIssuedAt",w(new Date)+ce(e)):this.#e.iat=A("setIssuedAt",e)}};var b=class{#e;#t;#r;constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this.#e=e}setProtectedHeader(e){return re(this.#t,"setProtectedHeader"),this.#t=e,this}setUnprotectedHeader(e){return re(this.#r,"setUnprotectedHeader"),this.#r=e,this}async sign(e,r){if(!this.#t&&!this.#r)throw new E("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!xe(this.#t,this.#r))throw new E("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let s={...this.#t,...this.#r},n=Ne(E,new Map([["b64",!0]]),r?.crit,this.#t,s),i=!0;if(n.has("b64")&&(i=this.#t.b64,typeof i!="boolean"))throw new E('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:o}=s;if(typeof o!="string"||!o)throw new E('JWS "alg" (Algorithm) Header Parameter missing or invalid');Le(o,e,"sign");let a,c;i?(a=M(this.#e),c=H(a)):(c=this.#e,a="");let p,u;this.#t?(p=M(JSON.stringify(this.#t)),u=H(p)):(p="",u=new Uint8Array);let m=Se(u,H("."),c),S=await Ce(e,o),y=await Te(o,S,m),f={signature:M(y),payload:a};return this.#r&&(f.header=this.#r),this.#t&&(f.protected=p),f}};var X=class{#e;constructor(e){this.#e=new b(e)}setProtectedHeader(e){return this.#e.setProtectedHeader(e),this}async sign(e,r){let s=await this.#e.sign(e,r);if(s.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: 
false");return`${s.protected}.${s.payload}.${s.signature}`}};var O=class{#e;#t;constructor(e={}){this.#t=new Y(e)}setIssuer(e){return this.#t.iss=e,this}setSubject(e){return this.#t.sub=e,this}setAudience(e){return this.#t.aud=e,this}setJti(e){return this.#t.jti=e,this}setNotBefore(e){return this.#t.nbf=e,this}setExpirationTime(e){return this.#t.exp=e,this}setIssuedAt(e){return this.#t.iat=e,this}setProtectedHeader(e){return this.#e=e,this}async sign(e,r){let s=new X(this.#t.data());if(s.setProtectedHeader(this.#e),Array.isArray(this.#e?.crit)&&this.#e.crit.includes("b64")&&this.#e.b64===!1)throw new F("JWTs MUST NOT use unencoded payload");return s.sign(e,r)}};function de(t){let e=t?.modulusLength??2048;if(typeof e!="number"||e<2048)throw new d("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return e}async function ue(t,e){let r,s;switch(t){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:de(e)},s=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${t.slice(-3)}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:de(e)},s=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(t.slice(-3),10)||1}`,publicExponent:Uint8Array.of(1,0,1),modulusLength:de(e)},s=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},s=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},s=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},s=["sign","verify"];break;case"Ed25519":case"EdDSA":{s=["sign","verify"],r={name:"Ed25519"};break}case"ML-DSA-44":case"ML-DSA-65":case"ML-DSA-87":{s=["sign","verify"],r={name:t};break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{s=["deriveBits"];let 
n=e?.crv??"P-256";switch(n){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:n};break}case"X25519":r={name:"X25519"};break;default:throw new d("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519")}break}default:throw new d('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return crypto.subtle.generateKey(r,e?.extractable??!1,s)}import{readFileSync as Ge,writeFileSync as je,mkdirSync as At,existsSync as Q,unlinkSync as bt}from"node:fs";import{join as T}from"node:path";import{homedir as xt}from"node:os";import{randomBytes as Ye}from"node:crypto";var Pt="https://id.botparty.club",Kt="EdDSA",Rt=15,Tt=6e4,vt="5m",It=3,Ct=["brave","calm","cosmic","eager","fair","gentle","happy","keen","lively","noble","proud","quick","rare","sharp","swift","true","vivid","warm","wild","bold","cool","fast","grand","just","kind","lean","mild","neat","pale","rich","safe","tall","vast","wise","bright","dark","fierce","quiet","free","glad"],_t=["lion","hawk","wolf","bear","fox","deer","owl","crane","whale","tiger","eagle","shark","raven","puma","lynx","orca","swan","viper","bison","cobra","finch","gecko","heron","ibex","jay","kite","lark","moth","newt","otter","perch","quail","robin","seal","toad","wren","yak","zebra","ant","bee"],l=class extends Error{code;statusCode;actionUrl;details;constructor(e){super(e.message),this.name="BotPartyError",this.code=e.code,this.statusCode=e.statusCode,this.actionUrl=e.actionUrl,this.details=e.details}},fe=class extends l{constructor(e){super({code:"NAMESPACE_LOCKED",message:e.message,statusCode:423,actionUrl:e.actionUrl,details:{lockedAt:e.lockedAt,reason:e.reason}}),this.name="NamespaceLockedError"}},he=class extends l{amount;service;constructor(e){super({code:"PAYMENT_REQUIRED",message:e.message,statusCode:402,actionUrl:e.actionUrl}),this.name="PaymentRequiredError",this.amount=e.amount,this.service=e.service}},q=class extends 
l{missingScopes;constructor(e){super({code:"INSUFFICIENT_PERMISSION",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="InsufficientPermissionError",this.missingScopes=e.missingScopes}},z=class extends l{constructor(e){super({code:"LINK_REQUIRED",message:e.message,statusCode:403,actionUrl:e.actionUrl}),this.name="LinkRequiredError"}};function Je(t){let e=Ye(4);return t[e.readUInt32BE(0)%t.length]}function Dt(){return`${Je(Ct)}-${Je(_t)}`}function Ut(){let t=Dt(),e=Ye(2).toString("hex");return`${t}-${e}`}function Ot(){return T(xt(),".botparty")}function Xe(t){Q(t)||At(t,{recursive:!0,mode:448})}function kt(t){let e=T(t,"identity.json");if(!Q(e))return null;try{return JSON.parse(Ge(e,"utf-8"))}catch{return null}}function Ve(t,e){Xe(t);let r=T(t,"identity.json");je(r,JSON.stringify(e,null,2),{mode:384})}function Nt(t){let e=T(t,"private.pem");if(!Q(e))return null;try{return Ge(e,"utf-8")}catch{return null}}function qe(t,e){Xe(t);let r=T(t,"private.pem");je(r,e,{mode:384})}function $e(t){for(let e of["identity.json","private.pem"]){let r=T(t,e);Q(r)&&bt(r)}}async function ze(t){let e={extractable:!0};t==="EdDSA"&&(e.crv="Ed25519");let{privateKey:r,publicKey:s}=await ue(t,e),n=await oe(r),i=await ie(s);return{privateKey:r,publicKey:s,privatePem:n,publicPem:i}}async function Lt(t,e,r){let s=await j(e,r);return(await new b(new TextEncoder().encode(t)).setProtectedHeader({alg:r}).sign(s)).signature}async function me(t,e,r,s,n){let i=s,o=await j(r,i);return new O({...n}).setProtectedHeader({alg:i,kid:e}).setIssuer(t).setSubject(t).setIssuedAt().setExpirationTime(vt).sign(o)}async function h(t,e,r={}){let{token:s,...n}=r,i=new Headers(n.headers);return i.set("Content-Type","application/json"),s&&i.set("Authorization",`Bearer ${s}`),fetch(`${t}${e}`,{...n,headers:i})}function Me(t,e){try{let r=new URL(t),s=new URL(e);return 
r.hostname===s.hostname&&r.port===s.port&&r.protocol===s.protocol?t:`${e}/${r.hostname}${r.pathname}${r.search}`}catch{return`${e}/${t}`}}async function V(t){try{return await t.clone().json()}catch{return null}}function N(t){let e=t.error,r,s,n,i={};if(typeof e=="object"&&e!==null){let o=e;r=o.code||"UNKNOWN",s=o.message||t.message||"Request failed",n=o.actionUrl||t.actionUrl||o.payTo||t.payTo,i=o}else r=(typeof e=="string"?e:t.code)||"UNKNOWN",s=t.message||(typeof e=="string"?e:"Request failed"),n=t.actionUrl||t.payTo,i=t;return{code:r.toUpperCase(),message:s,actionUrl:n,extra:i}}var ye=class{constructor(e,r){this.client=e;this.keyId=r}get id(){return this.keyId}async info(){return this.client.keys.get(this.keyId)}async update(e){return this.client.keys.update(this.keyId,e)}async delete(){return this.client.keys.delete(this.keyId)}async rotate(){return this.client.keys.rotate(this.keyId)}async invalidate(e){return this.client.keys.invalidate(this.keyId,e)}},ge=class{constructor(e){this.client=e}async list(){let e=await this.client.generateToken(),r=await h(this.client.serverUrl,"/api/v1/namespaces/keys",{token:e});if(!r.ok)throw await this.client._apiError(r);return(await r.json()).data}async get(e){let s=(await this.list()).find(n=>n.id===e);if(!s)throw new l({code:"KEY_NOT_FOUND",message:`Key ${e} not found`,statusCode:404});return s}async add(e){let r=await this.client.generateToken(),s=await h(this.client.serverUrl,"/api/v1/namespaces/keys",{method:"POST",token:r,body:JSON.stringify(e)});if(!s.ok)throw await this.client._apiError(s);return s.json()}async update(e,r){let s=await this.client.generateToken(),n=await h(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"PATCH",token:s,body:JSON.stringify(r)});if(!n.ok)throw await this.client._apiError(n);return n.json()}async delete(e){let r=await this.client.generateToken(),s=await h(this.client.serverUrl,`/api/v1/namespaces/keys/${e}`,{method:"DELETE",token:r});if(!s.ok&&s.status!==204)throw await 
this.client._apiError(s)}async rotate(e){let r=this.client.getIdentity();if(!r)throw new Error("Not registered");let s=this.client.getPrivateKey();if(!s)throw new Error("Private key not found");let n=e||r.keyId;if(n!==r.keyId)throw new l({code:"CANNOT_ROTATE_OTHER_KEY",message:"Can only rotate the current machine key from this client. Use the server API directly for other keys.",statusCode:400});let i=await ze(r.algorithm),o=await me(r.namespace,r.keyId,s,r.algorithm),a=await h(r.serverUrl,`/api/v1/namespaces/keys/${n}/rotate`,{method:"POST",token:o,body:JSON.stringify({newPublicKey:i.publicPem})});if(!a.ok)throw await this.client._apiError(a);let c=await a.json();return qe(this.client.stateDir,i.privatePem),Ve(this.client.stateDir,{...r,rotatedAt:c.rotatedAt}),c}async rotateCurrent(){return this.rotate()}async invalidate(e,r){let s=await this.client.generateToken(),n=await h(this.client.serverUrl,`/api/v1/namespaces/keys/${e}/invalidate`,{method:"POST",token:s,body:JSON.stringify({reason:r})});if(!n.ok)throw await this.client._apiError(n)}},Ee=class{serverUrl;stateDir;proxyUrl;keys;algorithm;rotationTTL;inviteToken;constructor(e={}){this.serverUrl=(e.serverUrl||k("BOTPARTY_SERVER_URL")||Pt).replace(/\/$/,""),this.proxyUrl=(e.proxyUrl||k("BOTPARTY_PROXY_URL")||k("KEYCHAINS_PROXY_URL")||"https://keychains.dev").replace(/\/$/,""),this.stateDir=e.stateDir||k("BOTPARTY_STATE_DIR")||Ot(),this.algorithm=e.algorithm||Kt,this.rotationTTL=e.rotationTTL||Rt,this.inviteToken=e.inviteToken||k("BOTPARTY_INVITE_TOKEN"),this.keys=new ge(this)}getIdentity(){return kt(this.stateDir)}getPrivateKey(){return Nt(this.stateDir)}isRegistered(){return this.getIdentity()!==null&&this.getPrivateKey()!==null}async register(e,r,s){let n=e,i=0,o=s?.inviteToken||this.inviteToken;for(;i<It;){n||(n=Ut());let a=r||n,c=await ze(this.algorithm),p=await 
h(this.serverUrl,"/api/v1/namespaces/register",{method:"POST",body:JSON.stringify({namespace:n,publicKey:c.publicPem,rotationTTL:this.rotationTTL,...o&&{inviteToken:o}})}),u=await p.json();if(u.status==="already_registered")throw new l({code:"ALREADY_REGISTERED",message:`Namespace "${n}" is already registered`,statusCode:409});if(p.status===409&&!e){n=void 0,i++;continue}if(!p.ok)throw new l({code:u.error||"REGISTRATION_FAILED",message:u.message||u.error||"Registration failed",statusCode:p.status});let m=u.challenge,S=await Lt(m,c.privatePem,this.algorithm),y=await h(this.serverUrl,"/api/v1/namespaces/register/verify",{method:"POST",body:JSON.stringify({namespace:n,challenge:m,signature:S})});if(!y.ok)throw await this._apiError(y);let f=await y.json();return qe(this.stateDir,c.privatePem),Ve(this.stateDir,{serverUrl:this.serverUrl,namespace:n,keyId:f.keyId,algorithm:this.algorithm,rotatedAt:f.rotatedAt,rotationTTL:f.rotationTTL,label:a,...f.parentNamespace&&{parentNamespace:f.parentNamespace},...f.inheritedScopes&&{inheritedScopes:f.inheritedScopes}}),f}throw new l({code:"REGISTRATION_FAILED",message:"Failed to find available namespace after retries",statusCode:409})}async ensureRegistered(){let e=this.getIdentity();if(e&&this.getPrivateKey())return e;await this.register(void 0,void 0,{inviteToken:this.inviteToken});let r=this.getIdentity();if(!r)throw new Error("Registration succeeded but identity could not be read");return r}async ensureFreshKey(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let s=new Date(e.rotatedAt).getTime()+e.rotationTTL*6e4;Date.now()>=s-Tt&&await this.keys.rotateCurrent()}async generateToken(e){await this.ensureRegistered(),await this.ensureFreshKey();let r=this.getIdentity(),s=this.getPrivateKey();return me(r.namespace,r.keyId,s,r.algorithm,e)}async fetch(e,r={}){let s=await this.generateToken(),n=Me(e,this.proxyUrl),i=new Headers(r.headers);i.set("X-Proxy-Authorization",`Bearer ${s}`);let o=await 
fetch(n,{...r,headers:i});if(o.status===401){let a=await V(o);if(a){let{code:c}=N(a);if(c==="KEY_STALE"){await this.keys.rotateCurrent();let p=await this.generateToken(),u=new Headers(r.headers);u.set("X-Proxy-Authorization",`Bearer ${p}`),o=await fetch(n,{...r,headers:u})}}}if(o.status===403){let a=await V(o);if(a){let c=typeof a.error=="string"?a.error:a.error?.code;if(c==="wrong_proxy"&&a.proxyUrl){let m=a.proxyUrl.replace(/\/$/,""),S=Me(e,m),y=new Headers(r.headers);return y.set("X-Proxy-Authorization",`Bearer ${s}`),fetch(S,{...r,headers:y})}let p=a.approval_url||a.authorizationUrl;if(p){let m=c==="scope_refused",S=a.missing_scopes||a.missingScopes;throw m||c==="insufficient_scope"||c==="permission_denied"||c==="scope_not_approved"||c==="permission_needs_revalidation"?new q({message:a.message||"Missing required credentials",actionUrl:p,missingScopes:S}):new z({message:a.message||"Missing required credentials",actionUrl:p})}let{code:u}=N(a);Be(u)&&Fe(o.status,a,this.getIdentity(),this.serverUrl)}}if([401,402,423].includes(o.status)){let a=await V(o);if(a){let{code:c}=N(a);(Be(c)||o.status===402||o.status===423)&&Fe(o.status,a,this.getIdentity(),this.serverUrl)}}return o}async info(e){let r=e||this.getIdentity()?.namespace;if(!r)throw new Error("Not registered and no namespace provided");let s=await h(this.serverUrl,`/api/v1/namespaces/${r}/info`);if(!s.ok)throw await this._apiError(s);return s.json()}async destroy(){let e=await this.generateToken(),r=await h(this.serverUrl,"/api/v1/namespaces",{method:"DELETE",token:e});if(!r.ok&&r.status!==204)throw await this._apiError(r);$e(this.stateDir)}async link(){let e=this.getIdentity();if(!e)throw new Error("Not registered");let r=this.getPrivateKey();if(!r)throw new Error("Private key not found");let s=await me(e.namespace,e.keyId,r,e.algorithm,{act:"link"});return{url:`${e.serverUrl}/namespaces/${e.namespace}/link?jwt=${s}`}}whoami(){let e=this.getIdentity();if(!e)return null;let r=new Date(new 
Date(e.rotatedAt).getTime()+e.rotationTTL*6e4).toISOString();return{namespace:e.namespace,keyId:e.keyId,algorithm:e.algorithm,rotationTTL:e.rotationTTL,rotatedAt:e.rotatedAt,staleAt:r,label:e.label,serverUrl:e.serverUrl}}key(e){return new ye(this,e)}reset(){$e(this.stateDir)}async _apiError(e){let r=await V(e);if(!r)return new l({code:"UNKNOWN",message:`Request failed with status ${e.status}`,statusCode:e.status});let{code:s,message:n,actionUrl:i}=N(r);return new l({code:s,message:n,statusCode:e.status,actionUrl:i})}},Wt=new Set(["NAMESPACE_LOCKED","LOCKUP_TRIGGERED","PAYMENT_REQUIRED","LINK_REQUIRED","INSUFFICIENT_SCOPE","PERMISSION_DENIED","KEY_STALE","KEY_EXPIRED"]);function Be(t){return Wt.has(t.toUpperCase())}function Fe(t,e,r,s){let{code:n,message:i,actionUrl:o,extra:a}=N(e),c=r?.namespace||"",p=r?.serverUrl||s;throw n==="NAMESPACE_LOCKED"||n==="LOCKUP_TRIGGERED"||t===423?new fe({message:i||"Namespace is locked",actionUrl:o||`${p}/namespaces/${c}/unlock`,lockedAt:a.lockedAt,reason:a.reason}):n==="PAYMENT_REQUIRED"||t===402?new he({message:i,actionUrl:o,amount:a.amount||e.amount,service:a.service||e.service}):n==="LINK_REQUIRED"?new z({message:i,actionUrl:o||`${p}/namespaces/${c}/link`}):n==="INSUFFICIENT_SCOPE"||n==="PERMISSION_DENIED"||t===403?new q({message:i,actionUrl:o,missingScopes:a.missingScopes||a.missing_scopes}):new l({code:n,message:i,statusCode:t,actionUrl:o})}var le=null;function Ht(t){return le||(le=new Ee(t)),le}async function as(t,e={}){let{serverUrl:r,stateDir:s,proxyUrl:n,...i}=e;return Ht({serverUrl:r,stateDir:s,proxyUrl:n}).fetch(t,i)}function k(t){if(typeof process<"u"&&process.env)return process.env[t]}export{Ee as BotPartyClient,l as BotPartyError,q as InsufficientPermissionError,ye as Key,ge as KeyManager,z as LinkRequiredError,fe as NamespaceLockedError,he as PaymentRequiredError,as as botpartyFetch,Me as toProxyUrl};
|