@crossauth/backend 0.0.14 → 0.0.16

package/dist/index.js

@@ -2,20 +2,20 @@ var Ae = Object.defineProperty;
 var Ie = (S, s, e) => s in S ? Ae(S, s, { enumerable: !0, configurable: !0, writable: !0, value: e }) : S[s] = e;
 var h = (S, s, e) => Ie(S, typeof s != "symbol" ? s + "" : s, e);
 import { CrossauthError as o, ErrorCode as l, UserState as E, CrossauthLogger as u, j as f, OAuthFlows as b, KeyPrefix as U, OAuthTokenConsumerBase as Pe, OAuthClientBase as Ke } from "@crossauth/common";
-import { PrismaClient as oe, Prisma as X } from "@prisma/client";
-import ge from "ldapjs";
-import { timingSafeEqual as me, randomBytes as ce, randomUUID as Fe, createHash as Oe, pbkdf2 as Ne, createHmac as we, createCipheriv as Re, createDecipheriv as De, randomInt as ee } from "node:crypto";
-import { promisify as xe } from "node:util";
+import { PrismaClient as ce, Prisma as X } from "@prisma/client";
+import ye from "ldapjs";
+import { timingSafeEqual as he, randomBytes as ue, randomUUID as Fe, createHash as Oe, pbkdf2 as Ne, createHmac as ie, createCipheriv as Re, createDecipheriv as xe, randomInt as ee } from "node:crypto";
+import { promisify as De } from "node:util";
 import W from "nunjucks";
 import Ee from "nodemailer";
 import Be from "twilio";
-import ze from "qrcode";
-import { authenticator as de } from "otplib";
-import ie from "jsonwebtoken";
-import { createPublicKey as Le } from "crypto";
+import Le from "qrcode";
+import { authenticator as fe } from "otplib";
+import se from "jsonwebtoken";
+import { createPublicKey as ze } from "crypto";
 import te from "node:fs";
 import * as He from "jose";
-var g = /* @__PURE__ */ ((S) => (S[S.String = 0] = "String", S[S.Number = 1] = "Number", S[S.Boolean = 2] = "Boolean", S[S.Json = 3] = "Json", S[S.JsonArray = 4] = "JsonArray", S))(g || {});
+var m = /* @__PURE__ */ ((S) => (S[S.String = 0] = "String", S[S.Number = 1] = "Number", S[S.Boolean = 2] = "Boolean", S[S.Json = 3] = "Json", S[S.JsonArray = 4] = "JsonArray", S))(m || {});
 function Me(S, s) {
   let e = S.split("."), t = s;
   for (let r in e) {
@@ -25,7 +25,7 @@ function Me(S, s) {
   }
   return t;
 }
-function ye(S, s) {
+function pe(S, s) {
   let e = S.split("."), t = s;
   for (let r in e) {
     const i = e[r];
@@ -59,11 +59,11 @@ function Ve(S, s, e, t) {
       break;
   }
 }
-function m(S, s, e, t, r, i = !1) {
+function w(S, s, e, t, r, i = !1) {
   const a = "CROSSAUTH_" + r;
-  if (i && !ye(S, t) && !(a && a in process.env))
+  if (i && !pe(S, t) && !(a && a in process.env))
     throw new o(l.Configuration, S + " is required");
-  ye(S, t) ? je(e, S, t) : r && a in process.env && process.env[a] != null && Ve(e, S, s, a);
+  pe(S, t) ? je(e, S, t) : r && a in process.env && process.env[a] != null && Ve(e, S, s, a);
 }
 class H {
   /**
@@ -75,7 +75,7 @@ class H {
     h(this, "adminEditableFields", []);
     h(this, "normalizeUsername", !0);
     h(this, "normalizeEmail", !0);
-    m("userEditableFields", g.JsonArray, this, s, "USER_EDITABLE_FIELDS"), m("adminEditableFields", g.JsonArray, this, s, "ADMIN_EDITABLE_FIELDS"), m("normalizeUsername", g.JsonArray, this, s, "NORMALIZE_USERNAME"), m("normalizeEmail", g.JsonArray, this, s, "NORMALIZE_EMAIL");
+    w("userEditableFields", m.JsonArray, this, s, "USER_EDITABLE_FIELDS"), w("adminEditableFields", m.JsonArray, this, s, "ADMIN_EDITABLE_FIELDS"), w("normalizeUsername", m.JsonArray, this, s, "NORMALIZE_USERNAME"), w("normalizeEmail", m.JsonArray, this, s, "NORMALIZE_EMAIL");
   }
   /**
    * Creates a user with the given details and secrets.
@@ -98,7 +98,7 @@ class H {
     return s.normalize("NFD").replace(new RegExp("\\p{Diacritic}", "gu"), "").toLowerCase();
   }
 }
-class z {
+class L {
   /**
    * Returns an object decoded from the data field as a JSON string
    * @param data the JSON string to decode
@@ -150,7 +150,7 @@ class z {
       return e in s ? (delete s[e], !0) : !1;
   }
 }
-class ue {
+class me {
   /**
    * Constructor
    * @param _options see {@link OAuthClientStorageOptions}
@@ -158,7 +158,7 @@ class ue {
   constructor(s = {}) {
   }
 }
-class fe {
+class we {
   /**
    * Constructor
    * @param _options see {@link OAuthAuthorizationStorageOptions}
@@ -181,9 +181,9 @@ class G extends H {
     h(this, "includes", ["secrets"]);
     h(this, "includesObject", {});
     h(this, "forceIdToNumber", !0);
-    m("userTable", g.String, this, e, "USER_TABLE"), m("userSecretsTable", g.String, this, e, "USER_SECRETS_TABLE"), m("idColumn", g.String, this, e, "USER_ID_COLUMN"), m("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), m("includes", g.String, this, e, "USER_INCLUDES"), m("forceIdToNumber", g.String, this, e, "USER_FORCE_ID_TO_NUMBER"), this.includes.forEach((t) => {
+    w("userTable", m.String, this, e, "USER_TABLE"), w("userSecretsTable", m.String, this, e, "USER_SECRETS_TABLE"), w("idColumn", m.String, this, e, "USER_ID_COLUMN"), w("useridForeignKeyColumn", m.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), w("includes", m.String, this, e, "USER_INCLUDES"), w("forceIdToNumber", m.String, this, e, "USER_FORCE_ID_TO_NUMBER"), this.includes.forEach((t) => {
       this.includesObject[t] = !0;
-    }), e && e.prismaClient ? this.prismaClient = e.prismaClient : this.prismaClient = new oe();
+    }), e && e.prismaClient ? this.prismaClient = e.prismaClient : this.prismaClient = new ce();
   }
   async getUser(e, t, r) {
     let i, a;
@@ -223,6 +223,17 @@ class G extends H {
     const r = G.normalize(e);
     return this.getUser("username_normalized", r, t);
   }
+  /**
+   * Returns user matching the given field, or throws an exception.  
+   * 
+   * @param field the field to match
+   * @param value the value to match (case sensitive)
+   * @param options optionally turn off checks.  Used internally
+   * @throws CrossauthException with ErrorCode either `UserNotExist` or whatever pg throws
+   */
+  async getUserBy(e, t, r) {
+    return this.getUser(e, t, r);
+  }
   /**
    * Returns a {@link @crossauth/common!User} and {@link @crossauth/common!UserSecrets} instance matching the given email address, or throws an Exception.
    * 
@@ -277,7 +288,7 @@ class G extends H {
           });
         } catch {
         }
-        let { userid: w, ...y } = d ?? {};
+        let { userid: g, ...y } = d ?? {};
         n = { ...y, ...n }, await c[this.userTable].update({
           where: {
             [this.idColumn]: e.id
@@ -402,7 +413,7 @@ class G extends H {
     }
   }
 }
-class vt extends z {
+class kt extends L {
   /**
    * Constructor with user storage object to use plus optional parameters.
    * 
@@ -414,7 +425,7 @@ class vt extends z {
     h(this, "prismaClient");
     h(this, "transactionTimeout", 5e3);
     h(this, "useridForeignKeyColumn", "userid");
-    m("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), m("useridForeignKeyColumn", g.Number, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.keyTable && (this.keyTable = e.keyTable), e.prismaClient == null ? this.prismaClient = new oe() : this.prismaClient = e.prismaClient;
+    w("transactionTimeout", m.Number, this, e, "TRANSACTION_TIMEOUT"), w("useridForeignKeyColumn", m.Number, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.keyTable && (this.keyTable = e.keyTable), e.prismaClient == null ? this.prismaClient = new ce() : this.prismaClient = e.prismaClient;
   }
   async getKey(e) {
     return await this.getKeyWithTransaction(e, this.prismaClient);
@@ -672,7 +683,7 @@ class vt extends z {
     }
   }
 }
-class Tt extends ue {
+class Et extends me {
   /**
    * Constructor with user storage object to use plus optional parameters.
    * 
@@ -688,7 +699,7 @@ class Tt extends ue {
     h(this, "transactionTimeout", 5e3);
     h(this, "updateMode", "DeleteAndInsert");
     h(this, "useridForeignKeyColumn", "userid");
-    m("clientTable", g.String, this, e, "OAUTH_CLIENT_TABLE"), m("redirectUriTable", g.String, this, e, "OAUTH_REDIRECTURI_TABLE"), m("validFlowTable", g.String, this, e, "OAUTH_VALID_FLOW_TABLE"), m("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), m("updateMode", g.String, this, e, "OAUTHCLIENT_UPDATE_MODE"), m("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.prismaClient == null ? this.prismaClient = new oe() : this.prismaClient = e.prismaClient;
+    w("clientTable", m.String, this, e, "OAUTH_CLIENT_TABLE"), w("redirectUriTable", m.String, this, e, "OAUTH_REDIRECTURI_TABLE"), w("validFlowTable", m.String, this, e, "OAUTH_VALID_FLOW_TABLE"), w("transactionTimeout", m.Number, this, e, "TRANSACTION_TIMEOUT"), w("updateMode", m.String, this, e, "OAUTHCLIENT_UPDATE_MODE"), w("useridForeignKeyColumn", m.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.prismaClient == null ? this.prismaClient = new ce() : this.prismaClient = e.prismaClient;
   }
   async getClientById(e) {
     return (await this.getClientWithTransaction("client_id", e, this.prismaClient, !0, void 0))[0];
@@ -706,14 +717,14 @@ class Tt extends ue {
             ...n
           },
           include: { redirect_uri: !0, valid_flow: !0 }
-        }), d = c.redirect_uri, w = c.valid_flow;
+        }), d = c.redirect_uri, g = c.valid_flow;
         let y = c[this.useridForeignKeyColumn];
         return y === null && (y = void 0), this.useridForeignKeyColumn != "userid" && delete c[this.useridForeignKeyColumn], [{
           ...c,
           userid: y,
           client_secret: c.client_secret ?? void 0,
           redirect_uri: d.map((p) => p.uri),
-          valid_flow: w.map((p) => p.flow)
+          valid_flow: g.map((p) => p.flow)
         }];
       } else {
         const c = await r[this.clientTable].findMany({
@@ -724,9 +735,9 @@ class Tt extends ue {
           include: { redirect_uri: !0, valid_flow: !0 }
         });
         for (let d of c) {
-          const w = d.redirect_uri, y = d.valid_flow;
+          const g = d.redirect_uri, y = d.valid_flow;
           let p = d[this.useridForeignKeyColumn];
-          p == null && (p = void 0), d.userid = p, this.useridForeignKeyColumn != "userid" && delete d[this.useridForeignKeyColumn], d.client_secret = d.client_secret ?? void 0, d.redirect_uri = w.map((_) => _.uri), d.valid_flow = y.map((_) => _.flow);
+          p == null && (p = void 0), d.userid = p, this.useridForeignKeyColumn != "userid" && delete d[this.useridForeignKeyColumn], d.client_secret = d.client_secret ?? void 0, d.redirect_uri = g.map((_) => _.uri), d.valid_flow = y.map((_) => _.flow);
         }
         return c;
       }
@@ -935,7 +946,7 @@ class Tt extends ue {
     }
   }
 }
-class _t extends fe {
+class bt extends we {
   /**
    * Constructor with user storage object to use plus optional parameters.
    * 
@@ -948,7 +959,7 @@ class _t extends fe {
     // PrismaClient;
     h(this, "transactionTimeout", 5e3);
     h(this, "useridForeignKeyColumn", "userid");
-    m("authorizationTable", g.String, this, e, "OAUTH_CLIENT_TABLE"), m("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), m("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.prismaClient == null ? this.prismaClient = new oe() : this.prismaClient = e.prismaClient;
+    w("authorizationTable", m.String, this, e, "OAUTH_CLIENT_TABLE"), w("transactionTimeout", m.Number, this, e, "TRANSACTION_TIMEOUT"), w("useridForeignKeyColumn", m.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.prismaClient == null ? this.prismaClient = new ce() : this.prismaClient = e.prismaClient;
   }
   async getAuthorizations(e, t) {
     try {
@@ -1000,10 +1011,10 @@ class _t extends fe {
     }
   }
 }
-class kt extends H {
+class Ut extends H {
   /**
    * Creates a InMemoryUserStorage object, optionally overriding defaults.
-   * @param options @see {@link InMemoryUserStorageOptions}
+   * @param options see {@link InMemoryUserStorageOptions}
   */
   constructor(e = {}) {
     super(e);
@@ -1089,6 +1100,16 @@ class kt extends H {
       this.getUserByUsername(e, t)
     );
   }
+  /**
+   * Returns a {@link User } and {@link UserSecrets } instance matching the given email address, or throws an Exception.
+   * 
+   * @param email the emaila ddress to look up
+   * @returns a {@link User } and {@link UserSecrets } instance, ie including the password hash.
+   * @throws {@link @crossauth/common!CrossauthError } with {@link @crossauth/common!ErrorCode } set to either `UserNotExist`.
+   */
+  async getUserBy(e, t, r) {
+    throw new o(l.NotImplemented);
+  }
   /**
    * If the given session key exist in the database, update it with the passed values.  If it doesn't
    * exist, throw a CreossauthError with InvalidKey.
@@ -1136,7 +1157,7 @@ class kt extends H {
     return i;
   }
 }
-class Et extends z {
+class At extends L {
   /**
    * Constructor
    */
@@ -1289,7 +1310,7 @@ class Et extends z {
     this.deleteDataInternal(i, t) && (r.data = JSON.stringify(i));
   }
 }
-class bt extends ue {
+class It extends me {
   /**
    * Constructor
    */
@@ -1380,7 +1401,7 @@ class bt extends ue {
     return a;
   }
 }
-class Ut extends fe {
+class Pt extends we {
   /**
    * Constructor
    */
@@ -1418,7 +1439,7 @@ class Ut extends fe {
 function $e(S, s) {
   return { username: Array.isArray(s.uid) ? s.uid[0] : s.uid, state: "active", ...S };
 }
-class ae extends H {
+class oe extends H {
   /**
    * Constructor.
    * @param localStorage the underlying storage where users are kept (without passwords)
@@ -1431,7 +1452,7 @@ class ae extends H {
     h(this, "ldapUserSearchBase", "");
     h(this, "ldapUsernameAttribute", "cn");
     h(this, "createUserFn", $e);
-    this.localStorage = e, m("ldapUrls", g.JsonArray, this, t, "LDAP_URL", !0), m("ldapUserSearchBase", g.String, this, t, "LDAP_USER_SEARCH_BASE"), m("ldapUsernameAttribute", g.String, this, t, "LDAP_USENAME_ATTRIBUTE"), t.createUserFn && (this.createUserFn = t.createUserFn);
+    this.localStorage = e, w("ldapUrls", m.JsonArray, this, t, "LDAP_URL", !0), w("ldapUserSearchBase", m.String, this, t, "LDAP_USER_SEARCH_BASE"), w("ldapUsernameAttribute", m.String, this, t, "LDAP_USENAME_ATTRIBUTE"), t.createUserFn && (this.createUserFn = t.createUserFn);
   }
   /**
    * Authenticates the user in LDAP and, if valid, creates a user in local
@@ -1474,7 +1495,18 @@ class ae extends H {
    * @throws {@link @crossauth/common!CrossauthError} with {@link @crossauth/common!ErrorCode} `UsernameOrPasswordInvalid` or `Connection`
    */
   async getUserByEmail(e, t) {
-    return await this.getUserByEmail(e, t);
+    return await this.localStorage.getUserByEmail(e, t);
+  }
+  /**
+   * Returns user matching the given field, or throws an exception.  
+   * 
+   * @param field the field to match
+   * @param value the value to match (case sensitive)
+   * @param options optionally turn off checks.  Used internally
+   * @throws CrossauthException with ErrorCode either `UserNotExist` or whatever pg throws
+   */
+  async getUserBy(e, t, r) {
+    return await this.localStorage.getUserBy(e, t, r);
   }
   async getUsers(e, t) {
     return await this.localStorage.getUsers(e, t);
@@ -1514,20 +1546,20 @@ class ae extends H {
   async getLdapUser(e, t) {
     let r;
     try {
-      const i = ae.sanitizeLdapDnForSerach(e), a = [this.ldapUsernameAttribute + "=" + i, this.ldapUserSearchBase].join(",");
+      const i = oe.sanitizeLdapDnForSerach(e), a = [this.ldapUsernameAttribute + "=" + i, this.ldapUserSearchBase].join(",");
       if (!t) throw new o(l.PasswordInvalid);
       return u.logger.debug(f({ msg: "LDAP search " + a })), r = await this.ldapBind(a, t), await this.searchUser(r, a);
     } catch (i) {
       u.logger.debug(f({ err: i }));
       const a = o.asCrossauthError(i);
-      throw i instanceof ge.InvalidCredentialsError ? new o(l.UsernameOrPasswordInvalid) : a.code != l.UnknownError ? a : new o(l.Connection, "LDAP error getting user");
+      throw i instanceof ye.InvalidCredentialsError ? new o(l.UsernameOrPasswordInvalid) : a.code != l.UnknownError ? a : new o(l.Connection, "LDAP error getting user");
     }
   }
   // bind and return the ldap client
   // from https://github.com/shaozi/ldap-authentication/blob/master/index.js
   ldapBind(e, t) {
     return new Promise((r, i) => {
-      let a = ge.createClient({ url: this.ldapUrls });
+      let a = ye.createClient({ url: this.ldapUrls });
       a.on("connect", function() {
         a.bind(e, t, function(n) {
           if (n) {
@@ -1559,17 +1591,17 @@ class ae extends H {
         t,
         n,
         function(c, d) {
-          let w;
+          let g;
           if (c) {
             a(c), e.unbind();
             return;
           }
           d.on("searchEntry", function(y) {
-            w = ae.searchResultToUser(y.pojo);
+            g = oe.searchResultToUser(y.pojo);
           }), d.on("error", function(y) {
             a(y), e.unbind();
           }), d.on("end", function(y) {
-            y.status != 0 ? a(new o(l.Connection, "LDAP  onnection failed")) : w ? i(w) : a(new o(l.UsernameOrPasswordInvalid)), e.unbind();
+            y.status != 0 ? a(new o(l.Connection, "LDAP  onnection failed")) : g ? i(g) : a(new o(l.UsernameOrPasswordInvalid)), e.unbind();
           });
         }
       );
@@ -1595,7 +1627,7 @@ class ae extends H {
    * @returns a sanitized dn
    */
   static sanitizeLdapDnForSerach(e) {
-    return ae.sanitizeLdapDn(e).replace("*", "*").replace("(", "(").replace(")", ")");
+    return oe.sanitizeLdapDn(e).replace("*", "*").replace("(", "(").replace(")", ")");
   }
 }
 class Y extends H {
@@ -1612,7 +1644,7 @@ class Y extends H {
     h(this, "useridForeignKeyColumn", "userid");
     h(this, "forceIdToNumber", !0);
     h(this, "dbPool");
-    this.dbPool = e, m("userTable", g.String, this, t, "USER_TABLE"), m("userSecretsTable", g.String, this, t, "USER_SECRETS_TABLE"), m("idColumn", g.String, this, t, "USER_ID_COLUMN"), m("forceIdToNumber", g.String, this, t, "USER_FORCE_ID_TO_NUMBER"), m("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN");
+    this.dbPool = e, w("userTable", m.String, this, t, "USER_TABLE"), w("userSecretsTable", m.String, this, t, "USER_SECRETS_TABLE"), w("idColumn", m.String, this, t, "USER_ID_COLUMN"), w("forceIdToNumber", m.String, this, t, "USER_FORCE_ID_TO_NUMBER"), w("useridForeignKeyColumn", m.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN");
   }
   /**
    * Returns user matching the given id, or throws an exception.  
@@ -1649,29 +1681,40 @@ class Y extends H {
     const r = this.normalizeEmail ? Y.normalize(e) : e;
     return this.getUser("email_normalized", r, t);
   }
+  /**
+   * Returns user matching the given field, or throws an exception.  
+   * 
+   * @param field the field to match
+   * @param value the value to match (case sensitive)
+   * @param options optionally turn off checks.  Used internally
+   * @throws CrossauthException with ErrorCode either `UserNotExist` or whatever pg throws
+   */
+  async getUserBy(e, t, r) {
+    return await this.getUser(e, t, r);
+  }
   async getUser(e, t, r) {
-    let i = await this.dbPool.connect(), a, n;
+    let i = await this.dbPool.connect(), a, n, c = this.dbPool.parameters();
     try {
       await i.startTransaction();
-      let c = `select * from ${this.userTable} where ${e} = $1`, d = await i.execute(c, [t]);
-      if (d.length == 0)
+      let d = `select * from ${this.userTable} where ${e} = ` + c.nextParameter(), g = await i.execute(d, [t]);
+      if (g.length == 0)
         throw new o(l.UserNotExist);
-      let w, y, p;
-      if (this.idColumn in d[0]) w = d[0][this.idColumn];
+      let y, p, _;
+      if (this.idColumn in g[0]) y = g[0][this.idColumn];
       else throw new o(l.Configuration, "ID column " + this.idColumn + " not present in user table");
-      if ("username" in d[0]) y = d[0].username;
+      if ("username" in g[0]) p = g[0].username;
       else throw new o(l.Configuration, "username column " + this.idColumn + " not present in user table");
-      if ("state" in d[0]) p = d[0].state;
+      if ("state" in g[0]) _ = g[0].state;
       else throw new o(l.Configuration, "state column " + this.idColumn + " not present in user table");
       if (a = {
-        ...d[0],
-        id: w,
-        username: y,
-        state: p
+        ...g[0],
+        id: y,
+        username: p,
+        state: _
       }, !a) throw new o(l.UserNotExist);
-      if (c = `select * from ${this.userSecretsTable} where ${this.useridForeignKeyColumn} = $1`, d = await i.execute(c, [a.id]), d.length == 0)
+      if (c = this.dbPool.parameters(), d = `select * from ${this.userSecretsTable} where ${this.useridForeignKeyColumn} = ` + c.nextParameter(), g = await i.execute(d, [a.id]), g.length == 0)
         throw new o(l.UserNotExist);
-      if (d.length > 0 ? n = { userid: a.id, ...d[0] } : n = { userid: a.id }, !n) throw new o(l.UserNotExist);
+      if (g.length > 0 ? n = { userid: a.id, ...g[0] } : n = { userid: a.id }, !n) throw new o(l.UserNotExist);
       if (this.useridForeignKeyColumn != "userid" && this.useridForeignKeyColumn in n && delete n[this.useridForeignKeyColumn], await i.commit(), (r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.awaitingTwoFactorSetup)
         throw u.logger.debug(f({ msg: "2FA setup is not complete" })), new o(l.TwoFactorIncomplete);
       if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.disabled)
@@ -1685,8 +1728,8 @@ class Y extends H {
       if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.factor2ResetNeeded)
         throw u.logger.debug(f({ msg: "2FA reset required" })), new o(l.Factor2ResetNeeded);
       return { user: a, secrets: n };
-    } catch (c) {
-      throw await i.rollback(), c;
+    } catch (d) {
+      throw await i.rollback(), d;
     } finally {
       i.release();
     }
@@ -1702,7 +1745,7 @@ class Y extends H {
     let i = [], a = [], n = "", c = "", d = this.dbPool.parameters();
     e && (c = "OFFSET " + d.nextParameter()), t && (a.push(t), n = "LIMIT " + d.nextParameter());
     try {
-      let w = `select * from ${this.userTable} ${n} ${c} order by username_normalized asc`, y = await r.execute(w, a);
+      let g = `select * from ${this.userTable} ${n} ${c} order by username_normalized asc`, y = await r.execute(g, a);
       if (y.length == 0)
         throw new o(l.UserNotExist);
       for (let p of y) {
@@ -1722,8 +1765,8 @@ class Y extends H {
         i.push(k);
       }
       return i;
-    } catch (w) {
-      throw w;
+    } catch (g) {
+      throw g;
     } finally {
       r.release();
     }
@@ -1748,21 +1791,21 @@ class Y extends H {
         throw new o(l.UserNotExist);
       let c = { ...e }, d = t ? { ...t } : void 0;
       "email" in c && c.email && (c = { email_normalized: this.normalizeEmail ? Y.normalize(c.email) : c.email, ...c }), "username" in c && c.username && (c = { username_normalized: this.normalizeUsername ? Y.normalize(c.username) : c.username, ...c }), i = this.dbPool.parameters();
-      let w = [], y = [];
+      let g = [], y = [];
       for (let p in c)
-        c[p] != null && p != "id" && (w.push(p + "= " + i.nextParameter()), y.push(c[p]));
-      if (w.length > 0) {
-        let p = w.join(", ");
+        c[p] != null && p != "id" && (g.push(p + "= " + i.nextParameter()), y.push(c[p]));
+      if (g.length > 0) {
+        let p = g.join(", ");
         y.push(e.id);
         let _ = `update ${this.userTable} set ${p} where ${this.idColumn} = ` + i.nextParameter();
         await r.execute(_, y);
       }
       if (t) {
-        w = [], y = [], i = this.dbPool.parameters();
+        g = [], y = [], i = this.dbPool.parameters();
         for (let p in d)
-          d[p] != null && p != "userid" && (w.push(p + "= " + i.nextParameter()), y.push(d[p]));
-        if (w.length > 0) {
-          let p = w.join(", ");
+          d[p] != null && p != "userid" && (g.push(p + "= " + i.nextParameter()), y.push(d[p]));
+        if (g.length > 0) {
+          let p = g.join(", ");
           y.push(e.id);
           let _ = `update ${this.userSecretsTable} set ${p} where userid = ` + i.nextParameter();
           await r.execute(_, y);
@@ -1793,27 +1836,27 @@ class Y extends H {
       await r.startTransaction();
       let a = { ...e }, n = t ? { ...t } : void 0;
       "email" in a && a.email && (a = { email_normalized: this.normalizeEmail ? Y.normalize(a.email) : a.email, ...a }), "username" in a && a.username && (a = { username_normalized: this.normalizeUsername ? Y.normalize(a.username) : a.username, ...a });
-      let c = [], d = [], w = [];
+      let c = [], d = [], g = [];
       const y = this.dbPool.parameters();
       for (let _ in a)
-        a[_] != null && _ != "id" && (c.push(_), d.push(y.nextParameter()), w.push(a[_]));
+        a[_] != null && _ != "id" && (c.push(_), d.push(y.nextParameter()), g.push(a[_]));
       if (c.length > 0) {
         let _ = c.join(", "), C = d.join(", ");
-        const v = `insert into ${this.userTable} (${_}) values (${C}) returning ${this.idColumn}`, k = await r.execute(v, w);
+        const v = `insert into ${this.userTable} (${_}) values (${C}) returning ${this.idColumn}`, k = await r.execute(v, g);
         if (k.length == 0 || !k[0][this.idColumn]) throw new o(l.Connection, "Couldn't create user");
         i = k[0][this.idColumn];
       }
       if (!i) throw new o(l.Connection, "Couldn't create user");
       if (t) {
-        c = [], d = [], w = [];
+        c = [], d = [], g = [];
         const _ = this.dbPool.parameters();
-        c.push("userid"), d.push(_.nextParameter()), w.push(i);
+        c.push("userid"), d.push(_.nextParameter()), g.push(i);
         for (let C in n)
-          n[C] != null && C != "userid" && (c.push(C), d.push(_.nextParameter()), w.push(n[C]));
+          n[C] != null && C != "userid" && (c.push(C), d.push(_.nextParameter()), g.push(n[C]));
         if (c.length > 0) {
           let C = c.join(", "), v = d.join(", ");
           const k = `insert into ${this.userSecretsTable} (${C}) values (${v})`;
-          u.logger.debug(f({ msg: "Executing query", query: k })), await r.execute(k, w);
+          u.logger.debug(f({ msg: "Executing query", query: k })), await r.execute(k, g);
         }
       }
       return await r.commit(), (await this.getUserById(i)).user;
@@ -1830,8 +1873,8 @@ class Y extends H {
     let { user: r } = await this.getUserByUsername(e), i = r.id;
     try {
       await t.startTransaction();
-      let a = `delete from ${this.userSecretsTable} where ${this.useridForeignKeyColumn}=$1`;
-      await t.execute(a, [i]), a = `delete from ${this.userTable} where username=$1`, await t.execute(a, [e]), await t.commit();
+      let a = this.dbPool.parameters(), n = `delete from ${this.userSecretsTable} where ${this.useridForeignKeyColumn}=` + a.nextParameter();
+      await t.execute(n, [i]), a = this.dbPool.parameters(), n = `delete from ${this.userTable} where username=` + a.nextParameter(), await t.execute(n, [e]), await t.commit();
     } catch (a) {
       throw await t.rollback(), a;
     } finally {
@@ -1851,8 +1894,8 @@ class Y extends H {
     const t = await this.dbPool.connect();
     try {
       await t.startTransaction();
-      let r = `delete from ${this.userSecretsTable} where ${this.useridForeignKeyColumn}=$1`;
-      await t.execute(r, [e]), r = `delete from ${this.userTable} where ${this.idColumn}=$1`, await t.execute(r, [e]), await t.commit();
+      let r = this.dbPool.parameters(), i = `delete from ${this.userSecretsTable} where ${this.useridForeignKeyColumn}=` + r.nextParameter();
+      await t.execute(i, [e]), r = this.dbPool.parameters(), i = `delete from ${this.userTable} where ${this.idColumn}=` + r.nextParameter(), await t.execute(i, [e]), await t.commit();
     } catch (r) {
       throw await t.rollback(), r;
     } finally {
@@ -1860,7 +1903,7 @@ class Y extends H {
     }
   }
 }
-class qe extends z {
+class qe extends L {
   /**
    * Constructor with user storage object to use plus optional parameters.
    * 
@@ -1872,7 +1915,7 @@ class qe extends z {
     h(this, "keyTable", "keys");
     h(this, "dbPool");
     h(this, "useridForeignKeyColumn", "userid");
-    m("transactionTimeout", g.Number, this, t, "TRANSACTION_TIMEOUT"), m("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), t.keyTable && (this.keyTable = t.keyTable), this.dbPool = e;
+    w("transactionTimeout", m.Number, this, t, "TRANSACTION_TIMEOUT"), w("useridForeignKeyColumn", m.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), t.keyTable && (this.keyTable = t.keyTable), this.dbPool = e;
   }
   async getKey(e) {
     const t = await this.dbPool.connect();
@@ -1919,14 +1962,17 @@ class qe extends z {
    * @throws {@link @crossauth/common!CrossauthError } if the key could not be stored.
    */
   async saveKey(e, t, r, i, a, n = {}) {
-    let c, d = [this.useridForeignKeyColumn, "value", "created", "expires", "data"], w = ["$1", "$2", "$3", "$4", "$5"], y = [e ?? null, t, r, i ?? null, a ?? ""], p = 6;
+    let c, d = [this.useridForeignKeyColumn, "value", "created", "expires", "data"], g = this.dbPool.parameters(), y = [];
+    for (let k = 0; k < 5; ++k)
+      y.push(g.nextParameter());
+    let p = [e ?? null, t, r, i ?? null, a ?? ""];
     for (let k in n)
-      d.push(k), w.push("$" + p++), y.push(n[k]);
-    let _ = d.join(", "), C = w.join(", ");
+      d.push(k), y.push(g.nextParameter()), p.push(n[k]);
+    let _ = d.join(", "), C = y.join(", ");
     const v = await this.dbPool.connect();
     try {
       const k = `insert into ${this.keyTable} (${_}) values (${C})`;
-      await v.execute(k, y);
+      await v.execute(k, p);
     } catch (k) {
       o.asCrossauthError(k).code == l.ConstraintViolation ? (u.logger.warn(f({ msg: "Attempt to create key that already exists. Stack trace follows" })), u.logger.debug(f({ err: k })), c = new o(l.KeyExists)) : (u.logger.debug(f({ err: k })), c = new o(l.Connection, "Error saving key"));
     } finally {
@@ -1938,8 +1984,8 @@ class qe extends z {
   async deleteKey(e) {
     const t = await this.dbPool.connect();
     try {
-      let r = `delete from ${this.keyTable} where value=$1`;
-      u.logger.debug(f({ msg: "Executing query", query: r })), await t.execute(r, [e]);
+      let r = this.dbPool.parameters(), i = `delete from ${this.keyTable} where value=`;
+      i += r.nextParameter(), u.logger.debug(f({ msg: "Executing query", query: i })), await t.execute(i, [e]);
     } finally {
       t.release();
     }
@@ -1947,8 +1993,15 @@ class qe extends z {
   async deleteAllForUser(e, t, r) {
     const i = await this.dbPool.connect();
     try {
-      let a, n = [], c = "", d = 1;
-      e ? (a = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} = $1 and value like $2 `, n = [e], d++) : a = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} is null and value like $1`, n.push(t + "%"), d++, r && (c = "and value != $" + d, n.push(r)), a += " " + c, u.logger.debug(f({ msg: "Executing query", query: a })), await i.execute(a, n);
+      let a, n = [], c = "", d = this.dbPool.parameters();
+      if (e) {
+        const g = d.nextParameter(), y = d.nextParameter();
+        a = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} = ${g} and value like ${y} `, n = [e];
+      } else {
+        const g = d.nextParameter();
+        a = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} is null and value like ${g}`;
+      }
+      n.push(t + "%"), r && (c = "and value != " + d.nextParameter(), n.push(r)), a += " " + c, u.logger.debug(f({ msg: "Executing query", query: a })), await i.execute(a, n);
     } catch (a) {
       throw a;
     } finally {
@@ -1961,8 +2014,8 @@ class qe extends z {
       let r = [], i = [];
       const a = this.dbPool.parameters();
       for (let d in e) {
-        let w = d == "userid" ? this.useridForeignKeyColumn : d;
-        e[d] == null ? r.push(w + " is null") : (r.push(w + " = " + a.nextParameter()), i.push(e[d]));
+        let g = d == "userid" ? this.useridForeignKeyColumn : d;
+        e[d] == null ? r.push(g + " is null") : (r.push(g + " = " + a.nextParameter()), i.push(e[d]));
       }
       let n = r.join(" and "), c = `delete from ${this.keyTable} where ${n}`;
       await t.execute(c, i);
@@ -2001,8 +2054,8 @@ class qe extends z {
       if (c.length == 0)
         return [];
       for (let d of c) {
-        let w = this.makeKey(d);
-        this.useridForeignKeyColumn != "userid" && (w.userid = w[this.useridForeignKeyColumn], delete w[this.useridForeignKeyColumn]), r.push(w);
+        let g = this.makeKey(d);
+        this.useridForeignKeyColumn != "userid" && (g.userid = g[this.useridForeignKeyColumn], delete g[this.useridForeignKeyColumn]), r.push(g);
       }
       return r;
     } catch (r) {
@@ -2101,7 +2154,7 @@ class qe extends z {
     }
   }
 }
-class We extends ue {
+class We extends me {
   /**
    * Constructor with user storage object to use plus optional parameters.
    * 
@@ -2114,7 +2167,7 @@ class We extends ue {
     h(this, "validFlowTable", "oauthclientvalidflow");
     h(this, "dbPool");
     h(this, "useridForeignKeyColumn", "userid");
-    m("clientTable", g.String, this, t, "OAUTH_CLIENT_TABLE"), m("redirectUriTable", g.String, this, t, "OAUTH_REDIRECTURI_TABLE"), m("validFlowTable", g.String, this, t, "OAUTH_VALID_FLOW_TABLE"), m("updateMode", g.String, this, t, "OAUTHCLIENT_UPDATE_MODE"), m("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), this.dbPool = e;
+    w("clientTable", m.String, this, t, "OAUTH_CLIENT_TABLE"), w("redirectUriTable", m.String, this, t, "OAUTH_REDIRECTURI_TABLE"), w("validFlowTable", m.String, this, t, "OAUTH_VALID_FLOW_TABLE"), w("updateMode", m.String, this, t, "OAUTHCLIENT_UPDATE_MODE"), w("useridForeignKeyColumn", m.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), this.dbPool = e;
   }
   async getClientById(e) {
     let t = await this.dbPool.connect();
@@ -2157,12 +2210,12 @@ class We extends ue {
     };
   }
   async getClientWithTransaction(e, t, r, i, a, n) {
-    let c = [], d = this.dbPool.parameters(), w = [], y = `select c.*, r.uri as uri, null as flow from ${this.clientTable} as c left join ${this.redirectUriTable} r on c.client_id = r.client_id `, p = "";
-    t && r && (p = `where c.${t} = ` + d.nextParameter(), w.push(r)), i !== null && i == null || (p == "" ? p = "where " : p += " and ", i == null ? p += "userid is null" : (p += `${this.useridForeignKeyColumn} = ` + d.nextParameter(), w.push(i)));
+    let c = [], d = this.dbPool.parameters(), g = [], y = `select c.*, r.uri as uri, null as flow from ${this.clientTable} as c left join ${this.redirectUriTable} r on c.client_id = r.client_id `, p = "";
+    t && r && (p = `where c.${t} = ` + d.nextParameter(), g.push(r)), i !== null && i == null || (p == "" ? p = "where " : p += " and ", i == null ? p += "userid is null" : (p += `${this.useridForeignKeyColumn} = ` + d.nextParameter(), g.push(i)));
     let _ = `select c.*, null as uri, f.flow as flow from ${this.clientTable} as c left join ${this.validFlowTable} f on c.client_id = f.client_id `, C = "";
-    t && r && (C = `where c.${t} = ` + d.nextParameter(), w.push(r)), i !== null && i == null || (C == "" ? C = "where " : C += " and ", i == null ? C += "userid is null" : (C += `${this.useridForeignKeyColumn} = ` + d.nextParameter(), w.push(i))), n && (a || (a = 0), a = Number(a), n = Number(n), p == "" ? p = "where " : p += " and ", p += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${a})`, C == "" ? C = "where " : C += " and ", C += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${a})`), y += p, _ += C;
+    t && r && (C = `where c.${t} = ` + d.nextParameter(), g.push(r)), i !== null && i == null || (C == "" ? C = "where " : C += " and ", i == null ? C += "userid is null" : (C += `${this.useridForeignKeyColumn} = ` + d.nextParameter(), g.push(i))), n && (a || (a = 0), a = Number(a), n = Number(n), p == "" ? p = "where " : p += " and ", p += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${a})`, C == "" ? C = "where " : C += " and ", C += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${a})`), y += p, _ += C;
     let v = y + " union " + _ + " order by client_id";
-    const k = await e.execute(v, w);
+    const k = await e.execute(v, g);
     let A;
     for (let M of k)
       (!A || M.client_id != A.client_id) && (A && c.push(A), A = this.makeClient(M), A.valid_flow = [], A.redirect_uri = []), M.uri && A.redirect_uri.push(M.uri), M.flow && A.valid_flow.push(M.flow);
@@ -2202,14 +2255,14 @@ class We extends ue {
       for (let C = 0; C < i.length; ++C)
         if (!b.isValidFlow(i[C])) throw new o(l.InvalidOAuthFlow, "Invalid flow " + i[C]);
     }
-    let c = [], d = [], w = [], y = this.dbPool.parameters();
+    let c = [], d = [], g = [], y = this.dbPool.parameters();
     try {
       for (let C in n)
-        c.push(C), d.push(y.nextParameter()), w.push(n[C]);
+        c.push(C), d.push(y.nextParameter()), g.push(n[C]);
       if (c.length > 0) {
         let C = c.join(", "), v = d.join(", ");
         const k = `insert into ${this.clientTable} (${C}) values (${v})`;
-        await e.execute(k, w);
+        await e.execute(k, g);
       }
     } catch (C) {
       throw typeof C == "object" && C != null && "code" in C && typeof C.code == "string" && (C.code.startsWith("22") || C.code.startsWith("23")) ? (u.logger.debug(f({ err: C })), new o(l.InvalidClientId, "Attempt to create an OAuth client with a client_id that already exists. Maximum attempts failed")) : (u.logger.debug(f({ err: C })), new o(l.Connection, "Error saving OAuth client"));
@@ -2220,15 +2273,15 @@ class We extends ue {
     let _ = p[0];
     if (r)
       for (let C = 0; C < r.length; ++C) {
-        w = [], y = this.dbPool.parameters();
+        g = [], y = this.dbPool.parameters();
         let v = `insert into ${this.redirectUriTable} (client_id, uri) values (` + y.nextParameter() + ", " + y.nextParameter() + ")";
-        w.push(_.client_id), w.push(r[C]), await e.execute(v, w);
+        g.push(_.client_id), g.push(r[C]), await e.execute(v, g);
       }
     if (i)
       for (let C = 0; C < i.length; ++C) {
-        w = [], y = this.dbPool.parameters();
+        g = [], y = this.dbPool.parameters();
         let v = `insert into ${this.validFlowTable} (client_id, flow) values (` + y.nextParameter() + ", " + y.nextParameter() + ")";
-        w.push(_.client_id), w.push(i[C]), await e.execute(v, w);
+        g.push(_.client_id), g.push(i[C]), await e.execute(v, g);
       }
     return { ..._, redirect_uri: r, valid_flow: i };
   }
@@ -2290,26 +2343,26 @@ class We extends ue {
     if (!t.client_id) throw new o(l.InvalidClientId, "No client ig given");
     let { client_id: a, redirect_uri: n, valid_flow: c, ...d } = t;
     n || (n = []), c || (c = []);
-    let w = this.dbPool.parameters(), y = `delete from ${this.redirectUriTable} where client_id = ` + w.nextParameter();
-    await e.execute(y, [t.client_id]), w = this.dbPool.parameters(), y = `delete from ${this.validFlowTable} where client_id = ` + w.nextParameter(), await e.execute(y, [t.client_id]);
+    let g = this.dbPool.parameters(), y = `delete from ${this.redirectUriTable} where client_id = ` + g.nextParameter();
+    await e.execute(y, [t.client_id]), g = this.dbPool.parameters(), y = `delete from ${this.validFlowTable} where client_id = ` + g.nextParameter(), await e.execute(y, [t.client_id]);
     let p = [], _ = [], C = [];
-    w = this.dbPool.parameters(), y = `delete from ${this.validFlowTable} where client_id = ` + w.nextParameter();
+    g = this.dbPool.parameters(), y = `delete from ${this.validFlowTable} where client_id = ` + g.nextParameter();
     for (let v in d)
-      p.push(v), _.push(w.nextParameter()), C.push(d[v]);
+      p.push(v), _.push(g.nextParameter()), C.push(d[v]);
     if (p.length > 0) {
       let v = p.join(", "), k = _.join(", ");
       y = `update ${this.clientTable} set (${v}) values (${k})`, await e.execute(y, C);
     }
     if (n)
       for (let v = 0; v < n.length; ++v) {
-        C = [], w = this.dbPool.parameters();
-        let k = `insert into ${this.redirectUriTable} (client_id, uri) values (` + w.nextParameter() + ", " + w.nextParameter() + ")";
+        C = [], g = this.dbPool.parameters();
+        let k = `insert into ${this.redirectUriTable} (client_id, uri) values (` + g.nextParameter() + ", " + g.nextParameter() + ")";
         C.push(t.client_id), C.push(n[v]), await e.execute(k, C);
       }
     if (c)
       for (let v = 0; v < c.length; ++v) {
-        C = [], w = this.dbPool.parameters();
-        let k = `insert into ${this.validFlowTable} (client_id, flow) values (` + w.nextParameter() + ", " + w.nextParameter() + ")";
+        C = [], g = this.dbPool.parameters();
+        let k = `insert into ${this.validFlowTable} (client_id, flow) values (` + g.nextParameter() + ", " + g.nextParameter() + ")";
         C.push(t.client_id), C.push(c[v]), await e.execute(k, C);
       }
   }
@@ -2326,7 +2379,7 @@ class We extends ue {
     }
   }
 }
-class Je extends fe {
+class Je extends we {
   /**
    * Constructor with user storage object to use plus optional parameters.
    * 
@@ -2337,14 +2390,14 @@ class Je extends fe {
     h(this, "authorizationTable", "oauthauthorization");
     h(this, "useridForeignKeyColumn", "userid");
     h(this, "dbPool");
-    m("authorizationTable", g.String, this, t, "OAUTH_CLIENT_TABLE"), m("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), this.dbPool = e;
+    w("authorizationTable", m.String, this, t, "OAUTH_CLIENT_TABLE"), w("useridForeignKeyColumn", m.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), this.dbPool = e;
   }
   async getAuthorizations(e, t) {
     let r = await this.dbPool.connect();
     try {
       const i = this.dbPool.parameters(), a = [];
       let n = `select scope from ${this.authorizationTable} where client_id = ` + i.nextParameter();
-      return a.push(e), t === null ? n += ` and ${this.useridForeignKeyColumn} is null` : t && (n += ` and ${this.useridForeignKeyColumn} = ` + i.nextParameter(), a.push(t)), (await r.execute(n, a)).map((w) => w.scope);
+      return a.push(e), t === null ? n += ` and ${this.useridForeignKeyColumn} is null` : t && (n += ` and ${this.useridForeignKeyColumn} = ` + i.nextParameter(), a.push(t)), (await r.execute(n, a)).map((g) => g.scope);
     } catch (i) {
       throw i;
     } finally {
@@ -2377,7 +2430,7 @@ class Ge {
 }
 class Ze {
 }
-class le extends Ye {
+class de extends Ye {
   constructor(e) {
     super();
     h(this, "pgPool");
@@ -2435,44 +2488,44 @@ class Qe extends Ge {
     return "$" + this.nextParam++;
   }
 }
-class At extends Y {
+class Kt extends Y {
   /**
    * Creates a PostgresUserStorage object, optionally overriding defaults.
    * @param pgPool the instance of the Posrgres client. 
    * @param options see {@link PostgresUserStorageOptions}.
    */
   constructor(s, e = {}) {
-    super(new le(s), e);
+    super(new de(s), e);
   }
 }
-class It extends qe {
+class Ft extends qe {
   /**
    * Creates a PostgresKeyStorage object, optionally overriding defaults.
    * @param pgPool the instance of the Posrgres client. 
    * @param options see {@link PostgresKeyStorageOptions}.
    */
   constructor(s, e = {}) {
-    super(new le(s), e);
+    super(new de(s), e);
   }
 }
-class Pt extends We {
+class Ot extends We {
   /**
    * Creates a PostgresOAuthClientStorage object, optionally overriding defaults.
    * @param pgPool the instance of the Posrgres client. 
-   * @param options see {@link PostgresOAuthStorageOptions}.
+   * @param options see {@link PostgresOAuthClientStorageOptions}.
    */
   constructor(s, e = {}) {
-    super(new le(s), e);
+    super(new de(s), e);
   }
 }
-class Kt extends Je {
+class Nt extends Je {
   /**
-   * Creates a PostgresOAuthStorage object, optionally overriding defaults.
+   * Creates a PostgresOAuthClientStorage object, optionally overriding defaults.
    * @param pgPool the instance of the Posrgres client. 
    * @param options see {@link PostgresOAuthAuthorizationStorageOptions}.
    */
   constructor(s, e = {}) {
-    super(new le(s), e);
+    super(new de(s), e);
   }
 }
 class re {
@@ -2513,7 +2566,7 @@ class be extends re {
     return "none";
   }
 }
-const pe = process.env.PBKDF2_DIGEST || "sha256", Ce = Number(process.env.PBKDF2_ITERATIONS || 6e5), Se = Number(process.env.PBKDF2_KEYLENGTH || 32), et = Number(process.env.PBKDF2_KEYLENGTH || 16), ve = "sha256", q = class q {
+const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2_ITERATIONS || 6e5), ve = Number(process.env.PBKDF2_KEYLENGTH || 32), et = Number(process.env.PBKDF2_KEYLENGTH || 16), ae = "sha256", q = class q {
   /**
    * Returns true if the plaintext password, when hashed, equals the one in the hash, using
    * it's hasher settings
@@ -2533,7 +2586,7 @@ const pe = process.env.PBKDF2_DIGEST || "sha256", Ce = Number(process.env.PBKDF2
     });
     if (i.length != r.hashedPassword.length)
       throw new o(l.PasswordInvalid);
-    return me(Buffer.from(i), Buffer.from(r.hashedPassword));
+    return he(Buffer.from(i), Buffer.from(r.hashedPassword));
   }
   /**
    * Decodes a string from base64 to UTF-89
@@ -2541,7 +2594,7 @@ const pe = process.env.PBKDF2_DIGEST || "sha256", Ce = Number(process.env.PBKDF2
    * @returns URF-8 text
    */
   static base64Decode(s) {
-    return Buffer.from(s, "base64").toString("utf-8");
+    return Buffer.from(s, "base64url").toString("utf-8");
   }
   /**
    * Base64-encodes UTF-8 text
@@ -2549,7 +2602,7 @@ const pe = process.env.PBKDF2_DIGEST || "sha256", Ce = Number(process.env.PBKDF2
    * @returns Base64 text
    */
   static base64Encode(s) {
-    return Buffer.from(s, "utf-8").toString("base64");
+    return Buffer.from(s, "utf-8").toString("base64url");
   }
   /**
    * Splits a hashed password into its component parts.  Return it as a {@link PasswordHash }.
@@ -2609,7 +2662,7 @@ const pe = process.env.PBKDF2_DIGEST || "sha256", Ce = Number(process.env.PBKDF2
    * @returns the random value as a string.  Number of bytes will be greater as it is base64 encoded.
    */
   static randomValue(s) {
-    return ce(s).toString("base64url");
+    return ue(s).toString("base64url");
   }
   // not real base32 - omits 1,i,0,o
   /**
@@ -2619,7 +2672,7 @@ const pe = process.env.PBKDF2_DIGEST || "sha256", Ce = Number(process.env.PBKDF2
    */
   static randomBase32(s, e) {
     var i;
-    const r = [...ce(s)].map((a) => q.Base32[a % 32]).join("");
+    const r = [...ue(s)].map((a) => q.Base32[a % 32]).join("");
     return e ? ((i = r.match(/(.{1,4})/g)) == null ? void 0 : i.join("-")) ?? r : r;
   }
   /**
@@ -2660,21 +2713,21 @@ const pe = process.env.PBKDF2_DIGEST || "sha256", Ce = Number(process.env.PBKDF2
     t || (t = q.randomSalt());
     let a = r != null, n = a ? t + "!" + r : t;
     i == null && (i = !1);
-    let w = (await xe(Ne)(
+    let g = (await De(Ne)(
       s,
       n,
-      e.iterations ?? Ce,
-      e.keyLen ?? Se,
-      e.digest ?? pe
+      e.iterations ?? Se,
+      e.keyLen ?? ve,
+      e.digest ?? Ce
     )).toString("base64url");
-    return i && (w = this.encodePasswordHash(
-      w,
+    return i && (g = this.encodePasswordHash(
+      g,
       t,
       a,
-      e.iterations ?? Ce,
-      e.keyLen ?? Se,
-      e.digest ?? pe
-    )), w;
+      e.iterations ?? Se,
+      e.keyLen ?? ve,
+      e.digest ?? Ce
+    )), g;
   }
   /**
    * For creating non-JWT tokens (eg password reset tokens.)  The
@@ -2699,9 +2752,21 @@ const pe = process.env.PBKDF2_DIGEST || "sha256", Ce = Number(process.env.PBKDF2
    * @returns Base64-url encoded hash
    */
   static sign(s, e, t, r) {
-    typeof s != "string" && (s = q.signableToken(s, t, r));
-    const i = we(ve, e);
-    return s + "." + i.update(s).digest("base64url");
+    const i = q.signableToken(s, t, r), a = ie(ae, e);
+    return i + "." + a.update(i).digest("base64url");
+  }
+  /**
+   * This can be called for a string payload that is a cryptographically
+   * secure random string.  No salt is added and the token is assumed to
+   * be Base64Url already
+   * 
+   * @param payload string to sign 
+   * @param secret the secret to sign with
+   * @returns Base64-url encoded hash
+   */
+  static signSecureToken(s, e) {
+    const t = ie(ae, e);
+    return s + "." + t.update(s).digest("base64url");
   }
   /**
    * Validates a signature and, if valid, return the unstringified payload
@@ -2719,13 +2784,33 @@ const pe = process.env.PBKDF2_DIGEST || "sha256", Ce = Number(process.env.PBKDF2
     const i = r[0], a = r[1], n = JSON.parse(Buffer.from(i, "base64url").toString());
     if (t && n.t + t * 1e3 > (/* @__PURE__ */ new Date()).getTime())
       throw new o(l.Expired);
-    const d = we(ve, e).update(i).digest("base64url");
+    const d = ie(ae, e).update(i).digest("base64url");
     if (d.length != a.length)
       throw new o(l.InvalidKey, "Signature does not match payload");
-    if (!me(Buffer.from(d), Buffer.from(a)))
+    if (!he(Buffer.from(d), Buffer.from(a)))
       throw new o(l.InvalidKey, "Signature does not match payload");
     return n;
   }
+  /**
+   * Validates a signature signed with `signSecureToken` and, if valid, 
+   * return the unstringified payload
+   * @param signedMessage signed message (base64-url encoded)
+   * @param secret secret key, which must be a string
+   * @returns if signature is valid, the payload as a string
+   * @throws {@link @crossauth/common!CrossauthError} with 
+   *         {@link @crossauth/common!ErrorCode} of `InvalidKey` if signature
+   *         is invalid or has expired.  
+   */
+  static unsignSecureToken(s, e) {
+    const t = s.split(".");
+    if (t.length != 2) throw new o(l.InvalidKey);
+    const r = t[0], i = t[1], a = r, c = ie(ae, e).update(r).digest("base64url");
+    if (c.length != i.length)
+      throw new o(l.InvalidKey, "Signature does not match payload");
+    if (!he(Buffer.from(c), Buffer.from(i)))
+      throw new o(l.InvalidKey, "Signature does not match payload");
+    return a;
+  }
   /**
    * XOR's two arrays of base64url-encoded strings
    * @param value to XOR
@@ -2744,7 +2829,7 @@ const pe = process.env.PBKDF2_DIGEST || "sha256", Ce = Number(process.env.PBKDF2
    * @returns Encrypted text Base64-url encoded.
    */
   static symmetricEncrypt(s, e, t = void 0) {
-    t || (t = ce(16));
+    t || (t = ue(16));
     let r = Buffer.from(e, "base64url");
     var i = Re("aes-256-cbc", r, t);
     let a = i.update(s);
@@ -2762,7 +2847,7 @@ const pe = process.env.PBKDF2_DIGEST || "sha256", Ce = Number(process.env.PBKDF2
     const r = s.split(".");
     if (r.length != 2) throw new o(l.InvalidHash, "Not AES-256-CBC ciphertext");
     let i = Buffer.from(r[0], "base64url"), a = Buffer.from(r[1], "base64url");
-    var n = De("aes-256-cbc", t, i);
+    var n = xe("aes-256-cbc", t, i);
     let c = n.update(a);
     return c = Buffer.concat([c, n.final()]), c.toString();
   }
@@ -2778,7 +2863,7 @@ function tt(S) {
   }
   return s;
 }
-const ne = class ne extends be {
+const le = class le extends be {
   /**
    * Create a new authenticator.
    * 
@@ -2802,7 +2887,7 @@ const ne = class ne extends be {
     h(this, "pbkdf2KeyLength", 32);
     /** See {@link LocalPasswordAuthenticatorOptions.validatePasswordFn}  */
     h(this, "validatePasswordFn", tt);
-    m("secret", g.String, this, t, "HASHER_SECRET"), m("enableSecretForPasswordHash", g.Boolean, this, t, "ENABLE_SECRET_FOR_PASSWORDS"), m("pbkdf2Digest", g.String, this, t, "PASSWORD_PBKDF2_DIGEST"), m("pbkdf2Iterations", g.String, this, t, "PASSWORD_PBKDF2_ITERATIONS"), m("pbkdf2SaltLength", g.String, this, t, "PASSWORD_PBKDF2_SALTLENGTH"), m("pbkdf2KeyLength", g.String, this, t, "PASSWORD_PBKDF2_KEYLENGTH"), t.validatePasswordFn && (this.validatePasswordFn = t.validatePasswordFn);
+    w("secret", m.String, this, t, "HASHER_SECRET"), w("enableSecretForPasswordHash", m.Boolean, this, t, "ENABLE_SECRET_FOR_PASSWORDS"), w("pbkdf2Digest", m.String, this, t, "PASSWORD_PBKDF2_DIGEST"), w("pbkdf2Iterations", m.String, this, t, "PASSWORD_PBKDF2_ITERATIONS"), w("pbkdf2SaltLength", m.String, this, t, "PASSWORD_PBKDF2_SALTLENGTH"), w("pbkdf2KeyLength", m.String, this, t, "PASSWORD_PBKDF2_KEYLENGTH"), t.validatePasswordFn && (this.validatePasswordFn = t.validatePasswordFn);
   }
   /**
    * Authenticates the user, returning a the user as a {@link User} object.
@@ -2877,7 +2962,7 @@ const ne = class ne extends be {
    * @returns true if match, false otherwise
    */
   async passwordMatchesHash(e, t, r) {
-    return t == ne.NoPassword ? !1 : await T.passwordsEqual(e, t, r);
+    return t == le.NoPassword ? !1 : await T.passwordsEqual(e, t, r);
   }
   /**
    * This will return p hash of the passed password.
@@ -2934,8 +3019,8 @@ const ne = class ne extends be {
   async reprepareConfiguration(e, t) {
   }
 };
-h(ne, "NoPassword", "********");
-let Te = ne;
+h(le, "NoPassword", "********");
+let Te = le;
 class Z extends re {
   /**
    * Constructor
@@ -2956,7 +3041,7 @@ class Z extends re {
     h(this, "smtpPassword");
     h(this, "emailAuthenticatorTokenExpires", 60 * 5);
     h(this, "render");
-    m("views", g.String, this, e, "VIEWS"), m("emailAuthenticatorTextBody", g.String, this, e, "EMAIL_AUTHENTICATOR_TEXT_BODY"), m("emailAuthenticatorHtmlBody", g.String, this, e, "EMAIL_AUTHENTICATOR_HTML_BODY"), m("emailAuthenticatorSubject", g.String, this, e, "EMAIL_AUTHENTICATOR_SUBJECT"), m("emailFrom", g.String, this, e, "EMAIL_FROM", !0), m("smtpHost", g.String, this, e, "SMTP_HOST", !0), m("smtpPort", g.Number, this, e, "SMTP_PORT"), m("smtpUsername", g.String, this, e, "SMTP_USERNAME"), m("smtpPassword", g.String, this, e, "SMTP_PASSWORD"), m("smtpUseTls", g.Boolean, this, e, "SMTP_USE_TLS"), m("emailAuthenticatorTokenExpires", g.Number, this, e, "EMAIL_AUTHENTICATOR_TOKEN_EXPIRES"), e.render ? this.render = e.render : W.configure(this.views, { autoescape: !0 });
+    w("views", m.String, this, e, "VIEWS"), w("emailAuthenticatorTextBody", m.String, this, e, "EMAIL_AUTHENTICATOR_TEXT_BODY"), w("emailAuthenticatorHtmlBody", m.String, this, e, "EMAIL_AUTHENTICATOR_HTML_BODY"), w("emailAuthenticatorSubject", m.String, this, e, "EMAIL_AUTHENTICATOR_SUBJECT"), w("emailFrom", m.String, this, e, "EMAIL_FROM", !0), w("smtpHost", m.String, this, e, "SMTP_HOST", !0), w("smtpPort", m.Number, this, e, "SMTP_PORT"), w("smtpUsername", m.String, this, e, "SMTP_USERNAME"), w("smtpPassword", m.String, this, e, "SMTP_PASSWORD"), w("smtpUseTls", m.Boolean, this, e, "SMTP_USE_TLS"), w("emailAuthenticatorTokenExpires", m.Number, this, e, "EMAIL_AUTHENTICATOR_TOKEN_EXPIRES"), e.render ? this.render = e.render : W.configure(this.views, { autoescape: !0 });
   }
   /**
    * Used by the OAuth password_mfa grant type.
@@ -3027,7 +3112,7 @@ class Z extends re {
    * @returns 
    */
   async reprepareConfiguration(e, t) {
-    const r = z.decodeData(t.data)["2fa"], i = Z.zeroPad(ee(999999), 6), a = /* @__PURE__ */ new Date(), n = new Date(a.getTime() + 1e3 * this.emailAuthenticatorTokenExpires).getTime(), c = this.sendToken(r.email, i);
+    const r = L.decodeData(t.data)["2fa"], i = Z.zeroPad(ee(999999), 6), a = /* @__PURE__ */ new Date(), n = new Date(a.getTime() + 1e3 * this.emailAuthenticatorTokenExpires).getTime(), c = this.sendToken(r.email, i);
     return u.logger.info(f({
       msg: "Sent factor otp email",
       emailMessageId: c,
@@ -3164,7 +3249,7 @@ class Q extends re {
     h(this, "smsAuthenticatorFrom", "");
     h(this, "smsAuthenticatorTokenExpires", 60 * 5);
     h(this, "render");
-    m("views", g.String, this, e, "VIEWS"), m("smsAuthenticatorBody", g.String, this, e, "SMS_AUTHENTICATOR_BODY"), m("smsAuthenticatorFrom", g.String, this, e, "SMS_AUTHENTICATOR_FROM", !0), m("smsAuthenticatorTokenExpires", g.Number, this, e, "SMS_AUTHENTICATOR_TOKEN_EXPIRES"), e.render ? this.render = e.render : W.configure(this.views, { autoescape: !0 });
+    w("views", m.String, this, e, "VIEWS"), w("smsAuthenticatorBody", m.String, this, e, "SMS_AUTHENTICATOR_BODY"), w("smsAuthenticatorFrom", m.String, this, e, "SMS_AUTHENTICATOR_FROM", !0), w("smsAuthenticatorTokenExpires", m.Number, this, e, "SMS_AUTHENTICATOR_TOKEN_EXPIRES"), e.render ? this.render = e.render : W.configure(this.views, { autoescape: !0 });
   }
   /**
    * Used by the OAuth password_mfa grant type.
@@ -3204,7 +3289,7 @@ class Q extends re {
       otp: t
     };
     let d = { otp: t };
-    const w = this.render ? this.render(this.smsAuthenticatorBody, d) : W.render(this.smsAuthenticatorBody, d), y = this.sendSms(r, w);
+    const g = this.render ? this.render(this.smsAuthenticatorBody, d) : W.render(this.smsAuthenticatorBody, d), y = this.sendSms(r, g);
     return u.logger.info(f({
       msg: "Sent factor otp sms",
       smsMessageId: y,
@@ -3218,7 +3303,7 @@ class Q extends re {
    * @returns 
    */
   async reprepareConfiguration(e, t) {
-    const r = z.decodeData(t.data)["2fa"], i = Q.zeroPad(ee(999999), 6), a = /* @__PURE__ */ new Date(), n = new Date(a.getTime() + 1e3 * this.smsAuthenticatorTokenExpires).getTime(), c = this.sendSms(r.phone, i);
+    const r = L.decodeData(t.data)["2fa"], i = Q.zeroPad(ee(999999), 6), a = /* @__PURE__ */ new Date(), n = new Date(a.getTime() + 1e3 * this.smsAuthenticatorTokenExpires).getTime(), c = this.sendSms(r.phone, i);
     return u.logger.info(f({
       msg: "Sent factor otp sms",
       smsMessageId: c,
@@ -3382,7 +3467,7 @@ class Ue extends Q {
     return (await Be(this.accountSid, this.authToken).messages.create(r)).sid;
   }
 }
-class Ft extends re {
+class Rt extends re {
   /**
    * Constructor
    * 
@@ -3437,7 +3522,7 @@ class Ft extends re {
    * @returns 
    */
   async reprepareConfiguration(e, t) {
-    const r = z.decodeData(t.data)["2fa"], i = this.code, a = /* @__PURE__ */ new Date(), n = new Date(a.getTime() + 1e3 * 60).getTime();
+    const r = L.decodeData(t.data)["2fa"], i = this.code, a = /* @__PURE__ */ new Date(), n = new Date(a.getTime() + 1e3 * 60).getTime();
     return {
       userData: { factor2: r.factor2, otp: i },
       secrets: {},
@@ -3472,9 +3557,7 @@ class Ft extends re {
   }
   /**
    * Creates and emails a new one-time code.
-   * @param user the user to create it for.  Uses the `email` field if 
-   *             present, `username` otherwise (which in this case is 
-   *             expected to contain an email address)
+   * @param _user ignored
    * @returns `otp` and `expiry` as a Unix time (number).
    */
   async createOneTimeSecrets(e) {
@@ -3545,7 +3628,7 @@ class Ft extends re {
     return Array(+(r > 0 && r)).join("0") + e;
   }
 }
-class Ot extends be {
+class xt extends be {
   /**
    * Create a new authenticator.
    * 
@@ -3556,7 +3639,7 @@ class Ot extends be {
     super({ friendlyName: "LDAP", ...t });
     h(this, "ldapAutoCreateAccount", !1);
     h(this, "ldapStorage");
-    m("ldapAutoCreateAccount", g.Boolean, this, t, "LDAP_AUTO_CREATE_ACCOUNT"), this.ldapStorage = e;
+    w("ldapAutoCreateAccount", m.Boolean, this, t, "LDAP_AUTO_CREATE_ACCOUNT"), this.ldapStorage = e;
   }
   /**
    * Authenticates the user, returning a the user as a {@link User} object.
@@ -3638,7 +3721,7 @@ class Ot extends be {
   async reprepareConfiguration(e, t) {
   }
 }
-class Nt extends re {
+class Dt extends re {
   /**
    * Constructor
    * @param appName this forms part of the QR code that users scan into 
@@ -3663,9 +3746,9 @@ class Nt extends re {
     return "none";
   }
   async createSecret(e, t) {
-    t || (t = de.generateSecret());
+    t || (t = fe.generateSecret());
     let r = "";
-    return await ze.toDataURL(de.keyuri(e, this.appName, t)).then((i) => {
+    return await Le.toDataURL(fe.keyuri(e, this.appName, t)).then((i) => {
       r = i;
     }).catch((i) => {
       throw u.logger.debug(f({ err: i })), new o(
@@ -3675,7 +3758,7 @@ class Nt extends re {
     }), { qrUrl: r, secret: t };
   }
   async getSecretFromSession(e, t) {
-    const r = z.decodeData(t.data);
+    const r = L.decodeData(t.data);
     if (!("totpsecret" in r))
       throw new o(
         l.Unauthorized,
@@ -3748,7 +3831,7 @@ class Nt extends re {
         "TOTP secret or code not given"
       );
     const i = r.otp, a = t.totpsecret;
-    if (!de.check(i, a))
+    if (!fe.check(i, a))
       throw new o(
         l.InvalidToken,
         "Invalid TOTP code"
@@ -3818,8 +3901,8 @@ class Nt extends re {
     return !1;
   }
 }
-const se = 16;
-class D {
+const ne = 16;
+class x {
   /**
    * Construct a new EmailVerifier.
    * 
@@ -3850,7 +3933,7 @@ class D {
     h(this, "verifyEmailExpires", 60 * 60 * 24);
     h(this, "passwordResetExpires", 60 * 60 * 24);
     h(this, "render");
-    this.userStorage = s, this.keyStorage = e, m("siteUrl", g.String, this, t, "SITE_URL", !0), m("prefix", g.String, this, t, "PREFIX"), m("views", g.String, this, t, "VIEWS"), m("emailVerificationTextBody", g.String, this, t, "EMAIL_VERIFICATION_TEXT_BODY"), m("emailVerificationHtmlBody", g.String, this, t, "EMAIL_VERIFICATION_HTML_BODY"), m("emailVerificationSubject", g.String, this, t, "EMAIL_VERIFICATION_SUBJECT"), m("passwordResetTextBody", g.String, this, t, "PASSWORD_RESET_TEXT_BODY"), m("passwordResetHtmlBody", g.String, this, t, "PASSWORD_RESET_HTML_BODY"), m("passwordResetSubject", g.String, this, t, "PASSWORD_RESET_SUBJECT"), m("emailFrom", g.String, this, t, "EMAIL_FROM", !0), m("smtpHost", g.String, this, t, "SMTP_HOST", !0), m("smtpPort", g.Number, this, t, "SMTP_PORT"), m("smtpUsername", g.String, this, t, "SMTP_USERNAME"), m("smtpPassword", g.String, this, t, "SMTP_PASSWORD"), m("smtpUseTls", g.Boolean, this, t, "SMTP_USE_TLS"), m("verifyEmailExpires", g.Boolean, this, t, "VERIFY_EMAIL_EXPIRES"), m("passwordResetExpires", g.String, this, t, "PASSWORD_RESET_EXPIRES"), t.render ? this.render = t.render : W.configure(this.views, { autoescape: !0 });
+    this.userStorage = s, this.keyStorage = e, w("siteUrl", m.String, this, t, "SITE_URL", !0), w("prefix", m.String, this, t, "PREFIX"), w("views", m.String, this, t, "VIEWS"), w("emailVerificationTextBody", m.String, this, t, "EMAIL_VERIFICATION_TEXT_BODY"), w("emailVerificationHtmlBody", m.String, this, t, "EMAIL_VERIFICATION_HTML_BODY"), w("emailVerificationSubject", m.String, this, t, "EMAIL_VERIFICATION_SUBJECT"), w("passwordResetTextBody", m.String, this, t, "PASSWORD_RESET_TEXT_BODY"), w("passwordResetHtmlBody", m.String, this, t, "PASSWORD_RESET_HTML_BODY"), w("passwordResetSubject", m.String, this, t, "PASSWORD_RESET_SUBJECT"), w("emailFrom", m.String, this, t, "EMAIL_FROM", !0), w("smtpHost", m.String, this, t, "SMTP_HOST", !0), w("smtpPort", m.Number, this, t, "SMTP_PORT"), w("smtpUsername", m.String, this, t, "SMTP_USERNAME"), w("smtpPassword", m.String, this, t, "SMTP_PASSWORD"), w("smtpUseTls", m.Boolean, this, t, "SMTP_USE_TLS"), w("verifyEmailExpires", m.Boolean, this, t, "VERIFY_EMAIL_EXPIRES"), w("passwordResetExpires", m.String, this, t, "PASSWORD_RESET_EXPIRES"), t.render ? this.render = t.render : W.configure(this.views, { autoescape: !0 });
   }
   createEmailer() {
     let s = {};
@@ -3879,11 +3962,11 @@ class D {
     let r = 0;
     const i = /* @__PURE__ */ new Date(), a = new Date(i.getTime() + 1e3 * this.verifyEmailExpires);
     for (; r < 10; ) {
-      let n = T.randomValue(se), c = D.hashEmailVerificationToken(n);
+      let n = T.randomValue(ne), c = x.hashEmailVerificationToken(n);
       try {
         return await this.keyStorage.saveKey(s, c, i, a, e), n;
       } catch {
-        n = T.randomValue(se), c = D.hashEmailVerificationToken(n), r++;
+        n = T.randomValue(ne), c = x.hashEmailVerificationToken(n), r++;
       }
     }
     throw new o(l.Connection, "failed creating a unique key");
@@ -3924,7 +4007,7 @@ class D {
         "Either emailVerificationTextBody or emailVerificationHtmlBody must be set to send email verification emails"
       );
     let { user: r } = await this.userStorage.getUserById(s, { skipEmailVerifiedCheck: !0 }), i = e;
-    i != "" ? D.validateEmail(i) : (i = r.email ?? r.username, i || (i = r.username), D.validateEmail(i)), D.validateEmail(i);
+    i != "" ? x.validateEmail(i) : (i = r.email ?? r.username, i || (i = r.username), x.validateEmail(i)), x.validateEmail(i);
     const a = await this.createAndSaveEmailVerificationToken(s, e), n = await this._sendEmailVerificationToken(a, i, t);
     u.logger.info(f({ msg: "Sent email verification email", emailMessageId: n, email: i }));
   }
@@ -3944,20 +4027,20 @@ class D {
    *          address the user is validating
    */
   async verifyEmailVerificationToken(s) {
-    const e = D.hashEmailVerificationToken(s);
+    const e = x.hashEmailVerificationToken(s);
     let t = await this.keyStorage.getKey(e);
     try {
       if (!t.userid || !t.expires) throw new o(l.InvalidKey);
       const { user: r } = await this.userStorage.getUserById(t.userid, { skipEmailVerifiedCheck: !0 });
       let i = (r.email ?? r.username).toLowerCase();
-      if (i || (i = r.username.toLowerCase()), D.validateEmail(i), (/* @__PURE__ */ new Date()).getTime() > t.expires.getTime()) throw new o(l.Expired);
+      if (i || (i = r.username.toLowerCase()), x.validateEmail(i), (/* @__PURE__ */ new Date()).getTime() > t.expires.getTime()) throw new o(l.Expired);
       return { userid: t.userid, newEmail: t.data ?? "" };
     } finally {
     }
   }
   async deleteEmailVerificationToken(s) {
     try {
-      const e = D.hashEmailVerificationToken(s);
+      const e = x.hashEmailVerificationToken(s);
       await this.keyStorage.deleteKey(e);
     } catch (e) {
       const t = o.asCrossauthError(e);
@@ -3968,11 +4051,11 @@ class D {
     let t = 0;
     const r = /* @__PURE__ */ new Date(), i = new Date(r.getTime() + 1e3 * this.passwordResetExpires);
     for (; t < 10; ) {
-      let a = T.randomValue(se), n = D.hashPasswordResetToken(a);
+      let a = T.randomValue(ne), n = x.hashPasswordResetToken(a);
       try {
         return await this.keyStorage.saveKey(s, n, r, i), a;
       } catch {
-        a = T.randomValue(se), n = D.hashPasswordResetToken(a), t++;
+        a = T.randomValue(ne), n = x.hashPasswordResetToken(a), t++;
       }
     }
     throw new o(l.Connection, "failed creating a unique key");
@@ -3992,7 +4075,7 @@ class D {
    * @returns the user that the token is for
    */
   async verifyPasswordResetToken(s) {
-    const e = D.hashPasswordResetToken(s);
+    const e = x.hashPasswordResetToken(s);
     u.logger.debug("verifyPasswordResetToken " + s + " " + e);
     let t = await this.keyStorage.getKey(e);
     if (!t.userid) throw new o(l.InvalidKey);
@@ -4041,7 +4124,7 @@ class D {
     if (!t && r.state != E.active && r.state != E.passwordResetNeeded && r.state != E.passwordAndFactor2ResetNeeded)
       throw new o(l.UserNotActive);
     let i = (r.email ?? r.username).toLowerCase();
-    i || (i = r.username.toLowerCase()), D.validateEmail(i);
+    i || (i = r.username.toLowerCase()), x.validateEmail(i);
     const a = await this.createAndSavePasswordResetToken(s), n = await this._sendPasswordResetToken(a, i, e);
     u.logger.info(f({ msg: "Sent password reset email", emailMessageId: n, email: i }));
   }
@@ -4063,11 +4146,11 @@ class D {
    * @param email the email to validate
    */
   static validateEmail(s) {
-    if (s == null || !D.isEmailValid(s)) throw new o(l.InvalidEmail);
+    if (s == null || !x.isEmailValid(s)) throw new o(l.InvalidEmail);
   }
 }
 const _e = 16, ke = 16;
-function Rt(S) {
+function Bt(S) {
   return {
     ...S,
     path: S.path ?? "/"
@@ -4094,7 +4177,7 @@ class rt {
     h(this, "sameSite", "lax");
     // hasher settings
     h(this, "secret", "");
-    m("headerName", g.String, this, s, "CSRF_HEADER_NAME"), m("cookieName", g.String, this, s, "CSRF_COOKIE_NAME"), m("domain", g.String, this, s, "CSRF_COOKIE_DOMAIN"), m("httpOnly", g.Boolean, this, s, "CSRF_COOKIE_HTTPONLY"), m("path", g.String, this, s, "CSRF_COOKIE_PATH"), m("secure", g.Boolean, this, s, "CSRF_COOKIE_SECURE"), m("sameSite", g.String, this, s, "CSRF_COOKIE_SAMESITE"), m("secret", g.String, this, s, "SECRET", !0);
+    w("headerName", m.String, this, s, "CSRF_HEADER_NAME"), w("cookieName", m.String, this, s, "CSRF_COOKIE_NAME"), w("domain", m.String, this, s, "CSRF_COOKIE_DOMAIN"), w("httpOnly", m.Boolean, this, s, "CSRF_COOKIE_HTTPONLY"), w("path", m.String, this, s, "CSRF_COOKIE_PATH"), w("secure", m.Boolean, this, s, "CSRF_COOKIE_SECURE"), w("sameSite", m.String, this, s, "CSRF_COOKIE_SAMESITE"), w("secret", m.String, this, s, "SECRET", !0);
   }
   /**
    * Creates a session key and saves in storage
@@ -4109,13 +4192,11 @@ class rt {
   /**
    * Returns a {@link Cookie } object with the given session key.
    * 
-   * This class is compatible, for example, with Express.
-   * 
    * @param token the value of the csrf token, with signature
    * @returns a {@link Cookie } object,
    */
   makeCsrfCookie(s) {
-    const e = T.sign({ v: s }, this.secret, "");
+    const e = T.signSecureToken(s, this.secret);
     let t = {};
     return this.domain && (t.domain = this.domain), this.path && (t.path = this.path), t.sameSite = this.sameSite, this.httpOnly && (t.httpOnly = this.httpOnly), this.secure && (t.secure = this.secure), {
       name: this.cookieName,
@@ -4127,7 +4208,7 @@ class rt {
     return this.maskCsrfToken(s);
   }
   unsignCookie(s) {
-    return T.unsign(s, this.secret).v;
+    return T.unsignSecureToken(s, this.secret);
   }
   /**
    * Takes a session ID and creates a string representation of the cookie (value of the HTTP `Cookie` header).
@@ -4156,7 +4237,7 @@ class rt {
    *     * The signature in the cookie must match the token in the cookie
    *     * The token in the cookie must matched the value in the form or header after unmasking
    * 
-   * @param cookieValue the CSRDF cookie value to validate.
+   * @param cookieValue the CSRF cookie value to validate.
    * @param formOrHeaderValue the value from the csrfToken form header or the X-CROSSAUTH-CSRF header.
    * @throws {@link @crossauth/common!CrossauthError} with {@link @crossauth/common!ErrorCode} of `InvalidKey`
    */
@@ -4164,7 +4245,7 @@ class rt {
     const t = this.unmaskCsrfToken(e);
     let r;
     try {
-      r = T.unsign(s, this.secret).v;
+      r = T.unsignSecureToken(s, this.secret);
     } catch (i) {
       throw u.logger.error(f({ err: i })), new o(l.InvalidCsrf, "Invalid CSRF cookie");
     }
@@ -4183,13 +4264,13 @@ class rt {
    */
   validateCsrfCookie(s) {
     try {
-      return T.unsign(s, this.secret).v;
+      return T.unsignSecureToken(s, this.secret);
     } catch (e) {
       throw u.logger.error(f({ err: e })), new o(l.InvalidCsrf, "Invalid CSRF cookie");
     }
   }
 }
-class x {
+class D {
   /**
    * Constructor.
    * 
@@ -4218,7 +4299,7 @@ class x {
     h(this, "sameSite", "lax");
     // hasher settings
     h(this, "secret", "");
-    e.userStorage && (this.userStorage = e.userStorage), this.keyStorage = s, m("idleTimeout", g.Number, this, e, "SESSION_IDLE_TIMEOUT"), m("persist", g.Boolean, this, e, "PERSIST_SESSION_ID"), this.filterFunction = e.filterFunction, m("cookieName", g.String, this, e, "SESSION_COOKIE_NAME"), m("maxAge", g.String, this, e, "SESSION_COOKIE_MAX_AGE"), m("domain", g.String, this, e, "SESSION_COOKIE_DOMAIN"), m("httpOnly", g.Boolean, this, e, "SESSIONCOOKIE_HTTPONLY"), m("path", g.String, this, e, "SESSION_COOKIE_PATH"), m("secure", g.Boolean, this, e, "SESSION_COOKIE_SECURE"), m("sameSite", g.String, this, e, "SESSION_COOKIE_SAMESITE"), m("secret", g.String, this, e, "SECRET", !0);
+    e.userStorage && (this.userStorage = e.userStorage), this.keyStorage = s, w("idleTimeout", m.Number, this, e, "SESSION_IDLE_TIMEOUT"), w("persist", m.Boolean, this, e, "PERSIST_SESSION_ID"), this.filterFunction = e.filterFunction, w("cookieName", m.String, this, e, "SESSION_COOKIE_NAME"), w("maxAge", m.String, this, e, "SESSION_COOKIE_MAX_AGE"), w("domain", m.String, this, e, "SESSION_COOKIE_DOMAIN"), w("httpOnly", m.Boolean, this, e, "SESSIONCOOKIE_HTTPONLY"), w("path", m.String, this, e, "SESSION_COOKIE_PATH"), w("secure", m.Boolean, this, e, "SESSION_COOKIE_SECURE"), w("sameSite", m.String, this, e, "SESSION_COOKIE_SAMESITE"), w("secret", m.String, this, e, "SECRET", !0);
   }
   expiry(s) {
     let e;
@@ -4255,16 +4336,16 @@ class x {
     const a = /* @__PURE__ */ new Date();
     let n = this.expiry(a), c = !1;
     for (; r < 10 && !c; ) {
-      const d = x.hashSessionId(i);
+      const d = D.hashSessionId(i);
       try {
         this.idleTimeout > 0 && s && (e = { ...e, lastActivity: /* @__PURE__ */ new Date() }), await this.keyStorage.saveKey(s, d, a, n, void 0, e), c = !0;
-      } catch (w) {
-        let y = o.asCrossauthError(w);
+      } catch (g) {
+        let y = o.asCrossauthError(g);
         if (y.code == l.KeyExists || y.code == l.InvalidKey) {
           if (r++, i = T.randomValue(ke), r > 10)
             throw u.logger.error(f({ msg: "Max attempts exceeded trying to create session ID" })), new o(l.KeyExists);
         } else
-          throw u.logger.debug(f({ err: w })), w;
+          throw u.logger.debug(f({ err: g })), g;
       }
     }
     return {
@@ -4284,7 +4365,7 @@ class x {
    * @returns a {@link Cookie } object,
    */
   makeCookie(s, e) {
-    let t = T.sign({ v: s.value }, this.secret, ""), r = {};
+    let t = T.signSecureToken(s.value, this.secret), r = {};
     return e == null && (e = this.persist), this.domain && (r.domain = this.domain), s.expires && e && (r.expires = s.expires), this.path && (r.path = this.path), r.sameSite = this.sameSite, this.httpOnly && (r.httpOnly = this.httpOnly), this.secure && (r.secure = this.secure), {
       name: this.cookieName,
       value: t,
@@ -4311,7 +4392,7 @@ class x {
    */
   async updateSessionKey(s) {
     if (!s.value) throw new o(l.InvalidKey, "No session when updating activity");
-    s.value = x.hashSessionId(s.value), await this.keyStorage.updateKey(s);
+    s.value = D.hashSessionId(s.value), await this.keyStorage.updateKey(s);
   }
   /**
    * Unsigns a cookie and returns the original value.
@@ -4321,7 +4402,7 @@ class x {
    *         is invalid. 
    */
   unsignCookie(s) {
-    return T.unsign(s, this.secret).v;
+    return T.unsignSecureToken(s, this.secret);
   }
   /**
    * Returns the user matching the given session key in session storage, or throws an exception.
@@ -4359,7 +4440,7 @@ class x {
    *         `Expired` or `UserNotExist`.
    */
   async getSessionKey(s) {
-    const e = Date.now(), t = x.hashSessionId(s), r = await this.keyStorage.getKey(t);
+    const e = Date.now(), t = D.hashSessionId(s), r = await this.keyStorage.getKey(t);
     if (r.value = s, r.expires && e > r.expires.getTime())
       throw u.logger.warn(f({ msg: "Session id in cookie expired in key storage", hashedSessionCookie: T.hash(s) })), new o(l.Expired);
     if (r.userid && this.idleTimeout > 0 && r.lastactive && e > r.lastactive.getTime() + this.idleTimeout * 1e3)
@@ -4374,10 +4455,10 @@ class x {
    * @param except if defined, don't delete this key
    */
   async deleteAllForUser(s, e) {
-    e && (e = x.hashSessionId(e)), await this.keyStorage.deleteAllForUser(s, U.session, e);
+    e && (e = D.hashSessionId(e)), await this.keyStorage.deleteAllForUser(s, U.session, e);
   }
 }
-class Dt {
+class Lt {
   /**
    * Constructor
    * @param keyStorage  the {@link KeyStorage} instance to use, eg {@link PrismaKeyStorage}.
@@ -4399,9 +4480,9 @@ class Dt {
     t.userStorage && (this.userStorage = t.userStorage), this.keyStorage = s, this.authenticators = e;
     for (let r in this.authenticators)
       this.authenticators[r].factorName = r;
-    if (this.session = new x(this.keyStorage, { ...t == null ? void 0 : t.sessionCookieOptions, ...t ?? {} }), this.csrfTokens = new rt({ ...t == null ? void 0 : t.doubleSubmitCookieOptions, ...t ?? {} }), m("allowedFactor2", g.JsonArray, this, t, "ALLOWED_FACTOR2"), m("enableEmailVerification", g.Boolean, this, t, "ENABLE_EMAIL_VERIFICATION"), m("enablePasswordReset", g.Boolean, this, t, "ENABLE_PASSWORD_RESET"), this.emailTokenStorage = this.keyStorage, this.userStorage && (this.enableEmailVerification || this.enablePasswordReset)) {
+    if (this.session = new D(this.keyStorage, { ...t == null ? void 0 : t.sessionCookieOptions, ...t ?? {} }), this.csrfTokens = new rt({ ...t == null ? void 0 : t.doubleSubmitCookieOptions, ...t ?? {} }), w("allowedFactor2", m.JsonArray, this, t, "ALLOWED_FACTOR2"), w("enableEmailVerification", m.Boolean, this, t, "ENABLE_EMAIL_VERIFICATION"), w("enablePasswordReset", m.Boolean, this, t, "ENABLE_PASSWORD_RESET"), this.emailTokenStorage = this.keyStorage, this.userStorage && (this.enableEmailVerification || this.enablePasswordReset)) {
       let r = this.keyStorage;
-      t.emailTokenStorage && (this.emailTokenStorage = t.emailTokenStorage), this.tokenEmailer = new D(this.userStorage, r, t);
+      t.emailTokenStorage && (this.emailTokenStorage = t.emailTokenStorage), this.tokenEmailer = new x(this.userStorage, r, t);
     }
   }
   /**
@@ -4477,7 +4558,7 @@ class Dt {
       const p = await this.session.createSessionKey(i.id, t);
       c = this.session.makeCookie(p, r);
     }
-    const d = this.csrfTokens.createCsrfToken(), w = this.csrfTokens.makeCsrfCookie(d), y = this.csrfTokens.makeCsrfFormOrHeaderToken(d);
+    const d = this.csrfTokens.createCsrfToken(), g = this.csrfTokens.makeCsrfCookie(d), y = this.csrfTokens.makeCsrfFormOrHeaderToken(d);
     try {
       this.emailTokenStorage.deleteAllForUser(
         i.id,
@@ -4488,7 +4569,7 @@ class Dt {
     }
     return {
       sessionCookie: c,
-      csrfCookie: w,
+      csrfCookie: g,
       csrfFormOrHeaderValue: y,
       user: i,
       secrets: n
@@ -4521,7 +4602,7 @@ class Dt {
    */
   async logout(s) {
     const e = await this.session.getSessionKey(s);
-    return await this.keyStorage.deleteKey(x.hashSessionId(e.value));
+    return await this.keyStorage.deleteKey(D.hashSessionId(e.value));
   }
   /**
    * Logs a user out from all sessions.
@@ -4669,7 +4750,7 @@ class Dt {
    * @param value new value to store
    */
   async updateSessionData(s, e, t) {
-    const r = x.hashSessionId(s);
+    const r = D.hashSessionId(s);
     u.logger.debug(f({ msg: `Updating session data value${e}`, hashedSessionCookie: T.hash(s) })), await this.keyStorage.updateData(r, e, t);
   }
   /**
@@ -4678,12 +4759,11 @@ class Dt {
    * The `data` field in the session entry is assumed to be a JSON string.
    * The field with the given name is updated or set if not already set.
    * @param sessionId the session Id to update.
-   * @param name of the field.
-   * @param value new value to store
+   * @param dataArray names and values.
    */
   async updateManySessionData(s, e) {
-    const t = x.hashSessionId(s);
-    u.logger.debug(f({ msg: `Updating session data value${name}`, hashedSessionCookie: T.hash(s) })), await this.keyStorage.updateManyData(t, e);
+    const t = D.hashSessionId(s);
+    u.logger.debug(f({ msg: "Updating session data", hashedSessionCookie: T.hash(s) })), await this.keyStorage.updateManyData(t, e);
   }
   /**
   * Deletes a field from the session data.
@@ -4694,7 +4774,7 @@ class Dt {
   * @param name of the field.
   */
   async deleteSessionData(s, e) {
-    const t = x.hashSessionId(s);
+    const t = D.hashSessionId(s);
     u.logger.debug(f({ msg: `Updating session data value${e}`, hashedSessionCookie: T.hash(s) })), await this.keyStorage.deleteData(t, e);
   }
   /**
@@ -4703,7 +4783,7 @@ class Dt {
    * @param sessionId the session Id to delete
    */
   async deleteSession(s) {
-    return await this.keyStorage.deleteKey(x.hashSessionId(s));
+    return await this.keyStorage.deleteKey(D.hashSessionId(s));
   }
   /**
    * Creates a new user, sending an email verification message if necessary.
@@ -4758,7 +4838,7 @@ class Dt {
     if (!this.authenticators[s.factor2]) throw new o(l.Configuration, "Two factor authentication not enabled for user");
     const a = await this.authenticators[s.factor2].prepareConfiguration(s), n = a == null ? {} : a.userData, c = a == null ? {} : a.sessionData, d = await this.authenticators[s.factor1].createPersistentSecrets(s.username, e, r);
     return s.state = "awaitingtwofactorsetup", await this.keyStorage.updateData(
-      x.hashSessionId(t),
+      D.hashSessionId(t),
       "2fa",
       c
     ), { userid: (await this.userStorage.createUser(s, d)).id, userData: n };
@@ -4778,13 +4858,13 @@ class Dt {
       if (!this.authenticators[e]) throw new o(l.Configuration, "Two factor authentication not enabled for user");
       const i = await this.authenticators[e].prepareConfiguration(s), a = i == null ? {} : i.userData, n = i == null ? {} : i.sessionData;
       return await this.keyStorage.updateData(
-        x.hashSessionId(t),
+        D.hashSessionId(t),
         "2fa",
         n
       ), a;
     }
     return await this.userStorage.updateUser({ id: s.id, factor2: e ?? "" }), await this.keyStorage.updateData(
-      x.hashSessionId(t),
+      D.hashSessionId(t),
       "2fa",
       void 0
     ), {};
@@ -4804,10 +4884,10 @@ class Dt {
    */
   async repeatTwoFactorSignup(s) {
     if (!this.userStorage) throw new o(l.Configuration, "Cannot call repeatTwoFactorSignup if no user storage provided");
-    const e = (await this.dataForSessionId(s))["2fa"], t = e.username, r = e.factor2, i = x.hashSessionId(s), a = await this.keyStorage.getKey(i), c = await this.authenticators[r].reprepareConfiguration(t, a), d = c == null ? {} : c.userData, w = c == null ? {} : c.secrets, y = c == null ? {} : c.newSessionData;
+    const e = (await this.dataForSessionId(s))["2fa"], t = e.username, r = e.factor2, i = D.hashSessionId(s), a = await this.keyStorage.getKey(i), c = await this.authenticators[r].reprepareConfiguration(t, a), d = c == null ? {} : c.userData, g = c == null ? {} : c.secrets, y = c == null ? {} : c.newSessionData;
     y && await this.keyStorage.updateData(i, "2fa", y);
     const { user: p } = await this.userStorage.getUserByUsername(t, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 });
-    return { userid: p.id, userData: d, secrets: w };
+    return { userid: p.id, userData: d, secrets: g };
   }
   /**
    * Authenticates with the second factor.  
@@ -4828,14 +4908,14 @@ class Dt {
     if (r && r.state != E.active && r.state != E.factor2ResetNeeded)
       throw new o(l.UserNotActive);
     if (!i) throw new o(l.InvalidKey, "Session key not found");
-    let a = z.decodeData(i.data)["2fa"];
+    let a = L.decodeData(i.data)["2fa"];
     if (!(a != null && a.factor2) || !(a != null && a.username)) throw new o(l.Unauthorized, "Two factor authentication not initiated");
     let n = a.username;
     const c = this.authenticators[a.factor2];
     if (!c) throw new o(l.Configuration, "Unrecognised second factor authentication");
-    const d = {}, w = c.secretNames();
+    const d = {}, g = c.secretNames();
     for (let C in a)
-      w.includes(C) && (d[C] = a[C]);
+      g.includes(C) && (d[C] = a[C]);
     await c.authenticateUser(void 0, a, s), r || (t = !0, r = (await this.userStorage.getUserByUsername(n, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 })).user);
     const y = c.skipEmailVerificationOnSignup() == !0;
     if (!r) throw new o(l.UserNotExist, "Couldn't fetch user");
@@ -4844,7 +4924,7 @@ class Dt {
       state: !y && this.enableEmailVerification ? "awaitingemailverification" : "active",
       factor2: a.factor2
     };
-    return c.secretNames().length > 0 ? await this.userStorage.updateUser(p, d) : await this.userStorage.updateUser(p), !y && t && this.enableEmailVerification && this.tokenEmailer && await ((_ = this.tokenEmailer) == null ? void 0 : _.sendEmailVerificationToken(r.id, void 0)), await this.keyStorage.updateData(x.hashSessionId(i.value), "2fa", void 0), { ...r, ...p };
+    return c.secretNames().length > 0 ? await this.userStorage.updateUser(p, d) : await this.userStorage.updateUser(p), !y && t && this.enableEmailVerification && this.tokenEmailer && await ((_ = this.tokenEmailer) == null ? void 0 : _.sendEmailVerificationToken(r.id, void 0)), await this.keyStorage.updateData(D.hashSessionId(i.value), "2fa", void 0), { ...r, ...p };
   }
   /**
    * Initiates the two factor login process.
@@ -4874,14 +4954,14 @@ class Dt {
    */
   async initiateTwoFactorPageVisit(s, e, t, r, i) {
     const n = await this.authenticators[s.factor2].createOneTimeSecrets(s);
-    let c, d, w;
-    const y = x.hashSessionId(e);
+    let c, d, g;
+    const y = D.hashSessionId(e);
     u.logger.debug("initiateTwoFactorPageVisit " + s.username + " " + e + " " + y);
     let p = { username: s.username, factor2: s.factor2, secrets: n, body: t, url: r };
     return i && (p["content-type"] = i), await this.keyStorage.updateData(y, "pre2fa", p), {
       sessionCookie: c,
       csrfCookie: d,
-      csrfFormOrHeaderValue: w
+      csrfFormOrHeaderValue: g
     };
   }
   /**
@@ -4897,14 +4977,14 @@ class Dt {
     if (!this.userStorage) throw new o(l.Configuration, "Cannot call completeTwoFactorPageVisit if no user storage provided");
     let { key: t } = await this.session.getUserForSessionId(e);
     if (!t) throw new o(l.InvalidKey, "Session key not found");
-    let r = z.decodeData(t.data);
+    let r = L.decodeData(t.data);
     if (!("pre2fa" in r)) throw new o(l.Unauthorized, "Two factor authentication not initiated");
     const { secrets: i } = await this.userStorage.getUserByUsername(r.pre2fa.username), a = this.authenticators[r.pre2fa.factor2];
     if (!a) throw new o(l.Configuration, "Unrecognised second factor authentication");
     const n = {}, c = a.secretNames();
     for (let d in i)
       c.includes(d) && d in i && (n[d] = i[d]);
-    await a.authenticateUser(void 0, { ...n, ...r.pre2fa.secrets }, s), await this.keyStorage.updateData(x.hashSessionId(t.value), "pre2fa", void 0);
+    await a.authenticateUser(void 0, { ...n, ...r.pre2fa.secrets }, s), await this.keyStorage.updateData(D.hashSessionId(t.value), "pre2fa", void 0);
   }
   /**
    * Cancels the 2FA that was previously initiated but not completed..  
@@ -4918,9 +4998,9 @@ class Dt {
   async cancelTwoFactorPageVisit(s) {
     let { key: e } = await this.session.getUserForSessionId(s);
     if (!e) throw new o(l.InvalidKey, "Session key not found");
-    let t = z.decodeData(e.data);
+    let t = L.decodeData(e.data);
     if (!("pre2fa" in t)) throw new o(l.Unauthorized, "Two factor authentication not initiated");
-    return await this.keyStorage.updateData(x.hashSessionId(e.value), "pre2fa", void 0), t.pre2fa;
+    return await this.keyStorage.updateData(D.hashSessionId(e.value), "pre2fa", void 0), t.pre2fa;
   }
   /**
    * Performs the second factor authentication as the second step of the login
@@ -4943,12 +5023,12 @@ class Dt {
     if (!this.userStorage) throw new o(l.Configuration, "Cannot call completeTwoFactorLogin if no user storage provided");
     let { key: i } = await this.session.getUserForSessionId(e);
     if (!i || !i.data || i.data == "") throw new o(l.Unauthorized);
-    let a = z.decodeData(i.data)["2fa"], n = a.username, c = a.factor2;
-    const { user: d, secrets: w } = await this.userStorage.getUserByUsername(n), y = this.authenticators[c];
+    let a = L.decodeData(i.data)["2fa"], n = a.username, c = a.factor2;
+    const { user: d, secrets: g } = await this.userStorage.getUserByUsername(n), y = this.authenticators[c];
     if (!y) throw new o(l.Configuration, "Second factor " + c + " not enabled");
-    await y.authenticateUser(d, { ...w, ...a }, s);
+    await y.authenticateUser(d, { ...g, ...a }, s);
     const p = await this.session.createSessionKey(d.id, t);
-    await this.keyStorage.deleteKey(x.hashSessionId(i.value));
+    await this.keyStorage.deleteKey(D.hashSessionId(i.value));
     const _ = this.session.makeCookie(p, r), C = this.csrfTokens.createCsrfToken(), v = this.csrfTokens.makeCsrfCookie(C), k = this.csrfTokens.makeCsrfFormOrHeaderToken(C);
     try {
       this.emailTokenStorage.deleteAllForUser(
@@ -5026,8 +5106,8 @@ class Dt {
         a.id,
         U.passwordResetToken
       );
-    } catch (w) {
-      u.logger.warn(f({ msg: "Couldn't delete password reset tokens while logging in", user: s })), u.logger.debug(f({ err: w }));
+    } catch (g) {
+      u.logger.warn(f({ msg: "Couldn't delete password reset tokens while logging in", user: s })), u.logger.debug(f({ err: g }));
     }
     return a;
   }
@@ -5047,19 +5127,19 @@ class Dt {
       throw new o(l.UserNotExist, "Please specify a userername");
     let { email: a, username: n, password: c, ...d } = e;
     d.userid = s.userid;
-    let w = !1;
+    let g = !1;
     if (a)
-      i = a, D.validateEmail(i), w = !0;
+      i = a, x.validateEmail(i), g = !0;
     else if (n) {
       i = n;
       try {
-        D.validateEmail(s.username), w = !0;
+        x.validateEmail(s.username), g = !0;
       } catch {
       }
-      w && D.validateEmail(i);
+      g && x.validateEmail(i);
     }
-    return !t && this.enableEmailVerification && w ? await ((y = this.tokenEmailer) == null ? void 0 : y.sendEmailVerificationToken(s.id, i)) : (a && (d.email = a), n && (d.username = n)), (e.state == E.passwordResetNeeded || e.state == E.passwordAndFactor2ResetNeeded) && await ((p = this.tokenEmailer) == null ? void 0 : p.sendPasswordResetToken(s.id, {}, r)), await this.userStorage.updateUser(d), {
-      emailVerificationTokenSent: !t && this.enableEmailVerification && w,
+    return !t && this.enableEmailVerification && g ? await ((y = this.tokenEmailer) == null ? void 0 : y.sendEmailVerificationToken(s.id, i)) : (a && (d.email = a), n && (d.username = n)), (e.state == E.passwordResetNeeded || e.state == E.passwordAndFactor2ResetNeeded) && await ((p = this.tokenEmailer) == null ? void 0 : p.sendPasswordResetToken(s.id, {}, r)), await this.userStorage.updateUser(d), {
+      emailVerificationTokenSent: !t && this.enableEmailVerification && g,
       passwordResetTokenSent: e.state == E.passwordResetNeeded || e.state == E.passwordAndFactor2ResetNeeded
     };
   }
@@ -5095,7 +5175,7 @@ class Dt {
     return { ...i, state: n };
   }
 }
-class he {
+class ge {
   /**
    * Constructor.
    * 
@@ -5112,7 +5192,7 @@ class he {
     h(this, "prefix", U.apiKey);
     /** The name of the speak in the Authorization header.  Defaults to "ApiKey" */
     h(this, "authScheme", "ApiKey");
-    this.apiKeyStorage = s, m("secret", g.String, this, e, "SECRET", !0), m("keyLength", g.String, this, e, "APIKEY_LENGTH"), m("prefix", g.String, this, e, "APIKEY_PREFIX"), m("authScheme", g.String, this, e, "APIKEY_AUTHSCHEME");
+    this.apiKeyStorage = s, w("secret", m.String, this, e, "SECRET", !0), w("keyLength", m.String, this, e, "APIKEY_LENGTH"), w("prefix", m.String, this, e, "APIKEY_PREFIX"), w("authScheme", m.String, this, e, "APIKEY_AUTHSCHEME");
   }
   /**
    * Creates a new random key and returns it, unsigned.  It is also persisted in the key storage as a 
@@ -5133,11 +5213,11 @@ class he {
    *          Authorization header (with the signature appended.)
    */
   async createKey(s, e, t, r, i) {
-    const a = T.randomValue(this.keyLength), n = /* @__PURE__ */ new Date(), c = r ? new Date(n.getTime() + r * 1e3) : void 0, d = he.hashApiKeyValue(a), w = {
+    const a = T.randomValue(this.keyLength), n = /* @__PURE__ */ new Date(), c = r ? new Date(n.getTime() + r * 1e3) : void 0, d = ge.hashApiKeyValue(a), g = {
       name: s,
       value: a,
       userid: e,
-      data: z.encodeData(t),
+      data: L.encodeData(t),
       expires: c,
       created: n,
       ...i
@@ -5147,11 +5227,11 @@ class he {
       this.prefix + d,
       n,
       c,
-      w.data,
+      g.data,
       { name: s, ...i }
     );
     const y = this.signApiKeyValue(a);
-    return { key: w, token: y };
+    return { key: g, token: y };
   }
   static hashApiKeyValue(s) {
     return T.hash(s);
@@ -5178,7 +5258,7 @@ class he {
       const i = new RegExp(`^${this.authScheme} `);
       s = s.replace(i, "");
     }
-    const e = this.unsignApiKeyValue(s), t = he.hashApiKeyValue(e), r = await this.apiKeyStorage.getKey(this.prefix + t);
+    const e = this.unsignApiKeyValue(s), t = ge.hashApiKeyValue(e), r = await this.apiKeyStorage.getKey(this.prefix + t);
     if (!("name" in r)) throw new o(l.InvalidKey, "Not a valid API key");
     return { ...r, name: r.name };
   }
@@ -5210,7 +5290,7 @@ class J {
       l.Configuration,
       "Must specify clientStorage when adding a client manager"
     );
-    this.clientStorage = s.clientStorage, m("oauthPbkdf2Digest", g.String, this, s, "OAUTH_PBKDF2_DIGEST"), m("oauthPbkdf2KeyLength", g.String, this, s, "OAUTH_PBKDF2_KEYLENGTH"), m("requireRedirectUriRegistration", g.Boolean, this, s, "OAUTH_REQUIRE_REDIRECT_URI_REGISTRATION");
+    this.clientStorage = s.clientStorage, w("oauthPbkdf2Digest", m.String, this, s, "OAUTH_PBKDF2_DIGEST"), w("oauthPbkdf2KeyLength", m.String, this, s, "OAUTH_PBKDF2_KEYLENGTH"), w("requireRedirectUriRegistration", m.Boolean, this, s, "OAUTH_REQUIRE_REDIRECT_URI_REGISTRATION");
   }
   /**
    * Creates a client and puts it in the storage
@@ -5244,10 +5324,10 @@ class J {
       valid_flow: t,
       userid: i
     };
-    let w;
+    let g;
     for (let y = 0; y < 5; ++y)
       try {
-        w = await this.clientStorage.createClient(d);
+        g = await this.clientStorage.createClient(d);
         break;
       } catch (p) {
         if (y == 4) {
@@ -5255,8 +5335,8 @@ class J {
         } else
           d.client_id = J.randomClientId();
       }
-    if (!w) throw new o(l.ClientExists);
-    return w.client_secret && c && (w.client_secret = c), w;
+    if (!g) throw new o(l.ClientExists);
+    return g.client_secret && c && (g.client_secret = c), g;
   }
   /**
    * Updates a client
@@ -5340,7 +5420,7 @@ function at(S) {
     "Invalid JWT signing algorithm " + S
   );
 }
-class xt {
+class zt {
   /**
    * Constructor
    * 
@@ -5402,9 +5482,9 @@ class xt {
     h(this, "validFlows", ["all"]);
     /** Set from options.  See {@link OAuthAuthorizationServerOptions.allowedFactor2} */
     h(this, "allowedFactor2", []);
-    this.clientStorage = s, this.keyStorage = e, this.userStorage = r.userStorage, this.authStorage = r.authStorage, t && (this.authenticators = t), this.clientManager = new J({ clientStorage: s, ...r }), m("oauthIssuer", g.String, this, r, "AUTH_SERVER_BASE_URL", !0), m("audience", g.String, this, r, "OAUTH_AUDIENCE"), m("oauthPbkdf2Iterations", g.String, this, r, "OAUTH_PBKDF2_ITERATIONS"), m("requireClientSecretOrChallenge", g.Boolean, this, r, "OAUTH_REQUIRE_CLIENT_SECRET_OR_CHALLENGE"), m("jwtAlgorithm", g.String, this, r, "JWT_ALGORITHM"), m("codeLength", g.Number, this, r, "OAUTH_CODE_LENGTH"), m("jwtKeyType", g.String, this, r, "JWT_KEY_TYPE"), m("jwtSecretKeyFile", g.String, this, r, "JWT_SECRET_KEY_FILE"), m("jwtPublicKeyFile", g.String, this, r, "JWT_PUBLIC_KEY_FILE"), m("jwtPrivateKeyFile", g.String, this, r, "JWT_PRIVATE_KEY_FILE"), m("jwtSecretKey", g.String, this, r, "JWT_SECRET_KEY"), m("jwtPublicKey", g.String, this, r, "JWT_PUBLIC_KEY"), m("jwtPrivateKey", g.String, this, r, "JWT_PRIVATE_KEY"), m("jwtKid", g.String, this, r, "JWT_KID"), m("persistAccessToken", g.String, this, r, "OAUTH_PERSIST_ACCESS_TOKEN"), m("issueRefreshToken", g.String, this, r, "OAUTH_ISSUE_REFRESH_TOKEN"), m("opaqueAccessToken", g.String, this, r, "OAUTH_OPAQUE_ACCESS_TOKEN"), m("accessTokenExpiry", g.Number, this, r, "OAUTH_ACCESS_TOKEN_EXPIRY"), m("refreshTokenExpiry", g.Number, this, r, "OAUTH_REFRESH_TOKEN_EXPIRY"), m("rollingRefreshToken", g.Boolean, this, r, "OAUTH_ROLLING_REFRESH_TOKEN"), m("authorizationCodeExpiry", g.Number, this, r, "OAUTH_AUTHORIZATION_CODE_EXPIRY"), m("mfaTokenExpiry", g.Number, this, r, "OAUTH_MFA_TOKEN_EXPIRY"), m("clockTolerance", g.Number, this, r, "OAUTH_CLOCK_TOLERANCE"), m("validateScopes", g.Boolean, this, r, "OAUTH_VALIDATE_SCOPES"), m("emptyScopeIsValid", g.Boolean, this, r, "OAUTH_EMPTY_SCOPE_VALID"), m("validScopes", g.JsonArray, this, r, "OAUTH_VALID_SCOPES"), m("validFlows", g.JsonArray, this, r, "OAUTH_validFlows"), m("idTokenClaims", g.Json, this, r, "OAUTH_ID_TOKEN_CLAIMS"), m("allowedFactor2", g.JsonArray, this, r, "ALLOWED_FACTOR2"), m("userCodeExpiry", g.Number, this, r, "DEVICECODE_USERCODE_EXPIRY"), m("userCodeThrottle", g.Number, this, r, "DEVICECODE_USERCODE_THROTTLE"), m("deviceCodePollInterval", g.Number, this, r, "DEVICECODE_POLL_INTERVAL"), m("deviceCodeLength", g.Number, this, r, "DEVICECODE_LENGTH"), m("userCodeLength", g.Number, this, r, "DEVICECODE_USERCODE_LENGTH");
+    this.clientStorage = s, this.keyStorage = e, this.userStorage = r.userStorage, this.authStorage = r.authStorage, t && (this.authenticators = t), this.clientManager = new J({ clientStorage: s, ...r }), w("oauthIssuer", m.String, this, r, "AUTH_SERVER_BASE_URL", !0), w("audience", m.String, this, r, "OAUTH_AUDIENCE"), w("oauthPbkdf2Iterations", m.String, this, r, "OAUTH_PBKDF2_ITERATIONS"), w("requireClientSecretOrChallenge", m.Boolean, this, r, "OAUTH_REQUIRE_CLIENT_SECRET_OR_CHALLENGE"), w("jwtAlgorithm", m.String, this, r, "JWT_ALGORITHM"), w("codeLength", m.Number, this, r, "OAUTH_CODE_LENGTH"), w("jwtKeyType", m.String, this, r, "JWT_KEY_TYPE"), w("jwtSecretKeyFile", m.String, this, r, "JWT_SECRET_KEY_FILE"), w("jwtPublicKeyFile", m.String, this, r, "JWT_PUBLIC_KEY_FILE"), w("jwtPrivateKeyFile", m.String, this, r, "JWT_PRIVATE_KEY_FILE"), w("jwtSecretKey", m.String, this, r, "JWT_SECRET_KEY"), w("jwtPublicKey", m.String, this, r, "JWT_PUBLIC_KEY"), w("jwtPrivateKey", m.String, this, r, "JWT_PRIVATE_KEY"), w("jwtKid", m.String, this, r, "JWT_KID"), w("persistAccessToken", m.String, this, r, "OAUTH_PERSIST_ACCESS_TOKEN"), w("issueRefreshToken", m.String, this, r, "OAUTH_ISSUE_REFRESH_TOKEN"), w("opaqueAccessToken", m.String, this, r, "OAUTH_OPAQUE_ACCESS_TOKEN"), w("accessTokenExpiry", m.Number, this, r, "OAUTH_ACCESS_TOKEN_EXPIRY"), w("refreshTokenExpiry", m.Number, this, r, "OAUTH_REFRESH_TOKEN_EXPIRY"), w("rollingRefreshToken", m.Boolean, this, r, "OAUTH_ROLLING_REFRESH_TOKEN"), w("authorizationCodeExpiry", m.Number, this, r, "OAUTH_AUTHORIZATION_CODE_EXPIRY"), w("mfaTokenExpiry", m.Number, this, r, "OAUTH_MFA_TOKEN_EXPIRY"), w("clockTolerance", m.Number, this, r, "OAUTH_CLOCK_TOLERANCE"), w("validateScopes", m.Boolean, this, r, "OAUTH_VALIDATE_SCOPES"), w("emptyScopeIsValid", m.Boolean, this, r, "OAUTH_EMPTY_SCOPE_VALID"), w("validScopes", m.JsonArray, this, r, "OAUTH_VALID_SCOPES"), w("validFlows", m.JsonArray, this, r, "OAUTH_validFlows"), w("idTokenClaims", m.Json, this, r, "OAUTH_ID_TOKEN_CLAIMS"), w("allowedFactor2", m.JsonArray, this, r, "ALLOWED_FACTOR2"), w("userCodeExpiry", m.Number, this, r, "DEVICECODE_USERCODE_EXPIRY"), w("userCodeThrottle", m.Number, this, r, "DEVICECODE_USERCODE_THROTTLE"), w("deviceCodePollInterval", m.Number, this, r, "DEVICECODE_POLL_INTERVAL"), w("deviceCodeLength", m.Number, this, r, "DEVICECODE_LENGTH"), w("userCodeLength", m.Number, this, r, "DEVICECODE_USERCODE_LENGTH");
     let i = {};
-    if (m("userCodeDashEvery", g.String, i, r, "DEVICECODE_USERCODE_DASH_EVERY"), i.userCodeDashEvery)
+    if (w("userCodeDashEvery", m.String, i, r, "DEVICECODE_USERCODE_DASH_EVERY"), i.userCodeDashEvery)
       if (i.userCodeDashEvery == "" || i.userCodeDashEvery.toLowerCase() == "null") this.userCodeDashEvery = null;
       else
         try {
@@ -5415,7 +5495,7 @@ class xt {
             "userCodeDashEvery must be a number or null"
           );
         }
-    if (m("deviceCodeVerificationUri", g.String, this, r, "DEVICECODE_VERIFICATION_URI"), this.validFlows.length == 1 && this.validFlows[0] == b.All && (this.validFlows = b.allFlows()), this.jwtAlgorithmChecked = at(this.jwtAlgorithm), this.jwtSecretKey || this.jwtSecretKeyFile) {
+    if (w("deviceCodeVerificationUri", m.String, this, r, "DEVICECODE_VERIFICATION_URI"), this.validFlows.length == 1 && this.validFlows[0] == b.All && (this.validFlows = b.allFlows()), this.jwtAlgorithmChecked = at(this.jwtAlgorithm), this.jwtSecretKey || this.jwtSecretKeyFile) {
       if (this.jwtPublicKey || this.jwtPublicKeyFile || this.jwtPrivateKey || this.jwtPrivateKeyFile)
         throw new o(
           l.Configuration,
@@ -5492,9 +5572,9 @@ class xt {
         error: "unsupported_response_type",
         error_description: "Unsupported response type " + s
       };
-    let w;
+    let g;
     try {
-      w = await this.clientStorage.getClientById(e);
+      g = await this.clientStorage.getClientById(e);
     } catch (v) {
       return u.logger.debug(f({ err: v })), {
         error: "unauthorized_client",
@@ -5516,7 +5596,7 @@ class xt {
         error: "access_denied",
         error_description: "Unsupported flow type " + C
       };
-    if (!w.valid_flow.includes(C))
+    if (!g.valid_flow.includes(C))
       return {
         error: "unauthorized_client",
         error_description: "Client does not support " + C
@@ -5530,7 +5610,7 @@ class xt {
       };
     }
     return s == "code" ? await this.getAuthorizationCode(
-      w,
+      g,
       t,
       y,
       i,
@@ -5673,7 +5753,7 @@ class xt {
     refreshToken: n,
     username: c,
     password: d,
-    mfaToken: w,
+    mfaToken: g,
     oobCode: y,
     bindingCode: p,
     otp: _,
@@ -5706,7 +5786,7 @@ class xt {
       };
     let j = !1;
     this.issueRefreshToken && v != b.RefreshToken && (j = !0), this.issueRefreshToken && v == b.RefreshToken && this.rollingRefreshToken && (j = !0);
-    let R;
+    let N;
     if (s == "authorization_code")
       return this.requireClientSecretOrChallenge && A && A.client_secret && !i && !a ? {
         error: "access_denied",
@@ -5725,22 +5805,22 @@ class xt {
         error_description: "No authorization code provided for authorization code flow"
       };
     if (s == "refresh_token") {
-      const N = await this.getRefreshTokenData(n);
-      if (!n || !N || !this.userStorage)
+      const R = await this.getRefreshTokenData(n);
+      if (!n || !R || !this.userStorage)
         return {
           error: "access_denied",
           error_description: "Refresh token is invalid"
         };
       let P;
-      if (N.username)
+      if (R.username)
         try {
-          const { user: F } = await ((K = this.userStorage) == null ? void 0 : K.getUserByUsername(N.username));
+          const { user: F } = await ((K = this.userStorage) == null ? void 0 : K.getUserByUsername(R.username));
           P = F;
         } catch (F) {
           return u.logger.error(f({
             err: F,
             msg: "Couldn't get user for refresh token.  Doesn't exist?",
-            username: N.username
+            username: R.username
           })), {
             error: "access_denied",
             error_description: "Refresh token is invalid"
@@ -5758,12 +5838,12 @@ class xt {
         client_secret: i,
         codeVerifier: a,
         issueRefreshToken: j,
-        scopes: N.scope,
+        scopes: R.scope,
         user: P
       });
     } else if (s == "client_credentials") {
       const {
-        scopes: N,
+        scopes: R,
         error: P,
         error_description: F
       } = await this.validateAndPersistScope(e, t, void 0);
@@ -5774,7 +5854,7 @@ class xt {
         client: A,
         client_secret: i,
         codeVerifier: a,
-        scopes: N,
+        scopes: R,
         issueRefreshToken: j
       });
     } else if (s == "password") {
@@ -5789,17 +5869,17 @@ class xt {
             error: "server_error",
             error_description: "Password authentication not configured"
           };
-        const { user: I, secrets: $ } = await this.userStorage.getUserByUsername(c), L = this.authenticators[I.factor1];
-        if (!L || !L.secretNames().includes("password"))
+        const { user: I, secrets: $ } = await this.userStorage.getUserByUsername(c), z = this.authenticators[I.factor1];
+        if (!z || !z.secretNames().includes("password"))
           return {
             error: "access_denied",
             error_description: "Password flow used but factor 1 authenticator does not accept passwords"
           };
-        await L.authenticateUser(
+        await z.authenticateUser(
           I,
           $,
           { password: d }
-        ), R = I;
+        ), N = I;
       } catch (I) {
         return u.logger.debug(f({ err: I })), {
           error: "access_denied",
@@ -5807,27 +5887,27 @@ class xt {
         };
       }
       const {
-        scopes: N,
+        scopes: R,
         error: P,
         error_description: F
-      } = await this.validateAndPersistScope(e, t, R);
+      } = await this.validateAndPersistScope(e, t, N);
       return P ? {
         error: P,
         error_description: F
-      } : R.factor2 ? this.allowedFactor2.length > 0 && (R.state == E.factor2ResetNeeded || !this.allowedFactor2.includes(R.factor2 ? R.factor2 : "none")) ? {
+      } : N.factor2 ? this.allowedFactor2.length > 0 && (N.state == E.factor2ResetNeeded || !this.allowedFactor2.includes(N.factor2 ? N.factor2 : "none")) ? {
         error: "access_denied",
         error_description: "2FA method not allowed or needs to be reconfigured"
-      } : await this.createMfaRequest(R) : await this.makeAccessToken({
+      } : await this.createMfaRequest(N) : await this.makeAccessToken({
         client: A,
         client_secret: i,
         codeVerifier: a,
-        scopes: N,
+        scopes: R,
         issueRefreshToken: j,
-        user: R
+        user: N
       });
     } else if (s == "http://auth0.com/oauth/grant-type/mfa-otp") {
       const {
-        scopes: N,
+        scopes: R,
         error: P,
         error_description: F
       } = await this.validateAndPersistScope(e, t, void 0);
@@ -5841,26 +5921,26 @@ class xt {
           error: "access_denied",
           error_description: "OTP not provided"
         };
-      if (!w)
+      if (!g)
         return {
           error: "access_denied",
           error_description: "MFA token not provided"
         };
-      const I = await this.validateMfaToken(w), $ = U.mfaToken + T.hash(w);
+      const I = await this.validateMfaToken(g), $ = U.mfaToken + T.hash(g);
       if (!I.user || !I.key)
         return {
           error: "access_denied",
           error_description: "Invalid MFA token"
         };
-      const L = this.authenticators[I.user.factor2];
-      if (!L || !this.userStorage)
+      const z = this.authenticators[I.user.factor2];
+      if (!z || !this.userStorage)
         return {
           error: "access_denied",
           error_description: "MFA type is not supported for OAuth"
         };
       try {
         const { secrets: V } = await this.userStorage.getUserById(I.user.id);
-        await L.authenticateUser(
+        await z.authenticateUser(
           I.user,
           V,
           { otp: _ }
@@ -5884,13 +5964,13 @@ class xt {
         client: A,
         client_secret: i,
         codeVerifier: a,
-        scopes: N,
+        scopes: R,
         issueRefreshToken: j,
         user: I.user
       });
     } else if (s == "http://auth0.com/oauth/grant-type/mfa-oob") {
       const {
-        scopes: N,
+        scopes: R,
         error: P,
         error_description: F
       } = await this.validateAndPersistScope(e, t, void 0);
@@ -5904,12 +5984,12 @@ class xt {
           error: "access_denied",
           error_description: "OOB code or binding code not provided"
         };
-      if (!w)
+      if (!g)
         return {
           error: "access_denied",
           error_description: "MFA token not provided"
         };
-      const I = await this.validateMfaToken(w);
+      const I = await this.validateMfaToken(g);
       if (!I.user || !I.key)
         return {
           error: "access_denied",
@@ -5922,7 +6002,7 @@ class xt {
           error_description: "MFA type is not supported for OAuth"
         };
       try {
-        const { secrets: L } = await this.userStorage.getUserById(I.user.id), V = z.decodeData(I.key.data).omfa;
+        const { secrets: z } = await this.userStorage.getUserById(I.user.id), V = L.decodeData(I.key.data).omfa;
         if (!V || !V.otp || !V.oobCode)
           return {
             error: "server_error",
@@ -5935,20 +6015,20 @@ class xt {
           };
         await $.authenticateUser(
           I.user,
-          { ...L, otp: V.otp, expiry: (O = I.key.expires) == null ? void 0 : O.getTime() },
+          { ...z, otp: V.otp, expiry: (O = I.key.expires) == null ? void 0 : O.getTime() },
           { otp: p }
         );
-      } catch (L) {
-        return u.logger.debug(f({ err: L })), {
+      } catch (z) {
+        return u.logger.debug(f({ err: z })), {
           error: "access_denied",
           error_description: "Invalid OTP"
         };
       }
       try {
         await this.keyStorage.deleteKey(I.key.value);
-      } catch (L) {
-        u.logger.debug(f({ err: L })), u.logger.warn(f({
-          cerr: L,
+      } catch (z) {
+        u.logger.debug(f({ err: z })), u.logger.warn(f({
+          cerr: z,
           msg: "Couldn't delete mfa token",
           hashedMfaToken: I.key.value
         }));
@@ -5957,7 +6037,7 @@ class xt {
         client: A,
         client_secret: i,
         codeVerifier: a,
-        scopes: N,
+        scopes: R,
         issueRefreshToken: j,
         user: I.user
       });
@@ -5967,9 +6047,9 @@ class xt {
           error: "invalid_request",
           error_description: "No device code given"
         };
-      let N;
+      let R;
       try {
-        N = await this.keyStorage.getKey(U.deviceCode + C);
+        R = await this.keyStorage.getKey(U.deviceCode + C);
       } catch (P) {
         const F = o.asCrossauthError(P);
         return u.logger.debug(f({ err: F })), u.logger.error(f({ msg: "Couldn't get device code", cerr: F })), {
@@ -5978,8 +6058,8 @@ class xt {
         };
       }
       try {
-        const P = JSON.parse(N.data ?? "{}"), F = (/* @__PURE__ */ new Date()).getTime();
-        if (N.expires && F > N.expires.getTime())
+        const P = JSON.parse(R.data ?? "{}"), F = (/* @__PURE__ */ new Date()).getTime();
+        if (R.expires && F > R.expires.getTime())
           return await this.deleteDeviceCode(C), {
             error: "expired_token",
             error_description: "Code has expired"
@@ -6076,13 +6156,13 @@ class xt {
       };
     }
     let c, d = !1;
-    const w = /* @__PURE__ */ new Date(), y = this.userCodeExpiry, p = new Date(w.getTime() + this.userCodeExpiry * 1e3 + this.clockTolerance * 1e3);
+    const g = /* @__PURE__ */ new Date(), y = this.userCodeExpiry, p = new Date(g.getTime() + this.userCodeExpiry * 1e3 + this.clockTolerance * 1e3);
     for (let v = 0; v < 10 && !d; ++v)
       try {
         c = T.randomValue(this.deviceCodeLength), await this.keyStorage.saveKey(
           void 0,
           U.deviceCode + c,
-          w,
+          g,
           p,
           JSON.stringify({ scope: e, client_id: s })
         ), d = !0;
@@ -6101,7 +6181,7 @@ class xt {
         _ = T.randomBase32(this.userCodeLength), await this.keyStorage.saveKey(
           void 0,
           U.userCode + _,
-          w,
+          g,
           p,
           JSON.stringify({ deviceCode: c })
         ), d = !0;
@@ -6141,7 +6221,7 @@ class xt {
     userCode: s,
     user: e
   }) {
-    var w;
+    var g;
     s = s.replace(/[ -]*/g, "");
     let t, r = {};
     try {
@@ -6187,7 +6267,7 @@ class xt {
         error_description: "Unexpected or incomplete data in device code key"
       };
     }
-    if ((/* @__PURE__ */ new Date()).getTime() > ((w = r.expires) == null ? void 0 : w.getTime()))
+    if ((/* @__PURE__ */ new Date()).getTime() > ((g = r.expires) == null ? void 0 : g.getTime()))
       return await this.deleteUserCode(s), {
         ok: !1,
         error: "expired_token",
@@ -6367,7 +6447,7 @@ class xt {
         error_description: "Invalid MFA token"
       };
     try {
-      if (z.decodeData(t.data).omfaaid != e.factor2)
+      if (L.decodeData(t.data).omfaaid != e.factor2)
         return {
           error: "access_denied",
           error_description: "authenticatorId not valid for user"
@@ -6428,9 +6508,9 @@ class xt {
     if (!n.client) return n;
     const c = n.client, d = await this.authenticateClient(a, c, t);
     if (d.error) return d;
-    const w = await this.validateMfaToken(s);
-    if (!w.user || !w.key) return w;
-    if (w.user.factor2 != i)
+    const g = await this.validateMfaToken(s);
+    if (!g.user || !g.key) return g;
+    if (g.user.factor2 != i)
       return {
         error: "access_denied",
         error_description: "Invalid MFA authenticator"
@@ -6445,15 +6525,15 @@ class xt {
       oobCode: T.randomValue(this.codeLength)
     });
     try {
-      const p = this.authenticators[w.user.factor2];
+      const p = this.authenticators[g.user.factor2];
       if (!p)
         throw new o(
           l.Configuration,
           "User's authenticator has not been loaded"
         );
-      const _ = await p.createOneTimeSecrets(w.user);
+      const _ = await p.createOneTimeSecrets(g.user);
       await this.keyStorage.updateData(
-        w.key.value,
+        g.key.value,
         "omfa",
         { ...y, ..._ }
       );
@@ -6520,7 +6600,7 @@ class xt {
         error: "invalid_request",
         error_description: `The redirect uri ${e} is invalid`
       };
-    const d = /* @__PURE__ */ new Date(), w = this.authorizationCodeExpiry ? new Date(d.getTime() + this.authorizationCodeExpiry * 1e3 + this.clockTolerance * 1e3) : void 0, y = {};
+    const d = /* @__PURE__ */ new Date(), g = this.authorizationCodeExpiry ? new Date(d.getTime() + this.authorizationCodeExpiry * 1e3 + this.clockTolerance * 1e3) : void 0, y = {};
     t && (y.scope = t), i && (y.challengeMethod = a, y.challenge = T.hash(i)), n && (y.username = n.username, y.id = n.id);
     const p = JSON.stringify(y);
     let _ = !1, C = "";
@@ -6530,7 +6610,7 @@ class xt {
           void 0,
           U.authorizationCode + T.hash(C),
           d,
-          w,
+          g,
           p
         ), _ = !0;
       } catch {
@@ -6562,8 +6642,8 @@ class xt {
         t ?? "",
         s.client_secret ?? ""
       ));
-    } catch (R) {
-      return u.logger.error(f({ err: R })), { error: "server_error", error_description: "Couldn't validate client" };
+    } catch (N) {
+      return u.logger.error(f({ err: N })), { error: "server_error", error_description: "Couldn't validate client" };
     }
     if (!c) return {
       error: "access_denied",
@@ -6571,9 +6651,9 @@ class xt {
     };
     let d = {};
     if (e) {
-      let R;
+      let N;
       try {
-        R = await this.keyStorage.getKey(U.authorizationCode + T.hash(e)), d = z.decodeData(R.data);
+        N = await this.keyStorage.getKey(U.authorizationCode + T.hash(e)), d = L.decodeData(N.data);
       } catch (K) {
         return u.logger.debug(f({ err: K })), {
           error: "access_denied",
@@ -6581,7 +6661,7 @@ class xt {
         };
       }
       try {
-        await this.keyStorage.deleteKey(R.value);
+        await this.keyStorage.deleteKey(N.value);
       } catch (K) {
         u.logger.warn(f({
           err: K,
@@ -6597,14 +6677,14 @@ class xt {
         error_description: "Invalid code challenge/code challenge method method for authorization code"
       };
     if (d.challenge) {
-      const R = d.challengeMethod == "plain" ? r ?? "" : T.sha256(r ?? "");
-      if (T.hash(R) != d.challenge)
+      const N = d.challengeMethod == "plain" ? r ?? "" : T.sha256(r ?? "");
+      if (T.hash(N) != d.challenge)
         return {
           error: "access_denied",
           error_description: "Code verifier is incorrect"
         };
     }
-    const w = /* @__PURE__ */ new Date(), y = Math.ceil(w.getTime() / 1e3);
+    const g = /* @__PURE__ */ new Date(), y = Math.ceil(g.getTime() / 1e3);
     let p;
     const _ = T.uuid(), C = {
       jti: _,
@@ -6613,14 +6693,14 @@ class xt {
       sub: d.username,
       type: "access"
     };
-    i && (C.scope = i), this.accessTokenExpiry != null && (C.exp = y + this.accessTokenExpiry, p = new Date(w.getTime() + this.accessTokenExpiry * 1e3 + this.clockTolerance * 1e3)), this.audience && (C.aud = this.audience);
-    const v = await new Promise((R, K) => {
-      ie.sign(
+    i && (C.scope = i), this.accessTokenExpiry != null && (C.exp = y + this.accessTokenExpiry, p = new Date(g.getTime() + this.accessTokenExpiry * 1e3 + this.clockTolerance * 1e3)), this.audience && (C.aud = this.audience);
+    const v = await new Promise((N, K) => {
+      se.sign(
         C,
         this.secretOrPrivateKey,
         { algorithm: this.jwtAlgorithmChecked, keyid: "1" },
         (O, B) => {
-          B ? R(B) : K(O || new o(
+          B ? N(B) : K(O || new o(
             l.Unauthorized,
             "Couldn't create jwt"
           ));
@@ -6631,7 +6711,7 @@ class xt {
       void 0,
       // to avoid user storage dependency, we don't set this
       U.accessToken + T.hash(_),
-      w,
+      g,
       p
     ));
     let k;
@@ -6646,8 +6726,10 @@ class xt {
             error_description: "Couldn't load user data"
           };
         }
+      const N = T.uuid();
       let K = {
-        jti: T.uuid(),
+        aud: s.client_id,
+        jti: N,
         iat: y,
         iss: this.oauthIssuer,
         sub: d.username,
@@ -6697,15 +6779,15 @@ class xt {
         }
       }
       K.scope = i, this.accessTokenExpiry != null && (K.exp = y + this.accessTokenExpiry), k = await new Promise((O, B) => {
-        ie.sign(
+        se.sign(
           K,
           this.secretOrPrivateKey,
           {
             algorithm: this.jwtAlgorithmChecked,
             keyid: this.jwtKid
           },
-          (N, P) => {
-            P ? O(P) : B(N || new o(
+          (R, P) => {
+            P ? O(P) : B(R || new o(
               l.Unauthorized,
               "Couldn't create jwt"
             ));
@@ -6715,11 +6797,11 @@ class xt {
     }
     let A;
     if (a) {
-      const R = {
+      const N = {
         username: d.username,
         client_id: s.client_id
       };
-      i && (R.scope = i);
+      i && (N.scope = i);
       let K;
       const B = {
         jti: T.uuid(),
@@ -6728,13 +6810,13 @@ class xt {
         sub: d.username,
         type: "access"
       };
-      this.refreshTokenExpiry != null && (B.exp = y + this.refreshTokenExpiry, K = this.refreshTokenExpiry ? new Date(y + this.refreshTokenExpiry * 1e3 + this.clockTolerance * 1e3) : void 0), this.audience && (C.aud = this.oauthIssuer), A = await new Promise((N, P) => {
-        ie.sign(
+      this.refreshTokenExpiry != null && (B.exp = y + this.refreshTokenExpiry, K = this.refreshTokenExpiry ? new Date(y + this.refreshTokenExpiry * 1e3 + this.clockTolerance * 1e3) : void 0), this.audience && (C.aud = this.oauthIssuer), A = await new Promise((R, P) => {
+        se.sign(
           B,
           this.secretOrPrivateKey,
           { algorithm: this.jwtAlgorithmChecked, keyid: "1" },
           (F, I) => {
-            I ? N(I) : P(F || new o(
+            I ? R(I) : P(F || new o(
               l.Unauthorized,
               "Couldn't create jwt"
             ));
@@ -6744,9 +6826,9 @@ class xt {
         void 0,
         // to avoid user storage dependency
         U.refreshToken + T.hash(A),
-        w,
+        g,
         K,
-        JSON.stringify(R)
+        JSON.stringify(N)
       ));
     }
     return {
@@ -6840,7 +6922,7 @@ class xt {
   }
   async validateJwt(s, e) {
     return new Promise((t, r) => {
-      ie.verify(
+      se.verify(
         s,
         this.secretOrPublicKey,
         { clockTolerance: this.clockTolerance, complete: !0 },
@@ -6982,7 +7064,7 @@ class xt {
   jwks() {
     let s = [];
     if (this.jwtPublicKey) {
-      const e = Le(this.jwtPublicKey).export({ format: "jwk" });
+      const e = ze(this.jwtPublicKey).export({ format: "jwk" });
       e.kid = "1", e.alg = this.jwtKeyType, s.push(e);
     }
     return { keys: s };
@@ -7028,10 +7110,10 @@ class nt extends Pe {
    * 
    * @param options see {@link OAuthTokenConsumerOptions}
    */
-  constructor(e = {}) {
-    const t = { audience: "" };
-    m("jwtKeyType", g.String, t, e, "JWT_KEY_TYPE"), m("audience", g.String, t, e, "OAUTH_AUDIENCE", !0);
-    super(t.audience, { ...e, ...t });
+  constructor(e, t = {}) {
+    const r = {};
+    w("jwtKeyType", m.String, r, t, "JWT_KEY_TYPE");
+    super(e, { ...t, ...r });
     /**
      * Value passed to the constructor.  The `aud` claim must match it
      */
@@ -7044,7 +7126,7 @@ class nt extends Pe {
     h(this, "keyStorage");
     h(this, "jwtSecretKeyFile", "");
     h(this, "jwtPublicKeyFile", "");
-    if (this.audience = t.audience, m("authServerBaseUrl", g.String, this, e, "AUTH_SERVER_BASE_URL", !0), m("jwtSecretKeyFile", g.String, this, e, "JWT_SECRET_KEY_FILE"), m("jwtPublicKeyFile", g.String, this, e, "JWT_PUBLIC_KEY_FILE"), m("jwtSecretKey", g.String, this, e, "JWT_SECRET_KEY"), m("jwtPublicKey", g.String, this, e, "JWT_PUBLIC_KEY"), m("clockTolerance", g.Number, this, e, "OAUTH_CLOCK_TOLERANCE"), m("persistAccessToken", g.Boolean, this, e, "OAUTH_PERSIST_ACCESS_TOKEN"), this.keyStorage = e.keyStorage, this.jwtSecretKey || this.jwtSecretKeyFile) {
+    if (this.audience = e, w("authServerBaseUrl", m.String, this, t, "AUTH_SERVER_BASE_URL", !0), w("jwtSecretKeyFile", m.String, this, t, "JWT_SECRET_KEY_FILE"), w("jwtPublicKeyFile", m.String, this, t, "JWT_PUBLIC_KEY_FILE"), w("jwtSecretKey", m.String, this, t, "JWT_SECRET_KEY"), w("jwtPublicKey", m.String, this, t, "JWT_PUBLIC_KEY"), w("clockTolerance", m.Number, this, t, "OAUTH_CLOCK_TOLERANCE"), w("persistAccessToken", m.Boolean, this, t, "OAUTH_PERSIST_ACCESS_TOKEN"), this.keyStorage = t.keyStorage, this.jwtSecretKey || this.jwtSecretKeyFile) {
       if (this.jwtPublicKey || this.jwtPublicKeyFile)
         throw new o(
           l.Configuration,
@@ -7087,7 +7169,6 @@ class nt extends Pe {
    * @param token The token to validate
    * @param tokenType If defined, the `type` claim in the payload must
    *        match this value
-   * @returns 
    */
   async tokenAuthorized(e, t) {
     var i;
@@ -7109,7 +7190,7 @@ class nt extends Pe {
     return r;
   }
 }
-class Bt extends Ke {
+class Ht extends Ke {
   /**
    * Constructor
    * @param authServerBaseUrl bsae URI for the authorization server
@@ -7121,20 +7202,28 @@ class Bt extends Ke {
     const r = {
       client_id: ""
     };
-    m("client_id", g.String, r, t, "OAUTH_CLIENT_ID", !0);
+    w("client_id", m.String, r, t, "OAUTH_CLIENT_ID", !0);
     super({
       authServerBaseUrl: e,
-      tokenConsumer: new nt({
-        audience: r.client_id,
-        authServerBaseUrl: e,
-        ...t
-      }),
+      tokenConsumer: new nt(
+        r.client_id,
+        {
+          audience: r.client_id,
+          authServerBaseUrl: e,
+          ...t
+        }
+      ),
       ...t
     });
     h(this, "deviceAuthorizationUrl", "device_authorization");
+    h(this, "userCreationType", "idToken");
+    h(this, "userMatchField", "username");
+    h(this, "idTokenMatchField", "sub");
+    h(this, "userCreationFn");
+    h(this, "userStorage");
     this.client_id = r.client_id;
     let i = {};
-    m("stateLength", g.String, this, t, "OAUTH_STATE_LENGTH"), m("verifierLength", g.String, this, t, "OAUTH_VERIFIER_LENGTH"), m("client_secret", g.String, i, t, "OAUTH_CLIENT_SECRET"), m("codeChallengeMethod", g.String, this, t, "OAUTH_CODE_CHALLENGE_METHOD"), m("deviceAuthorizationUrl", g.String, this, t, "OAUTH_DEVICE_AUTHORIZATION_URL"), this.deviceAuthorizationUrl.startsWith("/") && (this.deviceAuthorizationUrl = this.deviceAuthorizationUrl.substring(1)), i.client_secret && (this.client_secret = i.client_secret);
+    w("stateLength", m.String, this, t, "OAUTH_STATE_LENGTH"), w("verifierLength", m.String, this, t, "OAUTH_VERIFIER_LENGTH"), w("client_secret", m.String, i, t, "OAUTH_CLIENT_SECRET"), w("codeChallengeMethod", m.String, this, t, "OAUTH_CODE_CHALLENGE_METHOD"), w("deviceAuthorizationUrl", m.String, this, t, "OAUTH_DEVICE_AUTHORIZATION_URL"), this.deviceAuthorizationUrl.startsWith("/") && (this.deviceAuthorizationUrl = this.deviceAuthorizationUrl.substring(1)), i.client_secret && (this.client_secret = i.client_secret), w("userCreationType", m.String, this, t, "OAUTH_USER_CREATION_TYPE"), w("userMatchField", m.String, this, t, "OAUTH_USER_MATCH_FIELD"), w("idTokenMatchField", m.String, this, t, "OAUTH_IDTOKEN_MaTCH_FIELD"), this.userCreationType == "merge" ? this.userCreationFn = ot : this.userCreationType == "embed" ? this.userCreationFn = lt : t.userCreationFn && this.userCreationType == "custom" ? this.userCreationFn = t.userCreationFn : this.userCreationFn = ct, t.userStorage && (this.userStorage = t.userStorage);
   }
   /**
    * Uses {@link @crossauth/backend!Crypto.randomValue} to create a random string
@@ -7154,7 +7243,38 @@ class Bt extends Ke {
     return T.sha256(e);
   }
 }
-class zt {
+async function ot(S, s, e, t) {
+  if (!s) throw new o(l.Configuration, "userCreationType set to merge but no user storage set");
+  try {
+    let r;
+    return e == "username" ? r = await s.getUserByUsername(S[t]) : e == "username" ? r = await s.getUserByEmail(S[t]) : r = await s.getUserBy(e, S[t]), { ...S, ...r.user };
+  } catch (r) {
+    const i = o.asCrossauthError(r);
+    if (i.code == l.UserNotExist || i.code == l.UserNotActive)
+      return;
+    throw u.logger.error(f({ err: r })), r;
+  }
+}
+async function lt(S, s, e, t) {
+  if (!s) throw new o(l.Configuration, "userCreationType set to embed but no user storage set");
+  try {
+    let r;
+    return e == "username" ? r = await s.getUserByUsername(S[t]) : e == "username" ? r = await s.getUserByEmail(S[t]) : r = await s.getUserBy(e, S[t]), { ...r.user, idToken: S };
+  } catch (r) {
+    const i = o.asCrossauthError(r);
+    if (i.code == l.UserNotExist || i.code == l.UserNotActive)
+      return;
+    throw u.logger.error({ err: r }), r;
+  }
+}
+async function ct(S, s, e, t) {
+  return {
+    id: S.userid ?? S.sub,
+    username: S.sub,
+    state: S.state ?? "active"
+  };
+}
+class Mt {
   /**
    * Constructor
    * @param tokenConsumers one or more consumers that will process
@@ -7163,10 +7283,12 @@ class zt {
    *        at present
    */
   constructor(s, e = {}) {
-    /** The token consumer that validates the access tokens.  Required */
-    h(this, "tokenConsumers", {});
-    for (let t of s)
-      this.tokenConsumers[t.authServerBaseUrl] = t;
+    /** The token consumer that validates the access tokens.
+     * Keyed on auth server base URL then audience.  The latter may be ""
+     * for none
+     */
+    h(this, "tokenConsumers");
+    this.tokenConsumers = [...s];
   }
   /**
    * Returns a token payload if the access token has a valid signature
@@ -7184,8 +7306,9 @@ class zt {
   async accessTokenAuthorized(s) {
     try {
       const e = He.decodeJwt(s);
-      if (e.iss && e.iss in this.tokenConsumers)
-        return await this.tokenConsumers[e.iss].tokenAuthorized(s, "access");
+      for (let t of this.tokenConsumers)
+        if (e.iss == t.authServerBaseUrl && (e.aud == t.audience || e.aud == null && t.audience == ""))
+          return await t.tokenAuthorized(s, "access");
       throw new o(l.Unauthorized, "Invalid issuer in access token");
     } catch (e) {
       u.logger.warn(f({ err: e }));
@@ -7194,44 +7317,44 @@ class zt {
   }
 }
 export {
-  he as ApiKeyManager,
+  ge as ApiKeyManager,
   re as Authenticator,
   T as Crypto,
   rt as DoubleSubmitCsrfToken,
-  Ft as DummyFactor2Authenticator,
+  Rt as DummyFactor2Authenticator,
   Z as EmailAuthenticator,
-  Et as InMemoryKeyStorage,
-  Ut as InMemoryOAuthAuthorizationStorage,
-  bt as InMemoryOAuthClientStorage,
-  kt as InMemoryUserStorage,
-  z as KeyStorage,
-  Ot as LdapAuthenticator,
-  ae as LdapUserStorage,
+  At as InMemoryKeyStorage,
+  Pt as InMemoryOAuthAuthorizationStorage,
+  It as InMemoryOAuthClientStorage,
+  Ut as InMemoryUserStorage,
+  L as KeyStorage,
+  xt as LdapAuthenticator,
+  oe as LdapUserStorage,
   Te as LocalPasswordAuthenticator,
-  xt as OAuthAuthorizationServer,
-  fe as OAuthAuthorizationStorage,
-  Bt as OAuthClientBackend,
+  zt as OAuthAuthorizationServer,
+  we as OAuthAuthorizationStorage,
+  Ht as OAuthClientBackend,
   J as OAuthClientManager,
-  ue as OAuthClientStorage,
-  zt as OAuthResourceServer,
+  me as OAuthClientStorage,
+  Mt as OAuthResourceServer,
   nt as OAuthTokenConsumer,
-  g as ParamType,
+  m as ParamType,
   be as PasswordAuthenticator,
-  It as PostgresKeyStorage,
-  Kt as PostgresOAuthAuthorizationStorage,
-  Pt as PostgresOAuthClientStorage,
-  At as PostgresUserStorage,
-  vt as PrismaKeyStorage,
-  _t as PrismaOAuthAuthorizationStorage,
-  Tt as PrismaOAuthClientStorage,
+  Ft as PostgresKeyStorage,
+  Nt as PostgresOAuthAuthorizationStorage,
+  Ot as PostgresOAuthClientStorage,
+  Kt as PostgresUserStorage,
+  kt as PrismaKeyStorage,
+  bt as PrismaOAuthAuthorizationStorage,
+  Et as PrismaOAuthClientStorage,
   G as PrismaUserStorage,
-  x as SessionCookie,
-  Dt as SessionManager,
+  D as SessionCookie,
+  Lt as SessionManager,
   Q as SmsAuthenticator,
-  D as TokenEmailer,
-  Nt as TotpAuthenticator,
+  x as TokenEmailer,
+  Dt as TotpAuthenticator,
   Ue as TwilioAuthenticator,
   H as UserStorage,
-  m as setParameter,
-  Rt as toCookieSerializeOptions
+  w as setParameter,
+  Bt as toCookieSerializeOptions
 };