@crossauth/backend 0.0.39 → 0.0.40

package/dist/index.js

@@ -1,19 +1,19 @@
 var Ae = Object.defineProperty;
 var Ie = (S, s, e) => s in S ? Ae(S, s, { enumerable: !0, configurable: !0, writable: !0, value: e }) : S[s] = e;
 var h = (S, s, e) => Ie(S, typeof s != "symbol" ? s + "" : s, e);
-import { CrossauthError as o, ErrorCode as l, UserState as E, CrossauthLogger as u, j as f, OAuthFlows as b, KeyPrefix as U, OAuthTokenConsumerBase as Pe, OAuthClientBase as Ke } from "@crossauth/common";
+import { CrossauthError as o, ErrorCode as l, UserState as E, CrossauthLogger as u, j as f, OAuthFlows as U, KeyPrefix as b, OAuthTokenConsumerBase as Pe, OAuthClientBase as Ke } from "@crossauth/common";
 import { PrismaClient as ce, Prisma as X } from "@prisma/client";
 import ye from "@mbakereth/ldapjs";
-import { timingSafeEqual as he, randomBytes as ue, randomUUID as Fe, createHash as Oe, pbkdf2 as Ne, createHmac as ie, createCipheriv as Re, createDecipheriv as De, randomInt as ee } from "node:crypto";
+import { timingSafeEqual as he, randomBytes as ue, randomUUID as Oe, createHash as Fe, pbkdf2 as Ne, createHmac as se, createCipheriv as De, createDecipheriv as Re, randomInt as te } from "node:crypto";
 import { promisify as xe } from "node:util";
 import W from "nunjucks";
 import Ee from "nodemailer";
 import Be from "twilio";
-import Le from "qrcode";
+import ze from "qrcode";
 import { authenticator as fe } from "otplib";
-import se from "jsonwebtoken";
-import { createPublicKey as ze } from "crypto";
-import te from "node:fs";
+import ee from "jsonwebtoken";
+import re from "node:fs";
+import { createPublicKey as Le } from "crypto";
 import * as He from "jose";
 var g = /* @__PURE__ */ ((S) => (S[S.String = 0] = "String", S[S.Number = 1] = "Number", S[S.Boolean = 2] = "Boolean", S[S.Json = 3] = "Json", S[S.JsonArray = 4] = "JsonArray", S))(g || {});
 function je(S, s) {
@@ -98,7 +98,7 @@ class L {
     return s.normalize("NFD").replace(new RegExp("\\p{Diacritic}", "gu"), "").toLowerCase();
   }
 }
-class x {
+class z {
   /**
    * Returns an object decoded from the data field as a JSON string
    * @param data the JSON string to decode
@@ -413,7 +413,7 @@ class G extends L {
     }
   }
 }
-class kt extends x {
+class Et extends z {
   /**
    * Constructor with user storage object to use plus optional parameters.
    * 
@@ -683,7 +683,7 @@ class kt extends x {
     }
   }
 }
-class Et extends me {
+class bt extends me {
   /**
    * Constructor with user storage object to use plus optional parameters.
    * 
@@ -778,7 +778,7 @@ class Et extends me {
       }
     if (i) {
       for (let d = 0; d < i.length; ++d)
-        if (!b.isValidFlow(i[d])) throw new o(l.InvalidOAuthFlow, "Invalid flow " + i[d]);
+        if (!U.isValidFlow(i[d])) throw new o(l.InvalidOAuthFlow, "Invalid flow " + i[d]);
     }
     try {
       c = await t[this.clientTable].create({
@@ -865,7 +865,7 @@ class Et extends me {
       }
     if (i) {
       for (let a = 0; a < i.length; ++a)
-        if (!b.isValidFlow(i[a])) throw new o(l.InvalidOAuthFlow, "Redirect Uri's may not contain page fragments");
+        if (!U.isValidFlow(i[a])) throw new o(l.InvalidOAuthFlow, "Redirect Uri's may not contain page fragments");
     }
     try {
       let a = { ...e };
@@ -946,7 +946,7 @@ class Et extends me {
     }
   }
 }
-class bt extends we {
+class Ut extends we {
   /**
    * Constructor with user storage object to use plus optional parameters.
    * 
@@ -1011,7 +1011,7 @@ class bt extends we {
     }
   }
 }
-class Ut extends L {
+class At extends L {
   /**
    * Creates a InMemoryUserStorage object, optionally overriding defaults.
    * @param options see {@link InMemoryUserStorageOptions}
@@ -1157,7 +1157,7 @@ class Ut extends L {
     return i;
   }
 }
-class At extends x {
+class It extends z {
   /**
    * Constructor
    */
@@ -1310,7 +1310,7 @@ class At extends x {
     this.deleteDataInternal(i, t) && (r.data = JSON.stringify(i));
   }
 }
-class It extends me {
+class Pt extends me {
   /**
    * Constructor
    */
@@ -1401,7 +1401,7 @@ class It extends me {
     return a;
   }
 }
-class Pt extends we {
+class Kt extends we {
   /**
    * Constructor
    */
@@ -1903,7 +1903,7 @@ class Y extends L {
     }
   }
 }
-class qe extends x {
+class qe extends z {
   /**
    * Constructor with user storage object to use plus optional parameters.
    * 
@@ -2216,10 +2216,10 @@ class We extends me {
     t && r && (p = `where c.${t} = ` + d.nextParameter(), w.push(r)), i !== null && i == null || (p == "" ? p = "where " : p += " and ", i == null ? p += "userid is null" : (p += `${this.useridForeignKeyColumn} = ` + d.nextParameter(), w.push(i))), n && (a || (a = 0), a = Number(a), n = Number(n), C == "" ? C = "where " : C += " and ", C += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${a})`, p == "" ? p = "where " : p += " and ", p += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${a})`), y += C, v += p;
     let T = y + " union " + v + " order by client_id";
     const k = await e.execute(T, w);
-    let A;
-    for (let z of k)
-      (!A || z.client_id != A.client_id) && (A && c.push(A), A = this.makeClient(z), A.valid_flow = [], A.redirect_uri = []), z.uri && A.redirect_uri.push(z.uri), z.flow && A.valid_flow.push(z.flow);
-    return A && c.push(A), c;
+    let P;
+    for (let H of k)
+      (!P || H.client_id != P.client_id) && (P && c.push(P), P = this.makeClient(H), P.valid_flow = [], P.redirect_uri = []), H.uri && P.redirect_uri.push(H.uri), H.flow && P.valid_flow.push(H.flow);
+    return P && c.push(P), c;
   }
   /**
    * Saves a key in the session table.
@@ -2253,7 +2253,7 @@ class We extends me {
       }
     if (i) {
       for (let p = 0; p < i.length; ++p)
-        if (!b.isValidFlow(i[p])) throw new o(l.InvalidOAuthFlow, "Invalid flow " + i[p]);
+        if (!U.isValidFlow(i[p])) throw new o(l.InvalidOAuthFlow, "Invalid flow " + i[p]);
     }
     let c = [], d = [], w = [], y = this.dbPool.parameters();
     try {
@@ -2338,7 +2338,7 @@ class We extends me {
       }
     if (i) {
       for (let T = 0; T < i.length; ++T)
-        if (!b.isValidFlow(i[T])) throw new o(l.InvalidOAuthFlow, "Redirect Uri's may not contain page fragments");
+        if (!U.isValidFlow(i[T])) throw new o(l.InvalidOAuthFlow, "Redirect Uri's may not contain page fragments");
     }
     if (!t.client_id) throw new o(l.InvalidClientId, "No client ig given");
     let { client_id: a, redirect_uri: n, valid_flow: c, ...d } = t;
@@ -2488,7 +2488,7 @@ class Qe extends Ge {
     return "$" + this.nextParam++;
   }
 }
-class Kt extends Y {
+class Ot extends Y {
   /**
    * Creates a PostgresUserStorage object, optionally overriding defaults.
    * @param pgPool the instance of the Posrgres client. 
@@ -2508,7 +2508,7 @@ class Ft extends qe {
     super(new de(s), e);
   }
 }
-class Ot extends We {
+class Nt extends We {
   /**
    * Creates a PostgresOAuthClientStorage object, optionally overriding defaults.
    * @param pgPool the instance of the Posrgres client. 
@@ -2518,7 +2518,7 @@ class Ot extends We {
     super(new de(s), e);
   }
 }
-class Nt extends Je {
+class Dt extends Je {
   /**
    * Creates a PostgresOAuthClientStorage object, optionally overriding defaults.
    * @param pgPool the instance of the Posrgres client. 
@@ -2528,7 +2528,7 @@ class Nt extends Je {
     super(new de(s), e);
   }
 }
-class re {
+class ie {
   // overridden when registered to backend
   /** 
    * Constructor.
@@ -2555,7 +2555,7 @@ class re {
     return !0;
   }
 }
-class be extends re {
+class be extends ie {
   /** @returns `password` */
   secretNames() {
     return ["password"];
@@ -2686,7 +2686,7 @@ const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2
    * Creates a UUID
    */
   static uuid() {
-    return Fe();
+    return Oe();
   }
   /**
    * Standard hash using SHA256 (not PBKDF2 or HMAC)
@@ -2704,7 +2704,7 @@ const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2
    * @returns the string containing the hash 
    */
   static sha256(s) {
-    return Oe("sha256").update(s).digest("base64url");
+    return Fe("sha256").update(s).digest("base64url");
   }
   /**
    * Hashes a password and returns it as a base64 or base64url encoded string
@@ -2759,7 +2759,7 @@ const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2
    * @returns Base64-url encoded hash
    */
   static sign(s, e, t, r) {
-    const i = q.signableToken(s, t, r), a = ie(ae, e);
+    const i = q.signableToken(s, t, r), a = se(ae, e);
     return i + "." + a.update(i).digest("base64url");
   }
   /**
@@ -2772,7 +2772,7 @@ const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2
    * @returns Base64-url encoded hash
    */
   static signSecureToken(s, e) {
-    const t = ie(ae, e);
+    const t = se(ae, e);
     return s + "." + t.update(s).digest("base64url");
   }
   /**
@@ -2791,7 +2791,7 @@ const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2
     const i = r[0], a = r[1], n = JSON.parse(Buffer.from(i, "base64url").toString());
     if (t && n.t + t * 1e3 > (/* @__PURE__ */ new Date()).getTime())
       throw new o(l.Expired);
-    const d = ie(ae, e).update(i).digest("base64url");
+    const d = se(ae, e).update(i).digest("base64url");
     if (d.length != a.length)
       throw new o(l.InvalidKey, "Signature does not match payload");
     if (!he(Buffer.from(d), Buffer.from(a)))
@@ -2811,7 +2811,7 @@ const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2
   static unsignSecureToken(s, e) {
     const t = s.split(".");
     if (t.length != 2) throw new o(l.InvalidKey);
-    const r = t[0], i = t[1], a = r, c = ie(ae, e).update(r).digest("base64url");
+    const r = t[0], i = t[1], a = r, c = se(ae, e).update(r).digest("base64url");
     if (c.length != i.length)
       throw new o(l.InvalidKey, "Signature does not match payload");
     if (!he(Buffer.from(c), Buffer.from(i)))
@@ -2838,7 +2838,7 @@ const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2
   static symmetricEncrypt(s, e, t = void 0) {
     t || (t = ue(16));
     let r = Buffer.from(e, "base64url");
-    var i = Re("aes-256-cbc", r, t);
+    var i = De("aes-256-cbc", r, t);
     let a = i.update(s);
     return a = Buffer.concat([a, i.final()]), t.toString("base64url") + "." + a.toString("base64url");
   }
@@ -2854,7 +2854,7 @@ const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2
     const r = s.split(".");
     if (r.length != 2) throw new o(l.InvalidHash, "Not AES-256-CBC ciphertext");
     let i = Buffer.from(r[0], "base64url"), a = Buffer.from(r[1], "base64url");
-    var n = De("aes-256-cbc", t, i);
+    var n = Re("aes-256-cbc", t, i);
     let c = n.update(a);
     return c = Buffer.concat([c, n.final()]), c.toString();
   }
@@ -3028,7 +3028,7 @@ const le = class le extends be {
 };
 h(le, "NoPassword", "********");
 let ve = le;
-class Z extends re {
+class Z extends ie {
   /**
    * Constructor
    * 
@@ -3094,7 +3094,7 @@ class Z extends re {
       l.Configuration,
       "Please set factorName on EmailAuthenticator before using"
     );
-    const t = Z.zeroPad(ee(999999), 6), r = e.email ? e.email : e.username;
+    const t = Z.zeroPad(te(999999), 6), r = e.email ? e.email : e.username;
     Z.validateEmail(r);
     const i = /* @__PURE__ */ new Date(), a = new Date(i.getTime() + 1e3 * this.emailAuthenticatorTokenExpires).getTime(), n = {
       username: e.username,
@@ -3119,7 +3119,7 @@ class Z extends re {
    * @returns 
    */
   async reprepareConfiguration(e, t) {
-    const r = x.decodeData(t.data)["2fa"], i = Z.zeroPad(ee(999999), 6), a = /* @__PURE__ */ new Date(), n = new Date(a.getTime() + 1e3 * this.emailAuthenticatorTokenExpires).getTime(), c = this.sendToken(r.email, i);
+    const r = z.decodeData(t.data)["2fa"], i = Z.zeroPad(te(999999), 6), a = /* @__PURE__ */ new Date(), n = new Date(a.getTime() + 1e3 * this.emailAuthenticatorTokenExpires).getTime(), c = this.sendToken(r.email, i);
     return u.logger.info(f({
       msg: "Sent factor otp email",
       emailMessageId: c,
@@ -3164,7 +3164,7 @@ class Z extends re {
    * @returns `otp` and `expiry` as a Unix time (number).
    */
   async createOneTimeSecrets(e) {
-    const t = Z.zeroPad(ee(999999), 6), r = /* @__PURE__ */ new Date(), i = new Date(r.getTime() + 1e3 * this.emailAuthenticatorTokenExpires).getTime(), a = e.email || e.username, n = this.sendToken(a, t);
+    const t = Z.zeroPad(te(999999), 6), r = /* @__PURE__ */ new Date(), i = new Date(r.getTime() + 1e3 * this.emailAuthenticatorTokenExpires).getTime(), a = e.email || e.username, n = this.sendToken(a, t);
     return u.logger.info(f({
       msg: "Sent factor otp email",
       emailMessageId: n,
@@ -3244,7 +3244,7 @@ class Z extends re {
     return Array(+(r > 0 && r)).join("0") + e;
   }
 }
-class Q extends re {
+class Q extends ie {
   /**
    * Constructor
    * @param options see {@link SmsAuthenticatorOptions}
@@ -3283,7 +3283,7 @@ class Q extends re {
       l.Configuration,
       "Please set factorName on SmsAuthenticator before using"
     );
-    const t = Q.zeroPad(ee(999999), 6), r = e.phone;
+    const t = Q.zeroPad(te(999999), 6), r = e.phone;
     Q.validatePhone(r);
     const i = /* @__PURE__ */ new Date(), a = new Date(i.getTime() + 1e3 * this.smsAuthenticatorTokenExpires).getTime(), n = {
       username: e.username,
@@ -3310,7 +3310,7 @@ class Q extends re {
    * @returns 
    */
   async reprepareConfiguration(e, t) {
-    const r = x.decodeData(t.data)["2fa"], i = Q.zeroPad(ee(999999), 6), a = /* @__PURE__ */ new Date(), n = new Date(a.getTime() + 1e3 * this.smsAuthenticatorTokenExpires).getTime(), c = this.sendSms(r.phone, i);
+    const r = z.decodeData(t.data)["2fa"], i = Q.zeroPad(te(999999), 6), a = /* @__PURE__ */ new Date(), n = new Date(a.getTime() + 1e3 * this.smsAuthenticatorTokenExpires).getTime(), c = this.sendSms(r.phone, i);
     return u.logger.info(f({
       msg: "Sent factor otp sms",
       smsMessageId: c,
@@ -3354,7 +3354,7 @@ class Q extends re {
    * @returns `otp` and `expiry` as a Unix time (number).
    */
   async createOneTimeSecrets(e) {
-    const t = Q.zeroPad(ee(999999), 6), r = /* @__PURE__ */ new Date(), i = new Date(r.getTime() + 1e3 * this.smsAuthenticatorTokenExpires).getTime(), a = e.phone, n = this.sendSms(a, t);
+    const t = Q.zeroPad(te(999999), 6), r = /* @__PURE__ */ new Date(), i = new Date(r.getTime() + 1e3 * this.smsAuthenticatorTokenExpires).getTime(), a = e.phone, n = this.sendSms(a, t);
     return u.logger.info(f({
       msg: "Sent factor otp sms",
       smsMessageId: n,
@@ -3474,7 +3474,7 @@ class Ue extends Q {
     return (await Be(this.accountSid, this.authToken).messages.create(r)).sid;
   }
 }
-class Rt extends re {
+class Rt extends ie {
   /**
    * Constructor
    * 
@@ -3529,7 +3529,7 @@ class Rt extends re {
    * @returns 
    */
   async reprepareConfiguration(e, t) {
-    const r = x.decodeData(t.data)["2fa"], i = this.code, a = /* @__PURE__ */ new Date(), n = new Date(a.getTime() + 1e3 * 60).getTime();
+    const r = z.decodeData(t.data)["2fa"], i = this.code, a = /* @__PURE__ */ new Date(), n = new Date(a.getTime() + 1e3 * 60).getTime();
     return {
       userData: { factor2: r.factor2, otp: i },
       secrets: {},
@@ -3635,7 +3635,7 @@ class Rt extends re {
     return Array(+(r > 0 && r)).join("0") + e;
   }
 }
-class Dt extends be {
+class xt extends be {
   /**
    * Create a new authenticator.
    * 
@@ -3736,7 +3736,7 @@ class Dt extends be {
   async reprepareConfiguration(e, t) {
   }
 }
-class xt extends re {
+class Bt extends ie {
   /**
    * Constructor
    * @param appName this forms part of the QR code that users scan into 
@@ -3763,7 +3763,7 @@ class xt extends re {
   async createSecret(e, t) {
     t || (t = fe.generateSecret());
     let r = "";
-    return await Le.toDataURL(fe.keyuri(e, this.appName, t)).then((i) => {
+    return await ze.toDataURL(fe.keyuri(e, this.appName, t)).then((i) => {
       r = i;
     }).catch((i) => {
       throw u.logger.debug(f({ err: i })), new o(
@@ -3773,7 +3773,7 @@ class xt extends re {
     }), { qrUrl: r, secret: t };
   }
   async getSecretFromSession(e, t) {
-    let r = x.decodeData(t.data);
+    let r = z.decodeData(t.data);
     if (r && r["2fa"] && (r = r["2fa"]), !("totpsecret" in r))
       throw new o(
         l.Unauthorized,
@@ -3917,7 +3917,7 @@ class xt extends re {
   }
 }
 const ne = 16;
-class R {
+class D {
   /**
    * Construct a new EmailVerifier.
    * 
@@ -3964,24 +3964,24 @@ class R {
    * correct prefix for inserting into storage.
    */
   static hashEmailVerificationToken(s) {
-    return U.emailVerificationToken + _.hash(s);
+    return b.emailVerificationToken + _.hash(s);
   }
   /**
    * Produces a hash of the given password reset token with the
    * correct prefix for inserting into storage.
    */
   static hashPasswordResetToken(s) {
-    return U.passwordResetToken + _.hash(s);
+    return b.passwordResetToken + _.hash(s);
   }
   async createAndSaveEmailVerificationToken(s, e = "") {
     let r = 0;
     const i = /* @__PURE__ */ new Date(), a = new Date(i.getTime() + 1e3 * this.verifyEmailExpires);
     for (; r < 10; ) {
-      let n = _.randomValue(ne), c = R.hashEmailVerificationToken(n);
+      let n = _.randomValue(ne), c = D.hashEmailVerificationToken(n);
       try {
         return await this.keyStorage.saveKey(s, c, i, a, e), n;
       } catch {
-        n = _.randomValue(ne), c = R.hashEmailVerificationToken(n), r++;
+        n = _.randomValue(ne), c = D.hashEmailVerificationToken(n), r++;
       }
     }
     throw new o(l.Connection, "failed creating a unique key");
@@ -4022,7 +4022,7 @@ class R {
         "Either emailVerificationTextBody or emailVerificationHtmlBody must be set to send email verification emails"
       );
     let { user: r } = await this.userStorage.getUserById(s, { skipEmailVerifiedCheck: !0 }), i = e;
-    i != "" ? R.validateEmail(i) : (i = r.email ?? r.username, i || (i = r.username), R.validateEmail(i)), R.validateEmail(i);
+    i != "" ? D.validateEmail(i) : (i = r.email ?? r.username, i || (i = r.username), D.validateEmail(i)), D.validateEmail(i);
     const a = await this.createAndSaveEmailVerificationToken(s, e), n = await this._sendEmailVerificationToken(a, i, t);
     u.logger.info(f({ msg: "Sent email verification email", emailMessageId: n, email: i }));
   }
@@ -4042,20 +4042,20 @@ class R {
    *          address the user is validating
    */
   async verifyEmailVerificationToken(s) {
-    const e = R.hashEmailVerificationToken(s);
+    const e = D.hashEmailVerificationToken(s);
     let t = await this.keyStorage.getKey(e);
     try {
       if (!t.userid || !t.expires) throw new o(l.InvalidKey);
       const { user: r } = await this.userStorage.getUserById(t.userid, { skipEmailVerifiedCheck: !0 });
       let i = (r.email ?? r.username).toLowerCase();
-      if (i || (i = r.username.toLowerCase()), R.validateEmail(i), (/* @__PURE__ */ new Date()).getTime() > t.expires.getTime()) throw new o(l.Expired);
+      if (i || (i = r.username.toLowerCase()), D.validateEmail(i), (/* @__PURE__ */ new Date()).getTime() > t.expires.getTime()) throw new o(l.Expired);
       return { userid: t.userid, newEmail: t.data ?? "" };
     } finally {
     }
   }
   async deleteEmailVerificationToken(s) {
     try {
-      const e = R.hashEmailVerificationToken(s);
+      const e = D.hashEmailVerificationToken(s);
       await this.keyStorage.deleteKey(e);
     } catch (e) {
       const t = o.asCrossauthError(e);
@@ -4066,11 +4066,11 @@ class R {
     let t = 0;
     const r = /* @__PURE__ */ new Date(), i = new Date(r.getTime() + 1e3 * this.passwordResetExpires);
     for (; t < 10; ) {
-      let a = _.randomValue(ne), n = R.hashPasswordResetToken(a);
+      let a = _.randomValue(ne), n = D.hashPasswordResetToken(a);
       try {
         return await this.keyStorage.saveKey(s, n, r, i), a;
       } catch {
-        a = _.randomValue(ne), n = R.hashPasswordResetToken(a), t++;
+        a = _.randomValue(ne), n = D.hashPasswordResetToken(a), t++;
       }
     }
     throw new o(l.Connection, "failed creating a unique key");
@@ -4090,7 +4090,7 @@ class R {
    * @returns the user that the token is for
    */
   async verifyPasswordResetToken(s) {
-    const e = R.hashPasswordResetToken(s);
+    const e = D.hashPasswordResetToken(s);
     u.logger.debug("verifyPasswordResetToken " + s + " " + e);
     let t = await this.keyStorage.getKey(e);
     if (!t.userid) throw new o(l.InvalidKey);
@@ -4139,7 +4139,7 @@ class R {
     if (!t && r.state != E.active && r.state != E.passwordResetNeeded && r.state != E.passwordAndFactor2ResetNeeded)
       throw new o(l.UserNotActive);
     let i = (r.email ?? r.username).toLowerCase();
-    i || (i = r.username.toLowerCase()), R.validateEmail(i);
+    i || (i = r.username.toLowerCase()), D.validateEmail(i);
     const a = await this.createAndSavePasswordResetToken(s), n = await this._sendPasswordResetToken(a, i, e);
     u.logger.info(f({ msg: "Sent password reset email", emailMessageId: n, email: i }));
   }
@@ -4161,11 +4161,11 @@ class R {
    * @param email the email to validate
    */
   static validateEmail(s) {
-    if (s == null || !R.isEmailValid(s)) throw new o(l.InvalidEmail);
+    if (s == null || !D.isEmailValid(s)) throw new o(l.InvalidEmail);
   }
 }
 const _e = 16, ke = 16;
-function Bt(S) {
+function zt(S) {
   return {
     ...S,
     path: S.path ?? "/"
@@ -4285,7 +4285,7 @@ class rt {
     }
   }
 }
-class D {
+class R {
   /**
    * Constructor.
    * 
@@ -4328,7 +4328,7 @@ class D {
    * @returns a base64-url-encoded string that can go into the storage
    */
   static hashSessionId(s) {
-    return U.session + _.hash(s);
+    return b.session + _.hash(s);
   }
   /**
    * Creates a session key and saves in storage
@@ -4351,7 +4351,7 @@ class D {
     const a = /* @__PURE__ */ new Date();
     let n = this.expiry(a), c = !1;
     for (; r < 10 && !c; ) {
-      const d = D.hashSessionId(i);
+      const d = R.hashSessionId(i);
       try {
         this.idleTimeout > 0 && s && (e = { ...e, lastActivity: /* @__PURE__ */ new Date() }), await this.keyStorage.saveKey(s, d, a, n, void 0, e), c = !0;
       } catch (w) {
@@ -4407,7 +4407,7 @@ class D {
    */
   async updateSessionKey(s) {
     if (!s.value) throw new o(l.InvalidKey, "No session when updating activity");
-    s.value = D.hashSessionId(s.value), await this.keyStorage.updateKey(s);
+    s.value = R.hashSessionId(s.value), await this.keyStorage.updateKey(s);
   }
   /**
    * Unsigns a cookie and returns the original value.
@@ -4455,7 +4455,7 @@ class D {
    *         `Expired` or `UserNotExist`.
    */
   async getSessionKey(s) {
-    const e = Date.now(), t = D.hashSessionId(s), r = await this.keyStorage.getKey(t);
+    const e = Date.now(), t = R.hashSessionId(s), r = await this.keyStorage.getKey(t);
     if (r.value = s, r.expires && e > r.expires.getTime())
       throw u.logger.warn(f({ msg: "Session id in cookie expired in key storage", hashedSessionCookie: _.hash(s) })), new o(l.Expired);
     if (r.userid && this.idleTimeout > 0 && r.lastactive && e > r.lastactive.getTime() + this.idleTimeout * 1e3)
@@ -4470,7 +4470,7 @@ class D {
    * @param except if defined, don't delete this key
    */
   async deleteAllForUser(s, e) {
-    e && (e = D.hashSessionId(e)), await this.keyStorage.deleteAllForUser(s, U.session, e);
+    e && (e = R.hashSessionId(e)), await this.keyStorage.deleteAllForUser(s, b.session, e);
   }
 }
 class Lt {
@@ -4495,9 +4495,9 @@ class Lt {
     t.userStorage && (this.userStorage = t.userStorage), this.keyStorage = s, this.authenticators = e;
     for (let r in this.authenticators)
       this.authenticators[r].factorName = r;
-    if (this.session = new D(this.keyStorage, { ...t == null ? void 0 : t.sessionCookieOptions, ...t ?? {} }), this.csrfTokens = new rt({ ...t == null ? void 0 : t.doubleSubmitCookieOptions, ...t ?? {} }), m("allowedFactor2", g.JsonArray, this, t, "ALLOWED_FACTOR2"), m("enableEmailVerification", g.Boolean, this, t, "ENABLE_EMAIL_VERIFICATION"), m("enablePasswordReset", g.Boolean, this, t, "ENABLE_PASSWORD_RESET"), this.emailTokenStorage = this.keyStorage, this.userStorage && (this.enableEmailVerification || this.enablePasswordReset)) {
+    if (this.session = new R(this.keyStorage, { ...t == null ? void 0 : t.sessionCookieOptions, ...t ?? {} }), this.csrfTokens = new rt({ ...t == null ? void 0 : t.doubleSubmitCookieOptions, ...t ?? {} }), m("allowedFactor2", g.JsonArray, this, t, "ALLOWED_FACTOR2"), m("enableEmailVerification", g.Boolean, this, t, "ENABLE_EMAIL_VERIFICATION"), m("enablePasswordReset", g.Boolean, this, t, "ENABLE_PASSWORD_RESET"), this.emailTokenStorage = this.keyStorage, this.userStorage && (this.enableEmailVerification || this.enablePasswordReset)) {
       let r = this.keyStorage;
-      t.emailTokenStorage && (this.emailTokenStorage = t.emailTokenStorage), this.tokenEmailer = new R(this.userStorage, r, t);
+      t.emailTokenStorage && (this.emailTokenStorage = t.emailTokenStorage), this.tokenEmailer = new D(this.userStorage, r, t);
     }
   }
   /**
@@ -4586,7 +4586,7 @@ class Lt {
     try {
       this.emailTokenStorage.deleteAllForUser(
         i.id,
-        U.passwordResetToken
+        b.passwordResetToken
       );
     } catch (v) {
       u.logger.warn(f({ msg: "Couldn't delete password reset tokens while logging in", user: s })), u.logger.debug(f({ err: v }));
@@ -4626,7 +4626,7 @@ class Lt {
    */
   async logout(s) {
     const e = await this.session.getSessionKey(s);
-    return await this.keyStorage.deleteKey(D.hashSessionId(e.value));
+    return await this.keyStorage.deleteKey(R.hashSessionId(e.value));
   }
   /**
    * Logs a user out from all sessions.
@@ -4774,8 +4774,8 @@ class Lt {
    * @param value new value to store
    */
   async updateSessionData(s, e, t) {
-    const r = D.hashSessionId(s);
-    u.logger.debug(f({ msg: `Updating session data value${e}`, hashedSessionCookie: _.hash(s) })), await this.keyStorage.updateData(r, e, t);
+    const r = R.hashSessionId(s);
+    u.logger.debug(f({ msg: `Updating session data value ${e}`, hashedSessionCookie: _.hash(s) })), await this.keyStorage.updateData(r, e, t);
   }
   /**
    * Update field sin the session data.
@@ -4786,7 +4786,7 @@ class Lt {
    * @param dataArray names and values.
    */
   async updateManySessionData(s, e) {
-    const t = D.hashSessionId(s);
+    const t = R.hashSessionId(s);
     u.logger.debug(f({ msg: "Updating session data", hashedSessionCookie: _.hash(s) })), await this.keyStorage.updateManyData(t, e);
   }
   /**
@@ -4798,8 +4798,8 @@ class Lt {
   * @param name of the field.
   */
   async deleteSessionData(s, e) {
-    const t = D.hashSessionId(s);
-    u.logger.debug(f({ msg: `Updating session data value${e}`, hashedSessionCookie: _.hash(s) })), await this.keyStorage.deleteData(t, e);
+    const t = R.hashSessionId(s);
+    u.logger.debug(f({ msg: `Updating session data value ${e}`, hashedSessionCookie: _.hash(s) })), await this.keyStorage.deleteData(t, e);
   }
   /**
    * Deletes the given session ID from the key storage (not the cookie)
@@ -4807,7 +4807,7 @@ class Lt {
    * @param sessionId the session Id to delete
    */
   async deleteSession(s) {
-    return await this.keyStorage.deleteKey(D.hashSessionId(s));
+    return await this.keyStorage.deleteKey(R.hashSessionId(s));
   }
   /**
    * Creates a new user, sending an email verification message if necessary.
@@ -4862,7 +4862,7 @@ class Lt {
     if (!this.authenticators[s.factor2]) throw new o(l.Configuration, "Two factor authentication not enabled for user");
     const a = await this.authenticators[s.factor2].prepareConfiguration(s), n = a == null ? {} : a.userData, c = a == null ? {} : a.sessionData, d = await this.authenticators[s.factor1].createPersistentSecrets(s.username, e, r);
     return s.state = "awaitingtwofactorsetup", await this.keyStorage.updateData(
-      D.hashSessionId(t),
+      R.hashSessionId(t),
       "2fa",
       c
     ), { userid: (await this.userStorage.createUser(s, d)).id, userData: n };
@@ -4882,13 +4882,13 @@ class Lt {
       if (!this.authenticators[e]) throw new o(l.Configuration, "Two factor authentication not enabled for user");
       const i = await this.authenticators[e].prepareConfiguration(s), a = i == null ? {} : i.userData, n = i == null ? {} : i.sessionData;
       return n && (n.userData = a), await this.keyStorage.updateData(
-        D.hashSessionId(t),
+        R.hashSessionId(t),
         "2fa",
         n
       ), a;
     }
     return await this.userStorage.updateUser({ id: s.id, factor2: e ?? "" }), await this.keyStorage.updateData(
-      D.hashSessionId(t),
+      R.hashSessionId(t),
       "2fa",
       void 0
     ), {};
@@ -4908,7 +4908,7 @@ class Lt {
    */
   async repeatTwoFactorSignup(s) {
     if (!this.userStorage) throw new o(l.Configuration, "Cannot call repeatTwoFactorSignup if no user storage provided");
-    const e = (await this.dataForSessionId(s))["2fa"], t = e.username, r = e.factor2, i = D.hashSessionId(s), a = await this.keyStorage.getKey(i), c = await this.authenticators[r].reprepareConfiguration(t, a), d = c == null ? {} : c.userData, w = c == null ? {} : c.secrets, y = c == null ? {} : c.newSessionData;
+    const e = (await this.dataForSessionId(s))["2fa"], t = e.username, r = e.factor2, i = R.hashSessionId(s), a = await this.keyStorage.getKey(i), c = await this.authenticators[r].reprepareConfiguration(t, a), d = c == null ? {} : c.userData, w = c == null ? {} : c.secrets, y = c == null ? {} : c.newSessionData;
     y && await this.keyStorage.updateData(i, "2fa", y);
     const { user: C } = await this.userStorage.getUserByUsername(t, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 });
     return { userid: C.id, userData: d, secrets: w };
@@ -4932,7 +4932,7 @@ class Lt {
     if (r && r.state != E.active && r.state != E.factor2ResetNeeded)
       throw new o(l.UserNotActive);
     if (!i) throw new o(l.InvalidKey, "Session key not found");
-    let a = x.decodeData(i.data)["2fa"];
+    let a = z.decodeData(i.data)["2fa"];
     if (!(a != null && a.factor2) || !(a != null && a.username)) throw new o(l.Unauthorized, "Two factor authentication not initiated");
     let n = a.username;
     const c = this.authenticators[a.factor2];
@@ -4948,7 +4948,7 @@ class Lt {
       state: !y && this.enableEmailVerification ? "awaitingemailverification" : "active",
       factor2: a.factor2
     };
-    return c.secretNames().length > 0 ? await this.userStorage.updateUser(C, d) : await this.userStorage.updateUser(C), !y && t && this.enableEmailVerification && this.tokenEmailer && await ((v = this.tokenEmailer) == null ? void 0 : v.sendEmailVerificationToken(r.id, void 0)), await this.keyStorage.updateData(D.hashSessionId(i.value), "2fa", void 0), { ...r, ...C };
+    return c.secretNames().length > 0 ? await this.userStorage.updateUser(C, d) : await this.userStorage.updateUser(C), !y && t && this.enableEmailVerification && this.tokenEmailer && await ((v = this.tokenEmailer) == null ? void 0 : v.sendEmailVerificationToken(r.id, void 0)), await this.keyStorage.updateData(R.hashSessionId(i.value), "2fa", void 0), { ...r, ...C };
   }
   /**
    * Initiates the two factor login process.
@@ -4979,7 +4979,7 @@ class Lt {
   async initiateTwoFactorPageVisit(s, e, t, r, i) {
     const n = await this.authenticators[s.factor2].createOneTimeSecrets(s);
     let c, d, w;
-    const y = D.hashSessionId(e);
+    const y = R.hashSessionId(e);
     u.logger.debug("initiateTwoFactorPageVisit " + s.username + " " + e + " " + y);
     let C = { username: s.username, factor2: s.factor2, secrets: n, body: t, url: r };
     return i && (C["content-type"] = i), await this.keyStorage.updateData(y, "pre2fa", C), {
@@ -5001,14 +5001,14 @@ class Lt {
     if (!this.userStorage) throw new o(l.Configuration, "Cannot call completeTwoFactorPageVisit if no user storage provided");
     let { key: t } = await this.session.getUserForSessionId(e);
     if (!t) throw new o(l.InvalidKey, "Session key not found");
-    let r = x.decodeData(t.data);
+    let r = z.decodeData(t.data);
     if (!("pre2fa" in r)) throw new o(l.Unauthorized, "Two factor authentication not initiated");
     const { secrets: i } = await this.userStorage.getUserByUsername(r.pre2fa.username), a = this.authenticators[r.pre2fa.factor2];
     if (!a) throw new o(l.Configuration, "Unrecognised second factor authentication");
     const n = {}, c = a.secretNames();
     for (let d in i)
       c.includes(d) && d in i && (n[d] = i[d]);
-    await a.authenticateUser(void 0, { ...n, ...r.pre2fa.secrets }, s), await this.keyStorage.updateData(D.hashSessionId(t.value), "pre2fa", void 0);
+    await a.authenticateUser(void 0, { ...n, ...r.pre2fa.secrets }, s), await this.keyStorage.updateData(R.hashSessionId(t.value), "pre2fa", void 0);
   }
   /**
    * Cancels the 2FA that was previously initiated but not completed..  
@@ -5022,9 +5022,9 @@ class Lt {
   async cancelTwoFactorPageVisit(s) {
     let { key: e } = await this.session.getUserForSessionId(s);
     if (!e) throw new o(l.InvalidKey, "Session key not found");
-    let t = x.decodeData(e.data);
+    let t = z.decodeData(e.data);
     if (!("pre2fa" in t)) throw new o(l.Unauthorized, "Two factor authentication not initiated");
-    return await this.keyStorage.updateData(D.hashSessionId(e.value), "pre2fa", void 0), t.pre2fa;
+    return await this.keyStorage.updateData(R.hashSessionId(e.value), "pre2fa", void 0), t.pre2fa;
   }
   /**
    * Performs the second factor authentication as the second step of the login
@@ -5047,20 +5047,20 @@ class Lt {
     if (!this.userStorage) throw new o(l.Configuration, "Cannot call completeTwoFactorLogin if no user storage provided");
     let { key: i } = await this.session.getUserForSessionId(e);
     if (!i || !i.data || i.data == "") throw new o(l.Unauthorized);
-    let a = x.decodeData(i.data)["2fa"], n = a.username, c = a.factor2;
+    let a = z.decodeData(i.data)["2fa"], n = a.username, c = a.factor2;
     const { user: d, secrets: w } = await this.userStorage.getUserByUsername(n), y = this.authenticators[c];
     if (!y) throw new o(l.Configuration, "Second factor " + c + " not enabled");
     await y.authenticateUser(d, { ...w, ...a }, s);
     const C = await this.session.createSessionKey(d.id, t);
-    await this.keyStorage.deleteKey(D.hashSessionId(i.value));
+    await this.keyStorage.deleteKey(R.hashSessionId(i.value));
     const v = this.session.makeCookie(C, r), p = this.csrfTokens.createCsrfToken(), T = this.csrfTokens.makeCsrfCookie(p), k = this.csrfTokens.makeCsrfFormOrHeaderToken(p);
     try {
       this.emailTokenStorage.deleteAllForUser(
         d.id,
-        U.passwordResetToken
+        b.passwordResetToken
       );
-    } catch (A) {
-      u.logger.warn(f({ msg: "Couldn't delete password reset tokens while logging in", user: n })), u.logger.debug(f({ err: A }));
+    } catch (P) {
+      u.logger.warn(f({ msg: "Couldn't delete password reset tokens while logging in", user: n })), u.logger.debug(f({ err: P }));
     }
     return {
       sessionCookie: v,
@@ -5128,7 +5128,7 @@ class Lt {
     try {
       this.emailTokenStorage.deleteAllForUser(
         a.id,
-        U.passwordResetToken
+        b.passwordResetToken
       );
     } catch (w) {
       u.logger.warn(f({ msg: "Couldn't delete password reset tokens while logging in", user: s })), u.logger.debug(f({ err: w }));
@@ -5153,14 +5153,14 @@ class Lt {
     d.userid = s.userid;
     let w = !1;
     if (a)
-      i = a, R.validateEmail(i), w = !0;
+      i = a, D.validateEmail(i), w = !0;
     else if (n) {
       i = n;
       try {
-        R.validateEmail(s.username), w = !0;
+        D.validateEmail(s.username), w = !0;
       } catch {
       }
-      w && R.validateEmail(i);
+      w && D.validateEmail(i);
     }
     return !t && this.enableEmailVerification && w ? await ((y = this.tokenEmailer) == null ? void 0 : y.sendEmailVerificationToken(s.id, i)) : (a && (d.email = a), n && (d.username = n)), (e.state == E.passwordResetNeeded || e.state == E.passwordAndFactor2ResetNeeded) && await ((C = this.tokenEmailer) == null ? void 0 : C.sendPasswordResetToken(s.id, {}, r)), await this.userStorage.updateUser(d), {
       emailVerificationTokenSent: !t && this.enableEmailVerification && w,
@@ -5191,7 +5191,7 @@ class Lt {
     try {
       await this.emailTokenStorage.deleteAllForUser(
         i.id,
-        U.passwordResetToken
+        b.passwordResetToken
       );
     } catch (c) {
       u.logger.warn(f({ msg: "Couldn't delete password reset tokens while logging in", user: i.username })), u.logger.debug(f({ err: c }));
@@ -5213,7 +5213,7 @@ class ge {
     /** The prefix to add to the hashed key in storage.  Defaults to 
      * {@link @crossauth/common!KeyPrefix}.apiKey
      */
-    h(this, "prefix", U.apiKey);
+    h(this, "prefix", b.apiKey);
     /** The name of the speak in the Authorization header.  Defaults to "ApiKey" */
     h(this, "authScheme", "ApiKey");
     this.apiKeyStorage = s, m("secret", g.String, this, e, "SECRET", !0), m("keyLength", g.String, this, e, "APIKEY_LENGTH"), m("prefix", g.String, this, e, "APIKEY_PREFIX"), m("authScheme", g.String, this, e, "APIKEY_AUTHSCHEME");
@@ -5241,7 +5241,7 @@ class ge {
       name: s,
       value: a,
       userid: e,
-      data: x.encodeData(t),
+      data: z.encodeData(t),
       expires: c,
       created: n,
       ...i
@@ -5338,7 +5338,7 @@ class J {
       digest: this.oauthPbkdf2Digest
     })), e.forEach((y) => {
       J.validateUri(y);
-    }), t || (t = b.allFlows());
+    }), t || (t = U.allFlows());
     const d = {
       client_id: a,
       client_secret: n,
@@ -5422,7 +5422,178 @@ class J {
       );
   }
 }
-function at(S) {
+class at extends Pe {
+  /**
+   * Constructor
+   * 
+   * @param options see {@link OAuthTokenConsumerOptions}
+   */
+  constructor(e, t = {}) {
+    const r = {};
+    m("jwtKeyType", g.String, r, t, "JWT_KEY_TYPE");
+    super(e, { ...t, ...r });
+    /**
+     * Value passed to the constructor.  The `aud` claim must match it
+     */
+    h(this, "audience");
+    /**
+     * Value passed to the constructor. If true, access tokens are saved
+     * in storage,
+     */
+    h(this, "persistAccessToken", !1);
+    h(this, "keyStorage");
+    h(this, "jwtSecretKeyFile", "");
+    h(this, "jwtPublicKeyFile", "");
+    if (this.audience = e, m("authServerBaseUrl", g.String, this, t, "AUTH_SERVER_BASE_URL", !0), m("jwtSecretKeyFile", g.String, this, t, "JWT_SECRET_KEY_FILE"), m("jwtPublicKeyFile", g.String, this, t, "JWT_PUBLIC_KEY_FILE"), m("jwtSecretKey", g.String, this, t, "JWT_SECRET_KEY"), m("jwtPublicKey", g.String, this, t, "JWT_PUBLIC_KEY"), m("clockTolerance", g.Number, this, t, "OAUTH_CLOCK_TOLERANCE"), m("persistAccessToken", g.Boolean, this, t, "OAUTH_PERSIST_ACCESS_TOKEN"), this.keyStorage = t.keyStorage, this.jwtSecretKey || this.jwtSecretKeyFile) {
+      if (this.jwtPublicKey || this.jwtPublicKeyFile)
+        throw new o(
+          l.Configuration,
+          "Cannot specify symmetric and public/private JWT keys"
+        );
+      if (this.jwtSecretKey && this.jwtSecretKeyFile)
+        throw new o(
+          l.Configuration,
+          "Cannot specify symmetric key and file"
+        );
+      this.jwtSecretKeyFile && (this.jwtSecretKey = re.readFileSync(this.jwtSecretKeyFile, "utf8"));
+    } else if (this.jwtPublicKey || this.jwtPublicKeyFile) {
+      if (this.jwtPublicKeyFile && this.jwtPublicKey)
+        throw new o(
+          l.Configuration,
+          "Cannot specify both public key and public key file"
+        );
+      this.jwtPublicKeyFile && (this.jwtPublicKey = re.readFileSync(this.jwtPublicKeyFile, "utf8"));
+    }
+  }
+  /**
+   * Uses {@link Crypto.hash} to hash the given string.
+   * 
+   * @param plaintext the string to hash
+   * @returns Base64-url-encoded hash
+   */
+  async hash(e) {
+    return _.hash(e);
+  }
+  /**
+   * If the given token is valid, the paylaod is returned.  Otherwise
+   * undefined is returned.  
+   * 
+   * The signature must be valid, the expiry must not have passed and,
+   * if `tokenType` is defined,. the `type` claim in the payload must
+   * match it.
+   * 
+   * Doesn't throw exceptions.
+   * 
+   * @param token The token to validate
+   * @param tokenType If defined, the `type` claim in the payload must
+   *        match this value
+   */
+  async tokenAuthorized(e, t, r) {
+    var a;
+    const i = await super.tokenAuthorized(e, t, r);
+    if (i && t == "access" && this.persistAccessToken && this.keyStorage)
+      try {
+        const n = b.accessToken + _.hash(i.jti ? i.jti : i.sid ? i.sid : ""), c = await this.keyStorage.getKey(n), d = /* @__PURE__ */ new Date();
+        if (c.expires && ((a = c.expires) == null ? void 0 : a.getTime()) < d.getTime()) {
+          u.logger.error(f({ msg: "Access token expired in storage but not in JWT" }));
+          return;
+        }
+      } catch (n) {
+        u.logger.warn(f({
+          msg: "Couldn't get token from database - is it valid?",
+          hashedAccessToken: _.hash(i.jti ? i.jti : i.sid ? i.sid : "")
+        })), u.logger.debug(f({ err: n }));
+        return;
+      }
+    return i;
+  }
+}
+class nt extends Ke {
+  /**
+   * Constructor
+   * @param authServerBaseUrl bsae URI for the authorization server
+   *        expected to issue access tokens.  If the `iss` field in a JWT
+   *        does not match this, it is rejected.
+   * @param options See {@link OAuthClientOptions}
+   */
+  constructor(e, t) {
+    const r = {
+      client_id: ""
+    };
+    m("client_id", g.String, r, t, "OAUTH_CLIENT_ID", !0);
+    super({
+      authServerBaseUrl: e,
+      tokenConsumer: new at(
+        r.client_id,
+        {
+          audience: r.client_id,
+          authServerBaseUrl: e,
+          ...t
+        }
+      ),
+      ...t
+    });
+    h(this, "deviceAuthorizationUrl", "device_authorization");
+    h(this, "userCreationType", "idToken");
+    h(this, "userMatchField", "username");
+    h(this, "idTokenMatchField", "sub");
+    h(this, "userCreationFn");
+    h(this, "userStorage");
+    this.client_id = r.client_id;
+    let i = {};
+    if (m("stateLength", g.String, this, t, "OAUTH_STATE_LENGTH"), m("verifierLength", g.String, this, t, "OAUTH_VERIFIER_LENGTH"), m("client_secret", g.String, i, t, "OAUTH_CLIENT_SECRET"), m("codeChallengeMethod", g.String, this, t, "OAUTH_CODE_CHALLENGE_METHOD"), m("deviceAuthorizationUrl", g.String, this, t, "OAUTH_DEVICE_AUTHORIZATION_URL"), m("oauthLogFetch", g.Boolean, this, t, "OAUTH_LOG_FETCH"), this.deviceAuthorizationUrl.startsWith("/") && (this.deviceAuthorizationUrl = this.deviceAuthorizationUrl.substring(1)), i.client_secret && (this.client_secret = i.client_secret), m("userCreationType", g.String, this, t, "OAUTH_USER_CREATION_TYPE"), m("userMatchField", g.String, this, t, "OAUTH_USER_MATCH_FIELD"), m("idTokenMatchField", g.String, this, t, "OAUTH_IDTOKEN_MaTCH_FIELD"), this.userCreationType == "merge" ? this.userCreationFn = ot : this.userCreationType == "embed" ? this.userCreationFn = lt : t.userCreationFn && this.userCreationType == "custom" ? this.userCreationFn = t.userCreationFn : this.userCreationFn = ct, t.userStorage && (this.userStorage = t.userStorage), m("oauthPostType", g.String, this, t, "OAUTH_POST_TYPE"), m("oauthUseUserInfoEndpoint", g.Boolean, this, t, "OAUTH_USE_USER_INFO_ENDPOINT"), m("oauthAuthorizeRedirect", g.String, this, t, "OAUTH_AUTHORIZE_REDIRECT"), this.oauthPostType != "json" && this.oauthPostType != "form")
+      throw new o(l.Configuration, "oauthPostType must be json or form");
+  }
+  /**
+   * Uses {@link @crossauth/backend!Crypto.randomValue} to create a random string
+   * @param length the length of the random array of bytes before
+   *        base64-url-encoding
+   * @returns the Base64-URL-encoded random string
+   */
+  randomValue(e) {
+    return _.randomValue(e);
+  }
+  /**
+   * Uses {@link @crossauth/backend!Crypto.sha256} to create hash a string using SHA256
+   * @param plaintext the text to hash
+   * @returns the Base64-URL-encoded hash
+   */
+  async sha256(e) {
+    return _.sha256(e);
+  }
+}
+async function ot(S, s, e, t) {
+  if (!s) throw new o(l.Configuration, "userCreationType set to merge but no user storage set");
+  try {
+    let r;
+    return e == "username" ? r = await s.getUserByUsername(S[t]) : e == "username" ? r = await s.getUserByEmail(S[t]) : r = await s.getUserBy(e, S[t]), { ...S, ...r.user };
+  } catch (r) {
+    const i = o.asCrossauthError(r);
+    if (i.code == l.UserNotExist || i.code == l.UserNotActive)
+      return;
+    throw u.logger.error(f({ err: r })), r;
+  }
+}
+async function lt(S, s, e, t) {
+  if (!s) throw new o(l.Configuration, "userCreationType set to embed but no user storage set");
+  try {
+    let r;
+    return e == "username" ? r = await s.getUserByUsername(S[t]) : e == "username" ? r = await s.getUserByEmail(S[t]) : r = await s.getUserBy(e, S[t]), { ...r.user, idToken: S };
+  } catch (r) {
+    const i = o.asCrossauthError(r);
+    if (i.code == l.UserNotExist || i.code == l.UserNotActive)
+      return;
+    throw u.logger.error({ err: r }), r;
+  }
+}
+async function ct(S, s, e, t) {
+  return {
+    id: S.userid ?? S.sub,
+    username: S.sub,
+    state: S.state ?? "active"
+  };
+}
+function dt(S) {
   switch (S) {
     case "HS256":
     case "HS384":
@@ -5444,7 +5615,7 @@ function at(S) {
     "Invalid JWT signing algorithm " + S
   );
 }
-class zt {
+class Ht {
   /**
    * Constructor
    * 
@@ -5495,6 +5666,15 @@ class zt {
     h(this, "validScopes", []);
     h(this, "idTokenClaims", {});
     h(this, "accessTokenClaims", {});
+    ///// Upstream AUth server config
+    /**
+     * The OAuth client to the upstream authz server if configured
+     */
+    h(this, "upstreamClient");
+    /**
+     * The OAuth client to the upstream authz server if configured
+     */
+    h(this, "upstreamClientOptions");
     // device code
     h(this, "userCodeExpiry", 60 * 5);
     h(this, "userCodeThrottle", 1500);
@@ -5521,7 +5701,9 @@ class zt {
             "userCodeDashEvery must be a number or null"
           );
         }
-    if (m("deviceCodeVerificationUri", g.String, this, r, "DEVICECODE_VERIFICATION_URI"), this.validFlows.length == 1 && this.validFlows[0] == b.All && (this.validFlows = b.allFlows()), this.jwtAlgorithmChecked = at(this.jwtAlgorithm), this.jwtSecretKey || this.jwtSecretKeyFile) {
+    if (m("deviceCodeVerificationUri", g.String, this, r, "DEVICECODE_VERIFICATION_URI"), r.upstreamClient && (this.upstreamClientOptions = r.upstreamClient, this.upstreamClient = new nt(r.upstreamClient.authServerBaseUrl, r.upstreamClient.options), !r.upstreamClient.options.redirect_uri))
+      throw new o(l.Configuration, "Must define redirect_uri in upstreamClient options");
+    if (this.validFlows.length == 1 && this.validFlows[0] == U.All && (this.validFlows = U.allFlows()), this.jwtAlgorithmChecked = dt(this.jwtAlgorithm), this.jwtSecretKey || this.jwtSecretKeyFile) {
       if (this.jwtPublicKey || this.jwtPublicKeyFile || this.jwtPrivateKey || this.jwtPrivateKeyFile)
         throw new o(
           l.Configuration,
@@ -5532,14 +5714,14 @@ class zt {
           l.Configuration,
           "Cannot specify symmetric key and file"
         );
-      this.jwtSecretKeyFile && (this.jwtSecretKey = te.readFileSync(this.jwtSecretKeyFile, "utf8"));
+      this.jwtSecretKeyFile && (this.jwtSecretKey = re.readFileSync(this.jwtSecretKeyFile, "utf8"));
     } else if ((this.jwtPrivateKey || this.jwtPrivateKeyFile) && (this.jwtPublicKey || this.jwtPublicKeyFile)) {
       if (this.jwtPrivateKeyFile && this.jwtPrivateKey)
         throw new o(
           l.Configuration,
           "Cannot specify both private key and private key file"
         );
-      if (this.jwtPrivateKeyFile && (this.jwtPrivateKey = te.readFileSync(
+      if (this.jwtPrivateKeyFile && (this.jwtPrivateKey = re.readFileSync(
         this.jwtPrivateKeyFile,
         "utf8"
       )), this.jwtPublicKeyFile && this.jwtPublicKey)
@@ -5547,7 +5729,7 @@ class zt {
           l.Configuration,
           "Cannot specify both public key and public key file"
         );
-      this.jwtPublicKeyFile && (this.jwtPublicKey = te.readFileSync(
+      this.jwtPublicKeyFile && (this.jwtPublicKey = re.readFileSync(
         this.jwtPublicKeyFile,
         "utf8"
       ));
@@ -5561,7 +5743,7 @@ class zt {
         l.Configuration,
         "If setting jwtPublicKey or jwtPrivate key, must also set jwtKeyType"
       );
-    if (this.opaqueAccessToken && (this.persistAccessToken = !0), (this.validFlows.includes(b.Password) || this.validFlows.includes(b.PasswordMfa)) && (!this.userStorage || Object.keys(this.authenticators).length == 0))
+    if (this.opaqueAccessToken && (this.persistAccessToken = !0), (this.validFlows.includes(U.Password) || this.validFlows.includes(U.PasswordMfa)) && (!this.userStorage || Object.keys(this.authenticators).length == 0))
       throw new o(
         l.Configuration,
         "If password flow or password MFA flow is enabled, userStorage and authenticators must be provided"
@@ -5711,21 +5893,21 @@ class zt {
   async authenticateClient(s, e, t) {
     let r = !1;
     switch (s) {
-      case b.AuthorizationCode:
-      case b.AuthorizationCodeWithPKCE:
+      case U.AuthorizationCode:
+      case U.AuthorizationCodeWithPKCE:
         r = e.confidential == !0 || e.client_secret != null || t != null;
         break;
-      case b.ClientCredentials:
+      case U.ClientCredentials:
         r = !0;
         break;
-      case b.Password:
-      case b.PasswordMfa:
+      case U.Password:
+      case U.PasswordMfa:
         r = e.confidential == !0 || e.client_secret != null || t != null;
         break;
-      case b.RefreshToken:
+      case U.RefreshToken:
         r = e.confidential == !0 || e.client_secret != null || t != null;
         break;
-      case b.DeviceCode:
+      case U.DeviceCode:
         r = e.confidential == !0 || e.client_secret != null || t != null;
         break;
     }
@@ -5785,7 +5967,7 @@ class zt {
     otp: v,
     deviceCode: p
   }) {
-    var O, V, j;
+    var F, $, M;
     const T = this.inferFlowFromPost(s, a);
     if (!T) return {
       error: "server_error",
@@ -5793,9 +5975,9 @@ class zt {
     };
     const k = await this.getClientById(e);
     if (!k.client) return k;
-    const A = k.client, z = await this.authenticateClient(T, A, i);
-    if (z.error) return z;
-    if (T == b.Password && !this.validFlows.includes(T) && !this.validFlows.includes(b.PasswordMfa))
+    const P = k.client, H = await this.authenticateClient(T, P, i);
+    if (H.error) return H;
+    if (T == U.Password && !this.validFlows.includes(T) && !this.validFlows.includes(U.PasswordMfa))
       return {
         error: "access_denied",
         error_description: "Unsupported flow type " + T
@@ -5805,46 +5987,78 @@ class zt {
         error: "access_denied",
         error_description: "Unsupported flow type " + T
       };
-    if (A && !A.valid_flow.includes(T))
+    if (P && !P.valid_flow.includes(T))
       return {
         error: "unauthorized_client",
         error_description: "Client does not support " + T
       };
-    let H = !1;
-    this.issueRefreshToken && T != b.RefreshToken && (H = !0), this.issueRefreshToken && T == b.RefreshToken && this.rollingRefreshToken && (H = !0);
-    let K;
+    let j = !1;
+    this.issueRefreshToken && T != U.RefreshToken && (j = !0), this.issueRefreshToken && T == U.RefreshToken && this.rollingRefreshToken && (j = !0);
+    let O;
     if (s == "authorization_code")
-      return this.requireClientSecretOrChallenge && A && A.client_secret && !i && !a ? {
+      return this.requireClientSecretOrChallenge && P && P.client_secret && !i && !a ? {
         error: "access_denied",
         error_description: "Must provide either a client secret or use PKCE"
-      } : A && A.client_secret && !i ? {
+      } : P && P.client_secret && !i ? {
         error: "access_denied",
         error_description: "No client secret or code verifier provided for authorization coode flow"
       } : r ? await this.makeAccessToken({
-        client: A,
+        client: P,
         code: r,
         client_secret: i,
         codeVerifier: a,
-        issueRefreshToken: H
+        issueRefreshToken: j
       }) : {
         error: "access_denied",
         error_description: "No authorization code provided for authorization code flow"
       };
     if (s == "refresh_token") {
+      if (this.upstreamClient && this.upstreamClientOptions) {
+        if (!n)
+          return {
+            error: "invalid_request",
+            error_description: "If executing the refresh token flow, must  provide a refresh token"
+          };
+        let A = await this.upstreamClient.refreshTokenFlow(n);
+        if (!A.access_token)
+          return {
+            error: "access_denied",
+            error_description: "Didn't receive an access token"
+          };
+        let I = A.access_token;
+        if (this.upstreamClientOptions.accessTokenIsJwt && (I = await this.upstreamClient.validateAccessToken(A.access_token, !1), !I))
+          return {
+            error: "access_denied",
+            error_description: "Couldn't decode access token"
+          };
+        const x = await this.upstreamClientOptions.tokenMergeFn(I, A.id_payload, this.userStorage);
+        if (x.authorized) {
+          const B = await this.createTokensFromPayload(
+            e,
+            x.access_payload,
+            x.id_payload
+          );
+          return A.access_token = B.access_token, A.id_token = B.id_token, A.id_payload = B.id_payload, A;
+        } else
+          return u.logger.warn(f({ msg: x.error_description })), {
+            error: x.error,
+            error_description: x.error_description
+          };
+      }
       const N = await this.getRefreshTokenData(n);
       if (!n || !N || !this.userStorage)
         return {
           error: "access_denied",
           error_description: "Refresh token is invalid"
         };
-      let P;
+      let K;
       if (N.username)
         try {
-          const { user: F } = await ((O = this.userStorage) == null ? void 0 : O.getUserByUsername(N.username));
-          P = F;
-        } catch (F) {
+          const { user: A } = await ((F = this.userStorage) == null ? void 0 : F.getUserByUsername(N.username));
+          K = A;
+        } catch (A) {
           return u.logger.error(f({
-            err: F,
+            err: A,
             msg: "Couldn't get user for refresh token.  Doesn't exist?",
             username: N.username
           })), {
@@ -5853,35 +6067,35 @@ class zt {
           };
         }
       try {
-        const F = U.refreshToken + _.hash(n);
-        await this.keyStorage.deleteKey(F);
-      } catch (F) {
-        const I = o.asCrossauthError(F);
-        u.logger.debug(f({ err: F })), u.logger.warn(f({ msg: "Cannot delete refresh token", cerr: I }));
+        const A = b.refreshToken + _.hash(n);
+        await this.keyStorage.deleteKey(A);
+      } catch (A) {
+        const I = o.asCrossauthError(A);
+        u.logger.debug(f({ err: A })), u.logger.warn(f({ msg: "Cannot delete refresh token", cerr: I }));
       }
       return await this.makeAccessToken({
-        client: A,
+        client: P,
         client_secret: i,
         codeVerifier: a,
-        issueRefreshToken: H,
+        issueRefreshToken: j,
         scopes: N.scope,
-        user: P
+        user: K
       });
     } else if (s == "client_credentials") {
       const {
         scopes: N,
-        error: P,
-        error_description: F
+        error: K,
+        error_description: A
       } = await this.validateAndPersistScope(e, t, void 0);
-      return P ? {
-        error: P,
-        error_description: F
+      return K ? {
+        error: K,
+        error_description: A
       } : await this.makeAccessToken({
-        client: A,
+        client: P,
         client_secret: i,
         codeVerifier: a,
         scopes: N,
-        issueRefreshToken: H
+        issueRefreshToken: j
       });
     } else if (s == "password") {
       if (!c || !d)
@@ -5895,7 +6109,7 @@ class zt {
             error: "server_error",
             error_description: "Password authentication not configured"
           };
-        const { user: I, secrets: $ } = await this.userStorage.getUserByUsername(c), B = this.authenticators[I.factor1];
+        const { user: I, secrets: x } = await this.userStorage.getUserByUsername(c), B = this.authenticators[I.factor1];
         if (!B || !B.secretNames().includes("password"))
           return {
             error: "access_denied",
@@ -5903,9 +6117,9 @@ class zt {
           };
         await B.authenticateUser(
           I,
-          $,
+          x,
           { password: d }
-        ), K = I;
+        ), O = I;
       } catch (I) {
         return u.logger.debug(f({ err: I })), {
           error: "access_denied",
@@ -5914,33 +6128,33 @@ class zt {
       }
       const {
         scopes: N,
-        error: P,
-        error_description: F
-      } = await this.validateAndPersistScope(e, t, K);
-      return P ? {
-        error: P,
-        error_description: F
-      } : K.factor2 ? this.allowedFactor2.length > 0 && (K.state == E.factor2ResetNeeded || !this.allowedFactor2.includes(K.factor2 ? K.factor2 : "none")) ? {
+        error: K,
+        error_description: A
+      } = await this.validateAndPersistScope(e, t, O);
+      return K ? {
+        error: K,
+        error_description: A
+      } : O.factor2 ? this.allowedFactor2.length > 0 && (O.state == E.factor2ResetNeeded || !this.allowedFactor2.includes(O.factor2 ? O.factor2 : "none")) ? {
         error: "access_denied",
         error_description: "2FA method not allowed or needs to be reconfigured"
-      } : await this.createMfaRequest(K) : await this.makeAccessToken({
-        client: A,
+      } : await this.createMfaRequest(O) : await this.makeAccessToken({
+        client: P,
         client_secret: i,
         codeVerifier: a,
         scopes: N,
-        issueRefreshToken: H,
-        user: K
+        issueRefreshToken: j,
+        user: O
       });
     } else if (s == "http://auth0.com/oauth/grant-type/mfa-otp") {
       const {
         scopes: N,
-        error: P,
-        error_description: F
+        error: K,
+        error_description: A
       } = await this.validateAndPersistScope(e, t, void 0);
-      if (P)
+      if (K)
         return {
-          error: P,
-          error_description: F
+          error: K,
+          error_description: A
         };
       if (!v)
         return {
@@ -5952,7 +6166,7 @@ class zt {
           error: "access_denied",
           error_description: "MFA token not provided"
         };
-      const I = await this.validateMfaToken(w), $ = U.mfaToken + _.hash(w);
+      const I = await this.validateMfaToken(w), x = b.mfaToken + _.hash(w);
       if (!I.user || !I.key)
         return {
           error: "access_denied",
@@ -5965,45 +6179,45 @@ class zt {
           error_description: "MFA type is not supported for OAuth"
         };
       try {
-        const { secrets: M } = await this.userStorage.getUserById(I.user.id);
+        const { secrets: V } = await this.userStorage.getUserById(I.user.id);
         await B.authenticateUser(
           I.user,
-          M,
+          V,
           { otp: v }
         );
-      } catch (M) {
-        return u.logger.debug(f({ err: M })), {
+      } catch (V) {
+        return u.logger.debug(f({ err: V })), {
           error: "access_denied",
           error_description: "Invalid OTP"
         };
       }
       try {
-        await this.keyStorage.deleteKey($);
-      } catch (M) {
-        u.logger.debug(f({ err: M })), u.logger.warn(f({
-          cerr: M,
+        await this.keyStorage.deleteKey(x);
+      } catch (V) {
+        u.logger.debug(f({ err: V })), u.logger.warn(f({
+          cerr: V,
           msg: "Couldn't delete mfa token",
           hashedMfaToken: I.key.value
         }));
       }
       return await this.makeAccessToken({
-        client: A,
+        client: P,
         client_secret: i,
         codeVerifier: a,
         scopes: N,
-        issueRefreshToken: H,
+        issueRefreshToken: j,
         user: I.user
       });
     } else if (s == "http://auth0.com/oauth/grant-type/mfa-oob") {
       const {
         scopes: N,
-        error: P,
-        error_description: F
+        error: K,
+        error_description: A
       } = await this.validateAndPersistScope(e, t, void 0);
-      if (P)
+      if (K)
         return {
-          error: P,
-          error_description: F
+          error: K,
+          error_description: A
         };
       if (!y || !C)
         return {
@@ -6021,27 +6235,27 @@ class zt {
           error: "access_denied",
           error_description: "Invalid MFA token"
         };
-      const $ = this.authenticators[I.user.factor2];
-      if (!$ || !this.userStorage)
+      const x = this.authenticators[I.user.factor2];
+      if (!x || !this.userStorage)
         return {
           error: "access_denied",
           error_description: "MFA type is not supported for OAuth"
         };
       try {
-        const { secrets: B } = await this.userStorage.getUserById(I.user.id), M = x.decodeData(I.key.data).omfa;
-        if (!M || !M.otp || !M.oobCode)
+        const { secrets: B } = await this.userStorage.getUserById(I.user.id), V = z.decodeData(I.key.data).omfa;
+        if (!V || !V.otp || !V.oobCode)
           return {
             error: "server_error",
             error_description: "Cannot retrieve email OTP"
           };
-        if (M.oobCode != y)
+        if (V.oobCode != y)
           return {
             error: "access_denied",
             error_description: "Invalid OOB code"
           };
-        await $.authenticateUser(
+        await x.authenticateUser(
           I.user,
-          { ...B, otp: M.otp, expiry: (V = I.key.expires) == null ? void 0 : V.getTime() },
+          { ...B, otp: V.otp, expiry: ($ = I.key.expires) == null ? void 0 : $.getTime() },
           { otp: C }
         );
       } catch (B) {
@@ -6060,11 +6274,11 @@ class zt {
         }));
       }
       return await this.makeAccessToken({
-        client: A,
+        client: P,
         client_secret: i,
         codeVerifier: a,
         scopes: N,
-        issueRefreshToken: H,
+        issueRefreshToken: j,
         user: I.user
       });
     } else if (s == "urn:ietf:params:oauth:grant-type:device_code") {
@@ -6075,40 +6289,40 @@ class zt {
         };
       let N;
       try {
-        N = await this.keyStorage.getKey(U.deviceCode + p);
-      } catch (P) {
-        const F = o.asCrossauthError(P);
-        return u.logger.debug(f({ err: F })), u.logger.error(f({ msg: "Couldn't get device code", cerr: F })), {
+        N = await this.keyStorage.getKey(b.deviceCode + p);
+      } catch (K) {
+        const A = o.asCrossauthError(K);
+        return u.logger.debug(f({ err: A })), u.logger.error(f({ msg: "Couldn't get device code", cerr: A })), {
           error: "accerss_denied",
           error_description: "Invalid device code"
         };
       }
       try {
-        const P = JSON.parse(N.data ?? "{}"), F = (/* @__PURE__ */ new Date()).getTime();
-        if (N.expires && F > N.expires.getTime())
+        const K = JSON.parse(N.data ?? "{}"), A = (/* @__PURE__ */ new Date()).getTime();
+        if (N.expires && A > N.expires.getTime())
           return await this.deleteDeviceCode(p), {
             error: "expired_token",
             error_description: "Code has expired"
           };
-        if (P.ok != !0)
+        if (K.ok != !0)
           return {
             error: "authorization_pending",
             error_description: "Waiting for user code to be entered"
           };
         {
-          let I = P.scope ? P.scope.split(" ") : void 0, $ = P.userid ? await ((j = this.userStorage) == null ? void 0 : j.getUserById(P.userid)) : void 0;
+          let I = K.scope ? K.scope.split(" ") : void 0, x = K.userid ? await ((M = this.userStorage) == null ? void 0 : M.getUserById(K.userid)) : void 0;
           return await this.deleteDeviceCode(p), await this.makeAccessToken({
-            client: A,
+            client: P,
             client_secret: i,
             codeVerifier: a,
             scopes: I,
-            issueRefreshToken: H,
-            user: $ == null ? void 0 : $.user
+            issueRefreshToken: j,
+            user: x == null ? void 0 : x.user
           });
         }
-      } catch (P) {
-        const F = o.asCrossauthError(P);
-        return u.logger.debug(f({ err: F })), u.logger.error(f({ msg: "Couldn't get device code", cerr: F })), await this.deleteDeviceCode(p), {
+      } catch (K) {
+        const A = o.asCrossauthError(K);
+        return u.logger.debug(f({ err: A })), u.logger.error(f({ msg: "Couldn't get device code", cerr: A })), await this.deleteDeviceCode(p), {
           error: "accerss_denied",
           error_description: "Invalid device code"
         };
@@ -6121,7 +6335,7 @@ class zt {
   }
   async deleteDeviceCode(s) {
     try {
-      await this.keyStorage.deleteKey(U.deviceCode + s);
+      await this.keyStorage.deleteKey(b.deviceCode + s);
     } catch (e) {
       const t = o.asCrossauthError(e);
       u.logger.debug(f({ err: t })), u.logger.error(f({ msg: "Couldn't delete device code", cerr: t }));
@@ -6129,7 +6343,7 @@ class zt {
   }
   async deleteUserCode(s) {
     try {
-      await this.keyStorage.deleteKey(U.userCode + s);
+      await this.keyStorage.deleteKey(b.userCode + s);
     } catch (e) {
       const t = o.asCrossauthError(e);
       u.logger.debug(f({ err: t })), u.logger.error(f({ msg: "Couldn't delete user code", cerr: t }));
@@ -6165,7 +6379,7 @@ class zt {
         error_description: "Invalid deviceCodeVerificationUri"
       };
     }
-    const r = b.DeviceCode, i = await this.getClientById(s);
+    const r = U.DeviceCode, i = await this.getClientById(s);
     if (!i.client) return i;
     const a = i.client, n = await this.authenticateClient(r, a, t);
     if (n.error) return n;
@@ -6187,7 +6401,7 @@ class zt {
       try {
         c = _.randomValue(this.deviceCodeLength), await this.keyStorage.saveKey(
           void 0,
-          U.deviceCode + c,
+          b.deviceCode + c,
           w,
           C,
           JSON.stringify({ scope: e, client_id: s })
@@ -6206,7 +6420,7 @@ class zt {
       try {
         v = _.randomBase32(this.userCodeLength), await this.keyStorage.saveKey(
           void 0,
-          U.userCode + v,
+          b.userCode + v,
           w,
           C,
           JSON.stringify({ deviceCode: c })
@@ -6251,7 +6465,7 @@ class zt {
     s = s.replace(/[ -]*/g, "");
     let t, r = {};
     try {
-      t = await this.keyStorage.getKey(U.userCode + s), r = JSON.parse((t == null ? void 0 : t.data) ?? "{}");
+      t = await this.keyStorage.getKey(b.userCode + s), r = JSON.parse((t == null ? void 0 : t.data) ?? "{}");
     } catch {
       return {
         ok: !1,
@@ -6267,7 +6481,7 @@ class zt {
       };
     let i;
     try {
-      i = await this.keyStorage.getKey(U.deviceCode + r.deviceCode);
+      i = await this.keyStorage.getKey(b.deviceCode + r.deviceCode);
     } catch (y) {
       const C = o.asCrossauthError(y);
       return u.logger.debug(f({ err: C })), u.logger.error(f({
@@ -6321,7 +6535,7 @@ class zt {
       [null]
     ), !d) {
       try {
-        e != null && e.id && await this.keyStorage.updateData(U.deviceCode + r.deviceCode, "userid", e.id);
+        e != null && e.id && await this.keyStorage.updateData(b.deviceCode + r.deviceCode, "userid", e.id);
       } catch (y) {
         const C = o.asCrossauthError(y);
         return u.logger.debug(f({ err: C })), u.logger.warn(f({ msg: "Couldn't update user id on user code entry - deleting", cerr: C })), await this.deleteUserCode(s), await this.deleteDeviceCode(r.deviceCode), {
@@ -6339,7 +6553,7 @@ class zt {
       };
     }
     try {
-      e != null && e.id && await this.keyStorage.updateData(U.deviceCode + r.deviceCode, "userid", e.id), await this.keyStorage.updateData(U.deviceCode + r.deviceCode, "ok", !0);
+      e != null && e.id && await this.keyStorage.updateData(b.deviceCode + r.deviceCode, "userid", e.id), await this.keyStorage.updateData(b.deviceCode + r.deviceCode, "ok", !0);
     } catch (y) {
       const C = o.asCrossauthError(y);
       return u.logger.debug(f({ err: C })), u.logger.warn(f({ msg: "Couldn't update status on user code entry - deleting", cerr: C })), await this.deleteUserCode(s), await this.deleteDeviceCode(r.deviceCode), {
@@ -6359,7 +6573,7 @@ class zt {
     s = s.replace(/[ -]*/g, "");
     let e, t = {};
     try {
-      e = await this.keyStorage.getKey(U.userCode + s), t = JSON.parse((e == null ? void 0 : e.data) ?? "{}");
+      e = await this.keyStorage.getKey(b.userCode + s), t = JSON.parse((e == null ? void 0 : e.data) ?? "{}");
     } catch {
       return {
         ok: !1,
@@ -6375,7 +6589,7 @@ class zt {
       };
     let r;
     try {
-      r = await this.keyStorage.getKey(U.deviceCode + t.deviceCode);
+      r = await this.keyStorage.getKey(b.deviceCode + t.deviceCode);
     } catch (n) {
       const c = o.asCrossauthError(n);
       return u.logger.debug(f({ err: c })), u.logger.error(f({
@@ -6402,7 +6616,7 @@ class zt {
       };
     }
     try {
-      await this.keyStorage.updateData(U.deviceCode + t.deviceCode, "ok", !0);
+      await this.keyStorage.updateData(b.deviceCode + t.deviceCode, "ok", !0);
     } catch (n) {
       const c = o.asCrossauthError(n);
       return u.logger.debug(f({ err: c })), u.logger.warn(f({ msg: "Couldn't update status on user code entry - deleting", cerr: c })), await this.deleteUserCode(s), await this.deleteDeviceCode(t.deviceCode), {
@@ -6419,7 +6633,7 @@ class zt {
     };
   }
   async createMfaRequest(s) {
-    const e = _.randomValue(this.codeLength), t = U.mfaToken + _.hash(e), r = /* @__PURE__ */ new Date();
+    const e = _.randomValue(this.codeLength), t = b.mfaToken + _.hash(e), r = /* @__PURE__ */ new Date();
     try {
       await this.keyStorage.saveKey(
         s.id,
@@ -6445,7 +6659,7 @@ class zt {
     var r;
     let e, t;
     try {
-      const i = U.mfaToken + _.hash(s);
+      const i = b.mfaToken + _.hash(s);
       if (t = await this.keyStorage.getKey(i), !t.userid)
         return {
           error: "access_denied",
@@ -6473,7 +6687,7 @@ class zt {
         error_description: "Invalid MFA token"
       };
     try {
-      if (x.decodeData(t.data).omfaaid != e.factor2)
+      if (z.decodeData(t.data).omfaaid != e.factor2)
         return {
           error: "access_denied",
           error_description: "authenticatorId not valid for user"
@@ -6530,7 +6744,7 @@ class zt {
    * @returns respond as defined by the Password MFA spec
    */
   async mfaChallengeEndpoint(s, e, t, r, i) {
-    const a = b.PasswordMfa, n = await this.getClientById(e);
+    const a = U.PasswordMfa, n = await this.getClientById(e);
     if (!n.client) return n;
     const c = n.client, d = await this.authenticateClient(a, c, t);
     if (d.error) return d;
@@ -6587,9 +6801,9 @@ class zt {
    */
   inferFlowFromGet(s, e, t) {
     if (s == "code" && !e.includes("openid"))
-      return t ? b.AuthorizationCodeWithPKCE : b.AuthorizationCode;
+      return t ? U.AuthorizationCodeWithPKCE : U.AuthorizationCode;
     if (e.includes("openid") && s == "code")
-      return t ? b.AuthorizationCodeWithPKCE : b.AuthorizationCode;
+      return t ? U.AuthorizationCodeWithPKCE : U.AuthorizationCode;
   }
   /**
    * Returns the OAuth flow type that corresonds to the given 
@@ -6600,19 +6814,19 @@ class zt {
    */
   inferFlowFromPost(s, e) {
     if (s == "authorization_code")
-      return e ? b.AuthorizationCodeWithPKCE : b.AuthorizationCode;
+      return e ? U.AuthorizationCodeWithPKCE : U.AuthorizationCode;
     if (s == "client_credentials")
-      return b.ClientCredentials;
+      return U.ClientCredentials;
     if (s == "refresh_token")
-      return b.RefreshToken;
+      return U.RefreshToken;
     if (s == "urn:ietf:params:oauth:grant-type:device_code")
-      return b.DeviceCode;
+      return U.DeviceCode;
     if (s == "password")
-      return b.Password;
+      return U.Password;
     if (s == "http://auth0.com/oauth/grant-type/mfa-otp")
-      return b.PasswordMfa;
+      return U.PasswordMfa;
     if (s == "http://auth0.com/oauth/grant-type/mfa-oob")
-      return b.PasswordMfa;
+      return U.PasswordMfa;
   }
   async getAuthorizationCode(s, e, t, r, i, a, n) {
     if (i && (a || (a = "S256"), a != "S256" && a != "plain"))
@@ -6626,7 +6840,10 @@ class zt {
         error: "invalid_request",
         error_description: `The redirect uri ${e} is invalid`
       };
-    const d = /* @__PURE__ */ new Date(), w = this.authorizationCodeExpiry ? new Date(d.getTime() + this.authorizationCodeExpiry * 1e3 + this.clockTolerance * 1e3) : void 0, y = {};
+    const d = /* @__PURE__ */ new Date(), w = this.authorizationCodeExpiry ? new Date(d.getTime() + this.authorizationCodeExpiry * 1e3 + this.clockTolerance * 1e3) : void 0, y = {
+      client_id: s.client_id,
+      redirect_uri: e
+    };
     t && (y.scope = t), i && (y.challengeMethod = a, y.challenge = _.hash(i)), n && (y.username = n.username, y.id = n.id);
     const C = JSON.stringify(y);
     let v = !1, p = "";
@@ -6634,7 +6851,7 @@ class zt {
       try {
         p = _.randomValue(this.codeLength), await this.keyStorage.saveKey(
           void 0,
-          U.authorizationCode + _.hash(p),
+          b.authorizationCode + _.hash(p),
           d,
           w,
           C
@@ -6649,6 +6866,30 @@ class zt {
       );
     return { code: p, state: r };
   }
+  async getAuthorizationCodeData(s) {
+    let e, t = {};
+    try {
+      e = await this.keyStorage.getKey(b.authorizationCode + _.hash(s)), t = z.decodeData(e.data);
+    } catch (r) {
+      u.logger.debug(f({ err: r }));
+      return;
+    }
+    return t;
+  }
+  async deleteAuthorizationCodeData(s) {
+    try {
+      await this.keyStorage.deleteKey(b.authorizationCode + _.hash(s));
+    } catch (e) {
+      u.logger.warn(f({
+        err: e,
+        msg: "Couldn't delete authorization code from storage"
+      }));
+    }
+  }
+  async setAuthorizationCodeData(s, e) {
+    const t = await this.keyStorage.getKey(b.authorizationCode + _.hash(s));
+    t.data = JSON.stringify(e), this.keyStorage.updateKey(t);
+  }
   /**
    * Create an access token
    */
@@ -6661,15 +6902,15 @@ class zt {
     issueRefreshToken: a = !1,
     user: n
   }) {
-    var z, H;
+    var H, j;
     let c = !0;
     try {
       s.client_secret != null && (c = await _.passwordsEqual(
         t ?? "",
         s.client_secret ?? ""
       ));
-    } catch (K) {
-      return u.logger.error(f({ err: K })), { error: "server_error", error_description: "Couldn't validate client" };
+    } catch (O) {
+      return u.logger.error(f({ err: O })), { error: "server_error", error_description: "Couldn't validate client" };
     }
     if (!c) return {
       error: "access_denied",
@@ -6677,20 +6918,20 @@ class zt {
     };
     let d = {};
     if (e) {
-      let K;
+      let O;
       try {
-        K = await this.keyStorage.getKey(U.authorizationCode + _.hash(e)), d = x.decodeData(K.data);
-      } catch (O) {
-        return u.logger.debug(f({ err: O })), {
+        O = await this.keyStorage.getKey(b.authorizationCode + _.hash(e)), d = z.decodeData(O.data);
+      } catch (F) {
+        return u.logger.debug(f({ err: F })), {
           error: "access_denied",
           error_description: "Invalid or expired authorization code"
         };
       }
       try {
-        await this.keyStorage.deleteKey(K.value);
-      } catch (O) {
+        await this.keyStorage.deleteKey(O.value);
+      } catch (F) {
         u.logger.warn(f({
-          err: O,
+          err: F,
           msg: "Couldn't delete authorization code from storatge",
           client_id: s == null ? void 0 : s.client_id
         }));
@@ -6703,8 +6944,8 @@ class zt {
         error_description: "Invalid code challenge/code challenge method method for authorization code"
       };
     if (d.challenge) {
-      const K = d.challengeMethod == "plain" ? r ?? "" : _.sha256(r ?? "");
-      if (_.hash(K) != d.challenge)
+      const O = d.challengeMethod == "plain" ? r ?? "" : _.sha256(r ?? "");
+      if (_.hash(O) != d.challenge)
         return {
           error: "access_denied",
           error_description: "Code verifier is incorrect"
@@ -6714,10 +6955,10 @@ class zt {
     let C;
     if ((i && i.includes("openid") || Object.keys(this.accessTokenClaims).length > 0) && this.userStorage && d.username)
       try {
-        const { user: K } = await this.userStorage.getUserByUsername(d.username);
-        n = K;
-      } catch (K) {
-        return u.logger.error(f({ err: K })), {
+        const { user: O } = await this.userStorage.getUserByUsername(d.username);
+        n = O;
+      } catch (O) {
+        return u.logger.error(f({ err: O })), {
           error: "server_error",
           error_description: "Couldn't load user data"
         };
@@ -6731,39 +6972,39 @@ class zt {
       type: "access"
     };
     p = this.addClaims(p, this.accessTokenClaims, i, n), i && (p.scope = i), this.accessTokenExpiry != null && (p.exp = y + this.accessTokenExpiry, C = new Date(w.getTime() + this.accessTokenExpiry * 1e3 + this.clockTolerance * 1e3)), this.audience && (p.aud = this.audience);
-    const T = await new Promise((K, O) => {
-      se.sign(
+    const T = await new Promise((O, F) => {
+      ee.sign(
         p,
         this.secretOrPrivateKey,
         { algorithm: this.jwtAlgorithmChecked, keyid: "1" },
-        (V, j) => {
-          j ? K(j) : O(V || new o(
+        ($, M) => {
+          M ? O(M) : F($ || new o(
             l.Unauthorized,
             "Couldn't create jwt"
           ));
         }
       );
     });
-    this.persistAccessToken && this.keyStorage && await ((z = this.keyStorage) == null ? void 0 : z.saveKey(
+    this.persistAccessToken && this.keyStorage && await ((H = this.keyStorage) == null ? void 0 : H.saveKey(
       void 0,
       // to avoid user storage dependency, we don't set this
-      U.accessToken + _.hash(v),
+      b.accessToken + _.hash(v),
       w,
       C
     ));
     let k;
     if (i && i.includes("openid")) {
-      const K = _.uuid();
-      let O = {
+      const O = _.uuid();
+      let F = {
         aud: s.client_id,
-        jti: K,
+        jti: O,
         iat: y,
         iss: this.oauthIssuer,
         sub: d.username,
         type: "id"
       };
-      if (i.includes("email") && (n != null && n.email) && (O.email = n.email), i.includes("address") && n && "address" in n && (O.address = n.address), i.includes("phone") && n && "phone" in n && (O.phone = n.phone), i.includes("profile") && n)
-        for (let V of [
+      if (i.includes("email") && (n != null && n.email) && (F.email = n.email), i.includes("address") && n && "address" in n && (F.address = n.address), i.includes("phone") && n && "phone" in n && (F.phone = n.phone), i.includes("profile") && n)
+        for (let $ of [
           "name",
           "family_name",
           "given_name",
@@ -6779,17 +7020,17 @@ class zt {
           "locale",
           "updated_at"
         ])
-          O[V] = n[V];
-      O = this.addClaims(O, this.idTokenClaims, i, n), O.scope = i, this.accessTokenExpiry != null && (O.exp = y + this.accessTokenExpiry), k = await new Promise((V, j) => {
-        se.sign(
-          O,
+          F[$] = n[$];
+      F = this.addClaims(F, this.idTokenClaims, i, n), F.scope = i, this.accessTokenExpiry != null && (F.exp = y + this.accessTokenExpiry), k = await new Promise(($, M) => {
+        ee.sign(
+          F,
           this.secretOrPrivateKey,
           {
             algorithm: this.jwtAlgorithmChecked,
             keyid: this.jwtKid
           },
-          (N, P) => {
-            P ? V(P) : j(N || new o(
+          (N, K) => {
+            K ? $(K) : M(N || new o(
               l.Unauthorized,
               "Couldn't create jwt"
             ));
@@ -6797,51 +7038,125 @@ class zt {
         );
       });
     }
-    let A;
+    let P;
     if (a) {
-      const K = {
+      const O = {
         username: d.username,
         client_id: s.client_id
       };
-      i && (K.scope = i);
-      let O;
-      const j = {
+      i && (O.scope = i);
+      let F;
+      const M = {
         jti: _.uuid(),
         iat: y,
         iss: this.oauthIssuer,
         sub: d.username,
         type: "refresh"
       };
-      this.refreshTokenExpiry != null && (j.exp = y + this.refreshTokenExpiry, O = this.refreshTokenExpiry ? new Date(y + this.refreshTokenExpiry * 1e3 + this.clockTolerance * 1e3) : void 0), this.oauthIssuer && (j.aud = this.oauthIssuer), A = await new Promise((N, P) => {
-        se.sign(
-          j,
+      this.refreshTokenExpiry != null && (M.exp = y + this.refreshTokenExpiry, F = this.refreshTokenExpiry ? new Date(y + this.refreshTokenExpiry * 1e3 + this.clockTolerance * 1e3) : void 0), this.oauthIssuer && (M.aud = this.oauthIssuer), P = await new Promise((N, K) => {
+        ee.sign(
+          M,
           this.secretOrPrivateKey,
           { algorithm: this.jwtAlgorithmChecked, keyid: "1" },
-          (F, I) => {
-            I ? N(I) : P(F || new o(
+          (A, I) => {
+            I ? N(I) : K(A || new o(
               l.Unauthorized,
               "Couldn't create jwt"
             ));
           }
         );
-      }), A && await ((H = this.keyStorage) == null ? void 0 : H.saveKey(
+      }), P && await ((j = this.keyStorage) == null ? void 0 : j.saveKey(
         void 0,
         // to avoid user storage dependency
-        U.refreshToken + _.hash(A),
+        b.refreshToken + _.hash(P),
         w,
-        O,
-        JSON.stringify(K)
+        F,
+        JSON.stringify(O)
       ));
     }
     return {
       access_token: T,
       id_token: k,
-      refresh_token: A,
+      refresh_token: P,
       expires_in: this.accessTokenExpiry == null ? void 0 : this.accessTokenExpiry,
       token_type: "Bearer",
       scope: i ? i.join(" ") : void 0
     };
   }
+  /**
+   * Create an access token
+   */
+  async createTokensFromPayload(s, e, t) {
+    var w;
+    const r = /* @__PURE__ */ new Date(), i = Math.ceil(r.getTime() / 1e3);
+    let a, n, c, d;
+    if (e) {
+      const y = _.uuid();
+      let C = {
+        ...e,
+        jti: y,
+        iat: i,
+        iss: this.oauthIssuer,
+        type: "access"
+      };
+      this.accessTokenExpiry != null && (C.exp = i + this.accessTokenExpiry, a = new Date(r.getTime() + this.accessTokenExpiry * 1e3 + this.clockTolerance * 1e3)), this.audience && (C.aud = this.audience), n = await new Promise((v, p) => {
+        ee.sign(
+          C,
+          this.secretOrPrivateKey,
+          { algorithm: this.jwtAlgorithmChecked, keyid: "1" },
+          (T, k) => {
+            k ? v(k) : p(T || new o(
+              l.Unauthorized,
+              "Couldn't create jwt"
+            ));
+          }
+        );
+      }), d = C, this.persistAccessToken && this.keyStorage && await ((w = this.keyStorage) == null ? void 0 : w.saveKey(
+        void 0,
+        // to avoid user storage dependency, we don't set this
+        b.accessToken + _.hash(y),
+        r,
+        a
+      ));
+    }
+    if (t != null) {
+      const y = _.uuid();
+      if (t = {
+        ...t,
+        aud: s,
+        jti: y,
+        iat: i,
+        iss: this.oauthIssuer,
+        type: "id"
+      }, t) {
+        const C = t;
+        c = await new Promise((v, p) => {
+          ee.sign(
+            C,
+            this.secretOrPrivateKey,
+            {
+              algorithm: this.jwtAlgorithmChecked,
+              keyid: this.jwtKid
+            },
+            (T, k) => {
+              k ? v(k) : p(T || new o(
+                l.Unauthorized,
+                "Couldn't create jwt"
+              ));
+            }
+          );
+        });
+      }
+    }
+    return {
+      access_token: n,
+      id_token: c,
+      access_payload: d,
+      id_payload: t,
+      expires_in: this.accessTokenExpiry == null ? void 0 : this.accessTokenExpiry,
+      token_type: "Bearer"
+    };
+  }
   addClaims(s, e, t, r) {
     if (r) {
       if (t) {
@@ -6881,7 +7196,7 @@ class zt {
    */
   async validAuthorizationCode(s) {
     try {
-      const e = U.authorizationCode + _.hash(s);
+      const e = b.authorizationCode + _.hash(s);
       return await this.keyStorage.getKey(e), !0;
     } catch (e) {
       return u.logger.debug(f({ err: e })), !1;
@@ -6895,7 +7210,7 @@ class zt {
    */
   async validRefreshToken(s) {
     try {
-      const e = U.refreshToken + _.hash(s);
+      const e = b.refreshToken + _.hash(s);
       return await this.keyStorage.getKey(e), !0;
     } catch (e) {
       return u.logger.debug(f({ err: e })), !1;
@@ -6910,7 +7225,7 @@ class zt {
   async getRefreshTokenData(s) {
     if (s)
       try {
-        const e = U.refreshToken + _.hash(s), t = await this.keyStorage.getKey(e);
+        const e = b.refreshToken + _.hash(s), t = await this.keyStorage.getKey(e);
         return JSON.parse(t.data || "{}");
       } catch (e) {
         u.logger.debug(f({ err: e }));
@@ -6944,7 +7259,7 @@ class zt {
     try {
       const e = await this.validateJwt(s, "access");
       if (this.persistAccessToken) {
-        const t = U.accessToken + _.hash(e.payload.jti);
+        const t = b.accessToken + _.hash(e.payload.jti);
         await this.keyStorage.getKey(t);
       }
       return e;
@@ -6955,7 +7270,7 @@ class zt {
   }
   async validateJwt(s, e) {
     return new Promise((t, r) => {
-      se.verify(
+      ee.verify(
         s,
         this.secretOrPublicKey,
         { clockTolerance: this.clockTolerance, complete: !0 },
@@ -7018,7 +7333,7 @@ class zt {
    */
   responseTypesSupported() {
     let s = [];
-    return (this.validFlows.includes(b.AuthorizationCode) || this.validFlows.includes(b.AuthorizationCodeWithPKCE) || this.validFlows.includes(b.OidcAuthorizationCode)) && s.push("code"), s;
+    return (this.validFlows.includes(U.AuthorizationCode) || this.validFlows.includes(U.AuthorizationCodeWithPKCE) || this.validFlows.includes(U.OidcAuthorizationCode)) && s.push("code"), s;
   }
   /**
    * Returns an OIDC configuration object based on this authorization
@@ -7040,7 +7355,7 @@ class zt {
   }) {
     let i = [];
     this.validFlows.forEach((n) => {
-      const c = b.grantType(n);
+      const c = U.grantType(n);
       c && (i = [...i, ...c]);
     });
     const a = [
@@ -7097,7 +7412,7 @@ class zt {
   jwks() {
     let s = [];
     if (this.jwtPublicKey) {
-      const e = ze(this.jwtPublicKey).export({ format: "jwk" });
+      const e = Le(this.jwtPublicKey).export({ format: "jwk" });
       e.kid = "1", e.alg = this.jwtKeyType, s.push(e);
     }
     return { keys: s };
@@ -7137,177 +7452,6 @@ class zt {
     } : {};
   }
 }
-class nt extends Pe {
-  /**
-   * Constructor
-   * 
-   * @param options see {@link OAuthTokenConsumerOptions}
-   */
-  constructor(e, t = {}) {
-    const r = {};
-    m("jwtKeyType", g.String, r, t, "JWT_KEY_TYPE");
-    super(e, { ...t, ...r });
-    /**
-     * Value passed to the constructor.  The `aud` claim must match it
-     */
-    h(this, "audience");
-    /**
-     * Value passed to the constructor. If true, access tokens are saved
-     * in storage,
-     */
-    h(this, "persistAccessToken", !1);
-    h(this, "keyStorage");
-    h(this, "jwtSecretKeyFile", "");
-    h(this, "jwtPublicKeyFile", "");
-    if (this.audience = e, m("authServerBaseUrl", g.String, this, t, "AUTH_SERVER_BASE_URL", !0), m("jwtSecretKeyFile", g.String, this, t, "JWT_SECRET_KEY_FILE"), m("jwtPublicKeyFile", g.String, this, t, "JWT_PUBLIC_KEY_FILE"), m("jwtSecretKey", g.String, this, t, "JWT_SECRET_KEY"), m("jwtPublicKey", g.String, this, t, "JWT_PUBLIC_KEY"), m("clockTolerance", g.Number, this, t, "OAUTH_CLOCK_TOLERANCE"), m("persistAccessToken", g.Boolean, this, t, "OAUTH_PERSIST_ACCESS_TOKEN"), this.keyStorage = t.keyStorage, this.jwtSecretKey || this.jwtSecretKeyFile) {
-      if (this.jwtPublicKey || this.jwtPublicKeyFile)
-        throw new o(
-          l.Configuration,
-          "Cannot specify symmetric and public/private JWT keys"
-        );
-      if (this.jwtSecretKey && this.jwtSecretKeyFile)
-        throw new o(
-          l.Configuration,
-          "Cannot specify symmetric key and file"
-        );
-      this.jwtSecretKeyFile && (this.jwtSecretKey = te.readFileSync(this.jwtSecretKeyFile, "utf8"));
-    } else if (this.jwtPublicKey || this.jwtPublicKeyFile) {
-      if (this.jwtPublicKeyFile && this.jwtPublicKey)
-        throw new o(
-          l.Configuration,
-          "Cannot specify both public key and public key file"
-        );
-      this.jwtPublicKeyFile && (this.jwtPublicKey = te.readFileSync(this.jwtPublicKeyFile, "utf8"));
-    }
-  }
-  /**
-   * Uses {@link Crypto.hash} to hash the given string.
-   * 
-   * @param plaintext the string to hash
-   * @returns Base64-url-encoded hash
-   */
-  async hash(e) {
-    return _.hash(e);
-  }
-  /**
-   * If the given token is valid, the paylaod is returned.  Otherwise
-   * undefined is returned.  
-   * 
-   * The signature must be valid, the expiry must not have passed and,
-   * if `tokenType` is defined,. the `type` claim in the payload must
-   * match it.
-   * 
-   * Doesn't throw exceptions.
-   * 
-   * @param token The token to validate
-   * @param tokenType If defined, the `type` claim in the payload must
-   *        match this value
-   */
-  async tokenAuthorized(e, t) {
-    var i;
-    const r = await super.tokenAuthorized(e, t);
-    if (r && t == "access" && this.persistAccessToken && this.keyStorage)
-      try {
-        const a = U.accessToken + _.hash(r.jti ? r.jti : r.sid ? r.sid : ""), n = await this.keyStorage.getKey(a), c = /* @__PURE__ */ new Date();
-        if (n.expires && ((i = n.expires) == null ? void 0 : i.getTime()) < c.getTime()) {
-          u.logger.error(f({ msg: "Access token expired in storage but not in JWT" }));
-          return;
-        }
-      } catch (a) {
-        u.logger.warn(f({
-          msg: "Couldn't get token from database - is it valid?",
-          hashedAccessToken: _.hash(r.jti ? r.jti : r.sid ? r.sid : "")
-        })), u.logger.debug(f({ err: a }));
-        return;
-      }
-    return r;
-  }
-}
-class Ht extends Ke {
-  /**
-   * Constructor
-   * @param authServerBaseUrl bsae URI for the authorization server
-   *        expected to issue access tokens.  If the `iss` field in a JWT
-   *        does not match this, it is rejected.
-   * @param options See {@link OAuthClientOptions}
-   */
-  constructor(e, t) {
-    const r = {
-      client_id: ""
-    };
-    m("client_id", g.String, r, t, "OAUTH_CLIENT_ID", !0);
-    super({
-      authServerBaseUrl: e,
-      tokenConsumer: new nt(
-        r.client_id,
-        {
-          audience: r.client_id,
-          authServerBaseUrl: e,
-          ...t
-        }
-      ),
-      ...t
-    });
-    h(this, "deviceAuthorizationUrl", "device_authorization");
-    h(this, "userCreationType", "idToken");
-    h(this, "userMatchField", "username");
-    h(this, "idTokenMatchField", "sub");
-    h(this, "userCreationFn");
-    h(this, "userStorage");
-    this.client_id = r.client_id;
-    let i = {};
-    if (m("stateLength", g.String, this, t, "OAUTH_STATE_LENGTH"), m("verifierLength", g.String, this, t, "OAUTH_VERIFIER_LENGTH"), m("client_secret", g.String, i, t, "OAUTH_CLIENT_SECRET"), m("codeChallengeMethod", g.String, this, t, "OAUTH_CODE_CHALLENGE_METHOD"), m("deviceAuthorizationUrl", g.String, this, t, "OAUTH_DEVICE_AUTHORIZATION_URL"), m("oauthLogFetch", g.Boolean, this, t, "OAUTH_LOG_FETCH"), this.deviceAuthorizationUrl.startsWith("/") && (this.deviceAuthorizationUrl = this.deviceAuthorizationUrl.substring(1)), i.client_secret && (this.client_secret = i.client_secret), m("userCreationType", g.String, this, t, "OAUTH_USER_CREATION_TYPE"), m("userMatchField", g.String, this, t, "OAUTH_USER_MATCH_FIELD"), m("idTokenMatchField", g.String, this, t, "OAUTH_IDTOKEN_MaTCH_FIELD"), this.userCreationType == "merge" ? this.userCreationFn = ot : this.userCreationType == "embed" ? this.userCreationFn = lt : t.userCreationFn && this.userCreationType == "custom" ? this.userCreationFn = t.userCreationFn : this.userCreationFn = ct, t.userStorage && (this.userStorage = t.userStorage), m("oauthPostType", g.String, this, t, "OAUTH_POST_TYPE"), m("oauthUseUserInfoEndpoint", g.Boolean, this, t, "OAUTH_USE_USER_INFO_ENDPOINT"), m("oauthAuthorizeRedirect", g.String, this, t, "OAUTH_AUTHORIZE_REDIRECT"), this.oauthPostType != "json" && this.oauthPostType != "form")
-      throw new o(l.Configuration, "oauthPostType must be json or form");
-  }
-  /**
-   * Uses {@link @crossauth/backend!Crypto.randomValue} to create a random string
-   * @param length the length of the random array of bytes before
-   *        base64-url-encoding
-   * @returns the Base64-URL-encoded random string
-   */
-  randomValue(e) {
-    return _.randomValue(e);
-  }
-  /**
-   * Uses {@link @crossauth/backend!Crypto.sha256} to create hash a string using SHA256
-   * @param plaintext the text to hash
-   * @returns the Base64-URL-encoded hash
-   */
-  async sha256(e) {
-    return _.sha256(e);
-  }
-}
-async function ot(S, s, e, t) {
-  if (!s) throw new o(l.Configuration, "userCreationType set to merge but no user storage set");
-  try {
-    let r;
-    return e == "username" ? r = await s.getUserByUsername(S[t]) : e == "username" ? r = await s.getUserByEmail(S[t]) : r = await s.getUserBy(e, S[t]), { ...S, ...r.user };
-  } catch (r) {
-    const i = o.asCrossauthError(r);
-    if (i.code == l.UserNotExist || i.code == l.UserNotActive)
-      return;
-    throw u.logger.error(f({ err: r })), r;
-  }
-}
-async function lt(S, s, e, t) {
-  if (!s) throw new o(l.Configuration, "userCreationType set to embed but no user storage set");
-  try {
-    let r;
-    return e == "username" ? r = await s.getUserByUsername(S[t]) : e == "username" ? r = await s.getUserByEmail(S[t]) : r = await s.getUserBy(e, S[t]), { ...r.user, idToken: S };
-  } catch (r) {
-    const i = o.asCrossauthError(r);
-    if (i.code == l.UserNotExist || i.code == l.UserNotActive)
-      return;
-    throw u.logger.error({ err: r }), r;
-  }
-}
-async function ct(S, s, e, t) {
-  return {
-    id: S.userid ?? S.sub,
-    username: S.sub,
-    state: S.state ?? "active"
-  };
-}
 class jt {
   /**
    * Constructor
@@ -7352,43 +7496,43 @@ class jt {
 }
 export {
   ge as ApiKeyManager,
-  re as Authenticator,
+  ie as Authenticator,
   _ as Crypto,
   rt as DoubleSubmitCsrfToken,
   Rt as DummyFactor2Authenticator,
   Z as EmailAuthenticator,
-  At as InMemoryKeyStorage,
-  Pt as InMemoryOAuthAuthorizationStorage,
-  It as InMemoryOAuthClientStorage,
-  Ut as InMemoryUserStorage,
-  x as KeyStorage,
-  Dt as LdapAuthenticator,
+  It as InMemoryKeyStorage,
+  Kt as InMemoryOAuthAuthorizationStorage,
+  Pt as InMemoryOAuthClientStorage,
+  At as InMemoryUserStorage,
+  z as KeyStorage,
+  xt as LdapAuthenticator,
   oe as LdapUserStorage,
   ve as LocalPasswordAuthenticator,
-  zt as OAuthAuthorizationServer,
+  Ht as OAuthAuthorizationServer,
   we as OAuthAuthorizationStorage,
-  Ht as OAuthClientBackend,
+  nt as OAuthClientBackend,
   J as OAuthClientManager,
   me as OAuthClientStorage,
   jt as OAuthResourceServer,
-  nt as OAuthTokenConsumer,
+  at as OAuthTokenConsumer,
   g as ParamType,
   be as PasswordAuthenticator,
   Ft as PostgresKeyStorage,
-  Nt as PostgresOAuthAuthorizationStorage,
-  Ot as PostgresOAuthClientStorage,
-  Kt as PostgresUserStorage,
-  kt as PrismaKeyStorage,
-  bt as PrismaOAuthAuthorizationStorage,
-  Et as PrismaOAuthClientStorage,
+  Dt as PostgresOAuthAuthorizationStorage,
+  Nt as PostgresOAuthClientStorage,
+  Ot as PostgresUserStorage,
+  Et as PrismaKeyStorage,
+  Ut as PrismaOAuthAuthorizationStorage,
+  bt as PrismaOAuthClientStorage,
   G as PrismaUserStorage,
-  D as SessionCookie,
+  R as SessionCookie,
   Lt as SessionManager,
   Q as SmsAuthenticator,
-  R as TokenEmailer,
-  xt as TotpAuthenticator,
+  D as TokenEmailer,
+  Bt as TotpAuthenticator,
   Ue as TwilioAuthenticator,
   L as UserStorage,
   m as setParameter,
-  Bt as toCookieSerializeOptions
+  zt as toCookieSerializeOptions
 };