npm - @crossauth/backend - Versions diffs - 1.1.4 → 1.1.6 - Mend

@crossauth/backend 1.1.4 → 1.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/cookieauth.d.ts.map +1 -1
package/dist/index.cjs +2 -2
package/dist/index.js +169 -167
package/dist/oauth/authserver.d.ts.map +1 -1
package/package.json +2 -2

package/dist/index.js CHANGED Viewed

@@ -13,7 +13,7 @@ import Z from "nunjucks";
 import xe from "nodemailer";
 import Ze from "twilio";
 import Xe from "qrcode";
-import { authenticator as _e } from "otplib";
+import { authenticator as ke } from "otplib";
 import ae from "jsonwebtoken";
 import ue from "node:fs";
 import { createPublicKey as Qe } from "crypto";
@@ -916,8 +916,8 @@ class jt extends ve {
           ...d,
           userid: C,
           client_secret: d.client_secret ?? void 0,
-          redirect_uri: f.map((_) => _.uri),
-          valid_flow: y.map((_) => _.flow)
+          redirect_uri: f.map((k) => k.uri),
+          valid_flow: y.map((k) => k.flow)
         }];
       } else {
         const d = await r[this.clientTable].findMany({
@@ -929,8 +929,8 @@ class jt extends ve {
         });
         for (let f of d) {
           const y = f.redirect_uri, C = f.valid_flow;
-          let _ = f[this.useridForeignKeyColumn];
-          _ == null && (_ = void 0), f.userid = _, this.useridForeignKeyColumn != "userid" && delete f[this.useridForeignKeyColumn], f.client_secret = f.client_secret ?? void 0, f.redirect_uri = y.map((p) => p.uri), f.valid_flow = C.map((p) => p.flow);
+          let k = f[this.useridForeignKeyColumn];
+          k == null && (k = void 0), f.userid = k, this.useridForeignKeyColumn != "userid" && delete f[this.useridForeignKeyColumn], f.client_secret = f.client_secret ?? void 0, f.redirect_uri = y.map((p) => p.uri), f.valid_flow = C.map((p) => p.flow);
         }
         return d;
       }
@@ -1899,18 +1899,18 @@ class te extends q {
       let d = `select * from ${this.userTable} where ${e} = ` + c.nextParameter(), f = await i.execute(d, [t]);
       if (f.length == 0)
         throw new o(l.UserNotExist);
-      let y, C, _;
+      let y, C, k;
       if (this.idColumn in f[0]) y = f[0][this.idColumn];
       else throw new o(l.Configuration, "ID column " + this.idColumn + " not present in user table");
       if ("username" in f[0]) C = f[0].username;
       else throw new o(l.Configuration, "username column " + this.idColumn + " not present in user table");
-      if ("state" in f[0]) _ = f[0].state;
+      if ("state" in f[0]) k = f[0].state;
       else throw new o(l.Configuration, "state column " + this.idColumn + " not present in user table");
       if (s = {
         ...f[0],
         id: y,
         username: C,
-        state: _
+        state: k
       }, !s) throw new o(l.UserNotExist);
       if (c = this.dbPool.parameters(), d = `select * from ${this.userSecretsTable} where ${this.useridForeignKeyColumn} = ` + c.nextParameter(), f = await i.execute(d, [s.id]), f.length == 0)
         throw new o(l.UserNotExist);
@@ -1949,8 +1949,8 @@ class te extends q {
       if (y.length == 0)
         throw new o(l.UserNotExist);
       for (let C of y) {
-        let _, p, T;
-        if (this.idColumn in C) _ = C[this.idColumn];
+        let k, p, T;
+        if (this.idColumn in C) k = C[this.idColumn];
         else throw new o(l.Configuration, "ID column " + this.idColumn + " not present in user table");
         if ("username" in C) p = C.username;
         else throw new o(l.Configuration, "username column " + this.idColumn + " not present in user table");
@@ -1958,7 +1958,7 @@ class te extends q {
         else throw new o(l.Configuration, "state column " + this.idColumn + " not present in user table");
         let v = {
           ...C,
-          id: _,
+          id: k,
           username: p,
           state: T
         };
@@ -1997,8 +1997,8 @@ class te extends q {
       if (f.length > 0) {
         let C = f.join(", ");
         y.push(e.id);
-        let _ = `update ${this.userTable} set ${C} where ${this.idColumn} = ` + i.nextParameter();
-        await r.execute(_, y);
+        let k = `update ${this.userTable} set ${C} where ${this.idColumn} = ` + i.nextParameter();
+        await r.execute(k, y);
       }
       if (t) {
         f = [], y = [], i = this.dbPool.parameters();
@@ -2007,8 +2007,8 @@ class te extends q {
         if (f.length > 0) {
           let C = f.join(", ");
           y.push(e.id);
-          let _ = `update ${this.userSecretsTable} set ${C} where userid = ` + i.nextParameter();
-          await r.execute(_, y);
+          let k = `update ${this.userSecretsTable} set ${C} where userid = ` + i.nextParameter();
+          await r.execute(k, y);
         }
       }
       await r.commit();
@@ -2038,21 +2038,21 @@ class te extends q {
       "email" in s && s.email && (s = { email_normalized: this.normalizeEmail ? te.normalize(s.email) : s.email, ...s }), "username" in s && s.username && (s = { username_normalized: this.normalizeUsername ? te.normalize(s.username) : s.username, ...s });
       let c = [], d = [], f = [];
       const y = this.dbPool.parameters();
-      for (let _ in s)
-        s[_] != null && _ != "id" && (c.push(_), d.push(y.nextParameter()), f.push(s[_]));
+      for (let k in s)
+        s[k] != null && k != "id" && (c.push(k), d.push(y.nextParameter()), f.push(s[k]));
       if (c.length > 0) {
-        let _ = c.join(", "), p = d.join(", ");
-        const T = `insert into ${this.userTable} (${_}) values (${p}) returning ${this.idColumn}`, v = await r.execute(T, f);
+        let k = c.join(", "), p = d.join(", ");
+        const T = `insert into ${this.userTable} (${k}) values (${p}) returning ${this.idColumn}`, v = await r.execute(T, f);
         if (v.length == 0 || !v[0][this.idColumn]) throw new o(l.Connection, "Couldn't create user");
         i = v[0][this.idColumn];
       }
       if (!i) throw new o(l.Connection, "Couldn't create user");
       if (t) {
         c = [], d = [], f = [];
-        const _ = this.dbPool.parameters();
-        c.push("userid"), d.push(_.nextParameter()), f.push(i);
+        const k = this.dbPool.parameters();
+        c.push("userid"), d.push(k.nextParameter()), f.push(i);
         for (let p in n)
-          n[p] != null && p != "userid" && (c.push(p), d.push(_.nextParameter()), f.push(n[p]));
+          n[p] != null && p != "userid" && (c.push(p), d.push(k.nextParameter()), f.push(n[p]));
         if (c.length > 0) {
           let p = c.join(", "), T = d.join(", ");
           const v = `insert into ${this.userSecretsTable} (${p}) values (${T})`;
@@ -2168,10 +2168,10 @@ class ot extends V {
     let C = [e ?? null, t, r, i ?? null, s ?? ""];
     for (let v in n)
       d.push(v), y.push(f.nextParameter()), C.push(n[v]);
-    let _ = d.join(", "), p = y.join(", ");
+    let k = d.join(", "), p = y.join(", ");
     const T = await this.dbPool.connect();
     try {
-      const v = `insert into ${this.keyTable} (${_}) values (${p})`;
+      const v = `insert into ${this.keyTable} (${k}) values (${p})`;
       await T.execute(v, C);
     } catch (v) {
       o.asCrossauthError(v).code == l.ConstraintViolation ? (h.logger.warn(m({ msg: "Attempt to create key that already exists. Stack trace follows" })), h.logger.debug(m({ err: v })), c = new o(l.KeyExists)) : (h.logger.debug(m({ err: v })), c = new o(l.Connection, "Error saving key"));
@@ -2412,9 +2412,9 @@ class lt extends ve {
   async getClientWithTransaction(e, t, r, i, s, n) {
     let c = [], d = this.dbPool.parameters(), f = [], y = `select c.*, r.uri as uri, null as flow from ${this.clientTable} as c left join ${this.redirectUriTable} r on c.client_id = r.client_id `, C = "";
     t && r && (C = `where c.${t} = ` + d.nextParameter(), f.push(r)), i !== null && i == null || (C == "" ? C = "where " : C += " and ", i == null ? C += "userid is null" : (C += `${this.useridForeignKeyColumn} = ` + d.nextParameter(), f.push(i)));
-    let _ = `select c.*, null as uri, f.flow as flow from ${this.clientTable} as c left join ${this.validFlowTable} f on c.client_id = f.client_id `, p = "";
-    t && r && (p = `where c.${t} = ` + d.nextParameter(), f.push(r)), i !== null && i == null || (p == "" ? p = "where " : p += " and ", i == null ? p += "userid is null" : (p += `${this.useridForeignKeyColumn} = ` + d.nextParameter(), f.push(i))), n && (s || (s = 0), s = Number(s), n = Number(n), C == "" ? C = "where " : C += " and ", C += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${s})`, p == "" ? p = "where " : p += " and ", p += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${s})`), y += C, _ += p;
-    let T = y + " union " + _ + " order by client_id";
+    let k = `select c.*, null as uri, f.flow as flow from ${this.clientTable} as c left join ${this.validFlowTable} f on c.client_id = f.client_id `, p = "";
+    t && r && (p = `where c.${t} = ` + d.nextParameter(), f.push(r)), i !== null && i == null || (p == "" ? p = "where " : p += " and ", i == null ? p += "userid is null" : (p += `${this.useridForeignKeyColumn} = ` + d.nextParameter(), f.push(i))), n && (s || (s = 0), s = Number(s), n = Number(n), C == "" ? C = "where " : C += " and ", C += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${s})`, p == "" ? p = "where " : p += " and ", p += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${s})`), y += C, k += p;
+    let T = y + " union " + k + " order by client_id";
     const v = await e.execute(T, f);
     let b;
     for (let M of v)
@@ -2470,20 +2470,20 @@ class lt extends ve {
     let C = await this.getClientWithTransaction(e, "client_id", t.client_id, t.userid);
     if (C.length == 0)
       throw h.logger.error(m({ msg: "Attempt to create key that already exists. Stack trace follows" })), new o(l.KeyExists);
-    let _ = C[0];
+    let k = C[0];
     if (r)
       for (let p = 0; p < r.length; ++p) {
         f = [], y = this.dbPool.parameters();
         let T = `insert into ${this.redirectUriTable} (client_id, uri) values (` + y.nextParameter() + ", " + y.nextParameter() + ")";
-        f.push(_.client_id), f.push(r[p]), await e.execute(T, f);
+        f.push(k.client_id), f.push(r[p]), await e.execute(T, f);
       }
     if (i)
       for (let p = 0; p < i.length; ++p) {
         f = [], y = this.dbPool.parameters();
         let T = `insert into ${this.validFlowTable} (client_id, flow) values (` + y.nextParameter() + ", " + y.nextParameter() + ")";
-        f.push(_.client_id), f.push(i[p]), await e.execute(T, f);
+        f.push(k.client_id), f.push(i[p]), await e.execute(T, f);
       }
-    return { ..._, redirect_uri: r, valid_flow: i };
+    return { ...k, redirect_uri: r, valid_flow: i };
   }
   /**
    *
@@ -2545,12 +2545,12 @@ class lt extends ve {
     n || (n = []), c || (c = []);
     let f = this.dbPool.parameters(), y = `delete from ${this.redirectUriTable} where client_id = ` + f.nextParameter();
     await e.execute(y, [t.client_id]), f = this.dbPool.parameters(), y = `delete from ${this.validFlowTable} where client_id = ` + f.nextParameter(), await e.execute(y, [t.client_id]);
-    let C = [], _ = [], p = [];
+    let C = [], k = [], p = [];
     f = this.dbPool.parameters(), y = `delete from ${this.validFlowTable} where client_id = ` + f.nextParameter();
     for (let T in d)
-      C.push(T), _.push(f.nextParameter()), p.push(d[T]);
+      C.push(T), k.push(f.nextParameter()), p.push(d[T]);
     if (C.length > 0) {
-      let T = C.join(", "), v = _.join(", ");
+      let T = C.join(", "), v = k.join(", ");
       y = `update ${this.clientTable} set (${T}) values (${v})`, await e.execute(y, p);
     }
     if (n)
@@ -3060,7 +3060,7 @@ const Ie = process.env.PBKDF2_DIGEST || "sha256", Pe = Number(process.env.PBKDF2
   }
 };
 u(G, "Base32", "ABCDEFGHJKLMNPQRSTUVWXYZ23456789".split(""));
-let k = G;
+let _ = G;
 function wt(S) {
   let a = [];
   if (!S.password) a.push("Password not provided");
@@ -3114,7 +3114,7 @@ const we = class we extends Re {
   async authenticateUser(e, t, r) {
     if (!r.password) throw new o(l.PasswordInvalid, "Password not provided");
     if (!t.password) throw new o(l.PasswordInvalid);
-    if (!await k.passwordsEqual(r.password, t.password, this.secret))
+    if (!await _.passwordsEqual(r.password, t.password, this.secret))
       throw h.logger.debug(m({ msg: "Invalid password hash", user: e.username })), new o(l.PasswordInvalid);
     if (e.state == E.awaitingTwoFactorSetup) throw new o(l.TwoFactorIncomplete);
     if (e.state == E.awaitingEmailVerification) throw new o(l.EmailNotVerified);
@@ -3144,7 +3144,7 @@ const we = class we extends Re {
    * @returns the encoded hash string.
    */
   async createPasswordHash(e, t, r = !0) {
-    return await k.passwordHash(e, {
+    return await _.passwordHash(e, {
       salt: t,
       encode: r,
       secret: this.enableSecretForPasswords ? this.secret : void 0,
@@ -3169,7 +3169,7 @@ const we = class we extends Re {
    * @returns true if match, false otherwise
    */
   async passwordMatchesHash(e, t, r) {
-    return t == we.NoPassword ? !1 : await k.passwordsEqual(e, t, r);
+    return t == we.NoPassword ? !1 : await _.passwordsEqual(e, t, r);
   }
   /**
    * This will return p hash of the passed password.
@@ -3963,9 +3963,9 @@ class Qt extends de {
     return "none";
   }
   async createSecret(e, t) {
-    t || (t = _e.generateSecret());
+    t || (t = ke.generateSecret());
     let r = "";
-    return await Xe.toDataURL(_e.keyuri(e, this.appName, t)).then((i) => {
+    return await Xe.toDataURL(ke.keyuri(e, this.appName, t)).then((i) => {
       r = i;
     }).catch((i) => {
       throw h.logger.debug(m({ err: i })), new o(
@@ -4048,7 +4048,7 @@ class Qt extends de {
         "TOTP secret or code not given"
       );
     const i = r.otp, s = t.totpsecret;
-    if (!_e.check(i, s))
+    if (!ke.check(i, s))
       throw new o(
         l.InvalidToken,
         "Invalid TOTP code"
@@ -4270,24 +4270,24 @@ class L {
    * correct prefix for inserting into storage.
    */
   static hashEmailVerificationToken(a) {
-    return U.emailVerificationToken + k.hash(a);
+    return U.emailVerificationToken + _.hash(a);
   }
   /**
    * Produces a hash of the given password reset token with the
    * correct prefix for inserting into storage.
    */
   static hashPasswordResetToken(a) {
-    return U.passwordResetToken + k.hash(a);
+    return U.passwordResetToken + _.hash(a);
   }
   async createAndSaveEmailVerificationToken(a, e = "") {
     let r = 0;
     const i = /* @__PURE__ */ new Date(), s = new Date(i.getTime() + 1e3 * this.verifyEmailExpires);
     for (; r < 10; ) {
-      let n = k.randomValue(fe), c = L.hashEmailVerificationToken(n);
+      let n = _.randomValue(fe), c = L.hashEmailVerificationToken(n);
       try {
         return await this.keyStorage.saveKey(a, c, i, s, e), n;
       } catch {
-        n = k.randomValue(fe), c = L.hashEmailVerificationToken(n), r++;
+        n = _.randomValue(fe), c = L.hashEmailVerificationToken(n), r++;
       }
     }
     throw new o(l.Connection, "failed creating a unique key");
@@ -4372,11 +4372,11 @@ class L {
     let t = 0;
     const r = /* @__PURE__ */ new Date(), i = new Date(r.getTime() + 1e3 * this.passwordResetExpires);
     for (; t < 10; ) {
-      let s = k.randomValue(fe), n = L.hashPasswordResetToken(s);
+      let s = _.randomValue(fe), n = L.hashPasswordResetToken(s);
       try {
         return await this.keyStorage.saveKey(a, n, r, i), s;
       } catch {
-        s = k.randomValue(fe), n = L.hashPasswordResetToken(s), t++;
+        s = _.randomValue(fe), n = L.hashPasswordResetToken(s), t++;
       }
     }
     throw new o(l.Connection, "failed creating a unique key");
@@ -4508,7 +4508,7 @@ class yt {
    * @returns a random CSRF token.
    */
   createCsrfToken() {
-    return k.randomValue(Fe);
+    return _.randomValue(Fe);
   }
   /**
    * Returns a {@link Cookie } object with the given session key.
@@ -4517,7 +4517,7 @@ class yt {
    * @returns a {@link Cookie } object,
    */
   makeCsrfCookie(a) {
-    const e = k.signSecureToken(a, this.secret);
+    const e = _.signSecureToken(a, this.secret);
     let t = {};
     return this.domain && (t.domain = this.domain), this.path && (t.path = this.path), t.sameSite = this.sameSite, this.httpOnly && (t.httpOnly = this.httpOnly), this.secure && (t.secure = this.secure), {
       name: this.cookieName,
@@ -4529,7 +4529,7 @@ class yt {
     return this.maskCsrfToken(a);
   }
   unsignCookie(a) {
-    return k.unsignSecureToken(a, this.secret);
+    return _.unsignSecureToken(a, this.secret);
   }
   /**
    * Takes a session ID and creates a string representation of the cookie (value of the HTTP `Cookie` header).
@@ -4542,14 +4542,14 @@ class yt {
     return this.domain && (e += "; " + this.domain), this.path && (e += "; " + this.path), this.httpOnly && (e += "; httpOnly"), this.secure && (e += "; secure"), e;
   }
   maskCsrfToken(a) {
-    const e = k.randomValue(Fe), t = k.xor(a, e);
+    const e = _.randomValue(Fe), t = _.xor(a, e);
     return e + "." + t;
   }
   unmaskCsrfToken(a) {
     const e = a.split(".");
     if (e.length != 2) throw new o(l.InvalidCsrf, "CSRF token in header or form not in correct format");
     const t = e[0], r = e[1];
-    return k.xor(r, t);
+    return _.xor(r, t);
   }
   /**
    * Validates the passed CSRF token.
@@ -4566,12 +4566,12 @@ class yt {
     const t = this.unmaskCsrfToken(e);
     let r;
     try {
-      r = k.unsignSecureToken(a, this.secret);
+      r = _.unsignSecureToken(a, this.secret);
     } catch (i) {
       throw h.logger.error(m({ err: i })), new o(l.InvalidCsrf, "Invalid CSRF cookie");
     }
     if (r != t)
-      throw h.logger.warn(m({ msg: "Invalid CSRF token received - form/header value does not match", csrfCookieHash: k.hash(a) })), new o(l.InvalidCsrf);
+      throw h.logger.warn(m({ msg: "Invalid CSRF token received - form/header value does not match", csrfCookieHash: _.hash(a) })), new o(l.InvalidCsrf);
   }
   /**
    * Validates the passed CSRF cookie (doesn't check it matches the token, just that the cookie is valid).
@@ -4585,7 +4585,7 @@ class yt {
    */
   validateCsrfCookie(a) {
     try {
-      return k.unsignSecureToken(a, this.secret);
+      return _.unsignSecureToken(a, this.secret);
     } catch (e) {
       throw h.logger.error(m({ err: e })), new o(l.InvalidCsrf, "Invalid CSRF cookie");
     }
@@ -4620,7 +4620,7 @@ class j {
     u(this, "sameSite", "lax");
     // hasher settings
     u(this, "secret", "");
-    e.userStorage && (this.userStorage = e.userStorage), this.keyStorage = a, w("idleTimeout", g.Number, this, e, "SESSION_IDLE_TIMEOUT"), w("persist", g.Boolean, this, e, "PERSIST_SESSION_ID"), this.filterFunction = e.filterFunction, w("cookieName", g.String, this, e, "SESSION_COOKIE_NAME"), w("maxAge", g.String, this, e, "SESSION_COOKIE_MAX_AGE"), w("domain", g.String, this, e, "SESSION_COOKIE_DOMAIN"), w("httpOnly", g.Boolean, this, e, "SESSIONCOOKIE_HTTPONLY"), w("path", g.String, this, e, "SESSION_COOKIE_PATH"), w("secure", g.Boolean, this, e, "SESSION_COOKIE_SECURE"), w("sameSite", g.String, this, e, "SESSION_COOKIE_SAMESITE"), w("secret", g.String, this, e, "SECRET", !0);
+    e.userStorage && (this.userStorage = e.userStorage), this.keyStorage = a, w("idleTimeout", g.Number, this, e, "SESSION_IDLE_TIMEOUT"), w("persist", g.Boolean, this, e, "PERSIST_SESSION_ID"), this.filterFunction = e.filterFunction, w("cookieName", g.String, this, e, "SESSION_COOKIE_NAME"), w("maxAge", g.String, this, e, "SESSION_COOKIE_MAX_AGE"), w("domain", g.String, this, e, "SESSION_COOKIE_DOMAIN"), w("httpOnly", g.Boolean, this, e, "SESSION_COOKIE_HTTPONLY"), w("path", g.String, this, e, "SESSION_COOKIE_PATH"), w("secure", g.Boolean, this, e, "SESSION_COOKIE_SECURE"), w("sameSite", g.String, this, e, "SESSION_COOKIE_SAMESITE"), w("secret", g.String, this, e, "SECRET", !0);
   }
   expiry(a) {
     let e;
@@ -4634,7 +4634,7 @@ class j {
    * @returns a base64-url-encoded string that can go into the storage
    */
   static hashSessionId(a) {
-    return U.session + k.hash(a);
+    return U.session + _.hash(a);
   }
   /**
    * Creates a session key and saves in storage
@@ -4653,7 +4653,7 @@ class j {
    *          attempts exceeded trying to create a unique session id
    */
   async createSessionKey(a, e = {}) {
-    let r = 0, i = k.randomValue(Ne);
+    let r = 0, i = _.randomValue(Ne);
     const s = /* @__PURE__ */ new Date();
     let n = this.expiry(s), c = !1;
     for (; r < 10 && !c; ) {
@@ -4663,7 +4663,7 @@ class j {
       } catch (f) {
         let y = o.asCrossauthError(f);
         if (y.code == l.KeyExists || y.code == l.InvalidKey) {
-          if (r++, i = k.randomValue(Ne), r > 10)
+          if (r++, i = _.randomValue(Ne), r > 10)
             throw h.logger.error(m({ msg: "Max attempts exceeded trying to create session ID" })), new o(l.KeyExists);
         } else
           throw h.logger.debug(m({ err: f })), f;
@@ -4686,8 +4686,8 @@ class j {
    * @returns a {@link Cookie } object,
    */
   makeCookie(a, e) {
-    let t = k.signSecureToken(a.value, this.secret), r = {};
-    return e == null && (e = this.persist), this.domain && (r.domain = this.domain), a.expires && e && (r.expires = a.expires), this.path && (r.path = this.path), r.sameSite = this.sameSite, this.httpOnly && (r.httpOnly = this.httpOnly), this.secure && (r.secure = this.secure), {
+    let t = _.signSecureToken(a.value, this.secret), r = {};
+    return e == null && (e = this.persist), this.domain && (r.domain = this.domain), a.expires && e && (r.expires = a.expires), this.path && (r.path = this.path), r.sameSite = this.sameSite, this.httpOnly ? r.httpOnly = this.httpOnly : this.httpOnly === !1 && (r.httpOnly = this.httpOnly), this.secure ? r.secure = this.secure : this.secure === !1 && (r.secure = this.secure), h.logger.debug(m({ msg: `Setting session cookie ${this.cookieName} options ${JSON.stringify(r)}` })), {
       name: this.cookieName,
       value: t,
       options: r
@@ -4723,7 +4723,7 @@ class j {
    *         is invalid.
    */
   unsignCookie(a) {
-    return k.unsignSecureToken(a, this.secret);
+    return _.unsignSecureToken(a, this.secret);
   }
   /**
    * Returns the user matching the given session key in session storage, or throws an exception.
@@ -4763,11 +4763,11 @@ class j {
   async getSessionKey(a) {
     const e = Date.now(), t = j.hashSessionId(a), r = await this.keyStorage.getKey(t);
     if (r.value = a, r.expires && e > r.expires.getTime())
-      throw h.logger.warn(m({ msg: "Session id in cookie expired in key storage", hashedSessionCookie: k.hash(a) })), new o(l.Expired);
+      throw h.logger.warn(m({ msg: "Session id in cookie expired in key storage", hashedSessionCookie: _.hash(a) })), new o(l.Expired);
     if (r.userid && this.idleTimeout > 0 && r.lastactive && e > r.lastactive.getTime() + this.idleTimeout * 1e3)
-      throw h.logger.warn(m({ msg: "Session cookie with expired idle time received", hashedSessionCookie: k.hash(a) })), new o(l.Expired);
+      throw h.logger.warn(m({ msg: "Session cookie with expired idle time received", hashedSessionCookie: _.hash(a) })), new o(l.Expired);
     if (this.filterFunction && !this.filterFunction(r))
-      throw h.logger.warn(m({ msg: "Filter function on session id in cookie failed", hashedSessionCookie: k.hash(a) })), new o(l.InvalidKey);
+      throw h.logger.warn(m({ msg: "Filter function on session id in cookie failed", hashedSessionCookie: _.hash(a) })), new o(l.InvalidKey);
     return r;
   }
   /**
@@ -4863,17 +4863,17 @@ class rr {
     if (i)
       n = (await this.userStorage.getUserByUsername(i.username, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 })).secrets;
     else {
-      let _ = { username: "", state: "active" };
+      let k = { username: "", state: "active" };
       try {
         let T = await this.userStorage.getUserByUsername(a, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 });
-        n = T.secrets, i = T.user, _ = T.user;
+        n = T.secrets, i = T.user, k = T.user;
       } catch (T) {
         if (o.asCrossauthError(T).code == l.Connection) throw T;
         for (let b in this.authenticators)
-          this.authenticators[b].requireUserEntry() || (_ = { username: e.username, state: "active" }, c = b);
+          this.authenticators[b].requireUserEntry() || (k = { username: e.username, state: "active" }, c = b);
       }
-      if (_.username == "") throw new o(l.UserNotExist);
-      await this.authenticators[(i == null ? void 0 : i.factor1) ?? c].authenticateUser(_, n, e);
+      if (k.username == "") throw new o(l.UserNotExist);
+      await this.authenticators[(i == null ? void 0 : i.factor1) ?? c].authenticateUser(k, n, e);
       let p = await this.userStorage.getUserByUsername(a, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 });
       n = p.secrets, i = p.user;
     }
@@ -4883,11 +4883,11 @@ class rr {
     else if (i.state == E.factor2ResetNeeded)
       d = (await this.createAnonymousSession({ data: JSON.stringify({ factor2change: { username: i.username } }) })).sessionCookie;
     else if (!s && i.factor2 && i.factor2 != "") {
-      const { sessionCookie: _ } = await this.initiateTwoFactorLogin(i);
-      d = _;
+      const { sessionCookie: k } = await this.initiateTwoFactorLogin(i);
+      d = k;
     } else {
-      const _ = await this.session.createSessionKey(i.id, t);
-      d = this.session.makeCookie(_, r);
+      const k = await this.session.createSessionKey(i.id, t);
+      d = this.session.makeCookie(k, r);
     }
     const f = this.csrfTokens.createCsrfToken(), y = this.csrfTokens.makeCsrfCookie(f), C = this.csrfTokens.makeCsrfFormOrHeaderToken(f);
     try {
@@ -4895,8 +4895,8 @@ class rr {
         i.id,
         U.passwordResetToken
       );
-    } catch (_) {
-      h.logger.warn(m({ msg: "Couldn't delete password reset tokens while logging in", user: a })), h.logger.debug(m({ err: _ }));
+    } catch (k) {
+      h.logger.warn(m({ msg: "Couldn't delete password reset tokens while logging in", user: a })), h.logger.debug(m({ err: k }));
     }
     return {
       sessionCookie: d,
@@ -5082,7 +5082,7 @@ class rr {
    */
   async updateSessionData(a, e, t) {
     const r = j.hashSessionId(a);
-    h.logger.debug(m({ msg: `Updating session data value ${e}`, hashedSessionCookie: k.hash(a) })), await this.keyStorage.updateData(r, e, t);
+    h.logger.debug(m({ msg: `Updating session data value ${e}`, hashedSessionCookie: _.hash(a) })), await this.keyStorage.updateData(r, e, t);
   }
   /**
    * Update field sin the session data.
@@ -5094,7 +5094,7 @@ class rr {
    */
   async updateManySessionData(a, e) {
     const t = j.hashSessionId(a);
-    h.logger.debug(m({ msg: "Updating session data", hashedSessionCookie: k.hash(a) })), await this.keyStorage.updateManyData(t, e);
+    h.logger.debug(m({ msg: "Updating session data", hashedSessionCookie: _.hash(a) })), await this.keyStorage.updateManyData(t, e);
   }
   /**
   * Deletes a field from the session data.
@@ -5106,7 +5106,7 @@ class rr {
   */
   async deleteSessionData(a, e) {
     const t = j.hashSessionId(a);
-    h.logger.debug(m({ msg: `Updating session data value ${e}`, hashedSessionCookie: k.hash(a) })), await this.keyStorage.deleteData(t, e);
+    h.logger.debug(m({ msg: `Updating session data value ${e}`, hashedSessionCookie: _.hash(a) })), await this.keyStorage.deleteData(t, e);
   }
   /**
    * Deletes the given session ID from the key storage (not the cookie)
@@ -5245,8 +5245,8 @@ class rr {
     const n = this.authenticators[i.factor2];
     if (!n) throw new o(l.Configuration, "Unrecognised second factor authentication");
     const c = {}, d = n.secretNames();
-    for (let _ in i)
-      d.includes(_) && (c[_] = i[_]);
+    for (let k in i)
+      d.includes(k) && (c[k] = i[k]);
     if (await n.authenticateUser(void 0, i, a), t || (t = (await this.userStorage.getUserByUsername(s, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 })).user), !t) throw new o(l.UserNotExist, "Couldn't fetch user");
     let f = E.active;
     t.state == E.awaitingTwoFactorSetupAndEmailVerification && (f = E.awaitingEmailVerification);
@@ -5360,7 +5360,7 @@ class rr {
     await y.authenticateUser(d, { ...f, ...s }, a);
     const C = await this.session.createSessionKey(d.id, t);
     await this.keyStorage.deleteKey(j.hashSessionId(i.value));
-    const _ = this.session.makeCookie(C, r), p = this.csrfTokens.createCsrfToken(), T = this.csrfTokens.makeCsrfCookie(p), v = this.csrfTokens.makeCsrfFormOrHeaderToken(p);
+    const k = this.session.makeCookie(C, r), p = this.csrfTokens.createCsrfToken(), T = this.csrfTokens.makeCsrfCookie(p), v = this.csrfTokens.makeCsrfFormOrHeaderToken(p);
     try {
       this.emailTokenStorage.deleteAllForUser(
         d.id,
@@ -5370,7 +5370,7 @@ class rr {
       h.logger.warn(m({ msg: "Couldn't delete password reset tokens while logging in", user: n })), h.logger.debug(m({ err: b }));
     }
     return {
-      sessionCookie: _,
+      sessionCookie: k,
       csrfCookie: T,
       csrfFormOrHeaderValue: v,
       user: d
@@ -5506,7 +5506,7 @@ class rr {
     return { ...i, state: n };
   }
 }
-class ke {
+class _e {
   /**
    * Constructor.
    *
@@ -5544,7 +5544,7 @@ class ke {
    *          Authorization header (with the signature appended.)
    */
   async createKey(a, e, t, r, i) {
-    const s = k.randomValue(this.keyLength), n = /* @__PURE__ */ new Date(), c = r ? new Date(n.getTime() + r * 1e3) : void 0, d = ke.hashApiKeyValue(s), f = {
+    const s = _.randomValue(this.keyLength), n = /* @__PURE__ */ new Date(), c = r ? new Date(n.getTime() + r * 1e3) : void 0, d = _e.hashApiKeyValue(s), f = {
       name: a,
       value: s,
       userid: e,
@@ -5565,7 +5565,7 @@ class ke {
     return { key: f, token: y };
   }
   static hashApiKeyValue(a) {
-    return k.hash(a);
+    return _.hash(a);
   }
   /**
    * Returns the hash of the bearer value from the Authorization header.
@@ -5576,20 +5576,20 @@ class ke {
    * @returns a hash of the value (without the prefix).
    */
   static hashSignedApiKeyValue(a) {
-    return k.hash(a.split(".")[0]);
+    return _.hash(a.split(".")[0]);
   }
   unsignApiKeyValue(a) {
-    return k.unsign(a, this.secret).v;
+    return _.unsign(a, this.secret).v;
   }
   signApiKeyValue(a) {
-    return k.sign({ v: a }, this.secret);
+    return _.sign({ v: a }, this.secret);
   }
   async getKey(a) {
     if (this.authScheme != "" && a.startsWith(this.authScheme + " ")) {
       const i = new RegExp(`^${this.authScheme} `);
       a = a.replace(i, "");
     }
-    const e = this.unsignApiKeyValue(a), t = ke.hashApiKeyValue(e), r = await this.apiKeyStorage.getKey(this.prefix + t);
+    const e = this.unsignApiKeyValue(a), t = _e.hashApiKeyValue(e), r = await this.apiKeyStorage.getKey(this.prefix + t);
     if (!("name" in r)) throw new o(l.InvalidKey, "Not a valid API key");
     return { ...r, name: r.name };
   }
@@ -5638,7 +5638,7 @@ class Q {
   async createClient(a, e, t, r = !0, i) {
     const s = Q.randomClientId();
     let n, c;
-    r && (c = Q.randomClientSecret(), n = await k.passwordHash(c, {
+    r && (c = Q.randomClientSecret(), n = await _.passwordHash(c, {
       encode: !0,
       iterations: this.oauthPbkdf2Iterations,
       keyLen: this.oauthPbkdf2KeyLength,
@@ -5681,7 +5681,7 @@ class Q {
   async updateClient(a, e, t = !1) {
     const r = await this.clientStorage.getClientById(a);
     let i = !1, s;
-    e.confidential === !0 && !r.confidential || e.confidential === !0 && t ? (s = Q.randomClientSecret(), e.client_secret = await k.passwordHash(s, {
+    e.confidential === !0 && !r.confidential || e.confidential === !0 && t ? (s = Q.randomClientSecret(), e.client_secret = await _.passwordHash(s, {
       encode: !0,
       iterations: this.oauthPbkdf2Iterations,
       keyLen: this.oauthPbkdf2KeyLength,
@@ -5696,13 +5696,13 @@ class Q {
    * Create a random OAuth client id
    */
   static randomClientId() {
-    return k.randomValue(pt);
+    return _.randomValue(pt);
   }
   /**
   * Create a random OAuth client secret
   */
   static randomClientSecret() {
-    return k.randomValue(Ct);
+    return _.randomValue(Ct);
   }
   /** If the passed redirect URI is not in the set of valid ones,
    * throw {@link @crossauth/common!CrossauthError} with
@@ -5779,7 +5779,7 @@ class St extends je {
    * @returns Base64-url-encoded hash
    */
   async hash(e) {
-    return k.hash(e);
+    return _.hash(e);
   }
   /**
    * If the given token is valid, the paylaod is returned.  Otherwise
@@ -5800,7 +5800,7 @@ class St extends je {
     const i = await super.tokenAuthorized(e, t, r);
     if (i && t == "access" && this.persistAccessToken && this.keyStorage)
       try {
-        const n = U.accessToken + k.hash(i.jti ? i.jti : i.sid ? i.sid : ""), c = await this.keyStorage.getKey(n), d = /* @__PURE__ */ new Date();
+        const n = U.accessToken + _.hash(i.jti ? i.jti : i.sid ? i.sid : ""), c = await this.keyStorage.getKey(n), d = /* @__PURE__ */ new Date();
         if (c.expires && ((s = c.expires) == null ? void 0 : s.getTime()) < d.getTime()) {
           h.logger.error(m({ msg: "Access token expired in storage but not in JWT" }));
           return;
@@ -5808,7 +5808,7 @@ class St extends je {
       } catch (n) {
         h.logger.warn(m({
           msg: "Couldn't get token from database - is it valid?",
-          hashedAccessToken: k.hash(i.jti ? i.jti : i.sid ? i.sid : "")
+          hashedAccessToken: _.hash(i.jti ? i.jti : i.sid ? i.sid : "")
         })), h.logger.debug(m({ err: n }));
         return;
       }
@@ -5848,7 +5848,7 @@ class De extends He {
     u(this, "userStorage");
     this.client_id = r.client_id;
     let i = {};
-    if (w("stateLength", g.String, this, t, "OAUTH_STATE_LENGTH"), w("verifierLength", g.String, this, t, "OAUTH_VERIFIER_LENGTH"), w("client_secret", g.String, i, t, "OAUTH_CLIENT_SECRET"), w("codeChallengeMethod", g.String, this, t, "OAUTH_CODE_CHALLENGE_METHOD"), w("deviceAuthorizationUrl", g.String, this, t, "OAUTH_DEVICE_AUTHORIZATION_URL"), w("oauthLogFetch", g.Boolean, this, t, "OAUTH_LOG_FETCH"), this.deviceAuthorizationUrl.startsWith("/") && (this.deviceAuthorizationUrl = this.deviceAuthorizationUrl.substring(1)), i.client_secret && (this.client_secret = i.client_secret), w("userCreationType", g.String, this, t, "OAUTH_USER_CREATION_TYPE"), w("userMatchField", g.String, this, t, "OAUTH_USER_MATCH_FIELD"), w("idTokenMatchField", g.String, this, t, "OAUTH_IDTOKEN_MaTCH_FIELD"), this.userCreationType == "merge" ? this.userCreationFn = Tt : this.userCreationType == "embed" ? this.userCreationFn = _t : t.userCreationFn && this.userCreationType == "custom" ? this.userCreationFn = t.userCreationFn : this.userCreationFn = kt, t.userStorage && (this.userStorage = t.userStorage), w("oauthPostType", g.String, this, t, "OAUTH_POST_TYPE"), w("oauthUseUserInfoEndpoint", g.Boolean, this, t, "OAUTH_USE_USER_INFO_ENDPOINT"), w("oauthAuthorizeRedirect", g.String, this, t, "OAUTH_AUTHORIZE_REDIRECT"), this.oauthPostType != "json" && this.oauthPostType != "form")
+    if (w("stateLength", g.String, this, t, "OAUTH_STATE_LENGTH"), w("verifierLength", g.String, this, t, "OAUTH_VERIFIER_LENGTH"), w("client_secret", g.String, i, t, "OAUTH_CLIENT_SECRET"), w("codeChallengeMethod", g.String, this, t, "OAUTH_CODE_CHALLENGE_METHOD"), w("deviceAuthorizationUrl", g.String, this, t, "OAUTH_DEVICE_AUTHORIZATION_URL"), w("oauthLogFetch", g.Boolean, this, t, "OAUTH_LOG_FETCH"), this.deviceAuthorizationUrl.startsWith("/") && (this.deviceAuthorizationUrl = this.deviceAuthorizationUrl.substring(1)), i.client_secret && (this.client_secret = i.client_secret), w("userCreationType", g.String, this, t, "OAUTH_USER_CREATION_TYPE"), w("userMatchField", g.String, this, t, "OAUTH_USER_MATCH_FIELD"), w("idTokenMatchField", g.String, this, t, "OAUTH_IDTOKEN_MaTCH_FIELD"), this.userCreationType == "merge" ? this.userCreationFn = Tt : this.userCreationType == "embed" ? this.userCreationFn = kt : t.userCreationFn && this.userCreationType == "custom" ? this.userCreationFn = t.userCreationFn : this.userCreationFn = _t, t.userStorage && (this.userStorage = t.userStorage), w("oauthPostType", g.String, this, t, "OAUTH_POST_TYPE"), w("oauthUseUserInfoEndpoint", g.Boolean, this, t, "OAUTH_USE_USER_INFO_ENDPOINT"), w("oauthAuthorizeRedirect", g.String, this, t, "OAUTH_AUTHORIZE_REDIRECT"), this.oauthPostType != "json" && this.oauthPostType != "form")
       throw new o(l.Configuration, "oauthPostType must be json or form");
   }
   /**
@@ -5858,7 +5858,7 @@ class De extends He {
    * @returns the Base64-URL-encoded random string
    */
   randomValue(e) {
-    return k.randomValue(e);
+    return _.randomValue(e);
   }
   /**
    * Uses {@link @crossauth/backend!Crypto.sha256} to create hash a string using SHA256
@@ -5866,7 +5866,7 @@ class De extends He {
    * @returns the Base64-URL-encoded hash
    */
   async sha256(e) {
-    return k.sha256(e);
+    return _.sha256(e);
   }
 }
 async function Tt(S, a, e, t) {
@@ -5881,7 +5881,7 @@ async function Tt(S, a, e, t) {
     throw h.logger.error(m({ err: r })), r;
   }
 }
-async function _t(S, a, e, t) {
+async function kt(S, a, e, t) {
   if (!a) throw new o(l.Configuration, "userCreationType set to embed but no user storage set");
   try {
     let r;
@@ -5893,7 +5893,7 @@ async function _t(S, a, e, t) {
     throw h.logger.error({ err: r }), r;
   }
 }
-async function kt(S, a, e, t) {
+async function _t(S, a, e, t) {
   return {
     ...S,
     id: S.userid ?? S.sub,
@@ -6122,11 +6122,11 @@ class ir {
     const {
       scopes: y,
       error: C,
-      error_description: _
+      error_description: k
     } = await this.validateAndPersistScope(e, r, c);
     if (C) return {
       error: C,
-      error_description: _
+      error_description: k
     };
     const p = this.inferFlowFromGet(a, y || [], s);
     if (!p || !this.validFlows.includes(p))
@@ -6247,7 +6247,7 @@ class ir {
     } : r && (!t || !e.client_secret) ? {
       error: "access_denied",
       error_description: "Client is confidential but either secret not passed or is missing in database"
-    } : r && !await k.passwordsEqual(
+    } : r && !await _.passwordsEqual(
       t ?? "",
       e.client_secret ?? ""
     ) ? {
@@ -6294,7 +6294,7 @@ class ir {
     mfaToken: f,
     oobCode: y,
     bindingCode: C,
-    otp: _,
+    otp: k,
     deviceCode: p
   }) {
     var R, Y, W, ie;
@@ -6366,6 +6366,7 @@ class ir {
       }
       if (n)
         if (h.logger.debug(m({ msg: "token endpoint: refresh token flow" })), F && D && K && P) {
+          h.logger.debug(m({ msg: "token endpoint: refreshing locally and upstream" }));
           let A;
           if (F.username)
             try {
@@ -6383,7 +6384,7 @@ class ir {
             }
           let x = F.scope;
           try {
-            const H = U.refreshToken + k.hash(n);
+            const H = U.refreshToken + _.hash(n);
             await this.keyStorage.deleteKey(H);
           } catch (H) {
             const J = o.asCrossauthError(H);
@@ -6435,6 +6436,7 @@ class ir {
               error_description: z.error_description
             };
         } else if (D && K && P) {
+          h.logger.debug(m({ msg: "token endpoint: refreshing upstream" }));
           let A = await K.refreshTokenFlow(D);
           if (!A.access_token)
             return {
@@ -6461,7 +6463,7 @@ class ir {
               error_description: B.error_description
             };
         } else {
-          if (F = await this.getRefreshTokenData(n), !n || !F || !this.userStorage)
+          if (h.logger.debug(m({ msg: "token endpoint: refreshing locally" })), F = await this.getRefreshTokenData(n), !n || !F || !this.userStorage)
             return {
               error: "access_denied",
               error_description: "Refresh token is invalid"
@@ -6483,7 +6485,7 @@ class ir {
             }
           let X = F.scopes;
           try {
-            const z = U.refreshToken + k.hash(n);
+            const z = U.refreshToken + _.hash(n);
             await this.keyStorage.deleteKey(z);
           } catch (z) {
             const H = o.asCrossauthError(z);
@@ -6615,7 +6617,7 @@ class ir {
           error: P,
           error_description: D
         };
-      if (!_)
+      if (!k)
         return {
           error: "access_denied",
           error_description: "OTP not provided"
@@ -6625,7 +6627,7 @@ class ir {
           error: "access_denied",
           error_description: "MFA token not provided"
         };
-      const O = await this.validateMfaToken(f), F = U.mfaToken + k.hash(f);
+      const O = await this.validateMfaToken(f), F = U.mfaToken + _.hash(f);
       if (!O.user || !O.key)
         return {
           error: "access_denied",
@@ -6642,7 +6644,7 @@ class ir {
         await A.authenticateUser(
           O.user,
           x,
-          { otp: _ }
+          { otp: k }
         );
       } catch (x) {
         return h.logger.debug(m({ err: x })), {
@@ -6858,7 +6860,7 @@ class ir {
     const f = /* @__PURE__ */ new Date(), y = this.userCodeExpiry, C = new Date(f.getTime() + this.userCodeExpiry * 1e3 + this.clockTolerance * 1e3);
     for (let T = 0; T < 10 && !d; ++T)
       try {
-        c = k.randomValue(this.deviceCodeLength), await this.keyStorage.saveKey(
+        c = _.randomValue(this.deviceCodeLength), await this.keyStorage.saveKey(
           void 0,
           U.deviceCode + c,
           f,
@@ -6873,13 +6875,13 @@ class ir {
         error: "server_error",
         error_description: "Couldn't create device code"
       };
-    let _;
+    let k;
     d = !1;
     for (let T = 0; T < 10 && !d; ++T)
       try {
-        _ = k.randomBase32(this.userCodeLength), await this.keyStorage.saveKey(
+        k = _.randomBase32(this.userCodeLength), await this.keyStorage.saveKey(
           void 0,
-          U.userCode + _,
+          U.userCode + k,
           f,
           C,
           JSON.stringify({ deviceCode: c })
@@ -6887,20 +6889,20 @@ class ir {
       } catch {
         h.logger.debug(m({ msg: `Attempt number${T} at creating a unique authozation code failed` }));
       }
-    if (!d || !_)
+    if (!d || !k)
       return await this.deleteDeviceCode(c), {
         error: "server_error",
         error_description: "Couldn't create device code"
       };
-    if (_ && this.userCodeDashEvery) {
+    if (k && this.userCodeDashEvery) {
       const T = new RegExp(String.raw`(.{1,${this.userCodeDashEvery}})`, "g");
-      _ = (p = _.match(T)) == null ? void 0 : p.join("-");
+      k = (p = k.match(T)) == null ? void 0 : p.join("-");
     }
     return {
       device_code: c,
-      user_code: _,
+      user_code: k,
       verification_uri: this.deviceCodeVerificationUri,
-      verification_uri_complete: this.deviceCodeVerificationUri + "?user_code=" + _,
+      verification_uri_complete: this.deviceCodeVerificationUri + "?user_code=" + k,
       expires_in: y,
       interval: this.deviceCodePollInterval
     };
@@ -6933,7 +6935,7 @@ class ir {
       };
     }
     if (!r.deviceCode)
-      return h.logger.error(m({ msg: "No device code for user code", userCodeHash: k.hash(a) })), await this.deleteUserCode(a), {
+      return h.logger.error(m({ msg: "No device code for user code", userCodeHash: _.hash(a) })), await this.deleteUserCode(a), {
         ok: !1,
         error: "server_error",
         error_description: "No device code for user code"
@@ -6945,8 +6947,8 @@ class ir {
       const C = o.asCrossauthError(y);
       return h.logger.debug(m({ err: C })), h.logger.error(m({
         msg: "Invalid device code for user code",
-        userCodeHash: k.hash(a),
-        deviceCodeHash: k.hash(r.deviceCode),
+        userCodeHash: _.hash(a),
+        deviceCodeHash: _.hash(r.deviceCode),
         cerr: C
       })), await this.deleteUserCode(a), {
         ok: !1,
@@ -7041,7 +7043,7 @@ class ir {
       };
     }
     if (!t.deviceCode)
-      return h.logger.error(m({ msg: "No device code for user code", userCodeHash: k.hash(a) })), await this.deleteUserCode(a), {
+      return h.logger.error(m({ msg: "No device code for user code", userCodeHash: _.hash(a) })), await this.deleteUserCode(a), {
         ok: !1,
         error: "server_error",
         error_description: "No device code for user code"
@@ -7053,8 +7055,8 @@ class ir {
       const c = o.asCrossauthError(n);
       return h.logger.debug(m({ err: c })), h.logger.error(m({
         msg: "Invalid device code for user code",
-        userCodeHash: k.hash(a),
-        deviceCodeHash: k.hash(t.deviceCode),
+        userCodeHash: _.hash(a),
+        deviceCodeHash: _.hash(t.deviceCode),
         cerr: c
       })), await this.deleteUserCode(a), {
         ok: !1,
@@ -7092,7 +7094,7 @@ class ir {
     };
   }
   async createMfaRequest(a) {
-    const e = k.randomValue(this.codeLength), t = U.mfaToken + k.hash(e), r = /* @__PURE__ */ new Date();
+    const e = _.randomValue(this.codeLength), t = U.mfaToken + _.hash(e), r = /* @__PURE__ */ new Date();
     try {
       await this.keyStorage.saveKey(
         a.id,
@@ -7118,7 +7120,7 @@ class ir {
     var r;
     let e, t;
     try {
-      const i = U.mfaToken + k.hash(a);
+      const i = U.mfaToken + _.hash(a);
       if (t = await this.keyStorage.getKey(i), !t.userid)
         return {
           error: "access_denied",
@@ -7221,7 +7223,7 @@ class ir {
       };
     let y = {};
     r == "oob" && (y = {
-      oobCode: k.randomValue(this.codeLength)
+      oobCode: _.randomValue(this.codeLength)
     });
     try {
       const C = this.authenticators[f.user.factor2];
@@ -7230,11 +7232,11 @@ class ir {
           l.Configuration,
           "User's authenticator has not been loaded"
         );
-      const _ = await C.createOneTimeSecrets(f.user);
+      const k = await C.createOneTimeSecrets(f.user);
       await this.keyStorage.updateData(
         f.key.value,
         "omfa",
-        { ...y, ..._ }
+        { ...y, ...k }
       );
     } catch (C) {
       return h.logger.debug(m({ err: C })), {
@@ -7303,22 +7305,22 @@ class ir {
       client_id: a.client_id,
       redirect_uri: e
     };
-    t && (y.scope = t), i && (y.challengeMethod = s, y.challenge = k.hash(i)), n && (y.username = n.username, y.id = n.id);
+    t && (y.scope = t), i && (y.challengeMethod = s, y.challenge = _.hash(i)), n && (y.username = n.username, y.id = n.id);
     const C = JSON.stringify(y);
-    let _ = !1, p = "";
-    for (let T = 0; T < 10 && !_; ++T)
+    let k = !1, p = "";
+    for (let T = 0; T < 10 && !k; ++T)
       try {
-        p = k.randomValue(this.codeLength), await this.keyStorage.saveKey(
+        p = _.randomValue(this.codeLength), await this.keyStorage.saveKey(
           void 0,
-          U.authorizationCode + k.hash(p),
+          U.authorizationCode + _.hash(p),
           d,
           f,
           C
-        ), _ = !0;
+        ), k = !0;
       } catch {
         h.logger.debug(m({ msg: `Attempt number${T} at creating a unique authozation code failed` }));
       }
-    if (!_)
+    if (!k)
       throw new o(
         l.KeyExists,
         "Couldn't create a authorization code"
@@ -7328,7 +7330,7 @@ class ir {
   async getAuthorizationCodeData(a) {
     let e, t = {};
     try {
-      e = await this.keyStorage.getKey(U.authorizationCode + k.hash(a)), t = V.decodeData(e.data);
+      e = await this.keyStorage.getKey(U.authorizationCode + _.hash(a)), t = V.decodeData(e.data);
     } catch (r) {
       h.logger.debug(m({ err: r }));
       return;
@@ -7337,7 +7339,7 @@ class ir {
   }
   async deleteAuthorizationCodeData(a) {
     try {
-      await this.keyStorage.deleteKey(U.authorizationCode + k.hash(a));
+      await this.keyStorage.deleteKey(U.authorizationCode + _.hash(a));
     } catch (e) {
       h.logger.warn(m({
         err: e,
@@ -7346,7 +7348,7 @@ class ir {
     }
   }
   async setAuthorizationCodeData(a, e) {
-    const t = await this.keyStorage.getKey(U.authorizationCode + k.hash(a));
+    const t = await this.keyStorage.getKey(U.authorizationCode + _.hash(a));
     t.data = JSON.stringify(e), this.keyStorage.updateKey(t);
   }
   /**
@@ -7364,7 +7366,7 @@ class ir {
     var M, $;
     let c = !0;
     try {
-      a.client_secret != null && (c = await k.passwordsEqual(
+      a.client_secret != null && (c = await _.passwordsEqual(
         t ?? "",
         a.client_secret ?? ""
       ));
@@ -7379,7 +7381,7 @@ class ir {
     if (e) {
       let N;
       try {
-        N = await this.keyStorage.getKey(U.authorizationCode + k.hash(e)), d = V.decodeData(N.data);
+        N = await this.keyStorage.getKey(U.authorizationCode + _.hash(e)), d = V.decodeData(N.data);
       } catch (R) {
         return h.logger.debug(m({ err: R })), {
           error: "access_denied",
@@ -7403,8 +7405,8 @@ class ir {
         error_description: "Invalid code challenge/code challenge method method for authorization code"
       };
     if (d.challenge) {
-      const N = d.challengeMethod == "plain" ? r ?? "" : k.sha256(r ?? "");
-      if (k.hash(N) != d.challenge)
+      const N = d.challengeMethod == "plain" ? r ?? "" : _.sha256(r ?? "");
+      if (_.hash(N) != d.challenge)
         return {
           error: "access_denied",
           error_description: "Code verifier is incorrect"
@@ -7422,9 +7424,9 @@ class ir {
           error_description: "Couldn't load user data"
         };
       }
-    const _ = k.uuid();
+    const k = _.uuid();
     let p = {
-      jti: _,
+      jti: k,
       iat: y,
       iss: this.oauthIssuer,
       sub: d.username,
@@ -7447,13 +7449,13 @@ class ir {
     this.persistAccessToken && this.keyStorage && await ((M = this.keyStorage) == null ? void 0 : M.saveKey(
       void 0,
       // to avoid user storage dependency, we don't set this
-      U.accessToken + k.hash(_),
+      U.accessToken + _.hash(k),
       f,
       C
     ));
     let v;
     if (i && i.includes("openid")) {
-      const N = k.uuid();
+      const N = _.uuid();
       let R = {
         aud: a.client_id,
         jti: N,
@@ -7506,7 +7508,7 @@ class ir {
       i && (N.scope = i);
       let R;
       const W = {
-        jti: k.uuid(),
+        jti: _.uuid(),
         iat: y,
         iss: this.oauthIssuer,
         sub: d.username,
@@ -7527,7 +7529,7 @@ class ir {
       }), b && await (($ = this.keyStorage) == null ? void 0 : $.saveKey(
         void 0,
         // to avoid user storage dependency
-        U.refreshToken + k.hash(b),
+        U.refreshToken + _.hash(b),
         f,
         R,
         JSON.stringify(N)
@@ -7560,7 +7562,7 @@ class ir {
     r && (y.scope = r), e && (y.upstreamRefreshToken = e, y.upstreamLabel = t);
     let C;
     const p = {
-      jti: k.uuid(),
+      jti: _.uuid(),
       iat: d,
       iss: this.oauthIssuer,
       sub: i,
@@ -7582,7 +7584,7 @@ class ir {
       return f && await ((T = this.keyStorage) == null ? void 0 : T.saveKey(
         void 0,
         // to avoid user storage dependency
-        U.refreshToken + k.hash(f),
+        U.refreshToken + _.hash(f),
         c,
         C,
         JSON.stringify(y)
@@ -7596,7 +7598,7 @@ class ir {
     const r = /* @__PURE__ */ new Date(), i = Math.ceil(r.getTime() / 1e3);
     let s, n, c, d;
     if (e) {
-      const y = k.uuid();
+      const y = _.uuid();
       let C = {
         ...e,
         jti: y,
@@ -7604,13 +7606,13 @@ class ir {
         iss: this.oauthIssuer,
         type: "access"
       };
-      this.accessTokenExpiry != null && (C.exp = i + this.accessTokenExpiry, s = new Date(r.getTime() + this.accessTokenExpiry * 1e3 + this.clockTolerance * 1e3)), this.audience && (C.aud = this.audience), n = await new Promise((_, p) => {
+      this.accessTokenExpiry != null && (C.exp = i + this.accessTokenExpiry, s = new Date(r.getTime() + this.accessTokenExpiry * 1e3 + this.clockTolerance * 1e3)), this.audience && (C.aud = this.audience), n = await new Promise((k, p) => {
         ae.sign(
           C,
           this.secretOrPrivateKey,
           { algorithm: this.jwtAlgorithmChecked, keyid: "1" },
           (T, v) => {
-            v ? _(v) : p(T || new o(
+            v ? k(v) : p(T || new o(
               l.Unauthorized,
               "Couldn't create jwt"
             ));
@@ -7619,13 +7621,13 @@ class ir {
       }), d = C, this.persistAccessToken && this.keyStorage && await ((f = this.keyStorage) == null ? void 0 : f.saveKey(
         void 0,
         // to avoid user storage dependency, we don't set this
-        U.accessToken + k.hash(y),
+        U.accessToken + _.hash(y),
         r,
         s
       ));
     }
     if (t != null) {
-      const y = k.uuid();
+      const y = _.uuid();
       if (t = {
         ...t,
         aud: a,
@@ -7635,7 +7637,7 @@ class ir {
         type: "id"
       }, t) {
         const C = t;
-        c = await new Promise((_, p) => {
+        c = await new Promise((k, p) => {
           ae.sign(
             C,
             this.secretOrPrivateKey,
@@ -7644,7 +7646,7 @@ class ir {
               keyid: this.jwtKid
             },
             (T, v) => {
-              v ? _(v) : p(T || new o(
+              v ? k(v) : p(T || new o(
                 l.Unauthorized,
                 "Couldn't create jwt"
               ));
@@ -7701,7 +7703,7 @@ class ir {
    */
   async validAuthorizationCode(a) {
     try {
-      const e = U.authorizationCode + k.hash(a);
+      const e = U.authorizationCode + _.hash(a);
       return await this.keyStorage.getKey(e), !0;
     } catch (e) {
       return h.logger.debug(m({ err: e })), !1;
@@ -7715,7 +7717,7 @@ class ir {
    */
   async validRefreshToken(a) {
     try {
-      const e = U.refreshToken + k.hash(a);
+      const e = U.refreshToken + _.hash(a);
       return await this.keyStorage.getKey(e), !0;
     } catch (e) {
       return h.logger.debug(m({ err: e })), !1;
@@ -7730,7 +7732,7 @@ class ir {
   async getRefreshTokenData(a) {
     if (a)
       try {
-        const e = U.refreshToken + k.hash(a), t = await this.keyStorage.getKey(e);
+        const e = U.refreshToken + _.hash(a), t = await this.keyStorage.getKey(e);
         return JSON.parse(t.data || "{}");
       } catch (e) {
         h.logger.debug(m({ err: e }));
@@ -7764,7 +7766,7 @@ class ir {
     try {
       const e = await this.validateJwt(a, "access");
       if (this.persistAccessToken) {
-        const t = U.accessToken + k.hash(e.payload.jti);
+        const t = U.accessToken + _.hash(e.payload.jti);
         await this.keyStorage.getKey(t);
       }
       return e;
@@ -8000,9 +8002,9 @@ class ar {
   }
 }
 export {
-  ke as ApiKeyManager,
+  _e as ApiKeyManager,
   de as Authenticator,
-  k as Crypto,
+  _ as Crypto,
   yt as DoubleSubmitCsrfToken,
   Zt as DummyFactor2Authenticator,
   ne as EmailAuthenticator,