@crossauth/common 0.0.14 → 0.0.15

package/dist/index.js CHANGED
@@ -4,34 +4,34 @@ var G = (e) => {
4
4
  };
5
5
  var pe = (e, t, r) => t in e ? fe(e, t, { enumerable: !0, configurable: !0, writable: !0, value: r }) : e[t] = r;
6
6
  var a = (e, t, r) => pe(e, typeof t != "symbol" ? t + "" : t, r), Y = (e, t, r) => t.has(e) || G("Cannot " + r);
7
- var u = (e, t, r) => (Y(e, t, "read from private field"), r ? r.call(e) : t.get(e)), O = (e, t, r) => t.has(e) ? G("Cannot add the same private member more than once") : t instanceof WeakSet ? t.add(e) : t.set(e, r), _ = (e, t, r, n) => (Y(e, t, "write to private field"), n ? n.call(e, r) : t.set(e, r), r);
8
- class k {
7
+ var f = (e, t, r) => (Y(e, t, "read from private field"), r ? r.call(e) : t.get(e)), K = (e, t, r) => t.has(e) ? G("Cannot add the same private member more than once") : t instanceof WeakSet ? t.add(e) : t.set(e, r), S = (e, t, r, n) => (Y(e, t, "write to private field"), n ? n.call(e, r) : t.set(e, r), r);
8
+ class P {
9
9
  }
10
10
  /** Ordinary, active user who can log in freely */
11
- a(k, "active", "active"), /** Deactivated account. User cannot log in */
12
- a(k, "disabled", "disabled"), /** Two factor authentication has been actived for this user
11
+ a(P, "active", "active"), /** Deactivated account. User cannot log in */
12
+ a(P, "disabled", "disabled"), /** Two factor authentication has been actived for this user
13
13
  * but has not yet been configured. Once a user logs in,
14
14
  * they will be directed to a page to configure 2FA and will
15
15
  * not be able to do anything else (that requires login) until
16
16
  * they have done so.
17
17
  */
18
- a(k, "awaitingTwoFactorSetup", "awaitingtwofactorsetup"), /** Email verification has been turned on but user has not
18
+ a(P, "awaitingTwoFactorSetup", "awaitingtwofactorsetup"), /** Email verification has been turned on but user has not
19
19
  * verified his or her email address. Cannot log on until it has
20
20
  * been verified.
21
21
  */
22
- a(k, "awaitingEmailVerification", "awaitingemailverification"), /**
22
+ a(P, "awaitingEmailVerification", "awaitingemailverification"), /**
23
23
  * If the state is set to this, the user may not access any
24
24
  * login-required functions unless he or she has changed their password.
25
25
  *
26
26
  * Upon login, the user is redirected to the change password page.
27
27
  */
28
- a(k, "passwordChangeNeeded", "passwordchangeneeded"), /**
28
+ a(P, "passwordChangeNeeded", "passwordchangeneeded"), /**
29
29
  * If the state is set to this, the user may not access any
30
30
  * login-required functions unless he or she has reset their password.
31
31
  *
32
32
  * Upon login, the user is redirected to the reset password page.
33
33
  */
34
- a(k, "passwordResetNeeded", "passwordresetneeded"), /**
34
+ a(P, "passwordResetNeeded", "passwordresetneeded"), /**
35
35
  * If the state is set to this, the user may not access any
36
36
  * login-required functions unless he or she has reset their second
37
37
  * factor configuration.
@@ -42,14 +42,14 @@ a(k, "passwordResetNeeded", "passwordresetneeded"), /**
42
42
  * this value and the user will then be prompted to configure 2FA
43
43
  * upon login.
44
44
  */
45
- a(k, "factor2ResetNeeded", "factor2resetneeded"), /**
45
+ a(P, "factor2ResetNeeded", "factor2resetneeded"), /**
46
46
  * If the state is set to this, the user may not access any
47
47
  * login-required functions unless he or she has reset their password
48
48
  * and then resets factor2.
49
49
  *
50
50
  * Upon login, the user is redirected to the reset password page.
51
51
  */
52
- a(k, "passwordAndFactor2ResetNeeded", "passwordandfactor2resetneeded");
52
+ a(P, "passwordAndFactor2ResetNeeded", "passwordandfactor2resetneeded");
53
53
  class C {
54
54
  }
55
55
  /** Session ID */
@@ -72,8 +72,8 @@ class g extends Error {
72
72
  * @param message if provided, this error will display. Otherwise a default one for the error code will be used.
73
73
  */
74
74
  constructor(r, n = void 0) {
75
- let i, s = 500;
76
- r == 0 ? (i = "User does not exist", s = 401) : r == 1 ? (i = "Password doesn't match", s = 401) : r == 3 ? (i = "Username or password incorrect", s = 401) : r == 4 ? (i = "Client id is invalid", s = 401) : r == 5 ? (i = "Client ID or name already exists", s = 500) : r == 6 ? (i = "Client secret is invalid", s = 401) : r == 7 ? (i = "Client id or secret is invalid", s = 401) : r == 8 ? (i = "Redirect Uri is not registered", s = 401) : r == 9 ? (i = "Invalid OAuth flow type", s = 500) : r == 2 ? (i = "No user exists with that email address", s = 401) : r == 10 ? (i = "Account is not active", s = 403) : r == 33 ? (i = "Username is not in an allowed format", s = 400) : r == 31 ? (i = "Email is not in an allowed format", s = 400) : r == 32 ? (i = "Phone number is not in an allowed format", s = 400) : r == 11 ? (i = "Email address has not been verified", s = 403) : r == 12 ? (i = "Two-factor setup is not complete", s = 403) : r == 13 ? (i = "Not authorized", s = 401) : r == 14 ? (i = "Client not authorized", s = 401) : r == 15 ? (i = "Invalid scope", s = 403) : r == 16 ? (i = "Insufficient scope", s = 403) : r == 23 ? i = "Connection failure" : r == 22 ? (i = "Token has expired", s = 401) : r == 24 ? i = "Hash is not in a valid format" : r == 19 ? (i = "Key is invalid", s = 401) : r == 18 ? (i = "You do not have permission to access this resource", s = 403) : r == 17 ? (i = "You do not have the right privileges to access this resource", s = 401) : r == 20 ? (i = "CSRF token is invalid", s = 401) : r == 21 ? (i = "Session cookie is invalid", s = 401) : r == 25 ? i = "Algorithm not supported" : r == 26 ? i = "Attempt to create a key that already exists" : r == 27 ? (i = "User must change password", s = 403) : r == 28 ? (i = "User must reset password", s = 403) : r == 29 ? (i = "User must reset 2FA", s = 403) : r == 30 ? i = "There was an error in the configuration" : r == 34 ? (i = "Passwords do not match", s = 401) : r == 35 ? 
(i = "Token is not valid", s = 401) : r == 36 ? (i = "MFA is required", s = 401) : r == 37 ? (i = "Password format was incorrect", s = 401) : r == 40 ? (i = "User already exists", s = 400) : r == 42 ? (i = "The request is invalid", s = 400) : r == 38 ? (i = "Session data has unexpected format", s = 500) : r == 39 ? (i = "Couldn't execute a fetch", s = 500) : r == 43 ? (i = "Waiting for authorization", s = 200) : r == 44 ? (i = "Slow polling down by 5 seconds", s = 200) : r == 45 ? (i = "Token has expired", s = 401) : r == 46 ? (i = "Database update/insert caused a constraint violation", s = 500) : r == 47 ? (i = "This method has not been implemented", s = 500) : (i = "Unknown error", s = 500), n != null && !Array.isArray(n) ? i = n : Array.isArray(n) && (i = n.join(". "));
75
+ let i, o = 500;
76
+ r == 0 ? (i = "User does not exist", o = 401) : r == 1 ? (i = "Password doesn't match", o = 401) : r == 3 ? (i = "Username or password incorrect", o = 401) : r == 4 ? (i = "Client id is invalid", o = 401) : r == 5 ? (i = "Client ID or name already exists", o = 500) : r == 6 ? (i = "Client secret is invalid", o = 401) : r == 7 ? (i = "Client id or secret is invalid", o = 401) : r == 8 ? (i = "Redirect Uri is not registered", o = 401) : r == 9 ? (i = "Invalid OAuth flow type", o = 500) : r == 2 ? (i = "No user exists with that email address", o = 401) : r == 10 ? (i = "Account is not active", o = 403) : r == 33 ? (i = "Username is not in an allowed format", o = 400) : r == 31 ? (i = "Email is not in an allowed format", o = 400) : r == 32 ? (i = "Phone number is not in an allowed format", o = 400) : r == 11 ? (i = "Email address has not been verified", o = 403) : r == 12 ? (i = "Two-factor setup is not complete", o = 403) : r == 13 ? (i = "Not authorized", o = 401) : r == 14 ? (i = "Client not authorized", o = 401) : r == 15 ? (i = "Invalid scope", o = 403) : r == 16 ? (i = "Insufficient scope", o = 403) : r == 23 ? i = "Connection failure" : r == 22 ? (i = "Token has expired", o = 401) : r == 24 ? i = "Hash is not in a valid format" : r == 19 ? (i = "Key is invalid", o = 401) : r == 18 ? (i = "You do not have permission to access this resource", o = 403) : r == 17 ? (i = "You do not have the right privileges to access this resource", o = 401) : r == 20 ? (i = "CSRF token is invalid", o = 401) : r == 21 ? (i = "Session cookie is invalid", o = 401) : r == 25 ? i = "Algorithm not supported" : r == 26 ? i = "Attempt to create a key that already exists" : r == 27 ? (i = "User must change password", o = 403) : r == 28 ? (i = "User must reset password", o = 403) : r == 29 ? (i = "User must reset 2FA", o = 403) : r == 30 ? i = "There was an error in the configuration" : r == 34 ? (i = "Passwords do not match", o = 401) : r == 35 ? 
(i = "Token is not valid", o = 401) : r == 36 ? (i = "MFA is required", o = 401) : r == 37 ? (i = "Password format was incorrect", o = 401) : r == 40 ? (i = "User already exists", o = 400) : r == 42 ? (i = "The request is invalid", o = 400) : r == 38 ? (i = "Session data has unexpected format", o = 500) : r == 39 ? (i = "Couldn't execute a fetch", o = 500) : r == 43 ? (i = "Waiting for authorization", o = 200) : r == 44 ? (i = "Slow polling down by 5 seconds", o = 200) : r == 45 ? (i = "Token has expired", o = 401) : r == 46 ? (i = "Database update/insert caused a constraint violation", o = 500) : r == 47 ? (i = "This method has not been implemented", o = 500) : (i = "Unknown error", o = 500), n != null && !Array.isArray(n) ? i = n : Array.isArray(n) && (i = n.join(". "));
77
77
  super(i);
78
78
  /** `typeof` won't work on this class. To determine if the
79
79
  * object is a `CrossauthError`, check for presence of this member.
@@ -90,13 +90,13 @@ class g extends Error {
90
90
  * it will be a concatenation of them with `". "` in between.
91
91
  */
92
92
  a(this, "messages");
93
- this.code = r, this.codeName = y[r], this.httpStatus = s, this.name = "CrossauthError", Array.isArray(n) ? this.messages = n : this.messages = [i], Object.setPrototypeOf(this, g.prototype);
93
+ this.code = r, this.codeName = y[r], this.httpStatus = o, this.name = "CrossauthError", Array.isArray(n) ? this.messages = n : this.messages = [i], Object.setPrototypeOf(this, g.prototype);
94
94
  }
95
95
  /**
96
96
  * OAuth defines certain error types. To convert the error in an OAuth
97
97
  * response into a CrossauthError object, call this function.
98
98
  *
99
- * @param error as returned by an OAuth call (converted to an {@link @crossauth/common!ErrorCode}).
99
+ * @param error as returned by an OAuth call (converted to an {@link ErrorCode}).
100
100
  * @param error_description as returned by an OAuth call (put in the `message`)
101
101
  * @returns a `CrossauthError` instance.
102
102
  */
@@ -180,7 +180,7 @@ class g extends Error {
180
180
  * it.
181
181
  * If not and it is an object with `errorCode` in it, creates a
182
182
  * CrossauthError from that and `errorMessage`, if present.
183
- * Otherwise creates a `CrossauthError` object with {@link @crossauth/common!ErrorCode}
183
+ * Otherwise creates a `CrossauthError` object with {@link ErrorCode}
184
184
  * of `Unknown` from it, setting the `message` if possible.
185
185
  *
186
186
  * @param e the error to convert.
@@ -190,13 +190,13 @@ class g extends Error {
190
190
  if (r instanceof Error)
191
191
  return "isCrossauthError" in r ? r : new g(48, r.message);
192
192
  if ("errorCode" in r) {
193
- let s = 48;
193
+ let o = 48;
194
194
  try {
195
- s = Number(r.errorCode) ?? 48;
195
+ o = Number(r.errorCode) ?? 48;
196
196
  } catch {
197
197
  }
198
- let o = n ?? y[s];
199
- return "errorMessage" in r ? o = r.errorMessage : "message" in r && (o = r.message), new g(s, o);
198
+ let s = n ?? y[o];
199
+ return "errorMessage" in r ? s = r.errorMessage : "message" in r && (s = r.message), new g(o, s);
200
200
  }
201
201
  let i = n ?? y[
202
202
  48
@@ -326,7 +326,7 @@ a(m, "Error", 1), /** Log errors and warning */
326
326
  a(m, "Warn", 2), /** Log errors, warnings and info messages */
327
327
  a(m, "Info", 3), /** Log everything */
328
328
  a(m, "Debug", 4), a(m, "levelName", ["NONE", "ERROR", "WARN", "INFO", "DEBUG"]);
329
- let d = m;
329
+ let l = m;
330
330
  function h(e) {
331
331
  let t;
332
332
  typeof e == "object" && "err" in e && typeof e.err == "object" && (t = e.err.stack);
@@ -348,7 +348,7 @@ function h(e) {
348
348
  }
349
349
  return typeof e == "string" || globalThis.crossauthLoggerAcceptsJson ? e : JSON.stringify(e);
350
350
  }
351
- globalThis.crossauthLogger = new d(d.None);
351
+ globalThis.crossauthLogger = new l(l.None);
352
352
  globalThis.crossauthLoggerAcceptsJson = !0;
353
353
  const te = {
354
354
  issuer: "",
@@ -367,7 +367,7 @@ const te = {
367
367
  require_request_uri_registration: !1
368
368
  }, F = crypto, re = (e) => e instanceof CryptoKey, H = new TextEncoder(), z = new TextDecoder();
369
369
  function ge(...e) {
370
- const t = e.reduce((i, { length: s }) => i + s, 0), r = new Uint8Array(t);
370
+ const t = e.reduce((i, { length: o }) => i + o, 0), r = new Uint8Array(t);
371
371
  let n = 0;
372
372
  for (const i of e)
373
373
  r.set(i, n), n += i.length;
@@ -378,7 +378,7 @@ const ye = (e) => {
378
378
  for (let n = 0; n < t.length; n++)
379
379
  r[n] = t.charCodeAt(n);
380
380
  return r;
381
- }, K = (e) => {
381
+ }, N = (e) => {
382
382
  let t = e;
383
383
  t instanceof Uint8Array && (t = z.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
384
384
  try {
@@ -412,7 +412,7 @@ class v extends $ {
412
412
  return "ERR_JWS_INVALID";
413
413
  }
414
414
  }
415
- class E extends $ {
415
+ class O extends $ {
416
416
  constructor() {
417
417
  super(...arguments), this.code = "ERR_JWT_INVALID";
418
418
  }
@@ -428,7 +428,7 @@ class me extends $ {
428
428
  return "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
429
429
  }
430
430
  }
431
- function A(e, t = "algorithm.name") {
431
+ function k(e, t = "algorithm.name") {
432
432
  return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`);
433
433
  }
434
434
  function J(e, t) {
@@ -459,51 +459,51 @@ function ve(e, t) {
459
459
  throw new TypeError(r);
460
460
  }
461
461
  }
462
- function Se(e, t, ...r) {
462
+ function _e(e, t, ...r) {
463
463
  switch (t) {
464
464
  case "HS256":
465
465
  case "HS384":
466
466
  case "HS512": {
467
467
  if (!J(e.algorithm, "HMAC"))
468
- throw A("HMAC");
468
+ throw k("HMAC");
469
469
  const n = parseInt(t.slice(2), 10);
470
470
  if (L(e.algorithm.hash) !== n)
471
- throw A(`SHA-${n}`, "algorithm.hash");
471
+ throw k(`SHA-${n}`, "algorithm.hash");
472
472
  break;
473
473
  }
474
474
  case "RS256":
475
475
  case "RS384":
476
476
  case "RS512": {
477
477
  if (!J(e.algorithm, "RSASSA-PKCS1-v1_5"))
478
- throw A("RSASSA-PKCS1-v1_5");
478
+ throw k("RSASSA-PKCS1-v1_5");
479
479
  const n = parseInt(t.slice(2), 10);
480
480
  if (L(e.algorithm.hash) !== n)
481
- throw A(`SHA-${n}`, "algorithm.hash");
481
+ throw k(`SHA-${n}`, "algorithm.hash");
482
482
  break;
483
483
  }
484
484
  case "PS256":
485
485
  case "PS384":
486
486
  case "PS512": {
487
487
  if (!J(e.algorithm, "RSA-PSS"))
488
- throw A("RSA-PSS");
488
+ throw k("RSA-PSS");
489
489
  const n = parseInt(t.slice(2), 10);
490
490
  if (L(e.algorithm.hash) !== n)
491
- throw A(`SHA-${n}`, "algorithm.hash");
491
+ throw k(`SHA-${n}`, "algorithm.hash");
492
492
  break;
493
493
  }
494
494
  case "EdDSA": {
495
495
  if (e.algorithm.name !== "Ed25519" && e.algorithm.name !== "Ed448")
496
- throw A("Ed25519 or Ed448");
496
+ throw k("Ed25519 or Ed448");
497
497
  break;
498
498
  }
499
499
  case "ES256":
500
500
  case "ES384":
501
501
  case "ES512": {
502
502
  if (!J(e.algorithm, "ECDSA"))
503
- throw A("ECDSA");
503
+ throw k("ECDSA");
504
504
  const n = we(t);
505
505
  if (e.algorithm.namedCurve !== n)
506
- throw A(n, "algorithm.namedCurve");
506
+ throw k(n, "algorithm.namedCurve");
507
507
  break;
508
508
  }
509
509
  default:
@@ -523,7 +523,7 @@ const X = (e, ...t) => ie("Key must be ", e, ...t);
523
523
  function ne(e, t, ...r) {
524
524
  return ie(`Key for the ${e} algorithm must be `, t, ...r);
525
525
  }
526
- const se = (e) => re(e) ? !0 : (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", M = ["CryptoKey"], _e = (...e) => {
526
+ const oe = (e) => re(e) ? !0 : (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", M = ["CryptoKey"], Se = (...e) => {
527
527
  const t = e.filter(Boolean);
528
528
  if (t.length === 0 || t.length === 1)
529
529
  return !0;
@@ -534,10 +534,10 @@ const se = (e) => re(e) ? !0 : (e == null ? void 0 : e[Symbol.toStringTag]) ===
534
534
  r = new Set(i);
535
535
  continue;
536
536
  }
537
- for (const s of i) {
538
- if (r.has(s))
537
+ for (const o of i) {
538
+ if (r.has(o))
539
539
  return !1;
540
- r.add(s);
540
+ r.add(o);
541
541
  }
542
542
  }
543
543
  return !0;
@@ -634,7 +634,7 @@ function Ae(e) {
634
634
  }
635
635
  return { algorithm: t, keyUsages: r };
636
636
  }
637
- const oe = async (e) => {
637
+ const se = async (e) => {
638
638
  if (!e.alg)
639
639
  throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
640
640
  const { algorithm: t, keyUsages: r } = Ae(e), n = [
@@ -643,99 +643,99 @@ const oe = async (e) => {
643
643
  e.key_ops ?? r
644
644
  ], i = { ...e };
645
645
  return delete i.alg, delete i.use, F.subtle.importKey("jwk", i, ...n);
646
- }, ae = (e) => K(e);
646
+ }, ae = (e) => N(e);
647
647
  let V, j;
648
648
  const ce = (e) => (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", de = async (e, t, r, n) => {
649
649
  let i = e.get(t);
650
650
  if (i != null && i[n])
651
651
  return i[n];
652
- const s = await oe({ ...r, alg: n });
653
- return i ? i[n] = s : e.set(t, { [n]: s }), s;
654
- }, Pe = (e, t) => {
652
+ const o = await se({ ...r, alg: n });
653
+ return i ? i[n] = o : e.set(t, { [n]: o }), o;
654
+ }, ke = (e, t) => {
655
655
  if (ce(e)) {
656
656
  let r = e.export({ format: "jwk" });
657
657
  return delete r.d, delete r.dp, delete r.dq, delete r.p, delete r.q, delete r.qi, r.k ? ae(r.k) : (j || (j = /* @__PURE__ */ new WeakMap()), de(j, e, r, t));
658
658
  }
659
659
  return e;
660
- }, ke = (e, t) => {
660
+ }, Ie = (e, t) => {
661
661
  if (ce(e)) {
662
662
  let r = e.export({ format: "jwk" });
663
663
  return r.k ? ae(r.k) : (V || (V = /* @__PURE__ */ new WeakMap()), de(V, e, r, t));
664
664
  }
665
665
  return e;
666
- }, Ie = { normalizePublicKey: Pe, normalizePrivateKey: ke }, I = (e, t, r = 0) => {
666
+ }, Pe = { normalizePublicKey: ke, normalizePrivateKey: Ie }, T = (e, t, r = 0) => {
667
667
  r === 0 && (t.unshift(t.length), t.unshift(6));
668
668
  const n = e.indexOf(t[0], r);
669
669
  if (n === -1)
670
670
  return !1;
671
671
  const i = e.subarray(n, n + t.length);
672
- return i.length !== t.length ? !1 : i.every((s, o) => s === t[o]) || I(e, t, n + 1);
672
+ return i.length !== t.length ? !1 : i.every((o, s) => o === t[s]) || T(e, t, n + 1);
673
673
  }, Q = (e) => {
674
674
  switch (!0) {
675
- case I(e, [42, 134, 72, 206, 61, 3, 1, 7]):
675
+ case T(e, [42, 134, 72, 206, 61, 3, 1, 7]):
676
676
  return "P-256";
677
- case I(e, [43, 129, 4, 0, 34]):
677
+ case T(e, [43, 129, 4, 0, 34]):
678
678
  return "P-384";
679
- case I(e, [43, 129, 4, 0, 35]):
679
+ case T(e, [43, 129, 4, 0, 35]):
680
680
  return "P-521";
681
- case I(e, [43, 101, 110]):
681
+ case T(e, [43, 101, 110]):
682
682
  return "X25519";
683
- case I(e, [43, 101, 111]):
683
+ case T(e, [43, 101, 111]):
684
684
  return "X448";
685
- case I(e, [43, 101, 112]):
685
+ case T(e, [43, 101, 112]):
686
686
  return "Ed25519";
687
- case I(e, [43, 101, 113]):
687
+ case T(e, [43, 101, 113]):
688
688
  return "Ed448";
689
689
  default:
690
690
  throw new b("Invalid or unsupported EC Key Curve or OKP Key Sub Type");
691
691
  }
692
692
  }, le = async (e, t, r, n, i) => {
693
- let s, o;
694
- const l = new Uint8Array(atob(r.replace(e, "")).split("").map((p) => p.charCodeAt(0))), f = t === "spki";
693
+ let o, s;
694
+ const c = new Uint8Array(atob(r.replace(e, "")).split("").map((p) => p.charCodeAt(0))), u = t === "spki";
695
695
  switch (n) {
696
696
  case "PS256":
697
697
  case "PS384":
698
698
  case "PS512":
699
- s = { name: "RSA-PSS", hash: `SHA-${n.slice(-3)}` }, o = f ? ["verify"] : ["sign"];
699
+ o = { name: "RSA-PSS", hash: `SHA-${n.slice(-3)}` }, s = u ? ["verify"] : ["sign"];
700
700
  break;
701
701
  case "RS256":
702
702
  case "RS384":
703
703
  case "RS512":
704
- s = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${n.slice(-3)}` }, o = f ? ["verify"] : ["sign"];
704
+ o = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${n.slice(-3)}` }, s = u ? ["verify"] : ["sign"];
705
705
  break;
706
706
  case "RSA-OAEP":
707
707
  case "RSA-OAEP-256":
708
708
  case "RSA-OAEP-384":
709
709
  case "RSA-OAEP-512":
710
- s = {
710
+ o = {
711
711
  name: "RSA-OAEP",
712
712
  hash: `SHA-${parseInt(n.slice(-3), 10) || 1}`
713
- }, o = f ? ["encrypt", "wrapKey"] : ["decrypt", "unwrapKey"];
713
+ }, s = u ? ["encrypt", "wrapKey"] : ["decrypt", "unwrapKey"];
714
714
  break;
715
715
  case "ES256":
716
- s = { name: "ECDSA", namedCurve: "P-256" }, o = f ? ["verify"] : ["sign"];
716
+ o = { name: "ECDSA", namedCurve: "P-256" }, s = u ? ["verify"] : ["sign"];
717
717
  break;
718
718
  case "ES384":
719
- s = { name: "ECDSA", namedCurve: "P-384" }, o = f ? ["verify"] : ["sign"];
719
+ o = { name: "ECDSA", namedCurve: "P-384" }, s = u ? ["verify"] : ["sign"];
720
720
  break;
721
721
  case "ES512":
722
- s = { name: "ECDSA", namedCurve: "P-521" }, o = f ? ["verify"] : ["sign"];
722
+ o = { name: "ECDSA", namedCurve: "P-521" }, s = u ? ["verify"] : ["sign"];
723
723
  break;
724
724
  case "ECDH-ES":
725
725
  case "ECDH-ES+A128KW":
726
726
  case "ECDH-ES+A192KW":
727
727
  case "ECDH-ES+A256KW": {
728
- const p = Q(l);
729
- s = p.startsWith("P-") ? { name: "ECDH", namedCurve: p } : { name: p }, o = f ? [] : ["deriveBits"];
728
+ const p = Q(c);
729
+ o = p.startsWith("P-") ? { name: "ECDH", namedCurve: p } : { name: p }, s = u ? [] : ["deriveBits"];
730
730
  break;
731
731
  }
732
732
  case "EdDSA":
733
- s = { name: Q(l) }, o = f ? ["verify"] : ["sign"];
733
+ o = { name: Q(c) }, s = u ? ["verify"] : ["sign"];
734
734
  break;
735
735
  default:
736
736
  throw new b('Invalid or unsupported "alg" (Algorithm) value');
737
737
  }
738
- return F.subtle.importKey(t, l, s, !1, o);
738
+ return F.subtle.importKey(t, c, o, !1, s);
739
739
  }, Te = (e, t, r) => le(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g, "pkcs8", e, t), Re = (e, t, r) => le(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", e, t);
740
740
  async function Ee(e, t, r) {
741
741
  if (typeof e != "string" || e.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
@@ -754,26 +754,26 @@ async function Z(e, t) {
754
754
  case "oct":
755
755
  if (typeof e.k != "string" || !e.k)
756
756
  throw new TypeError('missing "k" (Key Value) Parameter value');
757
- return K(e.k);
757
+ return N(e.k);
758
758
  case "RSA":
759
759
  if (e.oth !== void 0)
760
760
  throw new b('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
761
761
  case "EC":
762
762
  case "OKP":
763
- return oe({ ...e, alg: t });
763
+ return se({ ...e, alg: t });
764
764
  default:
765
765
  throw new b('Unsupported "kty" (Key Type) Parameter value');
766
766
  }
767
767
  }
768
768
  const q = (e) => e == null ? void 0 : e[Symbol.toStringTag], Ke = (e, t) => {
769
769
  if (!(t instanceof Uint8Array)) {
770
- if (!se(t))
770
+ if (!oe(t))
771
771
  throw new TypeError(ne(e, t, ...M, "Uint8Array"));
772
772
  if (t.type !== "secret")
773
773
  throw new TypeError(`${q(t)} instances for symmetric algorithms must be of type "secret"`);
774
774
  }
775
775
  }, Ne = (e, t, r) => {
776
- if (!se(t))
776
+ if (!oe(t))
777
777
  throw new TypeError(ne(e, t, ...M));
778
778
  if (t.type === "secret")
779
779
  throw new TypeError(`${q(t)} instances for asymmetric algorithms must not be of type "secret"`);
@@ -789,17 +789,17 @@ function xe(e, t, r, n, i) {
789
789
  throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');
790
790
  if (!n || n.crit === void 0)
791
791
  return /* @__PURE__ */ new Set();
792
- if (!Array.isArray(n.crit) || n.crit.length === 0 || n.crit.some((o) => typeof o != "string" || o.length === 0))
792
+ if (!Array.isArray(n.crit) || n.crit.length === 0 || n.crit.some((s) => typeof s != "string" || s.length === 0))
793
793
  throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
794
- let s;
795
- s = t;
796
- for (const o of n.crit) {
797
- if (!s.has(o))
798
- throw new b(`Extension Header Parameter "${o}" is not recognized`);
799
- if (i[o] === void 0)
800
- throw new e(`Extension Header Parameter "${o}" is missing`);
801
- if (s.get(o) && n[o] === void 0)
802
- throw new e(`Extension Header Parameter "${o}" MUST be integrity protected`);
794
+ let o;
795
+ o = t;
796
+ for (const s of n.crit) {
797
+ if (!o.has(s))
798
+ throw new b(`Extension Header Parameter "${s}" is not recognized`);
799
+ if (i[s] === void 0)
800
+ throw new e(`Extension Header Parameter "${s}" is missing`);
801
+ if (o.get(s) && n[s] === void 0)
802
+ throw new e(`Extension Header Parameter "${s}" MUST be integrity protected`);
803
803
  }
804
804
  return new Set(n.crit);
805
805
  }
@@ -828,9 +828,9 @@ function ze(e, t) {
828
828
  throw new b(`alg ${e} is not supported either by JOSE or your javascript runtime`);
829
829
  }
830
830
  }
831
- async function We(e, t, r) {
832
- if (t = await Ie.normalizePublicKey(t, e), re(t))
833
- return Se(t, e, r), t;
831
+ async function De(e, t, r) {
832
+ if (t = await Pe.normalizePublicKey(t, e), re(t))
833
+ return _e(t, e, r), t;
834
834
  if (t instanceof Uint8Array) {
835
835
  if (!e.startsWith("HS"))
836
836
  throw new TypeError(X(t, ...M));
@@ -838,12 +838,12 @@ async function We(e, t, r) {
838
838
  }
839
839
  throw new TypeError(X(t, ...M, "Uint8Array"));
840
840
  }
841
- const De = async (e, t, r, n) => {
842
- const i = await We(e, t, "verify");
841
+ const We = async (e, t, r, n) => {
842
+ const i = await De(e, t, "verify");
843
843
  be(e, i);
844
- const s = ze(e, i.algorithm);
844
+ const o = ze(e, i.algorithm);
845
845
  try {
846
- return await F.subtle.verify(s, i, r, n);
846
+ return await F.subtle.verify(o, i, r, n);
847
847
  } catch {
848
848
  return !1;
849
849
  }
@@ -864,60 +864,60 @@ async function He(e, t, r) {
864
864
  let n = {};
865
865
  if (e.protected)
866
866
  try {
867
- const ue = K(e.protected);
867
+ const ue = N(e.protected);
868
868
  n = JSON.parse(z.decode(ue));
869
869
  } catch {
870
870
  throw new v("JWS Protected Header is invalid");
871
871
  }
872
- if (!_e(n, e.header))
872
+ if (!Se(n, e.header))
873
873
  throw new v("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
874
874
  const i = {
875
875
  ...n,
876
876
  ...e.header
877
- }, s = xe(v, /* @__PURE__ */ new Map([["b64", !0]]), r == null ? void 0 : r.crit, n, i);
878
- let o = !0;
879
- if (s.has("b64") && (o = n.b64, typeof o != "boolean"))
877
+ }, o = xe(v, /* @__PURE__ */ new Map([["b64", !0]]), r == null ? void 0 : r.crit, n, i);
878
+ let s = !0;
879
+ if (o.has("b64") && (s = n.b64, typeof s != "boolean"))
880
880
  throw new v('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
881
- const { alg: l } = i;
882
- if (typeof l != "string" || !l)
881
+ const { alg: c } = i;
882
+ if (typeof c != "string" || !c)
883
883
  throw new v('JWS "alg" (Algorithm) Header Parameter missing or invalid');
884
- if (o) {
884
+ if (s) {
885
885
  if (typeof e.payload != "string")
886
886
  throw new v("JWS Payload must be a string");
887
887
  } else if (typeof e.payload != "string" && !(e.payload instanceof Uint8Array))
888
888
  throw new v("JWS Payload must be a string or an Uint8Array instance");
889
- let f = !1;
890
- typeof t == "function" && (t = await t(n, e), f = !0), Ue(l, t, "verify");
889
+ let u = !1;
890
+ typeof t == "function" && (t = await t(n, e), u = !0), Ue(c, t, "verify");
891
891
  const p = ge(H.encode(e.protected ?? ""), H.encode("."), typeof e.payload == "string" ? H.encode(e.payload) : e.payload);
892
- let P;
892
+ let I;
893
893
  try {
894
- P = K(e.signature);
894
+ I = N(e.signature);
895
895
  } catch {
896
896
  throw new v("Failed to base64url decode the signature");
897
897
  }
898
- if (!await De(l, t, P, p))
898
+ if (!await We(c, t, I, p))
899
899
  throw new me();
900
- let W;
901
- if (o)
900
+ let D;
901
+ if (s)
902
902
  try {
903
- W = K(e.payload);
903
+ D = N(e.payload);
904
904
  } catch {
905
905
  throw new v("Failed to base64url decode the payload");
906
906
  }
907
- else typeof e.payload == "string" ? W = H.encode(e.payload) : W = e.payload;
908
- const D = { payload: W };
909
- return e.protected !== void 0 && (D.protectedHeader = n), e.header !== void 0 && (D.unprotectedHeader = e.header), f ? { ...D, key: t } : D;
907
+ else typeof e.payload == "string" ? D = H.encode(e.payload) : D = e.payload;
908
+ const W = { payload: D };
909
+ return e.protected !== void 0 && (W.protectedHeader = n), e.header !== void 0 && (W.unprotectedHeader = e.header), u ? { ...W, key: t } : W;
910
910
  }
911
911
  async function Je(e, t, r) {
912
912
  if (e instanceof Uint8Array && (e = z.decode(e)), typeof e != "string")
913
913
  throw new v("Compact JWS must be a string or Uint8Array");
914
- const { 0: n, 1: i, 2: s, length: o } = e.split(".");
915
- if (o !== 3)
914
+ const { 0: n, 1: i, 2: o, length: s } = e.split(".");
915
+ if (s !== 3)
916
916
  throw new v("Invalid Compact JWS");
917
- const l = await He({ payload: i, protected: n, signature: s }, t, r), f = { payload: l.payload, protectedHeader: l.protectedHeader };
918
- return typeof t == "function" ? { ...f, key: l.key } : f;
917
+ const c = await He({ payload: i, protected: n, signature: o }, t, r), u = { payload: c.payload, protectedHeader: c.protectedHeader };
918
+ return typeof t == "function" ? { ...u, key: c.key } : u;
919
919
  }
920
- const he = K;
920
+ const he = N;
921
921
  function qe(e) {
922
922
  let t;
923
923
  if (typeof e == "string") {
@@ -941,31 +941,31 @@ function qe(e) {
941
941
  }
942
942
  function Me(e) {
943
943
  if (typeof e != "string")
944
- throw new E("JWTs must use Compact JWS serialization, JWT must be a string");
944
+ throw new O("JWTs must use Compact JWS serialization, JWT must be a string");
945
945
  const { 1: t, length: r } = e.split(".");
946
946
  if (r === 5)
947
- throw new E("Only JWTs using Compact JWS serialization can be decoded");
947
+ throw new O("Only JWTs using Compact JWS serialization can be decoded");
948
948
  if (r !== 3)
949
- throw new E("Invalid JWT");
949
+ throw new O("Invalid JWT");
950
950
  if (!t)
951
- throw new E("JWTs must contain a payload");
951
+ throw new O("JWTs must contain a payload");
952
952
  let n;
953
953
  try {
954
954
  n = he(t);
955
955
  } catch {
956
- throw new E("Failed to base64url decode the payload");
956
+ throw new O("Failed to base64url decode the payload");
957
957
  }
958
958
  let i;
959
959
  try {
960
960
  i = JSON.parse(z.decode(n));
961
961
  } catch {
962
- throw new E("Failed to parse the decoded payload as JSON");
962
+ throw new O("Failed to parse the decoded payload as JSON");
963
963
  }
964
964
  if (!x(i))
965
- throw new E("Invalid JWT Claims Set");
965
+ throw new O("Invalid JWT Claims Set");
966
966
  return i;
967
967
  }
968
- const c = class c {
968
+ const d = class d {
969
969
  /**
970
970
  * Returns a user-friendly name for the given flow strings.
971
971
  *
@@ -976,7 +976,7 @@ const c = class c {
976
976
  static flowNames(t) {
977
977
  let r = {};
978
978
  return t.forEach((n) => {
979
- n in c.flowName && (r[n] = c.flowName[n]);
979
+ n in d.flowName && (r[n] = d.flowName[n]);
980
980
  }), r;
981
981
  }
982
982
  /**
@@ -985,7 +985,7 @@ const c = class c {
985
985
  * @returns true or false.
986
986
  */
987
987
  static isValidFlow(t) {
988
- return c.allFlows().includes(t);
988
+ return d.allFlows().includes(t);
989
989
  }
990
990
  /**
991
991
  * Returns true only if all given strings are valid flows
@@ -995,19 +995,19 @@ const c = class c {
995
995
  static areAllValidFlows(t) {
996
996
  let r = !0;
997
997
  return t.forEach((n) => {
998
- c.isValidFlow(n) || (r = !1);
998
+ d.isValidFlow(n) || (r = !1);
999
999
  }), r;
1000
1000
  }
1001
1001
  static allFlows() {
1002
1002
  return [
1003
- c.AuthorizationCode,
1004
- c.AuthorizationCodeWithPKCE,
1005
- c.ClientCredentials,
1006
- c.RefreshToken,
1007
- c.DeviceCode,
1008
- c.Password,
1009
- c.PasswordMfa,
1010
- c.OidcAuthorizationCode
1003
+ d.AuthorizationCode,
1004
+ d.AuthorizationCodeWithPKCE,
1005
+ d.ClientCredentials,
1006
+ d.RefreshToken,
1007
+ d.DeviceCode,
1008
+ d.Password,
1009
+ d.PasswordMfa,
1010
+ d.OidcAuthorizationCode
1011
1011
  ];
1012
1012
  }
1013
1013
  /**
@@ -1018,51 +1018,51 @@ const c = class c {
1018
1018
  */
1019
1019
  static grantType(t) {
1020
1020
  switch (t) {
1021
- case c.AuthorizationCode:
1022
- case c.AuthorizationCodeWithPKCE:
1023
- case c.OidcAuthorizationCode:
1021
+ case d.AuthorizationCode:
1022
+ case d.AuthorizationCodeWithPKCE:
1023
+ case d.OidcAuthorizationCode:
1024
1024
  return ["authorization_code"];
1025
- case c.ClientCredentials:
1025
+ case d.ClientCredentials:
1026
1026
  return ["client_credentials"];
1027
- case c.RefreshToken:
1027
+ case d.RefreshToken:
1028
1028
  return ["refresh_token"];
1029
- case c.Password:
1029
+ case d.Password:
1030
1030
  return ["password"];
1031
- case c.PasswordMfa:
1031
+ case d.PasswordMfa:
1032
1032
  return ["http://auth0.com/oauth/grant-type/mfa-otp", "http://auth0.com/oauth/grant-type/mfa-oob"];
1033
- case c.DeviceCode:
1033
+ case d.DeviceCode:
1034
1034
  return ["urn:ietf:params:oauth:grant-type:device_code"];
1035
1035
  }
1036
1036
  }
1037
1037
  };
1038
1038
  /** All flows are allowed */
1039
- a(c, "All", "all"), /** OAuth authorization code flow (without PKCE) */
1040
- a(c, "AuthorizationCode", "authorizationCode"), /** OAuth authorization code flow with PKCE */
1041
- a(c, "AuthorizationCodeWithPKCE", "authorizationCodeWithPKCE"), /** Auth client credentials flow */
1042
- a(c, "ClientCredentials", "clientCredentials"), /** OAuth refresh token flow */
1043
- a(c, "RefreshToken", "refreshToken"), /** OAuth device code flow */
1044
- a(c, "DeviceCode", "deviceCode"), /** OAuth password flow */
1045
- a(c, "Password", "password"), /** The Auth0 password MFA extension to the password flow */
1046
- a(c, "PasswordMfa", "passwordMfa"), /** The OpenID Connect authorization code flow, with or without
1039
+ a(d, "All", "all"), /** OAuth authorization code flow (without PKCE) */
1040
+ a(d, "AuthorizationCode", "authorizationCode"), /** OAuth authorization code flow with PKCE */
1041
+ a(d, "AuthorizationCodeWithPKCE", "authorizationCodeWithPKCE"), /** Auth client credentials flow */
1042
+ a(d, "ClientCredentials", "clientCredentials"), /** OAuth refresh token flow */
1043
+ a(d, "RefreshToken", "refreshToken"), /** OAuth device code flow */
1044
+ a(d, "DeviceCode", "deviceCode"), /** OAuth password flow */
1045
+ a(d, "Password", "password"), /** The Auth0 password MFA extension to the password flow */
1046
+ a(d, "PasswordMfa", "passwordMfa"), /** The OpenID Connect authorization code flow, with or without
1047
1047
  * PKCE.
1048
1048
  */
1049
- a(c, "OidcAuthorizationCode", "oidcAuthorizationCode"), /** A user friendly name for the given flow ID
1049
+ a(d, "OidcAuthorizationCode", "oidcAuthorizationCode"), /** A user friendly name for the given flow ID
1050
1050
  *
1051
1051
  * For example, if you pass "authorizationCode"
1052
1052
  * (`OAuthFlows.AuthorizationCode`) you will get `"Authorization Code"`.
1053
1053
  */
1054
- a(c, "flowName", {
1055
- [c.AuthorizationCode]: "Authorization Code",
1056
- [c.AuthorizationCodeWithPKCE]: "Authorization Code with PKCE",
1057
- [c.ClientCredentials]: "Client Credentials",
1058
- [c.RefreshToken]: "Refresh Token",
1059
- [c.DeviceCode]: "Device Code",
1060
- [c.Password]: "Password",
1061
- [c.PasswordMfa]: "Password MFA",
1062
- [c.OidcAuthorizationCode]: "OIDC Authorization Code"
1054
+ a(d, "flowName", {
1055
+ [d.AuthorizationCode]: "Authorization Code",
1056
+ [d.AuthorizationCodeWithPKCE]: "Authorization Code with PKCE",
1057
+ [d.ClientCredentials]: "Client Credentials",
1058
+ [d.RefreshToken]: "Refresh Token",
1059
+ [d.DeviceCode]: "Device Code",
1060
+ [d.Password]: "Password",
1061
+ [d.PasswordMfa]: "Password MFA",
1062
+ [d.OidcAuthorizationCode]: "OIDC Authorization Code"
1063
1063
  });
1064
- let ee = c;
1065
- var w, S, N, T, R;
1064
+ let ee = d;
1065
+ var w, _, U, R, E;
1066
1066
  class Be {
1067
1067
  /**
1068
1068
  * Constructor.
@@ -1096,23 +1096,23 @@ class Be {
1096
1096
  client_id: r,
1097
1097
  client_secret: n,
1098
1098
  redirect_uri: i,
1099
- codeChallengeMethod: s,
1100
- stateLength: o,
1101
- verifierLength: l,
1102
- tokenConsumer: f,
1099
+ codeChallengeMethod: o,
1100
+ stateLength: s,
1101
+ verifierLength: c,
1102
+ tokenConsumer: u,
1103
1103
  authServerCredentials: p,
1104
- authServerMode: P,
1105
- authServerHeaders: U
1104
+ authServerMode: I,
1105
+ authServerHeaders: A
1106
1106
  }) {
1107
1107
  a(this, "authServerBaseUrl", "");
1108
- O(this, w);
1109
- O(this, S);
1110
- O(this, N);
1108
+ K(this, w);
1109
+ K(this, _);
1110
+ K(this, U);
1111
1111
  a(this, "codeChallengeMethod", "S256");
1112
- O(this, T);
1112
+ K(this, R);
1113
1113
  a(this, "verifierLength", 32);
1114
1114
  a(this, "redirect_uri");
1115
- O(this, R, "");
1115
+ K(this, E, "");
1116
1116
  a(this, "stateLength", 32);
1117
1117
  a(this, "authzCode", "");
1118
1118
  a(this, "oidcConfig");
@@ -1120,22 +1120,22 @@ class Be {
1120
1120
  a(this, "authServerHeaders", {});
1121
1121
  a(this, "authServerMode");
1122
1122
  a(this, "authServerCredentials");
1123
- this.tokenConsumer = f, this.authServerBaseUrl = t, l && (this.verifierLength = l), o && (this.stateLength = o), r && _(this, w, r), n && _(this, S, n), i && (this.redirect_uri = i), s && (this.codeChallengeMethod = s), this.authServerBaseUrl = t, p && (this.authServerCredentials = p), P && (this.authServerMode = P), U && (this.authServerHeaders = U);
1123
+ this.tokenConsumer = u, this.authServerBaseUrl = t, c && (this.verifierLength = c), s && (this.stateLength = s), r && S(this, w, r), n && S(this, _, n), i && (this.redirect_uri = i), o && (this.codeChallengeMethod = o), this.authServerBaseUrl = t, p && (this.authServerCredentials = p), I && (this.authServerMode = I), A && (this.authServerHeaders = A);
1124
1124
  }
1125
1125
  set client_id(t) {
1126
- _(this, w, t);
1126
+ S(this, w, t);
1127
1127
  }
1128
1128
  set client_secret(t) {
1129
- _(this, S, t);
1129
+ S(this, _, t);
1130
1130
  }
1131
1131
  set codeVerifier(t) {
1132
- _(this, T, t);
1132
+ S(this, R, t);
1133
1133
  }
1134
1134
  set codeChallenge(t) {
1135
- _(this, N, t);
1135
+ S(this, U, t);
1136
1136
  }
1137
1137
  set state(t) {
1138
- _(this, R, t);
1138
+ S(this, E, t);
1139
1139
  }
1140
1140
  /**
1141
1141
  * Loads OpenID Connect configuration so that the client can determine
@@ -1145,12 +1145,12 @@ class Be {
1145
1145
  * Otherwise, performs a fetch by appending
1146
1146
  * `/.well-known/openid-configuration` to the
1147
1147
  * `authServerBaseUrl`.
1148
- * @throws {@link @crossauth/common!CrossauthError} with the following {@link @crossauth/common!ErrorCode}s
1148
+ * @throws {@link CrossauthError} with the following {@link ErrorCode}s
1149
1149
  * - `Connection` if data from the URL could not be fetched or parsed.
1150
1150
  */
1151
1151
  async loadConfig(t) {
1152
1152
  if (t) {
1153
- d.logger.debug(h({ msg: "Reading OIDC config locally" })), this.oidcConfig = t;
1153
+ l.logger.debug(h({ msg: "Reading OIDC config locally" })), this.oidcConfig = t;
1154
1154
  return;
1155
1155
  }
1156
1156
  let r;
@@ -1158,11 +1158,11 @@ class Be {
1158
1158
  const n = new URL(
1159
1159
  this.authServerBaseUrl + "/.well-known/openid-configuration"
1160
1160
  );
1161
- d.logger.debug(h({ msg: `Fetching OIDC config from ${n}` }));
1161
+ l.logger.debug(h({ msg: `Fetching OIDC config from ${n}` }));
1162
1162
  let i = { headers: this.authServerHeaders };
1163
1163
  this.authServerMode && (i.mode = this.authServerMode), this.authServerCredentials && (i.credentials = this.authServerCredentials), r = await fetch(n, i);
1164
1164
  } catch (n) {
1165
- d.logger.error(h({ err: n }));
1165
+ l.logger.error(h({ err: n }));
1166
1166
  }
1167
1167
  if (!r || !r.ok)
1168
1168
  throw new g(
@@ -1172,8 +1172,8 @@ class Be {
1172
1172
  this.oidcConfig = { ...te };
1173
1173
  try {
1174
1174
  const n = await r.json();
1175
- for (const [i, s] of Object.entries(n))
1176
- this.oidcConfig[i] = s;
1175
+ for (const [i, o] of Object.entries(n))
1176
+ this.oidcConfig[i] = o;
1177
1177
  } catch {
1178
1178
  throw new g(
1179
1179
  y.Connection,
@@ -1204,18 +1204,18 @@ class Be {
1204
1204
  * if no error
1205
1205
  */
1206
1206
  async startAuthorizationCodeFlow(t, r = !1) {
1207
- var s, o, l;
1208
- if (d.logger.debug(h({ msg: "Starting authorization code flow" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.response_types_supported.includes("code")) || !((o = this.oidcConfig) != null && o.response_modes_supported.includes("query")))
1207
+ var o, s, c;
1208
+ if (l.logger.debug(h({ msg: "Starting authorization code flow" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.response_types_supported.includes("code")) || !((s = this.oidcConfig) != null && s.response_modes_supported.includes("query")))
1209
1209
  return {
1210
1210
  error: "invalid_request",
1211
1211
  error_description: "Server does not support authorization code flow"
1212
1212
  };
1213
- if (!((l = this.oidcConfig) != null && l.authorization_endpoint))
1213
+ if (!((c = this.oidcConfig) != null && c.authorization_endpoint))
1214
1214
  return {
1215
1215
  error: "server_error",
1216
1216
  error_description: "Cannot get authorize endpoint"
1217
1217
  };
1218
- if (_(this, R, this.randomValue(this.stateLength)), !u(this, w)) return {
1218
+ if (S(this, E, this.randomValue(this.stateLength)), !f(this, w)) return {
1219
1219
  error: "invalid_request",
1220
1220
  error_description: "Cannot make authorization code flow without client id"
1221
1221
  };
@@ -1223,8 +1223,8 @@ class Be {
1223
1223
  error: "invalid_request",
1224
1224
  error_description: "Cannot make authorization code flow without Redirect Uri"
1225
1225
  };
1226
- let i = this.oidcConfig.authorization_endpoint + "?response_type=code&client_id=" + encodeURIComponent(u(this, w)) + "&state=" + encodeURIComponent(u(this, R)) + "&redirect_uri=" + encodeURIComponent(this.redirect_uri);
1227
- return t && (i += "&scope=" + encodeURIComponent(t)), r && (_(this, T, this.randomValue(this.verifierLength)), _(this, N, this.codeChallengeMethod == "plain" ? u(this, T) : await this.sha256(u(this, T))), i += "&code_challenge=" + u(this, N)), { url: i };
1226
+ let i = this.oidcConfig.authorization_endpoint + "?response_type=code&client_id=" + encodeURIComponent(f(this, w)) + "&state=" + encodeURIComponent(f(this, E)) + "&redirect_uri=" + encodeURIComponent(this.redirect_uri);
1227
+ return t && (i += "&scope=" + encodeURIComponent(t)), r && (S(this, R, this.randomValue(this.verifierLength)), S(this, U, this.codeChallengeMethod == "plain" ? f(this, R) : await this.sha256(f(this, R))), i += "&code_challenge=" + f(this, U)), { url: i };
1228
1228
  }
1229
1229
  /**
1230
1230
  * This implements the functionality behind the redirect URI
@@ -1247,34 +1247,35 @@ class Be {
1247
1247
  * request, or `error` and `error_description`.
1248
1248
  */
1249
1249
  async redirectEndpoint(t, r, n, i) {
1250
- var p, P;
1250
+ var p, I;
1251
1251
  if (this.oidcConfig || await this.loadConfig(), n || !t)
1252
1252
  return n || (n = "server_error"), i || (i = "Unknown error"), { error: n, error_description: i };
1253
- if (u(this, R) && r != u(this, R))
1253
+ if (f(this, E) && r != f(this, E))
1254
1254
  return { error: "access_denied", error_description: "State is not valid" };
1255
1255
  if (this.authzCode = t, !((p = this.oidcConfig) != null && p.grant_types_supported.includes("authorization_code")))
1256
1256
  return {
1257
1257
  error: "invalid_request",
1258
1258
  error_description: "Server does not support authorization code grant"
1259
1259
  };
1260
- if (!((P = this.oidcConfig) != null && P.token_endpoint))
1260
+ if (!((I = this.oidcConfig) != null && I.token_endpoint))
1261
1261
  return {
1262
1262
  error: "server_error",
1263
1263
  error_description: "Cannot get token endpoint"
1264
1264
  };
1265
- const s = this.oidcConfig.token_endpoint;
1266
- let o, l;
1267
- o = "authorization_code", l = u(this, S);
1268
- let f = {
1269
- grant_type: o,
1270
- client_id: u(this, w),
1265
+ const o = this.oidcConfig.token_endpoint;
1266
+ let s, c;
1267
+ s = "authorization_code", c = f(this, _);
1268
+ let u = {
1269
+ grant_type: s,
1270
+ client_id: f(this, w),
1271
1271
  code: this.authzCode
1272
1272
  };
1273
- l && (f.client_secret = l), f.code_verifier = u(this, T);
1273
+ c && (u.client_secret = c), u.code_verifier = f(this, R);
1274
1274
  try {
1275
- return this.post(s, f, this.authServerHeaders);
1276
- } catch (U) {
1277
- return d.logger.error(h({ err: U })), {
1275
+ const A = await this.post(o, u, this.authServerHeaders);
1276
+ return A.id_token && !await this.validateIdToken(A.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : A;
1277
+ } catch (A) {
1278
+ return l.logger.error(h({ err: A })), {
1278
1279
  error: "server_error",
1279
1280
  error_description: "Unable to get access token from server"
1280
1281
  };
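Review bot: The ID-token check added in `redirectEndpoint`'s `try` block is written inline as a ternary on the token response, and the same expression is repeated in the `passwordFlow`, `mfaOobComplete`, `refreshTokenFlow`, `startDeviceCodeFlow` and `pollDeviceCodeFlow` hunks further down. In the source this bundle is built from, one private helper that takes the token response and returns either it or the `access_denied` object would keep every flow on the same rule and make a flow that skips the check easy to spot. The check also runs only when `id_token` is present, so a response without one is returned unchanged; whether that is acceptable depends on the scopes the caller requested, which this hunk does not show. `redirectEndpoint` starts above this hunk and continues below it.

```javascript
// Sketch for the un-minified source; checkIdToken, resp, url and params are illustrative names.
async checkIdToken(resp) {
  if (resp.id_token && !(await this.validateIdToken(resp.id_token))) {
    return { error: "access_denied", error_description: "Invalid ID token" };
  }
  return resp;
}

// … unchanged: state check, grant/endpoint checks, building the token request …
const resp = await this.post(url, params, this.authServerHeaders);
return this.checkIdToken(resp);
```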
@@ -1295,29 +1296,29 @@ class Be {
1295
1296
  * request, or `error` and `error_description`.
1296
1297
  */
1297
1298
  async clientCredentialsFlow(t) {
1298
- var i, s;
1299
- if (d.logger.debug(h({ msg: "Starting client credentials flow" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("client_credentials")))
1299
+ var i, o;
1300
+ if (l.logger.debug(h({ msg: "Starting client credentials flow" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("client_credentials")))
1300
1301
  return {
1301
1302
  error: "invalid_request",
1302
1303
  error_description: "Server does not support client credentials grant"
1303
1304
  };
1304
- if (!((s = this.oidcConfig) != null && s.token_endpoint))
1305
+ if (!((o = this.oidcConfig) != null && o.token_endpoint))
1305
1306
  return { error: "server_error", error_description: "Cannot get token endpoint" };
1306
- if (!u(this, w)) return {
1307
+ if (!f(this, w)) return {
1307
1308
  error: "invalid_request",
1308
1309
  error_description: "Cannot make client credentials flow without client id"
1309
1310
  };
1310
1311
  const r = this.oidcConfig.token_endpoint;
1311
1312
  let n = {
1312
1313
  grant_type: "client_credentials",
1313
- client_id: u(this, w),
1314
- client_secret: u(this, S)
1314
+ client_id: f(this, w),
1315
+ client_secret: f(this, _)
1315
1316
  };
1316
1317
  t && (n.scope = t);
1317
1318
  try {
1318
1319
  return await this.post(r, n, this.authServerHeaders);
1319
- } catch (o) {
1320
- return d.logger.error(h({ err: o })), {
1320
+ } catch (s) {
1321
+ return l.logger.error(h({ err: s })), {
1321
1322
  error: "server_error",
1322
1323
  error_description: "Error connecting to authorization server"
1323
1324
  };
@@ -1339,30 +1340,31 @@ class Be {
1339
1340
  *
1340
1341
  */
1341
1342
  async passwordFlow(t, r, n) {
1342
- var o, l;
1343
- if (d.logger.debug(h({ msg: "Starting password flow" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("password")))
1343
+ var s, c;
1344
+ if (l.logger.debug(h({ msg: "Starting password flow" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("password")))
1344
1345
  return {
1345
1346
  error: "invalid_request",
1346
1347
  error_description: "Server does not support password grant"
1347
1348
  };
1348
- if (!((l = this.oidcConfig) != null && l.token_endpoint))
1349
+ if (!((c = this.oidcConfig) != null && c.token_endpoint))
1349
1350
  return {
1350
1351
  error: "server_error",
1351
1352
  error_description: "Cannot get token endpoint"
1352
1353
  };
1353
1354
  const i = this.oidcConfig.token_endpoint;
1354
- let s = {
1355
+ let o = {
1355
1356
  grant_type: "password",
1356
- client_id: u(this, w),
1357
- client_secret: u(this, S),
1357
+ client_id: f(this, w),
1358
+ client_secret: f(this, _),
1358
1359
  username: t,
1359
1360
  password: r
1360
1361
  };
1361
- n && (s.scope = n);
1362
+ n && (o.scope = n);
1362
1363
  try {
1363
- return await this.post(i, s, this.authServerHeaders);
1364
- } catch (f) {
1365
- return d.logger.error(h({ err: f })), {
1364
+ let u = await this.post(i, o, this.authServerHeaders);
1365
+ return u.id_token && !await this.validateIdToken(u.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : u;
1366
+ } catch (u) {
1367
+ return l.logger.error(h({ err: u })), {
1366
1368
  error: "server_error",
1367
1369
  error_description: "Error connecting to authorization server"
1368
1370
  };
@@ -1382,13 +1384,13 @@ class Be {
1382
1384
  * documentation
1383
1385
  */
1384
1386
  async mfaAuthenticators(t) {
1385
- var s, o, l;
1386
- if (d.logger.debug(h({ msg: "Getting valid MFA authenticators" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")) && ((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
1387
+ var o, s, c;
1388
+ if (l.logger.debug(h({ msg: "Getting valid MFA authenticators" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")) && ((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
1387
1389
  return {
1388
1390
  error: "invalid_request",
1389
1391
  error_description: "Server does not support password_mfa grant"
1390
1392
  };
1391
- if (!((l = this.oidcConfig) != null && l.issuer))
1393
+ if (!((c = this.oidcConfig) != null && c.issuer))
1392
1394
  return { error: "server_error", error_description: "Cannot get issuer" };
1393
1395
  const r = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/authenticators", n = await this.get(r, { authorization: "Bearer " + t, ...this.authServerHeaders });
1394
1396
  if (!Array.isArray(n))
@@ -1397,8 +1399,8 @@ class Be {
1397
1399
  error_description: "Expected array of authenticators in mfa/authenticators response"
1398
1400
  };
1399
1401
  let i = [];
1400
- for (let f = 0; f < n.length; ++f) {
1401
- const p = n[f];
1402
+ for (let u = 0; u < n.length; ++u) {
1403
+ const p = n[u];
1402
1404
  if (!p.id || !p.authenticator_type || !p.active)
1403
1405
  return {
1404
1406
  error: "server_error",
@@ -1427,17 +1429,17 @@ class Be {
1427
1429
  * from the `mfaAuthenticators` request.
1428
1430
  */
1429
1431
  async mfaOtpRequest(t, r) {
1430
- var s, o;
1431
- if (d.logger.debug(h({ msg: "Making MFA OTB request" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
1432
+ var o, s;
1433
+ if (l.logger.debug(h({ msg: "Making MFA OTB request" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
1432
1434
  return {
1433
1435
  error: "invalid_request",
1434
1436
  error_description: "Server does not support password_mfa grant"
1435
1437
  };
1436
- if (!((o = this.oidcConfig) != null && o.issuer))
1438
+ if (!((s = this.oidcConfig) != null && s.issuer))
1437
1439
  return { error: "server_error", error_description: "Cannot get issuer" };
1438
1440
  const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", i = await this.post(n, {
1439
- client_id: u(this, w),
1440
- client_secret: u(this, S),
1441
+ client_id: f(this, w),
1442
+ client_secret: f(this, _),
1441
1443
  challenge_type: "otp",
1442
1444
  mfa_token: t,
1443
1445
  authenticator_id: r
@@ -1465,32 +1467,32 @@ class Be {
1465
1467
  * - `error_description` friendly error message
1466
1468
  */
1467
1469
  async mfaOtpComplete(t, r, n) {
1468
- var o, l;
1469
- if (d.logger.debug(h({ msg: "Completing MFA OTP request" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
1470
+ var s, c;
1471
+ if (l.logger.debug(h({ msg: "Completing MFA OTP request" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
1470
1472
  return {
1471
1473
  error: "invalid_request",
1472
1474
  error_description: "Server does not support password_mfa grant"
1473
1475
  };
1474
- if (!((l = this.oidcConfig) != null && l.issuer))
1476
+ if (!((c = this.oidcConfig) != null && c.issuer))
1475
1477
  return { error: "server_error", error_description: "Cannot get issuer" };
1476
- const i = this.oidcConfig.token_endpoint, s = await this.post(i, {
1478
+ const i = this.oidcConfig.token_endpoint, o = await this.post(i, {
1477
1479
  grant_type: "http://auth0.com/oauth/grant-type/mfa-otp",
1478
- client_id: u(this, w),
1479
- client_secret: u(this, S),
1480
+ client_id: f(this, w),
1481
+ client_secret: f(this, _),
1480
1482
  challenge_type: "otp",
1481
1483
  mfa_token: t,
1482
1484
  otp: r,
1483
1485
  scope: n
1484
1486
  }, this.authServerHeaders);
1485
1487
  return {
1486
- id_token: s.id_token,
1487
- access_token: s.access_token,
1488
- refresh_token: s.refresh_token,
1489
- expires_in: Number(s.expires_in),
1490
- scope: s.scope,
1491
- token_type: s.token_type,
1492
- error: s.error,
1493
- error_description: s.error_description
1488
+ id_token: o.id_token,
1489
+ access_token: o.access_token,
1490
+ refresh_token: o.refresh_token,
1491
+ expires_in: Number(o.expires_in),
1492
+ scope: o.scope,
1493
+ token_type: o.token_type,
1494
+ error: o.error,
1495
+ error_description: o.error_description
1494
1496
  };
1495
1497
  }
1496
1498
  /**
@@ -1512,17 +1514,17 @@ class Be {
1512
1514
  * - `error_description` friendly error message
1513
1515
  */
1514
1516
  async mfaOobRequest(t, r) {
1515
- var s, o;
1516
- if (d.logger.debug(h({ msg: "Making MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
1517
+ var o, s;
1518
+ if (l.logger.debug(h({ msg: "Making MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
1517
1519
  return {
1518
1520
  error: "invalid_request",
1519
1521
  error_description: "Server does not support password_mfa grant"
1520
1522
  };
1521
- if (!((o = this.oidcConfig) != null && o.issuer))
1523
+ if (!((s = this.oidcConfig) != null && s.issuer))
1522
1524
  return { error: "server_error", error_description: "Cannot get issuer" };
1523
1525
  const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", i = await this.post(n, {
1524
- client_id: u(this, w),
1525
- client_secret: u(this, S),
1526
+ client_id: f(this, w),
1527
+ client_secret: f(this, _),
1526
1528
  challenge_type: "oob",
1527
1529
  mfa_token: t,
1528
1530
  authenticator_id: r
@@ -1547,63 +1549,64 @@ class Be {
1547
1549
  * an error instead of the response fields.
1548
1550
  */
1549
1551
  async mfaOobComplete(t, r, n, i) {
1550
- var l, f;
1551
- if (d.logger.debug(h({ msg: "Completing MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((l = this.oidcConfig) != null && l.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
1552
+ var c, u;
1553
+ if (l.logger.debug(h({ msg: "Completing MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((c = this.oidcConfig) != null && c.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
1552
1554
  return {
1553
1555
  error: "invalid_request",
1554
1556
  error_description: "Server does not support password_mfa grant"
1555
1557
  };
1556
- if (!((f = this.oidcConfig) != null && f.issuer))
1558
+ if (!((u = this.oidcConfig) != null && u.issuer))
1557
1559
  return { error: "server_error", error_description: "Cannot get issuer" };
1558
- const s = this.oidcConfig.token_endpoint, o = await this.post(s, {
1560
+ const o = this.oidcConfig.token_endpoint, s = await this.post(o, {
1559
1561
  grant_type: "http://auth0.com/oauth/grant-type/mfa-oob",
1560
- client_id: u(this, w),
1561
- client_secret: u(this, S),
1562
+ client_id: f(this, w),
1563
+ client_secret: f(this, _),
1562
1564
  challenge_type: "otp",
1563
1565
  mfa_token: t,
1564
1566
  oob_code: r,
1565
1567
  binding_code: n,
1566
1568
  scope: i
1567
1569
  }, this.authServerHeaders);
1568
- return o.error ? {
1569
- error: o.error,
1570
- error_description: o.error_description
1571
- } : {
1572
- id_token: o.id_token,
1573
- access_token: o.access_token,
1574
- refresh_token: o.refresh_token,
1575
- expires_in: "expires_in" in o ? Number(o.expires_in) : void 0,
1576
- scope: o.scope,
1577
- token_type: o.token_type
1570
+ return s.error ? {
1571
+ error: s.error,
1572
+ error_description: s.error_description
1573
+ } : s.id_token && !await this.validateIdToken(s.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : {
1574
+ id_token: s.id_token,
1575
+ access_token: s.access_token,
1576
+ refresh_token: s.refresh_token,
1577
+ expires_in: "expires_in" in s ? Number(s.expires_in) : void 0,
1578
+ scope: s.scope,
1579
+ token_type: s.token_type
1578
1580
  };
1579
1581
  }
1580
1582
  //////////////////////////////////////////////////////////////////////
1581
1583
  // Refresh Token Flow
1582
1584
  async refreshTokenFlow(t) {
1583
- var s, o;
1584
- if (d.logger.debug(h({ msg: "Starting refresh token flow" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("refresh_token")))
1585
+ var o, s;
1586
+ if (l.logger.debug(h({ msg: "Starting refresh token flow" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("refresh_token")))
1585
1587
  return {
1586
1588
  error: "invalid_request",
1587
1589
  error_description: "Server does not support refresh_token grant"
1588
1590
  };
1589
- if (!((o = this.oidcConfig) != null && o.token_endpoint))
1591
+ if (!((s = this.oidcConfig) != null && s.token_endpoint))
1590
1592
  return {
1591
1593
  error: "server_error",
1592
1594
  error_description: "Cannot get token endpoint"
1593
1595
  };
1594
1596
  const r = this.oidcConfig.token_endpoint;
1595
1597
  let n;
1596
- n = u(this, S);
1598
+ n = f(this, _);
1597
1599
  let i = {
1598
1600
  grant_type: "refresh_token",
1599
1601
  refresh_token: t,
1600
- client_id: u(this, w)
1602
+ client_id: f(this, w)
1601
1603
  };
1602
1604
  n && (i.client_secret = n);
1603
1605
  try {
1604
- return await this.post(r, i, this.authServerHeaders);
1605
- } catch (l) {
1606
- return d.logger.error(h({ err: l })), {
1606
+ let c = await this.post(r, i, this.authServerHeaders);
1607
+ return c.id_token && !await this.validateIdToken(c.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : c;
1608
+ } catch (c) {
1609
+ return l.logger.error(h({ err: c })), {
1607
1610
  error: "server_error",
1608
1611
  error_description: "Error connecting to authorization server"
1609
1612
  };
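Review bot: `mfaOobComplete` now rejects a response whose `id_token` fails `validateIdToken`, but its sibling `mfaOtpComplete` (the rename-only hunk at `@@ -1465,32 +1467,32 @@`) still copies `o.id_token` straight into its result with no validation, so the OTP variant of the same MFA grant can return an ID token that was never checked. The same guard belongs there before the result object is built: `if (o.id_token && !await this.validateIdToken(o.id_token)) return { error: "access_denied", error_description: "Invalid ID token" };`. Neither MFA completion wraps `this.post` in `try`/`catch` as `refreshTokenFlow` in this hunk does, so a failed fetch surfaces as an exception rather than an `error` object; it is worth confirming that callers expect that.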
@@ -1619,21 +1622,22 @@ class Be {
1619
1622
  */
1620
1623
  async startDeviceCodeFlow(t, r) {
1621
1624
  var i;
1622
- if (d.logger.debug(h({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
1625
+ if (l.logger.debug(h({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
1623
1626
  return {
1624
1627
  error: "invalid_request",
1625
1628
  error_description: "Server does not support device code grant"
1626
1629
  };
1627
1630
  let n = {
1628
1631
  grant_type: "urn:ietf:params:oauth:grant-type:device_code",
1629
- client_id: u(this, w),
1630
- client_secret: u(this, S)
1632
+ client_id: f(this, w),
1633
+ client_secret: f(this, _)
1631
1634
  };
1632
1635
  r && (n.scope = r);
1633
1636
  try {
1634
- return await this.post(t, n, this.authServerHeaders);
1635
- } catch (s) {
1636
- return d.logger.error(h({ err: s })), {
1637
+ let o = await this.post(t, n, this.authServerHeaders);
1638
+ return o.id_token && !await this.validateIdToken(o.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : o;
1639
+ } catch (o) {
1640
+ return l.logger.error(h({ err: o })), {
1637
1641
  error: "server_error",
1638
1642
  error_description: "Error connecting to authorization server"
1639
1643
  };
@@ -1647,8 +1651,8 @@ class Be {
1647
1651
  * @returns See {@link OAuthDeviceResponse}
1648
1652
  */
1649
1653
  async pollDeviceCodeFlow(t) {
1650
- var n, i, s;
1651
- if (d.logger.debug(h({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((n = this.oidcConfig) != null && n.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
1654
+ var n, i, o;
1655
+ if (l.logger.debug(h({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((n = this.oidcConfig) != null && n.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
1652
1656
  return {
1653
1657
  error: "invalid_request",
1654
1658
  error_description: "Server does not support device code grant"
@@ -1660,15 +1664,15 @@ class Be {
1660
1664
  };
1661
1665
  let r = {
1662
1666
  grant_type: "urn:ietf:params:oauth:grant-type:device_code",
1663
- client_id: u(this, w),
1664
- client_secret: u(this, S),
1667
+ client_id: f(this, w),
1668
+ client_secret: f(this, _),
1665
1669
  device_code: t
1666
1670
  };
1667
1671
  try {
1668
- const o = await this.post((s = this.oidcConfig) == null ? void 0 : s.token_endpoint, r, this.authServerHeaders);
1669
- return o.error, o;
1670
- } catch (o) {
1671
- return d.logger.error(h({ err: o })), {
1672
+ const s = await this.post((o = this.oidcConfig) == null ? void 0 : o.token_endpoint, r, this.authServerHeaders);
1673
+ return s.error ? s : s.id_token && !await this.validateIdToken(s.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : s;
1674
+ } catch (s) {
1675
+ return l.logger.error(h({ err: s })), {
1672
1676
  error: "server_error",
1673
1677
  error_description: "Error connecting to authorization server"
1674
1678
  };
@@ -1683,7 +1687,7 @@ class Be {
1683
1687
  * @throws any exception raised by `fetch()`
1684
1688
  */
1685
1689
  async post(t, r, n = {}) {
1686
- d.logger.debug(h({
1690
+ l.logger.debug(h({
1687
1691
  msg: "Fetch POST",
1688
1692
  url: t,
1689
1693
  params: Object.keys(r)
@@ -1709,7 +1713,7 @@ class Be {
1709
1713
  * @throws any exception raised by `fetch()`
1710
1714
  */
1711
1715
  async get(t, r = {}) {
1712
- d.logger.debug(h({ msg: "Fetch GET", url: t }));
1716
+ l.logger.debug(h({ msg: "Fetch GET", url: t }));
1713
1717
  let n = {};
1714
1718
  return this.authServerCredentials && (n.credentials = this.authServerCredentials), this.authServerMode && (n.mode = this.authServerMode), await (await fetch(t, {
1715
1719
  method: "GET",
@@ -1748,7 +1752,7 @@ class Be {
1748
1752
  try {
1749
1753
  return await this.tokenConsumer.tokenAuthorized(t, "id");
1750
1754
  } catch (r) {
1751
- d.logger.warn(h({ err: r }));
1755
+ l.logger.warn(h({ err: r }));
1752
1756
  return;
1753
1757
  }
1754
1758
  }
@@ -1756,7 +1760,7 @@ class Be {
1756
1760
  return Me(t);
1757
1761
  }
1758
1762
  }
1759
- w = new WeakMap(), S = new WeakMap(), N = new WeakMap(), T = new WeakMap(), R = new WeakMap();
1763
+ w = new WeakMap(), _ = new WeakMap(), U = new WeakMap(), R = new WeakMap(), E = new WeakMap();
1760
1764
  class Le {
1761
1765
  /**
1762
1766
  * Constrctor
@@ -1824,7 +1828,7 @@ class Le {
1824
1828
  await this.loadJwks();
1825
1829
  }
1826
1830
  } catch (t) {
1827
- throw d.logger.debug(h({ err: t })), new g(y.Connection, "Couldn't load keys");
1831
+ throw l.logger.debug(h({ err: t })), new g(y.Connection, "Couldn't load keys");
1828
1832
  }
1829
1833
  }
1830
1834
  /**
@@ -1833,7 +1837,7 @@ class Le {
1833
1837
  * to `authServerBaseUrl` )
1834
1838
  * @param oidcConfig the configuration, or undefined to load it from
1835
1839
  * the authorization server
1836
- * @throws a {@link @crossauth/common!CrossauthError} object with {@link @crossauth/common!ErrorCode} of
1840
+ * @throws a {@link CrossauthError} object with {@link ErrorCode} of
1837
1841
  * - `Connection` if the fetch to the authorization server failed.
1838
1842
  */
1839
1843
  async loadConfig(t) {
@@ -1847,15 +1851,15 @@ class Le {
1847
1851
  try {
1848
1852
  r = await fetch(new URL("/.well-known/openid-configuration", this.authServerBaseUrl));
1849
1853
  } catch (n) {
1850
- d.logger.error(h({ err: n }));
1854
+ l.logger.error(h({ err: n }));
1851
1855
  }
1852
1856
  if (!r || !r.ok)
1853
1857
  throw new g(y.Connection, "Couldn't get OIDC configuration");
1854
1858
  this.oidcConfig = { ...te };
1855
1859
  try {
1856
1860
  const n = await r.json();
1857
- for (const [i, s] of Object.entries(n))
1858
- this.oidcConfig[i] = s;
1861
+ for (const [i, o] of Object.entries(n))
1862
+ this.oidcConfig[i] = o;
1859
1863
  } catch {
1860
1864
  throw new g(y.Connection, "Unrecognized response from OIDC configuration endpoint");
1861
1865
  }
@@ -1865,7 +1869,7 @@ class Le {
1865
1869
  * authorization server (using the URL in the OIDC configuration).
1866
1870
  * @param jwks the keys to load, or undefined to fetch them from
1867
1871
  * the authorization server.
1868
- * @throws a {@link @crossauth/common!CrossauthError} object with {@link @crossauth/common!ErrorCode} of
1872
+ * @throws a {@link CrossauthError} object with {@link ErrorCode} of
1869
1873
  * - `Connection` if the fetch to the authorization server failed,
1870
1874
  * the OIDC configuration wasn't set or the keys could not be parsed.
1871
1875
  */
@@ -1883,7 +1887,7 @@ class Le {
1883
1887
  try {
1884
1888
  r = await fetch(new URL(this.oidcConfig.jwks_uri));
1885
1889
  } catch (n) {
1886
- d.logger.error(h({ err: n }));
1890
+ l.logger.error(h({ err: n }));
1887
1891
  }
1888
1892
  if (!r || !r.ok)
1889
1893
  throw new g(y.Connection, "Couldn't get OIDC configuration");
@@ -1894,15 +1898,15 @@ class Le {
1894
1898
  throw new g(y.Connection, "Couldn't fetch keys");
1895
1899
  for (let i = 0; i < n.keys.length; ++i)
1896
1900
  try {
1897
- let s = "_default";
1898
- "kid" in n.keys[i] && typeof n.keys[i] == "string" && (s = String(n.keys[i]));
1899
- const o = await Z(n.keys[i]);
1900
- this.keys[s] = o;
1901
- } catch (s) {
1902
- throw d.logger.error(h({ err: s })), new g(y.Connection, "Couldn't load keys");
1901
+ let o = "_default";
1902
+ "kid" in n.keys[i] && typeof n.keys[i] == "string" && (o = String(n.keys[i]));
1903
+ const s = await Z(n.keys[i]);
1904
+ this.keys[o] = s;
1905
+ } catch (o) {
1906
+ throw l.logger.error(h({ err: o })), new g(y.Connection, "Couldn't load keys");
1903
1907
  }
1904
1908
  } catch (n) {
1905
- throw d.logger.error(h({ err: n })), new g(y.Connection, "Unrecognized response from OIDC jwks endpoint");
1909
+ throw l.logger.error(h({ err: n })), new g(y.Connection, "Unrecognized response from OIDC jwks endpoint");
1906
1910
  }
1907
1911
  }
1908
1912
  }
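Review bot: The `kid` test in the key-loading loop can never be true, and this release carries it over unchanged apart from the renamed locals. `"kid" in n.keys[i]` requires `n.keys[i]` to be an object, so `typeof n.keys[i] == "string"` is always false and every key is stored under `"_default"`, each one overwriting the last. With more than one key in the JWKS (normal during key rotation) only the final entry survives, so tokens signed with any other key would fail verification. The intended line is probably `"kid" in n.keys[i] && typeof n.keys[i].kid == "string" && (o = n.keys[i].kid);`, to be fixed in the source rather than in this bundle. The enclosing method starts outside this hunk.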
@@ -1921,24 +1925,28 @@ class Le {
1921
1925
  (!this.keys || Object.keys(this.keys).length == 0) && await this.loadKeys();
1922
1926
  const n = await this.validateToken(t);
1923
1927
  if (n) {
1924
- if (n.type != r && d.logger.error(h({ msg: r + " expected but got " + n.type })), n.iss != this.authServerBaseUrl) {
1925
- d.logger.error(h({ msg: `Invalid issuer ${n.iss} in access token`, hashedAccessToken: await this.hash(n.jti) }));
1928
+ if (n.type != r) {
1929
+ l.logger.error(h({ msg: r + " expected but got " + n.type }));
1930
+ return;
1931
+ }
1932
+ if (n.iss != this.authServerBaseUrl) {
1933
+ l.logger.error(h({ msg: `Invalid issuer ${n.iss} in access token`, hashedAccessToken: await this.hash(n.jti) }));
1926
1934
  return;
1927
1935
  }
1928
1936
  if (n.aud && (Array.isArray(n.aud) && !n.aud.includes(this.audience) || !Array.isArray(n.aud) && n.aud != this.audience)) {
1929
- d.logger.error(h({ msg: `Invalid audience ${n.aud} in access token`, hashedAccessToken: await this.hash(n.jti) }));
1937
+ l.logger.error(h({ msg: `Invalid audience ${n.aud} in access token`, hashedAccessToken: await this.hash(n.jti) }));
1930
1938
  return;
1931
1939
  }
1932
1940
  return n;
1933
1941
  }
1934
1942
  }
1935
1943
  async validateToken(t) {
1936
- (!this.keys || Object.keys(this.keys).length == 0) && d.logger.warn("No keys loaded so cannot validate tokens");
1944
+ (!this.keys || Object.keys(this.keys).length == 0) && l.logger.warn("No keys loaded so cannot validate tokens");
1937
1945
  let r;
1938
1946
  try {
1939
1947
  r = qe(t).kid;
1940
1948
  } catch {
1941
- d.logger.warn(h({ msg: "Invalid access token format" }));
1949
+ l.logger.warn(h({ msg: "Invalid access token format" }));
1942
1950
  return;
1943
1951
  }
1944
1952
  let n;
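Review bot: The audience check in `tokenAuthorized` is skipped entirely when the token has no `aud` claim, because the condition starts with `n.aud &&`. Returning on a `type` mismatch is a real tightening, but now that this path also validates ID tokens (`tokenAuthorized(t, "id")`), a token issued by the same server without an audience, or for a different purpose, is still accepted. I would reject a missing claim whenever an audience is configured, e.g. `if (this.audience && (!n.aud || (Array.isArray(n.aud) ? !n.aud.includes(this.audience) : n.aud != this.audience))) {`. The two log messages still say "in access token" even when `r` is `"id"`, which will mislead whoever reads the logs. `tokenAuthorized` begins before this hunk and `validateToken` continues past it.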
@@ -1949,32 +1957,32 @@ class Le {
1949
1957
  break;
1950
1958
  }
1951
1959
  if (!n) {
1952
- d.logger.warn(h({ msg: "No matching keys found for access token" }));
1960
+ l.logger.warn(h({ msg: "No matching keys found for access token" }));
1953
1961
  return;
1954
1962
  }
1955
1963
  try {
1956
- const { payload: i } = await Je(t, n), s = JSON.parse(new TextDecoder().decode(i));
1957
- if (s.exp * 1e3 < Date.now() + this.clockTolerance) {
1958
- d.logger.warn(h({ msg: "Access token has expired" }));
1964
+ const { payload: i } = await Je(t, n), o = JSON.parse(new TextDecoder().decode(i));
1965
+ if (o.exp * 1e3 < Date.now() + this.clockTolerance) {
1966
+ l.logger.warn(h({ msg: "Access token has expired" }));
1959
1967
  return;
1960
1968
  }
1961
- return s;
1969
+ return o;
1962
1970
  } catch {
1963
- d.logger.warn(h({ msg: "Access token did not validate" }));
1971
+ l.logger.warn(h({ msg: "Access token did not validate" }));
1964
1972
  return;
1965
1973
  }
1966
1974
  }
1967
1975
  }
1968
1976
  export {
1969
1977
  g as CrossauthError,
1970
- d as CrossauthLogger,
1978
+ l as CrossauthLogger,
1971
1979
  te as DEFAULT_OIDCCONFIG,
1972
1980
  y as ErrorCode,
1973
1981
  C as KeyPrefix,
1974
1982
  Be as OAuthClientBase,
1975
1983
  ee as OAuthFlows,
1976
1984
  Le as OAuthTokenConsumerBase,
1977
- k as UserState,
1985
+ P as UserState,
1978
1986
  $e as httpStatus,
1979
1987
  h as j
1980
1988
  };
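Review bot: The expiry test in `validateToken` accepts a token with a missing or non-numeric `exp`. The payload is parsed straight from the verified bytes with `JSON.parse`, so an absent `exp` makes `o.exp * 1e3` evaluate to `NaN`, the comparison is false, and the token is returned as valid with no expiry. I would make the claim mandatory: `if (typeof o.exp != "number" || o.exp * 1e3 < Date.now() + this.clockTolerance) {`. Separately, adding `clockTolerance` to `Date.now()` makes tokens expire early rather than granting leeway; if leeway is the intent the sign looks inverted, which is worth confirming against the source. `validateToken` starts in the previous hunk.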