@crossauth/common 1.0.1 → 1.1.0

package/dist/index.js

@@ -1,37 +1,43 @@
-var ue = Object.defineProperty;
-var B = (e) => {
+var ye = Object.defineProperty;
+var Y = (e) => {
   throw TypeError(e);
 };
-var he = (e, t, r) => t in e ? ue(e, t, { enumerable: !0, configurable: !0, writable: !0, value: r }) : e[t] = r;
-var a = (e, t, r) => he(e, typeof t != "symbol" ? t + "" : t, r), j = (e, t, r) => t.has(e) || B("Cannot " + r);
-var p = (e, t, r) => (j(e, t, "read from private field"), r ? r.call(e) : t.get(e)), F = (e, t, r) => t.has(e) ? B("Cannot add the same private member more than once") : t instanceof WeakSet ? t.add(e) : t.set(e, r), K = (e, t, r, n) => (j(e, t, "write to private field"), n ? n.call(e, r) : t.set(e, r), r);
-class P {
+var me = (e, t, r) => t in e ? ye(e, t, { enumerable: !0, configurable: !0, writable: !0, value: r }) : e[t] = r;
+var a = (e, t, r) => me(e, typeof t != "symbol" ? t + "" : t, r), X = (e, t, r) => t.has(e) || Y("Cannot " + r);
+var p = (e, t, r) => (X(e, t, "read from private field"), r ? r.call(e) : t.get(e)), $ = (e, t, r) => t.has(e) ? Y("Cannot add the same private member more than once") : t instanceof WeakSet ? t.add(e) : t.set(e, r), D = (e, t, r, n) => (X(e, t, "write to private field"), n ? n.call(e, r) : t.set(e, r), r);
+class E {
 }
 /** Ordinary, active user who can log in freely */
-a(P, "active", "active"), /** Deactivated account.  User cannot log in */
-a(P, "disabled", "disabled"), /** Two factor authentication has been actived for this user
+a(E, "active", "active"), /** Deactivated account.  User cannot log in */
+a(E, "disabled", "disabled"), /** Two factor authentication has been actived for this user
  * but has not yet been configured.  Once a user logs in,
  * they will be directed to a page to configure 2FA and will
  * not be able to do anything else (that requires login) until
  * they have done so.
  */
-a(P, "awaitingTwoFactorSetup", "awaitingtwofactorsetup"), /** Email verification has been turned on but user has not
+a(E, "awaitingTwoFactorSetup", "awaitingtwofactorsetup"), /** Two factor authentication has been actived for this user
+ * but has not yet been configured.  Once a user logs in,
+ * they will be directed to a page to configure 2FA and will
+ * not be able to do anything else (that requires login) until
+ * they have done so.  They will then have to verify their email
+ */
+a(E, "awaitingTwoFactorSetupAndEmailVerification", "awaitingtwofactorsetupandemailverification"), /** Email verification has been turned on but user has not
  * verified his or her email address.  Cannot log on until it has
  * been verified.
  */
-a(P, "awaitingEmailVerification", "awaitingemailverification"), /**
+a(E, "awaitingEmailVerification", "awaitingemailverification"), /**
  * If the state is set to this, the user may not access any
  * login-required functions unless he or she has changed their password.
  * 
  * Upon login, the user is redirected to the change password page.
  */
-a(P, "passwordChangeNeeded", "passwordchangeneeded"), /**
+a(E, "passwordChangeNeeded", "passwordchangeneeded"), /**
  * If the state is set to this, the user may not access any
  * login-required functions unless he or she has reset their password.
  * 
  * Upon login, the user is redirected to the reset password page.
  */
-a(P, "passwordResetNeeded", "passwordresetneeded"), /**
+a(E, "passwordResetNeeded", "passwordresetneeded"), /**
  * If the state is set to this, the user may not access any
  * login-required functions unless he or she has reset their second
  * factor configuration.
@@ -42,27 +48,27 @@ a(P, "passwordResetNeeded", "passwordresetneeded"), /**
  * this value and the user will then be prompted to configure 2FA 
  * upon login.
  */
-a(P, "factor2ResetNeeded", "factor2resetneeded"), /**
+a(E, "factor2ResetNeeded", "factor2resetneeded"), /**
  * If the state is set to this, the user may not access any
  * login-required functions unless he or she has reset their password
  * and then resets factor2.
  * 
  * Upon login, the user is redirected to the reset password page.
  */
-a(P, "passwordAndFactor2ResetNeeded", "passwordandfactor2resetneeded");
-class C {
+a(E, "passwordAndFactor2ResetNeeded", "passwordandfactor2resetneeded");
+class A {
 }
 /** Session ID */
-a(C, "session", "s:"), /** Password Reset Token */
-a(C, "passwordResetToken", "p:"), /** Email verification token */
-a(C, "emailVerificationToken", "e:"), /** API key */
-a(C, "apiKey", "api:"), /** OAuth authorization code */
-a(C, "authorizationCode", "authz:"), /** OAuth access token */
-a(C, "accessToken", "access:"), /** OAuth refresh token */
-a(C, "refreshToken", "refresh:"), /** OAuth MFA key (used by the password MFA flow) */
-a(C, "mfaToken", "omfa:"), /** Device code device code */
-a(C, "deviceCode", "dc:"), /** Device code flow user code */
-a(C, "userCode", "uc:");
+a(A, "session", "s:"), /** Password Reset Token */
+a(A, "passwordResetToken", "p:"), /** Email verification token */
+a(A, "emailVerificationToken", "e:"), /** API key */
+a(A, "apiKey", "api:"), /** OAuth authorization code */
+a(A, "authorizationCode", "authz:"), /** OAuth access token */
+a(A, "accessToken", "access:"), /** OAuth refresh token */
+a(A, "refreshToken", "refresh:"), /** OAuth MFA key (used by the password MFA flow) */
+a(A, "mfaToken", "omfa:"), /** Device code device code */
+a(A, "deviceCode", "dc:"), /** Device code flow user code */
+a(A, "userCode", "uc:");
 var y = /* @__PURE__ */ ((e) => (e[e.UserNotExist = 0] = "UserNotExist", e[e.PasswordInvalid = 1] = "PasswordInvalid", e[e.EmailNotExist = 2] = "EmailNotExist", e[e.UsernameOrPasswordInvalid = 3] = "UsernameOrPasswordInvalid", e[e.InvalidClientId = 4] = "InvalidClientId", e[e.ClientExists = 5] = "ClientExists", e[e.InvalidClientSecret = 6] = "InvalidClientSecret", e[e.InvalidClientIdOrSecret = 7] = "InvalidClientIdOrSecret", e[e.InvalidRedirectUri = 8] = "InvalidRedirectUri", e[e.InvalidOAuthFlow = 9] = "InvalidOAuthFlow", e[e.UserNotActive = 10] = "UserNotActive", e[e.EmailNotVerified = 11] = "EmailNotVerified", e[e.TwoFactorIncomplete = 12] = "TwoFactorIncomplete", e[e.Unauthorized = 13] = "Unauthorized", e[e.UnauthorizedClient = 14] = "UnauthorizedClient", e[e.InvalidScope = 15] = "InvalidScope", e[e.InsufficientScope = 16] = "InsufficientScope", e[e.InsufficientPriviledges = 17] = "InsufficientPriviledges", e[e.Forbidden = 18] = "Forbidden", e[e.InvalidKey = 19] = "InvalidKey", e[e.InvalidCsrf = 20] = "InvalidCsrf", e[e.InvalidSession = 21] = "InvalidSession", e[e.Expired = 22] = "Expired", e[e.Connection = 23] = "Connection", e[e.InvalidHash = 24] = "InvalidHash", e[e.UnsupportedAlgorithm = 25] = "UnsupportedAlgorithm", e[e.KeyExists = 26] = "KeyExists", e[e.PasswordChangeNeeded = 27] = "PasswordChangeNeeded", e[e.PasswordResetNeeded = 28] = "PasswordResetNeeded", e[e.Factor2ResetNeeded = 29] = "Factor2ResetNeeded", e[e.Configuration = 30] = "Configuration", e[e.InvalidEmail = 31] = "InvalidEmail", e[e.InvalidPhoneNumber = 32] = "InvalidPhoneNumber", e[e.InvalidUsername = 33] = "InvalidUsername", e[e.PasswordMatch = 34] = "PasswordMatch", e[e.InvalidToken = 35] = "InvalidToken", e[e.MfaRequired = 36] = "MfaRequired", e[e.PasswordFormat = 37] = "PasswordFormat", e[e.DataFormat = 38] = "DataFormat", e[e.FetchError = 39] = "FetchError", e[e.UserExists = 40] = "UserExists", e[e.FormEntry = 41] = "FormEntry", e[e.BadRequest = 42] = "BadRequest", e[e.AuthorizationPending = 43] = "AuthorizationPending", e[e.SlowDown = 44] = "SlowDown", e[e.ExpiredToken = 45] = "ExpiredToken", e[e.ConstraintViolation = 46] = "ConstraintViolation", e[e.NotImplemented = 47] = "NotImplemented", e[e.UnknownError = 48] = "UnknownError", e))(y || {});
 class g extends Error {
   /**
@@ -205,10 +211,10 @@ class g extends Error {
     return "message" in r && (i = r.message), new g(48, i);
   }
 }
-function Fe(e) {
-  return typeof e == "number" && (e = "" + e), e in q ? q[e] : q[500];
+function it(e) {
+  return typeof e == "number" && (e = "" + e), e in B ? B[e] : B[500];
 }
-const q = {
+const B = {
   200: "OK",
   201: "Created",
   202: "Accepted",
@@ -350,7 +356,7 @@ function u(e) {
 }
 globalThis.crossauthLogger = new l();
 globalThis.crossauthLoggerAcceptsJson = !0;
-const Z = {
+const ie = {
   issuer: "",
   authorization_endpoint: "",
   token_endpoint: "",
@@ -365,79 +371,129 @@ const Z = {
   request_parameter_supported: !1,
   request_uri_parameter_supported: !0,
   require_request_uri_registration: !1
-}, H = crypto, ee = (e) => e instanceof CryptoKey, x = new TextEncoder(), N = new TextDecoder();
-function fe(...e) {
+}, q = crypto, ne = (e) => e instanceof CryptoKey, M = new TextEncoder(), H = new TextDecoder();
+function we(...e) {
   const t = e.reduce((i, { length: o }) => i + o, 0), r = new Uint8Array(t);
   let n = 0;
   for (const i of e)
     r.set(i, n), n += i.length;
   return r;
 }
-const pe = (e) => {
+const _e = (e) => {
   const t = atob(e), r = new Uint8Array(t.length);
   for (let n = 0; n < t.length; n++)
     r[n] = t.charCodeAt(n);
   return r;
-}, O = (e) => {
+}, K = (e) => {
   let t = e;
-  t instanceof Uint8Array && (t = N.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
+  t instanceof Uint8Array && (t = H.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
   try {
-    return pe(t);
+    return _e(t);
   } catch {
     throw new TypeError("The input to be decoded is not correctly encoded.");
   }
 };
-class J extends Error {
-  static get code() {
-    return "ERR_JOSE_GENERIC";
+class S extends Error {
+  constructor(t, r) {
+    var n;
+    super(t, r), this.code = "ERR_JOSE_GENERIC", this.name = this.constructor.name, (n = Error.captureStackTrace) == null || n.call(Error, this, this.constructor);
   }
-  constructor(t) {
-    var r;
-    super(t), this.code = "ERR_JOSE_GENERIC", this.name = this.constructor.name, (r = Error.captureStackTrace) == null || r.call(Error, this, this.constructor);
+}
+S.code = "ERR_JOSE_GENERIC";
+class ve extends S {
+  constructor(t, r, n = "unspecified", i = "unspecified") {
+    super(t, { cause: { claim: n, reason: i, payload: r } }), this.code = "ERR_JWT_CLAIM_VALIDATION_FAILED", this.claim = n, this.reason = i, this.payload = r;
+  }
+}
+ve.code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+class Se extends S {
+  constructor(t, r, n = "unspecified", i = "unspecified") {
+    super(t, { cause: { claim: n, reason: i, payload: r } }), this.code = "ERR_JWT_EXPIRED", this.claim = n, this.reason = i, this.payload = r;
+  }
+}
+Se.code = "ERR_JWT_EXPIRED";
+class be extends S {
+  constructor() {
+    super(...arguments), this.code = "ERR_JOSE_ALG_NOT_ALLOWED";
   }
 }
-class b extends J {
+be.code = "ERR_JOSE_ALG_NOT_ALLOWED";
+class C extends S {
   constructor() {
     super(...arguments), this.code = "ERR_JOSE_NOT_SUPPORTED";
   }
-  static get code() {
-    return "ERR_JOSE_NOT_SUPPORTED";
+}
+C.code = "ERR_JOSE_NOT_SUPPORTED";
+class Ce extends S {
+  constructor(t = "decryption operation failed", r) {
+    super(t, r), this.code = "ERR_JWE_DECRYPTION_FAILED";
   }
 }
-class v extends J {
+Ce.code = "ERR_JWE_DECRYPTION_FAILED";
+class Ae extends S {
   constructor() {
-    super(...arguments), this.code = "ERR_JWS_INVALID";
+    super(...arguments), this.code = "ERR_JWE_INVALID";
   }
-  static get code() {
-    return "ERR_JWS_INVALID";
+}
+Ae.code = "ERR_JWE_INVALID";
+class w extends S {
+  constructor() {
+    super(...arguments), this.code = "ERR_JWS_INVALID";
   }
 }
-class R extends J {
+w.code = "ERR_JWS_INVALID";
+class P extends S {
   constructor() {
     super(...arguments), this.code = "ERR_JWT_INVALID";
   }
-  static get code() {
-    return "ERR_JWT_INVALID";
+}
+P.code = "ERR_JWT_INVALID";
+class Ie extends S {
+  constructor() {
+    super(...arguments), this.code = "ERR_JWK_INVALID";
   }
 }
-class ge extends J {
+Ie.code = "ERR_JWK_INVALID";
+class Ee extends S {
   constructor() {
-    super(...arguments), this.code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED", this.message = "signature verification failed";
+    super(...arguments), this.code = "ERR_JWKS_INVALID";
   }
-  static get code() {
-    return "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+}
+Ee.code = "ERR_JWKS_INVALID";
+class Te extends S {
+  constructor(t = "no applicable key found in the JSON Web Key Set", r) {
+    super(t, r), this.code = "ERR_JWKS_NO_MATCHING_KEY";
   }
 }
-function A(e, t = "algorithm.name") {
+Te.code = "ERR_JWKS_NO_MATCHING_KEY";
+class Re extends S {
+  constructor(t = "multiple matching keys found in the JSON Web Key Set", r) {
+    super(t, r), this.code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
+  }
+}
+Re.code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
+class Pe extends S {
+  constructor(t = "request timed out", r) {
+    super(t, r), this.code = "ERR_JWKS_TIMEOUT";
+  }
+}
+Pe.code = "ERR_JWKS_TIMEOUT";
+class oe extends S {
+  constructor(t = "signature verification failed", r) {
+    super(t, r), this.code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+  }
+}
+oe.code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+function I(e, t = "algorithm.name") {
   return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`);
 }
 function z(e, t) {
   return e.name === t;
 }
-function M(e) {
+function V(e) {
   return parseInt(e.name.slice(4), 10);
 }
-function ye(e) {
+function ke(e) {
   switch (e) {
     case "ES256":
       return "P-256";
@@ -449,7 +505,7 @@ function ye(e) {
       throw new Error("unreachable");
   }
 }
-function me(e, t) {
+function Ke(e, t) {
   if (t.length && !t.some((r) => e.usages.includes(r))) {
     let r = "CryptoKey does not support this operation, its usages must include ";
     if (t.length > 2) {
@@ -459,71 +515,76 @@ function me(e, t) {
     throw new TypeError(r);
   }
 }
-function we(e, t, ...r) {
+function Oe(e, t, ...r) {
   switch (t) {
     case "HS256":
     case "HS384":
     case "HS512": {
       if (!z(e.algorithm, "HMAC"))
-        throw A("HMAC");
+        throw I("HMAC");
       const n = parseInt(t.slice(2), 10);
-      if (M(e.algorithm.hash) !== n)
-        throw A(`SHA-${n}`, "algorithm.hash");
+      if (V(e.algorithm.hash) !== n)
+        throw I(`SHA-${n}`, "algorithm.hash");
       break;
     }
     case "RS256":
     case "RS384":
     case "RS512": {
       if (!z(e.algorithm, "RSASSA-PKCS1-v1_5"))
-        throw A("RSASSA-PKCS1-v1_5");
+        throw I("RSASSA-PKCS1-v1_5");
       const n = parseInt(t.slice(2), 10);
-      if (M(e.algorithm.hash) !== n)
-        throw A(`SHA-${n}`, "algorithm.hash");
+      if (V(e.algorithm.hash) !== n)
+        throw I(`SHA-${n}`, "algorithm.hash");
       break;
     }
     case "PS256":
     case "PS384":
     case "PS512": {
       if (!z(e.algorithm, "RSA-PSS"))
-        throw A("RSA-PSS");
+        throw I("RSA-PSS");
       const n = parseInt(t.slice(2), 10);
-      if (M(e.algorithm.hash) !== n)
-        throw A(`SHA-${n}`, "algorithm.hash");
+      if (V(e.algorithm.hash) !== n)
+        throw I(`SHA-${n}`, "algorithm.hash");
       break;
     }
     case "EdDSA": {
       if (e.algorithm.name !== "Ed25519" && e.algorithm.name !== "Ed448")
-        throw A("Ed25519 or Ed448");
+        throw I("Ed25519 or Ed448");
+      break;
+    }
+    case "Ed25519": {
+      if (!z(e.algorithm, "Ed25519"))
+        throw I("Ed25519");
       break;
     }
     case "ES256":
     case "ES384":
     case "ES512": {
       if (!z(e.algorithm, "ECDSA"))
-        throw A("ECDSA");
-      const n = ye(t);
+        throw I("ECDSA");
+      const n = ke(t);
       if (e.algorithm.namedCurve !== n)
-        throw A(n, "algorithm.namedCurve");
+        throw I(n, "algorithm.namedCurve");
       break;
     }
     default:
       throw new TypeError("CryptoKey does not support this operation");
   }
-  me(e, r);
+  Ke(e, r);
 }
-function te(e, t, ...r) {
+function se(e, t, ...r) {
   var n;
-  if (r.length > 2) {
+  if (r = r.filter(Boolean), r.length > 2) {
     const i = r.pop();
     e += `one of type ${r.join(", ")}, or ${i}.`;
   } else r.length === 2 ? e += `one of type ${r[0]} or ${r[1]}.` : e += `of type ${r[0]}.`;
   return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t != null && (n = t.constructor) != null && n.name && (e += ` Received an instance of ${t.constructor.name}`), e;
 }
-const V = (e, ...t) => te("Key must be ", e, ...t);
-function re(e, t, ...r) {
-  return te(`Key for the ${e} algorithm must be `, t, ...r);
+const Q = (e, ...t) => se("Key must be ", e, ...t);
+function ae(e, t, ...r) {
+  return se(`Key for the ${e} algorithm must be `, t, ...r);
 }
-const ie = (e) => ee(e) ? !0 : (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", D = ["CryptoKey"], ve = (...e) => {
+const ce = (e) => ne(e) ? !0 : (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", L = ["CryptoKey"], We = (...e) => {
   const t = e.filter(Boolean);
   if (t.length === 0 || t.length === 1)
     return !0;
@@ -542,11 +603,11 @@ const ie = (e) => ee(e) ? !0 : (e == null ? void 0 : e[Symbol.toStringTag]) ===
   }
   return !0;
 };
-function _e(e) {
+function Ne(e) {
   return typeof e == "object" && e !== null;
 }
-function U(e) {
-  if (!_e(e) || Object.prototype.toString.call(e) !== "[object Object]")
+function x(e) {
+  if (!Ne(e) || Object.prototype.toString.call(e) !== "[object Object]")
     return !1;
   if (Object.getPrototypeOf(e) === null)
     return !0;
@@ -555,14 +616,26 @@ function U(e) {
     t = Object.getPrototypeOf(t);
   return Object.getPrototypeOf(e) === t;
 }
-const Se = (e, t) => {
+const Je = (e, t) => {
   if (e.startsWith("RS") || e.startsWith("PS")) {
     const { modulusLength: r } = t.algorithm;
     if (typeof r != "number" || r < 2048)
       throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`);
   }
 };
-function Ce(e) {
+function U(e) {
+  return x(e) && typeof e.kty == "string";
+}
+function xe(e) {
+  return e.kty !== "oct" && typeof e.d == "string";
+}
+function Ue(e) {
+  return e.kty !== "oct" && typeof e.d > "u";
+}
+function De(e) {
+  return U(e) && e.kty === "oct" && typeof e.k == "string";
+}
+function ze(e) {
   let t, r;
   switch (e.kty) {
     case "RSA": {
@@ -587,7 +660,7 @@ function Ce(e) {
           }, r = e.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
           break;
         default:
-          throw new b('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new C('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
       }
       break;
     }
@@ -609,12 +682,15 @@ function Ce(e) {
           t = { name: "ECDH", namedCurve: e.crv }, r = e.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new b('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new C('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
       }
       break;
     }
     case "OKP": {
       switch (e.alg) {
+        case "Ed25519":
+          t = { name: "Ed25519" }, r = e.d ? ["sign"] : ["verify"];
+          break;
         case "EdDSA":
           t = { name: e.crv }, r = e.d ? ["sign"] : ["verify"];
           break;
@@ -625,71 +701,71 @@ function Ce(e) {
           t = { name: e.crv }, r = e.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new b('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new C('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
       }
       break;
     }
     default:
-      throw new b('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
+      throw new C('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
   }
   return { algorithm: t, keyUsages: r };
 }
-const ne = async (e) => {
+const de = async (e) => {
   if (!e.alg)
     throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
-  const { algorithm: t, keyUsages: r } = Ce(e), n = [
+  const { algorithm: t, keyUsages: r } = ze(e), n = [
     t,
     e.ext ?? !1,
     e.key_ops ?? r
   ], i = { ...e };
-  return delete i.alg, delete i.use, H.subtle.importKey("jwk", i, ...n);
-}, oe = (e) => O(e);
-let $, L;
-const se = (e) => (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", ae = async (e, t, r, n) => {
-  let i = e.get(t);
-  if (i != null && i[n])
-    return i[n];
-  const o = await ne({ ...r, alg: n });
-  return i ? i[n] = o : e.set(t, { [n]: o }), o;
-}, be = (e, t) => {
-  if (se(e)) {
+  return delete i.alg, delete i.use, q.subtle.importKey("jwk", i, ...n);
+}, le = (e) => K(e);
+let W, N;
+const ue = (e) => (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", F = async (e, t, r, n, i = !1) => {
+  let o = e.get(t);
+  if (o != null && o[n])
+    return o[n];
+  const s = await de({ ...r, alg: n });
+  return i && Object.freeze(t), o ? o[n] = s : e.set(t, { [n]: s }), s;
+}, He = (e, t) => {
+  if (ue(e)) {
     let r = e.export({ format: "jwk" });
-    return delete r.d, delete r.dp, delete r.dq, delete r.p, delete r.q, delete r.qi, r.k ? oe(r.k) : (L || (L = /* @__PURE__ */ new WeakMap()), ae(L, e, r, t));
+    return delete r.d, delete r.dp, delete r.dq, delete r.p, delete r.q, delete r.qi, r.k ? le(r.k) : (N || (N = /* @__PURE__ */ new WeakMap()), F(N, e, r, t));
   }
-  return e;
-}, Ae = (e, t) => {
-  if (se(e)) {
+  return U(e) ? e.k ? K(e.k) : (N || (N = /* @__PURE__ */ new WeakMap()), F(N, e, e, t, !0)) : e;
+}, Me = (e, t) => {
+  if (ue(e)) {
     let r = e.export({ format: "jwk" });
-    return r.k ? oe(r.k) : ($ || ($ = /* @__PURE__ */ new WeakMap()), ae($, e, r, t));
+    return r.k ? le(r.k) : (W || (W = /* @__PURE__ */ new WeakMap()), F(W, e, r, t));
   }
-  return e;
-}, ke = { normalizePublicKey: be, normalizePrivateKey: Ae }, T = (e, t, r = 0) => {
+  return U(e) ? e.k ? K(e.k) : (W || (W = /* @__PURE__ */ new WeakMap()), F(W, e, e, t, !0)) : e;
+}, Le = { normalizePublicKey: He, normalizePrivateKey: Me }, k = (e, t, r = 0) => {
   r === 0 && (t.unshift(t.length), t.unshift(6));
   const n = e.indexOf(t[0], r);
   if (n === -1)
     return !1;
   const i = e.subarray(n, n + t.length);
-  return i.length !== t.length ? !1 : i.every((o, s) => o === t[s]) || T(e, t, n + 1);
-}, G = (e) => {
+  return i.length !== t.length ? !1 : i.every((o, s) => o === t[s]) || k(e, t, n + 1);
+}, Z = (e) => {
   switch (!0) {
-    case T(e, [42, 134, 72, 206, 61, 3, 1, 7]):
+    case k(e, [42, 134, 72, 206, 61, 3, 1, 7]):
       return "P-256";
-    case T(e, [43, 129, 4, 0, 34]):
+    case k(e, [43, 129, 4, 0, 34]):
       return "P-384";
-    case T(e, [43, 129, 4, 0, 35]):
+    case k(e, [43, 129, 4, 0, 35]):
       return "P-521";
-    case T(e, [43, 101, 110]):
+    case k(e, [43, 101, 110]):
       return "X25519";
-    case T(e, [43, 101, 111]):
+    case k(e, [43, 101, 111]):
       return "X448";
-    case T(e, [43, 101, 112]):
+    case k(e, [43, 101, 112]):
       return "Ed25519";
-    case T(e, [43, 101, 113]):
+    case k(e, [43, 101, 113]):
       return "Ed448";
     default:
-      throw new b("Invalid or unsupported EC Key Curve or OKP Key Sub Type");
+      throw new C("Invalid or unsupported EC Key Curve or OKP Key Sub Type");
   }
-}, ce = async (e, t, r, n, i) => {
+}, he = async (e, t, r, n, i) => {
   let o, s;
   const c = new Uint8Array(atob(r.replace(e, "")).split("").map((f) => f.charCodeAt(0))), d = t === "spki";
   switch (n) {
@@ -725,66 +801,101 @@ const se = (e) => (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject",
     case "ECDH-ES+A128KW":
     case "ECDH-ES+A192KW":
     case "ECDH-ES+A256KW": {
-      const f = G(c);
+      const f = Z(c);
       o = f.startsWith("P-") ? { name: "ECDH", namedCurve: f } : { name: f }, s = d ? [] : ["deriveBits"];
       break;
     }
+    case "Ed25519":
+      o = { name: "Ed25519" }, s = d ? ["verify"] : ["sign"];
+      break;
     case "EdDSA":
-      o = { name: G(c) }, s = d ? ["verify"] : ["sign"];
+      o = { name: Z(c) }, s = d ? ["verify"] : ["sign"];
       break;
     default:
-      throw new b('Invalid or unsupported "alg" (Algorithm) value');
+      throw new C('Invalid or unsupported "alg" (Algorithm) value');
   }
-  return H.subtle.importKey(t, c, o, !1, s);
-}, Ie = (e, t, r) => ce(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g, "pkcs8", e, t), Pe = (e, t, r) => ce(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", e, t);
-async function Te(e, t, r) {
+  return q.subtle.importKey(t, c, o, !1, s);
+}, Fe = (e, t, r) => he(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g, "pkcs8", e, t), qe = (e, t, r) => he(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", e, t);
+async function $e(e, t, r) {
   if (typeof e != "string" || e.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
     throw new TypeError('"spki" must be SPKI formatted string');
-  return Pe(e, t);
+  return qe(e, t);
 }
-async function Re(e, t, r) {
+async function Be(e, t, r) {
   if (typeof e != "string" || e.indexOf("-----BEGIN PRIVATE KEY-----") !== 0)
     throw new TypeError('"pkcs8" must be PKCS#8 formatted string');
-  return Ie(e, t);
+  return Fe(e, t);
 }
-async function Y(e, t) {
-  if (!U(e))
+async function j(e, t) {
+  if (!x(e))
     throw new TypeError("JWK must be an object");
   switch (t || (t = e.alg), e.kty) {
     case "oct":
       if (typeof e.k != "string" || !e.k)
         throw new TypeError('missing "k" (Key Value) Parameter value');
-      return O(e.k);
+      return K(e.k);
     case "RSA":
-      if (e.oth !== void 0)
-        throw new b('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+      if ("oth" in e && e.oth !== void 0)
+        throw new C('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
     case "EC":
     case "OKP":
-      return ne({ ...e, alg: t });
+      return de({ ...e, alg: t });
     default:
-      throw new b('Unsupported "kty" (Key Type) Parameter value');
+      throw new C('Unsupported "kty" (Key Type) Parameter value');
   }
 }
-const W = (e) => e == null ? void 0 : e[Symbol.toStringTag], Ee = (e, t) => {
+const J = (e) => e == null ? void 0 : e[Symbol.toStringTag], G = (e, t, r) => {
+  var n, i;
+  if (t.use !== void 0 && t.use !== "sig")
+    throw new TypeError("Invalid key for this operation, when present its use must be sig");
+  if (t.key_ops !== void 0 && ((i = (n = t.key_ops).includes) == null ? void 0 : i.call(n, r)) !== !0)
+    throw new TypeError(`Invalid key for this operation, when present its key_ops must include ${r}`);
+  if (t.alg !== void 0 && t.alg !== e)
+    throw new TypeError(`Invalid key for this operation, when present its alg must be ${e}`);
+  return !0;
+}, Ve = (e, t, r, n) => {
   if (!(t instanceof Uint8Array)) {
-    if (!ie(t))
-      throw new TypeError(re(e, t, ...D, "Uint8Array"));
+    if (n && U(t)) {
+      if (De(t) && G(e, t, r))
+        return;
+      throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present');
+    }
+    if (!ce(t))
+      throw new TypeError(ae(e, t, ...L, "Uint8Array", n ? "JSON Web Key" : null));
     if (t.type !== "secret")
-      throw new TypeError(`${W(t)} instances for symmetric algorithms must be of type "secret"`);
+      throw new TypeError(`${J(t)} instances for symmetric algorithms must be of type "secret"`);
   }
-}, Oe = (e, t, r) => {
-  if (!ie(t))
-    throw new TypeError(re(e, t, ...D));
+}, je = (e, t, r, n) => {
+  if (n && U(t))
+    switch (r) {
+      case "sign":
+        if (xe(t) && G(e, t, r))
+          return;
+        throw new TypeError("JSON Web Key for this operation be a private JWK");
+      case "verify":
+        if (Ue(t) && G(e, t, r))
+          return;
+        throw new TypeError("JSON Web Key for this operation be a public JWK");
+    }
+  if (!ce(t))
+    throw new TypeError(ae(e, t, ...L, n ? "JSON Web Key" : null));
   if (t.type === "secret")
-    throw new TypeError(`${W(t)} instances for asymmetric algorithms must not be of type "secret"`);
+    throw new TypeError(`${J(t)} instances for asymmetric algorithms must not be of type "secret"`);
+  if (r === "sign" && t.type === "public")
+    throw new TypeError(`${J(t)} instances for asymmetric algorithm signing must be of type "private"`);
+  if (r === "decrypt" && t.type === "public")
+    throw new TypeError(`${J(t)} instances for asymmetric algorithm decryption must be of type "private"`);
   if (t.algorithm && r === "verify" && t.type === "private")
-    throw new TypeError(`${W(t)} instances for asymmetric algorithm verifying must be of type "public"`);
+    throw new TypeError(`${J(t)} instances for asymmetric algorithm verifying must be of type "public"`);
   if (t.algorithm && r === "encrypt" && t.type === "private")
-    throw new TypeError(`${W(t)} instances for asymmetric algorithm encryption must be of type "public"`);
-}, Ke = (e, t, r) => {
-  e.startsWith("HS") || e === "dir" || e.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(e) ? Ee(e, t) : Oe(e, t, r);
+    throw new TypeError(`${J(t)} instances for asymmetric algorithm encryption must be of type "public"`);
 };
-function Ue(e, t, r, n, i) {
+function fe(e, t, r, n) {
+  t.startsWith("HS") || t === "dir" || t.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(t) ? Ve(t, r, n, e) : je(t, r, n, e);
+}
+fe.bind(void 0, !1);
+const ee = fe.bind(void 0, !0);
+function Ge(e, t, r, n, i) {
   if (i.crit !== void 0 && (n == null ? void 0 : n.crit) === void 0)
     throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');
   if (!n || n.crit === void 0)
@@ -795,7 +906,7 @@ function Ue(e, t, r, n, i) {
   o = t;
   for (const s of n.crit) {
     if (!o.has(s))
-      throw new b(`Extension Header Parameter "${s}" is not recognized`);
+      throw new C(`Extension Header Parameter "${s}" is not recognized`);
     if (i[s] === void 0)
       throw new e(`Extension Header Parameter "${s}" is missing`);
     if (o.get(s) && n[s] === void 0)
@@ -803,7 +914,7 @@ function Ue(e, t, r, n, i) {
   }
   return new Set(n.crit);
 }
-function Ne(e, t) {
+function Ye(e, t) {
   const r = `SHA-${e.slice(-3)}`;
   switch (e) {
     case "HS256":
@@ -822,103 +933,105 @@ function Ne(e, t) {
     case "ES384":
     case "ES512":
       return { hash: r, name: "ECDSA", namedCurve: t.namedCurve };
+    case "Ed25519":
+      return { name: "Ed25519" };
     case "EdDSA":
       return { name: t.name };
     default:
-      throw new b(`alg ${e} is not supported either by JOSE or your javascript runtime`);
+      throw new C(`alg ${e} is not supported either by JOSE or your javascript runtime`);
   }
 }
-async function xe(e, t, r) {
-  if (t = await ke.normalizePublicKey(t, e), ee(t))
-    return we(t, e, r), t;
+async function Xe(e, t, r) {
+  if (t = await Le.normalizePublicKey(t, e), ne(t))
+    return Oe(t, e, r), t;
   if (t instanceof Uint8Array) {
     if (!e.startsWith("HS"))
-      throw new TypeError(V(t, ...D));
-    return H.subtle.importKey("raw", t, { hash: `SHA-${e.slice(-3)}`, name: "HMAC" }, !1, [r]);
+      throw new TypeError(Q(t, ...L));
+    return q.subtle.importKey("raw", t, { hash: `SHA-${e.slice(-3)}`, name: "HMAC" }, !1, [r]);
   }
-  throw new TypeError(V(t, ...D, "Uint8Array"));
+  throw new TypeError(Q(t, ...L, "Uint8Array", "JSON Web Key"));
 }
-const ze = async (e, t, r, n) => {
-  const i = await xe(e, t, "verify");
-  Se(e, i);
-  const o = Ne(e, i.algorithm);
+const Qe = async (e, t, r, n) => {
+  const i = await Xe(e, t, "verify");
+  Je(e, i);
+  const o = Ye(e, i.algorithm);
   try {
-    return await H.subtle.verify(o, i, r, n);
+    return await q.subtle.verify(o, i, r, n);
   } catch {
     return !1;
   }
 };
-async function We(e, t, r) {
-  if (!U(e))
-    throw new v("Flattened JWS must be an object");
+async function Ze(e, t, r) {
+  if (!x(e))
+    throw new w("Flattened JWS must be an object");
   if (e.protected === void 0 && e.header === void 0)
-    throw new v('Flattened JWS must have either of the "protected" or "header" members');
+    throw new w('Flattened JWS must have either of the "protected" or "header" members');
   if (e.protected !== void 0 && typeof e.protected != "string")
-    throw new v("JWS Protected Header incorrect type");
+    throw new w("JWS Protected Header incorrect type");
   if (e.payload === void 0)
-    throw new v("JWS Payload missing");
+    throw new w("JWS Payload missing");
   if (typeof e.signature != "string")
-    throw new v("JWS Signature missing or incorrect type");
-  if (e.header !== void 0 && !U(e.header))
-    throw new v("JWS Unprotected Header incorrect type");
+    throw new w("JWS Signature missing or incorrect type");
+  if (e.header !== void 0 && !x(e.header))
+    throw new w("JWS Unprotected Header incorrect type");
   let n = {};
   if (e.protected)
     try {
-      const le = O(e.protected);
-      n = JSON.parse(N.decode(le));
+      const ge = K(e.protected);
+      n = JSON.parse(H.decode(ge));
     } catch {
-      throw new v("JWS Protected Header is invalid");
+      throw new w("JWS Protected Header is invalid");
     }
-  if (!ve(n, e.header))
-    throw new v("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+  if (!We(n, e.header))
+    throw new w("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
   const i = {
     ...n,
     ...e.header
-  }, o = Ue(v, /* @__PURE__ */ new Map([["b64", !0]]), r == null ? void 0 : r.crit, n, i);
+  }, o = Ge(w, /* @__PURE__ */ new Map([["b64", !0]]), r == null ? void 0 : r.crit, n, i);
   let s = !0;
   if (o.has("b64") && (s = n.b64, typeof s != "boolean"))
-    throw new v('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+    throw new w('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
   const { alg: c } = i;
   if (typeof c != "string" || !c)
-    throw new v('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+    throw new w('JWS "alg" (Algorithm) Header Parameter missing or invalid');
   if (s) {
     if (typeof e.payload != "string")
-      throw new v("JWS Payload must be a string");
+      throw new w("JWS Payload must be a string");
   } else if (typeof e.payload != "string" && !(e.payload instanceof Uint8Array))
-    throw new v("JWS Payload must be a string or an Uint8Array instance");
+    throw new w("JWS Payload must be a string or an Uint8Array instance");
   let d = !1;
-  typeof t == "function" && (t = await t(n, e), d = !0), Ke(c, t, "verify");
-  const f = fe(x.encode(e.protected ?? ""), x.encode("."), typeof e.payload == "string" ? x.encode(e.payload) : e.payload);
-  let k;
+  typeof t == "function" ? (t = await t(n, e), d = !0, ee(c, t, "verify"), U(t) && (t = await j(t, c))) : ee(c, t, "verify");
+  const f = we(M.encode(e.protected ?? ""), M.encode("."), typeof e.payload == "string" ? M.encode(e.payload) : e.payload);
+  let T;
   try {
-    k = O(e.signature);
+    T = K(e.signature);
   } catch {
-    throw new v("Failed to base64url decode the signature");
+    throw new w("Failed to base64url decode the signature");
   }
-  if (!await ze(c, t, k, f))
-    throw new ge();
-  let S;
+  if (!await Qe(c, t, T, f))
+    throw new oe();
+  let b;
   if (s)
     try {
-      S = O(e.payload);
+      b = K(e.payload);
     } catch {
-      throw new v("Failed to base64url decode the payload");
+      throw new w("Failed to base64url decode the payload");
     }
-  else typeof e.payload == "string" ? S = x.encode(e.payload) : S = e.payload;
-  const I = { payload: S };
-  return e.protected !== void 0 && (I.protectedHeader = n), e.header !== void 0 && (I.unprotectedHeader = e.header), d ? { ...I, key: t } : I;
+  else typeof e.payload == "string" ? b = M.encode(e.payload) : b = e.payload;
+  const R = { payload: b };
+  return e.protected !== void 0 && (R.protectedHeader = n), e.header !== void 0 && (R.unprotectedHeader = e.header), d ? { ...R, key: t } : R;
 }
-async function De(e, t, r) {
-  if (e instanceof Uint8Array && (e = N.decode(e)), typeof e != "string")
-    throw new v("Compact JWS must be a string or Uint8Array");
+async function et(e, t, r) {
+  if (e instanceof Uint8Array && (e = H.decode(e)), typeof e != "string")
+    throw new w("Compact JWS must be a string or Uint8Array");
   const { 0: n, 1: i, 2: o, length: s } = e.split(".");
   if (s !== 3)
-    throw new v("Invalid Compact JWS");
-  const c = await We({ payload: i, protected: n, signature: o }, t, r), d = { payload: c.payload, protectedHeader: c.protectedHeader };
+    throw new w("Invalid Compact JWS");
+  const c = await Ze({ payload: i, protected: n, signature: o }, t, r), d = { payload: c.payload, protectedHeader: c.protectedHeader };
   return typeof t == "function" ? { ...d, key: c.key } : d;
 }
-const de = O;
-function X(e) {
+const pe = K;
+function te(e) {
   let t;
   if (typeof e == "string") {
     const r = e.split(".");
@@ -931,38 +1044,38 @@ function X(e) {
   try {
     if (typeof t != "string" || !t)
       throw new Error();
-    const r = JSON.parse(N.decode(de(t)));
-    if (!U(r))
+    const r = JSON.parse(H.decode(pe(t)));
+    if (!x(r))
       throw new Error();
     return r;
   } catch {
     throw new TypeError("Invalid Token or Protected Header formatting");
   }
 }
-function He(e) {
+function tt(e) {
   if (typeof e != "string")
-    throw new R("JWTs must use Compact JWS serialization, JWT must be a string");
+    throw new P("JWTs must use Compact JWS serialization, JWT must be a string");
   const { 1: t, length: r } = e.split(".");
   if (r === 5)
-    throw new R("Only JWTs using Compact JWS serialization can be decoded");
+    throw new P("Only JWTs using Compact JWS serialization can be decoded");
   if (r !== 3)
-    throw new R("Invalid JWT");
+    throw new P("Invalid JWT");
   if (!t)
-    throw new R("JWTs must contain a payload");
+    throw new P("JWTs must contain a payload");
   let n;
   try {
-    n = de(t);
+    n = pe(t);
   } catch {
-    throw new R("Failed to base64url decode the payload");
+    throw new P("Failed to base64url decode the payload");
   }
   let i;
   try {
-    i = JSON.parse(N.decode(n));
+    i = JSON.parse(H.decode(n));
   } catch {
-    throw new R("Failed to parse the decoded payload as JSON");
+    throw new P("Failed to parse the decoded payload as JSON");
   }
-  if (!U(i))
-    throw new R("Invalid JWT Claims Set");
+  if (!x(i))
+    throw new P("Invalid JWT Claims Set");
   return i;
 }
 const h = class h {
@@ -1061,9 +1174,9 @@ a(h, "flowName", {
   [h.PasswordMfa]: "Password MFA",
   [h.OidcAuthorizationCode]: "OIDC Authorization Code"
 });
-let Q = h;
-var w, _;
-class qe {
+let re = h;
+var _, v;
+class nt {
   /**
    * Constructor.
    * 
@@ -1101,12 +1214,12 @@ class qe {
     verifierLength: c,
     tokenConsumer: d,
     authServerCredentials: f,
-    authServerMode: k,
-    authServerHeaders: E
+    authServerMode: T,
+    authServerHeaders: O
   }) {
     a(this, "authServerBaseUrl", "");
-    F(this, w);
-    F(this, _);
+    $(this, _);
+    $(this, v);
     a(this, "codeChallengeMethod", "S256");
     a(this, "verifierLength", 32);
     a(this, "redirect_uri");
@@ -1121,13 +1234,13 @@ class qe {
     a(this, "oauthLogFetch", !1);
     a(this, "oauthUseUserInfoEndpoint", !1);
     a(this, "oauthAuthorizeRedirect");
-    this.tokenConsumer = d, this.authServerBaseUrl = t, c && (this.verifierLength = c), s && (this.stateLength = s), r && K(this, w, r), n && K(this, _, n), i && (this.redirect_uri = i), o && (this.codeChallengeMethod = o), this.authServerBaseUrl = t, f && (this.authServerCredentials = f), k && (this.authServerMode = k), E && (this.authServerHeaders = E);
+    this.tokenConsumer = d, this.authServerBaseUrl = t, c && (this.verifierLength = c), s && (this.stateLength = s), r && D(this, _, r), n && D(this, v, n), i && (this.redirect_uri = i), o && (this.codeChallengeMethod = o), this.authServerBaseUrl = t, f && (this.authServerCredentials = f), T && (this.authServerMode = T), O && (this.authServerHeaders = O);
   }
   set client_id(t) {
-    K(this, w, t);
+    D(this, _, t);
   }
   set client_secret(t) {
-    K(this, _, t);
+    D(this, v, t);
   }
   /**
    * Loads OpenID Connect configuration so that the client can determine
@@ -1161,7 +1274,7 @@ class qe {
         y.Connection,
         "Couldn't get OIDC configuration from URL" + this.authServerBaseUrl + "/.well-known/openid-configuration"
       );
-    this.oidcConfig = { ...Z };
+    this.oidcConfig = { ...ie };
     try {
       const n = await r.json();
       for (const [i, o] of Object.entries(n))
@@ -1207,7 +1320,7 @@ class qe {
         error: "server_error",
         error_description: "Cannot get authorize endpoint"
       };
-    if (!p(this, w)) return {
+    if (!p(this, _)) return {
       error: "invalid_request",
       error_description: "Cannot make authorization code flow without client id"
     };
@@ -1217,7 +1330,7 @@ class qe {
     };
     let o = this.oidcConfig.authorization_endpoint;
     this.oauthAuthorizeRedirect && (o = this.oauthAuthorizeRedirect);
-    let s = o + "?response_type=code&client_id=" + encodeURIComponent(p(this, w)) + "&state=" + encodeURIComponent(t) + "&redirect_uri=" + encodeURIComponent(this.redirect_uri);
+    let s = o + "?response_type=code&client_id=" + encodeURIComponent(p(this, _)) + "&state=" + encodeURIComponent(t) + "&redirect_uri=" + encodeURIComponent(this.redirect_uri);
     return r && (s += "&scope=" + encodeURIComponent(r)), i && n && (s += "&code_challenge=" + n), { url: s };
   }
   async codeChallengeAndVerifier() {
@@ -1273,40 +1386,40 @@ class qe {
    *          request, or `error` and `error_description`.
    */
   async redirectEndpoint(t, r, n, i, o) {
-    var k, E;
+    var T, O;
     if (this.oidcConfig || await this.loadConfig(), i || !t)
       return i || (i = "server_error"), o || (o = "Unknown error"), { error: i, error_description: o };
-    if (this.authzCode = t, !((k = this.oidcConfig) != null && k.grant_types_supported.includes("authorization_code")))
+    if (this.authzCode = t, !((T = this.oidcConfig) != null && T.grant_types_supported.includes("authorization_code")))
       return {
         error: "invalid_request",
         error_description: "Server does not support authorization code grant"
       };
-    if (!((E = this.oidcConfig) != null && E.token_endpoint))
+    if (!((O = this.oidcConfig) != null && O.token_endpoint))
       return {
         error: "server_error",
         error_description: "Cannot get token endpoint"
       };
     const s = this.oidcConfig.token_endpoint;
     let c, d;
-    c = "authorization_code", d = p(this, _);
+    c = "authorization_code", d = p(this, v);
     let f = {
       grant_type: c,
-      client_id: p(this, w),
+      client_id: p(this, _),
       code: this.authzCode,
       redirect_uri: this.redirect_uri
     };
     r && (f.scope = r), d && (f.client_secret = d), n && (f.code_verifier = n);
     try {
-      let S = await this.post(s, f, this.authServerHeaders);
-      if (S.id_token) {
-        const I = await this.getIdPayload(S.id_token, S.access_token);
-        if (I.error)
-          return I;
-        S.id_payload = I.payload;
+      let b = await this.post(s, f, this.authServerHeaders);
+      if (b.id_token) {
+        const R = await this.getIdPayload(b.id_token, b.access_token);
+        if (R.error)
+          return R;
+        b.id_payload = R.payload;
       }
-      return S;
-    } catch (S) {
-      return l.logger.error(u({ err: S })), {
+      return b;
+    } catch (b) {
+      return l.logger.error(u({ err: b })), {
         error: "server_error",
         error_description: "Unable to get access token from server"
       };
@@ -1335,15 +1448,15 @@ class qe {
       };
     if (!((o = this.oidcConfig) != null && o.token_endpoint))
       return { error: "server_error", error_description: "Cannot get token endpoint" };
-    if (!p(this, w)) return {
+    if (!p(this, _)) return {
       error: "invalid_request",
       error_description: "Cannot make client credentials flow without client id"
     };
     const r = this.oidcConfig.token_endpoint;
     let n = {
       grant_type: "client_credentials",
-      client_id: p(this, w),
-      client_secret: p(this, _)
+      client_id: p(this, _),
+      client_secret: p(this, v)
     };
     t && (n.scope = t);
     try {
@@ -1392,8 +1505,8 @@ class qe {
     const i = this.oidcConfig.token_endpoint;
     let o = {
       grant_type: "password",
-      client_id: p(this, w),
-      client_secret: p(this, _),
+      client_id: p(this, _),
+      client_secret: p(this, v),
       username: t,
       password: r
     };
@@ -1482,8 +1595,8 @@ class qe {
     if (!((s = this.oidcConfig) != null && s.issuer))
       return { error: "server_error", error_description: "Cannot get issuer" };
     const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", i = await this.post(n, {
-      client_id: p(this, w),
-      client_secret: p(this, _),
+      client_id: p(this, _),
+      client_secret: p(this, v),
       challenge_type: "otp",
       mfa_token: t,
       authenticator_id: r
@@ -1521,8 +1634,8 @@ class qe {
       return { error: "server_error", error_description: "Cannot get issuer" };
     const i = this.oidcConfig.token_endpoint, o = await this.post(i, {
       grant_type: "http://auth0.com/oauth/grant-type/mfa-otp",
-      client_id: p(this, w),
-      client_secret: p(this, _),
+      client_id: p(this, _),
+      client_secret: p(this, v),
       challenge_type: "otp",
       mfa_token: t,
       otp: r,
@@ -1573,8 +1686,8 @@ class qe {
     if (!((s = this.oidcConfig) != null && s.issuer))
       return { error: "server_error", error_description: "Cannot get issuer" };
     const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", i = await this.post(n, {
-      client_id: p(this, w),
-      client_secret: p(this, _),
+      client_id: p(this, _),
+      client_secret: p(this, v),
       challenge_type: "oob",
       mfa_token: t,
       authenticator_id: r
@@ -1609,8 +1722,8 @@ class qe {
       return { error: "server_error", error_description: "Cannot get issuer" };
     const o = this.oidcConfig.token_endpoint, s = await this.post(o, {
       grant_type: "http://auth0.com/oauth/grant-type/mfa-oob",
-      client_id: p(this, w),
-      client_secret: p(this, _),
+      client_id: p(this, _),
+      client_secret: p(this, v),
       challenge_type: "otp",
       mfa_token: t,
       oob_code: r,
@@ -1653,11 +1766,11 @@ class qe {
       };
     const r = this.oidcConfig.token_endpoint;
     let n;
-    n = p(this, _);
+    n = p(this, v);
     let i = {
       grant_type: "refresh_token",
       refresh_token: t,
-      client_id: p(this, w)
+      client_id: p(this, _)
     };
     n && (i.client_secret = n);
     try {
@@ -1693,8 +1806,8 @@ class qe {
       };
     let n = {
       grant_type: "urn:ietf:params:oauth:grant-type:device_code",
-      client_id: p(this, w),
-      client_secret: p(this, _)
+      client_id: p(this, _),
+      client_secret: p(this, v)
     };
     r && (n.scope = r);
     try {
@@ -1728,8 +1841,8 @@ class qe {
       };
     let r = {
       grant_type: "urn:ietf:params:oauth:grant-type:device_code",
-      client_id: p(this, w),
-      client_secret: p(this, _),
+      client_id: p(this, _),
+      client_secret: p(this, v),
       device_code: t
     };
     try {
@@ -1869,11 +1982,11 @@ class qe {
     }
   }
   getTokenPayload(t) {
-    return He(t);
+    return tt(t);
   }
 }
-w = new WeakMap(), _ = new WeakMap();
-class Me {
+_ = new WeakMap(), v = new WeakMap();
+class ot {
   /**
    * Constrctor
    * 
@@ -1922,14 +2035,14 @@ class Me {
             y.Configuration,
             "Must specify jwtKeyType if setting jwtSecretKey"
           );
-        this.keys._default = await Re(this.jwtSecretKey, this.jwtKeyType);
+        this.keys._default = await Be(this.jwtSecretKey, this.jwtKeyType);
       } else if (this.jwtPublicKey) {
         if (!this.jwtKeyType)
           throw new g(
             y.Configuration,
             "Must specify jwtKeyType if setting jwtPublicKey"
           );
-        const r = await Te(this.jwtPublicKey, this.jwtKeyType);
+        const r = await $e(this.jwtPublicKey, this.jwtKeyType);
         this.keys._default = r;
       } else {
         if (this.oidcConfig || await this.loadConfig(), !this.oidcConfig)
@@ -1968,7 +2081,7 @@ class Me {
     }
     if (!r || !r.ok)
       throw new g(y.Connection, "Couldn't get OIDC configuration");
-    this.oidcConfig = { ...Z };
+    this.oidcConfig = { ...ie };
     try {
       const n = await r.json();
       for (const [i, o] of Object.entries(n))
@@ -1990,8 +2103,8 @@ class Me {
     if (t) {
       this.keys = {};
       for (let n = 0; n < t.keys.length; ++n) {
-        const i = t.keys[n];
-        this.keys[i.kid ?? "_default"] = await Y(t.keys[n]);
+        const i = t.keys[n], o = "kid" in i && i.kid ? i.kid : "_default";
+        this.keys[o] = await j(t.keys[n]);
       }
     } else {
       if (!this.oidcConfig)
@@ -2019,7 +2132,7 @@ class Me {
                 l.logger.debug(u({ msg: "Skipping key with " + c.kty }));
                 continue;
               }
-            const d = await Y(c);
+            const d = await j(c);
             this.keys[s] = d;
           } catch (s) {
             throw l.logger.error(u({ err: s })), new g(y.Connection, "Couldn't load keys");
@@ -2042,7 +2155,7 @@ class Me {
    */
   async tokenAuthorized(t, r, n) {
     if (!this.keys || Object.keys(this.keys).length == 0) {
-      const o = X(t);
+      const o = te(t);
       await this.loadKeys(o.alg);
     }
     const i = await this.validateToken(t);
@@ -2066,7 +2179,7 @@ class Me {
     (!this.keys || Object.keys(this.keys).length == 0) && l.logger.warn("No keys loaded so cannot validate tokens");
     let r;
     try {
-      r = X(t).kid;
+      r = te(t).kid;
     } catch {
       l.logger.warn(u({ msg: "Invalid access token format" }));
       return;
@@ -2082,7 +2195,7 @@ class Me {
       return;
     }
     try {
-      const { payload: i } = await De(t, n), o = JSON.parse(new TextDecoder().decode(i));
+      const { payload: i } = await et(t, n), o = JSON.parse(new TextDecoder().decode(i));
       if (o.exp * 1e3 < Date.now() + this.clockTolerance) {
         l.logger.warn(u({ msg: "Access token has expired" }));
         return;
@@ -2098,13 +2211,13 @@ class Me {
 export {
   g as CrossauthError,
   l as CrossauthLogger,
-  Z as DEFAULT_OIDCCONFIG,
+  ie as DEFAULT_OIDCCONFIG,
   y as ErrorCode,
-  C as KeyPrefix,
-  qe as OAuthClientBase,
-  Q as OAuthFlows,
-  Me as OAuthTokenConsumerBase,
-  P as UserState,
-  Fe as httpStatus,
+  A as KeyPrefix,
+  nt as OAuthClientBase,
+  re as OAuthFlows,
+  ot as OAuthTokenConsumerBase,
+  E as UserState,
+  it as httpStatus,
   u as j
 };