@crossauth/common 1.1.2 → 1.1.3

package/dist/index.js CHANGED
@@ -3,41 +3,41 @@ var Y = (e) => {
3
3
  throw TypeError(e);
4
4
  };
5
5
  var me = (e, t, r) => t in e ? ye(e, t, { enumerable: !0, configurable: !0, writable: !0, value: r }) : e[t] = r;
6
- var a = (e, t, r) => me(e, typeof t != "symbol" ? t + "" : t, r), X = (e, t, r) => t.has(e) || Y("Cannot " + r);
7
- var p = (e, t, r) => (X(e, t, "read from private field"), r ? r.call(e) : t.get(e)), $ = (e, t, r) => t.has(e) ? Y("Cannot add the same private member more than once") : t instanceof WeakSet ? t.add(e) : t.set(e, r), D = (e, t, r, n) => (X(e, t, "write to private field"), n ? n.call(e, r) : t.set(e, r), r);
8
- class E {
6
+ var c = (e, t, r) => me(e, typeof t != "symbol" ? t + "" : t, r), X = (e, t, r) => t.has(e) || Y("Cannot " + r);
7
+ var g = (e, t, r) => (X(e, t, "read from private field"), r ? r.call(e) : t.get(e)), $ = (e, t, r) => t.has(e) ? Y("Cannot add the same private member more than once") : t instanceof WeakSet ? t.add(e) : t.set(e, r), D = (e, t, r, n) => (X(e, t, "write to private field"), n ? n.call(e, r) : t.set(e, r), r);
8
+ class R {
9
9
  }
10
10
  /** Ordinary, active user who can log in freely */
11
- a(E, "active", "active"), /** Deactivated account. User cannot log in */
12
- a(E, "disabled", "disabled"), /** Two factor authentication has been actived for this user
11
+ c(R, "active", "active"), /** Deactivated account. User cannot log in */
12
+ c(R, "disabled", "disabled"), /** Two factor authentication has been actived for this user
13
13
  * but has not yet been configured. Once a user logs in,
14
14
  * they will be directed to a page to configure 2FA and will
15
15
  * not be able to do anything else (that requires login) until
16
16
  * they have done so.
17
17
  */
18
- a(E, "awaitingTwoFactorSetup", "awaitingtwofactorsetup"), /** Two factor authentication has been actived for this user
18
+ c(R, "awaitingTwoFactorSetup", "awaitingtwofactorsetup"), /** Two factor authentication has been actived for this user
19
19
  * but has not yet been configured. Once a user logs in,
20
20
  * they will be directed to a page to configure 2FA and will
21
21
  * not be able to do anything else (that requires login) until
22
22
  * they have done so. They will then have to verify their email
23
23
  */
24
- a(E, "awaitingTwoFactorSetupAndEmailVerification", "awaitingtwofactorsetupandemailverification"), /** Email verification has been turned on but user has not
24
+ c(R, "awaitingTwoFactorSetupAndEmailVerification", "awaitingtwofactorsetupandemailverification"), /** Email verification has been turned on but user has not
25
25
  * verified his or her email address. Cannot log on until it has
26
26
  * been verified.
27
27
  */
28
- a(E, "awaitingEmailVerification", "awaitingemailverification"), /**
28
+ c(R, "awaitingEmailVerification", "awaitingemailverification"), /**
29
29
  * If the state is set to this, the user may not access any
30
30
  * login-required functions unless he or she has changed their password.
31
31
  *
32
32
  * Upon login, the user is redirected to the change password page.
33
33
  */
34
- a(E, "passwordChangeNeeded", "passwordchangeneeded"), /**
34
+ c(R, "passwordChangeNeeded", "passwordchangeneeded"), /**
35
35
  * If the state is set to this, the user may not access any
36
36
  * login-required functions unless he or she has reset their password.
37
37
  *
38
38
  * Upon login, the user is redirected to the reset password page.
39
39
  */
40
- a(E, "passwordResetNeeded", "passwordresetneeded"), /**
40
+ c(R, "passwordResetNeeded", "passwordresetneeded"), /**
41
41
  * If the state is set to this, the user may not access any
42
42
  * login-required functions unless he or she has reset their second
43
43
  * factor configuration.
@@ -48,29 +48,29 @@ a(E, "passwordResetNeeded", "passwordresetneeded"), /**
48
48
  * this value and the user will then be prompted to configure 2FA
49
49
  * upon login.
50
50
  */
51
- a(E, "factor2ResetNeeded", "factor2resetneeded"), /**
51
+ c(R, "factor2ResetNeeded", "factor2resetneeded"), /**
52
52
  * If the state is set to this, the user may not access any
53
53
  * login-required functions unless he or she has reset their password
54
54
  * and then resets factor2.
55
55
  *
56
56
  * Upon login, the user is redirected to the reset password page.
57
57
  */
58
- a(E, "passwordAndFactor2ResetNeeded", "passwordandfactor2resetneeded");
59
- class A {
58
+ c(R, "passwordAndFactor2ResetNeeded", "passwordandfactor2resetneeded");
59
+ class I {
60
60
  }
61
61
  /** Session ID */
62
- a(A, "session", "s:"), /** Password Reset Token */
63
- a(A, "passwordResetToken", "p:"), /** Email verification token */
64
- a(A, "emailVerificationToken", "e:"), /** API key */
65
- a(A, "apiKey", "api:"), /** OAuth authorization code */
66
- a(A, "authorizationCode", "authz:"), /** OAuth access token */
67
- a(A, "accessToken", "access:"), /** OAuth refresh token */
68
- a(A, "refreshToken", "refresh:"), /** OAuth MFA key (used by the password MFA flow) */
69
- a(A, "mfaToken", "omfa:"), /** Device code device code */
70
- a(A, "deviceCode", "dc:"), /** Device code flow user code */
71
- a(A, "userCode", "uc:");
72
- var y = /* @__PURE__ */ ((e) => (e[e.UserNotExist = 0] = "UserNotExist", e[e.PasswordInvalid = 1] = "PasswordInvalid", e[e.EmailNotExist = 2] = "EmailNotExist", e[e.UsernameOrPasswordInvalid = 3] = "UsernameOrPasswordInvalid", e[e.InvalidClientId = 4] = "InvalidClientId", e[e.ClientExists = 5] = "ClientExists", e[e.InvalidClientSecret = 6] = "InvalidClientSecret", e[e.InvalidClientIdOrSecret = 7] = "InvalidClientIdOrSecret", e[e.InvalidRedirectUri = 8] = "InvalidRedirectUri", e[e.InvalidOAuthFlow = 9] = "InvalidOAuthFlow", e[e.UserNotActive = 10] = "UserNotActive", e[e.EmailNotVerified = 11] = "EmailNotVerified", e[e.TwoFactorIncomplete = 12] = "TwoFactorIncomplete", e[e.Unauthorized = 13] = "Unauthorized", e[e.UnauthorizedClient = 14] = "UnauthorizedClient", e[e.InvalidScope = 15] = "InvalidScope", e[e.InsufficientScope = 16] = "InsufficientScope", e[e.InsufficientPriviledges = 17] = "InsufficientPriviledges", e[e.Forbidden = 18] = "Forbidden", e[e.InvalidKey = 19] = "InvalidKey", e[e.InvalidCsrf = 20] = "InvalidCsrf", e[e.InvalidSession = 21] = "InvalidSession", e[e.Expired = 22] = "Expired", e[e.Connection = 23] = "Connection", e[e.InvalidHash = 24] = "InvalidHash", e[e.UnsupportedAlgorithm = 25] = "UnsupportedAlgorithm", e[e.KeyExists = 26] = "KeyExists", e[e.PasswordChangeNeeded = 27] = "PasswordChangeNeeded", e[e.PasswordResetNeeded = 28] = "PasswordResetNeeded", e[e.Factor2ResetNeeded = 29] = "Factor2ResetNeeded", e[e.Configuration = 30] = "Configuration", e[e.InvalidEmail = 31] = "InvalidEmail", e[e.InvalidPhoneNumber = 32] = "InvalidPhoneNumber", e[e.InvalidUsername = 33] = "InvalidUsername", e[e.PasswordMatch = 34] = "PasswordMatch", e[e.InvalidToken = 35] = "InvalidToken", e[e.MfaRequired = 36] = "MfaRequired", e[e.PasswordFormat = 37] = "PasswordFormat", e[e.DataFormat = 38] = "DataFormat", e[e.FetchError = 39] = "FetchError", e[e.UserExists = 40] = "UserExists", e[e.FormEntry = 41] = "FormEntry", e[e.BadRequest = 42] = "BadRequest", 
e[e.AuthorizationPending = 43] = "AuthorizationPending", e[e.SlowDown = 44] = "SlowDown", e[e.ExpiredToken = 45] = "ExpiredToken", e[e.ConstraintViolation = 46] = "ConstraintViolation", e[e.NotImplemented = 47] = "NotImplemented", e[e.UnknownError = 48] = "UnknownError", e))(y || {});
73
- class g extends Error {
62
+ c(I, "session", "s:"), /** Password Reset Token */
63
+ c(I, "passwordResetToken", "p:"), /** Email verification token */
64
+ c(I, "emailVerificationToken", "e:"), /** API key */
65
+ c(I, "apiKey", "api:"), /** OAuth authorization code */
66
+ c(I, "authorizationCode", "authz:"), /** OAuth access token */
67
+ c(I, "accessToken", "access:"), /** OAuth refresh token */
68
+ c(I, "refreshToken", "refresh:"), /** OAuth MFA key (used by the password MFA flow) */
69
+ c(I, "mfaToken", "omfa:"), /** Device code device code */
70
+ c(I, "deviceCode", "dc:"), /** Device code flow user code */
71
+ c(I, "userCode", "uc:");
72
+ var m = /* @__PURE__ */ ((e) => (e[e.UserNotExist = 0] = "UserNotExist", e[e.PasswordInvalid = 1] = "PasswordInvalid", e[e.EmailNotExist = 2] = "EmailNotExist", e[e.UsernameOrPasswordInvalid = 3] = "UsernameOrPasswordInvalid", e[e.InvalidClientId = 4] = "InvalidClientId", e[e.ClientExists = 5] = "ClientExists", e[e.InvalidClientSecret = 6] = "InvalidClientSecret", e[e.InvalidClientIdOrSecret = 7] = "InvalidClientIdOrSecret", e[e.InvalidRedirectUri = 8] = "InvalidRedirectUri", e[e.InvalidOAuthFlow = 9] = "InvalidOAuthFlow", e[e.UserNotActive = 10] = "UserNotActive", e[e.EmailNotVerified = 11] = "EmailNotVerified", e[e.TwoFactorIncomplete = 12] = "TwoFactorIncomplete", e[e.Unauthorized = 13] = "Unauthorized", e[e.UnauthorizedClient = 14] = "UnauthorizedClient", e[e.InvalidScope = 15] = "InvalidScope", e[e.InsufficientScope = 16] = "InsufficientScope", e[e.InsufficientPriviledges = 17] = "InsufficientPriviledges", e[e.Forbidden = 18] = "Forbidden", e[e.InvalidKey = 19] = "InvalidKey", e[e.InvalidCsrf = 20] = "InvalidCsrf", e[e.InvalidSession = 21] = "InvalidSession", e[e.Expired = 22] = "Expired", e[e.Connection = 23] = "Connection", e[e.InvalidHash = 24] = "InvalidHash", e[e.UnsupportedAlgorithm = 25] = "UnsupportedAlgorithm", e[e.KeyExists = 26] = "KeyExists", e[e.PasswordChangeNeeded = 27] = "PasswordChangeNeeded", e[e.PasswordResetNeeded = 28] = "PasswordResetNeeded", e[e.Factor2ResetNeeded = 29] = "Factor2ResetNeeded", e[e.Configuration = 30] = "Configuration", e[e.InvalidEmail = 31] = "InvalidEmail", e[e.InvalidPhoneNumber = 32] = "InvalidPhoneNumber", e[e.InvalidUsername = 33] = "InvalidUsername", e[e.PasswordMatch = 34] = "PasswordMatch", e[e.InvalidToken = 35] = "InvalidToken", e[e.MfaRequired = 36] = "MfaRequired", e[e.PasswordFormat = 37] = "PasswordFormat", e[e.DataFormat = 38] = "DataFormat", e[e.FetchError = 39] = "FetchError", e[e.UserExists = 40] = "UserExists", e[e.FormEntry = 41] = "FormEntry", e[e.BadRequest = 42] = "BadRequest", 
e[e.AuthorizationPending = 43] = "AuthorizationPending", e[e.SlowDown = 44] = "SlowDown", e[e.ExpiredToken = 45] = "ExpiredToken", e[e.ConstraintViolation = 46] = "ConstraintViolation", e[e.NotImplemented = 47] = "NotImplemented", e[e.UnknownError = 48] = "UnknownError", e))(m || {});
73
+ class p extends Error {
74
74
  /**
75
75
  * Creates a new error to throw,
76
76
  *
@@ -84,19 +84,19 @@ class g extends Error {
84
84
  /** `typeof` won't work on this class. To determine if the
85
85
  * object is a `CrossauthError`, check for presence of this member.
86
86
  */
87
- a(this, "isCrossauthError", !0);
87
+ c(this, "isCrossauthError", !0);
88
88
  /** The best HTTP status to report */
89
- a(this, "httpStatus");
89
+ c(this, "httpStatus");
90
90
  /** All Crossauth errors have an error code */
91
- a(this, "code");
91
+ c(this, "code");
92
92
  /** All Crossauth errors have an error code */
93
- a(this, "codeName");
93
+ c(this, "codeName");
94
94
  /** A vector of error messages. If there was only one, it will still be in this array.
95
95
  * The inherited property `message` is also always available. If there were multiple messages,
96
96
  * it will be a concatenation of them with `". "` in between.
97
97
  */
98
- a(this, "messages");
99
- this.code = r, this.codeName = y[r], this.httpStatus = o, this.name = "CrossauthError", Array.isArray(n) ? this.messages = n : this.messages = [i], Object.setPrototypeOf(this, g.prototype);
98
+ c(this, "messages");
99
+ this.code = r, this.codeName = m[r], this.httpStatus = o, this.name = "CrossauthError", Array.isArray(n) ? this.messages = n : this.messages = [i], Object.setPrototypeOf(this, p.prototype);
100
100
  }
101
101
  /**
102
102
  * OAuth defines certain error types. To convert the error in an OAuth
@@ -151,7 +151,7 @@ class g extends Error {
151
151
  default:
152
152
  i = 48;
153
153
  }
154
- return new g(i, n);
154
+ return new p(i, n);
155
155
  }
156
156
  get oauthErrorCode() {
157
157
  switch (this.code) {
@@ -194,21 +194,21 @@ class g extends Error {
194
194
  */
195
195
  static asCrossauthError(r, n) {
196
196
  if (r instanceof Error)
197
- return "isCrossauthError" in r ? r : new g(48, r.message);
197
+ return "isCrossauthError" in r ? r : new p(48, r.message);
198
198
  if ("errorCode" in r) {
199
199
  let o = 48;
200
200
  try {
201
201
  o = Number(r.errorCode) ?? 48;
202
202
  } catch {
203
203
  }
204
- let s = n ?? y[o];
205
- return "errorMessage" in r ? s = r.errorMessage : "message" in r && (s = r.message), new g(o, s);
204
+ let s = n ?? m[o];
205
+ return "errorMessage" in r ? s = r.errorMessage : "message" in r && (s = r.message), new p(o, s);
206
206
  }
207
- let i = n ?? y[
207
+ let i = n ?? m[
208
208
  48
209
209
  /* UnknownError */
210
210
  ];
211
- return "message" in r && (i = r.message), new g(48, i);
211
+ return "message" in r && (i = r.message), new p(48, i);
212
212
  }
213
213
  }
214
214
  function it(e) {
@@ -256,20 +256,20 @@ const B = {
256
256
  503: "Service Unavailable",
257
257
  504: "Gateway Timeout",
258
258
  505: "HTTP Version Not Supported"
259
- }, m = class m {
259
+ }, w = class w {
260
260
  /**
261
261
  * Create a logger with the given level
262
262
  * @param level the level to report to
263
263
  */
264
264
  constructor(t) {
265
265
  /** the log level. This can be set dynamically */
266
- a(this, "level");
266
+ c(this, "level");
267
267
  if (t) this.level = t;
268
268
  else if (typeof process < "u" && "CROSSAUTH_LOG_LEVEL" in process.env) {
269
269
  const r = (process.env.CROSSAUTH_LOG_LEVEL ?? "ERROR").toUpperCase();
270
- m.levelName.includes(r) ? this.level = m.levelName.indexOf(r) : this.level = m.Error;
270
+ w.levelName.includes(r) ? this.level = w.levelName.indexOf(r) : this.level = w.Error;
271
271
  } else
272
- this.level = m.Error;
272
+ this.level = w.Error;
273
273
  }
274
274
  /**
275
275
  * Return the singleton instance of the logger.
@@ -282,35 +282,35 @@ const B = {
282
282
  this.level = t;
283
283
  }
284
284
  log(t, r) {
285
- t <= this.level && (typeof r == "string" ? console.log("Crossauth " + m.levelName[t] + " " + (/* @__PURE__ */ new Date()).toISOString(), r) : console.log(JSON.stringify({ level: m.levelName[t], time: (/* @__PURE__ */ new Date()).toISOString(), ...r })));
285
+ t <= this.level && (typeof r == "string" ? console.log("Crossauth " + w.levelName[t] + " " + (/* @__PURE__ */ new Date()).toISOString(), r) : console.log(JSON.stringify({ level: w.levelName[t], time: (/* @__PURE__ */ new Date()).toISOString(), ...r })));
286
286
  }
287
287
  /**
288
288
  * Report an error
289
289
  * @param output object to output
290
290
  */
291
291
  error(t) {
292
- this.log(m.Error, t);
292
+ this.log(w.Error, t);
293
293
  }
294
294
  /**
295
295
  * Report an warning
296
296
  * @param output object to output
297
297
  */
298
298
  warn(t) {
299
- this.log(m.Warn, t);
299
+ this.log(w.Warn, t);
300
300
  }
301
301
  /**
302
302
  * Report information
303
303
  * @param output object to output
304
304
  */
305
305
  info(t) {
306
- this.log(m.Info, t);
306
+ this.log(w.Info, t);
307
307
  }
308
308
  /**
309
309
  * Print a debugging message
310
310
  * @param output object to output
311
311
  */
312
312
  debug(t) {
313
- this.log(m.Debug, t);
313
+ this.log(w.Debug, t);
314
314
  }
315
315
  /**
316
316
  * Override the default logger.
@@ -327,12 +327,12 @@ const B = {
327
327
  }
328
328
  };
329
329
  /** Don't log anything */
330
- a(m, "None", 0), /** Only log errors */
331
- a(m, "Error", 1), /** Log errors and warning */
332
- a(m, "Warn", 2), /** Log errors, warnings and info messages */
333
- a(m, "Info", 3), /** Log everything */
334
- a(m, "Debug", 4), a(m, "levelName", ["NONE", "ERROR", "WARN", "INFO", "DEBUG"]);
335
- let l = m;
330
+ c(w, "None", 0), /** Only log errors */
331
+ c(w, "Error", 1), /** Log errors and warning */
332
+ c(w, "Warn", 2), /** Log errors, warnings and info messages */
333
+ c(w, "Info", 3), /** Log everything */
334
+ c(w, "Debug", 4), c(w, "levelName", ["NONE", "ERROR", "WARN", "INFO", "DEBUG"]);
335
+ let l = w;
336
336
  function u(e) {
337
337
  let t;
338
338
  typeof e == "object" && "err" in e && typeof e.err == "object" && (t = e.err.stack);
@@ -384,7 +384,7 @@ const _e = (e) => {
384
384
  for (let n = 0; n < t.length; n++)
385
385
  r[n] = t.charCodeAt(n);
386
386
  return r;
387
- }, K = (e) => {
387
+ }, O = (e) => {
388
388
  let t = e;
389
389
  t instanceof Uint8Array && (t = H.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
390
390
  try {
@@ -393,98 +393,98 @@ const _e = (e) => {
393
393
  throw new TypeError("The input to be decoded is not correctly encoded.");
394
394
  }
395
395
  };
396
- class S extends Error {
396
+ class b extends Error {
397
397
  constructor(t, r) {
398
398
  var n;
399
399
  super(t, r), this.code = "ERR_JOSE_GENERIC", this.name = this.constructor.name, (n = Error.captureStackTrace) == null || n.call(Error, this, this.constructor);
400
400
  }
401
401
  }
402
- S.code = "ERR_JOSE_GENERIC";
403
- class ve extends S {
402
+ b.code = "ERR_JOSE_GENERIC";
403
+ class ve extends b {
404
404
  constructor(t, r, n = "unspecified", i = "unspecified") {
405
405
  super(t, { cause: { claim: n, reason: i, payload: r } }), this.code = "ERR_JWT_CLAIM_VALIDATION_FAILED", this.claim = n, this.reason = i, this.payload = r;
406
406
  }
407
407
  }
408
408
  ve.code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
409
- class Se extends S {
409
+ class Se extends b {
410
410
  constructor(t, r, n = "unspecified", i = "unspecified") {
411
411
  super(t, { cause: { claim: n, reason: i, payload: r } }), this.code = "ERR_JWT_EXPIRED", this.claim = n, this.reason = i, this.payload = r;
412
412
  }
413
413
  }
414
414
  Se.code = "ERR_JWT_EXPIRED";
415
- class be extends S {
415
+ class be extends b {
416
416
  constructor() {
417
417
  super(...arguments), this.code = "ERR_JOSE_ALG_NOT_ALLOWED";
418
418
  }
419
419
  }
420
420
  be.code = "ERR_JOSE_ALG_NOT_ALLOWED";
421
- class C extends S {
421
+ class A extends b {
422
422
  constructor() {
423
423
  super(...arguments), this.code = "ERR_JOSE_NOT_SUPPORTED";
424
424
  }
425
425
  }
426
- C.code = "ERR_JOSE_NOT_SUPPORTED";
427
- class Ce extends S {
426
+ A.code = "ERR_JOSE_NOT_SUPPORTED";
427
+ class Ce extends b {
428
428
  constructor(t = "decryption operation failed", r) {
429
429
  super(t, r), this.code = "ERR_JWE_DECRYPTION_FAILED";
430
430
  }
431
431
  }
432
432
  Ce.code = "ERR_JWE_DECRYPTION_FAILED";
433
- class Ae extends S {
433
+ class Ae extends b {
434
434
  constructor() {
435
435
  super(...arguments), this.code = "ERR_JWE_INVALID";
436
436
  }
437
437
  }
438
438
  Ae.code = "ERR_JWE_INVALID";
439
- class w extends S {
439
+ class _ extends b {
440
440
  constructor() {
441
441
  super(...arguments), this.code = "ERR_JWS_INVALID";
442
442
  }
443
443
  }
444
- w.code = "ERR_JWS_INVALID";
445
- class P extends S {
444
+ _.code = "ERR_JWS_INVALID";
445
+ class k extends b {
446
446
  constructor() {
447
447
  super(...arguments), this.code = "ERR_JWT_INVALID";
448
448
  }
449
449
  }
450
- P.code = "ERR_JWT_INVALID";
451
- class Ie extends S {
450
+ k.code = "ERR_JWT_INVALID";
451
+ class Ie extends b {
452
452
  constructor() {
453
453
  super(...arguments), this.code = "ERR_JWK_INVALID";
454
454
  }
455
455
  }
456
456
  Ie.code = "ERR_JWK_INVALID";
457
- class Ee extends S {
457
+ class Ee extends b {
458
458
  constructor() {
459
459
  super(...arguments), this.code = "ERR_JWKS_INVALID";
460
460
  }
461
461
  }
462
462
  Ee.code = "ERR_JWKS_INVALID";
463
- class Te extends S {
463
+ class Re extends b {
464
464
  constructor(t = "no applicable key found in the JSON Web Key Set", r) {
465
465
  super(t, r), this.code = "ERR_JWKS_NO_MATCHING_KEY";
466
466
  }
467
467
  }
468
- Te.code = "ERR_JWKS_NO_MATCHING_KEY";
469
- class Re extends S {
468
+ Re.code = "ERR_JWKS_NO_MATCHING_KEY";
469
+ class Te extends b {
470
470
  constructor(t = "multiple matching keys found in the JSON Web Key Set", r) {
471
471
  super(t, r), this.code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
472
472
  }
473
473
  }
474
- Re.code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
475
- class Pe extends S {
474
+ Te.code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
475
+ class Pe extends b {
476
476
  constructor(t = "request timed out", r) {
477
477
  super(t, r), this.code = "ERR_JWKS_TIMEOUT";
478
478
  }
479
479
  }
480
480
  Pe.code = "ERR_JWKS_TIMEOUT";
481
- class oe extends S {
481
+ class oe extends b {
482
482
  constructor(t = "signature verification failed", r) {
483
483
  super(t, r), this.code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
484
484
  }
485
485
  }
486
486
  oe.code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
487
- function I(e, t = "algorithm.name") {
487
+ function E(e, t = "algorithm.name") {
488
488
  return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`);
489
489
  }
490
490
  function z(e, t) {
@@ -521,50 +521,50 @@ function Oe(e, t, ...r) {
521
521
  case "HS384":
522
522
  case "HS512": {
523
523
  if (!z(e.algorithm, "HMAC"))
524
- throw I("HMAC");
524
+ throw E("HMAC");
525
525
  const n = parseInt(t.slice(2), 10);
526
526
  if (V(e.algorithm.hash) !== n)
527
- throw I(`SHA-${n}`, "algorithm.hash");
527
+ throw E(`SHA-${n}`, "algorithm.hash");
528
528
  break;
529
529
  }
530
530
  case "RS256":
531
531
  case "RS384":
532
532
  case "RS512": {
533
533
  if (!z(e.algorithm, "RSASSA-PKCS1-v1_5"))
534
- throw I("RSASSA-PKCS1-v1_5");
534
+ throw E("RSASSA-PKCS1-v1_5");
535
535
  const n = parseInt(t.slice(2), 10);
536
536
  if (V(e.algorithm.hash) !== n)
537
- throw I(`SHA-${n}`, "algorithm.hash");
537
+ throw E(`SHA-${n}`, "algorithm.hash");
538
538
  break;
539
539
  }
540
540
  case "PS256":
541
541
  case "PS384":
542
542
  case "PS512": {
543
543
  if (!z(e.algorithm, "RSA-PSS"))
544
- throw I("RSA-PSS");
544
+ throw E("RSA-PSS");
545
545
  const n = parseInt(t.slice(2), 10);
546
546
  if (V(e.algorithm.hash) !== n)
547
- throw I(`SHA-${n}`, "algorithm.hash");
547
+ throw E(`SHA-${n}`, "algorithm.hash");
548
548
  break;
549
549
  }
550
550
  case "EdDSA": {
551
551
  if (e.algorithm.name !== "Ed25519" && e.algorithm.name !== "Ed448")
552
- throw I("Ed25519 or Ed448");
552
+ throw E("Ed25519 or Ed448");
553
553
  break;
554
554
  }
555
555
  case "Ed25519": {
556
556
  if (!z(e.algorithm, "Ed25519"))
557
- throw I("Ed25519");
557
+ throw E("Ed25519");
558
558
  break;
559
559
  }
560
560
  case "ES256":
561
561
  case "ES384":
562
562
  case "ES512": {
563
563
  if (!z(e.algorithm, "ECDSA"))
564
- throw I("ECDSA");
564
+ throw E("ECDSA");
565
565
  const n = ke(t);
566
566
  if (e.algorithm.namedCurve !== n)
567
- throw I(n, "algorithm.namedCurve");
567
+ throw E(n, "algorithm.namedCurve");
568
568
  break;
569
569
  }
570
570
  default:
@@ -584,7 +584,7 @@ const Q = (e, ...t) => se("Key must be ", e, ...t);
584
584
  function ae(e, t, ...r) {
585
585
  return se(`Key for the ${e} algorithm must be `, t, ...r);
586
586
  }
587
- const ce = (e) => ne(e) ? !0 : (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", L = ["CryptoKey"], We = (...e) => {
587
+ const ce = (e) => ne(e) ? !0 : (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", L = ["CryptoKey"], Ne = (...e) => {
588
588
  const t = e.filter(Boolean);
589
589
  if (t.length === 0 || t.length === 1)
590
590
  return !0;
@@ -603,11 +603,11 @@ const ce = (e) => ne(e) ? !0 : (e == null ? void 0 : e[Symbol.toStringTag]) ===
603
603
  }
604
604
  return !0;
605
605
  };
606
- function Ne(e) {
606
+ function We(e) {
607
607
  return typeof e == "object" && e !== null;
608
608
  }
609
609
  function x(e) {
610
- if (!Ne(e) || Object.prototype.toString.call(e) !== "[object Object]")
610
+ if (!We(e) || Object.prototype.toString.call(e) !== "[object Object]")
611
611
  return !1;
612
612
  if (Object.getPrototypeOf(e) === null)
613
613
  return !0;
@@ -660,7 +660,7 @@ function ze(e) {
660
660
  }, r = e.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
661
661
  break;
662
662
  default:
663
- throw new C('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
663
+ throw new A('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
664
664
  }
665
665
  break;
666
666
  }
@@ -682,7 +682,7 @@ function ze(e) {
682
682
  t = { name: "ECDH", namedCurve: e.crv }, r = e.d ? ["deriveBits"] : [];
683
683
  break;
684
684
  default:
685
- throw new C('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
685
+ throw new A('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
686
686
  }
687
687
  break;
688
688
  }
@@ -701,12 +701,12 @@ function ze(e) {
701
701
  t = { name: e.crv }, r = e.d ? ["deriveBits"] : [];
702
702
  break;
703
703
  default:
704
- throw new C('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
704
+ throw new A('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
705
705
  }
706
706
  break;
707
707
  }
708
708
  default:
709
- throw new C('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
709
+ throw new A('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
710
710
  }
711
711
  return { algorithm: t, keyUsages: r };
712
712
  }
@@ -719,8 +719,8 @@ const de = async (e) => {
719
719
  e.key_ops ?? r
720
720
  ], i = { ...e };
721
721
  return delete i.alg, delete i.use, q.subtle.importKey("jwk", i, ...n);
722
- }, le = (e) => K(e);
723
- let W, N;
722
+ }, le = (e) => O(e);
723
+ let N, W;
724
724
  const ue = (e) => (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", F = async (e, t, r, n, i = !1) => {
725
725
  let o = e.get(t);
726
726
  if (o != null && o[n])
@@ -730,44 +730,44 @@ const ue = (e) => (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject",
730
730
  }, He = (e, t) => {
731
731
  if (ue(e)) {
732
732
  let r = e.export({ format: "jwk" });
733
- return delete r.d, delete r.dp, delete r.dq, delete r.p, delete r.q, delete r.qi, r.k ? le(r.k) : (N || (N = /* @__PURE__ */ new WeakMap()), F(N, e, r, t));
733
+ return delete r.d, delete r.dp, delete r.dq, delete r.p, delete r.q, delete r.qi, r.k ? le(r.k) : (W || (W = /* @__PURE__ */ new WeakMap()), F(W, e, r, t));
734
734
  }
735
- return U(e) ? e.k ? K(e.k) : (N || (N = /* @__PURE__ */ new WeakMap()), F(N, e, e, t, !0)) : e;
735
+ return U(e) ? e.k ? O(e.k) : (W || (W = /* @__PURE__ */ new WeakMap()), F(W, e, e, t, !0)) : e;
736
736
  }, Me = (e, t) => {
737
737
  if (ue(e)) {
738
738
  let r = e.export({ format: "jwk" });
739
- return r.k ? le(r.k) : (W || (W = /* @__PURE__ */ new WeakMap()), F(W, e, r, t));
739
+ return r.k ? le(r.k) : (N || (N = /* @__PURE__ */ new WeakMap()), F(N, e, r, t));
740
740
  }
741
- return U(e) ? e.k ? K(e.k) : (W || (W = /* @__PURE__ */ new WeakMap()), F(W, e, e, t, !0)) : e;
742
- }, Le = { normalizePublicKey: He, normalizePrivateKey: Me }, k = (e, t, r = 0) => {
741
+ return U(e) ? e.k ? O(e.k) : (N || (N = /* @__PURE__ */ new WeakMap()), F(N, e, e, t, !0)) : e;
742
+ }, Le = { normalizePublicKey: He, normalizePrivateKey: Me }, K = (e, t, r = 0) => {
743
743
  r === 0 && (t.unshift(t.length), t.unshift(6));
744
744
  const n = e.indexOf(t[0], r);
745
745
  if (n === -1)
746
746
  return !1;
747
747
  const i = e.subarray(n, n + t.length);
748
- return i.length !== t.length ? !1 : i.every((o, s) => o === t[s]) || k(e, t, n + 1);
748
+ return i.length !== t.length ? !1 : i.every((o, s) => o === t[s]) || K(e, t, n + 1);
749
749
  }, Z = (e) => {
750
750
  switch (!0) {
751
- case k(e, [42, 134, 72, 206, 61, 3, 1, 7]):
751
+ case K(e, [42, 134, 72, 206, 61, 3, 1, 7]):
752
752
  return "P-256";
753
- case k(e, [43, 129, 4, 0, 34]):
753
+ case K(e, [43, 129, 4, 0, 34]):
754
754
  return "P-384";
755
- case k(e, [43, 129, 4, 0, 35]):
755
+ case K(e, [43, 129, 4, 0, 35]):
756
756
  return "P-521";
757
- case k(e, [43, 101, 110]):
757
+ case K(e, [43, 101, 110]):
758
758
  return "X25519";
759
- case k(e, [43, 101, 111]):
759
+ case K(e, [43, 101, 111]):
760
760
  return "X448";
761
- case k(e, [43, 101, 112]):
761
+ case K(e, [43, 101, 112]):
762
762
  return "Ed25519";
763
- case k(e, [43, 101, 113]):
763
+ case K(e, [43, 101, 113]):
764
764
  return "Ed448";
765
765
  default:
766
- throw new C("Invalid or unsupported EC Key Curve or OKP Key Sub Type");
766
+ throw new A("Invalid or unsupported EC Key Curve or OKP Key Sub Type");
767
767
  }
768
768
  }, he = async (e, t, r, n, i) => {
769
769
  let o, s;
770
- const c = new Uint8Array(atob(r.replace(e, "")).split("").map((f) => f.charCodeAt(0))), d = t === "spki";
770
+ const a = new Uint8Array(atob(r.replace(e, "")).split("").map((f) => f.charCodeAt(0))), d = t === "spki";
771
771
  switch (n) {
772
772
  case "PS256":
773
773
  case "PS384":
@@ -801,7 +801,7 @@ const ue = (e) => (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject",
801
801
  case "ECDH-ES+A128KW":
802
802
  case "ECDH-ES+A192KW":
803
803
  case "ECDH-ES+A256KW": {
804
- const f = Z(c);
804
+ const f = Z(a);
805
805
  o = f.startsWith("P-") ? { name: "ECDH", namedCurve: f } : { name: f }, s = d ? [] : ["deriveBits"];
806
806
  break;
807
807
  }
@@ -809,12 +809,12 @@ const ue = (e) => (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject",
809
809
  o = { name: "Ed25519" }, s = d ? ["verify"] : ["sign"];
810
810
  break;
811
811
  case "EdDSA":
812
- o = { name: Z(c) }, s = d ? ["verify"] : ["sign"];
812
+ o = { name: Z(a) }, s = d ? ["verify"] : ["sign"];
813
813
  break;
814
814
  default:
815
- throw new C('Invalid or unsupported "alg" (Algorithm) value');
815
+ throw new A('Invalid or unsupported "alg" (Algorithm) value');
816
816
  }
817
- return q.subtle.importKey(t, c, o, !1, s);
817
+ return q.subtle.importKey(t, a, o, !1, s);
818
818
  }, Fe = (e, t, r) => he(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g, "pkcs8", e, t), qe = (e, t, r) => he(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", e, t);
819
819
  async function $e(e, t, r) {
820
820
  if (typeof e != "string" || e.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
@@ -833,15 +833,15 @@ async function j(e, t) {
833
833
  case "oct":
834
834
  if (typeof e.k != "string" || !e.k)
835
835
  throw new TypeError('missing "k" (Key Value) Parameter value');
836
- return K(e.k);
836
+ return O(e.k);
837
837
  case "RSA":
838
838
  if ("oth" in e && e.oth !== void 0)
839
- throw new C('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
839
+ throw new A('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
840
840
  case "EC":
841
841
  case "OKP":
842
842
  return de({ ...e, alg: t });
843
843
  default:
844
- throw new C('Unsupported "kty" (Key Type) Parameter value');
844
+ throw new A('Unsupported "kty" (Key Type) Parameter value');
845
845
  }
846
846
  }
847
847
  const J = (e) => e == null ? void 0 : e[Symbol.toStringTag], G = (e, t, r) => {
@@ -906,7 +906,7 @@ function Ge(e, t, r, n, i) {
906
906
  o = t;
907
907
  for (const s of n.crit) {
908
908
  if (!o.has(s))
909
- throw new C(`Extension Header Parameter "${s}" is not recognized`);
909
+ throw new A(`Extension Header Parameter "${s}" is not recognized`);
910
910
  if (i[s] === void 0)
911
911
  throw new e(`Extension Header Parameter "${s}" is missing`);
912
912
  if (o.get(s) && n[s] === void 0)
@@ -938,7 +938,7 @@ function Ye(e, t) {
938
938
  case "EdDSA":
939
939
  return { name: t.name };
940
940
  default:
941
- throw new C(`alg ${e} is not supported either by JOSE or your javascript runtime`);
941
+ throw new A(`alg ${e} is not supported either by JOSE or your javascript runtime`);
942
942
  }
943
943
  }
944
944
  async function Xe(e, t, r) {
@@ -963,74 +963,74 @@ const Qe = async (e, t, r, n) => {
963
963
  };
964
964
  async function Ze(e, t, r) {
965
965
  if (!x(e))
966
- throw new w("Flattened JWS must be an object");
966
+ throw new _("Flattened JWS must be an object");
967
967
  if (e.protected === void 0 && e.header === void 0)
968
- throw new w('Flattened JWS must have either of the "protected" or "header" members');
968
+ throw new _('Flattened JWS must have either of the "protected" or "header" members');
969
969
  if (e.protected !== void 0 && typeof e.protected != "string")
970
- throw new w("JWS Protected Header incorrect type");
970
+ throw new _("JWS Protected Header incorrect type");
971
971
  if (e.payload === void 0)
972
- throw new w("JWS Payload missing");
972
+ throw new _("JWS Payload missing");
973
973
  if (typeof e.signature != "string")
974
- throw new w("JWS Signature missing or incorrect type");
974
+ throw new _("JWS Signature missing or incorrect type");
975
975
  if (e.header !== void 0 && !x(e.header))
976
- throw new w("JWS Unprotected Header incorrect type");
976
+ throw new _("JWS Unprotected Header incorrect type");
977
977
  let n = {};
978
978
  if (e.protected)
979
979
  try {
980
- const ge = K(e.protected);
980
+ const ge = O(e.protected);
981
981
  n = JSON.parse(H.decode(ge));
982
982
  } catch {
983
- throw new w("JWS Protected Header is invalid");
983
+ throw new _("JWS Protected Header is invalid");
984
984
  }
985
- if (!We(n, e.header))
986
- throw new w("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
985
+ if (!Ne(n, e.header))
986
+ throw new _("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
987
987
  const i = {
988
988
  ...n,
989
989
  ...e.header
990
- }, o = Ge(w, /* @__PURE__ */ new Map([["b64", !0]]), r == null ? void 0 : r.crit, n, i);
990
+ }, o = Ge(_, /* @__PURE__ */ new Map([["b64", !0]]), r == null ? void 0 : r.crit, n, i);
991
991
  let s = !0;
992
992
  if (o.has("b64") && (s = n.b64, typeof s != "boolean"))
993
- throw new w('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
994
- const { alg: c } = i;
995
- if (typeof c != "string" || !c)
996
- throw new w('JWS "alg" (Algorithm) Header Parameter missing or invalid');
993
+ throw new _('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
994
+ const { alg: a } = i;
995
+ if (typeof a != "string" || !a)
996
+ throw new _('JWS "alg" (Algorithm) Header Parameter missing or invalid');
997
997
  if (s) {
998
998
  if (typeof e.payload != "string")
999
- throw new w("JWS Payload must be a string");
999
+ throw new _("JWS Payload must be a string");
1000
1000
  } else if (typeof e.payload != "string" && !(e.payload instanceof Uint8Array))
1001
- throw new w("JWS Payload must be a string or an Uint8Array instance");
1001
+ throw new _("JWS Payload must be a string or an Uint8Array instance");
1002
1002
  let d = !1;
1003
- typeof t == "function" ? (t = await t(n, e), d = !0, ee(c, t, "verify"), U(t) && (t = await j(t, c))) : ee(c, t, "verify");
1003
+ typeof t == "function" ? (t = await t(n, e), d = !0, ee(a, t, "verify"), U(t) && (t = await j(t, a))) : ee(a, t, "verify");
1004
1004
  const f = we(M.encode(e.protected ?? ""), M.encode("."), typeof e.payload == "string" ? M.encode(e.payload) : e.payload);
1005
- let T;
1005
+ let y;
1006
1006
  try {
1007
- T = K(e.signature);
1007
+ y = O(e.signature);
1008
1008
  } catch {
1009
- throw new w("Failed to base64url decode the signature");
1009
+ throw new _("Failed to base64url decode the signature");
1010
1010
  }
1011
- if (!await Qe(c, t, T, f))
1011
+ if (!await Qe(a, t, y, f))
1012
1012
  throw new oe();
1013
- let b;
1013
+ let C;
1014
1014
  if (s)
1015
1015
  try {
1016
- b = K(e.payload);
1016
+ C = O(e.payload);
1017
1017
  } catch {
1018
- throw new w("Failed to base64url decode the payload");
1018
+ throw new _("Failed to base64url decode the payload");
1019
1019
  }
1020
- else typeof e.payload == "string" ? b = M.encode(e.payload) : b = e.payload;
1021
- const R = { payload: b };
1022
- return e.protected !== void 0 && (R.protectedHeader = n), e.header !== void 0 && (R.unprotectedHeader = e.header), d ? { ...R, key: t } : R;
1020
+ else typeof e.payload == "string" ? C = M.encode(e.payload) : C = e.payload;
1021
+ const P = { payload: C };
1022
+ return e.protected !== void 0 && (P.protectedHeader = n), e.header !== void 0 && (P.unprotectedHeader = e.header), d ? { ...P, key: t } : P;
1023
1023
  }
1024
1024
  async function et(e, t, r) {
1025
1025
  if (e instanceof Uint8Array && (e = H.decode(e)), typeof e != "string")
1026
- throw new w("Compact JWS must be a string or Uint8Array");
1026
+ throw new _("Compact JWS must be a string or Uint8Array");
1027
1027
  const { 0: n, 1: i, 2: o, length: s } = e.split(".");
1028
1028
  if (s !== 3)
1029
- throw new w("Invalid Compact JWS");
1030
- const c = await Ze({ payload: i, protected: n, signature: o }, t, r), d = { payload: c.payload, protectedHeader: c.protectedHeader };
1031
- return typeof t == "function" ? { ...d, key: c.key } : d;
1029
+ throw new _("Invalid Compact JWS");
1030
+ const a = await Ze({ payload: i, protected: n, signature: o }, t, r), d = { payload: a.payload, protectedHeader: a.protectedHeader };
1031
+ return typeof t == "function" ? { ...d, key: a.key } : d;
1032
1032
  }
1033
- const pe = K;
1033
+ const pe = O;
1034
1034
  function te(e) {
1035
1035
  let t;
1036
1036
  if (typeof e == "string") {
@@ -1054,28 +1054,28 @@ function te(e) {
1054
1054
  }
1055
1055
  function tt(e) {
1056
1056
  if (typeof e != "string")
1057
- throw new P("JWTs must use Compact JWS serialization, JWT must be a string");
1057
+ throw new k("JWTs must use Compact JWS serialization, JWT must be a string");
1058
1058
  const { 1: t, length: r } = e.split(".");
1059
1059
  if (r === 5)
1060
- throw new P("Only JWTs using Compact JWS serialization can be decoded");
1060
+ throw new k("Only JWTs using Compact JWS serialization can be decoded");
1061
1061
  if (r !== 3)
1062
- throw new P("Invalid JWT");
1062
+ throw new k("Invalid JWT");
1063
1063
  if (!t)
1064
- throw new P("JWTs must contain a payload");
1064
+ throw new k("JWTs must contain a payload");
1065
1065
  let n;
1066
1066
  try {
1067
1067
  n = pe(t);
1068
1068
  } catch {
1069
- throw new P("Failed to base64url decode the payload");
1069
+ throw new k("Failed to base64url decode the payload");
1070
1070
  }
1071
1071
  let i;
1072
1072
  try {
1073
1073
  i = JSON.parse(H.decode(n));
1074
1074
  } catch {
1075
- throw new P("Failed to parse the decoded payload as JSON");
1075
+ throw new k("Failed to parse the decoded payload as JSON");
1076
1076
  }
1077
1077
  if (!x(i))
1078
- throw new P("Invalid JWT Claims Set");
1078
+ throw new k("Invalid JWT Claims Set");
1079
1079
  return i;
1080
1080
  }
1081
1081
  const h = class h {
@@ -1149,22 +1149,22 @@ const h = class h {
1149
1149
  }
1150
1150
  };
1151
1151
  /** All flows are allowed */
1152
- a(h, "All", "all"), /** OAuth authorization code flow (without PKCE) */
1153
- a(h, "AuthorizationCode", "authorizationCode"), /** OAuth authorization code flow with PKCE */
1154
- a(h, "AuthorizationCodeWithPKCE", "authorizationCodeWithPKCE"), /** Auth client credentials flow */
1155
- a(h, "ClientCredentials", "clientCredentials"), /** OAuth refresh token flow */
1156
- a(h, "RefreshToken", "refreshToken"), /** OAuth device code flow */
1157
- a(h, "DeviceCode", "deviceCode"), /** OAuth password flow */
1158
- a(h, "Password", "password"), /** The Auth0 password MFA extension to the password flow */
1159
- a(h, "PasswordMfa", "passwordMfa"), /** The OpenID Connect authorization code flow, with or without
1152
+ c(h, "All", "all"), /** OAuth authorization code flow (without PKCE) */
1153
+ c(h, "AuthorizationCode", "authorizationCode"), /** OAuth authorization code flow with PKCE */
1154
+ c(h, "AuthorizationCodeWithPKCE", "authorizationCodeWithPKCE"), /** Auth client credentials flow */
1155
+ c(h, "ClientCredentials", "clientCredentials"), /** OAuth refresh token flow */
1156
+ c(h, "RefreshToken", "refreshToken"), /** OAuth device code flow */
1157
+ c(h, "DeviceCode", "deviceCode"), /** OAuth password flow */
1158
+ c(h, "Password", "password"), /** The Auth0 password MFA extension to the password flow */
1159
+ c(h, "PasswordMfa", "passwordMfa"), /** The OpenID Connect authorization code flow, with or without
1160
1160
  * PKCE.
1161
1161
  */
1162
- a(h, "OidcAuthorizationCode", "oidcAuthorizationCode"), /** A user friendly name for the given flow ID
1162
+ c(h, "OidcAuthorizationCode", "oidcAuthorizationCode"), /** A user friendly name for the given flow ID
1163
1163
  *
1164
1164
  * For example, if you pass "authorizationCode"
1165
1165
  * (`OAuthFlows.AuthorizationCode`) you will get `"Authorization Code"`.
1166
1166
  */
1167
- a(h, "flowName", {
1167
+ c(h, "flowName", {
1168
1168
  [h.AuthorizationCode]: "Authorization Code",
1169
1169
  [h.AuthorizationCodeWithPKCE]: "Authorization Code with PKCE",
1170
1170
  [h.ClientCredentials]: "Client Credentials",
@@ -1175,7 +1175,7 @@ a(h, "flowName", {
1175
1175
  [h.OidcAuthorizationCode]: "OIDC Authorization Code"
1176
1176
  });
1177
1177
  let re = h;
1178
- var _, v;
1178
+ var v, S;
1179
1179
  class nt {
1180
1180
  /**
1181
1181
  * Constructor.
@@ -1211,36 +1211,36 @@ class nt {
1211
1211
  redirect_uri: i,
1212
1212
  codeChallengeMethod: o,
1213
1213
  stateLength: s,
1214
- verifierLength: c,
1214
+ verifierLength: a,
1215
1215
  tokenConsumer: d,
1216
1216
  authServerCredentials: f,
1217
- authServerMode: T,
1218
- authServerHeaders: O
1217
+ authServerMode: y,
1218
+ authServerHeaders: T
1219
1219
  }) {
1220
- a(this, "authServerBaseUrl", "");
1221
- $(this, _);
1220
+ c(this, "authServerBaseUrl", "");
1222
1221
  $(this, v);
1223
- a(this, "codeChallengeMethod", "S256");
1224
- a(this, "verifierLength", 32);
1225
- a(this, "redirect_uri");
1226
- a(this, "stateLength", 32);
1227
- a(this, "authzCode", "");
1228
- a(this, "oidcConfig");
1229
- a(this, "tokenConsumer");
1230
- a(this, "authServerHeaders", {});
1231
- a(this, "authServerMode");
1232
- a(this, "authServerCredentials");
1233
- a(this, "oauthPostType", "json");
1234
- a(this, "oauthLogFetch", !1);
1235
- a(this, "oauthUseUserInfoEndpoint", !1);
1236
- a(this, "oauthAuthorizeRedirect");
1237
- this.tokenConsumer = d, this.authServerBaseUrl = t, c && (this.verifierLength = c), s && (this.stateLength = s), r && D(this, _, r), n && D(this, v, n), i && (this.redirect_uri = i), o && (this.codeChallengeMethod = o), this.authServerBaseUrl = t, f && (this.authServerCredentials = f), T && (this.authServerMode = T), O && (this.authServerHeaders = O);
1222
+ $(this, S);
1223
+ c(this, "codeChallengeMethod", "S256");
1224
+ c(this, "verifierLength", 32);
1225
+ c(this, "redirect_uri");
1226
+ c(this, "stateLength", 32);
1227
+ c(this, "authzCode", "");
1228
+ c(this, "oidcConfig");
1229
+ c(this, "tokenConsumer");
1230
+ c(this, "authServerHeaders", {});
1231
+ c(this, "authServerMode");
1232
+ c(this, "authServerCredentials");
1233
+ c(this, "oauthPostType", "json");
1234
+ c(this, "oauthLogFetch", !1);
1235
+ c(this, "oauthUseUserInfoEndpoint", !1);
1236
+ c(this, "oauthAuthorizeRedirect");
1237
+ this.tokenConsumer = d, this.authServerBaseUrl = t, a && (this.verifierLength = a), s && (this.stateLength = s), r && D(this, v, r), n && D(this, S, n), i && (this.redirect_uri = i), o && (this.codeChallengeMethod = o), this.authServerBaseUrl = t, f && (this.authServerCredentials = f), y && (this.authServerMode = y), T && (this.authServerHeaders = T);
1238
1238
  }
1239
1239
  set client_id(t) {
1240
- D(this, _, t);
1240
+ D(this, v, t);
1241
1241
  }
1242
1242
  set client_secret(t) {
1243
- D(this, v, t);
1243
+ D(this, S, t);
1244
1244
  }
1245
1245
  /**
1246
1246
  * Loads OpenID Connect configuration so that the client can determine
@@ -1270,8 +1270,8 @@ class nt {
1270
1270
  l.logger.error(u({ err: n }));
1271
1271
  }
1272
1272
  if (!r || !r.ok)
1273
- throw new g(
1274
- y.Connection,
1273
+ throw new p(
1274
+ m.Connection,
1275
1275
  "Couldn't get OIDC configuration from URL" + this.authServerBaseUrl + "/.well-known/openid-configuration"
1276
1276
  );
1277
1277
  this.oidcConfig = { ...ie };
@@ -1280,8 +1280,8 @@ class nt {
1280
1280
  for (const [i, o] of Object.entries(n))
1281
1281
  this.oidcConfig[i] = o;
1282
1282
  } catch {
1283
- throw new g(
1284
- y.Connection,
1283
+ throw new p(
1284
+ m.Connection,
1285
1285
  "Unrecognized response from OIDC configuration endpoint"
1286
1286
  );
1287
1287
  }
@@ -1308,19 +1308,24 @@ class nt {
1308
1308
  * - `error_description` friendly error message or undefined
1309
1309
  * if no error
1310
1310
  */
1311
- async startAuthorizationCodeFlow(t, r, n, i = !1) {
1312
- var c, d, f;
1313
- if (l.logger.debug(u({ msg: "Starting authorization code flow" })), this.oidcConfig || await this.loadConfig(), !((c = this.oidcConfig) != null && c.response_types_supported.includes("code")) || !((d = this.oidcConfig) != null && d.response_modes_supported.includes("query")))
1311
+ async startAuthorizationCodeFlow(t, {
1312
+ scope: r,
1313
+ codeChallenge: n,
1314
+ pkce: i = !1,
1315
+ upstream: o
1316
+ }) {
1317
+ var d, f, y;
1318
+ if (l.logger.debug(u({ msg: "Starting authorization code flow, scope " + r })), this.oidcConfig || await this.loadConfig(), !((d = this.oidcConfig) != null && d.response_types_supported.includes("code")) || !((f = this.oidcConfig) != null && f.response_modes_supported.includes("query")))
1314
1319
  return {
1315
1320
  error: "invalid_request",
1316
1321
  error_description: "Server does not support authorization code flow"
1317
1322
  };
1318
- if (!((f = this.oidcConfig) != null && f.authorization_endpoint))
1323
+ if (!((y = this.oidcConfig) != null && y.authorization_endpoint))
1319
1324
  return {
1320
1325
  error: "server_error",
1321
1326
  error_description: "Cannot get authorize endpoint"
1322
1327
  };
1323
- if (!p(this, _)) return {
1328
+ if (!g(this, v)) return {
1324
1329
  error: "invalid_request",
1325
1330
  error_description: "Cannot make authorization code flow without client id"
1326
1331
  };
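Review bot: A caller still using the 1.1.2 positional form `startAuthorizationCodeFlow(state, scope, codeChallenge, true)` is not rejected by the new signature: a string second argument destructures to an undefined `scope` and `codeChallenge` and to the `pkce = !1` default, so the `i && n &&` guard in the following hunk skips `code_challenge` and the authorization URL is returned without PKCE and without the requested scope. Omitting the second argument throws a TypeError instead of returning an `{ error, error_description }` object like the other failure paths in this method. I would default the options to `{}` and fail visibly on a stale call site, for example `if (typeof options !== "object" || options === null) return { error: "invalid_request", error_description: "Options must be an object" };`. `redirectEndpoint` in a later hunk gets the same undefaulted destructured signature. The method body continues past this hunk.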
@@ -1328,10 +1333,10 @@ class nt {
1328
1333
  error: "invalid_request",
1329
1334
  error_description: "Cannot make authorization code flow without Redirect Uri"
1330
1335
  };
1331
- let o = this.oidcConfig.authorization_endpoint;
1332
- this.oauthAuthorizeRedirect && (o = this.oauthAuthorizeRedirect);
1333
- let s = o + "?response_type=code&client_id=" + encodeURIComponent(p(this, _)) + "&state=" + encodeURIComponent(t) + "&redirect_uri=" + encodeURIComponent(this.redirect_uri);
1334
- return r && (s += "&scope=" + encodeURIComponent(r)), i && n && (s += "&code_challenge=" + n), { url: s };
1336
+ let s = this.oidcConfig.authorization_endpoint;
1337
+ this.oauthAuthorizeRedirect && (s = this.oauthAuthorizeRedirect);
1338
+ let a = s + "?response_type=code&client_id=" + encodeURIComponent(g(this, v)) + "&state=" + encodeURIComponent(t) + "&redirect_uri=" + encodeURIComponent(this.redirect_uri);
1339
+ return r && (a += "&scope=" + encodeURIComponent(r)), i && n && (a += "&code_challenge=" + n), { url: a };
1335
1340
  }
1336
1341
  async codeChallengeAndVerifier() {
1337
1342
  const t = this.randomValue(this.verifierLength);
@@ -1351,7 +1356,7 @@ class nt {
1351
1356
  }
1352
1357
  return { payload: o };
1353
1358
  } catch (o) {
1354
- const s = g.asCrossauthError(o);
1359
+ const s = p.asCrossauthError(o);
1355
1360
  return l.logger.debug(u({ err: s })), l.logger.error(u({ msg: "Couldn't get user info", cerr: s })), n = s.oauthErrorCode, i = "Couldn't get user info: " + s.message, { error: n, error_description: i };
1356
1361
  }
1357
1362
  }
@@ -1361,7 +1366,7 @@ class nt {
1361
1366
  let o;
1362
1367
  return o = await this.validateAccessToken(t, r), o ? { payload: o } : (n = "access_denied", i = "Invalid access token received", { error: n, error_description: i });
1363
1368
  } catch (o) {
1364
- const s = g.asCrossauthError(o);
1369
+ const s = p.asCrossauthError(o);
1365
1370
  return l.logger.debug(u({ err: s })), l.logger.error(u({ msg: "Couldn't get user info", cerr: s })), n = s.oauthErrorCode, i = "Couldn't get user info: " + s.message, { error: n, error_description: i };
1366
1371
  }
1367
1372
  }
@@ -1385,41 +1390,47 @@ class nt {
1385
1390
  * @returns The {@link OAuthTokenResponse} from the `token` endpoint
1386
1391
  * request, or `error` and `error_description`.
1387
1392
  */
1388
- async redirectEndpoint(t, r, n, i, o) {
1389
- var T, O;
1393
+ async redirectEndpoint({
1394
+ code: t,
1395
+ scope: r,
1396
+ codeVerifier: n,
1397
+ error: i,
1398
+ errorDescription: o
1399
+ }) {
1400
+ var y, T;
1390
1401
  if (this.oidcConfig || await this.loadConfig(), i || !t)
1391
1402
  return i || (i = "server_error"), o || (o = "Unknown error"), { error: i, error_description: o };
1392
- if (this.authzCode = t, !((T = this.oidcConfig) != null && T.grant_types_supported.includes("authorization_code")))
1403
+ if (this.authzCode = t, !((y = this.oidcConfig) != null && y.grant_types_supported.includes("authorization_code")))
1393
1404
  return {
1394
1405
  error: "invalid_request",
1395
1406
  error_description: "Server does not support authorization code grant"
1396
1407
  };
1397
- if (!((O = this.oidcConfig) != null && O.token_endpoint))
1408
+ if (!((T = this.oidcConfig) != null && T.token_endpoint))
1398
1409
  return {
1399
1410
  error: "server_error",
1400
1411
  error_description: "Cannot get token endpoint"
1401
1412
  };
1402
1413
  const s = this.oidcConfig.token_endpoint;
1403
- let c, d;
1404
- c = "authorization_code", d = p(this, v);
1414
+ let a, d;
1415
+ a = "authorization_code", d = g(this, S);
1405
1416
  let f = {
1406
- grant_type: c,
1407
- client_id: p(this, _),
1417
+ grant_type: a,
1418
+ client_id: g(this, v),
1408
1419
  code: this.authzCode,
1409
1420
  redirect_uri: this.redirect_uri
1410
1421
  };
1411
1422
  r && (f.scope = r), d && (f.client_secret = d), n && (f.code_verifier = n);
1412
1423
  try {
1413
- let b = await this.post(s, f, this.authServerHeaders);
1414
- if (b.id_token) {
1415
- const R = await this.getIdPayload(b.id_token, b.access_token);
1416
- if (R.error)
1417
- return R;
1418
- b.id_payload = R.payload;
1424
+ let C = await this.post(s, f, this.authServerHeaders);
1425
+ if (C.id_token) {
1426
+ const P = await this.getIdPayload(C.id_token, C.access_token);
1427
+ if (P.error)
1428
+ return P;
1429
+ C.id_payload = P.payload;
1419
1430
  }
1420
- return b;
1421
- } catch (b) {
1422
- return l.logger.error(u({ err: b })), {
1431
+ return C;
1432
+ } catch (C) {
1433
+ return l.logger.error(u({ err: C })), {
1423
1434
  error: "server_error",
1424
1435
  error_description: "Unable to get access token from server"
1425
1436
  };
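Review bot: The new options object for `redirectEndpoint` carries `code`, `scope`, `codeVerifier`, `error` and `errorDescription` but no `state`, so nothing in this method can compare the returned state with the one passed to `startAuthorizationCodeFlow`. The doc comment should say so, for example `* The caller must verify the state query parameter against the stored value before calling this method.` `error` and `errorDescription` are returned unchanged in the first branch; they presumably originate from the redirect request, so the comment should also note that they are untrusted and need escaping before display. The doc comment begins above this hunk.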
@@ -1448,24 +1459,24 @@ class nt {
1448
1459
  };
1449
1460
  if (!((o = this.oidcConfig) != null && o.token_endpoint))
1450
1461
  return { error: "server_error", error_description: "Cannot get token endpoint" };
1451
- if (!p(this, _)) return {
1462
+ if (!g(this, v)) return {
1452
1463
  error: "invalid_request",
1453
1464
  error_description: "Cannot make client credentials flow without client id"
1454
1465
  };
1455
1466
  const r = this.oidcConfig.token_endpoint;
1456
1467
  let n = {
1457
1468
  grant_type: "client_credentials",
1458
- client_id: p(this, _),
1459
- client_secret: p(this, v)
1469
+ client_id: g(this, v),
1470
+ client_secret: g(this, S)
1460
1471
  };
1461
1472
  t && (n.scope = t);
1462
1473
  try {
1463
1474
  let s = await this.post(r, n, this.authServerHeaders);
1464
1475
  if (s.id_token) {
1465
- const c = await this.getIdPayload(s.id_token, s.access_token);
1466
- if (c.error)
1467
- return c;
1468
- s.id_payload = c.payload;
1476
+ const a = await this.getIdPayload(s.id_token, s.access_token);
1477
+ if (a.error)
1478
+ return a;
1479
+ s.id_payload = a.payload;
1469
1480
  }
1470
1481
  return s;
1471
1482
  } catch (s) {
@@ -1491,13 +1502,13 @@ class nt {
1491
1502
  *
1492
1503
  */
1493
1504
  async passwordFlow(t, r, n) {
1494
- var s, c;
1505
+ var s, a;
1495
1506
  if (l.logger.debug(u({ msg: "Starting password flow" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("password")))
1496
1507
  return {
1497
1508
  error: "invalid_request",
1498
1509
  error_description: "Server does not support password grant"
1499
1510
  };
1500
- if (!((c = this.oidcConfig) != null && c.token_endpoint))
1511
+ if (!((a = this.oidcConfig) != null && a.token_endpoint))
1501
1512
  return {
1502
1513
  error: "server_error",
1503
1514
  error_description: "Cannot get token endpoint"
@@ -1505,8 +1516,8 @@ class nt {
1505
1516
  const i = this.oidcConfig.token_endpoint;
1506
1517
  let o = {
1507
1518
  grant_type: "password",
1508
- client_id: p(this, _),
1509
- client_secret: p(this, v),
1519
+ client_id: g(this, v),
1520
+ client_secret: g(this, S),
1510
1521
  username: t,
1511
1522
  password: r
1512
1523
  };
@@ -1541,13 +1552,13 @@ class nt {
1541
1552
  * documentation
1542
1553
  */
1543
1554
  async mfaAuthenticators(t) {
1544
- var o, s, c;
1555
+ var o, s, a;
1545
1556
  if (l.logger.debug(u({ msg: "Getting valid MFA authenticators" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")) && ((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
1546
1557
  return {
1547
1558
  error: "invalid_request",
1548
1559
  error_description: "Server does not support password_mfa grant"
1549
1560
  };
1550
- if (!((c = this.oidcConfig) != null && c.issuer))
1561
+ if (!((a = this.oidcConfig) != null && a.issuer))
1551
1562
  return { error: "server_error", error_description: "Cannot get issuer" };
1552
1563
  const r = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/authenticators", n = await this.get(r, { authorization: "Bearer " + t, ...this.authServerHeaders });
1553
1564
  if (!Array.isArray(n))
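Review bot: The grant-type check at the top of `mfaAuthenticators` negates only the `mfa-otp` lookup and then requires the `mfa-oob` lookup to be true, so `invalid_request` is returned only when the server lacks OTP but advertises OOB. A server that advertises neither grant passes the check, which suggests the second operand is missing a negation; the intended condition is presumably `!otpSupported && !oobSupported`. This hunk only renames minified locals and the condition is unchanged context, so the fix belongs in the package source rather than in this bundle. The method continues past the hunk.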
@@ -1595,8 +1606,8 @@ class nt {
1595
1606
  if (!((s = this.oidcConfig) != null && s.issuer))
1596
1607
  return { error: "server_error", error_description: "Cannot get issuer" };
1597
1608
  const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", i = await this.post(n, {
1598
- client_id: p(this, _),
1599
- client_secret: p(this, v),
1609
+ client_id: g(this, v),
1610
+ client_secret: g(this, S),
1600
1611
  challenge_type: "otp",
1601
1612
  mfa_token: t,
1602
1613
  authenticator_id: r
@@ -1624,18 +1635,18 @@ class nt {
1624
1635
  * - `error_description` friendly error message
1625
1636
  */
1626
1637
  async mfaOtpComplete(t, r, n) {
1627
- var s, c;
1638
+ var s, a;
1628
1639
  if (l.logger.debug(u({ msg: "Completing MFA OTP request" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
1629
1640
  return {
1630
1641
  error: "invalid_request",
1631
1642
  error_description: "Server does not support password_mfa grant"
1632
1643
  };
1633
- if (!((c = this.oidcConfig) != null && c.issuer))
1644
+ if (!((a = this.oidcConfig) != null && a.issuer))
1634
1645
  return { error: "server_error", error_description: "Cannot get issuer" };
1635
1646
  const i = this.oidcConfig.token_endpoint, o = await this.post(i, {
1636
1647
  grant_type: "http://auth0.com/oauth/grant-type/mfa-otp",
1637
- client_id: p(this, _),
1638
- client_secret: p(this, v),
1648
+ client_id: g(this, v),
1649
+ client_secret: g(this, S),
1639
1650
  challenge_type: "otp",
1640
1651
  mfa_token: t,
1641
1652
  otp: r,
@@ -1686,8 +1697,8 @@ class nt {
1686
1697
  if (!((s = this.oidcConfig) != null && s.issuer))
1687
1698
  return { error: "server_error", error_description: "Cannot get issuer" };
1688
1699
  const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", i = await this.post(n, {
1689
- client_id: p(this, _),
1690
- client_secret: p(this, v),
1700
+ client_id: g(this, v),
1701
+ client_secret: g(this, S),
1691
1702
  challenge_type: "oob",
1692
1703
  mfa_token: t,
1693
1704
  authenticator_id: r
@@ -1712,8 +1723,8 @@ class nt {
1712
1723
  * an error instead of the response fields.
1713
1724
  */
1714
1725
  async mfaOobComplete(t, r, n, i) {
1715
- var c, d;
1716
- if (l.logger.debug(u({ msg: "Completing MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((c = this.oidcConfig) != null && c.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
1726
+ var a, d;
1727
+ if (l.logger.debug(u({ msg: "Completing MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((a = this.oidcConfig) != null && a.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
1717
1728
  return {
1718
1729
  error: "invalid_request",
1719
1730
  error_description: "Server does not support password_mfa grant"
@@ -1722,8 +1733,8 @@ class nt {
1722
1733
  return { error: "server_error", error_description: "Cannot get issuer" };
1723
1734
  const o = this.oidcConfig.token_endpoint, s = await this.post(o, {
1724
1735
  grant_type: "http://auth0.com/oauth/grant-type/mfa-oob",
1725
- client_id: p(this, _),
1726
- client_secret: p(this, v),
1736
+ client_id: g(this, v),
1737
+ client_secret: g(this, S),
1727
1738
  challenge_type: "otp",
1728
1739
  mfa_token: t,
1729
1740
  oob_code: r,
@@ -1766,24 +1777,24 @@ class nt {
1766
1777
  };
1767
1778
  const r = this.oidcConfig.token_endpoint;
1768
1779
  let n;
1769
- n = p(this, v);
1780
+ n = g(this, S);
1770
1781
  let i = {
1771
1782
  grant_type: "refresh_token",
1772
1783
  refresh_token: t,
1773
- client_id: p(this, _)
1784
+ client_id: g(this, v)
1774
1785
  };
1775
1786
  n && (i.client_secret = n);
1776
1787
  try {
1777
- let c = await this.post(r, i, this.authServerHeaders);
1778
- if (c.id_token) {
1779
- const d = await this.getIdPayload(c.id_token, c.access_token);
1788
+ let a = await this.post(r, i, this.authServerHeaders);
1789
+ if (a.id_token) {
1790
+ const d = await this.getIdPayload(a.id_token, a.access_token);
1780
1791
  if (d.error)
1781
1792
  return d;
1782
- c.id_payload = d.payload;
1793
+ a.id_payload = d.payload;
1783
1794
  }
1784
- return c;
1785
- } catch (c) {
1786
- return l.logger.error(u({ err: c })), {
1795
+ return a;
1796
+ } catch (a) {
1797
+ return l.logger.error(u({ err: a })), {
1787
1798
  error: "server_error",
1788
1799
  error_description: "Error connecting to authorization server"
1789
1800
  };
@@ -1806,8 +1817,8 @@ class nt {
1806
1817
  };
1807
1818
  let n = {
1808
1819
  grant_type: "urn:ietf:params:oauth:grant-type:device_code",
1809
- client_id: p(this, _),
1810
- client_secret: p(this, v)
1820
+ client_id: g(this, v),
1821
+ client_secret: g(this, S)
1811
1822
  };
1812
1823
  r && (n.scope = r);
1813
1824
  try {
@@ -1841,18 +1852,18 @@ class nt {
1841
1852
  };
1842
1853
  let r = {
1843
1854
  grant_type: "urn:ietf:params:oauth:grant-type:device_code",
1844
- client_id: p(this, _),
1845
- client_secret: p(this, v),
1855
+ client_id: g(this, v),
1856
+ client_secret: g(this, S),
1846
1857
  device_code: t
1847
1858
  };
1848
1859
  try {
1849
1860
  const s = await this.post((o = this.oidcConfig) == null ? void 0 : o.token_endpoint, r, this.authServerHeaders);
1850
1861
  if (s.error) return s;
1851
1862
  if (s.id_token) {
1852
- const c = await this.getIdPayload(s.id_token, s.access_token);
1853
- if (c.error)
1854
- return c;
1855
- s.id_payload = c.payload;
1863
+ const a = await this.getIdPayload(s.id_token, s.access_token);
1864
+ if (a.error)
1865
+ return a;
1866
+ s.id_payload = a.payload;
1856
1867
  }
1857
1868
  return s;
1858
1869
  } catch (s) {
@@ -1882,35 +1893,44 @@ class nt {
1882
1893
  * @returns the parsed JSON response as an object.
1883
1894
  * @throws any exception raised by `fetch()`
1884
1895
  */
1885
- async post(t, r, n = {}) {
1896
+ async post(t, r, n = {}, i) {
1886
1897
  l.logger.debug(u({
1887
1898
  msg: "Fetch POST",
1888
1899
  url: t,
1889
1900
  params: Object.keys(r)
1890
1901
  }));
1891
- let i = {};
1892
- this.authServerCredentials && (i.credentials = this.authServerCredentials), this.authServerMode && (i.mode = this.authServerMode);
1893
- let o = "", s = "";
1902
+ let o = {};
1903
+ this.authServerCredentials && (o.credentials = this.authServerCredentials), this.authServerMode && (o.mode = this.authServerMode);
1904
+ let s = "", a = "";
1894
1905
  if (this.oauthPostType == "json")
1895
- o = JSON.stringify(r), s = "application/json";
1906
+ s = JSON.stringify(r), a = "application/json";
1896
1907
  else {
1897
- o = "";
1898
- for (let f in r)
1899
- o != "" && (o += "&"), o += encodeURIComponent(f) + "=" + encodeURIComponent(r[f]);
1900
- s = "application/x-www-form-urlencoded";
1908
+ s = "";
1909
+ for (let y in r)
1910
+ s != "" && (s += "&"), s += encodeURIComponent(y) + "=" + encodeURIComponent(r[y]);
1911
+ a = "application/x-www-form-urlencoded";
1901
1912
  }
1902
- this.oauthLogFetch && l.logger.debug(u({ msg: "OAuth fetch", method: "POST", url: t, body: o }));
1903
- const d = await (await fetch(t, {
1913
+ this.oauthLogFetch && l.logger.debug(u({ msg: "OAuth fetch", method: "POST", url: t, body: s }));
1914
+ let d = {};
1915
+ i && (d = i);
1916
+ const f = await fetch(t, {
1904
1917
  method: "POST",
1905
- ...i,
1918
+ ...o,
1906
1919
  headers: {
1907
1920
  Accept: "application/json",
1908
- "Content-Type": s,
1921
+ "Content-Type": a,
1909
1922
  ...n
1910
1923
  },
1911
- body: o
1912
- })).json();
1913
- return this.oauthLogFetch && l.logger.debug(u({ msg: "OAuth fetch response", body: JSON.stringify(d) })), d;
1924
+ ...d,
1925
+ body: s
1926
+ });
1927
+ try {
1928
+ const y = await f.clone().json();
1929
+ return this.oauthLogFetch && l.logger.debug(u({ msg: "OAuth fetch response", body: JSON.stringify(y) })), await f.json(), y;
1930
+ } catch (y) {
1931
+ let T = p.asCrossauthError(y);
1932
+ throw s = await f.text(), l.logger.debug(u({ msg: "Response is not JSON", response: s })), T;
1933
+ }
1914
1934
  }
1915
1935
  /**
1916
1936
  * Makes a GET request to the given URL using `fetch()`.
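Review bot: The new `catch` branch in `post` logs the raw response text at debug level without the `this.oauthLogFetch` check that guards the other body logging in this method, so a non-JSON reply from the token endpoint reaches the log regardless of that setting. I would gate it the same way: `this.oauthLogFetch && l.logger.debug(u({ msg: "Response is not JSON", response: s }))`. The `await f.json()` that follows `f.clone().json()` parses the body a second time and discards the result, so it can be dropped. The new fourth argument is spread after `headers`, so a `headers` key in it replaces `Accept`, `Content-Type` and the auth-server headers wholesale, which the doc comment should state. Its `@throws` line is also stale now that the method throws the result of `p.asCrossauthError(...)`.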
@@ -1985,7 +2005,7 @@ class nt {
1985
2005
  return tt(t);
1986
2006
  }
1987
2007
  }
1988
- _ = new WeakMap(), v = new WeakMap();
2008
+ v = new WeakMap(), S = new WeakMap();
1989
2009
  class ot {
1990
2010
  /**
1991
2011
  * Constrctor
@@ -1995,27 +2015,27 @@ class ot {
1995
2015
  * @param options See {@link OAuthTokenConsumerBaseOptions}.
1996
2016
  */
1997
2017
  constructor(t, r = {}) {
1998
- a(this, "audience");
1999
- a(this, "jwtKeyType");
2000
- a(this, "jwtSecretKey");
2001
- a(this, "jwtPublicKey");
2002
- a(this, "clockTolerance", 10);
2003
- a(this, "authServerBaseUrl", "");
2018
+ c(this, "audience");
2019
+ c(this, "jwtKeyType");
2020
+ c(this, "jwtSecretKey");
2021
+ c(this, "jwtPublicKey");
2022
+ c(this, "clockTolerance", 10);
2023
+ c(this, "authServerBaseUrl", "");
2004
2024
  /**
2005
2025
  * The OpenID Connect configuration for the authorization server,
2006
2026
  * either passed to the constructor or fetched from the authorization
2007
2027
  * server.
2008
2028
  */
2009
- a(this, "oidcConfig");
2029
+ c(this, "oidcConfig");
2010
2030
  /**
2011
2031
  * The RSA public keys or symmetric keys for the authorization server,
2012
2032
  * either passed to the constructor or fetched from the authorization
2013
2033
  * server.
2014
2034
  */
2015
- a(this, "keys", {});
2035
+ c(this, "keys", {});
2016
2036
  if (this.audience = t, r.authServerBaseUrl && (this.authServerBaseUrl = r.authServerBaseUrl), r.jwtKeyType && (this.jwtKeyType = r.jwtKeyType), r.jwtSecretKey && (this.jwtSecretKey = r.jwtSecretKey), r.jwtPublicKey && (this.jwtPublicKey = r.jwtPublicKey), r.clockTolerance && (this.clockTolerance = r.clockTolerance), r.oidcConfig && (this.oidcConfig = r.oidcConfig), this.jwtPublicKey && !this.jwtKeyType)
2017
- throw new g(
2018
- y.Configuration,
2037
+ throw new p(
2038
+ m.Configuration,
2019
2039
  "If specifying jwtPublic key, must also specify jwtKeyType"
2020
2040
  );
2021
2041
  }
@@ -2031,29 +2051,29 @@ class ot {
2031
2051
  try {
2032
2052
  if (this.jwtSecretKey) {
2033
2053
  if (!this.jwtKeyType)
2034
- throw new g(
2035
- y.Configuration,
2054
+ throw new p(
2055
+ m.Configuration,
2036
2056
  "Must specify jwtKeyType if setting jwtSecretKey"
2037
2057
  );
2038
2058
  this.keys._default = await Be(this.jwtSecretKey, this.jwtKeyType);
2039
2059
  } else if (this.jwtPublicKey) {
2040
2060
  if (!this.jwtKeyType)
2041
- throw new g(
2042
- y.Configuration,
2061
+ throw new p(
2062
+ m.Configuration,
2043
2063
  "Must specify jwtKeyType if setting jwtPublicKey"
2044
2064
  );
2045
2065
  const r = await $e(this.jwtPublicKey, this.jwtKeyType);
2046
2066
  this.keys._default = r;
2047
2067
  } else {
2048
2068
  if (this.oidcConfig || await this.loadConfig(), !this.oidcConfig)
2049
- throw new g(
2050
- y.Connection,
2069
+ throw new p(
2070
+ m.Connection,
2051
2071
  "Load OIDC config before Jwks"
2052
2072
  );
2053
2073
  await this.loadJwks(void 0, t);
2054
2074
  }
2055
2075
  } catch (r) {
2056
- throw l.logger.debug(u({ err: r })), new g(y.Connection, "Couldn't load keys");
2076
+ throw l.logger.debug(u({ err: r })), new p(m.Connection, "Couldn't load keys");
2057
2077
  }
2058
2078
  }
2059
2079
  /**
@@ -2071,7 +2091,7 @@ class ot {
2071
2091
  return;
2072
2092
  }
2073
2093
  if (!this.authServerBaseUrl)
2074
- throw new g(y.Connection, "Couldn't get OIDC configuration. Either set authServerBaseUrl or set config manually");
2094
+ throw new p(m.Connection, "Couldn't get OIDC configuration. Either set authServerBaseUrl or set config manually");
2075
2095
  let r;
2076
2096
  try {
2077
2097
  let n = this.authServerBaseUrl;
@@ -2080,14 +2100,14 @@ class ot {
2080
2100
  l.logger.error(u({ err: n }));
2081
2101
  }
2082
2102
  if (!r || !r.ok)
2083
- throw new g(y.Connection, "Couldn't get OIDC configuration");
2103
+ throw new p(m.Connection, "Couldn't get OIDC configuration");
2084
2104
  this.oidcConfig = { ...ie };
2085
2105
  try {
2086
2106
  const n = await r.json();
2087
2107
  for (const [i, o] of Object.entries(n))
2088
2108
  this.oidcConfig[i] = o;
2089
2109
  } catch {
2090
- throw new g(y.Connection, "Unrecognized response from OIDC configuration endpoint");
2110
+ throw new p(m.Connection, "Unrecognized response from OIDC configuration endpoint");
2091
2111
  }
2092
2112
  }
2093
2113
  /**
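Review bot: Every key of the fetched discovery document is copied onto `this.oidcConfig` by the `for (const [i, o] of Object.entries(n))` loop with no validation, so the response fully controls `issuer`, `jwks_uri` and every other field. A `__proto__` key in the response would replace this plain object's prototype instead of adding a property. OpenID Connect Discovery requires the returned `issuer` to match the issuer the configuration was requested for; no such comparison is visible in this hunk, though it may exist where tokens are validated. I would skip `__proto__` inside the loop and reject a mismatching document after it, e.g. `if (this.oidcConfig.issuer !== expectedIssuer) throw new p(m.Connection, "OIDC issuer mismatch");`, with `expectedIssuer` derived from `authServerBaseUrl`. The method begins above this hunk and the changed lines are only minifier renames, so the fix belongs in the source this bundle is built from.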
@@ -2108,7 +2128,7 @@ class ot {
2108
2128
  }
2109
2129
  } else {
2110
2130
  if (!this.oidcConfig)
2111
- throw new g(y.Connection, "Load OIDC config before Jwks");
2131
+ throw new p(m.Connection, "Load OIDC config before Jwks");
2112
2132
  let n;
2113
2133
  try {
2114
2134
  n = await fetch(new URL(this.oidcConfig.jwks_uri));
@@ -2116,29 +2136,29 @@ class ot {
2116
2136
  l.logger.error(u({ err: i }));
2117
2137
  }
2118
2138
  if (!n || !n.ok)
2119
- throw new g(y.Connection, "Couldn't get OIDC configuration");
2139
+ throw new p(m.Connection, "Couldn't get OIDC configuration");
2120
2140
  this.keys = {};
2121
2141
  try {
2122
2142
  const i = await n.json();
2123
2143
  if (!("keys" in i) || !Array.isArray(i.keys))
2124
- throw new g(y.Connection, "Couldn't fetch keys");
2144
+ throw new p(m.Connection, "Couldn't fetch keys");
2125
2145
  for (let o = 0; o < i.keys.length; ++o)
2126
2146
  try {
2127
- let s = "_default", c = { ...i.keys[o] };
2128
- if ("kid" in c && typeof c.kid == "string" && (s = String(c.kid)), c && !c.alg && !c.jwk_alg && r)
2129
- if (r.startsWith("RS") && c.kty == "RSA")
2130
- c.alg = r;
2147
+ let s = "_default", a = { ...i.keys[o] };
2148
+ if ("kid" in a && typeof a.kid == "string" && (s = String(a.kid)), a && !a.alg && !a.jwk_alg && r)
2149
+ if (r.startsWith("RS") && a.kty == "RSA")
2150
+ a.alg = r;
2131
2151
  else {
2132
- l.logger.debug(u({ msg: "Skipping key with " + c.kty }));
2152
+ l.logger.debug(u({ msg: "Skipping key with " + a.kty }));
2133
2153
  continue;
2134
2154
  }
2135
- const d = await j(c);
2155
+ const d = await j(a);
2136
2156
  this.keys[s] = d;
2137
2157
  } catch (s) {
2138
- throw l.logger.error(u({ err: s })), new g(y.Connection, "Couldn't load keys");
2158
+ throw l.logger.error(u({ err: s })), new p(m.Connection, "Couldn't load keys");
2139
2159
  }
2140
2160
  } catch (i) {
2141
- throw l.logger.error(u({ err: i })), new g(y.Connection, "Unrecognized response from OIDC jwks endpoint");
2161
+ throw l.logger.error(u({ err: i })), new p(m.Connection, "Unrecognized response from OIDC jwks endpoint");
2142
2162
  }
2143
2163
  }
2144
2164
  }
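Review bot: `kid` values from the fetched JWKS are used directly as property names on the plain object created by `this.keys = {}`, so a `kid` of `__proto__` sets the object's prototype instead of adding an entry, and a later lookup by a token-supplied `kid` (not visible here) could resolve to inherited members such as `constructor`. `this.keys = Object.create(null);` or a `Map` avoids both. Every key without a string `kid` is also stored under `_default`, so a later kid-less entry silently replaces an earlier one; logging or rejecting the second one would make that visible. Separately, a failed JWKS fetch throws "Couldn't get OIDC configuration", which points an operator at the wrong endpoint. The method begins above this hunk and the changed lines are only minifier renames.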
@@ -2202,22 +2222,22 @@ class ot {
2202
2222
  }
2203
2223
  return o;
2204
2224
  } catch (i) {
2205
- const o = g.asCrossauthError(i);
2225
+ const o = p.asCrossauthError(i);
2206
2226
  l.logger.debug(u({ err: o })), l.logger.warn(u({ msg: "Access token did not validate", cerr: o }));
2207
2227
  return;
2208
2228
  }
2209
2229
  }
2210
2230
  }
2211
2231
  export {
2212
- g as CrossauthError,
2232
+ p as CrossauthError,
2213
2233
  l as CrossauthLogger,
2214
2234
  ie as DEFAULT_OIDCCONFIG,
2215
- y as ErrorCode,
2216
- A as KeyPrefix,
2235
+ m as ErrorCode,
2236
+ I as KeyPrefix,
2217
2237
  nt as OAuthClientBase,
2218
2238
  re as OAuthFlows,
2219
2239
  ot as OAuthTokenConsumerBase,
2220
- E as UserState,
2240
+ R as UserState,
2221
2241
  it as httpStatus,
2222
2242
  u as j
2223
2243
  };