npm - @crossauth/frontend - Versions diffs - 0.0.38 → 0.0.40 - Mend

@crossauth/frontend 0.0.38 → 0.0.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.js CHANGED Viewed

@@ -7,33 +7,33 @@ var f = (r, e, t) => Oe(r, typeof e != "symbol" ? e + "" : e, t), de = (r, e, t)
 var p = (r, e, t) => (de(r, e, "read from private field"), t ? t.call(r) : e.get(r)), E = (r, e, t) => e.has(r) ? ce("Cannot add the same private member more than once") : e instanceof WeakSet ? e.add(r) : e.set(r, t), T = (r, e, t, o) => (de(r, e, "write to private field"), o ? o.call(r, t) : e.set(r, t), t);
 var Ne = Object.defineProperty, ye = (r) => {
   throw TypeError(r);
-}, He = (r, e, t) => e in r ? Ne(r, e, { enumerable: !0, configurable: !0, writable: !0, value: t }) : r[e] = t, l = (r, e, t) => He(r, typeof e != "symbol" ? e + "" : e, t), we = (r, e, t) => e.has(r) || ye("Cannot " + t), w = (r, e, t) => (we(r, e, "read from private field"), e.get(r)), he = (r, e, t) => e.has(r) ? ye("Cannot add the same private member more than once") : e instanceof WeakSet ? e.add(r) : e.set(r, t), Y = (r, e, t, o) => (we(r, e, "write to private field"), e.set(r, t), t);
+}, He = (r, e, t) => e in r ? Ne(r, e, { enumerable: !0, configurable: !0, writable: !0, value: t }) : r[e] = t, u = (r, e, t) => He(r, typeof e != "symbol" ? e + "" : e, t), we = (r, e, t) => e.has(r) || ye("Cannot " + t), w = (r, e, t) => (we(r, e, "read from private field"), e.get(r)), he = (r, e, t) => e.has(r) ? ye("Cannot add the same private member more than once") : e instanceof WeakSet ? e.add(r) : e.set(r, t), Y = (r, e, t, o) => (we(r, e, "write to private field"), e.set(r, t), t);
 class H {
 }
-l(H, "active", "active"), /** Deactivated account.  User cannot log in */
-l(H, "disabled", "disabled"), /** Two factor authentication has been actived for this user
+u(H, "active", "active"), /** Deactivated account.  User cannot log in */
+u(H, "disabled", "disabled"), /** Two factor authentication has been actived for this user
 * but has not yet been configured.  Once a user logs in,
 * they will be directed to a page to configure 2FA and will
 * not be able to do anything else (that requires login) until
 * they have done so.
 */
-l(H, "awaitingTwoFactorSetup", "awaitingtwofactorsetup"), /** Email verification has been turned on but user has not
+u(H, "awaitingTwoFactorSetup", "awaitingtwofactorsetup"), /** Email verification has been turned on but user has not
 * verified his or her email address.  Cannot log on until it has
 * been verified.
 */
-l(H, "awaitingEmailVerification", "awaitingemailverification"), /**
+u(H, "awaitingEmailVerification", "awaitingemailverification"), /**
 * If the state is set to this, the user may not access any
 * login-required functions unless he or she has changed their password.
 *
 * Upon login, the user is redirected to the change password page.
 */
-l(H, "passwordChangeNeeded", "passwordchangeneeded"), /**
+u(H, "passwordChangeNeeded", "passwordchangeneeded"), /**
 * If the state is set to this, the user may not access any
 * login-required functions unless he or she has reset their password.
 *
 * Upon login, the user is redirected to the reset password page.
 */
-l(H, "passwordResetNeeded", "passwordresetneeded"), /**
+u(H, "passwordResetNeeded", "passwordresetneeded"), /**
 * If the state is set to this, the user may not access any
 * login-required functions unless he or she has reset their second
 * factor configuration.
@@ -44,26 +44,26 @@ l(H, "passwordResetNeeded", "passwordresetneeded"), /**
 * this value and the user will then be prompted to configure 2FA
 * upon login.
 */
-l(H, "factor2ResetNeeded", "factor2resetneeded"), /**
+u(H, "factor2ResetNeeded", "factor2resetneeded"), /**
 * If the state is set to this, the user may not access any
 * login-required functions unless he or she has reset their password
 * and then resets factor2.
 *
 * Upon login, the user is redirected to the reset password page.
 */
-l(H, "passwordAndFactor2ResetNeeded", "passwordandfactor2resetneeded");
+u(H, "passwordAndFactor2ResetNeeded", "passwordandfactor2resetneeded");
 class R {
 }
-l(R, "session", "s:"), /** Password Reset Token */
-l(R, "passwordResetToken", "p:"), /** Email verification token */
-l(R, "emailVerificationToken", "e:"), /** API key */
-l(R, "apiKey", "api:"), /** OAuth authorization code */
-l(R, "authorizationCode", "authz:"), /** OAuth access token */
-l(R, "accessToken", "access:"), /** OAuth refresh token */
-l(R, "refreshToken", "refresh:"), /** OAuth MFA key (used by the password MFA flow) */
-l(R, "mfaToken", "omfa:"), /** Device code device code */
-l(R, "deviceCode", "dc:"), /** Device code flow user code */
-l(R, "userCode", "uc:");
+u(R, "session", "s:"), /** Password Reset Token */
+u(R, "passwordResetToken", "p:"), /** Email verification token */
+u(R, "emailVerificationToken", "e:"), /** API key */
+u(R, "apiKey", "api:"), /** OAuth authorization code */
+u(R, "authorizationCode", "authz:"), /** OAuth access token */
+u(R, "accessToken", "access:"), /** OAuth refresh token */
+u(R, "refreshToken", "refresh:"), /** OAuth MFA key (used by the password MFA flow) */
+u(R, "mfaToken", "omfa:"), /** Device code device code */
+u(R, "deviceCode", "dc:"), /** Device code flow user code */
+u(R, "userCode", "uc:");
 var m = /* @__PURE__ */ ((r) => (r[r.UserNotExist = 0] = "UserNotExist", r[r.PasswordInvalid = 1] = "PasswordInvalid", r[r.EmailNotExist = 2] = "EmailNotExist", r[r.UsernameOrPasswordInvalid = 3] = "UsernameOrPasswordInvalid", r[r.InvalidClientId = 4] = "InvalidClientId", r[r.ClientExists = 5] = "ClientExists", r[r.InvalidClientSecret = 6] = "InvalidClientSecret", r[r.InvalidClientIdOrSecret = 7] = "InvalidClientIdOrSecret", r[r.InvalidRedirectUri = 8] = "InvalidRedirectUri", r[r.InvalidOAuthFlow = 9] = "InvalidOAuthFlow", r[r.UserNotActive = 10] = "UserNotActive", r[r.EmailNotVerified = 11] = "EmailNotVerified", r[r.TwoFactorIncomplete = 12] = "TwoFactorIncomplete", r[r.Unauthorized = 13] = "Unauthorized", r[r.UnauthorizedClient = 14] = "UnauthorizedClient", r[r.InvalidScope = 15] = "InvalidScope", r[r.InsufficientScope = 16] = "InsufficientScope", r[r.InsufficientPriviledges = 17] = "InsufficientPriviledges", r[r.Forbidden = 18] = "Forbidden", r[r.InvalidKey = 19] = "InvalidKey", r[r.InvalidCsrf = 20] = "InvalidCsrf", r[r.InvalidSession = 21] = "InvalidSession", r[r.Expired = 22] = "Expired", r[r.Connection = 23] = "Connection", r[r.InvalidHash = 24] = "InvalidHash", r[r.UnsupportedAlgorithm = 25] = "UnsupportedAlgorithm", r[r.KeyExists = 26] = "KeyExists", r[r.PasswordChangeNeeded = 27] = "PasswordChangeNeeded", r[r.PasswordResetNeeded = 28] = "PasswordResetNeeded", r[r.Factor2ResetNeeded = 29] = "Factor2ResetNeeded", r[r.Configuration = 30] = "Configuration", r[r.InvalidEmail = 31] = "InvalidEmail", r[r.InvalidPhoneNumber = 32] = "InvalidPhoneNumber", r[r.InvalidUsername = 33] = "InvalidUsername", r[r.PasswordMatch = 34] = "PasswordMatch", r[r.InvalidToken = 35] = "InvalidToken", r[r.MfaRequired = 36] = "MfaRequired", r[r.PasswordFormat = 37] = "PasswordFormat", r[r.DataFormat = 38] = "DataFormat", r[r.FetchError = 39] = "FetchError", r[r.UserExists = 40] = "UserExists", r[r.FormEntry = 41] = "FormEntry", r[r.BadRequest = 42] = "BadRequest", r[r.AuthorizationPending = 43] = "AuthorizationPending", r[r.SlowDown = 44] = "SlowDown", r[r.ExpiredToken = 45] = "ExpiredToken", r[r.ConstraintViolation = 46] = "ConstraintViolation", r[r.NotImplemented = 47] = "NotImplemented", r[r.UnknownError = 48] = "UnknownError", r))(m || {});
 class g extends Error {
   /**
@@ -74,7 +74,7 @@ class g extends Error {
    */
   constructor(e, t = void 0) {
     let o, i = 500;
-    e == 0 ? (o = "User does not exist", i = 401) : e == 1 ? (o = "Password doesn't match", i = 401) : e == 3 ? (o = "Username or password incorrect", i = 401) : e == 4 ? (o = "Client id is invalid", i = 401) : e == 5 ? (o = "Client ID or name already exists", i = 500) : e == 6 ? (o = "Client secret is invalid", i = 401) : e == 7 ? (o = "Client id or secret is invalid", i = 401) : e == 8 ? (o = "Redirect Uri is not registered", i = 401) : e == 9 ? (o = "Invalid OAuth flow type", i = 500) : e == 2 ? (o = "No user exists with that email address", i = 401) : e == 10 ? (o = "Account is not active", i = 403) : e == 33 ? (o = "Username is not in an allowed format", i = 400) : e == 31 ? (o = "Email is not in an allowed format", i = 400) : e == 32 ? (o = "Phone number is not in an allowed format", i = 400) : e == 11 ? (o = "Email address has not been verified", i = 403) : e == 12 ? (o = "Two-factor setup is not complete", i = 403) : e == 13 ? (o = "Not authorized", i = 401) : e == 14 ? (o = "Client not authorized", i = 401) : e == 15 ? (o = "Invalid scope", i = 403) : e == 16 ? (o = "Insufficient scope", i = 403) : e == 23 ? o = "Connection failure" : e == 22 ? (o = "Token has expired", i = 401) : e == 24 ? o = "Hash is not in a valid format" : e == 19 ? (o = "Key is invalid", i = 401) : e == 18 ? (o = "You do not have permission to access this resource", i = 403) : e == 17 ? (o = "You do not have the right privileges to access this resource", i = 401) : e == 20 ? (o = "CSRF token is invalid", i = 401) : e == 21 ? (o = "Session cookie is invalid", i = 401) : e == 25 ? o = "Algorithm not supported" : e == 26 ? o = "Attempt to create a key that already exists" : e == 27 ? (o = "User must change password", i = 403) : e == 28 ? (o = "User must reset password", i = 403) : e == 29 ? (o = "User must reset 2FA", i = 403) : e == 30 ? o = "There was an error in the configuration" : e == 34 ? (o = "Passwords do not match", i = 401) : e == 35 ? (o = "Token is not valid", i = 401) : e == 36 ? (o = "MFA is required", i = 401) : e == 37 ? (o = "Password format was incorrect", i = 401) : e == 40 ? (o = "User already exists", i = 400) : e == 42 ? (o = "The request is invalid", i = 400) : e == 38 ? (o = "Session data has unexpected format", i = 500) : e == 39 ? (o = "Couldn't execute a fetch", i = 500) : e == 43 ? (o = "Waiting for authorization", i = 200) : e == 44 ? (o = "Slow polling down by 5 seconds", i = 200) : e == 45 ? (o = "Token has expired", i = 401) : e == 46 ? (o = "Database update/insert caused a constraint violation", i = 500) : e == 47 ? (o = "This method has not been implemented", i = 500) : (o = "Unknown error", i = 500), t != null && !Array.isArray(t) ? o = t : Array.isArray(t) && (o = t.join(". ")), super(o), l(this, "isCrossauthError", !0), l(this, "httpStatus"), l(this, "code"), l(this, "codeName"), l(this, "messages"), this.code = e, this.codeName = m[e], this.httpStatus = i, this.name = "CrossauthError", Array.isArray(t) ? this.messages = t : this.messages = [o], Object.setPrototypeOf(this, g.prototype);
+    e == 0 ? (o = "User does not exist", i = 401) : e == 1 ? (o = "Password doesn't match", i = 401) : e == 3 ? (o = "Username or password incorrect", i = 401) : e == 4 ? (o = "Client id is invalid", i = 401) : e == 5 ? (o = "Client ID or name already exists", i = 500) : e == 6 ? (o = "Client secret is invalid", i = 401) : e == 7 ? (o = "Client id or secret is invalid", i = 401) : e == 8 ? (o = "Redirect Uri is not registered", i = 401) : e == 9 ? (o = "Invalid OAuth flow type", i = 500) : e == 2 ? (o = "No user exists with that email address", i = 401) : e == 10 ? (o = "Account is not active", i = 403) : e == 33 ? (o = "Username is not in an allowed format", i = 400) : e == 31 ? (o = "Email is not in an allowed format", i = 400) : e == 32 ? (o = "Phone number is not in an allowed format", i = 400) : e == 11 ? (o = "Email address has not been verified", i = 403) : e == 12 ? (o = "Two-factor setup is not complete", i = 403) : e == 13 ? (o = "Not authorized", i = 401) : e == 14 ? (o = "Client not authorized", i = 401) : e == 15 ? (o = "Invalid scope", i = 403) : e == 16 ? (o = "Insufficient scope", i = 403) : e == 23 ? o = "Connection failure" : e == 22 ? (o = "Token has expired", i = 401) : e == 24 ? o = "Hash is not in a valid format" : e == 19 ? (o = "Key is invalid", i = 401) : e == 18 ? (o = "You do not have permission to access this resource", i = 403) : e == 17 ? (o = "You do not have the right privileges to access this resource", i = 401) : e == 20 ? (o = "CSRF token is invalid", i = 401) : e == 21 ? (o = "Session cookie is invalid", i = 401) : e == 25 ? o = "Algorithm not supported" : e == 26 ? o = "Attempt to create a key that already exists" : e == 27 ? (o = "User must change password", i = 403) : e == 28 ? (o = "User must reset password", i = 403) : e == 29 ? (o = "User must reset 2FA", i = 403) : e == 30 ? o = "There was an error in the configuration" : e == 34 ? (o = "Passwords do not match", i = 401) : e == 35 ? (o = "Token is not valid", i = 401) : e == 36 ? (o = "MFA is required", i = 401) : e == 37 ? (o = "Password format was incorrect", i = 401) : e == 40 ? (o = "User already exists", i = 400) : e == 42 ? (o = "The request is invalid", i = 400) : e == 38 ? (o = "Session data has unexpected format", i = 500) : e == 39 ? (o = "Couldn't execute a fetch", i = 500) : e == 43 ? (o = "Waiting for authorization", i = 200) : e == 44 ? (o = "Slow polling down by 5 seconds", i = 200) : e == 45 ? (o = "Token has expired", i = 401) : e == 46 ? (o = "Database update/insert caused a constraint violation", i = 500) : e == 47 ? (o = "This method has not been implemented", i = 500) : (o = "Unknown error", i = 500), t != null && !Array.isArray(t) ? o = t : Array.isArray(t) && (o = t.join(". ")), super(o), u(this, "isCrossauthError", !0), u(this, "httpStatus"), u(this, "code"), u(this, "codeName"), u(this, "messages"), this.code = e, this.codeName = m[e], this.httpStatus = i, this.name = "CrossauthError", Array.isArray(t) ? this.messages = t : this.messages = [o], Object.setPrototypeOf(this, g.prototype);
   }
   /**
    * OAuth defines certain error types.  To convert the error in an OAuth
@@ -195,7 +195,7 @@ const W = class P {
    * @param level the level to report to
    */
   constructor(e) {
-    if (l(this, "level"), e) this.level = e;
+    if (u(this, "level"), e) this.level = e;
     else if (typeof process < "u" && "CROSSAUTH_LOG_LEVEL" in process.env) {
       const t = (process.env.CROSSAUTH_LOG_LEVEL ?? "ERROR").toUpperCase();
       P.levelName.includes(t) ? this.level = P.levelName.indexOf(t) : this.level = P.Error;
@@ -257,11 +257,11 @@ const W = class P {
     globalThis.crossauthLogger = e, globalThis.crossauthLoggerAcceptsJson = t;
   }
 };
-l(W, "None", 0), /** Only log errors */
-l(W, "Error", 1), /** Log errors and warning */
-l(W, "Warn", 2), /** Log errors, warnings and info messages */
-l(W, "Info", 3), /** Log everything */
-l(W, "Debug", 4), l(W, "levelName", ["NONE", "ERROR", "WARN", "INFO", "DEBUG"]);
+u(W, "None", 0), /** Only log errors */
+u(W, "Error", 1), /** Log errors and warning */
+u(W, "Warn", 2), /** Log errors, warnings and info messages */
+u(W, "Info", 3), /** Log everything */
+u(W, "Debug", 4), u(W, "levelName", ["NONE", "ERROR", "WARN", "INFO", "DEBUG"]);
 let d = W;
 function h(r) {
   let e;
@@ -627,7 +627,7 @@ const be = (r) => (r == null ? void 0 : r[Symbol.toStringTag]) === "KeyObject",
   }
 }, Ee = async (r, e, t, o, i) => {
   let n, s;
-  const a = new Uint8Array(atob(t.replace(r, "")).split("").map((u) => u.charCodeAt(0))), c = e === "spki";
+  const a = new Uint8Array(atob(t.replace(r, "")).split("").map((l) => l.charCodeAt(0))), c = e === "spki";
   switch (o) {
     case "PS256":
     case "PS384":
@@ -661,8 +661,8 @@ const be = (r) => (r == null ? void 0 : r[Symbol.toStringTag]) === "KeyObject",
     case "ECDH-ES+A128KW":
     case "ECDH-ES+A192KW":
     case "ECDH-ES+A256KW": {
-      const u = ue(a);
-      n = u.startsWith("P-") ? { name: "ECDH", namedCurve: u } : { name: u }, s = c ? [] : ["deriveBits"];
+      const l = ue(a);
+      n = l.startsWith("P-") ? { name: "ECDH", namedCurve: l } : { name: l }, s = c ? [] : ["deriveBits"];
       break;
     }
     case "EdDSA":
@@ -824,14 +824,14 @@ async function sr(r, e, t) {
     throw new S("JWS Payload must be a string or an Uint8Array instance");
   let c = !1;
   typeof e == "function" && (e = await e(o, r), c = !0), er(a, e, "verify");
-  const u = je(X.encode(r.protected ?? ""), X.encode("."), typeof r.payload == "string" ? X.encode(r.payload) : r.payload);
+  const l = je(X.encode(r.protected ?? ""), X.encode("."), typeof r.payload == "string" ? X.encode(r.payload) : r.payload);
   let y;
   try {
     y = F(r.signature);
   } catch {
     throw new S("Failed to base64url decode the signature");
   }
-  if (!await ir(a, e, y, u))
+  if (!await ir(a, e, y, l))
     throw new Ke();
   let k;
   if (s)
@@ -841,8 +841,8 @@ async function sr(r, e, t) {
       throw new S("Failed to base64url decode the payload");
     }
   else typeof r.payload == "string" ? k = X.encode(r.payload) : k = r.payload;
-  const A = { payload: k };
-  return r.protected !== void 0 && (A.protectedHeader = o), r.header !== void 0 && (A.unprotectedHeader = r.header), c ? { ...A, key: e } : A;
+  const b = { payload: k };
+  return r.protected !== void 0 && (b.protectedHeader = o), r.header !== void 0 && (b.unprotectedHeader = r.header), c ? { ...b, key: e } : b;
 }
 async function nr(r, e, t) {
   if (r instanceof Uint8Array && (r = G.decode(r)), typeof r != "string")
@@ -971,22 +971,22 @@ const C = class v {
     }
   }
 };
-l(C, "All", "all"), /** OAuth authorization code flow (without PKCE) */
-l(C, "AuthorizationCode", "authorizationCode"), /** OAuth authorization code flow with PKCE */
-l(C, "AuthorizationCodeWithPKCE", "authorizationCodeWithPKCE"), /** Auth client credentials flow */
-l(C, "ClientCredentials", "clientCredentials"), /** OAuth refresh token flow */
-l(C, "RefreshToken", "refreshToken"), /** OAuth device code flow */
-l(C, "DeviceCode", "deviceCode"), /** OAuth password flow */
-l(C, "Password", "password"), /** The Auth0 password MFA extension to the password flow */
-l(C, "PasswordMfa", "passwordMfa"), /** The OpenID Connect authorization code flow, with or without
+u(C, "All", "all"), /** OAuth authorization code flow (without PKCE) */
+u(C, "AuthorizationCode", "authorizationCode"), /** OAuth authorization code flow with PKCE */
+u(C, "AuthorizationCodeWithPKCE", "authorizationCodeWithPKCE"), /** Auth client credentials flow */
+u(C, "ClientCredentials", "clientCredentials"), /** OAuth refresh token flow */
+u(C, "RefreshToken", "refreshToken"), /** OAuth device code flow */
+u(C, "DeviceCode", "deviceCode"), /** OAuth password flow */
+u(C, "Password", "password"), /** The Auth0 password MFA extension to the password flow */
+u(C, "PasswordMfa", "passwordMfa"), /** The OpenID Connect authorization code flow, with or without
 * PKCE.
 */
-l(C, "OidcAuthorizationCode", "oidcAuthorizationCode"), /** A user friendly name for the given flow ID
+u(C, "OidcAuthorizationCode", "oidcAuthorizationCode"), /** A user friendly name for the given flow ID
 *
 * For example, if you pass "authorizationCode"
 * (`OAuthFlows.AuthorizationCode`) you will get `"Authorization Code"`.
 */
-l(C, "flowName", {
+u(C, "flowName", {
   [C.AuthorizationCode]: "Authorization Code",
   [C.AuthorizationCodeWithPKCE]: "Authorization Code with PKCE",
   [C.ClientCredentials]: "Client Credentials",
@@ -996,7 +996,7 @@ l(C, "flowName", {
   [C.PasswordMfa]: "Password MFA",
   [C.OidcAuthorizationCode]: "OIDC Authorization Code"
 });
-var _, b;
+var _, A;
 class cr {
   /**
    * Constructor.
@@ -1034,17 +1034,17 @@ class cr {
     stateLength: s,
     verifierLength: a,
     tokenConsumer: c,
-    authServerCredentials: u,
+    authServerCredentials: l,
     authServerMode: y,
     authServerHeaders: k
   }) {
-    l(this, "authServerBaseUrl", ""), he(this, _), he(this, b), l(this, "codeChallengeMethod", "S256"), l(this, "verifierLength", 32), l(this, "redirect_uri"), l(this, "stateLength", 32), l(this, "authzCode", ""), l(this, "oidcConfig"), l(this, "tokenConsumer"), l(this, "authServerHeaders", {}), l(this, "authServerMode"), l(this, "authServerCredentials"), l(this, "oauthPostType", "json"), l(this, "oauthLogFetch", !1), l(this, "oauthUseUserInfoEndpoint", !1), l(this, "oauthAuthorizeRedirect"), this.tokenConsumer = c, this.authServerBaseUrl = e, a && (this.verifierLength = a), s && (this.stateLength = s), t && Y(this, _, t), o && Y(this, b, o), i && (this.redirect_uri = i), n && (this.codeChallengeMethod = n), this.authServerBaseUrl = e, u && (this.authServerCredentials = u), y && (this.authServerMode = y), k && (this.authServerHeaders = k);
+    u(this, "authServerBaseUrl", ""), he(this, _), he(this, A), u(this, "codeChallengeMethod", "S256"), u(this, "verifierLength", 32), u(this, "redirect_uri"), u(this, "stateLength", 32), u(this, "authzCode", ""), u(this, "oidcConfig"), u(this, "tokenConsumer"), u(this, "authServerHeaders", {}), u(this, "authServerMode"), u(this, "authServerCredentials"), u(this, "oauthPostType", "json"), u(this, "oauthLogFetch", !1), u(this, "oauthUseUserInfoEndpoint", !1), u(this, "oauthAuthorizeRedirect"), this.tokenConsumer = c, this.authServerBaseUrl = e, a && (this.verifierLength = a), s && (this.stateLength = s), t && Y(this, _, t), o && Y(this, A, o), i && (this.redirect_uri = i), n && (this.codeChallengeMethod = n), this.authServerBaseUrl = e, l && (this.authServerCredentials = l), y && (this.authServerMode = y), k && (this.authServerHeaders = k);
   }
   set client_id(e) {
     Y(this, _, e);
   }
   set client_secret(e) {
-    Y(this, b, e);
+    Y(this, A, e);
   }
   /**
    * Loads OpenID Connect configuration so that the client can determine
@@ -1134,8 +1134,8 @@ class cr {
     };
     let c = this.oidcConfig.authorization_endpoint;
     this.oauthAuthorizeRedirect && (c = this.oauthAuthorizeRedirect);
-    let u = c + "?response_type=code&client_id=" + encodeURIComponent(w(this, _)) + "&state=" + encodeURIComponent(e) + "&redirect_uri=" + encodeURIComponent(this.redirect_uri);
-    return t && (u += "&scope=" + encodeURIComponent(t)), i && o && (u += "&code_challenge=" + o), { url: u };
+    let l = c + "?response_type=code&client_id=" + encodeURIComponent(w(this, _)) + "&state=" + encodeURIComponent(e) + "&redirect_uri=" + encodeURIComponent(this.redirect_uri);
+    return t && (l += "&scope=" + encodeURIComponent(t)), i && o && (l += "&code_challenge=" + o), { url: l };
   }
   async codeChallengeAndVerifier() {
     const e = this.randomValue(this.verifierLength);
@@ -1159,6 +1159,16 @@ class cr {
       return d.logger.debug(h({ err: s })), d.logger.error(h({ msg: "Couldn't get user info", cerr: s })), o = s.oauthErrorCode, i = "Couldn't get user info: " + s.message, { error: o, error_description: i };
     }
   }
+  async getAccessPayload(e, t) {
+    let o, i;
+    try {
+      let n;
+      return n = await this.validateAccessToken(e, t), n ? { payload: n } : (o = "access_denied", i = "Invalid access token received", { error: o, error_description: i });
+    } catch (n) {
+      const s = g.asCrossauthError(n);
+      return d.logger.debug(h({ err: s })), d.logger.error(h({ msg: "Couldn't get user info", cerr: s })), o = s.oauthErrorCode, i = "Couldn't get user info: " + s.message, { error: o, error_description: i };
+    }
+  }
   /**
    * This implements the functionality behind the redirect URI
    *
@@ -1194,26 +1204,26 @@ class cr {
         error_description: "Cannot get token endpoint"
       };
     const c = this.oidcConfig.token_endpoint;
-    let u, y;
-    u = "authorization_code", y = w(this, b);
+    let l, y;
+    l = "authorization_code", y = w(this, A);
     let k = {
-      grant_type: u,
+      grant_type: l,
       client_id: w(this, _),
       code: this.authzCode,
       redirect_uri: this.redirect_uri
     };
     t && (k.scope = t), y && (k.client_secret = y), o && (k.code_verifier = o);
     try {
-      let A = await this.post(c, k, this.authServerHeaders);
-      if (A.id_token) {
-        const L = await this.getIdPayload(A.id_token, A.access_token);
+      let b = await this.post(c, k, this.authServerHeaders);
+      if (b.id_token) {
+        const L = await this.getIdPayload(b.id_token, b.access_token);
         if (L.error)
           return L;
-        A.id_payload = L.payload;
+        b.id_payload = L.payload;
       }
-      return A;
-    } catch (A) {
-      return d.logger.error(h({ err: A })), {
+      return b;
+    } catch (b) {
+      return d.logger.error(h({ err: b })), {
         error: "server_error",
         error_description: "Unable to get access token from server"
       };
@@ -1250,7 +1260,7 @@ class cr {
     let n = {
       grant_type: "client_credentials",
       client_id: w(this, _),
-      client_secret: w(this, b)
+      client_secret: w(this, A)
     };
     e && (n.scope = e);
     try {
@@ -1300,7 +1310,7 @@ class cr {
     let a = {
       grant_type: "password",
       client_id: w(this, _),
-      client_secret: w(this, b),
+      client_secret: w(this, A),
       username: e,
       password: t
     };
@@ -1308,10 +1318,10 @@ class cr {
     try {
       let c = await this.post(s, a, this.authServerHeaders);
       if (c.id_token) {
-        const u = await this.getIdPayload(c.id_token, c.access_token);
-        if (u.error)
-          return u;
-        c.id_payload = u.payload;
+        const l = await this.getIdPayload(c.id_token, c.access_token);
+        if (l.error)
+          return l;
+        c.id_payload = l.payload;
       }
       return c;
     } catch (c) {
@@ -1351,18 +1361,18 @@ class cr {
       };
     let a = [];
     for (let c = 0; c < s.length; ++c) {
-      const u = s[c];
-      if (!u.id || !u.authenticator_type || !u.active)
+      const l = s[c];
+      if (!l.id || !l.authenticator_type || !l.active)
         return {
           error: "server_error",
           error_description: "Invalid mfa/authenticators response"
         };
       a.push({
-        id: u.id,
-        authenticator_type: u.authenticator_type,
-        active: u.active,
-        name: u.name,
-        oob_channel: u.oob_channel
+        id: l.id,
+        authenticator_type: l.authenticator_type,
+        active: l.active,
+        name: l.name,
+        oob_channel: l.oob_channel
       });
     }
     return { authenticators: a };
@@ -1390,7 +1400,7 @@ class cr {
       return { error: "server_error", error_description: "Cannot get issuer" };
     const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", s = await this.post(n, {
       client_id: w(this, _),
-      client_secret: w(this, b),
+      client_secret: w(this, A),
       challenge_type: "otp",
       mfa_token: e,
       authenticator_id: t
@@ -1429,7 +1439,7 @@ class cr {
     const s = this.oidcConfig.token_endpoint, a = await this.post(s, {
       grant_type: "http://auth0.com/oauth/grant-type/mfa-otp",
       client_id: w(this, _),
-      client_secret: w(this, b),
+      client_secret: w(this, A),
       challenge_type: "otp",
       mfa_token: e,
       otp: t,
@@ -1481,7 +1491,7 @@ class cr {
       return { error: "server_error", error_description: "Cannot get issuer" };
     const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", s = await this.post(n, {
       client_id: w(this, _),
-      client_secret: w(this, b),
+      client_secret: w(this, A),
       challenge_type: "oob",
       mfa_token: e,
       authenticator_id: t
@@ -1517,7 +1527,7 @@ class cr {
     const a = this.oidcConfig.token_endpoint, c = await this.post(a, {
       grant_type: "http://auth0.com/oauth/grant-type/mfa-oob",
       client_id: w(this, _),
-      client_secret: w(this, b),
+      client_secret: w(this, A),
       challenge_type: "otp",
       mfa_token: e,
       oob_code: t,
@@ -1530,10 +1540,10 @@ class cr {
         error_description: c.error_description
       };
     if (c.id_token) {
-      const u = await this.getIdPayload(c.id_token, c.access_token);
-      if (u.error)
-        return u;
-      c.id_payload = u.payload;
+      const l = await this.getIdPayload(c.id_token, c.access_token);
+      if (l.error)
+        return l;
+      c.id_payload = l.payload;
     }
     return {
       id_token: c.id_token,
@@ -1560,7 +1570,7 @@ class cr {
       };
     const i = this.oidcConfig.token_endpoint;
     let n;
-    n = w(this, b);
+    n = w(this, A);
     let s = {
       grant_type: "refresh_token",
       refresh_token: e,
@@ -1601,7 +1611,7 @@ class cr {
     let i = {
       grant_type: "urn:ietf:params:oauth:grant-type:device_code",
       client_id: w(this, _),
-      client_secret: w(this, b)
+      client_secret: w(this, A)
     };
     t && (i.scope = t);
     try {
@@ -1636,7 +1646,7 @@ class cr {
     let n = {
       grant_type: "urn:ietf:params:oauth:grant-type:device_code",
       client_id: w(this, _),
-      client_secret: w(this, b),
+      client_secret: w(this, A),
       device_code: e
     };
     try {
@@ -1744,6 +1754,22 @@ class cr {
       return;
     }
   }
+  /**
+   * Validates an access token, returning undefined if it is invalid.
+   *
+   * Does not raise exceptions.
+   *
+   * @param token the token to validate.  To be valid, the signature must
+   *        be valid and the `type` claim in the payload must be set to `id`.
+   * @returns the parsed payload or undefined if the token is invalid.
+   */
+  async validateAccessToken(e, t) {
+    try {
+      return await this.tokenConsumer.tokenAuthorized(e, "access", t);
+    } catch {
+      return;
+    }
+  }
   /**
    * Validatesd a token using the token consumer.
    *
@@ -1751,11 +1777,11 @@ class cr {
    * @returns the parsed JSON of the payload, or undefinedf if it is not
    * valid.
    */
-  async idTokenAuthorized(e) {
+  async idTokenAuthorized(e, t) {
     try {
-      return await this.tokenConsumer.tokenAuthorized(e, "id");
-    } catch (t) {
-      d.logger.warn(h({ err: t }));
+      return await this.tokenConsumer.tokenAuthorized(e, "id", t);
+    } catch (o) {
+      d.logger.warn(h({ err: o }));
       return;
     }
   }
@@ -1763,7 +1789,7 @@ class cr {
     return ar(e);
   }
 }
-_ = /* @__PURE__ */ new WeakMap(), b = /* @__PURE__ */ new WeakMap();
+_ = /* @__PURE__ */ new WeakMap(), A = /* @__PURE__ */ new WeakMap();
 class dr {
   /**
    * Constrctor
@@ -1773,7 +1799,7 @@ class dr {
    * @param options See {@link OAuthTokenConsumerBaseOptions}.
    */
   constructor(e, t = {}) {
-    if (l(this, "audience"), l(this, "jwtKeyType"), l(this, "jwtSecretKey"), l(this, "jwtPublicKey"), l(this, "clockTolerance", 10), l(this, "authServerBaseUrl", ""), l(this, "oidcConfig"), l(this, "keys", {}), this.audience = e, t.authServerBaseUrl && (this.authServerBaseUrl = t.authServerBaseUrl), t.jwtKeyType && (this.jwtKeyType = t.jwtKeyType), t.jwtSecretKey && (this.jwtSecretKey = t.jwtSecretKey), t.jwtPublicKey && (this.jwtPublicKey = t.jwtPublicKey), t.clockTolerance && (this.clockTolerance = t.clockTolerance), t.oidcConfig && (this.oidcConfig = t.oidcConfig), this.jwtPublicKey && !this.jwtKeyType)
+    if (u(this, "audience"), u(this, "jwtKeyType"), u(this, "jwtSecretKey"), u(this, "jwtPublicKey"), u(this, "clockTolerance", 10), u(this, "authServerBaseUrl", ""), u(this, "oidcConfig"), u(this, "keys", {}), this.audience = e, t.authServerBaseUrl && (this.authServerBaseUrl = t.authServerBaseUrl), t.jwtKeyType && (this.jwtKeyType = t.jwtKeyType), t.jwtSecretKey && (this.jwtSecretKey = t.jwtSecretKey), t.jwtPublicKey && (this.jwtPublicKey = t.jwtPublicKey), t.clockTolerance && (this.clockTolerance = t.clockTolerance), t.oidcConfig && (this.oidcConfig = t.oidcConfig), this.jwtPublicKey && !this.jwtKeyType)
       throw new g(
         m.Configuration,
         "If specifying jwtPublic key, must also specify jwtKeyType"
@@ -1834,7 +1860,8 @@ class dr {
       throw new g(m.Connection, "Couldn't get OIDC configuration.  Either set authServerBaseUrl or set config manually");
     let t;
     try {
-      t = await fetch(new URL("/.well-known/openid-configuration", this.authServerBaseUrl));
+      let o = this.authServerBaseUrl;
+      o.endsWith("/") || (o += "/"), t = await fetch(new URL(".well-known/openid-configuration", o));
     } catch (o) {
       d.logger.error(h({ err: o }));
     }
@@ -1912,26 +1939,26 @@ class dr {
    *        fails.
    * @returns the JWT payload if the token is valid, `undefined` otherwise.
    */
-  async tokenAuthorized(e, t) {
+  async tokenAuthorized(e, t, o) {
     if (!this.keys || Object.keys(this.keys).length == 0) {
-      const i = ge(e);
-      await this.loadKeys(i.alg);
+      const n = ge(e);
+      await this.loadKeys(n.alg);
     }
-    const o = await this.validateToken(e);
-    if (o) {
-      if (o.iss != this.authServerBaseUrl) {
-        const i = o.jti ? o.jti : o.sid ? o.sid : "";
-        d.logger.error(h({ msg: `Invalid issuer ${o.iss} in access token`, hashedAccessToken: await this.hash(i) }));
+    const i = await this.validateToken(e);
+    if (i) {
+      if (i.iss != this.authServerBaseUrl) {
+        const n = i.jti ? i.jti : i.sid ? i.sid : "";
+        d.logger.error(h({ msg: `Invalid issuer ${i.iss} ${t} token`, hashedAccessToken: await this.hash(n) }));
         return;
       }
-      if (o.aud) {
-        const i = o.jti ? o.jti : o.sid ? o.sid : "";
-        if (Array.isArray(o.aud) && !o.aud.includes(this.audience) || !Array.isArray(o.aud) && o.aud != this.audience) {
-          d.logger.error(h({ msg: `Invalid audience ${o.aud} in access token`, hashedAccessToken: await this.hash(i) }));
+      if (o != !1 && i.aud) {
+        const n = i.jti ? i.jti : i.sid ? i.sid : "";
+        if (Array.isArray(i.aud) && !i.aud.includes(this.audience) || !Array.isArray(i.aud) && i.aud != this.audience) {
+          d.logger.error(h({ msg: `Invalid audience ${i.aud} in ${t} token`, hashedAccessToken: await this.hash(n) }));
           return;
         }
       }
-      return o;
+      return i;
     }
   }
   async validateToken(e) {
@@ -1960,8 +1987,9 @@ class dr {
         return;
       }
       return n;
-    } catch {
-      d.logger.warn(h({ msg: "Access token did not validate" }));
+    } catch (i) {
+      const n = g.asCrossauthError(i);
+      d.logger.debug(h({ err: n })), d.logger.warn(h({ msg: "Access token did not validate", cerr: n }));
       return;
     }
   }
@@ -2005,28 +2033,29 @@ class Re {
     this.autoRefreshActive = !1, d.logger.debug(h({ msg: "Stopping auto refresh" }));
   }
   async scheduleAutoRefresh(e, t) {
-    const o = this.tokenProvider.getCsrfToken(), i = o ? await o : void 0, n = await this.tokenProvider.getTokenExpiries([...e, "refresh"], i);
-    if (n.refresh == null) {
+    let o;
+    const i = this.tokenProvider.getCsrfToken(), n = i ? await i : void 0, s = await this.tokenProvider.getTokenExpiries([...e, "refresh"], n);
+    if (s.refresh == null) {
       d.logger.debug(h({ msg: "No refresh token found" }));
       return;
     }
-    const s = Date.now();
-    let a = n.id;
-    if ((!a || n.access && n.access < a) && (a = n.access), !a) {
+    const a = Date.now();
+    let c = s.id;
+    if ((!c || s.access && s.access < c) && (c = s.access), !c) {
       d.logger.debug(h({ msg: "No tokens expire" }));
       return;
     }
-    const c = a * 1e3 - s - pe;
-    if (c < 0) {
+    let l = c * 1e3 - a - pe;
+    if (l < 0 && o != null && o <= 0) {
       d.logger.debug(h({ msg: "Expiry time has passed" }));
       return;
     }
-    if (n.refresh && n.refresh - pe < c) {
+    if (l < 0 && (l = 0), s.refresh && s.refresh - pe < l) {
       d.logger.debug(h({ msg: "Refresh token has expired" }));
       return;
     }
-    let u = (y) => new Promise((k) => setTimeout(k, y));
-    d.logger.debug(h({ msg: `Waiting ${c} before refreshing tokens` })), await u(c), await this.autoRefresh(e, i, t);
+    let y = (k) => new Promise((b) => setTimeout(b, k));
+    d.logger.debug(h({ msg: `Waiting ${l} before refreshing tokens` })), o = l, await y(l), await this.autoRefresh(e, n, t);
   }
   async autoRefresh(e, t, o) {
     if (this.autoRefreshActive) {
@@ -2052,19 +2081,25 @@ class Re {
             },
             "refresh"
           );
-          if (c.ok || d.logger.error(h({ msg: "Failed auto refreshing tokens", status: c.status })), i = await c.json(), i != null && i.ok) {
+          c.ok || d.logger.error(h({ msg: "Failed auto refreshing tokens", status: c.status }));
+          try {
+            i = await c.json();
+          } catch {
+            d.logger.error(h({ msg: "/refresh returned a non-JSON response " + (i ? await i.text() : void 0) })), i = { ok: !1, error: "Unknown" };
+          }
+          if (i != null && i.ok) {
             await this.scheduleAutoRefresh(e, o), n = !0;
             try {
               await this.tokenProvider.receiveTokens(i);
-            } catch (u) {
-              const y = g.asCrossauthError(u);
-              o ? o("Couldn't receive tokens", y) : (d.logger.debug(h({ err: u })), d.logger.error(h({ msg: "Error receiving tokens", cerr: y })));
+            } catch (l) {
+              const y = g.asCrossauthError(l);
+              o ? o("Couldn't receive tokens", y) : (d.logger.debug(h({ err: l })), d.logger.error(h({ msg: "Error receiving tokens", cerr: y })));
             }
           } else
             s < Q ? (d.logger.error(h({ msg: `Failed auto refreshing tokens.  Retrying in ${ae} seconds` })), await ((y) => new Promise((k) => setTimeout(k, y)))(ae * 1e3)) : (d.logger.error(h({ msg: "Failed auto refreshing tokens.  Number of retries exceeded" })), o && o("Failed auto refreshing tokens")), s++;
         } catch (a) {
           const c = g.asCrossauthError(a);
-          d.logger.debug(h({ err: c })), s < Q ? (d.logger.error(h({ msg: `Failed auto refreshing tokens.  Retrying in ${Q} seconds` })), await ((y) => new Promise((k) => setTimeout(k, y)))(ae)) : (d.logger.error(h({ msg: "Failed auto refreshing tokens.  Number of retries exceeded" })), o && o(c.message, c)), s++;
+          d.logger.debug(h({ err: c })), s < Q ? (d.logger.error(h({ msg: `Failed auto refreshing tokens.  Retrying in ${Q} seconds` })), await ((y) => new Promise((k) => setTimeout(k, y)))(ae * 1e3)) : (d.logger.error(h({ msg: "Failed auto refreshing tokens.  Number of retries exceeded" })), o && o(c.message, c)), s++;
         }
     }
   }
@@ -2134,7 +2169,7 @@ class Ie {
             this.pollingActive = !1, o("expired_token", "Timeout waiting for authorization");
           else if (s.error == "authorization_pending" || s.error == "slow_down") {
             s.error == "slow_down" && (t += 5);
-            let a = s.interval ?? t, c = (u) => new Promise((y) => setTimeout(y, u));
+            let a = s.interval ?? t, c = (l) => new Promise((y) => setTimeout(y, l));
             d.logger.debug(h({ msg: "device code poll: waiting " + String(a) + " seconds" })), await c(a * 1e3), this.pollingActive && this.poll(e, t, o);
           } else s.error ? (this.pollingActive = !1, o("error", s.error_description ?? s.error)) : (this.pollingActive = !1, o("complete"));
         }
@@ -2374,13 +2409,22 @@ class ur {
    *          expire, or `undefined` if the token does not exist
    */
   async getTokenExpiries(e, t) {
-    const o = await this.getTokens(t), i = e.includes("id") ? (o == null ? void 0 : o.id_token) ?? null : null, n = e.includes("access") ? (o == null ? void 0 : o.access_token) ?? null : null, s = e.includes("refresh") ? (o == null ? void 0 : o.refresh_token) ?? null : null;
-    let a, c, u;
-    return i && (a = i.exp ? i.exp : null), n && (c = n.exp ? n.exp : null), s && (u = s.exp ? s.exp : null), {
-      id: a,
-      access: c,
-      refresh: u
-    };
+    const o = await this.getTokens(t);
+    try {
+      const i = e.includes("id") ? (o == null ? void 0 : o.id_token) ?? null : null, n = e.includes("access") ? (o == null ? void 0 : o.access_token) ?? null : null, s = e.includes("refresh") ? (o == null ? void 0 : o.refresh_token) ?? null : null;
+      let a, c, l;
+      return i && (a = i.exp ? i.exp : null), n && (c = n.exp ? n.exp : null), s && (l = s.exp ? s.exp : null), {
+        id: a,
+        access: c,
+        refresh: l
+      };
+    } catch {
+      return d.logger.error(h({ msg: "getTokenExpiries received non JSON response " + o })), {
+        id: 0,
+        access: 0,
+        refresh: 0
+      };
+    }
   }
   /**
    * Makes a fetch, adding in the requested token
@@ -2559,12 +2603,12 @@ class gr extends cr {
     if (t.origin + t.pathname != this.redirect_uri) return;
     const o = new URLSearchParams(window.location.search);
     let i, n, s, a;
-    for (const [u, y] of o)
-      u == "code" && (i = y), u == "state" && (n = y), u == "error" && (s = y), u == "error_description" && (a = y);
+    for (const [l, y] of o)
+      l == "code" && (i = y), l == "state" && (n = y), l == "error" && (s = y), l == "error_description" && (a = y);
     if (!s && !i) return;
     if (s) {
-      const u = g.fromOAuthError(s, a);
-      throw d.logger.debug(h({ err: u })), d.logger.error(h({ cerr: u, msg: "Error from authorize endpoint: " + s })), u;
+      const l = g.fromOAuthError(s, a);
+      throw d.logger.debug(h({ err: l })), d.logger.error(h({ cerr: l, msg: "Error from authorize endpoint: " + s })), l;
     }
     if (p(this, B) && n != p(this, B))
       return {
@@ -2573,8 +2617,8 @@ class gr extends cr {
       };
     const c = await this.redirectEndpoint(i, this.scope, p(this, V), s, a);
     if (c.error) {
-      const u = g.fromOAuthError(c.error, a);
-      throw d.logger.debug(h({ err: u })), d.logger.error(h({ cerr: u, msg: "Error from redirect endpoint: " + c.error })), u;
+      const l = g.fromOAuthError(c.error, a);
+      throw d.logger.debug(h({ err: l })), d.logger.error(h({ cerr: l, msg: "Error from redirect endpoint: " + c.error })), l;
     }
     return await this.receiveTokens(c), c;
   }
@@ -2662,8 +2706,8 @@ class gr extends cr {
         ...s
       }
     );
-    let u = null;
-    return c.body && (u = await c.json()), { status: c.status, body: u };
+    let l = null;
+    return c.body && (l = await c.json()), { status: c.status, body: l };
   }
   ///////////////////////////////////////////////////////////
   // OAuthTokenProvider interface