@crossauth/frontend 0.0.5 → 0.0.7

package/dist/index.cjs

@@ -1,3005 +1 @@
-"use strict";
-var __defProp = Object.defineProperty;
-var __typeError = (msg) => {
-  throw TypeError(msg);
-};
-var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
-var __accessCheck = (obj, member, msg) => member.has(obj) || __typeError("Cannot " + msg);
-var __privateGet = (obj, member, getter) => (__accessCheck(obj, member, "read from private field"), getter ? getter.call(obj) : member.get(obj));
-var __privateAdd = (obj, member, value) => member.has(obj) ? __typeError("Cannot add the same private member more than once") : member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
-var __privateSet = (obj, member, value, setter) => (__accessCheck(obj, member, "write to private field"), setter ? setter.call(obj, value) : member.set(obj, value), value);
-var _accessToken, _refreshToken, _idTokenPayload, _accessTokenPayload, _refreshTokenPayload, _client_id, _client_secret;
-Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-var fe = Object.defineProperty;
-var G = (e) => {
-  throw TypeError(e);
-};
-var pe = (e, t, r) => t in e ? fe(e, t, { enumerable: true, configurable: true, writable: true, value: r }) : e[t] = r;
-var a = (e, t, r) => pe(e, typeof t != "symbol" ? t + "" : t, r), Y = (e, t, r) => t.has(e) || G("Cannot " + r);
-var u = (e, t, r) => (Y(e, t, "read from private field"), r ? r.call(e) : t.get(e)), O = (e, t, r) => t.has(e) ? G("Cannot add the same private member more than once") : t instanceof WeakSet ? t.add(e) : t.set(e, r), _ = (e, t, r, n) => (Y(e, t, "write to private field"), t.set(e, r), r);
-class k {
-}
-a(k, "active", "active"), /** Deactivated account.  User cannot log in */
-a(k, "disabled", "disabled"), /** Two factor authentication has been actived for this user
-* but has not yet been configured.  Once a user logs in,
-* they will be directed to a page to configure 2FA and will
-* not be able to do anything else (that requires login) until
-* they have done so.
-*/
-a(k, "awaitingTwoFactorSetup", "awaitingtwofactorsetup"), /** Email verification has been turned on but user has not
-* verified his or her email address.  Cannot log on until it has
-* been verified.
-*/
-a(k, "awaitingEmailVerification", "awaitingemailverification"), /**
-* If the state is set to this, the user may not access any
-* login-required functions unless he or she has changed their password.
-* 
-* Upon login, the user is redirected to the change password page.
-*/
-a(k, "passwordChangeNeeded", "passwordchangeneeded"), /**
-* If the state is set to this, the user may not access any
-* login-required functions unless he or she has reset their password.
-* 
-* Upon login, the user is redirected to the reset password page.
-*/
-a(k, "passwordResetNeeded", "passwordresetneeded"), /**
-* If the state is set to this, the user may not access any
-* login-required functions unless he or she has reset their second
-* factor configuration.
-* 
-* Upon login, the user is redirected to the 2FA configuration page.
-* 
-* If you create a user and 2FA is mandatory, you can set state to 
-* this value and the user will then be prompted to configure 2FA 
-* upon login.
-*/
-a(k, "factor2ResetNeeded", "factor2resetneeded"), /**
-* If the state is set to this, the user may not access any
-* login-required functions unless he or she has reset their password
-* and then resets factor2.
-* 
-* Upon login, the user is redirected to the reset password page.
-*/
-a(k, "passwordAndFactor2ResetNeeded", "passwordandfactor2resetneeded");
-class C {
-}
-a(C, "session", "s:"), /** Password Reset Token */
-a(C, "passwordResetToken", "p:"), /** Email verification token */
-a(C, "emailVerificationToken", "e:"), /** API key */
-a(C, "apiKey", "api:"), /** OAuth authorization code */
-a(C, "authorizationCode", "authz:"), /** OAuth access token */
-a(C, "accessToken", "access:"), /** OAuth refresh token */
-a(C, "refreshToken", "refresh:"), /** OAuth MFA key (used by the password MFA flow) */
-a(C, "mfaToken", "omfa:"), /** Device code device code */
-a(C, "deviceCode", "dc:"), /** Device code flow user code */
-a(C, "userCode", "uc:");
-var y = /* @__PURE__ */ ((e) => (e[e.UserNotExist = 0] = "UserNotExist", e[e.PasswordInvalid = 1] = "PasswordInvalid", e[e.EmailNotExist = 2] = "EmailNotExist", e[e.UsernameOrPasswordInvalid = 3] = "UsernameOrPasswordInvalid", e[e.InvalidClientId = 4] = "InvalidClientId", e[e.ClientExists = 5] = "ClientExists", e[e.InvalidClientSecret = 6] = "InvalidClientSecret", e[e.InvalidClientIdOrSecret = 7] = "InvalidClientIdOrSecret", e[e.InvalidRedirectUri = 8] = "InvalidRedirectUri", e[e.InvalidOAuthFlow = 9] = "InvalidOAuthFlow", e[e.UserNotActive = 10] = "UserNotActive", e[e.EmailNotVerified = 11] = "EmailNotVerified", e[e.TwoFactorIncomplete = 12] = "TwoFactorIncomplete", e[e.Unauthorized = 13] = "Unauthorized", e[e.UnauthorizedClient = 14] = "UnauthorizedClient", e[e.InvalidScope = 15] = "InvalidScope", e[e.InsufficientScope = 16] = "InsufficientScope", e[e.InsufficientPriviledges = 17] = "InsufficientPriviledges", e[e.Forbidden = 18] = "Forbidden", e[e.InvalidKey = 19] = "InvalidKey", e[e.InvalidCsrf = 20] = "InvalidCsrf", e[e.InvalidSession = 21] = "InvalidSession", e[e.Expired = 22] = "Expired", e[e.Connection = 23] = "Connection", e[e.InvalidHash = 24] = "InvalidHash", e[e.UnsupportedAlgorithm = 25] = "UnsupportedAlgorithm", e[e.KeyExists = 26] = "KeyExists", e[e.PasswordChangeNeeded = 27] = "PasswordChangeNeeded", e[e.PasswordResetNeeded = 28] = "PasswordResetNeeded", e[e.Factor2ResetNeeded = 29] = "Factor2ResetNeeded", e[e.Configuration = 30] = "Configuration", e[e.InvalidEmail = 31] = "InvalidEmail", e[e.InvalidPhoneNumber = 32] = "InvalidPhoneNumber", e[e.InvalidUsername = 33] = "InvalidUsername", e[e.PasswordMatch = 34] = "PasswordMatch", e[e.InvalidToken = 35] = "InvalidToken", e[e.MfaRequired = 36] = "MfaRequired", e[e.PasswordFormat = 37] = "PasswordFormat", e[e.DataFormat = 38] = "DataFormat", e[e.FetchError = 39] = "FetchError", e[e.UserExists = 40] = "UserExists", e[e.FormEntry = 41] = "FormEntry", e[e.BadRequest = 42] = "BadRequest", e[e.AuthorizationPending = 43] = "AuthorizationPending", e[e.SlowDown = 44] = "SlowDown", e[e.ExpiredToken = 45] = "ExpiredToken", e[e.ConstraintViolation = 46] = "ConstraintViolation", e[e.NotImplemented = 47] = "NotImplemented", e[e.UnknownError = 48] = "UnknownError", e))(y || {});
-class g extends Error {
-  /**
-   * Creates a new error to throw,
-   * 
-   * @param code describes the type of error
-   * @param message if provided, this error will display.  Otherwise a default one for the error code will be used.
-   */
-  constructor(r, n = void 0) {
-    let i, s = 500;
-    r == 0 ? (i = "User does not exist", s = 401) : r == 1 ? (i = "Password doesn't match", s = 401) : r == 3 ? (i = "Username or password incorrect", s = 401) : r == 4 ? (i = "Client id is invalid", s = 401) : r == 5 ? (i = "Client ID or name already exists", s = 500) : r == 6 ? (i = "Client secret is invalid", s = 401) : r == 7 ? (i = "Client id or secret is invalid", s = 401) : r == 8 ? (i = "Redirect Uri is not registered", s = 401) : r == 9 ? (i = "Invalid OAuth flow type", s = 500) : r == 2 ? (i = "No user exists with that email address", s = 401) : r == 10 ? (i = "Account is not active", s = 403) : r == 33 ? (i = "Username is not in an allowed format", s = 400) : r == 31 ? (i = "Email is not in an allowed format", s = 400) : r == 32 ? (i = "Phone number is not in an allowed format", s = 400) : r == 11 ? (i = "Email address has not been verified", s = 403) : r == 12 ? (i = "Two-factor setup is not complete", s = 403) : r == 13 ? (i = "Not authorized", s = 401) : r == 14 ? (i = "Client not authorized", s = 401) : r == 15 ? (i = "Invalid scope", s = 403) : r == 16 ? (i = "Insufficient scope", s = 403) : r == 23 ? i = "Connection failure" : r == 22 ? (i = "Token has expired", s = 401) : r == 24 ? i = "Hash is not in a valid format" : r == 19 ? (i = "Key is invalid", s = 401) : r == 18 ? (i = "You do not have permission to access this resource", s = 403) : r == 17 ? (i = "You do not have the right privileges to access this resource", s = 401) : r == 20 ? (i = "CSRF token is invalid", s = 401) : r == 21 ? (i = "Session cookie is invalid", s = 401) : r == 25 ? i = "Algorithm not supported" : r == 26 ? i = "Attempt to create a key that already exists" : r == 27 ? (i = "User must change password", s = 403) : r == 28 ? (i = "User must reset password", s = 403) : r == 29 ? (i = "User must reset 2FA", s = 403) : r == 30 ? i = "There was an error in the configuration" : r == 34 ? (i = "Passwords do not match", s = 401) : r == 35 ? (i = "Token is not valid", s = 401) : r == 36 ? (i = "MFA is required", s = 401) : r == 37 ? (i = "Password format was incorrect", s = 401) : r == 40 ? (i = "User already exists", s = 400) : r == 42 ? (i = "The request is invalid", s = 400) : r == 38 ? (i = "Session data has unexpected format", s = 500) : r == 39 ? (i = "Couldn't execute a fetch", s = 500) : r == 43 ? (i = "Waiting for authorization", s = 200) : r == 44 ? (i = "Slow polling down by 5 seconds", s = 200) : r == 45 ? (i = "Token has expired", s = 401) : r == 46 ? (i = "Database update/insert caused a constraint violation", s = 500) : r == 47 ? (i = "This method has not been implemented", s = 500) : (i = "Unknown error", s = 500), n != null && !Array.isArray(n) ? i = n : Array.isArray(n) && (i = n.join(". "));
-    super(i);
-    a(this, "isCrossauthError", true);
-    a(this, "httpStatus");
-    a(this, "code");
-    a(this, "codeName");
-    a(this, "messages");
-    this.code = r, this.codeName = y[r], this.httpStatus = s, this.name = "CrossauthError", Array.isArray(n) ? this.messages = n : this.messages = [i], Object.setPrototypeOf(this, g.prototype);
-  }
-  /**
-   * OAuth defines certain error types.  To convert the error in an OAuth
-   * response into a CrossauthError object, call this function.
-   * 
-   * @param error as returned by an OAuth call (converted to an {@link @crossauth/common!ErrorCode}).
-   * @param error_description as returned by an OAuth call (put in the `message`)
-   * @returns a `CrossauthError` instance.
-   */
-  static fromOAuthError(r, n) {
-    let i;
-    switch (r) {
-      case "invalid_request":
-        i = 42;
-        break;
-      case "unauthorized_client":
-        i = 14;
-        break;
-      case "access_denied":
-        i = 13;
-        break;
-      case "unsupported_response_type":
-        i = 42;
-        break;
-      case "invalid_scope":
-        i = 15;
-        break;
-      case "server_error":
-        i = 48;
-        break;
-      case "temporarily_unavailable":
-        i = 23;
-        break;
-      case "invalid_token":
-        i = 35;
-        break;
-      case "expired_token":
-        i = 45;
-        break;
-      case "insufficient_scope":
-        i = 35;
-        break;
-      case "mfa_required":
-        i = 36;
-        break;
-      case "authorization_pending":
-        i = 43;
-        break;
-      case "slow_down":
-        i = 44;
-        break;
-      default:
-        i = 48;
-    }
-    return new g(i, n);
-  }
-  get oauthErrorCode() {
-    switch (this.code) {
-      case 42:
-        return "invalid_request";
-      case 14:
-        return "unauthorized_client";
-      case 13:
-        return "access_denied";
-      case 15:
-        return "invalid_scope";
-      case 23:
-        return "temporarily_unavailable";
-      case 35:
-        return "invalid_token";
-      case 36:
-        return "mfa_required";
-      case 43:
-        return "authorization_pending";
-      case 44:
-        return "slow_down";
-      case 45:
-        return "expired_token";
-      case 22:
-        return "expired_token";
-      default:
-        return "server_error";
-    }
-  }
-  /**
-   * If the passed object is a `CrossauthError` instance, simply returns
-   * it.  
-   * If not and it is an object with `errorCode` in it, creates a 
-   * CrossauthError from that and `errorMessage`, if present.
-   * Otherwise creates a `CrossauthError` object with {@link @crossauth/common!ErrorCode}
-   * of `Unknown` from it, setting the `message` if possible.
-   * 
-   * @param e the error to convert.
-   * @returns  a `CrossauthError` instance.
-   */
-  static asCrossauthError(r, n) {
-    if (r instanceof Error)
-      return "isCrossauthError" in r ? r : new g(48, r.message);
-    if ("errorCode" in r) {
-      let s = 48;
-      try {
-        s = Number(r.errorCode) ?? 48;
-      } catch {
-      }
-      let o = n ?? y[s];
-      return "errorMessage" in r ? o = r.errorMessage : "message" in r && (o = r.message), new g(s, o);
-    }
-    let i = n ?? y[
-      48
-      /* UnknownError */
-    ];
-    return "message" in r && (i = r.message), new g(48, i);
-  }
-}
-const m = class m2 {
-  /**
-   * Create a logger with the given level
-   * @param level the level to report to
-   */
-  constructor(t) {
-    a(this, "level");
-    if (t) this.level = t;
-    else if (typeof process < "u" && "CROSSAUTH_LOG_LEVEL" in process.env) {
-      const r = (process.env.CROSSAUTH_LOG_LEVEL ?? "ERROR").toUpperCase();
-      m2.levelName.includes(r) ? this.level = m2.levelName.indexOf(r) : this.level = m2.Error;
-    } else
-      this.level = m2.Error;
-  }
-  /**
-   * Return the singleton instance of the logger.
-   * @returns the logger
-   */
-  static get logger() {
-    return globalThis.crossauthLogger;
-  }
-  setLevel(t) {
-    this.level = t;
-  }
-  log(t, r) {
-    t <= this.level && (typeof r == "string" ? console.log("Crossauth " + m2.levelName[t] + " " + (/* @__PURE__ */ new Date()).toISOString(), r) : console.log(JSON.stringify({ level: m2.levelName[t], time: (/* @__PURE__ */ new Date()).toISOString(), ...r })));
-  }
-  /**
-   * Report an error
-   * @param output object to output
-   */
-  error(t) {
-    this.log(m2.Error, t);
-  }
-  /**
-   * Report an warning
-   * @param output object to output
-   */
-  warn(t) {
-    this.log(m2.Warn, t);
-  }
-  /**
-   * Report information
-   * @param output object to output
-   */
-  info(t) {
-    this.log(m2.Info, t);
-  }
-  /**
-   * Print a debugging message
-   * @param output object to output
-   */
-  debug(t) {
-    this.log(m2.Debug, t);
-  }
-  /** 
-   * Override the default logger.
-   * 
-   * The only requirement is that the logger has the functions `error()`, `warn()`, `info()` and `debug()`.
-   * These functions must accept either an object or a string.  If they can only accept a string,
-   * set `acceptsJson` to false.  
-   * 
-   * @param logger a new logger instance of any supported class
-   * @param acceptsJson set this to false if the logger can only take strings.
-   */
-  static setLogger(t, r) {
-    globalThis.crossauthLogger = t, globalThis.crossauthLoggerAcceptsJson = r;
-  }
-};
-a(m, "None", 0), /** Only log errors */
-a(m, "Error", 1), /** Log errors and warning */
-a(m, "Warn", 2), /** Log errors, warnings and info messages */
-a(m, "Info", 3), /** Log everything */
-a(m, "Debug", 4), a(m, "levelName", ["NONE", "ERROR", "WARN", "INFO", "DEBUG"]);
-let d = m;
-function h(e) {
-  let t;
-  typeof e == "object" && "err" in e && typeof e.err == "object" && (t = e.err.stack);
-  try {
-    typeof e == "object" && "err" in e && typeof e.err == "object" && e.err && "message" in e.err && !("msg" in e) && (e.msg = e.err.message);
-  } catch {
-  }
-  try {
-    typeof e == "object" && "err" in e && typeof e.err == "object" && (e.err = { ...e.err, stack: t });
-  } catch {
-  }
-  try {
-    typeof e == "object" && "err" in e && !("msg" in e) && (e.msg = e.msg = "An unknown error occurred");
-  } catch {
-  }
-  try {
-    typeof e == "object" && "cerr" in e && "isCrossauthError" in e.cerr && e.cerr && (e.errorCode = e.cerr.code, e.errorCodeName = e.cerr.codeName, e.httpStatus = e.cerr.httpStatus, "msg" in e || (e.msg = e.cerr.message), delete e.cerr);
-  } catch {
-  }
-  return typeof e == "string" || globalThis.crossauthLoggerAcceptsJson ? e : JSON.stringify(e);
-}
-globalThis.crossauthLogger = new d(d.None);
-globalThis.crossauthLoggerAcceptsJson = true;
-const te = {
-  issuer: "",
-  authorization_endpoint: "",
-  token_endpoint: "",
-  jwks_uri: "",
-  response_types_supported: [],
-  subject_types_supported: [],
-  response_modes_supported: ["query", "fragment"],
-  grant_types_supported: ["authorization_code", "implicit"],
-  id_token_signing_alg_values_supported: [],
-  claim_types_supported: ["normal"],
-  claims_parameter_supported: false,
-  request_parameter_supported: false,
-  request_uri_parameter_supported: true,
-  require_request_uri_registration: false
-}, F = crypto, re = (e) => e instanceof CryptoKey, H = new TextEncoder(), z = new TextDecoder();
-function ge(...e) {
-  const t = e.reduce((i, { length: s }) => i + s, 0), r = new Uint8Array(t);
-  let n = 0;
-  for (const i of e)
-    r.set(i, n), n += i.length;
-  return r;
-}
-const ye = (e) => {
-  const t = atob(e), r = new Uint8Array(t.length);
-  for (let n = 0; n < t.length; n++)
-    r[n] = t.charCodeAt(n);
-  return r;
-}, K = (e) => {
-  let t = e;
-  t instanceof Uint8Array && (t = z.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
-  try {
-    return ye(t);
-  } catch {
-    throw new TypeError("The input to be decoded is not correctly encoded.");
-  }
-};
-class $ extends Error {
-  static get code() {
-    return "ERR_JOSE_GENERIC";
-  }
-  constructor(t) {
-    var r;
-    super(t), this.code = "ERR_JOSE_GENERIC", this.name = this.constructor.name, (r = Error.captureStackTrace) == null || r.call(Error, this, this.constructor);
-  }
-}
-class b extends $ {
-  constructor() {
-    super(...arguments), this.code = "ERR_JOSE_NOT_SUPPORTED";
-  }
-  static get code() {
-    return "ERR_JOSE_NOT_SUPPORTED";
-  }
-}
-class v extends $ {
-  constructor() {
-    super(...arguments), this.code = "ERR_JWS_INVALID";
-  }
-  static get code() {
-    return "ERR_JWS_INVALID";
-  }
-}
-class E extends $ {
-  constructor() {
-    super(...arguments), this.code = "ERR_JWT_INVALID";
-  }
-  static get code() {
-    return "ERR_JWT_INVALID";
-  }
-}
-class me extends $ {
-  constructor() {
-    super(...arguments), this.code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED", this.message = "signature verification failed";
-  }
-  static get code() {
-    return "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-  }
-}
-function A(e, t = "algorithm.name") {
-  return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`);
-}
-function J(e, t) {
-  return e.name === t;
-}
-function L(e) {
-  return parseInt(e.name.slice(4), 10);
-}
-function we(e) {
-  switch (e) {
-    case "ES256":
-      return "P-256";
-    case "ES384":
-      return "P-384";
-    case "ES512":
-      return "P-521";
-    default:
-      throw new Error("unreachable");
-  }
-}
-function ve(e, t) {
-  if (t.length && !t.some((r) => e.usages.includes(r))) {
-    let r = "CryptoKey does not support this operation, its usages must include ";
-    if (t.length > 2) {
-      const n = t.pop();
-      r += `one of ${t.join(", ")}, or ${n}.`;
-    } else t.length === 2 ? r += `one of ${t[0]} or ${t[1]}.` : r += `${t[0]}.`;
-    throw new TypeError(r);
-  }
-}
-function Se(e, t, ...r) {
-  switch (t) {
-    case "HS256":
-    case "HS384":
-    case "HS512": {
-      if (!J(e.algorithm, "HMAC"))
-        throw A("HMAC");
-      const n = parseInt(t.slice(2), 10);
-      if (L(e.algorithm.hash) !== n)
-        throw A(`SHA-${n}`, "algorithm.hash");
-      break;
-    }
-    case "RS256":
-    case "RS384":
-    case "RS512": {
-      if (!J(e.algorithm, "RSASSA-PKCS1-v1_5"))
-        throw A("RSASSA-PKCS1-v1_5");
-      const n = parseInt(t.slice(2), 10);
-      if (L(e.algorithm.hash) !== n)
-        throw A(`SHA-${n}`, "algorithm.hash");
-      break;
-    }
-    case "PS256":
-    case "PS384":
-    case "PS512": {
-      if (!J(e.algorithm, "RSA-PSS"))
-        throw A("RSA-PSS");
-      const n = parseInt(t.slice(2), 10);
-      if (L(e.algorithm.hash) !== n)
-        throw A(`SHA-${n}`, "algorithm.hash");
-      break;
-    }
-    case "EdDSA": {
-      if (e.algorithm.name !== "Ed25519" && e.algorithm.name !== "Ed448")
-        throw A("Ed25519 or Ed448");
-      break;
-    }
-    case "ES256":
-    case "ES384":
-    case "ES512": {
-      if (!J(e.algorithm, "ECDSA"))
-        throw A("ECDSA");
-      const n = we(t);
-      if (e.algorithm.namedCurve !== n)
-        throw A(n, "algorithm.namedCurve");
-      break;
-    }
-    default:
-      throw new TypeError("CryptoKey does not support this operation");
-  }
-  ve(e, r);
-}
-function ie(e, t, ...r) {
-  var n;
-  if (r.length > 2) {
-    const i = r.pop();
-    e += `one of type ${r.join(", ")}, or ${i}.`;
-  } else r.length === 2 ? e += `one of type ${r[0]} or ${r[1]}.` : e += `of type ${r[0]}.`;
-  return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t != null && (n = t.constructor) != null && n.name && (e += ` Received an instance of ${t.constructor.name}`), e;
-}
-const X = (e, ...t) => ie("Key must be ", e, ...t);
-function ne(e, t, ...r) {
-  return ie(`Key for the ${e} algorithm must be `, t, ...r);
-}
-const se = (e) => re(e) ? true : (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", M = ["CryptoKey"], _e = (...e) => {
-  const t = e.filter(Boolean);
-  if (t.length === 0 || t.length === 1)
-    return true;
-  let r;
-  for (const n of t) {
-    const i = Object.keys(n);
-    if (!r || r.size === 0) {
-      r = new Set(i);
-      continue;
-    }
-    for (const s of i) {
-      if (r.has(s))
-        return false;
-      r.add(s);
-    }
-  }
-  return true;
-};
-function Ce(e) {
-  return typeof e == "object" && e !== null;
-}
-function x(e) {
-  if (!Ce(e) || Object.prototype.toString.call(e) !== "[object Object]")
-    return false;
-  if (Object.getPrototypeOf(e) === null)
-    return true;
-  let t = e;
-  for (; Object.getPrototypeOf(t) !== null; )
-    t = Object.getPrototypeOf(t);
-  return Object.getPrototypeOf(e) === t;
-}
-const be = (e, t) => {
-  if (e.startsWith("RS") || e.startsWith("PS")) {
-    const { modulusLength: r } = t.algorithm;
-    if (typeof r != "number" || r < 2048)
-      throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`);
-  }
-};
-function Ae(e) {
-  let t, r;
-  switch (e.kty) {
-    case "RSA": {
-      switch (e.alg) {
-        case "PS256":
-        case "PS384":
-        case "PS512":
-          t = { name: "RSA-PSS", hash: `SHA-${e.alg.slice(-3)}` }, r = e.d ? ["sign"] : ["verify"];
-          break;
-        case "RS256":
-        case "RS384":
-        case "RS512":
-          t = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${e.alg.slice(-3)}` }, r = e.d ? ["sign"] : ["verify"];
-          break;
-        case "RSA-OAEP":
-        case "RSA-OAEP-256":
-        case "RSA-OAEP-384":
-        case "RSA-OAEP-512":
-          t = {
-            name: "RSA-OAEP",
-            hash: `SHA-${parseInt(e.alg.slice(-3), 10) || 1}`
-          }, r = e.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
-          break;
-        default:
-          throw new b('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
-      }
-      break;
-    }
-    case "EC": {
-      switch (e.alg) {
-        case "ES256":
-          t = { name: "ECDSA", namedCurve: "P-256" }, r = e.d ? ["sign"] : ["verify"];
-          break;
-        case "ES384":
-          t = { name: "ECDSA", namedCurve: "P-384" }, r = e.d ? ["sign"] : ["verify"];
-          break;
-        case "ES512":
-          t = { name: "ECDSA", namedCurve: "P-521" }, r = e.d ? ["sign"] : ["verify"];
-          break;
-        case "ECDH-ES":
-        case "ECDH-ES+A128KW":
-        case "ECDH-ES+A192KW":
-        case "ECDH-ES+A256KW":
-          t = { name: "ECDH", namedCurve: e.crv }, r = e.d ? ["deriveBits"] : [];
-          break;
-        default:
-          throw new b('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
-      }
-      break;
-    }
-    case "OKP": {
-      switch (e.alg) {
-        case "EdDSA":
-          t = { name: e.crv }, r = e.d ? ["sign"] : ["verify"];
-          break;
-        case "ECDH-ES":
-        case "ECDH-ES+A128KW":
-        case "ECDH-ES+A192KW":
-        case "ECDH-ES+A256KW":
-          t = { name: e.crv }, r = e.d ? ["deriveBits"] : [];
-          break;
-        default:
-          throw new b('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
-      }
-      break;
-    }
-    default:
-      throw new b('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
-  }
-  return { algorithm: t, keyUsages: r };
-}
-const oe = async (e) => {
-  if (!e.alg)
-    throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
-  const { algorithm: t, keyUsages: r } = Ae(e), n = [
-    t,
-    e.ext ?? false,
-    e.key_ops ?? r
-  ], i = { ...e };
-  return delete i.alg, delete i.use, F.subtle.importKey("jwk", i, ...n);
-}, ae = (e) => K(e);
-let V, j;
-const ce = (e) => (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", de = async (e, t, r, n) => {
-  let i = e.get(t);
-  if (i != null && i[n])
-    return i[n];
-  const s = await oe({ ...r, alg: n });
-  return i ? i[n] = s : e.set(t, { [n]: s }), s;
-}, Pe = (e, t) => {
-  if (ce(e)) {
-    let r = e.export({ format: "jwk" });
-    return delete r.d, delete r.dp, delete r.dq, delete r.p, delete r.q, delete r.qi, r.k ? ae(r.k) : (j || (j = /* @__PURE__ */ new WeakMap()), de(j, e, r, t));
-  }
-  return e;
-}, ke = (e, t) => {
-  if (ce(e)) {
-    let r = e.export({ format: "jwk" });
-    return r.k ? ae(r.k) : (V || (V = /* @__PURE__ */ new WeakMap()), de(V, e, r, t));
-  }
-  return e;
-}, Ie = { normalizePublicKey: Pe, normalizePrivateKey: ke }, I = (e, t, r = 0) => {
-  r === 0 && (t.unshift(t.length), t.unshift(6));
-  const n = e.indexOf(t[0], r);
-  if (n === -1)
-    return false;
-  const i = e.subarray(n, n + t.length);
-  return i.length !== t.length ? false : i.every((s, o) => s === t[o]) || I(e, t, n + 1);
-}, Q = (e) => {
-  switch (true) {
-    case I(e, [42, 134, 72, 206, 61, 3, 1, 7]):
-      return "P-256";
-    case I(e, [43, 129, 4, 0, 34]):
-      return "P-384";
-    case I(e, [43, 129, 4, 0, 35]):
-      return "P-521";
-    case I(e, [43, 101, 110]):
-      return "X25519";
-    case I(e, [43, 101, 111]):
-      return "X448";
-    case I(e, [43, 101, 112]):
-      return "Ed25519";
-    case I(e, [43, 101, 113]):
-      return "Ed448";
-    default:
-      throw new b("Invalid or unsupported EC Key Curve or OKP Key Sub Type");
-  }
-}, le = async (e, t, r, n, i) => {
-  let s, o;
-  const l = new Uint8Array(atob(r.replace(e, "")).split("").map((p) => p.charCodeAt(0))), f = t === "spki";
-  switch (n) {
-    case "PS256":
-    case "PS384":
-    case "PS512":
-      s = { name: "RSA-PSS", hash: `SHA-${n.slice(-3)}` }, o = f ? ["verify"] : ["sign"];
-      break;
-    case "RS256":
-    case "RS384":
-    case "RS512":
-      s = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${n.slice(-3)}` }, o = f ? ["verify"] : ["sign"];
-      break;
-    case "RSA-OAEP":
-    case "RSA-OAEP-256":
-    case "RSA-OAEP-384":
-    case "RSA-OAEP-512":
-      s = {
-        name: "RSA-OAEP",
-        hash: `SHA-${parseInt(n.slice(-3), 10) || 1}`
-      }, o = f ? ["encrypt", "wrapKey"] : ["decrypt", "unwrapKey"];
-      break;
-    case "ES256":
-      s = { name: "ECDSA", namedCurve: "P-256" }, o = f ? ["verify"] : ["sign"];
-      break;
-    case "ES384":
-      s = { name: "ECDSA", namedCurve: "P-384" }, o = f ? ["verify"] : ["sign"];
-      break;
-    case "ES512":
-      s = { name: "ECDSA", namedCurve: "P-521" }, o = f ? ["verify"] : ["sign"];
-      break;
-    case "ECDH-ES":
-    case "ECDH-ES+A128KW":
-    case "ECDH-ES+A192KW":
-    case "ECDH-ES+A256KW": {
-      const p = Q(l);
-      s = p.startsWith("P-") ? { name: "ECDH", namedCurve: p } : { name: p }, o = f ? [] : ["deriveBits"];
-      break;
-    }
-    case "EdDSA":
-      s = { name: Q(l) }, o = f ? ["verify"] : ["sign"];
-      break;
-    default:
-      throw new b('Invalid or unsupported "alg" (Algorithm) value');
-  }
-  return F.subtle.importKey(t, l, s, false, o);
-}, Te = (e, t, r) => le(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g, "pkcs8", e, t), Re = (e, t, r) => le(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", e, t);
-async function Ee(e, t, r) {
-  if (typeof e != "string" || e.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
-    throw new TypeError('"spki" must be SPKI formatted string');
-  return Re(e, t);
-}
-async function Oe(e, t, r) {
-  if (typeof e != "string" || e.indexOf("-----BEGIN PRIVATE KEY-----") !== 0)
-    throw new TypeError('"pkcs8" must be PKCS#8 formatted string');
-  return Te(e, t);
-}
-async function Z(e, t) {
-  if (!x(e))
-    throw new TypeError("JWK must be an object");
-  switch (t || (t = e.alg), e.kty) {
-    case "oct":
-      if (typeof e.k != "string" || !e.k)
-        throw new TypeError('missing "k" (Key Value) Parameter value');
-      return K(e.k);
-    case "RSA":
-      if (e.oth !== void 0)
-        throw new b('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
-    case "EC":
-    case "OKP":
-      return oe({ ...e, alg: t });
-    default:
-      throw new b('Unsupported "kty" (Key Type) Parameter value');
-  }
-}
-const q = (e) => e == null ? void 0 : e[Symbol.toStringTag], Ke = (e, t) => {
-  if (!(t instanceof Uint8Array)) {
-    if (!se(t))
-      throw new TypeError(ne(e, t, ...M, "Uint8Array"));
-    if (t.type !== "secret")
-      throw new TypeError(`${q(t)} instances for symmetric algorithms must be of type "secret"`);
-  }
-}, Ne = (e, t, r) => {
-  if (!se(t))
-    throw new TypeError(ne(e, t, ...M));
-  if (t.type === "secret")
-    throw new TypeError(`${q(t)} instances for asymmetric algorithms must not be of type "secret"`);
-  if (t.algorithm && r === "verify" && t.type === "private")
-    throw new TypeError(`${q(t)} instances for asymmetric algorithm verifying must be of type "public"`);
-  if (t.algorithm && r === "encrypt" && t.type === "private")
-    throw new TypeError(`${q(t)} instances for asymmetric algorithm encryption must be of type "public"`);
-}, Ue = (e, t, r) => {
-  e.startsWith("HS") || e === "dir" || e.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(e) ? Ke(e, t) : Ne(e, t, r);
-};
-function xe(e, t, r, n, i) {
-  if (i.crit !== void 0 && (n == null ? void 0 : n.crit) === void 0)
-    throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');
-  if (!n || n.crit === void 0)
-    return /* @__PURE__ */ new Set();
-  if (!Array.isArray(n.crit) || n.crit.length === 0 || n.crit.some((o) => typeof o != "string" || o.length === 0))
-    throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
-  let s;
-  s = t;
-  for (const o of n.crit) {
-    if (!s.has(o))
-      throw new b(`Extension Header Parameter "${o}" is not recognized`);
-    if (i[o] === void 0)
-      throw new e(`Extension Header Parameter "${o}" is missing`);
-    if (s.get(o) && n[o] === void 0)
-      throw new e(`Extension Header Parameter "${o}" MUST be integrity protected`);
-  }
-  return new Set(n.crit);
-}
-function ze(e, t) {
-  const r = `SHA-${e.slice(-3)}`;
-  switch (e) {
-    case "HS256":
-    case "HS384":
-    case "HS512":
-      return { hash: r, name: "HMAC" };
-    case "PS256":
-    case "PS384":
-    case "PS512":
-      return { hash: r, name: "RSA-PSS", saltLength: e.slice(-3) >> 3 };
-    case "RS256":
-    case "RS384":
-    case "RS512":
-      return { hash: r, name: "RSASSA-PKCS1-v1_5" };
-    case "ES256":
-    case "ES384":
-    case "ES512":
-      return { hash: r, name: "ECDSA", namedCurve: t.namedCurve };
-    case "EdDSA":
-      return { name: t.name };
-    default:
-      throw new b(`alg ${e} is not supported either by JOSE or your javascript runtime`);
-  }
-}
-async function We(e, t, r) {
-  if (t = await Ie.normalizePublicKey(t, e), re(t))
-    return Se(t, e, r), t;
-  if (t instanceof Uint8Array) {
-    if (!e.startsWith("HS"))
-      throw new TypeError(X(t, ...M));
-    return F.subtle.importKey("raw", t, { hash: `SHA-${e.slice(-3)}`, name: "HMAC" }, false, [r]);
-  }
-  throw new TypeError(X(t, ...M, "Uint8Array"));
-}
-const De = async (e, t, r, n) => {
-  const i = await We(e, t, "verify");
-  be(e, i);
-  const s = ze(e, i.algorithm);
-  try {
-    return await F.subtle.verify(s, i, r, n);
-  } catch {
-    return false;
-  }
-};
-async function He(e, t, r) {
-  if (!x(e))
-    throw new v("Flattened JWS must be an object");
-  if (e.protected === void 0 && e.header === void 0)
-    throw new v('Flattened JWS must have either of the "protected" or "header" members');
-  if (e.protected !== void 0 && typeof e.protected != "string")
-    throw new v("JWS Protected Header incorrect type");
-  if (e.payload === void 0)
-    throw new v("JWS Payload missing");
-  if (typeof e.signature != "string")
-    throw new v("JWS Signature missing or incorrect type");
-  if (e.header !== void 0 && !x(e.header))
-    throw new v("JWS Unprotected Header incorrect type");
-  let n = {};
-  if (e.protected)
-    try {
-      const ue = K(e.protected);
-      n = JSON.parse(z.decode(ue));
-    } catch {
-      throw new v("JWS Protected Header is invalid");
-    }
-  if (!_e(n, e.header))
-    throw new v("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
-  const i = {
-    ...n,
-    ...e.header
-  }, s = xe(v, /* @__PURE__ */ new Map([["b64", true]]), void 0, n, i);
-  let o = true;
-  if (s.has("b64") && (o = n.b64, typeof o != "boolean"))
-    throw new v('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
-  const { alg: l } = i;
-  if (typeof l != "string" || !l)
-    throw new v('JWS "alg" (Algorithm) Header Parameter missing or invalid');
-  if (o) {
-    if (typeof e.payload != "string")
-      throw new v("JWS Payload must be a string");
-  } else if (typeof e.payload != "string" && !(e.payload instanceof Uint8Array))
-    throw new v("JWS Payload must be a string or an Uint8Array instance");
-  let f = false;
-  typeof t == "function" && (t = await t(n, e), f = true), Ue(l, t, "verify");
-  const p = ge(H.encode(e.protected ?? ""), H.encode("."), typeof e.payload == "string" ? H.encode(e.payload) : e.payload);
-  let P;
-  try {
-    P = K(e.signature);
-  } catch {
-    throw new v("Failed to base64url decode the signature");
-  }
-  if (!await De(l, t, P, p))
-    throw new me();
-  let W;
-  if (o)
-    try {
-      W = K(e.payload);
-    } catch {
-      throw new v("Failed to base64url decode the payload");
-    }
-  else typeof e.payload == "string" ? W = H.encode(e.payload) : W = e.payload;
-  const D = { payload: W };
-  return e.protected !== void 0 && (D.protectedHeader = n), e.header !== void 0 && (D.unprotectedHeader = e.header), f ? { ...D, key: t } : D;
-}
-async function Je(e, t, r) {
-  if (e instanceof Uint8Array && (e = z.decode(e)), typeof e != "string")
-    throw new v("Compact JWS must be a string or Uint8Array");
-  const { 0: n, 1: i, 2: s, length: o } = e.split(".");
-  if (o !== 3)
-    throw new v("Invalid Compact JWS");
-  const l = await He({ payload: i, protected: n, signature: s }, t), f = { payload: l.payload, protectedHeader: l.protectedHeader };
-  return typeof t == "function" ? { ...f, key: l.key } : f;
-}
-const he = K;
-function qe(e) {
-  let t;
-  if (typeof e == "string") {
-    const r = e.split(".");
-    (r.length === 3 || r.length === 5) && ([t] = r);
-  } else if (typeof e == "object" && e)
-    if ("protected" in e)
-      t = e.protected;
-    else
-      throw new TypeError("Token does not contain a Protected Header");
-  try {
-    if (typeof t != "string" || !t)
-      throw new Error();
-    const r = JSON.parse(z.decode(he(t)));
-    if (!x(r))
-      throw new Error();
-    return r;
-  } catch {
-    throw new TypeError("Invalid Token or Protected Header formatting");
-  }
-}
-function Me(e) {
-  if (typeof e != "string")
-    throw new E("JWTs must use Compact JWS serialization, JWT must be a string");
-  const { 1: t, length: r } = e.split(".");
-  if (r === 5)
-    throw new E("Only JWTs using Compact JWS serialization can be decoded");
-  if (r !== 3)
-    throw new E("Invalid JWT");
-  if (!t)
-    throw new E("JWTs must contain a payload");
-  let n;
-  try {
-    n = he(t);
-  } catch {
-    throw new E("Failed to base64url decode the payload");
-  }
-  let i;
-  try {
-    i = JSON.parse(z.decode(n));
-  } catch {
-    throw new E("Failed to parse the decoded payload as JSON");
-  }
-  if (!x(i))
-    throw new E("Invalid JWT Claims Set");
-  return i;
-}
-const c = class c2 {
-  /**
-   * Returns a user-friendly name for the given flow strings.
-   * 
-   * The value returned is the one in `flowName`.
-   * @param flows the flows to return the names of
-   * @returns an array of strings
-   */
-  static flowNames(t) {
-    let r = {};
-    return t.forEach((n) => {
-      n in c2.flowName && (r[n] = c2.flowName[n]);
-    }), r;
-  }
-  /**
-   * Returns true if the given string is a valid flow name.
-   * @param flow the flow to check
-   * @returns true or false.
-   */
-  static isValidFlow(t) {
-    return c2.allFlows().includes(t);
-  }
-  /**
-   * Returns true only if all given strings are valid flows
-   * @param flows the flows to check
-   * @returns true or false.
-   */
-  static areAllValidFlows(t) {
-    let r = true;
-    return t.forEach((n) => {
-      c2.isValidFlow(n) || (r = false);
-    }), r;
-  }
-  static allFlows() {
-    return [
-      c2.AuthorizationCode,
-      c2.AuthorizationCodeWithPKCE,
-      c2.ClientCredentials,
-      c2.RefreshToken,
-      c2.DeviceCode,
-      c2.Password,
-      c2.PasswordMfa,
-      c2.OidcAuthorizationCode
-    ];
-  }
-  /**
-   * Returns the OAuth grant types that are valid for a given flow, or 
-   * `undefined` if it is not a valid flow.
-   * @param oauthFlow the flow to get the grant type for.
-   * @returns a {@link GrantType} value
-   */
-  static grantType(t) {
-    switch (t) {
-      case c2.AuthorizationCode:
-      case c2.AuthorizationCodeWithPKCE:
-      case c2.OidcAuthorizationCode:
-        return ["authorization_code"];
-      case c2.ClientCredentials:
-        return ["client_credentials"];
-      case c2.RefreshToken:
-        return ["refresh_token"];
-      case c2.Password:
-        return ["password"];
-      case c2.PasswordMfa:
-        return ["http://auth0.com/oauth/grant-type/mfa-otp", "http://auth0.com/oauth/grant-type/mfa-oob"];
-      case c2.DeviceCode:
-        return ["urn:ietf:params:oauth:grant-type:device_code"];
-    }
-  }
-};
-a(c, "All", "all"), /** OAuth authorization code flow (without PKCE) */
-a(c, "AuthorizationCode", "authorizationCode"), /** OAuth authorization code flow with PKCE */
-a(c, "AuthorizationCodeWithPKCE", "authorizationCodeWithPKCE"), /** Auth client credentials flow */
-a(c, "ClientCredentials", "clientCredentials"), /** OAuth refresh token flow */
-a(c, "RefreshToken", "refreshToken"), /** OAuth device code flow */
-a(c, "DeviceCode", "deviceCode"), /** OAuth password flow */
-a(c, "Password", "password"), /** The Auth0 password MFA extension to the password flow */
-a(c, "PasswordMfa", "passwordMfa"), /** The OpenID Connect authorization code flow, with or without
-* PKCE.
-*/
-a(c, "OidcAuthorizationCode", "oidcAuthorizationCode"), /** A user friendly name for the given flow ID
-* 
-* For example, if you pass "authorizationCode" 
-* (`OAuthFlows.AuthorizationCode`) you will get `"Authorization Code"`.
-*/
-a(c, "flowName", {
-  [c.AuthorizationCode]: "Authorization Code",
-  [c.AuthorizationCodeWithPKCE]: "Authorization Code with PKCE",
-  [c.ClientCredentials]: "Client Credentials",
-  [c.RefreshToken]: "Refresh Token",
-  [c.DeviceCode]: "Device Code",
-  [c.Password]: "Password",
-  [c.PasswordMfa]: "Password MFA",
-  [c.OidcAuthorizationCode]: "OIDC Authorization Code"
-});
-var w, S, N, T, R;
-class Be {
-  /**
-   * Constructor.
-   * 
-   * @param options options:
-   *      - `authServerBaseUrl` the base URI for OAuth calls.  This is
-   *        the value in the isser field of a JWT.  The client will
-   *        reject any JWTs that are not from this issuer.
-   *      - `client_id` the client ID for this client.
-   *      - `redriectUri` when making OAuth calls, this value is put
-   *        in the redirect_uri field.
-   *      - `number` of characters (before base64-url-encoding) for generating
-   *        state values in OAuth calls.
-   *      - `verifierLength` of characters (before base64-url-encoding) for
-   *        generating PKCE values in OAuth calls.
-   *      - `tokenConsumer` to keep this class independent of frontend 
-   *        and backend specific funtionality (eg classes not available
-   *        in browsers), the token consumer, which determines if a token
-   *        is valid or not, is abstracted out.
-   *      - authServerCredentials credentials flag for fetch calls to the
-   *        authorization server
-   *      - authServerMode mode flag for fetch calls to the 
-   *        authorization server
-   *      - authServerHeaders headers flag for calls to the
-   *        authorization server
-   *      - `receiveTokensFn` if defined, this will be called when tokens
-   *        are received
-   */
-  constructor({
-    authServerBaseUrl: t,
-    client_id: r,
-    client_secret: n,
-    redirect_uri: i,
-    codeChallengeMethod: s,
-    stateLength: o,
-    verifierLength: l,
-    tokenConsumer: f,
-    authServerCredentials: p,
-    authServerMode: P,
-    authServerHeaders: U
-  }) {
-    a(this, "authServerBaseUrl", "");
-    O(this, w);
-    O(this, S);
-    O(this, N);
-    a(this, "codeChallengeMethod", "S256");
-    O(this, T);
-    a(this, "verifierLength", 32);
-    a(this, "redirect_uri");
-    O(this, R, "");
-    a(this, "stateLength", 32);
-    a(this, "authzCode", "");
-    a(this, "oidcConfig");
-    a(this, "tokenConsumer");
-    a(this, "authServerHeaders", {});
-    a(this, "authServerMode");
-    a(this, "authServerCredentials");
-    this.tokenConsumer = f, this.authServerBaseUrl = t, l && (this.verifierLength = l), o && (this.stateLength = o), r && _(this, w, r), n && _(this, S, n), i && (this.redirect_uri = i), s && (this.codeChallengeMethod = s), this.authServerBaseUrl = t, p && (this.authServerCredentials = p), P && (this.authServerMode = P), U && (this.authServerHeaders = U);
-  }
-  set client_id(t) {
-    _(this, w, t);
-  }
-  set client_secret(t) {
-    _(this, S, t);
-  }
-  set codeVerifier(t) {
-    _(this, T, t);
-  }
-  set codeChallenge(t) {
-    _(this, N, t);
-  }
-  set state(t) {
-    _(this, R, t);
-  }
-  /**
-   * Loads OpenID Connect configuration so that the client can determine
-   * the URLs it can call and the features the authorization server provides.
-   * 
-   * @param oidcConfig if defined, loadsa the config from this object.
-   *        Otherwise, performs a fetch by appending
-   *        `/.well-known/openid-configuration` to the 
-   *        `authServerBaseUrl`.
-   * @throws {@link @crossauth/common!CrossauthError} with the following {@link @crossauth/common!ErrorCode}s
-   *   - `Connection` if data from the URL could not be fetched or parsed.
-   */
-  async loadConfig(t) {
-    if (t) {
-      d.logger.debug(h({ msg: "Reading OIDC config locally" })), this.oidcConfig = t;
-      return;
-    }
-    let r;
-    try {
-      const n = new URL(
-        this.authServerBaseUrl + "/.well-known/openid-configuration"
-      );
-      d.logger.debug(h({ msg: `Fetching OIDC config from ${n}` }));
-      let i = { headers: this.authServerHeaders };
-      this.authServerMode && (i.mode = this.authServerMode), this.authServerCredentials && (i.credentials = this.authServerCredentials), r = await fetch(n, i);
-    } catch (n) {
-      d.logger.error(h({ err: n }));
-    }
-    if (!r || !r.ok)
-      throw new g(
-        y.Connection,
-        "Couldn't get OIDC configuration from URL" + this.authServerBaseUrl + "/.well-known/openid-configuration"
-      );
-    this.oidcConfig = { ...te };
-    try {
-      const n = await r.json();
-      for (const [i, s] of Object.entries(n))
-        this.oidcConfig[i] = s;
-    } catch {
-      throw new g(
-        y.Connection,
-        "Unrecognized response from OIDC configuration endpoint"
-      );
-    }
-  }
-  getOidcConfig() {
-    return this.oidcConfig;
-  }
-  //////////////////////////////////////////////////////////////////////
-  // Authorization Code Flow
-  /**
-   * Starts the authorizatuin code flow, optionally with PKCE.
-   * 
-   * Doesn't actually call the endpoint but rather returns its URL
-   * 
-   * @param scope optionally specify the scopes to ask the user to
-   *        authorize (space separated, non URL-encoded)
-   * @param pkce if true, initiate the Authorization Code Flow with PKCE,
-   *        otherwiswe without PKCE.
-   * @returns an object with
-   *          - `url` - the full `authorize` URL to fetch, if there was no
-   *            error, undefined otherwise
-   *          - `error` OAuth error if there was an error, undefined
-   *            otherwise.  See OAuth specification for authorize endpoint
-   *          - `error_description` friendly error message or undefined
-   *            if no error
-   */
-  async startAuthorizationCodeFlow(t, r = false) {
-    var s, o, l;
-    if (d.logger.debug(h({ msg: "Starting authorization code flow" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.response_types_supported.includes("code")) || !((o = this.oidcConfig) != null && o.response_modes_supported.includes("query")))
-      return {
-        error: "invalid_request",
-        error_description: "Server does not support authorization code flow"
-      };
-    if (!((l = this.oidcConfig) != null && l.authorization_endpoint))
-      return {
-        error: "server_error",
-        error_description: "Cannot get authorize endpoint"
-      };
-    if (_(this, R, this.randomValue(this.stateLength)), !u(this, w)) return {
-      error: "invalid_request",
-      error_description: "Cannot make authorization code flow without client id"
-    };
-    if (!this.redirect_uri) return {
-      error: "invalid_request",
-      error_description: "Cannot make authorization code flow without Redirect Uri"
-    };
-    let i = this.oidcConfig.authorization_endpoint + "?response_type=code&client_id=" + encodeURIComponent(u(this, w)) + "&state=" + encodeURIComponent(u(this, R)) + "&redirect_uri=" + encodeURIComponent(this.redirect_uri);
-    return t && (i += "&scope=" + encodeURIComponent(t)), r && (_(this, T, this.randomValue(this.verifierLength)), _(this, N, this.codeChallengeMethod == "plain" ? u(this, T) : await this.sha256(u(this, T))), i += "&code_challenge=" + u(this, N)), { url: i };
-  }
-  /**
-   * This implements the functionality behind the redirect URI
-   * 
-   * Does not throw exceptions.
-   *
-   * If an error wasn't reported,  a POST request to the `token` endpoint with 
-   * the authorization code to get an access token, etc.  If there was 
-   * an error, this is just passed through without calling and further
-   * endpoints.
-   * 
-   * @param code the authorization code
-   * @param state the random state variable
-   * @param error if defined, it will be returned as an error.  This is
-   *              for cascading errors from previous requests.
-   * @param errorDescription if error is defined, this text is returned
-   *        as the `error_description`  It is set to `Unknown error` 
-   *        otherwise
-   * @returns The {@link OAuthTokenResponse} from the `token` endpoint
-   *          request, or `error` and `error_description`.
-   */
-  async redirectEndpoint(t, r, n, i) {
-    var p, P;
-    if (this.oidcConfig || await this.loadConfig(), n || !t)
-      return n || (n = "server_error"), i || (i = "Unknown error"), { error: n, error_description: i };
-    if (u(this, R) && r != u(this, R))
-      return { error: "access_denied", error_description: "State is not valid" };
-    if (this.authzCode = t, !((p = this.oidcConfig) != null && p.grant_types_supported.includes("authorization_code")))
-      return {
-        error: "invalid_request",
-        error_description: "Server does not support authorization code grant"
-      };
-    if (!((P = this.oidcConfig) != null && P.token_endpoint))
-      return {
-        error: "server_error",
-        error_description: "Cannot get token endpoint"
-      };
-    const s = this.oidcConfig.token_endpoint;
-    let o, l;
-    o = "authorization_code", l = u(this, S);
-    let f = {
-      grant_type: o,
-      client_id: u(this, w),
-      code: this.authzCode
-    };
-    l && (f.client_secret = l), f.code_verifier = u(this, T);
-    try {
-      return this.post(s, f, this.authServerHeaders);
-    } catch (U) {
-      return d.logger.error(h({ err: U })), {
-        error: "server_error",
-        error_description: "Unable to get access token from server"
-      };
-    }
-  }
-  //////////////////////////////////////////////////////////////////////
-  // Client Credentials Flow
-  /**
-   * Performs the client credentials flow.
-   * 
-   * Does not throw exceptions.
-   * 
-   * Makes a POST request to the `token` endpoint with the
-   * authorization code to get an access token, etc.
-   * 
-   * @param scope the scopes to authorize for the client (optional)
-   * @returns The {@link OAuthTokenResponse} from the `token` endpoint
-   *          request, or `error` and `error_description`.
-   */
-  async clientCredentialsFlow(t) {
-    var i, s;
-    if (d.logger.debug(h({ msg: "Starting client credentials flow" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("client_credentials")))
-      return {
-        error: "invalid_request",
-        error_description: "Server does not support client credentials grant"
-      };
-    if (!((s = this.oidcConfig) != null && s.token_endpoint))
-      return { error: "server_error", error_description: "Cannot get token endpoint" };
-    if (!u(this, w)) return {
-      error: "invalid_request",
-      error_description: "Cannot make client credentials flow without client id"
-    };
-    const r = this.oidcConfig.token_endpoint;
-    let n = {
-      grant_type: "client_credentials",
-      client_id: u(this, w),
-      client_secret: u(this, S)
-    };
-    t && (n.scope = t);
-    try {
-      return await this.post(r, n, this.authServerHeaders);
-    } catch (o) {
-      return d.logger.error(h({ err: o })), {
-        error: "server_error",
-        error_description: "Error connecting to authorization server"
-      };
-    }
-  }
-  //////////////////////////////////////////////////////////////////////
-  // Password and Password MFA Flows
-  /** Initiates the Password Flow.
-   * 
-   * Does not throw exceptions.
-   * 
-   * @param username the username
-   * @param password the user's password
-   * @param scope the scopes to authorize (optional)
-   * @returns An {@link OAuthTokenResponse} which may contain data or
-   * the OAuth error fields.  If 2FA is enabled for this user on the
-   * authorization server, the Password MFA flow is followed.  See
-   * {@link https://auth0.com/docs/secure/multi-factor-authentication/multi-factor-authentication-factors}.
-   * 
-   */
-  async passwordFlow(t, r, n) {
-    var o, l;
-    if (d.logger.debug(h({ msg: "Starting password flow" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("password")))
-      return {
-        error: "invalid_request",
-        error_description: "Server does not support password grant"
-      };
-    if (!((l = this.oidcConfig) != null && l.token_endpoint))
-      return {
-        error: "server_error",
-        error_description: "Cannot get token endpoint"
-      };
-    const i = this.oidcConfig.token_endpoint;
-    let s = {
-      grant_type: "password",
-      client_id: u(this, w),
-      client_secret: u(this, S),
-      username: t,
-      password: r
-    };
-    n && (s.scope = n);
-    try {
-      return await this.post(i, s, this.authServerHeaders);
-    } catch (f) {
-      return d.logger.error(h({ err: f })), {
-        error: "server_error",
-        error_description: "Error connecting to authorization server"
-      };
-    }
-  }
-  /** Request valid authenticators using the Password MFA flow, 
-   * after the Password flow has been initiated.
-   * 
-   * Does not throw exceptions.
-   * 
-   * @param mfaToken the MFA token that was returned by the authorization
-   *        server in the response from the Password Flow.
-   * @returns Either
-   *   - authenticators an array of {@link MfaAuthenticatorResponse} objects,
-   *     as per Auth0's Password MFA documentation
-   *   - an `error` and `error_description`, also as per Auth0's Password MFA 
-   *     documentation
-   */
-  async mfaAuthenticators(t) {
-    var s, o, l;
-    if (d.logger.debug(h({ msg: "Getting valid MFA authenticators" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")) && ((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
-      return {
-        error: "invalid_request",
-        error_description: "Server does not support password_mfa grant"
-      };
-    if (!((l = this.oidcConfig) != null && l.issuer))
-      return { error: "server_error", error_description: "Cannot get issuer" };
-    const r = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/authenticators", n = await this.get(r, { authorization: "Bearer " + t, ...this.authServerHeaders });
-    if (!Array.isArray(n))
-      return {
-        error: "server_error",
-        error_description: "Expected array of authenticators in mfa/authenticators response"
-      };
-    let i = [];
-    for (let f = 0; f < n.length; ++f) {
-      const p = n[f];
-      if (!p.id || !p.authenticator_type || !p.active)
-        return {
-          error: "server_error",
-          error_description: "Invalid mfa/authenticators response"
-        };
-      i.push({
-        id: p.id,
-        authenticator_type: p.authenticator_type,
-        active: p.active,
-        name: p.name,
-        oob_channel: p.oob_channel
-      });
-    }
-    return { authenticators: i };
-  }
-  /** 
-   * This is part of the Auth0 Password MFA flow.  Once the client has
-   * received a list of valid authenticators, if it wishes to initiate
-   * OTP, call this function
-   * 
-   * Does not throw exceptions.
-   * 
-   * @param mfaToken the MFA token that was returned by the authorization
-   *        server in the response from the Password Flow.
-   * @param authenticatorId the authenticator ID, as returned in the response
-   * from the `mfaAuthenticators` request.
-   */
-  async mfaOtpRequest(t, r) {
-    var s, o;
-    if (d.logger.debug(h({ msg: "Making MFA OTB request" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
-      return {
-        error: "invalid_request",
-        error_description: "Server does not support password_mfa grant"
-      };
-    if (!((o = this.oidcConfig) != null && o.issuer))
-      return { error: "server_error", error_description: "Cannot get issuer" };
-    const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", i = await this.post(n, {
-      client_id: u(this, w),
-      client_secret: u(this, S),
-      challenge_type: "otp",
-      mfa_token: t,
-      authenticator_id: r
-    }, this.authServerHeaders);
-    return i.challenge_type != "otp" ? {
-      error: i.error ?? "server_error",
-      error_description: i.error_description ?? "Invalid OTP challenge response"
-    } : i;
-  }
-  /**
-   * Completes the Password MFA OTP flow.
-   * @param mfaToken the MFA token that was returned by the authorization
-   *        server in the response from the Password Flow.
-   * @param otp the OTP entered by the user
-   * @returns an object with some of the following fields, depending on
-   *          authorization server configuration and whether there were
-   *          errors:
-   *   - `access_token` an OAuth access token
-   *   - `refresh_token` an OAuth access token
-   *   - `id_token` an OpenID Connect ID token
-   *   - `expires_in` number of seconds when the access token expires
-   *   - `scope` the scopes the user authorized
-   *   - `token_type` the OAuth token type
-   *   - `error` as per Auth0 Password MFA documentation
-   *   - `error_description` friendly error message
-   */
-  async mfaOtpComplete(t, r, n) {
-    var o, l;
-    if (d.logger.debug(h({ msg: "Completing MFA OTP request" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
-      return {
-        error: "invalid_request",
-        error_description: "Server does not support password_mfa grant"
-      };
-    if (!((l = this.oidcConfig) != null && l.issuer))
-      return { error: "server_error", error_description: "Cannot get issuer" };
-    const i = this.oidcConfig.token_endpoint, s = await this.post(i, {
-      grant_type: "http://auth0.com/oauth/grant-type/mfa-otp",
-      client_id: u(this, w),
-      client_secret: u(this, S),
-      challenge_type: "otp",
-      mfa_token: t,
-      otp: r,
-      scope: n
-    }, this.authServerHeaders);
-    return {
-      id_token: s.id_token,
-      access_token: s.access_token,
-      refresh_token: s.refresh_token,
-      expires_in: Number(s.expires_in),
-      scope: s.scope,
-      token_type: s.token_type,
-      error: s.error,
-      error_description: s.error_description
-    };
-  }
-  /** 
-   * This is part of the Auth0 Password MFA flow.  Once the client has
-   * received a list of valid authenticators, if it wishes to initiate
-   * OOB (out of band) login, call this function
-   * 
-   * Does not throw exceptions.
-   * 
-   * @param mfaToken the MFA token that was returned by the authorization
-   *        server in the response from the Password Flow.
-   * @param authenticatorId the authenticator ID, as returned in the response
-   * from the `mfaAuthenticators` request.
-   * @returns an object with one or more of the following defined:
-   *   - `challenge_type` as per the Auth0 MFA documentation
-   *   - `oob_code` as per the Auth0 MFA documentation
-   *   - `binding_method` as per the Auth0 MFA documentation
-   *   - `error` as per Auth0 Password MFA documentation
-   *   - `error_description` friendly error message
-   */
-  async mfaOobRequest(t, r) {
-    var s, o;
-    if (d.logger.debug(h({ msg: "Making MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
-      return {
-        error: "invalid_request",
-        error_description: "Server does not support password_mfa grant"
-      };
-    if (!((o = this.oidcConfig) != null && o.issuer))
-      return { error: "server_error", error_description: "Cannot get issuer" };
-    const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", i = await this.post(n, {
-      client_id: u(this, w),
-      client_secret: u(this, S),
-      challenge_type: "oob",
-      mfa_token: t,
-      authenticator_id: r
-    }, this.authServerHeaders);
-    return i.challenge_type != "oob" || !i.oob_code || !i.binding_method ? { error: i.error ?? "server_error", error_description: i.error_description ?? "Invalid OOB challenge response" } : {
-      challenge_type: i.challenge_type,
-      oob_code: i.oob_code,
-      binding_method: i.binding_method,
-      error: i.error,
-      error_description: i.error_description
-    };
-  }
-  /**
-   * Completes the Password MFA OTP flow.
-   * 
-   * Does not throw exceptions.
-   * 
-   * @param mfaToken the MFA token that was returned by the authorization
-   *        server in the response from the Password Flow.
-   * @param oobCode the code entered by the user
-   * @returns an {@link OAuthTokenResponse} object, which may contain
-   *          an error instead of the response fields.
-   */
-  async mfaOobComplete(t, r, n, i) {
-    var l, f;
-    if (d.logger.debug(h({ msg: "Completing MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((l = this.oidcConfig) != null && l.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
-      return {
-        error: "invalid_request",
-        error_description: "Server does not support password_mfa grant"
-      };
-    if (!((f = this.oidcConfig) != null && f.issuer))
-      return { error: "server_error", error_description: "Cannot get issuer" };
-    const s = this.oidcConfig.token_endpoint, o = await this.post(s, {
-      grant_type: "http://auth0.com/oauth/grant-type/mfa-oob",
-      client_id: u(this, w),
-      client_secret: u(this, S),
-      challenge_type: "otp",
-      mfa_token: t,
-      oob_code: r,
-      binding_code: n,
-      scope: i
-    }, this.authServerHeaders);
-    return o.error ? {
-      error: o.error,
-      error_description: o.error_description
-    } : {
-      id_token: o.id_token,
-      access_token: o.access_token,
-      refresh_token: o.refresh_token,
-      expires_in: "expires_in" in o ? Number(o.expires_in) : void 0,
-      scope: o.scope,
-      token_type: o.token_type
-    };
-  }
-  //////////////////////////////////////////////////////////////////////
-  // Refresh Token Flow
-  async refreshTokenFlow(t) {
-    var s, o;
-    if (d.logger.debug(h({ msg: "Starting refresh token flow" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("refresh_token")))
-      return {
-        error: "invalid_request",
-        error_description: "Server does not support refresh_token grant"
-      };
-    if (!((o = this.oidcConfig) != null && o.token_endpoint))
-      return {
-        error: "server_error",
-        error_description: "Cannot get token endpoint"
-      };
-    const r = this.oidcConfig.token_endpoint;
-    let n;
-    n = u(this, S);
-    let i = {
-      grant_type: "refresh_token",
-      refresh_token: t,
-      client_id: u(this, w)
-    };
-    n && (i.client_secret = n);
-    try {
-      return await this.post(r, i, this.authServerHeaders);
-    } catch (l) {
-      return d.logger.error(h({ err: l })), {
-        error: "server_error",
-        error_description: "Error connecting to authorization server"
-      };
-    }
-  }
-  //////////////////////////////////////////////////////////////////////
-  // Device Code Flow
-  /**
-   * Starts the Device Code Flow on the primary device (the one wanting an access token)
-   * @param url The URl for the device_authorization endpoint, as it is not defined in the OIDC configuration
-   * @param scope optional scope to request authorization for
-   * @returns See {@link OAuthDeviceAuthorizationResponse}
-   */
-  async startDeviceCodeFlow(t, r) {
-    var i;
-    if (d.logger.debug(h({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
-      return {
-        error: "invalid_request",
-        error_description: "Server does not support device code grant"
-      };
-    let n = {
-      grant_type: "urn:ietf:params:oauth:grant-type:device_code",
-      client_id: u(this, w),
-      client_secret: u(this, S)
-    };
-    r && (n.scope = r);
-    try {
-      return await this.post(t, n, this.authServerHeaders);
-    } catch (s) {
-      return d.logger.error(h({ err: s })), {
-        error: "server_error",
-        error_description: "Error connecting to authorization server"
-      };
-    }
-  }
-  /**
-   * Polls the device endpoint to check if the device code flow has been
-   * authorized by the user.
-   * 
-   * @param deviceCode the device code to poll
-   * @returns See {@link OAuthDeviceResponse}
-   */
-  async pollDeviceCodeFlow(t) {
-    var n, i, s;
-    if (d.logger.debug(h({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((n = this.oidcConfig) != null && n.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
-      return {
-        error: "invalid_request",
-        error_description: "Server does not support device code grant"
-      };
-    if (!((i = this.oidcConfig) != null && i.token_endpoint))
-      return {
-        error: "server_error",
-        error_description: "Cannot get token endpoint"
-      };
-    let r = {
-      grant_type: "urn:ietf:params:oauth:grant-type:device_code",
-      client_id: u(this, w),
-      client_secret: u(this, S),
-      device_code: t
-    };
-    try {
-      const o = await this.post((s = this.oidcConfig) == null ? void 0 : s.token_endpoint, r, this.authServerHeaders);
-      return o.error, o;
-    } catch (o) {
-      return d.logger.error(h({ err: o })), {
-        error: "server_error",
-        error_description: "Error connecting to authorization server"
-      };
-    }
-  }
-  /**
-   * Makes a POST request to the given URL using `fetch()`.
-   * 
-   * @param url the URL to fetch
-   * @param params the body parameters, which are passed as JSON.
-   * @returns the parsed JSON response as an object.
-   * @throws any exception raised by `fetch()`
-   */
-  async post(t, r, n = {}) {
-    d.logger.debug(h({
-      msg: "Fetch POST",
-      url: t,
-      params: Object.keys(r)
-    }));
-    let i = {};
-    return this.authServerCredentials && (i.credentials = this.authServerCredentials), this.authServerMode && (i.mode = this.authServerMode), await (await fetch(t, {
-      method: "POST",
-      ...i,
-      headers: {
-        Accept: "application/json",
-        "Content-Type": "application/json",
-        ...n
-      },
-      body: JSON.stringify(r)
-    })).json();
-  }
-  /**
-   * Makes a GET request to the given URL using `fetch()`.
-   * 
-   * @param url the URL to fetch
-   * @param headers any headers to add to the request
-   * @returns the parsed JSON response as an object.
-   * @throws any exception raised by `fetch()`
-   */
-  async get(t, r = {}) {
-    d.logger.debug(h({ msg: "Fetch GET", url: t }));
-    let n = {};
-    return this.authServerCredentials && (n.credentials = this.authServerCredentials), this.authServerMode && (n.mode = this.authServerMode), await (await fetch(t, {
-      method: "GET",
-      ...n,
-      headers: {
-        Accept: "application/json",
-        "Content-Type": "application/json",
-        ...r
-      }
-    })).json();
-  }
-  /**
-   * Validates an OpenID ID token, returning undefined if it is invalid.
-   * 
-   * Does not raise exceptions.
-   * 
-   * @param token the token to validate.  To be valid, the signature must
-   *        be valid and the `type` claim in the payload must be set to `id`.
-   * @returns the parsed payload or undefined if the token is invalid.
-   */
-  async validateIdToken(t) {
-    try {
-      return await this.tokenConsumer.tokenAuthorized(t, "id");
-    } catch {
-      return;
-    }
-  }
-  /**
-   * Validatesd a token using the token consumer.
-   * 
-   * @param idToken the token to validate
-   * @returns the parsed JSON of the payload, or undefinedf if it is not
-   * valid.
-   */
-  async idTokenAuthorized(t) {
-    try {
-      return await this.tokenConsumer.tokenAuthorized(t, "id");
-    } catch (r) {
-      d.logger.warn(h({ err: r }));
-      return;
-    }
-  }
-  getTokenPayload(t) {
-    return Me(t);
-  }
-}
-w = /* @__PURE__ */ new WeakMap(), S = /* @__PURE__ */ new WeakMap(), N = /* @__PURE__ */ new WeakMap(), T = /* @__PURE__ */ new WeakMap(), R = /* @__PURE__ */ new WeakMap();
-class Le {
-  /**
-   * Constrctor
-   * 
-   * @param audience : this is the value expected in the `aud` field
-   *        of the JWT.  The token is rejected if it doesn't match.
-   * @param options See {@link OAuthTokenConsumerBaseOptions}.
-   */
-  constructor(t, r = {}) {
-    a(this, "audience");
-    a(this, "jwtKeyType");
-    a(this, "jwtSecretKey");
-    a(this, "jwtPublicKey");
-    a(this, "clockTolerance", 10);
-    a(this, "authServerBaseUrl", "");
-    a(this, "oidcConfig");
-    a(this, "keys", {});
-    if (this.audience = t, r.authServerBaseUrl && (this.authServerBaseUrl = r.authServerBaseUrl), r.jwtKeyType && (this.jwtKeyType = r.jwtKeyType), r.jwtSecretKey && (this.jwtSecretKey = r.jwtSecretKey), r.jwtPublicKey && (this.jwtPublicKey = r.jwtPublicKey), r.clockTolerance && (this.clockTolerance = r.clockTolerance), r.oidcConfig && (this.oidcConfig = r.oidcConfig), this.jwtPublicKey && !this.jwtKeyType)
-      throw new g(
-        y.Configuration,
-        "If specifying jwtPublic key, must also specify jwtKeyType"
-      );
-  }
-  /**
-   * This loads keys either from the ones passed in the constructor
-   * or by fetching from the authorization server.
-   * 
-   * Note that even if you pass the keys to the constructor, you must
-   * still call this function.  This is because key loading is
-   * asynchronous, and constructors may not be async.
-   */
-  async loadKeys() {
-    try {
-      if (this.jwtSecretKey) {
-        if (!this.jwtKeyType)
-          throw new g(
-            y.Configuration,
-            "Must specify jwtKeyType if setting jwtSecretKey"
-          );
-        this.keys._default = await Oe(this.jwtSecretKey, this.jwtKeyType);
-      } else if (this.jwtPublicKey) {
-        if (!this.jwtKeyType)
-          throw new g(
-            y.Configuration,
-            "Must specify jwtKeyType if setting jwtPublicKey"
-          );
-        const t = await Ee(this.jwtPublicKey, this.jwtKeyType);
-        this.keys._default = t;
-      } else {
-        if (this.oidcConfig || await this.loadConfig(), !this.oidcConfig)
-          throw new g(
-            y.Connection,
-            "Load OIDC config before Jwks"
-          );
-        await this.loadJwks();
-      }
-    } catch (t) {
-      throw d.logger.debug(h({ err: t })), new g(y.Connection, "Couldn't load keys");
-    }
-  }
-  /**
-   * Loads OpenID Connect configuration, or fetches it from the 
-   * authorization server (using the well-known enpoint appended
-   * to `authServerBaseUrl` )
-   * @param oidcConfig the configuration, or undefined to load it from
-   *        the authorization server
-   * @throws a {@link @crossauth/common!CrossauthError} object with {@link @crossauth/common!ErrorCode} of
-   *   - `Connection` if the fetch to the authorization server failed.
-   */
-  async loadConfig(t) {
-    if (t) {
-      this.oidcConfig = t;
-      return;
-    }
-    if (!this.authServerBaseUrl)
-      throw new g(y.Connection, "Couldn't get OIDC configuration.  Either set authServerBaseUrl or set config manually");
-    let r;
-    try {
-      r = await fetch(new URL("/.well-known/openid-configuration", this.authServerBaseUrl));
-    } catch (n) {
-      d.logger.error(h({ err: n }));
-    }
-    if (!r || !r.ok)
-      throw new g(y.Connection, "Couldn't get OIDC configuration");
-    this.oidcConfig = { ...te };
-    try {
-      const n = await r.json();
-      for (const [i, s] of Object.entries(n))
-        this.oidcConfig[i] = s;
-    } catch {
-      throw new g(y.Connection, "Unrecognized response from OIDC configuration endpoint");
-    }
-  }
-  /**
-   * Loads the JWT signature validation keys, or fetches them from the 
-   * authorization server (using the URL in the OIDC configuration).
-   * @param jwks the keys to load, or undefined to fetch them from
-   *        the authorization server.
-   * @throws a {@link @crossauth/common!CrossauthError} object with {@link @crossauth/common!ErrorCode} of
-   *   - `Connection` if the fetch to the authorization server failed,
-   *     the OIDC configuration wasn't set or the keys could not be parsed.
-   */
-  async loadJwks(t) {
-    if (t) {
-      this.keys = {};
-      for (let r = 0; r < t.keys.length; ++r) {
-        const n = t.keys[r];
-        this.keys[n.kid ?? "_default"] = await Z(t.keys[r]);
-      }
-    } else {
-      if (!this.oidcConfig)
-        throw new g(y.Connection, "Load OIDC config before Jwks");
-      let r;
-      try {
-        r = await fetch(new URL(this.oidcConfig.jwks_uri));
-      } catch (n) {
-        d.logger.error(h({ err: n }));
-      }
-      if (!r || !r.ok)
-        throw new g(y.Connection, "Couldn't get OIDC configuration");
-      this.keys = {};
-      try {
-        const n = await r.json();
-        if (!("keys" in n) || !Array.isArray(n.keys))
-          throw new g(y.Connection, "Couldn't fetch keys");
-        for (let i = 0; i < n.keys.length; ++i)
-          try {
-            let s = "_default";
-            "kid" in n.keys[i] && typeof n.keys[i] == "string" && (s = String(n.keys[i]));
-            const o = await Z(n.keys[i]);
-            this.keys[s] = o;
-          } catch (s) {
-            throw d.logger.error(h({ err: s })), new g(y.Connection, "Couldn't load keys");
-          }
-      } catch (n) {
-        throw d.logger.error(h({ err: n })), new g(y.Connection, "Unrecognized response from OIDC jwks endpoint");
-      }
-    }
-  }
-  /**
-   * Returns JWT payload if the token is valid, undefined otherwise.
-   * 
-   * Doesn't throw exceptions.
-   * 
-   * @param token the token to validate
-   * @param tokenType either `access`, `refresh` or `id`.  If the
-   *        `type` field in the JWT payload doesn't match this, validation
-   *        fails.
-   * @returns the JWT payload if the token is valid, `undefined` otherwise.
-   */
-  async tokenAuthorized(t, r) {
-    (!this.keys || Object.keys(this.keys).length == 0) && await this.loadKeys();
-    const n = await this.validateToken(t);
-    if (n) {
-      if (n.type != r && d.logger.error(h({ msg: r + " expected but got " + n.type })), n.iss != this.authServerBaseUrl) {
-        d.logger.error(h({ msg: `Invalid issuer ${n.iss} in access token`, hashedAccessToken: await this.hash(n.jti) }));
-        return;
-      }
-      if (n.aud && (Array.isArray(n.aud) && !n.aud.includes(this.audience) || !Array.isArray(n.aud) && n.aud != this.audience)) {
-        d.logger.error(h({ msg: `Invalid audience ${n.aud} in access token`, hashedAccessToken: await this.hash(n.jti) }));
-        return;
-      }
-      return n;
-    }
-  }
-  async validateToken(t) {
-    (!this.keys || Object.keys(this.keys).length == 0) && d.logger.warn("No keys loaded so cannot validate tokens");
-    let r;
-    try {
-      r = qe(t).kid;
-    } catch {
-      d.logger.warn(h({ msg: "Invalid access token format" }));
-      return;
-    }
-    let n;
-    "_default" in this.keys && (n = this.keys._default);
-    for (let i in this.keys)
-      if (r == i) {
-        n = this.keys[i];
-        break;
-      }
-    if (!n) {
-      d.logger.warn(h({ msg: "No matching keys found for access token" }));
-      return;
-    }
-    try {
-      const { payload: i } = await Je(t, n), s = JSON.parse(new TextDecoder().decode(i));
-      if (s.exp * 1e3 < Date.now() + this.clockTolerance) {
-        d.logger.warn(h({ msg: "Access token has expired" }));
-        return;
-      }
-      return s;
-    } catch {
-      d.logger.warn(h({ msg: "Access token did not validate" }));
-      return;
-    }
-  }
-}
-const TOLERANCE_SECONDS = 30;
-const AUTOREFRESH_RETRIES = 2;
-const AUTOREFRESH_RETRY_INTERVAL_SECS = 30;
-class OAuthAutoRefresher {
-  /**
-   * Constructor
-   * 
-   * @param options
-   *   - `autoRefreshUrl` the URL to call to perform the refresh  Default is `/autorefresh`
-   *   - `csrfHeader` the header to put CSRF tokens into 
-   *        (default `X-CROSSAUTH-CSRF`))
-   *   - `mode` overrides the default `mode` in fetch calls
-   *   - `credentials` - overrides the default `credentials` for fetch calls
-   *   - `headers` - adds headers to fetfh calls
-   *   - `tokenProvider` - class for fetching tokens and adding them to requests
-   */
-  constructor(options) {
-    __publicField(this, "autoRefreshUrl", "/autorefresh");
-    __publicField(this, "csrfHeader", "X-CROSSAUTH-CSRF");
-    __publicField(this, "headers", {});
-    __publicField(this, "autoRefreshActive", false);
-    __publicField(this, "mode", "cors");
-    __publicField(this, "credentials", "same-origin");
-    __publicField(this, "tokenProvider");
-    this.tokenProvider = options.tokenProvider;
-    this.autoRefreshUrl = options.autoRefreshUrl;
-    if (options.csrfHeader) this.csrfHeader = options.csrfHeader;
-    if (options.headers) this.headers = options.headers;
-    if (options.mode) this.mode = options.mode;
-    if (options.credentials) this.credentials = options.credentials;
-  }
-  async startAutoRefresh(tokensToFetch = ["access", "id"], errorFn) {
-    if (!this.autoRefreshActive) {
-      this.autoRefreshActive = true;
-      d.logger.debug(h({ msg: "Starting auto refresh" }));
-      await this.scheduleAutoRefresh(tokensToFetch, errorFn);
-    }
-  }
-  stopAutoRefresh() {
-    this.autoRefreshActive = false;
-    d.logger.debug(h({ msg: "Stopping auto refresh" }));
-  }
-  async scheduleAutoRefresh(tokensToFetch, errorFn) {
-    const csrfTokenPromise = this.tokenProvider.getCsrfToken();
-    const csrfToken = csrfTokenPromise ? await csrfTokenPromise : void 0;
-    const expiries = await this.tokenProvider.getTokenExpiries([...tokensToFetch, "refresh"], csrfToken);
-    if (expiries.refresh == void 0) {
-      d.logger.debug(h({ msg: `No refresh token found` }));
-      return;
-    }
-    const now = Date.now();
-    let tokenExpiry = expiries.id;
-    if (!tokenExpiry || expiries.access && expiries.access < tokenExpiry) tokenExpiry = expiries.access;
-    if (!tokenExpiry) {
-      d.logger.debug(h({ msg: `No tokens expire` }));
-      return;
-    }
-    const renewTime = tokenExpiry * 1e3 - now - TOLERANCE_SECONDS;
-    if (renewTime < 0) {
-      d.logger.debug(h({ msg: `Expiry time has passed` }));
-      return;
-    }
-    if (expiries.refresh && expiries.refresh - TOLERANCE_SECONDS < renewTime) {
-      d.logger.debug(h({ msg: `Refresh token has expired` }));
-      return;
-    }
-    let wait = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
-    d.logger.debug(h({ msg: `Waiting ${renewTime} before refreshing tokens` }));
-    await wait(renewTime);
-    await this.autoRefresh(tokensToFetch, csrfToken, errorFn);
-  }
-  async autoRefresh(tokensToFetch, csrfToken, errorFn) {
-    if (this.autoRefreshActive) {
-      let reply = void 0;
-      let success = false;
-      let tries = 0;
-      while (!success && tries <= AUTOREFRESH_RETRIES) {
-        try {
-          let headers = { ...this.headers };
-          if (csrfToken) {
-            headers[this.csrfHeader] = csrfToken;
-          }
-          d.logger.debug(h({ msg: `Initiating auto refresh` }));
-          const resp = await this.tokenProvider.jsonFetchWithToken(
-            this.autoRefreshUrl,
-            {
-              method: "POST",
-              headers: {
-                "Accept": "application/json",
-                "Content-Type": "application/json",
-                ...headers
-              },
-              mode: this.mode,
-              credentials: this.credentials,
-              body: {
-                csrfToken
-              }
-            },
-            "refresh"
-          );
-          if (!resp.ok) {
-            d.logger.error(h({ msg: "Failed auto refreshing tokens", status: resp.status }));
-          }
-          reply = await resp.json();
-          if (reply == null ? void 0 : reply.ok) {
-            await this.scheduleAutoRefresh(tokensToFetch, errorFn);
-            success = true;
-            try {
-              await this.tokenProvider.receiveTokens(reply);
-            } catch (e) {
-              const cerr = g.asCrossauthError(e);
-              if (errorFn) {
-                errorFn("Couldn't receive tokens", cerr);
-              } else {
-                d.logger.debug(h({ err: e }));
-                d.logger.error(h({ msg: "Error receiving tokens", cerr }));
-              }
-            }
-          } else {
-            if (tries < AUTOREFRESH_RETRIES) {
-              d.logger.error(h({ msg: `Failed auto refreshing tokens.  Retrying in ${AUTOREFRESH_RETRY_INTERVAL_SECS} seconds` }));
-              let wait = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
-              await wait(AUTOREFRESH_RETRY_INTERVAL_SECS * 1e3);
-            } else {
-              d.logger.error(h({ msg: `Failed auto refreshing tokens.  Number of retries exceeded` }));
-              if (errorFn) {
-                errorFn("Failed auto refreshing tokens");
-              }
-            }
-            tries++;
-          }
-        } catch (e) {
-          const ce2 = g.asCrossauthError(e);
-          d.logger.debug(h({ err: ce2 }));
-          if (tries < AUTOREFRESH_RETRIES) {
-            d.logger.error(h({ msg: `Failed auto refreshing tokens.  Retrying in ${AUTOREFRESH_RETRIES} seconds` }));
-            let wait = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
-            await wait(AUTOREFRESH_RETRY_INTERVAL_SECS);
-          } else {
-            d.logger.error(h({ msg: `Failed auto refreshing tokens.  Number of retries exceeded` }));
-            if (errorFn) {
-              errorFn(ce2.message, ce2);
-            }
-          }
-          tries++;
-        }
-      }
-    }
-  }
-}
-class OAuthDeviceCodePoller {
-  /**
-   * Constructor
-   * 
-   * @param options
-   *   - `deviceCodePollUrl` the URL to call to poll for authorization.  Default `/devicecodepoll`
-   *   - `mode` overrides the default `mode` in fetch calls
-   *   - `credentials` - overrides the default `credentials` for fetch calls
-   *   - `headers` - adds headers to fetfh calls
-   */
-  constructor(options) {
-    __publicField(this, "deviceCodePollUrl", "/devicecodepoll");
-    __publicField(this, "headers", {});
-    __publicField(this, "pollingActive", false);
-    __publicField(this, "mode", "cors");
-    __publicField(this, "credentials", "same-origin");
-    __publicField(this, "respectRedirect", true);
-    __publicField(this, "oauthClient");
-    this.oauthClient = options.oauthClient;
-    if (options.deviceCodePollUrl != void 0) this.deviceCodePollUrl = options.deviceCodePollUrl;
-    if (options.headers) this.headers = options.headers;
-    if (options.mode) this.mode = options.mode;
-    if (options.credentials) this.credentials = options.credentials;
-  }
-  async startPolling(deviceCode, pollResultFn, interval = 5) {
-    if (!this.pollingActive) {
-      this.pollingActive = true;
-      d.logger.debug(h({ msg: "Starting auto refresh" }));
-      await this.poll(deviceCode, interval, pollResultFn);
-    }
-  }
-  stopPolling() {
-    this.pollingActive = false;
-    d.logger.debug(h({ msg: "Stopping auto refresh" }));
-  }
-  async poll(deviceCode, interval, pollResultFn) {
-    var _a;
-    if (!deviceCode) {
-      d.logger.debug(h({ msg: "device code poll: no device code provided" }));
-      pollResultFn("error", "Error waiting for authorization");
-    } else {
-      try {
-        d.logger.debug(h({ msg: "device code poll: poll" }));
-        if (!this.deviceCodePollUrl && this.oauthClient) {
-          if (!this.oauthClient.getOidcConfig()) await this.oauthClient.loadConfig();
-          if (!((_a = this.oauthClient.getOidcConfig()) == null ? void 0 : _a.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob"))) {
-            return {
-              error: "invalid_request",
-              error_description: "Server does not support password_mfa grant"
-            };
-          }
-          let config = this.oauthClient.getOidcConfig();
-          if (!(config == null ? void 0 : config.token_endpoint)) return {
-            error: "server_error",
-            error_description: "Couldn't get OIDC configuration"
-          };
-          this.deviceCodePollUrl = config.token_endpoint;
-        }
-        if (!this.deviceCodePollUrl) {
-          return {
-            error: "server_error",
-            error_description: "Must either provide deviceCodePollUrl or an oauthClient to fetch it from"
-          };
-        }
-        const resp = await fetch(this.deviceCodePollUrl, {
-          method: "POST",
-          body: JSON.stringify({ device_code: deviceCode }),
-          headers: { "content-type": "application/json" }
-        });
-        if (resp.redirected) {
-          this.pollingActive = false;
-          if (resp.redirected) {
-            pollResultFn("completeAndRedirect", void 0, resp.url);
-          }
-        } else if (!resp.ok) {
-          this.pollingActive = false;
-          pollResultFn("error", "Received an error from the authorization server");
-        } else {
-          const body = await resp.json();
-          d.logger.debug(h({ msg: "device code poll: received" + JSON.stringify(body) }));
-          if (body.error == "expired_token") {
-            this.pollingActive = false;
-            pollResultFn("expired_token", "Timeout waiting for authorization");
-          } else if (body.error == "authorization_pending" || body.error == "slow_down") {
-            if (body.error == "slow_down") interval += 5;
-            let waitseconds = body.interval ?? interval;
-            let wait = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
-            d.logger.debug(h({ msg: "device code poll: waiting " + String(waitseconds) + " seconds" }));
-            await wait(waitseconds * 1e3);
-            if (this.pollingActive) this.poll(deviceCode, interval, pollResultFn);
-          } else if (body.error) {
-            this.pollingActive = false;
-            pollResultFn("error", body.error_description ?? body.error);
-          } else {
-            this.pollingActive = false;
-            pollResultFn("complete");
-          }
-        }
-      } catch (e) {
-        this.pollingActive = false;
-        const ce2 = g.asCrossauthError(e);
-        d.logger.debug(h({ err: ce2 }));
-        d.logger.error(h({ msg: "Polling failed", cerr: ce2 }));
-        pollResultFn("error", ce2.message);
-      }
-    }
-  }
-}
-class OAuthBffClient {
-  /**
-   * Constructor
-   * 
-   * @param options
-   *   - `bffPrefix` the base url for BFF calls to the OAuth client
-   *        (eg `bff`, which is the default)
-   *   - `csrfHeader` the header to put CSRF tokens into 
-   *        (default `X-CROSSAUTH-CSRF`))
-   *   - `getCsrfTokenUrl` URL to use to fetch CSRF tokens.  Default is
-   *        `/api/getcsrftoken`
-   *   - `autoRefreshUrl` URL to use to refresh tokens.  Default is
-   *        `/api/refreshtokens`
-   *   - `tokensUrl` URL to use to fetch token payloads.  Default is
-   *        `/tokens`
-   *   - `deviceCodePollUrl` URL for polling for device code authorization.  
-   *      Default is `/devicecodepoll`
-   *   - `mode` overrides the default `mode` in fetch calls
-   *   - `credentials` - overrides the default `credentials` for fetch calls
-   *   - `headers` - adds headers to fetfh calls
-   */
-  constructor(options = {}) {
-    __publicField(this, "bffPrefix", "/bff");
-    __publicField(this, "csrfHeader", "X-CROSSAUTH-CSRF");
-    __publicField(this, "enableCsrfProtection", true);
-    __publicField(this, "headers", {});
-    __publicField(this, "mode", "cors");
-    __publicField(this, "credentials", "same-origin");
-    __publicField(this, "autoRefresher");
-    __publicField(this, "deviceCodePoller");
-    __publicField(this, "getCsrfTokenUrl", "/api/getcsrftoken");
-    __publicField(this, "autoRefreshUrl", "/api/refreshtokens");
-    __publicField(this, "tokensUrl", "/tokens");
-    if (options.bffPrefix) this.bffPrefix = options.bffPrefix;
-    if (options.csrfHeader) this.csrfHeader = options.csrfHeader;
-    if (options.enableCsrfProtection != void 0) this.enableCsrfProtection = options.enableCsrfProtection;
-    if (options.getCsrfTokenUrl) this.getCsrfTokenUrl = options.getCsrfTokenUrl;
-    if (options.tokensUrl) this.tokensUrl = options.tokensUrl;
-    if (options.autoRefreshUrl) this.autoRefreshUrl = options.autoRefreshUrl;
-    if (!this.bffPrefix.endsWith("/")) this.bffPrefix += "/";
-    if (options.headers) this.headers = options.headers;
-    if (options.mode) this.mode = options.mode;
-    if (options.credentials) this.credentials = options.credentials;
-    this.autoRefresher = new OAuthAutoRefresher({
-      ...options,
-      autoRefreshUrl: this.autoRefreshUrl,
-      tokenProvider: this
-    });
-    this.deviceCodePoller = new OAuthDeviceCodePoller({ ...options, oauthClient: void 0 });
-  }
-  /**
-   * Gets a CSRF token from the server
-   * @returns the CSRF token that can be included in
-   *          the `X-CROSSAUTH-CSRF` header
-   */
-  async getCsrfToken() {
-    if (!this.enableCsrfProtection) return void 0;
-    try {
-      const resp = await fetch(this.getCsrfTokenUrl, {
-        headers: this.headers,
-        credentials: this.credentials,
-        mode: this.mode
-      });
-      const json = await resp.json();
-      if (!json.ok) throw g.asCrossauthError(json);
-      return json.csrfToken;
-    } catch (e) {
-      throw g.asCrossauthError(e);
-    }
-  }
-  /**
-   * Fetches the ID token from the client.
-   * 
-   * This only returns something if the ID token was returned to the BFF
-   * client in a previous OAuth call.  Otherwise it returns an empty JSON.
-   * 
-   * @param crfToken the CSRF token.  If emtpy, one will be fetched before
-   *        making the request
-   * @returns the ID token payload or an empty object if there isn't one
-   */
-  async getIdToken(csrfToken) {
-    const tokens = await this.getTokens(csrfToken);
-    return (tokens == null ? void 0 : tokens.id_token) ?? null;
-  }
-  /**
-   * Returns whether or not there is an ID token stored in the BFF server
-   * for this client.
-   * 
-   * @param crfToken the CSRF token.  If emtpy, one will be fetched before
-   *        making the request
-   * @returns true or false
-   */
-  async haveIdToken(csrfToken) {
-    const tokens = await this.getTokens(csrfToken);
-    if (tokens == null) return false;
-    if (tokens.have_id_token != void 0) return tokens.have_id_token;
-    return "id_token" in tokens;
-  }
-  /**
-   * Fetches the access token from the client.
-   * 
-   * This only returns something if the access token was returned to the BFF
-   * client in a previous OAuth call.  Otherwise it returns an empty JSON.
-   * 
-   * @param crfToken the CSRF token.  If emtpy, one will be fetched before
-   *        making the request
-   * @param headers any additional headers to add (will be added to
-   *         the ones given with {@link OAuthBffClient.addHeader} )
-   * @returns the access token payload or an empty object if there isn't one
-   */
-  async getAccessToken(csrfToken) {
-    const tokens = await this.getTokens(csrfToken);
-    return (tokens == null ? void 0 : tokens.access_token) ?? null;
-  }
-  /**
-   * Returns whether or not there is an access token stored in the BFF server
-   * for this client.
-   * 
-   * @param crfToken the CSRF token.  If emtpy, one will be fetched before
-   *        making the request
-   * @returns true or false
-   */
-  async haveAccessToken(csrfToken) {
-    const tokens = await this.getTokens(csrfToken);
-    if (tokens == null) return false;
-    if (tokens.have_access_token != void 0) return tokens.have_access_token;
-    return "access_token" in tokens;
-  }
-  /**
-   * Fetches the refresh token from the client.
-   * 
-   * This only returns something if the refresh token was returned to the BFF
-   * client in a previous OAuth call.  Otherwise it returns an empty JSON.
-   * 
-   * @param crfToken the CSRF token.  If emtpy, one will be fetched before
-   *        making the request
-   * @returns the refresh token payload or an empty object if there isn't one
-   */
-  async getRefreshToken(csrfToken) {
-    const tokens = await this.getTokens(csrfToken);
-    return (tokens == null ? void 0 : tokens.refresh_token) ?? null;
-  }
-  /**
-   * Returns whether or not there is a refresh token stored in the BFF server
-   * for this client.
-   * 
-   * @param crfToken the CSRF token.  If emtpy, one will be fetched before
-   *        making the request
-   * @returns true or false
-   */
-  async haveRefreshToken(csrfToken) {
-    const tokens = await this.getTokens(csrfToken);
-    if (tokens == null) return false;
-    if (tokens.have_refresh_token != void 0) return tokens.have_refresh_token;
-    return "refresh_token" in tokens;
-  }
-  /**
-   * Calls an API endpoint via the BFF server
-   * @param method the HTTP method 
-   * @param endpoint the endpoint to call, relative to `bffPrefix` 
-   * @param body : the body to pass to the call
-   * @param csrfToken : the CSRF token
-   * @returns the HTTP status code and the body or null
-   */
-  async api(method, endpoint, body, csrfToken) {
-    let headers = { ...this.headers };
-    if (!csrfToken && !["GET", "HEAD", "OPTIONS"].includes(method)) {
-      csrfToken = await this.getCsrfToken();
-      if (csrfToken) headers[this.csrfHeader] = csrfToken;
-    }
-    if (endpoint.startsWith("/")) endpoint = endpoint.substring(1);
-    let params = {};
-    if (body) params.body = JSON.stringify(body);
-    const resp = await fetch(
-      this.bffPrefix + endpoint,
-      {
-        headers,
-        method,
-        mode: this.mode,
-        credentials: this.credentials,
-        ...params
-      }
-    );
-    let responseBody = null;
-    if (resp.body) responseBody = await resp.json();
-    return { status: resp.status, body: responseBody };
-  }
-  /**
-   * Return all tokens that the client has been enabled to return.
-   * 
-   * @param csrfToken the CSRF token if one is needed
-   * @returns an object with the following (whichever are enabled at the client)
-   *   - `id_token`
-   *   - `access_token`
-   *   - `refresh_token`
-   *   - `have_id_token`
-   *   - `have_access_token`
-   *   - `have_refresh_token`
-   */
-  async getTokens(csrfToken) {
-    if (!csrfToken) csrfToken = await this.getCsrfToken();
-    let headers = { ...this.headers };
-    if (csrfToken)
-      headers[this.csrfHeader] = csrfToken;
-    try {
-      const resp = await fetch(this.tokensUrl, {
-        method: "POST",
-        headers,
-        mode: this.mode,
-        credentials: this.credentials
-      });
-      if (resp.status == 204) {
-        return {};
-      }
-      const body = await resp.json();
-      return body;
-    } catch (e) {
-      throw g.asCrossauthError(e);
-    }
-  }
-  /**
-   * Turns auto refresh of tokens on
-   * @param tokensToFetch which tokens to fetch
-   * @param errorFn what to call in case of error
-   */
-  async startAutoRefresh(tokensToFetch = ["access", "id"], errorFn) {
-    return this.autoRefresher.startAutoRefresh(tokensToFetch, errorFn);
-  }
-  /**
-   * Turns auto refresh of tokens off
-   */
-  stopAutoRefresh() {
-    return this.autoRefresher.stopAutoRefresh();
-  }
-  /**
-   * Turns polling for a device code
-   * @param tokensToFetch which tokens to fetch
-   * @param errorFn what to call in case of error
-   */
-  async startDeviceCodePolling(deviceCode, pollResultFn, interval = 5) {
-    return this.deviceCodePoller.startPolling(deviceCode, pollResultFn, interval);
-  }
-  /**
-   * Turns off polling for a device code
-   */
-  stopDeviceCodePolling() {
-    return this.deviceCodePoller.stopPolling();
-  }
-  ///////////////////////////////////////////////////////////
-  // OAuthTokenProvider interface
-  /**
-   * Fetches the expiry times for each token.
-   * @param crfToken the CSRF token.  If emtpy
-   * , one will be fetched before
-   *        making the request
-   * @returns for each token, either the expiry, `null` if it does not
-   *          expire, or `undefined` if the token does not exist
-   */
-  async getTokenExpiries(tokensToFetch, csrfToken) {
-    const tokens = await this.getTokens(csrfToken);
-    const idToken = tokensToFetch.includes("id") ? (tokens == null ? void 0 : tokens.id_token) ?? null : null;
-    const accessToken = tokensToFetch.includes("access") ? (tokens == null ? void 0 : tokens.access_token) ?? null : null;
-    const refreshToken = tokensToFetch.includes("refresh") ? (tokens == null ? void 0 : tokens.refresh_token) ?? null : null;
-    let idTokenExpiry = void 0;
-    let accessTokenExpiry = void 0;
-    let refreshTokenExpiry = void 0;
-    if (idToken) {
-      idTokenExpiry = idToken.exp ? idToken.exp : null;
-    }
-    if (accessToken) {
-      accessTokenExpiry = accessToken.exp ? accessToken.exp : null;
-    }
-    if (refreshToken) {
-      refreshTokenExpiry = refreshToken.exp ? refreshToken.exp : null;
-    }
-    return {
-      id: idTokenExpiry,
-      access: accessTokenExpiry,
-      refresh: refreshTokenExpiry
-    };
-  }
-  /**
-   * Makes a fetch, adding in the requested token
-   * @param url the URL to fetch
-   * @param params parameters to add to the fetch
-   * @param token which token to add
-   * @returns parsed JSON response
-   */
-  async jsonFetchWithToken(url, params, _token) {
-    if (typeof params.body != "string") params.body = JSON.stringify(params.body);
-    return await fetch(url, params);
-  }
-  receiveTokens(_tokens) {
-    return new Promise((_resolve) => {
-    });
-  }
-}
-class OAuthTokenConsumer extends Le {
-  /**
-   * SHA256 and Base64-url-encodes the given test
-   * @param plaintext the text to encode
-   * @returns the SHA256 hash, Base64-url-encode
-   */
-  async hash(plaintext) {
-    const encoder = new TextEncoder();
-    const data = encoder.encode(plaintext);
-    const hash = await crypto.subtle.digest("SHA-256", data);
-    const hashArray = Array.from(new Uint8Array(hash));
-    return btoa(hashArray.reduce((acc, current) => acc + String.fromCharCode(current), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
-  }
-}
-class OAuthClient extends Be {
-  /**
-   * Constructor
-   * 
-   * @param options
-   *   - `authServerBaseUrl` the base url the authorization server.
-   *      For example, the authorize endpoint would be
-   *      `authServerBaseUrl + "authorize"`.
-   *       Required: no default
-   *   - `resServerBaseUrl` the base url the resource server.
-   *      For example, Relative URLs to the resource server are relative
-   *      to this.  If you always give absolute URLs, this is optional.
-   *      If you don't give it and you do make relative URLs, it will be
-   *      relative to the page you are on.  Default: empty string.
-   *   - `redirect_uri` a URL on the site serving this app which the
-   *      authorization server will redirect to with an authorization
-   *      code.  See description in class documentation.
-   *      This is not required if you are not using OAuth flows
-   *      which require a redirect URI (eg the password flow).
-   *   - `accessTokenResponseType` where to store access tokens.  See
-   *     class documentation.  Default `return`.
-   *   - `refreshTokenResponseType` where to store refresh tokens.  See
-   *     class documentation.  Default `return`.
-   *   - `idTokenResponseType` where to store id tokens.  See
-   *     class documentation.  Default `return`.
-   *   - `accessTokenName` name for access token in local or session
-   *     storage, depending on `accessTokenResponseType`
-   *   - `refreshTokenName` name for refresh token in local or session
-   *     storage, depending on `refreshTokenResponseType`
-   *   - `idTokenName` name for id token in local or session
-   *     storage, depending on `idTokenResponseType`
-   *   - `mresServerMode` overrides the default `mode` in fetch calls
-   *   - `resServerCredentials` - overrides the default `credentials` for fetch calls
-   *   - `resServerHeaders` - adds headers to fetfh calls
-   *   - `autoRefresh` - if set and tokens are present in local or session storage, 
-   *      automatically turn on auto refresh
-   *   - `deviceAuthorization` URL, relative to the authorization server base, 
-   *      for starting the device code flow.  Default `device_authorization`
-   *      Default is `/devicecodepoll`
-   *  For other options see {@link @crossauth/common/OAuthClientBase}.
-   */
-  constructor(options) {
-    if (!options.tokenConsumer) {
-      options.tokenConsumer = new OAuthTokenConsumer(
-        options.client_id,
-        {
-          authServerBaseUrl: options.authServerBaseUrl
-        }
-      );
-    }
-    super(options);
-    __publicField(this, "resServerBaseUrl", "");
-    __publicField(this, "resServerHeaders", {});
-    __publicField(this, "resServerMode", "cors");
-    __publicField(this, "resServerCredentials", "same-origin");
-    __publicField(this, "accessTokenResponseType", "memory");
-    __publicField(this, "refreshTokenResponseType", "memory");
-    __publicField(this, "idTokenResponseType", "memory");
-    __publicField(this, "accessTokenName", "CROSSAUTH_AT");
-    __publicField(this, "refreshTokenName", "CROSSAUTH_RT");
-    __publicField(this, "idTokenName", "CROSSAUTH_IT");
-    __privateAdd(this, _accessToken);
-    __privateAdd(this, _refreshToken);
-    __privateAdd(this, _idTokenPayload);
-    __privateAdd(this, _accessTokenPayload);
-    __privateAdd(this, _refreshTokenPayload);
-    __privateAdd(this, _client_id);
-    __privateAdd(this, _client_secret);
-    __publicField(this, "autoRefresher");
-    __publicField(this, "deviceCodePoller");
-    __publicField(this, "deviceAuthorizationUrl", "device_authorization");
-    if (this.resServerBaseUrl != void 0) {
-      this.resServerBaseUrl = options.resServerBaseUrl ?? "";
-      if (this.resServerBaseUrl.length > 0 && !this.resServerBaseUrl.endsWith("/")) {
-        this.resServerBaseUrl += "/";
-      }
-    }
-    if (options.accessTokenResponseType) this.accessTokenResponseType = options.accessTokenResponseType;
-    if (options.idTokenResponseType) this.idTokenResponseType = options.idTokenResponseType;
-    if (options.refreshTokenResponseType) this.refreshTokenResponseType = options.refreshTokenResponseType;
-    if (options.accessTokenName) this.accessTokenName = options.accessTokenName;
-    if (options.idTokenName) this.idTokenName = options.idTokenName;
-    if (options.refreshTokenName) this.refreshTokenName = options.refreshTokenName;
-    if (options.resServerHeaders) this.resServerHeaders = options.resServerHeaders;
-    if (options.resServerMode) this.resServerMode = options.resServerMode;
-    if (options.resServerCredentials) this.resServerCredentials = options.resServerCredentials;
-    if (options.client_id) __privateSet(this, _client_id, options.client_id);
-    if (options.client_secret) __privateSet(this, _client_secret, options.client_secret);
-    if (options.deviceAuthorizationUrl) this.deviceAuthorizationUrl = options.deviceAuthorizationUrl;
-    this.autoRefresher = new OAuthAutoRefresher({
-      ...options,
-      autoRefreshUrl: this.authServerBaseUrl + "/token",
-      tokenProvider: this
-    });
-    this.deviceCodePoller = new OAuthDeviceCodePoller({ ...options, oauthClient: this, deviceCodePollUrl: null });
-    let idToken;
-    let accessToken;
-    let refreshToken;
-    if (this.idTokenResponseType == "sessionStorage") {
-      idToken = sessionStorage.getItem(this.idTokenName);
-    } else if (this.idTokenResponseType == "localStorage") {
-      idToken = localStorage.getItem(this.idTokenName);
-    }
-    if (this.accessTokenResponseType == "sessionStorage") {
-      accessToken = sessionStorage.getItem(this.accessTokenName);
-    } else if (this.accessTokenResponseType == "localStorage") {
-      accessToken = localStorage.getItem(this.accessTokenName);
-    }
-    if (this.refreshTokenResponseType == "sessionStorage") {
-      refreshToken = sessionStorage.getItem(this.refreshTokenName);
-    } else if (this.refreshTokenResponseType == "localStorage") {
-      refreshToken = localStorage.getItem(this.refreshTokenName);
-    }
-    this.receiveTokens({
-      access_token: accessToken,
-      id_token: idToken,
-      refresh_token: refreshToken
-    });
-    if (accessToken) {
-      const payload = this.getTokenPayload(accessToken);
-      if (payload) {
-        __privateSet(this, _accessToken, accessToken);
-        __privateSet(this, _accessTokenPayload, payload);
-      }
-    }
-    if (refreshToken) {
-      const payload = this.getTokenPayload(refreshToken);
-      if (payload) {
-        __privateSet(this, _refreshToken, refreshToken);
-        __privateSet(this, _refreshTokenPayload, payload);
-      }
-    }
-    if (idToken) {
-      this.validateIdToken(idToken).then((payload) => {
-        __privateSet(this, _idTokenPayload, payload);
-        if (options.autoRefresh) {
-          this.startAutoRefresh(options.autoRefresh).then().catch((err) => {
-            d.logger.debug(h({ err, msg: "Couldn't start auto refresh" }));
-          });
-        }
-      }).catch((err) => {
-        d.logger.debug(h({ err, msg: "Couldn't validate ID token" }));
-      });
-    } else if (__privateGet(this, _accessToken) && options.autoRefresh && refreshToken) {
-      this.startAutoRefresh(options.autoRefresh).then().catch((err) => {
-        d.logger.debug(h({ err, msg: "Couldn't start auto refresh" }));
-      });
-    } else if (refreshToken && !accessToken) {
-      this.refreshTokenFlow(refreshToken).then((_resp) => {
-        d.logger.debug(h({ msg: "Refreshed tokens" }));
-        if (options.autoRefresh) {
-          this.startAutoRefresh(options.autoRefresh).then().catch((err) => {
-            d.logger.debug(h({ err, msg: "Couldn't start auto refresh" }));
-          });
-        }
-      }).catch((err) => {
-        const ce2 = g.asCrossauthError(err);
-        d.logger.debug(h({ err: ce2 }));
-        d.logger.error(h({ msg: "failed refreshing tokens", cerr: ce2 }));
-      });
-    }
-  }
-  get idTokenPayload() {
-    return __privateGet(this, _idTokenPayload);
-  }
-  /**
-   * Processes the query parameters for a Redirect URI request if they
-   * exist in the URL.
-   * 
-   * Call this on page load to see if it was called as redirect URI.
-   * 
-   * If this URL doesn't match the redirect URI passed in the constructor,
-   * or this URL was not called with OAuth Redirect URI query parameters,
-   * undefined is returned.
-   * 
-   * If this URL contains the error query parameter, `errorFn` is called.
-   * It is also called if the state does not match.
-   * 
-   * If an authorization code was in the query parameters, the token
-   * endpoint is called.  Depending on whether that returned an error,
-   * either `receiveTokenFn` or `errorFn` will be called.
-   * 
-   * @param receiveTokenFn if defined, called if a token is returned.
-   *        
-   * @param errorFn if defined, called if any OAuth endpoint returned `error`, 
-   *        or if the `state` was not correct.
-   * 
-   * @returns the result of `receiveTokenFn`, `errorFn` or `undefined`.  If
-   *          `receiveTokenFn`/`errorFn` is not defined, rather than calling
-   *          it, this function just returns the OAuth response.
-   *       
-   */
-  async handleRedirectUri() {
-    const url = new URL(window.location.href);
-    if (url.origin + url.pathname != this.redirect_uri) return void 0;
-    const params = new URLSearchParams(window.location.search);
-    let code = void 0;
-    let state = void 0;
-    let error = void 0;
-    let error_description = void 0;
-    for (const [key, value] of params) {
-      if (key == "code") code = value;
-      if (key == "state") state = value;
-      if (key == "error") error = value;
-      if (key == "error_description") error_description = value;
-    }
-    if (!error && !code) return void 0;
-    if (error) {
-      const cerr = g.fromOAuthError(error, error_description);
-      d.logger.debug(h({ err: cerr }));
-      d.logger.error(h({ cerr, msg: "Error from authorize endpoint: " + error }));
-      throw cerr;
-    }
-    const resp = await this.redirectEndpoint(code, state, error, error_description);
-    if (resp.error) {
-      const cerr = g.fromOAuthError(resp.error, error_description);
-      d.logger.debug(h({ err: cerr }));
-      d.logger.error(h({ cerr, msg: "Error from redirect endpoint: " + resp.error }));
-      throw cerr;
-    }
-    await this.receiveTokens(resp);
-    return resp;
-  }
-  /**
-   * Turns auto refresh of tokens on
-   * @param tokensToFetch which tokens to fetch
-   * @param errorFn what to call in case of error
-   */
-  async startAutoRefresh(tokensToFetch = ["access", "id"], errorFn) {
-    return this.autoRefresher.startAutoRefresh(tokensToFetch, errorFn);
-  }
-  /**
-   * Turns auto refresh of tokens off
-   */
-  stopAutoRefresh() {
-    return this.autoRefresher.stopAutoRefresh();
-  }
-  /**
-   * Turns polling for a device code
-   * @param tokensToFetch which tokens to fetch
-   * @param errorFn what to call in case of error
-   */
-  async startDeviceCodePolling(deviceCode, pollResultFn, interval = 5) {
-    return this.deviceCodePoller.startPolling(deviceCode, pollResultFn, interval);
-  }
-  /**
-   * Turns off polling for a device code
-   */
-  stopDeviceCodePolling() {
-    return this.deviceCodePoller.stopPolling();
-  }
-  /**
-   * Return the ID token payload
-   * 
-   * This does the same thign as {@link idTokenPayload}.  We have it here
-   * as well for consistency with {@link OAuthBffClient}.
-   * 
-   * @returns the payload as an object
-   */
-  getIdToken() {
-    return __privateGet(this, _idTokenPayload);
-  }
-  ///////
-  // Implementation of abstract methods
-  /**
-   * Produce a random Base64-url-encoded string, whose length before 
-   * base64-url-encoding is the given length,
-   * @param length the length of the random array before base64-url-encoding.
-   * @returns the random value as a Base64-url-encoded srting
-   */
-  randomValue(length) {
-    const array = new Uint8Array(length);
-    self.crypto.getRandomValues(array);
-    return btoa(array.reduce((acc, current) => acc + String.fromCharCode(current), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
-  }
-  /**
-   * SHA256 and Base64-url-encodes the given test
-   * @param plaintext the text to encode
-   * @returns the SHA256 hash, Base64-url-encode
-   */
-  async sha256(plaintext) {
-    const encoder = new TextEncoder();
-    const data = encoder.encode(plaintext);
-    const hash = await crypto.subtle.digest("SHA-256", data);
-    const hashArray = Array.from(new Uint8Array(hash));
-    return btoa(hashArray.reduce((acc, current) => acc + String.fromCharCode(current), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
-  }
-  /**
-   * Calls an API endpoint on the resource server
-   * @param method the HTTP method 
-   * @param endpoint the endpoint to call, relative to `resServerBaseUrl` 
-   * @param body : the body to pass to the call
-   * @returns the HTTP status code and the body or null
-   */
-  async api(method, endpoint, body) {
-    let headers = { ...this.resServerHeaders };
-    if (endpoint.startsWith("/")) endpoint = endpoint.substring(1);
-    let params = {};
-    if (body) params.body = JSON.stringify(body);
-    let accessToken;
-    if (this.accessTokenResponseType == "sessionStorage") {
-      accessToken = sessionStorage.getItem(this.accessTokenName);
-    } else if (this.accessTokenResponseType == "localStorage") {
-      accessToken = localStorage.getItem(this.accessTokenName);
-    }
-    headers.authorization = "Bearer " + accessToken;
-    const resp = await fetch(
-      this.resServerBaseUrl + endpoint,
-      {
-        headers,
-        method,
-        mode: this.resServerMode,
-        credentials: this.resServerCredentials,
-        ...params
-      }
-    );
-    let responseBody = null;
-    if (resp.body) responseBody = await resp.json();
-    return { status: resp.status, body: responseBody };
-  }
-  ///////////////////////////////////////////////////////////
-  // OAuthTokenProvider interface
-  /**
-   * Fetches the expiry times for each token.
-   * @param crfToken the CSRF token.  If emtpy
-   * , one will be fetched before
-   *        making the request
-   * @returns for each token, either the expiry, `null` if it does not
-   *          expire, or `undefined` if the token does not exist
-   */
-  async getTokenExpiries(_tokensToFetch, _csrfToken) {
-    let idTokenExpiry = void 0;
-    let accessTokenExpiry = void 0;
-    let refreshTokenExpiry = void 0;
-    if (__privateGet(this, _idTokenPayload)) {
-      idTokenExpiry = __privateGet(this, _idTokenPayload).exp ? __privateGet(this, _idTokenPayload).exp : null;
-    }
-    if (__privateGet(this, _accessTokenPayload)) {
-      accessTokenExpiry = __privateGet(this, _accessTokenPayload).exp ? __privateGet(this, _accessTokenPayload).exp : null;
-    }
-    if (__privateGet(this, _refreshTokenPayload)) {
-      refreshTokenExpiry = __privateGet(this, _refreshTokenPayload).exp ? __privateGet(this, _refreshTokenPayload).exp : null;
-    }
-    return {
-      id: idTokenExpiry,
-      access: accessTokenExpiry,
-      refresh: refreshTokenExpiry
-    };
-  }
-  /**
-   * Makes a fetch, adding in the requested token.  
-   * 
-   * Also adds client ID and secret if they are defined.
-   * 
-   * @param url the URL to fetch
-   * @param params parameters to add to the fetch
-   * @param token which token to add
-   * @returns parsed JSON response
-   */
-  async jsonFetchWithToken(url, params, token) {
-    if (token == "access") {
-      if (!__privateGet(this, _accessToken)) {
-        throw new g(y.InvalidToken, "Cannot make fetch with access token - no access token defined");
-      }
-      if (!params.headers) params.headers = {};
-      params.headers.authorization = "Bearer " + __privateGet(this, _accessToken);
-    } else {
-      if (!params.body) params.body = {};
-      if (!__privateGet(this, _refreshToken)) {
-        throw new g(y.InvalidToken, "Cannot make fetch with refresh token - no refresh token defined");
-      }
-      params.body.refresh_token = __privateGet(this, _refreshToken);
-      params.body.grant_type = "refresh_token";
-    }
-    if (__privateGet(this, _client_id)) {
-      if (!params.body) params.body = {};
-      params.body.client_id = __privateGet(this, _client_id);
-      if (__privateGet(this, _client_secret)) {
-        params.body.client_secret = __privateGet(this, _client_secret);
-      }
-    }
-    if (typeof params.body != "string") params.body = JSON.stringify(params.body);
-    return await fetch(url, params);
-  }
-  /**
-   * Does nothing as CSRF tokens are not needed for this class
-   * @returns `undefined`
-   */
-  async getCsrfToken() {
-    return void 0;
-  }
-  async receiveTokens(tokens) {
-    if (tokens.access_token) {
-      const payload = this.getTokenPayload(tokens.access_token);
-      if (payload) {
-        __privateSet(this, _accessToken, tokens.access_token);
-        __privateSet(this, _accessTokenPayload, payload);
-      }
-      if (this.accessTokenResponseType == "localStorage") {
-        localStorage.setItem(this.accessTokenName, tokens.access_token);
-      } else if (this.accessTokenResponseType == "sessionStorage") {
-        sessionStorage.setItem(this.accessTokenName, tokens.access_token);
-      }
-    }
-    if (tokens.refresh_token) {
-      const payload = this.getTokenPayload(tokens.refresh_token);
-      if (payload) {
-        __privateSet(this, _refreshToken, tokens.refresh_token);
-        __privateSet(this, _refreshTokenPayload, payload);
-      }
-      if (this.refreshTokenResponseType == "localStorage") {
-        localStorage.setItem(this.refreshTokenName, tokens.refresh_token);
-      } else if (this.accessTokenResponseType == "sessionStorage") {
-        sessionStorage.setItem(this.refreshTokenName, tokens.refresh_token);
-      }
-    }
-    if (tokens.id_token) {
-      const payload = await this.validateIdToken(tokens.id_token);
-      __privateSet(this, _idTokenPayload, payload);
-      if (this.idTokenResponseType == "localStorage") {
-        localStorage.setItem(this.idTokenName, tokens.id_token);
-      } else if (this.idTokenResponseType == "sessionStorage") {
-        sessionStorage.setItem(this.idTokenName, tokens.id_token);
-      }
-    }
-  }
-  /////////
-  // Wrap flow functions
-  /**
-   * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
-   * then saves the tokens, as per the requested method
-   * @param scope 
-   */
-  async clientCredentialsFlow(scope) {
-    const resp = await super.clientCredentialsFlow(scope);
-    await this.receiveTokens(resp);
-    return resp;
-  }
-  /**
-   * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
-   * then saves the tokens, as per the requested method
-   * @param scope 
-   */
-  async passwordFlow(username, password, scope) {
-    const resp = await super.passwordFlow(username, password, scope);
-    await this.receiveTokens(resp);
-    return resp;
-  }
-  /**
-   * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
-   * then saves the tokens, as per the requested method
-   * @param scope 
-   */
-  async deviceCodeFlow(scope) {
-    let url = this.authServerBaseUrl;
-    if (!url.endsWith("/")) url += "/";
-    url += this.deviceAuthorizationUrl;
-    const resp = await super.startDeviceCodeFlow(url, scope);
-    return resp;
-  }
-  /**
-   * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
-   * then saves the tokens, as per the requested method
-   * @param scope 
-   */
-  async mfaOtpComplete(mfaToken, otp) {
-    const resp = await super.mfaOtpComplete(mfaToken, otp);
-    await this.receiveTokens(resp);
-    return resp;
-  }
-  /**
-   * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
-   * then saves the tokens, as per the requested method
-   * @param scope 
-   */
-  async mfaOobComplete(mfaToken, oobCode, bindingCode) {
-    const resp = await super.mfaOobComplete(mfaToken, oobCode, bindingCode);
-    await this.receiveTokens(resp);
-    return resp;
-  }
-  /**
-   * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
-   * then saves the tokens, as per the requested method
-   * @param scope 
-   */
-  async refreshTokenFlow(refreshToken) {
-    if (!refreshToken) {
-      if (__privateGet(this, _refreshToken)) {
-        refreshToken = __privateGet(this, _refreshToken);
-      } else {
-        throw new g(y.InvalidToken, "Cannot refresh tokens: no refresh token present");
-      }
-    }
-    const resp = await super.refreshTokenFlow(refreshToken);
-    await this.receiveTokens(resp);
-    return resp;
-  }
-  /**
-   * Executes the authorization code flow
-   * @param scope the scope to request
-   * @param pkce whether or not to use PKCE.
-   */
-  async authorizationCodeFlow(scope, pkce = false) {
-    const resp = await super.startAuthorizationCodeFlow(scope, pkce);
-    if (resp.error || !resp.url) {
-      const cerr = g.fromOAuthError(
-        resp.error ?? "Couldn't create URL for authorization code flow",
-        resp.error_description
-      );
-      d.logger.debug(h({ err: cerr }));
-      throw cerr;
-    }
-    location.href = resp.url;
-  }
-}
-_accessToken = new WeakMap();
-_refreshToken = new WeakMap();
-_idTokenPayload = new WeakMap();
-_accessTokenPayload = new WeakMap();
-_refreshTokenPayload = new WeakMap();
-_client_id = new WeakMap();
-_client_secret = new WeakMap();
-exports.CrossauthError = g;
-exports.CrossauthLogger = d;
-exports.OAuthBffClient = OAuthBffClient;
-exports.OAuthClient = OAuthClient;
-exports.j = h;
+"use strict";var Ie=Object.defineProperty;var ce=r=>{throw TypeError(r)};var Oe=(r,e,t)=>e in r?Ie(r,e,{enumerable:!0,configurable:!0,writable:!0,value:t}):r[e]=t;var f=(r,e,t)=>Oe(r,typeof e!="symbol"?e+"":e,t),de=(r,e,t)=>e.has(r)||ce("Cannot "+t);var w=(r,e,t)=>(de(r,e,"read from private field"),t?t.call(r):e.get(r)),N=(r,e,t)=>e.has(r)?ce("Cannot add the same private member more than once"):e instanceof WeakSet?e.add(r):e.set(r,t),b=(r,e,t,o)=>(de(r,e,"write to private field"),o?o.call(r,t):e.set(r,t),t);Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});var Ue=Object.defineProperty,ge=r=>{throw TypeError(r)},Ne=(r,e,t)=>e in r?Ue(r,e,{enumerable:!0,configurable:!0,writable:!0,value:t}):r[e]=t,l=(r,e,t)=>Ne(r,typeof e!="symbol"?e+"":e,t),pe=(r,e,t)=>e.has(r)||ge("Cannot "+t),p=(r,e,t)=>(pe(r,e,"read from private field"),t?t.call(r):e.get(r)),$=(r,e,t)=>e.has(r)?ge("Cannot add the same private member more than once"):e instanceof WeakSet?e.add(r):e.set(r,t),E=(r,e,t,o)=>(pe(r,e,"write to private field"),e.set(r,t),t);class H{}l(H,"active","active"),l(H,"disabled","disabled"),l(H,"awaitingTwoFactorSetup","awaitingtwofactorsetup"),l(H,"awaitingEmailVerification","awaitingemailverification"),l(H,"passwordChangeNeeded","passwordchangeneeded"),l(H,"passwordResetNeeded","passwordresetneeded"),l(H,"factor2ResetNeeded","factor2resetneeded"),l(H,"passwordAndFactor2ResetNeeded","passwordandfactor2resetneeded");class P{}l(P,"session","s:"),l(P,"passwordResetToken","p:"),l(P,"emailVerificationToken","e:"),l(P,"apiKey","api:"),l(P,"authorizationCode","authz:"),l(P,"accessToken","access:"),l(P,"refreshToken","refresh:"),l(P,"mfaToken","omfa:"),l(P,"deviceCode","dc:"),l(P,"userCode","uc:");var m=(r=>(r[r.UserNotExist=0]="UserNotExist",r[r.PasswordInvalid=1]="PasswordInvalid",r[r.EmailNotExist=2]="EmailNotExist",r[r.UsernameOrPasswordInvalid=3]="UsernameOrPasswordInvalid",r[r.InvalidClientId=4]="InvalidClientId",r[r.ClientExists=5]="ClientExists",r[r.InvalidClientSecret=6]="InvalidClientSecret",r[r.InvalidClientIdOrSecret=7]="InvalidClientIdOrSecret",r[r.InvalidRedirectUri=8]="InvalidRedirectUri",r[r.InvalidOAuthFlow=9]="InvalidOAuthFlow",r[r.UserNotActive=10]="UserNotActive",r[r.EmailNotVerified=11]="EmailNotVerified",r[r.TwoFactorIncomplete=12]="TwoFactorIncomplete",r[r.Unauthorized=13]="Unauthorized",r[r.UnauthorizedClient=14]="UnauthorizedClient",r[r.InvalidScope=15]="InvalidScope",r[r.InsufficientScope=16]="InsufficientScope",r[r.InsufficientPriviledges=17]="InsufficientPriviledges",r[r.Forbidden=18]="Forbidden",r[r.InvalidKey=19]="InvalidKey",r[r.InvalidCsrf=20]="InvalidCsrf",r[r.InvalidSession=21]="InvalidSession",r[r.Expired=22]="Expired",r[r.Connection=23]="Connection",r[r.InvalidHash=24]="InvalidHash",r[r.UnsupportedAlgorithm=25]="UnsupportedAlgorithm",r[r.KeyExists=26]="KeyExists",r[r.PasswordChangeNeeded=27]="PasswordChangeNeeded",r[r.PasswordResetNeeded=28]="PasswordResetNeeded",r[r.Factor2ResetNeeded=29]="Factor2ResetNeeded",r[r.Configuration=30]="Configuration",r[r.InvalidEmail=31]="InvalidEmail",r[r.InvalidPhoneNumber=32]="InvalidPhoneNumber",r[r.InvalidUsername=33]="InvalidUsername",r[r.PasswordMatch=34]="PasswordMatch",r[r.InvalidToken=35]="InvalidToken",r[r.MfaRequired=36]="MfaRequired",r[r.PasswordFormat=37]="PasswordFormat",r[r.DataFormat=38]="DataFormat",r[r.FetchError=39]="FetchError",r[r.UserExists=40]="UserExists",r[r.FormEntry=41]="FormEntry",r[r.BadRequest=42]="BadRequest",r[r.AuthorizationPending=43]="AuthorizationPending",r[r.SlowDown=44]="SlowDown",r[r.ExpiredToken=45]="ExpiredToken",r[r.ConstraintViolation=46]="ConstraintViolation",r[r.NotImplemented=47]="NotImplemented",r[r.UnknownError=48]="UnknownError",r))(m||{});class g extends Error{constructor(e,t=void 0){let o,s=500;e==0?(o="User does not exist",s=401):e==1?(o="Password doesn't match",s=401):e==3?(o="Username or password incorrect",s=401):e==4?(o="Client id is invalid",s=401):e==5?(o="Client ID or name already exists",s=500):e==6?(o="Client secret is invalid",s=401):e==7?(o="Client id or secret is invalid",s=401):e==8?(o="Redirect Uri is not registered",s=401):e==9?(o="Invalid OAuth flow type",s=500):e==2?(o="No user exists with that email address",s=401):e==10?(o="Account is not active",s=403):e==33?(o="Username is not in an allowed format",s=400):e==31?(o="Email is not in an allowed format",s=400):e==32?(o="Phone number is not in an allowed format",s=400):e==11?(o="Email address has not been verified",s=403):e==12?(o="Two-factor setup is not complete",s=403):e==13?(o="Not authorized",s=401):e==14?(o="Client not authorized",s=401):e==15?(o="Invalid scope",s=403):e==16?(o="Insufficient scope",s=403):e==23?o="Connection failure":e==22?(o="Token has expired",s=401):e==24?o="Hash is not in a valid format":e==19?(o="Key is invalid",s=401):e==18?(o="You do not have permission to access this resource",s=403):e==17?(o="You do not have the right privileges to access this resource",s=401):e==20?(o="CSRF token is invalid",s=401):e==21?(o="Session cookie is invalid",s=401):e==25?o="Algorithm not supported":e==26?o="Attempt to create a key that already exists":e==27?(o="User must change password",s=403):e==28?(o="User must reset password",s=403):e==29?(o="User must reset 2FA",s=403):e==30?o="There was an error in the configuration":e==34?(o="Passwords do not match",s=401):e==35?(o="Token is not valid",s=401):e==36?(o="MFA is required",s=401):e==37?(o="Password format was incorrect",s=401):e==40?(o="User already exists",s=400):e==42?(o="The request is invalid",s=400):e==38?(o="Session data has unexpected format",s=500):e==39?(o="Couldn't execute a fetch",s=500):e==43?(o="Waiting for authorization",s=200):e==44?(o="Slow polling down by 5 seconds",s=200):e==45?(o="Token has expired",s=401):e==46?(o="Database update/insert caused a constraint violation",s=500):e==47?(o="This method has not been implemented",s=500):(o="Unknown error",s=500),t!=null&&!Array.isArray(t)?o=t:Array.isArray(t)&&(o=t.join(". ")),super(o),l(this,"isCrossauthError",!0),l(this,"httpStatus"),l(this,"code"),l(this,"codeName"),l(this,"messages"),this.code=e,this.codeName=m[e],this.httpStatus=s,this.name="CrossauthError",Array.isArray(t)?this.messages=t:this.messages=[o],Object.setPrototypeOf(this,g.prototype)}static fromOAuthError(e,t){let o;switch(e){case"invalid_request":o=42;break;case"unauthorized_client":o=14;break;case"access_denied":o=13;break;case"unsupported_response_type":o=42;break;case"invalid_scope":o=15;break;case"server_error":o=48;break;case"temporarily_unavailable":o=23;break;case"invalid_token":o=35;break;case"expired_token":o=45;break;case"insufficient_scope":o=35;break;case"mfa_required":o=36;break;case"authorization_pending":o=43;break;case"slow_down":o=44;break;default:o=48}return new g(o,t)}get oauthErrorCode(){switch(this.code){case 42:return"invalid_request";case 14:return"unauthorized_client";case 13:return"access_denied";case 15:return"invalid_scope";case 23:return"temporarily_unavailable";case 35:return"invalid_token";case 36:return"mfa_required";case 43:return"authorization_pending";case 44:return"slow_down";case 45:return"expired_token";case 22:return"expired_token";default:return"server_error"}}static asCrossauthError(e,t){if(e instanceof Error)return"isCrossauthError"in e?e:new g(48,e.message);if("errorCode"in e){let s=48;try{s=Number(e.errorCode)??48}catch{}let n=t??m[s];return"errorMessage"in e?n=e.errorMessage:"message"in e&&(n=e.message),new g(s,n)}let o=t??m[48];return"message"in e&&(o=e.message),new g(48,o)}}const W=class A{constructor(e){if(l(this,"level"),e)this.level=e;else if(typeof process<"u"&&"CROSSAUTH_LOG_LEVEL"in process.env){const t=(process.env.CROSSAUTH_LOG_LEVEL??"ERROR").toUpperCase();A.levelName.includes(t)?this.level=A.levelName.indexOf(t):this.level=A.Error}else this.level=A.Error}static get logger(){return globalThis.crossauthLogger}setLevel(e){this.level=e}log(e,t){e<=this.level&&(typeof t=="string"?console.log("Crossauth "+A.levelName[e]+" "+new Date().toISOString(),t):console.log(JSON.stringify({level:A.levelName[e],time:new Date().toISOString(),...t})))}error(e){this.log(A.Error,e)}warn(e){this.log(A.Warn,e)}info(e){this.log(A.Info,e)}debug(e){this.log(A.Debug,e)}static setLogger(e,t){globalThis.crossauthLogger=e,globalThis.crossauthLoggerAcceptsJson=t}};l(W,"None",0),l(W,"Error",1),l(W,"Warn",2),l(W,"Info",3),l(W,"Debug",4),l(W,"levelName",["NONE","ERROR","WARN","INFO","DEBUG"]);let c=W;function d(r){let e;typeof r=="object"&&"err"in r&&typeof r.err=="object"&&(e=r.err.stack);try{typeof r=="object"&&"err"in r&&typeof r.err=="object"&&r.err&&"message"in r.err&&!("msg"in r)&&(r.msg=r.err.message)}catch{}try{typeof r=="object"&&"err"in r&&typeof r.err=="object"&&(r.err={...r.err,stack:e})}catch{}try{typeof r=="object"&&"err"in r&&!("msg"in r)&&(r.msg=r.msg="An unknown error occurred")}catch{}try{typeof r=="object"&&"cerr"in r&&"isCrossauthError"in r.cerr&&r.cerr&&(r.errorCode=r.cerr.code,r.errorCodeName=r.cerr.codeName,r.httpStatus=r.cerr.httpStatus,"msg"in r||(r.msg=r.cerr.message),delete r.cerr)}catch{}return typeof r=="string"||globalThis.crossauthLoggerAcceptsJson?r:JSON.stringify(r)}globalThis.crossauthLogger=new c(c.None);globalThis.crossauthLoggerAcceptsJson=!0;const ye={issuer:"",authorization_endpoint:"",token_endpoint:"",jwks_uri:"",response_types_supported:[],subject_types_supported:[],response_modes_supported:["query","fragment"],grant_types_supported:["authorization_code","implicit"],id_token_signing_alg_values_supported:[],claim_types_supported:["normal"],claims_parameter_supported:!1,request_parameter_supported:!1,request_uri_parameter_supported:!0,require_request_uri_registration:!1},te=crypto,we=r=>r instanceof CryptoKey,X=new TextEncoder,G=new TextDecoder;function He(...r){const e=r.reduce((s,{length:n})=>s+n,0),t=new Uint8Array(e);let o=0;for(const s of r)t.set(s,o),o+=s.length;return t}const je=r=>{const e=atob(r),t=new Uint8Array(e.length);for(let o=0;o<e.length;o++)t[o]=e.charCodeAt(o);return t},M=r=>{let e=r;e instanceof Uint8Array&&(e=G.decode(e)),e=e.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return je(e)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}};class oe extends Error{static get code(){return"ERR_JOSE_GENERIC"}constructor(e){var t;super(e),this.code="ERR_JOSE_GENERIC",this.name=this.constructor.name,(t=Error.captureStackTrace)==null||t.call(Error,this,this.constructor)}}class I extends oe{constructor(){super(...arguments),this.code="ERR_JOSE_NOT_SUPPORTED"}static get code(){return"ERR_JOSE_NOT_SUPPORTED"}}class S extends oe{constructor(){super(...arguments),this.code="ERR_JWS_INVALID"}static get code(){return"ERR_JWS_INVALID"}}class D extends oe{constructor(){super(...arguments),this.code="ERR_JWT_INVALID"}static get code(){return"ERR_JWT_INVALID"}}class xe extends oe{constructor(){super(...arguments),this.code="ERR_JWS_SIGNATURE_VERIFICATION_FAILED",this.message="signature verification failed"}static get code(){return"ERR_JWS_SIGNATURE_VERIFICATION_FAILED"}}function O(r,e="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${e} must be ${r}`)}function Q(r,e){return r.name===e}function se(r){return parseInt(r.name.slice(4),10)}function Ke(r){switch(r){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function ze(r,e){if(e.length&&!e.some(t=>r.usages.includes(t))){let t="CryptoKey does not support this operation, its usages must include ";if(e.length>2){const o=e.pop();t+=`one of ${e.join(", ")}, or ${o}.`}else e.length===2?t+=`one of ${e[0]} or ${e[1]}.`:t+=`${e[0]}.`;throw new TypeError(t)}}function De(r,e,...t){switch(e){case"HS256":case"HS384":case"HS512":{if(!Q(r.algorithm,"HMAC"))throw O("HMAC");const o=parseInt(e.slice(2),10);if(se(r.algorithm.hash)!==o)throw O(`SHA-${o}`,"algorithm.hash");break}case"RS256":case"RS384":case"RS512":{if(!Q(r.algorithm,"RSASSA-PKCS1-v1_5"))throw O("RSASSA-PKCS1-v1_5");const o=parseInt(e.slice(2),10);if(se(r.algorithm.hash)!==o)throw O(`SHA-${o}`,"algorithm.hash");break}case"PS256":case"PS384":case"PS512":{if(!Q(r.algorithm,"RSA-PSS"))throw O("RSA-PSS");const o=parseInt(e.slice(2),10);if(se(r.algorithm.hash)!==o)throw O(`SHA-${o}`,"algorithm.hash");break}case"EdDSA":{if(r.algorithm.name!=="Ed25519"&&r.algorithm.name!=="Ed448")throw O("Ed25519 or Ed448");break}case"ES256":case"ES384":case"ES512":{if(!Q(r.algorithm,"ECDSA"))throw O("ECDSA");const o=Ke(e);if(r.algorithm.namedCurve!==o)throw O(o,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}ze(r,t)}function me(r,e,...t){var o;if(t.length>2){const s=t.pop();r+=`one of type ${t.join(", ")}, or ${s}.`}else t.length===2?r+=`one of type ${t[0]} or ${t[1]}.`:r+=`of type ${t[0]}.`;return e==null?r+=` Received ${e}`:typeof e=="function"&&e.name?r+=` Received function ${e.name}`:typeof e=="object"&&e!=null&&(o=e.constructor)!=null&&o.name&&(r+=` Received an instance of ${e.constructor.name}`),r}const he=(r,...e)=>me("Key must be ",r,...e);function ve(r,e,...t){return me(`Key for the ${r} algorithm must be `,e,...t)}const Ce=r=>we(r)?!0:(r==null?void 0:r[Symbol.toStringTag])==="KeyObject",re=["CryptoKey"],We=(...r)=>{const e=r.filter(Boolean);if(e.length===0||e.length===1)return!0;let t;for(const o of e){const s=Object.keys(o);if(!t||t.size===0){t=new Set(s);continue}for(const n of s){if(t.has(n))return!1;t.add(n)}}return!0};function Fe(r){return typeof r=="object"&&r!==null}function V(r){if(!Fe(r)||Object.prototype.toString.call(r)!=="[object Object]")return!1;if(Object.getPrototypeOf(r)===null)return!0;let e=r;for(;Object.getPrototypeOf(e)!==null;)e=Object.getPrototypeOf(e);return Object.getPrototypeOf(r)===e}const Je=(r,e)=>{if(r.startsWith("RS")||r.startsWith("PS")){const{modulusLength:t}=e.algorithm;if(typeof t!="number"||t<2048)throw new TypeError(`${r} requires key modulusLength to be 2048 bits or larger`)}};function Me(r){let e,t;switch(r.kty){case"RSA":{switch(r.alg){case"PS256":case"PS384":case"PS512":e={name:"RSA-PSS",hash:`SHA-${r.alg.slice(-3)}`},t=r.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":e={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${r.alg.slice(-3)}`},t=r.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":e={name:"RSA-OAEP",hash:`SHA-${parseInt(r.alg.slice(-3),10)||1}`},t=r.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new I('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case"EC":{switch(r.alg){case"ES256":e={name:"ECDSA",namedCurve:"P-256"},t=r.d?["sign"]:["verify"];break;case"ES384":e={name:"ECDSA",namedCurve:"P-384"},t=r.d?["sign"]:["verify"];break;case"ES512":e={name:"ECDSA",namedCurve:"P-521"},t=r.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:"ECDH",namedCurve:r.crv},t=r.d?["deriveBits"]:[];break;default:throw new I('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case"OKP":{switch(r.alg){case"EdDSA":e={name:r.crv},t=r.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":e={name:r.crv},t=r.d?["deriveBits"]:[];break;default:throw new I('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new I('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:e,keyUsages:t}}const ke=async r=>{if(!r.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');const{algorithm:e,keyUsages:t}=Me(r),o=[e,r.ext??!1,r.key_ops??t],s={...r};return delete s.alg,delete s.use,te.subtle.importKey("jwk",s,...o)},Se=r=>M(r);let ie,ne;const _e=r=>(r==null?void 0:r[Symbol.toStringTag])==="KeyObject",Te=async(r,e,t,o)=>{let s=r.get(e);if(s!=null&&s[o])return s[o];const n=await ke({...t,alg:o});return s?s[o]=n:r.set(e,{[o]:n}),n},Be=(r,e)=>{if(_e(r)){let t=r.export({format:"jwk"});return delete t.d,delete t.dp,delete t.dq,delete t.p,delete t.q,delete t.qi,t.k?Se(t.k):(ne||(ne=new WeakMap),Te(ne,r,t,e))}return r},Le=(r,e)=>{if(_e(r)){let t=r.export({format:"jwk"});return t.k?Se(t.k):(ie||(ie=new WeakMap),Te(ie,r,t,e))}return r},$e={normalizePublicKey:Be,normalizePrivateKey:Le},j=(r,e,t=0)=>{t===0&&(e.unshift(e.length),e.unshift(6));const o=r.indexOf(e[0],t);if(o===-1)return!1;const s=r.subarray(o,o+e.length);return s.length!==e.length?!1:s.every((n,i)=>n===e[i])||j(r,e,o+1)},le=r=>{switch(!0){case j(r,[42,134,72,206,61,3,1,7]):return"P-256";case j(r,[43,129,4,0,34]):return"P-384";case j(r,[43,129,4,0,35]):return"P-521";case j(r,[43,101,110]):return"X25519";case j(r,[43,101,111]):return"X448";case j(r,[43,101,112]):return"Ed25519";case j(r,[43,101,113]):return"Ed448";default:throw new I("Invalid or unsupported EC Key Curve or OKP Key Sub Type")}},be=async(r,e,t,o,s)=>{let n,i;const a=new Uint8Array(atob(t.replace(r,"")).split("").map(u=>u.charCodeAt(0))),h=e==="spki";switch(o){case"PS256":case"PS384":case"PS512":n={name:"RSA-PSS",hash:`SHA-${o.slice(-3)}`},i=h?["verify"]:["sign"];break;case"RS256":case"RS384":case"RS512":n={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${o.slice(-3)}`},i=h?["verify"]:["sign"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":n={name:"RSA-OAEP",hash:`SHA-${parseInt(o.slice(-3),10)||1}`},i=h?["encrypt","wrapKey"]:["decrypt","unwrapKey"];break;case"ES256":n={name:"ECDSA",namedCurve:"P-256"},i=h?["verify"]:["sign"];break;case"ES384":n={name:"ECDSA",namedCurve:"P-384"},i=h?["verify"]:["sign"];break;case"ES512":n={name:"ECDSA",namedCurve:"P-521"},i=h?["verify"]:["sign"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{const u=le(a);n=u.startsWith("P-")?{name:"ECDH",namedCurve:u}:{name:u},i=h?[]:["deriveBits"];break}case"EdDSA":n={name:le(a)},i=h?["verify"]:["sign"];break;default:throw new I('Invalid or unsupported "alg" (Algorithm) value')}return te.subtle.importKey(e,a,n,!1,i)},qe=(r,e,t)=>be(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g,"pkcs8",r,e),Ve=(r,e,t)=>be(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g,"spki",r,e);async function Ge(r,e,t){if(typeof r!="string"||r.indexOf("-----BEGIN PUBLIC KEY-----")!==0)throw new TypeError('"spki" must be SPKI formatted string');return Ve(r,e)}async function Ye(r,e,t){if(typeof r!="string"||r.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return qe(r,e)}async function ue(r,e){if(!V(r))throw new TypeError("JWK must be an object");switch(e||(e=r.alg),r.kty){case"oct":if(typeof r.k!="string"||!r.k)throw new TypeError('missing "k" (Key Value) Parameter value');return M(r.k);case"RSA":if(r.oth!==void 0)throw new I('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');case"EC":case"OKP":return ke({...r,alg:e});default:throw new I('Unsupported "kty" (Key Type) Parameter value')}}const ee=r=>r==null?void 0:r[Symbol.toStringTag],Xe=(r,e)=>{if(!(e instanceof Uint8Array)){if(!Ce(e))throw new TypeError(ve(r,e,...re,"Uint8Array"));if(e.type!=="secret")throw new TypeError(`${ee(e)} instances for symmetric algorithms must be of type "secret"`)}},Qe=(r,e,t)=>{if(!Ce(e))throw new TypeError(ve(r,e,...re));if(e.type==="secret")throw new TypeError(`${ee(e)} instances for asymmetric algorithms must not be of type "secret"`);if(e.algorithm&&t==="verify"&&e.type==="private")throw new TypeError(`${ee(e)} instances for asymmetric algorithm verifying must be of type "public"`);if(e.algorithm&&t==="encrypt"&&e.type==="private")throw new TypeError(`${ee(e)} instances for asymmetric algorithm encryption must be of type "public"`)},Ze=(r,e,t)=>{r.startsWith("HS")||r==="dir"||r.startsWith("PBES2")||/^A\d{3}(?:GCM)?KW$/.test(r)?Xe(r,e):Qe(r,e,t)};function er(r,e,t,o,s){if(s.crit!==void 0&&(o==null?void 0:o.crit)===void 0)throw new r('"crit" (Critical) Header Parameter MUST be integrity protected');if(!o||o.crit===void 0)return new Set;if(!Array.isArray(o.crit)||o.crit.length===0||o.crit.some(i=>typeof i!="string"||i.length===0))throw new r('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let n;n=e;for(const i of o.crit){if(!n.has(i))throw new I(`Extension Header Parameter "${i}" is not recognized`);if(s[i]===void 0)throw new r(`Extension Header Parameter "${i}" is missing`);if(n.get(i)&&o[i]===void 0)throw new r(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(o.crit)}function rr(r,e){const t=`SHA-${r.slice(-3)}`;switch(r){case"HS256":case"HS384":case"HS512":return{hash:t,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:t,name:"RSA-PSS",saltLength:r.slice(-3)>>3};case"RS256":case"RS384":case"RS512":return{hash:t,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:t,name:"ECDSA",namedCurve:e.namedCurve};case"EdDSA":return{name:e.name};default:throw new I(`alg ${r} is not supported either by JOSE or your javascript runtime`)}}async function tr(r,e,t){if(e=await $e.normalizePublicKey(e,r),we(e))return De(e,r,t),e;if(e instanceof Uint8Array){if(!r.startsWith("HS"))throw new TypeError(he(e,...re));return te.subtle.importKey("raw",e,{hash:`SHA-${r.slice(-3)}`,name:"HMAC"},!1,[t])}throw new TypeError(he(e,...re,"Uint8Array"))}const or=async(r,e,t,o)=>{const s=await tr(r,e,"verify");Je(r,s);const n=rr(r,s.algorithm);try{return await te.subtle.verify(n,s,t,o)}catch{return!1}};async function sr(r,e,t){if(!V(r))throw new S("Flattened JWS must be an object");if(r.protected===void 0&&r.header===void 0)throw new S('Flattened JWS must have either of the "protected" or "header" members');if(r.protected!==void 0&&typeof r.protected!="string")throw new S("JWS Protected Header incorrect type");if(r.payload===void 0)throw new S("JWS Payload missing");if(typeof r.signature!="string")throw new S("JWS Signature missing or incorrect type");if(r.header!==void 0&&!V(r.header))throw new S("JWS Unprotected Header incorrect type");let o={};if(r.protected)try{const Re=M(r.protected);o=JSON.parse(G.decode(Re))}catch{throw new S("JWS Protected Header is invalid")}if(!We(o,r.header))throw new S("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");const s={...o,...r.header},n=er(S,new Map([["b64",!0]]),void 0,o,s);let i=!0;if(n.has("b64")&&(i=o.b64,typeof i!="boolean"))throw new S('The "b64" (base64url-encode payload) Header Parameter must be a boolean');const{alg:a}=s;if(typeof a!="string"||!a)throw new S('JWS "alg" (Algorithm) Header Parameter missing or invalid');if(i){if(typeof r.payload!="string")throw new S("JWS Payload must be a string")}else if(typeof r.payload!="string"&&!(r.payload instanceof Uint8Array))throw new S("JWS Payload must be a string or an Uint8Array instance");let h=!1;typeof e=="function"&&(e=await e(o,r),h=!0),Ze(a,e,"verify");const u=He(X.encode(r.protected??""),X.encode("."),typeof r.payload=="string"?X.encode(r.payload):r.payload);let y;try{y=M(r.signature)}catch{throw new S("Failed to base64url decode the signature")}if(!await or(a,e,y,u))throw new xe;let _;if(i)try{_=M(r.payload)}catch{throw new S("Failed to base64url decode the payload")}else typeof r.payload=="string"?_=X.encode(r.payload):_=r.payload;const Y={payload:_};return r.protected!==void 0&&(Y.protectedHeader=o),r.header!==void 0&&(Y.unprotectedHeader=r.header),h?{...Y,key:e}:Y}async function ir(r,e,t){if(r instanceof Uint8Array&&(r=G.decode(r)),typeof r!="string")throw new S("Compact JWS must be a string or Uint8Array");const{0:o,1:s,2:n,length:i}=r.split(".");if(i!==3)throw new S("Invalid Compact JWS");const a=await sr({payload:s,protected:o,signature:n},e),h={payload:a.payload,protectedHeader:a.protectedHeader};return typeof e=="function"?{...h,key:a.key}:h}const Ae=M;function nr(r){let e;if(typeof r=="string"){const t=r.split(".");(t.length===3||t.length===5)&&([e]=t)}else if(typeof r=="object"&&r)if("protected"in r)e=r.protected;else throw new TypeError("Token does not contain a Protected Header");try{if(typeof e!="string"||!e)throw new Error;const t=JSON.parse(G.decode(Ae(e)));if(!V(t))throw new Error;return t}catch{throw new TypeError("Invalid Token or Protected Header formatting")}}function ar(r){if(typeof r!="string")throw new D("JWTs must use Compact JWS serialization, JWT must be a string");const{1:e,length:t}=r.split(".");if(t===5)throw new D("Only JWTs using Compact JWS serialization can be decoded");if(t!==3)throw new D("Invalid JWT");if(!e)throw new D("JWTs must contain a payload");let o;try{o=Ae(e)}catch{throw new D("Failed to base64url decode the payload")}let s;try{s=JSON.parse(G.decode(o))}catch{throw new D("Failed to parse the decoded payload as JSON")}if(!V(s))throw new D("Invalid JWT Claims Set");return s}const C=class v{static flowNames(e){let t={};return e.forEach(o=>{o in v.flowName&&(t[o]=v.flowName[o])}),t}static isValidFlow(e){return v.allFlows().includes(e)}static areAllValidFlows(e){let t=!0;return e.forEach(o=>{v.isValidFlow(o)||(t=!1)}),t}static allFlows(){return[v.AuthorizationCode,v.AuthorizationCodeWithPKCE,v.ClientCredentials,v.RefreshToken,v.DeviceCode,v.Password,v.PasswordMfa,v.OidcAuthorizationCode]}static grantType(e){switch(e){case v.AuthorizationCode:case v.AuthorizationCodeWithPKCE:case v.OidcAuthorizationCode:return["authorization_code"];case v.ClientCredentials:return["client_credentials"];case v.RefreshToken:return["refresh_token"];case v.Password:return["password"];case v.PasswordMfa:return["http://auth0.com/oauth/grant-type/mfa-otp","http://auth0.com/oauth/grant-type/mfa-oob"];case v.DeviceCode:return["urn:ietf:params:oauth:grant-type:device_code"]}}};l(C,"All","all"),l(C,"AuthorizationCode","authorizationCode"),l(C,"AuthorizationCodeWithPKCE","authorizationCodeWithPKCE"),l(C,"ClientCredentials","clientCredentials"),l(C,"RefreshToken","refreshToken"),l(C,"DeviceCode","deviceCode"),l(C,"Password","password"),l(C,"PasswordMfa","passwordMfa"),l(C,"OidcAuthorizationCode","oidcAuthorizationCode"),l(C,"flowName",{[C.AuthorizationCode]:"Authorization Code",[C.AuthorizationCodeWithPKCE]:"Authorization Code with PKCE",[C.ClientCredentials]:"Client Credentials",[C.RefreshToken]:"Refresh Token",[C.DeviceCode]:"Device Code",[C.Password]:"Password",[C.PasswordMfa]:"Password MFA",[C.OidcAuthorizationCode]:"OIDC Authorization Code"});var k,T,q,F,J;class cr{constructor({authServerBaseUrl:e,client_id:t,client_secret:o,redirect_uri:s,codeChallengeMethod:n,stateLength:i,verifierLength:a,tokenConsumer:h,authServerCredentials:u,authServerMode:y,authServerHeaders:_}){l(this,"authServerBaseUrl",""),$(this,k),$(this,T),$(this,q),l(this,"codeChallengeMethod","S256"),$(this,F),l(this,"verifierLength",32),l(this,"redirect_uri"),$(this,J,""),l(this,"stateLength",32),l(this,"authzCode",""),l(this,"oidcConfig"),l(this,"tokenConsumer"),l(this,"authServerHeaders",{}),l(this,"authServerMode"),l(this,"authServerCredentials"),this.tokenConsumer=h,this.authServerBaseUrl=e,a&&(this.verifierLength=a),i&&(this.stateLength=i),t&&E(this,k,t),o&&E(this,T,o),s&&(this.redirect_uri=s),n&&(this.codeChallengeMethod=n),this.authServerBaseUrl=e,u&&(this.authServerCredentials=u),y&&(this.authServerMode=y),_&&(this.authServerHeaders=_)}set client_id(e){E(this,k,e)}set client_secret(e){E(this,T,e)}set codeVerifier(e){E(this,F,e)}set codeChallenge(e){E(this,q,e)}set state(e){E(this,J,e)}async loadConfig(e){if(e){c.logger.debug(d({msg:"Reading OIDC config locally"})),this.oidcConfig=e;return}let t;try{const o=new URL(this.authServerBaseUrl+"/.well-known/openid-configuration");c.logger.debug(d({msg:`Fetching OIDC config from ${o}`}));let s={headers:this.authServerHeaders};this.authServerMode&&(s.mode=this.authServerMode),this.authServerCredentials&&(s.credentials=this.authServerCredentials),t=await fetch(o,s)}catch(o){c.logger.error(d({err:o}))}if(!t||!t.ok)throw new g(m.Connection,"Couldn't get OIDC configuration from URL"+this.authServerBaseUrl+"/.well-known/openid-configuration");this.oidcConfig={...ye};try{const o=await t.json();for(const[s,n]of Object.entries(o))this.oidcConfig[s]=n}catch{throw new g(m.Connection,"Unrecognized response from OIDC configuration endpoint")}}getOidcConfig(){return this.oidcConfig}async startAuthorizationCodeFlow(e,t=!1){var o,s,n;if(c.logger.debug(d({msg:"Starting authorization code flow"})),this.oidcConfig||await this.loadConfig(),!((o=this.oidcConfig)!=null&&o.response_types_supported.includes("code"))||!((s=this.oidcConfig)!=null&&s.response_modes_supported.includes("query")))return{error:"invalid_request",error_description:"Server does not support authorization code flow"};if(!((n=this.oidcConfig)!=null&&n.authorization_endpoint))return{error:"server_error",error_description:"Cannot get authorize endpoint"};if(E(this,J,this.randomValue(this.stateLength)),!p(this,k))return{error:"invalid_request",error_description:"Cannot make authorization code flow without client id"};if(!this.redirect_uri)return{error:"invalid_request",error_description:"Cannot make authorization code flow without Redirect Uri"};let i=this.oidcConfig.authorization_endpoint+"?response_type=code&client_id="+encodeURIComponent(p(this,k))+"&state="+encodeURIComponent(p(this,J))+"&redirect_uri="+encodeURIComponent(this.redirect_uri);return e&&(i+="&scope="+encodeURIComponent(e)),t&&(E(this,F,this.randomValue(this.verifierLength)),E(this,q,this.codeChallengeMethod=="plain"?p(this,F):await this.sha256(p(this,F))),i+="&code_challenge="+p(this,q)),{url:i}}async redirectEndpoint(e,t,o,s){var n,i;if(this.oidcConfig||await this.loadConfig(),o||!e)return o||(o="server_error"),s||(s="Unknown error"),{error:o,error_description:s};if(p(this,J)&&t!=p(this,J))return{error:"access_denied",error_description:"State is not valid"};if(this.authzCode=e,!((n=this.oidcConfig)!=null&&n.grant_types_supported.includes("authorization_code")))return{error:"invalid_request",error_description:"Server does not support authorization code grant"};if(!((i=this.oidcConfig)!=null&&i.token_endpoint))return{error:"server_error",error_description:"Cannot get token endpoint"};const a=this.oidcConfig.token_endpoint;let h,u;h="authorization_code",u=p(this,T);let y={grant_type:h,client_id:p(this,k),code:this.authzCode};u&&(y.client_secret=u),y.code_verifier=p(this,F);try{return this.post(a,y,this.authServerHeaders)}catch(_){return c.logger.error(d({err:_})),{error:"server_error",error_description:"Unable to get access token from server"}}}async clientCredentialsFlow(e){var t,o;if(c.logger.debug(d({msg:"Starting client credentials flow"})),this.oidcConfig||await this.loadConfig(),!((t=this.oidcConfig)!=null&&t.grant_types_supported.includes("client_credentials")))return{error:"invalid_request",error_description:"Server does not support client credentials grant"};if(!((o=this.oidcConfig)!=null&&o.token_endpoint))return{error:"server_error",error_description:"Cannot get token endpoint"};if(!p(this,k))return{error:"invalid_request",error_description:"Cannot make client credentials flow without client id"};const s=this.oidcConfig.token_endpoint;let n={grant_type:"client_credentials",client_id:p(this,k),client_secret:p(this,T)};e&&(n.scope=e);try{return await this.post(s,n,this.authServerHeaders)}catch(i){return c.logger.error(d({err:i})),{error:"server_error",error_description:"Error connecting to authorization server"}}}async passwordFlow(e,t,o){var s,n;if(c.logger.debug(d({msg:"Starting password flow"})),this.oidcConfig||await this.loadConfig(),!((s=this.oidcConfig)!=null&&s.grant_types_supported.includes("password")))return{error:"invalid_request",error_description:"Server does not support password grant"};if(!((n=this.oidcConfig)!=null&&n.token_endpoint))return{error:"server_error",error_description:"Cannot get token endpoint"};const i=this.oidcConfig.token_endpoint;let a={grant_type:"password",client_id:p(this,k),client_secret:p(this,T),username:e,password:t};o&&(a.scope=o);try{return await this.post(i,a,this.authServerHeaders)}catch(h){return c.logger.error(d({err:h})),{error:"server_error",error_description:"Error connecting to authorization server"}}}async mfaAuthenticators(e){var t,o,s;if(c.logger.debug(d({msg:"Getting valid MFA authenticators"})),this.oidcConfig||await this.loadConfig(),!((t=this.oidcConfig)!=null&&t.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp"))&&(o=this.oidcConfig)!=null&&o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob"))return{error:"invalid_request",error_description:"Server does not support password_mfa grant"};if(!((s=this.oidcConfig)!=null&&s.issuer))return{error:"server_error",error_description:"Cannot get issuer"};const n=this.oidcConfig.issuer+(this.oidcConfig.issuer.endsWith("/")?"":"/")+"mfa/authenticators",i=await this.get(n,{authorization:"Bearer "+e,...this.authServerHeaders});if(!Array.isArray(i))return{error:"server_error",error_description:"Expected array of authenticators in mfa/authenticators response"};let a=[];for(let h=0;h<i.length;++h){const u=i[h];if(!u.id||!u.authenticator_type||!u.active)return{error:"server_error",error_description:"Invalid mfa/authenticators response"};a.push({id:u.id,authenticator_type:u.authenticator_type,active:u.active,name:u.name,oob_channel:u.oob_channel})}return{authenticators:a}}async mfaOtpRequest(e,t){var o,s;if(c.logger.debug(d({msg:"Making MFA OTB request"})),this.oidcConfig||await this.loadConfig(),!((o=this.oidcConfig)!=null&&o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))return{error:"invalid_request",error_description:"Server does not support password_mfa grant"};if(!((s=this.oidcConfig)!=null&&s.issuer))return{error:"server_error",error_description:"Cannot get issuer"};const n=this.oidcConfig.issuer+(this.oidcConfig.issuer.endsWith("/")?"":"/")+"mfa/challenge",i=await this.post(n,{client_id:p(this,k),client_secret:p(this,T),challenge_type:"otp",mfa_token:e,authenticator_id:t},this.authServerHeaders);return i.challenge_type!="otp"?{error:i.error??"server_error",error_description:i.error_description??"Invalid OTP challenge response"}:i}async mfaOtpComplete(e,t,o){var s,n;if(c.logger.debug(d({msg:"Completing MFA OTP request"})),this.oidcConfig||await this.loadConfig(),!((s=this.oidcConfig)!=null&&s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))return{error:"invalid_request",error_description:"Server does not support password_mfa grant"};if(!((n=this.oidcConfig)!=null&&n.issuer))return{error:"server_error",error_description:"Cannot get issuer"};const i=this.oidcConfig.token_endpoint,a=await this.post(i,{grant_type:"http://auth0.com/oauth/grant-type/mfa-otp",client_id:p(this,k),client_secret:p(this,T),challenge_type:"otp",mfa_token:e,otp:t,scope:o},this.authServerHeaders);return{id_token:a.id_token,access_token:a.access_token,refresh_token:a.refresh_token,expires_in:Number(a.expires_in),scope:a.scope,token_type:a.token_type,error:a.error,error_description:a.error_description}}async mfaOobRequest(e,t){var o,s;if(c.logger.debug(d({msg:"Making MFA OOB request"})),this.oidcConfig||await this.loadConfig(),!((o=this.oidcConfig)!=null&&o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))return{error:"invalid_request",error_description:"Server does not support password_mfa grant"};if(!((s=this.oidcConfig)!=null&&s.issuer))return{error:"server_error",error_description:"Cannot get issuer"};const n=this.oidcConfig.issuer+(this.oidcConfig.issuer.endsWith("/")?"":"/")+"mfa/challenge",i=await this.post(n,{client_id:p(this,k),client_secret:p(this,T),challenge_type:"oob",mfa_token:e,authenticator_id:t},this.authServerHeaders);return i.challenge_type!="oob"||!i.oob_code||!i.binding_method?{error:i.error??"server_error",error_description:i.error_description??"Invalid OOB challenge response"}:{challenge_type:i.challenge_type,oob_code:i.oob_code,binding_method:i.binding_method,error:i.error,error_description:i.error_description}}async mfaOobComplete(e,t,o,s){var n,i;if(c.logger.debug(d({msg:"Completing MFA OOB request"})),this.oidcConfig||await this.loadConfig(),!((n=this.oidcConfig)!=null&&n.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))return{error:"invalid_request",error_description:"Server does not support password_mfa grant"};if(!((i=this.oidcConfig)!=null&&i.issuer))return{error:"server_error",error_description:"Cannot get issuer"};const a=this.oidcConfig.token_endpoint,h=await this.post(a,{grant_type:"http://auth0.com/oauth/grant-type/mfa-oob",client_id:p(this,k),client_secret:p(this,T),challenge_type:"otp",mfa_token:e,oob_code:t,binding_code:o,scope:s},this.authServerHeaders);return h.error?{error:h.error,error_description:h.error_description}:{id_token:h.id_token,access_token:h.access_token,refresh_token:h.refresh_token,expires_in:"expires_in"in h?Number(h.expires_in):void 0,scope:h.scope,token_type:h.token_type}}async refreshTokenFlow(e){var t,o;if(c.logger.debug(d({msg:"Starting refresh token flow"})),this.oidcConfig||await this.loadConfig(),!((t=this.oidcConfig)!=null&&t.grant_types_supported.includes("refresh_token")))return{error:"invalid_request",error_description:"Server does not support refresh_token grant"};if(!((o=this.oidcConfig)!=null&&o.token_endpoint))return{error:"server_error",error_description:"Cannot get token endpoint"};const s=this.oidcConfig.token_endpoint;let n;n=p(this,T);let i={grant_type:"refresh_token",refresh_token:e,client_id:p(this,k)};n&&(i.client_secret=n);try{return await this.post(s,i,this.authServerHeaders)}catch(a){return c.logger.error(d({err:a})),{error:"server_error",error_description:"Error connecting to authorization server"}}}async startDeviceCodeFlow(e,t){var o;if(c.logger.debug(d({msg:"Starting device code flow"})),this.oidcConfig||await this.loadConfig(),!((o=this.oidcConfig)!=null&&o.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))return{error:"invalid_request",error_description:"Server does not support device code grant"};let s={grant_type:"urn:ietf:params:oauth:grant-type:device_code",client_id:p(this,k),client_secret:p(this,T)};t&&(s.scope=t);try{return await this.post(e,s,this.authServerHeaders)}catch(n){return c.logger.error(d({err:n})),{error:"server_error",error_description:"Error connecting to authorization server"}}}async pollDeviceCodeFlow(e){var t,o,s;if(c.logger.debug(d({msg:"Starting device code flow"})),this.oidcConfig||await this.loadConfig(),!((t=this.oidcConfig)!=null&&t.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))return{error:"invalid_request",error_description:"Server does not support device code grant"};if(!((o=this.oidcConfig)!=null&&o.token_endpoint))return{error:"server_error",error_description:"Cannot get token endpoint"};let n={grant_type:"urn:ietf:params:oauth:grant-type:device_code",client_id:p(this,k),client_secret:p(this,T),device_code:e};try{const i=await this.post((s=this.oidcConfig)==null?void 0:s.token_endpoint,n,this.authServerHeaders);return i.error,i}catch(i){return c.logger.error(d({err:i})),{error:"server_error",error_description:"Error connecting to authorization server"}}}async post(e,t,o={}){c.logger.debug(d({msg:"Fetch POST",url:e,params:Object.keys(t)}));let s={};return this.authServerCredentials&&(s.credentials=this.authServerCredentials),this.authServerMode&&(s.mode=this.authServerMode),await(await fetch(e,{method:"POST",...s,headers:{Accept:"application/json","Content-Type":"application/json",...o},body:JSON.stringify(t)})).json()}async get(e,t={}){c.logger.debug(d({msg:"Fetch GET",url:e}));let o={};return this.authServerCredentials&&(o.credentials=this.authServerCredentials),this.authServerMode&&(o.mode=this.authServerMode),await(await fetch(e,{method:"GET",...o,headers:{Accept:"application/json","Content-Type":"application/json",...t}})).json()}async validateIdToken(e){try{return await this.tokenConsumer.tokenAuthorized(e,"id")}catch{return}}async idTokenAuthorized(e){try{return await this.tokenConsumer.tokenAuthorized(e,"id")}catch(t){c.logger.warn(d({err:t}));return}}getTokenPayload(e){return ar(e)}}k=new WeakMap,T=new WeakMap,q=new WeakMap,F=new WeakMap,J=new WeakMap;class dr{constructor(e,t={}){if(l(this,"audience"),l(this,"jwtKeyType"),l(this,"jwtSecretKey"),l(this,"jwtPublicKey"),l(this,"clockTolerance",10),l(this,"authServerBaseUrl",""),l(this,"oidcConfig"),l(this,"keys",{}),this.audience=e,t.authServerBaseUrl&&(this.authServerBaseUrl=t.authServerBaseUrl),t.jwtKeyType&&(this.jwtKeyType=t.jwtKeyType),t.jwtSecretKey&&(this.jwtSecretKey=t.jwtSecretKey),t.jwtPublicKey&&(this.jwtPublicKey=t.jwtPublicKey),t.clockTolerance&&(this.clockTolerance=t.clockTolerance),t.oidcConfig&&(this.oidcConfig=t.oidcConfig),this.jwtPublicKey&&!this.jwtKeyType)throw new g(m.Configuration,"If specifying jwtPublic key, must also specify jwtKeyType")}async loadKeys(){try{if(this.jwtSecretKey){if(!this.jwtKeyType)throw new g(m.Configuration,"Must specify jwtKeyType if setting jwtSecretKey");this.keys._default=await Ye(this.jwtSecretKey,this.jwtKeyType)}else if(this.jwtPublicKey){if(!this.jwtKeyType)throw new g(m.Configuration,"Must specify jwtKeyType if setting jwtPublicKey");const e=await Ge(this.jwtPublicKey,this.jwtKeyType);this.keys._default=e}else{if(this.oidcConfig||await this.loadConfig(),!this.oidcConfig)throw new g(m.Connection,"Load OIDC config before Jwks");await this.loadJwks()}}catch(e){throw c.logger.debug(d({err:e})),new g(m.Connection,"Couldn't load keys")}}async loadConfig(e){if(e){this.oidcConfig=e;return}if(!this.authServerBaseUrl)throw new g(m.Connection,"Couldn't get OIDC configuration.  Either set authServerBaseUrl or set config manually");let t;try{t=await fetch(new URL("/.well-known/openid-configuration",this.authServerBaseUrl))}catch(o){c.logger.error(d({err:o}))}if(!t||!t.ok)throw new g(m.Connection,"Couldn't get OIDC configuration");this.oidcConfig={...ye};try{const o=await t.json();for(const[s,n]of Object.entries(o))this.oidcConfig[s]=n}catch{throw new g(m.Connection,"Unrecognized response from OIDC configuration endpoint")}}async loadJwks(e){if(e){this.keys={};for(let t=0;t<e.keys.length;++t){const o=e.keys[t];this.keys[o.kid??"_default"]=await ue(e.keys[t])}}else{if(!this.oidcConfig)throw new g(m.Connection,"Load OIDC config before Jwks");let t;try{t=await fetch(new URL(this.oidcConfig.jwks_uri))}catch(o){c.logger.error(d({err:o}))}if(!t||!t.ok)throw new g(m.Connection,"Couldn't get OIDC configuration");this.keys={};try{const o=await t.json();if(!("keys"in o)||!Array.isArray(o.keys))throw new g(m.Connection,"Couldn't fetch keys");for(let s=0;s<o.keys.length;++s)try{let n="_default";"kid"in o.keys[s]&&typeof o.keys[s]=="string"&&(n=String(o.keys[s]));const i=await ue(o.keys[s]);this.keys[n]=i}catch(n){throw c.logger.error(d({err:n})),new g(m.Connection,"Couldn't load keys")}}catch(o){throw c.logger.error(d({err:o})),new g(m.Connection,"Unrecognized response from OIDC jwks endpoint")}}}async tokenAuthorized(e,t){(!this.keys||Object.keys(this.keys).length==0)&&await this.loadKeys();const o=await this.validateToken(e);if(o){if(o.type!=t&&c.logger.error(d({msg:t+" expected but got "+o.type})),o.iss!=this.authServerBaseUrl){c.logger.error(d({msg:`Invalid issuer ${o.iss} in access token`,hashedAccessToken:await this.hash(o.jti)}));return}if(o.aud&&(Array.isArray(o.aud)&&!o.aud.includes(this.audience)||!Array.isArray(o.aud)&&o.aud!=this.audience)){c.logger.error(d({msg:`Invalid audience ${o.aud} in access token`,hashedAccessToken:await this.hash(o.jti)}));return}return o}}async validateToken(e){(!this.keys||Object.keys(this.keys).length==0)&&c.logger.warn("No keys loaded so cannot validate tokens");let t;try{t=nr(e).kid}catch{c.logger.warn(d({msg:"Invalid access token format"}));return}let o;"_default"in this.keys&&(o=this.keys._default);for(let s in this.keys)if(t==s){o=this.keys[s];break}if(!o){c.logger.warn(d({msg:"No matching keys found for access token"}));return}try{const{payload:s}=await ir(e,o),n=JSON.parse(new TextDecoder().decode(s));if(n.exp*1e3<Date.now()+this.clockTolerance){c.logger.warn(d({msg:"Access token has expired"}));return}return n}catch{c.logger.warn(d({msg:"Access token did not validate"}));return}}}const fe=30,Z=2,ae=30;class Ee{constructor(e){f(this,"autoRefreshUrl","/autorefresh");f(this,"csrfHeader","X-CROSSAUTH-CSRF");f(this,"headers",{});f(this,"autoRefreshActive",!1);f(this,"mode","cors");f(this,"credentials","same-origin");f(this,"tokenProvider");this.tokenProvider=e.tokenProvider,this.autoRefreshUrl=e.autoRefreshUrl,e.csrfHeader&&(this.csrfHeader=e.csrfHeader),e.headers&&(this.headers=e.headers),e.mode&&(this.mode=e.mode),e.credentials&&(this.credentials=e.credentials)}async startAutoRefresh(e=["access","id"],t){this.autoRefreshActive||(this.autoRefreshActive=!0,c.logger.debug(d({msg:"Starting auto refresh"})),await this.scheduleAutoRefresh(e,t))}stopAutoRefresh(){this.autoRefreshActive=!1,c.logger.debug(d({msg:"Stopping auto refresh"}))}async scheduleAutoRefresh(e,t){const o=this.tokenProvider.getCsrfToken(),s=o?await o:void 0,n=await this.tokenProvider.getTokenExpiries([...e,"refresh"],s);if(n.refresh==null){c.logger.debug(d({msg:"No refresh token found"}));return}const i=Date.now();let a=n.id;if((!a||n.access&&n.access<a)&&(a=n.access),!a){c.logger.debug(d({msg:"No tokens expire"}));return}const h=a*1e3-i-fe;if(h<0){c.logger.debug(d({msg:"Expiry time has passed"}));return}if(n.refresh&&n.refresh-fe<h){c.logger.debug(d({msg:"Refresh token has expired"}));return}let u=y=>new Promise(_=>setTimeout(_,y));c.logger.debug(d({msg:`Waiting ${h} before refreshing tokens`})),await u(h),await this.autoRefresh(e,s,t)}async autoRefresh(e,t,o){if(this.autoRefreshActive){let s,n=!1,i=0;for(;!n&&i<=Z;)try{let a={...this.headers};t&&(a[this.csrfHeader]=t),c.logger.debug(d({msg:"Initiating auto refresh"}));const h=await this.tokenProvider.jsonFetchWithToken(this.autoRefreshUrl,{method:"POST",headers:{Accept:"application/json","Content-Type":"application/json",...a},mode:this.mode,credentials:this.credentials,body:{csrfToken:t}},"refresh");if(h.ok||c.logger.error(d({msg:"Failed auto refreshing tokens",status:h.status})),s=await h.json(),s!=null&&s.ok){await this.scheduleAutoRefresh(e,o),n=!0;try{await this.tokenProvider.receiveTokens(s)}catch(u){const y=g.asCrossauthError(u);o?o("Couldn't receive tokens",y):(c.logger.debug(d({err:u})),c.logger.error(d({msg:"Error receiving tokens",cerr:y})))}}else i<Z?(c.logger.error(d({msg:`Failed auto refreshing tokens.  Retrying in ${ae} seconds`})),await(y=>new Promise(_=>setTimeout(_,y)))(ae*1e3)):(c.logger.error(d({msg:"Failed auto refreshing tokens.  Number of retries exceeded"})),o&&o("Failed auto refreshing tokens")),i++}catch(a){const h=g.asCrossauthError(a);c.logger.debug(d({err:h})),i<Z?(c.logger.error(d({msg:`Failed auto refreshing tokens.  Retrying in ${Z} seconds`})),await(y=>new Promise(_=>setTimeout(_,y)))(ae)):(c.logger.error(d({msg:"Failed auto refreshing tokens.  Number of retries exceeded"})),o&&o(h.message,h)),i++}}}}class Pe{constructor(e){f(this,"deviceCodePollUrl","/devicecodepoll");f(this,"headers",{});f(this,"pollingActive",!1);f(this,"mode","cors");f(this,"credentials","same-origin");f(this,"respectRedirect",!0);f(this,"oauthClient");this.oauthClient=e.oauthClient,e.deviceCodePollUrl!=null&&(this.deviceCodePollUrl=e.deviceCodePollUrl),e.headers&&(this.headers=e.headers),e.mode&&(this.mode=e.mode),e.credentials&&(this.credentials=e.credentials)}async startPolling(e,t,o=5){this.pollingActive||(this.pollingActive=!0,c.logger.debug(d({msg:"Starting auto refresh"})),await this.poll(e,o,t))}stopPolling(){this.pollingActive=!1,c.logger.debug(d({msg:"Stopping auto refresh"}))}async poll(e,t,o){var s;if(!e)c.logger.debug(d({msg:"device code poll: no device code provided"})),o("error","Error waiting for authorization");else try{if(c.logger.debug(d({msg:"device code poll: poll"})),!this.deviceCodePollUrl&&this.oauthClient){if(this.oauthClient.getOidcConfig()||await this.oauthClient.loadConfig(),!((s=this.oauthClient.getOidcConfig())!=null&&s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))return{error:"invalid_request",error_description:"Server does not support password_mfa grant"};let i=this.oauthClient.getOidcConfig();if(!(i!=null&&i.token_endpoint))return{error:"server_error",error_description:"Couldn't get OIDC configuration"};this.deviceCodePollUrl=i.token_endpoint}if(!this.deviceCodePollUrl)return{error:"server_error",error_description:"Must either provide deviceCodePollUrl or an oauthClient to fetch it from"};const n=await fetch(this.deviceCodePollUrl,{method:"POST",body:JSON.stringify({device_code:e}),headers:{"content-type":"application/json"}});if(n.redirected)this.pollingActive=!1,n.redirected&&o("completeAndRedirect",void 0,n.url);else if(!n.ok)this.pollingActive=!1,o("error","Received an error from the authorization server");else{const i=await n.json();if(c.logger.debug(d({msg:"device code poll: received"+JSON.stringify(i)})),i.error=="expired_token")this.pollingActive=!1,o("expired_token","Timeout waiting for authorization");else if(i.error=="authorization_pending"||i.error=="slow_down"){i.error=="slow_down"&&(t+=5);let a=i.interval??t,h=u=>new Promise(y=>setTimeout(y,u));c.logger.debug(d({msg:"device code poll: waiting "+String(a)+" seconds"})),await h(a*1e3),this.pollingActive&&this.poll(e,t,o)}else i.error?(this.pollingActive=!1,o("error",i.error_description??i.error)):(this.pollingActive=!1,o("complete"))}}catch(n){this.pollingActive=!1;const i=g.asCrossauthError(n);c.logger.debug(d({err:i})),c.logger.error(d({msg:"Polling failed",cerr:i})),o("error",i.message)}}}class hr{constructor(e={}){f(this,"bffPrefix","/bff");f(this,"csrfHeader","X-CROSSAUTH-CSRF");f(this,"enableCsrfProtection",!0);f(this,"headers",{});f(this,"mode","cors");f(this,"credentials","same-origin");f(this,"autoRefresher");f(this,"deviceCodePoller");f(this,"getCsrfTokenUrl","/api/getcsrftoken");f(this,"autoRefreshUrl","/api/refreshtokens");f(this,"tokensUrl","/tokens");e.bffPrefix&&(this.bffPrefix=e.bffPrefix),e.csrfHeader&&(this.csrfHeader=e.csrfHeader),e.enableCsrfProtection!=null&&(this.enableCsrfProtection=e.enableCsrfProtection),e.getCsrfTokenUrl&&(this.getCsrfTokenUrl=e.getCsrfTokenUrl),e.tokensUrl&&(this.tokensUrl=e.tokensUrl),e.autoRefreshUrl&&(this.autoRefreshUrl=e.autoRefreshUrl),this.bffPrefix.endsWith("/")||(this.bffPrefix+="/"),e.headers&&(this.headers=e.headers),e.mode&&(this.mode=e.mode),e.credentials&&(this.credentials=e.credentials),this.autoRefresher=new Ee({...e,autoRefreshUrl:this.autoRefreshUrl,tokenProvider:this}),this.deviceCodePoller=new Pe({...e,oauthClient:void 0})}async getCsrfToken(){if(this.enableCsrfProtection)try{const t=await(await fetch(this.getCsrfTokenUrl,{headers:this.headers,credentials:this.credentials,mode:this.mode})).json();if(!t.ok)throw g.asCrossauthError(t);return t.csrfToken}catch(e){throw g.asCrossauthError(e)}}async getIdToken(e){const t=await this.getTokens(e);return(t==null?void 0:t.id_token)??null}async haveIdToken(e){const t=await this.getTokens(e);return t==null?!1:t.have_id_token!=null?t.have_id_token:"id_token"in t}async getAccessToken(e){const t=await this.getTokens(e);return(t==null?void 0:t.access_token)??null}async haveAccessToken(e){const t=await this.getTokens(e);return t==null?!1:t.have_access_token!=null?t.have_access_token:"access_token"in t}async getRefreshToken(e){const t=await this.getTokens(e);return(t==null?void 0:t.refresh_token)??null}async haveRefreshToken(e){const t=await this.getTokens(e);return t==null?!1:t.have_refresh_token!=null?t.have_refresh_token:"refresh_token"in t}async api(e,t,o,s){let n={...this.headers};!s&&!["GET","HEAD","OPTIONS"].includes(e)&&(s=await this.getCsrfToken(),s&&(n[this.csrfHeader]=s)),t.startsWith("/")&&(t=t.substring(1));let i={};o&&(i.body=JSON.stringify(o));const a=await fetch(this.bffPrefix+t,{headers:n,method:e,mode:this.mode,credentials:this.credentials,...i});let h=null;return a.body&&(h=await a.json()),{status:a.status,body:h}}async getTokens(e){e||(e=await this.getCsrfToken());let t={...this.headers};e&&(t[this.csrfHeader]=e);try{const o=await fetch(this.tokensUrl,{method:"POST",headers:t,mode:this.mode,credentials:this.credentials});return o.status==204?{}:await o.json()}catch(o){throw g.asCrossauthError(o)}}async startAutoRefresh(e=["access","id"],t){return this.autoRefresher.startAutoRefresh(e,t)}stopAutoRefresh(){return this.autoRefresher.stopAutoRefresh()}async startDeviceCodePolling(e,t,o=5){return this.deviceCodePoller.startPolling(e,t,o)}stopDeviceCodePolling(){return this.deviceCodePoller.stopPolling()}async getTokenExpiries(e,t){const o=await this.getTokens(t),s=e.includes("id")?(o==null?void 0:o.id_token)??null:null,n=e.includes("access")?(o==null?void 0:o.access_token)??null:null,i=e.includes("refresh")?(o==null?void 0:o.refresh_token)??null:null;let a,h,u;return s&&(a=s.exp?s.exp:null),n&&(h=n.exp?n.exp:null),i&&(u=i.exp?i.exp:null),{id:a,access:h,refresh:u}}async jsonFetchWithToken(e,t,o){return typeof t.body!="string"&&(t.body=JSON.stringify(t.body)),await fetch(e,t)}receiveTokens(e){return new Promise(t=>{})}}class lr extends dr{async hash(e){const o=new TextEncoder().encode(e),s=await crypto.subtle.digest("SHA-256",o),n=Array.from(new Uint8Array(s));return btoa(n.reduce((i,a)=>i+String.fromCharCode(a),"")).replace(/\//g,"_").replace(/\+/g,"-").replace(/=+$/,"")}}var x,U,R,K,z,B,L;class ur extends cr{constructor(t){t.tokenConsumer||(t.tokenConsumer=new lr(t.client_id,{authServerBaseUrl:t.authServerBaseUrl}));super(t);f(this,"resServerBaseUrl","");f(this,"resServerHeaders",{});f(this,"resServerMode","cors");f(this,"resServerCredentials","same-origin");f(this,"accessTokenResponseType","memory");f(this,"refreshTokenResponseType","memory");f(this,"idTokenResponseType","memory");f(this,"accessTokenName","CROSSAUTH_AT");f(this,"refreshTokenName","CROSSAUTH_RT");f(this,"idTokenName","CROSSAUTH_IT");N(this,x);N(this,U);N(this,R);N(this,K);N(this,z);N(this,B);N(this,L);f(this,"autoRefresher");f(this,"deviceCodePoller");f(this,"deviceAuthorizationUrl","device_authorization");this.resServerBaseUrl!=null&&(this.resServerBaseUrl=t.resServerBaseUrl??"",this.resServerBaseUrl.length>0&&!this.resServerBaseUrl.endsWith("/")&&(this.resServerBaseUrl+="/")),t.accessTokenResponseType&&(this.accessTokenResponseType=t.accessTokenResponseType),t.idTokenResponseType&&(this.idTokenResponseType=t.idTokenResponseType),t.refreshTokenResponseType&&(this.refreshTokenResponseType=t.refreshTokenResponseType),t.accessTokenName&&(this.accessTokenName=t.accessTokenName),t.idTokenName&&(this.idTokenName=t.idTokenName),t.refreshTokenName&&(this.refreshTokenName=t.refreshTokenName),t.resServerHeaders&&(this.resServerHeaders=t.resServerHeaders),t.resServerMode&&(this.resServerMode=t.resServerMode),t.resServerCredentials&&(this.resServerCredentials=t.resServerCredentials),t.client_id&&b(this,B,t.client_id),t.client_secret&&b(this,L,t.client_secret),t.deviceAuthorizationUrl&&(this.deviceAuthorizationUrl=t.deviceAuthorizationUrl),this.autoRefresher=new Ee({...t,autoRefreshUrl:this.authServerBaseUrl+"/token",tokenProvider:this}),this.deviceCodePoller=new Pe({...t,oauthClient:this,deviceCodePollUrl:null});let o,s,n;if(this.idTokenResponseType=="sessionStorage"?o=sessionStorage.getItem(this.idTokenName):this.idTokenResponseType=="localStorage"&&(o=localStorage.getItem(this.idTokenName)),this.accessTokenResponseType=="sessionStorage"?s=sessionStorage.getItem(this.accessTokenName):this.accessTokenResponseType=="localStorage"&&(s=localStorage.getItem(this.accessTokenName)),this.refreshTokenResponseType=="sessionStorage"?n=sessionStorage.getItem(this.refreshTokenName):this.refreshTokenResponseType=="localStorage"&&(n=localStorage.getItem(this.refreshTokenName)),this.receiveTokens({access_token:s,id_token:o,refresh_token:n}),s){const i=this.getTokenPayload(s);i&&(b(this,x,s),b(this,K,i))}if(n){const i=this.getTokenPayload(n);i&&(b(this,U,n),b(this,z,i))}o?this.validateIdToken(o).then(i=>{b(this,R,i),t.autoRefresh&&this.startAutoRefresh(t.autoRefresh).then().catch(a=>{c.logger.debug(d({err:a,msg:"Couldn't start auto refresh"}))})}).catch(i=>{c.logger.debug(d({err:i,msg:"Couldn't validate ID token"}))}):w(this,x)&&t.autoRefresh&&n?this.startAutoRefresh(t.autoRefresh).then().catch(i=>{c.logger.debug(d({err:i,msg:"Couldn't start auto refresh"}))}):n&&!s&&this.refreshTokenFlow(n).then(i=>{c.logger.debug(d({msg:"Refreshed tokens"})),t.autoRefresh&&this.startAutoRefresh(t.autoRefresh).then().catch(a=>{c.logger.debug(d({err:a,msg:"Couldn't start auto refresh"}))})}).catch(i=>{const a=g.asCrossauthError(i);c.logger.debug(d({err:a})),c.logger.error(d({msg:"failed refreshing tokens",cerr:a}))})}get idTokenPayload(){return w(this,R)}async handleRedirectUri(){const t=new URL(window.location.href);if(t.origin+t.pathname!=this.redirect_uri)return;const o=new URLSearchParams(window.location.search);let s,n,i,a;for(const[u,y]of o)u=="code"&&(s=y),u=="state"&&(n=y),u=="error"&&(i=y),u=="error_description"&&(a=y);if(!i&&!s)return;if(i){const u=g.fromOAuthError(i,a);throw c.logger.debug(d({err:u})),c.logger.error(d({cerr:u,msg:"Error from authorize endpoint: "+i})),u}const h=await this.redirectEndpoint(s,n,i,a);if(h.error){const u=g.fromOAuthError(h.error,a);throw c.logger.debug(d({err:u})),c.logger.error(d({cerr:u,msg:"Error from redirect endpoint: "+h.error})),u}return await this.receiveTokens(h),h}async startAutoRefresh(t=["access","id"],o){return this.autoRefresher.startAutoRefresh(t,o)}stopAutoRefresh(){return this.autoRefresher.stopAutoRefresh()}async startDeviceCodePolling(t,o,s=5){return this.deviceCodePoller.startPolling(t,o,s)}stopDeviceCodePolling(){return this.deviceCodePoller.stopPolling()}getIdToken(){return w(this,R)}randomValue(t){const o=new Uint8Array(t);return self.crypto.getRandomValues(o),btoa(o.reduce((s,n)=>s+String.fromCharCode(n),"")).replace(/\//g,"_").replace(/\+/g,"-").replace(/=+$/,"")}async sha256(t){const s=new TextEncoder().encode(t),n=await crypto.subtle.digest("SHA-256",s),i=Array.from(new Uint8Array(n));return btoa(i.reduce((a,h)=>a+String.fromCharCode(h),"")).replace(/\//g,"_").replace(/\+/g,"-").replace(/=+$/,"")}async api(t,o,s){let n={...this.resServerHeaders};o.startsWith("/")&&(o=o.substring(1));let i={};s&&(i.body=JSON.stringify(s));let a;this.accessTokenResponseType=="sessionStorage"?a=sessionStorage.getItem(this.accessTokenName):this.accessTokenResponseType=="localStorage"&&(a=localStorage.getItem(this.accessTokenName)),n.authorization="Bearer "+a;const h=await fetch(this.resServerBaseUrl+o,{headers:n,method:t,mode:this.resServerMode,credentials:this.resServerCredentials,...i});let u=null;return h.body&&(u=await h.json()),{status:h.status,body:u}}async getTokenExpiries(t,o){let s,n,i;return w(this,R)&&(s=w(this,R).exp?w(this,R).exp:null),w(this,K)&&(n=w(this,K).exp?w(this,K).exp:null),w(this,z)&&(i=w(this,z).exp?w(this,z).exp:null),{id:s,access:n,refresh:i}}async jsonFetchWithToken(t,o,s){if(s=="access"){if(!w(this,x))throw new g(m.InvalidToken,"Cannot make fetch with access token - no access token defined");o.headers||(o.headers={}),o.headers.authorization="Bearer "+w(this,x)}else{if(o.body||(o.body={}),!w(this,U))throw new g(m.InvalidToken,"Cannot make fetch with refresh token - no refresh token defined");o.body.refresh_token=w(this,U),o.body.grant_type="refresh_token"}return w(this,B)&&(o.body||(o.body={}),o.body.client_id=w(this,B),w(this,L)&&(o.body.client_secret=w(this,L))),typeof o.body!="string"&&(o.body=JSON.stringify(o.body)),await fetch(t,o)}async getCsrfToken(){}async receiveTokens(t){if(t.access_token){const o=this.getTokenPayload(t.access_token);o&&(b(this,x,t.access_token),b(this,K,o)),this.accessTokenResponseType=="localStorage"?localStorage.setItem(this.accessTokenName,t.access_token):this.accessTokenResponseType=="sessionStorage"&&sessionStorage.setItem(this.accessTokenName,t.access_token)}if(t.refresh_token){const o=this.getTokenPayload(t.refresh_token);o&&(b(this,U,t.refresh_token),b(this,z,o)),this.refreshTokenResponseType=="localStorage"?localStorage.setItem(this.refreshTokenName,t.refresh_token):this.accessTokenResponseType=="sessionStorage"&&sessionStorage.setItem(this.refreshTokenName,t.refresh_token)}if(t.id_token){const o=await this.validateIdToken(t.id_token);b(this,R,o),this.idTokenResponseType=="localStorage"?localStorage.setItem(this.idTokenName,t.id_token):this.idTokenResponseType=="sessionStorage"&&sessionStorage.setItem(this.idTokenName,t.id_token)}}async clientCredentialsFlow(t){const o=await super.clientCredentialsFlow(t);return await this.receiveTokens(o),o}async passwordFlow(t,o,s){const n=await super.passwordFlow(t,o,s);return await this.receiveTokens(n),n}async deviceCodeFlow(t){let o=this.authServerBaseUrl;return o.endsWith("/")||(o+="/"),o+=this.deviceAuthorizationUrl,await super.startDeviceCodeFlow(o,t)}async mfaOtpComplete(t,o){const s=await super.mfaOtpComplete(t,o);return await this.receiveTokens(s),s}async mfaOobComplete(t,o,s){const n=await super.mfaOobComplete(t,o,s);return await this.receiveTokens(n),n}async refreshTokenFlow(t){if(!t)if(w(this,U))t=w(this,U);else throw new g(m.InvalidToken,"Cannot refresh tokens: no refresh token present");const o=await super.refreshTokenFlow(t);return await this.receiveTokens(o),o}async authorizationCodeFlow(t,o=!1){const s=await super.startAuthorizationCodeFlow(t,o);if(s.error||!s.url){const n=g.fromOAuthError(s.error??"Couldn't create URL for authorization code flow",s.error_description);throw c.logger.debug(d({err:n})),n}location.href=s.url}}x=new WeakMap,U=new WeakMap,R=new WeakMap,K=new WeakMap,z=new WeakMap,B=new WeakMap,L=new WeakMap;exports.CrossauthError=g;exports.CrossauthLogger=c;exports.OAuthBffClient=hr;exports.OAuthClient=ur;exports.j=d;